Web Security

Edward Chow

Why web servers attract attackers?

publicity: recognized by a lot of people in very short time.
commerce: sensitive financial information in web server.
proprietary information: web servers distribute information internally to members and externally to partners.
network access: web servers are used by people both inside and outside.

Why web servers are vulnerable?

server extensibility
browser extensibility: ActiveX, Java, Javascript, VBscript, helper applications.
through disruption of services on TCP/IP protocols: denial of service attack.
complication of support: web browsers require external services such as DNS
pace of development: software are released without extensive testing. Bugs in those software were explored.

What is a "secure web server"?

Software vendors: a program implements cryptographic protocols so that information transferred between web server and browser cannot be eavesdropped upon.
Users: a web server that safeguards any personal info (privacy), avoid downloading viruses or rogue programs.
Companies: a web server that resists attack from Internet or insider (traitors)

Three Major parts of Web Security Problem:

Securing the web server and the data on it.

continue operation
data will not be modified without authorization
information only distributed to the right individuals

Securing information that travels between web server and the user.

user info (usrname,passwords, financial information) cannot be read, modified, or destroyed by others.

Securing the user's own computer.

download will not cause damages
information download is controlled according to license agreement/copyright.

This leads to the challenges of

verifying the ID of users to the server
verifying the ID of servers to the user
ensuring msgs between client and server deliver in time, reliably, without replay
logging/auditing

Securing Web Server

The computer itself must be secured using traditional computer security techniques. (login, authorized access to hw and sw)
minimize the number of services provided by the host that run the web server.
administration access use Kerberized Telnet, SecureID, S/key, or ssh.

Securing Information in Transit

physically secure the network to avoid eavesdropping.
hide information
encrypt information: e.g., SSL (Secure Socket Layer)

Digital certificates eliminate some of needs for SSL (username, password sending)

Securing User's Computer

Chaos Computer Club's VBasic demonstration of an ActiveX component for electronic fund transfer.
Download viewer that dial out to east Europe
Many other examples to follow
Digital watermarking for preventing illegal copy?

Typical Credit Card Transaction

How SSL protects on-line transaction

Threats of doing business on Internet

User's risks from the above example

personal information being used by

con artists
merchants (for user's buying habits)

computer damages

Merchants' risks

being invaded, internal information leaked
illegal use of customer credit card info
reverse charge orders
alter the store's DB or WWW page for incorrect orders or lower prices...

DMZ Firewall

Figure

Risk Management

Reduce risk as much as practical and has backup measure to recover quickly.
Security is not simply a product that can be purchased
Security must be an integrated part of an organization's operation.

List of specific programs that should never use as helper applications:

MS Word: due to Visual Basic extension in Word can be used to execute many commands on your system.
MS Excel: also due to the Visual Basic extension.
Any program that include MS Visual Basic scripting language
Perl
Python
Tcl/Tk
UNIX shells (sh, csh, tcsh)
COMMAND.COM, the DOS shell
Postscript other than GhostView: There are postscript command that can open, read, and delete files. GhostView by default runs in "safe" mode and disables those commands.

Examples of Data Driven Attack

Malicious data to a normally well-behaved application to produce undesirable results.
Pretend to be an inquiry from the user's legitimate system software

ask password with Javascript
ask to re-enter the credit card and expiration date
ask to reload browser software.

Solution for these social engineering attack is education. 1995 AOL modified email interface to include message that reminded users "AOL staff will never ask for your password or billing information."

Key Generation Flaw

Netscape key generation flaw found by Ian Goldberg, David Wagner, Eric Brewer of UC Berkeley.(9/17/95)
Instead of using user's mouse motions as seeds for the random number generator, it used

time-of-day clock
Navigator's process number,
and other information that was trivial to determine.

The Netscape certificate server later adopted the use of mouse motions to generate the seed for the random number for the private key generation.

Java Security Flaw

1996, Drew Dean, Ed Felton, and Dan Wallach of Princeton University found that by exploiting the multiple names in DNS entry, they can have the Netscape Navigator 2.0 Java Run-time allow the download from machines within the firewall. The original design goal was only allow download from the original web server where the home page was downloaded.

Javascript Bug

Early version of Javascript implementation in Navigator 2.0 allow visiting history, email address to be fill into HTML form (hidden) and then transferred out.

Harassing Mailto Hyperlink

Early version of Navigator 2.0 allows mail to be sent (to high profile site such as whitehouse.gov) without user's interaction.

As results of frequent error, US Naval Research Lab in fall 1996 recommended that Navigator not be used. 10/2/96 US Navy and Microsoft announced the Navy chose IE as its official web browser.

3/3/97 Paul Greene of Worcester Polytechnic Institute in MA, create a web page,when viewed by IE 3.0 and 3.0.1, allows any program to be run on user's machine. The problem is that IE 3.0 and 3.0.1 felt "safe" to open file of type .URL and .LNK.

Java Operation Cycle

Java Safety (Reliability)

Provide automatic memory management
has working garbage collection, no manual memory managing using malloc() and free(). No memory leaks. No misuse.
built-in bounds checking on all strings and arrays. No buffer overruns.
no pointers.
single inheritance. easier to understand.
strongly typed
sophisticated exception handling system.

This leads to fewer bugs. But fewer bugs do not imply that the Java program is more secure.

Java Security

A safe programming language alone can not protect users from malicious programs.
We need to limit what downloaded program can do.
Java Security Techniques:

Java Sandbox

Java programs are prohibited from
directly manipulating a computer's hardware
making direct calls to the computer's OS.
They run on a virtual computer inside a restrict virtual space.

Like children playing in a protection "sandbox":

Can build or break things within but not get hurt or hurting outside world.

SecurityManager class

This special class is designed to be called before any "dangerous" operation is executed.
It determines whether those operations are allowed.
Those operations are carried out by special classes such as File-OutputStream.

Class Loader

One way to attack the security is to disable the SecurityManager class or replace it with a more permissive one.
To prevent this type of attacks, the Class Loader examines classes to make sure that they do not violate the run-time system.

Bytecode Verifier

Make sure the bytecode are created by compiling a valid Java program?
and the downloaded program

doesn't forge pointers.
doesn't violate access restrictions.
doesn't violate the type of any objects.

It was implemented as ad hoc checks.

Three Original Java Security Policies

Donot run Java program
Run Java programs with different privileges depending on the source of the program.

severe restrictions on programs downloaded from web
no restrictions on programs loaded from user's hard drive.

No restriction on Java programs.

Most users chose policy 2.
Reasons for the restrictions on downloaded Java applet in HotJava.

Restriction	Reason
Cannot read contents of files or directories on the client computer.	Protect the confidentiality of information on the user's computer.
Cannot write, rename, or delete files on the client computer.	Protect the user's data from unauthorized modification.
Cannot initiate a network connection to a computer other than the computer from which the Java applet was downloaded.	Prevents a downloaded applet from probing for security problems behind an organization firewall.
Cannot receive network connections.	Prevents an applet from appearing to be a legitimate server on an organization's internal network.
Cannot display a window without a special "untrusted" border.	Prevents applets from creating windows that appear to be system windows.
Cannot create a ClassLoader or SecurityManger.	Prevents subverting the Java type checking system and disabling all Java security checks.
Cannot run system programs.	Prevent running arbitrary code.

Possible Security Policies on Network Connections

No network connectivity.
Limited network connectivity. could only open connections to the host from which it was downloaded.
Limited network connectivity. could only open connections to a host whose name appears in a set of preapproved hosts.
Limited network connectivity. could only open connections on a specified port or ports.
No restrictions for applets downloaded from particular machines (internal server), but still place restrictions on applets downloaded from other sources.
No restrictions for "signed" applets. Applets signed by approved secret key have full access to the computer's resources. Unsigned applets are restricted. E.g., applet from specific vendor are allowed.
Unlimited connectivity.

Navigator 4.0 Java Policy

open Java sandbox, allowing applets more functionality and flexibility.
on communicator menu, there are java console and security info menuitems.
In the security info window, the navigator menu allows you to control Navigator security settings
The java/javascript menu allow you to control access by Java applets and

JavaScript scripts.

It uses digital signatures and digitally signed capabilities. You can edit privileges of certificates.

Java Security Problems Discovered by SIP group

Spring 96, Secure Internet Programming research group, Edward Felton, Drew Dean and Dan Wallach found http://www.cs.princeton.edu/sip/
Bugs related to Java run-time systems

bugs that violate Java's type system
class library bug enable hostile applet to learn "private" info, set browser setting

Java language design flaws

Java's security model was never formally specified --> cannot be verified.
security depends on the integrity of Java type system, which in terms depends on the proper functioning of SecurityManager (500lines) and Bytecode Verifier (3500lines, first implemenations).
only operational definition exist "valid bytecode is bytecode that passes the bytecode verifier"

Their comments: outside security reviews before product release.
Suggestions:

Public variables should not be writable across name spaces.
Java's package mechanism should help enforce security policy.
Java byte code should be simpler to check and formally verify.

Java DNS policy dispute

According to the Java security policy, download applet can only initiate connections to the same computer fro which it is downloaded.

Sun considers that mean any computer that share an IP address with the computer from which the applet was downloaded.
SIP group showed the Sun's definition open to DNS spoofing. The computer can be fooled to believe any arbitrary IP address shared the same DNS name, through a rogue DNS server. Then the applet can open connection to any machine behind the firewall.
SIP group suggested the connection be allowed only to the machine with the orignal download machine IP address.

Java Security Feature

Java-run time can be used to enforced the security policy: e.g.,
restrict network connection port no. that can be open
logging of applet downloading and action including all system/network access, bytecode itself. (This allows the attack to be recontructed)
IE3.01 has c:\windows\java\javalog.txt as log
IE 4 and Navigator 4 has java console and security info.

Javascript

used to be Livescript.
allow HTML file to command the browser, can

create new window,
create HTML content,
fill out fields of a form,
jump to new URLs.
change the content of HTML page,
compute math results and other functions.
earlier version can display moving banner in status line

JavaScript Security

inherently more secure than Java or other programming languages. Reasons:

no methods for directly access file system.
no methods for directly opening connections to otehr computer on the network.

But Netscape is developing capability-based system with code signing for more flexibility in assigning privileges.
Today the main security is in two areas:

denial of service attacks
privacy violations.

Example of Denial Service Attack

fibonacci loop, http://owl.uccs.edu/~cs401/security/denial.htm.
same thing for a loop with a lot of alert() call.
These can be embed in other web pages.
Java and Javascript can command large amount of system resources.
TCP Syn Flooding attach on ISP (9/6/96)
Both IE and Navigator can break out a running Java or Javascript program.
Only exit will terminate it.