National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)
Author: 鍾凱任
Author (English): Chung, Kai-Jen
Title (Chinese): 基於信任網域驗證之憑證檔案變更保護機制
Title (English): Protecting Cookies from Unauthorized Modification by Trusted Domain Verification
Advisor: 謝續平
Advisor (English): Shieh, Shiuh-Pyng
Degree: Master
Institution: National Chiao Tung University (國立交通大學)
Department: Institute of Computer Science and Engineering (資訊科學與工程研究所)
Discipline: Engineering
Subfield: Electrical and Computer Engineering
Thesis type: Academic thesis
Year of publication: 2012
Graduation academic year: 100 (ROC calendar)
Language: English
Pages: 37
Keywords (Chinese): 憑證檔案 (cookie); 會話固定攻擊 (session fixation); 憑證檔案逐出攻擊 (cookie eviction)
Keywords (English): Cookie; Session fixation; Cookie eviction
Metrics:
  • Cited: 0
  • Views: 228
  • Rating: (none)
  • Downloads: 10
  • Bookmarked: 0
Abstract (Chinese, translated): HTTP cookies are now the authentication and session management mechanism adopted by many websites. Under the current standard, this mechanism does not provide complete integrity protection, so cookies are exposed to two attacks: session fixation and cookie eviction. Both attacks arise because a network attacker can hide inside a subdomain of a trusted website, breaking the trust relationship between the subdomains and the main domain and thereby creating a security weakness.
This thesis proposes a scheme based on trusted domain verification that lets the browser verify requests to modify cookies and block unauthorized changes. The website administrator divides the domains of the site into two classes, trusted and untrusted, and stores this information under each domain; when the browser receives a request to change a cookie, it uses this information to verify whether the requesting domain is authorized. Unlike other related work, this thesis prevents session fixation and cookie eviction without breaking existing functionality. The performance overhead and effectiveness of the proposed approach are evaluated at the end of the thesis, and the results show that the mechanism does not impose an excessive performance burden.
Abstract (English): HTTP cookies are a well-known mechanism for storing session and authentication information. However, the current cookie standard does not provide robust integrity protection. Session fixation and cookie eviction are two well-known attacks that exploit this lack of integrity protection. Using cookie sharing, attackers at untrusted subdomains of a trusted web site can launch these attacks. This thesis proposes a trusted domain verification scheme that equips browsers with the ability to identify unauthorized modifications of authentication cookies. Because web administrators can divide the domains of a web site into trusted and untrusted domains, browsers can use this information to block unauthorized accesses. In contrast to conventional schemes, which can only detect attacks or restrict cookie sharing, trusted domain verification prevents both session fixation and cookie eviction attacks without breaking the functionality of cookie sharing. The effectiveness and overhead of the proposed scheme are also evaluated.
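The mechanism the abstract describes, as an added example that is not the thesis's implementation: a simulated browser cookie jar that consults a per-site trusted domain list before it creates, overwrites or evicts a cookie. The list format, the limit of four cookies per site, and the hostnames example.com, www.example.com, login.example.com and evil.example.com are constructed assumptions; the thesis's actual protocol, storage and verification steps are not on this page. run_scenario(False) replays the requests under plain RFC 6265 behaviour, run_scenario(True) with verification switched on, so the two result dictionaries show what the check changes.

```python
"""Simulated browser cookie jar with trusted domain verification.

Added illustration, not the thesis's code: the trusted-domain list format,
the per-site cookie limit and every hostname below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# Assumed publication format: registrable domain -> hosts the site administrator
# marks as trusted to create, modify or evict cookies scoped to that domain.
TRUSTED = {"example.com": {"example.com", "www.example.com", "login.example.com"}}

MAX_COOKIES_PER_SITE = 4  # deliberately tiny so eviction shows up in the demo


@dataclass
class Cookie:
    name: str
    value: str
    domain: str      # scope: the Domain attribute, or the request host if host-only
    host_only: bool
    setter: str      # host whose response carried the Set-Cookie header


def registrable_domain(host: str) -> str:
    """Last two labels; a real browser would consult the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def is_trusted(host: str, domain: str) -> bool:
    return host.lower() in TRUSTED.get(registrable_domain(domain), set())


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Minimal Set-Cookie parser: name=value plus an optional Domain attribute."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain" and val:
            return Cookie(name, value, val.strip().lstrip(".").lower(), False, request_host)
    return Cookie(name, value, request_host.lower(), True, request_host)


class Jar:
    def __init__(self, verify: bool = True):
        self.verify = verify          # False = plain RFC 6265 behaviour for comparison
        self.cookies = []

    def find(self, name: str, domain: str) -> Optional[Cookie]:
        return next((c for c in self.cookies if c.name == name and c.domain == domain), None)

    def set_cookie(self, header: str, request_host: str) -> tuple[bool, str]:
        new = parse_set_cookie(header, request_host)
        host = request_host.lower()
        # RFC 6265 domain-match: a host may only scope cookies to itself or a parent domain.
        if not new.host_only and host != new.domain and not host.endswith("." + new.domain):
            return False, "Domain attribute does not cover the request host"
        trusted = is_trusted(host, new.domain)
        # Check 1: a shared (Domain=) cookie may only be created or changed by a trusted host.
        if self.verify and not new.host_only and not trusted:
            return False, f"{host} is not trusted for cookies scoped to {new.domain}"
        existing = self.find(new.name, new.domain)
        if existing is not None:
            # Check 2: a cookie written by a trusted host may not be overwritten by an untrusted one.
            if self.verify and not trusted and is_trusted(existing.setter, existing.domain):
                return False, "untrusted host may not overwrite a trusted cookie"
            self.cookies.remove(existing)
            self.cookies.append(new)
            return True, "replaced"
        site = registrable_domain(new.domain)
        site_cookies = [c for c in self.cookies if registrable_domain(c.domain) == site]
        if len(site_cookies) >= MAX_COOKIES_PER_SITE:
            # Check 3: an untrusted host may only evict cookies that untrusted hosts set.
            victims = site_cookies if (trusted or not self.verify) else [
                c for c in site_cookies if not is_trusted(c.setter, c.domain)]
            if not victims:
                return False, "jar full and no evictable cookie for an untrusted host"
            self.cookies.remove(victims[0])   # oldest eligible cookie goes first
        self.cookies.append(new)
        return True, "stored"


def run_scenario(verify: bool) -> dict:
    """Eviction and fixation attempts from an untrusted subdomain, then a legitimate rotation."""
    jar = Jar(verify)
    jar.set_cookie("SESSIONID=srv-7f3a; Domain=example.com", "login.example.com")
    for name in ("lang", "theme", "csrf"):            # jar now holds 4 trusted cookies
        jar.set_cookie(f"{name}=v; Domain=example.com", "www.example.com")
    eviction, _ = jar.set_cookie("junk=x", "evil.example.com")
    fixation, _ = jar.set_cookie("SESSIONID=attacker-chosen; Domain=example.com", "evil.example.com")
    session = jar.find("SESSIONID", "example.com")
    rotation, _ = jar.set_cookie("SESSIONID=srv-9c1d; Domain=example.com", "www.example.com")
    return {
        "eviction_accepted": eviction,
        "fixation_accepted": fixation,
        "session_survived": session is not None and session.value == "srv-7f3a",
        "legit_rotation_ok": rotation and jar.find("SESSIONID", "example.com").value == "srv-9c1d",
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("verify=%s:" % mode, run_scenario(mode))
```

Without verification the untrusted subdomain's host-only cookie pushes the oldest cookie (the session) out of the full jar, and its Domain=example.com cookie then plants an attacker-chosen session id; with verification both requests are refused while the trusted www.example.com can still rotate the shared session cookie, which is the "without breaking cookie sharing" property the abstract claims.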
Abstract (Chinese) I
Abstract II
Acknowledgements III
Table of Contents IV
List of Figures VI
List of Tables VII
Chapter 1 Introduction 1
1.1. Ways to Set Cookies 1
1.2. Cookie Sharing 1
1.3. Session Fixation 2
1.4. Cookie Eviction 3
1.5. Contribution 4
1.6. Synopsis 5
Chapter 2 Related Work 6
2.1. Server-Side Detection 6
2.2. Client-Side Prevention 8
Chapter 3 Threat Model 11
3.1. Role-based Access Control Model 11
3.2. Basic Model 12
3.3. Threat Model 13
Chapter 4 Proposed Scheme 16
4.1. Protocol of Trusted Domain Verification 16
4.2. Trusted Domain List 17
4.3. Trusted Domain Verification 20
4.4. Defense Discussion 21
Chapter 5 Implementation 22
5.1. Restriction 22
5.2. Backup Approach 23
5.3. Server-side implementation 24
5.4. Backward-Compatibility 25
Chapter 6 Evaluation 27
6.1. Page Generation Overhead 28
6.2. Number of Requests and Responses 30
6.3. Security Analysis 31
6.3.1. Trusted Domain List 32
6.3.2. Trusted Domain Verification 33
6.3.3. Defense Effectiveness 33
Chapter 7 Conclusion 35
Reference 36