ISSEA 2002-1
Security Engineering for Roles and Resources in a Distributed Environment
Profs. Steven A. Demurjian and T.C. Ting
Computer Science & Engineering Department
191 Auditorium Road, Box U-155
The University of Connecticut
Storrs, Connecticut 06269-3155
http://www.engr.uconn.edu/~steve
Lt. Col. Charles E. Phillips, Jr.
Computer Science & Engineering Department
191 Auditorium Road, Box U-155
The University of Connecticut
Storrs, Connecticut
[email protected]
ISSEA 2002-2
Overview of Presentation
- Introduction
- Distributed Security Model
- Enforcement Framework
- Experimental Prototype
- Supporting Advanced Applications
- Conclusions
- Future Work
ISSEA 2002-3
Introduction: Goals of Our Research
- Incorporation of Role-Based Security within a Distributed Resource Environment
  - Highly-Available Distributed Applications Constructed Using Middleware Tools
  - Demonstrate Use of Lookup Service to Provide Role-based Access of Clients to Resources
- Propose Software Architecture and Role-Based Security Model with Constraints for
  - Authorization of Clients Based on Role
  - Authentication of Clients and Resources
  - Enforcement and Tracking so Clients Only Use Authorized Services (of Resource)
- Propose a Flexible Security Solution for Clients and Services (Resources) in Dynamic Coalitions
ISSEA 2002-4
Introduction: Proposed Architecture
[Figure: proposed architecture. Clients (Java Client, Legacy Client, Database Client, Software Agent, COTS Client), the Security Authorization Client (SAC) and the Security Policy Client (SPC) reach resources through the Lookup Service. Resources: Wrapped Resource for Legacy Application, Wrapped Resource for Database Application, Wrapped Resource for COTS Application, General Resource, and Global Clock Resource (GCR). The Unified Security Resource (USR) provides Security Registration Services, Security Policy Services, Security Authorization Services, and Security Analysis and Tracking (SAT).]
ISSEA 2002-5
Distributed Security Model: Lookup Service Middleware
- Construct Distributed Applications by Federating Groups of Users
  - Resources Provide Services for Users
- A Resource Provides a Set of Services for Use by Clients (Users) and Other Resources (Services)
- A Service is Similar to a Set of Public Methods
  - Exportable - Analogous to API
  - Any Entity Utilized by Person or Program
  - Samples Include: Computation, Persistent Store, Printer, Sensor, Software Filter, Real-Time Data Source
- Services: Concrete Interfaces of Components
- Services Register with Lookup Service
ISSEA 2002-6
Distributed Security Model: Join, Lookup, and Service Invocation
[Figure: Client, Lookup Service, and Resource. The Resource's CourseDB class contains the method AddCourse( ); the Resource joins by registering and leasing its services (Service Object and Service Attributes) in the Lookup Service's Registry of Entries. The Client requests the service AddCourse(CSE900) from the Lookup Service, which returns a proxy to AddCourse( ); the Client invokes the service via the proxy by a transparent RMI call.]
Step 1. Join: Services are registered
Step 2. Client makes request
Step 3. Lookup Service returns Service
Step 4. Client invokes AddCourse(CSE230) on Resource
Step 5. Resource returns results of invocation to Client
ISSEA 2002-7
Distributed Security Model: Lookup Service Shortfalls
- Many Current Lookup Services
  - Successfully Dictate Service Utilization
  - Require a Programmatic Solution for Security
  - Do Not Selectively and Dynamically Control Access Based on Client Role
- Security of a Distributed Resource Should Selectively and Dynamically Control Client Access to Services Based on the Role
- Our Approach
  - Define Dedicated Resources to Authorize, Authenticate, and Enforce Security by Role
  - Proposed Unified Security Resources (USR): Policy Services, Authorization Services, Registration Services, & Analysis/Tracking Services
ISSEA 2002-8
Distributed Security Model: Resource, Service, Methods
Definition 1: A Distributed Application Consists of M Software/System Resources (Legacy, COTS, Database, Web Server, Etc.) that are Uniquely Identifiable.
Definition 2: Each Resource is Composed of Services That Are Uniquely Identifiable.
Definition 3: Each Service is Composed of a Set of Uniquely Identifiable Methods. Note That the Triple (R-id, S-id, M-id) is Unique.
Definition 4: The Signature of a Method of a Service of a Resource is Unique, and Consists of: Method Name, Parameter List of Names/Types, Return Type (possibly Null).
ISSEA 2002-9
Distributed Security Model: Resources, Services, and Methods
Read Service with Methods:
  String getAllClasses (Token);
  String getRegisteredCourses (Token, StudentName);
  Vector getClasses (long Token, Semester);
  Vector getClassDescription (Token, Course);
  Vector getPreReqCourses (Token, Course);
  Vector getVacantClasses (Token, Semester);
Modification Service with Methods:
  boolean addCourse (Token, Course);
  boolean removeCourse (Token, Course);
  boolean updateEnroll (Token, CourseNumber, UpdateChoice, NewValue);
  boolean registerCourse (Token, Course, StudentName);
  boolean dropCourse (Token, Course, StudentName);
ISSEA 2002-10
Distributed Security Model: Roles and Constraints
Definition 5: A User Role, UR, is a Uniquely Identifiable Named Entity Representing a Specific Set of Responsibilities Against an Application.
Definition 6: A Signature Constraint, SC, is a Boolean Expression Defined on a Method Signature to Limit the Allowable Values of the Parameters and the Return Type.
Definition 7: A Time Constraint, TC, is an Expression Defined for a Discrete Period of Time (Days or Time Period in GMT) Under Which a Method Can Be Invoked:
TC = {E | E = "Never" or E = "Always" or E = Boolean Expression}.
ISSEA 2002-11
Distributed Security Model: Roles and Constraints
Sample Signature Constraints for CourseDB Resource:
  Modification, addCourse, cse101 ≤ course ≤ cse499
  Modification, updateEnroll, newValue ≤ 30
  Read, getClasses, semester = Spring
Sample Time Constraints:
  01jan01 ≤ date ≤ 31mar01
  1apr01 ≤ date ≤ 14apr01
  date = 10apr01
ISSEA 2002-12
Distributed Security Model: Privilege Tuples and Authorizations
Definition 8: Assume a Distributed Application Consists of Resources, Services, and Methods. A Security Privilege Tuple Contains a Specific Resource, Service, and/or Method (with Optional Time and Signature Constraint):
{UR, TC, Ri, Sij, [Mijk, SCijk]}
Definition 9: Assume a Distributed Application of Resources, Services, and Methods. A Security Privilege Tuple Set Contains All of the Resources, Services, and Methods that Have Been Authorized (Granted) to a UR:
Security Privilege Tuple Set = {[UR, TC, Ri, Sij, [Mijk, SCijk]]}
ISSEA 2002-13
Distributed Security Model: Roles, Constraints, and Authorizations
Role: CSEFaculty
{[CSEFaculty, always, CourseDB, Read, [*]],
 [CSEFaculty, 01jan01 ≤ date ≤ 31mar01, CourseDB, Modification, [addCourse, cse101 ≤ course ≤ cse499]],
 [CSEFaculty, always, CourseDB, Modification, [updateEnroll, newValue ≤ 30]]}
Role: CSEUndergrad
{[CSEUndergrad, 10dec00 ≤ date ≤ 16feb01, CourseDB, Read, [getClasses, semester = Spring]],
 [CSEUndergrad, 1apr01 ≤ date ≤ 14apr01, CourseDB, Modification, [registerCourse, cse101 ≤ course ≤ cse299]],
 [CSEUndergrad, 15apr01 ≤ date ≤ 30apr01, CourseDB, Modification, [registerCourse, true]]}
Authorized Users/Roles
  Harris: CSEUndergrad
  Jones: CSEFaculty, CSEDeptHead
Token: [Harris, UR/CSEUndergrad, IP/100.150.200.250, Time/16mar01-14:50:04]
ISSEA 2002-14
Distributed Security Model: User and Authorizations
Definition 10: A User, U, is Uniquely Identifiable (User-id) and Authorized to Play One or More Roles in an Application. A User Must Always Play Exactly One Role at Any Point During an Active Session, but is Able to Change Roles During a Session.
Definition 11: A Client, C, Represents an Authorized User, U, Utilizing a Client Application, and is Uniquely Identified During a Specific Session Via a System Generated Token:
[User-id, Ur-id, Ip-address, Token-creation-time]
ISSEA 2002-15
Enforcement Framework: The Unified Security Resource (USR)
[Figure: the proposed architecture of slide 4 again, highlighting the Unified Security Resource (USR) with its Security Registration Services, Security Policy Services, Security Authorization Services, and Security Analysis and Tracking (SAT). The Security Authorization Client (SAC), the Security Policy Client (SPC), the clients (Java, Legacy, Database, Software Agent, COTS) and the wrapped resources (Legacy, Database, COTS), General Resource and Global Clock Resource (GCR) reach it through the Lookup Service.]
ISSEA 2002-16
Enforcement Framework: Security Policy Services
Register Service:
  Register_Resource(R_Id); Register_Service(R_Id, S_Id); Register_Method(R_Id, S_Id, M_Id); Register_Signature(R_Id, S_Id, M_Id, Signat);
  UnRegister_Resource(R_Id); UnRegister_Service(R_Id, S_Id); UnRegister_Method(R_Id, S_Id, M_Id); Unregister_Token(Token)
Query Privileges Service:
  Query_AvailResource(); Query_AvailMethod(R_Id); Query_Method(Token, R_Id, S_Id, M_Id); Check_Privileges(Token, R_Id, S_Id, M_Id, ParamValueList);
User Role Service:
  Create_New_Role(UR_Name, UR_Disc, UR_Id); Delete_Role(UR_Id);
Constraint Service:
  DefineTC(R_Id, S_Id, M_Id, SC); DefineSC(R_Id, S_Id, M_Id, SC); CheckTC(Token, R_Id, S_Id, M_ID); CheckSC(Token, R_Id, S_Id, M_ID, ParamValueList);
Grant-Revoke Service:
  Grant{Revoke}_Resource(UR_Id, R_Id); Grant{Revoke}_Service(UR_Id, R_Id, S_Id); Grant{Revoke}_Method(UR_Id, R_Id, S_Id, M_Id); Grant{Revoke}_SC(UR_Id, R_Id, S_Id, M_Id, SC); Grant{Revoke}_TC(UR_Id, R_Id, S_Id, M_Id, TC);
ISSEA 2002-17
Enforcement Framework: Other Services
SECURITY REGISTRATION SERVICES
Register Client Service:
  Create_Token(User_Id, UR_Id, Token); Register_Client(User_Id, IP_Addr, UR_Id); UnRegister_Client(User_Id, IP_Addr, UR_Id); IsClient_Registered(Token); Find_Client(User_Id, IP_Addr);
SECURITY AUTHORIZATION SERVICES
Authorize Role Service:
  Grant_Role(UR_Id, User_Id); Revoke_Role(UR_Id, User_Id);
Client Profile Service:
  Verify_UR(User_Id, UR_Id); Erase_Client(User_Id); Find_Client(User_Id); Find_All_Clients();
Security Tracking and Analysis Services
Tracking Service: Logfile(Log String)
Analysis Service: Analyze (Java Class File)
ISSEA 2002-18
Enforcement Framework: Client, Resource, Service Invocations
[Figure: Course Client, Lookup Service, the USR (Security Registration Services, Security Authorization Services, Security Policy Services) and the UnivDB Resource, exchanging the numbered messages below.]
1. Register_Client(Harris, cse.uconn.edu, CSEUndergrad)
2. Verify_UR(Harris, CSEUndergrad)
3. Client OK?
4. Return Result, Create_Token(CSEUndergrad, Token)
5. Discover/Lookup(UnivDB, Modification, RegisterCourse) Returns Proxy to Course Client
6. RegisterCourse(Token, CSE230, Harris)
7. IsClient_Registered(Token)
8. Return Result of IsClient_Registered(…)
9. Check_Privileges(Token, UnivDB, Modification, RegisterCourse, [CSE230, Harris])
10. Return Result of Check_Privileges(…)
11. Return Result, RegisterCourse(…)
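As an added example (not the authors' prototype code and not part of the ISSEA slides), the Python below models Definitions 5 through 11, the slide-13 privilege tuple set for the CourseDB resource, and the eleven-step invocation sequence of slide 18 in one place: a USR object offers Verify_UR, Register_Client/Create_Token, IsClient_Registered and Check_Privileges, and a wrapped resource refuses any service invocation the USR does not clear. Assumptions of this example: the resource is called CourseDB as on slide 13 (slide 18 calls it UnivDB), timestamps are passed as strings in the slides' own `16mar01-14:50:04` style in place of the Global Clock Resource, course ids have the form `cseNNN`, and the class names, `scenario` function and log format are this example's own.

```python
# Added example (not the authors' prototype): a small simulation of the
# role/constraint model (Definitions 5-11) and the slide-18 invocation
# sequence. The CourseDB policy and users come from slide 13; the Python
# names, log format and string timestamps are this example's own assumptions.
from dataclasses import dataclass
from datetime import date, datetime
from typing import Callable, Dict, List, Set

def parse_time(s: str) -> datetime:
    """Parse the slides' timestamp style: '10apr01' or '16mar01-14:50:04'."""
    return datetime.strptime(s, "%d%b%y-%H:%M:%S" if "-" in s else "%d%b%y")

# Time constraints (Definition 7): Never, Always, or a boolean over the date.
TimeConstraint = Callable[[date], bool]
def always(_d: date) -> bool: return True
def never(_d: date) -> bool: return False
def between(lo: str, hi: str) -> TimeConstraint:
    lo_d, hi_d = parse_time(lo).date(), parse_time(hi).date()
    return lambda d: lo_d <= d <= hi_d

# Signature constraints (Definition 6): a boolean over the parameter values.
SigConstraint = Callable[[Dict[str, object]], bool]
def course_between(lo: int, hi: int) -> SigConstraint:
    return lambda p: lo <= int(str(p["course"])[3:]) <= hi   # assumes "cseNNN" ids

@dataclass(frozen=True)
class PrivilegeTuple:                # [UR, TC, R, S, [M, SC]] (Definition 8)
    ur: str
    tc: TimeConstraint
    resource: str
    service: str
    method: str                      # "*" grants every method of the service
    sc: SigConstraint = lambda _p: True

@dataclass(frozen=True)
class Token:                         # [User-id, UR-id, IP, creation time] (Definition 11)
    user_id: str
    ur_id: str
    ip: str
    created: str

PRIVILEGES: List[PrivilegeTuple] = [     # privilege tuple set of slide 13
    PrivilegeTuple("CSEFaculty", always, "CourseDB", "Read", "*"),
    PrivilegeTuple("CSEFaculty", between("01jan01", "31mar01"), "CourseDB",
                   "Modification", "addCourse", course_between(101, 499)),
    PrivilegeTuple("CSEFaculty", always, "CourseDB", "Modification",
                   "updateEnroll", lambda p: int(p["newValue"]) <= 30),
    PrivilegeTuple("CSEUndergrad", between("10dec00", "16feb01"), "CourseDB",
                   "Read", "getClasses", lambda p: p["semester"] == "Spring"),
    PrivilegeTuple("CSEUndergrad", between("1apr01", "14apr01"), "CourseDB",
                   "Modification", "registerCourse", course_between(101, 299)),
    PrivilegeTuple("CSEUndergrad", between("15apr01", "30apr01"), "CourseDB",
                   "Modification", "registerCourse"),
]
USER_ROLES: Dict[str, Set[str]] = {"Harris": {"CSEUndergrad"},
                                   "Jones": {"CSEFaculty", "CSEDeptHead"}}

class USR:
    """Unified Security Resource: registration, authorization, policy, tracking."""
    def __init__(self, privileges: List[PrivilegeTuple], user_roles: Dict[str, Set[str]]):
        self.privileges, self.user_roles = privileges, user_roles
        self.tokens, self.log = set(), []      # live tokens; Analysis/Tracking log
    def verify_ur(self, user_id: str, ur_id: str) -> bool:            # step 2
        return ur_id in self.user_roles.get(user_id, set())
    def register_client(self, user_id: str, ip: str, ur_id: str, now: str):   # steps 1-4
        if not self.verify_ur(user_id, ur_id):
            self.log.append(f"DENY register {user_id} as {ur_id}")
            return None
        tok = Token(user_id, ur_id, ip, now)                          # Create_Token
        self.tokens.add(tok)
        return tok
    def is_client_registered(self, tok: Token) -> bool:               # step 7
        return tok in self.tokens
    def check_privileges(self, tok: Token, r_id: str, s_id: str, m_id: str,
                         params: Dict[str, object], now: str) -> bool:   # step 9
        when = parse_time(now).date()    # 'now' stands in for the Global Clock Resource
        for pt in self.privileges:
            if (pt.ur, pt.resource, pt.service) != (tok.ur_id, r_id, s_id):
                continue
            if pt.method in ("*", m_id) and pt.tc(when) and pt.sc(params):
                self.log.append(f"GRANT {tok.user_id}/{tok.ur_id} {r_id}.{s_id}.{m_id} {params}")
                return True
        self.log.append(f"DENY {tok.user_id}/{tok.ur_id} {r_id}.{s_id}.{m_id} {params}")
        return False

class WrappedCourseDB:
    """Wrapped resource: every service invocation is cleared with the USR first."""
    def __init__(self, usr: USR):
        self.usr = usr
    def invoke(self, tok: Token, s_id: str, m_id: str, params: Dict[str, object], now: str) -> bool:
        if not (self.usr.is_client_registered(tok) and                # steps 7-8
                self.usr.check_privileges(tok, "CourseDB", s_id, m_id, params, now)):  # steps 9-10
            return False
        return True       # the real CourseDB method would run here (step 11 returns its result)

def scenario(user: str, ur: str, s_id: str, m_id: str, params: Dict[str, object], now: str) -> bool:
    """Slide-18 sequence: register the client, look up the resource proxy, invoke."""
    usr = USR(PRIVILEGES, USER_ROLES)
    lookup = {"CourseDB": WrappedCourseDB(usr)}                       # join: resource registers
    tok = usr.register_client(user, "100.150.200.250", ur, now)       # steps 1-4
    if tok is None:
        return False                                                  # user not authorized for role
    return lookup["CourseDB"].invoke(tok, s_id, m_id, params, now)    # steps 5-11
```

Calling `scenario("Harris", "CSEUndergrad", "Modification", "registerCourse", {"course": "cse230", "student": "Harris"}, "10apr01-14:50:04")` walks the whole sequence and is granted by the April 1-14 tuple, while the same call with `cse350` is refused until the April 15-30 tuple (which carries no signature constraint) applies. The design point worth noting is that the wrapped resource never evaluates policy itself: it only asks the USR, so the tuple set and its constraints can be changed through the Security Policy Client without touching the resource.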
ISSEA 2002-19
Enforcement Framework: Security Prototype (JINI and CORBA)
- During the Past Two Years, an Extensive Prototype has Been Developed on NT/Linux Using:
  - Java as Main Development Language
  - JINI/CORBA as Middleware
  - Oracle/MS Access as Databases
- Security Management/Administration Tools
  - Security Policy Client
  - Security Authorization Client
  - Tracking/Analysis Client
- We'll Discuss Each in Turn by Reviewing a Series of GUI Bitmaps
ISSEA 2002-20
Enforcement Framework: Security Prototype (JINI and CORBA)
[Figure: prototype deployment. A Java GUI PDB Client, a Java GUI UDB Client, the Security Policy Client and the Security Authorization Client use a JINI Lookup Service and a CORBA Lookup Service to reach the Security System Resource, the PDB & UDB resources, and a Common Resource (Global Clock).
PDBServer Service (Patient DB Resource, PDB): write_medical_history(); write_prescription(); get_medical_history(); get_diagnosis(); set_payment_mode();
UDBServer Service (University DB Resource, UDB): GetClasses(); PreReqCourse(); GetVacantClasses(); EnrollCourse(); AddCourse(); RemoveCourse(); UpdateCourse().]
ISSEA 2002-21
Security Prototype: Security Policy Client
ISSEA 2002-22
Security Prototype: Defining a Signature Constraint
ISSEA 2002-23
Security Prototype: Tracking Logins and Actions
ISSEA 2002-24
Security Prototype: Security Authorization Client
ISSEA 2002-25
Security Prototype: Tracking Methods of Resources
ISSEA 2002-26
Security Prototype: Global Clock Server for Timestamp
ISSEA 2002-27
Security Prototype: Client Authentication Upon Login
ISSEA 2002-28
Security Prototype: Registering Individual Method
ISSEA 2002-29
Security Prototype: Registering Methods for Resource
ISSEA 2002-30
Security Prototype: Confirmation of Registered Methods
ISSEA 2002-31
Security Prototype: Tracking Defined Resources
ISSEA 2002-32
Security Prototype: Administration of Roles
ISSEA 2002-33
Security Prototype: Creating User Role
ISSEA 2002-34
Security Prototype: Granting Resources to Roles
ISSEA 2002-35
Security Prototype: Reviewing Access of Resources to Roles
ISSEA 2002-36
Security Prototype: Granting Methods to Roles
ISSEA 2002-37
Security Prototype: Confirmation of Method to Role
ISSEA 2002-38
Security Prototype: Creating a User
ISSEA 2002-39
Security Prototype: Granting Roles to User
ISSEA 2002-40
Supporting Advanced Applications: Dynamic Coalition Problem
- A Crisis is Any Situation Requiring National or International Attention as Determined by the President of the United States or UN
- A Coalition is an Alliance of Organizations: Military, Civilian, International or any Combination
- A Dynamic Coalition is Formed in a Crisis and Changes as the Crisis Develops, with the Key Concern Being the Most Effective Way to Solve the Crisis
- The Dynamic Coalition Problem (DCP) is the Inherent Security, Resource, and/or Information Sharing Risks that Occur as a Result of the Coalition Being Formed Quickly
ISSEA 2002-41
Supporting Advanced Applications: Global Command And Control System
- GCCS is Used to Manage Activities in a Joint and Combined Environment
  - Joint Refers to More than One Branch: Army, Navy, Air Force, Marines, or Coast Guard
  - Combined Means More Than One Country
- GCCS Provides a Local Commander With Operational Awareness in Near Real-time Through an Integrated Set of Resources and Services
- GCCS Provides Information-Processing Support to Planning, Mobility, Sustainment, and Messaging by Bringing Together 20 Separate Automated Systems With Several Additions Planned
ISSEA 2002-42
Supporting Advanced Applications: GCCS Shortfalls
- Does Not Consider Multiple Roles for Users
- Does Not Place Time Limitations on Users
- Does Not Use Any Resource Constraints
- Is Not a Multi-level Secure System
- Is a U.S.-Only System
ISSEA 2002-43
Supporting Advanced Applications: DCP Objectives
- Federate Users Quickly and Dynamically
- Bring Together Resources Without Modification
- Dynamically Realize and Manage Simultaneous Crises
- Identify Users by their Roles to Finely Tune Access
- Authorize, Authenticate, and Enforce a Scalable Security Policy That is Flexible in Response to Coalition Needs
- Security Solution that is Portable, Extensible, and Redundant for Survivability
- Management and Introspection Capabilities to Track and Monitor System Behavior
ISSEA 2002-44
Concluding Remarks
- For a Distributed Resource Environment
  - Proposed & Explained a Constraint-Based Approach to Role Security
  - Authorize, Authenticate, and Enforce
- Presented a Software Architecture Containing
  - Constraint-Based Security Model for Role Security in a Distributed Resource Environment
  - An Enforcement Framework for Security with Registration, Authorization, and Policy Services
ISSEA 2002-45
Concluding Remarks
- Developed Prototype System
  - JINI and CORBA-Based Prototype for Role-Based Security Model that Allows Role Access
  - System is Flexible, Scalable and Redundant
  - System Uses Constraints to Realize Policy
- Presented Real-World Issues
  - Defined the Dynamic Coalition Problem
  - Discussed the Global Command and Control System and Its Shortcomings
  - Offered a Set of Objectives for Realization of Distributed Security in a Dynamic Setting
ISSEA 2002-46
Ongoing and Future Work
- Integrating Mandatory Access Controls
  - Currently Integrated into Security Prototype
  - Model Extended to Include Classifications
- Role Deconfliction and Mutual Exclusion
  - Preliminary Model Being Designed
  - Prototyping Planned in Near Future
- User Constraints
  - Extend to Include User Constraints
  - Prototyping Underway
- User Role Delegation Authority
  - Preliminary Model Designed
  - Prototyping Underway