storytelling

2018-11-06

An Update on the Edge XSS Filter

In Windows 10 RS5 (aka the “October 2018 Update”), the venerable XSS Filter first introduced in 2008 with IE8 was removed from Microsoft Edge. The XSS Filter debuted in a time before Content Security Policy as a part of a basket of new mitigations designed to mitigate the growing exploitation of cross-site scripting attacks, joining older features like HTTPOnly cookies and the sandbox attribute for IFRAMEs.

The XSS Filter feature was a difficult one to land– only through the sheer brilliance and dogged persistence of its creator (David Ross) did the IE team accept the proposal that a client-side filtering approach could be effective with a reasonable false positive rate and good-enough performance to ship on-by-default. The filter was carefully tuned, firing only on cross-site navigation, and in need of frequent updates as security researchers inside and outside the company found tricks to bypass it. One of the most significant technical challenges for the filter concerned how it was layered into the page download pipeline, intercepting documents as they were received as raw text from the network. The filter relied evaluating dynamically-generated regular expressions to look for potentially executable markup in the response body that could have been reflected from the request URL or POST body. Evaluating the regular expressions could prove to be extremely expensive in degenerate cases (multiple seconds of CPU time in the worst cases) and required ongoing tweaks to keep the performance costs in check.

In 2010, the Chrome team shipped their similar XSS Auditor feature, which had the luxury of injecting its detection logic after the HTML parser runs, detecting and blocking reflections as they entered the script engine. By throttling closer to the point of vulnerability, its performance and accuracy is significantly improved over the XSS Filter.

Unfortunately, no matter how you implement it, clientside XSS filtration is inherently limited– of the four classes of XSS Attack, only one is potentially mitigated by clientside XSS filtration. Attackers have the luxury of tuning their attacks to bypass filters before they deploy them to the world, and the relatively slow ship cycles of browsers (6 weeks for Chrome, and at least a few months for IE of the era) meant that bypasses remained exploitable for a long time.

False positives are an ever-present concern– this meant that the filters have to be somewhat conservative, leading to false-negative bypasses (e.g. multi-stage exploits that performed a same-site navigation) and pronouncements that certain attack patterns were simply out-of-scope (e.g. attacks encoded in anything but the most popular encoding formats).

Early attempts to mitigate the impact of false positives (by default, neutering exploits rather than blocking navigation entirely) proved bypassable and later were abused to introduce XSS exploits in sites that would otherwise be free of exploit (!!!). As a consequence, browsers were forced to offer options that would allow a site to block navigation upon detection of a reflection, or disable the XSS filter entirely.

Surprisingly, even in the ideal case, best-of-class XSS filters can introduce information disclosure exploits into sites that are free of XSS vulnerabilities. XSS filters work by matching attacker-controlled request data to text in a victim response page, which may be cross-origin. Clientside filters cannot really determine whether a given string from the request was truly reflected into the response, or whether the string is naturally present in the response. This shortcoming creates the possibility that such a filter may be abused by an attacker to determine the content of a cross-origin page, a violation of Same Origin Policy. In a canonical attack, the attacker frames a victim page with a string of interest in it, then attempts to determine that string by making a series of successive guesses until it detects blocking by the XSS filter. For instance, xoSubframe.contentWindow.length exposes the count of subframes of a frame, even cross-origin. If the XSS filter blocks the loading of a frame, its subframe count is zero and the attacker can conclude that their guess was correct.

In Windows 10 RS4 (April 2018 update), Edge shipped its implementation of the Fetch standard, which redefines how the browser downloads content for page loads. As a part of this massive architectural shift, a regression was introduced in Edge’s XSS Filter that caused it to incorrectly determine whether a navigation was cross-origin. As a result, the XSS Filter began running its logic on same-origin navigations and skipping processing of cross-origin navigations, leading to a predictable flood of bug reports.

In the process of triaging these reports and working to address the regression, we concluded that the XSS Filter had long been on the wrong side of the cost/benefit equation and we elected to remove the XSS Filter from Edge entirely, matching Firefox (which never shipped a filter to begin with).

We encourage sites that are concerned about XSS attacks to use the client-side platform features available to them (Content-Security-Policy, HTTPOnly cookies, sandboxing) and the server-side patterns and frameworks that are designed to mitigate script injection attacks.

-Eric Lawrence

2018-06-04

Back Home

I rejoined Microsoft as a Principal Program Manager for the web networking team on June 4th, 2018.

TravellogForward

June2018

2017-12-06

What If?

Spoiler alert

If you haven’t read For a Lark yet, please go read that first.

What If?

I like to think.

Well, actually, I’m not sure I like to think, but I find it really hard to relax and let my brain rest… given a few minutes of idle time, I usually find myself deep in thought about some random nonsense. One topic that I’ve gone back to for years is thinking of vignettes to write in my years-overdue memoir, which started as a pleasant diversion into nostalgia but now haunts me with its incompleteness as I continually fail to translate those thoughts into text. But nevertheless, I still love to write and when I play with the thought experiment “What if I was born a hundred years ago? Or a hundred years from now, what would I do for a living?” I often come up with “I’d write, if I could make a living at it.”

I spend a lot of time thinking about “What if” scenarios, most of which you wouldn’t consider remotely interesting.

Bitcoin, however, is interesting, and I keep coming back to “What if…” questions about it.

My boss at Telerik was almost obsessed with Bitcoin back in 2014 and finally I ended up buying six Bitcoins just so I’d feel slightly invested in the topic and might manage to avoid rolling my eyes when he talked excitedly about it.

Screen Shot 2017-12-06 at 10.03.49 AM

I watched Bitcoin’s price float around through 2014 and 2015. A blog post published in January 2016 by one of the early Bitcoin developers persuaded me to sell five of my six Bitcoins at a small profit (I recouped what I paid for the six, effectively keeping the last coin “for free”).

I later decided that perhaps I’d sold prematurely, but not having enough “play money” to buy another Bitcoin in July of 2016, I instead bought twenty Ethereum, a new and more exotic cryptocurrency which had recently started trading on Coinbase.

Screen Shot 2017-12-06 at 10.16.11 AM

After watching it grow, I bought Litecoin almost as soon as it became available on Coinbase, buying 20 at just under $20 each.
Screen Shot 2017-12-06 at 10.19.43 AM

Over time, I increased my holdings a bit, swapping between the coins and cashing out as they appreciated to recover my initial USD investments. So, at this point, my coin holdings are pure, unrealized profit.

Screen Shot 2017-12-06 at 10.21.52 AM

Almost 40 grand worth, assuming that I cash them out before they crash. And crashing seems almost certain, considering the underlying nature of the currencies. Bitcoin is a venture-capital backed ponzi scheme, a legal casino open 24/7/365 and as close as your nearest mobile phone or tablet. It’s also pretty terrible for the environment.

But that doesn’t make Bitcoins any less fun from a “What if” perspective. I recently found myself thinking about what I’d’ve done if I had any inkling of the eventual price of Bitcoins back in 2010. I quickly settled on the idea of giving out small gifts of 100 BTC to everyone I knew. To minimize taxes, I’d have to give out the coins when they were without value, and somehow prevent the recipient from cashing them out too early. 100 BTC seemed like a good amount, where recipients would be ecstatic but not crippled by their sudden wealth.

It’s too easy when playing “What if” to imagine some trivial change (“Aluminum was priced 15% lower in 1935”) spiraling into the root cause of World War III, or whatever, but I think the Bitcoin story is interesting in how little impact it would’ve had globally– a few people would get a bit richer, but beyond their immediate circles, nobody would even necessarily know it had happened.

Eventually, I decided I’d write up the idea as a short story, changing the amount to 1000 BTC to make things more interesting and perhaps somewhat less believable. I wrote it from the point-of-view of a recipient, because the story isn’t very interesting from the perspective of the giver.

Random factoids:

Bitcoin has appreciated 160 million percent since “David” bought or mined his coins in the summer of 2010.
If the recipient of the gift had sold it as soon as Coinbase started trading in 2013, they’d reap a windfall of $13300 and be overjoyed at receiving such a wonderful gift.
Sales in the following years would be similarly joyful.
That joy would likely turn to crippling dismay or horror as the price rose to $11M when the story-teller opened the card last week. Or, $12.5M today.
Bitcoin profit would be taxed at the long-term capital gains rate, meaning recipients selling today would clear a cool $10 Million after taxes.
The Bitcoin Pizza account tracks the value of the 10000 bitcoins an early user spent on two pizzas; currently around $120M. An early Bitcoin buyer who forgot he’d bought 5000 coins spent a fifth of his Bitcoin on an apartment in 2013; that Bitcoin has appreciated about 14x since then.
“David” in my story is an amalgamation of a few engineers I worked with at Microsoft; Dave is a super-smart guy who’s into all sorts of geeky projects, Christine went to Africa to work with the Peace Corps, and Herman left to go do a startup in San Francisco.
My wife, reading the story, deemed it implausible. “Why?” I asked. “Because in the story you cleaned the garage not once, but twice!” she retorted.

After publishing the story, I got a few kind words about it being a nice story, but it seemed that not everyone recognized it as fiction. I later realized that my blog theme displays a post’s “Tags” but not its “Categories”, so the post didn’t show up with the storytelling category. However, some of the reactions were so interesting that I decided not to explicitly correct anyone. Most reactions were of the form “Wow, congrats” which I deemed ambiguous (maybe they liked the story?).

A few people asked whether it was fact or fiction. An early direct message hit upon one of the themes I was trying to convey with the story:

If that article is real, congrats! Amazing story either way, draws parallels to what planting a small seed or a small act of kindness can flourish into. I think about things like that every time I get to help newer folks learn new tech like git. And seeing what things they do later always makes me proud that I might have had a part in what they’ve accomplished

But overall, there were very few comments, even from people who believed the story was true. Only one person (a Microsoft colleague) asked “which David was the gift giver,” and no one asked about the fate of the other gifts David was handing out. I was amused at the idea that people who know me would think I’d casually announce on Twitter that I was suddenly worth over ten million dollars. Nobody asked for money.

Nobody asked what I’d do with the money. While I’d probably brainstorm a million ideas, I think reality would turn out to be pretty boring. Why? When Telerik acquired Fiddler, my offer came with what seemed like a comically small number of stock options at an absurdly high price. When I asked, no one was willing to tell me how many shares the non-public company had issued, what fraction my stake might represent, or when the company might go public. I then naturally valued the options at zero (which is approximately how much I made from options when hired at Microsoft) and ignored them for years. Then, Telerik got acquired by Progress at the end of 2014 and my options were bought out for a bit over half what I paid for my house. I came home and that night I asked my wife “Hey, remember those worthless options? Well…” and eagerly awaited her reaction and the inevitable brainstorming of what we’d do with the sudden windfall. Ultimately, we bought a case of our favorite wine and put the remainder into savings.

-Eric

2017-12-01

For a Lark

“Happy Holidays” David said as he poked his head into my office, handing me an unwrapped holiday card featuring a kitten in a Santa hat. As I took it, I nearly dropped a small white envelope that dropped out from inside. The inscription in the card read simply “Best wishes, David – 2010.”

“Uh, thanks, you too!” I replied, both surprised and a bit uncomfortable that my colleague had gotten me a card. We were friendly but not friends. We’d only worked together a few times over the prior year, and it would’ve never occurred to me to get him anything for Christmas. He seemed like an archetypal geek, so we shared an interest in technology and science fiction, but we didn’t hang out or anything like that. Fortunately, he had a stack of cards in his hands, so it wasn’t like I’d been singled out or anything. Hoping he hadn’t gotten me anything fancy, I asked “What’s this?” as I flipped over the rigid envelope. In small print near the flap, it read “Do not open until Christmas 2017.”

His eyes twinkled and he grinned mischievously, an expression I’d never seen from him before. “Just a tiny gift. Well, maybe sort of a test. It’s very important that I give it to you now. But if you open it before 2017, it’ll be the crummiest gift you ever got. If you can wait, maybe it’ll be pretty nice.”

I furrowed my brow. “So, like some sort of Savings bond thing?” I asked, thinking back to the bonds I’d gotten from far-off relatives as a little kid… I’d recently stopped dragging them around from apartment to apartment and taken them to the bank to collect the princely sum of $261, two decades after I’d ungratefully wished they were some action figures or a book instead.

David smiled. “Sure, sorta. Don’t lose it. Don’t get it wet. And don’t open it early!”

“Uh, I won’t… Thanks?” I promised, and with that, David disappeared into Rob’s office next door to start his spiel all over.

Weird. Well, I’d already bought my direct reports gift cards for the IPic movie theatre and I had one extra left over… I’ll put that in a New Year’s card for David and leave it in his office sometime next week, I resolved. I tossed the card and envelope into the stack of RFC printouts on my bookshelf and went back to the email I was writing, hoping to get everything squared away before leaving for a short Christmas vacation.

The envelope sat on my bookshelf undisturbed, buried in an ever growing pile of paper. I might’ve remembered it the following year, but David had left the company that summer, off to do a volunteer tour with the Peace Corps before joining some startup out in San Francisco. Still buried in a pile of paper when I left the company two years later, the card made its way into an unsorted moving box labeled “office stuff” as we moved across the country to Texas. It then sat quietly in the box in my garage for five more years.

In the summer of 2017, I finally got around to digging through the garage, trashing what I could in an effort to make way for the growing proliferation of tricycles, big wheels, wagons, bikes, and pool toys that our two Texas-born children had collected. I spent a quiet Saturday afternoon in July mired in nostalgia, poring through boxes full of old books and papers and remembering a life before kids and so many responsibilities.

When I eventually uncovered the kitten card in the pile, I snorted and stretched to toss it in the “Recycle” pile before I remembered the weird little envelope. Sure enough, it was still inside, forgotten and untouched for the better part of a decade. I ignored the admonition of the faded green warning and tore it open, long-forgotten curiosity mounting.

The envelope contained a pile of papers folded in thirds. The outermost of these was a cleanly cut sheet of wax paper of the sort that was used for sandwiches back before ziplock bags took over the world. Odd, I mused as I discarded it. The next was a folded sheet of thick white cardstock, taped closed, which bore a short paragraph printed in Christmas-colored ink. It read simply:

Is it Christmas 2017 yet?

If so, happy holidays! Enjoy your present.
If not, please google ‘Marshmallow experiment’ and wait patiently.
You’ve been warned.

I paused as the marshmallow reference tickled something in my memory … some university lecture I’d forgotten long ago? Mildly annoyed, I dragged out my phone and searched as instructed. Oh yeah, that Stanford study about delayed gratification. It’s not like anyone will ever know… I mused as I put down my phone and started to peel back the tape holding the cardstock shut.

The door to the garage opened. “Nap’s over, Nate’s up.” my wife called, and I tossed the letter back in the box, eagerly grabbing the large pile of recycling I’d generated to show her my progress. Dancing around, building lego cars, and wrestling with my two kids, I completely forgot about David’s weird little present for another few months.

In December, off work for a two week winter holiday vacation, I resolved to finish cleaning out the garage. Thirty minutes into the job, I came across the card. I tore open the cardstock. Inside lay a single laser-printed page with a letter printed on one side. The opening paragraph read:

Happy holidays, friend!

I hope you’ve waited patiently for this small gift and aren’t too annoyed at the oddity of its presentation, but it’s all for a purpose.

My accountant has instructed me to make it very clear that this is a GIFT, granted freely without any restrictions, from me to you on December 17th, 2010. It has an approximate market value of $250. Relax– it only cost me about 8 bucks, and it may well be worthless by the time you open it. (Market value is only possibly important for tax purposes)

Beneath the card was a black and white picture, one inch square, full of smaller squares, the sort of bar code you’ll find on the back of shampoo bottles.

code

The letter continued and I read on, confused but intrigued.

This is a QR code containing the private key for a digital wallet containing bitcoin. Bitcoins are a virtual currency that I’ve been playing with this year, and I thought it would be a lark to give some out as a present. (I’m not clever at picking presents– growing up, I got a new leather wallet every year for Christmas.)

Perhaps in 2017 bitcoins have become worthless (that seems like the most likely outcome), but I have a hunch that perhaps they’ll continue to appreciate over the years. If you’ve been patient, maybe it’s enough to buy you a nicer present now.

If so, happy holidays! If not, I hope my folly brings you at least a chuckle. :)

My heart started to pound in my chest. The page concluded with David’s signature, preceded by 7 hand-scrawled characters.

1000 BTC

Hands shaking with the instant weight of the letter, I dropped it and the universe entered slow motion as the paper fluttered to the ground.