Secure web applications – using JS to create a new web language

When you look around on security mailing lists you’ll probably notice an increase in security warnings relating to web applications… many of them based on JS code injected into a webpage.

This has led to the uncomfortable situation where pages built on user content cannot trust their users to provide JS as part of their submitted content. So now we can share video, audio and other passive media, but anything interactive is out of the question.

What to do about it? The JS security system is entirely based on domain names, and some providers have resorted to running all user JS code on a separate domain… but this again limits the usefulness of JS because it can only operate within the assigned iframe. Others are trying to run the JS code through code analysis tools to find out whether it is doing anything “forbidden”.

But who are we kidding? Blacklist attempts have never worked so far, and the thing about web security is that even a single attack can leave data from dozens of apps exposed.

The alternative is quite simple, but to the best of my knowledge has never been tried: implementing a second language in JS, running protected in a separate sandbox, allowing only whitelisted calls and, if necessary, filtering the results. Is this possible? Certainly. Is it hard? Not as hard as one would imagine. Is it slow? Definitely slower than true JS, but still fast enough to be of use.

Let’s tackle these questions one by one:

Is it possible? Every language that can do basic text parsing can implement its own parser… it’s really as simple as that. And in JS it’s even easier, because we have a bunch of text processing tools like regular expressions that make parsing quite straightforward.

Is it hard? Not really… many of the requirements of the interpreted language can be mapped to native behaviour. For example, the garbage collector can work for the interpreted language as well if we map stacks and variables of the interpreted language back to native objects.

Is it slow? To answer this question we have to remember how code is usually stored in high-level languages: the CodeDOM. The CodeDOM is a simple, object-based tree structure in which any number of atoms make up expressions. Once we have parsed the expressions into this DOM and inserted all implicit behaviour, executing code is really just a matter of walking the tree. Each interpreted operation means running the atom handler and following the tree. The atom handlers usually don’t change and can therefore be compiled by the JS engine, and the jump to the next atom is just following a single reference. Combine that with the fact that we can replace known atom combinations with optimized functions and you’ll see that this is fast enough for the majority of simple web apps.
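To make the three answers above concrete, here is an added example (my own code, not the post’s): a toy second language with a regex tokenizer, a recursive-descent parser that builds the CodeDOM, and a tree walker whose only way out of the sandbox is the `api` whitelist object (an assumed name). The grammar, the step limit and the “primitives only” result filter are assumptions for the example.

```javascript
// Added example, not the post's code: a tiny sandboxed language implemented in JS with a
// regex tokenizer, a recursive-descent parser building the "CodeDOM" tree, and a tree walker.
function tokenize(src) {
  const toks = [];
  for (const m of src.matchAll(/(\d+)|("[^"]*")|([A-Za-z_]\w*)|([-+*\/(),])|\s+|(.)/g)) {
    if (m[5]) throw new SyntaxError("unexpected character: " + m[5]);
    if (m[1]) toks.push({ t: "num", v: Number(m[1]) });
    else if (m[2]) toks.push({ t: "str", v: m[2].slice(1, -1) });
    else if (m[3]) toks.push({ t: "id", v: m[3] });
    else if (m[4]) toks.push({ t: "op", v: m[4] });
  }
  return toks;
}
// Grammar (assumed): expr := term (("+"|"-") term)* ; term := atom (("*"|"/") atom)*
// atom := num | str | id "(" [expr ("," expr)*] ")" | "(" expr ")"   (no bare names: nothing to leak)
function parse(src) {
  const toks = tokenize(src); let i = 0;
  const peek = (t, v) => i < toks.length && toks[i].t === t && (v === undefined || toks[i].v === v);
  const eat = (t, v) => { if (!peek(t, v)) throw new SyntaxError("expected " + (v || t)); return toks[i++].v; };
  const binary = (next, ops) => () => {
    let l = next();
    while (peek("op") && ops.includes(toks[i].v)) l = { type: "bin", op: toks[i++].v, l, r: next() };
    return l;
  };
  function atom() {
    if (peek("num") || peek("str")) return { type: toks[i].t, v: toks[i++].v };
    if (peek("op", "(")) { i++; const e = expr(); eat("op", ")"); return e; }
    const name = eat("id"), args = []; eat("op", "(");
    while (!peek("op", ")")) { args.push(expr()); if (!peek("op", ")")) eat("op", ","); }
    i++; return { type: "call", name, args };
  }
  const term = binary(atom, "*/"), expr = binary(term, "+-");
  const tree = expr(); if (i < toks.length) throw new SyntaxError("trailing input"); return tree;
}
// Interpreter: one handler per atom type; "following the tree" is a property lookup. `api` is the
// whitelist: a name that is not its own property does not exist in the sandbox (so window,
// document, eval etc. are unreachable) and host results are filtered so only primitives come back.
const OPS = { "+": (a, b) => a + b, "-": (a, b) => a - b, "*": (a, b) => a * b, "/": (a, b) => a / b };
const primitive = r => { if (Object(r) === r) throw new TypeError("host object leaked"); return r; };
function run(src, api, maxSteps = 10000) {
  let steps = 0;                                   // also bounds runaway user code
  const ev = n => { if (++steps > maxSteps) throw new RangeError("step limit"); return handlers[n.type](n); };
  const handlers = {
    num: n => n.v, str: n => n.v,
    bin: n => OPS[n.op](ev(n.l), ev(n.r)),
    call: n => {
      if (!Object.prototype.hasOwnProperty.call(api, n.name)) throw new Error("forbidden call: " + n.name);
      return primitive(api[n.name](...n.args.map(ev)));   // arguments are evaluated inside the sandbox first
    },
  };
  return ev(parse(src));
}
```

A host like MySpace would populate `api` with exactly the DOM operations it wants to expose (say, a `setText` that only touches the user’s own elements); `run('upper("ab") + len("xyz") * 2', api)` then yields `"AB6"` while `run("eval(1)", api)` is refused before anything executes.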

Just think about what people could do if their apps were not restricted to their iframes… a YouTube OS? MySpace dynamic layouts? The sky would be the limit (that, and the rules inserted into the interpreter… MySpace could opt to give users full access to the page’s elements, but not its ads and not the document and window objects).

If I had a Hammer OR Why RFID in passports is a really bad idea…

First things first: I actually do have a hammer and I know how to use it when it’s time to get my new RFID-enabled passport. It’s a fairly easy method to disable this ugly tracking device.

The more important question is: why should I do it? Well, there are a couple of reasons, so let’s make a list:

Let’s start with the basic problems of any encrypted data:

  1. I don’t want the state to identify me… sure, they say the data is encrypted, but if there was no way for officials to read it, then we wouldn’t have to carry it around… so the key is somewhere, and let’s face it: if any part of our state has this key then it won’t take long until every single police station or whatever has access to it.
  2. I don’t want others to identify me… if the key is available somewhere, then it won’t take long until it leaks out.

But are there other scenarios where the chip could reveal your presence, even if the encryption was not compromised?
Hell yes. With RFID anybody can track you, even without the encryption key. This is by far the most interesting point. Let’s assume for a moment that the data is stored 100 percent securely and that the key is not available to anybody (I know, it’s difficult, but let’s try). Then the chip is still sending out the encrypted data, which may not be readable by itself, but it’s still a unique identifier. It says that person XY was last seen going to a bank, then going to a chemical supply firm and finally, after a brief visit to Starbucks, boarding a flight to Saudi Arabia (at least if there’s an RFID scanner at all these locations… this probably isn’t the case now, but it’s still a possibility we’ll have to deal with). Maybe you can’t find out who person XY is, but you sure can find out what he’s been doing, as XY has left the same digital fingerprint at all these locations. And if XY has used another identifier, let’s say a credit card, at at least two locations with an RFID scanner, we even know that this person is me.

Now this may all be very useful when trying to catch a criminal (even though it violates about every privacy law we’ve got), but this kind of information is available to anybody who can afford an RFID scanner. Let’s assume a group of stores agrees to exchange RFID information… not with any other authority, just among themselves. Sounds pretty harmless, doesn’t it? But from this information alone, combined with the list of items bought while you were at the store, matched across multiple shopping sessions and run through some easy statistical analysis, they’ll get something like this:

Usually around 1pm at store A, usually buys sweets, pizza, Coke and bathroom accessories. Around 6pm either at store B or C. This is only a tiny bit of what they could derive, but already they’d know where you live, where you work and what you buy, just like that.

And this would only be the “normal”, “marketing” way of analysing your data. Criminals are much more inventive…

I’m not asking you to do anything but think about how your privacy gets a beating with RFID passports.