Final Exam Web Security

Trojan Horses

> An apparently benign application, which has some hidden malicious functionality > runs with the privileges of the victim user > may have any malicious functionality > Usually spread using social-engineering techniques => distributing free (but illegal) copies of commercial software => sending as an e-mail attachment => drive-by download: authorized by the user without understanding the consequences

Router directory

- Public list of available onion routers and their public keys - Initiator needs to select a large and diverse set of routers to prevent analysis

Onion Routing in practice

- Select a set of '_____' routers and from a virtual circuit (path to the responder) - Each ___ router sees only the preceding and following nodes - May be malicious trying to infer identities => colluding with malicious routers may use traffic analysis to infer identities

IP address spoofing

- Sending IP packets with a fake source address - no verification defined in the basic internet protocol - some upper layer protocols provide protection against address spoofing => Legitimate use for testing (stress testing servers) => (D)DoS attack ==> Circumventing address-based access control (firewalls) - DNS Cache poisoning attack

Flooding a Server

- Sending a large number of TCP SYN packets from various spoofed Source IP Addresses => traffic saturates the network link of the victim => packets from spoofed IP addresses look the same as legitimate connections => could use other junk packets (ICMP Echo Request) - In most implementations the number of pending connections is limited => non-malicious users will not be able to connect

Ingress filtering

- Service providers may forward only packets with legitimate source addresses => described in IETF BCP (Best Current Practices) 38 and 84 => defined by IETF RFC 2827 and 3704

Static code analysis challenges

- State space explosion => state space grows exponentially in the number of variables of inputs ==> must consider ranges and abstractions - Unknown environment => inputs, scheduling of parallel execution, etc.. - Correctness is undecidable in general => some outputs are either undecidable or false positive/negative.

Principles of Massive flooding using botnets

- Victim cannot decipher which clients are malicious - IoT devices like DVRs, Cameras, - OVH French ISP (1 TBPS attack) - Dyn DNS provider => hundreds of thousands of IoT devices, targeted authorized authoritative DNS servers

blacklists

- input validation - do not allow inputs on this list - list of known bad inputs - low impact on usability

whitelists

- input validation - list of known good inputs - only allow inputs on it - usually more secure

dynamic

- input: typically binary compiled code - black box approach - find vulnerabilities by executing the code with various inputs - detects that problem occurs

IP Packet Fragmentation Attack

1.) Suppose that the firewall > allows connections on SMTP (TCP port 25) > denies connection on Telnet (TCP port 23) 2.) First Packet > Fragmentation Offset = 0 > More Fragment = 1 > TCP header: destination port = 25 => allow 3.) Second Packet > Fragmentation Offset = 2 (second packet overwrites all but the first 2 bytes of the previous packet) > More fragment = 0 > TCP header fragment: destination port = 23 ==> Firewall allows the second packet because it is just a fragment (not a full header) ===> IP packet reassembled at host and received at port 23

IPS

=> Also called Intrusion Detection and Prevention System (IDPS) => can actively prevent or block intrusions (e.g, block IP addresses, drop packets)

Types of Intrusion Detection systems

> Advantage and disadvantage

Resident Virus

> remains in memory as part of the OS > may overwrite interrupt handlers and other functions

Backdoor

> secret entrypoint into a system or program the circumvents the usual security access procedures > maintenance hook: legitimate use for debugging and testing > asymmetric backdoor: can be used only by the developer, even if the implementation becomes public > may be introduced by a malicious compiler

Independent Malware

> self-contained programs that can be run by the operating system

chroot development and testing

> set up a complete environment in a directory and chroot into it before running the software that is under development or testing

Filter Secure Computing Mode

seccomp-bpf int seccomp(SECCOMP_SET_MODE_FILTER, 0, &filter) > Extension to secure computing mode that enables more fine-grained filtering of system calls e.g.. Berkeley Filter and is used by Google Chrome, Firefox, vsftpd

Other amplification attacks

- Network Time Protocol (NTP): 500x amplification ratio - Lightweight Directory Access Protocol (LDAP): 50x amplification ratio - Simple Service Discovery Protocol (SSDP): 31x amplification - Github (1.35 TBPS at 126.9 million packets per second (largest to date) - Using memcached servers with UDP: 51,000 AMPR

Sandboxes Vulnerability

- Potentially vulnerable applications that are exposed to untrusted data (PDF viewer, e-mail client, web browser) - client-side scripts (JavaScript) on webpages, macros - plug-ins, extensions, smartphone applications

Upstream Filtering and DDOS-resistant hosting

- In case of an attack, traffic may be redirected to a 'cleaning server', which filters malicious traffic and sends only non-malicious traffic to the actual server => cleaning server may be implemented as an application -level proxy - DDOS resistant hosting may be provided using content delivery networks => cloudFlare, Axamai, incapsula

Virtual circuit setup

- Initiator establishes a connection and a symmetric session key with the first onion router => two-way tunnel - tunnel is used to establish a connection and session key with the second router, and so on, until the responder is reached.

static

- Input: Source code - white-box approach - find vulnerabilities by considering possible executions of the code - halting problem - finds the root cause of the problem

Smurf amplification attack

- Internet Control Message Protocol - Supporting protocol in the IP suite for error message and operational information - On receiving an Echo Request message, a host should reply with an Echo reply.

chroot disadvantages

- All or nothing access to parts of a file system - does not prevent network access, communicating with other processes, hogging system resources (CPU time and memory>

Information Flow analysis

- Assigns a security level to each source - Each object inherits the security levels of the sources and other objects from which it is derived. - Used to detect the leakage of confidential information

TCP connection Flood

- Attacking computers establish TCP connection and send HTTP requests - Slowloris Attack => attacking computer sends a partial HTTP request => then periodically sends new HTTP header fields => server needs to keep track of HTTP connections <= Can blacklist the attacking computer

Web application security scanners

- Automated black-box testing for them - Crawls a website by following the hyperlinks and tries exploiting common types (SQL injection, XSS, CSRF) ADV. - Does not require any security expertise - finds the most common vulnerabilities - language/platform independent DIS. - not guaranteed to find all the vulnerabilities ( must use many) - May produce false positives

Fraggle Amplification Attack

- Based on UDP protocols there are used for testing - ECHO protocol (UDP port 7) => receiver sends back an identical copy of the received data - ECHO protocol (UDP port 19): upon receiving a UDP packet, the receiver sends back a random number of (0...512) of characters

DMZ layouts

- Can have dual firewalls - Dedicated hardware devices => special hardware and software for filtering => adv. : performance => dis. : expensive and harder to manage

CAPTCHA Limitations

- Cannot protect against low-level attacks (massive flooding attacks) - Attacker may circumvent CAPTCHA => cheap labor or machine learning algorithms to solve CAPTCHAs => 2010 => 1000 CAPTCHAs for as low 1 USD. ==> Attacker may also set up its own site that reposts the target site's CAPTCHAs - May present Accessibility problems for users with disabilities (visually impaired or color-blind users) - Audio CAPTCHAs ore often provided as an alternative - If multiple CAPTCHA techniques are available, an attacker will opt for the one that is easiest to defeat - Some users may have hearing and visual impairment

Botnet

- Collection of remotely controlled compromised ("Zombie") computers - Zombies may be laptop, desktop, IoT devices

Anonymity, motivation, principles, and practical challenges of onion routing

- Conceal the identities of communication parties - Anonymous communication over a computer network - Packets are encapsulated in multiple layers of encryption - Developed in the 1990's by Naval Research and DARPA

Compartmentalization

- Divide the system into compartments and isolate them from each other => limit the impact of a compromise

Dynamic Code Analysis

- Executes program over a set of test inputs and observe exceptions => for each exception, check if it could be exploited by an attacker - Test Suite => fuzzing: Generates semi-automatically invalid, unexpected, or random inputs Advantages - Precise: there is no abstraction or approximation - no false positives Disadvantage: Can test only those execution paths that are reachable by the test input.

Types of Errors with IDS

- False positive => False alarm => wasting admins. time / effort - False negative => undetected attack

application front-end hardware

- Filter network traffic using high-performance dedicated hardware before it reaches the servers - Does not protect against bandwidth exhaustion

TOR the onion router

- Free software implementation of the idea - directs traffic through a worldwide free, volunteer network of onion routers - maintained by the TOR project - Trusted Directory Servers - Public keys and addresses of these servers are hardcoded into the software - maintains a list of active onion routers (with addresses and public keys) - Every OR is connected to every other OR through SSL/TLS - Anyone may install and choose not to be an exit router.

Responder Anonymity: Location Hidden Services

- Hidden services are identified by public keys => pseudo-DNS name => publickey.onion - Responder (server) selects some ORs to be introduction points => first, builds circuits to these ORs => second publishes the public key and the list of Introduction Points (signed using its private key in a distributed hash table stored by the ORs ) - User may contact a responder using its public key => first, retrieves the Introduction Points from the distributed hash table => then, selects a Rendezvous Point and tells the responder about it through one of the Introduction points => finally, the user and the responder establish circuit through the Rendezvous Point

Reflection

- IP address spoofing => attacker sends packets with fake source-addresses => recipient will believe the the packets originate from the fake source

Mitigation of Amplification Attacks

- Prevent routers from forwarding packets directed to broadcast addresses <= default standard configuration - Prevent hosts from responding to requests => Echo and Character Generator services are typically disabled

Application layer firewall motivation and functionality

> Basic packet inspection considers only the first four networking layers (up to transport layer) > Application-layer firewall => understands certain application-level protocols (FTP, DNS, HTTP) => rules can be defined in terms of these protocols ==> limit HTTP requests to certain paths or limit FTP to certain commands > Proxying Firewall => Application-layer firewalls are sometimes implemented as proxies => client TCP connection is received by the proxy, which then connects to the actual server => proxy can inspect and forward traffic

Logic bombs

> Code embedded in a legitimate program which explodes when certain conditions are met (e.g, time, presence of some files, hostnames) > may alter or delete data, system functionality > example: in 1996 an employee of OMEGA Engineering set a logic bomb when he was fired, deleting software that ran manufacturing operations, causing losses exceeding $10 million

Basic functionality of Firewalls

> Decision: whether to allow or deny some traffic is based on a set of rules (e.g, allow connections to the web server but deny connections to other machines)

adware

> Displaying unwanted advertisement to the user (pop-up windows, injecting into web pages) > legitimate use: advertisement-supported non-malicious software

Isolation based on Unix Access control

> Each user has a user ID and a set of group memberships > When a user starts a process, the process inherits the user's user ID and set of group memberships > each file has => user ID and a group ID => read, write, and execution rights for user, group, and others Sandboxing: Run untrusted code as an unprivileged user => for example, use setups to run an executable as a dummy user => dummy user's access can be restricted using traditional UNIX access control => Using Linux namespaces, the running process can be further separated

rootkits

> Enables unauthorized access to a computer system > hides its own existence Used by attackers after compromising a system > provides a backdoor for easy reentry > keeps the compromise hidden from operators => persistent and stealthy compromise > needs root (admin) access > manually or automatically

chroot security

> If an attacker compromises a process running in a 'chroot jail' then it can access and modify only the files inside the jail EXAMPLE > HTTP, e-mail, and FTP servers (Postfix and OpenSSH SFTP) ==> before handling a client, chroot into a directory and relinquish root privileges

Drive-by Downloads

> Malicious websites may exploit vulnerabilities to download and install malware without user interaction > vulnerability can be in the web browser or some plugin (PDF reader, Java, Flash Player)

Motivation for Intrusion Detection Systems

> Malware : virus, worm, logic bomb, Trojan horse, backdoor (trapdoor), worm, exploit, spyware, key logger, adware, rootkit, zombie > Can install malware via PDF reader, Java, Flash Player, > Spyware, Adware, Ransomware, Scareware, payment, Crypto-ransomware, and Rootkit

viruses

> Parasitic self-replication malware Phases of Operation > dormant: virus is waiting for an external event > propagation: virus places copies of itself into other executables and files > triggering: virus is activated by some external event > execution: virus executes the payload, which performs malicious actions

Conficker (2008)

> Propagated through the internet using software vulnerabilities in Windows through local networks using weak passwords, or through removable drives > infected 9-15 million computers

Types of Intrusion Detection Systems Signature-based vs anomaly-based

> Signature-based (misuse detection): detect specific patterns (e.g, byte sequences in traffic or instruction sequences in malware) => can detect only known attacks > Anomaly-based: detect 'abnormal' behavior => prone to false-positive errors

Snort Open-Source

> Snort is a free and open-source network intrusion detection system => can detect a variety of attacks based on signatures => can be extended with custom rules and plug-ins => owned and developed by Cisco network traffic => packet decoder => preprocessor => detection engine => logging and alerting

Scareware

> Threaten or deceive users (fake antivirus) > Browser locking => load hundreds of iframe => user will think that the webpage cannot be closed.

Virtual Machines

> Used for sandboxes > Mostly used in cloud computing <iframe src ='untrusted.html' sandbox></iframe> => disable plugins => blocks script execution => blocks form submission => treat contents as if it was from a globally unique origin => blocks navigating the top level window or other frames on the page (excluding child frames of the sandboxed content) => blocks popup window

Infection Targets

> boot sector: targets the boot sector or Master Boot Record of the host's hard drive or removable media > executable files: targets binary executable files > documents (macro viruses): targets word processor and spreadsheet documents that support embedding macro programs (Microsoft office)

Payload

> carried by the worm or downloaded from a server > may perform other tasks (spyware, ransomware, botnet)

spyware

> collect information about the user > may record keystrokes, mouse clicks, browsing activity > attacker can use it to collect personal information (e.g, social security number, financial information, credit card numbers)

Berkeley Packet Filter

> enables user-space processes to filter network packets using filter programs > in seccomp, it is used to filter system calls (each call is a struct seccomp_data) > &filter points to a struct soc_fprog, which contains the filter program

Parasitic Malware

> fragments of code that cannot exist independently of some actual program > Executed with the infected program > both may carry a payload

Basic issues of stateless firewalls

> must track the state of every connection > IP Packet Fragmentation attack > computationally more demanding > complex => more error-prone implementation

Crypto-ransomware

> ransomware encrypts file using a random symmetric key > symmetric key is encrypted using the attacker's public key and then deleted > attacker decrypts the symmetric key in exchange for payment

idea of using proof-of-work to limit the impact of misbehaving nodes

A misbehaving node in theory could fork and build a chain longer than the longest chain and then tamper with the chain. So, in order to prevent this from happening proof of work is in place, each time a new block created there must be a computationally difficult problem solved. - Each block has a nonce value--chosen by the block creator - SHA-256 Hash value of each block to start with a certain number of zeroes. - Creating a block means trying a lot of different nonce values => mining Therefore, an attacker requires more computational power than all of the nodes that follow the longest chain.

Ingress filtering Network Address Translation (NAT)

Address translation has an inherent "Source validation side effect" - Forwarding based validation

Firewall Limitations

Cannot Protect Against: > attacks that bypass it (USB drive with malware) > internal-threats (disgruntled employee) Can be a single point of failure > Just like any other machine, a firewall can have vulnerabilities > If the security of an entire network depends on a firewall, then compromising the firewall can have devastating effects

botnet

Collection of computers controlled through the internet > legal application: distributed computing > illegal application: taking advantage of compromised "zombie" computers Used to send spam e-mail or perform click fraud. Collect personal information -> spyware Attack other systems (DDOS)

Basic of Idea of Intrusion Detection Systems

Application or device that monitors a network or system for malicious activity. > malicious activity is reported to the administrators (send an alarm and log activity)

principle of taint analysis

Attempts to identify which variables and objects can be modified by untrusted user input. - Source of the value of a variable is untrustworthy (network packets, user files, user input) - Any derived from above is also __________ - If passed to a function without sanitization then possible vulnerability - Information flow analysis e.g. untrusted user input => terminal => network => files => running program => ...

DDOS

Availability: information and system functionality is available to authorized entities. - Resource exhaustion => attacker uses up all of the victim's resources => nothing left for serving authorized entities (may crash the system) =>Attacker may exhaust bandwidth, computational power, memory, etc..

Motivation for firewalls

Because systems can consist of hundreds or thousands of computing devices (both servers and clients) and have open ports that are accessible from the internet, plus various operating systems running various services, implemented by various software, various software versions, configurations. Challenge: - Keeping everything patched and properly configured is very expensive or impossible - on the other hand an attacker may easily scan the network for vulnerabilities

Principle least-privilege

Each module should have only the minimum set of privileges needed to serve its purpose

ransomware

Holds a computer system or data hostage > disable access to the computer system or certain files on it (screen locking, browser locking) > may also threaten to publish the victim's files online Payment > computer system or data is released upon payment > payment through Bitcoin, premium-rate text messages, wire transfers

Purpose of iframe sandbox

HTML5 iframe Sandbox Manually allow some features <iframe src="untrusted.html" sandbox="allow-forms"></iframe> allow-forms: allows form submission allow-popups: allows displaying pop-ups allow-same-origin: treats content as being from the same origin allow-scripts: allows script execution allow-top-navigation: allows the iframe content to navigate its top-level browsing context

Client Puzzles

Idea: Slow down attackers with computational problems - Before submitting a request, each client must solve a computationally challenging problem - Example problem: given a cryptographic hash function H and a challenge X, find a solution Y such the the first N bits of H(X|Y) are all zeros => random X is a solution with probability 2^-N => client must compute 2^(N-1) hash values on average to solve the problem - Hardness N can be tweaked based on server load (~ attack magnitude)

How taint checking works in practice

If static analysis => rewrite source code if vulnerability is found If dynamic analysis => keep track of the tainted variables during run time and throw an exception.

Halting problem

Impossible to determine if a program will finish running eventually or if it will run forever.

DMZ idea

More secure, attacker must compromise / bypass two firewalls => misconfiguration has lower impact Three-legged model => Internet must pass firewall to get to e-mail server and web-server => internal network must pass through firewall to go to internet => internal network must pass through firewall to get to e-mail and web-server

File inclusion Vulnerability local file inclusion exploits

Local: web server loads a local file > Directory Traversal - attacker may read any file to which the web server process has access > Uploading PHP code to the web server - enables the attacker to execute arbitrary code on the web server - example website allowing users to upload images without checking their content > Example of injecting PHP code without file upload > Ineffective prevention: include('lib/' . $_GET['language'] . '.php'); > Prevention: do not trust user input at all -- always validate input before using it -- do not use values directly

Ingress filtering Static Packet Filtering

Manually Configure filtering based on addresses allocated by upstream network

Vulnerability Scanners basic properties

Modes - Unauthenticated => blackbox testing, performs the scan as an attacker - Authenticated => scanner can log in to some services and test local vulnerabilities

Principles defense-in-depth

Multiple Layers of Security - Attacker has to circumvent all of them to compromise - Examples : multi-factor user authentication, firewalls, etc..

Types of Intrusion Detection Systems Network-based vs host-based

Network-based IDS > monitors network traffic Host-based IDS > monitors activity on a host (e.g., file modifications and processes)

Morris Worm (1988)

One of the first worms propagating through the internet. - UNIX finder and sendmail, weak passwords

Stateless

Packet filtering > Apply rules to every incoming / outgoing packet individually > advantage: does not need to track state => simpler > disadvantage: limited functionality, must process rules for every packet

File inclusion Vulnerability causes

Passing invalidate user input to functions that load files

CAPTCHAS

Problem: differentiating malicious clients from honest ones Solution: differentiate by verifying that connections are from humans CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) - Challenge-response test used to determine if a client is human => reverse Turing test (judge is a computer) - typically based on hard AI problems, such as image recognition (character recognition)

File inclusion Vulnerability basic remote

Remote: web server loads a file from another server Attacker may run arbitrary PHP code on the vulnerable web server Prevention in PHP: disable allow_url_include > disabled by default in newer versions > prevents the inclusion of remote files

Techniques for Hiding Rootkit

Rootkit must be installed and run on the compromised system => without hiding, it might appear as a file or running process. Modifying system commands and applications > ls: lists files in a directory => modify to omit the rootkit files > ps: lists running processes => modify to omit the rootkit process Modifying or disabling event logging > system logs may provide evidence of an attack => remove log entries Disabling anti-virus and anti-rootkit software Modifying the kernel, system drivers and other core parts of the OS > rootlets may tamper with any system call, security mechanism

worms

Runs independently, without host program or file > Propagates a copy of itself to other systems ==> Exploiting vulnerabilities such as weak passwords ==> over the internet, local computer network, through removable media (USB drives) ==> e-mail worm: propagating as e-mail attachments

vulnerability scanners purpose

Scans a host or entire (sub)network for vulnerabilities. - Find hosts and find open ports on each host - Determine what service is running on each port and try to determine which software product and version implements the service - test for known vulnerabilities, unsafe configurations, or information leakage => list of vulnerabilities must be updated

Sandboxes Typical Usage

Security mechanism for separating a running program (or one part of a running program) from the remainder of the system - Typically used to run untested or untrusted code (possibly from untrusted sources) - Has limited access to system resources (Files, memory, network) => reduce the impact of the security vulnerabilities in sandboxed software

Stateful differences

Session filtering > Apply rules only to the first (few) packet of each connection > advantage: advanced functionality, does not need to process every packet > disadvantage: must track the state of every connection

Idea of reaching consensus using the longest chain

The idea is that if there is to be a newly created block and the same time by two different parties then the chain is forked and which ever party has the longest chain is the one that wins. Hence, the newly created block is added to the longest chain and the shorter chain's blocks are orphaned (not used).

susceptible PHP functions

include(file), require(file), include_once(file), require_once(file) > parse the content of the specified file > used to load PHP libraries, classes, etc...

Chroot Jail

int chroot(const char *path) > Available on all UNIX operating systems > Changes the root directory from '/' to the given path for the process > Can be performed only by a root user > By Definition it should be undoable => however, a root user can get out => drop root privileges before executing the untrusted code AFTER chroot, nothing outside the new root directory is available => system libraries and commands (libc, bash) cannot be used, unless a copy was made available in the new root

Linux Secure Computing Mode

int seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL) > Sandboxing tool in the Linux kernel ==> kernel version 2.6.12 > once a process enters seccomp mode, it cannot make any system calls except for => exit(...), sigreturn(...) => read(int filedescriptor, ...) => write(int filedescriptor, ...) ==> read and write files that were opened before entering seccomp mode Typical Usage: open necessary files and network connections, and enter seccomp mode