Lecture 15 - Web Security: CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger
Uploaded by Arpit Gupta
© Attribution Non-Commercial (BY-NC)
Lecture 15 - Web Security

CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger
www.cse.psu.edu/~tjaeger/cse497b-s07/

CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

Web Server
Entry point for clients
  To a variety of services
  Customized for clients (e.g., via cookies)
  Supported by complex backend applications (e.g., databases)

Target of attackers
  Common protocol
  Supports a wide range of inputs
  Complex software interactions
  Running with high privilege

Q: How does this impact vulnerabilities, threats, risks?

Web Server Deployments


Note the multiple application layers and connection to legacy code


Web Server Software


E.g., IIS 7


Web Server Architecture

[Diagram: Server Components]
  Network
  Server Front-End (e.g., IIS)
  Application Layer (e.g., Active Server Pages)
  Legacy Application
  Database Layer (pick your favorite)
  Generic Services (e.g., SMTP, FTP, etc.)

Server-side Scripting
Program placed directly in content, run during request time, and output returned in content
  MS Active Server Pages (ASP)
  PHP
  mod_perl
  server-side JavaScript
  Python, ....

Nice at generating output

Dangerous if tied to user input

Dynamic Content Security
Largely just applications
  Secure inasmuch as the applications are secure
  Command shells, interpreters are dangerous

Three things to prevent DC vulnerabilities
  Validate input
    Input often received as part of user-supplied data, e.g., a cookie
  Limit program functionality
    Don't leave open-ended functionality
  Execute with limited privileges

Web Server Vulnerabilities

Not surprisingly, these are numerous
  For IIS 5, the focus was on function
    All services were ON by default
    Buffer overflow -- e.g., Code Red

Interactions between components are complex
  HTTP input to database queries
    SQL Injection -- execute user input directly

Web server permissions
  Web servers have broad access
    Deface web server -- modify server files
    Compromise system -- modify system files
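The two slides above name the defensive pattern (validate input, keep functionality narrow) and the failure it prevents (SQL injection, "execute user input directly"). The following Python example is added here to show both side by side; it is not code from the lecture. It builds a constructed in-memory SQLite table, contrasts a query that splices user input into SQL text with a parameterized query, and adds an allowlist check for a hypothetical customer-name cookie in front of the query (the cookie format and table layout are assumptions for the example).

```python
import re
import sqlite3


def setup_db():
    """Constructed in-memory table standing in for the backend database (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, item TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "book"), (2, "bob", "lamp"), (3, "carol", "desk")],
    )
    return conn


def orders_unsafe(conn, customer):
    """The slide's 'execute user input directly': the value becomes part of the SQL text,
    so quote characters in it change the query's meaning."""
    query = "SELECT item FROM orders WHERE customer = '%s' ORDER BY id" % customer
    return [row[0] for row in conn.execute(query)]


def orders_safe(conn, customer):
    """Parameter binding: the driver passes `customer` as data, never as SQL syntax."""
    rows = conn.execute("SELECT item FROM orders WHERE customer = ? ORDER BY id", (customer,))
    return [row[0] for row in rows]


# Allowlist for a customer name arriving in a cookie (hypothetical format: short lowercase token).
CUSTOMER_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def valid_customer(value):
    """Validate input before it reaches any backend; reject anything outside the allowlist."""
    return CUSTOMER_RE.fullmatch(value) is not None


def orders_from_cookie(conn, cookie_value):
    """Request handler: validation first, then one narrowly scoped parameterized query."""
    if not valid_customer(cookie_value):
        raise ValueError("rejected customer cookie")
    return orders_safe(conn, cookie_value)


if __name__ == "__main__":
    db = setup_db()
    injected = "x' OR '1'='1"  # constructed input containing SQL syntax
    print("unsafe:", orders_unsafe(db, injected))   # every row leaks
    print("safe:  ", orders_safe(db, injected))     # no customer has that literal name
    print("cookie:", orders_from_cookie(db, "bob"))
```

The validation layer and the parameterized query are independent defenses: the allowlist limits what the application will even consider, and binding ensures that whatever does get through is treated as a value rather than as query structure.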

What can be done?

Checklist for IIS 5
  windows.stanford.edu/docs/IISsecchecklist.htm
  Gives an idea of what must be done for IIS

Some examples
  Disable all unnecessary ISAPI filters [services]
  Delete DLLs [libraries] associated with disabled filters
  Website must never be on the system drive
  Only necessary services -- only SMTP
  Remove NTFS write permissions where possible
  Obscurity
    Don't use obvious names for script and code directories
  Set default website to extreme security

IIS 7 does many of these -- automate all?

Web Server as a Host Security Problem

Adversary's Goal
  Integrity/Secrecy/Availability
  Get code running on your system that is under the adversary's control

Ways to Execute Code
  Accessible interfaces
    Defense: minimize attack surface
  Vulnerable interfaces
    Defense: prevent various code injections: buffer overflows
  Privilege
    Attackers want this code to do as much as possible
    Defense: minimize its privilege

Canonical (common) DOS - Request Flood

Attack: request flooding
  Overwhelm some resource with legitimate requests, e.g., a web server or phone system

Note: an unintentional flood is called a flash crowd
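To make the flood-versus-flash-crowd distinction concrete, here is an added Python example (not from the lecture) that runs a per-client rate check over a few constructed web-server access-log lines in Common Log Format. One constructed source sends six requests inside a five-second window, while four other constructed sources each send one; only the first is reported. The window size and threshold are assumptions chosen for the sample, and the IP addresses and timestamps are made up.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines in Common Log Format (made-up traffic, not real data).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Mar/2007:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [15/Mar/2007:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [15/Mar/2007:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [15/Mar/2007:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [15/Mar/2007:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [15/Mar/2007:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.10 - - [15/Mar/2007:10:00:01 +0000] "GET /news.html HTTP/1.1" 200 2048
192.0.2.11 - - [15/Mar/2007:10:00:02 +0000] "GET /news.html HTTP/1.1" 200 2048
192.0.2.12 - - [15/Mar/2007:10:00:03 +0000] "GET /news.html HTTP/1.1" 200 2048
192.0.2.13 - - [15/Mar/2007:10:00:04 +0000] "GET /news.html HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Return (client_ip, unix_time) for one CLF line, or None if the line is malformed."""
    try:
        ip = line.split(" ", 1)[0]
        stamp = line[line.index("[") + 1 : line.index("]")]
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        return ip, int(when.timestamp())
    except ValueError:
        return None


def requests_per_window(lines, window_seconds):
    """Count requests per (client, fixed time bucket); malformed lines are skipped."""
    counts = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, t = parsed
        counts[(ip, t // window_seconds)] += 1
    return counts


def flood_sources(lines, window_seconds=5, threshold=5):
    """Clients that exceed `threshold` requests in any single window (assumed defaults)."""
    counts = requests_per_window(lines, window_seconds)
    return sorted({ip for (ip, _), n in counts.items() if n >= threshold})


def distinct_sources(lines):
    """How many different clients appear: many low-rate clients look like a flash crowd."""
    return len({p[0] for p in map(parse_line, lines) if p is not None})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("sources:", distinct_sources(lines))
    print("flooding:", flood_sources(lines))
```

A per-source threshold only catches a flood from few sources; a flash crowd, or a flood spread across many sources, shows up instead as a large number of distinct clients each under the threshold, which is why the slide that follows turns to tests that distinguish people from bots rather than counting requests.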

DOS Prevention - Reverse-Turing Tests

Turing test: measures whether a human can tell the difference between a human and a computer (AI)
Reverse Turing test: measures whether a user on the Internet is a person, a bot, whatever
CAPTCHA - Completely Automated Public Turing test to tell Computers and Humans Apart
  Contorted image humans can read, computers can't
  Image processing pressing the state of the art (SOA), making these harder

Note: often used not just for DOS prevention, but for protecting free services (email accounts)

DOS Prevention - Puzzles

Make the solver present evidence of work done
  If work is proven, then process the request
  Note: only useful if request processing is significantly more work than

Puzzle design
  Must be hard to solve
  Easy to verify

Canonical Example
  Puzzle: given x bits of the input r and h(r), where h is a cryptographic hash function
  Solution: invert h(r)
  Q: Assume you are given 108 bits of input for a 128-bit hash input; how hard would it be to solve the puzzle?
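The following Python example, added here and not part of the lecture, implements the canonical puzzle from the slide: the server picks a random 128-bit r, reveals all but the low bits of r together with h(r), the client must recover r by exhaustive search, and the server checks the answer with a single hash. SHA-256 is assumed as the hash h (the slide does not name one), the hidden bits are taken to be the low-order bits of r, and worst_case_work gives the exhaustive-search bound 2^(128 - given) that the slide's question asks about (2^20 for 108 given bits).

```python
import hashlib
import secrets

R_BITS = 128            # the puzzle input r is 128 bits, as on the slide
R_BYTES = R_BITS // 8


def h(r):
    """The slide's hash h applied to the 128-bit integer r; SHA-256 is an assumption here."""
    return hashlib.sha256(r.to_bytes(R_BYTES, "big")).digest()


def make_puzzle(given_bits, rng=secrets.randbits):
    """Server side: draw a random r, reveal its top `given_bits` bits and h(r).
    r itself is returned only so a caller can check the solver; the server keeps it secret."""
    r = rng(R_BITS)
    hidden = R_BITS - given_bits
    known = (r >> hidden) << hidden          # low `hidden` bits cleared
    return known, h(r), r


def solve_puzzle(known, target, given_bits):
    """Client side: brute-force the hidden low bits until the hash matches (hard to solve)."""
    hidden = R_BITS - given_bits
    for candidate in range(1 << hidden):
        guess = known | candidate
        if h(guess) == target:
            return guess
    return None


def verify_solution(known, target, answer, given_bits):
    """Server side: one mask comparison and one hash evaluation (easy to verify)."""
    hidden = R_BITS - given_bits
    if answer is None or not 0 <= answer < (1 << R_BITS):
        return False
    return (answer >> hidden) << hidden == known and h(answer) == target


def worst_case_work(given_bits):
    """Hash evaluations an exhaustive solver needs at most: one per hidden-bit pattern."""
    return 1 << (R_BITS - given_bits)


if __name__ == "__main__":
    given = 116                               # 12 hidden bits keeps the demo quick
    known, target, secret_r = make_puzzle(given)
    answer = solve_puzzle(known, target, given)
    print("solver found r:", answer == secret_r)
    print("server accepts:", verify_solution(known, target, answer, given))
    print("worst case for 108 given bits:", worst_case_work(108))
```

The asymmetry the slide asks for is visible in the two functions: solve_puzzle performs up to 2^hidden hash evaluations while verify_solution performs exactly one, so the server can raise the client's cost by revealing fewer bits without raising its own.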

Take Away
The complexity of web server (and web client) systems makes ensuring their security complex
  A single interface (HTTP) enhances function
  Lots of services can be accessed, which makes the attack surface large
  The variety of inputs via this interface makes detecting malicious input very difficult
  Privileges available to injected code can be sufficient to take over the system

Servers are high-profile targets
  Valuable info (credit cards, private user data)
  Represent an entity (denial of service)