Roy Campbell - PowerPoint PPT Presentation

1
Cherubim Dynamic Security System
http://choices.cs.uiuc.edu/Security/cherubim
  • Roy Campbell

University of Illinois at Urbana-Champaign, March 24, 2014
2
Contents
  • Project Overview
  • Process Management Application
  • Access Control Policy
  • Active Capability Framework
  • Policy Management System
  • Cryptographic Policy
  • Conclusion

3
Motivation
  • Traditional access control schemes lack the
    flexibility required for emerging applications
    like active networking
  • Some security systems are vulnerable to
    eavesdropping attacks
  • Cherubim allows fine grain access control with
    strong encryption and authentication

4
Existing Solutions
  • Firewall, VPN, Kerberos, SSL, SOCKS
  • Limited support for fine-grained application
    specific security
  • Hard to evolve, adapt and inter-operate
  • No guard against grudging insiders
  • Too complex and resource intensive for mobile
    clients

5
Overview of Cherubim
  • CORBA based security services
  • Access control is specified using small pieces of
    code in Java
  • Encryption and authentication performed using SSL
  • Access control and cryptographic policies can be
    changed while the object is running

6
Object Access in Cherubim
7
Key Features of Cherubim
Architecture for and Demonstration of
  • Dynamic Policies
  • Compatibility
  • Extensibility
  • Customizability
  • Interoperability
  • Multiple Policies
  • Multiple Mechanisms
  • Multiple Protocols
  • Secure Orb, Security Server
  • Public Key Infrastructure

8
Bootstrap from Smart Card
  • File -> passphrase decryption -> credentials
  • Credentials
  • home server, public key, private key
  • Mutual authentication with home server
  • Download Jacorb, security classes, application
    with active capabilities

Cherubim Smart Card
9
(No Transcript)
10
Core Security Services
  • Abstracts underlying cryptographic functionality
  • Provides five basic functions
  • Encryption
  • Decryption
  • Signature
  • Signature Verification
  • Authentication

11
Core Implementation
  • Based on Cryptix Package, a free implementation
    of the Java Cryptographic Architecture
  • Authentication Protocol
  • 2048 bit prime for Diffie-Hellman exchange
  • 1024 bit DSA keys for signatures on key exchange
    and mobile classes
  • 128 bit IDEA session keys

12
Authentication
(Message flow between Client and Server, reconstructed from the slide diagram)
  • Client chooses a secret exponent a; Server chooses a secret exponent b
  • Client -> Server: <g^a, destination, timestamp, algorithm, keylength>, signature
  • Server -> Client: <g^b, destination, timestamp, algorithm, keylength>, signature
  • Each side computes g^ab, hashes it with SHA-1 and derives the IDEA session key
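
The exchange above, modelled in Python as an added example (not the project's Java code and not the Cryptix library): each side signs <g^exp, destination, timestamp, algorithm, keylength>, the receiver checks destination, freshness, subgroup membership and signature before using the share, and the session key is the first 128 bits of SHA-1 over g^ab. Assumptions not on the slide: Schnorr signatures over a small safe-prime group generated at run time stand in for the 1024-bit DSA keys and the 2048-bit prime, the 5-minute window of slides 13-14 is reused for the timestamp check, and the bytes hashed by SHA-1 are the big-endian shared secret.

```python
"""Model of the authentication exchange on slides 11-12. Added example, not
the project's code: Schnorr signatures over a small runtime-generated safe
prime stand in for the deck's 1024-bit DSA keys and 2048-bit DH prime."""
import hashlib
import secrets

WINDOW_SECONDS = 300  # assumed freshness window, reusing the 5-minute timestamp of slides 13-14

def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits=96):
    """Safe prime p = 2q + 1 and g = 4, a generator of the order-q subgroup."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def keygen(grp):
    """Long-term signing key pair (private, public)."""
    p, q, g = grp
    x = 1 + secrets.randbelow(q - 1)
    return x, pow(g, x, p)

def digest_int(*parts):
    """SHA-1 over a length-prefixed encoding of the parts, read as an integer."""
    h = hashlib.sha1()
    for part in parts:
        data = str(part).encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(h.digest(), "big")

def sign(grp, x, msg):
    p, q, g = grp
    k = 1 + secrets.randbelow(q - 1)
    e = digest_int(pow(g, k, p), *msg) % q
    return e, (k - x * e) % q

def verify(grp, y, msg, sig):
    p, q, g = grp
    e, s = sig
    r = (pow(g, s, p) * pow(y, e, p)) % p  # recovers g^k when the signature is genuine
    return digest_int(r, *msg) % q == e

def make_hello(grp, dest, signing_key, now, algorithm="IDEA", keylength=128):
    """Build <g^exp, destination, timestamp, algorithm, keylength>, signature."""
    p, q, g = grp
    exp = 1 + secrets.randbelow(q - 1)
    msg = (pow(g, exp, p), dest, int(now), algorithm, keylength)
    return exp, (msg, sign(grp, signing_key, msg))

def accept_hello(grp, my_name, peer_pubkey, hello, now):
    """Check destination, freshness, subgroup membership and signature; return the peer's share."""
    p, q, _ = grp
    msg, sig = hello
    share, dest, ts, _algorithm, _keylength = msg
    if dest != my_name:
        raise ValueError("hello addressed to a different destination")
    if abs(int(now) - ts) > WINDOW_SECONDS:
        raise ValueError("stale timestamp")
    if not 1 < share < p - 1 or pow(share, q, p) != 1:
        raise ValueError("share outside the prime-order subgroup")  # refuses small-subgroup shares
    if not verify(grp, peer_pubkey, msg, sig):
        raise ValueError("bad signature")
    return share

def session_key(grp, peer_share, exp):
    """SHA-1 of g^ab, truncated to the 128-bit IDEA key size (assumed derivation)."""
    p = grp[0]
    shared = pow(peer_share, exp, p).to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha1(shared).digest()[:16]

def run_exchange(grp, now):
    """Both messages of the exchange; returns (client_key, server_key)."""
    client_priv, client_pub = keygen(grp)
    server_priv, server_pub = keygen(grp)
    a, client_hello = make_hello(grp, "server", client_priv, now)
    b, server_hello = make_hello(grp, "client", server_priv, now)
    share_from_client = accept_hello(grp, "server", client_pub, client_hello, now)
    share_from_server = accept_hello(grp, "client", server_pub, server_hello, now)
    return session_key(grp, share_from_server, a), session_key(grp, share_from_client, b)
```

The subgroup check in accept_hello is the step most often left out of a textbook exchange: without it a peer share of small order forces the derived key into a tiny set, and the signature on the outer message does nothing to prevent that. The destination field is what stops a hello meant for one server from being accepted by another.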
13
Class Request Data Format
Packet Data Format (encrypted with the IDEA key):
  • Class Name
  • TimeStamp (5 min)
  • Sequence Number
  • Destination
  • Signature
14
Class Response Data Format
Packet Data Format (encrypted with the IDEA key):
  • Class Name
  • TimeStamp (5 min)
  • Sequence Number
  • Destination
  • Class
  • Signature
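
Receiver-side handling of the request and response formats above, as an added example that is not taken from the project: a request carries the four authenticated fields, the receiver checks the authenticator before reading anything else, enforces the 5-minute timestamp window and rejects any sequence number that does not advance. HMAC-SHA1 under the session key is an assumed stand-in for the deck's signature-plus-IDEA layer, and the field and class names are constructed.

```python
"""Freshness and replay checks for the class request/response packets of
slides 13-14. Added example, not the project's code; the packet is a dict and
HMAC-SHA1 under the session key stands in for the deck's signature and IDEA layer."""
import hashlib
import hmac

WINDOW_SECONDS = 300  # the slides' 5-minute timestamp window
AUTH_FIELDS = ("class_name", "timestamp", "sequence", "destination")

def canonical(packet):
    """Stable byte encoding of the authenticated fields."""
    return "|".join(f"{f}={packet[f]}" for f in AUTH_FIELDS).encode()

def build_request(session_key, class_name, timestamp, sequence, destination):
    """Sender side: fill the fields and attach the authenticator."""
    packet = {"class_name": class_name, "timestamp": int(timestamp),
              "sequence": int(sequence), "destination": destination}
    packet["signature"] = hmac.new(session_key, canonical(packet), hashlib.sha1).hexdigest()
    return packet

class RequestValidator:
    """Receiver-side state for one session: the highest sequence number accepted so far."""
    def __init__(self, session_key, my_name):
        self.session_key, self.my_name, self.last_seq = session_key, my_name, -1

    def check(self, packet, now):
        """Return None if the packet is accepted, otherwise the reason for rejection."""
        expected = hmac.new(self.session_key, canonical(packet), hashlib.sha1).hexdigest()
        if not hmac.compare_digest(expected, packet.get("signature", "")):
            return "bad signature"  # checked first: unauthenticated fields are not worth reading
        if packet["destination"] != self.my_name:
            return "wrong destination"
        if abs(int(now) - packet["timestamp"]) > WINDOW_SECONDS:
            return "stale timestamp"
        if packet["sequence"] <= self.last_seq:
            return "replayed sequence number"  # the 5-minute window alone admits a replay inside it
        self.last_seq = packet["sequence"]
        return None
```

The ordering of the checks matters: the timestamp and sequence number are only meaningful once the authenticator has passed, and the sequence number is what closes the replay gap the timestamp window leaves open. A strictly increasing counter also rejects legitimate reordering, so a transport that may reorder packets would need a sliding window of recently seen numbers instead.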
15
Classloader Hierarchy
  • CORBA Classloader: specific policies, remote application classes
  • Jurassic Classloader: Jacorb classes, home application classes, Cherubim policy library
  • Primordial Classloader: Java core classes, necessary Cryptix and Cherubim classes
16
Process Management Application
  • Three main components
  • User Application (GUI) - one per user
  • System Manager - one for the whole cluster
  • Host Manager - one per machine on cluster

17
(No Transcript)
18
Process Management Application
19
Access Control Policies
  • Framework
  • Primitives (sets, maps, mappings)
  • OS entities (devices, processes, users)
  • Interfaces with
  • Security Policy Decision Function
  • Underlying system
  • Policy classes (DAC, NDAC, DSP)
  • Demo examples atop framework

20
Demo Policy
  • Double Discretionary Access Control
  • 3 hosts (system objects)
  • 3 users
  • 8 process management operations
  • Allowed and denied lists for various accesses
  • CORBA monitoring and authentication for method
    invocations

21
Active Capabilities
  • Issued by administrator via System Manager
  • Verified by System Manager transparently
  • Could be verified by the Host Managers for a
    fully distributed approach

22
Active Capability
  • Unforgeable Java scripts for application specific
    access control functions
  • Flexible means for enforcing and interoperating
    different access policies
  • Better integration with active messages in active
    networks

23
Active Capability Format
24
Active Capability Architecture
(Diagram: a Policy Server; an ACManager and an Active Capability on the Client side and on the Server side; the ORB between Client and Server)
25
Active Capability Architecture
  • One ACManager runs on every ORB to manage and
    install active capabilities
  • Policy server uses push model to change policies
    and distribute active capability dynamically
  • Interceptors are used to integrate transparently
    the active capabilities with CORBA objects

26
Policy Classes
  • DAC - Discretionary Access Control
  • Double DAC
  • NDAC - Non ...
  • DONDAC, Domain Oriented ...
  • MAC formed from customized NDAC
  • DSP Device Specific Policies
  • DANDAC, Device Aware ...

27
Policy Framework
(Diagram of the layered framework: DONDAC, DANDAC, DDAC, DSP, DAC and NDAC above the OS Interfaces and Primitives)
28
Role-Based Access Control
  • Separation of duties
  • Invocation of mutually exclusive roles for a task
    to increase security
  • Least privilege
  • Assign only needed role/right to users
  • Simplified authorization management
  • Independent mappings role-permission, user-role,
    and role-role relationships
  • Suitable for dynamic mobile environment

29
Role Management
  • Hierarchical roles
  • Simple, clear role management
  • Object classes
  • Classify objects based on access type
  • Roles to manage roles
  • Administrative roles
  • Net effect of a configuration is an open question

30
Environment
  • System defines role permissions
  • Can dynamically define new role, or modify
    permissions, though should do so infrequently
  • User-role binding by password/certificate
  • User can dynamically attain role
  • Can attain multiple non-exclusive roles
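
The three slides above describe an RBAC model; this added Python sketch (not Cherubim code; role and permission names are constructed) implements hierarchical roles, mutually exclusive roles that cannot be active at the same time, and least privilege by making a user attain a role explicitly before its permissions count. The exclusion check is applied to the named roles only, not to roles inherited through the hierarchy; the password or certificate binding of slide 30 is outside the sketch.

```python
"""RBAC sketch for slides 28-30: hierarchical roles, mutually exclusive roles,
and least privilege through explicit role activation. Added example, not
Cherubim code; role and permission names are constructed."""

class RBAC:
    def __init__(self):
        self.role_perms = {}   # role -> permissions granted directly
        self.juniors = {}      # role -> junior roles whose permissions it inherits
        self.exclusive = []    # sets of roles that may not be active together
        self.assigned = {}     # user -> roles the user may attain
        self.active = {}       # user -> roles currently attained

    def add_role(self, role, perms=(), juniors=()):
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(juniors)

    def add_exclusion(self, *roles):
        """Separation of duties: no task may run with two of these roles active."""
        self.exclusive.append(frozenset(roles))

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.assigned.setdefault(user, set()).add(role)

    def effective_perms(self, role):
        """Permissions of the role plus everything inherited down the hierarchy."""
        perms, seen, stack = set(), set(), [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.role_perms.get(r, set())
            stack.extend(self.juniors.get(r, ()))
        return perms

    def attain(self, user, role):
        """Activate an assigned role unless it conflicts with one already active."""
        if role not in self.assigned.get(user, ()):
            return False, "role not assigned to user"
        active = self.active.setdefault(user, set())
        for group in self.exclusive:
            conflict = (active & group) - {role}
            if role in group and conflict:
                return False, f"{role} is mutually exclusive with {sorted(conflict)}"
        active.add(role)
        return True, "ok"

    def drop(self, user, role):
        self.active.get(user, set()).discard(role)

    def check(self, user, perm):
        """Least privilege: only active roles count, not everything assigned."""
        return any(perm in self.effective_perms(r) for r in self.active.get(user, ()))
```

Keeping assignment and activation separate is what lets a user hold several roles yet operate with only the one a task needs; the exclusion check on attain enforces the dynamic form of separation of duties, where conflicting roles may both be assigned but never active together.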

31
Policy Management System
  • Allows quick response in revoking active
    capabilities
  • Simplifies policy administration to reduce errors
  • Distributed approach prevents overburdening any
    one system

32
(No Transcript)
33
Cryptographic Policy
  • SSL is used for the client to communicate with
    the System Manager
  • Communication from System Manager to Host
    Managers is considered secure
  • Dynamic policy maintains tight security while
    avoiding overhead from using excessive encryption

34
Cryptographic Policy Formulation
  • Which SSL cipher suite to use is determined by
    four things
  • Host name to which client is connecting
  • Port number to which client is connecting
  • Network type - Wired, Wireless, Modem
  • Foreign Agent

35
Foreign Agent
  • Term from mobile IP
  • Foreign Agent is the nearest machine to the
    client
  • All client communication will go through the
    foreign agent
  • Host name of foreign agent tells the client where
    it is in the network

36
Cryptographic Policy for our Application
  • Wired Networks
  • SSL_RSA_WITH_NULL_SHA (authentication only) if
    foreign agent and remote machine are within
    nsa.gov
  • SSL_RSA_WITH_DES_CBC_SHA (authentication and 56
    bit encryption) within .gov and .mil
  • SSL_RSA_WITH_IDEA_CBC_SHA (authentication and 128
    bit encryption) otherwise
  • Wireless Network or Modem
  • SSL_RSA_WITH_IDEA_CBC_SHA (authentication and 128
    bit encryption)
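
The selection rules of slides 34-36 written as a policy function, added here as an example and not taken from the project. Assumptions: the .gov/.mil rule is applied to both the foreign agent and the remote host, like the nsa.gov rule; the port is validated but carries no rule of its own, because the slides state none; domain membership is matched on label boundaries so that a host such as nsa.gov.example.org does not count as inside nsa.gov.

```python
"""Cipher-suite selection policy of slides 34-36. Added example, not the
project's code: maps (host, port, network type, foreign agent) to the SSL
suite name the slides prescribe."""

NETWORK_TYPES = ("wired", "wireless", "modem")
AUTH_ONLY_DOMAINS = ("nsa.gov",)   # SSL_RSA_WITH_NULL_SHA, authentication only
DES_DOMAINS = ("gov", "mil")       # SSL_RSA_WITH_DES_CBC_SHA, 56-bit encryption

def in_domain(host, domain):
    """Suffix match on a label boundary, so nsa.gov.example.org is not inside nsa.gov."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)

def both_in(domains, *hosts):
    """True when every host is inside at least one of the domains."""
    return all(any(in_domain(h, d) for d in domains) for h in hosts)

def choose_cipher_suite(host, port, network, foreign_agent):
    """Return the suite name for one connection; raises on malformed input."""
    if network not in NETWORK_TYPES:
        raise ValueError(f"unknown network type {network!r}")
    if not 0 < int(port) < 65536:
        raise ValueError(f"bad port {port!r}")  # validated only: the slides attach no rule to the port
    if network != "wired":
        return "SSL_RSA_WITH_IDEA_CBC_SHA"       # wireless or modem: always 128-bit encryption
    if both_in(AUTH_ONLY_DOMAINS, host, foreign_agent):
        return "SSL_RSA_WITH_NULL_SHA"
    if both_in(DES_DOMAINS, host, foreign_agent):
        return "SSL_RSA_WITH_DES_CBC_SHA"
    return "SSL_RSA_WITH_IDEA_CBC_SHA"
```

The order of the rules encodes the policy's intent: the link type is decided first because wireless and modem paths always get full encryption, and the weaker suites are reachable only on a wired path whose both endpoints sit inside the trusted domains. The suite names are the dated part; current TLS stacks no longer enable NULL or single-DES suites, so the tables rather than the structure are what change when the same policy is applied today.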

37
Future Work: Active Networks
http://choices.cs.uiuc.edu/Security/seraphim
  • Dynamic Security Policies
  • Secure Active Node Architecture
  • Reference Monitor
  • Active Capabilities
  • Network Administration

38
Building Dynamic Interoperable Security Architecture for Active Networks
Secure Active Packet Execution
APPROACH
Dynamic Interoperable Security Policy
  • Extensible Security Policy Representation Framework
  • Universal Naming of Node Resources

Dynamic Application Specific Access Control
  • Active Capability Based Flexible Authorization Model
  • Different Deployment Schemes Using Smart Packets

Minimal Core Security Services
  • Configurable Core Security Services for Mobile Agents
  • Architecture Aware Visualization and Management

(Diagram labels: Smart Packet, Active Capability, Program Data, Policy State)

ADVANTAGES
  • Interoperable Secure Active Networking
  • Prompt Response to the Changes of Active Networks
  • Easy Extensions to Active Network Security Architecture
  • User Configurable Security Measures for Application Level Smart Packets

MILESTONES
  • Policy Naming and Deployment
  • Active Capability in Active Networks
  • Dynamic Security Systems for ActiveNets
  • Reflective Core Security Services and Architecture Aware Visualization
  • Dynamic Interoperable Policy Framework
  • Analysis and Demo

The University of Illinois at Urbana-Champaign
Roy Campbell, Dennis Mickunas
39
Architecture: Dynamic Security Policies
  • Security is a Foundation!!! No afterthought.
  • Node security/integrity guarantees
  • A universal policy is inadequate for Active
    Networks
  • Allow varied security schemes for anticipated
    unknown applications

40
Reference Monitor
  • All accesses to node resources go through
    reference monitor
  • Core security services verify the signature on
    the active capability
  • Reference monitor evaluates the active capability
    to check access

41
Active Capabilities
  • Global capabilities
  • Specify access user has to node resources,
    independent of execution environment
  • Issued by the administrator
  • Local capabilities
  • Specific capabilities issued by the
    Administrative E.E. in response to global ones

42
Network Administration
  • Administrative Execution Environment capsules
    have highest priority
  • Preempt all other capsules
  • Policy change
  • Capability revocations
  • Certificate revocations
  • Universal naming of node resources (e.g. like
    SNMP)

43
Secure Active Node Architecture
(Diagram: incoming Flows are handled by an Admin. EE and ordinary EEs running above the Node OS, whose Reference Monitor and Core mediate access to the Node Resources; labelled paths: Resource Reference, Local Capability, Local Capability Revocation, Policy Change)
44
Cherubim Conclusion
  • CORBA based process management and Chat
    applications
  • Secure and versatile bootstrapping mechanism
  • Fine grain and dynamic access control
  • Strong and flexible encryption and authentication