
ENgine for Controlling Emergent Hierarchical Role-Based Access (ENforCE HRBAccess)

ENgine for Controlling Emergent Hierarchical Role-Based Access (ENforCE HRBAccess). Osama Khaleel, Thesis Defense, May 2007. Master of Science in Computer Science, University of Colorado, Colorado Springs. Committee Members: Dr. Edward Chow (Chair), Dr. Terry Boult, Dr. Xiaobo Zhou.





Presentation Transcript


  1. ENgine for Controlling Emergent Hierarchical Role-Based Access (ENforCE HRBAccess)
  Osama Khaleel, Thesis Defense, May 2007
  Master of Science in Computer Science, University of Colorado, Colorado Springs
  Committee Members: Dr. Edward Chow (Chair), Dr. Terry Boult, Dr. Xiaobo Zhou
  okhaleel / ENforCE

  2. Thesis Defense Outline
  • Intro & Background
  • Design
  • Implementation
  • Performance Analysis
  • Lessons Learned
  • Future Work
  • Contribution
  • Demo
  • Q & A

  3. Introduction
  • Roles in any organization are hierarchical by nature.
  • Resources in any organization vary:
    • from a simple HTML web page,
    • to RDP/SSH access, through which a user gains full control of a host.
  • The mission becomes more complicated when users must access resources:
    • securely, and
    • based on their ROLES.
  • Password-based protection falls far short of high-level security requirements.

  4. (diagram slide; no transcript text)

  5. Background
  • Public Key Infrastructure (PKI)
    • Authentication: Public Key Certificate (PKC), Certificate Authority (CA), Certificate Revocation List (CRL)
  • Privilege Management Infrastructure (PMI)
    • Authorization: Attribute Certificate (AC), Attribute Authority (AA)
  • Role-Based Access Control (RBAC): Core, Hierarchical
  • Policy Engine: eXtensible Access Control Markup Language (XACML), Policy Enforcement Point (PEP), Policy Decision Point (PDP)
  • Active Directory (AD) [stores certificates]
  • ISAPI Filter [secures web-resource access]
  • ASP.NET Application File (Global.asax) [secures net-resource access]
  • Iptables [system firewall]

  6. RBAC: a mechanism/model for restricting access based on the Role of authorized users.
  • Core: roles are assigned to users, and permissions are associated with roles, not directly with users.
  • Hierarchical: an enhancement to the core in which senior roles inherit permissions from more junior roles.
  • XACML: an XML-based OASIS standard that describes:
    • a policy language;
    • a request/response language.
  • The three main components in XACML are Rule, Policy, and PolicySet.
  • The XACML RBAC profile has two main components:
    • Permission PolicySet (PPS);
    • Role PolicySet (RPS).
  • One PPS and one RPS for each defined Role.

  7. RPS:
  • defines the Role name;
  • includes ONLY one PPS, associating the Role with the permissions defined in the corresponding PPS.

  <PolicySet PolicySetId="RPS:CFO">
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="function:string-equal">
            <SubjectAttributeDesignator DataType="string" AttributeId="role"/>
            <AttributeValue DataType="string">CFO</AttributeValue>
          </SubjectMatch>
        </Subject>
      </Subjects>
    </Target>
    <PolicySetIdReference>CFOPermissions</PolicySetIdReference>
  </PolicySet>

  PPS:
  • defines the Policies and Rules needed for the Permissions associated with a certain Role;
  • contains a set of PPS references (<PolicySetIdReference>) to inherit permissions from the more junior roles associated with those PPSs.

  <PolicySet PolicySetId="CFOPermissions">
    <Policy PolicyId="PolicyForCFORole">
      <Rule RuleId="FinanceManagementRule" Effect="Permit">
        <Target>
          <Subjects>
            <AnySubject/>
          </Subjects>
          <Resources>
            <Resource>
              <ResourceMatch MatchId="function:regexp-string-match">
                <AttributeValue DataType="string">https://ncdcrx3.uccs.edu/financial/finMgmt.aspx</AttributeValue>
              </ResourceMatch>
            </Resource>
          </Resources>
        </Target>
      </Rule>
    </Policy>
    <PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference>
    <PolicySetIdReference>AccMgrPermissions</PolicySetIdReference>
  </PolicySet>

  (The MatchId and DataType URNs are abbreviated on the slide, and the ResourceMatch omits the ResourceAttributeDesignator that the XACML schema requires after the AttributeValue.)
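The two PolicySet shapes above resolve into one inherited permission set per role. As an added illustration (Python written for this page, not the thesis's Java policy engine), the script below builds RPS/PPS documents in the slide's abbreviated form for three constructed roles (CFO senior to SalesMgr and AccMgr through PolicySetIdReference), resolves the references transitively, and evaluates a role/resource pair. The deny-overrides combining rule, the SalesMgr/AccMgr rules and the anchored regular-expression match are assumptions; the slide shows none of them.

```python
"""Resolve XACML RBAC-profile Role/Permission PolicySets (constructed example)."""
import re
import xml.etree.ElementTree as ET


def rps_xml(role, pps_id):
    """Role PolicySet: matches subjects whose 'role' attribute equals `role` and
    references exactly one Permission PolicySet (MatchId/DataType abbreviated as on the slide)."""
    return f"""<PolicySet PolicySetId="RPS:{role}">
  <Target><Subjects><Subject><SubjectMatch MatchId="function:string-equal">
    <SubjectAttributeDesignator DataType="string" AttributeId="role"/>
    <AttributeValue DataType="string">{role}</AttributeValue>
  </SubjectMatch></Subject></Subjects></Target>
  <PolicySetIdReference>{pps_id}</PolicySetIdReference>
</PolicySet>"""


def pps_xml(pps_id, rules, junior_pps=()):
    """Permission PolicySet: one Rule per (rule_id, effect, resource_regex), plus a
    PolicySetIdReference to each junior role's PPS, which is how the profile inherits."""
    rule_xml = "".join(f"""
    <Rule RuleId="{rid}" Effect="{effect}"><Target><Subjects><AnySubject/></Subjects>
      <Resources><Resource><ResourceMatch MatchId="function:regexp-string-match">
        <AttributeValue DataType="string">{pattern}</AttributeValue>
      </ResourceMatch></Resource></Resources></Target></Rule>""" for rid, effect, pattern in rules)
    refs = "".join(f"\n  <PolicySetIdReference>{j}</PolicySetIdReference>" for j in junior_pps)
    return f"""<PolicySet PolicySetId="{pps_id}">
  <Policy PolicyId="PolicyFor{pps_id}">{rule_xml}
  </Policy>{refs}
</PolicySet>"""


# Constructed policy store: CFO's PPS references the SalesMgr and AccMgr PPSs,
# so CFO is senior to both and inherits their rules (Permit and Deny alike).
SAMPLE_POLICIES = "<Policies>" + "".join([
    rps_xml("CFO", "CFOPermissions"),
    rps_xml("SalesMgr", "SalesMgrPermissions"),
    rps_xml("AccMgr", "AccMgrPermissions"),
    pps_xml("CFOPermissions",
            [("FinanceManagementRule", "Permit", r"https://ncdcrx3\.uccs\.edu/financial/finMgmt\.aspx")],
            ["SalesMgrPermissions", "AccMgrPermissions"]),
    pps_xml("SalesMgrPermissions",
            [("SalesRule", "Permit", r"https://ncdcrx3\.uccs\.edu/sales/.*")]),
    pps_xml("AccMgrPermissions",
            [("AccountingRule", "Permit", r"https://ncdcrx3\.uccs\.edu/accounting/.*"),
             ("NoPayrollExport", "Deny", r"https://ncdcrx3\.uccs\.edu/accounting/payroll/export\.aspx")]),
]) + "</Policies>"


def load(xml_text):
    """Index every PolicySet (RPS and PPS) by its PolicySetId."""
    return {ps.get("PolicySetId"): ps for ps in ET.fromstring(xml_text).findall("PolicySet")}


def pps_for_role(policysets, role):
    """Find the RPS whose subject target names `role`; return the single PPS it references."""
    for ps in policysets.values():
        match = ps.find("Target/Subjects/Subject/SubjectMatch")
        if match is not None and match.findtext("AttributeValue") == role:
            refs = ps.findall("PolicySetIdReference")
            if len(refs) != 1:
                raise ValueError(f"RPS for {role} must reference exactly one PPS")
            return refs[0].text
    return None


def inherited_pps(policysets, pps_id, seen=None):
    """All PPS ids reachable from pps_id through PolicySetIdReference (cycle-safe)."""
    seen = set() if seen is None else seen
    if pps_id in seen or pps_id not in policysets:
        return seen
    seen.add(pps_id)
    for ref in policysets[pps_id].findall("PolicySetIdReference"):
        inherited_pps(policysets, ref.text, seen)
    return seen


def decide(policysets, role, resource):
    """Evaluate every Rule in the role's own and inherited PPSs.
    Combining rule assumed: deny-overrides. Resource match: anchored regex
    (engines differ on anchoring for regexp-string-match)."""
    pps_id = pps_for_role(policysets, role)
    if pps_id is None:
        return "NotApplicable"
    effects = set()
    for pid in inherited_pps(policysets, pps_id):
        for rule in policysets[pid].iter("Rule"):
            pattern = rule.findtext(".//ResourceMatch/AttributeValue")
            if re.fullmatch(pattern, resource):
                effects.add(rule.get("Effect"))
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "NotApplicable"


if __name__ == "__main__":
    store = load(SAMPLE_POLICIES)
    print(sorted(inherited_pps(store, "CFOPermissions")))
    print(decide(store, "CFO", "https://ncdcrx3.uccs.edu/sales/q1.aspx"))  # inherited from SalesMgr
```

Note that the inherited Deny on the payroll export travels up to the CFO together with the inherited Permits: under deny-overrides a senior role cannot escape a restriction that one of its junior roles' PPSs carries, which is exactly why the choice of combining algorithm belongs in the policy review.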

  8. Design
  • Taking advantage of the concepts and technologies just mentioned, the goal is to build a structure/engine that provides:
    • Authentication
    • Authorization
    • Secure access based on users' ROLES
    • Protection for ANY type of resource
    • Fine-grained control based on active sessions
    • A PKI & PMI management tool

  9. ENforCE Test-Bed (diagram). FedoraCore4 gateway/firewall with public addresses 128.198.162.50–53 and internal address 10.0.0.1; main switch; local switch; Win2003 IIS, Windows XP client and Win2003 DC on 10.0.0.10–13.

  10. ENforCE "Big Picture" (diagram). User request → IIS authentication → ISAPI filter (protected web resources) or ASP.NET Global.asax (network-resource access) → HTTP request to the Policy Enforcement Point. The PEP gets the user's AC from the Domain Controller / Active Directory, gets a decision from the Policy Decision Point (XACML policy: RPS, PPS) and checks the session policy (session policy source), then returns an XML response that permits or denies access to the protected web resource. For network resources the PEP also sends open/close commands to the Iptables Control Daemon on the FC4 firewall machine, which permits or denies access to the protected network resources.

  11. Implementation
  • Two types of access:
    • Web-based resources (http://ncdcrx3.uccs.edu)
    • Network-based resources (http://ncdcrx4.uccs.edu)
  • Web resources: accessed directly through IIS using https (port 443).
  • Network resources:
    • Activate a web session first.
    • ENforCE opens the firewall for the specified service.
    • Physically access the service through the firewall.
    • The service port varies (e.g. SSH:22, RDP:3389).
  • ISAPI Filter → enforces web-resource access (C/C++, MFC)
  • Global.asax → enforces net-resource access (C#/ASP.NET)
  • Policy Engine → PEP, PDP, Policy, RBAC (XACML, Java)
  • Firewall Daemon → updates Iptables rules (Java, JSSE)

  12. Web resources (ISAPI)
  Components: Domain Controller / Active Directory, IIS (IIS Authentication, ISAPI filter), Policy Enforcement Point, Policy Decision Point, protected web resources.
  1) Web request to IIS; IIS authenticates the client.
  2) The ISAPI filter sends an HTTP request with the request attributes to the PEP.
  3) The PEP gets the user's AC from Active Directory.
  4) The PEP gets a decision from the PDP.
  5) XML response with the decision returns to the ISAPI filter.
  6) Permit/Deny access to the protected web resource.

  13. Network resources (Global.asax)
  Components: DC / AD, IIS (IIS Authentication, ASP.NET application / Global.asax), PEP with its session policy source, PDP, FC4 firewall machine running the Iptables Control Daemon, protected network resources.
  1) The user requests a session through the ASP.NET application.
  2) Global.asax sends an HTTP request with attributes to the PEP.
  3) The PEP gets the user's AC.
  4) The PEP gets a decision from the PDP.
  5) The PEP checks the session policy.
  6) The PEP sends open/close commands to the Iptables Control Daemon on the FC4 firewall.
  7) XML response with the decision returns to Global.asax.
  8) The user physically accesses the service through the firewall.

  14. Requests to PEP
  • From ISAPI (access a web resource):
    http://localhost:8080/sispep/servlets/sispep ?
      subject=CN=Edward Chow, C=US, S=CO, ...., E=chow@sis.uccs.edu, OU=Computer Science &
      URL=https://ncdcrx3.uccs.edu/it/img.jpg &
      method=GET &
      service=web
  • From Global.asax (open a network resource):
    http://localhost:8080/sispep/servlets/sispep ?
      subject=CN=Edward Chow, C=US, S=CO, …., E=chow@sis.uccs.edu, OU=Computer Science &
      URL=https://ncdcrx4.uccs.edu/ssh/session.aspx &
      service=ssh &
      IP=128.198.55.11 &
      sessionID=23hjhY43 &
      action=open
  • From Global.asax (close a network resource):
    http://localhost:8080/sispep/servlets/sispep ?
      subject=CN=Edward Chow, C=US, S=CO, …., E=chow@sis.uccs.edu, OU=Computer Science &
      URL=https://ncdcrx4.uccs.edu/ssh/session.aspx &
      service=ssh &
      IP=128.198.55.11 &
      sessionID=23hjf73G2 &
      action=close
  • The subject is the DN of the client certificate that IIS has already authenticated; the ISAPI filter and Global.asax forward it as a plain parameter, so the PEP must be reachable only by those trusted callers (here it is addressed as localhost:8080).

  15. Conditional Active-Session Access (CASA)
  • Idea: a Junior role can ONLY access a network resource IF its Senior role has an active session for that resource.
  • Why? To add finer access control.
  • How? The PEP maintains a table. An entry looks like:
    <Service name="SSH">
      <Senior>ProjectMngr</Senior>
      <Junior>Developer</Junior>
    </Service>
  • The PEP reads an XML policy file (the session policy).
  • The session policy file supports 3 cases:
    1) A CERTAIN Senior Role is required (e.g. the SSH entry above).
    2) ANY Senior Role is required (NOT including the junior role itself):
    <Service name="MySQL">
      <Senior>ANY</Senior>
      <Junior>Accountant</Junior>
    </Service>
    3) N Senior Roles are required (one entry per required senior):
    <Service name="SSH">
      <Senior>ITManager</Senior>
      <Junior>DBAdmin</Junior>
    </Service>
    <Service name="SSH">
      <Senior>CEO</Senior>
      <Junior>DBAdmin</Junior>
    </Service>

  16. CASA (cont'd)
  • The PEP reads the session policy file and creates two things:
    1) Hierarchical-Role tree, to answer: is Role A senior to Role B?
    2) Session Policy Table (Senior : Junior), to decide: for the requested service, is the Junior's access constrained by the Senior's?
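As an added illustration of the two structures the PEP builds (Python written for this page, not the thesis's Java PEP), the script below loads a session policy in the slide's XML form, checks each entry against a constructed role tree, and answers the open-request question for all three cases of the previous slide. The role tree, the active-session table as a set of (role, service) pairs, and the reading that case 3 requires every listed senior to hold a session are assumptions.

```python
"""CASA check: may a junior role open a network service right now? (constructed example)"""
from collections import defaultdict
import xml.etree.ElementTree as ET

# Constructed role tree, senior -> direct juniors (the thesis derives its tree from policy/AD).
HIERARCHY = {
    "CEO": ["CFO", "ITManager"],
    "CFO": ["Accountant"],
    "ITManager": ["ProjectMngr", "DBAdmin"],
    "ProjectMngr": ["Developer"],
}

# Session policy in the slide's format: case 1 (SSH/Developer), case 2 (MySQL/Accountant, ANY),
# case 3 (two SSH/DBAdmin entries: both ITManager and CEO must hold a session).
SESSION_POLICY = """<SessionPolicy>
  <Service name="SSH"><Senior>ProjectMngr</Senior><Junior>Developer</Junior></Service>
  <Service name="MySQL"><Senior>ANY</Senior><Junior>Accountant</Junior></Service>
  <Service name="SSH"><Senior>ITManager</Senior><Junior>DBAdmin</Junior></Service>
  <Service name="SSH"><Senior>CEO</Senior><Junior>DBAdmin</Junior></Service>
</SessionPolicy>"""


def is_senior(hierarchy, a, b):
    """True if role a is transitively senior to role b. A role is never senior to itself."""
    stack, seen = list(hierarchy.get(a, [])), set()
    while stack:
        r = stack.pop()
        if r == b:
            return True
        if r not in seen:
            seen.add(r)
            stack.extend(hierarchy.get(r, []))
    return False


def load_session_policy(xml_text, hierarchy):
    """Build the Senior:Junior table keyed by (service, junior).
    Repeated keys accumulate the N seniors of case 3. An entry whose Senior is not
    actually above the Junior in the tree is a policy error and is rejected."""
    table = defaultdict(list)
    for entry in ET.fromstring(xml_text).findall("Service"):
        service = entry.get("name")
        senior, junior = entry.findtext("Senior"), entry.findtext("Junior")
        if senior != "ANY" and not is_senior(hierarchy, senior, junior):
            raise ValueError(f"{senior!r} is not senior to {junior!r} in the role tree")
        table[(service, junior)].append(senior)
    return dict(table)


def casa_permits(table, hierarchy, active, service, junior):
    """Decide an 'open' request for (junior, service).
    active: set of (role, service) pairs with a currently open session.
    Unconstrained (service, junior) pairs pass; otherwise every required senior,
    or for ANY at least one genuinely senior role, must hold a session for this service."""
    required = table.get((service, junior))
    if not required:
        return True
    for senior in required:
        if senior == "ANY":
            if not any(is_senior(hierarchy, r, junior) for r, s in active if s == service):
                return False
        elif (senior, service) not in active:
            return False
    return True


if __name__ == "__main__":
    table = load_session_policy(SESSION_POLICY, HIERARCHY)
    sessions = {("ITManager", "SSH")}
    print(casa_permits(table, HIERARCHY, sessions, "SSH", "DBAdmin"))   # False: CEO session missing
    sessions.add(("CEO", "SSH"))
    print(casa_permits(table, HIERARCHY, sessions, "SSH", "DBAdmin"))   # True
```

Two details matter in practice: the senior's session must be for the same service (an open RDP session does not unlock SSH for the junior), and the ANY case has to consult the role tree, otherwise a junior holding its own session would satisfy its own constraint.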

  17. Code Highlights (1)
  • ISAPI Filter: must define two functions:
    • GetFilterVersion(): registers event notifications
      pVer->dwFlags = SF_NOTIFY_SECURE_PORT | SF_NOTIFY_AUTH_COMPLETE;
    • HttpFilterProc(): holds the code that is actually executed:
      • Intercept the URL:
        pfc->GetServerVariable(pfc, "URL", reqUrlBuf, &bufSize);
      • Intercept the request method:
        pfc->GetServerVariable(pfc, "REQUEST_METHOD", methBuf, &bufSize2);
      • Intercept the user's PKC:
        pfc->ServerSupportFunction(pfc, HSE_REQ_GET_CERT_INFO_EX, &ccex, dwSize);
      • Submit a request to the PEP:
        HttpFile = (CHttpFile*) pHttpSession.OpenURL(pepUrl);
      • Parse the XML response:
        CMarkup xml;  // traverse the XML response with this object

  18. Code Highlights (2)
  • Global.asax:
    • Application_BeginRequest()
      • User's PKC: Request.ClientCertificate.Subject;
      • URL: Request.Url.AbsoluteUri;
      • IP: Request.ServerVariables["REMOTE_ADDR"];
    • Application_AcquireRequestState()
      Session.Timeout = 1;  // in minutes
      srvSessionID = Session.SessionID;
      uri = new Uri(PolicyEnforcementPointUrl);
      webReq = WebRequest.Create(uri);
      PEPResponse = webReq.GetResponse();
      if (!permit)
          Response.Redirect("ErrorPage");
    • Session_End(): the same as Application_AcquireRequestState()'s code, but with action "close".

  19. Code Highlights (3)
  • Iptables Daemon (Java, JSSE):
    • Create the SSL context:
      sslctx = SSLContext.getInstance("TLSv1", "SunJSSE");
    • Define the keystores:
      PEPstore = KeyStore.getInstance("JKS", "SUN");
      PEPtrust = KeyStore.getInstance("JKS", "SUN");
    • Define and initialise the trust store:
      TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
      tmf.init(PEPtrust);
    • Define and initialise the daemon's own keystore (for the private key):
      KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509", "SunJSSE");
      kmf.init(PEPstore, keypass);
    • Initialise the SSL context:
      sslctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
      SSLServerSocketFactory ssf = sslctx.getServerSocketFactory();
    • Initialise the SSL server socket (a client certificate trusted by PEPtrust is required):
      secSock = (SSLServerSocket) ssf.createServerSocket(9876);
      secSock.setNeedClientAuth(true);
    • Execute commands on the Fedora Core host:
      rt = Runtime.getRuntime();
      rt.exec("cmd1");

  20. Performance Analysis (table; unit: ms). Columns: Web resources (ISAPI); Network resources (Global.asax), new session; Network resources (Global.asax), session refresh. (Measured values not preserved in the transcript.)

  21. Lessons Learned
  • It is not a good idea to use too many packages with different programming languages in one component (i.e. the Admin tool).
  • At the very beginning, I tried to use a package called "CryptLib" [59] to create ACs, but it didn't work.
  • I tried to use an HttpModule, but it turned out that it is triggered by aspx pages and can handle request-level events only. On the other hand, ISAPI filters and Global.asax were very good choices to go for:
    • ISAPI is very fast and works with any type of file.
    • Global.asax has the ability to deal with session- and application-level events.
  • Don't start implementing something from scratch unless you have spent sufficient time researching it and making sure that it does not already exist.
  • Generally speaking, it is really a good thing that a developer does not limit him/herself to a certain programming language or technology.
  • In fact, when I started working on this thesis, I only knew Java and some security-related things, so it took me some time to teach myself the required stuff to get this work done.
  • Now anyone who reads about this thesis can see that Java, C#, ASP.NET, JSP, C/C++, XACML, Iptables, X.509 certificates, ISAPI filters, OpenSSL, Tomcat, IIS, and Active Directory have been used. It wasn't easy though!

  22. Future Work
  • Extend the system to work in a multi-agency environment.
  • Develop more services that can take advantage of the existing RBAC architecture. For instance:
    • RBAC E-Voting: users can vote based on their roles.
    • RBAC Instant Messenger: users can chat based on their roles.
    • RBAC E-Mail: users can send e-mails based on their roles.
    • RBAC XXX and so on…
  • Support more operating systems (Mac, Solaris, …).
  • Improve the Admin tool to initialize and modify Active Directory, and to generate XACML policies.
  • Support wireless access.

  23. Thesis Contributions (an Invention Disclosure has been filed with CU TTO)
  • Provide an architecture for small- to mid-sized (potentially large-scale) companies to access sensitive resources securely according to a hierarchical role-based access policy.
  • Extend XACML's implementation to handle the Hierarchical Role-Based Access Control (HRBAC) model.
  • Add a new concept of secure access in which a Senior Role can restrict its Junior Role's access using active sessions.
  • Enhance IIS 6.0 with two components:
    • ENforCE-ISAPI Filter
    • ENforCE-Global.asax
  • Simplify PKI and PMI management, thereby reducing management cost and errors.

  24. ENforCE Demo / Q & A
  For references and more details, please refer to the thesis report: http://cs.uccs.edu/~gsc/pub/master/okhaleel/doc/osamaThesisReport.doc

  25.
  • Authentication: the process in which someone provides credentials to prove his or her identity.
  • CA: a trusted third party that issues digital certificates to be used by other parties. It vouches that the individual granted the certificate really is who he or she claims to be.
  • PKC: a digitally signed document that binds a public key to a subject (identity). The binding is asserted by a trusted CA.
  • CRL: a list, signed by the issuing CA, of the serial numbers of revoked certificates.
  • Authorization: the process used to determine whether the subject has the required permissions to access a protected resource.
  • AC: a digitally signed document that binds a set of attributes, such as group membership, role, or security clearance, to the AC holder.
  • AA: a trusted third party responsible for issuing, maintaining, and revoking ACs.

  26.
  • AD: a distributed directory service included in Windows Server 2000/2003.
    • Microsoft's LDAP-accessible directory.
    • Used to store and manage information about network resources across the domain: computers, groups, users, …
  • ISAPI filters: DLLs that extend and modify the functionality of IIS.
    • Powerful: they can modify both the incoming and the outgoing data stream for EVERY request.
  • Global.asax: a file that resides in the root directory of an ASP.NET application.
    • Contains code to handle application-level and session-level events raised by ASP.NET.
  • Iptables: a generic table structure for defining a set of rules that deal with network packets.
    • Rules are grouped into chains.
    • Chains are grouped into tables.
    • Each table is associated with a different kind of packet processing.
