If you are running Microsoft Internet Explorer, then the status bar at the
bottom of your browser probably says "Installing components..." at this very
moment. This is an example of ActiveX (Microsoft's answer to
Java). Like Java, ActiveX involves downloading code to run.
Unlike Java,
ActiveX components have no restrictions on the action they can take in your
system. In order to reassure you that this is ok, Microsoft has devised
something called "Authenticode". Once the code is downloaded, you are
presented with a window telling you who wrote the code and asking if you want
to run it. The browser uses some sophisticated cryptography to certify who
wrote the code, so you can believe the statement of authorship.
Unfortunately, it is a flawed model of security, as I shall explain. More
seriously, it gives every appearance of offering some sort of safety, which
makes it all the more dangerous.
What's wrong with the security model?
When the code is downloaded,
you are presented with something that looks like a "Good Housekeeping seal of
safety" for the code. You should think of it instead as a set of AKC papers
for the dog you are about to install. It looks very official and reassuring,
but all that this really does for you is to tell you who wrote the
code. It does not tell you who is asking you to run it (DigiCrime - not the
author), nor does it tell you whether the code is safe to run. Microsoft
represents this as the download equivalent of "shrink-wrap" software, but
there is one very big difference: shrink-wrap software is run by the end user
with inputs designed to accomplish a task of the user, and ActiveX is run by
web pages downloaded from the net, with inputs designed to accomplish a
task of the server. Every time you run an ActiveX component, you
transfer your trust outside of your machine.
A demonstration
As a demonstration, the button below will invoke a piece of ActiveX
(once it is downloaded from the Microsoft site).
You will notice that we are not the authors of this code, but we can cause it
to be run with arguments of our choice. If you have already visited the Microsoft ActiveX site, then you
may have already installed the code, so it is run automatically when you visit
our page. If you have not installed the components yet, then when you visit
our page you are presented with the request to install and run the code.
So what's the problem?
I have every reason to believe that the author of this code
is probably a well-intentioned
software designer. Unfortunately, code safety is notoriously difficult.
One of the biggest security problems to affect UNIX over the years is that of
"stack smashing" (here's a definition). The general technique is well known
to hackers, and examples
have arisen in various pieces of UNIX over the years, including passwd
(from 1989!), syslog,
rdist, NCSA httpd 1.3, crontab, mount, talkd, rlogin,
and sendmail (so
many times we have lost count). The bottom line is that by using "stack
smashing", a page may cause your browser to execute code other than what was
intended. Finding such vulnerabilities is very tedious and
technical, but often possible.
It doesn't work with all code, but it requires very careful coding
to avoid this vulnerability.
Note that Java is designed to avoid this
problem.
Here's a brief explanation of the problem. If
the program allocates space in a function for a character array like
addr[2048], and an argument supplied to the program at runtime has 2100
characters and is copied to addr, then the extra characters will be written to
the stack at the end of the memory where addr was located. Unfortunately, it
is possible to cause code to behave in quite dangerous ways by this mechanism.
If the buffer addr was used to hold a hostname for a machine, the author of
the software might be thinking that "nobody would ever need more than 2048
characters for this argument". If they fail to check the argument to see if
it fits in the buffer, then an evil adversary can cause the software to
misbehave by giving the program a cleverly constructed string of 2100
characters. This is not the result of the author writing evil code, just
sloppy code. Such code is extremely common, and can be caused by something
as simple as using the gets() or
sprintf() C library
functions to handle an argument. Both are inherently dangerous because
they don't check the inputs to be sure that they will fit in the output.
For more information on stack smashing, try looking here and here.
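The unchecked copy described above, next to two bounded alternatives, as an added example in C (not code from the original page). The function names and the constructed all-'a' argument are assumptions made for illustration; only addr[2048], the 2100-character argument and sprintf() come from the text.

```c
#include <stdio.h>
#include <string.h>

#define ADDR_SIZE 2048   /* the addr[2048] buffer from the text */

/* Unsafe pattern from the text: sprintf() copies all of arg and never
   learns how large addr is. Kept for comparison; nothing below calls it. */
void store_host_unchecked(char *addr, const char *arg) {
    sprintf(addr, "%s", arg);
}

/* Checked copy: reject any argument that does not fit, NUL included. */
int store_host_checked(char *addr, size_t addr_size, const char *arg) {
    size_t need = strlen(arg) + 1;
    if (need > addr_size)
        return -1;
    memcpy(addr, arg, need);
    return 0;
}

/* Bounded formatting: snprintf() writes at most addr_size bytes and
   returns the length it wanted, so an oversized argument is detectable. */
int store_host_snprintf(char *addr, size_t addr_size, const char *arg) {
    int n = snprintf(addr, addr_size, "%s", arg);
    return (n < 0 || (size_t)n >= addr_size) ? -1 : 0;
}

typedef int (*store_fn)(char *, size_t, const char *);

/* Build a constructed argument of n characters and hand it to store. */
int try_length(store_fn store, size_t n) {
    static char arg[4096];
    char addr[ADDR_SIZE];
    if (n >= sizeof arg)
        return -2;
    memset(arg, 'a', n);
    arg[n] = '\0';
    return store(addr, sizeof addr, arg);
}

int main(void) {
    printf("2047 chars: %d\n", try_length(store_host_checked, 2047));
    printf("2100 chars: %d\n", try_length(store_host_checked, 2100));
    printf("2100 chars, snprintf: %d\n", try_length(store_host_snprintf, 2100));
    return 0;
}
```

The boundary case is the one worth noticing: a 2048-character argument is also rejected, because the terminating NUL needs a 2049th byte.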
More problems
I have always felt that the most dangerous time in
running Windows is when you type d:\setup, because even well-meaning programs
can often screw up your configuration. If it becomes commonplace for every
mouse click to be installing and updating your code, then this problem is
likely to become much worse.
A much more serious problem is that there is no expiration on ActiveX
controls. If a bug is ever found in the code that renders it unsafe, there is
no practical mechanism for a user to patch the code, since it is invoked by a
remote site and is completely hidden from the user once it is installed.
Aside from the security problems, users should be aware that ActiveX is a
cornerstone in Microsoft's approach to controlling the Internet. ActiveX is
only available in Microsoft's browser, and is only available on Windows
platforms. Content developers that want to reach as many people as possible
would be well advised to concentrate on other approaches.
The litigious approach to computer security
Authenticode attempts to model the "shrink-wrap" model of
software responsibility. If the code above had caused a malfunction on
your machine, what recourse would you have?
Could you sue DigiCrime? What makes you think that you would have any
evidence that the page came from DigiCrime? After all, your evidence
is dependent on the Domain Name Service (DNS), which associates numeric
IP addresses with domain names like www.digicrime.com. What makes you think
that I couldn't fool your DNS server into thinking that my IP address was
associated with another site? (A hacker can.)
Would you sue Microsoft? They provided a piece of code that was safe
if used in a manner in which it was intended. They exhibited no appreciable
negligence or evil intent, so there is likely to be no liability.
What if a hacker breaks into a web server of a major corporation and
inserts HTML code to invoke their ActiveX component in a harmful manner?
Do you sue the site, who may have taken every reasonable security
precaution, but was outfoxed by a hacker? Legal precedent suggests that
they would not be liable.
Do we really want to depend on the ability to sue hackers in order
to maintain the security of computers anyway? What if the hacker lives
in another country or cannot be found? What if you really needed your data
rather than the ability to sue someone?
That leaves you holding the bag, and responsible for your decision.
The bottom line
ActiveX puts the responsibility of maintaining the safety of their machines in
the hands of the users. Authenticode attempts to give the user information to
assist them in evaluating whether code is trustworthy. This has some
advantages in that it allows the user to accomplish things with their machines
that they could not do within the restrictive security model of Java. Each
user has to ask themselves the question: is the tradeoff of convenience for
security a worthwhile trade? Is there anything compelling enough in ActiveX
to make it worth the risk?
I believe that most users are incapable of making informed decisions regarding
complicated security risks, and ActiveX is not worth the risk (at least not
yet). Moreover, computers owned by a corporation are the responsibility of
the corporation, not the user. ActiveX coming through firewalls constitutes
far too high a risk for a corporation, and offers nothing of value to
compensate for the risk. Presumably you can make your own decision.