Data and Applications Security Developments and Directions Dr. Bhavani Thuraisingham The University of Texas at Dallas Lecture #12 Secure Object Systems March 2, 2009
Outline Background on object systems Discretionary security Multilevel security Objects for modeling secure applications Object Request Brokers Secure Object Request Brokers Secure frameworks Directions
Concepts in Object Database Systems Objects- every entity is an object Example: Book, Film, Employee, Car Class Objects with common attributes are grouped into a class Attributes or Instance Variables Properties of an object class inherited by the object instances Class Hierarchy Parent-Child class hierarchy Composite objects Book object with paragraphs, sections etc. Methods Functions associated with a class
Example Class Hierarchy ID Name Author Publisher Document Class D1 D2 Method1: Method2: Print-doc-att(ID) Print-doc(ID) Journal Subclass Book Subclass # of Chapters Volume # B1 J1
Example Composite Object Document Object Section 2 Object Section 1 Object Paragraph 1 Object Paragraph 2 Object
Security Issues Access Control on Objects, Classes, Attributes etc. Execute permissions on Methods Multilevel Security Security impact on class hierarchies Security impact on composite hierarchies
Objects and Security Secure OODB Secure OODA Secure DOM Persistent Design and analysis Infrastructure data store Secure OOPL Programming Secure Frameworks language Business objects Secure OOT Technologies Secure OOM Unified Object Model is Evolving
Access Control
Access Control Hierarchies
Secure Object Relational Model
Policy Enforcement
Sample Systems
Multilevel Security
Some Security Properties Security level of an instance must dominate the level of the class Security level of a subclass must dominate the level of the superclass Classifying associations between two objects Method must execute at a level that dominates the level of the method
Multilevel Secure Object Relational Systems
Sample MLS Object Systems
Objects for Secure Applications
Object Modeling
Dynamic Model
Functional Model
UML and Policies
Distributed Object Management Systems Integrates heterogeneous applications, systems and databases Every node, database or application is an object Connected through a Bus Examples of Bus include Object Request Brokers (Object Management Group) Distributed Component Object Model (Microsoft)
Object-based Interoperability Server Client Object Object Object Request Broker Example Object Request Broker: Object Management Group’s (OMG) CORBA (Common Object Request Broker Architecture)
Javasoft’s RMI (Remote Method Invocation) RMI Business Objects Clients Java-based Servers
Objects and Security Secure OODB Secure OODA Secure DOM Persistent Design and analysis Infrastructure data store Secure OOPL Programming Secure Frameworks language Business objects Secure OOT Technologies Secure OOM Unified Object Model is Evolving
Secure Object Request Brokers
CORBA (Common Object Request Broker Architecture) Security Security Service provides the following: Confidentiality Integrity Accountability Availability URLs http://www.javaolympus.com/J2SE/NETWORKING/CORBA/COR BASecurity.jsp http://student.cosy.sbg.ac.at/~amayer/projects/corbasec/sec_ov erview.html www.omg.org
OMG Security Specifications
CORBA (Common Object Request Broker Architecture) Security Security Service provides the following: Confidentiality Integrity Accountability Availability URLs http://www.javaolympus.com/J2SE/NETWORKING/CORBA/COR BASecurity.jsp http://student.cosy.sbg.ac.at/~amayer/projects/corbasec/sec_ov erview.html www.omg.org
CORBA (Common Object Request Broker Architecture) Security - 2 Identification and Authentication of Principles Authorization and Access Control Security Auditing Security of communications Administration of security information Non repudiation
Dependable Object Request Brokers Navigation Data Analysis Programming Display Consoles Data Links Processor Group (DAPG) (14) & Sensors Refresh Channels Sensor Multi-Sensor Detections Tracks Technology provided by Project Integrate Security, Real- time and Fault Tolerance Computing Future Future Future App App App Data MSI Mgmt. Data App Xchg. Infrastructure Services Real Time Operating System Hardware
Secure Frameworks
Directions Object Models UML for Security applications is becoming common practice Secure distributed object systems has gained popularity Evolution into secure object-based middleware Secure object-based languages Integrating security and real-time for object systems Distributed Objects Security cannot be an afterthought for object-based interoperability Use ORBs that have implemented security services Trends are moving towards Java based interoperability and Enterprise Application Integration (EAI) Examples of EAI products are Web Sphere (IBM) and Web Logic (BEA) Security has to be incorporated into EAI products