Hacker News new | ask | show | jobs
by davej 3476 days ago
> At the end of the day, window.crypto can be absolutely anything.

Would it be possible to toString() the function and check if it is a native function before execution? Seems like a simple solution but perhaps I'm missing something? I guess in theory the toString() method could also be hijacked. :-/
4 comments
ariabuckles 3476 days ago
If you wanted to test for a native function, I think you could probably do something like:

    (function() {}).__proto__.toString.apply(window.crypto.getRandomValues)
which grabs the toString function off the Function prototype without relying on explicit/modifiable globals.

However I'm not sure if the testing for a native method idea works in general (it might be possible to say something like `window.crypto.getRandomBytes = Array.prototype.slice`, which would show up as a native function, but leave the original, likely 0, bytes in the input array). This might still be okay, because in chrome that shows up as "function slice() { [native code] }" instead of "function getRandomValues() { [native code] }", but it might not; I'm not sure I have the appropriate js/security background to say.

link
josephg 3476 days ago
Cute idea, but thats not secure. You can edit the function prototype object to return anything you want:

    (function() {}).__proto__.toString = () => "Hi!"
All functions use same __proto__ object (including functions that haven't been written yet), and it can be edited from anywhere in your program. (Tested in chrome 54).

At a meta level, if you're trying to run trusted code in a JS environment that has some untrusted code in it too, you're going to have a bad time. The same is true in native programs by the way - you can't protect your program from a malicious library you're running in process.

The right way to solve this is to stop sharing a JS environment with libraries you don't trust. I don't know how you can protect yourself from malicious extensions, but you can stop pulling in a kitchen sink of JS libraries by being super selective about what you pull in from NPM. (Which you really should be doing anyway.)

link
rmrfrmrf 3476 days ago
> The right way to solve this is to stop sharing a JS environment with libraries you don't trust. I don't know how you can protect yourself from malicious extensions, but you can stop pulling in a kitchen sink of JS libraries by being super selective about what you pull in from NPM. (Which you really should be doing anyway.)

Well that's just the thing; it's far more likely that a user would encounter either a malicious script on the web, a virus that modifies the browser environment, or a browser that doesn't implement the Crypto API. Relying on the Crypto API for security is irresponsible in a production environment.

link
AgentME 3476 days ago
>it's far more likely that a user would encounter either a malicious script on the web

If it's a script on a different website (and no privilege-escalating-zeroday is involved), it doesn't matter.

If their computer does get a virus, then it may just keylog everything. If it does hook into a browser, it'll probably be made to log interesting plaintext bits straight out of the DOM before targeting the crypto API. If a virus is targeting users of a specific website and is able to inject code into a browser and fully control the environment that the website's code runs in, then it doesn't need to rely on the website using the crypto API to extract data from it. If the site keeps the key in localStorage, then any code running in that context could read from there too. If the site prompts the users for the password encrypting the key, then any code running in that context could read the password from DOM as it's entered, or prompt the user again. If the site's code is known to stick the key into a 256-byte array, then depending on the browser and type of attack then it could wrap the array constructor and log whenever it sees a 256-byte array get made.

The crypto API actually provides a good defense from some types of attacks. It allows you to create a crypto key that is handled by the browser and never has its key material exposed to page javascript.

link
ariabuckles 3476 days ago
You're right; upvoted.

I'm surprised that none of these global objects are set to not-configurable/not-writeable :/.

And yes, the general case of running untrusted js code in the same environment your code isn't safe.

link
tixzdk 3476 days ago
I think the article gets this wrong. `window.crypto` should be read-only
link
ifelsehow 3476 days ago
I find the following in Chrome:

> window.crypto.getRandomValues

// getRandomValues() { [native code] }

> window.crypto.getRandomValues = function () { return "aloha" }

> window.crypto.getRandomValues()

// "aloha"

Not sure if this is the case in all browsers. `window.crypto` certainly should be read-only.

link
niftich 3476 days ago
In Chrome, window.crypto is read-only:

> window.crypto

< Crypto {subtle: SubtleCrypto}

> window.crypto = "hi!"

< "hi!"

> window.crypto

< Crypto {subtle: SubtleCrypto}

But not anything underneath, including getRandomValues(), as you write. A recent issue about this [1] on the WebCrypto spec itself was closed with 'wontfix' because in their view, polyfilling web APIs is a common and accepted practice.

[1] https://github.com/w3c/webcrypto/issues/107

link
flukus 3476 days ago
Shouldn't all pollyfills check only override the functions if they're missing?
link
jsjohnst 3476 days ago
What if it's present but the implementation is incomplete?
link
paulddraper 3475 days ago
E.g. an extra optional parameter.
link
rmrfrmrf 3476 days ago
https://www.w3.org/Bugs/Public/show_bug.cgi?id=25345

It looks like they intentionally don't do that in order to prevent the illusion of security.

link
espeed 3476 days ago
See "Building web applications on top of encrypted data using Mylar" https://people.csail.mit.edu/nickolai/papers/popa-mylar-2016...

Mylar ensures that client-side application code is authentic, even if the server is malicious.

link
twr 3476 days ago
I was curious what that meant with "even if the server is malicious." Turns out, in short, the Mylar paper creates a distinction between the "web site owner," and "the server operator."

It shouldn't need to be stated, but not all people believe that is always an important distinction.

Mylar places complete trust in the application developer, whereas an important aspect of other security software is that you don't need to trust the developer: if one version of the software is audited, you can stay on that version; or the other can be examined.

Mylar doesn't make the web any less of an ephemeral and invisible black-box execution environment, where code goes in and vanishes without earlier proof of existence.

It sounds like I'm panning it, but really I think the idea is sound: It makes the lives of non-affiliated/non-government attackers more difficult. I'd use it with my bank website. Just not for highly sensitive communications.

link
bzbarsky 3476 days ago
You can hijack toString, sure.

You can also hijack other things. https://www.w3.org/Bugs/Public/show_bug.cgi?id=25345#c5 is a good example of how this can play out in an actual example of code using getRandomBytes and then doing something with the return value.

As I said there, the only principled solution here is something like Caja, where you freeze all the primordials up front and then run all the maybe-untrusted code in sandbox-like setups. Well, or not having XSS injection, of course...

link