Improving MultiTier Security Using Redundant Authentication

1
Improving Multi-Tier Security Using Redundant
Authentication

• Jodie P. Boyer, Ragib Hasan, Lars E. Olson,
  Nikita Borisov, Carl A. Gunter, and David Raila
• University of Illinois at Urbana-ChampaignDepts.
  Of Computer Science andElectrical and Computer
  Engineering

2
Multi-tier Security

• Many websites use multi-tier system to protect
  the backend resources of their system
• The application server often needs full access on
  the backend system

3
Example
4
Redundant Authentication

• Requires request to a backend server to be
  performed on behalf of an authenticated user
• Backend server can then enforce that users
  privileges instead of the broad privileges
  usually given to an application server.
• Requires a non-repudiable token from an
  authentication authority

5
Example
6
Case study Building Automation Systems

• Building Automation Systems

• Controls systems in the building such as door
  locks, lighting, HVAC, etc.
• Used for energy savings
• Centrally managed by a building manager
• Kept secure by being on a dedicated network

7
Case Study Building Automation Systems

• Advantages

• Risks

• Allows systems to be managed by users
• Can improve usability of the building
• Reduces workload for building administrators

• Building administrators are hesitant to give
  access
• Attackers with full access to the BAS can be
  powerful
• Control temperatures in the building
• Unlock all the doors and steal expensive
  equipment
• Hold a building hostage

8
Case Study Building Automation Systems
9
Case Study Building Automation Systems
10
Case Study Building Automation Systems
11
Gateway

• Proxy system designed to protect the BAS
• Only incoming connections from the application
  server
• Only outgoing connections to the BAS
• Last line of defense for the BAS
• Locked down, minimal system

12
Redundant Authentication
13
Redundant Authentication
Open sensitive room
14
Building Automation Middleware

• A prototype system designed for the Siebel Center
  for Computer Science
• The BAS is the Andover Continuum System
• Focuses on two applications
• Mobile Access
• Delegated Access
• Interfaces with Bluestem, the UIUC enterprise
  authentication system

15
Building Automation Middleware
16
Building Automation Middleware

• Runs an IIS web server
• Implements a standard oBIX interface
• Commands are issued to the gateway through the
  oBIX interface
• Applications may have their own authorization
  policies

17
Building Automation Middleware

• Has a thin interface that accepts and interprets
  commands sent to the BAS
• Sends commands to the BAS using OPC
• Accesses the BAS Database using SQL
• Enforces a sandboxing policy

18
Applications

• Mobile Access

• Access Delegation

19
Risk Analysis

• The application server is the most at risk
• The gateway and authentication proxy are
  considered trustworthy components.
• If the application server is compromised, the
  worst it can do is execute commands on behalf of
  recently authenticated users.

20
Related Work

• Sandboxing
• Goldberg et. al. 1996Peterson et. al.
  2002Provos 2003 Garfinkle et. al. 2004
  Acharya, Raje, 2006
• Privilege Separation
• Brumley, Song 2004
• Intrusion detection

21
Single Sign-On

• Problem could potentially be solved with single
  sign-on systems
• Authentication proxy could be the Identity
  provider
• Application server and gateway would be service
  providers
• The application server would provide a formatted
  message that the user would have to pass onto the
  gateway
• The gateway would then check the identity again
• The direct communication with the gateway makes
  it unnecessarily vulnerable

22
Conclusions

• Presented a technique called Redundant
  Authentication
• Presented the use of proxy authentication
• Demonstrated the use of redundant authentication
  and proxy authentication in a prototype system

23
Questions?

• http//seclab.uiuc.edu/bam