Cherubim Dynamic Security System
Roy Campbell and Denny Mickunas; Tin Qian, Vijay Raghavan, Tim Fraser, Chuck Willis, Zhaoyu Liu
Department of Computer Science
University of Illinois at Urbana-Champaign
Motivation
• Increasing connectivity and mobility
• Emerging software-intensive networks
• Software based protection at system level
• Acceptance of mobile agent technology
• Extensible and adaptable software architecture
Existing Solutions
• Firewall, VPN, Kerberos, SSL, SOCKS
• Limited support for fine-grained application specific security
• Hard to evolve, adapt and inter-operate
• No guard against grudging insiders
• Too complex and resource intensive for mobile clients
Our Approach
• Mobile security agents
• Secure bootstrapping process with minimal core security services
• Active capability providing application specific access control
• Interoperable security policies
• CORBA compliant security services and APIs
Achievement
• Security representation framework
• Security extensions to OMG IDL
• Minimal core security services
• Mobile collaborative testbed environment
• ‘Dynamic Security for Active Network’ Proof of Concept
Contents
• Overview of Cherubim
• Core Services
• Dynamic Policies
• Example Applications
• Demonstration
• Future
• Summary
Core Security Services
• Abstracts underlying cryptographic functionality
• Provides five basic functions
– Encryption
– Decryption
– Signature
– Signature Verification
– Authentication
Core Implementation
• Based on Cryptix Package, a free implementation of the Java Cryptographic Architecture
• Authentication Protocol
– 2048 bit prime for Diffie-Hellman exchange
– 1024 bit DSA keys for signatures on key exchange and mobile classes
– 128 bit IDEA session keys
Authentication
(figure) Client -> Server: <g^a, destination, timestamp, algorithm, keylength>, signature
(figure) Server -> Client: <g^b, destination, timestamp, algorithm, keylength>, signature
(figure) Both sides compute g^ab (client from a, server from b), pass it through SHA-1, and use the result as the IDEA session key
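The exchange in the figure above, written out as an added example that is not the Cherubim code: each side sends a signed <g^x, destination, timestamp, algorithm, keylength> message, verifies the peer's, and hashes g^ab with SHA-1 into the IDEA session key. It assumes a toy 127-bit prime in place of the 2048-bit one, an HMAC stand-in for the 1024-bit DSA signatures, and that the 128-bit key is the truncated SHA-1 digest.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters: the deck uses a 2048-bit prime and 1024-bit
# DSA signatures; here the Mersenne prime 2^127-1 and an HMAC stand-in for
# DSA keep the exchange runnable without a crypto library. Not for real use.
P, G = 2**127 - 1, 5
MAX_SKEW = 300                  # the 5-minute timestamp window from the slides
ALGORITHM, KEYLENGTH = "IDEA", 128


def sign(sig_key, msg):
    """Stand-in for the DSA signature on the key-exchange message."""
    return hmac.new(sig_key, msg, hashlib.sha1).digest()


class Party:
    def __init__(self, name, sig_key):
        self.name, self.sig_key = name, sig_key
        self.exp = secrets.randbelow(P - 2) + 1      # private exponent a or b

    def hello(self, dest, now):
        """Build <g^x, destination, timestamp, algorithm, keylength>, signature."""
        pub = pow(G, self.exp, P)
        msg = f"{pub}|{dest}|{now}|{ALGORITHM}|{KEYLENGTH}".encode()
        return msg, sign(self.sig_key, msg)

    def accept(self, msg, sig, peer_sig_key, now):
        """Verify the peer's message, then derive the IDEA session key from g^ab."""
        if not hmac.compare_digest(sign(peer_sig_key, msg), sig):
            raise ValueError("bad signature on key exchange")
        pub, dest, ts, alg, keylen = msg.decode().split("|")
        if dest != self.name:
            raise ValueError("message addressed to another principal")
        if abs(now - int(ts)) > MAX_SKEW:
            raise ValueError("stale key-exchange message")
        if (alg, int(keylen)) != (ALGORITHM, KEYLENGTH):
            raise ValueError("unexpected algorithm or key length")
        shared = pow(int(pub), self.exp, P)          # g^ab
        # SHA-1(g^ab) truncated to 128 bits; the truncation is an assumption
        return hashlib.sha1(shared.to_bytes(16, "big")).digest()[:KEYLENGTH // 8]


def run_exchange(now):
    ck, sk = b"client-dsa-stand-in", b"server-dsa-stand-in"
    client, server = Party("client", ck), Party("server", sk)
    m1, s1 = client.hello("server", now)
    m2, s2 = server.hello("client", now)
    return client.accept(m2, s2, sk, now), server.accept(m1, s1, ck, now)
```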
Class Request Data Format
(figure) Packet Data Format: [ Class Name | TimeStamp (5 min) | Sequence Number | Destination ], encrypted with IDEA key, followed by Signature
Class Response Data Format
(figure) Packet Data Format: [ Class Name | TimeStamp (5 min) | Sequence Number | Destination | Class ], encrypted with IDEA key, followed by Signature
Classloader Hierarchy
(figure) Primordial Classloader: Java core classes, necessary Cryptix and Cherubim classes
(figure) Jurassic Classloader: Jacorb classes, home application classes, Cherubim policy library
(figure) CORBA Classloader: specific policies, remote application classes
Dynamic Policies
• Framework
– Primitives (sets, maps, mappings)
– OS entities (devices, processes, users)
– Interfaces with the Security Policy Decision Function and the underlying system
– Policy classes
• Demo examples atop framework
• Active capabilities
Policy Classes
• DAC - Discretionary Access Control
– Double DAC
• NDAC - Non ...
– DONDAC, Domain Oriented ...
– MAC formed from customized NDAC
• DSP - Device Specific Policies
– DANDAC, Device Aware ...
Policy Framework
(figure) Layers: OS, Interfaces, Primitives; policy classes built on them: DAC (DDAC), NDAC (DONDAC), DSP (DANDAC)
Policy Formulation for Demo
• Double Discretionary Access Control
– Traditional Allowed Lists
– Disallowed Lists
– Policies that are functions of underlying mechanisms like time
• CORBA monitoring and authorization for each RMI
Role-Based Access Control
• Separation of duties
– Invocation of mutually exclusive roles for a task to increase security
• Least privilege
– Assign only needed role/right to users
• Simplified authorization management
– Independent mappings: role-permission, user-role, and role-role relationships
– Suitable for dynamic mobile environment
Role Management
• Hierarchical roles
– Simple, clear role management
• Object classes
– Classify objects based on access type
• Roles to manage roles
– Administrative roles
• Net effect of a configuration: open question
Environment
• System defines role permissions
– Can dynamically define new roles or modify permissions, though should do so infrequently
• User-role binding by password/certificate
– User can dynamically attain role
– Can attain multiple non-exclusive roles
Current Implementation
• Two ids in policy framework: user and role
– Access control entry can be for either user, role, or both
• Grant access if no conflict
– Check ACL for both user and role
• One user can have multiple roles
– Must be non-exclusive
– Grant access if access control returns yes for user and one role
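The decision rule described above (allowed and disallowed lists, time-dependent entries, user and role ids, non-exclusive roles), as an added example rather than the Cherubim policy library: a disallowed-list hit on the user or on any active role is a conflict and wins, and a grant needs an explicit allow for the user or for one of their roles. Host, user and operation names are placeholders, and the request time is reduced to an hour of day.

```python
from dataclasses import dataclass, field

# Constructed sample policy: the demo's real 2-host, 2-user, 8-operation
# configuration is not on the slides, so the names below are placeholders.


@dataclass
class Entry:
    subject: str            # "user:<name>" or "role:<name>"
    operation: str
    obj: str                # the system object (a host in the demo)
    when: object = None     # optional predicate over the request time (hour of day)


@dataclass
class Policy:
    allowed: list = field(default_factory=list)
    disallowed: list = field(default_factory=list)
    exclusive: set = field(default_factory=set)     # frozensets of role names

    def _match(self, entries, subject, op, obj, hour):
        return any(e.subject == subject and e.operation == op and e.obj == obj
                   and (e.when is None or e.when(hour)) for e in entries)

    def check(self, subject, op, obj, hour):
        """One id's verdict: 'deny' (disallowed list), 'allow' or 'abstain'."""
        if self._match(self.disallowed, subject, op, obj, hour):
            return "deny"
        return "allow" if self._match(self.allowed, subject, op, obj, hour) else "abstain"

    def decide(self, user, roles, op, obj, hour):
        """Double DAC over the user id and every active role the user holds."""
        for pair in self.exclusive:
            if pair <= set(roles):
                raise ValueError(f"mutually exclusive roles held: {sorted(pair)}")
        subjects = [f"user:{user}"] + [f"role:{r}" for r in roles]
        votes = [self.check(s, op, obj, hour) for s in subjects]
        # A disallowed hit on the user or any role is a conflict (deny wins);
        # otherwise grant only if the user or one role is explicitly allowed.
        return "deny" not in votes and "allow" in votes


def demo_policy():
    p = Policy(exclusive={frozenset({"auditor", "operator"})})
    p.allowed += [Entry("role:operator", "suspend", "host1"),
                  Entry("role:operator", "kill", "host1", when=lambda h: 9 <= h < 17),
                  Entry("user:alice", "kill", "host2")]
    p.disallowed += [Entry("user:bob", "kill", "host1")]
    return p
```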
Architecture
• CORBA compliant security services
• Security enhanced IDL
• Agent-based dynamic security framework
CORBA Security Services
• OMG’s general security model
• OMG’s Security Service Interface
• Extensions defining binding between security policies and applications
• Principals, Roles, Privilege Attributes, Credentials, Active Capabilities
• Security Domain defines scope of policy and security authority
Object Access in Cherubim
(figure) Application Client -> Orb Stub -> Network Transport -> BOA -> Application Server; Active Capability/Certificates travel with the request on both the client and server sides and are checked against the Dynamic Policies and Security Mechanisms
• Smart packet containing certificate
• Signed policy code
• External mechanisms, framework interfaces
– Time
– Encryption
– System/Device state
Security Enhanced IDL
• Interface definition extended to specify
– enforced by <policy1>, … , <policyN>
• Declarations of variables, methods, and parameters extended to specify mechanisms:
– authenticated, authorized, encrypted, audited, non-repudiated
Demonstration
• Secure Bootstrap from ‘Smart Card’
• Process Management System example
• Double Discretionary Access Control
– 2 hosts (system objects)
– 2 users
– 8 process management operations
– Allowed and denied lists for various accesses
• CORBA monitoring and authentication for method invocations
Bootstrap from Smart Card
• File -> passphrase decryption -> credentials
• Credentials– home server, public key, private key
• Mutual authentication with home server
• Download Jacorb, security classes, application with active capabilities
Cherubim Smart Card
Process Management Example
(figure) A SystemManager coordinates three client UserApplications (Client 1, Client 2, Client 3) and three servers (Server 1, Server 2, Server 3); each server runs a Host Manager that supervises its Remote User Processes
Key Components in Demonstration
(figure) Two laptops (Laptop Mickunas, Laptop Roy) hosting: Denny ClientApplication, NameServer, PolicyServer, ServiceManager, Denny ServerApplication, Hostmanager, Roy ClientApplication, Roy ServerApplication
Future
• Dynamic Distributed Objects with Dynamic Adaptable Security Policies over Heterogeneous Networks
• “Instant” Security Policy Response to Attacks
• Automated and Flexible Configurability
• Dynamic Security for Active Networks
Cherubim Summary
Architecture for and Demonstration of:
• Dynamic policies
• Compatibility
• Extensibility
• Customizability
• Interoperability
• Multiple Policies
• Multiple Mechanisms
• Multiple Protocols
• Secure Orb, Security Server
• Public Key Infrastructure
What’s missing from Tucson meeting