
June 30, 2005

Writing Secure Web Applications (TS-5111)

Password Vulnerabilities:
A password that can be compromised because of site design rather than user carelessness. The compromise can happen on the client, on the server, or in transit.
Typical Attacks:

  • Internal attacks via disks or backup tapes.
  • External attacks via e-mail snooping or browser memory snooping.

    Scripting Vulnerabilities:
    Research Cross-Site Scripting (XSS) vulnerabilities, which can lead to JavaScript and JSP injection through form fields. Such a vulnerability could allow an attacker to read session information and assume someone else's identity.

    Improper Error Handling Vulnerabilities:
    Mishandling of errors can lead to access being denied but the operation partially or wholly succeeding. Error handling frequently exposes sensitive information. Always validate data going into error messages (beware XSS!). Ensure error checking occurs as early as possible. Ensure errors terminate operations: do not swallow exceptions.

    Insecure Storage Vulnerabilities:
    On-disk or in-memory artifacts that are improperly secured. Frequently leads to insecure passwords, caches and configurations. The 'phpAnyVote' module stores the username unencrypted in a cookie, which allows user spoofing. This can be prevented by using encryption and signing as needed. Use OS security whenever available.

    Injection Flaw Vulnerabilities:
    User input is not validated, normalized, or escaped before being passed to a backend program. Closely related to XSS vulnerabilities. SQL injection is the best-known example. One way to limit the damage is to run the server with as few privileges as possible (not root). Prevention means normalizing user input early (remove %XX and \0xx escapes) and validating it early (produce error messages when input is invalid).

    Denial of Service Vulnerabilities:
    The site is rendered inaccessible or unusable. Comes in two forms: distributed DoS (DDoS) and basic DoS. DDoS overwhelms the server(s) with intense network activity and is difficult to defend against; it is often orchestrated using zombie machines. Basic DoS seeks to use up all of a limited resource: open connections but send no data or slow data, or disconnect or abandon connections abruptly.

    June 29, 2005

    Mobile Bluetooth Networking with JSR 82 (TS-3234)

    Networks formed using Bluetooth protocol are:

  • Piconet - star topology with one master and 1-7 slaves
  • Scatternet - extends a Piconet where the master becomes slave to an external node

    JSR 82:
    Lots of software development kits available, some free and others for a fee.

    There is some confusion around the terminology of client and server. In order to be a master node in Bluetooth, you must initiate a connection to slave nodes; however, in Java terminology the initiator is usually called the client, and the receiver is called the server.

    Master-Slave relationships are determined through the "Master=" parameter supplied in a connection string. Supplying "Master=true" indicates an interest in being the master. Supplying "Master=false" indicates indifference to the role.

    Five Ways to Use BPEL with Java Technology (TS-3532)

    What is BPEL?:
    BPEL is driven by the trends of increasingly demanding users, and increasingly complex infrastructure. JBI looks to support highly connected applications and systems. Declarative programming makes customization of applications easier without "bleeding" into business rules. Goal is to provide a one-to-one mapping from the business owner's process to the application process expressed in a high-level language (BPEL).

    "My First BPEL Process" Demo:
    There is a BPEL designer plugin for Eclipse (need to check out), and one for Oracle JDeveloper. The visual concepts used at design time are available for viewing in the application server console.

    BPEL Interaction Patterns:

  • Synchronous request-response
  • Fire-and-Forget (one-way messaging)
  • Asynchronous request-response
  • Partial processing (acknowledgement response is immediate, but processing results are delivered at a later time)
  • Progress observer (like partial processing, but provides introspection into processing status)

    BPEL & JSF:
    Java Server Faces (JSF) can be used to present BPEL process results in all manner of formats, including HTML, XML, etc.

    Project Looking Glass - Cool LG3D Apps and How to Write Them (TS-7992)

    LG3D is available from Sun at http://lg3d.dev.java.net/.

    Background:
    Looking Glass is a next generation 3D UI exploration project based on Java technology. It hosts existing 2D apps in a 3D space. It provides APIs for 3D app development and is evolving in the open source community. It was open sourced in 2004 under the GPL.

    Demos (most available on Java.net):
    There is a cool feature that allows navigation of photos using a ferris-wheel analogy controlled by the mouse scroll wheel.

    A scheduling program (CosmoSchedulerD) uses a graphical solar system to indicate temporal proximity (location in ring) and importance (size of planet).

    Virtual desktops are seamlessly integrated, and can be displayed in unison in a panorama view.

    A reference was made to James Burke's "knowledge web" concepts. Events can be linked graphically using a sphere full of linear connections. The demo illustrated events linking Mozart to the helicopter. The goal is to not provide just static information, but to provide opportunities to interact richly with the information.

    Creating LG3D Apps:
    Environment is composed of a Background, Taskbar, Global Light, and an all-encompassing Frame3D. It's built entirely upon the Java 3D APIs in J2SE.

    Example:


    // Assumes the LG3D widget package org.jdesktop.lg3d.wg (imports were not shown in the talk's snippet)
    import org.jdesktop.lg3d.wg.Component3D;
    import org.jdesktop.lg3d.wg.Container3D;
    import org.jdesktop.lg3d.wg.Frame3D;

    Frame3D frame = new Frame3D();
    Container3D container = new Container3D();
    Component3D comp = new Component3D();

    // Creation of a shape - set geometry,
    // appearance, texture, animation, etc.
    comp.addChild(aShape);

    // Initialize event handling
    comp.addListener(anEventListener);

    // Initialize animation
    comp.setAnimation(anAnimation);

    // Assemble the scene graph, then show and enable the frame
    container.addChild(comp);
    frame.addChild(container);
    frame.changeVisibility(true);
    frame.changeEnabled(true);

    Moving Forward:
    The 0.7 release was recently made public. It has WebStart support to simplify installation. It has an "App" mode that enables you to run the full LG3D desktop on user's existing desktop (window-mode rather than full-screen).

    Over the next year, the LG3D team plans to enrich the platform by including identity and collaboration features. Also a task-oriented UI will be developed.

    Web Services Security Attacks in Action (TS-5398)

    Presented by Rich Salz from DataPower Technology.

    Goal:
    Understand some types of syntactic and semantic attacks for Web Services applications.

    Definitions:
    Syntactic attack: a "generic XML" attack
    Semantic attack: leveraging the structure and processing rules of SOAP, WS-xxx, or the payload
    XDoS: because of XML (insanely large XML payloads, I assume).

    Simple Syntactic Attacks:
    Could be composed of random bits, not XML.

    Simple Overflows:

  • Huge XML (size, depth, width)
  • Huge element name
  • Huge attribute name
  • Big number of namespaces
  • Huge number of attributes
  • Huge text

    DTD Syntax Attacks:

  • XXE: XML External Entity
  • Or, a really big DTD.
  • Million laughs: 2**26 entity expansion (nested entity definitions that multiply on every level of expansion)
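    Added example (mine, not from the talk) covering both lists above: a DOM parser configured the way the JDK's built-in Xerces allows, so that any DOCTYPE is refused, which rules out external entities (XXE) and entity-expansion bombs in one stroke. The two malicious documents are constructed, and the "laughs" one is deliberately tiny (4 levels of 4, 256 copies); the real thing uses far more levels.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public final class HardenedXmlParser {
    // Constructed inputs: a small entity-expansion bomb and an external-entity probe.
    static final String LAUGHS =
        "<?xml version=\"1.0\"?><!DOCTYPE lolz [<!ENTITY a \"ha\">"
        + "<!ENTITY b \"&a;&a;&a;&a;\"><!ENTITY c \"&b;&b;&b;&b;\">"
        + "<!ENTITY d \"&c;&c;&c;&c;\">]><lolz>&d;&d;&d;&d;</lolz>";
    static final String XXE =
        "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]><foo>&xxe;</foo>";

    /** DOM builder that refuses any DOCTYPE: no entity definitions, so no expansion and no external fetches. */
    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);   // Xerces/JDK feature
        // Belt and braces for parsers that ignore the line above:
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses with the hardened builder; returns the root element name, or null if the document was rejected. */
    public static String parseRootName(String xml) throws Exception {
        try {
            Document d = hardenedBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            return null;   // e.getMessage() says "DOCTYPE is disallowed" for both attack inputs
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain : " + parseRootName("<ok><child/></ok>"));   // ok
        System.out.println("laughs: " + parseRootName(LAUGHS));                // null
        System.out.println("xxe   : " + parseRootName(XXE));                   // null
    }
}
```

    Rejecting the DOCTYPE does nothing about the "huge XML" overflows in the first list (size, depth, width, element and attribute counts); those are bounded by capping the request body size before it reaches the parser and, on recent JDKs, by the jdk.xml.* entity and element limits.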

    Simple Semantic Attacks:

  • Really big schema
  • Really big stylesheet (don't run untrusted code)
  • XSLT in general

    Semantic Attack: Discovery:
    Expose only what's necessary. Service discovery is not a great idea, since WSDL could expose vulnerable functionality.

    Semantic Attack: Distributed ID Monte:
    Policy says that the message body must be signed. The Signature's Reference uses URI="#body" to point to the Body. The attacker moves the signed Body element into a SOAP Header and installs a false Body in its place: the signature still covers the original (now relocated) element, so it verifies, while the unsigned false Body is what gets processed. Don't quite understand the details of this attack since it was poorly explained.
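    Added example (mine, not from the talk) of the part of that attack that is easy to pin down: a verifier that resolves the Reference by looking for the wsu:Id anywhere in the document will find the relocated, signed element and be satisfied, whereas a check that the signed element is the actual Envelope/Body child catches the swap. The wrapped envelope is constructed; the XML-DSig verification of the referenced element is assumed to have already passed and is not shown.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public final class SignedBodyCheck {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSU  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    // Constructed wrapped message: the element carrying wsu:Id="body" (the one the signature covers) now
    // sits under Header, and an unsigned Body with the attacker's content sits where the Body belongs.
    static final String WRAPPED =
        "<soap:Envelope xmlns:soap=\"" + SOAP + "\" xmlns:wsu=\"" + WSU + "\">"
        + "<soap:Header><Wrapper><soap:Body wsu:Id=\"body\">"
        + "<transfer to=\"alice\" amount=\"10\"/></soap:Body></Wrapper></soap:Header>"
        + "<soap:Body><transfer to=\"mallory\" amount=\"1000000\"/></soap:Body>"
        + "</soap:Envelope>";

    /** Naive resolver: returns the element with the referenced wsu:Id wherever it is in the document. */
    public static Element resolveById(Document doc, String id) {
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (id.equals(e.getAttributeNS(WSU, "Id"))) return e;
        }
        return null;
    }

    /** Positional check: the element the signature covers must be the very Body that will be processed. */
    public static boolean signedElementIsTheBody(Document doc, String id) {
        Element signed = resolveById(doc, id);
        if (signed == null) return false;
        Element envelope = doc.getDocumentElement();
        for (Node n = envelope.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n instanceof Element && SOAP.equals(n.getNamespaceURI()) && "Body".equals(n.getLocalName())) {
                return n.isSameNode(signed);   // first (and only) Body child of Envelope
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder().parse(
            new ByteArrayInputStream(WRAPPED.getBytes(StandardCharsets.UTF_8)));
        Element signed = resolveById(doc, "body");
        System.out.println("signed element found under: " + signed.getParentNode().getNodeName());   // Wrapper
        System.out.println("signed element is the processed Body: " + signedElementIsTheBody(doc, "body")); // false
    }
}
```

    The general lesson is that "the Body is signed" must mean "the element at the Body position is signed"; a policy expressed as an Id reference alone is satisfied by the attacker's rearranged message.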

    What's Happening with JMX Technology (TS-7171)

    JMX is included in the J2SE 5.0 and J2EE 1.4 specifications, and requires no additional labor or modules to get working.

    MBeans:
    An MBean is a named managed object representing a resource: program module, device, collection of statistics, etc. MBeans consist of attributes (read/write), operations, and the notifications that the MBean can send.

    JConsole can be used to track memory usage and interact with MBeans. JConsole is included in J2SE 5.0, but I'm not sure if it's available in any of the 1.4.2 VMs.

    MBeans don't provide the ability to aggregate attributes into Collections; rather, multiple attributes must be exposed separately by the MBean. MXBeans are working to address this problem. However, a problem with MXBeans is that JMX clients must have the Collections classes used by the MXBean object.

    An alternative to both MBeans and MXBeans is Open MBeans, which expose a CompositeData collection of named and typed items. Types come from the predefined set of Open Types.

    Monitors:
    The JMX API includes threshold monitors, which are already available in Tiger (5.0). A Monitor MBean periodically samples an attribute in one or more other MBeans. It sends a notification if an attribute exceeds its configured threshold.

    Descriptors:
    Available in Mustang, descriptors allow generic clients (e.g., JConsole) to make inferences about the M(X)Bean attributes. Descriptors can be generated from annotations embedded in MBean classes.

    Remote Clients:
    The JMX Remote API uses connectors to support remote access using RMI, IIOP, SOAP, etc. A Web Services Connector (JSR 262) provides access from non-Java clients such as Perl, C#, etc. XML serialization replaces Java serialization since it's an XML Web Service. An additional advantage is that the connector is firewall-friendly. Interestingly, it is a goal for the client to not need to know the server's data model. This permits a generic client, such as JConsole.

    Two protocol standards are emerging: WS-Management and WSDM. They both cover distributed management using Web Services. It will be interesting to see how notification of remote clients will be provided. One model (push-pull) requires the client to subscribe to events on the server, and then the server contacts the client through a web service exposed on the client side. Disadvantage here is that

    June 28, 2005

    Java APIs for XML-Based Web Services Addressing: An Overview of JSR 261 (BOF-9061)

    WS-Addressing Core 1.0:
    WS-Addressing normalizes the information typically provided by transport protocols and messaging systems (defined as an Infoset, with an XML representation). An Endpoint Reference generalizes a URI; the referenced endpoint need not be a web service.

    Endpoint Reference:
    The address is an IRI (the international version of a URI), and is not necessarily a network address. Reference parameters, such as SOAP cookies, are available. Metadata can be exchanged, too.

    Mac OS X and Java Technology: The Ultimate Development and Deployment Platform for J2SE (BOF 9823)

    Presented by Alan Samuel from Apple.

    Java performance on Tiger is measurably better than on Panther due to bug fixes and performance enhancements, largely because the Java implementation is built upon core OS functionality. Also, the 1.3 implementation was Carbon-based, and subsequent implementations have been Cocoa-based. The Aqua look-and-feel is everywhere since the JVM is built on Cocoa.

    Tiger included three JVM implementations: 1.3.1, 1.4.2 and 5.0. The default JVM is 1.4.2. The default can be specified using the Java Preferences panel.

    G5 performance is more than double the performance on a G4 CPU of comparable frequency. This is due to the use of the 64-bit address space.

    Bonjour for Java is a network-discovery protocol. It's bundled with Tiger, and available for Windows. I'd like to look into the Rendezvous APIs for Java.

    Shark can be used to identify hot allocations and hot methods. It works with all Java versions (5.0, 1.4.2, 1.3.1). Add -XrunShark to your Java flags, and attach to your Java application to obtain profiling output. It appears that Shark is available only in Xcode 2.1, or Tiger.

    Regarding the Intel move, Java 1.3.1 applications need to be compiled with C2, which performs up-front compilation and yields poorer performance. Java 1.4.2 and 5.0 apps use C1, which uses the HotSpot JIT compiler and requires no changes in process.

    Strategies for Securing Java Technology Code (TS-5210)

    Presenter is Mark Lambert from Parasoft (parasoft.com).

    Goal:
    Learn how to develop secure Java technology-based applications and avoid un-authorized access to privileged data.

    Introduction:
    Application security is not the same as network security. The network doesn't control access to data and resources. Therefore, the application needs to defend itself against attacks to prevent misuse of its access mechanisms. Gartner says 75% of hacks happen at the application level. NIST says 92% of vulnerabilities are at the application level. Security issues are often not taken seriously until they result in threats of litigation.

    Misconceptions:

  • Runtime errors are not important - until they expose internal information, or they consume resources. Stack traces need to be kept private and inspected.
  • Penetration testing is the solution - but it's complex, time consuming, and resource intensive.
  • Web services are not vulnerable - but they're often poorly tested and rarely security tested. They are often rushed into production, and the API is potentially open to the world.

    Establish Responsibility:
    Gartner says the developer is 3x more likely than sys-admin to be the culprit of a vulnerability. Ethical hacking is not a good solution since it often results in detection of the symptoms, not the cause.

    Priorities:
    Protecting sensitive data, information integrity, authentication, authorization, and compliance and auditing (HIPAA, SOX, etc.).

    Implementing a secure application:
    Prevention can be done through education and coding standards. Inspection is less desirable since it's performed after the fact, but it is still necessary.

    Inside:
    Code analysis, unit tests

    Outside:
    Penetration tests, regression tests, load tests

    "Inside the Code" Strategies:
    Coding guidelines, code defensively, expose & correct bugs. Goal is to create clean code from the start.

    Coding Guidelines:
    Does not mean "beautification." Protect data from external access, ensure that Java security mechanisms are used properly, identify where data is exposed, identify insecure code. Have a consistent way of applying protection mechanisms.

    Coding guideline highlights:

  • Avoid inner classes: there is no concept of inner classes in Java bytecode; the compiler translates them into package-scoped classes. The suggested mitigation is to make inner classes private.
  • Don't compare classes by name, since a replacement class with the same name can be used to insert malicious code.
  • Make classes non-cloneable, since cloning bypasses the constructor. If cloning is required, make the clone method final.
  • Serialization lets an attacker view the full internal state. Define a final writeObject() method, and mark sensitive fields transient.
  • Avoid returning mutable objects, since that lets the caller change the object's state.
  • Declare classes and methods final whenever possible, documenting the exceptions.
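    Added example (mine, not from the talk) of a small class that follows those guidelines at once: final class, defensive copies in and out, cloning disabled, serialization refused from a final writeObject() with the secret marked transient, and an equals() that compares class identity rather than class name. The class implements Serializable only to show the writeObject() guard (assumed to be demanded by a framework); the credential values are constructed.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Arrays;

/** Final: no subclass can override behaviour or widen access. */
public final class Credential implements Serializable {
    private final String user;
    private final transient char[] secret;   // transient: never part of any serialized form

    public Credential(String user, char[] secret) {
        this.user = user;
        this.secret = secret.clone();        // defensive copy in: the caller's array cannot alter us later
    }

    public String getUser() { return user; }

    /** Returns a copy; the caller cannot mutate internal state through the returned array. */
    public char[] getSecret() { return secret.clone(); }

    /** Cloning would bypass the constructor, so it is disabled outright, and final so it stays disabled. */
    @Override
    protected final Object clone() throws CloneNotSupportedException {
        throw new CloneNotSupportedException();
    }

    /** Serialization would expose internal state; refuse it. Private and final: cannot be overridden. */
    private final void writeObject(ObjectOutputStream out) throws IOException {
        throw new NotSerializableException(Credential.class.getName());
    }

    /** Compares by class identity, not by class name: a look-alike class from another loader does not match. */
    @Override
    public boolean equals(Object o) {
        if (this == o) return true;
        if (o == null || o.getClass() != Credential.class) return false;
        Credential other = (Credential) o;
        return user.equals(other.user) && Arrays.equals(secret, other.secret);
    }

    @Override
    public int hashCode() { return user.hashCode(); }

    public static void main(String[] args) throws IOException {
        Credential c = new Credential("alice", "s3cret".toCharArray());   // constructed values
        char[] leaked = c.getSecret();
        leaked[0] = 'X';                                   // modifies only the copy
        System.out.println(new String(c.getSecret()));     // s3cret
        try {
            new ObjectOutputStream(new ByteArrayOutputStream()).writeObject(c);
        } catch (NotSerializableException e) {
            System.out.println("serialization refused: " + e.getMessage());
        }
    }
}
```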

    Defensive Coding:
    Defensive coding includes keeping security mechanisms centralized: logging, software firewalls, and database access. Avoid dangerous functions: native code and external components (have a consistent policy for accessing external components).

    Defensive firewalls are not network firewalls, but they operate similarly. They ensure that code reached by an attacker cannot call into certain sections of the program. This can be done by creating a Throwable and validating the stack trace to ensure that only certain client code can access vulnerable portions of the system.
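    Added example (mine, not from the talk) of that stack-trace check: the protected method inspects the frame two levels up and refuses any caller whose class is not on an allow-list. The nested BillingService class stands in for the one trusted caller; the names are assumptions for the demo.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public final class CallerGate {
    /** Fully qualified names of the classes allowed to call into the sensitive API (assumed). */
    private static final Set<String> ALLOWED_CALLERS =
        Collections.unmodifiableSet(new HashSet<String>(Collections.singleton("CallerGate$BillingService")));

    /** Throws unless the immediate caller of the protected method is on the allow-list. */
    static void checkCaller() {
        StackTraceElement[] st = new Throwable().getStackTrace();
        // st[0] = checkCaller, st[1] = the protected method, st[2] = whoever called it
        String caller = st.length < 3 ? "<unknown>" : st[2].getClassName();
        if (!ALLOWED_CALLERS.contains(caller)) {
            throw new SecurityException("call from " + caller + " not permitted");
        }
    }

    /** The sensitive operation, reachable only through an allowed caller. */
    public static String exportLedger() {
        checkCaller();
        return "ledger-export";
    }

    /** The one trusted entry point. */
    static final class BillingService {
        static String run() { return exportLedger(); }
    }

    public static void main(String[] args) {
        System.out.println("via BillingService: " + BillingService.run());   // ledger-export
        try {
            exportLedger();   // caller is CallerGate.main, which is not on the list
        } catch (SecurityException e) {
            System.out.println("direct call: " + e.getMessage());
        }
    }
}
```

    Treat this as a tripwire rather than a boundary: it keys on a class name, which is exactly what the coding guidelines above warn against comparing, and anyone who can load classes into the JVM can put that name on the stack. Package-private visibility, a SecurityManager policy, or a proper privilege check tied to the caller's identity is the stronger control.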

    All external inputs need to be validated using assertions, "if" statements, and design-by-contract.

    SQL injection can be combatted by using PreparedStatement. Building the SQL text by string concatenation and running it through Statement.executeQuery() allows user input to contribute SQL syntax, including malicious instructions. PreparedStatement keeps the SQL text fixed and sends the arguments as typed parameters, with type checking and without any additional labor.

    Design by contract tools are capable of generating pre- and post-conditions automatically, creating a firewall-like system.

    A real problem with application-level vulnerabilities is that security bugs are not seen as being in the same class as functional bugs. They often result from unspecified program behavior, which indicates a mistake at design and implementation time.

    Penetration testing guidelines can be found at OWASP (WebGoat), NIST, PCI, others.

    Implementing a Security Policy:

  • determine risks/threats
  • develop countermeasures as Security Policy
  • implement Security Policy process at code level
  • eliminate security vulnerabilities in code
  • test application from 'outside'
  • address problems found by fixing code
  • regression test

    There are trade-offs between security and optimal performance, following requirements, and achieving milestones.

    What's New & Cool in JDeveloper (TS-4925)

    Oracle JDeveloper 10G supports the latest J2EE 1.4 specifications. There is also a BPEL Process Manager and Designer (look into). There is support for J2SE 5.0 platform (including editor features), integrated refactoring, code assistance, and improved support for JUnit and Ant.

    There is a history feature in the IDE that can be useful for reversing actions without relying on CVS or some other source control. Apparently there is a CVS client included with 10G, along with SSH support, so there is no need to install the CVS binary if only connecting to a remote CVS repository. I'm wondering if we're using the latest version of JDeveloper 10G (demo was showing the nightly build). It'll remove files from CVS when refactoring the name of a Java class (nice, like IntelliJ).

    EJB 3.0 annotations and descriptor based deployments are supported. Not much more to say on this...

    I need to look into the ability of Java Server Faces (JSR 227) to provide multiple interfaces (Web Services, web app, console) to a single interactive component. It's nice that all of the JSF and Struts configuration files that JDeveloper produces are compatible with any J2EE-compliant application server.

    BPEL integration is included. Interactions with external systems is conducted through "PartnerLink" references. Fault handlers and invocations can be assigned to partner interactions. Switch statements can be placed in-line to direct process flow.

    June 27, 2005

    EJB 3.0 (TS-7969)

    The goal with EJB 3.0 is ease of deployment and configuration. Removed the need for EJBHomes and EJBObjects. JNDI APIs are abstracted away from the developer and client view. Deployment descriptors are no longer required. Metadata is used wherever possible. Inversion of contracts: the bean specifies what it needs through metadata, and the container interposes to provide the requested services. EJB-specific interfaces are eliminated, so EJBs are simply plain Java objects implementing the business interface. Seems like JNDI is going away...

    A lot of resource management has been done through EJB lifecycle methods (e.g., ejbCreate, ejbRemove), which are now represented by metadata/annotations. Dependency injection is used to obtain things like data sources, environment entries, the timer service, other beans, etc.

    Dynamic lookup of EJBs is managed at the Bean class level, and resolved by the container at runtime. Remoteness of EJBs is handled under the covers, with remote exceptions being moved away from client developer unless specified otherwise. Wrapped in an EJBException that's used for both local and remote EJBs.

    Container-managed transactions are used by default. Transactionality can be specified at both the class and method levels. Omitting any transactionality metadata results in all methods in the class using CMT with the Required transaction attribute.

    Security issues are usually addressed at the time of deployment, but developers can provide guidance by specifying roles capable of invoking methods.

    Event notification can be handled by specifying callback methods on lifecycle listener class instead of on the bean class. Examples of such are: post-construct, pre-destroy, pre-passivate, and post-activate. This provides for reuse since the same callback class and methods can be used for multiple bean classes.

    Interceptors can be configured to wrap around methods. This allows for manipulation of arguments & results. Interceptors are configured for bean classes using annotations. Interceptors currently cannot be assigned at the method-level.

    Annotations make deployment descriptors unnecessary. The default cases don't need to be specified, and commonly used cases can be specified easily. However, deployment descriptors are preferred by some developers and configuration managers. So, deployment descriptors can be used to override annotations specified in code. They can be sparse or full, and are backward compatible with EJB 2.1 descriptors. The bulk of the EJB 3.0 overhaul was directed at the programming model and not so much the deployment quirks.
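    Added example (mine, not from the talk) of the programming model described above in one bean: a plain business interface, injected resources instead of JNDI lookups, the CMT default with one method opting into a different attribute, roles declared on the methods, and a class-level interceptor. It uses the annotation names as they ended up in the final EJB 3.0 specification (javax.ejb, javax.interceptor, javax.annotation.security), which postdate the talk; the data source name, table and roles are assumptions, and the three types are shown in one file for brevity.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptors;
import javax.interceptor.InvocationContext;
import javax.sql.DataSource;

/** Business interface: a plain Java interface, no EJBObject or EJBHome. */
@Local
interface Account {
    void credit(String accountId, long cents) throws SQLException;
    long balance(String accountId) throws SQLException;
}

/** Class-level interceptor: wraps every business method of the bean it is attached to. */
class AuditInterceptor {
    @AroundInvoke
    public Object audit(InvocationContext ctx) throws Exception {
        long t0 = System.nanoTime();
        try {
            return ctx.proceed();   // run the business method (or the next interceptor)
        } finally {
            System.out.printf("%s took %d us%n", ctx.getMethod().getName(), (System.nanoTime() - t0) / 1000);
        }
    }
}

@Stateless
@Interceptors(AuditInterceptor.class)
public class AccountBean implements Account {
    @Resource(name = "jdbc/accounts") private DataSource ds;   // injected by the container; no JNDI code
    @Resource private SessionContext ctx;                      // gives access to the caller principal

    /** No @TransactionAttribute on the class, so this method runs under the CMT default: REQUIRED. */
    @RolesAllowed("teller")
    public void credit(String accountId, long cents) throws SQLException {
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement("UPDATE accounts SET balance = balance + ? WHERE id = ?")) {
            ps.setLong(1, cents);
            ps.setString(2, accountId);
            if (ps.executeUpdate() != 1) {
                // A RuntimeException is a system exception: the container rolls back and wraps it in EJBException.
                throw new IllegalArgumentException("no such account");
            }
        }
        System.out.println("credit by " + ctx.getCallerPrincipal().getName());
    }

    /** Read-only query: join a transaction if the caller has one, otherwise run without. */
    @RolesAllowed({"teller", "auditor"})
    @TransactionAttribute(TransactionAttributeType.SUPPORTS)
    public long balance(String accountId) throws SQLException {
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement("SELECT balance FROM accounts WHERE id = ?")) {
            ps.setString(1, accountId);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) throw new IllegalArgumentException("no such account");
                return rs.getLong(1);
            }
        }
    }
}
```

    The @RolesAllowed lines are the "guidance" the notes mention: the deployer still maps roles to real principals at deployment time, and a descriptor can override any of these annotations without touching the code.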

    Java Business Integration: A Foundation for SOA (TS-7765)

    Enterprise Integration:
    In the past, integration was largely point-to-point. Once more than two applications are involved, it becomes difficult to solve, and it introduces technical coupling. Messaging is preferred since it leads to a decoupled approach. Brokers reduce the number of connections.

    ESB introduces better management solutions. XML-based messaging provides a cheaper solution with better standardization of message formats.

    SOA is a system structuring principle. Functions are available as services: defined interface, maximize decoupling, encourage reuse, enable changes. Increases the likelihood of reuse since there are fewer dependencies. Services are accessed through common protocols. Internet protocols led to web services. SOA implementations can use a variety of protocols.

    Business functions as services decouples those services in terms of their technologies. Functions are re-composable through re-use.

    JBI (JSR 208) was recently finalized; the reference implementation is available as open-source software. JBI is a standard meta-container for integrated services. Plug-ins are engines (provide business logic and functions) and bindings (handle communication protocol details). A Normalized Message Router handles communication between engines and bindings. Works with J2SE and J2EE.

    JBI core services include orchestration (BPEL), transformation (XSLT), J2EE features, JMS, etc. JBI providers describe their services through messages, which are primarily XML. Second, providers must describe operations and their dependencies. Operations and services are aggregated and published using WSDL.

    Provide local services: transformation (XSLT), business logic (EJBs), business processes (BPEL). The consumption of services is represented by orchestration functions.

    Binding components, like engines, are pluggable and can be both consumers and producers. They must not contain business logic. This means that messaging formats are driven by engine service configuration, even though they are handled by bindings. WSDL is used strictly from the producer perspective. XML bindings allow for non-XML message payloads (e.g., images, binary content).

    All communication between the components is conducted through the Normalized Message Router. A Normalized Message is a WSDL abstract message (a WSDL interface operation message definition). It also carries properties (metadata): protocol-supplied context information, security tokens, transaction information, and data other components may recognize.

    Message exchanges are based on WSDL 2.0 message exchange patterns. There are two node types: service provider and service consumer. Almost exclusively an in-out message exchange pattern. There is a lifecycle for each message exchange. Others: one-way, reliable one-way, request-response, and request-optional-response (the only return value can be false, indicating invalid input; otherwise, no return value).

    A service engine can be moved to another container or implementation by simply introducing a new binding configuration registered with the Normalized Message Router (NMR). This is the Enterprise Service Bus (ESB).

    The component life cycle leverages JMX for installation, starting and stopping. The packaging schema is portable, so it can simplify use for all parties.