Compositional Evolution of Secure Services Using Aspects ANR Project

Compositional Evolution of Secure Services with Aspects (CESSA)
Compositional Evolution of Secure Services using Aspects, ANR project no. 09-SEGI-002-01

Demonstrator for ERP

Abstract. One of the CESSA Project's main goals is to provide mechanisms that clearly separate security functionality from other concerns in Service Oriented Architectures using the Aspect-Oriented Programming paradigm. In this document, we report on the application of the methodologies and techniques developed by CESSA to address diverse security problems in distributed enterprise service-oriented software. Among other contributions, we automate the mitigation of security vulnerabilities in web services, the enforcement of privacy policies, and provide security for collaborations using the REST web service de facto standard.

Deliverable No. I3.3
Task No. 3
Type Deliverable
Dissemination Public
Status Final
Version 1.0
Date 11 Jan. 2013
Authors Julien Massiera, Jean-Christophe Pazzaglia, Anderson Santana de Oliveira, Theodoor Scholte, Jakub Sendor, Gabriel Serme (SAP); Yves Roudier, Muhammad Sabir Idrees (Eurecom)

Contents

1 Introduction 5
2 Adaptive Security 7
2.1 Context and Motivation 7
2.2 Services 7
2.3 Security 8
2.4 Aspect-Oriented Programming 9
2.5 Architecture proposal 9
2.6 Application Example 11
2.7 Related work 14
2.8 Summary 15
3 Aspects for the Correction of Security Vulnerabilities in Web Services and Applications 16
3.1 Context and Motivation 16
3.2 An agile approach 17
3.3 Architecture 18
3.4 Static analysis 20
3.4.1 Static Analysis Process 20
3.4.2 Multiple vulnerability analysis 21
3.5 Assisted Remediation 23
3.5.1 Methodology 24
3.5.2 Constraints from Aspect-Oriented Programming 26
3.6 Related work 27
3.7 Summary 28
4 Automated Prevention of Input Validation Vulnerabilities in Web Applications 30
4.1 Introduction 30
4.2 Preventing input validation vulnerabilities 31
4.2.1 Output sanitization 31
4.2.2 Input validation 32
4.2.3 Discussion 32
4.3 Output Sanitization and Input Validation 33
4.4 IPAAS 34
4.4.1 Parameter Extraction 35
4.4.2 Parameter Analysis 35
4.4.3 Runtime Enforcement 36
4.4.4 Prototype Implementation 37
4.4.5 Discussion 38
4.5 Evaluation 38
4.5.1 Vulnerabilities 39
4.5.2 Automated Parameter Analysis 39
4.5.3 Static Analyzer 41
4.5.4 Impact 43
4.6 Related Work 44
4.6.1 Input validation 44
4.6.2 Attack detection and prevention 45
4.6.3 Vulnerability analysis 46
4.7 Summary 46
5 Enabling Message Security for RESTful Services 47
5.1 Context 47
5.2 REST Security Protocol 48
5.2.1 Message Security Model 48
5.2.2 PKI-based message exchange 48
5.2.3 The REST Security principle 48
5.2.4 Message Signature 50
5.2.5 Message Encryption 51
5.2.6 Signature and Encryption 53
5.2.7 Multiparts 54
5.3 Comparison to WS-Security 55
5.3.1 Environment & Methodology 55
5.3.2 Size comparison 56
5.3.3 Processing performance comparison 59
5.4 Related Work 60
5.5 Summary 61
6 Automating Privacy Enforcement in Cloud Platforms 62
6.1 Context and Motivation 62
6.2 Privacy-Aware Applications in the Cloud 64
6.2.1 Use case 64
6.2.2 Background: Privacy Policy Language 65
6.3 Privacy Enhanced Application Programming 67
6.3.1 Programming Model 67
6.3.2 Implementation 68
6.4 Related Works 71
6.5 Summary 72
7 Concluding Remarks 74
7.1 Acknowledgments 74
Bibliography 75

Chapter 1 Introduction

One of the CESSA Project's main goals is to provide mechanisms that clearly separate security functionality from other concerns in Service Oriented Architectures using the Aspect-Oriented Programming paradigm. In this document, we report on several applications of the methodologies and techniques developed by CESSA to address diverse security problems around service oriented architectures.
Although ERP (Enterprise Resource Planning) remains the foundation of SAP's reputation and one of the company's major product lines, we focused on developing proofs of concept on the software platform the company provides today. SAP NetWeaver Cloud (1) allows developers to build web applications and services in a dedicated, Eclipse-based development environment. The resulting service-oriented artifacts can be deployed on the SAP cloud infrastructure, which characterizes the solution as a Platform as a Service. We have chosen to keep the title of the deliverable as suggested in the description of work, for ease of reference and for coherence with that document. This deliverable therefore brings several contributions around securing SOAs with Aspect-Oriented techniques, either vertically or horizontally, mainly reporting the work carried out in Tasks 3.2 "Security-related aspects and aspect interfaces for use cases" and 3.3 "Design and development of a proof of concept implementation for enterprise information systems". We summarize these contributions and outline the remainder of the deliverable as follows:

• Chapter 2 proposes a framework for adapting security mechanisms when services are involved, using Aspect-Oriented Programming (AOP) concepts that can be applied to SCM applications. The novelty is the expression of security policy at a global level and its enforcement at a local level, through a specific, distributed aspect model whose richer semantics capture events relevant to business usage and dedicated to security concerns. This work has been published at WSSCM 2011 [99].

• Chapter 3 introduces an integrated Eclipse plug-in that assists developers in detecting and mitigating security vulnerabilities with Aspect-Oriented Programming early in the development life-cycle. The work combines static analysis with protection code generation during the development phase. We leverage the developer's interaction with the integrated tool to obtain more knowledge about the system, and to report back a better overview of the different security aspects already applied. This work appeared at SECURWARE 2012 [97], where it received the best paper award (2).

• Chapter 4 brings a novel technique for preventing the exploitation of XSS and SQL injection vulnerabilities based on automated data type detection of input parameters. IPAAS automatically and transparently augments otherwise insecure web application development environments with input validators that yield significant and tangible security improvements for real systems. Specifically, IPAAS automatically (i) extracts the parameters of a web application; (ii) learns a type for each parameter by combining machine learning over training data with a simple static analysis of the application; and (iii) applies robust validators for each parameter to the web application with respect to the inferred types. These validators, which can be seen as message interceptors, act around web services and applications, making input validation an aspectualized concern. This work appeared at COMPSAC 2012 [94].

• Chapter 5 presents the REST security protocol, which provides secure service communication for RESTful web services, as mainstream service providers are now shifting to REST-based services to the detriment of SOAP-based ones. REST proposes a lightweight approach to consuming resources with no specific encapsulation, and therefore lacks meta-data descriptions of security requirements. Currently, the security of RESTful services relies either on ad-hoc security mechanisms (whose implementation is error-prone) or on transport layer security (which offers little flexibility). The chapter also provides a performance analysis against an equivalent WS-Security configuration. This work was published in the research track of ICWS 2012 [98].

• Chapter 6 experiments with vertical composition for the enforcement of privacy policies in SOA. Enforcing privacy policies is facilitated in a Platform as a Service: cloud service developers use simple "aspect" annotations in the code to indicate where personally identifiable information is handled, prior to deploying the application in the cloud. The evaluation of user-defined preferences is performed by trusted components generated by the platform, relieving developers from creating ad hoc mechanisms for privacy enforcement. This work was published in the proceedings of the Data Privacy Management Workshop [114].

• Chapter 7 concludes the deliverable.

Footnotes:
(1) http://scn.sap.com/community/developer-center/cloud-platform
(2) http://www.iaria.org/conferences2012/AwardsSECURWARE12.html

Chapter 2 Adaptive Security

2.1 Context and Motivation

An SCM (Supply Chain Management) application can be viewed as a long chain of processes along which goods have to pass through mandatory gates. It involves various devices, from embedded systems such as sensors to large-scale servers in backend systems. Sensors are dedicated to data collection and signal triggering: they try to capture real-world status and measure it. Backend systems allow for data processing but need to adapt to all devices communicating with them, as each can have a different communication protocol and data format. The heterogeneity of platforms and software used in devices makes it difficult to manage even simple security rules, especially across a supply chain. To deal with the multiple possibilities without interfering with the business part of the software, one might want to describe security behavior for one system that adapts to the security capabilities of the systems communicating with it. To do so, we propose an architecture that allows correct modularization of security concerns, so as to intervene quickly in applications and make them adapt to the conditions they can face. The application uses the SOA architectural style to provide a loosely-coupled platform where entities can integrate with each other. In the following sections, we start by explaining the different concepts used in our proposed architecture, namely Web Services and SOA concepts, the security properties we aim to express in an adaptive manner, and the Aspect-Oriented Programming (AOP) paradigm.
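The three IPAAS steps summarized under Chapter 4 in the Introduction (extract the parameters, learn a type per parameter from training data, enforce a validator for each parameter as an interceptor around the handler) can be made concrete with a small model. The following Python is an added example written for this page; it is not code from the CESSA project or the IPAAS prototype. The training query strings are constructed, the type lattice (int, bool, email, token, text) is a simplification of the learned types, the "/order" handler is hypothetical, and a decorator stands in for the aspect that advises the handler; the static-analysis half of step (ii) is left out.

```python
"""Model of the IPAAS pipeline: infer parameter types from training requests,
then validate every request parameter before the business handler runs.
Added example, not CESSA/IPAAS code."""
import re
from functools import wraps
from urllib.parse import parse_qsl

# Constructed training data: query strings the hypothetical "/order" handler
# received during a training phase (not taken from the paper).
TRAINING_REQUESTS = [
    "id=42&qty=3&email=alice%40example.com&status=open&note=please+ship+fast",
    "id=7&qty=1&email=bob%40example.org&status=closed&note=leave+at+door%2C+thanks",
    "id=1003&qty=12&email=carol.s%40example.net&status=open&note=gift+%28no+receipt%29",
]

# Simplified type lattice, narrowest first. "text" accepts anything and is
# left to output sanitization, the other half of the paper's approach.
_INT = re.compile(r"^-?\d+$")
_BOOLS = {"true", "false", "0", "1"}
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_TOKEN = re.compile(r"^[A-Za-z0-9_-]+$")
TYPE_ORDER = ("int", "bool", "email", "token", "text")


def validate(ptype, value):
    """Return True if the decoded string `value` is a member of type `ptype`."""
    if ptype == "int":
        return bool(_INT.match(value))
    if ptype == "bool":
        return value.lower() in _BOOLS
    if ptype == "email":
        return bool(_EMAIL.match(value))
    if ptype == "token":
        return bool(_TOKEN.match(value))
    return True  # "text": no syntactic restriction


def infer_types(requests):
    """Steps (i) and (ii): collect every parameter name seen in the training
    requests and assign it the narrowest type that all of its values satisfy."""
    samples = {}
    for query_string in requests:
        for name, value in parse_qsl(query_string, keep_blank_values=True):
            samples.setdefault(name, []).append(value)
    return {
        name: next(t for t in TYPE_ORDER if all(validate(t, v) for v in values))
        for name, values in samples.items()
    }


class ValidationError(ValueError):
    """Raised by the interceptor before the business handler is reached."""


def validated(types):
    """Step (iii): an interceptor 'around' the handler. In the paper's framing
    this is the aspect; here a decorator plays that role."""
    def advise(handler):
        @wraps(handler)
        def wrapper(query_string):
            # Last value wins for a repeated name; a stricter policy could reject it.
            params = dict(parse_qsl(query_string, keep_blank_values=True))
            for name, value in params.items():
                ptype = types.get(name, "text")  # parameter never seen in training
                if not validate(ptype, value):
                    raise ValidationError(f"{name}={value!r} is not a valid {ptype}")
            return handler(params)
        return wrapper
    return advise


TYPES = infer_types(TRAINING_REQUESTS)


@validated(TYPES)
def order_handler(params):
    """Business code: every parameter has already passed its validator, so a
    payload such as '9 OR 1=1' in `id` never reaches this point."""
    return {"id": int(params["id"]), "qty": int(params["qty"]), "email": params["email"]}


def handle(query_string):
    """Front controller returning (status, body); rejected requests become 400."""
    try:
        return 200, order_handler(query_string)
    except ValidationError as exc:
        return 400, str(exc)
    except KeyError as exc:
        return 400, f"missing parameter {exc}"


if __name__ == "__main__":
    print(TYPES)
    print(handle("id=9&qty=2&email=dave%40example.com&status=open&note=hi"))
    print(handle("id=9%20OR%201%3D1&qty=2&email=dave%40example.com&status=open"))
```

The point the model makes is the one the chapter summary makes: validation is positive (a value must belong to the learned type), it is applied uniformly by the interceptor rather than by each handler, and it is added without touching the business code. The free-text parameter (`note`) is deliberately not restricted, which is why the paper pairs input validation with output sanitization rather than relying on either alone.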
