ilab2 and application layer security
play

iLab2 WWW and Application Layer Security with friendly support by - PowerPoint PPT Presentation

Nov 25, 2022 •319 likes •802 views

Chair for Network Architectures and Services Department of Informatics TU Mnchen Prof. Carle iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University of Tbingen Recap: Internet Protocol Suite

  1. Chair for Network Architectures and Services Department of Informatics TU München – Prof. Carle iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University of Tübingen

  2. Recap: Internet Protocol Suite Application protocols: Application Layer e. g. HTTP, SIP, Instant Messengers, … End-to-end connectivity between Transport Layer processes (port concept) Network Layer Routing between networks Data Link Layer Interface to physical media Physical Layer  TCP/IP stack has no specific representation for OSI layers 5, 6, 7 („session“, „representation“, „application“): the Application Layer is responsible for all three 2 iLab 2, WWW Security, SS 2011

  3. Why Application Layer Security?  So far, we were mostly concerned with layers below the application layer:  Link Layer security  Crypto protocols: IPSec, SSL, Kerberos…  Firewalls  Intrusion Detection  There are attacks where these defenses do not work:  Cross-Site Scripting, Buffer Overflows, …  Possible because  These attacks are not detectable on lower layers (  cf. WWW Security), or  The mechanisms do not secure the correct communication end-points (  cf. Web Service Security, see our NetSec lecture)  In general, many applications need to provide their own security mechanisms  E. g. authentication, authorization 3 iLab 2, WWW Security, SS 2011

  4. Part I: Introduction to the WWW  Part I: Introduction to the WWW and  Part I: Introduction to the WWW and Security Aspects Security Aspects  Part II: Internet Crime  Part II: Internet Crime  Part III: Vulnerabilities and Attacks  Part III: Vulnerabilities and Attacks 4 iLab 2, WWW Security, SS 2011

  5. Introduction to the World Wide Web  You all know it – but what is it exactly?  Conceived in 1989/90 by Tim Berners-Lee at CERN  Hypermedia-based extension to the Internet on the Application Layer  Any information (chunk) or data item can be referenced by a Uniform Resource Identifier (URI)  URI syntax (defined in RFCs) : <scheme>://<authority><path>?<query>#<fragment>  Special case: URL (“Locator”) http://www.net.in.tum.de/de/startseite/  Special case: URN (“Name”) urn:oasis:names:specification:docbook:dtd:xml:4.1.2  Probably the best-known application of the Internet  Currently, most vulnerabilities are found in Web applications 5 iLab 2, WWW Security, SS 2011

  6. HTML and Content Generation  HTML is the lingua franca of the Web  Content representation: structured hypertext documents  HTML documents – i. e. Web pages – may include: • JavaScript: script that is executed in browser • Java Applets: Java program, executed by Java VM • Flash: multimedia application, executed (played) by Flash player  Today, much (if not most) content is created dynamically by server-side programs  (Fast-)CGI: interface between Web server and such a server-side program  Possible: include programs directly as modules in Web server (e.g. Apache)  Often, dynamic Web pages also interact with the user  Examples: searches, input forms  think of online banking  Examples of server-side technology/languages:  PHP, Python, Perl, Ruby, …  Java (several technologies), ASP.NET  Possible, but rare: C++ based programs 6 iLab 2, WWW Security, SS 2011

  7. HTTP  HTTP is the carrier protocol for HTML  Conceived to be state-less: server does not keep state information about connection to client  Mostly simple GET / POST semantics ( PUT is possible)  HTML-specific encoding options  OK for the beginnings – but the Web became the most important medium for all kinds of purposes (e. g. e-commerce, forums, etc.)  today: complete work flows implemented with HTTP/HTML  need to keep state between different pages  sessions 7 iLab 2, WWW Security, SS 2011

  8. Sessions Over HTTP  Sessions: many work-arounds around the state-less property  Cookies: small text files that the server makes the browser store • Client authenticates to server  receives cookie with a “secret” value  use this value to keep the session alive (re-transmit)  Session-IDs (passed in HTTP header)  Parameters in URL  Hidden variables in input forms (HTML-only solution)  Session information is a valuable target  E. g., online banking: credit card or account information 8 iLab 2, WWW Security, SS 2011

  9. A Few More Aspects  Cookies can be exploited to work against privacy  User tracking: identify user and store information about browsing habits  3rd party cookies: cookies that are not downloaded from the site you are visiting, but from another one • Can be used to track users across sites  Cookies can be set without the user knowing (there are reasonably safe standard settings)  Security trade-off: many Web pages require cookies to work, disabling them completely may not be an option  Cookies may also contain confidential session information  Attacker may try to get at such information (  Cross-Site Scripting) 9 iLab 2, WWW Security, SS 2011

  10. A Few More Aspects  Session IDs in the URL can also be a weakness  Can be guessed or involuntarily compromised (e. g. sending a link)  “session hijacking”  GET command may encode parameters in the URL  Can be a weakness:  Some URLs are used to trigger an action, e.g. http://www.example.org/update.php?insert=user  Attacker can craft certain URLs (  Cross-Site Request Forgery) 10 iLab 2, WWW Security, SS 2011

  11. HTTP Authentication  HTTP Authentication  Basic Authentication: not intended for security • Server requests username + password • Browser answers in plain text  relies on underlying SSL for security • No logout! Browser keeps username and password in cache  Digest Authentication: protects username + password • Server also sends a nonce • Browser reply is MD5 hash: md5(username,password,nonce) • No mutual authentication – only client authentication • More secure and avoids replay attacks, but MD5 is known to have weaknesses • SIP uses a similar method  HTTP authentication often replaced with other methods  Requires session management  Complex task 11 iLab 2, WWW Security, SS 2011

  12. JavaScript  Script language that is executed on client-side (not only in browsers!)  Originally developed by Netscape; today more or less a standard  Object-oriented with C-like syntax, but multi-paradigm  Allows dynamic content for the WWW  AJAX etc.  Allows a Web site to execute programs in the browser  The Web is less attractive without JavaScript – but anything that is downloaded and executed by a client may be a security risk  Recent development: JavaScript used on Server-side as well (Node.js) 12 iLab 2, WWW Security, SS 2011

  13. JavaScript  Security Issues:  Allows authors to write malicious code  Allows cross-site attacks (we look at these a bit later in this lecture)  Defenses:  Sandboxing of JavaScript execution • Difficult to implement  Same-origin policy: • script may only access resources on the Web that have the same origin: protocol://domain:port • Same-origin policy can be violated with Cross-Site Scripting 13 iLab 2, WWW Security, SS 2011

  14. Part II: Internet Crime  Part I: Introduction to the WWW and  Part I: Introduction to the WWW and Security Aspects Security Aspects  Part II: Internet Crime  Part II: Internet Crime  Part III: Vulnerabilities and Attacks  Part III: Vulnerabilities and Attacks 14 iLab 2, WWW Security, SS 2011

  15. Vulnerabilities: some numbers  3,462 vs 2,029 web/non-web application vulnerabilities (Symantec, 2008)  Average exposure time: 60 days  12,885 site-specific XSS vulnerabilities submitted to XSSed in 2008 alone  Only 3% of site-specific vulnerabilities were fixed by the end of 2008  The bad guys are not some hackers who “want to know how it works”  These days, it’s a business!  “Symantec Underground Economy Report 2008”: “Moreover, considerable evidence exists that organized crime is involved in many cases …“ [ed.: referring to cooperation between groups] 15 iLab 2, WWW Security, SS 2011

  16. From the Symantec Report 2008 (1/4) 16 iLab 2, WWW Security, SS 2011

  17. From the Symantec Report 2008 (2/4) 17 iLab 2, WWW Security, SS 2011

  18. From the Symantec Report 2008 (3/4) 18 iLab 2, WWW Security, SS 2011

  19. From the Symantec Report 2008 (4/4) 19 iLab 2, WWW Security, SS 2011

  20. Part III: Vulnerabilities and Attacks  Part I: Introduction to the WWW and  Part I: Introduction to the WWW and Security Aspects Security Aspects  Part II: Internet Crime  Part II: Internet Crime  Part III: Vulnerabilities and Attacks  Part III: Vulnerabilities and Attacks 20 iLab 2, WWW Security, SS 2011

  21. Comparison: two classic vulnerabilities Source: MITRE CVE trends 21 iLab 2, WWW Security, SS 2011

  22. Classification of Attacks (incomplete) Client-side Server-side Common  C++ (e. g. Firefox)  Web Server: C++, Java implementation  XULRunner languages  Script languages  Java Common attack  Drive-by downloads  Cross-Site scripting types  Buffer overflows  Code Injection  SQL Injection  (DoS and the like) Result of attack  Malware installation  Defacement  Computer  Loss of private data manipulation  Loss of corporate  Loss of private data secrets We are concerned with the server side in this Lab. 22 iLab 2, WWW Security, SS 2011

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University

iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University

Chair for Network Architectures and Services Department of Informatics TU Mnchen Prof. Carle iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University of Tbingen Recap: Internet Protocol Suite

755 views • 41 slides
Application Layer Security with friendly support by P. Laskov, Ph.D., University of Tbingen

Application Layer Security with friendly support by P. Laskov, Ph.D., University of Tbingen

Chair for Network Architectures and Services Department of Informatics TU Mnchen Prof. Carle iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University of Tbingen Recap: Internet Protocol Suite

972 views • 46 slides
UNDERGROUND ECONOMIES CMSC 414 MAY 10 2018 BUT FIRST: APPLICATION-LAYER SECURITY

UNDERGROUND ECONOMIES CMSC 414 MAY 10 2018 BUT FIRST: APPLICATION-LAYER SECURITY

UNDERGROUND ECONOMIES CMSC 414 MAY 10 2018 BUT FIRST: APPLICATION-LAYER SECURITY APPLICATION LAYER Familiar faces: HTTP (web), SMTP (mail), Skype, Bittorrent, Gaming, All of these choose explicitly from the layer beneath

1.49k views • 89 slides
iLab2 Introduction to SIP Daniel Raumer raumer@net.in.tum.de Agenda SIP - What? SIP

iLab2 Introduction to SIP Daniel Raumer raumer@net.in.tum.de Agenda SIP - What? SIP

Lehrstuhl Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen iLab2 Introduction to SIP Daniel Raumer raumer@net.in.tum.de Agenda SIP - What? SIP - How? Repetition Security iLab2

263 views • 14 slides
Transport Layer Security The TLS Protocol Transport Layer Security (TLS) Security goals:

Transport Layer Security The TLS Protocol Transport Layer Security (TLS) Security goals:

IN3210 Network Security Transport Layer Security The TLS Protocol Transport Layer Security (TLS) Security goals: Authentication Integrity Confidentiality Transparent security protocol between TCP and application

1k views • 66 slides
iLab2: WWW Security Johannes Naab &lt;2019-03-15 Fri&gt; Contents 1 WWW Basics 1 2

iLab2: WWW Security Johannes Naab &lt;2019-03-15 Fri&gt; Contents 1 WWW Basics 1 2

iLab2: WWW Security Johannes Naab &lt;2019-03-15 Fri&gt; Contents 1 WWW Basics 1 2 Security 2 3 Attacks 3 4 Defenses &amp; Mitigation 5 5 Reporting Vulnerabilities 7 1 WWW Basics reading mails chatting on facebook

177 views • 7 slides
Application Layer Transport Security Cesar Ghali, Adam Stubblefield, Ed Knapp, Jiangtao Li,

Application Layer Transport Security Cesar Ghali, Adam Stubblefield, Ed Knapp, Jiangtao Li,

Application Layer Transport Security Cesar Ghali, Adam Stubblefield, Ed Knapp, Jiangtao Li, Benedikt Schmidt, Julien Boeuf Real World Crypto, 2019 January 9-11, 2019 Introduction Design Trust Model Protocols Tradeoffs Application Layer

510 views • 39 slides
Application-Layer Protocols: The World-Wide Web (HTTP) Reliable file transfer (FTP) The

Application-Layer Protocols: The World-Wide Web (HTTP) Reliable file transfer (FTP) The

COMP 431 Application-Layer Protocols Internet Services &amp; Protocols Outline application application transport network Example client/server systems and link their application-level protocols: physical Application-Layer Protocols:

432 views • 10 slides
Application-Layer Protocols The World-Wide Web (HTTP) Reliable file transfer (FTP)

Application-Layer Protocols The World-Wide Web (HTTP) Reliable file transfer (FTP)

COMP 431 Application-Layer Protocols Internet Services &amp; Protocols Outline application application transport Example client/server systems and network their application-level protocols: link physical Application-Layer Protocols

281 views • 13 slides
11 Application Layer Application Layer DNS: Domain Name System Most commonly used names

11 Application Layer Application Layer DNS: Domain Name System Most commonly used names

Application Layer Application Layer SMTP: final words Mail message format SMTP uses persistent Comparison with HTTP: SMTP: protocol for connections exchanging email msgs header HTTP: pull blank SMTP requires message RFC 822:

453 views • 4 slides
Introduction to Network Security Security Chapter 7 Transport Layer Protocols Dr. Doug

Introduction to Network Security Security Chapter 7 Transport Layer Protocols Dr. Doug

Introduction to Network Security Security Chapter 7 Transport Layer Protocols Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics TCP Layer Responsible for reliable end-to-end transfer of application data.

632 views • 32 slides
Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security

Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security

Outline Preliminaries: Internet protocols, PKI, X.509, Encoding Internet Security Protocols Application layer security (email) PGP, S/MIME Transport layer security Bart Preneel SSL / TLS June 2003 Network layer

571 views • 19 slides
IPsec Slide 1 Protocol security - where? Application layer: (+): easy access to user credentials,

IPsec Slide 1 Protocol security - where? Application layer: (+): easy access to user credentials,

IPsec 1 IPsec Slide 1 Protocol security - where? Application layer: (+): easy access to user credentials, extend without waiting for OS vendor, understand data; (-): design again and again; e.g., PGP, ssh, Kerberos Transport layer: (+):

420 views • 18 slides
Application Layer CS 3516 Computer Networks CS 3516 Computer Networks 2: Application Layer 2

Application Layer CS 3516 Computer Networks CS 3516 Computer Networks 2: Application Layer 2

Application Layer CS 3516 Computer Networks CS 3516 Computer Networks 2: Application Layer 2 Chapter 2: Application Layer Some network apps learn about protocols Goals: conceptual, e-mail social networks by examining

371 views • 14 slides
On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways Teemu Rytilahti,

On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways Teemu Rytilahti,

On Using Application-Layer Middlebox Protocols for Peeking Behind NAT Gateways Teemu Rytilahti, Thorsten Holz Horst Grtz Institute for IT-Security, Ruhr University Bochum, Germany Network and Distributed System Security Symposium 2020 1

581 views • 46 slides
1 Connection Establishment Data Exchange Clients connect to an SSH server on port Once

1 Connection Establishment Data Exchange Clients connect to an SSH server on port Once

Where in the stack is security? Attacks can be targeted at any layer of the 16: protocol stack Application layer: Password and data sniffing, Forged Exploits and Defenses Up and transactions, Security holes, Buffer Overflows?

1.15k views • 9 slides
Web Systems Architecture Web Systems &amp; Technologies: Basic architecture An Introduction

Web Systems Architecture Web Systems &amp; Technologies: Basic architecture An Introduction

Web Systems Architecture Web Systems &amp; Technologies: Basic architecture An Introduction information is structured as an ipertext allocation transparency Prof. Ing. Andrea Omicini resources as information Use of graphical interfaces

260 views • 4 slides
Birth of LibreSSL and its current status Frank Timmers Consutant, Snow B.V. Background What is

Birth of LibreSSL and its current status Frank Timmers Consutant, Snow B.V. Background What is

Birth of LibreSSL and its current status Frank Timmers Consutant, Snow B.V. Background What is LibreSSL A fork of OpenSSL 1.0.1g Being worked on extensively by a number of OpenBSD developers What is OpenSSL OpenSSL is an open

830 views • 24 slides
SEDA: An Architecture for Well-Conditioned, Scalable Internet Services By: Matt Welsh, David

SEDA: An Architecture for Well-Conditioned, Scalable Internet Services By: Matt Welsh, David

SEDA: An Architecture for Well-Conditioned, Scalable Internet Services By: Matt Welsh, David Culler, and Eric Brewer Presenter: Hong Quach Portland State University CS 533 - Fall 2013 Overview Introduction Background and Related

633 views • 36 slides
Outline Ancient to Modern Year of Wearable Technology From Mobile Web to Wearable Web

Outline Ancient to Modern Year of Wearable Technology From Mobile Web to Wearable Web

Web Web Computing Wearable Computing @ 2015 Dr. Hsing Mei ( ) Web Computing Laboratory Computer Science and Information Engineering Department Fu Jen Catholic University May 15, 2015 Outline Ancient to

629 views • 27 slides
DEB ii Platform for a Lexicographic Station Ale s Hor ak Karel Pala Faculty of

DEB ii Platform for a Lexicographic Station Ale s Hor ak Karel Pala Faculty of

Outline Server side Client side Current DEB projects DEB ii Future Directions DEB ii Platform for a Lexicographic Station Ale s Hor ak Karel Pala Faculty of Informatics, Masaryk University Botanick a 68a, CZ-602 00 Brno,

639 views • 20 slides
Weave Net Five years with no central control. FOSDEM 2020 Bryan Boreham @bboreham

Weave Net Five years with no central control. FOSDEM 2020 Bryan Boreham @bboreham

Weave Net Five years with no central control. FOSDEM 2020 Bryan Boreham @bboreham https://weave.works @weaveworks 1 Bryan Boreham Lead on Weave Net since 2015. Project member of Kubernetes, CNI, Cortex, Scope,

683 views • 36 slides
Porting Charm++ to a New System Writing a Machine Layer Sayantan Chakravorty 5/01/2008 Parallel

Porting Charm++ to a New System Writing a Machine Layer Sayantan Chakravorty 5/01/2008 Parallel

Porting Charm++ to a New System Writing a Machine Layer Sayantan Chakravorty 5/01/2008 Parallel Programming Laboratory 1 Why have a Machine Layer ? User Code .ci .C .h Charm++ Load balancing Virtualization Scheduler Converse Memory

1.22k views • 22 slides
Profiling Network Performance in Mul5-5er Datacenter Applica5ons

Profiling Network Performance in Mul5-5er Datacenter Applica5ons

Profiling Network Performance in Mul5-5er Datacenter Applica5ons Minlan Yu Scalable Princeton University Net-App Profiler Joint work with Albert

571 views • 29 slides

More recommend