Security Engineering for Large Scale Distributed Applications

Transcription

1 T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A Security Engineering for Large Scale Distributed Applications Konstantin Beznosov Electrical and Computer Engineering University of British Columbia Copyright Konstantin Beznosov

2 airplanes vs. cars flying is fast driving is slow why isn t everybody flying? 2

3 why aren't secure systems almost completely insecure, or secure but too expensive and error-prone to build too complex to administer inadequate for real-world problems forever everywhere? examples 3

4 CORBA Security examples no compliant system over 600 pages 3 days to install and configure a toy set up Web services security harder than RPC-based CORBA 4

5 research direction outline access control mechanisms overview some things that can be done about it some specific things: attribute function, composable policy engines other research projects 5

6 what can be done about it? improvements towards inexpensive and error-proof to build effective and inexpensive in administration adequate for problem domains easy and inexpensive to change and integrate 6

7 T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A access control mechanisms overview Copyright Konstantin Beznosov

8 conventional computer security protection from breaking rules Protection preventing bad things from happening Assurance Authorization Accountability Availability Access Control Data Protection Audit Non- Repudiation Service Continuity Disaster Recovery Design Assurance Development Assurance Operational Assurance enforces the rules, when rule check is possible 8

9 9 overview of access control Specific to Application Domain Subject Security Attributes id=alice Not managed by security admin-s Subject Non-security Attributes age=40 role=physician Context sensitive Emergency Subjects Is attending physician? Action Attributes name=read actions Authorization Engine Reference monitor Authorization Decisions Access Control Mechanism Request-specific Objects Object Attributes patient=bob type=patient_record subtype=current_episode Fine grain Object Security Attributes owner=fred domain=hospital_a physician can read medical records attending physician can modify patient current episode sensitive records

10 decision-enforcement paradigm Decision Function access control data protection security audit subjects Enforcement Function policy decisions Security Mechanisms objects 10

11 T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A some things that can make it better Copyright Konstantin Beznosov

12 separation of concerns application vendors sell application(s) product middleware vendors sell middleware products security vendors sell security products application owners sell service(s) 12

13 all security in middleware Application space Application Object Advantages security-unaware applications Both functions are implemented by security vendor Hard to bypass Separate from application easier to analyze Implementations CORBA, EJB, COM+, ASP.NET View Objects [Hailpern 1990] Role Classes [Barkley 1995] SafeBots [Filman 1996] Security Meta Objects [Riechmann 1998] Enforcement Function Decision Function 13 Access Request Middleware Security Middleware Space

14 studying DF expressiveness Psychiatrist Physician Physician Assistant Registration Clerk Nurse Caregiver [Sandhu 1998] RBAC Owner-based DAC Technician supports [Sandhu 1996] Lattice-based MAC Right 0..* 0..* Family : ExtensibleFamily +consists 0..* +consists RequiredRights Combinator : RightsCombinator requires 0..* 0..* 0..* GrantedRights +based on 0..* grante SecurityAttribute type : AttributeType defining_authority : Opaque value : Opaque 0..* Credentials 0..* 0..* 1..1 Operation +invoke Request Principal * 0..* +makes * 0..* +defined +on 0..* +acts on behalf * Interface 1..* DomainAccessPolicy inherits 0..* implement +applies User 0..* * +associated Interface Implementation SecurityPolicyDomain 0..* 1..* CORBA Security 0..* +contain 0..* +has K. Beznosov and Y. Deng, A Framework for Implementing Role-based Access Control Using CORBA Security Service, Fourth ACM Workshop on Role-Based Access Control, Fairfax, Virginia, USA,

15 making better to administer Application Application space Object Enforcement Function Decision Function Middleware Security Middleware Space Object Application Application space Security Policies Policy Administration Enforcement Function Decision Function Middleware Security Middleware Space Application space Application Object Enforcement Function Decision Function XACML-TC, OASIS extensible Access Control Markup Language (XACML), Committee Specification v1.0, OASIS, February Security Policy Mediators [Hale 1999] 15 Middleware Security Middleware Space

16 middleware security limitations Application Application space Object no application-specific information or logic only information known before the method is invoked method-level granularity Enforcement Function Decision Function 16 Access Request Middleware Security Middleware Space

17 reconfigurable decision function Application space Resource Access Decision (RAD) Application Object Policy EvaluatorLocator 2: get_policy_decision_evaluators PolicyEvaluator DynamicAttributeService 5: * evaluate 3: get_dynamic_attributes Enforcement Function 1: Access Decision Object 4: combine_decisions DecisionCombinator Enforcement Function Middleware Security K. Beznosov, Y. Deng, B. Blakley, C. Burt, and J. Barkley, A Resource Access Decision Service for CORBA-based Distributed Systems, Annual Computer Security Applications Conference (ACSAC), Phoenix, Arizona, USA, OMG, Resource Access Decision Facility, Object Management Group, OMG document number: formal/ , August

18 relationship-based access control Attending Psychiatrist Patient Attending Physician Spouse Assistant Attending Physician Guardian Attending Nurse Related Technician Relative Related Care-giver 18 J. Barkley, K. Beznosov, and J. Uppal, Supporting Relationships in Access Control Using Role Based Access Control, Fourth ACM Role-based Access Control Workshop, Fairfax, Virginia, USA, 1999.

19 RBAC RAD == RelBAC Application System 1: access_allowed 2: get_policy_decision_evaluators Access Decision Object 4: combine_decisions Policy EvaluatorLocator 3: get_dynamic_attributes DecisionCombinator RAD Relationships DynamicAttributeService RBAC PolicyEvaluator 5: evaluate 19

20 T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A one specific thing: attribute function Copyright Konstantin Beznosov

21 enforcement in middleware Application space Application Advantages EF stays outside of the application DF can use application-specific policies and/or information Examples CORBA Security replaceable mech. Java Authorization Contract for Containers, (JACC) in J2EE v1.4 getaccess, Access Manager, SiteMinder Legion [Grimshaw 1998] Object Decision Function Enforcement Function 21 Access Request Middleware Security Middleware Space

22 how to get application data for decisions? Application space Application Coupled with the object Object Access Request Enforcement Function Back Door Application-specific Data Request Application-specific Data Decision Decision Function Decision Request Disadvantages Each business object has to implement the backdoor Could be inefficient on expensive to activate objects Weak in the face of denial of service attacks Middleware Security Subsystem Middleware Space Access Request 22

23 a better way Attribute Function Application Object Access Request Application space Enforcement Function Attribute Function Middleware Security Subsystem Middleware Decision Function Decision Decision Request Advantages + security out + application data in + separation of concerns EF middleware vendor DF authorization vendor AF application owner 23 Access Request K. Beznosov, "Object Security Attributes: Enabling Application-specific Access Control in Middleware," The 4th International Symposium on Distributed Objects & Applications, pp , Irvine, California, October 28 - November 1, 2002.

24 T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A another specific thing: composable policy engines K. Beznosov, "On the Benefits of Decomposing Policy Engines into Components, in Proceedings of The 3rd Workshop on Reflective and Adaptive Middleware, Toronto, Canada. October Copyright Konstantin Beznosov

25 problem motivation Mechanism (Enforcement function) Policy (Decision function a.k.a. Policy engine) 25 Distributed app. developers/admins have limited choices: 1. Pre-built policy engines with limited capabilities e.g., JAAS default policy file, COM+, EJB authorization Limited support for non-trivial or application-specific policies 2. Pre-built policy engines one size fits all generic e.g., CORBA Unnecessary complex and expensive to use 3. plug-in APIs for creating custom do-it-yourself engines e.g., CORBA Sec. Replaceable, JSR 115, SiteMinder and alike Hard to do it right

26 premise common policy elements e.g., authorizations based on roles, groups, location differences in the weight and composition e.g., location ( role && group ) vs. role ( location && group ) application-specific factors e.g., relations, certification, license 26

27 component framework for A&A policy engine Legend 27 Replaceable Created by Replaceable Fixed

28 expected benefits wide range of supported policies pay as you go cost of supporting a policy determined by required policy not by policy engine complexity incremental changes proportional to policy Δ-s addition/removal/re-composition of policy components re-use of existing policy logic by developers/administrators 28

29 T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A example 1 university course web service Copyright Konstantin Beznosov

30 university course web service policy 1. Anyone can lookup course descriptions. 2. All users should authenticate using HTTP-BA. 3. Registration clerks can list students registered for the course and (un)register students. 4. The course instructor can list registered students as well as manage course content. 5. Registered for the course students can download assignments and course material, as well as submit assignments. 30

31 policy engine assembly for example 1 HTTP BA Credential Retriever Permit Overrides Decision Combinator Course PolicyEvaluator Publicmethods PolicyEvaluator CourseId AttributeRetriever 31 Legend Generic Prebuilt Custom

32 T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A example 2 human resources web service for an international organization Copyright Konstantin Beznosov

33 HR web service policy 1. Only users within the company s intranet or those who access the service over SSL and have valid X.509 certificates issued by the company should access. 2. Anybody in the company can look up any employee and get essential information about her/him. 3. HR employees can modify contact information and review salary information of any employee from the same division. 4. HR managers can modify any information about the employees of the same division. 33

34 policy engine assembly for example 2 HTTP BA Credential Retriever (A uthroizedip Certificate) (PublicMethod (Role Division)) Decision C ombinator X.509 Certificate Credential Retriever Authorized IP PE RBAC PE Division PE Public methods PE X.509 Certificate PE X.509 Certificate Credential Legend Generic Prebuilt Generic from Third-party Custom 34

35 summary what adequate for different application domains inexpensive and error-proof to build effective and inexpensive in administration and management easy and inexpensive to change, and replace how RBAC in CORBA XACML Resource Access Decision (RAD) RelBAC attribute function composable policy engines 35

36 T H E U N I V E R S I T Y O F B R I T I S H C O L U M B I A other research projects Copyright Konstantin Beznosov

37 multiple-channel SSL P 1 P n C S end-to-end security with partially trusted proxies selective data protection 37

38 usability of security administration improving visualization of the information existing cognitive models of security administration improving feedback to security administrators "what if" scenarios safe staging playgrounds testing system state better cognitive models mappings between different mental models/abstractions application-specific model oriented on business processes mechanism-specific technical model 38

39 agile security assurance 1. examined the mismatch between security assurance and agile methods 2. classified conventional security assurance practices according to the degree of clash 1) natural match, 2) methodology nuetral, 3) (semi-)atomatable, 4) complete mismatch 3. suggested ways of alleviating the conflict tool support, knowledge codification, agile-friendly assurance, intermittent assurance 39

40 Advanced ADAE/ADME Scheme Client Tier Presentation Tier Component Tier Back-Office Tier Application Infrastructure Application Client Brow ser Web Serv ers Web Serv ice s Application Serv ers Mainframes Databases EASI Application Env ironment Adapters EASI Security Unifier Authentication API Authorization API EASI Executiv e Audit API Secur ity Management Secur ity A dministr ation Secur ity Configur ation Security Policy Cryptography API EASI Security Serv ice Mappers Security Serv ices A uthentication Ser vices A uthorization Ser vices Cr yptogr aphy Ser vices A ccountability Ser vices Security A dministr ation Ser vices 40

41 security diffuses in applications Application Objects Application Objects Application Objects Middleware Operating System Hardware Middleware Operating System Hardware Middleware Operating System Hardware Network 41

42 42 Servant XOA attribute function in CORBA Application Servant POA Enforcement Function (security interceptor) Application space Attribute Function Attribute Manager Attribute Manager CORBA Security ORB Attribute Retriever Security Domain Membership Management Service, Final Submission, OMG, # orbos/ , July Decision Function (Decision Object) Decision Function (DecisionObject) Decision Request