Positive Security
A positive security model is a comprehensive security mechanism that provides an independent input-validation envelope around an application. By defining rules for every parameter on every page of the application, the application is protected by an additional security envelope that is independent of its code. For example, the following rules, in the ModSecurity rule language, provide such comprehensive protection for the Exchange Outlook Web Access login page:
SecDefaultAction "log,deny,phase:2"
<LocationMatch "^/exchweb/bin/auth/owaauth.dll$">
    # Each rule names the one acceptable shape of its input; a request whose
    # input does not match is denied by the default action.
    SecRule REQUEST_METHOD "!^POST$"
    SecRule ARGS:destination "!^....$"
    # (full regular expression left out for simplicity)
    SecRule ARGS:flags "!^[0-9]{1,2}$"
    SecRule ARGS:username "!^[0-9a-zA-Z]{0,256}$"
    SecRule ARGS:password "!^.{0,256}$"
    SecRule ARGS:SubmitCreds "!^Log.On$"
    SecRule ARGS:trusted "!^(0|4)$"
</LocationMatch>
Learning
The limitation of this model is that it requires deep knowledge of the application and a considerable ongoing effort to maintain the rule set. The maintainer needs to define such rules for each parameter and page in the application. Essentially, the rules have to follow the application closely, and every change in the application requires a corresponding modification to the rule set.
In order to reduce the effort required, different learning mechanisms have been implemented. In a session-based learning approach [i], rules are dynamically created based on previous transactions in the session. Specifically, based on forms returned by the web server, the WAF generates validation rules for input submitted through that form by a user, validating field existence, length and special attributes such as "hidden" or "read-only". Other dynamic validation rules include rules limiting the allowed URLs to those appearing in links on previous pages and rules limiting cookie values. However, this approach is limited, since the information sent by the server does not convey all the information required to generate a rule. For example, the type of a parameter is not available. Furthermore, this method became nearly obsolete with the major shift to client-side scripting, interactive web front ends such as AJAX [find] and web services. In all these technologies the client sends requests that are not based on previous server responses, or that are hard to derive from the responses.
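The form-driven learning described above, as an added example (not ModSecurity code and not from the cited AppShield paper): the validator parses a form the server served, records what the page states about each field (name, maxlength, fixed hidden/submit values, select options) and checks a later submission against it. The served form and the submissions are constructed. Note what the learned profile cannot say: nothing in the served HTML states which characters a username may contain, which is the limitation the paragraph points out.

```python
"""Session-based rule learning: derive a validation profile from the form the
server served, then check the client's submission against it.
Added example, not ModSecurity code and not from the cited AppShield paper;
the served form and the submissions are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs


class FormProfileParser(HTMLParser):
    """Collect, for each form field, what the served page states about it."""

    def __init__(self):
        super().__init__()
        self.fields = {}   # name -> {"type", "maxlength", "value", "options"}
        self._select = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("name"):
            self.fields[a["name"]] = {
                "type": a.get("type", "text"),
                "maxlength": int(a["maxlength"]) if a.get("maxlength", "").isdigit() else None,
                "value": a.get("value"),
                "options": None,
            }
        elif tag == "select" and a.get("name"):
            self._select = a["name"]
            self.fields[self._select] = {"type": "select", "maxlength": None,
                                         "value": None, "options": set()}
        elif tag == "option" and self._select is not None and "value" in a:
            self.fields[self._select]["options"].add(a["value"])

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None


def learn_profile(html):
    """Rules derived from one served page: names, lengths, fixed values, options."""
    parser = FormProfileParser()
    parser.feed(html)
    return parser.fields


def validate_submission(profile, body):
    """Return the list of violations for a urlencoded POST body; [] means accept."""
    submitted = parse_qs(body, keep_blank_values=True)
    violations = []
    for name, values in submitted.items():
        spec = profile.get(name)
        if spec is None:
            violations.append(f"unknown field {name!r}")
            continue
        for v in values:
            if spec["maxlength"] is not None and len(v) > spec["maxlength"]:
                violations.append(f"{name}: length {len(v)} exceeds maxlength {spec['maxlength']}")
            if spec["type"] in ("hidden", "submit") and v != spec["value"]:
                violations.append(f"{name}: fixed value changed")
            if spec["options"] is not None and v not in spec["options"]:
                violations.append(f"{name}: value not among served options")
    for name, spec in profile.items():
        if name not in submitted and spec["type"] not in ("submit", "checkbox"):
            violations.append(f"missing field {name!r}")
    return violations


# Constructed sample page standing in for a login form returned by the server.
SERVED_FORM = """
<form method="post" action="/login">
  <input type="text" name="username" maxlength="32">
  <input type="password" name="password" maxlength="64">
  <input type="hidden" name="csrf" value="abc123">
  <select name="trusted">
    <option value="0">Public computer</option>
    <option value="4">Private computer</option>
  </select>
  <input type="submit" name="SubmitCreds" value="Log On">
</form>
"""

if __name__ == "__main__":
    profile = learn_profile(SERVED_FORM)
    print(validate_submission(profile, "username=alice&password=pw&csrf=abc123&trusted=4"))
    print(validate_submission(profile, "username=alice&password=pw&csrf=evil&trusted=9&debug=1"))
```

The profile is only as good as the served page: a hidden field's value and a select's option list are checked exactly, a text field gets only a length bound, and a request for a page the WAF never saw served (the AJAX case in the paragraph) has no profile at all.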
More recently, an anomaly-based learning approach [ii] was suggested. In the anomaly-based approach, an input validation profile is created for an application by observing real usage traffic and determining normal usage patterns. As with most anomaly-based detection techniques, the key challenges are differentiating between attacks and non-malicious abnormal traffic, keeping information derived from attacks out of the normal usage profile, and compensating for time-based variability in the usage profile.
Differentiating attack traffic from non-malicious abnormal traffic is a major challenge for monitoring systems, but it is less severe for protection-only systems, since many non-attack abnormal requests can be blocked anyway, as they would not produce useful results. The problem can be reduced further by treating a detected anomaly only as an indicator and declaring an attack only on the basis of multiple indicators, anomaly-based and otherwise.
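The two preceding paragraphs, as an added example that is not the cited authors' code: a per-parameter profile is trained on observed values using a length model (mean and variance with a Chebyshev bound) and a character-distribution model (chi-square against an idealized distribution over frequency-rank bins), in the spirit of the Kruegel & Vigna paper. Each model yields only an indicator, and a value is classified as an attack only when several indicators agree, which is the point of the second paragraph. The training usernames, thresholds and test inputs are constructed.

```python
"""Anomaly-based profiling of one request parameter: a length model and a
character-distribution model are trained on observed values, and a value is
treated as an attack only when more than one model flags it.
Added example, not the cited authors' code; training values, thresholds and
test inputs are constructed.
"""
from collections import Counter

# Bins over rank-ordered character frequencies (rank 0 is the most frequent
# character in the value), so the model does not depend on which characters occur.
BINS = [(0, 0), (1, 3), (4, 6), (7, 11), (12, 15), (16, 255)]
LENGTH_THRESHOLD = 0.1    # Chebyshev probability below which a length is abnormal
CHI_THRESHOLD = 11.07     # chi-square critical value, 5 degrees of freedom, p = 0.05


def length_profile(values):
    """Mean and variance of the lengths seen in training."""
    n = len(values)
    mean = sum(len(v) for v in values) / n
    var = sum((len(v) - mean) ** 2 for v in values) / n
    return mean, var


def length_anomaly_prob(profile, value):
    """Chebyshev bound on seeing a length this far above the mean; 1.0 = normal."""
    mean, var = profile
    length = len(value)
    if length <= mean:
        return 1.0
    return min(1.0, var / (length - mean) ** 2)


def char_bins(value):
    """Share of the value's characters falling in each frequency-rank bin."""
    counts = sorted(Counter(value).values(), reverse=True)
    total = len(value) or 1
    return [sum(counts[lo:hi + 1]) / total for lo, hi in BINS]


def char_profile(values):
    """Idealized character distribution: average bin shares over training."""
    rows = [char_bins(v) for v in values]
    return [sum(r[i] for r in rows) / len(rows) for i in range(len(BINS))]


def char_chi_square(icd, value):
    """Chi-square distance between the value's bin counts and those the ICD predicts."""
    n = len(value)
    chi = 0.0
    for share, expected_share in zip(char_bins(value), icd):
        expected = expected_share * n
        if expected > 0:
            chi += (share * n - expected) ** 2 / expected
    return chi


def train(values):
    return {"length": length_profile(values), "chars": char_profile(values)}


def indicators(model, value):
    """Names of the individual models that consider the value abnormal."""
    flags = []
    if length_anomaly_prob(model["length"], value) < LENGTH_THRESHOLD:
        flags.append("length")
    if char_chi_square(model["chars"], value) > CHI_THRESHOLD:
        flags.append("chars")
    return flags


def is_attack(model, value, required=2):
    """Each anomaly is only an indicator; require agreement before blocking."""
    return len(indicators(model, value)) >= required


# Constructed usernames standing in for observed benign traffic.
TRAINING_USERNAMES = ["alice", "bob42", "carol", "dave", "erin", "frank",
                      "grace", "heidi", "ivan", "judy", "mallory", "oscar"]

if __name__ == "__main__":
    model = train(TRAINING_USERNAMES)
    for value in ["trent", "maximilian-alexander",
                  "' UNION SELECT username, password FROM users --"]:
        print(repr(value), indicators(model, value),
              "attack" if is_attack(model, value) else "ok")
```

With this training set an unusually long but ordinary name trips only the length model and is let through, while the injection string trips both models. Training on values that already contain attacks would shift both profiles, which is the second challenge the paragraph names.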
Virtual Patching
Another training method for a positive security model is external patching, also known as "just-in-time patching" or "virtual patching". It is a limited protection method, but an important one because of the software lifecycle management process common in organizations. The later a vulnerability is found in the development and deployment process, the higher the price of fixing it, since the fix disrupts the development process and delays deployment. If the vulnerability is found after the application is deployed, the problem is bigger still, as taking the application offline may be impossible, forcing the organization to keep the application running and incur the risk.
A WAF can be used to provide protection from a specific vulnerability without modifying the application. To do that, a rule is created and implemented in the WAF that provides additional validation for the specific vulnerable field.
For example, if the user name field in an application is vulnerable to a SQL injection [iii] attack, and usernames are alphanumeric in that application, the following rule, in the ModSecurity rule language, would provide an external patch:
<LocationMatch "^/login.php$">
    # Deny any username that is not made up solely of word characters.
    SecRule ARGS:username "!^\w+$" "deny,log"
</LocationMatch>
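The positive security envelope from the start of the page and the virtual patch just above, combined in one added example (not ModSecurity code): a small rule engine in which every protected page lists the method it accepts and an anchored pattern for every parameter it expects, and anything a rule does not cover is denied. Requests are modelled as (method, path, args); the destination pattern is a placeholder because the page omits the real expression, and the login.php entry carries the virtual patch as one more parameter rule.

```python
"""A positive security envelope as a rule engine: each protected page lists
the request method it accepts and an anchored pattern for every parameter it
expects; anything not covered by a rule is denied.  The table also carries
the login.php virtual patch.  Added example, not ModSecurity code; requests
are modelled as (method, path, args), and the destination pattern is a
placeholder because the page omits the real one.
"""
import re

PROFILE = {
    "/exchweb/bin/auth/owaauth.dll": {
        "method": "POST",
        "params": {
            "destination": r"\S{1,512}",       # placeholder; real expression not on the page
            "flags": r"[0-9]{1,2}",
            "username": r"[0-9a-zA-Z]{1,256}",
            "password": r".{1,256}",
            "SubmitCreds": r"Log On",
            "trusted": r"(0|4)",
        },
    },
    # Virtual patch: one extra constraint on the field reported vulnerable.
    "/login.php": {
        "method": "POST",
        "params": {"username": r"\w+", "password": r".{1,256}"},
    },
}

# fullmatch() anchors every pattern, so each one describes the whole value;
# re.ASCII keeps \w at [A-Za-z0-9_] as in the ModSecurity rule.
COMPILED = {
    path: {"method": page["method"],
           "params": {name: re.compile(pat, re.ASCII)
                      for name, pat in page["params"].items()}}
    for path, page in PROFILE.items()
}


def evaluate(method, path, args):
    """Return (decision, reason); 'allow' requires every rule to be satisfied."""
    page = COMPILED.get(path)
    if page is None:
        return "deny", "no profile for path"
    if method != page["method"]:
        return "deny", f"method {method} not allowed"
    for name, value in args.items():
        rule = page["params"].get(name)
        if rule is None:
            return "deny", f"unexpected parameter {name}"
        if rule.fullmatch(value) is None:
            return "deny", f"parameter {name} fails its pattern"
    return "allow", "all parameters validated"


if __name__ == "__main__":
    print(evaluate("POST", "/login.php", {"username": "alice", "password": "s3cret"}))
    print(evaluate("POST", "/login.php", {"username": "alice'--", "password": "x"}))
    print(evaluate("GET", "/exchweb/bin/auth/owaauth.dll", {"username": "bob"}))
```

Like the ModSecurity rules, the engine constrains parameters that are present rather than requiring them; unlike them, it also rejects parameters the profile never listed, which is the stricter reading of "a rule for every parameter".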
[i] AppShield: Next Generation Reverse Proxy for a Secure Web Environment, 2002, www.gradian.co.uk/Resource_Lib/Sanctum/Reverse%20Proxies.pdf
[ii] Anomaly Detection of Web-based Attacks, Christopher Kruegel & Giovanni Vigna, Reliable Software Group, University of California, Santa Barbara, October 2003, http://www.cs.ucsb.edu/~vigna/publications/2003_kruegel_vigna_ccs03.pdf
[iii] SQL Injection Attacks by Example, Steve Friedl, Jan 13th 2005, http://www.unixwiz.net/techtips/sql-injection.html