domain driven security_java_zone2016

Post on 12-Apr-2017


TRANSCRIPT

Your Business is under Attack; Arm yourself with Domain Driven Security

@danbjson, @DanielDeogun

JavaZone Oslo, Sept 7th 2016

@danbjson, @DanielDeogun #DomainDrivenSecurity

About Us…

Omegapoint, offices in Umeå, Malmö, Göteborg, Falun, Stockholm and New York

Daniel Deogun, Coder and Quality Defender

Dan Bergh Johnsson, Secure Domain Philosopher

Key Take-Aways

• Security through Clarity: Be specific rather than generic.

• Domain knowledge distilled into code makes a difference.

• Be aware of your contexts and boundaries.


What is Domain Driven Security?

“Domain Driven Security is about taking ideas from DDD and using them as tools to address security concerns, even though the tools were not originally designed specifically for security issues.”

- Dan Bergh Johnsson, Dr. John Wilander [2009], http://dearjunior.blogspot.be/2009/09/introducing-domain-driven-security.html

Attacks From A DDD Perspective

[Quadrant diagram: Simple Technical, Complex Technical, Simple Domain, Complex Domain. This slide returns before each of the following sections to place that section's attack in one of the four quadrants.]

Purchasing “Un-encyclopedia”

[Encyclopedia]


Technical Solution

[Encyclopedia]

OWASP: validate indata

Book Retail Domain

Checks scattered through the code:

isTrue(qt > 0)
if(amount >= 0)
if(!(qty < 0))
input.matches("[0-9]+")
if(parseInt(input) > 0)
if(qt > 0)
if(amt > -1)

The checks do not even agree with each other: a quantity of 0 passes amount >= 0, !(qty < 0) and amt > -1 but fails qt > 0, and input.matches("[0-9]+") accepts strings that parseInt cannot hold.

Analysis à la DDD

• Observation
  • Quantity is modelled as integer
  • Quantity is an implicit concept
• Analysis
  • Modelling is incomplete or missing

Analysis à la DDD

-1 : Integer (a perfectly valid integer)

-1 : Quantity (not a quantity anyone can order)

OrderLine {ISBN, Quantity}

Quantity made explicit - a good start

import static org.apache.commons.lang3.Validate.isTrue;

public final class Quantity {
    public final int value;

    public Quantity(final int value) {
        isTrue(value > 0, "Quantity must be greater than zero. Got: %s", value);
        this.value = value;
    }
}

Ubiquitous Domain Primitives

Library of domain primitives
• Standard (e.g. ISBN)
• Specific (e.g. Quantity)

before: void buyBook(String, int)
after:  void buyBook(ISBN, Quantity)
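The library of domain primitives from the last two slides, written out as an added example (this is not code from the talk or from Omegapoint): ISBN verifies the ISBN-13 check digit, Quantity enforces the bounds of an order line and parses user input in the length, lexeme, range order, and buyBook(ISBN, Quantity) can only be called with values that survived those checks. The upper bound of 1000 and the use of IllegalArgumentException instead of the slide's isTrue(...) are assumptions made here so that the example needs nothing but the JDK.

```java
// Added example, not code from the talk: two domain primitives and the
// buyBook(ISBN, Quantity) signature from the slide. Bounds and error types
// are assumptions made here; only the JDK is used.
import java.util.Objects;

public final class DomainPrimitives {

    /** Number of copies on one order line: 1 up to an assumed per-line maximum. */
    public static final class Quantity {
        // Assumed business limit; the real value is a domain decision.
        public static final int MAX = 1000;
        public final int value;

        public Quantity(final int value) {
            if (value < 1 || value > MAX) {
                throw new IllegalArgumentException(
                        "Quantity must be between 1 and " + MAX + ". Got: " + value);
            }
            this.value = value;
        }

        /** From user input: length first, then lexical form (no sign, no leading zero), then range. */
        public static Quantity parse(final String input) {
            Objects.requireNonNull(input, "input");
            if (input.length() > 4 || !input.matches("[1-9][0-9]*")) {
                throw new IllegalArgumentException("Not a quantity: " + input);
            }
            return new Quantity(Integer.parseInt(input)); // cannot overflow: at most 4 digits
        }

        @Override public boolean equals(final Object o) {
            return o instanceof Quantity && ((Quantity) o).value == value;
        }
        @Override public int hashCode() { return Integer.hashCode(value); }
        @Override public String toString() { return "Quantity(" + value + ")"; }
    }

    /** ISBN-13, stored as 13 digits without separators, check digit verified. */
    public static final class ISBN {
        public final String value;

        public ISBN(final String raw) {
            Objects.requireNonNull(raw, "isbn");
            final String digits = raw.replace("-", "").replace(" ", "");
            if (!digits.matches("97[89][0-9]{10}")
                    || checkDigit(digits) != digits.charAt(12) - '0') {
                throw new IllegalArgumentException("Not a valid ISBN-13: " + raw);
            }
            this.value = digits;
        }

        /** ISBN-13 check digit: alternate weights 1 and 3 over the first twelve digits. */
        static int checkDigit(final String digits) {
            int sum = 0;
            for (int i = 0; i < 12; i++) {
                sum += (digits.charAt(i) - '0') * (i % 2 == 0 ? 1 : 3);
            }
            return (10 - sum % 10) % 10;
        }

        @Override public boolean equals(final Object o) {
            return o instanceof ISBN && ((ISBN) o).value.equals(value);
        }
        @Override public int hashCode() { return value.hashCode(); }
        @Override public String toString() { return "ISBN(" + value + ")"; }
    }

    /** The signature from the slide: the body never sees an invalid argument. */
    static void buyBook(final ISBN isbn, final Quantity quantity) {
        System.out.println("Buying " + quantity.value + " x " + isbn.value);
    }

    public static void main(final String[] args) {
        buyBook(new ISBN("978-0-13-235088-4"), Quantity.parse("3"));
        for (String bad : new String[] {"-1", "0", "01", "99999", "1e3"}) {
            try {
                Quantity.parse(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

Because both types are immutable and validate in the constructor, there is no code path that yields a Quantity of -1 or an ISBN with a bad check digit; the "un-encyclopedia" purchase is rejected before any business logic runs, and every one of the scattered checks from the Technical Solution slide collapses into one place.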

Another concept made explicit

import static org.apache.commons.lang3.Validate.isTrue;

public final class EmailAddress {
    public final String value;

    public EmailAddress(final String value) {
        isTrue( ?????????, "Not valid email. Got: %s", value);   // what goes here?
        this.value = value;
    }
}

Email according to spec
• RFC 5322 3.4 Address Specification (RFC 821, RFC 2821)
• Some OK examples
  • root@127.0.0.1
  • !#$%&'*+-/=?^_`{|}~@omegapoint.se
  • "Åsa Sjölander"@omegapoint.se
• Regexp : (?:(?:\r\n)?[ \t])*(?:(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n) /… 6424 chars

You define Your domain

[Nested sets, outermost first]
• All possible strings, e.g. <script>install…</script>, bla bla ""4534
• RFC 5322 Emails, e.g. root@127.0.0.1, !#$%&'*+-/=?^_`{|}~@omegapoint.se
• Emails in your domain, e.g. daniel.deogun@omegapoint.se
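One way to fill in the ????????? from the EmailAddress slide, as an added example that is not code from the talk: instead of the 6424-character RFC regexp, the class models "emails in your domain". The rules (at most 64 characters, lower-case letters, digits, dot and hyphen only, one @, non-empty labels, and only the omegapoint.se domain) are assumptions invented for this example, and the checks run in the length, lexeme, parse, semantics order from the "A Quick Note On Validation" slide later in the deck; the "origin" step of that list is about where the string came from and cannot be decided inside the class.

```java
// Added example, not code from the talk: an EmailAddress for one specific
// domain. Every rule below is an assumption for the example; the point is
// that the domain, not RFC 5322, decides what an address is.
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

public final class EmailAddress {
    private static final int MAX_LENGTH = 64;                             // assumed
    private static final Set<String> ALLOWED_DOMAINS = Set.of("omegapoint.se"); // assumed
    // Lexeme: the character set this domain uses. No quotes, no spaces, no
    // control characters, and '@' is excluded from both classes so it can
    // occur exactly once.
    private static final Pattern LEXEME = Pattern.compile("[a-z0-9.\\-]+@[a-z0-9.\\-]+");
    // Structure of one dot-separated label: no empty labels, no leading/trailing hyphen.
    private static final Pattern LABEL = Pattern.compile("[a-z0-9]+(-[a-z0-9]+)*");

    public final String value;

    public EmailAddress(final String input) {
        if (input == null) {
            throw new IllegalArgumentException("Email must not be null");
        }
        // 1. Length: cheap, and bounds the cost of everything that follows.
        if (input.length() > MAX_LENGTH) {
            throw new IllegalArgumentException("Email too long (" + input.length() + " chars)");
        }
        // Case-folding the local part is itself a domain decision (assumed acceptable here).
        final String s = input.trim().toLowerCase(Locale.ROOT);
        // 2. Lexeme: this is what throws out <script>, quotes, CR/LF and the
        //    exotic-but-RFC-valid examples from the previous slide.
        if (!LEXEME.matcher(s).matches()) {
            throw new IllegalArgumentException("Not valid email. Got: " + input);
        }
        // 3. Parse: split into local part and domain, check each label.
        final int at = s.indexOf('@');
        final String local = s.substring(0, at);
        final String domain = s.substring(at + 1);
        for (String label : (local + "." + domain).split("\\.", -1)) {
            if (!LABEL.matcher(label).matches()) {
                throw new IllegalArgumentException("Not valid email. Got: " + input);
            }
        }
        // 4. Semantics: does it mean anything in our domain? Here, only our own addresses.
        if (!ALLOWED_DOMAINS.contains(domain)) {
            throw new IllegalArgumentException("Email domain not allowed: " + domain);
        }
        this.value = s;
    }

    /** Convenience for callers that only need a yes/no answer. */
    public static boolean accepts(final String input) {
        try {
            new EmailAddress(input);
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    public static void main(final String[] args) {
        for (String candidate : new String[] {
                "daniel.deogun@omegapoint.se",
                "root@127.0.0.1",
                "!#$%&'*+-/=?^_`{|}~@omegapoint.se",
                "\"Åsa Sjölander\"@omegapoint.se",
                "<script>install</script>@omegapoint.se"}) {
            System.out.println((accepts(candidate) ? "accepted " : "rejected ") + candidate);
        }
    }
}
```

root@127.0.0.1 is a valid RFC 5322 address and passes the first three steps; it is the semantic step that rejects it, because no user in this domain has an address there. The other three examples never get past the lexeme check, which is where the bulk of injection payloads die.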

What is Domain Driven Security?

“Domain Driven Security is about taking ideas from DDD and using them as tools to address security concerns, even though the tools were not originally designed specifically for security issues.”

- Dan Bergh Johnsson, Dr. John Wilander [2009], http://dearjunior.blogspot.be/2009/09/introducing-domain-driven-security.html

History of Domain Driven Security

[Timeline from 2009 to 2016, in the order shown on the slide]
• 2009: Domain Driven Security coined by Dan Bergh Johnsson and John Wilander
• Erlend Oftedal (@webtonull); OWASP Europe
• Industry practice; Daniel Deogun
• Talks at JavaZone, Jfokus, OPKoKo, Devoxx, DDD Europe, jDays, DDD eXchange, DDD Summit
• Daniel Sawano, Johan Arnör, Jonas Stendahl
• 2016: Book

Yes, there will be a book

Working title: "Secure by Design"
Authors: Dan Bergh Johnsson, Daniel Deogun, Daniel Sawano

Publisher: Manning. Manning Early Access Program ~ Oct-Nov; final publication: end of 2017

SHAMELESS PLUG

Attacks From A DDD Perspective (quadrant slide repeated: Simple Technical, Complex Technical, Simple Domain, Complex Domain)

Injection Flaw

“Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.”

- OWASP top 10


The Classics - Dynamic SQL String

SELECT … FROM Users
WHERE username = '' OR 1=1--'
AND password = 'anything you want'

(The username field was given the value ' OR 1=1-- ; the quote closes the string, OR 1=1 makes the condition always true, and everything after -- is a comment, so the password check never runs.)

Warning! This is just an example. Do not store passwords in plain text. Do not use relational databases for user management.

What's the problem? and solution?

• ' OR 1=1 -- is not a valid username
• This is implicit in the code
• Needs to be made explicit
• Modelling required

Prepared Statements AKA Parametrised Queries

• SQL Injection is solved by prepared statements (for parameter values; table or column names and ORDER BY clauses built from input are not parameters and still need modelling and an allow-list)
• Other Injection Flaws
  • LDAP, Command, XPath, HTTP header …
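The two halves of the argument side by side, as an added example that is not code from the talk: a Username domain primitive that makes "' OR 1=1--" unrepresentable, and a lookup that is parametrised anyway. The username rules (3 to 32 characters of lower-case letters, digits, underscore and dot) and the Users(id, username) table are assumptions for this example; the JDBC Connection is supplied by the caller, so the class depends on nothing but the JDK.

```java
// Added example, not code from the talk: a Username primitive plus a
// parametrised lookup. Username rules and table layout are assumptions.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;

public final class UserLookup {

    /** Username as this (assumed) domain defines it: 3-32 chars of [a-z0-9_.], not starting with a dot. */
    public static final class Username {
        public final String value;

        public Username(final String input) {
            if (input == null || input.length() < 3 || input.length() > 32
                    || !input.matches("[a-z0-9_][a-z0-9_.]*")) {
                // The message deliberately does not echo the input: a rejected
                // username is attacker data and should not be reflected into
                // logs or pages before it has been encoded for that context.
                throw new IllegalArgumentException("Not a valid username");
            }
            this.value = input;
        }
    }

    /** The classic from the slide, kept only for contrast: data concatenated into code. */
    static String dynamicSql(final String username) {
        return "SELECT id FROM Users WHERE username = '" + username + "'";
    }

    /** Modelled and parametrised: the type already excludes quotes and spaces,
     *  and the PreparedStatement keeps the value out of the SQL text regardless. */
    static Optional<Long> findUserId(final Connection conn, final Username username)
            throws SQLException {
        final String sql = "SELECT id FROM Users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username.value);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? Optional.of(rs.getLong("id")) : Optional.empty();
            }
        }
    }

    public static void main(final String[] args) {
        // The query text an attacker obtains from the dynamic version.
        System.out.println(dynamicSql("' OR 1=1--"));
        // The same payload never becomes a Username at all.
        try {
            new Username("' OR 1=1--");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected at the model boundary: " + e.getMessage());
        }
        // findUserId(conn, new Username("jane.smith")) runs against any JDBC Connection.
    }
}
```

The two defences are not redundant. The prepared statement is what stops SQL injection; the Username type is what stops the same string from travelling on to an LDAP filter, a log line, or a shell command somewhere else in the system, which a parametrised query does nothing about. Password verification is left out on purpose, as the previous slide's warning asks.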

HTTP Response with Cookie

[https://www.owasp.org/index.php/HTTP_Response_Splitting]

String author = … /* request, database, user setting … */
...
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);

HTTP/1.1 200 OK
...
Set-Cookie: author=Jane Smith
…
<html><head><title>The real content</title> ...

HTTP Injection

Hacked 'author' value into database/setting …
author : "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n..."

HTTP/1.1 200 OK
...
Set-Cookie: author=Wiley Hacker

HTTP/1.1 200 OK
…
<html><head><title>Hacked content</title> …
...

<html><head><title>The real content</title> ...

The CRLF inside the author value ends the Set-Cookie header, so the bytes that follow are read by the client (or an intermediate cache) as a second, attacker-written response; the real content arrives after it.

[https://www.owasp.org/index.php/HTTP_Response_Splitting]

RFC 2616 HTTP/1.1 Ch 4 HTTP Message

HTTP-message    = Request | Response     ; HTTP/1.1 messages

generic-message = start-line
                  *(message-header CRLF)
                  CRLF
                  [ message-body ]
start-line      = Request-Line | Status-Line

message-header  = field-name ":" [ field-value ]
field-name      = token
field-value     = *( field-content | LWS )
field-content   = <the OCTETs making up the field-value
                   and consisting of either *TEXT or combinations
                   of token, separators, and quoted-string>

http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4

A CRLF that is not followed by a space or tab (line folding) terminates the header, which is exactly what the injected author value exploits. RFC 2616 has since been obsoleted by RFC 7230, which keeps the same CRLF-delimited structure and deprecates line folding.
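The grammar above turned into a domain primitive, as an added example that is not code from the talk: a CookieValue that refuses every octet RFC 2616 does not allow as plain field-content, so the "Wiley Hacker\r\nHTTP/1.1 200 OK" value from the HTTP Injection slide cannot be constructed at all. The allowed set (printable ASCII without ';', ',' and '"') and the 128-character limit are assumptions narrower than the RFC, chosen because in this domain the cookie carries a display name; the response(...) and statusLines(...) helpers exist only to show the effect and are not a servlet API.

```java
// Added example, not code from the talk: a header-safe cookie value. The
// character rules are an assumption for a display-name cookie; the helpers
// that build and inspect a raw response are for demonstration only.
import java.nio.charset.StandardCharsets;

public final class CookieValue {
    public final String value;

    public CookieValue(final String input) {
        if (input == null || input.isEmpty() || input.length() > 128) {
            throw new IllegalArgumentException("Cookie value missing or too long");
        }
        for (int i = 0; i < input.length(); i++) {
            final char c = input.charAt(i);
            // CTLs (0x00-0x1F, 0x7F) are never field-content; CR and LF in
            // particular end the header. ';' and ',' are cookie separators;
            // '"' and non-ASCII are excluded to stay within plain token/TEXT octets.
            if (c < 0x20 || c == 0x7F || c > 0x7E || c == ';' || c == ',' || c == '"') {
                throw new IllegalArgumentException(
                        "Illegal character 0x" + Integer.toHexString(c) + " at position " + i);
            }
        }
        this.value = input;
    }

    /** One Set-Cookie line; it cannot contain CRLF because the value cannot. */
    static String setCookieHeader(final String name, final CookieValue v) {
        return "Set-Cookie: " + name + "=" + v.value + "\r\n";
    }

    /** A raw response in the shape of the slide, for inspection. */
    static String response(final CookieValue author, final String body) {
        return "HTTP/1.1 200 OK\r\n"
                + "Content-Type: text/html; charset=utf-8\r\n"
                + "Content-Length: " + body.getBytes(StandardCharsets.UTF_8).length + "\r\n"
                + setCookieHeader("author", author)
                + "\r\n"
                + body;
    }

    /** Number of status lines in a raw response: more than one means it was split. */
    static int statusLines(final String raw) {
        int n = 0;
        for (String line : raw.split("\r\n")) {
            if (line.startsWith("HTTP/1.1 ")) {
                n++;
            }
        }
        return n;
    }

    public static void main(final String[] args) {
        final String real = "<html><head><title>The real content</title></head></html>";
        final String ok = response(new CookieValue("Jane Smith"), real);
        System.out.println("status lines in a valid response: " + statusLines(ok));
        try {
            // The value from the HTTP Injection slide: rejected at the CR.
            new CookieValue("Wiley Hacker\r\nHTTP/1.1 200 OK\r\n\r\n<html>Hacked</html>");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Many servlet containers today refuse or strip CR and LF in header values, but that protection lives in whichever container happens to be deployed; the type puts the rule next to the value that carries it, where the next team that reads the code will see it, and it applies equally when the same string is written to the database or a log.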

DDSec to the Rescue on Injection Flaw

• DDD helps one to separate data from code

• Validating with respect to the model is crucial


A Quick Note On Validation

Validation order (check in this sequence)
• Origin
• Length
• Lexeme (content text)
• Parsing (content structure)
• Semantics

- Dr. John Wilander

Attacks From A DDD Perspective (quadrant slide repeated: Simple Technical, Complex Technical, Simple Domain, Complex Domain)

Context Maps (Strategic DDD)

[Context map: the concept "Order" appears in three bounded contexts, Purchase, Logistics and Finance, and is modelled separately in each]

Cross Site Scripting (XSS)

“XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.”

- OWASP top 10


XSS Example

http://github.com/Omegapoint/facepalm


The Intention from a Domain Perspective

[Flow: Browser (write context) sends a Comment → Server (Facepalm) stores it as Content → Browser (read context) receives Content. The reading browser distinguishes Content from Code; a <script> tag is Code.]

http://github.com/Omegapoint/facepalm

Broken Context Map

[Flow: a Comment containing <script> is written in the Browser (write context), stored unchanged by the Server (Facepalm) as Content, and delivered unchanged to the Browser (read context), where the same <script> is no longer Content but Code. Each context passes <script> on as-is.]

http://github.com/Omegapoint/facepalm

Fix the Broken Map

[Flow: the Comment <script> is written in the Browser (write context) and stored by the Server (Facepalm) as Content; on the way to the Browser (read context) it is encoded to &lt;script&gt;, so the read context still sees Content, not Code.]

http://github.com/Omegapoint/facepalm

SQL Injection vs XSS

[Diagram; only the label "Code" survives in the transcript]

2nd order injection

[Flow: Web → Srv → DB → Log → Log Adm. Data that was harmless where it entered is stored, written to a log, and read much later in the log administrator's context, where it becomes code.]
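The broken and fixed Facepalm context maps and the 2nd order injection slide share one mechanism: the same Comment leaves the server for contexts with different ideas of what "code" is. As an added example that is not Facepalm's own code, the block below keeps the comment as written and applies a different encoding per read context: HTML text for the browser, and control-character escaping for a log line that a log administrator will later read. Both encoders are hand-written here so the rules are visible; in a real project use a maintained encoder library (for instance the OWASP Java Encoder) rather than your own table. The Comment length limit and the sample comment are assumptions.

```java
// Added example, not Facepalm code: one Comment, two read contexts, two
// encoders. Limits and sample data are assumptions for the example.
public final class CommentContexts {

    /** A comment as written in the browser (write context): any text, bounded length. */
    public static final class Comment {
        public final String text;

        public Comment(final String text) {
            if (text == null || text.isEmpty() || text.length() > 2000) {
                throw new IllegalArgumentException("Comment missing or too long");
            }
            this.text = text;
        }
    }

    /** Read context #1: HTML text content. Anything that could open a tag,
     *  entity or attribute is escaped; newlines are harmless here. */
    static String toHtmlText(final Comment c) {
        final StringBuilder sb = new StringBuilder(c.text.length() + 16);
        for (int i = 0; i < c.text.length(); i++) {
            final char ch = c.text.charAt(i);
            switch (ch) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    /** Read context #2 (2nd order): a log line. Here "code" is a line break
     *  that forges a new entry or a control sequence that hides one, so CR,
     *  LF, ESC and the other controls are escaped; '<' is just text. */
    static String toLogField(final Comment c) {
        final StringBuilder sb = new StringBuilder(c.text.length() + 16);
        for (int i = 0; i < c.text.length(); i++) {
            final char ch = c.text.charAt(i);
            if (ch == '\\') {
                sb.append("\\\\");
            } else if (ch == '\n') {
                sb.append("\\n");
            } else if (ch == '\r') {
                sb.append("\\r");
            } else if (ch < 0x20 || ch == 0x7F) {
                sb.append(String.format("\\x%02x", (int) ch));
            } else {
                sb.append(ch);
            }
        }
        return sb.toString();
    }

    public static void main(final String[] args) {
        // Constructed sample: an XSS payload followed by a forged log entry.
        final Comment c = new Comment(
                "<script>install…</script>\n2016-09-07 INFO admin logged in");
        System.out.println("<p>" + toHtmlText(c) + "</p>");
        System.out.println("comment=" + toLogField(c));
    }
}
```

Note what each encoder leaves alone: the HTML encoder keeps the newline, the log encoder keeps the angle brackets. That is correct for a plain-text log, and wrong the moment "Log Adm" reads the log through a web page, which is a third read context needing the HTML encoder on top. The context map tells you how many encoders you need; the encoders themselves do not.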

Preventing Data Leakage: read once object [Daniel Sawano]

import java.io.Externalizable;
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectOutput;
import java.util.concurrent.atomic.AtomicReference;
import static org.apache.commons.lang3.Validate.notNull;

public final class SensitiveValue implements Externalizable {
    private final AtomicReference<String> value;

    public SensitiveValue(final String value) {
        this.value = new AtomicReference<>(validated(value));
    }

    // Hands out the value exactly once; a second call fails loudly.
    public String value() {
        return notNull(value.getAndSet(null), "Sensitive value has already been consumed");
    }

    // Never leaks the value into logs or debug output.
    @Override
    public String toString() {
        return "SensitiveValue value = *****";
    }

    // Refuses serialisation in both directions so the value cannot leave the process this way.
    @Override
    public void writeExternal(final ObjectOutput out) throws IOException {
        throw new UnsupportedOperationException("Not allowed on sensitive value");
    }

    @Override
    public void readExternal(final ObjectInput in) throws IOException {
        throw new UnsupportedOperationException("Not allowed on sensitive value");
    }

    // validated(...) is not shown on the slide; the domain-specific rule goes here.
    private static String validated(final String value) {
        return notNull(value, "Sensitive value must not be null");
    }
}

How did DDSec Help Us?

• DDD gave deeper insight into the nature of XSS

• Context mapping allows one to "detect" possible broken maps

• Modelling confidentiality protects against accidental disclosure of sensitive data

Attacks From A DDD Perspective (quadrant slide repeated: Simple Technical, Complex Technical, Simple Domain, Complex Domain)

Complex Domain Attack

[Diagram: an Order with quantity -1 flows from the Order context into Finance, Storage and Shipping; each of the three receives the -1 and acts on it in its own terms]

Micro-servicing the Monolith

[Diagram: the monolith is split into a Purchase context and an Insurance context; both contain a Payment, and Insurance also has a Policy]

Making a change with surgical precision

[Diagram: Purchase and Insurance contexts, each with a Payment; Insurance also has a Policy. Payment has Confirm and Reject; the Bank sends Giro Confirm and Giro Bounce, which are wired into the existing Payment]

What we would have done

[Diagram: Purchase and Insurance contexts, Policy in Insurance. Payment is split into Cash Payment and Giro Payment; Confirm and Reject belong to Cash Payment, Giro Confirm and Giro Bounce from the Bank belong to Giro Payment]

Micro-Service Hell

• We’re moving towards more and more micro-services

• Implemented by separate teams

• How do we guarantee correct context mappings?


Attacks From A DDD Perspective (quadrant slide repeated: Simple Technical, Complex Technical, Simple Domain, Complex Domain)

Key Take-Aways

• Security through Clarity: Be specific rather than generic.

• Domain knowledge distilled into code makes a difference.

• Be aware of your contexts and boundaries.


Q & A

[Questions]


Thanks

@danbjson, @DanielDeogun


Image References

• [Questions - https://flic.kr/p/9ksxQa] by Damián Navas under license https://creativecommons.org/licenses/by-nc-nd/2.0/

• [Encyclopedia - https://www.flickr.com/photos/stewart/461099066] by Stewart Butterfield under license https://creativecommons.org/licenses/by/2.0/
