Your Business is under Attack; Arm yourself with Domain Driven Security @danbjson, @DanielDeogun JavaZone Oslo, Sept 7th 2016

Upload: omegapoint-academy

Post on 12-Apr-2017


TRANSCRIPT

Page 1: Domain driven security_java_zone2016

Your Business is under Attack; Arm yourself with Domain Driven Security

@danbjson, @DanielDeogun

JavaZone Oslo, Sept 7th 2016

Page 2: Domain driven security_java_zone2016

@danbjson, @DanielDeogun #DomainDrivenSecurity

About Us…

Umeå

Malmö

Göteborg

Falun

New York

Stockholm

Daniel Deogun, Coder and Quality Defender

Dan Bergh Johnsson, Secure Domain Philosopher

Omegapoint

Page 3: Domain driven security_java_zone2016

Key Take-Aways

• Security through Clarity: Be specific rather than generic.

• Domain knowledge distilled into code makes a difference.

• Be aware of your contexts and boundaries.

Page 4: Domain driven security_java_zone2016

What is Domain Driven Security?

“Domain Driven Security is about taking ideas from DDD and using them as tools to address security concerns, even though the tools were not originally designed specifically for security issues.”

- Dan Bergh Johnsson, Dr. John Wilander [2009] http://dearjunior.blogspot.be/2009/09/introducing-domain-driven-security.html

Page 5: Domain driven security_java_zone2016

Attacks From A DDD Perspective

[2x2 matrix]
Complex Technical    Complex Domain
Simple Technical     Simple Domain

Page 6: Domain driven security_java_zone2016

Purchasing “Un-encyclopedia”

[Encyclopedia]

Page 7: Domain driven security_java_zone2016

Technical Solution

[Encyclopedia]

OWASP: validate input data

Book Retail Domain

```java
isTrue(qt > 0)
if (amount >= 0)
if (!(qty < 0))
input.matches("[0-9]+")
if (parseInt(input) > 0)
if (qt > 0)
if (amt > -1)
```

Page 8: Domain driven security_java_zone2016

Analysis à la DDD

• Observation
  • Quantity is modelled as integer
  • Quantity is an implicit concept

• Analysis
  • Modelling is incomplete or missing

Page 9: Domain driven security_java_zone2016

Analysis à la DDD

-1 : Integer

-1 : Quantity

OrderLine {ISBN, Quantity}

Page 10: Domain driven security_java_zone2016

Quantity made explicit - a good start

```java
// isTrue is assumed to be commons-lang's Validate.isTrue; the slide does not show the import
import static org.apache.commons.lang3.Validate.isTrue;

public final class Quantity {
    public final int value;

    public Quantity(final int value) {
        // The domain rule lives in the constructor: a Quantity that is not > 0 cannot exist
        isTrue(value > 0, "Quantity must be greater than zero. Got: %s", value);
        this.value = value;
    }
}
```

Page 11: Domain driven security_java_zone2016

Ubiquitous Domain Primitives

Library of domain primitives
• Standard (e.g. ISBN)
• Specific (e.g. Quantity)

```java
void buyBook(String, int)
void buyBook(ISBN, Quantity)
```
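As an added example, not code from the slides, here is what the two kinds of primitives in that library can look like: a standard one, ISBN, that verifies the ISBN-13 check digit, and a specific one, Quantity, carrying the book retail rule. The class and method names and the local isTrue helper are assumptions; the sample ISBN is a valid ISBN-13.

```java
public final class DomainPrimitives {
    static void isTrue(final boolean cond, final String msg, final Object... args) {
        if (!cond) throw new IllegalArgumentException(String.format(msg, args));
    }

    // Standard primitive: an ISBN-13, hyphens allowed, check digit must verify
    public static final class ISBN {
        public final String value;

        public ISBN(final String raw) {
            isTrue(raw != null && raw.length() <= 17, "ISBN missing or too long");
            final String digits = raw.replace("-", "");
            isTrue(digits.matches("97[89][0-9]{10}"), "Not an ISBN-13: %s", raw);
            isTrue(checkDigit(digits) == digits.charAt(12) - '0', "Bad ISBN check digit: %s", raw);
            this.value = digits;
        }

        // Weights alternate 1,3 over the first 12 digits; check = (10 - sum mod 10) mod 10
        static int checkDigit(final String d) {
            int sum = 0;
            for (int i = 0; i < 12; i++) sum += (d.charAt(i) - '0') * (i % 2 == 0 ? 1 : 3);
            return (10 - sum % 10) % 10;
        }
    }

    // Specific primitive: in book retail a quantity is a positive count, so -1 cannot exist
    public static final class Quantity {
        public final int value;

        public Quantity(final int value) {
            isTrue(value > 0, "Quantity must be greater than zero. Got: %s", value);
            this.value = value;
        }
    }

    // With the primitives in the signature, the rules are enforced at every call site
    static String buyBook(final ISBN isbn, final Quantity qty) {
        return "order " + qty.value + " x " + isbn.value;
    }

    public static void main(final String[] args) {
        System.out.println(buyBook(new ISBN("978-0-321-12521-7"), new Quantity(2)));
        try {
            new Quantity(-1);   // rejected before any business code runs
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```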

Page 12: Domain driven security_java_zone2016

Another concept made explicit

```java
public final class EmailAddress {
    public final String value;

    public EmailAddress(final String value) {
        // The slide leaves the predicate open: what makes a string a valid email?
        isTrue( ?????????, "Not valid email. Got: %s", value);
        this.value = value;
    }
}
```

Page 13: Domain driven security_java_zone2016

Email according to spec

• RFC 5322 3.4 Address Specification (RFC 821, RFC 2821)

• Some OK examples
  • [email protected]
  • !#$%&'*+-/=?^_`{|}[email protected]
  • "Åsa Sjölander"@omegapoint.se

• Regexp : (the full RFC 5322 address regular expression, 6424 chars, truncated here)

Page 14: Domain driven security_java_zone2016

You define Your domain

[Diagram: three nested sets]

• All possible strings, e.g. <script>install…</script>, bla bla, "", 4534
  • RFC 5322 Emails, e.g. [email protected], !#$%&'*+-/=?^_`{|}[email protected], [email protected]
    • Emails in your domain

Page 15: Domain driven security_java_zone2016

What is Domain Driven Security?

“Domain Driven Security is about taking ideas from DDD and using them as tools to address security concerns, even though the tools were not originally designed specifically for security issues.”

- Dan Bergh Johnsson, Dr. John Wilander [2009] http://dearjunior.blogspot.be/2009/09/introducing-domain-driven-security.html

Page 16: Domain driven security_java_zone2016

History of Domain Driven Security

[Timeline: 2009, 2010, 2016]

Milestones: Domain Driven Security Coined; Industry Practice; Book

People: Dan Bergh Johnsson, John Wilander, Erlend Oftedal (@Webtonull), Daniel Deogun, Daniel Sawano, Johan Arnör, Jonas Stendahl

Venues: OWASP Europe, JavaZone, Jfokus, OPKoKo, Devoxx, DDD Europe, jDays, DDD eXchange, DDD Summit

Page 17: Domain driven security_java_zone2016

Yes, there will be a book

Working title: "Secure by Design"
Authors: Dan Bergh Johnsson, Daniel Deogun, Daniel Sawano

Manning Publications. Manning Early Access Program ~ Oct-Nov. Final publication: end of 2017.

SHAMELESS PLUG

Page 18: Domain driven security_java_zone2016

Attacks From A DDD Perspective

[2x2 matrix]
Complex Technical    Complex Domain
Simple Technical     Simple Domain

Page 19: Domain driven security_java_zone2016

Injection Flaw

“Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.”

- OWASP top 10

Page 20: Domain driven security_java_zone2016

The Classics - Dynamic SQL String

```sql
SELECT … FROM Users
WHERE username = '' OR 1=1--'
AND password = 'anything you want'
```

Warning! This is just an example. Do not store passwords in plain text. Do not use relational databases for user management.

Page 21: Domain driven security_java_zone2016

What's the problem? And the solution?

• 'OR 1=1 -- is not a valid username

• This is implicit in the code

• Needs to be made explicit

• Modelling required

Page 22: Domain driven security_java_zone2016

Prepared Statements AKA Parametrised Queries

• SQL Injection is solved by prepared statements

• Other Injection Flaws
  • LDAP, Command, XPath, HTTP header …

Page 23: Domain driven security_java_zone2016

HTTP Response with Cookie

[https://www.owasp.org/index.php/HTTP_Response_Splitting]

```java
String author = … /* request, database, user setting … */
...
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);
```

```http
HTTP/1.1 200 OK
...
Set-Cookie: author=Jane Smith
…
<html><head><title>The real content</title> ...
```

Page 24: Domain driven security_java_zone2016

HTTP Injection

Hacked 'author' value into database/setting …

author : "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n..."

```http
HTTP/1.1 200 OK
...
Set-Cookie: author=Wiley Hacker

HTTP/1.1 200 OK
…<html><head><title>Hacked content</title> …
...
<html><head><title>The real content</title> ...
```

[https://www.owasp.org/index.php/HTTP_Response_Splitting]

Page 25: Domain driven security_java_zone2016

RFC 2616 HTTP/1.1 Ch 4 HTTP Message

```abnf
HTTP-message    = Request | Response      ; HTTP/1.1 messages

generic-message = start-line
                  *(message-header CRLF)
                  CRLF
                  [ message-body ]
start-line      = Request-Line | Status-Line

message-header  = field-name ":" [ field-value ]
field-name      = token
field-value     = *( field-content | LWS )
field-content   = <the OCTETs making up the field-value
                   and consisting of either *TEXT or combinations
                   of token, separators, and quoted-string>
```

http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4

Page 26: Domain driven security_java_zone2016

DDSec to the Rescue on Injection Flaw

• DDD helps one to separate data from code

• Validating with respect to the model is crucial
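As an added example, not code from the slides, a domain primitive for the cookie value that carries RFC 2616's field-content rule into the model: field-content is built from TEXT, which excludes control octets, so CR and LF can never reach the header. CookieValue, headerLine and the 4096 limit are assumptions.

```java
public final class CookieValue {
    private static final int MAX_LENGTH = 4096;   // assumed limit for this domain
    public final String name;
    public final String value;

    public CookieValue(final String name, final String raw) {
        isTrue(name != null && name.matches("[A-Za-z0-9_-]+"), "Bad cookie name: %s", name);
        isTrue(raw != null && raw.length() <= MAX_LENGTH, "Cookie %s: value missing or too long", name);
        for (int i = 0; i < raw.length(); i++) {
            final char c = raw.charAt(i);
            // CTL = octets 0x00-0x1F and 0x7F; field-content cannot contain them, so no CRLF is possible
            isTrue(c >= 0x20 && c != 0x7F, "Cookie %s: control octet U+%04X at index %d", name, (int) c, i);
        }
        this.name = name;
        this.value = raw;
    }

    // One message-header as RFC 2616 defines it: field-name ":" field-value, then a single CRLF
    public String headerLine() {
        return "Set-Cookie: " + name + "=" + value + "\r\n";
    }

    private static void isTrue(final boolean cond, final String msg, final Object... args) {
        if (!cond) throw new IllegalArgumentException(String.format(msg, args));
    }

    public static void main(final String[] args) {
        System.out.print(new CookieValue("author", "Jane Smith").headerLine());
        // The stored value from the HTTP Injection slide is rejected, so it never reaches the response
        final String stored = "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n...";
        try {
            new CookieValue("author", stored);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the value is read back from the database through the primitive, a second-order payload stored earlier is caught on the way out, not only at the original input.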

Page 27: Domain driven security_java_zone2016

A Quick Note On Validation

Validation order
1. Origin
2. Length
3. Lexeme (content text)
4. Parsing (content structure)
5. Semantics

- Dr. John Wilander
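As an added example, not code from the slides, this fills in the predicate the EmailAddress slide left open and applies the validation order above: length first, then lexeme, then parsing, then semantics (origin is the caller's knowledge). The rule that only addresses at omegapoint.se belong to this domain, the narrow lexeme and the sample address are assumptions.

```java
import java.util.Locale;
import java.util.Set;

public final class EmailAddress {
    private static final Set<String> OUR_DOMAINS = Set.of("omegapoint.se");  // assumed domain rule
    private static final int MAX_LENGTH = 254;
    // Deliberately narrower than RFC 5322: no quoted local parts, no comments, no folding
    private static final String LEXEME = "[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+";

    public final String value;

    public EmailAddress(final String raw) {
        // 1. Origin: the caller knows which context the string came from; not checked here
        // 2. Length: the cheapest check first, before any regex touches the input
        isTrue(raw != null && raw.length() <= MAX_LENGTH, "Email missing or longer than %s", MAX_LENGTH);
        // 3. Lexeme: only the character set our domain accepts
        isTrue(raw.matches(LEXEME), "Not valid email. Got: %s", raw);
        // 4. Parsing: one local part, one domain part, no empty labels
        final int at = raw.indexOf('@');
        final String local = raw.substring(0, at);
        final String domain = raw.substring(at + 1).toLowerCase(Locale.ROOT);
        isTrue(wellFormed(local) && wellFormed(domain), "Malformed email. Got: %s", raw);
        // 5. Semantics: the address must belong to a domain this system actually handles
        isTrue(OUR_DOMAINS.contains(domain), "Address outside our domain. Got: %s", raw);
        this.value = local + "@" + domain;
    }

    private static boolean wellFormed(final String part) {
        return !part.startsWith(".") && !part.endsWith(".") && !part.contains("..");
    }

    private static void isTrue(final boolean cond, final String msg, final Object... args) {
        if (!cond) throw new IllegalArgumentException(String.format(msg, args));
    }

    public static void main(final String[] args) {
        System.out.println(new EmailAddress("a.user@Omegapoint.se").value);  // constructed sample
        final String[] rejected = {
            "\"Åsa Sjölander\"@omegapoint.se",  // RFC 5322 valid, but outside our lexeme
            "a.user@example.com",               // well formed, but outside our domain
            "<script>@omegapoint.se"            // not an email in any domain
        };
        for (final String s : rejected) {
            try { new EmailAddress(s); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```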

Page 28: Domain driven security_java_zone2016

Attacks From A DDD Perspective

[2x2 matrix]
Complex Technical    Complex Domain
Simple Technical     Simple Domain

Page 29: Domain driven security_java_zone2016

Context Maps (Strategic DDD)

[Diagram: the Order concept appears in three bounded contexts, Purchase, Logistics and Finance, each with its own Order]

Page 30: Domain driven security_java_zone2016

Cross Site Scripting (XSS)

“XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.”

- OWASP top 10

Page 31: Domain driven security_java_zone2016

XSS Example

http://github.com/Omegapoint/facepalm

Page 32: Domain driven security_java_zone2016

The Intention from a Domain Perspective

[Diagram: a Comment written in the Browser (write context) is Content to the Server (Facepalm) and is shown as Content in the Browser (read context); Code, such as <script>, is a separate concept in the browser]

http://github.com/Omegapoint/facepalm

Page 33: Domain driven security_java_zone2016

Broken Context Map

[Diagram: the same map with <script> inside the Comment; the Server (Facepalm) still passes it on as Content, but in the Browser (read context) it arrives as Code]

http://github.com/Omegapoint/facepalm

Page 34: Domain driven security_java_zone2016

Fix the Broken Map

[Diagram: on the way from the Server (Facepalm) to the Browser (read context), <script> in Content is mapped to &lt;script&gt;, so it stays Content and never becomes Code]

http://github.com/Omegapoint/facepalm
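As an added example, not code from the Facepalm project, a Comment primitive that keeps the write-context rule and performs the mapping the fixed map needs when content crosses into the read context. The class, the 500-character limit and toHtml are assumptions; the escaping shown is for HTML element content, and attribute or JavaScript contexts need their own mapping.

```java
public final class Comment {
    public final String text;

    public Comment(final String raw) {
        // Write context: a comment is 1-500 characters of text; "<script>" is just text here
        isTrue(raw != null && !raw.isBlank() && raw.length() <= 500, "Comment must be 1-500 characters");
        this.text = raw;
    }

    // Read context: the browser parses HTML, so every character HTML reads as code is escaped
    public String toHtml() {
        final StringBuilder out = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            final char c = text.charAt(i);
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    private static void isTrue(final boolean cond, final String msg) {
        if (!cond) throw new IllegalArgumentException(msg);
    }

    public static void main(final String[] args) {
        final Comment c = new Comment("<script>install…</script>");
        System.out.println(c.text);     // what the Server stores: Content, unchanged
        System.out.println(c.toHtml()); // what the Browser (read context) receives: still Content
    }
}
```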

Page 35: Domain driven security_java_zone2016

SQL Injection vs XSS

Page 36: Domain driven security_java_zone2016

SQL Injection vs XSS

[Diagram: both panels labelled Code]

Page 37: Domain driven security_java_zone2016

2nd order injection

[Diagram: Web -> Srv -> DB -> Log -> Log Adm]

Page 38: Domain driven security_java_zone2016

Preventing Data Leakage: read-once object [Daniel Sawano]

```java
import java.io.Externalizable;
import java.io.IOException;
import java.io.ObjectInput;
import java.io.ObjectOutput;
import java.util.concurrent.atomic.AtomicReference;
// notNull is assumed to be commons-lang's Validate.notNull; the slide does not show the import
import static org.apache.commons.lang3.Validate.notNull;

public final class SensitiveValue implements Externalizable {
    private final AtomicReference<String> value;

    public SensitiveValue(final String value) {
        this.value = new AtomicReference<>(validated(value));
    }

    // Read once: the first caller gets the value, every later call fails loudly
    public String value() {
        return notNull(value.getAndSet(null), "Sensitive value has already been consumed");
    }

    // Never leaks into logs or error messages
    @Override
    public String toString() {
        return "SensitiveValue value = *****";
    }

    // Serialization in either direction is refused
    @Override
    public void readExternal(final ObjectInput in) throws IOException {
        throw new UnsupportedOperationException("Not allowed on sensitive value");
    }

    @Override
    public void writeExternal(final ObjectOutput out) throws IOException {
        throw new UnsupportedOperationException("Not allowed on sensitive value");
    }

    // validated(...) is not shown on the slide; assumed to reject a missing value
    private static String validated(final String value) {
        return notNull(value, "Sensitive value must not be null");
    }
}
```

Page 39: Domain driven security_java_zone2016

How did DDSec Help Us?

• DDD gave deeper insight into the nature of XSS

• Context mapping allows one to “detect” possible broken maps

• Modeling confidentiality protects against accidental disclosure of sensitive data

Page 40: Domain driven security_java_zone2016

Attacks From A DDD Perspective

[2x2 matrix]
Complex Technical    Complex Domain
Simple Technical     Simple Domain

Page 41: Domain driven security_java_zone2016

Complex Domain Attack

[Diagram: an Order with quantity -1 flows on to Finance, Storage and Shipping, each receiving -1]

Page 42: Domain driven security_java_zone2016

Micro-servicing the Monolith

[Diagram: the Insurance Purchase monolith with Payment and Policy; Payment extracted as its own service]

Page 43: Domain driven security_java_zone2016

Making a change with surgical precision

[Diagram: Insurance Purchase (Policy, Payment), a Payment service and the Bank; messages Confirm, Reject, Giro Bounce, Giro Confirm]

Page 44: Domain driven security_java_zone2016

What we would have done

[Diagram: Insurance Purchase (Policy), the Bank, and two separate services, Cash Payment and Giro Payment; messages Confirm, Reject, Giro Bounce, Giro Confirm]

Page 45: Domain driven security_java_zone2016

Micro-Service Hell

• We’re moving towards more and more micro-services

• Implemented by separate teams

• How do we guarantee correct context mappings?

Page 46: Domain driven security_java_zone2016

Attacks From A DDD Perspective

[2x2 matrix]
Complex Technical    Complex Domain
Simple Technical     Simple Domain

Page 47: Domain driven security_java_zone2016

Key Take-Aways

• Security through Clarity: Be specific rather than generic.

• Domain knowledge distilled into code makes a difference.

• Be aware of your contexts and boundaries.

Page 48: Domain driven security_java_zone2016

Q & A

[Questions]

Page 49: Domain driven security_java_zone2016

Thanks

@danbjson, @DanielDeogun

Page 50: Domain driven security_java_zone2016

Image References

• [Questions - https://flic.kr/p/9ksxQa] by Damián Navas under license https://creativecommons.org/licenses/by-nc-nd/2.0/

• [Encyclopedia - https://www.flickr.com/photos/stewart/461099066] by Stewart Butterfield under license https://creativecommons.org/licenses/by/2.0/