Static Analysis of RoleBased Access Control in J2EE Applications

1
Static Analysis of Role-Based Access Control in
J2EE Applications

• TAVWEB 2004
• Gleb Naumovich and Paolina Centonze
• Department of Computer and Information Science
• Polytechnic University
• gleb_at_poly.edu pcento02_at_utopia.poly.edu

2
Introduction

• New technique for security analysis of J2EE
  applications
• It identifies situations in which too much or too
  little access is given to security sensitive
  resources
• It uses static analysis to analyze J2EE programs
  and access control policies with respect to
  security-sensitive EJB fields

3
Architecture of J2EE Applications
RMI-IIOP
RMI-IIOP/local
HTTP




HTTPServer
ServletContainer
EJB Container
Servlet/JSP
Enterprise bean
HTTP/HTTPS
ProprietaryProtocol
RMI-IIOP
Client tier
Business tier
Web tier
JDBC
Database
JDBC
Information System tier
4
Role-Based Access Control in J2EE

• In J2EE, resources, are EJB methods, servlets,
  JSPs, and URLs
• Developers and deployers must determine
• Which roles make sense for an application
• Which EJB methods and Web resources each role
  should be allowed to call

r1
r2
r3
Protected Resources
Roles
5
EJB Interface and Implementation
public interface Gradebook extendsjavax.ejb.EJBO
bject public Grade getGrade(Student
s, Homework h) throws RemoteException public
Map getAllGrades(Student s) throws
RemoteException public void addHomework(Homework
h) throws RemoteException public void
removeHomework(Homework h) throws
RemoteException public Set homeworks()
throws RemoteException public void
setGrade(Grade g, Student s, Homework h) throws
RemoteException public Grade getGrade(Student
s, Homework h) throws RemoteException public
Map getAllGrades(Student s) throws
RemoteException
public class StoreBean implements javax.ejb.Enti
tyBean private Set homeworks private Map
studentsToHomeworksToGrades public Grade
getGrade( Student s, Homework h) if (!
this.homeworks.contains(h)) throw
new NoSuchHomeworkException(h) log() ret
urn (Grade) ((Map) this.getAllGrades(s)).get(h)
public Map getAllGrades(Student s) Map
result (Map) this. studentsToHomeworksToGrades
.get(s) if (result null) throw
new NoSuchStudentException(s) return
result public void log() // ...
// Other remote methods implemented here
getGrade()getAllGrades()
getGrade()getAllGrades() log()
Remote Interface
Client
EJB Class
6
J2EE Access Policy
ltassembly-descriptorgt ltsecurity-rolegt ltdescript
iongtStudentslt/descriptiongt ltrole-namegtStudentlt/r
ole-namegt lt/security-rolegt ltsecurity-rolegt lt
descriptiongtTeacherslt/descriptiongt ltrole-namegtPr
ofessorlt/role-namegt lt/security-rolegt ltmethod-per
missiongt ltrole-namegtProfessorlt/role-namegt ltmet
hodgt ltejb-namegtGradebooklt/ejb-namegt ltmethod-
namegt addHomework lt/method-namegt lt/method
gt ltmethodgt ltejb-namegtGradebooklt/ejb-namegt
ltmethod-namegt removeHomework lt/method-namegt
lt/methodgt ltmethodgt ltejb-namegtGradebooklt/ej
b-namegt ltmethod-namegt setGrade lt/method-
namegt lt/methodgt ltmethodgt ltejb-namegtGradeboo
klt/ejb-namegt ltmethod-namegtgetAllGradeslt/method-
namegt lt/methodgt lt/method-permissiongt lt/assembly
-descriptorgt
public interface Gradebook extendsjavax.ejb.EJBO
bject public Grade getGrade(Student
s, Homework h) throws RemoteException public
Map getAllGrades(Student s) throws
RemoteException public void addHomework(Homework
h) throws RemoteException public void
removeHomework(Homework h) throws
RemoteException public Set homeworks()
throws RemoteException public void
setGrade(Grade g, Student s, Homework h) throws
RemoteException public Grade getGrade(Student
s, Homework h) throws RemoteException public
Map getAllGrades(Student s) throws
RemoteException
addHomework() removeHomeworks() homeworks() getGra
de() setGreade() getAllGrades()
Student
Professor
Client
Roles
Greadebook Interface
7
Limitation of theJ2EE Access Control Model

• Today, access control is defined in terms of
  operations on components, instead of data
  encapsulated and used by the components
• This potential inconvenience may lead to security
  problems and our work intends to solve it

8
Access Control on Methods May Create Security
Problems

• Multiple methods for reading and writing the same
  data

Professor
setGrade() getAllGrades() removeGrade()
getHomeworkGrades() modifyGrade()
getMidtermGrades()
getAllGrades()getHomeworkGrades()setData()getMi
dtermGrades()getFinalGrades()

• grades

Student
Security Sensitive Fields
9
Access Control on DataCan Enhance Security

• Access control on data can be more
  straightforward and convenient, and less error
  prone

Professor
read,write

• grades

read
Student
Security Sensitive Fields
10
Static AnalysisCan Help Validate Existing
Policies

• Even when access control is specified on the
  basis of methods, it may still be useful to
  validate the security policy based on the data
  accessed by these methods

Professor
setGrade() getAllGrades() removeGrade()
getHomeworkGrades() modifyGrade()
getMidtermGrades()
getAllGrades()getHomeworkGrades()setData()getMi
dtermGrades()getFinalGrades()

• grades

Student
Security Sensitive Fields
11
Steps of Our Analysis
Points-to Graph
Bytecode to be Analyzed
input
output
input
Points-to Analyzer
Static Analyzer
output
EJB Fields (Written/Read)
input
input
J2EE AccessPolicy
J2EE Security Analyzer
output
Inconsistencies/ Security Problems
Deployer / Analyst
12
APE Graph

• Our analysis requires computation of which EJB
  fields may be read and/or modified by an EJB
  method
• It uses a points-to graph for computing this
  information
• The specific graph used is the Annotated
  Points-to Escape (APE) graph of Souter and Pollok
• A. L. Souter and L. L. Pollock. The construction
  of contextual def-use associations for
  object-oriented systems. IEEE Trans. Softw. Eng.,
  29(11)10051018, 2003
• For our approach to be useful, we also have to
  analyze fields of primitive types

13
Example of an APE Graph
o3
this
public class StoreBean implements javax.ejb.Enti
tyBean private Map studentsToHomeworksToGrades
// ... public Map getAllGrades(Student s)
TreeMap result (Map) this. studentsToHomewo
rksToGrades.get(s) if (result
null) throw new NoSuchStudentException(s)
return result // ...
entry
load
studentsToHomeworksToGrades
o1
o2
o4
load
s
result
o5
APE Graph for method getAllGrades()
14
Read/Write for EJB Fields
An EJB field f is read/written by a method m if
the value of f is accessed/modified by the
thread executing m while m is on the call stack
m
m1
m2
Write/Read field f
Thread Executing m
15
Field Sequences

• It is important to analyze the reads/writes of
  fields of objects that are referenced by EJB
  fields, beside the EJB fields themselves
• A field sequence f0,f1,,fk is a series of
  field dereferences, where f0 is an EJB field, and
  ?i1,,k, fi is a field in one of the possible
  classes for object fi1
• Essentially, f0,f1,,fk represents objects that
  can potentially be reached from an EJB object via
  a number of field dereferences

public class Semester implements EntityBean
Course calculus //... public class Course
Student assistant //... public class
Student String name int ssn //...
calculus
assistant
name
o1
o2
o3
o4
Field Sequence
16
Determining Whether a Field Sequence May Be
Written by a Method

• A field sequence f0,f1,,fk is written by a
  method m if ? a prefix f0,,fj, j k, of this
  sequence in the APE graph for m, and the edge for
  fj is labeled store

EJB field
Scenario

f1
f2
f3
f0
o0
o1
o2
o3
o4
load
load
f2
store

t
f3
o5
o6
Field Sequences Written f0,f1,f2 f0,f1,f2,f3 Fiel
d Sequences Partially Written f0 f0,f1
u
APE graph before statement t.f2 u
17
Determining Whether a Field Sequence May Be Read
by a Method

• f0,f1,,fk is read by a method m if this sequence
  is present in the APE graph and the edge for fk
  is labeled with load

EJB field
f0
f1
f2
f3
f4
o0
o1
o2
o3
o4
o5
load
t
u
Field Sequences Read f0,f1,f2,f3 Field
Sequences Partially Read f0 f0,f1 f0,f1f2
APE graph after statement u t.f3
18
Action of the J2EE Security Analyzer
Points-to Graph
Bytecode to be Analyzed
input
output
input
Points-to Analyzer
Static Analyzer
Methods to Fields Access Modes
output
EJB Field Sequences (R/W)
input
input
J2EE AccessPolicy
J2EE Security Analyzer
Roles to Methods
output
Roles
Methods
Fields Access Modes
Inconsistencies/ Security Problems

• grades
• (write)

Roles to Methodsto Fields Access Modes
Deployer / Analyst
setGrade()
Student
19
Computing Field Sequences Accessed By EJB Methods
f0, f1
f0, f1
f0, f3, f5
read
partially read
f2, f3, f4
f2, f3, f4
f4, f2, f5,f7
f4, f2, f5, f7
f0
m1
m2
partially written
written
f0, f1
f0, f1
m3
read
partially read
f2, f3, f4
f2, f3, f4
f2, f4, f5, f7
partially written
written
Field Sequences (Read/Written)
EJB Methods
20
Potential Inconsistencies Detected And Reasons

• An inconsistency may indicate that
• Professor should have been granted access to
  method m3
• Professor should not have been granted access to
  method m1
• m1 contains a bug it should not have accessed
  field grades
• m3 contains a bug it should have accessed
  another security sensitive field, address

Professor
m1
m3

• grades
• ssn
• salary

write
write

• address

21
Summary

• A new static analysis technique for validating
  the standard role-based access control policies
  used with Enterprice JavaBeans in J2EE
  applications
• It allows the analyst to mark fields in EJBs as
  security sensitive
• The analysis computes the read/write access to
  such fields for all methods in the EJB interfaces
  that can be called by untrusted clients
• These accesses are then integrated with role
  information to obtain which fields can be
  accessed by which roles through which methods
• Finally, a simple check is performed to identify
  potential security inconsistencies

22
Current Access Control in J2EE
23
Future Work

• Implement our technique as a tool with a GUI that
  presents problems to the analysts
• Implement a J2EE deployment tool that allows a
  deployer to specify role-based access control
  policies in terms of fields, not only methods
• The tool will convert specifications based on
  fields to specifications based on methods using a
  dependency analysis similar to the one described
• Experiment with a variety of Web applications to
  evaluate the tools usefulness

24
Related Work...

• D. Ferraiolo and R. Kuhn. Role-based access
  controls. In 15th NIST-NCSC National Computer
  Security Conference, pages 554563, 1992.
• L. Koved, M. Pistoia, and A. Kershenbaum. Access
  rights analysis for Java. In Proceedings of the
  17th ACM SIGPLAN conference on Object-oriented
  programming, systems, languages, and
  applications, pages 359-372. ACM Press,2002.
• G. Naumovich. A conservative algorithm for
  computing the flow of permissions in Java
  programs. In proceedings of the International
  Symposium on Software Testing and Analysis, pages
  3343, July 2003

25
Related Work

• A. L. Souter and L. L. Pollock. The construction
  of contextual def-use associations for
  object-oriented systems. IEEE Trans. Softw. Eng.,
  29(11)10051018, 2003.
• M. Pistoia, N. Nagaratnam, L. Koved, and A.
  Nadalin. Enterprise Java Security Building
  Secure J2EE Applications. Addison-Wesley,
  Reading, MA, 2004

26
For More Information

• e-mail to
• gleb_at_poly.edu paolina_at_photon.poly.edu
• Thank you for you presence and participation!

27
The Complexity of theEJB Security Analysis

• The worst-case running time is exponential in the
  length of the field sequences used to identifying
  sensitive data
• We expect that the length of the field sequences
  will be bounded by a small constant

28
The Complexity of theEJB Security Analysis

• The worst-case complexity depends on
• The size of the APE graphs for the methods in
  EJBInterfaces
• The number of EJB methods
• The length of the sensitive fields in the set S
• The worst-case complexity of the EJB security
  analysis is
• where F is the number of
  fields in all classes in the CUA, N is the number
  of all nodes in the largest APE graph, and Q is
  the size of the longest sequence in S.

29
Application of This Workto Web Services
Technology

• A Web service is a program that exposes some
  interfaces, each of which describes a collection
  of network-accessible methods based on open
  Internet standards
• Web services execute in the untrusted environment
  of the Internet, security of such applications
  is an extremely important issue
• Since Web services are often implemented as EJBs,
  this work applies in particular to role-based
  access control for J2EE-based Web services