a component security infrastructure · sdsi/spki cells build software systems using components ....
TRANSCRIPT
![Page 1: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/1.jpg)
9/24/15 Cells @ FCS 2002 1
A Component Security Infrastructure
Y. David Liu Scott Smith
http://www.jcells.org
![Page 2: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/2.jpg)
9/24/15 Cells @ FCS 2002 2
Motivation
Secure software systems
Secure software systems at the component level
SDSI/SPKI Cells
Build software systems using components
![Page 3: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/3.jpg)
9/24/15 Cells @ FCS 2002 3
Goals for a Component Security Infrastructure
l Simplicity – Complex protocols will be misused
l Generality – Applicable across a wide range of domains
l Interoperability – Security policies shared between
components, others l Extensibility
– Evolves as component architecture evolves
![Page 4: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/4.jpg)
9/24/15 Cells @ FCS 2002 4
Background: Cells
Cell A
Connector = Service = plugout
plugin
Header
Body
Header
Body
Cell B
l A new distributed component programming language [Rinat and Smith, ECOOP2002]
![Page 5: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/5.jpg)
9/24/15 Cells @ FCS 2002 5
Background: SDSI/SPKI
l Basis of our security infrastructure l Features
– Principal with public/private key pair – Decentralized name service
l Extended names, name certificate l Group membership certificate
– Access control l Principal with ACL l Delegation model: authorization/revocation
certificate
![Page 6: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/6.jpg)
9/24/15 Cells @ FCS 2002 6
Principles of Component Security
l Each component should be a principal – Traditional principals: users, locations, protection
domains, … – New idea: Components as principals
l Components are known to outsiders by their public key
l Components each have their own secured namespace for addressing other components
l Components may be private
![Page 7: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/7.jpg)
9/24/15 Cells @ FCS 2002 7
Cell Identifiers: CID l CID = the public key in the key pair
generated by public key cryptosystem – CID is a secured cell identity
l Universally unique – No two cells share the same CID
l Outgoing messages signed by CID-1 and verified by CID
![Page 8: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/8.jpg)
9/24/15 Cells @ FCS 2002 8
CVM Identity
With President Cells: l Universe is homogeneously composed of
cells l Locations are also principals
– Locations are represented by cells and each cell is a principal
l Unique CVM identity via its President
CVM
CellA CID: 1..1
CellB CID: 5..5
CVM President Cell CID: 7..7
![Page 9: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/9.jpg)
9/24/15 Cells @ FCS 2002 9
Cell Header Security Information
CID CID-1
NLT SPT
CertSTORE Security Policy Table
Naming Lookup Table
Certificate Store (Delegation)
Identity/Key
![Page 10: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/10.jpg)
9/24/15 Cells @ FCS 2002 10
Cell Reference
l A locator of cells l A capability to a cell
– No cell reference, no access l A programming language
construct: reference l Corresponds to a SDSI/SPKI
principal certificate
Cell CID CVM CID Network Location
Unifies many notions in one concept:
![Page 11: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/11.jpg)
9/24/15 Cells @ FCS 2002 11
Name Services
l CIDs vs. Names – CIDs serve as universal identifiers, but names are
still necessary – Extended name mechanism enables a cell to refer
to another cell even if its CID is unknown l Our name service is based on SDSI/SPKI l Improvements:
– Fewer certificates needed due to on-line nature – More expressive lookup algorithm
![Page 12: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/12.jpg)
9/24/15 Cells @ FCS 2002 12
SDSI/SPKI Extended Names
Bob ID : 1..3 LOC : sdsi://cs.jhu.edu
ID 1..3
ID 2..9
ID 7..1
Andy ID : 2..9 LOC : sdsi://starwars.com
Bob’s Andy?
Local Name Certificate
Local Name Certificate
![Page 13: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/13.jpg)
9/24/15 Cells @ FCS 2002 13
SDSI/SPKI Groups
Bob ID : 1..3 LOC : sdsi://cs.jhu.edu
ID 1..3
ID 2..9
ID 7..1
Andy ID : 2..9 LOC : sdsi://starwars.com
Local Name Certificate
Local Name Certificate
Group Membership Certificate
Friend {Bob, Bob’s Andy}
![Page 14: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/14.jpg)
9/24/15 Cells @ FCS 2002 14
Cell Naming Lookup Table
Bob CID : 1..3 CVM :4..7 LOC : cell://cs.jhu.edu
CID 1..3
CID 2..9
CID 7..1
Andy CID : 2..9 CVM :5..5 LOC : cell://starwars.com
CID: 4..7 cell://cs.jhu.edu
CID: 5..5 cell://starwars.com Friend {Bob, Bob’s Andy}
CID: 9..5 cell://home.org
![Page 15: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/15.jpg)
9/24/15 Cells @ FCS 2002 15
Cell Naming Lookup Table
l Online nature makes local name certificates unnecessary, unlike SDSI/SPKI – More suited for mobility
l Maintained by naming lookup interface, a concept closer to programming languages
l Naming entries can be effectively secured by using hooks
l Compatible with SDSI/SPKI
![Page 16: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/16.jpg)
9/24/15 Cells @ FCS 2002 16
Name Lookup Process
Bob CID : 1..3 CVM :4..7 LOC : cell://cs.jhu.edu
CID 1..3
CID 2..9
CID 7..1
Andy CID : 2..9 CVM :5..5 LOC : cell://starwars.com
Bob’s Andy?
![Page 17: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/17.jpg)
9/24/15 Cells @ FCS 2002 17
A More Expressive Algorithm
Anthony CID : 9..9 CVM :4..7 LOC : cell://cs.jhu.edu
CID 1..3 CID
2..9
Andy CID : 2..9 CVM :5..5 LOC : cell://starwars.com
Tony?
Tony Andy’s Anthony
CID 9..9
![Page 18: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/18.jpg)
9/24/15 Cells @ FCS 2002 18
Cycles Alice CID : 1..3
CVM :5..7 LOC : cell://cs.jhu.edu
CID 1..3
CID 2..9 Andy CID : 2..9
CVM :5..5 LOC : cell://starwars.com
Tony’s Bob?
Tony Andy’s Anthony
CID 9..9
Anthony Alice’s Tony
![Page 19: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/19.jpg)
9/24/15 Cells @ FCS 2002 19
A cycle exists
Same local name expansion entry encountered twice
Solution: l Keep track of the path l Raise an exception if the same name
encountered twice
Cycle Detection Sketch
![Page 20: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/20.jpg)
9/24/15 Cells @ FCS 2002 20
Security Policy
subject resource access right
hook deleg bit
owner unit Bob thiscell connector1 connect NULL 0
Group1 thiscell service1 invoke NULL 1
Alice Tim service1 invoke h 0
l Each cell holds a security policy table, SPT. l Each policy is a 5-tuple.
![Page 21: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/21.jpg)
9/24/15 Cells @ FCS 2002 21
Subjects, Resources, Access Rights
l Subjects – Cells and a group of cells – Local names, extended names, cell references
l Resources – Services, connectors, operations – Partial order relations among them
l Access rights – Connect and invoke
l Application level protection: meaningful services and meaningful connections.
![Page 22: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/22.jpg)
9/24/15 Cells @ FCS 2002 22
Hooks
l Designed for fine-grained access control – Protect a naming lookup entry: lookup(“Tony”) – Protect a specific file: read(“abc.txt”)
l Associated with operations l Operation parameters verified via a predicate l Predicate checked when the associated
operation is triggered – Example:
Hooklookup(arg1) = { arg1=“Tony” }
![Page 23: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/23.jpg)
9/24/15 Cells @ FCS 2002 23
SDSI/SPKI Delegation
ID 3..3
ID 1..1
ID 5..5
AuthC1
AuthC3
AuthC1
AuthC3
AuthC1
“Access Granted”
![Page 24: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/24.jpg)
9/24/15 Cells @ FCS 2002 24
Cell Delegation
l Implements SDSI/SPKI delegation l Each cell holds all certificates (both delegation
and revocation) in a certificate store. l Security policy table supports delegation
– The owner of the resource might not be thiscell – The delegation bit indicating whether certificates
can be further delegated l Certificates are implicitly passed for
delegation chain detection – No need for manual user intervention
![Page 25: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/25.jpg)
9/24/15 Cells @ FCS 2002 25
Goals Revisited l Simplicity
– No complex algorithms/data structures – Clearly defined principals and resources
l Generality – Not just cells, but components in general – Not limited to certain applications
l Interoperability – Built on SDSI/SPKI standard – Communicate with any infrastructure that supports
SDSI/SPKI l Extensibility
– Consideration for future additions: mobility, etc
![Page 26: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/26.jpg)
9/24/15 Cells @ FCS 2002 26
Future Work
l Security for Mobile Components – Cells can migrate – Mobile devices, PDAs
l Hierarchical Security Policy l Interoperability
![Page 27: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/27.jpg)
9/24/15 Cells @ FCS 2002 27
jcells.org
![Page 28: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/28.jpg)
9/24/15 Cells @ FCS 2002 28
Dynamic Component
l Components are named, addressable entities, running at a particular location.
l Components have interfaces which can be invoked.
l Components may be distributed across the network
![Page 29: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/29.jpg)
9/24/15 Cells @ FCS 2002 29
Summary l Security infrastructure in a component programming
language l Cell identity and CVM identity (president cell) l Naming lookup table/interface
– More expressive lookup algorithm and cycle detection
l Fine-grained access control l Unification of security artifacts and programming language
ones l Formalization of SDSI/SPKI l API from programming language perspective
![Page 30: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/30.jpg)
9/24/15 Cells @ FCS 2002 30
Traditional Security Model
allow request from alice.jhu.edu
![Page 31: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/31.jpg)
9/24/15 Cells @ FCS 2002 31
…Fails for Mobile Devices
allow request from alice.jhu.edu
![Page 32: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/32.jpg)
9/24/15 Cells @ FCS 2002 32
Cell Security Infrastructure
allow request from CVM with CID 3333333
![Page 33: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/33.jpg)
9/24/15 Cells @ FCS 2002 33
…Adapts Well with Mobile Devices
allow request from CVM with CID 3333333
![Page 34: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/34.jpg)
9/24/15 Cells @ FCS 2002 34
Extended Name
An extended name is a sequence of local names [n1, n2, …, nk], where each ni+1 is a local name defined in the name space of the cell ni.
![Page 35: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/35.jpg)
9/24/15 Cells @ FCS 2002 35
Example: Traditional Security Model
allow request from alice.jhu.edu
![Page 36: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/36.jpg)
9/24/15 Cells @ FCS 2002 36
…Fails in Cell Migration
allow request from alice.jhu.edu
![Page 37: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/37.jpg)
9/24/15 Cells @ FCS 2002 37
Example: Cell Security Infrastructure
allow request from cell with CID 1234567
![Page 38: A Component Security Infrastructure · SDSI/SPKI Cells Build software systems using components . ... 9/24/15 Cells @ FCS 2002 30 Traditional Security Model allow request from alice.jhu.edu](https://reader033.vdocuments.us/reader033/viewer/2022050111/5f486dad7e0690286a6f4e7a/html5/thumbnails/38.jpg)
9/24/15 Cells @ FCS 2002 38
…Adapts Well in Cell Migration
allow request from cell with CID 1234567