Thursday, March 27, 2014

Application Security Presentation


I have implemented a package called "Application Security" to provide a domain-independent security model which you can easily instantiate in your applications. It is based on patterns from the Application Security Pattern System introduced by J. Yoder and J. Barcalow in a 1997 PLoP (Pattern Language of Programs, a workshop for pattern researchers) paper, which has about 290 citations as of today.

Web sites with user registration, e-mail confirmation, forgot-password flows, and password rules and validation make heavy use of ApplicationSecurity. It is a completely independent package (not tied to a particular web framework) that provides all user management (roles, groups, etc.) as well as access control based on IP addresses.


Although the package is adequate for my security requirements, software security is a never-ending story. To give a sense of the size of this territory, I have collected a short summary of the most cited security pattern literature:
  • J. Yoder and J. Barcalow: One of the first security pattern languages, 7 patterns.
  • Kienzle et al.: Contains 29 security patterns.
  • The Open Group: 13 patterns.
  • Braga et al.: Oriented to cryptographic software APIs.
  • Romanosky et al.: 8 security design patterns.
  • Weiss M. Patterns for web applications. In: Proceedings of the 10th conference on pattern languages of programming (PLoP ’03); 2003.
  • Kienzle D, Elder M. Security patterns for web application development, University of Virginia technical report; 2002


The interactive way to install the package is with the Configuration Browser in Pharo 3. Alternatively, you can evaluate the following script, which performs the same action (the original listing stopped after the configurationOf: send; the final load is what actually installs the package):
Gofer it
  smalltalkhubUser: 'hernan' project: 'ApplicationSecurity';
  configurationOf: 'ApplicationSecurity';
  load.
The configuration automatically loads the stable versions of FFI and Nacl.


The Application Security package contains two hasher adapters. One uses the hashing provided by Grease (a cross-Smalltalk compatibility package with convenience methods), which is SHA-1 (a 160-bit, 20-byte hash value). The other, enabled by default, uses the Nacl cryptographic library and computes SHA-512 through the libsodium binding for Pharo. And of course, to prevent rainbow-table attacks in case of a breach, all passwords are salted. Keep in mind what a salt does and does not buy you: it defeats precomputed tables, but a single pass of SHA-1 or SHA-512 is still fast to brute-force offline; making that guessing slow is the job of a deliberately slow, iterated password hash (bcrypt, scrypt or similar), which is a separate concern from salting.
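How the salted-hash scheme works end to end, as an added example that is not ApplicationSecurity's own code: it stores a random salt next to the SHA-1 digest of salt and password (the Grease adapter's algorithm; the SHA-512 adapter has the same shape) and verifies a candidate password with a comparison that takes the same time whether or not the digests differ. It assumes Pharo's SHA1 class answers a 20-byte ByteArray from #hashMessage:. The salt comes from Pharo's Random, which is not a cryptographic generator and stands in for an OS CSPRNG only to keep the script self-contained.

```smalltalk
"Added example (not ApplicationSecurity's own code): salted SHA-1 storage and
 constant-time verification. Assumes Pharo's SHA1 class answers a 20-byte
 ByteArray from #hashMessage:."
| rng makeSalt hashPassword constantTimeEquals store verify record |
"Random is not a cryptographic generator; a deployment should take salt bytes
 from the operating system's CSPRNG instead. One generator is shared so that
 consecutive salts differ."
rng := Random new.
makeSalt := [:byteCount |
    (ByteArray new: byteCount) collect: [:each | (rng nextInt: 256) - 1]].
"Digest over salt || password: equal passwords under different salts give
 different digests, which is what defeats a precomputed (rainbow) table."
hashPassword := [:password :salt |
    SHA1 new hashMessage: salt , password asByteArray].
"Compare every byte and never exit early, so the time taken does not reveal
 the position of the first differing byte."
constantTimeEquals := [:a :b | | diff |
    diff := a size bitXor: b size.
    1 to: (a size min: b size) do: [:i |
        diff := diff bitOr: ((a at: i) bitXor: (b at: i))].
    diff = 0].
"What gets persisted for a user: the salt in clear and the digest, never the password."
store := [:password | | salt |
    salt := makeSalt value: 16.
    Dictionary new
        at: #salt put: salt;
        at: #digest put: (hashPassword value: password value: salt);
        yourself].
verify := [:rec :candidate |
    constantTimeEquals
        value: (rec at: #digest)
        value: (hashPassword value: candidate value: (rec at: #salt))].
"Constructed input: one stored record, checked against a right and a wrong guess."
record := store value: 'correct horse battery staple'.
self assert: (verify value: record value: 'correct horse battery staple').
self assert: (verify value: record value: 'wrong password') not.
"Two users with the same password must not share a digest."
self assert: ((store value: 'same') at: #digest) ~= ((store value: 'same') at: #digest).
```

Evaluate it in a Playground; every assert: passes silently, and the comparison loop is the part worth copying: a plain ByteArray = stops at the first mismatch, which is exactly the early exit a timing measurement can exploit.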

User model

Contains following main classes:
  • Registered user: A valid and registered user in the system.
  • Candidate user: Users not yet validated or confirmed, for example a user who is in the middle of registering. It handles the registration identifier and expired registrations.
  • User group: To group users sharing common property
  • User registration: Maintains candidate registration information such as URL link's unique identifier for verification (during a period of time) and the candidate object.


Application Security also contains Network security utilities to do access control based on IP addresses:
  • ASIPAddress : Represents an IP address.
  • ASIPAddressClass : For representing IPv4 address classes. This class is not intended to be used for doing subnetting (scaling, allocation, etc.).
  • ASIPAddressList : Access control list used for representing classful network architecture for IPv4 addresses. This class is not intended to be used for doing subnetting (scaling, allocation, etc.)
ASIPAddress is a helper class for querying IP address ranges. The following examples set up useful lists for filtering machines based on their IP addresses:
" Build a denied IP list for IP addresses in class A "
ASIPAddressList new denyClassA.

" Build a denied IP list for IP addresses in class A and B "
ASIPAddressList new 

" Deny private IP addresses from classes A, B and C, i.e. the RFC 1918 ranges:
10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255 "
ASIPAddressList new denyPrivateIPAddresses.

" To deny a specific IP address: "
ASIPAddressList new deny: #('').
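What the classful and private-range checks come down to, as an added example that is not the package's ASIPAddress/ASIPAddressList code: it converts a dotted quad to a 32-bit integer, derives the classful class from the first octet, tests the three private ranges named above, and evaluates a deny list of predicates in the same spirit as the calls shown above. It uses only core Pharo collection and integer protocol; the host 203.0.113.7 is a constructed documentation address.

```smalltalk
"Added example, not the package's ASIPAddress/ASIPAddressList API: the checks
 behind a classful and private-range deny list on dotted-quad IPv4 strings."
| ipToInt inRange classOf isPrivate denyList allows |
"Dotted quad -> 32-bit integer, so range tests are plain integer comparisons."
ipToInt := [:dotted |
    (dotted substrings: '.')
        inject: 0
        into: [:acc :octet | (acc bitShift: 8) + octet asNumber]].
"Inclusive range test; low and high are dotted quads too."
inRange := [:ip :low :high |
    (ipToInt value: ip) between: (ipToInt value: low) and: (ipToInt value: high)].
"Classful class from the first octet: A 0-127, B 128-191, C 192-223, D 224-239, E 240-255."
classOf := [:ip | | first |
    first := (ipToInt value: ip) bitShift: -24.
    first < 128
        ifTrue: [$A]
        ifFalse: [first < 192
            ifTrue: [$B]
            ifFalse: [first < 224
                ifTrue: [$C]
                ifFalse: [first < 240 ifTrue: [$D] ifFalse: [$E]]]]].
"RFC 1918 private ranges, one per class."
isPrivate := [:ip |
    (inRange value: ip value: '10.0.0.0' value: '10.255.255.255')
        or: [(inRange value: ip value: '172.16.0.0' value: '172.31.255.255')
        or: [inRange value: ip value: '192.168.0.0' value: '192.168.255.255']]].
"A deny list is a collection of predicates; any match rejects the address."
denyList := OrderedCollection new.
denyList add: isPrivate.
denyList add: [:ip | (classOf value: ip) = $D].      "multicast, never a real client"
denyList add: [:ip | ip = '203.0.113.7'].             "one specific host (constructed)"
allows := [:ip | (denyList anySatisfy: [:rule | rule value: ip]) not].
"Constructed inputs covering each class and the edges of the private ranges."
self assert: (classOf value: '10.1.2.3') = $A.
self assert: (classOf value: '172.16.5.5') = $B.
self assert: (classOf value: '192.168.0.1') = $C.
self assert: (isPrivate value: '172.31.255.254').
self assert: (isPrivate value: '172.32.0.1') not.
self assert: (allows value: '10.1.2.3') not.
self assert: (allows value: '203.0.113.7') not.
self assert: (allows value: '203.0.113.8').
self assert: (allows value: '224.0.0.1') not.
self assert: (allows value: '8.8.8.8').
```

The integer form is also what makes the package's stated limitation concrete: classful classes are a historical convention, and a CIDR netmask check on the same integer is a mask-and-compare, which ASIPAddressList deliberately does not provide. Note that 172.32.0.1 is public even though it starts with 172, a common mistake in hand-written filters.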


The repository is responsible for the persistence of secured objects. This covers queries as well as set modifications (insert/delete). It is currently based on the FUEL serialization package, but there are plans to make it adaptable to other serializers.
| myRepo |
myRepo := ASRepository new.
myRepo isValidPendingRegistrationId: '6pe62ek45lvxhd0xawvcueceo'. " => false "
myRepo defaultAdministrator " => ASUser "
Upcoming posts will cover the usage of the CheckPoint API, in my opinion the most interesting feature of the package. In the meantime, I would be glad to hear your impressions and comments.