Chrome and Firefox Typecasting Security Error and Fix
Written by Karolis Liucveikis on
What is missing in the news coverage of major security hacks is how they work. This is because most newspaper readers and writers are not programmers. But a journalist should be able to explain such things in an easy-to-understand manner so that the ordinary person can understand how high-profile hacking works. We will do that here for one example, and then explain how researchers earned a prize for fixing that. Interestingly the security bug, which was in Google Chrome and Firefox, was found by a different group of researchers who also won a prize for finding that. Typecasting for an actor in Hollywood is the worst thing that can happen. If you saw “Get Shorty” then you know that Danny DeVito said in the film “I almost got typecast.” in reference to a movie in which he played.
That would have turned him into someone like Jeff Goldblum who played a nerdy genius in Jurassic Park and Independence Day and has been playing a nerdy genius ever since. Once you get typecast like that you would find it hard or impossible to play a role that calls for a different personality thus limiting your career. But typecasting in programming languages means converting an object from one type to another. For example, a ball can be a volleyball or a tennis ball. So a programmer can create a volleyball and then upcast it to a ball, like this.
Ball ordinaryBall = (Ball) VolleyBall
This is how you declare a variable. The words in capital letters means the type of object. The item in the parentheses () is the cast. And the newly created object is ordinaryBall. This cast works because obviously a volleyball is a type of ball. But you cannot go the other way, downcast, since not all balls are volleyballs. That means cannot write this:
VolleyBall myVolleyBall = (VolleyBall) Ball.
Computer languages like C++ are compiled languages. Chrome and Firefox are written in C++ That means their software code is converted into object code, like an .exe program Other programs, like Java, are only compiled at run time. So they are not permanently saved as a ready-to-run program. The danger with C++ is that a programmer can make mistakes with memory thus giving a hacker access to memory that is supposed to be protected. That means the hacker can take over a running program, like Chrome, and make it do something else.
The USENIX Security Conference calls for papers each year to present at the conference. They award the Internet Defense Prize for the best idea on how to make the internet safer by fixing a security flaw. Some computer scientists at Georgia Tech won last year and wrote this paper describing a new tool called CAVER, which catches these kinds of errors, at runtime. That fixed this security bug in Chrome CVE-2013-0912, which we can explain in the simplest possible terms.
The bug was with an HTML element. An HTML element is something like:
That means create a table in a web page and then display it. Web pages are written in HTML. The TABLE object is a type of HTML object. At the top of each page is the HTML tag:
which also ends the web page:
The stuff in between all that are tables, images (<IMG>), push buttons (<INPUT>), etc.
In terms of what we just talked about that means you can cast a TABLE object as an HTML object. This is because a TABLE is a type of HTML object. So you can upcast and write:
HTML myHTML = (HTML) Table
but you cannot write
TABLE myTable = (TABLE) HTML
since not all HTML objects are tables. The programming error in the case of Chrome was this:
SOMETHING_UNKNOWN myUnknown = (SOMETHING_UNKNOWN) HTML
In this case the program is downcasting, which should be prohibited by the compiler, to an HTML object to something that does not exist. So the Georgia tech researchers tightened up the compiler to detect this kind of error and created their new tool CAVER. (Actually they outlined the requirements of the tool. It is up to the compiler writers to actually implement that.)
The way this error helps the hacker is like this. Suppose than an HTML object has length of 10. That means the program has permission to access 10 positions (bytes) in memory. Like this 12347890. Now the downcast gave the program access to 60 positions in memory because that is the length of SOMETHING_UNKNOWN. So is memory it looked like this:
0123467890(... memory not used by this program ...).
This is called a buffer overflow error. A hacker can create a web page that causes Chrome to this SOMETHING_UNKNOWN empty memory and exploit that. Now they have access to 50 bytes of memory that is outside the limits of the program. It’s like letting the chickens outside the fence. They become subject to attack by the fox since nothing is in control there. So, after the first 10 bytes of HTML the hacker can put data which is not HTML at all. Instead they can put their own programming instructions there. These instructions tell the program to execute something other than was designed by Google Chrome. Now the hacker has control of the computer once having diverted Chrome from what it is supposed to do.
Understanding and exploiting all of this is difficult even for programmers. You would have to be a C++ and Assembly language programmer, which is far more complicated than what ordinary Java and web page programmers do. But studying such low-level items like memory and how to affect program control is what security researchers and hackers do. Thankfully this bug was discovered by the good guys first and then fixed by Chrome and Firefox. However it is not known if hackers previously used this to hack machines. Because if they had they would certainly not tell anyone, as they can make money or do damage from that.
▼ Show Discussion