A system is secure only if the entire system is secure.
While this may sound obvious, achieving total security throughout a system is rarely trivial when you consider many real-world systems are constantly evolving. In the following paper, "The Emergence of Cross Channel Scripting" (XCS), Hristo Bojinov, Elie Bursztein, and Dan Boneh highlight this problem.
The systems examined in the paper are embedded Web servers that have become prevalent for system management and configurations of consumer electronic devices like digital photo frames, wireless routers, and network-attached storage (NAS) appliances.
Web applications have long suffered cross site scripting (XSS) vulnerabilities. XSS vulnerabilities of a Web application allows an attacker to inject attacking scripts into the Web application and then the attacking scripts execute with the privilege of the Web site on browsers. A particularly damaging type of XSS is persistent XSS in which the injected script persists beyond a browsing session and across different browsing users. For example, the infamous Samy worm exploits an XSS vulnerability in MySpace.com and the attacker (Samy, in this case) injected a script as part of Samy's (persistent) user profile. People who viewed Samy's profile found their profiles infected as did the viewers of their profiles, and so on.
For a device with such co-location of services, even if each of the services is secure on its own, running them together creates new security holes because each service has not had the assumption that the global state (such as the file system) is shared with others. To make things worse, if any of the services has a security hole, all services can be affected. Here, the authors talk about reverse XCS vulnerabilities where a Web server's XSS vulnerability can cause private data from other services to be leaked.
The cross site scripting (XSS) problem is amplified in the embedded Web server setting where servers co-locate with other services, sharing the underlying device resources, like the file system.
Based on these keen observations, the authors uncovered real-world XCS vulnerabilities in a slew of embedded systems, including several NAS appliances, lights-out management systems (LOM), and photo frames. The authors also explore cellphone-based XCS where the Palm Pre is vulnerable to an XCS attack that injects its payload through a calendar title or content.
The authors note some initial directions for defending against XCS, mostly along the lines of preventing information leakage by restricting the destinations of the outgoing network messages. This is indeed an interesting direction. The heart of the problem here is to construct such a policy. To me, a more fundamental solution would be to address the root cause of the problem and eliminate any state sharing of independently designed services. If cross-service sharing is needed, the service designer must enable such sharing explicitly.
By highlighting the vulnerabilities that still exist, this paper offers a valuable lesson inand interesting read aboutsystem security.
©2010 ACM 0001-0782/10/0800 $10.00
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2010 ACM, Inc.
No entries found