This is a page about using a Fuzzy Risk Analysis methodology based on the security patterns present in a system.
We have analyzed two systems using this methodology.
- The first (nonsecure) system can be found here
- The second (secure) system can be found here
The Security Vulnerabilities of the nonsecure application are here
The secure application, to the best of our knowledge, does not have any security vulnerabilities, except for unauthorized access to the WSDL file of a web service. (For the current version of JBoss it is not possible to require authentication for the WSDL file; this is under consideration, see http://jira.jboss.com/jira/browse/JBWS-723.)
Session cookies should be allowed in the web browser for the applications to run. (Check out how this is done for Mozilla Firefox and IE 6.0.)
Prerequisites to run the e-commerce test applications
To run the applications you have to:
- get the zip file of JBoss 4.0.3 configured properly for the applications: jboss 4.0.3.zip
- unzip this file to C:\jboss-4.0.3 (in case you use Windows; on another OS you just have to change the JBOSS_HOME variable in the build.xml of each application so that it points to the JBoss home directory)
- install MySQL 5.0, which can be found here, on the machine which is going to be your database server, and
- overwrite the data directory of your MySQL server with the directory data, which can be found as a zip file here, having stopped the MySQL service first. (After the data directory is overwritten you should of course restart the MySQL service.)
- Be careful: if you already have a MySQL server installed, save any database you need using mysqldump and, after overwriting the data directory, import these databases again! Furthermore, the administrator password for MySQL is overwritten together with the data directory, so it is better to use a machine where no MySQL databases have been created yet.
- The application sources should then be downloaded.
You should also:
- install ant, which can be found here, and
- set the PATH variable of your system to include the <ANT_HOME>/bin directory
- install a recent Java and J2EE version, which can be found at the Java Home Page
Deploying and running the e-commerce test applications
To deploy an application you should go to the base directory of the appropriate application, where the build.xml file resides, and type in the following commands:
- classpath
- ant clean
- ant deploy
Make sure that classpath.bat includes the correct path to the j2ee.jar file.
Then, in order to start the JBoss server, you should go to the <JBOSS_HOME>/bin directory (example JBOSS_HOME for Windows: C:\jboss-4.0.3) and type in:
run -c all
Wait until the server is started; then you can run the desired application.
The first application runs at:
http://<machine_name_or_ip>:8080/ecommerce/WebStoreFront
The second application runs at:
https://<machine_name_or_ip>:8443/ecommerce/Login
Note that the nonsecure and secure applications cannot run at the same time on the same server: the application you deployed last is the one currently running.
If you get any warnings because the certificate is self-signed, ignore them and choose "Continue to this website" on Internet Explorer, or "I understand the dangers" and "Add an exception" on Mozilla Firefox.
Given usernames and passwords for the e-commerce test applications:
| User | Password | Secondary password for second application | Rights |
|---|---|---|---|
| admin | taf.adag | apa.sprs | Increased |
| programmer | tbp.into | pat.mcpa | Limited |
Risk Analysis Tool
The risk analysis tool developed consists of two simple java applications.
The first (fault tree extraction) application parses an XML file in XMI for UML 1.4 (OMG) format and produces the fault trees for STRIDE attacks for the system under examination. Its output is a set of files in a format where the fault tree expression is described first, followed by the fuzzy values for likelihood, exposure and consequences.
The second (risk computation) application parses these files and produces risk levels for each category of STRIDE attacks.
The fault tree extraction application can be found here
Running the fault tree extraction application of the risk analysis tool
The steps to be followed are:
1. Run classpath.bat.
2. Define the attacks, similar to the existing index.txt file and the files it indexes.
3. Define the output files for the STRIDE fault trees, similar to the dumpindex.txt file.
4. Run "java src/MainProcess <index file> <xml file> <dump index file>", where the index file and the dump index file are as described above and the xml file is the XMI file corresponding to the class diagram of the system under examination.
The risk computation application can be found here.
Running the risk computation application of the risk analysis tool
The risk computation application reads the fault trees extracted by the previously described application and computes risks for each category of STRIDE attacks.
The usage of the application is:
java src/FuzzyRisk <Fuzzy Expression Index File> <generalized fuzzy number file> <results file>
The fuzzy expression index file contains the index of the files with the expressions for the fuzzy fault trees similar to the existing index.txt file. The generalized fuzzy numbers file contains the values for the definitions of the generalized fuzzy number levels. The results file is the file where the results are to be written.
Of course you may use existing files for your tests!
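As an added illustration of the risk computation step described above (this is not the project's own code, and the page does not show its file formats, so the representation below is assumed), the following Python snippet evaluates a fuzzy fault tree for one STRIDE category. It assumes triangular fuzzy numbers on a 0..1 scale for likelihood, exposure and consequences, fuzzy max/min for OR/AND gates, centroid defuzzification and constructed Low/Medium/High level definitions; the Spoofing tree and its values are constructed sample input.

```python
# Added example, not the project's own code. Assumes triangular fuzzy numbers
# (lo, peak, hi) on a 0..1 scale, fuzzy max/min for OR/AND gates, leaf risk =
# likelihood * exposure * consequences, and centroid defuzzification.
from typing import Dict, NamedTuple, Tuple

class Tri(NamedTuple):
    lo: float
    peak: float
    hi: float

    def __mul__(self, other: "Tri") -> "Tri":  # vertex-wise product (values >= 0)
        return Tri(self.lo * other.lo, self.peak * other.peak, self.hi * other.hi)

    def membership(self, x: float) -> float:  # degree to which crisp x belongs
        if self.lo < x <= self.peak:
            return (x - self.lo) / (self.peak - self.lo)
        if self.peak < x < self.hi:
            return (self.hi - x) / (self.hi - self.peak)
        return 1.0 if x == self.peak else 0.0

def combine(gate: str, x: Tri, y: Tri) -> Tri:
    op = max if gate == "OR" else min  # OR keeps the larger vertex, AND the smaller
    return Tri(op(x.lo, y.lo), op(x.peak, y.peak), op(x.hi, y.hi))

def evaluate(node, leaves: Dict[str, Tuple[Tri, Tri, Tri]]) -> Tri:
    # node is a leaf name or (gate, [children]); leaves map name -> (L, E, C)
    if isinstance(node, str):
        likelihood, exposure, consequences = leaves[node]
        return likelihood * exposure * consequences
    gate, children = node
    result = evaluate(children[0], leaves)
    for child in children[1:]:
        result = combine(gate, result, evaluate(child, leaves))
    return result

# Constructed Low/Medium/High definitions; the project's own level file is not shown
LEVELS = {"Low": Tri(0.0, 0.0, 0.35), "Medium": Tri(0.2, 0.5, 0.8), "High": Tri(0.65, 1.0, 1.0)}

def risk_level(risk: Tri, levels: Dict[str, Tri] = LEVELS) -> str:
    centroid = sum(risk) / 3  # crisp risk value
    return max(levels, key=lambda name: levels[name].membership(centroid))

# Constructed Spoofing tree: guessable password, OR (sniffed session cookie AND no TLS)
SPOOFING_TREE = ("OR", ["guessable_password", ("AND", ["cookie_sniffed", "no_tls"])])
SPOOFING_LEAVES = {
    "guessable_password": (Tri(0.3, 0.5, 0.7), Tri(0.6, 0.8, 1.0), Tri(0.5, 0.7, 0.9)),
    "cookie_sniffed": (Tri(0.4, 0.6, 0.8), Tri(0.5, 0.7, 0.9), Tri(0.6, 0.8, 1.0)),
    "no_tls": (Tri(0.8, 0.9, 1.0), Tri(0.8, 1.0, 1.0), Tri(0.6, 0.8, 1.0)),
}
print(risk_level(evaluate(SPOOFING_TREE, SPOOFING_LEAVES)))  # Medium
```

Lowering the no_tls likelihood (as the secure, HTTPS-only application would) prunes the AND branch and leaves only the password path in the result.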
We would like to thank the newsgroups Securityfocus.com, Web Application Security mailing list and comp.lang.java.security for letting us organize a contest related to this research and Benjamin Livshits from Stanford University, the winner of the contest!