ENforCE-Defense - University of Colorado Colorado Springs


ENgine for Controlling Emergent
Hierarchical Role-Based Access
(ENforCE HRBAccess)
Osama Khaleel
Thesis Defense
May 2007
Master of Science in Computer Science
University of Colorado, Colorado Springs
Committee Members:
Dr. Edward Chow, Chair
Dr. Terry Boult
Dr. Xiaobo Zhou
5/1/2007
okhaleel / ENforCE
1
Thesis Defense Outline
• Intro & Background
• Design
• Implementation
• Performance Analysis
• Lessons Learned
• Future Work
• Contribution
• Demo
• Q&A

Introduction
• Roles in any organization are hierarchical by their nature.
• Resources in any organization vary:
  • from a simple HTML web page,
  • to RDP/SSH access in which a user can gain full control.
• The mission becomes more complicated when users should access resources:
  • securely, and
  • based on their ROLES.
• Password-based protection falls far short of high-level security requirements.

Roles, users and direct access in the test organization (the "IF (...)" entries are conditional on another role's active session, see CASA below)

Role               | Name            | Direct access
-------------------+-----------------+----------------------------------------------
CEO                | PAM ZALABAK     | Admin Tool
CFO                | BRIAN BURNETT   | Finance-Mgmt; SSH; MySQL
Project Manager    | TERRY BOULT     | Projects-Manager; RDP
IT Manager         | KATE TALLMAN    | Resource-Manager; Passwords-Reset
Sales Manager      | JIM TIDWELL     | Sales-Write
Accounting Manager | JULIE BREWSTER  | Finance-Write
Network Admin      | EDWARD CHOW     | VLAN-Manager; SSH
Database Admin     | XIAOBO ZHOU     | MySQL Interface; MySQL; SSH IF (ITMgr & CEO)
Developer          | OSAMA KHALEEL   | Reports-Submission; RDP IF (ProjMgr)
Engineer           | BILL KRETSCHMER | Engineer-update-Read
Accountant         | AMIE WOODY      | View-Orders; MySQL IF (ANY)
Salesman           | LEVI GRAY       | Sales-Read

Background
• Authentication: Public Key Infrastructure (PKI)
  • Public Key Certificate (PKC)
  • Certificate Authority (CA)
  • Certificate Revocation List (CRL)
• Authorization: Privilege Management Infrastructure (PMI)
  • Attribute Certificate (AC)
  • Attribute Authority (AA)
• Role-Based Access Control (RBAC)
  • Core
  • Hierarchical
• Policy: eXtensible Access Control Markup Language (XACML)
  • Policy Enforcement Point (PEP)
  • Policy Decision Point (PDP)
• Engine
  • Active Directory (AD) [stores certificates]
  • ISAPI Filter [secures web-resource access]
  • ASP.NET Application File (Global.asax) [secures net-resource access]
  • Iptables [system firewall]


• RBAC: a mechanism/model for restricting access based on the role of authorized users.
  • Core: roles are assigned to users, and permissions are associated with roles, not directly with users.
  • Hierarchical: an enhancement to the core model in which senior roles inherit the permissions of more junior roles.
• XACML: an XML-based OASIS standard that describes:
  • a policy language, and
  • a request/response language.
  • The three main components in XACML are Rule, Policy, and PolicySet.
• The XACML RBAC profile has two main components:
  • Permission PolicySet (PPS)
  • Role PolicySet (RPS)
  • One PPS and one RPS are defined for each role.


• PPS:
  • defines the Policies and Rules that grant the permissions associated with a certain role.
  • contains a set of PPS references (<PolicySetIdReference>) through which it inherits the permissions of the more junior role each reference points to.
• RPS:
  • defines the role name, and
  • includes ONLY one PPS reference, which associates the role with the permissions defined in the corresponding PPS.

Example PPS for the CFO role (abbreviated as on the slide: function and data-type URIs are shortened):

<PolicySet PolicySetId="CFOPermissions">
  <Policy PolicyId="PolicyForCFORole">
    <Rule RuleId="FinanceManagementRule" Effect="Permit">
      <Target>
        <Subjects> <AnySubject/> </Subjects>
        <Resources>
          <Resource>
            <ResourceMatch MatchId="function: regexp-string-match">
              <AttributeValue DataType="string">
                https://ncdcrx3.uccs.edu/financial/finMgmt.aspx
              </AttributeValue>
            </ResourceMatch>
          </Resource>
        </Resources>
      </Target>
    </Rule>
  </Policy>
  <PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference>
  <PolicySetIdReference>AccMgrPermissions</PolicySetIdReference>
</PolicySet>

Example RPS for the CFO role:

<PolicySet PolicySetId="RPS:CFO">
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="function: string-equal">
          <AttributeValue DataType="string">CFO</AttributeValue>
          <SubjectAttributeDesignator DataType="string" AttributeId="role"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
  </Target>
  <PolicySetIdReference>CFOPermissions</PolicySetIdReference>
</PolicySet>

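The PDP-side resolution the two slides above describe, as an added Python example that is not part of the thesis code: it indexes RPS and PPS policy sets, follows PolicySetIdReference transitively so that a senior role inherits the permissions of its junior roles, and answers a (role, URL) request the way the PEP would expect. Python is used because the thesis components span Java, C# and C++ and the logic is what matters here. The SalesMgr, AccMgr and Salesman policy sets, their URLs, the enclosing Policies element and the rule/policy-set names are assumptions made for the demo; the MatchId values are shortened the way the slide shortens them.

```python
"""Resolve hierarchical RBAC permissions from XACML-style RPS/PPS policy sets."""
import re
import xml.etree.ElementTree as ET

# Constructed policy sets in the slide's abbreviated notation (assumed for the demo).
RPS_XML = """ <PolicySet PolicySetId="RPS:{role}">
  <Target><Subjects><Subject><SubjectMatch MatchId="function:string-equal">
   <AttributeValue DataType="string">{role}</AttributeValue>
   <SubjectAttributeDesignator DataType="string" AttributeId="role"/>
  </SubjectMatch></Subject></Subjects></Target>
  <PolicySetIdReference>{role}Permissions</PolicySetIdReference>
 </PolicySet>
"""
PPS_XML = """ <PolicySet PolicySetId="{role}Permissions">
  <Policy PolicyId="PolicyFor{role}Role"><Rule RuleId="{role}Rule" Effect="Permit">
   <Target><Subjects><AnySubject/></Subjects><Resources><Resource>
    <ResourceMatch MatchId="function:regexp-string-match">
     <AttributeValue DataType="string">{url}</AttributeValue>
    </ResourceMatch></Resource></Resources></Target></Rule></Policy>
{refs} </PolicySet>
"""

def pps(role, url, juniors=()):
    """One PPS: its own Permit rule plus a reference to each junior role's PPS."""
    refs = "".join(f"  <PolicySetIdReference>{j}Permissions</PolicySetIdReference>\n"
                   for j in juniors)
    return PPS_XML.format(role=role, url=url, refs=refs)

POLICY_XML = ("<Policies>\n"
              + "".join(RPS_XML.format(role=r) for r in ("CFO", "SalesMgr", "AccMgr", "Salesman"))
              + pps("CFO", r"https://ncdcrx3\.uccs\.edu/financial/finMgmt\.aspx", ("SalesMgr", "AccMgr"))
              + pps("SalesMgr", r"https://ncdcrx3\.uccs\.edu/sales/write.*", ("Salesman",))
              + pps("AccMgr", r"https://ncdcrx3\.uccs\.edu/financial/finWrite\.aspx")
              + pps("Salesman", r"https://ncdcrx3\.uccs\.edu/sales/read.*")
              + "</Policies>")

def load_policy_sets(xml_text):
    """Index every PolicySet by id: its resource rules, its references and,
    for an RPS, the role value its Target matches on the 'role' attribute."""
    sets = {}
    for ps in ET.fromstring(xml_text).findall("PolicySet"):
        role = ps.findtext("Target/Subjects/Subject/SubjectMatch/AttributeValue")
        rules = [(av.text.strip(), rule.get("Effect"))
                 for rule in ps.iter("Rule") for av in rule.iter("AttributeValue")]
        refs = [ref.text.strip() for ref in ps.findall("PolicySetIdReference")]
        sets[ps.get("PolicySetId")] = {"role": role and role.strip(),
                                       "rules": rules, "refs": refs}
    return sets

def effective_rules(sets, policy_set_id, seen=None):
    """Own rules first, then everything reachable through PolicySetIdReference.
    A reference cycle is cut; a dangling reference is an error (XACML would
    return Indeterminate), never a silent no-op."""
    seen = set() if seen is None else seen
    if policy_set_id in seen:
        return []
    if policy_set_id not in sets:
        raise KeyError(f"unresolved PolicySetIdReference: {policy_set_id}")
    seen.add(policy_set_id)
    rules = list(sets[policy_set_id]["rules"])
    for ref in sets[policy_set_id]["refs"]:
        rules.extend(effective_rules(sets, ref, seen))
    return rules

def decide(sets, role, url):
    """PDP-style decision: locate the RPS whose Target matches the role, then apply
    first-applicable over the effective rules. regexp-string-match is anchored in
    XACML, so re.fullmatch is the right comparison."""
    rps = next((pid for pid, ps in sets.items() if ps["role"] == role), None)
    if rps is None:
        return "NotApplicable"          # no RPS for this role: the PEP must deny
    for pattern, effect in effective_rules(sets, rps):
        if re.fullmatch(pattern, url):
            return effect
    return "Deny"

SETS = load_policy_sets(POLICY_XML)

if __name__ == "__main__":
    for role, url in [("CFO", "https://ncdcrx3.uccs.edu/financial/finMgmt.aspx"),
                      ("CFO", "https://ncdcrx3.uccs.edu/sales/read.aspx"),
                      ("Salesman", "https://ncdcrx3.uccs.edu/financial/finMgmt.aspx")]:
        print(f"{role:8} {url} -> {decide(SETS, role, url)}")
```

The CFO request for the sales read page is permitted only because CFOPermissions references SalesMgrPermissions, which in turn references SalesmanPermissions; the Salesman request for finMgmt.aspx is denied because references run one way, from senior to junior.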
Design
• By taking advantage of the concepts and technologies just mentioned, the goal is to build a structure/engine that provides:
  • Authentication
  • Authorization
  • Secure access based on users' ROLES
  • Protection for ANY type of resource
  • Fine-grained control based on active sessions
  • A PKI & PMI management tool

ENforCE Test-Bed
[Figure: network diagram. Public side: a main switch carrying the addresses 128.198.162.50 to 128.198.162.53. A FedoraCore4 gateway/firewall (10.0.0.1) fronts a local switch with the internal hosts Win2003 DC, Win2003 IIS and Windows XP on 10.0.0.10 to 10.0.0.13.]

ENforCE "Big Picture"
[Figure: architecture diagram. A user request passes IIS Authentication and reaches either the ISAPI filter (protected web resources) or the ASP.NET application's Global.asax (protected network resources). Both send an HTTP request to the Policy Enforcement Point, which gets the user's AC from Active Directory on the domain controller, gets a decision from the Policy Decision Point (RPS and PPS policies), checks the session policy against the session policy source, and returns an XML response. On the web path the result is Permit/Deny access; on the network path the PEP additionally sends open/close commands to the Iptables Control Daemon on the FC4 firewall machine, which gates access to the protected network resources.]

Implementation
• Two types of access:
  • Web-based resources (http://ncdcrx3.uccs.edu)
  • Network-based resources (http://ncdcrx4.uccs.edu)
• Web resources: accessed directly through IIS using https (port 443).
• Network resources:
  • Activate a web session first.
  • ENforCE will open the firewall for the specified service.
  • Physically access the service through the firewall.
  • The service port varies (e.g. SSH: 22, RDP: 3389).
• Components:
  • ISAPI Filter: enforces web-resource access (C/C++, MFC)
  • Global.asax: enforces net-resource access (C#/ASP.NET)
  • Policy Engine: PEP, PDP, Policy, RBAC (XACML, Java)
  • Firewall Daemon: updates Iptables rules (Java, JSSE)

Web resources (ISAPI)
[Figure: sequence diagram]
1) Web request arrives at IIS (IIS Authentication).
2) The ISAPI filter sends an HTTP request with the request attributes to the Policy Enforcement Point.
3) The PEP gets the user's AC from Active Directory on the domain controller.
4) The PEP gets a decision from the Policy Decision Point.
5) An XML response carrying the decision is returned to the ISAPI filter.
6) Access to the protected web resource is permitted or denied.

Network resources (Global.asax)
[Figure: sequence diagram]
1) The user requests a session from the ASP.NET application (IIS Authentication, Global.asax).
2) Global.asax sends an HTTP request with the request attributes to the Policy Enforcement Point.
3) The PEP gets the user's AC from AD on the DC.
4) The PEP gets a decision from the PDP.
5) The PEP checks the session policy (session policy source).
6) The PEP sends open/close commands to the Iptables Control Daemon on the FC4 firewall machine.
7) An XML response carrying the decision is returned to Global.asax.
8) The user physically accesses the service on the protected network resources through the firewall.

Requests to PEP
1) From ISAPI (access a web resource):
   http://localhost:8080/sispep/servlets/sispep ?
   • subject= CN=Edward Chow, C=US, S=CO, ...., [email protected], OU=Computer Science &
   • URL=https://ncdcrx3.uccs.edu/it/img.jpg &
   • method=GET &
   • service=web
2) From Global.asax (open a network resource):
   http://localhost:8080/sispep/servlets/sispep ?
   • subject= CN=Edward Chow, C=US, S=CO, …., [email protected], OU=Computer Science &
   • URL=https://ncdcrx4.uccs.edu/ssh/session.aspx &
   • service=ssh &
   • IP=128.198.55.11 &
   • sessionID=23hjhY43 &
   • action=open
3) From Global.asax (close a network resource):
   http://localhost:8080/sispep/servlets/sispep ?
   • subject= CN=Edward Chow, C=US, S=CO, …., [email protected], OU=Computer Science &
   • URL=https://ncdcrx4.uccs.edu/ssh/session.aspx &
   • service=ssh &
   • IP=128.198.55.11 &
   • sessionID=23hjf73G2 &
   • action=close

Conditional Active-Session Access (CASA)
• Idea: a junior role can ONLY access a network resource IF its senior role has an active session for that resource.
• Why? To add finer access control.
• How? The PEP maintains a table. An entry looks like (sessionID*service, role, subject, URL, IP):
  29gY3k0*ssh | Engineer | Subject | https://ncdcrx4.uccs.edu/ssh/net.aspx | 128.198.162.50
• The PEP reads an XML policy file (the session policy). The session policy file supports 3 cases:
  1) A CERTAIN senior role is required
  2) ANY senior role is required (NOT including itself)
  3) N senior roles are required

<Service name="SSH">
  <Senior>ProjectMngr</Senior>
  <Junior>Developer</Junior>
</Service>
<Service name="MySQL">
  <Senior>ANY</Senior>
  <Junior>Accountant</Junior>
</Service>
<Service name="SSH">
  <Senior>ITManager</Senior>
  <Junior>DBAdmin</Junior>
</Service>
<Service name="SSH">
  <Senior>CEO</Senior>
  <Junior>DBAdmin</Junior>
</Service>

CASA (cont'd)
• The PEP reads the session policy file and creates two things:
  1) A Hierarchical-Role tree, to answer: is Role A senior to Role B?
  2) A Session Policy Table, to decide: for the requested service, is the junior's access constrained by a senior's?

Session Policy Table (Senior : Junior)
Service | Senior : Junior
SSH     | CFO : Sales Mngr
        | ANY : Developer
RDP     | CEO : DB Admin
        | ITMngr : DB Admin

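The PEP-side handling described on the "Requests to PEP" slide and the two CASA slides, as an added Python example that is not the thesis code: it loads a session policy in the slide's <Service> format, derives the senior-of relation from the Senior/Junior pairs (the slide's Hierarchical-Role tree), keeps the sessionID*service table, and evaluates the three policy cases on every open request, dropping the entry again on close. Assumptions: seniority is treated as transitive, the extra RDP entry that gives Accountant a senior (so the ANY case has something to resolve against), the SessionPolicy wrapper element, the subjects, IPs and session IDs, and that the caller has already taken the role from the user's AC and had the PDP accept the request.

```python
"""CASA: a junior role may open a network service only while the senior role(s)
named in the session policy hold an active session for the same service."""
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

# Constructed session policy in the slide's <Service> format. The first four entries
# follow the slide; the RDP entry is assumed so that "ANY" has a senior to resolve.
SESSION_POLICY = """<SessionPolicy>
 <Service name="SSH"><Senior>ProjectMngr</Senior><Junior>Developer</Junior></Service>
 <Service name="MySQL"><Senior>ANY</Senior><Junior>Accountant</Junior></Service>
 <Service name="SSH"><Senior>ITManager</Senior><Junior>DBAdmin</Junior></Service>
 <Service name="SSH"><Senior>CEO</Senior><Junior>DBAdmin</Junior></Service>
 <Service name="RDP"><Senior>AccMgr</Senior><Junior>Accountant</Junior></Service>
</SessionPolicy>"""

def load_session_policy(xml_text):
    """The two structures the PEP builds: the session policy table
    (service -> junior -> required seniors) and the senior-of relation (role tree)."""
    table, seniors = {}, {}
    for svc in ET.fromstring(xml_text).findall("Service"):
        service = svc.get("name").lower()
        senior, junior = svc.findtext("Senior").strip(), svc.findtext("Junior").strip()
        table.setdefault(service, {}).setdefault(junior, []).append(senior)
        if senior != "ANY":
            seniors.setdefault(junior, set()).add(senior)
    return table, seniors

def is_senior(seniors, a, b):
    """Is role a senior to role b? Seniority is assumed transitive; a role is never
    senior to itself, which is what case 2's 'NOT including itself' requires."""
    todo, seen = list(seniors.get(b, ())), set()
    while todo:
        r = todo.pop()
        if r == a:
            return True
        if r not in seen:
            seen.add(r)
            todo.extend(seniors.get(r, ()))
    return False

def casa_allows(policy, role, service, sessions):
    """Case 1: the named senior must be active. Case 2 ('ANY'): some senior of the
    role must be active. Case 3: several entries for one junior, all must hold."""
    table, seniors = policy
    required = table.get(service.lower(), {}).get(role)
    if required is None:
        return True                                   # role unconstrained for this service
    active = {e["role"] for (_, svc), e in sessions.items() if svc == service.lower()}
    for need in required:
        if need == "ANY":
            if not any(is_senior(seniors, r, role) for r in active):
                return False
        elif need not in active:
            return False
    return True

def make_request(subject, url, service, ip, session_id, action):
    """Query string in the shape Global.asax sends to the PEP."""
    return urlencode({"subject": subject, "URL": url, "service": service,
                      "IP": ip, "sessionID": session_id, "action": action})

def handle_request(query, role, policy, sessions):
    """PEP side of an open/close request. `role` is assumed to come from the user's AC
    and to have passed the PDP already. Table key is sessionID*service, as on the slide."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    key = (q["sessionID"], q["service"].lower())
    if q["action"] == "close":
        return "Closed" if sessions.pop(key, None) else "Unknown"
    if q["action"] != "open" or not casa_allows(policy, role, q["service"], sessions):
        return "Deny"
    sessions[key] = {"role": role, "subject": q["subject"], "url": q["URL"], "ip": q["IP"]}
    return "Permit"

if __name__ == "__main__":
    policy, table = load_session_policy(SESSION_POLICY), {}
    url = "https://ncdcrx4.uccs.edu/ssh/session.aspx"
    for role, sid in [("Developer", "d1"), ("ProjectMngr", "p1"), ("Developer", "d1")]:
        req = make_request(f"CN={role}", url, "ssh", "128.198.55.11", sid, "open")
        print(role, "->", handle_request(req, role, policy, table))
```

A session refresh re-runs the same casa_allows check against the current table, which is where the "CASA decision" column in the session-refresh timings comes from. The slides do not say whether a junior's session is torn down when its senior closes; this example leaves an already open junior entry in place until its own close arrives, and only refuses new opens.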
Code Highlights (1)
• ISAPI Filter: must define 2 functions:
  • GetFilterVersion(): register event notifications
    pVer->dwFlags = SF_NOTIFY_SECURE_PORT | SF_NOTIFY_AUTH_COMPLETE;
  • HttpFilterProc(): holds the code that actually runs on each notification:
    • Intercept the URL:
      pfc->GetServerVariable(pfc, "URL", reqUrlBuf, &bufSize);
    • Intercept the request method:
      pfc->GetServerVariable(pfc, "REQUEST_METHOD", methBuf, &bufSize2);
    • Intercept the user's PKC:
      pfc->ServerSupportFunction(pfc, HSE_REQ_GET_CERT_INFO_EX, &ccex, dwSize);
    • Submit a request to the PEP:
      HttpFile = (CHttpFile*) pHttpSession.OpenURL(pepUrl);
    • Parse the XML response:
      CMarkup xml; and use this object to traverse the XML response.

Code Highlights (2)
• Global.asax:
  • Application_BeginRequest()
    • User's PKC: Request.ClientCertificate.Subject;
    • URL: Request.Url.AbsoluteUri;
    • IP: Request.ServerVariables["REMOTE_ADDR"];
  • Application_AcquireRequestState()
    Session.Timeout = 1; // in minutes
    srvSessionID = Session.SessionID;
    uri = new Uri(PolicyEnforcementPointUrl);
    webReq = WebRequest.Create(uri);
    PEPResponse = webReq.GetResponse();
    if (!permit)
        Response.Redirect("Error Page");
  • Session_End()
    • Similar to AcquireRequestState()'s code, but the action is "close".

Code Highlights (3)
• Iptables Daemon:
  • Define the keystores:
    PEPstore = KeyStore.getInstance("JKS", "SUN");
    PEPtrust = KeyStore.getInstance("JKS", "SUN");
  • Define & init the owned keystore (for the private key):
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509", "SunJSSE");
    kmf.init(PEPstore, keypass);
  • Define & init the trusted keystore:
    TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
    tmf.init(PEPtrust);
  • Create the SSL context:
    sslctx = SSLContext.getInstance("TLSv1", "SunJSSE");
  • Init the SSL context:
    sslctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
  • Init the SSL server socket (a client certificate from the trusted keystore is required, so only the PEP can issue commands):
    SSLServerSocketFactory ssf = sslctx.getServerSocketFactory();
    secSock = (SSLServerSocket) ssf.createServerSocket(9876);
    secSock.setNeedClientAuth(true);
  • Execute commands on the Fedora Core OS:
    rt = Runtime.getRuntime();
    rt.exec("cmd1");

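The command-execution step of the daemon, as an added Python example that is not the thesis code: the daemon's inputs (action, service, client IP) arrive over the network from the PEP, so before anything reaches iptables they are validated and the command is built as an argument vector rather than a string. Java's Runtime.exec(String) tokenises on whitespace and does not invoke a shell, so shell metacharacters are not the danger; a value such as "1.2.3.4 -j ACCEPT" becoming extra iptables arguments is, and ipaddress.ip_address rejects it. The rule shape (a FORWARD rule from the client to one protected host), the protected host 10.0.0.11, the MySQL port and the one-line wire format are assumptions.

```python
"""Build the iptables commands behind the daemon's open/close operations as argv lists."""
import ipaddress
import subprocess

# The slide gives SSH 22 and RDP 3389; MySQL 3306 is the usual default (assumed here).
SERVICE_PORTS = {"ssh": 22, "rdp": 3389, "mysql": 3306}
# Assumed address of the protected host behind the FC4 gateway.
PROTECTED_HOST = "10.0.0.11"

def firewall_rule(action, service, client_ip, target=PROTECTED_HOST):
    """argv for one FORWARD rule. 'open' inserts it, 'close' deletes the identical
    rule, so the two commands differ only in the -I/-D flag.
    An unknown action or service raises KeyError and a non-address raises ValueError
    before anything is executed: the daemon fails closed on a malformed command."""
    flag = {"open": "-I", "close": "-D"}[action]
    port = SERVICE_PORTS[service.lower()]
    src = ipaddress.ip_address(client_ip)   # "1.2.3.4 -j ACCEPT" is not an address
    dst = ipaddress.ip_address(target)
    return ["iptables", flag, "FORWARD", "-s", str(src), "-d", str(dst),
            "-p", "tcp", "--dport", str(port), "-j", "ACCEPT"]

def parse_daemon_command(line):
    """Assumed wire format for a PEP-to-daemon message: '<action> <service> <client-ip>'.
    Exactly three fields; anything else is rejected rather than passed through."""
    parts = line.strip().split()
    if len(parts) != 3:
        raise ValueError(f"malformed daemon command: {line!r}")
    return firewall_rule(*parts)

def apply_rule(argv, runner=subprocess.run):
    """Execute argv directly (no shell). The runner is injectable so a test can record
    the command instead of touching the host firewall."""
    return runner(argv, check=True)

if __name__ == "__main__":
    print(" ".join(parse_daemon_command("open ssh 128.198.55.11")))
    print(" ".join(parse_daemon_command("close ssh 128.198.55.11")))
```

Because the close command is the same rule with -D, a PEP that loses track of a session (the slide closes only from Session_End) leaves the rule in place; a daemon in this position should also expire rules on its own timer rather than rely solely on the close message.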
Performance Analysis (unit: ms)

Web resources (ISAPI)
Resource       | Retrieve AC from AD | PDP decision | Total request time
Finance Mgmnt  | 5.4750              | 3.0345       | 10.3476
Sales Write    | 6.2864              | 4.3872       | 13.7203
Posting orders | 6.9820              | 4.92345      | 13.8433
View orders    | 5.1734              | 4.1093       | 11.7390

Network resources (Global.asax), new session
Resource | Retrieve AC from AD | PDP decision | CASA decision | Firewall update | Total request time
SSH      | 5.8730              | 3.8264       | 2.3654        | 15.5093         | 29.4374
RDP      | 5.7639              | 4.9276       | 3.1093        | 17.1204         | 32.2841
MySQL    | 6.1927              | 3.1043       | 2.5831        | 14.7627         | 30.6392

Network resources (Global.asax), session refresh
Resource | Retrieve AC from AD | PDP decision | CASA decision | Total request time
SSH      | 6.8093              | 4.3298       | 3.9485        | 20.5912
RDP      | 7.7602              | 3.8749       | 2.2037        | 20.5382
MySQL    | 6.3175              | 3.7829       | 2.5582        | 19.7045

Lessons Learned
• It is not a good idea to use too many packages with different programming languages in one component (i.e. the Admin tool).
• At the very beginning, I tried to use a package called "CryptLib" [59] to create ACs, but it didn't work.
• I tried to use an HttpModule, but it turned out that it is triggered by aspx pages and can handle request-level events only. On the other hand, ISAPI filters and Global.asax were very good choices to go for:
  • ISAPI is very fast and works with any type of file.
  • Global.asax has the ability to deal with session- and application-level events.
• Don't start implementing something from scratch unless you have spent sufficient time doing research about it and making sure that it does not already exist.
• Generally speaking, it is really a good thing that a developer does not limit him/herself to a certain programming language or technology.
  • In fact, when I started working on this thesis, I only knew Java and some security-related things, so it took me some time to teach myself the required stuff to get this work done. Now anyone who reads about this thesis can see that Java, C#, ASP.NET, JSP, C/C++, XACML, Iptables, X.509 certificates, ISAPI filters, OpenSSL, Tomcat, IIS, and Active Directory have been used. It wasn't easy though!

Future Work
• Extend the system to work in a multi-agency environment.
• Develop more services that can take advantage of the existing RBAC architecture. For instance:
  • E-Voting: users can vote based on their roles.
  • Instant Messenger: users can chat based on their roles.
  • E-Mail: users can send e-mails based on their roles.
  • XXX, and so on…
• Support more operating systems (Mac, Solaris, …).
• Improve the Admin tool to initialize and modify Active Directory, and to be able to generate XACML policies.
• Support wireless access.

Thesis Contributions
• Provide an architecture for small to mid-sized (potentially large-scale) companies to address accessing sensitive resources securely according to a hierarchical role-based access policy.
• Extend XACML's implementation to handle the Hierarchical Role-Based Access Control (HRBAC) model.
• Add a new concept of secure access in which a senior role can restrict its junior role's access using active sessions.
• Enhance IIS 6.0 with two components:
  • ENforCE-ISAPI Filter
  • ENforCE-Global.asax
• Simplify PKI and PMI management, thereby reducing management cost and errors.
(An Invention Disclosure was filed with CU TTO.)

ENforCE Demo
Q&A
For references and more details, please refer to the thesis report:
http://cs.uccs.edu/~gsc/pub/master/okhaleel/doc/osamaThesisReport.doc



• Authentication: the process in which someone provides some kind of credentials to prove his or her identity.
• CA: a trusted third party that issues digital certificates to be used by other parties. It guarantees that the individual granted the certificate is really who he or she claims to be.
• PKC: a digitally signed document that binds a public key to a subject (identity). This binding is asserted by a trusted CA.
• CRL: a list signed by the issuing CA that contains the serial numbers of the revoked certificates.
• Authorization: the process that is used to determine whether the subject has the required permissions to access some protected resources.
• AC: a digitally signed document that binds a set of attributes like membership, role, or security clearance to the AC holder.
• AA: a trusted third party that is responsible for issuing, maintaining, and revoking ACs.


• AD: a distributed directory service included in Windows Server 2000/2003.
  • Microsoft's implementation of LDAP.
  • Used to store and manage all information about network resources across the domain: computers, groups, users, …
• ISAPI filters: DLLs that can be used to enhance and modify the functionality of IIS.
  • Powerful: they can modify both the incoming and outgoing data stream for EVERY request.
• Global.asax: a file that resides in the root directory of the ASP.NET application.
  • Contains code to handle application-level and session-level events raised by ASP.NET.
• Iptables: a generic table structure for defining a set of rules to deal with network packets.
  • Rules are grouped into chains.
  • Chains are grouped into tables.
  • Each table is associated with a different kind of packet processing.