Network and web security modeling and analysis
Abstract/Contents
- Abstract
- Security modeling and analysis centers on identifying the interactions among three aspects of a system: its normal operational behavior, including any security defenses; the power of the system's adversary; and the properties that constitute system security. In finite-state model checking, the interactions between system operations and attacker powers can be exhaustively enumerated by an automated tool, allowing security violations to be detected automatically. We use security modeling to analyze the security of the DNSSEC network protocol and to design and verify App Isolation, a web-security technique that uses browser-based isolation of web applications to prevent common attacks such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Session Fixation. We model three levels of the DNSSEC hierarchy using the Murphi model checker and discover a few weaknesses, surrounding the NSEC3 opt-out mechanism and the temporal consistency of DNS records, that may allow attackers to inject their own records into a DNSSEC system. App Isolation relies on two principles, State Isolation and Entry-point Restriction, to provide browser-based protection for high-security web applications such as online banking. Our modeling, done in the Alloy language, demonstrates that these two principles applied together can effectively mitigate reflected XSS, CSRF, clickjacking, session fixation, and rendering-engine hijacking, and that neither principle alone can prevent attacks from a hijacked rendering engine. In addition to formal checking, we discuss our evaluation of the effectiveness of several commercial black-box web application vulnerability scanners at detecting common web application vulnerabilities, both on a synthetic testbed and on a set of 27 web applications built by 9 freelancers and 18 startups. We find that, as a class, black-box web application vulnerability scanners can detect textbook reflected XSS and type-1 SQL injection vulnerabilities at about a 50% success rate, but are ineffective at detecting stored vulnerabilities and at interpreting client-side languages such as JavaScript, both for simple crawling and for vulnerability detection.
Description
Field | Value
---|---
Type of resource | text
Form | electronic; electronic resource; remote
Extent | 1 online resource.
Publication date | 2014
Issuance | monographic
Language | English
Creators/Contributors
Role | Name
---|---
Associated with | Bau, Jason
Associated with | Stanford University, Department of Electrical Engineering.
Primary advisor | Boneh, Dan
Primary advisor | Mitchell, John
Thesis advisor | Boneh, Dan
Thesis advisor | Mitchell, John
Thesis advisor | Dill, David L
Advisor | Dill, David L
Subjects
Field | Value
---|---
Genre | Theses
Bibliographic information
Field | Value
---|---
Statement of responsibility | Jason Bau.
Note | Submitted to the Department of Electrical Engineering.
Thesis | Thesis (Ph.D.)--Stanford University, 2014.
Location | electronic resource
Access conditions
- Copyright
- © 2014 by Jason Hsi-Chieh Bau
- License
- This work is licensed under a Creative Commons Attribution Non Commercial 3.0 Unported license (CC BY-NC).