On automated RBAC assessment by constructing a centralized perspective for microservice mesh
Status: PubMed-not-MEDLINE. Language: English. Country: United States. Medium: electronic-ecollection
Document type: journal articles
PubMed: 33817024
PubMed Central: PMC7924674
DOI: 10.7717/peerj-cs.376
PII: cs-376
Knihovny.cz E-resources
- Keywords
- Access control, Authorization, Microservices, RBAC, REST, Security, Static code analysis, Systematic architecture reconstruction
- Publication type
- journal articles MeSH
It is important in software development to enforce proper restrictions on protected services and resources. Typically, software services are accessed through REST API endpoints, where restrictions can be applied using the Role-Based Access Control (RBAC) model. However, RBAC policies can be inconsistent across services, and they require proper assessment. Currently, developers rely on penetration testing, which is a costly and cumbersome process for a large number of APIs. In addition, modern applications are split into individual microservices and lack a unified view from which to carry out automated RBAC assessment. Often, a centralized perspective of an application is constructed using Systematic Architecture Reconstruction (SAR). This article presents a novel approach to automated SAR that constructs a centralized perspective for a microservice mesh based on the services' REST communication patterns. We use the views generated by SAR to propose an automated way to find RBAC inconsistencies.
Department of Computer Science, Baylor University, Waco, TX, USA
Faculty of Informatics, Masaryk University, Brno, Czech Republic