Role-Based Access Control Consistency Validation

Modern enterprise systems support Role-Based Access Control (RBAC), allowing for flexible access control on sensitive operations. Although these systems specify RBAC based on privileged operations, in many cases the deployer actually intends to control access to privileged data. This paper presents a theoretical foundation for correlating an operation-based RBAC policy with a data-based RBAC policy. Relying on a location-consistency property, this paper shows how to infer whether an operation-based policy is equivalent to any data-based RBAC policy.

We have built a static analysis tool for J2EE called Static Analysis for Validation of Enterprise Security (SAVES). Relying on interprocedural pointer analysis and dataflow analysis, SAVES analyzes J2EE bytecode to determine if the associated RBAC policy is location-consistent, and reports potential security flaws where location-consistency does not hold. The experimental results obtained by using SAVES on a number of production-level J2EE codes have identified several security flaws with no false-positive reports.

By: Paolina Centonze; Gleb Naumovich; Stephen J. Fink; Marco Pistoia

Published in: RC23876 in 2006

LIMITED DISTRIBUTION NOTICE:

This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).
