Security Issues for Distributed Computing - PowerPoint PPT Presentation


1
Security Issues for Distributed Computing
Prof. Steven A. Demurjian
Computer Science & Engineering Department
191 Auditorium Road, Box U-155
The University of Connecticut
Storrs, Connecticut 06269-3155
http://www.engr.uconn.edu/steve
steve@engr.uconn.edu
2
Overview
  • Background and Motivation
  • What are Key Distributed Security Issues?
  • What are Major/Underlying Security Concepts?
  • What are Available Security Approaches?
  • Identifying Key Distributed Security Requirements
  • Frame the Solution Approach
  • Outline UConn Research Emphasis
    • Secure Software Design (UML and AOSD)
    • Middleware-Based Realization (CORBA/JINI)
    • Information Exchange via XML

3
Security for Distributed Applications
  • How is Security Handled for Individual Systems?
  • What if Security is Never Available for
    Legacy/COTS/Database?
  • Security Issues for New Clients? New Servers?
    Across Network?
  • What about Distributed Security? Security Policy,
    Model, and Enforcement?
4
Recall Dynamic Coalitions
  • Crisis
    • Any Situation Requiring National or
      International Attention
  • Coalition
    • Alliance of Organizations
    • Military, Civilian, International or any
      Combination
  • Dynamic Coalition
    • Formed in a Crisis and Changes as Crisis Develops
    • Key Concern Being the Most Effective Way to
      Solve the Crisis
  • Dynamic Coalition Problem (DCP)
    • Security, Resource, and Information Sharing
      Risks that Occur as a Result of Coalition Being
      Formed

5
DC for Military Deployment/Engagement
OBJECTIVES
  • Securely Leverage Information in a Fluid
    Environment
  • Protect Information While Simultaneously
    Promoting the Coalition
  • Security Infrastructure in Support of DCP
Figure (national coalition systems): SICF (France),
LFCS (Canada), HEROS (Germany), SIACCON (Italy)
6
DC for Medical Emergency
Figure (coalition participants): Transportation,
Military Medics, Govt., Local Health Care, CDC
ISSUES
  • Privacy vs. Availability in Medical Records
  • Support Life-Threatening Situations via
    Availability of Patient Data on Demand
7
Security Issues: Confidence in Security
  • Assurance
    • Are the Security Privileges for Each User of DC
      Adequate (and Limited) to Support their Needs?
    • What Guarantees are Given by the Security
      Infrastructure of DC in Order to Attain
      • Safety: Nothing Bad Happens During Execution
      • Liveness: All Good Things can Happen During
        Execution
  • Consistency
    • Are the Defined Security Privileges for Each
      User Internally Consistent? (Least-Privilege
      Principle)
    • Are the Defined Security Privileges for Related
      Users Globally Consistent? (Mutual Exclusion)

8
Security for Coalitions
  • Dynamic Coalitions will play a Critical Role in
    Homeland Security during Crisis Situations
  • Critical to Understand the Security Issues for
    Users and System of Dynamic Coalitions
  • Multi-Faceted Approach to Security
    • Attaining Consistency and Assurance at Policy
      Definition and Enforcement
    • Capturing Security Requirements at Early Stages
      via UML Enhancements/Extensions
    • Providing a Security Infrastructure that Unifies
      RBAC and MAC for Distributed Setting

9
Four Categories of Questions
  • Questions on Software Development Process
    • Security Integration with Software Design
    • Transition from Design to Development
  • Questions on Information Access and Flow
    • User Privileges Key to Security Policy
    • Information for Users and Between Users
  • Questions on Security Handlers and Processors
    • Manage/Enforce Runtime Security Policy
    • Coordination Across EC Nodes
  • Questions on Needs of Legacy/COTS Appls.
    • Integrated, Interoperative Distributed
      Application will have New Apps., Legacy/COTS,
      Future COTS

10
Software Development Process Questions
  • What is the Challenge of Security for Software
    Design?
    • How do we Integrate Security with the Software
      Design Process?
    • What Types of Security Must be Available?
  • How do we Integrate Security into OO/Component-
    Based Design?
    • Integration into OO Design?
    • Integration into UML Design?
  • What Guarantees Must be Available in Process?
    • Assurance Guarantees re. Consistent Security
      Privileges?
    • Can we Support Security for Round-Trip and
      Reverse Engineering?

11
Software Development Process Questions
  • What Techniques are Available for Security
    Assurance and Analysis?
    • Can we Automatically Generate Formal Security
      Requirements?
    • Can we Analyze Requirements for Inconsistency
      and Transition Corrections Back to Design?
  • How do we Handle Transition from Design to
    Development?
    • Can we Leverage Programming Language Approaches
      in Support of Security for Development?
      • Subject-Oriented Programming?
      • Aspect-Oriented Programming?
      • Other Techniques?

12
Information Access and Flow Questions
  • Who Can See What Information at What Time?
    • What Are the Security Requirements for Each
      User Against Individual Legacy/COTS Systems and
      for the Distributed Application?
  • What Information Needs to Be Sent to Which Users
    at What Time?
    • What Information Should Be Pushed in an
      Automated Fashion to Different Users at Regular
      Intervals?

13
Information Access and Flow Questions
  • What Information Needs to Be Available to Which
    Users at What Time?
    • What Information Needs to Be Pulled On-Demand
      to Satisfy Different User Needs in Time-Critical
      Situations?
  • How Are Changing User Requirements Addressed
    Within the Distributed Computing Application?
    • Are User Privileges Static for the Distributed
      Computing Application?
    • Can User Privileges Change Based on the Context
      and State of Application?

14
Security Handlers/Processing Questions
  • What Security Techniques Are
    • Needed to Ensure That the Correct Information
      Is Sent to the Appropriate Users at the Right
      Time?
    • Necessary to Ensure That Exactly Enough
      Information and No More Is Available to
      Appropriate Users at Optimal Times?
    • Required to Allow As Much Information As
      Possible to Be Available on Demand to
      Authorized Users?

15
Security Handlers/Processing Questions
  • How Does the Design by Composition of a
    Distributed Computing Application Impact Both
    the Security and Delivery of Information?
    • Is the Composition of Its Secure Components
      Also Secure, Thereby Allowing the Delivery of
      Information?
    • Can We Design Reusable Security Components
      That Can Be Composed on Demand to Support
      Dynamic Security Needs in a Distributed Setting?
  • What Is the Impact of Legacy/COTS Applications on
    Delivering the Information?

16
Security Handlers/Processing Questions
  • How Does Distribution Affect Security Policy
    Definition and Enforcement?
    • Are Security Handlers/Enforcement Mechanisms
      Centralized and/or Distributed to Support
      Multiple, Diverse Security Policies?
    • Are There Customized Security
      Handlers/Enforcement Mechanisms at Different
      Levels of the Organizational Hierarchy?
    • Does the Organizational Hierarchy Dictate the
      Interactions of the Security Handlers for a
      Unified Enforcement Mechanism for the Entire
      Distributed System?

17
Legacy/COTS Applications Questions
  • When Legacy/COTS Appls. Are Placed Into a
    Distributed, Interoperable Environment
    • At What Level, If Any, Is Secure Access
      Available?
    • Does the Application Require That Secure Access
      Be Addressed?
    • How Is Security Added If It Is Not Present?
      What Techniques Are Needed to Control Access to
      Legacy/COTS?
    • What Is the Impact of New Programming Languages
      (Procedural, Object-Oriented, Etc.) and
      Paradigms?

18
Focusing on MAC, DAC and RBAC
  • For OO Systems/Applications, Focus on Potential
    Public Methods on All Classes
  • Role-Based Approach
    • Role Determines which Potential Public Methods
      are Available
    • Automatically Generate Mechanism to Enforce the
      Security Policy at Runtime
    • Allow Software Tools to Look-and-Feel Different
      Dynamically Based on Role
  • Extend in Support of MAC (Method and Data Levels)
    and DAC (Delegation of Authority)

19
Legacy/COTS Applications
  • Interoperability of Legacy/COTS in a Distributed
    Environment
  • Security Issues in Interoperative, Distributed
    Environment
    • Can MAC/DAC/RBAC be Exploited?
    • How are OO Legacy/COTS Handled?
    • How are Non-OO Legacy/COTS Handled?
    • How are New Java/C Appls. Incorporated?
    • Can Java Security Capabilities be Utilized?
    • What Does CORBA/ORBs have to Offer?
    • What about other Middleware (e.g. JINI)?
  • Explore Some Preliminary Ideas on Select Issues

20
A Distributed Security Framework
  • What is Needed for the Definition and Realization
    of Security for a Distributed Application?
  • How can we Dynamically Construct and Maintain
    Security for a Distributed Application?
    • Application Requirements Change Over Time
    • Seamless Transition for Changes
    • Transparency from both User and Distributed
      Application Perspectives
  • Support MAC, RBAC and DAC (Delegation)
  • Cradle to Grave Approach
    • Earliest Stages (UML) to Programming (Aspects)
    • Information Exchange (XML)
    • Middleware Environments - Inter-operating
      Artifacts and Clients

21
A Distributed Security Framework
  • Distributed Security Policy Definition, Planning,
    and Management
    • Integrated with Software Development: Design
      (UML) and Programming (Aspects)
    • Include Documents of Exchange (XML)
  • Formal Security Model with Components
    • Formal Realization of Security Policy
    • Identifiable Security Components
  • Security Handlers: Enforcement Mechanism
    • Run-time Techniques and Processes
    • Allows Dynamic Changes to Policy to be
      Seamlessly and Transparently Made

22
Interactions and Dependencies
Figure (dependency layers):
  • Enforcement Mechanism: Collection of SHs
    (Security Handlers)
  • Security Components
  • Formal Security Model
  • Distributed Security Policy
23
Policy Definition, Planning, Management
  • Interplay of Security Requirements, Security
    Officers, Users, Components and Overall System
  • Minimal Effort in Distributed Setting - CORBA Has
    Services for
    • Confidentiality, Integrity, Accountability, and
      Availability
    • But, No Cohesive CORBA Service Ties Them with
      Authorization, Authentication, and Privacy
  • Difficult to Accomplish in Distributed Setting
    • Must Understand All Constituent Systems
    • Interplay of Stakeholders, Users, Sec. Officers

24
Three-Pronged Security Emphasis
  • Secure Software Design via UML with MAC/RBAC
  • Secure Information Exchange via XML with MAC/RBAC
  • Secure MAC/RBAC Interactions via Middleware in
    Distributed Setting
Assurance: MAC Properties (Simple Integrity, Simple
Security, etc.), Safety, Liveness
25
Secure Software Design - T. Doan
Figure (approach): UML Model with Security: Capture
all Security Requirements! Other Possibilities:
Reverse Engineer Existing Policy to Logic-Based
Definition.
26
RBAC/MAC at Design Level
  • Security as First Class Citizen in the Design
    Process
  • Use Cases and Actors (Roles) Marked with Security
    Levels
  • Dynamic Assurance Checks to Ensure that
    Connections Do Not Violate MAC Rules

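An added example (not the deck's or the UConn tools' code) that carries out the assurance checks asked for on slide 7 (privileges adequate and limited, mutually exclusive roles) and here on slide 26 (actor/use-case connections checked against MAC rules). The level ordering, the course/grade sample data and the no-write-down rule applied to write connections are assumptions.

```python
# Added example (not the deck's or the UConn tools' code): design-level
# assurance checks for slide 7 (adequate and limited privileges, mutual
# exclusion) and slide 26 (actor/use-case connections vs. MAC rules).
# Level ordering, sample data and the write rule are assumptions.

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}  # Unclassified .. Top Secret

def mac_violations(actors, use_cases, connections):
    """Simple Security: an actor may read a use case only if its clearance
    is >= the use case's classification (no read up).  For writes we assume
    no write down: clearance must be <= classification."""
    bad = []
    for actor, uc, mode in connections:
        clr, cls = LEVELS[actors[actor]], LEVELS[use_cases[uc]]
        if mode == "read" and clr < cls:
            bad.append((actor, uc, "simple security: read up"))
        elif mode == "write" and clr > cls:
            bad.append((actor, uc, "write down"))
    return bad

def privilege_gaps(role_grants, role_needs):
    """Least privilege per role: 'missing' = needed but not granted (not
    adequate); 'extra' = granted but not needed (not limited)."""
    report = {}
    for role, needs in role_needs.items():
        grants = role_grants.get(role, set())
        report[role] = {"missing": needs - grants, "extra": grants - needs}
    return report

def mutual_exclusion_violations(user_roles, exclusive_pairs):
    """Global consistency: no user may hold two mutually exclusive roles."""
    return [(user, a, b) for user, roles in user_roles.items()
            for a, b in exclusive_pairs if a in roles and b in roles]

# constructed sample: a course/grade-record application (cf. slide 28)
ACTORS = {"Professor": "S", "Student": "U", "Registrar": "C"}
USE_CASES = {"ViewGrade": "C", "EnterGrade": "S", "ReadSyllabus": "U"}
CONNECTIONS = [("Professor", "EnterGrade", "write"),
               ("Student", "ViewGrade", "read"),
               ("Professor", "ReadSyllabus", "write"),
               ("Registrar", "ViewGrade", "read")]
ROLE_GRANTS = {"Student": {"Course.getSyllabus", "GradeRecord.getGrade",
                           "GradeRecord.setGrade"}}
ROLE_NEEDS = {"Student": {"Course.getSyllabus", "GradeRecord.getGrade",
                          "Document.read"}}
USER_ROLES = {"alice": {"Professor", "Registrar"}, "bob": {"Student"}}
EXCLUSIVE = [("Professor", "Registrar")]
```

Running the three checks over the sample data flags the Student reading up into ViewGrade, the Professor writing down into ReadSyllabus, a Student role that is both missing a needed method and granted an extra one, and alice holding two mutually exclusive roles.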
27
Secure Software Design - J. Pavlich
  • What are Aspects?
    • System Properties that Apply Across an Entire
      Application
    • Samples: Security, Performance, etc.
  • What is Aspect Oriented Programming?
    • Separation of Components and Aspects from One
      Another with Mechanisms to Support Abstraction
      and Composition for System Design
  • What is Aspect Oriented Software Design?
    • Focus on Identifying Components, Aspects,
      Compositions, etc.
    • Emphasis on Design Process and Decisions

28
Aspects for Security in UML
  • Consider the Class Diagram below that Captures
    Courses, Documents, and Grade Records
  • What are Possible Roles?
  • How can we Define Limitations of Role Against
    Classes?

29
A Role-Slice for Professors
30
A Role-Slice for Students
31
Middleware-Based Security - C. Phillips
  • Artifacts: DB, Legacy, COTS, GOTS, with APIs
  • New/Existing Clients use APIs
  • Can we Control Access to APIs (Methods) by
    • Role (who)
    • Classification (MAC)
    • Time (when)
    • Data (what)
    • Delegation
Figure (architecture): artifacts COTS, Database,
Legacy and GOTS; clients COTS Client, Legacy Client,
Database Client and Java Client; all connected across
the NETWORK
Working Prototype Available using CORBA, JINI,
Java, Oracle
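An added example, not the prototype's code, of a handler that enforces the five dimensions above (role, MAC classification, time, data, delegation) on a method call before it reaches the artifact; the roles, methods, Patient records and policy are constructed, and checking MAC against the caller's own role even under delegation is an assumption of this example.

```python
# Added example (not the UConn prototype's code): runtime enforcement of
# access to an artifact's API methods by role (who), classification (MAC),
# time (when), data (what) and delegation.  All names and data are constructed.
from datetime import datetime

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}
ROLE_CLEARANCE = {"Medic": "S", "Dispatcher": "C", "Transport": "C"}
METHOD_CLASS = {"Patient.read_record": "C", "Patient.update_vitals": "S"}
# role -> method -> (allowed hour window, predicate on the data instance)
POLICY = {
    "Medic": {"Patient.read_record": ((0, 24), lambda p: True),
              "Patient.update_vitals": ((0, 24), lambda p: p["status"] == "critical")},
    "Dispatcher": {"Patient.read_record": ((6, 22), lambda p: p["status"] != "critical")},
}
# delegation: (delegatee user, delegated role, method) -> delegating user
DELEGATIONS = {("carol", "Medic", "Patient.read_record"): "alice",
               ("carol", "Medic", "Patient.update_vitals"): "alice"}

def effective_role(user, role, method):
    """The user's own role if it grants the method, else a role delegated
    to the user for exactly this method, else None."""
    if method in POLICY.get(role, {}):
        return role
    for who, drole, m in DELEGATIONS:
        if who == user and m == method:
            return drole
    return None

def authorize(user, role, method, data, now):
    """Check who, MAC, when and what in turn; return (allowed, reason).
    Delegation passes on a method grant but not clearance, so MAC is always
    checked against the user's own role (an assumption of this example)."""
    erole = effective_role(user, role, method)
    if erole is None:
        return False, "role: no grant or delegation for " + method
    if LEVELS[ROLE_CLEARANCE[role]] < LEVELS[METHOD_CLASS[method]]:
        return False, "MAC: clearance below method classification"
    (start, end), where = POLICY[erole][method]
    if not start <= now.hour < end:
        return False, "time: outside %02d:00-%02d:00" % (start, end)
    if not where(data):
        return False, "data: instance outside role's scope"
    return True, "ok via role " + erole

# constructed sample inputs
CRITICAL = {"id": 17, "status": "critical"}
STABLE = {"id": 18, "status": "stable"}
NOON, MIDNIGHT = datetime(2003, 5, 1, 12), datetime(2003, 5, 1, 0)
```

With these inputs carol (Transport) can read a record through alice's delegation, but the delegated update_vitals grant is still stopped by the MAC check because her own clearance is below the method's classification.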
32
Process-Oriented View
33
Security for XML Documents
  • Emergence of XML for Document/Information
    Exchange
  • Extend RBAC/MAC to XML
    • Collection of Security DTDs
      • DTDs for Roles, Users, and Constraints
      • Capture RBAC and MAC
  • Apply Security DTDs to XML Documents
    • Result: Each XML Document Appears Differently
      Based on Role, MAC, Time, Value
    • Security DTD Filters Document
  • Ongoing: H. Wang, C. Ju, C. Slamka, and J. Boysen

Figure (document flow):
  • Security DTDs: Role DTD, User DTD, Constraint DTD
  • Security Officer Generates Security XML Files
    for the Application: Appl_Role.xml, Appl_User.xml,
    Appl_Constraint.xml
  • Application DTDs and XML: Application DTDs,
    Application XML Files
  • User's Role Determines the Scope of Access to
    Each XML Document
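An added example, not the group's code, of filtering an application XML document by a user's role, MAC clearance and a value constraint, in the spirit of the security DTDs above; the role, constraint and course documents are constructed stand-ins for Appl_Role.xml, Appl_Constraint.xml and an application XML file, and the time dimension is left out.

```python
# Added example (not the deck's or the UConn group's code): filter an XML
# document by role, MAC clearance and a value constraint.  The three
# documents below are constructed stand-ins; time constraints are omitted.
import xml.etree.ElementTree as ET

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}

# stand-in Appl_Role.xml: per role, its clearance and the elements it may see
ROLE_XML = """<roles>
  <role name="Professor" clearance="S"><allow element="student"/><allow element="grade"/><allow element="syllabus"/></role>
  <role name="Student" clearance="U"><allow element="student"/><allow element="grade"/><allow element="syllabus"/></role>
</roles>"""
# stand-in Appl_Constraint.xml: value constraint; $user means the requesting user
CONSTRAINT_XML = """<constraints>
  <constraint role="Student" element="grade" attr="student" equals="$user"/>
</constraints>"""
# stand-in application document; each element carries a MAC classification
DOC_XML = """<course id="CSE101">
  <student name="bob" cls="C"/>
  <grade student="bob" value="A" cls="U"/>
  <grade student="eve" value="B" cls="U"/>
  <syllabus cls="U">Week 1: distributed security</syllabus>
</course>"""

def filter_document(doc_xml, role_xml, constraint_xml, role, user):
    """Return the document with every top-level element removed that the
    role may not see, that is classified above the role's clearance, or
    that fails one of the role's value constraints."""
    r = ET.fromstring(role_xml).find("role[@name='%s']" % role)
    allowed = {a.get("element") for a in r.findall("allow")}
    clearance = LEVELS[r.get("clearance")]
    cons = [c for c in ET.fromstring(constraint_xml) if c.get("role") == role]
    doc = ET.fromstring(doc_xml)
    for el in list(doc):
        ok = el.tag in allowed and LEVELS[el.get("cls", "U")] <= clearance
        for c in cons:
            if c.get("element") == el.tag:
                want = user if c.get("equals") == "$user" else c.get("equals")
                ok = ok and el.get(c.get("attr")) == want
        if not ok:
            doc.remove(el)
    return doc

def visible(role, user):
    """(tag, grade owner) pairs the given role/user sees in DOC_XML."""
    return [(e.tag, e.get("student")) for e in
            filter_document(DOC_XML, ROLE_XML, CONSTRAINT_XML, role, user)]
```

The same course document comes back as four elements for a Professor but as only bob's own grade and the syllabus for the Student bob: the student element is hidden by MAC and eve's grade by the value constraint.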
34
Concluding Remarks
  • Objective is for Everyone to Think about the
    Range, Scope, and Impact of Security
  • Question-Based Approach Intended to Frame the
    Discussion
  • Proposed Solution for Distributed Environment
  • Current UConn Foci
    • Secure Software Design
    • Middleware Realization
    • XML Document Customization
  • Consider These and Other Issues for DCP