CS 361S Web Security Model Vitaly Shmatikov (most slides from the Stanford Web security group)slide 2 Reading Assignment Read “Rookits for JavaScript Environments” and “Beware of Finer-Grained Origins”slide 3 Browser and Network Browser Network OS Hardware website request replyslide 4 HTTP: HyperText Transfer Protocol Used to request and return data • Methods: GET, POST, HEAD, … Stateless request/response protocol • Each request is independent of previous requests • Statelessness has a significant impact on design and implementation of applications Evolution • HTTP 1.0: simple • HTTP 1.1: more complexslide 5 GET /default.asp HTTP/1.0 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Connection: Keep-Alive If-Modified-Since: Sunday, 17-Apr-96 04:32:58 GMT HTTP Request Method File HTTP version Headers Data – none for GET Blank lineslide 6 HTTP/1.0 200 OK Date: Sun, 21 Apr 1996 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Content-Type: text/html Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Content-Length: 2543 <HTML> Some data... blah, blah, blah </HTML> HTTP Response HTTP version Status code Reason phrase Headers Dataslide 7 Website Storing Info In Browser A cookie is a file created by a website to store information in the browser Browser Server POST login.cgi username and pwd Browser Server GET restricted.html Cookie: NAME=VALUE HTTP is a stateless protocol; cookies add state If expires = NULL, this session only HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; expires = (when expires) ; secure = (send only over HTTPS)slide 8 What Are Cookies Used For? Authentication • The cookie proves to the website that the client previously authenticated correctly Personalization • Helps the website recognize the user from a previous visit Tracking • Follow the user from site to site; learn his/her browsing behavior, preferences, and so onGoals of Web Security Safely browse the Web • A malicious website cannot steal information from or modify legitimate sites or otherwise harm the user… • … even if visited concurrently with a legitimate site - in a separate browser window, tab, or even iframe on the same webpage Support secure Web applications • Applications delivered over the Web should have the same security properties we require for standalone applications (what are these properties?) slide 9All of These Should Be Safe Safe to visit an evil website Safe to visit two pages at the same time Safe delegation slide 10Security Vulnerabilities in 2011 slide 11 Source: IBM X-ForceTwo Sides of Web Security Web browser • Responsible for securely confining Web content presented by visited websites Web applications • Online merchants, banks, blogs, Google Apps … • Mix of server-side and client-side code – Server-side code written in PHP, Ruby, ASP, JSP… runs on the Web server – Client-side code written in JavaScript… runs in the Web browser • Many potential bugs: XSS, XSRF, SQL injection slide 12slide 13 Where Does the Attacker Live? Browser OS Hardware website Web attacker Network attacker Malware attackerWeb Threat Models Web attacker Network attacker • Passive: wireless eavesdropper • Active: evil Wi-Fi router, DNS poisoning Malware attacker • Malicious code executes directly on victim’s computer • To infect victim’s computer, can exploit software bugs (e.g., buffer overflow) or convince user to install malicious content (how?) – Masquerade as an antivirus program, video codec, etc. slide 14Web Attacker Controls a malicious website (attacker.com) • Can even obtain an SSL/TLS certificate for his site ($0) User visits attacker.com – why? • Phishing email, enticing content, search results, placed by an ad network, blind luck … • Attacker’s Facebook app Attacker has no other access to user machine! Variation: “iframe attacker” • An iframe with malicious content included in an otherwise honest webpage – Syndicated advertising, mashups, etc. slide 15Dangerous Websites Microsoft’s 2006 “Web patrol” study identified hundreds of URLs that could successfully exploit unpatched Windows XP machines • Many interlinked by redirection and controlled by the same major players “But I never visit risky websites” • 11 exploit pages are among top 10,000 most visited • Trick: put up a page with popular content, get into search engines, page then redirects to the exploit site – One of the malicious sites was providing exploits to 75 “innocuous” sites focusing on (1) celebrities, (2) song lyrics, (3) wallpapers, (4) video game cheats, and (5) wrestling slide 16OS vs. Browser Analogies Primitives • System calls • Processes • Disk Principals: Users • Discretionary access control Vulnerabilities • Buffer overflow • Root exploit Primitives • Document object model • Frames • Cookies and localStorage Principals: “Origins” • Mandatory access control Vulnerabilities • Cross-site scripting • Universal scripting Operating system Web browser slide 17slide 18 ActiveX ActiveX “controls” are compiled binaries that reside on the client machine • Downloaded and installed, like any other executable • Activated by an HTML object tag on the page • Run as native binaries, not interpreted by the browser Security model relies on three components • Digital signatures to verify the source of the control • Browser policy can reject controls from network zones • Controls can be marked by author as “safe for initialization” or “safe for scripting” Once accepted, installed and started, no control over execution!slide 19 Installing ActiveX Controls If you install and run, no further control over the code, same access as any other program you installedslide 20 ActiveX Risks From MSDN: • “An ActiveX control can be an extremely insecure way to provide a feature. Because it is a Component Object Model (COM) object, it can do anything the user can do from that computer. It can read from and write to the registry, and it has access to the local file system. From the moment a user downloads an ActiveX control, the control may be vulnerable to attack because any Web application on the Internet
View Full Document