Ideas for future work

E. Fernandez

10/07/04

Where are we now?

• We sent a proposal on medical security to NSF—It was not funded

• We got money for wireless web services security—Project is starting

• We wrote several papers and several more are being written

• Thesis work—Tami and Juan finished their MS theses. Nelly, Andrei, Alvaro, Ajoy, and Laszlo are defining their future work

Medical security

• Survey of models—Andrei has done some work on this. We will write a survey paper.

• Access control model—We wrote two papers (LACCEI, eSociety). We are refining it.

• New version of NSF proposal (NIH?)

Work on medical modeling

• Study of medical requirements and policies: BRCH and another hospital (Tami)

• Study of HL7 and JADIS (Tami)

• Paper on analysis of HL7 for security (Ed and Tami)

• More patterns for medical applications and extension of model

readauthorizeUse

MedicalRecord

readmodify

custodian InChargeOf

MedicalRelationship

forAll(p: PatientID->notify(self.Log.accessor)

* **

1..*

Right

Patient.patientID = MedicalRecord.patientID

patientID: IntegerdateOfBirth: Datename: String address: Stringage: Integersex:{male, female}

Patient

InpatientOutpatient InpatientOutpatient

TreatmentHistory

medications:Stringprocedures:string

*

1

readmodify

Right

Doctor.LoginrID = MedicalRecord.doctorID

doctorID: IntegerdateOfBirth: Datename: String address: Stringage: Integersex:{male, female}

Doctor

custodian

0..*

1

accessor: Stringperiod: Stringdate: DateaccesType

Log

<<role>>

Patient

1

LoginID: Integer

<<role>>

Doctor

1

LoginID: Integer

Secure software development

• Paper for Las Vegas conference• Refine secure software development

methodology: use cases, mapping from conceptual model to component model

• More patterns for the catalog: XML firewall (Nelly, Ed, Saeed, Maria), network firewalls (Ed, Maria, Naeem, Nelly)

• Adapt for wireless secure systems

Secure systems development methodology

• Apply security principles throughout the whole software lifecycle

• Use of object-oriented design and RBAC

• Use cases define rights for roles

• Patterns build a secure conceptual model

• Multilayer architecture extends the model to the lower architectural levels

Specific items to do

• Extend use case templates to indicate security constraints

• Extend the component pattern to include security

• Map from conceptual model security to component security

Voterregistration

Voting

Keep voterslist

C ountyvoting

Local votingRemotevoting

Tally result

Voter

Precinct officer

Component pattern

Client

FactoryProxy

Component

Container

Enterprise Component Framework

PersistenceService

RemoteProxy

Context

<<call>>

<<call>>

<<call>>

<<call>>

<<call>>

<<call>>

<<call>>

Factory

Remote

Factory

Remote

Extend current work

• Firewalls—Basic types are done, develop varieties

• Attribute-based access control—Develop more pattern varieties and dynamic details

• New pattern for virtual machine security

• New pattern for virtual vault architecture

Network Firewalls

Proxy-Based Firewall

Packet Filter Firewall Stateful FirewallAddress Filtering

Address Filtering Keep State

Keep State

Proxy Filtering

Attribute-based RBAC

RBAC Pattern

Session Pattern

MBACPattern

MBAC Pattern w/Sessions

MBAC Pattern w/Predicates

CompositeMBAC Pattern

DAC Pattern

AuthorizationPattern

<<uses>> <<adapts>>

<<

use

s>>

VM Object-Oriented Class Model

VM OS

VM

OS

HyperVisor

supports *

*

1 *

*

*

Can run

<<controls>>

Virtual Vault architecture

W ebS erver

Au ditT ra il

C G IIns ide

Int .W eb

Serv er

Au th.Info

In tServ er

O u tsid e

E xt.B rowse r

Gateway

S ystem

H T M LPa ges

C G I S crip ts

In t.Br owser

Sys H i

Physical/ location-based access control

• Subjects are people. Protection object is a physical location. Type of access could be to a location or a part of a location.

• This model can be used to control access to physical locations, e.g., rooms in a hospital. Ph.D. thesis of Alvaro

• Mobile systems application—location privacy (MS Location-based services)

Wireless web services security

• We completed security survey (Wireless LAN handbook). Now being extended (Mike, Ed, Maria, Saeed)

• Survey of cryptographic methods for wireless security (Saeed)

• Survey of web services security (Ed, Tami, Maria)• Patterns for web services and distributed security

(XML firewall, Secure Broker, SAML)• Secure wireless systems architecture

Wireless web services

• Many standards and still evolving

• Some standards compete with each other or overlap

• The situation gets more complex when we add wireless architectures

• Clerify relationships between standards

XKMS

XACML

XML DSig

SAML

XrML

XML Enc

SOAP

Kerberos X.509

SSL

WS-Security

More standards

WS-SecureConversation WS-Federation WS-Authorization

WS-Trust WS-PrivacyWS-Policy

WS-PolicyAttachments Policy Assertions

WS-PolicyFramework

WS-Security

SOAP Foundation

Patterns for web services and distributed security

• Pattern for architecture of application firewall using multiple agents. Also Reverse Proxy pattern (Nelly)

• Authentication patterns (Nelly)

• Survey of web services security products

• Patterns for Secure Broker units (Ed)

idcredentials

Service

idcredentialsroles

serviceIdrolepredicate

Identity Policy

authenticate()grantAccess()log()definePolicy()defineUser()defineRole()removeUser()removeRole()

addSchema()removeSchema()updateSchema()

SchemaDatabase

XMLSchemaValidator

HarmfulDataDetector

ContentInspector

XMLFirewall

requestServiceXMLMessage

IdentityBase PolicyBase

PolicyDefinitionPoint

interceptMessage()controlAccess(url, id, credentials)

PolicyEnforecementPoint

Client

url

executeService()

Application

*

* *

*

*

* *

**

11

1

1 1

1 1

1

Application Level

Implementation Level

checkAccess

communicatesThrough

accessService

* 1

ApplicationConceptual Model

Layers MVC / PAC Reflection

Complexity Interaction Adaptability

Broker ProxyClient / Servant

accessAdapter

interoperation

Façadeservantmanagement

... resourcemanagement

Client / Dispatcher /Server

Communication

Lookupnamingservice

concurrency ......event handling

...structure /extension

distribution

Security of workflow and business levels

• Study UML model for ebXML registries and develop pattern.

• Workflow level security: BPL4WS, ebXML

• An area largely unexplored

WS1 WS2

Registry

PAYLOADHEADER . . .

. . . HTTP

XML

SOAP

Web Services

Catalog and Description

Business Workflow

ebXML Registry Security model

<<Interface>>AccessControlPolicy

Permission

Privilege

<<Interface>>PrivilegeAttribute

<<Interface>>RegistryObject

identity: Identitygroups: collectionroles: collectionsecurityClearances: collection

getGUID() : StringsetGUID(guid : String) : voidgetURL() : URLsetURL(url : URL) : voidgetName() : StringsetName(name : String) : voiddepricate() : voiddelete() : void

<<Interface>>SecurityClearance

<<Interface>>Group

<<Interface>>Role

<<Interface>>Identity

Principal

0.n 1

0..n

1..n

0..n

1..n

1

0..n

0..n 0..n

0..n 1

Privacy preferences

• User control over personal information

• P3P (Platform for Privacy Preferences), developed by the W3C

• A standardized set of multiple-choice questions about privacy policies

RBAC hierarchies

• R. Sandhu developed the ARBAC model

• Administrators and subjects are organized in a lattice

• They have applied this model to medical systems.

• It is too restrictive, we can find better ways

(I started in an old paper) (Saeed)

A role hierarchyClinicalManager

Doctor Nurse

Patient

ClinicalEmployee

Patient AffairsDirector

Patient AffairsManager

Other

• VoIP (Juan)—We are writing two papers (Ed, Mike)

• Chemical engineering patterns (Deepa)

• Third party assurance (Mike)

• Sarbanes/Oxley –regulation for financial institutions, this is a good area, nothing done on security aspects

Conclusions

• Many possibilities, all interesting• Look at Recent Publications in my web

page and at past talks, ask me for references • Select an idea, write something, submit it

for discussion (email)• Make a presentation for the group• Paper for conference or journal and/or

thesis/dissertation