CSE 127: Computer Security Web Intro
UCSD Winter 2022
Some slides from , , , , and
Brief: Mitigating side channels Next: Web Intro
Mitigating Cache-based Side Channels
• There is never a complete solution to avoiding side-channel attacks. A few mitigations are:
• Application-specific: disable resource sharing, or isolate applications. One example is page coloring.
• Compiler-based: one example is Biscuit, developed at Georgia Tech, which is able to predict cache misses and alert the CPU scheduler to abnormal behaviour.
• Redesigning hardware: hard due to the large overheads involved.
• Other solutions include ASLR (although it is easy to defeat using Spectre and Meltdown).
Overall, secure algorithms still need secure implementations.
Lecture objectives
• Basic understanding of how the web works
• Understand relevant attacker models
• Understand browser same-origin policy
HTTP protocol
• Protocol from 1989 that allows fetching of resources (e.g., HTML documents)
• Resources are named by a uniform resource locator (URL):
https://cseweb.ucsd.edu:443/classes/fa19/cse127-ab/lectures?nr=7&lang=en#slides
➤ scheme: https
➤ domain: cseweb.ucsd.edu
➤ port: 443
➤ path: /classes/fa19/cse127-ab/lectures
➤ query string: nr=7&lang=en
➤ fragment id: slides
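As an added example (not from the lecture slides), the following JavaScript decomposes the slide's URL into the labelled pieces using the WHATWG URL API that browsers and Node both provide. It also shows two things the slide's picture does not: the parser drops an explicit default port (443 for https), so the origin is just scheme plus host, and the fragment never leaves the browser. The helper names are this example's own.

```javascript
// Added example: split a URL into the components labelled on the slide.
// SAMPLE_URL is the one from the slide; urlParts/sameOrigin are example helpers.
const SAMPLE_URL =
  "https://cseweb.ucsd.edu:443/classes/fa19/cse127-ab/lectures?nr=7&lang=en#slides";

function urlParts(raw) {
  const u = new URL(raw); // throws on an unparsable URL
  return {
    scheme: u.protocol.replace(/:$/, ""), // "https"
    domain: u.hostname,                   // "cseweb.ucsd.edu"
    port: u.port,                         // "" because 443 is the default for https
    path: u.pathname,                     // "/classes/fa19/cse127-ab/lectures"
    query: Object.fromEntries(u.searchParams), // { nr: "7", lang: "en" }
    fragment: u.hash.replace(/^#/, ""),   // "slides": kept client-side, never sent
    // What actually goes on the wire in the request line: path + query only.
    requestTarget: u.pathname + u.search,
    // Origin = (scheme, host, port); this is what the browser's isolation is keyed on.
    origin: u.origin,                     // "https://cseweb.ucsd.edu"
  };
}

// Two URLs are same-origin iff scheme, host and port all match.
// Path, query and fragment play no part in the comparison.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

console.log(urlParts(SAMPLE_URL));
console.log(sameOrigin(SAMPLE_URL, "https://cseweb.ucsd.edu/"));
```

Note that `https://cseweb.ucsd.edu:443/` and `https://cseweb.ucsd.edu/` normalise to the same origin, while `https://cseweb.ucsd.edu:8443/` and `http://cseweb.ucsd.edu/` do not.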
HTTP protocol
• Clients and servers communicate by exchanging individual messages (as opposed to a stream of data).
http://example.com
Anatomy of a request
GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Host: www.example.com
Referer: http://www.google.com?q=dingbats

➤ Request line: method (GET), path (/index.html), version (HTTP/1.1)
➤ Headers: one name: value pair per line
➤ Body: empty (a blank line ends the headers)
Anatomy of a response
HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0
Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
Set-Cookie: …
Content-Length: 2543

Some data… whatever …

➤ Status line: version (HTTP/1.0), status code (200), reason phrase (OK)
➤ Headers (Content-Type tells the browser how to interpret the body), a blank line, then the body
Many HTTP methods
• GET: Get the resource at the specified URL.
• POST: Create a new resource at the URL with the request payload.
• PUT: Replace the current representation of the target resource with the request payload.
• PATCH: Update part of the resource.
• DELETE: Delete the resource at the specified URL.
GETs should NOT change server state; in practice, they sometimes do
HTML forms only submit GET and POST, and old browsers could not send PUT, PATCH, or DELETE at all
➤ So, almost all side-effecting requests are POSTs; the real method is hidden in a header or in the request body
In practice: it's a mess
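The following is an added example, not code from the lecture, that ties the "anatomy of a request" slide to the "real method hidden in a header or body" point. It parses a raw HTTP/1.1 request into request line, headers and body, then derives the method a server framework would actually act on. The request text is constructed for the example; the `X-HTTP-Method-Override` header and `_method` form field are conventions some frameworks honour, and the example assumes the server does. A server-side check that treats every POST as "a create" is wrong under that assumption, which is the security point.

```javascript
// Added example: minimal HTTP/1.1 request parser plus method-override resolution.
// RAW_REQUEST is constructed for this example; the override mechanisms are
// assumed to be honoured by the receiving framework (not stated by the slides).
const RAW_REQUEST = [
  "POST /items/42 HTTP/1.1",
  "Host: www.example.com",
  "User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)",
  "Content-Type: application/x-www-form-urlencoded",
  "X-HTTP-Method-Override: DELETE",
  "Content-Length: 14",
  "",
  "_method=DELETE",
].join("\r\n");

function parseRequest(raw) {
  // Headers end at the first blank line (CRLF CRLF); everything after is body.
  const sep = raw.indexOf("\r\n\r\n");
  if (sep < 0) throw new Error("incomplete request: headers not terminated");
  const head = raw.slice(0, sep).split("\r\n");

  const [method, target, version, ...extra] = head[0].split(" ");
  if (!method || !target || !/^HTTP\/1\.[01]$/.test(version) || extra.length)
    throw new Error("malformed request line: " + head[0]);

  // Prototype-less object: a header literally named "constructor" or
  // "__proto__" must be treated as just another name.
  const headers = Object.create(null);
  for (const line of head.slice(1)) {
    const i = line.indexOf(":");
    if (i < 1) throw new Error("malformed header line: " + line);
    const name = line.slice(0, i).trim().toLowerCase(); // names are case-insensitive
    const value = line.slice(i + 1).trim();
    // A repeated header is merged into one comma-separated value.
    headers[name] = name in headers ? headers[name] + ", " + value : value;
  }

  // Body length comes from Content-Length only; bytes beyond it belong to the
  // next message on the connection, never to this one.
  const clen = headers["content-length"] ?? "0";
  if (!/^\d+$/.test(clen)) throw new Error("bad Content-Length: " + clen);
  const len = Number(clen);
  const bodyStart = sep + 4;
  if (raw.length - bodyStart < len) throw new Error("incomplete request: short body");
  const body = raw.slice(bodyStart, bodyStart + len);

  return { method, target, version, headers, body };
}

// The method the application will act on, once overrides are applied.
// Only POST may be overridden; a GET stays a GET.
function effectiveMethod(req) {
  if (req.method !== "POST") return req.method;
  const override = req.headers["x-http-method-override"];
  if (override) return override.toUpperCase();
  const ctype = req.headers["content-type"] || "";
  if (ctype.startsWith("application/x-www-form-urlencoded")) {
    const m = new URLSearchParams(req.body).get("_method");
    if (m) return m.toUpperCase();
  }
  return "POST";
}

const parsed = parseRequest(RAW_REQUEST);
console.log(parsed.method, "on the wire;", effectiveMethod(parsed), "to the application");
```

Any authorization or CSRF logic has to run against the effective method, not the wire method, or the override becomes a way to reach DELETE handlers through a request that looks like a harmless POST.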
In practice: we need state
HTTP cookie: a small piece of data that a server sends to the browser, which stores it and sends it back with subsequent requests
What is this useful for?
➤ Session management: logins, shopping carts, etc.
➤ Personalization: user preferences, themes, etc.
➤ Tracking: recording and analyzing user behavior
Setting cookies in response
HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0
Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
Set-Cookie: trackingID=3272923427328234
Set-Cookie: userID=F3D947C2
Content-Length: 2543

Some data… whatever …
Sending cookies with each request
GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Cookie: trackingID=3272923427328234; userID=F3D947C2
Host: www.example.com
Referer: http://www.google.com?q=dingbats

➤ Each cookie is set by its own Set-Cookie header, but the browser returns all matching cookies in a single Cookie header, separated by "; "
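As an added example that is not part of the lecture, the following JavaScript models the browser side of the two slides above: it stores the cookies from the response's Set-Cookie headers and decides which ones get attached to a later request. The cookie names and values are the slide's; the `Path`, `Secure` and `HttpOnly` attributes are added here to show what they do, and the attribute rules follow RFC 6265. The jar is assumed to hold cookies for a single host (Domain, Expires and SameSite are left out).

```javascript
// Added example: a tiny cookie jar. RESPONSE_SET_COOKIES are the slide's two
// cookies with attributes added for illustration; every helper is this example's.
const RESPONSE_SET_COOKIES = [
  "trackingID=3272923427328234; Path=/",
  "userID=F3D947C2; Path=/account; Secure; HttpOnly",
];

// Parse one Set-Cookie header value into a cookie record.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error("malformed Set-Cookie: " + value);
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    path: "/",        // default scope when no Path is given (simplified)
    secure: false,    // Secure: only sent over https
    httpOnly: false,  // HttpOnly: hidden from document.cookie
  };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const k = (i < 0 ? a : a.slice(0, i)).toLowerCase(); // attribute names are case-insensitive
    const v = i < 0 ? "" : a.slice(i + 1);
    if (k === "path" && v.startsWith("/")) cookie.path = v;
    else if (k === "secure") cookie.secure = true;
    else if (k === "httponly") cookie.httpOnly = true;
    // Domain, Expires, Max-Age, SameSite: omitted in this single-host, session-only jar.
  }
  return cookie;
}

// RFC 6265 path-match: "/account" matches "/account" and "/account/x", not "/accounts".
function pathMatches(cookiePath, reqPath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// The single Cookie header the browser would send for this request URL,
// or null if nothing is in scope. Longer (more specific) paths come first.
function cookieHeaderFor(jar, requestUrl) {
  const u = new URL(requestUrl);
  const sent = jar
    .filter((c) => pathMatches(c.path, u.pathname) && (!c.secure || u.protocol === "https:"))
    .sort((a, b) => b.path.length - a.path.length);
  return sent.length ? sent.map((c) => `${c.name}=${c.value}`).join("; ") : null;
}

// What page script could read via document.cookie: HttpOnly cookies are excluded,
// so a script injected into the page cannot read them even though they are sent.
function scriptVisible(jar) {
  return jar.filter((c) => !c.httpOnly).map((c) => c.name);
}

const jar = RESPONSE_SET_COOKIES.map(parseSetCookie);
console.log(cookieHeaderFor(jar, "https://www.example.com/account/settings"));
console.log(cookieHeaderFor(jar, "http://www.example.com/account/settings"));
console.log(scriptVisible(jar));
```

Path scoping is not a security boundary (any page on the origin can still read non-HttpOnly cookies through the DOM), but Secure and HttpOnly are the attributes that decide whether a session cookie survives a downgrade to http or an injected script.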
Going from HTTP response to code execution…
Basic browser execution model
Each browser window…
➤ Loads content
➤ Parses HTML and runs JavaScript
➤ Fetches subresources (e.g., images, CSS, JavaScript)
➤ Responds to events like onClick, onMouseover, onLoad, setTimeout
Nested execution model
Windows may contain frames from different sources
➤ Frame: rigid visible division
➤ iFrame: floating inline frame
Why use frames?
➤ Delegate screen area to content from another source
➤ Browser provides isolation based on frames
➤ Parent may work even if frame is broken
Document object model (DOM)
JavaScript can read and modify the page by interacting with the DOM
➤ Object-oriented interface for reading and writing website content
Includes the browser object model
➤ Access window, document, and other state like history, browser navigation, and cookies
https://en.wikipedia.org/wiki/Document_Object_Model
Modifying the DOM using JS
- Item 1