Security in CORBA - PowerPoint PPT Presentation

Provided by: cristia71
Slides: 46

Transcript and Presenter's Notes

1
Security in CORBA
  • CORBA Security Service

2
Security
  • Definition of security
    • Safety or freedom from worry
  • Types of protection
    • Authorization
      • Access control and data protection
    • Accountability
      • Audit and non-repudiation
    • Availability
      • Service continuity and disaster recovery
    • Assurance

3
Threats
  • Information compromise
    • Masquerading, spoofing, eavesdropping
  • Integrity violations
    • Trapdoor, virus
  • Denial of service
    • Flooding
  • Repudiation of some action
    • Audit modification
  • Malicious or negligent misuse
    • Browsing, inference, harassment

4
Countermeasures
  • Identification and authentication
  • Access control
  • Security audit
  • Communications protection
  • Non-repudiation
  • Security administration
  • Segregation
  • Automatic security enforcement

5
Security Services
  • Protection
    • Objects (access control)
    • Communication (confidentiality/integrity): secure invocation
  • Auditing
  • Accountability/non-repudiation

6
ORB Core Architecture

7
CORBA Security Model
  • Security protection based upon policy
    • Policy may be domain specific
    • Policy enforced by ORB
  • Execution contexts store user information
    • Credentials define identities and privileges
  • The ORB enforces
    • Access control
    • Message protection
    • Audit policy

8
Policies
  • Describe the allowed and forbidden user actions.
  • Imperative and conditional rules.
    • Subject verb (action) object.
      • Anyone may read unclassified.
    • Subject verb (action) object condition.
      • Fred may execute financial transactions under 1000, between 8 AM and 5 PM on business days.
    • If condition, then subject may, must, may not, or must not do action to object.

9
Access Control Policy
  • Access control policy form
    • Subject may do invoke to object
  • Access control is enforced by access control objects
  • Examples
    • Alice may do invoke deposit to account(alice)
    • Bob may do invoke deposit to account(alice)
    • Alice may do invoke writeCheck to account(alice)

10
Message Protection Policy
  • ORB must do apply specified quality of protection (QOP) to message
    • Authentication
    • Integrity
    • Confidentiality

11
Quality of Protection
  • Message origin authentication
  • Message confidentiality
  • Message integrity

12
Audit Policy
  • Audit policy form
    • If action matches pattern then system must do generate to new audit event
  • AuditDecision objects control audit events
  • Client, target and application policies may exist
  • Example
    • If openAccount is invoked then the system must do generate to audit log

13
Non-repudiation
  • Non-repudiation evidence
    • Evidence of origination
    • Evidence of submission
    • Evidence of receipt
  • Non-repudiation policy form
    • If action matches pattern then subject initiating action (request) must do generate (verify) to new non-repudiation evidence
  • Arbitrators evaluate non-repudiation evidence
  • Example
    • If writeCheck amount > 100,000 then the subject must do generate to evidence of origination

14
Object Security Issues - Naming
  • Issues
    • No names
    • No unique names
    • Aliases
    • Difficult to state security policies
  • Requirement
    • Ability to define object security policy without having to know its name

15
Object Security Issues - Scale
  • Issue
    • Too many objects
    • Name-based grouping is not good for security grouping
  • Requirement
    • Policy -> policy groups, objects -> policy groups
    • Operation-level control: operations -> policy groups, no knowledge of operation semantics

16
Object Security Issues - Encapsulation
  • No knowledge of the internals, difficult to know
    what policy is needed to protect the system

17
CORBA Security Model
[Diagram: the Client Application (Message Sender) sends a Message through the ORB to the Target Object. The ORB's Security Enforcement Subsystem holds the Execution Context with its Credential (Identity, Privileges) and the Domain with its Domain Policy and Policy Enforcement Code.]

18
Access Control Concepts
  • Principals: sets of security attributes
  • Generic Rights in Families: family corba: g, s, u, m
  • Policies assign effective Rights to Principals
  • Operations require Rights
  • Rights combinators: any, all

19
Subjects
  • Security attributes
    • Identities: username, certificates
    • Privilege attributes: groups, roles
  • Credentials are containers for security attributes
  • Active entities in the system are identifiable using credentials
  • The PrincipalAuthenticator object authenticates subjects and assigns non-public security attributes

20
Actions
  • Method invocations
  • The ORB can look at each request or response and see whether it is legal according to the security policy rules
  • The ORB provides security transparently

21
User Authentication
[Diagram: the User Sponsor in the Client Application calls the Principal Authenticator in the ORB's Security Enforcement System; the resulting Credential (Identity, Privileges) is placed in the Execution Context.]

22
Execution Contexts
  • Credentials are stored in execution contexts
    • Own credentials
      • Belong to the current subject
    • Received credentials
      • Belong to the subject that most recently sent a message
    • Invocation credentials
      • The subject identity that will be used when sending the next message

23
Execution Contexts
[Diagram: an Execution Context holding an Own Credential, a Received Credential and an Invocation Credential, each carrying Identities and Privileges.]

24
CORBA Access Model
  • Rights in families: corba: g, s, m, u (rwmx)
  • Specification in two tables: required rights vs. effective rights
  • Example policy for name service access
    • Resolve a name
    • List bindings
    • Bind a name
    • Bind a subcontext
    • Unbind names, destroy contexts

25
General Model
[Diagram: Client side and Target side, each with Credentials, Current, Policy, Access Decision and Security Association objects above its ORB Core; the Client holds an Obj-Reference to the Target, and the two ORB Cores are linked by Secure Inter-operability.]

26
Access Decision Objects
  • Access decision function
    • adf: Policy × ACI → {allow, deny}
  • Mechanism
    • Implementation of adf()
    • (DS middleware masks heterogeneity)
  • Policy
    • Specification of rules

27
Access Decision Objects
[Diagram: the Client Application (Message Sender) sends a Message through the ORB to the Target Object. The ORB's Security Enforcement Subsystem holds the Execution Context with its Credential (Identity, Privileges) and the Domain with its Domain Policy and Policy Enforcement Code (the Access Decision Object).]

28
Access Control Information
[Diagram: a Client invoking several Objects, with the access control information answering "allow/deny access?"]
  • Grouping of Objects with the same Policy in Policy-Domains

29
Access Decision Procedure
[Diagram: access decision procedure. The Access Decision Object takes the Security Attributes, the Target Object and the Method, consults the Domain Access Policy of the Domain and the Required Rights Object, and answers "access allowed?" (grant or deny).]

30
Required Rights
  • Group operations by sensitivity
  • Specified system-wide

31
Effective Rights
  • Granted by policy

32
Effective Vs. Required Rights
  • Required rights
    • Group operations by sensitivity
    • Specified by developers
    • Per type!
    • System-wide!
  • Effective rights
    • Granted by policy
    • Per domain

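As an added worked example (not code from the slides or from the OMG specification), the following Python models the required-rights table, the domain access policy and the access decision function adf from slides 18, 24, 26 and 30-32; the naming-service operations, the rights assigned to them and the roles are constructed sample values.

```python
# Added example, not code from the slides: a minimal model of the CORBA access
# decision. RequiredRights is system-wide and per interface type: an operation
# needs rights from the "corba" family (g=get, s=set, m=manage, u=use) joined
# by a combinator, "any" or "all". DomainAccessPolicy grants effective rights,
# per domain, to the security attributes a principal's credentials carry.
CORBA_RIGHTS = frozenset("gsmu")

def required(rights: str, combinator: str = "any") -> tuple:
    """One RequiredRights entry; rights must come from the corba family."""
    r = frozenset(rights)
    if not r <= CORBA_RIGHTS or combinator not in ("any", "all"):
        raise ValueError(f"bad required rights {rights!r}/{combinator!r}")
    return (r, combinator)

# Required rights: per interface, per operation, specified once system-wide
# (constructed values, not the spec's own table).
REQUIRED_RIGHTS = {
    "NamingContext": {
        "resolve":          required("g"),
        "list":             required("gm"),        # get OR manage suffices
        "bind":             required("s"),
        "bind_new_context": required("sm", "all"), # set AND manage needed
        "unbind":           required("m"),
        "destroy":          required("m"),
    },
}

# Domain access policy: effective rights granted per (attribute type, value).
DOMAIN_POLICY = {
    "naming-domain": {
        ("role", "Employee"):    frozenset("g"),
        ("role", "Secretary"):   frozenset("gs"),
        ("role", "NamingAdmin"): frozenset("gsm"),
    },
}

def effective_rights(domain: str, attributes) -> frozenset:
    """Union of the rights the domain policy grants to each attribute."""
    granted = DOMAIN_POLICY.get(domain, {})
    return frozenset().union(*(granted.get(a, frozenset()) for a in attributes))

def adf(domain: str, attributes, interface: str, operation: str) -> bool:
    """Access decision function adf(policy, ACI) -> allow (True) / deny (False)."""
    entry = REQUIRED_RIGHTS.get(interface, {}).get(operation)
    if entry is None:
        return False                     # unknown operation: fail closed
    needed, combinator = entry
    have = effective_rights(domain, attributes)
    if combinator == "all":
        return needed <= have
    return bool(needed & have)
```
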
33
Access Matrix Model
[Access matrix, flattened in the transcript: roles such as Employee, Secretary and TechAuthor against objects such as a NamingCtx, a Paper and a Review, with permitted operations including resolve, list, bind, bind_new_ctx, read, append, correct and write.]

34
Delegation
  • Delegation allows an object to send its identity/credentials along with a message invocation
  • Delegation policy
    • No delegation
    • Simple delegation
    • Composite delegation
    • Combined privileges delegation
    • Traced delegation

35
Delegation
[Diagram: No delegation: Client Object -> Intermediate Object -> Target Object; the intermediate forwards with its own Intermediate Credentials, so the target does not see the Client Credentials. Simple delegation: Client Object -> Intermediate Object -> Intermediate Object, with the Client Credentials passed on at every hop.]

36
Delegation
[Diagram: Composite delegation: Client Object -> Intermediate Object -> Intermediate Object, the second hop carrying Client and Intermediate Credentials. Combined privileges delegation: the Client and Intermediate privileges travel in a single credential. Traced delegation: Client Object -> Intermediate Object -> ..., with the Client Credentials at the head of a chain of credentials, one per hop.]

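As an added example (not code from the slides), the following Python models the own, received and invocation credentials of slide 22 and what an intermediate forwards under each delegation policy of slides 34-36; the identities, the privileges and the handling of multi-hop composite and combined-privileges delegation are assumptions made for illustration.

```python
# Added example, not code from the slides: execution-context credentials (own,
# received, invocation) and the invocation credentials an intermediate forms
# under each delegation policy. Names and privileges are constructed; how the
# multi-hop composite and combined-privileges cases look is an assumption.
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:
    identity: str
    privileges: frozenset

@dataclass
class ExecutionContext:
    own: Credential          # credentials of the current subject
    received: tuple = ()     # credentials of the subject that last sent a message
    invocation: tuple = ()   # credentials to be used for the next message

def set_invocation(ctx: ExecutionContext, policy: str) -> tuple:
    """Fill ctx.invocation according to the delegation policy and return it."""
    client = ctx.received[:1]                 # the originating client's credential
    if policy == "none":                      # intermediate acts only as itself
        creds = (ctx.own,)
    elif policy == "simple":                  # client identity passed on as-is
        creds = client or (ctx.own,)
    elif policy == "composite":               # client credential plus intermediate's
        creds = client + (ctx.own,)
    elif policy == "combined":                # one credential, merged privileges
        privs = frozenset().union(*(c.privileges for c in ctx.received + (ctx.own,)))
        creds = (Credential((client or (ctx.own,))[0].identity, privs),)
    elif policy == "traced":                  # whole chain, each hop appended
        creds = ctx.received + (ctx.own,)
    else:
        raise ValueError(f"unknown delegation policy: {policy}")
    ctx.invocation = creds
    return creds

def deliver(target: ExecutionContext, creds: tuple) -> None:
    """ORB side: the sender's invocation credentials become the receiver's received ones."""
    target.received = creds

def route(client: Credential, hops: list, policy: str) -> tuple:
    """Send client -> hops[0] -> ... -> hops[-1] -> target; return what the target receives."""
    outgoing = set_invocation(ExecutionContext(own=client), "none")  # a client sends itself
    for hop in hops:
        ctx = ExecutionContext(own=hop)
        deliver(ctx, outgoing)
        outgoing = set_invocation(ctx, policy)
    target = ExecutionContext(own=Credential("target", frozenset()))
    deliver(target, outgoing)
    return target.received
```
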
37
Security Policy Domains
  • Policy domains: set of objects with the same policy
  • Hierarchical and overlapping domains
  • Policy conflicts?

38
Policy domains
  • Scale problem in big systems: management of objects and policies
  • Solution: grouping of objects with the same policy in policy domains
  • OMG RFP: Security Domain Membership Management Service

[Diagram: two policy domains, Domain A and Domain B]

39
Domain hierarchies
  • Structuring and generalisation (policies according to organisation structure, responsibilities)

[Diagram: domain hierarchy with Europe, US Branch and R&D]

40
Security Levels
  • Security Level 1
    • Subjects may not choose the privilege level at which they will operate
    • The Current object returns the security attributes of the object domain
  • Security Level 2
    • Allows replaceability of security mechanisms
    • Support for Current, RequiredRights, PrincipalAuthenticator and Credential objects

41
Secure Interoperability (CSI)
  • Invocations across domain boundaries
    • Technology, policy
  • Establish security association
    • Negotiate technology (algorithms) and parameters (key lengths, etc.)
  • Currently under revision at OMG
    • Define standard Privilege Attribute Certificate

42
Common Secure Interoperability
  • CSI Level 0
    • Identity based policy
    • No delegation
  • CSI Level 1
    • Identity based policy
    • Unrestricted delegation
  • CSI Level 2
    • Identity and privilege based policy
    • Controlled delegation

43
CSI Protocols
  • Secure Inter-ORB Protocol (SECIOP)
    • IORs contain extra tag information that specifies the protocol and security mechanisms that the object's server supports
    • Sequencing layer
    • Context manager layer
  • SSL over IIOP
    • Used when SSL has been chosen as a security mechanism

44
References
  • Bob Blakley, CORBA Security: An Introduction to Safe Computing with Objects
  • Ulrich Lang and Rudolf Schreiner, Developing Secure Distributed Systems with CORBA
  • OMG, Security Service Specification, Version 1.8, March 2002

45
  • Thank you for your attention!