Security Aspects of Internet Related Software Engineering


Security Issues of Internet-Based Systems
Many thanks to Mag. Clemens Bruckmann for his help in designing the slides!
1
Why Care About Security?
• security involves a tradeoff with regard to functionality: “turn off every feature you don’t need” [Conallen 99]
• it is a (non-functional) requirement enabling software to work properly
• the company needs security in order to prevent
– loss of crucial information
– loss of company goodwill
– loss of confidence
– extensive costs of interruption of service
• the customer wants security
– confidentiality of private data
2
Scope of Security
• software
– intrinsic threats: bugs, poor configuration
– user threats: lack of robustness, poor authentication
– third party threats: unauthorized “listening” (hackers), data corruption (crackers), denial of service (DoS) attacks, virus infection
• hardware
– theft, destruction, “act of God” (flood, fire)
• the human factor
3
Scope of Security – Consequence
• obscurity is not security
• holistic view of software engineering: project planning should encompass
– sound programming and configuration
– physical security measures
– security awareness within:
• The development process
• The organization and the team
4
Areas of Risk in a Web Application
• Client: downloaded software can damage the system or expose private and personal information
• Network: network traffic can be monitored, leading to the potential exposure of sensitive data
• Server:
– unauthorized access can lead to possible system damage or theft of data
– malicious attacks can render a system inoperable
5
Server-Side Security
• a server is more likely to be attacked when placed on the Internet
• specific risk for Web servers: improper configuration, e.g.
– enabling optional features that are not required, such as directory browsing;
– use of SSI (server-side includes); some SSIs allow the execution of general operating system commands or scripts
• advice: look out for new OS patches, read newsgroups
6
Server-Side Security: Authentication
• establishing someone’s identity based on
– possession
• chip card, hardware token, infrared badge, radio badge
• biometrics
– knowledge (good password practice is vital!)
• password
• ability to decrypt a “challenge” that has been encrypted with one’s public key
7
Server Side Security: Fields of Risk
• DoS (denial of service) attacks
• unchecked buffer exploits
• privilege elevation attacks
• directory traversal attacks
• from outside, or even more dangerous, from inside, e.g. by an annoyed employee → “task-based authorization”
8
Network Security: Types of Attacks
• simple “sniffing”
[Diagram: Client ↔ Server, with the Attacker listening on the link]
– intruder listens, but does not modify communication
9
Network Security: Types of Attacks
• man-in-the-middle attack, “session hijacking”
[Diagram: Client ↔ Attacker ↔ Server; the Attacker sits in the communication path]
– intruder might modify communication
10
Network Security: Firewalls
• filtering certain traffic
[Diagram: Local Network – Firewall – Internet]
11
Network Security: Cryptography
• encryption of communication to ensure
– data integrity
• data has not been altered or corrupted
– data confidentiality
• data is intelligible to intended receiver only
– data authenticity
• data comes from an authenticated person
12
Symmetric Encryption Algorithms
• same key for encryption and decryption
– key must be kept secret
– need to exchange the key “out of band”
[Diagram: Sender – Network – Receiver, with the same Key at both ends; provides authenticity, integrity, confidentiality]
13
Asymmetric Encryption Algorithms
• key pair: public key + private key
– public key to be made widely known, private key to be kept secret
– still need to verify authenticity of public key
• “out of band” or
• by a certificate from a trusted third party (TTP)
[Diagram: Sender – Network – Receiver; the private key of the sender (at the Sender) and the public key of the sender (at the Receiver) give authenticity and integrity; the public key of the receiver (at the Sender) and the private key of the receiver (at the Receiver) give confidentiality]
14
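The sign-then-encrypt flow of the diagram, as an added Go example (not code from the original slides): the sender signs with its own private key and encrypts with the receiver's public key, the receiver decrypts with its private key and verifies with the sender's public key, and a signature altered on the network is rejected. The key pairs, the message and the choice of RSA-PSS for signing and RSA-OAEP for encryption are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func sum(b []byte) []byte { h := sha256.Sum256(b); return h[:] } // SHA-256 digest as a slice

// Seal (sender side): sign with the private key of the sender (authenticity,
// integrity), then encrypt with the public key of the receiver (confidentiality).
func Seal(msg []byte, senderPriv *rsa.PrivateKey, receiverPub *rsa.PublicKey) (ct, sig []byte, err error) {
	if sig, err = rsa.SignPSS(rand.Reader, senderPriv, crypto.SHA256, sum(msg), nil); err != nil {
		return nil, nil, err
	}
	ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, receiverPub, msg, nil)
	return ct, sig, err
}

// Open (receiver side): decrypt with the private key of the receiver, then verify with the public key of the sender.
func Open(ct, sig []byte, receiverPriv *rsa.PrivateKey, senderPub *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, receiverPriv, ct, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: altered, or not addressed to this receiver: %w", err)
	}
	if err := rsa.VerifyPSS(senderPub, crypto.SHA256, sum(msg), sig, nil); err != nil {
		return nil, fmt.Errorf("verify: not from the sender, or altered in transit: %w", err)
	}
	return msg, nil
}

// RoundTrip: fresh 2048-bit key pairs for both parties (constructed for this demo);
// seal, open, then flip one signature byte as a man-in-the-middle might and open again.
func RoundTrip(msg string) (recovered string, tamperRejected bool, err error) {
	senderKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	receiverKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ct, sig, err := Seal([]byte(msg), senderKey, &receiverKey.PublicKey)
	if err != nil {
		return "", false, err
	}
	plain, err := Open(ct, sig, receiverKey, &senderKey.PublicKey)
	sig[0] ^= 0xff // attacker on the network alters the signature
	_, tamperErr := Open(ct, sig, receiverKey, &senderKey.PublicKey)
	return string(plain), tamperErr != nil, err
}

func main() { fmt.Println(RoundTrip("transfer 100 EUR to account 42")) }
```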
Network Security: Virtual Private Networks
[Diagram: a VPN spanning the Internet]
15
Network Security: Virtual Private Networks
• public network (Internet) is used as a private network
• all members of the private network use encryption to communicate with other members of the private network
• allows for inexpensive access to individuals who are remotely located
• encryption of network traffic is provided by the infrastructure rather than by individual applications
16
Network Security: SSL, HTTPS
• SSL provides transport layer security; HTTP is an application layer protocol
[Diagram: Client – Proxy – Origin Server, with HTTP and HTTPS as alternative paths]
• HTTPS combines HTTP and SSL
• encrypts network traffic
• may involve authentication via certificates
17
Network Security: Secure Shell (SSH)
• protocol for authenticated connections
– telnet replacement (slogin)
– ftp replacement (sftp)
– tunneling of any protocol
[Diagram: on the Client, a POP3 client talks to a local SSH client; across the Network only the SSH connection is carried; on the Server, the SSH daemon hands the traffic to the POP3 daemon. Certain protocols send clear text passwords over the network, including TELNET, FTP, POP3.]
18
Network Security: Proxies
• proxies may serve several purposes
– caching content
– filtering requests
– converting between different protocols
– hiding the identity of the client from the server
• problem with SSL, HTTPS: no client authentication possible; remedy: SSL proxying – the proxy establishes a tunnel to the server
[Diagram: Client – Network – Proxy – Network – Server, with HTTP to the proxy and SSL tunneled through the proxy to the server]
19
Client Side Security: Fields of Risk
• pure HTML without client-side scripting is rather secure; risks are introduced through:
• buggy OS and browser
– VBScript, JScript, JavaScript, Java, ActiveX controls, plug-ins, MIME-type viewers
• attacks on privacy: cookies, “web bugs”
• client scripts can collect info on navigation
• viruses, Trojan horses, long-distance dialers
20
Client Side Security: Signed Code
proof of authenticity (not of harmlessness!) of code
[Diagram: the Company computes a digest of the Code and signs it, producing Signed Code (Code + Signature); the Certificate Authority (CA) issues the Company’s Certificate; the Server serves the Signed Code and the Certificate; the Client receives them and verifies the authenticity of the signature and the validity of the certificate]
21
Client Side Security: Sandbox
• untrusted internet content resides in a “sandbox” and is not allowed to perform potentially dangerous operations
– reading from and writing to the client’s file system
– starting programs on the client (e.g. format c:)
– making calls to native system functions (DLL function calls)
22
Client Side Security: JDK 1.0
Source: http://java.sun.com/docs/books/tutorial/security1.2/overview/index.html
23
Client Side Security: JDK 1.1
Source: http://java.sun.com/docs/books/tutorial/security1.2/overview/index.html
24
Client Side Security: JDK 1.2
Source: http://java.sun.com/docs/books/tutorial/security1.2/overview/index.html
25
Client Side Security: ActiveX, Plug-Ins
[Diagram: a Web Page Element is rendered by an ActiveX control or Browser Plug-In, which runs inside the Browser directly on the Operating System]
26
Client Side Security: ActiveX, Plug-Ins
• an ActiveX control is a compiled module embedded in an HTML page
• hence: free access to all client resources
• principal security mechanisms:
– code signing for downloaded ActiveX controls
– implementation of security measures at the point the component is being requested to load on the client
– Internet Explorer: security zones (network domain subset containing trusted hosts)
27
Planning for Security: Security View
• security view within the architecture model, to ensure that security considerations are taken into account at an early stage
– may contain users/actors (customers, account managers, certificate authorities), policies, certificates, authentication (technology)
28
Security Awareness
• awareness of risks and threats
• security policies
– feasible
– written
– enforced
• model security policies:
http://www.sans.org/newlook/resources/policies/policies.htm
29
Further Acknowledgments
• Jim Conallen, Building Web Applications with UML, Addison-Wesley 2000, ISBN 0-201-61577-0.
• Erik Wilde, World Wide Web, Technische Grundlagen, Springer 1999, ISBN 3-540-64700-7.
30