Can You Trust Your Workers? Examining The Security Of Html5 Web Workers presented at HITBSecConf Malaysia 2010

by Paul Theriault (Stratsec),

Tags: Business Security

URL : http://conference.hackinthebox.org/hitbsecconf2010kul/?page_id=984

Summary : The Web Worker specification brings thread-like behaviour to web pages, allowing web pages to run scripts in the background. The presentation proposes to examine the security of Web Workers in the following areas:

- The security implications of the Web Worker specification
- Compare the current implementations functionality and restrictions
- Discuss previous bugs and look at potential future issues
- Testing the segregation of the Worker sandbox

As the specification is still in draft form, and browser implementations are relatively recent, there are significant differences that may have security consequences. While the core interface is the same between browsers, differences are observed in the following areas:

- The objects and functions available in the Worker scope, including differing network communication functions and methods of interacting with the local machine.
- Firefox currently supports recursive Workers (that is, Workers may spawn their own Workers) whereas Chrome does not.
- Differences in the mechanism used to pass data between the Worker and the calling page.

These differences have potential security consequences and need to be evaluated. A number of implementation bugs have led to serious vulnerabilities in most implementations of the Web Worker standard. These include problems with the handling of data passed between webpage and worker, dealing with recursive Workers and other problems. These issues will be examined, and potential for future issues will be discussed, including the potential challenges from shared Workers (which are currently limited in implementation).

Finally, one of the key security features of the Web Worker is the segregation from the context of the calling page. Due the potential for concurrency issues, Workers are denied access to non-thread-safe components or the DOM. At a glance these properties make the web worker a natural sandbox for running untrusted code. Despite the limitations of this sandbox, examples of this usage can be observed already on the web (e.g. http://github.com/eligrey/jsandbox). But how safe is it to run untrusted code in this manner – can you trust your Workers?

Paul Theriault: Security Consultant