Design of Secure CAMIN Application System based on Dependable and Secure TMO and RT-UCON Jungin Kim Dr. Bhavani Thuraisingham The University of Texas at Dallas May 08, 2007


Page 1

Design of Secure CAMIN Application System based on Dependable and Secure TMO and RT-UCON

Jungin Kim
Dr. Bhavani Thuraisingham
The University of Texas at Dallas
May 08, 2007

Page 2

Contents

- Introduction
- Background
  - TMO
  - RT-RBAC
  - RT-UCON
- Secure CAMIN
  - Access control TMO object
  - Application Interfaces
- Summary

Page 3

Introduction

Computing paradigm shift
- More security concerns
- Serving real-time services with sufficient security features

Objective
- Ensure security for real-time systems (TMO scheme)
- Incorporate access control mechanisms (RT-UCON) into CAMIN

Page 4

Background

TMO scheme

- Time-triggered Message-triggered Object

- High-level real-time and distributed computing object

- A new paradigm for object-oriented real-time distributed computing

- Proposed by Dr. Kane Kim and Hermann Kopetz [94]

Components of the TMO

- ODS (Object Data Store)

- SpM (Spontaneous Method)

- SvM (Service Method)

- EAC (Environment Access Capability)

- AAC (Autonomous Activation Condition)

Page 5

Background

TMO model (figure): a TMO object consists of

- Object Data Store (ODS), divided into ODS segments (ODSS1, ODSS2), with lock/condition/CREW concurrency control for concurrent access
- Time-triggered (TT) Spontaneous Methods (SpM1, SpM2), each with an AAC (Autonomous Activation Condition) and deadlines
- Message-triggered (MT) Service Methods (SvM1, SvM2), invoked by remote TMO clients through a service request queue
- EAC: capability for accessing other TMOs and the network environment, including logical multicast channels and I/O devices

Page 6

RT-RBAC

Access Control mechanisms

- Role Based Access Control (RBAC) model
  - Users (TMO objects) are associated with roles
  - Roles are associated with permissions (Write, Read, Execution, All)
  - A user has a permission only if the user has an authorized role which is associated with that permission
- Inadequate for distributed real-time systems
  - Server-side centralized model
  - Need constraints on temporal behaviors of spontaneous methods in TMO

Page 7

RT-UCON

Access Control mechanisms

- Usage Control (UCON) model encompasses traditional access control models
  - Authorization rules, conditions and obligations are involved in the authorization process
  - Continuity of decision: either pre or ongoing with respect to the access
  - Mutability: allows updates on subject or object attributes at different times

UCON model (figure): subjects exercise rights on objects; the usage decision is made from authorizations, obligations and conditions.

Page 8

RT-UCON

Basic authorization components for access control in TMO

• Continuity: dynamic and seamless constraints
• Mutability: control the scope of access
• Conditions: control the amount of access, access time, etc.
• Obligations: pre-conditions for determining access decisions

Adequate for distributed real-time systems

• Space and time domain
• Server- and client-side control
• Dynamic and flexible

Page 9

CAMIN (Coordinated Anti-Missile Interceptor Network)

Developed at UC Irvine DREAM Lab

Mission: Defend target objects both in the sea and on the land from the hostile objects in the sky

Application

• Theater: application environment
• Alien: enemy and flying objects
• Command post, Command ship

Page 10

Secure CAMIN

Mission: Defend target objects both in the sea and on the land from the hostile objects in the sky

- Access control checks policies and security levels
- Some malicious objects are added

Page 11

Access control TMO object

Implemented either as a separate object or included inside the application object

Checks access rights and maintains access policies in the system

• ODS: stores static and dynamic access policies
• SpM: controls access policies in ODS
• SvM: handles access decision requests

Page 12

Structure of the TMO application with access control TMO object (figure)

- Application TMO: a TMO object with ODSS, SpM (with AAC), SvM and EAC; its SvM requests an access decision
- Access Decision TMO: a separate TMO object whose ODS holds attributes of objects, environmental conditions and policies, whose SpM maintains them (mutability and continuity) and whose SvM returns the access decision
- Both TMOs run on the TMO middleware/OS and exchange requests and decisions over the communication network

Page 13

Application Interfaces (figure)

- Client TMO sends access request(name, attributes) to the Server TMO
- Server TMO calls get rights on the Access control TMO, passing the attributes
- Access control TMO evaluates the access policies and attributes and returns the decision

Page 14

Application Interfaces

Temporal constraints and environmental conditions of applications

- Access decisions are performed many times during continuous activities
- Conditions can change over time

To fully utilize the RT-UCON we need:
- set_access_time() to restrict the access time
- resume_access()
- block_access(time domain)
- set_access_count(attributes)

More functions should be designed according to the application specification in the design phase
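As an added example (not code from the slides or the CAMIN project), the access control TMO object of pages 11, 13 and 14 modelled in Python: the ODS holds static role-based policies and mutable per-subject attributes, the SvM answers the server TMO's "get rights" call for an access request(name, attributes), and set_access_time(), block_access(), resume_access() and set_access_count() are the control functions listed on the slide. The role names, the seconds-based time domain and the dict-shaped attributes are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Static policy in the ODS: role -> permitted rights (role names are constructed here).
STATIC_POLICIES = {
    "command_post": {"Read", "Write", "Execution"},
    "interceptor": {"Read", "Execution"},
    "alien": set(),  # hostile objects added to the theater get no rights
}

@dataclass
class UsageAttrs:
    """Mutable per-subject attributes: the dynamic policies in the ODS."""
    window: tuple = (0.0, float("inf"))  # set_access_time(): allowed [start, end]
    blocked_until: float = 0.0           # block_access(): denied while now < this
    remaining: Optional[int] = None      # set_access_count(): None = unlimited

class AccessControlTMO:
    def __init__(self, policies):
        self.ods_policies = policies  # static policies
        self.ods_attrs = {}           # subject name -> UsageAttrs

    def _attrs(self, name):
        return self.ods_attrs.setdefault(name, UsageAttrs())

    # SpM-side policy control functions named on the slide. The time domain is
    # modelled as a [start, end] pair in seconds (an assumption of this example).
    def set_access_time(self, name, start, end):
        self._attrs(name).window = (start, end)
    def block_access(self, name, until):
        self._attrs(name).blocked_until = until
    def resume_access(self, name):
        self._attrs(name).blocked_until = 0.0
    def set_access_count(self, name, count):
        self._attrs(name).remaining = count

    # SvM answering the server TMO's "get rights" call for an access request(name,
    # attributes). Re-evaluated on every call (continuity); updates attributes (mutability).
    def get_rights(self, name, attributes, now):
        if attributes["right"] not in self.ods_policies.get(attributes["role"], set()):
            return False  # authorization: the role lacks the requested right
        a = self._attrs(name)
        if not (a.window[0] <= now <= a.window[1]) or now < a.blocked_until:
            return False  # conditions: outside the access time or blocked
        if a.remaining is not None:
            if a.remaining <= 0:
                return False  # condition: access count exhausted
            a.remaining -= 1  # mutability: consume one use
        return True
```

Because every ongoing access goes back through get_rights(), a policy change made by the SpM (a new window, a block, a reduced count) takes effect at the next check rather than only at the first request.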

Page 15

Summary and Directions

- Designed a model named RT-UCON and a secure real-time application utilizing CAMIN
- Need to design sophisticated security APIs