Repetition Lect 7 • Trusted computing LECT 8 • Java as basic model for signed code • Trusted Computing Group WEB SECURITY • TPM • ARM TrustZone Access control Runtime protection • Mobile Network security • GSM security • UMTS (3G) security • LTE (4G) security 2014-02-21 EDA625: Ben Smeets 2014-02-21 EDA625: Ben Smeets WEB Security • Browser/WWW security BROWSER • Web services security SECURITY Modified from Mayra Sacanamboy 2014-02-21 EDA625: Ben Smeets 2014-02-21 EDA625: Ben Smeets Topics Introduction • Introduction What does World Wide Web security mean? • Web Application For Webmasters: • Components confidence that their site won’t be hacked or used as a • Common Vulnerabilities gateway to get into their LANS • Improving security in Web applications For Web users: it is the ability to browse securely through the web But in general… 2014-02-21 EDA625: Ben Smeets 2014-02-21 EDA625: Ben Smeets Introduction Web Application • World Wide Web security • Web Application is a client/server software Procedures application that interacts with users or other systems using Effects: Technologies • Infrastructure HTTP(S) . • Client • Network/Transport Practices HTML & CSS Browser HTTP request (web)server Back-end server 2014-02-21 EDA625: Ben Smeets 2014-02-21 EDA625: Ben Smeets Web Threat Models Some important “Components” • Web attacker 1. Authentication • Control attacker.com 2. Browser Security • Can obtain SSL/TLS certificate for attacker.com ($0) 3. Scripts and Active Code • User visits attacker.com 4. Technologies : e.g. Ajax • Network attacker • Passive: Wireless eavesdropper • Active: Evil router, DNS poisoning • Malware attacker • Attacker escapes browser sandbox 2014-02-21 EDA625: Ben Smeets 2014-02-21 EDA625: Ben Smeets Cookies Authentication • Used to store state on user’s machine Of a user or entity using GET … • HTTP basic Browser • HTTP digest HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; For secure authentication If expires=NULL: expires = (when expires) ; this session only • SSL (https://...) secure = (only over SSL) Browser GET … Cookie: NAME = VALUE 2014-02-21 EDA625: Ben Smeets 2014-02-21 HTTP is statelessEDA625: Ben protocol;Smeets cookies add state Cookie authentication Browser Web Server Auth server POST login.cgi Username & pwd Validate user SAME ORIGIN POLICY Set-cookie: auth=val auth=val Store val (SOP) GET restricted.html Cookie: auth=val restricted.html auth=val Check val If YES, YES/NO restricted.html 2014-02-21 EDA625: Ben Smeets 2014-02-21 EDA625: Ben Smeets Document Object Model (DOM) Browser Same Origin Policy (SOP) • Object-oriented interface used to read and write docs • web page in HTML is (tree) structured data Web sites from different domains cannot interact • DOM provides representation of this hierarchy except in very limited ways • Examples • Properties: document.alinkColor, document.URL, document.forms[ ], • Applies to: document.links[ ], document.anchors[ ] • Cookies: cookie from origin A not visible to origin B • Methods: document.write(document.referrer) • DOM: script from origin A cannot read or set properties for origin B • Also Browser Object Model (BOM) • For DOM access, two origins are the same if and only if • window, document, frames[], history, location, navigator (type and version of browser) tuple ( domain-name, port, and protocol ) is equal Safari note: until 3.0 SOP was only (domain-name, port) 2014-02-21 EDA625: Ben Smeets 2014-02-21 EDA625: Ben Smeets SOP Examples Web Browser: the new OS Example HTML at www.lu.com Origins are “similar” to processes Disallowed access: • One origin should not interfere with another <iframe src="http://kth.com"></iframe> alert( frames[0].contentDocument.body.innerHTML ) Cooperation: often sites want to communicate alert( frames[0].src ) • Google AdSense: <script src="http://googlesyndication.com/show_ads.js"> Allowed access: • Mash-ups <img src="http://kth.com/logo.gif"> • Gadget aggregators (e.g. iGoogle or live.com) alert( images[0].height ) • To communicate with B, site A must give B full control: <script src=http://siteB.com/script.html> Navigating child frame is allowed (but reading frame[0].src is not): now script from site B runs in origin of site A frames[0].location.href = “http://mysite.com/” 2014-02-21 EDA625: Ben Smeets 2014-02-21 EDA625: Ben Smeets Browser Security Scripts and Active Code Scripts Cookie Programs executed on the server side performing Data file originated by a web server, with the advanced operations. client’s information (machine name, keystrokes E.g: perl, c, php, etc the user types, etc) Active Code Types Per-session , secure Programs designed to perform detailed task on the client’s Persistent , nonsecure side. Cookies = vulnerability ~ privacy E.g: javaScript, Java Applets, ActiveX,… • Structure Of A Cookie Domain Flag Path Secure Expiration Name Value www.redhat.com FALSE / FALSE 1154029490 Apache 64.3.40.151.16018996349247480 2014-02-21 EDA625: Ben Smeets 2014-02-21 EDA625: Ben Smeets Scripts and Active Code Scripts and Active Code Vulnerabilities • Passing unchecked user input to command interpreters: user input is passed to a command shell, allowing remote Misusing interpreters: putting the script interpreter in the users to execute shell commands on the web server. same place as the scripts directory. • Opening files based on unchecked user input. http://www.victim.com/cgi-bin/perl.exe?-e+%27unlink+%3C*%3E%27 • When writing user inputs to disk. Web Server --> perl –e unlink ‘<*>’ Flawed memory management: is in the domain of programming languages that do not perform memory management internally such as c, c++. 2014-02-21 EDA625: Ben Smeets 2014-02-21 EDA625: Ben Smeets Scripts and Active Code Scripts and Active Code • Security Model • ActiveX ¾Java Applets => sandbox Is a binary code that extend the functionality of a web ¾JavaScript sandbox application; it can take any action as the user. same origin policy Security is partially controlled by the web designer and a object signing third party. ¾ Security Options safe for initializing safe for scripting 2014-02-21 EDA625: Ben Smeets 2014-02-21 EDA625: Ben Smeets 3.4 AJAX (Asynchronous JavaScript and AJAX XML) presentation management using XHTML, CSS, and the Synchronous Document Object Model; Asynchronous data retrieval using XMLHttpRequest; and, JavaScript Asynchronous 2014-02-21 EDA625: Ben Smeets 2014-02-21 EDA625: Ben Smeets Two common vulnerabilities Common Vulnerabilities: XSS • Cross Site Scripting (XSS) Cross Site Scripting (XSS) • Sql Injection An attacker injects malicious code, usually client-side scripts, into web applications from outside sources . Types - Stored - Reflected Due to lack of input/output filtering 2014-02-21 EDA625: Ben Smeets 2014-02-21 EDA625: Ben Smeets Reflection XSS Common Vulnerabilities 3: result page with Sql Injection embedded script An attacker adds SQL statements through a web application's input fields or hidden parameters to gain 2: form with Trusted server access to resources or make changes to data embedded script 4: cookie 1. Page click Attacker’s server 2014-02-21 EDA625: Ben Smeets 2014-02-21 EDA625: Ben Smeets Common Vulnerabilities Security Guidelines Sql Injection: • Validate Input and Output • Fail Securely (Closed) SELECT * FROM users WHERE login = ‘Bush‘ AND • Keep it Simple password = '123' • Use and Reuse Trusted Components • Defense in Depth (If it returns something then login!) • Only as Secure as the Weakest Link PHP/PostgreSql Server login syntax • Security By Obscurity Won't Work $sql = "SELECT * FROM users WHERE login = '" . • Least Privilege $formusr . "' AND password = '" . $formpwd . "'"; • Compartmentalization (Separation of Privileges) 2014-02-21 EDA625: Ben Smeets 2014-02-21 EDA625: Ben Smeets Topics • Federated Identity Management • XML signatures (not treated) WEB SERVICES 2014-02-21 EDA625: Ben Smeets 2014-02-21 EDA625: Ben Smeets Federated Identity Management • refers to having a common set of policies, practices and protocols in place to manage a digital identity and trust into IT users and devices between organizations • Single sign-on (SSO) systems allow a single user authentication process between multiple IT systems or even organizations. • OpenID • SAML: security assertion markup language • XACML: descriptive policy language 2014-02-21 EDA625: Ben Smeets.