CNT 5410 - Computer and Network Security: Web Security Professor - - PowerPoint PPT Presentation



SLIDE 1

Southeastern Security for Enterprise and Infrastructure (SENSEI) Center

CNT 5410 - Computer and Network Security: Web Security

Professor Kevin Butler Fall 2015

SLIDE 2

Network vs. Web Security

SLIDE 3

What is the web?

  • A collection of application-layer services used to distribute content
    • Web content (HTML)
    • Multimedia
    • Email
    • Instant messaging
  • Many applications
    • News outlets, entertainment, education, research and technology, …
    • Commercial, consumer and B2B

SLIDE 4

Web security: the high bits

  • The largest distributed system in existence
    • threats are as diverse as applications and users
    • But need to be thought out carefully …
  • The stakeholders are …
    • Consumers (users, businesses, agents, …)
    • Providers (web-servers, IM services, …)
  • Another way of seeing web security is
    • Securing the web infrastructure such that the integrity, confidentiality, and availability of content and user information is maintained

SLIDE 5

Early Web Systems

  • Early web systems provided a click-render-click cycle of acquiring web content.
  • Web content consisted of static content with little user interaction.

[Figure: a Webpage whose <body> embeds <img> elements from http://a.com/, http://b.com/, http://c.com/, http://d.com/ and http://e.com/]

SLIDE 6

Adding State to the Web: Cookies

  • Cookies were designed to offload server state to browsers
    • Not initially part of web tools (Netscape)
    • Allows users to have cohesive experience
    • E.g., flow from page to page
  • Someone made a design choice
    • Use cookies to authenticate and authorize users
    • E.g. Amazon.com shopping cart, WSJ.com

SLIDE 7

Cookie Issues …

  • New design choice means
    • Cookies must be protected
      • Against forgery (integrity)
      • Against disclosure (confidentiality)
  • Cookies not robust against web designer mistakes, committed attackers
    • Were never intended to be
    • Need the same scrutiny as any other tech.

Many security problems arise out of a technology built for one thing incorrectly applied to something else.

SLIDE 8

But What About...

SLIDE 10

Web Transport Security: SSL

  • Secure Sockets Layer (SSL/TLS)
    • Used to authenticate servers
      • Uses certificates, “root” CAs
    • Can authenticate clients
  • Inclusive security protocol
  • Security at the socket layer
    • Transport Layer Security (TLS)
    • Provides
      • authentication
      • confidentiality
      • integrity

[Figure: protocol stack with SSL between HTTP and TCP/IP]

SLIDE 11

SSL Handshake

Messages between Client and Server:

  (1) Client Hello (algorithms, …)
  (2) Server Hello (alg. selection, …)
  (3) Server Certificate
  (4) ClientKeyRequest
  (5) ChangeCipherSuite
  (6) ChangeCipherSuite
  (7) Finished
  (8) Finished

SLIDE 12

Simplified Protocol Detail

Participants: Alice/A (client) and Bob/B (server)
Crypto Elements: Random $R$, Certificate $C$, $k_i^+$ Public Key (of $i$)
Crypto Functions: Hash function $H(x)$, Encryption $E(k, d)$, Decryption $D(k, d)$, Keyed MAC $\mathrm{HMAC}(k, d)$

1. Alice → Bob: $R_A$
2. Bob → Alice: $R_B, C_B$
   Alice picks pre-master secret $S$
   Alice calculates master secret $K = H(S, R_A, R_B)$
3. Alice → Bob: $E(k_B^+, S)$, $\mathrm{HMAC}(K, \text{'CLNT'} + [\#1, \#2])$
   Bob recovers pre-master secret $S = D(k_B^-, E(k_B^+, S))$
   Bob calculates master secret $K = H(S, R_A, R_B)$
4. Bob → Alice: $\mathrm{HMAC}(K, \text{'SRVR'} + [\#1, \#2])$

Note: Alice and Bob: IV Keys, Encryption Keys, and Integrity Keys: 6 keys, where each key $k_i = g_i(K, R_A, R_B)$, and $g_i$ is key generator function.
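
The four messages above, run end to end by both parties, once cleanly and once with message 1 altered in transit (added example, not part of the original slides). Assumptions: SHA-256 for H, HMAC-SHA256 for HMAC and for the key generators g_i, a toy unpadded RSA key for E/D, and a constructed placeholder certificate.

```python
import hashlib
import hmac
import secrets

# Toy RSA key pair for Bob, standing in for k_B^+ / k_B^- (assumption: textbook
# RSA over two Mersenne primes, no padding; it illustrates E and D, it is not secure).
P, Q, E_PUB = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D_PRIV = pow(E_PUB, -1, (P - 1) * (Q - 1))

# Six keys: IV, encryption and integrity keys for each direction.
LABELS = [b"client IV", b"server IV", b"client enc", b"server enc",
          b"client mac", b"server mac"]


def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def derive_keys(K: bytes, RA: bytes, RB: bytes) -> dict:
    # k_i = g_i(K, R_A, R_B); g_i is assumed to be HMAC under K over a label.
    return {label: mac(K, label + RA + RB) for label in LABELS}


def handshake(tamper_msg1: bool = False) -> dict:
    RA = secrets.token_bytes(32)                 # 1. Alice -> Bob: R_A
    RA_bob = bytes(32) if tamper_msg1 else RA    # what Bob actually receives
    RB = secrets.token_bytes(32)                 # 2. Bob -> Alice: R_B, C_B
    CB = b"constructed certificate binding Bob to (N, E_PUB)"
    alice_log = RA + RB + CB                     # Alice's view of [#1, #2]
    bob_log = RA_bob + RB + CB                   # Bob's view of [#1, #2]

    S = secrets.token_bytes(16)                  # Alice picks pre-master secret
    K_alice = H(S, RA, RB)
    enc_S = pow(int.from_bytes(S, "big"), E_PUB, N)          # E(k_B^+, S)
    client_mac = mac(K_alice, b"CLNT" + alice_log)            # 3. Alice -> Bob

    S_bob = pow(enc_S, D_PRIV, N).to_bytes(16, "big")         # D(k_B^-, ...)
    K_bob = H(S_bob, RA_bob, RB)
    bob_accepts = hmac.compare_digest(client_mac, mac(K_bob, b"CLNT" + bob_log))

    alice_accepts = False
    if bob_accepts:
        server_mac = mac(K_bob, b"SRVR" + bob_log)            # 4. Bob -> Alice
        alice_accepts = hmac.compare_digest(
            server_mac, mac(K_alice, b"SRVR" + alice_log))

    keys_match = derive_keys(K_alice, RA, RB) == derive_keys(K_bob, RA_bob, RB)
    return {"bob_accepts": bob_accepts, "alice_accepts": alice_accepts,
            "keys_match": keys_match}


if __name__ == "__main__":
    print("clean run:   ", handshake())
    print("tampered run:", handshake(tamper_msg1=True))
```

Because both the master secret and the MACs cover the earlier messages, a change to message 1 leaves the two sides with different keys and Bob rejects the handshake at step 3.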

SLIDE 13

Running a CA? Also hard.

Certificate Authorities are constantly in the news for high-profile compromises and blunders. Can they be trusted?

SLIDE 14

Status Quo for Trust Online

Developers misunderstand and even intentionally disable certificate validation in their SSL/TLS client software.

[Figure label: (Never Called)]

SLIDE 15

Solutions

  • Alternatives/Enhancements to traditional CAs infrastructure:
    • Convergence: Distributed certificate verification
    • Cert Pinning: Remember the first cert and use it!
    • DANE: Use DNS to distribute SSL/TLS keys
  • CertShim overrides SSL behavior in client applications, providing certificate handling.
    • This research project is based out of UF (ask Adam for details)

SLIDE 16

Heartbleed Bug

  • An implementation weakness in TLS/DTLS
    • Not a fundamental issue with the protocols
  • Allows an adversary to arbitrarily read memory
    • What could they do with that?
  • Server-side systems must be patched.
    • How do you know if the systems you’re talking to are patched?

SLIDE 17

The Data Structure

    struct {
        HeartbeatMessageType type;
        uint16 payload_length;
        opaque payload[HeartbeatMessage.payload_length];
        opaque padding[padding_length];
    } HeartbeatMessage;

SLIDE 18

The Code...

    /* Read type and payload length first */
    hbtype = *p++;
    n2s(p, payload);
    pl = p;

    if (s->msg_callback)
        s->msg_callback(0, s->version, TLS1_RT_HEARTBEAT,
            &s->s3->rrec.data[0], s->s3->rrec.length,
            s, s->msg_callback_arg);

    if (hbtype == TLS1_HB_REQUEST)
    {
        unsigned char *buffer, *bp;
        int r;

        /* Allocate memory for the response, size is 1 bytes
         * message type, plus 2 bytes payload length, plus
         * payload, plus padding
         */
        buffer = OPENSSL_malloc(1 + 2 + payload + padding);
        bp = buffer;

        /* Enter response type, length and copy payload */
        *bp++ = TLS1_HB_RESPONSE;
        s2n(payload, bp);
        memcpy(bp, pl, payload);

        r = ssl3_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);
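
A small model of the handler above with and without a check of payload_length against the record length (added example, not OpenSSL code). Assumptions: process memory is modelled as a byte string with constructed data placed right after the record, and the response padding is left out.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # minimum padding length required by RFC 6520

# Constructed: whatever happens to sit in memory right after the received record.
NEIGHBOUR = b"session-key=CONSTRUCTED-SECRET"


def build_request(claimed_len: int, payload: bytes) -> bytes:
    """type | payload_length | payload | padding, as in HeartbeatMessage."""
    return (bytes([HB_REQUEST]) + struct.pack(">H", claimed_len)
            + payload + bytes(PADDING))


def respond_unchecked(memory: bytes, rec_len: int):
    """Mirrors the slide: payload_length is trusted, rec_len is never consulted."""
    hbtype = memory[0]                                  # hbtype = *p++
    (payload,) = struct.unpack_from(">H", memory, 1)    # n2s(p, payload)
    if hbtype != HB_REQUEST:
        return None
    # memcpy(bp, pl, payload): copies `payload` bytes starting at the payload
    return (bytes([HB_RESPONSE]) + struct.pack(">H", payload)
            + memory[3:3 + payload])


def respond_checked(memory: bytes, rec_len: int):
    """Same handler with both length checks in front of every read."""
    if 1 + 2 + PADDING > rec_len:
        return None                                     # too short: discard
    hbtype = memory[0]
    (payload,) = struct.unpack_from(">H", memory, 1)
    if 1 + 2 + payload + PADDING > rec_len:
        return None                                     # length field lies: discard
    if hbtype != HB_REQUEST:
        return None
    return (bytes([HB_RESPONSE]) + struct.pack(">H", payload)
            + memory[3:3 + payload])


def demo() -> dict:
    results = {}
    requests = {"honest": build_request(2, b"hi"),      # length field matches
                "lying": build_request(40, b"hi")}      # claims 40, carries 2
    for name, record in requests.items():
        memory = record + NEIGHBOUR                     # record, then other data
        results[name] = (respond_unchecked(memory, len(record)),
                         respond_checked(memory, len(record)))
    return results


if __name__ == "__main__":
    for name, (unchecked, checked) in demo().items():
        print(name, "unchecked:", unchecked, "checked:", checked)
```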

SLIDE 19

The Fix

/* Read type and payload length first */ + if (1 + 2 + 16 > s->s3->rrec.length) + return 0; /* silently discard */ + hbtype = *p++; + n2s(p, payload); + if (1 + 2 + payload + 16 > s->s3->rrec.length) + return 0; /* silently discard per RFC 6520 sec. 4 */ + pl = p;
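Review bot: the literal 16 in both added checks (`1 + 2 + 16 > s->s3->rrec.length` and `1 + 2 + payload + 16 > s->s3->rrec.length`) is the padding length that the response code on the previous slide calls `padding`; use that name or a shared constant here so the bound and the `OPENSSL_malloc(1 + 2 + payload + padding)` size cannot drift apart. The first `return 0` also deserves the RFC 6520 reference that the second one carries, since both discard for the same reason.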

SLIDE 20

SSL Tradeoffs

  • Pros
    • Server authentication*
    • GUI clues for users
    • Built into every browser
    • Easy to configure on the server
    • Protocol has been analyzed like crazy
  • Cons
    • Users don’t check certificates
    • Too easy to obtain certificates
    • Too many roots in the browsers
    • Some settings are terrible

SLIDE 21

Dynamic Content: CGI

  • Common Gateway Interface (CGI)
    • Generic way to call external applications on the server
    • Passes URL to external program (e.g., form)
    • Result is captured and returned to requestor
  • Historically
    • “shell” scripts used to generate content

[Figure: Client, Web Server, Shell, Script (e.g., PHP, ASP, Perl, Python)]

SLIDE 22

DC: Embedded Scripting

  • Program placed directly in content, run on server upon request and output returned in content
    • MS active server pages (ASP)
    • PHP
    • mod_perl
    • server-side JavaScript
    • python, ....
  • Nice at generating output
    • Dangerous if tied to user input

SLIDE 23

Applications/Plugins

  • A plugin is simply a program used by a browser to process content
    • MIME type maps content to plugin
    • Like any old application (e.g., RealAudio)
    • Newer browsers have autoinstall features
  • A kind of plug-in …
    • (1997) David.exe
    • “Free pornography …”
  • Moral: beware of plugins

SLIDE 24

Drive by downloads

  • Traditional: Using a deceptive means to get someone to install something on their own (spyware/adware)
    • Once you have one, then it starts downloading lots of others, their friends, …
  • Modern: The download happens without user knowledge or consent, and does its damage from there...

SLIDE 25

Malicious content injection

  • Currently, two central infection vectors
    • 1. Website compromise (and insert IFRAMEs)
    • 2. Advertising: the abuse of Ad syndication (malverts)

SLIDE 26

Active X

  • ActiveX is a MS windows technology
    • Really, just a way to run arbitrary code
    • Called controls (.OCX), just programs
    • Conforms to MS APIs to interact with web
  • Extends user experience in lots of nice ways
    • Microsoft upgrade service
    • BIOS Upgrades
    • Lookup services
  • Massive security hole ….

SLIDE 27

Authenticode

  • Problem: I need to run an application code on my machine, but I worry about security
  • Solution: Make sure code only comes from people that you trust.
  • Authenticode
    • Sign download content
    • Check that signer is “trusted”
    • Used for all Win* content
  • Problem: Jan 2001
    • Verisign issued two bad MS

SLIDE 28

Web Systems Evolve ...

  • The web has evolved from document retrieval and rendering to a sophisticated distributed application platform providing:
    • dynamic content
    • user-driven content
    • interactive interfaces
    • multi-site content
    • ....
  • With new interfaces come new vulnerabilities ...

SLIDE 29

The new web-page

  • Rendered elements from many sources containing scripts, images, and stylized by cascading style sheets (CSS)
  • A browser may be compromised by any of these elements

[Figure: a CSS-stylized Webpage whose <body> pulls <Script> elements from http://a.com/, http://b.com/ and http://c.com/ and <IMG> elements from http://d.com/ and http://e.com/]

SLIDE 30

AJAX

  • AJAX: asynchronous JavaScript and XML
    • A collection of approaches to implementing web applications
    • Changes the click-render-click web interface to allow webpages to be interactive, change, etc.
    • Examples: Google Gmail/Calendar, Facebook, ...
  • Hidden requests that replace document elements (DOM)

[Figure: a Webpage containing a Banner Script, an Onclick Script and a Periodic Refresh Script; Web-server 1, Web-server 2, Web-server 3]

SLIDE 31

Malicious IFrame(s)

  • An IFRAME is an HTML tag that creates an embedded frame in the content of another page.
  • This is the attack vector du jour for adversaries attempting to deliver content that exploits browser vulnerabilities.
    • E.g., deliver crafted .jpg or malicious scripting
  • The attack occurs when the adversary breaks into a webserver and places an IFRAME in legitimate content
    • e.g., by sniffing passwords, recursively adding IFRAMEs

<iframe src=http://[REMOVED].info/counter style=display:none></iframe>
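
One way a site owner can check served pages for injected frames of the kind shown above: flag every IFRAME that is both hidden and loaded from a host outside the site (added example, not part of the original slides). The sample page, host names and the hidden-frame heuristics are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeAuditor(HTMLParser):
    """Collects (line, host) for hidden iframes that load from another site."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        # Normalise the style so "display: none" and "display:none" compare equal.
        style = "".join(a.get("style", "").split()).lower()
        hidden = ("display:none" in style or "visibility:hidden" in style
                  or a.get("width") in ("0", "1")
                  or a.get("height") in ("0", "1"))
        try:
            host = urlparse(a.get("src", "")).hostname or ""
        except ValueError:
            host = "<unparsable src>"       # treat as foreign, worth a look
        same_site = (host == "" or host == self.site_host
                     or host.endswith("." + self.site_host))
        if hidden and not same_site:
            self.findings.append((self.getpos()[0], host))


def audit(html_text: str, site_host: str) -> list:
    auditor = IframeAuditor(site_host)
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


# Constructed sample page for a site served from shop.example.
SAMPLE_PAGE = "\n".join([
    "<html><body>",
    "<p>Welcome</p>",
    '<iframe src="https://video.shop.example/player" width="640" height="360"></iframe>',
    "<iframe src=http://injected.example/counter style=display:none></iframe>",
    '<iframe src="/local/widget" style="display: none"></iframe>',
    '<iframe src="http://stats.example.net/c" width="0" height="0"></iframe>',
    "</body></html>",
])

if __name__ == "__main__":
    for line, host in audit(SAMPLE_PAGE, "shop.example"):
        print(f"line {line}: hidden iframe loading from {host}")
```

Running this over the files in the web root, or over pages fetched from the live site, and comparing against a known-good baseline catches frames added after a compromise.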

SLIDE 32

Web-server APIs

  • Web-servers often provide application extension APIs to which developers can build ...
    • ISAPI
    • Apache API
  • Act as kinds of “kernel modules” for web-server
    • Web-server processes received inputs (URL, fields, etc.)
    • Passes result to custom code (typically, C code)

[Figure: a Web Server hosting Domain App 1 through Domain App 8]

SLIDE 33

Application Frameworks

  • Application frameworks are software stacks that implement a web application
    • Programmer adds domain-specific programming
    • Handle request handling and rendering
    • Quickly implement web apps without dealing with the nasty details of HTTP/HTML
  • For example, the Zend framework implements a web application by processing incoming URLs
    • E.g., http://base/module/function
    • Zend accepts returned framework objects and renders them via internal API
    • Modify documents on the fly using AJAX scripts such as JavaScript

SLIDE 34

Attacks on web systems

  • Web systems have replaced custom organization, enterprise and customer applications ..
  • ... this move has led to many new attacks ...

SLIDE 35

Cross-Site Scripting

  • Note: Assume the following is posted to a message board on your favorite website:

    Hello message board. <SCRIPT>malicious code</SCRIPT> This is the end of my message.

  • Now a reasonable ASP (or some other dynamic content generator) uses the input to create a webpage (e.g., blogger nonsense).
  • A malicious script is now running
    • Applet, ActiveX control, JavaScript…

SLIDE 36

XSS Exercise

  • Head to the following website: http://www.steve.org.uk/Security/XSS/Tutorial/
  • Complete points 2 through 6 with a partner.

SLIDE 37

Follow Up

  • The author suggests using other techniques than “<script>” to avoid filtering. Are there other techniques?
    • <script>Hello</script> = &lt;script&gt;Hello&lt;/script&gt;
  • Why would you want to steal a cookie?
    • What else can you do?
  • How do you solve this class of attack in general?

SLIDE 38

Injection

  • Attacker that can inject arbitrary inputs into the system can control it in subtle ways
    • interpreter injection - if you can get PHP to “eval” your input, then you can run arbitrary code on the browser …
      • e.g., leak cookies to remote site (e.g., session hijacking)
    • filename injection - if you can control what a filename is in application, then you can manipulate the host
      • Poorly constructed applications build filename based on user input or input URLs, e.g., hidden POST fields
      • e.g., change temporary filename input to ~/.profile

    $INPUT = "Alice\;mail($to, $subject, $body);"

    <FORM METHOD=POST ACTION="../cgi-bin/mycgi.pl">
      <INPUT TYPE="hidden" VALUE="~/.profile" NAME="LOGFILE">
    </FORM>

SLIDE 39

SQL Injection

  • An injection that exploits the fact that many inputs to web applications are
    • under control of the user
    • used directly in SQL queries against back-end databases
  • Bad guy just inserts escaped code into the input ...
  • This vulnerability became one of the most widely exploited and costly in web history.
    • Industry reported as many as 16% of websites were vulnerable to SQL injection in 2007
    • This may be inflated, but clearly an ongoing problem.

    SELECT email, login, last_name FROM user_table WHERE email = 'x'; DROP TABLE members; --';

SLIDE 40

Bobby Tables

bobby-tables.com: prevent SQL injection in 13 web languages

SLIDE 41

Preventing SQL injection

  • Use the SQL/perl prevent libraries
    • Before

        $sql = "select * from some_table where some_col = $input";
        $sth = $dbh->prepare( $sql );
        $sth->execute;

    • After

        $sql = "select * from some_table where some_col = ?";
        $sth = $dbh->prepare( $sql );
        $sth->execute( $input );

  • Other approaches: have built (static analysis) tools for finding unsafe input code and (dynamic tools) to track the use of inputs within the web application lifetime.
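
The query from the SQL Injection slide and the before/after pair above, replayed against an in-memory SQLite database (added example, not part of the original slides). Assumptions: Python's sqlite3 stands in for Perl DBI, the table contents are constructed, and `executescript` models a driver that accepts several statements per call.

```python
import sqlite3

PAYLOAD = "x'; DROP TABLE members; --"   # the input used on the SQL Injection slide


def fresh_db() -> sqlite3.Connection:
    """Constructed schema matching the table names on the slide."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user_table (email TEXT, login TEXT, last_name TEXT);
        CREATE TABLE members (id INTEGER);
        INSERT INTO user_table VALUES ('alice@example.test', 'alice', 'Liddell');
    """)
    return db


def tables(db: sqlite3.Connection) -> set:
    rows = db.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return {row[0] for row in rows}


def lookup_concatenated(db: sqlite3.Connection, email: str) -> str:
    """'Before': the input becomes part of the SQL text itself."""
    sql = ("SELECT email, login, last_name FROM user_table "
           "WHERE email = '%s';" % email)
    db.executescript(sql)        # every statement found in the text is run
    return sql


def lookup_parameterized(db: sqlite3.Connection, email: str) -> list:
    """'After': the SQL text is fixed, the input is bound as a value."""
    sql = "SELECT email, login, last_name FROM user_table WHERE email = ?"
    return db.execute(sql, (email,)).fetchall()


if __name__ == "__main__":
    before = fresh_db()
    print("query sent:  ", lookup_concatenated(before, PAYLOAD))
    print("tables left: ", sorted(tables(before)))    # members is gone

    after = fresh_db()
    print("rows:        ", lookup_parameterized(after, PAYLOAD))
    print("tables left: ", sorted(tables(after)))     # members still there
```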

SLIDE 42

Taint Tracking

  • Taint Tracking is the most common program analysis technique used to detect and prevent injection attacks
    • Can be done statically or dynamically (e.g., Perl taint tracking)
  • Marks all input data as tainted (i.e., untrusted)
  • Track all derivative information, e.g., if “c” is tainted, then “a = b + c” causes “a” to be tainted
  • Removes the taint flag when data is sanitized
    • This can be hard to get right
  • At the sensitive operation (e.g., SQL query API), simply looks for tainted input
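
A minimal dynamic taint tracker following the four steps above: mark input, propagate through derived values, clear on sanitization, check at the SQL sink (added example, not part of the original slides and not how Perl's taint mode is implemented). The class and function names and the constructed table are assumptions.

```python
import sqlite3


class TaintError(Exception):
    """Raised when tainted data reaches a sensitive operation."""


class Tainted(str):
    """A string that came from outside the program and is not yet sanitized.

    Only + and % are instrumented here; a real tracker has to cover every
    string operation (join, format, slicing, ...) or the flag is silently lost.
    """

    def __add__(self, other):
        return Tainted(str(self) + other)          # a = c + b

    def __radd__(self, other):
        return Tainted(other + str(self))          # a = b + c

    def __mod__(self, args):
        return Tainted(str(self) % args)

    def __rmod__(self, template):
        return Tainted(template % str(self))       # "... %s" % c


def sanitize_digits(value: str) -> str:
    """Sanitizer: accept ASCII decimal digits only, return an untainted str."""
    if not (value.isascii() and value.isdigit()):
        raise ValueError("not a decimal number")
    return str(value)                              # plain str, taint flag removed


def run_query(db, sql, params=()):
    """Sink: refuse SQL text that carries taint; bound parameters are fine."""
    if isinstance(sql, Tainted):
        raise TaintError("tainted data in SQL text")
    return db.execute(sql, params).fetchall()


def demo() -> dict:
    db = sqlite3.connect(":memory:")               # constructed table
    db.execute("CREATE TABLE some_table (some_col INTEGER)")
    db.execute("INSERT INTO some_table VALUES (42)")

    user_input = Tainted("x'; DROP TABLE members; --")   # input from the slides
    derived = "select * from some_table where some_col = '" + user_input + "'"
    try:
        run_query(db, derived)
        blocked = False
    except TaintError:
        blocked = True

    clean = sanitize_digits(Tainted("42"))
    return {
        "derived_is_tainted": isinstance(derived, Tainted),
        "blocked": blocked,
        "sanitized_rows": run_query(
            db, "select * from some_table where some_col = " + clean),
        "bound_rows": run_query(
            db, "select * from some_table where some_col = ?", (user_input,)),
    }


if __name__ == "__main__":
    print(demo())
```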

SLIDE 43

Session Hijacking

  • Virtual sessions are implemented in many ways
    • session ID in cookies, URLs
  • If I can guess, infer, or steal the session ID, game over
  • Example, if your bank encodes the session ID in the URL, then a malicious attacker can simply keep trying session IDs until they get a good one.
    • ... note that if the user was logged in, then the attacker has full control over that account.
  • Countermeasure: randomized, confidential session IDs that are tied to individual host address (see cookies)

    http://www.mybank.com/loggedin?sessionid=11

SLIDE 44

Browsers

  • Browsers are the new operating systems
  • Huge, complex systems that support
    • Many document types, structures, e.g., HTML, XML, ...
    • Complex rendering, e.g., CSS, CSS 2.0
    • Many “program/scripting” languages, e.g., JavaScript
    • Dynamic content, e.g., AJAX
    • Native code execution, e.g., ActiveX
  • Virtualized computers in a single program ...

SLIDE 45

Browser Security

  • We don’t have the ability to control this much complexity, so we have to try other things ...
    • Restricting functionality, e.g., NoScript
    • Process Isolation, e.g., OP, Chrome
    • Read: http://www.google.com/googlebooks/chrome/

[Figure: a Main Browser Process with Process 1, Process 2 and Process 3, one per tab (TAB 1, TAB 2, TAB 3), each rendering its own Webpage]

SLIDE 46

OP Principles

  • Simple and explicit communication between components
  • Explicit interfaces reduce number of control flow paths
  • Strong isolation between browser components
  • Prevents unanticipated and unaudited interactions
  • Monitor components to ensure faithful execution
  • Delegate some security logic
  • Compatible with existing technologies
  • Goal is to secure web browsing
  • Result: Reference Monitoring for a Browser

SLIDE 47

OP Architecture

SLIDE 48

Browser Kernel

  • Manage subsystems
    • Creates and deletes all processes and subsystems
    • Creates web-page instances on demand
  • Manages communication between subsystems
    • interposes on all message communication (via pipes)
  • Manages access control
    • Browser processes tagged with a security context
    • Tag depends on initial messages intercepted
  • Maintains detailed security audit log

SLIDE 49

Web Page Subsystem

SLIDE 50

Web Page Subsystem

  • HTML parsing and rendering Engine
    • KHTML
  • JavaScript Interpreter
    • Rhino (Java based)
    • provides strong isolation
  • Plugins are separate OS level processes
    • provide better isolation
  • Xvnc server renders visual content

SLIDE 51

Subsystem Privileges

SLIDE 52

OP and Plugin Security

  • Plugin Security Policies
    • Provider domain policy
      • allows a plugin in a page to use the permissions of the plugin content source
    • Plugin freedom policy
      • allows additional outgoing network accesses for plugins to support peer-to-peer applications
      • can only talk to network and storage subsystems

SLIDE 53

Formal Verification

  • OP browser modeled using Maude (reasoning engine)
    • Both interpreter and language
  • Formally specify browser components in terms of invariants over finite space
    • Program invariants include access control policies
    • Visual invariants include UI tampering
      • Address bar spoofing
  • Maude checks for states that violate invariants

SLIDE 54

Browser as OS

  • Apply OS principles for security
    • Process abstraction to provide protection and isolation
    • Process management
      • How long to cache the web page instance?
  • Messages to subsystems analogous to syscalls
    • Access to protected resources via the kernel
    • Browser kernel intercepts all messages
  • Plugins are like device drivers
    • Hard to secure
    • OP provides protection against buggy plugins
    • Not against malicious ones

SLIDE 55

Chrome Browser

SLIDE 56

Chrome Design

  • Different processes for different tabs
    • separate address space
    • No fragmentation of memory unlike legacy browsers
    • isolation offers protection
  • Separate thread for JavaScript

SLIDE 57

Chrome vs OP

  • Similarities with OP
    • Browser split into components
      • Each within its own protection domain
    • Both have a main process
      • Browser Kernel, Chrome Process
    • Plugins are executed as separate processes
      • No details about extension handling
  • Differences with OP
    • Separate thread for JavaScript VM
    • Separation of browser and tabs

SLIDE 58

Preventing Web System Attacks

  • Largely just applications
    • Inasmuch as applications are secure
    • Command shells, interpreters, are dangerous
  • Broad Approaches
    • Validate input (also called input sanitization)
    • Limit program functionality
      • Don’t leave open-ended functionality
    • Execute with limited privileges
    • Input tracking, e.g., taint tracking
    • Source code analysis, e.g., c-cured