Sla.ckers.org
Whether this is about ha.ckers.org, sla.ckers.org or some other project you are interested in or want to talk about, throw it in here to get feedback. 
RBAC for JEE web applications
Posted by: euronymous
Date: November 30, 2007 05:57AM

Hi guys

As I know that I can find really good experts in this powerful forum, I want to ask you for a suggestion.

I'm starting my bachelor's thesis in Italy :), and of course I want to research something about security.

I was thinking of a way to apply RBAC access control mechanisms to JEE applications, in a different way: the Java 1.2 security model already uses something like RBAC in its AccessController/SecurityManager implementation, and I did research on it months ago, creating a tool that can determine, programmatically, the policies needed to let a Java program work under the security manager...

Good research, good results, but not enough for me...

As I'm more and more interested in web app security, I want to research something about it in my thesis...

I was thinking of a way to apply RBAC to input variable validation, but not by filtering <%>' and so on like always... in a different way, like saying "the variable ID is a numeric counter that MUST do this and not other things..."

I know that maybe my explanation is not so clear; that's because I don't have a clear idea about it yet... I'm reading a lot of whitepapers about RBAC, Java security...

Maybe YOU have some suggestions for me...

hoping for your replies

All the Best guys

+++eat, fuck, hack+++

Re: RBAC for JEE web applications
Posted by: rsnake
Date: December 09, 2007 09:24PM

If I'm understanding you, you are talking about type safety? As in, if I have a number I am only allowed to use it as a number? Or something like: when you take input from a website, don't look at global variables but use a type-safe constructor to pull in the data as whatever type of variable it needs to be, not whatever type of variable they put in.

So in Perl pseudo-code it would be the difference between

# EG: whatever.com/asdf.cgi?number=4
my $var = $ENV{QUERY_STRING};      # raw "number=4"
my @chunks = split(/=/, $var);     # ("number", "4")
my $num = $chunks[1];              # still a string, still unvalidated

and

my $num = $QSTRING{"number", int};  # pseudo-code: a typed accessor that returns an int or fails

Where in the first example you'd still have to ensure that it actually was a number and wasn't null-terminated, in case you eventually did something with that, etc...

Or am I misunderstanding you?

- RSnake
Gotta love it. http://ha.ckers.org
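The contrast rsnake sketches above in Perl, worked through as an added example (not code from the thread or from either poster): a small typed accessor over a query string next to the naive "take whatever follows the first '='" approach, and a set of constructed hostile inputs that the naive version passes along as "the number" while the typed version refuses. The class and method names (TypedQuery, getInt, naiveSecondChunk) are this example's own.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example, not code from the thread: a typed query-string accessor in
// the spirit of rsnake's $QSTRING{"number", int} pseudo-code, beside the
// naive split it replaces. Class and method names are this example's own.
public final class TypedQuery {
    private final Map<String, List<String>> params = new HashMap<>();

    public TypedQuery(String rawQuery) {
        if (rawQuery == null || rawQuery.isEmpty()) {
            return;
        }
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String val = eq < 0 ? "" : pair.substring(eq + 1);
            params.computeIfAbsent(decode(key), k -> new ArrayList<>()).add(decode(val));
        }
    }

    private static String decode(String s) {
        return URLDecoder.decode(s, StandardCharsets.UTF_8);
    }

    // The first snippet from the thread, transliterated: take whatever
    // follows the first '=' and hope it is a number.
    public static String naiveSecondChunk(String rawQuery) {
        String[] chunks = rawQuery.split("=");
        return chunks.length > 1 ? chunks[1] : null;
    }

    // The typed accessor: exactly one value, no embedded NUL, decimal digits
    // only, and inside the range the caller says makes sense for this field.
    public int getInt(String name, int min, int max) {
        List<String> vals = params.get(name);
        if (vals == null || vals.size() != 1) {
            throw new IllegalArgumentException(name + ": expected exactly one value");
        }
        String v = vals.get(0);
        if (v.indexOf('\0') >= 0 || !v.matches("-?[0-9]{1,18}")) {
            throw new IllegalArgumentException(name + ": not a decimal integer");
        }
        long n = Long.parseLong(v);
        if (n < min || n > max) {
            throw new IllegalArgumentException(name + ": out of range");
        }
        return (int) n;
    }

    public static void main(String[] args) {
        System.out.println(new TypedQuery("number=4").getInt("number", 0, 1000));

        // Constructed hostile inputs: the naive split hands each one onward as
        // "the number"; the typed accessor refuses all of them.
        String[] hostile = {
            "number=4%00drop",          // NUL byte smuggled after a valid prefix
            "number=4&number=9",        // parameter pollution
            "number=4'+OR+1=1--",       // SQL injection attempt
            "number=99999999999"        // too large for an int counter
        };
        for (String raw : hostile) {
            System.out.println("naive : " + naiveSecondChunk(raw));
            try {
                new TypedQuery(raw).getInt("number", 0, 1000);
            } catch (IllegalArgumentException e) {
                System.out.println("typed : rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The point of the range arguments is that "it is an int" is rarely enough for a counter-style ID; the caller knows the legitimate range and the accessor enforces it, so the downstream code never sees a value it was not written for. Rejecting with an exception rather than coercing (Integer.parseInt on "4\0drop" would also fail, but "4&number" or a second copy of the parameter would silently pick one value) keeps the failure visible instead of turning it into whatever the next layer happens to do with a surprise string.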

Re: RBAC for JEE web applications
Posted by: euronymous
Date: December 15, 2007 03:52PM

Hi Robert..

Yes, you are understanding me... that was my first idea...
I know it's not easy to implement, and maybe the benefits are not so clear the first time you read my post, but to my surprise it got your attention :)

Actually, as I wrote here http://sla.ckers.org/forum/read.php?3,18395 , I've directed the research for my thesis toward session management.
Maybe it could become an interesting study to apply RBAC to session management...

You see, my ideas are maybe a bit crazy, but who knows if in the end I will get something?
Usually ideas come to my mind by chance... so...

Anyway, do you think the idea of RBAC used to enforce something like type safety could be good?
I mean... JavaScript, which is usually the main problem for a lot of web applications, as you know doesn't have the type safety that - for instance - Java has... so it could be interesting to try to force JavaScript (maybe at deploy time, with the production of some XML-like rules) to be more "typed".

I have to think about it...

Let me know your thoughts, man

thanks so much

Michele

+++eat, fuck, hack+++

Re: RBAC for JEE web applications
Posted by: rsnake
Date: December 31, 2007 03:40PM

Type safety is a huge problem, so yes, anything that can fix that would shut down lots of holes like SQL injection, command injection, and XSS.

My oooooonly problem with stuff like this is that because it's not standard in the language (whichever language we are talking about) itself it'll never be widely adopted. For it to really solve some problems it would have to become native in the code that they know and use every day, and you'd have to warn them when they use unsafe declarations. All you can hope is that some of the major software vendors pick it up in future versions because otherwise it's more of an academic exercise than a real world solution.

- RSnake
Gotta love it. http://ha.ckers.org

Re: RBAC for JEE web applications
Posted by: euronymous
Date: January 04, 2008 02:30AM

Yep, you're right rsnake...
In fact I've switched my thesis theme to another one...

Session management from a hacker's perspective (ahah, and my prof too was surprised by the thesis name)... anyway, I'm researching a lot on session management, especially related to JEE application servers...

It was Achim Hoffmann, a contributor to WASC, who suggested the theme to me... I've been contacted by Microsoft Research too, man, but you can imagine, as a Linux/BSD (and for 10 days now a Leopard) user, how I feel when I just hear the word Microsoft. :)

Anyway... session management seems more and more interesting, especially because apart from using IP-session correlation and other tricks, there are not so many defense possibilities...

I've found the main admin web interface of my university (used to see your exams and other stuff) to be vulnerable to session fixation...

And I can also see that there is not so much material about session management (except the two RFCs about cookies, some whitepapers - the famous one about session fixation -, and some book chapters like in The Web Application Hacker's Handbook by Dafydd)... so it could be interesting to do research on it

Other thing: in a few days, to finish my bachelor's, I will start some research at CNR about Java WS security and reliability... I've almost never heard you speak about web services... do you think they are not so mature for the web yet? Or do you think it is convenient to use them just in some particular applications?

well...

When you're a bit free, let me know :)

thanks rsnake

+++eat, fuck, hack+++
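The session-fixation case mentioned in the post above, replayed as an added example (not code from the thread or from the poster's thesis): a toy in-memory session store that runs the same attack against two server behaviours, one that keeps the pre-login session ID and one that retires it and issues a fresh ID when the user authenticates. The class and method names (SessionStore, visit, login, runFixation) are this example's own, and the step where the attacker plants the ID in the victim's browser is left outside the model.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added example, not code from the thread: a toy session store that replays
// the session-fixation scenario against two server behaviours, keeping the
// pre-login ID (vulnerable) and rotating it at login (fixed). Class and
// method names are this example's own.
public final class SessionStore {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, String> sessions = new HashMap<>(); // id -> user, null while anonymous
    private final boolean rotateOnLogin;

    public SessionStore(boolean rotateOnLogin) {
        this.rotateOnLogin = rotateOnLogin;
    }

    private static String newId() {
        byte[] b = new byte[16]; // 128 bits from a CSPRNG: guessing is not the attacker's way in here
        RNG.nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }

    // Anonymous visit: the server issues an unauthenticated session. This is
    // the ID an attacker can obtain and plant in the victim's browser.
    public String visit() {
        String id = newId();
        sessions.put(id, null);
        return id;
    }

    // Login with whatever session ID the client presented.
    public String login(String presentedId, String user) {
        if (!sessions.containsKey(presentedId)) {
            throw new IllegalArgumentException("unknown session");
        }
        if (!rotateOnLogin) {
            sessions.put(presentedId, user); // vulnerable: the attacker-chosen ID is now authenticated
            return presentedId;
        }
        sessions.remove(presentedId);        // fixed: retire the pre-auth ID ...
        String fresh = newId();
        sessions.put(fresh, user);           // ... and bind the user only to a fresh one
        return fresh;
    }

    public String whoIs(String id) {
        return sessions.get(id);
    }

    // Replays the attack and returns the user the attacker's fixed ID resolves to
    // after the victim has logged in (null means the attacker got nothing).
    public static String runFixation(boolean rotateOnLogin) {
        SessionStore server = new SessionStore(rotateOnLogin);
        String fixed = server.visit();    // 1. attacker requests a page, receives a valid anonymous ID
        //                                   2. attacker plants `fixed` in the victim's browser
        //                                      (URL rewriting, cookie injection, ... outside this model)
        server.login(fixed, "alice");     // 3. victim authenticates while carrying `fixed`
        return server.whoIs(fixed);       // 4. attacker replays `fixed`
    }

    public static void main(String[] args) {
        System.out.println("keep pre-login ID : " + runFixation(false));
        System.out.println("rotate at login   : " + runFixation(true));
    }
}
```

With rotation off, the replay in step 4 resolves to alice: the server never asked whether the ID it is now trusting was chosen before or after it knew who the user was. With rotation on, the same replay resolves to null because the pre-auth ID was retired at login. In a servlet container the equivalent fix is to invalidate the existing HttpSession and create a new one at the moment credentials are accepted (Servlet 3.1 later added HttpServletRequest.changeSessionId() for exactly this), and it is independent of how strong the ID itself is, which is why a CSPRNG alone does not close the hole.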

Re: RBAC for JEE web applications
Posted by: rsnake
Date: January 04, 2008 11:05AM

I think Web services are here to stay. You're not getting away from them, regardless of safety, so we're going to have to learn how to make them secure. There are all kinds of secure web services projects out there though. OASIS is probably the biggest. Take a look at SAML and the like for more details. I don't work on that stuff much, because it's pretty new and people can't seem to get their act together to agree on the best standard, so I'm sort of waiting for that fallout before I start commenting - lest my advice be moot in the next revision.

Regarding session management - you should also look at SSL session IDs and browser certificates. Not that I'm in love with those, but they will help supplement your paper. I'm not sure what specific information I can give you until I see your paper, but it does sound interesting!

- RSnake
Gotta love it. http://ha.ckers.org

Re: RBAC for JEE web applications
Posted by: euronymous
Date: January 04, 2008 12:16PM

thanks so much Robert

and thanks to A******* too...

You're great guys, helping me to learn more and more... :)
I will keep you informed on my research and thesis....
I will be a bit busy with the last exams, but I will set aside some time to read sla.ckers, ha.ckers and the WASC mailing list :)


SSL session IDs seem interesting too... I will keep them in mind

thanks guys

Alla prossima (until next time, from Italy :))

+++eat, fuck, hack+++
