4/26/2007 okhaleel/Enforce 1

ENgine FOR Controlling Emergent Hierarchical Role-Based Access
(ENforCE HRBAccess)

Osama Khaleel
Thesis Defense, May 2007
Master of Science in Computer Science
University of Colorado, Colorado Springs

Committee Members:
Dr. Edward Chow, Chair
Dr. Terry Boult
Dr. Xiaobo Zhou

Thesis Defense Outline
Intro & Background
Design
Implementation
Performance Analysis
Future Work
Contribution
Demo
Q & A

Introduction
Roles in any organization are hierarchical by nature.
Resources in an organization vary widely: from a simple HTML web page to RDP/SSH access, through which a user can gain full control of a host.
The task becomes harder when users must access those resources securely AND according to their ROLES.
Password-based protection falls far short of high-level security requirements.

Background
Authentication: Public Key Certificate (PKC), Certificate Authority (CA), Certificate Revocation List (CRL)
Authorization: Attribute Certificate (AC), Attribute Authority (AA)
Role-Based Access Control (RBAC): Core, Hierarchical
eXtensible Access Control Markup Language (XACML): Policy Enforcement Point (PEP), Policy Decision Point (PDP)
Active Directory (AD), ISAPI Filter, ASP.NET Application File (Global.asax), Iptables
Public Key Infrastructure (PKI)
Privilege Management Infrastructure (PMI)

Authentication: the process in which a principal presents some kind of credential to prove its identity.
CA: a trusted third party that issues digital certificates for use by other parties. It vouches that the individual granted the certificate really is who they claim to be.
PKC: a digitally signed document that binds a public key to a subject (identity). The binding is asserted by a trusted CA.
CRL: a list, signed by the issuing CA, of the serial numbers of the certificates it has revoked.
Authorization: the process of determining whether a subject has the permissions required to access a protected resource.
AC: a digitally signed document that binds a set of attributes (group membership, role, security clearance) to the AC holder.
AA: a trusted third party responsible for issuing, maintaining, and revoking ACs.

AD: the distributed directory service included with Windows Server 2000/2003. It is Microsoft's LDAP-accessible directory, used to store and manage information about all network resources across the domain: computers, groups, users, ...
ISAPI filters: DLLs that extend and modify the functionality of IIS. They are powerful: a filter can inspect and modify both the incoming and the outgoing data stream of EVERY request.
Global.asax: a file that resides in the root directory of an ASP.NET application. It contains the code that handles application-level and session-level events raised by ASP.NET.
Iptables: a generic table structure for defining sets of rules that act on network packets. Rules are grouped into chains, chains are grouped into tables, and each table is associated with a different kind of packet processing.

RBAC: a model for restricting access based on the roles of authorized users.
Core: roles are assigned to users, and permissions are associated with roles, not directly with users.
Hierarchical: an extension of the core model in which senior roles inherit the permissions of more junior roles.
XACML: an XML-based OASIS standard that defines a policy language and a request/response language.
The three main components of XACML are Rule, Policy, and PolicySet.
The XACML RBAC profile has two main components: the Permission PolicySet (PPS) and the Role PolicySet (RPS).
There is one PPS and one RPS for each defined role.

PPS: defines the Policies and Rules for the permissions associated with a given role. It may contain PPS references, written as <PolicySetIdReference>, to inherit the permissions of the junior role associated with each referenced PPS. A junior role's PPS must be defined before it is referenced.
RPS: names the role and contains ONLY one PPS reference, which associates the role with the permissions defined in the corresponding PPS. A PDP should reach a PPS only through an RPS, never as a top-level policy; otherwise a subject could obtain a role's permissions without holding the role.

Example PPS for the CFO role, which inherits the Sales Manager and Accounts Manager permissions. The slide abbreviates the XACML 1.x identifiers and omits the Targets and combining algorithms; they are written out in full here, with first-applicable assumed. Because the resource is matched as a regular expression, the unescaped dots match any character, so the pattern should be anchored and escaped if the PDP's matcher searches rather than matches the whole resource-id.

<PolicySet PolicySetId="CFOPermissions"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
  <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>
  <Policy PolicyId="PolicyForCFORole"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
    <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>
    <Rule RuleId="FinanceManagementRule" Effect="Permit">
      <Target>
        <Subjects><AnySubject/></Subjects>
        <Resources><Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">https://ncdcrx3.uccs.edu/financial/finMgmt.aspx</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource></Resources>
        <Actions><AnyAction/></Actions>
      </Target>
    </Rule>
  </Policy>
  <PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference>
  <PolicySetIdReference>AccMgrPermissions</PolicySetIdReference>
</PolicySet>

Example RPS for the CFO role; its Target matches the subject's "role" attribute and it references only the CFO PPS:

<PolicySet PolicySetId="RPS:CFO"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable">
  <Target>
    <Subjects><Subject>
      <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CFO</AttributeValue>
        <SubjectAttributeDesignator AttributeId="role" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </SubjectMatch>
    </Subject></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <PolicySetIdReference>CFOPermissions</PolicySetIdReference>
</PolicySet>
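The inheritance chain the PPS/RPS structure sets up, as an added example that is not part of the thesis or its policy engine: starting from the RPS whose Target matches the role, follow every <PolicySetIdReference> and collect the permitted resources, refusing to continue when a referenced junior PPS was never defined or when references form a cycle. The policy text is constructed for the example with the slide's identifiers abbreviated, and the Sales Manager and Accounts Manager resource URLs are assumptions.

```python
# Added example (not ENforCE's code): resolve the permissions a role obtains
# through the XACML RBAC profile's PPS/RPS structure, following
# <PolicySetIdReference> links so senior roles inherit junior permissions.
# The policy below is constructed for the example with abbreviated
# identifiers; the junior roles' resource URLs are assumptions.
import xml.etree.ElementTree as ET

POLICIES_XML = """
<Policies>
  <PolicySet PolicySetId="AccMgrPermissions">
    <Policy PolicyId="PolicyForAccMgrRole">
      <Rule RuleId="ViewOrdersRule" Effect="Permit">
        <Target><Resources><Resource><ResourceMatch>
          <AttributeValue>https://ncdcrx3.uccs.edu/orders/view.aspx</AttributeValue>
        </ResourceMatch></Resource></Resources></Target>
      </Rule>
    </Policy>
  </PolicySet>
  <PolicySet PolicySetId="SalesMgrPermissions">
    <Policy PolicyId="PolicyForSalesMgrRole">
      <Rule RuleId="SalesWriteRule" Effect="Permit">
        <Target><Resources><Resource><ResourceMatch>
          <AttributeValue>https://ncdcrx3.uccs.edu/sales/write.aspx</AttributeValue>
        </ResourceMatch></Resource></Resources></Target>
      </Rule>
    </Policy>
    <PolicySetIdReference>AccMgrPermissions</PolicySetIdReference>
  </PolicySet>
  <PolicySet PolicySetId="CFOPermissions">
    <Policy PolicyId="PolicyForCFORole">
      <Rule RuleId="FinanceManagementRule" Effect="Permit">
        <Target><Resources><Resource><ResourceMatch>
          <AttributeValue>https://ncdcrx3.uccs.edu/financial/finMgmt.aspx</AttributeValue>
        </ResourceMatch></Resource></Resources></Target>
      </Rule>
    </Policy>
    <PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference>
    <PolicySetIdReference>AccMgrPermissions</PolicySetIdReference>
  </PolicySet>
  <PolicySet PolicySetId="RPS:CFO">
    <Target><Subjects><Subject><SubjectMatch>
      <AttributeValue>CFO</AttributeValue>
      <SubjectAttributeDesignator AttributeId="role"/>
    </SubjectMatch></Subject></Subjects></Target>
    <PolicySetIdReference>CFOPermissions</PolicySetIdReference>
  </PolicySet>
</Policies>
"""


def load_policysets(xml_text):
    """Index every PolicySet by its PolicySetId."""
    root = ET.fromstring(xml_text)
    return {ps.get("PolicySetId"): ps for ps in root.findall("PolicySet")}


def permitted_resources(policysets, pps_id, _visiting=None):
    """Resources permitted by a PPS, including those inherited via references.

    Raises KeyError for a reference to a PPS that was never defined (the
    "define the junior role before using it" rule) and ValueError on a
    reference cycle, which would otherwise recurse forever.
    """
    visiting = _visiting or set()
    if pps_id in visiting:
        raise ValueError("cyclic PolicySetIdReference at " + pps_id)
    pps = policysets[pps_id]  # KeyError: junior PPS not defined
    resources = set()
    for rule in pps.iter("Rule"):
        if rule.get("Effect") == "Permit":
            for value in rule.iter("AttributeValue"):
                resources.add(value.text.strip())
    for ref in pps.findall("PolicySetIdReference"):
        resources |= permitted_resources(policysets, ref.text.strip(), visiting | {pps_id})
    return resources


def role_permissions(policysets, role):
    """Start from the RPS whose Target matches the role attribute, as a PDP would."""
    for ps in policysets.values():
        match = ps.find("Target/Subjects/Subject/SubjectMatch")
        if match is not None and match.findtext("AttributeValue").strip() == role:
            ref = ps.find("PolicySetIdReference")
            return permitted_resources(policysets, ref.text.strip())
    return set()  # no RPS for this role: no permissions at all
```

Entering through role_permissions rather than permitted_resources is the point of the RPS/PPS split: a caller that can name a PPS directly gets its permissions without ever proving the role.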

Design
Using the concepts and technologies just mentioned, the goal is to build a structure/engine that provides:
Authentication
Authorization
Secure access based on users' ROLES
Protection for ANY type of resource
Fine-grained control based on active sessions
A PKI & PMI management tool

ENforCE "Big Picture"
[Architecture diagram. Components: IIS Authentication with the ISAPI filter in front of the protected web resources; the ASP.NET application (Global.asax) in front of the protected network resources; the Policy Enforcement Point, which receives HTTP requests from both, gets the user's AC from Active Directory on the Domain Controller, calls the Policy Decision Point (backed by the RPS and PPS policies) with GetDecision, checks the session policy source, and returns an XML response; and the FC4 machine (firewall) running the Iptables Control Service, which receives open/close commands and gates network-resource access.]

ENforCE Test-Bed
[Test-bed diagram. A Windows XP client, a Win2003 IIS server, and a Win2003 DC are connected to a local switch in 10.0.0.0/24 (addresses 10.0.0.10, 10.0.0.11, 10.0.0.12, 10.0.0.13 are shown); a FedoraCore4 gateway/firewall (10.0.0.1 on the inside) connects them through the main switch to the public addresses 128.198.162.50 through 128.198.162.53.]

Implementation
Two types of access:
Web-based resources (http://ncdcrx3.uccs.edu)
Network-based resources (http://ncdcrx4.uccs.edu)
Web resources are accessed directly through IIS over https (port 443).
Network resources: the user first activates a web session; ENforCE then opens the firewall for the specified service, and the user accesses the service directly through the firewall. The service port varies (e.g. SSH: 22, RDP: 3389).
Components:
ISAPI Filter: web-access entry point (C/C++, MFC)
Global.asax: manages web sessions (C#/ASP.NET)
Policy Engine: PEP, PDP, policy, RBAC (XACML, Java)
Firewall Daemon: updates iptables rules (Java, JSSE)

Web resources (ISAPI)
[Sequence diagram, as a numbered flow:]
1) The web request arrives at IIS (IIS Authentication) and is intercepted by the ISAPI filter.
2) The ISAPI filter sends an HTTP request carrying the subject's attributes to the Policy Enforcement Point.
3) The PEP gets the user's AC from Active Directory on the Domain Controller.
4) The PEP asks the Policy Decision Point for a decision (GetDecision).
5) The PEP returns an XML response with the decision to the ISAPI filter.
6) The ISAPI filter permits or denies access to the protected web resource.

Network resources (Global.asax)
[Sequence diagram, as a numbered flow:]
1) The user requests a session through IIS (IIS Authentication) and the ASP.NET application (Global.asax).
2) Global.asax sends an HTTP request carrying the subject's attributes to the Policy Enforcement Point.
3) The PEP gets the user's AC from AD on the DC.
4) The PEP gets a decision from the PDP.
5) The PEP checks the session policy (session policy source).
6) The PEP sends open/close commands to the Iptables Control Daemon on the FC4 machine (firewall).
7) The PEP returns an XML response with the decision to Global.asax.
8) The user physically accesses the service through the firewall.

Requests to PEP
1) From ISAPI (access a web resource):
http://localhost:8080/sispep/servlets/sispep?
• subject=CN=Edward Chow, C=US, S=CO, ...., [email protected], OU=Computer Science &
• URL=https://ncdcrx3.uccs.edu/it/img.jpg &
• method=GET &
• service=web

2) From Global.asax (open a network resource):
http://localhost:8080/sispep/servlets/sispep?
• subject=CN=Edward Chow, C=US, S=CO, ...., [email protected], OU=Computer Science &
• URL=https://ncdcrx4.uccs.edu/ssh/session.aspx &
• service=ssh &
• IP=128.198.55.11 &
• sessionID=23hjhY43 &
• action=open

3) From Global.asax (close a network resource):
http://localhost:8080/sispep/servlets/sispep?
• subject=CN=Edward Chow, C=US, S=CO, ...., [email protected], OU=Computer Science &
• URL=https://ncdcrx4.uccs.edu/ssh/session.aspx &
• service=ssh &
• IP=128.198.55.11 &
• sessionID=23hjf73G2 &
• action=close

Conditional Active-Session Access (CASA)
Idea: a junior role can ONLY access a network resource IF its senior role has an active session for that resource.
Why? To add finer-grained access control.
How? The PEP maintains a table of active sessions. An entry looks like:
sessionID: 29gY3k0*ssh | role: Engineer | subject: Subject | URL: https://ncdcrx4.uccs.edu/ssh/net.aspx | IP: 128.198.162.50
The PEP reads an XML policy file (the session policy). The session policy file supports 3 cases:
1) A CERTAIN senior role is required
2) ANY senior role is required (including itself?)
3) N senior roles are required

<Service name="SSH"> <Senior>ProjectMngr</Senior> <Junior>Developer</Junior> </Service>
<Service name="MySQL"> <Senior>ANY</Senior> <Junior>Accountant</Junior> </Service>
<Service name="SSH"> <Senior>ITManager</Senior> <Junior>DB Admin</Junior> </Service>
<Service name="SSH"> <Senior>CEO</Senior> <Junior>DB Admin</Junior> </Service>

CASA (cont'd)
The PEP reads the session policy file and builds two things:
1) Hierarchical-role tree
   To answer: is role A senior to role B?
2) Session policy table
   To decide: for the requested service, is the junior's access constrained by a senior's?

Service   Senior : Junior
SSH       CFO : Sales Mngr;  ANY : Developer
RDP       CEO : DB Admin;  ITMngr : DB Admin
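The CASA decision itself, covering the three session-policy cases and the two structures just listed, as an added example that is not the thesis's PEP code: the session policy is parsed from the slide's <Service> format, a hierarchical-role tree answers "is A senior to B", and a decision function checks the PEP's active-session table for the required seniors. The session policy text is constructed from the slide's entries (with "DB Admin" written DBAdmin), while the role tree, the session-table rows, and the choice that ANY excludes the requesting role itself are assumptions.

```python
# Added example (not ENforCE's code): the CASA check the PEP makes before
# opening a network resource for a junior role.  The session policy uses the
# slide's <Service> format; the role tree and the session rows are assumed.
import xml.etree.ElementTree as ET
from collections import defaultdict

SESSION_POLICY_XML = """
<SessionPolicy>
  <Service name="SSH"><Senior>ProjectMngr</Senior><Junior>Developer</Junior></Service>
  <Service name="MySQL"><Senior>ANY</Senior><Junior>Accountant</Junior></Service>
  <Service name="SSH"><Senior>ITManager</Senior><Junior>DBAdmin</Junior></Service>
  <Service name="SSH"><Senior>CEO</Senior><Junior>DBAdmin</Junior></Service>
</SessionPolicy>
"""

# Hierarchical-role tree, senior -> directly junior roles (assumed for the example).
ROLE_TREE = {
    "CEO": ["CFO", "ITManager", "ProjectMngr"],
    "CFO": ["Accountant"],
    "ITManager": ["DBAdmin"],
    "ProjectMngr": ["Developer"],
}


def is_senior(senior, junior, tree=ROLE_TREE):
    """True if `senior` is strictly above `junior` in the tree, transitively."""
    seen, stack = set(), [senior]
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        if junior in tree.get(role, []):
            return True
        stack.extend(tree.get(role, []))
    return False


def load_session_policy(xml_text):
    """Session policy table: service -> junior role -> seniors that must be active."""
    table = defaultdict(lambda: defaultdict(list))
    for svc in ET.fromstring(xml_text).findall("Service"):
        junior = svc.findtext("Junior").strip()
        table[svc.get("name")][junior].append(svc.findtext("Senior").strip())
    return table


def casa_permit(policy, session_table, service, role):
    """Decide whether `role` may open `service`, given the PEP's active sessions.

    session_table rows are (sessionID, role, subject, service, IP).
    Case 1, a CERTAIN senior: that role must hold an active session on the service.
    Case 2, ANY: some strictly senior role must hold one; the requesting role
            itself does not count, which is this example's answer to the
            slide's "including itself?".
    Case 3, N seniors: every listed senior must hold one.
    """
    required = policy.get(service, {}).get(role)
    if not required:
        return True  # not constrained by CASA; the PDP decision stands
    active = {row[1] for row in session_table if row[3] == service}
    for senior in required:
        if senior == "ANY":
            if not any(is_senior(r, role) for r in active):
                return False
        elif senior not in active:
            return False
    return True
```

Only sessions on the same service count, so a CEO logged into RDP does not unlock a DB Admin's SSH access; and because the check is re-run on every open, a senior's session expiring or being closed immediately stops new junior sessions, while sessions the junior already has open are the firewall daemon's business.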

Performance Analysis (unit: ms)

Web resources (ISAPI)
Resource         Retrieve AC from AD   PDP decision   Total request time
Finance Mgmnt    5.4750                3.0345         10.3476
Sales Write      6.2864                4.3872         13.7203
Posting orders   6.9820                4.92345        13.8433
View orders      5.1734                4.1093         11.7390

Network resource (Global.asax), new session
Resource   Retrieve AC from AD   PDP decision   CASA decision   Firewall update   Total request time
SSH        5.8730                3.8264         2.3654          15.5093           29.4374
RDP        5.7639                4.9276         3.1093          17.1204           32.2841
MySQL      6.1927                3.1043         2.5831          14.7627           30.6392

Network resource (Global.asax), session refresh
Resource   Retrieve AC from AD   PDP decision   CASA decision   Total request time
SSH        6.8093                4.3298         3.9485          20.5912
RDP        7.7602                3.8749         2.2037          20.5382
MySQL      6.3175                3.7829         2.5582          19.7045

Future Work
Extend the system to work in a multi-agency environment.
Develop more services that take advantage of the existing RBAC architecture, for instance:
RBAC E-Voting: users vote based on their roles.
RBAC Instant Messenger: users chat based on their roles.
RBAC E-Mail: users send e-mail based on their roles.
RBAC XXX and so on...
Support more operating systems (Mac, Solaris, ...).
Improve the admin tool to initialize and modify Active Directory, and to generate XACML policies.
Support wireless access.

Thesis Contributions
Provide a robust architecture for large-scale companies to access sensitive resources securely according to a hierarchical role-based access policy.
Extend XACML to handle the Hierarchical Role-Based Access Control (HRBAC) model.
Add a new concept of secure access in which a senior role can restrict its junior role's access through active-session management.
Enhance IIS 6.0 with two components, an ISAPI filter and Global.asax.
Simplify PKI and PMI management, thereby reducing management cost and errors.

ENforCE Demo

Q & A