Information Sharing and Security in Dynamic Coalitions CSE

Information Sharing and Security in Dynamic Coalitions CSE 5095 Steven A. Demurjian Computer Science & Engineering Department 371 Fairfield Road, Box U-2155 The University of Connecticut Storrs, Connecticut 06269 -2155 http: //www. engr. uconn. edu/~steve@engr. uconn. edu DCP-1

Overview of Presentation m CSE 5095 m m m The Dynamic Coalition Problem q Civilian Organizations q Military Involvement/GCCS Information Sharing and Security q Federating Resources q Data Integrity q Access Control (DAC and MAC) q Other Critical Security Issues Stepping Back q Security Issues for Distributed and Component. Based Applications Conclusions and Future Work DCP-2

Crisis and Coalitions m CSE 5095 m m m A Crisis is Any Situation Requiring National or International Attention as Determined by the President of the United States or UN A Coalition is an Alliance of Organizations: Military, Civilian, International or any Combination A Dynamic Coalition is Formed in a Crisis and Changes as Crisis Develops, with the Key Concern Being the Most Effective way to Solve the Crisis Dynamic Coalition Problem (DCP) is the Inherent Security, Resource, and/or Information Sharing Risks that Occur as a Result of the Coalition Being Formed Quickly DCP-3

Near Simultaneous Crises CSE 5095 Crisis Point NATO Hq Olympic Games BOSNIA (NATO) KOSOVO (US, UK) Earthquake (United Nations) Ship Wreck (UK, SP) DCP-4

Crises in 2005 m CSE 5095 m m Tidal Wave in Southeast Asia Hurricanes in US q Katrina – Louisiana and Mississippi q Rita – Texas and Louisiana Mudslides in Guatemala Earthquake in Pakistan/India Key Questions q How do we React to Such Crises? q What is Potential Role for Computer Scientists and Engineers in Process? q Can we Automate the Interactions Required for the Critical Computing Infrastructure? DCP-5

Emergent Need for Coalitions m CSE 5095 “Coalitions must be flexible and no one coalition is or has the answer to all situations. ” » Secretary of Defense, Donald Rumsfeld m “Whenever possible we must seek to operate alongside alliance or coalition forces, integrating their capabilities and capitalizing on their strengths. ” » U. S. National Security Strategy m “Currently, there is no automated capability for passing command control information and situational awareness information between nations except by liaison officer, fax, telephone, or loaning equipment. ” » Undersecretary of Defense for Advanced Technology DCP-6

The Dynamic Coalition Problem (DCP) m CSE 5095 m m m Dynamic Coalition Problem (DCP) is the Inherent Security, Resource, and/or Information Sharing Risks that Occur as a Result of the Coalition Being Formed Quickly Private Organizations (PVO) q Doctors Without Boarders q Red Cross Non-Government Organizations (NGO) q State and Local Government q Press Corps Government Agencies q FBI, CIA, FEMA, CDC, etc. q Military DCP-7

Supporting Advanced Applications DCP Objectives for Crisis m CSE 5095 m m m Federate Users Quickly and Dynamically Bring Together Resources (Legacy, COTs, GOTs, DBs, etc. ) Without Modification Dynamically Realize/Manage Simultaneous Crises Identify Users by Roles to Finely Tune Access Authorize, Authenticate, and Enforce a Scalable Security Policy that is Flexible in Response to Collation Needs Provide a Security Solution that is Portable, Extensible, and Redundant for Survivability Include Management/Introspection Capabilities to Track and Monitor System Behavior DCP-8

DCP: Coalition Architecture Clients Using Services CSE 5095 U. S. Army Client Federal Agencies (FEMA, FBI, CIA, etc. ) Client Resources Provide Services COTS LFCS (Canada) U. S. Navy Client SICF (France) French Air Force Client HEROS U. S. Legacy System (Germany) SIACCON NATO Database Client German COTS Client NATO SYS (Italy) NGO/PVO (Red Cross, NYPD, etc. ) Client GCCS (US) NGO/PVO Resource DCP-9

DCP Joint and Combined Information Flow Common Operating Environment ARMY CSE 5095 GCCS-A GCCS CORPS Joint Task Force ABCS MCS XX Coalition Partners NATO Systems Coalition Systems GCCS-AF CSSCS ASAS TBMCS GCCS-M FAADC 2 I MCS Adjacent Marines DIV Air Force Combined: Many Countries AFATDS X TCO Navy GCCS-N JMCIS XX BDE BSA || BN TOC MCS || BN || MCS CO FBCB 2 Joint - Marines, Navy, Air Force, Army DCP-10

DCP: Combined Information Flow CSE 5095 Maneuver Logistics GCCS - Joint/Coalition - Air Defense/Air Operations Fire Support Combined Database Intelligence Network and Resource Management DCP-11

DCP: Coalition Artifacts and Information Flow – Military Engagement U. S. Global C 2 Systems Air Force CSE 5095 Joint Command System Battle Management System NGO/ PVO GCCS U. N. NATO Navy U. S. A Army Battle Command System Army Combat Operations System Marine Corps Dynamic Coalition AFATDS GOAL: Leverage information in a fluid, dynamic environment ASAS FADD ABCS CSSCS GCCS-A MCS Other Army C 2 DCP-12

DCP: Coalition Artifacts and Information Flow – Civilian Engagement CSE 5095 Red Cross Transportation Pharma. Companies MDs w/o Borders Military Medics Govt. Local Health Care CDC EMTs ISSUES: Privacy vs. Availability in Medical Records Support Life-Threatening Situations via Availability of Patient Data on Demand MDs Other RNs State Health DCP-13

DCP: Global Command Control System GLOBAL C 2 SYSTEMS CSE 5095 MOBILE SUBSCRIBER EQUIPMENT DATA RADIO SATELLITE MISSION PLANNING MET SUPPORT INTEL SATCOM XX MANEUVER CONTROL TOPO AIR DEFENCE ARTY Client/Server AIR DEFENCE MET MISSION PLANNING SUPPORT INTEL X MANEUVER CONTROL Client/Server SATCOM GCCS Provides: - Horizontal and Vertical Integration of Information to Produce a Common Picture of the Battlefield - 20 separate automated systems - 625 locations worldwide - private network ARTY TOPO Company AIR DEFENCE SUPPORT INTEL Client/Server SATCOM ARTY MANEUVER CONTROL Situational Awareness FBCB 2 /EBC Platoon Tactical BATTLEFIELD C 2 SYSTEM Internet. EMBEDDED BATTLE COMMAND FBCB 2 /EBC Squad MOBILE SUBSCRIBER EQUIPMENT DCP-32

DCP: Global Command Control System CSE 5095 Joint Services : Weather Video Teleconference Joint Operations Planning and Execution System Common Operational Picture Transportation Flow Analysis Logistics Planning Tool Defense Message System NATO Message System Component Services : Army Battle Command System Air Force Battle Management System Marine Combat Operations System Navy Command System a. k. a METOC TLCF JOPES COP JFAST LOGSAFE DMS CRONOS ABCS TBMCS TCO JMCIS DCP-33

DCP: Global Command Control System Common Operational Picture CSE 5095 Common Picture DCP-34

DCP: Critical Requirements m CSE 5095 m m m Difficult to Establish Roles q Requires Host Administrator q Not Separate Roles No Time Controllable Access q Time Limits on Users q Time Limits on Resource Availability q Time Limits on Roles No Value Constraints q Unlimited Common Operational Picture q Unlimited Access to Movement Information Difficult to Federate Users and Resources q U. S. Only system q Private Network (Not Multi-Level Secure) DCP-35

GCCS Shortfalls: User Roles m CSE 5095 m m m Currently, GCCS Users have Static Profile Based on Position/Supervisor/Clearance Level Granularity Gives “Too Much Access” Profile Changes are Difficult to Make - Changes Done by System Admin. Not Security Officer What Can User Roles Offer to GCCS? q User Roles are Valuable Since They Allow Privileges to be Based on Responsibilities q Security Officer Controls Requirements q Support for Dynamic Changes in Privileges q Towards Least Privilege DCP-36

Non-Military Crisis: User Roles m CSE 5095 m m m Emergent Crisis (Katrina) Requires a Response Some Critical Issues q Who’s in Charge? q Who is Allowed to do What? q Who can Mobilize Governmental Resources? Roles can Help: q Role for Crisis Commander q Roles for Crisis Participants q Roles Dictate Control over Resources For Katrina: Lack of Leadership & Defined Roles q Army Corps of Engineers Only Allowed to Repair Levees – Not Upgrade and Change DCP-37

GCCS Shortfalls: Time Controlled Access m CSE 5095 m Currently, in GCCS, User Profiles are Indefinite with Respect to Time q Longer than a Single Crisis q Difficult to Distinguish in Multiple Crises q No Time Controllable Access on Users or GCCS Resources What can Time Constrained Access offer GCCS? q Junior Planners - Air Movements of Equipment Weeks before Deployment q Senior Planners - Adjustment in Air Movements Near and During Deployment q Similar Actions are Constrained by Time Based on Role DCP-38

Non-Military Crisis: Time Controlled Access m CSE 5095 m m Multiple Crisis Require Ability to Distinguish Between Roles Based on Time and Crisis Occurrence of Rita (one Crisis) Impacted the Ongoing Crisis (Katrina) Need to Manage Simultaneous Crisis w. r. t. Time q Different Roles Available at Different Times within Different Crises q Role Might be “Finishing” in one Crisis (e. g. , First Response Role) and “Starting” in Another q Individual May Play Different Roles in Different Crisis q Individual May Play Same Role with Different Duration in Time w. r. t. its Activation DCP-39

GCCS Shortfalls: Value Based Access m CSE 5095 m Currently, in GCCS, Controlled Access Based on Information Values Difficult to Achieve q Unlimited Viewing of Common Operational Picture (COP) q Unlimited Access to Movement Information q Attempts to Constrain would have to be Programmatic - which is Problematic! What can Value-Based Access Offer to GCCS? q In COP Ø Constrain Display of Friendly and Enemy Positions Ø Limit Map Coordinates Displayed Ø Limit Tier of Display (Deployment, Weather, etc. ) DCP-40

Non-Military Crisis: Value Based Access m CSE 5095 m In Katrina/Rita, What People can See and Do May be Limited Based on Role q Katrina Responders Limited to Katrina Data q Rita Responders Limited to Rita Data q Some Responders (Army Corps Engineers) May Need Both to Coordinate Activities Within Each Crisis, Information Also Limited q Some Katrina Roles (Commander, Emergency Responders, etc. ) see All Data q Other Katrina Roles Limited (Security Deployment Plans Not Available to All q Again – Customization is Critical DCP-41

GCCS Shortfalls: Federation Needs m CSE 5095 m Currently, GCCS is Difficult to Use for DCP q Difficult to Federate Users and Resources q U. S. Only system q Incompatibility in Joint and Common Contexts q Private Network (Not Multi-Level Secure) What are Security/Federation Needs for GCCS? q Quick Admin. While Still Constraining US and Non-US Access q Employ Middleware for Flexibility/Robustness q Security Definition/Enforcement Framework q Extend GCCS for Coalition Compatibility that Respects Coalition and US Security Policies DCP-42

Non-Military Crisis: Federation Needs m CSE 5095 m m Crisis May Dictate Federation Capabilities Katrina q Devastated Basic Communication at All Levels q There was No Need to Federate Computing Systems at Crisis Location with No Power, etc. Rita q Crisis Known Well in Advance q However, Didn’t Prevent Ø Disorganized Evacuation Ø 10+ Hour Highway Waits Ø Running out of Fuel q Federation Myst Coordinate Critical Resources DCP-43

Information Sharing and Security Federated Resources CSE 5095 RESOURCES Command&Control Vehicles Army Airborne Command & Control System JSTARS Unmanned Aerial Vehicle Satellites Army Battle Command System Embedded Command System INTEL FUSION Embedded Battle Command AIR DEFENCE Embedded Battle Command FIELD ARTILLERY Embedded Battle Command MANEUVER CONTROL Embedded Battle Command Common Picture PERSONNEL AND LOGISTICS Embedded Battle Command Fwd Support Element Ammo/Fuel Refit ABCS Bradley / EBC Embedded Battle Command DCP-44

Information Sharing and Security Syntactic Considerations m CSE 5095 m m m Syntax is Structure and Format of the Information That is Needed to Support a Coalition Incorrect Structure or Format Could Result in Simple Error Message to Catastrophic Event For Sharing, Strict Formats Need to be Maintained In US Military, Message Formats Include q Heading and Ending Section Ø United States Message Text Formats (USMTF) Ø 128 Different Message Formats Text Body of Actual Message Problem: Formats Non-Standard Across Different Branches of Military and Countries q m DCP-45

Information Sharing and Security Semantics Concerns m CSE 5095 Semantics (Meaning and Interpretation) q USMTF - Different Format, Different Meaning Ø Each of 128 Messages has Semantic Interpretation Ø Communicate Logistical, Intelligence, and Operational Information m Semantic Problems q NATO and US - Different Message Formats q Different Interpretation of Values Ø Distances (Miles vs. Kilometers) Ø Grid Coordinates (Mils, Degrees) Ø Maps (Grid, True, and Magnetic North) DCP-46

Information Sharing and Security Syntactic & Semantic Considerations m CSE 5095 m m m m What’s Available to Support Information Sharing? How do we Insure that Information can be Accurately and Precisely Exchanged? How do we Associate Semantics with the Information to be Exchanged? What Can we Do to Verify the Syntactic Exchange and that Semantics are Maintained? Can Information Exchange Facilitate Federation? How do we Deal with Exchange to/from Legacy Applications? Can this be Handled Dynamically? Or, Must we Statically Solve Information Sharing in Advance? DCP-47

Information Sharing and Security Pragmatics Issues m CSE 5095 m Pragmatics Require that we Totally Understand Information Usage and Information Meaning Key Questions Include: q What are the Critical Information Sources? q How will Information Flow Among Them? q What Systems Need Access to these Sources? q How will that Access be Delivered? q Who (People/Roles) will Need to See What When? q How will What a Person Sees Impact Other Sources? DCP-48

Information Sharing and Security Pragmatics Issues m CSE 5095 m Pragmatics - Way that Information is Utilized and Understood in its Specific Context For Example, in GCCS DCP-49

Information Sharing and Security Pragmatics Issues Pragmatics in GCCS m DR DR GBS SEN VTel BVTC Info/Intel/Plans BVTC Mobility BVTC TGT/Fires XXX DR BVTC SEN BVTC GBS DR CMDR TAC BCV DR BVTC SEN DR DR MVR BN GBS DR DR DR GBS DR DR 704 MSB Node Estimate Current FDD laydown has 53 autonomous Command Post/TOCs (i. e. , nodes) MVR BN GBS 204 FSB DR GBS DR DR Relay SEN GBS 299 ENG 1 st BDE SINCGARS (FS) EPLRS (AD) GBS XX Sustainment SINCGARS (FS) EPLRS (AD) GBS DISCOM DIV REAR DR For a full Corps >200 nodes MVR BN GBS 4 -42 FA LEN X SEN GBS BVTC SEN XX Division Slice GBS DR GBS 124 th SIG BN DR HCLOS GBS SEN SINCGARS (FS) EPLRS (AD) SEN X DR 4 ENG GBS DR TAC BVTC SINCGARS (FS) EPLRS (AD) GBS 1/4 AVN BN DR DTAC 1 BVTC SINCGARS (FS) EPLRS (AD) GBS 2/4 AVN BN DR 9 -1 FA DR DR DR Relay GBS DR DR BCV MVR BN GBS XX 4 th BDE BVTC SEN GBS DR 64 FSB 3 -29 FA DR 1/10 CAV CMDR BCV DR DR GBS DR DR DR MVR BN GBS SEN MVR BN GBS Basic Distribution Requirement • Distribution Polices • Automation & Notification • User Controls • Transport Mechanisms • System and Process Monitors • Security, Logs, and Archives CMDR DR GBS DR DR 3 rd BDE DR MVR BN GBS DR DR 404 ASB GBS DR DR DR MVR BN GBS 3 -16 FA GBS SEN DR MVR BN DR DR DR GBS DR DR BCV DR GBS SEN CMDR DR GBS BVTC GBS DR DR DIV CDR DMAIN DR TAC 4 FSB Relay A 2 C 2 S VTel GBS DR 2 nd BDE DIV CDR GBS BVTC 588 ENG GBS DR DR DR C 2 V Theater Injection Point (TIP) SEN GBS SINCGARS (FS) EPLRS (AD) HCLOS SEN DR DR DR DIVARTY XXX CSE 5095 GBS DSCS DR Distribution Policy • What • How • When - Prioritized • Where - Encrypted - Network 1/10 CAV Sqdn Note: 3 rd BDE not part of 1 DD in Sep 2000. DCP-50

Information Sharing and Security Data Integrity m CSE 5095 m Concerns: Consistency, Accuracy, Reliability Accidental Errors q Crashes, Concurrent Access, Logical Errors q Actions: Ø Integrity Constraints Ø GUIs Ø Redundancy m Malicious Errors q Not Totally Preventable q Actions: Ø Authorization, Authentication, Enforcement Policy Ø Concurrent Updates to Backup DBs Ø Dual Homing DCP-51

Information Sharing and Security Discretionary Access Control m CSE 5095 m What is Discretionary Access Control (DAC)? q Restricts Access to Objects Based on the Identity of Group and /or Subject q Discretion with Access Permissions Supports the Ability to “Pass-on” Permissions DAC and DCP q Pass on from Subject to Subject is a Problem Ø Information Could be Passed from Subject (Owner) to Subject to Party Who Should be Restricted q For Example, Ø Local Commanders Can’t Release Information Ø Rely on Discretion by Foreign Disclosure Officer q Pass on of DAC Must be Carefully Controlled! DCP-52

Information Sharing and Security Role Based Access Control m CSE 5095 m What is Role Based Access Control (RBAC)? q Roles Provide Means for Permissions to Objects, Resources, Based on Responsibilities q Users May have Multiple Roles Each with Different Set of Permissions q Role-Based Security Policy Flexible in both Management and Usage Issues for RBAC and DCP q Who Creates the Roles? q Who Determines Permissions (Access)? q Who Assigns Users to Roles? q Are there Constraints Placed on Users Within Those Roles? DCP-53

Information Sharing and Security Mandatory Access Control m CSE 5095 m What is Mandatory Access Control (MAC)? q Restrict Access to Information, Resources, Based on Sensitivity Level (Classification) Classified Information - MAC Required q If Clearance (of User) Dominates Classification, Access is Allowed MAC and DCP q MAC will be Present in Coalition Assets q Need to Support MAC of US and Partners q Partners have Different Levels/Labels q Need to Reconcile Levels/Labels of Coalition Partners (which Include Past Adversaries!) DCP-54

Information Sharing and Security Other Issues m CSE 5095 Intrusion Detection q Not Prevention q Intrusion Types: Ø Trojan Horse, Data Manipulation, Snooping q Defense: Ø Tracking and Accountability m Survivability q Reliability and Accessibility q Defense: Ø Redundancy m Cryptography q Fundamental to Security q Implementation Details (key distribution) DCP-55

A Service-Based Security Architecture CSE 5095 DCP-56

Required Security Checks CSE 5095 DCP-57

Stepping Back Security for Distributed Environments m CSE 5095 m m m Background and Motivation q What are Key Distributed Security Issues? q What are Major/Underlying Security Concepts? q What are Available Security Approaches? Identifying Key Distributed Security Requirements Frame the Solution Approach Outline UConn Research Emphasis: q Secure Software Design (UML and AOSD) q Middleware-Based Realization (CORBA/JINI) q Information Exchange via XML DCP-58

Security for Distributed Applications CSE 5095 How is Security Handled for Individual Systems? COTS Database Legacy What if Security Never Available for Legacy/COTS/Database? Security Issues for New Clients? New Servers? Across Network? Legacy COTS NETWORK Java Client What about Distributed Security? Security Policy, Model, and Enforcement? Legacy Database COTS DCP-59

DC for Military Deployment/Engagement U. S. Global C 2 Systems Air Force CSE 5095 NGO/ PVO OBJECTIVES: Navy Joint Command System Battle Management System GCCS Securely Leverage Information in a U. N. Combat Fluid Environment Army Battle Command Operations NATO Protect Information While Simultaneously. System U. S. A System Army Marine Corps Promoting the Coalition Security Infrastructure in Support of DCP LFCS Canada HEROS Germany SICF France AFATDS ASAS ABCS CSSCS GCCS-A MCS SIACCON Italy FADD Other DCP-60

DC for Medical Emergency CSE 5095 Red Cross Transportation Pharma. Companies MDs w/o Borders Military Medics Govt. Local Health Care CDC EMTs ISSUES: Privacy vs. Availability in Medical Records Support Life-Threatening Situations via Availability of Patient Data on Demand MDs Other RNs State Health DCP-61

Security Issues: Confidence in Security m CSE 5095 Assurance q Do Security Privileges for Each User Support their Needs? q What Guarantees are Given by the Security Infrastructure in Order to Attain: Ø Safety: Nothing Bad Happens During Execution Ø Liveness: All Good Things can Happen During Execution m Consistency q Are the Defined Security Privileges for Each User Internally Consistent? Least-Privilege Principle q Are the Defined Security Privileges for Related Users Globally Consistent? Mutual-Exclusion DCP-62

Security for Coalitions m CSE 5095 m m Dynamic Coalitions will play a Critical Role in Homeland Security during Crisis Situations Critical to Understand the Security Issues for Users and System of Dynamic Coalitions Multi-Faceted Approach to Security q Attaining Consistency and Assurance at Policy Definition and Enforcement q Capturing Security Requirements at Early Stages via UML Enhancements/Extensions q Providing a Security Infrastructure that Unifies RBAC and MAC for Distributed Setting DCP-63

Four Categories of Questions m CSE 5095 m m m Questions on Software Development Process q Security Integration with Software Design q Transition from Design to Development Questions on Information Access and Flow q User Privileges key to Security Policy q Information for Users and Between Users Questions on Security Handlers and Processors q Manage/Enforce Runtime Security Policy q Coordination Across EC Nodes Questions on Needs of Legacy/COTS Appls. q Integrated, Interoperative Distributed Application will have New Apps. , Legacy/COTS, Future COTS DCP-64

Software Development Process Questions m CSE 5095 m m What is the Challenge of Security for Software Design? q How do we Integrate Security with the Software Design Process? q What Types of Security Must be Available? How do we Integrate Security into OO/Component Based Design? q Integration into OO Design? q Integration into UML Design? What Guarantees Must be Available in Process? q Assurance Guarantees re. Consistent Security Privileges? q Can we Support Security for Round-Trip and Reverse Engineering? DCP-65

Software Development Process Questions m CSE 5095 m m What Techniques are Available for Security Assurance and Analysis? q Can we Automatically Generate Formal Security Requirements? q Can we Analyze Requirements for Inconsistency and Transition Corrections Back to Design? How do we Handle Transition from Design to Development? Can we Leverage Programming Languages in Support of Security for Development? q Subject-Oriented Programming? q Aspect-Oriented Programming? q Other Techniques? DCP-66

Information Access and Flow Questions m CSE 5095 m Who Can See What Information at What Time? q What Are the Security Requirements for Each User Against Individual Legacy/cots Systems and for the Distributed Application? What Information Needs to Be Sent to Which Users at What Time? q What Information Should Be “Pushed” in an Automated Fashion to Different Users at Regular Intervals? DCP-67

Information Access and Flow Questions m CSE 5095 m What Information Needs to Be Available to Which Users at What Time? q What Information Needs to Be “Pulled” Ondemand to Satisfy Different User Needs in Time-critical Situations How Are Changing User Requirements Addressed Within the Distributed Computing Application? q Are User Privileges Static for the Distributed Computing Application? q Can User Privileges Change Based on the “Context” and “State” of Application? DCP-68

Security Handlers/Processing Questions m CSE 5095 What Security Techniques Are q Needed to Insure That the Correct Information Is Sent to the Appropriate Users at Right Time? q Necessary to Insure That Exactly Enough Information and No More Is Available to Appropriate Users at Optimal Times? q Required to Allow As Much Information As Possible to Be Available on Demand to Authorized Users? DCP-69

Security Handlers/Processing Questions m CSE 5095 m m How Does the Design by Composition of a Distributed Computing Application Impact on Both the Security and Delivery of Information? q Is the Composition of Its “Secure” Components Also Secure, Thereby Allowing the Delivery of Information? Can We Design Reusable Security Components That Can Be Composed on Demand to Support Dynamic Security Needs in a Distributed Setting? What Is the Impact of Legacy/cots Applications on Delivering the Information? DCP-70

Security Handlers/Processing Questions m CSE 5095 m m How Does Distribution Affect Security Policy Definition and Enforcement? Are Security Handlers/enforcement Mechanisms Centralized And/or Distributed to Support Multiple, Diverse Security Policies? Are There Customized Security Handlers/enforcement Mechanisms at Different Levels of Organizational Hierarchy? q Does the Organizational Hierarchy Dictate the Interactions of the Security Handlers for a Unified Enforcement Mechanism for Entire Distributed System? DCP-71

Legacy/COTS Applications Questions m CSE 5095 When Legacy/COTS Applications are Placed into Distributed, Interoperable Environment: q At What Level, If Any, is Secure Access Available? q Does the Application Require That Secure Access Be Addressed? q How is Security Added if it is Not Present? What Techniques Are Needed to Control Access to Legacy/COTS? q What is the Impact of New Programming Languages (Procedural, Object-oriented, Etc. ) And Paradigms? DCP-72

Focusing on MAC, DAC and RBAC m CSE 5095 m m For OO Systems/Applications, Focus on Potential Public Methods on All Classes Role-Based Approach: q Role Determines which Potential Public Methods are Available q Automatically Generate Mechanism to Enforce the Security Policy at Runtime q Allow Software Tools to Look-and-Feel Different Dynamically Based on Role Extend in Support of MAC (Method and Data Levels) and DAC (Delegation of Authority) DCP-73

Legacy/COTS Applications m CSE 5095 m m Interoperability of Legacy/COTS in a Distributed Environment Security Issues in Interoperative, Distributed Environment q Can MAC/DAC/RBAC be Exploited? q How are OO Legacy/COTS Handled? q How are Non-OO Legacy/COTS Handled? q How are New Java/C++ Appls. Incorporated? q Can Java Security Capabilities be Utilized? q What Does CORBA/ORBs have to Offer? q What about other Middleware (e. g. JINI)? Explore Some Preliminary Ideas on Select Issues DCP-74

A Distributed Security Framework m CSE 5095 m m m What is Needed for the Definition and Realization of Security for a Distributed Application? How can we Dynamically Construct and Maintain Security for a Distributed Application? q Application Requirements Change Over Time q Seamless Transition for Changes q Transparency from both User and Distributed Application Perspectives Support MAC, RBAC and DAC (Delegation) Cradle to Grave Approach q From Design (UML) to Programming(Aspects) q Information Exchange (XML) q Middleware: Interoperating Artifacts & Clients DCP-75

A Distributed Security Framework m CSE 5095 m m Distributed Security Policy Definition, Planning, and Management q Integrated with Software Development: Design (UML) and Programming (Aspects) q Include Documents of Exchange (XML) Formal Security Model with Components q Formal Realization of Security Policy q Identifiable “Security” Components Security Handlers & Enforcement Mechanism q Run-time Techniques and Processes q Allows Dynamic Changes to Policy to be Seamless and Transparently Made DCP-76

Interactions and Dependencies CSE 5095 Java Client Legacy Client DB + SH Java Client DB Client L + SH Server + SH COTS Client CO+ SH Enforcement Mechanism Collection of SHs CO+ SH DB + SH Server + SH L + SH Security Components L + SH DB + SH Formal Security Model L: Legacy CO: COTS DB: Database SH: Security Handler Distributed Security Policy DCP-77

Policy Definition, Planning, Management m CSE 5095 m m Interplay of Security Requirements, Security Officers, Users, Components and Overall System Minimal Effort in Distributed Setting - CORBA Has Services for q Confidentiality, Integrity, Accountability, and Availability q But, No Cohesive CORBA Service Ties Them with Authorization, Authentication, and Privacy Difficult to Accomplish in Distributed Setting q Must Understand All Constituent Systems q Interplay of Stakeholders, Users, Sec. Officers DCP-78

Three-Pronged Security Emphasis Secure Software Design via UML with MAC/RBAC CSE 5095 Secure Information Exchange via XML with MAC/RBAC Assurance RBAC, Delegation MAC Properties: Simple Integrity, Simple Security, etc. Safety Liveness Secure MAC/RBAC Interactions via Middleware in Distributed Setting DCP-79

Secure Software Design - T. Doan CSE 5095 Address Security in Use-Case Diagrams, Class Diagrams, Sequence Diagrams, etc. Bi-Directional Translation - Prove that all UML Security Definitions in UML in Logic. Based Policy Language and vice-versa Extending UML for the Design and Definition of Security Requirements Iterate, Revise Formal Security Policy Definition using Existing Approach (Logic Based Policy Language) Must Prove Generation Captures all Security Requirements Other Possibilities: Reverse Engineer Existing Policy to Logic Based Definition UML Model with Security Capture all Security Requirements! Security Model Generation RBAC 99 GMU RBAC/MAC UConn Oracle Security DCP-80

RBAC/MAC at Design Level m CSE 5095 m m Security as First Class Citizen in the Design Process Use Cases and Actors (Roles) Marked with Security Levels Dynamic Assurance Checks to Insure that Connections Do Not Violate MAC Rules DCP-81

Secure Software Design - J. Pavlich m CSE 5095 m m What are Aspects? q System Properties that Apply Across an Entire Application q Samples: Security, Performance, etc. What is Aspect Oriented Programming? q Separation of Components and Aspects from One Another with Mechanisms to Support Abstraction and Composition for System Design What is Aspect Oriented Software Design? q Focus on Identifying Components, Aspects, Compositions, etc. q Emphasis on Design Process and Decisions DCP-82

Aspects for Security in UML m CSE 5095 Consider the Class Diagram below that Captures Courses, Documents, and Grade Records q What are Possible Roles? q How can we Define Limitations of Role Against Classes? DCP-83

A Role-Slice for Professors CSE 5095 DCP-84

A Role Slide for Students CSE 5095 DCP-85

Middleware-Based Security - C. Phillips Database Artifacts: DB, Legacy, COTS, GOTS, with APIs CSE 5095 m New/Existing Clients use Database APIs m Can we Control Access to Client APIs (Methods) by … Java q Role (who) Client q Classification (MAC) q Time (when) q Working Data (what) Security Authorization Security Policy Prototype Delegation q Client (SAC) Client (SPC) COTS Client m Available using CORBA, JINI, Java, Oracle Legacy COTS Legacy Client GOTS NETWORK Security Delegation Client (SDC) Unified Security Resource (USR) Security Policy Services Security Authorization Services Security Registration Services Security Analysis and Tracking (SAT) DCP-86

Process-Oriented View CSE 5095 Security Administrative and Management Tools Unified RBAC/MAC Security Model Security Policy Definition RBAC/MAC Enforcement Framework Security Middleware Analyses of RBAC/MAC Model/Framework Against SSE-CMM Design Time Security Assurance Run Time Security Assurance Evaluation of RBAC/MAC Model Using DCP-87

Security for XML Documents m CSE 5095 m Emergence of XML for Document/Information Exchange Extend RBAC/MAC to XML q Collection of Security DTDs Ø DTDs for Roles, Users, and Constraints Ø Capture RBAC and MAC q Apply Security DTDs to XML Documents Ø An XML Document Appears Differently Based on Role, MAC, Time, Value Ø Security DTD Filters Document Security DTDs n Role DTD n User DTD n Constraint DTD Security Officer Generates Security XML files for the Application DTDs and XML Application DTDs Application XML Files Appl_Role. xml Appl _User. xml Appl_Constraint. xml Application User’s Role Determines the Scope of Access to Each XML Document DCP-88

Concluding Remarks m CSE 5095 m m Objective is for Everyone to Think about the Range, Scope, and Impact of Security Question-Based Approach Intended to Frame the Discussion Proposed Solution for Distributed Environment Current UConn Foci q Secure Software Design q Middleware Realization q XML Document Customization Consider these and Other Issues for DCP-89