>> Alright, good afternoon everybody. If people have been coming to DEF CON or Black Hat, or paying attention to information security pretty much in the last 10 years or so, this man needs very little introduction. He blew my mind the first year I came to DEF CON, DEF CON 13, and I was just telling him I cited his stuff in a paper in law school. So it's my distinct pleasure to introduce to you all Dan Kaminsky.

>> Holy crap, we are back at DEF CON. Who is here for their first DEF CON ever? Awesome. Welcome to Vegas, at least our version of it. I have been coming for 15 years, and I do talk about more than DNS, and I want to thank you for being here, because it's not like I told you what I'm going to talk about. Why am I here? Why do I come back to Vegas? I like hacking, and the primary thing that we break as hackers is assumptions. People think they know how the world works, and there is a difference: just because we break assumptions and deal with the way things work doesn't mean we understand what we're doing. What do you think happens when you mess with a system and you don't know how it works? Well, it falls over and breaks. But there is an advantage to knowing how things work. We can fix things no one else cares to, if we bother to care to. I want to talk about something I like. I like the web. I think the web is the most interesting advance in technology that I have seen in my career. HTML has a property people don't realize. It was the first document format where you put crap into it and it would render something. This should not be weird, but if you've got a hammer and you hit a nail and miss the nail, it is not like the board turns into a fish. Most file formats, if you got it wrong even a little -- there is this great phrase, surfing the web. Do you realize how weird this phrase is? You don't surf cobwebs, but the experience of being able to go ahead and I'm on this site, and now on this one, and now I'm here and there, was so compelling that we got this weird phrase popular.
The web is always up to date. Not stale or old. Not like an old version: how do we patch 950 million web pages? The web is always live, and I like that property, and it's not how the world has to work. Mobile does not work that way. Your phone does not work that way. Not saying mobile is bad, but it is optimized for you using way less internet. You have to accept installation and wait for the download, and mobile has a lot of friction; applications get old and stale, you can't re-download because it's 25 megs, and the worst part is the permissions. You have the Apple situation to put something online, or you've got the Google Android model where it might work better if you needed permission, because there is a lot of crap out there. The web has an amazing security model, it really does. The browser represents a neutral broker, software that approves other software, implementing two major ideas. The first idea is the same origin policy, which basically says we have one user, we have one program, the web browser, and that program might be at two sites; one of them is CNN and one is Gmail; CNN doesn't get to read your Gmail. The only intersection between the two programs is the user. It might not be two tabs; you have this thing called an iframe where you embed PayPal and say, do you want to spend a thousand dollars and buy something, and the one at the top of the page can't say I am going to click the button and make some money. That doesn't work, because the web made sure that didn't work. The other thing about the web is it should be safe to surf anywhere. The web requires you to download unaudited code and execute it blindly. That is how the web works, but in return the user requires of the web that anything executed is constrained and lives in the most aggressively tested sandbox that has been deployed. Not perfect, but that is the model; we had to do things to make this safe. ActiveX, gone. Java, gone. Flash, not looking so good. We keep pulling back because this is a really hard challenge.
Now, advertising. There is this thing where people say everybody should run ad blockers because ads might contain dangerous content. This is because ads might contain dangerous content. It is true, just not exclusively true. All these terrible sites that everyone complains about, you think these are more secure than ad networks? Who do you think is making more money? These little crappy sites? No. So if you follow the ad pattern you are saying it is not safe to browse all these sites; you should have a list of sites that you get content from, because those are the only places trusted, so Facebook and Twitter and nothing else. That sounds like the web? Not to me. That sounds awful. If you want to say everyone should run ad blockers because ads are annoying and make the web slow, now you have a different point, you have a totally different story, and to tell you, I have been working for the last couple to clean up the ad system because somebody's got to, and one of the questions is why are ads causing all of these performance problems. Turns out it is our fault in security. The same origin policy, as wonderful as it is, can be a problem. This is a surprising finding. What is the ultimate goal of the same origin policy? Protect the user. We fight for the user; you have all of these distrusting entities. The only thing that it can do is draw pixels in this frame; I need to make sure that it doesn't take over my clicks. It has to live in the box, but it turns out that is not accurate. Things can be invisible and still make your web slow. You are not allowed to tell. As far as the system knows, gumming up the works is a possible thing. So the same origin policy means the parent should not be able to tell what is going on in iframes. So I wrote a CPU in JavaScript. This thing goes -- crap, what are you asking me to do? And this is a big thing. We will go to a little site and see this does some work, but it is taking way, way less work, so it works much faster. So this is a way of measuring what is going on.
Anyone got a theory for what trick I'm pulling here? This works everywhere. Works in IE, Firefox, Chrome, every browser since the beginning of time. Someone tell me if he was right. Check it out: you can just ask the browser to do something in 250 ms and then you find out if it did. So you set an interval, so you keep trying to do something and find out the gap between attempt and reality. If it happens at the ms mark, yes; otherwise the browser was dallying -- was busy. This is what you're doing. So I have been building this code up; one is to find out if a page is slow, and two, if you do something that might make a page slow, how about we wait until later. So you can schedule events, like a set idle timeout. So what do we have here in terms of usefulness? For the people trying to make web pages we have an easy way of seeing if the page sucks, so we also have a way of seeing across the frame boundary that something is going on in there. Hard to know what, but you do get to find out something is going on, at 60 frames a second. So there are attacks that have taken advantage of this stuff. Could we fix this problem? Well, as it happens, because it is in a single web browser, it is core to the way browsers are built: frames share the event loop, so they are using resources that we are trying to use, so if they are busy, we are busy. So you have to design the web browser to try and fix this, and Chrome is doing stuff like that; they are going to try to make iframes work, but you still share CPU. It's not like there are two computers there, so even if it's still not blocking, other things are trying to work. Do we want to fix this? Is this a good thing for the user, that random things can be included in the web page and no one can tell it is making things slow? No. What we might be able to do, because I don't know if you guys know this, when you are a publisher of the ad site or news site you've got no idea what content you are including from ads. I run this script and it brings stuff in. You can't tell if it is good or bad.
So by design I have a frame here: tell me if this particular frame is using up all the CPU cycles and making things slow, or if it is not, if it is being very quick. That is how you get to the point where people can manage performance impact. So let's step back. What have I just done? What is the conversation that I just had in front of you? It's a hack. What should browser developers do? Turns out that is a complicated question to answer, even if you just have a metric of what is best for the user. We have a theoretical harm, maybe somehow some stuff that you can see through the timing attack, and you have an actual real-world problem: the web is drowning under poorly performing web pages. So which thing do we want to protect? We have different things we're going to do, from a one-line fix that just works to rehabbing, re-architecting the world, and it's not going to be fixed after we do that anyway. That matters, and how useful would a proper implementation be? Maybe this is not a bug; maybe we should double down and make this an awesome feature. This is the conversation that you have to have. If you want to make things better, this is the conversation you have to have. If not, sure, why are you at my talk? I like making things better. Our first step: buy ad space on the popular site; step three, profit. Anybody know what step two is? Turns out there are some unknowns out there. This is called ad stuffing; this is why web browsers are sucking. So buying ads on popular sites and putting 10 more ads in that ad. You don't see it, but the web browser is choking on this stuff. This is why nobody can audit for this stuff. It is ugly. There is no limit. They just keep doing it all day; you don't notice anything on screen; meanwhile you turn around and run a sniffer. So there is this thing called viewability, and it basically comes down to: maybe we should be able to notice there is a bunch of stuff loading that nobody can see. Maybe that is not good for anybody but the scammer.
You can see this stuff with (indiscernible) because the CPU goes through the roof, and there are tricks to go ahead and detect I am the box that is one pixel by one pixel; sometimes these tricks work, sometimes they do not work. Should this be a hack at all? So who here knows what clickjacking is? The only environment in the world where I can have that many hands go up. So there is this dialogue in the middle of Flash, and this dialogue is a permission dialogue that, if you happen to click allow, Flash gets to see your camera and gets to listen to your microphone. That is the permission model: the viewable... the harm is done just because it loaded, just because it executed, but there was no user interaction, but that rabbit hole gets deep, because the point is you show somebody an important warning, and if you click allow you may be recorded, and then you get the actual user for action. If the user doesn't know what they gave permission to, the interaction doesn't mean anything legitimate. So we call these attacks that try to hijack user interaction clickjacking attacks, and to defend against them we make the web suck. So here is PayPal. You buy something on PayPal, and you are on eBay, you get to buy something on eBay. You have a pay button, but if you are anywhere else beside eBay it navigates you somewhere else. So you go to a store and buy something, and it's like you go to the cash register and they say go over there, we can't take your card. That would be a terrible model, but that is the only way eBay knows that it cannot be manipulated. It should say a thousand dollars, but we will put an icon that says one dollar. Sure, I will buy that for a buck, and now you are out a grand. Twitter knows a thing or two about web design, and when you retweet it does a pop-up. People hate pop-ups, but the most popular sites have to use pop-ups, because that's the only way they can know you're just not browsing random sites. We have this terrible design that is being maintained. Some bugs need to be judged by the crap they create in their wake.
We fix clickjacking by turning off embedding entirely. Disable iframes entirely, or at least control where they should be. That thing you were doing on the web is nice, but still too ugly. That sucks. Embedding is one of the cool parts of the web. People are doing pop-ups, and some sites are doing things like, forget the security model: we have a really good security model and we are going to abandon it, but that's what people do because of the risk of content embedding. Adobe can't do any of that. They have an advantage: they have code. They destroyed clickjacking. We have the thing fully visible, it works; put it in a frame that's too small, it doesn't load. You put stuff on top, it renders, but you try to click stuff, nothing happens. You try to move it to the left of the page, nothing happens. So as far as Flash knows it has all of the pixel space, but somehow it knows when it's inside of an iframe, and when this stuff is on top of the iframe. Say we're going to take this box here and have it follow the mouse, so when you click it is under the allow button. It is moving. They make Photoshop; they can tell by the pixels. Adobe is comparing the expected stuff with what they hope they are going to display, the output. If you render their dialogue at 50 percent opacity... If you put on top of it a 25 percent image it works; if two 25 percent, it doesn't work. If you have originally 75 percent and with a 25 percent overlay, it doesn't. They have dealt with this problem. Cool, good job, Adobe. Glad I'm not getting spied on. I guess Flash can do -- you may want to read pixels back. You don't get to read back pixels, not repeatedly; what you have to do, knowing things have been moving around, you turn the browser into a video parser, so in this one context where security is necessary and the use is this, to a scenario where it is never going to have that dialogue up. Here we can scrape some pixels. Nowhere else do we get to do that, but it's not like we can't patch the browser too. Adobe can patch Flash; we can patch the browser engine.
HTML5 people -- they have a group called web hack, which says maybe content should know if it is being displayed or not. It removes the pixel scraping strategy. I want these clickjacking bugs off my web. How are we going to do it? Okay, browsers don't really know what pixels they are displaying on screen; they make a bunch of stuff up. I don't know, GPU, you figure it out. But it's not like a browser is without knowledge. It is sending to the GPU -- let me show you the DEF CON web page here. Nice, simple. This is the way your computer looks at the web page. We see stuff that is smacked on top of each other. There are layers here. This is what the computer sees; could we make it see something else? Pixel scraping is an attempt at auditing, saying we have so many ways of putting something on screen, we will see what happens after. Building this thing called Iron Frame, an attempt at correctness by design. We take the layers -- so the name for this was Jenga: take the layer at the bottom and drop it on the top. The only thing that could be rendered is the right thing. What happens when you play Jenga? Things roll over. We can't put too much on the top, but we can measure the position and size of what our space should be, and we only make things that big. So let me show you this working, and then -- before I do that, let me explain why you never use the word "just" when it comes to browsers. "Just" is a four-letter word. So we're going to start; here is a tweet. There is no way for this frame to know it is being framed. It would create this pop-up. I have slides here, I could show it to you, but forget it. On our left we have the SwiftOnSecurity Twitter account; there is this security applied no matter how this thing is messed with. All right, check it out. We have the tweet; it is visible and interactable. This has gone down; we have a red border here, can't use that. We're going to put some stuff on top of your tweet over here; if you look, it is popped on top and fully visible. Scroll down more.
We go off the left and it's not fully visible. Secure mode: it knows you can't mess with it. Mouse follow, this is the trick. The only place the mouse can be is where it can click through. So we have this follow the mouse. Note it is following, and it will get somewhere. So it can go yellow, it is here, but it is interactable. Anyone think I am doing silly stuff? No real attack is going to get through here? Any badasses out there? Check it out. We are going to make this 50 percent opaque. Now it's visible, and put 10 X icons on top. So 10 of these things and all 10 percent visible. We're going to have a drop shadow; this is an element and not on top of us, but it is like way over there and it is going to crap pixels on us and it is going to work. Not working, because it is not fully visible, because it was not scrolled into space. It knows about your scrolling. Blurring, un-blurring. We're going to draw an X over our frame. I don't know anything else -- zoom. So check this out. Scale 3D. You can take imported content and flip it and reverse it and it's still a thing that you can interact with, and still this code finds something bad happens. Use the visible element and make it visible. So here is the crazy thing: it's not like I did a bunch of special pieces here. Security by design is a thing. Not saying what I'm doing is perfect, but all of those things that you saw, all the ways I'm going to make messed-up content, all of those attacks failed because of one fix that was using the way the web browser worked. So I want to talk about the gory details here. Let's talk about how this stuff works. What it means to move a layer. I'm talking to you about Blink, the renamed engine from WebKit inside of Chrome, but old browsers work this way. They have to; you're working with the actual graphical layer to build a security policy that we have been struggling with for 10 years. What do we have to do here? We have to promote content to the top layer. Then we need to make sure that we have not put too much on top.
And we have to report back how much was promoted. The way the security model works is not that I make things red and yellow. You're sending messages to the thing you promote saying, here is how visible you are. What do you want to do with that information? You figure it out. PayPal is not going to have the same policy as anything else. Here is the information that you need to decide what the right thing to do is. So what do we have to work with? (indiscernible) graphics layer tree builder. Wow, web browsers are complicated crap. So let me make your life easier. Here you have three layers to worry about: your document layer, the layout tree, and the tree of paint layers. I will teach you what these things are, and this is not a final implementation. I am still a hacker, not a web developer. I don't mean the document object; in C++ it is basically the (indiscernible) without the guardrails. You can do anything in here; doesn't mean you should. So you go ahead and move things around, but anything you move, remember the bad guy also has access, and they can see what you did after and feed you bad stuff, so be careful what you read. Layout object: this is the first layer where the graphics engine says I don't need this script stuff; what I need to know is what are you trying to draw. You have block flow for HTML; these things still know what they are, just restricting anything that is not relevant to the graphical subsystem, and that is what moves around. But still not bank transparency. Anyone do website design and test to see if anything has changed? So if you were doing that, this is the layer you want to dump, to be like, what is the web browser showing the user, in a form less annoying than pixels. So you have paint layers, and different methods, and likely the same underlying structure, and here I have some stuff here and stack, stack, stack; it doesn't know what it is, just knows it is pretty pictures. Many objects share the same graphics layers; this is the problem, because we have a particular object that we want to move.
We don't want to move everything that is already there; we want to specify that this iframe needs to be movable. This will turn the simple layer tree into a complicated layer tree. You might think this is slow, but most of these layers are not drawing content, just applying rules. Throw a scroll bar in here and this is a complex tree; you take this crap at the bottom and -- so what I found is that everything in Iron Frame could be implemented at the document, layout object or graphics layer. You can do it many ways, for security and difficulty and stability. The game you are playing is sort of a fight between absorption of the browser's knowledge versus what is to happen or not happen versus the web browser's assumptions. Figuring out what should move is a different story; that is possible in the graphics layer. I am using the actual document layer. There is a useful method called bounds in viewport space. All of those transforms have been summed; you are covering pixels 100 to 300. This is you. Cool. And you apply it to the graphics numbers. We have to find our document element, so you have a document, and an iframe that has a document. That is what I went to raise. If you don't have an iframe in the way you can say pages are filled with elements. You just say we put that on top, but if it is not across the iframe boundary and not across a domain, some bad guy is like, sweet, I will put you back out, because we are living in the same security domain, and you need to use the security model if you want there to be a security model. I don't like checkbox features. And once you are inside the iframe you can raise any element. I want to raise all of it because I want it to be a thing that's testable. There are different elements with different rules; let's get this working on one of them, and that one of them is everything inside of the iframe; then we clip it. First we need to find our layer.
You go to the document and you ask for the layout object, and ask for the layer object, and get the graphics layer back, and over the river and through the woods, the reality that we are up to here. So you find the graphics layer for the iframe. Then you have to find the root layer; just root graphics layer, it just works. Sweet. I say that because there are lots of other ways that don't work and you scratch your head a lot. So the layer is too big, and you lifted it up and it is huge. You have to fix that. So how do you do that? The way I'm doing it now is -- so you're inside an iframe; you might be inside like 10. I saw one that was 56 iframes deep. What the heck? I have no good idea. You have to walk your way up, and keyholes, they are smaller than they could be, so what you're doing, you are saying I'm a thousand by a thousand and just keep getting smaller, gone through here or there, and trying to figure out how big you are by the time you make it to the top frame, and the reason you do this manually -- normally the graphics layer will do this for you, but you don't like all the transformations the graphics layer is going to do to you when you go ahead and put stuff on top of you. That is all the transformations like blurs and whatnot. So then we go ahead and walk up the stack. What next? Now we've gone from a thousand by a thousand to a hundred by a hundred. We're not done, because of the top viewport: we're like, a user scrolls; they might have scrolled through our screen or recently scrolled you. That is not a frame boundary; that's a viewport boundary. Where you're supposed to be, you have to shrink that stuff. So we apply our bounds, and done, using set position and size, and take the scrolling into account. Then you have to tell your layer you've had bounds set, apply them. The system will do it for you. You wish you would be done, but as it happens, one last step: those subframes scroll too.
So it turns out there is a function, set offset from layout object, so use all three of the layers that I described to get not just stuff raised up but raised up correctly; but it works and works well, and the next step is to report back and say here is where you are, here is how visible you are. It is so easy. That is why you never see the word "just". So, issues: you need to actually get this into the compositing pipeline. There are steps that go in order. We are saying now, just do it. So you need to get to the point where the thing is maintaining itself, because other things will cause new layout to happen and it will blow away your fix. It is mostly stable. Usually it's displaying things when everything is in the right mode, by which I mean it aborts if not. It was nice to schedule stuff at the right time, and there is some issue with the mouse as well. Testing gets weird; the biggest issue is, do we want to be forcing things to be on top? Are we altering the design of web pages? My design, I want to be failing closed. It is saying whatever is reported is absolutely the correct thing. It might be ugly, but it's visible, and the alternative is failing open; you analyze and audit. I don't care about fail closed or open; I want something with a bug bounty on it. The thinking was that position and size was good enough. How many times is someone putting stuff on content and not trying to hack you? Designers, you know. So you have a frame on top and drawing a nice shade. Could we support that? Yes, but not with the toys that I have. The deal is I've got this world up here that has a drop shadow, and that world is viewable, but not like our viewable. The area we want to promote, that we want to record as being fully visible, is down here. We want to split our layer in two and promote the bottom half but not the top half. That is not easy. Chrome has something called replica layers. One more thing I want: someone can draw a fake Twitter. They are just fake pixels. When you hit the retweet it doesn't know what you are.
What if we wanted to use Iron Frame for single sign-on? It collects your -- now -- you don't know who it really is. Look, iframes have been -- that means when you talk to the iframe it is just the iframe. We are now getting output; that means whatever pixels are there, this frame knows it is. We have input and output. We can update the address bar. We can say I know you are randomsite.com, but right now you are interacting with Coinbase or PayPal or anyone else. No more messing around; fix some stuff. Here is what I have to leave you with. We can kill clickjacking. This bug has been around for 10 years. We can kill it. We can do crazy things as hackers, not just about blowing things up. We can defend the open web, and realize when we do this it is going to be hard, and fail the first time, the second time and the tenth time, and that is okay. All the greatest hacks that I have ever seen have been: you failed, you failed, you failed, and then you succeed. And these ad stuffers that are making sites slow, they can go stuff themselves. That is what I have to say. So it looks like I have a couple of minutes for questions. Anyone want to ask something? The question: am I going to make this public? I have to. I want this in web browsers, not just to show off, so the code will be public. I am in a hallway at DEF CON and I am like, wait a minute, this can be on Twitter, and the code will be out next week. The presentation will be up in the next eight hours. Anyone else? Go for it.

>> Testing, one, two, three. Sweet, I am on the secured wire mic. When you conduct your research on port 3478, which is emulating tunnel traffic, how much beer are you going to buy for everything that responded to that?

>> You know, sometimes you scan the internet. Sometimes the internet scans you. Any other questions? See you tonight. Web developers, if you've got some interesting ideas, I will make it so you can make it by itself, things so it doesn't suck; security is going to give you a hand. That is what I've got.
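Added illustration, not part of the talk and not Kaminsky's Iron Frame code (which lives inside Blink's layout and graphics layers, not in page JavaScript): a pure-JS model of the clipping walk described above. The protected frame's rectangle is carried up through each enclosing iframe, shrunk to each keyhole, adjusted for that parent's scroll offset, and the surviving position and size is what the promoted layer is given; the fraction of the frame that survives is reported to the framed content, which applies its own policy. The frame geometry, field names and the sample policy are constructed assumptions.

```javascript
// Axis-aligned rectangle intersection; an empty result has zero width and height.
function intersect(a, b) {
  const x1 = Math.max(a.x, b.x);
  const y1 = Math.max(a.y, b.y);
  const x2 = Math.min(a.x + a.w, b.x + b.w);
  const y2 = Math.min(a.y + a.h, b.y + b.h);
  if (x2 <= x1 || y2 <= y1) return { x: 0, y: 0, w: 0, h: 0 };
  return { x: x1, y: y1, w: x2 - x1, h: y2 - y1 };
}

// `chain` lists frames from the innermost (the one being protected) outward.
// Each entry (constructed field names):
//   w, h              size of the frame element; it also clips the frame's content
//   x, y              the element's position in its parent's document coordinates
//   scrollX, scrollY  how far the parent document is scrolled
// `viewport` is the top-level browser viewport { w, h }.
// Returns the on-screen rectangle of the innermost frame in top-level viewport
// coordinates, plus the fraction of that frame which is actually visible.
function clipThroughFrames(chain, viewport) {
  const inner = chain[0];
  // Start with the whole protected frame, in its own coordinate space.
  let rect = { x: 0, y: 0, w: inner.w, h: inner.h };
  for (let i = 0; i < chain.length; i++) {
    const f = chain[i];
    // Move into the parent's viewport space: add the element offset, subtract scroll.
    rect = { x: rect.x + f.x - f.scrollX, y: rect.y + f.y - f.scrollY, w: rect.w, h: rect.h };
    // The parent is either the next frame up (a smaller keyhole) or the top viewport.
    const parent = i + 1 < chain.length ? chain[i + 1] : viewport;
    rect = intersect(rect, { x: 0, y: 0, w: parent.w, h: parent.h });
  }
  const fraction = (rect.w * rect.h) / (inner.w * inner.h);
  return { rect, fraction };
}

// The promoted layer is sized to exactly the visible rectangle (never larger, so
// nothing extra ends up on top), and the framed content is told how visible it is.
// What it does with that number is its own decision, as the talk says.
function promoteAndReport(chain, viewport) {
  const { rect, fraction } = clipThroughFrames(chain, viewport);
  const layer = { position: { x: rect.x, y: rect.y }, size: { w: rect.w, h: rect.h } };
  const report = { type: 'ironframe-visibility', fraction, rect };
  return { layer, report };
}

// Sample policy for the embedded side (an assumption, in the spirit of the Twitter
// and PayPal examples): act on clicks only when fully visible, otherwise drop into
// a "secure mode" that refuses input instead of navigating the user away.
function embeddedPolicy(report) {
  if (report.fraction === 1) return 'interactive';
  if (report.fraction > 0) return 'secure-mode';
  return 'hidden';
}

// Constructed geometry: a 300x100 tweet frame inside a 200x200 iframe that sits
// at (100,100) on a page whose viewport is 1000x800. The middle keyhole clips the
// tweet to 200x100, so two thirds of it is visible.
const sampleChain = [
  { w: 300, h: 100, x: 0, y: 0, scrollX: 0, scrollY: 0 },
  { w: 200, h: 200, x: 100, y: 100, scrollX: 0, scrollY: 0 },
];
const sampleViewport = { w: 1000, h: 800 };
```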
"This text is being provided in a rough draft format. Communication Access Realtime Translation (CART) is provided in order to facilitate communication accessibility and may not be a totally verbatim record of the proceedings."