Title: ENgine for Controlling Emergent Hierarchical Role-Based Access (ENforCE HRBAccess)
ENgine for Controlling Emergent Hierarchical Role-Based Access (ENforCE HRBAccess)
- Osama Khaleel
- Thesis Defense
- May 2007
- Master of Science in Computer Science
- University of Colorado, Colorado Springs
- Committee Members
- Dr. Edward Chow, Chair
- Dr. Terry Boult
- Dr. Xiaobo Zhou
Thesis Defense Outline
- Intro & Background
- Design
- Implementation
- Performance Analysis
- Lessons Learned
- Future Work
- Contribution
- Demo
- Q & A
Introduction
- Roles in any organization are hierarchical by their nature.
- Resources in any organization vary
  - From a simple HTML web page,
  - To RDP/SSH access in which a user can gain full control.
- The mission becomes more complicated when users should access resources
  - Securely, and
  - Based on their ROLES.
- Password-based protection is far from satisfying high-level security requirements.
Role | Name | Direct Access
CEO | PAM ZALABAK | Admin Tool
CFO | BRIAN BURNETT | Finance-Mgmt, SSH, MySQL
Project Manager | TERRY BOULT | Projects-Manager, RDP
IT Manager | KATE TALLMAN | Resource-Manager, Passwords-Reset
Sales Manager | JIM TIDWELL | Sales-Write
Accounting Manager | JULIE BREWSTER | Finance-Write
Network Admin | EDWARD CHOW | VLAN-Manager, SSH
Database Admin | XIAOBO ZHOU | MySQL Interface, MySQL, SSH IF (ITMgr, CEO)
Developer | OSAMA KHALEEL | Reports-Submission, RDP IF (ProjMgr)
Engineer | BILL KRETSCHMER | Engineer-update-Read
Accountant | AMIE WOODY | View-Orders, MySQL IF (ANY)
Salesman | LEVI GRAY | Sales-Read
Background
- Authentication: Public Key Infrastructure (PKI)
  - Public Key Certificate (PKC)
  - Certificate Authority (CA)
  - Certificate Revocation List (CRL)
- Authorization: Privilege Management Infrastructure (PMI)
  - Attribute Certificate (AC)
  - Attribute Authority (AA)
- Policy Engine
  - Role-Based Access Control (RBAC)
    - Core
    - Hierarchical
  - eXtensible Access Control Markup Language (XACML)
    - Policy Enforcement Point (PEP)
    - Policy Decision Point (PDP)
- Active Directory (AD): stores certificates
- ISAPI Filter: secures web-resource access
- RBAC: a mechanism/model for restricting access based on the Role of authorized users.
  - Core: roles are assigned to users, and permissions are associated with roles, not directly with users.
  - Hierarchical: an enhancement to the core, in which senior roles inherit permissions from more junior roles.
- XACML: an XML-based OASIS standard that describes
  - A policy language
  - A request/response language
- The three main components in XACML are Rule, Policy, and PolicySet.
- The XACML RBAC profile has two main components
  - Permission PolicySet (PPS)
  - Role PolicySet (RPS)
- One PPS and one RPS for each defined Role.
- PPS
  - defines the Policies and Rules needed for the Permissions associated with a certain Role.
  - contains a set of PPS references, using <PolicySetIdReference>, to inherit permissions from the more junior role associated with each PPS reference.
- RPS
  - defines the Role name
  - includes ONLY one PPS, to associate this Role with its permissions defined in the corresponding PPS.

    <PolicySet PolicySetId="CFOPermissions">
      <Policy PolicyId="PolicyForCFORole">
        <Rule RuleId="FinanceManagementRule" Effect="Permit">
          <Target>
            <Subjects> <AnySubject/> </Subjects>
            <Resources>
              <Resource>
                <ResourceMatch MatchId="function:regexp-string-match">
                  <AttributeValue DataType="string">
                    https://ncdcrx3.uccs.edu/financial/finMgmt.aspx
                  </AttributeValue>
                </ResourceMatch>
              </Resource>
            </Resources>
          </Target>
        </Rule>
      </Policy>
      <PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference>
      <PolicySetIdReference>AccMgrPermissions</PolicySetIdReference>
    </PolicySet>

    <PolicySet PolicySetId="RPSCFO">
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="function:string-equal">
              <SubjectAttributeDesignator DataType="string" AttributeId="role"/>
              <AttributeValue DataType="string">CFO</AttributeValue>
            </SubjectMatch>
          </Subject>
        </Subjects>
      </Target>
      <PolicySetIdReference>CFOPermissions</PolicySetIdReference>
    </PolicySet>
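The PPS/RPS mechanics above, as an added example that is not the thesis's Java policy engine: it indexes a constructed set of PolicySets, finds a role's PPS through its RPS, follows <PolicySetIdReference> down to the junior roles' PPSs, and answers a Permit/Deny question for a URL. The SalesMgr PPS, the regexp resource patterns and the "RPS:" id prefix are constructed, and MatchId/DataType values are abbreviated as on the slides.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the slides' PPS/RPS shape (not the thesis's own policy files):
# the RPS binds the role name to its PPS, and the CFO PPS inherits the Sales Manager's
# permissions through <PolicySetIdReference>.
SAMPLE = """<Policies>
 <PolicySet PolicySetId="RPS:CFO"><Target><Subjects><Subject><SubjectMatch MatchId="function:string-equal">
   <SubjectAttributeDesignator DataType="string" AttributeId="role"/><AttributeValue DataType="string">CFO</AttributeValue>
  </SubjectMatch></Subject></Subjects></Target><PolicySetIdReference>CFOPermissions</PolicySetIdReference></PolicySet>
 <PolicySet PolicySetId="CFOPermissions"><Policy PolicyId="PolicyForCFORole"><Rule RuleId="FinanceManagementRule" Effect="Permit">
   <Target><Resources><Resource><ResourceMatch MatchId="function:regexp-string-match"><AttributeValue DataType="string">https://ncdcrx3.uccs.edu/financial/.*</AttributeValue></ResourceMatch></Resource></Resources></Target>
  </Rule></Policy><PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference></PolicySet>
 <PolicySet PolicySetId="SalesMgrPermissions"><Policy PolicyId="PolicyForSalesMgrRole"><Rule RuleId="SalesWriteRule" Effect="Permit">
   <Target><Resources><Resource><ResourceMatch MatchId="function:regexp-string-match"><AttributeValue DataType="string">https://ncdcrx3.uccs.edu/sales/.*</AttributeValue></ResourceMatch></Resource></Resources></Target>
  </Rule></Policy></PolicySet>
</Policies>"""

SETS = {ps.get("PolicySetId"): ps for ps in ET.fromstring(SAMPLE).findall("PolicySet")}  # id -> PolicySet

def role_pps(sets, role):
    """RPS lookup: the single PPS referenced by the PolicySet whose Target matches `role`."""
    for ps in sets.values():
        for sm in ps.iter("SubjectMatch"):
            if sm.findtext("AttributeValue", "").strip() == role:
                return ps.findtext("PolicySetIdReference").strip()
    return None

def permitted_patterns(sets, pps_id, seen=None):
    """Permit-rule resource regexps of this PPS and, transitively, of the junior PPSs it
    references; `seen` stops reference cycles and skips dangling references."""
    seen = set() if seen is None else seen
    if pps_id in seen or pps_id not in sets:
        return []
    seen.add(pps_id)
    pats = [rm.findtext("AttributeValue").strip()
            for rule in sets[pps_id].iter("Rule") if rule.get("Effect") == "Permit"
            for rm in rule.iter("ResourceMatch")]
    for ref in sets[pps_id].findall("PolicySetIdReference"):
        pats += permitted_patterns(sets, ref.text.strip(), seen)
    return pats

def decide(sets, role, url):
    """Permit if an inherited pattern matches, Deny if none does, NotApplicable if no RPS names the role."""
    pps = role_pps(sets, role)
    if pps is None:
        return "NotApplicable"
    return "Permit" if any(re.fullmatch(p, url) for p in permitted_patterns(sets, pps)) else "Deny"
```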
Design
- By taking advantage of the concepts & technologies just mentioned, the goal is to build a structure/engine that provides
  - Authentication
  - Authorization
  - Secure access based on users' ROLES
  - Protection for ANY type of resource
  - Fine-grained control based on active sessions
  - A PKI & PMI management tool
ENforCE Test-Bed

ENforCE Big Picture
[Figure: ENforCE big picture. Components: ISAPI filter in front of the protected web resources; Policy Enforcement Point; Policy Decision Point; session policy source; Iptables Control Daemon on the FC4 machine (firewall) in front of the protected network resources. Flows: HTTP request / XML response between ISAPI and the PEP, Get User's AC, Get Decision, Check session policy, Open/Close commands to the daemon, Permit/Deny access.]
Implementation
- Two types of access
  - Web-based resources (http://ncdcrx3.uccs.edu)
  - Network-based resources (http://ncdcrx4.uccs.edu)
- Web resources are accessed directly through IIS using https (port 443)
- Network resources
  - Activate a web session first
  - ENforCE will open the firewall for the specified service
  - Physically access the service through the firewall
  - Service port varies (e.g. SSH=22, RDP=3389)
- ISAPI Filter: enforces web-resource access (C/C++ - MFC)
- Global.asax: enforces net-resource access (C#/ASP.NET)
- Policy Engine: PEP, PDP, Policy, RBAC (XACML - Java)
- Firewall Daemon: updates Iptables rules (Java - JSSE)
Web resources (ISAPI)
1) Web request to IIS (IIS Authentication)
2) Http request with attributes from the ISAPI filter to the Policy Enforcement Point
3) Get User's AC
4) Get Decision from the Policy Decision Point
5) XML response with decision
6) Permit/Deny access to the protected web resources

Network resources (Global.asax)
1) Request a session through IIS (IIS Authentication) to Global.asax (ASP.NET Application)
2) Http request with attributes to the Policy Enforcement Point
3) Get User's AC
4) Get decision from the PDP
5) Check session policy (session policy source)
6) Open/Close commands to the Iptables Control Daemon on the FC4 machine (Firewall)
7) XML response with decision
8) Physically access the services (protected network resources)
Requests to PEP
- From ISAPI (access a web resource)
  http://localhost:8080/sispep/servlets/sispep ?
  - subject=CN=Edward Chow, C=US, S=CO, ...., E=chow@sis.uccs.edu, OU=Computer Science
  - URL=https://ncdcrx3.uccs.edu/it/img.jpg
  - method=GET
  - service=web
- From Global.asax (open a network resource)
  http://localhost:8080/sispep/servlets/sispep ?
  - subject=CN=Edward Chow, C=US, S=CO, ..., E=chow@sis.uccs.edu, OU=Computer Science
  - URL=https://ncdcrx4.uccs.edu/ssh/session.aspx
  - service=ssh
  - IP=128.198.55.11
  - sessionID=23hjhY43
  - action=open
- From Global.asax (close a network resource)
  http://localhost:8080/sispep/servlets/sispep ?
  - subject=CN=Edward Chow, C=US, S=CO, ..., E=chow@sis.uccs.edu, OU=Computer Science
  - URL=https://ncdcrx4.uccs.edu/ssh/session.aspx
  - service=ssh
Conditional Active-Session Access (CASA)
- Idea: a junior role can ONLY access a network resource IF its senior role has an active session for that resource.
- Why? To add finer access control.
- How? The PEP maintains a table. An entry looks like:

  sessionID | service | role | subject | URL | IP
  29gY3k0 | ssh | Engineer | Subject | https://ncdcrx4.uccs.edu/ssh/net.aspx | 128.198.162.50

  The PEP reads an XML policy file (session policy), e.g.:

    <Service name="SSH">
      <Senior>ProjectMngr</Senior>
      <Junior>Developer</Junior>
    </Service>

  The session policy file supports 3 cases:
  1) A CERTAIN Senior Role is required
  2) ANY Senior Role is required (NOT including itself)
  3) N Senior Roles are required

    <Service name="MySQL"><Senior>ANY</Senior><Junior>Accountant</Junior></Service>
    <Service name="SSH"><Senior>ITManager</Senior><Junior>DB Admin</Junior></Service>
    <Service name="SSH"><Senior>CEO</Senior><Junior>DBAdmin</Junior></Service>
CASA (cont'd)
- The PEP reads the session policy file and creates two things:
  1) Hierarchical-Role tree: to answer "Is Role A senior to Role B?"
  2) Session Policy Table: to decide, for the requested service, "Is the junior's access constrained by seniors?"

  Service | Senior | Junior
  SSH | CFO | Sales Mngr
  SSH | ANY | Developer
  RDP | CEO | DB Admin
  RDP | ITMngr | DB Admin
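The role tree and session policy table just described, evaluated against the three session-policy cases, as an added example that is not the thesis's Java PEP code. The role tree is constructed here from the org chart on the roles slide, the policy XML is constructed in the slides' <Service> shape, and case 3 (N senior roles) is read as requiring every listed senior to hold an active session.

```python
import xml.etree.ElementTree as ET

# Hierarchical-role tree: junior -> direct seniors. Constructed here from the
# org chart on the roles slide; the thesis derives its tree from the policy files.
ROLE_TREE = {"Accountant": {"AccMgr"}, "AccMgr": {"CFO"}, "CFO": {"CEO"},
             "Developer": {"ProjectMngr"}, "ProjectMngr": {"CEO"},
             "DBAdmin": {"ITManager"}, "ITManager": {"CEO"}}

# Constructed session policy in the slides' <Service>/<Senior>/<Junior> shape:
# case 1 (a certain senior), case 2 (ANY senior), case 3 (N seniors for one pair).
SESSION_POLICY = """<SessionPolicy>
 <Service name="SSH"><Senior>ProjectMngr</Senior><Junior>Developer</Junior></Service>
 <Service name="MySQL"><Senior>ANY</Senior><Junior>Accountant</Junior></Service>
 <Service name="SSH"><Senior>ITManager</Senior><Junior>DBAdmin</Junior></Service>
 <Service name="SSH"><Senior>CEO</Senior><Junior>DBAdmin</Junior></Service>
</SessionPolicy>"""

def load_session_table(xml_text):
    """Session Policy Table: (service, junior) -> required seniors ("ANY" kept literally)."""
    table = {}
    for svc in ET.fromstring(xml_text).findall("Service"):
        key = (svc.get("name"), svc.findtext("Junior").strip())
        table.setdefault(key, []).append(svc.findtext("Senior").strip())
    return table

def is_senior(tree, a, b):
    """Is role a senior to role b? Walk upward from b; a role is never senior to itself."""
    todo, seen = list(tree.get(b, ())), set()
    while todo:
        r = todo.pop()
        if r == a:
            return True
        if r not in seen:
            seen.add(r)
            todo.extend(tree.get(r, ()))
    return False

def casa_decision(table, tree, active, service, junior):
    """active: the PEP's table of live sessions as (sessionID, service, role) tuples.
    True when `junior` may open `service` now; an unconstrained pair falls back to plain RBAC."""
    required = table.get((service, junior))
    if required is None:
        return True
    live = {role for _, svc, role in active if svc == service}
    if "ANY" in required:                      # case 2: some strictly senior role is active
        return any(is_senior(tree, r, junior) for r in live)
    return all(r in live for r in required)    # cases 1 and 3: every listed senior is active
```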
Code Highlights (1)
- An ISAPI Filter should define 2 functions
  - GetFilterVersion(): register event notifications
    - pVer->dwFlags = SF_NOTIFY_SECURE_PORT | SF_NOTIFY_AUTH_COMPLETE
  - HttpFilterProc(): put the actual code that will be executed
    - Intercept URL
      - pfc->GetServerVariable(pfc, "URL", reqUrlBuf, &bufSize)
    - Intercept request method
      - pfc->GetServerVariable(pfc, "REQUEST_METHOD", methBuf, &bufSize2)
    - Intercept user's PKC
      - pfc->ServerSupportFunction(pfc, HSE_REQ_GET_CERT_INFO_EX, &ccex, &dwSize)
    - Submit a request to the PEP
      - pHttpFile = (CHttpFile*) pHttpSession.OpenURL(pepUrl)
    - Parse the XML response
      - CMarkup xml; use this object to traverse the XML response.
Code Highlights (2)
- Global.asax
  - Application_BeginRequest()
    - User's PKC = Request.ClientCertificate.Subject
    - URL = Request.Url.AbsoluteUri
    - IP = Request.ServerVariables["REMOTE_ADDR"]
  - Application_AcquireRequestState()
    - Session.Timeout = 1 // in minutes
    - srvSessionID = Session.SessionID
    - uri = new Uri(PolicyEnforcementPointUrl)
    - webReq = WebRequest.Create(PEPURI)
    - PEPResponse = webReq.GetResponse()
    - if (!Permit)
      - Response.Redirect(Error Page)
  - Session_End()
    - Similar to AcquireRequestState()'s code, but the action is close.
Code Highlights (3)
- Iptables Daemon
  - Create SSL context
    - sslctx = SSLContext.getInstance("TLSv1", "SunJSSE")
  - Define keyStores
    - PEPstore = KeyStore.getInstance("JKS", "SUN")
    - PEPtrust = KeyStore.getInstance("JKS", "SUN")
  - Define & init the trusted keystore
    - TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509", "SunJSSE")
    - tmf.init(PEPtrust)
  - Define & init the owned keystore (for the private key)
    - KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509", "SunJSSE")
    - kmf.init(PEPstore, keypass)
  - Init the SSL context
    - sslctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null)
    - SSLServerSocketFactory ssf = sslctx.getServerSocketFactory()
  - Init the SSL server socket
    - secSock = (SSLServerSocket) ssf.createServerSocket(9876)
    - secSock.setNeedClientAuth(true), i.e. mutual TLS: the daemon accepts open/close commands only from a client whose certificate chains to PEPtrust.
Performance Analysis
Unit: ms

Web resources (ISAPI)
Resource | Retrieve AC from AD | PDP decision | Total request time
Finance Mgmnt | 5.4750 | 3.0345 | 10.3476
Sales Write | 6.2864 | 4.3872 | 13.7203
Posting orders | 6.9820 | 4.92345 | 13.8433
View orders | 5.1734 | 4.1093 | 11.7390

Network resources (Global.asax), new session
Resource | Retrieve AC from AD | PDP decision | CASA decision | Firewall update | Total request time
SSH | 5.8730 | 3.8264 | 2.3654 | 15.5093 | 29.4374
RDP | 5.7639 | 4.9276 | 3.1093 | 17.1204 | 32.2841
MySQL | 6.1927 | 3.1043 | 2.5831 | 14.7627 | 30.6392

Network resources (Global.asax), session refresh
Resource | Retrieve AC from AD | PDP decision | CASA decision | Total request time
SSH | 6.8093 | 4.3298 | 3.9485 | 20.5912
RDP | 7.7602 | 3.8749 | 2.2037 | 20.5382
MySQL | 6.3175 | 3.7829 | 2.5582 | 19.7045
Lessons Learned
- It is not a good idea to use too many packages with different programming languages in one component (i.e. the Admin tool).
- At the very beginning, I tried to use a package called "CryptLib" [59] to create ACs, but it didn't work.
- I tried to use an HttpModule, but it turned out that it is triggered by aspx pages and can handle request-level events only. On the other hand, ISAPI filters and Global.asax were very good choices to go for:
  - ISAPI is very fast and works with any type of files.
  - Global.asax has the ability to deal with session- and application-level events.
- Don't start implementing something from scratch unless you have spent sufficient time researching it and making sure that it does not already exist.
- Generally speaking, it is really a good thing that a developer does not limit him/herself to a certain programming language or technology.
  - In fact, when I started working on this thesis, I only knew Java and some security-related things, so it took me some time to teach myself the required stuff to get this work done.
  - Now anyone who reads about this thesis can see that Java, C#, ASP.NET, JSP, C/C++, XACML, Iptables, X.509 certificates, ISAPI filters, OpenSSL, Tomcat, IIS, and Active Directory have been used. It wasn't easy though!
Future Work
- Extend the system to work in a multi-agency environment.
- Develop more services that can take advantage of the existing RBAC architecture. For instance:
  - RBAC E-Voting: users can vote based on their roles.
  - RBAC Instant Messenger: users can chat based on their roles.
  - RBAC E-Mail: users can send e-mails based on their roles.
  - RBAC XXX, and so on.
- Support more operating systems (Mac, Solaris, ...).
- Improve the Admin tool to initialize and modify Active Directory, and to be able to generate XACML policies.
- Support wireless access.
Thesis Contributions
Filed an Invention Disclosure with CU TTO
- Provide an architecture for small to mid-sized (potentially large-scale) companies to address accessing sensitive resources securely according to a hierarchical role-based access policy.
- Extend XACML's implementation to handle the Hierarchical Role-Based Access Control (HRBAC) model.
- Add a new concept of secure access in which a Senior Role can restrict its Junior Role's access using active sessions.
- Enhance IIS 6.0 with two components
  - ENforCE-ISAPI Filter
  - ENforCE-Global.asax
- Simplify PKI and PMI management, thereby reducing management cost and errors.
ENforCE Demo / Q & A
For references and more details, please refer to the Thesis report: http://cs.uccs.edu/gsc/pub/master/okhaleel/doc/osamaThesisReport.doc
- Authentication: the process in which someone provides some kind of credentials to prove his or her identity.
- CA: a trusted third party that issues digital certificates to be used by other parties. It guarantees that the individual granted the certificate is really who he or she claims to be.
- PKC: a digitally signed document that binds a public key to a subject (identity). This binding is asserted by a trusted CA.
- CRL: a list signed by the issuing CA that contains the serial numbers of the revoked certificates.
- Authorization: the process that is used to determine whether the subject has the required permissions to access some protected resources.
- AC: a digitally signed document that binds a set of attributes like membership, role, or security clearance to the AC holder.
- AA: a trusted third party that is responsible for issuing, maintaining, and revoking ACs.
- AD: a distributed directory service included in Windows Server 2000/2003
  - Microsoft's implementation of LDAP
  - Used to store and manage all information about network resources across the domain: computers, groups, users, ...
- ISAPI filters: DLLs that can be used to enhance and modify the functionality of IIS.
  - Powerful -> they can modify both the incoming and outgoing data stream for EVERY request.
- Global.asax: a file that resides in the root directory of the ASP.NET application.
  - Contains code to handle application-level and session-level events raised by ASP.NET.
- Iptables: a generic table structure for defining a set of rules to deal with network packets.
  - Rules are grouped into chains.
  - Chains are grouped into tables.
  - Each table is associated with a different kind of packet processing.