Session # 2883 Managing Applications Comprised of Untrusted Components Michael Thome Senior...
-
Upload
imogene-leonard -
Category
Documents
-
view
216 -
download
0
Transcript of Session # 2883 Managing Applications Comprised of Untrusted Components Michael Thome Senior...
Session # 2883
Managing Applications Comprised of Untrusted Components
Michael ThomeSenior ScientistBBN Technologies
Session # 28832
Presentation Goal
Beginning
Learn how to manage the risks associated with allowing Components you do not trust into your application using a Model inspired by the JavaBeans™ BeanContext API.
Session # 28833
Learning Objectives
• As a result of this presentation, you will understand:– some of the risks and benefits of allowing
“untrusted” components into your application.
– how to protect your application from such components.
– how to use the Cougaar Component Model API to simplify the job.
Beginning
Session # 28834
Speaker’s Qualifications
• Senior Scientist, BBN Technologies, Distributed Systems and Logistics department
• Chief Software Architect of Cougaar Core development team
• Designed and Implemented Cougaar Component Model
Beginning
Session # 28835
Plugin == Trojan Horse?
“A data structure is just a stupid programming language.”
- Bill Gosper
“A programming language is a very dangerous data structure.”
- Guy Steele
Beginning
Session # 28836
Agenda
• Component Models
• “Untrusted” Components
• Cougaar Component Model
• Examples
• Implications
• Questions and Answers
Beginning
Session # 28837
Component Models
• Component– Modular software entity– Well-defined interface to other Components
• Component Model– Method of connecting Components– Method of storing connections– Service model integration– Trust model
Session # 28838
Untrusted Components
• What is an Untrusted Component?
• What can they do?– System/VM abuse– Java abuse– Application abuse
• Why do they do it?– Bugs and other mistakes– Evil developers
Session # 28839
Untrusted Components (cont’d)
• Where do they come from?
• Why accept the risk?– Contractual obligations– Competition– Flexibility– Extensibility– Reuse
Session # 288310
Traditional Protection Methods
• Documentation
• Interface
• Class/member protection/visibility
• Final methods in base class
• Proxy objects/Delegation
• SecurityManager
• Classloader namespaces
Session # 288311
Cougaar: Design Context
• Widely distributed p2p agent network
• Goals: Secure, Scalable, Robust
• OSS & free
• Many contributors and users
• Several applications
• More than 1MLOC (core+BBN)
Session # 288312
Context: Cougaar Implications
• Code base too large to audit
• Too many developers to code review
• Wide range of skills, experience
• Red-team Attacks and Exploits
• Policy-driven restrictions on behavior, resource-use
• Highly constrained and dynamic environment
Session # 288313
BeanContext API
• Extensible Runtime Containment and Services Protocol for JavaBeans Version 1.0, Laurence Cable, 1998
• Adds to JavaBeans™– Hierarchical structure– Service model
• But– Single hierarchy/VM– Tuned for integration with UI (e.g. AWT)
Session # 288314
BeanContext with Services
BeanContextChild
BeanContextServiceProvider
ServiceInstance
BeanContextServices
Session # 288315
Cougaar Component Model
• “Binder” = Proxy Abstraction
• Separate Service from Containment
• Drop UI focus
• Require interface layer
• Add simple StateModel
• Add explicit persistence state collection
• Add ComponentDescription
Session # 288316
Classes:BeanContext versus Cougaar
BeanContext Cougaar
BeanContext Container
BeanContextChild Component
BeanContextServices ServiceBroker
BeanContextServiceProvider ServiceProvider
Session # 288317
Cougaar Component Hierarchy
Component
ServiceProvider
ServiceInstance
ContainerServiceBroker
Session # 288318
Binder = Component Wrapper
Component
ServiceProvider
ServiceInstance
ContainerServiceBroker
Binder
Session # 288319
interface BindingSite {// let us get to servicesServiceBroker getServiceBroker();
// required control over component statevoid requestStop();
}
BindingSite
• Component’s view of parent:
Session # 288320
Component Construction
• ComponentDescription – Full specification of Component
• BinderFactory– Instantiate a Binder given a
ComponentDescription
• Binder – Instantiate Component from
ComponentDescription
Session # 288321
class ComponentDescription {public String getName(){}public String getInsertionPoint(){}public String getClassname(){}public URL getCodebase(){}public Object getParameter(){}public Object getCertificate(){}public Object getLeaseRequested(){}
}
ComponentDescription
• Uninstantiated Component
Session # 288322
interface BinderFactory extends Component {// priority (for Binder combination)int getPriority();
// create a Binder for a CD (or component)Binder getBinder(Object child);
// Utility for Binder instance to instantiate// a Component from a ComponentDescriptionComponentFactory getComponentFactory();
}
BinderFactory
• Component for choosing peer binders
Session # 288323
Binder Proxy Structure
Component
ServiceProvider
ServiceInstance
ContainerServiceBroker
ContainerProxy
ServiceBrokerProxy
ServiceInstanceProxy …
Session # 288324
Proxy Capabilities
• Opportunities– Incoming calls– Return values– Callbacks
• Options– Veto– Audit/Log– Alter– Buffer
Session # 288325
Hierarchy of Binders
Component
Container ServiceBroker
ContainerProxy B
ServiceBrokerProxy B
ServiceInstanceProxy B
ServiceProvider
ServiceInstance
ContainerServiceBroker
ContainerProxy A Service
BrokerProxy A
ServiceInstanceProxy A
Session # 288326
Binder Roles
• Insulation– Veto requests– Modify in/out information
• Management– Control– Support
• Probe point
Session # 288327
A Securely Bound Service
ComponentD
ContainerA
ContainerProxy A1
ContainerB1
ContainerProxy B1
ContainerC
ContainerProxy C
ServiceProvider
B2
ServiceBroker
ContainerB2
ContainerProxy A2
ServiceInstance
Session # 288328
Binder as Container Proxy
• Management– Construction– State control– Support methods– Scheduling
• Access to hierarchy– ServiceBroker– Alias other services
Session # 288329
Binder as ServiceBroker Proxy
• Mediated Service discovery and rendezvous– Reflection at initialization time– getService() like
• Service requests– Proxy/veto/audit– Passthrough to next level up
Session # 288330
Binder as Service Proxy
• Method wrapper– Audit– Veto– Proxy callbacks (both directions)– Proxy returned objects
• Insulate
• Translate
• Authorization
Session # 288331
Implications: Safety
• All interactions with other components mediated by Binder
• Each Binder may implement own policies
• Multi-level interactions mediated by all intervening Binders
• Proxies prevent casting attacks
Session # 288332
Implications: Performance
• Insulating Proxies usually thin
• Connect-time versus invocation-time
• Can escalate management level at runtime
• Optimizations possible
Session # 288333
Implications: Other
• Information Translation/Transformation– Encryption
• Hierarchy of management policy– Properly nesting Policy
• Testing– Lash-ups, jigs, logging, tracing
• Decoupling development of Components– Enforcing modular programming practices
Session # 288334
Other: Binder Combination
• Binding a Binder– Allow untrusted Binders
• Multiple binders for one Component– Allow composition of function– Binder overlays/filters
Session # 288335
Example 1: Basic Service Binder
class MyBinderFactory extends ServiceFilter {// select the BinderClass getBinderClass(Object child) {
return MyFilteringBinder.class;}
}class MyFilteringBinder extends ServiceFilterBinder {
protected ServiceBroker createFilteringServiceBroker(
ServiceBroker sb) { return new MyFilteringServiceBroker(sb); }}class MyFilteringServiceBroker extends FilteringServiceBroker {
public MyFilteringServiceBroker(ServiceBroker sb){ super(sb);}
}
Session # 288336
Example 2: Service Firewall
interface NameService { URL lookup(String name);}
class MyFilteringServiceBroker extends FilteringServiceBroker {
// return false to veto requestprotected boolean allowService(Class serviceClass){ return serviceClass.equals(NameService.class);
}}
Session # 288337
Example 3: Proxy a Service
class MyFilteringServiceBroker extends FilteringServiceBroker {
protected Object getServiceProxy(Object service,Class serviceClass,Object client) {
if (serviceClass.equals(NameService.class)) {return new NameServiceProxy(service, client);
} else { return null; }}
}class NameServiceProxy implements NameService {
public URL lookup(String name) {if (isLookupAllowed(name, this.client)) {
return this.service.lookup(name);} else { return null; }
}private boolean isLookupAllowed(..){}
}
Session # 288338
Future
• Other forms of Binder Combination
• Automatic Service Proxy creation
• Library of generic Binders
• “Remote” Binders
• Unloadable Binders
• Can Containment be just another Service?
Session # 288339
Further information
• Cougaar home:– http://www.cougaar.org
• Presentation web site:– http://www.alpine.bbn.com/~mthome/javaone
• BeanContext whitepaper:– http://java.sun.com/products/javabeans/
glasgow/
Session # 288341
Summary
• Components are good
• Untrusted Components are scary
• Cougaar Component Model is like the BeanContext API with a Proxy layer between all Components and between Components and Services.
End
Session # 288342
Binders are the Chaperones of the Component Dating Game
End
As applications get larger and the boundaries between them blur we will need some way of increasing the level of trust if we are to get any work done.
Session # 2883
Session # 2883