Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Computer Networks

A Component Security Infrastructure Y. David Liu Scott Smith

advertisement 
A Component Security
Infrastructure
Y. David Liu
Scott Smith
http://www.jcells.org
6/21/2016
Cells @ FCS 2002
1
Motivation
Secure software
systems
Build software systems
using components
SDSI/SPKI
Cells
Secure software systems
at the component level
6/21/2016
Cells @ FCS 2002
2
Goals for a Component Security
Infrastructure

Simplicity
– Complex protocols will be misused

Generality
– Applicable across a wide range of domains

Interoperability
– Security policies shared between
components, others

Extensibility
– Evolves as component architecture
evolves
6/21/2016
Cells @ FCS 2002
3
Background: Cells

A new distributed component programming
language [Rinat and Smith, ECOOP2002]
Header
Header
Body
Body
Cell A
Cell B
Service =
6/21/2016
Connector =
Cells @ FCS 2002
plugout
plugin
4
Background: SDSI/SPKI


Basis of our security infrastructure
Features
–
–
Principal with public/private key pair
Decentralized name service


–
Access control


6/21/2016
Extended names, name certificate
Group membership certificate
Principal with ACL
Delegation model: authorization/revocation
certificate
Cells @ FCS 2002
5
Principles of Component
Security

Each component should be a principal
–
–



Traditional principals: users, locations, protection
domains, …
New idea: Components as principals
Components are known to outsiders by their
public key
Components each have their own secured
namespace for addressing other components
Components may be private
6/21/2016
Cells @ FCS 2002
6
Cell Identifiers: CID

CID = the public key in the key pair
generated by public key cryptosystem
– CID is a secured cell identity

Universally unique
– No two cells share the same CID

Outgoing messages signed by CID-1
and verified by CID
6/21/2016
Cells @ FCS 2002
7
CVM Identity
CellA
CID: 1..1
CellB
CID: 5..5
CVM President Cell
CVM
CID: 7..7
With President Cells:

Universe is homogeneously composed of
cells
 Locations are also principals
– Locations are represented by cells and each cell is
a principal

Unique CVM identity via its President
6/21/2016
Cells @ FCS 2002
8
Cell Header Security Information
CID
CID-1
NLT
Naming Lookup Table
SPT
Security Policy Table
CertSTORE
6/21/2016
Identity/Key
Certificate Store (Delegation)
Cells @ FCS 2002
9
Cell Reference
Unifies many notions in one concept:
A locator of cells
 A capability to a cell

Cell CID
CVM CID
Network
Location
6/21/2016
– No cell reference, no access
A programming language
construct: reference
 Corresponds to a SDSI/SPKI
principal certificate

Cells @ FCS 2002
10
Name Services

CIDs vs. Names
– CIDs serve as universal identifiers, but names are
still necessary
– Extended name mechanism enables a cell to refer
to another cell even if its CID is unknown

Our name service is based on SDSI/SPKI
 Improvements:
– Fewer certificates needed due to on-line nature
– More expressive lookup algorithm
6/21/2016
Cells @ FCS 2002
11
SDSI/SPKI Extended Names
Local Name Certificate
Andy ID : 2..9
Bob’s Andy?
LOC : sdsi://starwars.com
ID
7..1
ID
1..3
Local Name Certificate
Bob
ID : 1..3
LOC : sdsi://cs.jhu.edu
6/21/2016
Cells @ FCS 2002
ID
2..9
12
SDSI/SPKI Groups
ID
7..1
Local Name Certificate
Andy ID : 2..9
LOC : sdsi://starwars.com
Local Name Certificate
Bob
ID : 1..3
LOC : sdsi://cs.jhu.edu
ID
1..3
Group Membership Certificate
Friend
6/21/2016
{Bob, Bob’s Andy}
Cells @ FCS 2002
ID
2..9
13
Cell Naming Lookup Table
CID
7..1
CID: 9..5
cell://home.org
Bob
Friend
CID : 1..3
CVM :4..7
LOC :
cell://cs.jhu.edu
Andy CID : 2..9
CVM :5..5
LOC :
cell://starwars.com
CID
1..3
CID: 4..7
cell://cs.jhu.edu
CID: 5..5
cell://starwars.com
{Bob, Bob’s Andy}
6/21/2016
CID
2..9
Cells @ FCS 2002
14
Cell Naming Lookup Table

Online nature makes local name certificates
unnecessary, unlike SDSI/SPKI
– More suited for mobility

Maintained by naming lookup interface, a
concept closer to programming languages
 Naming entries can be effectively secured by
using hooks
 Compatible with SDSI/SPKI
6/21/2016
Cells @ FCS 2002
15
Name Lookup Process
Andy CID : 2..9
CVM :5..5
LOC :
cell://starwars.com
Bob’s Andy?
CID
7..1
Bob
CID
1..3
CID : 1..3
CVM :4..7
LOC : cell://cs.jhu.edu
6/21/2016
Cells @ FCS 2002
CID
2..9
16
A More Expressive Algorithm
Tony?
CID
1..3
Anthony CID : 9..9
CVM :4..7
LOC : cell://cs.jhu.edu
CID
2..9
Andy CID : 2..9
CID
9..9
CVM :5..5
LOC :
cell://starwars.com
Tony Andy’s Anthony
6/21/2016
Cells @ FCS 2002
17
Cycles
Alice
Tony’s Bob?
CID
1..3
Andy CID : 2..9
Anthony Alice’s Tony
CID
2..9
CVM :5..5
LOC :
cell://starwars.com
CID
9..9
Tony Andy’s Anthony
6/21/2016
CID : 1..3
CVM :5..7
LOC :
cell://cs.jhu.edu
Cells @ FCS 2002
18
Cycle Detection Sketch
A cycle exists
Same local name expansion entry
encountered twice
Solution:
 Keep track of the path
 Raise an exception if the same name
encountered twice
6/21/2016
Cells @ FCS 2002
19
Security Policy

Each cell holds a security policy table, SPT.
 Each policy is a 5-tuple.
subject
resource
access
right
hook
deleg bit
owner
unit
Bob
thiscell
connector1
connect
NULL
0
Group1
thiscell
service1
invoke
NULL
1
Alice
Tim
service1
invoke
h
0
6/21/2016
Cells @ FCS 2002
20
Subjects, Resources,
Access Rights

Subjects
– Cells and a group of cells
– Local names, extended names, cell references

Resources
– Services, connectors, operations
– Partial order relations among them

Access rights
– Connect and invoke

Application level protection: meaningful
services and meaningful connections.
6/21/2016
Cells @ FCS 2002
21
Hooks

Designed for fine-grained access control
– Protect a naming lookup entry: lookup(“Tony”)
– Protect a specific file: read(“abc.txt”)

Associated with operations
 Operation parameters verified via a predicate
 Predicate checked when the associated
operation is triggered
– Example:
Hooklookup(arg1) = { arg1=“Tony” }
6/21/2016
Cells @ FCS 2002
22
SDSI/SPKI Delegation
ID
1..1
ID
3..3
AuthC1
“Access Granted”
AuthC1
AuthC3
AuthC1
AuthC3
6/21/2016
Cells @ FCS 2002
ID
5..5
23
Cell Delegation

Implements SDSI/SPKI delegation
 Each cell holds all certificates (both delegation
and revocation) in a certificate store.
 Security policy table supports delegation
– The owner of the resource might not be thiscell
– The delegation bit indicating whether certificates
can be further delegated

Certificates are implicitly passed for
delegation chain detection
– No need for manual user intervention
6/21/2016
Cells @ FCS 2002
24
Goals Revisited

Simplicity
– No complex algorithms/data structures
– Clearly defined principals and resources

Generality
– Not just cells, but components in general
– Not limited to certain applications

Interoperability
– Built on SDSI/SPKI standard
– Communicate with any infrastructure that supports
SDSI/SPKI

Extensibility
– Consideration for future additions: mobility, etc
6/21/2016
Cells @ FCS 2002
25
Future Work

Security for Mobile Components
– Cells can migrate
– Mobile devices, PDAs
Hierarchical Security Policy
 Interoperability

6/21/2016
Cells @ FCS 2002
26
jcells.org
6/21/2016
Cells @ FCS 2002
27
Dynamic Component

Components are named, addressable
entities, running at a particular location.

Components have interfaces which can
be invoked.

Components may be distributed across
the network
6/21/2016
Cells @ FCS 2002
28
Summary



Security infrastructure in a component programming
language
Cell identity and CVM identity (president cell)
Naming lookup table/interface
– More expressive lookup algorithm and cycle detection

Fine-grained access control
 Unification of security artifacts and programming language
ones
 Formalization of SDSI/SPKI
 API from programming language perspective
6/21/2016
Cells @ FCS 2002
29
Traditional Security Model
allow request
from
alice.jhu.edu
6/21/2016
Cells @ FCS 2002
30
…Fails for Mobile Devices
allow request
from
alice.jhu.edu
6/21/2016
Cells @ FCS 2002
31
Cell Security Infrastructure
allow request
from CVM with
CID 3333333
6/21/2016
Cells @ FCS 2002
32
…Adapts Well with Mobile
Devices
allow request
from CVM with
CID 3333333
6/21/2016
Cells @ FCS 2002
33
Extended Name
An extended name is a sequence of local
names [n1, n2, …, nk], where each ni+1 is a
local name defined in the name space of
the cell ni.
6/21/2016
Cells @ FCS 2002
34
Example:
Traditional Security Model
allow request
from
alice.jhu.edu
6/21/2016
Cells @ FCS 2002
35
…Fails in Cell Migration
allow request
from
alice.jhu.edu
6/21/2016
Cells @ FCS 2002
36
Example:
Cell Security Infrastructure
allow request
from cell with
CID 1234567
6/21/2016
Cells @ FCS 2002
37
…Adapts Well in Cell Migration
allow request
from cell with
CID 1234567
6/21/2016
Cells @ FCS 2002
38
Related documents
FINANCE COMMITTEE REPORT Thursday, January 21, 2016
FINANCE COMMITTEE REPORT Thursday, January 21, 2016
Document10401523 10401523
Document10401523 10401523
Download
advertisement