
Page 1: Data and Applications Security Developments and Directions

Dr. Bhavani Thuraisingham

The University of Texas at Dallas

Secure Object Systems

October 1, 2010

Page 2: Outline

- Background on object systems
- Discretionary security
- Multilevel security
- Objects for modeling secure applications
- Object Request Brokers
- Secure Object Request Brokers
- Secure frameworks
- Secure Multimedia and Geospatial Systems

Page 3: Concepts in Object Database Systems

Objects: every entity is an object
- Example: Book, Film, Employee, Car

Class
- Objects with common attributes are grouped into a class

Attributes or Instance Variables
- Properties of an object class inherited by the object instances

Class Hierarchy
- Parent-Child class hierarchy

Composite objects
- Book object with paragraphs, sections etc.

Methods
- Functions associated with a class

Page 4: Example Class Hierarchy

[Class diagram] Document class with attributes ID, Name, Author, Publisher and instances D1, D2. Subclasses: Book (attributes # of Chapters, Volume #; instance B1) and Journal (instance J1). Methods shown: Method1: Print-doc-att(ID); Method2: Print-doc(ID).

Page 5: Example Composite Object

[Diagram] Composite Document Object composed of Section 1 Object and Section 2 Object; a Section Object is in turn composed of Paragraph 1 Object and Paragraph 2 Object.

Page 6: Security Issues

- Access Control on Objects, Classes, Attributes etc.
- Execute permissions on Methods
- Multilevel Security
- Security impact on class hierarchies
- Security impact on composite hierarchies

Page 7: Objects and Security

- Secure OOM: Unified Object Model (is evolving)
- Secure OODB: Persistent data store
- Secure OODA: Design and analysis
- Secure DOM: Infrastructure
- Secure OOPL: Programming language
- Secure Frameworks: Business objects
- Secure OOT: Technologies

Page 8: Access Control

EMP Class. Instance Variables: SS#, Ename, Salary, D#
- OID = 100: 1, John, 20K, 10
- OID = 200: 2, Paul, 30K, 20
- OID = 300: 3, Mary, 40K, 20

Method of the EMP Class:

    Increase-Salary(OID, Value):
        Read-Salary(OID, Amount)
        Amount := Amount + Value
        Write-Salary(OID, Amount)

DEPT Class. Instance Variables: D#, Dname, Mgr
- OID = 500: 10, Math, Smith
- OID = 600: 20, Physics, Jones

Access Control Rules:
- John has update access to EMP Class
- Jane has read access to DEPT Class
- Jane has update access to object with OID = 500
- Mary has execute access to Increase-Salary method

Page 9: Access Control Hierarchies

Class hierarchy: EMP Class with subclasses MGR and ENG.

Access Control Rules on Class Hierarchy:
- John has update access to EMP Class
- John has read access to MGR Class

Aggregate hierarchy: Book Object composed of Introduction, Set of Sections and References.

Access Control Rules on Aggregate Hierarchy:
- John has update access to Introduction and References
- John has read access to Set of Sections
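The two slides above state access control rules on classes, on individual objects (by OID), on a method and on the parts of a composite object. As an added example (not code from the slides), the following Python encodes those rules and resolves them along the class and aggregate hierarchies; the "most specific rule wins" resolution, the update-implies-read ordering, OID 700 and the Book/Part classes are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Access modes; a higher rank implies the lower (assumption: update includes read).
MODE_RANK = {"read": 1, "update": 2}

@dataclass
class ObjClass:
    name: str
    parent: Optional["ObjClass"] = None

    def chain(self):
        """This class followed by its superclasses up to the root."""
        names, c = [], self
        while c is not None:
            names.append(c.name)
            c = c.parent
        return names

@dataclass
class Obj:
    oid: int
    cls: ObjClass
    attrs: dict = field(default_factory=dict)
    parent: Optional["Obj"] = None   # enclosing composite object, if any
    name: Optional[str] = None       # component name, e.g. "Introduction"

@dataclass
class Rule:
    subject: str
    mode: str     # "read", "update" or "execute"
    target: str   # class name, "oid:<n>", component name or method name

def granted_mode(subject, obj, rules):
    """Most specific rule wins: the object itself, then the composite object
    enclosing it (aggregate hierarchy), then its class chain (class hierarchy)."""
    targets = [f"oid:{obj.oid}", obj.name]
    if obj.parent is not None:
        targets += [f"oid:{obj.parent.oid}", obj.parent.name]
    targets += obj.cls.chain()
    for t in targets:
        modes = [r.mode for r in rules
                 if r.subject == subject and r.target == t and r.mode in MODE_RANK]
        if modes:
            return max(modes, key=MODE_RANK.__getitem__)
    return None

def allowed(subject, mode, obj, rules):
    g = granted_mode(subject, obj, rules)
    return g is not None and MODE_RANK[g] >= MODE_RANK[mode]

def can_execute(subject, method, rules):
    return any(r.subject == subject and r.mode == "execute" and r.target == method
               for r in rules)

def increase_salary(subject, emp, value, rules):
    """Increase-Salary(OID, Value) from the slide, guarded by the execute check."""
    if not can_execute(subject, "Increase-Salary", rules):
        raise PermissionError(f"{subject} may not execute Increase-Salary")
    amount = emp.attrs["Salary"]      # Read-Salary(OID, Amount)
    amount = amount + value           # Amount := Amount + Value
    emp.attrs["Salary"] = amount      # Write-Salary(OID, Amount)
    return amount

# Object model from the slides; OID 700 and the Book/Part classes are constructed.
EMP, DEPT, PART = ObjClass("EMP"), ObjClass("DEPT"), ObjClass("Part")
MGR, ENG = ObjClass("MGR", EMP), ObjClass("ENG", EMP)
OBJECTS = {
    100: Obj(100, EMP, {"SS#": 1, "Ename": "John", "Salary": 20_000, "D#": 10}),
    200: Obj(200, EMP, {"SS#": 2, "Ename": "Paul", "Salary": 30_000, "D#": 20}),
    500: Obj(500, DEPT, {"D#": 10, "Dname": "Math", "Mgr": "Smith"}),
    600: Obj(600, DEPT, {"D#": 20, "Dname": "Physics", "Mgr": "Jones"}),
    700: Obj(700, MGR, {"SS#": 4, "Ename": "Smith", "Salary": 50_000, "D#": 10}),
}
BOOK = Obj(900, ObjClass("Book"), name="Book")
INTRO = Obj(901, PART, parent=BOOK, name="Introduction")
SECTIONS = Obj(902, PART, parent=BOOK, name="Set of Sections")
REFS = Obj(903, PART, parent=BOOK, name="References")
RULES = [
    Rule("John", "update", "EMP"), Rule("John", "read", "MGR"),
    Rule("Jane", "read", "DEPT"), Rule("Jane", "update", "oid:500"),
    Rule("Mary", "execute", "Increase-Salary"), Rule("John", "read", "Set of Sections"),
    Rule("John", "update", "Introduction"), Rule("John", "update", "References"),
]
```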

Page 10: Secure Object Relational Model

BOOK relation (the Contents column holds a complex object):

    ISBN#   Bname   Contents
    1       X       (object)
    2       Y       (object)
    3       Z       (object)

Access Control Rules:
- John has update access to Book object with ISBN #1
- Jane has read access to Book object with ISBN #2

Page 11: Policy Enforcement

Policy Enforcement Mechanisms:
- Query Modification Algorithm on objects and instance variables
- Rule processing integrated with method execution for enforcing access control
- Visualizing access control policies on objects using UML and other specifications

Page 12: Sample Systems

Example Systems: Security for
- Gemstone (originally Servio Logic)
- Objectstore (originally Object Design)
- Ontos (originally Ontos Inc)
- Starburst (IBM Almaden)
- O2 (Altair Group)
- ORION (MCC)
- IRIS (HP Labs)

Page 13: Multilevel Security

[Diagram] Book Object composed of Introduction, Set of Sections and References, with the components labelled Unclassified, TopSecret and Secret (the same example is spelled out on Page 43).

Page 14: Some Security Properties

- Security level of an instance must dominate the level of the class
- Security level of a subclass must dominate the level of the superclass
- Classifying associations between two objects
- Method must execute at a level that dominates the level of the method

Page 15: Multilevel Secure Object Relational Systems

BOOK relation with a security level per tuple (the Contents column holds a complex object; levels as listed on the slide):

    ISBN#   Bname   Contents   Level
    1       X       (object)   TopSecret
    2       Y       (object)   Secret
    3       Z       (object)   Unclassified

Page 16: Sample MLS Object Systems

Design Approaches:
- SORION (Thuraisingham, MITRE)
- SO2 (Thuraisingham, MITRE)
- Millen-Lunt (Millen and Lunt, SRI)
- SODA (Keefe et al, U. of MN)
- Morgenstern (Morgenstern, SRI)
- UFOS (Rosenthal et al, MITRE)
- Message Passing (Jajodia and Kogan, GMU)

Page 17: Objects for Secure Applications

Object Modeling Technique for Secure Database Applications:
- Object Model: Models the static aspects of the application and security properties using objects
- Dynamic Model: Models the activities and the security properties of the activities
- Functional Model: Generates the data flow diagrams and the security levels of the methods

Page 18: Object Modeling

SHIP Class. Range: Unclassified to Secret
- Unclassified Attributes: ID, Name, Group
- Secret Attributes: Captain, Mission

SHIP Instance: ID: YYY, Name: Florida, Group: ZZZ, Captain: Smith, Mission: AAA

Page 19: Dynamic Model

Objects and levels:
- Captain: Level U, Operational Level C
- Ship: Level U
- Mission-Plan: Level U, with U, C and S attributes
- Mission: Level U, Operational level S

Activities (arrows of the dynamic model):
- Reserve ship -> Reserved status: security problem, information flow from C to U
- Get mission details -> Mission details
- Carry out mission -> Mission status: problem, information flow from S to C
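The dominance properties on Page 14 and the two flows flagged on this Dynamic Model slide can be checked mechanically. This added Python (not part of the slides) encodes the U < C < S < TS lattice, checks that subclasses dominate superclasses and instances dominate their classes, and reports every flow whose target level does not dominate its source level; the SUBMARINE, DINGHY and Seawolf definitions and the levels of the "Get mission details" flow are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Linear lattice used on the slides: Unclassified < Confidential < Secret < TopSecret.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}

def dominates(a: str, b: str) -> bool:
    """Level a dominates level b when a is at least as high in the lattice."""
    return LEVELS[a] >= LEVELS[b]

@dataclass
class SClass:
    name: str
    level: str
    superclass: Optional["SClass"] = None

@dataclass
class SInstance:
    name: str
    cls: SClass
    level: str

@dataclass
class Flow:
    """One arrow of the dynamic model: information leaving `source`, which
    operates at `source_level`, and arriving at `target` at `target_level`."""
    activity: str
    source: str
    source_level: str
    target: str
    target_level: str

def check_structure(classes: List[SClass], instances: List[SInstance]) -> List[str]:
    """Properties from the 'Some Security Properties' slide: a subclass must
    dominate its superclass and an instance must dominate its class."""
    problems = []
    for c in classes:
        if c.superclass and not dominates(c.level, c.superclass.level):
            problems.append(f"subclass {c.name}({c.level}) below superclass "
                            f"{c.superclass.name}({c.superclass.level})")
    for i in instances:
        if not dominates(i.level, i.cls.level):
            problems.append(f"instance {i.name}({i.level}) below class {i.cls.name}({i.cls.level})")
    return problems

def may_invoke(subject_level: str, method_level: str) -> bool:
    """A method may only execute at a level that dominates the method's level."""
    return dominates(subject_level, method_level)

def check_flows(flows: List[Flow]) -> List[str]:
    """Information may only flow upwards: the target level must dominate the
    source level.  Everything else is the 'information flow from C to U'
    kind of problem marked on the Dynamic Model slide."""
    return [f"{f.activity}: flow from {f.source_level} to {f.target_level} "
            f"({f.source} -> {f.target})"
            for f in flows if not dominates(f.target_level, f.source_level)]

# The class and the instance from the SHIP slides, at the levels given there.
SHIP = SClass("SHIP", "U")
FLORIDA = SInstance("Florida", SHIP, "U")
# Constructed for this example: a Secret subclass, a legal instance of it,
# and two deliberately illegal definitions the checker should report.
SUBMARINE = SClass("SUBMARINE", "S", superclass=SHIP)
SEAWOLF = SInstance("Seawolf", SUBMARINE, "TS")
BAD_CLASS = SClass("DINGHY", "U", superclass=SUBMARINE)   # U below S
BAD_INSTANCE = SInstance("bad-sub", SUBMARINE, "U")       # U below S

# The dynamic model of the slide with the levels shown there; the levels of
# the "Get mission details" flow are an assumption of this example.
DYNAMIC_MODEL = [
    Flow("Reserve ship", "Captain", "C", "Ship (Reserved status)", "U"),
    Flow("Get mission details", "Mission-Plan", "U", "Captain", "C"),
    Flow("Carry out mission", "Mission", "S", "Captain (Mission status)", "C"),
]
```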

Page 20: Functional Model

[Data flow diagram] Processes: GET PLAN, EXECUTE MISSION, RESERVE. Actors and stores: SHIP, CAPTAIN, MISSION PLAN. Data flows: plan, Mission ID, status (good status / bad status).

Page 21: Data and Applications Security  Developments and Directions

UML and PoliciesPolicy A: User has Roles

User Class:Attributes of the UserNameAgeGender- - - - - -

Role Class:Attributes of the RoleNameFunctions- - - - - - -Has

User Class:Attributes of the UserNameAgeGender- - - - - -

Activity Class:Attributes of the ActivityNameDescription- - - - - - -Carries

out

Policy B: User Carries out Activities

User Class:Attributes of the UserNameAgeGender- - - - - -

Role Class:Attributes of the RoleNameFunctions- - - - - - -

Has

Activity Class:Attributes of the ActivityNameDescription- - - - - - -

Carries out

Merged Policy C: User has Roles andCarries out Activities

Policy A: User has Roles

User Class:Attributes of the UserNameAgeGender- - - - - -

Role Class:Attributes of the RoleNameFunctions- - - - - - -Has

User Class:Attributes of the UserNameAgeGender- - - - - -

Activity Class:Attributes of the ActivityNameDescription- - - - - - -Carries

out

Policy B: User Carries out Activities

User Class:Attributes of the UserNameAgeGender- - - - - -

Role Class:Attributes of the RoleNameFunctions- - - - - - -

Has

Activity Class:Attributes of the ActivityNameDescription- - - - - - -

Carries out

Carries out Activities

Page 22: Distributed Object Management Systems

- Integrates heterogeneous applications, systems and databases
- Every node, database or application is an object
- Connected through a Bus
- Examples of Bus include:
  - Object Request Brokers (Object Management Group)
  - Distributed Component Object Model (Microsoft)

Page 23: Object-based Interoperability

[Diagram] Client Object <-> Object Request Broker <-> Server Object

Example Object Request Broker: Object Management Group’s (OMG) CORBA (Common Object Request Broker Architecture)

Page 24: Javasoft’s RMI (Remote Method Invocation)

[Diagram] Clients and Java-based Servers exchanging Business Objects over RMI

Page 25: Objects and Security (same diagram as Page 7)

Page 26: Secure Object Request Brokers

[Diagram] Client Object <-> Object Request Broker <-> Server Object, with a Security Service object that ensures secure communication between client and server.

Page 27: CORBA (Common Object Request Broker Architecture) Security

Security Service provides the following:
- Confidentiality
- Integrity
- Accountability
- Availability

URLs:
- http://www.javaolympus.com/J2SE/NETWORKING/CORBA/CORBASecurity.jsp
- http://student.cosy.sbg.ac.at/~amayer/projects/corbasec/sec_overview.html
- www.omg.org

Page 28: OMG Security Specifications

- ATLAS: Service that supports obtaining authorization tokens to access a target system
- CSIv2: Service that supports interoperation, authentication, delegation and privileges
- CORBA Security Service: Provides basic security for the infrastructure

Page 29: CORBA (Common Object Request Broker Architecture) Security (same slide as Page 27)

Page 30: CORBA (Common Object Request Broker Architecture) Security - 2

- Identification and Authentication of Principals
- Authorization and Access Control
- Security Auditing
- Security of communications
- Administration of security information
- Non-repudiation

Page 31: Dependable Object Request Brokers

[Architecture diagram; labels recovered from the slide] Hardware: Display Processor & Refresh Channels, Consoles (14), Navigation, Sensors, Data Links. Real Time Operating System. Infrastructure Services: Data Mgmt., Data Xchg. Applications: MSI App, Multi-Sensor Tracks, Sensor Detections, Future Apps. Technology provided by the Data Analysis Programming Group (DAPG) project.

Integrate Security, Real-time and Fault Tolerance Computing

Page 32: Secure Frameworks

Framework A consisting of Components B, C, D
Framework X consisting of Components Y and Z

Access Control on Components and Frameworks:
- John has update access to components B, C, and Y
- Jane has update access to Framework A and read access to Framework X

Page 33: Directions

Object Models
- UML for security applications is becoming common practice
- Secure distributed object systems have gained popularity
- Evolution into secure object-based middleware
- Secure object-based languages
- Integrating security and real-time for object systems

Distributed Objects
- Security cannot be an afterthought for object-based interoperability
- Use ORBs that have implemented security services
- Trends are moving towards Java-based interoperability and Enterprise Application Integration (EAI)
- Examples of EAI products are WebSphere (IBM) and WebLogic (BEA)
- Security has to be incorporated into EAI products

Page 34: Why Multimedia Data Management System?

- Need persistent storage for managing large quantities of multimedia data
- A multimedia data manager manages multimedia data such as text, images, audio, animation, video
- Extended by a browser to produce a hypermedia data management system
- Heterogeneity with respect to data types
- Numerous applications: Entertainment, Defense and Intelligence, Telecommunications, Finance, Medical

Page 35: Architectures: Loose Integration

[Architecture diagram] User Interface -> Data Manager for Metadata (over Metadata) and Multimedia File Manager (over Multimedia Files), coupled through a Module for Integrating Data Manager with File Manager.

Page 36: Architectures: Tight Integration

[Architecture diagram] User Interface -> MM-DBMS (integrated data manager and file manager) -> Multimedia Database.

Page 37: Data Model: Scenario

Example: Object representation

[Diagram] Object A (2000 Frames) and Object B (3000 Frames) placed on a timeline with the intervals 4/95 to 8/95 and 5/95 to 10/95.

Page 38: Multimedia Data Access: Some approaches

Text data
- Selection with index features
- Methods: Full text scanning, Inverted files, Document clustering

Audio/Speech data
- Pattern matching algorithms: matching the index features given for searching against those available in the database

Image data
- Identifying geometric boundaries, identifying spatial relationships, image clustering

Video data
- Retrieval with metadata, pattern matching with images

Page 39: Metadata for Multimedia

Metadata may be annotations and stored in relations
- I.e., metadata from text, images, audio and video are extracted and stored as text
- Text metadata may be converted to relations by tagging and extracting concepts

Metadata may be images of video data
- E.g., certain frames may be captured as metadata

Multimedia data understanding
- Extracting metadata from the multimedia data

Page 40: Storage Methods

Single disk storage
- Objects belonging to different media types on the same disk

Multiple disk storage
- Objects distributed across disks. Example: individual media types stored on different disks, i.e., audio on one disk and video on another; need to synchronize for presentation (real-time techniques)

Multiple disks with striping
- Distribute placement of media objects across different disks (called disk striping)

Page 41: Security Issues

- Access Control
- Multilevel Security
- Architecture
- Secure Geospatial Information Systems

Page 42: Access Control for Multimedia Databases

Access Control for Text, Images, Audio and Video

Granularity of Protection
- Text: John has access to Chapters 1 and 2 but not to 3 and 4
- Images: John has access to portions of the image; access control for pixels?
- Video and Audio: John has access to Frames 1000 to 2000; Jane has access only to scenes in the US
- Security constraints: association-based constraints, e.g., collections of images are classified
Page 43: MLS Security

[Diagram] Book Object composed of Introduction, Set of Sections and References.
- Introduction: Level = Unclassified
- Set of Sections: Level = TopSecret
- References: Level = Secret

Page 44: Example Security Architecture: Integrity Lock

[Architecture diagram] Sensor Data Manager -> Trusted Agent (computes checksums) -> Untrusted Multimedia Data Manager -> Multimedia Database.

- On storage: compute a checksum based on, say, the multimedia data value (such as the video object content) and the security level; the security level and the checksum are stored with the data.
- On retrieval: compute the checksum based on the multimedia data value and the security level retrieved from the stored multimedia database, and compare it with the stored checksum (the integrity lock).
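As an added example of the integrity lock above (not code from the slides), a trusted agent binds each stored object's content and security level into a keyed checksum and, on retrieval, recomputes it before trusting the stored level. The HMAC construction, the key, the object id and the video bytes are constructed for this example; the slide itself only says "checksum".

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed key for this example; in the architecture only the trusted agent holds it.
LOCK_KEY = b"trusted-agent-key-constructed-for-this-example"
LEVELS = {"Unclassified": 0, "Secret": 1, "TopSecret": 2}

class IntegrityError(Exception):
    """Stored object or its label no longer matches the lock computed at store time."""

def compute_lock(content: bytes, level: str, key: bytes = LOCK_KEY) -> str:
    """The trusted agent's checksum over the multimedia data value *and* its
    security level.  A keyed HMAC is this example's choice; the slide only
    says 'checksum'.  Binding the level in means the untrusted manager cannot
    re-label a Secret video as Unclassified without the lock failing."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(level.encode("utf-8"))
    mac.update(b"\x00")            # separator so level/content boundaries cannot shift
    mac.update(content)
    return mac.hexdigest()

@dataclass
class UntrustedMultimediaDataManager:
    """Stores (content, level, lock) per object id.  Untrusted: nothing here is
    relied upon for security, and its rows may be changed behind the agent's back."""
    rows: Dict[str, List] = field(default_factory=dict)

    def put(self, oid: str, content: bytes, level: str, lock: str) -> None:
        self.rows[oid] = [content, level, lock]

    def get(self, oid: str):
        return tuple(self.rows[oid])

class TrustedAgent:
    """Sits between the sensor/user and the untrusted manager (Integrity Lock architecture)."""
    def __init__(self, dm: UntrustedMultimediaDataManager, key: bytes = LOCK_KEY):
        self.dm, self.key = dm, key

    def store(self, oid: str, content: bytes, level: str) -> None:
        self.dm.put(oid, content, level, compute_lock(content, level, self.key))

    def retrieve(self, oid: str, user_level: str) -> bytes:
        """Recompute the lock from the stored value and stored level, compare in
        constant time, then enforce the (now trustworthy) level against the user."""
        content, level, lock = self.dm.get(oid)
        if not hmac.compare_digest(compute_lock(content, level, self.key), lock):
            raise IntegrityError(f"{oid}: stored data or security level was altered")
        if LEVELS[user_level] < LEVELS[level]:
            raise PermissionError(f"{oid}: {level} object, {user_level} user")
        return content

def demo() -> dict:
    """Constructed scenario: a Secret video object, then two alterations made
    behind the agent's back.  Returns what each access produced."""
    dm = UntrustedMultimediaDataManager()
    agent = TrustedAgent(dm)
    agent.store("video-17", b"frames 1000..2000 of a surveillance clip", "Secret")
    out = {"topsecret_user": agent.retrieve("video-17", "TopSecret")}
    try:
        agent.retrieve("video-17", "Unclassified")
    except PermissionError:
        out["unclassified_user"] = "denied"
    dm.rows["video-17"][1] = "Unclassified"         # level re-labelled in the store
    try:
        agent.retrieve("video-17", "Unclassified")
    except IntegrityError:
        out["relabelled"] = "integrity failure"
    dm.rows["video-17"][1] = "Secret"
    dm.rows["video-17"][0] = b"frames replaced"     # content changed in the store
    try:
        agent.retrieve("video-17", "TopSecret")
    except IntegrityError:
        out["content_changed"] = "integrity failure"
    return out
```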

Page 45: Inference Control

[Architecture diagram] User Interface Manager -> Inference Engine (acts as an Inference Controller, using Metadata and Constraints) -> Multimedia Database Manager -> Multimedia Database.

Page 46: Securing Geospatial Data

Geospatial images could be Digital Raster Images that store images as pixels or Digital Vector Images that store images as points, lines and polygons.

GSAM: Geospatial Authorization Model specifies subjects, credentials, objects (e.g., points, lines, pixels etc.) and the access that subjects have to objects.

Reference: Authorization Model for Geospatial Data; Atluri and Chun, IEEE Transactions on Dependable and Secure Computing, Volume 1, #4, October – December 2004.

Bhavani M. Thuraisingham, Gal Lavee, Elisa Bertino, Jianping Fan, Latifur Khan: Access control, confidentiality and privacy for video surveillance databases. SACMAT 2006: 1-10

Details will be given in one of the lectures after the mid-term.

Page 47: Secure Geospatial Data Management

References:

- Vijayalakshmi Atluri, Soon Ae Chun: An Authorization Model for Geospatial Data. IEEE Trans. Dependable Sec. Comput. 1(4): 238-254 (2004)

- Elisa Bertino, Bhavani M. Thuraisingham, Michael Gertz, Maria Luisa Damiani: Security and privacy for geospatial data: concepts and research directions. SPRINGL 2008:6-19

Page 48: Securing Geospatial Data (same content as Page 46)

Page 49: Framework for Geospatial Data Security (Joint with UCDavis and Purdue U.)

[Architecture diagram; labels recovered from the slide, grouping approximate]
- DATA PRESENTATION COMPONENTS
- DATA ACCESS LAYER: Geospatial Data Registration (spatial and temporal registration of geospatial data); Data Integration Services & Data Repository Access
- SECURITY LAYER: Access Control Module; DAC/RBAC Policy Specification; Policy Reasoning Engine; Trust & Privacy Management; Authentic Data Publication; Auditing; Misuse Detection
- Open Geospatial Consortium Framework: Core & Application Schemas; Geospatial Features; Geography Markup Language; Metadata
- Data sources: GIS Web Services; Traditional GIS (via Wrapper); Geospatial Data Repositories

Page 50: Example of several GIS repositories and GIS themes/layers for Northern California (Gertz, Bertino, Thuraisingham)

Assume a single GIS data repository that manages information about parcels (being the basic units of geography for local government) and cadastre, including land use and zoning, environmental areas, and municipal utility services.

This type of repository is typically used by public sector staff to assist property owners and to support emergency, fire, and police operations.

The latter type of usage includes identifying property structures and owners. Parcel maps in particular can be useful to do damage assessment after a disaster.

Page 51: Example (Continued)

They are also an important access point during emergencies for linking data from different GIS repositories. While such geospatial data are used to serve the public, e.g., through Web-based interfaces, not all data layers are made publicly available. For example, property owner information is not publicly accessible.

A similar separation of public and private GIS data can be made for other types of themes. For example, environmental theme layers do not make information about locations of endangered species or nesting sites public.

Based on this type of separation of GIS data, the following question arises: “What security mechanisms are used to specify and enforce different types of access to data in a single GIS repository?”

In particular, “What provisions do GIS data managers have to (1) give public sector staff access only to GIS data relevant to their function, and (2) ensure that no sensitive geospatial data (e.g., parcel owner information) is made publicly available?”

Ideally, GIS repositories should provide access control models and techniques similar to those developed for traditional (relational) databases. However, the diversity of geospatial data (feature-based versus field-based) and the complexity of feature-based geospatial data complicate a coherent and uniform access control model.

Page 52: Policy Example (Bertino, Gertz, Thuraisingham)

Deny/allow policies with flexible granularity, grouping mechanisms for protected objects, and space-related access restrictions.

Deny/allow policies will be supported through the use of positive/negative authorizations; negative authorizations are crucial in order to support exceptions, by which, for example, an authorization is assigned to all objects in a set but one. In our context this paradigm is complicated by the wider range of options that we provide for denoting protected objects and by the presence of different object representations and dimensions.

The main mechanism that we provide to support flexible grouping is based on the notions of object-locator and spatial window. An object-locator is a query expression that may include predicates against properties of feature types, metadata and provenance data. Predicates may also refer to topological relationships holding among the data objects, such as Within and Touches. An example of a policy using Touches is one allowing a subject who has access to information on a particular land parcel to access information about all adjacent land parcels. The query expression may also include a projection component to specify an object representation and components. A spatial window is simply a spatial region in the reference space and denotes the set of objects that are inside the boundary of the region. By combining these two mechanisms, one can specify sets of objects such as “all shelters occupying an area greater than 3000 sf in Montgomery County”; in this case Montgomery County represents the authorization window. The use of spatial windows is particularly important to

Page 53: Policy Example (Continued)

Active policies.

These are policies that when applied to a protected object perform certain transformations on the object, before returning it to the requester. Two relevant classes are the filtering policies and the obfuscating policies. Filtering policies refer to policies that filter out some portions of the objects before returning them to the users. These policies are directly supported by our object locator mechanisms.

Obfuscating policies

These policies act like filter policies except that they do not simply select objects but perform possibly complex computations on the feature(s) to be returned. Typical examples include computing a lower resolution image, and distorting some vector data (but preserving topological relationships). One can even specify policies that return incorrect data (e.g., as a honey pot in the context of misuse detection). In our model these policies are supported by the projection component, suitably extended with the possibility of invoking functions, of the object locator. We will provide a library including a variety of functions to support obfuscating policies.

Page 54: Policy Example (Concluded)

Context-dependent access control policies.

Under such policies, information from the environment is taken into account by the access control module when taking decisions about access requests. Typical contextual information includes time and subject location. Subject location information is used to specify policies allowing a subject to access a resource only if the current location of the subject verifies certain spatial constraints. Context-dependent access policies will be supported by the introduction of a context component, as part of authorization rules, and by attribute-based specification of subjects in authorization rules.

Event-based access control policies.

Event-based access control policies are novel and are based on the idea that policies can be enabled/disabled depending on the occurrence of specified events. Events can include data modifications, very much like in database triggers, or application-dependent events, such as an emergency. We notice that current sensor networks and intelligent appliances make it very easy for a computer system to detect events arising in the environments. Our model will take advantage of such capabilities.

Page 55: Policy Language

- Take an existing geospatial language/model and extend it for security. E.g., GML
- Take a security model/language and extend it for geospatial data. E.g., XACML has been extended to Geo-XACML
- Develop from scratch. E.g., GRDF, Secure GRDF (developed at UTDallas by Alam Ashraful for PhD research)

Page 56: Geospatial Semantic Web: GRDF

- The strength of RDF lies in the ease of composition with which RDF-based formalisms can be integrated with other similar languages.
- On the Semantic Web, the goal is to minimize human intervention and to make way for machines to perform rule-based automated reasoning.
- We are developing GRDF for geospatial data representation
- Why not use GML? For the same reasons for using RDF and not XML: semantics
- Secure GRDF: security extensions for GRDF

Page 57: Directions

- Multimedia data security is getting some attention
- Little research on geospatial data security
- Digital watermarking is getting some attention
- Our focus at UTD is to develop a secure geospatial semantic web
- We have developed a system called DAGIS and are demonstrating secure interoperability
- Details will be given later