Extracting Database Access-control Policies From Web Applications

Wen Zhang, Dev Bali, Jamison Kerney, Aurojit Panda, Scott Shenker

TL;DR

The paper tackles the problem of implicit access-control policies in legacy web applications by introducing Ote, a policy extractor for Ruby on Rails that uses concolic execution to generate transcripts of SQL queries and the conditions under which they are issued. It then merges and simplifies these traces into a view-based policy that can be reviewed and optionally enforced to ensure ongoing compliance. The authors evaluate Ote on three real-world apps, showing that extracted policies can reveal errors in handwritten policies and uncover subtle bugs in the application, while acknowledging limitations in completeness and scalability. Overall, the work demonstrates that explicit, auditable policy representations are practically attainable for existing web applications and outlines clear directions for improving accuracy, expressiveness, and usability.

Abstract

To safeguard sensitive user data, web developers typically rely on implicit access-control policies, which they implement using access checks and query filters. This ad hoc approach is error-prone as these scattered checks and filters are easy to misplace or misspecify, and the lack of an explicit policy precludes external access-control enforcement. More critically, it is difficult for humans to discern what policy is embedded in application code and what data the application may access -- an issue that worsens as development teams evolve. This paper tackles policy extraction: the task of extracting the access-control policy embedded in an application by summarizing its data queries. An extracted policy, once vetted for errors, can stand alone as a specification for the application's data access, and can be enforced to ensure compliance as code changes over time. We introduce Ote, a policy extractor for Ruby-on-Rails web applications. Ote uses concolic execution to explore execution paths through the application, generating traces of SQL queries and conditions that trigger them. It then merges and simplifies these traces into a final policy that aligns with the observed behaviors. We applied Ote to three real-world applications and compared extracted policies to handwritten ones, revealing several errors in the latter.
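The workflow the abstract sketches (run the handler, record each query with the branch conditions that led to it, merge the transcripts into a view-based policy, then check later queries against that policy) is easier to see on a toy model. The following Ruby is an added illustration written for this page; it is not Ote's code nor code from the applications the paper studies, and it does not reproduce Ote's concolic executor or its simplification rules. The handler, the `Recorder`, the `Query` struct and the symbolic placeholders `:user_id` and `:course_id` are all hypothetical.

```ruby
# Added illustration, not code from the Ote paper or the Rails apps it studied.
# Models the policy-extraction loop: run a handler on concrete inputs, record
# each query together with the branch conditions that led to it, merge the
# transcripts into one view per table, then use the result to check a later
# query for compliance. All names here are hypothetical.

Query = Struct.new(:table, :where) do
  # Render the WHERE filter as predicate atoms over the symbolic inputs.
  def atoms
    where.map { |col, val| "#{table}.#{col} = #{val.inspect}" }
  end
end

# Instrumented database stand-in that records (path condition, query) pairs.
# Ote derives these transcripts by concolic execution of the real application;
# here the handler reports each guard through `branch`, giving the symbolic
# condition and the concrete outcome for this run.
class Recorder
  attr_reader :transcripts

  def initialize
    @path = []
    @transcripts = []
  end

  def run            # one concrete execution: fresh path condition
    @path = []
    yield
  end

  def branch(symbolic_cond, concrete_outcome)
    @path << (concrete_outcome ? symbolic_cond : "NOT (#{symbolic_cond})")
    concrete_outcome
  end

  def query(q)
    @transcripts << [@path.dup, q]
    []               # no real database behind this stand-in
  end
end

# Hypothetical "view grades" handler. The policy is implicit: one access check
# is an `if`, the other is a WHERE filter. :user_id and :course_id stand for
# the symbolic request inputs; `concrete` decides the guard for this run.
def view_grades(db, concrete)
  if db.branch("course.instructor_id = :user_id", concrete[:instructor])
    db.query(Query.new(:grades, { course_id: :course_id }))
  else
    db.query(Query.new(:grades, { course_id: :course_id, student_id: :user_id }))
  end
end

# Explore both branches by running the handler under two concrete roles.
def collect_transcripts
  db = Recorder.new
  [{ instructor: true }, { instructor: false }].each do |concrete|
    db.run { view_grades(db, concrete) }
  end
  db.transcripts
end

# Merge: one view per table, whose predicate is the disjunction over runs of
# (path condition AND query filter). Ote's simplification step is not modelled.
def extract_policy(transcripts)
  transcripts.group_by { |_, q| q.table }.transform_values do |ts|
    ts.map { |path, q| (path + q.atoms).join(" AND ") }.uniq
  end
end

# Enforcement: a query issued under a path condition complies if every atom of
# some view is among the atoms the query itself establishes. This is a literal
# containment check; a real enforcer needs SQL-aware implication reasoning.
def compliant?(policy, path, query)
  views = policy[query.table]
  return false unless views
  have = path + query.atoms
  views.any? { |v| v.split(" AND ").all? { |atom| have.include?(atom) } }
end

if __FILE__ == $0
  policy = extract_policy(collect_transcripts)
  policy.each { |table, views| views.each { |v| puts "#{table}: #{v}" } }
  # A later refactor that drops the student filter from the non-instructor
  # branch no longer matches any extracted view and is rejected.
  leaky = Query.new(:grades, { course_id: :course_id })
  puts compliant?(policy, ["NOT (course.instructor_id = :user_id)"], leaky)
end
```

The extracted policy for `grades` has two disjuncts, one per explored branch: instructors of the course may read all of its grades, and anyone else may read only rows where `grades.student_id = :user_id`. That is exactly the specification a reviewer would want to vet, and the final check shows how such a policy catches a query filter being dropped during later development.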

Paper Structure

This paper contains 56 sections, 1 equation, 2 figures, 3 tables, 2 algorithms.

Figures (2)

  • Figure 1: Policy extraction workflow. "CondQs" stands for conditioned queries (see the preprocessing section of the policy-extraction chapter, label sec:policy:preprocess).
  • Figure 2: A transcript from a run of the handler in the view-grades listing (label lst:view_grades), when the user is an instructor for the course.

Theorems & Definitions (4)

  • Example 2.1
  • Example 5.1
  • Example 5.3 (continues the view-generation example)
  • Remark 8.1