CSCE 790 – Secure Database Systems


CSCE 201
Web Browser Security
Fall 2015
Web Evolution

Past: Human usage
– HTTP
– Static Web pages (HTML)

Current: Human and some automated usage
– Interactive Web pages
– Web Services (WSDL, SOAP, SAML)
– Semantic Web (RDF, OWL, RuleML, Web databases)
– XML technology (data exchange, data representation)

Future: Semantic Web Services
CSCE 201 - Farkas
2
ARE THE EXISTING SECURITY
MECHANISMS SUFFICIENT TO
PROVIDE DATA AND APPLICATION SECURITY OF
THE NEXT GENERATION WEB?
Information Assurance
[Slide figure: topic cloud of information-assurance areas: Fraud, Information hiding, Privacy, Protocol analysis, Access control, Applications, Data provenance, Semantic web security, Data mining, Security, Biometrics, Trust, Computer epidemic, Policy making, Encryption, Anonymity, Inference control, Negotiation, Formal models]
Web Browser
Software with a simple role:
• Connect to a web address
• Fetch and display content from that address
• Send data from a user to that address
CSCE 522 - Farkas
5
Security Issues for Browsers
• Often connect to many addresses instead of only the address shown in the address bar
• Fetching data requires access to many locations to obtain pictures, audio or linked content
• Browser can be malicious or can be corrupted to have malicious functionality
• Many browsers support add-ins to add new features, but these add-ins can include malicious code
Security Issues for Browsers
• Data display involves many commands that control rendering, positioning, motion, layering and even invisibility
• Browser can access any data on the user’s computer; it generally runs with the same privileges as the user
• Browsers connect users to outside networks, but few users can monitor what is transmitted
• Browser’s effect is immediate and transitory
Browser Attacks
There are 3 attack vectors:
• Target the operating system so it will obstruct the browser’s correct and secure functioning
• Target the browser or its components, add-ons or plug-ins, so the browser’s activity is altered
• Intercept or modify communication to or from the browser
Internet Attacks
• Download browser code
• Privacy attack
• Web site attack during surfing
• Email
Download browser code
• JavaScript, Java, ActiveX
[Slide figure: a Web Server sends an HTML document with JavaScript across the Internet; the user’s computer downloads the HTML document with JavaScript and runs the JavaScript]
JavaScript
• Not for standalone applications; resides inside HTML documents
• Interpreted into machine-understandable code
• Can be downloaded automatically
– Cannot read, write, create, delete, or list files
– Has no networking capabilities
– Can: capture and send user information
Java
• Complete programming language; standalone applications
• Java applets: downloaded with HTML
• Can perform processing
– May harm computer
• Defense: sandbox
• Signed vs. unsigned Java applets
ActiveX
• Rules defining how applications under the Windows OS should share information
• ActiveX controls (add-ons):
– Specific ways of implementing ActiveX
– Can be activated through scripting languages or by HTML commands
• Can perform functions similar to Java applets but directly access the OS
• Signed vs. unsigned
Privacy Attacks
• Cookies: let a Web site track whether a user has previously visited the site
– User-specific information, stored on the user’s computer
– First-party cookie vs. third-party cookie
– Can reveal browsing habits of individuals
• Adware: delivers unsolicited advertising content
– Pop-up windows
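The first-party vs. third-party distinction from the cookie slide, worked through in JavaScript as an added example (not from the lecture slides): a cookie is attributed to the page in the address bar by comparing registrable domains, so cookies set by embedded tracking hosts stand out. The public-suffix table and the sample Set-Cookie headers are constructed for the example.

```javascript
// Added example (not from the lecture slides): classify cookies set while the user
// browses as first-party or third-party, from raw Set-Cookie headers.
// Constructed stub standing in for the real public-suffix list.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Registrable domain (eTLD+1), e.g. "news.example.com" -> "example.com".
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/^\./, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return labels.slice(-2).join(".");
}

// Parse one Set-Cookie header value into its name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const [key, value = true] = attr.split("=");
    cookie.attrs[key.toLowerCase()] = value;
  }
  return cookie;
}

// A cookie from a response sent by `responseHost`, while the address bar shows
// `pageHost`, is third-party when the two registrable domains differ.
function classifyCookie(pageHost, responseHost, header) {
  const cookie = parseSetCookie(header);
  const scope = cookie.attrs.domain ? String(cookie.attrs.domain) : responseHost;
  const thirdParty = registrableDomain(scope) !== registrableDomain(pageHost);
  return {
    name: cookie.name,
    party: thirdParty ? "third-party" : "first-party",
    secure: "secure" in cookie.attrs,
    httpOnly: "httponly" in cookie.attrs,
    sameSite: cookie.attrs.samesite ? String(cookie.attrs.samesite) : "unset",
  };
}

// Constructed sample: the page the user typed in, plus two responses it triggered
// (its own server and an embedded ad/tracking host).
const PAGE_HOST = "news.example.com";
const SAMPLE_RESPONSES = [
  ["news.example.com", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
  ["cdn.tracker.net", "uid=42; Domain=.tracker.net; Path=/; Secure; SameSite=None"],
];
function cookieReport() {
  return SAMPLE_RESPONSES.map(([host, hdr]) => classifyCookie(PAGE_HOST, host, hdr));
}
```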
Attacks while surfing
• Safe surfing? Passive surfing?
• Redirecting web traffic:
– Typing mistakes
– Attacker: registering “wrong” URLs
• Drive-by downloads
– Use scripting to download malicious content
– Spreading at an alarming rate
Internet Defenses
• Popup blocker
• Browser settings, e.g., IE Web browser:
– Configure your browser’s security and privacy settings
– Keep your browser updated
– Sign up for alerts
– Be cautious when installing plug-ins
– Install security plug-ins
Next Class
• Application Security
• M. Mimoso, XcodeGhost Malware Stirring Up More Trouble, https://threatpost.com/xcodeghost-malwarestirring-up-more-trouble/114778/