Static Evaluation of Role-Based Access Control Policies in Distributed Component-Based Systems

Understanding and configuring security requirements for large distributed component-based applications is a complex process. Java 2, Enterprise Edition (J2EE) and Microsoft .NET have adopted a form of Role-Based Access Control (RBAC) for controlling accesses to security-sensitive resources. Access to resources is controlled through "security roles" rather than through the user identity. We have found a number of fundamental problems in the way RBAC is often defined and implemented. For instance, in J2EE a user initiating a transaction must have been granted not just the roles necessary to invoke the transaction entry point, but all the roles needed to access each resource traversed by the transaction, taking into account that a J2EE container performs authorization checks only when an access-restricted resource is accessed from another component, and that J2EE allows a "principal-delegation policy" to override the roles granted on subsequent component calls. For a typical application deployer or system administrator, configuring the security requirements for an application and assigning roles to users is quite a challenge. Making any sensible security configuration may require reading the source code of the entire application, if available. For this reason, deployers either turn off security or grant broad authorizations, which in both cases compromises the security of the application.

In this paper, we present a static-analysis tool, called Enterprise Security Policy Evaluator (ESPE), which helps application deployers and system administrators to correctly configure the security of a J2EE application. ESPE determines potential security flaws in J2EE applications. Using the role information computed statically, ESPE can identify whether too many or too few roles have been granted, and detect security policy inconsistencies. ESPE has been used to configure the security requirements of large J2EE applications.
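To make the propagation rule in the abstract concrete, here is a small added model (not ESPE's code) of a constructed J2EE application: each method declares the roles allowed to call it, only calls that cross a component boundary are authorized, and a component's run-as role replaces the caller identity on its outgoing calls. The walk collects every check the initiating user must pass and flags run-as identities that cannot satisfy a downstream resource.

```python
from collections import namedtuple

# Constructed sample application (not from the paper). A Method belongs to a
# component, lists the roles allowed to call it (J2EE method-permission: the
# caller needs ANY ONE of them; an empty set means unchecked) and its callees.
Method = namedtuple("Method", "component allowed callees")

APP = {
    "Web.placeOrder": Method("Web",    set(),          ["Order.create"]),
    "Order.create":   Method("Order",  {"customer"},   ["Order.audit", "Stock.reserve"]),
    "Order.audit":    Method("Order",  {"auditor"},    []),   # same component: never checked
    "Stock.reserve":  Method("Stock",  {"clerk"},      ["Ledger.post"]),
    "Ledger.post":    Method("Ledger", {"accountant"}, []),
}
# Principal delegation (run-as): Stock's outgoing calls are made as role 'clerk'.
RUN_AS = {"Stock": "clerk"}


def required_roles(entry, app=APP, run_as=RUN_AS):
    """Return (checks, problems).

    checks:   (resource, allowed roles) pairs the initiating user is checked
              against while its own identity is still in effect.
    problems: (resource, run-as role) pairs where a delegated identity lacks
              any allowed role, i.e. a policy inconsistency the deployer must fix.
    """
    checks, problems, seen = [], [], set()

    def walk(name, principal):  # principal: None = initiating user, else a run-as role
        if (name, principal) in seen:
            return
        seen.add((name, principal))
        caller = app[name]
        for callee_name in caller.callees:
            callee = app[callee_name]
            # The container authorizes only when a call crosses a component boundary.
            if callee.component != caller.component and callee.allowed:
                if principal is None:
                    checks.append((callee_name, callee.allowed))
                elif principal not in callee.allowed:
                    problems.append((callee_name, principal))
            # Inside the callee, its own run-as role (if any) replaces the identity.
            walk(callee_name, run_as.get(callee.component, principal))

    walk(entry, run_as.get(app[entry].component))
    return checks, problems


def user_can_invoke(user_roles, entry, app=APP, run_as=RUN_AS):
    """True iff the user holds a role for every check and no delegation is inconsistent."""
    checks, problems = required_roles(entry, app, run_as)
    return not problems and all(set(user_roles) & allowed for _, allowed in checks)
```

Running `required_roles("Web.placeOrder")` on this model shows that a user needs both `customer` and `clerk` (not just the entry point's roles), that `Order.audit`'s `auditor` role is never enforced on this path, and that the `clerk` run-as identity can never reach `Ledger.post`.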

By: Marco Pistoia; Robert J. Flynn; Vugranam C. Sreedhar

Published in: RC23836 in 2004

LIMITED DISTRIBUTION NOTICE:

This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties). I have read and understand this notice and am a member of the scientific community outside or inside of IBM seeking a single copy only.

