An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security


Post on 19-Mar-2016

Page 1: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Weider D. Yu
Ellora Nayak

San Jose State University
San Jose (Silicon Valley), California, USA

Page 2: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

W. D. Yu, E. Nayak November 12, 2008

TRUST Autumn 2008 Conference, Nashville, Tennessee

Topics
- Purpose
- Security in Web Services
- Web Service Authorization Requirements
- Authorization Framework using ARSL
- Usage Scenario
- Evaluation
- Conflict Resolution
- Future Scope and Conclusion

Page 3: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Purpose
- To propose a framework for implementing authorization in Web Services.
- To provide a generalized and reusable approach that provides the flexibility to manage fast authorization rule updates.

Page 4: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Need for Web Service Security
- An unauthenticated person may try to access services.
- An authenticated but unauthorized person may access services.
- Messages might be modified by hackers.
- Non-repudiation issue.

Page 5: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Current Authorization Implementation

[Diagram: workflow among the stakeholders of a new web service]

Stakeholders shown: Web Service User; Business Provider (e.g. IT dept of Bank); Security Architect; Independent Software Vendor

Steps shown: Requests for a new web service; Discuss about users needs; Decide on security features; Testing & QA; Get the requirements; Security requirements passed to developer; Validates application against user requirements

Callouts shown:
- "I need a new service to graph the growth of my stock."
- "This is possible by developing a new module accessing customer database."
- "Only authorized personnel should access the service. Customer can authorize over phone to access their data."
- "What is a funds growth graph? Can I switch off the access flag to prevent unauthorized access?"

Page 6: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Problems
- Different perspectives of the stakeholders.
- Different requirements, specializations and backgrounds of the stakeholders.
- Insufficient understanding of individual domains.
- Significant amount of time and effort required.

Page 7: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Requirements of an Authorization Framework
- Isolation of authorization module from the rest of the Web Service application.
- Automated authorization code generation and integration.
- Simple and powerful authorization and access control language for security administrators.

Page 8: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Proposed Framework
- The framework is composed of:
  - An authorization specification language (ARSL) used to specify authorization and access control policies.
  - A compiler used to automatically generate authorization modules in High-Level Language (HLL) from the above policies.
  - Dynamic Link Library (DLL) modules compiled from the HLL code and linked with existing Web Service.
- The authorization layer is separated from the Web Service application.
- Authorization and access control rules can be changed without affecting other Web Service application code.

Page 9: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

[Diagram: ARSL Tool workflow]

Artifacts shown: Input file (in ARSL) (BankInput.txt); Updated rule file; GeneratedFile.cs; Authorize.cs (DB Access code, Generated Code, Other Authorization independent code); AuthLib.dll; Authorization Enabled Web Service Module; BankWService; DB

Steps shown: Security Admin adds/corrects rules; Compiler (ars.exe) generates code; Insert Generated Code into Authorize.cs; Compile with HLL compiler (csc.exe); Test with sample input

Outcomes shown: Error; passed; stop

Page 10: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

[Diagram: from authorization rules to a Web Service with authorization]

Labels shown: Database; Authorization Rules; Compiler; Generates Code; Authorization Module; Authorization Module DLL (AuthLib.dll); linked; Existing Web Service modules; Web Service with Authorization

Authorization rule shown:

    (forall x) [ LocSecure(x) AND Role_HRM(x) => Access(EmployeeDetails) ]

Generated code shown:

    bool AccessEmployeeDetails( int userid )
    {
        return ( (LocSecure(userid) ) &&
                 (userid.Role == "HRM") );
    }

Page 11: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Authorization Rule Specification Language (ARSL)
- ARSL is a special high-level specification language to specify authorization rules.
- Based on mathematical predicate logic:
  - It is a knowledge representation type of language.
  - The language syntax is suitable for stating facts and deriving additional facts.

Page 12: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Language Syntax
- Authorization Rule:

      quantifier [(function_1) op (function_2) … op (function_N) => Access (service)]

- Left hand side terms of the rule are used to specify conditions that must be verified for the authorization to hold.
- Example: "All employees who are not teller have access to the service to open account."

      (forall x)[ NOT Role_TELLER( x) => Access(OPEN_ACT)];

  where:
      Role_TELLER()   macro
      OPEN_ACT        service name

Page 13: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Design Requirements
- Provide a way to specify string, Boolean, numeric constants, and variables.
- Provide a way to define individual components that combine to give rules.
- Facilitate combining individual clauses (or macros) to derive authorization rules.
- Provide basic logical and arithmetic operators.
- Be complete enough to express any authorization rules.

Page 14: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Language Constructs
- Constants: Boolean constants (true and false), string constants (set of characters within quotes), numeric constants.
- Operators: Arithmetic operators, logical operators, assignment operators, string operators are implemented.
  Example: AND, OR, NOT, =, ==, +, -, *, /, >, <, >=, <=.
- Quantifiers: forall
- Delimiter: Semicolon is used to terminate rules.
  Example:

      (forall x) [CurrentTime(x) > 900 AND CurrentTime(x) < 1700 => Access(BankServices)];

Page 15: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Language Constructs (cont.)
- Predicate:
  - A unary predicate, Access, which takes as argument the service name: Access (ServiceName).
  - During code generation, calls to Access (ServiceName) are translated to the function call 'AccessServiceName (UserId)'.

Page 16: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Language Constructs (cont.)
- Macros:
  - Subroutines for an access rule.
  - Defined in terms of user data, such as his/her location, role etc.
  - Evaluated in isolation and do not specify an access rule.
  - Example:

        [Location(x) == "Sunnyvale" OR Location(x) == "San Jose" => LocationSecure(x)];

    where LocationSecure is a macro.

Page 17: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Grammar Rules

    <start>        ->  <macros> BEGIN <rules> END
    <rules>        ->  <rules> <access_rule>
    <access_rule>  ->  <quantifier> [<predicate> IMPLIES <access_expr>];
    <predicate>    ->  <macro> | <access_expr>
    <quantifier>   ->  forall | exists
    <access_expr>  ->  ACCESS (VAR) | DENY (VAR)
                       | <access_expr> <op> <access_expr>

Page 18: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Grammar Rules (cont.)

    <macros>        ->  <macros> <macro>
    <macro>         ->  <context_expr> <cmp_op> CONST IMPLIES MACRO_NAME (VAR)
    <context_expr>  ->  <CONTEXT_VAR> (VAR)
                        | <context_expr> <op> <context_expr>
    <cmp_op>        ->  EQUALS | NE | GT | GE | LT | LE
    <op>            ->  AND | OR

Page 19: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Advantages of using ARSL
- Easy to express - Simple and easy to use constructs to express authorizations rules.
- Scalability - Easy to adapt to the growth of authorization rules due to organizational or environmental changes.
- Manageability - Modification is applied to all Web Services.
- Reusability - Code can be easily understood and modified for reuse.

Page 20: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Scenario-1
- Tellers do not have the access rights to open new accounts.
- Rule:

      (forall x) [Role_PBK (x) OR Role_CSR(x) OR NOT Role_TLR(x) => Access (OPEN_ACT)];

- Code generated for the above rule is:

      bool AccessOPEN_ACT( int userid )
      {
          return (Role_PBK (userid) || Role_CSR (userid) ||
                  ! Role_TLR (userid));
      }

Page 21: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Scenario-2
- Branch Manager and Accountant have access to banking service after office hours, others can only access the service during office hours.
- Rule:

      (forall x) [((Role_BRM(x) OR Role_ACC(x)) AND NOT Office_Hours(x)) => Access(ACCESS_TIME)];

- Code generated for the above rule is:

      bool AccessACCESS_TIME( int userid )
      {
          return ((Role_BRM (userid) || Role_ACC (userid)) &&
                  ! Office_Hours(userid) );
      }

Page 22: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Scenario-3
- Only Teller's supervisors or managers can modify an existing transaction.
- Rule:

      (forall x) [((Role_LTR(x) OR Role_SVM(x) OR Role_BRM(x)) AND NOT Role_TLR(x)) => Access (MODIFY_TRX)];

- Code generated for the above rule is:

      bool AccessMODIFY_TRX ( int userid )
      {
          return ((Role_LTR (userid) || Role_SVM (userid) ||
                   Role_BRM (userid)) && (! Role_TLR (userid)));
      }
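
The translation from an ARSL rule to a generated authorization function, as described on the Language Syntax, Language Constructs and Scenario slides, sketched here as an added Python example (it is not the authors' ars.exe compiler or its output). It assumes a subset of ARSL with single-argument macros only and assumes AND binds tighter than OR; the names tokenize, RuleParser and compile_rule are hypothetical, and a malformed rule is rejected instead of producing code.

```python
import re

# Added sketch, not the ARSL compiler. Only names, brackets, ';' and '=>' are
# accepted, so nothing but identifiers can reach the generated source text.
TOKEN = re.compile(r"\s*(=>|[()\[\];]|[A-Za-z_]\w*)")
IDENT = re.compile(r"[A-Za-z_]\w*")
KEYWORDS = {"forall", "AND", "OR", "NOT", "Access"}

def tokenize(text):
    text, pos, tokens = text.strip(), 0, []
    while pos < len(text):
        match = TOKEN.match(text, pos)
        if not match:
            raise ValueError(f"unexpected character at offset {pos}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens

class RuleParser:
    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def expect(self, *literals):
        for literal in literals:
            if self.peek() != literal:
                raise ValueError(f"expected {literal!r}, got {self.peek()!r}")
            self.pos += 1

    def ident(self):
        token = self.peek()
        if token is None or token in KEYWORDS or not IDENT.fullmatch(token):
            raise ValueError(f"expected a name, got {token!r}")
        self.pos += 1
        return token

    def chain(self, operand, keyword, csharp_op, var):
        parts = [operand(var)]
        while self.peek() == keyword:
            self.pos += 1
            parts.append(operand(var))
        # Always parenthesize a combined expression in the output.
        return parts[0] if len(parts) == 1 else "(" + csharp_op.join(parts) + ")"

    def expr(self, var):      # expr := term (OR term)*
        return self.chain(self.term, "OR", " || ", var)

    def term(self, var):      # term := factor (AND factor)*
        return self.chain(self.factor, "AND", " && ", var)

    def factor(self, var):    # factor := NOT factor | ( expr ) | Macro(var)
        if self.peek() == "NOT":
            self.pos += 1
            return "!" + self.factor(var)
        if self.peek() == "(":
            self.pos += 1
            inner = self.expr(var)
            self.expect(")")
            return inner
        macro = self.ident()
        self.expect("(", var, ")")
        return f"{macro}(userid)"

def compile_rule(rule):
    """Translate '(forall x) [cond => Access(SERVICE)];' into a C# function."""
    p = RuleParser(tokenize(rule))
    p.expect("(", "forall")
    var = p.ident()
    p.expect(")", "[")
    condition = p.expr(var)
    p.expect("=>", "Access", "(")
    service = p.ident()
    p.expect(")", "]", ";")
    if p.peek() is not None:
        raise ValueError("unexpected input after ';'")
    return f"bool Access{service}(int userid)\n{{\n    return {condition};\n}}"

SCENARIO_1 = "(forall x) [Role_PBK (x) OR Role_CSR(x) OR NOT Role_TLR(x) => Access (OPEN_ACT)];"
SCENARIO_3 = ("(forall x) [((Role_LTR(x) OR Role_SVM(x) OR Role_BRM(x)) "
              "AND NOT Role_TLR(x))=> Access (MODIFY_TRX)];")
# Constructed malformed input: one closing parenthesis too many.
UNBALANCED = "(forall x) [(Role_BRM(x) OR Role_ACC(x)) AND NOT Office_Hours(x)) => Access(ACCESS_TIME)];"

if __name__ == "__main__":
    print(compile_rule(SCENARIO_1))
```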

Page 23: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Evaluation

[Chart: No. of rules in an input file vs. code generation time. x-axis: No. of rules in file; y-axis: Time in msec]

Page 24: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

[Chart: No. of functions in each rule vs. code generation time. x-axis: No. of functions; y-axis: Time in ms]

With increase in the number of functions in a single rule, the time taken to generate HLL increases proportionally.

Page 25: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

[Chart: No. of predicates per rule vs. execution time for authorization function calls (Execution time taken by ARSL). x-axis: No. of predicates per rule; y-axis: Time in msec]

Page 26: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Conflict Resolution
- Conflict resolution on authorization rules is achieved by conflict prevention and detection.
- Conflict Detection:
  - User (Security Admin) can use the "-D" compiler option to generate code for conflict detection.
  - On detecting a conflict, user can manually correct the conflicting rules.
  - All Access and Deny rules are evaluated to a decision to allow or deny the access of a resource.

Page 27: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Conflict Prevention
- It is the default option used in the ARSL compiler.
- Based on the priority of input authorization rules for a given resource:
  - If there exists more than one rule for a given resource, the order of rule occurrences is used as the order of priority.
  - All resources must have a default rule at the end of input file.
- ARSL uses an algorithm to prevent conflicts.

Page 28: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Algorithm Used for Conflict Prevention

Inputs: A set of authorization rules given in a priority order.

Output: A single authorization rule resolving conflicts based on the priority.

    Current_Predicate = Predicate of Rule n
    Current_Action = Action of Rule n

    FOR i = n-1 to 1 DO
    BEGIN
        IF Action of Rule i == Current_Action THEN
            Current_Predicate = (Predicate of Rule i) OR (Current_Predicate)
        ELSE
            Current_Predicate = NOT (Predicate of Rule i) AND (Current_Predicate)
        ENDIF

        /* Convert deny rules to access rules */
        IF (Current_Action == "Deny") THEN
            Current_Predicate = NOT (Current_Predicate)
            Current_Action = "Access"
        ENDIF
    END
    ENDFOR

Page 29: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Conflict Resolution Example

Input Authorization Rules:

    Rule 1: (forall x) [CreditCard(x)=="INVALID" => Deny(Item)];
    Rule 2: (forall x) [Prescription(x) == "Item" => Access(Item)];
    Rule 3: (forall x) [Country(x) =="USA" AND Age < 19 AND Item == "Liquor" => Deny(Item)];
    Rule 4: (forall x) [Country(x) =="GERMANY" AND Age < 21 AND Item == "Liquor" => Deny(Item)];
    Rule 5: (forall x)[TRUE => Access(Item) ];   //default rule

Page 30: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Using the prevention algorithm, the resultant authorization rule is:

    i=4: (NOT (Country(x) == "Germany" AND Age(x) < 21 AND Item(x) == "Liquor") AND True)
         => Access(Item)

    i=3: NOT (Country(x) == "USA" AND Age(x) < 18 AND Item(x) == "Liquor")
         AND (NOT (Country(x) == "Germany" AND Age(x) < 21 AND Item(x) == "Liquor") AND True)
         => Access(Item)

    i=2: (Prescription(x) == "Item")
         OR (NOT (Country(x) == "USA" AND Age(x) < 18 AND Item(x) == "Liquor")
             AND (NOT (Country(x) == "Germany" AND Age(x) < 21 AND Item(x) == "Liquor") AND True))
         => Access(Item)

    i=1: NOT (CreditCard(x) == "INVALID")
         AND ((Prescription(x) == "Item")
              OR (NOT (Country(x) == "USA" AND Age(x) < 18 AND Item(x) == "Liquor")
                  AND (NOT (Country(x) == "Germany" AND Age(x) < 21 AND Item(x) == "Liquor") AND True)))
         => Access(Item)
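
The prevention algorithm above, carried through in Python as an added example (not the authors' implementation): it folds the five example rules into one expression and checks the result against first-match evaluation for every combination of inputs. The atom names and the functions fold_rules, first_match and mismatches are assumptions of this sketch; the second, constructed rule list lacks the required default rule and shows the folded expression granting access when no rule matches.

```python
from itertools import product

# Added sketch, not the ARSL compiler: predicates are small expression trees.
TRUE = ("true",)

def atom(name):
    return ("atom", name)

def evaluate(expr, facts):
    kind = expr[0]
    if kind == "true":
        return True
    if kind == "atom":
        return facts[expr[1]]
    if kind == "not":
        return not evaluate(expr[1], facts)
    left, right = evaluate(expr[1], facts), evaluate(expr[2], facts)
    return (left and right) if kind == "and" else (left or right)

def render(expr):
    kind = expr[0]
    if kind == "true":
        return "True"
    if kind == "atom":
        return expr[1]
    if kind == "not":
        return f"NOT ({render(expr[1])})"
    op = " AND " if kind == "and" else " OR "
    return f"({render(expr[1])}{op}{render(expr[2])})"

def fold_rules(rules, require_default=True):
    """Fold (predicate, action) rules, highest priority first, into one Access predicate."""
    if not rules:
        raise ValueError("empty rule list")
    if require_default and rules[-1][0] != TRUE:
        raise ValueError("last rule must be the default rule (TRUE => ...)")
    pred, action = rules[-1]
    for rule_pred, rule_action in reversed(rules[:-1]):    # i = n-1 down to 1
        if rule_action == action:
            pred = ("or", rule_pred, pred)
        else:
            pred = ("and", ("not", rule_pred), pred)
        if action == "Deny":                                # convert deny to access
            pred, action = ("not", pred), "Access"
    if action == "Deny":   # added here: a one-rule list never enters the loop
        pred = ("not", pred)
    return pred

def first_match(rules, facts):
    """Reference semantics: the first rule whose predicate holds decides."""
    for pred, action in rules:
        if evaluate(pred, facts):
            return action == "Access"
    return None   # no rule matched

def mismatches(rules, names, require_default=True):
    """Every input combination where the folded rule and first-match disagree."""
    folded = fold_rules(rules, require_default)
    found = []
    for values in product([False, True], repeat=len(names)):
        facts = dict(zip(names, values))
        if evaluate(folded, facts) != first_match(rules, facts):
            found.append(facts)
    return found

# Constructed stand-ins for the conditions of Rules 1-5 in the example above.
NAMES = ["InvalidCard", "HasPrescription", "UnderageUSA", "UnderageGermany"]
SLIDE_RULES = [
    (atom("InvalidCard"), "Deny"),
    (atom("HasPrescription"), "Access"),
    (atom("UnderageUSA"), "Deny"),
    (atom("UnderageGermany"), "Deny"),
    (TRUE, "Access"),             # default rule
]
# Constructed: a list that ends in a Deny rule and has no default rule.
NO_DEFAULT = [(atom("HasPrescription"), "Access"), (atom("InvalidCard"), "Deny")]

if __name__ == "__main__":
    print(render(fold_rules(SLIDE_RULES)))
    print(mismatches(SLIDE_RULES, NAMES))
    print(mismatches(NO_DEFAULT, NAMES[:2], require_default=False))
```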

Page 31: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Features of the Algorithm
- Output is a single logical expression.
- Authorization function call returns as soon as one of the rules is true.
- Execution time is less.

[Chart comparing Conflict Detection and Conflict Prevention. x-axis: No. of Functions; y-axis: Time in sec]

Page 32: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Future Work and Conclusion
- Port the compiler to generate more HLL code other than C#.
- Provide options to dynamically select language and platform options.
- Decoupling security policies from Web Service specific functionality helps in improving Web Service security.
- The framework helps in dynamic authorization rule updates.
- The proposed framework together with the specification language, ARSL, provides an effective solution for authorization implementation.

Page 33: An Algorithmic Approach to Authorization Rules Conflict Resolution in Software Security

Thank You