Chapter 6: Hostile Code - PowerPoint PPT Presentation

1 / 13
About This Presentation
Title:

Chapter 6: Hostile Code

Description:

Chapter 6: Hostile Code Guide to Computer Network Security Scripting technology is making the Web interactive and automated as Web servers accept inputs from users ... – PowerPoint PPT presentation

Number of Views:93
Avg rating:3.0/5.0
Slides: 14
Provided by: Josep440
Learn more at: https://www.utc.edu
Category:

less

Transcript and Presenter's Notes

Title: Chapter 6: Hostile Code


1
Chapter 6 Hostile Code
  • Guide to Computer Network Security

2
  • Scripting technology is making the Web
    interactive and automated as Web servers accept
    inputs from users and respond to user inputs.
  • It has also introduced a huge security problem to
    an already security burdened cyberspace.
  • Hostile scripts, embedded in Web pages, as well
    as HTML formatted e-mail, attachments, and
    applets introduce a new security paradigm in
    cyberspace security.
  • Security problems are introduced in two areas
    at the server and at the client.

3
Introduction to the Common Gateway Interface (CGI)
  • The Common Gateway Interface, or CGI, is a
    standard to specify a data format that servers,
    browsers, and programs must use in order to
    exchange information.
  • A program written in any language that uses this
    standard to exchange data between a Web server
    and a clients browser is a CGI script.
  • A CGI script is an external gateway program to
    interface with information servers such as HTTP
    or Web servers and client browsers.

4
  • CGI scripts are great in that they allow the web
    servers to be dynamic and interactive with the
    client browser as the server receives and accepts
    user inputs and responds to them in a measured
    and relevant way to satisfy the user
  • CGI programs are of two types those written in
    programming languages such as C/C and Fortran
    that can be compiled to produce an executable
    module stored on the server, and scripts
    written in scripting languages such as PERL,
    Java, and Unix shell.

5
  • CGI scripts written in scripting languages are
    not complied like those in non-scripting
    languages. Instead, they are text code
    which is interpreted by the interpreter on the
    information server or in the browser and run
    right away
  • Both CGI programs or scripts, when executed at
    the information server, help organize information
    for both the server and the client.
  • CGI scripts go beyond dynamic form filling to
    automating a broad range of services in search
    engines and directories like making download
    available, granting access rights to users, and
    order confirmation.

6
CGI Scripts in a Three-Way Handshake
  • Server CGI Interface
  • The CGI scripts reside on the server side and are
    executed by the server to respond to the client
    demands.
  • An interface in Figure 2, separates the server
    and the script, and consists of information from
    the server supplied to the script that includes
    input variables extracted from an HTTP header
    from the client and information from
    the script back to the server.
  • Output information from the server to the
    script and from the script to the server is
    passed through environment variables and through
    script command lines which inputs that instruct a
    script to do certain tasks such as search and
    query.

7
CGI Script Security Issues
  • A CGI script is an open gateway that allows
    anyone anywhere to run an executable program on a
    server and even send their own programs to run
    on the server.
  • Yet CGI scripting is the fastest growing
    component of the Internet
  • It presents security problems to cyberspace in
    several ways including

8
  • Program development During program development,
    CGI scripts are written in high level programming
    language and complied before being executed or
    they are written in a scripting language and they
    are interpreted before they are executed. In
    either way, because programming complexity and
    owing to lack of program development discipline,
    errors introduced into the program are difficult
    to find, especially in non-compiled scripts.
  • Transient nature of execution When CGI scripts
    come into the server, they run as separate
    processes from that of the host server. Although
    this is good because it isolates the server from
    most script errors, the imported scripts may
    introduce hostile code into the server.
  • Cross-pollination The hostile code introduced
    into the server by a transient script can
    propagate into other server applications and can
    even be re-transmitted to other servers by a
    script bouncing off this server or originating
    from this server.
  • Resource-guzzling Scripts that are resource
    intensive could cause a security problem to a
    server with limited resources.
  • Remote execution Since servers can send CGI
    scripts to execute on surrogate servers, both
    the sending and receiving servers are
    left open to hostile code usually transmitted
    by the script.

9
  • All these situations present a possible security
    threat when one breaks into a script. Broken
    scripts are extremely dangerous as they
  • May allow an attacker access to the systems
    password file for decryption.
  • May allow mailing of a map of the system which
    gives the attacker more time offline to analyze
    the systems vulnerabilities
  • May allow starting a login server on a high port
    and telneting in.
  • May allow a distributed denial of service attack
    against the server.
  • May allow erasing or altering the servers log
    files.

10
  • Other security threats may include
  • Malicious code provided by one client for another
    client This can happen, for example, in sites
    that host discussion groups where one client can
    embed malicious HTML tags in a message intended
    for another client.
  • Malicious code sent inadvertently by a client
    When a client sends malicious data intended to be
    used only by itself. This occurs when the client
    relies on an untrustworthy source of information
    when submitting a request.

11
Web Script Security Issues
  • There are now thousands of Web scripts doing a
    variety of web services from form filling to
    information gathering. Most of these scripts
    either transient or reside on Web servers.
  • Because of popularity and widespread use, most
    client and server Web browsers today have the
    capability to interpret scripts embedded in Web
    pages downloaded from a Web server.
  • Most browsers are installed with the capability
    to run scripts enabled by default.

12
Dealing with the Script Security Problems
  • The love of Web automation is not likely to
    change soon and the future of a dynamic Web is
    here to stay.
  • More and more programs written for the Web are
    interacting with networked clients and servers,
    raising the fear of a possibility that clients
    and servers may be attacked by these programs
    using embedded scripts to gain unauthorized
    access.
  • It is, therefore, necessary to be aware of the
    following
  • Script command line statements Scripting
    languages such as PERL, PHP, and the Bourne shell
    pass information needed to perform tasks through
    command line statements which are then executed
    by an interpreter. This can be very dangerous.
  • Clients may use special characters in input
    strings to confuse other clients, servers, or
    scripts.
  • Problems with server-side include user-created
    documents in NCSA HTTPd that provide simple
    information, such as current date, the file's
    last modification date, and the size or last
    modification of other files, to clients on the
    fly. Sometimes this information can provide a
    powerful interface to CGI. In an unfortunate
    situation, server-side scripts are a security
    risk because they let clients execute
    dangerous commands on the server.

13
  • To avoid these problems
  • use only the data from a CGI, only if it will not
    harm the system
  • check all data into or out of the script to
    make sure that it is safe.
Write a Comment
User Comments (0)
About PowerShow.com