Security Issues of Internet-Based Systems

Date post: 01-Jan-2016
Upload: hall-robles
Page 1: Security Issues of Internet-Based Systems

Many thanks to Mag. Clemens Bruckmann for his help with the design of the slides!

Page 2: Why Care About Security?

• security involves a tradeoff with respect to functionality: “turn off every feature you don’t need” [Conallen 99]
• security is a (non-functional) requirement enabling software to work properly
• the company needs security in order to prevent
  – loss of crucial information
  – loss of company goodwill
  – loss of confidence
  – extensive costs of interruption of service
• the customer wants security
  – confidentiality of private data

Page 3: Scope of Security

• software
  – intrinsic threats: bugs, poor configuration
  – user threats: lack of robustness, poor authentication
  – third party threats: unauthorized “listening” (hackers), data corruption (crackers), denial of service (DoS) attacks, virus infection
• hardware
  – theft, destruction, “act of God” (flood, fire)
• the human factor

Page 4: Scope of Security – Consequence

• obscurity is not security
• holistic view of software engineering: project planning should encompass
  – sound programming and configuration
  – physical security measures
  – security awareness within:
    • the development process
    • the organization and the team

Page 5: Areas of Risk in a Web Application

• Client: downloaded software can damage the system or expose private and personal information
• Network: network traffic can be monitored, leading to the potential exposure of sensitive data
• Server:
  – unauthorized access can lead to possible system damage or theft of data
  – malicious attacks can render a system inoperable

Page 6: Server-Side Security

• a server is more likely to be attacked when placed on the Internet
• specific risk for Web servers: improper configuration, e.g.
  – enabling optional features that are not required, such as directory browsing
  – use of SSI (server-side includes); some SSIs allow the execution of general operating system commands or scripts
• advice: look out for new OS patches, read newsgroups

Page 7: Server-Side Security: Authentication

• establishing someone’s identity based on
  – possession
    • chip card, hardware token, infrared badge, radio badge
    • biometrics
  – knowledge
    • password
    • ability to decrypt a “challenge” that has been encrypted with one’s public key

good password practice is vital!

Page 8: Server Side Security: Fields of Risk

• DoS (denial of service) attacks
• unchecked buffer exploits
• privilege elevation attacks
• directory traversal attacks
• from outside or, even more dangerous, from inside, e.g. by an annoyed employee: “task-based authorization”

Page 9: Network Security: Types of Attacks

• simple “sniffing”
  – intruder listens, but does not modify communication

[Figure: Client, Attacker, Server]

Page 10: Network Security: Types of Attacks

• man-in-the-middle attack, “session hijacking”
  – intruder might modify communication

[Figure: Client, Attacker, Server]

Page 11: Network Security: Firewalls

• filtering certain traffic

[Figure: Local Network, Firewall, Internet]

Page 12: Network Security: Cryptography

• encryption of communication to ensure
  – data integrity
    • data has not been altered or corrupted
  – data confidentiality
    • data is intelligible to intended receiver only
  – data authenticity
    • data comes from an authenticated person

Page 13: Symmetric Encryption Algorithms

• same key for encryption and decryption
  – key must be kept secret
  – need to exchange the key “out of band”

[Figure: Sender (Key), Network, Receiver (Key); labels: authenticity, integrity, confidentiality]

Page 14: Asymmetric Encryption Algorithms

• key pair: public key + private key
  – public key to be made widely known, private key to be kept secret
  – still need to verify authenticity of public key
    • “out of band” or
    • by a certificate from a trusted third party (TTP)

[Figure: Sender, Network, Receiver; labels: public key of receiver, private key of receiver, private key of sender, public key of sender; authenticity, integrity; confidentiality]

Page 15: Network Security: Virtual Private Networks

[Figure: VPN, Internet]

Page 16: Network Security: Virtual Private Networks

• the public network (Internet) is used as a private network
• all members of the private network use encryption to communicate with other members of the private network
• allows inexpensive access for remotely located individuals
• encryption of network traffic is provided by the infrastructure rather than by individual applications

Page 17: Network Security: SSL, HTTPS

• SSL provides transport layer security
• HTTPS combines HTTP and SSL
• encrypts network traffic
• may involve authentication via certificates

HTTP is an application layer protocol

[Figure: Client, Proxy, Origin Server; connections labelled HTTP and HTTPS]

Page 18: Network Security: Secure Shell (SSH)

• protocol for authenticated
  – telnet replacement (slogin)
  – ftp replacement (sftp)
  – tunneling of any protocol

certain protocols send clear text passwords over the network, including TELNET, FTP, POP3

[Figure: Client (POP3 client, SSH client), Network, Server (SSH daemon, POP3 daemon)]

Page 19: Network Security: Proxies

• proxies may serve several purposes
  – caching content
  – filtering requests
  – converting between different protocols
  – hiding the identity of the client from the server
• problem with SSL, HTTPS: no client authentication possible
  remedy: SSL Proxying – proxy establishes tunnel to server

[Figure: Client, Network, Proxy, Network, Server; labels: HTTP; SSL tunneled through proxy]

Page 20: Client Side Security: Fields of Risk

• Pure HTML without client-side scripting is rather secure. Risks are introduced through:
• buggy OS and browser
  – VBScript, JScript, JavaScript, Java, ActiveX controls, plug-ins, MIME-type viewers
• attacks on privacy: cookies, “web bugs”
• client scripts can collect info on navigation
• viruses, Trojan horses, long-distance dialers

Page 21: Client Side Security: Signed Code

proof of authenticity (not of harmlessness!) of code

[Figure: Client, Company, Server and Certificate Authority (CA); elements: Code, Code digest, Signature, Signed Code, Certificate; arrows: issues certificate, signs, serves, receives, serves certificate, verifies validity of certificate, verifies authenticity of signature]
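
The signed-code flow of this slide as an added example (not part of the original slides): a CA certifies the company's public key, the company signs the code digest, and the client checks the certificate and then the signature. It uses textbook RSA with toy keys purely to stay self-contained; the key values, the name "Example Company", the sample code strings and all function names are constructed for illustration.

```python
import hashlib

E = 65537  # public exponent shared by all toy keys

def make_key(p, q):
    """Textbook RSA: return (modulus n, private exponent d). Toy sizes, not secure."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    # The slide's "code digest": SHA-256, reduced to fit the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)         # needs the private exponent

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)  # needs only the public key

CA_N, CA_D = make_key(2**107 - 1, 2**127 - 1)  # constructed CA key (Mersenne primes)
CO_N, CO_D = make_key(2**61 - 1, 2**89 - 1)    # constructed company key

def cert_body(subject, n):
    return f"{subject}|{n}".encode()

def issue_certificate(subject, subject_n, ca_n=CA_N, ca_d=CA_D):  # issuer signs name + key
    return {"subject": subject, "n": subject_n,
            "ca_sig": sign(cert_body(subject, subject_n), ca_n, ca_d)}

def client_check(code, code_sig, cert):
    """Client: check the certificate against the trusted CA key, then the code."""
    if not verify(cert_body(cert["subject"], cert["n"]), cert["ca_sig"], CA_N):
        return "reject: certificate not issued by the trusted CA"
    if not verify(code, code_sig, cert["n"]):
        return "reject: code does not match its signature"
    return "accept: authentic code from " + cert["subject"]

def demo():
    cert = issue_certificate("Example Company", CO_N)
    code = b"show_welcome_banner()"             # constructed sample code
    unwanted = b"collect_browsing_history()"    # constructed; same signer
    r_n, r_d = make_key(2**89 - 1, 2**107 - 1)  # key not vouched for by the CA
    r_cert = issue_certificate("Example Company", r_n, r_n, r_d)  # self-issued
    return {
        "genuine": client_check(code, sign(code, CO_N, CO_D), cert),
        "tampered": client_check(code + b"#", sign(code, CO_N, CO_D), cert),
        "self-issued cert": client_check(code, sign(code, r_n, r_d), r_cert),
        "unwanted but signed": client_check(unwanted, sign(unwanted, CO_N, CO_D), cert),
    }

print(demo())
```

The last case is accepted like the first: the signature establishes who published the code, not what the code does.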

Page 22: Client Side Security: Sandbox

• untrusted internet content resides in a “sandbox” and is not allowed to perform potentially dangerous operations
  – reading from and writing to the client’s file system
  – starting programs on the client (e.g. format c:)
  – making calls to native system functions (DLL function calls)

Page 23: Client Side Security: JDK 1.0

Source: http://java.sun.com/docs/books/tutorial/security1.2/overview/index.html

Page 24: Client Side Security: JDK 1.1

Source: http://java.sun.com/docs/books/tutorial/security1.2/overview/index.html

Page 25: Client Side Security: JDK 1.2

Source: http://java.sun.com/docs/books/tutorial/security1.2/overview/index.html

Page 26: Client Side Security: ActiveX, Plug-Ins

[Figure: Operating System; Browser; ActiveX control, Browser Plug-In; Web Page; Element; arrows: renders, renders]

Page 27: Client Side Security: ActiveX, Plug-Ins

• An ActiveX control is a compiled module embedded in an HTML page
• Hence: free access to all client resources
• Principal security mechanisms:
  – Code signing for downloaded ActiveX controls
  – Implementation of security measures at the point where the component is requested to load on the client
  – Internet Explorer: Security zones (network domain subset containing trusted hosts)

Page 28: Planning for Security: Security View

• security view within the architecture model, to enforce that security considerations are taken into account at an early stage
  – may contain users/actors (customers, account managers, certificate authorities), policies, certificates, authentication (technology)

Page 30: Further Acknowledgments

• Jim Conallen, Building Web Applications with UML, Addison-Wesley 2000, ISBN 0-201-61577-0.
• Erik Wilde, World Wide Web, Technische Grundlagen, Springer 1999, ISBN 3-540-64700-7.

