Solving the XSS problem by signing <SCRIPT> tags

Last week I talked about JavaScript security at Virus Bulletin 2009. One of the security problems with JavaScript (probably the most insidious) is Cross-site Scripting (which is usually shortened to XSS).

The basic defense against XSS is to filter user input, but this has been repeatedly shown to be a nightmare. Just yesterday Reddit got hit by an XSS worm that created comments because of a bug in the implementation of markdown.

I believe the answer is for sites to sign the <SCRIPT> tags that they serve up. If they signed against a key that they control then injected JavaScript could be rejected by the browser because its signature would be missing or incorrect and the entire XSS problem would disappear.

For example, this site includes Google Analytics and here's the JavaScript:

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ?
"https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + 
"google-analytics.com/ga.js'
type='text/javascript'%3E%3C/script%3E"));
</script>

<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-402747-4");
pageTracker._trackPageview();
} catch(err) {}</script>

Since I chose to include that JavaScript I could also sign it to say that I made that decision. So I could modify it to something like this:

<script type="text/javascript"
sig="068dd60b18b6130420fed77417aa628b">
var gaJsHost = (("https:" == document.location.protocol) ?
"https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + 
"google-analytics.com/ga.js'
type='text/javascript'%3E%3C/script%3E"));
</script>

<script type="text/javascript"
sig="17aa628b05b602e505b602e505b602e5">
try {
var pageTracker = _gat._getTracker("UA-402747-4");
pageTracker._trackPageview();
} catch(err) {}</script>

The browser could verify that everything between the <SCRIPT> and </SCRIPT> is correctly signed. To do that it would need access to some PK infrastructure. This could be achieved either by piggybacking on top of existing SSL for the site, or by a simple scheme similar to DKIM where a key would be looked up via a DNS query against the site serving the page.

For example, jgc.org could have a special TXT DNS entry for _scriptkey.jgc.org which would contain the key for signature verification.

To make this work correctly with externally sourced scripts it would be important to include the src attribute in the signature. Or alternatively an entirely new tag just used for signatures could be created to sign the HTML between the tags:

<sign sig="068dd60b18b6130420fed77417aa628b">
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ?
"https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + 
"google-analytics.com/ga.js'
type='text/javascript'%3E%3C/script%3E"));
</script>

<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-402747-4");
pageTracker._trackPageview();
} catch(err) {}</script>
</sign>

Either way this would mean that JavaScript blocks could be signed against the site serving the JavaScript completely eliminating XSS attacks.

Note that in the case of externally sourced scripts I am not proposing that their contents be signed, just that the site owner sign the decision to source a script from that URL. This means that an XSS attack isn't possible. Of course if the remotely sourced script itself is compromised there's still a problem, but it's a different problem.

Geek Side Trip: CERN

While over in Geneva for the Virus Bulletin 2009 conference I managed to make a side trip to see CERN. It turned out to be a great afternoon because the tour was guided by actual physicists and I took a school trip.

I am a little old for it, but when I organized my trip I was told that I would be added to a group from Steyning Grammar School. There I was with 23 final year A-level students on a whirlwind trip to Switzerland. They were extremely nice kids, and I could easily imagine that teaching such a group would be incredibly rewarding.

The visit started with a talk and a film. This told the story of CERN itself (it's almost 55 years old) and described the operation of the Large Hadron Collider.

Here's what part of the LHC looks like (this is a mock-up). The large blue thing is one of the super-conducting magnets. There are 1,232 of these in the 27km ring, each weighs about 27 tonnes.



After that we were bussed over to where the superconducting magnets used in the LHC are received and tested. This involves cooling them down to very close to 0 K (actually 1.7 K), turning on the pair of magnets and inserting a rotating rod inside the two tubes where the particle beam will pass.

Here's a view of a slice through one of the magnets. The two tubes in the middle are where the particle beams pass. The tubes contain a hard vacuum and are surrounded by super-conductors that form the magnet. The entire thing is bathed in liquid helium by a network of pipes.



The rotating rods inserted to test the magnets contain coils that have an electric current induced in them. Measuring the electric current it's possible to confirm that the magnetic field inside the tubes is perfect. The magnetic field is what bends the counter-rotating beams slightly so that they end up tracing out a circle.

This is a detail of one of the particle bean tubes with the valve used for maintaining the hard vacuum. I was surprised how small it was.



And here's a shot of a single dipole magnet ready to be attached to the test apparatus.



And if you are going to move one of those around you need a robot. This one floats around on an air cushion.



To join the magnets together in the circle you need a flexible coupling. The Bulgarian physicist who showed us this bit explained how the magnets were coupled and soldered together: 125,000 separate joints! This is where the LHC failure occurred.



As well as the magnets for bending the beam the beam has to be accelerated. That's achieved by one of these:



And to keep the beam focussed you need another sort of magnet (I don't have a picture of those, but there are 392 of them).

After all that we headed over to the AMS which is a satellite that will be attached to the International Space Station. The highlight of that part was that the designer of it (and friendly Italian man called Giovanni Ambrosi) was on hand to explain what he'd been up to for the last 15 years.

POPFile v1.1.1

The cool team that manages the POPFile project (that I started what seems like years ago...) have just released v1.1.1 with a bunch of improvements (especially for Windows users).

From the release notes:

1. New features

You can now customize Subject Header modification placement (head or tail)
by changing the new option 'bayes_subject_mod_pos'. (ticket #74)

NNTP module now caches articles received with the message number specified.

You can now jump to message header/message body/quick magnets/scores in the
single message view by clicking links on the head of the page. (ticket #77)

You can now filter messages shown in the history using 'reclassified' option.
(ticket #67)


2. Windows version improvements

The minimal Perl has been updated to the most recent 5.8 release. Since this
release of Perl only officially supports Windows 2000 or later POPFile 1.1.1
may not work on Windows 95, Windows 98, Windows Millennium or Windows NT. The
installer will display a warning message explaining that POPFile may not work
properly on these old systems.

The Windows system tray icon's menu now offers options to visit the support
website and check for new versions of POPFile.

If the automatic version check feature has been turned on (via the Security tab
in the User Interface) then the system tray icon will change and a message box
will be displayed. This check is performed once per day.

Now that all known problems with the system tray icon have been fixed it will
be enabled by default in new installations. (ticket #106)

The Windows installer now preselects the relevant components when upgrading or
modifying an existing installation. (tickets #13 and #26)

The Windows installer can now display the UI properly even if the database is
very large (tens of MB). (ticket #109)

Fixed a problem that POPFile does not work on Japanese Windows when the path
of the data directory contains non-ASCII characters (e.g. the user name is
written in Japanese). (ticket #111)

The installer is now compatible with Windows 7.


3. Mac OS X version improvements

The installer for Mac OS X 10.6 (Snow Leopard) has come.
Since Snow Leopard includes Perl v5.10.0, the Perl modules which are supplied
with the POPFile installer v1.1.0 or earlier aren't compatible with it.

Starting with this version, two versions of installer will be released.
One is for Snow Leopard, and another is for the former versions of Mac OS X.
The name of Snow Leopard installer will have '-sl' suffix.


4. Other improvements

The users who are using very large database (tens of MB) will be able to
reclassify messages faster. (ticket #108)

JavaScript must die

I've just completed my presentation at Virus Bulletin 2009 which was entitled JavaScript Security: The Elephant running in your browser.

My thesis is that the security situation with JavaScript is so poor that the only solution is to kill it. End users have very little in the way of protection against malicious JavaScript, major web sites suffer from XSS and CSRF flaws, the language itself allows appalling security holes, and as data moves to the cloud the 14 year old JavaScript security sandbox becomes more and more irrelevant.

Here are the slides:

Javascript Security

View more presentations from jgrahamc.

The Geek Atlas: now on your iPhone

Today, O'Reilly released my book, The Geek Atlas, as an iPhone application. It's the complete text of the book on the iPhone. Since the book is organized as small chapters it's very readable on a small screen.



The neatest feature is that latitude and longitude given for each place in the book is clickable and takes you straight to that location on Google Maps.

And it's only $5.99 or £3.49.

"Hello John. It's Gordon Brown."

Last night the British Prime Minister Gordon Brown issued a long statement about my Alan Turing petition that included a clear apology for his treatment. Unfortunately, I've been in bed nursing the flu so it was only by chance that an amazing sequence of events occurred.

Yesterday evening I realized that I had to check my email (I'd been avoiding it while ill) because of a work commitment on Friday and so I logged in to find a message that read:

John - I wonder if you could call me as a matter of urgency, regarding your petition. Very many thanks!

Kirsty

Kirsty xxxxxxx
10 Downing St, SW1A 2AA
Tel: 020x xxxx xxxx

So, I called back. The telephone number was the Downing Street switchboard and after Kirsty told me that the government was planning to apologize for Alan Turing's treatment she then said "Gordon would like to talk to you".

A few minutes later the phone rang and a soft Scottish voice said: "Hello John. It's Gordon Brown. I think you know why I am calling you". And then he went on to tell me why. He thanked me for starting the campaign, spoke about a "wrong that he been left unrighted too long", said he thought I was "brave" (not sure why) and spoke about the terrible consequences of homophobic laws and all the people affected by them.

I was mostly speechless. The Prime Minister was calling me!

What no one saw was the work to make this happen. And what many don't realize is that the 'campaign' consisted of a staff of one: me. Although many people enthusiastically got the word out via Twitter, blogs and other means, I spent a great deal of time massaging the press, handling celebrities, and keeping the momentum to make it happen. One day, perhaps, I'll tell the story.

Most of the planning was done from the top deck of a London double-decker bus on the way to work. Amazing what you can do with 30 minutes of peace and an iPhone.

But what I must do is thank all 30,000 people who signed the petition, the media who ran with the story (especially the Manchester Evening News, BBC Radio Manchester, The Independent and BBC Newsnight) when it was still a small story. Thank you to all in the LGBT press that interviewed me and got the ball rolling in the first place. And thank you to the big names like Richard Dawkins and Stephen Fry who got the story out to a wide audience.

And thank you Gordon Brown. Your telephone conversation with me was heartfelt, and your apology clear and unambiguous. What a wonderful outcome!

For me, it's the end of my campaign.

But for others it is not. It's vital that Bletchley Park and the National Museum of Computing secure funding to keep them alive.