Access Control in CORBA

Gerald Brose
Institut für Informatik, Freie Universität Berlin

Oberseminar AG Softwaretechnik, Albert-Ludwigs-Universität Freiburg

Transcript of the slides (24 pages); posted 18-Dec-2015.

Page 1: Access Control in CORBA (title slide)

Page 2: Overview

Gerald Brose, Freie Universität Berlin, 27.6.2000

1. Access Control

2. Introduction to CORBA Security

3. CORBA Access Control Concepts

4. Raccoon

Page 3: 1. Access Control

Access Decision Function:

adf : Policy × ACI → {allow, deny}

(ACI: the access control information available about the requested access)

Mechanism:

• Implementation of adf()

• (DS: Middleware masks heterogeneity)

Policy:

• Specification of rules

Page 4: Access Control Mechanisms

Reference Monitor:

• interceptor in the access path

• mediates all accesses

Capabilities:

• target reference with rights

• required to make accesses

Tickets:

• cryptographically secured tokens

• passed on access

Page 5: Access Control Policies

Described at different levels of granularity, abstraction, formality:

• requirements: informal, enterprise view

• informational: formal, information view

• operational: formal, technology view

“Semantic gap” between these levels: policy management is both error-prone and sensitive!

Page 6: Policy management

Support for the entire life cycle:

Policy specification/design (Developer): high-level model

Installation (Deployer): in actual environments, efficient implementation

Management (Manager): monitoring, adaptation to context changes

Page 7: 2. CORBA Security

Reference model and APIs

technology-neutral (Kerberos, SESAME, SSL, DCE-Security)

Security Functions at two levels:

• Level 1: transparent

• Level 2: APIs for security-aware clients

Protocols for Secure Interoperability

(Firewalls: orthogonal)

Page 8: Security Services

Protection:

• Objects (access control)

• Communication (confidentiality/integrity): “Secure Invocation”

Auditing

Accountability/Non-repudiation

Page 9: General Model

[Figure: client and target each run an ORB Core with ORB Security services: Access Control (Access Decision, Policy) and Secure Invocation (Security Association). On each side, Current holds the Credentials; the client holds an Object Reference to the target; the two sides are connected through Secure Interoperability.]

Page 10: Secure Interoperability (CSI)

Invocations across domain boundaries

• technology, policy

Establish Security Association

• negotiate technology (algorithms) and parameters (key lengths, etc.)

Currently under revision at OMG:

• define a standard Privilege Attribute Certificate

Page 11: Security Policy Domains

Policy Domains = set of objects with the same policy

Hierarchical and overlapping domains

Policy conflicts?

Page 12: 3. Access Control Concepts

Principals: sets of security attributes

Generic Rights in Families: family corba: g (get), s (set), u (use), m (manage)

Policies assign effective Rights to Principals

Operations require Rights

Rights Combinators: any, all

Page 13: Required Rights

Group operations by sensitivity; specified system-wide.

Required rights for the interface CosNaming::NamingContext (combinator "all" in every row):

  required rights       combinator   operation
  corba:--u-namng:n-    all          resolve
  corba:g-u-namng:n-    all          list
  corba:gsu-namng:n-    all          bind
  corba:gsumnamng:n-    all          new_context, bind_new_context
  corba:gsumnamng:nm    all          unbind, rebind, destroy

Page 14: Effective Rights

Granted by policy:

  Privilege Attribute    Delegation State   Granted Rights
  access_id:alice        initiator          corba:gsu-namng:n-
  access_id:alice        delegate           corba:g-u-namng:n-
  group:admin            initiator          corba:gsumnamng:nm
  group:programmers      initiator          corba:gsu-namng:--
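As an added example (not part of the slides or of any CORBA ORB), the following Python evaluates the access decision with the two tables above: it parses the rights strings, forms the effective rights of a principal as the union of the rights granted to its privilege attributes for the given delegation state, and applies the required-rights combinator. The names FAMILIES, REQUIRED, GRANTED and the two-right layout of the "namng" family are assumptions.

```python
# Added example (not from the slides). Families: "corba" = get/set/use/manage, "namng" = n/m (layout assumed).
FAMILIES = {"corba": "gsum", "namng": "nm"}

def parse_rights(spec: str) -> frozenset:
    """Expand 'corba:gsu-namng:n-' into {'corba:g', 'corba:s', 'corba:u', 'namng:n'}."""
    rights, pos = set(), 0
    for family, chars in FAMILIES.items():
        prefix = family + ":"
        if not spec.startswith(prefix, pos):
            raise ValueError(f"expected family {family!r} at offset {pos} in {spec!r}")
        pos += len(prefix)
        mask, pos = spec[pos:pos + len(chars)], pos + len(chars)
        for want, got in zip(chars, mask):
            if got == want:
                rights.add(f"{family}:{want}")
            elif got != "-":
                raise ValueError(f"unexpected right {got!r} in {spec!r}")
    return frozenset(rights)

REQUIRED = {  # CosNaming::NamingContext, from the slide: operation -> (combinator, rights)
    "resolve": ("all", "corba:--u-namng:n-"),
    "list": ("all", "corba:g-u-namng:n-"),
    "bind": ("all", "corba:gsu-namng:n-"),
    "new_context": ("all", "corba:gsumnamng:n-"),
    "bind_new_context": ("all", "corba:gsumnamng:n-"),
    "unbind": ("all", "corba:gsumnamng:nm"),
    "rebind": ("all", "corba:gsumnamng:nm"),
    "destroy": ("all", "corba:gsumnamng:nm"),
}
# Domain access policy, copied from the slide's table: (privilege attribute, delegation state) -> rights.
GRANTED = {
    ("access_id:alice", "initiator"): "corba:gsu-namng:n-",
    ("access_id:alice", "delegate"): "corba:g-u-namng:n-",
    ("group:admin", "initiator"): "corba:gsumnamng:nm",
    ("group:programmers", "initiator"): "corba:gsu-namng:--",
}

def effective_rights(attributes, delegation_state) -> frozenset:
    """Union of the rights granted to each privilege attribute the principal carries."""
    held = set()
    for attr in attributes:
        held |= parse_rights(GRANTED.get((attr, delegation_state), "corba:----namng:--"))
    return frozenset(held)

def adf(attributes, delegation_state, operation) -> bool:
    """Access decision: 'all' needs every required right, 'any' at least one of them."""
    combinator, spec = REQUIRED[operation]
    required, held = parse_rights(spec), effective_rights(attributes, delegation_state)
    return required <= held if combinator == "all" else bool(required & held)
```

Note that alice as a delegate loses the `corba:s` right and therefore may resolve but no longer bind, which is exactly the delegation-state distinction the table encodes.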

Page 15: Restrictions

Coarse-grained, does not scale:

• limited set of rights: rights collisions

• all objects of a type are treated equal!

Hard to manage:

• not OO, low level of abstraction

• semantic gap: requirements “lost”

Hard to specify:

• not expressive: no dynamic properties, no exceptions

• no language support, untyped

Page 16: 4. Raccoon

Prof. Löhr (leader), part of DFG-Schwerpunktprogramm “Sicherheit”

Support for security policy management

• Managing security policy domains:

– Policy Domain Service + GUI tool

• Managing policies:

– View Policy Language: language + tools

• efficient and scalable access controls

Page 17: Managing Policy Domains

Managing domain life cycles and relationships

Managing object life cycles with respect to domain membership

Policy Domain Service:

• realizes the relation Object → Domain → Policy

• management operations

• “metapolicies” resolve policy conflicts

Page 18: View Policy Language

Declarative Policy Language:

• static type checks

• Documentation, Communication, Manageability, Reuse

object-oriented Protection model

expressive, structured

fine-grained and scalable

specification and management tools

Page 19: Views

Views contain rights for operations on objects typed by the controlled object type:

    view Resolver controls NamingContext {
      allow
        resolve;
        list;
      deny
        bind;
    }

Page 20: Users in Roles

Users not known in advance, but Roles

Roles = Actors as in Use-Case-Models

Authentication Service certifies role membership

    roles chair, member, author;

    role assertion
      card( author and chair ) = 0;
      card( chair ) = 1;

Page 21: Access Matrix Model

Entries:

• well-formed

• well-typed

    view Reader controls Paper { allow read; };
    view Owner : Reader { allow destroy; };

  Role       o1:Paper   o2:Paper   o3:Review   o4:T
  Chair      v1, v2     v1, v3     ...
  Reviewer   v2         v4         v5          v6, v7
  Author     -          v4         -           v7

Page 22: Dynamic Changes: Schemas

    interface Paper {
      Review submitReview(in string text);
    };

    schema Paper {
      submitReview
        grants result.update to caller;
        grants this.getReview to caller;
        revokes this.submitReview from caller;
    };
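As an added example (not the Raccoon or VPL tools themselves), the following Python models the view-based concepts of pages 19 to 22 together: views with allow/deny entries and inheritance (Owner : Reader), a well-typed access matrix holding views per (role, object), and the submitReview schema as a post-invocation change to the matrix. The Submitter view, the object instances and the rule that a deny anywhere in a view's inheritance chain wins over an allow are assumptions.

```python
# Added example (not from the slides). Views with allow/deny and inheritance, an access
# matrix of views per (role, object), and the submitReview schema. Assumption: deny wins.
VIEWS = {  # view -> (controlled type, parent view, allowed ops, denied ops)
    "Reader": ("Paper", None, {"read"}, set()),
    "Owner": ("Paper", "Reader", {"destroy"}, set()),
    "Submitter": ("Paper", None, {"submitReview"}, set()),  # constructed for the schema
    "Resolver": ("NamingContext", None, {"resolve", "list"}, {"bind"}),
}
OBJECTS = {"o1": "Paper", "o2": "Paper", "nc": "NamingContext"}  # constructed instances

def view_ops(view):
    """Allowed and denied operations of a view, including those inherited from parents."""
    allow, deny = set(), set()
    while view:
        _, parent, a, d = VIEWS[view]
        allow, deny, view = allow | a, deny | d, parent
    return allow, deny

class Matrix:
    """Access matrix: (role, object) -> held views plus grants/revokes made by schemas."""
    def __init__(self):
        self.cells = {}
    def cell(self, role, obj):
        return self.cells.setdefault((role, obj), {"views": set(), "granted": set(), "revoked": set()})
    def assign(self, role, obj, view):
        """Well-typed entry: the view must control the object's type."""
        if VIEWS[view][0] != OBJECTS[obj]:
            raise TypeError(f"view {view} does not control {OBJECTS[obj]}")
        self.cell(role, obj)["views"].add(view)
    def adf(self, role, obj, op):
        """Access decision: op allowed by a held view or a grant, and neither denied nor revoked."""
        c = self.cell(role, obj)
        allow, deny = set(c["granted"]), set(c["revoked"])
        for v in c["views"]:
            a, d = view_ops(v)
            allow, deny = allow | a, deny | d
        return op in allow and op not in deny

def submit_review(m, caller, paper, review):
    """Schema Paper.submitReview: after a permitted call, grant result.update and
    this.getReview to the caller and revoke this.submitReview from the caller."""
    if not m.adf(caller, paper, "submitReview"):
        raise PermissionError(f"{caller} may not submitReview on {paper}")
    OBJECTS[review] = "Review"  # the Review object returned by the operation (constructed)
    m.cell(caller, review)["granted"].add("update")
    m.cell(caller, paper)["granted"].add("getReview")
    m.cell(caller, paper)["revoked"].add("submitReview")
```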

Page 23: Steps in Policy Design

1. Identification of roles

2. Definition of Views for access use cases

(3.) Definition of Schemas for dynamic changes

4. Definition of initial Views

Page 24: References

Project web page: http://www.inf.fu-berlin.de/inst/ag-ss/raccoon
