Presentation is loading. Please wait.

Presentation is loading. Please wait.

Richard Gay – ICISS, December 20, 2014 CliSeAu:Securing Distributed Java Programs by Cooperative Dynamic Enforcement Richard Gay, Jinwei Hu, Heiko Mantel.

Published byPaulina Weaver Modified over 9 years ago

Similar presentations

Presentation on theme: "Richard Gay – ICISS, December 20, 2014 CliSeAu:Securing Distributed Java Programs by Cooperative Dynamic Enforcement Richard Gay, Jinwei Hu, Heiko Mantel."— Presentation transcript:

1 Richard Gay – ICISS, December 20, 2014 CliSeAu:Securing Distributed Java Programs by Cooperative Dynamic Enforcement Richard Gay, Jinwei Hu, Heiko Mantel Modeling and Analysis of Information Systems (MAIS), TU Darmstadt, Germany 10 th International Conference on Information Systems Security, Hyderabad, India funded by CASED, by the DFG under project FM-SecEng, and by TU Darmstadt

2 Richard Gay – ICISS, December 20, 2014 Dynamic Security Enforcement Enforcement as encapsulation Duties of an encapsulation 2 program (needs to be trusted) enforcement mechanism program (trustworthy) “encapsulation” intercept eventsdecide impose countermeasure PEP in XACML PIP+PDP in XACML

3 Richard Gay – ICISS, December 20, 2014 Security in Distributed Programs Related work (selected)  SASI [Erlingsson, Schneider ‘99]  Security Automata [Schneider ’00]  Edit Automata [Ligatti et al. ’02, ‘05, ‘09]  Polymer [Bauer et al. ’05, ‘09]  JavaMOP [Rosu et al. ’07, ’12, ‘12] Our goals  dynamic enforcement for distributed Java programs  system-wide security requirements  decentralized to avoid bottlenecks and single points of failure  effective  efficient 3  Service Automata [Gay et al. ‘11]  MFOTL enforcement [Basin et al. ‘10, ‘12]  Information-flow enforcement [e.g., Guernic ’07,…,Chudnov et al. ’14]  Usage control [e.g., Pretschner et al. ‘13, ‘14]

4 Richard Gay – ICISS, December 20, 2014 4 Security in Distributed Programs File server 1File server 2 download file of Bank A download file of Bank B financial auditor checks for local enforcement checks for local enforcement

5 Richard Gay – ICISS, December 20, 2014 Concept [Gay et al., FAST‘11]  encapsulate each component of distributed target program  encapsulations can coordinate the enforcement with each other  formalized in CSP Modular architecture Remaining challenges  a cooperative enforcement mechanism for Java programs  a combination technique for the mechanism with a Java program 5 Service Automata Concept interceptor enforcerlocal policy target coordinator

6 Richard Gay – ICISS, December 20, 2014 CliSeAu concept cooperative enforcement modular architecture combination technique prototype (available for download) evaluation case study performance evaluation 6 Overview of Contributions 1234 a novel tool for dynamic enforcement of security in distributed Java programs

7 Richard Gay – ICISS, December 20, 2014 Architecture of Encapsulations Basis: Service Automata concept [Gay et al., FAST‘11]  inherits local policy and coordinator  inherits modular architecture Novel augmentation of CliSeAu  event factory: abstracts security-irrelevant details of actions  enforcer factory: refines decisions to concrete countermeasures  design patterns (strategy, factory): integrate parametric components  IPC: connects “left part” and “right part”  benefits:  local policy less dependent on technical peculiarities of target  decision-making can be placed into separate process than target 7 enforcer factory event factory interceptor enforcerlocal policy target coordinator

8 Richard Gay – ICISS, December 20, 2014 Combining Capsules with Targets Concept  in-lining interception and imposition of countermeasures (left)  placing decision-making into environment of program (right) Key technologies used  AspectJ for instrumentation of target programs’ bytecode  TCP/IP sockets for communication within & between ECs  key-value configuration files for selection of target and policy 8 Java code of the capsule Java code of the program environment of the program decider JavaMOP Clara JavaMOP Clara SASI, JavaMop… SASI, JavaMop… Porscha, CoPilot… Porscha, CoPilot…

9 Richard Gay – ICISS, December 20, 2014 CliSeAu Goal  automated encapsulation of a given distributed Java program  flexibility in the choice of the program and the security policy CliSeAu’s approach  configuration determines target program and security policy  each distributed component is encapsulated 9 CliSeAu config policydistributed Java program

10 Richard Gay – ICISS, December 20, 2014 Enforcement for non-distributed Java programs  JavaMOP [Rosu et al.]  based on AspectJ  focus on efficiency; no abstraction  Polymer  abstraction concept, for policy composition Enforcement in distributed programs  LGI/Moses [Minsky et al.]  program’s network interaction  DiAna [Agha et al.]  piggy-backing, possibly delayed  [KelbertPretschner ‘13+’14]  focus on usage control  formal model for decentralized enforcement 10 Related Approaches

11 Richard Gay – ICISS, December 20, 2014 Case Study: Enforcing Chinese Wall Goals  evidence whether CliSeAu can be applied to third-party programs  evidence for possibility to re-use CliSeAu config parts  basis for performance evaluation Application scenario  distributed file storage system  Chinese Wall security policy  3 different Java file servers as target programs  sound, decentralized enforcement (even in case of simultaneous downloads) 11

12 Richard Gay – ICISS, December 20, 2014 Instantiation of CliSeAu  intercepted events:  method calls underlying file downloads  program-level, not API-level  deciding, cooperative & decentralized  assigning actions to responsible ECs via hash code of (user, COI)  delegating the decision-making to the responsible EC  imposed countermeasures:  suppress policy-violating downloads (2 of 3 targets)  replace return value of method (1 of 3 target) 12 Case Study: Enforcing Chinese Wall intercept eventsdecide impose countermeasure

13 Richard Gay – ICISS, December 20, 2014 Goals  determine basic runtime overhead of CliSeAu  determine effect of cooperation on runtime overhead Experimental setup  3 different Java file servers  for each: 10 file servers on a Linux machine  downloading files of size 10KB  overhead measured in FTP client, averaged over 2500 experiments  enforcement of Chinese Wall security policy 13 Performance Evaluation

14 Richard Gay – ICISS, December 20, 2014 Performance Evaluation: Results Performance overhead on a single file download Performance overhead for multiple hops  roughly linear increase in number of hops  increase per hop: ≈1.35ms 14 AnomicFTPDDRSSimpleFTPD local deciding2.72ms (1.3%)2.80ms (3.8%)1.67ms (4.2%) coordinated deciding (2 hops) 5.23ms (2.6%)5.62ms (6.8%)4.68ms (11.7%)

15 Richard Gay – ICISS, December 20, 2014 CliSeAu:Securing Distributed Java Programs by Cooperative Dynamic Enforcement Our goals  enforcement for distributed Java programs  decentralized  system-wide security requirements  effective  efficient Not in scope so far  fault tolerance of CliSeAu  network attacks on CliSeAu 15 http://www.mais.informatik.tu-darmstadt.de/CliSeAu

16 Richard Gay – ICISS, December 20, 2014 Appendix 16

17 Richard Gay – ICISS, December 20, 2014 Dynamic enforcement in distributed systems  feasible:  intercepting individually at each agent of the distributed system  imposing countermeasures individually at the agents  not feasible in general  deciding at the agent that tried to perform an action (  soundness)  deciding about all at a single agent (  performance) 17 Cooperative Decentralized Enforcement

18 Richard Gay – ICISS, December 20, 2014 Cooperative Enforcement Goals for the enforcement capsules (ECs)  capability of local deciding  deciding about events of the program it encapsulates  to reduce communication overhead  capability of cooperative deciding  requesting support by other ECs  supporting other ECs in decision-making  to enable sound decisions even when a single EC does not have sufficient information Challenges  enabling cooperative deciding when needed and local deciding when possible  enabling sound decision-making for system-wide policies without excessive synchronization 18

19 Richard Gay – ICISS, December 20, 2014 CliSeAu’s approach  ECs cooperate by delegation  every EC can specify when to delegate and when to decide locally  delegation is non-blocking: 19 Cooperative Deciding

20 Richard Gay – ICISS, December 20, 2014 Architecture of Encapsulations Goals for the enforcement capsules (ECs)  support for cooperative decentralized deciding  abstraction from security-irrelevant actions (in the example: browsing server directories)  abstraction from security-irrelevant details of actions (in the example: download size)  modular architecture Challenge  enabling flexibility in the supported programs and the security policies while providing much fixed structure to simplify instantiation 20

Download ppt "Richard Gay – ICISS, December 20, 2014 CliSeAu:Securing Distributed Java Programs by Cooperative Dynamic Enforcement Richard Gay, Jinwei Hu, Heiko Mantel."

Similar presentations

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu www.list.gmu.edu.

Towards Remote Policy Enforcement for Runtime Protection of Mobile Code Using Trusted Computing Xinwen Zhang Francesco Parisi-Presicce Ravi Sandhu
Network Resource Broker for IPTV in Cloud Computing Lei Liang, Dan He University of Surrey, UK OGF 27, G2C Workshop 15 Oct 2009 Banff,

Network Resource Broker for IPTV in Cloud Computing Lei Liang, Dan He University of Surrey, UK OGF 27, G2C Workshop 15 Oct 2009 Banff,
3 Copyright © 2005, Oracle. All rights reserved. Designing J2EE Applications.

3 Copyright © 2005, Oracle. All rights reserved. Designing J2EE Applications.
Henry C. H. Chen and Patrick P. C. Lee

Henry C. H. Chen and Patrick P. C. Lee
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 9 Distributed Systems Architectures Slide 1 1 Chapter 9 Distributed Systems Architectures.

©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 9 Distributed Systems Architectures Slide 1 1 Chapter 9 Distributed Systems Architectures.
Jay Ligatti and Srikar Reddy University of South Florida.

Jay Ligatti and Srikar Reddy University of South Florida.
Serverless Network File Systems. Network File Systems Allow sharing among independent file systems in a transparent manner Mounting a remote directory.

Serverless Network File Systems. Network File Systems Allow sharing among independent file systems in a transparent manner Mounting a remote directory.
Chapter 13 (Web): Distributed Databases

Chapter 13 (Web): Distributed Databases
Tu sca ny 1 Simplifying Service Oriented Applications with The Apache Tuscany project Jeremy Boynes 27 July 2006.

Tu sca ny 1 Simplifying Service Oriented Applications with The Apache Tuscany project Jeremy Boynes 27 July 2006.
XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.

XACML 2.0 and Earlier Hal Lockhart, Oracle. What is XACML? n XML language for access control n Coarse or fine-grained n Extremely powerful evaluation.
CIM2564 Introduction to Development Frameworks 1 Overview of a Development Framework Topic 1.

CIM2564 Introduction to Development Frameworks 1 Overview of a Development Framework Topic 1.
Policy-Carrying, Policy-Enforcing Digital Objects Sandra Payette and Carl Lagoze Cornell Digital Library Research Group ECDL2000 Lisbon, Portugal September.

Policy-Carrying, Policy-Enforcing Digital Objects Sandra Payette and Carl Lagoze Cornell Digital Library Research Group ECDL2000 Lisbon, Portugal September.
More Enforceable Security Policies Lujo Bauer, Jay Ligatti and David Walker Princeton University (graciously presented by Iliano Cervesato)

More Enforceable Security Policies Lujo Bauer, Jay Ligatti and David Walker Princeton University (graciously presented by Iliano Cervesato)
A Type System for Expressive Security Policies David Walker Cornell University.

A Type System for Expressive Security Policies David Walker Cornell University.
Polaris Financial Technologies Welcomes the members of Hyderabad chapter for the 2nd event on 4 th July 14 held by PACE (The Testing Practice)

Polaris Financial Technologies Welcomes the members of Hyderabad chapter for the 2nd event on 4 th July 14 held by PACE (The Testing Practice)
.NET Mobile Application Development Introduction to Mobile and Distributed Applications.

.NET Mobile Application Development Introduction to Mobile and Distributed Applications.
Course Instructor: Aisha Azeem

Course Instructor: Aisha Azeem
Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.

Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access memory.
Architectural Design Establishing the overall structure of a software system Objectives To introduce architectural design and to discuss its importance.

Architectural Design Establishing the overall structure of a software system Objectives To introduce architectural design and to discuss its importance.
WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.

WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.

Similar presentations

Ads by Google