Title: Static Analysis of Role-Based Access Control in J2EE Applications
1 Static Analysis of Role-Based Access Control in J2EE Applications
- TAV-WEB 2004
- Gleb Naumovich and Paolina Centonze
- Department of Computer and Information Science
- Polytechnic University
- gleb_at_poly.edu pcento02_at_utopia.poly.edu
2 Introduction
- New technique for security analysis of J2EE applications
- It identifies situations in which too much or too little access is given to security-sensitive resources
- It uses static analysis to analyze J2EE programs and access control policies with respect to security-sensitive EJB fields
3 Architecture of J2EE Applications
Diagram: Client tier (reaching the server over HTTP/HTTPS, RMI-IIOP or a proprietary protocol) -> Web tier (HTTP server and servlet container running servlets/JSPs) -> Business tier (EJB container running enterprise beans, reached over RMI-IIOP or locally) -> Information System tier (database accessed through JDBC).
4 Role-Based Access Control in J2EE
- In J2EE, resources are EJB methods, servlets, JSPs, and URLs
- Developers and deployers must determine
  - Which roles make sense for an application
  - Which EJB methods and Web resources each role should be allowed to call
Diagram: roles r1, r2, r3 mapped to the protected resources each role may access.
5 EJB Interface and Implementation

Remote interface (what the client calls):

    import java.rmi.RemoteException;
    import java.util.Map;
    import java.util.Set;

    public interface Gradebook extends javax.ejb.EJBObject {
        public Grade getGrade(Student s, Homework h) throws RemoteException;
        public Map getAllGrades(Student s) throws RemoteException;
        public void addHomework(Homework h) throws RemoteException;
        public void removeHomework(Homework h) throws RemoteException;
        public Set homeworks() throws RemoteException;
        public void setGrade(Grade g, Student s, Homework h) throws RemoteException;
    }

EJB class (the bean implementation):

    import java.util.Map;
    import java.util.Set;

    public class StoreBean implements javax.ejb.EntityBean {
        private Set homeworks;
        private Map studentsToHomeworksToGrades;

        public Grade getGrade(Student s, Homework h) {
            if (!this.homeworks.contains(h)) {
                throw new NoSuchHomeworkException(h);
            }
            log();
            // Reads the EJB field studentsToHomeworksToGrades indirectly, via getAllGrades()
            return (Grade) ((Map) this.getAllGrades(s)).get(h);
        }

        public Map getAllGrades(Student s) {
            Map result = (Map) this.studentsToHomeworksToGrades.get(s);
            if (result == null) {
                throw new NoSuchStudentException(s);
            }
            return result;
        }

        public void log() {
            // ...
        }

        // Other remote methods implemented here
    }

Diagram: the client calls getGrade() and getAllGrades() through the remote interface; inside the EJB class, getGrade() calls getAllGrades() and log().
6J2EE Access Policy
ltassembly-descriptorgt ltsecurity-rolegt ltdescript
iongtStudentslt/descriptiongt ltrole-namegtStudentlt/r
ole-namegt lt/security-rolegt ltsecurity-rolegt lt
descriptiongtTeacherslt/descriptiongt ltrole-namegtPr
ofessorlt/role-namegt lt/security-rolegt ltmethod-per
missiongt ltrole-namegtProfessorlt/role-namegt ltmet
hodgt ltejb-namegtGradebooklt/ejb-namegt ltmethod-
namegt addHomework lt/method-namegt lt/method
gt ltmethodgt ltejb-namegtGradebooklt/ejb-namegt
ltmethod-namegt removeHomework lt/method-namegt
lt/methodgt ltmethodgt ltejb-namegtGradebooklt/ej
b-namegt ltmethod-namegt setGrade lt/method-
namegt lt/methodgt ltmethodgt ltejb-namegtGradeboo
klt/ejb-namegt ltmethod-namegtgetAllGradeslt/method-
namegt lt/methodgt lt/method-permissiongt lt/assembly
-descriptorgt
Diagram: the Student and Professor roles (clients) and the methods of the Gradebook interface: addHomework(), removeHomework(), homeworks(), getGrade(), setGrade(), getAllGrades(). The method-permission above grants the Professor role addHomework(), removeHomework(), setGrade() and getAllGrades().
7 Limitation of the J2EE Access Control Model
- Today, access control is defined in terms of operations on components, instead of the data encapsulated and used by the components
- This potential inconvenience may lead to security problems, and our work intends to solve it
8 Access Control on Methods May Create Security Problems
- Multiple methods for reading and writing the same data
Diagram: the Professor role is granted setGrade(), getAllGrades(), removeGrade(), getHomeworkGrades(), modifyGrade() and getMidtermGrades(); the Student role is granted getAllGrades(), getHomeworkGrades(), setData(), getMidtermGrades() and getFinalGrades(); all of these methods read or write the same security-sensitive fields.
9 Access Control on Data Can Enhance Security
- Access control on data can be more straightforward and convenient, and less error-prone
Diagram: the Professor role has read and write access to the security-sensitive fields; the Student role has read access only.
10 Static Analysis Can Help Validate Existing Policies
- Even when access control is specified on the basis of methods, it may still be useful to validate the security policy based on the data accessed by these methods
Diagram: the same method-level policy as on slide 8 (Professor: setGrade(), getAllGrades(), removeGrade(), getHomeworkGrades(), modifyGrade(), getMidtermGrades(); Student: getAllGrades(), getHomeworkGrades(), setData(), getMidtermGrades(), getFinalGrades()), with each method traced to the security-sensitive fields it accesses.
11 Steps of Our Analysis
Diagram: Bytecode to be Analyzed -> (input) Points-to Analyzer -> (output) Points-to Graph -> (input) Static Analyzer -> (output) EJB Fields (Written/Read); the EJB fields and the J2EE Access Policy are the inputs of the J2EE Security Analyzer, whose output, Inconsistencies / Security Problems, goes to the Deployer / Analyst.
12 APE Graph
- Our analysis requires computation of which EJB fields may be read and/or modified by an EJB method
- It uses a points-to graph for computing this information
- The specific graph used is the Annotated Points-to Escape (APE) graph of Souter and Pollock
  - A. L. Souter and L. L. Pollock. The construction of contextual def-use associations for object-oriented systems. IEEE Trans. Softw. Eng., 29(11):1005-1018, 2003
- For our approach to be useful, we also have to analyze fields of primitive types
13 Example of an APE Graph

    public class StoreBean implements javax.ejb.EntityBean {
        private Map studentsToHomeworksToGrades;
        // ...
        public Map getAllGrades(Student s) {
            Map result = (Map) this.studentsToHomeworksToGrades.get(s);
            if (result == null) {
                throw new NoSuchStudentException(s);
            }
            return result;
        }
        // ...
    }

Diagram: APE graph for method getAllGrades(), with the entry node for this (object o3), a load edge labelled studentsToHomeworksToGrades to the map object, a second load edge for the get(s) lookup, the parameter s and the local result, and abstract objects o1, o2, o4, o5.
14 Read/Write for EJB Fields
An EJB field f is read (written) by a method m if the value of f is accessed (modified) by the thread executing m while m is on the call stack.
Diagram: m calls m1, which calls m2, which writes/reads field f; the access is attributed to m because m is still on the call stack of the thread executing it.
15 Field Sequences
- It is important to analyze the reads/writes of fields of objects that are referenced by EJB fields, besides the EJB fields themselves
- A field sequence f0, f1, ..., fk is a series of field dereferences, where f0 is an EJB field and, for all i in 1, ..., k, fi is a field in one of the possible classes of the object referenced by f(i-1)
- Essentially, f0, f1, ..., fk represents objects that can potentially be reached from an EJB object via a number of field dereferences

    public class Semester implements EntityBean {
        Course calculus;
        // ...
    }

    public class Course {
        Student assistant;
        // ...
    }

    public class Student {
        String name;
        int ssn;
        // ...
    }

Diagram: the field sequence calculus, assistant, name leads from the Semester object o1 through the Course object o2 and the Student object o3 to the String object o4.
16 Determining Whether a Field Sequence May Be Written by a Method
- A field sequence f0, f1, ..., fk is written by a method m if there exists a prefix f0, ..., fj (j <= k) of this sequence in the APE graph for m, and the edge for fj is labeled store
Diagram (scenario): the EJB field f0 leaves the EJB object o0; edges f1, f2 (load) and f3 lead through objects o1, o2, o3 and o4; t points to the object holding f2 and u to o5; the statement t.f2 = u adds a store edge labelled f2 to o5, from which f3 leads to o6. The graph is shown before the statement t.f2 = u.
Field sequences written: f0,f1,f2 and f0,f1,f2,f3. Field sequences partially written: f0 and f0,f1.
17 Determining Whether a Field Sequence May Be Read by a Method
- f0, f1, ..., fk is read by a method m if this sequence is present in the APE graph and the edge for fk is labeled load
Diagram: the EJB field f0 leaves the EJB object o0; edges f1, f2, f3 and f4 lead through objects o1, o2, o3, o4 and o5; t points to the object holding f3 and the statement u = t.f3 labels the f3 edge load. The graph is shown after the statement u = t.f3.
Field sequences read: f0,f1,f2,f3. Field sequences partially read: f0; f0,f1; f0,f1,f2.
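The two rules of slides 16 and 17 are easy to get wrong at the boundaries (a sequence that extends a stored prefix counts as written; a sequence whose edges exist but carry no load counts only as partially read). The following Python is an added example, not code from the deck or from the authors' tool: it models an APE graph as an edge list annotated with load/store, implements both rules over it, and reproduces the two slide scenarios. The unannotated points-to edge kind REF, the depth bound, and the exact node layout of the two scenarios are assumptions of this example.

```python
"""Read/write classification of EJB field sequences over a simplified APE graph."""
from collections import defaultdict

# LOAD and STORE are the edge annotations used in the deck; REF (a points-to
# edge with no access annotation) is an assumption of this example.
LOAD, STORE, REF = "load", "store", "ref"


class ApeGraph:
    """One method's APE graph: nodes are abstract objects, edges are field
    dereferences annotated with how the method accesses that field."""

    def __init__(self, ejb_node):
        self.root = ejb_node                 # node for `this`, the EJB object
        self.edges = defaultdict(list)       # node -> [(field, annotation, target)]

    def add(self, src, field, annotation, dst):
        self.edges[src].append((field, annotation, dst))

    def paths(self, seq):
        """All paths from the EJB node whose edge labels spell seq, as
        (end node, [(field, annotation), ...]). Several paths may match
        because points-to analysis is conservative."""
        frontier = [(self.root, [])]
        for f in seq:
            frontier = [(dst, path + [(f, ann)])
                        for node, path in frontier
                        for field, ann, dst in self.edges[node] if field == f]
        return frontier

    def reaches(self, node, annotation, depth):
        """True if an edge carrying `annotation` is reachable from node within
        `depth` further dereferences (the bound keeps the search finite)."""
        if depth == 0:
            return False
        return any(ann == annotation or self.reaches(dst, annotation, depth - 1)
                   for _, ann, dst in self.edges[node])


def is_written(g, seq):
    """Slide 16: some prefix f0..fj of seq is in the graph and the edge for fj is a store."""
    return any(path[-1][1] == STORE
               for j in range(1, len(seq) + 1)
               for _, path in g.paths(seq[:j]))


def is_read(g, seq):
    """Slide 17: the whole sequence is in the graph and the edge for fk is a load."""
    return any(path[-1][1] == LOAD for _, path in g.paths(seq))


def access_modes(g, seq, max_depth=4):
    """Modes in which the method may touch the objects named by seq. 'partially'
    means seq itself is neither stored nor loaded, but a longer sequence that
    extends it is (this reading of the slides is an assumption of the example)."""
    modes = set()
    ends = g.paths(seq)
    if is_written(g, seq):
        modes.add("written")
    elif any(g.reaches(end, STORE, max_depth) for end, _ in ends):
        modes.add("partially written")
    if is_read(g, seq):
        modes.add("read")
    elif any(g.reaches(end, LOAD, max_depth) for end, _ in ends):
        modes.add("partially read")
    return modes


def slide16_graph():
    """Constructed: the slide 16 scenario, modelling the statement t.f2 = u."""
    g = ApeGraph("o0")
    g.add("o0", "f0", REF, "o1")
    g.add("o1", "f1", REF, "o2")
    g.add("o2", "f2", LOAD, "o3")     # old value of t.f2
    g.add("o3", "f3", REF, "o4")
    g.add("o2", "f2", STORE, "o5")    # t.f2 = u, with u pointing to o5
    g.add("o5", "f3", REF, "o6")
    return g


def slide17_graph():
    """Constructed: the slide 17 scenario, after the statement u = t.f3."""
    g = ApeGraph("o0")
    g.add("o0", "f0", REF, "o1")
    g.add("o1", "f1", REF, "o2")
    g.add("o2", "f2", REF, "o3")
    g.add("o3", "f3", LOAD, "o4")     # u = t.f3, with t pointing to o3
    g.add("o4", "f4", REF, "o5")
    return g


if __name__ == "__main__":
    for name, g in (("slide 16", slide16_graph()), ("slide 17", slide17_graph())):
        for k in range(1, 6):
            seq = [f"f{i}" for i in range(k)]
            print(name, ",".join(seq), sorted(access_modes(g, seq)))
```

Running the block prints, for each prefix f0..f(k-1) of both scenarios, the modes the rules assign; f0,f1,f2,f3,f4 in the slide 17 graph gets no mode at all, because its f4 edge exists but carries no load and nothing beyond it does either.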
18 Action of the J2EE Security Analyzer
Diagram: as on slide 11, the Points-to Analyzer turns the bytecode to be analyzed into points-to (APE) graphs; the Static Analyzer derives from them the EJB field sequences read/written by each method (methods to field access modes); the J2EE Security Analyzer combines these with the roles-to-methods mapping of the J2EE access policy into a roles-to-methods-to-field-access-modes view and reports inconsistencies / security problems to the deployer or analyst. The slide annotates the example of the Student role and setGrade().
19 Computing Field Sequences Accessed By EJB Methods
Table: for each EJB method (m1, m2, m3), the field sequences it reads, partially reads, writes and partially writes; the slide's abstract examples include f0; f0,f1; f0,f3,f5; f2,f3,f4; f4,f2,f5,f7 and f2,f4,f5,f7.
20 Potential Inconsistencies Detected and Reasons
- An inconsistency may indicate that
  - Professor should have been granted access to method m3
  - Professor should not have been granted access to method m1
  - m1 contains a bug: it should not have accessed field grades
  - m3 contains a bug: it should have accessed another security-sensitive field, address
Diagram: the Professor role is granted m1 but not m3, and both m1 and m3 write the same security-sensitive field.
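The check on slides 18 to 20 combines three inputs: the role-to-method mapping from the deployment descriptor (slide 6), the per-method field access modes from the static analysis (slides 14 to 17), and the analyst's set S of sensitive field sequences. The following Python is an added example, not the authors' tool: it parses a method-permission fragment with the standard library, joins it with a hand-derived table of what each Gradebook method of slide 5 reads and writes, and applies one reading of the deck's "simple check": for a role and a (sensitive sequence, mode), the methods with that access should be all granted or all denied to the role. That reading of the check, the METHOD_ACCESS table (derived by hand from the slide 5 code, not produced by the analyzer) and the XML fragment are assumptions of this example. Run against the deck's own descriptor, it flags that Professor may read studentsToHomeworksToGrades through getAllGrades() but not through getGrade().

```python
"""Join a J2EE method-permission policy with per-method field access modes and
report role/field inconsistencies (added example; interpretation of the check
is the example author's, not the deck's)."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed: the method-permission part of the deck's assembly descriptor (slide 6).
EJB_JAR_FRAGMENT = """
<assembly-descriptor>
  <security-role><role-name>Student</role-name></security-role>
  <security-role><role-name>Professor</role-name></security-role>
  <method-permission>
    <role-name>Professor</role-name>
    <method><ejb-name>Gradebook</ejb-name><method-name>addHomework</method-name></method>
    <method><ejb-name>Gradebook</ejb-name><method-name>removeHomework</method-name></method>
    <method><ejb-name>Gradebook</ejb-name><method-name>setGrade</method-name></method>
    <method><ejb-name>Gradebook</ejb-name><method-name>getAllGrades</method-name></method>
  </method-permission>
</assembly-descriptor>
"""

# Constructed by hand from the slide 5 bean (not analyzer output): method ->
# {(field sequence, mode)}. getGrade() reads homeworks directly and
# studentsToHomeworksToGrades through its call to getAllGrades().
METHOD_ACCESS = {
    "getGrade":       {(("homeworks",), "read"), (("studentsToHomeworksToGrades",), "read")},
    "getAllGrades":   {(("studentsToHomeworksToGrades",), "read")},
    "setGrade":       {(("studentsToHomeworksToGrades",), "write")},
    "addHomework":    {(("homeworks",), "write")},
    "removeHomework": {(("homeworks",), "write")},
    "homeworks":      {(("homeworks",), "read")},
}
SENSITIVE = {("studentsToHomeworksToGrades",), ("homeworks",)}   # the analyst's set S


def roles_to_methods(ejb_jar_xml, ejb_name):
    """Parse <method-permission> into role -> set of method names of one bean.
    Every declared <security-role> gets an entry, even if granted nothing."""
    root = ET.fromstring(ejb_jar_xml)
    policy = {r.findtext("role-name").strip(): set() for r in root.iter("security-role")}
    for perm in root.iter("method-permission"):
        methods = {m.findtext("method-name").strip() for m in perm.iter("method")
                   if m.findtext("ejb-name", "").strip() == ejb_name}
        for role in perm.findall("role-name"):
            policy.setdefault(role.text.strip(), set()).update(methods)
    return policy


def roles_to_fields(policy, method_access, sensitive):
    """Roles -> (sequence, mode) -> methods through which the role obtains that access."""
    view = {role: defaultdict(set) for role in policy}
    for role, methods in policy.items():
        for m in methods:
            for seq, mode in method_access.get(m, ()):
                if seq in sensitive:
                    view[role][(seq, mode)].add(m)
    return view


def find_inconsistencies(policy, method_access, sensitive):
    """For each role and each (sensitive sequence, mode), split the methods having
    that access into granted and denied. A split is reported; which of the deck's
    four explanations applies (policy too wide, policy too narrow, a bug in the
    granted method, a bug in the denied method) is left to the analyst."""
    by_access = defaultdict(set)
    for m, accesses in method_access.items():
        for seq, mode in accesses:
            if seq in sensitive:
                by_access[(seq, mode)].add(m)
    findings = []
    for role, granted_methods in policy.items():
        for (seq, mode), methods in by_access.items():
            granted = methods & granted_methods
            denied = methods - granted_methods
            if granted and denied:
                findings.append({"role": role, "sequence": seq, "mode": mode,
                                 "granted": granted, "denied": denied})
    return findings


if __name__ == "__main__":
    policy = roles_to_methods(EJB_JAR_FRAGMENT, "Gradebook")
    for role, accesses in roles_to_fields(policy, METHOD_ACCESS, SENSITIVE).items():
        for (seq, mode), methods in sorted(accesses.items()):
            print(f"{role}: {mode} {'.'.join(seq)} via {sorted(methods)}")
    for f in find_inconsistencies(policy, METHOD_ACCESS, SENSITIVE):
        print(f"INCONSISTENCY {f['role']} {f['mode']} {'.'.join(f['sequence'])}: "
              f"granted {sorted(f['granted'])}, denied {sorted(f['denied'])}")
```

A role with no grants at all (Student here, since the deck's descriptor has no method-permission for it) produces no findings, because nothing is mixed; the check only fires where the policy is already partly open on a sensitive field.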
21 Summary
- A new static analysis technique for validating the standard role-based access control policies used with Enterprise JavaBeans in J2EE applications
- It allows the analyst to mark fields in EJBs as security-sensitive
- The analysis computes the read/write access to such fields for all methods in the EJB interfaces that can be called by untrusted clients
- These accesses are then integrated with role information to obtain which fields can be accessed by which roles through which methods
- Finally, a simple check is performed to identify potential security inconsistencies
22 Current Access Control in J2EE
23 Future Work
- Implement our technique as a tool with a GUI that presents problems to the analysts
- Implement a J2EE deployment tool that allows a deployer to specify role-based access control policies in terms of fields, not only methods
  - The tool will convert specifications based on fields to specifications based on methods using a dependency analysis similar to the one described
- Experiment with a variety of Web applications to evaluate the tool's usefulness
24 Related Work
- D. Ferraiolo and R. Kuhn. Role-based access controls. In 15th NIST-NCSC National Computer Security Conference, pages 554-563, 1992.
- L. Koved, M. Pistoia, and A. Kershenbaum. Access rights analysis for Java. In Proceedings of the 17th ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, pages 359-372. ACM Press, 2002.
- G. Naumovich. A conservative algorithm for computing the flow of permissions in Java programs. In Proceedings of the International Symposium on Software Testing and Analysis, pages 33-43, July 2003.
25 Related Work (continued)
- A. L. Souter and L. L. Pollock. The construction of contextual def-use associations for object-oriented systems. IEEE Trans. Softw. Eng., 29(11):1005-1018, 2003.
- M. Pistoia, N. Nagaratnam, L. Koved, and A. Nadalin. Enterprise Java Security: Building Secure J2EE Applications. Addison-Wesley, Reading, MA, 2004.
26 For More Information
- e-mail to
  - gleb_at_poly.edu paolina_at_photon.poly.edu
- Thank you for your presence and participation!
27 The Complexity of the EJB Security Analysis
- The worst-case running time is exponential in the length of the field sequences used to identify sensitive data
- We expect that the length of the field sequences will be bounded by a small constant
28 The Complexity of the EJB Security Analysis (continued)
- The worst-case complexity depends on
  - The size of the APE graphs for the methods in EJB interfaces
  - The number of EJB methods
  - The length of the sensitive field sequences in the set S
- The worst-case complexity of the EJB security analysis is expressed in terms of F, the number of fields in all classes in the CUA, N, the number of all nodes in the largest APE graph, and Q, the size of the longest sequence in S.
29 Application of This Work to Web Services Technology
- A Web service is a program that exposes some interfaces, each of which describes a collection of network-accessible methods based on open Internet standards
- Since Web services execute in the untrusted environment of the Internet, the security of such applications is an extremely important issue
- Since Web services are often implemented as EJBs, this work applies in particular to role-based access control for J2EE-based Web services