Security Model and Enforcement for Data-Centric Pub/Sub with High Information Assurance Requirements



Similar documents
Reference Guide for Security in Networks

Secure Networking Configuration

Chapter 23. Database Security. Security Issues. Database Security

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Part III. Access Control Fundamentals

Network Security 網 路 安 全. Lecture 1 February 20, 2012 洪 國 寶

Chapter 23. Database Security. Security Issues. Database Security

Arnab Roy Fujitsu Laboratories of America and CSA Big Data WG

DDS and SOA Interfaces to ESB

What is a secret? Ruth Nelson

Mandatory Access Control

Access Control. ITS335: IT Security. Sirindhorn International Institute of Technology Thammasat University ITS335. Access Control.

CSE543 - Introduction to Computer and Network Security. Module: Access Control

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Role Based Access Control: Adoption and Implementation in the Developing World

Middleware and Distributed Systems. System Models. Dr. Martin v. Löwis. Freitag, 14. Oktober 11

Secure web transactions system

Top Ten Security and Privacy Challenges for Big Data and Smartgrids. Arnab Roy Fujitsu Laboratories of America

Weighted Total Mark. Weighted Exam Mark

A Data Centric Approach for Modular Assurance. Workshop on Real-time, Embedded and Enterprise-Scale Time-Critical Systems 23 March 2011

PrivyLink Cryptographic Key Server *

Chapter 7 Transport-Level Security

Introduction. Haroula Zouridaki Mohammed Bin Abdullah Waheed Qureshi

Cryptography and Network Security

Security and privacy for multimedia database management systems

A Model-based Methodology for Developing Secure VoIP Systems

ITM661 Database Systems. Database Security and Administration

CS 665: Computer System Security. Designing Trusted Operating Systems. Trusted? What Makes System Trusted. Information Assurance Module

Access Control Matrix

Chapter 17. Transport-Level Security

Integrated Development of Distributed Real-Time Applications with Asynchronous Communication

TRANSMAT Trusted Operations for Untrusted Database Applications

Security (II) ISO : Security Architecture of OSI Reference Model. Outline. Course Outline: Fundamental Topics. EE5723/EE4723 Spring 2012

Database Security Part 7

A SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS. N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1

Chapter 10. Network Security

Authentication. Authorization. Access Control. Cloud Security Concerns. Trust. Data Integrity. Unsecure Communication

How To Model Access Control Models In Cse543

Chap. 1: Introduction

Cryptography and Network Security Chapter 1

Secure Managed File Transfer with Connect:Direct

Trusted RUBIX TM. Version 6. Multilevel Security in Trusted RUBIX White Paper. Revision 2 RELATIONAL DATABASE MANAGEMENT SYSTEM TEL

Security and Authorization. Introduction to DB Security. Access Controls. Chapter 21

Session objectives. Access control. Subjects and objects. The request. Information Security

Implementation of Mandatory Access Control in Role-based Security System with Oracle Snapshot Skill

Securing VoIP Networks using graded Protection Levels

Internet of things (IOT) applications covering industrial domain. Dev Bhattacharya

Sync Security and Privacy Brief

Security Implications of Distributed Database Management System Models

An Object Oriented Role-based Access Control Model for Secure Domain Environments

Overview. SSL Cryptography Overview CHAPTER 1

Best Practices, Procedures and Methods for Access Control Management. Michael Haythorn

A Security Integrated Data Storage Model for Cloud Environment

Savitribai Phule Pune University

Windows Web Based VPN Connectivity Details & Instructions

Enterprise Security Architecture Concepts and Practice

Security and Privacy Controls for Federal Information Systems and Organizations

Information Security Policy

Using DDS to Enable The Real-Time Enterprise Service Bus (RT-ESB)

Supporting FISMA and NIST SP with Secure Managed File Transfer

Meeting Cyber Security Challenges

Committee on National Security Systems

Department of Computer & Information Sciences. CSCI-445: Computer and Network Security Syllabus

Cornerstones of Security

Content Teaching Academy at James Madison University

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

Infor CloudSuite. Defense-in-depth. Table of Contents. Technical Paper Plain talk about Infor CloudSuite security

Identity Management and Access Control

UML Profile for DDS. a tutorial for OMG Specification in Government Workshop (Real-Time & Embedded Systems) July 13, 2009

EECatalog SPECIAL FEATURE

CSCI 454/554 Computer and Network Security. Final Exam Review

VALLIAMMAI ENGINEERING COLLEGE

Complying with National Institute of Standards and Technology (NIST) Special Publication (SP) An Assessment of Cyber-Ark's Solutions

Access Control Intro, DAC and MAC. System Security

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

Access Control Models Part I. Murat Kantarcioglu UT Dallas

Directives and Instructions Regarding Security and Installation of Wireless LAN in DoD Federal Facilities

Network Security. A Quick Overview. Joshua Hill josh-web@untruth.org

Transport Layer Security Protocols

Network Security Essentials Chapter 5

MAC Web Based VPN Connectivity Details and Instructions

Government of Canada Managed Security Services (GCMSS) Appendix D: Security Control Catalogue ITSG-33 - Annex 3 DRAFT 3.1

Understanding Digital Certificates and Wireless Transport Layer Security (WTLS)

A Structured Approach to Computer Security *

Commercial Practices in IA Testing Panel

CHAPTER 1: OPERATING SYSTEM FUNDAMENTALS

Arnab Roy Fujitsu Laboratories of America and CSA Big Data WG

Advanced Topics in Distributed Systems. Dr. Ayman Abdel-Hamid Computer Science Department Virginia Tech

SSL Firewalls

POLICY ON WIRELESS SYSTEMS

Transcription:

Security Model and Enforcement for Data-Centric Pub/Sub with High Information Assurance Requirements Sebastian Staamann, Director Security Products, PrismTech OMG's Eighth Workshop on Distributed Object Computing for Real-time and Embedded Systems July 9-12, 2007 - Arlington, VA, USA

The Need for Information Assurance (IA) within DDS 1 Data-Centric Publish/Subscribe middleware, most notably the Data Distribution Service for Real-time Systems (DDS), heavily used for systems of highest criticality DDS used for distribution (and storage) of classified information Information to be distributed within a system or a system-of-systems potentially of different classification Distribution over untrusted networks (network segments) Distribution middleware (DDS, CORBA, etc.) is the architectural layer in a distributed systems architecture at which application-level security policies can be defined and enforced, yet with generic, non-application-specific mechanisms/technology DDS-based information backbone is (more trustworthy) infrastructure, in contrast to (less trusted) application code

Constraints and Requirements on IA in Typical Application Environments of Data-Centric Pub/Sub 2 DDS is the Data Distribution Service for Real-time Systems, i.e. required are: Minimum latency Minimum latency implementation of access control Minimum use of cryptography Efficient use of cryptography (minimization of encryption/decryption operation) Using cryptography in modes with minimum latency No unnecessary use of public-key cryptography Non-blocking generation of security audit information Minimum jitter No blocking hand-shake protocols No centralized access decision function servers DDS is pub/sub for multi-node systems Full support for multicast needed, no peer-to-peer (hub-and-spoke) approaches as usually used for internet security (like SSL for transport-level communication security) Architecture support for RED/BLACK separation (nodes potentially connected via untrusted networks) Plug-in / replaceability of crypto algorithms/software/hardware High IA: Support for formally proven security policies and models

Proven Security Policies and Models for High IA 3 Traditionally (especially in Defense), focus of security policies for high-ia environments on confidentiality of information Implementing multilevel security for IT (security [secrecy] levels, compartments [need-to-know]) Controlling the information flow (containment of Trojan horse effects, covert channel suppression, RED/BLACK separation...) Cornerstone: Bell-LaPadula Confidentiality Model Nowadays, especially with the processing of real-time control information, the integrity of the information has become equally important. Model with proven foundation: Biba Integrity Model (sibling of Bell-LaPadula model) Information assurance (IA) MUST be supported/enabled by the appropriate technology Security Services Availability Integrity Transmission Storage Processing Information States Authentication Confidentiality Extended McCumber Model (chosen by the IA group in the NCOIC as the reference model for their work on the IA Design Framework) Nonrepudiation Technology Policy & Practice People Security Countermeasures

Security Policy and Models briefly reminded 4 Military Security Policy: Each piece of information is ranked at a particular sensitivity level, such as unclassified, restricted, confidential, secret, or top secret. Each piece of classified information (information object, or object for short) is associated to one or more compartments which represent the subject matter of the information. The combination rank; compartments is the classification (C) of a piece of information. An entity (traditionally a person) that wants to access a piece of classified information must be cleared. A clearance (C) is an indication that an entity (a subject, traditionally a person) is trusted to access information up to a certain level of sensitivity and that this subject needs to know certain categories of information. Also the clearance of a subject has the form rank; compartments. A subject dominates an object, meaning the subject can read the information object if and only if (i) the rank of the subject is at least as high as the rank of the subject (rank object rank subject ), AND (ii) the subject has a need to know about all compartments for which the object is classified (compartments object compartments subject ). Bell-LaPadula Confidentiality Model: Two properties characterize the secure flow of information (i.e., the enforcement of the military security policy): Security Property: A subject may have read access to an object only if the subject dominates the object, i.e., C subject C object *- Property : A subject s that has read access to an object o may have write access to an object p only if C p C o Biba Integrity Model: In the Biba model, two properties guarantee the integrity of the information in the system: Simple Integrity Property: A subject can modify (have write access to) an object only if I subject I object Integrity *-Property: If a subject s has read access to an object o with integrity level I o, s can have write access to an object p only if I o I p

Building Distributed Application Systems Based on Data-Centric Pub/Sub Middleware what does it mean for IA? 5 Proven security policies and models for high IA are data-centric The underlying interaction model for distributed applications systems based on data-centric publish/subscribe middleware also is data-centric (in contrast to object-oriented or service oriented distribution middleware like CORBA or SOAP/WSDL) The software architecture, named SPLICE, that we developed for distributed embedded systems basically consists of two types of components: applications and a shared data space. Applications are active, concurrently executing processes that each implement part of the system s overall functionality. Besides process creation, there is no direct interaction between applications; all communication takes place through a logically shared data space simply by reading and writing data elements. [1] MAC read access [1] M. Boasson and E. de Jong. Software Architecture for Large Embedded Systems. In Proc. of the IEEE. RTSS 97 Workshop on Middleware for Distributed Real-Time Software Systems, San Francisco, CA, Dec. 1997. write access Implementing Data-Centric Applications: Data-centric applications can be implemented using the precepts of dataoriented programming. In general, the tenets of data-oriented programming include the following principles: (i) Expose the data. Ensure that the data is visible throughout the entire system... [2] [2] G. Pardo-Castellote and S. Oberoi. A Data- Centric Approach to Distributed Application Architecture. White paper. March 2007. www.devx.com Direct applicability of proven security policies and models (interaction model: common access of all applications to a replicated database) if the information backbone (replicated database) is implemented as a trusted infrastructure that enforces mandatory access control (MAC), i.e. is an IA-enabled information backbone

The DDS-based IA-enabled Information Backbone for Building Secure Distributed Application Systems 6 Application 1 App.2 App.3 App.4 App.5 DP 1a DP 1b DP 2 DP 3 DP 4 DP 5 Global Data Space (GDS) A Global Data Space is made accessible to applications through an DDS-based information backbone. The IA-enabled backbone enforces security controls on the (global) distribution (replication) of the data within the Global Data Space and on the access to the (local) replicas. local replica/part of GDS node 1 local replica/part of GDS node 2 local replica/part of GDS intelligent replication node 3 inter-node enforcement of global security policy The IA-enabled information backbone covers the technology part of the five pillars of IA: Availability Integrity Authentication Confidentiality Non-repudiation local (intra-node) enforcement of global security policy

The Pieces of the Puzzle 7 What is the scope of a security policy and model? What is the scope of a single security administration (what is the security domain / trust domain)? The DDS Domain What are the (identifiable) principals (that can be authenticated) in the security domain? The applications, resp. the registered userids (human or system) that the applications run for (like processes in Unix) What are the objects to which access control is to be enforced in a DDS-based information backbone (global data space)? ClassifiedDataPartitions and ClassifiedDataTopics What are the subjects that access these objects and that act for a principal (with the principals privileges)? The Domain Participants What about nodes of varying trustworthiness? All nodes are under the same security administration and governed by the same security policy and model. However, the level up to which a node can be trusted to handle classified information appropriately may vary (due to hardware, operating system, physical exposure etc.). Nodes get assigned max. security levels. Inter-node security enforcement prevents distribution (replication) of higher-classified information to lesser classified nodes.

The Pieces of the Puzzle (cont.): Clearances & Classifications 8 Security attributes (clearance) of a subject (Domain Participant, inherited from userid): Secrecy level Integrity level Set of Compartments (all assigned by the security administration) Security attributes (classification) of ClassifiedDataPartition (object): Secrecy level Integrity level Set of Compartments (all assigned by the security administration) Security attributes (classification) of ClassifiedDataTopic (object): assignment to an (already existing) ClassifiedDataPartition (assigned by the security administration) Security attributes (classification) of node: max. Secrecy level max. Integrity level Set of Compartments (all assigned by the security administration)

Mandatory Security Policy and Models looked at again 9 Military Security Policy: Each piece of information is ranked at a particular sensitivity level, such as unclassified, restricted, confidential, secret, or top secret. Each piece of classified information (information object, or object for short) is associated to one or more compartments which represent the subject matter of the information. The combination rank; compartments is the classification (C) of a piece of information. An entity (traditionally a person) that wants to access a piece of classified information must be cleared. A clearance (C) is an indication that an entity (a subject, traditionally a person) is trusted to access information up to a certain level of sensitivity and that this subject needs to know certain categories of information. Also the clearance of a subject has the form rank; compartments. A subject dominates an object, meaning the subject can read the information object if and only if (i) the rank of the subject is at least as high as the rank of the subject (rank object rank subject ), AND (ii) the subject has a need to know about all compartments for which the object is classified (compartments object compartments subject ). Bell-LaPadula Confidentiality Model: Two properties characterize the secure flow of information (i.e., the enforcement of the military security policy): Security Property: A subject may have read access to an object only if the subject dominates the object, i.e., C subject C object *- Property : A subject s that has read access to an object o may have write access to an object p only if C p C o Biba Integrity Model: In the Biba model, two properties guarantee the integrity of the information in the system: Simple Integrity Property: A subject can modify (have write access to) an object only if I subject I object Integrity *-Property: If a subject s has read access to an object o with integrity level I o, s can have write access to an object p only if I o I p

Security Model Activation 10 The Bell-LaPadula *- Property can be deactivated for single applications (trusted applications, MLS applications) The Biba Integrity *- Property can be deactivated for single applications (trusted applications, MLS applications)

End-to-end Security / Inter-node Security 11 Application 1 App.2 App.3 App.4 App.5 End-to-end security = intranode security + inter-node security DP 1a DP 1b DP 2 DP 3 DP 4 DP 5 local replica/part of GDS node 1 Global Data Space (GDS) local replica/part of GDS node 2 local replica/part of GDS intelligent replication node 3 Inter-node security includes preservation of confidentiality and integrity of information communicated over unsecure networks labeling of differently classified information cryptographic of differently classified information RED/BLACK separation at the node/network boundary by means of a dedicated network process inter-node enforcement of global security policy local (intra-node) enforcement of global security policy

Summary / Q&A 12 Most application environments for Data-centric Pub/Sub require the integration and support of proven security models (Bell-LaPadula etc.) by the information distribution backbone Data-centric way to build distributed application systems very suitable for the implementation of such models End-to-end security = intra-node security + inter-node security Proposed mapping of DDS entities to subjects and objects of established security models: ClassifiedDataPartitions as objects (ClassifiedDataTopics as specialization) Domain Participants as subjects Applications as principals

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information