ENgine for Controlling Emergent Hierarchical Role-Based Access (ENforCE HRBAccess)
Transcript of ENgine for Controlling Emergent Hierarchical Role-Based Access (ENforCE HRBAccess)
5/1/2007 okhaleel / ENforCE 1
ENgine for Controlling Emergent Hierarchical Role-Based Access (ENforCE HRBAccess)
Osama Khaleel, Thesis Defense
May 2007, Master of Science in Computer Science
University of Colorado, Colorado Springs
Committee Members: Dr. Edward Chow (Chair), Dr. Terry Boult, Dr. Xiaobo Zhou
Thesis Defense Outline
- Intro & Background
- Design
- Implementation
- Performance Analysis
- Lessons Learned
- Future Work
- Contribution
- Demo
- Q & A
Introduction
- Roles in any organization are hierarchical by their nature.
- Resources in any organization vary: from a simple HTML web page, to RDP/SSH access in which a user can gain full control.
- The mission becomes more complicated when users should access resources securely and based on their ROLES.
- Password-based protection is far from satisfying high-level security requirements.
Example organization (roles, role holders, direct access, and network services with their CASA conditions):

ROLE                NAME              DIRECT ACCESS                      NETWORK SERVICES
CEO                 PAM ZALABAK       Admin Tool
CFO                 BRIAN BURNETT     Finance-Mgmt                       SSH, MySQL
Project Manager     TERRY BOULT       Projects-Manager                   RDP
IT Manager          KATE TALLMAN      Resource-Manager, Passwords-Reset
Sales Manager       JIM TIDWELL       Sales-Write
Accounting Manager  JULIE BREWSTER    Finance-Write
Network Admin       EDWARD CHOW       VLAN-Manager                       SSH
Database Admin      XIAOBO ZHOU       MySQL Interface                    MySQL; SSH IF (ITMgr & CEO)
Developer           OSAMA KHALEEL     Reports-Submission                 RDP IF (ProjMgr)
Engineer            BILL KRETSCHMER   Engineer-update-Read
Accountant          AMIE WOODY        View-Orders                        MySQL IF (ANY)
Salesman            LEVI GRAY         Sales-Read
Background
- Authentication [Public Key Infrastructure (PKI)]: Public Key Certificate (PKC), Certificate Authority (CA), Certificate Revocation List (CRL)
- Authorization [Privilege Management Infrastructure (PMI)]: Attribute Certificate (AC), Attribute Authority (AA)
- Policy: Role-Based Access Control (RBAC): Core, Hierarchical; eXtensible Access Control Markup Language (XACML): Policy Enforcement Point (PEP), Policy Decision Point (PDP)
- Engine: Active Directory (AD) [store certificates], ISAPI Filter [secure web-resource access], ASP.NET Application File (Global.asax) [secure net-resource access], Iptables [system firewall]
RBAC: a mechanism/model for restricting access based on the Role of authorized users.
- Core: roles are assigned to users, and permissions are associated with roles, not directly with users.
- Hierarchical: an enhancement to the core, in which senior roles inherit permissions from more junior roles.
XACML: an XML-based OASIS standard that describes:
- A policy language
- A request/response language
The three main components in XACML are Rule, Policy, and PolicySet.
The XACML RBAC profile has two main components:
- Permission PolicySet (PPS)
- Role PolicySet (RPS)
One PPS and one RPS for each defined Role.
PPS: defines the Policies and Rules needed for the Permissions associated with a certain Role. Contains a set of PPS references, using <PolicySetIdReference>, to inherit permissions from the more junior role associated with each referenced PPS.
RPS: defines the Role name and includes ONLY one PPS reference, to associate this Role with the permissions defined in the corresponding PPS.

PPS for the CFO role (MatchId and DataType values are abbreviated on the slide):

<PolicySet PolicySetId="CFOPermissions">
  <Policy PolicyId="PolicyForCFORole">
    <Rule RuleId="FinanceManagementRule" Effect="Permit">
      <Target>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="function:regexp-string-match">
              <AttributeValue DataType="string">https://ncdcrx3.uccs.edu/financial/finMgmt.aspx</AttributeValue>
            </ResourceMatch>
          </Resource>
        </Resources>
      </Target>
    </Rule>
  </Policy>
  <PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference>
  <PolicySetIdReference>AccMgrPermissions</PolicySetIdReference>
</PolicySet>

RPS for the CFO role:

<PolicySet PolicySetId="RPS:CFO">
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="function:string-equal">
          <SubjectAttributeDesignator DataType="string" AttributeId="role"/>
          <AttributeValue DataType="string">CFO</AttributeValue>
        </SubjectMatch>
      </Subject>
    </Subjects>
  </Target>
  <PolicySetIdReference>CFOPermissions</PolicySetIdReference>
</PolicySet>
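The PPS/RPS inheritance described above can be exercised with a small evaluator. The following Python is an added example written for this transcript, not code from the ENforCE policy engine (which is Java): it indexes PolicySets by id, maps each RPS's role to its single PPS, follows PolicySetIdReference chains so that a senior role inherits its junior roles' permissions, and returns Permit/Deny for a (role, URL) pair. The policy text is constructed in the slides' abbreviated form; the SalesMgr and AccMgr policies, their URL patterns and the RPS ids are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed policy store in the slides' abbreviated XACML form: one PPS and one
# RPS per role. The CFO PPS inherits the SalesMgr and AccMgr PPSs through
# PolicySetIdReference; the SalesMgr/AccMgr rules and their RPSs are assumptions.
POLICY_XML = r"""<Policies>
  <PolicySet PolicySetId="CFOPermissions">
    <Policy PolicyId="PolicyForCFORole"><Rule RuleId="FinanceManagementRule" Effect="Permit">
      <Target><Subjects><AnySubject/></Subjects><Resources><Resource>
        <ResourceMatch MatchId="function:regexp-string-match"><AttributeValue DataType="string">https://ncdcrx3.uccs.edu/financial/finMgmt.aspx</AttributeValue></ResourceMatch>
      </Resource></Resources></Target>
    </Rule></Policy>
    <PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference>
    <PolicySetIdReference>AccMgrPermissions</PolicySetIdReference>
  </PolicySet>
  <PolicySet PolicySetId="SalesMgrPermissions">
    <Policy PolicyId="PolicyForSalesMgrRole"><Rule RuleId="SalesWriteRule" Effect="Permit">
      <Target><Subjects><AnySubject/></Subjects><Resources><Resource>
        <ResourceMatch MatchId="function:regexp-string-match"><AttributeValue DataType="string">^https://ncdcrx3\.uccs\.edu/sales/.*</AttributeValue></ResourceMatch>
      </Resource></Resources></Target>
    </Rule></Policy>
  </PolicySet>
  <PolicySet PolicySetId="AccMgrPermissions">
    <Policy PolicyId="PolicyForAccMgrRole"><Rule RuleId="FinanceWriteRule" Effect="Permit">
      <Target><Subjects><AnySubject/></Subjects><Resources><Resource>
        <ResourceMatch MatchId="function:regexp-string-match"><AttributeValue DataType="string">^https://ncdcrx3\.uccs\.edu/financial/finWrite\.aspx$</AttributeValue></ResourceMatch>
      </Resource></Resources></Target>
    </Rule></Policy>
  </PolicySet>
  <PolicySet PolicySetId="RPS:CFO">
    <Target><Subjects><Subject><SubjectMatch MatchId="function:string-equal"><SubjectAttributeDesignator DataType="string" AttributeId="role"/><AttributeValue DataType="string">CFO</AttributeValue></SubjectMatch></Subject></Subjects></Target>
    <PolicySetIdReference>CFOPermissions</PolicySetIdReference>
  </PolicySet>
  <PolicySet PolicySetId="RPS:SalesMgr">
    <Target><Subjects><Subject><SubjectMatch MatchId="function:string-equal"><SubjectAttributeDesignator DataType="string" AttributeId="role"/><AttributeValue DataType="string">SalesMgr</AttributeValue></SubjectMatch></Subject></Subjects></Target>
    <PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference>
  </PolicySet>
  <PolicySet PolicySetId="RPS:AccMgr">
    <Target><Subjects><Subject><SubjectMatch MatchId="function:string-equal"><SubjectAttributeDesignator DataType="string" AttributeId="role"/><AttributeValue DataType="string">AccMgr</AttributeValue></SubjectMatch></Subject></Subjects></Target>
    <PolicySetIdReference>AccMgrPermissions</PolicySetIdReference>
  </PolicySet>
</Policies>"""


def load_policy_sets(xml_text):
    """Index every <PolicySet> (PPS and RPS alike) by its PolicySetId."""
    root = ET.fromstring(xml_text)
    return {ps.get("PolicySetId"): ps for ps in root.iter("PolicySet")}


def role_bindings(policy_sets):
    """Map role name -> PPS id from the RPSs: the PolicySets whose own Target
    matches the 'role' subject attribute and that reference exactly one PPS."""
    bindings = {}
    for ps in policy_sets.values():
        for match in ps.findall("./Target/Subjects/Subject/SubjectMatch"):
            designator = match.find("SubjectAttributeDesignator")
            if designator is None or designator.get("AttributeId") != "role":
                continue
            role = match.findtext("AttributeValue").strip()
            refs = [r.text.strip() for r in ps.findall("PolicySetIdReference")]
            if len(refs) != 1:
                raise ValueError(f"RPS for {role} must reference exactly one PPS")
            bindings[role] = refs[0]
    return bindings


def permitted_patterns(pps_id, policy_sets, seen=None):
    """Collect the resource regexps permitted by a PPS, following its
    PolicySetIdReference chain so senior roles inherit junior permissions."""
    seen = set() if seen is None else seen
    if pps_id in seen:                      # guard against reference cycles
        return []
    seen.add(pps_id)
    if pps_id not in policy_sets:           # fail closed on a misconfigured policy
        raise KeyError(f"dangling PolicySetIdReference: {pps_id}")
    ps = policy_sets[pps_id]
    patterns = []
    for rule in ps.iter("Rule"):
        if rule.get("Effect") != "Permit":
            continue
        for rm in rule.iter("ResourceMatch"):
            if rm.get("MatchId", "").endswith("regexp-string-match"):
                patterns.append(rm.findtext("AttributeValue").strip())
    for ref in ps.findall("PolicySetIdReference"):
        patterns.extend(permitted_patterns(ref.text.strip(), policy_sets, seen))
    return patterns


def decide(role, url, xml_text=POLICY_XML):
    """PDP-style decision for (role, URL): Permit if any inherited pattern matches."""
    policy_sets = load_policy_sets(xml_text)
    bindings = role_bindings(policy_sets)
    if role not in bindings:                # no RPS for this role: nothing applies
        return "Deny"
    for pattern in permitted_patterns(bindings[role], policy_sets):
        if re.search(pattern, url):         # regexp-string-match is unanchored
            return "Permit"
    return "Deny"
```

re.search mirrors XACML's regexp-string-match, which is unanchored: the slide's literal URL pattern also matches any longer URL that merely contains it, so patterns written into a real policy should be anchored, as the constructed Sales and Finance-Write patterns are. A dangling PolicySetIdReference raises instead of silently dropping the inherited permissions.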
Design
By taking advantage of the concepts & technologies just mentioned, the goal is to build a structure/engine that provides:
- Authentication
- Authorization
- Secure access based on users' ROLES
- Protection for ANY type of resource
- Fine-grained control based on active sessions
- A PKI & PMI management tool
ENforCE Test-Bed (network diagram)
- Internal hosts on the local switch: Windows XP, Win2003 IIS, Win2003 DC (addresses 10.0.0.10, 10.0.0.11, 10.0.0.12, 10.0.0.13)
- Fedora Core 4 gateway/firewall: 10.0.0.1 on the local switch side
- Main switch side addresses: 128.198.162.50, 128.198.162.51, 128.198.162.52, 128.198.162.53
ENforCE "Big Picture" (architecture diagram)
Components: IIS Authentication with the ISAPI filter in front of the protected web resources; the Global.asax ASP.NET application in front of the protected network resources; the Policy Enforcement Point (PEP); the Policy Decision Point (PDP) with the RPS/PPS policies; the session policy source; the Domain Controller running Active Directory; and the FC4 machine (firewall) running the Iptables Control Daemon.
Flows: a user request reaches IIS; the PEP receives the HTTP request, gets the user's AC from Active Directory, asks the PDP for a decision (GetDecision), checks the session policy for network resources, and returns an XML response; the outcome is Permit/Deny access for web resources, or Open/Close commands sent to the Iptables Control Daemon for network resources.
Implementation
Two types of access:
- Web-based resources (http://ncdcrx3.uccs.edu)
- Network-based resources (http://ncdcrx4.uccs.edu)
Web resources: accessed directly through IIS using https (port 443).
Network resources:
- Activate a web session first
- ENforCE will open the firewall for the specified service
- Physically access the service through the firewall
- Service port varies (e.g. SSH: 22, RDP: 3389)
Components:
- ISAPI Filter: enforces web-resource access (C/C++ - MFC)
- Global.asax: enforces net-resource access (C#/ASP.NET)
- Policy Engine: PEP, PDP, Policy, RBAC (XACML - Java)
- Firewall Daemon: updates Iptables rules (Java - JSSE)
Web resources (ISAPI) (sequence diagram)
1) Web request arrives at IIS (IIS Authentication, then the ISAPI filter) for a protected web resource
2) HTTP request with attributes from the ISAPI filter to the Policy Enforcement Point
3) The PEP gets the user's AC from Active Directory on the Domain Controller
4) The PEP asks the Policy Decision Point for a decision
5) XML response with the decision back to the ISAPI filter
6) Permit/Deny access
Network resources (Global.asax) (sequence diagram)
1) Request a session (IIS Authentication, then the Global.asax ASP.NET application) for a protected network resource
2) HTTP request with attributes from Global.asax to the Policy Enforcement Point
3) The PEP gets the user's AC from AD on the DC
4) The PEP gets a decision from the PDP
5) The PEP checks the session policy (session policy source)
6) Open/Close commands to the Iptables Control Daemon on the FC4 machine (firewall)
7) XML response with the decision back to Global.asax
8) The user physically accesses the service through the firewall
Requests to PEP
1) From ISAPI (access a web resource):
http://localhost:8080/sispep/servlets/sispep?
  subject=CN=Edward Chow, C=US, S=CO, ...., [email protected], OU=Computer Science &
  URL=https://ncdcrx3.uccs.edu/it/img.jpg &
  method=GET &
  service=web
2) From Global.asax (open a network resource):
http://localhost:8080/sispep/servlets/sispep?
  subject=CN=Edward Chow, C=US, S=CO, ...., [email protected], OU=Computer Science &
  URL=https://ncdcrx4.uccs.edu/ssh/session.aspx &
  service=ssh &
  IP=128.198.55.11 &
  sessionID=23hjhY43 &
  action=open
3) From Global.asax (close a network resource):
http://localhost:8080/sispep/servlets/sispep?
  subject=CN=Edward Chow, C=US, S=CO, ...., [email protected], OU=Computer Science &
  URL=https://ncdcrx4.uccs.edu/ssh/session.aspx &
  service=ssh &
  IP=128.198.55.11 &
  sessionID=23hjf73G2 &
  action=close
Conditional Active-Session Access (CASA)
Idea: a Junior role can ONLY access a network resource IF its Senior role has an active session for that resource.
Why? To add finer access control.
How? The PEP maintains a table. An entry looks like:
  29gY3k0*ssh | Engineer | Subject | https://ncdcrx4.uccs.edu/ssh/net.aspx | 128.198.162.50
The PEP reads an XML policy file (session policy). The session policy file supports 3 cases:
1) A CERTAIN Senior Role is required
2) ANY Senior Role is required (NOT including itself)
3) N Senior Roles are required

<Service name="SSH"><Senior>ProjectMngr</Senior><Junior>Developer</Junior></Service>
<Service name="MySQL"><Senior>ANY</Senior><Junior>Accountant</Junior></Service>
<Service name="SSH"><Senior>ITManager</Senior><Junior>DBAdmin</Junior></Service>
<Service name="SSH"><Senior>CEO</Senior><Junior>DBAdmin</Junior></Service>
CASA (cont'd)
The PEP reads the session policy file and creates two things:
1) Hierarchical-Role tree, to answer: is Role A senior to Role B?
2) Session Policy Table, to decide: for the requested service, is the Junior's access constrained by the Senior's?

Session Policy Table (Senior : Junior):
SSH   CFO : Sales Mngr    ANY : Developer
RDP   CEO : DB Admin      ITMngr : DB Admin
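The three session-policy cases and the two structures the PEP builds from the file (the role tree and the session policy table) can be shown together. The following Python is an added example, not the ENforCE PEP's own code: it parses the <Service> entries into a Senior:Junior table, answers "is A senior to B" over a constructed role tree, keeps an active-session table with the 1-minute Session.Timeout from the Global.asax slide, and makes the CASA decision for a junior's request. The hierarchy shape, the session rows and the service names are assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SESSION_TIMEOUT_S = 60  # Session.Timeout = 1 (minute) on the Global.asax slide

# Constructed session policy in the slide's <Service> form. Two entries for the
# same junior (DBAdmin) express case 3: N senior roles are all required.
SESSION_POLICY = """<SessionPolicy>
  <Service name="SSH"><Senior>ProjectMngr</Senior><Junior>Developer</Junior></Service>
  <Service name="MySQL"><Senior>ANY</Senior><Junior>Accountant</Junior></Service>
  <Service name="SSH"><Senior>ITManager</Senior><Junior>DBAdmin</Junior></Service>
  <Service name="SSH"><Senior>CEO</Senior><Junior>DBAdmin</Junior></Service>
</SessionPolicy>"""

# Constructed role hierarchy (junior -> direct seniors). The slides list the
# roles but not the full tree, so this shape is an assumption.
ROLE_SENIORS = {
    "CFO": ["CEO"], "ITManager": ["CEO"], "ProjectMngr": ["CEO"],
    "SalesMgr": ["CFO"], "AccMgr": ["CFO"],
    "NetworkAdmin": ["ITManager"], "DBAdmin": ["ITManager"],
    "Developer": ["ProjectMngr"], "Engineer": ["ProjectMngr"],
    "Accountant": ["AccMgr"], "Salesman": ["SalesMgr"],
}


@dataclass
class Session:
    """One row of the PEP's active-session table (constructed layout)."""
    session_id: str
    role: str
    subject: str
    url: str
    ip: str
    service: str
    opened_at: float  # seconds; compared against SESSION_TIMEOUT_S


def load_session_policy(xml_text):
    """Session Policy Table: service -> list of (senior, junior) constraints."""
    table = {}
    for svc in ET.fromstring(xml_text).findall("Service"):
        entry = (svc.findtext("Senior").strip(), svc.findtext("Junior").strip())
        table.setdefault(svc.get("name").strip().lower(), []).append(entry)
    return table


def is_senior(candidate, role, hierarchy=ROLE_SENIORS):
    """Hierarchical-Role tree query: is 'candidate' a strict senior of 'role'?"""
    stack, seen = list(hierarchy.get(role, [])), set()
    while stack:
        r = stack.pop()
        if r == candidate:
            return True
        if r not in seen:
            seen.add(r)
            stack.extend(hierarchy.get(r, []))
    return False


def active_roles(sessions, service, now):
    """Roles holding a non-expired session for this service."""
    return {s.role for s in sessions
            if s.service.lower() == service.lower()
            and now - s.opened_at < SESSION_TIMEOUT_S}


def casa_decide(role, service, sessions, now, policy=None):
    """Permit unless a constraint for (service, role) is unsatisfied.
    Case 1: the named senior must be active. Case 2 (ANY): some role strictly
    senior to 'role' must be active, never 'role' itself. Case 3: every listed
    senior must be active (all entries for the same junior are ANDed)."""
    policy = load_session_policy(SESSION_POLICY) if policy is None else policy
    constraints = [senior for senior, junior in policy.get(service.lower(), [])
                   if junior == role]
    if not constraints:
        return "Permit"  # this junior is not constrained for this service
    live = active_roles(sessions, service, now)
    for senior in constraints:
        if senior == "ANY":
            if not any(is_senior(r, role) for r in live):
                return "Deny"
        elif senior not in live:
            return "Deny"
    return "Permit"
```

Expiry is checked at decision time rather than when the session table is pruned, so a senior whose session timed out between the PEP's refreshes stops unlocking the junior immediately; Session_End closing the firewall rule is the matching step on the Global.asax side.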
Code Highlights (1)
ISAPI Filter: should define 2 functions:
- GetFilterVersion(): register event notifications
    pVer->dwFlags = SF_NOTIFY_SECURE_PORT | SF_NOTIFY_AUTH_COMPLETE;
- HttpFilterProc(): put the actual code that will be executed
  Intercept URL:
    pfc->GetServerVariable(pfc, "URL", reqUrlBuf, &bufSize);
  Intercept request method:
    pfc->GetServerVariable(pfc, "REQUEST_METHOD", methBuf, &bufSize2);
  Intercept user's PKC:
    pfc->ServerSupportFunction(pfc, HSE_REQ_GET_CERT_INFO_EX, &ccex, dwSize);
  Submit a request to the PEP:
    HttpFile = (CHttpFile*) pHttpSession.OpenURL(pepUrl);
  Parse the XML response:
    CMarkup xml;  // then use this object to traverse the XML response
Code Highlights (2)
Global.asax:
- Application_BeginRequest()
    User's PKC: Request.ClientCertificate.Subject;
    URL: Request.Url.AbsoluteUri;
    IP: Request.ServerVariables["REMOTE_ADDR"];
- Application_AcquireRequestState()
    Session.Timeout = 1; // in minutes
    srvSessionID = Session.SessionID;
    uri = new Uri(PolicyEnforcementPointUrl);
    webReq = WebRequest.Create(uri);
    PEPResponse = webReq.GetResponse();
    if (!permit)
        Response.Redirect("Error Page");
- Session_End(): similar to AcquireRequestState()'s code, but the action is "close".
Code Highlights (3)
Iptables Daemon:
- Create SSL context:
    sslctx = SSLContext.getInstance("TLSv1", "SunJSSE");
- Define keystores:
    PEPstore = KeyStore.getInstance("JKS", "SUN");
    PEPtrust = KeyStore.getInstance("JKS", "SUN");
- Define & init the trusted keystore:
    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
    tmf.init(PEPtrust);
- Define & init the owned keystore (for the private key):
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509", "SunJSSE");
    kmf.init(PEPstore, keypass);
- Init the SSL context:
    sslctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    SSLServerSocketFactory ssf = sslctx.getServerSocketFactory();
- Init the SSL server socket:
    secSock = (SSLServerSocket) ssf.createServerSocket(9876);
    secSock.setNeedClientAuth(true);
- Execute commands on the Fedora Core OS:
    rt = Runtime.getRuntime();
    rt.exec("cmd1");
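The daemon's last step, rt.exec("cmd1"), is where PEP-supplied fields (service, client IP, session ID) turn into a firewall rule, so those fields need validating before any command is built. The Python below is an added example, not the ENforCE daemon's Java: it parses a command of an assumed "open|close service ip sessionID" form, rejects anything that is not a known service, an IPv4 address or a short alphanumeric id, and returns an iptables argv list meant for subprocess.run without a shell. The command format, the FORWARD chain and the service-to-host mapping are assumptions; SSH:22 and RDP:3389 come from the Implementation slide and MySQL's 3306 is assumed.

```python
import ipaddress
import shlex

# SSH:22 and RDP:3389 are on the Implementation slide; MySQL's 3306 is assumed.
SERVICE_PORTS = {"ssh": 22, "rdp": 3389, "mysql": 3306}
# Constructed: which 10.0.0.x test-bed host each service lives on (the slides do not say).
SERVICE_HOSTS = {"ssh": "10.0.0.11", "rdp": "10.0.0.13", "mysql": "10.0.0.12"}
CHAIN = "FORWARD"  # assumption: the FC4 gateway forwards sessions to the internal hosts


def parse_command(line):
    """Parse one PEP command, assumed to look like
    '<open|close> <service> <client-ip> <sessionID>'. Every field is checked
    against a fixed vocabulary or a strict syntax before it can reach an argv."""
    parts = line.strip().split()
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields, got {len(parts)}")
    action, service, ip, session_id = parts
    if action not in ("open", "close"):
        raise ValueError(f"unknown action {action!r}")
    service = service.lower()
    if service not in SERVICE_PORTS:
        raise ValueError(f"unknown service {service!r}")
    client = ipaddress.ip_address(ip)  # ValueError on anything that is not an address
    if client.version != 4:
        raise ValueError("IPv4 client address expected")
    if not (session_id.isalnum() and len(session_id) <= 32):
        raise ValueError("session id must be short and alphanumeric")
    return action, service, str(client), session_id


def build_iptables_argv(line):
    """Turn a validated command into an iptables argv: '-I' inserts the ACCEPT
    rule on open, '-D' deletes the identical rule on close, so open and close
    stay symmetric and nothing is left behind when the web session ends."""
    action, service, client_ip, _ = parse_command(line)
    flag = "-I" if action == "open" else "-D"
    return ["iptables", flag, CHAIN, "-s", client_ip, "-d", SERVICE_HOSTS[service],
            "-p", "tcp", "--dport", str(SERVICE_PORTS[service]), "-j", "ACCEPT"]


def is_rejected(line):
    """True when the command fails validation (what the daemon should log and drop)."""
    try:
        build_iptables_argv(line)
    except ValueError:
        return True
    return False


def render(argv):
    """Quoted one-line form for the daemon's log. The real call is
    subprocess.run(argv) on the list, never a shell string, so no quoting is
    needed for execution and a crafted field cannot become a second command."""
    return " ".join(shlex.quote(a) for a in argv)
```

Passing the argv list to subprocess.run (or to Runtime.exec's String[] overload in the Java daemon) and validating every field against a closed set is what keeps the mutually authenticated TLS channel from being the only thing standing between a PEP request and the firewall's rule set.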
Performance Analysis (unit: ms)

Web resources (ISAPI)
Resource        Retrieve AC from AD   PDP decision   Total request time
Finance Mgmnt   5.4750                3.0345         10.3476
Sales Write     6.2864                4.3872         13.7203
Posting orders  6.9820                4.92345        13.8433
View orders     5.1734                4.1093         11.7390

Network resources (Global.asax) - new session
Resource   Retrieve AC from AD   PDP decision   CASA decision   Firewall update   Total request time
SSH        5.8730                3.8264         2.3654          15.5093           29.4374
RDP        5.7639                4.9276         3.1093          17.1204           32.2841
MySQL      6.1927                3.1043         2.5831          14.7627           30.6392

Network resources (Global.asax) - session refresh
Resource   Retrieve AC from AD   PDP decision   CASA decision   Total request time
SSH        6.8093                4.3298         3.9485          20.5912
RDP        7.7602                3.8749         2.2037          20.5382
MySQL      6.3175                3.7829         2.5582          19.7045
Lessons Learned
- It is not a good idea to use too many packages with different programming languages in one component (i.e. the Admin tool).
- At the very beginning, I tried to use a package called "CryptLib" [59] to create ACs, but it didn't work.
- I tried to use an HttpModule, but it turned out that it is triggered by aspx pages and can handle request-level events only. On the other hand, ISAPI filters and Global.asax were very good choices to go for:
  - ISAPI is very fast and works with any type of file.
  - Global.asax has the ability to deal with session- and application-level events.
- Don't start implementing something from scratch unless you have spent sufficient time doing research about it and making sure that it does not already exist.
- Generally speaking, it is really a good thing that a developer does not limit him/herself to a certain programming language or technology.
- In fact, when I started working on this thesis, I only knew Java and some security-related things, so it took me some time to teach myself the required stuff to get this work done.
- Now anyone who reads about this thesis can see that Java, C#, ASP.NET, JSP, C/C++, XACML, Iptables, X509 certificates, ISAPI filters, OpenSSL, Tomcat, IIS, and Active Directory have been used. It wasn't easy though!
Future Work
- Extend the system to work in a multi-agency environment.
- Develop more services that can take advantage of the existing RBAC architecture. For instance:
  - RBAC E-Voting: users can vote based on their roles.
  - RBAC Instant Messenger: users can chat based on their roles.
  - RBAC E-Mail: users can send e-mails based on their roles.
  - RBAC XXX and so on...
- Support more operating systems (Mac, Solaris, ...).
- Improve the Admin tool to initialize and modify Active Directory, and to be able to generate XACML policies.
- Support wireless access.
Thesis Contributions
- Provide an architecture for small- to mid-sized (potentially large-scale) companies to address accessing sensitive resources securely according to a hierarchical role-based access policy.
- Extend XACML's implementation to handle the Hierarchical Role-Based Access Control (HRBAC) model.
- Add a new concept of secure access in which a Senior Role can restrict its Junior Role's access using active sessions.
- Enhance IIS 6.0 with two components: ENforCE-ISAPI Filter and ENforCE-Global.asax.
- Simplify PKI and PMI management, therefore reducing management cost and errors.
- Filed an Invention Disclosure with CU TTO.
ENforCE Demo
Q & A
For references and more details, please refer to the thesis report:
http://cs.uccs.edu/~gsc/pub/master/okhaleel/doc/osamaThesisReport.doc
- Authentication: the process in which someone provides some kind of credentials to prove his or her identity.
- CA: a trusted third party that issues digital certificates to be used by other parties. It guarantees that the individual granted the certificate is really who they claim to be.
- PKC: a digitally signed document that binds a public key to a subject (identity). This binding is asserted by a trusted CA.
- CRL: a list signed by the issuing CA that contains the serial numbers of the revoked certificates.
- Authorization: the process used to determine whether the subject has the required permissions to access some protected resources.
- AC: a digitally signed document that binds a set of attributes, like membership, role, or security clearance, to the AC holder.
- AA: a trusted third party that is responsible for issuing, maintaining, and revoking ACs.
- AD: a distributed directory service included in Windows Server 2000/2003; Microsoft's implementation of LDAP; used to store and manage all information about network resources across the domain: computers, groups, users, ...
- ISAPI filters: DLLs that can be used to enhance and modify the functionality of IIS. Powerful: they can modify both the incoming and outgoing data stream for EVERY request.
- Global.asax: a file that resides in the root directory of the ASP.NET application. Contains code to handle application-level and session-level events raised by ASP.NET.
- Iptables: a generic table structure for defining a set of rules to deal with network packets. Rules are grouped into chains; chains are grouped into tables; each table is associated with a different kind of packet processing.