Dailydave mailing list archives

Re: What a failure of Secure by Design looks like: Web Browsers


From: Michal Zalewski via Dailydave <dailydave () lists aitelfoundation org>
Date: Thu, 16 May 2024 09:11:36 -0600

As you note, the list is much longer than JIT - web fonts, WebGL, and so on.

But I was there, and many of these decisions weren't about not
grasping the risk, or prioritizing performance for the sake of it.

Rather, they came from a place of terror: look at mobile applications
cannibalizing the browser market share! If we don't give people the
ability to build applications with as much flexibility as they have
natively, the web will start shrinking, and we'll trade an open
platform for a universe of walled gardens tightly controlled by
companies such as Facebook. And you know, it's hard to offer a good
rebuke to that. "Sure, the web might die, but it will die secure".

In practice, yeah, some of this didn't matter. Web fonts were
essential. WebGL enabled some niche applications, but it didn't
revolutionize the platform. Stuff like JS JIT or WebAssembly probably
weren't worth the price. But you only know this in retrospect.

The fundamental problem with browsers is that the current way we think
about them is kind of nuts - i.e., we design them as operating systems
that can safely run untrusted code. But if you started with the
paradigm that you don't want to expose anything risky or unproven to
the world, you'd have ended up with a fairly niche document reader -
plus a lot more native apps and monstrosities such as Java in the
browser or Macromedia Flash. So at what point do you say "enough"?

/mz

On Thu, May 16, 2024 at 8:49 AM Dave Aitel via Dailydave
<dailydave () lists aitelfoundation org> wrote:

I know it's in vogue to pick on enterprise hardware marketed to "Secure your OT Environment" but actually written in 
crayon in a language made of all sharp edges like C or PHP, with some modules in Cobol for spice. This is the 
"Critical Infrastructure" risk du jour, on a thousand podcasts and panels, with Volt Typhoon in the canary seat, 
where once only the "sophisticated threat" Mirai had root permissions.

As embarrassing as having random Iranian teenagers learn how to do systems administration on random water plants in 
New Jersey is, it's more humiliating to have systemic vulnerabilities right in front of you, have a huge amount of 
government brain matter devoted to solving them, and yet not make the obvious choice to turn off features that are 
bleeding us out.

And when you talk about market failure in Security you can't help but talk about Web Browsers, both mobile and 
desktop. Web Browsing technology is in everything - and includes a host of technologies too complicated to go into, 
but one of the most interesting has been Just in Time compiling, which got very popular as an exploitation technique 
(let's say) in 2010 but since then - for over a decade! - has been a bubbling septic font of constant systemic, 
untreated risk.

Proponents of having a JIT in your JavaScript compiler say "Without this kind of performance, you wouldn't be able to
have GMail or Expedia!" Which is not true on today's hardware (Turn on Edge Strict Security mode today and you won't 
even notice it), and almost certainly not true on much older hardware. The issue with JITs is visible to any hacker 
who has looked at the code - whenever you have concepts like "Negative Zero" that have to be gotten perfectly every 
time or else the attacker gets full control of your computer, you are in an indefensible space.

I would, in a perfect world, like us to be able to get ahead of systemic problems. We have a rallying cry and a lot 
of signatories on a pledge, but we need to turn it into clicky clicking on the configuration options that turn these 
things off on a USG and Enterprise level, the same way we banned Russian antivirus from having Ring0 in our 
enterprises, or suspiciously cheap subsidized Chinese telecom boxes from serving all the phone companies across the 
midwest.

The issue with web browsers is not limited to JITs. A Secure By Design approach to web browsing would mean that most 
sites would not have access to large parts of the web browsing specification. We don't need to be tracked by every 
website. They don't all need access to Geolocation or Video or WebAssembly or any number of other parts of the
things our web browsers give them, largely in order to allow the mass production of targeted advertising.

If we've learned anything in the last decade, it is that the key phrase in Targeted Advertising is "Targeted", and 
malware authors have known this for as long as the ecosystem existed. The reason your browser is insecure by default 
is to support a parasitic advertising ecology, enhancing shareholder value, but leaving our society defenceless 
against anyone schooled enough in the dark arts.

Google's current solution to vulnerabilities in the browser is Yet Another Sandbox. These work for a while until they 
don't - over time, digital sandboxes get dirty and filled with secrets just like the one in your backyard gets filled 
with presents from the local feral cat community. I know Project Zero's Samuel Groß is better at browser hacking than 
I am, and he personally designed the sandbox, but I look out across the landscape of the Chinese hacking community 
and see only hungry vorpal blades and I do not think it is a winning strategy.

-dave

References:

Microsoft's Strict mode turns the JIT off (kudos to Johnathan Norman): https://support.microsoft.com/en-us/microsoft-edge/enhance-your-security-on-the-web-with-microsoft-edge-b8199f13-b21b-4a08-a806-daed31a1929d
The Sandbox: https://v8.dev/blog/sandbox
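Dave's "Negative Zero" remark above refers to an IEEE-754 detail that an optimizing JIT must preserve exactly: -0 and +0 compare equal, yet they are distinguishable and produce different results downstream, so a speculative integer fast path that silently drops the sign of zero changes program semantics. The following is an added illustration, not code from this thread or from any browser engine: it models a naive integer fast path beside a corrected one and runs a differential check against the exact reference multiplication, the kind of test a defender would use to catch this class of mismatch. All function names are the example's own.

```javascript
// Added example (not from the Dailydave thread): why the sign of zero is a
// correctness hazard for an optimizing compiler, and how to test for it.

// Ways in which -0 differs from +0 even though `-0 === 0` is true.
function negativeZeroFacts() {
  return {
    strictlyEqual: -0 === 0,                    // true: === cannot tell them apart
    objectIs: Object.is(-0, 0),                 // false: Object.is can
    reciprocal: 1 / -0,                         // -Infinity, whereas 1 / 0 is +Infinity
    minOfZeros: Object.is(Math.min(0, -0), -0), // true: the spec orders -0 below +0
  };
}

// Reference multiplication: plain IEEE-754 double arithmetic.
function mulExact(a, b) {
  return a * b;
}

// Hypothetical naive fast path modelling what a JIT wants for speed: when both
// operands are integers, multiply as 32-bit ints. `| 0` collapses -0 into +0,
// so the optimized code disagrees with the reference on some inputs.
function mulNaiveInt32(a, b) {
  if (Number.isInteger(a) && Number.isInteger(b)) {
    return (a * b) | 0;
  }
  return a * b;
}

// Corrected fast path: a zero operand is exactly the case where the sign of
// the result zero matters, so bail out to exact arithmetic there and take the
// integer path only for the remaining operands.
function mulCheckedInt32(a, b) {
  if (Number.isInteger(a) && Number.isInteger(b)) {
    if (a === 0 || b === 0) {
      return a * b; // also catches -0, since -0 === 0
    }
    return (a * b) | 0;
  }
  return a * b;
}

// Differential check: run an implementation over constructed operand pairs and
// report every input where it disagrees with the reference under Object.is
// (which, unlike ===, distinguishes -0 from +0).
function findNegativeZeroMismatches(impl) {
  const samples = [[0, -3], [-3, 0], [-0, 5], [0, 0], [-0, -0], [2, 3], [-4, 7]]; // constructed
  const mismatches = [];
  for (const [a, b] of samples) {
    const want = mulExact(a, b);
    const got = impl(a, b);
    if (!Object.is(want, got)) {
      mismatches.push({ a, b, want, got });
    }
  }
  return mismatches;
}

// Stand-alone run: the naive path fails on three inputs, the checked path on none.
console.log(negativeZeroFacts());
console.log("naive mismatches:", findNegativeZeroMismatches(mulNaiveInt32));
console.log("checked mismatches:", findNegativeZeroMismatches(mulCheckedInt32));
```

The naive path mis-handles `0 * -3`, `-3 * 0` and `-0 * 5`, all of which must yield -0. The point is not that the fix is hard; it is that every such fast path in a real engine needs its own check, and a single omitted one is exactly the kind of detail the message above describes as indefensible.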
_______________________________________________
Dailydave mailing list -- dailydave () lists aitelfoundation org
To unsubscribe send an email to dailydave-leave () lists aitelfoundation org