openjnlp-devel

[Openjnlp-devel] Another update on Elvis

[Christopher H. <he...@ez...>]

Well, after more than a tad of thrashing and rework (mainly due to my own 
paranoia - I'm trying to make Elvis reasonably secure against attacks and 
hangs) Elvis is alive!

Aside from the rename (dropped the J, which got added in a moment of low 
lemming resistance - thanks for the nudge Kevin!), Elvis is now able to 
determine if he is or is not the only Elvis implementing a given program, and 
if he is not, defer to the more senior Elvis.

I haven't gotten as far as having Elvis do actually anything yet, but it's 
going to be a cool, damp weekend, with two Nascar races on the net broadcast, 
so I suspect a good bit of work will get done.


At this point, I'm going to babble incoherently about some security related 
details.  If you have the inclination to read further, I'd appreciate 
feedback on these points.

As I mentioned above, I've been a bit paranoid about the connection setup.  
Elvis talks to himself in "one liners" - single line messages consisting of a 
sequence of header tokens (three header tokens, identifying it as an Elvis 
message, for a given program, and a key identifying the specific incarnation 
of Elvis who is (supposedly) the Real Elvis at this time), an action token 
indicating what it is we want Elvis to do, and an optional data token, which 
can be any arbitrary plain text string (not including end-of-line).  The 
response is a similar "one liner", with a status token substituted for the 
action token.  In both cases all three header tokens must be correct for 
Elvis to accept the communication.  The whole point of this is to help 
prevent spoofing attacks, where one user attempts to get another user's Elvis 
to do something.  At the moment, though, this whole effort is short circuited 
because the key is stored in world readable plain text in a well known file 
in a well known directory.  Once that is secured (by making it readable only 
be the proper user), the whole structure hardens up nicely.

For additional paranoia, the Elvis port is chosen semi-randomly, by adding a 
random offset to a base port number supplied by the client..  This should 
make port guessing by an attacker difficult, except that the port number is 
stored in the same vulnerable directory mentioned above (and can be fixed in 
the same way).

Right now, if Elvis receives a connection attempt from a machine other than 
the local host, he decides that he's under attack and exits immediately.  
This could be inconvenient in a production environment, and needs some more 
thought.  Since Java is inherently resistant to buffer overflow attacks, that 
isn't a big concern.  It might be more appropriate to simply have Elvis log 
such attempts and discard the connections without further action.

The goal is to close any doors through which an attacker could get an Elvis 
implementation to do something.  For OpenJNLP, this could include worm 
programs, trojans, or access to otherwise secure data.

					Chris

Re: [Openjnlp-devel] Another update on Elvis

[Kevin H. <ke...@na...>]

On Saturday, April 27, 2002, at 03:20 , Christopher Heiny wrote:
[...]
> For additional paranoia, the Elvis port is chosen semi-randomly, by 
> adding a
> random offset to a base port number supplied by the client..  This 
> should
> make port guessing by an attacker difficult, except that the port 
> number is
> stored in the same vulnerable directory mentioned above (and can be 
> fixed in
> the same way).

This sounds good, but isn't necessarily. It's pretty simple to just run 
"netstat -a" to see what ports are being listened to. And if you're 
listening only on 127.0.0.1 it's even more obvious, since there are so 
few things restricted to 127.0.0.1. This falls into the "security by 
obscurity" category and seems more secure than it actually is. I'm not 
saying it's a bad thing to do, but I'd recommend focusing more on secure 
message passing.

> Right now, if Elvis receives a connection attempt from a machine other 
> than
> the local host, he decides that he's under attack and exits immediately.

Is Elvis listening on 127.0.0.1 only? If so, there is no way a 
connection can come from anywhere than 127.0.0.1. Well, okay, 
technically maybe any interface on the current machine but certainly not 
an interface from a different machine.

Re: [Openjnlp-devel] Another update on Elvis

[Christopher H. <he...@ez...>]

On Sunday 12 May 2002 01:20 pm, Kevin Herrboldt wrote:
> ...This falls into the "security by
> obscurity" category and seems more secure than it actually is. I'm not
> saying it's a bad thing to do, but I'd recommend focusing more on secure
> message passing.

I agree, somewhat.  However, it's very easy to implement (three lines of 
code), and I generally tend to favor anything that makes life more difficult 
to the casual cracker.  It's not so much "security through obscurity" as 
"slightly increased security through increased hassle".  The more of a pain 
you make things for script-kiddies, the less likely they are to trouble you.  
This means you can devote more of those lying-awake-worrying nights to the 
serious cracker.

Also, at least on the machine I'm using at the moment (running Mandrake 8.2 
x86 distro), doesn't reveal anything particularly Elvis related about the 
port, although it is possible to identify that a java program of some kind is 
using the port.  An attacker would still have to probe a number of possible 
ports in an attempt to spoof Elvis - thus increasing his exposure and risk of 
detection.  Yeh, I know, 99% of the population doesn't do anything to detect 
such attacks anyway....


>Is Elvis listening on 127.0.0.1 only?

I have no idea how I could have been so stupid as to miss that, but I did.  
Thanks!

					Chris