A Petri Net Based XML Firewall Security Model for Web Services Invocation

Prof. Haiping Xu
Concurrent Software Systems Laboratory
Computer and Information Science Department
University of Massachusetts Dartmouth
http://www.cis.umassd.edu/~hxu/

10/09/2006, CIS Dept., UMass Dartmouth


Outline

• Web Services and XML Firewall
• XML Firewall Architecture
• Introduction to Petri Nets
• Petri Net Models for XML Firewall
• Formal Analysis of Petri Net Models
• Conclusions and Future Work

Introduction to Web Services

• Web Services are Internet-based software components that support open, XML-based standards and communication protocols.
• A Web Service is a software component defined using WSDL, registered using UDDI, and invoked using SOAP.
• Web Services make software functionality available over the Internet.

Web Services Roles

• Service Provider implements the service and makes it available on the Internet.
• Service Requester utilizes an existing web service by opening a network connection and sending a request.
• Service Broker is a centralized directory of the web services.

Security Issues in Web Services Invocation

• A very common way of accessing web services is to remotely invoke web services.
• A service provider may be under attack if
    • a consumer uses a false identity to invoke a web service.
    • a consumer accesses a web service without properly assigned permissions.
    • a consumer attempts to corrupt a web service by attacking the service provider (e.g., using a denial of service attack).

Conventional Firewall

• Firewall: a fireproof wall used as a barrier to prevent the spread of a fire.
• Firewall: a component that limits network access.
• Types of firewalls
    • packet filtering
    • application proxy
    • personal firewall

[Figure: Client Machines, Internet, Firewall, Server Machines]

Why XML Firewall?

• A conventional firewall typically
    • does not block port 80 used by HTTP, so malicious web service requests cannot be blocked.
    • does not support parsing or validating XML data.
    • does not support authentication and authorization for web services access.
• An XML firewall can
    • control access to web services rather than simply filtering untrusted addresses.
    • inspect a complete XML message including its head and data segments.
    • support authentication and authorization for web services invocation.

Features of the XML Firewall

• Grant access only to users who are properly authenticated and authorized to use web services.
• Use role-based access control (RBAC) for authorization.
• Develop security policies by identifying security threats.
• Develop policy rules based on system state.
• Examine the contents of the incoming traffic.

Protecting Service Provider

[Figure: Application (Service Consumer) with User, User Interface and Application Logic; Request and Response messages; XML Firewall with State Info; Admin with Policy Change Request; Service Provider with Web Service 1 ... Web Service n]

XML Firewall Architecture

[Figure: activity diagram spanning Application and XML Firewall. Labels: User Login, Computational Logic, [valid user], authenticate user, [valid], [invalid], Assign Role, Create User Space, Access Request, check_permissions, [access passed], [access denied], Invoke Service, Return Results, Web Service 1 ... Web Service n; data stores UserinfoDB, RoleDB, StateDB, PolicyDB]

Introduction to Petri Nets

• "Three-in-one" capability of Petri net models [Murata 1989]
    • Graphical representation
    • Mathematical description
    • Simulation tool
• Definition: A Petri net is a 4-tuple, PN = (P, T, F, M0) where
    • P = {P1, P2, …, Pm} is a finite set of places;
    • T = {t1, t2, …, tn} is a finite set of transitions;
    • F ⊆ (P × T) ∪ (T × P) is a set of arcs (flow relation);
    • M0: P → {0, 1, 2, 3, …} is the initial marking.

An Example

[Figure: example Petri net with places P1 to P5 and transitions t1 to t5]

Petri Net Model of an Application

[Figure: Petri net of the application. Labels: Ready_To_Accept_Request, Login_Request, Get_Login_Request, Username_Password, Check_User_DB, User_DB, Valid, Not_Valid, Failure, Get_User_Details, User_Details, User_Access_Request, Access_Request, Create_Request, Request_Details, Dispatch_Request, Req_for_WS, Req_for_WS1, Req_for_WS2, WS_Req, XML_FW, FW_Result, Access_Denied, WS_Logic, Accept_Result, Computational_Logic, Init/Result, Logout]

Petri Net Model of XML Firewall

[Figure: Petri net of the XML firewall. Labels: Application, Computational_Logic, Init/Result, User_Request, WS_Request, Start_Authorization, Check_If_Existing, First_Time_User, Existing_User, Background_Check, BG_Check_DB, Check_Passed, Check_Failed, Update_Databases, UserInfo_DB, Role_DB, Assign_Role, User_Role, Fetch_State_Info, State_DB, StateInfo, Fetch_Policy, Policy_DB, Create_Session, Create_UserSpace, UserSpace(Username, Permissions, Session), Access_Request, Valid_User_Request, Check_Permission, Permission_Result, Pass, Fail, Access_Failed, Access_Denied, WS_Logic, Accept_WS_Response, Accept_Result, FW_Result]

Adding Policy Change Interface

[Figure: Petri net of the XML firewall with a policy change interface. Labels as in the XML firewall model figure (with Perform_Background_Check), plus: Administrator, Policy_Change Interface, Change_Policy_Request, New_Policy, Check_Conflict, Accept_Policy, Reject_Policy, Update_Policy, Sync, Decision]

Formal Analysis of the XML Firewall Model

• To help ensure a correct design that meets certain specifications
• To meet certain requirements such as liveness, deadlock freeness and concurrency
• Use Petri net tool: INA (Integrated Net Analyzer)
    • Verifying structural properties
    • Verifying behavioral properties
    • Detecting design errors

Formal Analysis for the Application Model

Deciding structural boundedness
The net is structurally bounded.
The net is bounded.

Computation of the reachability graph
States generated: 238
The net has no dead transitions at the initial marking.
The net has no dead reachable states.
The net is safe.

Liveness test: Computing the strongly connected components
The net is live.
The net is live, if dead transitions are ignored.
The net is live and safe.
The net is reversible (resetable).

Formal Analysis for the XML Firewall Model

Deciding structural boundedness
The net is structurally bounded.
The net is bounded.

Computation of the reachability graph
States generated: 126

Write the state numbers of the dead states? Y/N Y
The net has dead reachable states.
The net is not live.
The net is not live and safe.
The net is not reversible (resetable).
The deadlock-trap-property is not valid.
The net has no dead transitions at the initial marking.
The net is not live, if dead transitions are ignored.
The net is safe.

The dead states are shown as follows
State nr.   39
P.nr:  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33
toks:  1  0  0  0  0  0  1  1  0  0  1  0  0  0  1  1  0  0  1  1  1  1  0  0  0  0  0  1  0  1  0  0  0

Corrected XML Firewall Model

[Figure: corrected Petri net of the XML firewall with the policy change interface; same labels as in the "Adding Policy Change Interface" figure]

Formal Analysis for the Corrected XML Firewall Model

Deciding structural boundedness
The net is structurally bounded.
The net is bounded.

Computation of the reachability graph
States generated: 84
The net has no dead transitions at the initial marking.
The net has no dead reachable states.
The net is safe.

Liveness test: Computing the strongly connected components
The net is live.
The net is live, if dead transitions are ignored.
The net is live and safe.
The net is reversible (resetable).
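
Added example (not from the slides and not INA's code): a minimal reachability-graph check in Python for a net given as in the definition PN = (P, T, F, M0), reporting the same kinds of results as the analysis output above (state count, dead states, dead transitions, safeness, reversibility). The `analyze` helper, the five-place net and its `Return_Denied` transition are constructed for illustration and only borrow label names from the slides; the flaw shown is not claimed to be the design error found in the talk's model.

```python
from collections import deque

def analyze(places, transitions, m0):
    """Reachability analysis of an ordinary, bounded Petri net (all arc weights 1)."""
    start = tuple(m0.get(p, 0) for p in places)

    def fire(m, pre, post):
        if any(n < 1 for p, n in zip(places, m) if p in pre):
            return None  # transition not enabled in marking m
        return tuple(n - (p in pre) + (p in post) for p, n in zip(places, m))

    succ, fired, queue = {start: set()}, set(), deque([start])
    while queue:  # breadth-first construction of the reachability graph
        m = queue.popleft()
        for name, (pre, post) in transitions.items():
            nxt = fire(m, pre, post)
            if nxt is not None:
                fired.add(name)
                succ[m].add(nxt)
                if nxt not in succ:
                    succ[nxt] = set()
                    queue.append(nxt)

    home = {start}  # markings from which the initial marking is reachable
    while True:
        new = {m for m in succ if m not in home and succ[m] & home}
        if not new:
            break
        home |= new

    return {"states": len(succ),
            "dead_states": [dict(zip(places, m)) for m in succ if not succ[m]],
            "dead_transitions": sorted(set(transitions) - fired),
            "safe": all(n <= 1 for m in succ for n in m),
            "reversible": len(home) == len(succ)}

# Constructed toy net (NOT the model from the slides; label names are borrowed).
# Each transition maps to (input places, output places).
PLACES = ["Ready", "Request", "Pass", "Denied", "Result"]
M0 = {"Ready": 1}
FLAWED = {
    "Access_Request": ({"Ready"}, {"Request"}),
    "Check_Pass": ({"Request"}, {"Pass"}),
    "Check_Fail": ({"Request"}, {"Denied"}),   # token is never taken out of Denied
    "Invoke_Service": ({"Pass"}, {"Result"}),
    "Accept_Result": ({"Result"}, {"Ready"}),
}
CORRECTED = {**FLAWED, "Return_Denied": ({"Denied"}, {"Ready"})}

if __name__ == "__main__":
    print(analyze(PLACES, FLAWED, M0), analyze(PLACES, CORRECTED, M0), sep="\n")
```

In the flawed toy net the denied branch strands its token, so the marking with a single token in `Denied` is reported as a dead state and the net is not reversible; adding the return transition removes both findings.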

Concluding Comments

• An architectural design of the role-based XML firewall has been proposed.
• Petri net based formal models for XML firewall have been developed.
• Used existing Petri net tools to formally analyze XML firewall models.
• Design errors, such as deadlocks, can be automatically detected.

Future Work

• Refine the Petri net model of the XML firewall for detailed design.
• Use a case study, such as a health care application, to illustrate how to design security policies.
• Develop a prototype of the XML firewall based on the Petri net based formal model to show the feasibility of our approach.


Questions ??

Thank you for your attention!

The slides for this talk may be downloaded from

http://www.cis.umassd.edu/~hxu