7.2 Validation | Software Fortresses: Modeling Enterprise Architectures

Validation refers to the checking and rechecking of user input. One of the tricks that Bart learns in bad-guy school is how to exploit weaknesses in the guard, especially guards in Internet fortresses . In this scenario, Bart doesn't try to bypass Gwen the guard; he tries to trick her into doing something she shouldn't do. There are two ruses Bart will use to try to trick Gwen into becoming his willing accomplice.

In the first approach, Bart tries to overwhelm Gwen with large amounts of data, hoping to overwrite her allocated memory buffers. Bart sends much more data to Gwen than she is expecting. If Gwen doesn't check for this data excess, Bart can turn Gwen into his personal zombie. Gwen will now do anything Bart asks! And since Gwen is a trusted member of the inner sanctum, whatever Gwen asks, the rest of the fortress, having no idea that Gwen is now under the hypnotic spell of Bart, will do. Effectively, Bart has control of the entire fortress.

The technical term for Gwen's zombielike condition is a buffer overflow . Buffer overflows are probably the most common approach used by hackers to attack both presentation and Web service fortresses. The attacker enters large amounts of data into form fields, hoping to overwrite the memory addresses that control program flow. This approach allows a hacker to hijack the presentation (or Web service) fortress processes.

If Bart is thwarted in his attempt to cause Gwen's memory buffers to overflow, his next approach will be to send in scam data. Scam data is data that Bart hopes Gwen will pass to the inner fortress workers as real data, and that he further hopes will convince those workers to do something they normally wouldn't do.

For example, let's say that one of the parameters Gwen is expecting is an account ID. Gwen will pass that account ID on to an inner worker ”say, Walt ”who will subtract an amount from that account. Assume that Walt will find the account in the database using the SQL statement "Select * from accounts where accountID = account", where account is the parameter that Gwen passed through.

Bart is expected to pass in a string like "12345", which then will be passed through Gwen. But we know what Bart is like. Suppose that instead of passing in "12345", Bart passes in the string "1@". Now the SQL statement becomes "Select * from accounts where accountID = 1@". If the database interprets the @ character as a wildcard, then Bart will be able to subtract money from every account in the database. This is not exactly something that Walt would willingly do.

It is Gwen's responsibility to worry about unexpected characters in input fields. Unexpected characters are the sign of scam data attacks. If Gwen finds, for example, a quotation mark within a field that is expected to contain a user name , she must assume that she is under scam data attack. If user names should contain only letters , numbers , and underscores, then Gwen must treat any character that is not one of these as signaling a scam data attack.

Gwen needs to be highly suspicious of all user input. She must check each string character by character. She must examine the length of every string to be sure it meets length constraints. Gwen can never know what input is coming from a bona fide user and what input is coming from Bart the Bad.

If Gwen finds herself under attack, either by attempted buffer overflow or by scam data, she should take appropriate actions. She should not try to fix the data and then send it on to Walt the worker. She should reject the infogram containing the scam data in its entirety. If possible, she might want to take evasive actions to guard against further attacks. In an extreme case, she might even want to shut herself and her fortress down, sacrificing her own life to protect the greater good of the enterprise.