Utilizing Object Capabilities to Improve Web Application Security

Artykuł - szczegóły

Tytuł artykułu

Autorzy

Koppmann Michael , Kudera Christian , Pucher Michael , Merzdovnik Georg

Treść / Zawartość

Pełne teksty:

Pobierz

Identyfikatory

DOI

10.5604/01.3001.0016.0823

Warianty tytułu

Języki publikacji

Abstrakty

Nowadays, more and more applications are built with web technologies, such as HTML, CSS, and JavaScript, which are then executed in browsers. The web is utilized as an operating system independent application platform. With this change, authorization models change and no longer depend on operating system accounts and underlying access controls and file permissions. Instead, these accounts are now implemented in the applications themselves, including all of the protective measures and security controls that are required for this. Because of the inherent complexity, flaws in the authorization logic are among the most common security vulnerabilities in web applications. Most applications are built on the concept of the Access-Control List (ACL), a security model that decides who can access a given object. Object Capabilities, transferable rights to perform operations on specific objects, have been proposed as an alternative to ACLs, since they are not susceptible to certain attacks prevalent for ACLs. While their use has been investigated for various domains, such as smart contracts, they have not been widely applied for web applications. In this paper, we therefore present a general overview of the capability- based authorization model and adapt those approaches for use in web applications. Based on a prototype implementation, we show the ways in which Object Capabilities may enhance security, while also offering insights into existing pitfalls and problems in porting such models to the web domain.

Słowa kluczowe

object capabilities design patterns web security

możliwości obiektów wzorce projektowe bezpieczeństwo sieci

Wydawca

NASK – National Research Institute

Czasopismo

Applied Cybersecurity & Internet Governance

Rocznik

2022

Tom

Vol. 1, No. 1

Strony

1--18

Opis fizyczny

Bibliogr. 48 poz., rys.

Twórcy

autor

Koppmann Michael

mkoppmann@sba-research.org

SBA Research Vienna, Austria

https://orcid.org/0000-0001-5699-8226

autor

Kudera Christian

SBA Research Vienna, Austria

https://orcid.org/0000-0003-1772-039X

autor

Pucher Michael

University of Vienna, Austria

https://orcid.org/0000-0003-0123-0214

autor

Merzdovnik Georg

SBA Research Vienna, Austria

https://orcid.org/0000-0002-9955-7284

Bibliografia

1. K. Smith, A. Jones, L. Johnson, L. Smith, “Examination of cybercrime and its effects on corporate stock value,” Journal of Information, Communication and Ethics in Society, vol. 17, no. 1, pp. 42–60, 2019.
2. K. Mlitz. (2021). Size of the cybersecurity market worldwide, from 2021 to 2026. [Online]. Available: https://www.statista.com/statistics/595182/worldwide-security-as-a-service-market-size/. [Accessed: Oct. 24, 2022].
3. Inc. OWASP Foundation. (2021). OWASP top ten 2021 [Online], Available: https://www.hhs.gov/sites/default/files/owasp-top-10.pdf. [Accessed: Oct. 24, 2022].
4. J. H. Saltzer, “Protection and the control of information sharing in multics,” Communications of the ACM, vol. 17, no. 7, pp. 388–402, 1974.
5. H. M. Levy, Capability-based computer systems. USA: Butterworth-Heinemann, 1984.
6. B. W. Lampson, “Protection,” SIGOPS Operating Systems Review, vol. 8, no. 1, pp. 18–24, 1974.
7. D. Ferraiolo and R. Kuhn, “Role-based access control,” 15th NIST-NCSC National Computer Security Conference, 1992, pp. 554–563, doi: https://doi.org/10.48550/arXiv.0903.2171.
8. V. Hu, D. Kuhn, D. Ferraiolo, J. Voas, “Attribute-based access control,” Computer, vol. 48, pp. 85–88, 2015, doi: 10.1109/MC.2015.33.
9. J. B. Dennis, E. C. Van Horn, “Programming semantics for multiprogrammed computations,” Communications of the ACM, vol. 9, no. 3, pp. 143–155, 1966.
10. J. S. Shapiro, J. M. Smith, D. J. Farber, “EROS: A fast capability system,” Proceedings of the 17th ACM Symposium on Operating Systems Principles, 1999, pp. 170–185.
11. A. S. Tanenbaum, M. F. Kaashoek, R. V. Renesse, H. E. Bal, “The amoeba distributed operating system – a status report,” Computer Communications, vol. 14, pp. 324–335, 1991.
12. K. Elphinstone, G. Heiser, “From L3 to seL4 what have we learnt in 20 years of L4 microkernels?” Proceedings of the 24th ACM Symposium on Operating Systems Principles, 2013, pp. 133–150, doi: 10.1145/2517349.2522720.
13. Z. Wilcox-O’Hearn, B. Warner, “Tahoe: The least-authority filesystem,” Proceedings of the 4th ACMInternational Workshop on Storage Security and Survivability, 2008, pp. 21–26, doi: 10.1145/1456469.1456474.
14. C. Morningstar. (2017, May 7). What are capabilities? [Online]. Available: http://habitatchronicles.com/2017/05/what-are-capabilities/. [Accessed: Oct. 24, 2022].
15. A. Conill. (2019). The bearer capability URI scheme. [Online]. Available: https://git.sr.ht/~kaniini/draft-conill-bearcapsuri-scheme/tree/22c458a95992e56ac41f1fff745855b14a811046/item/draft-conillbearcaps-urischeme.txt. [Accessed: Oct. 24, 2022].
16. C. Lemmer-Webber. (2019). Bearcap URIs. [Online]. Available: https://github.com/cwebber/rwot9prague/blob/908c5522720f0e3debad2c1578c28a984660ba05/topics-and advancereadings/bearcaps.md. [Accessed: Oct. 24, 2022].
17. N. Madden. (2021). Towards a standard for bearer token URLs. [Online]. Available: https://neilmadden.blog/2021/03/20/towards-a-standard-for-bearer-token-urls/. [Accessed: Oct. 24, 2022].
18. A. Birgisson, J. G. Politz, Ú. Erlingsson, A. Taly, M. Vrable M. Lentczner, “Macaroons: Cookies with contextual caveats for decentralized authorization in the cloud,” in Network and Distributed System Security Symposium, San Diego, CA, 2014.
19. G. working group. (2020, July 10). Grant negotiation and authorization protocol. [Online]. Available: https://datatracker.ietf.org/doc/charter-ietf-gnap/01/. [Accessed: Oct. 24, 2022].
20. C. Lemmer-Webber, M. Sporny, M. S. Miller. (2020, Dec. 29). Authorization capabilities for linked data v0.3, World Wide Web Consortium Community Group. [Online]. Available: https://w3c-ccg.github.io/zcap-ld/[Accessed: Oct. 24, 2022].
21. D. Longley, M. Sporny. (2021, June 3). Linked data proofs 1.0, World Wide Web Consortium Community Group. [Online]. Available: https://w3c-ccg.github.io/ld-proofs/. [Accessed: Oct. 24, 2022].
22. Agoric. (2021). Endo [Online]. Available: https://github.com/endojs/endo. [Accesed: Oct. 24, 2022].
23. Agoric. (2021). ECMAScript spec proposal for ShadowRealm API. [Online]. Available: https://github.com/tc39/proposalshadowrealm. [Accessed: Oct. 24, 2022].
24. C. Lemmer-Webber. (2021). Spritely: Social worlds await. [Online]. Available: https://spritelyproject.org. [Accessed: Oct. 24, 2022].
25. C. Lemmer-Webber. (2021, July 18). Spritely goblins v0.8 released! [Online]. Available: https://spritelyproject.org/news/goblins0.8.html. [Accessed: Oct. 24, 2022].
26. K. Varda. (2021). Cap’n proto: introduction. [Online]. Available: https://capnproto.org/. [Accessed: Oct. 24, 2022].
27. Google. (2021). Fuchsia. [Online]. Available: https://fuchsia.dev. [Accessed: Oct. 24, 2022].
28. J. A. Rees, “A security kernel based on the lambda-calculus,” Massachusetts Institute of Technology, vol. 1564, 1995.
29. M. S. Miller. (2011, Oct. 7). Bringing object-orientation to security programming. [Online]. Available: https://www.youtube.com/watch?v=oBqeDYETXME. [Accessed: Oct. 24, 2022].
30. M. S. Miller, K.-P. Yee, J. Shapiro, Capability myths demolished, 2003.
31. M. S. Miller, Robust composition: Towards a unified approach to access control and concurrency control. Baltimore, Maryland: Johns Hopkins University, 2006.
32. M. S. Miller, C. Morningstar, B. Frantz, “Capability-based financial instruments,” Proceedings of Financial Cryptography 2000, Anguila, BWI, 2000, pp. 349–378.
33. J. Noble, S. Drossopoulou, M. S. Miller, T. Murray, A. Potanin, “Abstract data types in object-capability systems,” IWACO, 2016.
34. S. Peyton Jones, “A history of haskell: Being lazy with class,” The Third ACM SIGPLAN History of Programming Languages Conference (HOPL-III), 2007.
35. M. Finifter, A. Mettler, N. Sastry, D. Wagner, “Verifiable functional purity in java,” Proceedings of the 15th ACM Conference on Computer and Communications Security, 2008, pp. 161– 174.
36. S. Wlaschin. (2015). Using types as access tokens, F# for Fun; Profit. [Online]. Available: https://fsharpforfunandprofit.com/posts/capability-based-security-3/. [Accessed: Oct. 24, 2022].
37. E. Evans, Domain-driven design: Tackling complexity in the heart of software. Addison-Wesley, 2004.
38. C. Simpson. (2018). Object capability discipline, Monte Project. [Online]. Available: https://monte.readthedocs.io/en/latest/intro.html#object-capability-discipline. [Accessed: Oct. 24, 2022].
39. P. Wadler and S. Blott, “How to make ad-hoc polymorphism less ad hoc,” Proceedings of the 16th Annual ACM SIGPLAN–SIGACT Symposium on Principles of Programming Languages, ACM, 1989, pp. 60–76.
40. T. Close, “Web-key: Mashing with permission,” Proceedings of Web 2.0 Security and Privacy, 2008.
41. N. Loeuillet. (2016). Wallabag. [Online]. Available: https://wallabag.it/en. [Accessed: Oct. 24, 2022].
42. J. Schoning. (2019). Espial. [Online]. Available: https://github.com/jonschoning/espial. [Accessed: Oct. 24, 2022].
43. S. SAS. (2005). Symfony [Online]. Available: https://symfony.com/. [Accessed: Oct. 24, 2022].
44. T. Y. Team. (2012). Yesod web framework. [Online]. Available: https://www.yesodweb.com/. [Accessed: Oct. 24, 2022].
45. T. P. Team (2017). PureScript. [Online]. Available: https://www.purescript.org/. [Accessed: Oct. 24, 2022].
46. T. Bazaz, A. Khalique, “A review on single sign on enabling technologies and protocols,” International Journal of Computer Applications, vol. 151, pp. 18–25, 2016.
47. C. Michael, M. Gegick, S. Barnum. (2005, Sep. 12). Complete mediation, The Cybersecurity; Infrastructure Security Agency. [Online]. Available: https://us-cert.cisa.gov/bsi/articles/knowledge/principles/ completemediation. [Accessed: Oct. 24, 2022].
48. N. V. Limited. (2016). Element. [Online]. Available: https://www.element.io/ [Accessed: Oct. 24, 2022].

Uwagi

Opracowanie rekordu ze środków MEiN, umowa nr SONP/SP/546092/2022 w ramach programu "Społeczna odpowiedzialność nauki" - moduł: Popularyzacja nauki i promocja sportu (2022-2023).

Typ dokumentu

Bibliografia

Identyfikator YADDA

bwmeta1.element.baztech-0ab0d26e-ade0-4dc7-bc7b-08c213f9f592