attack surface reduction for web services based on authorization patterns
TRANSCRIPT
KIT – University of the State of Baden-Wuerttemberg and National Research Center of the Helmholtz Association
Research Group Cooperation & Management, Institute of Telematics, Department of Informatics
www.kit.edu
Attack Surface Reduction for Web Services based on Authorization Patterns
Roland Steinegger, Johannes Schäfer, Max Vogler, Sebastian Abeck
20.11.2014 – SECURWARE 2014, Lisbon, Portugal
About the authors
Sebastian Abeck, Roland Steinegger, Max Vogler, Johannes Schäfer
Outline
- Background
- Motivation
- Attack surface reduction
  1. Set up access control matrix
  2. Derive service description
  3. Create web service
- Comparison
Background
- Attack surface: indicator for vulnerability towards external attacks [1] [2]
- Authorization patterns:
  - Attribute-Based Access Control (ABAC) [3]
  - Role-Based Access Control (RBAC) [4]
Background
Figure: user profile operations (Register, View profile, Edit profile) and the subjects that perform them (Guest, Authenticated User, Profile Owner, Admin)
Motivation

    @RequestMapping(method = PUT, value = "users/{id}")
    @PreAuthorize("isOwnerOf(#id) || isAdmin()")
    public JSONObject update(@PathVariable("id") long id) { // parameter added so that #id in @PreAuthorize resolves
        if (getCurrentUser().isAdmin()) {
            // Administrator is updating a user account
        } else {
            // Update the user's own profile, limited to allowed fields
        }
    }

HTTP PUT request to www.example.com/users/42
Motivation
Problems with this authorization logic:
- Duplicated
- Hard to test
- Opaque for clients
→ Attack surface is increased

Idea: split up the authorization logic

Goals:
- Reduce attack surface
- Use authorization patterns
- Keep functionality
Methodology
1. Set up access control matrix
2. Derive service description
3. Create web service
Set up Access Control Matrix
List resources and operations:

    Resource r     | C | R | U | D
    ---------------+---+---+---+---
    User profile   |   |   |   |
Set up Access Control Matrix
List attributes of subject s:

    Resource r     | Subject s        | C | R | U | D
    ---------------+------------------+---+---+---+---
    User profile   | Guest(s)         |   |   |   |
                   | Authenticated(s) |   |   |   |
                   | Owner(s, r)      |   |   |   |
                   | Admin(s)         |   |   |   |
Set up Access Control Matrix
Fill out the access control matrix (● = permitted):

    Resource r     | Subject s        | C | R | U | D
    ---------------+------------------+---+---+---+---
    User profile   | Guest(s)         | ● |   |   |
                   | Authenticated(s) |   | ● |   |
                   | Owner(s, r)      |   | ● | ● |
                   | Admin(s)         |   | ● | ● |
Derive Service Description
Each permitted cell of the access control matrix becomes one operation of the user service:

    User service
    - CreateIfGuest
    - ReadIfAuthenticated
    - ReadIfOwner
    - ReadIfAdmin
    - UpdateIfOwner
    - UpdateIfAdmin

Split up operations → improved testability, reduced attack surface
Create Web Service

    User service         | Method | URL         | Query parameters
    ---------------------+--------+-------------+---------------------
    CreateIfGuest        | POST   | /users      | ?auth=Guest
    ReadIfAuthenticated  | GET    | /users      | ?auth=Authenticated
    ReadIfOwner          | GET    | /users      | ?auth=Owner
    ReadIfAdmin          | GET    | /users      | ?auth=Admin
    UpdateIfOwner        | PUT    | /users/{id} | ?auth=Owner
    UpdateIfAdmin        | PUT    | /users/{id} | ?auth=Admin

Client chooses authorization level actively → improved transparency, reduced attack surface
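The three steps (set up the matrix, derive the service description, map each operation to a route) carried out in code, as an added example that is not part of the slides or the authors' implementation. The matrix content is the slides' user-profile example, constructed here as a dictionary; OPERATION_VERBS, the ServiceOperation class and combined_predicates are assumptions of this example. The derivation is general: any matrix with any set of subject attributes yields one OperationIfAttribute service operation per permitted cell, and combined_predicates shows which attribute predicates a traditional single endpoint per (method, URL) would have to OR together.

```python
"""Derive a service description and REST routes from an access control matrix.

Added example, not code from the SECURWARE 2014 slides. The matrix content is
the slides' user-profile example; OPERATION_VERBS, ServiceOperation and
combined_predicates are assumptions of this example.
"""
from dataclasses import dataclass

# CRUD operations in matrix column order.
OPERATIONS = ("Create", "Read", "Update", "Delete")

# Step 1: the filled access control matrix for resource "User profile".
# Keys are subject attributes, values the operations a subject with that
# attribute may perform (constructed to match the slides).
ACCESS_CONTROL_MATRIX = {
    "Guest": {"Create"},
    "Authenticated": {"Read"},
    "Owner": {"Read", "Update"},
    "Admin": {"Read", "Update"},
}

# Step 3: HTTP method and URL template per CRUD operation (assumed mapping,
# chosen to reproduce the slides' route table).
OPERATION_VERBS = {
    "Create": ("POST", "/users"),
    "Read": ("GET", "/users"),
    "Update": ("PUT", "/users/{id}"),
    "Delete": ("DELETE", "/users/{id}"),
}


@dataclass(frozen=True)
class ServiceOperation:
    name: str        # e.g. UpdateIfOwner
    attribute: str   # the single attribute predicate this operation checks
    operation: str   # CRUD operation
    method: str
    url: str
    query: str       # ?auth=<attribute>: the client selects the level itself

    def route(self):
        return (self.method, self.url, self.query)


def derive_service_description(matrix):
    """Step 2: one service operation per permitted cell of the matrix.

    Iterating operations first and attributes second yields the same order
    as the slides (CreateIfGuest, ReadIfAuthenticated, ...).
    """
    ops = []
    for operation in OPERATIONS:
        for attribute, permitted in matrix.items():
            if operation not in permitted:
                continue
            method, url = OPERATION_VERBS[operation]
            ops.append(ServiceOperation(
                name=f"{operation}If{attribute}",
                attribute=attribute,
                operation=operation,
                method=method,
                url=url,
                query=f"?auth={attribute}",
            ))
    return ops


def combined_predicates(ops):
    """Attributes a traditional design would have to guard per (method, URL).

    Without the auth parameter, every attribute that may perform an operation
    ends up OR-ed into one @PreAuthorize expression and the handler body has
    to branch on them again; the slides' update() is the PUT /users/{id} case.
    """
    combined = {}
    for op in ops:
        combined.setdefault((op.method, op.url), []).append(op.attribute)
    return combined


def format_table(ops):
    """Render the service description as the slides' route table."""
    fmt = "{:<20} {:<7} {:<12} {}"
    rows = [fmt.format("User service", "Method", "URL", "Query parameters")]
    for op in ops:
        rows.append(fmt.format(op.name, op.method, op.url, op.query))
    return "\n".join(rows)


if __name__ == "__main__":
    service = derive_service_description(ACCESS_CONTROL_MATRIX)
    print(format_table(service))
    for route, attributes in combined_predicates(service).items():
        print("traditional endpoint", route, "would have to check", " || ".join(attributes))
```

Adding a row to the matrix (a new attribute) or marking a new cell adds exactly one route with exactly one predicate; nothing in an existing handler changes, which is the testability argument of the slides in concrete form.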
Create Web Service

    @Controller
    public class UserController {

        @RequestMapping(method = PUT, value = "users/{id}", params = "auth=Owner")
        @PreAuthorize("isOwnerOf(#id)")
        public JSONObject updateIfOwner(@PathVariable("id") long id) { /* ... */ }

        @RequestMapping(method = PUT, value = "users/{id}", params = "auth=Admin")
        @PreAuthorize("isAdmin()")
        public JSONObject updateIfAdmin(@PathVariable("id") long id) { /* ... */ }
    }

HTTP PUT request to www.example.com/users/42?auth=Owner
HTTP PUT request to www.example.com/users/42?auth=Admin
Comparison

    // Don't do it like this!
    @RequestMapping(method = PUT, value = "users/{id}")
    @PreAuthorize("isOwnerOf(#id) || isAdmin()")
    public JSONObject update(@PathVariable("id") long id) {
        // If admin, allow editing all fields; if owner, allow editing in a limited way
    }

    // Split up authorization like this:
    @RequestMapping(method = PUT, value = "users/{id}", params = "auth=Owner")
    @PreAuthorize("isOwnerOf(#id)")
    public JSONObject updateIfOwner(@PathVariable("id") long id) { /* ... */ }

    @RequestMapping(method = PUT, value = "users/{id}", params = "auth=Admin")
    @PreAuthorize("isAdmin()")
    public JSONObject updateIfAdmin(@PathVariable("id") long id) { /* ... */ }
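The split endpoints from the "do it like this" half of the comparison, modelled as an added example that is not the authors' code: a router selects the handler by method, path and auth parameter and then evaluates exactly that handler's one predicate, so no handler body needs to branch on the caller's role. The Subject and Request types, the predicate implementations, the meaning of Owner on routes without an {id} and the 200/403/404 results are assumptions of this example; the URLs and auth values follow the slides.

```python
"""Model of the split endpoints: one attribute predicate per handler.

Added example, not the authors' code. Subject, Request, the predicate
implementations and the status codes are assumptions; the routes and
auth values are those of the slides.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Subject:
    user_id: Optional[int] = None   # None: unauthenticated guest
    admin: bool = False


@dataclass(frozen=True)
class Request:
    method: str
    path: str          # e.g. "/users/42"
    params: dict       # query parameters, e.g. {"auth": "Owner"}
    subject: Subject


# Attribute predicates of the access control matrix (assumed implementations).
# rid is the {id} captured from the URL, or None for routes without one.
def is_guest(s, rid):
    return s.user_id is None

def is_authenticated(s, rid):
    return s.user_id is not None

def is_owner(s, rid):
    # Assumption: on routes without {id} (GET /users?auth=Owner) the subject's
    # own profile is meant, so any authenticated subject is its owner.
    return s.user_id is not None and (rid is None or s.user_id == rid)

def is_admin(s, rid):
    return s.admin


# (method, URL template, required auth value) -> (handler name, its single predicate).
# Mirrors @RequestMapping(params="auth=...") plus @PreAuthorize(...) on the slides.
ENDPOINTS = {
    ("POST", "/users", "Guest"): ("createIfGuest", is_guest),
    ("GET", "/users", "Authenticated"): ("readIfAuthenticated", is_authenticated),
    ("GET", "/users", "Owner"): ("readIfOwner", is_owner),
    ("GET", "/users", "Admin"): ("readIfAdmin", is_admin),
    ("PUT", "/users/{id}", "Owner"): ("updateIfOwner", is_owner),
    ("PUT", "/users/{id}", "Admin"): ("updateIfAdmin", is_admin),
}


def match_path(template, path):
    """Match a concrete path against a template; return captured values or None."""
    t_parts = template.strip("/").split("/")
    p_parts = path.strip("/").split("/")
    if len(t_parts) != len(p_parts):
        return None
    captured = {}
    for t, p in zip(t_parts, p_parts):
        if t == "{id}":
            if not p.isdigit():
                return None
            captured["id"] = int(p)
        elif t != p:
            return None
    return captured


def dispatch(request):
    """Select the endpoint by method, path and auth parameter, then evaluate
    exactly that endpoint's predicate. Returns (status, handler name)."""
    auth = request.params.get("auth")
    for (method, template, required_auth), (name, predicate) in ENDPOINTS.items():
        if method != request.method or required_auth != auth:
            continue
        captured = match_path(template, request.path)
        if captured is None:
            continue
        if predicate(request.subject, captured.get("id")):
            return 200, name
        return 403, name
    # No mapping: the client has to choose a level, the server does not guess one.
    return 404, None


if __name__ == "__main__":
    owner = Subject(user_id=42)
    admin = Subject(user_id=1, admin=True)
    print(dispatch(Request("PUT", "/users/42", {"auth": "Owner"}, owner)))
    print(dispatch(Request("PUT", "/users/42", {"auth": "Admin"}, owner)))
    print(dispatch(Request("PUT", "/users/42", {"auth": "Owner"}, admin)))
```

Each handler can be tested with a single subject and a single expected outcome, and a request for a level the caller does not hold fails at the predicate rather than somewhere inside a shared handler body; an administrator who wants the admin behaviour has to ask for ?auth=Admin explicitly.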
Comparison

    Traditional                    | New
    -------------------------------+-----------------------------------
    public JSONObject update()     | public JSONObject updateIfOwner()
                                   | public JSONObject updateIfAdmin()
    Opaque authorization logic     | Transparent authorization logic
    Duplicate authorization logic  | Partitioned authorization logic

+ Improved testability
+ Reduced attack surface
– Difficulties with a large number of similar roles
Thank you
Max Vogler, [email protected]
Sources
R. Steinegger, J. Schäfer, M. Vogler, and S. Abeck, "Attack Surface Reduction for Web Services based on Authorization Patterns," in Proceedings of SECURWARE 2014, The Eighth International Conference on Emerging Security Information, Systems and Technologies, November 2014, pp. 194-201, ISBN 978-1-61208-376-6.
[1] T. Heumann, J. Keller, and S. Türpe, "Quantifying the Attack Surface of a Web Application," in Proceedings of Sicherheit 2010, vol. 170, 2010, pp. 305-316, ISBN 978-3-88579-264-2.
[2] M. Howard, "Attack Surface – Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users," MSDN Magazine, November 2004. [Online]. Available from: http://msdn.microsoft.com/en-us/magazine/cc163882.aspx [retrieved: 23.09.2014].
[3] E. Yuan and J. Tong, "Attribute Based Access Control (ABAC) for Web Services," in Proceedings of the International Conference on Web Services (ICWS), July 2005, pp. 561-569, doi:10.1109/ICWS.2005.25.
[4] R. Steinegger, "Authentication and authorization patterns in existing security frameworks [Authentifizierungs- und Autorisierungsmuster in bestehenden Sicherheits-Frameworks]," diploma thesis, Karlsruhe Institute of Technology, Karlsruhe, Germany, 2012. In German.