Security Engineering for Roles and Resources in a Distributed Environment

Lt.Col. Charles E. Phillips, Jr.
Computer Science & Engineering Department, 191 Auditorium Road, Box U-155, The University of Connecticut, Storrs, Connecticut 06269-3155
charlesp@engr.uconn.edu

Profs. Steven A. Demurjian and T.C. Ting
Computer Science & Engineering Department, 191 Auditorium Road, Box U-155, The University of Connecticut, Storrs, Connecticut 06269-3155
http://www.engr.uconn.edu/~steve
steve@engr.uconn.edu
Overview of Presentation
• Introduction
• Distributed Security Model
• Enforcement Framework
• Experimental Prototype
• Supporting Advanced Applications
• Conclusions
• Future Work
Introduction: Goals of Our Research
• Incorporation of Role-Based Security within a Distributed Resource Environment
• Highly-Available Distributed Applications Constructed Using Middleware Tools
• Demonstrate Use of Lookup Service to Provide Role-Based Access of Clients to Resources
• Propose Software Architecture and Role-Based Security Model with Constraints for
  • Authorization of Clients Based on Role
  • Authentication of Clients and Resources
  • Enforcement and Tracking so Clients Only Use Authorized Services (of Resource)
• Propose a Flexible Security Solution for Clients and Services (Resources) in Dynamic Coalitions
Introduction: Proposed Architecture
[Architecture diagram. Components shown: Unified Security Resource (USR) containing Security Policy Services, Security Authorization Services, Security Registration Services, and Security Analysis and Tracking (SAT) Services; Global Clock Resource (GCR); Security Policy Client (SPC); Security Authorization Client (SAC); General Lookup Service; Java Client; Software Agent; Wrapped Resource for Legacy Application with its Legacy Client; Wrapped Resource for Database with its Database Client; Wrapped Resource for COTS Application with its COTS Client.]
Distributed Security Model: Lookup Service Middleware
• Construct Distributed Applications by
  • Federating Groups of Users
  • Resources Provide Services for Users
• A Resource Provides a Set of Services for Use by Clients (Users) and Other Resources (Services)
• A Service is Similar to a Set of Public Methods
  • Exportable - Analogous to API
  • Any Entity Utilized by Person or Program
  • Samples Include: Computation, Persistent Store, Printer, Sensor, Software Filter, Real-Time Data Source
• Services: Concrete Interfaces of Components
• Services Register with Lookup Service
Distributed Security Model: Join, Lookup, and Service Invocation
[Diagram: a Resource (Service Object with Service Attributes; the CourseDB class contains the method AddCourse()) joins the Lookup Service (Registry of Entries) by registering and leasing its services; a Client requests the service AddCourse(CSE900), receives a Service Proxy to AddCourse(), and invokes it on the Resource via a transparent RMI call.]
Step 1. Join: Services are registered with the Lookup Service
Step 2. Client makes request
Step 3. Lookup Service returns Service (Proxy)
Step 4. Client invokes AddCourse(CSE230) on Resource
Step 5. Resource returns results of invocation to Client
Distributed Security Model: Lookup Service Shortfalls
• Many Current Lookup Services
  • Successfully Dictate Service Utilization
  • Require a Programmatic Solution for Security
  • Do Not Selectively and Dynamically Control Access Based on Client Role
• Security of a Distributed Resource Should Selectively and Dynamically Control Client Access to Services Based on the Role
• Our Approach
  • Define Dedicated Resources to Authorize, Authenticate, and Enforce Security by Role
  • Proposed Unified Security Resource (USR)
  • Policy Services, Authorization Services, Registration Services, & Analysis/Tracking Services
Distributed Security Model: Resource, Service, Methods
• Definition 1: A Distributed Application Consists of M Software/System Resources (Legacy, COTS, Database, Web Server, Etc.), Each Uniquely Identifiable
• Definition 2: Each Resource is Composed of Services That Are Uniquely Identifiable
• Definition 3: Each Service is Composed of a Set of Uniquely Identifiable Methods. Note That the Triple (R-id, S-id, M-id) is Unique.
• Definition 4: The Signature of a Method of a Service of a Resource is Unique, and Consists of:
  • Method Name
  • Parameter List of Names/Types
  • Return Type (possibly Null)
Distributed Security Model: Resources, Services, and Methods
Read Service with Methods:
  String getAllClasses (Token);
  String getRegisteredCourses (Token, StudentName);
  Vector getClasses (long Token, Semester);
  Vector getClassDescription (Token, Course);
  Vector getPreReqCourses (Token, Course);
  Vector getVacantClasses (Token, Semester);
Modification Service with Methods:
  boolean addCourse (Token, Course);
  boolean removeCourse (Token, Course);
  boolean updateEnroll (Token, CourseNumber, UpdateChoice, NewValue);
  boolean registerCourse (Token, Course, StudentName);
  boolean dropCourse (Token, Course, StudentName);
Distributed Security Model: Roles and Constraints
• Definition 5: A User Role, UR, is a Uniquely Identifiable Named Entity Representing a Specific Set of Responsibilities Against an Application.
• Definition 6: A Signature Constraint, SC, is a Boolean Expression Defined on a Method Signature to Limit the Allowable Values of the Parameters and the Return Type.
• Definition 7: A Time Constraint, TC, is an Expression Defined for a Discrete Period of Time (Days or Time Period in GMT) Under Which a Method Can Be Invoked:
  TC = {E | E = "Never" or E = "Always" or E = Boolean Expression}.
Distributed Security Model: Roles and Constraints
• Sample Signature Constraints for CourseDB Resource
  Modification, addCourse, cse101 ≤ course ≤ cse499
  Modification, updateEnroll, newValue ≤ 30
  Read, getClasses, semester = Spring
• Sample Time Constraints
  01jan01 ≤ date ≤ 31mar01
  1apr01 ≤ date ≤ 14apr01
  date = 10apr01
Distributed Security Model: Privilege Tuples and Authorizations
• Definition 8: Assume a Distributed Application Consists of Resources, Services, and Methods. A Security Privilege Tuple Contains a Specific Resource, Service, and/or Method (with Optional Time and Signature Constraint): {UR, TC, R_i, S_ij, [M_ijk, SC_ijk]}
• Definition 9: Assume a Distributed Application of Resources, Services, and Methods. A Security Privilege Tuple Set Contains All of the Resources, Services, and Methods that have been Authorized (Granted) to a UR: {[UR, TC, R_i, S_ij, [M_ijk, SC_ijk]]}
Distributed Security Model: Roles, Constraints, and Authorizations
Role: CSEFaculty
  {[CSEFaculty, always, CourseDB, Read, [*]],
   [CSEFaculty, 01jan01 ≤ date ≤ 31mar01, CourseDB, Modification, [addCourse, cse101 ≤ course ≤ cse499]],
   [CSEFaculty, always, CourseDB, Modification, [updateEnroll, newValue ≤ 30]]}
Role: CSEUndergrad
  {[CSEUndergrad, 10dec00 ≤ date ≤ 16feb01, CourseDB, Read, [getClasses, semester = Spring]],
   [CSEUndergrad, 1apr01 ≤ date ≤ 14apr01, CourseDB, Modification, [registerCourse, cse101 ≤ course ≤ cse299]],
   [CSEUndergrad, 15apr01 ≤ date ≤ 30apr01, CourseDB, Modification, [registerCourse, true]]}
Authorized Users/Roles
  Harris: CSEUndergrad
  Jones: CSEFaculty, CSEDeptHead
Token: [Harris, UR/CSEUndergrad, IP/100.150.200.250, Time/16mar01-14:50:04]
Distributed Security Model: User and Authorizations
• Definition 10: A User, U, is Uniquely Identifiable (User-id) and Authorized to Play One or More Roles in an Application. A User Must Always Play Exactly One Role at Any Point During an Active Session, but is Able to Change Roles During a Session.
• Definition 11: A Client, C, Represents an Authorized User, U, Utilizing a Client Application, and is Uniquely Identified During a Specific Session Via a System-Generated Token: [User-id, UR-id, IP-address, Token-creation-time]
Enforcement Framework: The Unified Security Resource (USR)
[Same architecture diagram as in the Introduction, now focused on the USR: Security Policy Services, Security Authorization Services, Security Registration Services, and Security Analysis and Tracking (SAT) Services, alongside the Global Clock Resource (GCR), the Security Policy Client (SPC), the Security Authorization Client (SAC), the General Lookup Service, and the Java, Legacy, Database, and COTS clients with their wrapped resources.]
Enforcement Framework: Security Policy Services
Register Service:
  Register_Resource(R_Id);
  Register_Service(R_Id, S_Id);
  Register_Method(R_Id, S_Id, M_Id);
  Register_Signature(R_Id, S_Id, M_Id, Signat);
  UnRegister_Resource(R_Id);
  UnRegister_Service(R_Id, S_Id);
  UnRegister_Method(R_Id, S_Id, M_Id);
  UnRegister_Token(Token);
Query Privileges Service:
  Query_AvailResource();
  Query_AvailMethod(R_Id);
  Query_Method(Token, R_Id, S_Id, M_Id);
  Check_Privileges(Token, R_Id, S_Id, M_Id, ParamValueList);
User Role Service:
  Create_New_Role(UR_Name, UR_Disc, UR_Id);
  Delete_Role(UR_Id);
Constraint Service:
  DefineTC(R_Id, S_Id, M_Id, TC);
  DefineSC(R_Id, S_Id, M_Id, SC);
  CheckTC(Token, R_Id, S_Id, M_Id);
  CheckSC(Token, R_Id, S_Id, M_Id, ParamValueList);
Grant-Revoke Service:
  Grant{Revoke}_Resource(UR_Id, R_Id);
  Grant{Revoke}_Service(UR_Id, R_Id, S_Id);
  Grant{Revoke}_Method(UR_Id, R_Id, S_Id, M_Id);
  Grant{Revoke}_SC(UR_Id, R_Id, S_Id, M_Id, SC);
  Grant{Revoke}_TC(UR_Id, R_Id, S_Id, M_Id, TC);
Enforcement Framework: Other Services
SECURITY AUTHORIZATION SERVICES
Authorize Role Service:
  Grant_Role(UR_Id, User_Id);
  Revoke_Role(UR_Id, User_Id);
Client Profile Service:
  Verify_UR(User_Id, UR_Id);
  Erase_Client(User_Id);
  Find_Client(User_Id);
  Find_All_Clients();
SECURITY REGISTRATION SERVICES
Register Client Service:
  Create_Token(User_Id, UR_Id, Token);
  Register_Client(User_Id, IP_Addr, UR_Id);
  UnRegister_Client(User_Id, IP_Addr, UR_Id);
  IsClient_Registered(Token);
  Find_Client(User_Id, IP_Addr);
SECURITY TRACKING AND ANALYSIS SERVICES
Tracking Service:
  Logfile(Log String);
Analysis Service:
  Analyze(Java Class File);
Enforcement Framework: Client, Resource, Service Invocations
[Sequence diagram between the Course Client, the USR (Security Registration Services, Security Authorization Services, Security Policy Services), the Lookup Service, and the UnivDB Resource:]
1. Course Client → Security Registration Services: Register_Client(Harris, cse.uconn.edu, CSEUndergrad)
2. Security Registration Services → Security Authorization Services: Verify_UR(Harris, CSEUndergrad)
3. Security Authorization Services: Client OK?
4. Return Result; Security Registration Services: Create_Token(CSEUndergrad, Token), returned to the Course Client
5. Course Client → Lookup Service: Discover/Lookup(UnivDB, Modification, RegisterCourse), which returns a Proxy to the Course Client
6. Course Client → UnivDB Resource: RegisterCourse(Token, CSE230, Harris)
7. UnivDB Resource → Security Registration Services: IsClient_Registered(Token)
8. Return Result of IsClient_Registered(…)
9. UnivDB Resource → Security Policy Services: Check_Privileges(Token, UnivDB, Modification, RegisterCourse, [CSE230, Harris])
10. Return Result of Check_Privileges(…)
11. UnivDB Resource → Course Client: Return Result of RegisterCourse(…)
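The registration and Check_Privileges flow above, together with the constraint and privilege-tuple definitions from the model slides, as an added Python example that is not the authors' Jini/CORBA prototype: it encodes the CSEFaculty and CSEUndergrad tuples as constructed data (time constraints as date ranges, signature constraints as predicates over the parameter list), issues a token through Register_Client/Verify_UR, and evaluates Check_Privileges against that token with default deny. The function names, the in-memory REGISTERED set and the "*" wildcard for "all methods of a service" are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, datetime

@dataclass(frozen=True)
class Token:  # [User-id, UR-id, IP-address, Token-creation-time] as in Definition 11
    user: str
    role: str
    ip: str
    created: datetime

def between(start: date, end: date):  # time constraint TC: start <= date <= end
    return lambda now: start <= now.date() <= end
ALWAYS = lambda now: True  # TC = "Always"

# Constructed privilege tuples {UR, TC, R, S, [M, SC]} taken from the slide examples.
# M "*" grants every method of the service; SC is a predicate over the parameter
# list (without the leading Token); SC None means no signature constraint.
PRIVILEGES = [
    ("CSEFaculty", ALWAYS, "CourseDB", "Read", "*", None),
    ("CSEFaculty", between(date(2001, 1, 1), date(2001, 3, 31)), "CourseDB",
     "Modification", "addCourse", lambda p: "cse101" <= p[0].lower() <= "cse499"),
    ("CSEUndergrad", between(date(2000, 12, 10), date(2001, 2, 16)), "CourseDB",
     "Read", "getClasses", lambda p: p[0] == "Spring"),
    ("CSEUndergrad", between(date(2001, 4, 1), date(2001, 4, 14)), "CourseDB",
     "Modification", "registerCourse", lambda p: "cse101" <= p[0].lower() <= "cse299"),
    ("CSEUndergrad", between(date(2001, 4, 15), date(2001, 4, 30)), "CourseDB",
     "Modification", "registerCourse", None),
]
USERS = {"Harris": {"CSEUndergrad"}, "Jones": {"CSEFaculty", "CSEDeptHead"}}
REGISTERED = set()  # tokens issued by the Security Registration Services (assumed store)
NOW = datetime(2001, 3, 16, 14, 50, 4)  # token creation time from the slide example

def register_client(user, ip, role, now):
    # Register_Client -> Verify_UR -> Create_Token; None when the user may not play the role
    if role not in USERS.get(user, set()):
        return None
    token = Token(user, role, ip, now)
    REGISTERED.add(token)
    return token

def check_privileges(token, r_id, s_id, m_id, params, now):
    # Check_Privileges: a tuple for the token's role must name R/S/M with TC and SC satisfied
    if token not in REGISTERED:  # IsClient_Registered(Token)
        return False
    for ur, tc, r, s, m, sc in PRIVILEGES:
        if ur != token.role or (r, s) != (r_id, s_id) or m not in ("*", m_id):
            continue
        if tc(now) and (sc is None or sc(params)):
            return True
    return False  # default deny: no matching, unexpired, satisfied tuple
```

Harris's registerCourse(CSE230) on 10apr01 is granted by the second CSEUndergrad tuple, the same call on 16mar01 is refused because no time constraint holds, and a token that was never issued by Register_Client is refused before any tuple is consulted.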
Enforcement Framework: Security Prototype (JINI and CORBA)
• During the Past Two Years, an Extensive Prototype has Been Developed on NT/Linux Using:
  • Java as Main Development Language
  • JINI/CORBA as Middleware
  • Oracle/MS Access as Databases
• Security Management/Administration Tools
  • Security Policy Client
  • Security Authorization Client
  • Tracking/Analysis Client
• We'll Discuss Each in Turn by Reviewing a Series of GUI Bitmaps
Enforcement Framework: Security Prototype (JINI and CORBA)
[Prototype diagram: a Java GUI PDB Client and a Java GUI UDB Client; a Patient DB Resource (PDB) whose PDBServer Service offers write_medical_history(), write_prescription(), get_medical_history(), get_diagnosis(), set_payment_mode(); a University DB Resource (UDB) whose UDBServer Service offers GetClasses(), PreReqCourse(), GetVacantClasses(), EnrollCourse(), AddCourse(), RemoveCourse(), UpdateCourse(); a Common Resource (Global Clock); a CORBA Lookup Service and a JINI Lookup Service; a Security System Resource for PDB & UDB; the Security Policy Client and the Security Authorization Client.]
Supporting Advanced Applications: Dynamic Coalition Problem
• A Crisis is Any Situation Requiring National or International Attention as Determined by the President of the United States or the UN
• A Coalition is an Alliance of Organizations: Military, Civilian, International, or any Combination
• A Dynamic Coalition is Formed in a Crisis and Changes as the Crisis Develops, with the Key Concern Being the Most Effective Way to Solve the Crisis
• The Dynamic Coalition Problem (DCP) is the Inherent Security, Resource, and/or Information Sharing Risks that Occur as a Result of the Coalition Being Formed Quickly
Supporting Advanced Applications: Global Command And Control System
• GCCS is Used to Manage Activities in a Joint and Combined Environment
• Joint Refers to More than One Branch (Army, Navy, Air Force, Marines, or Coast Guard) and Combined Means More Than One Country
• GCCS Provides a Local Commander With Operational Awareness in Near Real-Time Through an Integrated Set of Resources and Services
• GCCS Provides Information-Processing Support to Planning, Mobility, Sustainment, and Messaging by Bringing Together 20 Separate Automated Systems, With Several Additions Planned
Supporting Advanced Applications: GCCS Shortfalls
• Does Not Consider Multiple Roles for Users
• Does Not Place Time Limitations on Users
• Does Not Use Any Resource Constraints
• Is Not a Multi-Level Secure System
• Is a U.S.-Only System
Supporting Advanced Applications: DCP Objectives
• Federate Users Quickly and Dynamically
• Bring Together Resources Without Modification
• Dynamically Realize and Manage Simultaneous Crises
• Identify Users by their Roles to Finely Tune Access
• Authorize, Authenticate, and Enforce a Scalable Security Policy That is Flexible in Response to Coalition Needs
• Security Solution that is Portable, Extensible, and Redundant for Survivability
• Management and Introspection Capabilities to Track and Monitor System Behavior
Concluding Remarks
• For a Distributed Resource Environment
  • Proposed & Explained a Constraint-Based Approach to Role Security
  • Authorize, Authenticate, and Enforce
• Presented a Software Architecture Containing
  • Constraint-Based Security Model for Role Security in a Distributed Resource Environment
  • An Enforcement Framework for Security with Registration, Authorization, and Policy Services
Concluding Remarks
• Developed Prototype System
  • JINI- and CORBA-Based Prototype for Role-Based Security Model that Allows Role Access
  • System is Flexible, Scalable and Redundant
  • System Uses Constraints to Realize Policy
• Presented Real-World Issues
  • Defined the Dynamic Coalition Problem
  • Discussed the Global Command and Control System and Its Shortcomings
  • Offered a Set of Objectives for Realization of Distributed Security in a Dynamic Setting
Ongoing and Future Work
• Integrating Mandatory Access Controls
  • Currently Integrated into Security Prototype
  • Model Extended to Include Classifications
• Role Deconfliction and Mutual Exclusion
  • Preliminary Model Being Designed
  • Prototyping Planned in Near Future
• User Constraints
  • Extend to Include User Constraints
  • Prototyping Underway
• User Role Delegation Authority
  • Preliminary Model Designed
  • Prototyping Underway