Access Control in CORBA
Gerald Brose, Institut für Informatik, Freie Universität Berlin
Oberseminar AG Softwaretechnik, Albert-Ludwigs-Universität Freiburg, 27.6.2000
Overview
1. Access Control
2. Introduction to CORBA Security
3. CORBA Access Control Concepts
4. Raccoon
1. Access Control
Access Decision Function:
adf : Policy × ACI → {allow, deny}   (ACI = access control information)
Mechanism:
• Implementation of adf()
• (in distributed systems, the middleware masks heterogeneity)
Policy:
• Specification of rules
Access Control Mechanisms
Reference Monitor
• interceptor in the access path
• mediates all accesses
Capabilities
• target reference with rights
• required to make accesses
Tickets
• cryptographically secured tokens
• passed on access
Access Control Policies
Described at different levels of granularity, abstraction, formality:
• requirements: informal, enterprise view
• informational: formal, information view
• operational: formal, technology view
"Semantic gap"
Policy management is both error-prone and sensitive!
Policy Management
Support for the entire life cycle:
• Policy specification/design (Developer): high-level model
• Installation (Deployer): in actual environments, efficient implementation
• Management (Manager): monitoring, adaptation to context changes
2. CORBA Security
Reference model and APIs
technology-neutral (Kerberos, SESAME, SSL, DCE Security)
Security functions at two levels:
• Level 1: transparent to the application
• Level 2: APIs for security-aware clients
Protocols for Secure Interoperability
(Firewalls: orthogonal)
Security Services
Protection:
• Objects (access control)
• Communication (confidentiality/integrity) “Secure Invocation”
Auditing
Accountability/Non-repudiation
General Model
(Figure: client and target object, each with Credentials and Current, sit on the ORB Core; ORB Security comprises Access Control with an Access Decision object, Secure Invocation, Security Association, Policy and the object reference; Secure Interoperability links the two ORBs.)
Secure Interoperability (CSI)
Invocations across domain boundaries
• technology, policy
Establish Security Association
• negotiate technology (algorithms) and parameters (key lengths, etc.)
currently under revision at OMG
• define a standard Privilege Attribute Certificate
Security Policy Domains
Policy Domains = set of objects with the same policy
Hierarchical and overlapping domains
Policy conflicts?
3. Access Control Concepts
Principals: sets of security attributes
Generic rights in families: family corba: g, s, u, m (get, set, use, manage)
Policies assign effective Rights to Principals
Operations require Rights
Rights Combinators: any, all
Required Rights
Group operations by sensitivity; specified system-wide.
Interface CosNaming::NamingContext:

Operation                       Combinator   Required rights
resolve                         all          corba:--u- namng:n-
list                            all          corba:g-u- namng:n-
bind                            all          corba:gsu- namng:n-
new_context, bind_new_context   all          corba:gsum namng:n-
unbind, rebind, destroy         all          corba:gsum namng:nm
Effective Rights
Granted by policy:

Privilege Attribute   Delegation State   Granted Rights
access_id:alice       initiator          corba:gsu- namng:n-
access_id:alice       delegate           corba:g-u- namng:n-
group:admin           initiator          corba:gsum namng:nm
group:programmers     initiator          corba:gsu- namng:--
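The access decision the two tables above describe, as an added example in Python (not part of the slides, and not an ORB's AccessDecision object): required rights per NamingContext operation, rights granted per privilege attribute and delegation state, the union that yields a principal's effective rights, and the all/any combinators. The rights strings are taken from the slide tables; the helper names and the reading of family corba as g=get, s=set, u=use, m=manage (the standard CORBA Security family) and namng as the slides' own naming-service family are assumptions made here.

```python
"""CORBA Security access decision for the CosNaming::NamingContext tables on
the slides.  Added example, not an ORB's AccessDecision object: rights strings
come from the slides, helper names are ours.  Family corba: g=get, s=set,
u=use, m=manage; family namng (n, m) is the slides' naming-service family."""

FAMILIES = {"corba": "gsum", "namng": "nm"}   # family -> its letters, in order


def parse_rights(spec):
    """'corba:g-u-namng:n-' -> {('corba','g'), ('corba','u'), ('namng','n')}.
    A family name is followed by one position per right; '-' means absent."""
    rights = set()
    rest = spec
    while rest:
        family, rest = rest.split(":", 1)
        letters = FAMILIES[family]
        mask, rest = rest[:len(letters)], rest[len(letters):]
        rights |= {(family, r) for r, m in zip(letters, mask) if m == r}
    return frozenset(rights)


# RequiredRights for CosNaming::NamingContext, specified system-wide:
# operation -> (combinator, required rights).  There is no per-object entry,
# so every NamingContext instance is treated the same (a restriction the
# slides criticise).
REQUIRED = {
    "resolve":          ("all", "corba:--u-namng:n-"),
    "list":             ("all", "corba:g-u-namng:n-"),
    "bind":             ("all", "corba:gsu-namng:n-"),
    "new_context":      ("all", "corba:gsumnamng:n-"),
    "bind_new_context": ("all", "corba:gsumnamng:n-"),
    "unbind":           ("all", "corba:gsumnamng:nm"),
    "rebind":           ("all", "corba:gsumnamng:nm"),
    "destroy":          ("all", "corba:gsumnamng:nm"),
}

# DomainAccessPolicy: (privilege attribute, delegation state) -> granted rights
GRANTED = {
    ("access_id:alice", "initiator"):   "corba:gsu-namng:n-",
    ("access_id:alice", "delegate"):    "corba:g-u-namng:n-",
    ("group:admin", "initiator"):       "corba:gsumnamng:nm",
    ("group:programmers", "initiator"): "corba:gsu-namng:--",
}


def effective_rights(attributes, delegation_state, granted=GRANTED):
    """Effective rights of a principal: the union of the rights granted to
    each of its privilege attributes in the given delegation state."""
    rights = set()
    for attribute in attributes:
        rights |= parse_rights(granted.get((attribute, delegation_state), ""))
    return frozenset(rights)


def access_allowed(attributes, delegation_state, operation, required=REQUIRED):
    """adf(policy, ACI) -> True (allow) or False (deny).
    'all': every required right must be held; 'any': one of them suffices."""
    combinator, spec = required[operation]
    needed = parse_rights(spec)
    held = effective_rights(attributes, delegation_state)
    return needed <= held if combinator == "all" else bool(needed & held)


if __name__ == "__main__":
    for attrs, state in [(["access_id:alice"], "initiator"),
                         (["access_id:alice"], "delegate"),
                         (["group:programmers"], "initiator"),
                         (["access_id:alice", "group:admin"], "initiator")]:
        ok = [op for op in REQUIRED if access_allowed(attrs, state, op)]
        print(f"{attrs} as {state}: {ok}")
```

Two points worth noticing when running it: alice loses bind as soon as she acts as a delegate (corba:s is granted only to the initiator), and group:programmers cannot even resolve, because the "all" combinator spans both families and the group holds no namng right at all.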
Restrictions
Coarse-grained, does not scale:
• limited set of rights, so rights collide
• all objects of a type are treated equal!
Hard to manage:
• not object-oriented, low level of abstraction
• semantic gap: requirements are "lost"
Hard to specify:
• not expressive: no dynamic properties, no exceptions
• no language support, untyped
4. Raccoon
Prof. Löhr (leader), part of the DFG priority programme (Schwerpunktprogramm) "Sicherheit" (Security)
Support for security policy management
• Managing security policy domains:
  – Policy Domain Service + GUI tool
• Managing policies:
  – View Policy Language: language + tools
• efficient and scalable access control
Managing Policy Domains
Managing domain life cycles and relationships
Managing object life cycles with respect to domain membership
Policy Domain Service:
• realizes the relation Object → Domain → Policy (objects belong to domains, domains carry policies)
• management operations
• “metapolicies” resolve policy conflicts
View Policy Language
Declarative policy language
• static type checks
• Documentation, Communication, Manageability, Reuse
object-oriented Protection model
expressive, structured
fine-grained and scalable
specification and management tools
Views
Views contain rights for operations on objects typed by the controlled object type:

  view Resolver controls NamingContext {
    allow resolve; list;
    deny bind;
  }
Users in Roles
Users are not known in advance, but roles are
Roles = actors as in use-case models
Authentication Service certifies role membership

  roles chair, member, author;
  role assertion
    card( author and chair ) = 0;
    card( chair ) = 1;
Access Matrix Model
Entries
• well-formed
• well-typed

Role       o1:Paper   o2:Paper   o3:Review   o4:T
Chair      v1, v2     v1, v3     ...
Reviewer   v2         v4         v5          v6, v7
Author     -          v4         -           v7

  view Reader controls Paper { allow read; };
  view Owner : Reader { allow destroy; };
Dynamic Changes: Schemas

  interface Paper {
    Review submitReview(in string text);
  };

  schema Paper {
    submitReview
      grants result.update to caller;
      grants this.getReview to caller;
      revokes this.submitReview from caller;
  };
Steps in Policy Design
1. Identification of roles
2. Definition of Views for access use cases
(3.) Definition of Schemas for dynamic changes
4. Definition of initial Views
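The four design steps applied to the slides' conference scenario, as an added toy interpreter in Python (not Raccoon's implementation and not code from the slides). It models views with extension as in `view Owner : Reader`, the role assertions `card(author and chair) = 0` and `card(chair) = 1`, the well-typed check on access-matrix entries, and the `submitReview` schema. Assumptions made here, since the slides do not spell them out: a view permits the operations it inherits plus its own `allow` entries minus its own `deny` entries; the schema's `result.update`, `this.getReview` and `this.submitReview` are read as view names; the users carol, bob and alice, the objects o1 and o3 and the matrix entries are constructed for the example.

```python
"""Toy VPL interpreter: views with extension, roles with cardinality
assertions, a well-typed access matrix, and schemas that change a caller's
holdings after a call.  Added illustration, not Raccoon's code; the deny
semantics, the view names taken from the schema, and the users/objects are
assumptions made for this example."""
from collections import namedtuple
from dataclasses import dataclass

Obj = namedtuple("Obj", "name type")        # an object instance and its type


@dataclass
class View:
    name: str
    controls: str                  # controlled object type
    allow: frozenset = frozenset()
    deny: frozenset = frozenset()
    parent: "View | None" = None   # `view Owner : Reader` -> parent = Reader

    def operations(self):
        inherited = self.parent.operations() if self.parent else set()
        return (inherited | self.allow) - self.deny


class Policy:
    def __init__(self):
        self.views = {}        # view name -> View
        self.users = {}        # user -> set of roles
        self.assertions = []   # (roles, required cardinality)
        self.matrix = {}       # (object name, role) -> set of view names
        self.granted = {}      # (object name, user) -> views added by schemas
        self.revoked = {}      # (object name, user) -> views removed by schemas
        self.schemas = {}      # (type, operation) -> [(kind, target, view)]

    # step 1: roles and role assertions
    def card(self, *roles):
        """card(r1 and r2 ...) = number of users holding all the given roles."""
        return sum(1 for held in self.users.values() if set(roles) <= held)

    def assertions_hold(self):
        return all(self.card(*roles) == n for roles, n in self.assertions)

    # step 2: views; an entry is well-typed if its view controls the object's type
    def well_typed(self, objects):
        types = {o.name: o.type for o in objects}
        return all(self.views[v].controls == types[obj]
                   for (obj, _role), names in self.matrix.items() for v in names)

    def held_views(self, user, obj):
        names = set()
        for role in self.users.get(user, ()):
            names |= self.matrix.get((obj.name, role), set())
        names |= self.granted.get((obj.name, user), set())
        return names - self.revoked.get((obj.name, user), set())

    def allowed(self, user, obj, op):
        return any(op in self.views[v].operations() for v in self.held_views(user, obj))

    # step 3: schemas, applied to the caller after a successful invocation
    def invoke(self, user, obj, op, result=None):
        if not self.allowed(user, obj, op):
            return False
        for kind, target, view in self.schemas.get((obj.type, op), []):
            key = ((obj if target == "this" else result).name, user)
            add, remove = ((self.granted, self.revoked) if kind == "grant"
                           else (self.revoked, self.granted))
            add.setdefault(key, set()).add(view)
            remove.get(key, set()).discard(view)
        return True


def conference_policy():
    """The slides' conference scenario: chair, reviewer and author on a Paper."""
    p = Policy()
    reader = View("Reader", "Paper", frozenset({"read"}))
    for v in (reader,
              View("Owner", "Paper", frozenset({"destroy"}), parent=reader),
              View("submitReview", "Paper", frozenset({"submitReview"})),
              View("getReview", "Paper", frozenset({"getReview"})),
              View("update", "Review", frozenset({"update"}))):
        p.views[v.name] = v
    p.users = {"carol": {"chair", "member"}, "bob": {"member", "reviewer"},
               "alice": {"author"}}
    p.assertions = [(("author", "chair"), 0), (("chair",), 1)]
    p.matrix = {("o1", "chair"): {"Owner"},
                ("o1", "reviewer"): {"Reader", "submitReview"}}
    p.schemas[("Paper", "submitReview")] = [("grant", "result", "update"),
                                            ("grant", "this", "getReview"),
                                            ("revoke", "this", "submitReview")]
    return p


def review_round():
    """Step 4: bob starts with his initial views, submits one review and may
    not submit a second; the chair reads through the view Owner inherits."""
    p = conference_policy()
    paper, review = Obj("o1", "Paper"), Obj("o3", "Review")
    return {"well_formed": p.assertions_hold() and p.well_typed([paper, review]),
            "first": p.invoke("bob", paper, "submitReview", result=review),
            "second": p.invoke("bob", paper, "submitReview", result=review),
            "bob_updates": p.allowed("bob", review, "update"),
            "bob_gets_review": p.allowed("bob", paper, "getReview"),
            "chair_reads": p.allowed("carol", paper, "read"),
            "author_reads": p.allowed("alice", paper, "read")}
```

`review_round()` returns the outcome of one round: the policy is well-formed, bob's first `submitReview` succeeds and his second is denied, he can now `update` the Review object he produced and `getReview` on the paper, carol reads the paper through `Owner`'s inherited `read`, and alice, who holds no view on o1, cannot. Adding a user with both `author` and `chair` makes `assertions_hold()` fail, and putting `Owner` (which controls Paper) into a Review's row makes `well_typed()` fail, which is the static check the slides ask a VPL tool to perform.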
References
http://www.inf.fu-berlin.de/inst/ag-ss/raccoon
G. Brose: A typed access model for CORBA. To appear in Proc. ESORICS 2000.
G. Brose, K.-P. Löhr: VPL - Sprachunterstützung für den Entwurf von Zugriffsschutzpolitiken (VPL: language support for the design of access control policies). Proc. VIS '99.
G. Brose: A view-based access model for CORBA. In: J. Vitek, C. Jensen (eds.): Secure Internet Programming: Security Issues for Mobile and Distributed Objects, Springer LNCS, 1999.
G. Karjoth: Authorization in CORBA Security. Proc. ESORICS 1998.