Opa @ owasp 2010

OPA: Language Support for a
Sane, Safe and Secure Web

David Rajchenbach-Teller
Head of R&D
MLstate
David.Teller@mlstate.com
OWASP twitter.com/mlstate
+33 1 55 43 76 55
June 24th, 2010

Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.

The OWASP Foundation
http://www.owasp.org

What Automated Solutions Miss
What it’s all about

!!Theoretical
"!Logic flaws (business and application)
"!Design flaws
"!The Stupid
!!Practical
"!Difficulty interacting with Rich Internet Applications (RIA)
"!Complex variants of common attacks (SQL Injection, XSS,
etc)
"!Cross-Site Request Forgery (CSRF)
"!Uncommon or custom infrastructure
"!Authorization enforcement
"!Abstract information leakage
OWASP
OWASP 26

What it’s all about What Automated Solutions Miss

!!Theoretical
"!Design flaws
"!The Stupid
!!Practical
etc)
OWASP 6

“Automated vs. Manual: You can’t filter The Stupid”
Charles Henderson, David Byrne
AppSec DC 2009 + 2010

OWASP 2

What it’s all about What Automated Solutions Miss

!!Theoretical
"!Design flaws
"!The Stupid
!!Practical
etc)
OWASP 6

“Automated vs. Manual: You can’t filter The Stupid”
Charles Henderson, David Byrne
AppSec DC 2009 + 2010

“Oh, yeah?”
The MLstate team
AppSec Research 2010

OWASP 2

OPA: Language Support for a Sane, Safe and
Secure Web

General approach
Keeping in the Smart Useful
Filtering out the Stupid Fragile
Lessons and Future

OWASP 3

Web Applications
(high-level design)

Logics

App App

Storage Delivery
UI

User User

OWASP 4

Web Applications
(what we see)

JavaScript

Web Web
Browser Server
PHP?

Language

Database

OWASP 5

Web Applications
(what we see) Web
Server
JavaScript

Web Web
Web
Browser Web
Server
Server
Server
PHP?
+scripts
Who
knows?

Web Language
Language
Framework
Browser

Database
Database
Database
Java?

Language

OWASP 5

Web Applications
(what we see) Web
Server
JavaScript

Config
Web Web
Web
error?

Browser Web
Server
Server
Server
PHP?
+scripts
Who
knows?
Config
Web error? Language
Language
Framework
Browser
Config
error?

Config

Database
error?

Database
Database
Java?

Language

OWASP 5

Web Applications
(what we see) Web
Server
Protocol
JavaScript ?
Config
Web Web
Web
error?

Browser Protocol Web
Server
?
Server
Server
PHP?
+scripts
Who
knows?
Config
Web error? Language
Language
Framework
Browser
Config
error? Protocol Protocol
?
?

Config

Database
error?

Database
Database
Java?

Language

OWASP 5

Web Applications
(what we see) Web
Server Protocol
CSRF exploit
Protocol
JavaScript ?
Info leak
Config
Web Web
Web
error?

Server
Sniffing
?
Server
Server
Data
injection
Memory
injection

PHP?
+scripts
Who
knows?
Config
Web XSS error? Language
injection SQL Language
Framework
Browser injection

Config
? Memory
Contami
? injection
nation

Config

Database
error?

Database
Database
Java?

Language

OWASP 5

Web Applications
(what we see) Web
Server Protocol
CSRF exploit
Protocol
JavaScript ?
Info leak
Contami Config
Web Web
Web
nation error?

Server
Sniffing
?
Server
Server
Data
injection
Memory
injection

PHP?
+scripts
Protocol Who
exploit Known knows?
Config
Web XSS error?
exploit
Language
injection SQL Language
Framework
Browser Protocol
injection

exploit
Config
? Memory
Contami
? injection
nation

Config

+ Phishing Database
error? Protocol

+ (D)DoS, economic (D)DoS Database
Database
Java?
exploit

+ Flash, Silverlight, Gears, XPCOM, Language
Java(FX), NativeClient, Acrobat, QT...
+ Keyloggers
+ ... OWASP 5

The general idea

OWASP 6

The general idea

“If you can’t solve the problem, change the problem.”
Ferengi Rule of Acquisition #408

OWASP 6

The general idea


“What if the problem is that Joe User is stupid?”
(Joe Developer)

OWASP 6

The general idea


(Joe Developer)

“It’s not him, it’s you. You should design your tool so
that Joe can’t do anything stupid.”
Ferengi Rule of Acquisition #408, contd.

OWASP 6

The general idea


(Joe Developer)


“What if the problem is that Joe Developer is stupid?”
(Joe Meta-Developer)

OWASP 6

The general idea


(Joe Developer)


“What if the problem is that Joe Developer is stupid?”
(Joe Meta-Developer)

“Haven’t I answered that question already?”

“...oh, and don’t forget to make sure that Joe can
still use the tools!”

OWASP 6

Web applications
(with OPA)

Logics
OPA

App App

Storage Delivery
UI

User User

OWASP 7

Web applications
(with OPA)

Logics
OPA

App App

Untrusted Storage Delivery
UI

User User

OWASP 7

General OPA design

OWASP 8

General OPA design
Clean-slate design
Based on formal methods
Safe languages from the bottom up

OWASP 8

General OPA design

One language for the whole application
Glue & checks generated automatically
No impedance mismatch

OWASP 8

General OPA design

One language for the whole application

“Just” a distributed system
In which not all principals are trusted
And communications use web standards
Security is (mostly) automatic
OWASP 8

General OPA design Joe doesn’t need
to know


One language for the whole application Simpler than LAMP


“Just” a distributed system Joe doesn’t need
to know

In which not all principals are trusted
And communications use web standards
Security is (mostly) automatic
OWASP 8

Secure Web

General approach

OWASP 9

Hello, web

OWASP 10

Hello, web

server = one_page_server("Hello, web", -> <>Hello, web</>)

1) Compile
Complete web
opa hello.opa application.

2) Run
./hello.exe

3) Test
browse http://localhost:8080

OWASP 10

URL shortener (22 loc)

db /abbrevs: intmap(string)
db /abbrevs[_] = "/"

make_shorter(url:string):string =
  key = Db.fresh_key(/abbrevs)
  do /abbrevs[key] <- url
  "{key}"
_ = @server(make_shorter)

do_shorten(_) =
exec([#shortened <- make_shorter(Page.getVal(#origin))])

urls = parser
| "/" dest=Rule.integer ->
    Resource.redirection_page("Please wait a second",
<div class="loading">(loading...)</>,{address_moved},0,/abbrevs[dest])
| .* ->
    Resource.html("MLstate redirector",
    <>Please enter a URL you wish to shorten<br/>
    <input id="origin"/><button onclick={do_shorten}>Shorten</button>
    <div id="shortened"></div>
    </>)

server = simple_server(urls)
OWASP 11

URL shortener (22 loc)

db /abbrevs: intmap(string)
Database
db /abbrevs[_] = "/"

make_shorter(url:string):string =
  key = Db.fresh_key(/abbrevs)
  do /abbrevs[key] <- url
  "{key}"
_ = @server(make_shorter) Control

do_shorten(_) =
exec([#shortened <- make_shorter(Page.getVal(#origin))])
UI
urls = parser
| "/" dest=Rule.integer ->
    Resource.redirection_page("Please wait a second",
<div class="loading">(loading...)</>,{address_moved},0,/abbrevs[dest])
| .* ->
    Resource.html("MLstate redirector",
    <>Please enter a URL you wish to shorten<br/>
    <input id="origin"/><button onclick={do_shorten}>Shorten</button>
    <div id="shortened"></div>
    </>)

server = simple_server(urls)
OWASP 11

Nice web chat
type mess = {id: string; message: string}
room = Network.empty():Network.network(mess)
connect(callback) = Network.add(Session.make_callback(callback), room)
make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room)

styled_page(title, body) = (
  Resource.full_page(title, body,
<link rel="stylesheet" type="text/css" href="resources/css.css" />, {success}, [])
)

user_update(x:mess) = (
  line = <div class="opa-line">
    <div class="opa-wrap"><div class="opa-user">{x.id}:</div>
    <div class="opa-message">{x.message}</div></div>
  </div>
  do exec([#show +<- line ])
  Page.set_scroll_top(#show, Page.get_height(#show)+Page.get_scroll_top(#show))
)

start(connexion) = (
   id = String.sub(0, 8, Server.get_user(connexion) ? "Unknown")
   broadcast = make_broadcaster(id)
   styled_page("Chat",  //Display
     <script onload={_ -> connect()}/>
     <div id="header"><div id="logo"></div></div>
     <div id="show"></div>
     <input id="entry"/>
     <div class="opa-button" onclick={broadcast}>Send!</div>
   )

)

urls      = parser .* -> start
resources = @static_include_directory("resources")
server    = Server.make(Resource.add_auto_server(resources, urls)) OWASP 12

Nice web chat

)

user_update(x:mess) = ( UI
  </div>
)

     <input id="entry"/>
   )

)


Nice web chat

styled_page(title, body) = ( Real-time
web
)

  </div>
)

     <input id="entry"/>
   )

)


Nice web chat

styled_page(title, body) = ( Real-time
web
)

  </div>
)

     <input id="entry"/>
   )

)

urls      = parser .* -> start URLs

There’s more

Games

Productivity tools

Development tools

Security applications

e-Commerce applications

...

OWASP 13

Things we can do (and check!)

OWASP 14

Things we can do (and check!)

Programmable security policies
Ajax SOAP Complex database
...
XML processing
Comet
Fine-grained sessions Time-unlimited rollback
Distribution
Multitasking
Higher-order database
User interface Concurrent transactions
WSDL
Higher-order programming
Data history
Capabilities

OWASP 14

Secure Web

General approach

OWASP 15

Transparent protections


)

  </div>
  Page.set_scroll_top(Page.get_height(#show)+Page.get_scroll_top(#show), #show)
)

     <input id="entry"/>
   )
)




)

All insertions
user_update(x:mess) = ( = ( are checked
user_update(x:mess)
  </div>
  </div>   do exec([#show +<- line ])
)
) start(connexion) = (
     <input id="entry"/>
   )
)


All communications
are checked
make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)},
make_broadcaster(id) = _ -> Network.broadcast({~id message=Page.get_value(#entry)}, room) room)
)

  </div>
)

     <input id="entry"/>
   )
)




)

  </div>
)


Per-user
     <div
id="header"><div id="logo"></div></div> capability?*
     <input id="entry"/>
     )
   <input id="entry"/>
)
)

More

A1-Injection A6-Security Misconﬁguration

A2-Cross Site Scripting (XSS) A7-Insecure Cryptographic Storage

A3-Broken Authentication and
A8-Failure to Restrict URL Access
Session Management
A4-Insecure Direct Object A9-Insufﬁcient Transport Layer
References Protection
A5-Cross Site Request Forgery A10-Unvalidated Redirects and
(CSRF) Forwards

OWASP 17

progress)


!!Theoretical
"!Design flaws
"!The Stupid
!!Practical
etc)
OWASP
OWASP 16
18
6

progress)


^
other
!!Theoretical
"!Logic flaws (business and application) (in progress)

"!Design flaws
"!The Stupid (what we do best)
!!Practical (been there, done that)
etc) (been there, done that)

"!Cross-Site Request Forgery (CSRF) (in progress)
"!Uncommon or custom infrastructure (abstract&specify them away!)
"!Authorization enforcement (been there, done that)

"!Abstract information leakage (been there, done that)
OWASP
OWASP 16
18
6

Secure Web

General approach

OWASP 19

Theoretical foundations

Building on 30+ years of research in formal
methods & language theory.

Key for precise analysis.

Key for precise optimizations.

OWASP 20

False positives

False positives are annoying but not that bad --
as long as they are predictable and there’s a
workaround.

Experienced developers make safety/security
mistakes quite often.

False positives often later reveal themselves as
true positives.

OWASP 21

Future

Eliminate CSRF.

Extend per-application security policy.

Extend per-library/per-data safety policy.

Plenty of additional features!

Hiring you?

OWASP 22

That’s all, folks!

http://www.mlstate.com

OWASP 23

That’s all, folks!

Thanks and apologies to David Byrne & Charles Anderson
for hijacking their slides

http://www.mlstate.com

OWASP 23

Opa @ owasp 2010

More Related Content

Similar to Opa @ owasp 2010 (20)

Recently uploaded (20)

Opa @ owasp 2010

Editor's Notes