CSE 127: Computer Security Web Intro

UCSD Winter 2022
Some slides from , , , , and

Brief: Mitigating side channels Next: Web Intro

Verifying Constant-Time Implementations

Mitigating Cache-based Side Channels
• There is never a complete solution to avoiding side-channel attacks. A few mitigations are:
• Application-specific: disable resource sharing, or isolate applications. One example is page coloring.
• Compiler-based: one example is Biscuit, developed at Georgia Tech. It is able to predict cache misses and alert the CPU scheduler about abnormal behaviour.
• Redesigning hardware: hard due to the large overheads involved.
• Other solutions are ASLR (although this is easy to defeat with Spectre and Meltdown)
Overall, secure algorithms still need secure implementation.

Lecture objectives
• Basic understanding of how the web works
• Understand relevant attacker models
• Understand browser same-origin policy

HTTP protocol
• Protocol from 1989 that allows fetching of resources (e.g., HTML documents)
• Resources have a uniform resource locator (URL):
  https://cseweb.ucsd.edu:443/classes/fa19/cse127-ab/lectures?nr=7&lang=en#slides
  ➤ scheme: https
  ➤ domain: cseweb.ucsd.edu
  ➤ port: 443
  ➤ path: /classes/fa19/cse127-ab/lectures
  ➤ query string: nr=7&lang=en
  ➤ fragment id: slides

HTTP protocol
• Clients and servers communicate by exchanging individual messages (as opposed to a stream of data).
  (figure: browser exchanging request and response messages with http://example.com)

Anatomy of a request
  GET /index.html HTTP/1.1                                      ← request line: method, path, version
  Accept: image/gif, image/x-bitmap, image/jpeg, */*            ← headers
  Accept-Language: en
  Connection: Keep-Alive
  User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
  Host: www.example.com
  Referer: http://www.google.com?q=dingbats
                                                                ← blank line ends the headers
  body (empty)

Anatomy of a response
  HTTP/1.0 200 OK                                               ← status line: version, status code
  Date: Sun, 21 Apr 1996 02:20:42 GMT                           ← headers
  Server: Microsoft-Internet-Information-Server/5.0
  Connection: keep-alive
  Content-Type: text/html
  Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
  Set-Cookie: …
  Content-Length: 2543
                                                                ← blank line ends the headers
  Some data… whatever …                                         ← body

Many HTTP methods
• GET: Get the resource at the specified URL.
• POST: Create new resource at URL with payload.
• PUT: Replace current representation of the target resource with request payload.
• PATCH: Update part of the resource.
• DELETE: Delete the specified URL.

GETs should NOT change server state; in practice, they sometimes do
Old browsers don’t send PUT, PATCH, and DELETE
➤ So, almost all side-effecting requests are POSTs; real method hidden in a header or request body
In practice: it’s a mess

In practice: we need state
HTTP cookie: small piece of data that a server sends to the browser, which stores it and sends it back with subsequent requests
What is this useful for?
➤ Session management: logins, shopping carts, etc.
➤ Personalization: user preferences, themes, etc.
➤ Tracking: recording and analyzing user behavior

Setting cookies in response
  HTTP/1.0 200 OK
  Date: Sun, 21 Apr 1996 02:20:42 GMT
  Server: Microsoft-Internet-Information-Server/5.0
  Connection: keep-alive
  Content-Type: text/html
  Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
  Set-Cookie: trackingID=3272923427328234
  Set-Cookie: userID=F3D947C2
  Content-Length: 2543

  Some data… whatever …

Sending cookie with each request
  GET /index.html HTTP/1.1
  Accept: image/gif, image/x-bitmap, image/jpeg, */*
  Accept-Language: en
  Connection: Keep-Alive
  User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
  Cookie: trackingID=3272923427328234
  Cookie: userID=F3D947C2
  Host: www.example.com
  Referer: http://www.google.com?q=dingbats
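As an added example (not part of the lecture slides), the request and response shown above can be parsed with a small HTTP/1.x message parser; repeated Cookie and Set-Cookie headers are kept as arrays so that none are silently merged, and a helper lists cookies set without the Secure and HttpOnly attributes. The sample messages are constructed from the slide contents.

```javascript
// Added example, not from the lecture: minimal parser for raw HTTP/1.x
// messages like the request and response above. Repeated headers
// (Cookie, Set-Cookie) are kept as arrays so none are silently merged.

function parseHttpMessage(raw) {
  const sep = raw.indexOf("\r\n\r\n");             // blank line ends the headers
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? "" : raw.slice(sep + 4);
  const [startLine, ...headerLines] = head.split("\r\n");
  const headers = {};
  for (const line of headerLines) {
    const colon = line.indexOf(":");
    if (colon === -1) continue;                     // skip malformed lines
    const name = line.slice(0, colon).trim().toLowerCase();
    if (!headers[name]) headers[name] = [];
    headers[name].push(line.slice(colon + 1).trim());
  }
  const [a, b, c] = startLine.split(" ");
  if (a.startsWith("HTTP/")) {                      // status line: version, code, reason
    return { version: a, status: Number(b), headers, body };
  }
  return { method: a, path: b, version: c, headers, body }; // request line
}

// "Cookie: a=1; b=2" (possibly several Cookie headers) -> Map name -> value
function cookiesSent(headers) {
  const jar = new Map();
  for (const h of headers.cookie || []) {
    for (const pair of h.split(";")) {
      const eq = pair.indexOf("=");
      if (eq > 0) jar.set(pair.slice(0, eq).trim(), pair.slice(eq + 1).trim());
    }
  }
  return jar;
}

// Names of cookies a response sets without both Secure and HttpOnly.
function cookiesMissingFlags(headers) {
  return (headers["set-cookie"] || []).flatMap((h) => {
    const parts = h.split(";").map((s) => s.trim());
    const attrs = parts.slice(1).map((s) => s.toLowerCase());
    const ok = attrs.includes("secure") && attrs.includes("httponly");
    return ok ? [] : [parts[0].split("=")[0]];
  });
}

// Constructed sample messages, modelled on the slides above.
const SAMPLE_REQUEST = ["GET /index.html HTTP/1.1", "Host: www.example.com",
  "Cookie: trackingID=3272923427328234", "Cookie: userID=F3D947C2", "", ""].join("\r\n");
const SAMPLE_RESPONSE = ["HTTP/1.0 200 OK", "Content-Type: text/html",
  "Set-Cookie: trackingID=3272923427328234", "Set-Cookie: userID=F3D947C2; Secure; HttpOnly",
  "", "Some data"].join("\r\n");
```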

Going from HTTP response to code execution…

Basic browser execution model
Each browser window:
➤ Loads content
➤ Parses HTML and runs JavaScript
➤ Fetches subresources (e.g., images, CSS, JavaScript)
➤ Responds to events like onClick, onMouseover, onLoad, setTimeout

Nested execution model
Windows may contain frames from different sources
➤ Frame: rigid visible division
➤ iFrame: floating inline frame
Why use frames?
➤ Delegate screen area to content from another source
➤ Browser provides isolation based on frames
➤ Parent may work even if frame is broken

Document object model (DOM)
JavaScript can read and modify the page by interacting with the DOM
➤ OO interface for reading and writing website content
Includes the browser object model
➤ Access window, document, and other state like history, browser navigation, and cookies
https://en.wikipedia.org/wiki/Document_Object_Model

Modifying the DOM using JS
Page contains a list with id t1 holding one item:
  • Item 1

  const list = document.getElementById('t1');
  const newItem = document.createElement('li');
  const newText = document.createTextNode('Item 2');
  list.appendChild(newItem);
  newItem.appendChild(newText);

Modern websites are complicated

Lecture objectives
• Basic understanding of how the web works
• Understand relevant attacker models
• Understand browser same-origin policy

Relevant attacker models
Network attacker
  (figure: browser talking to http://example.com over the network)
  https://letsencrypt.org/stats/
Web attacker
  (figure: browser visiting https://evil.com)

Relevant attacker models
Gadget attacker
Web attacker with capabilities to inject limited content into honest page
  (figure: https://example.com)

Most of our focus: web attacker
  (figure: https://evil.com)
And variants of it
  (figure: example.com, example.com, example.com)

Lecture objectives
• Basic understanding of how the web works
• Understand relevant attacker models
• Understand browser same-origin policy

Web security model
Safely browse the web in the presence of attackers
➤ The browser is the new OS analogy
  (figure)
  OS: Process 1, Process 2 (isolated by VM + UIDs + seccomp-bpf); resources: files/sockets (protected by UIDs + ACLs)
  Browser: Page 1 (4chan.org), Page 2 (bank.ch); resources: cookies/fetch

Same origin policy (SOP)
Origin: isolation unit/trust boundary on the web
➤ (scheme, domain, port) triple derived from URL
SOP goal: isolate content of different origins
➤ Confidentiality: script contained in evil.com should not be able to read data in bank.ch page
➤ Integrity: script from evil.com should not be able to modify the content of bank.ch page
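As an added example (not from the lecture), the origin triple can be computed from a URL with the standard URL parser and compared component by component; the lecture's own URL is used to show that path, query string and fragment do not affect the origin, while a change of scheme, domain or port does.

```javascript
// Added example, not from the lecture: derive the (scheme, domain, port)
// origin triple the same-origin policy compares, and check two URLs against
// each other. Uses the standard URL parser available in browsers and Node.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);
  // u.port is "" when the port is the scheme's default, so fill it in:
  // https://host and https://host:443 must map to the same origin.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol.slice(0, -1), domain: u.hostname, port };
}

// Returns the triple components that differ; [] means same origin.
function originDiff(a, b) {
  const x = originOf(a), y = originOf(b);
  return ["scheme", "domain", "port"].filter((k) => x[k] !== y[k]);
}

function sameOrigin(a, b) {
  return originDiff(a, b).length === 0;
}

// The lecture's URL: path, query string and fragment play no part in the origin.
const LECTURE_URL =
  "https://cseweb.ucsd.edu:443/classes/fa19/cse127-ab/lectures?nr=7&lang=en#slides";
```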

There is no one SOP
There is a same-origin policy for…
➤ message passing (via postMessage)
➤ network access
➤ CSS and fonts
