Repetition Lect 7

• Trusted computing
• Java as basic model for signed code
• Trusted Computing Group
• TPM
• ARM TrustZone
• Access control
• Runtime protection
• Mobile Network security
• GSM security
• UMTS (3G) security
• LTE (4G) security

LECT 8: WEB SECURITY

2014-02-21 EDA625: Ben Smeets

WEB Security

• Browser/WWW security
• Web services security

BROWSER SECURITY

Modified from Mayra Sacanamboy

Topics

• Introduction
• Web Application
• Components
• Common Vulnerabilities
• Improving security in Web applications

Introduction

What does security mean?
• For Webmasters: confidence that their site won’t be hacked or used as a gateway to get into their LANs
• For Web users: the ability to browse securely through the web

But in general…


Introduction

• World Wide Web security
  • Procedures
  • Technologies
  • Practices
• Effects:
  • Infrastructure
  • Client
  • Network/Transport

Web Application

• A Web Application is a client/server software application that interacts with users or other systems using HTTP(S).
• Browser (HTML & CSS) --HTTP request--> (web)server --> Back-end server

Web Threat Models

• Web attacker
  • Control attacker.com
  • Can obtain SSL/TLS certificate for attacker.com ($0)
  • User visits attacker.com
• Network attacker
  • Passive: Wireless eavesdropper
  • Active: Evil router, DNS poisoning
• Malware attacker
  • Attacker escapes browser sandbox

Some important “Components”

1. Authentication
2. Browser Security
3. Scripts and Active Code
4. Technologies: e.g. Ajax


Cookies

• HTTP is a stateless protocol; cookies add state
• Used to store state on user’s machine
• Browser → server: GET …
• Server → browser, HTTP header:
  Set-cookie: NAME=VALUE ;
    domain = (who can read) ;
    expires = (when expires) ;  if expires=NULL: this session only
    secure = (only over SSL)
• Browser → server, on later requests:
  GET …
  Cookie: NAME = VALUE

Authentication

• Of a user or entity using
  • HTTP basic
  • HTTP digest
• For secure authentication
  • SSL (https://...)
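Added worked example (not from the slides): a parser for the Set-cookie header fields listed above (NAME=VALUE, domain, expires, secure) together with the decision a browser makes before adding "Cookie: NAME=VALUE" to a later request. The header strings, host names and URLs are constructed sample data; the functions parseSetCookie, shouldSendCookie and cookieHeader are names chosen for this example.

```javascript
// Added example (not from the lecture slides): parse a Set-Cookie header into
// the fields the slide lists (NAME=VALUE, domain, expires, secure) and decide
// whether the browser should attach the cookie to a later request.
// Header strings, host names and URLs below are constructed sample data.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    domain: null,   // "who can read": that domain and its subdomains; null = setting host only
    expires: null,  // null = session cookie, kept only until the browser closes
    secure: false,  // true = only sent over SSL/TLS (https://)
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1).trim();
    if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'expires') cookie.expires = new Date(val);
    else if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Should the browser send this cookie (as "Cookie: NAME=VALUE") with a request
// to requestUrl? setByHost is the host that sent the Set-Cookie header.
function shouldSendCookie(cookie, setByHost, requestUrl, now = new Date()) {
  const url = new URL(requestUrl);
  const host = url.hostname.toLowerCase();
  if (cookie.domain === null) {
    // No domain attribute: only the exact host that set the cookie may read it.
    if (host !== setByHost.toLowerCase()) return false;
  } else if (host !== cookie.domain && !host.endsWith('.' + cookie.domain)) {
    return false;                       // neither the domain nor a subdomain of it
  }
  if (cookie.secure && url.protocol !== 'https:') return false;      // https only
  if (cookie.expires !== null && cookie.expires <= now) return false; // expired
  return true;
}

// The request header line the browser would send for the cookies that pass.
function cookieHeader(cookies, setByHost, requestUrl, now = new Date()) {
  const sent = cookies.filter((c) => shouldSendCookie(c, setByHost, requestUrl, now));
  return sent.length ? 'Cookie: ' + sent.map((c) => `${c.name}=${c.value}`).join('; ') : '';
}
```

The secure check is the one that matters for the Authentication slide: without the secure attribute the same auth cookie would be sent in clear over http:// and could be read by the passive network attacker from the threat-model slide.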

Cookie authentication

Message sequence between Browser, Web Server and Auth server:

1. Browser → Web Server: POST login.cgi, Username & pwd
2. Web Server → Auth server: Validate user
3. Auth server: Store val; Web Server → Browser: Set-cookie: auth=val
4. Browser → Web Server: GET restricted.html, Cookie: auth=val
5. Web Server → Auth server: auth=val; Auth server: Check val → YES/NO
6. If YES: Web Server → Browser: restricted.html

SAME ORIGIN POLICY (SOP)

Document Object Model (DOM)

• Object-oriented interface used to read and write docs
  • web page in HTML is (tree) structured data
  • DOM provides representation of this hierarchy
• Examples
  • Properties: document.alinkColor, document.URL, document.forms[ ], document.links[ ], document.anchors[ ]
  • Methods: document.write(document.referrer)
• Also Browser Object Model (BOM)
  • window, document, frames[], history, location, navigator (type and version of browser)

Browser Same Origin Policy (SOP)

• Web sites from different domains cannot interact except in very limited ways
• Applies to:
  • Cookies: cookie from origin A not visible to origin B
  • DOM: script from origin A cannot read or set properties for origin B
• For DOM access, two origins are the same if and only if the tuple (domain-name, port, protocol) is equal

Safari note: until 3.0 SOP was only (domain-name, port)
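Added worked example (not from the slides): the origin test above as a function over URLs, plus the pre-3.0 Safari variant from the note. Default ports are filled in so that http://a.com and http://a.com:80 compare equal; the function names and the sample URLs (www.lu.com, attacker.com, port 8080) are this example's own.

```javascript
// Added example (not from the lecture slides): the SOP origin test as code.
// Two documents share an origin for DOM access iff the tuple
// (domain-name, port, protocol) is equal. DEFAULT_PORT fills in the port the
// browser would use when the URL omits it. All URLs below are constructed samples.

const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

function originTuple(urlString) {
  const u = new URL(urlString);                 // URL lowercases scheme and host
  return {
    domain: u.hostname,
    port: u.port || DEFAULT_PORT[u.protocol] || '',
    protocol: u.protocol,
  };
}

// Which components of the tuple differ; an empty list means same origin.
function originMismatch(a, b) {
  const x = originTuple(a), y = originTuple(b);
  return ['domain', 'port', 'protocol'].filter((k) => x[k] !== y[k]);
}

// Current rule: (domain-name, port, protocol) must all be equal.
function sameOrigin(a, b) {
  return originMismatch(a, b).length === 0;
}

// Safari < 3.0 rule from the slide: only (domain-name, port) were compared,
// so http:// and https:// pages on the same explicit port counted as one origin.
function sameOriginSafariPre3(a, b) {
  return originMismatch(a, b).every((k) => k === 'protocol');
}
```

Note that with default ports filled in, http://www.lu.com and https://www.lu.com differ in port as well as protocol, so the old Safari rule only made a difference when both pages used the same explicit port (the 8080 case in the test).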

SOP Examples

Example HTML at www.lu.com

Disallowed access:
• alert( frames[0].contentDocument.body.innerHTML )
• alert( frames[0].src )

Origins: the new OS

• Origins are “similar” to processes
  • One origin should not interfere with another
• Cooperation: often sites want to communicate
  • Google AdSense: