Static Analysis of Role-Based Access Control in J2EE Applications
TAV–WEB 2004
Gleb Naumovich and Paolina Centonze
Department of Computer and Information Science, Polytechnic University
[email protected] & [email protected]
Posted 21-Dec-2015

Transcript of the slides, with the speaker notes

Page 1

Static Analysis of Role-Based Access Control in J2EE Applications, TAV–WEB 2004
Gleb Naumovich and Paolina Centonze, Department of Computer and Information Science, Polytechnic University

Page 2

Introduction

• New technique for security analysis of J2EE applications

• It identifies situations in which too much or too little access is given to security sensitive resources

• It uses static analysis to analyze J2EE programs and access control policies with respect to security-sensitive EJB fields

Speaker notes (Paolina Centonze):
So here is where I should also introduce how our work is connected with Web Services. So I will say that most of the time Web Services are implemented as EJBs, and our work applies in particular to role-based access control of J2EE-based Web Services.
Page 3

Architecture of J2EE Applications

[Figure: architecture of J2EE applications. Client tier -> (HTTP/HTTPS) -> Web tier: HTTP server -> (HTTP or proprietary protocol) -> servlet container with servlets/JSPs -> (RMI-IIOP) -> Business tier: EJB container with enterprise beans (invoked over RMI-IIOP or locally) -> (JDBC) -> Information System tier: database.]

Speaker notes (Paolina Centonze):
Here I introduce that our analysis deals either with EJB method invocations through RMI-IIOP (remote invocation) or with local EJB method invocations, meaning in the same container.
Page 4

Role-Based Access Control in J2EE

• In J2EE, resources are EJB methods, servlets, JSPs, and URLs

• Developers and deployers must determine:

– Which roles make sense for an application

– Which EJB methods and Web resources each role should be allowed to call

[Figure: roles r1, r2, r3 mapped to protected resources.]

Speaker notes (Paolina Centonze):
SLIDE 4: here I will introduce the general idea of role-based access control. Some definitions:
1. A user is an entity to which some or all access rights to protected resources are given.
2. A permission is the right to give access to protected resources to users.
3. A role is a set of permissions.
4. A group is a set of users.
Here I should say that in our analysis we focus only on protecting EJB methods. Note: in J2SE the resources that can be protected are files, sockets, the OS, the JVM, etc., and the one who enforces those permission accesses is the security manager. So by default nobody has the right to access those resources, but as soon as the security manager is set, only those specified users can access those resources (JAAS). So for this reason it is said that permissions are positive. In J2EE, in addition to this option, we have the possibility to protect other resources (EJB methods, servlets, JSPs, and URLs). If no access control is enforced on those resources, then all users (any role defined in the access policy) can access those protected resources. But as soon as access is restricted, then only those roles can access those protected resources. Here I should define role-based access control. Here I should mention that in our analysis we consider only protecting EJB methods. Since r4 has not been mapped to any protected resources, this specific role may access only unprotected resources.
Page 5

EJB Interface and Implementation

Remote interface:

    public interface Gradebook extends javax.ejb.EJBObject {
        public Grade getGrade(Student s, Homework h) throws RemoteException;
        public Map getAllGrades(Student s) throws RemoteException;
        public void addHomework(Homework h) throws RemoteException;
        public void removeHomework(Homework h) throws RemoteException;
        public Set homeworks() throws RemoteException;
        public void setGrade(Grade g, Student s, Homework h) throws RemoteException;
    }

EJB class:

    public class StoreBean implements javax.ejb.EntityBean {
        private Set homeworks;
        private Map studentsToHomeworksToGrades;

        public Grade getGrade(Student s, Homework h) {
            if (!this.homeworks.contains(h))
                throw new NoSuchHomeworkException(h);
            log();
            return (Grade) ((Map) this.getAllGrades(s)).get(h);
        }

        public Map getAllGrades(Student s) {
            Map result = (Map) this.studentsToHomeworksToGrades.get(s);
            if (result == null)
                throw new NoSuchStudentException(s);
            return result;
        }

        // Not declared in the remote interface: not callable directly by a client
        public void log() {
            // ...
        }

        // Other remote methods implemented here
    }

[Figure: the client calls getGrade() and getAllGrades() on the remote interface; the EJB class implements getGrade(), getAllGrades() and log().]

Speaker notes (Paolina Centonze):
Here I should say more clearly the introduction of EJB interfaces. The main idea here is to say: each EJB application has EJB interfaces that are used for all communications between EJB objects and clients. This is possible by making calls to EJB methods that are declared in EJB interfaces. So in this way it is possible to protect the access to sensitive data through these EJB interfaces. In fact, only those EJB methods that are declared in the EJB interfaces can be accessed directly by a client. On the right side there is an example of a bean class, which is used for any EJB application. It contains the implementation of all the EJB methods that are declared in the EJB interfaces. However, it can contain other methods that are not declared in the EJB interface, so those methods cannot be called directly by a client, as I have in the example. So this is important for our analysis because our entry points will be only those methods declared in the EJB interfaces. (That is just a note: each EJB class is associated with a Home interface (object) that can be used by clients to obtain references to EJB interface objects corresponding to the EJB objects of this class. So an EJB home is thus a factory object from the perspective of clients.)
Page 6

J2EE Access Policy

[Figure: roles Student and Professor; a client calls the Gradebook interface methods addHomework(), removeHomework(), homeworks(), getGrade(), setGrade() and getAllGrades().]

    <assembly-descriptor>
      <security-role>
        <description>Students</description>
        <role-name>Student</role-name>
      </security-role>
      <security-role>
        <description>Teachers</description>
        <role-name>Professor</role-name>
      </security-role>
      <method-permission>
        <role-name>Professor</role-name>
        <method>
          <ejb-name>Gradebook</ejb-name>
          <method-name>addHomework</method-name>
        </method>
        <method>
          <ejb-name>Gradebook</ejb-name>
          <method-name>removeHomework</method-name>
        </method>
        <method>
          <ejb-name>Gradebook</ejb-name>
          <method-name>setGrade</method-name>
        </method>
        <method>
          <ejb-name>Gradebook</ejb-name>
          <method-name>getAllGrades</method-name>
        </method>
      </method-permission>
    </assembly-descriptor>

[The Gradebook remote interface from page 5 is shown beside the descriptor.]

Page 7

Limitation of the J2EE Access Control Model

• Today, access control is defined in terms of operations on components, instead of data encapsulated and used by the components

• This potential inconvenience may lead to security problems and our work intends to solve it

Speaker notes (Paolina Centonze):
SLIDE 7: I will say that later I will give specific examples of what we mean by security holes, or maybe I can just say very quickly that by security holes we mean security problems in which some protected data has been accessed by some untrusted users.
Page 8

Access Control on Methods May Create Security Problems

• Multiple methods for reading and writing the same data

[Figure: the roles Student and Professor are granted many methods (setGrade(), getAllGrades(), removeGrade(), getHomeworkGrades(), modifyGrade(), getMidtermGrades(), setData(), getFinalGrades()), all of which read or write the single security-sensitive field grades.]

Page 9

Access Control on Data Can Enhance Security

• Access control on data can be more straightforward and convenient, and less error prone

[Figure: security-sensitive field grades; Professor has read,write permission on it, Student has read.]

Speaker notes (Paolina Centonze):
SLIDE 9: Here I will say that access control directly on data is more natural and so less error prone. It would be nice if J2EE offered access control on data. The deployer would just have to select the field grades and give Professor read and write permission on it, and Student only read permission. An inconsistency such as the one seen in the previous slide could not happen.
Page 10

Static Analysis Can Help Validate Existing Policies

• Even when access control is specified on the basis of methods, it may still be useful to validate the security policy based on the data accessed by these methods

[Figure: security-sensitive field grades with the roles Student and Professor, and the methods setGrade(), getAllGrades(), removeGrade(), getHomeworkGrades(), modifyGrade(), getMidtermGrades(), setData(), getFinalGrades() that access it.]

Speaker notes (Paolina Centonze):
SLIDE 10: Here I should make clear that even in the case where access is specified on operations, our static analysis will help the analyst and the deployer to identify which methods access this data. For example, the method setData() has a name that seems to have nothing to do with grades, yet it writes the field grades.
Page 11

Steps of Our Analysis

[Figure: steps of the analysis. The bytecode to be analyzed is input to the Static Analyzer, which consists of a Points-to Analyzer (output: points-to graph) feeding a J2EE Security Analyzer. The deployer/analyst supplies the J2EE access policy as input; the outputs are the EJB fields written/read and the inconsistencies/security problems.]

Page 12

APE Graph

• Our analysis requires computation of which EJB fields may be read and/or modified by an EJB method

• It uses a points-to graph for computing this information

• The specific graph used is the Annotated Points-to Escape (APE) graph of Souter and Pollock

– A. L. Souter and L. L. Pollock. The construction of contextual def-use associations for object-oriented systems. IEEE Trans. Softw. Eng., 29(11):1005–1018, 2003

• For our approach to be useful, we also have to analyze fields of primitive types

Speaker notes (Paolina Centonze):
SLIDE 11: here be ready to answer some questions: 1) What is a points-to graph? It is a specific graph created by points-to analysis, which returns the set of objects a reference variable may point to during run time.
Page 13

Example of an APE Graph

[Figure: APE graph for method getAllGrades(), with objects o1 to o5, the variables this, s and result, the field edge studentsToHomeworksToGrades, and edges labeled load and entry.]

    public class StoreBean implements javax.ejb.EntityBean {
        private Map studentsToHomeworksToGrades;
        // ...
        public Map getAllGrades(Student s) {
            Map result = (Map) this.studentsToHomeworksToGrades.get(s);
            if (result == null)
                throw new NoSuchStudentException(s);
            return result;
        }
        // ...
    }
Page 14

Read/Write for EJB Fields

[Figure: a thread executing m, with m, m1 and m2 on the call stack; the write/read of field f happens in m2 while m is still on the stack.]

An EJB field f is read/written by a method m if the value of f is accessed/modified by the thread executing m while m is on the call stack

Speaker notes (Paolina Centonze):
SLIDE 13: here I should give a more precise example for this picture.
Page 15

Field Sequences

    public class Semester implements EntityBean {
        Course calculus;
        // ...
    }

    public class Course {
        Student assistant;
        // ...
    }

    public class Student {
        String name;
        int ssn;
        // ...
    }

[Figure: the field sequence calculus, assistant, name: object o1 (the Semester EJB) -calculus-> o2 -assistant-> o3 -name-> o4.]

• It is important to analyze the reads/writes of fields of objects that are referenced by EJB fields, besides the EJB fields themselves

• A field sequence f0,f1,…,fk is a series of field dereferences, where f0 is an EJB field and, for i=1,…,k, fi is a field in one of the possible classes of the object referenced by fi–1

• Essentially, f0,f1,…,fk represents objects that can potentially be reached from an EJB object via a number of field dereferences

Speaker notes (Paolina Centonze):
Just make sure that the figure is correct. Here don't spend any time talking about the example on the left, just talk about the definitions.
Page 16

Determining Whether a Field Sequence May Be Written by a Method

• A field sequence f0,f1,…,fk is written by a method m if a prefix f0,…,fj, j ≤ k, of this sequence is present in the APE graph for m and the edge for fj is labeled store

[Figure: scenario: APE graph before the statement t.f2 = u, with objects o0 to o6, the EJB field f0 leaving o0, field edges f1, f2, f3 labeled load, and a store edge for f2 from the object t points to, to the object u points to. Field sequences written: f0,f1,f2 and f0,f1,f2,f3. Field sequences partially written: f0 and f0,f1.]

Page 17

Determining Whether a Field Sequence May Be Read by a Method

• f0,f1,…,fk is read by a method m if this sequence is present in the APE graph and the edge for fk is labeled with load

[Figure: APE graph after the statement u = t.f3, with objects o0 to o5, the EJB field f0 leaving o0, field edges f1, f2, f3 labeled load and a further edge f4; t points to the object reached by f2, u to the object reached by f3. Field sequences read: f0,f1,f2,f3. Field sequences partially read: f0; f0,f1; f0,f1,f2.]
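The written/read determination of these two slides, as an added Python example that is not the paper's implementation. The edge lists are constructed from the two figures, and the treatment of the proper prefixes of an accessed sequence as "partially" written or read follows what the figures report.

```python
# Added example, not from the paper: classify field sequences reachable from
# an EJB object as written / partially written / read / partially read,
# following the definitions on the "Field Sequences" slides. Node names
# o0..o6 and fields f0..f3 are the slides' labels; the edge lists below are
# constructed to match the two figures (before t.f2 = u, after u = t.f3).
from collections import defaultdict

def build_graph(edges):
    """edges: (source_node, field, label, target_node); label is 'load' or 'store'."""
    graph = defaultdict(list)
    for src, field, label, dst in edges:
        graph[src].append((field, label, dst))
    return graph

def field_sequences(graph, ejb_object):
    """Walk every field path from the EJB object's node and return
    (written, partially_written, read, partially_read) as sets of tuples."""
    written, partially_written, read, partially_read = set(), set(), set(), set()

    def walk(node, seq, labels, seen):
        if node in seen:                      # APE graphs can be cyclic
            return
        seen = seen | {node}
        for field, label, dst in graph[node]:
            new_seq, new_labels = seq + (field,), labels + (label,)
            if "store" in new_labels:
                # some prefix f0..fj ends in a store edge: the sequence is written
                written.add(new_seq)
                if label == "store":
                    # the load-only prefixes leading to the store are partially written
                    for j in range(1, len(new_seq)):
                        partially_written.add(new_seq[:j])
            walk(dst, new_seq, new_labels, seen)
        if seq and not graph[node] and "store" not in labels:
            # maximal load-only path: the slide reports it as read and its
            # proper prefixes as partially read
            read.add(seq)
            for j in range(1, len(seq)):
                partially_read.add(seq[:j])

    walk(ejb_object, (), (), frozenset())
    return written, partially_written, read, partially_read

# Constructed edge lists for the two slide figures (EJB field f0 leaves o0).
BEFORE_STORE = [("o0", "f0", "load", "o1"), ("o1", "f1", "load", "o2"),
                ("o2", "f2", "store", "o5"), ("o5", "f3", "load", "o6")]
AFTER_LOAD = [("o0", "f0", "load", "o1"), ("o1", "f1", "load", "o2"),
              ("o2", "f2", "load", "o3"), ("o3", "f3", "load", "o4")]

def analyze(edges, ejb_object="o0"):
    """Return the four classifications as sorted 'f0,f1,...' strings."""
    w, pw, r, pr = field_sequences(build_graph(edges), ejb_object)
    fmt = lambda seqs: sorted(",".join(s) for s in seqs)
    return {"written": fmt(w), "partially written": fmt(pw),
            "read": fmt(r), "partially read": fmt(pr)}

if __name__ == "__main__":
    print("before t.f2 = u:", analyze(BEFORE_STORE))
    print("after u = t.f3: ", analyze(AFTER_LOAD))
```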

Page 18

Action of the J2EE Security Analyzer

[Figure: the pipeline of page 11, with the J2EE Security Analyzer combining two inputs, the roles-to-methods mapping from the J2EE access policy and the methods-to-fields-and-access-modes mapping from the EJB field sequences (R/W), into a roles-to-methods-to-fields-and-access-modes mapping; the deployer/analyst receives the inconsistencies/security problems. Example entry: Student -> setGrade() -> grades (write).]

Speaker notes (Paolina Centonze):
As I have shown before in the steps of our analysis, the EJB field sequences are a mapping of methods to field sequences (w/r), and the J2EE access policy is another mapping of roles to methods. Now these two mappings together will be given to the J2EE Security Analyzer, which will give us another mapping of roles to methods to fields, so that the analyst can have a better understanding of whether there are any inconsistencies, such as the following: if the role Student has been mapped to the method setGrade(), which accesses the field grades, that may be an indication of a security problem if the intention was to protect the field grades from being written by the role Student.
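The composition the speaker notes describe, as an added Python example that is not the authors' tool. The ejb-jar.xml fragment, the analyzer's method-to-field results and the intended field-level policy are constructed from the values on the slides; the rule that a method named in no method-permission is callable by every declared role comes from the notes on page 4.

```python
# Added example, not the authors' tool: compose a J2EE method-permission
# policy with the static analyzer's method -> (field, access mode) results
# into the roles -> methods -> fields mapping of slide 18, and flag accesses
# that an intended field-level policy does not grant.
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed ejb-jar.xml fragment for the "Current Access Control" slide:
# both roles may call setGrade(), getAllGrades() and setData().
ASSEMBLY_DESCRIPTOR = """
<assembly-descriptor>
  <security-role><role-name>Student</role-name></security-role>
  <security-role><role-name>Professor</role-name></security-role>
  <method-permission>
    <role-name>Professor</role-name>
    <role-name>Student</role-name>
    <method><ejb-name>Gradebook</ejb-name><method-name>setGrade</method-name></method>
    <method><ejb-name>Gradebook</ejb-name><method-name>getAllGrades</method-name></method>
    <method><ejb-name>Gradebook</ejb-name><method-name>setData</method-name></method>
  </method-permission>
</assembly-descriptor>
"""

# Constructed stand-in for the analyzer's output (method -> {(field, mode)});
# as on slide 10, setData() writes grades although its name does not say so.
# getHomeworkGrades() is deliberately absent from the descriptor above.
METHOD_FIELD_ACCESS = {
    "setGrade": {("grades", "write")}, "getAllGrades": {("grades", "read")},
    "setData": {("grades", "write")}, "getHomeworkGrades": {("grades", "read")},
}
# Intended data-level policy from the "Access Control on Data" slide.
FIELD_POLICY = {"Professor": {("grades", "read"), ("grades", "write")},
                "Student": {("grades", "read")}}

def roles_to_methods(descriptor_xml, all_methods):
    """Role -> EJB methods it may call. A method named in no method-permission
    is unprotected and, per the notes, callable by every declared role."""
    root = ET.fromstring(descriptor_xml.strip())
    roles = [r.findtext("role-name") for r in root.findall("security-role")]
    granted = defaultdict(set)
    for mp in root.findall("method-permission"):
        for role in [r.text for r in mp.findall("role-name")]:
            granted[role] |= {m.findtext("method-name") for m in mp.findall("method")}
    protected = set().union(*granted.values())
    for role in roles:
        granted[role] |= set(all_methods) - protected
    return dict(granted)

def roles_to_fields(descriptor_xml, method_access):
    """Role -> {(method, field, mode)}: the composed mapping of slide 18."""
    composed = defaultdict(set)
    for role, methods in roles_to_methods(descriptor_xml, method_access).items():
        for method in methods:
            for field, mode in method_access.get(method, ()):
                composed[role].add((method, field, mode))
    return dict(composed)

def inconsistencies(descriptor_xml, method_access, field_policy):
    """Sorted (role, method, field, mode) where the role reaches the field in
    a mode the intended field-level policy does not allow."""
    return sorted((role, m, f, mode)
                  for role, accesses in roles_to_fields(descriptor_xml, method_access).items()
                  for m, f, mode in accesses
                  if (f, mode) not in field_policy.get(role, set()))

if __name__ == "__main__":
    for role, m, f, mode in inconsistencies(ASSEMBLY_DESCRIPTOR, METHOD_FIELD_ACCESS, FIELD_POLICY):
        print("%s may call %s(), which %ss field %s" % (role, m, mode, f))
```

On the constructed inputs the report lists Student writing grades through setGrade() and setData(); the Professor rows and every read access are consistent with the field policy.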
Page 19

Computing Field Sequences Accessed By EJB Methods

[Figure: table mapping the EJB methods m1, m2, m3 to their field sequences, grouped as read (e.g. f0,f1 and f0,f3,f5), partially read (e.g. f2,f3,f4 and f4,f2,f5,f7), written (e.g. f2,f3,f4) and partially written (e.g. f4,f2,f5,f7 and f0).]

Page 20

Potential Inconsistencies Detected And Reasons

• An inconsistency may indicate that:

1. Professor should have been granted access to method m3

2. Professor should not have been granted access to method m1

3. m1 contains a bug: it should not have accessed field grades

4. m3 contains a bug: it should have accessed another security sensitive field, address

[Figure: the role Professor is granted method m1 but not m3; both m1 and m3 write the security-sensitive fields grades, ssn and salary; the field address is shown separately.]

Page 21 (slide 22)

Current Access Control in J2EE

    METHODS          ROLES
    setGrade()       Professor, Student
    getAllGrades()   Professor, Student
    setData()        Professor, Student

Page 22 (slide 23)

Future Work

• Implement our technique as a tool with a GUI that presents problems to the analysts

• Implement a J2EE deployment tool that allows a deployer to specify role-based access control policies in terms of fields, not only methods

• The tool will convert specifications based on fields to specifications based on methods using a dependency analysis similar to the one described

• Experiment with a variety of Web applications to evaluate the tool’s usefulness

    FIELDS   READ                 WRITE
    grades   Professor, Student   Professor, Student
    ssn      Professor, Student   Professor, Student

Page 23 (slide 26)

For More Information

• e-mail to: [email protected] & [email protected]

Thank you for your presence and participation!