WebApp Sec mailing list archives

Re: web application access control research


From: Ray Stirbei <me () highentropy org>
Date: Thu, 24 Apr 2003 00:51:09 -0400


I completely agree with Jeff and would just like to add:
1) the reference monitor (that deals with all references/requests to objects) is 
really the center of gravity for security. 
2) the access control matrix is the focal point of an application's security 
policy. Things of less importance, but necessary, to think about in a policy: 
password length/aging/changes, what to do with inactive user ids, how to 
handle password compromise, etc. A comprehensive infosec policy (among other 
things) is what separates an amateur development team from the pros. 
3) if an architect isn't very familiar with reference monitors, it might be 
best to buy instead of build. There are many competent commercial products in 
this space. 
4) if the intent is to build regardless, one doesn't have to start from 
scratch; that is what design patterns are for. 'A system of patterns' 
(published by Wiley) is highly recommended and the patterns are platform 
independent. 'J2EE Design Patterns Applied' (published by Wrox) is obviously 
platform specific and includes source code. Look up the security patterns 
like 'single access point', 'check point', etc - they start on page 200.

Hope that helps

ray



On Wednesday 23 April 2003 08:30 pm, Jeff Williams @ Aspect wrote:
Andy,

I suspect that you will find a large number of papers that deal with
identification and authentication, and very few that deal with access
control (aka authorization) for any kind of sophisticated security policy
on web apps.  The reason is that in many web environments, the
authentication mechanisms are centralized and standard, and the access
control mechanisms are haphazard custom code.

There is a tremendous body of literature on access control schemes for
operating systems and databases. The only difference here is that the set
of attributes on which access control decisions are made is a little
different in the web application environment.

Here's what I look for in a web app access control scheme...
 - tamperproof
 - always invoked
 - verifiable (minimize complexity)
 - flexible support for a broad range of subjects (thing that accesses) and
objects (what gets accessed)
 - ability to group subject and object attributes for easier management
 - ability to express access control policy in the simplest form possible

The vast majority of access control components out there allow decisions to
be made based on the URL. Period.  Not form data, not query string, not
time of day, age of user, account number, last page visited, special deal
in effect, session data, or anything else.  Most developers end up coding a
bunch of special rules into their code and it quickly spirals out of
control.  Access control mechanisms should be centralized.

By the way, the first three requirements are properties of a 'reference
monitor' -- anyone implementing an access control scheme who hasn't heard
those words, should find out what they mean and why they're important. 
I've always found that thinking through the access control matrix (of
subjects and objects) raises many issues and special cases that are often
overlooked without a systematic approach.

--Jeff

Jeff Williams
jeff.williams () aspectsecurity com
Aspect Security, Inc.
http://www.aspectsecurity.com



----- Original Message -----
From: <absmith () cerias purdue edu>
To: <webappsec () securityfocus com>
Sent: Tuesday, April 22, 2003 6:46 PM
Subject: web application access control research

All,

Besides the OWASP Guide, can anyone point me to papers/articles that deal
with the issues of access control of web applications?

I am looking to do a survey paper on this topic.  Basically, I am looking
for references that talk about access control in regards to web
applications: current trends, research, tools, software, ideas, etc.

Any help would be great.  Thanks in advance!

- Andy
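As an added illustration of the points raised in this thread (the 'single access point' and 'check point' patterns, a reference monitor that is always invoked, and decisions driven by more than the URL), here is a small Python policy engine. It is example code written for this archive page, not code from any of the posters or from the books they cite; every name, route, role and sample value in it is constructed. The access control matrix is a dictionary keyed by (role, object type, action) whose entries are predicates over subject attributes, object attributes and request context (owner of the account, time of day, a form field); anything not in the matrix is denied, and the handlers contain no access-control code because the dispatcher checks every request before routing it.

```python
"""Reference monitor / single access point for a web app (constructed example)."""
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Subject:
    user_id: str
    roles: frozenset          # e.g. {"customer"} or {"auditor"}
    account_id: str           # subject attribute used by owner_only


@dataclass(frozen=True)
class Request:
    path: str                 # URL the client asked for
    action: str               # "read" or "write"
    form: dict                # submitted form fields (request context)
    now: time                 # server time of the request; passed in so tests are deterministic


# Object attribute: which account owns each resource (constructed sample data).
ACCOUNT_OWNER: Dict[str, str] = {"/account/1001": "1001", "/account/2002": "2002"}

Rule = Callable[[Subject, Request], bool]


def owner_only(subj: Subject, req: Request) -> bool:
    """Object attribute check: the subject's account must own the resource."""
    return ACCOUNT_OWNER.get(req.path) == subj.account_id


def business_hours(subj: Subject, req: Request) -> bool:
    """Context check: time of day, one of the attributes Jeff lists beyond the URL."""
    return time(9, 0) <= req.now <= time(17, 0)


def amount_under_limit(subj: Subject, req: Request) -> bool:
    """Form-data check; malformed input fails closed rather than passing."""
    try:
        return float(req.form.get("amount", "0")) <= 1000.0
    except ValueError:
        return False


# Access control matrix: (role, object type, action) -> predicates that must ALL hold.
# A missing entry means deny, so the matrix is the policy and the default is closed.
POLICY: Dict[Tuple[str, str, str], List[Rule]] = {
    ("customer", "account", "read"): [owner_only],
    ("customer", "account", "write"): [owner_only, business_hours, amount_under_limit],
    ("auditor", "account", "read"): [],            # any account, any time, read only
}


def object_type(path: str) -> str:
    """Map a URL onto an object class so policy is written per class, not per URL."""
    return "account" if path.startswith("/account/") else "other"


def is_allowed(subj: Subject, req: Request) -> bool:
    """Reference monitor decision: some held role must grant the action with all predicates true."""
    otype = object_type(req.path)
    for role in subj.roles:
        preds = POLICY.get((role, otype, req.action))
        if preds is None:
            continue
        if all(p(subj, req) for p in preds):
            return True
    return False


# Handlers carry no access-control logic of their own.
def view_account(subj: Subject, req: Request) -> str:
    return f"balance for {req.path}"


def transfer(subj: Subject, req: Request) -> str:
    return f"transferred {req.form['amount']} from {req.path}"


ROUTES = {("/account/", "read"): view_account, ("/account/", "write"): transfer}


def dispatch(subj: Subject, req: Request) -> Tuple[int, str]:
    """Single access point: the monitor runs before any handler, for every request."""
    if not is_allowed(subj, req):
        return 403, "forbidden"
    for (prefix, action), handler in ROUTES.items():
        if req.path.startswith(prefix) and req.action == action:
            return 200, handler(subj, req)
    return 404, "not found"


if __name__ == "__main__":
    alice = Subject("alice", frozenset({"customer"}), "1001")
    print(dispatch(alice, Request("/account/1001", "read", {}, time(10, 0))))   # allowed
    print(dispatch(alice, Request("/account/2002", "read", {}, time(10, 0))))   # not owner
    print(dispatch(alice, Request("/account/1001", "write", {"amount": "500"}, time(22, 0))))  # after hours
```

Two design choices worth noting: the check happens in `dispatch`, so a new handler cannot forget to call it (the "always invoked" property), and an unknown path is refused by the monitor before the router ever reports 404, so default-deny also covers objects nobody wrote a rule for.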

