Security
Part II
CS403/534
Distributed Systems
Erkay Savas
Sabanci University
Access Control
• Authorization: granting access rights
• Access control: verifying the access rights
• General Issues
• Firewalls
• Secure mobile code
– Protecting mobile code
– Protecting the host against mobile code
Access Control: a Model
• General model of controlling access to objects.
[Figure: Subject --(request for operation)--> Reference Monitor --(authorized request)--> Object]
• Subject: a process acting on behalf of users, or objects
that need the services of other objects
• Access control is about protecting the object against
invocations by subjects that are not authorized to have
specific methods carried out.
• Protection is enforced by a program called a reference
monitor, which must be tamperproof.
Access Control Mechanisms (1)
• Essence: Maintain an access control matrix
(ACM) in which entry ACM[S, O] lists the
operations that S is allowed to perform on
object O.
        O1    O2    ...   Oj    ...   Om
S1      e11   e12   ...   0     ...   e1m
S2      e21   e22   ...   e2j   ...   e2m
...
Si      0     ei2   ...   eij   ...   eim
...
Sn      en1   en2   ...   enj   ...   enm
• With many subjects and objects, the matrix would
be very large and many entries would probably be
empty
Access Control Mechanisms (2)
• Alternatives
1. Access Control List (ACL): Each object O maintains a
list (ACL) of the access rights of subjects that want
to access the object. This distributes the columns of the
ACM to the associated objects, leaving out the empty entries.
      Oj
S1    0
S2    e2j
...
Si    eij
...
Sn    enj
  ⇒  ACL of Oj: [ e2j, ..., eij, ..., enj ]
Access Control Mechanisms (3)
• Alternatives
2. Capabilities: Each subject is given a list of the
capabilities it has for each object.
– Not having a capability for a specific object means
the subject has no access rights for the object.
– Capability can be compared to a ticket giving its
holder certain rights
        O1   O2   ...  Oj   ...  Om
Si    [ 0    ei2  ...  eij  ...  eim ]
      ⇓
Si    [      ei2  ...  eij  ...  eim ]
– A capability must be protected against modification
by the holder
ACL vs. Capabilities
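• ACL-based access control
    Client: create access request R as subject S; send (S, R) to the server.
    Server (holds the object and its ACL):
        if (S appears in ACL)
            if (R appears in ACL[S])
                grant access;
• Capability-based access control
    Client: create access request R for object O; pass capability C; send (O, R), C to the server.
    Server (holds the object):
        if (R appears in C)
            grant access;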
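The two server-side checks above, and the requirement that a capability be protected against modification by its holder, as an added Python example that is not part of the original slides. The matrix contents, the key and all function names are constructed for illustration, and the HMAC tag is one assumed way of protecting the capability.

```python
import hashlib
import hmac
import json

# Constructed matrix: ACM[S][O] = operations S may perform on O (empty entries omitted).
ACM = {
    "S1": {"O1": {"read", "write"}, "O2": {"print"}},
    "S2": {"O1": {"read"}},
    "S3": {},
}
SERVER_KEY = b"constructed-demo-key"  # assumption: known only to the server

def to_acls(acm):
    """Distribute the columns: each object keeps {subject: rights}."""
    acls = {}
    for subject, row in acm.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls

def acl_check(acls, subject, obj, op):
    """Server side, ACL style: is S in the ACL, and is R in ACL[S]?"""
    return op in acls.get(obj, {}).get(subject, set())

def _tag(body):
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()

def issue_capability(acm, subject, obj):
    """Turn one non-empty row entry into a ticket (body, tag) for its holder."""
    rights = sorted(acm.get(subject, {}).get(obj, ()))
    if not rights:
        return None  # no capability means no access rights
    body = json.dumps({"obj": obj, "rights": rights}, sort_keys=True).encode()
    return body, _tag(body)

def cap_check(cap, obj, op):
    """Server side, capability style: verify the tag, then look for R in C."""
    if cap is None or not hmac.compare_digest(cap[1], _tag(cap[0])):
        return False  # missing, or modified by the holder
    claims = json.loads(cap[0])
    return claims["obj"] == obj and op in claims["rights"]

def holder_edits(cap, extra_right):
    # A holder can rewrite the body but cannot recompute the tag.
    claims = json.loads(cap[0])
    claims["rights"].append(extra_right)
    return json.dumps(claims, sort_keys=True).encode(), cap[1]
```

Note that the capability names the object and the rights but not the subject: like a ticket, it is honoured for whoever presents it.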
Protection Domains
• Issue: ACL or a capability list can still become
quite large. Reduce ACLs by means of protection
domains.
– A protection domain is an execution environment
shared by a collection of processes (subjects).
– It contains a set of (object, access rights) pairs,
listing the objects that can be accessed by all
processes executing within the domain and specifying
the operations permitted on each resource.
– For example, in UNIX, the protection domain of a
process is determined by the group identifier attached
to the process at login time.
• Implementation types
– Groups: each user belongs to a specific group that has
associated access rights
Protection Domains: Groups of Users
[Figure: World contains Sabanci and Anonymous; Sabanci contains Sabanci_Student, Sabanci_Faculty and Sabanci_IT; individual users (…, Erkay, Ahmet, Mehmet, …) are at the leaves.]
• The hierarchical organization of protection
domains as groups of users.
Protection Domains
– When a user who belongs to a certain group wants to
access a resource:
• The reference monitor needs to look up the access
rights of this group
• Then it has to check if the group contains the user.
• Determining the user’s membership may be costly
– Alternatively, a user can carry a certificate listing the
groups it belongs to.
– Question: How can a certificate be protected?
• Roles (role-based access control): The role that a
user assumes (project manager, employee, head
of department, etc., and sometimes more than one
simultaneously) determines the access rights (or,
more precisely, the protection domain in which he
operates).
Grouping Objects
• Instead of determining access rights for every
single object, the objects can be grouped.
– For example, objects can be grouped according to the
interfaces they implement.
– Many objects may implement the same interface.
– When a user wants to make an invocation using an
interface, the reference monitor checks if the user
can invoke a method in the associated interface.
– The access control is not done on the basis of specific
objects.
Firewalls (1)
• As long as the distributed system is isolated, the
techniques we have seen so far protect the system.
• But, what happens when outsiders are allowed to
access the resources controlled by the
distributed system?
• External accesses are controlled by a special
type of reference monitor known as a Firewall.
• Basically two types:
1. Packet Filtering Gateway (router): It operates as a
router and makes decisions as to whether or not to
pass a network packet based on the source and
destination address contained in the packet’s header.
Firewalls (2)
• A common implementation of a firewall.
[Figure labels: "Protect against incoming packets"; "Filter outgoing packets".]
Firewalls (3)
2. Application-level gateway:
– It inspects the content of incoming or outgoing
messages.
– For example, a mail gateway discarding any e-mail
messages exceeding a certain size.
– More sophisticated mail gateways are capable of
filtering spam e-mail.
– A proxy gateway works as a front end to a specific kind
of application and ensures that only those messages
meeting certain criteria are passed.
• For example, in order to prevent scripts and
applets contained in Web pages from being
downloaded into the LAN, all Web traffic is directed
through a web proxy gateway.
• Web proxy appears as a regular Web server.
Secure Mobile Code
• Migrating code is great for balancing
communication and computation load.
• There are security issues:
1. A malicious host may try to steal or modify
information carried by the mobile code.
2. Hosts must also be protected against malicious mobile
code.
– A user cannot decide whether or not to trust a
program he downloads from another host.
– Should we allow the mobile code to access the local
resources, and to what extent?
– We are trying to support code mobility, not to
stifle it.
– Issue: Allow access to local resources in a flexible,
yet fully controlled manner.
Protecting Mobile Agents (1)
• A mobile agent is roaming a distributed system
freely on behalf of a user
– Suppose it is searching for the cheapest airplane
ticket from Istanbul to New York.
– It has the authorization to make a reservation; hence
it carries the user’s credit card number.
– Issue: Protecting the credit card number against
theft and overcharging.
• Mobile agents cannot be fully protected against
all kinds of attacks
– But tampering with a mobile agent can at least be
detected.
Protecting Mobile Agents (2)
• The Ajanta system provides three mechanisms:
1. Read-only state: consists of a collection of data items
signed by the agent’s owner. It is easy to detect if
the read-only state of the agent has been tampered
with.
2. Append-only logs: Agent can securely collect
information while moving. Data can only be appended
to the log. It is not possible to modify or remove data
without the owner noticing this.
• When the log is empty, it has only an associated
checksum
$C_{init} = K^{+}_{owner}(N)$
where N is a secret nonce known only to the owner.
• Adding data X by server S to the log:
$C_{new} = K^{+}_{owner}(C_{old}, sig(S, X), S)$
Protecting Mobile Agents (3)
• Ajanta
2. Append-only logs (cont.):
• Removing data from the log:
$K^{-}_{owner}(C_{last}) \rightarrow C_{previous}, sig(S, X), S$
allowing the owner to check the integrity of X
3. Selective revealing: provide an array of data items,
each of which is intended for a designated server.
• Each entry is encrypted with the public key of the
designated server to ensure confidentiality
• The entire array is signed by the owner’s private
key to ensure the integrity of the array as a whole.
• If any entry is modified by a malicious host, any of
the designated servers will notice it.
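A tamper-evident append-only log in the spirit of mechanism 2, as an added Python example that is not part of the original slides and is not Ajanta's code. It substitutes a SHA-256 hash chain seeded with the secret nonce N for encryption under the owner's public key, so the owner verifies by recomputing forward from N instead of decrypting backward, and it uses an HMAC as a stand-in for sig(S, X); server names, keys and offers are constructed.

```python
import hashlib
import hmac
import os

def H(*parts):
    """SHA-256 over length-prefixed fields, so field boundaries are unambiguous."""
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return d.digest()

def sig(server_key, data):
    # Stand-in for sig(S, X): HMAC under a key the owner also knows (assumption).
    return hmac.new(server_key, data, hashlib.sha256).digest()

class AgentLog:
    """What the agent carries: the entries and ONE running checksum."""
    def __init__(self, c_init):
        self.entries = []              # (S, X, sig(S, X))
        self.checksum = c_init         # C_init, derived from the secret nonce N

    def append(self, server, server_key, data):
        s = sig(server_key, data)
        self.entries.append((server, data, s))
        self.checksum = H(self.checksum, s, server.encode())   # C_new

def owner_verify(nonce, server_keys, log):
    """Recompute the chain from N; any edit or removal changes the result."""
    c = H(nonce)
    for server, data, s in log.entries:
        key = server_keys.get(server)
        if key is None or not hmac.compare_digest(s, sig(key, data)):
            return False
        c = H(c, s, server.encode())
    return hmac.compare_digest(c, log.checksum)

def demo():
    nonce = os.urandom(16)
    keys = {"airline-a": b"constructed-key-a", "airline-b": b"constructed-key-b"}
    log = AgentLog(H(nonce))
    log.append("airline-a", keys["airline-a"], b"IST-JFK 540")   # constructed offers
    log.append("airline-b", keys["airline-b"], b"IST-JFK 610")
    intact = owner_verify(nonce, keys, log)
    cheapest = log.entries.pop(0)                  # a host drops a rival's offer
    after_removal = owner_verify(nonce, keys, log)
    log.entries.insert(0, (cheapest[0], b"IST-JFK 940", cheapest[2]))  # or edits it
    after_edit = owner_verify(nonce, keys, log)
    return intact, after_removal, after_edit
```

A host cannot repair the checksum after tampering because recomputing the chain requires the initial value derived from N, which it does not know.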
Protecting the Target: Models (1)
• Detecting that your resources have been
tampered with is not sufficient.
• Protection is necessary. Methods:
1. Sandbox model:
• Policy: Remote code is allowed to access only a
predefined collection of resources and services
• Mechanism: Check each instruction for illegal
access to resources and services. If an illegal
access is detected, stop the execution.
2. Playground model: A separate, designated machine is
exclusively reserved for running mobile code.
• Resources local to the playground, such as files and
network connections to external servers, are available to
programs executing in the playground.
Protecting the Target: Models (2)
[Figure: (a) a sandbox; (b) a playground.]
Protection in Java
• Java implements the sandbox model.
– It is easy to implement the sandbox model with
interpreted code.
• Overview:
– Each Java program consists of a number of classes from
which objects are created.
– There are no global variables or functions; everything is
part of a class.
– Program execution starts at a method called main.
– A Java program is compiled into a set of instructions
(so called bytecode) interpreted by JVM.
– JVM executes the bytecode by interpreting each of
its instructions.
Class Loaders
1. Class Loader:
– is responsible for downloading a specified class from a
location and installing it in the client’s address space at
run time.
– JVM can create objects by instantiating the
downloaded classes.
– A Class loader is just another Java class.
– Java uses only trusted class loaders.
– A developer can write his own class loader for
specialized purposes such as carrying out special
security checks before passing the bytecode to the
JVM.
– A Java program can install a class loader, but it cannot
change its own class loader, which would let it
circumvent the way class loading is normally
handled.
Bytecode Verifier
2. Bytecode Verifier:
• The second component in the sandbox model which
checks whether a downloaded class obeys the security
rules.
• It must contain no illegal instructions, no instructions that
could corrupt the stack or memory, no uninitialized variables, etc.
• Only classes downloaded from external servers are
checked.
• Classes located on client’s machine are generally
trusted.
• Question: A class file generated by a compiler for the
Java programming language always passes bytecode
verification. Why is it necessary then to check the
bytecode with the verifier?
Protection in Java: Overview
• The organization of a Java sandbox.
[Figure. Local site: Java program, Java interpreter, loader for local classes, loader for remote classes, class verifier, class repository, loaded class object. Remote site: class repository. Arrow label: "Request class".]
Security Manager
• A security manager performs various checks at
runtime.
– Java programs intended to be loaded are forced to use
a security manager (applets, servlets, RMI code).
They cannot circumvent the security manager.
– E.g., an I/O operation is checked for validity and will
not be carried out if the security manager says “no”.
– Early versions of Java (JDK1.0) strictly implemented
the sandbox model: applet security manager denied all
access to local resources by downloaded code. No file
access, no internet connections, etc.
– Later, remote code, signed by a trusted entity, was
granted the same permissions as local classes (JDK1.1)
Security Manager
Example: When an applet calls the exit method of the Runtime
class, the checkExit method of the security manager is called.
    public void exit(int status)
    {
        // Ask the installed security manager, if any, before exiting
        SecurityManager security = System.getSecurityManager();
        if (security != null)
            security.checkExit(status); // throws SecurityException if denied
        exitInternal(status); // private method
    }
– One security manager at a time
– A security manager can be replaced by another if the
former agrees to it.
• The Java 2 platform has a much more flexible
mechanism. A security policy maps code sources
to permission sets.
Java Security Mechanism (1)
– The security policy grants code access rights
depending on its source
– Code Location: a code base URL or a JAR file.
– A permission is any property checked by a security
manager
A security policy:
Code source 1 (code location, certificate)  →  Permission Set 1 (Permission #1a, Permission #1b)
Code source 2 (code location, certificate)  →  Permission Set 2 (Permission #2a, Permission #2b)
Java Security Mechanism (2)
• Policy Object:
– Class loader assigns permissions when loading classes,
by asking a policy object to lookup the permissions for
the code source of each class.
– The standard policy object reads policy files that
contain instructions for mapping code sources to
permissions.
– Example:
    // codeBase must be a quoted URL; the http:// scheme is assumed here
    grant codeBase "http://www.sabanciuniv.edu/~erkays/classes/"
    {
        permission java.io.FilePermission "/tmp/*", "read, write";
    };
This grants permission to read and write files in the
“/tmp” directory to all code that was downloaded from
www.sabanciuniv.edu/~erkays/classes.
Java Security Mechanism (3)
• Relationship between security classes
[Figure: the Class Loader loads a Class, queries the Policy Object and creates a Protection Domain, an object that encapsulates both the code source and the collection of permissions of the class. CodeSource: URL, Certificate. Permissions: …]
RMI Security Manager
• In an RMI application, the client program must install a
new security manager.
• System.setProperty("java.security.policy", "client.policy");
System.setSecurityManager(new RMISecurityManager());
• Security manager is a class that controls whether a
specific operation is permitted.
• grant
{
//Allow everything for now
permission java.net.SocketPermission "*:1024-65535",
"accept, connect, listen";
};
• On the command line:
java -Djava.security.policy=client.policy program
How Security Manager Works - 1
• When the SecurityManager needs to check permission,
it looks at the classes currently on the call stack.
• It gets the protection domains of all classes and asks
each protection domain if its permission collection allows
the operation that is currently being checked.
• If all protection domains agree, then the check passes.
• Otherwise, a SecurityException is thrown.
• Example: Suppose init method of an applet wants to
open a file. It might call
Reader in = new FileReader(name);
How Security Manager Works - 2
• Call stack during permission checking
Class            Method           Code Source         Permission
SecurityManager  SecurityManager  null                AllPermission
SecurityManager  checkRead        null                AllPermission
FileInputStream  constructor      null                AllPermission
FileReader       constructor      null                AllPermission
applet           init             applet code source  applet permissions
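The stack walk described above, applied to the call stack in this table and to the /tmp/* grant from the policy-file slide, as an added Python model that is not part of the original slides and is not the JDK's implementation. Class and function names mirror the slides for readability; the http:// scheme of the code base and the sample paths are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FilePermission:
    path: str      # "/tmp/*" means: files directly inside /tmp
    actions: tuple

    def implies(self, path, action):
        if action not in self.actions:
            return False
        if self.path.endswith("/*"):
            prefix = self.path[:-1]                     # "/tmp/"
            rest = path[len(prefix):]
            return path.startswith(prefix) and rest != "" and "/" not in rest
        return path == self.path

ALL_PERMISSION = object()  # what system classes (code source null) hold
# Policy from the slide's grant entry; the http:// scheme is an assumption.
CODEBASE = "http://www.sabanciuniv.edu/~erkays/classes/"
POLICY = {CODEBASE: [FilePermission("/tmp/*", ("read", "write"))]}

class SecurityException(Exception):
    pass

def protection_domain(code_source):
    """Policy lookup the class loader performs for a class's code source."""
    if code_source is None:
        return ALL_PERMISSION
    return POLICY.get(code_source, [])

def check_read(call_stack, path):
    """Every protection domain on the stack must allow the read."""
    for cls, method, code_source in call_stack:
        perms = protection_domain(code_source)
        if perms is ALL_PERMISSION:
            continue
        if not any(p.implies(path, "read") for p in perms):
            raise SecurityException(f"{cls}.{method} may not read {path}")

def applet_may_read(applet_source, path):
    """Call stack of the slide: applet.init -> FileReader -> ... -> checkRead."""
    stack = [("SecurityManager", "checkRead", None),
             ("FileInputStream", "constructor", None),
             ("FileReader", "constructor", None),
             ("applet", "init", applet_source)]
    try:
        check_read(stack, path)
        return True
    except SecurityException:
        return False
```

The system classes on the stack hold AllPermission, so the outcome is decided by the least-privileged frame, here the applet's own protection domain.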