Category: Security

A sequence of requests and responses from one browser to one site
– session can be long or short
– without session management, users would constantly re-authenticate

Storing session tokens
-browser cookie, embed in URL, hidden form field

Prevent and limit damage of XSS
->
XSS attacks bypass the same origin policy by tricking a site into delivering malicious code along with intended content

Approach: restrict resource loading to a white-list
script-src, connect-src, font-src, frame-src, img-src, media-src, object-src, style-src, default-src

CSP will allow third party widgets(e.g. Google +1 button) to be embedded on your site

Cross origin resource sharing
-A technique for relaxing the same-origin policy, allowing JavaScript on a web page to consume content from a different origin.
-server can inspect origin header and respond with Access-Control-Allow-Origin header

definition of an origin
A combination of URI(UniformResource Identification) scheme hostname, and port number.

Same origin policy for DOM.

Cryptographic Checksums
generate tag: T MACsign(k, SID || name || value)

Malware Attacker:
Attacker escapes browser isolation mechanisms and runs separately under control of OS
Browsers may contain exploitable bugs
often enable remote code execution by web site
even if browsersd were bug-free, still lots of vulnerabilities on the web
XSS, SQLi, CSRF, …

Web Threat Models
Malware Attacker, Network Attacker, Web Attacker

Basic Execution Model
1. Loads content
2. Renders
Processes HTML and scripts to display the page. May involve images, subframes, etc.
3. Response to event

Frame Security
windows may contain frames from different sources
Frame:Rigid division as part of frameset
iFrame: floating inline frame

readCookie, writeCookie

Browsing Context
-A frame with its DOM
-A web worker, which does not have a DOM

Modern structuring mechanisms
-HTML5 iframe sandbox
-content security policy
-cross-origin resource sharing
-HTML5 web workers
-sub resource integrity

DNS: Hierarchical Name Space

root
org, net, edu, com, uk, ca
wisc, ucb, gt, cmu, mit

Client -> locak DNS Resolver -> root&edu DNS server, gatech.edu DNS Server, cc.gatech.edu DNS Server

DNS record types(partial list)
NS: name server
A: address record
MX: address in charge of handling email

DNS responses are cached
DNS negative queries are cached
Cached data periodically times out

Users/hosts trust the host-address mapping provided by DNS

DNS Packet
IP Header, UDP Header, DNS data
Query ID: 16 bit random value

Internet infrastructure
– local and inter-domain routing
– TCP/IP for routing and messaging
– BGP for routing announcements

@Domain name system
find ip address from symbolic name
(www.cc.gatech.edu)

AT&T, CenturyLink, KPN International, NTT Communications, Sprint, Telecom Italia Sparkle, Telia Carrier, Zayo Group, Cogent Communications, Deutsche Telekom AG, Level 3 communications, Orange, Tata Comuunications, Telefonica Global Solutions, Verizon Enterprise Solutions

IP Provides only best effort delivery, it is not guaranteed
Due the connectionless nature of IP, data corruption, packet loss, duplication, and out-of-order delivery can occur.

IP Authentication
– Easy to override using raw sockets
– Libnet: a library for formatting raw packets with arbitrary IP headers

Transmission Control Protocol
Connectiion-oriented, preserves order
Acknowledge receipt; lost packets are resent

Random Initial Sequence Numbers
TCP SYN, ACK, Command, SYN/ACK

Address Resolution Protocol(ARP)
Open Shortest Path First(OSPF)
Border Gateway Protocol(BGP)

Methodology

footprinting: whois, nslookup
scanning: nmap, fping
enumeration: dumpACL, showmount legion, rpcinfo
gaining access: Tcpdump, Lophtcrack NAT
escalating privilege: Johntheripper, getadmin
Pilfering: Rhosts, user data, Config files, registry
Covering tracks: zap, rootkits
Creating back door: cron, at, startup folder netcat, keystroke logger, remote desktop

Target on cyber attacks
defense contractor, restaurant, software

botnets
credit card and bank account theft, ddos and ransomware extortion, click fraud and ad injection, spam, bitcoin mining
carder and cashiers, phishing, counterfeit goods, malware attachments

Deep web(96% of WWW content): it is not indexed by standard search engines
Dark web: web content that exists on darknets
surface web(4% of WWW content): readily available to the public, and searchable with standard search engines

Test to evaluate
-strengths of all security controls

SSL/TLS handshake
RSA Encrypt -> RSA Decrypt

DoS Mitigation
Client puzzle: slow down attacker
Moderately hard problem: given challenge c find x such that
-LSBn(SHA-1 (c || x)) = 0^n
hardness of challenge:n
-decided based on DoS attack volume
Limitations:
-requires changes to both clients and servers
-Hurts low power legitimate clients during attack
CPU power ratio
-high end server / low end cell phone = 8000
-> impossible to scale to hard puzzles
Interesting observation
– Main memory access time ratio
– high end server / low end cell phone = 2
Solution requires many main memory accesses
– dwork-goldberg-naor, crypto
– abadi-burrows-manasse-wobber, acm toit

Traceback
-given set of attack packets
-determine path to source
assumption
-most routers remain uncompromised
-attacker sends many packets

IP header format
-connectionless
-unrerliable
-best effort

version, header length, type of service, total length, identification, flags, fragment offset, time to live, protocol, header checksum, source address of originating host, destination address of target host, options, padding, ip data

TCP
-session based, congestion control, in order delivery
source port, dest port, seq number, ack number, urg, ack, psh, psr, syn, fin, other stuff

TCP handhake
syn: SNc <- randc, ANc <- 0 SYN packets with random source IP addresses Fills up backlog queue on server No further connections possible A classic SYN flood example MS Blaster worm(2003) - SYN flood on port 80 to windowsupdate.com -50 SYN packets every second, each packet is 40 bytes -spoofed source IP:a.b.X.Y where X,Y random Low rate SYN flood defenses Non-solution -increase backlog queue size or decrease timeout Correct solution - sycookies: remove state from server Massive flood
command bot army to flood specific target
20,000 bots can generate 2Gb/sec of SYNs
at web site:
saturates network uplink or network router
random source IP -> attack SYNs look the same as real SYNs

Idea: only forward established TCP connections to site

Stronger attacks: TCP connection flood
Command bot army
-complete TCP connection to web site
-send short HTTP head request
-repeat

will bypass SYN flood protection proxy but
attacker can no longer use random source IPs
reveals location of bot zombies
proxy can now block or rate-limit bots

Javascript-based DDoS:
github.com <- honest end user <- inject imageFlood.js <- popular server imageFlood.js

Function imgflood(){
	var TARGET = ‘victim-website.com/index.php?’
	var rand = Math.floor(Math.random() * 1000)
	var pic = new Image()
	Pic.src = ‘http://’+TARGET+rand+’=val’
}
setInterval(imgflood,10)

subnet spoofing: Generate random addresses within a given address space
random spoofing: Generate 32-bit numbers and stamp packets with them.
fixed spoofing: The spoofed address is the address of the target.

server application: the attack is targeted to a specific application on a server
network access: the attack is used to overload or crash the communication mechanism of a network
infrastructure: the motivation of this attack is a crucial service of a global internet operation, for example core router

application
-> small number of packets -> big effect
application attacks:
DoS bug: Design flaw allowing one Machine to disrupt a service
Dos flood: Command botnet to generate flood of requests
sample Dos at different layers: link, TCP/UDP, application