An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security
Weider D. Yu, Ellora Nayak
San Jose State University, San Jose (Silicon Valley), California, USA
W. D. Yu, E. Nayak November 12, 2008
TRUST Autumn 2008 Conference, Nashville, Tennessee
Topics
- Purpose
- Security in Web Services
- Web Service Authorization Requirements
- Authorization Framework using ARSL
- Usage Scenario
- Evaluation
- Conflict Resolution
- Future Scope and Conclusion
Purpose
- To propose a framework for implementing authorization in Web Services.
- To provide a generalized and reusable approach that is flexible enough to manage fast authorization rule updates.
Need for Web Service Security
- An unauthenticated person may try to access services.
- An authenticated but unauthorized person may access services.
- Messages might be modified by hackers.
- Non-repudiation issue.
Current Authorization Implementation
Figure: the stakeholders in today's authorization implementation and the hand-offs between them.
Stakeholders: Web Service User; Business Provider (e.g. IT dept of a bank); Security Architect; Independent Software Vendor.
Hand-offs: requests for a new web service; discuss the user's needs; decide on security features; get the requirements; security requirements passed to developer; testing & QA; validates application against user requirements.
Speech bubbles in the figure:
"I need a new service to graph the growth of my stock."
"This is possible by developing a new module accessing customer database."
"Only authorized personnel should access the service. Customer can authorize over phone to access their data."
"What is a funds growth graph? Can I switch off the access flag to prevent unauthorized access?"
Problems
- Different perspectives of the stakeholders.
- Different requirements, specializations and backgrounds of the stakeholders.
- Insufficient understanding of individual domains.
- Significant amount of time and effort required.
Requirements of an Authorization Framework
- Isolation of the authorization module from the rest of the Web Service application.
- Automated authorization code generation and integration.
- Simple and powerful authorization and access control language for security administrators.
Proposed Framework
The framework is composed of:
- An authorization specification language (ARSL) used to specify authorization and access control policies.
- A compiler used to automatically generate authorization modules in a High-Level Language (HLL) from the above policies.
- Dynamic Link Library (DLL) modules compiled from the HLL code and linked with the existing Web Service.
The authorization layer is separated from the Web Service application. Authorization and access control rules can be changed without affecting other Web Service application code.
ARSL Tool
Figure: the tool chain, from the rule file to the authorization-enabled Web Service.
1. The Security Admin adds/corrects rules in the input file (in ARSL) (BankInput.txt).
2. The compiler (ars.exe) generates code (GeneratedFile.cs); on error, the rule file is updated and compiled again.
3. The generated code is inserted into Authorize.cs and compiled with the HLL compiler (csc.exe) into AuthLib.dll; compile errors also go back to the rule file.
4. AuthLib.dll is linked with BankWService (generated code, DB access code, and other authorization-independent code) to form the authorization-enabled Web Service module, which talks to the DB.
5. Test with sample input: passed -> stop; error -> updated rule file back to the Security Admin.
Figure: from an authorization rule to an authorization module linked into the Web Service.
Authorization rule (user data comes from the database):
(forall x) [ LocSecure(x) AND Role_HRM(x) => Access(EmployeeDetails) ]
The compiler generates code for the authorization module, which is built into the authorization module DLL (AuthLib.dll) and linked with the existing Web Service modules to give the Web Service with authorization. Generated code for the rule above:
bool AccessEmployeeDetails( int userid )
{
    // LocSecure() and Role_HRM() are the macros named in the rule
    return ( LocSecure(userid) && Role_HRM(userid) );
}
Authorization Rule Specification Language (ARSL)
- ARSL is a special high-level specification language to specify authorization rules.
- Based on mathematical predicate logic: it is a knowledge-representation type of language, and its syntax is suitable for stating facts and deriving additional facts.
Language Syntax
Authorization Rule:
quantifier [(function_1) op (function_2) ... op (function_N) => Access (service)]
The left-hand-side terms of the rule specify the conditions that must be verified for the authorization to hold.
Example: "All employees who are not tellers have access to the service to open an account."
(forall x) [ NOT Role_TELLER(x) => Access(OPEN_ACT) ];
where Role_TELLER() is a macro and OPEN_ACT is the service name.
Design Requirements
- Provide a way to specify string, Boolean and numeric constants, and variables.
- Provide a way to define individual components that combine to give rules.
- Facilitate combining individual clauses (or macros) to derive authorization rules.
- Provide basic logical and arithmetic operators.
- Be complete enough to express any authorization rule.
Language Constructs
- Constants: Boolean constants (true and false), string constants (a set of characters within quotes), numeric constants.
- Operators: arithmetic, logical, assignment and string operators are implemented. Example: AND, OR, NOT, =, ==, +, -, *, /, >, <, >=, <=.
- Quantifiers: forall
- Delimiter: a semicolon terminates a rule. Example:
(forall x) [CurrentTime(x) > 900 AND CurrentTime(x) < 1700 => Access(BankServices)];
Language Constructs (cont.)
- Predicate: a unary predicate, Access, which takes the service name as its argument: Access(ServiceName).
- During code generation, each call Access(ServiceName) is translated to the function call 'AccessServiceName(UserId)'.
Language Constructs (cont.)
- Macros: subroutines for an access rule, defined in terms of user data such as location, role, etc. They are evaluated in isolation and do not by themselves specify an access rule.
Example:
[Location(x) == "Sunnyvale" OR Location(x) == "San Jose" => LocationSecure(x)];
where LocationSecure is a macro.
Grammar Rules
<start>       -> <macros> BEGIN <rules> END
<rules>       -> <rules> <access_rule>
<access_rule> -> <quantifier> [ <predicate> IMPLIES <access_expr> ] ;
<predicate>   -> <macro> | <access_expr>
<quantifier>  -> forall | exists
<access_expr> -> ACCESS (VAR) | DENY (VAR) | <access_expr> <op> <access_expr>
Grammar Rules (cont.)
<macros>       -> <macros> <macro>
<macro>        -> <context_expr> <cmp_op> CONST IMPLIES MACRO_NAME (VAR)
<context_expr> -> <CONTEXT_VAR> (VAR) | <context_expr> <op> <context_expr>
<cmp_op>       -> EQUALS | NE | GT | GE | LT | LE
<op>           -> AND | OR
Advantages of using ARSL
- Easy to express: simple and easy-to-use constructs to express authorization rules.
- Scalability: easy to adapt to the growth of authorization rules due to organizational or environmental changes.
- Manageability: a modification is applied to all Web Services.
- Reusability: code can be easily understood and modified for reuse.
Scenario-1
Tellers do not have the access rights to open new accounts.
Rule:
(forall x) [Role_PBK(x) OR Role_CSR(x) OR NOT Role_TLR(x) => Access(OPEN_ACT)];
Code generated for the above rule is:
bool AccessOPEN_ACT( int userid )
{
    return ( Role_PBK(userid) || Role_CSR(userid) || !Role_TLR(userid) );
}
Scenario-2
Branch Manager and Accountant have access to the banking service after office hours; others can only access the service during office hours.
Rule:
(forall x) [((Role_BRM(x) OR Role_ACC(x)) AND NOT Office_Hours(x)) => Access(ACCESS_TIME)];
Code generated for the above rule is:
bool AccessACCESS_TIME( int userid )
{
    return ( (Role_BRM(userid) || Role_ACC(userid)) && !Office_Hours(userid) );
}
Scenario-3
Only tellers' supervisors or managers can modify an existing transaction.
Rule:
(forall x) [((Role_LTR(x) OR Role_SVM(x) OR Role_BRM(x)) AND NOT Role_TLR(x)) => Access(MODIFY_TRX)];
Code generated for the above rule is:
bool AccessMODIFY_TRX( int userid )
{
    return ( (Role_LTR(userid) || Role_SVM(userid) || Role_BRM(userid)) && !Role_TLR(userid) );
}
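The translation that the Predicate slide and Scenarios 1 to 3 describe, as an added example rather than the ars.exe compiler itself: the script below parses one ARSL access rule of the form (forall x) [ predicate => Access(SERVICE) ];, maps AND/OR/NOT to &&/||/!, replaces the quantified variable with the userid parameter, and emits the bool AccessSERVICE(int userid) C# function shown on the slides. It goes slightly beyond the slides in also accepting the macro-definition form [ context_expr => MACRO_NAME(x) ]; and emitting a bool MACRO_NAME(int userid) function for it. The regular expressions, the tokenizer and the SyntaxError checks (unbalanced parentheses, an identifier not applied to the quantified variable, Deny rules) are this example's own design; the rule strings are typed from the slides with straight quotes.

```python
"""ARSL-to-C# translation for access rules and macro definitions.

Added example, not the ARSL compiler (ars.exe) from the slides. The operator
spelling (&&, ||, !) and the generated function skeleton follow the slides; the
regular expressions, tokenizer and error checks are this example's own design.
"""
import re

# (forall x) [ <predicate> => Access(SERVICE) ];
RULE_RE = re.compile(
    r"^\s*\(\s*forall\s+(?P<var>\w+)\s*\)\s*\[\s*(?P<pred>.+?)\s*=>\s*"
    r"Access\s*\(\s*(?P<service>\w+)\s*\)\s*\]\s*;\s*$", re.S)
# [ <context_expr> => MACRO_NAME(x) ];  (macro definition, no quantifier)
MACRO_RE = re.compile(
    r"^\s*\[\s*(?P<pred>.+?)\s*=>\s*(?P<name>\w+)\s*\(\s*(?P<var>\w+)\s*\)\s*\]\s*;\s*$", re.S)
TOKEN_RE = re.compile(
    r'\s*(?:(?P<str>"[^"]*")|(?P<num>\d+)|(?P<cmp>==|!=|>=|<=|>|<)|(?P<par>[()])|(?P<word>\w+))')
LOGICAL = {"AND": "&&", "OR": "||", "NOT": "!"}
IDENT = re.compile(r"[A-Za-z_]\w*")


def tokenize(pred):
    """Split a predicate into (kind, text) tokens, rejecting anything unknown."""
    tokens, pos = [], 0
    while pos < len(pred):
        m = TOKEN_RE.match(pred, pos)
        if m is None or m.lastgroup is None:
            raise SyntaxError(f"unexpected input at {pred[pos:]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens


def translate(tokens, var):
    """Map ARSL tokens to a C# boolean expression over the parameter 'userid'."""
    out, depth = [], 0
    for i, (kind, text) in enumerate(tokens):
        if kind == "par":
            depth += 1 if text == "(" else -1
            if depth < 0:
                raise SyntaxError("unbalanced ')' in predicate")
            out.append(text)
        elif kind == "word" and text in LOGICAL:
            out.append(LOGICAL[text])
        elif kind == "word" and text.upper() in ("TRUE", "FALSE"):
            out.append(text.lower())   # Boolean constants
        elif kind == "word" and text == var:
            out.append("userid")       # the quantified variable becomes the parameter
        elif kind == "word":
            # any other identifier is a macro or context function; the grammar
            # requires it to be applied to the quantified variable: Name(x)
            if i + 1 >= len(tokens) or tokens[i + 1] != ("par", "("):
                raise SyntaxError(f"{text} must be applied to ({var})")
            out.append(text)
        else:
            out.append(text)           # constants and comparison operators pass through
    if depth != 0:
        raise SyntaxError("unbalanced '(' in predicate")
    # C#-style spacing: none inside parentheses, after '!' or before a call's '('
    expr = ""
    for prev, tok in zip([None] + out, out):
        call = tok == "(" and prev is not None and IDENT.fullmatch(prev) is not None
        expr += tok if (prev is None or prev in ("(", "!") or tok == ")" or call) else " " + tok
    return expr


def generate(source):
    """Generate the C# function for one ARSL access rule or macro definition."""
    m = RULE_RE.match(source)
    if m:
        name = "Access" + m.group("service")   # Access(Service) -> AccessService(userid)
    else:
        m = MACRO_RE.match(source)
        if m is None:
            raise SyntaxError("not an ARSL access rule or macro definition (Deny is not handled here)")
        name = m.group("name")
    cond = translate(tokenize(m.group("pred")), m.group("var"))
    return f"bool {name}(int userid)\n{{\n    return ({cond});\n}}"


def rejects(source):
    """True if generate() refuses the input with a SyntaxError."""
    try:
        generate(source)
    except SyntaxError:
        return True
    return False


# Rules typed from the slides (straight quotes).
SCENARIOS = {
    "Scenario-1": "(forall x) [Role_PBK(x) OR Role_CSR(x) OR NOT Role_TLR(x) => Access(OPEN_ACT)];",
    "Scenario-2": "(forall x) [((Role_BRM(x) OR Role_ACC(x)) AND NOT Office_Hours(x)) => Access(ACCESS_TIME)];",
    "Scenario-3": "(forall x) [((Role_LTR(x) OR Role_SVM(x) OR Role_BRM(x)) AND NOT Role_TLR(x)) => Access(MODIFY_TRX)];",
    "Macro": '[Location(x) == "Sunnyvale" OR Location(x) == "San Jose" => LocationSecure(x)];',
    "Office hours": "(forall x) [CurrentTime(x) > 900 AND CurrentTime(x) < 1700 => Access(BankServices)];",
}

if __name__ == "__main__":
    for label, source in SCENARIOS.items():
        print(f"// {label}\n{generate(source)}\n")
```

The bare form Age < 19 used in the later conflict example is rejected on purpose: the grammar only admits CONTEXT_VAR (VAR), so Age(x) < 19 is the form the translator accepts.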
Evaluation
Figure: No. of rules in an input file vs. code generation time (x axis: No. of rules in file, 0 to 1500; y axis: time in msec, 0 to 7000).
Figure: No. of functions in each rule vs. code generation time (x axis: No. of functions, 0 to 1000; y axis: time in ms, 0 to 40).
With an increase in the number of functions in a single rule, the time taken to generate the HLL code increases proportionally.
Figure: No. of predicates per rule vs. execution time for authorization function calls, i.e. the execution time taken by ARSL-generated code (x axis: No. of predicates per rule, 0 to 1200; y axis: time in msec, 0 to 140).
Conflict Resolution
Conflict resolution on authorization rules is achieved by conflict prevention and conflict detection.
Conflict Detection:
- The user (Security Admin) can use the -D compiler option to generate code for conflict detection.
- On detecting a conflict, the user can manually correct the conflicting rules.
- All Access and Deny rules are evaluated to a decision to allow or deny access to a resource.
Conflict Prevention
- It is the default option used in the ARSL compiler.
- Based on the priority of the input authorization rules for a given resource: if there exists more than one rule for a given resource, the order of rule occurrences is used as the order of priority.
- All resources must have a default rule at the end of the input file.
- ARSL uses an algorithm to prevent conflicts.
Algorithm Used for Conflict Prevention
Inputs: A set of authorization rules given in a priority order.
Output: A single authorization rule resolving conflicts based on the priority.

Current_Predicate = Predicate of Rule n
Current_Action = Action of Rule n
FOR i = n-1 to 1 DO
BEGIN
    IF Action of Rule i == Current_Action THEN
        Current_Predicate = (Predicate of Rule i) OR (Current_Predicate)
    ELSE
        Current_Predicate = NOT (Predicate of Rule i) AND (Current_Predicate)
    ENDIF
    /* Convert deny rules to access rules */
    IF (Current_Action == "Deny") THEN
        Current_Predicate = NOT (Current_Predicate)
        Current_Action = "Access"
    ENDIF
END
ENDFOR
Conflict Resolution Example
Input Authorization Rules:
Rule 1: (forall x) [CreditCard(x) == "INVALID" => Deny(Item)];
Rule 2: (forall x) [Prescription(x) == "Item" => Access(Item)];
Rule 3: (forall x) [Country(x) == "USA" AND Age < 19 AND Item == "Liquor" => Deny(Item)];
Rule 4: (forall x) [Country(x) == "GERMANY" AND Age < 21 AND Item == "Liquor" => Deny(Item)];
Rule 5: (forall x) [TRUE => Access(Item)]; // default rule
Using the prevention algorithm, the resultant authorization rule is:
i=4: NOT (Country(x) == "Germany" AND Age(x) < 21 AND Item(x) == "Liquor") AND True => Access(Item)
i=3: NOT (Country(x) == "USA" AND Age(x) < 18 AND Item(x) == "Liquor") AND (NOT (Country(x) == "Germany" AND Age(x) < 21 AND Item(x) == "Liquor") AND True) => Access(Item)
i=2: (Prescription(x) == "Item") OR (NOT (Country(x) == "USA" AND Age(x) < 18 AND Item(x) == "Liquor") AND (NOT (Country(x) == "Germany" AND Age(x) < 21 AND Item(x) == "Liquor") AND True)) => Access(Item)
i=1: NOT (CreditCard(x) == "INVALID") AND ((Prescription(x) == "Item") OR (NOT (Country(x) == "USA" AND Age(x) < 18 AND Item(x) == "Liquor") AND (NOT (Country(x) == "Germany" AND Age(x) < 21 AND Item(x) == "Liquor") AND True))) => Access(Item)
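The prevention algorithm and its worked derivation, together with the -D conflict-detection mode, as an added Python example (not the ARSL tool's code). resolve() is the slide's fold: it walks the rules from n-1 down to 1, ORs a same-action predicate onto the accumulated one, ANDs the negation of an opposite-action predicate, and converts an accumulated Deny rule into an Access rule; it returns both the printable ARSL text and an evaluator, so the folded text can be compared with the derivation slide. first_match() is plain first-match semantics, included here as a reference to check the fold against, and detect_conflicts() evaluates every rule for one request and reports whether both an Access and a Deny rule fire. Assumptions: predicates are Python callables over a request dict; Age(x) and Item(x) are written as on the derivation slide; Prescription(x) == "Item" is read as holding a prescription for the requested item; the detection function skips the always-true default rule when looking for conflicts; the sample requests are constructed.

```python
"""Conflict prevention (priority fold) and conflict detection over ARSL-style rules.

Added example, not the ARSL tool's code. Each Rule carries its predicate twice:
as ARSL text, so the folded rule can be printed, and as a Python callable over
a request-context dict, so it can be evaluated.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Set

Context = Dict[str, Any]


@dataclass(frozen=True)
class Rule:
    text: str
    test: Callable[[Context], bool]
    action: str  # "Access" or "Deny"


@dataclass(frozen=True)
class Predicate:
    text: str
    test: Callable[[Context], bool]


def resolve(rules: List[Rule]) -> Predicate:
    """Fold a priority-ordered rule list (Rule 1 first, default rule last) into
    one Access predicate, following the prevention algorithm on the slides."""
    if not rules:
        raise ValueError("the rule set must end with a default rule")
    current = Predicate(rules[-1].text, rules[-1].test)
    action = rules[-1].action
    for rule in reversed(rules[:-1]):  # i = n-1 down to 1
        if rule.action == action:      # same action: either rule may grant it
            current = Predicate(f"({rule.text}) OR ({current.text})",
                                lambda c, r=rule, cur=current: r.test(c) or cur.test(c))
        else:                          # opposite, higher-priority action overrides
            current = Predicate(f"NOT ({rule.text}) AND ({current.text})",
                                lambda c, r=rule, cur=current: (not r.test(c)) and cur.test(c))
        if action == "Deny":           # convert the accumulated Deny rule to an Access rule
            current = Predicate(f"NOT ({current.text})", lambda c, cur=current: not cur.test(c))
            action = "Access"
    if action == "Deny":  # a lone Deny default; the slide's loop never runs for it
        current = Predicate(f"NOT ({current.text})", lambda c, cur=current: not cur.test(c))
    return current


def first_match(rules: List[Rule], ctx: Context) -> str:
    """Reference semantics: the first rule in priority order whose predicate holds decides."""
    for rule in rules:
        if rule.test(ctx):
            return rule.action
    raise ValueError("no rule matched; the default rule must be TRUE")


def detect_conflicts(rules: List[Rule], ctx: Context) -> Set[str]:
    """Conflict detection in the spirit of the -D option: evaluate every explicit
    rule (the always-true default excluded, an assumption) and return the actions
    that fire; both 'Access' and 'Deny' present means the admin must fix the rules."""
    return {rule.action for rule in rules[:-1] if rule.test(ctx)}


# The five rules from the slides, with Age(x) and Item(x) written as on the
# derivation slide. Prescription(x) == "Item" is read as "the user holds a
# prescription for the requested item" (an interpretation).
RULES = [
    Rule('CreditCard(x) == "INVALID"', lambda c: c["credit_card"] == "INVALID", "Deny"),
    Rule('Prescription(x) == "Item"', lambda c: c["prescription"] == c["item"], "Access"),
    Rule('Country(x) == "USA" AND Age(x) < 19 AND Item(x) == "Liquor"',
         lambda c: c["country"] == "USA" and c["age"] < 19 and c["item"] == "Liquor", "Deny"),
    Rule('Country(x) == "GERMANY" AND Age(x) < 21 AND Item(x) == "Liquor"',
         lambda c: c["country"] == "GERMANY" and c["age"] < 21 and c["item"] == "Liquor", "Deny"),
    Rule("TRUE", lambda c: True, "Access"),  # default rule, last in the input file
]

# Constructed sample requests (not from the slides).
SAMPLES = [
    {"credit_card": "VALID", "prescription": None, "country": "USA", "age": 17, "item": "Liquor"},
    {"credit_card": "VALID", "prescription": "Liquor", "country": "USA", "age": 17, "item": "Liquor"},
    {"credit_card": "INVALID", "prescription": "Liquor", "country": "USA", "age": 40, "item": "Liquor"},
    {"credit_card": "VALID", "prescription": None, "country": "GERMANY", "age": 25, "item": "Liquor"},
    {"credit_card": "VALID", "prescription": None, "country": "GERMANY", "age": 20, "item": "Bread"},
]


def decide(ctx: Context) -> bool:
    """Access decision taken from the single folded predicate."""
    return resolve(RULES).test(ctx)


def folded_matches_first_match(rules: List[Rule], samples: List[Context]) -> bool:
    """Check that the folded predicate agrees with first-match semantics on every sample."""
    folded = resolve(rules)
    return all(folded.test(c) == (first_match(rules, c) == "Access") for c in samples)


if __name__ == "__main__":
    print(resolve(RULES).text)
    for ctx in SAMPLES:
        verdict = "Access" if decide(ctx) else "Deny"
        print(f"{ctx['country']:8} age {ctx['age']:2} {ctx['item']:7} -> {verdict}; fires: {detect_conflicts(RULES, ctx)}")
```

The second sample shows the priority order at work: Rule 2 (prescription) and Rule 3 (under-age liquor in the USA) both fire, detection reports the Access/Deny pair, and the folded rule grants access because Rule 2 precedes Rule 3 in the file.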
Features of the Algorithm
- Output is a single logical expression.
- The authorization function call returns as soon as one of the rules is true.
- Execution time is less.
Figure: No. of functions vs. time in sec, conflict detection compared with conflict prevention (x axis: No. of functions, 100 to 1000; y axis: time in sec, 0 to 30).
Future Work and Conclusion
- Port the compiler to generate HLL code in languages other than C#.
- Provide options to dynamically select language and platform options.
- Decoupling security policies from Web Service specific functionality helps improve Web Service security.
- The framework supports dynamic authorization rule updates.
- The proposed framework together with the specification language, ARSL, provides an effective solution for authorization implementation.
Thank You