Static Analysis of Role-Based Access Control in J2EE Applications
TAV–WEB 2004
Gleb Naumovich and Paolina Centonze
Department of Computer and Information Science, Polytechnic University
gleb@poly.edu & pcento02@utopia.poly.edu
Introduction
• New technique for security analysis of J2EE applications
• It identifies situations in which too much or too little access is given to security-sensitive resources
• It uses static analysis to analyze J2EE programs and access control policies with respect to security-sensitive EJB fields
Architecture of J2EE Applications
[Figure: the four tiers of a J2EE application and the protocols between them. Client tier (HTTP/HTTPS, RMI-IIOP or a proprietary protocol) → Web tier (HTTP server and servlet container running servlets/JSPs) → Business tier (EJB container running enterprise beans, reached over RMI-IIOP or locally) → Information System tier (database, reached over JDBC).]
Role-Based Access Control in J2EE
• In J2EE, resources are EJB methods, servlets, JSPs, and URLs
• Developers and deployers must determine:
  • Which roles make sense for an application
  • Which EJB methods and Web resources each role should be allowed to call
[Figure: roles r1, r2, r3 mapped to protected resources.]
EJB Interface and Implementation
[Figure: a client calls getGrade() and getAllGrades() through the remote interface; the EJB class implements both, and getGrade() also calls log().]

```java
import java.rmi.RemoteException;
import java.util.Map;
import java.util.Set;

// Remote interface: the operations a client can invoke, and the
// granularity at which J2EE access control is specified.
public interface Gradebook extends javax.ejb.EJBObject {
    public Grade getGrade(Student s, Homework h) throws RemoteException;
    public Map getAllGrades(Student s) throws RemoteException;
    public void addHomework(Homework h) throws RemoteException;
    public void removeHomework(Homework h) throws RemoteException;
    public Set homeworks() throws RemoteException;
    public void setGrade(Grade g, Student s, Homework h) throws RemoteException;
}

// EJB class: the two private fields are the security-sensitive data that
// the remote methods read and write.
public class StoreBean implements javax.ejb.EntityBean {
    private Set homeworks;
    private Map studentsToHomeworksToGrades;

    public Grade getGrade(Student s, Homework h) {
        if (!this.homeworks.contains(h))
            throw new NoSuchHomeworkException(h);
        log();
        return (Grade) ((Map) this.getAllGrades(s)).get(h);
    }

    public Map getAllGrades(Student s) {
        Map result = (Map) this.studentsToHomeworksToGrades.get(s);
        if (result == null)
            throw new NoSuchStudentException(s);
        return result;
    }

    public void log() {
        // ...
    }

    // Other remote methods implemented here
}
```
J2EE Access Policy
[Figure: client roles Student and Professor mapped onto the Gradebook interface methods addHomework(), removeHomework(), homeworks(), getGrade(), setGrade() and getAllGrades().]

The assembly descriptor declares the two roles and grants Professor the methods addHomework, removeHomework, setGrade and getAllGrades of the Gradebook interface shown on the previous slide:

```xml
<assembly-descriptor>
  <security-role>
    <description>Students</description>
    <role-name>Student</role-name>
  </security-role>
  <security-role>
    <description>Teachers</description>
    <role-name>Professor</role-name>
  </security-role>
  <method-permission>
    <role-name>Professor</role-name>
    <method>
      <ejb-name>Gradebook</ejb-name>
      <method-name>addHomework</method-name>
    </method>
    <method>
      <ejb-name>Gradebook</ejb-name>
      <method-name>removeHomework</method-name>
    </method>
    <method>
      <ejb-name>Gradebook</ejb-name>
      <method-name>setGrade</method-name>
    </method>
    <method>
      <ejb-name>Gradebook</ejb-name>
      <method-name>getAllGrades</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
```
Limitation of the J2EE Access Control Model
• Today, access control is defined in terms of operations on components, instead of the data encapsulated and used by the components
• This mismatch can lead to security problems; our work aims to address it
Access Control on Methods May Create Security Problems
• Multiple methods for reading and writing the same data
[Figure: Professor is granted setGrade(), getAllGrades(), removeGrade(), getHomeworkGrades(), modifyGrade() and getMidtermGrades(); Student is granted getAllGrades(), getHomeworkGrades(), setData(), getMidtermGrades() and getFinalGrades(); all of these methods access the security-sensitive field grades.]
Access Control on Data Can Enhance Security
• Access control on data can be more straightforward and convenient, and less error-prone
[Figure: Professor has read and write access to the security-sensitive field grades; Student has read access only.]
Static Analysis Can Help Validate Existing Policies
• Even when access control is specified on the basis of methods, it may still be useful to validate the security policy based on the data accessed by these methods
[Figure: the same method-based policy as before (Professor: setGrade(), getAllGrades(), removeGrade(), getHomeworkGrades(), modifyGrade(), getMidtermGrades(); Student: getAllGrades(), getHomeworkGrades(), setData(), getMidtermGrades(), getFinalGrades()), with every method accessing the security-sensitive field grades.]
Steps of Our Analysis
[Figure: the analysis pipeline. The bytecode to be analyzed is input to the Points-to Analyzer, which outputs a points-to graph; the Static Analyzer takes that graph and outputs the EJB fields written/read by each method; the J2EE Security Analyzer takes those fields together with the J2EE access policy and outputs inconsistencies/security problems for the deployer or analyst.]
APE Graph
• Our analysis requires computing which EJB fields may be read and/or modified by an EJB method
• It uses a points-to graph to compute this information
• The specific graph used is the Annotated Points-to Escape (APE) graph of Souter and Pollock:
  A. L. Souter and L. L. Pollock. The construction of contextual def-use associations for object-oriented systems. IEEE Trans. Softw. Eng., 29(11):1005–1018, 2003
• For our approach to be useful, we also have to analyze fields of primitive types
Example of an APE Graph

```java
public class StoreBean implements javax.ejb.EntityBean {
    private Map studentsToHomeworksToGrades;
    // ...
    public Map getAllGrades(Student s) {
        // Reads the EJB field, then the map entry for s
        Map result = (Map) this.studentsToHomeworksToGrades.get(s);
        if (result == null)
            throw new NoSuchStudentException(s);
        return result;
    }
    // ...
}
```

[Figure: APE graph for method getAllGrades(), with object nodes o1–o5, the entry node, this, the parameter s and the local result, and load edges including one labelled studentsToHomeworksToGrades.]
Read/Write for EJB Fields
An EJB field f is read/written by a method m if the value of f is accessed/modified by the thread executing m while m is on the call stack.
[Figure: a thread executing m, with m1 and m2 called beneath it on the call stack, reading or writing field f.]
Field Sequences
• It is important to analyze the reads/writes of fields of objects that are referenced by EJB fields, besides the EJB fields themselves
• A field sequence f0,f1,…,fk is a series of field dereferences, where f0 is an EJB field and, for i=1,…,k, fi is a field in one of the possible classes for object fi–1
• Essentially, f0,f1,…,fk represents objects that can potentially be reached from an EJB object via a number of field dereferences

```java
import javax.ejb.EntityBean;

// Semester is the EJB; calculus, assistant and name form a field sequence
// that reaches a String from the EJB object via three dereferences.
public class Semester implements EntityBean {
    Course calculus;
    // ...
}
public class Course {
    Student assistant;
    // ...
}
public class Student {
    String name;
    int ssn;
    // ...
}
```

[Figure: the field sequence calculus, assistant, name traverses objects o1 → o2 → o3 → o4.]
Determining Whether a Field Sequence May Be Written by a Method
A field sequence f0,f1,…,fk is written by a method m if a prefix f0,…,fj, j ≤ k, of this sequence is present in the APE graph for m, and the edge for fj is labeled store.
[Figure: APE graph before the statement t.f2 = u. The EJB field f0 is at the root; the edges for f0 and f1 are labeled load, the edge for f2 (from the object t points to, to the object u points to) is labeled store, and f3 continues from there. Field sequences written: f0,f1,f2 and f0,f1,f2,f3. Field sequences partially written: f0 and f0,f1.]
Determining Whether a Field Sequence May Be Read by a Method
A field sequence f0,f1,…,fk is read by a method m if this sequence is present in the APE graph for m and the edge for fk is labeled load.
[Figure: APE graph after the statement u = t.f3, with edges f0 through f4 from the EJB field and the edge for f3 labeled load. Field sequences read: f0,f1,f2,f3. Field sequences partially read: f0; f0,f1; f0,f1,f2.]
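The two rules above, as an added example that is not the authors' tool: a small APE-graph fragment is walked from the EJB object and every field sequence is classified as written, partially written, read or partially read. The Edge type, the two graph fragments and the max_len bound are constructed here for illustration.

```python
from collections import namedtuple

# An APE-graph edge: object node src --field--> object node dst, annotated with the access
# that created or used it ("load" or "store"), or None for a plain points-to edge.
Edge = namedtuple("Edge", "src field dst label")

# Constructed fragment for the slide's picture before the statement t.f2 = u: o0 is the
# EJB object, t points to o2, u points to o5, and o5.f3 already points to o6.
APE_AFTER_STORE = [Edge("o0", "f0", "o1", "load"), Edge("o1", "f1", "o2", "load"),
                   Edge("o2", "f2", "o5", "store"), Edge("o5", "f3", "o6", None)]
# Constructed fragment for the picture after u = t.f3: only the f3 edge was loaded here.
APE_AFTER_LOAD = [Edge("o0", "f0", "o1", None), Edge("o1", "f1", "o2", None),
                  Edge("o2", "f2", "o3", None), Edge("o3", "f3", "o4", "load"),
                  Edge("o4", "f4", "o5", None)]

def field_sequences(edges, root, max_len=8):
    """All field sequences rooted at the EJB object, each with the labels of its edges.
    max_len bounds the walk so that cyclic points-to graphs still terminate."""
    out = []
    def walk(node, seq, labels):
        if len(seq) == max_len:
            return
        for e in edges:
            if e.src == node:
                out.append((seq + (e.field,), labels + (e.label,)))
                walk(e.dst, seq + (e.field,), labels + (e.label,))
    walk(root, (), ())
    return out

def classify(edges, root):
    """Slides' rules: a sequence is written if some prefix ends in a store edge and read if
    its own last edge is a load; proper prefixes of those are partially written/read."""
    written, read = set(), set()
    for seq, labels in field_sequences(edges, root):
        if "store" in labels:
            written.add(seq)
        if labels[-1] == "load":
            read.add(seq)
    prefixes = lambda s: {s[:i] for i in range(1, len(s))}
    return {"written": written,
            "partially_written": set().union(*map(prefixes, written)) - written,
            "read": read,
            "partially_read": set().union(*map(prefixes, read)) - read}
```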
Action of the J2EE Security Analyzer
[Figure: the analysis pipeline with its intermediate results. The Points-to Analyzer takes the bytecode to be analyzed and outputs a points-to graph; the Static Analyzer turns it into EJB field sequences with read/write access modes (methods to fields and access modes); the J2EE Security Analyzer combines these with the J2EE access policy (roles to methods) to produce roles to methods to fields and access modes, for example Student → setGrade() → grades (write), and reports inconsistencies/security problems to the deployer or analyst.]
Computing Field Sequences Accessed By EJB Methods
[Table: for each EJB method (m1, m2, m3), the field sequences it reads, partially reads, writes and partially writes; the sequences shown include f0; f0,f1; f0,f3,f5; f2,f3,f4; f4,f2,f5,f7; f2,f4,f5,f7.]
Potential Inconsistencies Detected And Reasons
• An inconsistency may indicate that:
  • Professor should have been granted access to method m3
  • Professor should not have been granted access to method m1
  • m1 contains a bug: it should not have accessed field grades
  • m3 contains a bug: it should have accessed another security-sensitive field, address
[Figure: role Professor, methods m1 and m3 with write edges to security-sensitive fields; the sensitive fields shown are grades, ssn, salary and address.]
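An added example (not the paper's analyzer) of the join the J2EE Security Analyzer performs: roles to methods are read from the slides' assembly descriptor, methods to field sequences come from a constructed stand-in for the static analyzer's output, and each role's access to a sensitive field sequence is listed together with the methods denied to that role that would give the same access, which is the situation the slide above asks the deployer to review. The Student permission, the ACCESS table and the SENSITIVE list are constructed here, not taken from the paper.

```python
import xml.etree.ElementTree as ET
# Trimmed from the slides' deployment descriptor; the Student permission is constructed, not from the paper.
POLICY_XML = """<assembly-descriptor>
 <method-permission><role-name>Professor</role-name>
  <method><ejb-name>Gradebook</ejb-name><method-name>setGrade</method-name></method>
  <method><ejb-name>Gradebook</ejb-name><method-name>getAllGrades</method-name></method>
 </method-permission>
 <method-permission><role-name>Student</role-name>
  <method><ejb-name>Gradebook</ejb-name><method-name>getHomeworkGrades</method-name></method>
 </method-permission>
</assembly-descriptor>"""

# Constructed stand-in for the static analyzer's output: per method, the field sequences
# (rooted at an EJB field) whose last APE-graph edge is a load or a store.
ACCESS = {
    "getAllGrades":      {("grades",): "load"},
    "getHomeworkGrades": {("grades", "homework"): "load"},
    "setGrade":          {("grades", "homework"): "store"},
    "modifyGrade":       {("grades",): "store"},  # granted to no role in POLICY_XML
}
SENSITIVE = [("grades",), ("grades", "homework"), ("grades", "midterm")]

def roles_to_methods(xml_text):
    """Role -> EJB method names granted to it by the <method-permission> elements."""
    grants = {}
    for perm in ET.fromstring(xml_text).iter("method-permission"):
        names = {m.findtext("method-name") for m in perm.findall("method")}
        for role in perm.findall("role-name"):
            grants.setdefault(role.text, set()).update(names)
    return grants

def method_modes(method, seq):
    """Slides' rules: a store on any prefix of seq writes seq; a load of exactly seq reads it."""
    modes = set()
    for acc, label in ACCESS.get(method, {}).items():
        if label == "store" and seq[:len(acc)] == acc:
            modes.add("write")
        elif label == "load" and acc == seq:
            modes.add("read")
    return modes

def role_field_access(xml_text):
    """(role, seq, mode) -> (granted methods giving that access, denied methods giving the same)."""
    grants, report = roles_to_methods(xml_text), {}
    for role, methods in grants.items():
        for seq in SENSITIVE:
            for mode in ("read", "write"):
                have = {m for m in methods if mode in method_modes(m, seq)}
                if have:  # a non-empty denied list is a candidate inconsistency for the deployer
                    denied = {m for m in ACCESS if m not in methods and mode in method_modes(m, seq)}
                    report[(role, seq, mode)] = (sorted(have), sorted(denied))
    return report
```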
Future Work
• Implement our technique as a tool with a GUI that presents problems to the analysts
• Implement a J2EE deployment tool that allows a deployer to specify role-based access control policies in terms of fields, not only methods
  • The tool will convert specifications based on fields to specifications based on methods using a dependency analysis similar to the one described
• Experiment with a variety of Web applications to evaluate the tool's usefulness
For More Information
• e-mail to: gleb@poly.edu & paolina@photon.poly.edu
Thank you for your presence and participation!