ModSecurity Blog

Enough with Default Allow in Web Applications!

The title of this blog post is also the title of a research paper we are currently working on. Although the paper is still in draft form, we've decided to circulate it widely (download here) because we believe public exposure at this early stage will benefit it significantly. Also, as you will see from the paper, for the proposed concept to succeed it must have support from many diverse groups of users. What do we want to achieve? Let's look at the summary:

The default allow deployment model, which is commonly used to implement and deploy web applications, is the cause of numerous security problems. We propose a method of modelling web applications in a platform-agnostic way to adopt a default deny model instead, removing several classes of vulnerability altogether and significantly reducing the attack surface of many others. Our approach is best adopted during development, but can be nearly as efficient as an afterthought, or when used at deployment time.

Our main problem is with these three things:

  1. HTTP (in a wider sense, taken to mean all specifications needed to develop and deploy web applications) has grown to be quite complex. Although applications generally use a very small subset of it, they are still expected to support every single feature.
  2. Many applications are treated as simple collections of files (if it's on the filesystem, it's part of the application), and this is creating all sorts of issues.
  3. Applications do not specify their external interfaces. This is really a consequence of the above two problems: applications cannot specify external interfaces because those interfaces are all implicit.

The bottom line is that we have a chance to create a beautifully positioned protection layer (between web servers and applications), which would not only increase security overall, but turn applications into verifiable components with external contracts that can be enforced.

We propose using a platform-independent format to document what applications are willing to accept from the outside world, with the following use cases envisioned:

  1. Creation of full application models, which reduce application attack surface. Such models can be created by application developers (which is preferred) or by application users (which, we expect, could happen with very popular and/or open source applications).
  2. Creation of partial application models for use in virtual patching.
  3. Automated creation of application models through traffic analysis.

In addition to the paper itself, we are planning to release an open source profiling tool (which I will announce next week) to help with the third use case and automate the creation of positive security models (also known as the learning feature of web application firewalls).
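To make the three use cases concrete, here is an added example (not the paper's format, and not the profiling tool mentioned above) of what a default deny application model can look like in practice: a small hypothetical model format listing the paths, methods and parameters an application accepts, an enforcer that rejects any request the model does not explicitly allow (use cases 1 and 2), and a learner that derives such a model from observed traffic, the way a learning feature would (use case 3). The model format, the sample application endpoints and the sample traffic are all constructed for this illustration.

```python
"""Default deny application model: enforce it, and learn it from traffic.

Added illustration. The model format is hypothetical and is not the
platform-independent format proposed in the paper; the endpoints and the
traffic below are constructed sample data.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit


@dataclass
class ParamRule:
    pattern: str            # regex the whole decoded value must match
    max_len: int            # maximum accepted value length
    required: bool = False  # request is rejected when the parameter is absent


@dataclass
class Endpoint:
    methods: set            # HTTP methods the path accepts
    params: dict            # parameter name -> ParamRule


# Constructed full model for a hypothetical two-endpoint application.
MODEL = {
    "/login": Endpoint(methods={"POST"}, params={
        "username": ParamRule(r"[A-Za-z0-9_.-]+", 64, required=True),
        "password": ParamRule(r"[^\x00-\x1f]+", 128, required=True),
    }),
    "/article": Endpoint(methods={"GET"}, params={
        "id": ParamRule(r"[0-9]+", 10, required=True),
    }),
}


def check_request(model, method, url, body_params=None):
    """Return (allowed, reason). Anything the model does not list is denied."""
    parts = urlsplit(url)
    ep = model.get(parts.path)
    if ep is None:
        return False, f"path not in model: {parts.path}"
    if method not in ep.methods:
        return False, f"method {method} not allowed on {parts.path}"
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params.update(body_params or {})
    for name, value in params.items():
        rule = ep.params.get(name)
        if rule is None:
            return False, f"unknown parameter: {name}"
        if len(value) > rule.max_len:
            return False, f"parameter {name} too long"
        if not re.fullmatch(rule.pattern, value):
            return False, f"parameter {name} fails pattern"
    for name, rule in ep.params.items():
        if rule.required and name not in params:
            return False, f"missing required parameter: {name}"
    return True, "ok"


# Character classes tried from most to least specific when generalising values.
CLASSES = [r"[0-9]+", r"[A-Za-z0-9_.-]+", r"[^\x00-\x1f]+", r"[^\x00-\x1f]*"]


def _generalise(values):
    """Pick the tightest class that every observed value of a parameter fits."""
    for pat in CLASSES:
        if all(re.fullmatch(pat, v) for v in values):
            return pat
    return CLASSES[-1]


def learn_model(observations):
    """Derive a model from (method, url) pairs of observed traffic.

    A parameter becomes required when every observed request to its path
    carried it; its length bound gets some slack over the longest value seen.
    This toy only sees query strings; a real profiler would also see bodies.
    """
    model, hits, values, presence = {}, {}, {}, {}
    for i, (method, url) in enumerate(observations):
        parts = urlsplit(url)
        ep = model.setdefault(parts.path, Endpoint(methods=set(), params={}))
        ep.methods.add(method)
        hits[parts.path] = hits.get(parts.path, 0) + 1
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            values.setdefault((parts.path, name), []).append(value)
            presence.setdefault((parts.path, name), set()).add(i)
    for (path, name), vals in values.items():
        longest = max(len(v) for v in vals)
        model[path].params[name] = ParamRule(
            pattern=_generalise(vals),
            max_len=longest + max(4, longest // 4),
            required=len(presence[(path, name)]) == hits[path],
        )
    return model


# Constructed sample traffic for the learner.
TRAFFIC = [
    ("GET", "/article?id=1"),
    ("GET", "/article?id=23"),
    ("GET", "/article?id=456&lang=en"),
    ("POST", "/login"),
]

if __name__ == "__main__":
    print(check_request(MODEL, "GET", "/article?id=42"))
    print(check_request(MODEL, "GET", "/admin"))
    learned = learn_model(TRAFFIC)
    print(check_request(learned, "GET", "/article?id=abc"))
```

The enforcer never needs a list of bad inputs: an unknown path, an unexpected method, an unlisted parameter, or a value outside its declared shape is rejected simply because the model does not mention it. The learner shows why the profiling use case needs care: its model only allows what the observed traffic contained, so a parameter that never appeared during learning is denied afterwards, and the length and character-class slack decides how much the model generalises.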

Download Enough With Default Allow in Web Applications!

Update (4 Aug 2008): Changed links to point to the final version (reviewed, spell-checked and branded) of the paper. The follow-up post is here.


I agree, however the constraints that you will face are monumental given the aversion

Ivan:

So glad to see this finally coming public. I spent some time a few years ago hacking up modsec, mod_rewrite, and mod_proxy_html to do this, and wished I'd had time to spend working on doing it the right way. Glad to see someone has! Looking forward to mod_profiler's release.

A wise man once wrote... "A journey of a 1,000 miles begins with but one step". Ivan, I would like to applaud your team's efforts in taking things in the right direction. As Jack said though, it's going to be an uphill battle, but one I have been preaching for >2yrs... so it's not new :-)

At least now I have a credible industry "expert" to reference in my slides. w00t.

Great idea. I have often thought of securing various web apps like ShawnM did. It would be great to have an easy documented file format to do this.
