17
Access Control in Web Applications Peter Trommler Faculty of Computer Science Georg Simon Ohm University Nuremberg, Germany U = R I
| Date post: | 29-Dec-2015 |
| Category: |
Documents |
| Upload: | charles-booker |
| View: | 215 times |
| Download: | 0 times |
Access Control in Web Applications
Peter Trommler
Faculty of Computer Science
Georg Simon Ohm University Nuremberg, Germany
U = R I
www.ohm-university.eu
Prof. Dr. Peter TrommlerFaculty of Computer Science
AgendaProgramming errors and security
Access control engineering
Metamodel
Implementation
www.ohm-university.eu
Prof. Dr. Peter TrommlerFaculty of Computer Science
ContextWeb applications access corporate databases
Hundreds if not thousands of vulnerabilities
Vulnerabilities are symptoms
Few root causes
www.ohm-university.eu
Prof. Dr. Peter TrommlerFaculty of Computer Science
Types of Programming Errors [Pfleeger]Buffer Overflow
int a[3]; a[3]=1;
Incomplete Mediation
February 30; 4,99999999999995
code injection (SQL, shell, ...)
Time-of-Check-Time-of Use
back-end identifiers (primary key)
no check on parameter returned
www.ohm-university.eu
Prof. Dr. Peter TrommlerFaculty of Computer Science
Motivation
<form action="../../action/order.php4" method=post name="artikel_0">
<input type=hidden name='article[Title]' value='Card Reader Combo USB read/write'>
<input type=hidden name='article[VAT]' value='16'>
<input type=hidden name='article[Item_Number]' value='250001'>
<input type=hidden name='article[Price]' value='49,90 EUR'>
<input type=hidden name='article[Category]' value='/Angebote'>
www.ohm-university.eu
Prof. Dr. Peter TrommlerFaculty of Computer Science
“Solution”
<form action="../../action/order.php4" method=post name="artikel_0">
<input type=hidden name='article[Title]' value='Card Reader Combo USB read/write'>
<input type=hidden name='article[VAT]' value='16'>
<input type=hidden name='article[Item_Number]' value='250001'>
<input type=hidden name='article[Price]' value='49,90 EUR'>
<input type=hidden name='article[Category]' value='/Angebote'>
<input type="hidden" name="article[c]" value="fba45a02ebd931ce30a90fe18d263578">
www.ohm-university.eu
Prof. Dr. Peter TrommlerFaculty of Computer Science
ChallengesAccess control decisions everywhere
Difficult to
check completeness
audit for correctness
read and understand
Dependencies on other code
Separate AC from app code
www.ohm-university.eu
Prof. Dr. Peter TrommlerFaculty of Computer Science
Protection MechanismsReject “illegal” transactions
Interception mechanism
Web application
Application FirewallFiltering Servlet
AOP, MDAbefore/after methods
Parameterized ViewsSQL Screening
Internet
www.ohm-university.eu
Prof. Dr. Peter TrommlerFaculty of Computer Science
Business Rule or SecurityShow list of customer’s accounts
omit one: business
show one too many: security
Many business rules have security flavor
Challenge: extract security requirements
www.ohm-university.eu
Prof. Dr. Peter TrommlerFaculty of Computer Science
Access Control EngineeringIdentify access control requirements early
Refine with refining of functional requirements
Automate steps
Verify correctness of refinements
Manually review rule set (audit)
www.ohm-university.eu
Prof. Dr. Peter TrommlerFaculty of Computer Science
Security Requirements Engineering [Giorgini]
Object-level modeling re-use requirements framework
i*/Tropos, KAOS, UML
hard to model more general rules
Meta-level modeling add new linguistic constructs
UMLSec [Jürjens], Secure UML [Lodderstedt]
integration with MDA
www.ohm-university.eu
Prof. Dr. Peter TrommlerFaculty of Computer Science
Observation: User’s “Own” DataNavigate relations between tables/classes
Restrict access
columns/fields
methods
OO-Views
Parameterized Views [Roichman]
Anchor entity/object
www.ohm-university.eu
Prof. Dr. Peter TrommlerFaculty of Computer Science
Temporal LogicView solution after assignment submitted
Can submit assignment only once
Temporal Logic of Actions vs. Interval Temporal Logic [Janicke]
Traces in database certain object exists
AC decision depends on current system state
www.ohm-university.eu
Prof. Dr. Peter TrommlerFaculty of Computer Science
Modeling Implementation LevelReachability in relations graph
O(n)
n: # objects in transitive closure (“own” objects)
caching
AC method/fields through facades
additional call indirection
static check
Existence of traces
O(1): hashes, DB indices
www.ohm-university.eu
Prof. Dr. Peter TrommlerFaculty of Computer Science
Implementationspecify trace for each temporal quantifier
specify navigation graph for each subject role
Manual
specify object level rules
verify correctness [Hu]
Automatic
generate code
www.ohm-university.eu
Prof. Dr. Peter TrommlerFaculty of Computer Science
ConclusionTime-of-Check-Time-of-Use
Web application partially untrusted
Separate access control from application code
Metamodel
Efficient implementation
Code generation
www.ohm-university.eu
Prof. Dr. Peter TrommlerFaculty of Computer Science
References[Pfleeger] C. P. Pfleeger, S. Lawrence Pfleeger: Security in Computing, 4th ed, Prentice Hall PTR, 2006.
[Giogini] P. Giorgini, F. Massaci, N. Zannone: Security and Trust Requirements Engineering.
[Jürjens] J. Jürjens: Secure Systems Development with UML, Springer Verlag, 2004.
[Lodderstedt] T. Lodderstedt, D. Basin, J. Doser: A UML-based Modeling Language for Model Driven Security, in Proc. of UML’02, LNCS 2460, Springer Verlag, 2002.
[Roichman] A. Roichman, E. Gudes: Fine-grained Access Control to Web Databases, in Proc. of SACMAT’07, ACM, 2007.
[Janicke] H. Janicke, A. Cau, H. Zedan: A note on the formalization of UCON, in Proc. of SACMAT’07, ACM, 2007.
[Hu] H.Hu, G.-J. Ahn: Enabling Verification and Conformance Testing for Access Control Model, in Proc. of SACMAT’08, ACM, 2008.
