
SVG concerns...

Posted: 27 Jun 2016, 13:04
by fullmoonremix
Recently a security concern was brought to my attention
about the merit of Scalable Vector Graphics (SVG) format
use in an OS either @ boot or as a Material Design GUI desktop element.

Since I have a keen interest in using SVG for Material Design GUI hi resolution
desktop elements... on advisement I did a cursory single page search.

The results (more or less)...
http://webwarper.net/ww/~av/www.securit ... ransomware
https://www.rapid7.com/db/modules/explo ... k_svg_java
https://cyberoperations.wordpress.com/o ... e-browser/
http://thehackernews.com/2015/06/Stegos ... lware.html
http://www.binarytides.com/hack-windows ... x-exploit/
http://eromang.zataz.com/2013/05/27/fir ... loit-demo/

The above referenced exploits only pertain to compromising applications.

To the best of my knowledge (and I have a lot)... the potential for ANY
image file (or ANY file) to pose a security threat has been long known.

However... for ANY file to pose a threat @ boot time (on secure media)...
the system firmware would already have to have been compromised.

Which makes the problem's source... firmware payload NOT file payload.

I have already stated MANY times before... Linux
(and by extension Porteus) is " Secure by design ".

If an OS (including derivatives) and/or repo contains ANY
unverified files the problem's source... would be its developer.

Therefore... in regards to a secure (even better... "hardened") live OS booting on signed secure
firmware/hardware and media... @ this time NO file format poses ANY "known" credible system threat.

For as far back as can be remembered... all software (including commercial) comes with a use @ your own risk disclaimer.
The reason for this... is because developers realized early on... that software is only as safe as the person using it.


Posted by 73.112.16.59 via http://webwarper.net
This is added while posting a message to avoid misusing the service

Re: SVG concerns...

Posted: 28 Jun 2016, 02:14
by brokenman
From my knowledge (and I don't have a lot on this topic) I would assume that if a crafted svg is used at boot time then there is the potential to run arbitrary/remote code as root. This is possible because svg files are xml based (unlike png or jpg). If one can execute arbitrary code as root then they have hit paydirt and the consequences are limitless. Secure boot procedures may prevent most of this but this is not really the issue.

For example, a fault was recently (in April) found in imagemagick that allows external libraries to assist in processing. This means that with some command like: convert 'https://nastysite.com.with.extra.command' outfile.svg one can have a trojan library enter the equation. I think it is important to note that it is not the known sploits that we must worry about. You can read all the whitepapers, blogs and security notices you like, and these won't carry one iota of substance if the sploit you are hit with is not (widely) known. That said I agree that an xml based image is probably not the best kind to allow root access to.

Anyway, in my numerous years of using unix like operating systems I have never experienced one single attack, attempt, threat or even heart palpitation related to being hcaked, carcked or otherwise exploited. Maybe I'm just lucky.
However... for ANY file to pose a threat @ boot time (on secure media) ... the system firmware would already have to have been compromised.
I don't think that is entirely accurate. It all depends on what you mean by secure media. Whatever loads during boot must be in the equation. Kernel, initrd, services up before switch. If one of these is exploited then a door is open. Unless you are creating your own distro from scratch (and I mean EVERYTHING included) then the chain of trust is weak at best. End user --> local hardware --> local network --> server --> distro maintainer --> package maintainer --> package developer --> libraries --> modules --> kernel --> etc etc

Security is a very vague word. More like a blanket that we wrap ourselves in and tell ourselves we are relatively safe. I don't think we ever truly are though. Just my two cents in what I hope will be a healthy and respectful thread where everyone learns something (because everyone CAN learn stuff) and nobody stoops to slander. :D
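brokenman's point above is that an SVG is XML, so unlike a PNG or JPEG it can carry more than drawing instructions: scripts, event handlers, references to remote files and DTD entity declarations. As an added example, not code from this thread, from Porteus or from the posters, here is a small Python pre-check a theme packager could run over every SVG before it is allowed into a boot theme or desktop widget. The list of flagged constructs is my own assumption about what counts as "active content" and is not exhaustive, and both sample SVGs are constructed for the demonstration.

```python
"""Audit an SVG for features that go beyond static drawing (added example).

The constructs flagged below (script/foreignObject elements, on* event
handlers, non-local href targets, external url() in styles, DOCTYPE and
ENTITY declarations, xml-stylesheet PIs) are an assumed checklist, not a
standard. Sample inputs at the bottom are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Elements that let an SVG execute code or embed non-SVG content (assumed list)
ACTIVE_TAGS = {"script", "foreignObject"}
# Attributes whose value is a URI and may pull in remote or non-image data
LINK_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}
DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
ENTITY_RE = re.compile(r"<!ENTITY", re.IGNORECASE)
# url( ... ) whose target is not a local "#fragment"
EXT_URL_RE = re.compile(r"url\s*\(\s*['\"]?\s*(?!#)", re.IGNORECASE)


def local_name(tag):
    """Strip the namespace from an ElementTree tag such as '{ns}script'."""
    return tag.rsplit("}", 1)[-1]


def audit_svg(svg_text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    # Raw-text checks run before parsing so a DTD is caught even if the
    # parser would silently accept it.
    if DOCTYPE_RE.search(svg_text):
        findings.append("DOCTYPE declaration present (DTD processing, entity expansion)")
    if ENTITY_RE.search(svg_text):
        findings.append("ENTITY declaration present (external entity / XXE risk)")
    if "<?xml-stylesheet" in svg_text:
        findings.append("xml-stylesheet processing instruction (external stylesheet load)")
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        findings.append(f"not well-formed XML: {exc}")
        return findings
    for elem in root.iter():
        name = local_name(elem.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            if attr in LINK_ATTRS and not value.strip().startswith("#"):
                findings.append(f"non-local reference {value!r} on <{name}>")
            if aname == "style" and EXT_URL_RE.search(value):
                findings.append(f"style with external url() on <{name}>")
        if name == "style" and elem.text and EXT_URL_RE.search(elem.text):
            findings.append("<style> block with external url()")
    return findings


def is_static_svg(svg_text):
    """True when the SVG only draws and references nothing outside itself."""
    return not audit_svg(svg_text)


# Constructed sample: a plain icon using only local references.
CLEAN_ICON = (
    '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">'
    '<defs><linearGradient id="g"><stop offset="0"/></linearGradient></defs>'
    '<circle cx="12" cy="12" r="10" fill="url(#g)"/><use href="#g"/></svg>'
)

# Constructed sample: same size icon carrying every flagged construct.
# The hostname example.invalid is a placeholder and never resolves.
RISKY_SVG = """<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY ext SYSTEM "http://example.invalid/ext.dtd"> ]>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script>init()</script>
  <image xlink:href="http://example.invalid/remote.png" width="10" height="10"/>
  <rect style="fill: url(http://example.invalid/pattern.svg#p)" width="5" height="5"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("clean icon", CLEAN_ICON), ("risky svg", RISKY_SVG)):
        print(f"{label}: {'static' if is_static_svg(doc) else 'FLAGGED'}")
        for line in audit_svg(doc):
            print("  -", line)
```

The raw-text checks deliberately run before the XML parser because the parser is the component such a file is aimed at; a packager that refuses anything with a DOCTYPE never hands that DOCTYPE to a renderer at all.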

Re: SVG concerns...

Posted: 28 Jun 2016, 08:16
by fullmoonremix
...I hope will be a healthy and respectful thread
I fully agree... from my POV healthy disagreement (Dialogue) can be public but disagreeable should always be a private affair (PM).

Again... EVERY file format poses a threat because EVERY one of them can be jacked.
If the problem is simply vulnerability... we would have to throw ALL of them under the bus.

The point is not to throw the baby out with the bath water... it's to reduce the attack vector. This is why hardening was invented.
Your SVG file or ANY file (systemd anyone? aka Single point of failure ) should NOT be able to mow the lawn and wash the dishes.

Gaining root and jacking the session is OK (although still I endorse hardening to deal w/ that) if the system can be reset.
If the system is jacked the game is over. @ that point one becomes the proud owner of a... radioactive paper weight.

If the system firmware is compromised that is the whole game. Which is why I prefer Coreboot ( Chromebook / Chromebox ).
If the media is a signed firmware device (eg. flash/ssd drive...disk burner... etc) its microcontroller cannot be compromised.

Which is why I prefer Kanguru (see... https://www.wired.com/2015/02/nsa-firmware-hacking/ )...
https://www.kanguru.com/storage-accesso ... ries.shtml
https://www.kanguru.com/secure-storage/ ... rage.shtml

If the media is a burnable it is not possible to burn @ boot. Changes to the original data MUST be made after loading.
(This also is why I prefer diskless aka "harddrive NOT" live OS secure forensic systems... after all I'm a CompTIA: A+ technician).

The idea is to create an "internet cafe"/kiosk environment that if attacked it can be reset.
This is what Google is doing w/ its Chrome book/box (chroot jail?) offerings.

However... no one should have to choose jail (ChromeOS) to escape criminals. Which is why I boot Chromebook w/ Porteus.

...Agnostic Philosopher Mode: on

There is a distinct difference between a " Tin foil hat " which is a highly DISAGREEABLE
Pejorative (see... Shooting the messenger ) and Pragmatism (see... Contingency plan )

"The devil's finest trick is to persuade you that he does not exist."
- Charles Baudelaire

(see... index.php?title=Zombie computer&redirect=no )
I spent 30 frustrating yrs in "security" the last 10 in fire safety and loss prevention... many yrs @ the
Google bldg (I was responsible for its enormous computerized fire/security system) in NYC and other high profile bldgs.

In various sites I dealt with many arrogant rich powerful executives/managers that only cared about convenience.
When they would not listen to reason my job was to punish them @ the behest of the FDNY (NY's bravest).

In many cases their idea of "security" was decided by their accountants.

What many wrongly believe "security" is... boils down to an expectation (misnomer?) based on the definition of the word itself.
As a result... many confuse "security" with "guarantee" (hence... the Tin foil hat Pejorative based simplistic arguments) which "security" is NOT.

In life the only thing that is guaranteed is death.

"Security" is "contingency". It deals w/ catastrophe by trying to prevent (thru avoidance/caution)...
manage and/or minimize calamity even if it might not be preventable. (see... All Is Lost )

This is "security" (eg. w/out sarcasm and w/out being too verbose)...
...wearing a helmet in space
...skydiving w/ a parachute
...NOT tempting the hand of fate
...using an umbrella but not in an open field during an intense electrical storm (and so on)

"Security" deals with threat by taking it seriously before making preparations (contingency).

For example... in some emergencies people will die. The idea is to keep that
number low ( Triage )... not to "guarantee" life (because it might cost more lives).

The software version of Triage is Fault tolerance and redundancy (aka Fail-safe )

The idea of contingency comes down to generally... too much is better than not enough ("until it's not"... I'm agnostic so please forgive me).
Unfortunately... in today's world so many critical things are tied to computers that we no longer have the luxury of whistling past the graveyard.

IMHO for what it's worth... the subject of security bores me to tears (I'm retired from
that and other things) but it's a necessary evil. I prefer the sexy stuff like performance.

I for one... would rather drive a Tesla sports coupe (albeit a bulletproof one) than an armored truck.

Regards...
"David"

