Published by Charles Booker. Modified over 9 years ago.
1
Access Control in Web Applications
Peter Trommler
Faculty of Computer Science, Georg Simon Ohm University, Nuremberg, Germany
U = R I
2
Prof. Dr. Peter Trommler, Faculty of Computer Science, www.ohm-university.eu
Agenda
- Programming errors and security
- Access control engineering
- Metamodel
- Implementation
3
Context
- Web applications access corporate databases
- Hundreds if not thousands of vulnerabilities
- Vulnerabilities are symptoms
- Few root causes
4
Types of Programming Errors [Pfleeger]
- Buffer Overflow: int a[3]; a[3]=1; (index 3 is one past the end of a three-element array)
- Incomplete Mediation: February 30; 4,99999999999995; code injection (SQL, shell, ...)
- Time-of-Check-Time-of-Use: back-end identifiers (primary key); no check on parameter returned
5
Motivation
6
“Solution”
7
Challenges
- Access control decisions everywhere
- Difficult to check: completeness; audit for correctness; read and understand
- Dependencies on other code
- Separate AC from app code
8
Protection Mechanisms
- Reject “illegal” transactions
- Interception mechanism
- Diagram, interception points between the Internet and the web application's data: Application Firewall; Filtering Servlet; AOP, MDA before/after methods (inside the web application); Parameterized Views; SQL Screening
9
Business Rule or Security?
- Show list of customer’s accounts: omit one: business; show one too many: security
- Many business rules have a security flavor
- Challenge: extract security requirements
10
Access Control Engineering
- Identify access control requirements early
- Refine them together with the refinement of functional requirements
- Automate steps
- Verify correctness of refinements
- Manually review rule set (audit)
11
Security Requirements Engineering [Giorgini]
- Object-level modeling: re-use requirements framework (i*/Tropos, KAOS, UML); hard to model more general rules
- Meta-level modeling: add new linguistic constructs; UMLsec [Jürjens], SecureUML [Lodderstedt]; integration with MDA
12
Observation: User’s “Own” Data
- Navigate relations between tables/classes
- Restrict access: columns/fields; methods
- OO-Views
- Parameterized Views [Roichman]
- Anchor entity/object
13
Temporal Logic
- View solution after assignment submitted
- Can submit assignment only once
- Temporal Logic of Actions vs. Interval Temporal Logic [Janicke]
- Traces in database: certain object exists
- AC decision depends on current system state
14
Modeling Implementation Level
- Reachability in relations graph: O(n), n: # objects in transitive closure (“own” objects); caching
- AC method/fields through facades: additional call indirection; static check
- Existence of traces: O(1): hashes, DB indices
15
Implementation
- Manual: specify trace for each temporal quantifier; specify navigation graph for each subject role; specify object level rules; verify correctness [Hu]
- Automatic: generate code
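The metamodel from the last four slides (anchor object, per-role navigation graph, reachability in O(n), trace existence in O(1), object-level rules with temporal predicates) as an added, runnable example; this is not the speaker's code or generator output, and the objects, roles, relation names and the account/assignment rules are constructed to match the talk's own examples.

```python
from collections import deque

# Constructed sample data: back-end objects keyed by (type, id) with named relations.
RELATIONS = {
    ("customer", "c1"): {"owns": [("account", "a1"), ("account", "a2")]},
    ("customer", "c2"): {"owns": [("account", "a3")]},
    ("student", "s1"): {"enrolled": [("course", "k1")]},
    ("course", "k1"): {"has": [("assignment", "h1")]},
}
# Navigation graph per role: relations a subject may follow from its anchor object.
NAVIGATION = {"customer": {"owns"}, "student": {"enrolled", "has"}}
# Trace of (student, assignment) submissions; a set, like a DB index, is O(1) to query.
SUBMITTED = set()
# Object-level rules: (role, action, object type) -> temporal predicate over
# (subject id, object id), or None when reachability alone decides.
RULES = {
    ("customer", "view", "account"): None,
    ("student", "submit", "assignment"): lambda s, o: (s, o) not in SUBMITTED,
    ("student", "view_solution", "assignment"): lambda s, o: (s, o) in SUBMITTED,
}

def reachable(anchor, target, role):
    # BFS over the role's allowed relations: O(n) in the anchor's transitive closure.
    seen, queue = {anchor}, deque([anchor])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for relation, successors in RELATIONS.get(node, {}).items():
            for nxt in (successors if relation in NAVIGATION[role] else ()):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return False

def allowed(role, subject_id, action, obj):
    # Single mediation point: decides on the back-end identifier in the request and
    # the current state, never on what the client sends back.
    key = (role, action, obj[0])
    if key not in RULES or not reachable((role, subject_id), obj, role):
        return False  # default deny, or not the subject's "own" data
    return RULES[key] is None or RULES[key](subject_id, obj[1])

def submit(subject_id, assignment_id):
    # Mediated action: the trace is recorded only if the rule set allows it.
    if not allowed("student", subject_id, "submit", ("assignment", assignment_id)):
        return False
    SUBMITTED.add((subject_id, assignment_id))
    return True
```

Customer c1 can view a1 but not c2's account a3 (the "one too many" case), and student s1 can view the solution of h1 only after a single successful submit.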
16
Conclusion
- Time-of-Check-Time-of-Use: Web application partially untrusted
- Separate access control from application code
- Metamodel
- Efficient implementation
- Code generation
17
References
[Pfleeger] C. P. Pfleeger, S. Lawrence Pfleeger: Security in Computing, 4th ed., Prentice Hall PTR, 2006.
[Giorgini] P. Giorgini, F. Massacci, N. Zannone: Security and Trust Requirements Engineering.
[Jürjens] J. Jürjens: Secure Systems Development with UML, Springer Verlag, 2004.
[Lodderstedt] T. Lodderstedt, D. Basin, J. Doser: A UML-based Modeling Language for Model Driven Security, in Proc. of UML’02, LNCS 2460, Springer Verlag, 2002.
[Roichman] A. Roichman, E. Gudes: Fine-grained Access Control to Web Databases, in Proc. of SACMAT’07, ACM, 2007.
[Janicke] H. Janicke, A. Cau, H. Zedan: A note on the formalization of UCON, in Proc. of SACMAT’07, ACM, 2007.
[Hu] H. Hu, G.-J. Ahn: Enabling Verification and Conformance Testing for Access Control Model, in Proc. of SACMAT’08, ACM, 2008.