security concepts and capabilities
DESCRIPTION
Security Concepts and Capabilities. The majority of these slides represent material that has been accumulated from various sources over the years. A portion these slides are being used with the permission of Dr. Ling Lui, Associate Professor, College of Computing, Georgia Tech. - PowerPoint PPT PresentationTRANSCRIPT
Security_BG-1
CSE 300
Security Concepts and CapabilitiesSecurity Concepts and Capabilities
Prof. Steven A. Demurjian, Sr. Computer Science & Engineering Department
The University of Connecticut371 Fairfield Road, Box U-1155
Storrs, CT [email protected]
http://www.engr.uconn.edu/~steve(860) 486 - 4818
The majority of these slides represent material that has been accumulated from various The majority of these slides represent material that has been accumulated from various sources over the years. sources over the years.
A portion these slides are being used with the permission of Dr. Ling Lui, Associate A portion these slides are being used with the permission of Dr. Ling Lui, Associate Professor, College of Computing, Georgia Tech. Professor, College of Computing, Georgia Tech.
Security_BG-2
CSE 300
Patients Providers
Clinical Researchers
Web-BasedPortal(XML + HL7)Open Source DB(XML or MySQL)
EMR
EducationMaterials
FeedbackRepository
Motivation: Recall Project ArchitectureMotivation: Recall Project Architecture
Where are the Security Issues and Concerns?
Consider Components of Architecture…
Security_BG-3
CSE 300
Patients
Providers
Clinical Researchers
Motivation: Security Issues?Motivation: Security Issues?
Web Server
Appl Server
DB Server
Firewall
https Encryptionhttps
Encryption
Encryption
Secure Communication
XML
html
Web Content
GUI Look and Feel
Patient GUI for RN vs. MD
Web - Control Services
Appl. – Control Methods
Security_BG-4
CSE 300
OverviewOverview Objective: Cover the wide range of Background Objective: Cover the wide range of Background
Concepts and Security Ideas Concepts and Security Ideas Motivation: Importance, Concepts, and IssuesMotivation: Importance, Concepts, and Issues Glossary of Security TermsGlossary of Security Terms Security Policy, Authentication, and AuthorizationSecurity Policy, Authentication, and Authorization Security in JavaSecurity in Java Access ControlAccess Control
Mandatory Access Control (MAC) Discretionary Access Control (DAC) Role-Based Access Control (RBAC)
DB Security, Cryptography, Security in Statistical DBDB Security, Cryptography, Security in Statistical DB Middleware SecurityMiddleware Security Web Based SecurityWeb Based Security Concluding RemarksConcluding Remarks
Security_BG-5
CSE 300
Motivation: General ConceptsMotivation: General Concepts AuthenticationAuthentication
Proving you are who you are Signing a Message Is Client who s/he Says they are?
AuthorizationAuthorization Granting/Denying Access Revoking Access Does Client have Permission to do what s/he
Wants? EncryptionEncryption
Establishing Communications Such that No One but Receiver will Get the Content of the Message
Symmetric Encryption and Public Key Encryption
Security_BG-6
CSE 300
Motivation: Type of Security IssuesMotivation: Type of Security Issues Legal and Ethical Issues Legal and Ethical Issues
Information that Must be Protected Information that Must be Accessible HIPPA vs. Emergent Health Situations
Policy Issues Policy Issues Who Can See What Information When? Applications Limits w.r.t. Data vs. Users?
System Level EnforcementSystem Level Enforcement What is Provided by the DBMS? Programming
Language? OS? Application? Web Server? Client? How Do All of the Pieces Interact?
Multiple Security Levels/Organizational EnforcementMultiple Security Levels/Organizational Enforcement Mapping Security to Organizational Hierarchy Protecting Information in Organization
Security_BG-7
CSE 300
Glossary of Protection and Security TermsGlossary of Protection and Security Terms PrincipalPrincipal
Entity (Person/Process/etc.) to Which Authorizations are Granted
Can be a User, User Group, Program, Client, etc. Also Known as Subject
Protected ObjectProtected Object Known Object whose Internal Structure is
Inaccessible Except by Protection System The Unit of Protection For Our Purposes:
Table, Column, Tuple Data and Meta-Data
Glossary from: Saltzer and Schroeder, “The Protection of Information in Glossary from: Saltzer and Schroeder, “The Protection of Information in Computer Systems”, Proc. of IEEE, Vol. 63, No. 9, September 1975.Computer Systems”, Proc. of IEEE, Vol. 63, No. 9, September 1975.
Security_BG-8
CSE 300
Glossary of Protection and Security TermsGlossary of Protection and Security Terms Access Control ListAccess Control List
List of Principals (User, User Group, Process, …) Authorized to have Access to Some Object
For Every Object, Maintain Authorized Principals Easily Implemented in Algorithm/Typically in OS
AuthenticateAuthenticate Verify Identity of Principal Making Request In OS - Equivalent to Logging on (ID, Password) May be More Complicated Based on Security
Needs AuthorizeAuthorize
Grant Principal Access to Objects Granularity Ranges from Fine to Coarse Application Directed
Security_BG-9
CSE 300
Glossary of Protection and Security TermsGlossary of Protection and Security Terms CapabilityCapability
Unforgeable Ticket as Proof of Authorization of Presenter (Principal) to Access Named Object
Ticket or Certificate Must be Presented at Each Access
Capability ListCapability List List of Protected Objects which Likewise List
Authorized Principles Used in Conjunction with Tickets for
Authorization CertifyCertify
Verify Accuracy, Correctness, & Completeness of Security/Protection Mechanism
Critical for Select Domains (DoD, Banking, etc.)
Security_BG-10
CSE 300
Glossary of Protection and Security TermsGlossary of Protection and Security Terms ConfinementConfinement
Restricting What a Process Can Do to with Authorized Objects
Similar in Concept to Sandbox of Java DomainDomain
Objects Currently Accessed by Principal (De)Encryption(De)Encryption
De(Encoding) of Data According to Transformation Key for Transmission/Storage
Reciprocal Activity - Many Different Options GrantGrant
Authorize Access to Objects by Principals Who Can do What When
Security_BG-11
CSE 300
Glossary of Protection and Security TermsGlossary of Protection and Security Terms PasswordPassword
Encrypted Character String to Authenticate Identity of Individual
Critical to Encrypt Also from Client to Login Server Client Types in Plain Text that is Encrypted Encrypted login Travels of Network Decrypted at Login Server and Verified
PermissionPermission Form of Allowed Access to Object (R, W, RW) Level of Access is System Dependent Unix File System has:
r, w, x for User, Group, and Other
Security_BG-12
CSE 300
Glossary of Protection and Security TermsGlossary of Protection and Security Terms PrivacyPrivacy
Ability to Decide Whether, When, and to Whom Information is Released
Is Anyone Intercepting Client/Server Communications?
PropagationPropagation Principal Passing on Authorization to Object to
Another Principal Current Term Today is “Delegation” Principal Must be Authorized to Delegate
Privileges to Another Principal Enforcement MechanismEnforcement Mechanism
Centralized and Distributed “Code” Enforces Security Policy at Runtime
Security_BG-13
CSE 300
Glossary of Protection and Security TermsGlossary of Protection and Security Terms Protection & SecurityProtection & Security
Mechanisms and Techniques to Control Access to Information by Executing Programs
Enforcement Mechanism, Cryptography Algorithms, Database Security, etc.
RevokeRevoke Remove Previously Authorized Access from
Principals Security Tools Must Promote Grant, Revoke, and
Authorize in a Dynamic Setting Ticket-OrientedTicket-Oriented
Each Principal Maintains List of Unforgeable Tickets Denoting Objects have been Authorized
Works with Capability Lists
Security_BG-14
CSE 300
Policy & MechanismPolicy & Mechanism Security Policy Defines Rules for Authorizing Access Security Policy Defines Rules for Authorizing Access
to Computer and Resourcesto Computer and Resources Who are Users? What are DB Items? What DB
Items are Available to Each User? Etc… For PHR – Patient Defines Policy
Protection Mechanisms Authenticate Protection Mechanisms Authenticate Access to DB Items, File and Memory Protection What is the Granularity of Access?
A Security Policy is an Organizations Strategy to A Security Policy is an Organizations Strategy to Authorize Access to the DBMS DB ItemsAuthorize Access to the DBMS DB Items Each Policy is Application Dependent Range from Full to Limited Access
Security Transcends DB as a Separate Research and Security Transcends DB as a Separate Research and Realization for All Types of Systems/ApplicationsRealization for All Types of Systems/Applications
Security_BG-15
CSE 300
AuthenticationAuthentication User/Process AuthenticationUser/Process Authentication
Is this User/Client Who It Claims to Be? Passwords More Sophisticated Mechanisms Need for Re-authentication
Authentication in NetworksAuthentication in Networks Is this Computer Who It Claims to Be?
File Downloading and Transferring Obtaining Network Services What is Java Promise? What Does Java Guarantee re.
Applets? What can Application do that Applet Can’t? DB AuthenticationDB Authentication
Uncontrolled Access (Select, Modify, etc.) Can be Limited (Authorized) requiring Authentication
Security_BG-16
CSE 300
AuthorizationAuthorization Ability of Principals to Use Machines, Objects, Ability of Principals to Use Machines, Objects,
Resources, etc.Resources, etc. Security Policy Defines Capabilities of Each Principal Security Policy Defines Capabilities of Each Principal
Against Objects, Resources, etc.Against Objects, Resources, etc. Authorization Mechanism Enforces Policy at RuntimeAuthorization Mechanism Enforces Policy at Runtime External AuthorizationExternal Authorization
User Attempts to Access Computer Authenticate Identify and Verify Authorizations
Internal AuthorizationInternal Authorization Can Process Access a Specific Resource?
Database AuthorizationDatabase Authorization What Can Each User Do Against the DB? Select,
Insert, Update, Delete? Are Users Limited to Subsets of Tuples by Value?
Security_BG-17
CSE 300
User AuthenticationUser Authentication Combination of User ID and Password Universal for Combination of User ID and Password Universal for
Access to ComputersAccess to Computers However, Cannot Prevent …However, Cannot Prevent …
Guessing of Passwords Stolen and Decrypted Passwords Masquerading of Intended User
Is User Who they are Supposed to be? What Extra Information Can User be Asked to Supply? What About Life Critical Situations – EMR’s Treating
Accident Victim? Past Invasion of Engineering ComputingPast Invasion of Engineering Computing
yppasswd File Stolen/Decrypted S. Demurjian’s Sun Workstation Corrupted
Security_BG-18
CSE 300
Network AuthenticationNetwork Authentication Computers Must Interact with One AnotherComputers Must Interact with One Another
Classic Example, Transmitting E-Mail Msgs. Does Transferring Computer have Right to Store a
File on Another Computer? What About PHR Data Routed from Web to
Application to DB to EMR? Where is the Control? https? Encryption? Guarantee Unencrypted Data not Stored on the Way?
Viruses: Passive Penetrating EntityViruses: Passive Penetrating Entity Software Module Hidden in Another Module When Container Executed, Virus Can Penetrate
and Wreak Havoc Worms: Active Penetrating EntityWorms: Active Penetrating Entity
Actively Seeks to Invade Machine
Security_BG-19
CSE 300
Core Security Capabilities of JavaCore Security Capabilities of Java Sandbox and Applet Level SecuritySandbox and Applet Level Security
Downloaded Applets are Confined in a Targeted Portion of System During Execution
Execution of Untrusted Code in Trusted Way What is Sandbox?What is Sandbox?
Area of Web-Browser Dedicated to Applet Applet Limited to Sandbox to Prohibit Access to
Local Machine/Environment Utilizes Class Loader, Bytecode Verifier, and
Security Manager Three Components Maintain System Integrity How Does this Occur?
Why is this Relevant for BMI Applications?Why is this Relevant for BMI Applications? Pervasive Usage of Applets and Client Java Code
Security_BG-20
CSE 300
Core Security Capabilities of JavaCore Security Capabilities of Java Class Loader - Only Load Correct ClassesClass Loader - Only Load Correct Classes Bytecode Verifier - Classes in Correct FormatBytecode Verifier - Classes in Correct Format
Both Don’t care Where the Code is from (compiled from Java or another PL – just is it correct)
Security Manager - Untrusted Classes Can’t Execute Security Manager - Untrusted Classes Can’t Execute Dangerous Instructions nor Access Protected System Dangerous Instructions nor Access Protected System ResourcesResources
Role of Security ManagersRole of Security Managers Enforces Boundaries of Sandbox All Java Classes ask Manager for Permission to
Perform Certain Operations Implements/Imposes Appl. Security Policy Java Interface Class Implementable by Users Integrated with Exception Handling of Java
Security_BG-21
CSE 300
Recall Java Bytecode Verification:Recall Java Bytecode Verification:
Security_BG-22
CSE 300
Digital Signatures and JAR FilesDigital Signatures and JAR Files When Can Applets Become Applications?When Can Applets Become Applications?
Trusted Publisher (Originator of Applet) Signed Applet is Authenticated Java Security Manager May Allow Applet out of
Sandbox to be Application How is Information Transmitted and Exchanged?How is Information Transmitted and Exchanged?
JAR: Archived (Compressed) Files Bundling of Code/Data into Java Archive Associated Digital Signature for Verification Transmission via Object Serialization
Again, for BMIAgain, for BMI Web Applications to PCs, PDAs, and Cells Pervasiveness of Technology and Potential for
Misuse and Information Release
Security_BG-23
CSE 300
Available Access Control ApproachesAvailable Access Control Approaches Mandatory Access Control (MAC)Mandatory Access Control (MAC)
Bell/Lapadula Security Model Security Classification Levels for Data Items Access Based on Security Clearance of User
Role Based Access Control (RBAC)Role Based Access Control (RBAC) Govern Access to Information based on Role Users can Play Different Roles at Different Times
Responsibilities of Users Guiding Factor Facilitate User Interactions while Simultaneously
Protecting Sensitive Data Discretionary Access Control (DAC)Discretionary Access Control (DAC)
Richer Set of Access Modes - Govern Access to Information based on User Id
Discretionary Rules on Access Privileges Focused on Application Needs/Requirements
Security_BG-24
CSE 300
What are Key Access Control Concepts?What are Key Access Control Concepts? AssuranceAssurance
Are the Security Privileges for Each User Adequate to Support their Activities?
Do the Security Privileges for Each User Meet but Not Exceed their Capabilities?
ConsistencyConsistency Are the Defined Security Privileges for Each User
Internally Consistent? Least-Privilege Principle: Just Enough Access
Are the Defined Security Privileges for Related Users Globally Consistent? Mutual-Exclusion: Read for Some-Write for Others
Security_BG-25
CSE 300
Mandatory Access ControlMandatory Access Control Bell-Lapadula Model [1976]Bell-Lapadula Model [1976]
An Extension of the Access Matrix Model The Model is Based on Subject-Object Paradigm
Subjects: Active Elements Objects: Passive Elements
Four Access Modes/Categories Executable by Subjects on Objects Read-only or Read Append (Write without Read) Execute (Executes an Object/program) Read-Write or Write
Security_BG-26
CSE 300
Mandatory Security MechanismMandatory Security Mechanism Typical Security Classification Levels for Typical Security Classification Levels for
Subjects/programs and Objects/resourcesSubjects/programs and Objects/resources Top Secret (TS) and Secret (S) Confidential (C) and Unclassified (U)
Rules:Rules: TS is the Highest and U is the Lowest Level TS > S > C > U Security Levels:
C1 is Security Clearance Given to User U1 C2 is Security Classification Given to Object O1 U1 can Access O1 iff C1 C2 This is Referred to as the Domination of U1 Over O1
Security_BG-27
CSE 300
OperationsOperations Get accessGet access
Initiate access to object in the given mode Release accessRelease access
Terminate access previously started by get Given accessGiven access
grant an access mode on an object to a subject Rescind accessRescind access
Revoke access previously granted with the “give” operation Create objectCreate object
An object may be inactive or active; this takes an inactive object and adds to the object hierarchy
Delete objectDelete object Deactivates an active object
Change subject security levelChange subject security level Change object security levelChange object security level
Security_BG-28
CSE 300
Mandatory Security MechanismMandatory Security Mechanism Restriction (Axiom 1):Restriction (Axiom 1):
No Subject S Can Read an Object O if the Object’s Security Classification is Higher Than the Subject’s Security Clearance S Can Read O iff Clearance(S) Classification(O)
No Subject May Write an Object that has Lower Security Class than the Subject’s Security Clearance S Can Write O iff Clearance(S) Classification(O) This Prevents Information Flow from Higher
Classification to Lower Classification Levels Depending on the Desired MAC, Different Axioms Depending on the Desired MAC, Different Axioms
Can be Employed that Satisfy Different Criteria ofCan be Employed that Satisfy Different Criteria ofClearance Dominating ClassificationClearance Dominating Classification
Security_BG-29
CSE 300
Other AxiomsOther Axioms Simple Security (SS) PropertySimple Security (SS) Property
Subject S may have Read(Write) Access to Object O iff Clearance of S Dominates the Classification of O
Star (*) PropertyStar (*) Property A Subject Can Only Read Objects at or Above
their Level A Subject Can Only Write Objects at or Below
their Level Tranquility PrincipleTranquility Principle
No Subject Can Modify Classification of Active Object
Security_BG-30
CSE 300
Mandatory Security MechanismMandatory Security Mechanism There are Numerous Security Properties Regarding the There are Numerous Security Properties Regarding the
Ability of a Subject S to Read (Write) an Object OAbility of a Subject S to Read (Write) an Object O These Properties Control the flow of Information from These Properties Control the flow of Information from
Users to the Objects that they are allowed to AccessUsers to the Objects that they are allowed to Access Simple Security Property (Read Down – No Read Up)Simple Security Property (Read Down – No Read Up)
No Subject S Can Read an Object O if the Object’s Security Classification is Higher Than the Subject’s Security Clearance
S Can Read O iff Clearance(S) Classification(O) This Insures that a Subject S cannot Read
Information Above his/her Security Level
TS S C U
User (S) Read Down
Security_BG-31
CSE 300
Mandatory Security MechanismMandatory Security Mechanism Simple Integrity Property (Write Down–No Write Up)Simple Integrity Property (Write Down–No Write Up)
A Subject May Write an Object only if that Object is at or Below the Subject’s Security Clearance
S Can Write O iff Clearance(S) ≥ Classification(O) This Allows the Potential of Information Flow
from Higher Classification to Lower Classification Levels
This Prevents the Ability of a Subject S to Corrupt Data above its Security Level
Security Designer Must Choose their Poison!Security Designer Must Choose their Poison!
TS S C U
User (S) Write Down
Security_BG-32
CSE 300
Mandatory Security MechanismMandatory Security Mechanism Liberal * Property (Write Up–No Write Down)Liberal * Property (Write Up–No Write Down)
No Subject May Write an Object that has Lower Security Class than the Subject’s Security Clearance
S Can Write O iff Clearance(S) Classification(O)
This Prevents Information Flow from Higher Classification to Lower Classification Levels
Such an Attempt can be Overt or Unintentional Likewise, this Allows a Subject to Corrupt Likewise, this Allows a Subject to Corrupt
Information above its Level Information above its Level
TS S C U
User (S)Write Up
Security_BG-33
CSE 300
Mandatory Security MechanismMandatory Security Mechanism Strict * Property (Read/Write Equal)Strict * Property (Read/Write Equal)
A Subject May Only Read/Write an Object that has the Exact Same Security Class than the Subject’s Security Clearance
S Can Read/Write O iff Clearance(S) = Classification(O)
This Limits Information Flow to within a Level
TS S C U
User (S)
Read EqualWrite Equal
Security_BG-34
CSE 300
Using the PropertiesUsing the Properties Security Policy is Typically a Combination of one Security Policy is Typically a Combination of one
Read and one Write PropertyRead and one Write Property Simple Security + Simple Integrity Simple Security + Strict * (Write) Simple Security + Liberal * Strict * (Read) + Simple Integrity Strict * (Read) + Strict * (Write) Strict * (Read) + Liberal *
Objective: Security Engineer Must Choose the Most Objective: Security Engineer Must Choose the Most Appropriate Combination for their ApplicationAppropriate Combination for their Application
Security_BG-35
CSE 300
A Classic ExampleA Classic Example Simple Security for ReadsSimple Security for Reads
See Information at User Clearance Level and Lower (Less Secure)
No Chance of Viewing TS Information Liberal * for Writes Liberal * for Writes
Write Information at User Clearance Level and Above (More Secure)
No Chance of Releasing “S” Data to Lower Levels
TS S C U
User (S)
Write Up
Read Down
Security_BG-36
CSE 300
Other AxiomsOther Axioms Discretionary Property (DS-property)Discretionary Property (DS-property)
Every Current Access Must Be Present in the Access Matrix
For All Subjects S, Objects O, and the Access Mode M:
<S,o,m> B M M[s,o] Non-Accessibility of Inactive ObjectsNon-Accessibility of Inactive Objects
A Subject Cannot Read the Contents of an Inactive Object
Rewriting of Inactive ObjectsRewriting of Inactive Objects A Newly Activated Object is Assigned to an Initial
State Independent of the Previous Activation of the Object
Security_BG-37
CSE 300
Illustrating MACIllustrating MAC Consider the EMPLOYEE Table Below with Two Consider the EMPLOYEE Table Below with Two
InstancesInstances Notice Classifications on Each Tuple (TC) Notice Classifications on Each Attribute Value
Interpretation:Interpretation: Limit Who Can See Each Tuple and Values Focus on User Clearance w.r.t. Classifications
Security_BG-38
CSE 300
Illustrating MACIllustrating MAC Whenever a User Attempts to Access a Table, the Whenever a User Attempts to Access a Table, the
Table is Filtered According to U’s ClearanceTable is Filtered According to U’s Clearance First Set are for a User at Confidential Level Second Set is For a User at Unclassified Level
Security_BG-39
CSE 300
Security in Software ApplicationsSecurity in Software Applications Extensive Published Research (Demurjian, et al) in Extensive Published Research (Demurjian, et al) in
Last Ten Years for DAC/RBAC for OOLast Ten Years for DAC/RBAC for OO Efforts in Efforts in
Automatically Generatable and Reusable Enforcement Mechanisms
MAC/DAC/RBAC within Distributed Setting Premise:Premise:
Customizable Public Interface of Class Access to Public Interface is Variable and Based
on User Needs and Responsibilities Only Give Exactly What’s Needed and No More
Please see:Please see:www.engr.uconn.edu/~steve/DSEC/desc.htmlwww.engr.uconn.edu/~steve/DSEC/desc.html
Security_BG-40
CSE 300
What is Role Based Access Control (RBAC)?What is Role Based Access Control (RBAC)?
Most OO Programming and Database Languages have Most OO Programming and Database Languages have a Single Public Interface that is Shared by All Users a Single Public Interface that is Shared by All Users of OT/Classof OT/Class
Consequently, Public Interface Often Union of all Consequently, Public Interface Often Union of all Possible Methods Required by All Likely UsersPossible Methods Required by All Likely Users
Discretionary Access Control:Discretionary Access Control: Occurs at Type-Level Different Portions of Public Interface Available to
Different Users at Different Times Depending on User-Roles
Promote Potential Public Interface
Security_BG-41
CSE 300
Motivating Security for OO ParadigmMotivating Security for OO Paradigm OO Paradigm Provides Minimal Support via Public OO Paradigm Provides Minimal Support via Public
Interface and Private ImplementationInterface and Private Implementation Public Interface Represents UNION of all Possible Public Interface Represents UNION of all Possible
Privileges Needed by All Potential UsersPrivileges Needed by All Potential Users A Method in the Public Interface for One Specific User A Method in the Public Interface for One Specific User
Available to ALL UsersAvailable to ALL Users Can Access to Public Interface be Customized? Can Individuals have Particular Access to Specific
Subsets of Public Interface? Can Access be Based on (Potentially) Dynamic User
Roles? Can Code be Automatically Generated to Implement
an Enforcement Mechanism? Role of OO Paradigm in Support a Generic,
Evolvable, Reusable Enforcement Mechanism?
Security_BG-42
CSE 300
Why is RBAC Needed?Why is RBAC Needed? In Health Care, different professionals (e.g., Nurses In Health Care, different professionals (e.g., Nurses
vs. Physicians vs. Administrators, etc.) Require Select vs. Physicians vs. Administrators, etc.) Require Select Access to Sensitive Patient DataAccess to Sensitive Patient Data
Suppose we have a Patient Access ClientSuppose we have a Patient Access Client Lois playing the Nurse Role would be Allowed to
Enter Patient History, Record Vital Signs, etc. Steve playing M.D. Role would be Allowed to do
all of a Nurse plus Write Orders, Enter Scripts, etc. Vicky playing Admin Role would be Allowed to
Enter Demographic/Insurance Info. Role Dictates Client Behavior
Security_BG-43
CSE 300
Why is RBAC Needed?Why is RBAC Needed? Many Situations When Application Library Designer Many Situations When Application Library Designer
(SWE) Could Utilize More Fine-Grained Control to (SWE) Could Utilize More Fine-Grained Control to Access of Public InterfaceAccess of Public Interface
Tradeoff Between Developers and End-UsersTradeoff Between Developers and End-Users SWEs Have Different Roles Based on Their
Responsibilities Related to Cooperative Design on an Application
SWEs Should Only See Those Portions of the Application That They Need to See or That They Will Be Responsible for Implementing
End-users Must Be Limited in Their Interactions and Access Depending on Their Roles
Security_BG-44
CSE 300
Examples of Why RBAC is NeededExamples of Why RBAC is Needed In HTSS, the public interface for Items has methods In HTSS, the public interface for Items has methods
that read (for Scanner, I-Controller) and modify that read (for Scanner, I-Controller) and modify instances (only for I-Controller)instances (only for I-Controller) Read Methods Targeted for Certain System
Functions (e.g., Scan Item) Update Methods Targeted for Others (e.g., as Item
is Scanned, Decrement Inventory Amount) In HCA, different health care professionals (e.g., In HCA, different health care professionals (e.g.,
Nurses vs. Physicians vs. Administrators, etc.) Nurses vs. Physicians vs. Administrators, etc.) require select access to sensitive patient datarequire select access to sensitive patient data Physician’s Write Scripts Nurses Enter Patient Data (Vitals + History) All Access Shared Medical Record Access is Limited Based on Role
Security_BG-45
CSE 300
public class PatientRecord { private: Data/Methods as Needed; public: write_medical_history(); write_prescription(); get_medical_history(); get_diagnosis(); set_payment_mode(); etc…
For MDsand Nurses
For MDs Only
For Admitting
RBAC for OORBAC for OO Public Interface is Union of All Privileges for All Public Interface is Union of All Privileges for All
Potential Users No Explicit way to Prohibit Access Potential Users No Explicit way to Prohibit Access Customizable Public Interface of ClassCustomizable Public Interface of Class Access to Public Interface is Variable and Based on Access to Public Interface is Variable and Based on
User Needs and ResponsibilitiesUser Needs and Responsibilities Only Give Exactly What’s Needed and No More Only Give Exactly What’s Needed and No More
Security_BG-46
CSE 300
Sample RBAC Hierarchy for HCASample RBAC Hierarchy for HCA
Users
Medical_Staff
Nurse Physcian
UR:Manager
UR:Staff_RN UR:Education
UR:Discharge_Plng
UR:Private UR:Attending
Support_Staff
Etc.
Technician
UR:Director
UR:Lab UR:Pharmacy
UR:Radiology
Security_BG-47
CSE 300
Sample RBAC Hierarchy for UniversitySample RBAC Hierarchy for University
Users / \ +---+ +-----+ / \ non-academic-staff academic-staff / \ \ / \ \.... / \ \ / \ purchasing campus-police ... dept-staff registrar-staff ... / \ ... ... / \ grade-recording transcript-issuing
Security_BG-48
CSE 300
Sample RBAC Hierarchy for PortalSample RBAC Hierarchy for Portal
Users
Medical_Staff
Clinical Researcher Basic User
UR: Poster
UR: ForumLeader
UR: DataAnalyst UR: EdMaterials
UR: etc…
Patients
Etc.
Provider
UR: BasicPHR
UR: Nurse UR: OccTher
UR: Physician
Security_BG-49
CSE 300
NIST RBAC Standard NIST RBAC Standard http://csrc.nist.gov/groups/SNS/rbac/http://csrc.nist.gov/groups/SNS/rbac/ Formalized in 1992 (Ferraiolo and Kuhn)Formalized in 1992 (Ferraiolo and Kuhn) Based on Work by Sandhu, et al.Based on Work by Sandhu, et al. Lot’s of Health Care Related Case Studies:Lot’s of Health Care Related Case Studies:
http://csrc.nist.gov/groups/SNS/rbac/case_studies.htmlhttp://csrc.nist.gov/groups/SNS/rbac/case_studies.html Please Visit the Site … May be Applicable Applications ….
Briefly, Let’s Review …Briefly, Let’s Review …
Security_BG-50
CSE 300
RBAC Model Variants RBAC Model Variants http://csrc.nist.gov/groups/SNS/rbac/documents/towards-http://csrc.nist.gov/groups/SNS/rbac/documents/towards-
std.pdfstd.pdf Transition from Essential Features to Complex ModelTransition from Essential Features to Complex Model
Security_BG-51
CSE 300
Level 1 and Level 2Level 1 and Level 2 Level 1: Three States and UA/PALevel 1: Three States and UA/PA Level 2: Add in Role Hierarchy Look on R StateLevel 2: Add in Role Hierarchy Look on R State
Security_BG-52
CSE 300
Example Role HierarchiesExample Role Hierarchies
Security_BG-53
CSE 300
Constrained RBAC – with SODConstrained RBAC – with SOD
Security_BG-54
CSE 300
Constrained RBAC – with SODConstrained RBAC – with SOD
Security_BG-55
CSE 300
Discretionary Access ControlDiscretionary Access Control DiscretionaryDiscretionary
Grant Privileges to Users, Including the Capabilities to Access Specific Data Items in a Specific Mode
Available in Most Commercial DBMSs Aspects of DACAspects of DAC
User’s Identity Predefined Discretionary “Rules” Defined by the
Security Administrator Focus on Two Variants of this ModelFocus on Two Variants of this Model
Access Matrix Model Lampson’s Protection System
Role Delegation and Delegation AuthorityRole Delegation and Delegation Authority Detail DAC in SQL2Detail DAC in SQL2
Security_BG-56
CSE 300
What is Role Delegation?What is Role Delegation? Role Delegation, a User-to-User Relationship, Allows Role Delegation, a User-to-User Relationship, Allows
an an Original User (OU)Original User (OU) to Transfer Responsibility for a to Transfer Responsibility for a Particular Role to a Particular Role to a Delegated User (DU)Delegated User (DU)
Two Major Types of DelegationTwo Major Types of Delegation Administratively-directed Delegation has an
Administrative Infrastructure Outside the Direct Control of a User Mediates Delegation
User-directed Delegation has an User (Playing a Role) Determining If and When to Delegate a Role to Another User
In Both, Security Administrators Still Oversee Who In Both, Security Administrators Still Oversee Who Can Do What When w.r.t. DelegationCan Do What When w.r.t. Delegation
Delegation Vital in Health Care:Delegation Vital in Health Care: Provider on-Call, Emergent Situations, DCP …
Security_BG-57
CSE 300
Why is Role Delegation Important?Why is Role Delegation Important? Many Different Scenarios Under Which Privileges Many Different Scenarios Under Which Privileges
May Want to be Passed to Other IndividualsMay Want to be Passed to Other Individuals Large organizations often require delegation to
meet demands on individuals in specific roles for certain periods of time
True in Many Different Sectors Health Care Financial Services Engineering Academic Setting
Key Issues:Key Issues: Who Controls Delegation to Whom? How are Delegation Requirements Enforced?
Security_BG-58
CSE 300
What Can be Delegated?What Can be Delegated? Authority to Do the Task, Carries the Least Authority to Do the Task, Carries the Least
Responsibility Necessary to Execute the Task, but Responsibility Necessary to Execute the Task, but Does Mean the Delegated User Can Execute the Does Mean the Delegated User Can Execute the Delegated Task or Role. Delegated Task or Role.
Responsibility to Do a Task Implies Accountability Responsibility to Do a Task Implies Accountability and a Vested Interest that a Task or Role Can Be and a Vested Interest that a Task or Role Can Be Executed Properly. Executed Properly.
Duty to Perform a Task Implies that the Delegated Duty to Perform a Task Implies that the Delegated User is Obligated to Execute the Given Task. User is Obligated to Execute the Given Task.
Our Focus: Delegate Authority OnlyOur Focus: Delegate Authority Only
Security_BG-59
CSE 300
Delegation/Pass on Delegation AuthoritiesDelegation/Pass on Delegation Authorities When Establishing Privileges (by the Security Officer) When Establishing Privileges (by the Security Officer)
there must be the Ability to Define:there must be the Ability to Define: Delegation Authority (DA)
Recall:Security Officer can Delegate a Role to User DA Means that the Security Officer Can Delegate the
Authority to Delegate to another User Role Can be Delegated by one User to Another However, Delegation Authority Cannot
Pass-on Delegation Authority (PODA) PODA Augments DA to Allow the Delegation
Authority to Also be Delegated as Part of the Delegation of a Role to a User
Security_BG-60
CSE 300
Example - Role DelegationExample - Role Delegation General DoBest Delegates his Role CDR_CR1
(Commander, Crisis 1) to Colonel DoGood with DA, where DoBest, CDR_CR1, and DoGood defined as:
OU: [DoBest, [ct, ], T]UR: [CDR_CR1, [01dec00, 01dec01], T]UA: [DoBest, CDR_CR1, [01dec00, 01dec01]]DA: YesPODA: Yes
After Delegation:
DU: [DoGood, [01dec00, 01jun01], T]UA: [DoGood, CDR_CR1, [01dec00, 01jun01]]
Security_BG-61
CSE 300
Example - Role DelegationExample - Role Delegation Now,Now, Colonel DoGood wishes to re-delegate Colonel DoGood wishes to re-delegate
CDR_CR1 to Major CanDoRight, which can be CDR_CR1 to Major CanDoRight, which can be defined as:defined as:
DU: [DoGood, [01dec00, 01jun01], T]UR: [CDR_CR1, [01dec00, 01dec01], T]UA: [DoGood, CDR_CR1, [01dec00, 01jun01]]DA: YesPODA: No
After Delegation:
DU: [CanDoRight, [01jan01, 01feb01], T]UA: [CanDoRight, CDR_CR1, [01dec00, 01jun01]]
Security_BG-62
CSE 300
Role Delegation Revocation RulesRole Delegation Revocation Rules User-to-User Delegation Authority Rule User-to-User Delegation Authority Rule
A User (OU or DU) Who is a Current Member of a Delegatable Role (DUR), Can Delegate that User Role to Any User that Meets the Prerequisite Conditions of the Role: DU Receiving the Role is Not a Member of the Role; OU or DU is Identified As Having Delegation
Authority for the Role; DU Meets the Mandatory Access Control Constraints
(MACC).
Security_BG-63
CSE 300
Role Delegation Revocation RulesRole Delegation Revocation Rules Delegation Revocation Authorization Rule: Delegation Revocation Authorization Rule:
An Original User Can Revoke Any Delegated User From a User Role in Which the OU Executed the Delegation.
This is a Stricter Interpretation than [Zhan01], Which Allows Any OU of a Role Revocation Authority Over a DU in the Delegation Path.
In Addition, a Security Administrator Can Revoke Any Delegation.
Cascading Revocation Rule: Cascading Revocation Rule: Whenever an OU or DU in the delegation path is
revoked, all DUs in the path are revoked.
Security_BG-64
CSE 300
Monotonicity and Permanence Monotonicity and Permanence Definition: Monotonicity Refers to the State of
Control the OU Possesses After Role Delegation Monotonic Delegation Means That the OU
Maintains Control of the Delegated Role Non-monotonic Means That the OU Passes the
Control of the Role to DU Definition: Definition: PermanencePermanence Refers to Delegation in Refers to Delegation in
Terms of Time DurationTerms of Time Duration Permanent Delegation is When a DU Permanently
Replaces the OU Temporary Delegation Has an Associated Time
Limit With Each Role
Security_BG-65
CSE 300
Totality and AdministrationTotality and Administration Definition: Definition: Totality Refers to How Completely the
Permissions Assigned to the Role Are Delegated Partial Delegation Refers to the Delegation of a
Subset of the Permissions of the Role Total Delegation Refers to the Situation All of the
Permissions of the Role Are Delegated Definition: Definition: Administration Refers to how Delegation
will be Administered User Directed is when the User Controls all Aspects
of Delegation Administrator-Directed (Third party, Agent-
directed) is when Control is with the Security Officer
Security_BG-66
CSE 300
RevocationRevocation Definition: Definition: Cascading Revocation Refers to the
Indirect Revocation of All DUs When the OU Revokes Delegation or Administration Revokes the OU’s Delegated Role
Definition: Definition: Grant-Dependency Revocation Refers to Who Has Authority to Revoke a DU Grant-Dependent Revocation Only Allow the OU
to Revoke the Delegated Role Grant-Independent Revocation Allows Any
Original Member of the DUR to Revoke a Delegated Role
Security_BG-67
CSE 300
Database Security ApproachDatabase Security Approach Software Engineers can Write Complex Programs Software Engineers can Write Complex Programs
Limited by Intellectual CapabilitiesLimited by Intellectual Capabilities DB Designer Must Create Protection Scheme that DB Designer Must Create Protection Scheme that
Can’t be Bypassed by Current and Future SoftwareCan’t be Bypassed by Current and Future Software Users and DB InitiatorsUsers and DB Initiators
Users have Dedicated and Shared DB Items DB Items Shared by User Groups vs. DB Items
Globally Shared Users Spawn Clients that Access DB Items Clients May be Local or Remote (on Another
Machine Connected via Network) Protection System of DB Must Support Above Protection System of DB Must Support Above
According to Organization’s Admin. PolicyAccording to Organization’s Admin. Policy
Security_BG-68
CSE 300
Database SecurityDatabase Security Types of SecurityTypes of Security
Database Security is Mainly Related with Access Rights to the Database
Database Security Involves Issues Such as Governmental or Corporate Level of Policies Privacy and Confidentiality Requirements
For Example - Consider a Medicine Prescription Physician or PA Only One Authorized to Write Drug,
Dosage, Refills, Generic vs. Brand, etc. Pharmacist by Law Can Enter Script, Replace Brand
with Generic, Alter “Refills” - Can’t Change the Med By Law - Protect the Script per Patient (MD/Insurance)
Access Control is Mechanism to Prevent Unauthorized Access Control is Mechanism to Prevent Unauthorized Access to DatabasesAccess to Databases
Security_BG-69
CSE 300
Database SecurityDatabase Security Database Administrator (DBA) has the Privileged Database Administrator (DBA) has the Privileged
Commands to Perform the Following on DatabasesCommands to Perform the Following on Databases Account Creation Privilege Granting Privilege Revocation Security Level Assignments
Elements of the Security ModelElements of the Security Model Subjects (Principals) Objects (Data) Access Methods (How to Use) Policies (Application Dictated) Authorizations (Who Can Do What) Authentication and Enforcement (Runtime)
Security_BG-70
CSE 300
DAC in SQL2DAC in SQL2 SQL2 Uses the Concept of SQL2 Uses the Concept of Authorization IdentifierAuthorization Identifier
User Group (could be Single User) References a Set of User Accounts
DBA Must Provide Selective Access by each User to DBA Must Provide Selective Access by each User to Every Relation in the DB Based on AccountEvery Relation in the DB Based on Account
Two Levels of Privilege AssignmentTwo Levels of Privilege Assignment Account Level - DBA Manages the Accounts for
to Authorize Users to Different DBs Relation/Table Level - Controlling Access to Each
Relation or View in a DB ObjectiveObjective
Manage and Administer Design/Realize the Security Policy
Security_BG-71
CSE 300
Privileges in SQLPrivileges in SQL Allocated at a Relation LevelAllocated at a Relation Level
SELECT Privilege - Gives Account Retrieval Access
MODIFY Privilege Gives Account Ability to Change the Database Subdivided into Insert, Update, and Delete Insert and Update can be Specialized on Different
Attributes of Relation REFERENCES Privilege
Gives Account the Ability re. Integrity Constraints Can be Restricted to Certain Attributes of Relation
Commands to both GRANT and REVOKE are Commands to both GRANT and REVOKE are SupportedSupported
Security_BG-72
CSE 300
Example Schema Example Schema Consider Two Database Tables:Consider Two Database Tables:
EMPLOYEE (NAME, SNN, BDATE, ADDRESS, SET, SALARY,
DNO) DEPARTMENT
(D#, DNAME, MGRSNN) Consider Four Accounts/Users:Consider Four Accounts/Users:
U1, U2, U3 and U4 Limit U1 to be Able to Create Schema In SQL
GRANT CREATETAB TO U1; In SQL2
CREATE SCHEMA EXAMPLE AUTHORIZATION U1; U1 Can Create Tables In Schema EXAMPLE
Security_BG-73
CSE 300
SQL ExamplesSQL Examples Suppose U1 Wants to Grant U2 the Ability to Insert Suppose U1 Wants to Grant U2 the Ability to Insert
and Delete into EMPLOYEE and DEPARTMENTand Delete into EMPLOYEE and DEPARTMENT U1 Wants to Disallow Ability of U2 to Propagate
(Delegate) Insert/Delete to Other Users GRANT INSERT, DELETE ON EMPLOYEE,
DEPARTMENT TO U2; Suppose U1 Wants to Grant U3 the Ability to Select Suppose U1 Wants to Grant U3 the Ability to Select
from EMPLOYEE and DEPARTMENTfrom EMPLOYEE and DEPARTMENT U1 Allows U3 to Propagate to Other Users
GRANT SELECT ON EMPLOYEE TO U3 WITH GRANT OPTION;
Now, U3 can: GRANT SELECT ON EMPLOYEE TO U4; U4 Cannot Propagate/Delegate this Privilege
Security_BG-74
CSE 300
SQL ExamplesSQL Examples Suppose U1 Wants to REVOKE U3 the Ability to Suppose U1 Wants to REVOKE U3 the Ability to
Select from EMPLOYEE and DEPARTMENTSelect from EMPLOYEE and DEPARTMENT REVOKE SELECT ON EMPLOYEE TO U3;
Database Must Also Cascade this Revoke to U4 Since U3 No Longer has the Ability to Grant
Cascading Revokes Can be Complicated as Privileges Cascading Revokes Can be Complicated as Privileges are Definedare Defined
Consider 100 Users and DB with 20 Tables and Consider 100 Users and DB with 20 Tables and Ability to Grant/Revoke Becomes ComplexAbility to Grant/Revoke Becomes Complex
Consequently, Propagation/Delegation are Usually Consequently, Propagation/Delegation are Usually Only Given Very CarefullyOnly Given Very Carefully
Critical to Document Security Policy for Each Critical to Document Security Policy for Each Application!Application!
Security_BG-75
CSE 300
SQL ExamplesSQL Examples Suppose that U1 wants to Give Back to U3 a Limited Suppose that U1 wants to Give Back to U3 a Limited
Capability to SELECT from EMPLOYEE Capability to SELECT from EMPLOYEE Also Allow U3 to be able to Propagate U1 First Creates a View
create view U3_EMP as
select NAME, BDATE, ADDRESS
from EMPLOYEE
where DNO = 5; U1 Now Grants the View
GRANT SELECT ON U3_EMP TO U3 WITH GRANT OPTION;
U1 Can also Grant Limited Update GRANT UPDATE ON EMPLOYEE (SAL) TO U4;
Security_BG-76
CSE 300
CryptographyCryptography Information can be Encoded Using a Key it is Written Information can be Encoded Using a Key it is Written
(or Transferred) -- Encryption(or Transferred) -- Encryption Information is then Decoded Using a Key When it is Information is then Decoded Using a Key When it is
Read (or Received) -- DecryptionRead (or Received) -- Decryption Very Widely Used for Secure Network TransmissionVery Widely Used for Secure Network Transmission Mathematical Basis - Prime Number GenerationMathematical Basis - Prime Number Generation
plaintext ciphertext
encryption
decryption
Security_BG-77
CSE 300 plaintext plaintext
EncryptEncrypt DecryptDecrypt
Ke Kd
C = EKe(plaintext)
More on CryptographyMore on Cryptography
InvaderInvaderSide information plaintext
Security_BG-78
CSE 300
Cryptographic Systems
Conventional orSymmetric Systems
Modern Systems
Private Key Public Key•Ke and Kd are essentially the same •Ke and Kd are
private•Ke is public•Kd is private
Cryptographic SystemsCryptographic Systems
Security_BG-79
CSE 300
Statistical Databases are used to Produce Statistics on Statistical Databases are used to Produce Statistics on Various PopulationsVarious Populations Individual Information is Considered Confidential Users May be Allowed to Access Statistical
Information on the Population, i.e., Applying Statistic Functions to a Population of Tuples
Techniques for Protecting Privacy of Individual Techniques for Protecting Privacy of Individual Information Solutions are Illustrated by Examples:Information Solutions are Illustrated by Examples:
Suppose we are Allowed to Retrieve Only the Suppose we are Allowed to Retrieve Only the Statistical Information Over this Relation by Using Statistical Information Over this Relation by Using SUM, AVG, MIN, MAX, COUNT, Etc.SUM, AVG, MIN, MAX, COUNT, Etc.
Vital for Epidemiology and other Clinical ResearchVital for Epidemiology and other Clinical Research
Person(name, ssn, income, address,city, state, zip, sex, last_degree)
Statistical Database SecurityStatistical Database Security
Security_BG-80
CSE 300
select COUNT(*) from Personwhere last_degree = “ph.D.”and sex = “F”and city = “Calgary”and state = “Alberta”;
select AVG(income) from Personwhere last_degree = “ph.D.”and sex = “F”and city = “Calgary”and state = “Alberta”;
Q1: find the total number of women who have ph.D. and live in Calgary, Alberta.
Q1: find the average income of women who have ph.D. and live in Calgary, Alberta.
Example of Statistical DBExample of Statistical DB Consider Q1 and Q2:Consider Q1 and Q2:
Suppose Mary Black is a Ph.D who Lives in Calgary and we Suppose Mary Black is a Ph.D who Lives in Calgary and we want to know her Income, which is Prohibited want to know her Income, which is Prohibited If Query Q1 Returns One Tuple, then the Result of Q2 is
the Income of Mary Otherwise we May Issue a Number of Subsequent Queries
Using MAX and MIN, we May Easily Obtain a Close Range of Mary’s Income
Security_BG-81
CSE 300
The Issue is that Even with Statistical DB Limits, it is The Issue is that Even with Statistical DB Limits, it is Possible to Infer and Discern Confidential Info.Possible to Infer and Discern Confidential Info.
Suppose the Query Writer (Connie) also Lives in Suppose the Query Writer (Connie) also Lives in Calgary and has a Ph.D. Calgary and has a Ph.D.
Consider Q3 (left) and Q4 (right) below:Consider Q3 (left) and Q4 (right) below:
Since Connie Knows her Own Income, by Calculating Since Connie Knows her Own Income, by Calculating Q4 - (Q3 - Connie’s Income), She Determinds Mary’s Q4 - (Q3 - Connie’s Income), She Determinds Mary’s IncomeIncome
select SUM(income) from Personwhere last_degree = “ph.D.”and sex = “F”and city = “Calgary”and state = “Alberta”;and name <> “Mary”
select SUM(income) from Personwhere last_degree = “ph.D.”and sex = “F”and city = “Calgary”and state = “Alberta”and name <> “Connie”;
Example Two of Statistical DBExample Two of Statistical DB
Security_BG-82
CSE 300
Statistical Database SecurityStatistical Database Security Thus, having Just Aggregate Operations Can Allow Thus, having Just Aggregate Operations Can Allow
the Confidentiality of DB to be Breachedthe Confidentiality of DB to be Breached A Number of Restrictions can be used to Reduce the A Number of Restrictions can be used to Reduce the
Possibility of Deducing Individual Information from Possibility of Deducing Individual Information from Statistical Queries: Statistical Queries: Statistical Queries are not Permitted if the Number
of Tuples in the Population Specified by the Selection Condition Falls Below Some Threshold
Restricting the Number of Tuples in the Intersection of Subsequent Query Results
Prohibiting Sequences of Queries that Refer Repeatedly to the Same Population of Tuples
While these can help - it may Still Possible to Deduce While these can help - it may Still Possible to Deduce Information and Breach Confidentiality!Information and Breach Confidentiality!
Security_BG-83
CSE 300
Security in Middleware - MotivationSecurity in Middleware - Motivation Distributed Computing Applications are Constructed Distributed Computing Applications are Constructed
From Legacy, COTS, Database, and Client/Server From Legacy, COTS, Database, and Client/Server Applications Applications
Solutions Facilitate the Interoperation of Applications Solutions Facilitate the Interoperation of Applications in a Network Centric Environment in a Network Centric Environment
CORBA, DCOM/OLE, J2EE/EJB, JINI, and .NET CORBA, DCOM/OLE, J2EE/EJB, JINI, and .NET have Enabled the Parallel and Distributed Processing have Enabled the Parallel and Distributed Processing of Large, Computation-intensive Applications of Large, Computation-intensive Applications
Security has Historically Often Been an AfterthoughtSecurity has Historically Often Been an Afterthought Dramatic Turnaround in Support of Security within Dramatic Turnaround in Support of Security within
these Modern Middleware Platforms these Modern Middleware Platforms
Special Thanks to Keith Bessette and Prior CSE333 students for providing portions of this material.
Security_BG-84
CSE 300
OverviewOverview Focus on the Attainment of Security withinFocus on the Attainment of Security within
CORBA .NET J2EE
Represent Three Dominant Middlware PlatformsRepresent Three Dominant Middlware Platforms Emphasis on Exploring the RBAC/MAC Capabilities Emphasis on Exploring the RBAC/MAC Capabilities
of Eachof Each What Can Each Offer in Support of Security? How do the Different Technologies Compare?
Later - Focus on Using Middlware (e.g., CORBA, Later - Focus on Using Middlware (e.g., CORBA, JINI) to Attain MAC/RBAC for Distributed SettingJINI) to Attain MAC/RBAC for Distributed Setting
Security_BG-85
CSE 300
Security in CORBA, .NET, and J2EESecurity in CORBA, .NET, and J2EE The CORBA Security Specification is a Meta-model,The CORBA Security Specification is a Meta-model,
Similar in Concept to the UML Meta-model with Implementations (e.g., Together, Rational, etc.)
Offers Wide Variety of Security Capabilities at the Model Level - RBAC, MAC, Encryption, Etc.
Language Independent (Not Tied to Java, C++, .NET, Etc.)
In Contrast, .NET and J2EE are Commercial ProductsIn Contrast, .NET and J2EE are Commercial Products Characterizable as Implementations or Instances
of the CORBA Security Meta-model Transition Concepts into Platform Specific
Implementations
Security_BG-86
CSE 300
CORBA Security Capabilities CORBA Security Capabilities The CORBA Security Service Specification Focuses The CORBA Security Service Specification Focuses
on Four Keys Aspects of Security on Four Keys Aspects of Security Confidentiality: Confidentiality:
Concerned with Access to Information Limit Access to Those Individuals (Programs)
That Have Been Given Explicit Permission Integrity: Integrity:
Only Authorized Users are Allowed to Modify Information
Delegation of this Authorization Between Users is Tightly Controlled
Security_BG-87
CSE 300
CORBA Security CapabilitiesCORBA Security Capabilities Accountability: Accountability:
Users Must be Responsible for All of their Actions Security Mechanisms Must be able to Monitor and
Track the Accountability Availability: Availability:
If Users have Been Appropriately Authorized, then their Authorizations Require the System's Availability
Security_BG-88
CSE 300
CORBA Security CapabilitiesCORBA Security Capabilities Collectively, These Four Features Underlie the Collectively, These Four Features Underlie the
Security Offered in the Meta Model forSecurity Offered in the Meta Model for Identification and Authentication of Users Authorization and Access Control of Users to
Objects Security Auditing for Accountability Security of Communication Between Users and
Objects Non-repudiation to Provide Proof of Access Administration of All of the Security Requirements
Security_BG-89
CSE 300
The CORBA Security Model The CORBA Security Model The Structural Model of CORBA is Comprised of The Structural Model of CORBA is Comprised of
Different Levels used to Facilitate Secure Object Different Levels used to Facilitate Secure Object Invocation by Clients Invocation by Clients
Application Components: Client Request Services and Application Components: Client Request Services and a Target Object Providing Servicesa Target Object Providing Services
ORB Security Services: ORB Security Services: Access Control Service - If the Operation Being
Requested Is Permitted Secure Invocation Service - Protect the Target
Object in Its Interactions With the Client Implementation of Security Services: Implementation of Security Services:
Available in actual CORBA Implementations Platform Specific, must Interact with Security
supported by OS and Hardware
Security_BG-90
CSE 300
The CORBA Security ModelThe CORBA Security Model
Security_BG-91
CSE 300
Access Control in CORBA Access Control in CORBA Must Verify the Characteristics of a Subject's Must Verify the Characteristics of a Subject's
Permissions (via Permissions (via Privilege AttributesPrivilege Attributes) Against the ) Against the Target Objects Target Objects
Target Objects Are Managed via Target Objects Are Managed via Control AttributesControl Attributes (Grouped As (Grouped As DomainsDomains) and Operations (Grouped as ) and Operations (Grouped as RightsRights))
Combination of Privilege Attributes, Control Combination of Privilege Attributes, Control Attributes, and Domains Provides Attributes, and Domains Provides Means to Define Security Requirements Basis for Enforcing Those Requirements by Actual
Clients Against Target Objects
Security_BG-92
CSE 300
Access Control in CORBAAccess Control in CORBA Privilege Attributes are Associated with the Client, Privilege Attributes are Associated with the Client,
Referred to as the Referred to as the PrincipalPrincipal Privilege Attributes are Used to Capture All of the Privilege Attributes are Used to Capture All of the
Various Security Permissions for Access ControlVarious Security Permissions for Access Control Security Permissions: Security Permissions:
Identity (e.g., User Id) of the Principal Role(s) of the Principal Group(s) That the Principal Belongs to in the
Organization Security Clearance (e.g., Secret, Classified, Etc.)
Of the Principal Target Objects and Operations to Which the
Principal Has Been Granted Access, and Any Other Enterprise-wide Privileges.
Security_BG-93
CSE 300
Access Control in CORBAAccess Control in CORBA Control Attributes are Associated with Each Target Control Attributes are Associated with Each Target
Object, to Track the Security Privileges from an Object, to Track the Security Privileges from an Object's Perspective Object's Perspective
Control Attributes can also Track Security Information Control Attributes can also Track Security Information on the Target Object Itselfon the Target Object Itself
Control Attributes Track All of the Principals on a Control Attributes Track All of the Principals on a Target-Object-by-Target-Object BasisTarget-Object-by-Target-Object Basis List of all Principles for an Object
Privilege Attributes Focus on Capabilities of Privilege Attributes Focus on Capabilities of Individual Principals Individual Principals
Security_BG-94
CSE 300
Access Control in CORBAAccess Control in CORBA Rights of a Target Object are the Set of Operations Rights of a Target Object are the Set of Operations
That Are Available for Assignment to Each PrincipalThat Are Available for Assignment to Each Principal Examples: Examples:
An Access Control List Entry for Each Target Object would Track the List of Principals Who Have Been Authorized the Role(s) of the Principal
A Target Object Itself Might have a Security Classification (e.g., Secret,
Classified, etc.) May Be Limited in Access to Certain Time Periods
Security_BG-95
CSE 300
Access Control in CORBAAccess Control in CORBA To Assist in the Security Definition Process of To Assist in the Security Definition Process of
Principles and Objects for an Organization, Domains Principles and Objects for an Organization, Domains can be Utilizedcan be Utilized
Domain: Provides a Context to Define Common Domain: Provides a Context to Define Common Characteristics and Capabilities Related to Security Characteristics and Capabilities Related to Security
Security Policy Domain Represents the Scope Over Security Policy Domain Represents the Scope Over Which Each Security Policy is Enforced Which Each Security Policy is Enforced An Organization May Have Multiple Policies
Security Policy Domain Permits the Definition of Security Policy Domain Permits the Definition of Security Requirements for a Group of Target Objects Security Requirements for a Group of Target Objects Group Can Be Managed As a Whole, Thereby
Reducing the Needed Administrative Effort
Security_BG-96
CSE 300
Access Control in CORBAAccess Control in CORBA Policy Domain Hierarchies: Policy Domain Hierarchies:
Allows a Security Administrator to Design a Hierarchy of Policy Domains
Delegate Subsets of the Hierarchy (Sub-domain) to Different Individuals
Example: a Health Care OrganizationExample: a Health Care Organization Sub-domains for Patient Objects, Test-result
Objects, Employee Objects, Etc. Security for These Sub-domains Delegated to
Different People in Hospital Administration
Security_BG-97
CSE 300
CORBA Security User Views CORBA Security User Views Views to Provide a Hierarchical Structure of the Views to Provide a Hierarchical Structure of the
Security Requirements for an OrganizationSecurity Requirements for an Organization Enterprise Management View Enterprise Management View
Organization-wide Perspective on the Treatment of Security Requirements
Risk Assessment, Protection Against Malicious & Inadvertent Security Breaches, Countermeasures
End Result Will Be the Definition of Security Policies, As Appropriate, for Different Portions of an Organization
End User View End User View Involves the Privilege Attributes (E.G., User Id,
Role, Clearance, Etc.) Focus on the Privileges That Are Authorized, and
Action Authentications of Users
Security_BG-98
CSE 300
CORBA Security ViewsCORBA Security Views Application Developer View Application Developer View
Security Definitions Maybe Transparent to the Majority of Stakeholders (Programmers, Developers, Etc.)
Security May Be the Strict Responsibility of All Stakeholders (Programmers, Developers, Etc.)
Administrator’s View Administrator’s View Security Management Perspective Creating and Maintaining the Domains Assigning the Privilege Attributes to End Users, Administrating the Security Policies, Monitoring
the Control Attributes of Target Objects, Etc.
Security_BG-99
CSE 300
CORBA Security Execution Model CORBA Security Execution Model Client Makes a Request to Access the Target Object. Client Makes a Request to Access the Target Object. Must Obtain a Binding to the Target ObjectMust Obtain a Binding to the Target Object
Requires a Check to See If the Client Has the Permissions (Via the Privilege Attributes) to Invoke an Operation on the Target Object (Via the Control Attributes)
The Binding is Established, and a Reference to the The Binding is Established, and a Reference to the Target Object is Returned, Allowing the InvocationTarget Object is Returned, Allowing the Invocation
The Ability to Obtain an Object Reference May The Ability to Obtain an Object Reference May Involve Interaction with a Policy Object and the Involve Interaction with a Policy Object and the Domain ManagerDomain Manager
Security_BG-100
CSE 300
Security Binding in CORBASecurity Binding in CORBA
Security_BG-101
CSE 300
Domain Objects in CORBADomain Objects in CORBA
Security_BG-102
CSE 300
Security in .NET/JavaSecurity in .NET/Java Secure Development and Execution Environments via Secure Development and Execution Environments via
a Number of Different Capabilities:a Number of Different Capabilities: Code-Based Access Control - CBAC: Permission
for Code to Access Resources Role-Based Access Control - RBAC: Permission
for Users/roles to Access Resources Code Verification and Execution: Semantics,
Bytecode, Safe Execution Environment Secure Communication: Pass Data/messages
Securely Code and Data Integrity: No Unauthorized Code
Modification, Cryptography Our Objective - Explore their Attainment in .NETOur Objective - Explore their Attainment in .NET Apply Similar Framework to J2EE for ComparisonApply Similar Framework to J2EE for Comparison
Security_BG-103
CSE 300
.NET Security Capabilities.NET Security Capabilities Important Initial DefinitionsImportant Initial Definitions
Assembly: Refers to Compiler Generated Code, Specifically, Microsoft Intermediate Language (MSIL)
Evidence: Refers to the “Proof” that is Supplied Regarding Identity
Permissions: Refers to a Privilege that is Given to Perform an Operation on a Resource In the Case of an Assembly, the Permission Set for All
Allowable Privileges on All Required Resources We’ll Revisit in Later Slides in more DetailWe’ll Revisit in Later Slides in more Detail
Security_BG-104
CSE 300
.NET Security Execution Model.NET Security Execution Model Three Components:Three Components:
Hosting Environment is Attempting to Execute an Application Must Provide Both the Code (Via Assembly) and Its
Identity (Via Evidence) in Its Interactions With CLR Common Language Runtime (CLR) Provides a
Secure Execution Environment Through Managed Code and Code Access Security
CLR Contains the Security System That Realizes Policy Files Comprised of Rules Defined by a Security Administrator (Security Setting) The Rules Allow Permission Sets to Different Types of
Code or Users Based on Evidence
Security_BG-105
CSE 300
.NET Security Execution Model.NET Security Execution Model
Security_BG-106
CSE 300
C# vs. Java - Differences/SimilaritiesC# vs. Java - Differences/Similarities Class HierarchiesClass Hierarchies
Both have Single Rooted Class Hierarchies System.Object and Java.Lang.Object
Both Classes have Methods Sharing Some Similarities and Difference
Execution EnvironmentExecution Environment JAVA Compiled to Bytecodes
Interpreted or Natively Compiled and Run in Managed Execution Environment JVM
C# Code Gets Compiled to MSIL (Microsoft Intermediate Language) which Runs in CLR C# Code is Never Interpreted, it is Always Natively
Compiled C#’s MSIL is More Type Neutral
Security_BG-107
CSE 300
(Continued)C# access modifier Java access modifier
Private Private
Public public
Internal protected
protected N/A
internal protected N/A
C# vs. Java - Differences/SimilaritiesC# vs. Java - Differences/Similarities Access ModifiersAccess Modifiers
Serialization and DocumentationSerialization and Documentation C# supports XML format as well as binary format
for serialization while Java only supports binary format by default.
JAVA uses Javadoc while C# uses XML for documentation
Security_BG-108
CSE 300
.NET Security Capabilities.NET Security Capabilities Code-based Access Control - CBAC: Code-based Access Control - CBAC:
Giving Permissions at the Code Level to Access Resources
Based on the Application Domain That the Code is Assigned to (Information in Evidences)
Role-based Access Control - RBAC: Role-based Access Control - RBAC: Giving Permissions to a User to Access Resources
Based on the User’s Role in the System Secure Code Verification & Execution: Secure Code Verification & Execution:
Similar in Concept to Bytecode Verification in Java, MSIL in .NET
Insures That the Executing Code is Staying Within Its Allowed Domain
Security_BG-109
CSE 300
.NET Security Capabilities.NET Security Capabilities Secure Communication Secure Communication
Provides the Ability to Pass Data and Messages Locally or Remotely in a Secure Manner
Avoids Both Intentional and Inadvertent Data/message Modification
Secure Code and Data Protection: Secure Code and Data Protection: Insures That Code Hasn’t Been Modified Without
Authorization Utilizes Cryptographic Solutions and Signed
Distribution Files
Security_BG-110
CSE 300
.NET .NET Code-Based Access Control Code-Based Access Control The Determination of What a Piece of Code is The Determination of What a Piece of Code is
Allowed to Do is Decided by the Origins and Allowed to Do is Decided by the Origins and Intentions of the Code ItselfIntentions of the Code Itself
Can Be Decomposed Into Evidence Based Security, Can Be Decomposed Into Evidence Based Security, Permissions, and a Security PolicyPermissions, and a Security Policy
During Execution, the CLR During Execution, the CLR Reviews Evidence of an Assembly Determines an Identity for the Assembly Looks up and Grants Permissions Based on the
Security Policy for That Assembly Identity
Security_BG-111
CSE 300
.NET CBAC .NET CBAC Evidence Based Security Evidence Based Security Used by the CLR to Determine the Origin(s) of an Used by the CLR to Determine the Origin(s) of an
AssemblyAssembly At Runtime the CLR At Runtime the CLR
Examines the Meta-data of an Assembly to Determine the Origin of the Code
Determine the Creator of the Assembly Determine the URL and Zone That the Assembly
Came From A Zone Represents the Domain That the Assembly Is A Zone Represents the Domain That the Assembly Is
From, E.G., Internet, LAN, Local Machine, Etc. From, E.G., Internet, LAN, Local Machine, Etc. The Association of the Meta-data and Its The Association of the Meta-data and Its
Corresponding Assembly Is Verified by the CLR Corresponding Assembly Is Verified by the CLR
Security_BG-112
CSE 300
.NET CBAC .NET CBAC PermissionsPermissions An Assembly will Request Permissions to ExecuteAn Assembly will Request Permissions to Execute Requests are Answered at Runtime by the CLR, Requests are Answered at Runtime by the CLR,
Assuming that the Assembly Has Provided Evidence Assuming that the Assembly Has Provided Evidence Partially Denied Requests; the CLR Dynamically Partially Denied Requests; the CLR Dynamically
Assigning the Assembly a Lower-level Permission Assigning the Assembly a Lower-level Permission Than Requested Than Requested
Permissions are Grouped Into Sets Where Each Set Permissions are Grouped Into Sets Where Each Set Has the Same Level of Security and Trust Has the Same Level of Security and Trust
Example: Example: An Assembly that has Originated From the Internet
Zone May Be Granted an Internet Permission Set that Pertains to the Execution of Un-trusted Code, Allowing the Behavior of Non-local Code to Be Tightly Controlled
Security_BG-113
CSE 300
.NET CBAC Security Policies (SPs).NET CBAC Security Policies (SPs) The Grouping of Assemblies Establishes Different The Grouping of Assemblies Establishes Different
Security Policies for Different Code GroupingsSecurity Policies for Different Code Groupings Security Policy Groups Are Hierarchically Security Policy Groups Are Hierarchically
Categorized Based on the Identity That the CLR Categorized Based on the Identity That the CLR Determines From the Evidence in the Meta-dataDetermines From the Evidence in the Meta-data
An Actual Security Policy can be Specified As An Actual Security Policy can be Specified As Permissions for All Assemblies in a GroupPermissions for All Assemblies in a Group
This is Accomplished Using Security Policy Files to This is Accomplished Using Security Policy Files to Capture Security RequirementsCapture Security Requirements
A Policy File May Limit the Permissions of Another A Policy File May Limit the Permissions of Another Policy File, but Can’t Entirely Restrict ItPolicy File, but Can’t Entirely Restrict It
Security_BG-114
CSE 300
.NET CBAC Security Policies.NET CBAC Security Policies SP is Set by an Admin to Make Permission Decisions SP is Set by an Admin to Make Permission Decisions
for Assemblies and Domainsfor Assemblies and Domains Three Policies: Total Enterprise, Machine Executing Three Policies: Total Enterprise, Machine Executing
Code, Requesting UserCode, Requesting User Any Policy File May Partially Restrict Permissions of Any Policy File May Partially Restrict Permissions of
Another Policy FileAnother Policy File SP Groups Code into Hierarchical Categories Based SP Groups Code into Hierarchical Categories Based
on Identity Determined by the CLRon Identity Determined by the CLR SP Determines Permissions for Assembly After Code SP Determines Permissions for Assembly After Code
is Grouped and Categorizedis Grouped and Categorized
Security_BG-115
CSE 300
.NET Role-Based Access Control.NET Role-Based Access Control A Role Represents a Logical Grouping of Users (e.g., A Role Represents a Logical Grouping of Users (e.g.,
in a Health Care Application: Physician, Nurse)in a Health Care Application: Physician, Nurse) .NET Uses Role-based Security to Authenticate an .NET Uses Role-based Security to Authenticate an
Identity and to Pass on That Identity to Resources Identity and to Pass on That Identity to Resources Resources Authorize the Users Playing Roles Access Resources Authorize the Users Playing Roles Access
According to Policies and PermissionsAccording to Policies and Permissions Principal Defines a Role Membership, and the Principal Defines a Role Membership, and the
Permissions of Role-based Security are Managed by Permissions of Role-based Security are Managed by the Principalpermission Object the Principalpermission Object
Windows Authentication, Passport Authentication, IIS Windows Authentication, Passport Authentication, IIS Authentication, Impersonation AuthenticationAuthentication, Impersonation Authentication
Security_BG-116
CSE 300
.NET .NET Secure Code Verification/Execution Secure Code Verification/Execution Security Checks Verified During the Code Execution: Security Checks Verified During the Code Execution:
Stack Integrity, Bytecode Structure, Accessibility Buffer Overflows, Semantics
‘‘Java Sandbox’ of .NET is Called the Application Java Sandbox’ of .NET is Called the Application DomainDomain
Multiple Assemblies May Be Loaded into the Same Multiple Assemblies May Be Loaded into the Same Application DomainApplication Domain
No Way for an Object to Directly Reference Another No Way for an Object to Directly Reference Another Object in a Different Application Domain Object in a Different Application Domain
All of the Security Checks to Verify Code are Done on All of the Security Checks to Verify Code are Done on Managed Code in a the CLRManaged Code in a the CLR
Security_BG-117
CSE 300
.NET Secure Communication.NET Secure Communication Transmission and Communication of Sensitive Data Transmission and Communication of Sensitive Data
Across Systems Must Be Securely Accomplished Across Systems Must Be Securely Accomplished Secure Communications Occurs at the Application Secure Communications Occurs at the Application
Level Via SSL and Transport Layer Security (TLS) Level Via SSL and Transport Layer Security (TLS) .NET Applications Can Use the Windows SSPI, but .NET Applications Can Use the Windows SSPI, but
Only As Unmanaged Code With Managed WrappersOnly As Unmanaged Code With Managed Wrappers .NET Promotes the Exclusive Use of IIS.NET Promotes the Exclusive Use of IIS
IIS Supports SSL and TLS But IIS has an Extensive History of Security Flaws
Security_BG-118
CSE 300
.NET Secure Code and Data Protection.NET Secure Code and Data Protection Any Code/data Loaded by the System Must Supply Any Code/data Loaded by the System Must Supply
Evidence of Its Source, Version Signature Proof That There Hasn’t Been Any Unauthorized
Modification .NET Uses Strong-named Assemblies That Include the .NET Uses Strong-named Assemblies That Include the
Assembly Name and Version Information Assembly Name and Version Information Assemblies Are Signed With an RSA Keypair Assemblies Are Signed With an RSA Keypair
Nullifying the Chance of Unauthorized ModificationNullifying the Chance of Unauthorized Modification Version Information is Included in Order to Avoid Version Information is Included in Order to Avoid
DLL Conflicts During ExecutionDLL Conflicts During Execution .Net’s Encryption Functionality is Tied to the .Net’s Encryption Functionality is Tied to the
Windows Cryptographic APIWindows Cryptographic API
Security_BG-119
CSE 300
J2EE Security Capabilities J2EE Security Capabilities Platform Independent Java Bytecode That Is Able to Platform Independent Java Bytecode That Is Able to
Execute Either Locally or RemotelyExecute Either Locally or Remotely Bytecode Execution Process Involves a Number of Bytecode Execution Process Involves a Number of
Different Components: Different Components: The Class Loader (With Bytecode Verifier) Java Class Libraries (Apis) Java Virtual Machine (JVM) Which Interacts With
the OS All Three Provide a Secure Runtime Environment All Three Provide a Secure Runtime Environment The Security Manager and Access Controller Examine The Security Manager and Access Controller Examine
and Implement the Security Policyand Implement the Security Policy
Security_BG-120
CSE 300
J2EE Security Capabilities J2EE Security Capabilities
Security_BG-121
CSE 300
J2EE Code-Based Access ControlJ2EE Code-Based Access Control CBAC Implemented Through the JVM, Class Loader, CBAC Implemented Through the JVM, Class Loader,
and the Security Manager and Access Controller.and the Security Manager and Access Controller. The Hierarchy of the Class Loader Prevents The Hierarchy of the Class Loader Prevents
Unauthorized and Untrusted Code From Replacing Unauthorized and Untrusted Code From Replacing Any Code in the Base ClassesAny Code in the Base Classes
Multiple Class Loaders Are Permitted, Each With Its Multiple Class Loaders Are Permitted, Each With Its Own Namespace, Are Simultaneously Active.Own Namespace, Are Simultaneously Active.
Namespaces Allow the JVM to Group Classes Based Namespaces Allow the JVM to Group Classes Based on Where They Originated (Local, Remote)on Where They Originated (Local, Remote)
Namespaces Insure an Application Can’t Affect the Namespaces Insure an Application Can’t Affect the Rest of the Runtime EnvironmentRest of the Runtime Environment
Bytecode Verifier: All Untrusted Code Is Verified Bytecode Verifier: All Untrusted Code Is Verified Before Permitting Execution Within a Namespace Before Permitting Execution Within a Namespace
Security_BG-122
CSE 300
J2EE CBAC: The Security ManagerJ2EE CBAC: The Security Manager The Security Manager Enforces the Boundaries The Security Manager Enforces the Boundaries
Around the Sandbox by Implementing and Imposing Around the Sandbox by Implementing and Imposing the Security Policy for Applicationsthe Security Policy for Applications
All Classes Must Ask the Security Manager for All Classes Must Ask the Security Manager for Permission to Perform Certain OperationsPermission to Perform Certain Operations
By Default, an Application Has No Security Manager, By Default, an Application Has No Security Manager, So All Operations Are AllowedSo All Operations Are Allowed
Java Only Has Two Security Policy Levels, One for Java Only Has Two Security Policy Levels, One for the Executing Machine, and One for the Userthe Executing Machine, and One for the User
Each Level Can Expand or Restrict All of the Each Level Can Expand or Restrict All of the Permissions of Another LevelPermissions of Another Level
There Can Be Multiple Policy Files at Each LevelThere Can Be Multiple Policy Files at Each Level
Security_BG-123
CSE 300
J2EE CBAC PermissionsJ2EE CBAC Permissions Permissions Are Determined by the Security Policy at Permissions Are Determined by the Security Policy at
RuntimeRuntime Granted by the Security Policy Based on Evidence, a Granted by the Security Policy Based on Evidence, a
Publisher Signature and Location Origin Publisher Signature and Location Origin Permissions Are Also Grouped Into Protection Permissions Are Also Grouped Into Protection
Domains (Similar to Security Policy Domains in Domains (Similar to Security Policy Domains in CORBA and to Security Policy Files in .NET)CORBA and to Security Policy Files in .NET)
Permissions Are Associated With Groups of Classes Permissions Are Associated With Groups of Classes in Java, and Classes Are Grouped by Their Originsin Java, and Classes Are Grouped by Their Origins
CBAC Isn’t Automatic in J2EE, but Requires CBAC Isn’t Automatic in J2EE, but Requires Programmatic Effort by the Software Engineer Programmatic Effort by the Software Engineer
Security_BG-124
CSE 300
J2EE Role-Based Access ControlJ2EE Role-Based Access Control J2EE Uses the Java Authentication and Authorization J2EE Uses the Java Authentication and Authorization
Service (JAAS) Service (JAAS) JAAS: an Integrated Package That Implements a Java JAAS: an Integrated Package That Implements a Java
Version of the Pluggable Authentication Module Version of the Pluggable Authentication Module (PAM) Framework(PAM) Framework
Using JAAS, Software Engineers Are Allowed to Using JAAS, Software Engineers Are Allowed to Modify and Then Plug-in Domain/application Specific Modify and Then Plug-in Domain/application Specific Authentication ModulesAuthentication Modules
JAAS Currently Supports Authentication Methods JAAS Currently Supports Authentication Methods Including Unix, JNDI, and KerberosIncluding Unix, JNDI, and Kerberos
Security_BG-125
CSE 300
J2EE Secure Code Verification/ExecutionJ2EE Secure Code Verification/Execution J2EE Security Checks Are Performed During the Code J2EE Security Checks Are Performed During the Code
Execution Process, and Have Their Roots in the JVM Execution Process, and Have Their Roots in the JVM and JRE.and JRE.
Java Interprets Compiled Bytecodes Java Interprets Compiled Bytecodes A Bytecode Verifier Traverse the Bytecodes Before It A Bytecode Verifier Traverse the Bytecodes Before It
Goes to the Just-in-time (JIT) Compiler or JVM.Goes to the Just-in-time (JIT) Compiler or JVM. Java's ‘Sandbox’ Protected Domains, Are Similar to Java's ‘Sandbox’ Protected Domains, Are Similar to
Application Domains in .NETApplication Domains in .NET Protected Domains Constitute an Extension of the Protected Domains Constitute an Extension of the
Sandbox, Determining the Domain and Scope in Sandbox, Determining the Domain and Scope in Which an Application Can Execute Which an Application Can Execute
Security_BG-126
CSE 300
J2EE Secure Code Verification/ExecutionJ2EE Secure Code Verification/Execution Two Different Protected Domains Can Interact Two Different Protected Domains Can Interact
Through Trusted Code Explicit Consent of Both Parties (Remotely
Possible in .NET) An Object Can Access Another Object in Another An Object Can Access Another Object in Another
Protection Domain Protection Domain As Long As They Were Both Loaded From the
Same Class Loader This Is Due to the Hierarchical Class Loader
Structure
Security_BG-127
CSE 300
J2EE Secure CommunicationJ2EE Secure Communication Like .NET, J2EE Supports Secure Sockets Layer Like .NET, J2EE Supports Secure Sockets Layer
(SSL) and Transport Layer Security (TLS)(SSL) and Transport Layer Security (TLS) Java Provides Java Secure Sockets Extensions (JSSE) Java Provides Java Secure Sockets Extensions (JSSE)
for Implementing Secure Communicationsfor Implementing Secure Communications JSSE Is a Configurable and Flexible Solution That JSSE Is a Configurable and Flexible Solution That
Uses SSL and TLS to Create a Secure Connection Uses SSL and TLS to Create a Secure Connection Using Sockets (Sslsocketfactory)Using Sockets (Sslsocketfactory)
The Secure Connection Can Be Used for Remote The Secure Connection Can Be Used for Remote Method Invocations (RMI)Method Invocations (RMI)
Security_BG-128
CSE 300
J2EE Secure Code and Data ProtectionJ2EE Secure Code and Data Protection J2EE Provides Java Cryptography Extensions (JCE) J2EE Provides Java Cryptography Extensions (JCE)
and Java Cryptography Architecture (JCA) and Java Cryptography Architecture (JCA) Java Provides the Functionality of a Message Digest Java Provides the Functionality of a Message Digest
Algorithm for Use of Digital SignaturesAlgorithm for Use of Digital Signatures A Supplier Bundles Java Code Into a JAR (Java A Supplier Bundles Java Code Into a JAR (Java
Archive), Signing the File With a Digital SignatureArchive), Signing the File With a Digital Signature The JAR is Released As a Version, and the Client Can The JAR is Released As a Version, and the Client Can
Verify the Authenticity of the Supplier by Verifying Verify the Authenticity of the Supplier by Verifying the Signaturethe Signature
An Unsigned Class May Be Added to a JAR File, but An Unsigned Class May Be Added to a JAR File, but Not to a Package Within a JAR FileNot to a Package Within a JAR File
Security_BG-129
CSE 300
Java CBAC vs. .NET CBACJava CBAC vs. .NET CBAC Permissions Are Grouped Into Protection Domains Permissions Are Grouped Into Protection Domains
and Associated W/ Groups of Classesand Associated W/ Groups of Classes Permissions Are Grouped Into Sets and Associated Permissions Are Grouped Into Sets and Associated
with Code Groupswith Code Groups Classes Are Grouped by Their Origin Like Code Is Classes Are Grouped by Their Origin Like Code Is
Categorized by Assembly’s ZoneCategorized by Assembly’s Zone No Security Manager by Default in JavaNo Security Manager by Default in Java J2EE Has 2 Security Policy Types: J2EE Has 2 Security Policy Types:
Executing Machine & Requesting User .NET Provides a Lot of Standard Permissions.NET Provides a Lot of Standard Permissions Stronger Credentials Needed for Permissions in .NET Stronger Credentials Needed for Permissions in .NET
(Evidence)(Evidence) SP Files Are More Configurable in Java, but Doesn’t SP Files Are More Configurable in Java, but Doesn’t
Help W/o All Perm SetsHelp W/o All Perm Sets
Security_BG-130
CSE 300
J2EE RBAC vs. .NET RBACJ2EE RBAC vs. .NET RBAC .Net Supports Both Imperative and Declarative Role .Net Supports Both Imperative and Declarative Role
Permission CheckingPermission Checking Java Servlets Provide Declarative Checking at the Java Servlets Provide Declarative Checking at the
Servlet LevelServlet Level EJB’s Provide Declarative Checking Down to Method EJB’s Provide Declarative Checking Down to Method
LevelLevel JAAS Provides Imperative Checking Within Method JAAS Provides Imperative Checking Within Method
LevelLevel .Net Flexibility is Limited Severely.Net Flexibility is Limited Severely IIS is Only Supported Server of .Net FrameworkIIS is Only Supported Server of .Net Framework Passport Requires Users to Be Members of Microsoft Passport Requires Users to Be Members of Microsoft
Passport ServicePassport Service
Security_BG-131
CSE 300
Code Verification/ExecutionCode Verification/Execution Prevent System Weaknesses Exposure by Application Prevent System Weaknesses Exposure by Application
Errors; Malicious or NotErrors; Malicious or Not .NET and Java Perform Security Checks During Code .NET and Java Perform Security Checks During Code
ExecutionExecution Stack Integrity, Bytecode Structure, Buffer Overflows, Stack Integrity, Bytecode Structure, Buffer Overflows,
SemanticsSemantics Application Domains Have Static Boundaries Application Domains Have Static Boundaries Protection Domains Have Dynamic Boundaries Protection Domains Have Dynamic Boundaries All Security Checks to Verify Code Are Done on All Security Checks to Verify Code Are Done on
Managed CodeManaged Code Both .NET and Java Allow Unmanaged Code to Both .NET and Java Allow Unmanaged Code to
Bypass the CLR and JRE Bypass the CLR and JRE
Security_BG-132
CSE 300
Comments on Middleware SecurityComments on Middleware Security Objective of this Material:Objective of this Material:
Detail Security Requirements for Middleware (CORBA’s Meta Model)
Illustrate the Realization of the Meta-Model (Microsoft’s .NET and Java’s J2EE)
Compare and Contrast .NET and J2EE Touching Only Surface of Capabilities and Touching Only Surface of Capabilities and
FunctionalitiesFunctionalities See Paper on Web Site and Various References for See Paper on Web Site and Various References for
Additional DetailAdditional Detail
Security_BG-133
CSE 300
Web Based SecurityWeb Based Security What are the Issues and Concerns in Web-Based What are the Issues and Concerns in Web-Based
Security?Security?See: http://www.w3.org/Security/Faq/ See: http://www.w3.org/Security/Faq/
Partitions Security into:Partitions Security into: Client Side Security Server Side Security CGI Scripts Protecting Confidential Documents Denial of Service Attacks
We’ll Briefly Review all, but Concentrate on those We’ll Briefly Review all, but Concentrate on those Most Apropos to BMI and Associated Web-Based Most Apropos to BMI and Associated Web-Based Applications (e.g., Team Project)Applications (e.g., Team Project)
Security_BG-134
CSE 300
General Web Security IssuesGeneral Web Security Issues Bugs or Configuration Problems in Web Servers that Bugs or Configuration Problems in Web Servers that
allow Remote users able to:allow Remote users able to: Steal Confidential Documents, Execute Commands
on Servers, Break Into Servers, Launch DoS Browser-Side:Browser-Side:
Active-X or Applets Can Breach Privacy Misuse of Supplied Personal Info (App Side)
Network Eavesdropping:Network Eavesdropping: Network on Browser Side Network on Server Side End User ISP, Server ISP
What is the Biggest Concern for BMI?What is the Biggest Concern for BMI?
Security_BG-135
CSE 300
General Web Security IssuesGeneral Web Security Issues Impact of OS on Web Security:Impact of OS on Web Security:
Unix and NT – Powerful and Full Featured have Many Potential Holes – most Vulnerable
Special Purpose Web Boxes – less Vulnerable Bare-Bones Macintosh – least Vulnerable
Security of Web Server Software ProgramsSecurity of Web Server Software Programs Dependent on Services Offered Simple Server (Static files) Safer than Complex
Server (CGI scripts, Server-Side Processing, etc.) All Security Servers have Holes!
Common Gateway Interface (CGI) Scripts are Major Common Gateway Interface (CGI) Scripts are Major Source of Security ProblemsSource of Security Problems Issue Traced to Diligence in Writing Code as
Opposed to Technology Itself
Security_BG-136
CSE 300
General Web Security IssuesGeneral Web Security Issues General Security Precautions – Laundry ListGeneral Security Precautions – Laundry List
Who is allowed to use the system When they are allowed to use it What they are allowed to do (different groups may
be granted different levels of access) Procedures for granting access to the system Procedures for revoking access (e.G. When an
employee leaves) What constitutes acceptable use of the system Remote and local login methods System monitoring procedures Protocols for responding to suspected security
breaches
Security_BG-137
CSE 300
Benefits for Written Security PolicyBenefits for Written Security Policy You yourself will understand what is and is not You yourself will understand what is and is not
permitted on the system. If you don't have a clear permitted on the system. If you don't have a clear picture of what is permitted, you can never be sure picture of what is permitted, you can never be sure when a violation has occurred. when a violation has occurred.
Others in your organization will understand what the Others in your organization will understand what the security policy is. The written policy raises the level security policy is. The written policy raises the level of security consciousness, and provides a focal point of security consciousness, and provides a focal point for discussion. for discussion.
The security policy serves as a requirements document The security policy serves as a requirements document against which technical solutions can be judged. This against which technical solutions can be judged. This helps guard against the "buy first, ask questions later" helps guard against the "buy first, ask questions later" syndrome. syndrome.
The policy may help bolster your legal case should The policy may help bolster your legal case should you ever need to prosecute for a security violation. you ever need to prosecute for a security violation.
Security_BG-138
CSE 300
Issues of Client Side SecurityIssues of Client Side SecurityQ1Q1 How do I turn off the "You are submitting the contents of a form insecurely" message in How do I turn off the "You are submitting the contents of a form insecurely" message in
Netscape? Should I worry about it? Netscape? Should I worry about it? Q2Q2 How secure is the encryption used by SSL? How secure is the encryption used by SSL? Q3Q3 When I try to view a secure page, the browser complains that the site certificate doesn't When I try to view a secure page, the browser complains that the site certificate doesn't
match the server and asks me if I wish to continue. Should I? match the server and asks me if I wish to continue. Should I? Q4Q4 When I try to view a secure page, the browser complains that it doesn't recognize the When I try to view a secure page, the browser complains that it doesn't recognize the
authority that signed its certificate and asks me if I want to continue. Should I? authority that signed its certificate and asks me if I want to continue. Should I? Q5 How private are my requests for Web documents? Q5 How private are my requests for Web documents? Q6 What's the difference between Java and JavaScript? Q6 What's the difference between Java and JavaScript? Q7 Are there any known security holes in Java? Q7 Are there any known security holes in Java? Q8 Are there any known security holes in JavaScript? Q8 Are there any known security holes in JavaScript? Q9 What is ActiveX? Does it pose any risks? Q9 What is ActiveX? Does it pose any risks? Q10 Do "Cookies" Pose any Security Risks? Q10 Do "Cookies" Pose any Security Risks? Q11 I hear there's an e-mail message making the rounds that can trash my hard disk when I Q11 I hear there's an e-mail message making the rounds that can trash my hard disk when I
open it. Is this true? open it. Is this true? Q12 Can one Web site hijack another's content? Q12 Can one Web site hijack another's content? Q13 Can my web browser reveal my LAN login name and password? Q13 Can my web browser reveal my LAN login name and password? Q14 Are there any known problems with Microsoft Internet Explorer? Q14 Are there any known problems with Microsoft Internet Explorer? Q15 Are there any known problems with Netscape Communicator? Q15 Are there any known problems with Netscape Communicator? Q16 Are there any known problems with Lynx for Unix? Q16 Are there any known problems with Lynx for Unix? Q17 Someone suggested I configure /bin/csh as a viewer for documents of type application/x-Q17 Someone suggested I configure /bin/csh as a viewer for documents of type application/x-
csh. Is this a good idea? csh. Is this a good idea? Q18 Is there anything else I should keep in mind regarding external viewers?Q18 Is there anything else I should keep in mind regarding external viewers?
Security_BG-139
CSE 300
Issues of Client Side SecurityIssues of Client Side Security
Q9 What is ActiveX? Does it pose any risks? Q9 What is ActiveX? Does it pose any risks? Q10 Do "Cookies" Pose any Security Risks? Q10 Do "Cookies" Pose any Security Risks? Q11 I hear there's an e-mail message making the rounds Q11 I hear there's an e-mail message making the rounds
that can trash my hard disk when I open it. Is this true? that can trash my hard disk when I open it. Is this true? Q12 Can one Web site hijack another's content? Q12 Can one Web site hijack another's content? Q13 Can my web browser reveal my LAN login name and Q13 Can my web browser reveal my LAN login name and
password? password? Q14 Are there any known problems with Microsoft IE? Q14 Are there any known problems with Microsoft IE? Q15 Are there any known problems with Netscape Com.? Q15 Are there any known problems with Netscape Com.? Q16 Are there any known problems with Lynx for Unix? Q16 Are there any known problems with Lynx for Unix? Q17 Is it a good idea to configure /bin/csh as a viewer for Q17 Is it a good idea to configure /bin/csh as a viewer for
documents of type application/x-csh. documents of type application/x-csh. Q18 Is there anything else I should keep in mind Q18 Is there anything else I should keep in mind
regarding external viewers?regarding external viewers?
Security_BG-140
CSE 300
Issues of Protecting Confidential DocumentsIssues of Protecting Confidential Documents
Q1 What types of access restrictions are available? Q1 What types of access restrictions are available? Q2 How safe is restriction by IP address or domain name? Q2 How safe is restriction by IP address or domain name? Q3 How safe is restriction by user name and password? Q3 How safe is restriction by user name and password? Q4 What is user verification? Q4 What is user verification? Q5 How do I restrict access to documents by the IP Q5 How do I restrict access to documents by the IP
address or domain name of the remote browser? address or domain name of the remote browser? Q6 How do I add new users and passwords? Q6 How do I add new users and passwords? Q7 Isn't there a CGI script to allow users to change their Q7 Isn't there a CGI script to allow users to change their
passwords online? passwords online? Q9 How does encryption work? Q9 How does encryption work? Q10 What are: SSL, SHTTP, Shen? Q10 What are: SSL, SHTTP, Shen? Q11 Are there any "freeware" secure servers? Q11 Are there any "freeware" secure servers?
Security_BG-141
CSE 300
Web Services SecurityWeb Services Security Predominately Achieved via SOAP MessagingPredominately Achieved via SOAP Messaging
See: See: http://www.oasis-open.org/specs/index.php#wssv1.0 Enhancements to SOAP Messaging for:Enhancements to SOAP Messaging for:
Message Integrity Message Confidentiality Single Message Authentication
General Purpose Mechanism for Associating Security General Purpose Mechanism for Associating Security Token with messagesToken with messages
This is a Good Topic for Project 2 – Web Services This is a Good Topic for Project 2 – Web Services Security… Security… See also:See also:http://www.ibm.com/developerworks/library/specification/ws-secure/
Security_BG-142
CSE 300
Concluding RemarksConcluding Remarks Security is Multi-Step, Multi-Discipline ProcessSecurity is Multi-Step, Multi-Discipline Process
Definition of Security Requirements Realization of Security at Web, Application, and
Database Levels Integration of Security from Client to Web to
Application to DB Rigorous Definition of Security Policy Dynamic Nature of Security Privileges Enforcement of Defined Privileges Across and within
Multiple Tiers Overall, Security in Today’s World Integral Part of Overall, Security in Today’s World Integral Part of
Everyday Life - Some Key ConcernsEveryday Life - Some Key Concerns Confidentiality of an Individuals Data – PHR/EMR Identity Theft Protecting National Infrastructure