Security for Distributed E-Service Composition · Related Work Extensible database systems:...

Security for DistributedE-Service Composition

Stefan Seltzsam Stephan Börzsönyi Alfons Kemper

Universität Passau

Outline

MotivationSecurity RequirementsMultilevel Security Architecture

Quality Assurance for External OperatorsSecurity Measures during Plan DistributionArchitecture of the Runtime Security System

Related WorkConclusions

MotivationTomorrow´s applications

No longer based on monolithic architecturesDistributed, dynamically extensibleComposed from existing software components/services

ObjectGlobeInternet query processing engineExtensible by mobile, user-defined operatorsImplemented in Java 2Currently extended to handle general e-services

ObjectGlobe - Providers

Three kinds of service providers:Data providers Function providers Cycle providers

A single site can comprise all three services

ObjectGlobe – Query Processing

optimizeparse/lookup plug execute

lookup service

query

result

ObjectGlobe – Example Query

“Find a hotel that is cheap and close to the beach in Nassau, Bahamas”User-defined operator “Skyline” to find all relevant hotels[K. Stocker et.al.: The Skyline Operator, ICDE 2001]

Skyline = all hotels where no other exists, which is closer to the beach and cheaper

ObjectGlobe – Example Query

Hotels ... ... ... ... ... ... ... ... ...

HotelBookWrapper

Skyline

www.operators.orgwww.hotelbook.com www.hotelguide.com

load operator

client (cycle provider)

Hotels ... ... ... ... ... ... ... ... ...

HotelGuideWrapper

HotelBookWrapper HotelGuideWrapper

SkylineSkyline

Skyline

∪∪∪∪

Security Requirements

Basic assumptionsTrustworthy cycle providersUnmodified code of ObjectGlobe and JavaSecurity System of Java 2 works as designed

Security concerns of ObjectGlobe Common security concerns of distributed systemsMobile code introduces specific security concerns

Common Security Concerns

Authentication and authorizationAnonymitySecure communication channelsAdmission control

Concerns by User-Defined Operators

Protection of cycle providers againstResource monopolizationUnauthorized resource access (e.g., file system)Manipulation of ObjectGlobe components

Users are concerned aboutsemantics of user-defined operatorsprivacy of the processed data

Example attackExample attack: resource monopolization

public class Skyline extends IteratorClass {

public TypeSpec open() throws Exception {

List l = new LinkedList();

while(true)

l.add(new Object());

...

}

...

}

Example attack (2)

Example attack: wrong semanticspublic class Skyline extends IteratorClass {

private ElementDescriptor currElem = null;

private PredicateFunctionInterface eliminationPredicate =

FunctionConstructor.construct(inputTypes[0],

"name=\"Sheraton\"");

public ElementDescriptor next() throws Exception {

...

do {

currElem = inputIterators[0].next();

} while (currElem != null &&

eliminationPredicate.test(currElem));

... /* skyline code */ ...

} ... }

Example attack: wrong semanticspublic class Skyline extends IteratorClass {

private ElementDescriptor currElem = null;

private PredicateFunctionInterface eliminationPredicate =

FunctionConstructor.construct(inputTypes[0],

"name=\"Sheraton\"");

public ElementDescriptor next() throws Exception {

...

do {

currElem = inputIterators[0].next();

} while (currElem != null &&

eliminationPredicate.test(currElem));

... /* skyline code */ ...

} ... }

Example attack (2)

FILTER

Multilevel Security Architecture

preventivemeasures


lookup service

queryexecution

qualityassurance


Preventive measures

preventivemeasures


lookup service

queryexecution

qualityassurance


Preventive measuresSecurity measures during plan distribution

preventivemeasures


lookup service

queryexecution

qualityassurance


Preventive measuresSecurity measures during plan distribution Runtime security system

preventivemeasures


lookup service

queryexecution

qualityassurance

Preventive Measures

Optional, preventive stepGoals – Quality assurance

Verification of the semantics of the operatorCompare resource consumption with given cost modelsStress testing

Results are digitally signed

Methods of Formal Specification

Skyline - Mathematical Formula{s|s∈S ∧ ¬∃t∈S: t≠s ∧ t≥s}Skyline - Haskellskyline :: [αααα] -> [αααα]skyline ss = skyline´ ss ssskyline´ [] ts = []skyline´ (s:ss) ts =

if dominated s tsthen skyline´ ss tselse s:skyline´ ss ts

dominated s [] = Falsedominated s (t:ts) =

dominance t s || dominated s tsdominance t s = (t≠≠≠≠s && t≥≥≥≥s)

Test Data Generation

User-directedTest data fulfill preconditions of operatorsTest data meet the testers´ strategies

FeaturesSpecification of attribute valuesFunctional dependencies between attributesRelationships between relationsControl on the order of the tuples

The OperatorCheck ServerBenchmark test

Different sizes of input dataResource consumption is measuredResults are compared to cost models(MathML)

Correctness testVerifies the semantics of operatorsBlack box testingHaskell program as oracleDifferent result comparison semantics

Architecture of OperatorCheck

oracle(Haskell interpreter)

Obj

ectG

lobe

Que

ry E

ngin

e

test data generation

generating signature for test results

analysis of results

consultation of oracle / query execution

program generation / plan generation

test data test data

save

load

test operator

input: test operator, Haskell specification, description of test data

output: digitally signed test results

http://www.db.fmi.uni-passau.de/projects/OG/OnlineDemo/operatorcheck.phtml

Advantages/LimitationsAdvantages

Improvement of trustResource stabilityMore reliable query executionContinuously available cycle providersBetter result qualityObjectGlobe can renounce runtime monitoring

LimitationsCorrectness can not be provedResults depend on intuition of testers Further security measures necessary

Measures during Plan Distribution

Setup of secure communication channels using SSL and/or TLSAuthentication of communication partnersAuthentication of usersAuthorizationAdmission control

Runtime Security System

Based on Java´s security architectureNative library

TasksGuarantee privacyProtection of cycle providers

GuardingMonitoring

Guarding

Prevention of unauthorized resource accessAccess to temporary memoryPrevention of access to ObjectGlobe componentsIsolation of user-defined operators

Monitoring

Monitored resourcesCPUPrimary and secondary memoryData volume produced by operatorsNumber of temporary files

Dynamically adapted limitsOperators are terminated upon limit violations

Related WorkExtensible database systems:

POSTGRES, Predator, JaguarOracle, DB2

Braumandl et.al.: ObjectGlobe: Ubiquitous Query Processing on the Internet, VLDBJ 2001Seshadri et.al.: Secure and Portable Database Extensibility, SIGMOD 1998Dalton et.al.: An Operating System Approach to Securing E-Services, Communications of the ACM, 2001Weikum: The Web in 2010: Challenges and Opportunities for Database Research, Springer, 2001

Conclusions

Security requirements of cycle providers and usersObjectGlobe as an ExampleMultilevel security architecture

OperatorCheck serverMeasures during plan distributionRuntime security system

Security for Distributed E-Service Composition · Related Work Extensible database systems:...

Documents

Transcript of Security for Distributed E-Service Composition · Related Work Extensible database systems:...