Security Policy Management:
Easy as PIE
Ian Haken
What I’m Talking About Today
• A look at security policies in applications
– I will mostly be speaking in the context of Java
web applications, though much is general.
• How security managers are used in practice
– Or, more precisely, how they aren’t used.
• A slice of PIE
– A new FOSS tool for building and managing
security policies for Java applications.
What is a Security Policy?
• A security policy defines the “resources”
an application can access
• Access is usually conditioned on context
– Is the user authenticated?
– What role(s) does the user possess?
– What is the origin of the resource access
request?
An Idealized Security Policy
Resource columns: Stock Prices | Investment Demo | My Portfolio | Total Assets Under Mgmt
Role rows (one ✓ per resource the role may access):
No Authentication (AuthN): ✓
Guest: ✓ ✓
User: ✓ ✓ ✓
Admin: ✓ ✓
A More Realistic Security Policy
Resource columns: Stock Prices | Investment Demo | My Portfolio | Total Assets Under Mgmt
Role rows, now split by the origin of the request (one ✓ per resource the role may access):
No AuthN, Internal IP: ✓
No AuthN, External IP: ✓ ✓
Guest, Internal IP: ✓ ✓
Guest, External IP: ✓
User, Internal IP: ✓ ✓
User, External IP: ✓ ✓ ✓
Admin, Internal IP: ✓ ✓
Admin, External IP: ✓ ✓
An Even More Realistic Security Policy
Resource columns, each split in two: Stock Prices (Private, Public) | Investment Demo (Beta Features, Production Features) | My Portfolio (Projections, History) | Total Assets Under Mgmt (Potential Clients, Current Clients)
Role rows, split by the origin of the request (one ✓ per sub-column the role may access):
No AuthN, Internal IP: ✓ ✓
No AuthN, External IP: ✓ ✓
Guest, Internal IP: ✓ ✓ ✓
Guest, External IP: ✓
User, Internal IP: ✓ ✓ ✓ ✓
User, External IP: ✓ ✓ ✓ ✓
Admin, Internal IP: ✓ ✓ ✓ ✓ ✓ ✓
Admin, External IP: ✓ ✓ ✓ ✓ ✓
Security Managers
• A Security Manager is a component which
enforces the relevant security policy.
– Database and filesystem access control lists
– Firewall rules
– Android permissions framework
– Content Security Policy (CSP)
– The Java Security Manager
– Spring Security
Content Security Policy
• A defense-in-depth solution which, if well-implemented in an application, could eliminate some XSS
• For each page, CSP whitelists origins for
which content can be loaded.
• Since script/CSS/image/etc content is
(usually) static, this means only trusted
content is loaded.
Java Security Manager
• In the JDK since 1.0 (1996)
• The most common use-case is sandboxing untrusted code, e.g. web applets, Google App Engine, and dynamic analyzers.
• Enforces a security policy when accessing
system resources, e.g. filesystem, network
sockets, process invocation, thread
creation, reflection, class loader, etc.
Spring Security
• Framework for managing user
authentication and authorization controls
• Highly flexible and customizable
• Supports lots of other web application
protections: CSRF, session fixation, etc.
• Can use annotations to define method-level authorization checks
In General
• Security Managers enforce policies and
often add a layer of protection to
applications
• If utilized properly, they can mitigate or
even eliminate entire classes of
vulnerabilities
A Use Case: Struts 2
• Struts 2 has been plagued (at least 12
remote code execution CVEs) by issues
related to OGNL-injection.
• Example: Roller 5.0.0 uses Struts 2.2.1
$> curl -s -X GET -G http://localhost:8080/roller/roller-ui/login.rol \
   --data-urlencode "pageTitle=${(#_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'),'')}"
A Use Case: Struts 2
• A first pass for one issue used a regex to
blacklist disallowed characters. It blocked
one attack but remained open to others:¹
“The excluded parameter pattern introduced in version 2.3.16.2 to
block access to getClass() method didn't cover other cases…”
• The current codebase uses a regex
whitelist to prevent OGNL-injection
¹ Struts 2 Security Bulletin S2-022: https://struts.apache.org/docs/s2-022.html
A Use Case: Struts 2
• If you’re supporting a legacy Struts 2 app
and can’t upgrade, you need an additional
layer of protection.
• The current version doesn’t have known
exploits, but are we sure there’s no
intersection between the whitelist and
malicious OGNL?
A Use Case: Struts 2
• For both legacy and current Struts 2 apps,
the Java SM with a strong security policy
can mitigate your overall risk:
– Disallows unused OGNL directives
– Disallows class loader manipulation
– Disallows process invocation
– Disallows arbitrary filesystem access
– …
Awesome!
• Security managers add a layer of defense
– They can protect legacy code with known
vulnerabilities
– Or current code with unknown vulnerabilities.
• They’re widely available and have been
around for years.
Awesome!
So every web application out there is
using these things, right?
The State of CSP
• As of April 27, 2015, in the Alexa Top 500
sites, only 2.7% are using CSP.
– And of those, more than 60% include ‘unsafe-eval’ or ‘unsafe-inline’ for script-src.
• Across the wider web, utilization drops
further. Informal reports suggest less than
0.5% of sites use CSP.
The State of the Java Security Manager
• As mentioned, it is used in several places as a sandboxing mechanism.
• Prevalence is hard to measure; it’s
bundled with the JDK, and usually has no
fingerprint when used server-side.
• But anecdotally, no production system that
I or anyone I know has seen uses it on top
of trusted applications.
Why Aren’t These Tools Getting Used?
• Performance impact?
– A 2004 paper by Herzog and Shahmehri² showed a 5% to 100% time increase per resource access in the Java Security Manager.
• However, this difference is marginal given the overhead of typical web applications, in particular network request/response time, and the low density of security manager-relevant operations.
– CSP adds ~0.02ms per resource load in Firefox.³
Why Aren’t These Tools Getting Used?
• Ease-of-use
– Difficult to write a policy
• What permissions do you need to add?
• What parts of the application need those
permissions?
– Difficult to validate a policy
• Should you really be whitelisting
dxgmaaybvjuttx.cloudfront.net or should it
be *.cloudfront.net?
Why Aren’t These Tools Getting Used?
• Ease-of-use
– Keeping it up-to-date
• What if a developer changes the data path?
• What if hostnames get changed?
• What if you upgrade a dependency?
Using Security Manager with Tomcat
Tomcat ships with a security manager policy
which provides sane defaults and isolation
between applications.
$> ./startup.sh -security
Using Security Manager with Tomcat
$> cat catalina.out
[ERROR] ContextLoader - Context initialization failed <org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read candidate component class: URL [jar:file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/pebble-2.6.4.jar!/net/sourceforge/pebble/dao/file/StaticPageType.class]; nested exception is java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")>org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read candidate component class: URL [jar:file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/pebble-2.6.4.jar!/net/sourceforge/pebble/dao/file/StaticPageType.class]; nested exception is java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
...
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
at java.security.AccessController.checkPermission(AccessController.java:559)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.Class.checkMemberAccess(Class.java:2281)
at java.lang.Class.getDeclaredMethods(Class.java:1859)
at org.springframework.core.annotation.AnnotationUtils.getAnnotationAttributes(AnnotationUtils.java:270)
at org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor.visitEnd(AnnotationAttributesReadingVisitor.java:135)
at org.springframework.asm.ClassReader.a(Unknown Source)
at org.springframework.asm.ClassReader.accept(Unknown Source)
at org.springframework.asm.ClassReader.accept(Unknown Source)
at org.springframework.core.type.classreading.SimpleMetadataReader.<init>(SimpleMetadataReader.java:54)
at org.springframework.core.type.classreading.SimpleMetadataReaderFactory.getMetadataReader(SimpleMetadataReaderFactory.java:80)
at org.springframework.core.type.classreading.CachingMetadataReaderFactory.getMetadataReader(CachingMetadataReaderFactory.java:101)
at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvider.java:213)
... 39 more
Using Security Manager with Tomcat
$> cat catalina.out
The two things to pull out of the trace above are the permission that was denied and the class that was exercising it:
"java.lang.RuntimePermission" "accessDeclaredMembers"
org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor
Using Security Manager with Tomcat
$> cat catalina.policy
...
// The permissions granted to the context root directory apply to JSP pages.
// grant codeBase "file:${catalina.base}/webapps/examples/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
//
// The permissions granted to the context WEB-INF/classes directory
// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
// };
//
// The permission granted to your JDBC driver
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
// };
// The permission granted to the scrape taglib
// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
// };
Using Security Manager with Tomcat
So what “CodeBase” needs the permission?
The class which threw the exception was
org.springframework.core.annotation.AnnotationUtils
In Pebble’s lib directory, there is:
spring-core-3.0.3.RELEASE.jar
spring-security-core-3.0.3.RELEASE.jar
spring-web-3.0.3.RELEASE.jar
spring-security-web-3.0.3.RELEASE.jar
spring-context-3.0.3.RELEASE.jar
spring-beans-3.0.3.RELEASE.jar
spring-aop-3.0.3.RELEASE.jar
spring-asm-3.0.3.RELEASE.jar
spring-tx-3.0.3.RELEASE.jar
spring-expression-3.0.3.RELEASE.jar
spring-security-config-3.0.3.RELEASE.jar
spring-security-openid-3.0.3.RELEASE.jar
Using Security Manager with Tomcat
After much trial and tribulation you’ll (maybe)
figure out that you need to append the
following to catalina.policy:
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-asm-3.0.3.RELEASE.jar" {
permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-beans-3.0.3.RELEASE.jar" {
permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-context-3.0.3.RELEASE.jar" {
permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-core-3.0.3.RELEASE.jar" {
permission java.lang.RuntimePermission "accessDeclaredMembers";
};
grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-web-3.0.3.RELEASE.jar" {
permission java.lang.RuntimePermission "accessDeclaredMembers";
};
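The log-to-grant hunt of the last few slides, as an added example written for this page (it is not code from the talk or from the PIE project): it parses the AccessControlException, walks the stack for the non-JDK classes, finds which JAR under WEB-INF/lib holds each one, and prints a grant block per JAR. The log excerpt and the JARs are constructed in memory, and the package prefixes used to recognise application code are an assumption.

```python
"""Turn a Java Security Manager 'access denied' trace into policy grants."""
import io
import re
import zipfile

# Constructed catalina.out excerpt, modelled on the trace in the slides.
SAMPLE_LOG = """\
Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
    at java.security.AccessController.checkPermission(AccessController.java:559)
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
    at java.lang.Class.checkMemberAccess(Class.java:2281)
    at java.lang.Class.getDeclaredMethods(Class.java:1859)
    at org.springframework.core.annotation.AnnotationUtils.getAnnotationAttributes(AnnotationUtils.java:270)
    at org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor.visitEnd(AnnotationAttributesReadingVisitor.java:135)
    at org.springframework.asm.ClassReader.a(Unknown Source)
"""

# AccessControlException messages are "access denied " + Permission.toString(),
# i.e. ("class" "target") or ("class" "target" "actions").
DENIED_RE = re.compile(r'access denied \("([\w.]+)" "([^"]+)"(?: "([^"]+)")?\)')
FRAME_RE = re.compile(r'^\s*at ([\w.$]+)\.[\w<>$]+\(')


def parse_denial(log):
    """Return (permission_class, target, actions) for the first denial in the log."""
    m = DENIED_RE.search(log)
    if not m:
        raise ValueError("no AccessControlException in log")
    return m.group(1), m.group(2), m.group(3) or ""


def app_classes(log, app_prefixes=("org.springframework.", "net.sourceforge.")):
    """Distinct non-JDK classes on the stack, top-down. java.* frames are
    skipped because JDK code holds AllPermission; every other code base on
    the stack must hold the permission (absent doPrivileged), which is why
    the slides end up granting the same permission to several spring JARs.
    The prefix list is an assumption for this constructed sample."""
    seen = []
    for line in log.splitlines():
        m = FRAME_RE.match(line)
        if m and m.group(1).startswith(app_prefixes) and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def find_jar(class_name, jars):
    """jars maps JAR filename -> archive bytes. Return the JAR containing
    <class_name>.class, or None if no JAR in WEB-INF/lib has it."""
    entry = class_name.replace(".", "/") + ".class"
    for name, data in jars.items():
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if entry in zf.namelist():
                return name
    return None


def grant_block(jar_name, perm_class, target, actions, webapp="pebble-2.6.4"):
    """Render a java.policy grant scoped to one JAR rather than all of WEB-INF/lib."""
    code_base = f"file:${{catalina.base}}/webapps/{webapp}/WEB-INF/lib/{jar_name}"
    perm = f'permission {perm_class} "{target}"'
    if actions:
        perm += f', "{actions}"'
    return f'grant codeBase "{code_base}" {{\n    {perm};\n}};'


def make_jar(entries):
    """Build an in-memory JAR whose only contents are empty class entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for e in entries:
            zf.writestr(e, b"")
    return buf.getvalue()


# Constructed stand-ins for two of the spring-*.jar files in Pebble's lib directory.
SAMPLE_JARS = {
    "spring-core-3.0.3.RELEASE.jar": make_jar([
        "org/springframework/core/annotation/AnnotationUtils.class",
        "org/springframework/core/type/classreading/AnnotationAttributesReadingVisitor.class",
    ]),
    "spring-asm-3.0.3.RELEASE.jar": make_jar(["org/springframework/asm/ClassReader.class"]),
}


def triage(log=SAMPLE_LOG, jars=SAMPLE_JARS):
    """End to end: log text -> [(jar, grant text)], one entry per distinct JAR."""
    perm_class, target, actions = parse_denial(log)
    grants = []
    for cls in app_classes(log):
        jar = find_jar(cls, jars)
        if jar and all(jar != j for j, _ in grants):
            grants.append((jar, grant_block(jar, perm_class, target, actions)))
    return grants


if __name__ == "__main__":
    for _, text in triage():
        print(text)
```

Each denial only reports the first missing grant, so in practice this is run once per restart until the log is clean, which is exactly the loop the next slides describe.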
Using Security Manager with Tomcat
$> ./shutdown.sh; ./startup.sh -security
Using Security Manager with Tomcat
The slide draws this as a cycle:
• Dig through the Tomcat log
• Figure out the correct permissions to add
• $> ./shutdown.sh
• $> ./startup.sh -security
• Back to the log
Using Security Manager with Tomcat
• To load Pebble’s homepage, you’ll need to
add 84 permissions.
– Distributed across 16 JARs.
• And at this point, you haven’t even gotten
to system-resource intensive actions:
– Adding blog entries, file uploads, creating new
users…
Introducing PIE
• PIE (Policy Instantiation & Enforcement)
aims to be a tool for painlessly building a
security policy for your application.
• It’s FOSS: github.com/coverity/pie
• It’s modular: Java Security Manager and
CSP are two modules currently working
with PIE out-of-the-box.
What is PIE?
• Has a learning mode which observes the
execution of your application in order to
automatically generate a security policy.
• Automatically simplifies/collapses the
policy, making it easy to manually verify.
• A maven plugin integrates PIE into
development and QA, making sure policy
issues show up early in the SDLC.
PIE: Policy Generation
Diagram: inside the container (e.g. Tomcat), PIE sits between webapp.war and the JVM's Java Security Manager, recording the permissions the application exercises and writing them to pie.sm.policy.
PIE: Policy Enforcement
Diagram: the same arrangement, with PIE now reading pie.sm.policy and the Java Security Manager enforcing it against webapp.war.
PIE: Policy Generation
$> mvn verify -Pselenium
PIE: Policy Generation
$> head -n 20 pie.sm.policy
"file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/pebble-2.6.4.jar": {
"java.io.FilePermission": {
"/home/ihaken/pebble/*": { "read": {} },
"/home/ihaken/pebble/blogs/default/-": { "delete,read,write": {} },
"/home/ihaken/pebble/realm/*": { "read,write": {} },
"/home/ihaken/tomcats/pebble/temp": { "read": {} },
"/home/ihaken/tomcats/pebble/temp/*": { "delete,write": {} },
"/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/themes/user-default/*": {
"delete,write": {} },
"/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/themes/user-default/images/*": {
"write": {} }
},
"java.lang.RuntimePermission": {
"accessDeclaredMembers": { "": {} },
"defineClassInPackage.java.lang": { "": {} }
},
"java.lang.reflect.ReflectPermission": {
"suppressAccessChecks": { "": {} }
},
"java.net.SocketPermission": {
"resolve": { "ihaken-wrkst": {} }
},
PIE: Policy Simplification
"file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/commons-fileupload-1.0.jar": {
"java.io.FilePermission": {
"/home/ihaken/tomcats/pebble/temp/upload_00000000.tmp": {
"delete": {},
"read": {}
},
"/home/ihaken/tomcats/pebble/temp/upload_00000001.tmp": {
"delete": {},
"read": {}
},
"/home/ihaken/tomcats/pebble/temp/upload_00000002.tmp": {
"delete": {},
"read": {}
},
...
PIE: Policy Simplification
"file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/commons-fileupload-1.0.jar": {
"java.io.FilePermission": {
"/home/ihaken/tomcats/pebble/temp/*": { "delete,read": {} }
},
...
$> wc -l pie.sm.policy*
1785 pie.sm.policy
83 pie.sm.policy.simple
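The collapse shown on these two slides, as an added example written for this page and not PIE's own code: it takes a policy in the JSON layout above (codeBase, permission class, target, actions), groups java.io.FilePermission targets by parent directory and replaces sibling files with one wildcard entry carrying the union of their actions. The sample policy is constructed (one temp file also has write access so the union is visible in the result), and the collapsing rule itself is an assumption about how such a simplifier behaves, not a description of PIE's algorithm.

```python
"""Collapse per-file FilePermission grants into a per-directory wildcard."""
import json
import posixpath
from collections import defaultdict

# Constructed sample in the layout the slides show:
# codeBase -> permission class -> target -> {actions: {}}.
SAMPLE_POLICY = {
    "file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/commons-fileupload-1.0.jar": {
        "java.io.FilePermission": {
            "/home/ihaken/tomcats/pebble/temp/upload_00000000.tmp": {"delete": {}, "read": {}},
            "/home/ihaken/tomcats/pebble/temp/upload_00000001.tmp": {"delete": {}, "read": {}},
            "/home/ihaken/tomcats/pebble/temp/upload_00000002.tmp": {"read": {}, "write": {}},
            "/home/ihaken/pebble/realm/users.properties": {"read": {}},
        },
        "java.lang.RuntimePermission": {"accessDeclaredMembers": {"": {}}},
    }
}


def actions_of(node):
    """Flatten {"delete": {}, "read": {}} or {"delete,read": {}} into a set."""
    out = set()
    for key in node:
        out.update(a for a in key.split(",") if a)
    return out


def join_actions(actions):
    """Canonical comma-joined form: {"read", "delete"} -> "delete,read"."""
    return ",".join(sorted(actions))


def collapse_file_permissions(targets):
    """Group targets by parent directory. A directory seen once keeps its exact
    path; two or more entries become "<dir>/*" (or "<dir>/-" if the policy
    already had a recursive grant there) carrying the UNION of their actions.
    That union is the trade-off: the collapsed policy is at least as permissive
    as the observed one, which is why the result still has to be reviewed."""
    by_dir = defaultdict(list)
    for path, node in targets.items():
        by_dir[posixpath.dirname(path)].append((path, actions_of(node)))
    result = {}
    for dir_, members in by_dir.items():
        if len(members) == 1:
            path, acts = members[0]
            result[path] = {join_actions(acts): {}}
        else:
            union = set().union(*(acts for _, acts in members))
            wildcard = "/-" if any(p.endswith("/-") for p, _ in members) else "/*"
            result[dir_ + wildcard] = {join_actions(union): {}}
    return result


def simplify(policy):
    """Collapse every java.io.FilePermission section; other permission classes
    are copied through with their action keys canonicalised."""
    simplified = {}
    for code_base, perms in policy.items():
        simplified[code_base] = {}
        for perm_class, targets in perms.items():
            if perm_class == "java.io.FilePermission":
                simplified[code_base][perm_class] = collapse_file_permissions(targets)
            else:
                simplified[code_base][perm_class] = {
                    t: {join_actions(actions_of(n)): {}} for t, n in targets.items()
                }
    return simplified


def count_targets(policy):
    """Number of target entries in the policy (a rough stand-in for the slide's wc -l comparison)."""
    return sum(len(targets) for perms in policy.values() for targets in perms.values())


if __name__ == "__main__":
    print(json.dumps(simplify(SAMPLE_POLICY), indent=2))
```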
PIE: Policy Verification
• So you’ve built the perfect security
policy…
– It’s not too restrictive
– It’s not too permissive
– It’s already out-of-date
• How can I make sure today’s security
policy doesn’t break tomorrow’s build?
PIE: Policy Verification
• Bake PIE into your QA process!
• You’re already thoroughly testing your
application. (Right?)
• Let’s not only verify that the policy doesn’t
break anything…
• Let’s also automatically update the policy
with any observed violations.
PIE: Policy Verification
<plugin>
  <groupId>com.coverity.security.pie</groupId>
  <artifactId>pie-maven-plugin</artifactId>
  <version>1.0.0</version>
  <configuration>
    <serverUrl>http://localhost:18885/my-app</serverUrl>
    <pieConfig>pieConfig.properties</pieConfig>
  </configuration>
  <executions><execution><goals>
    <goal>build-policy</goal>
  </goals></execution></executions>
</plugin>
PIE: Policy Verification
PIE has a Maven plugin so you can integrate it into your build/test pipeline.
Diagram: Maven invokes the PIE plugin, which talks to the container running webapp.war (with PIE loaded) while the test run (Selenium Grid, SauceLabs, etc.) drives the application; the outputs are one policy file per module: pie.sm.policy, pie.csp.policy, pie.foo.policy.
PIE: Policy Verification
• The PIE Maven plugin will…
– Record the start-time of the test-run
– After the test-run is complete, query the
server for any policy violations
– If there were violations:
• Update and simplify the policy
• Fail the Maven build
What Frameworks Does PIE Support?
• Running Servlet 3.0 (e.g. Tomcat)?
– Just drop the war in your container’s lib directory, or include PIE as a Maven dependency.
• Using Dropwizard?
– Add the Maven dependency and one line to
your app’s config. (Details in the docs)
• Other frameworks easily added.
Extensibility
• Out-of-the-box support for
– Java Security Manager
– CSP
• These are written as modules; use them
as a guide to write your own!
– The PIE project includes an example of
integrating with application-specific usage of
Spring Security
A Reprise: Struts 2
Remember our vulnerable version of Roller?
$> cp pieConfig.learning.properties ../lib/pieConfig.properties
$> ./startup.sh; mvn verify -Pselenium; ./shutdown.sh
$> cp pieConfig.enforce.properties ../lib/pieConfig.properties
$> ./startup.sh
$> curl -X GET -G …
$> tail -n 1 ../logs/catalina.out
Observed violation: ("ognl.OgnlInvokePermission" "invoke.com.opensymphony.xwork2.ognl.SecurityMemberAccess.setAllowStaticMethodAccess")
Conclusions
• Tools exist for securing your web apps, but
generally they aren’t getting used.
– Why not? It’s a discussion we should have.
• Our hypothesis: barrier to entry and
associated risk is too high.
• PIE is an attempt to address these issues.
– Try it, use it, fork it, provide feedback!
Thank You
https://github.com/coverity/pie
References
1. Struts 2 Security Bulletin S2-022: https://struts.apache.org/docs/s2-022.html
2. Performance of the Java security manager: http://rewerse.net/publications/download/REWERSE-RP-2005-141.pdf
3. A Faster Content Security Policy (CSP): https://blog.mozilla.org/security/2014/09/10/faster-csp/

More Related Content

Recently uploaded

introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
VishalKumarJha10
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 

Recently uploaded (20)

A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verifiedSector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
Sector 18, Noida Call girls :8448380779 Model Escorts | 100% verified
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
AI & Machine Learning Presentation Template
AI & Machine Learning Presentation TemplateAI & Machine Learning Presentation Template
AI & Machine Learning Presentation Template
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems -The Print[A] Example- A Comprehension AidDirect Style Effect Systems -The Print[A] Example- A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdfintroduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
introduction-to-automotive Andoid os-csimmonds-ndctechtown-2021.pdf
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...
 
Pharm-D Biostatistics and Research methodology
Pharm-D Biostatistics and Research methodologyPharm-D Biostatistics and Research methodology
Pharm-D Biostatistics and Research methodology
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5   - SESSION 1 2023 (1).pptx - PDF 123456LEVEL 5   - SESSION 1 2023 (1).pptx - PDF 123456
LEVEL 5 - SESSION 1 2023 (1).pptx - PDF 123456
 
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdfAzure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf
 
ManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide DeckManageIQ - Sprint 236 Review - Slide Deck
ManageIQ - Sprint 236 Review - Slide Deck
 

Featured

How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
ThinkNow
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 

Featured (20)

How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 

Security Policy Management: Easy as PIE

7. Security Managers
• A Security Manager is a component which enforces the relevant security policy.
– Database and filesystem access control lists
– Firewall rules
– Android permissions framework
– Content Security Policy (CSP)
– The Java Security Manager
– Spring Security

8. Content Security Policy
• A defense-in-depth solution which, if well-implemented in an application, could eliminate some XSS
• For each page, CSP whitelists origins for which content can be loaded.
• Since script/CSS/image/etc. content is (usually) static, this means only trusted content is loaded.

9. Java Security Manager
• In the JDK since 1.0 (1996)
• Most common use-case is to sandbox untrusted code, e.g. web applets, Google App Engine, and dynamic analyzers.
• Enforces a security policy when accessing system resources, e.g. filesystem, network sockets, process invocation, thread creation, reflection, class loader, etc.

10. Spring Security
• Framework for managing user authentication and authorization controls
• Highly flexible and customizable
• Supports lots of other web application protections: CSRF, session fixation, etc.
• Can use annotations to define method-level authorization checks

11. In General
• Security Managers enforce policies and often add a layer of protection to applications
• If utilized properly, they can mitigate or even eliminate entire classes of vulnerabilities
12. A Use Case: Struts 2
• Struts 2 has been plagued (at least 12 remote code execution CVEs) by issues related to OGNL injection.
• Example: Roller 5.0.0 uses Struts 2.2.1

    $> curl -s -X GET -G http://localhost:8080/roller/roller-ui/login.rol --data-urlencode "pageTitle=${(#_memberAccess["allowStaticMethodAccess"]=true,@java.lang.Runtime@getRuntime().exec('calc'),'')}"

13. A Use Case: Struts 2
• A first pass for one issue used a regex to blacklist disallowed characters. It blocked one attack but remained open to others:¹
  “The excluded parameter pattern introduced in version 2.3.16.2 to block access to getClass() method didn't cover other cases…”
• The current codebase uses a regex whitelist to prevent OGNL injection
¹ Struts 2 Security Bulletin S2-022: https://struts.apache.org/docs/s2-022.html

14. A Use Case: Struts 2
• If you’re supporting a legacy Struts 2 app and can’t upgrade, you need an additional layer of protection.
• The current version doesn’t have known exploits, but are we sure there’s no intersection between the whitelist and malicious OGNL?

15. A Use Case: Struts 2
• For both legacy and current Struts 2 apps, the Java SM with a strong security policy can mitigate your overall risk:
– Disallows unused OGNL directives
– Disallows class loader manipulation
– Disallows process invocation
– Disallows arbitrary filesystem access
– …

16. Awesome!
• Security managers add a layer of defense
– They can protect legacy code with known vulnerabilities
– Or current code with unknown vulnerabilities.
• They’re widely available and have been around for years.

17. Awesome!
So every web application out there is using these things, right?
18. The State of CSP
• As of April 27, 2015, in the Alexa Top 500 sites, only 2.7% are using CSP.
– And of those, more than 60% include ‘unsafe-eval’ or ‘unsafe-inline’ for script-src.
• Across the wider web, utilization drops further. Informal reports suggest less than 0.5% of sites use CSP.

19. The State of the Java Security Manager
• As mentioned, it is used in several places as a sandboxing mechanism.
• Prevalence is hard to measure; it’s bundled with the JDK, and usually has no fingerprint when used server-side.
• But anecdotally, no production system that I or anyone I know has seen uses it on top of trusted applications.

20. Why Aren’t These Tools Getting Used?
• Performance Impact?
– A 2004 paper by Herzog and Shahmehri² showed a 5% to 100% time increase per resource access in the Java Security Manager
• However, this difference is marginal given the overhead of typical web applications, in particular network request/response time, and the low density of security-manager-relevant operations.
– CSP adds ~0.02ms per resource load in Firefox.³

21. Why Aren’t These Tools Getting Used?
• Ease-of-use
– Difficult to write a policy
• What permissions do you need to add?
• What parts of the application need those permissions?
– Difficult to validate a policy
• Should you really be whitelisting dxgmaaybvjuttx.cloudfront.net or should it be *.cloudfront.net?

22. Why Aren’t These Tools Getting Used?
• Ease-of-use
– Keeping it up-to-date
• What if a developer changes the data path?
• What if hostnames get changed?
• What if you upgrade a dependency?
23. Using Security Manager with Tomcat
Tomcat ships with a security manager policy which provides sane defaults and isolation between applications.

    $> ./startup.sh -security

24. Using Security Manager with Tomcat
25. Using Security Manager with Tomcat

    $> cat catalina.out
    [ERROR] ContextLoader - Context initialization failed <org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read candidate component class: URL [jar:file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/pebble-2.6.4.jar!/net/sourceforge/pebble/dao/file/StaticPageType.class]; nested exception is java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")>org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read candidate component class: URL [jar:file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/pebble-2.6.4.jar!/net/sourceforge/pebble/dao/file/StaticPageType.class]; nested exception is java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
    ...
    Caused by: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:372)
        at java.security.AccessController.checkPermission(AccessController.java:559)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.Class.checkMemberAccess(Class.java:2281)
        at java.lang.Class.getDeclaredMethods(Class.java:1859)
        at org.springframework.core.annotation.AnnotationUtils.getAnnotationAttributes(AnnotationUtils.java:270)
        at org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor.visitEnd(AnnotationAttributesReadingVisitor.java:135)
        at org.springframework.asm.ClassReader.a(Unknown Source)
        at org.springframework.asm.ClassReader.accept(Unknown Source)
        at org.springframework.asm.ClassReader.accept(Unknown Source)
        at org.springframework.core.type.classreading.SimpleMetadataReader.<init>(SimpleMetadataReader.java:54)
        at org.springframework.core.type.classreading.SimpleMetadataReaderFactory.getMetadataReader(SimpleMetadataReaderFactory.java:80)
        at org.springframework.core.type.classreading.CachingMetadataReaderFactory.getMetadataReader(CachingMetadataReaderFactory.java:101)
        at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvider.java:213)
        ... 39 more
26. Using Security Manager with Tomcat
(Same catalina.out excerpt as slide 25, with the denied permission and the Spring class that requested it highlighted:)

    "java.lang.RuntimePermission" "accessDeclaredMembers"
    org.springframework.core.type.classreading.AnnotationAttributesReadingVisitor
27. Using Security Manager with Tomcat

28. Using Security Manager with Tomcat

    $> cat catalina.policy
    ...
    // The permissions granted to the context root directory apply to JSP pages.
    // grant codeBase "file:${catalina.base}/webapps/examples/-" {
    //      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
    //      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
    // };
    //
    // The permissions granted to the context WEB-INF/classes directory
    // grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
    // };
    //
    // The permission granted to your JDBC driver
    // grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
    //      permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
    // };
    // The permission granted to the scrape taglib
    // grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
    //      permission java.net.SocketPermission "*.noaa.gov:80", "connect";
    // };

29. Using Security Manager with Tomcat
So what “CodeBase” needs the permission? The class which threw the exception was org.springframework.core.annotation.AnnotationUtils
In Pebble’s lib directory, there is:

    spring-core-3.0.3.RELEASE.jar
    spring-security-core-3.0.3.RELEASE.jar
    spring-web-3.0.3.RELEASE.jar
    spring-security-web-3.0.3.RELEASE.jar
    spring-context-3.0.3.RELEASE.jar
    spring-beans-3.0.3.RELEASE.jar
    spring-aop-3.0.3.RELEASE.jar
    spring-asm-3.0.3.RELEASE.jar
    spring-tx-3.0.3.RELEASE.jar
    spring-expression-3.0.3.RELEASE.jar
    spring-security-config-3.0.3.RELEASE.jar
    spring-security-openid-3.0.3.RELEASE.jar

30. Using Security Manager with Tomcat
After much trial and tribulation you’ll (maybe) figure out that you need to append the following to catalina.policy:

    grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-asm-3.0.3.RELEASE.jar" {
        permission java.lang.RuntimePermission "accessDeclaredMembers";
    };
    grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-beans-3.0.3.RELEASE.jar" {
        permission java.lang.RuntimePermission "accessDeclaredMembers";
    };
    grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-context-3.0.3.RELEASE.jar" {
        permission java.lang.RuntimePermission "accessDeclaredMembers";
    };
    grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-core-3.0.3.RELEASE.jar" {
        permission java.lang.RuntimePermission "accessDeclaredMembers";
    };
    grant codeBase "file:${catalina.base}/webapps/pebble-2.6.4/WEB-INF/lib/spring-web-3.0.3.RELEASE.jar" {
        permission java.lang.RuntimePermission "accessDeclaredMembers";
    };

31. Using Security Manager with Tomcat

    $> ./shutdown.sh; ./startup.sh -security

32. Using Security Manager with Tomcat
(Diagram: a loop of the following steps)
– Dig Through the Tomcat Log
– Figure Out The Correct Permissions to Add
– $> ./shutdown.sh
– $> ./startup.sh -security

33. Using Security Manager with Tomcat
• To load Pebble’s homepage, you’ll need to add 84 permissions.
– Distributed across 16 JARs.
• And at this point, you haven’t even gotten to system-resource intensive actions:
– Adding blog entries, file uploads, creating new users…
34. Introducing PIE
• PIE (Policy Instantiation & Enforcement) aims to be a tool for painlessly building a security policy for your application.
• It’s FOSS: github.com/coverity/pie
• It’s modular: Java Security Manager and CSP are two modules currently working with PIE out-of-the-box.

35. What is PIE?
• Has a learning mode which observes the execution of your application in order to automatically generate a security policy.
• Automatically simplifies/collapses the policy, making it easy to manually verify.
• A Maven plugin integrates PIE into development and QA, making sure policy issues show up early in the SDLC

36. PIE: Policy Generation
(Diagram; labels: Container (e.g. Tomcat), webapp.war, PIE, JVM, Java Security Manager, pie.sm.policy)

37. PIE: Policy Enforcement
(Diagram; labels: Container (e.g. Tomcat), webapp.war, PIE, JVM, Java Security Manager, pie.sm.policy)

38. PIE: Policy Generation

39. PIE: Policy Generation

    $> mvn verify -Pselenium

40. PIE: Policy Generation

    $> head -n 20 pie.sm.policy
    "file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/pebble-2.6.4.jar": {
      "java.io.FilePermission": {
        "/home/ihaken/pebble/*": { "read": {} },
        "/home/ihaken/pebble/blogs/default/-": { "delete,read,write": {} },
        "/home/ihaken/pebble/realm/*": { "read,write": {} },
        "/home/ihaken/tomcats/pebble/temp": { "read": {} },
        "/home/ihaken/tomcats/pebble/temp/*": { "delete,write": {} },
        "/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/themes/user-default/*": { "delete,write": {} },
        "/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/themes/user-default/images/*": { "write": {} }
      },
      "java.lang.RuntimePermission": {
        "accessDeclaredMembers": { "": {} },
        "defineClassInPackage.java.lang": { "": {} }
      },
      "java.lang.reflect.ReflectPermission": {
        "suppressAccessChecks": { "": {} }
      },
      "java.net.SocketPermission": {
        "resolve": { "ihaken-wrkst": {} }
      },

41. PIE: Policy Simplification

    "file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/commons-fileupload-1.0.jar": {
      "java.io.FilePermission": {
        "/home/ihaken/tomcats/pebble/temp/upload_00000000.tmp": { "delete": {}, "read": {} },
        "/home/ihaken/tomcats/pebble/temp/upload_00000001.tmp": { "delete": {}, "read": {} },
        "/home/ihaken/tomcats/pebble/temp/upload_00000002.tmp": { "delete": {}, "read": {} },
        ...

42. PIE: Policy Simplification

    "file:/home/ihaken/tomcats/pebble/webapps/pebble-2.6.4/WEB-INF/lib/commons-fileupload-1.0.jar": {
      "java.io.FilePermission": {
        "/home/ihaken/tomcats/pebble/temp/*": { "delete,read": {} }
      },
      ...

    $> wc -l pie.sm.policy*
    1785 pie.sm.policy
      83 pie.sm.policy.simple
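The collapse step on slides 41 and 42 together with the grant syntax from slide 30, worked as an added Python example (not code from the PIE project): simplify() merges the action sets recorded for a codebase and folds sibling temp files into one "<dir>/*" entry, and render() writes the result in the grant codeBase form a catalina.policy expects. The nesting {codebase: {permission class: {name: {actions: {}}}}} is taken from the pie.sm.policy excerpt above; the JAR name, the paths and the rule of collapsing once two files share a directory are assumptions.

```python
"""Collapse observed Java Security Manager permissions and render them as
java.policy grants.  Added example, not code from the PIE project."""
import posixpath
from collections import Counter, defaultdict

FILE_PERM = "java.io.FilePermission"
WILDCARDS = ("/*", "/-")  # FilePermission targets that already cover a directory

# Constructed sample of what a learning run might record for one JAR; the nesting
# {codebase: {permission class: {name: {actions: {}}}}} mirrors pie.sm.policy.
JAR = "file:/opt/tomcat/webapps/app/WEB-INF/lib/commons-fileupload-1.0.jar"
OBSERVED = {
    JAR: {
        FILE_PERM: {
            "/opt/tomcat/temp/upload_00000000.tmp": {"delete": {}, "read": {}},
            "/opt/tomcat/temp/upload_00000001.tmp": {"delete": {}, "read": {}},
            "/opt/tomcat/temp/upload_00000002.tmp": {"delete": {}},
            "/opt/app/blogs/default/blog.properties": {"read": {}},
        },
        "java.lang.RuntimePermission": {"accessDeclaredMembers": {"": {}}},
    },
}


def _merge_actions(action_strings):
    """Union comma-separated action lists: ["delete", "read"] -> "delete,read"."""
    actions = set()
    for s in action_strings:
        actions.update(a for a in s.split(",") if a)
    return ",".join(sorted(actions))


def simplify(policy, min_group=2):
    """Return a copy of POLICY with action sets merged per name and, for
    FilePermission, sibling files collapsed into "<dir>/*" once MIN_GROUP
    concrete files in one directory were observed (an assumed rule).
    Collapsing widens the grant to the union of the siblings' actions and to
    files never seen while learning; that is what manual review must check."""
    simplified = {}
    for codebase, classes in policy.items():
        simplified[codebase] = {}
        for perm_class, names in classes.items():
            dir_count = Counter()
            if perm_class == FILE_PERM:
                dir_count.update(posixpath.dirname(n) for n in names
                                 if not n.endswith(WILDCARDS))
            groups = defaultdict(list)  # target name -> observed action strings
            for name, actions in names.items():
                target = name
                if (perm_class == FILE_PERM and not name.endswith(WILDCARDS)
                        and dir_count[posixpath.dirname(name)] >= min_group):
                    target = posixpath.dirname(name) + "/*"
                groups[target].extend(actions.keys())
            simplified[codebase][perm_class] = {
                target: {_merge_actions(acts): {}} for target, acts in groups.items()
            }
    return simplified


def render(policy):
    """Render the nested policy as the 'grant codeBase' blocks of a Java policy file."""
    lines = []
    for codebase in sorted(policy):
        lines.append('grant codeBase "%s" {' % codebase)
        for perm_class in sorted(policy[codebase]):
            for name, action_map in sorted(policy[codebase][perm_class].items()):
                for actions in action_map:
                    entry = '    permission %s "%s"' % (perm_class, name)
                    if actions:  # RuntimePermission and friends carry no action list
                        entry += ', "%s"' % actions
                    lines.append(entry + ";")
        lines.append("};")
    return "\n".join(lines)
```

Running print(render(simplify(OBSERVED))) gives one grant block with the three upload files folded into "/opt/tomcat/temp/*", "delete,read" while the single blog.properties entry is kept as observed.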
43. PIE: Policy Verification
• So you’ve built the perfect security policy…
– It’s not too restrictive
– It’s not too permissive
– It’s already out-of-date
• How can I make sure today’s security policy doesn’t break tomorrow’s build?

44. PIE: Policy Verification
• Bake PIE into your QA process!
• You’re already thoroughly testing your application. (Right?)
• Let’s not only verify that the policy doesn’t break anything…
• Let’s also automatically update the policy with any observed violations.

47. PIE: Policy Verification
• The PIE Maven plugin will…
– Record the start-time of the test-run
– After the test-run is complete, query the server for any policy violations
– If there were violations:
• Update and simplify the policy
• Fail the Maven build
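The plugin's post-test step, as an added Python example rather than the PIE Maven plugin's own code: it parses the "Observed violation:" lines (the format shown on slide 50) out of the server log, keeps only those logged after the test run started, merges them into a copy of the enforced policy, and reports whether the build should fail. The timestamp prefix on the log lines and the flat {permission class: {name: {actions: {}}}} layout without a codebase level are assumptions.

```python
"""Gate a build on security-policy violations observed during a test run.
Added example; not the PIE Maven plugin's own code."""
import copy
import re
from datetime import datetime

# Constructed catalina.out excerpt.  The "Observed violation:" text follows the
# format on slide 50; the timestamp prefix is an assumption about the log layout.
LOG = """\
2015-04-27 09:58:12 Observed violation: ("java.io.FilePermission" "/opt/app/stale.log" "read")
2015-04-27 10:05:00 INFO Starting test run
2015-04-27 10:05:07 Observed violation: ("java.io.FilePermission" "/opt/app/blogs/new.xml" "read,write")
2015-04-27 10:05:09 Observed violation: ("java.lang.RuntimePermission" "getClassLoader")
2015-04-27 10:05:09 Observed violation: ("java.lang.RuntimePermission" "getClassLoader")
"""
RUN_START = datetime(2015, 4, 27, 10, 5, 0)

# Flat {permission class: {name: {actions: {}}}} layout; the codebase level of
# pie.sm.policy is left out here because the violation line does not carry it.
ENFORCED = {"java.io.FilePermission": {"/opt/app/blogs/*": {"read": {}}}}

VIOLATION_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?Observed violation: '
    r'\("(?P<cls>[^"]+)" "(?P<name>[^"]+)"(?: "(?P<actions>[^"]*)")?\)$')


def parse_violations(log_text, since):
    """Return the distinct (class, name, actions) tuples logged at or after SINCE."""
    seen = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.match(line)
        if not m:
            continue
        if datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S") < since:
            continue  # logged before this run; says nothing about this build
        tup = (m.group("cls"), m.group("name"), m.group("actions") or "")
        if tup not in seen:
            seen.append(tup)
    return seen


def verify_run(policy, log_text, run_start):
    """Emulate the plugin's post-test step: merge the run's violations into a
    copy of POLICY and return (updated_policy, added, should_fail).  ADDED lists
    the new grants for human review; SHOULD_FAIL is True whenever the policy
    had to change, so a build never passes on a silently widened policy."""
    updated = copy.deepcopy(policy)
    added = []
    for cls, name, actions in parse_violations(log_text, run_start):
        if actions in updated.get(cls, {}).get(name, {}):
            continue  # exact grant already present (server ran a stale policy)
        updated.setdefault(cls, {}).setdefault(name, {})[actions] = {}
        added.append((cls, name, actions))
    return updated, added, bool(added)
```

With the sample log, verify_run(ENFORCED, LOG, RUN_START) ignores the 09:58 entry, de-duplicates the repeated getClassLoader line, adds two grants and returns should_fail True.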
48. What Frameworks Does PIE Support?
• Running Servlet 3.0 (e.g. Tomcat)?
– Just drop the war in your container’s lib directory, or include PIE as a Maven dependency.
• Using Dropwizard?
– Add the Maven dependency and one line to your app’s config. (Details in the docs)
• Other frameworks easily added.

49. Extensibility
• Out-of-the-box support for
– Java Security Manager
– CSP
• These are written as modules; use them as a guide to write your own!
– The PIE project includes an example of integrating with application-specific usage of Spring Security

50. A Reprise: Struts 2
Remember our vulnerable version of Roller?

    $> cp pieConfig.learning.properties ../lib/pieConfig.properties
    $> ./startup.sh; mvn verify -Pselenium; ./shutdown.sh
    $> cp pieConfig.enforce.properties ../lib/pieConfig.properties
    $> ./startup.sh
    $> curl -X GET -G …
    $> tail -n 1 ../logs/catalina.out
    Observed violation: ("ognl.OgnlInvokePermission" "invoke.com.opensymphony.xwork2.ognl.SecurityMemberAccess.setAllowStaticMethodAccess")

51. Conclusions
• Tools exist for securing your web apps, but generally they aren’t getting used.
– Why not? It’s a discussion we should have.
• Our hypothesis: the barrier to entry and the associated risk are too high.
• PIE is an attempt to address these issues.
– Try it, use it, fork it, provide feedback!

52. Thank You
https://github.com/coverity/pie

53. References
1. Struts 2 Security Bulletin S2-022: https://struts.apache.org/docs/s2-022.html
2. Performance of the Java security manager: http://rewerse.net/publications/download/REWERSE-RP-2005-141.pdf
3. A Faster Content Security Policy (CSP): https://blog.mozilla.org/security/2014/09/10/faster-csp/