ifip 2002-1 role delegation for a distributed, unified rbac/mac* c. phillips, s. demurjian, t.c....
Post on 20-Dec-2015
214 views
TRANSCRIPT
IFIP 2002-1
Role Delegation for a Distributed, Unified Role Delegation for a Distributed, Unified RBAC/MAC*RBAC/MAC*
C. Phillips, S. Demurjian, T.C. Ting and J. EllisComputer Science & Engineering Department
The University of ConnecticutStorrs, Connecticut 06269-3155
[email protected], {steve, ting}@engr.uconn.edu
http://www.engr.uconn.edu/~steve/DSEC/dsec.html
M. Liebrand and H. EllisComputer and Info. Science Dept.
Rensselaer at HartfordHartford, CT 06120-2991
[email protected], [email protected]
860.548.5387, fax: 860.547.0868
*Supported in part by a grant from the GE Foundation to UConn’s Engineering School.
IFIP 2002-2
Introduction/MotivationIntroduction/MotivationDistributed Application AccessDistributed Application Access
Legacy
Legacy
COTS
GOTS
Database
Database
NETWORK
JavaClient
GOTSClient
LegacyClient
DatabaseClient
COTSClient
Premise: Premise: ArtifactsArtifacts - set of - set of DB, Legacy, COTS,
GOTS, Each w/ API Premise: Premise: UsersUsers
New and Existing Utilize Artifact APIs
Distributed ApplicationDistributed Application Artifacts + Users
Can we Control Can we Control UserUser Access to Access to Artifact Artifact APIs APIs (Methods) by … (Methods) by … Role (who) Classification (MAC) Time (when) Data (what)
IFIP 2002-3
Overview of Remainder of PresentationOverview of Remainder of Presentation
BackgroundBackground Security Model Definitions Examples of Definitions
Role DelegationRole Delegation Security Model Extensions for Role Delegation Examples of Role Delegation See Paper for Additional Analyses/Discussion
Regarding Enforcement Framework Security Assurance and Delegation EnforcementSecurity Assurance and Delegation Enforcement
Assurance at Design and Runtime Security Enforcement Framework Screen Shots of Various Security Tools
Conclusions and Ongoing/Future WorkConclusions and Ongoing/Future Work
IFIP 2002-4
Definition 1: A lifetime, LT, is a Discrete Time Interval [LT.st, LT.et] with LT.et > LT.st LT.st (start time) or LT.et (end time) is a tuple
(day, month, year, hour, minute, second) where x y means x.LT.st y.LT.st and
x.LT.et y.LT.et Definition 2: Relevant MAC Concepts are:
A sensitivity level, SLEVEL, SLEVEL = {U,C,S,T} unclassified (U) - no impact; confidential (C) causes some damage; secret (S), causes serious damage; top secret (T) causes exceptionally grave damage
SLEVELs form a hierarchy: U < C < S < T Clearance (CLR) is SLEVEL given to users Classification (CLS) is the SLEVEL given to entities
(roles, objects, methods, etc.)
Security Model DefinitionsSecurity Model DefinitionsLifetimes and MAC ConceptsLifetimes and MAC Concepts
IFIP 2002-5
Security Model DefinitionsSecurity Model DefinitionsMethods, Services, and ResourcesMethods, Services, and Resources
Definition 3:Definition 3: A A distributed applicationdistributed application, , DAPPL,DAPPL, is is composed of a set of composed of a set of software/systemsoftware/system resources resources (e.g., a legacy, COTS, DB, etc.), each composed of (e.g., a legacy, COTS, DB, etc.), each composed of a set of a set of services, services, which in turn are each composed which in turn are each composed of a set of of a set of methodsmethods. .
Definition 4:Definition 4: Every Every methodmethod is registered as: is registered as:
Definition 5Definition 5: Every : Every service service is registered as:is registered as:
Definition 6:Definition 6: Every Every resourceresource is registered as: is registered as:
],,,[ Paramsijk
CLSijk
LTijk
Nameijkijk MMMMM
],,[ CLSij
LTij
Nameijij SSSS
],,[ CLSi
LTi
Nameii RRRR
IFIP 2002-6
Global Command and Control System Global Command and Control System (GCCS) Resource/Service/Methods(GCCS) Resource/Service/Methods
GCCS Resource with Two Services - Classification Precedes Method
Joint Service with Methods: a.k.a (S) Weather (Token); METOC (S) VideoTeleconference (Token, fromOrg, toOrg); TLCF (S) JointOperationsPlannning (Token, CrisisNum); JOPES (S) CrisisPicture (Token, CrisisNum, Grid1, Grid2); COP (S) TransportationFlow (Token); JFAST (S) LogisticsPlanningTool (Token, CrisisNum); LOGSAFE (S) DefenseMessageSystem (Token); DMS (T) NATOMessageSystem (Token); CRONOS
Component Service with Methods: (S) ArmyBattleCommandSys (Token, CrisisNum); ABCS (S) AirForceBattleManagementSys (Token, CrisisNum);TBMCS (S) MarineCombatOpnsSys (Token, CrisisNum); TCO (S) NavyCommandSystem (Token, CrisisNum);JMCIS
IFIP 2002-7
Security Model DefinitionsSecurity Model DefinitionsUser Roles, UR List, Users, User ListUser Roles, UR List, Users, User List
Definition 7: Definition 7: A A user roleuser role, , URUR, representing a set , representing a set of responsibilities for an application, is defined as: of responsibilities for an application, is defined as:
[CDR_Crisis1, URLT, T] Definition 8:Definition 8: A A user-role list, user-role list, ,, URL URL is the set of is the set of rr
unique roles that have been defined for DAPPL. unique roles that have been defined for DAPPL. Definition 9:Definition 9: A A user, U,user, U, who will be accessing the who will be accessing the
DAPPL via a client application, is defined as: DAPPL via a client application, is defined as:
[Colonel_DoGood, ULT, S] Definition 10:Definition 10: A A user list, UL user list, UL is the set of is the set of uu users users
that have been defined for DAPPL.that have been defined for DAPPL.
],,[ CLSLTName URURURUR
],,[ CLRLTUserId UUUU
IFIP 2002-8
Security Model DefinitionsSecurity Model DefinitionsSignature and Time ConstraintsSignature and Time Constraints
Definition 11:Definition 11: A A signature constraint, SCsignature constraint, SC, is a , is a boolean expression defined on method’s signature boolean expression defined on method’s signature to limit the allowable values on the parameters.to limit the allowable values on the parameters.
CrisisPicture (Token, CrisisNum, Grid1, Grid2);CrisisPicture (Token, CrisisNum, Grid1, Grid2);Grid1 < NA20 and Grid2 < NC40Grid1 < NA20 and Grid2 < NC40
Definition 12:Definition 12: A A time constraint, TC, time constraint, TC, is a lifetime is a lifetime that represents when a method can be assigned to a that represents when a method can be assigned to a user role (or invoked by a user) or when a user is user role (or invoked by a user) or when a user is allowed to play a role. allowed to play a role.
ArmyBattleCommandSys (Token, CrisisNum);ArmyBattleCommandSys (Token, CrisisNum); TC =TC = [[10dec00, 16feb01]-10dec00, 16feb01]-shorthand notation
IFIP 2002-9
Security Model DefinitionsSecurity Model DefinitionsMAC Constraint/User Role AuthorizationsMAC Constraint/User Role Authorizations Definition 13:Definition 13: A A mandatory access control mandatory access control
constraint, MACC, constraint, MACC, is the is the dominationdomination of the of the SLEVEL of one entity over another entity:SLEVEL of one entity over another entity: CLS of Role Dominate () CLS of Resource,
Service, or Method CLR of User Dominate () CLS of Role
Definition 14Definition 14: A : A user-role authorization, URA,user-role authorization, URA, signifies a UR authorized to invoke a method signifies a UR authorized to invoke a method under optional TC and/or SC, and is defined as: under optional TC and/or SC, and is defined as:
Definition 15aDefinition 15a:: UR authorization matrix, URAMUR authorization matrix, URAM::],,,[ SCTCMURURA
otherwise
MinvoketoauthorizedisURMURURAM ji
ji 0
1),(
IFIP 2002-10
Example Users, User Roles, and URAsExample Users, User Roles, and URAs
],
IFIP 2002-11
Security Model DefinitionsSecurity Model DefinitionsRemaining DefinitionsRemaining Definitions
Definition 15bDefinition 15b:: A A valid user-role authorization valid user-role authorization list, VURAL list, VURAL has URAM(UR,M) = 1. has URAM(UR,M) = 1.
Definition 16: Definition 16: A A user authorization, UA,user authorization, UA, is a user is a user authorized to play a role: authorized to play a role:
Definition 17aDefinition 17a:: User authorization matrix, UAMUser authorization matrix, UAM::
Definition 17bDefinition 17b: A : A valid user authorization list, valid user authorization list, (VUA) has UAM(UR,U) = 1.(VUA) has UAM(UR,U) = 1.
Definition 18Definition 18: A : A client, C, client, C, is authorized user is authorized user UU, , uniquely identified via a uniquely identified via a client tokenclient token C = [U, UR, C = [U, UR, IP-Address, Client-Creation-Time]IP-Address, Client-Creation-Time]. .
],,[ TCURUUA
otherwise
URtoauthorizedisUUURUAM ij
ji 0
1),(
IFIP 2002-12
Role Delegation Extensions Role Delegation Extensions
Role Delegation: Where Authorized Individual (not the Security Officer) may Delegate all or part of his/her Authority (roles) to Another Individual Identify Roles that are Delegatable Distinguish: Original and Delegated Users Delegation Authority and Delegated Role
What Can be Delegated?What Can be Delegated? Authority – can do task, but no responsibility Responsibility – implies accountability Duty – obligation to execute task Our Focus: Delegate Authority Only
IFIP 2002-13
Role DelegationRole DelegationDelegatable UR, Original/Delegated UserDelegatable UR, Original/Delegated User Definition 19:Definition 19: A A delegatable UR, DURdelegatable UR, DUR, is a UR , is a UR
that is eligible for delegation. that is eligible for delegation. Definition 20:Definition 20: The The delegatable UR vector, DURV,delegatable UR vector, DURV,
is defined for all is defined for all r r as: as:
Definition 21:Definition 21: An An original user, OUoriginal user, OU UL, UL, is is authorized to the UR such that there exists a VUA authorized to the UR such that there exists a VUA for the OU/UR, i.e., UAM(UR,OU) = 1for the OU/UR, i.e., UAM(UR,OU) = 1
Definition 22:Definition 22: A A delegated user, DUdelegated user, DU UL, UL, is a is a user eligible to be delegated a UR by an OU or a user eligible to be delegated a UR by an OU or a DU (there is not a VUA i.e., UAM(UR,DU) DU (there is not a VUA i.e., UAM(UR,DU) 1). 1). Note a DU of a UR cannot be an OU for same UR. Note a DU of a UR cannot be an OU for same UR.
DURanotisUR
DURaisURURDURV
i
ii 0
1)(
IFIP 2002-14
Role DelegationRole DelegationModel ExtensionsModel Extensions
Definition 23:Definition 23: User delegation/authorization User delegation/authorization matrix,matrix, UDAMUDAM: :
Definition 24:Definition 24: Delegation authority, DA, Delegation authority, DA, is given is given to the OU to allow delegation of a DUR.to the OU to allow delegation of a DUR.
Definition 25:Definition 25: Pass-on delegation authority, Pass-on delegation authority, PODA, PODA, allows an OU (DU) to pass on DA for a allows an OU (DU) to pass on DA for a DUR to another user (OU or DU). DUR to another user (OU or DU).
Definition 26:Definition 26: Delegation authority matrix,Delegation authority matrix, DAMDAM::
ij
ij
ij
ji
URtoauthorizednotisU0
URofOUanisU1
URofDUaisU2
UURUDAM ),(
ij
ij
ij
ji
URforPODAnorDAneitherhasU0
URforDAonlyhasU1
URforPODAandDAhasU2
UURDAM ),(
IFIP 2002-15
Example - Role DelegationExample - Role Delegation
General DoBest Delegates his Role to Colonel DoGood with DA, where DoBest, CDR_CR1, and DoGood defined as:
OU: [DoBest, [ct, ], T]UR: [CDR_CR1, [01dec00, 01dec01], T]UA: [DoBest, CDR_CR1, [01dec00, 01dec01]]DA: YesPODA: Yes
After Delegation:
DU: [DoGood, [01dec00, 01jun01], T]UA: [DoGood, CDR_CR1, [01dec00, 01jun01]]
IFIP 2002-16
Example - Role DelegationExample - Role Delegation
Now,Now, Colonel DoGood wishes to re-delegate Colonel DoGood wishes to re-delegate CDR_CR1 to Major CanDoRight, which can be CDR_CR1 to Major CanDoRight, which can be defined as:defined as:
DU: [DoGood, [01dec00, 01jun01], T]UR: [CDR_CR1, [01dec00, 01dec01], T]UA: [DoGood, CDR_CR1, [01dec00, 01jun01]]DA: YesPODA: No
After Delegation:
DU: [CanDoRight, [01jan01, 01feb01], T]UA: [CanDoRight, CDR_CR1, [01dec00, 01jun01]]
IFIP 2002-17
Example Matrices Used to Example Matrices Used to Define/Track/Monitor DelegationDefine/Track/Monitor Delegation
IFIP 2002-18
Related Work: Role DelegationRelated Work: Role Delegation
Role Administration [Awis97]Role Administration [Awis97] Delegation with RBAC [Bark00, Na00]Delegation with RBAC [Bark00, Na00] Delegation Principals [Zhang01]Delegation Principals [Zhang01] Similarities and DifferencesSimilarities and Differences
In Our Approach, OU Maintains Control of Delegation DU Cannot Give Delegation Authority
Our Approach is Dynamic, in that, Delegations have LTs Changeable During Runtime
Our Delegation Incorporates MACC We extend Zhang’s Definitions to Include
Delegation Authority, Revocation Authority, Delegated Role, and Delegatable Role
IFIP 2002-19
Design Time Security Assurance Design Time Security Assurance for Delegationfor Delegation
Design Time Checks – Policy RealizationDesign Time Checks – Policy Realization MACC Domination
Clearance (CLR) Dominates Classification (CLS) Role Delegation
DU Not Already a Role Member User to User Delegation Authority
Must Check User Delegation Authority Matrix DU Meets MACC Requirements
Lifetime Consistency DU’s LT Must be Within OU’s LT
Modified Boolean Delegation OU can Delegate and Pass on Delegation Authority DU cannot Pass On Delegation Authority
IFIP 2002-20
Run Time Security Assurance Run Time Security Assurance for Delegationfor Delegation
Executed While Running Distributed ApplicationExecuted While Running Distributed Application MACC Domination Role Delegation User to User Delegation Authority Lifetime Consistency Modified Boolean Delegation
(additional checks) Delegation Revocation Authorization Rule
OU/DU Can Revoke Any Initiated Delegation Cascading Revocation Rule
Whenever OU is Revoked, OU’s Delegations are revoked, Including Passed On Delegations
IFIP 2002-21
Security Enforcement FrameworkSecurity Enforcement Framework
Unified Security Resource (USR) Services to:Unified Security Resource (USR) Services to: Manage URs and Privileges Authorize URs to Us Identify Users and Track Security Behavior USR Performs Run Time Assurance
Security Tools Performs Design Time AssuranceSecurity Tools Performs Design Time Assurance Security Policy Client to Grant/Revoke Privileges (TCs,
methods, SCs)/set CLS/CLR Security Authorization Client to Assign CLRs and
Authorize URs to End Users Security Delegation Client (SDC) for Defining and
Managing Role Delegation Security Analysis Tool (SAT) to Track all Client Activity
(Logons/Method Invocations)
IFIP 2002-22
Security Enforcement Framework Security Enforcement Framework Software ArchitectureSoftware Architecture
WrappedResource for LegacyApplication
WrappedResource
for DatabaseApplication
LookupService
General Resource
WrappedResource
for COTSApplication
JavaClient
LegacyClient
DatabaseClient
SoftwareAgent
COTSClient
Lookup
Service
Security AuthorizationClient (SAC)
Security Policy Client (SPC)
Global ClockResource (GCR)
SecurityRegistration
Services
Unified Security Resource (USR)
Security Policy
Services
SecurityAuthorization
Services
SecurityAnalysis and
Tracking (SAT)
Security DelegationClient (SDC)
Oracle DB
IFIP 2002-23
Security Policy Client Security Policy Client Creating a URCreating a UR
IFIP 2002-24
Security Authorization Client Security Authorization Client Creating a UserCreating a User
IFIP 2002-25
Security Authorization Client Security Authorization Client Granting UR to UserGranting UR to User
IFIP 2002-26
Security Delegation Client Security Delegation Client Granting DelegationGranting Delegation
IFIP 2002-27
Security Delegation Client Security Delegation Client Granting Delegation Granting Delegation
IFIP 2002-28
Security Delegation Client Security Delegation Client Revoking DelegationRevoking Delegation
IFIP 2002-29
Conclusions and Ongoing/Future WorkConclusions and Ongoing/Future Work
ConclusionsConclusions Presented Underlying Security Model Detailed Role Delegation Extensions to
Security Model Introduced Assurance Checks for Delegation Presented Screen Shots of Prototype
Ongoing/Future WorkOngoing/Future Work User Role Deconfliction Internal Role Deconfliction Increased Method Level MAC Constraints Establish Group Roles
See: http://www.engr.uconn.edu/~steve/DSEC/dsec.htmlSee: http://www.engr.uconn.edu/~steve/DSEC/dsec.html