ilayer toward an application access control framework for
play

iLayer: Toward an Application Access Control Framework for Content - PowerPoint PPT Presentation

Nov 28, 2022 •653 likes •911 views

University of North Carolina at Charlotte iLayer: Toward an Application Access Control Framework for Content Management Systems Gorrell Cheek, Mohamed Shehab, Truong Ung, Ebonie Williams The Laboratory of Information Integration, Security and

  1. University of North Carolina at Charlotte iLayer: Toward an Application Access Control Framework for Content Management Systems Gorrell Cheek, Mohamed Shehab, Truong Ung, Ebonie Williams The Laboratory of Information Integration, Security and Privacy – LIISP.uncc.edu

  2. University of North Carolina at Charlotte Outline § Preliminaries § Motivation § iLayer Framework § Conclusion & Future Work Slide 2 The Laboratory of Information Integration, Security and Privacy – LIISP.uncc.edu

  3. University of North Carolina at Charlotte Content Management Systems (CMS) § Online application that provides users the ability to easily create, design, publish and manage the content of a web site § Multiple users with varying roles § Third party applications expand the capabilities and functionalities of content management systems – For example, a third party developed calendar application can provide schedule management Image source: www.ubc.ca Slide 3 The Laboratory of Information Integration, Security and Privacy – LIISP.uncc.edu

  4. University of North Carolina at Charlotte Content Management Systems § Presentation Layer Presentation Layer / Templates – Displays to the visitor of the web site the output (or content) of the Core Components CMS Content User § Core Components Management Management – Provides foundational CMS Application Session functionality Admin Management § Database Layer – Stores all content Function Library / API § Function Library / API – Provides interface for integrating third party applications Third Party Database Applications Layer / Content Slide 4 The Laboratory of Information Integration, Security and Privacy – LIISP.uncc.edu

  5. University of North Carolina at Charlotte Outline § Preliminaries § Motivation § iLayer Framework § Conclusion & Future Work Slide 5 The Laboratory of Information Integration, Security and Privacy – LIISP.uncc.edu

  6. University of North Carolina at Charlotte CMS Third Party Application Access Control § Third party application (TPA) access control functionality is not well developed § TPA’s typically have full administrator level access to the CMS and its content § File permissions are the primary way to restrict access to TPA’s § Difficult to implement § CMS administrator must be able to translate access requirements of TPA’s into file permissions § Average CMS administrator may not have sufficient skill or experience § Implemented post installation § More often than not, CMS administrators take minimal or no action to secure the CMS and its content from TPA’s Slide 6 The Laboratory of Information Integration, Security and Privacy – LIISP.uncc.edu

  7. University of North Carolina at Charlotte CMS Third Party Application Access Control § Conducted study of popular CMS – Drupal § Analyzed 412 third party applications’ database calls Table Name Table Description Potential % of 3 rd Party Impact Apps That Require Access sessions Contains user session information, e.g., Session hijacking 2% userID, sessionID, user IP address, etc. users_roles Lists the assignments between users Privilege 5% and roles escalation node_revisions Contains edits / revisions of node Content 7% content compromise permissions Lists each user role’s permissions Privilege 7% escalation users Contains usernames, passwords, Account 23% profile compromise information, etc. We believe that CMS users need additional tools and mechanisms to protect their online information from attacks via third party applications. Slide 7 The Laboratory of Information Integration, Security and Privacy – LIISP.uncc.edu

  8. University of North Carolina at Charlotte Outline § Preliminaries § Motivation § iLayer Framework § Conclusion & Future Work Slide 8 The Laboratory of Information Integration, Security and Privacy – LIISP.uncc.edu

  9. University of North Carolina at Charlotte iLayer – TPA Access Control Framework § Manages user to third party application policies in Content Management Systems Makes policy recommendations to CMS administrative user for third party applications. Policies are reviewed and set by the CMS administrative user and enforced by the iLayer Framework. Slide 9 The Laboratory of Information Integration, Security and Privacy – LIISP.uncc.edu

  10. University of North Carolina at Charlotte iLayer Framework Overview Presentation Layer / Templates Core Components Content User Management Management Application Session Admin Management Function Library / API iLayer – Reference Monitor iLayer Third Party Policy Database Applications Layer / Content Slide 10 The Laboratory of Information Integration, Security and Privacy – LIISP.uncc.edu

  11. University of North Carolina at Charlotte iLayer Framework Overview Slide 11 The Laboratory of Information Integration, Security and Privacy – LIISP.uncc.edu

  12. University of North Carolina at Charlotte A. iLayer Setup – Policy Table Setup § Create iLayer Policy table § Policy is made up of three components: – subject: third party application that will be granted access – object: database table being given access to – permission: access privilege that is granted which could be either: • read (select) • write (delete, insert, update) • read & write Slide 12 The Laboratory of Information Integration, Security and Privacy – LIISP.uncc.edu

  13. University of North Carolina at Charlotte A. iLayer Setup – Refactoring § Library core Functions Refactoring Original core() Refactored core() to i_core() function core(arg) { function i_core(3PA_Params, arg) { … … //extract table name and //extract table name and action from the arg action from the arg … } //loop for all table names if(matchPolicy(3PA_Params, table, action) = null) errorHandler(); else core(arg); } Slide 13 The Laboratory of Information Integration, Security and Privacy – LIISP.uncc.edu

  14. University of North Carolina at Charlotte B. Third Party Application Installation § Determine Requested Access by the third party application: 1. Manifest provided by the third party developer 2. Application Access Analysis § Policy Rule Tuples presented to administrative user: <manifest> <policy_rule id=``pr1"> – (subject, object, permissions) <subject>appName</subject> <object>birthday_table</object> • (application_name, <permission>select</permission> <required_flag>0</required_flag> • database_table_name, <comments>Access is not required; but...</comments> </policy_rule> • read) <policy_rule id=``pr2"> … </policy_rule> </manifest> Slide 14 The Laboratory of Information Integration, Security and Privacy – LIISP.uncc.edu

  15. University of North Carolina at Charlotte B. Third Party Application Installation § Thumbs up or thumbs down Policy Rule Recommendation is presented § Indicator of the community’s usage of the policy rule tuple Granted ¡Accesses ¡ ¡/ ¡a i ¡ (object ¡-­‑ ¡permission) ¡ Applica'on ¡ID ¡ user_roles ¡-­‑ ¡write ¡ node_revs ¡-­‑ ¡write ¡ user_roles ¡-­‑ ¡read ¡ node_revs ¡-­‑ ¡read ¡ Sessions ¡-­‑ ¡write ¡ sessions ¡-­‑ ¡read ¡ files ¡-­‑ ¡write ¡ files ¡-­‑ ¡read ¡ … ¡ 001 ¡ 0 ¡ 1 ¡ 0 ¡ 0 ¡ 0 ¡ 1 ¡ x i ¡ 0 ¡ 0 ¡ 002 ¡ 0 ¡ 0 ¡ 0 ¡ 0 ¡ 0 ¡ 0 ¡ 1 ¡ 0 ¡ 003 ¡ 1 ¡ 1 ¡ 1 ¡ 0 ¡ 0 ¡ 0 ¡ 0 ¡ 1 ¡ … ¡ 412 ¡ 0 ¡ 1 ¡ 0 ¡ 0 ¡ 0 ¡ 1 ¡ 0 ¡ 1 ¡ 413 ¡ 0 ¡ 0 ¡ 0 ¡ 0 ¡ 0 ¡ 0 ¡ ? ¡ ? ¡ Slide 15 The Laboratory of Information Integration, Security and Privacy – LIISP.uncc.edu

  16. University of North Carolina at Charlotte B. Third Party Application Installation § Thumbs up/down Policy Rule Recommendation is based on the maximum likelihood of the set of possible permission combinations for all requested objects based on historically granted accesses Recommen-­‑ files ¡-­‑ ¡read ¡ files ¡-­‑ ¡write ¡ X ¡ P(R ¡| ¡X) ¡ da'on ¡ deny ¡ deny ¡ {x 1 ¡ = ¡ ¡0, ¡x 2 ¡ = ¡ ¡0} ¡ 0 ¡ deny ¡ allow ¡ {x 1 ¡ = ¡ ¡0, ¡x 2 ¡ = ¡ ¡1} ¡ 0 ¡ allow ¡ deny ¡ {x 1 ¡ = ¡ ¡1, ¡x 2 ¡ = ¡ ¡0} ¡ .2 ¡ allow ¡ allow ¡ {x 1 ¡ = ¡ ¡1, ¡x 2 ¡ = ¡ ¡1} ¡ .5 ¡ ¡ ¡ ¡ Slide 16 The Laboratory of Information Integration, Security and Privacy – LIISP.uncc.edu

  17. University of North Carolina at Charlotte B. Third Party Application Installation § Number of conditional probability computations equal 2 n , where n equal the number of requested accesses 180 # of 3rd party apps (modules) 160 140 120 100 80 60 40 20 0 1 2 3 4 5 6 7 8 9 10 11 12 # of accesses (database table - permission) § Distribution of number of accesses for 412 Drupal TPA’s (modules) – average 2.45 and median 2.0 Slide 17 The Laboratory of Information Integration, Security and Privacy – LIISP.uncc.edu

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confidentiality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ application

1.31k views • 50 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
W3C Workshop on Access Control Application Scenarios November 17 th 2009 Luxembourg Outlines

W3C Workshop on Access Control Application Scenarios November 17 th 2009 Luxembourg Outlines

Laurent Bussard and Moritz Y. Becker Microsoft (EMIC and MSRC) W3C Workshop on Access Control Application Scenarios November 17 th 2009 Luxembourg Outlines Scenario: Privacy Policies and Preferences Links with Access Control Our

636 views • 17 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
1 General Access Control General Access Control Control of access to memory relatively easy:

1 General Access Control General Access Control Control of access to memory relatively easy:

Role of Access Control Before closing back doors we need to close front doors Access control: determines access to files &amp; processes in OS Fall 2008 We will return to these themes throughout the course Fall 2008 CS

512 views • 6 slides
A Formal Framework for UML Modeling with Timed Constraints: Application to Railway Control

A Formal Framework for UML Modeling with Timed Constraints: Application to Railway Control

FRENCH NATIONAL INSTITUTE FOR TRANSPORT SAFETY AND RESEARCH A Formal Framework for UML Modeling with Timed Constraints: Application to Railway Control Systems Rafael Marcano Samuel Colin Georges Mariano Specification and Validation of UML

254 views • 24 slides
SYSTEM DIAGRAMS Door Entry &amp; Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry &amp; Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry &amp; Access Control ACCESS CONTROL ACCESS CONTROL Allowing residents / staff access to site areas Main entrance Vehicle entrances Pedestrian entrances Gate / Barrier entrance Bin / Bike / Refuge

336 views • 14 slides
Application of a Quality Control Framework Principal Investigators: Kevin Fiscella, MD, MPH

Application of a Quality Control Framework Principal Investigators: Kevin Fiscella, MD, MPH

Improving EHR Data Quality: Application of a Quality Control Framework Principal Investigators: Kevin Fiscella, MD, MPH University of Rochester Jonathan N. Tobin, PhD Clinical Directors Network, Inc. Presenter: Mechelle Sanders Project

183 views • 14 slides
Application of RNA aptamers to the control of Application of RNA aptamers to the control of the

Application of RNA aptamers to the control of Application of RNA aptamers to the control of the

Application of RNA aptamers to the control of Application of RNA aptamers to the control of the hepatitis C virus-CRE region function Alba Fernndez-Sanls , Beatriz Berzal-Herranz , Rodrigo Gonzlez-Matamala, Pablo Ros-Marco,

161 views • 15 slides
Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs Access Control Administration Accountability Chapter 2 Access Control Models Identification and Authentication Methods Lecturer:

708 views • 9 slides
Towards Standardization of Distributed Access Control Mario Lischka, Yukiko Endo Elena

Towards Standardization of Distributed Access Control Mario Lischka, Yukiko Endo Elena

Towards Standardization of Distributed Access Control Mario Lischka, Yukiko Endo Elena Torroglosa, Alejandro Prez, Antonio G. Skarmeta NEC Laboratories Europe University of Murcia Presentation at W3C Workshop on Access Control Application

555 views • 9 slides
Application-level sandboxing Erik Poll 1 Overview 1. Compartmentalisation 2. Classic OS access

Application-level sandboxing Erik Poll 1 Overview 1. Compartmentalisation 2. Classic OS access

Software Security Application-level sandboxing Erik Poll 1 Overview 1. Compartmentalisation 2. Classic OS access control compartmentalisation between processes Chapter 2 of lecture notes 3. Language-level access control

909 views • 69 slides
Access Control is an Inadequate Framework for Privacy Protection Lalana Kagal &amp; Hal Abelson

Access Control is an Inadequate Framework for Privacy Protection Lalana Kagal &amp; Hal Abelson

Access Control is an Inadequate Framework for Privacy Protection Lalana Kagal &amp; Hal Abelson DIG @ CSAIL Monday 12 July 2010 Alternate Definitions of Privacy In 1890, Brandeis and Warren defined privacy as the right to be let alone

541 views • 11 slides
iOS Multimedia CS 4720 Mobile Application Development CS 4720 iOS Architecture CS 4720 2

iOS Multimedia CS 4720 Mobile Application Development CS 4720 iOS Architecture CS 4720 2

iOS Multimedia CS 4720 Mobile Application Development CS 4720 iOS Architecture CS 4720 2 Two Levels of Access Some features live at a higher level in the main media player framework - MediaCoreServices Fine-grained control is

250 views • 20 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
tPA Lawsuits Airway Management Elevate Head of Bed 30 Degrees NPO Bedrails Up Fever Control

tPA Lawsuits Airway Management Elevate Head of Bed 30 Degrees NPO Bedrails Up Fever Control

2/19/2014 Basic Stroke Care tPA Lawsuits Airway Management Elevate Head of Bed 30 Degrees NPO Bedrails Up Fever Control Blood Sugar Control ASA 160-325mg PO (if no blood on CT) Reverse Anticoagulants tPA NOT given tPA given DVT Prophylaxis

444 views • 12 slides
A GLOBAL HEALTHCARE COMPANY We are Sanofi CORPORATE PRESENTATION | JUNE 2016 2 Sanofi US Brands

A GLOBAL HEALTHCARE COMPANY We are Sanofi CORPORATE PRESENTATION | JUNE 2016 2 Sanofi US Brands

A GLOBAL HEALTHCARE COMPANY We are Sanofi CORPORATE PRESENTATION | JUNE 2016 2 Sanofi US Brands Our model of innovation 4 14% R&amp;D HUBS of sales invested in R&amp;D. across Germany, France, Increasing annual R&amp;D investments North

434 views • 12 slides
Form and Structure Factors: Modeling and Interactions Jan Skov Pedersen, iNANO Center and

Form and Structure Factors: Modeling and Interactions Jan Skov Pedersen, iNANO Center and

Form and Structure Factors: Modeling and Interactions Jan Skov Pedersen, iNANO Center and Department of Chemistry University of Aarhus SAXS lab Denmark 1 New SAXS instrument in ultimo Nov 2014: Funding from: Research Council for

583 views • 44 slides
Do Informed Consumers Reduce the Price and Prevalence of Counterfeit Drugs? Evidence from the

Do Informed Consumers Reduce the Price and Prevalence of Counterfeit Drugs? Evidence from the

Do Informed Consumers Reduce the Price and Prevalence of Counterfeit Drugs? Evidence from the Antimalarial Market Anne Fitzpatrick* Department of Economics &amp; Ford School of Public Policy fitza@umich.edu March 22, 2015 *Funding was

1.34k views • 104 slides
IETF 78 TPA-Label for ADSP DKIM Third-Party Authorization Label draft-otis-dkim-tpa-label By

IETF 78 TPA-Label for ADSP DKIM Third-Party Authorization Label draft-otis-dkim-tpa-label By

IETF 78 TPA-Label for ADSP DKIM Third-Party Authorization Label draft-otis-dkim-tpa-label By Douglas Otis &amp; Daniel Black Acceptance w/o Author Domain Signature and ADSP Reject or discard discardable w/o A-D sig breaks mailing lists

473 views • 10 slides
Foreign Military Sales MG Stephen Farmen Building Readiness through Commanding General Partner

Foreign Military Sales MG Stephen Farmen Building Readiness through Commanding General Partner

UNCLASSIFIED Foreign Military Sales MG Stephen Farmen Building Readiness through Commanding General Partner Capacity United States Army Security Assistance Command UNCLASSIFIED UNCLASSIFIED Expanding Army Capabilities &amp; Capacity of Our

634 views • 38 slides
CS156: The Calculus of Complete induction (for T PA , T cons ) Computation Theoretically

CS156: The Calculus of Complete induction (for T PA , T cons ) Computation Theoretically

Induction Stepwise induction (for T PA , T cons ) CS156: The Calculus of Complete induction (for T PA , T cons ) Computation Theoretically equivalent in power to stepwise induction, Zohar Manna but sometimes produces more concise proof

348 views • 10 slides
March 8, 2018 1 1. Identify the frame work for TPA/PC Milestones and understand the

March 8, 2018 1 1. Identify the frame work for TPA/PC Milestones and understand the

Kerrie A Parr, C-TAGME March 8, 2018 1 1. Identify the frame work for TPA/PC Milestones and understand the definitions of the various levels used 2. Describe the use of TPA/PC Milestones as a self-reflection, professional development

733 views • 36 slides

More recommend