Access Control in Web Applications
Peter Trommler
Faculty of Computer Science, Georg Simon Ohm University, Nuremberg, Germany
U = R I
Agenda
• Programming errors and security
• Access control engineering
• Metamodel
• Implementation
www.ohm-university.eu
Context
• Web applications access corporate databases
• Hundreds if not thousands of vulnerabilities
• Vulnerabilities are symptoms
• Few root causes
Types of Programming Errors [Pfleeger]
• Buffer Overflow
  • int a[3]; a[3]=1;
• Incomplete Mediation
  • February 30; 4,99999999999995
  • code injection (SQL, shell, ...)
• Time-of-Check-Time-of-Use
  • back-end identifiers (primary key)
  • no check on parameter returned
Motivation
<form action="../../action/order.php4" method=post name="artikel_0">
<input type=hidden name='article[Title]' value='Card Reader Combo USB read/write'>
<input type=hidden name='article[VAT]' value='16'>
<input type=hidden name='article[Item_Number]' value='250001'>
<input type=hidden name='article[Price]' value='49,90 EUR'>
<input type=hidden name='article[Category]' value='/Angebote'>
“Solution”
<form action="../../action/order.php4" method=post name="artikel_0">
<input type=hidden name='article[Title]' value='Card Reader Combo USB read/write'>
<input type=hidden name='article[VAT]' value='16'>
<input type=hidden name='article[Item_Number]' value='250001'>
<input type=hidden name='article[Price]' value='49,90 EUR'>
<input type=hidden name='article[Category]' value='/Angebote'>
<input type="hidden" name="article[c]" value="fba45a02ebd931ce30a90fe18d263578">
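The two forms above, and the "no check on parameter returned" case on the programming-errors slide, share one root cause: the server acts on values the browser can edit. The added example below (not code from the slides or the shop they show) implements the server side a defender would want. A keyed MAC over the hidden fields makes the `article[c]` tag unforgeable; if that 32-hex-digit value were an unkeyed digest of the fields, a client could recompute it after editing, which is the caveat the scare quotes hint at. The stronger check follows: the price is resolved from a server-side catalog by item number, so the submitted price is never billed even when the tag verifies, and a mismatch between the two is logged as a tampering signal. `CATALOG`, `SERVER_SECRET` and the field order are constructed assumptions.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed catalog standing in for the shop's database: the only trusted
# source of item data. Keys are item numbers as they appear in the form.
CATALOG = {
    "250001": {
        "Title": "Card Reader Combo USB read/write",
        "Price": Decimal("49.90"),  # EUR
        "VAT": 16,
        "Category": "/Angebote",
    },
}

# Hypothetical server-side key. It never reaches the browser, which is what
# makes the tag below unforgeable by a client editing hidden fields.
SERVER_SECRET = b"constructed-example-key"

# Fixed field order so emitting and verifying sides serialize identically.
HIDDEN_FIELDS = ("Title", "VAT", "Item_Number", "Price", "Category")


def sign_fields(fields):
    """Keyed MAC (HMAC-SHA256) over the hidden fields as the server emitted them."""
    msg = "\x1f".join(f"{name}={fields.get(name, '')}" for name in HIDDEN_FIELDS)
    return hmac.new(SERVER_SECRET, msg.encode("utf-8"), hashlib.sha256).hexdigest()


def fields_are_intact(fields):
    """True only if the submitted 'c' tag equals a fresh MAC over the submitted values."""
    tag = fields.get("c", "")
    return hmac.compare_digest(sign_fields(fields), tag)


def parse_euro(text):
    """Parse the form's '49,90 EUR' style (decimal comma) into a Decimal."""
    amount = text.strip().split()[0].replace(",", ".")
    return Decimal(amount)


def price_mismatch(submitted):
    """Detection signal: a submitted Price differing from the catalog means the hidden
    field was edited (or the catalog changed since the form was rendered); log either way."""
    item = CATALOG.get(submitted.get("Item_Number"))
    return item is not None and parse_euro(submitted.get("Price", "0")) != item["Price"]


def order_total(submitted, quantity):
    """Price the order from the catalog by item number. The client's Price field is
    ignored even when the MAC verifies, so a tampered price can never be billed."""
    item = CATALOG.get(submitted.get("Item_Number"))
    if item is None or quantity < 1:
        return None
    return item["Price"] * quantity


def example():
    # Server renders the form: every value comes from the catalog, plus the MAC tag.
    emitted = {
        "Title": CATALOG["250001"]["Title"], "VAT": "16", "Item_Number": "250001",
        "Price": "49,90 EUR", "Category": "/Angebote",
    }
    emitted["c"] = sign_fields(emitted)
    # Constructed tampered submission: the client edited the hidden price.
    tampered = dict(emitted, Price="0,01 EUR")
    return (
        fields_are_intact(emitted),      # True: untouched form verifies
        fields_are_intact(tampered),     # False: edited field breaks the MAC
        price_mismatch(tampered),        # True: worth an alert
        str(order_total(tampered, 2)),   # "99.80": catalog price, not the client's
    )
```

Serializing with a separator and a fixed field order matters: concatenating values without one lets two different field sets produce the same MAC input. The catalog lookup is the check that actually removes the trust in the client; the MAC only detects edits to data the server itself emitted.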
Challenges
• Access control decisions everywhere
• Difficult to
  • check completeness
  • audit for correctness
  • read and understand
• Dependencies on other code
• Separate AC from app code
Web Application Protection Mechanisms
• Reject “illegal” transactions
• Interception mechanism, from the Internet inward:
  • Application Firewall
  • Filtering Servlet
  • AOP, MDA before/after methods
  • Parameterized Views
  • SQL Screening
Business Rule or Security
• Show list of customer’s accounts
  • omit one: business
  • show one too many: security
• Many business rules have security flavor
• Challenge: extract security requirements
Access Control Engineering
• Identify access control requirements early
• Refine with refining of functional requirements
• Automate steps
• Verify correctness of refinements
• Manually review rule set (audit)
Security Requirements Engineering [Giorgini]
• Object-level modeling
  • re-use requirements framework
  • i*/Tropos, KAOS, UML
  • hard to model more general rules
• Meta-level modeling
  • add new linguistic constructs
  • UMLSec [Jürjens], Secure UML [Lodderstedt]
  • integration with MDA
Observation: User’s “Own” Data
• Navigate relations between tables/classes
• Restrict access
  • columns/fields
  • methods
• OO-Views
• Parameterized Views [Roichman]
• Anchor entity/object
Temporal Logic
• View solution after assignment submitted
• Can submit assignment only once
• Temporal Logic of Actions vs. Interval Temporal Logic [Janicke]
• Traces in database
  • certain object exists
• AC decision depends on current system state
Modeling Implementation Level
• Reachability in relations graph
  • O(n)
  • n: # objects in transitive closure (“own” objects)
  • caching
• AC method/fields through facades
  • additional call indirection
  • static check
• Existence of traces
  • O(1): hashes, DB indices
Implementation
• specify trace for each temporal quantifier
• specify navigation graph for each subject role
• Manual
  • specify object level rules
  • verify correctness [Hu]
• Automatic
  • generate code
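The added example below (not the slides' metamodel or their generated code) implements the two implementation-level mechanisms that the "Own" Data, Temporal Logic, Modeling Implementation Level and Implementation slides describe: "own" data as reachability from an anchor object over a per-role navigation graph (breadth-first, O(n) in the transitive closure, memoised), and temporal rules such as "submit only once" and "view solution after submitting" as O(1) existence checks on a trace store. All object-level rules are evaluated at one mediation point that denies by default. The object graph, the `customer` role, its navigation graph and the rule set are constructed assumptions.

```python
from collections import deque

# Constructed object graph: node -> list of (relation, neighbour). Stands in for
# foreign-key relations between tables or associations between classes.
RELATIONS = {
    ("user", "alice"): [("owns", ("account", "A1")), ("owns", ("account", "A2"))],
    ("account", "A1"): [("has", ("txn", "T1")), ("serviced_by", ("employee", "E7"))],
    ("account", "A2"): [],
    ("user", "bob"): [("owns", ("account", "B1"))],
    ("account", "B1"): [("has", ("txn", "T9"))],
}

# Navigation graph per subject role: the relations a role may follow from its anchor.
# A customer may not walk from an account to the employee servicing it.
NAVIGATION = {"customer": {"owns", "has"}}

# (anchor, role) -> reachable set. Must be invalidated whenever RELATIONS changes.
_closure_cache = {}


def own_objects(anchor, role):
    """Transitive closure from the anchor over permitted relations: BFS, O(n) in reachable objects."""
    key = (anchor, role)
    if key not in _closure_cache:
        allowed = NAVIGATION.get(role, set())
        seen, queue = {anchor}, deque([anchor])
        while queue:
            node = queue.popleft()
            for relation, target in RELATIONS.get(node, []):
                if relation in allowed and target not in seen:
                    seen.add(target)
                    queue.append(target)
        _closure_cache[key] = frozenset(seen)
    return _closure_cache[key]


# Trace store: one entry per completed action. Membership is a single lookup; a unique
# DB index on (subject, action, object) gives the same O(1) existence check.
TRACES = set()


def record(subject, action, obj):
    TRACES.add((subject, action, obj))


def occurred(subject, action, obj):
    return (subject, action, obj) in TRACES


# Object-level rules. Temporal quantifiers ("once", "after") become trace predicates over
# the current state; the "own data" rule becomes reachability from the user's anchor.
RULES = {
    "read": lambda user, role, obj: obj in own_objects(("user", user), role),
    "submit": lambda user, role, obj: not occurred(("user", user), "submit", obj),
    "view_solution": lambda user, role, obj: occurred(("user", user), "submit", obj),
}


def decide(user, role, action, obj):
    """Single mediation point: an action with no rule is denied."""
    rule = RULES.get(action)
    return bool(rule and rule(user, role, obj))


def perform(user, role, action, obj):
    """Check, act, then record the trace so later temporal rules observe it."""
    if not decide(user, role, action, obj):
        return False
    record(("user", user), action, obj)
    return True


def example():
    hw = ("assignment", "HW1")
    return (
        decide("alice", "customer", "read", ("txn", "T1")),       # own transaction
        decide("alice", "customer", "read", ("txn", "T9")),       # bob's: unreachable
        decide("alice", "customer", "read", ("employee", "E7")),  # relation not navigable
        decide("alice", "customer", "view_solution", hw),         # nothing submitted yet
        perform("alice", "customer", "submit", hw),               # first submission
        perform("alice", "customer", "submit", hw),               # second one: denied
        decide("alice", "customer", "view_solution", hw),         # now allowed
    )
```

The check-then-record order in `perform` is where the slides' time-of-check-to-time-of-use concern lands in practice: in a real deployment the decision and the trace insert belong in one transaction (or rely on the unique index to reject a duplicate), otherwise two concurrent submissions can both pass the "not yet submitted" check.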
Conclusion
• Time-of-Check-Time-of-Use
• Web application partially untrusted
• Separate access control from application code
• Metamodel
• Efficient implementation
• Code generation
References
[Pfleeger] C. P. Pfleeger, S. Lawrence Pfleeger: Security in Computing, 4th ed., Prentice Hall PTR, 2006.
[Giorgini] P. Giorgini, F. Massacci, N. Zannone: Security and Trust Requirements Engineering.
[Jürjens] J. Jürjens: Secure Systems Development with UML, Springer Verlag, 2004.
[Lodderstedt] T. Lodderstedt, D. Basin, J. Doser: A UML-based Modeling Language for Model Driven Security, in Proc. of UML’02, LNCS 2460, Springer Verlag, 2002.
[Roichman] A. Roichman, E. Gudes: Fine-grained Access Control to Web Databases, in Proc. of SACMAT’07, ACM, 2007.
[Janicke] H. Janicke, A. Cau, H. Zedan: A note on the formalization of UCON, in Proc. of SACMAT’07, ACM, 2007.
[Hu] H. Hu, G.-J. Ahn: Enabling Verification and Conformance Testing for Access Control Model, in Proc. of SACMAT’08, ACM, 2008.