Peter Firmstone wrote:
_Unicast Discovery v2 - Unmarshalling Attack with Registrar proxy._
During unicast discovery, we have the option of using SSL, Kerberos or
x500 discovery implementations, unfortunately, if the unicast
discovery implementation being used doesn't comply with constraints
for Authentication and Confidentiality, the constraints are re tried
against the unmarshalled registrar proxy, bypassing the security
benefits these implementations provide.
It appears that the above statement is incorrect.
The following information comes from existing documentation, code
inspection and some additional unit tests I've constructed.
Security can be maintained, provided discovery constraints are set
correctly and can prevent the unmarshalling attacks by an unknown
registrar proxy.
Constraints set during discovery are just as powerful and compatible
with those used by jeri.
MethodConstraints are set against various methods, containing
InvocationConstraints, that are required or preferred.
Constraints are tested in 3 layers
The class DiscoveryConstraints is used to test for and satisfy the
following constraints, which are tested against the lower TCP / IP
Multicast layer:
* UnicastSocketTimeout
* ConnectionAbsoluteTime
* MulticastMaxPacketSize
* DiscoveryProtocolVersion
* MulticastTimeToLive
There are two x500 multicast implementations that support the additional
constraints for:
The multicast request protocol:
* Integrity
* ClientAuthentication
* ClientMaxPrincipal
* ClientMaxPrincipalType
* ServerMinPrincipal - trivial support (ServerAuthentication and
Delegation not supported)
* DelegationAbsoluteTime - trivial support
* DelegationRelativeTime - trivial support
The multicast announcement protocol:
* Integrity
* ServerAuthentication
* ServerMinPrincipal
* DelegationAbsoluteTime - trivial support (ClientAuthentication and
Delegation not supported
* DelegationRelativeTime - trivial support
* ClientMaxPrincipal - trivial support
* ClientMaxPrincipalType -trivial support
* ClientMinPrincipal -trivial support
* ClientMinPrincipalType -trivial support
DiscoveryConstraints.getUnfulfilledConstraints() filters out any
constraints that can be satisfied by the lower layer and don't need to
be satisfied by upper layers, however it also returns constraints that
must be satisfied by the lower layer as well as upper layers.
The next layer consists of various Client and Server implementations,
plaintext, kerberos, ssl, https that implement UnicastDiscoveryClient or
UnicastDiscoveryServer.
Various constraints are supported based on the provider in use, note
that multiple providers can be selected from, based on their
compatibility with the set of constraints provided.
ConstraintAlternatives also provides a list of constraints from which
one must be satisfied (like an OR separated list).
For example ssl unicast discovery supports the same constraints as the
jeri tls/ ssl endpoint:
* ClientAuthentication
* ClientMaxPrincipal
* ClientMaxPrincipalType
* ClientMinPrincipal
* ClientMinPrincipalType
* Confidentiality
* ConfidentialityStrength
* ConnectionAbsoluteTime
* ConnectionRelativeTime
* ConstraintAlternatives
* Delegation
* DelegationAbsoluteTime
* DelegationRelativeTime
* Integrity
* InvocationConstraints
* ServerAuthentication
* ServerMinPrincipal;
The top layer is the Marshalling layer, only the Integrity constraint is
passed up by EndpointInternals.getUnfulfilledConstraints and must be
satisfied by all layers, when set on relevant MethodConstraints.
LookupDiscovery performs Multicast discovery and Unicast retrieval of
registrar Proxy's using any provider or protocol.
LookupLocatorDiscovery performs Unicast retrieval of registrar proxy's
using any provider or protocol.
ConstrainableLookupLocator performs Unicast retrieval of registrar
proxy's using any provider or protocol.
LookupLocator performs Unicast retrieval of registrar proxy's using
Discovery V1 only.
Kerberos can be subjected to timing attacks, the most secure providers are:
x500 sha-1 with dsa or rsa for multicast discovery (although sha-1 is
getting weaker now and probably should be supplemented with a stronger
hash), still this should be quite reasonable for a private network.
tls/ssl Provider for Unicast Discovery
tls/ssl Provider for Jeri
https Provider for Unicast Discovery
https Profider for Jeri.
With the right constraints, it is possible to prevent an unmarshalling
attack by an unknown registrar proxy, authentication, authorisation,
confidentiality and integrity is checked / performed prior to
unmarshalling the proxy.
If the registrar (lookup service) also requires client authentication
and authorisation, then services must be authorised prior to submitting
their proxy's.
If we can place a limit on codebase downloads, or provide secure
codebase services (needs discovery), sign our River release jars
(prevents package private access) and throw in DNS-SRV discovery too,
then we could challenge existing cloud services with a highly secure
cloud platform (provided the os and hardware underneath are also secure).
It may also be desirable to place downloaded code into a local jvm,
separate from client code.
Cheers,
Peter.
