Meet ABE

I'm pleased to announce that ABE, the Application Boundaries Enforcer meant to fight CSRF and related web attacks, has finally been included in a stable NoScript release: version 1.9.5, available here.

It's been quite a long development journey since my first announcement, made possible by NLNet's foresight, and it required more than one month of beta testing: among the thousands of testers (or rather victims) I inflicted twenty builds upon, I must especially thank therube, GµårÐïåñ, Tom T., Alan Baxter, dhown and the other friends at the NoScript forum, who devoted their time to aid debugging and optimization. A special thanks goes also to Edoardo "Sirdarckcat" Vela, talented hacker and loyal NoScript fan, who offered many useful suggestions to model the threats which ABE can counteract.

Great, but... now that I've got ABE, what can it do for me?

If you've got the latest NoScript version installed on Firefox 3.0.11 or another compatible Gecko >= 1.9 browser, you'll notice a new "ABE" tab in NoScript Options|Advanced. There you can find a list of the loaded "Rulesets", i.e. groups of firewall-like rules (syntax specification PDF).
Rulesets can be:

  1. Built-in, like the "SYSTEM" ruleset, which ships with ABE and is meant to provide automatic protection against "general" threats; you don't want to edit them unless you know exactly what you're doing.
  2. User-defined, like the "USER" ruleset, which is empty for you to customize according to your needs.
  3. Subscription-provided, coming from a centralized location which delivers "trusted" rules (not supported yet).
  4. Site-specific, created and made automatically available by site developers or administrators to protect their own web applications.

All these rulesets (built-in, yours, centralized and site-specific) cooperate to properly insulate your most sensitive web applications and prevent them from being abused by unrelated malicious web sites.

Drop-in LocalRodeo replacement

The "SYSTEM" built-in ruleset currently contains just one rule definition:

Site LOCAL
Accept from LOCAL
Deny

This simple rule protects your local network from CSRF attacks coming from outside, for instance from a malicious web page trying to hack your router. If this scenario does not sound new to you, maybe you've heard of LocalRodeo, an experimental Firefox extension which was meant to defeat exactly this kind of internet-to-intranet threat. In fact, the default ABE configuration shipping with NoScript 1.9.5 and above is at least as effective as LocalRodeo, but more performant, especially when DNS queries are involved, and much more flexible, since it's not limited to this specific attack scenario: if you're using both NoScript and LocalRodeo, it's time to uninstall the latter.

ABE for web authors

While centralized subscriptions aimed at protecting the most popular web applications have been planned but are not implemented yet, you as a web author can already start experimenting with how to protect your own web application by enforcing your own rules.
Just deploy your rules.abe file at the root of your HTTPS site and be sure to check "Allow sites to push their own rules" in the ABE options panel. This preference is initially disabled in 1.9.5, but this default will likely be inverted in the next stable iteration, as soon as it gets enough testing.
More details here.
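To make the rule semantics concrete for both the SYSTEM rule above and a site's own rules.abe, here is an added toy evaluator in JavaScript; it is not ABE's code (which lives inside NoScript) and the LOCAL address set, the SELF and ALL tokens, the first-match-wins order and the "a DENY from any ruleset blocks" policy are assumptions made for this illustration, as is the constructed rules.abe for secure.somesite.com.

```javascript
// Added example, not NoScript/ABE code: toy evaluator for the rule syntax in the post.
// RFC 1918 ranges plus loopback count as LOCAL (assumed definition).
const LOCAL_HOST = /^(localhost|\[::1\]|127\.\d+\.\d+\.\d+|10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+)$/;
const isLocal = (url) => LOCAL_HOST.test(new URL(url).hostname);
const sameOrigin = (a, b) => new URL(a).origin === new URL(b).origin;

// Parse "Site <tokens>" blocks, each followed by "Accept|Deny [methods] [from origins]".
function parseRules(text) {
  const rules = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const [verb, ...rest] = line.split(/\s+/);
    if (verb === "Site") { rules.push({ site: rest, actions: [] }); continue; }
    if (!rules.length) throw new Error("action line before any Site line");
    const at = rest.indexOf("from");
    const methods = at < 0 ? rest : rest.slice(0, at);
    const origins = at < 0 ? [] : rest.slice(at + 1);
    rules[rules.length - 1].actions.push({ allow: verb === "Accept", methods, origins });
  }
  return rules;
}

// Match a Site or origin token against a URL. Literal tokens are absolute URLs compared
// by origin, so a lookalike host such as secure.somesite.com.evil.example cannot sneak in.
function matches(token, url, req) {
  if (token === "ALL") return true;
  if (token === "LOCAL") return isLocal(url);
  if (token === "SELF") return sameOrigin(req.origin, req.dest);
  return sameOrigin(url, token);
}

// The first Site block matching the destination decides; inside it, the first action
// whose methods and origins fit the request wins. No matching action: accepted.
function evaluate(rules, req) {
  const rule = rules.find((r) => r.site.some((t) => matches(t, req.dest, req)));
  if (!rule) return "ACCEPT";
  for (const a of rule.actions) {
    const methodOk = a.methods.length === 0 || a.methods.includes(req.method);
    const originOk = a.origins.length === 0 || a.origins.some((t) => matches(t, req.origin, req));
    if (methodOk && originOk) return a.allow ? "ACCEPT" : "DENY";
  }
  return "ACCEPT";
}

// The SYSTEM ruleset from the post, plus a constructed rules.abe for one site.
const SYSTEM = parseRules("Site LOCAL\nAccept from LOCAL\nDeny");
const SITE = parseRules(
  "Site https://secure.somesite.com\nAccept POST SUB from SELF https://secure.somesite.com\nAccept GET\nDeny");

// Every loaded ruleset is consulted; a DENY from any of them blocks the request.
function decide(req) {
  return [SYSTEM, SITE].some((rs) => evaluate(rs, req) === "DENY") ? "DENY" : "ACCEPT";
}
```

A request is described by its originating page, its destination and a method label (GET, POST, or SUB for a subdocument load), so `decide({ origin: "http://evil.example/", dest: "http://192.168.1.1/apply.cgi", method: "POST" })` returns "DENY" while the same request from a LAN page is accepted.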

9 Responses to “Meet ABE”

  1. #1 Steuard says:

    Is it really a good idea to hard-code a filename for site-specific rulesets? I know there was some frustration and fuss when MSIE introduced the default location for favicon.ico; it seems like it could be better to avoid that here. I'd think that pointing to the appropriate file via some sort of META or LINK tag in the web page's header would be both better behaved and more flexible. (Otherwise, this is yet another file that every web browser will request from every site on every visit. And does this work for sites where the owner doesn't control the entire host but just a subdirectory?)

  2. #2 Blabulius Küngelstein says:

    @Steuard
    Giorgio answered at
    http://forums.informaction.com/viewtopic.php?f=10&t=1631#p5911

  3. #3 Tom T. says:

    Giorgio, congratulations on fathering your http://hackademix.net/2009/02/09/maone-20-released/ second child this year! However, rude as it is to correct one's superiors, I must say that I felt privileged, rather than a "victim", to have played any small part in the development and testing of ABE. Please forgive me for contradicting you in public. :-) :-)

    Warmest regards,
    Tom T.

  4. #4 Firefox firewall voor veilig interbankieren | Lost in the Noise says:

    [...] to protect them and to prevent them from being abused by malicious websites", says Giorgio Maone, developer of [...]

  5. #5 GµårÐïåñ says:

    Congrats my friend and I am sure the community will benefit greatly from your countless hours of hard work. It was an honor to be involved in any testing and support and will continue to look forward to more great contributions from you to the community. Get some rest, it's well deserved.

  6. #6 hackademix.net » ABE Warnings Everywhere OMG! says:

    [...] Meet ABE 01 07 2009 [...]

  7. #7 Nan M says:

    Having a more secured router, from a trusted provider, and one that I know is providing round-the-clock support, is something a home user wouldn't have dared to imagine a couple of years ago, unless they had completed a networking qualification themselves.

    Much appreciation here from your Western Australian fans.

  8. #8 sirdarckcat says:

    hey!

    I think there's a small bug on the spec, on the Examples section:

    Accept POST SUBDOC from SELF https://secure.somesite.com

    Maybe that must be SUB (without the DOC), I guess that's from when we were discussing the SUBREQ stuff :P

    Greetz!!

  9. #9 ant says:

    After wasting days looking for ways to minimise favicon.ico logspam, I think this time I'll just be rolling out an IP ban script instead.
