OpenSplice Security Module
DESCRIPTION
This presentation provides an overview of the mechanisms provided by the OpenSplice Security Module to support secure DDS communication.
TRANSCRIPT
OpenSplice DDS
OpenSplice Security Module
Angelo CORSARO, Ph.D.
Chief Technology Officer
OMG DDS SIG Co-Chair
Copyright 2011, PrismTech – All Rights Reserved.
OpenSplice Security in Brief
The OpenSplice Security module provides transport security with the following properties:
☐ Confidentiality and data integrity (availability is built into DDS itself)
☐ Separation between the area in which information is processed in unencrypted form (RED) and the area into which critical information is not permitted to flow in unencrypted form (BLACK)
☐ Authenticity via Mandatory Access Control
Separation of Information Flows
☐ OpenSplice DDS binds a level of security to a node (or to an OS partition on a separation kernel)
☐ All applications running on the same node share the same level of security (they run as the same user)
☐ Reliable separation between different levels of security (clearances) is provided for applications deployed on different nodes (or OS partitions)
Data Confidentiality and Integrity
DDS Partitions
☐ The Partition QoS Policy can be used as the subject that organizes the flow of data
☐ The Partition QoS Policy connects Publishers/Subscribers to a list of Partitions, which may also contain wildcards, e.g. tracks.*
☐ Topics are published and subscribed across one or more Partitions
[Figure: a Domain with three Publishers and three Subscribers attached to the Partitions "tracks.kfo" and "tracks.ufo"]
[Figure: Global Data Space (GDS) with the Partitions "airspace.kfo.aircrafts", "airspace.kfo.flyingcars" and "airspace.tfo". A TracksPublisher and further Publishers hold DataWriter<TrackedObject> and DataWriter<FlightPlan>; Subscribers hold DataReader<TrackedObject>, DataReader<Tracks> and DataReader<FlightPlan>. Topics shown: FlightPlanAirCraft, FlightPlanFlyingCar]
[Figure: the same Global Data Space, now with a Subscriber whose Partition QoS is "airspace.*"; the wildcard matches all three Partitions "airspace.kfo.aircrafts", "airspace.kfo.flyingcars" and "airspace.tfo"]
[Figure: the same Global Data Space, now with a Subscriber whose Partition QoS is "airspace.kfo.*"; the wildcard matches only "airspace.kfo.aircrafts" and "airspace.kfo.flyingcars", not "airspace.tfo"]
OpenSplice Network Partitions
☐ OpenSplice DDS maps DDS Partitions onto Network Partitions
[Figure: the Publishers and Subscribers on the DDS Partitions "tracks.kfo" and "tracks.ufo" are mapped onto the Network Partitions "NetPartOne", "NetPartTwo" and "NetPartThree", each bound to a network address; the addresses shown are 239.1.1.19, 239.1.1.18 and 239.1.1.18,192.1.1.7]
{C+I} in OpenSplice DDS
☐ A Security Profile can be associated with a Network Partition
☐ Each Security Profile specifies:
  ☐ Cipher (AES, BLOWFISH, N/A)
  ☐ Key
☐ All data sent over the given Network Partition is then encrypted with the provided cipher/key
Note: a profile whose cipher is N/A sends that Network Partition's traffic in clear, and the key is a static shared secret carried in the configuration, so key distribution and rotation have to be handled outside this mechanism. Where both ciphers are available, prefer AES: Blowfish is a 64-bit block cipher.
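The following is an added example, not code from the slides or from OpenSplice itself. It models the two mechanisms described above: DDS Partition matching with wildcards (the "airspace.*" versus "airspace.kfo.*" figures), and the DDS Partition to Network Partition to Security Profile resolution, used here as an audit check for data flows that would leave a node unencrypted. The matching rule (identical names match, a wildcard expression matches a literal name using fnmatch syntax, two wildcards never match) is the DDS PARTITION QoS rule; the first-match-wins mapping order, the "Global" fallback partition, the profile contents and every name and key identifier below are constructed assumptions.

```python
"""Added example (not OpenSplice code): DDS partition matching and the
DDS-partition -> network-partition -> security-profile resolution described
on the slides, applied as an audit of which flows would go out in clear.
Names, mapping order, fallback partition and keys are constructed."""
from fnmatch import fnmatchcase

WILDCARD_CHARS = set("*?[")


def is_wildcard(name: str) -> bool:
    return any(c in WILDCARD_CHARS for c in name)


def partitions_match(a: str, b: str) -> bool:
    """DDS PARTITION QoS matching: two names match if they are identical, or
    if exactly one of them is a wildcard expression (fnmatch syntax) that
    matches the other. Two wildcard expressions never match each other."""
    if a == b:
        return True
    if is_wildcard(a) and is_wildcard(b):
        return False
    if is_wildcard(a):
        return fnmatchcase(b, a)
    if is_wildcard(b):
        return fnmatchcase(a, b)
    return False


def reachable_partitions(subscriber_partitions, publisher_partitions):
    """Literal publisher partitions a Subscriber with the given PARTITION QoS
    list (possibly containing wildcards) actually receives data from."""
    return {
        p for p in publisher_partitions
        if any(partitions_match(s, p) for s in subscriber_partitions)
    }


# Constructed deployment model (assumption: the slides only say that DDS
# Partitions are mapped onto Network Partitions and that a Security Profile
# with cipher + key can be attached to a Network Partition).
SECURITY_PROFILES = {
    "Profile1": {"cipher": "AES", "key_id": "key-kfo-2011"},
    "Profile2": {"cipher": "BLOWFISH", "key_id": "key-ufo-2011"},
    "NoCrypto": {"cipher": "N/A", "key_id": None},
}

NETWORK_PARTITIONS = {
    "NetPartOne": {"address": "239.1.1.19", "profile": "Profile1"},
    "NetPartTwo": {"address": "239.1.1.18", "profile": "Profile2"},
    "NetPartThree": {"address": "239.1.1.18,192.1.1.7", "profile": "NoCrypto"},
    "Global": {"address": "broadcast", "profile": None},  # assumed fallback
}

# (DDS partition expression, network partition); evaluated top to bottom,
# first match wins (assumption).
PARTITION_MAPPINGS = [
    ("tracks.kfo", "NetPartOne"),
    ("tracks.ufo", "NetPartTwo"),
    ("tracks.*", "NetPartThree"),
]


def resolve_network_partition(dds_partition: str) -> str:
    for expr, netpart in PARTITION_MAPPINGS:
        if partitions_match(expr, dds_partition):
            return netpart
    return "Global"


def resolve_cipher(dds_partition: str):
    """Cipher protecting data written to a DDS partition, or None when the
    resolved network partition carries no security profile at all."""
    netpart = NETWORK_PARTITIONS[resolve_network_partition(dds_partition)]
    if netpart["profile"] is None:
        return None
    return SECURITY_PROFILES[netpart["profile"]]["cipher"]


def unencrypted_partitions(dds_partitions):
    """Audit check: DDS partitions whose traffic leaves the node in clear,
    because the network partition has no profile or its cipher is N/A."""
    return sorted(p for p in dds_partitions
                  if resolve_cipher(p) in (None, "N/A"))


if __name__ == "__main__":
    pubs = ["airspace.kfo.aircrafts", "airspace.kfo.flyingcars", "airspace.tfo"]
    print(reachable_partitions(["airspace.*"], pubs))
    print(reachable_partitions(["airspace.kfo.*"], pubs))
    print(unencrypted_partitions(["tracks.kfo", "tracks.ufo", "tracks.xfo", "weather"]))
```

Two points the code makes that the slides leave implicit: a wildcard Partition QoS on the subscribing side widens what a node receives, so the subscriber's partition list is part of the security configuration, not just the routing; and a DDS partition that falls through the mappings (here "weather") or lands on a profile with cipher N/A is sent in clear even though encryption is "enabled" elsewhere in the deployment.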
Access Control
Access Control
☐ Access Control is implemented via an optional, pluggable module
☐ This allows plugging in modules implementing Mandatory Access Control (MAC) based on the Bell-LaPadula/Biba models, Role-Based Access Control, or others
☐ The current implementation only provides support for Mandatory Access Control (MAC)
Access Control in OpenSplice
☐ OpenSplice implements two access control enforcement points:
  ☐ Inbound traffic. When reading data from the network, the following checks are carried out:
    ☐ is the reader allowed to receive the data?
    ☐ was the data published by a trusted node? (in other words, was the sender allowed to send the data)
  ☐ Outbound traffic. When writing data to the network, the following check is carried out:
    ☐ is the user allowed to write data to the network?
MAC in OpenSplice
☐ Mandatory Access Control (MAC) in OpenSplice combines the Bell-LaPadula and Biba models to ensure confidentiality and data integrity
☐ Each resource (object) has a classification made of (1) a secrecy level, (2) an integrity level and (3) the set of compartments this resource is intended for
☐ Each user (subject) has a clearance made of (1) a secrecy level, (2) an integrity level and (3) the set of compartments this user has a 'need-to-know' for
MAC in OpenSplice
☐ To determine whether a user is authorized to access a resource, e.g. to publish or subscribe to a given topic, the clearance of the user is compared with the classification of the resource
Secrecy Level
☐ Subscribing is permitted if the resource's secrecy level is identical to or lower than the user's secrecy level (Bell-LaPadula: no read up)
☐ Publishing is permitted if the resource's secrecy level is identical to or higher than the user's secrecy level (Bell-LaPadula: no write down)
Integrity Level
☐ Subscribing is permitted if the resource's integrity level is identical to or higher than the user's integrity level (Biba: no read down)
☐ Publishing is permitted if the resource's integrity level is identical to or lower than the user's integrity level (Biba: no write up)
Need to Know
☐ Publish/Subscribe is permitted if the user's set of compartments is a subset of the resource's set of compartments
Note that this is the reverse of the classical Bell-LaPadula category check, in which the object's compartment set must be a subset of the subject's; as stated here, a user with an empty compartment set passes the need-to-know check for every resource. Confirm which direction your OpenSplice version enforces before relying on compartments for separation.
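The following is an added example, not code from the slides or from OpenSplice. It puts the secrecy, integrity and need-to-know rules stated above into two decision functions and combines them into the two enforcement points described earlier (outbound: may the local user write; inbound: may the local reader receive, and was the sender allowed to publish). The ordered level names, the sample labels and the assumption that the sender's clearance is available at the receiving node (the slides only say the data must come from a trusted node) are constructed for illustration. The compartment rule is implemented exactly as the slide states it, user's set as a subset of the resource's set.

```python
"""Added example (not OpenSplice code): Bell-LaPadula + Biba + compartment
checks as stated on the slides, wired into the inbound and outbound
enforcement points. Level names and sample labels are constructed."""
from dataclasses import dataclass, field

# Ordered levels; higher index = more sensitive (secrecy) / more trusted (integrity).
LEVELS = ["UNCLASSIFIED", "RESTRICTED", "CONFIDENTIAL", "SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """Used both as a resource classification and as a user clearance."""
    secrecy: str
    integrity: str
    compartments: frozenset = field(default_factory=frozenset)


def need_to_know(user: Label, resource: Label) -> bool:
    """Rule as stated on the slides: the user's compartments must be a subset
    of the resource's compartments (note: reverse of classical BLP categories,
    and an empty user set passes for every resource)."""
    return user.compartments <= resource.compartments


def may_subscribe(user: Label, resource: Label) -> bool:
    """Bell-LaPadula simple security (no read up): resource secrecy <= user's.
    Biba simple integrity (no read down): resource integrity >= user's."""
    return (RANK[resource.secrecy] <= RANK[user.secrecy]
            and RANK[resource.integrity] >= RANK[user.integrity]
            and need_to_know(user, resource))


def may_publish(user: Label, resource: Label) -> bool:
    """Bell-LaPadula *-property (no write down): resource secrecy >= user's.
    Biba *-property (no write up): resource integrity <= user's."""
    return (RANK[resource.secrecy] >= RANK[user.secrecy]
            and RANK[resource.integrity] <= RANK[user.integrity]
            and need_to_know(user, resource))


def outbound_check(writer: Label, resource: Label) -> bool:
    """Enforcement point 1: is the local user allowed to write this data to the network?"""
    return may_publish(writer, resource)


def inbound_check(reader: Label, sender: Label, resource: Label) -> dict:
    """Enforcement point 2: is the local reader allowed to receive the data, and
    was the sending node allowed to publish it? Individual verdicts are returned
    so a denial can be attributed to the reader or to the sender."""
    reader_ok = may_subscribe(reader, resource)
    sender_ok = may_publish(sender, resource)
    return {"reader_allowed": reader_ok, "sender_allowed": sender_ok,
            "accept": reader_ok and sender_ok}


# Constructed sample labels.
TRACKS_KFO = Label("SECRET", "CONFIDENTIAL", frozenset({"KFO"}))        # resource
ANALYST = Label("SECRET", "RESTRICTED", frozenset({"KFO"}))             # reading node
SENSOR = Label("CONFIDENTIAL", "CONFIDENTIAL", frozenset({"KFO"}))      # publishing node
PRESS_FEED = Label("UNCLASSIFIED", "UNCLASSIFIED", frozenset())         # low-integrity source

if __name__ == "__main__":
    print(outbound_check(SENSOR, TRACKS_KFO))              # no write down, no write up
    print(inbound_check(ANALYST, SENSOR, TRACKS_KFO))      # accepted
    print(inbound_check(ANALYST, PRESS_FEED, TRACKS_KFO))  # sender integrity too low
```

The inbound path is the one worth dwelling on: the reader check alone would accept the PRESS_FEED sample, because the analyst is cleared for the resource; it is the sender check (Biba, no write up) that rejects it, which is why the slides list "was the sender allowed to send the data" as a separate inbound condition.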