4 research outputs found

Analysis of attacks on content security policies

Cross-site scripting attacks are a major threat to web applications. Such attacks are used to inject undesirable content into web pages. The Content Security Policy (CSP) is an approach to mitigate content injection and secure websites. The security mechanism is added to the HTTP header and prohibits the execution of inline scripts, whitelists resources and bans dangerous JavaScript functions. CSP is a client-side protection and is enforced by the browser. Because CSP promises strong protection against cross-site scripting, its real-world adoption is investigated: it had an adoption rate of 2.5% among the one million most popular sites in 2018. Unfortunately, the effort to make websites CSP compatible is high and results in a trade-off between security and functionality. Additionally, CSP cannot keep its promise of security against content injection: in the literature, 94.72% of all investigated real-world policies are bypassed due to unsafe endpoints in the whitelist and other vulnerabilities. Finally, these numbers call for changes in the use and concept of CSP.

Cross-site scripting attacks are a major threat to web applications. Such attacks are used to inject unwanted content into websites. The Content Security Policy is an approach to mitigate the impact of content injection and make websites more secure. The security mechanism is added to the HTTP header and blocks the execution of inline scripts, adds resources to a whitelist and forbids dangerous JavaScript functions. CSP is a client-side protection and is enforced by the browser. The adoption rate of the Content Security Policy is examined using real-world figures, since CSP's protection against cross-site scripting is regarded as promising and was already implemented by 2.5% of the one million most visited websites in 2018. Unfortunately, the high effort of making a website CSP compatible leads to a compromise between security and functionality. Additionally, the security promise that CSP offers as protection against content injection cannot be kept. In the specialist literature, 94.72% of all investigated policies are circumvented through unsafe endpoints in the whitelist and other gaps. Ultimately, such figures call for changes in the application and in the concept of CSP.

On the Use of Migration to Stop Illicit Channels

Side and covert channels (referred to collectively as illicit channels) are an insidious affliction of high-security systems brought about by the unwanted and unregulated sharing of state amongst processes. Illicit channels can be effectively broken through isolation, which limits the degree to which processes can interact. The drawback of using isolation as a general mitigation against illicit channels is that it can be very wasteful when employed naively. In particular, permanently isolating every tenant of a public cloud service to its own separate machine would completely undermine the economics of cloud computing, as it would remove the advantages of consolidation. On closer inspection, it transpires that only a subset of a tenant's activities are sufficiently security sensitive to merit strong isolation. Moreover, it is not generally necessary to maintain isolation indefinitely, nor is it given that isolation must always be procured at the machine level. This work builds on these observations by exploring a fine-grained and hierarchical model of isolation, where fractions of a machine can be isolated dynamically using migration. Using different units of isolation allows a system to isolate processes from each other with a minimum of over-allocated resources, and having a dynamic and reconfigurable model enables isolation to be procured on demand. The model is then realised as an implemented framework that allows the fine-grained provisioning of units of computation, managing migrations at the core, virtual CPU, process group, process/container and virtual machine level. Use of this framework is demonstrated in detecting and mitigating a machine-wide covert channel, and in implementing a multi-level moving target defence. Finally, this work describes the extension of post-copy live migration mechanisms to allow temporary virtual machine migration. This adds the ability to isolate a virtual machine on a short-term basis, which subsequently allows migrations to happen at a higher frequency and with fewer redundant memory transfers, and also creates the opportunity of time-sharing a particular physical machine's features amongst a set of tenants' virtual machines.

Declarative design and enforcement for secure cloud applications

The growing demands of users and industry have led to an increase in both size and complexity of deployed software in recent years. This tendency mainly stems from a growing number of interconnected mobile devices and from the huge amounts of data that are collected every day by a growing number of sensors and interfaces. Such an increase in complexity imposes various challenges, not only in terms of software correctness but also with respect to security. This thesis addresses three complementary approaches to cope with these challenges: (i) appropriate high-level abstractions and verifiable translation methods to executable applications in order to guarantee flawless implementations, (ii) strong cryptographic mechanisms in order to realize the desired security goals, and (iii) convenient methods in order to incentivize the correct usage of existing techniques and tools. In more detail, the thesis presents two frameworks for the declarative specification of functionality and security, together with advanced compilers for the verifiable translation to executable applications. Moreover, the thesis presents two cryptographic primitives for the enforcement of cloud-based security properties: homomorphic message authentication codes ensure the correctness of evaluating functions over data outsourced to unreliable cloud servers; and efficiently verifiable non-interactive zero-knowledge proofs convince verifiers of computation results without the verifiers having access to the computation input.

The growing demands from industry and end users call for ever more complex software systems, largely due to the steadily growing number of mobile devices and, with it, the growing number of sensors and collected data. As software complexity grows, so do the challenges of correctness and security. This thesis addresses these challenges in the form of three complementary approaches: (i) suitable abstractions and verifiable translation methods to executable applications that guarantee flawless implementations, (ii) strong cryptographic mechanisms to realize the specified security requirements efficiently and correctly, and (iii) practical methods that encourage the correct use of existing tools and techniques. This thesis presents two novel workflows that enable verifiable translations from declarative specifications of functional and security-relevant goals to executable cloud applications. Furthermore, this thesis presents two cryptographic primitives for secure computation in unreliable cloud environments. Although the input data of the computations was previously outsourced to the cloud and is no longer available for verifying the computations, it is possible to check the correctness of the results efficiently.