• View
• Edit
• History
• Print

Security

(redirected from Main.Security)

Attacks

• Access to other data
  • Filesystem
  • Cookies
  • Environment variables
  • Properties (Java applets restrict which Java properties are readable)
• Writing to the file system
• Denial of service by being in an infinite loop
• See https://www.owasp.org/index.php/Category:Attack for a complete list
• Authentication
  • Identification: Is the host that is supplying the accessor code the host I think it is?
    • Solution: See iotAuth
  • Integrity: Has the accessor code been modified?
    • Solution: Use a cryptographic checksum. Could iotAuth help here?

Tutorial Considerations

The browser tutorial allows the user to type in accessor code and then instantiate this accessor. This brings up security concerns.

Generally, we want to prevent:

• Attacks on the accessors repo server.
• Attackers turning the tutorial page into a data harvester (by redirecting users to the tutorial and implementing data-stealing code).
• Attackers using the tutorial page to create a virus (for example, a Denial of Service accessor).

Relevant concerns from from https://www.owasp.org/index.php/Category:Attack

• Data structure attacks
  • Buffer overflow: Create an excessively long data structure.
• Malicious code
  • Data-sending Trojan horse: Read information from user's machine and send to attacker.
• Injection
  • Code injection: Take advantage of allowed characters, data format, or data amount to run code on system.
  • Comment injection: Comment out the whole page using <!-- .
  • Cross-site scripting (XSS): Load malicious code from external resources.
  • Regular expression DoS: Create a very slowly evaluating regular expression.
  • Server-side includes injection: Take advantage of <!-- to inject commands.
• Path traversal attacks
  • Access unauthorized resources: Manipulate the path to access server data; e.g., by using ../ in the URL.
• Probabilistic techniques
  • Denial of service: Overwhelm a server with requests.

Countermeasures:

• Whitelist characters. (Code injection)
• Prohibit looping constructs such as for, forEach, and while. (Buffer overflow)
• Prohibit HTML-style comments (Comment injection, Server-side includes injection)
• Restrict or prohibit REST accessor (XSS, DoS)
• Prohibit calls to window or document object (Data-sending Trojan horse)
• Prohibit regular expressions (Regular expression DoS)
• Prohibit access to files outside of accessor repo (Unauthorized resources). This applies to all accessor pages.

See Also

• Accessor Authentication
• Cross-Origin Request Blocked
• iotAuth
• Sandbox
• Secure Composition Of Accessors
• Notes