Cherubim Dynamic Security System Roy Campbell and Denny Mickunas Tin Qian, Vijay Raghavan, Tim Fraser, Chuck Willis, Zhaoyu Liu Department of Computer Science University of Illinois at Urbana-Champaign
Motivation Increasing connectivity and mobility Emerging software-intensive networks Software based protection at system level Acceptance of mobile agent technology Extensible and adaptable software architecture
Existing Solutions Firewall, VPN, Kerberos, SSL, SOCKS Limited support for fine-grained application specific security Hard to evolve, adapt and inter-operate No guard against grudging insiders Too complex and resource intensive for mobile clients
Our Approach Mobile security agents Secure bootstrapping process with minimal core security services Active capability providing application specific access control Interoperable security policies CORBA compliant security services and APIs
Achievement Security representation framework Security extensions to OMG IDL Minimal core security services Mobile collaborative testbed environment ‘Dynamic Security for Active Network’ Proof of Concept
Contents Overview of Cherubim Core Services Dynamic Policies Example Applications Demonstration Future Summary
Core Security Services Abstracts underlying cryptographic functionality Provides five basic functions –Encryption –Decryption –Signature –Signature Verification –Authentication
Core Implementation Based on Cryptix Package, a free implementation of the Java Cryptographic Architecture Authentication Protocol –2048 bit prime for Diffie-Hellman exchange –1024 bit DSA keys for signatures on key exchange and mobile classes –128 bit IDEA session keys
Authentication Client Server, signature g ab IDEA Session key IDEA Session key SHA-1 a b
Class Request Data Format Class Name TimeStamp (5 min) Sequence Number Destination Encrypted with IDEA Key Signature Packet Data Format
Class Response Data Format Class Name TimeStamp (5 min) Sequence Number Destination Encrypted with IDEA Key Signature Packet Data Format Class
Classloader Hierarchy Java core classes, Necessary Cryptix and Cherubim classes Jacorb classes, home application classes, Cherubim policy library Specific policies, remote application classes Primordial Classloader Jurassic Classloader CORBA Classloader
Dynamic Policies Framework –Primitives (sets, maps, mappings) –OS entities (devices, processes, users) –Interfaces with Security Policy Decision Function Underlying system –Policy classes Demo examples atop framework Active capabilities
Policy Classes DAC - Discretionary Access Control –Double DAC NDAC - Non... –DONDAC, Domain Oriented... –MAC formed from customized NDAC DSP Device Specific Policies –DANDAC, Device Aware...
Policy Framework OS DSPDACNDAC DANDAC DONDAC Interfaces Primitives DDAC
Policy Formulation for Demo Double Discretionary Access Control –Traditional Allowed Lists –Disallowed Lists –Policies that are functions of underlying mechanisms like time Corba monitoring and authorization for each RMI
Role-Base Access Control Separation of duties –Invocation of mutually exclusive roles for a task to increase security Least privilege –Assign only needed role/right to users Simplified authorization management –Independent mappings: role-permission, user- role, and role-role relationships –Suitable for dynamic mobile environment
Role Management Hierarchical roles –Simple, clear role management Object classes –Classify objects based on access type Roles to manage roles –Administrative roles Net effect of a configuration: open question
Environment System defines role permissions –Can dynamically define new role, or modify permissions, though should do so infrequently User-role binding by password/certificate –User can dynamically attain role –Can attain multiple non-exclusive roles
Current Implementation Two ids in policy framework: user and role –Access control entry can be for either user, role, or both Grant access if no conflict –Check ACL for both user and role One user can have multiple roles –Must be non-exclusive –Grant access if access control returns yes for user and one role
Architecture CORBA compliant security services Security enhanced IDL Agent-based dynamic security framework
CORBA Security Services OMG’s general security model OMG’s Security Service Interface Extensions defining binding between security policies and applications Principals, Roles, Privilege Attributes, Credentials, Active Capabilities Security Domain defines scope of policy and security authority
Object Access in Cherubim Active Capability/Certificates Network Transport Dynamic Policies BOA Security Mechanisms Application Client Orb Stub Active Capability/Certificates Application Server
Active Capability Smart packet containing certificate Signed policy code External mechanisms, framework interfaces –Time –Encryption –System/Device state
Security Enhanced IDL Interface definition extended to specify –enforced by, …, Declarations of variables, methods, and parameters extended to specify mechanisms: –authenticated, authorized, encrypted, audited, non-repudiated,
Demonstration Secure Bootstrap from ‘Smart Card’ Process Management System example Double Discretionary Access Control –2 hosts (system objects) –2 users –8 process management operations –Allowed and denied lists for various accesses CORBA monitoring and authentication for method invocations
Bootstrap from Smart Card File -> passphrase decryption -> credentials Credentials –home server, public key, private key Mutual authentication with home server Download Jacorb, security classes, application with active capabilities Cherubim Smart Card
Process Management Example System Manager Client 1 User Application Host Manager Remote User Process Remote User Process Remote User Process Client 2 User Application Client 3 User Application Host Manager Remote User Process Remote User Process Remote User Process Host Manager Remote User Process Remote User Process Remote User Process Server 1 Server 2 Server 3
Laptop Mickunas Key Components in Demonstration Denny Client Application NameServer PolicyServer Service Manager Denny Server Application Hostmanager Roy Client Application Laptop Roy Roy Server Application
Future Dynamic Distributed Objects with Dynamic Adaptable Security Policies over Heterogeneous Networks “Instant” Security Policy Response to Attacks Automated and Flexible Configurability Dynamic Security for Active Networks
Cherubim Summary Dynamic policies Compatibility Extensibility Customizability Interoperability Multiple Policies Multiple Mechanisms Multiple Protocols Secure Orb, Security Server Public Key Infrastructure Architecture for and Demonstration of:-
What’s missing from Tucson meeting