June 3, 2016 CS 388: Model Integrated Computing 1 Security QoS Modeling (SQML) for Enterprise DRE Systems (eDRE) By Akshay V. Dabholkar Adviser Dr. Aniruddha Gokhale

June 3, 2016 CS 388: Model Integrated Computing 2 Motivation  Security is one of the key QoS Aspects in addition to Real-Time, & Fault Tolerance in making Enterprise DRE (eDRE) systems Trustworthy  Apply the MDE approach to security to be able to express security policy annotations at a higher level and evaluate conflicting requirements at modeling time  Goal is to add model-driven security enhancements to component middleware like CCM (CORBA Component Model)

June 3, CS 388: Model Integrated Computing Security  Definition of security “Safety“ or “freedom from worry“  Types of protection:  Authorization  Access control and data protection (untrusted environment)  Accountability  Audit (weaker) and non-repudiation (stronger)  Availability  Service continuity and disaster recovery  Assurance  System safety and operational correctness

June 3, CS 388: Model Integrated Computing Multiple Security Concerns  Role-Based Access Control (RBAC): for managing user identity and roles for authorization  Evidence Generation: Component code running in the CCM container can be restricted to only use well-defined interfaces, which allows security to be effectively enforced on the code enabling safe deployment of large applications with varying degrees of security enforcements  Multi-level Security Policies: Enterprise, Machine, User & Application Domain policy types  System Partitioning: Based on domain security policies  Container Security: Infrastructure support in the CCM leveraging the CORBA security service and supported protocols for communication, authentication, encryption, integrity and interoperability

June 3, CS 388: Model Integrated Computing CORBA Security Model v1.8 Client Application (Message Sender) ORB Security Enforcement Subsystem Execution Context Credential Identity Privileges Message Policy Decision Core Target Object Domain Domain Policy  Security protection based upon policy  Policy may be domain specific  Policy enforced by ORB The ORB enforces –Access Control –Message Protection –Audit Policy The ORB implements –PEP (Policy Evaluation Points) –PDP (Policy Decision Points), i.e., portable interceptors The ORB Services implement –Policy Repository –Security Protocols (e.g., SSLIOP) –Authentication Methods –Cryptographic Algorithms CCM Security adopts the EJB Security Specification

June 3, CS 388: Model Integrated Computing Secure Invocation Model Current ORB Core Target ORB Security Security Association ORB Security Access control Secure Invocation Secure Invocation Access control Access Decision Policy Obj-Reference Client Credentials Current Credentials Security Association Policy Secure Inter- operability

June 3, 2016 CS 388: Model Integrated Computing 7 Modeling Approach  Platform Independent Component Modeling Language (PICML)  Captures CCM application lifecycle  e.g., Assembly, Packaging, Deployment, etc.  Component QoS Modeling Language (CQML)  Enhances PICML  Captures Component QoS requirements  Leverage and enhance to capture security requirements for eDRE applications  Solution: Security QoS Modeling Language (SQML)

June 3, CS 388: Model Integrated Computing User-Role-Rights Mapping (Effective Rights)  Responsibility of the System Administrator and defined in the application server deployment site through access control policies  The roles can be application specific or platform (CCM) specific  CCM Specific roles: Designer, Developer, Implementer, Assembler, Packager, Deployer, End-User  Application Specific roles: Administrator, User, Director, Programmer, Manager, etc. The Users & Groups are shown for completeness. User/Group → Role mappings are defined in the application access policies

June 3, CS 388: Model Integrated Computing Operation/Interface Classification Modeling (Required Rights)  Responsibility of the Component Developer  Operations/Interfaces are classified according to the standard CORBA family rights [corba:gsum]  Well-defined Component Interfaces  Allows for coarse-grained control over operation access  Used underneath in the container to determine access decisions to the operations  Granted Rights vs. Required Rights Rights assignment on a two-way method

Different effective set of rights based on role June 3, CS 388: Model Integrated Computing Effective Vs. Required Rights  Specified by developers  Per-type!  System-wide!  Group operations by “sensitivity “  get(g), set(s), use(u), manage(m)  Rights Combinators: any, all  Granted by Policy  Per domain

June 3, 2016 CS 388: Model Integrated Computing 11 CCM QoS Levels  Address three CCM QoS levels – ports, components and assemblies  SQML provides fine-grained as well as coarse- grained access control and security guarantees A CCM Assembly The CORBA Component Model Configure Security QoS Properties

June 3, CS 388: Model Integrated Computing Access Control Granularity  Fine-grained:  Interface Operation  Assembly Property  Component Attribute  Coarse-grained:  Interface  Set of Operations  Class of Operations (based on Required Rights - corba:gsum)  Inter-Component Execution Flow (Path in an Assembly)

June 3, CS 388: Model Integrated Computing Policy Definition Rules Allow/Deny access to all operations with same rights Two-Level evaluation: Operation name & Required Rights Two-Level Evaluation: Operation name & Required Rights Component Attributes have implicit get/set rights Critical path in the system (part of a functionality/workflow) Two-Level Evaluation: Operation name & Required Rights

June 3, 2016 CS 388: Model Integrated Computing 14 Model Interpreter  Inject security related assertions and constraints to the CCM component deployment and configuration plan and generate security policies and permissions  Generate User → Role → Granted-Rights mappings defined by the system administrator for deployment in Security Assertion Markup Language (SAML)  Generate Operation → Required-Rights mapping for an interface that are determined by the component designer  Generate Policy definition files in eXtended Access Control Markup Language (XACML)  Based on the mappings and policy rules, generate method permissions defined on operations of the interface definition for the User roles that have rights to invoke a method  Generate additional metadata to configure the CCM container for applying the defined Security policies and enforcing them on the object interactions

June 3, CS 388: Model Integrated Computing Future Work  Define efficient rule and policy validation and rule combining algorithms.  Extend the critical path functionality to provide Business Process & Workflow security  Provide middleware infrastructure support for security in the CCM container through container portable interceptors, leveraging the facilities of the CORBA security service implementation available with TAO  Implement Policy Evaluation Point (PEP), Policy Decision Point (PDP), Policy Repository in CIAO  Enable D & C tools like DAnCE to integrate security QoS properties with application deployment and configure the CCM middleware to enforce them  This project will be extended in future R&D activities at ISIS to support Security QoS that is independent of the underlying middleware technology  Weaving of Concerns: Investigate the ramifications of having FT, RT and Security working in tandem

Enabling Trustworthy Systems with the DDS Quality of Service Modeling Language Joe Hoffert, Aniruddha Gokhale, Doug Schmidt

Outline  Trustworthy Systems via Model Driven Engineering (MDE)  Use Case: Data Distribution Service (DDS)  DDS QoS Modeling Language (DQML)  DQML Metamodel Overview  DQML Application: DDS Benchmark Environment (DBE)  DBE Interpreter  DQML Demonstration  Future Work

Trustworthy Systems (1/2)  Security Technology  Software Security  Software design  specification languages, methods, and tools supporting security by design  Static code verification via:  security-friendly APIs  disciplined styles of programming  automated tools for lightweight static checking  Trusted Platforms  Understanding composition  Evaluating security and vulnerability  Examining minimal configurations (hardware & software) that provide trusted platforms  Systems Science  Model-Based Integration of Secure Systems  model-based design  Quality of Service (QoS)-enabled component middleware TRUST Goals for Enterprise Publish/Subscribe DRE Systems

 Manage inherent complexity  Scope models to area/level of concern  Compose larger scope using modeling artifacts (e.g., application infrastructure/framework, higher level tools)  Understand composition via separation of concerns  Simplify vulnerability, provability analysis Trustworthy Systems (2/2)  Reduce accidental complexity  Increase confidence, reuse via MDE tools  Close security loopholes via misused tools, software, and configurations Facilitation of TRUST Goals via Model Driven Engineering (MDE)

 Coupling of business logic, infrastructure, QoS configuration (i.e., all crafted in handwritten code)  Intermixing of concerns/areas of focus  Lack of composition understanding  “Provability” via testing  Potential loopholes in untested code paths  Unintended functionality (i.e., design != implementation) Non-Trustworthy Systems Vulnerability, Lack of Confidence/Provability

Use Case: The OMG Data Distribution Service (DDS) Application Logical Data Store read write Provides flexibility, power and modular structure by decoupling: Location – anonymous pub/sub Redundancy – any number of readers & writers Time – asynchronous, time-independent data distribution Platform – same as CORBA middleware Architecturally Broken into: Data Centric Publish/Subscribe (DCPS) -Lower layer APIs to exchange topic data based on QoS policies Data Local Reconstruction Layer (DLRL) -Upper layer APIs that make topic data appear local

QoS Policies Supported by DDS  DCPS entities (e.g., topics, data readers/writers) configurable via QoS policies  QoS tailored to data distribution in tactical information systems  Request/offered compatibility checked by DDS at Runtime  Consistency checked by DDS at Runtime  DEADLINE  Establishes contract regarding rate at which periodic data is refreshed  LATENCY_BUDGET  Establishes guidelines for acceptable end-to-end delays  TIME_BASED_FILTER  Mediates exchanges between slow consumers & fast producers  RESOURCE_LIMITS  Controls resources utilized by service  RELIABILITY (BEST_EFFORT, RELIABLE)  Enables use of real-time transports for data  HISTORY (KEEP_LAST, KEEP_ALL)  Controls which (of multiple) data values are delivered  DURABILITY (VOLATILE, TRANSIENT, PERSISTENT)  Determines if data outlives time when they are written  … and 15 more …  Implications for Trustworthiness

DDS QoS Policies Interactions of QoS Policies have implications for: Consistency/Validity e.g., Deadline period < TimeBasedFilter minimum separation (for a DataReader) Compatibility/Connectivity e.g., best-effort communication offered (by DataWriter), reliable communication requested (by DataReader) DataWriter Durability- Volatile Durability- Transient Reliability- Best Effort Reliability- Reliable Deadline- 10ms Deadline- 20ms Liveliness- Manual By Topic Liveliness- Automatic Topic Will Settings Be Consistent? Or Will QoS Settings Need Updating? Timebased- 15ms DataWriter DataReader Will Data Flow? Or Will QoS Settings Need Updating? DataReader

DDS Trustworthiness Needs (1/2)  Compatibility and Consistency of QoS Settings  Data needs to flow as intended  Close software loopholes that might be maliciously exploited  Fixing at code time untenable  Implies long turn-around times  Code, compile, run, check status, iterate  Introduces accidental complexity  DDS QoS Modeling Language (DQML) models QoS configurations and allows checking at design/modeling time  Supports quick and easy fixes by “sharing” QoS policies  Supports correct-by-construction configurations  Fixing at run-time untenable  Updating QoS settings on the fly  Introduces inherent complexity  Unacceptable for certain systems (e.g., RT, mission critical, provable properties)

DDS Trustworthiness Needs (2/2)  QoS configurations generated automatically  Eliminate accidental complexities  Close configuration loopholes for malicious exploitation  Decouple configurations from application logic  Refinement of configuration separate from refinement of code  DQML generates QoS settings files for DDS Applications  Creates consistent configurations  Promotes separation of concerns  Configuration changes unentangled with business logic changes  Increases confidence QoS Settings

DDS Application Development  Business/application logic mixed with QoS configuration code  Accidental complexity  Obfuscation of configuration concerns  DQML decouples QoS configuration from business logic  Facilitates configuration analysis  Reduces accidental complexity DataWriter QoS configuration & datawriter creation QoS configuration & publisher creation QoS Configuration Business logic = Higher confidence DDS application

DQML Design Decisions No Abortive Errors User can ignore constraint errors Useful for developing pieces of a distributed application Initially focused on flexibility QoS Associations vs. Containment Entities and QoS Policies associated via connections rather than containment Provides flexibility, reusability Eases resolution of constraint violations

DQML Application: DDS Benchmark Environment (DBE) Part of Real-Time DDS Examination & Evaluation Project (RT-DEEP) DataReader DataWriter QoS DataReader QoS Developed by DRE Group at ISIS DBE runs Perl scripts to deploy DataReaders and DataWriters onto nodes Passes QoS settings files (generated by hand) Requirement for testing and evaluating non-trivial QoS configurations

DBE Interpreter Model the Desired QoS Policies via DQML Invoke the DBE Interpreter Generates One QoS Settings File for Each DBE DataReader and DataWriter to Use DBE QoS Settings DataReader DataWriter Have DBE Launch DataReaders and DataWriters with Generated QoS Settings Files No Manual Intervention

DQML Demonstration Create DDS entities, QoS policies, and connections Run constraint checking consistency check compatibility check fix at design time Invoke DBE Interpreter automatically generate QoS settings files

Future Work  Incorporate into Larger Scale Tool Chains  e.g., Deployment and Configuration Engine (DAnCE) in CoSMIC Tool Chain  Develop mapping between SQML security model and DDS security service (as input for security PIM)  Incorporate with TRUST Trustworthy Systems  Combine QoS polices and patterns to provide higher level services  Build on DDS patterns 1  Continuous data, state data, alarm/event data, hot-swap and failover, controlled data access, filtered by data content 1 Gordon Hunt, OMG Workshop Presentation, July, 2006  Fault-tolerance service (e.g., using ownership/ownership strength, durability policies, multiple readers and writers, hot- swap and failover pattern)  Security service (e.g., using time based filter, liveliness policies, controlled data access pattern)  Real-time data service (e.g., using deadline, transport priority, latency budget policies, continuous data pattern)