ENgine for Controlling Emergent Hierarchical Role-Based Access (ENforCE HRBAccess) - PowerPoint PPT Presentation

Provided by: Lion75
Learn more at: http://cs.uccs.edu
Transcript and Presenter's Notes

Title: ENgine for Controlling Emergent Hierarchical Role-Based Access (ENforCE HRBAccess)


1
ENgine for Controlling Emergent Hierarchical Role-Based Access (ENforCE HRBAccess)
  • Osama Khaleel
  • Thesis Defense
  • May 2007
  • Master of Science in Computer Science
  • University of Colorado, Colorado Springs
  • Committee Members
    • Dr. Edward Chow, Chair
    • Dr. Terry Boult
    • Dr. Xiaobo Zhou

2
Thesis Defense Outline
  • Intro & Background
  • Design
  • Implementation
  • Performance Analysis
  • Lessons Learned
  • Future Work
  • Contribution
  • Demo
  • Q & A

3
Introduction
  • Roles in any organization are hierarchical by
    their nature.
  • Resources in any organization vary:
    • From a simple HTML web page,
    • To RDP/SSH access in which a user can gain full
      control.
  • The mission becomes more complicated when users
    should access resources
    • Securely, and
    • Based on their ROLES.
  • Password-based protection is far from satisfying
    high-level security requirements.

4
Role                | Name             | Direct access
--------------------|------------------|--------------------------------------------
CEO                 | PAM ZALABAK      | Admin Tool
CFO                 | BRIAN BURNETT    | Finance-Mgmt, SSH, MySQL
Project Manager     | TERRY BOULT      | Projects-Manager, RDP
IT Manager          | KATE TALLMAN     | Resource-Manager, Passwords-Reset
Sales Manager       | JIM TIDWELL      | Sales-Write
Accounting Manager  | JULIE BREWSTER   | Finance-Write
Network Admin       | EDWARD CHOW      | VLAN-Manager, SSH
Database Admin      | XIAOBO ZHOU      | MySQL Interface, MySQL, SSH IF(ITMgr CEO)
Developer           | OSAMA KHALEEL    | Reports-Submission, RDP IF(ProjMgr)
Engineer            | BILL KRETSCHMER  | Engineer-update-Read
Accountant          | AMIE WOODY       | View-Orders, MySQL IF(ANY)
Salesman            | LEVI GRAY        | Sales-Read
5
Background
  • Public Key Infrastructure (PKI)
    • Authentication
    • Public Key Certificate (PKC)
    • Certificate Authority (CA)
    • Certificate Revocation List (CRL)
  • Privilege Management Infrastructure (PMI)
    • Authorization
    • Attribute Certificate (AC)
    • Attribute Authority (AA)
  • Policy Engine
    • Role-Based Access Control (RBAC): Core, Hierarchical
    • eXtensible Access Control Markup Language (XACML):
      Policy Enforcement Point (PEP), Policy Decision Point (PDP)
  • Active Directory (AD): stores certificates
  • ISAPI Filter: secures web-resource access
6
  • RBAC: a mechanism/model for restricting access
    based on the Role of authorized users.
    • Core: roles are assigned to users, and
      permissions are associated with roles, not
      directly with users.
    • Hierarchical: an enhancement to the core, in
      which senior roles inherit permissions from more
      junior roles.
  • XACML: an XML-based OASIS standard that describes
    • A policy language
    • A request/response language
  • The three main components in XACML are Rule,
    Policy, and PolicySet.
  • The XACML RBAC profile has two main components:
    • Permission PolicySet (PPS)
    • Role PolicySet (RPS)
  • One PPS and one RPS for each defined Role.

7
  • PPS
    • defines the Policies and Rules needed for the
      Permissions associated with a certain Role.
    • Contains a set of PPS references using
      <PolicySetIdReference> to inherit permissions
      from the more junior role associated with each
      PPS reference.
  • RPS
    • defines the Role name
    • includes ONLY one PPS to associate this Role
      with its permissions defined in the corresponding
      PPS.

<PolicySet PolicySetId="CFOPermissions">
  <Policy PolicyId="PolicyForCFORole">
    <Rule RuleId="FinanceManagementRule" Effect="Permit">
      <Target>
        <Subjects> <AnySubject/> </Subjects>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="function:regexp-string-match">
              <AttributeValue DataType="string">
                https://ncdcrx3.uccs.edu/financial/finMgmt.aspx
              </AttributeValue>
            </ResourceMatch>
          </Resource>
        </Resources>
      </Target>
    </Rule>
  </Policy>
  <PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference>
  <PolicySetIdReference>AccMgrPermissions</PolicySetIdReference>
</PolicySet>

<PolicySet PolicySetId="RPSCFO">
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="function:string-equal">
          <SubjectAttributeDesignator DataType="string" AttributeId="role"/>
          <AttributeValue DataType="string">CFO</AttributeValue>
        </SubjectMatch>
      </Subject>
    </Subjects>
  </Target>
  <PolicySetIdReference>CFOPermissions</PolicySetIdReference>
</PolicySet>
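The PPS inheritance chain above, resolved in code as an added example (not the thesis' Java policy engine): the PPS fragments are constructed and trimmed to Permit rules plus PolicySetIdReference links (CFO -> SalesMgr -> Salesman, with the ROLE_PPS dict standing in for the RPS role-to-PPS binding), regexp-string-match is assumed to be an anchored match, and a dangling or cyclic reference yields Deny.

```python
import re
import xml.etree.ElementTree as ET

# Constructed PPS fragments, trimmed to what the lookup needs: each PPS holds
# Permit rules (one resource regexp each) plus references to junior roles' PPSs.
PPS_XML = r"""<Policies>
<PolicySet PolicySetId="CFOPermissions">
  <Policy><Rule Effect="Permit"><AttributeValue>https://ncdcrx3\.uccs\.edu/financial/finMgmt\.aspx</AttributeValue></Rule></Policy>
  <PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference>
  <PolicySetIdReference>AccMgrPermissions</PolicySetIdReference>
</PolicySet>
<PolicySet PolicySetId="SalesMgrPermissions">
  <Policy><Rule Effect="Permit"><AttributeValue>https://ncdcrx3\.uccs\.edu/sales/write\.aspx</AttributeValue></Rule></Policy>
  <PolicySetIdReference>SalesmanPermissions</PolicySetIdReference>
</PolicySet>
<PolicySet PolicySetId="AccMgrPermissions">
  <Policy><Rule Effect="Permit"><AttributeValue>https://ncdcrx3\.uccs\.edu/financial/orders\.aspx</AttributeValue></Rule></Policy>
</PolicySet>
<PolicySet PolicySetId="SalesmanPermissions">
  <Policy><Rule Effect="Permit"><AttributeValue>https://ncdcrx3\.uccs\.edu/sales/.*</AttributeValue></Rule></Policy>
</PolicySet>
</Policies>"""

# Stand-in for the RPS: each role is bound to exactly one PPS (constructed).
ROLE_PPS = {"CFO": "CFOPermissions", "Sales Manager": "SalesMgrPermissions",
            "Accounting Manager": "AccMgrPermissions", "Salesman": "SalesmanPermissions"}

def load_pps(xml_text):
    """Map PolicySetId -> (Permit resource regexps, referenced PolicySetIds)."""
    pps = {}
    for ps in ET.fromstring(xml_text).iter("PolicySet"):
        patterns = [r.findtext("AttributeValue").strip() for r in ps.iter("Rule")
                    if r.get("Effect") == "Permit"]
        refs = [ref.text.strip() for ref in ps.findall("PolicySetIdReference")]
        pps[ps.get("PolicySetId")] = (patterns, refs)
    return pps

def permitted(pps, pps_id, url, seen=None):
    """Permit if this PPS, or any PPS it references (transitively), matches url.
    regexp-string-match is assumed here to be an anchored (full) match."""
    seen = set() if seen is None else seen
    if pps_id in seen or pps_id not in pps:
        return False                      # dangling or cyclic reference: deny
    seen.add(pps_id)
    patterns, refs = pps[pps_id]
    if any(re.fullmatch(p, url) for p in patterns):
        return True
    return any(permitted(pps, r, url, seen) for r in refs)

def decide(role, url, pps=load_pps(PPS_XML)):
    """PDP-style answer for a (role, resource) request; unknown roles are denied."""
    return "Permit" if role in ROLE_PPS and permitted(pps, ROLE_PPS[role], url) else "Deny"
```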
8
Design
  • By taking advantage of the concepts & technologies
    just mentioned, the goal is to build a
    structure/engine that provides
    • Authentication
    • Authorization
    • Secure access based on users' ROLES
    • Protection for ANY type of resource
    • Fine-grained control based on active sessions
    • A PKI & PMI management tool

9
ENforCE Test-Bed
10
ENforCE Big Picture
[Diagram: ENforCE big picture]
  • Web path: HTTP request -> ISAPI -> Policy Enforcement
    Point -> XML response -> Permit/Deny access to the
    protected web resources
  • PEP: gets the user's AC, gets the decision from the
    Policy Decision Point, checks the session policy
    (session policy source)
  • Network path: PEP sends Open/Close commands to the
    Iptables Control Daemon on the FC4 machine
    (firewall) -> Permit/Deny access to the protected
    network resources
11
Implementation
  • Two types of access:
    • Web-based resources (http://ncdcrx3.uccs.edu)
    • Network-based resources (http://ncdcrx4.uccs.edu)
  • Web resources are accessed directly through IIS
    using https (port 443).
  • Network resources:
    • Activate a web session first
    • ENforCE will open the firewall for the specified
      service
    • Physically access the service through the
      firewall.
    • Service port varies (e.g. SSH: 22, RDP: 3389)
  • ISAPI Filter -> Enforces Web-Resource Access
    (C/C++ - MFC)
  • Global.asax -> Enforces Net-Resource Access
    (C#/ASP.NET)
  • Policy Engine -> PEP, PDP, Policy, RBAC (XACML -
    Java)
  • Firewall Daemon -> Updates Iptables Rules (Java -
    JSSE)

12
Web resources (ISAPI)
[Diagram: web-resource access flow]
  1) Web request -> IIS (IIS Authentication)
  2) ISAPI sends an HTTP request with attributes to the
     Policy Enforcement Point
  3) PEP gets the user's AC
  4) PEP gets the decision from the Policy Decision Point
  5) XML response with decision back to ISAPI
  6) Permit/Deny access to the protected web resources
13
Network resources (Global.asax)
[Diagram: network-resource access flow]
  1) Request a session -> IIS (IIS Authentication) ->
     Global.asax (ASP.NET Application)
  2) Global.asax sends an HTTP request with attributes
     to the Policy Enforcement Point
  3) PEP gets the user's AC
  4) PEP gets the decision from the PDP
  5) PEP checks the session policy (session policy
     source)
  6) PEP sends Open/Close commands to the Iptables
     Control Daemon on the FC4 machine (Firewall)
  7) XML response with decision back to Global.asax
  8) Physically access the services (protected network
     resources) through the firewall
14
Requests to PEP
  • From ISAPI (Access a web resource):
    http://localhost:8080/sispep/servlets/sispep?
    subject=CN=Edward Chow, C=US, S=CO, ....,
      E=chow@sis.uccs.edu, OU=Computer Science
    URL=https://ncdcrx3.uccs.edu/it/img.jpg
    method=GET
    service=web
  • From Global.asax (Open a network resource):
    http://localhost:8080/sispep/servlets/sispep?
    subject=CN=Edward Chow, C=US, S=CO, .,
      E=chow@sis.uccs.edu, OU=Computer Science
    URL=https://ncdcrx4.uccs.edu/ssh/session.aspx
    service=ssh
    IP=128.198.55.11
    sessionID=23hjhY43
    action=open
  • From Global.asax (Close a network resource):
    http://localhost:8080/sispep/servlets/sispep?
    subject=CN=Edward Chow, C=US, S=CO, .,
      E=chow@sis.uccs.edu, OU=Computer Science
    URL=https://ncdcrx4.uccs.edu/ssh/session.aspx
    service=ssh

15
Conditional Active-Session Access (CASA)
  • Idea: a Junior role can ONLY access a network
    resource IF its Senior role has an active session
    for that resource.
  • Why? To add finer access control.
  • How? The PEP maintains a table. An entry looks like:

    29gY3k0 | ssh | Engineer | Subject | https://ncdcrx4.uccs.edu/ssh/net.aspx | 128.198.162.50

  • The PEP reads an XML policy file (session policy), e.g.:

    <Service name="SSH"> <Senior>ProjectMngr</Senior> <Junior>Developer</Junior> </Service>

  • The session policy file supports 3 cases:
    1) A CERTAIN Senior Role is required
    2) ANY Senior Role is required (NOT including itself)
    3) N Senior Roles are required

    <Service name="MySQL"> <Senior>ANY</Senior> <Junior>Accountant</Junior> </Service>
    <Service name="SSH"> <Senior>ITManager</Senior> <Junior>DB Admin</Junior> </Service>
    <Service name="SSH"> <Senior>CEO</Senior> <Junior>DBAdmin</Junior> </Service>
16
CASA (contd)
  • The PEP reads the session policy file and creates
    two things:
    1) Hierarchical-Role tree: to answer "Is Role A
       senior to Role B?"
    2) Session Policy Table: to decide "For the
       requested service, is the Junior's access
       constrained by Seniors?"

    Service | Senior | Junior     | Senior | Junior
    SSH     | CFO    | Sales Mngr | ANY    | Developer
    RDP     | CEO    | DB Admin   | ITMngr | DB Admin
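The CASA decision from the previous two slides as an added example (not the thesis PEP): it loads a constructed session policy in the slide's <Service>/<Senior>/<Junior> format into the session policy table, uses a constructed SENIORS dict in place of the hierarchical-role tree, and evaluates the three cases against the PEP's active-session rows; for case 3 it assumes every listed senior must currently hold a session for that service.

```python
import xml.etree.ElementTree as ET

# Constructed session policy in the slide's format (one <Service> per rule).
SESSION_POLICY = """<SessionPolicy>
  <Service name="SSH"><Senior>ProjectMngr</Senior><Junior>Developer</Junior></Service>
  <Service name="MySQL"><Senior>ANY</Senior><Junior>Accountant</Junior></Service>
  <Service name="SSH"><Senior>ITManager</Senior><Junior>DBAdmin</Junior></Service>
  <Service name="SSH"><Senior>CEO</Senior><Junior>DBAdmin</Junior></Service>
</SessionPolicy>"""

# Constructed stand-in for the hierarchical-role tree: role -> all roles senior to it.
SENIORS = {"Developer": {"ProjectMngr", "CEO"}, "DBAdmin": {"ITManager", "CEO"},
           "Accountant": {"AccountingMgr", "CFO", "CEO"}}

def load_session_policy(xml_text):
    """Session policy table: (service, junior) -> set of seniors named for it."""
    table = {}
    for svc in ET.fromstring(xml_text).iter("Service"):
        key = (svc.get("name"), svc.findtext("Junior").strip())
        table.setdefault(key, set()).add(svc.findtext("Senior").strip())
    return table

def casa_permit(policy, active, service, role):
    """active: rows (sessionID, service, role) from the PEP's active-session
    table. True when the junior's constraint is satisfied or none applies."""
    required = policy.get((service, role))
    if required is None:
        return True                       # no CASA constraint for this pair
    # only live sessions for the *same* service count as a senior session
    live = {r for _, s, r in active if s == service}
    if required == {"ANY"}:
        # case 2: any strictly senior role, never the junior's own session
        return bool(SENIORS.get(role, set()) & live)
    # case 1 (one named senior) and case 3 (N seniors): assumed that every
    # listed senior must currently hold a session for the service
    return required <= live
```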
17
Code Highlights (1)
  • An ISAPI Filter should define 2 functions:
    • GetFilterVersion(): register event notifications
      pVer->dwFlags = SF_NOTIFY_SECURE_PORT | SF_NOTIFY_AUTH_COMPLETE
    • HttpFilterProc(): put the actual code that will
      be executed
  • Intercept URL
      pfc->GetServerVariable(pfc, "URL", reqUrlBuf, &bufSize)
  • Intercept request method
      pfc->GetServerVariable(pfc, "REQUEST_METHOD", methBuf, &bufSize2)
  • Intercept user's PKC
      pfc->ServerSupportFunction(pfc, HSE_REQ_GET_CERT_INFO_EX, ccex, dwSize)
  • Submit a request to the PEP
      HttpFile = (CHttpFile*) pHttpSession.OpenURL(pepUrl)
  • Parse the XML response
      CMarkup xml; use this object to traverse the XML
      response.

18
Code Highlights (2)
  • Global.asax
    • Application_BeginRequest()
      User's PKC = Request.ClientCertificate.Subject
      URL = Request.Url.AbsoluteUri
      IP = Request.ServerVariables["REMOTE_ADDR"]
    • Application_AcquireRequestState()
      Session.Timeout = 1 // in minutes
      srvSessionID = Session.SessionID
      uri = new Uri(PolicyEnforcementPointUrl)
      webReq = WebRequest.Create(PEPURI)
      PEPResponse = webReq.GetResponse()
      if (!Permit)
        Response.Redirect(Error Page)
    • Session_End()
      Similar to AcquireRequestState()'s code but the
      action is close.

19
Code Highlights (3)
  • Iptables Daemon
    • Create SSL context
      sslctx = SSLContext.getInstance("TLSv1", "SunJSSE")
    • Define keyStores
      PEPstore = KeyStore.getInstance("JKS", "SUN")
      PEPtrust = KeyStore.getInstance("JKS", "SUN")
    • Define & init the trusted keystore
      TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509", "SunJSSE")
      tmf.init(PEPtrust)
    • Define & init the owned keystore (for the private
      key)
      KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509", "SunJSSE")
      kmf.init(PEPstore, keypass)
    • Init the SSL context
      sslctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null)
      SSLServerSocketFactory ssf = sslctx.getServerSocketFactory()
    • Init the SSL server socket
      secSock = (SSLServerSocket) ssf.createServerSocket(9876)
      secSock.setNeedClientAuth(true)

20
Performance Analysis
Unit: ms

Web resources (ISAPI)
Resource       | Retrieve AC from AD | PDP decision | Total request time
Finance Mgmnt  | 5.4750              | 3.0345       | 10.3476
Sales Write    | 6.2864              | 4.3872       | 13.7203
Posting orders | 6.9820              | 4.92345      | 13.8433
View orders    | 5.1734              | 4.1093       | 11.7390

Network resources (Global.asax), new session
Resource | Retrieve AC from AD | PDP decision | CASA decision | Firewall update | Total request time
SSH      | 5.8730              | 3.8264       | 2.3654        | 15.5093         | 29.4374
RDP      | 5.7639              | 4.9276       | 3.1093        | 17.1204         | 32.2841
MySQL    | 6.1927              | 3.1043       | 2.5831        | 14.7627         | 30.6392

Network resources (Global.asax), session refresh
Resource | Retrieve AC from AD | PDP decision | CASA decision | Total request time
SSH      | 6.8093              | 4.3298       | 3.9485        | 20.5912
RDP      | 7.7602              | 3.8749       | 2.2037        | 20.5382
MySQL    | 6.3175              | 3.7829       | 2.5582        | 19.7045
21
Lessons Learned
  • It is not a good idea to use too many packages
    with different programming languages in one
    component (i.e. the Admin tool).
  • At the very beginning, I tried to use a package
    called "CryptLib" [59] to create ACs, but it
    didn't work.
  • I tried to use an HttpModule, but it turned out
    that it is triggered by aspx pages and can handle
    request-level events only. On the other hand,
    ISAPI filters and Global.asax were very good
    choices to go for.
    • ISAPI is very fast and works with any type of
      file.
    • Global.asax has the ability to deal with session-
      and application-level events.
  • Don't start implementing something from scratch
    unless you have spent sufficient time to do
    research about it and to make sure that it does not
    already exist.
  • Generally speaking, it is really a good thing
    that a developer does not limit him/herself to a
    certain programming language or technology.
  • In fact, when I started working on this thesis, I
    only knew Java and some security-related things,
    so it took me some time to teach myself the
    required stuff to get this work done.
  • Now anyone who reads about this thesis can see
    that Java, C#, ASP.NET, JSP, C/C++, XACML,
    Iptables, X.509 certificates, ISAPI filters,
    OpenSSL, Tomcat, IIS, and Active Directory have
    been used. It wasn't easy though!

22
Future Work
  • Extend the system to work in a multi-agency
    environment.
  • Develop more services that can take advantage of
    the existing RBAC architecture. For instance:
    • RBAC E-Voting: users can vote based on their
      roles.
    • RBAC Instant Messenger: users can chat based on
      their roles.
    • RBAC E-Mail: users can send e-mails based on
      their roles.
    • RBAC XXX, and so on
  • Support more operating systems (Mac, Solaris ...)
  • Improve the Admin tool to initialize and modify
    Active Directory, and to be able to generate
    XACML policies.
  • Support wireless access.

23
Thesis Contributions
Filed an Invention Disclosure with CU TTO
  • Provide an architecture for small- to mid-sized
    (potentially large-scale) companies to address
    accessing sensitive resources securely according
    to a hierarchical role-based access policy.
  • Extend XACML's implementation to handle the
    Hierarchical Role-Based Access Control (HRBAC)
    model.
  • Add a new concept of secure access in which a
    Senior Role can restrict its Junior Role's access
    using active sessions.
  • Enhance IIS 6.0 with two components:
    • ENforCE-ISAPI Filter
    • ENforCE-Global.asax
  • Simplify PKI and PMI management, therefore
    reducing management cost and errors.

24
ENforCE Demo & Q&A
For references and more details, please refer to
the Thesis report:
http://cs.uccs.edu/gsc/pub/master/okhaleel/doc/osamaThesisReport.doc
25
  • Authentication: the process in which someone
    provides some kind of credentials to prove his or
    her identity.
  • CA: a trusted third party that issues digital
    certificates to be used by other parties. It
    guarantees that the individual granted the
    certificate is really who he or she claims to be.
  • PKC: a digitally signed document that binds a
    public key to a subject (identity). This binding
    is asserted by a trusted CA.
  • CRL: a list signed by the issuing CA that
    contains the serial numbers of the revoked
    certificates.
  • Authorization: the process that is used to
    determine whether the subject has the required
    permissions to access some protected resources.
  • AC: a digitally signed document that binds a set
    of attributes like membership, role, or security
    clearance to the AC holder.
  • AA: a trusted third party that is responsible for
    issuing, maintaining, and revoking ACs.

26
  • AD: a distributed directory service included in
    Windows Server 2000/2003
    • Microsoft's implementation of LDAP
    • Used to store and manage all information about
      network resources across the domain (computers,
      groups, users, ...)
  • ISAPI filters: DLLs that can be used to enhance
    and modify the functionality of IIS.
    • Powerful -> they can modify both the incoming and
      outgoing data stream for EVERY request.
  • Global.asax: a file that resides in the root
    directory of the ASP.NET application.
    • Contains code to handle application-level and
      session-level events raised by ASP.NET.
  • Iptables: a generic table structure for defining
    a set of rules to deal with network packets.
    • Rules are grouped into chains.
    • Chains are grouped into tables.
    • Each table is associated with a different kind of
      packet processing.