Data and Applications Security Developments and Directions

1
Data and Applications Security Developments and Directions
  • Dr. Bhavani Thuraisingham
  • The University of Texas at Dallas
  • Lecture 12
  • Secure Object Systems
  • March 2, 2009

2
Outline
  • Background on object systems
  • Discretionary security
  • Multilevel security
  • Objects for modeling secure applications
  • Object Request Brokers
  • Secure Object Request Brokers
  • Secure frameworks
  • Directions


3
Concepts in Object Database Systems
  • Objects: every entity is an object
    • Example: Book, Film, Employee, Car
  • Class
    • Objects with common attributes are grouped into a class
  • Attributes or Instance Variables
    • Properties of an object class inherited by the object instances
  • Class Hierarchy
    • Parent-Child class hierarchy
  • Composite objects
    • Book object with paragraphs, sections etc.
  • Methods
    • Functions associated with a class

4
Example Class Hierarchy
[Figure: class hierarchy. Document Class (attributes: ID, Name, Author, Publisher; Method1 and Method2: Print-doc(ID), Print-doc-att(ID)) with Journal Subclass and Book Subclass; further labels: of Chapters, Volume, B1]

5
Example Composite Object
[Figure: Composite Document Object made up of Section 1 Object and Section 2 Object, with Paragraph 1 Object and Paragraph 2 Object]

6
Security Issues
  • Access Control on Objects, Classes, Attributes
    etc.
  • Execute permissions on Methods
  • Multilevel Security
  • Security impact on class hierarchies
  • Security impact on composite hierarchies


7
Objects and Security
  • Secure OODB: Persistent data store
  • Secure OODA: Design and analysis
  • Secure DOM: Infrastructure
  • Secure OOPL: Programming language
  • Secure Frameworks: Business objects
  • Secure OOT: Technologies
  • Secure OOM: Unified Object Model is Evolving

8
Access Control


9
Access Control Hierarchies



10
Secure Object Relational Model




11
Policy Enforcement





12
Sample Systems






13
Multilevel Security







14
Some Security Properties
  • Security level of an instance must dominate the
    level of the class
  • Security level of a subclass must dominate the
    level of the superclass
  • Classifying associations between two objects
  • Method must execute at a level that dominates the
    level of the method
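
The dominance properties listed above can be checked mechanically over a labelled schema. The following is an added example, not part of the original slides: it applies the subclass, instance and method rules to the Document/Journal/Book hierarchy from the earlier slide. The three level names, every label assigned here, and the instance J1 are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional

class Level(IntEnum):
    # Assumed totally ordered levels; the slides do not name a lattice.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2

@dataclass
class SecureClass:
    name: str
    level: Level
    parent: Optional["SecureClass"] = None
    methods: dict = field(default_factory=dict)  # method name -> Level

def dominates(a: Level, b: Level) -> bool:
    return a >= b

def check_schema(classes, instances):
    """Return violations of the subclass/superclass and instance/class rules."""
    bad = []
    for c in classes:
        if c.parent and not dominates(c.level, c.parent.level):
            bad.append(f"subclass {c.name} below superclass {c.parent.name}")
    for name, cls, level in instances:
        if not dominates(level, cls.level):
            bad.append(f"instance {name} below class {cls.name}")
    return bad

def may_execute(exec_level, cls, method):
    """Resolve the method up the hierarchy; the run level must dominate its level."""
    while cls is not None:
        if method in cls.methods:
            return dominates(exec_level, cls.methods[method])
        cls = cls.parent
    raise KeyError(method)

# Constructed labels on the Document/Journal/Book hierarchy from the earlier slide.
DOCUMENT = SecureClass("Document", Level.CONFIDENTIAL, methods={
    "Print-doc": Level.CONFIDENTIAL, "Print-doc-att": Level.SECRET})
JOURNAL = SecureClass("Journal", Level.SECRET, parent=DOCUMENT)
BOOK = SecureClass("Book", Level.UNCLASSIFIED, parent=DOCUMENT)  # mislabelled
INSTANCES = [("B1", BOOK, Level.UNCLASSIFIED),
             ("J1", JOURNAL, Level.CONFIDENTIAL)]                # mislabelled

if __name__ == "__main__":
    for v in check_schema([DOCUMENT, JOURNAL, BOOK], INSTANCES):
        print("violation:", v)
    print(may_execute(Level.CONFIDENTIAL, JOURNAL, "Print-doc-att"))
```

Running the check at schema-definition time rejects a subclass or instance labelled below its parent before any data is stored under it.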


15
Multilevel Secure Object Relational Systems







16
Sample MLS Object Systems







17
Objects for Secure Applications


18
Object Modeling



19
Dynamic Model




20
Functional Model



21
UML and Policies



22
Distributed Object Management Systems
  • Integrates heterogeneous applications, systems and databases
  • Every node, database or application is an object
  • Connected through a Bus
  • Examples of Bus include
    • Object Request Brokers (Object Management Group)
    • Distributed Component Object Model (Microsoft)


23
Object-based Interoperability
[Figure: Client Object and Server Object connected through an Object Request Broker]
Example Object Request Broker: Object Management Group's (OMG) CORBA (Common Object Request Broker Architecture)
24
Javasoft's RMI (Remote Method Invocation)
25
Objects and Security
  • Secure OODB: Persistent data store
  • Secure OODA: Design and analysis
  • Secure DOM: Infrastructure
  • Secure OOPL: Programming language
  • Secure Frameworks: Business objects
  • Secure OOT: Technologies
  • Secure OOM: Unified Object Model is Evolving

26
Secure Object Request Brokers
27
CORBA (Common Object Request Broker Architecture) Security
  • Security Service provides the following
    • Confidentiality
    • Integrity
    • Accountability
    • Availability
  • URLs
    • http://www.javaolympus.com/J2SE/NETWORKING/CORBA/CORBASecurity.jsp
    • http://student.cosy.sbg.ac.at/amayer/projects/corbasec/sec_overview.html
    • www.omg.org


28
OMG Security Specifications

29
CORBA (Common Object Request Broker Architecture) Security
  • Security Service provides the following
    • Confidentiality
    • Integrity
    • Accountability
    • Availability
  • URLs
    • http://www.javaolympus.com/J2SE/NETWORKING/CORBA/CORBASecurity.jsp
    • http://student.cosy.sbg.ac.at/amayer/projects/corbasec/sec_overview.html
    • www.omg.org


30
CORBA (Common Object Request Broker Architecture) Security - 2
  • Identification and Authentication of Principals
  • Authorization and Access Control
  • Security Auditing
  • Security of communications
  • Administration of security information
  • Non-repudiation


31
Dependable Object Request Brokers
[Figure: dependable ORB architecture diagram. Labels: Navigation; Display; Consoles; Data Analysis Programming Group (DAPG); Processor; Data Links; (14); Sensors; Refresh; Channels; Multi-Sensor; Sensor; Tracks; Detections; Future App (three); MSI App; Data Mgmt.; Data Xchg.; Infrastructure Services; Real Time Operating System; Hardware]
  • Technology provided by Project
Integrate Security, Real-time and Fault Tolerance Computing

32
Secure Frameworks


33
Directions
  • Object Models
    • UML for security applications is becoming common practice
    • Secure distributed object systems have gained popularity
    • Evolution into secure object-based middleware
    • Secure object-based languages
    • Integrating security and real-time for object systems
  • Distributed Objects
    • Security cannot be an afterthought for object-based interoperability
    • Use ORBs that have implemented security services
    • Trends are moving towards Java-based interoperability and Enterprise Application Integration (EAI)
    • Examples of EAI products are WebSphere (IBM) and WebLogic (BEA)
    • Security has to be incorporated into EAI products
