A graduate seminar: current topics in computer security
 

Status Milestone Updated for Final Project

November 3rd, 2013 by cw36

Team: Zekai Gao, Chengyang Wu

We have updated the status milestone for our final project on our blogs. Please go to http://cmaccount.blogs.rice.edu/2013/11/03/milestone-of-final-project/ for more information. Thank you.



Status Update For The Week Ending 10/27/2013

October 27th, 2013 by Tanmay

Project Name: Country by Country Twitter View

Team: Rima, Jack and Tanmay

We have updated our site with the “Status Update For The Week Ending 10/27/2013 “.

Please visit: http://twitterview.blogs.rice.edu/2013/10/27/status-update-for-the-week-ending-10272013/



Comp527 Final Project Weekly Report Oct 26 2013

October 27th, 2013 by jz33

Comp527 Final Project Weekly Report Oct 26 2013

Detection & Sanitization of XSS

Jun Zheng (jz33) Chao Zhang (cz15)

Rice University

Overview

For now, our group is focused on figuring out what exactly XSS is, why XSS defense is so significant and, more importantly, what challenges XSS sanitization faces in real-world industry.

The problem: XSS attacks

XSS enables attackers to inject client-side script to Web pages viewed by other users. XSS may be used by attackers to bypass access controls such as the same origin policy.

A canonical example from A Systematic Analysis of XSS Sanitization in Web Application Frameworks: consider a blogging Web application that emits untrusted content on a Web page. If the developer is not careful, an attacker can submit text containing a <script> tag, which may be copied verbatim into the server’s output HTML page. As a result, when a user visits the blog page, the user’s Web browser executes the attacker’s text as script code.

XSS defense

XSS sanitization is responsible for removing dangerous content from untrusted data.

Challenges of XSS sanitization[1]

1. Context Sensitivity

Sanitization for XSS defense needs to know where in the Web application’s output the untrusted content appears.

2. Nested Contexts

This situation occurs when a string in a Web application’s output is parsed by multiple sub-parsers in the browser, one after another; such a string sits in nested contexts.

3. Browser Transductions

Browsers can hand data from one sub-parser to another, and this transduction can undo sanitization applied on the server.

4. Dynamic Code Evaluation

The chain of edges the browser traverses while parsing text can be very long because the browser can dynamically evaluate code: untrusted content can keep looping through HTML and JavaScript contexts, so the contexts it reaches cannot be determined statically.

5. Character-set Issues

Successfully sanitizing a string requires that the sanitizer and the browser use the same character set.

6. Other challenges such as MIME-based XSS, Universal XSS and Mashup Confinement

These are related to sanitization defenses in Web frameworks, so we do not consider them in the final project.
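To make challenges 1 to 3 concrete for the blogging example above, here is an added example (not code from the Weinberger et al. paper or from this project; the function names and the sample comment are constructed). It renders the same untrusted comment into three output contexts with the escaper each context needs, and models the browser transduction that undoes plain HTML escaping inside an event-handler attribute:

```python
"""Context-sensitive escaping for the blogging example above.

Added example, not code from the Weinberger et al. paper or from this
project. The function names and the sample comment are constructed.
"""
import html
import json

# Constructed untrusted input: the kind of comment the blogging example
# copies into its page verbatim. It carries a script tag and a quote.
UNTRUSTED = '<script>alert(1)</script>" onerror="x'


def render_unescaped(comment: str) -> str:
    """The careless template: untrusted text is copied into the page as-is."""
    return f"<p>{comment}</p>"


def escape_html(s: str) -> str:
    """Escaper for HTML body text and quoted attribute values."""
    return html.escape(s, quote=True)


def escape_js_string(s: str) -> str:
    """Escaper for a JavaScript string-literal context.

    json.dumps yields a quoted, backslash-escaped JS string; encoding
    '<' and '>' as \\u00XX additionally keeps a '</script>' inside the
    value from terminating the enclosing script block.
    """
    return json.dumps(s).replace("<", "\\u003c").replace(">", "\\u003e")


def render_body(comment: str) -> str:
    """Untrusted text in HTML body context: the HTML escaper is enough."""
    return f"<p>{escape_html(comment)}</p>"


def render_script(comment: str) -> str:
    """Untrusted text as a JS string inside <script>: only the JS escaper
    applies, since the HTML parser does not decode entities in <script>."""
    return f"<script>var c = {escape_js_string(comment)};</script>"


def render_event_handler(comment: str) -> str:
    """Nested context: an event-handler attribute is parsed first as an
    HTML attribute (entity decoding) and then as JavaScript. Escape for
    the innermost context first, then for the outer one."""
    js = escape_js_string(comment)
    return f'<a onclick="show({escape_html(js)})">comment</a>'


def render_event_handler_html_only(comment: str) -> str:
    """The insufficient version: the HTML escaper alone."""
    return f'<a onclick="show({escape_html(comment)})">comment</a>'


def value_seen_by_js(tag: str) -> str:
    """Model the browser transduction: the attribute parser entity-decodes
    the onclick value before handing it to the JavaScript parser."""
    start = tag.index('onclick="') + len('onclick="')
    end = tag.index('"', start)
    return html.unescape(tag[start:end])


if __name__ == "__main__":
    print(render_body(UNTRUSTED))
    print(value_seen_by_js(render_event_handler_html_only(UNTRUSTED)))
    print(value_seen_by_js(render_event_handler(UNTRUSTED)))
```

Running the script shows the point of challenge 3: after the attribute parser decodes entities, the HTML-only version hands the original untrusted text to the JavaScript parser, whereas the version escaped innermost-first hands it a harmless string literal.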

Reference:

[1] A Systematic Analysis of XSS Sanitization in Web Application Frameworks, Joel Weinberger, Prateek Saxena, Devdatta Akhawe, Matthew Finifter, Richard Shin, and Dawn Song

 



NSA spied on 125 billion calls in just one month

October 24th, 2013 by dws5

According to a number of news reports, the NSA collected 125 billion calls in just one month.

As you can see from the heat map, most of the calls originated from the Middle East. The number of calls the NSA collected, by country:

Pakistan: 12.76 billion
Afghanistan: 21.98 billion
India: 6.28 billion
Iraq: 7.8 billion
Saudi Arabia: 7.8 billion
United States: 3 billion
Egypt: 1.9 billion
Iran: 1.73 billion
Jordan: 1.6 billion
Germany: 361 million
France: 70.2 million
Spain: 61 million
Italy: 46 million
Netherlands: 1.8 million
The rest of the world: lots and lots

Total: 124.8 billion.

They were able to capture so much data because a phone call, email or chat takes the cheapest path, not the physically most direct one, and much of the world’s communication flows through the US.

One intriguing thing I noticed is how they were able to have enough computing power to process such immense data, considering that the budget is only $20M per year. (Were they using EC2 for free?)

Reference

[1] http://cryptome.org/2013/10/nsa-125b-calls.htm

[2] http://cryptome.org/2013/10/nsa-prism-13-1021.pdf



Flash Player now sandboxed for Safari users running OS X Mavericks

October 24th, 2013 by Zekai

If you rushed to upgrade your Mac to OS X Mavericks, congratulations — you’ve just taken a big step forward in web security. Adobe has confirmed that Flash Player is now sandboxed in Safari for Mavericks users, preventing Flash-based malware from accessing code and resources beyond Apple’s browser. The company is taking special advantage of OS X’s new app sandboxing feature, which also minimizes the security risks for other plugins and programs. Safari is undoubtedly late to the party when Flash has been sandboxed for a while in both Chrome and Firefox, but we won’t knock an upgrade that neuters many potential security exploits.

 

http://www.engadget.com/2013/10/24/flash-player-now-sandboxed-for-safari-users-running-os-mavericks/



Project Update for Week Ending 10/18/13: Country-by-Country Twitter View

October 19th, 2013 by R.Tanash

To view our project update, please follow our blog: http://twitterview.blogs.rice.edu/



TOR Stinks…

October 18th, 2013 by Tanmay

On October 04, 2013, Edward Snowden leaked a new classified NSA document, “TOR Stinks”.

What is TOR?

Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. TOR can be used in research projects (as we are using it to measure censorship across various countries), or it can be used by attackers/terrorists to hide their identity.

The NSA wants to see who the users of TOR are, monitor the traffic, etc. As the TOR nodes are spread across the whole world, it is really hard for them to trace everyone. They used three main ideas to achieve their goal:

  1. Tracking cookies of users
  2. Vulnerabilities from Firefox browser
  3. Running own hostile (spying) TOR nodes

Even though the above ideas sound nice, they cannot solve the problem, as they work on only a very small fraction of TOR users. The NSA has its own spying nodes, but those are very few and hence the success rate is limited.

The above limitations led them to think in another direction: an “Exploitation Strategy”. The strategy mainly makes the use of TOR worse so that eventually users refrain from using TOR. One of the strategies is adding TOR nodes that respond very slowly; users will be annoyed by the experience and stop using TOR. Although this is an evil idea, I think it can prove effective for them in minimizing the number of TOR users.

 

References:

https://www.torproject.org/

http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document

http://thehackernews.com/2013/10/nsa-using-browser-cookies-to-track-tor.html



Comp527 Final Project Proposal V2

October 16th, 2013 by jz33

Detection & Sanitization of XSS 

Jun Zheng (jz33) Chao Zhang (cz15)

Rice University

  

Introduction

Cross-site scripting (XSS) is a major security vulnerability, found mostly in web applications, that allows an attacker to inject malicious client-side scripts and thereby affect the server as well as the browsers of other users. For instance, if a web page provides the user with a text field for input, then instead of typing “plain” strings the attacker could enter JavaScript, CSS styles or DOM elements. If this text field is not sanitized, the typical result is that the attacker, via the executable code, can gain access to secrets of the server or to other important information maintained by the browser on behalf of other users.

Major web application framework vendors provide mechanisms or requirements in their products to protect against XSS. For example, JSP requires the programmer to add “fn:escapeXml()” right before a string that is intended to be plain text [1]. In Spring, the programmer can set a parameter “defaultHtmlEscape” [2]. And in Django, XSS is protected against by “Auto-sanitization” [3], on which our team’s research mainly focuses: exploring the protection mechanism (sanitization) against XSS in Django.
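As an added illustration of what “auto-sanitization” means in practice (this is not Django’s own code: the SafeString, mark_safe and conditional_escape below only mimic the documented semantics of django.utils.safestring and django.utils.html, and render() is a toy substitution standing in for the template engine), the following model shows the working scope of auto-escaping and its main limitation, a value a developer has explicitly marked safe:

```python
"""A miniature model of Django-style auto-escaping.

Added example, not Django's own code: SafeString, mark_safe and
conditional_escape mimic the documented semantics of
django.utils.safestring / django.utils.html, and render() is a toy
template substitution standing in for the real template engine.
"""
import html
import re


class SafeString(str):
    """A string the developer has vouched for; auto-escaping leaves it alone."""


def mark_safe(s: str) -> SafeString:
    return SafeString(s)


def conditional_escape(value) -> SafeString:
    """Escape unless the value is already marked safe (escape once, never twice)."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template: str, context: dict, autoescape: bool = True) -> str:
    """Substitute {{ name }} placeholders; escape each value when autoescape is on."""
    def sub(match):
        value = context[match.group(1)]
        return conditional_escape(value) if autoescape else str(value)
    return _VAR.sub(sub, template)


COMMENT = "<script>alert(1)</script>"   # constructed untrusted input
TEMPLATE = "<p>{{ comment }}</p>"


def escaped_by_default() -> str:
    """Working scope: an ordinary string is escaped without developer effort."""
    return render(TEMPLATE, {"comment": COMMENT})


def marked_safe_bypasses() -> str:
    """Limitation: once the developer marks untrusted data safe, the
    template engine trusts that assertion and emits it verbatim."""
    return render(TEMPLATE, {"comment": mark_safe(COMMENT)})


def autoescape_off() -> str:
    """Limitation: the equivalent of {% autoescape off %} disables the defense."""
    return render(TEMPLATE, {"comment": COMMENT}, autoescape=False)


def no_double_escape() -> str:
    """Escaping a value yourself and then letting the template escape it
    does not produce '&amp;lt;': conditional_escape is idempotent."""
    return render(TEMPLATE, {"comment": conditional_escape(COMMENT)})


if __name__ == "__main__":
    print(escaped_by_default())
    print(marked_safe_bypasses())
```

The safe-marker design is what lets the engine escape by default without double-escaping values a filter has already handled; the same marker is also the place where a mistaken mark_safe on attacker-controlled data reopens the hole, which is the scope-and-limitations question the project studies.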

 

Strategy

First, we will study existing analyses of XSS attacks: two papers by Weinberger [4][5] treat this topic in great depth, and [6] also provides a good summary of existing solutions. Second, given the time limit of this project, our team will mainly focus on Django’s Auto-sanitization mechanism: its implementation, backend support, working scope and limitations. Third, our team will design assistant programs or plug-ins to detect or scan for possible XSS attack code. A good open-source example is [7].

 

References & Links:

[1] http://www.tutorialspoint.com/jsp/jstl_function_escapexml.htm

[2] http://stackoverflow.com/questions/9111105/spring-mvc-defaulthtmlescape-does-it-work-on-the-way-in-or-out

[3] https://docs.djangoproject.com/en/dev/topics/security/

[4] Weinberger, J., et al., “A Systematic Analysis of XSS Sanitization in Web Application Frameworks”, Springer-Verlag Berlin Heidelberg 2011

[5] Weinberger, J., et al., “An Empirical Analysis of XSS Sanitization in Web Application Frameworks”, Technical Report No. UCB/EECS-2011-11

[6] Bugeja, Joseph, “A PRAGMATIC POLICY-DRIVEN XSS PROTECTION FRAMEWORK ”, master thesis of Royal Holloway University of London, 2011

[7] https://github.com/stamparm/DSXS



Facebook Leaks Info To National Intelligence Agencies

October 16th, 2013 by jz33

SAN FRANCISCO — Facebook Chief Executive Mark Zuckerberg came out swinging on revelations that Internet companies have been turning over users’ information to national intelligence agencies.

“Frankly, I think the government blew it,” Zuckerberg said during an onstage interview at the TechCrunch Disrupt conference in San Francisco.

His point: The U.S. government is not striking the right balance between protecting its citizens from terrorism and protecting their civil liberties.

“They blew it on communicating the balance of what they were going for with this,” Zuckerberg said.

Facebook has been reeling from damaging revelations contained in documents leaked by former national intelligence contractor Edward Snowden that the giant social network and other Internet companies allowed government agencies to tap into users’ information.

Zuckerberg denied giving the government direct access to its servers.

He said his No. 1 job is to protect his users’ personal information (a comment that drew some skeptical reactions on social media).


Facebook on Monday joined a lawsuit pressing the Obama administration to allow it to disclose more details of its forced cooperation. Google and Microsoft filed suit in June.

Zuckerberg plans to travel to Washington, D.C., next week to meet with top Republican lawmakers. The discussion is expected to include NSA leaks and privacy issues.

Zuckerberg’s remarks on the controversy surrounding the NSA leaks came at the tail end of an interview with technology blogger and investor Michael Arrington. Among the subjects Zuckerberg touched on: Bill Gates as a candidate for CEO of Microsoft (“When I was growing up, Bill Gates was my hero”), his new advocacy for immigration reform (Will it pass? “I’m an optimist,” he said), his personal goal for the year (meet at least one person who does not work at Facebook each day) and Yahoo’s new (and not well-liked) logo.

His best line came in response to the prospect of Twitter going public. Facebook, whose stock briefly hit an all-time high Wednesday, had the biggest technology offering on record in May 2012, but it went anything but smoothly.

“I’m kind of the person you would want to ask last about how to make a smooth IPO,” Zuckerberg said.

The only bit of news from the interview: Instagram is coming to the Facebook Home lock screen.

Zuckerberg said he was surprised that Facebook Home has not yet caught on.

“I definitely think Home is slower in rolling out than I would have hoped,” Zuckerberg said.

But, he added: “We are patient and still fully believe that this is something people will want over time.”



Tizen Security Analysis

October 7th, 2013 by dws5

COMP 527 Final Project Research Proposal

Daniel Song and Min Hong Yun

Introduction

The primary focus of the Tizen Framework Security Analysis is to find security vulnerabilities in the Tizen platform using static taint analysis. Excessive dependence on the Android platform raised awareness among Samsung management, which led to creating their own platform, ‘Tizen’. However, the LiMo-based Tizen smartphone OS embraced Bada’s Open Services Platform without careful inspection of the overall merged architecture. Our goal is to find anything that violates the Tizen security policy using static taint analysis.

Background

Tizen provides API-level access control so that applications operate safely. Any application using sensitive APIs that may lead to a privacy leak must declare its ‘privilege level’ in the manifest file. There are four levels of privilege: Public, Partner, Platform, and one more that is not disclosed. (Even though Samsung developers told us that there are four levels of privilege, only three of them are revealed in the developer documentation.)

  

Tizen API Call Graph

APIs regarded as Public can be used by all Tizen application developers. APIs regarded as Partner can only be used by developers registered as partners on the Tizen store. APIs regarded as Platform are system APIs used for managing the Tizen platform. There is a total of 128 privileged APIs that can be invoked by a native application. The privileged APIs are part of the OSP (Bada’s Open Services Platform) library, which eventually calls the C API; the C API then calls libc, which eventually ends in a system call. The API call graph is directed, and a layer cannot call past the layer directly beneath it: the OSP library cannot directly call libc, and the C API cannot call the OSP library.

Bad API Call Examples

Goal

Tizen allows both web-based and native applications, which makes it challenging to propose one policy that applies to both. For this project, we will focus on native applications. We will first migrate the Tizen source code from the gcc compiler to the LLVM compiler to obtain LLVM bitcode. Then the static taint analysis tool developed by Jisheng Zhao for LLVM bitcode will be used to draw the whole API graph. Finally, the whole API graph will be analyzed to find any violation of the Tizen security policy.
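To show what “analyzing the API graph for policy violations” can look like once a call graph exists, here is an added example (not the project’s own tool and not Tizen code). The layer order follows the proposal (application, OSP library, C API, libc, system call); the call graph, the allowed-edge table, the privilege table and all node names are constructed for illustration, and plain reachability over the call graph stands in for the taint analysis:

```python
"""Checking an API call graph against a layered privilege policy.

Added example, not the project's own tool or any Tizen code. The layer
order follows the proposal (application -> OSP library -> C API -> libc
-> system call); the call graph, the allowed-edge table, the privilege
table and all node names are constructed for illustration, and
reachability over the call graph stands in for the taint analysis.
"""
from collections import deque

# Constructed policy: the layers a node in each layer may call directly.
# Calls within a layer are allowed; skipping a layer or calling upward is not.
ALLOWED_CALLEE_LAYERS = {
    "app": {"osp", "capi"},
    "osp": {"osp", "capi"},
    "capi": {"capi", "libc"},
    "libc": {"libc", "syscall"},
    "syscall": set(),
}

# Constructed call graph: caller -> callees. Node names are "layer:symbol".
CALL_GRAPH = {
    "app:main": ["osp:Contacts.Get", "osp:Bluetooth.Send", "capi:fopen"],
    "osp:Contacts.Get": ["capi:contacts_db_get"],
    "osp:Bluetooth.Send": ["libc:write"],                       # skips the C API layer
    "capi:contacts_db_get": ["libc:read", "osp:Contacts.Get"],  # calls back upward
    "capi:fopen": ["libc:open"],
    "libc:read": ["syscall:read"],
    "libc:write": ["syscall:write"],
    "libc:open": ["syscall:open"],
}

# Constructed privilege table: privileged OSP API -> level it requires.
PRIVILEGED_APIS = {"osp:Contacts.Get": "public", "osp:Bluetooth.Send": "partner"}
LEVEL_RANK = {"public": 0, "partner": 1, "platform": 2}


def layer_of(node: str) -> str:
    return node.split(":", 1)[0]


def layering_violations(graph):
    """Edges whose callee lies in a layer the caller may not reach directly."""
    bad = []
    for caller, callees in graph.items():
        for callee in callees:
            if layer_of(callee) not in ALLOWED_CALLEE_LAYERS[layer_of(caller)]:
                bad.append((caller, callee))
    return sorted(bad)


def reachable(graph, entry):
    """Breadth-first set of nodes reachable from entry (entry included)."""
    seen = {entry}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def undeclared_privileged_calls(graph, entry, declared_level):
    """Privileged APIs reachable from entry whose required level exceeds
    the level the application's manifest declares."""
    have = LEVEL_RANK[declared_level]
    return sorted(api for api in reachable(graph, entry)
                  if api in PRIVILEGED_APIS
                  and LEVEL_RANK[PRIVILEGED_APIS[api]] > have)


if __name__ == "__main__":
    print("layering violations:", layering_violations(CALL_GRAPH))
    print("missing privileges:",
          undeclared_privileged_calls(CALL_GRAPH, "app:main", "public"))
```

On the constructed graph the layering check reports the OSP-to-libc skip and the C-API-to-OSP upward call, and the privilege check reports that an application declaring only the Public level still reaches a Partner-level API; a real analysis would derive the graph from the LLVM bitcode and the tables from the manifest and the developer documentation.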

Reference

[1] https://developer.tizen.org/

Our project site is: http://dwscomp527.blogs.rice.edu