Documenting threats and vulnerabilities in a web services infrastructure

quicksandwalleyeInternet και Εφαρμογές Web

31 Οκτ 2013 (πριν από 3 χρόνια και 10 μήνες)

84 εμφανίσεις

Documenting threats and vulnerabilities in
a web services infrastructure

Lieven Desmet

DistriNet Research Group, Katholieke Universiteit Leuven, Belgium

Lieven.Desmet@cs.kuleuven.ac.be

2

Overview


Context


Web applications architecture


Web services


Threat modelling for web services


Conclusion and open questions

3

Context


Threat modelling for web applications:


Coordinated by Microsoft and PWC


6 research groups:


Università Degli Studi Di Milano (SQL Server)


Technical University of Ilmenau (ASP.NET)


University of Salford (Active Directory)


COSIC, K.U.Leuven (Security Tokens)


DistriNet, K.U.Leuven (Web Services)


Sintef (Threat and Countermeasure Representation)

4

Context (2)


Identification and countering the most relevant
threats


Focus on threats related to the underlying
platform, technologies or programming language


Applicable by developers, particularly for
Independent Software Vendors


5

Context (3)


Current results of different groups reported in the
"Security in Microsoft .Net" panel on CMS2004


Panel papers are available on project's internal
website:


http://sobenet.cs.kuleuven.ac.be/usergroup/working/




Presentation of our approach, open for feedback

6

Web applications architecture


Web applications:


Distributed applications, using the HTTP protocol


Client
-
server model:


Browser or rich clients


Server
-
resident applications on the web and application
server


Several server technologies: CGI, PHP, Java
Servlets, JSP, ASP.NET, …


7

Web applications architecture (2)


database

server

application

server

FW2

FW

company network

3

web server

client

FW1

smartcard

reader

mainframe,

application

server, ...

authentication

& directory

server

client tier

presentation tier

business tier

back
-
office tier

8

Web applications architecture (3)


SQL

server

IIS

ASP.NET

COM+

FW2

FW

company network

3

IIS

ASP.NET

IExplorer

.NET Framework

FW1

smartcard

reader

ASP.NET

Active

Directory

9

Web services


Web service = XML messaging based interface
to some computing resource, exchanging
structured and typed information (↔ classic web
application!)



Web services can be used as:


RPC implementation


Document based information flow

10

Web services (2)


Web service protocol:


Unidirectional


Asynchronous


Often combined into a bidirectional synchronous protocol



Web service protocol stack:


Transport: HTTP (or FTP,SMTP,…)


Messaging: SOAP


Service description: WSDL


Service discovery: UDDI


11

Web services (3)


Communication participants:


Originating node


Receiving node


Possibly some intermediary nodes

receiving

node

originating

node

intermediate

intermediate

SOAP

SOAP

SOAP

12

Web services in web applications


Web services in web applications:


Wrapping legacy applications


Better web server


application server separation


Rich clients, interfacing to the server


Integration of building block services


Multistage processing


Virtual organisations




13


Threat modelling for web services


Our approach:


Defining the web service assets


Systematic STRIDE
-
based enumeration of threats
for a generic web service


Mapping attack entry points to the architecture


Listing countermeasures


Guidelines and questions for countermeasure
selection

14

Web service assets


Web service assets:


Application specific assets:


specific data, procedures, …


Web service specific technology artefacts:


WSDL files, assemblies, SOAP messages, …


Private information on the client machine


Availability


originating

node

SOAP

receiving

node

15

STRIDE for web services


STRIDE:


S
poofing


Both client en server can be spoofed


T
ampering


SOAP messages, WSDL descriptions and client/server assemblies


R
epudiation


I
nformation Disclosure


SOAP messages, WSDL descriptions, client/server assemblies and
application specific data


D
enial of Service


E
levation of privileges

originating

node

SOAP

receiving

node

16

Most relevant threats


Spoofing of client requests


SOAP message replay


SOAP message tampering


WSDL file tampering


Reverse engineering of client assemblies


SOAP message disclosure


WSDL files unnecessarily disclosed


Bad error handling


Server denial of service


Exposing legacy software vulnerabilities




17

Mapping to the architecture

back
-
end

(mainframe,

database, ...)

application

server

FW2

FW

company network

3

web server

client

FW1

DMZ

Rich client

Web server

Browser

Web server

SOAP

HTTP

Application Server

SOAP

Web server

Wrapped Legacy Application

SOAP

Application Server

Application Server

SOAP

Application Server

originating

node

SOAP

receiving

node

18

Countermeasures


Countermeasures:


Authentication


Data protection


Authorization


Input Validation


Others: non
-
repudiation, sandboxing, secure coding,
intrusion/fraud detection, …


19

Countermeasures (2)


A lot of countermeasure technologies exist already:


Web service specific:


XML Security (XML Encryption & XML Signature)


WS
-
Security


SAML


Network specific countermeasures


Operating system specific countermeasures


Platform specific counter measures






The major challenge is choosing the right countermeasure
technology and applying it correctly.


20

Countermeasure selection


Questions/issues for ‘authentication’:


authenticate a user or a machine?


entity authentication or message authentication


delegation needed?


assumptions about the authenticated party


the number of users?


application access to authenticated identities?


integrate in an existing infrastructure?


security versus ease
-
of
-
use?


Related with data protection/authorization needs

21

Conclusion and open questions


Conclusion:


Importance of threat modelling and countermeasure selection


Applicability of the STRIDE approach



Open questions:


Importance of delegation within web applications


Applicability of current countermeasure selection to developers


Better ways to represent threat modelling and countermeasure
enumeration and selection (e.g. CORAS)



Web services are both too easy and too difficult ?

22

Credential delegation


No delegation:




Controlled delegation:




Impersonation:




Composite’s delegation:




Traced delegation:





.

A

B

C

D

A

B

C

A

B

C

D

A

A’

A’

A

B

C

D

A

A

A

A

B

C

D

A

B,A

C,B

A

B

C

D

A

B,A

C,B,A

23

Questions & discussion

?

?

?

?

?

Lieven Desmet

DistriNet Research Group, Katholieke Universiteit Leuven, Belgium

Lieven.Desmet@cs.kuleuven.ac.be