IADIS 2011: Enforcing Authorization Rules in Information Systems

ENFORCING AUTHORIZATION RULES IN INFORMATION SYSTEMS

Felipe Leão, Leonardo Guerreiro Azevedo, Fernanda Baião, Claudia Cappelli
NP2Tec – Núcleo de Pesquisa e Prática em Tecnologia, DIA – Departamento de Informática Aplicada
Universidade Federal do Estado do Rio de Janeiro (UNIRIO)
{felipe.leao, azevedo, fernanda.baiao, claudia.cappelli}@uniriotec.br

ABSTRACT

Information security is a critical issue for organizations and comprises several perspectives. Identity propagation and data access control are important issues in current distributed information systems architectures. This work describes the design and implementation of an architecture for effectively assuring information security. The proposal is based on standard technologies allied to modifications of standard objects of the Spring framework, and its goal is to propagate the user identity, in a non-intrusive way, from client applications to the DBMS where the authorization rules are enforced.

KEYWORDS

Database security, Identity Propagation, Dependency Injection, Data Access Control, Authorization Rules, TPC-H Benchmark.

1. INTRODUCTION

Information security is an important issue for organizations. Aspects in this field include access control, interface control, auditing, information flow control, data availability, confidentiality, etc. Among them, access control (or authorization) is responsible for guaranteeing integrity (Sandhu et al., 1996; Yang, 2009; Calì and Martinenghi, 2008; Murthy and Sedlar, 2007). Authorization mechanisms enforce authorization rules, a type of rule that restricts who is allowed to perform a certain action on data (BRG, 2000).

Another important issue in security is identity propagation in multi-tier systems. Its concern is propagating the user identity from a client application to the database, where authorization rules are enforced by the DBMS (Database Management System). Application architectures for database access can be divided into four types (Leão et al., 2011), and an identity propagation solution must be addressed for each type.

(i) The client application connects directly to the database using an identifiable user: the database user is the same as the client application's user, which is the same as the user connected to the operating system.
(ii) The client application connects directly to the database using a non-identifiable user: the user that executes the client application is different from the user connected to the operating system.
(iii) The client application connects to an application server that accesses the database: the client application sends requests to an application server that connects to the database to execute CRUD (Create-Retrieve-Update-Delete) operations. The application server connects to the database using a general user.
(iv) The client application connects to an application server that invokes a web service that accesses the database: many layers must be considered in this scenario to propagate the user identity, and the real user logged into the operating system where the client application is running is far from the database.
In the first scenario the DBMS can identify the current user from the connection parameters. This scenario is non-intrusive compared to the other three. In scenarios (ii), (iii) and (iv), the application or web service must explicitly retrieve the user and propagate it to the next layer. This can be very intrusive, and it may require changes in the application architecture. This work proposes an effective architecture for identity propagation and authorization rule execution that fulfills the requirement of minimum impact on existing applications. The architecture was evaluated in practice considering the features of the third scenario, but it can be applied in the other scenarios as well. The identity propagation was implemented using the Spring framework (http://www.springsource.org/), and the authorization rules were implemented using the FARBAC framework (Azevedo et al., 2010). Experimental tests were performed on top of the TPC-H Benchmark (TPC Council, 2008). The results indicate the effectiveness of our proposal.

This work is presented as follows. Section 2 presents the theoretical grounding. Section 3 presents our proposal. Section 4 presents the experimental results. Section 5 presents conclusions and future work.

2. THEORETICAL GROUNDING

Access control mechanisms can be classified into DAC (Discretionary Access Control), MAC (Mandatory Access Control) (DoD, 1983) and, more recently, RBAC (Role-Based Access Control) (Ferraiolo and Kuhn, 1992). The DAC mechanism restricts access to objects based on the identity of users and/or the groups to which they belong. MAC policies are based on mandated regulations determined by a central authority (Yang, 2009). The most common form of MAC is the multilevel security policy, which classifies the subjects (users and groups) and objects (data) of the system. RBAC considers functions and information, and its main interest is to protect information integrity: who is allowed to perform which actions over which information (Ferraiolo and Kuhn, 1992). Ferraiolo et al. (2001) propose a standard for RBAC in order to consolidate different RBAC reference models, commercial products and research prototypes.

Access control mechanisms are implemented in different DBMSs, such as Oracle, Sybase and Microsoft SQL Server. RBAC policies are more flexible than MAC and DAC. However, defining and enforcing RBAC policies using the native approaches of a DBMS is not simple in real scenarios. It requires a lot of effort and knowledge from the user responsible for managing rules and roles, usually a Database Administrator (DBA). To address this requirement, we proposed in a previous work the FARBAC framework (Azevedo et al., 2010). FARBAC is a flexible and easy-to-use mechanism to aid database administrators in defining and managing RBAC policies to implement database security. It was implemented using the VPD (Virtual Private Database) mechanism of the Oracle DBMS (Jeloka et al., 2008). In the FARBAC approach, authorization rules are stored in a metamodel following a structure that allows dynamic generation of WHERE clauses (predicates) at runtime. These clauses are appended to the commands sent from applications to the DBMS. For example, in queries the authorization rules act as filters, removing from the result the tuples to which the user does not have access.

Another important concern in data access security is identity propagation. Identity propagation allows the distributed identity to be preserved, regardless of where the identity information was created, for use during authorization and for auditing purposes (IBM, 2011).

3. AUTHORIZATION RULE ENFORCEMENT PROPOSAL

Considering the scenarios for database access (Section 1), a solution for access control must provide mechanisms for profile and authorization rule specification, user authentication, identity propagation in multi-tier systems and authorization rule execution at runtime. This work focuses on identity propagation in multi-tier systems. It uses the FARBAC framework (Azevedo et al., 2010) for profile and authorization rule specification and for execution of the authorization rules. It assumes that the user was properly authenticated.

The proposed solution employs dependency injection, remote access and interceptor handlers. It aims to fulfill the following requirement: the architectures of existing applications should not be changed in order to consider authorization rule enforcement. Figure 1 presents the main ideas considering scenario (iii). In this case, the request from the client application to a remote object is intercepted ("A") so that the user's security information can be injected into it. When the application server receives the request, it is intercepted again ("B"): the user's security information is extracted from the request and injected into the DBMS context. Afterwards, the request is passed to the remote object running on the application server. This fulfills the requirement, since the client application does not need to inject security information, nor does the remote object need to handle it. The framework is responsible for intercepting and injecting user information on the client side, as well as for intercepting, extracting and injecting user information into the DBMS context on the server side. In other words, all CRUD (Create-Retrieve-Update-Delete) operations executed by the remote object are processed by the DBMS considering the user that is using the client application, whose information was passed through the application layers. Although the solution is presented considering scenario (iii), it can also be used in scenarios (i), (ii) and (iv). It is only required to define the places where interception, injection and extraction of security information must be handled.

Figure 1. Dependency Injection, Remote Access and Interceptor in scenario (iii)
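The two interception points of Figure 1 in code, as an added example written for this page rather than the prototype's own source: it uses the Spring 3 classes the paper names (HttpInvokerProxyFactoryBean, HttpInvokerServiceExporter) and the class names ServiceProxy, ServiceExporter and UserStore described later in this section; the `user` parameter name, the method bodies and the rejection of requests that carry no identity are assumptions.

```java
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.remoting.httpinvoker.HttpInvokerProxyFactoryBean;
import org.springframework.remoting.httpinvoker.HttpInvokerServiceExporter;
import org.springframework.web.HttpRequestHandler;

/** Holds the identity of the current user; on the server it is declared request-scoped. */
class UserStore {
    private String userId;
    public String getUserId() { return userId; }
    public void setUserId(String userId) { this.userId = userId; }
}

/** Interception point "A": Spring asks getServiceUrl() for every remote call, so
 *  appending the identity here propagates it without touching the client code
 *  that uses the remote service. */
class ServiceProxy extends HttpInvokerProxyFactoryBean {
    private UserStore userStore;          // injected by the client's Spring config
    public void setUserStore(UserStore userStore) { this.userStore = userStore; }

    @Override
    public String getServiceUrl() {
        String base = super.getServiceUrl();
        try {
            // "user" is an assumed parameter name; the paper only says that
            // parameters are concatenated to the request string.
            return base + (base.contains("?") ? "&" : "?")
                    + "user=" + URLEncoder.encode(userStore.getUserId(), "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 unavailable", e);
        }
    }
}

/** Interception point "B": composes the stock exporter (Composite pattern), pulls the
 *  identity out of the request, stores it in the request-scoped UserStore and only then
 *  lets the real invocation proceed. The exporter trusts this value, so the channel
 *  between client and server must itself be authenticated, as the paper assumes. */
class ServiceExporter implements HttpRequestHandler {
    private final HttpInvokerServiceExporter exporter;
    private final UserStore userStore;    // request-scoped proxy injected by Spring

    ServiceExporter(HttpInvokerServiceExporter exporter, UserStore userStore) {
        this.exporter = exporter;
        this.userStore = userStore;
    }

    @Override
    public void handleRequest(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String user = request.getParameter("user");
        if (user == null || user.isEmpty()) {
            // No identity means the DBMS context cannot be set; refuse instead of
            // letting the call run as the server's general database user.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing user identity");
            return;
        }
        userStore.setUserId(user);
        exporter.handleRequest(request, response);   // normal HTTP invoker processing
    }
}
```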

The proposed architecture was implemented using the Spring framework, an open source framework that provides various functionalities to Java application developers, such as Inversion of Control (IoC, the basis for Dependency Injection), Aspect-Oriented Programming (AOP) and Model-View-Controller (MVC) (Walls and Breidenbach, 2007; Johnson et al., 2010; Prasanna, 2009). The features of Spring used in our proposal were Dependency Injection, Remote Access and Interceptor. Dependency injection was used to decrease the coupling of application modules. Remote access was employed to locate and invoke remote objects available from an application server module; these remote objects were deployed using the Spring Remote Services feature and were invoked using HTTP invokers. The interceptor feature was used to intercept the request message in order to inject and extract security information.

An architecture prototype (available at http://code.google.com/p/pdac/) was implemented using the following technologies: Java (Standard and Enterprise Editions), the Spring framework, JBoss Application Server, Hibernate (an object-relational mapping framework) and the Oracle DBMS configured with the FARBAC framework. The database used to execute the experimental tests followed the schema of the TPC-H benchmark (TPC Council, 2008), which simulates the scenario of a decision support enterprise application.

The prototype was divided into three modules: Client, Server and Shared. The Client module was developed using Java SE and Spring technologies. It is responsible for making available an interface for users to execute business functionalities. This module invokes methods of remote components available from the Server module, implemented as Java Beans using Java EE and Spring Remote technologies. These components access the database using the Hibernate object-relational mapping technology to execute the corresponding queries. The Shared module contains the classes and components that both the Client and Server modules need.
Remote Method Invocation was implemented using the HTTP invoker, which allows object serialization over HTTP. When using this mechanism, two main concepts must be explained first: (i) how to expose a remote object as a service, by configuring a bean of class HttpInvokerServiceExporter in the Spring configuration file; and (ii) how to invoke this service from a client application, by configuring a remote bean of class HttpInvokerProxyFactoryBean. The plain HTTP invoker approach was evaluated carefully by system analysts and information systems researchers, and the result was that by itself it does not fulfill the requirement that existing applications should not be changed in order to propagate user information for authorization rule enforcement. Hence, inheritance was used: the ServiceProxy class extends HttpInvokerProxyFactoryBean and overrides its getServiceUrl method to inject the user identity into the request string sent to the Server module. The Composite pattern was used by the ServiceExporter class to add logic to HttpInvokerServiceExporter, extracting the injected identity from the request string in the handleRequest method. The getServiceUrl method overridden by ServiceProxy receives an injected UserStore bean (an object that stores user information) and concatenates parameters (e.g., the user identity) to the request string. These parameters are intercepted on the server by the ServiceExporter class, through the handleRequest method, which stores the data in a request-scoped object (a server-side UserStore bean). Request scope is one of the scopes provided by the Spring framework; it ensures that the lifecycle of a bean is attached to the request being processed. Another characteristic of a request-scoped bean is thread safety, meaning that one bean is instantiated for each request, providing data isolation.

To evaluate the implementation, a SalesService bean was implemented and remotely exposed through the RemoteService class.
The bean provides the method revenueChangePrediction(), which answers the difference in the company's yearly billing if a specific discount is removed. Getter and setter methods were implemented to enable the injection of a UserStore bean. SalesService uses a ServiceDAO object, which isolates the business logic for accessing the DBMS. The ServiceDAO class needs a session factory object in order to retrieve database sessions to execute CRUD operations. Instead of asking Hibernate for its SessionFactory object, the DAO class asks for a database session from a specific session factory object (named PropSessionFactory) implemented specifically in our approach. This class implements a getSession method, responsible for retrieving a database session through the Hibernate framework and setting the user ID stored in the userStore bean in the context of that session, following the FARBAC approach. The user ID is set in the session context through a call to a specific procedure that sets the client_info variable of the USERENV namespace of the Oracle database context. Access to the userStore bean is possible due to a configuration in the server's Spring context that injects the userStore bean into a PropSessionFactory bean, an instance of the PropSessionFactory class.
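The getSession step described above, as an added example (not the prototype's code): it uses Hibernate's Session.doWork to reach the JDBC connection and Oracle's DBMS_APPLICATION_INFO.SET_CLIENT_INFO procedure to set CLIENT_INFO in the USERENV context; that this is the "specific procedure" the paper refers to, and the bean names and method bodies, are assumptions.

```java
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.SQLException;
import org.hibernate.Session;
import org.hibernate.SessionFactory;
import org.hibernate.jdbc.Work;

/** Request-scoped holder for the propagated identity (same role as in the paper). */
class UserStore {
    private String userId;
    public String getUserId() { return userId; }
    public void setUserId(String userId) { this.userId = userId; }
}

/** Opens a Hibernate session and stamps the propagated user ID into the Oracle session
 *  context before any query runs. FARBAC's VPD policy function can read it back with
 *  SYS_CONTEXT('USERENV', 'CLIENT_INFO') when building the predicates of Figure 2. */
class PropSessionFactory {
    private SessionFactory sessionFactory;   // Hibernate's own factory, injected by Spring
    private UserStore userStore;             // request-scoped bean, injected by Spring

    public void setSessionFactory(SessionFactory sf) { this.sessionFactory = sf; }
    public void setUserStore(UserStore userStore) { this.userStore = userStore; }

    public Session getSession() {
        final String userId = userStore.getUserId();
        if (userId == null || userId.isEmpty()) {
            // Refuse to hand out a session with no identity: every statement on it
            // would otherwise run as the server's general database user, unfiltered.
            throw new IllegalStateException("no propagated user identity for this request");
        }
        Session session = sessionFactory.openSession();
        // Work gives access to the JDBC connection that backs this Hibernate session.
        session.doWork(new Work() {
            public void execute(Connection connection) throws SQLException {
                // Assumed procedure: the standard Oracle way to set USERENV CLIENT_INFO
                // (limited to 64 bytes). The value came from the client, so bind it
                // instead of building the call string by concatenation.
                CallableStatement call = connection.prepareCall(
                        "{call DBMS_APPLICATION_INFO.SET_CLIENT_INFO(?)}");
                try {
                    call.setString(1, userId);
                    call.execute();
                } finally {
                    call.close();
                }
            }
        });
        return session;   // every query on this session is now filtered for userId
    }
}
```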

4. EXPERIMENTAL TESTS

To evaluate the proposed architecture, the TPC-H benchmark was used. It is an industry-relevant benchmark specification aiming at simulating the scenario of a decision support enterprise application (TPC Council, 2008). This scenario has a realistic context representing the activities of a wholesale industry that needs to manage its sales worldwide. The revenue change prediction query was used in this work. The following rule was included in the FARBAC model: "The North America and Asia sales manager must only access orders from suppliers located in countries of the northern hemisphere and only in the regions of Asia and America". Considering the query, the information to be protected by this policy refers to the tables ORDERS and LINEITEM, which store the orders and their associated items, respectively. The corresponding predicates returned by FARBAC to authorize data access are presented in Figure 2.

(O_CUSTKEY in (select C_CUSTKEY from TPCH.CUSTOMER
    inner join TPCH.NATION on N_NATIONKEY = C_NATIONKEY
    inner join TPCH.REGION on R_REGIONKEY = N_REGIONKEY
    where R_NAME IN ('AMERICA', 'ASIA') AND N_HEMISPHERE IN ('NORTH')))

(L_ORDERKEY in (select O_ORDERKEY from TPCH.ORDERS))

Figure 2. FARBAC predicates for the tables ORDERS (first) and LINEITEM (second)

Two users were created: Bob, the America and Asia Sales Manager; and Alice, the company's CEO, who received the privilege EXEMPT ACCESS POLICY, which causes all policies to be ignored for her. The client application was used by Bob and Alice to execute the revenue change prediction query. Since Bob is the sales manager of North America and Asia, he can access only orders of customers from the northern part of those regions, and the returned value was U$ 21,445,915.50. On the other hand, as Alice is the CEO, she can access all order items, and the revenue change prediction was U$ 88,894,386.60. Therefore, the tests demonstrated that the rules were applied and only authorized information was returned.

5. CONCLUSION

Information security is an important challenge for most organizations. In general, problems in this area are solved through the implementation of access control mechanisms and of authorization rules in information systems. Nevertheless, when rules change, all systems that implement these rules and controls must be updated, which turns this into a complex problem, especially in scenarios composed of legacy applications and a large number of authorization rules. This paper presented an access control architecture and its implementation using the Spring framework. Its focus is identity propagation and authorization rules. The implementation consisted of the application of design patterns (Singleton, Dependency Injection and Composite) allied to Remote Access, request-scoped beans and the implementation of the FARBAC framework (on the DBMS side).

Considering the identity propagation features, only the user information is added to the traditional scenario in order to propagate the user identity, which has no impact on the performance of the client or of the remote object. Considering authorization rule execution through the use of FARBAC, the performance tests executed by Puntar et al. (2010) demonstrated that the difference between the FARBAC approach and a conventional Oracle VPD implementation is quite small. Therefore, using a flexible approach to store authorization rules in a central repository is an important feature of our approach. The proposal thus showed itself capable of providing identity propagation with little impact on legacy systems and on the conception of new projects, in addition to isolating the authorization rules, which makes it easier to keep them up to date. As future work, we intend to execute performance tests and to evaluate the proposal in a real scenario of a company or a government agency.

REFERENCES

Azevedo, L.G. et al., 2010. A Flexible Framework for Applying Data Access Authorization Business Rules. In Proceedings of the 12th International Conference on Enterprise Information Systems (ICEIS 2010), Funchal, Madeira, Portugal, pp. 275-280.
BRG, 2000. Defining Business Rules ~ What Are They Really? Business Rules Group. Available at: http://www.businessrulesgroup.org/first_paper/BRG-whatisBR_3ed.pdf. Accessed on July, 2011.
Calì, A. & Martinenghi, D., 2008. Querying Data under Access Limitations. In IEEE 24th International Conference on Data Engineering (ICDE 2008), Cancun, Mexico, pp. 50-59.
DoD, 1983. Trusted Computer System Evaluation Criteria. Department of Defense. Available at: http://csrc.nist.gov/publications/history/dod85.pdf. Accessed on July 15th, 2011.
Ferraiolo, D.F. & Kuhn, D.R., 1992. Role-Based Access Control. In National Computer Security Conference, Baltimore, MD, pp. 554-563.
Ferraiolo, D.F., Sandhu, R., Gavrila, S. & Kuhn, D.R., 2001. Proposed NIST standard for role-based access control. ACM Transactions on Information and System Security (TISSEC), Vol. 4, No. 3, pp. 224-274.
IBM, 2011. Identity propagation and distributed security. Available at: http://publib.boulder.ibm.com/infocenter/cicsts/v4r1/topic/com.ibm.cics.ts.doc/dfht5/topics/idprop_intro.html. Accessed on August 31st, 2011.
Jeloka, S., Mulagund, G. & Lewis, N., 2008. Oracle Database Security Guide, Oracle RDBMS 10gR2. Available at: http://download.oracle.com/docs/cd/B19306_01/network.102/b14266.pdf. Accessed on July 15th, 2011.
Johnson, R., Hoeller, J., Donald, K. et al., 2010. Spring Framework Reference Documentation (3.0). Spring Community. Available at: http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/pdf/spring-frameworkreference.pdf. Accessed on May, 2011.
Leão, F., Puntar, S., Azevedo, L.G., Cappelli, C. & Baião, F., 2011. Controle de Acesso a Dados em Sistemas de Informação através de Mecanismos de Propagação de Identidade e Execução de Regras de Autorização. In VII Simpósio Brasileiro de Sistemas de Informação (SBSI 2011), Salvador, Brazil.
Murthy, R. & Sedlar, E., 2007. Flexible and Efficient Access Control in Oracle. In Proceedings of the 2007 ACM SIGMOD International Conference on Management of Data, Beijing, China, p. 973.
Prasanna, D.R., 2009. Dependency Injection: Design Patterns Using Spring and Guice. Manning, Greenwich, CT.
Puntar, S., Azevedo, L., Baião, F. & Cappelli, C., 2010. Performance Tests Comparing Flexible Model against Conventional VPD. Technical Report DIA/UNIRIO (RelaTe-DIA), RT-0013/2010 (in Portuguese).
Sandhu, R.S., Coyne, E.J., Feinstein, H.L. & Youman, C.E., 1996. Role-based access control models. Computer, Vol. 29, No. 2, pp. 38-47.
TPC Council, 2008. TPC Benchmark H Standard Specification Revision 2.8.0. Transaction Processing Performance Council. Available at: http://www.tpc.org/tpch/spec/tpch2.8.0.pdf. Accessed on July 15th, 2011.
Walls, C. & Breidenbach, R., 2007. Spring in Action. Manning.
Yang, L., 2009. Teaching database security and auditing. In Proceedings of the 40th ACM Technical Symposium on Computer Science Education, Vol. 41, No. 1, pp. 241-245.
