
KIT – University of the State of Baden-Wuerttemberg and National Research Center of the Helmholtz Association

Research Group Cooperation & Management, Institute of Telematics, Department of Informatics

www.kit.edu

Attack Surface Reduction for Web Services based on Authorization Patterns Roland Steinegger, Johannes Schäfer, Max Vogler, Sebastian Abeck 20.11.2014 – SECURWARE 2014, Lisbon, Portugal


About the authors


Sebastian Abeck Roland Steinegger Max Vogler Johannes Schäfer



Outline

Background
Motivation
Attack surface reduction
  1. Set up Access Control Matrix
  2. Derive Service Description
  3. Create Web Service
Comparison


Background

Attack surface: indicator of a system's exposure to external attacks [1] [2]

Authorization patterns:
  Attribute-Based Access Control (ABAC) [3]
  Role-Based Access Control (RBAC) [4]


User profile operations (figure): subjects Guest, Authenticated User, Profile Owner and Admin; operations Register, View profile and Edit profile.

Motivation


HTTP PUT request to www.example.com/users/42

    @RequestMapping(method = PUT, value = "users/{id}")
    @PreAuthorize("isOwnerOf(#id) || isAdmin()")
    public JSONObject update(@PathVariable("id") long id) {
        if (getCurrentUser().isAdmin()) {
            // Administrator is updating a user account
        } else {
            // Update the user's own profile, limited to allowed fields
        }
    }

Motivation

Problems with authorization logic:
  Duplicated
  Hard to test
  Opaque for clients
  → Attack surface is increased

Idea: split up the authorization logic

Goals:
  Reduce attack surface
  Use authorization patterns
  Keep functionality

Methodology

  1. Set up Access Control Matrix
  2. Derive Service Description
  3. Create Web Service

Set up Access Control Matrix

List resources and operations

  Resource r: User profile
  Operations: C (create), R (read), U (update), D (delete)

Set up Access Control Matrix

List attributes (the subject predicates used as ABAC attributes)

  Subject s           C  R  U  D      resource r = User profile
  Guest(s)
  Authenticated(s)
  Owner(s, r)
  Admin(s)

Set up Access Control Matrix

Fill out access control matrix (● = subject s may perform the operation on resource r = User profile)

  Subject s           C  R  U  D
  Guest(s)            ●
  Authenticated(s)       ●
  Owner(s, r)            ●  ●
  Admin(s)               ●  ●

Derive Service Description

User service operations, one per filled cell of the matrix:

  CreateIfGuest
  ReadIfAuthenticated
  ReadIfOwner
  ReadIfAdmin
  UpdateIfOwner
  UpdateIfAdmin

Split up operations → improved testability, reduced attack surface


Create Web Service

  User service         Method  URL          Query parameters
  CreateIfGuest        POST    /users       ?auth=Guest
  ReadIfAuthenticated  GET     /users       ?auth=Authenticated
  ReadIfOwner          GET     /users       ?auth=Owner
  ReadIfAdmin          GET     /users       ?auth=Admin
  UpdateIfOwner        PUT     /users/{id}  ?auth=Owner
  UpdateIfAdmin        PUT     /users/{id}  ?auth=Admin

Client chooses authorization level actively → improved transparency, reduced attack surface

Create Web Service

    @Controller
    public class UserController {

        @RequestMapping(method = PUT, value = "users/{id}", params = "auth=Owner")
        @PreAuthorize("isOwnerOf(#id)")
        public JSONObject updateIfOwner(@PathVariable("id") long id) { /* ... */ }

        @RequestMapping(method = PUT, value = "users/{id}", params = "auth=Admin")
        @PreAuthorize("isAdmin()")
        public JSONObject updateIfAdmin(@PathVariable("id") long id) { /* ... */ }
    }

HTTP PUT request to www.example.com/users/42?auth=Owner → updateIfOwner
HTTP PUT request to www.example.com/users/42?auth=Admin → updateIfAdmin
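The three steps above, carried out in code as an added example (this is not the authors' implementation): a Python script that takes the access control matrix from step 1, derives the operation list of step 2 and the route table of step 3, and checks that every (method, URL, auth) triple selects exactly one operation. The dict layout, the function names and the collection name "users" are assumptions; the operation names, URLs and the auth query parameter follow the slides.

```python
"""Added example (not the authors' code): the three methodology steps run on
the user-profile example from the slides.  Step 1 is the access control
matrix, step 2 derives one operation per filled cell, step 3 maps each
operation to an HTTP method, URL and 'auth' query parameter.  The dict
layout, function names and the collection name "users" are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Step 1: access control matrix.  Rows are the ABAC-style subject predicates
# Guest(s), Authenticated(s), Owner(s, r), Admin(s); the set per row holds
# the CRUD operations marked with a dot on the slide.  Delete is granted to nobody.
ACCESS_CONTROL_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "User profile": {
        "Guest": {"C"},
        "Authenticated": {"R"},
        "Owner": {"R", "U"},
        "Admin": {"R", "U"},
    }
}

CRUD = "CRUD"
VERB = {"C": "Create", "R": "Read", "U": "Update", "D": "Delete"}

# HTTP method and URL template per CRUD operation.  Assumption: the REST
# layout from the slides (POST/GET on the collection, PUT on one item);
# the Delete row is added for completeness.
HTTP = {
    "C": ("POST", "/{collection}"),
    "R": ("GET", "/{collection}"),
    "U": ("PUT", "/{collection}/{{id}}"),
    "D": ("DELETE", "/{collection}/{{id}}"),
}


@dataclass(frozen=True)
class Route:
    operation: str   # e.g. "UpdateIfOwner"
    method: str      # e.g. "PUT"
    url: str         # e.g. "/users/{id}"
    auth: str        # value the client must send as ?auth=...


def derive_service_description(matrix) -> List[Tuple[str, str, str, str]]:
    """Step 2: one (resource, operation name, subject, crud) per filled cell.

    The OR-combined predicate of the traditional design never appears:
    a subject without a dot in a column simply gets no operation there."""
    ops = []
    for resource, rows in matrix.items():
        for crud in CRUD:                       # column by column, as on the slide
            for subject, permitted in rows.items():
                if crud in permitted:
                    ops.append((resource, f"{VERB[crud]}If{subject}", subject, crud))
    return ops


def derive_routes(matrix, collections: Dict[str, str]) -> List[Route]:
    """Step 3: service description -> HTTP routes with an auth query parameter."""
    routes = []
    for resource, name, subject, crud in derive_service_description(matrix):
        method, template = HTTP[crud]
        url = template.format(collection=collections[resource])
        routes.append(Route(name, method, url, subject))
    return routes


def routes_are_disjoint(routes: List[Route]) -> bool:
    """Every (method, url, auth) triple must select exactly one operation, so
    a request can never fall through to a second, more permissive handler."""
    keys = [(r.method, r.url, r.auth) for r in routes]
    return len(keys) == len(set(keys))


if __name__ == "__main__":
    routes = derive_routes(ACCESS_CONTROL_MATRIX, {"User profile": "users"})
    for r in routes:
        print(f"{r.operation:<20} {r.method:<7} {r.url:<12} ?auth={r.auth}")
    print("disjoint:", routes_are_disjoint(routes))
```

The number of routes equals the number of filled matrix cells, which is the quantity the slides call the attack surface of the service; the comparison slide's caveat about many similar roles follows directly, since every extra row with a dot adds a route.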


Comparison


    // Don't do it like this!
    @RequestMapping(method = PUT, value = "users/{id}")
    @PreAuthorize("isOwnerOf(#id) || isAdmin()")
    public JSONObject update(@PathVariable("id") long id) {
        // If admin, allow editing all fields; if owner, allow editing in a limited way
    }

    // Split up authorization like this:
    @RequestMapping(method = PUT, value = "users/{id}", params = "auth=Owner")
    @PreAuthorize("isOwnerOf(#id)")
    public JSONObject updateIfOwner(@PathVariable("id") long id) { /* ... */ }

    @RequestMapping(method = PUT, value = "users/{id}", params = "auth=Admin")
    @PreAuthorize("isAdmin()")
    public JSONObject updateIfAdmin(@PathVariable("id") long id) { /* ... */ }
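To make the comparison concrete, an added example that is not the authors' Spring code: a small Python stand-in for @RequestMapping(params="auth=...") plus @PreAuthorize, with the traditional OR-combined handler beside the two partitioned handlers. The User and Request types, the two sample users, the editable field sets and the HTTP status codes are constructed for this example.

```python
"""Added example (not the authors' Spring code): an in-memory stand-in for
Spring's @RequestMapping(params="auth=...") plus @PreAuthorize, showing the
traditional OR-combined handler beside the partitioned handlers from the
comparison slide.  The User/Request types, the two users, the field sets
and the status codes are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class User:
    id: int
    name: str
    roles: Set[str] = field(default_factory=set)   # {"ADMIN"} for admins
    banned: bool = False


@dataclass
class Request:
    method: str
    path: str                 # e.g. "/users/42"
    query: Dict[str, str]     # e.g. {"auth": "Owner"}
    body: Dict[str, object]   # JSON fields the client wants to change
    user: Optional[User]      # authenticated principal, None for a guest


# Constructed sample data.
USERS = {42: User(42, "alice"), 7: User(7, "root", {"ADMIN"})}
OWNER_FIELDS = {"name"}                             # what a profile owner may edit
ADMIN_FIELDS = OWNER_FIELDS | {"banned", "roles"}   # what an admin may edit


class Forbidden(Exception):
    pass


# Authorization predicates, the counterparts of isOwnerOf(#id) and isAdmin().
def is_owner_of(req: Request, uid: int) -> bool:
    return req.user is not None and req.user.id == uid


def is_admin(req: Request) -> bool:
    return req.user is not None and "ADMIN" in req.user.roles


def apply_update(uid: int, body: Dict[str, object], allowed: Set[str]) -> dict:
    """Shared business logic; refuses fields outside the caller's allowance."""
    if uid not in USERS:
        raise KeyError(uid)
    denied = set(body) - allowed
    if denied:
        raise Forbidden(f"fields not permitted: {sorted(denied)}")
    return {"id": uid, "updated": sorted(body)}


# Traditional: one handler, predicates OR-ed, the role decided a second time inside.
def update_traditional(req: Request, uid: int) -> dict:
    if not (is_owner_of(req, uid) or is_admin(req)):
        raise Forbidden("neither owner nor admin")
    allowed = ADMIN_FIELDS if is_admin(req) else OWNER_FIELDS   # duplicated check
    return apply_update(uid, req.body, allowed)


# Partitioned: one handler per filled matrix cell, exactly one predicate each.
def update_if_owner(req: Request, uid: int) -> dict:
    if not is_owner_of(req, uid):
        raise Forbidden("not the owner")
    return apply_update(uid, req.body, OWNER_FIELDS)


def update_if_admin(req: Request, uid: int) -> dict:
    if not is_admin(req):
        raise Forbidden("not an admin")
    return apply_update(uid, req.body, ADMIN_FIELDS)


# Stand-in for @RequestMapping(method=PUT, value="users/{id}", params="auth=...").
ROUTES = {("PUT", "Owner"): update_if_owner, ("PUT", "Admin"): update_if_admin}


def dispatch(req: Request):
    """Return (status, body).  The client's auth parameter selects one handler
    and there is no fallback to a more permissive one, so an admin calling
    ?auth=Owner on somebody else's profile gets 403 rather than a silent
    upgrade to the admin path."""
    handler = ROUTES.get((req.method, req.query.get("auth", "")))
    if handler is None:
        return 404, None
    uid = int(req.path.rsplit("/", 1)[1])
    try:
        return 200, handler(req, uid)
    except Forbidden:
        return 403, None
```

The auth parameter is chosen by the client, but it only selects which predicate is evaluated; a caller sending auth=Admin without the admin attribute is refused by isAdmin(), and an admin sending auth=Owner for another user's profile is refused by isOwnerOf(), so no request reaches the permissive branch by accident, and each handler can be unit-tested against its single predicate. In Spring the same effect comes from the params condition on the mapping: a request whose auth value matches no mapping is rejected by the mapping layer before any handler body runs.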


Comparison

  Traditional                       New
  public JSONObject update()        public JSONObject updateIfOwner()
                                    public JSONObject updateIfAdmin()
  Opaque authorization logic        Transparent authorization logic
  Duplicate authorization logic     Partitioned authorization logic

+ Improved testability
+ Reduced attack surface
– Difficulties with a large number of similar roles

Thank you

Contact: Max Vogler

Sources

  R. Steinegger, J. Schäfer, M. Vogler, and S. Abeck, "Attack Surface Reduction for Web Services based on Authorization Patterns," In Proceedings of SECURWARE 2014 The Eighth International Conference on Emerging Security Information, Systems and Technologies, November 2014, pp. 194-201, ISBN 978-1-61208-376-6

  [1] T. Heumann, J. Keller, and S. Türpe, “Quantifying the Attack Surface of a Web Application,” In Proceedings of Sicherheit 2010, vol. 170, 2010, pp. 305-316, ISBN: 978-3-88579-264-2

  [2] M. Howard, “Attack Surface – Mitigate Security Risks by Minimizing the Code You Expose to Untrusted Users,” MSDN Magazine, November 2004. [Online]. Available from: http://msdn.microsoft.com/en-us/magazine/cc163882.aspx [retrieved: 23.09.2014]

  [3] E. Yuan and J. Tong, “Attribute Based Access Control (ABAC) for Web Services,” in Proceedings of the International Conference on Web Services (ICWS), Jul. 2005, pp. 561–569, doi:10.1109/ICWS.2005.25.

  [4] R. Steinegger, “Authentication and authorization patterns in existing security frameworks [Authentifizierungs- und Autorisierungsmuster in bestehenden Sicherheits-Frameworks],” diploma thesis, Karlsruhe Institute of Technology, Karlsruhe, Germany, 2012. German.
