jueves, 27 de marzo de 2014

Application Security Presentation

Introduction

I have implemented a package called "Application Security" to provide a domain-independent security model which you can easily instantiate in your applications. It is based in patterns from the Application Security Pattern System introduced by J. Yoder and J. Barcalow in a PLoP (Pattern Language of Programs - a workshop for pattern researchers) paper in 1997, which contains about 290 citations as of today.

Web sites with user registration, e-mail confirmation, forgot password, password rules and validation makes heavy use of ApplicationSecurity. It is a completely independent package (not tied with a particular web framework) providing all user management - roles, groups, etc. - access control based on IP addresses.

Disclaimer

Although acceptable for my security requirements, the software security world is a neverending story. To recognize the whole dimension of this territory, I have collected a short summary of the most cited security pattern literature:
  • J. Yoder and J. Barcalow: One of the first security pattern languages, 7 patterns.
  • Kienze et. at.: Contains 29 security patterns.
  • The Open Group: 13 patterns.
  • Braga et. al: Oriented to cryptographic software API.
  • Romanosky et. al: 8 security design patterns.
  • Weiss M. Patterns for web applications. In: Proceedings of the 10th conference on pattern languages of programming (PLoP ’03); 2003.
  • Kienzle D, Elder M. Security patterns for web application development, University of Virginia technical report; 2002

Installation

The interactive way to install the package is using the Configuration Browser in Pharo 3. Also you can evaluate the following script which perform the same action:
Gofer it
  smalltalkhubUser: 'hernan' project: 'ApplicationSecurity';
  configurationOf: 'ApplicationSecurity';
  loadStable.
The Configuration automatically loads the stable versions for FFI and Nacl.

Passwords

The Application Security package contains two hasher adapters, one is the hashing provided by Grease (a package for cross-smalltalk compatibility including convenience methods), this is a SHA-1 (160-bit, 20-byte hash value) and another one which is enabled by default using Nacl cryptographic library, which uses SHA-512 through the libsodium binding for Pharo. And of course, to prevent rainbow table attacks in case of a breach, all passwords are salted.

User model

Contains following main classes:
  • Registered user: A valid and registered user in the system.
  • Candidate user: Users currently not validated or confirmed, this is for example a user which is registering. It handles regitration identifier and expired regitrations.
  • User group: To group users sharing common property
  • User registration: Maintains candidate registration information such as URL link's unique identifier for verification (during a period of time) and the candidate object.

Network

Application Security also contains Network security utilities to do access control based on IP addresses:
  • ASIPAddress : Represents an IP address.
  • ASIPAddressClass : For representing IPv4 address classes. This class is not intended to be used for doing subnetting (scaling, allocation, etc.).
  • ASIPAddressList : Access control list used for representing classful network architecture for IPv4 addresses. This class is not intended to be used for doing subnetting (scaling, allocation, etc.)
An IPAddress is a helper class to support querying IP address range (ASIPAddress). Follow some examples to set up useful list for filtering machines based on their IP addresses:
" Build a denied IP list for IP addresses in class A "
ASIPAddressList new denyClassA.

" Build a denied IP list for IP addresses in class A and B "
ASIPAddressList new 
 denyClassA;
 denyClassB;
 yourself.

" Deny private IP addresses from classes A, B and C 
the following address ranges:
 10.0.0.0 - 10.255.255.255
 172.16.0.0 - 172.31.255.255
 192.168.0.0 - 192.168.255.255 "
ASIPAddressList new denyPrivateIPAddresses.

" To deny a specific IP address: "
ASIPAddressList new deny: #('8.8.8.8').

Repository

The repository is responsible for the persistency of secured objects. This covers queries as well as set modifications (insert/delete). Currently it is based in the FUEL serialization package, but there is plan to make it adatable to other serializers.
| myRepo |
myRepo := ASRepository new.
myRepo isValidPendingRegistrationId: '6pe62ek45lvxhd0xawvcueceo'. " => false "
myRepo defaultAdministrator " => ASUser "
Following posts will contain details about usage of the CheckPoint API, IMO the most interesting feature of the package. In the meantime, I will be glad of hearing about your impressions and comments.