Opa @ owasp 2010

OPA: Language Support for a Sane, Safe and Secure Web David Rajchenbach-Teller Head of R&D MLstate David.Teller@mlstate.com OWASP twitter.com/mlstate +33 1 55 43 76 55 June 24th, 2010 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org

What Automated Solutions Miss What it’s all about !!Theoretical "!Logic flaws (business and application) "!Design flaws "!The Stupid !!Practical "!Difficulty interacting with Rich Internet Applications (RIA) "!Complex variants of common attacks (SQL Injection, XSS, etc) "!Cross-Site Request Forgery (CSRF) "!Uncommon or custom infrastructure "!Authorization enforcement "!Abstract information leakage OWASP OWASP 26

What it’s all about What Automated Solutions Miss !!Theoretical "!Logic flaws (business and application) "!Design flaws "!The Stupid !!Practical "!Difficulty interacting with Rich Internet Applications (RIA) "!Complex variants of common attacks (SQL Injection, XSS, etc) "!Cross-Site Request Forgery (CSRF) "!Uncommon or custom infrastructure "!Authorization enforcement "!Abstract information leakage OWASP 6 “Automated vs. Manual: You can’t filter The Stupid” Charles Henderson, David Byrne AppSec DC 2009 + 2010 OWASP 2

What it’s all about What Automated Solutions Miss !!Theoretical "!Logic flaws (business and application) "!Design flaws "!The Stupid !!Practical "!Difficulty interacting with Rich Internet Applications (RIA) "!Complex variants of common attacks (SQL Injection, XSS, etc) "!Cross-Site Request Forgery (CSRF) "!Uncommon or custom infrastructure "!Authorization enforcement "!Abstract information leakage OWASP 6 “Automated vs. Manual: You can’t filter The Stupid” Charles Henderson, David Byrne AppSec DC 2009 + 2010 “Oh, yeah?” The MLstate team AppSec Research 2010 OWASP 2

OPA: Language Support for a Sane, Safe and Secure Web General approach Keeping in the Smart Useful Filtering out the Stupid Fragile Lessons and Future OWASP 3

Web Applications (high-level design) Logics App App Storage Delivery UI User User OWASP 4

Web Applications (what we see) JavaScript Web Web Browser Server PHP? Language Database OWASP 5

Web Applications (what we see) Web Server JavaScript Web Web Web Browser Web Server Server Server PHP? +scripts Who knows? Web Language Language Framework Browser Database Database Database Java? Language OWASP 5

Web Applications (what we see) Web Server JavaScript Config Web Web Web error? Browser Web Server Server Server PHP? +scripts Who knows? Config Web error? Language Language Framework Browser Config error? Config Database error? Database Database Java? Language OWASP 5

Web Applications (what we see) Web Server Protocol JavaScript ? Config Web Web Web error? Browser Protocol Web Server ? Server Server PHP? +scripts Who knows? Config Web error? Language Language Framework Browser Config error? Protocol Protocol ? ? Config Database error? Database Database Java? Language OWASP 5

Web Applications (what we see) Web Server Protocol CSRF exploit Protocol JavaScript ? Info leak Config Web Web Web error? Browser Protocol Web Server Sniffing ? Server Server Data injection Memory injection PHP? +scripts Who knows? Config Web XSS error? Language injection SQL Language Framework Browser injection Config error? Protocol Protocol ? Memory Contami ? injection nation Config Database error? Database Database Java? Language OWASP 5

Web Applications (what we see) Web Server Protocol CSRF exploit Protocol JavaScript ? Info leak Contami Config Web Web Web nation error? Browser Protocol Web Server Sniffing ? Server Server Data injection Memory injection PHP? +scripts Protocol Who exploit Known knows? Config Web XSS error? exploit Language injection SQL Language Framework Browser Protocol injection exploit Config error? Protocol Protocol ? Memory Contami ? injection nation Config + Phishing Database error? Protocol + (D)DoS, economic (D)DoS Database Database Java? exploit + Flash, Silverlight, Gears, XPCOM, Language Java(FX), NativeClient, Acrobat, QT... + Keyloggers + ... OWASP 5

The general idea OWASP 6

The general idea “If you can’t solve the problem, change the problem.” Ferengi Rule of Acquisition #408 OWASP 6

The general idea “If you can’t solve the problem, change the problem.” Ferengi Rule of Acquisition #408 “What if the problem is that Joe User is stupid?” (Joe Developer) OWASP 6

The general idea “If you can’t solve the problem, change the problem.” Ferengi Rule of Acquisition #408 “What if the problem is that Joe User is stupid?” (Joe Developer) “It’s not him, it’s you. You should design your tool so that Joe can’t do anything stupid.” Ferengi Rule of Acquisition #408, contd. OWASP 6

The general idea “If you can’t solve the problem, change the problem.” Ferengi Rule of Acquisition #408 “What if the problem is that Joe User is stupid?” (Joe Developer) “It’s not him, it’s you. You should design your tool so that Joe can’t do anything stupid.” Ferengi Rule of Acquisition #408, contd. “What if the problem is that Joe Developer is stupid?” (Joe Meta-Developer) OWASP 6

The general idea “If you can’t solve the problem, change the problem.” Ferengi Rule of Acquisition #408 “What if the problem is that Joe User is stupid?” (Joe Developer) “It’s not him, it’s you. You should design your tool so that Joe can’t do anything stupid.” Ferengi Rule of Acquisition #408, contd. “What if the problem is that Joe Developer is stupid?” (Joe Meta-Developer) “Haven’t I answered that question already?” Ferengi Rule of Acquisition #408, contd. “...oh, and don’t forget to make sure that Joe can still use the tools!” Ferengi Rule of Acquisition #408, contd. OWASP 6

Web applications (with OPA) Logics OPA App App Storage Delivery UI User User OWASP 7

Web applications (with OPA) Logics OPA App App Untrusted Storage Delivery UI User User OWASP 7

General OPA design OWASP 8

General OPA design Clean-slate design Based on formal methods Safe languages from the bottom up OWASP 8

General OPA design Clean-slate design Based on formal methods Safe languages from the bottom up One language for the whole application Glue & checks generated automatically No impedance mismatch OWASP 8

General OPA design Clean-slate design Based on formal methods Safe languages from the bottom up One language for the whole application Glue & checks generated automatically No impedance mismatch “Just” a distributed system In which not all principals are trusted And communications use web standards Security is (mostly) automatic OWASP 8

General OPA design Joe doesn’t need to know Clean-slate design Based on formal methods Safe languages from the bottom up One language for the whole application Simpler than LAMP Glue & checks generated automatically No impedance mismatch “Just” a distributed system Joe doesn’t need to know In which not all principals are trusted And communications use web standards Security is (mostly) automatic OWASP 8

Hello, web OWASP 10

Hello, web server = one_page_server("Hello, web", -> <>Hello, web</>) 1) Compile Complete web opa hello.opa application. 2) Run ./hello.exe 3) Test browse http://localhost:8080 OWASP 10

URL shortener (22 loc) db /abbrevs: intmap(string) db /abbrevs[_] = "/" make_shorter(url:string):string = key = Db.fresh_key(/abbrevs) do /abbrevs[key] <- url "{key}" _ = @server(make_shorter) do_shorten(_) = exec([#shortened <- make_shorter(Page.getVal(#origin))]) urls = parser | "/" dest=Rule.integer -> Resource.redirection_page("Please wait a second", <div class="loading">(loading...)</>,{address_moved},0,/abbrevs[dest]) | .* -> Resource.html("MLstate redirector", <>Please enter a URL you wish to shorten<br/> <input id="origin"/><button onclick={do_shorten}>Shorten</button> <div id="shortened"></div> </>) server = simple_server(urls) OWASP 11

URL shortener (22 loc) db /abbrevs: intmap(string) Database db /abbrevs[_] = "/" make_shorter(url:string):string = key = Db.fresh_key(/abbrevs) do /abbrevs[key] <- url "{key}" _ = @server(make_shorter) Control do_shorten(_) = exec([#shortened <- make_shorter(Page.getVal(#origin))]) UI urls = parser | "/" dest=Rule.integer -> Resource.redirection_page("Please wait a second", <div class="loading">(loading...)</>,{address_moved},0,/abbrevs[dest]) | .* -> Resource.html("MLstate redirector", <>Please enter a URL you wish to shorten<br/> <input id="origin"/><button onclick={do_shorten}>Shorten</button> <div id="shortened"></div> </>) server = simple_server(urls) OWASP 11

Nice web chat type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = ( Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = ( line = <div class="opa-line"> <div class="opa-wrap"><div class="opa-user">{x.id}:</div> <div class="opa-message">{x.message}</div></div> </div> do exec([#show +<- line ]) Page.set_scroll_top(#show, Page.get_height(#show)+Page.get_scroll_top(#show)) ) start(connexion) = ( id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown") broadcast = make_broadcaster(id) styled_page("Chat", //Display <script onload={_ -> connect()}/> <div id="header"><div id="logo"></div></div> <div id="show"></div> <input id="entry"/> <div class="opa-button" onclick={broadcast}>Send!</div> ) ) urls = parser .* -> start resources = @static_include_directory("resources") server = Server.make(Resource.add_auto_server(resources, urls)) OWASP 12

Nice web chat type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = ( Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = ( UI line = <div class="opa-line"> <div class="opa-wrap"><div class="opa-user">{x.id}:</div> <div class="opa-message">{x.message}</div></div> </div> do exec([#show +<- line ]) Page.set_scroll_top(#show, Page.get_height(#show)+Page.get_scroll_top(#show)) ) start(connexion) = ( id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown") broadcast = make_broadcaster(id) styled_page("Chat", //Display <script onload={_ -> connect()}/> <div id="header"><div id="logo"></div></div> <div id="show"></div> <input id="entry"/> <div class="opa-button" onclick={broadcast}>Send!</div> ) ) urls = parser .* -> start resources = @static_include_directory("resources") server = Server.make(Resource.add_auto_server(resources, urls)) OWASP 12

Nice web chat type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = ( Real-time Resource.full_page(title, body, web <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = ( UI line = <div class="opa-line"> <div class="opa-wrap"><div class="opa-user">{x.id}:</div> <div class="opa-message">{x.message}</div></div> </div> do exec([#show +<- line ]) Page.set_scroll_top(#show, Page.get_height(#show)+Page.get_scroll_top(#show)) ) start(connexion) = ( id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown") broadcast = make_broadcaster(id) styled_page("Chat", //Display <script onload={_ -> connect()}/> <div id="header"><div id="logo"></div></div> <div id="show"></div> <input id="entry"/> <div class="opa-button" onclick={broadcast}>Send!</div> ) ) urls = parser .* -> start resources = @static_include_directory("resources") server = Server.make(Resource.add_auto_server(resources, urls)) OWASP 12

Nice web chat type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = ( Real-time Resource.full_page(title, body, web <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = ( UI line = <div class="opa-line"> <div class="opa-wrap"><div class="opa-user">{x.id}:</div> <div class="opa-message">{x.message}</div></div> </div> do exec([#show +<- line ]) Page.set_scroll_top(#show, Page.get_height(#show)+Page.get_scroll_top(#show)) ) start(connexion) = ( id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown") broadcast = make_broadcaster(id) styled_page("Chat", //Display <script onload={_ -> connect()}/> <div id="header"><div id="logo"></div></div> <div id="show"></div> <input id="entry"/> <div class="opa-button" onclick={broadcast}>Send!</div> ) ) urls = parser .* -> start URLs resources = @static_include_directory("resources") server = Server.make(Resource.add_auto_server(resources, urls)) OWASP 12

There’s more Games Productivity tools Development tools Security applications e-Commerce applications ... OWASP 13

Things we can do (and check!) OWASP 14

Things we can do (and check!) Programmable security policies Ajax SOAP Complex database ... XML processing Comet Fine-grained sessions Time-unlimited rollback Distribution Multitasking Higher-order database User interface Concurrent transactions WSDL Higher-order programming Data history Capabilities OWASP 14

Transparent protections type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = ( Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = ( line = <div class="opa-line"> <div class="opa-wrap"><div class="opa-user">{x.id}:</div> <div class="opa-message">{x.message}</div></div> </div> do exec([#show +<- line ]) Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show) ) start(connexion) = ( id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown") broadcast = make_broadcaster(id) styled_page("Chat", //Display <script onload={_ -> connect()}/> <div id="header"><div id="logo"></div></div> <div id="show"></div> <input id="entry"/> <div class="opa-button" onclick={broadcast}>Send!</div> ) ) urls = parser .* -> start resources = @static_include_directory("resources") server = Server.make(Resource.add_auto_server(resources, urls)) OWASP 16

Transparent protections type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = ( Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) All insertions user_update(x:mess) = ( = ( are checked user_update(x:mess) line = <div class="opa-line"> line = <div class="opa-line"> <div class="opa-wrap"><div class="opa-user">{x.id}:</div> <div class="opa-wrap"><div class="opa-user">{x.id}:</div> <div class="opa-message">{x.message}</div></div> <div class="opa-message">{x.message}</div></div> </div> </div> do exec([#show +<- line ]) Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show) do exec([#show +<- line ]) ) Page.set_scroll_top(#show, Page.get_height(#show)+Page.get_scroll_top(#show)) ) start(connexion) = ( id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown") broadcast = make_broadcaster(id) styled_page("Chat", //Display <script onload={_ -> connect()}/> <div id="header"><div id="logo"></div></div> <div id="show"></div> <input id="entry"/> <div class="opa-button" onclick={broadcast}>Send!</div> ) ) urls = parser .* -> start resources = @static_include_directory("resources") server = Server.make(Resource.add_auto_server(resources, urls)) OWASP 16

Transparent protections All communications type mess = {id: string; message: string} are checked room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) room) styled_page(title, body) = ( Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = ( line = <div class="opa-line"> <div class="opa-wrap"><div class="opa-user">{x.id}:</div> <div class="opa-message">{x.message}</div></div> </div> do exec([#show +<- line ]) Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show) ) start(connexion) = ( id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown") broadcast = make_broadcaster(id) styled_page("Chat", //Display <script onload={_ -> connect()}/> <div id="header"><div id="logo"></div></div> <div id="show"></div> <input id="entry"/> <div class="opa-button" onclick={broadcast}>Send!</div> ) ) urls = parser .* -> start resources = @static_include_directory("resources") server = Server.make(Resource.add_auto_server(resources, urls)) OWASP 16

Transparent protections type mess = {id: string; message: string} room = Network.empty():Network.network(mess) connect(callback) = Network.add(Session.make_callback(callback), room) make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) styled_page(title, body) = ( Resource.full_page(title, body, <link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, []) ) user_update(x:mess) = ( line = <div class="opa-line"> <div class="opa-wrap"><div class="opa-user">{x.id}:</div> <div class="opa-message">{x.message}</div></div> </div> do exec([#show +<- line ]) Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show) ) start(connexion) = ( id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown") broadcast = make_broadcaster(id) styled_page("Chat", //Display styled_page("Chat", //Display <script onload={_ -> connect()}/> <script onload={_ -> connect()}/> <div id="header"><div id="logo"></div></div> Per-user <div id="show"></div> <div id="header"><div id="logo"></div></div> capability?* <input id="entry"/> <div class="opa-button" onclick={broadcast}>Send!</div> <div id="show"></div> ) <input id="entry"/> ) <div class="opa-button" onclick={broadcast}>Send!</div> urls = parser .* -> start ) resources = @static_include_directory("resources") server = Server.make(Resource.add_auto_server(resources, urls)) OWASP 16

More A1-Injection A6-Security Misconﬁguration A2-Cross Site Scripting (XSS) A7-Insecure Cryptographic Storage A3-Broken Authentication and A8-Failure to Restrict URL Access Session Management A4-Insecure Direct Object A9-Insufﬁcient Transport Layer References Protection A5-Cross Site Request Forgery A10-Unvalidated Redirects and (CSRF) Forwards OWASP 17

progress) What Automated Solutions Miss !!Theoretical "!Logic flaws (business and application) "!Design flaws "!The Stupid !!Practical "!Difficulty interacting with Rich Internet Applications (RIA) "!Complex variants of common attacks (SQL Injection, XSS, etc) "!Cross-Site Request Forgery (CSRF) "!Uncommon or custom infrastructure "!Authorization enforcement "!Abstract information leakage OWASP OWASP 16 18 6

progress) What Automated Solutions Miss ^ other !!Theoretical "!Logic flaws (business and application) (in progress) "!Design flaws "!The Stupid (what we do best) !!Practical (been there, done that) "!Difficulty interacting with Rich Internet Applications (RIA) "!Complex variants of common attacks (SQL Injection, XSS, etc) (been there, done that) "!Cross-Site Request Forgery (CSRF) (in progress) "!Uncommon or custom infrastructure (abstract&specify them away!) "!Authorization enforcement (been there, done that) "!Abstract information leakage (been there, done that) OWASP OWASP 16 18 6

Theoretical foundations Building on 30+ years of research in formal methods & language theory. Key for precise analysis. Key for precise optimizations. OWASP 20

False positives False positives are annoying but not that bad -- as long as they are predictable and there’s a workaround. Experienced developers make safety/security mistakes quite often. False positives often later reveal themselves as true positives. OWASP 21

Future Eliminate CSRF. Extend per-application security policy. Extend per-library/per-data safety policy. Plenty of additional features! Hiring you? OWASP 22

That’s all, folks! http://www.mlstate.com OWASP 23

That’s all, folks! Thanks and apologies to David Byrne & Charles Anderson for hijacking their slides http://www.mlstate.com OWASP 23

Opa @ owasp 2010

by IamYoric on Jun 28, 2010

Accessibility

Categories

Upload Details

Usage Rights

Statistics

Opa @ owasp 2010 Presentation Transcript