W3C home > Mailing lists > Public > public-ws-addressing@w3.org > November 2004

RE: Composibility problems with refps

From: Martin Gudgin <mgudgin@microsoft.com>
Date: Wed, 24 Nov 2004 11:57:46 -0800
Message-ID: <DD35CC66F54D8248B6E04232892B6338040F7ABE@RED-MSG-43.redmond.corp.microsoft.com>
To: "David Orchard" <dorchard@bea.com>, "Francisco Curbera" <curbera@us.ibm.com>
Cc: "Christopher B Ferris" <chrisfer@us.ibm.com>, <public-ws-addressing@w3.org>

 

> -----Original Message-----
> From: David Orchard [mailto:dorchard@bea.com] 
> Sent: 24 November 2004 18:41
> To: Martin Gudgin; Francisco Curbera
> Cc: Christopher B Ferris; public-ws-addressing@w3.org
> Subject: RE: Composibility problems with refps
> 
> I think it's just a) because b) is done by default in most 
> cases, where
> the security stuff just signs whatever it's given and it's at 
> the end of
> the pipeline - like Rich showed.

But your still talking about comprimising the pipeline itself. It's not
an attack someone could mount on the wire.

>   Very few systems that I've heard of
> have the software that generates message content (particularly EPRs)
> secure it right away - which would prevent the hole that I'm talking
> about.

I'm not sure what you mean by 'right away'. Do you mean before it first
appears on the wire? Or while it's in the processing pipeline?

> 
> And it's not inserting into arbitrary parts of the message, 
> it's just in
> an EPR.  
> 
> So, the hacker would have to be able to:
> a) inject arbitrary XML into EPR(s) in a message.

I'm confused. Are we talking about securing the wsa:EndpointReference
element? Or the headers which are inserted into a message? Or both?

> 
> And this problem is prevented in WS-A by requiring that REFps are not
> echoed directly and unmodified as soap header blocks.

I'm not sure how this helps plug the security hole.

> 
> It seems hard to quantify the risk of this.  One approach is 
> to say "oh
> well, so sad".  Another approach is to do some work in a spec 
> to prevent
> the problem.  

I'm still not quite seeing exactly what that problem is.

:-(

Gudge

> 
> Cheers,
> Dave
> 
> > -----Original Message-----
> > From: Martin Gudgin [mailto:mgudgin@microsoft.com]
> > Sent: Wednesday, November 24, 2004 9:20 AM
> > To: David Orchard; Francisco Curbera
> > Cc: Christopher B Ferris; public-ws-addressing@w3.org
> > Subject: RE: Composibility problems with refps
> > 
> > But in order to do that, the hacker would have to have 
> enough control
> > over the system to
> > 
> > a) inject arbitrary XML into (parts of) the message.
> > b) get the security infrastructure to sign stuff from a)
> > 
> > If a system is compromised enough to allow a) and b) then I 
> think it's
> > toast.
> > 
> > Gudge
> > 
> > > -----Original Message-----
> > > From: public-ws-addressing-request@w3.org
> > > [mailto:public-ws-addressing-request@w3.org] On Behalf Of
> > > David Orchard
> > > Sent: 24 November 2004 17:04
> > > To: Francisco Curbera
> > > Cc: Christopher B Ferris; public-ws-addressing@w3.org
> > > Subject: RE: Composibility problems with refps
> > >
> > >
> > > I never said the hacker figures out how to sign arbitrary 
> documents
> or
> > > even manipulates the SOAP body.  Geez, stay with me here.  I said
> the
> > > hacker figured out how to put in a refP into an EPR and then
> > > the rest of
> > > the unhacked infrastructure takes care of signing, transmission,
> etc.
> > >
> > > Dave
> > >
> > > > -----Original Message-----
> > > > From: public-ws-addressing-request@w3.org
> > > [mailto:public-ws-addressing-
> > > > request@w3.org] On Behalf Of Francisco Curbera
> > > > Sent: Wednesday, November 24, 2004 6:30 AM
> > > > To: David Orchard
> > > > Cc: Christopher B Ferris; public-ws-addressing@w3.org
> > > > Subject: RE: Composibility problems with refps
> > > >
> > > >
> > > > Dave,
> > > >
> > > > I may be wrong about this, since I am no expert in security, but
> if
> > > the
> > > > hacker figures out how sign arbitrary documents on your
> > > behalf then I
> > > will
> > > > guess that SOAP header extensibility will not be at the top of
> your
> > > list
> > > > of
> > > > problems - certainly not the only one. Hackers will not
> > > need to worry
> > > > about
> > > > the SOAP header extensibility model to steal all you money
> > > (and maybe
> > > also
> > > > mine); there are already plenty of ways to do this by
> > > manipulating the
> > > > good
> > > > old SOAP body. That's what I was trying to say.
> > > >
> > > > As for IBM's security concerns, so far our experts tell us
> > > ref. props
> > > as
> > > > SOAP headers are ok as long as we consistently sign
> > > everything, which
> > > you
> > > > need to do in any case.
> > > >
> > > > Paco
> > > >
> > > >
> > > >
> > > >
> > > >                       "David Orchard"
> > > >                       <dorchard@bea.com        To:      
>  Francisco
> > > > Curbera/Watson/IBM@IBMUS
> > > >                       >                        cc:
> > > Christopher B
> > > > Ferris/Waltham/IBM@IBMUS, <public-ws-addressing@w3.org>
> > > >                                                Subject:  RE:
> > > Composibility
> > > > problems with refps
> > > >                       11/23/2004 01:27
> > > >                       PM
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > Sure, everything can be hacked.  And the sky could fall and we
> could
> > > all
> > > > die.  So what?  By saying "well hacks happen and then the system
> is
> > > > totally broken" prevents us from talking about security problems
> of
> > > > systems.  And that can prevent us from thinking about 
> security and
> > > > making appropriate trade-offs of security vs other properties.
> > > >
> > > > Extending your analogy, nobody should switch to safer
> architectures
> > > > (like Java over C++ for the common string hack and stack
> > > overflows) or
> > > > operating systems(cough) or strongly typed languages 
> because well,
> > > > that's just too bad if systems get hacked or mistakes are made.
> > > >
> > > > Signing EPRs doesn't prevent this security problem.  I didn't
> point
> > > out
> > > > a widespread security failure in the software, I pointed out one
> > > > particular vulnerability that is fairly easily 
> prevented.  In the
> > > > pipeline model that lots of vendors offer, it's pretty simple to
> > > insert
> > > > a ref property well before the signing/encrypting code 
> is applied.
> > > Most
> > > > of the stuff I've seen out of vendors seems to indicate
> > > that security
> > > > happens at the touch points to the network - the last node
> > > on outbound
> > > > and first node on inbound messages.
> > > >
> > > > The point about SOAP is that SOAP offers a distributed
> extensibility
> > > > model with arbitrary ramifications, and the ws-a echoing
> processing
> > > > model could maliciously take advantage of that open ended
> > > extensibility
> > > > model.  This vulnerability can be prevented in a fairly simple
> way.
> > > >
> > > > I'll say again, there is a software vulnerability that 
> is created
> by
> > > the
> > > > combination of the ws-a processing model and the soap
> extensibility
> > > > model that can easily be prevented in ws-a.
> > > >
> > > > I'm surprised that I've now heard two IBMer's now adopt the "no
> > > problem,
> > > > nothing to see, move along" approach to this potential
> > > security issue.
> > > >
> > > > Cheers,
> > > > Dave
> > > >
> > > > > -----Original Message-----
> > > > > From: Francisco Curbera [mailto:curbera@us.ibm.com]
> > > > > Sent: Tuesday, November 23, 2004 6:13 AM
> > > > > To: David Orchard
> > > > > Cc: Christopher B Ferris; public-ws-addressing@w3.org;
> public-ws-
> > > > > addressing-request@w3.org
> > > > > Subject: RE: Composibility problems with refps
> > > > >
> > > > > The fact is that everything can be hacked if it is 
> not properly
> > > > protected.
> > > > > This includes SOAP headers but also SOAP bodies. The same
> > > model of a
> > > > > server
> > > > > sending opaque data to a client with the explicit
> > > understanding that
> > > > the
> > > > > client must include it in messages sent to the server is
> > > absolutely
> > > > > pervasive. This for example the case of an order number or a
> > > customer
> > > > id
> > > > > that a merchant sends back to his customer - it could 
> also be a
> > > > complex
> > > > > piece of XML. A hacker with access to the merchant's systems
> could
> > > > very
> > > > > well figure out how to manipulate that information so that all
> > > > payments
> > > > > are
> > > > > credited to his account for example. Since we assume he even
> > > > understands
> > > > > how to sign EPRs on behalf of anyone, he may just as well
> > > understand
> > > > how
> > > > > the internal processing at the merchant site works; the sky is
> the
> > > > limit
> > > > > then. He may include signed XML in which any conceivable
> > > promise is
> > > > made
> > > > > by
> > > > > the merchant to the customer, or vice versa if he hacks the
> > > customer's
> > > > > site. Everything is possible; I just don't see what is so
> special
> > > > about
> > > > > SOAP headers - maybe that us just me.
> > > > >
> > > > > Having the ability to sign EPRs as well as individual
> > > ref. property
> > > > > headers
> > > > > should be more than enough to reasonably put this concern to
> rest.
> > > > >
> > > > > Paco
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >                       "David Orchard"
> > > > >                       <dorchard@bea.com>              To:
> > > > > Christopher B Ferris/Waltham/IBM@IBMUS
> > > > >                       Sent by:                        cc:
> > > > <public-
> > > > > ws-addressing@w3.org>
> > > > >                       public-ws-addressing-req
> > > Subject:  RE:
> > > > > Composibility problems with refps
> > > > >                       uest@w3.org
> > > > >
> > > > >
> > > > >                       11/22/2004 06:15 PM
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > I'm not worried about ref props/params interfering with
> > > WS-* use of
> > > > > headers by a bad interface design.  The owner of the interface
> > > > controls
> > > > > both the use of WS-* specs and the use of RefPs.  They
> > > will quickly
> > > > sort
> > > > > out any interface conflicts.  And my guess is that Rule #1 of
> RefP
> > > > usage
> > > > > will be: Thou shalt not use WS-* QNames in RefPs.
> > > > >
> > > > > I'm more sensitive to the issue 8 concern about ref 
> props/params
> > > being
> > > > > duplicates of user headers, particularly a security hole
> > > that allows
> > > a
> > > > > hacker to put a bad RefP into the EPR, ie
> > > > > <SendAssetsToGrandCayman amount="all" fromacct="chris"
> > > > toacct="hacker"/>
> > > > >
> > > > > This security problem isn't covered by signing the EPR but is
> > > covered
> > > > by
> > > > > a wrapper of some kind.
> > > > >
> > > > > Dave
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: public-ws-addressing-request@w3.org
> > > > > [mailto:public-ws-addressing-
> > > > > > request@w3.org] On Behalf Of Christopher B Ferris
> > > > > > Sent: Monday, November 22, 2004 1:10 PM
> > > > > > To: Anish Karmarkar
> > > > > > Cc: Jonathan Marsh; public-ws-addressing@w3.org;
> > > > public-ws-addressing-
> > > > > > request@w3.org; tom@coastin.com
> > > > > > Subject: Re: Composibility problems with refps
> > > > > >
> > > > > >
> > > > > > Anish/Tom,
> > > > > >
> > > > > > But then this means that the refps that under the current
> design
> > > > > become
> > > > > > SOAP headers, and subject to
> > > > > > the SOAP processing model, would no longer be subject
> > > to the SOAP
> > > > > > processing model. I think that this
> > > > > > would be a collossal mistake.
> > > > > >
> > > > > > Frankly, I think that the idea of reference 
> properties/params
> > > > > interfering
> > > > > > with other WS-* use of headers
> > > > > > is a red herring. Of course, it is always possible to
> > > do something
> > > > > that
> > > > > > would break any protocol. At most, I could
> > > > > > see adding a note in the spec that recommended caution when
> > > > including
> > > > > any
> > > > > > protocol elements
> > > > > > as reference property/parameters as their subsequent
> > > inclusion as
> > > > SOAP
> > > > > > header blocks in messages
> > > > > > addressed to the endpoint *might*, I repeat, *might*
> > > conflict with
> > > > > > constraints as to cardinality of such
> > > > > > header blocks in a message, etc.
> > > > > >
> > > > > > I would strongly discourage any thoughts of a wrapper
> > > element for
> > > > > > reference property/parameters.
> > > > > >
> > > > > > Cheers,
> > > > > >
> > > > > > Christopher Ferris
> > > > > > STSM, Emerging e-business Industry Architecture
> > > > > > email: chrisfer@us.ibm.com
> > > > > > blog: http://webpages.charter.net/chrisfer/blog.html
> > > > > > phone: +1 508 377 9295
> > > > > >
> > > > > >
> > > > > >
> > > > > > Anish Karmarkar <Anish.Karmarkar@oracle.com>
> > > > > > Sent by: public-ws-addressing-request@w3.org
> > > > > > 11/22/2004 02:03 PM
> > > > > >
> > > > > > To
> > > > > > tom@coastin.com
> > > > > > cc
> > > > > > Jonathan Marsh <jmarsh@microsoft.com>,
> > > public-ws-addressing@w3.org
> > > > > > Subject
> > > > > > Re: Composibility problems with refps
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > I agree that would indeed solve the problem -- either refp
> > > specific
> > > > > > header(s) or the use of [to] property.
> > > > > >
> > > > > > -Anish
> > > > > > --
> > > > > >
> > > > > > Tom Rutt wrote:
> > > > > >
> > > > > > >
> > > > > > > As Glen has suggested before, encapsulating the ref parms
> and
> > > ref
> > > > > props
> > > > > > > in a ws-addressing specific header element would
> > > allow arbitrary
> > > > > > > qnames for the ref props and ref parms, without confusion.
> > > > > > >
> > > > > > > Tom Rutt
> > > > > > >
> > > > > > > Anish Karmarkar wrote:
> > > > > > >
> > > > > > >>
> > > > > > >> Yes.
> > > > > > >> Or in the context of SOAP, composability with any
> > > specification
> > > > > that
> > > > > > >> uses SOAP header(s) as a mechanism to convey information.
> > > > > > >>
> > > > > > >> -Anish
> > > > > > >> --
> > > > > > >>
> > > > > > >> Jonathan Marsh wrote:
> > > > > > >>
> > > > > > >>> Specifically, you're worried about the case where the
> > > reference
> > > > > > >>> properties and reference parameters are in a
> > > namespace used by
> > > > the
> > > > > > >>> reliability, security, etc. mechanisms, right?
> > > > > > >>>
> > > > > > >>>
> > > > > > >>>> -----Original Message-----
> > > > > > >>>> From: public-ws-addressing-request@w3.org
> > > [mailto:public-ws-
> > > > > > >>>> addressing-request@w3.org] On Behalf Of Anish Karmarkar
> > > > > > >>>> Sent: Monday, November 15, 2004 11:10 AM
> > > > > > >>>> To: public-ws-addressing@w3.org
> > > > > > >>>> Subject: Composibility problems with refps
> > > > > > >>>>
> > > > > > >>>>
> > > > > > >>>> All,
> > > > > > >>>>
> > > > > > >>>> During last week's concall discussion of issue
> > > i008 I took an
> > > > > action
> > > > > > >>>> to
> > > > > > >>>> explain the composibility problem with refps 
> in an email.
> > > This
> > > > > email
> > > > > > >>>> fulfills that action.
> > > > > > >>>>
> > > > > > >>>> WS-Addressing [1] Submission includes [reference
> > > properties]
> > > > and
> > > > > > >>>> [reference parameters] in the info models for 
> EPR. These
> > > refps
> > > > > are
> > > > > > >>>> opaque to the consumer. In the SOAP binding of
> > > EPR, the refps
> > > > are
> > > > > > >>>> bound
> > > > > > >>>> as individual SOAP header blocks. I.e., a consumer of a
> EPR
> > > > using
> > > > > > SOAP
> > > > > > >>>> is required to copy the refps as individual SOAP header
> > > blocks
> > > > > > without
> > > > > > >>>> understanding what the blocks mean or do.
> > > > > > >>>>
> > > > > > >>>> Typically SOAP header blocks are part of a SOAP module
> and
> > > > > express
> > > > > > >>>> certain functionality. For example, WSS, 
> WS-Reliability,
> > > > > > >>>> WS-ReliableMessaging, WS-C, WS-T WS-Context 
> etc, specify
> > > header
> > > > > > blocks
> > > > > > >>>> that have a particular meaning that is 
> conveyed from the
> > > sender
> > > > > to
> > > > > > the
> > > > > > >>>> receiver. Specifications in the realm of Web 
> services are
> > > > > designed to
> > > > > > >>>> be
> > > > > > >>>> composible with other specs. For example, 
> WS-Context can
> be
> > > > > composed
> > > > > > >>>> with WS-Reliability and WSS.
> > > > > > >>>>
> > > > > > >>>> A consuming application that dereferences an EPR that
> > > contains
> > > > > refps
> > > > > > >>>> may
> > > > > > >>>> have some policies in place wrt to 
> reliability, security,
> > > > > > >>>> coordination,
> > > > > > >>>> transaction, privacy etc. Given that refps may contains
> any
> > > XML
> > > > > and
> > > > > > >>>> these refps are bound as SOAP header blocks, refps can
> > > > > potentially
> > > > > > >>>> interfere with composibility of WS-Addressing with
> > > other WS-*
> > > > > specs
> > > > > > >>>> that
> > > > > > >>>> the consumer may be using. The opacity of the
> > > refps prevents
> > > > the
> > > > > > >>>> consumer from making any inferences about the 
> refps in an
> > > EPR.
> > > > > > >>>>
> > > > > > >>>> This issue is slightly different from the security
> > > of EPRs --
> > > > > which
> > > > > > >>>> *may* potentially be resolved by requiring the
> > > minter of the
> > > > EPR
> > > > > to
> > > > > > >>>> sign
> > > > > > >>>> the EPR.
> > > > > > >>>>
> > > > > > >>>> HTH to clarify the issue.
> > > > > > >>>>
> > > > > > >>>> -Anish
> > > > > > >>>> --
> > > > > > >>>>
> > > > > > >>>>
> > > > > > >>>>
> > > > > > >>>> [1]
> > > > > http://www.w3.org/Submission/2004/SUBM-ws-addressing-20040810/
> > > > > > >>>>
> > > > > > >>>
> > > > > > >>>
> > > > > > >>>
> > > > > > >>
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > >
> > >
> > >
> 
Received on Wednesday, 24 November 2004 19:58:01 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 18:35:00 GMT