Title: Access Control in Web Applications
1 Access Control in Web Applications
- Peter Trommler
- Faculty of Computer Science
- Georg Simon Ohm University Nuremberg, Germany
2 Agenda
- Programming errors and security
- Access control engineering
- Metamodel
- Implementation
3 Context
- Web applications access corporate databases
- Hundreds if not thousands of vulnerabilities
- Vulnerabilities are symptoms
- Few root causes
4 Types of Programming Errors [Pfleeger]
- Buffer overflow
- int a[3]; a[3] = 1;
- Incomplete mediation
- "February 30"
- "4,99999999999995" (a price with more precision than the application handles)
- Code injection (SQL, shell, ...)
- Time-of-Check-Time-of-Use
- back-end identifiers (primary keys) handed to the client
- no check on the parameter when the client returns it
5 Motivation
<form action="../../action/order.php4" method="post" name="artikel_0">
<input type="hidden" name="articleTitle" value="Card Reader Combo USB read/write">
<input type="hidden" name="articleVAT" value="16">
<input type="hidden" name="articleItem_Number" value="250001">
<input type="hidden" name="articlePrice" value="49,90 EUR">
<input type="hidden" name="articleCategory" value="/Angebote">
- Price, VAT and category are checked on the server, sent through the client as hidden fields, and trusted again when the order is posted: the client can edit any of them in between (Time-of-Check-Time-of-Use)
6 Solution
<form action="../../action/order.php4" method="post" name="artikel_0">
<input type="hidden" name="articleTitle" value="Card Reader Combo USB read/write">
<input type="hidden" name="articleVAT" value="16">
<input type="hidden" name="articleItem_Number" value="250001">
<input type="hidden" name="articlePrice" value="49,90 EUR">
<input type="hidden" name="articleCategory" value="/Angebote">
<input type="hidden" name="articlec" value="fba45a02ebd931ce30a90fe18d263578">
- articlec: a hash over the hidden fields issued by the server; on submission the server recomputes it and rejects the order if the posted fields no longer match
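The slides show the shop's PHP form but not the server side. The following is an added example, not code from the talk: a Python reconstruction of both the trusting order handler (slide 5) and the checked one (slide 6). It assumes HMAC-SHA256 with a server-held key for articlec (the slide only shows a 32-hex-digit value and does not say how it is computed; an unkeyed hash over fields the client can see could simply be recomputed after tampering). The key, the article and the two request bodies are constructed for the demo.

```python
import hashlib
import hmac
from html import escape
from urllib.parse import parse_qs, urlencode

# Constructed for the example; a real shop would use a per-deployment secret.
SERVER_KEY = b"demo-secret-key-not-for-production"
SIGNED_FIELDS = ("articleTitle", "articleVAT", "articleItem_Number",
                 "articlePrice", "articleCategory")

# The article as the shop knows it at time of check (values from slide 5).
ARTICLE = {
    "articleTitle": "Card Reader Combo USB read/write",
    "articleVAT": "16",
    "articleItem_Number": "250001",
    "articlePrice": "49,90 EUR",
    "articleCategory": "/Angebote",
}


def field_mac(fields: dict) -> str:
    """Keyed MAC over the signed fields in a fixed order. Each value is
    length-prefixed so that shifted field boundaries cannot collide."""
    h = hmac.new(SERVER_KEY, digestmod=hashlib.sha256)
    for name in SIGNED_FIELDS:
        value = fields[name].encode("utf-8")
        h.update(name.encode("utf-8") + len(value).to_bytes(4, "big") + value)
    return h.hexdigest()


def signed_fields(article: dict) -> dict:
    """Time of check: the fields the server hands to the client, plus the
    MAC that binds them together (the slide's 'articlec')."""
    fields = {name: article[name] for name in SIGNED_FIELDS}
    fields["articlec"] = field_mac(fields)
    return fields


def render_hidden_inputs(article: dict) -> str:
    """The hidden inputs as they would appear in the order form."""
    return "\n".join(
        f"<input type='hidden' name='{escape(n, quote=True)}' "
        f"value='{escape(v, quote=True)}'>"
        for n, v in signed_fields(article).items())


def _form(body: str) -> dict:
    return {k: v[0] for k, v in parse_qs(body).items()}


def order_unchecked(body: str) -> dict:
    """Time of use as in slide 5: whatever the client posted is the price."""
    f = _form(body)
    return {"item": f["articleItem_Number"], "price": f["articlePrice"]}


def order_checked(body: str):
    """Time of use as in slide 6: accept the posted fields only if they still
    carry the MAC the server issued; otherwise reject the transaction."""
    f = _form(body)
    if "articlec" not in f or any(n not in f for n in SIGNED_FIELDS):
        return None
    if not hmac.compare_digest(field_mac(f), f["articlec"]):
        return None
    return {"item": f["articleItem_Number"], "price": f["articlePrice"]}


# Constructed request bodies: an honest submit, and one where the client
# edited the hidden price before posting.
HONEST_BODY = urlencode(signed_fields(ARTICLE))
TAMPERED_BODY = urlencode({**signed_fields(ARTICLE), "articlePrice": "0,01 EUR"})

if __name__ == "__main__":
    print(render_hidden_inputs(ARTICLE))
    print("unchecked:", order_unchecked(TAMPERED_BODY))
    print("checked:  ", order_checked(TAMPERED_BODY))
```

The MAC proves that the server issued these five values together, which is exactly what the tampered request lacks. It does not stop a client from replaying a complete, correctly signed set of fields from an earlier price; the more robust variant of the slide's idea is to send only the item number through the client and look the price up server-side at time of use.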
7 Challenges
- Access control decisions everywhere
- Difficult to
- check completeness
- audit for correctness
- read and understand
- Dependencies on other code
- Goal: separate access control from application code
8 Protection Mechanisms
- Reject illegal transactions
- Interception mechanism
- Interception points (figure): Internet → Application Firewall → Filtering Servlet → AOP / MDA before- and after-method advice → Parameterized Views / SQL Screening
9 Business Rule or Security?
- Show the list of a customer's accounts
- omit one: business error
- show one too many: security error
- Many business rules have a security flavour
- Challenge: extract the security requirements from them
10 Access Control Engineering
- Identify access control requirements early
- Refine them together with the functional requirements
- Automate steps
- Verify correctness of refinements
- Manually review the rule set (audit)
11 Security Requirements Engineering [Giorgini]
- Object-level modeling
- re-use a requirements framework
- i*/Tropos, KAOS, UML
- hard to model more general rules
- Meta-level modeling
- add new linguistic constructs
- UMLsec [Jürjens], SecureUML [Lodderstedt]
- integration with MDA
12 Observation: Users Own Data
- Navigate relations between tables/classes
- Restrict access to
- columns/fields
- methods
- OO views
- Parameterized views [Roichman]
- Anchor entity/object: the subject's own record, from which navigation starts
13 Temporal Logic
- View the solution only after the assignment has been submitted
- Can submit an assignment only once
- Temporal Logic of Actions vs. Interval Temporal Logic [Janicke]
- Traces in the database
- a certain object exists
- AC decision depends on the current system state
14 Modeling: Implementation Level
- Reachability in the relations graph
- O(n), n = objects in the transitive closure (the subject's own objects)
- caching
- AC on methods/fields through facades
- additional call indirection
- static check
- Existence of traces
- O(1) with hashes, DB indices
15 Implementation
- Specify a trace for each temporal quantifier
- Specify a navigation graph for each subject role
- Manual
- specify object-level rules
- verify correctness [Hu]
- Automatic
- generate code
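Slides 12 to 15 describe the metamodel as data (a navigation graph per role, traces for the temporal quantifiers, object-level rules) and slide 8 the interception point that keeps the decision out of the application code. The following is an added example, not the talk's generated code: a Python in-memory model of the assignment scenario from slide 13 with ownership computed by reachability from the anchor object (cached, as slide 14 suggests), traces held in a set for O(1) lookup, and a before-method guard in the role of the AOP advice. The tables, rows, roles and rules are constructed for the demo.

```python
from collections import defaultdict, deque
from functools import lru_cache, wraps

# Constructed rows: (table, id) -> foreign keys {referenced table: id}.
ROWS = {
    ("Student", 1): {},
    ("Student", 2): {},
    ("Course", 7): {},
    ("Course", 8): {},
    ("Enrolment", 20): {"Student": 1, "Course": 7},
    ("Enrolment", 21): {"Student": 2, "Course": 8},
    ("Assignment", 100): {"Course": 7},
    ("Assignment", 101): {"Course": 8},
    ("Solution", 500): {"Assignment": 100},
}

# Navigation graph per subject role: the relation edges a subject may follow
# outward from its anchor object. Edges not listed are invisible to the role
# even though the foreign keys exist.
NAVIGATION = {
    "student": {("Student", "Enrolment"), ("Enrolment", "Course"),
                ("Course", "Assignment"), ("Assignment", "Solution")},
}

# Traces: facts recorded once and looked up in O(1) through a set; in a real
# system an index on the trace table plays this role.
TRACES: set = set()


def adjacency():
    """Undirected neighbour map derived from the foreign keys, so a row can
    be navigated from the row it references and vice versa."""
    adj = defaultdict(set)
    for row, fks in ROWS.items():
        for table, fk_id in fks.items():
            adj[row].add((table, fk_id))
            adj[(table, fk_id)].add(row)
    return adj


@lru_cache(maxsize=None)
def own_objects(role: str, anchor: tuple) -> frozenset:
    """Transitive closure of the role's navigation graph from the anchor:
    O(n) in the number of owned objects, hence cached per (role, anchor).
    The cache must be cleared whenever ROWS change."""
    allowed, adj = NAVIGATION[role], adjacency()
    seen, queue = {anchor}, deque([anchor])
    while queue:
        cur = queue.popleft()
        for nxt in adj[cur]:
            if (cur[0], nxt[0]) in allowed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return frozenset(seen)


def has_trace(kind, anchor, target) -> bool:
    return (kind, anchor, target) in TRACES


def assignment_of(solution):
    return ("Assignment", ROWS[solution]["Assignment"])


# Object-level rules with a temporal quantifier, expressed over traces:
# view a solution only after submitting; submit only once.
RULES = {
    ("view", "Solution"): lambda anchor, obj: has_trace("submitted", anchor, assignment_of(obj)),
    ("submit", "Assignment"): lambda anchor, obj: not has_trace("submitted", anchor, obj),
}


def permitted(subject, action, obj) -> bool:
    """The single decision point: ownership (navigation) first, then the
    object-level rule for this action, if there is one."""
    role, anchor = subject
    if obj not in ROWS or obj not in own_objects(role, anchor):
        return False
    rule = RULES.get((action, obj[0]))
    return True if rule is None else bool(rule(anchor, obj))


def guarded(action, table):
    """Before-method interception: the application method never sees a call
    the policy rejected and contains no access control code itself."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(subject, obj_id, *args, **kwargs):
            if not permitted(subject, action, (table, obj_id)):
                raise PermissionError(f"{subject[1]} may not {action} {(table, obj_id)}")
            return fn(subject, obj_id, *args, **kwargs)
        return wrapper
    return decorate


@guarded("view", "Solution")
def view_solution(subject, solution_id):
    return f"solution {solution_id}"


@guarded("submit", "Assignment")
def submit_assignment(subject, assignment_id, text):
    TRACES.add(("submitted", subject[1], ("Assignment", assignment_id)))
    return "submitted"


def run_demo():
    """Exercise the rules in order; returns what each call produced."""
    s1, s2 = ("student", ("Student", 1)), ("student", ("Student", 2))
    out = []
    for call in (lambda: view_solution(s1, 500),           # before submitting
                 lambda: submit_assignment(s1, 100, "x"),
                 lambda: submit_assignment(s1, 100, "y"),  # second time
                 lambda: view_solution(s1, 500),           # after submitting
                 lambda: view_solution(s2, 500)):          # not reachable
        try:
            out.append(call())
        except PermissionError:
            out.append("denied")
    return out


if __name__ == "__main__":
    print(run_demo())
```

Everything a reviewer has to audit sits in NAVIGATION, TRACES and RULES; view_solution and submit_assignment carry no checks of their own, which is the separation slide 7 asks for, and the guard is what a code generator would emit from the rule set.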
16 Conclusion
- Time-of-Check-Time-of-Use
- Web application partially untrusted
- Separate access control from application code
- Metamodel
- Efficient implementation
- Code generation
17 References
- [Pfleeger] C. P. Pfleeger, S. Lawrence Pfleeger: Security in Computing, 4th ed., Prentice Hall PTR, 2006.
- [Giorgini] P. Giorgini, F. Massacci, N. Zannone: Security and Trust Requirements Engineering.
- [Jürjens] J. Jürjens: Secure Systems Development with UML, Springer Verlag, 2004.
- [Lodderstedt] T. Lodderstedt, D. Basin, J. Doser: A UML-based Modeling Language for Model Driven Security, in Proc. of UML 2002, LNCS 2460, Springer Verlag, 2002.
- [Roichman] A. Roichman, E. Gudes: Fine-grained Access Control to Web Databases, in Proc. of SACMAT 2007, ACM, 2007.
- [Janicke] H. Janicke, A. Cau, H. Zedan: A Note on the Formalization of UCON, in Proc. of SACMAT 2007, ACM, 2007.
- [Hu] H. Hu, G.-J. Ahn: Enabling Verification and Conformance Testing for Access Control Model, in Proc. of SACMAT 2008, ACM, 2008.