During the design of a security architecture for a web application, the usage of security patterns can assist with fulfilling quality attributes, such as increasing reusability or safety. The attack surface is a common indicator for the safety of a web application, thus, reducing it is a problem during design. Today’s methods for attack surface reduction are not connected to security patterns and have an unknown impact on quality attributes, e.g., come with an undesirable trade-off in functionality. This talk introduces a systematic and deterministic method to reduce the attack surface of web services by deriving service interface methods from authorization patterns.
Publication: http://www.thinkmind.org/index.php?view=article&articleid=securware_2014_9_10_30080
Authors: Roland Steinegger, Johannes Schäfer, Max Vogler, Sebastian Abeck
Attack Surface Reduction for Web Services based on Authorization Patterns
1. Research Group Cooperation & Management, Institute of Telematics, Department of Informatics
KIT – University of the State of Baden-Wuerttemberg and
National Research Center of the Helmholtz Association
www.kit.edu
Attack Surface Reduction for Web Services
based on Authorization Patterns
Roland Steinegger, Johannes Schäfer, Max Vogler, Sebastian Abeck
20.11.2014 – SECURWARE 2014, Lisbon, Portugal
2. About the authors
Roland Steinegger Johannes Schäfer Max Vogler Sebastian Abeck
2 Max Vogler
Attack Surface Reduction for Web Services based on Authorization Patterns
20.11.14
3. Outline
Background
Motivation
Attack surface reduction
1. Set up Access Control Matrix
2. Derive Service Description
3. Create Web Service
Comparison
3 Max Vogler
20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
4. Background
Attack Surface Reduction for Web Services
based on Authorization Patterns
Attack Surface:
Indicator for vulnerability towards external attacks [1] [2]
Authorization Patterns
Attribute-Based Access Control [3]
Role-Based Access Control [4]
4 Max Vogler
20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
5. Background
5 Max Vogler
20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
6. Background
User profile operations
Guest
Authenticated User
Profile Owner
Admin
Register
View profile
Edit profile
6 Max Vogler
Attack Surface Reduction for Web Services based on Authorization Patterns
20.11.14
7. Motivation
HTTP-PUT-Request to www.example.com/users/42
@RequestMapping(method = PUT, value = "users/{id}")
@PreAuthorize("isOwnerOf(#id) || isAdmin()")
public JSONObject update() {
if(getCurrentUser().isAdmin()) {
// Administrator is updating a user account
} else {
// Update the user's own profile, limited to allowed fields
}
7 Max Vogler
Attack Surface Reduction for Web Services based on Authorization Patterns
}
20.11.14
8. Motivation
Problems with authorization logic
Duplicated
Hard to test
Opaque for clients
è Attack surface is increased
Idea: Split up authorization logic
Goals
Reduce attack surface
Use authorization patterns
Keep functionality
8 Max Vogler
20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
9. Methodology
Set up
Access
Control
Matrix
Derive
Service
Description
Create
Web
Service
9 Max Vogler
20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
10. Set up Access Control Matrix
List resources and operations
Resource r
User profile
C R U D
10 Max Vogler
Attack Surface Reduction for Web Services based on Authorization Patterns
20.11.14
User profile operations
Guest
Authenticated User
Profile Owner
Admin
Register
View profile
Edit profile
11. Set up Access Control Matrix
11 Max Vogler
Attack Surface Reduction for Web Services based on Authorization Patterns
List attributes
Resource r
Subject s
User profile
C R U D
Guest(s)
Authenticated(s)
Owner(s, r)
Admin(s)
20.11.14
User profile operations
Guest
Authenticated User
Profile Owner
Admin
Register
View profile
Edit profile
12. Set up Access Control Matrix
Fill out access control matrix
Resource r
12 Max Vogler
Attack Surface Reduction for Web Services based on Authorization Patterns
Subject s
User profile
C R U D
Guest(s) ●
Authenticated(s) ●
Owner(s, r) ● ●
Admin(s) ● ●
20.11.14
User profile operations
Guest
Authenticated User
Profile Owner
Admin
Register
View profile
Edit profile
13. Derive Service Description
User service
CreateIfGuest
ReadIfAuthenticated
ReadIfOwner
ReadIfAdmin
UpdateIfOwner
UpdateIfAdmin
Resource r
Split up operations è Improved testability, reduced attack surface
13 Max Vogler
Attack Surface Reduction for Web Services based on Authorization Patterns
Subject s
User profile
C R U D
Guest(s) ●
Authenticated(s) ●
Owner(s, r) ● ●
Admin(s) ● ●
20.11.14
14. Create Web Service
User service Method URL Query parameters
CreateIfGuest
ReadIfAuthenticated
ReadIfOwner
ReadIfAdmin
UpdateIfOwner
UpdateIfAdmin
14 Max Vogler
Attack Surface Reduction for Web Services based on Authorization Patterns
20.11.14
15. Create Web Service
User service Method URL Query parameters
CreateIfGuest POST /users ?auth=Guest
ReadIfAuthenticated GET /users ?auth=Authenticated
ReadIfOwner GET /users ?auth=Owner
ReadIfAdmin GET /users ?auth=Admin
UpdateIfOwner PUT /users/{id} ?auth=Owner
UpdateIfAdmin PUT /users/{id} ?auth=Admin
15 Max Vogler
Attack Surface Reduction for Web Services based on Authorization Patterns
20.11.14
Client chooses authorization level actively
è Improved transparency, reduced attack surface
16. Create Web Service
@Controller
public class UserController {
HTTP-PUT-Request to www.example.com/users/42?auth=Owner
@RequestMapping(method = PUT, value = "users/{id}", params="auth=Owner")
@PreAuthorize("isOwnerOf(#id)")
public JSONObject updateIfOwner() { /* ... */ }
HTTP-PUT-Request to www.example.com/users/42?auth=Admin
@RequestMapping(method = PUT, value = "users/{id}", params="auth=Admin")
@PreAuthorize("isAdmin()")
public JSONObject updateIfAdmin() { /* ... */ }
16 Max Vogler
Attack Surface Reduction for Web Services based on Authorization Patterns
20.11.14
17. Comparison
// Don't do it like this!
@RequestMapping(method = PUT, value = "users/{id}")
@PreAuthorize("isOwnerOf(#id) || isAdmin()")
public JSONObject update() {
// If is admin, allow editing all fields, if is owner, allow editing in a limited way
}
// Split up authorization like this:
@RequestMapping(method = PUT, value = "users/{id}", params="auth=Owner")
@PreAuthorize("isOwnerOf(#id)")
public JSONObject updateIfOwner() { /* ... */ }
@RequestMapping(method = PUT, value = "users/{id}", params="auth=Admin")
@PreAuthorize("isAdmin()")
public JSONObject updateIfAdmin() { /* ... */ }
17 Max Vogler
Attack Surface Reduction for Web Services based on Authorization Patterns
20.11.14
18. Set up
Access
Control
Matrix
Derive
Service
Description
Create
Web
Service
Comparison
Traditional New
public JSONObject update() public JSONObject updateIfOwner()
public JSONObject updateIfAdmin()
Opaque authorization logic Transparent authorization logic
Duplicate authorization logic Partitioned authorization logic
+ Improved testability
+ Reduced attack surface
– Difficulties with large number of similar
roles
18 Max Vogler
20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
19. Thank you
Max Vogler
max.vogler@student.kit.edu
19 Max Vogler
20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns
20. Sources
R. Steinegger, J. Schäfer, M. Vogler, and S. Abeck, "Attack Surface Reduction for Web Services
based on Authorization Patterns," In Proceedings of SECURWARE 2014 The Eighth
International Conference on Emerging Security Information, Systems and Technologies,
November 2014, pp. 194-201, ISBN 978-1-61208-376-6
[1] T. Heumann, J. Keller, and S. Türpe, “Quantifying the Attack Surface of a Web Application,” In
Proceedings of Sicherheit 2010, vol. 170, 2010, pp. 305-316, ISBN: 978-3-88579-264-2
[2] M. Howard, “Attack Surface – Mitigate Security Risks by Minimizing the Code You Expose to
Untrusted Users,” MSDN Magazine, November 2004. [Online]. Available from: http://
msdn.microsoft.com/en-us/magazine/cc163882.aspx [retrieved: 23.09.2014]
[3] E. Yuan and J. Tong, “Attribute Based Access Control (ABAC) for Web Services,” in Proceedings
of the International Conference on Web Services (ICWS), Jul. 2005, pp. 561–569, doi:10.1109/ICWS.
2005.25.
[4] R. Steinegger, “Authentication and authorization patterns in existing security frameworks
[Authentifizierungs- und Autorisierungsmuster in bestehenden Sicherheits-Frameworks],” diploma
thesis, Karlsruhe Institute of Technology, Karlsruhe, Germany, 2012. German.
20 Max Vogler
20.11.14 Attack Surface Reduction for Web Services based on Authorization Patterns