Web Data and Application Security Kodali, Farkas and Wijesekera

Web Data and Application Security Kodali, Farkas and Wijesekera

Reading • Word Wide Web Consortium, http://www.w3.org/ • Organization for the Advancement of Structure Information Standards, http://www.oasis-open.org/home/index.php • Web Services Interoperability Organization, http://www.ws-i.org/ • Workshop on Secure Web Services, http://sws06.univ-pau.fr/ • Semantic Web Security, http://www.cse.sc.edu/research/isl/SSW/index.shtml

Web Evolution • Past: Human usage • HTTP • Static Web pages (HTML) • Current: Human and some automated usage • Interactive Web pages • Web Services (WSDL, SOAP, SAML) • Semantic Web (RDF, OWL, RuleML, Web databases) • XML technology (data exchange, data representation) • Future: Semantic Web Services

Semantic Web From: T.B. Lee

Web Services “…a software system designed to support interoperable machine-to-machine interaction over a network.” W3C From: Wikipedia

WS Components • SOAP: An XML-based, extensible message envelope format, with "bindings" to underlying protocols • WSDL: An XML format that allows service interfaces to be described, along with the details of their bindings to specific protocols. • UDDI: A protocol for publishing and discovering metadata about Web services, to enable applications to find Web services, either at design time or runtime. • WS-Security: Defines how to use XML Encryption and XML Signature in SOAP to secure message exchanges.

SOAP • Simple Object Access Protocol: a protocol for exchanging XML-based messages over computer network, normally using HTTP (from W3C) • Foundation layer of the Web services stack • Different types of messaging patterns: • Remote Procedure Call (RPC) – most popular • Service-Oriented Architecture (SOA) • RESTful Web Services • SOAP Envelop

UDDI • Universal Description, Discovery, and Integration: a platform-independent, XML-based registry for businesses worldwide to list themselves on the Internet (from OASIS) • Support: • businesses to publish service listings • discover each other • define how the services or software applications interact over the Internet • Components: • White Pages — address, contact, and known identifiers • Yellow Pages — industrial categorizations based on standard taxonomies • Green Pages — technical information about services exposed by the business

WS-Security • WS-Security (Web Services Security): a communications protocol providing a means for applying security to Web Services • From: originally by IBM, Microsoft, and VeriSign, the protocol is now officially called WSS and developed via committee in Oasis-Open • Defines how integrity and confidentiality can be enforced on Web Services messaging • Use of SAML and Kerberos, and certificate formats • Incorporates security features in the header of a SOAP message, working in the application layer (different from TLS-based security)

WS Policy • WS-Policy: a specification that allows web services to use XML to advertise their policies (on security, Quality of Service, etc.) and for web service consumers to specify their policy requirements

W3C Standard Maturation • Working Draft (WD): published for review by "the community" • Candidate Recommendation (CR): a version of the standard that is more firm than the WD • Proposed Recommendation (PR): the version of the standard that has passed the prior two levels • W3C Recommendation (REC): most mature stage of development • Later Revisions: updated by separately-published Errata

WS Security Outline • Security on the Web • Data Security • Metadata Security • Application Security • Future Directions

Outline • Security on the Web • Data Security • Access Control Models for Semi-Structured Data • Syntactic XML • Secure XML Views • XML UpdatesXML association object • XML and Semantics • SMIL • Inference Control • MetadataSecurity • Application Security • Future Directions

Limitation of Research • Syntax-based • No association protection • Limited handling of updates • No data or application semantics • No inference control

Secure XML Views - Example medicalFiles <medicalFiles> UC <countyRec> S <patient> S <name>John Smith </name> UC <phone>111-2222</phone> S </patient> <physician>Jim Dale </physician> UC </countyRec> <milBaseRec> TS <patient> S <name>Harry Green</name> UC <phone>333-4444</phone> S </patient> <physician>Joe White </physician> UC <milTag>MT78</milTag> TS </milBaseRec> </medicalFiles> countyRec milBaseRec physician Jim Dale physician Joe White milTag MT78 patient patient name John Smith phone 111-2222 name Harry Green phone 333-4444 View over UC data

Secure XML Views - Example cont. medicalFiles <medicalFiles> <countyRec> <patient> <name>John Smith</name> </patient> <physician>Jim Dale</physician> </countyRec> <milBaseRec> <patient> <name>Harry Green</name> </patient> <physician>Joe White</physician> </milBaseRec> </medicalFiles> countyRec milBaseRec physician Jim Dale physician Joe White patient patient name John Smith name Harry Green View over UC data

Secure XML Views - Example cont. medicalFiles <medicalFiles> <tag01> <tag02> <name>John Smith</name> </tag02> <physician>Jim Dale</physician> </tag01> <tag03> <tag02> <name>Harry Green</name> </tag02> <physician>Joe White</physician> </tag03> </medicalFiles> countyRec milBaseRec physician Jim Dale physician Joe White patient patient name John Smith name Harry Green View over UC data

Secure XML Views - Example cont. medicalFiles <medicalFiles> UC <countyRec> S <patient> S <name>John Smith</name> UC </patient> <physician>Jim Dale</physician> UC </countyRec> <milBaseRec> TS <patient> S <name>Harry Green</name> UC </patient> <physician>Joe White</physician> UC </milBaseRec> </medicalFiles> countyRec milBaseRec physician Jim Dale physician Joe White patient patient name John Smith name Harry Green View over UC data

Secure XML Views - Example cont. medicalFiles <medicalFiles> <name>John Smith</name> <physician>Jim Dale</physician> <name>Harry Green</name> <physician>Joe White</physician> </medicalFiles> physician Jim Dale name John Smith physician Joe White name Harry Green View over UC data

Secure XML Views - Solution • Multi-Plane DTD Graph (MPG) • Minimal Semantic Conflict Graph (association preservation) • Cover story • Transformation rules

Multi-Plane DTD Graph <milBaseRec> D,medicalFiles UC <milTag> TopSecret S TS D, countyRec D, milBaseRec <countyRec> UC S TS D, physician <patient> D, patient D, milTag Secret <phone> UC S D, name D, phone <physician> <name> <medicalFiles> Unclassified MPG = DTD graph over multiple security planes

Transformation - Example <milBaseRec> MPG <milTag> TS MSCG <countyRec> <patient> name phone S <phone> physician <medicalFiles> Security Space Secret UC <physician> <name>

Transformation - Example <milBaseRec> <milTag> TS <countyRec> <patient> name S <phone> physician <emrgRec> <medicalFiles> MSCG UC <physician> <name> SP MPG

Transformation - Example <milBaseRec> <milTag> TS <countyRec> <patient> S <phone>  <emrgRec> <medicalFiles> MSCG UC <physician> <name> SP MPG

Transformation - Example <milBaseRec> <milTag> TS medicalFiles <countyRec> <patient> emergencyRec S <phone> physician <emrgRec> name <medicalFiles> UC <physician> <name> SP Data Structure MPG

Outline • Security on the Web • Data Security • Access Control Models for Semi-Structured Data • Syntactic XML • Secure XML Views • XML Updates XML association object • XML and Semantics • SMIL • Inference Control • MetadataSecurity • Application Security • Future Directions

Report P Title P Data P Date P Temperature ? P Images S Water Resources S Concrete Location S Civil Area S TS Defense Sector Delete - Example

Delete Operations • Delete entire sub-tree under a deleted node • Most widely used approach • Problem: blind write • Delete only the viewable nodes • Problem: fragmentation of XML tree • Reject the delete • Problem: covert channel

Different Solution – Deleted Label Basic Idea • A unique domain “Del” for deleted nodes • Change security classification of deleted node (o, {do  Del}) • Perform after delete operation • Change security clearance of users, where s = (s, {ds}) > (o, {do}) to ( (s, {ds}) , (o, {do  Del}) ) • Can be preprocessed • Use BLP axioms

Report P Title P Data P Date P Temperature P Images (S,{Del}) Concrete Location (S,{Del}) Defense Sector TS Example - Top Secret View Subject clearances: (TS, {})  { (TS, {}) , (S, {Del}), (P, {Del}) } (S, {})  { (S, {}), (P, {Del}) } (P, {})  { (P, {}) }

MedicalDb SSN Patient * Name Name Patient Phone Phone Birthdate Race * Diagnosis Date Patient Physician Prescription Comments Birthdate Allergies * Race Allergen Diagnosis Date Comments Node Association - Example DTD of Patient Health Record

Object - Association level classification Node level classification + - + + + + Layered Access Control

t1 t2 t3 t4 Simple Security Object o  ti :(ti) = (o)

t1 t2 t3 t4 Association Security Object o  ti : (ti) < (o)

// r d a b c v1 v1 Query Pattern FOR $x in //r LET $y := $x/d, $z := $x/a RETURN <answer> {$z/c} </answer> WHERE { $z/b==$y} Query Pattern

Pattern Automata • Pattern Automata X = { S, Q, q0 , Qf , d } • S = E  A  { pcdata, //} • d is a transition function • Q = {q0 , … , qn} • Qf Q, (q0 Ï Qf) • Valid transitions on d are of the following form: s(qi, … ,qj)  qk • If d does not contain a valid transition rule, the default new state is q0

// a b c Pattern Automata - Example • = { a, b, c, //} Q = {q0, qa, qb, qc} Qf = {qa} d= { b( )  qb , c( )  qc , a(qb,qc)  qa , *(qa)  qa } Association object Pattern Automata

Parallel Operator “PAR” VIDEO AUDIO AUDIO Sequential Operator “SEQ” VIDEO and AUDIO together VIDEO AUDIO VIDEO VIDEO after END of AUDIO Switch Operator “switch” VIDEO SILENCE If Condition A= TRUE, then only VIDEO AUDIO SILENCE If Condition B= TRUE, then only AUDIO SMIL

SMIL vs. XML • In both, document = tree • BUT XML has NO intended semantics, SMIL specify runtime behavior • QoS (timeliness and continuity) specified using synchronization constructs <par>, <seq>, <excl> and others. • No Security for SMIL <smil> <seq> <par> <audio src=“http://www.example.org/Audio1.rm”> <video src=“http://www.example.org/Video1.rm”> </par> <par> <audio src=“http://www.example.org/Audio2.rm”> <video src=“http://www.example.org/Video2.rm”> </par> </seq> </smil> <smil> <seq> <par> <par> Video2 Video1 Audio1 Audio2

t t+7 t+14 SEQ Audio 1 Audio 2 Audio 1 Audio 2 Video 1 Video 2 A1 A2 t t+7 t+14 SEQ Audio 1 Audio 2 Video 1 Video 2 Video 1 Video 2 V1 V2 PAR PAR t t+7 t+14 SEQ SEQ Audio 1 Audio 2 Audio 1 Audio 2 Video 1 Video 2 Video 1 Video 2 V1 V2 A1 A2 Object Identity in SMIL - I

t t+7 t+14 SEQ Audio 1 Audio 2 Audio 1 Video 1 Video 2 Video 2 A1 V2 t t+7 t+14 SEQ Audio 2 Audio 1 Audio 2 Video 1 Video 1 Video 2 A2 V1 Audio 1 PAR Audio 2 Video 1 Video 2 PAR t t+7 t+14 SEQ SEQ Audio 1 Audio 2 Video 1 Video 2 V1 A2 A1 V2 Object Identity in SMIL - II

t t+7 t+14 PAR Audio 1 Audio 2 Audio 1 Video 1 Video 2 Video 1 A1 V1 t t+7 t+14 PAR Audio 2 Audio 1 Audio 2 Video 2 Video 1 Video 2 V2 A2 Audio 1 SEQ Audio 2 Video 1 Video 2 SEQ t t+7 t+14 PAR PAR Audio 1 Audio 2 Video 1 Video 2 A2 V2 V1 A1 Object Identity in SMIL - III

SMIL Normal Form SMIL Normal Form (smilNF) is of the form <seq> <par> C_1,1(s) C_1,2 (s) C_1,3 (s) .. C_1,n (s)</par> <par> ……………………..………………<par> <par> C_ m,1(s) C_m,2(s) C_ m,3 (s)..C_m,n (s)</par> </seq> where C i,j are audio or video, image or text media intervals.

A1 A2 A3 B1 B2 B3 C1 C2 C3 D1 D2 D3 Normalization Algorithm SEQ SEQ 1 2 3 A1 A2 A3 A <PAR> <PAR> <PAR> B1 B2 B3 B <PAR> C1 C2 C3 C A1 B1 D1 C1 A3 B3 D3 C3 D1 D2 D3 D A2 B2 D2 C2 Representation 1 SEQ SEQ 1 2 3 A B <PAR> <PAR> <PAR> <PAR> C A1 C3 D B2 C2 D2 Representation 2

<SEQ> <SEQ> <SEQ> <PAR> <PAR> (r1)<PAR> <PAR> <PAR> <PAR> (Empty) V1 A2 V2 A1 (r3)V1 (r1)A2 (r2)V2 A1 V1 A2 Metadata in SMIL - RBAC Example A1 RBAC metadata decorated SMIL Normal Form SMIL Normal Form Permitted view for Role 1

The Inference Problem General Purpose Database: Non-confidential data + Metadata Undesired Inferences Semantic Web: Non-confidential data + Metadata (data and application semantics) + Computational Power + Connectivity  Undesired Inferences

Air show address fort address fort Association Graph • Association similarity measure • Distance of each node from the association root • Difference of the distance of the nodes from the association root • Complexity of the sub-trees originating at nodes • Example: XML document: Association Graph: Public Public, AC

Web Data and Application Security Kodali, Farkas and Wijesekera

Web Data and Application Security Kodali, Farkas and Wijesekera

Presentation Transcript

Web Application Security

Implementing Application and Data Security

Web Application and network security

Web Application Security

Web Application Security

Web Application Security

Web Application Security

Web Data and Application Security CSCE 201

Web Application Security

Web Data and Application Security Policies Naren Kodali

Implementing Application and Data Security

Web Application Security

Web application security

Web Application Security

Web Application Security

Web Application Security

Web browser and Web application security

Web Data and Application Security Csilla Farkas farkas@cse.sc cse.sc/~farkas

Web Application Security