To safeguard sensitive user data, web developers typically rely on implicit access-control policies, which they implement using access checks and query filters. This ad hoc approach is error-prone as these scattered checks and filters are easy to misplace or misspecify, and the lack of an explicit policy precludes external access-control enforcement. More critically, it is difficult for humans to discern what policy is embedded in application code and what data the application may access -- an issue that worsens as development teams evolve. This paper tackles policy extraction: the task of extracting the access-control policy embedded in an application by summarizing its data queries. An extracted policy, once vetted for errors, can stand alone as a specification for the application's data access, and can be enforced to ensure compliance as code changes over time. We introduce Ote, a policy extractor for Ruby-on-Rails web applications. Ote uses concolic execution to explore execution paths through the application, generating traces of SQL queries and conditions that trigger them. It then merges and simplifies these traces into a final policy that aligns with the observed behaviors. We applied Ote to three real-world applications and compared extracted policies to handwritten ones, revealing several errors in the latter.
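To make the pipeline described above concrete, here is an added example; it is not Ote's code, trace format or policy language, and the two Rails-style actions, their predicate names, the SQL fragments and the merge rule are all assumptions made for illustration. Each action is written against a recording object instead of ActiveRecord: `check` is a branch on an access check, `query` records a SELECT together with the path condition in force at that moment. The explorer re-runs an action with each newly discovered branch outcome flipped (generational search with boolean predicates standing in for a constraint solver), and the extraction step merges the (condition, query) traces into one disjunction of clauses per table and simplifies it with a single absorption rule.

```ruby
# Added illustration of trace-based policy extraction. Not Ote's code, trace
# format or policy language: handlers, predicate names, SQL fragments and the
# merge/simplification rule are assumptions made for this example.
require 'set'

Query = Struct.new(:table, :columns, :where)
# condition: predicate literals ("current_user.admin?" or "!(current_user.admin?)")
# that held on the path at the moment the query was issued.
Trace = Struct.new(:condition, :query)
class Denied < StandardError; end

# One execution under a fixed assignment of branch outcomes (the concrete half of a
# concolic run). Predicates absent from the assignment default to true and are
# recorded so the explorer can flip them in a later run.
class Run
  attr_reader :decisions, :traces
  def initialize(assignment)
    @assignment = assignment
    @decisions = [] # ordered [predicate, outcome] pairs
    @traces = []
  end

  def check(predicate)
    outcome = @assignment.fetch(predicate, true)
    @decisions << [predicate, outcome]
    outcome
  end

  # Record a query together with the path condition in force when it runs.
  def query(table, columns, where)
    literals = @decisions.map { |p, v| v ? p : "!(#{p})" }
    @traces << Trace.new(literals, Query.new(table, columns, where))
  end

  def deny; raise Denied; end
end

# Path exploration: run once, then re-run with each newly discovered predicate
# flipped while the decisions before it are held fixed.
def explore(handler)
  traces = []
  worklist = [{}]
  until worklist.empty?
    assignment = worklist.shift
    run = Run.new(assignment)
    begin
      handler.call(run)
    rescue Denied
      # Denied path: queries issued before the failing check are still recorded.
    end
    run.decisions.each_with_index do |(predicate, _), i|
      next if assignment.key?(predicate)
      alt = run.decisions[0...i].to_h
      alt[predicate] = false
      worklist << alt
    end
    traces.concat(run.traces)
  end
  traces
end

# Hypothetical PostsController#show: the record is loaded before any check, so
# that SELECT runs on every path, including the denied one.
SHOW_POST = lambda do |r|
  r.query("posts", %w[id title body user_id], "posts.id = :id")
  r.deny unless r.check("current_user.admin?") || r.check("post.user_id = current_user.id")
  r.query("comments", %w[id body], "comments.post_id = :id")
end

# Hypothetical PostsController#index: here the policy lives in a query filter.
INDEX_POSTS = lambda do |r|
  if r.check("current_user.admin?")
    r.query("posts", %w[id title], "TRUE")
  else
    r.query("posts", %w[id title], "posts.user_id = :current_user_id OR posts.public = TRUE")
  end
end

def negate(literal)
  literal.start_with?("!(") ? literal[2...-1] : "!(#{literal})"
end

# Merge traces into table -> [condition, columns, where] clauses (one disjunction
# per table), drop duplicates, then simplify to a fixpoint with
#   (S AND p) OR (S AND NOT p AND T)  ==  (S AND p) OR (S AND T)
def extract_policy(traces)
  policy = Hash.new { |h, k| h[k] = [] }
  traces.each do |t|
    clause = [Set.new(t.condition), t.query.columns, t.query.where]
    policy[t.query.table] << clause unless policy[t.query.table].include?(clause)
  end
  policy.each_value { |clauses| simplify!(clauses) }
  policy
end

def simplify!(clauses)
  loop do
    changed = false
    clauses.each do |a_cond, a_cols, a_where|
      clauses.each do |b_cond, b_cols, b_where|
        next if a_cond.equal?(b_cond) || a_cols != b_cols || a_where != b_where
        extra = a_cond - b_cond
        next unless extra.size == 1 && b_cond.include?(negate(extra.first))
        b_cond.delete(negate(extra.first))
        changed = true
      end
    end
    break unless changed
  end
  clauses.uniq! { |cond, cols, where| [cond.to_a.sort, cols, where] }
end

def render(policy)
  policy.flat_map do |table, clauses|
    clauses.map do |cond, cols, where|
      guard = cond.empty? ? "always" : "when #{cond.to_a.join(' AND ')}"
      "#{table}: may read #{cols.join(', ')} WHERE #{where} (#{guard})"
    end
  end
end

puts render(extract_policy(explore(SHOW_POST) + explore(INDEX_POSTS))) if __FILE__ == $PROGRAM_NAME
```

Two things the output makes visible that the scattered checks do not: the `comments` clauses `(admin?) OR (!(admin?) AND owner)` collapse to `admin? OR owner`, which is the policy a reviewer would want to read, and `posts ... WHERE posts.id = :id` comes out with an empty condition because `show` loads the row before either check. That is exactly the kind of query-level fact an extracted policy surfaces and a handwritten one tends to miss: the row is fetched on the denied path even though it is never rendered.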