DMActiveXSecurity
Transcript of DMActiveXSecurity
Download Manager Architecture
Components and call-outs recovered from the architecture diagram:
– Internet Explorer, hosting the pages that embed DMControl.dll (ActiveX; interface IFileTransfer) through an <object> tag:
  – DLStart Web Page (served from client-specific URL; pushes install if needed): instantiates DMControl and kicks off the file transfer
  – SelfCare Web Page: instantiates DMControl; monitors and controls the transfer, allows browsing of the library and playing from the library
  – DLMonitorPage (HTML/JavaScript): instantiates DMControl; monitors and controls the transfer
  – each DMControl instance fires _IFileTransferEvents, which the pages receive as JavaScript events
– DMServer.exe (COM exe singleton), exposing IFileTransferEx and IFileTransferAdmin; these interfaces are derived from IUnknown and are not callable from script. Upon download activity, DMServer ensures that the tray app is running, starting it if necessary
– DMUser.xml (user settings, authdomains)
– DMTrayApp.exe: the tray app starts when the user logs on and holds a reference to DMServer.exe; menu: Open Monitor…, About…, Exit
Last Saved: 8/8/2005
The Goal of Our Security Measures
Prevent an unauthorized script running in a web browser from using the DMControl ActiveX control
We assume that security is compromised if…
– unauthorized (possibly malicious) code can be run on the user’s machine outside of the browser sandbox
– Windows user security is compromised
– Physical security is compromised
The Security Threat
DMControl could be used by malicious scripts running in a web browser to:
– Download and write unauthorized files to the user’s system (but not to any arbitrary location: writes are allowed only under a specific configured folder per customer, and sensitive folders, i.e. Windows, are blacklisted)
– Have a downloaded file automatically deleted at a specified future time
– Delete files on demand that have been previously downloaded
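The folder restriction described in the first threat above, as an added example that is not code from this deck or from the Download Manager product: a lexical containment check in portable C++ that accepts a download target only when it lies strictly inside the customer's configured folder and outside blacklisted system folders, refusing traversal, relative paths and alternate data streams. The customer root, the file names, the "Entriq" folder name and the second blacklist entry are assumptions constructed for the example; the deck itself names only Windows as blacklisted.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Segments of a path, lower-cased, with "." and ".." resolved lexically.
// Both '\' and '/' are accepted as separators, as Windows does. This is
// lexical only: junctions and symlinks would need the real filesystem.
using Segments = std::vector<std::string>;

static std::string lowerStr(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

Segments normalizeSegments(const std::string& path) {
    Segments out;
    std::string seg;
    auto flush = [&]() {
        if (seg == "..") { if (!out.empty()) out.pop_back(); }
        else if (!seg.empty() && seg != ".") out.push_back(lowerStr(seg));
        seg.clear();
    };
    for (char c : path) {
        if (c == '\\' || c == '/') flush();
        else seg += c;
    }
    flush();
    return out;
}

// True when 'path' lies strictly inside 'root' (the root itself does not count).
static bool isInside(const Segments& path, const Segments& root) {
    return path.size() > root.size() && std::equal(root.begin(), root.end(), path.begin());
}

// Constructed blacklist: the deck names Windows; "program files" is an
// assumed addition for this example.
static const std::vector<Segments> kBlacklistedRoots = {
    {"c:", "windows"}, {"c:", "program files"}};

// Decide whether a download may be written to 'target' given the customer's
// configured folder 'customerRoot'.
bool downloadTargetAllowed(const std::string& target, const std::string& customerRoot) {
    const Segments t = normalizeSegments(target);
    const Segments r = normalizeSegments(customerRoot);
    if (t.empty() || r.empty()) return false;
    // Only absolute drive paths ("c:" as first segment). Relative paths and
    // UNC paths (which lose their leading "\\" in the split) are refused.
    if (t[0].size() != 2 || t[0][1] != ':' ||
        !std::isalpha(static_cast<unsigned char>(t[0][0])))
        return false;
    // No NTFS alternate data streams ("clip.wmv:stream") in later segments.
    for (size_t i = 1; i < t.size(); ++i)
        if (t[i].find(':') != std::string::npos) return false;
    if (!isInside(t, r)) return false;
    for (const Segments& b : kBlacklistedRoots)
        if (isInside(t, b)) return false;
    return true;
}

int main() {
    const std::string root = "C:\\Downloads\\Entriq";            // assumed customer folder
    const char* targets[] = {
        "C:\\Downloads\\Entriq\\movie.wmv",
        "C:\\Downloads\\Entriq\\..\\..\\Windows\\evil.dll",     // traversal out of the root
        "C:\\Downloads\\Entriq\\clip.wmv:hidden",               // alternate data stream
        "Downloads\\Entriq\\clip.wmv",                           // relative path
    };
    for (const char* t : targets)
        std::cout << (downloadTargetAllowed(t, root) ? "allow  " : "refuse ") << t << '\n';
    return 0;
}
```

The check compares normalized segment lists rather than string prefixes, so a sibling folder such as `C:\Downloads\EntriqX` does not pass as "under" `C:\Downloads\Entriq`, and the root folder itself is not a valid file target.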
Our Solution
Prevent unauthorized scripts from using DMControl
– DMControl instantiation must be accompanied by a CustId:
<object classid="clsid:80BE7A2F-3C63-4136-A488-F2FF10DAB3CA" id="oDMControl">
<param name="CustId" value="Entriq">
</object>
– CustId is validated against DMServer configuration and the host web page’s URL
IE/ActiveX Instantiation Communication
Sequence of interface queries IE makes on oDMControl during instantiation:
oDMControl - IUnknown
oDMControl - _IFileTransferEvents
oDMControl - IUnknown
oDMControl - IOleControl
oDMControl - IPersistStreamInit
oDMControl - IViewObjectEx
oDMControl - IObjectWithSite (here we determine the host’s URL)
oDMControl - IConnectionPointContainer
oDMControl - IOleControl
oDMControl - IDispatch
oDMControl - IOleControl
oDMControl - IObjectSafety (here we tell the browser whether we’re safe for scripting and init)
oDMControl - IDispatch
IObjectWithSite Interaction
Sequence between the IE browser and DMControl:
– IObjectWithSite::SetSite(IUnknown*): IE calls the component during component instantiation
– IUnknown::QueryInterface(IOleClientSite): we get the browser’s IOleClientSite interface
– IOleClientSite::GetMoniker(): we get the IOleClientSite’s IMoniker interface
– IMoniker::GetDisplayName(): we get the moniker’s display name, which is the host’s URL
– We return from the original SetSite call
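Once GetDisplayName has returned the host URL, the validation that the "Our Solution" slide describes (CustId checked against DMServer configuration and the host web page's URL) can be carried out. The following is an added example in portable C++, not the control's own code: it reduces the display name to a host, refuses non-http(s) schemes and userinfo tricks, and matches the host against a constructed per-CustId list standing in for the authdomains in DMUser.xml. The "*." subdomain syntax, the .test domains and the helper names are assumptions made for the example; the CustId value "Entriq" is the one from the deck's <object> tag.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <set>
#include <string>

// Constructed stand-in for the per-customer authorized-domain list that the
// deck says DMServer keeps (the "authdomains" in DMUser.xml). The domains are
// placeholders under the reserved .test TLD, not real configuration.
using AuthDomains = std::map<std::string, std::set<std::string>>;

static const AuthDomains kAuthDomains = {
    {"Entriq", {"dlstart.example.test",         // exact host
                "*.selfcare.example.test"}},    // any subdomain (assumed syntax)
};

static std::string lowerStr(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Reduce the moniker display name (the host page's URL) to a host name.
// Returns "" when the URL cannot be trusted as an http(s) host at all.
std::string hostFromUrl(const std::string& url) {
    const std::string u = lowerStr(url);
    size_t schemeLen = 0;
    if (u.rfind("https://", 0) == 0) schemeLen = 8;
    else if (u.rfind("http://", 0) == 0) schemeLen = 7;
    else return "";                                   // file:, res:, about: are never a web host
    // The authority ends at the first '/', '?' or '#' (or the end of the string).
    std::string authority = u.substr(schemeLen, u.find_first_of("/?#", schemeLen) - schemeLen);
    if (authority.find_first_of("@\\") != std::string::npos) return "";   // userinfo / backslash tricks
    const size_t colon = authority.find(':');
    if (colon != std::string::npos) authority.erase(colon);               // drop explicit port
    return authority;
}

// One configured entry matches either the whole host exactly or, for a "*."
// entry, a host that has at least one label in front of the remainder.
static bool entryMatches(const std::string& host, const std::string& entry) {
    if (entry.rfind("*.", 0) == 0) {
        const std::string suffix = entry.substr(1);       // ".selfcare.example.test"
        return host.size() > suffix.size() &&
               host.compare(host.size() - suffix.size(), suffix.size(), suffix) == 0;
    }
    return host == entry;
}

// The decision taken once SetSite has yielded the host URL: an unknown CustId,
// an unusable URL, or a host outside the customer's list all refuse.
bool hostAuthorizedFor(const std::string& custId, const std::string& hostUrl,
                       const AuthDomains& cfg = kAuthDomains) {
    const auto it = cfg.find(custId);
    if (it == cfg.end()) return false;
    const std::string host = hostFromUrl(hostUrl);
    if (host.empty()) return false;
    for (const std::string& entry : it->second)
        if (entryMatches(host, entry)) return true;
    return false;
}

int main() {
    const char* urls[] = {
        "https://dlstart.example.test/start.html?custid=Entriq",
        "https://portal.selfcare.example.test:8443/monitor",
        "http://dlstart.example.test@evil.test/",        // trusted name in the userinfo part
        "https://dlstart.example.test.evil.test/",       // trusted name as a prefix
        "file:///C:/Temp/local.html",
    };
    for (const char* u : urls)
        std::cout << (hostAuthorizedFor("Entriq", u) ? "allow  " : "refuse ") << u << '\n';
    return 0;
}
```

Matching is on the whole host (or a labelled subdomain), never on a substring of the URL, so a trusted name appearing in the userinfo, the path, the query or as a prefix of another domain does not satisfy the check, and an unknown CustId is refused rather than treated as unrestricted.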