Module 2

Hardware Security
Dr. Rasika Naik
Mrs. Arti Sawant
 Introduction

PUF- Physical Unclonable Function can be used to secure hardware products in a flexible way.
Attacks on Hardware
• Physical Attacks
 carried out on the actual device using Hardware tools.
 Also called as Intrusive attack- breaking the device, removing the covered or protective layer on
the device. Eg.- playing with SIM card…like scratching on the SIM card
• Planned Attacks
 Some vulnerability can be deliberately included in the hardware. Eg- Camera installation inside
TV
• Stealing Secret Data
 Many hardware device carries confidential data. (like SIM card carries contacts)
 International Mobile Subscriber Identity (IMSI) and contact details in a SIM card
 Unique identification codes in RFID tags.
 Secret key and other confidential information in smart card.
Securing Hardware

Planned Attack
Types of Attacks
a) Black Box testing (non-invasive type)
The attacker sends an input to the circuit and receives an output.
Based on the Input/output behavior, the attacker decides what kind of algorithm is used.
b) Physical Probing (invasive type)
The attacker plants a probe into the chip itself and reads data off the chip.
It requires sophisticated instrumentation.
c) Reverse Engineering (invasive type)
The attacker acquires the device (eg smart card) and physically exposes the circuit.
Each Layer of the circuit is removed and high resolution photographs are taken.
It requires very sophisticated instrumentation
d) Side Channel Analysis (non-invasive)
The attacker measures sensitive parameters during normal operation of the circuit.
Based on the measurements, some secret values can be inferred.
Typical Countermeasures to prevent Hardware Attacks
a) Obfuscate data in registers and buses
 scramble, encrypt, etc
b) Obfuscate the IC layout
 use 3D stacking, dummy circuitry, etc
c) Add metal mesh on the top of the circuit.
 if the circuit is probed, it will cause a short and the stored data resets.
d) Countermeasures against side channel attacks
 Random noise generator, secret hiding, etc
e) Physical unclonable function (PUF)
 can be used to design low overhead security protocols.
 Side Channel Attacks
Side channel attacks/cryptanalysis is new research area of applied cryptography.
“Side channel attacks/cryptanalysis” are attacks that are based on “Side Channel
Information”.
Side channel information is information that can be retrieved from the encryption device
that is neither the plaintext to be encrypted nor the ciphertext resulting from the encryption
process.
It is known that encryption devices have additional output and often additional inputs
which are not the plaintext or the ciphertext.
Basic idea is to capture unintended leakage of the information during operation. This
information can be exploited to extract key with relatively low efforts.
Encryption devices produce timing information (information about then time that
operations take) that is easily measurable, radiation of various sorts, power consumption
statistics (that can be easily measured as well), and more
Side channel analysis techniques are of concern because the attacks can be mounted
quickly and can sometimes be implemented using readily available hardware
Why important?
• A developer of a secure product has to defend it against all possible attack paths (Software
& Hardware).
• In side channel attack:
The mathematical security of the cryptographic algorithms is not being questioned.
It is the implementation of these algorithms on hardware that is at risk to be broken.
Common Side Channel Attacks

Timing attacks
Simple and Differential Power Analysis
Attacks and Fault Attacks
Timing attacks
 In Timing Attacks, attacker tries to break a cryptosystem by analyzing the
execution time for the overall cryptographic operation.

What does it try to exploit?

 Computation time for a private key operation is dependent on the key in
some way.
 Particularly true for asymmetric key algorithms.(RSA)
Timing attacks
Timing attacks are based on measuring the time it takes for a unit to perform operations
This information can lead to information about the secret keys
 By measuring the amount of time required to perform private key operations, an
attacker might find fixed Diffie-Hellman exponents, factor RSA keys, and break other
cryptosystems
If a unit is vulnerable, the attack is computationally simple and often requires only
known ciphertext
Timing measurements are fed into a statistical model that can provide the guessed key
bit with some degree of certainty
For example, Diffie-Hellman and RSA operations consist of computing R=yx mod n,
where n is public and y can be found by an eavesdropper. The attacker need to find x-
secret. Now y, n, and the computation time are known to the attacker and x stays the
same. Statistical methods will lead to the recovery of the key from these measurements.
Timing attacks: An example
Square and multiply algorithm for modular exponentiation (used in RSA, Diffie-
Hellman)
 Execution time depends linearly on the number of ‘1’ bits of the keys.
 repeated executions with the same key and different inputs can be used.
To perform statistical correlation analysis of timing information.
The key can be recovered completely by multiple experimentation.
For example, Diffie-Hellman and RSA operations consist of computing R=yx mod n,
where n is public and y can be found by an eavesdropper. The attacker need to find x-
secret. Now y, n, and the computation time are known to the attacker and x stays the
same. Statistical methods will lead to the recovery of the key from these measurements.
 Power Consumption Attacks
 A much more effective form of side channel
attack.
These attacks are based on analyzing the power
consumption of the unit/device during the
processing of some cryptographic operation.
What it can yield?
 Information about what the device is doing.
 We can extract key information.
 By either simple or differential analysis of the
power the unit consumes, an attacker can learn
about the processes that are occurring inside the
unit and gain some information that, when
combined with other cryptanalysis techniques, can
assist in the recovery of the secret key
1. Simple Power Analysis (SPA) Attacks
It is generally based on looking at the visual representation of the power
consumption of a unit while an encryption operation is being performed.
Direct interpretation of power consumption measurements collected during
cryptographic operations to learn bits of secret key.
(In Time analysis we can estimate how many number of 1s are there)
Waveforms visually examined (In SPA, we can estimate exact sequence of 1s
and 0s)
SPA can identify big features like rounds of DES/AES, square Vs. multiply in
RSA exponentiation.
It can identify small features like bit value.
SPA is relatively easy to defend against.
1. Simple Power Analysis (SPA) Attacks
The amount of power consumed varies depending on the microprocessor
instruction performed. Large features such as DES rounds, RSA operations,
etc. may be identified, since the operations performed by the microprocessor
vary significantly during different parts of these operations.
SPA can reveal the sequence of instructions executed, it can be used to break
cryptographic implementations in which the execution path depends on the
data being processed, such as: DES key schedule, DES permutations,
Comparisons, Multipliers and Exponentiators.
2. Differential Power Analysis (DPA) Attacks
More complex
Multiple measurements are required.(like some kind of compression of
waveforms, subtraction.. And check if peak is coming or not)
Partition the data and related curves into two sets according to selected bits.
Take the difference and look for peaks or differences.
Can guess/estimate key what can be the bits are there in the key by trial and
error method and by taking measurements, finding peaks. If peak is coming
guess is correct if peak is not coming guess is not correct.
2. Differential Power Analysis (DPA) Attacks
It consist not only of visual but also statistical analysis and error-
correction statistical methods, to obtain information about the keys
DPA usually consists of data collection and data analysis stages that make
extensive use of statistical functions for noise filtering as well as for gaining
additional information about the processes that the unit is performing
For example, to implement a DPA attack, an attacker first observes ‘m’
encryption operations and captures power traces T[1::m][1::k] containing k
samples each. In addition, the attacker records the ciphertexts C[1::m]. No
knowledge of the plaintext is required.
DPA analysis uses power consumption measurements and statistical methods
to determine whether a key block guess K is correct.
 DIFFERENTIAL FAULT ANALYSIS (DFA)
ATTACKS
Fault analysis relates to the ability to investigate ciphers and extract keys by
generating faults in a system that is in the possession of the attacker, or by
natural faults that occur.
Faults are most often caused by changing the voltage, tampering with the clock,
or by applying radiation of various types.
The attacks are based on encrypting the same piece of data twice and
comparing the results. A one-bit difference indicates a fault in one of the
operations. Now, a short computation can be applied for DES, for example, to
identify the round in which the error has occurred.
Another type of Fault Analysis is the Non-Differential Fault Analysis, but this is
based on causing permanent damage to devices for the purpose of extracting
symmetric keys
Preventing Side Channel Attacks
General Data-Independent Calculations: The general feature of making the time needed for
operation execution fixed for every piece of data prevents all timing attacks.
Licensing Modified Algorithms: To design and implement cryptosystems with the
assumption that information will leak. A few companies develop approaches for securing
existing cryptographic algorithms (including RSA, DES, DSA, Diffie-Hellman, El Gamal,
and Elliptic Curve systems) to make systems remain secure even though the underlying
circuits may leak information.
Blinding: If anonymity is important or if further masking is required, a random multiple can
be added to the exponent before each modular exponentiation. This technique may be helpful
in preventing attacks that gain information leaked during the modular exponentiation
operation due to electromagnetic radiation, system performance fluctuations etc.
Avoiding Conditional Branching and Secret Intermediates: Conditional execution, which
depends on input and key data, can easily reveal properties of this data. When all the lines of
code are always running regardless of the input and key bits, the time and power taken to
perform these actions does not depend on the data and therefore does not reveal any of its
properties
 Physically Unclonable Functions (PUF)
• Solution to improve hardware security
• We rely on cryptography as the primary method to protect electronic data
• Yet the budding research field of hardware security has proven
that cryptography as we know it is not all that secure
• Physically Unclonable Functions (PUFs) have emerged as a hardware security
technique that offer everything from improved cryptography to anti-
counterfeiting on ICs
Contd.
• A technique in hardware security that exploits inherent device variations to
produce an unclonable, unique device response to a given input
• On a higher level, a PUF can be thought of as analogous to biometrics for
humans – they are inherent and unique identifiers for every piece of silicon
• From IC to IC, these process variations manifest in ways like differing path
delays, transistor threshold voltages, voltage gains, and countless others.
• While these variations may be random from IC to IC, they are deterministic
and repeatable once known
• PUF exploits this inherent difference in IC behavior to generate a unique
cryptographic key for each IC
• Unlike a conventional cryptographic approach, which uses a single stored key,
PUFs work by implementing challenge-response authentication
• For a given PUF, a specific input, known as a “challenge”, will generate an
output response that is unique to the specific PUF and therefore unclonable
• When hardware is manufactured, the PUF will be fed a series of different
challenges and have its responses recorded
• Through this exercise, the designers know each PUF’s unique response to a
given challenge and can use this information to prevent counterfeiting, create
and store cryptographic keys, and many other security feats
Properties of PUF

• Easy to evaluate: Given PUF and x, it is easy to evaluate y= PUF(x)

• Unique: PUF(x) contains some information about the identity of the physical
entity embedding the PUF

• Unclonable: Given PUF, it is hard to construct a procedure PUF’, where PUF

≠ PUF’ for all x

• One-way: Given only y and corresponding PUF instance, it is hard to find x

such that PUF(x) = y
Example:
Scenario: A standard DRAM cell works with a single capacitor to hold a stored charge as a binary
state, and a pass transistor that controls the flow of charge to and from the capacitor. Due to device
non-idealities, such as transistor subthreshold leakage, the charge on the capacitor tends to leak over
time which causes the cell to lose state. This means that a fully charged DRAM cell representing a
“1” bit value will unwantedly discharge to a “0” bit value over time.
To counteract this, all DRAM cells perform periodic refresh commands which reassert charge to
“refresh” the storage capacitor. A DRAM PUF, on the other hand, works by pausing this refresh for a
longer-than-usual specified interval of time and seeing how the cells have changed state due to
leakage.
Since different cells leak charge at different rates, we can expect to see some cells fully discharge
and change states within a time interval, while others may not have discharged enough to switch
states at all.
Authentication using this process:
In this instance, the “challenge” is the original binary value asserted to an array of DRAM
cells, and the response is the value of that array after the given time interval. This technique
may be used to generate truly random numbers for use in a cryptographic key generation, or it
may be used for device identification for counterfeit protection. In the latter application, an
authenticator may store a database of challenge-response pairs and use this knowledge to
identify counterfeits vs authentic devices.
Benefits of PUFs
• High Security: PUF technology provides a high level of security because the root keys of devices
are never stored in persistent memory, which makes them unclonable and invisible to attackers.
The technology has been stringently tested and certified, amongst others by the US Department of
Defense, several EU Governments, and certification bodies.
• High Flexibility: PUF technology is highly flexible because it removes the need for external key
injection into devices. This significantly simplifies the supply chain by both removing the need for
a trusted party to perform this injection and by allowing key programming to be possible at any
stage of a device’s lifecycle. PUF technology is standard CMOS technology that can be used with
any foundry and process-node technology, which allows designers to reuse their security
architecture regardless of the nodes they are targeting.
• Low Cost: PUF technology does not require dedicated security hardware (such as physically
protected memories) or expensive components like charge pumps, so it comes at a very low cost
compared to traditional methods for key protection. Also, traditional costs for provisioning keys to
devices in trusted facilities do not apply since keys are derived securely inside devices themselves.
Firewall
A firewall is a network security device that monitors incoming and
outgoing network traffic and decides whether to allow or block
specific traffic based on a defined set of security rules
It is first line of defense in network security
They establish a barrier between secured and controlled internal
networks that can be trusted and untrusted outside networks, such as
the Internet.
A firewall can be hardware, software, software-as-a service (SaaS),
public cloud, or private cloud (virtual)
Types of Firewall
Proxy firewall
Stateful inspection firewall
Unified threat management (UTM) firewall
Next-generation firewall (NGFW)
Threat-focused NGFW
Virtual firewall
Cloud Native Firewall
1. Proxy firewall
An early type of firewall device, a proxy firewall serves as the gateway from one network
to another for a specific application. Proxy servers can provide additional functionality
such as content caching and security by preventing direct connections from outside the
network.
2. Stateful inspection firewall
Now thought of as a “traditional” firewall, a stateful inspection firewall allows or blocks
traffic based on state, port, and protocol. It monitors all activity from the opening of a
connection until it is closed. Filtering decisions are made based on both administrator-
defined rules as well as context, which refers to using information from previous
connections and packets belonging to the same connection
3. Unified threat management (UTM) firewall
A UTM device typically combines, in a loosely coupled way, the functions of a stateful
inspection firewall with intrusion prevention and antivirus. It may also include additional
services and often cloud management. UTMs focus on simplicity and ease of use.
4. Next-generation firewall (NGFW)

• Firewalls have evolved beyond simple packet filtering and stateful

inspection. Most companies are deploying next-generation firewalls to block
modern threats such as advanced malware and application-layer attacks.
• Next generation firewall must include:
• Intelligence-based access control with stateful inspection
• Integrated intrusion prevention system (IPS)
• Application awareness and control to see and block risky apps
• Upgrade paths to include future information feeds
• Techniques to address evolving security threats
• URL filtering based on geolocation and reputation
5. Threat-focused NGFW:

 These firewalls include all the capabilities of a traditional NGFW and also provide
advanced threat detection and remediation. With a threat-focused NGFW you can:
 Know which assets are most at risk with complete context awareness
 Quickly react to attacks with intelligent security automation that sets policies and
hardens your defenses dynamically
 Better detect evasive or suspicious activity with network and endpoint event
correlation
 Greatly decrease the time from detection to cleanup with retrospective security that
continuously monitors for suspicious activity and behavior even after initial
inspection
 Ease administration and reduce complexity with unified policies that protect across
the entire attack continuum
6. Virtual firewall:
A virtual firewall is typically deployed as a virtual appliance in a private cloud (VMware
ESXi, Microsoft Hyper-V, KVM) or public cloud (Amazon Web Services or AWS, Microsoft
Azure, Google Cloud Platform or GCP, Oracle Cloud Infrastructure or OCI) to monitor and
secure traffic across physical and virtual networks. A virtual firewall is often a key
component in software-defined networks (SDN).
7. Cloud Native Firewall: Cloud native firewalls are modernizing the way to secure
applications and workload infrastructure at scale. With automated scaling features, cloud
native firewalls enable networking operations and security operations teams to run at agile
speeds.
• Advantages of Cloud Native Firewalls
• Agile and elastic security
• Multi-tenant capability
• Smart load balancing
Backdoors/Trapdoors
A backdoor/trapdoor is a malicious computer program or particular means that provide the
attacker with unauthorized remote access to a compromised system exploiting
vulnerabilities of installed software and bypassing normal authentication.
A backdoor works in background and hides from the user. It is very similar to a virus and
therefore is quite difficult to detect and completely disable.
• A backdoor is one of the most dangerous parasite types, as it allows a malicious person to
perform any possible actions on a compromised computer. The attacker can use a backdoor
to spy on a user,
• manage files,
• install additional software or dangerous threats,
• control the entire system including any present applications or hardware devices,
• shutdown or reboot a computer or
• attack other hosts.
Continue..
Often a backdoor has additional harmful capabilities like keystroke logging,
screenshot capture, file infection, even total system destruction or other
payload
Most backdoors are autonomic malicious programs that must be somehow
installed to a computer.
Some parasites do not require the installation, as their parts are already
integrated into particular software running on a remote host.
Programmers sometimes left such backdoors in their software for diagnostics
and troubleshooting purposes. Hackers often discover these undocumented
features and use them to break into the system.
Intrusion Detection System (IDS)
An intrusion detection system (IDS) is a network security tool that
monitors network traffic and devices for known malicious activity,
suspicious activity or security policy violations.
IDSs can be software applications that are installed on endpoints or
dedicated hardware devices that are connected to the network.
Whatever form it takes, an IDS uses one or both of two primary
threat detection methods: signature-based or anomaly-based
detection.
i. Signature-based detection
Signature-based detection analyzes network packets for attack signatures—
unique characteristics or behaviors that are associated with a specific threat.
A signature-based IDS maintains a database of attack signatures against which
it compares network packets.
If a packet triggers a match to one of the signatures, the IDS flags it.
To be effective, signature databases must be regularly updated with new threat
intelligence as new cyberattacks emerge and existing attacks evolve.
Brand new attacks that are not yet analyzed for signatures can evade signature-
based IDS
ii. Anomaly-based detection
Anomaly-based detection methods use machine learning to create—and
continually refine—a baseline model of normal network activity.
Then it compares network activity to the model and flags deviations
E.g. such as a process that uses more bandwidth than normal, or a device
opening a port
As it reports any abnormal behavior, anomaly-based IDS can often catch new
cyberattacks that might evade signature-based detection
But anomaly-based IDSs may also be more prone to false positives.
Such as an authorized user accessing a sensitive network resource for the first
time, can trigger an anomaly-based IDS.
 Capabilities of intrusion detection systems
Intrusion detection systems monitor network traffic to detect when an attack is being carried out and
identify any unauthorized access.
Monitoring the operation of routers, firewalls, key management servers and files that other security
controls aimed at detecting, preventing or recovering from cyberattacks need.
Providing administrators a way to tune, organize and understand relevant OS audit trails and other logs
that are otherwise difficult to track or parse.
Providing a user-friendly interface so nonexpert staff members can assist with managing system security.
Including an extensive attack signature database against which information from the system can be
matched.
Recognizing and reporting when the IDS detects that system files have been altered.
Generating an alarm and notifying that security has been breached.
Reacting to intruders by blocking them or blocking the server.
Honeypot
It is baiting a trap for hackers
It's a sacrificial computer system that’s intended to attract
cyberattacks, like a decoy. It mimics a target for hackers, and uses
their intrusion attempts to gain information about cybercriminals and
the way they are operating or to distract them from other targets.
The honeypot looks like a real computer system, with applications
and data, fooling cybercriminals into thinking it's a legitimate target.
How honeypots work
 A honeypot could mimic a company's customer billing system - a frequent target of attack for
criminals who want to find credit card numbers. Once the hackers are in, they can be tracked,
and their behavior assessed for clues on how to make the real network more secure.
Honeypots are made attractive to attackers by building in deliberate security vulnerabilities.
Vulnerable ports might be left open to entice attackers into the honeypot environment, rather
than the more secure live network
A honeypot isn't set up to address a specific problem, like a firewall or anti-virus. Instead, it's
an information tool that can help you understand existing threats to your business and spot the
emergence of new threats.
With the intelligence obtained from a honeypot, security efforts can be prioritized and
focused.
Types of honeypots
1. Email traps or spam traps place a fake email address in a hidden location where only
an automated address harvester will be able to find it. Since the address isn't used for
any purpose other than the spam trap, it's 100% certain that any mail coming to it is
spam. All messages which contain the same content as those sent to the spam trap can
be automatically blocked, and the source IP of the senders can be added to a denylist.
2. A decoy database can be set up to monitor software vulnerabilities and spot attacks
exploiting insecure system architecture or using SQL injection, SQL services
exploitation, or privilege abuse.
3. A malware honeypot mimics software apps and APIs to invite malware attacks. The
characteristics of the malware can then be analyzed to develop anti-malware software
or to close vulnerabilities in the API.
4. A spider honeypot is intended to trap webcrawlers ('spiders') by creating web pages
and links only accessible to crawlers. Detecting crawlers can help you learn how to
block malicious bots, as well as ad-network crawlers.
2.2 Various Attack Scenarios and their
Remedies
1. DoS and DDoS attacks: The very common attack - designed to overwhelm
the resources of a system to the point where it is unable to reply to legitimate
service requests.

- A DDoS attack is initiated by a vast array of malware-infected host machines

controlled by the attacker. These are referred to as “denial of service” attacks
because the victim site is unable to provide service to those who want to access
it.
• Prevention against DOS & DDOS:
• Attack surface reduction: Limiting attack surface exposure can help minimize the effect of a DDoS
attack. Several methods for reducing this exposure include restricting traffic to specific locations,
implementing a load balancer, and blocking communication from outdated or unused ports, protocols,
and applications
• Anycast network diffusion: An Anycast network helps increase the surface area of an organization’s
network, so that it can more easily absorb volumetric traffic spikes (and prevent outages) by dispersing
traffic across multiple distributed servers.

• Real-time, adaptive threat monitoring: Log monitoring can help pinpoint potential threats by
analyzing network traffic patterns, monitoring traffic spikes or other unusual activity, and adapting to
defend against anomalous or malicious requests, protocols, and IP blocks.

• Rate limiting: Rate limiting restricts the volume of network traffic over a specific time period,
essentially preventing web servers from getting overwhelmed by requests from specific IP addresses.
Rate limiting can be used to prevent DDoS attacks that use botnets to spam an endpoint with an
abnormal amount of requests at once.
2. MITM Attack
• Man-in-the-middle (MITM) types of cyber attacks refer to breaches
in cybersecurity that make it possible for an attacker to eavesdrop on the data
sent back and forth between two people, networks, or computers. It is called a
“man in the middle” attack because the attacker positions themselves in the
“middle” or between the two parties trying to communicate.
• The two parties involved feel like they are communicating as they normally do.
What they do not know is that the person actually sending the message illicitly
modifies or accesses the message before it reaches its destination.
• Prevention: By using strong encryption on access points or to use a virtual
private network (VPN)
3. Phishing attacks
• It occurs when a malicious actor sends emails that seem to be coming from trusted,
legitimate sources in an attempt to grab sensitive information from the target.
• Phishing attacks combine social engineering and technology and are so-called
because the attacker is, in effect, “fishing” for access to a forbidden area by using
the “bait” of a seemingly trustworthy sender.
• In many cases, the target may not realize they have been compromised, which
allows the attacker to go after others in the same organization without anyone
suspecting malicious activity.
• Prevention: By thinking carefully about the kinds of emails you open and the links
you click on. Pay close attention to email headers, and do not click on anything
that looks suspicious. Check the parameters for “Reply-to” and “Return-path.”
They need to connect to the same domain presented in the email.
4. Injection Attacks
• False data injection attacks inject harmful code and commands into control
systems networks that are not fortified with efficient authentication
mechanisms.
• Such attacks can range from commanding industrial control systems to
performing actions that are outside of safe operating margins, to completely
reconfiguring the control systems’ equipment to perform differently from the
way they are meant to function.
• E.g. SQL injections, XSS attacks etc.
• Prevention: Secured architecture, Secured APIs, Sanitization
5. Session Hijacking
• A session hijacking assault or TCP session hijacking attack happens
when an assailant assumes command over a client's session. At the
point when you sign into a help, for example, your financial
application, a session starts and closures when you log out.
• The assault is otherwise called treat hijacking or treat side-jacking in
light of the fact that it depends on the assailant's information on your
session treat. Albeit any PC session can be seized, program sessions
and web applications are the most widely recognized targets.
Steps

• Commandeering a session Step 1: An imprudent web client signs into a record. The client
might get to a financial balance, a Mastercard webpage, a web-based store, or some other
application or website. In the client's program, the application or site puts an impermanent
"session treat." This treat contains data about the client that empowers the site to keep them
validated and signed in while likewise following their movement during the session. The session
treat stays in the program until the client logs out or is logged out consequently.
• Hijacking a session Step 2: A lawbreaker accesses a legitimate web session. Cybercriminals
utilize an assortment of strategies to take sessions. Numerous normal kinds of session
commandeering include taking the client's session treat, finding the session ID inside the treat,
and afterward utilizing that data to assume command over the session. A session ID is likewise
alluded to as a session key. The crook can assume control over the session without being
recognized on the off chance that they get the session ID.
• Hijacking of a session Step 3: The session criminal is made up for assuming control over the
session. When the first web client has left the session, the criminal can utilize it to perpetrate an
assortment of terrible demonstrations. They can take cash from the client's ledger, purchase
things, take individual data to commit wholesale fraud, or scramble significant information and
request a payoff to recuperate it.
 Prevention
• HTTPS: The use of HTTPS ensures that there is SSL/TLS encryption throughout the session traffic.
Attackers will be unable to intercept the plaintext session ID, even if the victim’s traffic was
monitored. It is advised to use HSTS (HTTP Strict Transport Security) to guarantee complete
encryption.
• HTTPOnly: Setting up an HTTPOnly attribute prevents access to the stored cookies from the client-
side scripts. This can prevent attackers from deploying XSS attacks that rely on injecting Java Scripts
in the browser
• System Updates: Install reputable antivirus software which can easily detect viruses and protect you
from any type of malware (including the malware attackers use to perform session hijacking). Keep
your systems up to date by setting up automatic updates on all your devices.
• Session Management: In order to offer sufficient security, website operators can incorporate web
frameworks, instead of inventing their own session management systems.
• Session Key: It is advised to regenerate session keys after their initial authentication. This renders
the session ID extracted by attackers useless as the ID changes immediately after authentication.
• Identity Verification: Perform additional identity verification from the user beyond the session key.
This includes checking the user's usual IP address or application usage patterns.
 Reflection point
Discuss some common attacks or attacks you
might face earlier? What could be prevention
against it?