[e-lang] HTTP server in Joe-E, a defensive programming exercise
Tyler Close
tyler.close at gmail.com
Mon Apr 30 23:57:46 EDT 2007
I've gradually been working through the remaining parts of the
Waterken Server, preparing them for release. As I do so, I've been
trying to practice defensive consistency to the greatest extent
possible. I think there's a lot left to learn in terms of how best to
structure and document code for defensive consistency.
I recently got the HTTP server code for the Waterken Server into a
presentable state and further thought that this code might be
interesting to study. Since there's an untrusted client (the remote
HTTP client) and assets to be protected (the server's filesystem),
there are readily understood attack scenarios. Figuring out how to
structure the code such that resistance to particular attacks can be
readily checked is an interesting exercise.
In addition to protecting the server against the remote client, I
also attempted to protect separate HTTP requests from each
other. For example, one request may be handled by a separate
server-side agent than a subsequent one. It would be nice to have the
property that one request is unable to interfere with a subsequent
one, aside from DoS issues. Look at the implementation of
org.waterken.net.http.Session to see how I've attempted to implement
this property.
You can download this code from:
http://waterken.sourceforge.net/download.html
(look at the additional files section under the ref_send download link)
In the Waterken Server security review, many of the bugs found were
bugs in this HTTP server code. Guarding against all malformed
input/output is tricky (and tiresome) work. Developing patterns that
limit the possible damage from buggy parsing code is an important
outcome here. I've made some progress here, but suspect there's more
to be made.
There's also been some recent discussion of security-review games
designed to find the dark corners in a codebase. The well-understood
attack scenarios for an HTTP server might make this code a good
playground for trying some of these games.
Tyler
--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/
Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/firefox/957/
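To make the two properties discussed above concrete (one request must not be able to interfere with the next, and a parsing bug must do bounded damage), here is an added example in Java. It is my own illustration, not code from the Waterken Server, org.waterken.net.http.Session, or anything posted on e-lang; the class name, the size limits and the sample byte streams are assumptions. The parser accepts only a narrow grammar, builds an immutable result, and on the first deviation throws so the connection is closed rather than resynchronised, which is what keeps the bytes of one malformed request from being read as the start of another.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.PushbackInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

/** Hypothetical strict HTTP/1.x request-head parser; example code, not Waterken's. */
public final class StrictRequestHead {
    static final int MAX_LINE = 8 * 1024;  // hard bound on one line, in bytes (assumed value)
    static final int MAX_HEADERS = 64;     // hard bound on header count (assumed value)

    /** Immutable parse result: a later request cannot alter what an earlier one produced. */
    public static final class Head {
        public final String method, target, version;
        public final List<String> headers;   // raw "Name: value" lines, unmodifiable
        public final long contentLength;     // -1 when absent
        Head(String m, String t, String v, List<String> h, long cl) {
            method = m; target = t; version = v;
            headers = Collections.unmodifiableList(new ArrayList<>(h));
            contentLength = cl;
        }
    }

    /** Any deviation from the grammar; the connection must then be closed, never resynchronised. */
    public static final class Malformed extends IOException {
        Malformed(String why) { super(why); }
    }

    /** Reads one CRLF-terminated line of printable ASCII within MAX_LINE bytes; anything else fails. */
    static String readLine(InputStream in) throws IOException {
        byte[] buf = new byte[MAX_LINE];
        int n = 0;
        for (;;) {
            int c = in.read();
            if (c < 0) throw new Malformed("EOF inside line");
            if (c == '\r') {
                if (in.read() != '\n') throw new Malformed("bare CR");
                return new String(buf, 0, n, StandardCharsets.US_ASCII);
            }
            if (c == '\n') throw new Malformed("bare LF");
            // Rejects tabs as well, deliberately stricter than the RFC's optional whitespace
            if (c < 0x20 || c > 0x7e) throw new Malformed("control or non-ASCII byte");
            if (n == MAX_LINE) throw new Malformed("line too long");
            buf[n++] = (byte) c;
        }
    }

    /** Parses the request line and headers, consuming exactly the head and stopping at the body. */
    public static Head parse(InputStream in) throws IOException {
        String[] rl = readLine(in).split(" ", -1);   // -1 keeps empty parts, so double spaces are caught
        if (rl.length != 3 || rl[0].isEmpty() || rl[1].isEmpty()
                || !(rl[2].equals("HTTP/1.1") || rl[2].equals("HTTP/1.0")))
            throw new Malformed("bad request line");
        List<String> headers = new ArrayList<>();
        long contentLength = -1;
        for (String line = readLine(in); !line.isEmpty(); line = readLine(in)) {
            if (headers.size() == MAX_HEADERS) throw new Malformed("too many headers");
            int colon = line.indexOf(':');
            // No leading whitespace (rejects obs-fold continuations) and no space before the colon
            if (colon <= 0 || line.charAt(0) == ' ' || line.charAt(colon - 1) == ' ')
                throw new Malformed("bad header line");
            String name = line.substring(0, colon).toLowerCase(Locale.ROOT);
            String value = line.substring(colon + 1).trim();
            if (name.equals("content-length")) {
                if (contentLength != -1 || !value.matches("[0-9]{1,18}"))
                    throw new Malformed("duplicate or non-numeric Content-Length");
                contentLength = Long.parseLong(value);
            } else if (name.equals("transfer-encoding")) {
                // Not implemented here, so refuse rather than guess where this request's body ends
                throw new Malformed("Transfer-Encoding unsupported");
            }
            headers.add(line);
        }
        return new Head(rl[0], rl[1], rl[2], headers, contentLength);
    }

    /** One connection: a fresh parse per request, body consumed exactly, closed on the first error. */
    public static List<String> serve(InputStream raw) {
        PushbackInputStream in = new PushbackInputStream(raw);
        List<String> log = new ArrayList<>();
        try {
            for (;;) {
                int first = in.read();
                if (first < 0) break;   // peer closed between requests: a clean end
                in.unread(first);
                Head h = parse(in);     // no parser state survives from the previous request
                for (long i = 0; i < h.contentLength; i++)
                    if (in.read() < 0) throw new Malformed("body shorter than Content-Length");
                log.add(h.method + " " + h.target);
            }
        } catch (IOException e) {
            log.add("closed: " + e.getMessage());   // remaining bytes are never read as requests
        }
        return log;
    }

    public static void main(String[] args) {
        // Constructed sample streams, not captured traffic.
        String clean = "GET /a HTTP/1.1\r\nHost: x\r\n\r\n"
                     + "POST /b HTTP/1.1\r\nHost: x\r\nContent-Length: 3\r\n\r\nabc";
        String ambiguous = "GET /c HTTP/1.1\r\nContent-Length: 3\r\nContent-Length: 0\r\n\r\n"
                         + "GET /d HTTP/1.1\r\nHost: x\r\n\r\n";
        for (String s : new String[] { clean, ambiguous })
            System.out.println(serve(new ByteArrayInputStream(s.getBytes(StandardCharsets.US_ASCII))));
    }
}
```

The second sample stream is the case the isolation property is about: the conflicting Content-Length headers make the body length of /c ambiguous, so instead of picking one and letting the leftover bytes be parsed as a request for /d, the connection is dropped and /d is never served from that stream. Because every bound is a constant and every result is immutable, a bug in the header loop can at worst reject a legitimate request or mis-describe one request to itself; it cannot leave state behind for the next one.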