代写代考 CSE 127: Computer Security Web Intro

CSE 127: Computer Security Web Intro

UCSD Winter 2022
Some slides from , , , , and

Copyright By PowCoder代写 加微信 powcoder

Brief: Mitigating side channels Next: Web Intro

Verifying Constant-Time Implementations

Mitigating Cache-based Side Channels
• There’s never a completion solution to avoiding side-channel
attacks. A few mitigations are:
• Application-specific: Disable resource sharing, or isolate applications. One example is page coloring.
• Compiler-based: One example is Biscuit, developed at Georgia Tech. Able to guess misses and alerts the CPU scheduler about abnormal behaviour.
• Redesigning Hardware: Hard due to large overheads involved.
• Other solutions are ASLR (although, easy to defeat by Spectre
and Meltdown)
Overall, secure algorithms still need secure implementation.

Lecture objectives
• Basic understanding of how the web works
• Understand relevant attacker models
• Understand browser same-origin policy

HTTP protocol
• Protocol from 1989 that allows fetching of resources (e.g., HTML documents)
• Resources have a uniform resource location (URL):

HTTP protocol
• Protocol from 1989 that allows fetching of resources (e.g., HTML documents)
• Resources have a uniform resource location (URL):

HTTP protocol
• Protocol from 1989 that allows fetching of resources (e.g., HTML documents)
• Resources have a uniform resource location (URL):
https://cseweb.ucsd.edu:443/classes/fa19/cse127-ab/lectures?nr=7&lang=en#slides

HTTP protocol
• Protocol from 1989 that allows fetching of resources (e.g., HTML documents)
• Resources have a uniform resource location (URL):
https://cseweb.ucsd.edu:443/classes/fa19/cse127-ab/lectures?nr=7&lang=en#slides

HTTP protocol
• Protocol from 1989 that allows fetching of resources (e.g., HTML documents)
• Resources have a uniform resource location (URL):
https://cseweb.ucsd.edu:443/classes/fa19/cse127-ab/lectures?nr=7&lang=en#slides

HTTP protocol
• Protocol from 1989 that allows fetching of resources (e.g., HTML documents)
• Resources have a uniform resource location (URL):
https://cseweb.ucsd.edu:443/classes/fa19/cse127-ab/lectures?nr=7&lang=en#slides
scheme port

HTTP protocol
• Protocol from 1989 that allows fetching of resources (e.g., HTML documents)
• Resources have a uniform resource location (URL):
domain path
https://cseweb.ucsd.edu:443/classes/fa19/cse127-ab/lectures?nr=7&lang=en#slides
scheme port

HTTP protocol
• Protocol from 1989 that allows fetching of resources (e.g., HTML documents)
• Resources have a uniform resource location (URL):
domain path
https://cseweb.ucsd.edu:443/classes/fa19/cse127-ab/lectures?nr=7&lang=en#slides
scheme port query string

HTTP protocol
• Protocol from 1989 that allows fetching of resources (e.g., HTML documents)
• Resources have a uniform resource location (URL):
domain path fragment id https://cseweb.ucsd.edu:443/classes/fa19/cse127-ab/lectures?nr=7&lang=en#slides
port query string

scheme query string

HTTP protocol
• Clients and servers communicate by exchanging individual messages (as opposed to a stream of data).
http://example.com

HTTP protocol
• Clients and servers communicate by exchanging individual messages (as opposed to a stream of data).
http://example.com

HTTP protocol
• Clients and servers communicate by exchanging individual messages (as opposed to a stream of data).
http://example.com

HTTP protocol
• Clients and servers communicate by exchanging individual messages (as opposed to a stream of data).
http://example.com

HTTP protocol
• Clients and servers communicate by exchanging individual messages (as opposed to a stream of data).
http://example.com

HTTP protocol
• Clients and servers communicate by exchanging individual messages (as opposed to a stream of data).
http://example.com

HTTP protocol
• Clients and servers communicate by exchanging individual messages (as opposed to a stream of data).
http://example.com

HTTP protocol
• Clients and servers communicate by exchanging individual messages (as opposed to a stream of data).
http://example.com

HTTP protocol
• Clients and servers communicate by exchanging individual messages (as opposed to a stream of data).
http://example.com

HTTP protocol
• Clients and servers communicate by exchanging individual messages (as opposed to a stream of data).
http://example.com

Anatomy of a request
GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Host: www.example.com
Referer: http://www.google.com?q=dingbats

Anatomy of a request
GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Host: www.example.com
Referer: http://www.google.com?q=dingbats

Anatomy of a request
GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Host: www.example.com
Referer: http://www.google.com?q=dingbats

Anatomy of a request
path version GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Host: www.example.com
Referer: http://www.google.com?q=dingbats

Anatomy of a request
path version GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Host: www.example.com
Referer: http://www.google.com?q=dingbats

Anatomy of a request
path version GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Host: www.example.com
Referer: http://www.google.com?q=dingbats
body (empty)

Anatomy of a response
HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Set-Cookie: …
Content-Length: 2543
Some data… whatever …

Anatomy of a response
status code
HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Set-Cookie: …
Content-Length: 2543
Some data… whatever …

Anatomy of a response
status code
HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive
Content-Type:text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Set-Cookie: …
Content-Length: 2543
Some data… whatever …

Anatomy of a response
status code
HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive
Content-Type:text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Set-Cookie: …
Content-Length: 2543
Some data… whatever …

Many HTTP methods
• GET: Get the resource at the specified URL.
• POST: Create new resource at URL with payload.
• PUT: Replace current representation of the target resource with request payload.
• PATCH: Update part of the resource.
• DELETE: Delete the specified URL.

GETs should NOT change server state; in practice, they sometimes do
Old browsers don’t send PUT, PATCH, and DELETE
➤ So, almost all side-effecting requests are POSTs; real method hidden in a header or request body
In practice: it’s a mess

In practice: we need state

In practice: we need state
HTTP cookie: small piece of data that a server sends to the browser, who stores it and sends it back with subsequent requests
What is this useful for?
➤ Session management: logins, shopping carts, etc.
➤ Personalization: user preferences, themes, etc.
➤ Tracking: recording and analyzing user behavior

In practice: we need state
HTTP cookie: small piece of data that a server sends to the browser, who stores it and sends it back with subsequent requests
What is this useful for?
➤ Session management: logins, shopping carts, etc.
➤ Personalization: user preferences, themes, etc.
➤ Tracking: recording and analyzing user behavior

Setting cookies in response
HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Set-Cookie: trackingID=3272923427328234 Set-Cookie: userID=F3D947C2
Content-Length: 2543
Some data… whatever …

Setting cookies in response
HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Set-Cookie: trackingID=3272923427328234 Set-Cookie: userID=F3D947C2
Content-Length: 2543
Some data… whatever …

Sending cookie with each request
GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Cookie: trackingID=3272923427328234
Cookie: userID=F3D947C2
Host: www.example.com
Referer: http://www.google.com?q=dingbats

Sending cookie with each request
GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Cookie: trackingID=3272923427328234
Cookie: userID=F3D947C2
Host: www.example.com
Referer: http://www.google.com?q=dingbats

Going from HTTP response to code execution…

Basic browser execution model
Each browser window….
➤ Loads content
➤ Parses HTML and runs Javascript
➤ Fetches sub resources (e.g., images, CSS, JavaScript)
➤ Respond to events like onClick, onMouseover, onLoad, setTimeout

Nested execution model
Windows may contain frames from different sources
➤ Frame: rigid visible division
➤ iFrame: floating inline frame
Why use frames?
a to content from another source Browser provides isolation based on frames
Delegate screen
Parent may work even if frame is broken

Nested execution model
Windows may contain frames from diff sources
➤ Frame: rigid visible division
➤ iFrame: floating inline frame
Why use frames?
➤ Delegate screen area to content from another source
➤ Browser provides isolation based on frames
➤ Parent may work even if frame is broken

Document object model (DOM)
Javascript can read and modify page by interacting with DOM
➤ OO interface for reading and writing website content
Includes browser object model
➤ Access window, document, and other state like history, browser navigation, and cookies
https://en.wikipedia.org/wiki/Document_Object_Model

Modifying the DOM using JS

• Item 1

Modifying the DOM using JS

• Item 1


const list
const newItem = document.createElement(‘li’); const newText = document.createTextNode(‘Item 2’); list.appendChild(newItem); newItem.appendChild(newText)
= document.getElementById(‘t1′);

Modifying the DOM using JS

• Item 1


const list
const newItem = document.createElement(‘li’); const newText = document.createTextNode(‘Item 2’); list.appendChild(newItem); newItem.appendChild(newText)
= document.getElementById(‘t1′);

Modern websites are complicated

Modern websites are complicated

Lecture objectives
• Basic understanding of how the web works
• Understand relevant attacker models
• Understand browser same-origin policy

Network attacker
Relevant attacker models
http://example.com
http://example.com

Network attacker
Relevant attacker models
http://example.com
http://example.com
https://letsencrypt.org/stats/

Network attacker
Relevant attacker models
http://example.com
http://example.com

Network attacker
Relevant attacker models
http://example.com
Web attacker
http://example.com
https://evil.com
https://evil.com

Relevant attacker models
Gadget attacker
Web attacker with capabilities to inject limited content into honest page
https://example.com
example.com

Most of our focus: web attacker
https://evil.com
https://evil.com

And variants of it
example.com
example.com
example.com

Lecture objectives
• Basic understanding of how the web works
• Understand relevant attacker models
• Understand browser same-origin policy

Web security model
Safely browse the web in the presence of attackers
➤ The browser is the new OS analogy
Process 1 Process 2 Page 1 Page 2
4chan.org bank.ch
files/sockets cookies/fetch

Web security model
Safely browse the web in the presence of attackers
➤ The browser is the new OS analogy
Process 1 Process 2 Page 1 Page 2
4chan.org bank.ch
files/sockets cookies/fetch

Web security model
Safely browse the web in the presence of attackers ➤ The browser is the new OS analogy
Process 1 Process 2
VM + UIDs + seccomp-bpf
files/sockets
cookies/fetch
UIDs + ACLs

Web security model
Safely browse the web in the presence of attackers ➤ The browser is the new OS analogy
Process 1 Process 2
VM + UIDs + seccomp-bpf
files/sockets
cookies/fetch
UIDs + ACLs

Web security model
Safely browse the web in the presence of attackers ➤ The browser is the new OS analogy
Process 1 Process 2
VM + UIDs + seccomp-bpf
files/sockets
cookies/fetch
UIDs + ACLs

Same origin policy (SOP)
Origin: isolation unit/trust boundary on the web ➤ (scheme, domain, port) triple derived from URL
SOP goal: isolate content of different origins
➤ Confidentiality: script contained in evil.com should not be able to read data in bank.ch page
➤ Integrity: script from evil.com should not be able to modify the content of bank.ch page

There is no one SOP There is a same-origin policy for…
➤ message passing (via postMessage)
➤ network access
➤ CSS and fonts

程序代写 CS代考 加微信: powcoder QQ: 1823890830 Email: powcoder@163.com