Secure Coding mailing list archives

Insider threats and software


From: crispin at novell.com (Crispin Cowan)
Date: Tue, 28 Aug 2007 02:42:33 -0700

Paco Hope wrote:
On 8/16/07 7:44 PM, "silky" <michaelslists at gmail.com> wrote:

how is this different than sending malformed packets to an rpc interface?
...
Now I'll gently disagree with Gary, who is my boss, so you know I'll hear about it in the hallways... I think this 
feels more like "privilege escalation" than "insider threat." The distinction being that these attacks allow an 
authorized user who has limited privileges to escalate their privileges and do things that they shouldn't be able to 
do. An insider (to me) is a person who already had that privilege and status when they started their attack. (Read 
Kevin Wall's follow-up on darkreading.com; he has good things to say on who are insiders and outsiders.) Where we are 
prone to confusion, I think, is that outsiders or limited authorized users can have the same IMPACT as an insider, 
when the privilege escalation is sufficiently bad.
  
Gary has an interesting but fairly obvious idea, that AJAX clients are
exceptionally vulnerable to the environment they run in. Said clients
are also part of a distributed computing system between the AJAX client,
the web front end, and whatever back-end systems are involved.

Is this an "insider" threat? Only if the people who coded the server
were dumb enough to treat the AJAX client as if it were an insider
component. Never do that.

This is web security 101: always always always check your input
parameters, and especially if they are coming from a web client.

There is a risk here that AJAX developers will get confused, lazy,
sloppy, about whether the AJAX client component is trusted or not. It is
not clear to me yet whether the AJAX dev tools that are emerging make
that mistake pervasive, or if it requires a special kind of stupid to
make that mistake.

Is this really an insider threat? I think that is stretching things, but
not a huge amount.

Gary also brings up references to his book on hacking games. Small-scale
distributed games are the same as web apps; never trust the client.
Large scale MMORP games (everything from World of Warcraft to Second
Life) are economically mandated to shift as much computational burden
onto the client as possible, and that entails inevitably trusting the
clients more than security really can tolerate. Such games are
inherently insecure; look for more hacking to occur. Read more about it
in this Oakland 2007 paper, with an interesting solution to this problem:

    /Enforcing Semantic Integrity on Untrusted Clients in Networked
    Virtual Environments (Extended abstract)/
    Somesh Jha, Stefan Katzenbeisser, Christian Schallhart, Helmut Veith
    and Stephen Chenney
    
http://csdl2.computer.org/persagen/DLAbsToc.jsp?resourcePath=/dl/proceedings/&toc=comp/proceedings/sp/2007/2848/00/2848toc.xml&DOI=10.1109/SP.2007.3

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
        AppArmor Chat: irc.oftc.net/#apparmor
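The point above about never treating the AJAX client as an insider component, as an added example that is not part of the original post: a server-side handler that honours the role and account claimed in the request body (the privilege-escalation case Paco describes), beside one that takes identity and role from server-side session state and type- and range-checks every client-supplied field. The session table, user records and endpoint semantics are constructed for illustration, not taken from any real application.

```python
import json

def fresh_state():
    """Constructed server-side state: session table and user records."""
    sessions = {"sess-alice": "alice", "sess-bob": "bob"}
    users = {"alice": {"role": "user", "balance": 100},
             "bob": {"role": "admin", "balance": 500}}
    return sessions, users

def credit_trusting_client(sessions, users, session_id, body):
    """Vulnerable: treats the AJAX client as an insider component by
    honouring the role and account it claims in the request body.
    A limited user who edits what the browser sends gets admin results."""
    req = json.loads(body)
    if req.get("role") != "admin":
        return 403, "forbidden"
    users[req["account"]]["balance"] += req["amount"]
    return 200, "ok"

def credit_validated(sessions, users, session_id, body):
    """Hardened: identity and role come from server-side session state,
    every client-supplied field is checked, and the 'role' field in the
    body is ignored because the client is not trusted to assert it."""
    caller = sessions.get(session_id)
    if caller is None:
        return 401, "not authenticated"
    try:
        req = json.loads(body)
    except ValueError:
        return 400, "malformed JSON"
    account, amount = req.get("account"), req.get("amount")
    if not isinstance(account, str) or account not in users:
        return 400, "bad account"
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(amount, bool) or not isinstance(amount, int) \
            or not 1 <= amount <= 10_000:
        return 400, "bad amount"
    # Crediting an account is an admin operation; only the server's own
    # record of the caller's role decides.
    if users[caller]["role"] != "admin":
        return 403, "forbidden"
    users[account]["balance"] += amount
    return 200, "ok"
```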


