Introduction CS 239 Security for Networks and System
Download
Report
Transcript Introduction CS 239 Security for Networks and System
Advanced Research Issues in
Security: Web Security and
Privacy
CS 236
On-Line MS Program
Networks and Systems Security
Peter Reiher
Spring, 2008
CS 236, Spring 2008
Lecture 19
Page 1
Outline
• Web security
• Privacy issues in modern computer systems
CS 236, Spring 2008
Lecture 19
Page 2
Web Security
• Lots of Internet traffic is related to the
web
• Much of it is financial in nature
• Also lots of private information flow
around web applications
• An obvious target for attackers
CS 236, Spring 2008
Lecture 19
Page 3
The Web Security Problem
• Many users interact with many servers
• Most parties have little other relationship
• Increasingly complex things are moved via the
web
• No central authority
• Many developers with little security experience
• Many critical elements originally designed with no
thought to security
• Sort of a microcosm of the overall security
problem
Lecture 19
CS 236, Spring 2008
Page 4
Aspects of the Web Problem
CS 236, Spring 2008
Lecture 19
Page 5
Who Are We Protecting?
The clients
From the server
From
the
client
The client
The server
From each other
CS 236, Spring 2008
Lecture 19
Page 6
What Are We Protecting?
• The client’s private data
• The server’s private data
• The integrity (maybe secrecy) of their
transactions
• The client and server’s machines
• Possibly server availability
– For particular clients?
CS 236, Spring 2008
Lecture 19
Page 7
Some Real Threats
• Buffer overflows and other
compromises
– Client attacks server
• SQL injection
– Client attacks server
• Malicious downloaded code
– Server attacks client
CS 236, Spring 2008
Lecture 19
Page 8
More Threats
• Cross-site scripting
– Clients attack each other
• Threats based on non-transactional
nature of communication
– Client attacks server
• Denial of service attacks
– Threats on server availability
(usually)
CS 236, Spring 2008
Lecture 19
Page 9
Compromise Threats
• Much the same as for any other
network application
• Web server might have buffer
overflow
– Or other remotely usable flaw
• Not different in character from any
other application’s problem
CS 236, Spring 2008
Lecture 19
Page 10
What Makes It Worse
• Web servers are complex
• They often also run supporting code
– Which is often user-visible
• Large, complex code base is likely to
contain such flaws
• Nature of application demands
allowing remote use
CS 236, Spring 2008
Lecture 19
Page 11
Solution Approaches
•
•
•
•
Patching
Use good code base
Minimize code server executes
Maybe restrict server access
– When that makes sense
• Lots of testing and evaluation
CS 236, Spring 2008
Lecture 19
Page 12
SQL Injection Attacks
• Many web servers have backing
databases
– Much of their information stored in
database
• Web pages are built (in part) based on
queries to database
– Possibly using some client input . . .
CS 236, Spring 2008
Lecture 19
Page 13
SQL Injection Mechanics
• Server plans to build a SQL query
• Needs some data from client to build it
– E.g., client’s user name
• Server asks client for data
• Client, instead, provides a SQL fragment
• Server inserts it into planned query
– Leading to a “somewhat different” query
CS 236, Spring 2008
Lecture 19
Page 14
An Example
“select * from mysql.user
where username = ‘ “ . $uid . “ ‘ and
password=password(‘ “. $pwd “ ‘);”
• Intent is that user fills in his ID and
password
• What if he fills in something else?
‘or 1=1; -- ‘
CS 236, Spring 2008
Lecture 19
Page 15
What Happens Then?
• $uid has the string substituted, yielding
“select * from mysql.user
where username = ‘ ‘ or 1=1; -- ‘ ‘ and
password=password(‘ “. $pwd “ ‘);”
• This evaluates to true
– Since 1 does indeed equal 1
– And -- comments out rest of line
• If script uses truth of statement to determine
valid login, attacker has logged in
CS 236, Spring 2008
Lecture 19
Page 16
Basis of SQL Injection Problem
•
•
•
•
Unvalidated input
Server expected plain data
Got back SQL commands
Didn’t recognize the difference and went
ahead
• Resulting in arbitrary SQL query being sent
to its database
– With its privileges
CS 236, Spring 2008
Lecture 19
Page 17
Solution Approaches
• Carefully examine all input
– To filter out injected SQL
• Use database access controls
– Of limited value
• Randomization of SQL keywords
– Making injected SQL meaningless
CS 236, Spring 2008
Lecture 19
Page 18
Malicious Downloaded Code
• Modern web relies heavily on downloaded
code
– Full language and scripting language
• Instructions downloaded from server to
client
– Run by client on his machine
– Using his privileges
• Without defense, script could do anything
CS 236, Spring 2008
Lecture 19
Page 19
Types of Downloaded Code
• Java
– Full programming language
• Scripting languages
– Java Script
– VB Script
– ECMAScript
– XSLT
CS 236, Spring 2008
Lecture 19
Page 20
Solution Approaches
• Disable scripts
– Not very popular
• Use secure scripting languages
– Also not popular
– Particularly with code writers
• Isolation mechanisms
– VM or application-based
• Vista mandatory access control
CS 236, Spring 2008
Lecture 19
Page 21
Cross-Site Scripting
• XSS
• Many sites allow users to upload information
– Blogs, photo sharing, Facebook, etc.
– Which gets permanently stored
– And displayed
• Attack based on uploading a script
• Other users inadvertently download it
– And run it . . .
CS 236, Spring 2008
Lecture 19
Page 22
The Effect of XSS
• Arbitrary malicious script executes on
user’s machine
• In context of his web browser
– At best, runs with privileges of the
site storing the script
– Often likely to run at full user
privileges
CS 236, Spring 2008
Lecture 19
Page 23
Why Is XSS Common?
• Use of scripting languages widespread
– For legitimate purposes
• Most users leave them enabled in
browser
• Only a question of getting user to run
your script
– Often only requires fetching URL
CS 236, Spring 2008
Lecture 19
Page 24
Typical Effects of XSS Attack
• Most commonly used to steal personal
information
– That is available to legit web site
– User IDs, passwords, credit card
numbers, etc.
• Such information often stored in
cookies at client side
CS 236, Spring 2008
Lecture 19
Page 25
Solution Approaches
• Don’t allow uploading of scripts
– Usually by carefully analyzing
uploaded data
• Provide some form of protection in
browser
CS 236, Spring 2008
Lecture 19
Page 26
Exploiting Statelessness
• HTTP is designed to be stateless
• But many useful web interactions are
stateful
• Various tricks used to achieve statefulness
– Usually requiring programmers to
provide the state
– Often trying to minimize work for the
server
CS 236, Spring 2008
Lecture 19
Page 27
A Simple Example
• Web sites are set up as graphs of links
• You start at some predefined point
– A top level page, e.g.
• And you traverse links to get to other pages
• But HTTP doesn’t “keep track” of where
you’ve been
– Each request is simply the name of a link
CS 236, Spring 2008
Lecture 19
Page 28
Why Is That a Problem?
• What if there are unlinked pages on the
server?
• Should a user be able to reach those
merely by naming them?
• Is that what the site designers
intended?
CS 236, Spring 2008
Lecture 19
Page 29
A Concrete Example
• The ApplyYourself system
• Used by colleges to handle student
applications
• For example, by Harvard Business
School in 2005
• Once admissions decisions made,
results available to students
CS 236, Spring 2008
Lecture 19
Page 30
What Went Wrong?
• Pages representing results were created as
decisions were made
• Stored on the web server
– But not linked to anything, since results
not yet released
• Some appliers figured out how to craft
URLs to access their pages
– Finding out early if they were admitted
CS 236, Spring 2008
Lecture 19
Page 31
Another Example
• A e-commerce site that uses a shopping cart
paradigm
– Users collect things they plan to buy in a
shopping cart
• HTTP won’t help maintain state
• So Cartman software stored shopping cart
state in a cookie
– Which wasn’t encrypted . . .
CS 236, Spring 2008
Lecture 19
Page 32
What Went Wrong?
• The cookie held the names of the
products
– And the offered prices
• Cookies were kept by users
– Presented on each web request
• Users could alter cookies to set their
own prices
CS 236, Spring 2008
Lecture 19
Page 33
Another Example
• Airlines offer on-line choice of seats to
users buying tickets
• Different seats offered to different people
– Depending on price, frequent flyer status,
etc.
• Users consult map to choose seat
– Choice represented in HTTP message
CS 236, Spring 2008
Lecture 19
Page 34
What Went Wrong?
• Since HTTP is stateless, no memory of
seat map that was sent to a user
• If user crafts URL asking for seat he
wasn’t offered,
• System doesn’t know it wasn’t offered
• Allowed users to request seats the
airline didn’t want to offer to them
CS 236, Spring 2008
Lecture 19
Page 35
The Common Thread
• No protocol memory of what came before
• So no protocol way to determine that
response matches request
• Could be built into the application that
handles requests
• But frequently isn’t
– Or is wrong
CS 236, Spring 2008
Lecture 19
Page 36
Solution Approaches
• Get better programmers
– Or better programming tools
• Back end system that maintains and
compares state
• Front end program that observes
requests and responses
– Producing state as a result
CS 236, Spring 2008
Lecture 19
Page 37