Presentation is loading. Please wait.

Presentation is loading. Please wait.

SPPF Batch DOS Considerations Jeremy Barkan Xconnect 28 March 2012 0.

Published byGeorgina Small Modified over 9 years ago

Similar presentations

Presentation on theme: "SPPF Batch DOS Considerations Jeremy Barkan Xconnect 28 March 2012 0."— Presentation transcript:

1 SPPF Batch DOS Considerations Jeremy Barkan Xconnect 28 March 2012 0

2 SPPF & SOAP Security Framework draft – connection oriented, session HTTPS + digest authentication SOAP draft – SOAP over HTTPS with digest authentication Batch requires message security vs. transport security Actors SPPF batch user cases – Registrant - acting in the batch commands – Session client - provides the batch upload – Registry Threats – Malicious XML Document Authorized client, Illegitimate registrant - posts malicious batch request XML document Legitimate registrant - possible Zombie - posts malicious XML document 1

3 Malicious SOAP Documents XML Parsing DOS – Coercive Parsing – Oversize Payload SPPF behavioral DOS on registry – Table scan queries – Massive inserts – Massive roll back at end of long batch Stop and Roll-Back see SOAP Draft http://tools.ietf.org/html/draft-ietf-drinks-spp-protocol-over-soap-01#section- 6.2.5 http://tools.ietf.org/html/draft-ietf-drinks-spp-protocol-over-soap-01#section- 6.2.5 produces resource starvation of the registry http://tools.ietf.org/html/rfc4732#page-5 https://www.owasp.org/index.php/Web_Service_Security_Cheat_Sheet http://msdn.microsoft.com/en-us/library/ff650168.aspx 2

4 Defenses Authenticate Registrant - message security – Require XML Signatures WS-SECURITY [ WS-I Basic Security Profile ] http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html File level Block level – However - WS-Security - high overhead Streaming Processing of WS-Security – http://www.sundaychennai.com/dotnet_iee2011/Server- Side%20Streaming%20Processing%20of%20WS-Security.pdfhttp://www.sundaychennai.com/dotnet_iee2011/Server- Side%20Streaming%20Processing%20of%20WS-Security.pdf Application Level Gateways / WS Firewall – Schema Validation http://www.mendeley.com/research/protecting-web-services-dos- attacks-soap-message-validation/ http://www.mendeley.com/research/protecting-web-services-dos- attacks-soap-message-validati 3

5 SPPF Specific Defenses Deep Inspection – Analysis of batch file before processing Behavioral Analysis – Do these commands make sense for this registrant – Do the commands make sense in sequence – Do the commands make sense given this registrants command history Resource Cost Scrip – Assign a cost to each command – Registrants get a “budget” http://www.cs.columbia.edu/~angelos/Papers/sosmp.pdf 4

6 Implications for SPPF SOAP and Batch Batch processing use cases not covered in use case draft – Failure modes – Security considerations Still maintain should be a separate protocol draft 5

Download ppt "SPPF Batch DOS Considerations Jeremy Barkan Xconnect 28 March 2012 0."

Similar presentations

April 23, 20021 XKMS Requirements Update Frederick Hirsch, Mike Just April 23, 2002 Goals Requirements Summary –General, Security Last Call Issues –For.

April 23, XKMS Requirements Update Frederick Hirsch, Mike Just April 23, 2002 Goals Requirements Summary –General, Security Last Call Issues –For.
cetis SWNI: Implementation & Testing By Scott Wilson, CETIS.

cetis SWNI: Implementation & Testing By Scott Wilson, CETIS.
OTP-ValidationService: Summary, Status, and Next Steps OTPS Workshop, February 2006.

OTP-ValidationService: Summary, Status, and Next Steps OTPS Workshop, February 2006.
IHE Profile Proposal: Dynamic Configuration Management October, 2013.

IHE Profile Proposal: Dynamic Configuration Management October, 2013.
1 Integration Made Easy Agile Integration: Connecting Salesforce With Your Enterprise.

1 Integration Made Easy Agile Integration: Connecting Salesforce With Your Enterprise.
Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.

Lecture slides for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 9 “Firewalls and Intrusion Prevention.
SOAP & Security IEEE Computer Society Utah Chapter Hilarie Orman - Purple Streak Development Tolga Acar - Novell, Inc. October 24, 2002.

SOAP & Security IEEE Computer Society Utah Chapter Hilarie Orman - Purple Streak Development Tolga Acar - Novell, Inc. October 24, 2002.
Web Services and AIXM. Introduction Subramanyam “Subbu” Nadavala Contractor, L-3 Communications FAA Air Traffic Organization (ATO) Information Technology.

Web Services and AIXM. Introduction Subramanyam “Subbu” Nadavala Contractor, L-3 Communications FAA Air Traffic Organization (ATO) Information Technology.
A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.

A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.
0 Web Service Security JongSu Bae. 1  Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A  Contents.

0 Web Service Security JongSu Bae. 1  Introduction 2. Web Service Security 3. Web Service Security Mechanism 4. Tool Support 5. Q&A  Contents.
H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.
Will Darby 91.514 5 April 2010.  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.

Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
1 June 1, 2015 Secure access to project budget information for OAR Principal Investigators Eugene F Burger Sylvia Scott Tracey Nakamura John L Forbes PMEL.

1 June 1, 2015 Secure access to project budget information for OAR Principal Investigators Eugene F Burger Sylvia Scott Tracey Nakamura John L Forbes PMEL.
Barracuda Web Application Firewall

Barracuda Web Application Firewall
WEB SECURITY. WEB ATTACK TYPES Buffer OverflowsXML InjectionsSession Hijacking Attacks WEB Attack Types.

WEB SECURITY. WEB ATTACK TYPES Buffer OverflowsXML InjectionsSession Hijacking Attacks WEB Attack Types.
SIP Security Matt Hsu.

SIP Security Matt Hsu.
ΗΛΕΚΤΡΟΝΙΚΟ ΕΜΠΟΡΙΟ Web Services Overview Mary Grammatikou www.netmode.ntua.gr 9/06/2009.

ΗΛΕΚΤΡΟΝΙΚΟ ΕΜΠΟΡΙΟ Web Services Overview Mary Grammatikou 9/06/2009.
Security in Service Oriented and REST architectures SiliconIndia Java Conference, Nimhans, Bangalore 29 Oct 2010 Srinivas Padmanabhuni, Ph.D. Principal.

Security in Service Oriented and REST architectures SiliconIndia Java Conference, Nimhans, Bangalore 29 Oct 2010 Srinivas Padmanabhuni, Ph.D. Principal.

Similar presentations

Ads by Google