Access Control in Web Applications
Peter Trommler
Faculty of Computer Science
Georg Simon Ohm University Nuremberg, Germany
www.ohm-university.eu
Prof. Dr. Peter Trommler, Faculty of Computer Science
Agenda
Programming errors and security
Access control engineering
Metamodel
Implementation
Context
Web applications access corporate databases
Hundreds if not thousands of vulnerabilities
Vulnerabilities are symptoms
Few root causes
Types of Programming Errors [Pfleeger]
Buffer Overflow
int a[3]; a[3]=1;
Incomplete Mediation
February 30; 4,99999999999995
code injection (SQL, shell, ...)
Time-of-Check-Time-of-Use
back-end identifiers (primary key)
no check on parameter returned
Motivation
<form action="../../action/order.php4" method=post name="artikel_0">
<input type=hidden name='article[Title]' value='Card Reader Combo USB read/write'>
<input type=hidden name='article[VAT]' value='16'>
<input type=hidden name='article[Item_Number]' value='250001'>
<input type=hidden name='article[Price]' value='49,90 EUR'>
<input type=hidden name='article[Category]' value='/Angebote'>
“Solution”
<form action="../../action/order.php4" method=post name="artikel_0">
<input type=hidden name='article[Title]' value='Card Reader Combo USB read/write'>
<input type=hidden name='article[VAT]' value='16'>
<input type=hidden name='article[Item_Number]' value='250001'>
<input type=hidden name='article[Price]' value='49,90 EUR'>
<input type=hidden name='article[Category]' value='/Angebote'>
<input type="hidden" name="article[c]" value="fba45a02ebd931ce30a90fe18d263578">
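The checksum field above only helps if the server actually recomputes it on the returned parameters and, even then, the price should be re-read from the back end by its primary key rather than taken from the form. The following is an added example, not code from the slides; it assumes the checksum is a keyed MAC with a server-held key (the slides do not say how article[c] is computed) and uses a constructed catalogue.

```python
import hmac
import hashlib

# Constructed for this example: a key known only to the server, and a
# catalogue keyed by the back-end identifier (Item_Number).
SERVER_KEY = b"assumed-secret-key-held-only-by-the-server"
CATALOGUE = {
    "250001": {"Title": "Card Reader Combo USB read/write",
               "Price": "49,90 EUR", "VAT": "16"},
}

# Hidden fields the checksum covers, in a fixed order so that the value
# emitted into the form and the value recomputed on POST agree.
SIGNED_FIELDS = ("Title", "VAT", "Item_Number", "Price", "Category")


def sign_article(article):
    """Compute the article[c] value as a keyed MAC over the hidden fields.
    Assumption: a keyed MAC; an unkeyed hash could be recomputed by anyone
    who edits the form, so it would not protect the returned parameters."""
    msg = "\x1f".join(article[f] for f in SIGNED_FIELDS).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def verify_article(posted):
    """Reject a POST whose hidden fields no longer match their checksum."""
    if "c" not in posted or any(f not in posted for f in SIGNED_FIELDS):
        return False
    return hmac.compare_digest(sign_article(posted), posted["c"])


def order_price(posted):
    """The check the deck asks for: verify the returned parameters, then
    take the price from the back end by primary key, never from the form."""
    if not verify_article(posted):
        return None
    item = CATALOGUE.get(posted["Item_Number"])
    return item["Price"] if item else None
```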
Challenges
Access control decisions everywhere
Difficult to
check completeness
audit for correctness
read and understand
Dependencies on other code
Separate AC from app code
Protection Mechanisms
Reject “illegal” transactions
Interception mechanisms between the Internet and the web application:
Application Firewall
Filtering Servlet
AOP, MDA: before/after methods
Parameterized Views
SQL Screening
Business Rule or Security
Show list of customer’s accounts
omit one: business
show one too many: security
Many business rules have security flavor
Challenge: extract security requirements
Access Control Engineering
Identify access control requirements early
Refine them together with the refinement of functional requirements
Automate steps
Verify correctness of refinements
Manually review rule set (audit)
Security Requirements Engineering [Giorgini]
Object-level modeling: re-use a requirements framework
i*/Tropos, KAOS, UML
hard to model more general rules
Meta-level modeling: add new linguistic constructs
UMLSec [Jürjens], Secure UML [Lodderstedt]
integration with MDA
Observation: User’s “Own” Data
Navigate relations between tables/classes
Restrict access
columns/fields
methods
OO-Views
Parameterized Views [Roichman]
Anchor entity/object
Temporal Logic
View solution after assignment submitted
Can submit assignment only once
Temporal Logic of Actions vs. Interval Temporal Logic [Janicke]
Traces in database: a certain object exists
AC decision depends on current system state
Modeling Implementation Level
Reachability in relations graph
O(n)
n: # objects in transitive closure (“own” objects)
caching
AC method/fields through facades
additional call indirection
static check
Existence of traces
O(1): hashes, DB indices
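The two implementation-level checks from the last three slides, as an added example that is not from the deck: an object-level rule is decided by reachability from the subject's anchor entity along a per-role navigation graph (O(n) in the owned rows), and a temporal rule is decided by the existence of a trace looked up in an index (O(1)). The tables, foreign keys, roles and the submission trace are constructed sample data.

```python
from collections import deque

# Constructed sample data: rows keyed by primary key, with the foreign
# keys that link the tables.
DB = {
    "account":     {10: {"customer_id": 1}, 11: {"customer_id": 2}},
    "transaction": {100: {"account_id": 10}, 101: {"account_id": 11}},
}

# Navigation graph per subject role: from a table, which child table may be
# reached over which foreign key. Only these edges define a subject's
# "own" objects; a relation not listed here is never followed.
NAV_GRAPH = {
    "customer": {"customer": [("account", "customer_id")],
                 "account":  [("transaction", "account_id")]},
}

# Trace index: (student, assignment) pairs for which a submission exists.
# A set (or a DB index) makes the existence check O(1).
SUBMITTED = {("alice", "hw1")}


def own_objects(role, anchor):
    """Transitive closure of the anchor entity along the role's navigation
    graph. Cost is O(n) in the number of owned rows, so cache per request."""
    seen, queue = {anchor}, deque([anchor])
    while queue:
        table, oid = queue.popleft()
        for child, fk in NAV_GRAPH[role].get(table, []):
            for cid, row in DB[child].items():
                if row[fk] == oid and (child, cid) not in seen:
                    seen.add((child, cid))
                    queue.append((child, cid))
    return seen


def may_read(role, anchor, target):
    """Object-level rule: a subject may read rows reachable from its anchor."""
    return target in own_objects(role, anchor)


def may_submit(student, assignment):
    """'Can submit only once': no trace of a submission may exist yet."""
    return (student, assignment) not in SUBMITTED


def may_view_solution(student, assignment):
    """'View solution after submission': a submission trace must exist."""
    return (student, assignment) in SUBMITTED
```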
Implementation
Manual:
specify trace for each temporal quantifier
specify navigation graph for each subject role
specify object level rules
Automatic:
verify correctness [Hu]
generate code
Conclusion
Time-of-Check-Time-of-Use
Web application partially untrusted
Separate access control from application code
Metamodel
Efficient implementation
Code generation
References
[Pfleeger] C. P. Pfleeger, S. Lawrence Pfleeger: Security in Computing, 4th ed., Prentice Hall PTR, 2006.
[Giorgini] P. Giorgini, F. Massacci, N. Zannone: Security and Trust Requirements Engineering.
[Jürjens] J. Jürjens: Secure Systems Development with UML, Springer Verlag, 2004.
[Lodderstedt] T. Lodderstedt, D. Basin, J. Doser: A UML-based Modeling Language for Model Driven Security, in Proc. of UML’02, LNCS 2460, Springer Verlag, 2002.
[Roichman] A. Roichman, E. Gudes: Fine-grained Access Control to Web Databases, in Proc. of SACMAT’07, ACM, 2007.
[Janicke] H. Janicke, A. Cau, H. Zedan: A note on the formalization of UCON, in Proc. of SACMAT’07, ACM, 2007.
[Hu] H. Hu, G.-J. Ahn: Enabling Verification and Conformance Testing for Access Control Model, in Proc. of SACMAT’08, ACM, 2008.