Chapter 23: Analysis and Development of Green-Aware Security Mechanisms for Modern Internet Applications - PowerPoint PPT Presentation


1
Chapter 23: Analysis and Development of Green-Aware Security Mechanisms for Modern Internet Applications
HANDBOOK ON GREEN INFORMATION AND COMMUNICATION SYSTEMS
  • Luca Caviglione (1) and Alessio Merlo (2, 3)
  • (1) ISSIA-CNR, Italy
  • (2) E-campus University, Novedrate, Italy
  • (3) DIST, University of Genoa, Italy

2
Energy consumption of SN and devices
  • Social Networks (SNs) are one of the major phenomena of Web 2.0,
    turning the Internet more and more into an Internet of People.
  • Users can ubiquitously access SNs from different devices
    (laptops, handheld devices, set-top box devices, ...).
  • Access to SNs is made through non-standardized solutions.
  • Web 2.0 and SNs also contribute to the increased energy
    consumption of the Internet, which is now responsible for a
    relevant portion of CO2 emissions.

3
Security issues in SN
  • Security in SNs is a complex and cross-layer issue (from the
    network layer to the application layer), due to:
  • the huge amount of personal data to protect
  • the ubiquity of SNs.
  • Security in SNs is currently obtained by combining heterogeneous
    (and often overlapping) specific security solutions.
  • SN security is also not standardized and hard to evaluate:
  • security solutions waste resources because they overlap.
  • Security in SNs is nowadays also an energy consumption issue.

4
Green Security and SNs
  • Thus, SNs combine an energy-consumption problem and a security
    problem.
  • By intersecting these two issues with the architectural problems
    related to Web 2.0, a new kind of problem space arises.
  • Green-Aware Security is a new research field aimed at tackling
    this intersection.

5
Five Main Contributions
  • Introducing security issues of Web 2.0 (in the sense of SNs) at
    the network layer
  • Pointing out vulnerabilities and security flaws at the
    application layer of SN applications
  • Showing by example how focused attacks can
    exploit vulnerabilities in SNs
  • Formalizing the concept of energy-awareness for
    security mechanisms
  • Providing an early model of energy-consumption in
    terms of security.

6
Mobile and social
  • The spread of SNs is spurred by full mobility support, allowing
    the user to access SNs through mobile devices, desktop PCs,
    set-top boxes and so on.
  • In addition, access from mobile devices is constrained by
    battery duration, which constitutes a new attack surface.
  • Moreover, access to SN is granted by
    heterogeneous and often incompatible clients,
    thus resulting in a very balkanized scenario.
  • Assessing security and possible threats is harder
    than in other Web apps.

7
SNs in a nutshell
  • SNs are very popular since:
  • they allow users to share user-generated content in a quick and
    simple way, also by providing the needed hosting and authoring
    tools
  • they offer different features to support user-to-user
    communications (i.e. Instant Messaging)
  • they enable the creation of new software services through a set
    of APIs.

8
SNs in a nutshell /2
  1. current SNs are open (i.e., a user in a SN can
    interact with similar platforms operated by
    different providers)
  2. they are highly interactive and they support
    real-time features
  3. as a consequence of solid mobility support, many SNs also
    offer localization services, making them suitable to be used
    jointly with geo-tagged information.

9
Main Security Hazards of SNs
  • The previous features also introduce new security hazards:
  • simple distribution of personal information, leading to possible
    attacks à la social engineering
  • due to complex or incoherent privacy and security settings,
    users can reveal their geographical location, which results in
    breaches of physical security as well

10
Security Hazards in SNs /2
  • the joint utilization of different/specialized services can lead
    to a new type of attack based upon multiple profile fusion.
    Also, such an amount of information can ease automatic and
    massive user profiling, thus reducing privacy
  • accessing SNs from mobile devices, mostly performed via IEEE
    802.11, accounts for additional risks in terms of attacks due to
    the joint utilization of weak security standards and unencrypted
    application layer protocols

11
Security Hazards in SNs /3
  • since mobile devices are often battery operated, a new class of
    battery-draining attacks arises
  • the integration of third-party Web applications can lead to many
    possible hazards and creates new security breaches
  • to provide the proper degree of interactivity and sophisticated
    user interfaces, specific design patterns are adopted, but they
    increase the risk of attacks such as request forgeries

12
Security Hazards in SNs /4
  • the availability of SN applications from a variety of appliances
    (e.g., mobile gaming consoles) may foster new kinds of attacks
    based upon stack misbehaviors or protocol fingerprinting. For
    instance, many devices do not have a full-featured TCP/IP stack
    and could exhibit erratic or exploitable behaviors.
  • Thus, security issues in SNs are cross-layer (application,
    network, devices) and strongly depend on the heterogeneity of
    the actors and media they are related to.

13
Application Layer Security Issues
  • SNs are essentially Web applications. Thus they suffer from
    weaknesses related to the client/server paradigm and native Web
    technologies (i.e. HTTP, SQL, AJAX, JavaScript, PHP, JSP, ASP,
    ...).
  • According to OWASP, the most dangerous vulnerabilities for Web
    apps are Injection, XSS, Broken Authentication, Insecure Object
    Reference, XSRF, Security Misconfiguration, Insecure
    Cryptographic Storage, Failure to Restrict URL Access,
    Insufficient Transport Layer Protection, and Unvalidated
    Redirects and Forwards.

14
Network Layer Security Issues
  • At the network layer, SNs may suffer from different
    vulnerabilities that allow information to be gathered:
  • by exploiting the use of HTTP over IEEE 802.11 channels
  • by retrieving information from HTML pages and in-line objects
  • since SNs have a typical traffic pattern, it is possible to
    gather information from ciphered traffic as well
  • Devices used to connect to SNs may not have a complete TCP/IP
    stack, reducing security.

15
Exploiting SNs flaws
  • We investigated how a subset of OWASP vulnerabilities may be
    exploited on an SN.
  • To this aim, we built a toy model of a simple SN (denoted as
    AllTogether) to investigate the impact of:
  • Injection
  • XSS
  • Broken Authentication
  • XSRF

16
The AllTogether toy Scenario
  • AllTogether is a sample model where each logged-in user can:
  • navigate his profile
  • update his profile
  • add/remove friends
  • chat with friends
  • exchange messages with all users
  • specify visibility policies for portions of his/her profile with
    single-friend granularity.

17
Exploiting Injection in AllTogether
  • SQL Injection can be used to force the addition of a malicious
    user as a friend of a victim.
  • This is possible if no checks are made on the friend name, which
    may contain another SQL statement.
  • Correct query: INSERT INTO Friends VALUES ('John Doe', 'Jane Doe')
  • Injected query: INSERT INTO Friends VALUES ('John Doe', 'Jane
    Doe'); INSERT INTO Friends VALUES ('John Doe', 'Eve')
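
The two queries above, reproduced against an in-memory SQLite database next to a hardened version of the same operation. This is an added example, not code from the original slides: the `Users` table, the function names and the schema are assumptions.

```python
import sqlite3

def new_db():
    """In-memory stand-in for AllTogether (schema and Users table assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (name TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE Friends (user TEXT NOT NULL, friend TEXT NOT NULL)")
    db.executemany("INSERT INTO Users VALUES (?)",
                   [("John Doe",), ("Jane Doe",), ("Eve",)])
    db.commit()
    return db

def add_friend_vulnerable(db, user, friend):
    # Vulnerable on purpose: the friend name is pasted into the SQL text, and
    # executescript() accepts several statements, like a stacked-query backend.
    db.executescript(f"INSERT INTO Friends VALUES ('{user}', '{friend}');")

def add_friend_safe(db, user, friend):
    # Check the friend name: it must be an existing account.
    known = db.execute("SELECT 1 FROM Users WHERE name = ?", (friend,)).fetchone()
    if known is None:
        return False
    # Bound parameters: values travel as data and are never parsed as SQL.
    db.execute("INSERT INTO Friends VALUES (?, ?)", (user, friend))
    db.commit()
    return True

def friends_of(db, user):
    rows = db.execute(
        "SELECT friend FROM Friends WHERE user = ? ORDER BY rowid", (user,))
    return [r[0] for r in rows]

# Constructed input that yields the injected query shown on the slide.
INJECTED_NAME = "Jane Doe'); INSERT INTO Friends VALUES ('John Doe', 'Eve"

def demo():
    vulnerable, safe = new_db(), new_db()
    add_friend_vulnerable(vulnerable, "John Doe", INJECTED_NAME)
    add_friend_safe(safe, "John Doe", INJECTED_NAME)
    return friends_of(vulnerable, "John Doe"), friends_of(safe, "John Doe")

if __name__ == "__main__":
    bad, good = demo()
    print("string-built query :", bad)
    print("parameterised query:", good)
```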

18
Exploiting XSS in AllTogether
  • Users update their profiles using HTML forms. A malicious user
    can embed JS code in an HTML field of his profile as follows:
  • 39010353XXX <script language="javascript"
    type="text/javascript">alert(document.cookie)</script>
  • A user viewing that field will automatically execute the JS code
    in his browser if proper checks on HTML fields are not performed
    on the SN side.
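
The server-side control the slide refers to, shown as output encoding of the stored profile field and checked with an HTML parser. This is an added example, not code from the original slides: the `<td class="phone">` template and the function names are assumptions.

```python
import html
from html.parser import HTMLParser

# Constructed profile value: the phone-number field from the slide.
PROFILE_PHONE = ('39010353XXX <script language="javascript" '
                 'type="text/javascript">alert(document.cookie)</script>')

def render_vulnerable(value):
    # Stored value is concatenated into the page and parsed as markup.
    return f'<td class="phone">{value}</td>'

def render_escaped(value):
    # Output encoding: & < > " ' become entities, so the browser displays
    # the stored text instead of building elements from it.
    return f'<td class="phone">{html.escape(value, quote=True)}</td>'

class Collector(HTMLParser):
    """Records the elements and the visible text a parser finds."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)

def parse(markup):
    """Return (element names, visible text) for a rendered fragment."""
    c = Collector()
    c.feed(markup)
    c.close()
    return c.tags, "".join(c.text)

if __name__ == "__main__":
    print("unescaped:", parse(render_vulnerable(PROFILE_PHONE))[0])
    print("escaped  :", parse(render_escaped(PROFILE_PHONE))[0])
```

The same `parse` check can be run in a regression test over every template that prints user-supplied profile fields.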

19
Exploiting Broken Auth in AllTogether
  • SNs use password retrieval services which are generally based on
    a shared secret (e.g. the surname of the user's mother).
  • A user is challenged to answer the secret question correctly in
    order to change his credentials.
  • Much of this information is available in posts and profiles.
  • A malicious user can discover such information by crawling the
    SN graph.

20
Exploiting XSRF in AllTogether
  • The XSRF attack can force a user to inadvertently perform an
    unwanted action.
  • SN APIs are public, and the method for friend addition may be
    well known to any user.
  • A malicious user can force a victim to visit a URL (e.g. through
    a message) that, once followed by the victim, invokes the API
    method for adding a friendship relation.
  • In order to successfully exploit XSRF, the victim user must be
    logged in to the SN.
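
A server-side check that makes the friend-addition method refuse requests the SN's own pages did not originate, even though the victim's browser attaches the session cookie. This is an added example, not code from the original slides: the handler, the request dictionary shape and the session identifier are hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (assumed)

def csrf_token(session_id):
    """Token bound to the session; embedded only in forms the SN serves."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle_add_friend(request, sessions, friends):
    """Hypothetical handler for the friend-addition API method.

    request: dict with 'method', 'cookies' and 'params' (constructed shape).
    Returns an HTTP-like status code.
    """
    session_id = request["cookies"].get("session")
    user = sessions.get(session_id)
    if user is None:
        return 401          # not logged in: nothing for XSRF to ride on
    if request["method"] != "POST":
        return 405          # a followed link (GET) must never change state
    sent = request["params"].get("csrf_token", "")
    expected = csrf_token(session_id)
    # Compare as bytes so a non-ASCII value cannot raise TypeError.
    if not hmac.compare_digest(sent.encode(), expected.encode()):
        return 403          # the cookie alone is not proof of intent
    friends.setdefault(user, set()).add(request["params"]["friend"])
    return 200

def demo():
    sessions = {"s-123": "John Doe"}   # constructed session store
    friends = {}
    cookies = {"session": "s-123"}     # attached automatically by the browser
    forged_link = {"method": "GET", "cookies": cookies,
                   "params": {"friend": "Eve"}}
    forged_form = {"method": "POST", "cookies": cookies,
                   "params": {"friend": "Eve"}}
    genuine = {"method": "POST", "cookies": cookies,
               "params": {"friend": "Jane Doe",
                          "csrf_token": csrf_token("s-123")}}
    codes = [handle_add_friend(r, sessions, friends)
             for r in (forged_link, forged_form, genuine)]
    return codes, friends

if __name__ == "__main__":
    print(demo())
```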

21
Heterogeneous Security and Energy Consumption
  • Attacks on an OSN (such as those explained for the AllTogether
    toy scenario) are hardly managed by a single security mechanism,
    thus security in OSNs is generally granted by a set of different
    solutions.
  • Besides, successful attacks also have an impact on energy
    consumption as well as on data privacy, integrity and
    confidentiality.
  • Thus, both of these aspects should be considered, leading to a
    new approach to security.

22
Towards Green Security
  • Security mechanisms account for energy consumption at different
    levels, putting an overhead on the computing infrastructure.
  • Optimal and non-overlapping security solutions that are
    sufficient for countering network and application security
    issues are required, but will not be sufficient in the near
    future.
  • The energy-consumption perspective must also be taken into
    account.

23
Green Security and Green Networking
  • The complexity of SNs consequently increases the resources
    required from the network, since users connect from different
    devices, often at the same time.
  • Thus, security requirements also increase due to the complexity
    of the clients used for accessing the SN.
  • In general, this is reflected in the amount of power consumed,
    due both to service complexity and to security.

24
Towards a new problem space
  • A new kind of green-aware security issue arises:
  • security mechanisms may require proper architectural elements to
    be placed in the network
  • in order to secure communications, additional signaling could be
    needed
  • such protocols and mechanisms can result in additional software
    layers, increasing consumption through additional CPU usage
  • users access the Internet via both wireless and wired access
    networks. Thus, security mechanisms could be deployed at
    different layers.

25
A Green Perspective in Securing SNs
  • SNs are protected by means of a combination of overlapping
    security mechanisms, designed without taking energy costs into
    account.
  • Such security mechanisms (e.g. IDS, antivirus) currently lower
    the battery of mobile devices significantly.
  • Our proposal is to model and assess the energy consumption of
    current mechanisms and to design new green-aware solutions.

26
Green Security: an Early Model
  •  

27
Green Security: an Early Model /2
  •  

28
Green Security: an Early Model /3
  •  

29
Conclusions
  • In this chapter, we:
  • Analyzed security issues related to SNs
  • Pointed out interrelations between Green Computing, Security and
    SNs
  • Argued that current approaches to securing SNs are not optimized
    in terms of energy consumption
  • Proposed a new research trend aimed at greening the development
    of future security solutions.
  • Future developments:
  • Experimental measurements of the actual energy consumption of
    security mechanisms
  • Modeling and designing green-aware security solutions.