Access Control in Web Applications

Peter Trommler

Faculty of Computer Science

Georg Simon Ohm University Nuremberg, Germany

U = R I

www.ohm-university.eu

Prof. Dr. Peter Trommler, Faculty of Computer Science

Agenda

Programming errors and security

Access control engineering

Metamodel

Implementation


Context

Web applications access corporate databases

Hundreds if not thousands of vulnerabilities

Vulnerabilities are symptoms

Few root causes


Types of Programming Errors [Pfleeger]

Buffer overflow

int a[3]; a[3]=1;   (a[3] is one element past the end of a three-element array)

Incomplete mediation

February 30; 4,99999999999995   (inputs accepted without checking that they are valid)

code injection (SQL, shell, ...)

Time-of-Check-Time-of-Use

back-end identifiers (primary keys) handed to the client and accepted back

no check on the parameter returned


Motivation

<form action="../../action/order.php4" method=post name="artikel_0">
  <input type=hidden name='article[Title]' value='Card Reader Combo USB read/write'>
  <input type=hidden name='article[VAT]' value='16'>
  <input type=hidden name='article[Item_Number]' value='250001'>
  <input type=hidden name='article[Price]' value='49,90 EUR'>
  <input type=hidden name='article[Category]' value='/Angebote'>


“Solution”

<form action="../../action/order.php4" method=post name="artikel_0">
  <input type=hidden name='article[Title]' value='Card Reader Combo USB read/write'>
  <input type=hidden name='article[VAT]' value='16'>
  <input type=hidden name='article[Item_Number]' value='250001'>
  <input type=hidden name='article[Price]' value='49,90 EUR'>
  <input type=hidden name='article[Category]' value='/Angebote'>
  <input type="hidden" name="article[c]" value="fba45a02ebd931ce30a90fe18d263578">
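The quoted "Solution" above adds a 32-hex-character checksum field article[c] to the form. The following is an added example (not code from the slides or from the shop) showing how such a field has to be verified on the server for it to be worth anything: the value must be a keyed MAC over the hidden fields, because an unkeyed hash over public values can simply be recomputed by whoever edits the price. It also shows the approach that removes the time-of-check/time-of-use gap altogether: ignore the posted price and re-read it by item number at the time of use. The secret key, the catalogue and the function names are assumptions for this example; only the field names and values come from the form on the slide.

```python
"""Added example (not from the slides): verifying hidden form fields on the
server with a keyed MAC, versus an unkeyed hash, versus not trusting them at all.

Assumptions (hypothetical): the server holds SECRET_KEY, the fields are posted
back under the article[...] names shown on the slide, and a server-side
catalogue maps Item_Number to the authoritative price.
"""
import hashlib
import hmac

# Canonical order of the hidden fields covered by the MAC (names from the slide).
FIELD_ORDER = ("Title", "VAT", "Item_Number", "Price", "Category")

SECRET_KEY = b"server-side secret, never sent to the client"  # assumed

# Assumed authoritative catalogue: item number (primary key) -> price.
CATALOGUE = {"250001": "49,90 EUR"}


def canonical(article: dict) -> bytes:
    """Length-prefix every value so field boundaries cannot be shifted."""
    parts = []
    for name in FIELD_ORDER:
        value = article[name].encode("utf-8")
        parts.append(str(len(value)).encode() + b":" + value)
    return b"|".join(parts)


def sign_fields(article: dict) -> str:
    """Value for article[c]: HMAC-SHA256 over the canonical hidden fields."""
    return hmac.new(SECRET_KEY, canonical(article), hashlib.sha256).hexdigest()


def fields_untampered(article: dict) -> bool:
    """Keyed check: only the server can produce a matching article[c]."""
    expected = sign_fields(article).encode()
    return hmac.compare_digest(expected, article.get("c", "").encode())


def unkeyed_hash(article: dict) -> str:
    """A bare MD5 over the fields (what a 32-hex-char value suggests)."""
    return hashlib.md5(canonical(article)).hexdigest()


def fields_untampered_unkeyed(article: dict) -> bool:
    """Unkeyed check: anyone who changes a field can recompute this value."""
    return unkeyed_hash(article) == article.get("c", "")


def authoritative_price(article: dict) -> str:
    """No TOCTOU window: ignore the posted price, re-read it by primary key
    at the time of use."""
    return CATALOGUE[article["Item_Number"]]


def demo():
    article = {  # constructed from the hidden fields on the slide
        "Title": "Card Reader Combo USB read/write",
        "VAT": "16",
        "Item_Number": "250001",
        "Price": "49,90 EUR",
        "Category": "/Angebote",
    }
    article["c"] = sign_fields(article)
    genuine_accepted = fields_untampered(article)

    # Attacker edits the hidden price field in the browser and resubmits.
    tampered = dict(article, Price="0,01 EUR")
    tampered_rejected = not fields_untampered(tampered)

    # With an unkeyed hash the attacker recomputes article[c] and passes.
    tampered["c"] = unkeyed_hash(tampered)
    forgery_accepted = fields_untampered_unkeyed(tampered)

    return genuine_accepted, tampered_rejected, forgery_accepted, authoritative_price(tampered)


if __name__ == "__main__":
    print(demo())
```

Even with a correct MAC the server is still using a price that was fixed when the page was rendered, so a price change in the catalogue between check and use is not seen; looking the price up by item number at order time is the simpler and safer rule.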


Challenges

Access control decisions everywhere

Difficult to

check completeness

audit for correctness

read and understand

Dependencies on other code

Separate AC from app code


Protection Mechanisms

Reject "illegal" transactions at an interception mechanism on the path from the Internet to the data:

Application firewall / filtering servlet (in front of the web application)

AOP, MDA: before/after methods (inside the web application)

Parameterized views, SQL screening (at the database)


Business Rule or Security?

Show list of customer's accounts

omit one: business

show one too many: security

Many business rules have security flavor

Challenge: extract security requirements


Access Control Engineering

Identify access control requirements early

Refine them together with the functional requirements

Automate steps

Verify correctness of refinements

Manually review rule set (audit)


Security Requirements Engineering [Giorgini]

Object-level modeling: reuse a requirements framework

i*/Tropos, KAOS, UML

hard to model more general rules

Meta-level modeling: add new linguistic constructs

UMLsec [Jürjens], SecureUML [Lodderstedt]

integration with MDA


Observation: User's "Own" Data

Navigate relations between tables/classes

Restrict access

columns/fields

methods

OO-Views

Parameterized Views [Roichman]

Anchor entity/object
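The idea on this slide, an added example rather than code from the lecture: starting at the anchor object (the customer the session belongs to), follow only the relations the subject's role is allowed to navigate, and treat every object reached that way as "own" data; restrict the columns per table to form the OO-view. The tables, rows, navigation graph and column lists below are constructed for the example and are assumptions, not from the original page.

```python
"""Added example (not from the slides): "own" data as reachability from an
anchor entity under a per-role navigation graph, plus a per-role column view.

All rows, relations and role names are constructed for illustration.
"""
from collections import deque

# Constructed rows: (table, primary key) -> columns. Foreign keys point from
# the owned object back to its owner.
ROWS = {
    ("customer", 1): {"name": "alice"},
    ("customer", 2): {"name": "bob"},
    ("account", 10): {"customer": 1, "iban": "DE..1"},
    ("account", 11): {"customer": 2, "iban": "DE..2"},
    ("transaction", 100): {"account": 10, "amount": 42},
    ("transaction", 101): {"account": 11, "amount": 7},
}

# Navigation graph per subject role: (parent table, fk column, child table).
# Only these edges may be followed from the anchor.
NAVIGATION = {
    "customer": [("customer", "customer", "account"),
                 ("account", "account", "transaction")],
}

# OO-view: columns each role may read per table.
VISIBLE_COLUMNS = {
    "customer": {"customer": {"name"}, "account": {"iban"},
                 "transaction": {"amount"}},
}


def children(parent, fk_col, child_table):
    _, pk = parent
    return [key for key, row in ROWS.items()
            if key[0] == child_table and row.get(fk_col) == pk]


def own_objects(role, anchor):
    """Transitive closure of the anchor under the role's navigation graph.
    Cost is O(n) in the number of owned objects, so cache it per request."""
    seen = {anchor}
    queue = deque([anchor])
    while queue:
        node = queue.popleft()
        for parent_table, fk_col, child_table in NAVIGATION[role]:
            if node[0] != parent_table:
                continue
            for child in children(node, fk_col, child_table):
                if child not in seen:
                    seen.add(child)
                    queue.append(child)
    return seen


def read(role, anchor, obj, column, closure=None):
    """Reference-monitor style read: the object must be reachable from the
    anchor and the column must be in the role's view. None means denied."""
    if closure is None:
        closure = own_objects(role, anchor)
    if obj not in closure:
        return None
    if column not in VISIBLE_COLUMNS.get(role, {}).get(obj[0], set()):
        return None
    return ROWS[obj][column]
```

The check never consults an identifier the client sent to decide ownership; the anchor comes from the authenticated session, and the requested primary key is only looked up inside the closure computed from it.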


Temporal Logic

View solution after assignment submitted

Can submit assignment only once

Temporal Logic of Actions vs. Interval Temporal Logic [Janicke]

Traces in the database: a certain object exists

AC decision depends on current system state


Modeling Implementation Level

Reachability in relations graph

O(n), n: number of objects in the transitive closure ("own" objects)

caching

AC on methods/fields through facades

additional call indirection

static check

Existence of traces

O(1): hashes, DB indices
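The two temporal rules from the Temporal Logic slide, "view the solution only after the assignment has been submitted" and "submit only once", reduce to the existence of a trace in the database, which the slide above costs at O(1) through an index. The following added example (not code from the lecture) implements both with sqlite3: the submission row is the trace, its primary key is the index that answers "does it exist" and, as a unique constraint, enforces "only once" atomically. Schema, rows and function names are constructed for this example and are assumptions.

```python
"""Added example (not from the slides): temporal access rules as trace
existence in the database, decided from current state, not client input.

Schema and data are constructed for illustration.
"""
import sqlite3


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE submission (
            student    TEXT NOT NULL,
            assignment TEXT NOT NULL,
            submitted  TEXT NOT NULL,
            -- The key is both the index for the existence check and the
            -- guarantee that a student submits an assignment only once.
            PRIMARY KEY (student, assignment)
        ) WITHOUT ROWID;
        CREATE TABLE solution (
            assignment TEXT PRIMARY KEY,
            body       TEXT NOT NULL
        );
    """)
    db.execute("INSERT INTO solution VALUES ('hw1', 'answer: 42')")  # constructed
    return db


def submit(db, student, assignment, when):
    """Record the trace. Returns False if it already exists ("only once");
    the uniqueness check is done by the database, so it cannot race."""
    try:
        with db:
            db.execute("INSERT INTO submission VALUES (?, ?, ?)",
                       (student, assignment, when))
        return True
    except sqlite3.IntegrityError:
        return False


def has_submitted(db, student, assignment):
    """Trace existence: an indexed point lookup, O(1) in the number of rows."""
    row = db.execute(
        "SELECT 1 FROM submission WHERE student = ? AND assignment = ?",
        (student, assignment)).fetchone()
    return row is not None


def view_solution(db, student, assignment):
    """Rule: the solution is visible only after this student's own
    submission exists. None means access denied."""
    if not has_submitted(db, student, assignment):
        return None
    row = db.execute("SELECT body FROM solution WHERE assignment = ?",
                     (assignment,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = open_db()
    print(view_solution(db, "alice", "hw1"))
    print(submit(db, "alice", "hw1", "2015-12-01"))
    print(view_solution(db, "alice", "hw1"))
```

The state that the decision depends on (the submission row) lives on the server; a "submitted=1" flag returned by the client would be exactly the unchecked parameter the Time-of-Check-Time-of-Use slide warns about.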


Implementation

Manual

specify trace for each temporal quantifier

specify navigation graph for each subject role

specify object-level rules

Automatic

verify correctness [Hu]

generate code


Conclusion

Time-of-Check-Time-of-Use

Web application partially untrusted

Separate access control from application code

Metamodel

Efficient implementation

Code generation


References

[Pfleeger] C. P. Pfleeger, S. Lawrence Pfleeger: Security in Computing, 4th ed., Prentice Hall PTR, 2006.

[Giorgini] P. Giorgini, F. Massacci, N. Zannone: Security and Trust Requirements Engineering.

[Jürjens] J. Jürjens: Secure Systems Development with UML, Springer Verlag, 2004.

[Lodderstedt] T. Lodderstedt, D. Basin, J. Doser: SecureUML: A UML-based Modeling Language for Model-Driven Security, in Proc. of UML'02, LNCS 2460, Springer Verlag, 2002.

[Roichman] A. Roichman, E. Gudes: Fine-grained Access Control to Web Databases, in Proc. of SACMAT'07, ACM, 2007.

[Janicke] H. Janicke, A. Cau, H. Zedan: A Note on the Formalization of UCON, in Proc. of SACMAT'07, ACM, 2007.

[Hu] H. Hu, G.-J. Ahn: Enabling Verification and Conformance Testing for Access Control Model, in Proc. of SACMAT'08, ACM, 2008.

