UVA CS 150 - Lecture 35: Cookie Monsters and Semi-Secure Websites


Slide 1: Lecture 35: Cookie Monsters and Semi-Secure Websites
David Evans, http://www.cs.virginia.edu/evans
CS150: Computer Science, University of Virginia, Computer Science
(Slide footer on the remaining slides: Lecture 34: Cookie Monsters)

Slide 2: Secure Programming
cs150: "Honor System" Programming
• All your users are nice and honest
• Nothing terribly bad happens if your program misbehaves
cs205: "Real World" Programming
• Some users are mean and dishonest
• Bad things happen if your program misbehaves
Enough to (hopefully) make you dangerous!

Slide 3: Buffer Overflows
C Program:

    #include <stdio.h>

    int main (void) {
      int x = 9;
      char s[4];
      gets(s);                   /* deliberately unchecked: gets() keeps writing past s[3] on long input */
      printf ("s is: %s\n", s);
      printf ("x is: %d\n", x);
      return 0;
    }

Stack figure: s[0], s[1], s[2], s[3], then x, then the return address; user input "abcdefgh..." fills s and spills into x.

Slide 4: Buffer Overflows
(Same program as slide 3.)

    > gcc -o bounds bounds.c
    > bounds
    abcdefghijkl
    s is: abcdefghijkl
    x is: 9
    > bounds
    abcdefghijklm
    s is: abcdefghijklmn
    x is: 1828716553
    > bounds
    abcdefghijkln
    s is: abcdefghijkln
    x is: 1845493769
    > bounds
    aaa... [a few thousand characters]
    crashes shell

(The lines after each "> bounds" are user input.) 1828716553 = 0x6d000009 and 1845493769 = 0x6e000009: the 13th input character ('m' or 'n') lands in the top byte of x.
Note: your results may vary (depending on machine, compiler, what else is running, time of day, etc.). This is what makes C fun!
What does this kind of mistake look like in a popular server?

Slide 5: Code Red

Slide 6: Security in cs150
Can you have a Buffer Overflow vulnerability in Scheme, Charme, LazyCharme, StaticCharme, or Python?
No (unless there is a bug in the underlying implementation)! Memory is managed by the interpreter, so you don't have to allocate it, or worry about how much space you have.

Slide 7: Web Application Security
• Malicious users can send bad input to your application
• Authentication: most interesting applications need user logins

Slide 8: Cross-Site Scripting
Figure: Python code (#!/uva/bin/python ...) is evaluated using the Python interpreter, which sends SQL commands to the database and gets values back; the output page is sent to the client.
Output pages contain information provided by other users!

Slide 9: Cross-Site Scripting Demo
user: evans
password: $1$79756$Fq4bh/ajnBmzIX.12GPnL0
Enter Review: <script language="javascript">function button(){while (1) alert("I 0wn you!")}</script><BODY onLoad="button()">

Slide 10: Preventing Cross-Site Scripting
• Never never never ever trust users!
• Everything you generate from user input needs to be checked and sanitized (remove the tags)
For your ps9 websites, you may assume all users are bound by the UVa Honor Code and won't do anything evil. But, don't forget how irresponsible it is to put something like this on the web!

Slide 11: Authentication

Slide 12: How do you authenticate?
• Something you know
  – Password
• Something you have
  – Physical key (email account?, transparency?)
• Something you are
  – Biometrics (voiceprint, fingerprint, etc.)
Serious authentication requires at least 2 kinds

Slide 13: Early Password Schemes

    UserID   Password
    ben      schemer
    dave     Lx.Ly.x
    alyssa   fido

    Login: alyssa
    Password: spot
    Failed login. Guess again.

Login does direct password lookup and comparison.

Slide 14: (figure)
Terminal: Login: alyssa, Password: fido. The terminal sends <"alyssa", "fido"> to the Login Process, which runs in a Trusted Subsystem; Eve sits on the path between them.

Slide 15: Password Problems
• Need to store the passwords (today)
  – Dangerous to rely on database being secure
• Need to transmit password from user to host (later class)
  – Dangerous to rely on Internet being confidential

Slide 16: First Try: Encrypt Passwords

    UserID   Password
    ben      encryptK("schemer")
    dave     encryptK("Lx.Ly.x")
    alyssa   encryptK("fido")

• Instead of storing password, store password encrypted with secret K.
• When user logs in, encrypt entered password and compare to stored encrypted password.
Problem if K isn't so secret: decryptK(encryptK(P)) = P

Slide 17: Hashing
Figure: H(char s[]) = (s[0] – 'a') mod 10 maps "neanderthal", "dog" and "horse" into the buckets 0..9.
• Many-to-one: maps a large number of values to a small number of hash values
• Even distribution: for typical data sets, probability of (H(x) = n) = 1/N where N is the number of hash values and n = 0..N – 1.
• Efficient: H(x) is easy to compute.

Slide 18: Cryptographic Hash Functions
• One-way: Given h, it is hard to find x such that H(x) = h.
• Collision resistance: Given x, it is hard to find y ≠ x such that H(y) = H(x).

Slide 19: Example One-Way Function
Input: two 100 digit numbers, x and y
Output: the middle 100 digits of x * y
Given x and y, it is easy to calculate f(x, y) = select middle 100 digits (x * y).
Given f(x, y), it is hard to find x and y.

Slide 20: A Better Hash Function?
• H(x) = encrypt_x(0)
• Weak collision resistance?
  – Given x, it should be hard to find y ≠ x such that H(y) = H(x).
  – Yes – encryption is one-to-one. (There is no such y.)
• A good hash function?
  – No, its output is as big as the message!

Slide 21: Actual Hashing Algorithms
• Based on cipher block chaining
  – Start by encrypting 0 with the first block
  – Use the next block to encrypt the previous block
• SHA [NIST95] – 512 bit blocks, 160-bit hash
• MD5 [Rivest92] – 512 bit blocks, produces 128-bit hash
  – This is what we use in HoosHungry
  – It has been broken!

Slide 22: Hashed Passwords

    UserID   Password
    ben      md5("schemer")
    dave     md5("Lx.Ly.x")
    alyssa   md5("fido")

Slide 23: Dictionary Attacks
• Try a list of common passwords
  – All 1-4 letter words
  – List of common (dog) names
  – Words from dictionary
  – Phone numbers, license plates
  – All of the above in reverse
• Simple dictionary attacks retrieve most user-selected passwords
• Precompute H(x) for all dictionary entries

Slide 24: (at least) 86% of users are dumb and dumber
Password survey (Morris/Thompson 79):
• 0.5% Single ASCII character
• 2% Two characters
• 14% Three characters
• 14% Four alphabetic letters
• 21% Five same-case letters
• 18% Six lowercase letters
• 15% Words in dictionaries or names
• 14% Other (possibly good passwords)

Slide 25: Salt of the Earth

    UserID   Salt   Password
    ben      2437   DES+25(0, "schemer", 2437)
    dave     932    DES+25(0, "Lx.Ly.x", 932)
    alyssa   1125   DES+25(0, "Lx.Ly.x", 1125)

How much harder is the off-line dictionary attack?
DES+(m, key, salt) is an encryption algorithm that encrypts in a way that depends on
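Returning to the cross-site scripting demo and prevention slides above: the following added example (mine, not the lecture's HoosHungry code) renders a review page the unsafe way, the way the slide suggests (remove the tags), and the way I would do it (escape the text). The review payload is a constructed copy of the slide's demo input.

```python
# Added example, not from the lecture: three ways to put a user-supplied
# review into an HTML page. Only render_review_unsafe reproduces the demo.
import html
import re

# Constructed review text modelled on the slide's XSS demo payload.
MALICIOUS_REVIEW = (
    '<script language="javascript">function button(){'
    'while (1) alert("I 0wn you!")}</script><BODY onLoad="button()">'
)


def render_review_unsafe(user, review):
    """Vulnerable: user input is pasted straight into the page, so the
    browser runs any <script> the reviewer typed (the slide's demo)."""
    return f"<p><b>{user}</b> wrote: {review}</p>"


def strip_tags(text):
    """The slide's suggestion: remove the tags. Crude, and easy to get
    wrong (unbalanced '<', attribute tricks), so escaping is preferable."""
    return re.sub(r"<[^>]*>", "", text)


def render_review_stripped(user, review):
    return f"<p><b>{strip_tags(user)}</b> wrote: {strip_tags(review)}</p>"


def render_review_safe(user, review):
    """Hardened: every user-controlled value is HTML-escaped, so '<' becomes
    '&lt;' and the browser shows the review text instead of executing it."""
    return f"<p><b>{html.escape(user)}</b> wrote: {html.escape(review)}</p>"


def contains_raw_tags(page):
    """Check used below: does the page still carry a live <script>/<body>?"""
    lowered = page.lower()
    return "<script" in lowered or "<body" in lowered
```

Escaping keeps the reviewer's text visible verbatim while making it inert; stripping silently changes what the user wrote.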

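The hashed-password, dictionary-attack and salt slides above, worked through in an added example (mine, not the lecture's): it builds the unsalted table of slide 22 and the salted table of slide 25 from the same three users (slide 25's passwords, where dave and alyssa share "Lx.Ly.x"), then runs the precomputed dictionary attack against both and counts the hash evaluations needed. It assumes hashlib.md5 in place of the slide's md5(...) and substitutes SHA-256 over salt+password for DES+25, which the standard library does not provide.

```python
# Added example, not from the lecture. Users, passwords and salts are the
# slide's; the dictionary is constructed. SHA-256(salt:password) stands in
# for the slide's DES+25(0, password, salt) (an assumption, not the scheme).
import hashlib

PLAINTEXT = {"ben": "schemer", "dave": "Lx.Ly.x", "alyssa": "Lx.Ly.x"}
SALTS = {"ben": 2437, "dave": 932, "alyssa": 1125}
DICTIONARY = ["spot", "fido", "rover", "schemer", "password", "Lx.Ly.x"]


def h_unsalted(password):
    """Slide 22: md5(password). Equal passwords give equal table entries."""
    return hashlib.md5(password.encode()).hexdigest()


def h_salted(salt, password):
    """Slide 25 stand-in: the salt is mixed in, so equal passwords differ."""
    return hashlib.sha256(f"{salt}:{password}".encode()).hexdigest()


def build_tables():
    hashed = {u: h_unsalted(p) for u, p in PLAINTEXT.items()}
    salted = {u: (SALTS[u], h_salted(SALTS[u], p)) for u, p in PLAINTEXT.items()}
    return hashed, salted


def check_login(salted, user, attempt):
    """Login recomputes the salted hash and compares; the password itself is
    never stored."""
    salt, stored = salted[user]
    return h_salted(salt, attempt) == stored


def dictionary_attack_unsalted(hashed, dictionary):
    """Precompute H(x) once for every dictionary word, then every user's
    entry is a single lookup. Work = len(dictionary), whatever the user count."""
    table = {h_unsalted(w): w for w in dictionary}
    return {u: table.get(h) for u, h in hashed.items()}, len(dictionary)


def dictionary_attack_salted(salted, dictionary):
    """The precomputed table is useless: each salt forces the attacker to
    rehash the dictionary again. Work grows with the number of distinct salts."""
    found, work = {}, 0
    for user, (salt, stored) in salted.items():
        found[user] = None
        for word in dictionary:
            work += 1
            if h_salted(salt, word) == stored:
                found[user] = word
                break
    return found, work
```

The salted attack still succeeds on these weak passwords; the salt only removes the one-time precomputation, which is why the slide asks how much harder the attack gets rather than whether it is stopped.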
