ISSEA 2002-1

Security Engineering for Roles and Resources in a Distributed Environment

Profs. Steven A. Demurjian and T.C. Ting
Computer Science & Engineering Department
191 Auditorium Road, Box U-155
The University of Connecticut
Storrs, Connecticut 06269-3155
http://www.engr.uconn.edu/~steve
[email protected]

Lt.Col. Charles E. Phillips, Jr.
Computer Science & Engineering Department
191 Auditorium Road, Box U-155
The University of Connecticut
Storrs, Connecticut 06269-3155
[email protected]

ISSEA 2002-2

Overview of Presentation

Introduction
Distributed Security Model
Enforcement Framework
Experimental Prototype
Supporting Advanced Applications
Conclusions
Future Work

ISSEA 2002-3

Introduction: Goals of Our Research

Incorporation of Role-Based Security within a Distributed Resource Environment
  Highly-Available Distributed Applications Constructed Using Middleware Tools
  Demonstrate Use of Lookup Service to Provide Role-Based Access of Clients to Resources
Propose Software Architecture and Role-Based Security Model with Constraints for
  Authorization of Clients Based on Role
  Authentication of Clients and Resources
  Enforcement and Tracking so Clients Only Use Authorized Services (of Resource)
Propose a Flexible Security Solution for Clients and Services (Resources) in Dynamic Coalitions

ISSEA 2002-4

Introduction: Proposed Architecture

[Architecture diagram. Clients: Java Client, Legacy Client, Database Client, Software Agent, COTS Client, Security Authorization Client (SAC), Security Policy Client (SPC). Resources: Wrapped Resource for Legacy Application, Wrapped Resource for Database Application, Wrapped Resource for COTS Application, General Resource, Global Clock Resource (GCR), and the Unified Security Resource (USR). Clients and resources meet through the Lookup Service. The USR offers Security Registration Services, Security Policy Services, Security Authorization Services, and Security Analysis and Tracking (SAT).]

ISSEA 2002-5

Distributed Security Model: Lookup Service Middleware

Construct Distributed Applications by Federating Groups of Users
  Resources Provide Services for Users
A Resource Provides a Set of Services for Use by Clients (Users) and Other Resources (Services)
A Service is Similar to a Set of Public Methods
  Exportable - Analogous to API
  Any Entity Utilized by Person or Program
  Samples Include: Computation, Persistent Store, Printer, Sensor, Software Filter, Real-Time Data Source
Services: Concrete Interfaces of Components
Services Register with Lookup Service

ISSEA 2002-6

Distributed Security Model: Join, Lookup, and Service Invocation

[Diagram with three parties: the Client, the Lookup Service (a Registry of Entries, each holding a Service Object and Service Attributes), and the Resource (the CourseDB Class, which Contains Method AddCourse( )). The Resource joins by registering and leasing its services; the Client sends RequestService AddCourse(CSE900) to the Lookup Service and gets back a Proxy to AddCourse( ); Service Invocation then goes via the Proxy by a Transparent RMI Call.]

Step 1. Join. Services are registered
Step 2. Client makes request
Step 3. Lookup Service returns Service
Step 4. Client Invokes AddCourse(CSE230) on Resource
Step 5. Resource Returns Results of Invocation to Client

ISSEA 2002-7

Distributed Security Model: Lookup Service Shortfalls

Many Current Lookup Services
  Successfully Dictate Service Utilization
  Require a Programmatic Solution for Security
  Do Not Selectively and Dynamically Control Access Based on Client Role
Security of a Distributed Resource Should Selectively and Dynamically Control Client Access to Services Based on the Role
Our Approach
  Define Dedicated Resources to Authorize, Authenticate, and Enforce Security by Role
  Proposed Unified Security Resource (USR)
    Policy Services, Authorization Services, Registration Services, & Analysis/Tracking Services

ISSEA 2002-8

Distributed Security Model: Resource, Service, Methods

Definition 1: A Distributed Application Consists of M Software/System Resources (Legacy, COTS, Database, Web Server, Etc.), Each Uniquely Identifiable.

Definition 2: Each Resource is Composed of Services That Are Uniquely Identifiable.

Definition 3: Each Service is Composed of a Set of Uniquely Identifiable Methods. Note That the Triple (R-id, S-id, M-id) is Unique.

Definition 4: The Signature of a Method of a Service of a Resource is Unique, and Consists of:
  Method Name
  Parameter List of Names/Types
  Return Type (Possibly Null)

ISSEA 2002-9

Distributed Security Model: Resources, Services, and Methods

Read Service with Methods:
  String getAllClasses (Token);
  String getRegisteredCourses (Token, StudentName);
  Vector getClasses (long Token, Semester);
  Vector getClassDescription (Token, Course);
  Vector getPreReqCourses (Token, Course);
  Vector getVacantClasses (Token, Semester);

Modification Service with Methods:
  boolean addCourse (Token, Course);
  boolean removeCourse (Token, Course);
  boolean updateEnroll (Token, CourseNumber, UpdateChoice, NewValue);
  boolean registerCourse (Token, Course, StudentName);
  boolean dropCourse (Token, Course, StudentName);

ISSEA 2002-10

Distributed Security Model: Roles and Constraints

Definition 5: A User Role, UR, is a Uniquely Identifiable Named Entity Representing a Specific Set of Responsibilities Against an Application.

Definition 6: A Signature Constraint, SC, is a Boolean Expression Defined on a Method Signature to Limit the Allowable Values on the Parameters and the Return Type.

Definition 7: A Time Constraint, TC, is an Expression Defined for a Discrete Period of Time (Days or Time Period in GMT) Under Which a Method Can Be Invoked:

TC = {E | E = "Never" or E = "Always" or E = Boolean Expression}.

ISSEA 2002-11

Distributed Security Model: Roles and Constraints

Sample Signature Constraints for CourseDB Resource
  Modification, addCourse, cse101 ≤ course ≤ cse499
  Modification, updateEnroll, newValue ≤ 30
  Read, getClasses, semester = Spring

Sample Time Constraints
  01jan01 ≤ date ≤ 31mar01
  1apr01 ≤ date ≤ 14apr01
  date = 10apr01

ISSEA 2002-12

Distributed Security Model: Privilege Tuples and Authorizations

Definition 8: Assume a Distributed Application Consists of Resources, Services, and Methods. A Security Privilege Tuple Contains a Specific Resource, Service, and/or Method (with Optional Time and Signature Constraint):

{UR, TC, Ri, Sij, [Mijk, SCijk]}

Definition 9: Assume a Distributed Application of Resources, Services, and Methods. A Security Privilege Tuple Set Contains All of the Resources, Services, and Methods that have been Authorized (Granted) to a UR:

Security Privilege Tuple Set = {[UR, TC, Ri, Sij, [Mijk, SCijk]]}

ISSEA 2002-13

Distributed Security Model: Roles, Constraints, and Authorizations

Role: CSEFaculty
{[CSEFaculty, always, CourseDB, Read, [*]],
 [CSEFaculty, 01jan01 ≤ date ≤ 31mar01, CourseDB, Modification, [addCourse, cse101 ≤ course ≤ cse499]],
 [CSEFaculty, always, CourseDB, Modification, [updateEnroll, newValue ≤ 30]]}

Role: CSEUndergrad
{[CSEUndergrad, 10dec00 ≤ date ≤ 16feb01, CourseDB, Read, [getClasses, semester = Spring]],
 [CSEUndergrad, 1apr01 ≤ date ≤ 14apr01, CourseDB, Modification, [registerCourse, cse101 ≤ course ≤ cse299]],
 [CSEUndergrad, 15apr01 ≤ date ≤ 30apr01, CourseDB, Modification, [registerCourse, true]]}

Authorized Users/Roles
  Harris: CSEUndergrad
  Jones: CSEFaculty, CSEDeptHead

Token: [Harris, UR/CSEUndergrad, IP/100.150.200.250, Time/16mar01-14:50:04]
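An added example, not code from the paper or its JINI/CORBA prototype, that turns Definitions 6 through 11 and the CSEFaculty/CSEUndergrad privilege tuple sets above into an executable Check_Privileges: both constraint kinds are predicates, a tuple matches only when role, resource, service and method agree and both its TC and its SC hold on the invocation date and the actual parameter values, and only the single role carried inside the token counts. Assumptions made here: the sample constraints are inclusive ranges, ParamValueList is passed as a name-to-value dictionary, and Jones's token (IP address included) is constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Callable, Dict, List, Optional

# Definition 7: a TC is "Never", "Always", or a Boolean expression over the date
# of invocation. Definition 6: an SC is a Boolean expression over the method's
# actual parameter values. Both are modelled as predicates.
TimeConstraint = Callable[[date], bool]
SignatureConstraint = Callable[[Dict[str, object]], bool]

ALWAYS: TimeConstraint = lambda d: True
NEVER: TimeConstraint = lambda d: False


def between(start: date, end: date) -> TimeConstraint:
    """TC of the form start <= date <= end, inclusive at both ends (assumed)."""
    return lambda d: start <= d <= end


def course_num(course: str) -> int:
    """'cse230' -> 230, so 'cse101 <= course <= cse499' becomes an integer range check."""
    if course[:3].lower() != "cse":
        raise ValueError(f"not a CSE course id: {course!r}")
    return int(course[3:])


@dataclass(frozen=True)
class PrivilegeTuple:
    """[UR, TC, Ri, Sij, [Mijk, SCijk]] (Definition 8). method == "*" grants every
    method of the service; sc None is the signature constraint "true"."""
    role: str
    tc: TimeConstraint
    resource: str
    service: str
    method: str = "*"
    sc: Optional[SignatureConstraint] = None


@dataclass(frozen=True)
class Token:
    """[User-id, UR-id, IP-address, Token-creation-time] (Definition 11)."""
    user: str
    role: str
    ip: str
    created: datetime


def check_privileges(tuple_set: List[PrivilegeTuple], token: Token, r_id: str,
                     s_id: str, m_id: str, params: Dict[str, object], today: date) -> bool:
    """Check_Privileges(Token, R_Id, S_Id, M_Id, ParamValueList): authorized iff some
    tuple granted to the token's role names this (resource, service, method) and both
    its TC (on today's date) and its SC (on the parameters) hold. A user plays exactly
    one role per session (Definition 10), so other roles the user holds do not count."""
    for pt in tuple_set:
        if (pt.role, pt.resource, pt.service) != (token.role, r_id, s_id):
            continue
        if pt.method not in ("*", m_id):
            continue
        if not pt.tc(today):
            continue
        if pt.sc is not None and not pt.sc(params):
            continue
        return True
    return False


# Constructed from the CSEFaculty and CSEUndergrad tuples on the slide; the
# Security Privilege Tuple Set (Definition 9) is the union over both roles.
PRIVILEGE_TUPLE_SET: List[PrivilegeTuple] = [
    PrivilegeTuple("CSEFaculty", ALWAYS, "CourseDB", "Read"),
    PrivilegeTuple("CSEFaculty", between(date(2001, 1, 1), date(2001, 3, 31)),
                   "CourseDB", "Modification", "addCourse",
                   lambda p: 101 <= course_num(p["course"]) <= 499),
    PrivilegeTuple("CSEFaculty", ALWAYS, "CourseDB", "Modification",
                   "updateEnroll", lambda p: p["newValue"] <= 30),
    PrivilegeTuple("CSEUndergrad", between(date(2000, 12, 10), date(2001, 2, 16)),
                   "CourseDB", "Read", "getClasses", lambda p: p["semester"] == "Spring"),
    PrivilegeTuple("CSEUndergrad", between(date(2001, 4, 1), date(2001, 4, 14)),
                   "CourseDB", "Modification", "registerCourse",
                   lambda p: 101 <= course_num(p["course"]) <= 299),
    PrivilegeTuple("CSEUndergrad", between(date(2001, 4, 15), date(2001, 4, 30)),
                   "CourseDB", "Modification", "registerCourse"),  # SC "true"
]

# Harris's token is the one printed on the slide. Jones's token is constructed here
# (the IP address is invented); Jones plays CSEFaculty this session, not CSEDeptHead.
HARRIS = Token("Harris", "CSEUndergrad", "100.150.200.250", datetime(2001, 3, 16, 14, 50, 4))
JONES = Token("Jones", "CSEFaculty", "100.150.200.251", datetime(2001, 2, 1, 9, 0, 0))


def can_register(token: Token, course: str, today: date) -> bool:
    """registerCourse(Token, Course, StudentName) on the Modification service."""
    return check_privileges(PRIVILEGE_TUPLE_SET, token, "CourseDB", "Modification",
                            "registerCourse", {"course": course, "studentName": token.user}, today)


def can_add_course(token: Token, course: str, today: date) -> bool:
    """addCourse(Token, Course) on the Modification service."""
    return check_privileges(PRIVILEGE_TUPLE_SET, token, "CourseDB", "Modification",
                            "addCourse", {"course": course}, today)


if __name__ == "__main__":
    for course, day in [("cse230", date(2001, 4, 10)), ("cse350", date(2001, 4, 10)),
                        ("cse350", date(2001, 4, 20)), ("cse230", date(2001, 3, 16))]:
        print(f"Harris registerCourse({course}) on {day}: {can_register(HARRIS, course, day)}")
```

The two registerCourse tuples show why the constraints live inside the tuple rather than on the role: the same role and method carry a narrow course range in the first half of April and no range at all in the second half, and Harris's request for cse350 is refused on 10 April but accepted on 20 April without any change to the role itself.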

ISSEA 2002-14

Distributed Security Model: User and Authorizations

Definition 10: A User, U, is Uniquely Identifiable (User-id) and Authorized to Play One or More Roles in an Application. A User Must Always Play Exactly One Role at Any Point During an Active Session, but is Able to Change Roles During a Session.

Definition 11: A Client, C, Represents an Authorized User, U, Utilizing a Client Application, and is Uniquely Identified During a Specific Session Via a System Generated Token:

[User-id, UR-id, IP-address, Token-creation-time]

ISSEA 2002-15

Enforcement Framework: The Unified Security Resource (USR)

[The architecture diagram of ISSEA 2002-4 repeated, now highlighting the Unified Security Resource (USR) with its Security Registration Services, Security Policy Services, Security Authorization Services, and Security Analysis and Tracking (SAT), alongside the Lookup Service, the Global Clock Resource (GCR), the General Resource, the Wrapped Resources for Legacy, Database and COTS Applications, the Security Authorization Client (SAC), the Security Policy Client (SPC), and the Java, Legacy, Database, COTS and Software Agent clients.]

ISSEA 2002-16

Enforcement Framework: Security Policy Services

Register Service:
  Register_Resource(R_Id);
  Register_Service(R_Id, S_Id);
  Register_Method(R_Id, S_Id, M_Id);
  Register_Signature(R_Id, S_Id, M_Id, Signat);
  UnRegister_Resource(R_Id);
  UnRegister_Service(R_Id, S_Id);
  UnRegister_Method(R_Id, S_Id, M_Id);
  Unregister_Token(Token);

Query Privileges Service:
  Query_AvailResource();
  Query_AvailMethod(R_Id);
  Query_Method(Token, R_Id, S_Id, M_Id);
  Check_Privileges(Token, R_Id, S_Id, M_Id, ParamValueList);

User Role Service:
  Create_New_Role(UR_Name, UR_Disc, UR_Id);
  Delete_Role(UR_Id);

Constraint Service:
  DefineTC(R_Id, S_Id, M_Id, TC);
  DefineSC(R_Id, S_Id, M_Id, SC);
  CheckTC(Token, R_Id, S_Id, M_Id);
  CheckSC(Token, R_Id, S_Id, M_Id, ParamValueList);

Grant-Revoke Service:
  Grant{Revoke}_Resource(UR_Id, R_Id);
  Grant{Revoke}_Service(UR_Id, R_Id, S_Id);
  Grant{Revoke}_Method(UR_Id, R_Id, S_Id, M_Id);
  Grant{Revoke}_SC(UR_Id, R_Id, S_Id, M_Id, SC);
  Grant{Revoke}_TC(UR_Id, R_Id, S_Id, M_Id, TC);

ISSEA 2002-17

Enforcement Framework: Other Services

SECURITY REGISTRATION SERVICES
Register Client Service:
  Create_Token(User_Id, UR_Id, Token);
  Register_Client(User_Id, IP_Addr, UR_Id);
  UnRegister_Client(User_Id, IP_Addr, UR_Id);
  IsClient_Registered(Token);
  Find_Client(User_Id, IP_Addr);

SECURITY AUTHORIZATION SERVICES
Authorize Role Service:
  Grant_Role(UR_Id, User_Id);
  Revoke_Role(UR_Id, User_Id);
Client Profile Service:
  Verify_UR(User_Id, UR_Id);
  Erase_Client(User_Id);
  Find_Client(User_Id);
  Find_All_Clients();

Security Tracking and Analysis Services
  Tracking Service: Logfile(Log String)
  Analysis Service: Analyze(Java Class File)

ISSEA 2002-18

Enforcement Framework: Client, Resource, Service Invocations

[Sequence diagram among the Course Client, the Lookup Service, the UnivDB Resource, and the USR with its Security Authorization Services, Security Registration Services and Security Policy Services. The numbered messages:]

1. Register_Client(Harris, cse.uconn.edu, CSEUndergrad) (Course Client to Security Registration Services)
2. Verify_UR(Harris, CSEUndergrad) (Security Registration Services to Security Authorization Services)
3. Client OK?
4. Return Result, Create_Token(CSEUndergrad, Token)
5. Discover/Lookup(UnivDB, Modification, RegisterCourse) Returns Proxy to Course Client
6. RegisterCourse(Token, CSE230, Harris) (Course Client to UnivDB Resource via the proxy)
7. IsClient_Registered(Token) (UnivDB Resource to Security Registration Services)
8. Return Result of IsClient_Registered(…)
9. Check_Privileges(Token, UnivDB, Modification, RegisterCourse, [CSE230, Harris]) (UnivDB Resource to Security Policy Services)
10. Return Result of Check_Privileges(…)
11. Return Result, RegisterCourse(…) (UnivDB Resource to Course Client)
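The eleven-step exchange above, as an added example that is not the paper's or the prototype's code: a minimal Unified Security Resource in Python with the Register_Client / Verify_UR / Create_Token path, the IsClient_Registered and Check_Privileges checks that a wrapped UnivDB resource performs before it runs RegisterCourse, and a Logfile trail. Assumed for the example: the policy is a bare (UR, R, S, M) grant set without time or signature constraints, the lookup service is a dictionary that hands out the wrapped method as its proxy, and the clock is fixed at the token timestamp from the earlier slide.

```python
from datetime import datetime
from typing import Callable, Dict, List, Optional, Set, Tuple

# A token is the 4-tuple of Definition 11. Only the USR creates one, and a
# wrapped resource accepts a token only while the USR still holds it.
Token = Tuple[str, str, str, str]   # (User-id, UR-id, IP-address, Token-creation-time)


class UnifiedSecurityResource:
    def __init__(self, clock: Callable[[], datetime]):
        self._clock = clock                                    # stands in for the Global Clock Resource
        self._roles: Dict[str, Set[str]] = {}                  # Authorization Services: user -> granted roles
        self._grants: Set[Tuple[str, str, str, str]] = set()   # Policy Services: (UR, R, S, M) grants
        self._tokens: Set[Token] = set()                       # Registration Services: live client tokens
        self.log: List[str] = []                               # Tracking Service: Logfile(Log String)

    def logfile(self, line: str) -> None:
        self.log.append(f"{self._clock().isoformat()} {line}")

    # --- Security Authorization Services (Authorize Role / Client Profile) ---
    def grant_role(self, ur_id: str, user_id: str) -> None:
        self._roles.setdefault(user_id, set()).add(ur_id)

    def revoke_role(self, ur_id: str, user_id: str) -> None:
        self._roles.get(user_id, set()).discard(ur_id)
        # A revoked role must not live on inside an already issued token.
        self._tokens = {t for t in self._tokens if not (t[0] == user_id and t[1] == ur_id)}

    def verify_ur(self, user_id: str, ur_id: str) -> bool:
        return ur_id in self._roles.get(user_id, set())

    # --- Security Policy Services (Grant-Revoke / Query Privileges) ---
    def grant_method(self, ur_id: str, r_id: str, s_id: str, m_id: str) -> None:
        self._grants.add((ur_id, r_id, s_id, m_id))

    def check_privileges(self, token: Token, r_id: str, s_id: str, m_id: str, params: list) -> bool:
        ok = token in self._tokens and (token[1], r_id, s_id, m_id) in self._grants
        self.logfile(f"Check_Privileges {token[0]}/{token[1]} {r_id}.{s_id}.{m_id}{params}: {ok}")
        return ok

    # --- Security Registration Services (Register Client) ---
    def register_client(self, user_id: str, ip_addr: str, ur_id: str) -> Optional[Token]:
        if not self.verify_ur(user_id, ur_id):                 # steps 2-3: Verify_UR, Client OK?
            self.logfile(f"Register_Client {user_id} as {ur_id} from {ip_addr}: refused")
            return None
        token: Token = (user_id, ur_id, ip_addr, self._clock().strftime("%d%b%y-%H:%M:%S"))
        self._tokens.add(token)                                # step 4: Create_Token
        self.logfile(f"Register_Client {user_id} as {ur_id} from {ip_addr}: token issued")
        return token

    def unregister_client(self, token: Token) -> None:
        self._tokens.discard(token)

    def is_client_registered(self, token: Token) -> bool:
        return token in self._tokens


class UnivDBResource:
    """Wrapped resource: every exported method asks the USR twice before doing
    any work, once for the token (step 7) and once for the privilege (step 9)."""

    def __init__(self, usr: UnifiedSecurityResource):
        self.usr = usr
        self.enrollments: Dict[str, Set[str]] = {}

    def register_course(self, token: Token, course: str, student: str) -> bool:
        if not self.usr.is_client_registered(token):
            return False
        if not self.usr.check_privileges(token, "UnivDB", "Modification", "RegisterCourse", [course, student]):
            return False
        self.enrollments.setdefault(course, set()).add(student)   # the resource's actual work
        return True


def run_scenario() -> dict:
    """Replays the eleven steps of the slide, then three ways the same call is refused."""
    usr = UnifiedSecurityResource(clock=lambda: datetime(2001, 3, 16, 14, 50, 4))
    usr.grant_role("CSEUndergrad", "Harris")
    usr.grant_method("CSEUndergrad", "UnivDB", "Modification", "RegisterCourse")
    univdb = UnivDBResource(usr)
    lookup = {("UnivDB", "Modification", "RegisterCourse"): univdb.register_course}

    token = usr.register_client("Harris", "cse.uconn.edu", "CSEUndergrad")   # steps 1-4
    proxy = lookup[("UnivDB", "Modification", "RegisterCourse")]            # step 5
    harris_ok = proxy(token, "CSE230", "Harris")                            # steps 6-11

    # A token the USR never issued (same shape, a different role) fails at step 7.
    unissued = ("Harris", "CSEFaculty", "cse.uconn.edu", token[3])
    unissued_ok = proxy(unissued, "CSE230", "Harris")
    # Registering under a role Verify_UR does not confirm yields no token at all.
    bad_role_token = usr.register_client("Harris", "cse.uconn.edu", "CSEFaculty")
    # After UnRegister_Client the old token no longer passes IsClient_Registered.
    usr.unregister_client(token)
    after_logout_ok = proxy(token, "CSE231", "Harris")

    return {"harris_ok": harris_ok, "unissued_ok": unissued_ok, "bad_role_token": bad_role_token,
            "after_logout_ok": after_logout_ok, "enrollments": univdb.enrollments, "log": usr.log}
```

The point of the two calls inside register_course is the one the slide makes: the resource never decides on its own whether the caller is who the token says or whether the role may invoke the method; both answers come from the USR, and the Logfile entry for every Check_Privileges is what the Tracking/Analysis client later reviews.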

ISSEA 2002-19

Enforcement Framework: Security Prototype (JINI and CORBA)

During the Past Two Years, an Extensive Prototype has Been Developed on NT/Linux Using:
  Java as Main Development Language
  JINI/CORBA as Middleware
  Oracle/MS Access as Databases
Security Management/Administration Tools
  Security Policy Client
  Security Authorization Client
  Tracking/Analysis Client
We'll Discuss Each in Turn by Reviewing a Series of GUI Bitmaps

ISSEA 2002-20

Enforcement Framework: Security Prototype (JINI and CORBA)

[Prototype diagram: a Java GUI PDB Client and a Java GUI UDB Client, together with the Security Policy Client and the Security Authorization Client, reach the Patient DB Resource (PDB) and the University DB Resource (UDB) through a JINI Lookup Service and a CORBA Lookup Service; the Security System Resource, the PDB & UDB resources, and a Common Resource (Global Clock) complete the picture.]

PDB Server Service: write_medical_history(); write_prescription(); get_medical_history(); get_diagnosis(); set_payment_mode();

UDB Server Service: GetClasses(); PreReqCourse(); GetVacantClasses(); EnrollCourse(); AddCourse(); RemoveCourse(); UpdateCourse().

ISSEA 2002-21

Security Prototype: Security Policy Client

[GUI screenshot]

ISSEA 2002-22

Security Prototype: Defining a Signature Constraint

[GUI screenshot]

ISSEA 2002-23

Security Prototype: Tracking Logins and Actions

[GUI screenshot]

ISSEA 2002-24

Security Prototype: Security Authorization Client

[GUI screenshot]

ISSEA 2002-25

Security Prototype: Tracking Methods of Resources

[GUI screenshot]

ISSEA 2002-26

Security Prototype: Global Clock Server for Timestamp

[GUI screenshot]

ISSEA 2002-27

Security Prototype: Client Authentication Upon Login

[GUI screenshot]

ISSEA 2002-28

Security Prototype: Registering Individual Method

[GUI screenshot]

ISSEA 2002-29

Security Prototype: Registering Methods for Resource

[GUI screenshot]

ISSEA 2002-30

Security Prototype: Confirmation of Registered Methods

[GUI screenshot]

ISSEA 2002-31

Security Prototype: Tracking Defined Resources

[GUI screenshot]

ISSEA 2002-32

Security Prototype: Administration of Roles

[GUI screenshot]

ISSEA 2002-33

Security Prototype: Creating User Role

[GUI screenshot]

ISSEA 2002-34

Security Prototype: Granting Resources to Roles

[GUI screenshot]

ISSEA 2002-35

Security Prototype: Reviewing Access of Resources to Roles

[GUI screenshot]

ISSEA 2002-36

Security Prototype: Granting Methods to Roles

[GUI screenshot]

ISSEA 2002-37

Security Prototype: Confirmation of Method to Role

[GUI screenshot]

ISSEA 2002-38

Security Prototype: Creating a User

[GUI screenshot]

ISSEA 2002-39

Security Prototype: Granting Roles to User

[GUI screenshot]

ISSEA 2002-40

Supporting Advanced Applications: Dynamic Coalition Problem

A Crisis is Any Situation Requiring National or International Attention as Determined by the President of the United States or the UN
A Coalition is an Alliance of Organizations: Military, Civilian, International or Any Combination
A Dynamic Coalition is Formed in a Crisis and Changes as the Crisis Develops, with the Key Concern Being the Most Effective Way to Solve the Crisis
The Dynamic Coalition Problem (DCP) is the Inherent Security, Resource, and/or Information Sharing Risks that Occur as a Result of the Coalition Being Formed Quickly

ISSEA 2002-41

Supporting Advanced Applications: Global Command And Control System

GCCS is Used to Manage Activities in a Joint and Combined Environment
  Joint Refers to More than One Branch: Army, Navy, Air Force, Marines, or Coast Guard; Combined Means More Than One Country
GCCS Provides a Local Commander With Operational Awareness in Near Real-time Through an Integrated Set of Resources and Services
GCCS Provides Information-Processing Support to Planning, Mobility, Sustainment, and Messaging by Bringing Together 20 Separate Automated Systems, With Several Additions Planned

ISSEA 2002-42

Supporting Advanced Applications: GCCS Shortfalls

Does Not Consider Multiple Roles for Users
Does Not Place Time Limitations on Users
Does Not Use Any Resource Constraints
Is Not a Multi-level Secure System
Is a U.S.-Only System

ISSEA 2002-43

Supporting Advanced Applications: DCP Objectives

Federate Users Quickly and Dynamically
Bring Together Resources Without Modification
Dynamically Realize and Manage Simultaneous Crises
Identify Users by their Roles to Finely Tune Access
Authorize, Authenticate, and Enforce a Scalable Security Policy That is Flexible in Response to Coalition Needs
Security Solution that is Portable, Extensible, and Redundant for Survivability
Management and Introspection Capabilities to Track and Monitor System Behavior

ISSEA 2002-44

Concluding Remarks

For a Distributed Resource Environment
  Proposed & Explained a Constraint-Based Approach to Role Security
  Authorize, Authenticate, and Enforce
Presented a Software Architecture Containing
  A Constraint-Based Security Model for Role Security in a Distributed Resource Environment
  An Enforcement Framework for Security with Registration, Authorization, and Policy Services

ISSEA 2002-45

Concluding Remarks

Developed Prototype System
  JINI and CORBA-Based Prototype for Role-Based Security Model that Allows Role Access
  System is Flexible, Scalable and Redundant
  System Uses Constraints to Realize Policy
Presented Real-World Issues
  Defined the Dynamic Coalition Problem
  Discussed the Global Command and Control System and Its Shortcomings
  Offered a Set of Objectives for Realization of Distributed Security in a Dynamic Setting

ISSEA 2002-46

Ongoing and Future Work

Integrating Mandatory Access Controls
  Currently Integrated into Security Prototype
  Model Extended to Include Classifications
Role Deconfliction and Mutual Exclusion
  Preliminary Model Being Designed
  Prototyping Planned in Near Future
User Constraints
  Extend to Include User Constraints
  Prototyping Underway
User Role Delegation Authority
  Preliminary Model Designed
  Prototyping Underway