
Access Control in Web Applications Peter Trommler Faculty of Computer Science Georg Simon Ohm University Nuremberg, Germany U = R I.


Presentation transcript:

1 Access Control in Web Applications
Peter Trommler, Faculty of Computer Science, Georg Simon Ohm University Nuremberg, Germany
U = R I

2 Agenda (Prof. Dr. Peter Trommler, Faculty of Computer Science, www.ohm-university.eu)
- Programming errors and security
- Access control engineering
- Metamodel
- Implementation

3 Context
- Web applications access corporate databases
- Hundreds if not thousands of vulnerabilities
- Vulnerabilities are symptoms
- Few root causes

4 Types of Programming Errors [Pfleeger]
- Buffer overflow: int a[3]; a[3]=1;
- Incomplete mediation: February 30; 4,99999999999995; code injection (SQL, shell, ...)
- Time-of-check-time-of-use: back-end identifiers (primary key), no check on parameter returned
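The incomplete-mediation items on slide 4 (a date that does not exist, a locale-mangled decimal, SQL injection) all come down to the server accepting a parameter it never fully checked. The following is an added example, not code from the slides, showing what complete mediation of those three inputs looks like in Python; the function names, the account table and the sample values are constructed for illustration.

```python
# Added example (not from Trommler's slides): complete mediation of the three
# parameter kinds named on slide 4. Names, table layout and sample values are
# constructed for illustration.
import sqlite3
from datetime import date
from decimal import Decimal, InvalidOperation


def parse_date(text):
    """Return a date only if the ISO string names a day that exists.

    '2024-02-30' (the slide's "February 30") fails inside date(), which is the
    mediation step a regex on the format alone would skip.
    """
    try:
        year, month, day = (int(part) for part in text.split("-"))
        return date(year, month, day)
    except (ValueError, TypeError, AttributeError):
        return None


def parse_amount(text):
    """Return a Decimal money amount with at most two fractional digits.

    The slide's '4,99999999999995' is rejected twice over: the comma is not a
    valid decimal separator, and even '4.99999999999995' carries more
    precision than a money field may hold (a float round-off artefact).
    """
    try:
        value = Decimal(text)
    except (InvalidOperation, TypeError, ValueError):
        return None
    # is_finite() is checked first: comparing a NaN with < would itself raise.
    if not value.is_finite() or value < 0:
        return None
    if value.as_tuple().exponent < -2:
        return None
    return value


def setup_db():
    """In-memory SQLite table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE account (id INTEGER PRIMARY KEY, owner TEXT, balance TEXT)"
    )
    conn.executemany(
        "INSERT INTO account VALUES (?, ?, ?)",
        [(1, "alice", "10.00"), (2, "bob", "20.00")],
    )
    return conn


def accounts_for_owner(conn, owner):
    """Bound parameter: the owner string is data, never part of the statement,
    so a value such as "alice' OR '1'='1" matches no row instead of every row.
    """
    rows = conn.execute("SELECT id FROM account WHERE owner = ?", (owner,))
    return [row[0] for row in rows.fetchall()]


if __name__ == "__main__":
    print(parse_date("2024-02-30"), parse_date("2024-02-29"))
    print(parse_amount("4,99999999999995"), parse_amount("4.99"))
    conn = setup_db()
    print(accounts_for_owner(conn, "alice"),
          accounts_for_owner(conn, "alice' OR '1'='1"))
```

Each parser returns None rather than a best-effort value, so a caller cannot silently proceed with a half-validated input; the query helper shows the same principle on the database side, where the value is bound rather than concatenated.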

5 Motivation

6 "Solution"

7 Challenges
- Access control decisions everywhere
- Difficult to check: completeness, audit for correctness, read and understand
- Dependencies on other code
- Separate AC from app code

8 Protection Mechanisms
- Reject "illegal" transactions
- Interception mechanism (diagram: Internet, web application, and the interception points between them and the database): application firewall; filtering servlet; AOP, MDA before/after methods; parameterized views; SQL screening

9 Business Rule or Security
- Show list of customer's accounts: omit one: business; show one too many: security
- Many business rules have security flavor
- Challenge: extract security requirements

10 Access Control Engineering
- Identify access control requirements early
- Refine with refining of functional requirements
- Automate steps
- Verify correctness of refinements
- Manually review rule set (audit)

11 Security Requirements Engineering [Giorgini]
- Object-level modeling: re-use requirements framework (i*/Tropos, KAOS, UML); hard to model more general rules
- Meta-level modeling: add new linguistic constructs (UMLsec [Jürjens], SecureUML [Lodderstedt]); integration with MDA

12 Observation: User's "Own" Data
- Navigate relations between tables/classes
- Restrict access: columns/fields, methods
- OO-views; parameterized views [Roichman]
- Anchor entity/object

13 Temporal Logic
- View solution after assignment submitted
- Can submit assignment only once
- Temporal Logic of Actions vs. Interval Temporal Logic [Janicke]
- Traces in database: certain object exists
- AC decision depends on current system state

14 Modeling Implementation Level
- Reachability in relations graph: O(n), n = number of objects in transitive closure ("own" objects); caching
- AC on methods/fields through facades: additional call indirection; static check
- Existence of traces: O(1) (hashes, DB indices)

15 Implementation
- Specify trace for each temporal quantifier
- Specify navigation graph for each subject role
- Manual: specify object-level rules; verify correctness [Hu]
- Automatic: generate code
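Slides 12 to 15 describe one mechanism in pieces: a subject's anchor object, a navigation graph per role over the relations graph, ownership decided by reachability (O(n) in the transitive closure), and temporal rules decided by the existence of a trace (O(1) lookup). It also closes the slide 4 gap of a back-end primary key returned by the client without a check. The following is an added example, not Trommler's code or generated output, that puts those pieces together in Python; the object types, relation names, roles and ids are constructed for illustration.

```python
# Added example (not Trommler's code): an access-control check in the style
# of slides 12 to 15: a subject's anchor object, a per-role navigation graph
# over the relations graph, and database traces for temporal rules.
# Object types, relation names, roles and ids are constructed for illustration.
from collections import deque

# Constructed relations graph: (type, id) -> {relation name: [neighbours]}.
OBJECTS = {
    ("User", 1): {"enrolled_in": [("Course", 10)]},
    ("User", 2): {"enrolled_in": [("Course", 11)]},
    ("Course", 10): {"assignments": [("Assignment", 100)]},
    ("Course", 11): {"assignments": [("Assignment", 101)]},
    ("Assignment", 100): {"solution": [("Solution", 1000)]},
    ("Assignment", 101): {"solution": [("Solution", 1001)]},
    ("Solution", 1000): {},
    ("Solution", 1001): {},
}

# Navigation graph per subject role (slide 15): from each object type, which
# relations the role may follow. Unlisted edges are never traversed.
NAV_GRAPH = {
    "student": {"User": {"enrolled_in"}, "Course": {"assignments"},
                "Assignment": {"solution"}},
    "guest": {"User": {"enrolled_in"}},
}

# Traces (slide 13): (user id, assignment id) of submissions that exist.
# A set gives the O(1) existence check of slide 14; a DB index plays the
# same role in a real deployment.
SUBMISSIONS = set()


def reachable(anchor, target, role):
    """Ownership as reachability (slides 12 and 14): breadth-first search from
    the subject's anchor object along edges the role's navigation graph
    allows. Work is O(n) in the transitive closure, i.e. the objects the
    subject "owns"; anything outside it is unreachable regardless of the id
    the client sent back."""
    allowed = NAV_GRAPH.get(role, {})
    seen = {anchor}
    queue = deque([anchor])
    while queue:
        obj = queue.popleft()
        if obj == target:
            return True
        for relation, neighbours in OBJECTS.get(obj, {}).items():
            if relation not in allowed.get(obj[0], set()):
                continue
            for nxt in neighbours:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return False


def submit(user, assignment):
    """Temporal rule: submit only once. Reachability is checked before the
    trace, so a foreign assignment id is denied before any state changes."""
    if not reachable(user, assignment, "student"):
        return "denied: not reachable"
    trace = (user[1], assignment[1])
    if trace in SUBMISSIONS:
        return "denied: already submitted"
    SUBMISSIONS.add(trace)
    return "ok"


def view_solution(user, assignment):
    """Temporal rule: view the solution only after this user's submission
    exists. The decision depends on current system state (slide 13)."""
    solution = OBJECTS.get(assignment, {}).get("solution", [None])[0]
    if solution is None or not reachable(user, solution, "student"):
        return "denied: not reachable"
    if (user[1], assignment[1]) not in SUBMISSIONS:
        return "denied: not submitted yet"
    return "ok"


if __name__ == "__main__":
    alice, bob = ("User", 1), ("User", 2)
    print(submit(alice, ("Assignment", 100)))        # ok
    print(submit(alice, ("Assignment", 100)))        # denied: already submitted
    print(submit(alice, ("Assignment", 101)))        # denied: not reachable
    print(view_solution(bob, ("Assignment", 101)))   # denied: not submitted yet
```

The two decision kinds have the costs the slides give them: the reachability search visits at most the subject's own objects, while the trace lookup is a single hash probe. Because the navigation graph is data rather than code, it is the artefact an auditor reviews per role, which is the separation of access control from application code the slides argue for.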

16 Conclusion
- Time-of-check-time-of-use: web application partially untrusted
- Separate access control from application code
- Metamodel
- Efficient implementation
- Code generation

17 References
[Pfleeger] C. P. Pfleeger, S. Lawrence Pfleeger: Security in Computing, 4th ed., Prentice Hall PTR, 2006.
[Giorgini] P. Giorgini, F. Massacci, N. Zannone: Security and Trust Requirements Engineering.
[Jürjens] J. Jürjens: Secure Systems Development with UML, Springer Verlag, 2004.
[Lodderstedt] T. Lodderstedt, D. Basin, J. Doser: A UML-based Modeling Language for Model Driven Security, in Proc. of UML'02, LNCS 2460, Springer Verlag, 2002.
[Roichman] A. Roichman, E. Gudes: Fine-grained Access Control to Web Databases, in Proc. of SACMAT'07, ACM, 2007.
[Janicke] H. Janicke, A. Cau, H. Zedan: A note on the formalization of UCON, in Proc. of SACMAT'07, ACM, 2007.
[Hu] H. Hu, G.-J. Ahn: Enabling Verification and Conformance Testing for Access Control Model, in Proc. of SACMAT'08, ACM, 2008.
