Static Analysis of Role-Based Access Control in J2EE Applications
TAV–WEB 2004
Gleb Naumovich and Paolina Centonze
Department of Computer and Information Science, Polytechnic University
[email protected] & [email protected]
2
Introduction
• A new technique for the security analysis of J2EE applications
• It identifies situations in which too much or too little access is granted to security-sensitive resources
• It uses static analysis of J2EE programs together with their access control policies, with respect to security-sensitive EJB fields
3
Architecture of J2EE Applications

Figure: the tiers of a J2EE application and the protocols between them.
  Client tier -> (HTTP/HTTPS) -> Web tier: HTTP Server -> (proprietary protocol) -> Servlet Container running Servlets/JSPs
  Web tier -> (RMI-IIOP) -> Business tier: EJB Container running enterprise beans (beans call each other over RMI-IIOP or locally)
  Web tier and Business tier -> (JDBC) -> Information System tier: Database
4
Role-Based Access Control in J2EE
• In J2EE, the protected resources are EJB methods, servlets, JSPs, and URLs
• Developers and deployers must determine:
  – Which roles make sense for an application
  – Which EJB methods and Web resources each role should be allowed to call

Figure: roles r1, r2, r3 on the left, each mapped to the subset of protected resources it may access.
5
EJB Interface and Implementation

Remote interface:

import java.rmi.RemoteException;
import java.util.Map;
import java.util.Set;

public interface Gradebook extends javax.ejb.EJBObject {
    public Grade getGrade(Student s, Homework h) throws RemoteException;
    public Map getAllGrades(Student s) throws RemoteException;
    public void addHomework(Homework h) throws RemoteException;
    public void removeHomework(Homework h) throws RemoteException;
    public Set homeworks() throws RemoteException;
    public void setGrade(Grade g, Student s, Homework h) throws RemoteException;
}

EJB class:

public class StoreBean implements javax.ejb.EntityBean {
    private Set homeworks;
    private Map studentsToHomeworksToGrades;

    public Grade getGrade(Student s, Homework h) {
        if (!this.homeworks.contains(h))
            throw new NoSuchHomeworkException(h);
        log();
        // Local call on `this`: it does not pass through the container, so the
        // method-permission configured for getAllGrades() is not checked here.
        return (Grade) ((Map) this.getAllGrades(s)).get(h);
    }

    public Map getAllGrades(Student s) {
        Map result = (Map) this.studentsToHomeworksToGrades.get(s);
        if (result == null)
            throw new NoSuchStudentException(s);
        return result;
    }

    public void log() {
        // ...
    }

    // Other remote methods implemented here
}

Figure: a client calls getGrade() and getAllGrades() through the remote interface; inside the EJB class, getGrade() calls log() and getAllGrades() directly.
6
J2EE Access Policy

Figure: the roles Student and Professor on the left, the Gradebook interface methods addHomework(), removeHomework(), homeworks(), getGrade(), setGrade() and getAllGrades() on the right; arrows show which methods each role may call from a client. The Gradebook remote interface is the one shown on the previous slide.

Deployment descriptor (ejb-jar.xml) fragment:

<assembly-descriptor>
  <security-role>
    <description>Students</description>
    <role-name>Student</role-name>
  </security-role>
  <security-role>
    <description>Teachers</description>
    <role-name>Professor</role-name>
  </security-role>
  <method-permission>
    <role-name>Professor</role-name>
    <method>
      <ejb-name>Gradebook</ejb-name>
      <method-name>addHomework</method-name>
    </method>
    <method>
      <ejb-name>Gradebook</ejb-name>
      <method-name>removeHomework</method-name>
    </method>
    <method>
      <ejb-name>Gradebook</ejb-name>
      <method-name>setGrade</method-name>
    </method>
    <method>
      <ejb-name>Gradebook</ejb-name>
      <method-name>getAllGrades</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
7
Limitation of the J2EE Access Control Model

• Today, access control is defined in terms of operations on components (methods), not in terms of the data the components encapsulate and use
• This mismatch can lead to security problems; our work aims to detect them
8
Access Control on Methods May Create Security Problems

• Multiple methods may read and write the same data, so a role's effective access to a field is the union of what every method granted to it does with that field

Figure: the security-sensitive field grades is accessed by setGrade(), removeGrade(), modifyGrade(), setData(), getAllGrades(), getHomeworkGrades(), getMidtermGrades() and getFinalGrades(); Student and Professor are each granted some of these methods.
9
Access Control on Data Can Enhance Security

• Access control on data can be more straightforward and convenient, and less error-prone

Figure: the security-sensitive field grades; Professor has read and write access, Student has read access.
10
Static Analysis Can Help Validate Existing Policies

• Even when access control is specified on the basis of methods, it is still useful to validate the security policy against the data accessed by those methods

Figure: the methods of slide 8 (setGrade(), removeGrade(), modifyGrade(), setData(), getAllGrades(), getHomeworkGrades(), getMidtermGrades(), getFinalGrades()) between the roles Student and Professor and the security-sensitive field grades.
11
Steps of Our Analysis

Figure: data flow of the analysis.
  Bytecode to be analyzed -> Points-to Analyzer -> Points-to Graph
  Points-to Graph -> Static Analyzer -> EJB fields (written/read) per method
  EJB fields (written/read) + J2EE Access Policy -> J2EE Security Analyzer -> Inconsistencies / security problems
  The deployer or analyst supplies the bytecode and the access policy and receives the reported inconsistencies.
12
APE Graph

• Our analysis requires computing which EJB fields may be read and/or modified by an EJB method
• It uses a points-to graph to compute this information
• The specific graph used is the Annotated Points-to Escape (APE) graph of Souter and Pollock:
  A. L. Souter and L. L. Pollock. The construction of contextual def-use associations for object-oriented systems. IEEE Trans. Softw. Eng., 29(11):1005–1018, 2003
• For our approach to be useful, we also have to analyze fields of primitive types (a points-to graph by itself only tracks references)
13
Example of an APE Graph

public class StoreBean implements javax.ejb.EntityBean {
    private Map studentsToHomeworksToGrades;
    // ...
    public Map getAllGrades(Student s) {
        Map result = (Map) this.studentsToHomeworksToGrades.get(s);
        if (result == null)
            throw new NoSuchStudentException(s);
        return result;
    }
    // ...
}

Figure: APE graph for getAllGrades(). Node o1 is `this`; an edge labeled studentsToHomeworksToGrades (load) leads from o1 to the map o2. The parameter s and the value held by result are further nodes (o3, o4, o5) connected by edges labeled entry and load.
14
Read/Write for EJB Fields

Figure: the thread executing m calls m1, which calls m2; m2 writes or reads field f while m is still on the call stack.

An EJB field f is read (written) by a method m if the value of f is accessed (modified) by the thread executing m while m is on the call stack. Accesses performed in callees such as m1 and m2 therefore count for m.
15
Field Sequences

public class Semester implements EntityBean {
    Course calculus;
    // ...
}
public class Course {
    Student assistant;
    // ...
}
public class Student {
    String name;
    int ssn;
    // ...
}

Figure: the field sequence calculus, assistant, name leads from the EJB object o1 through o2 (the Course) and o3 (the Student) to o4 (the name String).

• It is important to analyze reads and writes of the fields of objects referenced by EJB fields, not only the EJB fields themselves
• A field sequence f0, f1, …, fk is a series of field dereferences, where f0 is an EJB field and, for i = 1, …, k, fi is a field of one of the possible classes of the object referenced by fi–1
• Essentially, f0, f1, …, fk represents the objects that can be reached from an EJB object via a number of field dereferences
16
Determining Whether a Field Sequence May Be Written by a Method

• A field sequence f0, f1, …, fk is written by a method m if some prefix f0, …, fj (j ≤ k) of this sequence is present in the APE graph for m and the edge for fj is labeled store

Figure: scenario for the statement t.f2 = u. Before the statement the APE graph contains the path o0 -f0-> o1 -f1-> o2 -f2-> o3 -f3-> o4, where f0 is an EJB field of o0 and t points to o2; u points to o5, which has an edge f3 to o6. The store adds the edge o2 -f2-> o5 labeled store.
  Field sequences written: f0,f1,f2 and f0,f1,f2,f3
  Field sequences partially written: f0 and f0,f1
17
Determining Whether a Field Sequence May Be Read by a Method

• f0, f1, …, fk is read by a method m if this sequence is present in the APE graph for m and the edge for fk is labeled load

Figure: APE graph after the statement u = t.f3. The path is o0 -f0-> o1 -f1-> o2 -f2-> o3 -f3-> o4 -f4-> o5, where f0 is an EJB field of o0, t points to o3 and u points to o4; the edge f3 is labeled load.
  Field sequences read: f0,f1,f2,f3
  Field sequences partially read: f0; f0,f1; f0,f1,f2
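The two definitions above (slides 16 and 17) can be run mechanically over a small points-to graph. The following is an added example, not code from the paper or its analyzer: it enumerates the field sequences reachable from the EJB object, then classifies each one as written, partially written, read or partially read. The two graphs are constructed to mirror the figures of slides 16 and 17; labelling the navigation edges with None (only the edge produced by the analyzed statement carries load or store) is an assumption made here, as is the reading of "partially" as "an object reached through this sequence is accessed further down".

```python
"""Classify field sequences of an EJB object as read / written from an APE-style points-to graph.

Added example for slides 16 and 17; the graphs below are constructed to mirror their
figures, and labelling the plain navigation edges with None is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

FieldSeq = Tuple[str, ...]
Labels = Tuple[Optional[str], ...]


@dataclass(frozen=True)
class Edge:
    src: str
    field: str
    dst: str
    label: Optional[str] = None   # "load", "store", or None for a structural edge


def enumerate_sequences(edges: List[Edge], root: str, max_depth: int = 8) -> Dict[FieldSeq, List[Labels]]:
    """Every field sequence reachable from `root` (the EJB object), with the edge labels of each
    node path spelling it. One sequence may be spelled by several paths (o2 -f2-> o3 and
    o2 -f2-> o5 below), so every label tuple is kept."""
    by_src: Dict[str, List[Edge]] = defaultdict(list)
    for e in edges:
        by_src[e.src].append(e)
    found: Dict[FieldSeq, List[Labels]] = defaultdict(list)

    def walk(node: str, on_path: FrozenSet[str], seq: FieldSeq, labels: Labels) -> None:
        if len(seq) >= max_depth:
            return
        for e in by_src[node]:
            if e.dst in on_path:          # cyclic structure: cut here, or the sequence set is infinite
                continue
            nseq, nlab = seq + (e.field,), labels + (e.label,)
            found[nseq].append(nlab)
            walk(e.dst, on_path | {e.dst}, nseq, nlab)

    walk(root, frozenset({root}), (), ())
    return found


def classify(edges: List[Edge], root: str) -> Dict[str, Set[FieldSeq]]:
    seqs = enumerate_sequences(edges, root)
    # Written: some prefix f0..fj of the sequence ends in an edge labelled store (slide 16).
    written = {s for s, paths in seqs.items() if any("store" in p for p in paths)}
    # Read: the sequence itself is present and its last edge fk is labelled load (slide 17).
    read = {s for s, paths in seqs.items() if any(p[-1] == "load" for p in paths)}

    def extends(longer: FieldSeq, shorter: FieldSeq) -> bool:
        return len(longer) > len(shorter) and longer[:len(shorter)] == shorter

    # Partially written/read: the sequence itself is not, but an object reached through it is.
    partially_written = {s for s in seqs if s not in written and any(extends(w, s) for w in written)}
    partially_read = {s for s in seqs if s not in read and any(extends(r, s) for r in read)}
    return {"written": written, "partially_written": partially_written,
            "read": read, "partially_read": partially_read}


# Slide 16: graph after `t.f2 = u`, with t -> o2 and u -> o5 (constructed).
STORE_GRAPH = [
    Edge("o0", "f0", "o1"), Edge("o1", "f1", "o2"), Edge("o2", "f2", "o3"), Edge("o3", "f3", "o4"),
    Edge("o2", "f2", "o5", "store"), Edge("o5", "f3", "o6"),
]
# Slide 17: graph after `u = t.f3`, with t -> o3 and u -> o4 (constructed).
LOAD_GRAPH = [
    Edge("o0", "f0", "o1"), Edge("o1", "f1", "o2"), Edge("o2", "f2", "o3"),
    Edge("o3", "f3", "o4", "load"), Edge("o4", "f4", "o5"),
]


def show(seq: FieldSeq) -> str:
    return ",".join(seq)


if __name__ == "__main__":
    for name, graph in (("t.f2 = u", STORE_GRAPH), ("u = t.f3", LOAD_GRAPH)):
        print(f"== {name}")
        for kind, seqs in classify(graph, "o0").items():
            print(f"{kind:18s} {'; '.join(sorted(show(s) for s in seqs)) or '-'}")
```

Note the asymmetry the definitions produce: a store marks every longer sequence through the stored edge as written (f0,f1,f2,f3 via o5 -f3-> o6), whereas a load marks only the exact sequence ending at the loaded edge as read; f0,f1,f2,f3,f4 in the second graph is neither read nor partially read, because the object o5 is never touched.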
18
Action of the J2EE Security Analyzer

Figure: the analysis pipeline again (bytecode -> Points-to Analyzer -> points-to graph -> Static Analyzer -> EJB field sequences read/written -> J2EE Security Analyzer, which also takes the J2EE access policy as input and outputs inconsistencies / security problems), with the analyzer's internal step expanded:
  Roles -> Methods                            (from the access policy)
  Methods -> Fields & access modes            (from the static analysis)
  Roles -> Methods -> Fields & access modes   (the join of the two)
Example of a derived entry: Student -> setGrade() -> grades (write)
19
Computing Field Sequences Accessed By EJB Methods

Figure: a table with one row per EJB method (m1, m2, m3) and the columns read, partially read, written and partially written; each cell lists field sequences, for example read: f0,f1 and f0,f3,f5; partially read: f2,f3,f4; written: f2,f3,f4; partially written: f4,f2,f5,f7 and f0. Each row is the static analyzer's output for that method.
20
Potential Inconsistencies Detected And Reasons

• An inconsistency may indicate that:
  1. Professor should have been granted access to method m3
  2. Professor should not have been granted access to method m1
  3. m1 contains a bug: it should not have accessed field grades
  4. m3 contains a bug: it should have accessed another security-sensitive field, address

Figure: Professor is granted m1 but not m3; both m1 and m3 write the security-sensitive fields grades, ssn and salary; address is a further security-sensitive field.
22
Current Access Control in J2EE

METHODS          ROLES
setGrade()       Professor, Student
getAllGrades()   Professor, Student
setData()        Professor, Student
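The join described on slides 18 to 20 (roles -> methods from the deployment descriptor, methods -> fields from the analysis, compared against the data-level policy of slide 9) can be written out directly. The following is an added example, not the authors' analyzer: it parses an assembly-descriptor with Python's xml.etree, computes each method's field accesses including those of the bean methods it calls on `this` (the call-stack definition of slide 14), and reports both directions of inconsistency. The Professor permission is transcribed from slide 6; the Student permission, the method setData(), the per-method field accesses, the call graph and the intended data-level policy are all constructed assumptions, chosen so that one "too much" and one "too little" finding appear.

```python
"""Join a J2EE method-permission policy with per-method field accesses into role-to-field access modes.

Added example for slides 14, 18, 20 and 22. The Professor permission mirrors slide 6's
assembly-descriptor; the Student permission, setData(), the field accesses, the call graph
and DATA_POLICY are constructed assumptions.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Set, Tuple

EJB_JAR_XML = """
<ejb-jar>
  <assembly-descriptor>
    <security-role><role-name>Student</role-name></security-role>
    <security-role><role-name>Professor</role-name></security-role>
    <method-permission>
      <role-name>Professor</role-name>
      <method><ejb-name>Gradebook</ejb-name><method-name>addHomework</method-name></method>
      <method><ejb-name>Gradebook</ejb-name><method-name>removeHomework</method-name></method>
      <method><ejb-name>Gradebook</ejb-name><method-name>setGrade</method-name></method>
      <method><ejb-name>Gradebook</ejb-name><method-name>getAllGrades</method-name></method>
    </method-permission>
    <!-- Assumed Student permission; granting setData() is the deliberate policy mistake. -->
    <method-permission>
      <role-name>Student</role-name>
      <method><ejb-name>Gradebook</ejb-name><method-name>getGrade</method-name></method>
      <method><ejb-name>Gradebook</ejb-name><method-name>homeworks</method-name></method>
      <method><ejb-name>Gradebook</ejb-name><method-name>setData</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""

# Direct (field, mode) accesses of each bean method, read off the StoreBean code; setData() assumed.
DIRECT_ACCESS: Dict[str, Set[Tuple[str, str]]] = {
    "getGrade": {("homeworks", "read")},        # this.homeworks.contains(h)
    "getAllGrades": {("grades", "read")},       # this.studentsToHomeworksToGrades.get(s)
    "setGrade": {("grades", "write")},
    "addHomework": {("homeworks", "write")},
    "removeHomework": {("homeworks", "write")},
    "homeworks": {("homeworks", "read")},
    "setData": {("grades", "write")},
    "log": set(),
}
# Intra-bean calls on `this`; the container does not re-check permissions for them.
CALLS: Dict[str, Set[str]] = {"getGrade": {"getAllGrades", "log"}}

# Intended data-level policy in the style of slide 9: (role, field) -> allowed modes.
DATA_POLICY: Dict[Tuple[str, str], Set[str]] = {
    ("Professor", "grades"): {"read", "write"},
    ("Professor", "homeworks"): {"read", "write"},
    ("Student", "grades"): {"read"},
    ("Student", "homeworks"): {"read"},
}


def roles_to_methods(xml_text: str) -> Dict[str, Set[str]]:
    """Roles -> methods, collected from every <method-permission> of the descriptor."""
    root = ET.fromstring(xml_text)
    out: Dict[str, Set[str]] = defaultdict(set)
    for perm in root.iter("method-permission"):
        roles = [r.text.strip() for r in perm.findall("role-name")]
        methods = [m.findtext("method-name").strip() for m in perm.findall("method")]
        for role in roles:
            out[role].update(methods)
    return dict(out)


def methods_to_fields(direct: Dict[str, Set[Tuple[str, str]]],
                      calls: Dict[str, Set[str]]) -> Dict[str, Set[Tuple[str, str]]]:
    """Methods -> (field, mode), counting accesses made while the method is on the call stack."""
    result: Dict[str, Set[Tuple[str, str]]] = {}
    for m in direct:
        seen: Set[str] = set()
        stack, acc = [m], set()
        while stack:
            cur = stack.pop()
            if cur in seen:
                continue
            seen.add(cur)
            acc |= direct.get(cur, set())
            stack.extend(calls.get(cur, ()))
        result[m] = acc
    return result


def roles_to_fields(r2m: Dict[str, Set[str]],
                    m2f: Dict[str, Set[Tuple[str, str]]]) -> Dict[str, Set[Tuple[str, str, str]]]:
    """Roles -> (field, mode, method that grants it): the join of the two maps."""
    out: Dict[str, Set[Tuple[str, str, str]]] = defaultdict(set)
    for role, methods in r2m.items():
        for m in methods:
            for field, mode in m2f.get(m, set()):
                out[role].add((field, mode, m))
    return dict(out)


def find_inconsistencies(r2f, data_policy) -> Tuple[List[tuple], List[tuple]]:
    """Too much: a granted method gives a role an access the data policy forbids.
    Too little: the data policy allows an access that no granted method provides."""
    too_much = sorted((role, field, mode, m) for role, accs in r2f.items()
                      for field, mode, m in accs if mode not in data_policy.get((role, field), set()))
    provided = {(role, field, mode) for role, accs in r2f.items() for field, mode, _ in accs}
    too_little = sorted((role, field, mode) for (role, field), modes in data_policy.items()
                        for mode in modes if (role, field, mode) not in provided)
    return too_much, too_little


def analyze(xml_text: str = EJB_JAR_XML) -> Tuple[List[tuple], List[tuple]]:
    r2f = roles_to_fields(roles_to_methods(xml_text), methods_to_fields(DIRECT_ACCESS, CALLS))
    return find_inconsistencies(r2f, DATA_POLICY)


if __name__ == "__main__":
    too_much, too_little = analyze()
    for role, field, mode, m in too_much:
        print(f"too much access: {role} gets {mode} on {field} via {m}()")
    for role, field, mode in too_little:
        print(f"too little access: {role} has no granted method giving {mode} on {field}")
```

The two findings correspond to the reasons on slide 20: Student obtaining write on grades through setData() says either the grant or the method body is wrong (reasons 2 and 3), and Professor having no method that reads homeworks although the data policy allows it says a grant is missing (reason 1). Student's read on grades appears only because getGrade() calls getAllGrades() on `this`; a join that ignored the call graph would report it as a second "too little" finding.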
23
Future Work

• Implement our technique as a tool with a GUI that presents problems to the analyst
• Implement a J2EE deployment tool that allows a deployer to specify role-based access control policies in terms of fields, not only methods
• The tool will convert specifications based on fields into specifications based on methods, using a dependency analysis similar to the one described
• Experiment with a variety of Web applications to evaluate the tool's usefulness

Figure: a field-based specification

FIELDS   READ                 WRITE
grades   Professor, Student   Professor, Student
ssn      Professor, Student   Professor, Student

converted by the tool into the method-based specification

METHODS          ROLES
setGrade()       Professor, Student
getAllGrades()   Professor, Student
setData()        Professor, Student
26
For More Information

• e-mail to: [email protected] & [email protected]

Thank you for your presence and participation!