Cherubim Dynamic Security System Roy Campbell and Denny Mickunas Tin Qian, Vijay Raghavan, Tim Fraser, Chuck Willis, Zhaoyu Liu Department of Computer Science University of Illinois at

Page 1

Cherubim Dynamic Security System

Roy Campbell and Denny Mickunas

Tin Qian, Vijay Raghavan, Tim Fraser, Chuck Willis, Zhaoyu Liu

Department of Computer Science

University of Illinois at Urbana-Champaign

Page 2

Motivation

• Increasing connectivity and mobility

• Emerging software-intensive networks

• Software based protection at system level

• Acceptance of mobile agent technology

• Extensible and adaptable software architecture

Page 3

Existing Solutions

• Firewall, VPN, Kerberos, SSL, SOCKS

• Limited support for fine-grained application specific security

• Hard to evolve, adapt and inter-operate

• No guard against grudging insiders

• Too complex and resource intensive for mobile clients

Page 4

Our Approach

• Mobile security agents

• Secure bootstrapping process with minimal core security services

• Active capability providing application specific access control

• Interoperable security policies

• CORBA compliant security services and APIs

Page 5

Achievement

• Security representation framework

• Security extensions to OMG IDL

• Minimal core security services

• Mobile collaborative testbed environment

• ‘Dynamic Security for Active Network’ Proof of Concept

Page 6

Contents

• Overview of Cherubim

• Core Services

• Dynamic Policies

• Example Applications

• Demonstration

• Future

• Summary

Page 7

Core Security Services

• Abstracts underlying cryptographic functionality

• Provides five basic functions
  – Encryption
  – Decryption
  – Signature
  – Signature Verification
  – Authentication

Page 8

Core Implementation

• Based on Cryptix Package, a free implementation of the Java Cryptographic Architecture

• Authentication Protocol
  – 2048 bit prime for Diffie-Hellman exchange
  – 1024 bit DSA keys for signatures on key exchange and mobile classes
  – 128 bit IDEA session keys

Page 9

Authentication

Figure: client/server authentication exchange, where a and b are the client's and server's private Diffie-Hellman exponents.
  Client -> Server: <g^a, destination, timestamp, algorithm, keylength>, signature
  Server -> Client: <g^b, destination, timestamp, algorithm, keylength>, signature
  Both sides compute g^ab and pass it through SHA-1 to derive the IDEA session key.
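The exchange on this slide, written out as an added example (this is not Cherubim's code). Each side builds the signed five-field message, and the receiver checks the signature, the destination, the timestamp and the negotiated cipher before deriving the session key. Assumptions: the group is a toy 127-bit prime rather than the 2048-bit prime the deck uses; the DSA signature is stood in for by an HMAC-SHA1 tag under a pre-shared verification key; the 5-minute freshness window is borrowed from the class-request slide, which is the only place the deck states one.

```python
import hashlib
import hmac
import secrets
import time

# Toy Diffie-Hellman group, constructed for this example: the slides use a
# 2048-bit prime, but a 127-bit Mersenne prime keeps the demo instant.
P = 2**127 - 1
G = 5
ALGORITHM, KEYLENGTH = "IDEA", 128   # session cipher negotiated on the slide
FRESHNESS_SECONDS = 300              # assumed: the deck states 5 min only for class requests


def sign(sig_key, fields):
    """Stand-in for the 1024-bit DSA signature (assumption): an HMAC-SHA1 tag
    over the message fields under a pre-shared verification key."""
    message = "|".join(str(f) for f in fields).encode()
    return hmac.new(sig_key, message, hashlib.sha1).hexdigest()


class Peer:
    def __init__(self, name, sig_key, now=time.time):
        self.name = name          # the 'destination' the other side must name
        self.sig_key = sig_key
        self.now = now            # injectable clock so freshness checks can be tested
        self.exponent = None      # private DH exponent (a on the client, b on the server)

    def hello(self, destination):
        """Build <g^x, destination, timestamp, algorithm, keylength>, signature."""
        self.exponent = secrets.randbelow(P - 2) + 1
        fields = (pow(G, self.exponent, P), destination, int(self.now()), ALGORITHM, KEYLENGTH)
        return fields, sign(self.sig_key, fields)

    def accept(self, fields, signature, peer_sig_key):
        """Check the peer's message and derive the IDEA session key, or raise ValueError."""
        if self.exponent is None:
            raise ValueError("call hello() first so our own exponent exists")
        public, destination, timestamp, algorithm, keylength = fields
        if not hmac.compare_digest(signature, sign(peer_sig_key, fields)):
            raise ValueError("signature does not verify")
        if destination != self.name:
            raise ValueError("message addressed to %r, not to us" % destination)
        if abs(int(self.now()) - timestamp) > FRESHNESS_SECONDS:
            raise ValueError("timestamp outside freshness window")
        if (algorithm, keylength) != (ALGORITHM, KEYLENGTH):
            raise ValueError("unexpected cipher negotiation")
        if not 1 < public < P - 1:
            raise ValueError("degenerate public value")
        shared = pow(public, self.exponent, P)   # g^ab, identical on both sides
        # SHA-1 of g^ab, truncated to 128 bits, becomes the IDEA session key.
        return hashlib.sha1(shared.to_bytes(16, "big")).digest()[:16]


def run_exchange(client, server):
    """Drive the two-message exchange from the slide and return both derived keys."""
    client_msg, client_sig = client.hello(server.name)
    server_msg, server_sig = server.hello(client.name)
    key_at_server = server.accept(client_msg, client_sig, client.sig_key)
    key_at_client = client.accept(server_msg, server_sig, server.sig_key)
    return key_at_client, key_at_server


if __name__ == "__main__":
    kc, ks = run_exchange(Peer("client", b"client-verify-key"), Peer("server", b"server-verify-key"))
    print("session keys match:", kc == ks)
```

The signature covers the destination and timestamp, so a message captured for one server cannot be replayed to another or after the window without the receiver noticing; the checks run before any key material is derived.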

Page 10

Class Request Data Format

Figure: packet data format for a class request.
  Fields: Class Name, TimeStamp (5 min), SequenceNumber, Destination
  The fields are encrypted with the IDEA key, and the packet carries a Signature.

Page 11

Class Response Data Format

Figure: packet data format for a class response.
  Fields: Class Name, TimeStamp (5 min), SequenceNumber, Destination, plus the Class itself
  The fields are encrypted with the IDEA key, and the packet carries a Signature.
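An added example (not Cherubim's code) of the request and response formats on the two preceding slides, with the receiver-side checks the fields make possible: signature before decryption, destination, the 5-minute timestamp window, and the sequence number. Assumptions: IDEA is not in the Python standard library, so SHA-1 in counter mode stands in as the keystream; the DSA signature is stood in for by HMAC-SHA1 over the ciphertext; the sequence number is treated as a monotonic anti-replay counter, which the slide does not spell out; the field layout is JSON for readability.

```python
import hashlib
import hmac
import json
import time

WINDOW_SECONDS = 300   # the "(5 min)" TimeStamp validity shown on the slide
TAG_LEN = 20           # SHA-1 output length, the width of the stand-in signature


def keystream(key, length):
    """Stand-in for IDEA (assumption): SHA-1 in counter mode as an XOR keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha1(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def crypt(key, data):
    """Encrypt or decrypt; XOR with the keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def sign(sig_key, data):
    """Stand-in for the DSA signature (assumption): HMAC-SHA1 over the ciphertext."""
    return hmac.new(sig_key, data, hashlib.sha1).digest()


def build_request(session_key, sig_key, class_name, seq, destination, now=None):
    """Class request: <Class Name, TimeStamp, SequenceNumber, Destination>, encrypted, then signed."""
    timestamp = int(time.time() if now is None else now)
    body = json.dumps({"class": class_name, "ts": timestamp, "seq": seq, "dest": destination}).encode()
    ciphertext = crypt(session_key, body)
    return ciphertext + sign(sig_key, ciphertext)


def build_response(session_key, sig_key, class_name, seq, destination, class_bytes, now=None):
    """Class response: the same header fields plus the class itself (hex-encoded here)."""
    timestamp = int(time.time() if now is None else now)
    body = json.dumps({"class": class_name, "ts": timestamp, "seq": seq,
                       "dest": destination, "bytes": class_bytes.hex()}).encode()
    ciphertext = crypt(session_key, body)
    return ciphertext + sign(sig_key, ciphertext)


class Receiver:
    """Validates packets addressed to `name` and remembers the highest sequence number accepted."""

    def __init__(self, name, session_key, sig_key, now=None):
        self.name = name
        self.session_key = session_key
        self.sig_key = sig_key
        self.now = now            # injectable clock for testing the timestamp window
        self.last_seq = -1

    def unpack(self, packet):
        ciphertext, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(tag, sign(self.sig_key, ciphertext)):
            raise ValueError("signature does not verify")       # checked before decrypting
        fields = json.loads(crypt(self.session_key, ciphertext))
        if fields["dest"] != self.name:
            raise ValueError("packet addressed to %r" % fields["dest"])
        now = time.time() if self.now is None else self.now()
        if abs(now - fields["ts"]) > WINDOW_SECONDS:
            raise ValueError("timestamp outside the 5 minute window")
        if fields["seq"] <= self.last_seq:
            raise ValueError("sequence number %d already seen" % fields["seq"])
        self.last_seq = fields["seq"]
        return fields
```

The timestamp window bounds how long a captured packet stays usable at all, and the sequence number rejects a second delivery inside that window; both checks only run after the signature has been verified, so a forged packet never reaches the decryption or parsing step.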

Page 12

Classloader Hierarchy

Figure: three-level classloader hierarchy.
  Primordial Classloader: Java core classes, necessary Cryptix and Cherubim classes
  Jurassic Classloader: Jacorb classes, home application classes, Cherubim policy library
  CORBA Classloader: specific policies, remote application classes
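A model of the three loaders above, added here as an example and not part of Cherubim. It assumes the usual parent-first delegation of Java classloaders: a lookup is passed up the chain before a loader consults its own classes, so remote application code loaded by the CORBA loader cannot replace a core or cryptographic class that the primordial loader already defines. All class names except java.lang.String are constructed for the example.

```python
class ClassLoader:
    """Parent-first delegation, as in the JVM (assumed here): a lookup is forwarded
    to the parent before this loader looks at its own classes."""

    def __init__(self, name, classes, parent=None):
        self.name = name
        self.classes = frozenset(classes)
        self.parent = parent

    def load(self, class_name):
        """Return the name of the loader that defines `class_name`, or None."""
        if self.parent is not None:
            owner = self.parent.load(class_name)
            if owner is not None:
                return owner
        return self.name if class_name in self.classes else None


def build_hierarchy(remote_classes):
    """The three loaders from the slide; class names other than java.lang.String are constructed."""
    primordial = ClassLoader("Primordial",
                             {"java.lang.String", "cryptix.ExampleCipher", "cherubim.CoreAuth"})
    jurassic = ClassLoader("Jurassic",
                           {"jacorb.ExampleORB", "home.ExampleApp", "cherubim.policy.ExampleDAC"},
                           parent=primordial)
    # Remote application classes and specific policies arrive at the bottom of the chain.
    return ClassLoader("CORBA", remote_classes, parent=jurassic)


def resolve_all(remote_classes, wanted):
    """Map each requested class name to the loader that would define it."""
    corba = build_hierarchy(remote_classes)
    return {name: corba.load(name) for name in wanted}


if __name__ == "__main__":
    # A remote bundle that ships its own copy of a core class resolves to the trusted copy anyway.
    remote = {"policy.ExampleDoubleDAC", "remote.ExampleViewer", "cherubim.CoreAuth"}
    for name, owner in resolve_all(remote, sorted(remote) + ["java.lang.String"]).items():
        print("%-28s -> %s" % (name, owner))
```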

Page 13

Dynamic Policies

• Framework
  – Primitives (sets, maps, mappings)
  – OS entities (devices, processes, users)
  – Interfaces with
    • Security Policy Decision Function
    • Underlying system
  – Policy classes

• Demo examples atop framework

• Active capabilities

Page 14

Policy Classes

• DAC - Discretionary Access Control
  – Double DAC

• NDAC - Non ...
  – DONDAC, Domain Oriented ...
  – MAC formed from customized NDAC

• DSP - Device Specific Policies
  – DANDAC, Device Aware ...

Page 15

Policy Framework

Figure: policy framework. Elements shown: the OS, the Primitives and Interfaces layers, and the policy classes DAC, NDAC and DSP with their specialisations DDAC, DONDAC and DANDAC.

Page 16

Policy Formulation for Demo

• Double Discretionary Access Control
  – Traditional Allowed Lists
  – Disallowed Lists
  – Policies that are functions of underlying mechanisms like time

• CORBA monitoring and authorization for each RMI

Page 17

Role-Based Access Control

• Separation of duties
  – Invocation of mutually exclusive roles for a task to increase security

• Least privilege
  – Assign only needed role/right to users

• Simplified authorization management
  – Independent mappings: role-permission, user-role, and role-role relationships
  – Suitable for dynamic mobile environment

Page 18

Role Management

• Hierarchical roles
  – Simple, clear role management

• Object classes
  – Classify objects based on access type

• Roles to manage roles
  – Administrative roles

• Net effect of a configuration: open question

Page 19

Environment

• System defines role permissions
  – Can dynamically define new role, or modify permissions, though should do so infrequently

• User-role binding by password/certificate
  – User can dynamically attain role
  – Can attain multiple non-exclusive roles

Page 20

Current Implementation

• Two ids in policy framework: user and role
  – Access control entry can be for either user, role, or both

• Grant access if no conflict
  – Check ACL for both user and role

• One user can have multiple roles
  – Must be non-exclusive
  – Grant access if access control returns yes for user and one role
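An added example (not Cherubim's code) that puts the decision rule on this slide together with the Double DAC formulation from the "Policy Formulation for Demo" slide: allowed entries, disallowed entries, entries that depend on the time of day, user-role bindings that refuse mutually exclusive roles, and a grant only when nothing on the disallowed list applies and the allowed list says yes for both the user and one of the user's roles. The reading that an entry naming both a user and a role counts for both checks, the office-hours predicate, and the two-host, two-user policy are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional


@dataclass
class Entry:
    """One access control entry for one operation on one object. It may name a user,
    a role, or both; `when` is an optional predicate on the current time (the slide's
    'policies that are functions of underlying mechanisms like time')."""
    obj: str
    op: str
    user: Optional[str] = None
    role: Optional[str] = None
    when: Optional[Callable[[datetime], bool]] = None

    def applies(self, user, roles, obj, op, now):
        if (obj, op) != (self.obj, self.op):
            return False
        if self.user is not None and self.user != user:
            return False
        if self.role is not None and self.role not in roles:
            return False
        return self.when is None or self.when(now)


class DoubleDAC:
    def __init__(self, allowed, denied, exclusive):
        self.allowed = list(allowed)                        # traditional allowed list
        self.denied = list(denied)                          # disallowed list
        self.exclusive = {frozenset(p) for p in exclusive}  # mutually exclusive role pairs
        self.bindings = {}                                  # user -> frozenset of roles

    def bind(self, user, roles):
        """User-role binding; refuses a role set containing a mutually exclusive pair."""
        roles = frozenset(roles)
        for pair in self.exclusive:
            if pair <= roles:
                raise ValueError("%s cannot hold both of %s" % (user, sorted(pair)))
        self.bindings[user] = roles

    def check(self, user, obj, op, now):
        """Grant only if no disallowed entry applies (no conflict) and the allowed list
        says yes for the user and for at least one of the user's roles."""
        roles = self.bindings.get(user, frozenset())
        if any(e.applies(user, roles, obj, op, now) for e in self.denied):
            return False
        hits = [e for e in self.allowed if e.applies(user, roles, obj, op, now)]
        user_yes = any(e.user == user for e in hits)
        role_yes = any(e.role in roles for e in hits)
        return user_yes and role_yes


def office_hours(now):
    """Constructed time function: weekdays 08:00 to 18:00."""
    return now.weekday() < 5 and 8 <= now.hour < 18


def demo_policy():
    """Constructed policy in the spirit of the demo: 2 hosts, 2 users, process operations."""
    policy = DoubleDAC(
        allowed=[
            Entry("host1", "start", user="alice"),
            Entry("host1", "start", role="operator", when=office_hours),
            Entry("host2", "kill", user="bob", role="admin"),   # entry naming both ids
        ],
        denied=[Entry("host2", "kill", role="operator")],
        exclusive=[("operator", "auditor")],
    )
    policy.bind("alice", {"operator"})
    policy.bind("bob", {"admin", "operator"})
    return policy


def demo_decisions():
    """Evaluate the demo policy at two constructed instants and return the decisions."""
    policy = demo_policy()
    weekday_morning = datetime(2024, 3, 6, 10, 0)   # a Wednesday
    weekday_night = datetime(2024, 3, 6, 3, 0)
    return {
        "alice start host1 (office hours)": policy.check("alice", "host1", "start", weekday_morning),
        "alice start host1 (night)": policy.check("alice", "host1", "start", weekday_night),
        "bob kill host2": policy.check("bob", "host2", "kill", weekday_morning),
        "bob start host1": policy.check("bob", "host1", "start", weekday_morning),
    }
```

Two decisions in the demo show the shape of the rule: alice loses access to host1 at night because the role-level entry carries the time condition and the user-level entry alone is not enough, and bob is refused kill on host2 even though an entry names him with the admin role, because his operator role is on the disallowed list and a disallowed entry is a conflict that overrides any allowed entry.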

Page 21

Architecture

• CORBA compliant security services

• Security enhanced IDL

• Agent-based dynamic security framework

Page 22

CORBA Security Services

• OMG’s general security model

• OMG’s Security Service Interface

• Extensions defining binding between security policies and applications

• Principals, Roles, Privilege Attributes, Credentials, Active Capabilities

• Security Domain defines scope of policy and security authority

Page 23

Object Access in Cherubim

Figure: object access in Cherubim. The Application Client talks through an Orb Stub and the Application Server sits behind a BOA; both ends carry Active Capability/Certificates, and the path between them passes through the Network Transport, the Dynamic Policies and the Security Mechanisms.

Page 24

Active Capability

• Smart packet containing certificate

• Signed policy code

• External mechanisms, framework interfaces
  – Time
  – Encryption
  – System/Device state

Page 25

Security Enhanced IDL

• Interface definition extended to specify
  – enforced by <policy1>, … , <policyN>

• Declarations of variables, methods, and parameters extended to specify mechanisms:
  – authenticated, authorized, encrypted, audited, non-repudiated

Page 26

Demonstration

• Secure Bootstrap from ‘Smart Card’

• Process Management System example

• Double Discretionary Access Control
  – 2 hosts (system objects)
  – 2 users
  – 8 process management operations
  – Allowed and denied lists for various accesses

• CORBA monitoring and authentication for method invocations

Page 27

Bootstrap from Smart Card

• File -> passphrase decryption -> credentials

• Credentials
  – home server, public key, private key

• Mutual authentication with home server

• Download Jacorb, security classes, application with active capabilities

Figure: Cherubim Smart Card.

Page 28

Process Management Example

Figure: process management example. Components shown: a SystemManager; Client 1, Client 2 and Client 3, each running a UserApplication; Server 1, Server 2 and Server 3, each running a Host Manager with several Remote UserProcesses.

Page 29

Key Components in Demonstration

Figure: key components in the demonstration. Laptop Mickunas runs the Denny ClientApplication and Denny ServerApplication; Laptop Roy runs the Roy ClientApplication and Roy ServerApplication; the other components shown are the NameServer, PolicyServer, ServiceManager and Hostmanager.

Page 30

Future

• Dynamic Distributed Objects with Dynamic Adaptable Security Policies over Heterogeneous Networks

• “Instant” Security Policy Response to Attacks

• Automated and Flexible Configurability

• Dynamic Security for Active Networks

Page 31

Cherubim Summary

Architecture for and Demonstration of:

• Dynamic policies

• Compatibility

• Extensibility

• Customizability

• Interoperability

• Multiple Policies

• Multiple Mechanisms

• Multiple Protocols

• Secure Orb, Security Server

• Public Key Infrastructure

Page 32

What’s missing from Tucson meeting