Your Business is under Attack; Arm yourself with Domain Driven Security
@danbjson, @DanielDeogun
JavaZone Oslo, Sept 7th 2016
@danbjson, @DanielDeogun #DomainDrivenSecurity
About Us…
Omegapoint, offices in Umeå, Malmö, Göteborg, Falun, Stockholm and New York
Daniel Deogun, Coder and Quality Defender
Dan Bergh Johnsson, Secure Domain Philosopher
Key Take-Aways
• Security through Clarity: Be specific rather than generic.
• Domain knowledge distilled into code makes a difference.
• Be aware of your contexts and boundaries.
What is Domain Driven Security?
“Domain Driven Security is about taking ideas from DDD and using them as tools to address security concerns, even though the tools were not originally designed specifically for security issues.”
- Dan Bergh Johnsson, Dr. John Wilander [2009], http://dearjunior.blogspot.be/2009/09/introducing-domain-driven-security.html
Attacks From A DDD Perspective
[Quadrant diagram: attacks classified on two axes, Simple Technical / Complex Technical and Simple Domain / Complex Domain. The talk visits each quadrant in turn.]
Purchasing “Un-encyclopedia”
[Encyclopedia]
Technical Solution
[Encyclopedia]
OWASP: validate input data
Book Retail Domain
The quantity checks found scattered through the code base, no two alike:
    isTrue(qt > 0)
    if(amount >= 0)
    if(!(qty < 0))
    input.matches("[0-9]+")
    if(parseInt(input) > 0)
    if(qt > 0)
    if(amt > -1)
Note that they do not even agree on whether zero is a valid quantity, and the regex accepts a digit string of any length.
Analysis à la DDD
• Observation
  • Quantity is modelled as an integer
  • Quantity is an implicit concept
• Analysis
  • Modelling is incomplete or missing
Analysis à la DDD
-1 : Integer    (a perfectly valid integer)
-1 : Quantity   (not a valid quantity in the book retail domain)
OrderLine { ISBN, Quantity }
Quantity made explicit - a good start

    // isTrue as in org.apache.commons.lang3.Validate (assumed; the slide shows it unqualified)
    import static org.apache.commons.lang3.Validate.isTrue;

    public final class Quantity {
        public final int value;

        public Quantity(final int value) {
            // The invariant lives in the constructor: no Quantity object can exist with an invalid value.
            isTrue(value > 0, "Quantity must be greater than zero. Got: %s", value);
            this.value = value;
        }
        …
    }
Ubiquitous Domain Primitives
Library of domain primitives
• Standard (e.g. ISBN)
• Specific (e.g. Quantity)
    void buyBook(String, int)    →    void buyBook(ISBN, Quantity)
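As an added example (not code from the talk), here is what a small library of domain primitives looks like once the "standard" ISBN and the "specific" Quantity both carry their invariants: the ISBN validates the ISBN-13 check digit, so a mistyped or fabricated ISBN is rejected at construction, and buyBook cannot be called with raw primitives at all. The class names, the upper bound on Quantity and the use of plain IllegalArgumentException instead of a validation library are assumptions made for this example.

```java
// Added example: domain primitives with their invariants in the constructor.
// Names, the Quantity upper bound and the exception type are assumptions.
public final class DomainPrimitives {

    /** ISBN-13: 13 digits (hyphens/spaces tolerated on input), prefix 978 or 979,
     *  check digit valid: weights 1,3,1,3,... and the weighted sum is 0 mod 10. */
    public static final class ISBN {
        public final String value;

        public ISBN(final String raw) {
            if (raw == null) throw new IllegalArgumentException("ISBN must not be null");
            // Length bound first: reject oversized input before any further work.
            if (raw.length() > 17) throw new IllegalArgumentException("ISBN too long");
            final String digits = raw.replace("-", "").replace(" ", "");
            if (!digits.matches("97[89][0-9]{10}")) {
                throw new IllegalArgumentException("Not an ISBN-13: " + raw);
            }
            if (!checkDigitValid(digits)) {
                throw new IllegalArgumentException("ISBN-13 check digit mismatch: " + raw);
            }
            this.value = digits;
        }

        static boolean checkDigitValid(final String digits) {
            int sum = 0;
            for (int i = 0; i < 13; i++) {
                final int d = digits.charAt(i) - '0';
                sum += (i % 2 == 0) ? d : 3 * d;
            }
            return sum % 10 == 0;
        }
    }

    /** Quantity: a positive integer. The upper bound is an assumed business rule. */
    public static final class Quantity {
        public static final int MAX = 1_000;
        public final int value;

        public Quantity(final int value) {
            if (value <= 0 || value > MAX) {
                throw new IllegalArgumentException("Quantity must be in 1.." + MAX + ". Got: " + value);
            }
            this.value = value;
        }
    }

    /** The service method only compiles with validated arguments. */
    static String buyBook(final ISBN isbn, final Quantity qty) {
        return qty.value + " x " + isbn.value;
    }

    public static void main(String[] args) {
        System.out.println(buyBook(new ISBN("978-0-306-40615-7"), new Quantity(2)));
        try {
            new Quantity(-1);                  // the "un-encyclopedia" order, rejected at construction
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            new ISBN("978-0-306-40615-8");     // wrong check digit (weighted sum is 101)
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of putting the check digit in ISBN rather than in buyBook is the one the slides make: the rule is written once, in the place that defines the concept, and every caller gets it for free.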
Another concept made explicit

    public final class EmailAddress {
        public final String value;

        public EmailAddress(final String value) {
            isTrue(?????????, "Not valid email. Got: %s", value);   // what goes here?
            this.value = value;
        }
        …
    }
Email according to spec
• RFC 5322 3.4 Address Specification (obsoletes RFC 2822, which obsoleted RFC 822)
• Some OK examples
  • [email protected]
  • !#$%&'*+-/=?^_`{|}[email protected]
  • "Åsa Sjölander"@omegapoint.se
• Regexp (the full RFC 822 address regex, about 6.4 kB, shown below)
• Regexp : (?:(?:\r\n)?[ \t])*(?:(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n) /… 6424 chars
You define Your domain
[Nested-sets diagram]
• All possible strings: <script>install…</script>, bla bla, "", 4534, …
• RFC 5322 emails, a subset: !#$%&'*+-/=?^_`{|}[email protected], …
• Emails in your domain, a much smaller subset still: the only ones you actually need to accept
History of Domain Driven Security
[Timeline 2009 → 2010 → 2016]
• 2009: Domain Driven Security coined by Dan Bergh Johnsson and John Wilander
• Early spread: Erland Oftedal (@webtonull), OWASP Europe
• 2016: industry practice. Talks at JavaZone, Jfokus, OPKoKo, Devoxx, DDD Europe, jDays, DDD eXchange, DDD Summit; contributors Daniel Deogun, Daniel Sawano, Johan Arnör, Jonas Stendahl; a book
Yes, there will a book (shameless plug)
Working title: "Secure by Design"
Dan Bergh Johnsson, Daniel Deogun, Daniel Sawano
Manning Publications. Manning Early Access Program ~ Oct-Nov; final publication: end of 2017
Injection Flaw
“Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.”
- OWASP top 10
The Classics - Dynamic SQL String

    SELECT … FROM Users
    WHERE username = '' OR 1=1--'
    AND password = 'anything you want'

The submitted username ' OR 1=1-- closes the string literal, makes the WHERE clause always true, and the -- comments out the password check.
Warning! This is just an example. Do not store passwords in plain text. Do not use relational databases for user management.
What’s the problem? And the solution?
• ' OR 1=1 -- is not a valid username
• This is implicit in the code
• It needs to be made explicit
• Modelling required
Prepared Statements AKA Parametrised Queries
• SQL injection is solved by prepared statements: the query structure is fixed before the data is bound, so data can never become SQL
  • Caveat: only values can be bound. Table and column names, ORDER BY targets and the like cannot be parameters and still need validation against an explicit list
• Other injection flaws need the same separation of data from code
  • LDAP, command, XPath, HTTP header …
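The dynamic-SQL login beside its parametrised form, as an added example that is not code from the talk: the first method is the classic shown on the previous slide, the second binds the values so that ' OR 1=1-- is compared as a literal username. A Username domain primitive is added as the modelling step the slides ask for, so that an apostrophe never even reaches the repository. The table and column names are assumptions, and, as the talk itself warns, a real system compares password hashes, never plaintext.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example: vulnerable dynamic SQL beside a parametrised query, plus a
// Username domain primitive. Schema and plaintext password are illustrative only.
public final class LoginRepository {

    /** BEFORE: untrusted data is spliced into the query text. */
    static boolean loginVulnerable(Connection c, String username, String password) throws SQLException {
        String sql = "SELECT id FROM Users WHERE username = '" + username
                   + "' AND password = '" + password + "'";
        // username = "' OR 1=1--" turns the WHERE clause into: username = '' OR 1=1
        try (Statement st = c.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    /** Username as a domain primitive: what the business actually allows (assumed rule). */
    public static final class Username {
        public final String value;

        public Username(String raw) {
            if (raw == null || raw.length() < 3 || raw.length() > 32
                    || !raw.matches("[A-Za-z0-9_.]+")) {
                throw new IllegalArgumentException("Not a valid username");
            }
            this.value = raw;
        }
    }

    /** AFTER: values are bound as parameters; the statement's structure is fixed at prepare time. */
    static boolean loginSafe(Connection c, Username username, String password) throws SQLException {
        String sql = "SELECT id FROM Users WHERE username = ? AND password = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, username.value);   // sent as data, never parsed as SQL
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

The two measures are independent: the prepared statement protects the SQL interpreter regardless of what the string contains, while the domain primitive rejects ' OR 1=1-- because it is not a username, which also protects every other place the value travels to (logs, LDAP lookups, HTML pages).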
HTTP Response with Cookie
[https://www.owasp.org/index.php/HTTP_Response_Splitting]

    String author = … /* request, database, user setting … */
    ...
    Cookie cookie = new Cookie("author", author);
    cookie.setMaxAge(cookieExpiration);
    response.addCookie(cookie);

    HTTP/1.1 200 OK
    ...
    Set-Cookie: author=Jane Smith
    …
    <html><head><title>The real content</title> ...
HTTP Injection
Hacked ‘author’ value in the database/setting:
    author : "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n..."
The single response now splits in two:

    HTTP/1.1 200 OK
    ...
    Set-Cookie: author=Wiley Hacker

    HTTP/1.1 200 OK
    …
    <html><head><title>Hacked content</title> …
    ...
    <html><head><title>The real content</title> ...

[https://www.owasp.org/index.php/HTTP_Response_Splitting]
RFC 2616 HTTP/1.1 Ch 4 HTTP Message

    HTTP-message    = Request | Response        ; HTTP/1.1 messages
    generic-message = start-line
                      *(message-header CRLF)
                      CRLF
                      [ message-body ]
    start-line      = Request-Line | Status-Line
    message-header  = field-name ":" [ field-value ]
    field-name      = token
    field-value     = *( field-content | LWS )
    field-content   = <the OCTETs making up the field-value
                       and consisting of either *TEXT or combinations
                       of token, separators, and quoted-string>

http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4
RFC 2616 has since been obsoleted by RFC 7230 and later RFC 9112, but the point stands: CRLF terminates a header line, so a field value that carries CRLF terminates the header it sits in and whatever follows is parsed as new headers or a new message.
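Applying the slide's modelling advice to the response-splitting example, as an added example that is not code from the talk: an AuthorName domain primitive whose invariant is "no control characters", so the value can never contain the CRLF the grammar above reserves for line ends, no matter whether it came from the request, the database or a user setting. The class name, the length limit and the rendering helper are assumptions; the original call site would be new Cookie("author", author.value).

```java
// Added example: a domain primitive for the 'author' value that excludes CR, LF
// and every other control character (RFC 2616 field-content is TEXT without CTLs).
// Class name and MAX_LENGTH are assumptions for illustration.
public final class AuthorName {
    public static final int MAX_LENGTH = 100;
    public final String value;

    public AuthorName(final String raw) {
        if (raw == null) throw new IllegalArgumentException("author must not be null");
        if (raw.isEmpty() || raw.length() > MAX_LENGTH) {
            throw new IllegalArgumentException("author length out of range");
        }
        for (int i = 0; i < raw.length(); i++) {
            final char ch = raw.charAt(i);
            // 0x00-0x1F and 0x7F are CTLs; CR (0x0D) and LF (0x0A) are the splitting vector.
            if (ch < 0x20 || ch == 0x7F) {
                throw new IllegalArgumentException("author contains a control character at index " + i);
            }
        }
        this.value = raw;
    }

    /** What the container emits; with AuthorName it is guaranteed to stay on one line. */
    static String setCookieHeader(final AuthorName author) {
        return "Set-Cookie: author=" + author.value;
    }

    public static void main(String[] args) {
        System.out.println(setCookieHeader(new AuthorName("Jane Smith")));
        try {
            new AuthorName("Wiley Hacker\r\nHTTP/1.1 200 OK\r\n");   // the slide's payload
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two caveats: modern servlet containers typically refuse CR/LF in header values on their own, but the domain primitive keeps the invariant independent of the container you happen to deploy on; and a cookie value has its own grammar (RFC 6265 forbids whitespace, comma, semicolon, backslash and double quote in a cookie-octet), so a value like "Jane Smith" must additionally be encoded for the cookie context before it is emitted.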
DDSec to the Rescue on Injection Flaw
• DDD helps one to separate data from code
• Validating with respect to the model is crucial
A Quick Note On Validation
Validation order:
1. Origin
2. Length
3. Lexeme (content text)
4. Parsing (content structure)
5. Semantics
- Dr. John Wilander
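The EmailAddress constructor left open on the earlier slide, filled in according to this validation order, as an added example that is not code from the talk. Each step is cheaper than the next and rejects input before the more expensive step sees it; the last step is where "emails in your domain" differs from "RFC 5322 emails". The allowed-domain list, the character set and the length limits are assumed business rules for this example.

```java
import java.util.Set;
import java.util.regex.Pattern;

// Added example: EmailAddress validated in Wilander's order
// (origin, length, lexeme, parsing, semantics). Rules below are assumptions.
public final class EmailAddress {
    private static final int MAX_LENGTH = 254;                 // RFC 5321 path length limit
    private static final Pattern LOCAL = Pattern.compile("[A-Za-z0-9._%+-]{1,64}");
    private static final Pattern DOMAIN = Pattern.compile("[A-Za-z0-9-]+(\\.[A-Za-z0-9-]+)+");
    private static final Set<String> ALLOWED_DOMAINS = Set.of("omegapoint.se", "example.com"); // assumed

    public final String value;

    public EmailAddress(final String raw) {
        // 1. Origin: deciding which sources may supply an address is the caller's job;
        //    a null here means "no input", which is never an address.
        if (raw == null) throw new IllegalArgumentException("No email address supplied");
        // 2. Length: the cheapest check, and it bounds the work the regexes below can do.
        if (raw.isEmpty() || raw.length() > MAX_LENGTH) {
            throw new IllegalArgumentException("Email address length out of range");
        }
        // 3. Lexeme: only characters this domain accepts (far narrower than RFC 5322).
        if (!raw.chars().allMatch(c -> c < 128 && !Character.isISOControl(c) && !Character.isWhitespace(c))) {
            throw new IllegalArgumentException("Email address contains disallowed characters");
        }
        // 4. Parsing: exactly one '@', local part and domain each well-formed.
        final int at = raw.indexOf('@');
        if (at <= 0 || at != raw.lastIndexOf('@') || at == raw.length() - 1) {
            throw new IllegalArgumentException("Email address must be local@domain");
        }
        final String local = raw.substring(0, at);
        final String domain = raw.substring(at + 1).toLowerCase();
        if (!LOCAL.matcher(local).matches() || !DOMAIN.matcher(domain).matches()) {
            throw new IllegalArgumentException("Malformed email address");
        }
        // 5. Semantics: the business rule, here "only domains we serve".
        if (!ALLOWED_DOMAINS.contains(domain)) {
            throw new IllegalArgumentException("Email domain not accepted: " + domain);
        }
        this.value = local + "@" + domain;
    }

    public static void main(String[] args) {
        String[] inputs = {
            "asa.sjolander@omegapoint.se",
            "!#$%&'*+-/=?^_`{|}~@example.com",       // RFC-valid, outside our local-part grammar
            "<script>install</script>@example.com",  // rejected at parsing
            "alice@evil.example",                     // well-formed, wrong domain
        };
        for (String in : inputs) {
            try {
                System.out.println("accepted: " + new EmailAddress(in).value);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected '" + in + "': " + e.getMessage());
            }
        }
    }
}
```

Note the ordering consequence: the 6 kB RFC regex from the earlier slide would be step 4 at best, and it is only ever run on input that has already passed a length cap and a character whitelist, which is what keeps a hostile input from turning the parser into a denial-of-service target.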
Context Maps (Strategic DDD)
[Context map: the concept "Order" appears in three bounded contexts, Purchase, Logistics and Finance, and means something different in each; the map records how the contexts translate between them]
Cross Site Scripting (XSS)
“XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.”
- OWASP top 10
XSS Example
http://github.com/Omegapoint/facepalm
The Intention from a Domain Perspective
[Context map, http://github.com/Omegapoint/facepalm]
Browser (write context): the user writes a Comment → Server (Facepalm): stores it as Content → Browser (read context): displays it as Content.
Code, such as <script>, is a separate concept that was never meant to travel along this map.
Broken Context Map
[Context map, http://github.com/Omegapoint/facepalm]
A Comment containing <script> is accepted in the write context, stored as Content on the server and handed to the read context unchanged, where the browser treats the same bytes as Code. The meaning changed at the boundary, but the map did not account for it.
Fix the Broken Map
[Context map, http://github.com/Omegapoint/facepalm]
At the boundary into the read context the server makes sure the Comment stays Content: <script> reaches the browser as text to display, not as Code to execute.
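The broken and the fixed read-context boundary side by side, as an added example that is not code from the Facepalm repository. What the diagram calls "keeping the Comment as Content" is, mechanically, encoding the value for the context it is about to enter: here the HTML text context, where five characters can change the document structure. The class names are assumptions.

```java
// Added example: a comment crossing into the HTML (code) context, first as the broken
// map renders it, then encoded so it stays content. Class names are assumptions.
public final class CommentRenderer {

    /** What the write context produced; domain validation of comments happens elsewhere. */
    public static final class Comment {
        public final String text;
        public Comment(String text) { this.text = text; }
    }

    /** BROKEN MAP: content is concatenated straight into the HTML, so it becomes code. */
    static String renderBroken(Comment c) {
        return "<li>" + c.text + "</li>";
    }

    /** Encode for the HTML text context: the characters that can open or close markup. */
    static String encodeForHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char ch = s.charAt(i);
            switch (ch) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    /** FIXED MAP: the comment enters the HTML context as content, never as code. */
    static String renderFixed(Comment c) {
        return "<li>" + encodeForHtml(c.text) + "</li>";
    }

    public static void main(String[] args) {
        Comment attack = new Comment("<script>install()</script>");
        System.out.println(renderBroken(attack));   // browser runs the script
        System.out.println(renderFixed(attack));    // browser shows the text <script>install()</script>
    }
}
```

The encoder above is only right for HTML element text. An attribute value, a JavaScript string, a URL parameter or a log line each form a different read context with their own grammar and need their own encoder (for HTML the OWASP Java Encoder project provides them), which is exactly why the context map matters: each arrow into a new context is a place where the encoding has to be chosen, and the second-order injection chain a few slides on is the same arrow drawn several hops later.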
SQL Injection vs XSS
[Diagram: in both cases data crosses a context boundary and is read as Code on the far side; only the interpreter differs, the SQL engine in one case and the browser in the other]
2nd order injection
[Diagram: Web → Srv → DB → Log → Log Adm]
The payload enters through the web tier, passes the server, is stored in the database, is written to a log and is finally rendered in the log administrator's tools, a read context several hops away from where the data came in and one nobody validated for.
Preventing Data Leakage: read-once object [Daniel Sawano]

    import java.io.Externalizable;
    import java.io.IOException;
    import java.io.ObjectInput;
    import java.io.ObjectOutput;
    import java.util.concurrent.atomic.AtomicReference;
    import static org.apache.commons.lang3.Validate.notNull;   // assumed source of notNull

    public final class SensitiveValue implements Externalizable {
        private final AtomicReference<String> value;

        public SensitiveValue(final String value) {
            this.value = new AtomicReference<>(validated(value));
        }

        // The value can be read exactly once; a second read fails loudly instead of leaking.
        public String value() {
            return notNull(value.getAndSet(null), "Sensitive value has already been consumed");
        }

        // Never shows up in logs, debuggers or error messages.
        @Override
        public String toString() {
            return "SensitiveValue value = *****";
        }

        // Never serialized in either direction.
        @Override
        public void writeExternal(final ObjectOutput out) throws IOException {
            throw new UnsupportedOperationException("Not allowed on sensitive value");
        }

        @Override
        public void readExternal(final ObjectInput in) throws IOException {
            throw new UnsupportedOperationException("Not allowed on sensitive value");
        }

        // Domain validation of the raw value; the slide does not show it, a null check stands in here.
        private static String validated(final String value) {
            return notNull(value, "Sensitive value must not be null");
        }
    }
How did DDSec Help Us?
• DDD gave deeper insight in nature of XSS
• Context mapping allows one to “detect” possible broken maps
• Modeling confidentiality protects against accidental disclosure of sensitive data
Complex Domain Attack
[Diagram: an Order carrying quantity -1 fans out to Finance, Storage and Shipping]
The same -1 reaches every downstream context, and each of them interprets it in its own terms; the attack is not in any one service but in what the combination does.
Micro-servicing the Monolith
[Diagram: Insurance Purchase → Payment → Policy, with Payment carved out of the monolith as its own service]
Making a change with surgical precision
[Diagram: Purchase → Payment → Policy, Payment exposing Confirm and Reject; a Bank context added on the side feeds Giro Confirm and Giro Bounce into those same Confirm and Reject transitions; the Insurance context sits on the far side]
What we would have done
[Diagram: the same map, but Payment modelled as two explicit concepts, Cash Payment with Confirm / Reject and Giro Payment with Giro Confirm / Giro Bounce, each with its own mapping to Purchase, Bank, Policy and Insurance]
Micro-Service Hell
• We’re moving towards more and more micro-services
• Implemented by separate teams
• How do we guarantee correct context mappings?
Key Take-Aways
• Security through Clarity: Be specific rather than generic.
• Domain knowledge distilled into code makes a difference.
• Be aware of your contexts and boundaries.
Q & A
[Questions]
Thanks
@danbjson, @DanielDeogun
Image References
• [Questions - https://flic.kr/p/9ksxQa] by Damián Navas under license https://creativecommons.org/licenses/by-nc-nd/2.0/
• [Encyclopedia - https://www.flickr.com/photos/stewart/461099066] by Stewart Butterfield under license https://creativecommons.org/licenses/by/2.0/