Return to book
Review this book
About the author
Introduction
1. Access Control
2. Authentication
3. Biometrics
4. Crypto Engineering
- 4.1. Software Crypto
- 4.2. Hardware Crypto
5. Malware
- 5.1. Virus
- 5.2. Worm
- 5.3. Trojan Horse
- 5.4. Writing Virus
- 5.5. Rootkits
- 5.6. Anti-virus software
- 5.7. Inside popular software
6. Protecting Clients
7. Security and Usability
- 7.1. User Interface (UI)
- 7.2. Passwords
- 7.3. Cognitive Experiment
- 7.4. Insider Attacks
8. Secure Programming
- 8.1. Buffer overflow
  - 8.1.1. Buffer Overflow Protections
  - 8.1.2. Exploit Buffer Overflow
- 8.2. Secure C practice
- 8.3. secure-sensitive program
9. Physical Security
10. (Web Service) Architecture
- 10.1. Contents and Scripts
11. Confinements
- 11.1. chroot
- 11.2. JVM
- 11.3. Network Identity
- 11.4. Virtual Machine
- 11.5. Sandbox
12. Program Structure
- 12.1. Case study: 4.3BSD FTP Daemon
- 12.2. Case study: mailer
- 12.3. Case study: Web Browser
13. Security Analysis
- 13.1. Construction vs. Destruction
- 13.2. Analyze individual programs
- 13.3. Analyze overall system
- 13.4. Software Engineering Code of Ethics
- 13.5. Tools part 1: OS system calls
- 13.6. Tools part 2: fuzzing and more
- 13.7. Reconnaissance
14. The Internet of Things
- 14.1. Embedded Systems (Smart Devices)
- 14.2. Internet of Things Architecture
- 14.3. Case study: Thermostat
15. Logging
- 15.1. Loggin in practice
- 15.2. Log Incidents
- 15.3. Case study: PHP4 web server attack
16. After An Attack
- 16.1. Analyze a hacked system
- 16.2. Deleted Files
- 16.3. Monitor Intrusion
- 16.4. Conclusion
17. System Structure
- 17.1. Case study: build an e-commerce
- 17.2. Network Operation Center
- 17.3. Router Link Weakness
- 17.4. Remote Access
- 17.5. Question: store credit card number in database?
- 17.6. General Principle
18. Exams
- 18.1. Fall 2014 Midterm
- 18.2. Fall 2013 Midterm
- 18.3. Fall 2010 Midterm
- 18.4. Fall 2008 Midterm

Security Architecture and Engineering

(Web Service) Architecture

Web service is an operation system:

Access Control

Manage process

Database connection

Can web server benefit from OS access control?

What UIDs does the server run under?

Difference between Effective UID and Real UID

Normally these are the same, but if a program with a set-uid bit set is run, then while the real UID remains that of the user who ran it, the effective UID is that of the user who owns the file.

Berkely history of web

Most Unix system reserve < 1024 must have ROOT access to connect to those ports
Web servers listen on port 80, so something HAS TO be root in order for web server to start running.
Shedding priviege: Apache starts web server as root, then forks and sheds privileges (lower privileges).
Apache serving web pages as non-priviledged user "www"
User files are NOT owned by www.

Challenges of designing web server

Web server is an OS

Design for large-scale system
Web server should be up most time
Error-resiliency is fundamental for designing web server
Be smart about restart and retry is crucial for highly reliable systems.
Rollback and recovery: design for system reliability in the very beginning. E.x. to design a phone network, I must make sure that phone switch is up running, if one phone cuts out, it eliminates the phone, but phone switch is up on running.

File permissions

If the user of the process is not root, it can't open protected files.
Give web server least privilege needed.
Use OS to protect system against web server.
Dijstra's Turing award:

underestimate a programmer's ability to get stuff right.

.htaccess

From Wikipedia:

A .htaccess (hypertext access) file is a directory-level configuration file supported by several web servers, that allows for decentralized management of web server configuration. They are placed inside the web tree, and are able to override a subset of the server's global configuration for the directory that they are in, and all sub-directories.[1]

The original purpose of .htaccess—reflected in its name—was to allow per-directory access control, by for example requiring a password to access the content. Nowadays however, the .htaccess files can override many other configuration settings including content type and character set, CGI handlers, etc.

Human Problems

Say sys admin doesn't figure the permissions for files the way user wanted, user configures .htaccess that overrides system access control settings.
Apache solution: have a configuration that determines who wins the access control (htaccss or system permission)
System admin can get the permissions wrong!

Web server security features

Root (www) should not own contents of users
"Are scripts allowed to run?"
In general, all scripts run with the same permissions.
Scripts can interfere with each other:

All the CGI scripts will run as the same user, so they have potential to conflict with other scripts.

Restricting scripts

Allow scripts only in certain directories.
suEXEC runs to switch users to run.
suEXEC has > 20 checks before switch users, for example:
- suEXEC is only executable by www
- is the directory NOT writable by anyone else?

Safety pratice

Do not permit execution of C or C++ programs
Use web server access control
Challenge: if all scripts run with the same permission, and if local users have read-access to user content, how can a user do safe upload?
Script access control is difficult

TLS encryption

Used by most e-commerce
TLS applies public-key encryption
How to store key on a computer?

Store in computer x--,---,--- It's owned by root, and reads in at startup before changing UIDs.

Authentication

Two basic types: passwords and client-side certificates.
Passwords should never be used without encrypting the network connection.
Ultimately, the client's identity is Apache UID.

Phishing:

trick people into sending their passwords to the wrong site.
People could check the site's certificate
Safety pratice

Use a password manager such as 1password!

Lessons

Web servers are very hard to secure
Tool: OS permissions, application ACLs, script language security, and more.