Browser Security Model
1 CS155 Spring 2017 Browser Security Model John Mitchell
2 Top Web Vulnerabilities
3 Historical Web Vulnerabilities "In the Wild" Data from aggregator and validator of NVD-reported vulnerabilities
4 Historical Web vs System vulnerabilities XSS peak. Decline in % web vulns since 2009: 49% in 2010 -> 37% in 2011. Big decline in SQL Injection vulnerabilities
5 Five lectures on Web security: Browser security model (the browser as an OS and execution platform; protocols, isolation, communication). Web application security (application pitfalls and defenses). Session management and user authentication (how users authenticate to web sites; browser-server mechanisms for managing state). Content security policies (additional mechanisms for sandboxing and security). HTTPS: goals and pitfalls (after Crypto lecture; network issues and browser protocol handling). This 2.5-week section could fill an entire course
6 Web programming poll Familiar with basic html? Developed a web application using: Apache? PHP? Ruby? Python? SQL? JavaScript? CSS? JSON? Know about: postMessage? NaCl? Webworkers? CSP? WebView? Resource:
7 Goals of web security Safely browse the web: visit a variety of web sites without incurring harm. Confidentiality: no stolen information. Integrity: Site A cannot compromise session at Site B. Support secure web apps: apps provided over the web can have same security properties as stand-alone applications. Support secure mobile apps: web protocols and content standards are used as back end of many mobile apps
8 Web security threat model (diagram: System, Alice, Web Attacker) Web attacker sets up malicious site visited by victim; no control of network
9 Network security threat model (diagram: Network Attacker, System, Alice) Network attacker intercepts and controls network communication
10 (diagrams: Alice, System, Web Attacker; Alice, System, Network Attacker)
11 Web Threat Models Web attacker: Controls attacker.com; Can obtain SSL/TLS certificate for attacker.com; User visits attacker.com (or: runs attacker's Facebook app, etc.). Network attacker: Passive: Wireless eavesdropper; Active: Evil router, DNS poisoning. Malware attacker: Attacker escapes browser isolation mechanisms and runs separately under control of OS
12 Malware attacker Browsers may contain exploitable bugs; often enable remote code execution by web sites. Google study: [the ghost in the browser 2007] Found Trojans on 300,000 web pages (URLs); Found adware on 18,000 web pages (URLs). Even if browsers were bug-free, still lots of vulnerabilities associated with the web. NOT OUR FOCUS IN THIS PART OF COURSE. All vulnerabilities on previous slide: XSS, SQLi, CSRF, ...
13 Outline Http; Rendering content; Isolation; Communication; Navigation; Security User Interface; Cookies; Frames and frame busting
14 HTTP
15 URLs Global identifiers of network-retrievable documents. Example: (URL annotated with Protocol, Hostname, Port, Path, Query, Fragment). Special characters are encoded as hex: %0A = newline; %20 or + = space; %2B = + (special exception)
16 HTTP Request (Method, File, HTTP version, Headers, Blank line, Data): GET /index.html HTTP/1.1 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en Connection: Keep-Alive User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Host: Referer: (blank line) Data: none for GET. GET: no side effect. POST: possible side effect
17 HTTP Response (HTTP version, Status code, Reason phrase, Headers, Data): HTTP/ OK Date: Sun, 21 Apr :20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Content-Type: text/html Last-Modified: Thu, 18 Apr :39:05 GMT Set-Cookie: Content-Length: 2543 Data: <HTML> Some data... whatever...</html> Cookies
18 RENDERING CONTENT
19 Rendering and events Basic browser execution model: Each browser window or frame loads content; renders it (processes HTML and scripts to display page; may involve images, subframes, etc.); responds to events. Events can be: User actions: OnClick, OnMouseover; Rendering: OnLoad, OnBeforeUnload; Timing: setTimeout(), clearTimeout()
20 Example <!DOCTYPE html> <html> <body> <h1>My First Web Page</h1> <p>My first paragraph.</p> <button onclick="document.write(5 + 6)">Try it</button> </body> </html> Source:
21 Example
22 Document Object Model (DOM) Object-oriented interface used to read and write docs: web page in HTML is structured data; DOM provides representation of this data structure. Examples: Properties: document.alinkColor, document.URL, document.forms[], document.links[], document.anchors[]; Methods: document.write(document.referrer). Includes Browser Object Model (BOM): window, document, frames[], history, location, navigator (type and version of browser)
23 Changing HTML using Script, DOM Some possibilities: createElement(elementName), createTextNode(text), appendChild(newChild), removeChild(node). HTML Example: Add a new list item: <ul id="t1"> <li> Item 1 </li> </ul> var list = document.getElementById('t1') var newitem = document.createElement('li') var newtext = document.createTextNode(text) list.appendChild(newitem) newitem.appendChild(newtext)
24 Example <!DOCTYPE html> <html> <body> <h1>My First Web Page</h1> <p>My First Paragraph</p> <p id="demo"></p> <script> document.getElementById("demo").innerHTML = 5 + 6; </script> </body> </html> Source:
25 Basic web functionality HTML Image Tags <html> <p> </p> <img src= height="50" width="100"> </html> Displays this nice picture -> Security issues?
26 Security consequences Image tag security issues: Communicate with other sites <img src= >; Hide resulting image <img src= height="1" width="1">; Spoof other sites: add logos that fool a user. Important Point: A web page can send information to any site. Q: what threat model are we talking about here?
27 Basic web functionality JavaScript onError Basic function: Triggered when error occurs loading a document or an image. Example: <img src="image.gif" onerror="alert('The image could not be loaded.')"> Runs onerror handler if image does not exist and cannot load
28 Basic web functionality JavaScript timing Sample code: <html><body><img id="test" style="display: none"> <script> var test = document.getElementById('test'); var start = new Date(); test.onerror = function() { var end = new Date(); alert("Total time: " + (end - start)); } test.src = " </script> </body></html> When response header indicates that page is not an image, the browser stops and notifies JavaScript via the onerror handler.
29 Security consequence Port scanning behind firewall JavaScript can: Request images from internal IP addresses (Example: <img src= :8080 />); Use timeout/onerror to determine success/failure; Fingerprint webapps using known image names. (diagram: Server, Malicious Web page, Browser, Firewall: 1) show me dancing pigs! 2) check this out 3) port scan results; scan)
30 Remote scripting Goal: communicate between client-side app running in browser and server-side app, without reloading. Methods: Java Applet/ActiveX control/Flash: can make HTTP requests and interact with client-side JavaScript code, but some aspects may be browser specific. XML-RPC: open, standards-based technology that requires XML-RPC libraries on server and in your client-side code. Simple HTTP via a hidden IFRAME: IFRAME with a script on your web server is by far the easiest of the three remote scripting options. Important Point: A page can maintain bi-directional communication with browser (until user closes/quits). See:
31 Simple remote scripting example client.html: RPC by passing arguments to server.html in query string <script type="text/javascript"> function handleResponse() { alert('this function is called from server.html') } </script> <iframe id="RSIFrame" name="RSIFrame" style="width:0px; height:0px; border: 0px" src="blank.html"> </iframe> <a href="server.html" target="RSIFrame">make RPC call</a> server.html: another page on same server, could be server.php, etc. <script type="text/javascript"> window.parent.handleResponse() </script> RPC can be done silently in JavaScript, passing and receiving arguments
32 ISOLATION
33 Frame and iframe Window may contain frames from different sources. Frame: rigid division as part of frameset. iframe: floating inline frame. iframe example: <iframe src="hello.html" width=450 height=100> If you can see this, your browser doesn't understand IFRAME. </iframe> Why use frames? Delegate screen area to content from another source; Browser provides isolation based on frames; Parent may work even if frame is broken
34 Windows and frames interact
35 Analogy Operating system: Primitives: System calls, Processes, Disk; Principals: Users; Discretionary access control; Vulnerabilities: Buffer overflow, Root exploit. Web browser: Primitives: Document object model, Frames, Cookies / localStorage; Principals: Origins; Mandatory access control; Vulnerabilities: Cross-site scripting, Cross-site request forgery, Cache history attacks
36 Policy Goals Safe to visit an evil web site. Safe to visit two pages at the same time (Address bar distinguishes them). Allow safe delegation
37 Browser security mechanism (diagram: two pages composed of frames from origins A and B) Each frame of a page has an origin. Origin = protocol://host:port. Frame can access its own origin: Network access, Read/write DOM, Storage (cookies). Frame cannot access data associated with a different origin
38 Components of browser security policy Frame-Frame relationships: canScript(A,B): Can Frame A execute a script that manipulates arbitrary/nontrivial DOM elements of Frame B? canNavigate(A,B): Can Frame A change the origin of content for Frame B? Frame-principal relationships: readCookie(A,S), writeCookie(A,S): Can Frame A read/write cookies from site S? See
39 Library import excluded from SOP <script src= =a.com></script> (VeriSign seal example) Script has privileges of imported page, NOT source server. Can script other pages in this origin, load more scripts. Other forms of importing
40 Domain Relaxation (diagram: chat.facebook.com, facebook.com, chat.facebook.com) Origin: scheme, host, (port), hasSetDomain. Try document.domain = document.domain
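The origin comparison of slides 37 to 40, written out as code. This is an added example, not code from the CS155 slides: it models an origin as the (scheme, host, port) tuple and document.domain relaxation as a hasSetDomain flag, so that the canScript(A,B) question from slide 38 can be asked of two constructed frame records. The frame records, the makeFrame/setDocumentDomain helpers and all hostnames are assumptions made for the illustration.

```javascript
// Added example, not from the CS155 slides: a model of the same-origin check
// on slides 37-40. An origin is the (scheme, host, port) tuple; document.domain
// relaxation is modelled with a hasSetDomain flag. Frame records and URLs are
// constructed for illustration.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Split a URL into the origin tuple the browser compares. The default port is
// filled in so that https://a.com and https://a.com:443 compare equal.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Is `domain` equal to `host` or a parent domain of it (facebook.com is a
// parent of chat.facebook.com)? No public-suffix list here; a real browser
// additionally refuses suffixes such as "com".
function isParentDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Hypothetical frame record: the URL's origin plus the document.domain state
// (effectiveDomain stays null until the page assigns document.domain).
function makeFrame(url) {
  return { origin: originOf(url), effectiveDomain: null, hasSetDomain: false };
}

// Model of `document.domain = value`: only the page's own host or one of its
// parent domains may be chosen, and any assignment at all sets hasSetDomain,
// which is why slide 40 suggests `document.domain = document.domain`.
function setDocumentDomain(frame, value) {
  if (!isParentDomain(frame.origin.host, value)) {
    throw new Error(`cannot set document.domain to ${value}`);
  }
  frame.effectiveDomain = value;
  frame.hasSetDomain = true;
  return frame;
}

// canScript(A, B): may frame A read and write frame B's DOM?
function canScript(a, b) {
  if (a.origin.scheme !== b.origin.scheme) return false;
  // Neither page relaxed its domain: plain origin comparison.
  if (!a.hasSetDomain && !b.hasSetDomain) return sameOrigin(a.origin, b.origin);
  // Only one side relaxed: no access, even when the URLs' origins are identical.
  if (a.hasSetDomain !== b.hasSetDomain) return false;
  // Both relaxed: the effective domains must agree; the port is set aside once
  // document.domain has been assigned (the "(port)" on slide 40).
  return a.effectiveDomain === b.effectiveDomain;
}
```

The last two rules are the ones that surprise people: a frame at facebook.com that never touched document.domain cannot be scripted by chat.facebook.com even after the latter relaxes to facebook.com, and two frames with byte-identical URLs lose access to each other if only one of them assigns document.domain.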
41 Additional mechanisms (diagram: Site A, Site B) Cross-origin network requests: Site A context: Access-Control-Allow-Origin: <list of domains>; Site B context: Access-Control-Allow-Origin: *. Cross-origin client side communication: Client-side messaging via navigation (old browsers); postMessage (modern browsers)
42 COMMUNICATION
43 window.postMessage API for inter-frame communication. Supported in standard browsers. A network-like channel between frames. (diagram: Add a contact; Share contacts)
44 postMessage syntax frames[0].postMessage("Attack at dawn!", " window.addEventListener("message", function (e) { if (e.origin == " {... e.data... } }, false); (diagram: Attack at dawn!) Facebook Anecdote
45 Why include targetOrigin? What goes wrong? frames[0].postMessage("Attack at dawn!"); Messages sent to frames, not principals. When would this happen?
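Both halves of the postMessage contract from slides 44 and 45, the sender's targetOrigin and the receiver's e.origin check, as an added example that is not part of the CS155 slides. Node has no window or frames, so `deliver` stands in for the browser's dispatch rule (deliver only if the frame's current origin matches targetOrigin, or targetOrigin is "*"); the frame records, listener helper, origins and message strings are constructed for the illustration.

```javascript
// Added example, not from the CS155 slides: a model of the two postMessage
// checks on slides 44-45. `deliver` plays the browser; frames, origins and
// messages are constructed for illustration.

// Hypothetical frame record: where it is currently loaded plus its
// registered "message" listeners.
function makeFrame(origin) {
  return { origin, listeners: [] };
}

// Browser side of frames[0].postMessage(data, targetOrigin): the message is
// handed to the frame's listeners only if the frame's *current* origin
// matches targetOrigin. "*" disables the check entirely.
function deliver(targetFrame, data, targetOrigin, senderOrigin) {
  if (targetOrigin !== "*" && targetOrigin !== targetFrame.origin) {
    return false; // dropped by the browser, nothing reaches the frame
  }
  for (const listener of targetFrame.listeners) {
    listener({ origin: senderOrigin, data });
  }
  return true;
}

// Receiver side: the listener from slide 44, generalised to an allow-list.
// e.origin is compared as a whole string; a prefix or indexOf test would
// also accept an origin such as https://app.example.attacker.example.
function addMessageListener(frame, allowedOrigins, onData) {
  const allowed = new Set(allowedOrigins);
  frame.listeners.push(function (e) {
    if (!allowed.has(e.origin)) return; // ignore messages from anyone else
    onData(e.data);
  });
}

// Slide 45's failure: the parent at app.example posts a secret to frames[0],
// but that frame has meanwhile been navigated to attacker.example. Returns
// what the attacker's page got to see for a given targetOrigin argument.
function leakScenario(targetOrigin) {
  const frame = makeFrame("https://attacker.example");
  const received = [];
  addMessageListener(frame, ["https://app.example"], (d) => received.push(d));
  deliver(frame, "Attack at dawn!", targetOrigin, "https://app.example");
  return received;
}

// Receiver check: a widget frame that only trusts app.example sees the same
// message arrive from two different senders. Returns what it accepted.
function receiverScenario() {
  const frame = makeFrame("https://widget.example");
  const accepted = [];
  addMessageListener(frame, ["https://app.example"], (d) => accepted.push(d));
  deliver(frame, "share contacts", "https://widget.example", "https://app.example");
  deliver(frame, "share contacts", "https://widget.example", "https://attacker.example");
  return accepted;
}
```

Running `leakScenario("*")` hands the secret to the attacker's page, while `leakScenario("https://widget.example")` (the origin the parent meant to talk to) delivers nothing: the targetOrigin argument is what turns "a message to this frame" into "a message to this principal", which is the point of slide 45.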
46 NAVIGATION
47 A Guninski Attack awglogin window.open(" "awglogin");
48 What should the policy be? Child; Sibling; Frame Bust; Descendant
49 Legacy Browser Behavior (Browser: Policy) IE 6 (default): Permissive; IE 6 (option): Child; IE7 (no Flash): Descendant; IE7 (with Flash): Permissive; Firefox 2: Window; Safari 3: Permissive; Opera 9: Window; HTML 5: Child
50 Window Policy Anomaly top.frames[1].location = " top.frames[2].location = "
51 Legacy Browser Behavior (Browser: Policy) IE 6 (default): Permissive; IE 6 (option): Child; IE7 (no Flash): Descendant; IE7 (with Flash): Permissive; Firefox 2: Window; Safari 3: Permissive; Opera 9: Window; HTML 5: Child
52 Adoption of Descendant Policy (Browser: Policy) IE7 (no Flash): Descendant; IE7 (with Flash): Descendant; Firefox 3: Descendant; Safari 3: Descendant; Opera 9: (many policies); HTML 5: Descendant
53 When is it safe to type my password? SECURITY USER INTERFACE
54 Safe to type your password?
55 Safe to type your password?
56 Safe to type your password?
57 Safe to type your password???????
58 Safe to type your password?
59 Mixed Content: HTTP and HTTPS Problem: Page loads over HTTPS, but has HTTP content; Network attacker can control page. IE: displays mixed-content dialog to user; Flash files over HTTP loaded with no warning (!) Note: Flash can script the embedding page. Firefox: red slash over lock icon (no dialog); Flash files over HTTP do not trigger the slash. Safari: does not detect mixed content. Dan will talk about this later.
60 Mixed Content: HTTP and HTTPS silly dialogs
61 Mixed content and network attacks Old sites: after login all content over HTTPS. Developer error: somewhere on bank site write <script src= </script>. Active network attacker can now hijack any session. Better way to include content: <script src=// </script> served over the same protocol as embedding page
62 Lock Icon 2.0 Extended validation (EV) certs. Prominent security indicator for EV certificates. Note: EV site loading content from non-EV site does not trigger mixed content warning
63 Finally: the status Bar Trivially spoofable <a href= onclick= this.href = ; > PayPal</a>
64 COOKIES: CLIENT STATE
65 Cookies Used to store state on user's machine. (Browser -> Server: POST. Server -> Browser: HTTP Header: Set-cookie: NAME=VALUE; domain = (who can read); expires = (when expires); secure = (only over SSL). If expires=NULL: this session only. Browser -> Server: POST Cookie: NAME = VALUE.) HTTP is stateless protocol; cookies add state
66 Cookie authentication (Browser, Web Server, Auth server) POST login.cgi Username & pwd -> Validate user; Set-cookie: auth=val; Store val. GET restricted.html Cookie: auth=val -> Check val -> YES/NO; If YES, restricted.html
67 Cookie Security Policy Uses: User authentication; Personalization; User tracking: e.g. Doubleclick (3rd party cookies). Origin is the tuple <domain, path>. Can set cookies valid across a domain suffix
68 Secure Cookies (Browser GET; Server: HTTP Header: Set-cookie: NAME=VALUE; Secure=true) Provides confidentiality against network attacker: Browser will only send cookie back over HTTPS. But no integrity: Can rewrite secure cookies over HTTP => network attacker can rewrite secure cookies => can log user into attacker's account
69 httpOnly Cookies (Browser GET; Server: HTTP Header: Set-cookie: NAME=VALUE; httpOnly) Cookie set over HTTP(s), but not accessible to scripts: cannot be read via document.cookie. Helps prevent cookie theft via XSS, but does not stop most other risks of XSS bugs
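The cookie rules of slides 65 to 69 made concrete: an added example, not code from the CS155 slides, that parses a Set-Cookie header into the fields the slides name (domain, path, expires, Secure, HttpOnly) and then answers the three questions the slides raise: will the browser attach the cookie to a given request, can page script read it, and can a cookie delivered over plain HTTP replace a Secure one. The header strings, hostnames and the CookieJar class are constructed for the illustration; the jar's overwrite rule models the legacy behaviour slide 68 warns about, which current browsers no longer allow.

```javascript
// Added example, not from the CS155 slides: Set-Cookie parsing and the
// decisions on slides 65-69. Headers, hosts and the CookieJar are constructed
// for illustration.

// Parse one Set-Cookie header value received from `responseHost`.
function parseSetCookie(header, responseHost) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    domain: responseHost.toLowerCase(), // no Domain attribute: host-only cookie
    hostOnly: true,
    path: "/",
    expires: null,                      // null: session cookie (slide 65, expires=NULL)
    secure: false,                      // slide 68
    httpOnly: false,                    // slide 69
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "domain") {             // slide 67: valid across a domain suffix
      cookie.domain = val.replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    } else if (key === "path") cookie.path = val || "/";
    else if (key === "expires") cookie.expires = new Date(val);
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// RFC 6265 path-match: equal, or a prefix ending at a "/" boundary.
function pathMatches(path, cookiePath) {
  if (path === cookiePath) return true;
  if (!path.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || path[cookiePath.length] === "/";
}

// Would the browser attach this cookie to a request for `url` at time `now`?
function wouldSend(cookie, url, now = new Date()) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false; // Secure: HTTPS only
  if (cookie.expires && cookie.expires <= now) return false;
  return domainMatches(u.hostname, cookie) && pathMatches(u.pathname, cookie.path);
}

// Can document.cookie see it? (slide 69)
function visibleToScript(cookie) {
  return !cookie.httpOnly;
}

// Cookie jar keyed by (name, domain, path). `store` follows the legacy rule
// slide 68 describes: a Set-Cookie arriving over plain HTTP replaces an
// existing Secure cookie with the same key, so Secure gives confidentiality
// but not integrity. Current browsers refuse such an overwrite from a
// non-secure origin.
class CookieJar {
  constructor() { this.cookies = new Map(); }
  store(cookie) {
    this.cookies.set(`${cookie.name}|${cookie.domain}|${cookie.path}`, cookie);
  }
  // The Cookie: request header the browser would build for `url`.
  cookieHeader(url) {
    return [...this.cookies.values()]
      .filter((c) => wouldSend(c, url))
      .map((c) => `${c.name}=${c.value}`)
      .join("; ");
  }
}
```

The jar is where slide 68's point shows up: after the bank sets `auth=val; Secure; Domain=bank.example` and a plain-HTTP response for the same domain sets `auth=attacker`, the next HTTPS request to the bank carries the attacker's value, even though the original cookie was never sent in the clear.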
70 FRAMES AND FRAME BUSTING
71 Frames Embed HTML documents in other documents <iframe name="myframe" src= > This text is ignored by most browsers. </iframe>
72 Frame Busting Goal: prevent web page from loading in a frame. Example: opening login page in a frame will display correct passmark image. Frame busting: if (top != self) top.location.href = location.href
73 Better Frame Busting Problem: Javascript OnUnload event <body onUnload="javascript: cause_an_abort;)"> Try this instead: if (top != self) top.location.href = location.href else { code of page here }
74 Even better (after ~2010) Set X-Frame-Options HTTP response header. Tell browser not to render a page in a <frame> or <iframe>, ensuring that content is not embedded into other sites. Use options "DENY", "SAMEORIGIN", or "ALLOW-FROM uri". Browser support (DENY/SAMEORIGIN support introduced; ALLOW-FROM support introduced): Chrome: supports CSP frame-ancestors instead; Firefox (Gecko): ( ), 18.0; Internet Explorer: ; Opera: ; Safari: 4.0, won't support, supports CSP frame-ancestors instead
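How a browser that honours X-Frame-Options turns the header on slide 74 into a render-or-block decision, as an added example that is not code from the CS155 slides. Origins are plain strings such as "https://bank.example"; SAMEORIGIN is compared against the top-level document's origin (one of the interpretations browsers have used); and the `supportsAllowFrom` option models the table on slide 74, where Chrome and Safari never implemented ALLOW-FROM. The header values and origins in the tests are constructed.

```javascript
// Added example, not from the CS155 slides: the X-Frame-Options decision for
// the three values on slide 74. Origins are strings; the support flag and all
// header values are constructed inputs.

// Decide whether a response carrying `headerValue` may be rendered when the
// framed page is at `pageOrigin` and the top-level document at `topOrigin`.
// Returns "render" or "block".
function framingDecision(headerValue, pageOrigin, topOrigin, { supportsAllowFrom = true } = {}) {
  if (headerValue == null || headerValue.trim() === "") {
    return "render";                  // no header: no framing restriction
  }
  const value = headerValue.trim();
  const upper = value.toUpperCase();   // header values are case-insensitive

  if (upper === "DENY") return "block";

  if (upper === "SAMEORIGIN") {
    // Modelled as "top-level origin equals the page's origin".
    return topOrigin === pageOrigin ? "render" : "block";
  }

  if (upper.startsWith("ALLOW-FROM")) {
    // Browsers without ALLOW-FROM treat the value as unrecognised and ignore
    // the header, so the page is framed by anyone (slide 74 points to CSP
    // frame-ancestors for those browsers).
    if (!supportsAllowFrom) return "render";
    const uri = value.slice("ALLOW-FROM".length).trim();
    let allowedOrigin;
    try {
      allowedOrigin = new URL(uri).origin;
    } catch (e) {
      return "block";                 // malformed uri: fail closed in this model
    }
    return allowedOrigin === topOrigin ? "render" : "block";
  }

  return "render";                    // unrecognised value: header ignored
}

// The slide-72 condition the JavaScript frame-buster tests before navigating
// top to itself, expressed on origins rather than window objects.
function needsBusting(pageOrigin, topOrigin) {
  return topOrigin !== pageOrigin;
}
```

The ALLOW-FROM branch with `supportsAllowFrom: false` is the practical lesson of the table on slide 74: a header the browser does not understand protects nothing, so a site relying on ALLOW-FROM alone was still frameable in Chrome and Safari.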
75 Summary Http; Rendering content; Isolation; Communication; Navigation; Security User Interface; Cookies; Frames and frame busting
More informationChapter 11. Friends, Overloaded Operators, and Arrays in Classes. Copyright 2014 Pearson Addison-Wesley. All rights reserved.
Chapter 11 Frieds, Overloaded Operators, ad Arrays i Classes Copyright 2014 Pearso Addiso-Wesley. All rights reserved. Overview 11.1 Fried Fuctios 11.2 Overloadig Operators 11.3 Arrays ad Classes 11.4
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationChapter 9. Pointers and Dynamic Arrays. Copyright 2015 Pearson Education, Ltd.. All rights reserved.
Chapter 9 Poiters ad Dyamic Arrays Copyright 2015 Pearso Educatio, Ltd.. All rights reserved. Overview 9.1 Poiters 9.2 Dyamic Arrays Copyright 2015 Pearso Educatio, Ltd.. All rights reserved. Slide 9-3
More informationBEA WebLogic Enterprise. Using the WebLogic EJB Deployer
BEA WebLogic Eterprise Usig the WebLogic EJB Deployer WebLogic Eterprise 5.0 Documet Editio 5.0 December 1999 Copyright Copyright 1999 BEA Systems, Ic. All Rights Reserved. Restricted Rights Leged This
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More informations642 web security computer security adam everspaugh
adam everspaugh ace@cs.wisc.edu s642 computer security web security today Authentication cookies + session hijacking Browser security model, frame policies Cross-site request forgery Announcement: No class
More informationCIS 5373 Systems Security
CIS 5373 Systems Security Topic 5.1: Web Security Basics Endadul Hoque Slide Acknowledgment Contents are based on slides from Cristina Nita-Rotaru (Northeastern) Wil Robertson (Northeastern) John Mitchell
More informationNetwork Time Protocol (NTP)
Network Time Protocol (NTP) Quick ad Dirty for AfNOG 2018 (Michuki Mwagi) Origial slides by Ayitey Bulley About NTP Network Time Protocol project http://tp.org NTP is a protocol desiged to sychroize the
More informationK-NET bus. When several turrets are connected to the K-Bus, the structure of the system is as showns
K-NET bus The K-Net bus is based o the SPI bus but it allows to addressig may differet turrets like the I 2 C bus. The K-Net is 6 a wires bus (4 for SPI wires ad 2 additioal wires for request ad ackowledge
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ slide 1 Browser and Network Browser OS Hardware request reply website Network slide 2 Web
More informationAppendix D. Controller Implementation
COMPUTER ORGANIZATION AND DESIGN The Hardware/Software Iterface 5 th Editio Appedix D Cotroller Implemetatio Cotroller Implemetatios Combiatioal logic (sigle-cycle); Fiite state machie (multi-cycle, pipelied);
More informationBEA WebLogic Commerce Server. Registration and User Processing Package
BEA WebLogic Commerce Server Registratio ad User Processig Package BEA WebLogic Commerce Server 3.2 Documet Editio 3.2 December 2000 Copyright Copyright 2000 BEA Systems, Ic. All Rights Reserved. Restricted
More informationBE Software Upgrades to ITALYCS 5. It s in the. Software
BE Software Upgrades to ITALYCS 5 It s i the Software UPGRADES WE OFFER Brampto Egieerig is offerig customers with ITALYCS 2 ad ITALYCS 4 systems the opportuity to upgrade their existig systems to the
More informationParabolic Path to a Best Best-Fit Line:
Studet Activity : Fidig the Least Squares Regressio Lie By Explorig the Relatioship betwee Slope ad Residuals Objective: How does oe determie a best best-fit lie for a set of data? Eyeballig it may be
More informationAdapter for Mainframe
BEA WebLogic Java Adapter for Maiframe Workflow Processig Guide Release 5.0 Documet Date: Jauary 2002 Copyright Copyright 2002 BEA Systems, Ic. All Rights Reserved. Restricted Rights Leged This software
More informationBaan Finance Financial Statements
Baa Fiace Fiacial Statemets Module Procedure UP041A US Documetiformatio Documet Documet code : UP041A US Documet group : User Documetatio Documet title : Fiacial Statemets Applicatio/Package : Baa Fiace
More informationBEA Tuxedo. Using the BEA Tuxedo Workstation Component
BEA Tuxedo Usig the BEA Tuxedo Workstatio Compoet BEA Tuxedo Release 7.1 Documet Editio 7.1 May 2000 Copyright Copyright 2000 BEA Systems, Ic. All Rights Reserved. Restricted Rights Leged This software
More informationCode Review Defects. Authors: Mika V. Mäntylä and Casper Lassenius Original version: 4 Sep, 2007 Made available online: 24 April, 2013
Code Review s Authors: Mika V. Mätylä ad Casper Lasseius Origial versio: 4 Sep, 2007 Made available olie: 24 April, 2013 This documet cotais further details of the code review defects preseted i [1]. of
More informationChapter 4 Threads. Operating Systems: Internals and Design Principles. Ninth Edition By William Stallings
Operatig Systems: Iterals ad Desig Priciples Chapter 4 Threads Nith Editio By William Stalligs Processes ad Threads Resource Owership Process icludes a virtual address space to hold the process image The
More informationL I N U X. Unit 6 S Y S T E M DHCP & DNS (BIND) A D M I N I S T R A T I O n DPW
it 6 HCP & (B) oa Warre HCP ervice yamically assigs a P address to requestig machies P addresses are leased scope of addresses ca be assiged or excluded from assigmet HCP servers do ot talk to each other
More informationJoLetter 6.7. JoLauterbach Software GmbH. Mail and merge with QuarkXPress. JoLauterbach Software GmbH. Stolzingstraße 4a Bayreuth Germany
JoLetter 6.7 Mail ad merge with QuarkXPress JoLauterbach Software GmbH Stolzigstraße 4a 95445 Bayreuth Germay Telefo: +49-921-730 3363 Fax: +49-921-730 3394 E-Mail: ifo@jolauterbach.com Iteret: http://www.jolauterbach.com
More informationWeb Application Security
CS 155 Sprig 2017 Web Applicatio Security Joh Mitchell Lecture outlie Itroductio Commad ijectio Three mai vulerabilities ad defeses SQL ijectio (SQLi) Cross-site request forgery (CSRF) Cross-site scriptig
More informationOne advantage that SONAR has over any other music-sequencing product I ve worked
*gajedra* D:/Thomso_Learig_Projects/Garrigus_163132/z_productio/z_3B2_3D_files/Garrigus_163132_ch17.3d, 14/11/08/16:26:39, 16:26, page: 647 17 CAL 101 Oe advatage that SONAR has over ay other music-sequecig
More informationWYSE Academic Challenge Sectional Computer Science 2005 SOLUTION SET
WYSE Academic Challege Sectioal Computer Sciece 2005 SOLUTION SET 1. Correct aswer: a. Hz = cycle / secod. CPI = 2, therefore, CPI*I = 2 * 28 X 10 8 istructios = 56 X 10 8 cycles. The clock rate is 56
More informationCSI 3140 WWW Structures, Techniques and Standards. Cascading Style Sheets (CSS)
CSI 3140 WWW Structures, Techiques ad Stadards Cascadig Style Sheets (CSS) Motivatio whtml markup ca be used to represet Sematics: h1 meas that a elemet is a top-level headig Presetatio: h1 elemets look
More informationLifeBook P Series Notebook BIOS BIOS SETUP UTILITY
BIOS SECTION P1510 LifeBook P7000 Notebook BIOS LifeBook P Series Notebook BIOS BIOS SETUP UTILITY The BIOS Setup Utility is a program that sets up the operatig eviromet for your otebook. Your BIOS is
More informationSession Initiated Protocol (SIP) and Message-based Load Balancing (MBLB)
F5 White Paper Sessio Iitiated Protocol (SIP) ad Message-based Load Balacig (MBLB) The ability to provide ew ad creative methods of commuicatios has esured a SIP presece i almost every orgaizatio. The
More informationCopyright 2013 Trend Micro Incorporated. All rights reserved.
Tred Micro reserves the right to make chages to this documet ad to the products described herei without otice. Before istallig or usig the software, please review the readme files, release otes, ad the
More informationWeb Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin
Web Attacks, con t CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 22, 2011 Announcements See Still confused
More informationDefinitions. Error. A wrong decision made during software development
Debuggig Defiitios Error A wrog decisio made durig software developmet Defiitios 2 Error A wrog decisio made durig software developmet Defect bug sometimes meas this The term Fault is also used Property
More information