According to the Open Web Application Security Project (OWASP), access-control problems account for the seventh and tenth most common security vulnerabilities in today's Web applications. In the area of access control, we have designed and developed static- and dynamic-analysis tools for automatic configuration of access-control policies in stack-inspection-based access-control systems, such as Java Platform, Standard Edition (Java SE), Java Platform, Enterprise Edition (Java EE), and Microsoft .NET Common Language Runtime (CLR). We have also designed and developed static-analysis tools that automatically detect Role-Based Access Control (RBAC) configuration problems. RBAC is a form of access control adopted by many enterprise and middleware systems, such as application servers based on Java EE and the CLR. All the static-analysis tools described here are implemented on top of IBM's T.J. Watson Libraries for Analysis (WALA).
Systems, such as Java and the CLR, that have adopted a form of access control based on stack inspection require that, when a security-sensitive resource is about to be accessed, the current execution stack be inspected to verify that all the components whose methods are on the stack are sufficiently authorized. We have designed and implemented two program-analysis algorithms for automatic identification of new access-control policies and validation of existing access-control policies:

- Automated Authorization Analysis (A3). A3 is a permission analysis with demand-driven precision: context sensitivity is added only where it matters for the purpose of permission-requirement identification. A3 uses a novel string analysis for computation of the string parameters that uniquely identify permissions. For better scalability, A3 is modular: precomputed permission requirements are cached at the entry points of the standard libraries so that it becomes unnecessary to reanalyze those standard libraries at every run of A3. A paper on A3 is about to appear in the proceedings of the 31st International Conference on Software Engineering (ICSE 2009), Vancouver, BC, Canada, May 2009.
- Access Control Explorer (ACE). ACE integrates static and dynamic analysis for precise identification of access-control policies. The combined use of static and dynamic analysis virtually eliminates the false positives reported by the static analysis and the false negatives of the dynamic analysis. A paper on ACE was published in the proceedings of the Annual Computer Security Applications Conference (ACSAC 2007), Miami Beach, FL, December 2007.
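The stack-inspection rule described above (every component with a method on the stack must hold the permission, and a privileged boundary stops the walk at the code that asserts it) is small enough to model directly. The following is an added example written for this page, not code from Java, the CLR, or any of the tools described here: a toy analogue of Java SE's AccessController.checkPermission and doPrivileged. The components, permission strings and policy are constructed; frames not tagged with a component are treated as fully trusted system code, which is a simplification of this model.

```python
"""Toy model of stack-inspection access control (simplified analogue of
Java SE's AccessController.checkPermission / doPrivileged; written for this
page, not taken from Java or from the tools described here)."""
import sys
from typing import Callable, Dict, FrozenSet

# Constructed policy: each component (a "protection domain") is granted a
# set of permission strings. Names and permissions are made up.
POLICY: Dict[str, FrozenSet[str]] = {
    "trusted-lib": frozenset({"file:/etc/app.conf:read", "file:/tmp/app.log:write"}),
    "plugin": frozenset({"file:/tmp/app.log:write"}),
}

# Code object -> owning component, so a stack frame can be attributed.
_CODE_TO_COMPONENT: Dict[object, str] = {}


class AccessControlException(Exception):
    """Raised when some inspected frame lacks the requested permission."""


def component(name: str) -> Callable:
    """Decorator: tag a function as belonging to component `name`."""
    def register(fn):
        _CODE_TO_COMPONENT[fn.__code__] = name
        return fn
    return register


def do_privileged(action: Callable[[], object]) -> object:
    """Privileged boundary: inspection stops at the caller of this frame."""
    return action()


def _require(frame, perm: str) -> None:
    """Untagged frames (module scope, harness) are treated as system code."""
    comp = _CODE_TO_COMPONENT.get(frame.f_code)
    if comp is not None and perm not in POLICY.get(comp, frozenset()):
        raise AccessControlException(f"{comp} lacks {perm}")


def check_permission(perm: str) -> None:
    """Walk the stack; every tagged frame must hold `perm` until a
    do_privileged frame is met, whose caller is the last frame inspected."""
    frame = sys._getframe(1)          # caller of check_permission
    while frame is not None:
        if frame.f_code is do_privileged.__code__:
            if frame.f_back is not None:
                _require(frame.f_back, perm)
            return
        _require(frame, perm)
        frame = frame.f_back


@component("trusted-lib")
def read_config() -> str:
    check_permission("file:/etc/app.conf:read")
    return "config-contents"          # placeholder; no file is actually read


@component("trusted-lib")
def append_log(line: str) -> int:
    check_permission("file:/tmp/app.log:write")
    return len(line)                  # placeholder; nothing is written


@component("trusted-lib")
def read_config_privileged() -> str:
    # The library vouches for the access on its own authority, so callers
    # further down the stack (e.g. the plugin) are not inspected.
    return do_privileged(read_config)


@component("plugin")
def plugin_reads_config_directly() -> str:
    return read_config()              # plugin frame is on the stack: denied


@component("plugin")
def plugin_reads_config_via_library() -> str:
    return read_config_privileged()   # inspection stops at trusted-lib


@component("plugin")
def plugin_self_privileged() -> str:
    # do_privileged does not elevate its caller: the plugin frame is checked.
    return do_privileged(read_config)


@component("plugin")
def plugin_writes_log() -> int:
    return append_log("plugin started")   # plugin holds the write permission


def outcome(fn: Callable[[], object]) -> str:
    """Return 'granted' or 'denied' for the access attempted by `fn`."""
    try:
        fn()
        return "granted"
    except AccessControlException:
        return "denied"


if __name__ == "__main__":
    for f in (plugin_reads_config_directly, plugin_reads_config_via_library,
              plugin_self_privileged, plugin_writes_log):
        print(f"{f.__name__}: {outcome(f)}")
```

The three config cases show why a permission analysis such as the one described above has to be context-sensitive at privileged boundaries: the same callee (read_config) is granted or denied depending on which frames sit between it and the privileged call, not on the callee alone.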
We have also explored how to compute or evaluate RBAC policies:

- Enterprise Security Policy Evaluator (ESPE). ESPE is a static-analysis tool that automatically computes the roles that a user must have to execute a Web application. ESPE can also detect if an RBAC policy is too permissive because it grants users unnecessary roles. Finally, ESPE can detect whether an RBAC policy is not properly enforced; this happens when a Web container has been configured to enforce authorization restrictions only at component boundaries, causing access restrictions at component internal points to be ignored. A paper on RBAC was published in the proceedings of the 29th International Conference on Software Engineering (ICSE 2007), Minneapolis, MN, May 2007.
- Static Analysis for Validation of Enterprise Security (SAVES). SAVES is a static-analysis tool that maps RBAC policies, which are defined on operations, or methods, to more traditional access-control policies, defined on data. This allows detecting whether an RBAC policy restricts access to data inconsistently. A paper on SAVES was published in the proceedings of the ACM SIGSOFT 2006 International Symposium on Software Testing and Analysis (ISSTA 2006), Portland, ME, USA, July 2006.
As part of work in progress, we have also designed and implemented a static analysis called COmplete MEdiation Tool (COMET) that detects violations of the Principle of Complete Mediation (PCM). This principle dictates that any access to any protected resource be preceded by an authorization check, appropriate for the resource being accessed.
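Both the RBAC questions above (which roles an entry point requires, which granted roles are unnecessary, and what happens when checks are enforced only at component boundaries) and the complete-mediation check just described reduce to reachability over a call graph. The following is an added illustration written for this page; it is not ESPE, SAVES or COMET, and every method name, role, edge and resource in it is constructed. Role constraints follow the @RolesAllowed convention that any one listed role suffices, and "unnecessary" is taken to mean a role that can be dropped on its own without losing access.

```python
"""Role-requirement and complete-mediation analysis over a constructed call
graph. Added example for this page; not the project's tools. All names,
roles and edges are made up."""
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed call graph: caller -> callees. Entry points are URL handlers.
CALLS: Dict[str, List[str]] = {
    "GET /report": ["ReportBean.summary"],
    "ReportBean.summary": ["ReportDao.load", "Audit.log"],
    "GET /admin": ["AdminBean.reset"],
    "AdminBean.reset": ["ReportDao.wipe", "Audit.log"],
    "GET /export": ["ExportBean.run"],
    "ExportBean.run": ["ReportDao.load"],   # no role constraint on this path
    "ReportDao.load": [], "ReportDao.wipe": [], "Audit.log": [],
}
ENTRY_POINTS = ["GET /report", "GET /admin", "GET /export"]

# RBAC constraints in the style of @RolesAllowed: any one listed role passes.
ROLES_ALLOWED: Dict[str, FrozenSet[str]] = {
    "GET /report": frozenset({"employee", "manager"}),
    "ReportDao.load": frozenset({"manager"}),
    "GET /admin": frozenset({"admin"}),
}
# Methods that touch the protected resource (the report data).
RESOURCE_ACCESSES = {"ReportDao.load", "ReportDao.wipe"}


def reachable(entry: str) -> Set[str]:
    """All methods reachable from `entry`, including the entry itself."""
    seen, stack = set(), [entry]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(CALLS.get(node, []))
    return seen


def required_constraints(entry: str) -> List[FrozenSet[str]]:
    """Role constraints a user must satisfy to execute everything under `entry`."""
    return [ROLES_ALLOWED[m] for m in sorted(reachable(entry)) if m in ROLES_ALLOWED]


def is_sufficient(entry: str, granted: Set[str]) -> bool:
    """True if the granted roles satisfy every constraint reachable from `entry`."""
    return all(granted & c for c in required_constraints(entry))


def unnecessary_roles(entry: str, granted: Set[str]) -> Set[str]:
    """Roles that can each be dropped individually without losing access:
    a sign that the policy grants more than the application needs."""
    return {r for r in granted if is_sufficient(entry, granted - {r})}


def enforced_checks(boundary_only: bool) -> Set[str]:
    """Constrained methods the container actually checks. Boundary-only
    enforcement checks the entry points and ignores internal constraints."""
    if boundary_only:
        return {m for m in ROLES_ALLOWED if m in ENTRY_POINTS}
    return set(ROLES_ALLOWED)


def unmediated_accesses(checks: Set[str]) -> Set[Tuple[str, str]]:
    """(entry, access) pairs where some call path from the entry reaches a
    resource access without passing through any enforced check, i.e. a
    violation of complete mediation. States are (method, mediated?) so
    cycles terminate and a checked path never masks an unchecked one."""
    violations = set()
    for entry in ENTRY_POINTS:
        seen: Set[Tuple[str, bool]] = set()
        stack = [(entry, entry in checks)]
        while stack:
            node, mediated = stack.pop()
            if (node, mediated) in seen:
                continue
            seen.add((node, mediated))
            if node in RESOURCE_ACCESSES and not mediated:
                violations.add((entry, node))
            for callee in CALLS.get(node, []):
                stack.append((callee, mediated or callee in checks))
    return violations


if __name__ == "__main__":
    print("constraints for GET /report:", required_constraints("GET /report"))
    print("redundant in {employee, manager}:",
          unnecessary_roles("GET /report", {"employee", "manager"}))
    print("boundary-only enforcement:", unmediated_accesses(enforced_checks(True)))
    print("full enforcement:", unmediated_accesses(enforced_checks(False)))
```

Under boundary-only enforcement the constraint on ReportDao.load is never checked, so the unconstrained GET /export handler reaches the report data unmediated; enabling the internal check closes that path. The same graph also shows that a user holding both employee and manager for GET /report needs only manager, because the internal constraint on ReportDao.load is satisfied by manager alone.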