Journal of Computers, Vol 6, No 11 (2011), 2395-2407, Nov 2011
doi:10.4304/jcp.6.11.2395-2407

Defending Against XML-Based Attacks Using State-Based XML Firewall

Haiping Xu, Abhinay Reddyreddy, Daniel F. Fitch

Abstract

With the proliferation of service-oriented systems and cloud computing, web services security has gained much attention in recent years. Attacks against web services, commonly called XML-based attacks, typically operate at the SOAP message level, so they are not readily handled by existing security mechanisms such as a conventional network firewall. To provide effective security mechanisms for service-oriented systems, XML firewalls have recently been introduced as one of the major means of securing web services. In this paper, we present a framework for a state-based XML firewall, called S-Wall, which supports dynamic role-based access control (D-RBAC) and real-time detection of XML-based attacks. We provide a detailed design of the S-Wall security model by defining state-based information, user information, access control policies, and detection and verification (D&V) rules. The D&V rules are modularized into separate units, which support real-time detection and verification of various types of attacks using state-based information. To illustrate the effectiveness of our approach, we develop a prototype S-Wall and use a case study to demonstrate how S-Wall can efficiently detect and defend against XML-based attacks.


Keywords

State-based XML firewall (S-Wall); web services security; service-oriented architecture; dynamic role-based access control (D-RBAC); XML-based attack; detection and verification (D&V)
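
The abstract describes the S-Wall model in terms of state-based information, user information, access control policies and modular D&V rules. The Python sketch below is an added illustration of that architecture and is not the authors' S-Wall code or prototype: each D&V rule is a separate unit, the stateful rules (replay and rate) read and update per-principal state, and the access-control step demotes a principal's role after repeated violations, which is one simple reading of dynamic RBAC. The policy table, the thresholds, the bank-service namespace and the `MessageID` header are all assumptions made for the example, and the SOAP requests are constructed inline.

```python
"""Toy state-based XML firewall: modular detection/verification (D&V) rules plus
dynamic role-based access control over SOAP requests. Added illustration only;
all thresholds, the policy table and the sample bank service are assumptions."""
import re
import xml.etree.ElementTree as ET
from collections import deque
from dataclasses import dataclass, field

SOAP_ENV = "{http://schemas.xmlsoap.org/soap/envelope/}"  # SOAP 1.1 envelope namespace

MAX_BYTES, MAX_DEPTH = 4096, 16       # assumed limits on message size and element nesting
RATE_LIMIT, RATE_WINDOW = 5, 10.0     # assumed: requests per principal per window (seconds)
DEMOTE_AFTER = 3                      # assumed: violations before the role is demoted

# Assumed policy (not from the paper): operations each role may invoke, and the
# demotion order that D-RBAC applies to a misbehaving principal.
ROLE_OPERATIONS = {"admin": {"GetBalance", "Transfer", "CloseAccount"},
                   "user": {"GetBalance", "Transfer"},
                   "guest": {"GetBalance"}}
DEMOTE = {"admin": "user", "user": "guest", "guest": "guest"}

SQLI = re.compile(r"'\s*(or|and)\s+|--|;\s*(drop|delete|update|insert)\b|\bunion\s+select\b", re.I)


@dataclass
class ClientState:
    """Per-principal state that the stateful rules consult and update."""
    role: str
    violations: int = 0
    seen_ids: set = field(default_factory=set)
    timestamps: deque = field(default_factory=deque)


def local(tag):
    return tag.split("}", 1)[-1]       # drop the {namespace} prefix ElementTree adds


def depth(root):
    best, stack = 0, [(root, 1)]       # iterative, so a deep document cannot exhaust the stack
    while stack:
        el, d = stack.pop()
        best = max(best, d)
        stack.extend((c, d + 1) for c in el)
    return best


# D&V rules: each is an independent unit returning None (pass) or a reason string.
def rule_size(raw, tree, state, now):
    return "oversized message" if len(raw) > MAX_BYTES else None

def rule_no_dtd(raw, tree, state, now):
    return "DTD not permitted" if "<!DOCTYPE" in raw else None  # no entity declarations reach the parser

def rule_depth(raw, tree, state, now):
    return "nesting too deep" if depth(tree) > MAX_DEPTH else None

def rule_injection(raw, tree, state, now):
    body = tree.find(SOAP_ENV + "Body")
    for el in (body.iter() if body is not None else []):
        if el.text and SQLI.search(el.text):
            return f"injection pattern in <{local(el.tag)}>"
    return None

def rule_replay(raw, tree, state, now):
    header = tree.find(SOAP_ENV + "Header")
    ids = [el.text.strip() for el in header.iter()
           if local(el.tag) == "MessageID" and el.text] if header is not None else []
    if not ids:
        return "missing MessageID"
    if ids[0] in state.seen_ids:
        return f"replayed MessageID {ids[0]}"
    state.seen_ids.add(ids[0])
    return None

def rule_rate(raw, tree, state, now):
    while state.timestamps and now - state.timestamps[0] > RATE_WINDOW:  # sliding window
        state.timestamps.popleft()
    state.timestamps.append(now)
    return "rate limit exceeded" if len(state.timestamps) > RATE_LIMIT else None

RAW_RULES = [rule_size, rule_no_dtd]                               # run on the raw text, before parsing
TREE_RULES = [rule_depth, rule_injection, rule_replay, rule_rate]  # run on the parsed envelope


class XmlFirewall:
    def __init__(self, principals):
        self.clients = {p: ClientState(role=r) for p, r in principals.items()}

    def _violation(self, state, reason):
        state.violations += 1
        if state.violations >= DEMOTE_AFTER:          # D-RBAC: the role follows observed behaviour
            state.role, state.violations = DEMOTE[state.role], 0
        return (False, reason)

    def check(self, principal, raw, now):
        """Return (allowed, reason) for one SOAP request from `principal` at time `now`."""
        state = self.clients[principal]
        for rule in RAW_RULES:
            if reason := rule(raw, None, state, now):
                return self._violation(state, reason)
        try:
            tree = ET.fromstring(raw)
        except ET.ParseError as e:
            return self._violation(state, f"malformed XML: {e}")
        for rule in TREE_RULES:
            if reason := rule(raw, tree, state, now):
                return self._violation(state, reason)
        body = tree.find(SOAP_ENV + "Body")
        if body is None or len(body) == 0:
            return self._violation(state, "no operation in Body")
        op = local(body[0].tag)                       # the operation is Body's first child element
        if op not in ROLE_OPERATIONS[state.role]:
            return self._violation(state, f"role {state.role} may not call {op}")
        return (True, f"{op} allowed for {state.role}")


def build_soap(op, msg_id, **params):
    """Constructed sample request for an assumed bank service (example.invalid is not a real endpoint)."""
    args = "".join(f"<{k}>{v}</{k}>" for k, v in params.items())
    return (f'<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" '
            f'xmlns:b="http://example.invalid/bank">'
            f'<soapenv:Header><MessageID>{msg_id}</MessageID></soapenv:Header>'
            f'<soapenv:Body><b:{op}>{args}</b:{op}></soapenv:Body></soapenv:Envelope>')


if __name__ == "__main__":
    fw, t = XmlFirewall({"alice": "user"}), 1000.0
    for req in [build_soap("GetBalance", "m1", account="42"),
                build_soap("GetBalance", "m1", account="42"),                 # replay of m1
                build_soap("Transfer", "m2", to="1' OR '1'='1", amount="9"),  # injection in a parameter
                build_soap("CloseAccount", "m3", account="42"),               # outside the user role
                build_soap("Transfer", "m4", to="7", amount="1")]:            # alice has been demoted to guest
        print(fw.check("alice", req, t))
```

Rules run in order and short-circuit, so the cheap raw-text checks (size, DTD) protect the parser itself; the depth rule, by contrast, only runs after `ElementTree` has built the whole tree, and a production filter would enforce depth and size in a streaming parser before any tree exists. The injection rule is a plain signature and will produce false positives on ordinary text containing an apostrophe followed by "or"; the value of the state-based rules is that replay and rate decisions depend on what the principal has already sent, which no per-message signature can capture.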

Journal of Computers (JCP, ISSN 1796-203X)