Application of XML Schema in Web Services Security Sridhar Guthula W3C XML Schema 1.0 User Experiences 06-21-2005

Page 1: Application of XML Schema in Web Services Security

Application of XML Schema in Web Services Security

Sridhar Guthula

W3C XML Schema 1.0 User Experiences

06-21-2005

Page 2

QuickTree Inc. 2

About me

• 10 years in enterprise software business
• XML focus since 1998
• Projects
  – XML Schema 1.0 validation engine, SOAP security framework, XSLT 1.0 compiler, hardware based XML Parser.
  – Large XML based language for a declarative constraint engine
  – Storing XML documents in an RDBMS
  – XML Schemas for Catalog Services, XML based RPCs and Workflows Systems

Page 3


QuickTree SOAP Security Module (SSM)

• Designed from the ground up with OEM integration in mind, the SSM hides the complexities of XML processing and allows network equipment like Firewalls, SSL VPN devices and Load Balancers to inspect and secure Web Services traffic

Page 4


SOAP Security in the Network

Page 5


Features

• XML Denial of Service Prevention - Checking for XML well-formedness, nested element depth, element length, message size, external entities, attribute length, etc.

• WSDL Based Access Control - Limit a user or group's access to particular services or operations defined in the WSDL file

• SOAP Structural and Parameter Validation - Prevent mal-structured SOAP messages and apply parameter validation using type checking with full support for regex based schema types

• SQL and Command Injection Protection - Detect and block command injection attacks, commonly hidden as valid parameters

• Streaming mode interface - XML messages can be forwarded to the QuickTree module as they come in without blocking

Page 6


QuickTree SOAP Security Module (SSM)

Page 7


User Experience

Page 8


WSDL Based validation

• XML Schema 1.0 validation engine (‘C’ based)
• Generate schema by combining WSDL, XML Schema and SOAP
• Streaming and Hardwarized
• Structural Validation vs Data-type validation
• ACLs
• Issues
  – Schema Specification
  – XML Schemas with multiple target namespaces
  – xsi:type and encoding style
  – Mapping WSDL/SOAP types to XML Schema types (Ex: soapenc:arrayType)
  – Versioning

Page 9


Compliance Levels

• Support compliance/conformance levels (like internationalization standards)
  – Structural validation and/or Data-type validation
  – Data-centric or Content-centric

• Lack of different compliance levels causes vendors to claim full XML Schema compliance.

• Reduced user confusion and reduced cost in investigating vendor compliance.
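As an added example (not QuickTree's code), the following Python sketch applies the two compliance levels above to the SOAP structural and parameter validation described on the Features and WSDL Based validation slides: a structural pass that checks the Envelope/Body skeleton, the operation and the parameter sequence derived from a WSDL, and a data-type pass that additionally applies regex (xs:pattern-style) facets, which is where an injection hidden in a correctly placed parameter is caught. The service namespace `urn:example:orders`, the `WSDL_SCHEMA` table standing in for a compiled WSDL, the `ACL` table and the sample messages are all constructed assumptions of this example.

```python
"""Added example, not QuickTree's code: validating a SOAP request against a
schema derived from a hypothetical WSDL at two compliance levels. 'structural'
checks the Envelope/Body skeleton, the operation and the ordered parameter
sequence; 'datatype' additionally applies regex (xs:pattern-style) facets."""
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "urn:example:orders"  # constructed service namespace

# Constructed stand-in for what a WSDL + XML Schema compilation step would produce:
# operation name -> ordered list of (parameter name, pattern facet).
WSDL_SCHEMA = {
    "PlaceOrder": [("customerId", r"[A-Z]{3}-[0-9]{6}"), ("quantity", r"[1-9][0-9]{0,3}")],
    "GetOrder": [("orderId", r"[0-9]{1,10}")],
}
# Constructed WSDL-based ACL: operations each principal may invoke.
ACL = {"reader": {"GetOrder"}, "clerk": {"GetOrder", "PlaceOrder"}}

ENVELOPE, HEADER, BODY = (f"{{{SOAP_NS}}}{n}" for n in ("Envelope", "Header", "Body"))


def validate_soap(xml_text: str, level: str = "datatype"):
    """Return (operation, None) when the message is valid at `level`,
    otherwise (operation or None, reason for rejection)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return None, f"not well-formed: {exc}"
    if root.tag != ENVELOPE:
        return None, "root element is not soap:Envelope"
    if [c.tag for c in root] not in ([BODY], [HEADER, BODY]):
        return None, "Envelope must hold an optional Header followed by exactly one Body"
    body = root.find(BODY)
    if len(body) != 1:
        return None, "Body must hold exactly one operation element"
    op = body[0]
    if not op.tag.startswith(f"{{{SVC_NS}}}"):
        return None, f"operation {op.tag} is not in the service namespace"
    op_name = op.tag.split("}", 1)[1]
    params = WSDL_SCHEMA.get(op_name)
    if params is None:
        return op_name, "operation is not defined in the WSDL"
    # structural level: parameter names and their order must match the WSDL sequence
    expected = [name for name, _ in params]
    actual = [child.tag for child in op]
    if actual != expected:
        return op_name, f"parameters {actual} do not match WSDL sequence {expected}"
    if level == "structural":
        return op_name, None
    # datatype level: every parameter is simple content fully matching its facet
    for child, (name, pattern) in zip(op, params):
        if len(child) or re.fullmatch(pattern, child.text or "") is None:
            return op_name, f"parameter {name} value {child.text!r} violates pattern {pattern}"
    return op_name, None


def authorize(principal: str, operation: str) -> bool:
    """WSDL-based access control: only operations granted to the principal pass."""
    return operation in ACL.get(principal, set())


# Constructed sample messages
GOOD = (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:o="{SVC_NS}"><soap:Body>'
        '<o:PlaceOrder><customerId>ACM-000123</customerId><quantity>5</quantity>'
        '</o:PlaceOrder></soap:Body></soap:Envelope>')
INJECTED = GOOD.replace("<quantity>5</quantity>", "<quantity>5 OR 1=1</quantity>")
UNKNOWN_OP = GOOD.replace("PlaceOrder", "DeleteAllOrders")

if __name__ == "__main__":
    for label, msg in (("good", GOOD), ("injected", INJECTED), ("unknown", UNKNOWN_OP)):
        for level in ("structural", "datatype"):
            print(label, level, validate_soap(msg, level))
    print("reader may PlaceOrder:", authorize("reader", "PlaceOrder"))
```

The injected message passes the structural level and fails only at the data-type level, which is the practical argument for stating which level a product implements rather than claiming blanket XML Schema compliance.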

Page 10


XML Denial of Service Prevention

• Checking for XML well-formedness, nested element depth, element length, message size, external entities, attribute length, etc.

• Most XML Schema designers do not consider security

• Policies – QuickTree provides global and user-specific policies

• Implementation through inheritance, facets
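An added example, not QuickTree's code, of the XML denial-of-service checks listed above and on the Features slide, implemented as a streaming pre-filter over Python's expat binding: the message is fed in chunks and rejected at the first violated limit, so an oversized or deeply nested document is never read to the end. The `XmlLimits` class, its default values and the rejection messages are assumptions of this example, not figures from the deck.

```python
"""Added example, not QuickTree's code: a streaming XML pre-filter enforcing the
limits the slides list (well-formedness, nesting depth, element text length,
attribute length, message size, DTD/external entities). Limit values are constructed defaults."""
from dataclasses import dataclass
import xml.parsers.expat


@dataclass(frozen=True)
class XmlLimits:
    max_message_size: int = 1 << 20  # total bytes accepted (assumed default)
    max_depth: int = 32              # nested element depth (assumed default)
    max_attr_len: int = 256          # characters per attribute value (assumed default)
    max_text_len: int = 4096         # characters of text inside one element (assumed default)
    allow_dtd: bool = False          # a DTD is what enables entity expansion and external entities


class XmlRejected(Exception):
    """Raised as soon as a limit is violated; the rest of the message is never read."""


def check_xml(data: bytes, limits: XmlLimits = XmlLimits(), chunk_size: int = 512) -> dict:
    """Feed `data` to expat chunk by chunk (streaming mode) while enforcing `limits`.
    Returns simple statistics on success and raises XmlRejected otherwise."""
    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "max_depth": 0, "elements": 0}
    text_len = []  # one running text counter per currently open element

    def reject(reason):
        raise XmlRejected(reason)

    def on_doctype(*_args):
        if not limits.allow_dtd:
            reject("DTD not allowed (entity expansion / external entities)")

    def on_entity_decl(*_args):
        reject("entity declarations not allowed")

    def on_external_entity(*_args):
        reject("external entity reference not allowed")

    def on_start(name, attrs):
        state["depth"] += 1
        state["elements"] += 1
        state["max_depth"] = max(state["max_depth"], state["depth"])
        if state["depth"] > limits.max_depth:
            reject(f"nesting depth {state['depth']} exceeds {limits.max_depth}")
        for key, value in attrs.items():
            if len(value) > limits.max_attr_len:
                reject(f"attribute {key!r} longer than {limits.max_attr_len}")
        text_len.append(0)

    def on_end(_name):
        state["depth"] -= 1
        text_len.pop()

    def on_text(text):
        # expat may hand over one text node in several pieces, so count cumulatively
        if text_len:
            text_len[-1] += len(text)
            if text_len[-1] > limits.max_text_len:
                reject(f"element text longer than {limits.max_text_len}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_text

    consumed = 0
    try:
        for offset in range(0, len(data), chunk_size):
            chunk = data[offset:offset + chunk_size]
            consumed += len(chunk)
            if consumed > limits.max_message_size:  # checked before the chunk is parsed
                reject(f"message larger than {limits.max_message_size} bytes")
            parser.Parse(chunk, False)
        parser.Parse(b"", True)
    except xml.parsers.expat.ExpatError as exc:
        raise XmlRejected(f"not well-formed: {exc}") from None
    return {"max_depth": state["max_depth"], "elements": state["elements"]}


def reject_reason(data: bytes, limits: XmlLimits = XmlLimits()):
    """None when the message passes, otherwise the first reason it was rejected."""
    try:
        check_xml(data, limits)
    except XmlRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":  # constructed samples, one per limit
    for label, sample in {"clean": b'<a><b x="1">hi</b></a>', "deep": b"<a>" * 40 + b"</a>" * 40,
                          "dtd": b'<!DOCTYPE x [<!ENTITY a "aaaa">]><x>&a;</x>', "broken": b"<a><b></a>",
                          "attr": b'<a x="' + b"y" * 300 + b'"/>'}.items():
        print(f"{label:6} -> {reject_reason(sample) or 'accepted'}")
```

The limits are a global policy here; a user-specific policy as on the slide would simply select a different `XmlLimits` instance per authenticated caller before `check_xml` runs.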

Page 11


Validating Canonical XML

• Support for validating canonical XML

• Canonical form of a valid XML instance should be valid
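An added example, not QuickTree's code, of what canonicalisation does to an instance and why a validator has to work on the parsed structure rather than on the serialised bytes: three spellings of the same SOAP envelope are canonicalised with Python's `xml.etree.ElementTree.canonicalize` (Canonical XML 1.0), and a namespace-aware outline of the message is compared with a deliberately fragile text check. The sample messages and the helper names are constructed for this example.

```python
"""Added example, not QuickTree's code: what Canonical XML 1.0 (via
xml.etree.ElementTree.canonicalize) changes in a SOAP envelope, and why a check
keyed to lexical details rather than the infoset rejects the canonical form of an
instance it had previously accepted."""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed: one message written three ways. ONE and TWO differ only in
# attribute order and empty-element syntax; THREE also uses another prefix.
ONE = (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
       '<Order id="7" qty="2"/></soap:Body></soap:Envelope>')
TWO = (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
       '<Order qty="2" id="7"></Order></soap:Body></soap:Envelope>')
THREE = ONE.replace("soap:", "env:").replace("xmlns:soap", "xmlns:env")


def canonical(xml_text: str) -> str:
    """Canonical XML 1.0: attributes sorted, empty elements expanded, quoting normalised.
    C14N keeps the author's namespace prefix, so THREE still canonicalises differently."""
    return ET.canonicalize(xml_text)


def outline(xml_text: str) -> list:
    """Namespace-aware view of the instance: (expanded tag, sorted attributes) per element.
    This is what a schema validator sees, so it is identical for all three spellings."""
    return [(el.tag, sorted(el.attrib.items())) for el in ET.fromstring(xml_text).iter()]


def lexical_check(xml_text: str) -> bool:
    """A deliberately fragile check on the serialised text (prefix, attribute order,
    self-closing syntax): it accepts ONE but neither its canonical form nor THREE."""
    return '<soap:Body><Order id="7" qty="2"/>' in xml_text


if __name__ == "__main__":
    for label, doc in (("ONE", ONE), ("TWO", TWO), ("THREE", THREE)):
        print(label, "canonical:", canonical(doc))
        print(label, "outline:  ", outline(doc))
        print(label, "lexical check on canonical form:", lexical_check(canonical(doc)))
```

The outline is the same for every spelling and for every canonical form, which is the property the slide asks of a validator; the text check illustrates the kind of implementation that breaks once a signing or logging component canonicalises the message before it is validated.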

Page 12


Views or Aspects

• A given XML Schema is viewed in a different light by different users (network admin, application engineer, customer)

• Support for different aspects on the same XML Schema

• Example: Security aspect
  – Conformance/Compliance Levels: only do structural validation
  – Ignore Order/Canonicalization: canonical form of a valid XML instance should be valid
  – DoS configuration values
  – xsi:type support

Page 13


Contact Info

Sridhar Guthula

855 Embedded Way

San José, CA 95138-1018

USA

408-979-4800

[email protected]

Page 14


Q & A