Static Analysis of RoleBased Access Control in J2EE Applications - PowerPoint PPT Presentation

1
Static Analysis of Role-Based Access Control in
J2EE Applications
  • TAVWEB 2004
  • Gleb Naumovich and Paolina Centonze
  • Department of Computer and Information Science
  • Polytechnic University
  • gleb_at_poly.edu pcento02_at_utopia.poly.edu

2
Introduction
  • New technique for security analysis of J2EE
    applications
  • It identifies situations in which too much or too
    little access is given to security sensitive
    resources
  • It uses static analysis to analyze J2EE programs
    and access control policies with respect to
    security-sensitive EJB fields

3
Architecture of J2EE Applications
[Figure: tiers of a J2EE application. Client tier (HTTP/HTTPS,
RMI-IIOP, proprietary protocol) -> Web tier (HTTP server, servlet
container running Servlets/JSPs) -> Business tier over RMI-IIOP/local
(EJB container running enterprise beans) -> Information System tier
over JDBC (database).]
4
Role-Based Access Control in J2EE
  • In J2EE, resources are EJB methods, servlets,
    JSPs, and URLs
  • Developers and deployers must determine
    • Which roles make sense for an application
    • Which EJB methods and Web resources each role
      should be allowed to call

[Figure: roles r1, r2, r3 mapped to protected resources.]
5
EJB Interface and Implementation

Remote Interface:

  public interface Gradebook extends javax.ejb.EJBObject {
      public Grade getGrade(Student s, Homework h) throws RemoteException;
      public Map getAllGrades(Student s) throws RemoteException;
      public void addHomework(Homework h) throws RemoteException;
      public void removeHomework(Homework h) throws RemoteException;
      public Set homeworks() throws RemoteException;
      public void setGrade(Grade g, Student s, Homework h) throws RemoteException;
  }

EJB Class:

  public class StoreBean implements javax.ejb.EntityBean {
      private Set homeworks;
      private Map studentsToHomeworksToGrades;

      public Grade getGrade(Student s, Homework h) {
          if (!this.homeworks.contains(h))
              throw new NoSuchHomeworkException(h);
          log();
          return (Grade) ((Map) this.getAllGrades(s)).get(h);
      }

      public Map getAllGrades(Student s) {
          Map result = (Map) this.studentsToHomeworksToGrades.get(s);
          if (result == null)
              throw new NoSuchStudentException(s);
          return result;
      }

      public void log() {
          // ...
      }

      // Other remote methods implemented here
  }

[Figure: the client calls getGrade() and getAllGrades() through the
remote interface; inside the EJB class, getGrade() calls
getAllGrades() and log().]
6
J2EE Access Policy

  <assembly-descriptor>
    <security-role>
      <description>Students</description>
      <role-name>Student</role-name>
    </security-role>
    <security-role>
      <description>Teachers</description>
      <role-name>Professor</role-name>
    </security-role>
    <method-permission>
      <role-name>Professor</role-name>
      <method>
        <ejb-name>Gradebook</ejb-name>
        <method-name>addHomework</method-name>
      </method>
      <method>
        <ejb-name>Gradebook</ejb-name>
        <method-name>removeHomework</method-name>
      </method>
      <method>
        <ejb-name>Gradebook</ejb-name>
        <method-name>setGrade</method-name>
      </method>
      <method>
        <ejb-name>Gradebook</ejb-name>
        <method-name>getAllGrades</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>

[Figure: the Gradebook remote interface of slide 5, with methods
addHomework(), removeHomework(), homeworks(), getGrade(), setGrade()
and getAllGrades(); the roles Student and Professor act as clients
of the interface.]
7
Limitation of the J2EE Access Control Model
  • Today, access control is defined in terms of
    operations on components, not in terms of the data
    encapsulated and used by those components
  • This mismatch may lead to security problems, and
    our work intends to address it

8
Access Control on Methods May Create Security
Problems
  • Multiple methods for reading and writing the same
    data

[Figure: the security-sensitive field grades reached through many
methods. Professor: setGrade(), getAllGrades(), removeGrade(),
getHomeworkGrades(), modifyGrade(), getMidtermGrades(). Student:
getAllGrades(), getHomeworkGrades(), setData(), getMidtermGrades(),
getFinalGrades().]
9
Access Control on Data Can Enhance Security
  • Access control on data can be more
    straightforward and convenient, and less error
    prone

[Figure: the same security-sensitive field grades, with Professor
granted read and write and Student granted read.]
10
Static Analysis Can Help Validate Existing
Policies
  • Even when access control is specified on the
    basis of methods, it may still be useful to
    validate the security policy based on the data
    accessed by these methods

[Figure: as on slide 8, the methods through which Professor and
Student access the security-sensitive field grades.]
11
Steps of Our Analysis
[Figure: data flow of the analysis. Bytecode to be analyzed ->
Points-to Analyzer -> Points-to Graph -> Static Analyzer -> EJB
Fields (Written/Read). The EJB fields and the J2EE Access Policy are
the inputs of the J2EE Security Analyzer, whose output
(inconsistencies / security problems) goes to the deployer or
analyst.]
12
APE Graph
  • Our analysis requires computation of which EJB
    fields may be read and/or modified by an EJB
    method
  • It uses a points-to graph for computing this
    information
  • The specific graph used is the Annotated
    Points-to Escape (APE) graph of Souter and Pollock
  • A. L. Souter and L. L. Pollock. The construction
    of contextual def-use associations for
    object-oriented systems. IEEE Trans. Softw. Eng.,
    29(11):1005-1018, 2003
  • For our approach to be useful, we also have to
    analyze fields of primitive types

13
Example of an APE Graph

  public class StoreBean implements javax.ejb.EntityBean {
      private Map studentsToHomeworksToGrades;
      // ...
      public Map getAllGrades(Student s) {
          TreeMap result = (TreeMap) this.studentsToHomeworksToGrades.get(s);
          if (result == null)
              throw new NoSuchStudentException(s);
          return result;
      }
      // ...
  }

[Figure: APE graph for method getAllGrades(), with nodes o1 to o5,
the parameters this and s, the local result, an entry node, and load
edges, one of them for the field studentsToHomeworksToGrades.]
14
Read/Write for EJB Fields
An EJB field f is read/written by a method m if
the value of f is accessed/modified by the
thread executing m while m is on the call stack
[Figure: a thread executing m, with m1 and m2 also on the call
stack, writes/reads field f.]
15
Field Sequences
  • It is important to analyze the reads/writes of
    fields of objects that are referenced by EJB
    fields, besides the EJB fields themselves
  • A field sequence f0, f1, ..., fk is a series of
    field dereferences, where f0 is an EJB field, and
    for all i in 1, ..., k, fi is a field in one of the
    possible classes of the object referenced by fi-1
  • Essentially, f0, f1, ..., fk represents objects that
    can potentially be reached from an EJB object via
    a number of field dereferences

  public class Semester implements EntityBean {
      Course calculus;
      // ...
  }
  public class Course {
      Student assistant;
      // ...
  }
  public class Student {
      String name;
      int ssn;
      // ...
  }

[Figure: the field sequence calculus, assistant, name leads from the
Semester EJB object o1 through o2 and o3 to o4.]
16
Determining Whether a Field Sequence May Be
Written by a Method
  • A field sequence f0, f1, ..., fk is written by a
    method m if there exists a prefix f0, ..., fj,
    j <= k, of this sequence in the APE graph for m,
    and the edge for fj is labeled store

[Figure: APE graph before the statement t.f2 = u. Starting from the
EJB field f0, the edges for f0 and f1 (nodes o0, o1, o2) are labeled
load; the edge for f2, from the object of t to the object of u, is
labeled store; an edge for f3 follows (nodes o3 to o6).]
Field sequences written: f0,f1,f2 and f0,f1,f2,f3
Field sequences partially written: f0 and f0,f1
17
Determining Whether a Field Sequence May Be Read
by a Method
  • f0, f1, ..., fk is read by a method m if this
    sequence is present in the APE graph and the edge
    for fk is labeled load

[Figure: APE graph after the statement u = t.f3. Starting from the
EJB field f0, the edges for f0, f1, f2, f3 (nodes o0 to o4) are
labeled load, t pointing to the object of which f3 is loaded and u
to the result; f4 leads on to o5.]
Field sequences read: f0,f1,f2,f3
Field sequences partially read: f0, f0,f1 and f0,f1,f2
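The two rules of slides 16 and 17, applied to a small model of an APE graph, as an added example that is not code from the presentation. The graph, node names and the `access_modes` helper are assumptions made for this example; edges carry the load/store labels of the slides, and the two constructed graphs mirror the scenarios before `t.f2 = u` and after `u = t.f3`.

```python
from collections import defaultdict

class ApeGraph:
    """Toy APE graph: edges are (field, dst, label) with label 'load' or
    'store'; `root` is the node of the EJB object. Names are constructed."""
    def __init__(self, root):
        self.root = root
        self.edges = defaultdict(list)

    def add(self, src, field, dst, label):
        self.edges[src].append((field, dst, label))

    def label_paths(self, node, seq):
        """Yield the edge labels along every path that matches the longest
        possible prefix of `seq` starting at `node` (may-analysis: all paths)."""
        nxt = [(d, lab) for f, d, lab in self.edges[node] if seq and f == seq[0]]
        if not nxt:
            yield []
            return
        for dst, lab in nxt:
            for rest in self.label_paths(dst, seq[1:]):
                yield [lab] + rest

def access_modes(graph, sequences):
    """Slide rules: a sequence is written if some prefix f0..fj ends in a
    store edge; read if the whole sequence is present and the edge for fk
    is a load. Proper prefixes before that edge are 'partially' accessed."""
    modes = defaultdict(set)
    for seq in sequences:
        for labels in graph.label_paths(graph.root, list(seq)):
            for j, lab in enumerate(labels):
                if lab == 'store':
                    modes['written'].add(seq)
                    modes['partially written'].update(seq[:i + 1] for i in range(j))
            if labels and len(labels) == len(seq) and labels[-1] == 'load':
                modes['read'].add(seq)
                modes['partially read'].update(seq[:i + 1] for i in range(len(seq) - 1))
    return dict(modes)

# Constructed graphs: slide 16 just before `t.f2 = u` (t was reached by
# loading f0 then f1) and slide 17 after `u = t.f3` (f0..f3 all loaded).
store_graph = ApeGraph('o0')
for edge in [('o0', 'f0', 'o1', 'load'), ('o1', 'f1', 'o2', 'load'),
             ('o2', 'f2', 'o5', 'store')]:
    store_graph.add(*edge)
load_graph = ApeGraph('o0')
for edge in [('o0', 'f0', 'o1', 'load'), ('o1', 'f1', 'o2', 'load'),
             ('o2', 'f2', 'o3', 'load'), ('o3', 'f3', 'o4', 'load')]:
    load_graph.add(*edge)
```

Calling `access_modes(store_graph, [('f0','f1','f2','f3'), ('f0','f1','f2')])` reproduces the written / partially written sets of slide 16, and `access_modes(load_graph, [('f0','f1','f2','f3')])` the read / partially read sets of slide 17.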
18
Action of the J2EE Security Analyzer
[Figure: the same data flow as on slide 11. Bytecode to be analyzed
-> Points-to Analyzer -> Points-to Graph -> Static Analyzer ->
Methods to Fields Access Modes (EJB field sequences read/written).
The J2EE Access Policy supplies Roles to Methods. The J2EE Security
Analyzer joins the two into Roles to Methods to Fields Access Modes
and reports inconsistencies / security problems to the deployer or
analyst; in the example, role Student reaches the field grades
(write) through setGrade().]
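The join performed by the J2EE Security Analyzer, as an added example that is not the authors' tool: roles-to-methods are parsed from a constructed assembly-descriptor in the shape of slide 6, methods-to-field-access-modes are given as a constructed table (what the static analyzer would produce for the Gradebook bean), and the intended data-level policy of slide 9 is the reference the check compares against. The names `roles_to_methods`, `find_inconsistencies`, `METHOD_FIELD_MODES`, `DATA_POLICY` and `SENSITIVE` are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed assembly-descriptor in the shape of the slide 6 policy; the
# Student grant on setGrade is added on purpose so the check has a finding.
EJB_JAR = """<assembly-descriptor>
  <method-permission><role-name>Professor</role-name>
    <method><ejb-name>Gradebook</ejb-name><method-name>addHomework</method-name></method>
    <method><ejb-name>Gradebook</ejb-name><method-name>setGrade</method-name></method>
    <method><ejb-name>Gradebook</ejb-name><method-name>getAllGrades</method-name></method>
  </method-permission>
  <method-permission><role-name>Student</role-name>
    <method><ejb-name>Gradebook</ejb-name><method-name>getGrade</method-name></method>
    <method><ejb-name>Gradebook</ejb-name><method-name>setGrade</method-name></method>
  </method-permission>
</assembly-descriptor>"""

def roles_to_methods(xml_text):
    """Role -> set of (ejb-name, method-name) granted by <method-permission>."""
    grants = {}
    for perm in ET.fromstring(xml_text).iter('method-permission'):
        methods = {(m.findtext('ejb-name'), m.findtext('method-name'))
                   for m in perm.findall('method')}
        for role in perm.findall('role-name'):
            grants.setdefault(role.text, set()).update(methods)
    return grants

# Methods -> (field, mode): what the static analyzer of the slides would
# compute for the Gradebook bean; constructed for this example.
METHOD_FIELD_MODES = {
    ('Gradebook', 'getGrade'):     {('grades', 'read')},
    ('Gradebook', 'getAllGrades'): {('grades', 'read')},
    ('Gradebook', 'setGrade'):     {('grades', 'read'), ('grades', 'write')},
    ('Gradebook', 'addHomework'):  {('homeworks', 'write')},
}
# Intended data-level policy of slide 9 and the fields marked sensitive.
DATA_POLICY = {'Professor': {'grades': {'read', 'write'}},
               'Student': {'grades': {'read'}}}
SENSITIVE = {'grades'}

def find_inconsistencies(grants, method_modes, data_policy, sensitive):
    """Join roles->methods with methods->fields and flag each (role, method,
    field, mode) where a granted method reaches a sensitive field in a mode
    the data-level policy does not allow for that role."""
    findings = set()
    for role, methods in grants.items():
        allowed = data_policy.get(role, {})
        for ejb, name in methods:
            for field, mode in method_modes.get((ejb, name), ()):
                if field in sensitive and mode not in allowed.get(field, set()):
                    findings.add((role, name, field, mode))
    return sorted(findings)
```

`find_inconsistencies(roles_to_methods(EJB_JAR), METHOD_FIELD_MODES, DATA_POLICY, SENSITIVE)` returns the single finding of the slide, Student writing grades through setGrade(); a read through the same method is allowed and is not reported.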
19
Computing Field Sequences Accessed By EJB Methods
[Table: for each EJB method (m1, m2, m3), the field sequences it
reads, partially reads, writes and partially writes, e.g. f0,f1;
f0,f3,f5; f2,f3,f4; f4,f2,f5,f7; f2,f4,f5,f7.]
20
Potential Inconsistencies Detected And Reasons
  • An inconsistency may indicate that
    • Professor should have been granted access to
      method m3
    • Professor should not have been granted access to
      method m1
    • m1 contains a bug: it should not have accessed
      field grades
    • m3 contains a bug: it should have accessed
      another security-sensitive field, address

[Figure: role Professor, methods m1 and m3, and the
security-sensitive fields grades, ssn, salary and address; m1 and m3
write these fields.]
21
Summary
  • A new static analysis technique for validating
    the standard role-based access control policies
    used with Enterprise JavaBeans in J2EE
    applications
  • It allows the analyst to mark fields in EJBs as
    security sensitive
  • The analysis computes the read/write access to
    such fields for all methods in the EJB interfaces
    that can be called by untrusted clients
  • These accesses are then integrated with role
    information to obtain which fields can be
    accessed by which roles through which methods
  • Finally, a simple check is performed to identify
    potential security inconsistencies

22
Current Access Control in J2EE
23
Future Work
  • Implement our technique as a tool with a GUI that
    presents problems to the analysts
  • Implement a J2EE deployment tool that allows a
    deployer to specify role-based access control
    policies in terms of fields, not only methods
  • The tool will convert specifications based on
    fields to specifications based on methods using a
    dependency analysis similar to the one described
  • Experiment with a variety of Web applications to
    evaluate the tool's usefulness

24
Related Work...
  • D. Ferraiolo and R. Kuhn. Role-based access
    controls. In 15th NIST-NCSC National Computer
    Security Conference, pages 554-563, 1992.
  • L. Koved, M. Pistoia, and A. Kershenbaum. Access
    rights analysis for Java. In Proceedings of the
    17th ACM SIGPLAN Conference on Object-Oriented
    Programming, Systems, Languages, and
    Applications, pages 359-372. ACM Press, 2002.
  • G. Naumovich. A conservative algorithm for
    computing the flow of permissions in Java
    programs. In Proceedings of the International
    Symposium on Software Testing and Analysis, pages
    33-43, July 2003.

25
Related Work
  • A. L. Souter and L. L. Pollock. The construction
    of contextual def-use associations for
    object-oriented systems. IEEE Trans. Softw. Eng.,
    29(11):1005-1018, 2003.
  • M. Pistoia, N. Nagaratnam, L. Koved, and A.
    Nadalin. Enterprise Java Security: Building
    Secure J2EE Applications. Addison-Wesley,
    Reading, MA, 2004.

26
For More Information
  • e-mail to
  • gleb_at_poly.edu paolina_at_photon.poly.edu
  • Thank you for your presence and participation!

27
The Complexity of the EJB Security Analysis
  • The worst-case running time is exponential in the
    length of the field sequences used to identify
    sensitive data
  • We expect that the length of the field sequences
    will be bounded by a small constant

28
The Complexity of the EJB Security Analysis
  • The worst-case complexity depends on
    • The size of the APE graphs for the methods in
      EJB interfaces
    • The number of EJB methods
    • The length of the sensitive field sequences in
      the set S
  • The worst-case complexity of the EJB security
    analysis is
  • where F is the number of
    fields in all classes in the CUA, N is the number
    of all nodes in the largest APE graph, and Q is
    the size of the longest sequence in S.

29
Application of This Work to Web Services
Technology
  • A Web service is a program that exposes some
    interfaces, each of which describes a collection
    of network-accessible methods based on open
    Internet standards
  • Since Web services execute in the untrusted
    environment of the Internet, the security of such
    applications is an extremely important issue
  • Since Web services are often implemented as EJBs,
    this work applies in particular to role-based
    access control for J2EE-based Web services