Massachusetts Institute of Technology. The course of lectures # ???. "Security of computer systems." Nikolai Zeldovich, James Mykens. 2014

 
Computer Systems Security is a course on developing and implementing secure computer systems. Lectures cover threat models, attacks that threaten security, and security techniques based on recent scientific work. Topics include operating system security (OS), capabilities, information flow management, language security, network protocols, hardware protection and security in web applications.
 
 
Lecture 1: "Introduction: threat models" Part 1 / Part 2 / Part 3
 
Lecture 2: "Control of hacker attacks" Part 1 / Part 2 / Part 3
 
Lecture 3: "Buffer overflow: exploits and protection" Part 1 / Part 2 / Part 3
 
Lecture 4: "Division of Privileges" Part 1 / Part 2 / Part 3
 
Lecture 5: "Where are the errors of security systems" Part 1 / Part 2
 
Lecture 6: "Opportunities" Part 1 / Part 2 / Part 3
 
Lecture 7: "Sandbox Native Client" Part 1 / Part 2 / Part 3
 
Lecture 8: "The model of network security" Part 1 / Part 2 / Part 3 https://www.quirksmode.org/ , but if you want to be happy, better not go there. There are actually documented all these awful inconsistencies that browsers do when a user presses a key. On this site you can check what happens.
 
 
In any case, in this lecture we will focus on the client side of the web application. In particular, we'll look at how you can isolate content coming from different web providers, which must somehow coexist on the same machine and in the same browser. There is a fundamental difference between what you usually think about the application on the desktop and what you think about the web application.
 
 
In abstract terms, most of the desktop applications you use can be perceived as a product of one developer, for example, Microsoft. Or, perhaps you are using the TurboTax software from Mr. and Mrs. TurboTax, and so on and so forth. But when you look at a web application, what visually look like to you is actually a heap of applications of different content from a bunch of different developers.
 
 
 
 
For example, you go to the CNN page, it seems to you that everything here is located on one tab. But each of those visual things that you see, in fact, can come from someone else. Let's look at a very simple example.
 
 
Let's say we went to the Internet at http://foo.com/index.html . What does the page we are considering consist of?
 
 
 
 
At the top may be advertising, which may have been uploaded with ads.com. On the left can be located an analytical unit, for example, from google.com. These libraries are very popular for tracking the number of people who have downloaded this page, for monitoring which links people click on, with which parts of the page they are more interested in interacting, and so on.
 
 
On the right, you may have another jаvascript library, say jQuery, which comes from cdn.foo.com. This is some content provided for the job foo.com.
 
 
jQuery is a very popular library for manipulating GUIs, so jQuery is available on a variety of sites, although they get it from different places. Further on this page you can see some HTML text data, buttons for the user, text fields, and so on, and so on. So it's just plain HTML on the page.
 
 
Then you can see what they call the embedded jаvascript code from foo.com. For example, we have an opening tag at the top, and jаvascript code is embedded directly in the middle between them. In our case, there is what is called the built-in jаvascript - this is the top part of the picture.
 
 
At the bottom of the line, I'll draw what we call a jаvascript script, because the content there is equal to something that resides on the remote server. This is what is called the external definition of jаvascript content. The script and the built-in code differ from each other, and on our page there is built-in jаvascript from foo.com.
 
 
 
 
And one more thing that can be here is a frame. A frame can be thought of as a separate jаvascript universe. This is slightly equivalent to a process in UNIX. Maybe this frame comes from facebook.com/likethis.html and inside it we have built-in jаvascript from Facebook.
 
 
Further we can have some f.jpeg images, which also come with facebook.com . So, all this looks like a single tab, although it consists of different content that can potentially be based on completely different principles. Therefore, you can ask a whole bunch of interesting questions about the application that looks like this.
 
 
 
 
For example, can this analytic code google.com haveaccess to the contents of jаvascript, which is in the code of jQuery. In the first approximation, perhaps it seems a bad idea, because these two parts of the code came from different places. But then again, maybe it's actually good, because, apparently, foo.com has placed both of these libraries here so that they can work with each other. So who knows?
 
 
Another question that you might have is whether the analytics code can actually interact with the text placed in the bottom block of HTML. For example, can the analytics code influence the event handlers?
 
 
jаvascript is a managed single-threaded model, so each frame has an event loop that is constantly being processed - key processes occur here, network event timers work and the like. And if this jаvascript code notices that there are still some handlers trying to control these same events, then it will get rid of them.
 
 
So who should be able to define event handlers for this HTML? First, google.com should be able to do this. This can also be foo.com, or maybe not.
 
Another question is what links this Facebook frame to the common, big frame foo.com? The Facebook frame is HTTPS, that is, secure, foo.com is HTTP, that is, an insecure connection. So how can these two things interact?
 
 
To answer these questions, browsers use a security model called the same-origin policy, or a policy of the same origin. This is a kind of vague goal, because many things that relate to web security are rather vague, because nobody knows what they are doing. But the basic idea is that two websites should not have the ability to interfere with each other's work if they do not want it. Thus, it was easier to determine what this intervention meant, when the Internet itself was simpler. But as we continue to add new APIs, it is becoming harder and harder for us to understand what the goal of the non-intervention policy means. For example, it is obviously bad if two websites that do not trust each other will be able to display their data on a common display. This seems clearly a bad thing, and it's obviously a good thing that when two websites that want to collaborate are able to share data in some safe way.
 
 
You could hear about mixed sites, this is exactly what I said. Therefore, on the Internet you will meet with such things, when someone takes data from a Google map and places the location of trucks with products on them. Thus, you have this amazing "puree", which allows you to eat cheaply and at the same time avoid salmonella. But how exactly are composites of this type created?
 
 
There are other complicated things. For example, if jаvascript comes from origin X inside the origin Y page, what should the contents of this code be? Thus, a strategy that uses a policy of the same origin can approximately be described as follows.
 
 
Each resource is assigned its own source of origin, and jаvascript code can only access resources that have such a source. This is a top-level strategy, which is used by politicians of the same origin.
 
 
But the devil lies in the details, so there are a lot of exceptions, which we will consider in a second. But before we continue, let's define what is the origin.
 
In principle, the origin is a network protocol scheme plus the host name plus the port. For example, we might have something like http: //foo.com/index.html.
 
 
 
 
So, the scheme of our network protocol is HTTP, the hostname is foo.com, and port 80. In this case, the port is implicit. A port is a server-side port that the user uses to connect to the server. So if you see a URL with an HTTP scheme where there is no explicitly specified port, then port 80 is used here.
 
 
If you look at something like https: //foo.com/index.html, then these two addresses have the same host name, but in fact they have different schemes - the https protocol against http. In addition, there is an implicit presence of port 44? which is the default port for the secure HTTPS protocol. So, these two URLs have different origins.
 
 
For the last example, consider the site http: //bar.com:8181/
 
 
The ellipsis after the slash indicates that these things do not matter in relation to a policy of the same origin, at least with respect to this very simple example.
 
We see that we have an HTTP scheme, the hostname is bar.com, and here we have an explicitly specified port. In this case, this is a non-standard port of 8181. In fact, this is the source of origin. Roughly speaking, one can think of origin as a UID in Unix, where the frame is treated as a process.
 
 
Thus, there are four basic ideas underlying the implementation of policies of the same origin for the browser.
 
 
The first idea: each source of origin has a client part of the resource. This client part is a cookies. Cookies can be viewed as a very simple way to implement a state in such a non-persistent protocol, like HTTP.
 
 
Basically, a cookie is a tiny file that is associated with every original source. Later we will talk a little about this specifics.
 
 
But the basic idea is that when a browser sends a request to a specific site, it includes any cookies the client has for that site. And these cookies can be used for such things as remembering the password.
 
 
For example, if you are going to an e-commerce site, these cookies may contain a mention of the goods in the user's shopping cart and so on.
 
 
Thus, cookies are one thing that each origin origin can be associated with. In addition, you perceive the repository of object models of DOM documents as another source of these resources. This is a fairly new interface, but it already has a key importance as an interface for structuring HTML and XML documents.
 
 
Thus, the DOM store allows you to tell the source: "Let me bind this key, which is a string, with this given value, which is also a string."
 
 
Another thing related to origin is the jаvascript namespace. This namespace defines which functions and interfaces are available to the source of origin.
 
 
Some of these interfaces include, for example, prototypes of strings and the like. Then the application can actually fill the jаvascript namespace with other content.
 
Still there is such a thing as the DOM tree. As you know, DOM stands for "Document Object Model". And the Dom tree is, in fact, a reflection of HTML on the page using jаvascript.
 
 
 
 
So, you can imagine that at the top the DOM tree has an HTML node, below is the node for the head header tag of the head message and the node for the body tag of the body message and so on.
 
 
 
 
So many dynamic web pages change because of the jаvascript code, which can access the data of this structure in jаvascript that reflects the HTML content.
 
Thus, you can imagine that the animation on the browser page is due to the modification of some nodes of the tree in order to implement different organizations of different tabs. That's what a DOM tree is. There is also a visual display area, which, as we will see later, interacts very strangely with the same source-of-origin policy, and so on and so forth.
 
 
Thus, at a high level, each source has access to some set of client resources of the types we listed.
 
 
The second idea is that each frame gets the origin of its URL. As I mentioned earlier, the frame is roughly the same as the process in Unix. This is a kind of namespace that combines a bunch of other different resources.
 
 
The third idea is that scripts, or jаvascript code, are executed with the authority corresponding to the authority of the origin of the frame.
 
 
This means that when foo.com imports a jаvascript file from bar.com, the jаvascript file will be able to act with the authority of foo.com. Roughly speaking, this is similar to what happens in the Unix world when you need to run a binary file belonging to someone else's home directory. This is something that must be carried out in accordance with your privileges.
 
 
The fourth idea is passive content. By passive content I mean images or CSS files, that is, things that do not contain executable code.
 
 
 
 
Thus, passive content gets zero powers from the browser. In a second I will explain the subtleties of the fourth idea. Returning to our example, you can see that the Google Analytics script and the jQuery script can access all kinds of content inside foo.com. For example, they can read and write cookies, they can attach the event handler to the buttons, and so on.
 
 
If we look at the Facebook frame and its relation to the larger foo.com frame, then we will see that they are from different sources, because they have different schemes here. They have different host names and different ports. This means that in the first approximation they are isolated from each other. But they can interact with each other if they use an interface called Post Message. It allows two different frames to exchange asynchronous immutable messages with each other.
 
 
 
 
So think about this Post Message as a method that allows Facebook to send a string, not a link, up, to the foo.com frame. Please note that if foo.com does not want to receive these messages, Facebook will not be able to send it anything to it, since in order for this piece to work, you need the consent of both parties.
 
 
Note that the jаvascript code here, in the Facebook frame, can not issue an XML request to the HTTP server foo.com, because network destinations also have these sources of origin that are associated with them. Because Facebook.com does not have the same origin as foo.com, it can not asynchronously retrieve material from it using an HTML request.
 
 
The last thing we can see is the image of the advertisement at the top, here is ads.com. This is what obeys the fourth idea, just an image that does not have executable code. So it is clear that the browser will not give him any authority.
 
 
You may think that we are discussing nonsense - well, how can images have or do not have authority, because they can not do anything!
 
 
The fact is that there are security considerations. This is the subtlety that hides in the 4th idea.
 
 
28:00 min
 
 
Continuation:
 
 
Course MIT "Security of computer systems." Lecture 8: "The model of network security", part 2
 
 

 
The full version of the course is available at here .
 
 
Thank you for staying with us. Do you like our articles? Want to see more interesting materials? Support us by placing an order or by recommending to friends, 30% discount for Hubr users on the unique analogue entry-level servers, which was invented by us for you: The whole truth about VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR???GB SSD 1Gbps from $ 20 or how to divide the server correctly? (options are available with RAID1 and RAID1? up to 24 cores and up to 40GB DDR4).
 
 
VPS (KVM) E5-2650 v4 (6 Cores) 10GB DDR???GB SSD 1Gbps until December Free of charge when paying for a period of six months, you can order here .
 
 
Dell R730xd is 2 times cheaper? Only we have 2 x Intel Dodeca-Core Xeon E5-2650v???GB DDR4 6x480GB SSD 1Gbps 100 TV from $ 249 in the Netherlands and the USA! Read about that How to build a building infrastructure. class with the use of servers Dell R730xd E5-2650 v4 cost 9000 euros for a penny?