SECISS-1: Security Issues for Distributed Computing
CSE333
Prof. Steven A. Demurjian
Computer Science & Engineering Department
191 Auditorium Road, Box U-155
The University of Connecticut
Storrs, Connecticut 06269-3155
http://www.engr.uconn.edu/
[email protected]
SECISS-2: Overview

- Background and Motivation
  - What are Key Distributed Security Issues?
  - What are Major/Underlying Security Concepts?
  - What are Available Security Approaches?
- Identifying Key Distributed Security Requirements
- Frame the Solution Approach
- Outline UConn Research Emphasis:
  - Secure Software Design (UML and AOSD)
  - Middleware-Based Realization (CORBA/JINI)
  - Information Exchange via XML
SECISS-3: Security for Distributed Applications

[Figure: Legacy, COTS and Database servers and Java clients connected over a NETWORK]

- How is Security Handled for Individual Systems?
- What about Distributed Security?
- Security Issues for New Clients? New Servers? Across the Network?
- What if Security is Never Available for Legacy/COTS/Database?
- Security Policy, Model, and Enforcement?
SECISS-4: Recall Dynamic Coalitions

- Crisis: Any Situation Requiring National or International Attention
- Coalition: Alliance of Organizations, whether Military, Civilian, International or any Combination
- Dynamic Coalition: Formed in a Crisis and Changes as the Crisis Develops; Key Concern Being the Most Effective Way to Solve the Crisis
- Dynamic Coalition Problem (DCP): Security, Resource, and Information Sharing Risks that Occur as a Result of the Coalition Being Formed
SECISS-5: DC for Military Deployment/Engagement

[Figure: coalition participants (U.N., U.S.A, NGO/PVO, NATO) around the U.S. Global C2 Systems of the Army, Navy, Air Force and Marine Corps: GCCS (Joint Command System), GCCS-A, ABCS (Army Battle Command System), MCS, ASAS, CSSCS, FADD, AFATDS and other Battle Management and Combat Operations Systems, alongside the allied systems LFCS (Canada), SICF (France), HEROS (Germany) and SIACCON (Italy)]

OBJECTIVES:
- Securely Leverage Information in a Fluid Environment
- Protect Information While Simultaneously Promoting the Coalition
- Security Infrastructure in Support of the DCP
SECISS-6: DC for Medical Emergency

[Figure: participants in a medical-emergency coalition: Govt., Transportation, Military, Medics, Local Health Care, CDC, Pharma. Companies, Govt. MDs, MDs w/o Borders, Red Cross, RNs, EMTs, MDs, State Health, Other]

ISSUES:
- Privacy vs. Availability in Medical Records
- Support Life-Threatening Situations via Availability of Patient Data on Demand
SECISS-7: Security Issues: Confidence in Security

- Assurance
  - Are the Security Privileges for Each User of the DC Adequate (and Limited) to Support their Needs?
  - What Guarantees are Given by the Security Infrastructure of the DC in Order to Attain:
    - Safety: Nothing Bad Happens During Execution
    - Liveness: All Good Things can Happen During Execution
- Consistency
  - Are the Defined Security Privileges for Each User Internally Consistent? (Least-Privilege Principle)
  - Are the Defined Security Privileges for Related Users Globally Consistent? (Mutual Exclusion)
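The two consistency questions above can be answered mechanically against a policy before anything is deployed. The following Python is an added example, not code from the slides or from the UConn prototype: it takes a constructed role-to-privilege table, the privileges each role's tasks actually need, a constructed list of mutually exclusive role pairs and a user-to-role assignment, and reports least-privilege excess (internal consistency of one role), mutual-exclusion violations (global consistency across users), and exclusive roles that nonetheless share a privilege. All role names, method names and assignments are constructed for illustration.

```python
"""Static consistency checks on an RBAC policy: least privilege and mutual exclusion.

Added example; the policy data below is constructed for illustration and is not
taken from the slides or the UConn prototype.
"""

# Constructed: privileges (public methods) each role is granted.
ROLE_PERMS = {
    "JuniorOperator": {"enter_question", "categorize_question", "activate_topic"},
    "SeniorStaff": {"enter_topic", "verify_topic", "enter_category"},
    "TopicAdmin": {"activate_topic", "deactivate_topic"},
}

# Constructed: privileges the tasks of each role actually require.
ROLE_NEEDS = {
    "JuniorOperator": {"enter_question", "categorize_question"},
    "SeniorStaff": {"enter_topic", "verify_topic", "enter_category"},
    "TopicAdmin": {"activate_topic", "deactivate_topic"},
}

# Constructed: role pairs one user must never hold together (separation of duty).
MUTUALLY_EXCLUSIVE = [("SeniorStaff", "TopicAdmin"), ("JuniorOperator", "TopicAdmin")]

# Constructed user-to-role assignment.
USER_ROLES = {
    "alice": {"JuniorOperator"},
    "bob": {"SeniorStaff", "TopicAdmin"},
    "carol": {"TopicAdmin"},
}


def excess_privileges(role_perms, role_needs):
    """Least privilege (internal consistency): privileges a role holds beyond what
    its tasks need. Returns {role: excess_set} for every role with excess."""
    result = {}
    for role, perms in role_perms.items():
        excess = perms - role_needs.get(role, set())
        if excess:
            result[role] = excess
    return result


def exclusion_violations(user_roles, exclusive_pairs):
    """Mutual exclusion (global consistency): users assigned both roles of a pair."""
    return sorted((user, a, b)
                  for user, roles in user_roles.items()
                  for a, b in exclusive_pairs
                  if a in roles and b in roles)


def shared_privileges(role_perms, exclusive_pairs):
    """Exclusive roles that grant the same privilege: the separation is then only
    nominal, because either role alone already yields the shared method."""
    return {(a, b): role_perms[a] & role_perms[b]
            for a, b in exclusive_pairs
            if role_perms[a] & role_perms[b]}


def effective_privileges(user, user_roles=USER_ROLES, role_perms=ROLE_PERMS):
    """Union of privileges a user obtains through every assigned role."""
    return set().union(*(role_perms[r] for r in user_roles.get(user, set())))


def check_policy(role_perms=ROLE_PERMS, role_needs=ROLE_NEEDS,
                 user_roles=USER_ROLES, exclusive_pairs=MUTUALLY_EXCLUSIVE):
    """Run all checks; an all-empty report means the policy is consistent."""
    return {
        "excess": excess_privileges(role_perms, role_needs),
        "exclusion": exclusion_violations(user_roles, exclusive_pairs),
        "shared": shared_privileges(role_perms, exclusive_pairs),
    }


if __name__ == "__main__":
    for name, finding in check_policy().items():
        print(f"{name}: {finding}")
```

On the constructed data the report flags JuniorOperator holding activate_topic it does not need, bob holding two roles declared exclusive, and activate_topic being reachable from both sides of an exclusive pair; each is a policy-definition defect that a runtime enforcement mechanism alone would never surface.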
SECISS-8: Security for Coalitions

- Dynamic Coalitions will play a Critical Role in Homeland Security during Crisis Situations
- Critical to Understand the Security Issues for Users and Systems of Dynamic Coalitions
- Multi-Faceted Approach to Security
  - Attaining Consistency and Assurance at Policy Definition and Enforcement
  - Capturing Security Requirements at Early Stages via UML Enhancements/Extensions
  - Providing a Security Infrastructure that Unifies RBAC and MAC for the Distributed Setting
SECISS-9: Four Categories of Questions

- Questions on Software Development Process
  - Security Integration with Software Design
  - Transition from Design to Development
- Questions on Information Access and Flow
  - User Privileges Key to Security Policy
  - Information for Users and Between Users
- Questions on Security Handlers and Processors
  - Manage/Enforce Runtime Security Policy
  - Coordination Across EC Nodes
- Questions on Needs of Legacy/COTS Applications
  - An Integrated, Interoperable Distributed Application will have New Apps., Legacy/COTS, Future COTS
SECISS-10: Software Development Process Questions

- What is the Challenge of Security for Software Design?
  - How do we Integrate Security with the Software Design Process?
  - What Types of Security Must be Available?
- How do we Integrate Security into OO/Component-Based Design?
  - Integration into OO Design? Integration into UML Design?
- What Guarantees Must be Available in the Process?
  - Assurance Guarantees re. Consistent Security Privileges?
  - Can we Support Security for Round-Trip and Reverse Engineering?
SECISS-11: Software Development Process Questions

- What Techniques are Available for Security Assurance and Analysis?
  - Can we Automatically Generate Formal Security Requirements?
  - Can we Analyze Requirements for Inconsistency and Transition Corrections Back to Design?
- How do we Handle the Transition from Design to Development?
- Can we Leverage Programming Language Approaches in Support of Security for Development?
  - Subject-Oriented Programming? Aspect-Oriented Programming? Other Techniques?
SECISS-12: Information Access and Flow Questions

- Who Can See What Information at What Time?
  - What Are the Security Requirements for Each User Against Individual Legacy/COTS Systems and for the Distributed Application?
- What Information Needs to Be Sent to Which Users at What Time?
  - What Information Should Be "Pushed" in an Automated Fashion to Different Users at Regular Intervals?
SECISS-13: Information Access and Flow Questions

- What Information Needs to Be Available to Which Users at What Time?
  - What Information Needs to Be "Pulled" On-Demand to Satisfy Different User Needs in Time-Critical Situations?
- How Are Changing User Requirements Addressed Within the Distributed Computing Application?
  - Are User Privileges Static for the Distributed Computing Application?
  - Can User Privileges Change Based on the "Context" and "State" of the Application?
SECISS-14: Security Handlers/Processing Questions

- What Security Techniques Are
  - Needed to Ensure That the Correct Information Is Sent to the Appropriate Users at the Right Time?
  - Necessary to Ensure That Exactly Enough Information and No More Is Available to Appropriate Users at Optimal Times?
  - Required to Allow As Much Information As Possible to Be Available on Demand to Authorized Users?
SECISS-15: Security Handlers/Processing Questions

- How Does the Design by Composition of a Distributed Computing Application Impact Both the Security and Delivery of Information?
  - Is the Composition of Its "Secure" Components Also Secure, Thereby Allowing the Delivery of Information?
- Can We Design Reusable Security Components That Can Be Composed on Demand to Support Dynamic Security Needs in a Distributed Setting?
- What Is the Impact of Legacy/COTS Applications on Delivering the Information?
SECISS-16: Security Handlers/Processing Questions

- How Does Distribution Affect Security Policy Definition and Enforcement?
- Are Security Handlers/Enforcement Mechanisms Centralized and/or Distributed to Support Multiple, Diverse Security Policies?
- Are There Customized Security Handlers/Enforcement Mechanisms at Different Levels of the Organizational Hierarchy?
  - Does the Organizational Hierarchy Dictate the Interactions of the Security Handlers for a Unified Enforcement Mechanism for the Entire Distributed System?
SECISS-17: Legacy/COTS Applications Questions

- When Legacy/COTS Applications Are Placed Into a Distributed, Interoperable Environment:
  - At What Level, If Any, Is Secure Access Available?
  - Does the Application Require That Secure Access Be Addressed?
  - How Is Security Added If It Is Not Present? What Techniques Are Needed to Control Access to Legacy/COTS?
- What Is the Impact of New Programming Languages (Procedural, Object-Oriented, Etc.) and Paradigms?
SECISS-18: Focusing on MAC, DAC and RBAC

- For OO Systems/Applications, Focus on the Potential Public Methods of All Classes
- Role-Based Approach:
  - Role Determines which Potential Public Methods are Available
  - Automatically Generate a Mechanism to Enforce the Security Policy at Runtime
  - Allow Software Tools to Look-and-Feel Different Dynamically Based on Role
- Extend in Support of MAC (Method and Data Levels) and DAC (Delegation of Authority)
SECISS-19: Legacy/COTS Applications

- Interoperability of Legacy/COTS in a Distributed Environment
- Security Issues in an Interoperable, Distributed Environment
  - Can MAC/DAC/RBAC be Exploited?
  - How are OO Legacy/COTS Handled?
  - How are Non-OO Legacy/COTS Handled?
  - How are New Java/C++ Applications Incorporated?
  - Can Java Security Capabilities be Utilized?
  - What Does CORBA/ORBs have to Offer?
  - What about other Middleware (e.g. JINI)?
- Explore Some Preliminary Ideas on Select Issues
SECISS-20: A Distributed Security Framework

- What is Needed for the Definition and Realization of Security for a Distributed Application?
- How can we Dynamically Construct and Maintain Security for a Distributed Application?
  - Application Requirements Change Over Time
  - Seamless Transition for Changes
  - Transparency from both User and Distributed Application Perspectives
- Support MAC, RBAC and DAC (Delegation)
- Cradle-to-Grave Approach
  - Earliest Stages (UML) to Programming (Aspects)
  - Information Exchange (XML)
  - Middleware Environments - Inter-operating Artifacts and Clients
SECISS-21: A Distributed Security Framework

- Distributed Security Policy Definition, Planning, and Management
  - Integrated with Software Development: Design (UML) and Programming (Aspects)
  - Include Documents of Exchange (XML)
- Formal Security Model with Components
  - Formal Realization of the Security Policy
  - Identifiable "Security" Components
- Security Handlers & Enforcement Mechanism
  - Run-time Techniques and Processes
  - Allows Dynamic Changes to Policy to be Made Seamlessly and Transparently
SECISS-22: Distributed Security Policy

[Figure: Java, Legacy, Database and COTS clients connected to Legacy (L + SH), COTS (CO + SH), Database (DB + SH) and Server (Server + SH) nodes, each paired with its own Security Handler; beneath them the Formal Security Model, the Security Components and the Enforcement Mechanism realized as the Collection of SHs, with their Interactions and Dependencies. L: Legacy, CO: COTS, DB: Database, SH: Security Handler]
SECISS-23: Policy Definition, Planning, Management

- Interplay of Security Requirements, Security Officers, Users, Components and the Overall System
- Minimal Effort in the Distributed Setting - CORBA Has Services for Confidentiality, Integrity, Accountability, and Availability
  - But No Cohesive CORBA Service Ties Them Together with Authorization, Authentication, and Privacy
- Difficult to Accomplish in a Distributed Setting
  - Must Understand All Constituent Systems
  - Interplay of Stakeholders, Users, Security Officers
SECISS-24: Three-Pronged Security Emphasis

- Secure Software Design via UML with MAC/RBAC
- Secure Information Exchange via XML with MAC/RBAC
- Secure MAC/RBAC Interactions via Middleware in a Distributed Setting
- Assurance: MAC Properties (Simple Integrity, Simple Security, etc.), Safety, Liveness
SECISS-25
CSE333
Other Possibilities: Reverse Engineer Existing Policy to
Logic Based DefinitionUML Model with Security
Capture all Security Requirements!
Extending UML for the Designand Definition of Security Requirements
Address Security in Use-Case Diagrams, Class Diagrams, Seqiemce Diagrams, etc.
Formal Security Policy Definition usingExisting Approach (Logic Based Policy Language)
Iterate, Revise
Bi-Directional Translation - Prove thatall UML Security Definitions in UML in Logic-Based Policy Language and vice-versa
Security Model Generation
RBAC99GMU
RBAC/MACUConn
OracleSecurity
Must Prove GenerationCaptures all Security
Requirements
Secure Software Design - T. DoanSecure Software Design - T. Doan
SECISS-26: RBAC/MAC at Design Level

[Figure: use-case diagram of the Poll Topic Archive System, with actors and use cases marked with security levels (C, S, TS) and joined by <<include>> and <<extend>> relationships]
- Actors (Roles): Junior Operator (C), Senior Staff (S), Poll Topic Admin (TS), Supervisor (TS)
- Use Cases: Enter Poll Topic (S), Activate Poll Topic (TS), Deactivate Poll Topic (TS), Enter Question (C), Verify Topic (S), Enter Ordinary Question (C), Enter Special Question (S), Categorize Question (C), Enter Category (S)

- Security as a First-Class Citizen in the Design Process
- Use Cases and Actors (Roles) Marked with Security Levels
- Dynamic Assurance Checks to Ensure that Connections Do Not Violate MAC Rules
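The design-time assurance check can be written directly over the marked-up diagram. The Python below is an added example, not the UConn design tool: the actors, use cases and levels are the ones on the slide, but the connections are constructed, since the extracted text keeps the <<include>>/<<extend>> stereotypes without recording which use cases they join. Two MAC rules are assumed: an actor may be connected only to use cases its clearance dominates (simple security, no read up), and a use case reached through <<include>> is mandatory behaviour and so inherits that requirement, whereas an <<extend>> is optional behaviour that is merely unavailable to an actor below its level (the runtime then hides it, as on slide 18). The ordering U < C < S < TS is assumed.

```python
"""Design-time MAC assurance check over a use-case diagram.

Added example, not from the slides or the UConn tools. Actors, use cases and
levels are from the slide; CONNECTIONS are constructed. Assumed rules: an actor
may reach mandatory behaviour (association, <<include>>) only if its clearance
dominates the use case's level; an <<extend>> is optional and is reported as
unavailable rather than as a violation. Ordering U < C < S < TS is assumed.
"""
from collections import defaultdict

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}

ACTORS = {"Junior Operator": "C", "Senior Staff": "S",
          "Poll Topic Admin": "TS", "Supervisor": "TS"}

USE_CASES = {
    "Enter Poll Topic": "S", "Activate Poll Topic": "TS", "Deactivate Poll Topic": "TS",
    "Enter Question": "C", "Verify Topic": "S", "Enter Ordinary Question": "C",
    "Enter Special Question": "S", "Categorize Question": "C", "Enter Category": "S",
}

# Constructed connections: ("assoc", actor, use_case), ("include", base, included),
# ("extend", extension, base).
CONNECTIONS = [
    ("assoc", "Junior Operator", "Enter Question"),
    ("assoc", "Senior Staff", "Enter Poll Topic"),
    ("assoc", "Senior Staff", "Verify Topic"),
    ("assoc", "Poll Topic Admin", "Activate Poll Topic"),
    ("assoc", "Poll Topic Admin", "Deactivate Poll Topic"),
    ("assoc", "Supervisor", "Enter Category"),
    ("include", "Enter Question", "Categorize Question"),
    ("include", "Enter Poll Topic", "Verify Topic"),
    ("extend", "Enter Ordinary Question", "Enter Question"),
    ("extend", "Enter Special Question", "Enter Question"),
]


def dominates(clearance, level):
    return LEVELS[clearance] >= LEVELS[level]


def reachable(actor, connections):
    """Use cases an actor reaches: 'mandatory' via association and <<include>>,
    'optional' when an <<extend>> lies somewhere on the path."""
    includes, extends = defaultdict(list), defaultdict(list)
    for kind, src, dst in connections:
        if kind == "include":
            includes[src].append(dst)
        elif kind == "extend":
            extends[dst].append(src)          # src extends the base dst
    stack = [(dst, False) for kind, src, dst in connections
             if kind == "assoc" and src == actor]
    mandatory, optional = set(), set()
    while stack:
        uc, opt = stack.pop()
        bucket = optional if opt else mandatory
        if uc in bucket:
            continue
        bucket.add(uc)
        stack.extend((inc, opt) for inc in includes[uc])
        stack.extend((ext, True) for ext in extends[uc])
    return mandatory, optional - mandatory


def check_diagram(actors=ACTORS, use_cases=USE_CASES, connections=CONNECTIONS):
    """Return (violations, unavailable): violations are mandatory use cases above
    an actor's clearance; unavailable are optional extensions it cannot trigger."""
    violations, unavailable = [], []
    for actor, clearance in actors.items():
        mandatory, optional = reachable(actor, connections)
        for uc in sorted(mandatory):
            if not dominates(clearance, use_cases[uc]):
                violations.append((actor, uc, clearance, use_cases[uc]))
        for uc in sorted(optional):
            if not dominates(clearance, use_cases[uc]):
                unavailable.append((actor, uc, clearance, use_cases[uc]))
    return violations, unavailable


if __name__ == "__main__":
    v, u = check_diagram()
    print("violations:", v)
    print("unavailable extensions:", u)
```

Running the check on the constructed diagram yields no violation, and reports that Enter Special Question (S) is unavailable to the Junior Operator (C); adding an <<include>> from Enter Question (C) to Enter Category (S) would be flagged immediately, because every Junior Operator path through Enter Question would then be forced into S-level behaviour.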
SECISS-27: Secure Software Design - J. Pavlich

- What are Aspects?
  - System Properties that Apply Across an Entire Application; Samples: Security, Performance, etc.
- What is Aspect-Oriented Programming?
  - Separation of Components and Aspects from One Another, with Mechanisms to Support Abstraction and Composition for System Design
- What is Aspect-Oriented Software Design?
  - Focus on Identifying Components, Aspects, Compositions, etc.
  - Emphasis on the Design Process and Decisions
SECISS-28: Aspects for Security in UML

[Figure: class diagram of Courses, Documents, and Grade Records]
- Consider the Class Diagram above that Captures Courses, Documents, and Grade Records
  - What are the Possible Roles?
  - How can we Define the Limitations of a Role Against the Classes?
SECISS-29: A Role-Slice for Professors
SECISS-30: A Role-Slice for Students
SECISS-31: Middleware-Based Security - C. Phillips

[Figure: Legacy, COTS, GOTS and Database artifacts and Java, Legacy, Database and COTS clients connected over a NETWORK, mediated by the Unified Security Resource (USR)]
- Artifacts: DB, Legacy, COTS, GOTS, with APIs
- New/Existing Clients use the APIs
- Can we Control Access to APIs (Methods) by ... Role (who), Classification (MAC), Time (when), Data (what), Delegation
- Unified Security Resource (USR): Security Policy Services, Security Authorization Services, Security Registration Services
- Security Clients/Tools: Security Policy Client (SPC), Security Authorization Client (SAC), Security Delegation Client (SDC), Security Analysis and Tracking (SAT)
- Working Prototype Available using CORBA, JINI, Java, Oracle
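The enforcement side of slide 18 (role determines which public methods are available, with MAC and delegation layered on) and of this slide (control API access by who, classification, when, what, and delegation) comes down to a security handler placed in front of each artifact's API. The Python below is an added example and not the UConn CORBA/JINI prototype: a SecurityHandler fronts a constructed PollTopicArchive and checks, for every call, that the method is an exposed public one, that the caller holds the role (or a delegation), that the caller's clearance dominates the method's MAC level, and that the call falls inside the method's permitted time-of-day window; delegation can hand on a method the grantor holds by role but can never bypass MAC. The policy, principals, method names and the ordering U < C < S < TS are assumed for illustration.

```python
"""Runtime security handler fronting a server artifact's public API.

Added example, not the UConn prototype's code. A SecurityHandler sits before a
constructed PollTopicArchive and decides each call on role (who), the method's
MAC level (what), time of day (when) and delegated authority (DAC). Policy,
principals and the ordering U < C < S < TS are assumed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, time

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}

class AccessDenied(PermissionError):
    pass

@dataclass
class MethodPolicy:
    roles: set             # roles permitted to invoke the method
    level: str             # MAC classification of the method
    window: tuple = None   # (start, end) time-of-day window; None = always

@dataclass
class Principal:
    name: str
    role: str
    clearance: str
    delegated: set = field(default_factory=set)  # methods delegated to this principal

class PollTopicArchive:
    """Constructed server artifact; only its public methods are exposed."""
    def __init__(self):
        self.topics = {}

    def enter_topic(self, name):
        self.topics[name] = "inactive"
        return name

    def activate_topic(self, name):
        self.topics[name] = "active"
        return "active"

    def _reset(self):              # private: never reachable through the handler
        self.topics.clear()

def in_window(now, window):
    start, end = window
    if start <= end:
        return start <= now <= end
    return now >= start or now <= end  # window crosses midnight

class SecurityHandler:
    def __init__(self, target, policy, clock=datetime.now):
        self._target, self._policy, self._clock = target, policy, clock

    def invoke(self, who, method, *args, **kwargs):
        pol = self._policy.get(method)
        if method.startswith("_") or pol is None:             # deny by default
            raise AccessDenied(f"{who.name}: {method} is not an exposed method")
        if who.role not in pol.roles and method not in who.delegated:
            raise AccessDenied(f"{who.name}: role {who.role} may not call {method}")
        if LEVELS[who.clearance] < LEVELS[pol.level]:          # MAC: no read up
            raise AccessDenied(f"{who.name}: clearance {who.clearance} below {pol.level}")
        if pol.window and not in_window(self._clock().time(), pol.window):
            raise AccessDenied(f"{who.name}: {method} outside permitted hours")
        return getattr(self._target, method)(*args, **kwargs)

    def delegate(self, grantor, grantee, method):
        """DAC: pass on a method the grantor holds by role; MAC is never bypassed."""
        pol = self._policy.get(method)
        if pol is None or grantor.role not in pol.roles:
            raise AccessDenied(f"{grantor.name} does not hold {method} to delegate")
        if LEVELS[grantee.clearance] < LEVELS[pol.level]:
            raise AccessDenied(f"{grantee.name} lacks clearance for {method}")
        grantee.delegated.add(method)

# Constructed policy: who may call what, at which MAC level, and when.
POLICY = {
    "enter_topic": MethodPolicy(roles={"Senior Staff"}, level="S"),
    "activate_topic": MethodPolicy(roles={"Poll Topic Admin"}, level="TS",
                                   window=(time(8, 0), time(18, 0))),
}

def fixed_clock(hour, minute=0):
    """Deterministic clock for exercising the time constraint."""
    return lambda: datetime(2003, 1, 1, hour, minute)

def make_handler(clock=datetime.now):
    archive = PollTopicArchive()
    return SecurityHandler(archive, POLICY, clock), archive

def attempt(handler, who, method, *args):
    """Call through the handler; None means the handler denied the call."""
    try:
        return handler.invoke(who, method, *args)
    except AccessDenied:
        return None

def try_delegate(handler, grantor, grantee, method):
    try:
        handler.delegate(grantor, grantee, method)
        return True
    except AccessDenied:
        return False
```

Clients never hold a reference to the artifact itself, only to the handler, so the deny-by-default branch matters as much as the explicit checks: a method missing from the policy table, or a private method, is unreachable regardless of role. The clock is injected so that the time constraint can be tested at a chosen hour rather than at whatever the wall clock says.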
SECISS-32: Process-Oriented View

[Figure: the framework's components and their relationships]
- Unified RBAC/MAC Security Model
- RBAC/MAC Enforcement Framework
- Security Middleware
- Security Administrative and Management Tools
- Security Policy Definition
- Design-Time Security Assurance
- Run-Time Security Assurance
- Analyses of the RBAC/MAC Model/Framework Against SSE-CMM
- Evaluation of the RBAC/MAC Model Using the DCP
SECISS-33
CSE333
Security for XML DocumentsSecurity for XML Documents Emergence of XML for Emergence of XML for
Document/Information ExchangeDocument/Information Exchange Extend RBAC/MAC to XMLExtend RBAC/MAC to XML
Collection of Security DTDs DTDs for Roles, Users, and
Constraints Capture RBAC and MAC
Apply Security DTDs to XML Documents Result: Each XML Document
Appears Differently Based on Role, MAC, Time, Value
Security DTD Filters Document
Ongoing: H. Wang, C. Ju, C.Slamka, and J. Boysen
Security DTDsRole DTDUser DTDConstraint DTD
Application
Application DTDs
Application XML Files
Appl_Role.xmlAppl _User.xmlAppl_Constraint.xml
Security Officer Generates Security XML files for the Application
ApplicationDTDs and XML
User’s Role Determines
the Scope of Access
to Each XML Document
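The filtering step, in which the same document appears differently per role, MAC level and element value, can be shown with the standard library. The Python below is an added example and not the UConn XML work: the constraint definitions that a Security Officer would encode in Appl_Constraint.xml are written here as a Python table (element path, minimum MAC level, permitted roles, and an optional attribute/value predicate for value-based constraints), and a constructed poll document is pruned with xml.etree so that each (role, clearance) pair receives only the elements it may see. The document, constraints, role names and the ordering U < C < S < TS are all constructed for illustration; the slide's time constraint is omitted here.

```python
"""Role/MAC-based filtering of an application XML document.

Added example, not from the slides or the UConn work. The constraints below
stand in for what an Appl_Constraint.xml would carry; the document, roles and
the ordering U < C < S < TS are constructed for illustration.
"""
import xml.etree.ElementTree as ET

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}

# Constructed application XML (stands in for an application's .xml file).
POLL_XML = """<poll topic="Budget" status="draft">
  <question id="1" special="no">
    <text>Do you support the proposal?</text>
    <answerKey>yes</answerKey>
  </question>
  <question id="2" special="yes">
    <text>Internal staffing question</text>
    <answerKey>no</answerKey>
  </question>
  <audit>created by admin</audit>
</poll>"""

# Constructed constraints: element path relative to the root, minimum MAC level,
# roles allowed (None = any role), and an optional (attribute, value) predicate
# that limits the constraint to matching elements (a value-based constraint).
CONSTRAINTS = [
    {"path": "question/answerKey", "level": "S", "roles": None, "when": None},
    {"path": "question", "level": "S", "roles": None, "when": ("special", "yes")},
    {"path": "audit", "level": "C", "roles": {"Poll Topic Admin", "Supervisor"}, "when": None},
]


def permitted(elem, constraint, role, clearance):
    """True if this element may remain in the view of (role, clearance)."""
    when = constraint["when"]
    if when and elem.get(when[0]) != when[1]:
        return True                        # constraint does not apply to this element
    if constraint["roles"] is not None and role not in constraint["roles"]:
        return False
    return LEVELS[clearance] >= LEVELS[constraint["level"]]


def filter_document(xml_text, role, clearance, constraints=CONSTRAINTS):
    """Parse the document and remove every element the constraints deny."""
    root = ET.fromstring(xml_text)
    for c in constraints:
        parent_path, _, tag = c["path"].rpartition("/")
        parents = root.findall(parent_path) if parent_path else [root]
        for parent in parents:
            for child in list(parent.findall(tag)):
                if not permitted(child, c, role, clearance):
                    parent.remove(child)
    return root


def visible_paths(root, prefix=""):
    """Flatten a (filtered) tree to sorted element paths, for comparing views."""
    paths = []
    for child in root:
        path = f"{prefix}{child.tag}" + (f"[{child.get('id')}]" if child.get("id") else "")
        paths.append(path)
        paths.extend(visible_paths(child, path + "/"))
    return sorted(paths)


def render(root):
    """Serialize the filtered view for delivery to the client."""
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for role, clearance in [("Junior Operator", "C"), ("Senior Staff", "S"),
                            ("Poll Topic Admin", "TS")]:
        print(role, clearance, visible_paths(filter_document(POLL_XML, role, clearance)))
```

The three views differ in exactly the way the slide describes: the C-level operator sees one question and no answer keys, the S-level staff member sees both questions with keys but no audit trail, and only the TS-level admin sees the whole document. Filtering happens on the server side before serialization, so the withheld elements never reach the client.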
SECISS-34: Concluding Remarks

- Objective is for Everyone to Think about the Range, Scope, and Impact of Security
- Question-Based Approach Intended to Frame the Discussion
- Proposed Solution for the Distributed Environment
- Current UConn Foci: Secure Software Design, Middleware Realization, XML Document Customization
- Consider These and Other Issues for the DCP