tau_logo

Fall 2010

Security, or guaranteeing the expected behavior in face of intended attacks, is an integral aspect of the design and use of modern information systems. The workshop will provide hands-on programming experience in different aspects of computer and communication security.


Main goals:

  • To introduce students to the challenges of writing security-conscious programs and implementing cryptographic protocols.
  • To lead students through an end-to-end software development cycle:
    • defining the project
    • researching for similar projects
    • learning required background (protocols, APIs, environment)
    • designing the methods of implementation
    • actual implementation
    • testing and debugging
    • adjusting project in response to feedback
    • wrapping up the project and presenting it to the world
  • To give students a better understanding of team-based development (as opposed to solo projects): distribution of tasks, source control and integration of code.
  • To learn something new while having fun

Note: The workshop projects will be interesting and "cool" but not easy!

 

General Information:

 

Instructor:  Ran Canetti

Assistant:  Ben Riva

Lecture hours: Tue 10-12, Schreiber 08

Prerequisite: Software 1.

There is no formal prerequisite requirement regarding cryptography or computer security, although some prior background knowledge and affinity will certainly help. Students will be expected to read and learn on their own any concepts and systems that are needed in order to carry out the project successfully.


Methodology

After two introductory lectures, the students will form teams of 1 to 6 students. Each team will choose a project of scope appropriate to its size (See list of projects below.) Project selection should be done as early as possible, but no later than the third meeting.

The first part of the work on the project is devoted to collecting, reading and understanding the background material. This includes understanding the goal, the relevant theoretical background, the tools to be employed, the programming environment. Very importantly, it also includes a literature search on potential similar software that's already available. At the end of this part, each group has to present its plan to the instructors. You will have to explain in detail the implementation design and show understanding of the internals of the project. Emphasis on implementation and specific project goals will be given by the instructors. You are strongly encouraged to have this presentation as soon as possible.

The main part of the work is devoted to implementing the plans made in the first part. You are expected to test the code you wrote, analyze its performance and draw conclusions as to how it can be improved, what features can be added. Throughout the semester we will have three course meetings in which each group will describe its progress to class and will raise for discussion issues encountered while working on the project.

Submission will be done in three steps:

1. Pre-submission. Each group will have a personal meeting with Ran and Ben, presenting their project in action. Although this presentation is part of the grade, it is intended mostly for feedback.

2. Class presentation. On the last two weeks of the semester, each group will present its project to the class.

3. Final submission. Each group will have another personal meeting with Ran and Ben, presenting their project in action. Changes based on feedback from pre-submission and class presentation will be expected.


Requirements

  • Present project plan and get an approval,
  • Participate in class discussions about your project and other projects,
  • Present the project and answer questions, following the guidelines in methodology section.


Grade

The grade will be the sum of two components: The project component and the understanding/participation component. The project grade will be based solely on the quality of the implementation and the demonstration, against the stated goals. This component will be the same for all the participants in the project. The understanding/participation grade is individual and will be based on the Ran and Ben's impression of your understanding of the material in individual meetings and in the project discussion in class meetings. Note that this component can be either positive or negative.


Code sharing policy

Some projects will be encouraged to share information and code; in other cases such sharing will be prohibited. Needless to say, any unauthorized copying or sharing of information will result in a grade penalty or possible disciplinary action. This includes unauthorized use of publicly available code (such as code provided on the Internet) for some of the tasks you are required to implement. When in doubt, ask.


Technical Details

  • In some of the projects you may choose between Windows (2000/XP/Vista), Mac OS or Linux as your OS of choice, but some should be OS-independent.
  • You may write the project in Java or C/C++. If you want to use another programming language, please contact Ran or Ben for approval.
  • Your submission package should be a zip file that includes
    • Source code (well documented), including makefile, etc
      • If possible, generate automatic documentation for your code (e.g., using Javadoc or Doxygen).
    • A readme file explaining how to build your project
    • Compiled executables
    • Design documentation (high level documentation)
    • User documentation
    • Presentation of the project (including previous work, protocol, implementation details, etc)
    • A web page for your project which will be added to this page!


Class tentative outline:

19/10, 26/10

Workshop goals, methodologies and requirements. Intro to security and cryptography (class)

2/11, 9/11

Overview of suggested projects (class)

16/11

Selection of projects (by email)

23/11

Presentations of work plans (class- each project 10 minutes)

21/12

Status reports (class- each project 10 minutes)

11/1, 18/1

Project presentation (class- each project 10 minutes)

25/1

Project submission

 

 

 

Suggested Projects:

 

Below is a tentative list of suggested projects. This list is subject to change. The description below is very terse. More details will be given in class. Projects may be added in the coming weeks. In addition, teams are welcome to propose their own security-related projects. These proposals will of course be subject to approval of the course staff.

 

Analyzing and preventing Ajax attacks (Amdocs, 2-4 students)

General Description: Ajax (Asynchronous Java script and XML) is becoming very popular in modern web applications. Ajax usage in web applications may raise some special security vulnerabilities that require special attention by Ajax developers and application security experts. There aren’t many security tools in the market to help securing Ajax screens. This project goal is to create a tool to help securing Ajax applications.

Topics to be handled by this tool:

-       CSRF – Cross Site Request Forgery. Preventing this kind of attack by sending and checking for a random token, needs special attention in Ajax screens

-       Java script code obfuscation and code encryption

-       Code signing

We expect the student(s) to study and analyze Ajax Security, research to find what tools are available in the market today and come up with a list of features to develop in this tool. From this list, we will select together topics that we’d like to see in this tool.

Goals: To develop an Ajax security tool that mitigates Ajax vulnerabilities as part of a web application at run time.

Prerequisites: Java development background, Application security knowledge, Knowledge of Web application technologies.

File Upload Validator Project (Amdocs, 2-3 students)

General Description: Many applications take advantage of the band width available today and allow users to upload file, either for storage or usage within the flow of the software. This allows the software to be more appealing and interactive with the user. With this great advantage comes a big problem. The uploaded file is a “jack in the box”. It may convey all sorts of trouble within, from viruses to extremely large sizes or injected malicious code. The file is actually a comfortable entry point of the hacker into the application. A “Swiss knife” utility to handle different file types is required. This utility should be the gate keeper for uploaded files into the software and be able to check malicious content, legitimacy, size and any other factors that would indicate the file is safe to use.

Goals: Develop a utility that covers a wide range of files. The utility checks file extension and the correlation between file extension and file content It also checks for malicious code injection and viruses.

Example of things to check.

·         File size

·         File content

·         File extension

·         Target folder for uploads

·         Signature on files

Prerequisites: Java development background, Application security knowledge, Knowledge of Web application technologies.

GlassBox - Scanning web-applications for security vulnerabilities from the inside out (IBM, 2-4 students)

Background: Automatically scanning for web application security vulnerabilities is traditionally performed either using a White-box approach (static analysis) or using a Black-box approach (dynamic analysis). Each of the two approaches has it pros and cons. An exciting new technology called Glass-box is emerging as a way to enjoy the benefits of both approaches and beyond. Glass-box technology allows observing the behavior of the application “from within” while scanning the application, providing the missing bridge between Black-box and White-box. The ability to examine the application from both perspectives at once allows Glass-box to detect security issues that were previously not possible to detect.
A major component in the Glass-box scanner is an agent, which is deployed on the application under test (AUT). The agent is able to inspect the behavior of the AUT and even change its behavior if necessary. The agent communicates with the Black-box scanner, providing it with necessary information (which may not be reflected in the plain HTTP communication).
The Project: The project requires strong students with previous development experience (preferably in JAVA). The students will participate in the implementation of major components in the solution. The implementation requires high skills in JAVA and involves using top of the art instrumentation technologies. The students will be required to provide both technological and algorithmic solutions to problems encountered. Any web application security knowledge will be provided by the Rational application security group, which will work closely with the students. The static analysis group will provide the students with support for the code inspection aspects.


Detecting and protecting against regular expression denial of service attacks (ReDos)
(IBM, 2 students)

Background: A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers.
Regular expressions (regexes) provide a concise and flexible means for identifying strings. Common use of regular expressions in web applications is in validation user input to match defined expression such as name, password, email, telephone number and etc. Validation using regexes can be used in either client side or server side. While DoS in the client side will only crash the user's browser, DoS in the server side is a huge threat to an application.
In computer science regular expression is defined as a regular language. Matching a word (string) to a regular language has linear time algorithm, therefore regular expression in their simple definition are not considered a computation problem.
Though, regular expression engines support the backreference option. Backreference refers to a substring previously encountered in the target text. Adding the backreference option converts the language to be NP-Complete language. The best known algorithm to match a word (string) to a NP-complete language is exponential in the worst case.
Regular expression engines in all web languages (Perl, Python, C++, C#, Java, PHP) use an "exponential in the worst case" algorithm, even when the expression itself does not contain backreference option. Due to this property of regular expression engines matching algorithm, there exist Unsafe Regular Expressions. Unsafe regex is an expression that has a payload that the engine run in exponential time, with respect to the payload's length, when trying to match this payload.
Simple example:

 Unsafe regex: ^(a|aa)*$

 Worst case payload: a{N}1 ('N' times the a character follows with the character 1)

 Number of matching tries for this payload is exponential in 'N', therefore the regex engine will run in exponential in 'N' time.

 Trying to match a payload of 'a{99}1' will stuck the regex engine forever.

The main use of backreference is due to its simplicity rather than to its abilities. Therefore, in most cases, a backreference expression can be replaced with a "simple" regular expression.

 


The project: The project will include both research and implementation parts.
Detect and correct unsafe regular expression – 1 student.

Currently there is no automatic way to identify unsafe regular expressions, though it is clear there are deterministic characteristics for such expression.

The first goal of this part is to create a method for identifying unsafe regular expression.

In addition, any unsafe regular expression that is not using backreference should have a matching safe implementation. The second goal of this part is to create a conversion method from an unsafe expression to a safe implementation of the expression.
Create a safe regex library for Java users – 1 student

Currently there exists a java library called Jakarta for working with regular expression as automata. The goal of this part is create an open source regex engine library based on Thompson NFA linear algorithm for a public use.

For more reading please refer to the following article: http://swtch.com/~rsc/regexp/regexp1.html

Prerequisites:

·         Algorithms (67504)

·         Computation and formal languages (67521)


Improving TLS firewall interception mechanism (3-4 students)
The common method by which current firewalls inspect the contents of secured TLS connections between clients inside the firewall and servers outside the firewall is the following: The client (unknowingly) sets up the TLS session with the firewall, and the firewall sets up a different session with the server. This mechanism has many drawbacks, both on the usability side and on the security implications for the client and server.

In this project, we want to implement an alternative approach, where the client explicitly gives the firewall the ability to inspect its secured TLS session, by giving it the encryption key for this session. The idea is to have the client access the SSL/TLS session encryption key from the browser, and safely transport this key to the firewall via a separate secure channel with the firewall.
More specifically, the project is to:

·         Implement a service or a browser plugin for Windows/Linux that extracts (in real time) all generated SSL/TLS session
keys, and forwards them to the firewall

·         Set up a firewall/intrusion detection system that supports TLS man-in-the-middle

·         Add to the firewall the feature of receiving the session keys, matching them to their TLS sessions and decrypting the traffic

·         Measure the performance.

The results, if appropriate, might become part of a research publication describing this solution.


Secure database on the cloud
(3-4 students)
When you store something on the cloud, you can’t assume that its privacy or integrity will be ensured. Hackers, malicious insiders or just lack of security measures can result in leakage of your most sensitive information. The goal of this project is to implement a secure and encrypted database such that the client is capable of querying the database without exposing the decryption key to the cloud provider or anyone else. Moreover, the client is able to test whether the cloud still stores all his data in a very efficient way.

The idea is to implement the protocol over existing database (e.g. MySQL, Amazon SimpleDB). The solution should be based on previous works, including http://www.eecs.harvard.edu/~michaelm/postscripts/acns2005.pdf and/or http://cs.ucla.edu/~rafail/PUBLIC/74.pdf for encrypted databases that support encrypted queries, and http://cseweb.ucsd.edu/~hovav/dist/verstore.pdf and http://eprint.iacr.org/2008/175.pdf for proofs of possession.


Schreiber’s Wall of Sheep
(1-2 students)

People often do not know how much they sacrifice their privacy in public environments. Many Bluetooth devices are left open, laptops are configured to connect to any access point in the area, passwords are sent in clear-text, etc.

In this project you will implement a system that will alert about such weaknesses. Check http://www.wallofsheep.com.

 


General secure multi-party computation protocol
(2-3 students)
Secure multi-party computation is a cryptographic paradigm that allows a set of mutually distrustful parties to perform some joint computation in a way that guarantees correctness of the outputs along with secrecy of local data (to the maximum possible extent). Our current ongoing project works on inputs of circuits, and assumes communication channels are in order. We want to improve those two weaknesses, specifically we want to implement:

1.     A compiler that takes a program written in C-like language and produces a matching circuit.

2.     A reliable broadcast channel or a semi-trusted public board

 

Smart-phones for Security Assessment (1-3 students)
The power of smartphones keeps growing every day. And as those powerful “computers” are common, one may use them to assess security. In example, check BTLocate (
http://btlocate.com), where a nokia smartphone can be used as a low-tech surveillance system.

One possible project is to extend BTLocate to other devices and the do some large experiments with it. A different project could be to write some basic penetration tools for smartphones (e.g., HTTP sniffer that presents the webpage in real-time, add GUI to Metasploit).  Other ideas are welcome.


Your suggested project!

 

Disclaimer

© Copyright 2008 Tel Aviv University All rights reserved.