Add to collection(s) Add to saved
  1. Math
  2. Calculus

Formal Tools for Web Services Security

advertisement 
DIMACS workshop, May 5—6 2005
Formal Tools for
Web Services Security
Cédric Fournet
Microsoft Research, Cambridge
joint work with
Karthik Bhargavan, Andy Gordon, Greg O’Shea,
Riccardo Pucella, Ricardo Corin
MSRC Samoa: Details, papers, tools, pointers at http://Securing.WS
Our starting point (2003)
Two parallel trends over past five years:

Rapid invention and deployment of XML-based
crypto protocols for securing web services




Flexible message formats for interop
Enables home-grown protocols
New crypto protocols are often wrong, XML or not
Sustained and successful effort to develop
formalisms and tools to verify crypto protocols


(Dolev&Yao, BAN,) FDR, Athena, Isabelle, ProVerif, …
At MSRC: spi, sjoin, Cryptyc, applied pi calculus, …
Timely opportunity to develop tools for validating
standards-based XML crypto protocols
Web Services Security


SOAP level security aims to provide end-to-end,
compositional application-level security,
independently of transport protocol
Fresh standards:




Security Roadmap
WS-Security, May 2004 (Draft: Apr 2002)
WS-Trust, WS-SecureConversation,
WS-SecurityPolicy,…
A grammar for SOAP-based security protocols



Automated processing of security headers
Informal semantics except for XML syntax
Security tokens = wire format for claims and evidence

Keys, certificates, x509 signatures, Kerberos tickets,…
Securing SOAP Messages
UsernameToken assumes
both parties know Alice’s
secret password p
<Envelope>
<Header>
<Security>
<UsernameToken Id=1>
<Security> header
<Username>“Alice"
defined by OASIS
<Nonce>"mTbzQM84RkFqza+lIes/xw=="
Each DigestValue is a
WS-Security 2004
<Created>"2004-09-01T13:31:50Z"
cryptographic hash of
includes identity
<Signature>
the URI target
tokens, signatures,
<SignedInfo>
<SignatureMethod Algorithm=hmac-sha1>
encrypted message
<Reference URI=#2>
parts
<DigestValue>"U9sBHidIkVvKA4vZo0gGKxMhA1g=“
<SignatureValue>"8/ohMBZ5JwzYyu+POU/v879R01s="
<KeyInfo>
Dozens of
<SecurityTokenReference>
implementations,
<Reference URI=#1 ValueType=UsernameToken>
including Microsoft <Body Id=2>
hmacsha1(key, SignedInfo)
Web Services
<StockQuoteRequest>
<symbols>
where
Enhancements
<Symbol>"FABRIKAM"
keypsha1(p+nonce+created)
(WSE)
<Symbol>"CONTOSO"
Attacks on SOAP security

Web services vulnerable to same sorts of attacks as
conventional websites


Buffer overruns, denial of service, SQL injection, etc
New concerns: flexible, XML-based protocols


Web services developers can design and deploy
their own application-specific security protocols
XML message format open to rewriting attacks




Much like classic active attackers (Needham-Schroeder ’78)
Opponent can redirect, replay, modify, impersonate
New: message processing is driven by a flexible,
semi-structured message format
Flexibility is usually bad news for security

We have found a range of problems in specs & code,
thus motivating our research on theory and tools
A Signed SOAP Message Before...
Message to bank’s web
service says: “Transfer $1000
to Bob, signed Alice”
<Envelope>
<Header>
<Security>
<UsernameToken Id=2>
<Username>Alice</>
Bank can verify the
<Nonce>cGxr8w2AnBUzuhLzDYDoVw==</>
signature has been
<Created>2003-02-04T16:49:45Z</>
computed using key
<Signature>
<SignedInfo>
derived from Alice’s
<Reference URI= #1><DigestValue>Ego0...</>
secret password
<SignatureValue>vSB9JU/Wr8ykpAlaxCx2KdvjZcc=</>
<KeyInfo>
<SecurityTokenReference><Reference URI=#2/>
<Body Id=1>
<TransferFunds>
<beneficiary>Bob</>
<amount>1000</>
and After an XML Rewriting Attack
Charlie has intercepted and
rewritten this message
<Envelope>
<Header>
<Security>
<UsernameToken Id=2>
The indirect signature of the
<Username>Alice</>
body, now hidden in
<Nonce>cGxr8w2AnBUzuhLzDYDoVw==</>
<Created>2003-02-04T16:49:45Z</>
BogusHeader, may still
<Signature>
appear valid
<SignedInfo>
<Reference URI= #1><DigestValue>Ego0...</>
<SignatureValue>vSB9JU/Wr8ykpAlaxCx2KdvjZcc=</>
<KeyInfo>
<SecurityTokenReference><Reference URI=#2/>
<BogusHeader>
<Body Id=1>
Although Alice’s password
<TransferFunds>
<beneficiary>Bob</>
has not been broken, the
<amount>1000</>
message now reads
<Body>
“Transfer $5000 to Charlie,
<TransferFunds>
<beneficiary>Charlie</>
signed Alice”
<amount>5000</>
The Samoa Project: Tools

If misconfigured or mis-implemented, WS-Security
protocols vulnerable to XML rewriting attacks

TulaFale — shows the absence of such attacks
given a description of the protocol



Policy generator/analyzer — produces TulaFale
from declarative XML policy files that drive WSE 2.0



First analysis tool for XML-based crypto protocols
Automatic analysis of hand-written models via
applied pi calculus and Bruno Blanchet’s ProVerif tool
Hence, can directly analyze WSE 2.0 configurations
First source-based formal verification of interoperable
implementations of crypto protocols
Policy advisor — runs 35+ queries for security
errors found in reviews of sample policies
TulaFale
TulaFale: a language for WS-Sec
We designed TulaFale, a
programming language to
model WSE protocols and
hand-wrote models for a
series of WSE protocols
(POPL’04, FMCO’03)
TulaFale =
pi + XML + predicates + assertions
What TulaFale does
TulaFale
script
predicate
library
WSE 1.0 out of the box
TulaFale
C# code
intermediate pi-calculus
WSE 1.0
CLR
(IL)
SOAP
processing
ProVerif Analyzer
OK, or
[B. Blanchet]
No because…
Pi Calculus & Cryptography

Milner, Parrow, Walker (1989)


Computation is name-passing
between parallel processes on
named channels. Each name
has a mobile scope.
Spi calculus: Pi + cryptographic
operations (Abadi Gordon 1999)



Mobile scopes can represent
local keys and fresh nonces
Processes represent protocol configurations
Contexts represent active attackers

Applied Pi: Pi + equational theory (Abadi Fournet 2001)

There is a generally-useful theory (equivalences, proofs)

Using tools such as ProVerif (Blanchet 2001—), we can mix
manual and automated proofs of various security properties
Example: A Secure RPC

A typical system model:




Threat model: an active attacker, in control of
network, but knowing none of:




A single certification authority (CA) issuing X.509 public-key
certificates for services, signed with the CA's private key.
Two servers, each equipped with a public key certified by
the CA and exporting an arbitrary number of web services
Multiple clients, acting on behalf of human users
The private key of the CA
The private key of any public key certified by the CA
The password of any user in the database
Security goals: authentication of each message;
and correlation of request and response
An intended run of the protocol
Server(sx,cert,S)
Client(kr,U)
begin C1 (U,S,id1,t1,b1)
isMsg1(-,U,S,id1,t1,b1)
end C1 (U,S,id1,t1,b1)
begin C2 (U,S,id1,t1,b1,id2,t2,b2)
isMsg2(-,S,id1,id2,t2,b2)
end C2 (U,S,id1,t1,b1,id2,t2,b2)
Msg 1 includes signature of
S,id1,t1,b1 under key derived
from username token for U
Msg 2 includes signature
of id1,id2,t2,b2 under
public key of S
pi+XML+predicates+assertions
TulaFale predicates
defined by Horn clauses
with message patterns
For example, this
predicate is used
in two ways,
to construct and
parse Message 1
TulaFale messages are
terms in a many-sorted
algebra with sorts:
pi+XML+predicates+assertions
TulaFale library
includes predefined
predicates for XML
signatures and
encryption
For example, this
predicate uses these
predicates to check
structure of Message 1
pi+XML+predicates+assertions
The implicit attacker, running in parallel, can:
 Send and receive on the soap channel
 Generate arbitrarily many users and services
 Initiate arbitrarily many sessions
pi+XML+predicates+assertions
By sending a message on
init, the attacker can pick
any payload and destination
Each begin-event marks
the intent to send a message
Messages are exchanged on a public SOAP channel
Each end-event marks
the intent to accept a message as valid
Some Tulafale queries
We also run basic reachability
queries (sanity checks)
We verify two correspondence properties from
end-events to begin-event with matching
contents (including both messages for C2)
Suppose a client does not sign the message identifier id1...
Opponent
Client(kr,U)
Server(sx,cert,S)
begin C1 (U,S,id1,t1,b1)
isMsg1(-,U,S,
id1,t1,b1)
Copy
end C1 (U,S,id1,t1,b1)
id1:=id2,
Replay
isMsg1(-,U,S,
id2,t1,b1)
end C1 (U,S,id2,t1,b1)
Pair (id1,t1) uniquely identifies the message only if id1 and t1 are signed
We found and fixed faults like this in preliminary WSE samples
What else might go wrong?
Opponent
Client(kr,U)
isMsg1(-,U,S,
id1,t1,b1)
Call 1
SOAP
Fault
Call 2,
re-using
id1
Server(sx,cert,S)
begin C2 (U,S,id1,t1,b1,id2,t2,b2)
isMsg2(-,S,id1,
id2,t2,b2)
isMsg1(-,U,S,
id1,t1’,b1’)
isMsg2(-,S,id1,
id2,t2,b2)
end C2 (U,S,id1,t1’,b1’,id2,t2,b2)
If the client doesn’t generate fresh id1’s, then message
correlation (C2) fails; the tool easily finds this bug
Secure Conversations
A TulaFale Summer Case Study

WS-Security provides basic mechanisms to secure
SOAP traffic, one message at a time


If a SOAP interaction consists of multiple, related
messages, WS-Security alone may be inefficient,
and does not secure session integrity


Signing and encryption keys derived from long-lived
secrets like passwords or private keys
Standard idea: establish short-lived session key
Recent specs describe this idea at the SOAP-level


WS-SecureConversation defines security contexts,
used to secure sessions between two parties
WS-Trust defines how security contexts are issued and
obtained
A Typical System
1. RST
STS
Trust
2. RSTR
SCT
Client
SCs
S
C
Secure
Conv
3. “Session Exchanges”
…
Service
STS = Security Token Server
SC = Security Context
RST = Request Security Token
SCT = SC Token
RSTR = RST Response
Open-Ended Conversations
begin Cn

Service
Client
get
SC
get
SC
end Cn
begin C’n
end C’n
for n ¸ 0

We prove authentication
for
whole sessions
We rely on some
combination of manual
and automated proofs
Discussion

A first formal analysis of WS-Trust and
WS-SecureConversation



As is common, these specs:



XML syntax and automation very effective,
against a demanding, realistic attacker model
Approx 1000 lines of script – too large for manual proofs
focus on message formats for interoperability
are non-committal regarding security,
for example, no clear spec of contents of SCs
By making modes, data, and goals explicit, we
found design and implementation bugs
Policy-Based Security
Security Policies

Clients, services use XML files to pick security mechanisms
 Located
in same IIS virtual directory
<Policy
Id=“Msg1">
<All>
 Describe protocols to use for different services
<Confidentiality>
 Simple
declarative description of deployed protocols
<TokenInfo>



<SecurityToken>
No
need to look at messy C# code
<TokenType>X509v3</>
We analyze policy files collected from client and servers
<Claims><SubjectName>S</></>
Easy
to get them wrong
<MessageParts>Body()</>
<Integrity>
 Many policies are insecure
<TokenInfo>
 Combination of policies may have unexpected effects
<SecurityToken>
<TokenType>UsernameToken</>
<Claims><SubjectName>U</></>
<MessageParts>Body() Header("To") Header("MessageId”)</>
Modelling Security Policies
In WSE 2.0, WS-SecurityPolicy
files drive security; hence, we
can generate TulaFale directly
from implementation files
(CCS’04)
What our tools do
spec L of a
secure link
Generator C(-)
Analyzer S(-,-)
WSE 2.0 out of the box
C# code
policy config
C(L)
WSE 2.0
CLR
(IL)
SOAP
processing
Static
warnings
predicate
library
TulaFale script
S(C(L),L)
TulaFale
ProVerif
(pi calculus)
OK, or
No because…
Security for Any Client Policy?

Theorem: If a service uses a link-generated policy, then
irrespective of the client policies, the resulting configuration
preserves request authentication and response secrecy

Hence, naïve clients cannot break service authentication

Proof:


Combination of automated proofs and manual reasoning
Hint: Even the weakest send policy preserves
secrecy of passwords and signing keys
WSE2 Policy Advisor
(demo)
Summary

Web services security specs encourage extreme flexibility




We bridge the gap between theoretical pi threat model
and XML as used in WS security protocols




Put effort into real samples & implementations, found bugs
Obtained theorems about wire-level protocols
Exploited automation for authentication & secrecy properties
We develop tools for the automated analysis of
security for deployed systems based on crypto protocols



Message formats, composable protocols, configurations
Specs and implementations are only just emerging
Attacks and proofs are subtle: tool support needed
Proving protocols secure in isolation is not enough
Our tools find attacks, verify configs, generate safe configs
Good place to develop formal tools, get positive results

Standard message formats, composition, wide applicability
Details, papers, tools, pointers at http://Securing.WS
Related documents
Significant Concepts in the MYP
Significant Concepts in the MYP
Ibo Culture vs
Ibo Culture vs
Things Fall Apart Global Studies Name __________________________________________
Things Fall Apart Global Studies Name __________________________________________
IB Physics SL 11 2013-2014
IB Physics SL 11 2013-2014
IB subject guide - University System of Georgia
IB subject guide - University System of Georgia
Download
advertisement