ebook img

Distributed and Typed Role-based Access Control Mechanisms Driven by CRUD Expressions PDF

12 Pages·2017·1.39 MB·English
by  
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview Distributed and Typed Role-based Access Control Mechanisms Driven by CRUD Expressions

Distributed and Typed Role-based Access Control Mechanisms Driven by CRUD Expressions Oscar Mortagua Pereira, Diogo Domingues Regateiro, Rui L. Aguiar To cite this version: Oscar Mortagua Pereira, Diogo Domingues Regateiro, Rui L. Aguiar. Distributed and Typed Role- based Access Control Mechanisms Driven by CRUD Expressions. International Journal of Computer Science Theory and Application, 2014, 2 (1), pp.1-11. ￿hal-01144104￿ HAL Id: hal-01144104 https://hal.archives-ouvertes.fr/hal-01144104 Submitted on 20 Apr 2015 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Distributed and Typed Role-based Access Control Mechanisms Driven by CRUD Expressions O´scar Morta´gua Pereira, Diogo Domingues Regateiro, Rui L. Aguiar InstitutodeTelecomunicac¸o˜es,DETI,UniversityofAveiro,Aveiro,Portugal. Email:[email protected],[email protected],[email protected] ABSTRACT Businesslogicsofrelationaldatabasesapplicationsareanimportantsourceofsecurityviolations,namelyinrespect toaccesscontrol. Thesituationisparticularlycriticalwhenaccesscontrolpoliciesaremanyandcomplex. Inthese cases,programmersofbusinesslogicscanhardlymastertheestablishedaccesscontrolpolicies. Nowweconsider situationswherebusinesslogicsarebuiltwithtoolssuchasJDBCandODBC.Thesetoolsconveytwosourcesof securitythreats: 1)theuseofunauthorizedCreate,Read,UpdateandDelete(CRUD)expressionsandalso2)the modificationofdatapreviouslyretrievedbySelectstatements. ToovercomethissecuritygapwhenRole-based accesscontrolpoliciesareused,weproposeanextensiontothebasicmodelinordertocontrolthetwosources ofsecuritythreats. Finally,wepresentasoftwarearchitecturalmodelfromwhichdistributedandtypedRBAC mechanismsareautomaticallybuilt,thiswayrelievingprogrammersfrommasteringanysecurityschema. We demonstrateempiricalevidenceoftheeffectivenessofourproposalfromausecasebasedonJavaandJDBC. KEYWORDS RBAC—accesscontrol—informationsecurity—softwarearchitecture—middleware—distributedsystems— relationaldatabases. 1. Introduction casesitisaSelectexpressionand,therefore,aLDSisinstantiated (line44,33,17). Onceagain,programmerscanreadattributes Informationsystemsaretraditionallyprotectedbyseveralsecu- (line 44, 35, 18), delete rows (line 51, -, -), update rows (line ritymeasures,amongthemweemphasize: userauthentication, 53-54,37-39,20-21)and,finally,insertnewrows(line55-57,-, secureconnectionsanddataencryption. Anotherrelevantsecu- -). Afterbeingcommitted,thesemodificationsarereplicatedin ritymeasureisaccesscontrol[1][2],which“isconcernedwith thehostdatabases. Thereisnopossibilitytomakeprogrammers limitingtheactivityoflegitimateusers”[3]. Inotherwords,ac- awareofanyestablishedschemas(databaseandaccesscontrol cess control regulates every users’ requests to access sensitive policies). Insituationswheredatabaseschemasand/orsecurity resources, in our case data stored in relational database man- policies are complex, programmers can hardly write source in agement systems (RDBMS). Most of these requests are from accordancewiththeestablishedsecuritypolicies. Toovercome usersrunningclientapplicationsthatneedtoaccessdata. When thissituationweproposeanextensiontobasicRole-BasedAc- client applications, and mainly business logics, are built from cessControl(RBAC)policy[10],whichhasemergedasoneof tools such as ODBC [4], JDBC [5], ADO.NET [6], LINQ [7], thedominantaccesscontrolpolicies[11]. Inourproposedmodel, JPA [8] and Hibernate [9], users’ requests can be materialized arolecomprisestherequiredsecurityinformationtosupervise throughseveraltechniquesprovidedbythosetools(hereinknown thedirectandtheindirectaccessmodes. Throughthissecurity asaccessmodes). Twoofthemarethemostpopularand,there- informationandfromasoftwarearchitecturalmodel,tobeherein fore,widelyused: requestsbasedonCreate,Read,Updateand presented,distributedsecuritycomponentsareautomaticallybuilt Delete (CRUD) expressions encoded inside strings (this is the to statically enforce the established RBAC policies. This way, DirectAccessMode)andrequestsaretriggedwhencontentof programmersarerelievedfrommasteringanyschema. localdatasets(LDS)retrievedbySelectexpressionsaremodified This paper is organized as follows: section 2 presents the andcommittedtothehostdatabase(thisistheIndirectAccess relatedwork;section3presentsourconceptualproposal;section Mode). Figure1,Figure2andFigure3presenttypicalusages 4presentsourimplementationproposal;section5discussessome ofJDBC,ADO.NETandLINQ,respectively. Similarlytothe aspectsofthepresentedsolutionand,finally,section6presents othertools,JDBC,ADO.NETandLINQareagnosticregarding theconclusion. theschemaofdatabasesandalsoregardingtheschemaofaccess controlmechanisms. ProgrammerscanwriteanyCRUDexpres- sion(line40, 28, 17)andexecuteit(line44, 33, 17). Inthese 1 InternationalJournalofComputerScience:TheoryandApplication CRUDexpressions. Theworkpresentedin[15]canbeseenas thefirststeptoachievetheobjectivesoftheworkpresentedin thispaper. Basically,itdealswithCRUDexpressionsandalso withbothaccessmodesbutdoesnotaddresshowtorelateCRUD expressionsandpoliciesbasedonRBAC.Theworkpresentedin [15]alsoleverages[14]butitismainlyfocusedonaddressinga differentsecuritykeyaspect: theenforcementofaccesscontrol policiestotheruntimevaluesusedonthedirectandontheindirect accessmodes. Forthebestofourknowledgenosimilarworkhasbeenor is being done around distributed and typed RBAC driven by CRUDexpressions. Therefore,intheremainingofthissection wepresentsomeofthemostrelevantworksaroundaccesscontrol forrelationaldatabaseapplications. Chlipalaetal. [16]presentatool,Ur/Web,thatallowspro- grammerstowritestatically-checkableaccesscontrolpoliciesas CRUDexpressions. Basically,eachpolicydetermineswhichdata isaccessible. Then,programsarewrittenandcheckedtoensure that data involved in CRUD expressions is accessible through Figure1. TypicalusageofJDBC. somepolicy. Toallowpoliciestovarybyuser,queriesuseactual dataandanewextensiontothestandardSQLtocapture‘which secretstheuserknows’. Thisextensionisbasedonapredicate referredtoas‘known’usedtomodelwhichinformationusersare alreadyawareoftodecideupontheinformationtobedisclosed. Thevalidationprocesstakesplaceatcompiletime,thiswaynot relieving programmers from mastering database schemas and securitypolicieswhilewritingsourcecode. Abramovetal.[17]presentacompleteframeworkthatallows securityaspectstobedefinedearlyinthesoftwaredevelopment process and not at the end. They present a model from which access control policies can be inferred and applied. Neverthe- less, similarly to [16], the validation process takes place only atcompiletime, thiswayentailingprogrammerstomasterthe establishedaccesscontrolpolicies. Figure2. TypicalusageofADO.NET. Zarnettetal. [18]presentadifferentsolution,whichcanbe applied to control the access to methods of remote objects via JavaRMI[19]. TheserverthathoststheremoteobjectsusesJava Annotationstoenrichmethodsandclasseswithmetadataabout therolestobeauthorizedtousethem. Then,RMIProxyObjects aregeneratedinaccordancewiththeestablishedaccesscontrol policies(theycontaintheauthorizedmethodsonly). Fischeret al. [20]presentamorefine-grainedaccesscontrol,whichuses parameterizedAnnotationstoassignrolestomethods. Theseap- proaches,incontrastwithourconcept,donotfacilitatetheaccess toarelationaldatabasebecausethedevelopersstillneedtohave fullknowledgeofthedatabaseschemaandalsotheauthorized Figure3. TypicalusageofLINQ. accessestodatabaseobjects.Asimilarapproachwaspresentedby Ahnetal. [21],whereatoolisusedtogenerate,fromasecurity model,sourcecodetocheckifthereisanysecurityviolation.The 2. Related Work verificationprocesstakesplaceonlyafterwritingthesourcecode, This paper is an extension of [12]. The authors of this paper thiswaynotaddressingthekeyaspectsofourwork. have also been addressing the research issue of this paper for Oracle, in the Oracle DB, addressed access control by in- some time [13][14][15]. While in [13] the focus is centered troducing the Virtual Private Database [22] technology. This onreusablebusinesstiercomponents,in[14][15]thepresented technologyisbasedonquery-rewritingtechniques,whichmeans worksdealwiththedirectandtheindirectaccessmodes,butnone thatCRUDexpressionsarerewrittenbeforetheirexecutionand ofthemisfocusedonhowtoenforceRBACpoliciesbasedon inaccordancewiththeestablishedaccesscontrolpolicies. Au- 2 InternationalJournalofComputerScience:TheoryandApplication thorizationpoliciesareencodedintofunctionsdefinedforeach meta-models(todescribeaccesscontrolpolicies)andarchitecture relation,whichareusedtoreturnwhereclausepredicatestobe meta-models(todescribetheapplicationarchitecture). Theyalso appended to CRUD expressions, this way limiting data access showhowtomap(staticallyanddynamically)securityconcepts at the row level. Virtual Privacy Database is an alternative to intoarchitecturalconcepts. Thisapproachismainlyfocusedon databaseviewsbyavoidingsomeoftheirdrawbackssuchasthe howtodynamicallyestablishbindingsbetweencomponentsfrom needforanadditionalviewforeachadditionalpolicy. Withthe differentlayerstoenforcesecuritypolicies. Theydidnotaddress VirtualPrivateDatabasetechnique,thesameCRUDexpression the key issue of how to statically implement dynamic security issharedbyallusersandautomaticallymodifiedinaccordance mechanismsinsoftwareartifacts,inourcasebusinesstiersbased withpermissionsofeachuser. onCLI. LeFevreetal. [23]proposeatechniquetocontrolthedisclos- There are several other works related to access control: a ingdataprocessinHippocraticdatabases. Thedisclosingprocess distributed enforcement of the RBAC policies is proposed by isbasedonthepremisethatthesubjecthascontroloverwhois Komlenovic et al. in [31]; a new technique and a tool to find allowedtoseeitsprotecteddataandforwhatpurpose. Itisbased errorsintheRBACpoliciesarepresentedbyJayaramanetal. in onthequeryrewritingtechnique. PoliciesaredefinedusingP3P [32]and,finally,Wallachetal. in[33]proposenewsemanticsfor [24]orEPAL[25]andcompriseasetofrulesthatdescribeto stackinspectionthataddressesconcernswiththetraditionalstack whomthedatamaybedisclosedandhowthedatamaybeused. inspection,whichisusedtodetermineifadangerouscall(e.g. to Twodisclosuremodelsaresupportedforcells: atthetablelevel- thefilesystem)isallowed. eachpurpose-recipientpairisassignedaviewovereachtablein thedatabaseandprohibitedcellsarereplacedwithnullvalues;at 3. Our Proposal: Conceptual Perspective theCRUDexpressionslevel-protecteddataareremovedfrom thereturnedrelationsofSelectexpressions,inaccordancewith Accesscontrolisusuallyimplementedinathreephaseapproach thepurpose-recipientconstraints. Rulesarestoredasmeta-data [1]: securitypolicydefinition,securitymodeltobefollowedand in the database. CRUD expressions must be associated with a securityenforcementmechanisms. Theorganizationofthissec- purposeandarecipient,andarerewrittentoreflecttheACP. tionisalsoorganizedinthreesub-sections,eachoneaddressing SELINKS[26]isaprogramminglanguageinthetypeofLINQ oneimplementationphase. and Ruby on Rails which extends LINKS [27] to build secure multi-tierwebapplications. LINKSaimstoreducetheimpedance 3.1 DistributedRBACMechanisms mismatch between the three tiers. The programmer writes a Thispaperisfocusedondistributedaccesscontrolmechanisms. single LINKS program and the compiler creates the byte-code Therefore,beforepresentingthesolutionfortheirimplementation for each tier and also for the security policies (coded as user- it is advisable to clarify what are “distributed access control defined functions on RDBMS). Through a type system object mechanisms”. named as Fable [28], it is assured that sensitive data is never Access control mechanisms are entities that act at runtime accesseddirectlywithoutfirstconsultingtheappropriatepolicy and,therefore,beforeadvancingwithdeploymentarchitectures enforcement function. Policy functions, running in a remote itisimportanttofindoutiftheycanberepresentedbyageneral server,checkatruntimewhattypeofactionsusersaregrantedto model. Fromthesurveyedcommercialandscientificliterature, perform. Programmersdefinesecuritymetadata(termedlabels) wecanstatethatindependentlyfromanytechniqueorsolution, usingalgebraicandstructuredtypesandthenwriteenforcement access control mechanisms can always be represented by two policyfunctionsthatapplicationscallexplicitlytomediatethe distinct processes: the enforcement process and the decision accesstolabeleddata. process. Figure4presentsasimplifiedblockdiagramforaccess Rizvietal. [29]presentaqueryrewritingtechniquetodeter- controlmechanismsandtheirinternalandexternalinteractions. mineifaCRUDexpressionisauthorizedbutwithoutchanging The basic operation is as follows: (1) client-side applications the CRUD expression. It uses security views to filter contents requesttheenforcementprocesstoaccesstoaprotectedresource; of tables and simultaneously to infer and check at runtime the (2) enforcement process asks the decision process to evaluate appropriateauthorizationtoexecuteanyCRUDexpressionissued if the request is authorized; (3) the decision process answers; against the unfiltered table. The user is responsible for formu- (4) if authorization is denied, the client application is notified; latingtheCRUDexpressionproperly. Theycallthisapproach (5) if authorization is granted, the request is executed by the the Non-Truman model. Non-Truman models, unlike Truman enforcement process and, finally (6) the result is delivered to models,donotchangetheoriginalCRUDexpression. Thepro- client-sideapplications. Thisblockdiagramanditsoperationis cessistransparentforusersandCRUDexpressionsarerejectedif clearlytheapproachfollowedbyXACML.Anyway,aswewill theydonothavetheappropriateauthorization. Thetransparency see,itcanalsobeusedasthebasicblockdiagramtorepresent ofthistechniqueisnotalwaysdesirableparticularlywhenitis othersolutions. WehavealsointentionallyusedasimilarXACM importanttounderstandwhyauthorizationisnotgrantedsothat terminology(enforcementanddecision)inordernottointroduce programmerscanrevisetheirCRUDexpressionsmoreeasily. a new complete and different one. The enforcement process Morinetal. [30]useasecurity-drivenmodel-baseddynamic is the process being used to enforce a decision about granting adaptationprocesstoaddressaccesscontrolandsoftwareevolu- or denying the access to the protected resource. The decision tionsimultaneously. Theapproachbeginsbycomposingsecurity processistheprocessbeingusedtodecideiftheauthorizationto 3 InternationalJournalofComputerScience:TheoryandApplication accessaprotectedresourceisgrantedordenied. XACMLPolicy Traditionally,amongotherconcepts,RBACpoliciescomprise: EnforcementPointsandXACMPolicyDecisionPointsarethe users,roles(theycanbehierarchized),permissions,delegations equivalententitiesforourenforcementanddecisionprocesses, andactions. Basically,legitimate(authenticated)userscanonly respectively. execute some action if he has been authorized to play the role thatrulesthataction. Intheend,inthelastfinalstage,actionsare thefourmainoperationsondatabaseobjects(tablesandviews): select,insert,updateanddelete. Dependingonthegranularity, theseactionscanbedefinedatthelevelofdatabaseobjects,at thelevelofcolumns,atthelevelofrowsandatthelevelofcells. Thereareseveralapproachestoauthorizeordenytheseactions, amongthem: constraintscanbedefineddirectlyondatabaseob- jectsandalsobyusingqueryre-writingtechniques. Inourcase actionsareformalizedbywhatcanbedoneonthedirectandon theindirectaccessmodes. Inotherwords,actionsaretheCRUD Figure4. Accesscontrolmechanismsblockdiagramandtheir expressionsthatcanbeused(directaccessmode)andalsothe interactions. operationsthatcanbedoneonLDS(indirectaccessmode). The granularityofthedirectaccessmodeisdefinedbyeachCRUD expression. Thegranularityoftheindirectaccessmodemustbe Several architectural solutions are available to implement definedattheprotocollevel(read,insert,updateanddelete)and access control mechanisms. Some are provided by vendors of alsoattheattributelevel(exceptforthedeleteprotocol,whichis RDBMSandothershavebeenproposedbythescientificcom- alwaysattherowlevel). ThegranularityatLDSlevelprovides munity. Basicallytherearethreemainarchitecturalsolutions: 1) afullcontroltodefinewhichprotocolsaretobemadeavailable. centralizedarchitectures(suchas: vendorsofRDBMS,theuseof This granularity when combined with the granularity at the at- viewsandparameterizedviews[34],queryrewritingtechniques tribute level provides, for each LDS, the full control to define [22][23][29][35][36],extensionstoSQL[16][37]);2)distributed whichattributesaretobemadeavailableforeachprotocol. In architectures [14][15][38][39][40] and 3) mixed architectures termsofcardinality,wedefinethateachrolecomprisesasetof [26][41]. un-orderedCRUDexpressions. Inthispaperweareinterestedinthedistributedarchitecture only,whichispresentedinFigure5. 3.3 RBACModel Inthissub-sectionwepresentamodeltoformalizetheextension tobesupportedbytheRBACpolicy.Theextensioncanbeformal- izedbyseveralapproaches,dependingonthepracticalscenarios wheretheyaregoingtobeusedtoenforceRBACpolicies. The model herein presented is tailored to scenarios where a tool is availabletohelpandminimizetheeffortindefiningthepolicies tobeenforced. WestartbyanalyzingCRUDexpressionsbecause every access to data starts through the direct access mode and onlythentheindirectaccessmodecanbeused(onlywithSelect expressions). EachCRUDexpressiontype(Select,Insert,Update Figure5. Blockdiagramforthedistributedarchitecture. andDelete)canbeexpressedbygeneralschemasbuteachindi- vidualCRUDexpressionisrepresentedbyspecializingoneofthe Inthedistributedarchitecture,decisionprocessesandenforce- generalschemas. DuringtheassessmentwemadetoCallLevel mentprocessesarebothlocallymanagedonclient-sidesystems, Interfaces(CLI),inwhichJDBCisincluded,wefoundoutthat seeFigure5. Asecurityexpertcraftsasecuritylayertobede- theschemaofeachexpressiontypecanbebuiltfromasmallset ployedineachclientsystem. Then,everyrequesttoaccessthe ofsmallerschemas. Thefunctionalitiesexpressedbythesmaller RDBMSiscapturedbythesecuritylayer(1)toevaluateifautho- schemasare: onlySelectexpressionsreturnrelations;allCRUD rizationisgrantedordenied. Ifgranted,therequestissenttothe expressionstypescanuseruntimevaluesforclauseconditions; RDBMS(2)andresultsreturnedtoclient-sideapplications(3). someCRUDexpressionsreturnthenumberofaffectedrows(In- Incaseofbeingdenied,therequestispreventedfrombeingwell sert,UpdateandDelete)and,finally,someCRUDexpressions succeeded(4). useruntimevaluesforcolumnvalues(InsertandUpdate). We canalsoelicitotherperspectivesforLDS,suchassomeLDSare 3.2 RBACPolicy scrollable(therearenorestrictionsonchoosingwhichrowisthe Inthissub-sectionwepresentanextensiontothebasicRBACpol- nextselectedrow)whileothersareforward-only(onlythenext icythatwillbeusedtosuperviserequeststoaccessdatastoredin rowcanbeselected). Toaddressthisbundleofdifferentsmaller RelationalDatabaseSystems(RDBMS).Theextensionisaimed schemas, the schema needs to be flexible and adaptable. This at defining new properties to be supported by RBAC policies. challengeisaddressedthroughthedesignofentities,hereinre- 4 InternationalJournalofComputerScience:TheoryandApplication ferredtoasBusinessSchemas. BusinessSchemasareresponsible andotherissuesareoutofthearchitecturalmodelcontext. We forhidingtheactualdirectandindirectaccessmodesandalsofor startbydescribingtheBusinessSchemainterface,hereinknown providingnewdirectandindirectaccessmodesdrivenbyaccess asIBusinessSchema,whichisthemostcomplexentity. Fromit controlpolicies. Additionally,aftersomeresearchwecameto wewillpresentanddescribethearchitecturalmodel. Thisinter- theconclusionthattherelationshipbetweenBusinessSchemas face,aswecaninferfromwhathasbeenalreadypresented,needs andCRUDexpressionsismanytomany. Thismeansthatone tocopewiththetwoaccessmodes. Thefunctionalitiestobepro- BusinessSchemacanmanageoneormoreCRUDexpressions videddependmainlyontheCRUDexpressionstypeandonthe andoneCRUDexpressioncanbemanagedbyoneormoreBusi- necessaryruntimevalues. Thisistranslatedintothearchitectural nessSchemas. Nowwegiveoneexampleforeachcase. Letus modelthisway: IBusinessSchemaextendstwointerfacesIDAC considerthenexttwoSelectexpressions: (directaccessmode)eIIAM(indirectaccessmode). 1. Select*fromtable; IDAC Thisinterfacemanagesthedirectaccessmode. Dependingon 2. Select*fromtablewherecol>10; thetypeofCRUDexpressionsandontheruntimevalues,itcan Firstweanalyzethedirection“oneBusinessSchema->many extend1,2or3interfaces: CRUDexpressions”. Fromthedirectaccessmodeperspective, thereisnodifferencebetweenthetwoexpressions. BothareSe- • IExecute-Thisinterfaceismandatory. Itisresponsiblefor lectexpressionsandbothhavezeroruntimevalues. Additionally, theexecutionofCRUDexpressionsofanytypeandalso theschemaofthereturnedrelationsisequalinbothcases. Then, forsettingtheruntimevaluesforclauseconditions. thesameBusinessSchemacanbesharedbybothexpressionsif • ISet – This interface is used with Insert and Update ex- thesecuritypolicytobeappliedontheindirectaccessmodeisthe pressionswhenthereistheneedtosetruntimevaluesfor sameforbothcases. Nowweanalyzethedirection“oneCRUD columns. expression->manyBusinessSchemas”. Thiscaseissimplerto explain. WecanuseanyofthetwoSelectexpressions. Incases • IRows–ThisinterfaceisusedonlywithUpdate,Insertand wheredifferentsecuritypoliciesareappliedtothesameSelectex- Deleteexpressionstonotifyapplicationsaboutthenumber pression,thenwecanuseitininmorethanoneBusinessSchema. ofaffectedrows For example, the same CRUD expression is managed by two BusinessSchemaswheretheupdatedprotocolisprovidedonly IIAM inoneofthem. Finally,Figure6presentsthegeneralextensionto Thisinterfacemanagestheindirectaccessmode. Dependingon beincludedinconcreteRBACmodels. Thisextensiondoesnot themechanismstobeimplemented, itcanextendatmostfour needtobeexactlyaspresented. Theonlyimportantissuesarethe interfaces: relationshipsandcardinalitiesbetweenroles,BusinessSchemas • IRead–Thisinterfaceismandatory. Itcancompriseser- andCRUDexpressions.Bythiswemeanthatitisnotcompulsory vicestoreadanysub-setofattributesofreturnedrelations. tokeepthemadjacentaspresented.Otherentitiescanbeincluded betweenthem. Moreover,thepoliciestobefollowedtoauthorize • IUpdate–Thisinterfaceisonlyavailableiftheestablished ornottoauthorizerolesarealsooutofscopeofthispaper. Itis accesscontrolpoliciesauthorizetheattributesofLDSto uptothesecurityexperttodecidethegrantingandthedenying beupdated. Inthiscase,onlytheupdatableattributescan modelstobefollowed. beupdated. • IInsert-Thisinterfaceisonlyavailableiftheestablished accesscontrolpoliciesauthorizetheinsertionofnewrows onLDS.Inthiscase,onlytheinsertableattributescanbe inserted. Figure6. ExtensionfortheRBACmodel. • IDelete–Thisinterfaceisonlyavailableiftheestablished access control policies authorize the rows of LDS to be deleted. 3.4 SoftwareArchitecturalModel Inthissub-sectionwepresentthesoftwarearchitecturalmodel, RegardingtherelationbetweenBusinessSchemasand,Rolesand showninFigure7,forbuildingtheenforcementmechanismsfrom CRUDexpressions,wecanseefromFigure7thatthearchitec- theextendedRBACmodel. Thepresentedarchitecturalmodel turalmodelisconsistentwiththeRBACmodel. Pleaseremember representstheimplementationofonerole. Itisuptoeachsys- thatthearchitecturalmodelrepresentstheimplementationofone temarchitecttodecidehowtoexpandittosupportseveralroles. roleonly. Themodelsaysthatonerolecomprisesoneormore Moreover,itisfocusedonhowtoimplementRBACmechanisms BusinessSchemasandeachBusinessSchemacomprisesoneor andnothowtobuildcompleteandfeasibleimplementations. For moreCRUDexpressions. Fromthepresentedarchitecturalmodel example,thearchitecturalmodeldoesnotaddresskeyissuessuch and also from the RBAC model, security components can be asthescrollingpolicyonLDSanddatabasetransactions. These automaticallybuilt,seeFigure8. Toachievethisgoal,atoolis 5 InternationalJournalofComputerScience:TheoryandApplication Figure7. ExtensionfortheRBACmodel. necessarytoautomatetheprocess. Itisnotpartofourproposal thedirectandtheindirectaccessmodes. ThePolicyManagerisa but the tool is a key component to transform modeled RBAC componentthatreceivescommandsfromtheSecurityEngineand policiesintosecuritycomponents. retrievestherelevantinformationfromthePolicyServer,e.g. the listofBusinessSchemasauthorizedfortheclientapplication’s role. ThePolicyWatcherisaDLLthatresidesintheDBMSand allowsthePolicyServerdatabasetosendmessageswhenchanges occurtotheestablishedaccesscontrolpolicies. Thesemessages arethenresenttothePolicyManager,whichupdatestheaccess controlmechanismsoftheaffectedclients. Figure8. Automatedbuildingprocessofsecuritycomponents. 4. Our Proposal: Implementation Perspec- tive Inthissectionwepresentourimplementationperspective,which consistsofseveraldifferentcomponents,asshowninFigure9. Nextwepresentabriefexplanationaboutourproposal. Then,we willpresentamoredetailexplanationabouteachcomponent. ThePolicyServerisarelationaldatabasethatcontainsare- alization of the proposed extension to the RBAC model. The Policy Extractor is an automated tool responsible for building automaticallySecurityDataStructures. Thesedatastructuresare builtfromdataextractedfromthePolicyServerandalsofromthe softwarearchitecturalmodel. Thedatastructuresareresponsible forrelievingprogrammersfrommasteringanydatabaseschema Figure9. Implementationarchitecture. andanyRBACpolicywhiletheyarewritingsourcecode. The SecurityLayerisresponsibleforimplementingtheaccesscontrol mechanisms(enforcementanddecisionprocesss). Itcomprises 4.1 PolicyServer acomponent,hereinknownastheSecurityEngine,thatbuilds ThePolicyServercontainsarealizationoftheproposedextension themechanismsatruntimefromPolicyServerandalsofromthe (shown in Figure 6) for a simplified RBAC model, see Figure softwarearchitecturalmodel. Thesemechanismseffectivelycon- 10. OurmodelusessomeofthemostrelevantfeaturesofRBAC trolusers’requests,atruntime,whentheyissuerequeststhrough models: subjects(users),applications,sessions,permissionsand 6 InternationalJournalofComputerScience:TheoryandApplication delegations. Ausercanplayaroleonlyifthatroleisexplicitly anisms). ThePolicyManageridentifiestheapplicationandthe authorized(permittedordelegated)tohimwhenheisrunning userprofileandfromthemitknowswhichsecuritymetadatato asessionofanapplication. Permissionsanddelegationscanbe sendtotheclientsystem. MessagesfromthePolicyWatcheralert dynamically modified at runtime. CRUD expressions are kept thePolicyManageraboutmodificationsinpolicies. Inthiscase, inCrd crudandBusinessSchemasarestoredasJavainterfaces thePolicyManagerdeterminesthelistofclientsystemsaffected (basedonthearchitecturalmodel)inBus BusinessSchema. This bythemodificationsanditsendstoeachclientsystemthelistof methodofstorageisnotmandatory. BusinessSchemascanbe changestobeimplementedintheenforcementanddecisionpro- representedinanyothermetadatamodel. Additionally,thePolicy cesses. Figure11showssomeoftheinterfacesimplementedby ServercontainstriggerstowakeupthePolicyWatcherwhenever thePolicyManager. Forexample,thehandleDelegationDelete() changesoccurintheestablishedaccesscontrolpolicies(when isamethodcalledwhenthePolicyWatcherinformsthePolicy BusinessSchemasareadded/deletedfromrolesordelegations Manager that a role delegation is no longer in effect, and the arecreated/deleted). clients of the affected role will have the related authorizations revoked. Figure11. PolicyManagerhandlemethods. 4.4 PolicyExtractor InthissubsectionwewillpresentthePolicyExtractor,whichis responsibleforbuildingautomaticallytheSecurityDataStruc- tures to convey a complete awareness of the security mecha- nismstoprogrammers. WehaveimplementedtwodifferentPol- icyExtractors: oneasastandaloneapplicationandotherbased on Java annotations. Independently from the used technique, programmersarealwaysprovidedwiththesameSecurityData Figure10. SimplifiedsecurityRBACmodel. Structures. Inourimplementation,SecurityDataStructuresare Java interfaces that formalize roles and mechanisms to be im- plementedonbothdirectandindirectaccessmodes. Figure12 4.2 PolicyWatcher showsthedatastructuresforaroleidentifiedbyRole IRole B1 The Policy Watcher is a DLL that resides in the DBMS. It is (line 7). This role is defined as a Java interface, as previously responsiblefordealingwiththetriggersthathavebeenputon mentioned,thatextendstheroleRole IRole A.WeusethisJava the Policy Server. These triggers are responsible for detecting property to allow hierarchization of roles. Beyond extending modificationsbeingtakenattheleveloftheestablishedaccess the role Role IRole A, Role IRole B1 comprises two Business controlpolicies. Thisisveryimportantbecausewheneveramod- Schemas: i orders (9-10) and s customers (15-16). The first ification takes place, it is necessary to update the enforcement BusinessSchemamanagesoneCRUDexpressionidentifiedby and decision processes of client systems affected by the modi- i orders I Orders withCustomerID(line11-12)andthesecond fication. Basically, the Policy Watcher sends a message to the managess customers S Customer all(line17-18). Again,these servercomponentresponsiblefortheupdatingprocess(Policy BusinessSchemasareformalizedthroughJavainterfaces. From Manager). thesedatastructures(somenotexplicitlyshown)programmers writesourcecodeastheoneshowninFigure13. Fromthisfigure 4.3 PolicyManager wecanseethattheBusinessSchemaRole IRole B1.s customers PolicyManagerisacomponentthatrunsintheserversideand isinstantiatedforauserplayingtheroleB1(line53). TheCRUD handlesrequestsfromtwodifferentsources: theSecurityLayer expressionisselectedbyselectingonesupportedbytheselected oftheclientsystemsandfromthePolicyWatcher.Messagesfrom BusinessSchemas(line54). InthiscasetheCRUDexpressionis clientssystemsalertthePolicyManageraboutaclientrequesting identifiedbytheintegerRole IRole B1.s customers S Customers all. informationforitsenforcementanddecisionprocesses(Mech- A runtime value is set for a clause condition (line 55) and the 7 InternationalJournalofComputerScience:TheoryandApplication CRUDexpressionisexecuted(line55)(thisisthedirectaccess mode). Programmers continue to be aware of the policies on theindirectaccessmode(line56-68). Somereadable,updatable (withprefixu)andinsertable(withprefixi)attributesareshown. Asafinalnote, inourimplementation, CRUDexpressionsare identifiedbyintegers,thiswayhidinginformationaboutdatabase schemas. Thisaspectcanbeveryrelevantincriticaldatabaseap- plicationswhereschemasofdatabasesneedtobehidden. CRUD expressionsonlyexistatthelevelofSecurityLayers. Finally,Figure14showstheexamplepresentedinFigure1but nowbasedonourproposal. UnlikeFigure1,nowprogrammers are completely aware of constraints enforced by mechanisms, beingrelievedfrommasteringanyschema. Figure14. ExampleofFigure1basedonourproposal. thesemechanismsimplementthenecessarysourcecodetosuper- viserequestsissuedthroughbothaccessmodes. Ifanymismatch existsbetweenwhatuserswanttorequestandtheimplemented policies,runtimeexceptionsareraised. Inourimplementation, securitylayersprovidegenerictypesafemethodstoallowappli- cationtierstoinstantiateBusinessSchemasandexecuteCRUD Figure12. Implementedsecuritydatastructures. expressions,seeFigure13(line53-54). Thesemethodslookup inlocallibrariesfortherequestedBusinessSchemasandCRUD expressionsand,iffound,classesthatimplementtherequested BusinessSchemasareinstantiatedthroughreflection. Iftheyare notfound,itmeansthatthatuser,forsomesecurityreason,isno longerauthorizedtoplaythatrole. Inthiscase,anexceptionis raised. 5. Discussion Theapproachhereinpresentedwassuccessfullyevaluatedagainst theobjectiveinitiallydefined. Thereareotherrelevantissuesthat alsodeservetobediscussed,althoughtheyarenotkeyaspects of this work. As such, a brief description is presented about eight different aspects: scalability, maintainability, autonomic computing,configurability,usability,applicability,separationof concernsandtrustworthy. Figure13. Environmentconveyedtoprogrammers. • Scalability: Unlikesomeapproachestoimplementaccess controlmechanisms,suchasthosebasedonthecentralized andmixedarchitectures,theirimplementationinourpro- 4.5 SecurityLayer posaliscompletelydistributed. Eachclientapplicationis Our security layer comprises three sub-components: 1) a gen- responsiblefortwofundamentalaspects: todecideupon eralmanager(notshowninFigure9),whichisresponsiblefor granting or denying the access to protected data and to providingclientapplicationswithstandardinterfacestoaccess enforcethedecision. Thereisnocentralsysteminterfering internalfunctionalities;2)SecurityEngine,whichisresponsible inthisprocess. Itiscompletelydistributed. forbuildingatruntimethenecessaryaccesscontrolmechanisms (enforcementanddecisionprocesses),alwaysinaccordancewith • Maintainability:Securitylayersareautomaticallybuiltand theestablishedpoliciesfortherunninguserprofileand,finally, updatedatruntime. Thisisclearlydifferentfromwhathap- 3)theMechanisms(enforcementanddecisionprocesses),which penswithotherapproacheswheremaintenanceactivities comprise: classesthatimplementBusinessSchemasandalsothe arerequiredatthelevelofclientsystemswhenevermod- authorizedCRUDexpressions. UnlikeSecurityDataStructures, ificationsoccuratthelevelofbusinesslogicsorsecurity 8 InternationalJournalofComputerScience:TheoryandApplication requirements. accesscontrol. Itisaimedateasingprogrammersworkdur- ingthedevelopmentprocessofclientsystemsindatabase • Autonomic Computing: An autonomic system is charac- applicationsprotectedbyaccesscontrolpolicies. terized by making decisions on its own. It permanently checksthecontextand,basedonpolicies,itautomatically 6. Conclusion and Future Work adaptsitself. Ourproposalisnotanautonomicsystembut systemsbasedonourproposalareeasilyintegratedinauto- Inthispaperweaddressedthekeyissueofeasingprogrammers nomicsystems. Anautonomicsystempreparedtodetect workwhentheydevelopsourcecodeforclientsystemsofrela- situationswherepoliciesneedtobedynamicallyadapted tionaldatabaseapplicationswithcomplexschemasand/orcom- canuseourproposaltodynamicallyadapttheimplemented plex access control policies. A solution was presented for dis- mechanisms. tributedandtypedRBACpolicieswhenprogrammersusetools, suchasJDBC,Hibernate,ADO.NET.Westartedbydefiningan • Configurability: Theconfigurationprocessofmetadatais extensiontotraditionalRBACpolicies,thenwedefinedthere- substantiallyautomatedifanenhancedtoolsimilartothe spectiveextensiontotraditionalmodelsand,finally,wedescribed one presented in [20][21] is used. The new tool would howtoenforcepolicies. Inoursolution,eachrolecomprisesa automatically create the required metadata from CRUD setofCRUDexpressionsandtheauthorizedactionsonLDSof expressions. Moreover, thetoolcouldalsoautomatethe eachSelectexpression. Thus,accesscontrolmechanismsactat processtoobtainthebasicmetadatatoaccessdatabaseson thelevelofthedirectandalsoattheleveloftheindirectaccess atablebasisasO/RMtoolsandLINQdo. Additionally, modes, this way covering the two most used access modes. A toolssimilartothosepresentedin[38]couldalsobeused proofofconceptbasedonJDBCwasalsopresented. Fromit,we tovalidatetheauthorizedCRUDexpressions. canrealizethatprogrammersarenowrelievedfrommastering not only any RBAC policy but also any database schema. Ac- • Usability: toolssimilartoJDBCareverypoorregarding cess control mechanisms are automatically built and statically theirusability[20][21]. Oursolutionovercomessomeof implementedatthelevelofbusinesslogicsofrelationaldatabase the most relevant aspects of their lack of usability. For applications. example, unlike JDBC, our solution transforms runtime Theworkherepresentedcannotbyitselfensurethatthemech- errorsofgetterandsettermethodsintocompileerrors. anismsarecompletelysafe. Wehavealreadydevelopedanew • Applicability:JDBCwasthemainAPIusedinoursolution. securitylayer,whichseatsabovethisone,toensurethatthedis- Inordertoevaluatethepossibilityofusingothertoolsthan tributedmechanismsarecompletelysecure. Thisworkisalready JDBC,asuccessfulattemptwasachievedwithADO.NET. concludedandreadytobepublishedinthenearfuture. TheimplementationinADO.NETwasmainlycarriedout toevaluateifthemainaspectsofthesoftwarearchitectural References modelareflexibleenoughtobeusedwithdifferentmiddle- [1] SAMARATI,PierangelaetDEVIMERCATI,SabrinaCapi- wear tools and frameworks. There were some technical tani.Accesscontrol: Policies,models,andmechanisms.In: implementationaspectsthatneededsomeadjustmentsbut FoundationsofSecurityAnalysisandDesign.SpringerBerlin thefinalresultisafullyfunctionalsecuritylayerbasedon Heidelberg,2001.p.137-196. ADO.NET.Nevertheless,someparadigms,suchasO/RM, can be used but should not be considered as an option. [2] DEVIMERCATI,SabrinaDeCapitani,FORESTI,Saraet O/RMtoolsaremostlyorientedtohandledatabasetables SAMARATI,Pierangela.RecentAdvancesinAccessControl asentityclasseswhichistoorestrictivetomostdatabase -HandbookofDatabaseSecurity.In:HandbookofDatabase applications. CRUDexpressionscanalsobehandledby Security, Gertz, M. et Jajodia, S., Eds. Springer, 2008. p. O/RMtoolsbutthatisnotthefocusofO/RM. 1–26. [3] SANDHU,RaviS.etSAMARATI,Pierangela.Accesscon- • SeparationofConcerns: thearchitectureherepresented, trol: principle and practice. Communications Magazine, clearlyseparatestherolesplayedbyprogrammersofclient IEEE,1994,vol.32,no9,p.40-48. systemsfromrolesplayedbysecurityexperts. Securityex- pertsactatthelevelofthepolicymodelwhileprogrammers [4] Microsoft, Microsoft Open Database Connectivity, act only at the level of application tiers. Eventually, for 1992. [Online]. Available: http://msdn.microsoft.com/en- someorganizationalreasons,thetworolescanbeplayed us/library/ms710252(VS.85).aspx. bythesamepersonorgroupofpersonsduringthedevelop- [5] PARSIAN,Mahmoud.JDBCRecipes: AProblem-Solution mentprocess. Anyway,securityexpertscanalwayshave Approach.NY,USA:Apress,2005. thelastwordbyinspectingandvalidatingthecontentof [6] CASTRO,Pablo,MELNIK,Sergey,etADYA,Atul.ADO. securitymodels,whichcanbeanautomatedprocess. NETentityframework:raisingthelevelofabstractionindata • Trustworthy: Fromasecurityperspective,oursolution,in programming.In: Proceedingsofthe2007ACMSIGMOD this current version, by itself cannot be used in practice. international conference on Management of data. ACM, Weemphasizethatitisnotaimedatprovidingareliable 2007.p.1070-1072. 9

Description:
Submitted on 20 Apr 2015 JPA [8] and Hibernate [9], users' requests can be materialized .. i orders I Orders withCustomerID (line 11-12) and the second . JDBC Recipes: A Problem-Solution. Approach. NY, USA: Apress, 2005.
See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.