 |
|
|
Abstract
Web Services open a new battlefield across which application security professionals will wage a new war against a familiar list of network security enemies. Attacks that have been successful at lower levels of the network stack reemerge in Web Services. Attacks such as denial of service (DOS) and buffer overflows are just as much a problem in Web Services as they have been in other network contexts. Three real examples of attacks at the XML and Web Services level that have been encountered will be presented. The session will focus on how traditional threats map to the new Web Services paradigm. Countermeasures for each threat will be proposed and participants will learn how they can incorporate them into their applications and networks.
Keywords
Table of Contents
It is almost impossible nowadays to read current articles about information technology without being confronted by security issues: e-mail worms, downloadable viruses, and hacker threats, just to name a few. In the month of September 2003 alone, CNet's news.com site reports on an e-mail virus that hit the United States State Department, a vulnerability in OpenSSH, a new Internet Explorer worm (Gibe.F), and instances of hacking too numerous to report. As systems are more and more connected to each other over the Internet, the number of these attacks - both reported and unreported - is on the rise. The threats are significant today, and are becoming more significant as enterprises use XML and Web services to connect themselves to their customers and business partners.
Automating connections between your applications and those of your customers and business partners is quickly becoming a necessity in today's world. These automated connections enable both new revenue streams (real-time services for your customers, for instance) and a lower cost of ownership than ever before, due to reductions in capital expense, people expense, and integration services. While the business drivers are clear, the technology drivers are just as important: XML and Web services have brought the openness and speed of the World Wide Web to application integration. It's now easier than ever to make direct connections between applications, partners and customers, and those connections are exposing true, mission critical functions. These direct connections to mission critical functions improve business responsiveness and results but simultaneously expose the enterprise to a new class of risks: XML Threats.
Increasingly interconnected networks with increasing numbers of mission critical applications on them mean that it's significantly easier for your trusted partners and customers to integrate with your systems. Development tools like those from Microsoft, BEA and IBM are extremely productive and leverage infrastructure technologies such as PKI. But the successful introduction and use of XML Web services also means that it's significantly easier for untrusted parties to integrate with your systems in ways you don't like, causing privacy breaches for you and your customers, system overloads, or even catastrophic system failures and data loss.
As e-mail worms and downloaded viruses have shown (Nimda, Code Red and MSBlast, just to name a few), even extremely simple attacks have the potential to create disastrous business conditions - and Web services are exposing even more critical corporate assets. This combination of access to critical corporate assets combined with human readable data formats and open standards for integration is very attractive to both entertainment driven and more malicious hackers.
The challenge has now become building systems and organizations that can take advantage of the immediacy of XML and Web services in a way that doesn't put critical assets at risk. In order to develop any security solution, the first step is to develop a threat model: what is it that you're really worried about? One you understand the potential threats and risks, then you can start figuring out how to address those threats with solutions that are on the market today.
The first questions most people ask about Web services threats are these: How are the threats similar to what we've got today? And how are they different?
XML is an open, human readable format for applications to exchange information: it's based on SGML, the same foundation that HTML is based on. This readability is great for understanding what the applications are saying to each other - both for legitimate users as well as hackers. Like HTML, because XML is simple text, it's relatively easy to hijack a bona fide message, modify it slightly, and send it along - the so-called "man in the middle" attack. What's more, since these systems are distributed systems with developers that work for other organizations supplying code, there's a potential for inadvertent attacks - that is, attacks that are caused by innocuous changes to XML that might have major impacts on your servers.
Like any threat model, it's possible to categorize threats in any number of ways. Reactivity's customers categorize threats in one of three ways: (1) updated, XML versions of traditional identity attacks, (2) content-borne attacks with elements in the actual XML payload (XML Viruses), and (3) new application-level versions of operational attacks like XML Denial of Service (XDoS).
Let's face it: Web services are terrifically useful technology that represents the latest in a long line of technology that builds on a more than 50-year computing tradition seeking seamless application interoperability. Unfortunately, malicious hacking has its own tradition very nearly as long; so the first category of threats is traditional identity threats, but updated for Web services.
A request authentication attack takes place when an attacker successfully poses as a legitimate client identity and gains access to the service. This type of attack entails an attacker masquerading as a legitimate identity through theft of a shared secret, username/password pair, PKI certificate, or other identity credential. A simple technique for attacking this way is the dictionary attack where an attacker uses a large number of common words as username/password pairs to gain entry. More generally, brute force attacks can apply not only to username password pairs, but also to any type of credentials.
Conversely, a response authentication attack occurs when a malicious party poses as the service itself, fooling a client into making requests to it directly. One specific type of response authentication attack is known as IP Spoofing.
Authorization attacks are made by someone with valid, authenticated credentials, who somehow gains access to systems that they shouldn't by subverting the access control scheme. Like the two authentication attacks above, authorization attacks typically result in data theft or privacy invasions.
Eavesdropping is one of the simplest techniques for data theft: an unauthorized party listens to conversations between systems and collects their data. Eavesdropping could be done simply to get access to data like credit card account information, or it could be used to hijack identity credentials and start an authentication attack as described above.
Eavesdropping enables both data integrity attacks and replay attacks. Using data obtained by eavesdropping with slight modifications (recall that XML is a text-based, human-readable format) before sending it on its way is known as a data integrity attack. The most basic version is a simple message forgery. Replay attacks occur when a hacker uses stolen messages and continually replays that same message at potentially high rates. Obviously that type of attack could have serious repercussions like server overload.
A brilliance of the World Wide Web is that it uses standard ports for all communications - generally port 80 for all HTTP traffic. Because the Web is useful for every organization, port 80 is typically opened by network administrators to the world, while other ports (like FTP) are guarded more closely. The so-called "port 80 problem" is that viruses and other malicious content can get included inside otherwise innocuous content, and tunneled through port 80 to reach the inside of your organization. This is one of the mechanisms by which worms such as NIMDA and the Code Red (and Code Red 2) virus have caused such disruptions to enterprises over the past several months. Once malicious content is tunneled through port 80, carried by XML, it arrives at your server-side systems and can wreak havoc. Content-borne attacks are also known as XML Viruses or XML Worms.
SQL Injection is the practice of inserting malicious SQL statements into XML in order to disrupt back end systems. New Web services development tools make it very easy for developers, who are generally untrained in security and often enthusiastic over these capabilities, to expose more functionality than is often necessary or prudent. If a Web service that connects to a database doesn't validate SQL, an incoming XML message containing rogue SQL statements could be used to break out of the expected database query and be used to obtain unauthorized information or even destroy data. For example, instead of a legitimate query using an order number to request a shipper's tracking number, the XML message could contain an escape code and a malicious SQL comment to extract all information from the database. An enterprise might think they've got a safe order tracking system, when it's really an invitation to disaster.
But the risks aren't limited to SQL statements and databases: SQL Injection is an example of a broader class of attacks known as Command Injection Attacks. Like using malicious SQL to attack databases, hackers might try to tunnel UNIX commands inside XML in order to exploit other vulnerable systems - any system that has a command-oriented interface.
Buffer overflow attacks have received a great deal of attention outside of XML and Web services (e.g. the Microsoft Office exploit detailed at http://news.com.com/2100-1009-5070929.html). Like SQL injection and command injection, a buffer overflow attack is aimed at the service endpoint and preys on vulnerabilities there - like not setting aside enough memory to deal with a large variety of inputs. Consider a Web service that's designed to take in a list of phone numbers - one way to test the security of the system would be to send in an XML message with a list of a thousand phone numbers - or just one phone number that's a million digits long. Services that aren't designed defensively enough may have problems with this type of input.
Content-borne attacks are generally intended to affect the actual applications that are running Web services, after tunneling unnoticed through the security infrastructure. SQL Insertion is the most well-known of these types of vulnerabilities, but is only one example of a broad class.
The third class of XML and Web services are more operational in nature; they're less about the specifics of what the services are trying to do and more about doing whatever possible to bring them down.
The best known example of this class of attack is the Denial of Service Attack. At the most basic level, denial of service means doing something to consume available resources (e.g. memory, network connections, disk space, CPU cycles, etc.) without doing useful work. The result is that a system spends time doing work on a few useless messages and is unable to service legitimate requests.
Denials of Service have been very difficult to combat at every level of the network stack: they're hard to distinguish from legitimate traffic, and it's tricky to selectively service only legitimate requests. XML Denial of Service (XDoS) attacks have similarly thorny issues. Simple tracking of basic metrics will miss real attacks and potentially block legitimate traffic. The art of defending against XDoS is to detect an attack based on the combinations of metrics that signify an attack - not any one metric looked at in isolation.
One of the first XDoS attacks was the so-called entity expansion attack, in which unprivileged local or remote users could use completely "correct" entity declarations in an XML message to wreak havoc upon unprotected XML 1.0 standard compliant parsers. When a vulnerable parser encountered such a message, recursive entity declarations caused the parser to shut down with an out-of-memory error, or use an inordinate amount of processor cycles. Within the past two years, many XML parser implementations have been modified to address these specific security concerns, but as the Code Red epidemic demonstrated so clearly, systems often remain susceptible long after the availability of patches.
Because Web services are used in conjunction with one another and are often developed by different people, teams or even companies, there is an interesting new type of attack: inadvertent denial of service. All it could take to bring your service down is a programmer on the other end mistakenly sending 100 requests per second instead of 10. Or doing something as simple as inadvertently coding an infinite loop.
Denials of service are an instance of a particularly dangerous type of attack that we categorize here as operational attacks. These attacks tend to result in services being unusable for everyone, and could easily result in a business down situation.
The discouraging part of all this is clear: like every other networked technology, XML and Web services enable a growing and complex set of new threats. The good bit is that they're categorizable into a small number of classes, and are addressable using a few powerful techniques.
So what can be done to prevent, detect and counteract these threats and attacks? Countermeasures fall into three broad categories: (1) repurposing traditional standards and creating new standards, (2) using heuristics to detect attacks, and (3) taking the appropriate actions when you are attacked.
One extremely powerful approach to addressing the security concerns of Web services has been to simultaneously leverage existing security standards while developing new standards that are less susceptible to attacks than prior technologies. An overwhelming majority of Web services today secure the transport layer using the Secure Sockets Layer (SSL). SSL provides a number of benefits, particularly when used in conjunction with Public Key Infrastructure (PKI):
Transport encryption provides confidentiality and integrity for messages while they're traveling over the network (but not when they're static at their source or destination).
Strong authentication via bilateral certificate exchange (i.e. 2-way SSL) provides a cryptographically secure way to verify sender and recipient identity.
The use of unique identifiers in SSL provides a built-in mechanism to guard against replay attacks by only allowing a message to be sent once.
In conjunction with those two previously existing standards (and a host of others), cross-industry standards bodies like OASIS are creating new Web services specific standards to secure traffic and guard against attacks:
XML-Encryption provides persistent, full or partial message encryption, and insures confidentiality both when messages are in transport as well as when they're static and not moving at all.
XML-Digital Signatures are a mechanism that allows a sender to cryptographically sign messages or parts of messages. Those signatures can then be used as authentication credentials or as checks on data integrity.
XML-Schema is a way to describe what the contents of an XML message should be and a way to guard against some content-borne attacks like buffer overflow attempts.
WS-Security is a broad umbrella of standards designed to combine several new standards in an interoperable way to secure SOAP messages. WS-Security includes both those above and others such as WS-Trust, a specification for sharing identity and trust information between organizations. Most of these specifications are relatively early, and are just now beginning to gain broad industry support.
The topic of standards for XML and Web services security is a discussion in its own right. For more insight on XML and Web services standards, please request the Reactivity White Paper at http://www.reactivity.com.
Standards are only part of the story, though - they can't help fully to protect against two important threats: content-borne attacks and XDoS. The first step is detecting when you're under attack, then you can do something about it. The reason that we call these detectors "heuristic" is that while standards are generally used for conditions that you can guarantee, there are a wide variety of attacks that are not as obvious to detect, and for those you need to use techniques like these:
Brute force authentication attack detection. As mentioned above, repeated failures in authentication attempts can indicate that a dictionary attack or more general brute force attack is underway. Being able to detect simple dictionary attacks as well as the more complex general case is critical; that is, based on classes of credentials, including SAML assertions, XML signature, LDAP queries, and SSL certificates.
Content filters. As mentioned above, XML-Schema provides a variety of useful content-oriented function to help insure that the content of the data is really what you're expecting. Unfortunately, it's often impractical to define an XML-Schema so completely that it will guard against all content attacks and XML Viruses. For example, while it's possible to specify that no SQL should be allowed inside any message, it's not reasonable to guarantee that all the schemas in your organization do that. A much easier way is to use content filters: ways of describing content that should never be allowed to tunnel through. One typical way to implement a content filter is to use regular expressions specified across all messages, and to define these regular expressions against all known content-borne attacks.
Advanced XDoS Defense. As mentioned above, Denial of Service attacks are attacks designed to consume inordinate amounts of system resources such as memory, network connections, disk space, or CPU cycles. With Denial of Service, the trick is detection: seeing patterns and determining if it's really an attack or if the system is experiencing legitimate load conditions. In order to do that detection, a number XDoS metrics come into play: the overall message request rate, the number of authentication failures in a given time period, instantaneous and average CPU usage, and the amount of memory that all messages currently in transit are consuming. For each of these factors, good metrics and configurable thresholds are essential. Often a single factor (such as high message rate) might indicate a threat; other times it might be the combination of two or more factors that indicates real issues.
Once you've put standards and detectors into place, you need to operate your Web services - what actions do you need to take in the case of a threat?
Deny by default. The first and most important action isn't a positive action, but more of an attitude. With Web services, since they're exposing your business' most sensitive assets, you want to apply the tightest security filters possible. So if your systems ever see a message where something doesn't look right - the authentication, the body, the timing, anything - the first reaction should be to deny that message and raise an alert.
Human and automated alerting. Ideally when something out of the ordinary is happening to your Web services, you'd like an automated way of knowing whether it's an attack or not. In practice, the only real way to monitor is through a combination of automated and human monitoring. So any countermeasure solution should enable human alerting via e-mail and paging as well as automated alerting using technologies like SNMP, syslog, and integration with Intrusion Detection Systems.
Identity blocking. Once you've identified that an attack is happening and alerted either human or automated systems, the first line of defense is to block that identity from doing any harm. An identity may be something as complex as a specific certificate holder, or as simple as an IP address (or range of addresses). Automatically blocking offending identities for some period of time (and possibly indefinitely) is a key defense mechanism.
Server load management and request throttling. Understanding both front-end (Internet facing) and back-end (server facing) issues is important, and protecting the Web services server is just as critical as detecting malicious attacks. Since real world message traffic is stochastic in nature, simply limiting the size and rate of messages to the back end server is insufficient. Good security systems throttle combine factors of message sizes, back-end server latency, and transport-level error codes to maintain a model of back-end server load, which provides a means of predicting message load a back-end server is capable of handling.
Always log. It's a trite thing to say, but one of the most important pieces of a defense framework is to always collect the information that you need: about normal traffic patterns, about failed attacks, and about successful attacks. You certainly won't need everything you collect all the time, but the existence of the data when you need it, along with tools that enable both you and your partners to collaboratively diagnose issues, is critical.
At this point, we've defined the risks associated with XML and Web services as well as the standards, detectors, and countermeasures for defending against them. All that remains is translating the theory into practice. The Reactivity XML Firewall provides an intuitive, rapid-to-deploy appliance that employs a collection of each of these countermeasures. In particular, the Reactivity XML Firewall is a best-of-breed solution because it combines the following features and characteristics:
It secures XML and Web services traffic quickly and sustainably. The Reactivity XML Firewall provides instant security - it takes seconds to drop into your network and just minutes to connect your mission critical Web services to your customers and partners. By enabling businesses to create and manage complex security policies, the Reactivity XML Firewall enables you to deploy your XML Web services and respond to changes in the business environment.
It implements both standards and heuristics as countermeasures. As mentioned above, securing XML and Web services traffic starts with the standards, but requires a wide variety of heuristic countermeasures as well. Because differentiating attacks from legitimate traffic is often difficult, a system that considers everything in concert with each other in a holistic approach is the only practical solution.
It's deployed external to applications. As with other levels in the technology stack, a properly designed security system will balance application security with security that is run by network operations. For Web services, it's critically important to have security that can be deployed as systems that aren't on the same infrastructure as the Web services themselves in order to avoid them sharing the same vulnerabilities. What's more, deploying in this externalized way provides optimal performance for both the security solution (the XML Firewall) and the services themselves.
It allows early identification of risks early in the transaction processing process. The sooner a risky transaction is quarantined and addressed, the less impact it can have on your network and distributed application. The Reactivity XML Firewall prioritizes security processes to ensure that significant risks fail early rather than after the enterprise has spent considerable resources on the transaction.
It's a hardened security appliance. As this paper points out, security always applies at a variety of levels in the technology stack: from packets to messages, from drivers to applications. As a packaged appliance, the Reactivity XML Firewall is hardened, tested and deployed at each of these levels, providing the most secure solution available on the market today. As your first line of defense to the outside world, having the very best security matters.
XML and Web services are enabling dramatically new and powerful IT processes to match the speed and agility of modern business. As with any technology innovation, they pose risks - some that are old, some newer. Fear of these threats can prevent an enterprise from realizing the business results made possible by XML Web services. The good news is that the risks are well-understood and that technology exists in the market today that implements appropriate countermeasures. For more information about securing your enterprise against XML Threats and about enabling your enterprise to deliver business results by leveraging XML Web services security, please visit us at http://www.reactivity.com.
  |
Design & Development by deepX Ltd. |
