CSC2031 Security Programming Revision Slides 2024-25 PDF
Document Details
Uploaded by UnaffectedSitar1811
Newcastle University
2024
Summary
Revision slides for CSC2031 Security Programming at Newcastle University. The slides cover computer security fundamentals, such as threats, vulnerabilities, and the importance of website security.
Full Transcript
Exam Revision Slides CSC2031 Security Programming From Newcastle. For the world.

Topic 1 Security Foundations

What is computer security?
There is no single definition of computer security:
Computer security, also called cybersecurity, is the protection of computer systems and information from harm, theft, and unauthorized use (Britannica).
Computer security, cybersecurity, digital security, or information technology security (IT security) is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide (Wikipedia).
Computer security, also referred to as cybersecurity, involves protecting computer systems and networks from information disclosure, theft, or damage to their hardware, software, or electronic data (Lenovo).
Computer security is the protection system that is installed in computer systems to protect important data and information that is stored in the computer from unauthorized access, misuse of information and data, and information and data theft (Knowledgehut).
In essence, computer security is about the protection of computer systems from bad stuff.
Protection involves preventing, detecting and reacting to unauthorized actions by computer system users.

Why is computer security important?
The UK’s National Cyber Security Centre (NCSC) states:
Computer security is important because smartphones, computers and the internet are now such a fundamental part of modern life, that it's difficult to imagine how we'd function without them. From online banking and shopping, to email and social media, it's more important than ever to take steps that can prevent cyber criminals getting hold of our accounts, data, and devices.

Why is computer security important?
Computer Systems are Valuable Targets
Much of the data we use or store in computer systems such as bank account numbers, credit card information, passwords, work related documents or sheets, etc. is of a sensitive nature.
Our wellbeing (comfort, safety, health, welfare, prosperity, success, contentment) is dependent on the security of this data.
As well as personal information, data can relate to:
Protected health information (PHI).
Intellectual property.
Government.
Industry.
University.
This data is valuable to cyber criminals.

Why is computer security important?
Computer Systems have many Security Threats
Data present in a computer may be stolen.
Data present in a computer may be misused or altered by unauthorised intrusion.
Malicious intents are a key factor in computer security, for example:
Malicious users can modify and change a program's source code.
Malicious users can use someone else’s pictures or email accounts to create derogatory content such as fake, misleading and offensive social accounts.
Malicious users might crash someone’s computer system to create data loss.
Malicious users can use your computer for attacking other computers, websites or networks for creating havoc.

THREAT: Using computers to attack other computers
A bot (web robot) is a software application that runs automated tasks (scripts) over the Internet.
A bot is created when malware (programming to remotely control a computer) is placed onto a target computer.
A botnet (robot network) is a network of malware infected computers running one or more bots.
Legitimate access to a website is hampered or denied by a botnet sending so many requests to the website’s server that the server becomes overloaded, becomes slow, or even crashes.
This is a Distributed Denial of Service (DDoS) attack.

Why is computer security important?
Cybercrime is Growing
Without security, computer systems and their owners (individuals, organisations, nation states) cannot defend themselves against data breaches.
Data theft is the most expensive and fastest-growing segment of cybercrime.
According to the Ninth Annual Cost of Cybercrime Study from Accenture and the Ponemon Institute (2019): ‘the average cost of cybercrime for an organization has increased by $1.4 million over the last year to $13.0 million and the average number of data breaches rose by 11% to 145’
According to researchers at Cybersecurity Ventures, the cost of cybercrime was predicted to hit $8 trillion in 2023, growing to $10.5 trillion by 2025.

Why is computer security important?
Cybercrime Comes With a Cost
A lack of security can particularly damage organisations in a range of ways including:
Economic Cost - Theft of intellectual property, corporate information, disruption in trading, and the cost of repairing damaged systems.
Reputational Cost - Loss of consumer trust, loss of current and future customers to competitors, and poor media coverage.
Regulatory Cost – The General Data Protection Regulation (GDPR) and other data protection laws mean that organisations can suffer from large regulatory fines or sanctions because of poor data protection.
Meta – fined $1.3 Billion, Amazon – fined $823 Million, WhatsApp – fined $248 Million, BA – fined £20 Million.

What is it we are really trying to protect?
Previously we said computer security is about the protection of computer systems from bad stuff.
But what is the fundamental purpose of a computer system?
A computer is an electronic device for inputting, outputting, storing and processing data.
A computer is an electronic device that processes data according to instructions that are provided by computer programs.
A computer is a programmable device that stores, retrieves, and processes data.
A computer is a device for working with data.
Underneath it all, it is really the data we want to protect.
Protecting computer systems is about ensuring those systems input, output, store and process data in an authorized way.

How can data be compromised?
Security literature commonly highlights three main ways data can be compromised or breached.
1. The unauthorized disclosure of data.
2. The unauthorized modification of data.
3. The unauthorized withholding of data.

What are the Key Properties of Computer security?
Computer security is concerned with providing and maintaining three key properties to protect against the three main ways data can be compromised or breached.
1. Confidentiality - protects against the unauthorized disclosure of data.
2. Integrity – protects against the unauthorized modification of data.
3. Availability - protects against the unauthorized withholding of data.
These properties form what is commonly called the CIA triad.
The emphasis of the CIA Triad is the prevention of unauthorised actions.

The CIA Triad
The CIA Triad is a common model that forms the basis for the development of secure computer systems.
The Confidentiality, Integrity, and Availability of data is crucial to the secure operation of computer systems.
Ideally, when all three properties have been met, the security profile of a computer system is stronger and better equipped to handle security threats.

Confidentiality
The confidentiality of data is maintained if the data is kept private or restricted as intended.
Only authorised users can access specific data.
Users without proper authorisation should be prevented from accessing confidential data.
Confidentiality can be more important than the other goals, for example when:
The value of the data depends on limiting access to it.
Data is proprietary data of a company.
Data is a record of people’s personal activities or includes personal and financial information of a company’s customers.

Integrity
The integrity of data is maintained only if the data is authentic, accurate, and reliable.
Only authorised users should be able to modify specific data when needed.
Users without proper authorisation should be prevented from tampering with data.
Integrity can be more important than the other goals, for example when:
Data must be accurate and consistent. Inaccurate and inconsistent data loses value.
Data is financial data - Integrity is typically the highest concern in banking systems.

Availability
The availability of data is maintained if the data can be used or obtained.
Data should be available to authorised users when needed.
Even if data is kept confidential and its integrity maintained, it is often useless unless it is available to those who need it.
Users without proper authorisation should be prevented from withholding data.
Availability can be more important than the other goals, for example when:
Data must be sent or seen – e.g., an urgent government press release or medical emergency.

Unavailability – Ransomware Attacks
Ransomware: a type of malware which prevents access to devices and the data stored on them, usually by encrypting the data files.
A criminal group will then demand a ransom in exchange for decryption.

More Security Properties
As well as the CIA Triad, other concepts can be seen in the literature as necessary properties of secure computer systems.
Authentication
Determining whether someone or something is, in fact, who or what it says it is.
Only once users are authenticated can they be given the correct authorisations to access protected resources such as data.
We will look at authentication later in much more detail.

More Security Properties
Non-repudiation
The ability to ensure that someone cannot deny or contest responsibility for their action(s).
The provision of unforgeable evidence that a specific action occurred.
For example, assurance that the sender of data is provided with proof of delivery and the recipient is provided with proof of the sender's identity. Neither can later deny having processed the data.
Non-repudiation is closely related to accountability such that users should be responsible for their actions.
This is necessary because even authorised actions can lead to a violation of security.

Repudiation - It Wasn’t Me
Repudiation – the denial of the truth or validity of something.

What are threats, vulnerabilities, and risk?
When talking about security, it is important to understand three concepts, and the relationship between them:
Threat: A potential negative action or event that has the potential to harm a computer system.
Vulnerability: A weakness in a computer system that can be exploited by a threat to deliver a successful attack.
Risk: The potential (or chance) for loss or damage when a threat exploits a vulnerability. Often represented as Risk = Threat x Vulnerability
As security practitioners we want to reduce or even eliminate risk by implementing security properties (as seen on previous slides) into computer systems.

How do we do Computer Security?
Previously we said computer security is about protecting data, which involves preventing, detecting, and reacting to unauthorized actions by users of computer systems.
There are many aspects to computer security including: Network security, Endpoint security, Information security, Cloud security, IoT security, Mobile security, Application security.
Computer security is also multilayered: physical security, security processes and policies, technical security.
From a practical viewpoint, computer security involves:
Controlling physical access to computer hardware.
Controlling malpractice by users, whether intentional, accidental, or due to them being tricked into deviating from secure procedures.
Protecting against harm that may come via network access, bad data, or code injection.

Topic 2 Authentication

Introduction
There are many cases where applications need to be able to process requests from individual users wanting to interact with the application at the same time.
Arguably all requests will have some aspect of security, many relating to the concept of Authorisation.
Imagine a user U requests to carry out action A on object O.
Authorisation is about checking if user U is allowed to carry out action A on object O and returning a YES or NO response (True/False).
This is determined by a set of authorisation rules, or authorisation policy.
Before such questions can be answered, it is necessary to know with a high degree of confidence who user U is.
If we can’t be certain who a user is, how can we make correct authorisation decisions about what they are allowed to do?

Authentication
Authentication is the process or action of verifying the identity of a user.
In other words, is the user authentic; are they in fact, who they say they are?
Users must declare their identity by presenting evidence to prove they are who they say they are.
Like presenting a passport – only once identity has been verified can the question of whether you can enter the country be assessed.
Evidence presented is called an Authentication Factor which can be put into one of three categories.
Knowledge Factor – something you know, e.g., password
Possession Factor – something you have, e.g., smart card
Inherence Factor – something you are, e.g., fingerprint

Authentication in Applications
Applications may have a mixture of public (home page, shopping pages) and protected areas (account page, payment page, admin page).
If so, all users should be forced to authenticate themselves before they can access protected areas of a system or application.
Authentication mechanisms check to see if a user's credentials match existing credentials stored in a database of authorised (or registered) users.
User authentication is commonly enforced just the once with the user’s identity being remembered through their interaction with the application.
This is not always the case however as some applications require re-authentication before certain actions (e.g., bank transfers).

Authentication vs Authorisation
The terms authentication and authorisation are often used interchangeably.
While they may often be implemented together (access control) the two functions are distinct.
Authentication is the process of validating the identity of a registered user before allowing authorised access to protected resources.
Authorisation is the process of validating that the authenticated user has been granted permission to access the requested resources.
The authentication process always comes before the authorisation process.
Note that a user can be authenticated but not be authorised (i.e., fail to be given access to a resource if the user is not granted permission to access it).
We will look at authorisation in the next topic.

Authenticating Users
Now that users can create accounts with an application it is possible to authenticate users against those accounts.
Remember: users’ identities must be verified (authenticated) before user actions can be authorised.
A common way to authenticate users is to force them to enter their login credentials.
Login credentials must be a combination of data that is unique to a single user.
If an account is found that contains that unique combination of data, the user is authenticated.
Traditional login credentials consist of just 2 things:
An identifier unique to the user (e.g., username or email).
A secret only known by the user (e.g., password).

Authentication Vulnerabilities
Authentication can be broken when an attacker is able to be authenticated as a legitimate user.
This can happen for instance when login credentials:
Can be guessed.
Can be worked out.
Are exposed.
Are leaked, and the hacker gets access to them.
Basic login credentials consist of a username and password.
Usernames are often public and fairly easy to find (e.g., email address).
Passwords should be secret but are often the weak spot.

Brute Force Attacks
A Brute Force search (or exhaustive search) is a problem-solving technique that consists of trying all possible solutions to a problem until a correct solution (if it exists) is found.
Hackers can use this tried and tested approach to find a password that works amongst a set of possible passwords.
This trial-and-error approach is called a Brute Force Attack.
A simple brute force attack involves logically guessing passwords.

Guessing Passwords
Users often choose passwords that are easy to remember (BUT also weak and easy to guess).
Most common passwords:
1. Password
2. 123456
3. 123456789
4. 12345678
5. 1234567
6. Password1
7. 12345
8. 1234567890
9. 1234
10. Qwerty123
When changing passwords, users often modify a previous password.
1234 → 1234* → 1234**

Logically Guessing Passwords
Users often choose passwords that have a personal meaning.
Children and pet names
Memorable places
Birthdays
Sports teams
Hobbies
Many people (over) share this information on social media and it can be found with a little digging.

Automated Brute Force Attacks
Hackers can use software tools to automate brute force attacks.
The set of possible passwords could be very large, making the attack time-consuming and manually infeasible.
Login POST requests are continually sent to the target server containing the username and a potential password from a set of generated possible passwords.
The attack is successful if the response contains (or does not contain) some indication that the application has been logged into (e.g., a text identifier amongst the HTML).
The most basic software-based brute force attack is known as a Dictionary Attack.
The name comes from hackers running through dictionaries and amending words with special characters and numbers.
This type of attack is typically time-consuming and has a low chance of success compared to newer, more effective attack methods (e.g., AI-based attacks).

Exposing Passwords
People interact with many applications that require a password.
People are generally not good at remembering lots of things (including complex passwords).
This can increase the likelihood of exposed passwords.
Users are more likely to write passwords down.
Trade-off: Simple passwords easy to guess/brute force vs Complex passwords more likely to be exposed.

Leaking Passwords
Users often share passwords for many reasons:
Save cost – share streaming service login credentials.
Get work done – work may be delegated to someone who needs access to a system or account they shouldn’t have.
Own login credentials not working.
Passwords stored by applications can and are leaked, often with severe consequences.
Both maliciously and accidentally.

Strengthening Authentication
Common security mechanisms to help strengthen authentication include:
Password security: strong password policy, auto-generate strong passwords, password expiration, etc.
CAPTCHA: verifying the presence of a human.
Limiting login attempts: locking a user account after n login attempts.
Multifactor authentication: one-time pins, time-based pins, biometrics, etc.
Notification of unrecognised login: users notified and asked to confirm login was genuine if a login attempt is made from an unrecognised device, location or IP address.

Password Security

Password Policies
A Password Policy sets the rules that passwords for an application or system must meet, such as length and type of characters allowed and disallowed.
Additionally, the password policy might specify that a password is disallowed if it contains a term that is in a dictionary of unwanted terms. This is known as blacklisting.
More precisely, a Password Policy defines the password strength rules that are used to determine whether a new password is valid.
A password strength rule is a rule to which a password must conform.
For example, a password strength rule might specify that the minimum number of characters of a password must be 5.
A password strength rule might also specify that the maximum number of characters is 10.

Password Policies
In summary, a password policy can enforce things like:
Minimum and maximum length.
Character restrictions.
Frequency of password reuse.
Disallowed usernames or user IDs.
Specify a minimum password age.
There is no one standard policy for passwords.
It can be easy to see why users struggle to remember passwords which are then prone to exposure.

Password Policies
There is lots of guidance on creating strong (hard to crack) passwords.
The current advice from the UK’s National Cyber Security Centre (NCSC) is to create a password by combining three random words.

Password Policies
Most applications still enforce password policies with rules such as length and type of characters allowed and disallowed.
For example, a password policy could be enforced with the following strength rules:
1. The password must be at least 5 characters in length.
2. The password must be at most 10 characters in length.
3. The password must contain a number between 0 and 9.
4. The password must contain an uppercase letter.

Regular Expressions (Regex)
It may be the case that characters in a String must follow some specific pattern or sequence to be valid.
For example, a serial number: D24xyz-34FGH
Serial number must start with an Uppercase letter followed by 2 digits, followed by 3 lowercase letters, followed by a dash, followed by 2 digits, followed by 3 uppercase letters.
Programming languages make use of regular expressions (regex) for pattern matching.
A regex is a String of text that defines patterns or sequences that must be found within Strings in order to validate them.

Validating Character Existence
What if we just want to check if one or more character types exist (or don’t exist) in a String?
That is, order or position is not important nor actual value, just type existence (or non-existence).
This check is needed when creating passwords that must contain a combination of certain character types.
Rule: Validation Checks
3. Must contain a number between 0 and 9: Contains at least 1 digit in set [0 - 9]
4. Must contain an uppercase letter: Contains at least 1 character in set [A - Z]
Does a password String contain at least one digit?
Does a password String contain at least one uppercase letter?
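
The serial-number pattern and the four strength rules above, written out in Python as an added example (not code from the slides). The existence checks for rules 3 and 4 use lookahead assertions of the form (?=pattern), which test what lies to the right without moving the match position; the function names and the sample blacklist are assumptions made for this illustration.

```python
import re

# Regex literal for the serial number D24xyz-34FGH. It is matched left to
# right, so the order of the character types matters.
SERIAL_RE = re.compile(r"[A-Z][0-9]{2}[a-z]{3}-[0-9]{2}[A-Z]{3}")

# Strength rules 1-4 as a single pattern:
#   (?=.*[0-9])  rule 3: a digit exists somewhere to the right
#   (?=.*[A-Z])  rule 4: an uppercase letter exists somewhere to the right
#   .{5,10}      rules 1 and 2: between 5 and 10 characters in total
# [0-9] is used instead of \d because \d also matches non-ASCII digits.
PASSWORD_RE = re.compile(r"(?=.*[0-9])(?=.*[A-Z]).{5,10}", re.DOTALL)

# The same rules kept separate, so a registration form can report which failed.
RULES = [
    ("must be at least 5 characters in length", re.compile(r".{5,}", re.DOTALL)),
    ("must be at most 10 characters in length", re.compile(r".{0,10}", re.DOTALL)),
    ("must contain a number between 0 and 9", re.compile(r"(?=.*[0-9]).*", re.DOTALL)),
    ("must contain an uppercase letter", re.compile(r"(?=.*[A-Z]).*", re.DOTALL)),
]

# Constructed sample dictionary of unwanted terms (blacklisting); not from the slides.
BLACKLIST = ("password", "qwerty", "12345")


def is_valid_serial(serial: str) -> bool:
    # fullmatch() anchors both ends of the String. match() with "$" would
    # still accept a trailing newline, which is a common validation slip.
    return SERIAL_RE.fullmatch(serial) is not None


def is_valid_password(password: str) -> bool:
    """True if the password meets strength rules 1-4."""
    return PASSWORD_RE.fullmatch(password) is not None


def failed_rules(password: str, blacklist=BLACKLIST) -> list:
    """Descriptions of every rule the password breaks, blacklist included."""
    failures = [text for text, rx in RULES if rx.fullmatch(password) is None]
    lowered = password.lower()
    if any(term in lowered for term in blacklist):
        failures.append("must not contain a blacklisted term")
    return failures


if __name__ == "__main__":
    for candidate in ("Passw0rd", "password", "Pw1", "Qwerty123"):
        print(candidate, is_valid_password(candidate), failed_rules(candidate))
```

Password1 and Qwerty123 from the most-common-passwords list satisfy all four strength rules, so only the blacklist check rejects them.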

Regex Lookaheads
A regex generally matches from left to right (beginning to end) of a String.
The regex pointer moves left to right checking each character of a String.
Therefore, the order of characters in a String being validated is important.
This type of regex is known as a regex literal.
So how can a String be checked to find if it contains one or more character types without caring about character position?
We can use something called a Lookahead assertion (statement).
Lookaheads assert what’s to the right rather than from left to right.
The regex pointer doesn’t move but instead looks ahead at the characters in a String.

Regex Lookaheads
The formal syntax of a lookahead is: (?=pattern)
A pattern may consist of anything that may be used in a regex literal.
Anything may be (or a combination of):
Single characters.
Metacharacters.
Special sequences.
Sets.

Automatically Create Strong Passwords
Modern browsers can recognise data fields for creating passwords.
Browsers may offer an automatically generated strong password.
Generated passwords are complex.
Browsers may also save passwords (password manager).
Considerations:
Generated password may not meet password policy.
Can be bypassed with user’s own password choice.
Generated passwords are hard to remember.
Generated passwords are easily forgotten.
User ends up with multiple passwords.

Password Strength Checkers
User registration processes often have a password strength checker.
Another approach to enforcing a (less rigid) password policy.
A password that does not meet all the rules may still be valid although weaker.

Password Recovery
Web applications typically include a ‘forgotten password’ link.
Users are instructed to reset their password – create a new one.
Instructions usually sent to the user’s email account.
Considerations:
Users may not be allowed to reuse a previous password.
App needs to store previous passwords.
User ends up with multiple passwords.
Resetting passwords becomes a regular occurrence.

Changing Passwords
Enforced Changes
Web applications dealing with sensitive data may force users to change their password at set intervals.
Every 30, 60, or 90 days are typical.
Considerations:
Users may not be allowed to reuse a previous password.
App needs to store previous passwords.
User ends up with multiple passwords.
Resetting passwords becomes a regular occurrence.

Changing Passwords
Unenforced Changes
Web applications typically allow users to change their existing password.
The existing password may have been compromised.
Or, users may be given a default password when creating account.
Function is typically found on the user account/profile page.
Considerations:
Users may not be allowed to reuse a previous password.
App needs to store previous passwords.
User ends up with multiple passwords.
Resetting passwords becomes a regular occurrence.

Re-entering Passwords
Web applications dealing with sensitive data may force users to reauthenticate.
When accessing a specific area of the application.
After a specific time interval.
When taking a specific action (e.g., bank transfer).

CAPTCHA
The primary objective of CAPTCHA is to obstruct automated attacks, such as brute force attacks.
CAPTCHA is a challenge-response mechanism used to differentiate between human users and automated bots.
CAPTCHA - Completely Automated Public Turing test to tell Computers and Humans Apart.
CAPTCHAs provide challenges that are difficult for computers to complete but relatively easy for humans.
CAPTCHA does not provide additional layers of authentication beyond verifying human presence.

Text-based CAPTCHA
CAPTCHAs may be text-based.
Text-based CAPTCHAs have been shown to be vulnerable.
Jeff Yan & Ahmad Salah El Ahmad: A Low-cost Attack on a Microsoft CAPTCHA (CCS 2008)

Image-based CAPTCHA
Image-based CAPTCHAs were developed to replace text-based ones.
Typically, image-based CAPTCHAs require users to select images matching a theme or to identify images that don’t fit.
Image-based CAPTCHAs are typically easier for humans to interpret than text-based.
However, these tools present distinct accessibility issues for visually impaired users.
For bots, image-based CAPTCHAs are more difficult than text to interpret because they require both image recognition and semantic classification.
But AI is now being employed to beat them.

Modern CAPTCHA
CAPTCHAs are ever changing to try and beat the bots.

Drawbacks of CAPTCHA
The overwhelming benefit of CAPTCHA is that it is highly effective against all but the most sophisticated bots (e.g., AI-based bots).
However, CAPTCHA mechanisms can negatively affect the user experience of web applications which needs careful consideration:
Disruptive and frustrating for users.
May be difficult to understand or use for some audiences.
Some CAPTCHA types do not support all browsers.
Some CAPTCHA types are not accessible to users who view a website using screen readers or assistive devices.
There is a range of automated technologies, including APIs, browser plug-ins and extensions that enable attackers to bypass or solve CAPTCHA challenges.

reCAPTCHA
Hosted by Google, reCAPTCHA is a CAPTCHA software program.
Because reCAPTCHA is free to integrate into web applications, a wide adoption has resulted, making it the Internet’s standard CAPTCHA program.
There are 2 versions of image-based reCAPTCHA:
1. Asking users to select images matching a theme.
2. Tick a checkbox “I’m not a robot”.
If bots fail the test or attempt to access without identification, they will be blocked from interacting with the web application.

Limiting Authentication Attempts
A common threat to an authentication process is a brute force attack (password-guessing attack).
One way to block brute force attacks is to lock accounts after a defined number of incorrect authentication attempts.
Account lockouts can last a specific duration, such as one hour, or the accounts could remain locked until manually unlocked by an administrator.
Note however, account lockout is not always the best solution, because someone could easily abuse the security measure and deliberately lock out hundreds of user accounts.
In fact, some web sites experience so many attacks that they are unable to enforce a lockout policy because they would constantly be unlocking customer accounts.

Tracking Authentication Attempts
Client requests and server responses are stateless.
Each request and response is independent.
They do not ‘know’ what happened in previous requests or responses.
So how do we keep track of the number of invalid authentication attempts a user has had?
Especially when dealing with many users.
Database storage has too many overheads.
Python Flask provides sessions.
A session is an object that allows you to store information specific to a user (client) from one request to the next.
A session persists state across requests.
A session may take the form of a client-side cookie or a server-side token.
A session is associated with a user’s browser/client and not individual users using the same browser instance.

Limiting Authentication Attempts
Brute force attacks can be slowed by limiting the number of authentication attempts that can be made within a given timeframe (e.g., 5 per minute).
This approach is called rate limiting.
Rate limiting can also be used to impede other attacks (e.g., Denial of Service attacks).

Rate Limiting Breach
If a rate limit is breached a 429 error is raised.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/429
A default error webpage is shown as a result.
(Screenshots: without custom error message; with custom error message.)

Multi Factor Authentication
Multi Factor Authentication (MFA) is an authentication process commonly implemented in applications that have high exposure to security risks.
MFA requires multiple proofs (factors) of identity to authenticate a user.
Other factors are needed because as we have seen, passwords by themselves, aren’t always safe.
A hacker needs to know or have more factors to authenticate as a genuine user.
Requiring extra factors provides a higher degree of confidence that the user is who they say they are.
Internet banking applications usually require an extra authentication factor alongside a username/password such as a numerical code or letters from a word.
Numerical codes are often sent via text, personal code generating device, or authenticator application.
University Microsoft based applications now use this.

Numerical Code Generators
A text
Personal code generating device
Authenticator application

Additional Authentication Factors
There are a variety of authentication factors that are often added to strengthen the authentication process.
Some examples:
One-time password (OTP) – A unique password which can only be used once. This is typically a short string of numbers generated based on a secret stored in a physical device such as a USB token or a smartphone. Upon authentication, the one-time password is verified against the OTP vendor’s service in the cloud.
Digital (PKI) certificates – A digital certificate, issued by a trusted certificate authority, is installed on the device or in the user’s browser. The identity provider can check for the presence of valid certificates as well as revoke them at any time. Only a browser with a valid certificate will be allowed to log in.
Biometrics – fingerprints, retinal scanner, etc.
Identity card – inserted into keyboard for example (the NHS use these).

Time Based Pins
One common MFA technique used today is Time Based Pins. Users are required to enter a PIN (Personal Identification Number) within a short timeframe, typically 30 to 60 seconds. PINs are generated by software applications or hardware devices with a very precise clock. The security lies in the fact that the PIN is only valid for a short period of time. A new PIN is generated once the previous PIN becomes invalid.

Time Based Pin Generation
For time-based PINs to work, both the web server and authenticator application need to:
Possess a shared secret – a random key of 32 characters in length.
Have matching clocks – the current timestamp is combined with the random key to generate a PIN.
Using the same random key and timestamp, the web server and authenticator application can independently generate the same PIN at the same time, as long as the clocks match.
We will consider two approaches to implementing the generation of time-based PINs in a Flask application.
Manual – random keys are generated in the console and typed into an authenticator application.
Automated – random keys are generated by the application and converted to a QR code which is scannable by the authenticator application.
A consideration is whether MFA should be enforced or a user’s choice. We will consider the former.

Topic 3 Authorisation
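The Time Based Pin Generation slide above says both sides combine a shared 32-character key with the current timestamp. The following added example (not code from the course) shows that computation using only the standard library; it assumes the RFC 6238 defaults of HMAC-SHA1, a 30 second step and 6 digits, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30   # PIN lifetime; the slides give 30 to 60 seconds
DIGITS = 6          # assumption: RFC 6238 default shown by authenticator apps


def generate_shared_secret() -> str:
    """Random key: 20 random bytes encode to exactly 32 base32 characters."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def pin_at(secret_b32: str, unix_time: float) -> str:
    """Derive the PIN for the time step containing `unix_time`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // STEP_SECONDS          # same value on both sides
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation
    number = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** DIGITS).zfill(DIGITS)


def verify_pin(secret_b32, submitted, unix_time=None, drift_steps=1,
               last_used_step=-1):
    """Return the time step the PIN matched, or None if it is rejected.

    drift_steps tolerates clocks that do not match exactly; last_used_step
    (stored per user by the caller) stops a PIN being replayed while it is
    still inside its validity window.
    """
    now = time.time() if unix_time is None else unix_time
    current = int(now) // STEP_SECONDS
    matched = None
    for step in range(max(0, current - drift_steps), current + drift_steps + 1):
        expected = pin_at(secret_b32, step * STEP_SECONDS)
        same = hmac.compare_digest(expected.encode(), str(submitted).encode())
        if same and step > last_used_step:
            matched = step
    return matched
```

The server stores the returned step against the user and passes it back as `last_used_step` on the next login.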
Introduction
Many IT systems and applications are required to ensure users can only access certain things and carry out certain actions according to who they are and what job role they hold. This can be accomplished through the process of authorisation.
Authorisation involves validating that an authenticated user has been granted permission to access the requested resource(s). Granting or denying access to system resources based on user identities and access rules. This is why a user’s identity must be validated first, through the process of authentication.
Authorisation decisions can include users who have not been authenticated. Such users are often referred to as Anonymous users as opposed to authenticated users. Anonymous users may be able to do things authenticated users cannot (e.g., register an account, login).

Authorisation Process
In general, an authorisation process can be broken down into 2 distinct phases:
1. Definition phase – defining a set of authorisation rules (authorisation policy) that state what access rights users have and under what circumstances. User access rights are often referred to as user privileges or user permissions.
2. Enforcement phase – ensuring access rights are followed according to the authorisation policy.
Authorisation sounds like a simple problem but is very difficult and complex to implement correctly.
There can be huge numbers of users whose access rights must be enforced correctly.
Complexities may lead to users who do not have all the access rights they need to complete their work tasks or have some access rights they don’t need to complete their work tasks.
Users may have multiple job roles which come with different privileges and may lead to authorisation conflicts.
Users may try and by-pass authorisation mechanisms when they get in the way.
Production and security become a trade-off. Both can suffer as a result.
Authorisation Definition
Authorisation rules are defined and collected to form an authorisation policy. All organisations should have an authorisation policy (a.k.a. information security policy, access policy). Authorisation rules may be part of a wider (paper-based) security policy.
Authorisation rules are designed by security experts, business leaders, industry guidance (e.g., Cyber Essentials), law, etc.
Authorisation rules tend to be high-level and lack detail in practice. For example:
User access to application X must maintain confidentiality of company data.
It can be left to the programming team to interpret and implement authorisation rules at the code level, which is why authorisation is not always perfect.
We will consider lower-level authorisation rules, for example:
A user may not edit the post created by another user.
Only anonymous users can attempt to log in.
Only an Admin user may access the Database Administrator page.

Authorisation Enforcement
In security theory, user access is controlled by a system wide module called a reference monitor. The reference monitor verifies a user request against a table of permitted access types for each system resource. If the access request complies with the authorisation policy, it is permitted (authorised); otherwise it is denied.
A reference monitor should be NEAT:
Non-bypassable – rules cannot be broken.
Evaluable – rules can be analysed for correctness.
Always-invoked – rules are always enforced.
Tamperproof – rules cannot be changed by an unauthorised user.
Authorisation issues can arise if the monitor is not NEAT. For example, if the reference monitor can be bypassed, then the authorisation process might be ignored.
Enforcing authorisation rules in practice is often referred to as access control. In our case, authorisation rules will be enforced using various approaches interlaced across application code.
Authorisation Vulnerabilities

Authorisation Issues
Developers frequently underestimate the difficulty of implementing a reliable authorisation mechanism. Many authorisation schemes are not deliberately designed, but simply evolve along with the application. In these cases, authorisation rules are inserted in various locations all over the code. As an application nears deployment, the ad hoc collection of rules becomes so unwieldy that it is almost impossible to understand and evaluate for correctness.
Many of these flawed authorisation schemes are not difficult for experienced hackers to discover and exploit. Hackers can test and find what requests for accessing sensitive functions or data are granted in error. Hackers might be able to change or delete data, perform unauthorised actions, or even take over site administration. The consequences of a flawed authorisation scheme can be devastating.

Authorisation Issues
Hackers test applications to find reference monitors that are not NEAT:
Can be bypassed.
Implemented incorrectly.
Not always-invoked.
Can be tampered with.
A reference monitor should be NEAT:
Non-bypassable.
Evaluable.
Always-invoked.
Tamperproof.

Missing Authorisation
Previously, we said that users must be authenticated before any authorisation rules can be enforced. We have not really implemented any authorisation rules or enforcement mechanisms (access control). Although account data can only be seen by the respective logged in user.
This means users who are either authenticated or anonymous can access any webpage of our applications.
All users can access any webpage via links in the main menu.
All users can access any webpage by entering or changing URLs in the browser bar (path traversal).
All users can access blog functionality including creating posts, viewing all posts, editing and deleting any posts.
All users can access the Database Administration page, create, view and edit database content.
All users can access the Security Administration page (content yet to implement but will include security logs).
Authenticated users can try registering an account and logging in after they have already completed these actions.
Anonymous users can try to logout.

Path Traversal
Most web applications restrict user access so they can only access a specific portion of the file-system. This is called the web document root or CGI root (Common Gateway Interface root) directory. These directories contain the files intended for users to access and the executables necessary to drive the web application functionality (e.g., templates and view functions).
The Path Traversal attack technique allows an attacker access to files, directories, and commands that potentially reside outside the web document root directory. An attacker may manipulate a URL entered in a browser in such a way that a web application will reveal the contents of arbitrary files anywhere on the web server. Any device that exposes an HTTP-based interface is potentially vulnerable to Path Traversal.
Users may also use this technique to access areas inside the web document root for which they are not authorised. For example, an end user trying to access administration areas.

Path Traversal
[Figures: Path Traversal Attack; Directory Traversal Attack]

Path Traversal
To access files or execute commands anywhere on the file-system, path traversal attacks will utilise the ability of special-character sequences.
The most basic Path Traversal attack uses the ../ special-character sequence to alter the resource location requested in the URL.
../ typically means ‘go up one directory’: dir1/dir1.2/dir1.2.1/../ == dir1/dir1.2/
../ is useful because references to resources can be written without having to use the full path.
A path traversal attack is sometimes called a dot dot slash attack.
Although most popular web servers will prevent using ../ to escape the web document root, alternate encodings of ../ may bypass security filters.
../ can be represented by:
%2e%2e%2f
%2e%2e/
..%2f

Path Traversal
Valid URL to get a document:
http://some_site.com/get-files.jsp?file=report.pdf
URL is modified to execute a path traversal attack:
http://some_site.com/get-files.jsp?file=../../../../../password_file
It’s also possible to include files and scripts located on an external web application:
http://some_site.com/some-page?page=http://other-site.com/other-page.html/malicious-code.php

Authorisation Issues
All web servers and applications are susceptible to some authorisation issue(s). Even if a web application does not take user input, if it is not configured properly, hackers could gain access to sensitive files, deface webpages, or perform other mischief.
The implementation of a reliable and NEAT authorisation system can bring about unwanted attention. For example, administrative interfaces become attractive targets.
In many instances, web applications support a variety of administrative roles to allow finer granularity of site administration (e.g., database, security, HR). Web application administrators are authorised to access and process sensitive data, manage users, etc. Due to their power, administrative interfaces are frequently prime targets for attack by both outsiders and insiders.

Managing User Access

Adding Authorisation
Authorisation rules can be applied by considering users in different states. Currently, all users can access any webpage via menu links or by entering URLs in the browser. Let’s first consider users who are either anonymous or authenticated and apply some authorisation rules.
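Looking back at the Path Traversal slides above, a server-side check has to cope with the plain ../ sequence, its percent-encoded forms and remote references alike. The following is an added example, not code from the course; the function names and the document root used in testing are assumptions. It decodes first and validates afterwards, then confirms the resolved path is still inside the root.

```python
import os
from urllib.parse import unquote, urlsplit


class TraversalError(ValueError):
    """Raised when a requested name must not be served."""


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until stable, so %2e%2e%2f and %252e%252e%252f both become ../"""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded
    raise TraversalError("too many layers of percent-encoding")


def resolve_under_root(root: str, requested: str) -> str:
    """Return the absolute path for `requested`, or raise TraversalError."""
    name = fully_decode(requested).replace("\\", "/")
    if "\x00" in name:
        raise TraversalError("NUL byte in file name")
    try:
        has_scheme = bool(urlsplit(name).scheme)
    except ValueError:                      # malformed URL: treat as hostile
        has_scheme = True
    if has_scheme or name.startswith("//"):
        raise TraversalError("remote or scheme-qualified reference")
    root_real = os.path.realpath(root)
    # realpath collapses ../ and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(root_real, name.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise TraversalError("path escapes the document root")
    return candidate


def is_allowed(root: str, requested: str) -> bool:
    """Convenience wrapper returning True only for names inside the root."""
    try:
        resolve_under_root(root, requested)
        return True
    except TraversalError:
        return False
```

Comparing resolved paths, rather than searching the raw string for ../, is what makes the alternate encodings irrelevant.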
Anonymous users:
Cannot access Account
Cannot access View Posts
Cannot access Create Post
Cannot update a post
Cannot delete a post
Cannot access Security
Cannot access DB Admin
Cannot access Logout
Authenticated users:
Cannot access Registration
Cannot access Login

Adding Authorisation – Menu Links
Menu links can be easily hidden by enclosing their code with appropriate IF statements.
If current user is authenticated show links x, y, and z.
If current user is anonymous show links a, b, and c.
[Figures: menu for anonymous users; menu for authenticated users]

Missing Authorisation – View Functions
All users can still access any webpage by entering or changing URLs in the browser bar (path traversal). Remember, each URL in a Flask application maps to a unique view function using the route decorator.
Access to view functions by anonymous users can be prevented. The Flask-Login package provides the @login_required decorator.
from flask_login import login_required
The @login_required decorator can simply be added to any view functions that only authenticated users are authorised to access.

Missing Authorisation – View Functions
[Figure: login manager redirects anonymous user to Login page]

Role Based Access Control
So far, we have looked at authorisation at the individual user level, but authorisations can also be enforced for groups of users.
Role-based access control (RBAC) is a method quite commonly used within organisations for enforcing authorisation rules based on the job roles of users.
Users are assigned to roles in an IT system or application, thereby limiting user access to just the computer resources a user needs or should have to carry out their job functions or tasks.
Roles can be varied: end user, admin, security, IT technician, programmer, student, lecturer, head of school, HR, etc.
Organisations that depend on RBAC are often better able to secure their sensitive data and critical applications.

Role Based Access Control
More precisely, system-based roles can be thought of as a collection of predefined privileges or permissions. It follows that a user's assigned role determines the permissions that individual is granted.
RBAC can help to ensure users with lower-level roles can't access sensitive information or perform high-level tasks. It is best practice to limit users to the minimum required role necessary for them to complete their assigned tasks. This is known as the Principle of Least Privilege.
Before implementing RBAC, the requirements of users need to be evaluated, based on several factors, before grouping those users into roles that satisfy those requirements. Requirements include authorisation, responsibility, job competency and the resources they require to perform their duties. This is often a very complex process and difficult to get right.
RBAC can cause conflicts and usability issues, especially in scenarios where users can have more than one role.

RBAC Benefits
Improved operational efficiency.
Enhanced compliance.
Gives administrators increased visibility.
Reduces costs in terms of resources used.
Decreased risk of breaches and data leakage.
To succeed with RBAC, its implementation process should be treated as a series of steps:
1. Understanding business needs
2. Planning the scope of implementation
3. Defining roles
4. Implementation

Implementing RBAC – Roles Decorator
We saw how to prevent view function access for anonymous users by using the @login_required decorator. We also need to prevent view function access for roles that are not authorised access. Flask-Login does not provide a decorator for this purpose.
We need to create our own custom decorator. This can be done by implementing a special kind of function, called a wrapper function. All the decorators we have used so far are wrapper functions. Decorators can be used to inject additional functionality to existing functions.

RBAC Issues
There are, as you will find with many security techniques, challenges with using RBAC in practice.
Role Explosion – when the level of granularity needed for access control is too detailed, resulting in many, many roles which become hard to manage.
Somewhat rigid – once deployed, it is hard to react to changing security threats and risks.
Scalability & Dynamism – in the rush to onboard new people a situation can arise where organisation charts and job definitions have not been updated or clearly defined. RBAC may require a costly redesign to get it back on track.
Expensive and Difficult Implementation – if RBAC is decided upon as a solution, the duplication of servers and other infrastructures which support RBAC may be found to be prohibitive in terms of cost and complexity.

Logging User Events

Event Logging and Monitoring
Security event logging and monitoring are two parts of a singular process that is integral to the maintenance of a secure computer system. Every activity on a system, from logins to sending an email, can be considered a security event. All these events should be logged to monitor behaviour, especially user behaviour, in a system.
When it comes to monitoring logs, security teams will look for signs of unauthorised activities. All suspicious data activities are typically reported to key personnel for immediate action. Suspicious data activities may also be stored centrally for further analysis of long-term trends.
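The custom roles decorator described under Implementing RBAC and the logging of unauthorised activity described above fit naturally into one wrapper function. This is an added example, not the course's own code: the role names, the `session` dictionary standing in for Flask-Login's current user, and the `Forbidden` exception standing in for an HTTP 403 response are assumptions so that it runs without Flask.

```python
import functools
import logging
from dataclasses import dataclass

security_log = logging.getLogger("security")   # hypothetical logger name


@dataclass
class User:
    email: str
    role: str
    is_authenticated: bool = True


ANONYMOUS = User(email="", role="anonymous", is_authenticated=False)


class Forbidden(Exception):
    """Stand-in for the HTTP 403 response a Flask view would return."""


# Stand-in for flask_login.current_user (assumption, keeps the example offline).
session = {"current_user": ANONYMOUS}


def roles_required(*roles):
    """Allow the wrapped view only for authenticated users holding one of `roles`."""
    def decorator(view):
        @functools.wraps(view)
        def wrapped(*args, **kwargs):
            user = session["current_user"]
            if not user.is_authenticated or user.role not in roles:
                # %r escapes newlines in user-supplied values, so a crafted
                # e-mail address cannot forge extra log lines.
                security_log.warning(
                    "unauthorised access attempt view=%s user=%r role=%r",
                    view.__name__, user.email, user.role)
                raise Forbidden(view.__name__)
            return view(*args, **kwargs)
        wrapped.allowed_roles = frozenset(roles)   # makes the policy auditable
        return wrapped
    return decorator


@roles_required("db_admin")
def db_admin_page():
    return "Database Administration"


@roles_required("end_user")
def create_post(title):
    return f"created {title}"


def view_posts():            # deliberately left undecorated for the audit below
    return "all posts"


def unprotected_views(views):
    """Evaluability check: name every view that carries no role rule."""
    return sorted(v.__name__ for v in views if not hasattr(v, "allowed_roles"))


def try_view(user, view, *args):
    """Call `view` as `user`; return its result, or '403' when access is denied."""
    session["current_user"] = user
    try:
        return view(*args)
    except Forbidden:
        return "403"
    finally:
        session["current_user"] = ANONYMOUS
```

Running `unprotected_views` over every registered view before deployment is one way to check the Always-invoked property instead of assuming it.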
Event Logging and Monitoring
Security event logging and monitoring can only work when it is part of an effective data collection and analysis process. Security logs often contain a mass of data to the point where it will be near impossible for a human to effectively identify threats within it. This means there will often be missed security incidents, false flags, and duplicate information.
This also means that the key to an effective security logging and monitoring process is the ability to filter out unnecessary information and focus solely on critical events that could compromise the integrity and/or availability of confidential information.
An effective log data collection and analysis process should incorporate tools to quickly and easily review audit logs for evidence of critical events.

Critical Event Examples
Reconnaissance – where adversaries perform research on computing environments that could be their next target.
Weaponisation – an intrusion within a computing environment where adversaries have decided to take action against a network and IT systems.
Exploit delivery – the manifestation of an exploit against a vulnerability within a network or IT systems.
Installation of malware – observed when an adversary has modified native functionality in a computing environment to maintain persistence.
Command and Control – when criminal hackers gain access to a server and systems and effectively take control of a computing environment.

Benefits of Event Logging and Monitoring
Implementing a robust system of security logging and monitoring within computing environments including web applications brings several benefits:
Security logging and monitoring for the detection of security breaches: Most organisations are afflicted by different types of security events.
Security logging and monitoring can help guard against malicious external threats while also guarding against internal misuses of information. Threats can be detected in real-time to facilitate fast intervention.
Security logging and monitoring for event reconstruction: Even if a breach should occur, audit trails can facilitate a reconstruction of the events leading up to the incursion. Security personnel will have a clear idea of how the breach occurred, how to rectify vulnerabilities, and what steps are needed to prevent it from happening again.

Benefits of Event Logging and Monitoring
Security logging and monitoring for faster recovery: Downtime of systems is extremely costly to organisations. Audit logs can create a fast and effective recovery process. They can help to reconstruct data files which were lost or corrupted by reverse engineering from the changes recorded in the logs.

Topic 4 Cryptography

Cryptography Basics
We have seen how to store data in a database but what is the security issue? Data is being stored in the database in readable plain text. Obviously, this can be a major security vulnerability, especially when the data is sensitive such as a password.
It is important to store data in a way that prevents it from being read by hackers and others. Even if sensitive data is compromised it should be unreadable (without an infeasible amount of time and effort).
Cryptography is all about scrambling/encoding data so it cannot be read. More formally: Cryptography is the process of hiding or coding information so that it can only be read by the person(s) authorised to do so.
For example, the String MY SECRET TEXT can be scrambled using some secret process and stored as JV PBZOBQ QBUQ
We will look at scrambling plain text data sent over a network in a later topic.
Cryptography Basics
We will explore some basic cryptography to scramble stored data. Modern cryptography is a very large subject derived from complex mathematical concepts. You will have the opportunity at Stage 3 or Masters level to study the background and theory of cryptography. Luckily for us, Python provides cryptographic libraries that remove most of the underlying mathematical complexities.
Some basic definitions:
Plaintext – data in its human readable form.
Ciphertext – data in its unreadable or encrypted form.
Encryption – the act of scrambling plaintext into unreadable ciphertext.
Decryption – the act of unscrambling unreadable ciphertext into plaintext.
Hashing – the act of converting plain text into a unique, irreversible value.

Hashing
Hashing is a process that transforms some given data into a random fixed-length value. The hashing process does not use keys like encryption (coming later). The transformation process is encapsulated within a hash function. The resulting random fixed-length value is called a hash value (hash digest, message digest).
Hashing is a one-way process that cannot be directly reversed. Data stays confidential even if it is exposed or breached.
Hashing is generally used for data integrity and verification.
Alice sends a message to Bob, together with the hash value of the message.
On receipt, Bob calculates the hash value of the message.
If the hash value Bob calculates matches the hash value sent by Alice, Bob knows the message hasn’t been tampered with in transit.

Examples of Hash Usage
Preserves file integrity during file sharing, downloading, or copying processes. It ensures that files are intact and have not been tampered with.
Digital signatures almost always require the calculation of a cryptographic hash.
A digital signature is an electronic, encrypted, stamp of authentication on digital information such as email messages, or electronic documents. Hashing guarantees the efficiency and security of digital signature schemes.
Cryptocurrency systems use hashing to protect them from DDoS attacks and other abuses.
Password verification commonly uses cryptographic hashes. Hash digests prevent passwords from being compromised. During the user authentication process, a system will compare the user-entered password’s hashes with its own stored values.

Hashing Process
The algorithms encapsulated inside hashing functions generate a hash value for each data input. Using a hash algorithm a, one unique input string s should have one unique hash value v. In other words, the unique hash value v should always be generated each time the input string s is hashed by an algorithm a.
1st hash: Pwd123456 → $2b$12$PAfzzy5kDyq./xB6I4tf7ee6OuIggmwD5hwNg7lVlb/VrsxJGC1pO
2nd hash: Pwd123456 → $2b$12$PAfzzy5kDyq./xB6I4tf7ee6OuIggmwD5hwNg7lVlb/VrsxJGC1pO
N hash: Pwd123456 → $2b$12$PAfzzy5kDyq./xB6I4tf7ee6OuIggmwD5hwNg7lVlb/VrsxJGC1pO
In rare cases, different data inputs may have the identical hash value. This results in what is known as a hash collision and could potentially be exploited by hackers. A defining feature of any hashing algorithm is how collision resistant it is. Modern hashing algorithms are typically complex enough to avoid collisions.

Cracking Hashes
There are some situations where a hacker can work out the plain text value from a given hash value (crack a hash). A hacker could find a user’s password by doing the following:
Select a password they think the user has chosen (e.g. password1!).
Calculate the hash of the password.
Compare the hash they calculated to the hash value of the user’s password.
If they match, the hacker has correctly "cracked" the hash and now knows the plaintext value of the user’s password.
Usually, the hacker will repeat this process with a large list of potential candidate passwords. While the number of permutations can be enormous, with high-speed hardware (such as GPUs) and cloud services with many servers for rent, the cost to a hacker is relatively small to do successful hash cracking, especially when best practices for hashing are not followed.

Rainbow Tables
A common technique to try and crack hashes is to use rainbow tables. Rainbow tables are large databases of precomputed hashes and their corresponding plain text passwords. Rainbow tables can be very effective and fast, as they eliminate the need to perform hashing calculations on the fly.
However, rainbow tables also have some limitations:
Can require a lot of storage space.
Specific to a certain hashing algorithm and character set.
Ineffective against hashes that use salt or other alterations (coming next).

Strengthening Hashes
Salting
A salt is a unique, randomly generated string that is added to each password as part of the hashing process. Different salts will result in different hash values even if the value being hashed is the same. A hacker has to salt and crack hashes one at a time using the respective salt rather than calculating a hash once and comparing it against every stored hash. Modern hashing algorithms automatically salt the passwords, so no additional steps are required when using them.
Peppering
A pepper can be used in addition to salting to provide an additional layer of protection. Peppering prevents an attacker from being able to crack hashes if they gain access to the hash values. Essentially, hash values are encrypted (scrambled) with the pepper acting as the encryption key. Peppers are shared between stored hashes unlike the unique salts and so must be stored separately in a secret vault.
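The effect of salting and peppering on a precomputed table can be seen in a few lines. This is an added example, not code from the course: it uses PBKDF2 from the standard library in place of bcrypt, applies the pepper as an HMAC key before hashing (a common alternative to encrypting the stored hash), and the record format and function names are assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # assumption: work factor chosen for this example


def _derive(password: str, salt: bytes, pepper: bytes, iterations: int) -> bytes:
    # Pepper step: keyed with a secret that is stored outside the database.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    # Salted, deliberately slow hash of the peppered value.
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations)


def hash_password(password: str, pepper: bytes, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt$hash."""
    salt = secrets.token_bytes(16)          # unique per password
    key = _derive(password, salt, pepper, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str, pepper: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, key_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(key_hex)
        actual = _derive(password, bytes.fromhex(salt_hex), pepper, int(iterations))
    except ValueError:                       # malformed record
        return False
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password: str) -> str:
    """What NOT to store: a fast, unsalted hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """A tiny precomputed table: hash value -> plain text."""
    return {unsalted_sha256(c): c for c in candidates}


def recoverable_by_lookup(stored_values, table):
    """Plain texts that a precomputed table reveals from the stored values."""
    return [table[v] for v in stored_values if v in table]
```

Two users with the same password get different records, so one table lookup no longer exposes both, and without the pepper the stored values cannot be tested against guesses at all.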
Encryption
Encryption is a process of scrambling some given data, so the data becomes undecipherable (ciphertext). The encryption process does use a key or keys unlike hashing. The data scrambling process or algorithm is encapsulated within an encryption function. A specific encryption algorithm used is often referred to as a cipher.
Encryption is a two-way process, such that plaintext can be transformed into ciphertext (encryption) and the ciphertext can be transformed back to the original plaintext (decryption). Every encryption function will have a corresponding decryption function.
Encryption is generally used for data confidentiality and protection.
Alice encrypts a message with a key and sends it to Bob.
On receipt, Bob decrypts the message with a key.
Alice and Bob know the message has not been read in transit.

Examples of Encryption Usage
In a nutshell, encryption protects users and their data from cybercriminals.
Encryption is used to protect web traffic moving between clients and servers from interventions and snooping.
Virtual Private Networks (VPNs) use encryption to protect data transmitted over a network (and mask IP addresses). VPNs are extremely useful on unsecure public Wi-Fi networks, which are often popular with hackers.
End-to-end encryption is used in instant messaging services to protect the privacy of conversations. Examples: WhatsApp, iMessage, Threema.
File encryption protects file content so that no one can access it even if they intercept the files in transit or access them in storage.
Data can be encrypted at different levels within a database (from individual datapoints to a whole database).

Encryption Keys
Unlike hashing, encryption requires a unique piece of information called an encryption key. An encryption key determines how the plaintext is transformed into ciphertext and vice versa.
Keys are typically generated by random number generators, or computer algorithms that mimic random number generators. Each key is specific to a specific encryption function. Keys are unique and difficult to replicate or crack.
Keys are represented as a String of bits. Longer keys are harder to crack. Common key lengths are 128 bits for symmetric-key algorithms and 2048 bits for asymmetric-key algorithms.

Encryption Methods
Symmetric-key encryption (Private-key encryption)
The same key is used for encryption and decryption.
The key must be kept secret.
Asymmetric-key encryption (Public-key encryption)
Different keys are used for encryption and decryption.
The keys are mathematically related but it is computationally not feasible to find one from another.
The encryption key can be made public (openly shared).
The decryption key must be kept secret.

Symmetric vs Asymmetric Encryption
Asymmetric cryptography is more advanced than symmetric encryption. Both are still in use today and can be used in tandem in some situations. This is because each approach comes with advantages and disadvantages.
Two big trade-offs exist between symmetric and asymmetric encryption: speed and security.
Symmetric encryption is faster to run.
Symmetric encryption keys are shorter than asymmetric keys (e.g., 128 bits vs 2048 bits).
Symmetric encryption uses one key.
Asymmetric encryption can provide a security advantage.
Asymmetric Private key is derived from public key so does not have to be shared.
Symmetric encryption uses one private key which risks interception in situations where it must be shared.

Use Cases: Symmetric or Asymmetric
Symmetric Encryption
Typically used when speed is the priority over increased security, although symmetric encryption still offers a high level of security.
Banking: Encrypting credit card information or other personally identifiable information (PII) required for transactions.
Data storage: Encrypting data stored on a device when that data is not being transferred.
Asymmetric Encryption
Typically used when increased security is the priority over speed and when identity verification is required, as the latter is not something symmetric cryptography supports.
Digital signatures: Confirming identity for someone to sign a document.
Blockchain: Confirming identity to authorize transactions for cryptocurrency.
Public key infrastructure (PKI): Governing encryption keys through the issuance and management of digital certificates.

Use Cases: Symmetric and Asymmetric
Both symmetric and asymmetric encryption can be combined to improve speed and security at once.
Symmetric encryption is used to encrypt the bulk of the information.
Asymmetric encryption is then used to encrypt the symmetric encryption/decryption key.
SSL/TLS: Asymmetric encryption is used to encrypt a single-use symmetric encryption key, which in turn gets used to encrypt/decrypt the contents of the Internet browsing session.
Mobile chat systems: Asymmetric encryption is used to verify the identity of participants at the start of a conversation and then symmetric encryption to encrypt the ongoing contents of the conversation.

Breaking Encryption
Breaking encryption, or cryptography analysis, refers to the techniques used to defeat cryptographic systems and gain access to the underlying data without the key.
Symmetric Key Encryption Attacks – security relies on the secrecy of the key
Brute force attacks – trying every possible key until the correct one is found.
Known plaintext attacks – derive key having access to both plaintext and ciphertext.
Differential cryptanalysis – deducing how a key is generated by observing how differences in key generation input impact the key generation output.
Asymmetric Key Encryption Attacks – security relies on the secrecy of the secret key
Mathematical attacks – exploit the mathematical relationships between the public and private keys.
Side channel attacks – exploit information from the physical implementation of the encryption system, e.g. timing information, power consumption, electromagnetic leaks, or even sound.

Strengthening Encryption

Eliminate outdated encryption ciphers. Older encryption methods, such as the outdated Data Encryption Standard (DES) and Triple DES, are no longer recommended.
Use the longest possible encryption keys. The maximum key length permitted by the cipher being used is recommended to make it harder for encryption to be cracked.
Encrypt in a layered approach. Take a database for example: Encrypting each column, followed by each table, and finally, the entire database can make it infeasible to crack.
Hold secret keys to encrypted data. As well as the encryption cipher, key management must also be secure, for example by using specific key management systems.

Topic 5 Software & Web Security

Output Generation

Data Input Threats

There are many types of data and many ways that data can be input into a computer system or application. What is the major challenge?
IMPORTANT: Much of this data may be unknown, untrusted or insecure; and may be malicious – TRUST NOTHING!
Malicious input can be interpreted and processed as part of a normal query or command that generates some output. It can be difficult to detect a malicious user who is trying to attack a system or application.
Improper handling of data input, or not checking it before processing, is a leading contributor to the critical vulnerabilities existing in today’s systems and applications.

Injection Attacks

Inputting malicious data into a system or application is a primary attack method. A common attack method is for an attacker to input some malicious data into an application. Malicious input gets injected into a command or query statement which is then interpreted and processed by an application. This type of attack is called an Injection Attack.
Injection attacks are amongst the oldest and most dangerous attacks and are considered a major problem, particularly in web security. They are still listed as one of the top web application security risks in the OWASP Top 10. (Open Web Application Security Project (OWASP) is a non-profit foundation that works to improve the security of software.)
Injection attacks are not only very dangerous but also widespread, especially in legacy applications. (Legacy system: a system often based on outdated technologies, but critical to day-to-day operations.)
Injection attacks are very well understood (including by attackers). There are many freely available and reliable tools that allow even inexperienced attackers to abuse these vulnerabilities automatically.

Injection Attacks

Injection attacks can have many negative impacts: data theft, data loss, loss of data integrity, denial of service, full system compromise.
Injection attacks refer to a broad class of attacks, including: SQL Injection, Cross-site Scripting, Format String.

SQL Injection

Structured Query Language (SQL) is a programming language for storing and processing information in a relational database. It uses commands such as SELECT, UPDATE, DELETE, INSERT INTO, CREATE TABLE, etc.
Return values for all columns from the User table:
    SELECT * FROM User;
Return values for first and last name columns from the User table:
    SELECT firstname, lastname FROM User;
Return values for first and last name columns from row in User table where user ID is 1:
    SELECT firstname, lastname FROM User WHERE email = [email protected];

Attackers can try to inject malicious data into genuine SQL queries (especially string concatenation-based queries) to cause some negative or compromising action.
Query:
    SELECT firstname, lastname FROM User WHERE email = [email protected];
Coded query:
    db.session.execute('SELECT firstname, lastname FROM User WHERE email = ' + user_email);
This input data could be malicious.

SQL Injection

To get the SELECT data, a hacker needs to make the WHERE clause always equate to true.
    db.session.execute('SELECT firstname, lastname FROM User WHERE email = ' + user_email);
Slide callouts on this query: Hacker wants access to this. Hacker doesn’t know value of this. Inject input to make this part equal true.
In an SQL driven application:
    user_email = getRequestString(form.email.data);
    db.session.execute('SELECT firstname, lastname FROM User WHERE email = ' + user_email);
Assume hacker submits: 'john@email OR 1=1'
Query becomes: 'SELECT firstname, lastname FROM User WHERE email = john@email OR 1=1'
The SQL query will return (and expose) the selected data for all rows in the User table. The attack works because 1=1 is True (for every row).
SQL Injection Demo

Assume an authentication process using string-based SQL queries:
    statement = "SELECT * FROM users WHERE email='"+form.email.data+"' AND password='"+form.password.data+"'"
    connection = db.session.connection()
    user = connection.execute(text(statement)).first()
    if user:
        login user
        return redirect (to home page)
    return redirect (to login page)

SQL Injection Demo

Assume an account exists with [email protected] but password is unknown.
    statement = "SELECT * FROM users WHERE email='"+form.email.data+"' AND password='"+form.password.data+"'"
After submission, statement becomes:
    statement = "SELECT * FROM users WHERE email='[email protected]' AND password='123456'"
User is logged in if authenticated or returned to login page if not.

SQL Injection Demo

Assume an account exists with [email protected] but password is unknown.
    statement = "SELECT * FROM users WHERE email='"+form.email.data+"' AND password='"+form.password.data+"'"
After submission, statement becomes:
    statement = "SELECT * FROM users WHERE email='[email protected]' AND password='hacked' OR '1=1'"
User is logged in as if authenticated because both sides of AND condition are True.

Preventing SQL Injection

We have seen that hackers can use SQL injection on an application if it has dynamic database queries that use user-supplied input and string concatenation. To avoid SQL injection vulnerabilities, application code should:
Prevent malicious SQL input from being included in executed queries (Solution: input validation).
Avoid using dynamic queries with string concatenation (Solution: prepared statements with parameterised queries).
You have already been using prepared statements with parameterised queries!
    user = User.query.filter_by(email=form.email.data, password=form.password.data).first()
And some input validation (e.g. password policy rules). But more input validation coming soon.
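The login demo above, run against an in-memory SQLite database with the concatenated query beside a parameterised one. This is an added example, not code from the original slides; the table rows, function names and the use of the standard-library sqlite3 module (instead of the module's Flask/SQLAlchemy stack) are assumptions made so it runs stand-alone.

```python
import sqlite3

def make_db():
    """In-memory table shaped like the slides' users table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    # Plaintext passwords only mirror the slide demo; real systems store hashes.
    db.execute("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice@example.com", "correct-horse"),
                    ("bob@example.com", "hunter2")])
    return db

def build_statement(email, password):
    """String concatenation, as in the demo: input becomes part of the SQL text."""
    return ("SELECT email FROM users WHERE email='" + email +
            "' AND password='" + password + "'")

def login_concatenated(db, email, password):
    """Vulnerable pattern: the database parses whatever the user typed."""
    try:
        return db.execute(build_statement(email, password)).fetchone()
    except sqlite3.OperationalError as exc:
        # A legitimate apostrophe is enough to break the query's syntax.
        return ("error", str(exc))

def login_parameterised(db, email, password):
    """Placeholders keep the SQL text fixed; inputs are bound as data only."""
    return db.execute("SELECT email FROM users WHERE email=? AND password=?",
                      (email, password)).fetchone()

if __name__ == "__main__":
    db = make_db()
    cases = [("alice@example.com", "correct-horse"),   # genuine login
             ("bob@example.com", "hacked' OR '1=1"),   # input from the slides
             ("o'brien@example.com", "pw")]            # harmless apostrophe
    for email, password in cases:
        print(build_statement(email, password))
        print("  concatenated :", login_concatenated(db, email, password))
        print("  parameterised:", login_parameterised(db, email, password))
```

With the slide's password input the concatenated query returns a row even though no password matched, while the parameterised query returns nothing; the apostrophe case shows the same flaw surfacing as a syntax error on ordinary data.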
Cross Site Scripting

Cross-Site Scripting (XSS) attacks are another type of injection attack, in which malicious scripts are injected into vulnerable web applications. The malicious script is included with dynamic content delivered as markup text (e.g., HTML) to a victim’s browser following a request by the victim to the web application. XSS attacks take advantage of the fact that browsers cannot distinguish between legitimate and malicious markup but rather execute whatever markup they receive. So, rather than attacking a victim directly, a hacker can exploit a vulnerability in a web application the victim visits and get the application to deliver the malicious script. Vulnerabilities that allow these attacks to succeed are quite widespread.

Cross Site Scripting

Cross-Site Scripting (XSS) attacks occur when:
Data from an untrusted source is entered into a web application, most frequently via a web request (form submission or parameterised URL).
The data is included in dynamic content that is sent to a web user without being validated for malicious content.
The malicious content sent to the web browser often takes the form of a segment of JavaScript, but may also include HTML, Flash, or any other type of code that the browser may execute.
The variety of attacks based on XSS is almost limitless, but they commonly include:
Transmitting private data, like cookies or other session information, to the hacker.
Redirecting genuine users to web content controlled by the hacker.
Performing other malicious operations on a genuine user’s machine under the guise of the vulnerable site.

XSS Demo

Genuine posts are stored and rendered normally.

XSS Demo

Malicious posts are stored and cause JavaScript to be executed.

Preventing XSS

We have seen that hackers can inject scripts into, and have them executed on, an application that uses user-supplied input.
To avoid XSS vulnerabilities, application code should:
Prevent malicious script type input from being included in executed queries (Solution: input validation).
Ensure input is interpreted as text instead of code (Solution: automatic encoding and escaping functions).
The Flask framework has built-in automatic encoding and escaping. Flask automatically escapes variables when they are rendered in templates using the Jinja syntax {{... }} It also provides input validation. But more input validation coming soon.

Format Strings

Many programming languages use what are called format strings to insert values into a string of text. There are typically three components for this action:
Format Function: a function which converts a primitive variable into a readable string (e.g., printf, fprintf).
Format String: a string argument of a format function which contains text and format parameters.
Format String Parameter: defines the type of conversion of the format function (e.g., %x, %d).
    int x = 60;                                    // primitive variable
    printf("Decimal value of x is: %d", x);        // %d: format string parameter (signed integer); x: argument
    // prints: Decimal value of x is: 60
    printf("Hexadecimal value of x is: %x", x);    // %x: format string parameter (hexadecimal integer)
    // prints: Hexadecimal value of x is: 3c
In programming languages like C, variables are saved in the stack.

Format String Attack

Format string actions can be exploited if the format function does not have an argument (and prints user input directly).
    printf("some text" + form.input.data);
    printf(form.input.data);
A format string parameter, like %x, could be inserted into the printed string, which is subsequently parsed by the format function. The %x in the input data is evaluated as a command (Format String Attack).
    form.input.data = "%x %x %x %x %x";
When printf() sees the first %x specifier, it simply refers to the stack and reads the first variable it finds after the format string.
    printf(form.input.data);
    "b26d7db8 b26d7dc8 120 0 38df7e78"
This behaviour will be repeated for all five %x specifiers, revealing variable values, function return addresses, etc., from the stack. As well as reading data from the stack, a hacker can launch a format string attack to execute code or cause an exception.

Format String Attack Prevention

We have seen that hackers can inject format string parameters into user input-based format strings to reveal data from the stack. To avoid format string vulnerabilities:
Specify a format string as part of the program, not as an input.
If possible, make the format string a constant and extract all the variable parts (e.g., user input) as other arguments to the format function.
Include input validation.
    printf("%s", "some text" + form.input.data);
    printf("%s", form.input.data);

    form.input.data = "%x %x %x %x %x";
    printf("%s", form.input.data);
    "%x %x %x %x %x"
Format string parameters %x are converted to strings, not executed as commands.

Input Validation

The primary reason for injection and overflow vulnerabilities is usually insufficient validation of user input. User-supplied data is not validated, filtered, or sanitized by the application. Input validation, also known as data validation, is the proper checking or testing of any input supplied by a user or another system. Because it is difficult to detect a malicious user who is trying to attack software, applications should check and validate all input, especially if the data is from an untrusted source. Automated testing of all parameters, headers, URL, cookies, JSON, SOAP, and XML data inputs is strongly encouraged. Although not a guaranteed defence, input validation can considerably lower the impact of an injection attack. Input validation can also help prevent non-malicious data that is improperly formed from entering a system.
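One way to apply the input validation described above on the server side, as an added example that is not part of the original slides: every field is checked against an explicit definition of its allowed type, length and pattern, and anything else is rejected. The field names, limits and patterns are assumptions chosen for illustration, and the sample inputs are constructed.

```python
import re
from datetime import date

# Allowed shapes: each field has one accepted pattern; everything else is denied.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+")
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '-]{0,49}")
AGE_RE = re.compile(r"[0-9]{1,3}")
DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")

def _matches(pattern, value, max_len):
    # fullmatch() must consume the whole string; match() with "$" would
    # still accept a value that ends in a newline.
    return isinstance(value, str) and len(value) <= max_len and bool(pattern.fullmatch(value))

def check_email(v):
    return None if _matches(EMAIL_RE, v, 254) else "not an allowed email format"

def check_name(v):
    # The apostrophe is legitimate here (O'Neil), so validation alone cannot
    # replace parameterised queries or output escaping.
    return None if _matches(NAME_RE, v, 50) else "letters, space, ' and - only"

def check_age(v):
    if not _matches(AGE_RE, v, 3):
        return "digits only"
    return None if 13 <= int(v) <= 120 else "out of range 13-120"

def check_dob(v):
    if not _matches(DATE_RE, v, 10):
        return "expected YYYY-MM-DD"
    try:
        date.fromisoformat(v)  # value check: rejects impossible dates
    except ValueError:
        return "not a real calendar date"
    return None

VALIDATORS = {"email": check_email, "name": check_name, "age": check_age, "dob": check_dob}

def validate(form):
    """Return {field: reason} for every rejected field; {} means accept."""
    errors = {f: "unexpected field" for f in form if f not in VALIDATORS}
    for field, check in VALIDATORS.items():
        reason = check(form.get(field))  # a missing field arrives as None and fails
        if reason:
            errors[field] = reason
    return errors

if __name__ == "__main__":
    good = {"email": "alice@example.com", "name": "Alice O'Neil",
            "age": "34", "dob": "1990-02-28"}
    bad = {"email": "john@email OR 1=1", "name": "%x %x %x %x %x",
           "age": "34\n", "dob": "1990-02-30", "is_admin": "1"}
    print(validate(good))
    print(validate(bad))
```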
Whitelisting and Blacklisting

Input validation can employ whitelisting or blacklisting.
Whitelisting defines allowed data while everything else is denied by default.
Blacklisting defines unallowed data while everything else is allowed by default.
More mistakes tend to occur when using blacklisting: you need to know ALL bad inputs, which may be ever changing/updating. As a result, it is usually preferable to whitelist data.
Getting whitelisting wrong may deny genuine data whilst getting blacklisting wrong may allow malicious data. It is far better to deny genuine data than allow malicious data.

Implementing Input Validation

Programs may require all sorts of different input such as basic numbers, someone's age, a date, an email address, web page, uploaded file. Input should be checked against a set of validation characteristics such as its type (e.g., string, integer) and value (e.g., size, form or pattern) to prevent security issues like injection attacks.
There are many ways to implement input validation:
It can be done at the client-side coded with HTML, handled with pure JavaScript or a specialist JavaScript library such as jQuery.
It could be done server-side within view functions, form validators, or using a server filter.
Once input validation has been added, a form will not be submitted (if client-side) or processed (if server-side) until all validation characteristics are satisfied or valid.

Memory Management

Bounds Checking

An out of bounds read occurs when a program reads data past the end, or before the beginning, of the intended buffer (e.g. an array). An out of bounds write occurs when a program writes data past the end, or before the beginning, of the intended buffer. Bounds checking is a method of detecting whether a variable is within some bounds before it is used.
This is commonly used to check that a variable used as an array index is within the bounds of the array (index check). A failed bounds check usually generates some kind of exception signal. For example, an erroneous out of bounds read in Java:
    String str = "My String";    // String object is an array of chars [index 0 to 8]
    System.out.println(str.charAt(9));
    Exception in thread "main" java.lang.StringIndexOutOfBoundsException: String index out of range: 9

Buffer Overflow Attack

Certain languages such as C and C++ have no bounds checking. Wikipedia: ‘[C and C++] provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries of that array. Why? It’s considered time consuming - an overhead some programmers don’t think is required! No bounds checking gives rise to Buffer Ov