A ROLE-BASED ACCESS CONTROL APPROACH FOR APPLICATION LEVEL
SECURITY ENFORCEMENT
Tanvi Desai
B.E, Gujarat University, India, 2007
PROJECT
Submitted in partial satisfaction of
the requirements for the degree of
MASTER OF SCIENCE
in
COMPUTER SCIENCE
at
CALIFORNIA STATE UNIVERSITY, SACRAMENTO
Spring
2012
A ROLE-BASED ACCESS CONTROL APPROACH FOR APPLICATION LEVEL
SECURITY ENFORCEMENT
A Project
by
Tanvi Desai
Approved by:
__________________________________, Committee Chair
Ying Jin, Ph.D
__________________________________, Second Reader
Mary Jane Lee, Ph.D
____________________________
Date
Student: Tanvi Desai
I certify that this student has met the requirements for format contained in the University format
manual, and that this project is suitable for shelving in the Library and credit is to be awarded for
the Project.
__________________________, Graduate Coordinator
Nikrouz Faroughi, Ph.D
Department of Computer Science
________________
Date
Abstract
of
A ROLE-BASED ACCESS CONTROL APPROACH FOR APPLICATION LEVEL
SECURITY ENFORCEMENT
by
Tanvi Desai
Web applications are very popular. Many users can log into a system and access, update, or
delete its information. In the traditional approach, users are recognized by the username and
password they provide to gain access, which are stored in the database. In this approach,
authentication is performed only when a user tries to log into the application. Once the user
has successfully entered the web application, they can perform as many transactions as they want
over a single database connection.
Access control can restrict the information users may access. In the case of web
applications, however, more than one user may be working on an application at the same time. To
ease the complexity of granting access to multiple users, Role-based Access Control was
implemented. Instead of granting permissions to each and every user, roles are defined based on
the responsibilities and positions a user holds in an organization. Permissions are granted to the
roles, and the roles are assigned to the users to perform certain operations on the application or to
access certain information. It is a way of restricting the web application to authorized users.
According to the roles, and the permissions granted to those roles, a user can access the
functionalities and vital information of the application.
In this project, I have implemented the Role-based access control approach using an
Employee - Department schema. The project is developed using Oracle 10G Express Edition and
Eclipse Galileo 3.2. Five different types of roles were created and different sets of permissions
were assigned to those roles. I created many users and assigned appropriate roles to those
users. To demonstrate role-based access control, I developed a web application in Eclipse Galileo
3.2. This project shows how role-based access control can increase database security by
restricting users to limited access to the system. It also shows how we can minimize SQL
Injection attacks by implementing role-based access control.
_______________________, Committee Chair
Ying Jin, Ph.D
_______________________
Date
DEDICATION
To my father, mother and loving husband who let me pursue my dreams.
ACKNOWLEDGEMENTS
I would like to thank all those people who gave me the guidance, knowledge and
support to complete this project.
I would like to thank Dr. Ying Jin, my project advisor, whose valuable knowledge,
experience, suggestions and encouragement helped me complete the project. I thank Dr.
Jin for allowing me to work under her guidance on this project. Working with Dr. Ying Jin on
this project was a real pleasure, especially while working full time. Her experience, knowledge,
time and support really helped in the completion of this project.
I would also like to thank Dr. Mary Jane Lee for being my second reader. I would also
like to thank Dr. Nikrouz Faroughi, Graduate Coordinator of Computer Science Department, for
his support.
Finally, I would like to thank my family and friends, especially Maulik Vyas and
colleagues, for their constant support and inspiration during this project.
TABLE OF CONTENTS
Page
Dedication ....................................................................................................................................... vi
Acknowledgements ........................................................................................................................ vii
List of Figures .................................................................................................................................. x
Chapter
1. INTRODUCTION ........................................................... 1
1.1 The Purpose and Fundamentals of Access Control ........................ 1
2. RELATED WORK ........................................................... 4
2.1 Brief History and Overview ............................................ 4
2.2 Tools and Technology .................................................. 7
3. ARCHITECTURE .......................................................... 12
3.1 System Architecture .................................................. 12
3.2 RBAC Database Architecture ........................................... 12
3.3 RBAC Role Classification ............................................. 17
4. IMPLEMENTATION ........................................................ 21
4.1 Database Implementation .............................................. 22
4.2 Front-End Application Implementation ................................. 30
5. TEST AND RESULTS ...................................................... 57
5.1 System Testing ....................................................... 57
5.2 Vulnerability Check .................................................. 58
5.3 SQL Injection ........................................................ 60
6. SUMMARY AND FUTURE WORK ............................................... 69
Bibliography ............................................................. 70
LIST OF FIGURES
Page
Figure 1 Oracle Database 10G Express Edition Architecture .......................................................... 9
Figure 2 Role-based Access Controls, General Architecture......................................................... 12
Figure 3 Database Schema ............................................................................................................. 17
Figure 4 Creating Roles ................................................................................................................. 22
Figure 5 Creating Rules and Granting Permissions for Employees_HR ......................... 24
Figure 6 Creating Rules and Granting Permissions for Employees_Manager ................... 26
Figure 7 Creating Rules and Granting Permissions for Employees_end_user .................. 27
Figure 8 Creating Rules and Granting Permissions for Guest_User .......................... 28
Figure 9 Implementation ................................................................................................................ 29
Figure 10 Login Page ..................................................................................................................... 30
Figure 11 Guest Username and Password...................................................................................... 31
Figure 12 Welcome Page for Account Manager, Employees_HR ................................................ 31
Figure 13 Welcome Page for HR ................................................................................................... 32
Figure 14 Welcome Page for Employee ........................................................................................ 33
Figure 15 Welcome page for Guest Users ..................................................................................... 34
Figure 16 Create Department for Account Manager...................................................................... 35
Figure 17 Create Department for Employee HR ........................................................................... 36
Figure 18 Department List for Account Manager .......................................................................... 37
Figure 19 Department List for Employee_HR ............................................................................... 38
Figure 20 Department List for Manager ........................................................................................ 39
Figure 21 Department List for Employee ...................................................................................... 40
Figure 22 Employee Registration Page .......................................................................................... 41
Figure 23 Create Employee for Account Manager ........................................................................ 42
Figure 24 Create Employee for Employee_HR ............................................................................. 43
Figure 25 Editing User Information ............................................................................................... 44
Figure 26 Welcome Page After User Has Been Edited ................................................................. 45
Figure 27 Employee List for Account Manager ............................................................................ 46
Figure 28 Employee List for Employee_HR ................................................................................. 47
Figure 29 Employee List for Manager ........................................................................................... 48
Figure 30 Employee List for Employee ........................................................................................ 49
Figure 31 Password Reset Screen .................................................................................................. 50
Figure 32 Password Reset Screen .................................................................................................. 51
Figure 33 Create Salary for Account Manager .............................................................................. 52
Figure 34 Create Salary for Employee_HR ................................................................................... 53
Figure 35 Salary List for Employee_HR ....................................................................................... 54
Figure 36 Salary List for Manager ................................................................................................. 55
Figure 37 List of Departments and Employees .............................................................................. 56
Figure 38 Login Page .................................................................... 57
Figure 39 Visibility of Information for the Guest User .................................. 58
Figure 40 Acunetix Vulnerability Result ................................................. 59
Figure 41 SQL Injection Input Strings ................................................... 60
Figure 42 Login Page (Attack Result) .................................................... 61
Figure 43 Department (Logged in as HR) (Attack) ......................................... 62
Figure 44 Create Department (Logged in as HR) (Attack Result) ........................... 63
Figure 45 Department List (Logged in as Employee Manager) (Attack Result) ............... 64
Figure 46 Employee List (Logged in as Employee Manager) (Attack Result) ................. 64
Figure 47 Salary List (Logged in as Employee Manager) (Attack Result) ................... 65
Figure 48 Department List (Logged in as End User) (Attack Result) ....................... 66
Figure 49 Employee List (Logged in as End User) (Attack Result) ......................... 66
Figure 50 Salary List (Logged in as End User) (Attack Result) ........................... 67
Figure 51 Department List (Logged in as Guest User) (Attack Result) ..................... 68
Chapter 1
INTRODUCTION
Access control has existed as a concept for protection for as long as humans have used guards,
gates or locks to limit individuals' access to valuable assets. In today's fast-paced world most
things are done through computers, thereby increasing the level of threat for an organization and its
members. To protect the organization, authorization is enforced to ensure that users can
access only the resources and content they require in a system. Access control is the most fundamental
security measure in Information Technology and one of the primary aspects of securing the data
that flows in an organization. It promotes the optimal sharing and exchange of resources, even
though it increases the cost and takes a little more time to implement. Access control
can also be implemented as a constraint on each user to determine when and how the resources
may be used, and it also helps in determining user rights. [1]
1.1 The Purpose and Fundamentals of Access Control
Access control is one of the most important security features that has to be integrated
into the secured environment of any organization. Access control is enforced whenever a user
logs into a multi-user application. There are three types of security risks with a
computer system in general. [1]
1. Confidentiality: refers to keeping information or resources private and secure.
2. Integrity: refers to protecting information from being improperly modified by
unauthorized users.
3. Availability: refers to the information being available for use when needed.
Access control is necessary for the confidentiality and integrity of information. It is
essential because, for confidentiality, only authorized users may read the information, and, for
integrity, only authorized users may alter it. Preserving availability also needs access
control. For example, "An attacker who gains unauthorized access to a system is likely to have
little trouble bringing it down." [1]
Motivation:
RBAC grants access rights to a user in an organization based on the role the user is
assigned. The administrator associates permissions with a role and then assigns that role to
users. This allows simple, easy-to-use management of authorization while catering to
flexible policies in an organization and making sure they are enforced without any issues.
If the system has various functionalities and access rights associated with it, it is hard to
manage them per individual user. Also, in many organizations most financial and managerial
information is hidden from end users; it is available only at the management level. In this case,
users other than managers should not have access rights to this information. To fulfill these criteria,
the administrator would have to restrict them from accessing that extra information, which the end user
should not see. It is also necessary to keep track of the access rights of each user, which is quite
challenging. By implementing RBAC, administrators categorize users depending on
their role in the organization. These categories can be seen as Roles. The administrator can assign
the access rights to the Roles directly instead of assigning them to individual users. This
mechanism, RBAC, helps in easing the whole access-rights management task while preserving
the security of vital information. [2]
In this project, I implemented the concept of role-based access control by creating users
and roles. The roles are granted permissions for the tasks they are allowed to perform, and those
roles are assigned to the users. According to the permissions given to those roles, the user can
perform tasks in the application.
The coding was done in Java, and the back end I used was Oracle Express Edition 10G.
The Java code is written using the Eclipse IDE, which is an open source IDE for Java
developers. This project implemented an interface for creating users, assigning roles, adding
information, editing information and deleting users.
The rest of this report is organized as follows. The history, related work, and the technology and
tools used for this project are covered in Chapter 2. Chapter 3 includes the system architecture,
application architecture and application database schema. Chapter 4 covers the implementation of
role-based access control and the database schema. Chapter 5 explains the various test cases used to
test the application and the results. Chapter 6 concludes this report with a project summary and
future work.
Chapter 2
RELATED WORK
2.1 Brief History and Overview
The discipline of computer security began in the early 1970s. Large resource-sharing
systems were becoming commonplace in government and large commercial organizations. [3]
The growth in multiuser computer systems and the increased dependence of defense
systems on computers led to efforts by the U.S. Defense Science Board to investigate the
vulnerability of government systems in the late 1960s. University researchers started to consider this
problem too. Business organizations and commercial computer applications started
recognizing roles and responsibilities and implemented limited forms of access control based
on the user's role within an organization. These systems were application-specific. At that time
there was no general-purpose model defined for specifying how access control could be based on
roles, and there were no commonly agreed formal standards for this concept. [3]
Ferraiolo and Kuhn [3] proposed a general-purpose role-based access control model in
1992 by integrating features of existing application-specific approaches into a generalized role-
based access control model. Three basic rules were required:
1. Role Assignment: A user can perform a transaction only if the user has selected or been
assigned a role. The identification and authentication process is not considered a
transaction; all other user activities on the system are conducted through transactions, so all
active users are required to have some active role.
2. Role authorization: A user's active role must be authorized for the user. This rule ensures
that users can take on only roles for which they are authorized.
3. Transaction authorization: A subject can execute a transaction only if the transaction is
authorized through the subject's role memberships, and subject to any constraints that
may be applied across users, roles, and permissions. Together with (1) and (2), this rule ensures
that users can execute only transactions for which they are authorized.
The key feature of this model is that a user can access the application only through roles. A
role can be considered a collection of permissions, and all users receive permissions only
through the roles to which they are assigned. The roles are usually stable, but the users and
permissions may vary depending on the situation and time. This simplifies the
management of an organization. This model was extended in 1995 by Ferraiolo, Cugini and
Kuhn. [3]
Sandhu, Coyne, Feinstein and Youman introduced a framework of RBAC models in 1996 that
incorporated the role-based access control features. The base model, defined through
users, roles and permissions, is known as RBAC0. RBAC1 is derived from RBAC0 and
incorporates hierarchies as a partial-order relation between roles. RBAC2 is also derived from
RBAC0 and adds constraints. RBAC3 is the fully featured role-based access control model,
which has all the features of RBAC0, RBAC1 and RBAC2. It is equivalent to the model
introduced by Ferraiolo and Kuhn in 1992 with just one exception: RBAC2 allows a partial-
order hierarchy, while the Ferraiolo-Kuhn model defines the hierarchy as a rooted tree. [3]
There is a similarity between roles and traditional groups. A group is a set of users, not a
set of permissions, and permissions can be granted to users and to the groups to which they belong. It
is difficult to grant permissions directly to the users in a group. Role-based access control requires
access through roles, and permissions are assigned to roles and not directly to users. [3]
The security of the DBMS has always been an important and common concern. It is always
possible that an authorized user may log in as a different user in the system and try to
compromise the security of vital information. In the case of web applications, the user has direct
access to the database. It is extremely necessary for the Database Management System to know
who is authorized for what information in the system. Based on the access rights, all decisions on
any information access request should be taken by the DBMS rather than by the web application.
By implementing access control in the DBMS, we achieve not only security measures for the
system but also a way to identify the malicious users of the system. [4]
As web applications have become very common nowadays, they can be used for
unwanted, illegal attacks on the DBMS such as SQL injection. The best solution to these attacks would
be to go to their roots. If only authorized users can access the information, there will be
far fewer chances of malicious transactions on the DBMS. So by implementing RBAC, the
DBMS will be protected from security attacks as well as malicious transactions.
2.2 Tools and Technology
2.2.1 Oracle 10g Express Edition (version 10.2)
Oracle Database is made and marketed by Oracle Corporation. It is an object-relational
database management system. Oracle Database 10g Express Edition is easy to install and
manage. It has a browser-based interface to administer the database and create tables, views and other
objects. The browser-based interface has facilities to import, export and view table data, run
queries and SQL scripts, and generate reports. Express Edition includes Oracle HTML DB 2.1,
which is a graphical development environment for creating database-centric web applications
and makes the developer's work easier. There are also some add-ons that allow you to use popular
Oracle and third-party languages and tools to develop database applications. The installation of
Oracle Database 10g Express Edition is very easy and takes very little time. [3]
Users access the database through user accounts. Some accounts are created
automatically; you can use them to create or manage other user accounts and to maintain the
database. Oracle Express Edition supports multiple system users at no additional cost. It
shares the high performance of Oracle's flagship DBMS products, as it is derived from the same
engine upon which Oracle Enterprise Edition is built. [3]
There are some limitations in Oracle Express Edition, as below:
1. A user cannot use more than 4GB of space.
2. There can be only one instance of Oracle Express on each computer.
3. Even when running on a multi-core processor, Oracle Express Edition will execute only on a
single processor.
4. It will use only 1GB of available RAM when installed on a server. [5]
Oracle Database 10G Express Edition Architecture
All application definitions, and an engine that renders and processes pages, are
stored in a metadata repository. The metadata repository resides entirely in the Oracle Database. It
consists of data in tables and many PL/SQL code scripts. There are approximately
425 tables and 230 PL/SQL packages in Oracle Application Express Edition.
The Application Express engine is responsible for many activities such as session state
management, authentication, authorization, page flow control, validation processing, and
page rendering and processing. The browser requests a URL that is translated into the appropriate
Oracle Application Express PL/SQL call. After the database processes the PL/SQL call, the results
are sent back to the browser in the form of HTML. [6]
Figure 1 Oracle Database 10G Express Edition Architecture
2.2.2 Role Based Access Control in Oracle
In RBAC, authorization is assigned to roles and the roles are assigned to
users. The users get the permissions associated with the role. Roles are created for the different
functions in an organization, and based on the user's responsibilities and qualifications, the
roles are assigned to them. In Oracle, many users can be assigned to one role and one user can be
assigned many roles; it is a "many to many" relationship between users and roles. You can
also grant a single role to all users by using the PUBLIC keyword in the GRANT statement. A
user holding a role WITH ADMIN OPTION is able to grant that role to other users or roles, and also has
permission to drop or alter that role. [7]
Using the ALL keyword, the user can enable all the roles they are authorized for. Using the
EXCEPT keyword, the user can enable all the authorized roles except the ones named in the EXCEPT clause.
To disable all roles, the user can use the NONE clause.
Oracle also supports creating a role hierarchy by granting a role to another role. It
does not allow the user to add relationships or constraints among those roles. A user can grant
SELECT, UPDATE, DELETE and INSERT privileges on a table or view, ALTER and
CREATE INDEX on tables only, and EXECUTE on procedures or functions. Using ADMIN
OPTION, system privileges can be assigned. [7]
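The Oracle role mechanics described in this section, as one worked script: privileges granted to roles rather than to accounts, a role granted to another role to form a hierarchy, the many-to-many user/role assignment, PUBLIC, ADMIN OPTION, and the ALL EXCEPT and NONE clauses (which Oracle accepts in the SET ROLE statement). This is an added example, not code from the report; the role names demo_reader and demo_writer, the accounts alice and bob, the passwords, and the schema owner hr_owner are assumptions.

```sql
-- Added example, not from the report. Part 1 runs as a DBA account (SYSTEM in
-- Express Edition); part 2 runs in alice's own session. All names below
-- (demo_reader, demo_writer, alice, bob, hr_owner) are assumptions.

-- Part 1 (as DBA) --------------------------------------------------------

-- Privileges go to roles, never to individual accounts.
CREATE ROLE demo_reader;
CREATE ROLE demo_writer;
GRANT SELECT ON hr_owner.departments TO demo_reader;
GRANT INSERT, UPDATE, DELETE ON hr_owner.departments TO demo_writer;

-- Role hierarchy: a role granted to a role. demo_writer now also carries
-- everything demo_reader carries, so it need not be granted SELECT again.
GRANT demo_reader TO demo_writer;

-- Many-to-many user/role assignment. WITH ADMIN OPTION lets bob grant
-- demo_reader onward and alter or drop it, so hand it out sparingly.
CREATE USER alice IDENTIFIED BY "placeholder_pw_1";   -- placeholder password
CREATE USER bob   IDENTIFIED BY "placeholder_pw_2";   -- placeholder password
GRANT CREATE SESSION TO alice, bob;
GRANT demo_writer TO alice;
GRANT demo_reader TO bob WITH ADMIN OPTION;

-- PUBLIC hands a role to every account in the database; reserve it for
-- roles that expose nothing sensitive.
GRANT demo_reader TO PUBLIC;

-- Review which grants carry ADMIN OPTION: each one is a delegation point
-- that widens who can extend access.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('DEMO_READER', 'DEMO_WRITER');

-- Part 2 (as alice) ------------------------------------------------------

-- A session can shrink its active role set to what the current task needs;
-- the query after each SET ROLE shows which roles are currently active.
SET ROLE ALL EXCEPT demo_writer;   -- every granted role but demo_writer
SELECT role FROM session_roles;

SET ROLE NONE;                     -- no roles active at all
SELECT role FROM session_roles;

SET ROLE demo_writer;              -- writing again, with demo_reader inherited
SELECT role FROM session_roles;
```

Because a role granted to PUBLIC or WITH ADMIN OPTION changes who can reach or delegate the data, the dba_role_privs query in part 1 is the one to repeat during a periodic privilege review.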
2.2.3 Eclipse Galileo 3.2
Eclipse is an integrated development environment (IDE). It is a multi-language
software development environment, written mainly in Java. It can be used to develop
applications in Java and, by adding plug-ins, applications in other
languages such as Ada, C, C++, COBOL, Perl, PHP, Python, R, Ruby, Scala and many more. It is
open source and free for developers. By default, it is meant for Java developers. [8]
Eclipse was developed by Object Technology International as a Java-based replacement for the
Smalltalk-based VisualAge family of IDE products. A consortium was formed for the further
development of Eclipse as open source, and the Eclipse Foundation was created in
January 2004. [8]
2.2.4 JQuery Version 1.4.6
JQuery is a library that makes it easier and quicker for the Java developer to build JavaScript for
web pages and web applications. The current version is 1.4.6. It reduces the
lines of code and makes the code easy to understand and write. It is free. There are also many
plug-ins which add more powerful functionality to your code. [9]
It is also useful for making Ajax requests, manipulating the contents of a web page,
creating slideshows, creating drop-down menus, and making drag-and-drop interfaces. JQuery helps to
write JavaScript that works on different browsers, so developers do not have to
write code for each browser. [9]
In this project, JQuery was used for some basic functionality: navigation of the
content, auto-select for combo boxes, enabling or disabling some controls on the
forms, and hiding and unhiding some fields on the forms. There are some combo boxes on the front
end whose values are fetched from the database and offered as options to select from.
For example, while creating an employee, you can select the department from the
existing departments in the system. Depending on the privileges the user has, some fields
will be disabled or enabled. For the HINT shown to users, I wanted the hint to show up
on the first click and be hidden on the second click. The code to achieve this
functionality is written in JQuery.
Chapter 3
ARCHITECTURE
3.1 System Architecture
The general architecture of role-based access control is shown in the figure below.
Figure 2 Role-based Access Controls, General Architecture
Users are assigned roles. Based on the permissions granted to the role, a user can
perform operations in the system. Accessing application features through roles is the key
feature of this system. Each role has a set of permissions assigned, and a user gets permissions
only through roles. Using the RBAC model, the application gains features such as
inheritance, reusability and classification of duties.
3.2 RBAC Database Architecture
In this project, I have used the Employees schema to demonstrate role-based access
control. The database has been created in Oracle 10G Express Edition. Below is the database
schema. There are four tables in the database:
1. Employees
2. Department
3. Salary
4. Titles
Emp_no is the primary key and dept_no is a foreign key of the Employees table. The Employees
table has all the personal information of an employee. Dept_no is the primary key of the Department
table, and the manager's emp_no (column cur_manager_emp_no) is its foreign key. Departmental
information is stored in the Department table, which also records who is the manager of which
department. The Salary table has the salary information for an employee with the effective period of
each salary change. The combination of Emp_no and from_date is the primary key of the Salary table.
The Titles table carries the current title of all employees in the system; again, the combination of
Emp_no and from_date is the primary key of the Titles table.
Different views are created to set different levels of information sharing for different
types of users. Managers and Employees have access to very little information. Creating views and
granting permissions only on these views for these types of users is an efficient way to
constrain information access.
Below is the database definition for all the tables and views:
Department Table
CREATE TABLE departments (
dept_no INTEGER
CONSTRAINT departments_pk PRIMARY KEY,
dept_name VARCHAR2(40));
Employees Table
CREATE TABLE employees (
emp_no INTEGER CONSTRAINT employees_pk PRIMARY KEY,
birth_date DATE NOT NULL,
userid VARCHAR2(15) NOT NULL,
first_name VARCHAR2(15) NOT NULL,
last_name VARCHAR2(15) NOT NULL,
ssn_no NUMBER(9),
home_address VARCHAR2(50),
home_phone_no VARCHAR2(15),
work_address VARCHAR2(50),
work_phone_no VARCHAR2(15),
gender VARCHAR2(1) CONSTRAINT gender_enum_check CHECK (gender IN ('M','F')),
hire_date DATE NOT NULL,
current_title VARCHAR2(10),
dept_no INTEGER CONSTRAINT employees_fk_dept_no REFERENCES departments(dept_no));
Alter table departments add (cur_manager_emp_no INTEGER);
Alter table departments add constraint departments_fk_emp_no foreign
key(cur_manager_emp_no) REFERENCES employees(emp_no);
Salaries Table
CREATE TABLE salaries (
emp_no INTEGER,
pay NUMBER,
from_date DATE,
to_date DATE);
ALTER TABLE salaries ADD CONSTRAINT salaries_pk_emp_no_from_date
PRIMARY KEY (emp_no, from_date);
ALTER TABLE salaries ADD CONSTRAINT salaries_fk_emp_no
FOREIGN KEY (emp_no) REFERENCES employees(emp_no);
Titles Table
CREATE TABLE titles (
emp_no INTEGER,
title VARCHAR(50),
from_date DATE,
to_date DATE);
ALTER TABLE titles ADD CONSTRAINT titles_pk_emp_no_from_date
PRIMARY KEY (emp_no, from_date);
ALTER TABLE titles ADD CONSTRAINT titles_fk_emp_no
FOREIGN KEY (emp_no) REFERENCES employees(emp_no);
Views for Manager and Employees
-- Each view is scoped to the connected database user: SYS_CONTEXT('userenv','session_user')
-- returns the Oracle account name in upper case, which is matched against employees.userid.
CREATE OR REPLACE VIEW title_view AS
SELECT e.emp_no, t.title, t.from_date, t.to_date FROM titles t
JOIN employees e ON e.emp_no = t.emp_no
WHERE e.dept_no = (SELECT dept_no FROM employees
WHERE UPPER(userid) = (SELECT SYS_CONTEXT('userenv','session_user') FROM dual));
CREATE OR REPLACE VIEW salaries_Manager_view AS
SELECT e.emp_no, s.pay, s.from_date, s.to_date FROM salaries s
JOIN employees e ON e.emp_no = s.emp_no
WHERE e.dept_no = (SELECT dept_no FROM employees
WHERE UPPER(userid) = (SELECT SYS_CONTEXT('userenv','session_user') FROM dual));
CREATE OR REPLACE VIEW salaries_Employee_view AS
SELECT e.emp_no, s.pay, s.from_date, s.to_date FROM salaries s
JOIN employees e ON e.emp_no = s.emp_no
WHERE s.emp_no = (SELECT emp_no FROM employees
WHERE UPPER(userid) = (SELECT SYS_CONTEXT('userenv','session_user') FROM dual));
Figure 3 Database Schema
3.3 RBAC Role Classification
Five different roles have been considered in this project, and rules have been created for
each role. The rules for each role are as follows:
5. Role HR
The Rules defined for HR are as follows:
1. HR can select, insert, update, delete on employees information.
2. HR can select, insert, update, delete on departments information.
3. HR can select, insert, update, delete on salaries information.
4. HR can select, insert, update, delete on titles information.
6. Role Manager
The Rules defined for Manager are as follows:
1. Manager can select his information in employee table.
2. Manager can update his information in employee table.
3. Manager can select information in departments table.
4. Manager can select information in employees table of the employees in his
department.
5. Manager can update information in employees table of the employees in his
department.
6. Manager can select information in titles table of the employees in his department.
7. Manager can select his own information on salaries table.
7. Role Employee
Rules for Employee
1. Employee can select his own information on Employees tables.
2. Employee can update his own information in employee table like Birth_date,
First_name, Last_name, SSN, Home Address, Work address, Home Phone, Work
phone, Gender.
3. Employee can select information like Birth_date, First_name, Last_name, Work
Address, Work phone, Gender of the employees in his own department.
4. Employee can select information on departments table.
5. Employee can select his own information on Salary table.
6. Employee can select his own information on Titles table.
7. Employee can select information on Titles table of the employees on his own
Department.
8. Role Guest Users
Rules for Guest Users
1. Guest user can view the list of all department names and how many employees are in
each department.
2. Guest user can select the department name and the number of employees in each department.
9. Account Manager
Rules for Account Manager
Account Manager can perform every possible task in the application. He has all
the access in the system.
Chapter 4
IMPLEMENTATION
In this project, I have implemented Role-Based Access Control. In the system, there are
two kinds of users.
1. Guests
2. Users (HR, Manager, Employees, Account Manager)
Guest users are provided with a username and password once they click on the link for guest
users on the login screen. Using those credentials they can log in to the system. Once inside
the system, they see a Welcome screen where they can only see the LIST of Departments and the
number of Employees in each Department, because a Guest user has the privilege to see
only this information.
Other users of the system are categorized into the following Roles:
Account Manager
Manager
HR
Employee
First of all, there is an Account Manager who can enter the system and create users.
While creating a user, the Account Manager first enters the username and password and creates
the user for the application and the database. If the user already exists in the database, the
application fetches the user information from the database; if not, the form is blank
and the Account Manager or another user can edit the information based on the assigned privileges.
There is a RUN Query textbox on all the pages, where the user can enter a query. Based on the
rules specified in the database for the logged-in user, the application brings the results to the
front end. If the user does not have permission to perform that query, the application shows an
alert message that he/she does not have enough permission to process the query.
4.1 Database Implementation
Creating Roles:
--Creating role
Create role admin;
Create role employees_hr;
Create role employees_manager;
Create role employees_end_user;
Create role guest_users;
--Granting permission to create the session
Grant dba to admin;
Grant create session to employees_hr;
Grant create session to employees_manager;
Grant create session to employees_end_user;
Grant create session to guest_users;
Figure 4 Creating Roles
Granting permissions to the roles:
Creating Rules for HR
Rule no.1: HR can select, insert, update, delete on employees information.
GRANT SELECT, INSERT, UPDATE, DELETE ON employees TO employees_hr;
Rule no. 2: HR can select, insert, update, delete on departments information.
GRANT SELECT, INSERT, UPDATE, DELETE ON departments TO employees_hr;
Rule no. 3: HR can select, insert, update, delete on salaries information.
GRANT SELECT, INSERT, UPDATE, DELETE ON salaries TO employees_hr;
Rule no. 4: HR can select, insert, update, delete on titles information.
GRANT SELECT, INSERT, UPDATE, DELETE ON titles TO employees_hr;
GRANT CREATE USER TO employees_hr;
GRANT connect to employees_hr;
Figure 5 Creating Rules and Granting Permissions for Employees_HR
Creating Rules for Manager
create or replace view mgr_view as
select emp_no, birth_date, first_name, last_name, ssn_no, home_address, home_phone_no,
work_address, work_phone_no, gender, hire_date, current_title
from employees where dept_no=(select dept_no from employees
where upper(userid)=(select SYS_CONTEXT('userenv','session_user')
from dual));
Rule no.1: Manager can select his information in employee table.
Rule no.4: Manager can select information in employees table of the employees in his
department.
GRANT SELECT ON mgr_view TO employees_manager;
Rule no.2: Manager can update his information in employee table.
Rule no.5: Manager can update information in employees table of the employees in his
department.
GRANT UPDATE ON mgr_view TO employees_manager;
Rule no.3: Manager can select information in departments table.
GRANT SELECT ON departments TO employees_manager;
Rule no.6: Manager can select information in titles table of the employees in his
department.
GRANT SELECT ON title_view to employees_manager;
Rule no.7: Manager can select his own information on salaries table.
Rule No. 8: Manager can view (select) salaries in his/her own department, but cannot
insert, update, delete salaries.
-- The view has to exist before a privilege on it can be granted; the salary rules are
-- enforced through salaries_Manager_view, which receives SELECT only and no write grant.
Create or replace view salaries_Manager_view As
Select e.emp_no, s.pay, s.from_date, s.to_date from salaries s
Join employees e ON e.emp_no=s.emp_no
Where e.dept_no=(select dept_no from employees where upper(userid)=(select
SYS_CONTEXT('userenv','session_user') from dual));
GRANT select on salaries_Manager_view to employees_manager;
GRANT connect TO employees_manager;
Figure 6 Creating Rules and Granting Permissions for Employees_Manager
Creating Rules for Employee
Create or replace view end_user_emp_view As
select emp_no, birth_date, first_name, last_name, ssn_no, home_address, home_phone_no,
work_address, work_phone_no, gender from employees where upper(userid)=(select
SYS_CONTEXT('userenv','session_user') from dual);
Rule no. 1: Employee can select his own information on Employees tables.
GRANT SELECT ON end_user_emp_view to employees_end_user;
Rule no. 2: Employee can update his own information in employee table like
Birth_date, First_name, Last_name, SSN, Home Address, Work address, Home
Phone, Work phone, Gender.
GRANT UPDATE ON end_user_emp_view to employees_end_user;
Rule no. 3: Employee can select information like Birth_date, First_name, Last_name, Work
address, Work phone, Gender of the employees in his own department.
Create or replace view end_user_select_emp_view As
select emp_no, birth_date, first_name, last_name, work_address, work_phone_no, gender
from employees where dept_no=(select dept_no from employees where
upper(userid)=(select SYS_CONTEXT('userenv','session_user') from dual));
--give grant to end user to access employees' information of his own department
GRANT SELECT ON end_user_select_emp_view to employees_end_user;
Rule no.4 : Employee can select information on departments table.
GRANT SELECT ON departments TO employees_end_user;
Rule no. 5: Employee can select his own information on Salary table.
GRANT select on salaries_Employee_view to employees_end_user;
Rule no. 6: Employee can select his own information on Titles table.
Rule no. 7: Employee can select most recent title information on Titles table of the
employees on his own department.
GRANT SELECT ON title_view to employees_end_user;
Figure 7 Creating Rules and Granting Permissions for Employees_end_user
Creating Rules for Guest Users
Rule no. 1: Guest users can only see list of Departments and number of employees in
respective Departments.
--creating view for guest user to access department information.
Create or replace view guest_users_view As
select dept_name, (select count(emp_no) from employees where dept_no=d.dept_no) as
total_employees from departments d;
--give grant to guest user for access department information
GRANT SELECT ON guest_users_view to guest_users;
Figure 8 Creating Rules and Granting Permissions for Guest_User
Creating users for all Roles.
create user tanvi identified by tDesai@01;
create user jim identified by j@dave81;
create user james identified by jam@esD19;
create user john identified by usej@hn01;
create user bob identified by h@bocane8;
create user mary identified by m@rySacRanch;
create user david identified by SacM@rch_D@v;
create user leena identified by B@otM@nPD56;
create user kevin identified by H@likin89;
Assigning role to the users
grant employees_hr to tanvi;
grant employees_hr to jim;
grant employees_manager to james;
grant employees_manager to leena;
grant employees_end_user to bob;
grant employees_end_user to mary;
grant employees_end_user to david;
grant guest_users to john;
grant guest_users to kevin;
Figure 9 Implementation
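Once the roles, grants and users of Figures 4 to 9 are in place, the effective privilege set can be read back from the data dictionary and compared with the rules in Section 3.3. The script below is an added example, not part of the project; it assumes the tables and views are owned by schema RBAC and is run from a DBA session.

```sql
-- Added example, not part of the project: a least-privilege audit of the roles and
-- grants in Figures 4-9, run as a DBA.  Assumes the tables and views are owned by
-- schema RBAC.  Role and object names are stored in upper case in the dictionary.

-- 1. Every object privilege held by an application role, with the object type, so a
--    grant on a base table rather than on one of the filtering views stands out.
SELECT tp.grantee AS role_name, tp.table_name, o.object_type, tp.privilege
  FROM dba_tab_privs tp
  JOIN dba_objects o
    ON o.owner = tp.owner
   AND o.object_name = tp.table_name
 WHERE tp.owner = 'RBAC'
   AND tp.grantee IN ('EMPLOYEES_HR', 'EMPLOYEES_MANAGER',
                      'EMPLOYEES_END_USER', 'GUEST_USERS', 'ADMIN')
 ORDER BY tp.grantee, tp.table_name, tp.privilege;

-- 2. Roles other than EMPLOYEES_HR that can reach the EMPLOYEES or SALARIES base table
--    directly.  The design routes them through views, so the expected result is no rows.
SELECT tp.grantee AS role_name, tp.table_name, tp.privilege
  FROM dba_tab_privs tp
  JOIN dba_objects o
    ON o.owner = tp.owner
   AND o.object_name = tp.table_name
 WHERE o.object_type = 'TABLE'
   AND tp.owner = 'RBAC'
   AND tp.table_name IN ('EMPLOYEES', 'SALARIES')
   AND tp.grantee <> 'EMPLOYEES_HR';

-- 3. Write privileges on views.  UPDATE on MGR_VIEW and END_USER_EMP_VIEW is intended
--    (rules 2 and 5 for the manager, rule 2 for the employee); any INSERT, UPDATE or
--    DELETE on the salary, title or guest views is not.  Expected result: no rows.
SELECT tp.grantee AS role_name, tp.table_name, tp.privilege
  FROM dba_tab_privs tp
  JOIN dba_objects o
    ON o.owner = tp.owner
   AND o.object_name = tp.table_name
 WHERE o.object_type = 'VIEW'
   AND tp.owner = 'RBAC'
   AND tp.privilege IN ('INSERT', 'UPDATE', 'DELETE')
   AND tp.table_name NOT IN ('MGR_VIEW', 'END_USER_EMP_VIEW');

-- 4. System privileges and roles granted to the application roles.  CREATE USER on
--    EMPLOYEES_HR (Figure 5) and DBA on ADMIN (Figure 4) reach beyond the application's
--    own tables and are the items to justify in a review.
SELECT grantee AS role_name, privilege AS granted, admin_option
  FROM dba_sys_privs
 WHERE grantee IN ('EMPLOYEES_HR', 'EMPLOYEES_MANAGER',
                   'EMPLOYEES_END_USER', 'GUEST_USERS', 'ADMIN')
UNION ALL
SELECT grantee, 'ROLE ' || granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee IN ('EMPLOYEES_HR', 'EMPLOYEES_MANAGER',
                   'EMPLOYEES_END_USER', 'GUEST_USERS', 'ADMIN')
 ORDER BY 1, 2;

-- 5. Which database accounts hold which application role (Figure 9).
SELECT grantee AS db_user, granted_role
  FROM dba_role_privs
 WHERE granted_role IN ('EMPLOYEES_HR', 'EMPLOYEES_MANAGER',
                        'EMPLOYEES_END_USER', 'GUEST_USERS')
 ORDER BY granted_role, grantee;
```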
4.2 Front-End Application Implementation
This is the login page, where the user can enter the username and password to enter the system.
Figure 10 Login Page
On this page, guest users get to know their username and password.
Figure 11 Guest Username and Password
This is the welcome page; different types of users see different welcome screens.
Figure 12 Welcome Page For Account Manager, Employees_HR
This is the page a user sees when logged in as Employees_HR.
Figure 13 Welcome Page for HR
This is the welcome page a user sees when logged in as Employee.
Figure 14 Welcome Page for Employee
This is the page the guest user sees once logged into the system.
Figure 15 Welcome Page for Guest Users
This is the create department screen where the Account Manager enters the information.
Figure 16 Create Department for Account Manager
This form is for creating a Department for HR employees.
Figure 17 Create Department for Employee HR
This is the screen where the departments are listed.
Figure 18 Department List for Account manager
The HR user can see, edit or delete the information from this screen.
Figure 19 Department List for Employee_HR
The Manager can see the Department information from this screen.
Figure 20 Department List for Manager
This is the screen where the departments are listed for the Employee.
Figure 21 Department List for Employee
The Account manager can create three types of users (End user, Manager, HR).
Figure 22 Employee Registration Page
The Account Manager is creating a user named “tanvi” with the Manager Role assigned to her.
Figure 23 Create Employee for Account Manager
This form lets Employee_HR create only two types of users: Manager and Employees.
Figure 24 Create Employee for Employee_HR
In this form, the user can edit personal information. If the information is in the database, it
is fetched; otherwise you can edit it here.
Figure 25 Editing User Information
This is the page one sees once the user has been edited.
Figure 26 Welcome Page After User Has Been Edited
The Account Manager can see, edit and delete the employee information from this screen.
Figure 27 Employee List for Account Manager
This page lists the employees, with Edit/Delete buttons at the end, for Employee_HR.
Figure 28 Employee List for Employee_HR
Managers can only see and edit employee information.
Figure 29 Employee List for Manager
This page lists the employees, with Edit/Delete buttons at the end, when a user is logged in as an
Employee.
Figure 30 Employee List for Employee
This page shows the default users in the system. One can select a user and start resetting the password.
Figure 31 Password Reset Screen
This is the page where the Account manager or HR can reset the password for a user.
Figure 32 Password Reset Screen
This form is used for creating salary information.
Figure 33 Create Salary for Account Manager
This form is used for creating salary information for Employees_HR.
Figure 34 Create Salary for Employee_HR
The HR person can see, edit and delete the salary information from this screen.
Figure 35 Salary List for Employee_HR
This page shows that a manager can only see the salary information of employees in his/her own
department.
Figure 36 Salary List for Manager
This is the page guest users can see: the total number of employees for each department.
Figure 37 List of Departments and Employees
Chapter 5
TEST AND RESULTS
This chapter illustrates the different types of testing performed on the system. It is very
important to test the system to check whether it provides all the expected results.
5.1 System Testing
First of all, the login page allows only authorized users to enter the application. Although
there is an option to enter the application as a Guest user, the Guest user can only see certain
information in the application, which does not hurt the security of the application or its important
data.
Figure 38: Login Page
Figure 39 Visibility of Information for the Guest User
Different types of users have different permissions to access the information and
functionalities in the application. For that reason, the system has full security for its data
and functionality.
5.2 Vulnerability Check
In order to check the system for vulnerabilities, I used Acunetix’s Web Vulnerability
Scanner, which can be used to audit website security by scanning for vulnerabilities. If there are
vulnerabilities in a website, there are more chances of data theft. Acunetix is an extremely
useful tool for website analysis and vulnerability detection. The result is: NO Vulnerability
Found. [10]
Figure 40 Acunetix Vulnerability Result
5.3 SQL Injection
SQL Injection is the most common security threat in the world of web applications. SQL injection
is used to compromise the security of websites. The hacker inputs crafted malicious input to
the system. SQL injection can end up compromising sensitive data from the database,
updating sensitive information, deleting certain information, or executing unwanted commands on
the database. [11]
SQL injection can be done via different mechanisms:
5.3.1 Injection through user input:
For the login page, I tried to log in to the application using the following Username and Password
combinations.
User Name                                      Password
‘ ’ union select * from UserLogin_Table -- ‘   ‘anypwd’
“ ’or 1=1 - - ”                                pwdpwd’
%%                                             %%
Figure 41 SQL Injection Input Strings
Fortunately, because they were not authorised to the system, these combinations did not work. So
SQL injection through user input failed. The application will only allow those users who have been
granted access to the application. The role-based access control mechanism allows the system to
stay protected from SQL injection attacks as well.
Figure 42 Login Page (Attack Result)
5.3.2 Injection through cookies:
Browser cookies hold session information, which is usually created and used by a
web application. These files are stored on the client’s computer. When the client sends a request to the
web application, the web application might use the stored cookies for the client’s state information.
Hackers can modify a cookie’s contents for an SQL Injection attack. In the Role-based access control
model, access to information is based on the rights of the user. So even with modified
cookie contents, the data will not be compromised, as not every user can access, update or delete
the data. This application is safe from this kind of SQL attack as well. [11]
5.3.3 Second order Injection:
In this type of SQL injection, the hacker tries executing different types of commands on the database
and application to access the data.
I have also tried executing some SQL injection queries in the query textbox. The following query
was executed after logging in as an Employee_HR type of user.
ALTER USER ‘ADMIN’ IDENTIFIED BY ‘ADMIN’;
Figure 43 Department (Logged in as HR) (Attack)
Figure 44 Create Department (Logged in as HR) (Attack Result)
I also tried executing the following queries on the Department table after logging in as an
Employee Manager:
(1) Update Departments set Dept_no=10
(2) Update Departments set Dept_no=10 where Dept_no=1
(3) Drop Table Departments
(4) Drop Table Employees
(5) Drop View RBAC.MGR_View
(6) Update salaries set pay=’5000’
(7) Drop Table Salaries
(8) Update RBAC.Salaries_select_view set pay=”2000”
The result was as follows:
Figure 45 Department List (Logged in as Employee Manager) (Attack Result)
Figure 46 Employee List (Logged in as Employee Manager) (Attack Result)
Figure 47 Salary List (Logged in as Employee Manager) (Attack Result)
I tried executing the following SQL injection attack queries after logging in as an Employee:
(1) Update Departments set dept_no=10
(2) Update Departments set dept_no=10 where dept_no=1
(3) Drop Table Departments
(4) Drop Table Departments
(5) Drop Table Employees
(6) Drop View RBAC.MGR_View
(7) Select * from RBAC.End_User_Emp_View where emp_no=432
(8) Drop Table Departments
(9) Drop View RBAC.mgr_view
(10) Drop Table Salaries
(11) Update Salaries_select_view set pay=”2000”
(12) Update RBAC.Salaries set pay=’100’
Figure 48 Department List (Logged in as End User) (Attack Result)
Figure 49 Employee List (Logged in as End User) (Attack Result)
Figure 50 Salary List (Logged in as End User) (Attack Result)
I tried executing the following queries after logging in as a Guest user.
(1) Drop Table Departments
(2) Drop View RBAC.MGR_View
(3) Drop Table RBAC.Salaries
(4) Update RBAC.Salaries_select_view set pay=”2000”
(5) Update Salaries set pay=’100’
(6) Update RBAC.Salaries_view set pay=’2000’
(7) Create user ‘admin’ identified by ‘admin’
Figure 51 Department List (Logged in as Guest User) (Attack Result)
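The tests above show each rejected statement only as an alert in the front end. The script below, an added example that is not part of the project, turns on Oracle's standard auditing so that the same rejections are recorded on the server and can be reviewed afterwards; it assumes Oracle 10g Express Edition, objects owned by schema RBAC, and a DBA session for the setup and the reports.

```sql
-- Added example, not part of the project: record the statements rejected in Section 5.3
-- with Oracle's standard auditing, so probing through the RUN Query textbox leaves a
-- trace on the server and not only an alert on the screen.  Assumes Oracle 10g Express
-- Edition, objects owned by schema RBAC, and a DBA session.

-- 1. One-time setup: keep the audit trail in the database.  AUDIT_TRAIL is a static
--    parameter, so the instance has to be restarted before auditing takes effect.
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;

-- 2. Audit failed DDL of the kinds the tests issued: TABLE covers CREATE, DROP and
--    TRUNCATE TABLE; VIEW covers CREATE and DROP VIEW; USER covers CREATE, ALTER and
--    DROP USER.  BY ACCESS writes one record per statement.
AUDIT TABLE, VIEW, USER BY ACCESS WHENEVER NOT SUCCESSFUL;

-- 3. Audit failed DML against any table or view.  Statement-level options are used here
--    rather than AUDIT ... ON rbac.salaries because an unqualified "Update salaries"
--    from a manager or employee session never resolves to the RBAC object at all.
AUDIT INSERT TABLE, UPDATE TABLE, DELETE TABLE BY ACCESS WHENEVER NOT SUCCESSFUL;

-- 4. Report: every rejected statement in the last day.  RETURNCODE is the ORA- error
--    number; 1031 is "insufficient privileges" and 942 is "table or view does not
--    exist", which is what an unqualified name produces when the object is not in the
--    caller's own schema.
SELECT username, timestamp, action_name, owner, obj_name, returncode
  FROM dba_audit_trail
 WHERE returncode <> 0
   AND timestamp > SYSDATE - 1
 ORDER BY timestamp;

-- 5. Accounts with several rejected statements in one day.  A single failure is usually
--    a typo in the textbox; a cluster like the lists in Section 5.3 is probing.
SELECT username, COUNT(*) AS rejected,
       MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen
  FROM dba_audit_trail
 WHERE returncode IN (1031, 942)
   AND timestamp > SYSDATE - 1
 GROUP BY username
HAVING COUNT(*) >= 3
 ORDER BY rejected DESC;
```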
Chapter 6
SUMMARY AND FUTURE WORK
This project was implemented using Java and Oracle 10g Express Edition. It
incorporates the basic functionalities of the Role-Based Access Control Model for an organization. A
role is assigned based on the responsibilities the user has in the organization. At the top level, the
administrator manages all the access. Guest users can only see certain data. Access control has
been implemented on the backend instead of the front end. A user can only access the information for
which he/she is authorized. As a result, the security of the system will not be compromised by
malicious attacks on the system. All the necessary testing has been performed, covering all kinds
of scenarios, to measure the security of the application. By implementing role-based access
control, it has been proved that it is a really good solution for security purposes. There are some
extensions which could be added to enhance the system.
There could be an interface added to the system to let the administrator user create custom
roles. Currently, there are only five roles in the system. If the administrator wants to
create another role, he would need to go to the backend to create it. The application
does not have any graphical interface where the administrator user can grant permissions to
other users. To assign a set of permissions, the administrator would have to go to the backend. The
interface could be designed in such a way that there is a multi-dimensional table and the
administrator user (? Administrator and user usually cannot be the same person) could just click the
check box and assign the permissions to selected users.
BIBLIOGRAPHY
[1] D. Ferraiolo, D. R. Kuhn, R. Chandramouli, “Role-based Access Control” (2003). In Role-based Access Control. Retrieved February 10, 2012, from National Institute of Standards and Technology. Online: http://csrc.nist.gov/groups/SNS/rbac/documents/ferraiolo-cugini-kuhn-95.pdf
[2] Role-Based Access Control (2008). In Computer Security. Retrieved March 1, 2012. Lecture Notes from Syracuse University. Online: http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/RBAC.pdf
[3] Role-based Access Control (2007). In Systems & Emerging Technologies Security Research - RBAC FAQ. Retrieved February 2, 2012, from National Institute of Standards and Technology. Online: http://csrc.nist.gov/groups/SNS/rbac/faq.html
[4] A. Bouchahda, N. Le Thanh, A. Bouhoula, F. Labbene, “Enforcing Access Control to Web Databases.” (2010). Proceedings of 2010 IEEE 10th International Conference on Computer and Information Technology, Bradford, United Kingdom.
[5] Oracle Database 10g Tutorial (2006). In Welcome to the Oracle Database 10g Express Edition Tutorial. Retrieved February 15, 2012, from Oracle Database Express Edition Tutorial. Online: http://st-curriculum.oracle.com/tutorial/DBXETutorial/index.htm
[6] Oracle Express Edition (2006). In Manifold System 8.00 for Oracle Express Edition. Retrieved February 19, 2012, from Manifold System Release 8 User Manual. Online: http://georeference.org/doc/oracle_express_edition.htm
[7] C. Ramaswamy, R. Sandhu, “Role-Based Access Control Features in Commercial Database Management Systems.” (2003). In RBAC Control Features in Commercial Database Management System. Retrieved February 20, 2012, from National Institute of Standards and Technology. Online: http://csrc.nist.gov/groups/SNS/rbac/documents/design_implementation/RBAC_DBMS_Comparison.pdf
[8] Application Express (2010). In Developer Tools. Retrieved February 20, 2012, from Oracle Application Express Architecture. Online: http://www.oracle.com/technetwork/developer-tools/apex/apex-arch-086399.html
[9] R. Grehan, “Understanding Eclipse’s Architecture.” (2003). In InfoWorld Test Center. Retrieved February 10, 2012, from Understanding Eclipse’s Architecture at InfoWorld. Online: http://www.infoworld.com/d/developer-world/understandingeclipse%E2%80%99s-architecture-805
[10] Web Vulnerability Scanner (2012). In Is Your Website Hackable? Retrieved February 10, 2012, from Web Application Security - Acunetix. Online: http://www.acunetix.com/
[11] W. Halfond, J. Viegas and A. Orso, “A Classification of SQL Injection Attacks and Countermeasures.” In Proc. of the International Symposium on Secure Software Engineering (ISSSE 2006), March 2006.