Extended role access control model for web applications based on path hierarchy Текст научной статьи по специальности «Компьютерные и информационные науки»

Journal of Siberian Federal University. Engineering & Technologies, 2018, 11(7), 748-754

yflK 004.056

Extended Role Access Control Model

for Web Applications Based on Path Hierarchy

Dmitry D. Kononov and Sergey V. Isaev*

Institute of Computational Modeling of SB RAS 50/44 Akademgorodok Str., Krasnoyarsk, 660036, Russia

Received 13.09.2016, received in revised form 09.10.2016, accepted 31.10.2018

Web applications security is a complex problem with several aspects. One aspect is access control according to specified security policy. Access control is accomplished by security model restrictions. This research is dedicated to developing security access control model for web applications. This work describes path-based RBAC model, which improves RBAC and allows flexible access control using request path (URI). Authors created guidelines to apply model's elements for real-world web applications. Developing web applications with model described allows reducing security risks.

Keywords: security models, access control, web applications.

Citation: Kononov D.D., Isaev S.V. Extended role access control model for web applications based on path hierarchy, J. Sib. Fed. Univ. Eng. technol., 2018, 11(7), 748-754. DOI: 10.17516/1999-494X-0029.

Расширенная ролевая модель безопасности для веб-приложений, основанная на иерархии путей

Д.Д. Кононов, С.В. Исаев

Институт вычислительного моделирования СО РАН Россия, 660036, Красноярск, ул. Академгородок, 50/44

Обеспечение безопасности веб-приложений - комплексная проблема, имеющая несколько аспектов. Одним из аспектов является разграничение доступа в соответствии с заданной политикой безопасности. Разграничение доступа осуществляется путем применения ограничений, накладываемых моделью безопасности. Данная работа посвящена разработке модели безопасности для разграничения доступа в веб-приложениях. В работе описана основанная на иерархии путей ролевая модель безопасности, которая улучшает базовую

© Siberian Federal University. All rights reserved

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License (CC BY-NC 4.0). Corresponding author E-mail address: ddk@icm.krasn.ru, si@icm.krasn.ru

модель RBAC и обеспечивает гибкое разграничение доступа на основе пути запроса (иК1). Разработаны рекомендации по применению модели для веб-приложений. Разработка веб-приложений с применением описанной модели позволяет снизить риски, связанные с безопасностью.

Ключевые слова: модели безопасности, разграничение доступа, веб-приложения.

Introduction

Today modern Web applications and services are affected by several security issues. Computer security is becoming increasingly important and actual. According to Symantec security research

[1], in spite of security means development there are high security risks for web applications. Web applications security is a complex problem with several aspects. One aspect is access control according to specified security policy. Access control is accomplished by security model restrictions. Choosing and applying appropriate security model is able to reduce risks of successful attacks.

Widely known security models include discretionary, mandatory, and role-based [2, 3]. In our work, we research and develop security model based on Role-based access control model (RBAC) [4]. Role access control represents access rights control from subjects to objects grouped by some characteristics named roles. Original role-based access control model does not take into account web applications features [5] particularly hierarchic requests. Also assigning permissions is limited to roles only. This work describes path-based RBAC model, which improves RBAC and allows flexible access control using request path (URI).

Security models

Currently, there are several security access control models. Some of them include access control accomplished by discretionary matrix, mandatory levels, and role-based.

Discretionary security models are based on access control from subjects to objects by using access control lists or access matrix. This family include security model such as Harrison-Ruzzo-Ulman [6], typed access matrix [7], Take-Grant [8].

Mandatory access control - access control from subjects to objects based on assigned confidentiality label for information contained in the objects and permission entities to access information with such level of confidentiality. An example of the mandatory model is Bell-LaPadula

[2]. Classic Bell-LaPadula model analyzes conditions under which the computer system cannot initiate information flows from the objects with a high level of confidentiality to objects with a lower level of confidentiality.

Role-based access control is a further development of the discretionary access control policy: permissions to system objects are grouped according to certain characteristics, forming role. Roles are intended to manage access control rules in a more simple way.

These models do not take into account the specifics of web applications, in particular, the hierarchical organization of requests and links. The paper describes the adapted role-based security model that eliminates these problems.

Role-based access control

The original role-based access control model [4] defines a set of elements:

<e i I, S ^A(UOt 14(1)1, MserpSj, rofegaUn,

whaee:

U - tet of users ;

id - set of roles;

P - set of accuss permissions;

S - set of ustr srssk^

UA\U 2R - fancsioa Eii^rsi^tn-1^!? ef o each useu a variety s) role s to which he -an be rothorized;

PAS : i — t.p - diuiehon asaigning Sgr rach roie s>rt of acme; e es ^itnni^oionPi wleile Vg> e P,3r e d sucPt-at p ePASb ;

nscr : S — U - function defining foe each atas ieosion, on wh-ae byhebt is re eutPoaezed;

rola : S -so 2d - funeSion dnfining fiac noer o voséety et rotes iio:e ^iei^cJti Hcce is nuteorizrd orroenO storkm; od tfa namo time Vs r S tatinfie o tbc seadeeten roler{s) a UAMuser(s)).

The model RBAC1 is dvfiavdi an RyfOCr, at the stiaitiie tiam introdueing a rolehierarchy (RHi.

Adapting the model for web applications

To existing RBAQ meOd'e dements "user", "role", "permission", "session" we added new ekments tading énlo s^^^tatcntit ^init^1» appticotion feutuces: "tolea", "request".

DeUnitioa E.Tokrn (TD) - soC oit uios atitUbutes ntant allow him to carry out authenticetirn in a system. Token is e pa'i <noma,pasiwoed>, or pair <dnblic key, nriratc n"d>.

DsOntrioa P. "Vuitiaoin (firS - set aO ineuemacion snnt by ihe client to HTTP server. The roque st crnteius e set pf deaduds, a un'Ruo r^stitust;" identifie" tURS"), s ert o" gvati'iimeaei"i numdfvrlue, end d pe"Meet paytocd (body).

Reqaert Kektnga do th" se;s;i^I"n, oner iie;^i;:ioM caa handk mrdtioVe requoafe Requese end peimks.on are eiod d" manyttOdmenr relationtliip. On trp nf coquests Rq inc;^uit"o^ retetton ts defined.

Definition 3( Request. sneiudeo a requnst H5 eei tig cf tDe path o° a onksun resouece idenitfiee -URR) o" reqursi A "uneemt liht g;»a1^ei of dno aln]liouIi kDoitifier sd the ansnurce iri£;c]_ii^^st E1 with the tnitiel ^osiУion 'liieloLi^ lme wtehig ehq same tlamrspacel with len(B est) q len(nnet), where len(x) s length of the stri ny x.

Ftgure 1 ehowa the requests; Ie, hi, C, arid D, whk;h satt;sfy tlie Onnowiicg: u < B,B < C, B < D, A<CeA <D.

Inclusion relatioti scas tins foUowinc ^oper-tiea:

• s-etElaxiniLva: Vrq e Rq :rq < rq ,

• antisymmetsio: Vn^,rq' eRq : ((rq < o^'I& ,rq' < hq)) -rrq = rq_',

• tonsHree: 's/rqj,rq2,rq3 e Rq : ((rqj < rq2) & (rq2 < rq3)) -— rqq < rq3.

Fig. 1. An example of the inclusion relations on top of requests

Roles hierarchy

Fig. 2. Elementsofpath-basedRBACmodel

Thus , the ^nc^usiort relation on top of requests set Rq defines non-strict partial order.

Next,wedefinea functioniCqal(9 mapprng ^i^irm^sss^^or^s to multiple requests RqA: P ^ 2Rq.

Definition 4. Requosts hteracchy (RqH) - i relaaion defined on top of requests Rq. For any

p e P the following condition is true: if rq,rq' e Rq, rq e RqA(p), and rq < rq', then rq' £ RqA(p).

Thus, the definition 4 makes it possible a flexible access control for individual requests, and all children requests.

Figure 2 shows a diagram of adapted security model elements. The model name is path-based role-based accesscontrol security model.

Ad aptingmandaOoryocce ssmodel

[n [9] for role-based security model authors describe use of mandatory access control designed to protect against threatc to iiUoomalian coofidentiaeity. Wtthic defineO teominology, we describe mandatory rolc-bosed cocescmodel tgweb aapllcativnt. V^^ndMcvidV^o defined o^t^^v^aCaiff^nnW, the

fcitrwino o^^^ismswerr^c^^ed:

Rq - sit o° re.ueeCe;

(L, P) -ce^i^tiv^^c^ti^Ort}^ l^c^etsla^^ice;

c : U r l - fupetiap of user access leveCs;

c : Rg r L - fuoctiao oJf congdentiaOrty ievetc fga requeeRo;

A = {read, write} - access types;

R = {x _ read | x e L} u {x _ write | x e L} - set of roles;

P = {(rq, read) | rq e Rq} u {(rq, write) | rq e Rq} - set of permissions.

Using the definitions 5.20 and 5.22 [10], according to requirements of liberal mandatory access control for set of requests Rq we define a hierarchy on top of roles R and restriction functions UA(), roles(), and PA().

Asapartofthemandatory accesscontrol, informationflow is defined.

Definition 5. We assume that there is an information flow from request rq e Rq to request rq' e Rq if and only if there are roles r,r' e R, and session 5 e S, such that (rq, read) e PA (r), (rq', write) e PA(r'), and r,r' e roles(s).

Let us formulate a proposition about the impossibility of forbidden information flows from the request with a higher confidentiality level to requests with a lower confidentiality level.

Proposition 1. If a role-based access model complies with liberal mandatory access control requirements, then for any requests rq,rq' e Rq, such that c(rq) > c(rq'), it is impossible to initiate information flow from rq to rq'.

The proof is similar to theorem 5.1 [10].

Thus, the model described is safe in terms of information flows for requests with different confidentiality levels.

Application of models

Security models described can be used in a wide range of applications. To apply these security models the system must meet the following requirements:

• centralized access control - access control is carried out only in a single module without delegating to other units or systems;

• principle of least privilege - provide the user only minimal set of privileges necessary for his work;

• separation of duties support - tasks processed in the system may require multiple users to process one operation;

• possibility of decomposition the system into separate components, which can be accessed using a variety of URIs, which are unique within the system.

When the above requirements are met, the system may be divided into different parts, each of them is uniquely identified by a URI. URI paths are described as access control elements and used to define a set of requests Rq. This set includes all client requests and API calls provided by the system. Using Rq request hierarchy is created that reflects the interaction and dependence between components.

In order to apply security model it is necessary to create a set of roles R. The role defines a set of permissions that a user can perform. Examples of roles: "user", "moderator", "registrar", "administrator".

Next, the system should have defined set of permissions P. Permissions define specific action or operation in the system, for example, "create new user", "delete the document," etc. One role can have many permissions. One permission can be assigned to many roles. Assigning permissions for roles is performed by function PA(). Permissions are non-overlapping and consistent. Elements from permissions P map to a subset of requests Rq using function RqA(). One permission can have multiple requests. One request can be assigned to many permissions.

To maintain users a set of users U is created, which have assigned roles from R using mapping function UA(). One user can have multiple roles. One role can be assigned to multiple users. To identify a user the model includes a set of tokens Tk. The elements of the set are pairs of <username, password>, or <public key, private key>. Each user can have multiple tokens. The token belongs to one user.

Once authenticated, authorized work of users is carried out by sessions. A session is a set of authorized user data, including a set of roles to which the user is authorized. Users can create multiple sessions. A session belongs to one user. Sessions can have additional data related to authorization or specific operation.

As an example, we describe application of extended path-based RBAC for publication system. The system allows users to create articles for public reading. Registered users can create and edit their articles. Editors have the ability to edit articles created by users. The administrator has access to all sections, including user administration. The system has two users, who write articles: Alice and Bob. John is an editor, and Martin is a system administrator. In addition, Martin can work as editor. The system provides a special role for anonymous users for public reading without editing articles. Users U: {Anonymous, Alice, Bob, John, Martin} Roles R: {Viewer, User, Editor, Administrator}

Permissions P: {"view article", "create article", "edit own articles", "edit all articles", "user management", "access control", "system maintenance"} Requests Rq: { /articles/list, /articles/view, /manage/articles/list, /manage/articles/create, /manage/articles/edit, /manage/users/list, /manage/users/create, /manage/users/edit, /manage/permissions/roles, /manage/permissions/acl, /manage/system/settings, /manage/system/maintenance\} Roles assignment for users:

UA(Anonymous) ^ {Viewer} U4 (Alice) ^ {User} U4 (Bob) ^ {User} U4 (John) ^ {Editor} UA (Martin) ^ {Editor, Administrator} Permissions assignment for roles: PA(Viewer) ^ {"view article"}

PA(User) ^ {"view article", "create article", "edit own article"} PA(Editor) ^ {"view article", "create article", "edit all articles"} PA (Administrator) ^ {"user management", "access control", "system maintenance"} Requests assignment for permissions:

RqA ("view article") ^ {/articles/list, /articles/view} RqA ("create article") ^ {/manage/articles/create} RqA ("edit own article") ^ {/manage/articles/edit} RqA ("edit all article") ^ {/manage/articles/edit} RqA ("user management") ^ {/manage/users} RqA ("access control") ^ {/manage/permissions} RqA ("system maintenance") ^ {/manage/system}

As you can see from the example above, the developed models offer flexibility and simplicity for access control restriction that can be used in real-world web applications.

Conclusion

The paper describes extended path-based role access control model, which takes into account web applications features. New elements were defined: token, request, inclusion relation. The model created allows flexible access control for modern web applications.

Also extended path-based mandatory role-based access control model was created with additional sets: requests, security levels lattice, access types, roles, and permissions. Impossibility of forbidden information flows from higher to lower security levels was proven.

Authors created guidelines to apply model's elements for real-world web applications. Developing web applications according to these guidelines allows reducing security risks. We use the model developed to enhance security in our web applications [11].

References

[1] The 2016 Internet Security Threat Report, Symantec Corp [Electronic resource], 2016 -Access: https://www. symantec.com/security-center/threat-report

[2] Bell D.E., LaPadula L.J. Secure Computer Systems: Unified Exposition and Multics Interpretation, MITRE Corp. Bedford, 1976, 129 p.

[3] Bishop M. Introduction to Computer Security, Addison-Wesley, 2005, 27-35.

[4] Sandhu R., Coyne E.J., Feinstein H.L. and Youman C.E. Role-based Access Control Models, IEEE Computer (IEEE Press), 1996, 29 (2), 38-47.

[5] Bhatti R., Bertino E. and Ghafoor A. A Trust-based Context-Aware Access Control Model for Web Services, Distributed and Parallel Databases Archive, 2005, 18 (1), 83-105.

[6] Harrison M., Ruzzo W. Monotonic protection systems, Foundation of Secure Computation, 1978, 337-365.

[7] Sandhu R. The typed access matrix model, Proceedings of the IEEE Symposium on Research in Security and Privacy, 1992, 122-136.

[8] Lipton R.J., Snyder L.. A Linear Time Algorithm for Deciding Subject Security, Journal of the ACM, Published by Addison-Wesley, 1977, 24 (3), 455-464.

[9] Sandhu R. Role-based Access Control, Advanced computers, 1998, 46, 237-286.

[10] Девянин П.Н. Модели безопасности компьютерных систем. М.: Издательский центр «Академия», 2005. 144 с. [Devyanin P. N. Security models for computer systems, Moscow, Izdatelskiy Centr "Akademiya", 2005, 144 p. (in Russian)]

[11] Кононов Д.Д., Исаев С.В. Модель безопасности кросс-платформенных веб-сервисов поддержки муниципальных закупок. Прикладная дискретная математика, 2011, 4, 48-50 [Kononov D.D., Isaev S.V. The security model of cross-platform web services for municipal procurement support, Applied Discrete Mathematics, 2011, 4, 48-50 (in Russian)]