
Page 1 (SECISS-1): Security Issues for Distributed Computing

CSE333
Prof. Steven A. Demurjian
Computer Science & Engineering Department
191 Auditorium Road, Box U-155
The University of Connecticut
Storrs, Connecticut 06269-3155
http://www.engr.uconn.edu/~steve
[email protected]

Page 2 (SECISS-2): Overview

- Background and Motivation
  - What are Key Distributed Security Issues?
  - What are Major/Underlying Security Concepts?
  - What are Available Security Approaches?
- Identifying Key Distributed Security Requirements
- Frame the Solution Approach
- Outline UConn Research Emphasis:
  - Secure Software Design (UML and AOSD)
  - Middleware-Based Realization (CORBA/JINI)
  - Information Exchange via XML

Page 3 (SECISS-3): Security for Distributed Applications

[Figure: Legacy, COTS and Database systems and Java clients connected over a network]

- How is Security Handled for Individual Systems?
- What about Distributed Security?
- Security Issues for New Clients? New Servers? Across Network?
- What if Security Never Available for Legacy/COTS/Database?
- Security Policy, Model, and Enforcement?

Page 4 (SECISS-4): Recall Dynamic Coalitions

- Crisis: Any Situation Requiring National or International Attention
- Coalition: Alliance of Organizations (Military, Civilian, International, or any Combination)
- Dynamic Coalition: Formed in a Crisis and Changes as the Crisis Develops; Key Concern Being the Most Effective Way to Solve the Crisis
- Dynamic Coalition Problem (DCP): Security, Resource, and Information Sharing Risks that Occur as a Result of the Coalition Being Formed

Page 5 (SECISS-5): DC for Military Deployment/Engagement

[Figure: Coalition participants: U.S.A (Army, Navy, Air Force, Marine Corps), NATO, U.N., NGO/PVO; national C2 systems LFCS (Canada), SICF (France), HEROS (Germany), SIACCON (Italy); U.S. Global C2 Systems: GCCS, GCCS-A, ABCS (Joint Command System, Army Battle Command System, Battle Management System, Combat Operations System) with subsystems FADD, AFATDS, MCS, ASAS, CSSCS, Other]

OBJECTIVES:
- Securely Leverage Information in a Fluid Environment
- Protect Information While Simultaneously Promoting the Coalition
- Security Infrastructure in Support of DCP

Page 6 (SECISS-6): DC for Medical Emergency

[Figure: Participants: Govt., Transportation, Military Medics, Local Health Care, CDC, Pharma. Companies, MDs w/o Borders, Red Cross, RNs, EMTs, MDs, State Health, Other]

ISSUES:
- Privacy vs. Availability in Medical Records
- Support Life-Threatening Situations via Availability of Patient Data on Demand

Page 7 (SECISS-7): Security Issues: Confidence in Security

- Assurance
  - Are the Security Privileges for Each User of DC Adequate (and Limited) to Support their Needs?
  - What Guarantees are Given by the Security Infrastructure of DC in Order to Attain:
    - Safety: Nothing Bad Happens During Execution
    - Liveness: All Good Things can Happen During Execution
- Consistency
  - Are the Defined Security Privileges for Each User Internally Consistent? Least-Privilege Principle
  - Are the Defined Security Privileges for Related Users Globally Consistent? Mutual-Exclusion
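The two consistency questions on this slide can be turned into static checks that run over a policy before it is deployed. The following is an added example, not code from the lecture or the UConn prototype: the roles, users, stated needs and the mutually exclusive role pair are all constructed for a hypothetical coalition application. The least-privilege check reports what a user holds beyond their stated needs (and what they need but lack); the mutual-exclusion check reports users assigned to both roles of an exclusive pair.

```python
"""Added example (not from the slides): static consistency checks on a role
policy: least privilege per user and mutual exclusion between related roles.
Every role, user, need and constraint below is constructed for illustration."""

# Constructed role -> permissions (method names) in a hypothetical DC application.
ROLES = {
    "FieldMedic": {"read_patient", "update_vitals"},
    "Dispatcher": {"read_patient", "assign_transport"},
    # Deliberately over-privileged: auditors should not be able to change vitals.
    "Auditor": {"read_patient", "read_audit_log", "update_vitals"},
}

# Constructed statement of what each user actually needs (from the task analysis).
USER_NEEDS = {
    "ann": {"read_patient", "update_vitals"},
    "bo": {"read_patient", "assign_transport"},
    "cy": {"read_patient", "read_audit_log"},
}

# Constructed role assignments; bo is deliberately given both exclusive roles.
USER_ROLES = {"ann": {"FieldMedic"}, "bo": {"Dispatcher", "Auditor"}, "cy": {"Auditor"}}

# Constructed mutual-exclusion constraint: auditing must be separated from dispatch.
MUTUALLY_EXCLUSIVE = [("Dispatcher", "Auditor")]


def effective_permissions(user):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for role in USER_ROLES[user]:
        perms |= ROLES[role]
    return perms


def least_privilege_violations():
    """Internal consistency: permissions held beyond the stated needs ('extra')
    and needs the user cannot satisfy ('missing'). Both are policy defects."""
    findings = {}
    for user, needs in USER_NEEDS.items():
        have = effective_permissions(user)
        extra, missing = have - needs, needs - have
        if extra or missing:
            findings[user] = {"extra": sorted(extra), "missing": sorted(missing)}
    return findings


def mutual_exclusion_violations():
    """Global consistency: no user may hold both roles of an exclusive pair."""
    findings = []
    for a, b in MUTUALLY_EXCLUSIVE:
        for user, roles in sorted(USER_ROLES.items()):
            if a in roles and b in roles:
                findings.append(f"user {user} holds both {a} and {b}")
    return findings


if __name__ == "__main__":
    print(least_privilege_violations())
    print(mutual_exclusion_violations())
```

Both checks are pure functions over the policy data, so they can be re-run every time a security officer edits role definitions or assignments; the findings for bo show how an exclusion violation and an over-privilege finding typically arrive together.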

Page 8 (SECISS-8): Security for Coalitions

- Dynamic Coalitions will play a Critical Role in Homeland Security during Crisis Situations
- Critical to Understand the Security Issues for Users and Systems of Dynamic Coalitions
- Multi-Faceted Approach to Security
  - Attaining Consistency and Assurance at Policy Definition and Enforcement
  - Capturing Security Requirements at Early Stages via UML Enhancements/Extensions
  - Providing a Security Infrastructure that Unifies RBAC and MAC for a Distributed Setting

Page 9 (SECISS-9): Four Categories of Questions

- Questions on Software Development Process
  - Security Integration with Software Design
  - Transition from Design to Development
- Questions on Information Access and Flow
  - User Privileges Key to Security Policy
  - Information for Users and Between Users
- Questions on Security Handlers and Processors
  - Manage/Enforce Runtime Security Policy
  - Coordination Across EC Nodes
- Questions on Needs of Legacy/COTS Appls.
  - Integrated, Interoperative Distributed Application will have New Apps., Legacy/COTS, Future COTS

Page 10 (SECISS-10): Software Development Process Questions

- What is the Challenge of Security for Software Design?
  - How do we Integrate Security with the Software Design Process?
  - What Types of Security Must be Available?
- How do we Integrate Security into OO/Component Based Design?
  - Integration into OO Design?
  - Integration into UML Design?
- What Guarantees Must be Available in the Process?
  - Assurance Guarantees re. Consistent Security Privileges?
  - Can we Support Security for Round-Trip and Reverse Engineering?

Page 11 (SECISS-11): Software Development Process Questions

- What Techniques are Available for Security Assurance and Analysis?
  - Can we Automatically Generate Formal Security Requirements?
  - Can we Analyze Requirements for Inconsistency and Transition Corrections Back to Design?
- How do we Handle the Transition from Design to Development?
- Can we Leverage Programming Language Approaches in Support of Security for Development?
  - Subject-Oriented Programming? Aspect-Oriented Programming? Other Techniques?

Page 12 (SECISS-12): Information Access and Flow Questions

- Who Can See What Information at What Time?
  - What Are the Security Requirements for Each User Against Individual Legacy/COTS Systems and for the Distributed Application?
- What Information Needs to Be Sent to Which Users at What Time?
  - What Information Should Be "Pushed" in an Automated Fashion to Different Users at Regular Intervals?

Page 13 (SECISS-13): Information Access and Flow Questions

- What Information Needs to Be Available to Which Users at What Time?
  - What Information Needs to Be "Pulled" On-Demand to Satisfy Different User Needs in Time-Critical Situations?
- How Are Changing User Requirements Addressed Within the Distributed Computing Application?
  - Are User Privileges Static for the Distributed Computing Application?
  - Can User Privileges Change Based on the "Context" and "State" of the Application?

Page 14 (SECISS-14): Security Handlers/Processing Questions

- What Security Techniques Are
  - Needed to Ensure That the Correct Information Is Sent to the Appropriate Users at the Right Time?
  - Necessary to Ensure That Exactly Enough Information and No More Is Available to Appropriate Users at Optimal Times?
  - Required to Allow As Much Information As Possible to Be Available on Demand to Authorized Users?

Page 15 (SECISS-15): Security Handlers/Processing Questions

- How Does the Design by Composition of a Distributed Computing Application Impact Both the Security and Delivery of Information?
  - Is the Composition of Its "Secure" Components Also Secure, Thereby Allowing the Delivery of Information?
- Can We Design Reusable Security Components That Can Be Composed on Demand to Support Dynamic Security Needs in a Distributed Setting?
- What Is the Impact of Legacy/COTS Applications on Delivering the Information?

Page 16 (SECISS-16): Security Handlers/Processing Questions

- How Does Distribution Affect Security Policy Definition and Enforcement?
- Are Security Handlers/Enforcement Mechanisms Centralized and/or Distributed to Support Multiple, Diverse Security Policies?
- Are There Customized Security Handlers/Enforcement Mechanisms at Different Levels of the Organizational Hierarchy?
  - Does the Organizational Hierarchy Dictate the Interactions of the Security Handlers for a Unified Enforcement Mechanism for the Entire Distributed System?

Page 17 (SECISS-17): Legacy/COTS Applications Questions

- When Legacy/COTS Appls. Are Placed Into a Distributed, Interoperable Environment:
  - At What Level, If Any, Is Secure Access Available?
  - Does the Application Require That Secure Access Be Addressed?
  - How Is Security Added If It Is Not Present? What Techniques Are Needed to Control Access to Legacy/COTS?
- What Is the Impact of New Programming Languages (Procedural, Object-Oriented, Etc.) and Paradigms?

Page 18 (SECISS-18): Focusing on MAC, DAC and RBAC

- For OO Systems/Applications, Focus on Potential Public Methods on All Classes
- Role-Based Approach:
  - Role Determines which Potential Public Methods are Available
  - Automatically Generate Mechanism to Enforce the Security Policy at Runtime
  - Allow Software Tools to Look-and-Feel Different Dynamically Based on Role
- Extend in Support of MAC (Method and Data Levels) and DAC (Delegation of Authority)
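To make the three mechanisms on this slide concrete, here is an added example (not the lecture's or the UConn prototype's code) of a security handler that mediates every call to the public methods of an application object: the role decides which methods are reachable (RBAC), each method carries a classification that the role's clearance must dominate (MAC at the method level), and a user may delegate a method they can invoke to another user, provided the recipient's clearance still dominates the method's level (DAC). The levels C < S < TS and the poll-topic names echo the slides; the PollTopics class, the role tables, the users and the delegation rule are constructed assumptions.

```python
"""Added example (not from the slides): a security handler mediating calls to
public methods with RBAC, method-level MAC and DAC delegation. The levels follow
the slides; the class, roles, users and the delegation rule are constructed."""

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}   # assumed linear ordering


class AccessDenied(Exception):
    """Raised when a call fails the RBAC, MAC or delegation checks."""


class PollTopics:
    """Constructed application object; each public method is an access point."""
    def __init__(self):
        self.state = {}

    def enter_topic(self, name):
        self.state[name] = "entered"
        return self.state[name]

    def activate_topic(self, name):
        self.state[name] = "active"
        return self.state[name]

    def enter_question(self, name, text):
        return f"{name}: {text}"


# MAC: classification of each public method.
METHOD_LEVEL = {"enter_topic": "S", "activate_topic": "TS", "enter_question": "C"}

# RBAC: methods each role may invoke, and the clearance the role carries.
ROLE_METHODS = {
    "JuniorOperator": {"enter_question"},
    "SeniorStaff": {"enter_question", "enter_topic"},
    "PollTopicAdmin": {"enter_topic", "activate_topic"},
    "Observer": set(),   # cleared to S but holds no method of its own
}
ROLE_CLEARANCE = {"JuniorOperator": "C", "SeniorStaff": "S",
                  "PollTopicAdmin": "TS", "Observer": "S"}


class SecurityHandler:
    """Only the handler is exposed to clients, so every call passes check()."""
    def __init__(self, target):
        self._target = target
        self._delegations = {}   # (grantee, method) -> grantor

    def check(self, user, role, method):
        allowed = method in ROLE_METHODS[role] or (user, method) in self._delegations
        if not allowed:
            raise AccessDenied(f"{user}/{role} has no right to {method}")
        # Simple security: the role's clearance must dominate the method's level.
        if LEVELS[ROLE_CLEARANCE[role]] < LEVELS[METHOD_LEVEL[method]]:
            raise AccessDenied(f"{role} clearance is below the level of {method}")

    def invoke(self, user, role, method, *args):
        self.check(user, role, method)
        return getattr(self._target, method)(*args)

    def delegate(self, grantor, grantor_role, grantee, grantee_role, method):
        """Assumed DAC rule: a grantor may delegate only what it can invoke itself,
        and the grantee's clearance must still dominate the method's level."""
        self.check(grantor, grantor_role, method)
        if LEVELS[ROLE_CLEARANCE[grantee_role]] < LEVELS[METHOD_LEVEL[method]]:
            raise AccessDenied(f"cannot delegate {method}: {grantee_role} clearance too low")
        self._delegations[(grantee, method)] = grantor
        return True


def outcome(fn, *args):
    """Run a handler call and report 'denied' instead of raising."""
    try:
        return fn(*args)
    except AccessDenied:
        return "denied"


def demo():
    sh = SecurityHandler(PollTopics())
    r = {}
    r["senior_enter_topic"] = outcome(sh.invoke, "bob", "SeniorStaff", "enter_topic", "budget")
    r["senior_activate"] = outcome(sh.invoke, "bob", "SeniorStaff", "activate_topic", "budget")
    r["admin_activate"] = outcome(sh.invoke, "ann", "PollTopicAdmin", "activate_topic", "budget")
    # DAC: bob passes enter_topic to dave (Observer, cleared to S) but not to cat (C).
    r["delegate_to_observer"] = outcome(sh.delegate, "bob", "SeniorStaff", "dave", "Observer", "enter_topic")
    r["observer_enter_topic"] = outcome(sh.invoke, "dave", "Observer", "enter_topic", "survey")
    r["delegate_to_junior"] = outcome(sh.delegate, "bob", "SeniorStaff", "cat", "JuniorOperator", "enter_topic")
    r["junior_enter_question"] = outcome(sh.invoke, "cat", "JuniorOperator", "enter_question", "budget", "Q1")
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The handler keeps the policy tables separate from the application class, which is what lets the enforcement mechanism be generated from a policy rather than hand-written into each method; the delegation table is the only mutable policy state, and it is bounded by the MAC check so delegation can never be used to reach a method above the recipient's clearance.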

Page 19 (SECISS-19): Legacy/COTS Applications

- Interoperability of Legacy/COTS in a Distributed Environment
- Security Issues in an Interoperative, Distributed Environment
  - Can MAC/DAC/RBAC be Exploited?
  - How are OO Legacy/COTS Handled?
  - How are Non-OO Legacy/COTS Handled?
  - How are New Java/C++ Appls. Incorporated?
  - Can Java Security Capabilities be Utilized?
  - What Does CORBA/ORBs have to Offer?
  - What about other Middleware (e.g. JINI)?
- Explore Some Preliminary Ideas on Select Issues

Page 20 (SECISS-20): A Distributed Security Framework

- What is Needed for the Definition and Realization of Security for a Distributed Application?
- How can we Dynamically Construct and Maintain Security for a Distributed Application?
  - Application Requirements Change Over Time
  - Seamless Transition for Changes
  - Transparency from both User and Distributed Application Perspectives
- Support MAC, RBAC and DAC (Delegation)
- Cradle to Grave Approach
  - Earliest Stages (UML) to Programming (Aspects)
  - Information Exchange (XML)
  - Middleware Environments - Inter-operating Artifacts and Clients

Page 21 (SECISS-21): A Distributed Security Framework

- Distributed Security Policy Definition, Planning, and Management
  - Integrated with Software Development: Design (UML) and Programming (Aspects)
  - Include Documents of Exchange (XML)
- Formal Security Model with Components
  - Formal Realization of Security Policy
  - Identifiable "Security" Components
- Security Handlers & Enforcement Mechanism
  - Run-time Techniques and Processes
  - Allows Dynamic Changes to Policy to be Made Seamlessly and Transparently

Page 22 (SECISS-22): Distributed Security Policy

[Figure: Java Clients, a Legacy Client, a DB Client and a COTS Client interact with servers, each paired with a Security Handler (L + SH, CO + SH, DB + SH, Server + SH). Above them sit the Formal Security Model, the Security Components and the Enforcement Mechanism (a Collection of SHs), with their Interactions and Dependencies.]

L: Legacy, CO: COTS, DB: Database, SH: Security Handler

Page 23 (SECISS-23): Policy Definition, Planning, Management

- Interplay of Security Requirements, Security Officers, Users, Components and the Overall System
- Minimal Effort in a Distributed Setting - CORBA Has Services for Confidentiality, Integrity, Accountability, and Availability
  - But No Cohesive CORBA Service Ties Them with Authorization, Authentication, and Privacy
- Difficult to Accomplish in a Distributed Setting
  - Must Understand All Constituent Systems
  - Interplay of Stakeholders, Users, Sec. Officers

Page 24 (SECISS-24): Three-Pronged Security Emphasis

[Figure: three prongs meeting at Assurance]
- Secure Software Design via UML with MAC/RBAC
- Secure Information Exchange via XML with MAC/RBAC
- Secure MAC/RBAC Interactions via Middleware in a Distributed Setting
- Assurance: MAC Properties (Simple Integrity, Simple Security, etc.), Safety, Liveness

Page 25 (SECISS-25): Secure Software Design - T. Doan

[Figure: flow from UML model to formal policy to generated security model]
- UML Model with Security: Capture all Security Requirements!
  - Extending UML for the Design and Definition of Security Requirements
  - Address Security in Use-Case Diagrams, Class Diagrams, Sequence Diagrams, etc.
- Formal Security Policy Definition using an Existing Approach (Logic Based Policy Language)
  - Iterate, Revise
  - Bi-Directional Translation: Prove that all Security Definitions in UML are Captured in the Logic-Based Policy Language, and vice-versa
- Security Model Generation: RBAC99 (GMU), RBAC/MAC (UConn), Oracle Security
  - Must Prove that Generation Captures all Security Requirements
- Other Possibilities: Reverse Engineer an Existing Policy to a Logic Based Definition

Page 26 (SECISS-26): RBAC/MAC at Design Level

[Figure: use-case diagram of the Poll Topic Archived System with <<include>> and <<extend>> relationships]
- Actors (with clearance): Junior Operator - C; Senior Staff - S; Poll Topic Admin - TS; Supervisor - TS
- Use Cases (with classification): Enter Poll Topic - S; Activate Poll Topic - TS; Deactivate Poll Topic - TS; Enter Question - C; Verify Topic - S; Enter Ordinary Question - C; Enter Special Question - S; Categorize Question - C; Enter Category - S

- Security as a First Class Citizen in the Design Process
- Use Cases and Actors (Roles) Marked with Security Levels
- Dynamic Assurance Checks to Ensure that Connections Do Not Violate MAC Rules
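The "dynamic assurance checks" on this slide can be written as a small design-time checker over the diagram data. The following is an added example, not the authors' tooling: the actor clearances and use-case classifications are the ones printed on the slide, but the actor-to-use-case associations and the endpoints of the <<include>> and <<extend>> arrows are assumptions (the transcript does not say which arrow joins which pair), and the two relationship rules are assumed rules stated in the docstrings, chosen to agree with the levels the slide assigns; substitute the project's own rules where they differ. One deliberately wrong edge of each kind is included so that each check reports something.

```python
"""Added example (not from the slides): MAC assurance checks over a use-case
diagram. Levels of actors and use cases are from the slide; associations,
include/extend endpoints and the relationship rules are assumptions."""

LEVELS = {"C": 1, "S": 2, "TS": 3}

ACTORS = {"JuniorOperator": "C", "SeniorStaff": "S",
          "PollTopicAdmin": "TS", "Supervisor": "TS"}
USE_CASES = {
    "EnterPollTopic": "S", "ActivatePollTopic": "TS", "DeactivatePollTopic": "TS",
    "EnterQuestion": "C", "VerifyTopic": "S", "EnterOrdinaryQuestion": "C",
    "EnterSpecialQuestion": "S", "CategorizeQuestion": "C", "EnterCategory": "S",
}

# Assumed actor associations; the last one is a deliberate violation.
ASSOCIATIONS = [
    ("JuniorOperator", "EnterQuestion"),
    ("SeniorStaff", "EnterPollTopic"),
    ("SeniorStaff", "VerifyTopic"),
    ("PollTopicAdmin", "ActivatePollTopic"),
    ("PollTopicAdmin", "DeactivatePollTopic"),
    ("Supervisor", "EnterCategory"),
    ("JuniorOperator", "EnterSpecialQuestion"),
]
# Assumed <<include>> arrows as (base, included); the last one is a deliberate violation.
INCLUDES = [
    ("EnterQuestion", "CategorizeQuestion"),
    ("EnterPollTopic", "VerifyTopic"),
    ("EnterSpecialQuestion", "EnterCategory"),
    ("VerifyTopic", "ActivatePollTopic"),
]
# Assumed <<extend>> arrows as (extension, base); the last one is a deliberate violation.
EXTENDS = [
    ("EnterOrdinaryQuestion", "EnterQuestion"),
    ("EnterSpecialQuestion", "EnterQuestion"),
    ("EnterOrdinaryQuestion", "EnterSpecialQuestion"),
]


def dominates(higher, lower):
    return LEVELS[higher] >= LEVELS[lower]


def check_associations():
    """Simple security: an actor may be connected only to use cases whose
    classification is at or below the actor's clearance."""
    return [f"{actor}({ACTORS[actor]}) -> {uc}({USE_CASES[uc]})"
            for actor, uc in ASSOCIATIONS
            if not dominates(ACTORS[actor], USE_CASES[uc])]


def check_includes():
    """Assumed rule: the base always executes the included use case, so the
    base must be classified at least as high as what it includes; otherwise an
    actor cleared only for the base would reach the included behaviour."""
    return [f"{base}({USE_CASES[base]}) includes {inc}({USE_CASES[inc]})"
            for base, inc in INCLUDES
            if not dominates(USE_CASES[base], USE_CASES[inc])]


def check_extends():
    """Assumed rule: an extension adds optional behaviour to its base and must be
    classified at least as high as the base, so it never exposes a lower-level
    path into the base's behaviour."""
    return [f"{ext}({USE_CASES[ext]}) extends {base}({USE_CASES[base]})"
            for ext, base in EXTENDS
            if not dominates(USE_CASES[ext], USE_CASES[base])]


def report():
    findings = {"associations": check_associations(),
                "includes": check_includes(),
                "extends": check_extends()}
    findings["ok"] = not any(findings[k] for k in ("associations", "includes", "extends"))
    return findings


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

Because the checker only reads the diagram's levels and edges, it can be re-run on every edit of the model, which is the sense in which the slide calls the checks dynamic.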

Page 27 (SECISS-27): Secure Software Design - J. Pavlich

- What are Aspects?
  - System Properties that Apply Across an Entire Application
  - Samples: Security, Performance, etc.
- What is Aspect Oriented Programming?
  - Separation of Components and Aspects from One Another with Mechanisms to Support Abstraction and Composition for System Design
- What is Aspect Oriented Software Design?
  - Focus on Identifying Components, Aspects, Compositions, etc.
  - Emphasis on Design Process and Decisions

Page 28 (SECISS-28): Aspects for Security in UML

- Consider the Class Diagram below that Captures Courses, Documents, and Grade Records
  - What are Possible Roles?
  - How can we Define Limitations of a Role Against Classes?

[Class diagram not reproduced in the transcript]

Page 29 (SECISS-29): A Role-Slice for Professors

[Diagram not reproduced in the transcript]

Page 30 (SECISS-30): A Role-Slice for Students

[Diagram not reproduced in the transcript]
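Slides 27 to 30 describe security as an aspect woven onto ordinary classes, with a role slice per role saying which public methods of each class remain visible. The following added example (not the authors' code; the course/document/grade class diagram and the two slices on the slides are not in the transcript, so the classes, the Professor and Student slices, the own-record constraint and the Session object are all constructed) shows the idea in Python: the classes carry no security code, and a single class decorator weaves the slice check onto every public method.

```python
"""Added example (not from the slides): role slices for Course and Document
classes woven in as a cross-cutting security aspect. Classes, slices, the
own-record constraint and the session object are constructed."""
import functools


class AccessDenied(Exception):
    """Raised when the current role's slice does not expose the called method."""


class Session:
    """Constructed holder for the current principal; a real system would take
    it from the middleware's authenticated session."""
    role = None
    user = None


def own_record(course, student):
    """Data-level constraint: a student may only look at their own grade."""
    return student == Session.user


# Role slices: per role, per class, the public methods that stay visible, each
# with an optional extra predicate over the call's arguments (None = no constraint).
ROLE_SLICES = {
    "Professor": {
        "Course": {"add_document": None, "list_documents": None,
                   "record_grade": None, "view_grade": None},
        "Document": {"read": None, "edit": None},
    },
    "Student": {
        "Course": {"list_documents": None, "view_grade": own_record},
        "Document": {"read": None},
    },
}


def secure(cls):
    """The aspect: wrap every public method of cls so it consults the current
    role's slice before running. The class body itself stays security-free."""
    for name, attr in list(vars(cls).items()):
        if name.startswith("_") or not callable(attr):
            continue

        def make(method_name, fn):
            @functools.wraps(fn)
            def guarded(self, *args, **kwargs):
                allowed = ROLE_SLICES.get(Session.role, {}).get(cls.__name__, {})
                if method_name not in allowed:
                    raise AccessDenied(f"{Session.role} may not call {cls.__name__}.{method_name}")
                predicate = allowed[method_name]
                if predicate is not None and not predicate(self, *args, **kwargs):
                    raise AccessDenied(f"{Session.role} blocked by constraint on {method_name}")
                return fn(self, *args, **kwargs)
            return guarded

        setattr(cls, name, make(name, attr))
    return cls


@secure
class Course:
    def __init__(self, title):
        self.title, self.documents, self.grades = title, [], {}

    def add_document(self, doc):
        self.documents.append(doc)
        return len(self.documents)

    def list_documents(self):
        return [d.name for d in self.documents]

    def record_grade(self, student, grade):
        self.grades[student] = grade
        return grade

    def view_grade(self, student):
        return self.grades.get(student)


@secure
class Document:
    def __init__(self, name, body):
        self.name, self.body = name, body

    def read(self):
        return self.body

    def edit(self, body):
        self.body = body
        return True


def attempt(fn, *args):
    try:
        return fn(*args)
    except AccessDenied:
        return "denied"


def demo():
    course, syllabus = Course("CSE333"), Document("syllabus", "week 1 reading")
    Session.role, Session.user = "Professor", "prof"
    course.add_document(syllabus)
    course.record_grade("sam", "A")
    Session.role, Session.user = "Student", "sam"
    return {
        "student_lists": course.list_documents(),
        "student_reads": syllabus.read(),
        "student_own_grade": course.view_grade("sam"),
        "student_other_grade": attempt(course.view_grade, "pat"),
        "student_edits": attempt(syllabus.edit, "changed"),
        "student_records": attempt(course.record_grade, "sam", "A+"),
    }
```

Changing a role's view of the system means editing ROLE_SLICES only; the decorator re-weaves the same check onto any new class, which is the separation of component and aspect the slides ask for.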

Page 31 (SECISS-31): Middleware-Based Security - C. Phillips

[Figure: Legacy, COTS, GOTS and Database artifacts and Java, Legacy, Database and COTS clients connected over a network]

- Artifacts: DB, Legacy, COTS, GOTS, with APIs
- New/Existing Clients use APIs
- Can we Control Access to APIs (Methods) by …
  - Role (who), Classification (MAC), Time (when), Data (what), Delegation

[Figure: Unified Security Resource (USR) offering Security Registration Services, Security Policy Services and Security Authorization Services, used by the Security Authorization Client (SAC), Security Policy Client (SPC), Security Delegation Client (SDC) and Security Analysis and Tracking (SAT)]

- Working Prototype Available using CORBA, JINI, Java, Oracle

Page 32 (SECISS-32): Process-Oriented View

[Figure: Unified RBAC/MAC Security Model; RBAC/MAC Enforcement Framework; Security Middleware; Security Administrative and Management Tools; Security Policy Definition; Design Time Security Assurance; Run Time Security Assurance; Analyses of RBAC/MAC Model/Framework Against SSE-CMM; Evaluation of RBAC/MAC Model Using DCP]

Page 33 (SECISS-33): Security for XML Documents

- Emergence of XML for Document/Information Exchange
- Extend RBAC/MAC to XML
  - Collection of Security DTDs: DTDs for Roles, Users, and Constraints Capture RBAC and MAC
  - Apply Security DTDs to XML Documents
  - Result: Each XML Document Appears Differently Based on Role, MAC, Time, Value
  - Security DTD Filters Document
- Ongoing: H. Wang, C. Ju, C. Slamka, and J. Boysen

[Figure: Security DTDs (Role DTD, User DTD, Constraint DTD) and Application DTDs; the Security Officer Generates the Security XML Files for the Application (Appl_Role.xml, Appl_User.xml, Appl_Constraint.xml); together with the Application DTDs and XML, the User's Role Determines the Scope of Access to Each XML Document]
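The filtering step on this slide, where the same document appears differently by role, MAC level, time and value, is shown below as an added example that is not the authors' code. The slides name Appl_Role.xml and Appl_Constraint.xml but do not show their contents, so the element names in the two security files, the attribute names (clearance, level, from/to, equals), and the sample patient-records document are all constructed; the filter prunes every subtree the current role may not see and returns an outline of what remains.

```python
"""Added example (not from the slides): filter an application XML document by
role, MAC level, time window and attribute value, in the spirit of the security
DTDs on this slide. The security files, the document and the attribute names
are constructed stand-ins for Appl_Role.xml and Appl_Constraint.xml."""
import xml.etree.ElementTree as ET

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}   # assumed linear ordering

# Constructed stand-in for Appl_Role.xml: clearance and visible element types per role.
ROLE_XML = """<roles>
  <role name="Nurse" clearance="C">
    <allow element="patient"/><allow element="vitals"/>
  </role>
  <role name="Physician" clearance="S">
    <allow element="patient"/><allow element="vitals"/><allow element="diagnosis"/>
  </role>
</roles>"""

# Constructed stand-in for Appl_Constraint.xml: a time window and a value constraint.
CONSTRAINT_XML = """<constraints>
  <time role="Nurse" element="vitals" from="7" to="19"/>
  <value role="Nurse" element="patient" attribute="ward" equals="ICU"/>
</constraints>"""

# Constructed application document; each element carries its own MAC level.
DOCUMENT_XML = """<records>
  <patient id="p1" ward="ICU" level="C">
    <vitals level="C">bp 120/80</vitals>
    <diagnosis level="S">pneumonia</diagnosis>
  </patient>
  <patient id="p2" ward="ER" level="C">
    <vitals level="C">bp 140/90</vitals>
    <diagnosis level="TS">restricted</diagnosis>
  </patient>
</records>"""


def load_roles(xml_text):
    roles = {}
    for r in ET.fromstring(xml_text).findall("role"):
        roles[r.get("name")] = {"clearance": r.get("clearance"),
                                "allow": {a.get("element") for a in r.findall("allow")}}
    return roles


def load_constraints(xml_text):
    return [(c.tag, dict(c.attrib)) for c in ET.fromstring(xml_text)]


def permitted(elem, role_name, roles, constraints, hour):
    """True if the element survives the role, MAC, time and value filters."""
    role = roles[role_name]
    if elem.tag not in role["allow"]:
        return False
    if LEVELS[role["clearance"]] < LEVELS[elem.get("level", "U")]:
        return False   # simple security: never show an element above the clearance
    for kind, c in constraints:
        if c["role"] != role_name or c["element"] != elem.tag:
            continue
        if kind == "time" and not int(c["from"]) <= hour < int(c["to"]):
            return False
        if kind == "value" and elem.get(c["attribute"]) != c["equals"]:
            return False
    return True


def filter_document(xml_text, role_name, hour, roles, constraints):
    """Return a copy of the document with every non-permitted subtree removed."""
    root = ET.fromstring(xml_text)

    def prune(parent):
        for child in list(parent):
            if permitted(child, role_name, roles, constraints, hour):
                prune(child)
            else:
                parent.remove(child)

    prune(root)
    return root


def outline(root):
    """Flatten the visible tree to 'id/tag' paths for easy comparison."""
    paths = []

    def walk(node, prefix):
        for child in node:
            path = f"{prefix}/{child.get('id') or child.tag}" if prefix else (child.get("id") or child.tag)
            paths.append(path)
            walk(child, path)

    walk(root, "")
    return paths


def view(role_name, hour):
    """What a user holding role_name sees of the document at the given hour."""
    roles, constraints = load_roles(ROLE_XML), load_constraints(CONSTRAINT_XML)
    return outline(filter_document(DOCUMENT_XML, role_name, hour, roles, constraints))


if __name__ == "__main__":
    print(view("Nurse", 10), view("Nurse", 22), view("Physician", 22))
```

Pruning a subtree as soon as its root fails a check is what makes the value constraint effective: a nurse limited to the ICU ward never receives any child of a non-ICU patient, not just the patient element itself.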

Page 34 (SECISS-34): Concluding Remarks

- Objective is for Everyone to Think about the Range, Scope, and Impact of Security
- Question-Based Approach Intended to Frame the Discussion
- Proposed Solution for a Distributed Environment
- Current UConn Foci
  - Secure Software Design
  - Middleware Realization
  - XML Document Customization
- Consider These and Other Issues for DCP