Security
Some notes about security, secure programming, etc.
Let's be clear: with redtamarin the goal is to run on the command line, so you are more likely to have a shell running some *.abc file, or an executable (projector) that embeds this *.abc file.
My philosophy is: if you are an executable, you have full access to everything; whether you use ActionScript, Python, Java, PHP, C#, C++, C, or whatever to format c: does not really matter.
But that does not mean we will completely ignore security problems. First, in some cases we will try to emulate what the Flash Player or AIR do (e.g. emulate the Flash Player 9 web profile to test some code); second, like Adobe, we don't want a malformed *.abc to execute malicious code because of a buffer overflow; and third, when redtamarin focuses on running on the server side, we want it to be as secure as any other server-side language (Python, PHP, etc.).
Last but not least, our goal with redtamarin is to provide tools for the Flash community, and we plan to have some focusing on security, whether an analysis tool that warns you about some "login", "password" strings in your SWF or another that would automate obfuscation and/or encryption. In any case, expect some parts of redtamarin to be all about security.
From building a simple port scanner, to executing a reverse shell, to building a sniffer, etc., you can do a lot of fun (hacking?) stuff with the redtamarin runtime.
In my spare time, I do some small tests and prototypes and write a bit about it; not sure if I should put that in the open, maybe an e-book in the future, ...
Again, I do that for fun and because it interests me, and also because I can apply those tools directly to some parts of my work (programming and sysadmin). I'm not really sure where it will go, but if the material is good enough and maybe if there is demand I could put something out there, we'll see :).
- Secure Programming HOWTO
  David A. Wheeler
- OWASP Flash Security Project
  OWASP Wiki
- Simple AS3 Decompiler Using Tamarin
  flashsec
- flashsec wiki
  good list of resources related to Adobe Flash/Flex/AIR and ActionScript security
- Abusing JSONP with Rosetta Flash
  by Michele Spagnuolo @mikispag
- Catch-up on Flash XSS exploitation – bypassing the guardians! – Part 1
  by Soroush Dalili @irsdl
- Catch-up on Flash XSS exploitation Part 2 – “navigateToURL” and “jar:” protocol!
  by Soroush Dalili @irsdl
- SWF and the Malware Tragedy - Hide and Seek in a Flash (PDF)
  by Ben Fuhrmannek (blog) and fukami (web)
- Application-Specific Attacks: Leveraging the ActionScript Virtual Machine (PDF)
  by Mark Dowd (X-Force Researcher IBM Internet Security Systems)
  original link: Application-Specific Attacks: Leveraging the ActionScript Virtual Machine (PDF)
- Hacking The World With Flash: Analyzing Vulnerabilities in Flash and the Risk of Exploitation (PPT)
  by Paul Craig (Security-Assessment.com / OWASP 29/2008)
- Community Collaboration Enhances Flash
  Security @ Adobe Blog
Misc.
- A patched flash player which will log the AES key and each packet to a file
  OpenRTMFP Cumulus Google Groups
- Secure nonces in rtmfp
  Adobe Communities Forum
Dead links (if you have a hard copy, contact me)
- Debugging ActionScript JITed code
  by Ariel E. Coronel
  @48bits blog, post by @Ariel_Coronel