New Security Issues related to Embedded Web Servers

1
New Security Issues related to
Embedded Web Servers
Eric Vétillard, Trusted Labs
© 2009 Trusted Logic S.A.

3
Card characteristics
 Reacts to external requests
▪ a.k.a. APDU command
 Is accessible to the attacker
▪ Provided that the attacker has the card handy
▪ A bit more remotely with contactless cards
 Of course, most cards use specific protocols

4
Card functions
 Store, use, and protect secrets
 Store private user data
 Authenticate users
 Establish secure communication links

How is a Web Server Different ?

6
A Web server is standard
 There are many standards to be followed
▪ Protocols: HTTP, HTTPS, SSL, …
▪ Data formats: HTML, XML, CSS, …
▪ Languages: JavaScript, …
 Web clients are standardized
▪ Browsers
▪ JavaScript-based AJAX clients

7
A Web server is complex
 At least, more complex than a typical card
 Several layers of complexity
▪ TCP/IP is more complex than ISO7816-3
▪ Data exchange formats more complex
▪ XML more complex than TLV
▪ Processes often more complex
▪ In particular, GUI provided by the server
 But, complexity mostly handled by browser
▪ The server provides a description but no rendering
© 2009 Trusted Logic S.A

8
A Web server is accessible
 Most Web servers are on Internet
▪ They are widely accessible by everybody
 The most sensitive servers are not
▪ They are on various kinds of Intranets
▪ Think of your SVN servers
▪ Think of your router’s/printer’s internal server
 Some servers are local to a device
▪ Only accessible from the device that hosts them

9
An attacker’s point of view
 Standard
▪ Good reusability of attack efforts
▪ Widely deployed standard clients are vulnerable
 Complex
▪ More complex, more buggy, more vulnerable
 Accessibility
▪ Easy to reach and reproduce
▪ Possibility to evade law enforcement

11
What makes a good attack?
 A vulnerability
▪ Widely deployed is better
▪ Hard to fix is very good
▪ design flaw vs. implementation flaw
▪ Requiring significant work from developer
 Opportunities for exploitation
▪ Stealing/abusing authentication credentials
▪ Compromising users’ machine

12
State-of-the-art
 Web attacks are not static
 OWASP regularly updates its “Top 10”
▪ Old (under control) attacks are downgraded
▪ New (uncontrolled) attacks are added/upgraded
 Let’s look at their latest release
▪ Can they be applied to smart cards?

13
OWASP’s Top 10 Vulnerabilities
 Cross-site scripting (XSS)
 Injection flaws
 Malicious file execution
 Insecure direct object reference
 Cross site request forgery
 Information leakage and improper error handling
 Broken authentication and session management
 Insecure cryptographic storage
 Insecure communications
 Failure to restrict URL access

14
A1 – Cross-Site Scripting (XSS)
 Cross-site scripting is a subset of HTML
injection
▪ XSS allows attackers to execute a script in a
browser
 Reflected XSS
▪ Returns user-provided data to the same user
▪ Without checking it
out.println(" Successfully added " +
request.getParameter("id") ;

15
 Why is this vulnerable?
▪ Because of possible user entries
out.println(" Successfully added " +
request.getParameter("id") ;
<IMG SRC="javascript:alert('XSS');"> ;
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

16
 Stored XSS stores data before to display
it back
▪ Potentially to another user (a.k.a. the victim)
▪ Very useful in “social” sites
 DOM-based XSS modifies the DOM tree
▪ Usually in combination of Ajax
out.println("New friend added: " +
friend.getParameter("id") ;

17
 Recommended countermeasures include
▪ Input validation
▪ Use white-list validation (accept only limited input)
Validate length, type, syntax, business rules, …
▪ Avoid black-list validation, which can be bypassed
▪ Strong output encoding
▪ Encode all user-input directly
▪ Specify the output encoding explicitly
ISO8859-1 or UTF-8
▪ Watch out for canonicalization errors
▪ If possible, use standard library

18
 Does it apply to Smart Card Web Servers ?
 Yes, it definitely does
▪ Query data will be used by the server
▪ Resources are scarce
 Strong requirement for
▪ Output canonicalization

19
A2 – Injection flaws
 Every interpreter can fall victim of injection
flaws
▪ SQL is the most well-known victim
▪ HTML is also very common (see XSS)
▪ Any other interpreter can be attacked
▪ LDAP, XPath, XSLT, OS Command, …
▪ Your own proprietary language
 The danger comes from the interpreter itself
▪ Security is orthogonal to Java’s security

21
▪ White lists, no black lists
▪ Use standard libraries if available
▪ Design validation carefully for proprietary
frameworks
▪ Make exploits as difficult as possible
▪ Enforce least privilege principles
▪ Avoid detailed error messages
 Many countermeasures for specific
interpreters
▪ SQL is the most common

22
 Does it apply to Smart Card Web Servers?
 Not really, or not directly
▪ No interpreter, no problem
 But … a TLV format is a kind of interpreter
▪ Be careful as soon as data becomes structured
▪ Apply standard countermeasures

23
A3 – Malicious File Execution
 The attacker executes a malicious OS
command
▪ When runtime.exec() is used
▪ When files are created and/or updated
 Small example exploitable on a weak platform
String file = request.getParameter("file") ;
File f = new File(dir + "/"+ file) ;
http://www.example.com/banking?file=../../web.xml

24
A3 – Malicious File Execution
 No it doesn’t
▪ Advantage of a “bare metal” implementation
▪ No operating system to be abused
 But … there may still be an operating system
▪ Control all interfaces with Web server

25
A4 – Insecure Direct Object Ref
 Never expose reference to implementation objects
▪ Files, directories, records, keys, etc.
 An attacker may modify or abuse such references
String language = request.getParameter("language") ;
ResourceBundle rb = context.getResources("rsrc-"+language);
<select name=“language”>
<option value=“fr”>Français</option>
</select>
int cartId = Integer.parseInt(request.getParameter("cartID");
String query = "SELECT * FROM table WHERE cartID=" + cartId);

26
▪ Establish a standard way to refer to app objects
▪ Avoid exposing private object references to users
No primary keys, no filenames
▪ Validate any private object references extensively
An “accept know good” approach is here easy
▪ Verify authorization to all referenced objects
▪ Make sure that input does not contain attack
patterns
For instance, “../” and “%00”

27
▪ Think about the “cart Id” example
▪ Short identifiers are likely on smart cards
▪ These identifiers may be easy to guess
 Countermeasures are seen as expensive
▪ Map external references to internal ones

28
A5 – Cross Site Request Forgery
 Cross-site request forgery steals user
privileges
▪ The attacker sends a request from the victim’s
browser
▪ The browser will use the victim’s privileges
▪ For instance, if the victim is logged in to a bank
 The browser provides some protection
▪ There is a “same origin” policy
▪ It is not possible (easy) to directly steal content
▪ But, requests can be sent and interpreted on
server

31
A5 – Cross Site Request Forgery
 A few countermeasures are simple enough
▪ Insert random token in URL’s
▪ Re-authenticate for sensitive transactions
▪ More generally, limit the validity of authentication

32
A6 – Information Leakage and Improper
Error Handling
 Applications frequently use error messages
▪ They often try to be “helpful” for the user
 As a result, some information is leaked
▪ Results are often too differentiated
▪ “Wrong username” vs. “Wrong password”
▪ Debugging information is often included
▪ Stack traces
▪ Failed SQL statements

34
A6 – Information Leakage and Improper
Error Handling
 Yes, but not really
 Default output is likely to be scarce
▪ Tools are unlikely to include detailed information
▪ Applications are likely to have simple error mgmt
▪ Debugging code is the most likely culprit
▪ Override errors with standard response

35
A7 – Broken Authentication and Session
Management
 Many flaws are possible in authentication
▪ We know them quite well
 Flaws are often found in ancillary functions
▪ Logout that doesn’t work, password management,
no timeout, etc.
 Session management is provided by the
platform
▪ Don’t try to design one yourself

38
A7 – Broken Authentication and Session
Management
 Yes, it does
▪ All errors can be done on a card application
 Java Card 3.0 provides some tools
▪ They are not sufficient on their own
▪ Be careful if you write authenticators

39
A8 – Insecure Cryptographic Storage
 Sensitive data should be stored encrypted
▪ First, the data should actually be encrypted
▪ Then, the cryptography should be efficient
▪ Using well-known, accepted algorithms
▪ Protecting the keys adequately
 Sensitive data should be well qualified
▪ Don’t forget some sensitive data
▪ Don’t store data that you don’t need
▪ If you don’t have it, attackers can’t get it

40
A8 – Insecure Cryptographic Storage
 Not really, at least for card developers
▪ Java Card 3.0 is not as exposed as other
platforms
▪ Many mechanisms are readily accessible
▪ The storage is tamper-proof to some level
 Still, some recommendations apply
▪ Use the platform’s algorithms and key storage
▪ Ensure that your encryption cannot be bypassed
▪ Don’t store data unnecessarily

41
A9 – Insecure Communications
 Sensitive data should be encrypted
▪ Secure channels need to be used
▪ HTTPS, SSL, TLS, …
 Encryption is not sufficient
▪ Session establishment is crucial
▪ Authentication of other party is mandatory

42
A9 – Insecure Communications
 Yes it does
▪ SSL may be unusual and hard for smart card guys
▪ Mutual authentication may be hard to get
▪ How can you be sure that your user has actually
authenticated you (i.e., that phishing won’t work) ?
▪ All Web designers face the same issues

43
A10 – Failure to Restrict URL Access
 Flaws are linked to accessible URLs
▪ Hidden or specials URLs, proposed only to
privileged users, but in fact accessible to all users
▪ Pages used during development that perform
administrative functions (without authentication)
▪ Sensitive data hidden by “Security through
Obscurity”
▪ Out-of-date access control policies
▪ Some pages remain accessible to too many users
▪ Code that evaluates privileges on the client

45
A10 – Failure to Restrict URL Access
 Yes, to a certain degree
▪ Smart Card Web Servers are likely to be simple
▪ Less temptation to have “hidden URLs”
▪ But … Smart Card Web Servers may be
administered through the Web interface
▪ We can see a chicken and egg problem
▪ There is no “console” on a smart card

47
A Local Server?
 A Smart Card Web Server may be local
▪ Basic assumption in SCWS
▪ Not an assumption in Java Card 3.0
 Some applications don’t need Web access
▪ Being local greatly reduced the risk of attacks
▪ Physical access becomes a prerequisite
 Smart cards may very often be local

48
Basic defenses
 Validate input, encode outputs
▪ Standard libraries can’t be directly used
▪ Be ready to sacrifice flexibility for security
 Follow recommendations for encoding
▪ Don’t use internal identifiers in the interface
▪ Include random data in URL’s
 Follow recommendations for access control
▪ No hidden URL’s
▪ Authenticate user after opening secure channel
▪ …

49
Reproduce Web server architecture
 Web servers are not monolithic
▪ They usually are “n-tier” systems
▪ The Web server is the presentation tier
▪ The actual data is on another (Intranet) server
 Smart card servlets can be structured
▪ The Java Card firewall guarantees some isolation
▪ Data is best kept outside of the servlet
▪ Attacks then need to be performed through servlet
▪ Management uses a different security policy

51
Try it out !
 When trying SCWS/Java Card 3.0
▪ Think about Web security
▪ Develop appropriate countermeasures
▪ At least, list what you should do
▪ Assess the performance impact
 Now, you should realize the problem
▪ Web security is not easy

52
Build reference code ?
 The specification is not the right place
▪ Security code is by essence variable
▪ Security code usually is the result of a trade-off
▪ Input validation is much easier if you only accept
alphanumerical characters and spaces
 Yet, this is not really a competitive area
▪ A broken Web server is bad news for all
 Would there be a use for a reference code?
▪ Bring the Web spirit to smart cards

53
Thank you !
Eric Vétillard
eric.vetillard@trusted-labs.com

New Security Issues related to Embedded Web Servers

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (11)

Destaque

Destaque (16)

Semelhante a New Security Issues related to Embedded Web Servers

Semelhante a New Security Issues related to Embedded Web Servers (20)

Mais de Eric Vétillard

Mais de Eric Vétillard (9)

Último

Último (20)

New Security Issues related to Embedded Web Servers