Your Business is under Attack; Arm yourself with Domain Driven Security
@danbjson, @DanielDeogun
JavaZone
Oslo, Sept 7th 2016
@danbjson, @DanielDeogun #DomainDrivenSecurity
About Us
Omegapoint: Umeå, Malmö, Göteborg, Falun, New York, Stockholm
Daniel Deogun, Coder and Quality Defender
Dan Bergh Johnsson, Secure Domain Philosopher
Key Take-Aways
• Security through Clarity: Be specific rather than generic.
• Domain knowledge distilled into code makes a difference.
• Be aware of your contexts and boundaries.
What is Domain Driven Security?
“Domain Driven Security is about taking ideas from DDD and using them as tools to address security concerns, even though the tools were not originally designed specifically for security issues.”
- Dan Bergh Johnsson, Dr. John Wilander [2009]
http://dearjunior.blogspot.be/2009/09/introducing-domain-driven-security.html
Attacks From A DDD Perspective
(Four quadrants: Simple Technical / Complex Technical on one axis, Simple Domain / Complex Domain on the other)
Purchasing
“Un-encyclopedia” [Encyclopedia]
Technical Solution [Encyclopedia]
OWASP: validate input data
Book Retail Domain (quantity checks found in the code):
  isTrue(qt > 0)
  if(amount >= 0)
  if(!(qty < 0))
  input.matches("[0-9]+")
  if(parseInt(input) > 0)
  if(qt > 0)
  if(amt > -1)
Analysis à la DDD
• Observation
  • Quantity is modelled as integer
  • Quantity is an implicit concept
• Analysis
  • Modelling is incomplete or missing

Analysis à la DDD
-1 : Integer
-1 : Quantity
OrderLine {ISBN, Quantity}
Quantity made explicit - a good start
import static org.apache.commons.lang3.Validate.isTrue;

public final class Quantity {
    public final int value;

    // Fails fast on construction: a Quantity can never hold zero or a negative number
    public Quantity(final int value) {
        isTrue(value > 0, "Quantity must be greater than zero. Got: %s", value);
        this.value = value;
    }
    …
}
Ubiquitous Domain Primitives
Library of domain primitives
• Standard (e.g. ISBN)
• Specific (e.g. Quantity)
Before: void buyBook(String, int)
After:  void buyBook(ISBN, Quantity)
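An added example (not code from the slides) of a "standard" domain primitive: an ISBN-13 value object that checks length, lexeme and check digit in its constructor, so that buyBook(ISBN, Quantity) can only ever be handed a well-formed ISBN. It assumes ISBN-13 and Apache Commons Lang's Validate for isTrue/notNull.

```java
import java.util.Objects;
import static org.apache.commons.lang3.Validate.isTrue;
import static org.apache.commons.lang3.Validate.notNull;

// Standard domain primitive: an ISBN-13 (hyphens allowed on input, stored without them)
public final class ISBN {
    private static final int MAX_RAW_LENGTH = 17;   // 13 digits plus up to 4 hyphens

    public final String value;

    public ISBN(final String raw) {
        notNull(raw, "ISBN must not be null");
        // Validation order: length, then lexeme, then semantics (the check digit)
        isTrue(raw.length() <= MAX_RAW_LENGTH, "ISBN too long: %s chars", raw.length());
        final String digits = raw.replace("-", "");
        isTrue(digits.matches("97[89][0-9]{10}"), "Not an ISBN-13: %s", raw);
        isTrue(checksumOk(digits), "ISBN-13 check digit does not match: %s", raw);
        this.value = digits;
    }

    // ISBN-13: digits weighted 1,3,1,3,... (check digit included) must sum to a multiple of 10
    private static boolean checksumOk(final String digits) {
        int sum = 0;
        for (int i = 0; i < 13; i++) {
            sum += (digits.charAt(i) - '0') * (i % 2 == 0 ? 1 : 3);
        }
        return sum % 10 == 0;
    }

    @Override public boolean equals(final Object o) {
        return o instanceof ISBN && value.equals(((ISBN) o).value);
    }
    @Override public int hashCode() { return Objects.hash(value); }
    @Override public String toString() { return value; }

    // With the primitive in place the signature becomes buyBook(ISBN, Quantity) instead of buyBook(String, int)
    public static void main(final String[] args) {
        System.out.println(new ISBN("978-0-321-12521-7"));   // valid check digit
        new ISBN("978-0-321-12521-8");                       // throws IllegalArgumentException
    }
}
```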
Another concept made explicit
import static org.apache.commons.lang3.Validate.isTrue;

public final class EmailAddress {
    public final String value;

    public EmailAddress(final String value) {
        isTrue( ?????????, "Not valid email. Got: %s", value);   // which predicate defines a valid email?
        this.value = value;
    }
    …
}
Email according to spec
• RFC 5322 3.4 Address Specification (RFC 821, RFC 2821)
• Some OK examples
  • root@127.0.0.1
  • !#$%&'*+-/=?^_`{|}~@omegapoint.se
  • "Åsa Sjölander"@omegapoint.se
• Regexp: … (6424 chars)
You define Your domain
All possible strings: <script>install…</script>, bla bla ""4534, …
  ⊃ RFC 5322 Emails: root@127.0.0.1, !#$%&'*+-/=?^_`{|}~@omegapoint.se
    ⊃ Emails in your domain: daniel.deogun@omegapoint.se
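As an added example (not the slides' code), one way to fill in the ????????? of the EmailAddress slide above for "emails in your domain": instead of the RFC 5322 grammar, the primitive accepts only mailboxes at the company's own domain in first.last form. The domain, the local-part pattern and the length limit are assumptions for illustration, and Apache Commons Lang's Validate is assumed for isTrue/notNull.

```java
import java.util.Locale;
import java.util.regex.Pattern;
import static org.apache.commons.lang3.Validate.isTrue;
import static org.apache.commons.lang3.Validate.notNull;

// Specific domain primitive: an e-mail address as it exists in *this* domain,
// a far smaller set than "all RFC 5322 addresses"
public final class EmailAddress {
    private static final String OUR_DOMAIN = "omegapoint.se";                        // assumed
    private static final Pattern LOCAL_PART = Pattern.compile("[a-z]+(\\.[a-z]+)*"); // assumed: first.last
    private static final int MAX_LENGTH = 64;                                        // assumed

    public final String value;

    public EmailAddress(final String raw) {
        notNull(raw, "Email must not be null");
        // Length first: cheap, and it bounds the work of every later check
        isTrue(raw.length() <= MAX_LENGTH, "Email too long: %s chars", raw.length());
        final String normalized = raw.trim().toLowerCase(Locale.ROOT);
        final int at = normalized.lastIndexOf('@');
        isTrue(at > 0 && at < normalized.length() - 1, "Not a valid email. Got: %s", raw);
        final String local = normalized.substring(0, at);
        final String domain = normalized.substring(at + 1);
        // Structure and semantics: only mailboxes of our own domain mean anything here
        isTrue(OUR_DOMAIN.equals(domain), "Not an address in our domain. Got: %s", raw);
        isTrue(LOCAL_PART.matcher(local).matches(), "Not a valid mailbox name. Got: %s", raw);
        this.value = normalized;
    }

    @Override public String toString() { return value; }

    public static void main(final String[] args) {
        // Accepted: the slide's example that lies inside "emails in your domain"
        System.out.println(new EmailAddress("Daniel.Deogun@omegapoint.se"));
        // Rejected although RFC 5322 allows them: wrong domain, and a local part our domain never uses
        for (String s : new String[] {"root@127.0.0.1", "!#$%&'*+-/=?^_`{|}~@omegapoint.se"}) {
            try {
                new EmailAddress(s);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + s + ": " + e.getMessage());
            }
        }
    }
}
```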
History of Domain Driven Security
Timeline 2009 to 2016:
• Domain Driven Security coined [2009]: Dan Bergh Johnsson, John Wilander
• Erland Oftedal (@Webtonull), OWASP Europe
• Industry Practice: Daniel Deogun
• Talks: JavaZone, Jfokus, OPKoKo, Devoxx, DDD Europe, Jfokus, jDays, OPKoKo, DDD eXchange, DDD Summit
• Book: Daniel Sawano, Johan Arnör, Jonas Stendahl
Yes, there will be a book
Working title: "Secure by Design"
Authors: Dan Bergh Johnsson, Daniel Deogun, Daniel Sawano
Manning Publications
Manning Early Access Program ~ Oct-Nov
Final publication: end of 2017
SHAMELESS PLUG
Injection Flaw
“Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.”
- OWASP top 10
The Classics - Dynamic SQL String
SELECT … FROM Users
WHERE username = ''OR 1=1--'
AND password = 'anything you want'
Warning! This is just an example. Do not store passwords in plain text. Do not use relational databases for user management.
What’s the problem? And the solution?
• 'OR 1=1 -- is not a valid username
• This is implicit in the code
• Needs to be made explicit
• Modelling required
Prepared Statements, AKA Parametrised Queries
• SQL Injection is solved by prepared statements
• Other Injection Flaws
  • LDAP, Command, XPath, HTTP header …
HTTP Response with Cookie
[https://www.owasp.org/index.php/HTTP_Response_Splitting]
String author = … /* request, database, user setting … */
...
Cookie cookie = new Cookie("author", author);
cookie.setMaxAge(cookieExpiration);
response.addCookie(cookie);

Resulting response:
HTTP/1.1 200 OK
...
Set-Cookie: author=Jane Smith
…
<html><head><title>The real content</title> ...
HTTP Injection
Hacked 'author' value into database/setting …
author : "Wiley Hacker\r\nHTTP/1.1 200 OK\r\n..."

Resulting response, now split in two:
HTTP/1.1 200 OK
...
Set-Cookie: author=Wiley Hacker
HTTP/1.1 200 OK
…
<html><head><title>Hacked content</title> …
...
<html><head><title>The real content</title> ...
[https://www.owasp.org/index.php/HTTP_Response_Splitting]
RFC 2616 HTTP/1.1, Ch 4 HTTP Message
HTTP-message    = Request | Response     ; HTTP/1.1 messages
generic-message = start-line
                  *(message-header CRLF)
                  CRLF
                  [ message-body ]
start-line      = Request-Line | Status-Line
message-header  = field-name ":" [ field-value ]
field-name      = token
field-value     = *( field-content | LWS )
field-content   = <the OCTETs making up the field-value
                   and consisting of either *TEXT or combinations
                   of token, separators, and quoted-string>
http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4
DDSec to the Rescue on Injection Flaw
• DDD helps one to separate data from code
• Validating with respect to the model is crucial
A Quick Note On Validation
Validation order:
• Origin
• Length
• (Lexeme, content text)
• Parsing, content structure
• Semantics
- Dr. John Wilander
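An added example (not the slides' code) that puts the two points above together: an Author domain primitive for the cookie case, validated in Wilander's order (origin is the caller's concern, then length, lexeme, structure, semantics) against the RFC 2616 field-content model, so a value carrying CRLF is rejected before it can reach Set-Cookie. The length limit, the name structure and the reserved-name rule are assumed domain rules; Apache Commons Lang's Validate is assumed for isTrue/notNull.

```java
import java.util.regex.Pattern;
import static org.apache.commons.lang3.Validate.isTrue;
import static org.apache.commons.lang3.Validate.notNull;

// Domain primitive for the "author" value that later ends up in a Set-Cookie header
public final class Author {
    private static final int MAX_LENGTH = 80;                                   // assumed
    // Lexeme: printable ASCII plus space. CR, LF and other controls are not field-content (RFC 2616)
    private static final Pattern LEXEME = Pattern.compile("[\\x20-\\x7E]+");
    // Structure: one to three name parts separated by single spaces (assumed domain rule)
    private static final Pattern STRUCTURE =
        Pattern.compile("[A-Za-z][A-Za-z'-]*( [A-Za-z][A-Za-z'-]*){0,2}");

    public final String value;

    public Author(final String raw) {
        notNull(raw, "Author must not be null");                                            // origin: caller's job
        isTrue(raw.length() <= MAX_LENGTH, "Author too long: %s chars", raw.length());    // 1. length
        // 2. lexeme: the message deliberately omits the raw value, so a rejected CRLF is not echoed into a log
        isTrue(LEXEME.matcher(raw).matches(), "Author contains characters outside field-content");
        isTrue(STRUCTURE.matcher(raw).matches(), "Author is not a name. Got: %s", raw);   // 3. structure
        isTrue(!raw.equalsIgnoreCase("anonymous"), "Reserved author name. Got: %s", raw); // 4. semantics (assumed)
        this.value = raw;
    }

    @Override public String toString() { return value; }

    public static void main(final String[] args) {
        System.out.println(new Author("Jane Smith"));
        // The response-splitting value from the OWASP example above never becomes an Author:
        // the lexeme check rejects the CR LF pair
        try {
            new Author("Wiley Hacker\r\nHTTP/1.1 200 OK\r\n");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```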
Context Maps (Strategic DDD)
Purchase (Order), Logistics (Order), Finance (Order): each context has its own Order
Cross Site Scripting (XSS)
“XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.”
- OWASP top 10
XSS Example
http://github.com/Omegapoint/facepalm
The Intention from a Domain Perspective
http://github.com/Omegapoint/facepalm
Browser (write context): Comment "<script>" entered as Content
Server (Facepalm): Content
Browser (read context): Content, not Code
Broken Context Map
http://github.com/Omegapoint/facepalm
Browser (write context): Comment "<script>" entered as Content
Server (Facepalm): "<script>" passed on as Content
Browser (read context): "<script>" interpreted as Code
Fix the Broken Map
http://github.com/Omegapoint/facepalm
Browser (write context): Comment "<script>" entered as Content
Server (Facepalm): "<script>" translated to "&lt;script&gt;"
Browser (read context): "&lt;script&gt;" shown as Content "<script>", not Code
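An added example (not the facepalm project's code) of the fixed map: the comment stays Content inside the server, and the only place it is turned into something the browser parses is an explicit translation at the boundary to the read context, where < becomes &lt; so the browser sees text, not Code. The length limit is an assumed domain rule; Apache Commons Lang's Validate is assumed for isTrue/notNull.

```java
import static org.apache.commons.lang3.Validate.isTrue;
import static org.apache.commons.lang3.Validate.notNull;

// The comment as Content: what the user wrote in the browser's write context
public final class Comment {
    private static final int MAX_LENGTH = 1000;   // assumed domain rule

    public final String text;

    public Comment(final String text) {
        notNull(text, "Comment must not be null");
        isTrue(text.length() <= MAX_LENGTH, "Comment too long: %s chars", text.length());
        this.text = text;
    }

    // Explicit translation into the browser's read context (HTML element content only;
    // attribute and script contexts would need their own translation). This is the
    // context boundary: characters HTML treats as markup are encoded so the browser
    // renders them as text instead of parsing them as Code.
    public String asHtmlText() {
        final StringBuilder html = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            final char c = text.charAt(i);
            switch (c) {
                case '<':  html.append("&lt;");   break;
                case '>':  html.append("&gt;");   break;
                case '&':  html.append("&amp;");  break;
                case '"':  html.append("&quot;"); break;
                case '\'': html.append("&#39;");  break;
                default:   html.append(c);
            }
        }
        return html.toString();
    }

    @Override public String toString() { return "Comment(" + text.length() + " chars)"; }

    public static void main(final String[] args) {
        final Comment c = new Comment("Great talk! <script>install…</script>");
        System.out.println(c.text);          // inside the server: still plain Content
        System.out.println(c.asHtmlText());  // at the boundary to the read context: markup encoded
    }
}
```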
SQL Injection vs XSS (diagram: where data crosses into Code)
2nd order injection
Web → Srv → DB → Log → Log → Adm
Preventing Data Leakage
Read-once object [Daniel Sawano]
import java.io.*;
import java.util.concurrent.atomic.AtomicReference;
import static org.apache.commons.lang3.Validate.notBlank;
import static org.apache.commons.lang3.Validate.notNull;

public final class SensitiveValue implements Externalizable {
    private final AtomicReference<String> value;

    public SensitiveValue(final String value) {
        this.value = new AtomicReference<>(validated(value));
    }

    // Read once: the first call hands out the secret, every later call fails
    public String value() {
        return notNull(value.getAndSet(null), "Sensitive value has already been consumed");
    }

    @Override
    public String toString() {
        return "SensitiveValue value = *****";
    }

    // Serialisation is blocked in both directions so the secret cannot leak that way
    @Override
    public void writeExternal(final ObjectOutput out) throws IOException {
        throw new UnsupportedOperationException("Not allowed on sensitive value");
    }
    @Override
    public void readExternal(final ObjectInput in) throws IOException {
        throw new UnsupportedOperationException("Not allowed on sensitive value");
    }

    private static String validated(final String value) {   // assumed: slide elides this helper
        return notBlank(value, "Sensitive value must not be blank");
    }
}
How did DDSec Help Us?
• DDD gave deeper insight in nature of XSS
• Context mapping allows one to “detect” possible broken maps
• Modeling confidentiality protects against accidental disclosure of sensitive data
Complex Domain Attack
Order (-1) → Finance (-1), Storage (-1), Shipping (-1)
Micro-servicing the Monolith
Contexts: Insurance Purchase, Policy, Payment
Making a change with surgical precision
Contexts: Insurance (Purchase, Policy), Payment, Bank
Messages: Confirm, Reject, Giro Confirm, Giro Bounce
What we would have done
Contexts: Insurance (Purchase, Policy), Cash Payment, Giro Payment, Bank
Messages: Confirm, Reject, Giro Confirm, Giro Bounce
Micro-Service Hell
• We’re moving towards more and more micro-services
• Implemented by separate teams
• How do we guarantee correct context mappings?
Q & A [Questions]
Thanks
@danbjson, @DanielDeogun
Image References
• [Questions] https://flic.kr/p/9ksxQa by Damián Navas, licensed under CC BY-NC-ND 2.0 (https://creativecommons.org/licenses/by-nc-nd/2.0/)
• [Encyclopedia] https://www.flickr.com/photos/stewart/461099066 by Stewart Butterfield, licensed under CC BY 2.0 (https://creativecommons.org/licenses/by/2.0/)