lecture 20 & 21 - web security · cmpsc 443 introduction to computer and network security -...
TRANSCRIPT
CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger
Lecture 20 & 21 - Web Security
CMPSC 443 - Spring 2012Introduction Computer and Network Security
Professor Jaegerwww.cse.psu.edu/~tjaeger/cse443-s12/
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Network vs. Web Security
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
What is the web?
• A collection of application-layer ! services used to distribute content
– Web content (HTML)– Multimedia– Email– Instant messaging
• Many applications– News outlets, entertainment, education, research and
technology, …– Commercial, consumer and B2B
• The largest distributed system in existence– threats are as diverse as applications and users– But need to be thought out carefully …
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Web Security: The High Bits• The stakeholders include
– Consumers (users, businesses, agents, etc)– Providers (web servers, IM servers, etc)
• Another way of seeing web security is– Securing the web infrastructure such that the integrity,
confidentiality, and availability of content and user information is maintained
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Secure Socket Layer (SSL/TLS)
• Used to authenticate servers– Uses certificates, “root” CAs
• Can authenticate clients• Inclusive security protocol• Security at the socket layer
– Transport Layer Security (TLS)– Provides
• authentication• confidentiality• integrity
TCP
IP
SSL
HTTP
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
SSL Handshake
(1) Client Hello (algorithms,…)
(2) Server Hello (alg. selection, …)(3) Server Certificate
(4) ClientKeyRequest
(5) ChangeCipherSuite
(6) ChangeCipherSuite
(7) Finished
(8) Finished
Client Server
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Simplified Protocol Detail
Participants: Alice/A (client) and Bob/B (server)
Crypto Elements : Random R, Certificate C, k+i Public Key (of i)
Crypto Functions : Hash functionH(x), EncryptionE(k, d), DecryptionD(k, d),Keyed MAC HMAC(k, d)
1. Alice! Bob RA
2. Bob! Alice RB , CB
Alice pick pre-master secret SAlice calculate master secretK = H(S, RA, RB)
3. Alice! Bob E(k+B , S), HMAC(K,0 CLNT 0 + [#1,#2])
Bob recover pre-master secret S = D(k�B , E(k+B , S))
Bob calculate master secretK = H(S, RA, RB)
4. Bob! Alice HMAC(K,0 SRV R0 + [#1,#2])
Note: Alice and Bob : IV Keys, Encryption Keys, and Integrity Keys 6 keys,where
each key ki = gi(K, RA, RB), and gi is key generator function.
1
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Advantages of SSL
• Confidential session• Server authentication*• GUI clues for users• Built into every browser• Easy to configure on the server• Protocol has been heavily analyzed• Seems like you are getting security “for free”
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Disadvantages of SSL
• Users don’t check certificates – most don’t know meaning
• Too easy to obtain certificates• Too many roots in the browsers• Some settings are terrible
– ssl v2 is on– totally insecure cipher suites included
• Very little use of client-side certificates• Performance!
– early days had sites turning off– getting better (crypto coprocessors, etc)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Reality of SSL
• SSL is here to stay no matter what• credit card over SSL connection is! probably safer than credit card to waiter• biggest hurdles:
– performance– user education (check those certificates)– too many trusted sites (edit your browser prefs)– misconfiguration (turn off bad ciphersuites)– can be used for many non-web applications
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Cookies
• Cookies were designed to offload server state to browsers– Not initially part of web tools (Netscape)– Allows users to have cohesive experience– E.g., flow from page to page,
• Someone made a design choice– Use cookies to authenticate and authorize users– E.g. Amazon.com shopping cart, WSJ.com
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Cookie Issues …
• New design choice means– Cookies must be protected
• Against forgery (integrity)• Against disclosure (confidentiality)
• Cookies not robust against web designer mistakes– Were never intended to be– Need same scrutiny as any other tech.
Many security problems arise out of a technology built for one thing incorrectly applied to something else.
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Cookie Design 1: mygorilla.com
• Requirement: authenticate users on site
mygorilla.com
• Design: 1. use digest authentication to login user2. set cookie containing hashed username3. check cookie for hashed username
• Q: Is there anything wrong with this design?
User Server
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Cookie Design 2: mygorilla.com
• Requirement: authenticate users on site
mygorilla.com
• Design: 1. use digest authentication to login user2. set cookie containing encrypted username3. check cookie for encrypted username
• Q: Is there anything wrong with this design?
User Server
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Exercise: Cookie Design
• Design a secure cookie for mygorilla.com that meets the following requirements
• Requirements1. Users must be authenticated (assume digest completed)2. Time limited (24 hours)3. Unforgeable (only server can create)4. Privacy-protected (username not exposed)5. Location safe (cannot be replayed by another host)
User Server
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Library Attack ….
• I am sitting in the local library using the computer …• … to buy some stuff …• … and walk away …
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Web Server
• Entry point for clients – To a variety of services– Customized for clients (e.g., via cookies)– Supported by complex backend applications (e.g.,
databases)• Target of attackers
– Common protocol– Supports a wide range of inputs– Complex software interactions– Running with high privilege
• Q: How does this impact?– Vulnerabilities, Threats, Risks
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Web Server Deployments
• Note the multiple application layers and connection to legacy code
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Web Server Architecture
• Server Components
ServerFront-End(E.g., IIS)
GenericServices
(E.g., SMTP, FTP, etc)
Application Layer
(E.g., Active Server Pages)
DatabaseLayer
(Pick your favorite)
LegacyApplicationNetwork
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Dynamic Content Server generates content at runtime• For time-sensitive information (stock ticker)
• For user customization (Amazon.com)
• Provide HTML interface to complex system (e.g., course management system)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Dynamic Content: CGI
• Common Gateway Interface (CGI)– Generic way to call external applications on the server– Passes URL to external program (e.g., form)– Result is captured and return to requestor
• Historically– “shell” scripts used to generate content
• Very, very dangerous
• NOTE: server extensions are no better (e.g., servlets)
Web ServerClient
Shell
Script(e.g., PHP, ASP, Perl, Python )
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Server-side Scripting
• Program placed directly in content, run during request time and output returned in content– MS active server pages (ASP)– PHP– mod_perl– server-side JavaScript– python, ....
• Nice at generating output– Dangerous if tied to user input
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Injection Attacks
• Attacker that can inject arbitrary inputs into the system can control it in subtle ways– interpreter injection - if you can get PHP to “eval” your
input, then you can run arbitrary code on the browser ...– e.g., leak cookies to remote site (e.g., session hijacking)
– filename injection - if you can control what a filename is in application, then you can manipulate the host
• Poorly constructed applications build filename based on user input or input URLS, e.g., hidden POST fields
• e.g., change temporary filename input to ~/.profile
$INPUT = “Alice\;mail($to, $subject, $body);”
<FORM METHOD=POST ACTION="../cgi-bin/mycgi.pl"><INPUT TYPE="hidden" VALUE="~/.profile" NAME="LOGFILE"></FORM>
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
SQL Injection
• An injection that exploits the fact that many inputs to web applications are– under control of the user– used directly in SQL queries against back-end databases
• Bad form inserts escaped code into the input ...
• This vulnerability became one of the most widely exploited and costly in web history.– Industry reported as many as 16% of websites were
vulnerable to SQL injection in 2007– This may be inflated, but clearly an ongoing problem.
SELECT email, login, last_name FROM user_table WHERE email = 'x'; DROP TABLE members; --';
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Web Server Security• Microsoft IIS 5.0 had many flaws
– Buffer overflows (Code Red)– ON by default
• All services (ftp, smtp, etc) ON by default• ISAPI enables access to many libraries
– Permissions on server are loose (modify system files)– Default website, so everyone knows where you are
• IIS 6.0 is better– OFF by default– Perms still a challenge– Use non-default website
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Warning: Cross-Site Scripting
• Assume the following is posted to a message board on your favorite website:! !Hello message board.
! !<SCRIPT>malicious code</SCRIPT>!This is the end of my message.
• Now a reasonable ASP (or some other dynamic content generator) uses the input to create a webpage (e.g., blogger nonsense).
• Now a malicious script is now running– Applet, ActiveX control, JavaScript…
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Dynamic Content Security
• Largely just applications – Inasmuch as application are secure– Command shells, interpreters, are dangerous
• Three things to prevent DC vulnerabilities– Validate input
• Input often received as part of user supplied data• E.g., cookie
– Limit program functionality• Don’t leave open ended-functionality
– Execute with limited privileges
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Web Content (client-side)• All providers serve up content …• All sorts of technologies to improve content
– Interactivity: Forms, CGI, Javascript, …– Web applications: Java, Flash, ActiveX…– Dynamic content: JavaScript …
• However, these come with risks …– Both clients and servers must use complex and
sometimes untried technologies …– … that have led to some nasty security problems.
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Applications/Plugins
• A plugin is a simply a program used by a browser to process content– MIME type maps content to plugin– Like any old application (e.g., RealAudio)– Newer browsers have autoinstall features
• A kind of plug-in …– (1997) David.exe– “Free pornography …”
• Moral: beware of plugins
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Active X• Active X is a MS Windows technology
– Really, just a way to run arbitrary code – Called controls (.OCX), just programs– Conforms to MS APIs to interact with web
• Extends user experience in lots of nice ways– Microsoft upgrade, BIOS Upgrades, Lookup services
• Active X controls are automatically downloaded and run by browser– Must pass authenticode “trust” check– Must be marked as “safe for scripting”
• Assumed promise of sandboxing …
• Massive security hole ….
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Is There a Concern?Initially, MS thought that users would have no problem with ActiveX controls
• Hey, you run programs you buy, right?
• With traditional applications• You (generally) know who the software comes from
• You (generally) have some recourse
• On the Internet …• Neither of the above may be true
• User not actually be involved/aware in execution
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Authenticode
• Problem: I need to run an application code on my machine, but I worry about security
• Solution: Make sure code only comes from people that you trust.
• Authenticode– Sign download content– Check that signer is “trusted”– Used for all Win* content– Problem: Jan 2001
• Verisign issued two bad MS certs
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Active X Cautionary Tales• Exploder (Win95)
– 1996, Fred McLain– Acquired Verisign
certificate– Signed Exploder
• 10 second countdown• … shutdown
• MS/Verisign upset
• Microsoft Access• 2000, Guninski• ActiveX related control• Allowed a website to load
and execute an spreadsheet …
• ... Which can contain any command …
• … which means …• A website can run any
command on the user machine.
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
JavaScript
• Scripting Language used to improve ! the quality/experience
– Create dialogs, forms, graphs, …– Built upon API functions (lots of different flavors)– No ability to read local files, open connections …
• Security: No ability to read local files, open connections, but …– DOS – the “infinite popup” script
• Often could not “break out” with restarting computer– Spoofing – easy to create “password” dialogs
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Same-Origin Policy
• Can run multiple JavaScripts on the same browser – What can they access?
• Same origin policy limits them to methods and properties from the same site only– Restricts to same host, protocol, and port
• For http://www.example.com/foo.html– http://www.example.com/dir2/purchase.html -- OK?– https://example.com:81/dir/index.html -- OK?
• Does not prevent a variety of attacks– XSS -- script arrives from server, but not “from” server– XSRF -- script accesses other site user is authenticated to
• send cookies for the site, which may enable action to be performed
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Java
• Platform and language for writing applets– Sun Microsystems platform for set-top boxes– Applets embedded in web pages (or native)– Language loosely resembling C++– Runs in a Java Virtual Machine (JVM)
• Every platform has JVM• Platform runs arbitrary code (bytecode)• Hence: one application runs on a bunch of platforms• Great way to take advantage of the web• Slow for data/processing intensive applications
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
• Problem: running arbitrary code downloaded from the network is inherently dangerous– Safety - Restrict the language such that the programmer cannot
do anything unsafe• No pointers, bounds checking, type safety • Automated memory management • Access checking
– Security - Restrict the environment such that the program cannot do anything insecure
• Sandbox, signed code (often .jar files)• Bytecode verifier - checks for forged pointers, access
violations, type safety violations• SecurityManager class – validates operations• ClassLoader – safe class loading
Java Security
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Drive by downloads
• Using a deceptive means to get someone to install something on their own (spyware/adware)
– Once you have one, then it starts downloading lots of others, their friends, …
– A personal favorite: extortion-ware -- pay us 40$ for our popup blocker, etc ….
• The real gambit is that they demand 40$ for the uninstall option
• Answer: go get ad-aware and install it (its free)!
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Spyware• Definition: hidden software that uses local host to
transmit user secrets– e.g., browsing habits, forms data
• Typically found in “free” software– Gnutella, game tools, demo software, MP3 tools ...)– Implemented using spyware “engines” - gator
• Embeds in local host to– Adds shared libraries (.dlls), adds to startup as TSR programs
(in registries, start)– Often difficult or impossible to remove
• You are never really sure it is gone (advice: reinstall)
• Gets installed by user action or via some of IEs ability to “help” the user via tools such as Active-X
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Browsers
• Browsers are the new operating systems • Huge, complex systems that support
– Many document types, structures, e.g., HTML, XML, ...– Complex rendering, e.g., CSS, CSS 2.0– Many “program/scripting” languages, e.g., JavaScript– Dynamic content, e.g., AJAX– Native code execution, e.g., ActiveX
• Virtualized computers in a single program ...
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Extending the Sandbox
• Netscape used strict sandbox– No local disk access– No connections to hosts other than webserver
• Internet Explorer has “Security Zones”– Zones: Internet, Trusted, Restricted, Local Intranet,
MyComputer– Each zone has a range of enabled features– Customizable, also pertains to ActiveX controls– Nice, but largely unused (at least by me)
CMPSC 443 Introduction to Computer (and Network) Security - Spring 2012 - Professor Jaeger Page
Browser Security
• We don’t have the ability to control this much complexity, so we have to try other things ...– Restricting functionality, e.g., NoScript– Process Isolation, e.g., OP, Chrome
• Read: http://www.google.com/googlebooks/chrome/
Process 1
http://a.com/<img>
http://c.com/<img>
http://b.com/<img>
TAB 1
http://d.com/<IMG>
http://e.com/<IMG>
<body>
Process 2
http://a.com/<img>
http://c.com/<img>
http://b.com/<img>
TAB 2
http://d.com/<IMG>
http://e.com/<IMG>
<body>
Process 3
http://a.com/<img>
http://c.com/<img>
http://b.com/<img>
TAB 3
http://d.com/<IMG>
http://e.com/<IMG>
<body>
Main Browser Process