Security: Patches, Web Security Books, SecWeb – Designing Security for the Web

  • Security updates for Friday

    Security updates have been issued by Fedora (curl, LibRaw, python-pillow, and python36), Mageia (coturn, samba, and vino), openSUSE (opera), and Ubuntu (openssl).

  • Comparing 3 Great Web Security Books

    I thought about using a clickbait title like “Is this the best web security book?”, but I just couldn’t do that to you all. Instead, I want to compare and contrast 3 books, all of which I consider great books about web security. I won’t declare any single book “the best” because that’s too subjective. Best depends on where you’re coming from and what you’re trying to achieve.

  • Hardening Firefox against Injection Attacks – The Technical Details

    In a recent academic publication titled Hardening Firefox against Injection Attacks (to appear at SecWeb – Designing Security for the Web) we describe techniques which we have incorporated into Firefox to provide defense in depth against code injection attacks. Within this blogpost we are going to provide insights into the described hardening techniques at a technical level with pointers to the actual code implementing it. Note that links to source code are perma-linked to a recent revision as of this blog post. More recent changes may have changed the location of the code in question.

    [...]

    Firefox ships with a variety of built-in pages, commonly referred to as about: pages. Such about: pages allow the user to view internal browser information or change settings.

    If one were able to inject script into a privileged about: page it would represent a complete browser takeover in many cases. To reduce this injection attack surface, we apply a strong Content Security Policy (CSP) of default-src chrome: to all about: pages. The applied CSP restricts script to only JavaScript files bundled and shipped with the browser and accessible only via the Firefox internal chrome:// protocol. Whenever loading any kind of JavaScript, Firefox internally consults its CSP implementation by calling the function ShouldLoad() for external resources, or GetAllowsInline() for inline scripts. If the script to be executed is not allow-listed by the added CSP then Firefox will block the script execution, rendering the code injection attack obsolete.

    Further, we verify that any newly added about: page within Firefox exposes a strong CSP by consulting the function AssertAboutPageHasCSP(). This function basically acts as a commit guard to our codebase and ensures that no about: page makes it into the Firefox codebase without a strong CSP.

    Before we started to protect about: pages with a CSP we faced a bug where text and markup controlled by a web application was reused in a permission prompt, which led to a Universal Cross-Site Scripting (UXSS) attack in the browser interface (CVE-2018-5124). These scripts run with elevated privileges that get access to internal APIs and can result in a full system compromise. What raises the severity of such bugs is the high-level nature of the vulnerability and the highly deterministic nature of the exploit code which allowed comparably trivial exploitation.
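
The CSP behaviour described in the Firefox excerpt above, as an added example that is not Mozilla's code or part of the quoted post: a simplified JavaScript model of how a `default-src chrome:` policy decides on external and inline scripts, plus a hypothetical guard in the spirit of the commit check the excerpt describes. All function names, the sample markup and the "strong policy" criterion are assumptions made for illustration.

```javascript
// Simplified model of CSP script checks; not Firefox's implementation.
// Handles scheme-sources (e.g. chrome:), 'none' and 'unsafe-inline' only.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // As in the CSP spec, the first occurrence of a directive wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources.map((s) => s.toLowerCase()));
    }
  }
  return directives;
}

// script-src governs scripts, default-src is the fallback; null = unrestricted.
function scriptSources(policy) {
  const d = parseCsp(policy);
  return d.get("script-src") ?? d.get("default-src") ?? null;
}

// Conceptual counterpart of the external-resource check.
function allowsExternalScript(policy, url) {
  const sources = scriptSources(policy);
  return sources === null || sources.includes(new URL(url).protocol);
}

// Conceptual counterpart of the inline-script check (nonces/hashes omitted).
function allowsInlineScript(policy) {
  const sources = scriptSources(policy);
  return sources === null || sources.includes("'unsafe-inline'");
}

// Hypothetical guard: the page needs a <meta> CSP whose script sources are only chrome:.
function pageHasStrongCsp(html) {
  const m = /<meta\s+http-equiv="Content-Security-Policy"\s+content="([^"]*)"/i.exec(html);
  if (!m || !parseCsp(m[1]).has("default-src")) return false;
  const sources = scriptSources(m[1]);
  return sources.length > 0 && sources.every((s) => s === "chrome:");
}

// Constructed sample pages (not taken from the Firefox tree).
const ABOUT_PAGES = {
  "about:good": '<meta http-equiv="Content-Security-Policy" content="default-src chrome:">',
  "about:weak": '<meta http-equiv="Content-Security-Policy" content="default-src chrome:; script-src chrome: \'unsafe-inline\'">',
  "about:none": "<title>no policy</title>",
};
const pagesMissingStrongCsp = (pages) =>
  Object.keys(pages).filter((name) => !pageHasStrongCsp(pages[name]));
console.log(pagesMissingStrongCsp(ABOUT_PAGES));
```

The `about:weak` page shows why a guard has to look at the effective script sources and not just at the presence of `default-src chrome:`: a later `script-src` overrides the fallback and re-enables inline script.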
