SlideShare a Scribd company logo

Designing with Capabilities

Scott Wlaschin, profile picture
Scott Wlaschin

The document discusses the importance of capability-based design in API development, emphasizing that good security is inherently linked to good design. It explains how limiting the capabilities of API callers can prevent security risks and encourages practices such as minimizing exposed surface area. The talk integrates principles from both security and design to propose a systematic approach to building secure and flexible interfaces.

Software
Related topics:
Information Security ‱ Insights on Software Development
1 of 98
Downloaded 110 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
Designing with capabilities for fun and profit @ScottWlaschin fsharpforfunandprofit.com/cap
Designing with Capabilities
Good security => Complicated I won’t like doing this
Good security => Complicated X
Security for free! ...which is good, because I’m lazy Good security == Good design I like doing this
The topic of this talk Not about OAuth, JWT etc Good security == Good design
Transparent Opaque It’s all about security, right?
Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, Temporibus autem quibus Dacei Megasystems Tech Inc necessitatibust aut officiis debitis auteo 2799 E Dragam Suite 7 quisquam saepe Itaque enieti Los Angeles CA 90002 ut et voluptates repudiandae sint et molestiae non recusandae. Itaque earum rerum hic tenetur a sapiente delectus, ut aut reiciendis voluptatibus maiores alias consequatur aut perferendis doloribus asperiores repellat. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Please deliver this letter A counterexample
Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, Temporibus autem quibus Dacei Megasystems Tech Inc necessitatibust aut officiis debitis auteo 2799 E Dragam Suite 7 quisquam saepe Itaque enieti Los Angeles CA 90002 ut et voluptates repudiandae sint et molestiae non recusandae. Itaque earum rerum hic tenetur a sapiente delectus, ut aut reiciendis voluptatibus maiores alias consequatur aut perferendis doloribus asperiores repellat. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Please deliver this letter It’s not just about security... ...hiding irrelevant information is good design!
EVOLUTION OF AN API
Evolution of an API (from the security point of view) Say that the UI needs to set a configuration option (e.g. DontShowThisMessageAgain) How can we stop a malicious caller doing bad things?
Version1 Give the caller the configuration file name interface IConfiguration { string GetConfigFilename(); } var filename = config.GetConfigFilename(); // open file // write new config // close file API Caller  A malicious caller has the ability to open and write to any file on the filesystem
Version 2 Give the caller aTextWriter interface IConfiguration { TextWriter GetConfigWriter(); } var writer = config.GetConfigWriter(); // write new config API Caller  A malicious caller can corrupt the config file We control which file is opened
Version 3 Give the caller a key/value interface interface IConfiguration { void SetConfig(string key, string value); } config.SetConfig( "DontShowThisMessageAgain", "True"); API Caller  A malicious caller can set the value to a non-boolean
Version 4 Give the caller a domain-centric interface enum MessageFlag { ShowThisMessageAgain, DontShowThisMessageAgain } interface IConfiguration { void SetMessageFlag(MessageFlag value); void SetConnectionString(ConnectionString value); void SetBackgroundColor(Color value); } API  What's to stop a malicious caller changing the connection string when they were only supposed to set the flag?
Version 5 Give the caller only the interface they need interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); } API  The caller can *only* do the thing we allow them to do.
Can’t get your work done Too much information passed in Just right Potential for abuse Principle of Least Authority (POLA) Too little information passed in Security spectrum
Evolution of the same API (from the design point of view)
DesignVersion1 Give the caller the configuration file name interface IConfiguration { string GetConfigFilename(); } API Bad design: Using a filename means we limit ourselves to file-based config files. Better design: A TextWriter would make the design more mockable.
DesignVersion 2 Give the caller aTextWriter interface IConfiguration { TextWriter GetConfigWriter(); } API Better design: A generic KeyValue store would make implementation choices more flexible. Bad design: Using a TextWriter means exposing a specific storage format
DesignVersion 3 Give the caller a key/value interface interface IConfiguration { void SetConfig(string key, string value); } API Bad design: A KeyValue store using strings means possible bugs. So we need to write validation and tests for that  Better design: A statically typed interface means no corruption checking code. 
DesignVersion 4 Give the caller a domain-centric interface enum MessageFlag { ShowThisMessageAgain, DontShowThisMessageAgain } interface IConfiguration { void SetMessageFlag(MessageFlag value); void SetConnectionString(ConnectionString value); void SetBackgroundColor(Color value); } API Bad design: An interface with too many methods violates the ISP. Better design: Reduce the number of available methods to one!
DesignVersion 5 Give the caller only the interface they need interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); } API Good design: The caller has no dependencies on anything else. Bonus: easy to mock! 
Can’t do anything Too many dependencies Just right Unnecessary coupling Interface Segregation Principle Too few dependencies Design spectrum
Ak.a. Minimize your surface area (to reduce chance of abuse) OO Design Guidelines Interface Segregation Principle Single Responsibility Principle, etc Security Guidelines Principle of Least Authority (POLA) Ak.a. Minimize your surface area (to reduce coupling, dependencies, etc)
Good security => Good design Good design => Good security
INTRODUCING “CAPABILITIES”
Capability based design ‱ In a cap-based design, the caller can only do exactly one thing -- a "capability". ‱ In the example, the caller has a capability to set the message flag, and that's all. Prevents both maliciousness and stupidity!
A one method interface is a capability interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); }
A one method interface is a function interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); } Action<MessageFlag> messageFlagCapability X
Capability-based security in the real world
Designing with Capabilities
Designing with Capabilities
What does “access-control” mean? ‱ Preventing any access at all. ‱ Limiting access to some things only. ‱ Revoking access when you are no longer allowed. ‱ Granting and delegating access to some subset of things. It’s not always about saying no!
Using capabilities to control access to a resource Secret Files Alice Bob X
Alternative for access control
Using auth/RBAC to control access to a resource Secret Files Alice Bob rejected accepted
A weakness in capabilities Secret Files Alice Bob  Anyone with the key can get access.
A weakness in auth/RBAC Secret Files Alice Bob 
A weakness in any security system! Secret Files Alice Bob Do you trust Alice? Then you also trust anyone whom Alice trusts too... (Or whom Alice can be tricked into trusting)
“Don’t prohibit what you can’t prevent”
Supplies Closet Alice Bob Secret Files X Capabilities support decentralized delegation
Supplies Closet Auth/RBAC systems are centralized Alice Bob accepted rejected Bob has only been working there for 6 months 
Auth/RBAC systems are centralized Alice “Please grant Bob access to the supplies closet” “Then revoke access after 20 minutes” Authorization System Can your system do this?
Supplies Closet Auth/RBAC systems are centralized Alice Bob “Here, Bob. You can borrow my swipe card” Credential Sharing
Central systems can revoke access Secret Files Alice rejected
How to revoke access in a cap-based system? Revoke?
How to revoke access in a cap-based system?
Demo: Capabilities as functions
DESIGNING AN API USING CAPABILITIES
Client Service Request Response Tic-Tac-Toe as a service Proper name is "Noughts and Crosses" btw
Tic-Tac-Toe API (obvious version) type TicTacToeRequest = { player: Player row: Row col: Column }
Tic-Tac-Toe API (obvious version) type TicTacToeResponse = { result : MoveResult display: DisplayInfo } type MoveResult = | KeepPlaying | GameWon of Player | GameTied
Demo:Tic-Tac-Toe
What kind of errors can happen? ‱ A player can play an already played move ‱ A player can play twice in a row ‱ A player can forget to check the Result and keep playing
“Make illegal operations unrepresentable” Don’t let me do a bad thing and then tell me off for doing it... Yes, you could return errors, but...
Client Service New Game Available Moves Tic-Tac-Toe service with caps Nine available moves
Client Service 1st move Available Moves Tic-Tac-Toe service with caps Eight available moves
Client Service Available Moves Tic-Tac-Toe service with caps 2nd move Seven available moves
Client Service Available Moves Tic-Tac-Toe service with caps 3rd move Six available moves
Client Service No available Moves Tic-Tac-Toe service with caps Winning move
Tic-Tac-Toe API (cap-based version) type MoveCapability = unit -> TicTacToeResponse type NextMoveInfo = { playerToPlay : Player posToPlay : CellPosition capability : MoveCapability } These are for client information only. The player and position are baked into the capability
Tic-Tac-Toe API (cap-based version) type TicTacToeResponse = | KeepPlaying of (DisplayInfo * NextMoveInfo list) | GameWon of (DisplayInfo * Player) | GameTied of DisplayInfo
Tic-Tac-Toe API (cap-based version) type TicTacToeResponse = | KeepPlaying of (DisplayInfo * NextMoveInfo list) | GameWon of (DisplayInfo * Player) | GameTied of DisplayInfo Where did the "request" type go? Where’s the authorization?
Demo: Cap-based Api
What kind of errors can happen? ‱ A player can play an already played move ‱ A player can play twice in a row ‱ A player can forget to check the Result and keep playing Is this good security or good design? All fixed now! 
HATEOAS Hypermedia As The Engine Of Application State “A REST client needs no prior knowledge about how to interact with any particular application or server beyond a generic understanding of hypermedia.” RESTful done right
How NOT to do HATEOAS POST /customers/ GET /customer/42 If you can guess the API you’re doing it wrong Security problem! Also, a design problem – too much coupling.
How to do HATEOAS POST /81f2300b618137d21d / GET /da3f93e69b98 You can only know what URIs to use by parsing the page Each of these URIs is a capability
Demo: HATEOAS
Some Benefits of HATEOAS ‱ Client decoupled from server – The server owns the API model and can change it without breaking any clients – E.g. Change links to point to CDN – E.g. Versioning ‱ Simpler clients in many cases – No need for client-side checking of moves ‱ Explorable API – Choose your own adventure!
Client Service Login Available Capabilities Service API with caps Many available actions initially
Client Service Use a capability Available Capabilities Service API with caps Fewer available actions in a given state
CAPABILITY DRIVEN DESIGN Using these design techniques throughout your domain
Controller/ API Business Logic Database Client Where shall we put the authorization logic? But then any other path has complete access to the database 
Controller/ API Business Logic Database Client Where shall we put the authorization logic? But then it doesn’t have enough context 
Controller/ API Business Logic Database Client Where shall we put the authorization logic? Global Authorizer Are you doing this already?
public class CustomerController : ApiController { readonly ICustomerDb _db; public CustomerController(ICustomerDb db) { _db = db; } [Route("customers/{customerId}")] [HttpGet] [GetCustomerProfileAuth] public IHttpActionResult Get(int customerId) { var custId = new CustomerId(customerId); var cust = _db.GetProfile(custId); var dto = DtoConverter.CustomerToDto(cust); return Ok(dto); }
public interface ICustomerDb { CustomerProfile GetProfile(CustomerId id); void UpdateProfile(CustomerId id, CustomerProfile cust); void CreateAccount(CustomerId id, CustomerProfile cust); void DeleteAccount(CustomerId id); void UpdateLoginEmail(CustomerId id, string email); void UpdatePassword(CustomerId id, string password); } How much authority do you really need?
Controller /API Business Logic Database Use Case Controller /API Business Logic Database Use Case Controller /API Business Logic Database Use Case Global Authorizer Every controller has one method
Controller /API Business Logic Database Use Case Controller /API Business Logic Database Use Case Controller /API Business Logic Database Use Case Global Authorizer Vertical slices Don’t mention microservices
Controller /API Business Logic Database Use Case Global Authorizer Services
Delegation of capabilities
Delegation with restriction
type MessageFlag = ShowThisMessageAgain | DontShowThisMessageAgain type ConfigurationCapabilities = { GetMessageFlag : unit -> MessageFlag SetMessageFlag : MessageFlag -> unit GetBackgroundColor : unit -> Color SetBackgroundColor : Color -> unit GetConnectionString : unit -> ConnectionString SetConnectionString : ConnectionString -> unit } ◘
let dontShowMessageAgainDialogBox capabilities = let getFlag,setFlag = capabilities let ctrl= new CheckBox( Text="Don't show this message again") ctrl.Checked <- getFlag() // etc
Demo: Vertical slices and delegation
Controller /API Business Logic Database Global Authorizer Passing capabilities
Controller /API Business Logic Database Global Authorizer Passing tokens Overkill? Too complicated to implement?
Controller /API Business Logic Database Inject a value of specific type Global Authorizer Passing tokens as types Represent tokens by types!
Demo: Using types for access tokens
What have we covered? ‱ Don’t use complicated security patterns – This will ensure that they are never used, or used wrong. – Don’t rely on other people doing the right thing. – Don’t rely on other people reading the documentation! ‱ Do use techniques where you get security for free. – You can be lazy! – You don’t have to remember to do anything.
What have we covered? ‱ Don’t develop first, add security later – Right after you implement the “quality” module ‱ Do use security-driven design – Bonus: get a modular architecture!
What have we covered? ‱ Don’t only do security at the outermost layer ‱ Do use POLA everywhere, which ensures that you have minimal dependencies.
Common questions ‱ How do you pass these capabilities around? – Dependency injection or equivalent ‱ Are you saying that all external IO should be passed around as capabilities? – Yes!You should never access any ambient authority. – You should be doing this anyway for mocking.
Common questions ‱ Won’t there be too many parameters? – Less than you think! – Encourages vertical slices (per use-case, scenario) – “Functional core, imperative shell” ‱ Can’t this be bypassed by reflection or other backdoors? – Yes. This is really all about design not about total security.
Resources for capability-based thinking ‱ LMGTFY “Capability based security” ‱ “Lazy developers guide to secure computing” talk by Marc Stiegler ‱ erights.org ‱ Google's Caja built over JavaScript ‱ Emily, a capability based language (via Ocaml)
Thanks! @ScottWlaschin fsharpforfunandprofit.com/cap Contact me Slides and video here Let us know if you need help with F#

More Related Content

PDF
Redux Sagas - React Alicante
Ignacio MartĂ­n
 
PDF
Railway Oriented Programming
Scott Wlaschin
 
PDF
The Functional Programming Toolkit (NDC Oslo 2019)
Scott Wlaschin
 
PPTX
Javascript Prototypal Inheritance - Big Picture
Manish Jangir
 
PDF
Pipeline oriented programming
Scott Wlaschin
 
PDF
An Introduction to Unit Test Using NUnit
weili_at_slideshare
 
PPSX
Javascript variables and datatypes
Varun C M
 
PDF
Lecture 8 Enterprise Java Beans (EJB)
Fahad Golra
 
Redux Sagas - React Alicante
Ignacio MartĂ­n
 
Railway Oriented Programming
Scott Wlaschin
 
The Functional Programming Toolkit (NDC Oslo 2019)
Scott Wlaschin
 
Javascript Prototypal Inheritance - Big Picture
Manish Jangir
 
Pipeline oriented programming
Scott Wlaschin
 
An Introduction to Unit Test Using NUnit
weili_at_slideshare
 
Javascript variables and datatypes
Varun C M
 
Lecture 8 Enterprise Java Beans (EJB)
Fahad Golra
 

What's hot (20)

PDF
Domain Driven Design with the F# type System -- NDC London 2013
Scott Wlaschin
 
PDF
Functional Design Patterns (DevTernity 2018)
Scott Wlaschin
 
PPT
JavaScript & Dom Manipulation
Mohammed Arif
 
PPTX
Why TypeScript?
FITC
 
PDF
Domain Modeling with FP (DDD Europe 2020)
Scott Wlaschin
 
PPTX
Lab #2: Introduction to Javascript
Walid Ashraf
 
PDF
Introduction to JSON
Kanda Runapongsa Saikaew
 
ODP
Datatype in JavaScript
Rajat Saxena
 
PDF
JavaScript Fetch API
Xcat Liu
 
PDF
Java 8, Streams & Collectors, patterns, performances and parallelization
José Paumard
 
PDF
The Power of Composition (NDC Oslo 2020)
Scott Wlaschin
 
PDF
Git tutorial
Nuttapon Pattanavijit
 
PDF
Introducing Playwright's New Test Runner
Applitools
 
PPTX
JavaScript Promises
L&T Technology Services Limited
 
PDF
Unit testing with JUnit
Thomas Zimmermann
 
PDF
Advanced javascript
Doeun KOCH
 
PDF
In-Depth Model/View with QML
ICS
 
PDF
NEXT.JS
Binumon Joseph
 
PDF
The lazy programmer's guide to writing thousands of tests
Scott Wlaschin
 
PDF
Web 5 | JavaScript Events
Mohammad Imam Hossain
 
Domain Driven Design with the F# type System -- NDC London 2013
Scott Wlaschin
 
Functional Design Patterns (DevTernity 2018)
Scott Wlaschin
 
JavaScript & Dom Manipulation
Mohammed Arif
 
Why TypeScript?
FITC
 
Domain Modeling with FP (DDD Europe 2020)
Scott Wlaschin
 
Lab #2: Introduction to Javascript
Walid Ashraf
 
Introduction to JSON
Kanda Runapongsa Saikaew
 
Datatype in JavaScript
Rajat Saxena
 
JavaScript Fetch API
Xcat Liu
 
Java 8, Streams & Collectors, patterns, performances and parallelization
José Paumard
 
The Power of Composition (NDC Oslo 2020)
Scott Wlaschin
 
Git tutorial
Nuttapon Pattanavijit
 
Introducing Playwright's New Test Runner
Applitools
 
JavaScript Promises
L&T Technology Services Limited
 
Unit testing with JUnit
Thomas Zimmermann
 
Advanced javascript
Doeun KOCH
 
In-Depth Model/View with QML
ICS
 
NEXT.JS
Binumon Joseph
 
The lazy programmer's guide to writing thousands of tests
Scott Wlaschin
 
Web 5 | JavaScript Events
Mohammad Imam Hossain
 
Ad

Similar to Designing with Capabilities (20)

PDF
Designing with capabilities (DDD-EU 2017)
Scott Wlaschin
 
PPTX
Designing Flexibility in Software to Increase Security
lawmoore
 
PPT
Intro to-ssdl--lone-star-php-2013
nanderoo
 
PPTX
Integrating security into Continuous Delivery
Tom Stiehm
 
PPTX
Security Design Concepts
Mohammed Fazuluddin
 
PDF
AppSec in an Agile World
David Lindner
 
PPTX
Design Principles
Kartheek Nagasuri
 
PDF
Streamlining AppSec Policy Definition.pptx
tmbainjr131
 
PDF
An Introduction to Secure Application Development
Christopher Frenz
 
PPTX
Ethical Hacking Conference 2015- Building Secure Products -a perspective
Dr. Anish Cheriyan (PhD)
 
PDF
Secure .NET programming
Ante Gulam
 
PPT
Software Security in the Real World
Mark Curphey
 
PPTX
00. introduction to app sec v3
Eoin Keary
 
PPTX
BASC presentation on security and application architecture
wbjwilliams3
 
PDF
04812167
ankushsawarkar
 
PPTX
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
PPTX
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
PDF
Privileged Access Control & Task Automation: A Win Double of Security and Bus...
Digital Transformation EXPO Event Series
 
PPTX
2009 Dotnet Information Day: More effective c#
Daniel Fisher
 
PDF
ProdSec: A Technical Approach
Jeremy Brown
 
Designing with capabilities (DDD-EU 2017)
Scott Wlaschin
 
Designing Flexibility in Software to Increase Security
lawmoore
 
Intro to-ssdl--lone-star-php-2013
nanderoo
 
Integrating security into Continuous Delivery
Tom Stiehm
 
Security Design Concepts
Mohammed Fazuluddin
 
AppSec in an Agile World
David Lindner
 
Design Principles
Kartheek Nagasuri
 
Streamlining AppSec Policy Definition.pptx
tmbainjr131
 
An Introduction to Secure Application Development
Christopher Frenz
 
Ethical Hacking Conference 2015- Building Secure Products -a perspective
Dr. Anish Cheriyan (PhD)
 
Secure .NET programming
Ante Gulam
 
Software Security in the Real World
Mark Curphey
 
00. introduction to app sec v3
Eoin Keary
 
BASC presentation on security and application architecture
wbjwilliams3
 
04812167
ankushsawarkar
 
Ryan Elkins - Simple Security Defense to Thwart an Army of Cyber Ninja Warriors
Ryan Elkins
 
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
Privileged Access Control & Task Automation: A Win Double of Security and Bus...
Digital Transformation EXPO Event Series
 
2009 Dotnet Information Day: More effective c#
Daniel Fisher
 
ProdSec: A Technical Approach
Jeremy Brown
 
Ad

More from Scott Wlaschin (20)

PDF
Domain Modeling Made Functional (DevTernity 2022)
Scott Wlaschin
 
PDF
Building confidence in concurrent code with a model checker: TLA+ for program...
Scott Wlaschin
 
PDF
Reinventing the Transaction Script (NDC London 2020)
Scott Wlaschin
 
PDF
The Functional Programmer's Toolkit (NDC London 2019)
Scott Wlaschin
 
PDF
The Power Of Composition (DotNext 2019)
Scott Wlaschin
 
PDF
Domain Modeling Made Functional (KanDDDinsky 2019)
Scott Wlaschin
 
PDF
Four Languages From Forty Years Ago (NewCrafts 2019)
Scott Wlaschin
 
PDF
Four Languages From Forty Years Ago
Scott Wlaschin
 
PDF
The Power of Composition
Scott Wlaschin
 
PDF
F# for C# Programmers
Scott Wlaschin
 
PDF
Thirteen ways of looking at a turtle
Scott Wlaschin
 
PDF
Dr Frankenfunctor and the Monadster
Scott Wlaschin
 
PDF
Enterprise Tic-Tac-Toe
Scott Wlaschin
 
PDF
An introduction to property based testing
Scott Wlaschin
 
PDF
Functional Programming Patterns (NDC London 2014)
Scott Wlaschin
 
PDF
Functional Programming Patterns (BuildStuff '14)
Scott Wlaschin
 
PDF
Swift vs. Language X
Scott Wlaschin
 
PDF
Domain Driven Design with the F# type System -- F#unctional Londoners 2014
Scott Wlaschin
 
PDF
Doge-driven design
Scott Wlaschin
 
PDF
The Theory of Chains
Scott Wlaschin
 
Domain Modeling Made Functional (DevTernity 2022)
Scott Wlaschin
 
Building confidence in concurrent code with a model checker: TLA+ for program...
Scott Wlaschin
 
Reinventing the Transaction Script (NDC London 2020)
Scott Wlaschin
 
The Functional Programmer's Toolkit (NDC London 2019)
Scott Wlaschin
 
The Power Of Composition (DotNext 2019)
Scott Wlaschin
 
Domain Modeling Made Functional (KanDDDinsky 2019)
Scott Wlaschin
 
Four Languages From Forty Years Ago (NewCrafts 2019)
Scott Wlaschin
 
Four Languages From Forty Years Ago
Scott Wlaschin
 
The Power of Composition
Scott Wlaschin
 
F# for C# Programmers
Scott Wlaschin
 
Thirteen ways of looking at a turtle
Scott Wlaschin
 
Dr Frankenfunctor and the Monadster
Scott Wlaschin
 
Enterprise Tic-Tac-Toe
Scott Wlaschin
 
An introduction to property based testing
Scott Wlaschin
 
Functional Programming Patterns (NDC London 2014)
Scott Wlaschin
 
Functional Programming Patterns (BuildStuff '14)
Scott Wlaschin
 
Swift vs. Language X
Scott Wlaschin
 
Domain Driven Design with the F# type System -- F#unctional Londoners 2014
Scott Wlaschin
 
Doge-driven design
Scott Wlaschin
 
The Theory of Chains
Scott Wlaschin
 

Recently uploaded (20)

PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PPTX
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PPTX
Transform Your Business with a Software ERP System
Canada Software Company
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
PDF
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PDF
Nekopoi APK 2025 free lastest update
umarali35kp
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
PDF
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
PDF
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
PPTX
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PPTX
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
AnujKumar530915
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Online Work Permit System for Fast Permit Processing
SHEQ Network Limited
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
Transform Your Business with a Software ERP System
Canada Software Company
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Audit Checklist Design Aligning with ISO, IATF, and Industry Standards — Omne...
rohnjim07
 
System and Network Administration Chapter 2
jaramharo
 
Nekopoi APK 2025 free lastest update
umarali35kp
 
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
Digital Strategies for Manufacturing Companies
Virendra Rai, PMP
 
Which alternative to Crystal Reports is best for small or large businesses.pdf
Varsha Nayak
 
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
AI in Product Development-omnex systems
omnex systems
 
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
AnujKumar530915
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 

Designing with Capabilities

  • 1. Designing with capabilities for fun and profit @ScottWlaschin fsharpforfunandprofit.com/cap
  • 3. Good security => Complicated I won’t like doing this
  • 4. Good security => Complicated X
  • 5. Security for free! ...which is good, because I’m lazy Good security == Good design I like doing this
  • 6. The topic of this talk Not about OAuth, JWT etc Good security == Good design
  • 8. Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, Temporibus autem quibus Dacei Megasystems Tech Inc necessitatibust aut officiis debitis auteo 2799 E Dragam Suite 7 quisquam saepe Itaque enieti Los Angeles CA 90002 ut et voluptates repudiandae sint et molestiae non recusandae. Itaque earum rerum hic tenetur a sapiente delectus, ut aut reiciendis voluptatibus maiores alias consequatur aut perferendis doloribus asperiores repellat. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Please deliver this letter A counterexample
  • 9. Sed ut perspiciatis unde omnis iste natus error sit voluptatem accusantium doloremque laudantium, totam rem aperiam, eaque ipsa quae ab illo inventore veritatis et quasi architecto beatae vitae dicta sunt explicabo. Nemo enim ipsam voluptatem quia voluptas sit aspernatur aut odit aut fugit, sed quia consequuntur magni dolores eos qui ratione voluptatem sequi nesciunt. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Quis autem vel eum iure reprehenderit qui in ea voluptate velit esse quam nihil molestiae consequatur, Temporibus autem quibus Dacei Megasystems Tech Inc necessitatibust aut officiis debitis auteo 2799 E Dragam Suite 7 quisquam saepe Itaque enieti Los Angeles CA 90002 ut et voluptates repudiandae sint et molestiae non recusandae. Itaque earum rerum hic tenetur a sapiente delectus, ut aut reiciendis voluptatibus maiores alias consequatur aut perferendis doloribus asperiores repellat. Neque porro quisquam est, qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit, sed quia non numquam eius modi tempora incidunt ut labore et dolore magnam aliquam quaerat voluptatem. Ut enim ad minima veniam, quis nostrum exercitationem ullam corporis suscipit laboriosam, nisi ut aliquid ex ea commodi consequatur? Please deliver this letter It’s not just about security... ...hiding irrelevant information is good design!
  • 11. Evolution of an API (from the security point of view) Say that the UI needs to set a configuration option (e.g. DontShowThisMessageAgain) How can we stop a malicious caller doing bad things?
  • 12. Version1 Give the caller the configuration file name interface IConfiguration { string GetConfigFilename(); } var filename = config.GetConfigFilename(); // open file // write new config // close file API Caller  A malicious caller has the ability to open and write to any file on the filesystem
  • 13. Version 2 Give the caller aTextWriter interface IConfiguration { TextWriter GetConfigWriter(); } var writer = config.GetConfigWriter(); // write new config API Caller  A malicious caller can corrupt the config file We control which file is opened
  • 14. Version 3 Give the caller a key/value interface interface IConfiguration { void SetConfig(string key, string value); } config.SetConfig( "DontShowThisMessageAgain", "True"); API Caller  A malicious caller can set the value to a non-boolean
  • 15. Version 4 Give the caller a domain-centric interface enum MessageFlag { ShowThisMessageAgain, DontShowThisMessageAgain } interface IConfiguration { void SetMessageFlag(MessageFlag value); void SetConnectionString(ConnectionString value); void SetBackgroundColor(Color value); } API  What's to stop a malicious caller changing the connection string when they were only supposed to set the flag?
  • 16. Version 5 Give the caller only the interface they need interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); } API  The caller can *only* do the thing we allow them to do.
  • 17. Can’t get your work done Too much information passed in Just right Potential for abuse Principle of Least Authority (POLA) Too little information passed in Security spectrum
  • 18. Evolution of the same API (from the design point of view)
  • 19. DesignVersion1 Give the caller the configuration file name interface IConfiguration { string GetConfigFilename(); } API Bad design: Using a filename means we limit ourselves to file-based config files. Better design: A TextWriter would make the design more mockable.
  • 20. DesignVersion 2 Give the caller aTextWriter interface IConfiguration { TextWriter GetConfigWriter(); } API Better design: A generic KeyValue store would make implementation choices more flexible. Bad design: Using a TextWriter means exposing a specific storage format
  • 21. DesignVersion 3 Give the caller a key/value interface interface IConfiguration { void SetConfig(string key, string value); } API Bad design: A KeyValue store using strings means possible bugs. So we need to write validation and tests for that  Better design: A statically typed interface means no corruption checking code. 
  • 22. DesignVersion 4 Give the caller a domain-centric interface enum MessageFlag { ShowThisMessageAgain, DontShowThisMessageAgain } interface IConfiguration { void SetMessageFlag(MessageFlag value); void SetConnectionString(ConnectionString value); void SetBackgroundColor(Color value); } API Bad design: An interface with too many methods violates the ISP. Better design: Reduce the number of available methods to one!
  • 23. DesignVersion 5 Give the caller only the interface they need interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); } API Good design: The caller has no dependencies on anything else. Bonus: easy to mock! 
  • 24. Can’t do anything Too many dependencies Just right Unnecessary coupling Interface Segregation Principle Too few dependencies Design spectrum
  • 25. Ak.a. Minimize your surface area (to reduce chance of abuse) OO Design Guidelines Interface Segregation Principle Single Responsibility Principle, etc Security Guidelines Principle of Least Authority (POLA) Ak.a. Minimize your surface area (to reduce coupling, dependencies, etc)
  • 26. Good security => Good design Good design => Good security
  • 28. Capability based design ‱ In a cap-based design, the caller can only do exactly one thing -- a "capability". ‱ In the example, the caller has a capability to set the message flag, and that's all. Prevents both maliciousness and stupidity!
  • 29. A one method interface is a capability interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); }
  • 30. A one method interface is a function interface IWarningMessageConfiguration { void SetMessageFlag(MessageFlag value); } Action<MessageFlag> messageFlagCapability X
  • 34. What does “access-control” mean? ‱ Preventing any access at all. ‱ Limiting access to some things only. ‱ Revoking access when you are no longer allowed. ‱ Granting and delegating access to some subset of things. It’s not always about saying no!
  • 35. Using capabilities to control access to a resource Secret Files Alice Bob X
  • 37. Using auth/RBAC to control access to a resource Secret Files Alice Bob rejected accepted
  • 38. A weakness in capabilities Secret Files Alice Bob  Anyone with the key can get access.
  • 39. A weakness in auth/RBAC Secret Files Alice Bob 
  • 40. A weakness in any security system! Secret Files Alice Bob Do you trust Alice? Then you also trust anyone whom Alice trusts too... (Or whom Alice can be tricked into trusting)
  • 41. “Don’t prohibit what you can’t prevent”
  • 43. Supplies Closet Auth/RBAC systems are centralized Alice Bob accepted rejected Bob has only been working there for 6 months 
  • 44. Auth/RBAC systems are centralized Alice “Please grant Bob access to the supplies closet” “Then revoke access after 20 minutes” Authorization System Can your system do this?
  • 45. Supplies Closet Auth/RBAC systems are centralized Alice Bob “Here, Bob. You can borrow my swipe card” Credential Sharing
  • 46. Central systems can revoke access Secret Files Alice rejected
  • 47. How to revoke access in a cap-based system? Revoke?
  • 48. How to revoke access in a cap-based system?
  • 50. DESIGNING AN API USING CAPABILITIES
  • 51. Client Service Request Response Tic-Tac-Toe as a service Proper name is "Noughts and Crosses" btw
  • 52. Tic-Tac-Toe API (obvious version) type TicTacToeRequest = { player: Player row: Row col: Column }
  • 53. Tic-Tac-Toe API (obvious version) type TicTacToeResponse = { result : MoveResult display: DisplayInfo } type MoveResult = | KeepPlaying | GameWon of Player | GameTied
  • 55. What kind of errors can happen? ‱ A player can play an already played move ‱ A player can play twice in a row ‱ A player can forget to check the Result and keep playing
  • 56. “Make illegal operations unrepresentable” Don’t let me do a bad thing and then tell me off for doing it... Yes, you could return errors, but...
  • 57. Client Service New Game Available Moves Tic-Tac-Toe service with caps Nine available moves
  • 58. Client Service 1st move Available Moves Tic-Tac-Toe service with caps Eight available moves
  • 59. Client Service Available Moves Tic-Tac-Toe service with caps 2nd move Seven available moves
  • 60. Client Service Available Moves Tic-Tac-Toe service with caps 3rd move Six available moves
  • 61. Client Service No available Moves Tic-Tac-Toe service with caps Winning move
  • 62. Tic-Tac-Toe API (cap-based version) type MoveCapability = unit -> TicTacToeResponse type NextMoveInfo = { playerToPlay : Player posToPlay : CellPosition capability : MoveCapability } These are for client information only. The player and position are baked into the capability
  • 63. Tic-Tac-Toe API (cap-based version) type TicTacToeResponse = | KeepPlaying of (DisplayInfo * NextMoveInfo list) | GameWon of (DisplayInfo * Player) | GameTied of DisplayInfo
  • 64. Tic-Tac-Toe API (cap-based version) type TicTacToeResponse = | KeepPlaying of (DisplayInfo * NextMoveInfo list) | GameWon of (DisplayInfo * Player) | GameTied of DisplayInfo Where did the "request" type go? Where’s the authorization?
  • 66. What kind of errors can happen? ‱ A player can play an already played move ‱ A player can play twice in a row ‱ A player can forget to check the Result and keep playing Is this good security or good design? All fixed now! 
  • 67. HATEOAS Hypermedia As The Engine Of Application State “A REST client needs no prior knowledge about how to interact with any particular application or server beyond a generic understanding of hypermedia.” RESTful done right
  • 68. How NOT to do HATEOAS POST /customers/ GET /customer/42 If you can guess the API you’re doing it wrong Security problem! Also, a design problem – too much coupling.
  • 69. How to do HATEOAS POST /81f2300b618137d21d / GET /da3f93e69b98 You can only know what URIs to use by parsing the page Each of these URIs is a capability
  • 71. Some Benefits of HATEOAS ‱ Client decoupled from server – The server owns the API model and can change it without breaking any clients – E.g. Change links to point to CDN – E.g. Versioning ‱ Simpler clients in many cases – No need for client-side checking of moves ‱ Explorable API – Choose your own adventure!
  • 72. Client Service Login Available Capabilities Service API with caps Many available actions initially
  • 73. Client Service Use a capability Available Capabilities Service API with caps Fewer available actions in a given state
  • 74. CAPABILITY DRIVEN DESIGN Using these design techniques throughout your domain
  • 75. Controller/ API Business Logic Database Client Where shall we put the authorization logic? But then any other path has complete access to the database 
  • 76. Controller/ API Business Logic Database Client Where shall we put the authorization logic? But then it doesn’t have enough context 
  • 77. Controller/ API Business Logic Database Client Where shall we put the authorization logic? Global Authorizer Are you doing this already?
  • 78. public class CustomerController : ApiController { readonly ICustomerDb _db; public CustomerController(ICustomerDb db) { _db = db; } [Route("customers/{customerId}")] [HttpGet] [GetCustomerProfileAuth] public IHttpActionResult Get(int customerId) { var custId = new CustomerId(customerId); var cust = _db.GetProfile(custId); var dto = DtoConverter.CustomerToDto(cust); return Ok(dto); }
  • 79. public interface ICustomerDb { CustomerProfile GetProfile(CustomerId id); void UpdateProfile(CustomerId id, CustomerProfile cust); void CreateAccount(CustomerId id, CustomerProfile cust); void DeleteAccount(CustomerId id); void UpdateLoginEmail(CustomerId id, string email); void UpdatePassword(CustomerId id, string password); } How much authority do you really need?
  • 85. type MessageFlag = ShowThisMessageAgain | DontShowThisMessageAgain type ConfigurationCapabilities = { GetMessageFlag : unit -> MessageFlag SetMessageFlag : MessageFlag -> unit GetBackgroundColor : unit -> Color SetBackgroundColor : Color -> unit GetConnectionString : unit -> ConnectionString SetConnectionString : ConnectionString -> unit } ◘
  • 86. let dontShowMessageAgainDialogBox capabilities = let getFlag,setFlag = capabilities let ctrl= new CheckBox( Text="Don't show this message again") ctrl.Checked <- getFlag() // etc
  • 90. Controller /API Business Logic Database Inject a value of specific type Global Authorizer Passing tokens as types Represent tokens by types!
  • 91. Demo: Using types for access tokens
  • 92. What have we covered? ‱ Don’t use complicated security patterns – This will ensure that they are never used, or used wrong. – Don’t rely on other people doing the right thing. – Don’t rely on other people reading the documentation! ‱ Do use techniques where you get security for free. – You can be lazy! – You don’t have to remember to do anything.
  • 93. What have we covered? ‱ Don’t develop first, add security later – Right after you implement the “quality” module ‱ Do use security-driven design – Bonus: get a modular architecture!
  • 94. What have we covered? ‱ Don’t only do security at the outermost layer ‱ Do use POLA everywhere, which ensures that you have minimal dependencies.
  • 95. Common questions ‱ How do you pass these capabilities around? – Dependency injection or equivalent ‱ Are you saying that all external IO should be passed around as capabilities? – Yes!You should never access any ambient authority. – You should be doing this anyway for mocking.
  • 96. Common questions ‱ Won’t there be too many parameters? – Less than you think! – Encourages vertical slices (per use-case, scenario) – “Functional core, imperative shell” ‱ Can’t this be bypassed by reflection or other backdoors? – Yes. This is really all about design not about total security.
  • 97. Resources for capability-based thinking ‱ LMGTFY “Capability based security” ‱ “Lazy developers guide to secure computing” talk by Marc Stiegler ‱ erights.org ‱ Google's Caja built over JavaScript ‱ Emily, a capability based language (via Ocaml)
  • 98. Thanks! @ScottWlaschin fsharpforfunandprofit.com/cap Contact me Slides and video here Let us know if you need help with F#