Category Archives: security

The Blind Doorkeeper Problem, or, Why Enclaves are Tricky

When trying to protect a secret on a client device, there are many strategies, but most of them are doomed. However, as a long-standing problem, many security experts have tried to chip away at its edges over the years. Over the last decade there’s been growing interest in using enclaves as a means to protectContinue reading “The Blind Doorkeeper Problem, or, Why Enclaves are Tricky”

Defense Techniques: Blocking Protocol Handlers

Application Protocols represent a compelling attack vector because they’re the most reliable and cross-browser compatible way to escape a browser’s sandbox, and they work in many contexts (Office apps, some PDFs handlers, some chat/messaging clients, etc). Some protocol handlers are broadly used, while others are only used for particular workflows which may not be relevantContinue reading “Defense Techniques: Blocking Protocol Handlers”

Attack Techniques: Steganography

Attackers are incentivized to cloak their attacks to avoid detection, keep attack chains alive longer, and make investigations more complicated. One type of cloaking involves steganography, whereby an attacker embeds hidden data inside an otherwise innocuous file. For instance, an attacker might embed their malicious code inside an image file, not in an attempt toContinue reading “Attack Techniques: Steganography”

ServiceWorkers vs. Network Filtering

In a recent post, I explored how the design of network security features impact the tradeoffs of the system. In that post, I noted that integrating a URL check directly into the browser provides the security check with the best context, because it allows the client to see the full URL being checked and ifContinue reading “ServiceWorkers vs. Network Filtering”

Security: The Impact of Time

Two years ago, I wrote a long post about the importance of time, and how practical time machines can help reduce emergencies into more mundane workitems. Today, we revisit the same topic, with a focus on the Security impact of time. Races In many ways, the story of modern security is a story about races,Continue reading “Security: The Impact of Time”