Attack Surface

The document discusses techniques for reducing security risks by maintaining less code. It recommends tracking feature usage and removing unused features. Old features that receive little attention over time can increase risk. Sharing code across contexts can expose more attack vectors. Third-party code may include unnecessary features and lack updates. Having many similar product variants and software branches makes it harder to push security fixes consistently. The key is to only support needed functionality, prune unused code, carefully evaluate third parties, and minimize variances to simplify maintaining security.

Uploaded by

Karthik Bs
Copyright: All Rights Reserved

Small Is Beautiful

How to improve security by maintaining less code


About Me
● Natalie Silvanovich AKA natashenka
● Project Zero member
● Previously did mobile security on Android and BlackBerry
● Defensive-turned-offensive researcher
Attack surface reduction
Bugs that (maybe) shouldn’t be
● Unused features
● Old features
● Code sharing
● Third-party code
● Excessive SKUs and branching
Unused Features

● All code has risk, so adding a feature is a tradeoff
○ Make sure it’s worth it!
CVE-2015-3039

● Redefinition issue in ConvolutionFilter
○ Reported by me
○ Used to win pwn2own
○ Turned up in HackingTeam dump
● Occurs due to integer conversion
CVE-2015-3039

var filter = new ConvolutionFilter(...);
var n = { valueOf : ts };
var a = [];
a[0] = n;
filter.matrix = a;
function ts(){
    filter.matrix = [1];
}

(Diagram: the ConvolutionFilter object holds a float* matrix; the array [{ valueOf : ts }] is converted into a float buffer [1.0, ...] while ts() replaces the matrix.)
Array.species

“But what if I subclass an array and slice it, and I want the thing I
get back to be a regular Array and not the subclass?”

class MyArray extends Array {
    static get [Symbol.species]() { return Array; }
}

● Easily implemented by inserting a call to script into *every single* Array native call
CVE-2016-7200 (Array.filter)

● Bug in Array conversion due to Array.species
CVE-2016-7200

class dummy{
    constructor(){ return [1, 2, 3]; }
}
class MyArray extends Array {
    static get [Symbol.species]() { return dummy; }
}
var a = new MyArray({}, [], "natalie", 7, 7, 7, 7, 7);
function test(i){ return true; }
var o = a.filter(test);
CVE-2016-7200 (Array.filter)

RecyclableObject* newObj = ArraySpeciesCreate(obj, 0, scriptContext);
...
newArr = JavascriptArray::FromVar(newObj);

if (!pArr->DirectGetItemAtFull(k, &element))
...
selected = CALL_ENTRYPOINT(callBackFn->GetEntryPoint(), callBackFn,
    CallInfo(CallFlags_Value, 4), thisArg, element, JavascriptNumber::ToVar(k,
    scriptContext), pArr);

if (JavascriptConversion::ToBoolean(selected, scriptContext))
{
    // Try to fast path if the return object is an array
    if (newArr)
    {
        newArr->DirectSetItemAt(i, element);
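An added JavaScript example, not from the slides or from Chakra, showing why the fast path above is fragile: Symbol.species gives script a hook inside filter, map, slice, splice and concat, and the species constructor may hand back something that is not an Array at all. The class names Tracked, Plain, AsArray, NotAnArray and Hostile are constructed for this illustration.

```javascript
// Added example, not from the slides or from Chakra: Symbol.species lets
// script run inside Array builtins and decide what object they build into.

// 1. Count how many builtins consult Symbol.species on one subclass.
let speciesLookups = 0;
class Tracked extends Array {
  static get [Symbol.species]() {
    speciesLookups++;   // this getter is script, invoked from "native" code
    return Array;       // ask the builtins to hand back a plain Array
  }
}

function countSpeciesLookups() {
  speciesLookups = 0;
  const t = Tracked.from([1, 2, 3, 4]); // Array.from does not use species
  t.filter((x) => x > 1);
  t.map((x) => x * 2);
  t.slice(1);
  t.splice(0, 1);
  t.concat([5]);
  return speciesLookups; // one lookup per builtin call above
}

// 2. The intended use: decide whether a subclass's slice() returns the
//    subclass (default species) or a plain Array.
class Plain extends Array {}
class AsArray extends Array {
  static get [Symbol.species]() { return Array; }
}

function sliceResultTypes() {
  return {
    defaultSpecies: Plain.from([1, 2]).slice(0) instanceof Plain,     // true
    speciesIsArray: AsArray.from([1, 2]).slice(0) instanceof AsArray, // false
  };
}

// 3. The hazard behind the CVE-2016-7200 PoC: a species "constructor" whose
//    return value is not an Array. filter() still runs to completion and
//    stores its results on whatever object came back, so a fast path that
//    assumed an Array was allocated would be operating on the wrong type.
class NotAnArray {
  constructor() { return { kind: "plain object" }; }
}
class Hostile extends Array {
  static get [Symbol.species]() { return NotAnArray; }
}

function filterOntoNonArray() {
  const h = Hostile.from([1, 2, 3]);
  const result = h.filter(() => true);
  return {
    isArray: Array.isArray(result),            // false: the check a fast path needs
    kind: result.kind,                         // "plain object"
    stored: [result[0], result[1], result[2]], // [1, 2, 3] written as plain properties
  };
}

console.log(countSpeciesLookups(), sliceResultTypes(), filterOntoNonArray());
```

The takeaway for the design argument on the slides: one rarely used feature added a script callback to every species-aware builtin, and every such callback is a point where native code must re-validate its assumptions.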
Array.species, etc.

● Very uncommon Symbol
○ ~150k pages on the internet
● Base features on user need
● Track feature use in beta or production
● Be willing/able to disable features
Old features

● Sometimes features fall slowly into disuse
● Lack of attention to unused code can make it higher risk
CVE-2017-2988

● Dangling reference issue in Flash
● Result of a hack made to load macromedia.com in 2003
○ Deleting a MovieClip in onKillFocus
● Reported in 2017
CVE-2017-3558

● Memory corruption issue in VirtualBox allowing guest-to-host escalation
● Caused by old code not being fully removed
● Also fixed in upstream but not downstream
CVE-2017-3558

void ip_input(PNATState pData, struct mbuf *m){
    register struct ip *ip;
    [...]
    ip = mtod(m, struct ip *);
    [...]
    {
        [...]
        /*
         * XXX: TODO: this is most likely a leftover spooky action at
         * a distance from alias_dns.c host resolver code and can be
         * g/c'ed.
         */
        if (m->m_len != RT_N2H_U16(ip->ip_len))
            m->m_len = RT_N2H_U16(ip->ip_len);
    }
}
Font Issues
● Track feature use
○ Content stats are also possible
○ Compare usage to reported security issues
● Prune trees regularly
○ Track unmodified code
○ Refactor code if necessary
● Make sure all code has an owner
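As an added example of "track unmodified code" (not part of the talk), a small Node.js script that reads the output of git log --format=%ct --name-only (newest commit first), records the last commit that touched each path, and lists files that nothing has touched for a configurable number of days. The log text embedded here is constructed sample data and the paths are invented; a real run would pipe git's output into lastTouched.

```javascript
// Added example, not from the original slides: find files that no commit
// has touched in a long time, as a first cut at "track unmodified code".
//
// Input format: `git log --format=%ct --name-only` (newest commit first),
// i.e. a Unix timestamp line followed by the paths changed in that commit.
// The parser only assumes "all-digit line = timestamp, other non-blank
// line = path", so blank-line layout differences do not matter.

// Constructed sample log (four commits, newest first); paths are invented.
const SAMPLE_LOG = `
1700000000

src/core/parser.c
src/core/util.c

1650000000

src/legacy/movieclip.c
src/core/util.c

1600000000

src/legacy/onkillfocus.c
src/legacy/movieclip.c

1400000000

src/legacy/old_loader.c
`;

const NOW = 1710000000;          // fixed "now" so the example is deterministic
const STALE_AFTER_DAYS = 365 * 3; // flag anything idle for three years or more

// Map each path to the timestamp of the newest commit that touched it.
function lastTouched(logText) {
  const last = new Map();
  let ts = null;
  for (const raw of logText.split("\n")) {
    const line = raw.trim();
    if (line === "") continue;
    if (/^\d+$/.test(line)) { ts = Number(line); continue; }
    // Newest commit comes first, so the first sighting of a path wins.
    if (ts !== null && !last.has(line)) last.set(line, ts);
  }
  return last;
}

// Paths idle longer than the threshold, most neglected first.
function staleFiles(logText, now = NOW, staleDays = STALE_AFTER_DAYS) {
  const cutoff = now - staleDays * 86400;
  return [...lastTouched(logText)]
    .filter(([, ts]) => ts < cutoff)
    .map(([path, ts]) => ({ path, daysIdle: Math.floor((now - ts) / 86400) }))
    .sort((a, b) => b.daysIdle - a.daysIdle);
}

for (const { path, daysIdle } of staleFiles(SAMPLE_LOG)) {
  console.log(`${daysIdle} days idle: ${path}`);
}
```

The output is a review list, not a verdict: a file untouched for years may be stable or may be the forgotten leftover the slides describe, and the next step is the one the talk suggests, checking whether it still has an owner and a user.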
Code Sharing

● Using the same code for multiple purposes can expose it to new and unnecessary attack vectors
● Multiple copies of the same code are difficult to maintain
CVE-2015-7894, etc

● 7 memory corruption issues in Samsung S6 Edge image processing
● Due to bugs in QJPG by QURAM
CVE-2015-7894, etc

● Old code
● Context issue
Android WebView Issues

● Several Android features contained their own version of WebView
● Bugs were sometimes fixed in one version but not another
● Moved to unified WebView
Prevention

● Make sure each attack surface only supports needed features
● Avoid multiple copies of the same library
○ Consider extending this to third parties if applicable
Third-party code

● Misuse
● Extra features
● Lack of updates
● Unexpected interactions
CVE-2916-4117 (666)

● Remote code execution in FireEye MPS
● Caused by JODE Java Decompiler executing Java classes
● JODE was never intended to be used on untrusted code
Linux Kernel Configuration and Android

● CVE-2017-7308 is a memory corruption issue in Linux
● Requires CAP_NET_RAW on Android due to CONFIG_USER_NS not being defined
● Good design from both Android and Linux perspective
Flash Win32K Lockdown
Lack of Updates

● Android libraries
○ WebView
○ Media
○ Qualcomm
○ Linux
Lack of Updates
Prevention

● Track third-party software
● Have an internal process for use
● Trim unnecessary features
● (Security) update frequently
Excessive SKUs and branching

● Every SKU and branch makes it harder to push security updates
● Can introduce bugs
● May patch incompletely
Vendor 1

● New product shares code with old product
● Determined bug was in both products
● Forgot to merge fix into old product
● Forgot to merge different issue into all branches
○ Root cause: build failure
Vendor 2

● Releases ~365 SKUs per year with unclear support periods
● Could not fix bugs in 90 days
● Could not tell us fix date
● Could not tell us fix saturation
QPSIIR-175

● Qualcomm GPU driver bug
● Already fixed, but not fixed in all branches, or all current products
QPSIIR-175

int adreno_perfcounter_query_group(struct adreno_device *adreno_dev,
    unsigned int groupid, unsigned int __user *countables,
    unsigned int count, unsigned int *max_counters)
{
    ...
    if (countables == NULL || count == 0) {
        kgsl_mutex_unlock(&device->mutex, &device->mutex_owner);
        return 0;
    }
    t = min_t(int, group->reg_count, count);
    buf = kmalloc(t * sizeof(unsigned int), GFP_KERNEL);
    if (buf == NULL) {
        kgsl_mutex_unlock(&device->mutex, &device->mutex_owner);
        return -ENOMEM;
    }
    for (i = 0; i < t; i++)
        buf[i] = group->regs[i].countable;
CVE-2017-0528

● Merge error in Android reducing ASLR bits
○ Bad conflict resolution
● Resolved by adding tests
● Android One
Prevention

● Avoid branching. Avoid SKUs.
● Make it difficult to branch
● Have a documented support period for every branch/SKU/product
○ Make downstream do it too
● Robustly test every branch/product
Conclusions

● Consider the security impact of features in design
● Track feature use, and remove old and unused features
● Carefully consider third-party code and keep it up to date
● Reduce SKUs and branches
● Have a clear support period for every product
Questions

http://googleprojectzero.blogspot.com/
@natashenka
[email protected]
