Access Control in Web Applications
Peter Trommler, Faculty of Computer Science
Georg Simon Ohm University Nuremberg, Germany
U = R I
www.ohm-university.eu
Prof. Dr. Peter Trommler, Faculty of Computer Science
Agenda
Programming errors and security
Access control engineering
Metamodel
Implementation
Context
Web applications access corporate databases
Hundreds if not thousands of vulnerabilities
Vulnerabilities are symptoms
Few root causes
Types of Programming Errors [Pfleeger]
Buffer overflow: int a[3]; a[3]=1;
Incomplete mediation: February 30; 4,99999999999995
  code injection (SQL, shell, ...)
Time-of-Check-Time-of-Use: back-end identifiers (primary key)
  no check on parameter returned
Motivation
<form action="../../action/order.php4" method=post name="artikel_0">
<input type=hidden name='article[Title]' value='Card Reader Combo USB read/write'>
<input type=hidden name='article[VAT]' value='16'>
<input type=hidden name='article[Item_Number]' value='250001'>
<input type=hidden name='article[Price]' value='49,90 EUR'>
<input type=hidden name='article[Category]' value='/Angebote'>
“Solution”
<form action="../../action/order.php4" method=post name="artikel_0">
<input type=hidden name='article[Title]' value='Card Reader Combo USB read/write'>
<input type=hidden name='article[VAT]' value='16'>
<input type=hidden name='article[Item_Number]' value='250001'>
<input type=hidden name='article[Price]' value='49,90 EUR'>
<input type=hidden name='article[Category]' value='/Angebote'>
<input type="hidden" name="article[c]" value="fba45a02ebd931ce30a90fe18d263578">
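Worked example for the two order-form slides above, added here and not part of the original presentation. The server checks the price when it renders the hidden fields and then uses whatever the browser posts back, the Time-of-Check-Time-of-Use gap from the Programming Errors slide. The “Solution” slide appends a hash field `c`; the slides do not say how `c` is computed, so the keyed HMAC-SHA256 below, the key and the catalogue are assumptions, as are all function names. The last function shows the fix that makes the hash unnecessary: accept only the item number and re-read the price on the server.

```python
"""Hidden order-form fields: trusting the client, signing the fields, re-reading the price.

Added example, not code from the slides.  CATALOGUE, SERVER_KEY and the
function names are assumptions; the field names follow the slide's form.
"""
import hashlib
import hmac
from decimal import Decimal

# Constructed server-side catalogue, keyed by item number (assumption).
CATALOGUE = {
    "250001": {"Title": "Card Reader Combo USB read/write", "VAT": "16",
               "Price": "49,90 EUR", "Category": "/Angebote"},
}
# Assumed server-only secret; a real deployment loads it from configuration.
SERVER_KEY = b"example-key-do-not-use"
SIGNED_FIELDS = ("Title", "VAT", "Item_Number", "Price", "Category")


def parse_price(text):
    """'49,90 EUR' -> Decimal('49.90') (German decimal comma)."""
    return Decimal(text.split()[0].replace(",", "."))


def total_trusting_client(article, quantity=1):
    """Vulnerable: the price checked at render time is replaced by whatever
    the browser posts back (the TOCTOU gap of the Motivation slide)."""
    return parse_price(article["Price"]) * quantity


def sign_article(article, key=SERVER_KEY):
    """Keyed MAC over the hidden fields; an unkeyed hash could be recomputed by the client."""
    msg = "\x1f".join(f"{k}={article[k]}" for k in SIGNED_FIELDS).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_article(article, key=SERVER_KEY):
    """The 'Solution' check: False if 'c' is missing, malformed or does not match."""
    tag = article.get("c")
    if not isinstance(tag, str) or not tag.isascii():
        return False
    if any(k not in article for k in SIGNED_FIELDS):
        return False
    return hmac.compare_digest(tag, sign_article(article, key))


def total_from_catalogue(article, quantity=1):
    """Preferred fix: the only client input used is the item number; price, VAT
    and title are read again from the server side at order time."""
    item = CATALOGUE.get(article.get("Item_Number"))
    if item is None:
        raise KeyError("unknown item number")
    return parse_price(item["Price"]) * quantity


def demo():
    """Render the hidden fields, tamper with the price, run all three paths."""
    rendered = dict(CATALOGUE["250001"], Item_Number="250001")
    rendered["c"] = sign_article(rendered)
    tampered = dict(rendered, Price="0,01 EUR")
    return {
        "trusting_client": total_trusting_client(tampered),
        "signature_ok_rendered": verify_article(rendered),
        "signature_ok_tampered": verify_article(tampered),
        "from_catalogue": total_from_catalogue(tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Even with a correct MAC the server still ships data it will later act on and must keep the key out of the client's reach; re-reading the price by item number removes the check-then-use window altogether, which is why the slide puts “Solution” in quotes.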
Challenges
Access control decisions everywhere
Difficult to: check completeness; audit for correctness; read and understand
Dependencies on other code
Separate access control (AC) from application code
Protection Mechanisms
Reject “illegal” transactions
Interception mechanisms (diagram, from the Internet to the back end):
  in front of the web application: application firewall, filtering servlet
  inside the web application: AOP, MDA (before/after methods)
  between web application and database: parameterized views, SQL screening
Business Rule or Security
Show list of customer’s accounts
omit one: business
show one too many: security
Many business rules have security flavor
Challenge: extract security requirements
Access Control Engineering
Identify access control requirements early
Refine them together with the functional requirements
Automate steps
Verify correctness of refinements
Manually review rule set (audit)
Security Requirements Engineering [Giorgini]
Object-level modeling: reuse a requirements framework (i*/Tropos, KAOS, UML); hard to model more general rules
Meta-level modeling: add new linguistic constructs (UMLsec [Jürjens], SecureUML [Lodderstedt]); integration with MDA
Observation: User’s “Own” Data
Navigate relations between tables/classes
Restrict access to columns/fields and methods
OO views, parameterized views [Roichman]
Anchor entity/object
Temporal Logic
View solution only after assignment submitted
Can submit assignment only once
Temporal Logic of Actions vs. Interval Temporal Logic [Janicke]
Traces in database: a certain object exists
AC decision depends on current system state
Modeling Implementation Level
Reachability in relations graph: O(n)
  n: # objects in transitive closure (“own” objects)
  caching
AC on methods/fields through facades: additional call indirection
  static check
Existence of traces: O(1) (hashes, DB indices)
Implementation
Manual:
  specify trace for each temporal quantifier
  specify navigation graph for each subject role
  specify object-level rules
Automatic:
  verify correctness [Hu]
  generate code
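Added example (not the slides' code) of the implementation sketched on the “Own” Data, Temporal Logic, Modeling Implementation Level and Implementation slides, and of the “before methods” interception from the Protection Mechanisms slide: a subject role carries a navigation graph rooted at an anchor entity, an object is the user's own if it is reachable along the declared relations (O(n) in the transitive closure, cached per request), and temporal rules are decided by the presence or absence of a trace row, an O(1) indexed lookup. The rules sit in a decorator, so the application functions contain no checks. All tables, roles, rules, names and data are constructed assumptions.

```python
"""Access control kept out of the application code (added example, not the slides' code).

Ownership = reachability from the subject's anchor along the role's navigation
graph; temporal rules = existence/absence of a trace row.  Both are enforced by
a before-method interceptor.  Tables, roles and rules are constructed.
"""
from functools import wraps

# Constructed in-memory database: table -> primary key -> row.
DB = {
    "customer": {"c1": {}, "c2": {}},
    "account": {"a1": {"customer": "c1"}, "a2": {"customer": "c1"}, "a3": {"customer": "c2"}},
    "txn": {"t1": {"account": "a1"}, "t2": {"account": "a3"}},
    # trace table for the temporal rules, keyed (student, assignment)
    "submission": {("c1", "hw1"): {"text": "c1's answer"}},
}

# Navigation graph per subject role: (parent table, fk column in child, child table).
NAV_GRAPH = {
    "customer": [("customer", "customer", "account"), ("account", "account", "txn")],
}


class Denied(PermissionError):
    """Raised by the interceptor; the application function never runs."""


def own_objects(role, anchor_table, anchor_id):
    """Transitive closure of the anchor along the role's navigation graph: O(n)."""
    owned = {(anchor_table, anchor_id)}
    frontier = [(anchor_table, anchor_id)]
    while frontier:
        table, pk = frontier.pop()
        for parent, fk, child in NAV_GRAPH.get(role, ()):
            if parent != table:
                continue
            for cid, row in DB[child].items():
                if row.get(fk) == pk and (child, cid) not in owned:
                    owned.add((child, cid))
                    frontier.append((child, cid))
    return owned


class Subject:
    """Authenticated principal: role plus anchor object, with a per-request cache."""

    def __init__(self, role, anchor_table, anchor_id):
        self.role, self.anchor_table, self.anchor_id = role, anchor_table, anchor_id
        self._closure = None

    def owns(self, table, pk):
        if self._closure is None:
            self._closure = own_objects(self.role, self.anchor_table, self.anchor_id)
        return (table, pk) in self._closure


def trace_exists(table, key):
    """O(1): a trace is the existence of a row under an indexed key."""
    return key in DB[table]


def guarded(own=None, exists=None, absent=None):
    """Before-method interception.  own=(table, kwarg) is a reachability rule;
    exists/absent=(table, key_fn) require a trace to be present/missing."""
    def deco(fn):
        @wraps(fn)
        def wrapper(subject, **kw):
            if own is not None and not subject.owns(own[0], kw[own[1]]):
                raise Denied(f"{own[0]} {kw[own[1]]!r} not reachable from {subject.anchor_id}")
            if exists is not None and not trace_exists(exists[0], exists[1](subject, kw)):
                raise Denied("required trace missing")
            if absent is not None and trace_exists(absent[0], absent[1](subject, kw)):
                raise Denied("trace already present")
            return fn(subject, **kw)
        return wrapper
    return deco


def submission_key(subject, kw):
    return (subject.anchor_id, kw["assignment_id"])


def denied(fn, subject, **kw):
    """True if the interceptor rejects the call (used by callers and tests)."""
    try:
        fn(subject, **kw)
    except Denied:
        return True
    return False


# Application code: the rules are declared, not coded into the bodies.
@guarded(own=("account", "account_id"))
def list_transactions(subject, account_id):
    return sorted(t for t, row in DB["txn"].items() if row["account"] == account_id)


@guarded(absent=("submission", submission_key))
def submit_assignment(subject, assignment_id, text):
    DB["submission"][(subject.anchor_id, assignment_id)] = {"text": text}
    return True


@guarded(exists=("submission", submission_key))
def view_solution(subject, assignment_id):
    return f"model solution for {assignment_id}"


if __name__ == "__main__":
    alice = Subject("customer", "customer", "c1")
    print(list_transactions(alice, account_id="a1"))        # ['t1']
    print(denied(list_transactions, alice, account_id="a3"))  # True: a3 belongs to c2
```

A request for an account that is not reachable is denied whether or not the account exists, so the check leaks nothing about other customers' keys; and because the decision depends on the current database state (the submission trace), it is re-evaluated on every call rather than cached like the ownership closure.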
Conclusion
Time-of-Check-Time-of-Use
Web application partially untrusted
Separate access control from application code
Metamodel
Efficient implementation
Code generation
References
[Pfleeger] C. P. Pfleeger, S. Lawrence Pfleeger: Security in Computing, 4th ed., Prentice Hall PTR, 2006.
[Giorgini] P. Giorgini, F. Massacci, N. Zannone: Security and Trust Requirements Engineering.
[Jürjens] J. Jürjens: Secure Systems Development with UML, Springer Verlag, 2004.
[Lodderstedt] T. Lodderstedt, D. Basin, J. Doser: A UML-based Modeling Language for Model Driven Security, in Proc. of UML’02, LNCS 2460, Springer Verlag, 2002.
[Roichman] A. Roichman, E. Gudes: Fine-grained Access Control to Web Databases, in Proc. of SACMAT’07, ACM, 2007.
[Janicke] H. Janicke, A. Cau, H. Zedan: A note on the formalization of UCON, in Proc. of SACMAT’07, ACM, 2007.
[Hu] H. Hu, G.-J. Ahn: Enabling Verification and Conformance Testing for Access Control Model, in Proc. of SACMAT’08, ACM, 2008.