Difference between revisions of "RIA Security Smackdown"

Latest revision as of 15:11, 14 April 2008

Notes from the OWASP Washington chapter meeting where we discussed:

Java Applet - very old technology, runs in sandbox
Flash 7 - old flash movie environment
JFX (Sun Java) - New scripting language compiles to bytecode, runs via Java Web Start
Silverlight (Microsoft) - .NET Applets that run inside the browser, no privileged code
Google Gears - local storage component with JavaScript API (Same Origin all the way down)
AIR (Adobe - formerly Apollo) - VM that runs Flash, Shockwave movies, ActionScript, JavaScript, FLV

Threat Agents to Consider

Threat from external attackers against your desktop application
Threat from an attacker against back end systems
Threat from malicious developers

References

AIR - http://www.flashsec.org, http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.swf

Results

Key

(Y) - Allowed by RIA framework
(LF) - Limited by framework (a built in limitation or control)
(LSO) - Limited by same origin policy (special built in policy)
(LD) - Limited by developer (specified in a policy file like security.policy, jnlp, or crossdomain.xml)
(LU) - Limited by user (specified in a policy file)
(N) - Denied by RIA framework

RIA Framework	Java Applet	Adobe Flash	Google Gears	Java FX (JFX)	MS Silverlight	Adobe AIR
Persistence - Does the RIA framework allow data to be persisted in the client?	N	LF	LSO	LD	LU	Y
Sharing - Does the RIA framework allow uploading data?	LSO	LSO	Y	LD	LSO	Y
Exchange - Does the RIA framework use data formats that scramble data and code (HTML, JSON)	N	N	?	LD	Y (XAML and PE)	Y
Pipes - Does the RIA framework allow multiple RIAs to communicate with each other on the client?	Y (LiveConnect)	N	N	?	N	Y
Files - Does the RIA framework have access to the local file system?	N	N	N	LD	LU (IsoStore)	Y
Sockets - Does the RIA framework have access to local network sockets?	LSO	LSO	LSO	LD	N (yet)	Y
Windows - Does the RIA framework have the ability to create windows?	LF	N	N	LD	N	Y
Devices - Does the RIA framework have the ability to access local cameras and microphones?	N	LF	N	LD	N	Y
Native - Does the RIA framework have access to local native code or executables?	N	N	N	LD	N	Y
DOM - Does the RIA framework have access to the DOM?	Y	Y	Y	?	Y	Y
Controls - Does the RIA framework have access to other components within the DOM?	N	Y	LSO	LD	?	Y
Self-Modify - Can an RIA modify the RIA framework?	N	N	?	LD	N	Y
DNS Pinning - Does the RIA framework protect against DNS pinning?	N	N	N	LD	N	N

@@ Line 1: / Line 1: @@
 Notes from the OWASP Washington chapter meeting where we discussed:
-* FLEX (Adobe) - development environment for Flash Apps
+* Java Applet - very old technology, runs in sandbox
-* Flash Studio for movies
+* Flash 7 - old flash movie environment
+* JFX (Sun Java) - New scripting language compiles to bytecode, runs via Java Web Start
-* Java Applet
+* Silverlight (Microsoft) - .NET Applets that run inside the browser, no privileged code
-* Flash 7
+* Google Gears - local storage component with JavaScript API (Same Origin all the way down)
-* JFX (Sun Java)
-* Silverlight (Microsoft)
-* Google Gears
 * AIR (Adobe - formerly Apollo) - VM that runs Flash, Shockwave movies, ActionScript, JavaScript, FLV
-==Criteria==
+==Threat Agents to Consider==
-* Cross platform
-* Local File system access
-* Network access
-* Built-in Database
-* HTML
-* JavaScript
-* Support for cross-domain policy (crossdomain.xml)
-Organizations have been rated on the following five characteristics:
-; 1. Adobe AIR
-: The
-; 2.
+* Threat from external attackers against your desktop application
-: The
+* Threat from an attacker against back end systems
+* Threat from malicious developers
-; 3. Flex
+==References==
-: The
-; 4. Flex
+AIR - http://www.flashsec.org, http://www.wisec.it/en/Docs/flash_App_testing_Owasp07.swf
-: The
-; 5. Flex
+==Results==
-: The
-==Scoring==
+Key
+* (Y) - Allowed by RIA framework
+* (LF) - Limited by framework (a built in limitation or control)
+* (LSO) - Limited by same origin policy (special built in policy)
+* (LD) - Limited by developer (specified in a policy file like security.policy, jnlp, or crossdomain.xml)
+* (LU) - Limited by user (specified in a policy file)
+* (N) - Denied by RIA framework
-{|class="wikitable sortable" style="text-align: center;" width="100%"
+{|class="wikitable sortable" style="text-align:left;" width="100%"
 |-
 ! RIA Framework
-! width="14%" | 1. Awareness
+! width="10%" | Java Applet
-! width="14%" | 2. Requirements
+! width="10%" | Adobe Flash
-! width="14%" | 3. Verification
+! width="10%" | Google Gears
-! width="14%" | 4. AppSec Team
+! width="10%" | Java FX (JFX)
-! width="14%" | 5. Response
+! width="10%" | MS Silverlight
-! width="14%" | Score
+! width="10%" | Adobe AIR
+|-
+| '''Persistence''' - Does the RIA framework allow data to be persisted in the client?
+| N
+| LF
+| LSO
+| LD
+| LU
+| Y
+|-
+| '''Sharing''' - Does the RIA framework allow uploading data?
+| LSO
+| LSO
+| Y
+| LD
+| LSO
+| Y
+|-
+| '''Exchange''' - Does the RIA framework use data formats that scramble data and code (HTML, JSON)
+| N
+| N
+| ?
+| LD
+| Y (XAML and PE)
+| Y
+|-
+| '''Pipes''' - Does the RIA framework allow multiple RIAs to communicate with each other on the client?
+| Y (LiveConnect)
+| N
+| N
+| ?
+| N
+| Y
+|-
+| '''Files''' - Does the RIA framework have access to the local file system?
+| N
+| N
+| N
+| LD
+| LU (IsoStore)
+| Y
+|-
+| '''Sockets''' - Does the RIA framework have access to local network sockets?
+| LSO
+| LSO
+| LSO
+| LD
+| N (yet)
+| Y
+|-
+| '''Windows''' - Does the RIA framework have the ability to create windows?
+| LF
+| N
+| N
+| LD
+| N
+| Y
+|-
+| '''Devices''' - Does the RIA framework have the ability to access local cameras and microphones?
+| N
+| LF
+| N
+| LD
+| N
+| Y
 |-
-|
+| '''Native''' - Does the RIA framework have access to local native code or executables?
-| [http://msdn2.microsoft.com/en-us/library/ms995349.aspx#sdl2_topic3_2 Full]
+| N
-| [http://msdn2.microsoft.com/en-us/library/ms995349.aspx#sdl2_topic2_1 Full]
+| N
-| [http://msdn2.microsoft.com/en-us/library/ms995349.aspx#sdl2_topic2_4 Full]
+| N
-| [http://msdn2.microsoft.com/en-us/library/ms995349.aspx#sdl2_topic3_4 Full]
+| LD
-| [http://msdn2.microsoft.com/en-us/library/ms995349.aspx#sdl2_topic2_6 Full]
+| N
-| 10
+| Y
 |-
-| [http://www.oracle.com Oracle]
+| '''DOM''' - Does the RIA framework have access to the DOM?
-| [http://www.oracle.com/security/docs/software-security-assurance-process.pdf Full]
+| Y
-| None
+| Y
-| [http://www.oracle.com/security/secure-development-processes.html Partial]
+| Y
-| None
+| ?
-| [http://www.oracle.com/security/software-security-assurance.html Full]
+| Y
-| 5
+| Y
 |-
-| [http://www.foobar.com Foobar]
+| '''Controls''' - Does the RIA framework have access to other components within the DOM?
-| [http://link Full]
+| N
-| [http://link Full]
+| Y
-| [http://link Full]
+| LSO
-| [http://link Full]
+| LD
-| [http://link Full]
 | ?
+| Y
+|-
+| '''Self-Modify''' - Can an RIA modify the RIA framework?
+| N
+| N
+| ?
+| LD
+| N
+| Y
+|-
+| '''DNS Pinning''' - Does the RIA framework protect against DNS pinning?
+| N
+| N
+| N
+| LD
+| N
+| N
 |}
 __NOTOC__

Difference between revisions of "RIA Security Smackdown"

Latest revision as of 15:11, 14 April 2008

Threat Agents to Consider

References

Results

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Reference

Tools