<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta charset="utf-8">
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-HF4HSC64G3"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag() {
dataLayer.push(arguments);
}
gtag('js', new Date());
gtag('config', 'G-HF4HSC64G3');
</script>
<title>CloudAppSec@COINS15</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<!-- Le styles -->
<link href="css/bootstrap.css" rel="stylesheet">
<style>
body {
padding-top: 60px;
/* 60px to make the container go all the way to the bottom of the topbar */
}
</style>
<link href="css/bootstrap-responsive.css" rel="stylesheet">
</head>
<body>
<div class="navbar navbar-inverse navbar-fixed-top">
<div class="navbar-inner">
<div class="container">
<a class="brand" href="http://jsflow.net/coins-2015.html">Cloud app security @ COINS Summer School
2015</a>
</div>
</div>
</div>
<div class="hero-unit">
<h2>Cloud app security</h2>
<p>
This page contains information to get you started on the challenges provided for the lectures on cloud app security:
</p>
<ul>
<li> the <a href="http://ifc-challenge.appspot.com/steps/start">Information flow challenge</a> courtesy of
<a href="http://www.cse.chalmers.se/~andrei">Andrei Sabelfeld</a> at <a href="http://www.chalmers.se">Chalmers</a>, and</li>
<li> the three code injection challenges.</li>
</ul>
<p>
If you want to play with JSFlow in the browser you can download an (unreleased) experimental version that runs in Firefox. This version might be unstable, since it is under development. Please do not spread it further - there is an official release of JSFlow
which will soon include the Firefox extension, Tortoise. <i>If you find
bugs we would appreciate it if you reported them to us!</i>
</p>
<div class="row" align="center">
<a class="btn btn-primary btn-large" href="coins-2015/tortoise.xpi">Download Tortoise</a>
</div>
<p>Please note that, due to fast-changing internal security models, Tortoise is not guaranteed to work in newer (or older) versions of Firefox. We develop Tortoise on <a href="http://ftp.mozilla.org/pub/firefox/releases/30.0/">Firefox
30</a>.</p>
<p> You might be interested in the slides for <a href="coins-2015/slides-tuesday.pdf">Tuesday</a> and the original slides for <a href="coins-2015/slides-thursday.pdf">Thursday</a>. If you want to download the source of JSFlow or play around
with the online interpreter, then head over to <a href="http://www.jsflow.net">jsflow.net</a>.</p>
</div>
<div class="container">
<h3> Setup for injection challenges </h3>
<p>
Before you start you need to download Node.js from <a href="http://nodejs.org">nodejs.org</a>. The Hrafn app, the ad service and the analytics service are built using the <a href="http://expressjs.com/">Express</a> web framework. You also
need to download the <a href="coins-2015/hrafn.zip">source code</a> for Hrafn and the other services.
<p>
Once you are set you should see something like the following if you execute <code>node -v</code>
<pre>$ node -v
v0.12.2</pre>
<p> Just to make sure that you have npm as well
<pre>$ npm -v
2.7.4</pre>
<p> If you unzip hrafn.zip you should get three directories
<pre>
hrafn/server
hrafn/adserv
hrafn/analytics</pre>
<h4>hrafn/server</h4>
The server of the main app. Before it can be started the JavaScript libraries it uses must be downloaded and installed. You do this with <code>npm install</code> which should result in something like this
<pre>$npm install
[email protected] node_modules/passport-local
[email protected] node_modules/passport
...
</pre>
<p>Don't worry - nothing will be installed on the system. It's all downloaded into the directory of the app itself. Once the dependencies have been installed you start the server with <code>node index.js</code> which should give
<pre>$ node index.js
Node app is running on port 5000
</pre>
<p> indicating that the server is running and bound to port 5000. You can now browse to <a href="http://localhost:5000">http://localhost:5000</a> and get Hrafn; of course since we are not running the ad service or the analytics
service those won't work.
<h4>hrafn/adserv</h4>
The ad service used by Hrafn. Again you need to run <code>npm install</code> before you can run <code>node
adserv.js</code> which should give
<pre>$ node adserv.js
Node app is running on port 4999</pre>
<p> indicating that the server is running and bound to port 4999.
<h4>hrafn/analytics</h4>
The analytics service used by Hrafn. Again you need to run <code>npm install</code> before you can run <code>node
analytics.js</code> which should give
<pre>$ node analytics.js
Node app is running on port 4888</pre>
<p> indicating that the server is running and bound to port 4888.
<h4>Putting it all together</h4>
Now, if you start all three servers in different console windows you should now be able to play with a working version of <a href="http://localhost:5000">Hrafn</a>!
</div>
<hr>
<div class="container">
<h3>The injection attacks </h3>
<p>
Your challenge is to implement the three injection attacks we introduced during the lecture. I realize that not all of you may have a strong background in JavaScript or the browser API. For this reason the ads, the analytics service
and Hrafn are implemented so that they already use the building blocks you need to perform the attacks. I believe the code should be self-explanatory for a reasonably experienced programmer. If there is something you don't understand, ask a friend,
me or Google for a solution - the Mozilla Developer Network (MDN) has a lot of useful information.
</div>
<div class="container">
<h4>The analytics service injection attack</h4>
<p>
The simplest attack is the analytics service injection attack, since you are in direct control of the code that the analytics server provides. Create an attack that sends back the credentials to the analytics server.
<p>
Files that you are allowed to modify
<ul>
<li>hrafn/analytics/*</li>
</ul>
</div>
<hr>
<div class="container">
<h4>The ad injection attack</h4>
This attack involves creating a new ad that injects code to steal the credentials and send them back to the attacker. There are two main challenges. First, at the risk of giving too much away - note that a script injected by modifying <em>innerHTML</em> creates a script node but is not automatically executed. Second, where will you send the stolen credentials? You are not allowed to change the code of the ad server.
<p>
Files that you are allowed to modify
<ul>
<li>hrafn/adserv/ads/*</li>
<li>hrafn/adserv/public/ads/*</li>
</ul>
<p> Note that the adserver serves the ads in the <em>hrafn/adserv/ads/</em> directory in a round robin fashion in the order provided by the OS.
</div>
<hr>
<div class="container">
<h4>The XSS attack</h4>
The XSS attack is the most powerful one, since it does not require control of any of the services. In fact, since Hrafn allows you to post anonymously you don't even have to have an account. Find a way to craft a message that you post on Hrafn and that
steals the credentials of subsequent logins. Can you make a user automatically post his credentials on Hrafn on login?
<p>
Files that you are allowed to modify
<ul>
<li>None</li>
</ul>
</div>
<hr>
<div class="container">
<h3> Literature </h3>
<p><a href="http://www.owasp.org">Open Web Application Security Project (OWASP)</a> is a non-profit organisation that provides a lot of interesting information on vulnerabilities and protection mechanisms. They also create the OWASP Top 10 list, which
lists the most common vulnerabilities.
<p>For information about Cross Site Scripting (XSS) head over to <a href="http://www.cgisecurity.com/xss-faq.html">http://www.cgisecurity.com/xss-faq.html</a>. OWASP also has a <a href="https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet">cheat
sheet</a> on XSS prevention that illustrates well why the current techniques are complex.
<p>
On the topic of what the cloud and its benefits are.
<p>
<div class="row">
<div class="span12">
<a href="https://www.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-28.pdf"> <strong>Above the Clouds: A
Berkeley View of Cloud Computing</strong></a><br> Michael Armbrust, et al.
</div>
</div>
</p>
<p>
A popular science text about the cloud.
<p>
<div class="row">
<div class="span12">
<a href="http://static1.1.sqspcdn.com/static/f/702523/10181434/1294788395300/201101-Hassan.pdf?token=3U2iPHHXJgGKE2qJ6B3%2FwC4drEs%3D">
<strong>Demystifying Cloud Computing</strong></a><br> Qusay F. Hassan
</div>
</div>
</p>
<p>
On web sandboxes, the article by Politz, Guha and Krishnamurthi gives good background with multiple pointers to the sandboxes themselves. It is also a very good article that describes an interesting and impressive endeavour to verify the correctness of AdSafe.
You can also visit their project page for more information, <a href="http://www.jswebtools.org/adsafety/">http://www.jswebtools.org/adsafety/</a>.
<p>
<div class="row">
<div class="span12">
<a href="http://cs.brown.edu/~sk/Publications/Papers/Published/pgk-type-verif-sandbox-journal/">
<strong>Type-Based
Verification of Web Sandboxes</strong></a><br> Joe Gibbs Politz, Arjun Guha, Shriram Krishnamurthi
</div>
</div>
</p>
<p>On the topic of the dangers of third-party script inclusion I recommend the article by Nikiforakis et al.
<p>
<div class="row">
<div class="span12">
<a href="https://seclab.cs.ucsb.edu/media/uploads/papers/jsinclusions.pdf"> <strong>You Are What You
Include:
Large-scale Evaluation of Remote JavaScript Inclusions</strong></a><br> Nick Nikiforakis, et al.
</div>
</div>
</p>
<p>For information on information-flow control I recommend the following article written for the Marktoberdorf summer school 2011 as a starting point. It contains references to many of the standard works on both static and
dynamic information-flow control.
<p>
<div class="row">
<div class="span12">
<a href="http://www.cse.chalmers.se/~andrei/mod11.pdf"> <strong>A Perspective on Information-Flow
Control</strong></a><br> Daniel Hedin and Andrei Sabelfeld
</div>
</div>
</p>
<p>For information about dynamic taint tracking I recommend the following technical report by Benjamin Livshits
<p>
<div class="row">
<div class="span12">
<a href="http://research.microsoft.com/pubs/176596/tr.pdf"> <strong>Dynamic Taint Tracking in Managed
Runtimes</strong></a><br> Benjamin Livshits
</div>
</div>
</p>
<p>For information on the fundamentals of dynamic information-flow control I recommend the following two articles
<p>
<div class="row">
<div class="span12">
<a href="http://www.cse.chalmers.se/~andrei/psi09.pdf"> <strong>From dynamic to static and back: Riding
the
roller coaster of information-flow control research</strong></a><br> Alejandro Russo, Andrei Sabelfeld
</div>
</div>
<div class="row">
<div class="span12">
<a href="http://www.cse.chalmers.se/~andrei/csf10.pdf"> <strong>Dynamic vs. Static Flow-Sensitive
Security
Analysis</strong></a><br> Alejandro Russo, Andrei Sabelfeld
</div>
</div>
</p>
<p>For information on how to construct policies in the presence of mutual distrust I recommend, e.g.,
<p>
<div class="row">
<div class="span12">
<a href="http://www.cse.chalmers.se/~andrei/asiaccs10.pdf"> <strong>A Decentralized Model for
Information
Flow Control</strong></a><br> Andrew C. Myers, Barbara Liskov
</div>
</div>
</p>
<p>For decentralized policies in the web setting see, e.g.,
<p>
<div class="row">
<div class="span12">
<a href="http://www.cs.cornell.edu/andru/papers/iflow-sosp97/paper.html"> <strong>A Lattice-based
Approach
to Mashup Security</strong></a><br> Jonas Magazinius, Aslan Askarov, Andrei Sabelfeld
</div>
</div>
</p>
<h4> Work relating to JSFlow </h4>
<p>
If you are interested in JSFlow and its foundations, these are the articles that provide them. This is the same list as on the JSFlow main page.
</p>
<p>
<div class="row">
<div class="span12">
<a href="http://www.cse.chalmers.se/~andrei/csf15-hybrid.pdf">
<strong>Value-sensitive Hybrid Information Flow Control for a JavaScript-like Language.</strong>
</a> <br> Daniel Hedin, Luciano Bello, and Andrei Sabelfeld
In <em>Proceedings of the IEEE Computer Security Foundations Symposium (CSF)</em>, Verona, Italy, July 2015.
</div>
</div>
</p>
<p>
<div class="row">
<div class="span12">
<a href="http://www.cse.chalmers.se/~andrei/sac14.pdf">
<strong>JSFlow: Tracking Information Flow in JavaScript and its APIs.</strong>
</a> <br> Daniel Hedin, Arnar Birgisson, Luciano Bello, and Andrei Sabelfeld
In <em>Proceedings of the ACM Symposium on Applied Computing (SAC)</em>, Gyeongju, Korea, March 2014.
</div>
</div>
</p>
<p>
<div class="row">
<div class="span12">
<a href="http://www.cse.chalmers.se/~andrei/essos14.pdf">
<strong>Architectures for Inlining Security Monitors in Web Application.</strong>
</a> <br> Jonas Magazinius, Daniel Hedin, and Andrei Sabelfeld
In <em>Proceedings of the International Symposium on Engineering Secure Software and Systems
(ESSoS)</em>, Munich, Germany, February 2014.
</div>
</div>
</p>
<p>
<div class="row">
<div class="span12">
<a href="http://www.cse.chalmers.se/~andrei/jsflow-csf12.pdf"><strong>Information-flow security for a
core
of JavaScript.</strong> </a> <br> Daniel Hedin and Andrei Sabelfeld
In <em>Proceedings of the IEEE Computer Security Foundations Symposium</em>, Harvard University, Cambridge MA, June 25-27, 2012. IEEE Computer Society Press.
</div>
</div>
</p>
<p>
<div class="row">
<div class="span12">
<a href="http://www.cse.chalmers.se/~andrei/jsflow-csf12.pdf"> <strong>Boosting the Permissiveness of
Dynamic Information-Flow Tracking by Testing.</strong> </a> <br> Arnar Birgisson, Daniel Hedin, and Andrei Sabelfeld
In <em>Proceedings of the European Symposium on Research in Computer Security (ESORICS)</em>, Pisa, Italy, September 2012, LNCS, Springer-Verlag.
</div>
</div>
</p>
</div>
<script src="js/jquery.js"></script>
<script src="js/bootstrap.js"></script>
</body>
</html>