W3C home > Mailing lists > Public > public-ws-addressing@w3.org > November 2004

RE: Composibility problems with refps

From: David Orchard <dorchard@bea.com>
Date: Wed, 24 Nov 2004 09:03:42 -0800
Message-ID: <32D5845A745BFB429CBDBADA57CD41AF0BF3C808@ussjex01.amer.bea.com>
To: "Francisco Curbera" <curbera@us.ibm.com>
Cc: "Christopher B Ferris" <chrisfer@us.ibm.com>, <public-ws-addressing@w3.org>

I never said the hacker figures out how to sign arbitrary documents or
even manipulates the SOAP body.  Geez, stay with me here.  I said the
hacker figured out how to put in a refP into an EPR and then the rest of
the unhacked infrastructure takes care of signing, transmission, etc.

Dave

> -----Original Message-----
> From: public-ws-addressing-request@w3.org
[mailto:public-ws-addressing-
> request@w3.org] On Behalf Of Francisco Curbera
> Sent: Wednesday, November 24, 2004 6:30 AM
> To: David Orchard
> Cc: Christopher B Ferris; public-ws-addressing@w3.org
> Subject: RE: Composibility problems with refps
> 
> 
> Dave,
> 
> I may be wrong about this, since I am no expert in security, but if
the
> hacker figures out how sign arbitrary documents on your behalf then I
will
> guess that SOAP header extensibility will not be at the top of your
list
> of
> problems - certainly not the only one. Hackers will not need to worry
> about
> the SOAP header extensibility model to steal all you money (and maybe
also
> mine); there are already plenty of ways to do this by manipulating the
> good
> old SOAP body. That's what I was trying to say.
> 
> As for IBM's security concerns, so far our experts tell us ref. props
as
> SOAP headers are ok as long as we consistently sign everything, which
you
> need to do in any case.
> 
> Paco
> 
> 
> 
> 
>                       "David Orchard"
>                       <dorchard@bea.com        To:       Francisco
> Curbera/Watson/IBM@IBMUS
>                       >                        cc:       Christopher B
> Ferris/Waltham/IBM@IBMUS, <public-ws-addressing@w3.org>
>                                                Subject:  RE:
Composibility
> problems with refps
>                       11/23/2004 01:27
>                       PM
> 
> 
> 
> 
> 
> Sure, everything can be hacked.  And the sky could fall and we could
all
> die.  So what?  By saying "well hacks happen and then the system is
> totally broken" prevents us from talking about security problems of
> systems.  And that can prevent us from thinking about security and
> making appropriate trade-offs of security vs other properties.
> 
> Extending your analogy, nobody should switch to safer architectures
> (like Java over C++ for the common string hack and stack overflows) or
> operating systems(cough) or strongly typed languages because well,
> that's just too bad if systems get hacked or mistakes are made.
> 
> Signing EPRs doesn't prevent this security problem.  I didn't point
out
> a widespread security failure in the software, I pointed out one
> particular vulnerability that is fairly easily prevented.  In the
> pipeline model that lots of vendors offer, it's pretty simple to
insert
> a ref property well before the signing/encrypting code is applied.
Most
> of the stuff I've seen out of vendors seems to indicate that security
> happens at the touch points to the network - the last node on outbound
> and first node on inbound messages.
> 
> The point about SOAP is that SOAP offers a distributed extensibility
> model with arbitrary ramifications, and the ws-a echoing processing
> model could maliciously take advantage of that open ended
extensibility
> model.  This vulnerability can be prevented in a fairly simple way.
> 
> I'll say again, there is a software vulnerability that is created by
the
> combination of the ws-a processing model and the soap extensibility
> model that can easily be prevented in ws-a.
> 
> I'm surprised that I've now heard two IBMer's now adopt the "no
problem,
> nothing to see, move along" approach to this potential security issue.
> 
> Cheers,
> Dave
> 
> > -----Original Message-----
> > From: Francisco Curbera [mailto:curbera@us.ibm.com]
> > Sent: Tuesday, November 23, 2004 6:13 AM
> > To: David Orchard
> > Cc: Christopher B Ferris; public-ws-addressing@w3.org; public-ws-
> > addressing-request@w3.org
> > Subject: RE: Composibility problems with refps
> >
> > The fact is that everything can be hacked if it is not properly
> protected.
> > This includes SOAP headers but also SOAP bodies. The same model of a
> > server
> > sending opaque data to a client with the explicit understanding that
> the
> > client must include it in messages sent to the server is absolutely
> > pervasive. This for example the case of an order number or a
customer
> id
> > that a merchant sends back to his customer - it could also be a
> complex
> > piece of XML. A hacker with access to the merchant's systems could
> very
> > well figure out how to manipulate that information so that all
> payments
> > are
> > credited to his account for example. Since we assume he even
> understands
> > how to sign EPRs on behalf of anyone, he may just as well understand
> how
> > the internal processing at the merchant site works; the sky is the
> limit
> > then. He may include signed XML in which any conceivable promise is
> made
> > by
> > the merchant to the customer, or vice versa if he hacks the
customer's
> > site. Everything is possible; I just don't see what is so special
> about
> > SOAP headers - maybe that us just me.
> >
> > Having the ability to sign EPRs as well as individual ref. property
> > headers
> > should be more than enough to reasonably put this concern to rest.
> >
> > Paco
> >
> >
> >
> >
> >
> >                       "David Orchard"
> >                       <dorchard@bea.com>              To:
> > Christopher B Ferris/Waltham/IBM@IBMUS
> >                       Sent by:                        cc:
> <public-
> > ws-addressing@w3.org>
> >                       public-ws-addressing-req        Subject:  RE:
> > Composibility problems with refps
> >                       uest@w3.org
> >
> >
> >                       11/22/2004 06:15 PM
> >
> >
> >
> >
> >
> >
> > I'm not worried about ref props/params interfering with WS-* use of
> > headers by a bad interface design.  The owner of the interface
> controls
> > both the use of WS-* specs and the use of RefPs.  They will quickly
> sort
> > out any interface conflicts.  And my guess is that Rule #1 of RefP
> usage
> > will be: Thou shalt not use WS-* QNames in RefPs.
> >
> > I'm more sensitive to the issue 8 concern about ref props/params
being
> > duplicates of user headers, particularly a security hole that allows
a
> > hacker to put a bad RefP into the EPR, ie
> > <SendAssetsToGrandCayman amount="all" fromacct="chris"
> toacct="hacker"/>
> >
> > This security problem isn't covered by signing the EPR but is
covered
> by
> > a wrapper of some kind.
> >
> > Dave
> >
> > > -----Original Message-----
> > > From: public-ws-addressing-request@w3.org
> > [mailto:public-ws-addressing-
> > > request@w3.org] On Behalf Of Christopher B Ferris
> > > Sent: Monday, November 22, 2004 1:10 PM
> > > To: Anish Karmarkar
> > > Cc: Jonathan Marsh; public-ws-addressing@w3.org;
> public-ws-addressing-
> > > request@w3.org; tom@coastin.com
> > > Subject: Re: Composibility problems with refps
> > >
> > >
> > > Anish/Tom,
> > >
> > > But then this means that the refps that under the current design
> > become
> > > SOAP headers, and subject to
> > > the SOAP processing model, would no longer be subject to the SOAP
> > > processing model. I think that this
> > > would be a collossal mistake.
> > >
> > > Frankly, I think that the idea of reference properties/params
> > interfering
> > > with other WS-* use of headers
> > > is a red herring. Of course, it is always possible to do something
> > that
> > > would break any protocol. At most, I could
> > > see adding a note in the spec that recommended caution when
> including
> > any
> > > protocol elements
> > > as reference property/parameters as their subsequent inclusion as
> SOAP
> > > header blocks in messages
> > > addressed to the endpoint *might*, I repeat, *might* conflict with
> > > constraints as to cardinality of such
> > > header blocks in a message, etc.
> > >
> > > I would strongly discourage any thoughts of a wrapper element for
> > > reference property/parameters.
> > >
> > > Cheers,
> > >
> > > Christopher Ferris
> > > STSM, Emerging e-business Industry Architecture
> > > email: chrisfer@us.ibm.com
> > > blog: http://webpages.charter.net/chrisfer/blog.html
> > > phone: +1 508 377 9295
> > >
> > >
> > >
> > > Anish Karmarkar <Anish.Karmarkar@oracle.com>
> > > Sent by: public-ws-addressing-request@w3.org
> > > 11/22/2004 02:03 PM
> > >
> > > To
> > > tom@coastin.com
> > > cc
> > > Jonathan Marsh <jmarsh@microsoft.com>, public-ws-addressing@w3.org
> > > Subject
> > > Re: Composibility problems with refps
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > I agree that would indeed solve the problem -- either refp
specific
> > > header(s) or the use of [to] property.
> > >
> > > -Anish
> > > --
> > >
> > > Tom Rutt wrote:
> > >
> > > >
> > > > As Glen has suggested before, encapsulating the ref parms and
ref
> > props
> > > > in a ws-addressing specific header element would allow arbitrary
> > > > qnames for the ref props and ref parms, without confusion.
> > > >
> > > > Tom Rutt
> > > >
> > > > Anish Karmarkar wrote:
> > > >
> > > >>
> > > >> Yes.
> > > >> Or in the context of SOAP, composability with any specification
> > that
> > > >> uses SOAP header(s) as a mechanism to convey information.
> > > >>
> > > >> -Anish
> > > >> --
> > > >>
> > > >> Jonathan Marsh wrote:
> > > >>
> > > >>> Specifically, you're worried about the case where the
reference
> > > >>> properties and reference parameters are in a namespace used by
> the
> > > >>> reliability, security, etc. mechanisms, right?
> > > >>>
> > > >>>
> > > >>>> -----Original Message-----
> > > >>>> From: public-ws-addressing-request@w3.org [mailto:public-ws-
> > > >>>> addressing-request@w3.org] On Behalf Of Anish Karmarkar
> > > >>>> Sent: Monday, November 15, 2004 11:10 AM
> > > >>>> To: public-ws-addressing@w3.org
> > > >>>> Subject: Composibility problems with refps
> > > >>>>
> > > >>>>
> > > >>>> All,
> > > >>>>
> > > >>>> During last week's concall discussion of issue i008 I took an
> > action
> > > >>>> to
> > > >>>> explain the composibility problem with refps in an email.
This
> > email
> > > >>>> fulfills that action.
> > > >>>>
> > > >>>> WS-Addressing [1] Submission includes [reference properties]
> and
> > > >>>> [reference parameters] in the info models for EPR. These
refps
> > are
> > > >>>> opaque to the consumer. In the SOAP binding of EPR, the refps
> are
> > > >>>> bound
> > > >>>> as individual SOAP header blocks. I.e., a consumer of a EPR
> using
> > > SOAP
> > > >>>> is required to copy the refps as individual SOAP header
blocks
> > > without
> > > >>>> understanding what the blocks mean or do.
> > > >>>>
> > > >>>> Typically SOAP header blocks are part of a SOAP module and
> > express
> > > >>>> certain functionality. For example, WSS, WS-Reliability,
> > > >>>> WS-ReliableMessaging, WS-C, WS-T WS-Context etc, specify
header
> > > blocks
> > > >>>> that have a particular meaning that is conveyed from the
sender
> > to
> > > the
> > > >>>> receiver. Specifications in the realm of Web services are
> > designed to
> > > >>>> be
> > > >>>> composible with other specs. For example, WS-Context can be
> > composed
> > > >>>> with WS-Reliability and WSS.
> > > >>>>
> > > >>>> A consuming application that dereferences an EPR that
contains
> > refps
> > > >>>> may
> > > >>>> have some policies in place wrt to reliability, security,
> > > >>>> coordination,
> > > >>>> transaction, privacy etc. Given that refps may contains any
XML
> > and
> > > >>>> these refps are bound as SOAP header blocks, refps can
> > potentially
> > > >>>> interfere with composibility of WS-Addressing with other WS-*
> > specs
> > > >>>> that
> > > >>>> the consumer may be using. The opacity of the refps prevents
> the
> > > >>>> consumer from making any inferences about the refps in an
EPR.
> > > >>>>
> > > >>>> This issue is slightly different from the security of EPRs --
> > which
> > > >>>> *may* potentially be resolved by requiring the minter of the
> EPR
> > to
> > > >>>> sign
> > > >>>> the EPR.
> > > >>>>
> > > >>>> HTH to clarify the issue.
> > > >>>>
> > > >>>> -Anish
> > > >>>> --
> > > >>>>
> > > >>>>
> > > >>>>
> > > >>>> [1]
> > http://www.w3.org/Submission/2004/SUBM-ws-addressing-20040810/
> > > >>>>
> > > >>>
> > > >>>
> > > >>>
> > > >>
> > > >
> > >
> > >
> > >
> >
> >
> >
> 
> 
> 
Received on Wednesday, 24 November 2004 17:03:56 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:34:59 GMT