co co 447 lec ec 4
play

CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND - PowerPoint PPT Presentation

Mar 06, 2023 •289 likes •920 views

CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr. Benjamin Livshits Drive-by malware 3 4 Go Google le patch ches Chrome zero-da day under under active e at attacks 6 Con

  1. CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr. Benjamin Livshits

  2. Drive-by malware

  3. 3

  4. 4

  6. Go Google le patch ches Chrome zero-da day under under active e at attacks 6

  7. Con Continued 7

  8. Th Third 0-da day in n the he pa past yea ear 8

  9. Web Security Web Attacker Sets up malicious site visited by victim; no control of network Alice

  10. Network Security Network Attacker Intercepts and controls network communication Alice

  11. Web Malware Attacker Malware Attacker Escapes the browser to wreak havoc on Alice’s machine Alice

  12. Web Th Threat Models ¨ Web attacker ¤ Control https://attacker.com ¤ Can obtain SSL/TLS certificate for https://attacker.com ¤ User visits attacker.com n Or: runs attacker’s Facebook app, etc. This is what connects the world of web attacks to low-level ¨ Network attacker memory-based exploitation ¤ Passive: Wireless eavesdropper we’ve seen so far ¤ Active: Evil router, DNS poisoning ¨ Malware attacker ¤ Attacker escapes browser isolation mech chanisms and run separately under control of OS

  13. Cookies: Client State 13

  14. Cookies: Browser State POST … Browser Server HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; If expires=NULL: expires = (when expires) ; this session only secure = (only over SSL) Browser POST … Server Cookie: NAME = VALUE HTTP is stateless protocol; cookies add state

  15. Cookie-Based Authentication Browser Web Server Auth server POST login.cgi Username & pwd Validate user auth=val Set-cookie: auth=val Store val GET restricted.html restricted.html Cookie: auth=val auth=val Check val If YES, YES/NO restricted.html

  16. Cookie Security Policy ¨ Uses: ¤ User authentication ¤ Personalization ¤ User tracking: e.g. Doubleclick (3 rd party cookies) ¨ Browser will store: ¤ At most 20 cookies/site, 3 KB / cookie ¨ Origin is the tuple <do <doma main, n, pa path> h> ¤ Can set cookies valid across a domain suffix

  17. Cookies From www.marketplace.org 17 17

  18. Secure Cookies GET … Browser Server HTTP Header: Set-cookie: NAME=VALUE ; Secure=true ¨ Provides confidentiality against network attacker ¨ Browser will only send cookie back over HTTPS ¨ No integrity ¤ Can rewrite secure cookies over HTTP ¤ Network attacker can rewrite secure cookie ¤ Can log user into attacker’s account

  19. A Real Secure Set-Cookie Request 19 19

  20. httpOnly Cookies GET … Browser Server HTTP Header: Set-cookie: NAME=VALUE ; httpOnly ¨ Cookie sent over HTTP(s), but no not acces essibl ble e to scripts ¤ cannot be read via document.cookie ¤ Helps prevent cookie theft via XSS ¨ … but does not stop most other risks of XSS bugs

  21. Fr Fram ame e and and Conten ent t Is Isola latio tion

  22. Frame and IFRAME ¨ Window may contain frames from different sources ¤ Frame: rigid division as part of frameset ¤ iFrame: fl floating inline frame ¨ iFrame example < iframe src="hello.html" width=450 height=100> If you can see this, your browser doesn't understand IFRAME. </ iframe > ¨ Why use frames? ¤ Delegate screen area to content from another source ¤ Browser provides isolation based on frames ¤ Parent may work even if frame is broken

  23. Floating IFRAME s 23 23

  24. Wi Windo ndows s Interact. . Wha What? 24

  25. Web vs. OS: An Analogy Op Oper erating system em We Web browser Primitives Primitives ¨ ¨ Document object model (DOM) ¤ System calls ¤ Frames ¤ Processes ¤ Cookies / localStorage ¤ Disk ¤ Principals: “Origins” ¨ Principals: Users Mandatory access control ¤ ¨ Discretionary access control ¤ Application-level vulnerabilities ¨ Cross-site scripting ¤ Low-level vulnerabilities ¨ Cross-site request forgery ¤ Buffer overflow SQL injection ¤ ¤ Other memory issues etc. ¤ ¤

  26. Policy Goals ¨ Safe to visit a potentially evil web site ¨ Safe to visit two pages at the same time ¤ Address bar distinguishes them ¨ Allow safe delegation

  27. Br Browser r Se Securi rity Me Mechanism A B A A B ¨ Each frame of a page has an origin ¤ Origin = < pr protocol :// ho host:po :port > ¨ Frame can access its own origin ¤ Network access, Read/write DOM, Storage (cookies) ¨ Frame cannot access data associated with a different origin

  28. Or Origin Determination: http://www.example.com 28 28

  29. Components of Browser Security y Policy ¨ Frame-Frame relationships ¤ canScript(A,B) n Can Frame A execute a script that manipulates arbitrary/nontrivial DOM elements of Frame B? ¤ canNavigate(A,B) n Can Frame A change the origin of content for Frame B? ¨ Frame-principal relationships ¤ readCookie(A,S), writeCookie(A,S) n Can Frame A read/write cookies from site S? See https://code.google.com/p/browsersec/wiki/Part1 https://code.google.com/p/browsersec/wiki/Part2

  30. Li Library I Imp mport ort E Excl cluded F From SO om SOP <script src=https://seal.verisign.com/getseal?host_name=a.com></script> VeriSign Script has privileges of im imported page, NOT source server. • Can script other pages in this origin, load more scripts • Other forms of importing •

  31. Do Domain ain R Rela laxatio ion www.facebook.com chat.facebook.com www.facebook.com facebook.com facebook.com chat.facebook.com www.facebook.com ¨ Origin: scheme, host, (port), hasSetDomain ¨ Try document.domain = document.domain

  32. Additional Mec Ad echanisms Server : CORS (Cross-origin network requests) Access-Control-Allow- Site B Site A Origin: <list of domains> Access-Control-Allow- Origin: * Client : Cross-origin client side communication Client-side messaging via navigation (old browsers) Site A context Site B context postMessage (modern browsers)

  33. if ifram ames es ¨ Embed HTML documents in other documents <iframe name=“myframe” src=“http://www.google.com/”> This text is ignored by most browsers. </iframe>

  34. Fr Fram ame e Bus usting ting ¨ Goal: prevent web page from loading in a frame ¤ example: opening login page in a frame will display correct passmark image ¨ Frame busting: if (top != self) top.location.href = location.href

  35. Be Better r Frame me Bu Busting ¨ Problem: Ja Javascr cript OnU OnUnl nload ev event <body onUnload="javascript: cause_an_abort;)"> ¨ Try this instead: if (top != self) top.location.href = location.href else { … code of page here …}

  36. Fr Fram ame e Bus usting ting via via Header Headers 36 36 Set X-Frame-Options to DENY or SAMEORIGIN dfd ¨ $ npm install busted var busted = require('busted'); var URL = 'http://www.bbc.co.uk'; busted.headersTest(URL, function(url, passed) { console.log(url + (passed ? ' passed ' : ' failed ') + 'the headers test.'); });

  37. CSP CSP an CORS

  38. CSP: Content Security Policy 38 38 ¨ Ex Exampl ple 1: ¤ A server wants all content to come from its own domain: X-Content-Security-Policy: default-src 'self‘ ¨ Ex Exampl ple 2: ¤ An auction site wants to allow images from an anywhere , plugin content from a list of tr trus usted media providers including a content distribution network, and sc scripts only from a server under its control hosting sanitized JavaScript: X-Content-Security-Policy: default-src 'self'; img-src *; object-src media1.example.com media2.example.com *.cdn.example.com; script-src trustedscripts.example.com

  39. CSP: Content Security Policy 39 39 Ex Exampl ple 3: ¨ ¤ A site op operation ons grou oup wants to globally deny all third-party scripts in the site, and a particular project team wants to also disallow third-party media in their section of the site. ¤ Site operations sends the first header while the pr project team am sends the second header, and the user-agent takes the in intersectio ion of the two headers to form the complete interpreted policy: X-Content-Security-Policy: default-src *; script-src 'self' X-Content-Security-Policy: default-src *; script-src 'self'; media-src 'self‘ Ex Exampl ple 4: ¨ ¤ Online banking site wants to ensure that all of the content in its pages is loaded over TLS to prevent attackers from eavesdropping on insecure content requests: X-Content-Security-Policy: default-src https://*:443

  40. XH XHR R and CSP CSP 40 40 var xhr = new XMLHttpRequest(); xhr.open("GET", "http://api.example.com/data.json", true); xhr.onreadystatechange = function() { if (xhr.readyState == 4) { // JSON.parse does not evaluate the attacker's scripts. var resp = JSON.parse(xhr.responseText); } } xhr.send();

  41. CO CORS 41 41 ¨ CORS can be used for a range of resources ¤ Invocations of the XMLHttpRequest or Fetch APIs in a cross-site manner, as discussed above. ¤ Web Fonts (for cross-domain font usage in @font-face within CSS), so that servers can deploy TrueType fonts that can only be cross-site loaded and used by web sites that are permitted to do so. ¤ WebGL textures. ¤ Images/video frames drawn to a canvas using drawImage. ¤ Stylesheets (for CSSOM access).

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Web Security Abram Hindle abram.hindle@ualberta.ca Department of Computing Science University

Web Security Abram Hindle abram.hindle@ualberta.ca Department of Computing Science University

Web Security Abram Hindle abram.hindle@ualberta.ca Department of Computing Science University of Alberta http://softwareprocess.es/ CC-BY-SA 4.0 Security On the Web Multiple facets Client Side Server Side High value targets

500 views • 34 slides
TDT4205 Lecture 16 2 On our way toward the bottom We have a gap to bridge: Words Grammar

TDT4205 Lecture 16 2 On our way toward the bottom We have a gap to bridge: Words Grammar

1 Three-address code (TAC) TDT4205 Lecture 16 2 On our way toward the bottom We have a gap to bridge: Words Grammar Source program Semantics Program should do the same thing on all of these, but theyre all different... 3

800 views • 30 slides
Machine Programming II: C to assembly Move instructions, registers, and operands Complete

Machine Programming II: C to assembly Move instructions, registers, and operands Complete

University of Washington Machine Programming II: C to assembly Move instructions, registers, and operands Complete addressing mode, address computation ( leal) Arithmetic operations (including some x86 64 instructions) Condition

614 views • 46 slides
Bitwise Operations, Loops and using the terminal Eric McCreath Integer Operations rPeANUt has a

Bitwise Operations, Loops and using the terminal Eric McCreath Integer Operations rPeANUt has a

Bitwise Operations, Loops and using the terminal Eric McCreath Integer Operations rPeANUt has a standard set of integer operations that work on 2s complement 32 signed integers. These are: addition add &lt;RS1&gt; &lt;RS2&gt;

267 views • 8 slides
Theory of Computer Science D4. Halting Problem Variants &amp; Rices Theorem Gabriele R oger

Theory of Computer Science D4. Halting Problem Variants &amp; Rices Theorem Gabriele R oger

Theory of Computer Science D4. Halting Problem Variants &amp; Rices Theorem Gabriele R oger University of Basel April 29, 2020 Other Halting Problem Variants Rices Theorem Summary Other Halting Problem Variants Other Halting

675 views • 45 slides
The Turing Machine Motivating idea Unsolvable Problems Build a theoretical a human

The Turing Machine Motivating idea Unsolvable Problems Build a theoretical a human

The Turing Machine Motivating idea Unsolvable Problems Build a theoretical a human computer Likened to a human with a paper and pencil that can solve problems in an algorithmic way The theoretical machine provides a means

482 views • 8 slides
Undecidability of Higher-Order Unification Formalised in Coq Simon Spies, Yannick Forster 20

Undecidability of Higher-Order Unification Formalised in Coq Simon Spies, Yannick Forster 20

Undecidability of Higher-Order Unification Formalised in Coq Simon Spies, Yannick Forster 20 January 2020 CPP20 saarland university computer science Definition Undecidability Fragments Discussion Extending the Coq Library of

985 views • 54 slides
Undecidability of propositional separation logic and its neighbours James Brotherston 1 and Max

Undecidability of propositional separation logic and its neighbours James Brotherston 1 and Max

Undecidability of propositional separation logic and its neighbours James Brotherston 1 and Max Kanovich 2 1 Imperial College London 2 Queen Mary University of London LICS-25, University of Edinburgh, 12 July 2010 Separation logic (Reynolds,

1.11k views • 31 slides
Solvability of Matrix-Exponential Equations Jol Ouaknine, Amaury Pouly, Joo Sousa-Pinto,

Solvability of Matrix-Exponential Equations Jol Ouaknine, Amaury Pouly, Joo Sousa-Pinto,

Solvability of Matrix-Exponential Equations Jol Ouaknine, Amaury Pouly, Joo Sousa-Pinto, James Worrell University of Oxford July 8, 2016 Related work in the discrete case Input: A , C Q d d matrices Output: n N such that A n

681 views • 32 slides
Distributed Synthesis for Well Connected Architectures Paul Gastin, Nathalie Sznajder and Marc

Distributed Synthesis for Well Connected Architectures Paul Gastin, Nathalie Sznajder and Marc

Distributed Synthesis for Well Connected Architectures Paul Gastin, Nathalie Sznajder and Marc Zeitoun March 13th 2006 ACI Cortos Persee Versydis Synthesis of a reactive system inputs from E outputs to E Specification Open system S

1.07k views • 87 slides
Design and Analysis of Algorithms

Design and Analysis of Algorithms

Design and Analysis of Algorithms

689 views • 7 slides
Review of 136, Preview of 186 Peter Cappello Department of Computer Science University of

Review of 136, Preview of 186 Peter Cappello Department of Computer Science University of

Review of 136, Preview of 186 Peter Cappello Department of Computer Science University of California, Santa Barbara Santa Barbara, CA 93106 cappello@cs.ucsb.edu 1 Review of 136 The course develops: a precise description proven

269 views • 11 slides
Distributed Synthesis for LTL Fragments Krishnendu Chatterjee, Thomas A. Henzinger, Jan Otop ,

Distributed Synthesis for LTL Fragments Krishnendu Chatterjee, Thomas A. Henzinger, Jan Otop ,

Distributed Synthesis for LTL Fragments Krishnendu Chatterjee, Thomas A. Henzinger, Jan Otop , Andreas Pavlogiannis 21 October 2013 1 / 26 Reactive Distributed Systems An architecture is a directed graph describing topology of the system. p e

521 views • 26 slides
Verification and Qualitative analysis of hybrid systems: dimension 2 Joint work with Gerardo

Verification and Qualitative analysis of hybrid systems: dimension 2 Joint work with Gerardo

Verification and Qualitative analysis of hybrid systems: dimension 2 Joint work with Gerardo Schneider, Sergio Yovine and Gordon Pace Eugene Asarin VERIMAG AS - Paris - 27/06/02 p.1/38 Outline Motivation and Context SPDI -

626 views • 59 slides
Modeling and Analysis of Data Flow Graphs using the Digraph Real-Time Task Model Morteza

Modeling and Analysis of Data Flow Graphs using the Digraph Real-Time Task Model Morteza

Modeling and Analysis of Data Flow Graphs using the Digraph Real-Time Task Model Morteza Mohaqeqi, Jakaria Abdullah, and Wang Yi Uppsala University Ada-Europe 2016 Overview Introduction Data Flow Graphs: [ 1 , 3 ] [ 2 ] Signal processing a

508 views • 46 slides
Composition study of ultra-high-energy cosmic rays based on the Telescope Array surface detector

Composition study of ultra-high-energy cosmic rays based on the Telescope Array surface detector

Composition study of ultra-high-energy cosmic rays based on the Telescope Array surface detector data Yana Zhezher for the Telescope Array collaboration Institute for Nuclear Research of the Russian Academy of Sciences, Moscow, Russia July 17,

674 views • 25 slides
Vertex reconstruction Vertex reconstruction in large liquid scintillator detectors in large

Vertex reconstruction Vertex reconstruction in large liquid scintillator detectors in large

Vertex reconstruction Vertex reconstruction in large liquid scintillator detectors in large liquid scintillator detectors David Meyhfer March 20, 2017 Universitt Hamburg 1 / 17 Vertex reconstruction Why a vertex reconstruction? Novel

555 views • 34 slides
FPChecker Detecting Floating-Point Exceptions in GPUs Ignacio Laguna, Harshitha Menon, Tristan

FPChecker Detecting Floating-Point Exceptions in GPUs Ignacio Laguna, Harshitha Menon, Tristan

FPChecker Detecting Floating-Point Exceptions in GPUs Ignacio Laguna, Harshitha Menon, Tristan Vanderbruggen Lawrence Livermore National Laboratory Michael Bentley, Ian Briggs, Ganesh Gopalakrishnan University of Utah Cindy Rubio Gonzlez

607 views • 31 slides
Measurements of ASIC V2. M.Borri STFC Measurements in h-mode. Overview. Test01 GOAL:

Measurements of ASIC V2. M.Borri STFC Measurements in h-mode. Overview. Test01 GOAL:

Measurements of ASIC V2. M.Borri STFC Measurements in h-mode. Overview. Test01 GOAL: Test uniformity of channel response when pulses are injected. MEASUREMENT: Loops over all the channels. Only one channel is powered up at each

455 views • 20 slides
. 1 b i b i 1 b 2 b 1 b 0 b 1 b 2 b 3 b j 1/2 1/4

. 1 b i b i 1 b 2 b 1 b 0 b 1 b 2 b 3 b j 1/2 1/4

12/9/15 Fractional Binary Numbers 2 i 2 i 1 Floating-point numbers 4 2 . 1 b i b i 1 b 2 b 1 b 0 b 1 b 2 b 3 b j 1/2 1/4 Fractional binary numbers 1/8 IEEE

602 views • 3 slides
L1B Quality Assessment Discussion T. Pagano Tuesday, February 12, 2002 1 6/24/03 AIRS L1B QA

L1B Quality Assessment Discussion T. Pagano Tuesday, February 12, 2002 1 6/24/03 AIRS L1B QA

L1B Quality Assessment Discussion T. Pagano Tuesday, February 12, 2002 1 6/24/03 AIRS L1B QA OVERVIEW Types of data in L1B QA Files Data passed from L1A intended for L2 use (e.g. geolocation) Validated using earth scene

266 views • 9 slides
First Results from the CMD-3 Detector Simon Eidelman Budker Institute of Nuclear Physics SB RAS

First Results from the CMD-3 Detector Simon Eidelman Budker Institute of Nuclear Physics SB RAS

EPS11, Grenoble July 21-27, 2011 First Results from the CMD-3 Detector Simon Eidelman Budker Institute of Nuclear Physics SB RAS and Novosibirsk State University, Novosibirsk, Russia Outline 1. Motivation 2. Experiment 3. First results 4.

489 views • 21 slides
SE SECTIO CTION N 3 GR GRAPHS &amp; TES APHS &amp; TESTIN TING Slides by Andrew and Anny

SE SECTIO CTION N 3 GR GRAPHS &amp; TES APHS &amp; TESTIN TING Slides by Andrew and Anny

SE SECTIO CTION N 3 GR GRAPHS &amp; TES APHS &amp; TESTIN TING Slides by Andrew and Anny with material from Vinod Rathnam, Alex Mariakakis, Krysta Yousoufian, Mike Ernst, Kellen Donohue Agenda Graphs Testing Graph = collection of

388 views • 23 slides
CS3000: Algorithms &amp; Data Jonathan Ullman Lecture 10: Graphs Graph Traversals: DFS

CS3000: Algorithms &amp; Data Jonathan Ullman Lecture 10: Graphs Graph Traversals: DFS

CS3000: Algorithms &amp; Data Jonathan Ullman Lecture 10: Graphs Graph Traversals: DFS Topological Sort Feb 19, 2020 Whats Next Whats Next Graph Algorithms: Graphs: Key Definitions, Properties, Representations

934 views • 58 slides

More recommend