Title: A typed Access Control Model for CORBA
1 A typed Access Control Model for CORBA
- Gerald Brose
- Institut für Informatik
- Freie Universität Berlin, Germany
- ESORICS 2000, October 4-6, Toulouse, France
2 Roadmap
- 1. Why another Access Control Model?
- 2. View-based access control
- 3. Case Study
- 4. Raccoon Architecture
3 1. YAM - Yet Another Model?
- Existing models do not fit CORBA environments
- heterogeneous policy management
- homogeneous object model (IDL)
- most models use generic rights
- take no advantage of typed object model
- mapping to operations is left to the implementation or the designer
- practical access control for CORBA: fine-grained, scalable, manageable
4 Who deals with Access Policies?
- (Global IT Security Managers)
- Developers
- define application scenarios, design interfaces
- need to define some static policy properties
- principle of least privilege
- Deployers
- install and adapt policies
- assign objects to policy domains, users to roles
- Managers
- manage users, roles, objects, domains
- evolve policies
5 Example CORBA Access Model
- Rights in families: corba (g s m u) (rwmx)
- Specification in two tables: required rights vs. effective rights
- Example policy for name service access
- resolve a name
- list bindings
- bind a name
- bind a subcontext
- unbind names, destroy contexts
6 Effective vs. Required Rights
- Group operations by sensitivity
- specified by developers
- per-type!
- system-wide!
- Granted by Policy
- per domain
7 Restrictions
- Granularity vs. Scalability
- restricted set of rights → collisions
- all objects of a type treated alike
- Hard to specify and manage
- not expressive
- no dynamic changes
- no denials
- limited semantics of rights
- error-prone
- untyped, low-level (Object rwx)
- policy semantics are easily lost
8 2. View-based Access Control
- Manageability → language support: VPL
- Abstraction
- Documentation, Communication, Reuse
- fixed object model: IDL
- static consistency checks
- Fine-grained
- rights for individual operations on objects
- Scalability → Grouping
- Rights → Views and Roles
- Objects → Domains
9 Access Matrix Model
[Access matrix figure: columns are objects (o1 NamingCtx, o2 Paper, o3 Review, o4 T), rows are roles (Employee, Secretary, TechAuthor); cells hold permitted operations such as resolve, bind, bind_new_ctx, list, read, append, correct, write, with the NamingCtx rights labelled Resolving and Binding.]
10 Views
- are higher-level authorizations
- group rights
- contain type-specific permissions and denials for operations
- allow consistency checks
IDL:
```idl
interface Document {
  void read(out string s);
  void write(in string s);
  void append(in string s);
  void correct(in string s);
};
```
VPL:
```
view Reading controls Document {
  allow
    read;
}
view Writing : Reading
  restricted_to Author {
  allow
    write;
    append;
}
```
11 Roles in VPL
- emphasize use-case view on policies
- support division of labor
- Standard RBAC (Sandhu et al. 96)
- RoleName → 2^Users × 2^Rights
- VPL
- static actors with views: RoleName → 2^Views
- Assigning users to roles is done at deployment time
12 3. Case Study
- Support reviewing of conference papers (à la CyberChair)
- 1. Authors submit papers
- 2. Reviewers submit reviews
- 3. Reviewers may read other reviews and change their own review.
- Application-level policy with dynamic changes in the protection state
- Deadline reached → no more papers
- Review submitted → read other reviews
13 Interfaces
```idl
// forward declarations, so that Conference and Paper may return the later types
interface Paper;
interface Review;

interface Conference {
  // change working phase
  void callForPapers();
  void deadlineReached();
  void makeDecision();
  void submitPaper(in string paper);
  void listPapers(out string list);
  Paper getPaper(in long paper);
};

interface Paper {
  void read(out string text);
  Review submitReview(in string rev, in long reviewer);
  void listReviews(out string list);
  Review getReview(in long reviewer);
};

interface Review {
  void read(out string text);
  void update(in string text);
};
```
14 Views
```
policy ConferenceReviewing {
  view AccessingPapers controls Conference {
    allow
      listPapers;
      getPaper;
  }
  view Reviewing controls Paper {
    allow
      read;
      listReviews;
  }
  view ConferenceSteering : AccessingPapers
    restricted_to Chair {
    allow
      callForPapers;
      deadlineReached;
      makeDecision;
  }
  ...
}
```
15 Dynamic Changes Schemas
- regular changes triggered by operations
IDL:
```idl
interface Paper {
  Review submitReview(in string text);
};
```
VPL:
```
schema Paper {
  submitReview
    grants result.update to caller
    grants this.getReview to caller
    revokes this.submitReview from caller
}
```
16 Roles
```
policy ConferenceReviewing {
  view AccessingPapers ...
  view Reviewing ...
  view ConferenceSteering ...
  view Submitting ...
  schema Paper ...
  roles
    Chair holds ConferenceSteering
    Member holds Reviewing
    Author holds Submitting
  role assertion
    Author excludes Chair
    card Chair 1
}
```
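The policy on slides 14 to 16 and the schema on slide 15 can be simulated in a few lines: views permit operations on one interface, roles hold views, and a schema grants and revokes per-caller rights when an operation is invoked. This is an added Python model written for this page, not Raccoon or JacORB code; the view and role names are taken from the slides, while the reviewer and object names, the assumption that Reviewing includes submitReview, and the precedence of revocations over views are constructed for the example.

```python
from collections import defaultdict

# Static policy after slides 14 and 16: a view controls one IDL interface and
# permits operations; a role holds views. Assumed: Reviewing includes submitReview.
VIEWS = {  # view name -> (controlled interface, allowed operations)
    "Reviewing": ("Paper", {"read", "listReviews", "submitReview"}),
    "Submitting": ("Conference", {"submitPaper"}),
}
ROLES = {"Member": {"Reviewing"}, "Author": {"Submitting"}}

class ProtectionState:
    def __init__(self, schemas):
        self.schemas = schemas              # (interface, operation) -> schema function
        self.principals = {}                # principal -> role, assigned at deployment time
        self.objects = {}                   # object reference -> IDL interface
        self.granted = defaultdict(set)     # (caller, object) -> dynamically granted ops
        self.revoked = defaultdict(set)     # (caller, object) -> dynamically revoked ops

    def allowed(self, caller, obj, op):
        if op in self.revoked[(caller, obj)]:   # a schema revocation overrides the view
            return False
        if op in self.granted[(caller, obj)]:
            return True
        views = ROLES.get(self.principals.get(caller), ())
        return any(VIEWS[v][0] == self.objects[obj] and op in VIEWS[v][1] for v in views)

    def invoke(self, caller, obj, op, result=None):
        if not self.allowed(caller, obj, op):
            raise PermissionError(f"{caller} may not call {op} on {obj}")
        if (self.objects[obj], op) in self.schemas:
            self.schemas[(self.objects[obj], op)](self, caller, obj, result)
        return result

def submit_review_schema(state, caller, this, result):
    # schema Paper, operation submitReview (slide 15)
    state.granted[(caller, result)].add("update")      # grants result.update to caller
    state.granted[(caller, this)].add("getReview")     # grants this.getReview to caller
    state.revoked[(caller, this)].add("submitReview")  # revokes this.submitReview from caller

def demo():
    # Reviewer alice submits one review; returns the decisions before and after the call.
    st = ProtectionState({("Paper", "submitReview"): submit_review_schema})
    st.objects.update({"paper1": "Paper", "review1": "Review"})
    st.principals.update({"alice": "Member", "bob": "Author"})
    before = st.allowed("alice", "paper1", "submitReview")
    st.invoke("alice", "paper1", "submitReview", result="review1")
    after = [st.allowed("alice", "paper1", "submitReview"),  # revoked: no second review
             st.allowed("alice", "review1", "update"),       # granted on the new review
             st.allowed("alice", "paper1", "getReview")]     # granted on the paper
    return before, after
```

Running demo() shows the protection state change the slide describes: the reviewer may submit once, then loses submitReview on that paper while gaining update on the returned review and getReview on the paper.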
17 4. Raccoon Architecture
[Architecture diagram: a Client invokes access_object() on a Server object; the question "allow/deny access?" is decided from the Domain, Policy, Object, Principal and Context elements shown in the figure.]
18 Project stage
- currently XML-based VPL compiler
- Domain Server done.
- CORBA IIOP/SSL and Portable Interceptors integrated in JacORB
- To do
- Role and Policy Servers
- Visualizations and GUI management
- Demonstrate feasibility and manageability