web security computer security peter reiher december 9
play

Web Security Computer Security Peter Reiher December 9, 2014 - PowerPoint PPT Presentation

Apr 03, 2024 •143 likes •859 views

Web Security Computer Security Peter Reiher December 9, 2014 Lecture 15 Page 1 CS 136, Fall 2014 Web Security Lots of Internet traffic is related to the web Much of it is financial in nature Also lots of private information flow

  1. Web Security Computer Security Peter Reiher December 9, 2014 Lecture 15 Page 1 CS 136, Fall 2014

  2. Web Security • Lots of Internet traffic is related to the web • Much of it is financial in nature • Also lots of private information flow around web applications • An obvious target for attackers Lecture 15 Page 2 CS 136, Fall 2014

  3. The Web Security Problem • Many users interact with many servers • Most parties have little other relationship • Increasingly complex things are moved via the web • No central authority • Many developers with little security experience • Many critical elements originally designed with no thought to security • Sort of a microcosm of the overall security problem Lecture 15 Page 3 CS 136, Fall 2014

  4. Aspects of the Web Problem Lecture 15 Page 4 CS 136, Fall 2014

  5. Who Are We Protecting? Everyone From the network The clients From the server A client’s interaction with one server From the From his interaction client with another server The client The server From each other Lecture 15 Page 5 CS 136, Fall 2014

  6. What Are We Protecting? • The client’s private data • The server’s private data • The integrity (sometimes also secrecy) of their transactions • The client and server’s machines • Possibly server availability – For particular clients? Lecture 15 Page 6 CS 136, Fall 2014

  7. Some Real Threats • Buffer overflows and other compromises – Client attacks server • Web based social engineering attacks – Client or server attacks client • SQL injection – Client attacks server • Malicious downloaded code – Server attacks client Lecture 15 Page 7 CS 136, Fall 2014

  8. More Threats • Cross-site scripting – Clients attack each other • Threats based on non-transactional nature of communication – Client attacks server • Denial of service attacks – Threats on server availability (usually) Lecture 15 Page 8 CS 136, Fall 2014

  9. Yet More Threats • Browser security – Protecting interactions from one site from those with another – One server attacks client’s interactions with another • Data transport issues – The network attacks everyone else • Certificates and trust issues – Varied, but mostly server attacks client Lecture 15 Page 9 CS 136, Fall 2014

  10. Compromise Threats • Much the same as for any other network application • Web server might have buffer overflow – Or other remotely usable flaw • Not different in character from any other application’s problem – And similar solutions Lecture 15 Page 10 CS 136, Fall 2014

  11. What Makes It Worse • Web servers are complex • They often also run supporting code – Which is often user-visible • Large, complex code base is likely to contain such flaws • Nature of application demands allowing remote use Lecture 15 Page 11 CS 136, Fall 2014

  12. Solution Approaches • Patching • Use good code base • Minimize code that the server executes • Maybe restrict server access – When that makes sense • Lots of testing and evaluation – Many tools for web server evaluation Lecture 15 Page 12 CS 136, Fall 2014

  13. Compromising the Browser • Essentially, the browser is an operating system – You can do almost anything through a browser – It shares resources among different “processes” • But it does not have most OS security features • While having some of the more dangerous OS functionality – Like arbitrary extensibility – And supporting multiple simultaneous mutually untrusting processes Lecture 15 Page 13 CS 136, Fall 2014

  14. But My Browser Must Be OK . . . • After all, I see the little lock icon at the bottom of the page • Doesn’t that mean I’m safe? • Alas, no • What does that icon mean, and what is the security implication? Lecture 15 Page 14 CS 136, Fall 2014

  15. The Lock Icon • This icon is displayed by your browser when a digital certificate checks out • A web site provided a certificate attesting to its identity • The certificate was properly signed by someone your browser trusts • That’s all it means Lecture 15 Page 15 CS 136, Fall 2014

  16. What Are the Implications? • All you know is that the web site is who it claims to be – Which might not be who you think it is – Maybe it’s amozon.com , not amazon.com – Would you notice the difference? • Only to the extent that a trusted signer hasn’t been careless or compromised – Some have been, in the past Lecture 15 Page 16 CS 136, Fall 2014

  17. Another Browser Security Issue • What if you’re accessing your bank account in one browser tab • And a site showing silly videos of cats in another? • What if one of those videos contains an attack script? • Can the evil cat script steal your bank account number? Lecture 15 Page 17 CS 136, Fall 2014

  18. Same Origin Policy • Meant to foil such attacks • Built into all modern browsers – And also things like Flash • Basically, pages from a single origin can access each other’s stuff • Pages from a different origin cannot • Particularly relevant to cookies Lecture 15 Page 18 CS 136, Fall 2014

  19. Web Cookies • Essentially, data a web site asks your browser to store • Sent back to that web site when you ask for another service from it • Used to set up sessions and maintain state (e.g., authentication status) • Lots of great information about your interactions with sites in the cookies Lecture 15 Page 19 CS 136, Fall 2014

  20. Same Origin Policy and Cookies • Script from one domain cannot get the cookies from another domain – Prevents the evil cat video from sending authenticated request to empty your bank account • Domain defined by DNS domain name, application protocol – Sometimes also port Lecture 15 Page 20 CS 136, Fall 2014

  21. SQL Injection Attacks • Many web servers have backing databases – Much of their information stored in a database • Web pages are built (in part) based on queries to a database – Possibly using some client input . . . Lecture 15 Page 21 CS 136, Fall 2014

  22. SQL Injection Mechanics • Server plans to build a SQL query • Needs some data from client to build it – E.g., client’s user name • Server asks client for data • Client, instead, provides a SQL fragment • Server inserts it into planned query – Leading to a “somewhat different” query Lecture 15 Page 22 CS 136, Fall 2014

  23. An Example “select * from mysql.user where username = ‘ “ . $uid . “ ‘ and password=password(‘ “. $pwd “ ‘);” • Intent is that user fills in his ID and password • What if he fills in something else? ‘or 1=1; -- ‘ Lecture 15 Page 23 CS 136, Fall 2014

  24. What Happens Then? • $uid has the string substituted, yielding “select * from mysql.user where username = ‘ ‘ or 1=1; -- ‘ ‘ and password=password(‘ “. $pwd “ ‘);” • This evaluates to true – Since 1 does indeed equal 1 – And -- comments out rest of line • If script uses truth of statement to determine valid login, attacker has logged in Lecture 15 Page 24 CS 136, Fall 2014

  25. Basis of SQL Injection Problem • Unvalidated input • Unvalidated input • Server expected plain data • Got back SQL commands • Didn’t recognize the difference and went ahead • Resulting in arbitrary SQL query being sent to its database – With its privileges Lecture 15 Page 25 CS 136, Fall 2014

  26. Some Example Attacks • 130 million credit card numbers stolen in 2009 with SQL injection attack • Used to steal 1 million Sony passwords • Yahoo lost 450,000 passwords to a SQL injection in 2012 • Successful SQL injections on Bit9, British Royal Navy, PBS • Ruby on Rails and Drupal content management system had ones recently Lecture 15 Page 26 CS 136, Fall 2014

  27. Solution Approaches • Carefully examine all input • Use database access controls • Avoid using SQL in web interfaces • Parameterized variables Lecture 15 Page 27 CS 136, Fall 2014

  28. Examining Input for SQL • SQL is a well defined language • Generally web input shouldn’t be SQL • So look for it and filter it out • Problem : proliferation of different input codings makes the problem hard • Problem : some SQL control characters are widely used in real data – E.g., apostrophe in names Lecture 15 Page 28 CS 136, Fall 2014

  29. Using Database Access Controls • SQL is used to access a database • Most databases have decent access control mechanisms • Proper use of them limits damage of SQL injections • Problem : may be hard to set access controls to prohibit all dangerous queries Lecture 15 Page 29 CS 136, Fall 2014

  30. Avoid SQL in Web Interfaces • Never build a SQL query based on user input to web interface • Instead, use predefined queries that users can’t influence • Typically wrapped by query-specific application code • Problem : may complicate development Lecture 15 Page 30 CS 136, Fall 2014

  31. Use Parameterized Variables • SQL allows you to set up code so variables are bound parameters • Parameters of this kind aren’t interpreted as SQL • Pretty much solves the problem, and is probably the best solution Lecture 15 Page 31 CS 136, Fall 2014

Recommend

Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136,

Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136,

Network Security Computer Security Peter Reiher November 4, 2014 Lecture 9 Page 1 CS 136, Fall 2014 Outline Network security characteristics and threats Denial of service attacks Traffic control mechanisms Firewalls

797 views • 67 slides
Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1 Fall 2015 Outline Basic concepts in computer security Design principles for security Important security tools for operating systems

1.15k views • 64 slides
Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1 Spring 2015 Outline Basic concepts in computer security Design principles for security Important security tools for operating systems

844 views • 56 slides
Network Security CS 136 Computer Security Peter Reiher February 21, 2008 Lecture 11 Page 1

Network Security CS 136 Computer Security Peter Reiher February 21, 2008 Lecture 11 Page 1

Network Security CS 136 Computer Security Peter Reiher February 21, 2008 Lecture 11 Page 1 CS 136, Winter 2008 Outline Basics of network security Definitions Sample attacks Defense mechanisms Lecture 11 Page 2 CS 136,

613 views • 50 slides
Introduction CS 136 Computer Security Peter Reiher April 1, 2014 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher April 1, 2014 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher April 1, 2014 Lecture 1 Page 1 CS 136, Spring 2014 Purpose of Class To introduce students to computer security issues To familiarize students with secure software development

1.18k views • 72 slides
Introduction CS 136 Computer Security Peter Reiher January 8, 2008 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher January 8, 2008 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher January 8, 2008 Lecture 1 Page 1 CS 136, Winter 2008 Purpose of Class To introduce students to computer security issues To familiarize students with secure software development

1.19k views • 72 slides
Introduction CS 136 Computer Security Peter Reiher January 10, 2017 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher January 10, 2017 Lecture 1 Page 1 CS 136,

Introduction CS 136 Computer Security Peter Reiher January 10, 2017 Lecture 1 Page 1 CS 136, Winter 2017 Purpose of Class To introduce students to computer security issues To familiarize students with secure software development

599 views • 57 slides
Layer Optimization: Security and Privacy CS 118 Computer Network Fundamentals Peter Reiher

Layer Optimization: Security and Privacy CS 118 Computer Network Fundamentals Peter Reiher

Layer Optimization: Security and Privacy CS 118 Computer Network Fundamentals Peter Reiher Lecture 18 CS 118 Page 1 Winter 2016 Another type of layer deficiency Some layers of protocol do not provide any security or privacy What if

708 views • 59 slides
More on Malware CS 136 Computer Security Peter Reiher March 4, 2008 Lecture 14 Page 1 CS

More on Malware CS 136 Computer Security Peter Reiher March 4, 2008 Lecture 14 Page 1 CS

More on Malware CS 136 Computer Security Peter Reiher March 4, 2008 Lecture 14 Page 1 CS 136, Winter 2008 Outline Introduction Viruses Trojan horses Trap doors Logic bombs Worms Botnets Spyware Some

701 views • 53 slides
Malicious Software Computer Security Peter Reiher November 25, 2014 Lecture 12 Page 1 CS 136,

Malicious Software Computer Security Peter Reiher November 25, 2014 Lecture 12 Page 1 CS 136,

Malicious Software Computer Security Peter Reiher November 25, 2014 Lecture 12 Page 1 CS 136, Fall 2014 Outline Introduction Viruses Trojan horses Trap doors Logic bombs Worms Botnets Spyware Malware

838 views • 67 slides
Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Evaluating System Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 15 Page 1 CS 236 Online Evaluating Program Security What if your task isnt writing secure code? Its determining if someone

423 views • 16 slides
Securing Your System CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Securing Your System CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Securing Your System CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 19 Page 1 CS 236 Online Putting It All Together Weve talked a lot about security principles And about security problems And

209 views • 17 slides
Network Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture

Network Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture

Network Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 9 Page 1 CS 236 Online Some Important Network Characteristics for Security Degree of locality Media used Protocols used Lecture 9

156 views • 11 slides
Introduction to Cryptography CS 136 Computer Security Peter Reiher January 17, 2017 Lecture 3

Introduction to Cryptography CS 136 Computer Security Peter Reiher January 17, 2017 Lecture 3

Introduction to Cryptography CS 136 Computer Security Peter Reiher January 17, 2017 Lecture 3 Page 1 CS 136, Winter 2017 Outline What is data encryption? Cryptanalysis Basic encryption methods Substitution ciphers

1.16k views • 66 slides
Security Exercises for the Online Classroom with DETER Peter A. H. Peterson and Dr. Peter L.

Security Exercises for the Online Classroom with DETER Peter A. H. Peterson and Dr. Peter L.

Security Exercises for the Online Classroom with DETER Peter A. H. Peterson and Dr. Peter L. Reiher {pahp, reiher}@cs.ucla.edu Laboratory for Advanced Systems Research (LASR) University of California Los Angeles The 3 rd Workshop on Cyber

314 views • 28 slides
Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security policies Computer Security Basic concepts Peter Reiher Security policies for real systems January 13, 2005 Lecture 2 Lecture 2 Page 1

347 views • 9 slides
Introduction CS 236 Advanced Computer Security Peter Reiher April 1, 2008 Lecture 1 Page 1

Introduction CS 236 Advanced Computer Security Peter Reiher April 1, 2008 Lecture 1 Page 1

Introduction CS 236 Advanced Computer Security Peter Reiher April 1, 2008 Lecture 1 Page 1 CS 236, Spring 2008 Outline Subject of class Class topics and organization Reading material Class web page Grading Projects

838 views • 50 slides
Privacy Computer Security Peter Reiher December 11, 2014 Lecture 16 Page 1 CS 136, Fall 2014

Privacy Computer Security Peter Reiher December 11, 2014 Lecture 16 Page 1 CS 136, Fall 2014

Privacy Computer Security Peter Reiher December 11, 2014 Lecture 16 Page 1 CS 136, Fall 2014 Privacy Data privacy issues Network privacy issues Some privacy solutions Lecture 16 Page 2 CS 136, Fall 2014 What Is Privacy?

789 views • 63 slides
More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

More on Cryptography CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 4 Page 1 CS 236 Online Outline Desirable characteristics of ciphers Stream and block ciphers Cryptographic modes Uses of

475 views • 29 slides
Prolog to Lecture 3 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Prolog to Lecture 3 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Prolog to Lecture 3 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 3 Page 1 CS 236 Online Mandatory Access Control and the Real World For a long time, things like Bell-La Padula were hard to run

220 views • 6 slides
Cryptographic Keys CS 136 Computer Security Peter Reiher October 16, 2014 Lecture 5 Page 1

Cryptographic Keys CS 136 Computer Security Peter Reiher October 16, 2014 Lecture 5 Page 1

Cryptographic Keys CS 136 Computer Security Peter Reiher October 16, 2014 Lecture 5 Page 1 CS 136, Fall 2014 Outline Properties of keys Key management Key servers Certificates Lecture 5 Page 2 CS 136, Fall 2014

1.02k views • 68 slides
Prolog to Lecture 16 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Prolog to Lecture 16 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Prolog to Lecture 16 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 16 Page 1 CS 236 Online Security Evaluations and the US Government The US government runs lots of computers and networks Its a

263 views • 8 slides
Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS

Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS

Intrusion Detection Computer Security Peter Reiher November 18, 2014 Lecture 11 Page 1 CS 136, Fall 2014 Outline Introduction Characteristics of intrusion detection systems Some sample intrusion detection systems Lecture 11

737 views • 63 slides
Prolog to Lecture 4 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Prolog to Lecture 4 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Prolog to Lecture 4 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 4 Page 1 CS 236 Online Brute Force Attacks, the iPhone, and the FBI Recently lots of news about the FBI needing to crack an iPhone It

85 views • 8 slides

More recommend