Graphs for security

Presenting the ACG datastructure

1 2 Page 2
Page 2 of 2

While storing the source identifier in the session context simplifies the access-control process, it includes some disadvantages. First, the programming becomes more complex if the application allows multiple windows to be open at once. In that case, there are multiple valid source nodes, and the application must track and store all of them. Second, the assumption that responses to the requests are always received by the client browser may not be valid. For example, the user may push the Stop button on the Web browser. In that case, the user's source node stored in the session context may not correspond to the source of the displayed Webpage, and subsequent requests may be not authorized (depending on the access graph's structure).

Therefore, it makes sense to consider an approach that relies less on session variables. For instance, the program can send the source node as a form field with every request. That way, the source node is associated with the page displayed on the client and no longer associated with a current context for the user's session. The advantage, clearly, is that the issues discussed above are no longer a problem. Unfortunately, the system has become open to manipulation since the data sent from the client is now trusted. A hacker who learns the nodes' identifiers and graph's structure can issue requests that do not reflect the user's actual application context and thus puts the system into the same security state the system has with just ACL-based authorization. One way to address this issue is to encode and/or encrypt the identifiers of the source and the destination nodes. As a side note, from a security perspective, obfuscating the identifiers of business methods is a good idea regardless of the authorization scheme (For example, consider the following sample of bad security in URLs: https://server.company.com/app/c?ACTION=FETCH_PERSON&ID=12939&).

ACGs are not the only possible solution to out-of-order access in n-tier applications. Some current Web systems avert out-of-order access through a current access token or similar device. In using a current token, each request has an expected identifier; if the client sends the wrong identifier, the request is not authorized. This method is also effective for preventing duplicate form submissions. While effective in stopping certain kinds of inappropriate requests, current-token control does not offer the full protection of ACGs because, if a hacker gets the current token, she can potentially submit a request to an arbitrary business method as in the ACL case. Moreover, given the architectural benefits of ACGs, the current access token method begins to look like a patch on a structural problem.

Conclusion

Since many applications and systems implicitly use a directed graph as the model of access control, I think it makes sense to create a datastructure that implements the model explicitly—an access-control graph. These ACGs offer several advantages over access control implemented via ACLs including: greater security, better software design, and verification of sequential consistency of access in applications.

I implemented the ACG model on two real-world systems at a global financial company. One system is an intranet (with portions to be extranet) workflow and imaging system for a broker-dealer group. The other is an extranet application for financial-plan delivery to the sales force. Both are J2EE systems and follow the Model-View-Controller design pattern.

ACG-based authorization systems do require more upfront planning regarding application flow and may take some getting used to. However, even with these issues, ACGs are a more robust and more secure alternative than ACLs for access control in many computer applications.

Efraim Berkovich has more than 10 years' experience as a software engineer and architect. Consulting as an architect at one of the world's leading financial companies, Berkovich implemented the ideas in this article on two Web-based systems: an intranet imaging and workflow application and an extranet financial plan preparation application. Berkovich has a BS in mathematics, an MS in electrical engineering, and is currently pursuing a PhD in economics at the University of Pennsylvania. He can be reached at eqberkovich@yahoo.com.

Learn more about this topic

1 2 Page 2
Page 2 of 2