dawn song
play

Dawn Song dawnsong@cs.berkeley.edu 1 Administrative Stuff - PDF document

Feb 26, 2024 •221 likes •272 views

Web Security (II) Dawn Song dawnsong@cs.berkeley.edu 1 Administrative Stuff Proposal feedback Revised proposal due Oct 22 Timeline More clear description of problem & approach Feedback on Oct 23 3:30-5:30pm Each group

  1. Web Security (II) Dawn Song dawnsong@cs.berkeley.edu 1 Administrative Stuff • Proposal feedback – Revised proposal due Oct 22 » Timeline » More clear description of problem & approach – Feedback on Oct 23 » 3:30-5:30pm » Each group 10mins » Sign-up sheet • BitBlaze info session – 5pm, Soda 405 2 Access Control in OS & Browser • Access control in OS – Principals – Resources – Policies? • Access control in Browser – Principals » Owner of web content – Resources » Memory: heap of script objects » Persistent state: cookies » Display: HTML DOM » Network communication – Policies? 3

  2. Same-Origin Principle (SOP) • Documents or scripts loaded from one origin cannot get or set properties of documents from a different origin • Origin – Two pages have the same origin if the protocol, port, host are the same for both pages • The origin of a script – The origin that a script is loaded is the origin of the document that contains the script rather than the origin that hosts the script – E.g., a.com/service.html contain <script src=http://b.com/lib.js>, can lib.js access a.com’s or b.com’s HTML DOM objects? 4 Problems with SOP • Rigid: all-or-nothing – Insufficient for Mashup • Too coarse-grained if site hosts unrelated pages – Example: Web server often hosts sites for unrelated parties » http://www.example.com/account/ » http://www.example.com/otheraccount/ – Same-origin policy, allows script on one page to access properties of document from another 5 Trust Models in Mashup • Content provider P, content integrator T 6

  3. Policy Enforcement • What are the OS analogous counterpart? 7 What Other Methods Can We Design to Address These Problems? • Capabilities – How capabilities may be used here? – Advantages? – Disadvantages? • Crypto – How crypto may be used here? – Advantages? – Disadvantages? • What other methods? 8 Discussion • How to compare with Tahoma? • Open Mic – Questions, comments? 9

  4. Input Validation in Web Security • System takes input strings • Incorporates input into output • Output is interpreted • Unexpected input may cause problems • Examples – SQL Command Injection Attack » 60% web applications vulnerable » 100ks of private records exposed in 1 attack – Cross-site scripting (XSS) attack » More than 21% vulnerabilities reported to CVE » #1 reported vulnerability, surpassing buffer overflows 10 Pointer by Ari 11 Defenses • Input filtering – Issues? • MashupOS’ defense against XSS? • Other methods? 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Software Security (II): Other types of software vulnerabilities Dawn Song 1 Dawn Song 3 #293

Software Security (II): Other types of software vulnerabilities Dawn Song 1 Dawn Song 3 #293

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Software Security (II): Other types of software vulnerabilities Dawn Song 1 Dawn Song 3 #293 HRE-THR 850 1930 ALICE SMITH COACH SPECIAL INSTRUX: NONE Dawn Song

804 views • 61 slides
Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song

Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song

Computer Security Course. Dawn Song Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song Example Application Consider a social networking site, GraceBook, that allows users to share happenings from

696 views • 54 slides
Software Security (I): Bufger-overfmow Attacks Dawn Song 1 Logistics New offjce hour

Software Security (I): Bufger-overfmow Attacks Dawn Song 1 Logistics New offjce hour

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Software Security (I): Bufger-overfmow Attacks Dawn Song 1 Logistics New offjce hour Webcast Calcentral: select cs161 Dawn Song 2 Intro HTTP REQUEST

1.74k views • 41 slides
Security Analysis &amp; Threat Models Dawn Song Logistics Sessions You can go to any

Security Analysis &amp; Threat Models Dawn Song Logistics Sessions You can go to any

Introduction Security Analysis &amp; Threat Models Dawn Song Logistics Sessions You can go to any sessions Project groups You can switch groups for difgerent projects Wait List Dawn Song Evolving Threats Dawn Song

957 views • 49 slides
Overview Dawn Song Teaching Team Dawn Song What is

Overview Dawn Song Teaching Team Dawn Song What is

CCS161 Computer Security Overview Dawn Song Teaching Team Dawn Song What is Computer Security About? General goals: Allow intended use of

407 views • 28 slides
Web Security: Vulnerabilities &amp; Attacks Slide credit: John Mitchell Dawn Song Security User

Web Security: Vulnerabilities &amp; Attacks Slide credit: John Mitchell Dawn Song Security User

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Web Security: Vulnerabilities &amp; Attacks Slide credit: John Mitchell Dawn Song Security User Interface Dawn Song Safe to type your password?

652 views • 47 slides
Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is

Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is Cross-site Scripting (XSS)? Vulnerability in web application that

760 views • 53 slides
Vulnerability Analysis (IV): Program Verifjcation Slide credit: Vijay Dawn Song DSilva

Vulnerability Analysis (IV): Program Verifjcation Slide credit: Vijay Dawn Song DSilva

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Vulnerability Analysis (IV): Program Verifjcation Slide credit: Vijay Dawn Song DSilva Program Verifjcation Dawn Song Program Verifjcation How to prove a

768 views • 60 slides
Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to

Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to access or modify a resource Principle of least privilege A

429 views • 39 slides
A First Step towards the Automatic Generation of Security Protocols Adrian Perrig and Dawn Song

A First Step towards the Automatic Generation of Security Protocols Adrian Perrig and Dawn Song

A First Step towards the Automatic Generation of Security Protocols Adrian Perrig and Dawn Song CMU, UCB Adrian Perrig and Dawn Song NDSS - APG 1 Difficulties in the Design of Security Protocols Usually ad-hoc, lacking formalism. Hidden

324 views • 19 slides
Dawn Song dawnsong@cs.berkeley.edu 1 The Problem How to ensure the execution of a given

Dawn Song dawnsong@cs.berkeley.edu 1 The Problem How to ensure the execution of a given

Analysis and Defense against Privacy- Breaching Code Dawn Song dawnsong@cs.berkeley.edu 1 The Problem How to ensure the execution of a given program will not leak private information? Why should we care? Users download/execute

300 views • 8 slides
Dawn Song dawnsong@cs.berkeley.edu 1 Part II OS &amp; Web Security OS Security Web

Dawn Song dawnsong@cs.berkeley.edu 1 Part II OS &amp; Web Security OS Security Web

Safe Extension Dawn Song dawnsong@cs.berkeley.edu 1 Part II OS &amp; Web Security OS Security Web Security More esoteric topics Click fraud, etc. Reputation systems &amp; trust metrics Few papers, but local experts

420 views • 5 slides
Dawn Song dawnsong@cs.berkeley.edu Thanks for Benny Pinkas for some of the slides 1 Project

Dawn Song dawnsong@cs.berkeley.edu Thanks for Benny Pinkas for some of the slides 1 Project

Privacy-preserving Distributed Information Sharing and Secure Function Evaluation Dawn Song dawnsong@cs.berkeley.edu Thanks for Benny Pinkas for some of the slides 1 Project Milestone report Do not affect grade Just for status

153 views • 13 slides
So)ware Security: Vulnerability Analysis Dawn Song Finding

So)ware Security: Vulnerability Analysis Dawn Song Finding

Computer Security Course. Dawn

539 views • 32 slides
Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Botnet Analysis &amp; Defense Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts (bots) coordinated via a command and control center (C&amp;C). The perpetrator is usually called a botmaster.

409 views • 11 slides
Here are the songs we sang this Sunday. This shows the song name, the artist who performed the

Here are the songs we sang this Sunday. This shows the song name, the artist who performed the

Here are the songs we sang this Sunday. This shows the song name, the artist who performed the song, and the cd that contains the song. We Will Hold On Paul Baloche Glorious By Faith Keith &amp; Kristyn Getty Awaken the Dawn

526 views • 31 slides
Effizienz-Optimierung daten-intensiver Data Mashups am Beispiel von Map-Reduce Pascal Hirmer

Effizienz-Optimierung daten-intensiver Data Mashups am Beispiel von Map-Reduce Pascal Hirmer

Effizienz-Optimierung daten-intensiver Data Mashups am Beispiel von Map-Reduce Pascal Hirmer BTW 2017 BigDS Workshop Towards optimizing the efficiency of data- intensive data mashups based on the example of Map-Reduce Pascal Hirmer BTW

313 views • 13 slides
An End User Perspective on Mashup Makers Lars Grammel The CHISEL Group University of Victoria

An End User Perspective on Mashup Makers Lars Grammel The CHISEL Group University of Victoria

An End User Perspective on Mashup Makers Lars Grammel The CHISEL Group University of Victoria 1 Lars Grammel, The CHISEL Group, University of Victoria Why should end users create software? e.g. trip planning, search for accommodations ,

310 views • 18 slides
Case Study: Wind Sports Mashup on Google App Engine JAOO rhus 2009 | Jakob A. Dam |

Case Study: Wind Sports Mashup on Google App Engine JAOO rhus 2009 | Jakob A. Dam |

Case Study: Wind Sports Mashup on Google App Engine JAOO rhus 2009 | Jakob A. Dam | dam@cs.au.dk Explaining the title Case Study: Wind Sports Mashup on Google App Engine Explaining the title Case Study: Wind Sports Mashup on Google App

721 views • 60 slides
Mashup Generator for XBaya Denis Weerasiri University of Moratuwa 1 Outline The Story

Mashup Generator for XBaya Denis Weerasiri University of Moratuwa 1 Outline The Story

Mashup Generator for XBaya Denis Weerasiri University of Moratuwa 1 Outline The Story Mashups to the rescue Mooshabaya Back to the story Implementation Mooshabaya in.. Mooshabaya Further.. 2 Motivation From

777 views • 25 slides
Web Map Mashups: Cartography of Insurgence? Alan McConchie Dr. Brian Klinkenberg University of

Web Map Mashups: Cartography of Insurgence? Alan McConchie Dr. Brian Klinkenberg University of

Web Map Mashups: Cartography of Insurgence? Alan McConchie Dr. Brian Klinkenberg University of British Columbia Spatial Knowledge and Information - Canada Saturday February 16 2008 Few Questions What are mashups? ow have they evolved? Who

605 views • 21 slides
Context, Quality and Relevance: Dependencies and Impacts on RESTful Web Services Design Hong-Linh

Context, Quality and Relevance: Dependencies and Impacts on RESTful Web Services Design Hong-Linh

Context, Quality and Relevance: Dependencies and Impacts on RESTful Web Services Design Hong-Linh Truong 1 , Schahram Dustdar 1 , Andrea Maurino 2 , Marco Comerio 2 1 Distributed Systems Group, Vienna University of Technology 2 Department of

612 views • 23 slides
ResEval: A Mashup PlaDorm For Research Evalua5on Muhammad

ResEval: A Mashup PlaDorm For Research Evalua5on Muhammad

ResEval: A Mashup PlaDorm For Research Evalua5on Muhammad Imran, Florian Daniel, Fabio Casa5 &amp; Maurizio Marchese DISI, University of Trento, Italy

855 views • 23 slides
John Magee jmagee@clarku.edu 1 Whats a Mashup? Why does this course list 3 (or 4) books?

John Magee jmagee@clarku.edu 1 Whats a Mashup? Why does this course list 3 (or 4) books?

Welcome to CS140 Assembly Language and Computer Organization aka Computer Systems Spring 2017 John Magee jmagee@clarku.edu 1 Whats a Mashup? Why does this course list 3 (or 4) books? Were going to be doing some kind of

374 views • 3 slides

More recommend