An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security
Weider D. Yu, Ellora Nayak
San Jose State University, San Jose (Silicon Valley), California, USA
Topics: Purpose; Security in Web Services; Web Service Authorization Requirements. (PowerPoint presentation)
Transcript
Purpose
To propose a framework for implementing authorization in Web Services.
To provide a generalized and reusable approach that provides the flexibility to manage fast authorization rule updates.
Current Authorization Implementation
(Diagram; only its labels survive.) Actors: Web Service User; Business Provider (e.g. IT dept of a bank); Security Architect; Independent Software Vendor.
Workflow between the actors: requests for a new web service; discuss the user's needs; decide on security features; get the requirements; security requirements passed to the developer; testing & QA; validate the application against user requirements.
Dialogue shown in the diagram:
"I need a new service to graph the growth of my stock."
"This is possible by developing a new module accessing the customer database."
"Only authorized personnel should access the service. Customer can authorize over phone to access their data."
"What is a funds growth graph? Can I switch off the access flag to prevent unauthorized access?"
Requirements of an Authorization Framework
Isolation of the authorization module from the rest of the Web Service application.
Automated authorization code generation and integration.
Simple and powerful authorization and access control language for security administrators.
Proposed Framework
The framework is composed of:
An authorization specification language (ARSL) used to specify authorization and access control policies.
A compiler used to automatically generate authorization modules in a High-Level Language (HLL) from the above policies.
Dynamic Link Library (DLL) modules compiled from the HLL code and linked with the existing Web Service.
The authorization layer is separated from the Web Service application.
Authorization and access control rules can be changed without affecting other Web Service application code.
Authorization Rule Specification Language (ARSL)
ARSL is a special high-level specification language to specify authorization rules.
Based on mathematical predicate logic: it is a knowledge representation type of language. The language syntax is suitable for stating facts and deriving additional facts.
Language Syntax
Authorization Rule:
quantifier [(function_1) op (function_2) ... op (function_N) => Access(service)]
Left-hand side terms of the rule are used to specify conditions that must be verified for the authorization to hold.
Example: "All employees who are not tellers have access to the service to open an account."
(forall x)[ NOT Role_TELLER(x) => Access(OPEN_ACT)];
where: Role_TELLER() is a macro and OPEN_ACT is a service name.
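The rule shape above is regular enough to parse with a few lines of recursive descent. The following parser is an added example written for this transcript, not the ARSL compiler described in the paper; it supports only the constructs the slides show (a forall quantifier, NOT/AND/OR with NOT binding tightest and OR loosest, parentheses, macro calls such as Role_TELLER(x), and comparisons such as Age(x) < 21 or Location(x) == "Sunnyvale"), and the tuple node shapes it produces are this example's own choice. The BANKING and SVC service names and the completed CurrentTime rule in the usage section are constructed.

```python
# Added example, not code from the paper: a tokenizer and recursive-descent parser for the
# rule shape shown on the slide, limited to the constructs the slides show (a forall
# quantifier, NOT/AND/OR, parentheses, macro calls such as Role_TELLER(x), and comparisons
# such as Age(x) < 21). The tuple node shapes are this example's own choice.
import re

TOKEN = re.compile(r'\s*(?:(?P<num>\d+)|(?P<str>"[^"]*")|(?P<ident>[A-Za-z_]\w*)'
                   r'|(?P<punct>=>|==|!=|<=|>=|<|>|[()\[\];]))')

def tokenize(text):
    """Split a rule into tokens; anything the grammar does not know is a syntax error."""
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f"unexpected input at offset {pos}: {text[pos:pos + 10]!r}")
        tokens.append(m.group(m.lastgroup))   # lastgroup names the alternative that matched
        pos = m.end()
    return tokens

class RuleParser:
    COMPARISONS = ("==", "!=", "<", ">", "<=", ">=")

    def __init__(self, text):
        self.toks, self.i, self.var = tokenize(text), 0, None

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f"expected {expected or 'a token'}, got {tok!r} at token {self.i}")
        self.i += 1
        return tok

    def rule(self):
        """(forall var) [ condition => Access(service) ];"""
        self.take("("); self.take("forall"); self.var = self.take(); self.take(")")
        self.take("[")
        condition = self.disjunction()
        self.take("=>"); self.take("Access"); self.take("("); service = self.take(); self.take(")")
        self.take("]"); self.take(";")                 # the semicolon is the rule delimiter
        if self.peek() is not None:
            raise SyntaxError(f"trailing input after rule: {self.peek()!r}")
        return {"var": self.var, "condition": condition, "service": service}

    def disjunction(self):                             # OR binds loosest
        left = self.conjunction()
        while self.peek() == "OR":
            self.take()
            left = ("or", left, self.conjunction())
        return left

    def conjunction(self):                             # AND binds tighter than OR
        left = self.negation()
        while self.peek() == "AND":
            self.take()
            left = ("and", left, self.negation())
        return left

    def negation(self):                                # NOT binds tightest
        if self.peek() == "NOT":
            self.take()
            return ("not", self.negation())
        return self.atom()

    def atom(self):
        """Parenthesised group, macro call Name(var), or comparison Name(var) op literal."""
        if self.peek() == "(":
            self.take(); inner = self.disjunction(); self.take(")")
            return inner
        name = self.take()
        self.take("("); arg = self.take(); self.take(")")
        if arg != self.var:
            raise SyntaxError(f"{name}({arg}) does not use the quantified variable {self.var}")
        call = ("fn", name)
        if self.peek() in self.COMPARISONS:
            op, literal = self.take(), self.take()
            value = int(literal) if literal.isdigit() else literal.strip('"')
            return ("cmp", op, call, value)
        return call

def parse_rule(text):
    return RuleParser(text).rule()

def is_well_formed(text):
    """True when the rule parses; a rule the compiler would reject returns False."""
    try:
        parse_rule(text)
        return True
    except SyntaxError:
        return False

if __name__ == "__main__":
    print(parse_rule('(forall x)[ NOT Role_TELLER(x) => Access(OPEN_ACT)];'))
    # Constructed completion of the slide's CurrentTime example (service name assumed):
    print(parse_rule('(forall x) [CurrentTime(x) > 900 AND CurrentTime(x) < 1700 => Access(BANKING)];'))
    print(is_well_formed('(forall x)[ Role_TELLER(x) => Access(OPEN_ACT)]'))   # missing ';' -> False
```

Rejecting a rule whose macro argument is not the quantified variable, and refusing rules without the semicolon delimiter, are the checks a security administrator wants at compile time rather than as a silently mis-generated Access function.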
Design Requirements
Provide a way to specify string, Boolean, numeric constants, and variables.
Provide a way to define individual components that combine to give rules.
Facilitate combining individual clauses (or macros) to derive authorization rules.
Provide basic logical and arithmetic operators.
Be complete enough to express any
Language Constructs
Delimiter: Semicolon is used to terminate rules.
Example: (forall x) [CurrentTime(x) > 900 AND CurrentTime (x) <
Language Constructs (cont.)
Predicate: A unary predicate, Access, which takes as argument the service name: Access(ServiceName).
During code generation, calls to Access(ServiceName) are translated to the function call 'AccessServiceName(UserId)'.
Language Constructs (cont.)
Macros: Subroutines for an access rule. Defined in terms of user data, such as his/her location, role etc. Evaluated in isolation and do not specify an access rule.
Example: [Location(x) == "Sunnyvale" OR Location(x)
Easy to express - Simple and easy-to-use constructs to express authorization rules.
Scalability - Easy to adapt to the growth of authorization rules due to organizational or environmental changes.
Manageability - Modification is applied to all Web Services.
Reusability - Code can be easily understood and modified for reuse.
Scenario-2
Branch Manager and Accountant have access to the banking service after office hours; others can only access the service during office hours.
Rule:
(forall x) [((Role_BRM(x) OR Role_ACC(x)) AND NOT Office_Hours(x)) => Access(ACCESS_TIME)];
Code generated for the above rule is:

    bool AccessACCESS_TIME( int userid )
    {
        return ((Role_BRM(userid) || Role_ACC(userid)) && !Office_Hours(userid));
    }
Conflict Resolution
Conflict resolution on authorization rules is achieved by conflict prevention and detection.
Conflict Detection: The user (Security Admin) can use the "-D" compiler option to generate code for conflict detection. On detecting a conflict, the user can manually correct the conflicting rules. All Access and Deny rules are evaluated to a decision to allow or deny the access of a resource.
Conflict Prevention
It is the default option used in the ARSL compiler.
Based on the priority of input authorization rules for a given resource: if there exists more than one rule for a given resource, the order of rule occurrences is used as the order of priority.
All resources must have a default rule at the end of the input file.
ARSL uses an algorithm to prevent conflicts.
Algorithm Used for Conflict Prevention
Inputs: A set of authorization rules given in a priority order.
Output: A single authorization rule resolving conflicts based on the priority.

    Current_Predicate = Predicate of Rule n
    Current_Action = Action of Rule n
    FOR i = n-1 DOWNTO 1 DO
    BEGIN
        IF Action of Rule i == Current_Action THEN
            Current_Predicate = (Predicate of Rule i) OR (Current_Predicate)
        ELSE
            Current_Predicate = NOT (Predicate of Rule i) AND (Current_Predicate)
        ENDIF
    END
    /* Convert deny rules to access rules */
    IF (Current_Action == "Deny") THEN
        Current_Predicate = NOT (Current_Predicate)
    ENDIF

Rule n is the default rule for the resource, so Current_Action is the default action; a higher-priority rule with the same action widens the predicate (OR), and one with the opposite action carves an exception out of it (NOT ... AND), which reproduces first-match evaluation in a single expression.
Using the prevention algorithm, the resultant authorization rule is built up step by step. Here rule n is the default rule with predicate True (hence the trailing AND True); rules 4, 3 and 1 are Deny rules, so their predicates enter negated and conjoined, while rule 2 is an Access rule, so its predicate is disjoined:
i=4: (NOT (Country(x) == "Germany" AND Age(x) < 21 AND Item(x) == "Liquor") AND True) => Access(Item)
i=3: (NOT (Country(x) == "USA" AND Age(x) < 18 AND Item(x) == "Liquor") AND (NOT (Country(x) == "Germany" AND Age(x) < 21 AND Item(x) == "Liquor") AND True)) => Access(Item)
i=2: ((Prescription(x) == "Item") OR (NOT (Country(x) == "USA" AND Age(x) < 18 AND Item(x) == "Liquor") AND (NOT (Country(x) == "Germany" AND Age(x) < 21 AND Item(x) == "Liquor") AND True))) => Access(Item)
i=1: (NOT (CreditCard(x) == "INVALID") AND ((Prescription(x) == "Item") OR (NOT (Country(x) == "USA" AND Age(x) < 18 AND Item(x) == "Liquor") AND (NOT (Country(x) == "Germany" AND Age(x) < 21 AND Item(x) == "Liquor") AND True)))) => Access(Item)
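The following block is an added example written for this transcript, not the paper's compiler; it serves three passages at once: the code generated for Scenario-2, the conflict-prevention algorithm, and the "-D" conflict-detection mode. It models predicates as small tuple trees, implements the prevention loop exactly as the pseudocode states it, renders the result in the Access<ServiceName>(userid) shape the paper's generated C# uses, and checks, over a constructed grid of users, that the single collapsed expression agrees with first-match evaluation of the priority list. The liquor rule set is reconstructed from the i=4..i=1 derivation above (the assumption that rule 5 is the default True => Access(Item) is made explicit), and the macro names, user records and the sampling-based detector are this example's own constructions rather than what the paper's -D option generates.

```python
# Added example, not code from the paper: a Python model of the ARSL conflict-prevention
# algorithm, a renderer for the Access<Service>(userid) shape, and a sampling-based conflict
# detector. Node tuples, macro names and user records are constructed for illustration.
from itertools import product

TRUE = ("true",)
def fn(name): return ("fn", name)        # macro call such as Role_BRM(x)
def NOT(e): return ("not", e)
def AND(a, b): return ("and", a, b)
def OR(a, b): return ("or", a, b)

def resolve(rules):
    """Collapse priority-ordered (action, predicate) rules, rules[0] highest, rules[-1] the
    mandatory default, into the single access predicate of the paper's algorithm."""
    current_action, current_pred = rules[-1]
    for action_i, pred_i in reversed(rules[:-1]):      # i = n-1 down to 1
        if action_i == current_action:
            current_pred = OR(pred_i, current_pred)
        else:
            current_pred = AND(NOT(pred_i), current_pred)
    if current_action == "Deny":                        # deny expression -> access expression
        current_pred = NOT(current_pred)
    return current_pred

def to_csharp(expr):
    """Render a predicate as a C# boolean expression over Macro(userid) calls."""
    kind = expr[0]
    if kind == "true": return "true"
    if kind == "fn":   return f"{expr[1]}(userid)"
    if kind == "not":
        inner = to_csharp(expr[1])
        return "!" + (inner if expr[1][0] == "fn" else f"({inner})")
    op = " && " if kind == "and" else " || "
    return f"({to_csharp(expr[1])}{op}{to_csharp(expr[2])})"

def gen_function(service, rules):
    """The Access<ServiceName>(userid) function the compiler would emit for one service."""
    return f"bool Access{service}(int userid)\n{{\n    return {to_csharp(resolve(rules))};\n}}"

def evaluate(expr, macros, user):
    """Evaluate a predicate tree for one user record; macros map names to callables."""
    kind = expr[0]
    if kind == "true": return True
    if kind == "fn":   return bool(macros[expr[1]](user))
    if kind == "not":  return not evaluate(expr[1], macros, user)
    left, right = (evaluate(e, macros, user) for e in expr[1:])
    return (left and right) if kind == "and" else (left or right)

def decide(rules, macros, user):          # what the generated function returns for this user
    return evaluate(resolve(rules), macros, user)

def first_match(rules, macros, user):
    """Reference semantics the collapsed predicate must reproduce: first firing rule decides."""
    for action, pred in rules:
        if evaluate(pred, macros, user):
            return action == "Access"
    raise ValueError("rule list has no default rule")

def detect_conflicts(rules, macros, users):
    """Sampling stand-in for the -D mode: users for whom a non-default Access rule and a
    non-default Deny rule both fire, so that priority alone decides the outcome."""
    conflicts = []
    for user in users:
        fired = {action for action, pred in rules[:-1] if evaluate(pred, macros, user)}
        if fired == {"Access", "Deny"}:
            conflicts.append(user)
    return conflicts

# Scenario-2 from the paper: one rule, which is therefore also its own default.
SCENARIO2_RULES = [("Access", AND(OR(fn("Role_BRM"), fn("Role_ACC")), NOT(fn("Office_Hours"))))]
# Rules reconstructed from the paper's i=4..i=1 derivation (assumed rule 5: True => Access(Item)).
USA_MINOR_LIQUOR = AND(fn("Country_USA"), AND(fn("Age_Under18"), fn("Item_Liquor")))
GERMANY_MINOR_LIQUOR = AND(fn("Country_Germany"), AND(fn("Age_Under21"), fn("Item_Liquor")))
LIQUOR_RULES = [
    ("Deny",   fn("CreditCard_INVALID")),   # rule 1, highest priority
    ("Access", fn("Prescription_Item")),    # rule 2
    ("Deny",   USA_MINOR_LIQUOR),           # rule 3
    ("Deny",   GERMANY_MINOR_LIQUOR),       # rule 4
    ("Access", TRUE),                       # rule 5, mandatory default
]
MACROS = {                                  # constructed macro implementations over a user dict
    "CreditCard_INVALID": lambda u: u["card"] == "INVALID",
    "Prescription_Item": lambda u: u["prescription"] == "Item",
    "Country_USA": lambda u: u["country"] == "USA", "Country_Germany": lambda u: u["country"] == "Germany",
    "Age_Under18": lambda u: u["age"] < 18, "Age_Under21": lambda u: u["age"] < 21,
    "Item_Liquor": lambda u: u["item"] == "Liquor",
}
def user_grid():                            # constructed users covering every distinguishable case
    return [dict(card=c, prescription=p, country=k, age=a, item=i) for c, p, k, a, i in
            product(["VALID", "INVALID"], ["Item", "None"], ["USA", "Germany", "France"],
                    [16, 19, 30], ["Liquor", "Milk"])]

def collapsed_matches_first_match(rules, macros, users):
    return all(decide(rules, macros, u) == first_match(rules, macros, u) for u in users)

if __name__ == "__main__":
    print(gen_function("ACCESS_TIME", SCENARIO2_RULES))
    print("collapsed == first-match:", collapsed_matches_first_match(LIQUOR_RULES, MACROS, user_grid()))
    print("conflicting users in grid:", len(detect_conflicts(LIQUOR_RULES, MACROS, user_grid())))
```

Two points worth noticing when running it. First, the Scenario-2 output reproduces the slide's generated function because a single rule is trivially its own default. Second, the detector reports every user for whom the Prescription rule and one of the Deny rules fire together: prevention silently lets rule 2 win by position, which is exactly the situation an administrator would want surfaced before relying on rule order as policy.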
Features of the Algorithm
Output is a single logical expression.
The authorization function call returns as soon as one of the rules is true.
Execution time is lower.
Future Work and Conclusion
Port the compiler to generate HLL code other than C#.
Provide options to dynamically select language and platform options.
Decoupling security policies from Web Service-specific functionality helps in improving Web Service security.
The framework helps in dynamic authorization rule updates.
The proposed framework together with the specification language, ARSL, provides an effective solution for authorization implementation.