Scott Wlaschin, profile picture
Uploaded byScott Wlaschin
PDF, PPTX14,299 views

Designing with Capabilities

The document discusses the importance of capability-based design in API development, emphasizing that good security is inherently linked to good design. It explains how limiting the capabilities of API callers can prevent security risks and encourages practices such as minimizing exposed surface area. The talk integrates principles from both security and design to propose a systematic approach to building secure and flexible interfaces.

Embed presentation

Download as PDF, PPTX
Designing with capabilities for fun and profit @ScottWlaschin fsharpforfunandprofit.com/cap
Good security => Complicated I won’t like doing this
Good security => Complicated X
Security for free! ...which is good, because I’m lazy Good security == Good design I like doing this
The topic of this talk Not about OAuth, JWT etc Good security == Good design
Transparent Opaque It’s all about security, right?
Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, Temporibus autem quibus Dacei Megasystems Tech Inc necessitatibust aut officiis debitis auteo 2799 E Dragam Suite 7 quisquam saepe Itaque enieti Los Angeles CA 90002 ut et voluptates repudiandae sint et molestiae non recusandae. Itaque earum rerum hic tenetur a sapiente delectus, ut aut reiciendis voluptatibus maiores alias consequatur aut perferendis doloribus asperiores repellat. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Please deliver this letter A counterexample
Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, Temporibus autem quibus Dacei Megasystems Tech Inc necessitatibust aut officiis debitis auteo 2799 E Dragam Suite 7 quisquam saepe Itaque enieti Los Angeles CA 90002 ut et voluptates repudiandae sint et molestiae non recusandae. Itaque earum rerum hic tenetur a sapiente delectus, ut aut reiciendis voluptatibus maiores alias consequatur aut perferendis doloribus asperiores repellat. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Please deliver this letter It’s not just about security... ...hiding irrelevant information is good design!
EVOLUTION OF AN API
Evolution of an API (from the security point of view) Say that the UI needs to set a configuration option (e.g. DontShowThisMessageAgain) How can we stop a malicious caller doing bad things?
Version1 Give the caller the configuration file name interface IConfiguration { string GetConfigFilename(); } var filename = config.GetConfigFilename(); // open file // write new config // close file API Caller  A malicious caller has the ability to open and write to any file on the filesystem
Version 2 Give the caller aTextWriter interface IConfiguration { TextWriter GetConfigWriter(); } var writer = config.GetConfigWriter(); // write new config API Caller  A malicious caller can corrupt the config file We control which file is opened
Version 3 Give the caller a key/value interface interface IConfiguration { void SetConfig(string key, string value); } config.SetConfig( "DontShowThisMessageAgain", "True"); API Caller  A malicious caller can set the value to a non-boolean
Version 4 Give the caller a domain-centric interface enum MessageFlag { ShowThisMessageAgain, DontShowThisMessageAgain } interface IConfiguration { void SetMessageFlag(MessageFlag value); void SetConnectionString(ConnectionString value); void SetBackgroundColor(Color value); } API  What's to stop a malicious caller changing the connection string when they were only supposed to set the flag?
Version 5 Give the caller only the interface they need interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); } API  The caller can *only* do the thing we allow them to do.
Can’t get your work done Too much information passed in Just right Potential for abuse Principle of Least Authority (POLA) Too little information passed in Security spectrum
Evolution of the same API (from the design point of view)
DesignVersion1 Give the caller the configuration file name interface IConfiguration { string GetConfigFilename(); } API Bad design: Using a filename means we limit ourselves to file-based config files. Better design: A TextWriter would make the design more mockable.
DesignVersion 2 Give the caller aTextWriter interface IConfiguration { TextWriter GetConfigWriter(); } API Better design: A generic KeyValue store would make implementation choices more flexible. Bad design: Using a TextWriter means exposing a specific storage format
DesignVersion 3 Give the caller a key/value interface interface IConfiguration { void SetConfig(string key, string value); } API Bad design: A KeyValue store using strings means possible bugs. So we need to write validation and tests for that  Better design: A statically typed interface means no corruption checking code. 
DesignVersion 4 Give the caller a domain-centric interface enum MessageFlag { ShowThisMessageAgain, DontShowThisMessageAgain } interface IConfiguration { void SetMessageFlag(MessageFlag value); void SetConnectionString(ConnectionString value); void SetBackgroundColor(Color value); } API Bad design: An interface with too many methods violates the ISP. Better design: Reduce the number of available methods to one!
DesignVersion 5 Give the caller only the interface they need interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); } API Good design: The caller has no dependencies on anything else. Bonus: easy to mock! 
Can’t do anything Too many dependencies Just right Unnecessary coupling Interface Segregation Principle Too few dependencies Design spectrum
Ak.a. Minimize your surface area (to reduce chance of abuse) OO Design Guidelines Interface Segregation Principle Single Responsibility Principle, etc Security Guidelines Principle of Least Authority (POLA) Ak.a. Minimize your surface area (to reduce coupling, dependencies, etc)
Good security => Good design Good design => Good security
INTRODUCING “CAPABILITIES”
Capability based design • In a cap-based design, the caller can only do exactly one thing -- a "capability". • In the example, the caller has a capability to set the message flag, and that's all. Prevents both maliciousness and stupidity!
A one method interface is a capability interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); }
A one method interface is a function interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); } Action<MessageFlag> messageFlagCapability X
Capability-based security in the real world
What does “access-control” mean? • Preventing any access at all. • Limiting access to some things only. • Revoking access when you are no longer allowed. • Granting and delegating access to some subset of things. It’s not always about saying no!
Using capabilities to control access to a resource Secret Files Alice Bob X
Alternative for access control
Using auth/RBAC to control access to a resource Secret Files Alice Bob rejected accepted
A weakness in capabilities Secret Files Alice Bob  Anyone with the key can get access.
A weakness in auth/RBAC Secret Files Alice Bob 
A weakness in any security system! Secret Files Alice Bob Do you trust Alice? Then you also trust anyone whom Alice trusts too... (Or whom Alice can be tricked into trusting)
“Don’t prohibit what you can’t prevent”
Supplies Closet Alice Bob Secret Files X Capabilities support decentralized delegation
Supplies Closet Auth/RBAC systems are centralized Alice Bob accepted rejected Bob has only been working there for 6 months 
Auth/RBAC systems are centralized Alice “Please grant Bob access to the supplies closet” “Then revoke access after 20 minutes” Authorization System Can your system do this?
Supplies Closet Auth/RBAC systems are centralized Alice Bob “Here, Bob. You can borrow my swipe card” Credential Sharing
Central systems can revoke access Secret Files Alice rejected
How to revoke access in a cap-based system? Revoke?
How to revoke access in a cap-based system?
Demo: Capabilities as functions
DESIGNING AN API USING CAPABILITIES
Client Service Request Response Tic-Tac-Toe as a service Proper name is "Noughts and Crosses" btw
Tic-Tac-Toe API (obvious version) type TicTacToeRequest = { player: Player row: Row col: Column }
Tic-Tac-Toe API (obvious version) type TicTacToeResponse = { result : MoveResult display: DisplayInfo } type MoveResult = | KeepPlaying | GameWon of Player | GameTied
Demo:Tic-Tac-Toe
What kind of errors can happen? • A player can play an already played move • A player can play twice in a row • A player can forget to check the Result and keep playing
“Make illegal operations unrepresentable” Don’t let me do a bad thing and then tell me off for doing it... Yes, you could return errors, but...
Client Service New Game Available Moves Tic-Tac-Toe service with caps Nine available moves
Client Service 1st move Available Moves Tic-Tac-Toe service with caps Eight available moves
Client Service Available Moves Tic-Tac-Toe service with caps 2nd move Seven available moves
Client Service Available Moves Tic-Tac-Toe service with caps 3rd move Six available moves
Client Service No available Moves Tic-Tac-Toe service with caps Winning move
Tic-Tac-Toe API (cap-based version) type MoveCapability = unit -> TicTacToeResponse type NextMoveInfo = { playerToPlay : Player posToPlay : CellPosition capability : MoveCapability } These are for client information only. The player and position are baked into the capability
Tic-Tac-Toe API (cap-based version) type TicTacToeResponse = | KeepPlaying of (DisplayInfo * NextMoveInfo list) | GameWon of (DisplayInfo * Player) | GameTied of DisplayInfo
Tic-Tac-Toe API (cap-based version) type TicTacToeResponse = | KeepPlaying of (DisplayInfo * NextMoveInfo list) | GameWon of (DisplayInfo * Player) | GameTied of DisplayInfo Where did the "request" type go? Where’s the authorization?
Demo: Cap-based Api
What kind of errors can happen? • A player can play an already played move • A player can play twice in a row • A player can forget to check the Result and keep playing Is this good security or good design? All fixed now! 
HATEOAS Hypermedia As The Engine Of Application State “A REST client needs no prior knowledge about how to interact with any particular application or server beyond a generic understanding of hypermedia.” RESTful done right
How NOT to do HATEOAS POST /customers/ GET /customer/42 If you can guess the API you’re doing it wrong Security problem! Also, a design problem – too much coupling.
How to do HATEOAS POST /81f2300b618137d21d / GET /da3f93e69b98 You can only know what URIs to use by parsing the page Each of these URIs is a capability
Demo: HATEOAS
Some Benefits of HATEOAS • Client decoupled from server – The server owns the API model and can change it without breaking any clients – E.g. Change links to point to CDN – E.g. Versioning • Simpler clients in many cases – No need for client-side checking of moves • Explorable API – Choose your own adventure!
Client Service Login Available Capabilities Service API with caps Many available actions initially
Client Service Use a capability Available Capabilities Service API with caps Fewer available actions in a given state
CAPABILITY DRIVEN DESIGN Using these design techniques throughout your domain
Controller/ API Business Logic Database Client Where shall we put the authorization logic? But then any other path has complete access to the database 
Controller/ API Business Logic Database Client Where shall we put the authorization logic? But then it doesn’t have enough context 
Controller/ API Business Logic Database Client Where shall we put the authorization logic? Global Authorizer Are you doing this already?
public class CustomerController : ApiController { readonly ICustomerDb _db; public CustomerController(ICustomerDb db) { _db = db; } [Route("customers/{customerId}")] [HttpGet] [GetCustomerProfileAuth] public IHttpActionResult Get(int customerId) { var custId = new CustomerId(customerId); var cust = _db.GetProfile(custId); var dto = DtoConverter.CustomerToDto(cust); return Ok(dto); }
public interface ICustomerDb { CustomerProfile GetProfile(CustomerId id); void UpdateProfile(CustomerId id, CustomerProfile cust); void CreateAccount(CustomerId id, CustomerProfile cust); void DeleteAccount(CustomerId id); void UpdateLoginEmail(CustomerId id, string email); void UpdatePassword(CustomerId id, string password); } How much authority do you really need?
Controller /API Business Logic Database Use Case Controller /API Business Logic Database Use Case Controller /API Business Logic Database Use Case Global Authorizer Every controller has one method
Controller /API Business Logic Database Use Case Controller /API Business Logic Database Use Case Controller /API Business Logic Database Use Case Global Authorizer Vertical slices Don’t mention microservices
Controller /API Business Logic Database Use Case Global Authorizer Services
Delegation of capabilities
Delegation with restriction
type MessageFlag = ShowThisMessageAgain | DontShowThisMessageAgain type ConfigurationCapabilities = { GetMessageFlag : unit -> MessageFlag SetMessageFlag : MessageFlag -> unit GetBackgroundColor : unit -> Color SetBackgroundColor : Color -> unit GetConnectionString : unit -> ConnectionString SetConnectionString : ConnectionString -> unit } ◘
let dontShowMessageAgainDialogBox capabilities = let getFlag,setFlag = capabilities let ctrl= new CheckBox( Text="Don't show this message again") ctrl.Checked <- getFlag() // etc
Demo: Vertical slices and delegation
Controller /API Business Logic Database Global Authorizer Passing capabilities
Controller /API Business Logic Database Global Authorizer Passing tokens Overkill? Too complicated to implement?
Controller /API Business Logic Database Inject a value of specific type Global Authorizer Passing tokens as types Represent tokens by types!
Demo: Using types for access tokens
What have we covered? • Don’t use complicated security patterns – This will ensure that they are never used, or used wrong. – Don’t rely on other people doing the right thing. – Don’t rely on other people reading the documentation! • Do use techniques where you get security for free. – You can be lazy! – You don’t have to remember to do anything.
What have we covered? • Don’t develop first, add security later – Right after you implement the “quality” module • Do use security-driven design – Bonus: get a modular architecture!
What have we covered? • Don’t only do security at the outermost layer • Do use POLA everywhere, which ensures that you have minimal dependencies.
Common questions • How do you pass these capabilities around? – Dependency injection or equivalent • Are you saying that all external IO should be passed around as capabilities? – Yes!You should never access any ambient authority. – You should be doing this anyway for mocking.
Common questions • Won’t there be too many parameters? – Less than you think! – Encourages vertical slices (per use-case, scenario) – “Functional core, imperative shell” • Can’t this be bypassed by reflection or other backdoors? – Yes. This is really all about design not about total security.
Resources for capability-based thinking • LMGTFY “Capability based security” • “Lazy developers guide to secure computing” talk by Marc Stiegler • erights.org • Google's Caja built over JavaScript • Emily, a capability based language (via Ocaml)
Thanks! @ScottWlaschin fsharpforfunandprofit.com/cap Contact me Slides and video here Let us know if you need help with F#

More Related Content

PDF
The lazy programmer's guide to writing thousands of tests
byScott Wlaschin
 
PDF
Dr Frankenfunctor and the Monadster
byScott Wlaschin
 
PDF
Reinventing the Transaction Script (NDC London 2020)
byScott Wlaschin
 
PDF
Enterprise Tic-Tac-Toe
byScott Wlaschin
 
PDF
Spring security oauth2
byaxykim00
 
PDF
Functional Programming Patterns (NDC London 2014)
byScott Wlaschin
 
PPT
Lecture 5 sorting and searching
byNada G.Youssef
 
PPTX
[Webinar] Qt Test-Driven Development Using Google Test and Google Mock
byICS
 
The lazy programmer's guide to writing thousands of tests
byScott Wlaschin
 
Dr Frankenfunctor and the Monadster
byScott Wlaschin
 
Reinventing the Transaction Script (NDC London 2020)
byScott Wlaschin
 
Enterprise Tic-Tac-Toe
byScott Wlaschin
 
Spring security oauth2
byaxykim00
 
Functional Programming Patterns (NDC London 2014)
byScott Wlaschin
 
Lecture 5 sorting and searching
byNada G.Youssef
 
[Webinar] Qt Test-Driven Development Using Google Test and Google Mock
byICS
 

What's hot

PDF
김민욱, (달빛조각사) 엘릭서를 이용한 mmorpg 서버 개발, NDC2019
bymin woog kim
 
PDF
Functional Programming 101 with Scala and ZIO @FunctionalWorld
byJorge Vásquez
 
PDF
Odoo - From v7 to v8: the new api
byOdoo
 
PDF
The aggregate function - from sequential and parallel folds to parallel aggre...
byPhilip Schwarz
 
PDF
KGC 2016 오픈소스 네트워크 엔진 Super socket 사용하기
by흥배 최
 
PDF
JAVA PROGRAMMING - The Collections Framework
byJyothishmathi Institute of Technology and Science Karimnagar
 
PDF
Secrets of Performance Tuning Java on Kubernetes
byBruno Borges
 
PDF
Multi thread game server
byOnGameServer
 
PPTX
Breath first Search and Depth first search
byKirti Verma
 
PPTX
Capabilities for Resources and Effects
byMartin Odersky
 
PPTX
Large Scale Graph Analytics with JanusGraph
byP. Taylor Goetz
 
PPTX
Building secure applications with keycloak
byAbhishek Koserwal
 
PDF
객체지향 개념 (쫌 아는체 하기)
bySeung-June Lee
 
PPTX
Large Scale Graph Analytics with JanusGraph
byDataWorks Summit
 
PPTX
How Hashmap works internally in java
byRamakrishna Joshi
 
PPTX
Docker 로 Linux 없이 Linux 환경에서 개발하기
byiFunFactory Inc.
 
PPTX
Testing an onion architecture - done right
byMichel Schudel
 
PPTX
Exception handling in java
byLovely Professional University
 
PPT
GCGC- CGCII 서버 엔진에 적용된 기술 (7) - Multiple Inhertance
by상현 조
 
PPSX
Java annotations
byFAROOK Samath
 
김민욱, (달빛조각사) 엘릭서를 이용한 mmorpg 서버 개발, NDC2019
bymin woog kim
 
Functional Programming 101 with Scala and ZIO @FunctionalWorld
byJorge Vásquez
 
Odoo - From v7 to v8: the new api
byOdoo
 
The aggregate function - from sequential and parallel folds to parallel aggre...
byPhilip Schwarz
 
KGC 2016 오픈소스 네트워크 엔진 Super socket 사용하기
by흥배 최
 
JAVA PROGRAMMING - The Collections Framework
byJyothishmathi Institute of Technology and Science Karimnagar
 
Secrets of Performance Tuning Java on Kubernetes
byBruno Borges
 
Multi thread game server
byOnGameServer
 
Breath first Search and Depth first search
byKirti Verma
 
Capabilities for Resources and Effects
byMartin Odersky
 
Large Scale Graph Analytics with JanusGraph
byP. Taylor Goetz
 
Building secure applications with keycloak
byAbhishek Koserwal
 
객체지향 개념 (쫌 아는체 하기)
bySeung-June Lee
 
Large Scale Graph Analytics with JanusGraph
byDataWorks Summit
 
How Hashmap works internally in java
byRamakrishna Joshi
 
Docker 로 Linux 없이 Linux 환경에서 개발하기
byiFunFactory Inc.
 
Testing an onion architecture - done right
byMichel Schudel
 
Exception handling in java
byLovely Professional University
 
GCGC- CGCII 서버 엔진에 적용된 기술 (7) - Multiple Inhertance
by상현 조
 
Java annotations
byFAROOK Samath
 

Similar to Designing with Capabilities

PDF
ProdSec: A Technical Approach
byJeremy Brown
 
PPTX
Information Security and the SDLC
byBDPA Charlotte - Information Technology Thought Leaders
 
PPTX
Security Design Concepts
byMohammed Fazuluddin
 
PDF
An Introduction to Secure Application Development
byChristopher Frenz
 
PDF
Designing with capabilities (DDD-EU 2017)
byScott Wlaschin
 
PPTX
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
byRyan Elkins
 
PDF
AppSec in an Agile World
byDavid Lindner
 
PPTX
Design Principles
byKartheek Nagasuri
 
PPTX
Designing Flexibility in Software to Increase Security
bylawmoore
 
PDF
Secure .NET programming
byAnte Gulam
 
PPTX
00. introduction to app sec v3
byEoin Keary
 
PPT
Intro to-ssdl--lone-star-php-2013
bynanderoo
 
PPT
Software Security in the Real World
byMark Curphey
 
PPTX
Ethical Hacking Conference 2015- Building Secure Products -a perspective
byDr. Anish Cheriyan (PhD)
 
PDF
Streamlining AppSec Policy Definition.pptx
bytmbainjr131
 
PPTX
2009 Dotnet Information Day: More effective c#
byDaniel Fisher
 
PPTX
Integrating security into Continuous Delivery
byTom Stiehm
 
PPTX
BASC presentation on security and application architecture
bywbjwilliams3
 
PDF
Privileged Access Control & Task Automation: A Win Double of Security and Bus...
byDigital Transformation EXPO Event Series
 
PDF
04812167
byankushsawarkar
 
ProdSec: A Technical Approach
byJeremy Brown
 
Information Security and the SDLC
byBDPA Charlotte - Information Technology Thought Leaders
 
Security Design Concepts
byMohammed Fazuluddin
 
An Introduction to Secure Application Development
byChristopher Frenz
 
Designing with capabilities (DDD-EU 2017)
byScott Wlaschin
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
byRyan Elkins
 
AppSec in an Agile World
byDavid Lindner
 
Design Principles
byKartheek Nagasuri
 
Designing Flexibility in Software to Increase Security
bylawmoore
 
Secure .NET programming
byAnte Gulam
 
00. introduction to app sec v3
byEoin Keary
 
Intro to-ssdl--lone-star-php-2013
bynanderoo
 
Software Security in the Real World
byMark Curphey
 
Ethical Hacking Conference 2015- Building Secure Products -a perspective
byDr. Anish Cheriyan (PhD)
 
Streamlining AppSec Policy Definition.pptx
bytmbainjr131
 
2009 Dotnet Information Day: More effective c#
byDaniel Fisher
 
Integrating security into Continuous Delivery
byTom Stiehm
 
BASC presentation on security and application architecture
bywbjwilliams3
 
Privileged Access Control & Task Automation: A Win Double of Security and Bus...
byDigital Transformation EXPO Event Series
 
04812167
byankushsawarkar
 

More from Scott Wlaschin

PDF
Thirteen ways of looking at a turtle
byScott Wlaschin
 
PDF
Domain Driven Design with the F# type System -- F#unctional Londoners 2014
byScott Wlaschin
 
PDF
Building confidence in concurrent code with a model checker: TLA+ for program...
byScott Wlaschin
 
PDF
Domain Modeling Made Functional (DevTernity 2022)
byScott Wlaschin
 
PDF
The Functional Programming Toolkit (NDC Oslo 2019)
byScott Wlaschin
 
PDF
Pipeline oriented programming
byScott Wlaschin
 
PDF
Functional Design Patterns (DevTernity 2018)
byScott Wlaschin
 
PDF
The Functional Programmer's Toolkit (NDC London 2019)
byScott Wlaschin
 
PDF
Domain Modeling with FP (DDD Europe 2020)
byScott Wlaschin
 
PDF
Functional Programming Patterns (BuildStuff '14)
byScott Wlaschin
 
PDF
The Power of Composition
byScott Wlaschin
 
PDF
Domain Modeling Made Functional (KanDDDinsky 2019)
byScott Wlaschin
 
PDF
The Power Of Composition (DotNext 2019)
byScott Wlaschin
 
PDF
Four Languages From Forty Years Ago (NewCrafts 2019)
byScott Wlaschin
 
PDF
An introduction to property based testing
byScott Wlaschin
 
PDF
F# for C# Programmers
byScott Wlaschin
 
PDF
Swift vs. Language X
byScott Wlaschin
 
PDF
Four Languages From Forty Years Ago
byScott Wlaschin
 
PDF
The Power of Composition (NDC Oslo 2020)
byScott Wlaschin
 
PDF
Doge-driven design
byScott Wlaschin
 
Thirteen ways of looking at a turtle
byScott Wlaschin
 
Domain Driven Design with the F# type System -- F#unctional Londoners 2014
byScott Wlaschin
 
Building confidence in concurrent code with a model checker: TLA+ for program...
byScott Wlaschin
 
Domain Modeling Made Functional (DevTernity 2022)
byScott Wlaschin
 
The Functional Programming Toolkit (NDC Oslo 2019)
byScott Wlaschin
 
Pipeline oriented programming
byScott Wlaschin
 
Functional Design Patterns (DevTernity 2018)
byScott Wlaschin
 
The Functional Programmer's Toolkit (NDC London 2019)
byScott Wlaschin
 
Domain Modeling with FP (DDD Europe 2020)
byScott Wlaschin
 
Functional Programming Patterns (BuildStuff '14)
byScott Wlaschin
 
The Power of Composition
byScott Wlaschin
 
Domain Modeling Made Functional (KanDDDinsky 2019)
byScott Wlaschin
 
The Power Of Composition (DotNext 2019)
byScott Wlaschin
 
Four Languages From Forty Years Ago (NewCrafts 2019)
byScott Wlaschin
 
An introduction to property based testing
byScott Wlaschin
 
F# for C# Programmers
byScott Wlaschin
 
Swift vs. Language X
byScott Wlaschin
 
Four Languages From Forty Years Ago
byScott Wlaschin
 
The Power of Composition (NDC Oslo 2020)
byScott Wlaschin
 
Doge-driven design
byScott Wlaschin
 

Recently uploaded

PPTX
apidays Australia 2025 | Hey man, which one will deploy much faster, API or kid?
byapidays
 
PDF
Edge AI vs Cloud AI: Why Frontend Developers Must Master On-Device Machine Le...
byWorkfall hire developers
 
PPTX
wAIred_RabobankWRProducts__22012026.pptx
bySimonedeGijt
 
PDF
A Complete Guide to Progressive Web App and Their Development
byMaxtra Technologies
 
PDF
Introduction to Microsoft 365 Security and Compliance.pdf
byjohnsonsouza5
 
PDF
apidays Australia 2025 | APIs in Government: A blueprint to automating Busine...
byapidays
 
PDF
apidays Australia 2025 | Designing with workflows: Using Arazzo and OpenAPI f...
byapidays
 
PDF
What-Every-Tech-Leader-Needs-to-Know-About-AI-in-2025.pdf
byrishabhxbohra
 
PDF
Projectlify: Everything You Need to Get Things Done
byRafal Ksiazek
 
PPTX
apidays Australia 2025 | Advanced GraphQL Security with AI Driven Threat Dete...
byapidays
 
PDF
Gojek Clone Business Strategy: From Launch to Scale
byV3CUBE TECHNOLABS
 
PDF
Salesforce Careers in 2026_ Trends, Certifications, and Must-Have Skills
byDele Amefo
 
PDF
Malware_Detection_A_Framework_for_Reverse_Engineered_Android_Applications_Thr...
byKiritiyadavGoskula
 
PDF
IoT/OT Security: Penetration Testing for an Expanding Attack Surface.pdf
byCybernetic Global Intelligence
 
PDF
09920-2 JE40CP MB 48.4GY02.021 Schematic Acer Aspire 4741.pdf
bydakjuel1
 
PDF
contusion pulmonar y antibiotico en el atls
byMARIAPETRONILAMONTAO
 
PDF
Postmates Clone App Delivery Service Business Solution.pdf
byV3CUBE TECHNOLABS
 
PPTX
Anomalies in Relational Database Management systems.pptx
byamutham12
 
apidays Australia 2025 | Hey man, which one will deploy much faster, API or kid?
byapidays
 
Edge AI vs Cloud AI: Why Frontend Developers Must Master On-Device Machine Le...
byWorkfall hire developers
 
wAIred_RabobankWRProducts__22012026.pptx
bySimonedeGijt
 
A Complete Guide to Progressive Web App and Their Development
byMaxtra Technologies
 
Introduction to Microsoft 365 Security and Compliance.pdf
byjohnsonsouza5
 
apidays Australia 2025 | APIs in Government: A blueprint to automating Busine...
byapidays
 
apidays Australia 2025 | Designing with workflows: Using Arazzo and OpenAPI f...
byapidays
 
What-Every-Tech-Leader-Needs-to-Know-About-AI-in-2025.pdf
byrishabhxbohra
 
Projectlify: Everything You Need to Get Things Done
byRafal Ksiazek
 
apidays Australia 2025 | Advanced GraphQL Security with AI Driven Threat Dete...
byapidays
 
Gojek Clone Business Strategy: From Launch to Scale
byV3CUBE TECHNOLABS
 
Salesforce Careers in 2026_ Trends, Certifications, and Must-Have Skills
byDele Amefo
 
Malware_Detection_A_Framework_for_Reverse_Engineered_Android_Applications_Thr...
byKiritiyadavGoskula
 
IoT/OT Security: Penetration Testing for an Expanding Attack Surface.pdf
byCybernetic Global Intelligence
 
09920-2 JE40CP MB 48.4GY02.021 Schematic Acer Aspire 4741.pdf
bydakjuel1
 
contusion pulmonar y antibiotico en el atls
byMARIAPETRONILAMONTAO
 
Postmates Clone App Delivery Service Business Solution.pdf
byV3CUBE TECHNOLABS
 
Anomalies in Relational Database Management systems.pptx
byamutham12
 

Designing with Capabilities

  • 1.
    Designing with capabilities forfun and profit @ScottWlaschin fsharpforfunandprofit.com/cap
  • 3.
    Good security =>Complicated I won’t like doing this
  • 4.
    Good security =>Complicated X
  • 5.
    Security for free! ...whichis good, because I’m lazy Good security == Good design I like doing this
  • 6.
    The topic ofthis talk Not about OAuth, JWT etc Good security == Good design
  • 7.
  • 8.
    Sed ut perspiciatisunde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, Temporibus autem quibus Dacei Megasystems Tech Inc necessitatibust aut officiis debitis auteo 2799 E Dragam Suite 7 quisquam saepe Itaque enieti Los Angeles CA 90002 ut et voluptates repudiandae sint et molestiae non recusandae. Itaque earum rerum hic tenetur a sapiente delectus, ut aut reiciendis voluptatibus maiores alias consequatur aut perferendis doloribus asperiores repellat. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Please deliver this letter A counterexample
  • 9.
    Sed ut perspiciatisunde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, Temporibus autem quibus Dacei Megasystems Tech Inc necessitatibust aut officiis debitis auteo 2799 E Dragam Suite 7 quisquam saepe Itaque enieti Los Angeles CA 90002 ut et voluptates repudiandae sint et molestiae non recusandae. Itaque earum rerum hic tenetur a sapiente delectus, ut aut reiciendis voluptatibus maiores alias consequatur aut perferendis doloribus asperiores repellat. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Please deliver this letter It’s not just about security... ...hiding irrelevant information is good design!
  • 10.
  • 11.
    Evolution of anAPI (from the security point of view) Say that the UI needs to set a configuration option (e.g. DontShowThisMessageAgain) How can we stop a malicious caller doing bad things?
  • 12.
    Version1 Give the callerthe configuration file name interface IConfiguration { string GetConfigFilename(); } var filename = config.GetConfigFilename(); // open file // write new config // close file API Caller  A malicious caller has the ability to open and write to any file on the filesystem
  • 13.
    Version 2 Give thecaller aTextWriter interface IConfiguration { TextWriter GetConfigWriter(); } var writer = config.GetConfigWriter(); // write new config API Caller  A malicious caller can corrupt the config file We control which file is opened
  • 14.
    Version 3 Give thecaller a key/value interface interface IConfiguration { void SetConfig(string key, string value); } config.SetConfig( "DontShowThisMessageAgain", "True"); API Caller  A malicious caller can set the value to a non-boolean
  • 15.
    Version 4 Give thecaller a domain-centric interface enum MessageFlag { ShowThisMessageAgain, DontShowThisMessageAgain } interface IConfiguration { void SetMessageFlag(MessageFlag value); void SetConnectionString(ConnectionString value); void SetBackgroundColor(Color value); } API  What's to stop a malicious caller changing the connection string when they were only supposed to set the flag?
  • 16.
    Version 5 Give thecaller only the interface they need interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); } API  The caller can *only* do the thing we allow them to do.
  • 17.
    Can’t get your workdone Too much information passed in Just right Potential for abuse Principle of Least Authority (POLA) Too little information passed in Security spectrum
  • 18.
    Evolution of thesame API (from the design point of view)
  • 19.
    DesignVersion1 Give the callerthe configuration file name interface IConfiguration { string GetConfigFilename(); } API Bad design: Using a filename means we limit ourselves to file-based config files. Better design: A TextWriter would make the design more mockable.
  • 20.
    DesignVersion 2 Give thecaller aTextWriter interface IConfiguration { TextWriter GetConfigWriter(); } API Better design: A generic KeyValue store would make implementation choices more flexible. Bad design: Using a TextWriter means exposing a specific storage format
  • 21.
    DesignVersion 3 Give thecaller a key/value interface interface IConfiguration { void SetConfig(string key, string value); } API Bad design: A KeyValue store using strings means possible bugs. So we need to write validation and tests for that  Better design: A statically typed interface means no corruption checking code. 
  • 22.
    DesignVersion 4 Give thecaller a domain-centric interface enum MessageFlag { ShowThisMessageAgain, DontShowThisMessageAgain } interface IConfiguration { void SetMessageFlag(MessageFlag value); void SetConnectionString(ConnectionString value); void SetBackgroundColor(Color value); } API Bad design: An interface with too many methods violates the ISP. Better design: Reduce the number of available methods to one!
  • 23.
    DesignVersion 5 Give thecaller only the interface they need interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); } API Good design: The caller has no dependencies on anything else. Bonus: easy to mock! 
  • 24.
    Can’t do anything Too manydependencies Just right Unnecessary coupling Interface Segregation Principle Too few dependencies Design spectrum
  • 25.
    Ak.a. Minimize yoursurface area (to reduce chance of abuse) OO Design Guidelines Interface Segregation Principle Single Responsibility Principle, etc Security Guidelines Principle of Least Authority (POLA) Ak.a. Minimize your surface area (to reduce coupling, dependencies, etc)
  • 26.
    Good security =>Good design Good design => Good security
  • 27.
  • 28.
    Capability based design •In a cap-based design, the caller can only do exactly one thing -- a "capability". • In the example, the caller has a capability to set the message flag, and that's all. Prevents both maliciousness and stupidity!
  • 29.
    A one methodinterface is a capability interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); }
  • 30.
    A one methodinterface is a function interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); } Action<MessageFlag> messageFlagCapability X
  • 31.
  • 34.
    What does “access-control”mean? • Preventing any access at all. • Limiting access to some things only. • Revoking access when you are no longer allowed. • Granting and delegating access to some subset of things. It’s not always about saying no!
  • 35.
    Using capabilities to controlaccess to a resource Secret Files Alice Bob X
  • 36.
  • 37.
    Using auth/RBAC to controlaccess to a resource Secret Files Alice Bob rejected accepted
  • 38.
    A weakness incapabilities Secret Files Alice Bob  Anyone with the key can get access.
  • 39.
    A weakness inauth/RBAC Secret Files Alice Bob 
  • 40.
    A weakness inany security system! Secret Files Alice Bob Do you trust Alice? Then you also trust anyone whom Alice trusts too... (Or whom Alice can be tricked into trusting)
  • 41.
    “Don’t prohibit what youcan’t prevent”
  • 42.
  • 43.
    Supplies Closet Auth/RBAC systems are centralized Alice Bobaccepted rejected Bob has only been working there for 6 months 
  • 44.
    Auth/RBAC systems are centralized Alice “Pleasegrant Bob access to the supplies closet” “Then revoke access after 20 minutes” Authorization System Can your system do this?
  • 45.
    Supplies Closet Auth/RBAC systems are centralized Alice Bob “Here,Bob. You can borrow my swipe card” Credential Sharing
  • 46.
    Central systems canrevoke access Secret Files Alice rejected
  • 47.
    How to revokeaccess in a cap-based system? Revoke?
  • 48.
    How to revokeaccess in a cap-based system?
  • 49.
  • 50.
  • 51.
    Client Service Request Response Tic-Tac-Toe asa service Proper name is "Noughts and Crosses" btw
  • 52.
    Tic-Tac-Toe API (obviousversion) type TicTacToeRequest = { player: Player row: Row col: Column }
  • 53.
    Tic-Tac-Toe API (obviousversion) type TicTacToeResponse = { result : MoveResult display: DisplayInfo } type MoveResult = | KeepPlaying | GameWon of Player | GameTied
  • 54.
  • 55.
    What kind oferrors can happen? • A player can play an already played move • A player can play twice in a row • A player can forget to check the Result and keep playing
  • 56.
    “Make illegal operations unrepresentable” Don’tlet me do a bad thing and then tell me off for doing it... Yes, you could return errors, but...
  • 57.
    Client Service New Game AvailableMoves Tic-Tac-Toe service with caps Nine available moves
  • 58.
    Client Service 1st move AvailableMoves Tic-Tac-Toe service with caps Eight available moves
  • 59.
    Client Service Available Moves Tic-Tac-Toeservice with caps 2nd move Seven available moves
  • 60.
    Client Service Available Moves Tic-Tac-Toeservice with caps 3rd move Six available moves
  • 61.
    Client Service No available Moves Tic-Tac-Toeservice with caps Winning move
  • 62.
    Tic-Tac-Toe API (cap-basedversion) type MoveCapability = unit -> TicTacToeResponse type NextMoveInfo = { playerToPlay : Player posToPlay : CellPosition capability : MoveCapability } These are for client information only. The player and position are baked into the capability
  • 63.
    Tic-Tac-Toe API (cap-basedversion) type TicTacToeResponse = | KeepPlaying of (DisplayInfo * NextMoveInfo list) | GameWon of (DisplayInfo * Player) | GameTied of DisplayInfo
  • 64.
    Tic-Tac-Toe API (cap-basedversion) type TicTacToeResponse = | KeepPlaying of (DisplayInfo * NextMoveInfo list) | GameWon of (DisplayInfo * Player) | GameTied of DisplayInfo Where did the "request" type go? Where’s the authorization?
  • 65.
  • 66.
    What kind oferrors can happen? • A player can play an already played move • A player can play twice in a row • A player can forget to check the Result and keep playing Is this good security or good design? All fixed now! 
  • 67.
    HATEOAS Hypermedia As TheEngine Of Application State “A REST client needs no prior knowledge about how to interact with any particular application or server beyond a generic understanding of hypermedia.” RESTful done right
  • 68.
    How NOT todo HATEOAS POST /customers/ GET /customer/42 If you can guess the API you’re doing it wrong Security problem! Also, a design problem – too much coupling.
  • 69.
    How to doHATEOAS POST /81f2300b618137d21d / GET /da3f93e69b98 You can only know what URIs to use by parsing the page Each of these URIs is a capability
  • 70.
  • 71.
    Some Benefits ofHATEOAS • Client decoupled from server – The server owns the API model and can change it without breaking any clients – E.g. Change links to point to CDN – E.g. Versioning • Simpler clients in many cases – No need for client-side checking of moves • Explorable API – Choose your own adventure!
  • 72.
    Client Service Login Available Capabilities Service APIwith caps Many available actions initially
  • 73.
    Client Service Use a capability Available Capabilities ServiceAPI with caps Fewer available actions in a given state
  • 74.
    CAPABILITY DRIVEN DESIGN Usingthese design techniques throughout your domain
  • 75.
    Controller/ API Business Logic Database Client Where shallwe put the authorization logic? But then any other path has complete access to the database 
  • 76.
    Controller/ API Business Logic Database Client Where shallwe put the authorization logic? But then it doesn’t have enough context 
  • 77.
    Controller/ API Business Logic Database Client Where shallwe put the authorization logic? Global Authorizer Are you doing this already?
  • 78.
    public class CustomerController: ApiController { readonly ICustomerDb _db; public CustomerController(ICustomerDb db) { _db = db; } [Route("customers/{customerId}")] [HttpGet] [GetCustomerProfileAuth] public IHttpActionResult Get(int customerId) { var custId = new CustomerId(customerId); var cust = _db.GetProfile(custId); var dto = DtoConverter.CustomerToDto(cust); return Ok(dto); }
  • 79.
    public interface ICustomerDb { CustomerProfileGetProfile(CustomerId id); void UpdateProfile(CustomerId id, CustomerProfile cust); void CreateAccount(CustomerId id, CustomerProfile cust); void DeleteAccount(CustomerId id); void UpdateLoginEmail(CustomerId id, string email); void UpdatePassword(CustomerId id, string password); } How much authority do you really need?
  • 80.
  • 81.
  • 82.
  • 83.
  • 84.
  • 85.
    type MessageFlag = ShowThisMessageAgain| DontShowThisMessageAgain type ConfigurationCapabilities = { GetMessageFlag : unit -> MessageFlag SetMessageFlag : MessageFlag -> unit GetBackgroundColor : unit -> Color SetBackgroundColor : Color -> unit GetConnectionString : unit -> ConnectionString SetConnectionString : ConnectionString -> unit } ◘
  • 86.
    let dontShowMessageAgainDialogBox capabilities= let getFlag,setFlag = capabilities let ctrl= new CheckBox( Text="Don't show this message again") ctrl.Checked <- getFlag() // etc
  • 87.
  • 88.
  • 89.
  • 90.
    Controller /API Business Logic Database Inject a value ofspecific type Global Authorizer Passing tokens as types Represent tokens by types!
  • 91.
    Demo: Using types foraccess tokens
  • 92.
    What have wecovered? • Don’t use complicated security patterns – This will ensure that they are never used, or used wrong. – Don’t rely on other people doing the right thing. – Don’t rely on other people reading the documentation! • Do use techniques where you get security for free. – You can be lazy! – You don’t have to remember to do anything.
  • 93.
    What have wecovered? • Don’t develop first, add security later – Right after you implement the “quality” module • Do use security-driven design – Bonus: get a modular architecture!
  • 94.
    What have wecovered? • Don’t only do security at the outermost layer • Do use POLA everywhere, which ensures that you have minimal dependencies.
  • 95.
    Common questions • Howdo you pass these capabilities around? – Dependency injection or equivalent • Are you saying that all external IO should be passed around as capabilities? – Yes!You should never access any ambient authority. – You should be doing this anyway for mocking.
  • 96.
    Common questions • Won’tthere be too many parameters? – Less than you think! – Encourages vertical slices (per use-case, scenario) – “Functional core, imperative shell” • Can’t this be bypassed by reflection or other backdoors? – Yes. This is really all about design not about total security.
  • 97.
    Resources for capability-basedthinking • LMGTFY “Capability based security” • “Lazy developers guide to secure computing” talk by Marc Stiegler • erights.org • Google's Caja built over JavaScript • Emily, a capability based language (via Ocaml)
  • 98.