Access Control & Authorization

Proving the identity of a user isn’t the end of an application’s responsibilities: you must also verify the user is allowed to perform the actions they’re attempting. Conflating authentication (the act of identifying users) with authorization (the act of verifying their level of access within the system) is one of the most common ways applications have been breached in the recent past. Don’t fall victim to simple oversights and instead keep your application – and your users – safe.

Eric Mann

May 21, 2019

Transcript

  1. Access Control,
    Authorization, and
    Authentication
    Adam Englander
    Ijeoma Ezeonyebuchi
    Eric Mann

  2. Hello.
    Adam Englander
    Architect, iovation
    Ijeoma Ezeonyebuchi
    Mobile Quality Assurance
    Engineer, NPR
    Eric Mann
    Director of Engineering,
    Vacasa

  3. Today’s Session
    Terminology
    Access Control Systems
    Role-based Systems
    Attribute-based Systems
    Risk-based Systems
    Things to Consider

  4. Terminology
    Authorization is the function of specifying
    access rights/privileges to resources. (Wikipedia)
    Authentication is the act of confirming the
    truth of an attribute of a single piece of data
    claimed true by an entity. (Wikipedia)

  5. Terminology
    Access control is the selective restriction of
    access to a place or other resource. (Wikipedia)

  6. For example ...
    // Authentication only: the request must come from a logged-in session.
    if (! isset($_SESSION['user_id'])) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
    // Nothing below asks whether THIS user may read THIS file: any
    // authenticated user can fetch any file in the uploads directory.
    // basename() stops path traversal, not that.
    $filename = basename($_POST['filename']);
    $file = sprintf('/var/www/support/uploads/%s', $filename);
    if (file_exists($file)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header(sprintf('Content-Disposition: attachment; filename="%s"', $filename));
        header(sprintf('Content-Length: %d', filesize($file)));
        readfile($file);
        exit;
    }

  8. Terminology
    Authorization is not
    Authentication is not
    Access Control

  9. Authorization -vs- Authentication
    Authentication - proving a user is who they say they are
    Authorization - proving a user is allowed to do what
    they are attempting to do

  10. Authorization -vs- Access Control
    Authorization - proving a user is allowed to do what
    they are attempting to do
    Access Control - actually enforcing authorization
    controls on systems or resources

  11. Strong Security Requires all Three
    Authentication Authorization
    Access Control
    SECURITY
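
    The download handler from the "For example" slide, rewritten so that authentication, authorization and access control are three separate steps. This is an added example and not code from the talk: the in-memory uploads table, the session array and the request shape are constructed for illustration, and the function returns a status code and a path instead of calling header()/readfile() so it can be run from the command line (PHP 8). It answers 401 where the slide answered 403 for a missing session, since the user has not yet been identified at that point.

```php
<?php
// Added example (not code from the talk): the download handler from the
// earlier slide split into the three steps named above. The session and the
// uploads table are hypothetical in-memory arrays, and the handler returns a
// status code and a path instead of calling header()/readfile(), so it runs
// from the command line.

// Constructed "uploads" table: which stored file belongs to which user.
const UPLOADS = [
    ['id' => 1, 'owner_id' => 105, 'stored_name' => '9f1c.pdf', 'display_name' => 'invoice-march.pdf'],
    ['id' => 2, 'owner_id' => 212, 'stored_name' => '3b7e.pdf', 'display_name' => 'payroll.pdf'],
];

// 1. Authentication: who is making the request? No session means 401.
function authenticate(array $session): ?int
{
    return isset($session['user_id']) ? (int) $session['user_id'] : null;
}

// 2. Authorization: may this user read this particular upload? The decision
//    is made against the owner recorded in the table, never against the
//    user-supplied input alone. Unknown ids are denied by default.
function authorizeDownload(int $userId, int $uploadId): ?array
{
    foreach (UPLOADS as $row) {
        if ($row['id'] === $uploadId) {
            return $row['owner_id'] === $userId ? $row : null;
        }
    }
    return null;
}

// 3. Access control: the only code path that reaches the file system uses
//    the record returned by the authorization step, not request input.
function handleDownload(array $session, array $post): array
{
    $userId = authenticate($session);
    if ($userId === null) {
        return ['status' => 401, 'body' => 'authentication required'];
    }

    $uploadId = filter_var($post['upload_id'] ?? null, FILTER_VALIDATE_INT);
    if ($uploadId === false) {
        return ['status' => 400, 'body' => 'bad request'];
    }

    $record = authorizeDownload($userId, $uploadId);
    if ($record === null) {
        // One response for "does not exist" and "not yours", so the endpoint
        // does not confirm which ids are valid.
        return ['status' => 404, 'body' => 'not found'];
    }

    // A real handler would set the headers and readfile() this path.
    return [
        'status'   => 200,
        'body'     => '/var/www/support/uploads/' . $record['stored_name'],
        'filename' => $record['display_name'],
    ];
}

// Constructed requests: no session, owner, non-owner, malformed id.
$cases = [
    ['session' => [],                 'post' => ['upload_id' => '1'],    'expect' => 401],
    ['session' => ['user_id' => 105], 'post' => ['upload_id' => '1'],    'expect' => 200],
    ['session' => ['user_id' => 105], 'post' => ['upload_id' => '2'],    'expect' => 404],
    ['session' => ['user_id' => 105], 'post' => ['upload_id' => '../x'], 'expect' => 400],
];
foreach ($cases as $c) {
    $status = handleDownload($c['session'], $c['post'])['status'];
    if ($status !== $c['expect']) {
        throw new RuntimeException("expected {$c['expect']}, got $status");
    }
    printf("user=%s upload_id=%s -> %d\n", $c['session']['user_id'] ?? 'anon', $c['post']['upload_id'], $status);
}
```

    The point of the split is that the file system is only ever touched with a name taken from the record the authorization step returned; the request supplies an identifier that is looked up, not a path that is trusted.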

  12. Role-based Access Control (RBAC)
    RBAC separates the concepts of Users, Roles and
    Permissions. Roles are defined in a system, then
    Permissions defined separately. Then the security
    administrator decides what role should be permitted to
    do what action, by assigning that role to the permission.
    Finally users are assigned to roles. The system does the
    rest. (PHP-RBAC)

  13. Role-based Access Control
    Users are each assigned to one or more roles
    Each role will have one or more permissions
    Operations are restricted based on role membership
    (based on the permissions that role grants)
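
    A minimal implementation of the users, roles and permissions model described above, as an added example rather than code from the talk or from the PHP-RBAC library: the class, its method names and the role hierarchy are hand-rolled for illustration and are not PHP-RBAC's API or storage format. It shows the two properties a practitioner cares about, deny by default for unknown users and permissions, and role inheritance so a manager role can include everything a support role may do.

```php
<?php
// Added example of the RBAC model: users -> roles -> permissions, with
// deny-by-default checks and simple role inheritance. Hypothetical code
// written for this illustration; not the PHP-RBAC library.

final class Rbac
{
    /** @var array<string, string[]> role => permissions granted directly */
    private array $rolePermissions = [];
    /** @var array<string, string[]> role => parent roles it inherits from */
    private array $roleParents = [];
    /** @var array<int, string[]> user id => roles */
    private array $userRoles = [];

    public function defineRole(string $role, array $permissions, array $inherits = []): void
    {
        $this->rolePermissions[$role] = $permissions;
        $this->roleParents[$role] = $inherits;
    }

    public function assignRole(int $userId, string $role): void
    {
        if (!isset($this->rolePermissions[$role])) {
            throw new InvalidArgumentException("unknown role: $role");
        }
        $this->userRoles[$userId][] = $role;
    }

    /** Permissions of a role including everything inherited from its parents. */
    private function permissionsOf(string $role, array &$seen = []): array
    {
        if (isset($seen[$role])) {
            return []; // guard against cycles in the hierarchy
        }
        $seen[$role] = true;
        $perms = $this->rolePermissions[$role] ?? [];
        foreach ($this->roleParents[$role] ?? [] as $parent) {
            $perms = array_merge($perms, $this->permissionsOf($parent, $seen));
        }
        return $perms;
    }

    /** Authorization decision. Deny by default: unknown users and permissions get false. */
    public function hasPermission(int $userId, string $permission): bool
    {
        foreach ($this->userRoles[$userId] ?? [] as $role) {
            if (in_array($permission, $this->permissionsOf($role), true)) {
                return true;
            }
        }
        return false;
    }

    /** Access control: the enforcement point placed in front of an operation. */
    public function enforce(int $userId, string $permission): void
    {
        if (!$this->hasPermission($userId, $permission)) {
            throw new RuntimeException("403 Forbidden: user $userId lacks $permission");
        }
    }
}

// Constructed roles and assignments. The security administrator edits these
// tables; application code only ever calls hasPermission()/enforce().
$rbac = new Rbac();
$rbac->defineRole('support', ['downloads:read']);
$rbac->defineRole('downloads_manager', ['downloads:write', 'downloads:delete'], ['support']);
$rbac->assignRole(105, 'downloads_manager');
$rbac->assignRole(212, 'support');

$checks = [[105, 'downloads:read'], [105, 'downloads:delete'], [212, 'downloads:delete'], [999, 'downloads:read']];
foreach ($checks as [$uid, $perm]) {
    printf("user %d %s -> %s\n", $uid, $perm, $rbac->hasPermission($uid, $perm) ? 'allow' : 'deny');
}

try {
    $rbac->enforce(212, 'downloads:delete');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

    User 105 inherits downloads:read through the support role without it being listed on downloads_manager; user 999, who was never assigned a role, is denied everything.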

  14. Role-based Access Control (RBAC)

  15. For example ...
    if (! isset($_SESSION['user_id'])) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
    $rbac = new \PhpRbac\Rbac();
    // Bug: the user id is hardcoded, so this asks whether user 105 is a
    // downloads_manager, not whether the requesting user is.
    $rbac->enforce('downloads_manager', 105);
    $filename = basename($_POST['filename']);
    $file = sprintf('/var/www/support/uploads/%s', $filename);
    if (file_exists($file)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header(sprintf('Content-Disposition: attachment; filename="%s"', $filename));
        // ...

  16. For example ...
    if (! isset($_SESSION['user_id'])) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
    $rbac = new \PhpRbac\Rbac();
    // Check the user who is actually logged in. PHP-RBAC's enforce() sends a
    // 403 and stops the script when that user lacks the permission.
    $rbac->enforce('downloads_manager', $_SESSION['user_id']);
    $filename = basename($_POST['filename']);
    $file = sprintf('/var/www/support/uploads/%s', $filename);
    if (file_exists($file)) {
        header('Content-Description: File Transfer');
        header('Content-Type: application/octet-stream');
        header(sprintf('Content-Disposition: attachment; filename="%s"', $filename));
        // ...

  17. Attribute-based Access Control (ABAC)
    Attribute-based access control, also known as
    Policy-based access control, defines an access control
    paradigm whereby access rights are granted to users
    through the use of policies which combine attributes
    together. (Wikipedia)

  18. Attribute-based Access Control
    Users can still be assigned to one or more roles
    Resources (and users) carry specific attributes
    Policies attached to users (or roles) use these attributes
    to allow or block access
    Policies are evaluated at request time against the current
    attribute values
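
    The request-time evaluation described above, as an added example that is not part of the talk: subject, resource and environment attributes are plain arrays, and the policy is a small rule format invented here (a policy is a list of rules, a rule is a list of conditions that must all hold, and access is granted if any rule holds). It is not php-abac's configuration format. The user records, the download's attributes and the clearance numbers are constructed for the example; the same request is evaluated twice to show that a change in the environment alone (the hour) changes the answer.

```php
<?php
// Added example of attribute-based access control with policies evaluated
// at request time. The policy format is hypothetical and written for this
// illustration; it is not php-abac's.

// Subject (user) attributes, constructed for the example.
$users = [
    105 => ['id' => 105, 'department' => 'finance',   'clearance' => 2, 'roles' => ['support']],
    212 => ['id' => 212, 'department' => 'finance',   'clearance' => 1, 'roles' => ['support']],
    307 => ['id' => 307, 'department' => 'marketing', 'clearance' => 3, 'roles' => ['auditor']],
];

// Resource attributes for one download, constructed for the example.
$download = ['owner_id' => 212, 'department' => 'finance', 'sensitivity' => 2];

// A condition is [attribute path, operator, value-or-attribute-path].
// Rules are AND-ed conditions; the policy is an OR over its rules.
$policy = [
    'downloads-access' => [
        // Rule 1: owners always read their own files.
        [['user.id', '==', 'resource.owner_id']],
        // Rule 2: same department, enough clearance, during business hours.
        [
            ['user.department', '==', 'resource.department'],
            ['user.clearance', '>=', 'resource.sensitivity'],
            ['env.hour', 'between', [8, 18]],
        ],
        // Rule 3: auditors may read anything regardless of department.
        [['user.roles', 'contains', 'auditor']],
    ],
];

/** Resolve "user.clearance"-style paths against the attribute bag; anything else is a literal. */
function attr(array $bag, $ref)
{
    if (!is_string($ref) || !preg_match('/^(user|resource|env)\.(\w+)$/', $ref, $m)) {
        return $ref;
    }
    return $bag[$m[1]][$m[2]] ?? null;
}

function conditionHolds(array $bag, array $cond): bool
{
    [$left, $op, $right] = $cond;
    $l = attr($bag, $left);
    $r = attr($bag, $right);
    if ($l === null) {
        return false; // a missing attribute never satisfies a condition
    }
    switch ($op) {
        case '==':       return $l === $r;
        case '>=':       return is_numeric($l) && is_numeric($r) && $l >= $r;
        case 'between':  return is_numeric($l) && $l >= $right[0] && $l <= $right[1];
        case 'contains': return is_array($l) && in_array($r, $l, true);
        default:         throw new InvalidArgumentException("unknown operator $op");
    }
}

/** Evaluate a named policy; deny if it does not exist or no rule holds. */
function enforcePolicy(array $policy, string $name, array $user, array $resource, array $env): bool
{
    $bag = ['user' => $user, 'resource' => $resource, 'env' => $env];
    foreach ($policy[$name] ?? [] as $rule) {
        $allHold = true;
        foreach ($rule as $cond) {
            if (!conditionHolds($bag, $cond)) {
                $allHold = false;
                break;
            }
        }
        if ($allHold) {
            return true;
        }
    }
    return false;
}

// Same users and resource, evaluated at 10:00 and at 23:00.
foreach ([10, 23] as $hour) {
    foreach ($users as $uid => $user) {
        $ok = enforcePolicy($policy, 'downloads-access', $user, $download, ['hour' => $hour]);
        printf("hour %02d user %d -> %s\n", $hour, $uid, $ok ? 'allow' : 'deny');
    }
}
```

    User 105 is allowed at 10:00 through rule 2 and denied at 23:00, while the owner (212) and the auditor (307) are unaffected by the hour; that difference is what distinguishes ABAC from a static role check.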

  19. Attribute-based Access Control

  20. For example ...
    if (! isset($_SESSION['user_id'])) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
    $user = new \User($_SESSION['user_id']);
    $filename = basename($_POST['filename']);
    $download = new \Download($filename);
    $abac = \PhpAbac\AbacFactory::getAbac();
    // Attributes only known at request time are passed alongside the
    // user and resource objects.
    $attributes = ['dynamic-attributes' => ['report-author' => $user->getId()]];
    // enforce() returns true only when the policy allows access, so the
    // result is compared strictly rather than treated as a truthy value.
    if ($abac->enforce('downloads-access', $user, $download, $attributes) !== true) {
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
    // ...

  23. Risk-based Access Control
    In general, built upon an attribute-based system
    Leverages attributes that quantify risk
    ● How did the user authenticate?
    ● When and from where did they authenticate?
    ● How risky is the operation being performed?
    Effectively adds environmental info to the system
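
    A worked version of the three questions above, as an added example that is not from the talk: each question becomes a scoring factor, the factors are summed, and the total selects one of three outcomes (allow, step up to a second factor, deny). The factor values, weights, thresholds and operation risk table are constructed for this illustration and would be tuned per application; the scenarios are made up. It requires PHP 8 for match.

```php
<?php
// Added example of a risk-based decision on top of attribute checks.
// Factors, weights, thresholds and scenarios are hypothetical and were
// chosen for this illustration only.

const ALLOW   = 'allow';
const STEP_UP = 'step-up';   // e.g. require a second factor before continuing
const DENY    = 'deny';

// Operation risk: how bad is it if the wrong person performs this action?
// Unknown operations are scored as the highest risk.
const OPERATION_RISK = [
    'download:read'   => 1,
    'download:delete' => 3,
    'user:export-all' => 5,
];

/** Each question from the slide contributes a factor; the total drives the decision. */
function riskScore(array $auth, array $ctx, string $operation): array
{
    $factors = [];

    // How did the user authenticate?
    $factors['auth_method'] = match ($auth['method'] ?? 'password') {
        'password+mfa' => 0,
        'sso'          => 1,
        'password'     => 2,
        default        => 4, // unknown method: treat as weak
    };

    // When did they authenticate? Old sessions accumulate risk.
    $ageMinutes = ($ctx['now'] - $auth['authenticated_at']) / 60;
    $factors['session_age'] = $ageMinutes > 720 ? 3 : ($ageMinutes > 60 ? 1 : 0);

    // From where? A device or network not previously seen for this account.
    $factors['new_device']  = ($ctx['device_known'] ?? false) ? 0 : 2;
    $factors['new_network'] = ($ctx['ip_known'] ?? false) ? 0 : 1;

    // How risky is the operation being performed?
    $factors['operation'] = OPERATION_RISK[$operation] ?? 5;

    return ['total' => array_sum($factors), 'factors' => $factors];
}

function decide(array $auth, array $ctx, string $operation): string
{
    $total = riskScore($auth, $ctx, $operation)['total'];
    if ($total >= 9) {
        return DENY;
    }
    if ($total >= 5) {
        return STEP_UP;
    }
    return ALLOW;
}

// Constructed scenarios: the same user with the same permission, in different contexts.
$now = 1_700_000_000;
$scenarios = [
    'mfa, known laptop, read'       => [
        ['method' => 'password+mfa', 'authenticated_at' => $now - 300],
        ['now' => $now, 'device_known' => true, 'ip_known' => true],
        'download:read',
    ],
    'password, new device, delete'  => [
        ['method' => 'password', 'authenticated_at' => $now - 300],
        ['now' => $now, 'device_known' => false, 'ip_known' => false],
        'download:delete',
    ],
    'stale sso, new device, export' => [
        ['method' => 'sso', 'authenticated_at' => $now - 86400],
        ['now' => $now, 'device_known' => false, 'ip_known' => true],
        'user:export-all',
    ],
];

foreach ($scenarios as $label => [$auth, $ctx, $op]) {
    $score = riskScore($auth, $ctx, $op);
    printf("%-32s score %2d -> %s\n", $label, $score['total'], decide($auth, $ctx, $op));
}
```

    The authorization answer (this user holds the permission) is the same in all three scenarios; only the environmental factors differ, and they move the outcome from allow through step-up to deny. Returning the individual factors alongside the total is what makes such a decision explainable when a user asks why they were challenged.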

  24. Final Items to Consider
    What does your application do?
    Who has access to the application?
    What is the potential impact of a breach?
    What is your overall threat model?

  25. Questions?

  26. Thank you!
    Please rate our talk:
    https://joind.in/talk/8b428
