Developers are taught to 'never trust the browser' to execute their client-side JavaScript. The inability for a developer to trust a browser has far reaching implications from not trusting client-side validation, to never being really sure the TLS connection doesn't have a man-in-the-middle. Software security such as white-box cryptography & obfuscation have been used in native environments for many years, but these techniques are hard in JS. We'll explain how these techniques can now be applied to JS code running in a web browser to secure it from MITM attacks.
While displayed do intro
I’m Ben Gidley, Director of Technology for Irdeto a company based in Hoofddorp, just by the airport, who specialize in Digital Platform Security. I’m a developer by background and have worked in media and cyber security for a number of years.
My name is Tim Charman, an Architect at Irdeto, my background is systems integration and managing data across government, media, manufacturing and payments.
Ben: Today we’re going to talk about browser security and some of the new options emerging to secure code running in it. This is especially important given the recent trend for serverless apps and more and more ‘smarts’ being run in the browser.
TIM
The web is a great thing, and it’s quite successful.
The basic architecture has a number of security elements built in
Firewalls and network security for the servers
Browser sandboxing, isolation for the browser
TLS/SSL for the network
Ben
BUT even with all this we ‘don’t trust the browser’ to run our JavaScript code. There are a three core reasons
Tim
Browsers are controlled by users. Users pick them, install them and can make the do whatever you want. The developer writing a website can only be sure 2 things have happened
Someone has downloaded your HTML/JS/CSS
You got some data back
What happens out on the browser will vary – it could be the user loads your page, runs your JavaScript, and does what you tested. It could also be they did something entirely different, or that they are not a human at all and instead are a bot feeding data to your server.
Some users want to play by the rules, others don’t. Those that don’t can change your code and ‘mess’ with it.
Ben
TLS as deployed to consumers asserts 2 things
The connection is encrypted, and only people the consumers computer trusts can intercept it
A certificate authority has verified the owner of the domain has approved the certificate
There is little certainty for the consumer about what code was downloaded
Most consumers don’t understand this, they just know “things are secure now”.
Ben
It tells you, the server API, NOTHING about the consumer and the integrity of the connection.
The only exception to this is 2 way TLS, but that’s too hard for most consumers. 2 Way TLS is where the consumer has a personal certificate, they securely store on their computer which identifies them. The problem is most people can’t keep their computers secure, and most likely don’t even know it exists.
Tim
Introduce 3 MITM
For more details see http://bit.ly/mitm-is-easy
Ben
CITE Google/Firefox research that 10-18% of all connections are MITM’d in real world!
Some of this is ‘harmless’ corporate proxies
Some of this is incompetence from AV vendors/IT departments
Some of this is hackers
But don’t just believe us let’s see how easy it is…
Pineapple Kali – hotspot
Chromebook – join evil hotspot
Install Certificate
I’m using site that set up right and is up to date etc
Give me key and install certificate
Cite IBM USB drive screw up
Evil Portal
This looks like a great free wifi
Ask audience for who will buy it
Do it twice ???
View hack see my credit card
Tim top bit should include ‘even though reputable e-commerce site’
Ben second bit
Tim – state problem
We could put a server in the middle to verify checksums from the code running on the browser.
However this would still leave us open to attacks – an a bad guy can simply modify the security libraries and make them tell us everything is fine and when it isn’t. Remember we can’t trust anything that’s going on in the browser.
So what if we also obfuscated the JavaScript. This would make it difficult for an attacker to modify the code.
However with just obfuscation the attacker could still ‘spoof’ our messages, they’d just have to watch what was being sent to the server and send their own messages.
Can we add cryptography to sign the message?
Now if we add Whitebox Crypto into the security library we can start signing and encrypting things.
BUT what’s to stop the attacker looking at this code and extracting the keys? Well that’s the ‘magic’ of whitebox.
White-box is a version of a crypto algorithm designed with the assumption that
The hacker can read the memory
The hacker can read the code
BUT they can’t extract the key.
This is very proven tech – Irdeto’s version of this is deployed on over 5 billion devices worldwide and is well suited to running in JavaScript in a browser. We’ll come back to this in a bit to explain a bit more how it’s possible.
But is that enough?
Not really
If we just use a single crypto key – it’s likely to get broken. Whitebox is good, but it’s not perfect. We can however diversify. This means we change the keys, the obfuscation over time to make it even harder to hack.
I started off by focusing on MITM attacks but this also hinders a range of other attacks.
Take for example any kind of XSS attack, any attempt to modify the page will fail IV, which in turn would stop the modified code talking to the underlying API. The XSS vulnerability would still be in the page, but it would be a lot harder to exploit.
Ben
If if these cards…. I’ve put them in an order I know
Then I give them to Tim, and ask him to
Take 2 cards and put them on the bottom
Go 3 cards cards from top and put next 2 card on bottom (card 4 and 5)
Tell me what card you have at card 4 from top
This is a simple example, but we can more complex for example if I told tim to take every other card move it up 3 etc
If we build this to the business logic of the page, then Tim is forced to follow the logic to keep being able the challenges
Take one off the top and put it on the top
This alone isn’t enough – but when we combine with with obfuscation and diversity we can make it really difficult for Tim to know the right answers to the questions (as we obfuscate the question) and mix up the data so it’s very hard to tell us the right answer.
We also add in anti-replay features to stop him just ’parroting’ a working client. This means the same operations will always give different answers.
The end result is we can ask questions only someone running our code can answer. This is then fed to the whitebox algo to securely communicate the result.
Picture Notes: Need ‘sausage machine diagram’ – ideally like this but with Keys & seeds separate and Obfuscated JS coming out on right
Tim tells
He has a sick cat, 🐈, and the vet has prescribed some pills. The trouble is, the cat doesn’t have the same idea about the pills as my neighbours. So for the first two days, the cat would take the pill. But the next day, no luck. So my neighbour wrapped the pill in pate. The cat likes pate, but that only worked for two more days. So my neighbour ground up the pill and mixed it with a bit of cat food. Again, after two days it had learnt. The last thing he tried is lifting the cats top lip up, which makes it drop its bottom jaw, shoves in the pill, and makes it swallow. After two days, the cat learnt to regurgitate the pill. Now he’s stuck.
With the right tooling you can generate as many techniques/JavaScript as you need. This makes it robust against attack as a hacker who figures out your technique has broken only instance, which most cases means they figured out how to hack they are currently using – e.g. they stolen their own credit card.
19
Demo of it working and showing encrypted code.
Show tamper detection failing