XML Intrusion Prevention

Blake Dournaee
Senior Security Architect
Sarvega, Inc.
blake@sarvega.com
April 2005

Agenda

- Level Setting
  » Lingo, Requirements, Categories, Definitions
- General Threat Model
- Structural Threats
  » Problem Examples
  » Typical Countermeasures
- Semantic Threats
  » Problem Examples
  » Typical Countermeasures
- SOAP and the Universal Tunnel
- Summary / Q&A

XIP – XML Intrusion Prevention

- XIP: the theory and practice of protecting against XML content attacks
- An XML message sent to an application to put the system in a state beneficial to the attacker
  » Deliberate attacks (active attacker)
  » Inadvertent attacks (software bug)
- XML Web Service architectural assumption
  » Different from Web application security
  » XML/HTTP or SOAP/HTTP
  » Similar attack types (SQL injection, buffer overflow)
  » Different architecture
  » App-to-app interaction using XML messages wrapped in SOAP envelopes

The Threats: Lingo

- Coercive Parsing
- Content Tampering
- Parameter Tampering
- SQL/XQuery Injection
- XML Virus
- X-Malware
- Code Injection
- Malicious Morphing
- Schema Poisoning
- Oversize Payloads
- Replay Attacks
- External Entity Attacks
- Buffer Overflow
- XDOS
- Recursive Payloads
- Routing Detour
- WSDL Scanning

XML Web Services Architecture

[Diagram: a Web Service Client sends a SOAP message over HTTP (SSL/TLS) across the Internet to the partner's SSL/TLS gateway, then through the router, LAN switches, external firewall, content switch and internal firewall of the DMZ to the Web server, application servers and DB of the application infrastructure. The SOAP message is a SOAP Envelope with a SOAP header (carrying a Digital Signature) and a SOAP Body (carrying XML Encryption). Caption: SOAP payloads can carry arbitrary XML and flow freely over port 80.]

XML Threat Model

[Diagram: protocol stack, top to bottom: Application, XML Payload, HTTP, TCP]

XIP Device Requirements

- XIP Device: the firewall or IDS system responsible for XIP.
- Two requirements
  » Resiliency: an XIP device should never crash or cause a denial-of-service condition when processing bad XML data.
  » Content scrutiny: an XIP device should never pass on XML content that will blow out a downstream entity or cause it to perform unauthorized functions.
- Theme: protect itself and protect its application domain

XIP Device

[Diagram: the same XML Web Services architecture as above, with the XIP Device placed inline on the SOAP message path in front of the Web server, inspecting the SOAP Envelope (SOAP header with Digital Signature, SOAP Body with XML Encryption).]

XML Threat Model

[Diagram: the protocol stack (Application, XML Payload, HTTP, TCP) with the threat categories attached to the XML Payload layer: Encoding Threats, Structural Threats, Grammar Validation Threats, Semantic Threats, External Entity Threats, XML Security Threats, Algorithmic Threats]

XML Threat Details

- Encoding Threats
  » Threats related to naïve or broken XML parsers not designed to handle encodings correctly
  » Failure to maintain encoding information for an XML document
- Structural Threats
  » Threats related to the structure of the XML document, such as oversized payloads and components
- Grammar Validation Threats
  » Threats related to schema validation or equivalent
- Semantic Threats
  » Code injection, SQL injection: any threat that manipulates the representation of the XML document to change its semantics
- External Entity Threats
  » Manipulating the XML processor into de-referencing external URIs
- XML Security Threats
  » Misapplication of XML Security such as XML Digital Signatures and XML Encryption
- Algorithmic Threats
  » DoS attacks that take advantage of the underlying XML processor implementation (such as a hash table attack)

Structural Threats

"... it is important to realize that any lock can be picked with a big enough hammer."
- Sun System & Network Admin manual

Structural Threat: Huge Document

<Envelope>
  <Header>
    <wsse:Security>
      <Attack>DoS</Attack>
      <Attack>DoS</Attack>
      <Attack>DoS</Attack>
      <Attack>DoS</Attack>
      <Attack>DoS</Attack>
      <Attack>DoS</Attack>
      <Attack>DoS</Attack>…
      <Signature>…</Signature>
    </wsse:Security>
  </Header>
  <Body>
    <GetStockQuote>
      <Ticker>CSCO</Ticker>
    </GetStockQuote>
  </Body>
</Envelope>

Structural Threat: Weird Structure

<Envelope>
  <Header>
    <wsse:Security>
      <Attack a1="1" a2="1" a3="1" a4="1" a5="1" a6="1"…
      <Attack>
      <Attack>
      <Attack>
      <Attack>....
      <Signature>…</Signature>
    </wsse:Security>
  </Header>
  <Body>
    <GetStockQuote>
      <Ticker>CSCO</Ticker>
    </GetStockQuote>
  </Body>
</Envelope>

Structural Threat: Huge Binary Blobs

<Envelope>
  <Header>
    <wsse:Security>
      <Attack>hbCBDZXJ0aWZpY2F0aW9uIEF1dGhv
      xMDMxODU4MzRaMFwxCzAJBgNVBAYT
      1cml0eSwgSW5jLjErMCkGA1UECxMi
      1dGhvcml0eTCBmzANBgkqhkiG9w0B
      sbsZwmdu41QUDaSiCnHJ/lj+O7Kwp….
      <Signature>…</Signature>
    </wsse:Security>
  </Header>
  <Body>
    <GetStockQuote>
      <Ticker>CSCO</Ticker>
    </GetStockQuote>
  </Body>
</Envelope>

Structural Threats: Why?

- Why should a large or oversize payload cause a problem?
- Why haven't we seen these types of threats with "regular" network traffic?
  » Answer: the attacker is relying on inefficient XML parsing models
  » DOM-based parsing

Parsing: SOAP Document Example

<S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope">
  <S:Body Id="MsgBody">
    <fn:Order xmlns:fn="http://www.foo.com/fakens">
      <Item>Pool Table</Item>
      <Quantity>1</Quantity>
      <AccountNumber>123456789</AccountNumber>
      <Price>$800.00</Price>
    </fn:Order>
  </S:Body>
</S:Envelope>

DOM Example

[Diagram: DOM tree for the order message above: Document → Envelope → Body → Order → Item, Quantity, AccountNumber, Price, with a whitespace Text node between every pair of elements and a Text node holding each element's value. All are subtypes of 'Node'.]

DOM Parsing Memory Requirements

[Chart: DOM Memory Usage. Y axis: Java Heap (MB), 0 to 1000. X axis: File Size (25MB, 50MB, 100MB, 150MB). Parser: Xerces 2.6.2 on RH 9.0.]

SAX Specific Exploits

- What about stream-based parsing?
  » In general, less vulnerable
- Usage dependent
  » Context-free filtering
  » Overlapped parsing and consumption
  » Stream replay and storage

Context-Free Filtering

- Single element search
- Event callbacks required
  » startDocument() / endDocument()
  » startElement() / endElement()
- All other data is filtered and lost

[Diagram: the XML event stream E1, E2, E3, …, En flows past the application; only the one element being searched for is handed to the application, everything else goes to the trash.]

Overlapped Parsing and Consumption

- Ordered processing
  » Read XML in chunks and then process
  » Simple content models with repetition
  » Very little content caching

[Diagram: events E1, E2, E3, …, En are consumed by the application chunk by chunk as they arrive; each chunk is discarded once processed.]

Stream Replay and Storage

- Context-sensitive SAX parsing
- Caching (replay) of complete documents or subdocuments
- Can approach DOM-like memory usage

[Diagram: events E1, E2, E3, E4, E5, E6, E7, …, En are held in memory so the application can replay them; only what is not needed goes to the trash.]

XML Parsing Conclusions

- DOM parsing is a memory hog
- SAX parsing can be a memory hog
  » Usage dependent

Typical Countermeasures

- W3C Schema validation
  » Standardized grammar validation
  » Validate the document against a schema to ensure that it matches

Schema Validation Problems

- Parsing precondition
  » Paradox: you have to parse before you validate
- Extensible standard schemas
  » Schema is not "by design" a security feature

Parsing Precondition

- Logical split between parsing and validation
  » Naïve implementations parse first and then validate second, when it is too late
  » Smarter implementations can begin schema validation while parsing, but can't finish until parsing finishes
  » Sequence of elements a, b and c: I need to parse to the end to see whether the element "c" is present.
- Pathological nodes are always parsed before they are validated
- Schema validation comes "too late"
- Special checks outside of schema validation (limit enforcement) are required

XML Schema Extensibility

- Value in general, extensible content models
  » Not practical to be so restrictive
    <xs:any processContents="lax" maxOccurs="unbounded"/>
  » Weakest link property
  » An attacker only needs to find one extensibility point
- Explicit schema hardening breaks standards
  » Hardened schemas are vulnerable if not protected by a digital signature or trusted source

OASIS WS-Security Schema Example

<xsd:complexType name="SecurityHeaderType">
  <xsd:sequence>
    <xsd:any processContents="lax" minOccurs="0" maxOccurs="unbounded">
      <xsd:annotation>
        <xsd:documentation>The use of "any" is to allow extensibility and different forms of security data.</xsd:documentation>
      </xsd:annotation>
    </xsd:any>
  </xsd:sequence>
  <xsd:anyAttribute namespace="##other" processContents="lax" />
</xsd:complexType>

Schema Validation: Inadequate

- Schema-valid <wsse:Security> element:

<wsse:Security xmlns:wsse="http://www.docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <Attack>DoS</Attack>
  <Attack>DoS</Attack>
  <Attack>DoS</Attack>
  <Attack>DoS</Attack>
  <Attack>DoS</Attack>
  <Attack>DoS</Attack>
  <Attack>DoS</Attack>…
</wsse:Security>

Structural Threat Prevention: Requirements

- Wire-speed limit enforcement for XML parsing
  » Oversize payloads
  » Oversized element names, attribute names and processing instruction target names
  » Limiting the maximum number of attributes per element
  » Limiting the depth (nesting) of elements
  » Limits on the size of processing instructions, comments, single CDATA items and attribute values
- Wire-speed schema validation for hardened schemas
- Wire-speed XPath filtering
  » Used to filter XML based on known traffic

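The limit enforcement asked for above, and the "special checks outside of schema validation" of the Parsing Precondition slide, as an added example (not code from the slides or from Sarvega): an expat-based streaming checker that rejects a message at the first violated limit, before anything is buffered. The numeric limits, the function names and the two sample messages are assumptions constructed for the example.

```python
import xml.parsers.expat

# Limit values are assumptions for this example, not figures from the slides.
LIMITS = {"max_bytes": 65536, "max_name_len": 64, "max_attrs": 16,
          "max_depth": 32, "max_value_len": 1024}

class LimitExceeded(Exception): pass

def check_structure(data, limits=LIMITS):
    """Stream-parse with expat and raise LimitExceeded at the first violated
    limit, while the document is still being read. Returns deepest nesting."""
    if len(data) > limits["max_bytes"]:
        raise LimitExceeded("oversize payload: %d bytes" % len(data))
    depth, deepest = 0, 0
    def name_ok(name):  # element and attribute names
        if len(name) > limits["max_name_len"]:
            raise LimitExceeded("name too long: %r..." % name[:20])
    def start(name, attrs):  # expat callback for every start tag
        nonlocal depth, deepest
        name_ok(name)
        if len(attrs) > limits["max_attrs"]:
            raise LimitExceeded("%d attributes on <%s>" % (len(attrs), name))
        for k, v in attrs.items():
            name_ok(k)
            if len(v) > limits["max_value_len"]:
                raise LimitExceeded("attribute value too long on <%s>" % name)
        depth += 1
        deepest = max(deepest, depth)
        if depth > limits["max_depth"]:
            raise LimitExceeded("nesting depth %d" % depth)
    def end(name):
        nonlocal depth
        depth -= 1
    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler, parser.EndElementHandler = start, end
    parser.Parse(data, True)
    return deepest

def is_acceptable(data):
    """True only if well formed and inside every limit; a parse error is a
    rejection, not a crash (the resiliency requirement)."""
    try:
        return check_structure(data) >= 0
    except (LimitExceeded, xml.parsers.expat.ExpatError):
        return False

# Constructed samples: a normal request and the "weird structure" slide.
GOOD = b"<Envelope><Body><GetStockQuote><Ticker>CSCO</Ticker></GetStockQuote></Body></Envelope>"
WEIRD = (b"<Envelope><Header><Attack " +
         b" ".join(b'a%d="1"' % i for i in range(500)) + b"/></Header></Envelope>")
```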
Semantic Threats

SQL Injection Example

- Assume that a query is being built as follows:

    query = "select count(*) from users where userName='" & userName & "' and userPass='" & password & "'"

- Boolean short-circuiting techniques:

    select count(*) from users where userName='john' and userPass='' or 1=1 --'

SQL Injection

- Web applications are highly susceptible
  » Weak typing of Web-based languages
  » Ease of use vs. security
  » Ad-hoc coercion of data types
- SOAP-based applications are less susceptible
  » Easier to enforce stronger typing with SOAP
  » SOAP faults may return extra information
  » <faultstring> element returns stack traces

SOAP: SQL Injection Example

<soap:Envelope xmlns:soap=" ">
  <soap:Body>
    <fn:PerformFunction xmlns:fn=" ">
      <fn:uid>8123</fn:uid>
      <fn:password>
        ' or 1=1 or password='
      </fn:password>
    </fn:PerformFunction>
  </soap:Body>
</soap:Envelope>

- Strong typing mitigates the attack on the uid parameter

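An added example (not from the slides) putting the string-built query of the SQL Injection Example beside a parameterized one, and applying the strong typing this slide recommends to the uid parameter taken from the SOAP body. The in-memory table, the fn: namespace (blank on the slide) and the sample messages are constructed for the example.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed in-memory table standing in for the slide's users table.
db = sqlite3.connect(":memory:")
db.execute("create table users (uid integer, userName text, userPass text)")
db.execute("insert into users values (8123, 'john', 's3cret')")

def count_concatenated(user_name, password):
    """The slide's string-built query: the password value is parsed as SQL."""
    q = ("select count(*) from users where userName='" + user_name +
         "' and userPass='" + password + "'")
    return db.execute(q).fetchone()[0]

def count_parameterized(user_name, password):
    """Bound parameters: the same value stays data and cannot alter the query."""
    q = "select count(*) from users where userName=? and userPass=?"
    return db.execute(q, (user_name, password)).fetchone()[0]

FN = "{urn:example:fn}"  # assumed namespace; the slide leaves xmlns:fn blank

def parse_perform_function(soap_xml):
    """Pull uid and password out of the SOAP body, typing uid as an integer."""
    root = ET.fromstring(soap_xml)
    uid_text = root.findtext(".//" + FN + "uid", "").strip()
    password = root.findtext(".//" + FN + "password", "").strip()
    return int(uid_text), password  # ValueError when uid carries anything but digits

def soap_login_count(soap_xml, user_name="john"):
    """Strong typing on uid plus a parameterized query. Returns the number of
    matching rows, or -1 when the message fails typing (a SOAP fault in practice)."""
    try:
        uid, password = parse_perform_function(soap_xml)
    except ValueError:
        return -1
    q = "select count(*) from users where uid=? and userName=? and userPass=?"
    return db.execute(q, (uid, user_name, password)).fetchone()[0]

# Constructed messages in the shape of the slide's SOAP example.
TEMPLATE = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Body><fn:PerformFunction xmlns:fn="urn:example:fn">'
            '<fn:uid>%s</fn:uid><fn:password>%s</fn:password>'
            '</fn:PerformFunction></soap:Body></soap:Envelope>')
INJECTED_PASSWORD = "' or 1=1 --"
```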
SOAP Array Attack

<soap:Envelope xmlns:soap=" ">
  <soap:Body>
    <fn:PerformFunction xmlns:fn=" " xmlns:ns=" ">
      <DataSet xsi:type="ns:Array" ns:arrayType="xsd:string[100000]">
        <item xsi:type="xsd:string">Data1</item>
        <item xsi:type="xsd:string">Data2</item>
        <item xsi:type="xsd:string">Data3</item>
      </DataSet>
    </fn:PerformFunction>
  </soap:Body>
</soap:Envelope>

- DoS condition with memory pre-allocation

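An added example (not from the slides) of the pre-allocation problem: a naive decoder that trusts ns:arrayType beside a bounded decoder that caps the declared size and checks it against the items actually present. The namespaces behind the slide's blank prefixes, the cap of 1024 and the generated sample messages are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Assumptions: the slide's blank ns: prefix is the SOAP 1.1 encoding namespace
# (where arrayType is defined) and 1024 is the cap on a declared array size.
ENC = "{http://schemas.xmlsoap.org/soap/encoding/}"
MAX_DECLARED = 1024
ARRAY_TYPE = re.compile(r"^[\w:]+\[(\d+)\]$")  # e.g. xsd:string[100000]

class ArrayRejected(Exception): pass

def declared_size(dataset):
    """Element count declared in ns:arrayType, or ArrayRejected if malformed."""
    m = ARRAY_TYPE.match(dataset.get(ENC + "arrayType", ""))
    if not m:
        raise ArrayRejected("missing or malformed arrayType")
    return int(m.group(1))
def decode_preallocating(dataset):
    """Naive decoder: trusts arrayType and reserves the declared size up front,
    so three items declared as [100000] cost 100000 slots (the slide's DoS)."""
    slots = [None] * declared_size(dataset)
    for i, item in enumerate(dataset.findall("item")):
        slots[i] = item.text
    return slots
def decode_bounded(dataset):
    """Hardened decoder: caps the declared size, sizes the result by the items
    actually present, and rejects a declaration that disagrees with them."""
    n = declared_size(dataset)
    if n > MAX_DECLARED:
        raise ArrayRejected("declared size %d exceeds cap %d" % (n, MAX_DECLARED))
    items = [item.text for item in dataset.findall("item")]
    if len(items) != n:
        raise ArrayRejected("declared %d items, found %d" % (n, len(items)))
    return items
def dataset_of(soap_xml):
    return ET.fromstring(soap_xml).find(".//DataSet")
def bounded_or_none(soap_xml):  # None means the message was rejected
    try:
        return decode_bounded(dataset_of(soap_xml))
    except ArrayRejected:
        return None
def soap_message(declared, n_items):
    """Constructed message in the shape of the slide's SOAP Array Attack."""
    items = "".join('<item xsi:type="xsd:string">Data%d</item>' % (i + 1) for i in range(n_items))
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
            '<fn:PerformFunction xmlns:fn="urn:example:fn" xmlns:ns="http://schemas.xmlsoap.org/soap/encoding/"'
            ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><DataSet xsi:type="ns:Array"'
            ' ns:arrayType="xsd:string[%d]">%s</DataSet></fn:PerformFunction></soap:Body></soap:Envelope>'
            ) % (declared, items)
```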
Typical Countermeasures

- W3C Schema validation
  » Standardized grammar validation
  » Schema <pattern> facet / regular expressions
  » Stronger schema datatypes
- Application checks
  » Strong typing and input validation can prevent SQL injection style attacks

Schema Validation Problems

- Manual schema modification
  » Stronger typing must be manually added to schemas
  » Breaks standards
  » Highly tedious
  » Incomplete protection
- Regex capabilities inadequate

<pattern> Facet Example

<xs:simpleType name="zipcode">
  <xs:restriction base="xs:string">
    <xs:pattern value="[0-9]{5}(-[0-9]{4})?"/>
  </xs:restriction>
</xs:simpleType>

- You must specify the entire value space
- Logical negation of an expression is not possible
- Can't say: "Don't allow any documents with SELECT, WHERE, OR, 1=1 within element X."

Semantic Threat Prevention: Requirements

- Wire-speed word filter
  » Case blind or case sensitive
- Regex filter
  » Scanning for double dash, single quote and hash
- SOAP attachment scanning
  » Case blind or case sensitive
- Wire-speed schema validation for hardened schemas

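The word and regex filters of this slide, as an added example (not from the slides) that also covers the negation the <pattern> facet slide says a schema cannot express: scan every text and attribute value inside a named element for a case-blind word list and for double dash, single quote and hash. The word list, the function names and the two sample messages are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Assumed filter policy: SQL words checked case blind, plus the punctuation the
# slide names (double dash, single quote, hash). Not a list from the slides.
WORDS = ["select", "where", "or", "1=1"]
WORD_RE = re.compile(r"(?<![\w=])(%s)(?![\w=])" % "|".join(map(re.escape, WORDS)), re.I)
PUNCT_RE = re.compile(r"--|'|#")

def scan_text(text):
    """Rule names triggered by one text or attribute value, in match order."""
    hits = []
    if text:
        hits += ["word:" + m.group(1).lower() for m in WORD_RE.finditer(text)]
        hits += ["punct:" + m.group(0) for m in PUNCT_RE.finditer(text)]
    return hits

def local_name(tag):
    return tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix ElementTree adds

def scan_within(root, element_name):
    """Apply both filters to every text and attribute value inside elements whose
    local name is element_name: the "within element X" rule a schema cannot state."""
    findings = []
    for scope in root.iter():
        if local_name(scope.tag) != element_name:
            continue
        for node in scope.iter():
            values = [node.text] + list(node.attrib.values())
            findings += [(local_name(node.tag), r) for v in values for r in scan_text(v)]
    return findings

def findings_in(soap_xml, element_name="Body"):
    return scan_within(ET.fromstring(soap_xml), element_name)

def is_clean(soap_xml, element_name="Body"):
    """True when no rule fires inside the named element (the SOAP Body here)."""
    return not findings_in(soap_xml, element_name)

# Constructed messages: the slide deck's pool-table order, once as sent and once
# with an injected AccountNumber value.
ORDER = ('<S:Envelope xmlns:S="http://www.w3.org/2001/12/soap-envelope"><S:Body>'
         '<fn:Order xmlns:fn="http://www.foo.com/fakens"><Item>Pool Table</Item>'
         '<Quantity>1</Quantity><AccountNumber>%s</AccountNumber>'
         '<Price>$800.00</Price></fn:Order></S:Body></S:Envelope>')
CLEAN = ORDER % "123456789"
TAMPERED = ORDER % "123456789' OR 1=1 --"
```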
XML & Web Services: The Universal Tunnel

De-Perimeterization

XML Web Services are more than just a different class of network traffic.
XML Web Services represent a crucial paradigm shift of the network perimeter.
XML Web Services provide a universal tunnel.

Network Targets

Circa 1995      Circa 2005
SLIP/PPP        VPN (IPSec/SSL)
FTP             SCP
Telnet          SSH
Gopher          RDP
IMAP            SRTP
POP             IMAPS
rlogin          SMTP
HTTP            HTTPS
SMTP            SOAP/XML

Universal Tunnel Problems

- "I need to get this file to you and can't wait for the network guys to open up FTP, just download my WSDL and build a client for it…"
  » In principle, secure versions of existing protocols can be re-implemented quite easily over XML Web Services
- XML Web Services platforms provide quick and easy deployment of services
- Future prediction: open source XML Web Services implementing existing network protocols
  » FTP/Telnet/SSH/SCP/RDP/IMAP…

Security Cycle

[Diagram: the cycle runs through four stages in sequence]
1. 1995: proliferation of Internet-based protocols
2. Deployed protocols are porous and provide multi-vector attack opportunities
3. 2005: proliferation of secure replacements; XML Web Services developed
4. XML Web Services and the universal tunnel

Summary

- Multiple threat categories for XML
- Structural threats need limit enforcement
- Semantic threats need regex and word filtering
- Both threats are mitigated by schema validation
- All of it needs wire-speed processing
- SOAP is a universal tunnel
  » XML is more than a "type" of traffic