Access Control in Web Applications - PowerPoint PPT Presentation

About This Presentation
Title:

Access Control in Web Applications

Description:

Access Control in Web Applications Peter Trommler Faculty of Computer Science Georg Simon Ohm University Nuremberg, Germany U = R I Agenda Programming errors and ... – PowerPoint PPT presentation

Number of Views:110
Avg rating:3.0/5.0
Slides: 18
Provided by: Samer7
Category:

less

Transcript and Presenter's Notes

Title: Access Control in Web Applications


1
Access Control in Web Applications
  • Peter Trommler
  • Faculty of Computer Science
  • Georg Simon Ohm University Nuremberg, Germany

U R I
2
Agenda
  • Programming errors and security
  • Access control engineering
  • Metamodel
  • Implementation

3
Context
  • Web applications access corporate databases
  • Hundreds if not thousands of vulnerabilities
  • Vulnerabilities are symptoms
  • Few root causes

4
Types of Programming Errors Pfleeger
  • Buffer Overflow
  • int a3 a31
  • Incomplete Mediation
  • February 30 4,99999999999995
  • code injection (SQL, shell, ...)
  • Time-of-Check-Time-of Use
  • back-end identifiers (primary key)
  • no check on parameter returned

5
Motivation
ltform action"../../action/order.php4"
methodpost name"artikel_0"gt ltinput typehidden
name'articleTitle' value'Card Reader Combo
USB read/write'gt ltinput typehidden
name'articleVAT' value'16'gt ltinput
typehidden name'articleItem_Number'
value'250001'gt ltinput typehidden
name'articlePrice' value'49,90 EUR'gt ltinput
typehidden name'articleCategory'
value'/Angebote'gt
6
Solution
ltform action"../../action/order.php4"
methodpost name"artikel_0"gt ltinput typehidden
name'articleTitle' value'Card Reader Combo
USB read/write'gt ltinput typehidden
name'articleVAT' value'16'gt ltinput
typehidden name'articleItem_Number'
value'250001'gt ltinput typehidden
name'articlePrice' value'49,90 EUR'gt ltinput
typehidden name'articleCategory'
value'/Angebote'gt ltinput type"hidden"
name"articlec" value"fba45a02ebd931ce30a90fe18
d263578"gt
7
Challenges
  • Access control decisions everywhere
  • Difficult to
  • check completeness
  • audit for correctness
  • read and understand
  • Dependencies on other code
  • Separate AC from app code

8
Protection Mechanisms
  • Reject illegal transactions
  • Interception mechanism

Internet
Application Firewall Filtering Servlet
AOP, MDA before/after methods
Parameterized Views SQL Screening
9
Business Rule or Security
  • Show list of customers accounts
  • omit one business
  • show one too many security
  • Many business rules have security flavor
  • Challenge extract security requirements

10
Access Control Engineering
  • Identify access control requirements early
  • Refine with refining of functional requirements
  • Automate steps
  • Verify correctness of refinements
  • Manually review rule set (audit)

11
Security Requirements Engineering Giorgini
  • Object-level modeling
  • re-use requirements framework
  • i/Tropos, KAOS, UML
  • hard to model more general rules
  • Meta-level modeling
  • add new linguistic constructs
  • UMLSec Jürjens, Secure UML Lodderstedt
  • integration with MDA

12
Observation Users Own Data
  • Navigate relations between tables/classes
  • Restrict access
  • columns/fields
  • methods
  • OO-Views
  • Parameterized Views Roichman
  • Anchor entity/object

13
Temporal Logic
  • View solution after assignment submitted
  • Can submit assignment only once
  • Temporal Logic of Actions vs. Interval Temporal
    Logic Janicke
  • Traces in database
  • certain object exists
  • AC decision depends on current system state

14
Modeling Implementation Level
  • Reachability in relations graph
  • O(n)
  • n objects in transitive closure (own
    objects)
  • caching
  • AC method/fields through facades
  • additional call indirection
  • static check
  • Existence of traces
  • O(1) hashes, DB indices

15
Implementation
  • specify trace for each temporal quantifier
  • specify navigation graph for each subject role
  • Manual
  • specify object level rules
  • verify correctness Hu
  • Automatic
  • generate code

16
Conclusion
  • Time-of-Check-Time-of-Use
  • Web application partially untrusted
  • Separate access control from application code
  • Metamodel
  • Efficient implementation
  • Code generation

17
References
  • Pfleeger C. P. Pfleeger, S. Lawrence Pfleeger
    Security in Computing, 4th ed, Prentice Hall PTR,
    2006.
  • Giogini P. Giorgini, F. Massaci, N. Zannone
    Security and Trust Requirements Engineering.
  • Jürjens J. Jürjens Secure Systems Development
    with UML, Springer Verlag, 2004.
  • Lodderstedt T. Lodderstedt, D. Basin, J. Doser
    A UML-based Modeling Language for Model Driven
    Security, in Proc. of UML02, LNCS 2460, Springer
    Verlag, 2002.
  • Roichman A. Roichman, E. Gudes Fine-grained
    Access Control to Web Databases, in Proc. of
    SACMAT07, ACM, 2007.
  • Janicke H. Janicke, A. Cau, H. Zedan A note on
    the formalization of UCON, in Proc. of SACMAT07,
    ACM, 2007.
  • Hu H.Hu, G.-J. Ahn Enabling Verification and
    Conformance Testing for Access Control Model, in
    Proc. of SACMAT08, ACM, 2008.
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Access Control in Web Applications" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!