Presentation is loading. Please wait.

Presentation is loading. Please wait.

Documenting threats and vulnerabilities in a web services infrastructure Lieven Desmet DistriNet Research Group, Katholieke Universiteit Leuven, Belgium.

Published byAnnabella Wright Modified over 9 years ago

Similar presentations

Presentation on theme: "Documenting threats and vulnerabilities in a web services infrastructure Lieven Desmet DistriNet Research Group, Katholieke Universiteit Leuven, Belgium."— Presentation transcript:

1 Documenting threats and vulnerabilities in a web services infrastructure Lieven Desmet DistriNet Research Group, Katholieke Universiteit Leuven, Belgium Lieven.Desmet@cs.kuleuven.ac.be

2 2 Overview  Context  Web applications architecture  Web services  Threat modelling for web services  Conclusion and open questions

3 3 Context  Threat modelling for web applications:  Coordinated by Microsoft and PWC  6 research groups:  Università Degli Studi Di Milano (SQL Server)  Technical University of Ilmenau (ASP.NET)  University of Salford (Active Directory)  COSIC, K.U.Leuven (Security Tokens)  DistriNet, K.U.Leuven (Web Services)  Sintef (Threat and Countermeasure Representation)

4 4 Context (2)  Identification and countering the most relevant threats  Focus on threats related to the underlying platform, technologies or programming language  Applicable by developers, particularly for Independent Software Vendors

5 5 Context (3)  Current results of different groups reported in the "Security in Microsoft.Net" panel on CMS2004  Panel papers are available on project's internal website:  http://sobenet.cs.kuleuven.ac.be/usergroup/working/  Presentation of our approach, open for feedback

6 6 Web applications architecture  Web applications:  Distributed applications, using the HTTP protocol  Client-server model:  Browser or rich clients  Server-resident applications on the web and application server  Several server technologies: CGI, PHP, Java Servlets, JSP, ASP.NET, …

7 7 Web applications architecture (2) database server application server FW2FW company network 3 web serverclient FW1 smartcard reader mainframe, application server,... authentication & directory server client tierpresentation tierbusiness tierback-office tier

8 8 Web applications architecture (3) SQL server IIS ASP.NET COM+ FW2FW company network 3 IIS ASP.NET IExplorer.NET Framework FW1 smartcard reader ASP.NET Active Directory

9 9 Web services  Web service = XML messaging based interface to some computing resource, exchanging structured and typed information (↔ classic web application!)  Web services can be used as:  RPC implementation  Document based information flow

10 10 Web services (2)  Web service protocol:  Unidirectional  Asynchronous  Often combined into a bidirectional synchronous protocol  Web service protocol stack:  Transport: HTTP (or FTP,SMTP,…)  Messaging: SOAP  Service description: WSDL  Service discovery: UDDI

11 11 Web services (3)  Communication participants:  Originating node  Receiving node  Possibly some intermediary nodes receiving node originating node intermediate SOAP

12 12 Web services in web applications  Web services in web applications:  Wrapping legacy applications  Better web server – application server separation  Rich clients, interfacing to the server  Integration of building block services  Multistage processing  Virtual organisations  …

13 13 Threat modelling for web services  Our approach:  Defining the web service assets  Systematic STRIDE-based enumeration of threats for a generic web service  Mapping attack entry points to the architecture  Listing countermeasures  Guidelines and questions for countermeasure selection

14 14 Web service assets  Web service assets:  Application specific assets:  specific data, procedures, …  Web service specific technology artefacts:  WSDL files, assemblies, SOAP messages, …  Private information on the client machine  Availability originating node SOAP receiving node

15 15 STRIDE for web services  STRIDE:  S poofing  Both client en server can be spoofed  T ampering  SOAP messages, WSDL descriptions and client/server assemblies  R epudiation  I nformation Disclosure  SOAP messages, WSDL descriptions, client/server assemblies and application specific data  D enial of Service  E levation of privileges originating node SOAP receiving node

16 16 Most relevant threats  Spoofing of client requests  SOAP message replay  SOAP message tampering  WSDL file tampering  Reverse engineering of client assemblies  SOAP message disclosure  WSDL files unnecessarily disclosed  Bad error handling  Server denial of service  Exposing legacy software vulnerabilities  …

17 17 Mapping to the architecture back-end (mainframe, database,...) application server FW2FW company network 3 web serverclient FW1 DMZ Rich client Web server BrowserWeb server SOAP HTTP Application Server SOAP Web serverWrapped Legacy Application SOAP Application Server SOAP Application Server originating node SOAP receiving node

18 18 Countermeasures  Countermeasures:  Authentication  Data protection  Authorization  Input Validation  Others: non-repudiation, sandboxing, secure coding, intrusion/fraud detection, …

19 19 Countermeasures (2)  A lot of countermeasure technologies exist already:  Web service specific:  XML Security (XML Encryption & XML Signature)  WS-Security  SAML  Network specific countermeasures  Operating system specific countermeasures  Platform specific counter measures  …  The major challenge is choosing the right countermeasure technology and applying it correctly.

20 20 Countermeasure selection  Questions/issues for ‘authentication’:  authenticate a user or a machine?  entity authentication or message authentication  delegation needed?  assumptions about the authenticated party  the number of users?  application access to authenticated identities?  integrate in an existing infrastructure?  security versus ease-of-use?  Related with data protection/authorization needs

21 21 Conclusion and open questions  Conclusion:  Importance of threat modelling and countermeasure selection  Applicability of the STRIDE approach  Open questions:  Importance of delegation within web applications  Applicability of current countermeasure selection to developers  Better ways to represent threat modelling and countermeasure enumeration and selection (e.g. CORAS)  Web services are both too easy and too difficult ?

22 22 Credential delegation  No delegation:  Controlled delegation:  Impersonation:  Composite’s delegation:  Traced delegation:. ABCD A BC ABCD A A’ ABCD A AA ABCD A B,AC,B ABCD A B,AC,B,A

23 23 Questions & discussion ?? ? ? ? Lieven Desmet DistriNet Research Group, Katholieke Universiteit Leuven, Belgium Lieven.Desmet@cs.kuleuven.ac.be

Download ppt "Documenting threats and vulnerabilities in a web services infrastructure Lieven Desmet DistriNet Research Group, Katholieke Universiteit Leuven, Belgium."

Similar presentations

웹 서비스 개요.

웹 서비스 개요.
Welcome to Middleware Joseph Amrithraj

Welcome to Middleware Joseph Amrithraj
An Approach to Wrap Legacy Applications into Web Services Wesal Al Belushi, Youcef Baghdadi Department of Computer Science, Sultan Qaboos University, Sultanate.

An Approach to Wrap Legacy Applications into Web Services Wesal Al Belushi, Youcef Baghdadi Department of Computer Science, Sultan Qaboos University, Sultanate.
General introduction to Web services and an implementation example

General introduction to Web services and an implementation example
1 Understanding Web Services Presented By: Woodas Lai.

1 Understanding Web Services Presented By: Woodas Lai.
Web Services Darshan R. Kapadia Gregor von Laszewski 1http://grid.rit.edu.

Web Services Darshan R. Kapadia Gregor von Laszewski 1http://grid.rit.edu.
Web Services Nasrullah. Motivation about web service There are number of programms over the internet that need to communicate with other programms over.

Web Services Nasrullah. Motivation about web service There are number of programms over the internet that need to communicate with other programms over.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 12 Slide 1 Distributed Systems Design 2.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 12 Slide 1 Distributed Systems Design 2.
WwwTASK.to © Toronto Area Security Klatch 2007 Threat Modeling With STRIDE and DREAD Chuck Ben-Tzur Security Consultant Sentry Metrics March 27, 2007.

WwwTASK.to © Toronto Area Security Klatch 2007 Threat Modeling With STRIDE and DREAD Chuck Ben-Tzur Security Consultant Sentry Metrics March 27, 2007.
A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.

A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Web Service Standards Relevant to SOA

Web Service Standards Relevant to SOA
Presentation 7: Part 1: Web Services Introduced. Outline Definition Overview of Web Services Examples Next Time: SOAP & WSDL.

Presentation 7: Part 1: Web Services Introduced. Outline Definition Overview of Web Services Examples Next Time: SOAP & WSDL.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
Distributed components

Distributed components
G O B E Y O N D C O N V E N T I O N WORF: Developing DB2 UDB based Web Services on a Websphere Application Server Kris Van Thillo, ABIS Training & Consulting.

G O B E Y O N D C O N V E N T I O N WORF: Developing DB2 UDB based Web Services on a Websphere Application Server Kris Van Thillo, ABIS Training & Consulting.
CIM2564 Introduction to Development Frameworks 1 Overview of a Development Framework Topic 1.

CIM2564 Introduction to Development Frameworks 1 Overview of a Development Framework Topic 1.
Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.

Latest techniques and Applications in Interprocess Communication and Coordination Xiaoou Zhang.
Core Web Service Security Patterns

Core Web Service Security Patterns
2006 IEEE International Conference on Web Services ICWS 2006 Overview.

2006 IEEE International Conference on Web Services ICWS 2006 Overview.

Similar presentations

Ads by Google