CS 526 Information Security, Topic 11: Web Security Part 1
Lecture 11: WWW Security and Java Security. Ref. Chapter 11.
1
Lecture 11
WWW Security and Java Security
Ref. Chapter 11
2
Contents
• Part 1: WWW Security
– Introduction
– Web browser
– Scripts
– Web applications
• Part 2: Java Security
– Java language features
– Java platform
– Applet vulnerabilities
– Servlet security
3
The properties of WWW security
• Separation of program and data is abolished: executable content (applets) in documents.
• Computation is moved to the client. It is now the client who needs protection from rogue content providers.
• Mobile code moves from machine to machine. Clients need protection from mobile code; mobile code may need protection from the clients it is running on.
• Users are forced to become system administrators and policy makers.
4
Web Browser
• Is a program that presents the user with a GUI and includes the protocols necessary to connect to the web.
– Presents the attractive web pages;
– Is a service layer for web applications;
– Includes the protocols for communication with web servers;
– Manages security-relevant information for the client.
• Web security model: the client; the client's browser; the server (more about the software).
5
Why are browsers taken as a part of the TCB?
• Handle the clients' web traffic.
• Manage the default settings and preferences for client environments.
• Keep a history and a cache of recently visited pages.
• Encryption and digital signatures.
• Integrate communications services such as email.
• May run in system mode.
• Assume more and more functions of the OS.
6
CGI Scripts
• CGI (Common Gateway Interface) is a meta-language for translating URLs or HTML forms into runnable programs.
[Figure: the client sends a URL or HTML form to the server; the server executes the CGI script.]
7
CGI script security problems
• cat the_file | mail client_address
• The script takes a file name and an address from the client and mails the file to that address.
• If the input is "a.txt [email protected]@nipissingu.ca | rm –rf /", it will delete all the files the script is permitted to delete on the server.
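The slide-7 pattern written out as an added example (not the lecture's code): the injectable shell command line beside a hardened version that uses no shell at all. Nothing is executed; both builders only return the command so the demo is safe to run. The upload directory and the addresses are constructed, and List.of needs Java 9 or later.

```java
import java.io.File;
import java.util.List;
import java.util.regex.Pattern;

public class MailFileCgi {

    // VULNERABLE (the slide's pattern): user-controlled strings are pasted into a
    // shell command line, so any shell metacharacter in "address" is executed by sh.
    // Returned, not run, so the demo itself is harmless.
    static List<String> buildUnsafe(String file, String address) {
        return List.of("sh", "-c", "cat " + file + " | mail " + address);
    }

    // HARDENED: no shell and no pipe. argv is handed to mail(1) directly, the file
    // name is confined to one upload directory, and the address must match a
    // conservative allow-list pattern; anything else is rejected outright.
    private static final Pattern ADDRESS =
        Pattern.compile("[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\\.[A-Za-z0-9-]+)+");
    private static final Pattern FILE_NAME =
        Pattern.compile("[A-Za-z0-9_-]+(\\.[A-Za-z0-9]+)?");   // no '/', no '..', no leading '.'
    private static final File UPLOAD_DIR = new File("/var/www/uploads");   // constructed path

    static ProcessBuilder buildSafe(String file, String address) {
        if (!ADDRESS.matcher(address).matches()) {
            throw new IllegalArgumentException("rejected address: " + address);
        }
        if (!FILE_NAME.matcher(file).matches()) {
            throw new IllegalArgumentException("rejected file name: " + file);
        }
        // mail reads the message body from stdin, so the file is redirected into it
        // when the caller invokes start(); cat and the pipe are simply not needed.
        return new ProcessBuilder("mail", address)
                .redirectInput(new File(UPLOAD_DIR, file));
    }

    public static void main(String[] args) {
        String injected = "user@example.com | rm -rf /";   // the slide's payload, constructed address
        System.out.println("unsafe argv: " + buildUnsafe("a.txt", injected));
        try {
            buildSafe("a.txt", injected);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        System.out.println("safe argv:   " + buildSafe("a.txt", "user@example.com").command());
    }
}
```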
8
JavaScript
• Scripting languages expand the capabilities of Web pages by supporting interaction.
• The most popular Active Scripting languages are Netscape's JavaScript and Microsoft's VBScript.
9
What JavaScript can do
• JavaScript resides within HTML documents and is executed on the client.
• Is used primarily to respond to user events such as mouse clicks, navigation and form validation.
• Saves on client/server interaction and its associated overheads.
• Prevents users from sending rogue data that could damage the server, so faster and less load on the server.
• Examples: http://psych.fullerton.edu/mbirnbaum/brmic/
10
JavaScript limitations
• No compile-time system of classes.
• Runtime system is based on a small number of simple data types.
• Only loosely typed, so pretty undisciplined.
• Programmer free to create objects, e.g. window, frame, document, and manipulate them.
• Possible for JavaScript to "pop up" some friendly windows, submit a data form and re-forward it to other URLs (privacy issues).
• JavaScript security: http://linux.omnipotent.net/article.php?article_id=12426
11
Cookies
• A message given to a Web browser by a Web server. The browser stores the message in a text file. The message is then sent back to the server each time the browser requests a page from the server.
[Figure: the client's browser exchanging cookies with the server.]
12
Web Application
• All communication is via web pages.
• HTTP is used for getting input from and output to the client.
• Client data is sent to the server using HTML forms, which may include hidden as well as visible data fields.
• Each page is generated by the web server in response to input provided by the user at the client.
[Figure: client and server.]
13
Java Web Application
• Applets: small Java programs attached to web pages which are loaded and run in web browsers.
– Spice up web pages by providing user interaction and animation.
• Servlets: programs which run on the server.
– Enable the web server to respond directly to client interaction.
– Generate HTML in response to client requests.
14
Client-side Security Activities (1)
• Signing applet:
– is invoked when the user hits a button
– must download all the signing software it needs to compute the signature, i.e. many class files for implementing RSA
– displays a text box for the user password
– the password is needed for access to the user's private signing key (software token or hardware token)
– needs trusted status to access user file space: a signed file is used
15
Client-side Security Activities (2)
• The bid, the computed signature and the user's digital certificate (read from the security token) are packaged by the signing applet into an encrypted object.
• This object is sent to the server as a (hidden) hex-encoded string within a form.
16
Software v Hardware tokens (1)
• Key generation: clear advantage if the key is generated within a secure device; its use can be demonstrated at registration.
• Signing: execution in software is risky because interrupts, memory dumps etc. can be used to some effect by hackers.
17
Software v Hardware tokens(2)
• Key Storage– Storage allows file to be copied and “brute-
forced” at leisure; copying will not be evident– A Key is tamper evident; obvious if stolen or
lost; – Some protection against brute force attack
(counts unsuccessful login attempts)– A Key affords protection against attackers or
rogue programs stealing information
18
Implementation: Server processing (1)
• Server runs the servlet requested by the client on submission of a form.
• Servlet extracts data from the form and processes it, including the digital signature.
• Servlet generates the HTML of the response web page: whether the signature is valid and, if so, whether the bid is accepted.
19
ImplementationImplementationServer processing(2)Server processing(2)
What does the server What does the server need in order to verify need in order to verify the digital signature?the digital signature?
signer’s public keysigner’s public key signer’s digital certificatesigner’s digital certificate ability to traverse a certificate ability to traverse a certificate
chain chain
20
Server-side Security activities
• When the servlet, invoked by a client command on the web page, receives the encrypted object, it must unpack it to verify the signature using the included digital certificate.
• Server must access verification software and online directories.
• In practice a certificate chain would need to be traversed until a trusted CA (certification authority) was encountered.
• An online CRL (certificate revocation list) must be checked as part of the verification process.
22
Part 2: Java Security. History
• Open development/documentation from 1995 by Sun Microsystems (JDK).
• Platform independence vital to program mobile code and executable content for the Internet and the Web.
• As a result, sound security features were designed in from the start.
23
Aspects of Java Security
We look at these aspects:
• Java language features
• Java platform
• Applet vulnerabilities
• Servlet security
24
Java Language (1)
Java is object oriented:
• A "natural" way of thinking, matches the real world.
• Data-centric: data objects possess associated methods, unlike the old procedural way of thinking with C and Pascal.
• A class is a template for a data object and its methods; each class is one kind of object.
• Every Java program is composed of one or more classes.
25
Java Language (2)
Java supports inheritance:
• Hierarchy of classes supports inheritance of behaviour and structure.
• GUI: windows, dialogue boxes, scroll bars, text boxes, check boxes.
• Very powerful, supporting code re-use: "write once, run forever".
26
Security Relevant Features
1. Security aspects of object orientation
2. Strong type system
3. Sound error handling with exceptions
4. System keeps track of memory management: automatic garbage collection
Without these properties security holes can exist as a result of programmer error or poor design that hackers can exploit.
27
1. Object Oriented
Aspects relevant to better design for security:
• Data hiding
– Data items are "hidden" within classes.
– Data objects cannot be accessed directly, only through their "public" interfaces (some access control at this level).
• Abstraction
– Seeing the big design picture, postponing details of implementation.
• Programmers cannot access memory directly, must use object references.
– No pointer arithmetic (the most bug-prone aspect of C and C++).
– Makes it hard for rogue code to trawl through memory looking for passwords or credit card numbers.
28
2. Strong Type System
• Essential aspect of Java security.
• Stops arbitrary access to host memory: memory access by Java programs is limited to specific controlled areas having particular representations.
• Type safety supported by compile-time and run-time checking, e.g. array bounds checks, immutable strings.
• Provides significant protection against buffer overflow attacks.
29
3. Error Handling
• Handling of error conditions is error-prone!
• Java's exception handling allows for neat handling of error conditions without crashing the system.
– e.g. if a Java program tries to open a file without the correct privileges, an exception will be "thrown"; there is a logical structure for programmers to "catch" exceptions for a graceful, crash-free exit.
• System crashes can lead to exposure of sensitive data.
30
4. Garbage Collection
• System keeps track of memory usage instead of the programmer.
• Java's garbage collector uses a low-priority thread to run silently in the background.
• Frees the programmer of the need to allocate and de-allocate memory explicitly.
• Prevents all sorts of bugs that are difficult to eliminate, e.g. dangling pointers.
31
Platform Independence
• All Java source code is compiled into portable bytecode (class files).
• To execute bytecode requires a run-time environment, a Java Virtual Machine (JVM), which interprets the bytecode into the machine code for a particular machine.
• The JVM is an abstract computing machine and does not assume any particular implementation technology or host platform.
32
Basic Security Architecture
• In the original Java 1.0 release the distinction between applets and applications was assumed to be clear:
– Applets are downloaded from an outside source to be run, typically from within a Java-enabled browser; their activities need to be constrained to a sandbox.
– Applications reside on the local machine, can be trusted, and are granted full access to system resources.
34
Challenges
• Users cannot rely on prior acquaintance and a trust relationship with the source of an applet.
• Few users are willing to rule personally on each access request made by an applet.
• The client's operating system cannot be expected to offer any protection.
35
Language design considerations
• It should make it more difficult for programs to create damage.
• The execution environment provides mechanisms for access control.
• The security policies enforced by the execution environment have to be set correctly.
36
Security considerations for applets
• Applets do not get access to the user's file system.
• Applets cannot obtain information about the user's name, email addresses, machine configuration, etc.
• Applets may make outward connections only back to the server they came from.
• Applets can only pop up windows that are marked 'untrusted'.
• Applets cannot re-configure the system.
37
The Byte Code Verifier
It guarantees:
• The class file is in the proper format;
• Stacks will not overflow;
• All operands have arguments of the correct type;
• There will be no improper data conversion between types;
• All references to other classes are legal.
38
The Applet Class Loader
• Protects the integrity of the run-time environment.
• Applets are not allowed to create their own class loaders and interfere with each other.
• Each class loader has its own name space.
• When referring to other classes, the applet class loader first searches the built-in classes in the local name space. Only if the class is not found there is the search extended to the applet's own namespace. Therefore, no "spoofing" of built-in classes happens.
39
The Security Manager
• It is the reference monitor of the Java security model.
• It guards a predefined list of critical operations and enforces application-defined controls over these operations.
40
The SecurityManager class
    // Sketch of the guarded operations; each check throws SecurityException
    // if the operation is not permitted (not the full API).
    abstract class SecurityManager {
        void checkAccess(Thread t);
        void checkAwtEventQueueAccess();
        void checkConnect(String host, int port);
        void checkCreateClassLoader();
        void checkExec(String cmd);
        void checkPropertiesAccess();
        void checkRead(FileDescriptor fd);
        void checkWrite(FileDescriptor fd);
    }
    class MySecurityManager extends SecurityManager {
        // ... override the check methods relevant to the application
    }
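An application-defined reference monitor in the style of slide 40, added here as an example (not the lecture's MySecurityManager): it polices three of the guarded operations, leaves everything else permitted, and then exercises each denial. Assumptions: Java 8 to 17; Java 18 and later need the JVM flag -Djava.security.manager=allow for setSecurityManager() to succeed, and the whole SecurityManager API is deprecated for removal (JEP 411) and permanently disabled in recent releases (JEP 486). Host names and addresses are constructed.

```java
import java.net.Socket;
import java.security.Permission;

public class BidServerSecurityManager extends SecurityManager {
    private static final int ALLOWED_PORT = 443;   // HTTPS to the directory/CRL service only

    // Baseline: allow. The JDK's own check* methods all funnel into checkPermission,
    // so keeping it permissive leaves class loading, property reads etc. working;
    // only the critical operations overridden below are policed.
    @Override public void checkPermission(Permission perm) { }
    @Override public void checkPermission(Permission perm, Object context) { }

    // A signature-verifying servlet never needs to spawn a process, and process
    // creation is exactly the operation behind the CGI problem on slide 7.
    @Override public void checkExec(String cmd) {
        throw new SecurityException("exec denied: " + cmd);
    }

    // Outbound connections: only port 443 (port -1 is a name lookup, which is allowed).
    @Override public void checkConnect(String host, int port) {
        if (port != -1 && port != ALLOWED_PORT) {
            throw new SecurityException("connect denied: " + host + ":" + port);
        }
    }
    @Override public void checkConnect(String host, int port, Object context) {
        checkConnect(host, port);
    }

    // The applet-era rule from slide 38: code may not install its own class loader.
    @Override public void checkCreateClassLoader() {
        throw new SecurityException("creating class loaders denied");
    }

    public static void main(String[] args) {
        System.setSecurityManager(new BidServerSecurityManager());

        try {
            new ProcessBuilder("mail", "user@example.com").start();
            System.out.println("exec allowed (unexpected)");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        } catch (java.io.IOException e) {
            System.out.println("exec reached the OS: " + e.getMessage());
        }

        try (Socket s = new Socket("attacker.example.invalid", 80)) {
            System.out.println("connect allowed (unexpected)");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        } catch (java.io.IOException e) {
            System.out.println("connect reached the network: " + e.getMessage());
        }

        try {
            new ClassLoader() { };
            System.out.println("class loader allowed (unexpected)");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The three "blocked:" lines are the expected result; a hard deny in a check method applies to all code in the JVM, which is why the file-read checks are deliberately left on the permissive baseline here.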
41
The Security Policy Files
• When code is loaded or remotely accessed it is assigned permissions based on the security policy currently in effect for the code and access.
• jre/lib/security/java.policy
• A policy file contains a number of grant entries and an optional keystore entry:
    keystore "keystore_url", "keystore_type";
    grant signedBy "signer_names", codeBase "URL" {
        permission permission_class "target_resource", "action_allowed", signedBy "signer_names";
    };
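A concrete policy file for the bid-server scenario, added as an example (not the lecture's or the JDK's default java.policy); the keystore location, signer alias, paths and host are constructed:

```text
// Where the signers' certificates live (constructed keystore, JKS format)
keystore "file:/etc/bidserver/signers.jks", "JKS";

// Code signed by alias "bidsigner" and loaded from the server's own library tree
// ("-" after the path means this directory and all subdirectories)
grant signedBy "bidsigner", codeBase "file:/opt/bidserver/lib/-" {
    permission java.io.FilePermission "/var/bidserver/bids/-", "read,write";
    permission java.net.SocketPermission "crl.example.invalid:443", "connect,resolve";
    permission java.util.PropertyPermission "java.version", "read";
};

// Everything else (unsigned, or loaded from any other location) gets only what
// the original sandbox allowed; no file store, no outbound connections.
grant {
    permission java.util.PropertyPermission "java.version", "read";
};
```

Note that there is no "deny" entry in this format: a permission the code needs but no grant entry mentions is simply refused at the checkPermission call.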
42
The Default Java Sandbox
• The source of an applet may be unknown, so Java 1.0 implemented a sandbox policy for severely restricting the "play area" of all applet code.
• May access the CPU, its own memory and the web server from which it was downloaded.
• No access to the file store.
• Byte code verifier subjects code to a series of tests.
44
Java 1.0: Original Sandbox Model (2)
Applet code is compiled into bytecode at source and downloaded from server to client with the HTML for the web page.
1) Applet is invoked
2) Run-time environment in browser verifies the byte code
3) Instantiates the applet class (and other classes) in a constrained namespace
4) Executes the applet within the namespace
5) Potentially dangerous calls are checked by the security manager
6) Allowed or not depending on origin
45
Java 1.1 Signed Applets
• JDK 1.1 introduced the concept of trusted applets.
• Added support for digital signatures so that an applet's class files, after their development, could be signed and stored together with their signatures in JAR (Java Archive) format.
• JDK allows you to specify which signers are trusted.
• Trusted applets can be treated as local code and given full system access.
46
Java 1.2 (1)
• Distinction between applets and applications disappears.
• Classes judged very much on their own merits by considering source and signer.
• Built-in classes still trusted.
• Applets may now be trusted and applications may be untrusted.
• Partially trusted code can be placed in a specially constructed sandbox.
• Can default to the original sandbox model.
47
Java 1.2 (3)
Provides:
• Fine-grained access control
– Can specify gradual reduction of sandbox constraints.
– Access control made easily available to user and developer.
• Configurable policy
– Developers and users can set/manage their own security policies.
– Ability to type and group permissions in policy-oriented constructs.
• But requires clear attention to POLICY!
48
Applet Vulnerabilities
Insecure Java applets can be either:
• Malicious: annoying, crashing the browser or DoS; found in the wild.
• Attack: potentially taking control of the machine; not found on the Internet, but created by researchers in the lab (see www.rstcorp.com/javasecurity/).
49
Servlet Security (1)
Servlets:
• do not pose the same security problems as applets
• code is probably local and trusted
• face the usual threats to Web servers, often around denial of service
50
Servlet Security (2)
Small improvements in security over competing technologies:
• Run in the same process space as the server (unlike CGI); only loaded once, without the overhead of loading a different process for each call.
• All client requests serviced by separate threads, so faster context switching, so some protection against DoS attacks.
51
Servlet Security (3)
• Servlets precompiled into bytecode: more compact and less error-prone.
• Improved crash resistance due to Java's exception handling capabilities, which allow error conditions to be handled without crashes (protection against DoS).
• Some persistence in memory; can create durable objects like DB connections which can service many client requests.
• Like applets, servlets can be run in a sandbox on the server.
52
Summary
• Developing secure web applications: properties, web browsers, CGI scripts, cookies
• Java security: the language properties, sandbox, applets and servlets
53
Books
• Securing Java, McGraw & Felten (Wiley)
• Inside Java 2 Platform Security, Li Gong (Addison Wesley)
• Inside Servlets, Callaway (Addison Wesley)
• Java Security, Oaks (O'Reilly)