Web Security I, II and III (2016-17 Fall/Winter/Spring)

Summary

This is a sequence of the following three courses:

  • Web Security I (ECE-C641), taught in Fall 2016-17
  • Web Security II (ECE-C642), taught in Winter 2016-17
  • Web Security III (ECE-C643), taught in Spring 2016-17

These courses are designed to introduce graduate and qualified undergraduate students to the fundamental principles of web security including current practical attack and defense strategies on the web. This sequence of courses also includes a security-conscious introduction to web technologies and web development, the mathematical foundations of web security and web privacy, and future developments to come in web security. See the complete syllabus below for a more detailed understanding of what is covered in these courses.

These courses will include programming assignments and also exercises using a deliberately insecure web site, allowing students to write programs that exploit vulnerabilities on web sites and learn effective defense strategies.

Textbook

There is no prescribed textbook for these courses. Lecture notes, free online resources, articles published in research journals, and pieces in the mainstream media will together serve as the reading material for the course.

Prerequisites

The courses will involve programming assignments. Programming experience is highly recommended; however, expertise in no particular language is a pre-requisite for this course. The courses will primarily use Python for instructional purposes. However, Python being among the easiest of programming languages to learn, students are not expected to know Python before registering. Python modules and software packages used in these courses will be introduced to students as needed, usually through the homework assignments.

The content of these courses also includes material that uses programming languages most relevant to the web (e.g., JavaScript) and languages used in web development (e.g., HTML and CSS). Knowledge of HTML, CSS and JavaScript is helpful but not required to register for the courses. These courses do not include a full-fledged introduction to these languages; but, the lectures will include an elementary introduction to these languages as necessary in order to explain concepts relevant to web security.

Students are responsible for learning HTML, CSS, JavaScript and Python on their own. However, students will receive guidance in learning what is needed through homework exercises and online tutorials. The third course in the sequence, Web Security III, will require students to engage in either a research project in web security or a software development project in web security.

Syllabus for Web Security I, II and III

The following is the tentative syllabus for this sequence of courses (subject to changes to accommodate topical needs and weather disruptions).

Introduction to web security

  • An introduction to issues in web security and the most common risks and attack strategies including information leakage, cross-site scripting, cross-site request forgery and injection attacks.
  • Introduction to the role of cryptography in web security; introduction to the principles of cryptography.

Symmetric key cryptography

  • Symmetric key cryptography; Data Encryption Standard (DES) and the Advanced Encryption Standard (AES); the history of legal restrictions on cryptography; the history of DES and AES.
  • Triple DES; cipher block chaining; attacks on cryptographic protocols; current practice and future directions.
  • Secret key exchange protocols; the Diffie-Hellman Exchange (DHE); attacks on DHE and countermeasures.

Public key cryptography

  • Fundamentals of number theory; modular arithmetic; Fermat's and Euler's theorems; primality testing; the Chinese Remainder Theorem.
  • Principles of public key cryptography; the RSA algorithm and practical implementation details; the choice of public and private keys.
  • Strategies for attacking RSA; how secure is RSA? Cryptography in practice on the web; the limitations of public key cryptography; future directions.

Authentication

  • Authentication protocols; message integrity; message digests and cryptographic hash algorithms; essential properties of hash functions; MD5; Secure Hash Algorithm (SHA), SHA-2 and SHA-3.
  • Message authentication codes; digital signatures.
  • Digital certificates; certification authorities and certificate chains; certificate revocation. \item Case studies of DigiNotar and Comodo; current practice and future directions.

A security-conscious introduction to web protocols

  • A security-conscious introduction to web protocols, web caching and proxy management.
  • Hypertext Transfer Protocol (HTTP) and TCP/IP; basic syntax of HTTP, request and response messages.

Security issues surrounding URLs

  • The syntax of Uniform Resource Locators (URLs) and its security consequences.
  • Relative URLs; URL shorteners and their risks.

Security issues with HTTP

  • Security issues in HTTP; HTTP Referer header behavior; HTTP cookies; HTTP caching; HTTP proxies.
  • HTTP-based attacks and countermeasures; HTTP response splitting; cache poisoning and page hijacking with HTTP response splitting.
  • HTTP-SMTP interactions; HTTP request smuggling.

A security-conscious introduction to HTML

  • HyperText Markup Language (HTML) and its syntax; early growth of HTML; HTML parsing behavior; HTML content and forms; security basics of HTML; a brief introduction to XMLHTTPRequest.
  • HTML-based attacks and countermeasures; cross-site scripting using HTML; entity-encoding and its significance in HTML.

A security-conscious introduction to JavaScript

  • A security-conscious introduction to JavaScript and its runtime environment; JavaScript contexts; its parsing order, processing order and execution order; JavaScript objects and the concept of prototypes.
  • The Document Object Model (DOM) and the JavaScript object hierarchy; the Window object; security concerns with certain DOM properties.

A security-conscious introduction to CSS

\noindent {\em Week 8:} \\[-18pt]
  • A security-conscious introduction to Cascading Style Sheets (CSS) and its syntax; the CSS parser and security consequences.
  • CSS-based attacks and countermeasures including code injection, clickjacking and history mining.

Encrypted web communications (HTTPS)

  • Transport Layer Security (TLS) and HTTPS; history of the Secure Sockets Layer (SSL); TLS operation; key management in TLS.
  • TLS implementation; TLS protocols; the hashed message authentication code (HMAC).
  • Understanding cipher suites; the future of SSL and TLS.

Attacks on HTTPS

  • Interception attacks against SSL and TLS; brute force and dictionary attacks on TLS; replay and other attacks on TLS; known vulnerabilities of TLS; computational overhead of TLS.
  • Creating an SSL server and obtaining a certificate; using cookies securely on the server-side; connecting to databases securely; achieving server-side protection through redundancy.

Content isolation

  • An introduction to the problem of isolating content in browsers from different origins; the same-origin policy (SOP); what SOP restricts and does not restrict; mechanisms to cross the origin boundaries.
  • A deeper look into the Document Object Model (DOM) and the same-origin policy; attacks based on cross-site scripting.
  • Same-origin policy and session management with HTTP cookies; security policies for cookies; SOP and data theft.

Same origin policies and browser security

  • Web storage and the same-origin policy; local storage and session storage; security consequences; web cookies.
  • Cross-site request forgery (CSRF); token-based validation; the Origin header; login CSRF; countermeasures.
  • Origin inheritance; {\em data:} and {\em about:blank} pages and security implications.
  • History of cross-origin attacks and defenses.

Domain Name Service (DNS)

  • A review of the DNS protocol; resource records; DNS queries and responses; why is DNS important to security?
  • DNS-based attacks: query redirection attacks; DNS rebinding attacks; DNS timing attacks; DNS cache-poisoning attacks; blind response forgery; the Kaminsky attack.

DNS Security Extensions (DNSSEC)

  • Solutions and counter-measures; DNS pinning; source port randomization.
  • DNS Security Extensions (DNSSEC); the goals of DNSSEC; resource records in DNSSEC; the concept of a trust anchor; keys in DNSSEC.
  • Authenticated denial of existence and the NSEC3 record; current DNSSEC deployment; the zone enumeration issue in DNSSEC; the Google DNS; OpenDNS and its protection against phishing; current practice and future directions in DNS.
  • Guarding the domain registration and DNS.

Web privacy

  • Web privacy; differences between privacy, security and anonymity. \item User tracking within a site; tracking across multiple sites; third-party tracking; Google's AdID; defending against tracking; the Do Not Track option.
  • Browser history sniffing; timing attacks on privacy; web storage and privacy; browser fingerprinting; directory traversal issues; file inclusion and remote file inclusion.

Anonymous web browsing

  • Anonymous browsing on the web; privacy vs. anonymity; why anonymity? what anonymity implies; unlinkability and mixes; the mix process and flushing algorithms.
  • Proxies and proxy chaining; virtual private networks.
  • Onion routing and Tor; circuit establishment in onion routing; how Tor works; key management in Tor; the telescopic circuit establishment.

Attacks on anonymity

  • Attacks on Tor; traffic analysis attacks; JavaScript-based attacks on Tor; what Tor can and cannot protect against.
  • De-anonymization of data sets; exploitation of browser uniqueness; mathematical foundations of de-anonymization; anonymous authentication; zero-knowledge proofs.

Illegal web hosting and anonymous publishing

  • Illegal hosting and anonymous publishing; how does someone host illegal content (e.g., calls for democracy under a dictatorship).
  • Distributed hash tables; Freenet and the Dark Freenet.
  • Tor's hidden services; how Tor protects the anonymity of a hidden server; attacks on Tor's hidden services.
  • Botnets and fast-flux proxy networks; algorithmically generated domain fluxes.

Censorship on the web

  • Darknets; criminal web enterprises; denial of service attacks and cyber-extortion; the underground Internet economics of cybercrime.
  • Internet censorship; mechanisms of censorship: blocking by service type, user, content or traffic signature; classes of circumvention strategies: mirror sites, proxies, virtual private networks and Tor-like solutions.
  • Keyword filtering; censorship by forged RSTs and dropped SYN/ACK segments; censorship by DNS spoofing; collateral damage of DNS hijacking; IP address blocking mechanisms: null routing, BGP route poisoning.
  • A detailed case study of the Great Firewall

Circumventing web censorship

  • Tor and censorship: blocking of public relays and bridges; detecting Tor bridges;
  • Circumvention by packet fragmentation; TCP window resizing; flash proxies and pluggable transports; Google as a circumvention tool.
  • Internet surveillance; cybersecurity in international politics; political and corporate policies governing web publishing and Internet freedom; shifts in Internet governance and its implication to censorship and surveillance.

Research directions in web security

  • Research project ideas and development ideas in web security; project options for students in Web Security III.
  • Research perspectives in web security.

Writing secure web software

  • Writing secure software; common software security pitfalls; managing risk; black-box testing; fixing the weakest link; failing gracefully and securely; sand-boxing; using the principle of least privilege.
  • Keeping it simple; incorporating diversity; managing dampness and fairness; building in reciprocity; future directions in browser security.

Mobile web security

  • What is different about mobile? The unique needs of mobile web security.
  • Computational limitations; handling absence of firewalls and security software; mobile web malware.

Elliptic curve cryptography (ECC)

  • The mobile web and elliptic curve cryptography (ECC).
  • Groups, rings and fields; elliptic curves; the Diffie-Hellman Exchange using ECC; elliptic curve arithmetic; encryption and decryption using ECC.
  • ECC in practice; recommended ECC parameters; the efficiency of ECC.

Advanced topics in JavaScript security

  • Security and AJAX (Asynchronous JavaScript with XML); using XMLHttpRequest; JavaScript Object Notation (JSON).
  • XMLHttpRequest and the same-origin policy; security implications of custom HTTP headers in XMLHttpRequest; Cross-Origin Resource Sharing (CORS); simple and non-simple CORS requests.

Server-side security issues

  • Web site back-end programming and network programming in Python; server-side issues in web security.
  • Server configuration issues; case studies of Apache and Nginx.

Brute-force and other attacks

  • Denial-of-Service attacks on the browser; browser limits on execution time, memory use and connections; pop-ups and pop-unders.
  • How attackers attack; the attacker's work bench; reconnaissance; proxy use by attackers; port scanning and vulnerability scanning tools; Metasploit and other penetration testing tools for defense against attackers.

Web-based malware

  • Web-based malware; worms, viruses, spyware and other malware; the web as a vehicle for malware distribution; drive-by download of malware; search worms.
  • Vulnerabilities exploited in web clients and servers: buffer overflow, the stack overflow and the heap overflow; race conditions; SQL injections.

Intrusion detection for web sites

  • Intrusion detection systems for the web.
  • An introduction to approaches to anomaly detection based in information theory, machine learning, statistics, and signatures; feature identification and clustering; principal component analysis.
  • Honeypots and their role in intrusion detection; a brief introduction to the capabilities of Snort.

Security advice for web users and developers

  • Fundamental principles of security for both web hosts and web developers.
  • Protecting your privacy on the web; securing your web browser; security advice for the user.

Research/development project overviews and future directions

  • Overviews of student projects in web security (in Web Security III)
  • More on research perspectives in web security.
  • Future directions in browser software, web development, server management and web hosting.

Grading Policy

The grading in these courses is based on class participation, homework assignments, programming assignments, one mid-term examination and a final examination, each weighted as follows:

Web Security I:

  • Class participation: 5%
  • Weekly homework assignments: 25%
  • Mid-term exam(s): 30%
  • Final examination: 40%

Web Security II:

  • Class participation: 5%
  • Weekly homework assignments: 40%
  • Mid-term exam(s): 25%
  • Final examination: 30%

Web Security III:

  • Class participation: 5%
  • Weekly quizzes: 35%
  • Research project: 30%
  • Development project: 30%

Policy on homework assignments

Homeworks are always due before the beginning of class hours (5pm on Mondays) approximately two weeks after they are assigned. Homeworks submitted after the due date and time will not be accepted, and will be graded at 0 points.

Policy on exams

All exams in the courses will be open-lecture slides. Use of any books or any other material, however, is not permissible. Use of calculators is allowed but use of cellphones, laptops, or any other devices capable of computing are prohibited. The exams will primarily cover material discussed in the lectures and homework assignments.

Policy on Absences

Absence from examinations will be excused only under extraordinary circumstances such as medical or family emergencies. A missed examination without prior approval and without legitimate reasons will be graded at zero points. An absence will be excused only if the student is able to provide legitimate documentation (such as a physician's note). An absence from an examination with prior approval will require the student to take an alternate exam at a later time. Special examinations will not be held earlier or on later dates to accommodate, for example, flight schedules for overseas vacations.

Policy on Academic Honesty

Each student is expected to complete weekly assignments independently; it is not acceptable to copy another student's work or to copy solutions from any other source. Barring action on flagrant violations, an honor system will be assumed.

The following is a partial list of activities that will be considered to constitute academic dishonesty:

  • Presenting the work of another person (fellow student or not) as your own.
  • Cheating in an examination such as through conversations with other students, sharing textbooks, calculators or other materials with another student, using unauthorized material not approved by the instructor, or by inappropriate or unauthorized use of technology such as laptops and cell-phones during an examination.
  • Using or attempting to use the work of another student or providing answers to other students.
  • Failing to take reasonable measures to protect your work from use by other students in assignments, projects or examinations.

Penalties for academic dishonesty will be strictly enforced and will include a lowering of the grade or a failing grade in the course.