secure web applications with awa
play

Secure Web Applications with AWA Stphane Carrez FOSDEM 2019 What - PowerPoint PPT Presentation

Jul 28, 2023 •738 likes •1.09k views

Secure Web Applications with AWA Stphane Carrez FOSDEM 2019 What is a Web Application Client server program with browser as client Examples: Gmail, Dropbox, Netflix, Zoho,... Server Server Database Client Front Back Browser End

  1. Secure Web Applications with AWA Stéphane Carrez FOSDEM 2019

  2. What is a Web Application ● Client server program with browser as client ● Examples: Gmail, Dropbox, Netflix, Zoho,... Server Server Database Client Front Back Browser End End Javascript PHP, Javascript, SQL, NOSQL, ... HTML, CSS Ruby, Java, ... https://github.com/stcarrez/ada-awa 2

  3. Problems with Web Applications ● Must protect data 1: Validate data 3: Authorize access and protect user’s data 2: Authenticate users Server Server Database Client Back Front Browser End End https://github.com/stcarrez/ada-awa 3

  4. Project history ● Started in 2011 with already 6 releases ● Based on experience building SaaS application (J2EE, Java Server Faces, Hibernate, OAuth) ● Benefit from several J2EE features but in Ada ● Build SaaS applications in Ada https://github.com/stcarrez/ada-awa 4

  5. Applications using AWA ● Personal blog: https://blog.vacs.fr ● Ada France: https://www.ada-france.org https://github.com/Ada-France/ada-france ● Atlas demo: https://demo.vacs.fr/atlas https://github.com/stcarrez/atlas ● Jason: https://vdo.vacs.fr https://github.com/stcarrez/jason https://github.com/stcarrez/ada-awa 5

  6. AWA Architecture Your Web Application Dynamo Ada Web Application Ada Database Ada Ada Security OpenAPI Ada Ada Servlet Objects Server Faces Ada Web Server XML/Ada Ada EL Ada Util Ada Wiki SQLite MySQL PostgreSQL Windows FreeBSD GNU/Linux NetBSD https://github.com/stcarrez/ada-awa 6

  7. AWA Features Functional components Blogs Storages Images Questions Wikis System components Setup Jobs Users Workspaces Events Mails Permissions General purpose components T ags Changelogs Settings Flotcharts T rumbowyg Comments Counters Votes https://github.com/stcarrez/ada-awa 7

  8. AWA Request Flow Servlet Server Faces Client Module Database AWS Filter Servlet GET Do_Filter Do_Get Ada Bean Set_Value Load Get_Value https://github.com/stcarrez/ada-awa 8

  9. Problem 1: Validate Data ● HTTP parameters are passed as String ● Must be validated, verified before being used ● Ada strong typing helps to enforce the validation https://github.com/stcarrez/ada-awa 9

  10. Validation in Request Flow Servlet Server Faces Client Module Database AWS Filter Servlet GET Do_Filter Strongly typed Do_Get Types: Enum, Integer, Date, Float, String, ... Ada Bean Set_Value Request parameter Validation Type: String Load Get_Value https://github.com/stcarrez/ada-awa 10

  11. Ada Server Faces (Java JSR 344) ● MVC web framework ● Render HTML, XML, JSON, Text,…, Ada ● Validate inputs ● Uses XML to describe views https://github.com/stcarrez/ada-awa 11

  12. Ada Server Faces ● Facelets: XHTML files with templating ● Component based interface <f:metadata> <f:viewParam id=’page’ value=’#{wikiView.name}’/> <f:viewAction action='#{wikiView.load}'/> Operation called </f:metadata> before rendering <div> Custom UI <awa:wiki value=”#{wikiView.content}”/> component: </div> render wiki text <div class="wiki-page-footer"> <h:outputFormat styleClass="wiki-page-date" value="#{wikiMsg.wiki_page_info_date}"> <f:param value="#{wikiView.date}"/> Standard UI <f:converter converterId="smartDateConverter"/> component with </h:outputFormat> custom format\ </div> https://github.com/stcarrez/ada-awa 12

  13. Ada EL (Java JSR 245) ● The presentation layer need values from Ada objects ● EL is a simple but powerful expression language ● Java implements EL using introspection → security issue EL expression Ada #{wikiView.title} type Wiki_View_Bean is ... Title : Unbounded_String; ... end record ; https://github.com/stcarrez/ada-awa 13

  14. Ada Beans: get and set values ● Get values for the presentation layer (Ada EL) ● Explicit definition: implement the Bean interface ● Values represented by Object type (can hold most Ada types, including Ada Beans) type Object is private ; type Readonly_Bean is limited interface ; function Get_Value (From : in Readonly_Bean; Name : in String) return Object is abstract ; type Bean is limited interface and Readonly_Bean; procedure Set_Value (From : in out Bean; Name : in String; Value : in Object) is abstract ; https://github.com/stcarrez/ada-awa 14

  15. Ada Beans: method calls ● Declare a table of supported operations ● Implement the Method_Bean interface type Method_Bean is limited interface ; function Get_Methods (From : in Method_Bean) return Method_Binding_Array_Access is abstract ; ● Let Dynamo generate the code procedure Op_Load (Bean : in out Wiki_Page_Bean; Outcome : in out Unbounded_String); package Binding_Wiki_Page_Bean_3 is new ASF.Events.Faces.Actions.Action_Method.Bind (Bean => Wiki_Page_Bean, Method => Op_Load, Name => "load"); https://github.com/stcarrez/ada-awa 15

  16. Ada Beans: factory ● Need creation of Ada Beans for a Web request ● Write function to create the Ada bean instance ● Register the function under a name ● Use XML configuration to declare bean names <managed-bean> <description>...</description> function Create_Wiki_View_Bean <managed-bean-name>wikiView</managed-bean-name> return Util.Beans.Basic.Readonly_Bean_Access; <managed-bean-class>AWA.Wikis.Beans.Wiki_View_Bean</ <managed-bean-scope>request</managed-bean-scope> Register.Register <managed-property> (Plugin => Plugin, <property-name>image_prefix</property-name> Name => "AWA.Wikis.Beans.Wiki_View_Bean", <property-class>String</property-class> Handler => Create_Wiki_View_Bean'Access); <value>#{contextPath}/images/</value> </managed-property> </managed-bean> https://github.com/stcarrez/ada-awa 16

  17. Validation in Request Flow Servlet Server Faces Client Module Database AWS Filter Servlet GET 2: Create the object Do_Filter Do_Get 3: Raise exception Ada Bean 1: Verify validity of ‘page’ parameter to reject parameter Set_Value Load Get_Value <f:metadata> 4: Perform work <f:viewParam id=’page’ value=’#{wikiView.name}’/> or raise exception <f:viewAction action='#{wikiView.load}'/> </f:metadata> https://github.com/stcarrez/ada-awa 17

  18. Solution 1: Validate Data ● Ada Server Faces takes care of data validation: – By providing controls before conversion, – By converting input to Ada final types ● Ada beans are explicitly declared ● Ada bean’s Set_Value called after validation ● Data is stored and represented using Ada types https://github.com/stcarrez/ada-awa 18

  19. Problem 2: Authenticate Users ● Identify known users ● Get credentials for these users ● Registration process for unknown users https://github.com/stcarrez/ada-awa 19

  20. AWA Users Module ● Authenticate users – with OpenID Connect – with email & password ● Provide full registration and invitation process ● Email validation through access key validation https://github.com/stcarrez/ada-awa 20

  21. AWA User, Email and Session https://github.com/stcarrez/ada-awa 21

  22. Ada Security: OpenID Connect ● Authentication framework built on top of OAuth2 ● Authenticate users with OpenID Connect →Google, Facebook, Twitter, ... https://github.com/stcarrez/ada-awa 22

  23. Solution 2: Authenticate Users ● Ada Security provides support for OpenID ● AWA provides some support for user enrollment – Online registration – Invitation of users through secure key https://github.com/stcarrez/ada-awa 23

  24. Problem 3: Authorize Access ● Grant access to authorized users ● Verify before the resource is accessed ● Deny access to unauthorized users https://github.com/stcarrez/ada-awa 24

  25. Authorization in Request Flow Servlet Server Faces Client Module Database AWS Filter Servlet GET Do_Filter Do_Get URL Permission Check Ada Bean Type: String Set_Value Load Get_Value Permission check in views: Data access permission check Hide forbidden operations https://github.com/stcarrez/ada-awa 25

  26. Some Security Concepts ● Policy and policy manager: – security rules to protect the system or resources ● Principal: – the entity that can be authenticated (credentials) ● Permission: – Access to a system or resource https://github.com/stcarrez/ada-awa 26

  27. Ada Security ● Security framework to enforce security policies ● Describe security policies ● Authorize access to resources based on security policy and security context https://github.com/stcarrez/ada-awa 27

  28. Ada Security Model https://github.com/stcarrez/ada-awa 28

  29. Security Policies ● Security policies are checked by a controller ● Use existing policies or write your own type Entity_Controller (Len : Positive) is limited new Security.Controllers.Controller with record Entities : Entity_Type_Array; SQL : String (1 .. Len); end record ; overriding function Has_Permission (Handler : in Entity_Controller; Context : in Security.Contexts.Security_Context'Class; Permission : in Security.Permissions.Permission'Class) return Boolean; https://github.com/stcarrez/ada-awa 29

Recommend

and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

CS 1655 / Spring 2010 Secure Data Management and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure Coding From: Secure Coding: Principles and Practices by Mark G. Graff &amp; Kenneth R. Van Wyk

753 views • 17 slides
Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of

Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of

Networking Secure apps Aims Crypto Basics Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 26 June 2014

389 views • 26 slides
Practical Secure Two-Party Computation and Applications Lecture 3: Tools and Applications

Practical Secure Two-Party Computation and Applications Lecture 3: Tools and Applications

Practical Secure Two-Party Computation and Applications Lecture 3: Tools and Applications Estonian Winter School in Computer Science 2016 Overview of this lecture Part 2: ABY Part 3: GSHADE Special Purpose Protocols Generic Protocols

819 views • 52 slides
Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted Cryptographic Protocols Estonian Winter School in Computer Science 2016 Motivation 2 Two Areas Cryptographic Protocols Secure Hardware strong security

759 views • 52 slides
Secure by Default Web Applications With Apache Sling Robert Munteanu, Adobe Systems ApacheCon

Secure by Default Web Applications With Apache Sling Robert Munteanu, Adobe Systems ApacheCon

Secure by Default Web Applications With Apache Sling Secure by Default Web Applications With Apache Sling Robert Munteanu, Adobe Systems ApacheCon Core 2016 http://robert.muntea.nu @rombert Who I am $DAYJOB Open Source Adobe

610 views • 40 slides
How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing

DIMACS Workshop On Secure Routing March 10, 2010 How Secure are Secure How Secure are Secure Interdomain Routing Protocols? Interdomain Routing Protocols? $ $ Sharon Goldberg Microsoft Research &amp; Boston University y Michael Schapira

701 views • 54 slides
Developing Secure Applications for IBM i Introductions Design and Documentation

Developing Secure Applications for IBM i Introductions Design and Documentation

Developing Secure Applications for IBM i Introductions Design and Documentation Application Ownership and Authority A Simple Security Model Integrity Considerations Resources for Security Officers Questions &amp; Answers

1.06k views • 93 slides
Secure Scuttlebutt: An Identity-Centric Protocol for Subjective and Decentralized Applications

Secure Scuttlebutt: An Identity-Centric Protocol for Subjective and Decentralized Applications

Secure Scuttlebutt: An Identity-Centric Protocol for Subjective and Decentralized Applications Dominic Tarr (SSB, New Zealand) Erick Lavoie (McGill University, Montreal) Aljoscha Meyer (TU Berlin, Germany) Christian Tschudin (U of

501 views • 18 slides
A secure infrastructure for mobile blended learning applications M. Politze, S. Schaffert, B.

A secure infrastructure for mobile blended learning applications M. Politze, S. Schaffert, B.

A secure infrastructure for mobile blended learning applications M. Politze, S. Schaffert, B. Decker IT Center RWTH Aachen University Overview Motivation &amp; Goals Current State Case Studies Lessons Learned Future Work 2

623 views • 20 slides
New Primitives for Actively-Secure MPC over Rings with Applications to Private Machine Learning a

New Primitives for Actively-Secure MPC over Rings with Applications to Private Machine Learning a

New Primitives for Actively-Secure MPC over Rings with Applications to Private Machine Learning a ard 1 Daniel Escudero 1 Tore Frederiksen 2 Marcel Keller 3 Peter Scholl 1 Ivan Damg Nikolaj Volgushev 2 May 19, 2019 1 Aarhus University, Denmark 2

711 views • 32 slides
Applications of formal verification for secure Cloud environments at CEA LIST Nikolai Kosmatov

Applications of formal verification for secure Cloud environments at CEA LIST Nikolai Kosmatov

Applications of formal verification for secure Cloud environments at CEA LIST Nikolai Kosmatov joint work with A.Blanchard, F.Bobot, M.Lemerre,. . . SEC2, Lille, June 30 th , 2015 N. Kosmatov (CEA LIST) Formal Verification for secure Cloud

597 views • 37 slides
Practical Secure Two-Party Computation and Applications Thomas Schneider Estonian Winter School

Practical Secure Two-Party Computation and Applications Thomas Schneider Estonian Winter School

Practical Secure Two-Party Computation and Applications Thomas Schneider Estonian Winter School in Computer Science 2016 Overview Lecture 1: Introduction to Secure Two-Party Computation Lecture 2: Private Set Intersection Lecture 3: Tools

935 views • 67 slides
InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas

InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas

InkTag: Secure Applications on an Untrusted Operating System Paper from The University of Texas at Austin by: Owen S. Hofmann, Kim Sangmann, Alan M. Dunn, Michael Z. Lee, and Emmett Witchel Presented by: Kyle May and Carson Boden Outline

680 views • 26 slides
Semantic Markup for Secure Survivable Enterprise Applications Anya Kim, Amit Khashnobish, Jim

Semantic Markup for Secure Survivable Enterprise Applications Anya Kim, Amit Khashnobish, Jim

Semantic Markup for Secure Survivable Enterprise Applications Anya Kim, Amit Khashnobish, Jim Luo, Bruce Montrose, Myong Kang US Naval Research Laboratory Code 5542 Washington, DC Introduction Service-oriented architectures Relies

390 views • 14 slides
Building Secure Applications Greg Ponto &amp; Tom Shippee Presentation agenda Overview -

Building Secure Applications Greg Ponto &amp; Tom Shippee Presentation agenda Overview -

Esri International User Conference San Diego, California Technical Workshops | July 26, 2012 Building Secure Applications Greg Ponto &amp; Tom Shippee Presentation agenda Overview - Exploring 10.1 architecture Beginners: - Using 10.1

461 views • 28 slides
Secure Data Management: Foundations, Systems and Applications My Journey 1985-Present Dr.

Secure Data Management: Foundations, Systems and Applications My Journey 1985-Present Dr.

Erik Jonsson School of Engineering and Computer Science Distinguished Lecture Series 2017-2018 Secure Data Management: Foundations, Systems and Applications My Journey 1985-Present Dr. Bhavani Thuraisingham The University of Texas at Dallas

552 views • 40 slides
Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin

Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin

Electrical and Computer Engineering Department Practical Traffic Analysis Attacks on Secure Messaging Applications Alireza Bahramali, Ramin Soltani, Amir Houmansadr, Dennis Goeckel, Don Towsley University of Massachusetts Amherst Instant

512 views • 40 slides
Exploring the use of Intel SGX for Secure Many-Party Applications SysTEX16 K. A. Kucuk

Exploring the use of Intel SGX for Secure Many-Party Applications SysTEX16 K. A. Kucuk

Exploring the use of Intel SGX for Secure Many-Party Applications SysTEX16 K. A. Kucuk University of Oxford, UK December 12, 2016 Kubilay Ahmet Kucuk, kucuk@cs.ox.ac.uk, University of Oxford Exploring the use of Intel SGX for Secure

607 views • 23 slides
L i s t a l l e r A simple and secure way to distribute 3rd-party applications Matthias

L i s t a l l e r A simple and secure way to distribute 3rd-party applications Matthias

L i s t a l l e r A simple and secure way to distribute 3rd-party applications Matthias Klumpp mak@debian.org matthias@tenstral.net X K C D 9 2 7 Wh y ? P e o p l e w a n t t o h a v e n e w s o f t

373 views • 15 slides
Model-based approaches for the design of secure e-ID card applications Hans Vangheluwe Mohamed

Model-based approaches for the design of secure e-ID card applications Hans Vangheluwe Mohamed

AdapID workshop 26 September 2006 KU Leuven Model-based approaches for the design of secure e-ID card applications Hans Vangheluwe Mohamed Layouni, Ximeng Sun, Miriam Zia Modelling, Simulation and Design Lab McGill University Stefan

683 views • 29 slides
Building Secure Decentralized Applications the DECENT Way Haofan Zheng Xiaowei Chu University

Building Secure Decentralized Applications the DECENT Way Haofan Zheng Xiaowei Chu University

Building Secure Decentralized Applications the DECENT Way Haofan Zheng Xiaowei Chu University of California, Santa Cruz Owen Arden Remote Attestation A process for the enclave to gain the trust of a remote service, so that the remote

212 views • 18 slides
Applications of Secure Location Sensing in Healthcare Michael Rushanan, David Russell, Aviel D.

Applications of Secure Location Sensing in Healthcare Michael Rushanan, David Russell, Aviel D.

Applications of Secure Location Sensing in Healthcare Michael Rushanan, David Russell, Aviel D. Rubin Johns Hopkins University Introduction Healthcare Application Benefit patient care, delivery, and safety Protect sensitive patient

774 views • 39 slides
InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan

InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan

InkTag: Secure Applications on an Untrusted Operating System Owen Hofmann, Sangman Kim, Alan Dunn, Mike Lee, Emmett Witchel UT Austin You trust your OS... should you? The OS is the software root of trust on most systems The OS is a

1.06k views • 79 slides
Deploying Secure Computing for Real-world Applications Dan Bogdanov, PhD Head of Privacy

Deploying Secure Computing for Real-world Applications Dan Bogdanov, PhD Head of Privacy

Deploying Secure Computing for Real-world Applications Dan Bogdanov, PhD Head of Privacy Technology Development Cybernetica dan@cyber.ee The Sharemind Privacy-preserving Computing Platform Components for Privacy Encrypted Privacy

714 views • 28 slides

More recommend