lecture 20 & 21 - web security · cmpsc 443 introduction to computer and network security -...
TRANSCRIPT
![Page 1: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/1.jpg)
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger
Lecture 20 & 21 - Web Security
CMPSC 443 - Spring 2012Introduction Computer and Network Security
Professor Jaegerwww.cse.psu.edu/~tjaeger/cse443-s12/
![Page 2: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/2.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Network vs. Web Security
![Page 3: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/3.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
What is the web?
• A collection of application-layer ! services used to distribute content
– Web content (HTML)– Multimedia– Email– Instant messaging
• Many applications– News outlets, entertainment, education, research and
technology, …– Commercial, consumer and B2B
• The largest distributed system in existence– threats are as diverse as applications and users– But need to be thought out carefully …
![Page 4: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/4.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Web Security: The High Bits• The stakeholders include
– Consumers (users, businesses, agents, etc)– Providers (web servers, IM servers, etc)
• Another way of seeing web security is– Securing the web infrastructure such that the integrity,
confidentiality, and availability of content and user information is maintained
![Page 5: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/5.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Secure Socket Layer (SSL/TLS)
• Used to authenticate servers– Uses certificates, “root” CAs
• Can authenticate clients• Inclusive security protocol• Security at the socket layer
– Transport Layer Security (TLS)– Provides
• authentication• confidentiality• integrity
TCP
IP
SSL
HTTP
![Page 6: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/6.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
SSL Handshake
(1) Client Hello (algorithms,…)
(2) Server Hello (alg. selection, …)(3) Server Certificate
(4) ClientKeyRequest
(5) ChangeCipherSuite
(6) ChangeCipherSuite
(7) Finished
(8) Finished
Client Server
![Page 7: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/7.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Simplified Protocol Detail
Participants: Alice/A (client) and Bob/B (server)
Crypto Elements : Random R, Certificate C, k+i Public Key (of i)
Crypto Functions : Hash functionH(x), EncryptionE(k, d), DecryptionD(k, d),Keyed MAC HMAC(k, d)
1. Alice! Bob RA
2. Bob! Alice RB , CB
Alice pick pre-master secret SAlice calculate master secretK = H(S, RA, RB)
3. Alice! Bob E(k+B , S), HMAC(K,0 CLNT 0 + [#1,#2])
Bob recover pre-master secret S = D(k�B , E(k+B , S))
Bob calculate master secretK = H(S, RA, RB)
4. Bob! Alice HMAC(K,0 SRV R0 + [#1,#2])
Note: Alice and Bob : IV Keys, Encryption Keys, and Integrity Keys 6 keys,where
each key ki = gi(K, RA, RB), and gi is key generator function.
1
![Page 8: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/8.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Advantages of SSL
• Confidential session• Server authentication*• GUI clues for users• Built into every browser• Easy to configure on the server• Protocol has been heavily analyzed• Seems like you are getting security “for free”
![Page 9: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/9.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Disadvantages of SSL
• Users don’t check certificates – most don’t know meaning
• Too easy to obtain certificates• Too many roots in the browsers• Some settings are terrible
– ssl v2 is on– totally insecure cipher suites included
• Very little use of client-side certificates• Performance!
– early days had sites turning off– getting better (crypto coprocessors, etc)
![Page 10: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/10.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Reality of SSL
• SSL is here to stay no matter what• credit card over SSL connection is! probably safer than credit card to waiter• biggest hurdles:
– performance– user education (check those certificates)– too many trusted sites (edit your browser prefs)– misconfiguration (turn off bad ciphersuites)– can be used for many non-web applications
![Page 11: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/11.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Cookies
• Cookies were designed to offload server state to browsers– Not initially part of web tools (Netscape)– Allows users to have cohesive experience– E.g., flow from page to page,
• Someone made a design choice– Use cookies to authenticate and authorize users– E.g. Amazon.com shopping cart, WSJ.com
![Page 12: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/12.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Cookie Issues …
• New design choice means– Cookies must be protected
• Against forgery (integrity)• Against disclosure (confidentiality)
• Cookies not robust against web designer mistakes– Were never intended to be– Need same scrutiny as any other tech.
Many security problems arise out of a technology built for one thing incorrectly applied to something else.
![Page 13: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/13.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Cookie Design 1: mygorilla.com
• Requirement: authenticate users on site
mygorilla.com
• Design: 1. use digest authentication to login user2. set cookie containing hashed username3. check cookie for hashed username
• Q: Is there anything wrong with this design?
User Server
![Page 14: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/14.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Cookie Design 2: mygorilla.com
• Requirement: authenticate users on site
mygorilla.com
• Design: 1. use digest authentication to login user2. set cookie containing encrypted username3. check cookie for encrypted username
• Q: Is there anything wrong with this design?
User Server
![Page 15: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/15.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Exercise: Cookie Design
• Design a secure cookie for mygorilla.com that meets the following requirements
• Requirements1. Users must be authenticated (assume digest completed)2. Time limited (24 hours)3. Unforgeable (only server can create)4. Privacy-protected (username not exposed)5. Location safe (cannot be replayed by another host)
User Server
![Page 16: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/16.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Library Attack ….
• I am sitting in the local library using the computer …• … to buy some stuff …• … and walk away …
![Page 17: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/17.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Web Server
• Entry point for clients – To a variety of services– Customized for clients (e.g., via cookies)– Supported by complex backend applications (e.g.,
databases)• Target of attackers
– Common protocol– Supports a wide range of inputs– Complex software interactions– Running with high privilege
• Q: How does this impact?– Vulnerabilities, Threats, Risks
![Page 18: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/18.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Web Server Deployments
• Note the multiple application layers and connection to legacy code
![Page 19: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/19.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Web Server Architecture
• Server Components
ServerFront-End(E.g., IIS)
GenericServices
(E.g., SMTP, FTP, etc)
Application Layer
(E.g., Active Server Pages)
DatabaseLayer
(Pick your favorite)
LegacyApplicationNetwork
![Page 20: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/20.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Dynamic Content Server generates content at runtime• For time-sensitive information (stock ticker)
• For user customization (Amazon.com)
• Provide HTML interface to complex system (e.g., course management system)
![Page 21: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/21.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Dynamic Content: CGI
• Common Gateway Interface (CGI)– Generic way to call external applications on the server– Passes URL to external program (e.g., form)– Result is captured and return to requestor
• Historically– “shell” scripts used to generate content
• Very, very dangerous
• NOTE: server extensions are no better (e.g., servlets)
Web ServerClient
Shell
Script(e.g., PHP, ASP, Perl, Python )
![Page 22: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/22.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Server-side Scripting
• Program placed directly in content, run during request time and output returned in content– MS active server pages (ASP)– PHP– mod_perl– server-side JavaScript– python, ....
• Nice at generating output– Dangerous if tied to user input
![Page 23: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/23.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Injection Attacks
• Attacker that can inject arbitrary inputs into the system can control it in subtle ways– interpreter injection - if you can get PHP to “eval” your
input, then you can run arbitrary code on the browser ...– e.g., leak cookies to remote site (e.g., session hijacking)
– filename injection - if you can control what a filename is in application, then you can manipulate the host
• Poorly constructed applications build filename based on user input or input URLS, e.g., hidden POST fields
• e.g., change temporary filename input to ~/.profile
$INPUT = “Alice\;mail($to, $subject, $body);”
<FORM METHOD=POST ACTION="../cgi-bin/mycgi.pl"><INPUT TYPE="hidden" VALUE="~/.profile" NAME="LOGFILE"></FORM>
![Page 24: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/24.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
SQL Injection
• An injection that exploits the fact that many inputs to web applications are– under control of the user– used directly in SQL queries against back-end databases
• Bad form inserts escaped code into the input ...
• This vulnerability became one of the most widely exploited and costly in web history.– Industry reported as many as 16% of websites were
vulnerable to SQL injection in 2007– This may be inflated, but clearly an ongoing problem.
SELECT email, login, last_name FROM user_table WHERE email = 'x'; DROP TABLE members; --';
![Page 25: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/25.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Web Server Security• Microsoft IIS 5.0 had many flaws
– Buffer overflows (Code Red)– ON by default
• All services (ftp, smtp, etc) ON by default• ISAPI enables access to many libraries
– Permissions on server are loose (modify system files)– Default website, so everyone knows where you are
• IIS 6.0 is better– OFF by default– Perms still a challenge– Use non-default website
![Page 26: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/26.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Warning: Cross-Site Scripting
• Assume the following is posted to a message board on your favorite website:! !Hello message board.
! !<SCRIPT>malicious code</SCRIPT>!This is the end of my message.
• Now a reasonable ASP (or some other dynamic content generator) uses the input to create a webpage (e.g., blogger nonsense).
• Now a malicious script is now running– Applet, ActiveX control, JavaScript…
![Page 27: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/27.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Dynamic Content Security
• Largely just applications – Inasmuch as application are secure– Command shells, interpreters, are dangerous
• Three things to prevent DC vulnerabilities– Validate input
• Input often received as part of user supplied data• E.g., cookie
– Limit program functionality• Don’t leave open ended-functionality
– Execute with limited privileges
![Page 28: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/28.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Web Content (client-side)• All providers serve up content …• All sorts of technologies to improve content
– Interactivity: Forms, CGI, Javascript, …– Web applications: Java, Flash, ActiveX…– Dynamic content: JavaScript …
• However, these come with risks …– Both clients and servers must use complex and
sometimes untried technologies …– … that have led to some nasty security problems.
![Page 29: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/29.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Applications/Plugins
• A plugin is a simply a program used by a browser to process content– MIME type maps content to plugin– Like any old application (e.g., RealAudio)– Newer browsers have autoinstall features
• A kind of plug-in …– (1997) David.exe– “Free pornography …”
• Moral: beware of plugins
![Page 30: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/30.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Active X• Active X is a MS Windows technology
– Really, just a way to run arbitrary code – Called controls (.OCX), just programs– Conforms to MS APIs to interact with web
• Extends user experience in lots of nice ways– Microsoft upgrade, BIOS Upgrades, Lookup services
• Active X controls are automatically downloaded and run by browser– Must pass authenticode “trust” check– Must be marked as “safe for scripting”
• Assumed promise of sandboxing …
• Massive security hole ….
![Page 31: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/31.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Is There a Concern?Initially, MS thought that users would have no problem with ActiveX controls
• Hey, you run programs you buy, right?
• With traditional applications• You (generally) know who the software comes from
• You (generally) have some recourse
• On the Internet …• Neither of the above may be true
• User not actually be involved/aware in execution
![Page 32: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/32.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Authenticode
• Problem: I need to run an application code on my machine, but I worry about security
• Solution: Make sure code only comes from people that you trust.
• Authenticode– Sign download content– Check that signer is “trusted”– Used for all Win* content– Problem: Jan 2001
• Verisign issued two bad MS certs
![Page 33: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/33.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Active X Cautionary Tales• Exploder (Win95)
– 1996, Fred McLain– Acquired Verisign
certificate– Signed Exploder
• 10 second countdown• … shutdown
• MS/Verisign upset
• Microsoft Access• 2000, Guninski• ActiveX related control• Allowed a website to load
and execute an spreadsheet …
• ... Which can contain any command …
• … which means …• A website can run any
command on the user machine.
![Page 34: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/34.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
JavaScript
• Scripting Language used to improve ! the quality/experience
– Create dialogs, forms, graphs, …– Built upon API functions (lots of different flavors)– No ability to read local files, open connections …
• Security: No ability to read local files, open connections, but …– DOS – the “infinite popup” script
• Often could not “break out” with restarting computer– Spoofing – easy to create “password” dialogs
![Page 35: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/35.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Same-Origin Policy
• Can run multiple JavaScripts on the same browser – What can they access?
• Same origin policy limits them to methods and properties from the same site only– Restricts to same host, protocol, and port
• For http://www.example.com/foo.html– http://www.example.com/dir2/purchase.html -- OK?– https://example.com:81/dir/index.html -- OK?
• Does not prevent a variety of attacks– XSS -- script arrives from server, but not “from” server– XSRF -- script accesses other site user is authenticated to
• send cookies for the site, which may enable action to be performed
![Page 36: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/36.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Java
• Platform and language for writing applets– Sun Microsystems platform for set-top boxes– Applets embedded in web pages (or native)– Language loosely resembling C++– Runs in a Java Virtual Machine (JVM)
• Every platform has JVM• Platform runs arbitrary code (bytecode)• Hence: one application runs on a bunch of platforms• Great way to take advantage of the web• Slow for data/processing intensive applications
![Page 37: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/37.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
• Problem: running arbitrary code downloaded from the network is inherently dangerous– Safety - Restrict the language such that the programmer cannot
do anything unsafe• No pointers, bounds checking, type safety • Automated memory management • Access checking
– Security - Restrict the environment such that the program cannot do anything insecure
• Sandbox, signed code (often .jar files)• Bytecode verifier - checks for forged pointers, access
violations, type safety violations• SecurityManager class – validates operations• ClassLoader – safe class loading
Java Security
![Page 38: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/38.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Drive by downloads
• Using a deceptive means to get someone to install something on their own (spyware/adware)
– Once you have one, then it starts downloading lots of others, their friends, …
– A personal favorite: extortion-ware -- pay us 40$ for our popup blocker, etc ….
• The real gambit is that they demand 40$ for the uninstall option
• Answer: go get ad-aware and install it (its free)!
![Page 39: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/39.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Spyware• Definition: hidden software that uses local host to
transmit user secrets– e.g., browsing habits, forms data
• Typically found in “free” software– Gnutella, game tools, demo software, MP3 tools ...)– Implemented using spyware “engines” - gator
• Embeds in local host to– Adds shared libraries (.dlls), adds to startup as TSR programs
(in registries, start)– Often difficult or impossible to remove
• You are never really sure it is gone (advice: reinstall)
• Gets installed by user action or via some of IEs ability to “help” the user via tools such as Active-X
![Page 40: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/40.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Browsers
• Browsers are the new operating systems • Huge, complex systems that support
– Many document types, structures, e.g., HTML, XML, ...– Complex rendering, e.g., CSS, CSS 2.0– Many “program/scripting” languages, e.g., JavaScript– Dynamic content, e.g., AJAX– Native code execution, e.g., ActiveX
• Virtualized computers in a single program ...
![Page 41: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/41.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Extending the Sandbox
• Netscape used strict sandbox– No local disk access– No connections to hosts other than webserver
• Internet Explorer has “Security Zones”– Zones: Internet, Trusted, Restricted, Local Intranet,
MyComputer– Each zone has a range of enabled features– Customizable, also pertains to ActiveX controls– Nice, but largely unused (at least by me)
![Page 42: Lecture 20 & 21 - Web Security · CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Lecture 20 & 21 - Web Security CMPSC 443 - Spring 2012](https://reader033.vdocuments.site/reader033/viewer/2022060510/5f2731a20da2a9157e3c488f/html5/thumbnails/42.jpg)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Browser Security
• We don’t have the ability to control this much complexity, so we have to try other things ...– Restricting functionality, e.g., NoScript– Process Isolation, e.g., OP, Chrome
• Read: http://www.google.com/googlebooks/chrome/
Process 1
http://a.com/<img>
http://c.com/<img>
http://b.com/<img>
TAB 1
http://d.com/<IMG>
http://e.com/<IMG>
<body>
Process 2
http://a.com/<img>
http://c.com/<img>
http://b.com/<img>
TAB 2
http://d.com/<IMG>
http://e.com/<IMG>
<body>
Process 3
http://a.com/<img>
http://c.com/<img>
http://b.com/<img>
TAB 3
http://d.com/<IMG>
http://e.com/<IMG>
<body>
Main Browser Process