Information Sharing and Security in
Dynamic Coalitions
CSE333
Steven A. Demurjian
Computer Science & Engineering Department
371 Fairfield Road, Box U-2155
The University of Connecticut
Storrs, Connecticut 06269-2155
http://www.engr.uconn.edu/~steve
[email protected]
DCP-1
Overview of Presentation

CSE333



The Dynamic Coalition Problem
 Civilian Organizations
 Military Involvement/GCCS
Information Sharing and Security
 Federating Resources
 Data Integrity
 Access Control (DAC and MAC)
 Other Critical Security Issues
Stepping Back
 Security Issues for Distributed and
Component-Based Applications
Conclusions and Future Work
DCP-2
Crisis and Coalitions

CSE333



A Crisis is Any Situation Requiring National or
International Attention as Determined by the
President of the United States or UN
A Coalition is an Alliance of Organizations:
Military, Civilian, International or any
Combination
A Dynamic Coalition is Formed in a Crisis and
Changes as Crisis Develops, with the Key Concern
Being the Most Effective way to Solve the Crisis
Dynamic Coalition Problem (DCP) is the Inherent
Security, Resource, and/or Information Sharing
Risks that Occur as a Result of the Coalition Being
Formed Quickly
DCP-3
Near Simultaneous Crises
CSE333
Crisis Point
NATO Hq
Olympic Games
BOSNIA
(NATO)
KOSOVO
(US,UK)
Earthquake
(United Nations)
Ship Wreck
(UK,SP)
DCP-4
Crises in 2005

CSE333




Tidal Wave in Southeast Asia
Hurricanes in US
 Katrina – Louisiana and Mississippi
 Rita – Texas and Louisiana
Mudslides in Guatemala
Earthquake in Pakistan/India
Key Questions
 How do we React to Such Crises?
 What is Potential Role for Computer Scientists
and Engineers in Process?
 Can we Automate the Interactions Required for
the Critical Computing Infrastructure?
DCP-5
Emergent Need for Coalitions

CSE333
“Coalitions must be flexible and no one coalition is
or has the answer to all situations.”
» Secretary of Defense, Donald Rumsfeld

“Whenever possible we must seek to operate
alongside alliance or coalition forces, integrating
their capabilities and capitalizing on their
strengths.”
» U.S. National Security Strategy

“Currently, there is no automated capability for
passing command and control information and
situational awareness information between nations
except by liaison officer, fax, telephone, or loaning
equipment.”
» Undersecretary of Defense for Advanced Technology
DCP-6
The Dynamic Coalition Problem (DCP)

CSE333



Dynamic Coalition Problem (DCP) is the Inherent
Security, Resource, and/or Information Sharing
Risks that Occur as a Result of the Coalition Being
Formed Quickly
Private Organizations (PVO)
 Doctors Without Boarders
 Red Cross
Non-Government Organizations (NGO)
 State and Local Government
 Press Corps
Government Agencies
 FBI, CIA, FEMA, CDC, etc.
 Military
DCP-7
Supporting Advanced Applications
DCP Objectives for Crisis

CSE333






Federate Users Quickly and Dynamically
Bring Together Resources (Legacy, COTs, GOTs,
DBs, etc.) Without Modification
Dynamically Realize/Manage Simultaneous Crises
Identify Users by Roles to Finely Tune Access
Authorize, Authenticate, and Enforce a Scalable
Security Policy that is Flexible in Response to
Collation Needs
Provide a Security Solution that is Portable,
Extensible, and Redundant for Survivability
Include Management/Introspection Capabilities to
Track and Monitor System Behavior
DCP-8
DCP: Coalition Architecture
Clients Using Services
CSE333
U.S. Army
Client
Federal Agencies
(FEMA, FBI, CIA, etc.)
Client
Resources Provide Services
COTS
LFCS
(Canada)
U.S. Navy
Client
SICF
(France)
French
Air Force
Client
HEROS
U.S. Legacy
System
(Germany)
SIACCON
NATO
Database
Client
German
COTS
Client
NATO SYS
(Italy)
NGO/PVO
(Red Cross, NYPD, etc.)
Client
GCCS (US)
NGO/PVO
Resource
DCP-9
DCP
Joint and Combined Information Flow
Common Operating Environment
ARMY
CSE333
Combined: Many
Countries
GCCS-A
GCCS
CORPS
Joint Task Force
ABCS
MCS
XX
Coalition
Partners
NATO
Systems
Coalition
Systems
Marines
DIV
Air Force
GCCS-M
FAADC2I
MCS
Adjacent
Navy
GCCS-N
GCCS-AF
CSSCS
AFATDS
ASAS
TBMCS
TCO
JMCIS
X
BDE
BSA
TOC
MCS
||
BN
||
BN
||
MCS
MCS
CO
FBCB2
Joint - Marines, Navy, Air Force, Army
DCP-10
DCP: Combined Information Flow
CSE333
Maneuver
Logistics
GCCS - Joint/Coalition -
Air Defense/Air Operations
Fire Support
Combined Database
Intelligence
Network and Resource
Management
DCP-11
DCP: Coalition Artifacts and Information
Flow – Military Engagement
U.S. Global C2 Systems
Air Force
CSE333
Joint
Command
System
Battle
Management
System
NGO/
PVO
GCCS
U.N.
NATO
Navy
U.S.A
Army Battle
Command
System
Army
Combat
Operations
System
Marine Corps
Dynamic Coalition
AFATDS
GOAL: Leverage information
in a fluid, dynamic
environment
ASAS
FADD
ABCS
CSSCS
GCCS-A
MCS
Other
Army C2
DCP-12
DCP: Coalition Artifacts and Information
Flow – Civilian Engagement
CSE333
Red
Cross
Transportation
Pharma.
Companies
MDs w/o
Borders
Military
Medics
Govt.
Govt.
Local
Health
Care
CDC
EMTs
ISSUES:
Privacy vs. Availability in Medical Records
Support Life-Threatening Situations via
Availability of Patient Data on Demand
RNs
MDs
Other
State
Health
DCP-13
DCP:
Global Command and Control System
GLOBAL C2 SYSTEMS
CSE333
MOBILE SUBSCRIBER EQUIPMENT
DATA RADIO
SATELLITE
MISSION PLANNING
MET
SUPPORT
INTEL
SATCOM
MANEUVER
CONTROL
TOPO
AIR DEFENCE
ARTY
Client/Server
AIR DEFENCE
MET
MISSION PLANNING
SUPPORT
INTEL
MANEUVER
CONTROL
Client/Server
SATCOM
GCCS Provides:
- Horizontal and Vertical Integration
of Information to Produce a
Common Picture of the Battlefield
- 20 separate automated systems
- 625 locations worldwide
- private network
ARTY
TOPO
Company
AIR DEFENCE
SUPPORT
INTEL
Client/Server
SATCOM
ARTY
MANEUVER
CONTROL
Situational Awareness
FBCB2
/EBC
Tactical BATTLEFIELD C2Platoon
SYSTEM
EMBEDDED BATTLE COMMAND
Internet
FBCB2
/EBC
Squad
MOBILE SUBSCRIBER EQUIPMENT
DCP-14
DCP:
Global Command and Control System
CSE333
Joint Services
:
Weather
Video Teleconference
Joint Operations Planning and Execution System
Common Operational Picture
Transportation Flow Analysis
Logistics Planning Tool
Defense Message System
NATO Message System
Component Services
:
Army Battle Command System
Air Force Battle Management System
Marine Combat Operations System
Navy Command System
a.k.a
METOC
TLCF
JOPES
COP
JFAST
LOGSAFE
DMS
CRONOS
ABCS
TBMCS
TCO
JMCIS
DCP-15
DCP:
Global Command and Control System
Common Operational Picture
CSE333
Common Picture
DCP-16
DCP: Critical Requirements

CSE333



Difficult to Establish Roles
 Requires Host Administrator
 Not Separate Roles
No Time Controllable Access
 Time Limits on Users
 Time Limits on Resource Availability
 Time Limits on Roles
No Value Constraints
 Unlimited Common Operational Picture
 Unlimited Access to Movement Information
Difficult to Federate Users and Resources
 U.S. Only system
 Private Network (Not Multi-Level Secure)
DCP-17
GCCS Shortfalls: User Roles

CSE333



Currently, GCCS Users have Static Profile Based
on Position/Supervisor/Clearance Level
Granularity Gives “Too Much Access”
Profile Changes are Difficult to Make - Changes
Done by System Admin. Not Security Officer
What Can User Roles Offer to GCCS?
 User Roles are Valuable Since They Allow
Privileges to be Based on Responsibilities
 Security Officer Controls Requirements
 Support for Dynamic Changes in Privileges
 Towards Least Privilege
DCP-18
Non-Military Crisis: User Roles

CSE333



Emergent Crisis (Katrina) Requires a Response
Some Critical Issues
 Who’s in Charge?
 Who is Allowed to do What?
 Who can Mobilize Governmental Resources?
Roles can Help:
 Role for Crisis Commander
 Roles for Crisis Participants
 Roles Dictate Control over Resources
For Katrina: Lack of Leadership & Defined Roles
 Army Corps of Engineers Only Allowed to
Repair Levees – Not Upgrade and Change
DCP-19
GCCS Shortfalls: Time Controlled Access

CSE333

Currently, in GCCS, User Profiles are Indefinite
with Respect to Time
 Longer than a Single Crisis
 Difficult to Distinguish in Multiple Crises
 No Time Controllable Access on Users or
GCCS Resources
What can Time Constrained Access offer GCCS?
 Junior Planners - Air Movements of Equipment
Weeks before Deployment
 Senior Planners - Adjustment in Air
Movements Near and During Deployment
 Similar Actions are Constrained by Time Based
on Role
DCP-20
Non-Military Crisis:
Time Controlled Access

CSE333


Multiple Crisis Require Ability to Distinguish
Between Roles Based on Time and Crisis
Occurrence of Rita (one Crisis) Impacted the
Ongoing Crisis (Katrina)
Need to Manage Simultaneous Crisis w.r.t. Time
 Different Roles Available at Different Times
within Different Crises
 Role Might be “Finishing” in one Crisis (e.g.,
First Response Role) and “Starting” in Another
 Individual May Play Different Roles in
Different Crisis
 Individual May Play Same Role with Different
Duration in Time w.r.t. its Activation
DCP-21
GCCS Shortfalls: Value Based Access

CSE333

Currently, in GCCS, Controlled Access Based on
Information Values Difficult to Achieve
 Unlimited Viewing of Common Operational
Picture (COP)
 Unlimited Access to Movement Information
 Attempts to Constrain would have to be
Programmatic - which is Problematic!
What can Value-Based Access Offer to GCCS?
 In COP
 Constrain Display of Friendly and Enemy Positions
 Limit Map Coordinates Displayed
 Limit Tier of Display (Deployment, Weather, etc.)
DCP-22
Non-Military Crisis: Value Based Access

CSE333

In Katrina/Rita, What People can See and Do May
be Limited Based on Role
 Katrina Responders Limited to Katrina Data
 Rita Responders Limited to Rita Data
 Some Responders (Army Corps Engineers)
May Need Both to Coordinate Activities
Within Each Crisis, Information Also Limited
 Some Katrina Roles (Commander, Emergency
Responders, etc.) see All Data
 Other Katrina Roles Limited (Security
Deployment Plans Not Available to All
 Again – Customization is Critical
DCP-23
GCCS Shortfalls: Federation Needs

CSE333

Currently, GCCS is Difficult to Use for DCP
 Difficult to Federate Users and Resources
 U.S. Only system
 Incompatibility in Joint and Common Contexts
 Private Network (Not Multi-Level Secure)
What are Security/Federation Needs for GCCS?
 Quick Admin. While Still Constraining US and
Non-US Access
 Employ Middleware for Flexibility/Robustness
 Security Definition/Enforcement Framework
 Extend GCCS for Coalition Compatibility that
Respects Coalition and US Security Policies
DCP-24
Non-Military Crisis: Federation Needs

CSE333


Crisis May Dictate Federation Capabilities
Katrina
 Devastated Basic Communication at All Levels
 There was No Need to Federate Computing
Systems at Crisis Location with No Power, etc.
Rita
 Crisis Known Well in Advance
 However, Didn’t Prevent
 Disorganized Evacuation
 10+ Hour Highway Waits
 Running out of Fuel

Federation Myst Coordinate Critical Resources
DCP-25
Information Sharing and Security
Federated Resources
CSE333
RESOURCES
Command&Control Vehicles
Army Airborne Command & Control
System
JSTARS
Unmanned Aerial Vehicle
Satellites
Army Battle Command System
Embedded Command System
INTEL FUSION
Embedded Battle Command
AIR DEFENCE
Embedded Battle Command
FIELD ARTILLERY
Embedded Battle Command
MANEUVER CONTROL
Embedded Battle Command
Common Picture
PERSONNEL AND LOGISTICS
Embedded Battle Command
Fwd Support Element
Ammo/Fuel
Refit
ABCS
Bradley / EBC
Embedded Battle Command
DCP-26
Information Sharing and Security
Syntactic Considerations

CSE333



Syntax is Structure and Format of the Information
That is Needed to Support a Coalition
Incorrect Structure or Format Could Result in
Simple Error Message to Catastrophic Event
For Sharing, Strict Formats Need to be Maintained
In US Military, Message Formats Include
 Heading and Ending Section
 United States Message Text Formats (USMTF)
 128 Different Message Formats
Text Body of Actual Message
Problem: Formats Non-Standard Across Different
Branches of Military and Countries


DCP-27
Information Sharing and Security
Semantics Concerns

CSE333
Semantics (Meaning and Interpretation)
 USMTF - Different Format, Different Meaning
 Each of 128 Messages has Semantic Interpretation
 Communicate Logistical, Intelligence, and
Operational Information

Semantic Problems
 NATO and US - Different Message Formats
 Different Interpretation of Values
 Distances (Miles vs. Kilometers)
 Grid Coordinates (Mils, Degrees)
 Maps (Grid, True, and Magnetic North)
DCP-28
Information Sharing and Security
Syntactic & Semantic Considerations

CSE333







What’s Available to Support Information Sharing?
How do we Insure that Information can be
Accurately and Precisely Exchanged?
How do we Associate Semantics with the
Information to be Exchanged?
What Can we Do to Verify the Syntactic Exchange
and that Semantics are Maintained?
Can Information Exchange Facilitate Federation?
How do we Deal with Exchange to/from Legacy
Applications?
Can this be Handled Dynamically?
Or, Must we Statically Solve Information Sharing
in Advance?
DCP-29
Information Sharing and Security
Pragmatics Issues

CSE333

Pragmatics Require that we Totally Understand
Information Usage and Information Meaning
Key Questions Include:
 What are the Critical Information Sources?
 How will Information Flow Among Them?
 What Systems Need Access to these Sources?
 How will that Access be Delivered?
 Who (People/Roles) will Need to See What
When?
 How will What a Person Sees Impact Other
Sources?
DCP-30
Information Sharing and Security
Pragmatics Issues

CSE333

Pragmatics - Way that Information is Utilized and
Understood in its Specific Context
For Example, in GCCS
In te r-T O C
• M e ssa g in g
T O C -1
M -1 0 6 8
M -1 0 6 8
• VMF
• USM TF
• S itu a tio n A w a re n e ss
• B F A u n iq u e
• F ile s a n d D B S n a p sh o ts
• U n ica st F T P
• M u ltica st F T P
• E -m a il
• G lo b a l B ro a d ca st S a te llite
(G B S )
O p e ra tio n a l
O p e ra tio n a l
C h a lle n g e s
C h a lle n g e s
• A u to n o m y
• A u to n o m y
• Ju m p T O C s
• Ju m p T O C s
• S p lit T O C s
• S p lit T O C s
• S u rviva b ility
• S u rviva b ility
• B a n d w id th
• B a n d w id th
C o n te n tio n
C o n te n tio n
• S ca la b ility
• S ca la b ility
T O C 2 /A -C e ll
M -1 0 6 8
M -1 0 6 8
M -1 0 6 8
M -1 0 6 8
• D a ta b a se R e p lica tio n
In tra -T O C
In tra -T O C
• ACDB DB
• ACDB DB
S yn ch ro n iza tio n
S yn ch ro n iza tio n
(R P C -b a se d S R )
(R P C -b a se d S R )
T a c tic a l
W AN
M ixtu re o f clie n ts a n d
se rve rs
M -1 0 6 8
M -1 0 6 8
T O C 2 /B -C e ll
DCP-31
Information Sharing and Security
Pragmatics Issues
Pragmatics in GCCS

GBS
DSCS
CSE333
DR DR
GBS
SEN
VTel
BVTC
Info/Intel/Plans
BVTC
Mobility
BVTC
TGT/Fires
BVTC
SEN
SEN
DR
DR
SEN
DR
MVR BN
GBS
204FSB
DR
GBS DR DR
704MSB
LEN
Current FDD laydown has 53
autonomous Command
Post/TOCs (i.e., nodes)
GBS DR
DR
GBS
BCV
MVR BN
GBS
Node Estimate
CMDR
DR
BVTC
DR
Relay
SEN
GBS
DR
TAC
GBS DR DR
1st BDE
GBS
GBS
GBS DR
BVTC
SINCGARS (FS)
EPLRS (AD)
GBS
XX
Sustainment
XXX
DR
DISCOM
DIV REAR
SINCGARS (FS)
EPLRS (AD)
GBS
299
ENG
DR
For a full Corps >200 nodes
MVR BN
GBS
4-42FA
X
SEN
GBS
DIVARTY
BVTC
SEN
XX
Division
Slice
GBS
DR
GBS
124th SIG BN
DR
HCLOS
XXX
GBS DR
SEN
GBS GBS
SINCGARS (FS)
EPLRS (AD)
BCV
BVTC
DR
MVR BN
GBS
DR
SEN
GBS DR
DR
MVR BN
GBS
4 FSB
Relay
DR
GBS DR DR
DR
DR
MVR BN
GBS
3-16FA
X
DIV CDR
DMAIN
CMDR
DR
2nd BDE
A2C2S
VTel
DR
TAC
DIV CDR
GBS
BVTC
588
ENG
GBS DR DR
DR
C2V
Theater
Injection Point
(TIP)
SEN
GBS
SINCGARS (FS)
EPLRS (AD)
HCLOS
SEN
DR DR
DR
DR DR
DR
GBS
DR
4
ENG
GBS DR
TAC
Basic Distribution Requirement
• Distribution Polices
• Automation & Notification
• User Controls
• Transport Mechanisms
• System and Process Monitors
• Security, Logs, and Archives
CMDR
BCV
GBS
SEN
404 ASB
SEN
GBS DR DR
4th BDE
BVTC
SINCGARS (FS)
EPLRS (AD)
GBS DR DR
DTAC 1
BVTC
BVTC
SINCGARS (FS)
EPLRS (AD)
DR
DR
Relay
SEN
GBS DR
1/4 AVN BN
DR
GBS
2/4 AVN BN
DR
DR
DR
GBS
Distribution Policy
DR
MVR BN
GBS
64 FSB
GBS DR DR
GBS
DR
MVR BN
GBS
XX
SEN
DR
GBS DR DR
3rd BDE
MVR BN
GBS DR DR
9-1FA
3-29FA
DR
1/10
CAV
CMDR
BCV
SEN
GBS
DR
• What • How
• When
- Prioritized
• Where - Encrypted
- Network
1/10 CAV Sqdn
Note: 3rd BDE not part of 1DD in Sep 2000.
DCP-32
Information Sharing and Security
Data Integrity

CSE333

Concerns: Consistency, Accuracy, Reliability
Accidental Errors
 Crashes, Concurrent Access, Logical Errors
 Actions:
 Integrity Constraints
 GUIs
 Redundancy

Malicious Errors
 Not Totally Preventable
 Actions:
 Authorization, Authentication, Enforcement Policy
 Concurrent Updates to Backup DBs
 Dual Homing
DCP-33
Information Sharing and Security
Discretionary Access Control

CSE333

What is Discretionary Access Control (DAC)?
 Restricts Access to Objects Based on the
Identity of Group and /or Subject
 Discretion with Access Permissions Supports
the Ability to “Pass-on” Permissions
DAC and DCP
 Pass on from Subject to Subject is a Problem
 Information Could be Passed from Subject (Owner)
to Subject to Party Who Should be Restricted

For Example,
 Local Commanders Can’t Release Information
 Rely on Discretion by Foreign Disclosure Officer

Pass on of DAC Must be Carefully Controlled!
DCP-34
Information Sharing and Security
Role Based Access Control

CSE333

What is Role Based Access Control (RBAC)?
 Roles Provide Means for Permissions to
Objects, Resources, Based on Responsibilities
 Users May have Multiple Roles Each with
Different Set of Permissions
 Role-Based Security Policy Flexible in both
Management and Usage
Issues for RBAC and DCP
 Who Creates the Roles?
 Who Determines Permissions (Access)?
 Who Assigns Users to Roles?
 Are there Constraints Placed on Users Within
Those Roles?
DCP-35
Information Sharing and Security
Mandatory Access Control

CSE333

What is Mandatory Access Control (MAC)?
 Restrict Access to Information, Resources,
Based on Sensitivity Level (Classification)
Classified Information - MAC Required
 If Clearance (of User) Dominates
Classification, Access is Allowed
MAC and DCP
 MAC will be Present in Coalition Assets
 Need to Support MAC of US and Partners
 Partners have Different Levels/Labels
 Need to Reconcile Levels/Labels of Coalition
Partners (which Include Past Adversaries!)
DCP-36
Information Sharing and Security
Other Issues

CSE333
Intrusion Detection
 Not Prevention
 Intrusion Types:
 Trojan Horse, Data Manipulation, Snooping

Defense:
 Tracking and Accountability

Survivability
 Reliability and Accessibility
 Defense:
 Redundancy

Cryptography
 Fundamental to Security
 Implementation Details (key distribution)
DCP-37
A Service-Based Security Architecture
CSE333
DCP-38
Required Security Checks
CSE333
DCP-39
Stepping Back
Security for Distributed Environments

CSE333



Background and Motivation
 What are Key Distributed Security Issues?
 What are Major/Underlying Security
Concepts?
 What are Available Security Approaches?
Identifying Key Distributed Security Requirements
Frame the Solution Approach
Outline UConn Research Emphasis:
 Secure Software Design (UML and AOSD)
 Middleware-Based Realization (CORBA/JINI)
 Information Exchange via XML
DCP-40
Security for Distributed Applications
CSE333
How is Security Handled
for Individual Systems?
COTS
Database
Legacy
What if Security Never Available
for Legacy/COTS/Database?
Security Issues for New Clients?
New Servers? Across Network?
Legacy
COTS
NETWORK
Java
Client
Java
Client
What about Distributed
Security?
Legacy
Database
Security Policy, Model,
and Enforcement?
COTS
DCP-41
DC for Military Deployment/Engagement
U.S. Global C2 Systems
Air Force
CSE333
NGO/
PVO
OBJECTIVES:
Navy
Joint
Command
System
Battle
Management
System
GCCS
Securely Leverage Information in a
U.N.
Battle
Combat
Fluid Environment Army
Command
Operations
NATO Protect
U.S.A
System
System
Information While Simultaneously
Army
Marine Corps
Promoting the Coalition
Security Infrastructure in Support of DCP
LFCS
Canada
HEROS
Germany
SICF
France
AFATDS
ASAS
ABCS
CSSCS
GCCS-A
MCS
SIACCON
Italy
FADD
Other
DCP-42
DC for Medical Emergency
CSE333
Red
Cross
Transportation
Pharma.
Companies
MDs w/o
Borders
Military
Medics
Govt.
Govt.
Local
Health
Care
CDC
EMTs
ISSUES:
Privacy vs. Availability in Medical Records
Support Life-Threatening Situations via
Availability of Patient Data on Demand
RNs
MDs
Other
State
Health
DCP-43
Security Issues: Confidence in Security

CSE333
Assurance
 Do Security Privileges for Each User Support
their Needs?
 What Guarantees are Given by the Security
Infrastructure in Order to Attain:
 Safety: Nothing Bad Happens During Execution
 Liveness: All Good Things can Happen During
Execution

Consistency
 Are the Defined Security Privileges for Each
User Internally Consistent? Least-Privilege
Principle
 Are the Defined Security Privileges for Related
Users Globally Consistent? Mutual-Exclusion
DCP-44
Security for Coalitions

CSE333


Dynamic Coalitions will play a Critical Role in
Homeland Security during Crisis Situations
Critical to Understand the Security Issues for
Users and System of Dynamic Coalitions
Multi-Faceted Approach to Security
 Attaining Consistency and Assurance at Policy
Definition and Enforcement
 Capturing Security Requirements at Early
Stages via UML Enhancements/Extensions
 Providing a Security Infrastructure that Unifies
RBAC and MAC for Distributed Setting
DCP-45
Four Categories of Questions

CSE333



Questions on Software Development Process
 Security Integration with Software Design
 Transition from Design to Development
Questions on Information Access and Flow
 User Privileges key to Security Policy
 Information for Users and Between Users
Questions on Security Handlers and Processors
 Manage/Enforce Runtime Security Policy
 Coordination Across EC Nodes
Questions on Needs of Legacy/COTS Appls.
 Integrated, Interoperative Distributed
Application will have New Apps.,
Legacy/COTS, Future COTS
DCP-46
Software Development Process Questions

CSE333


What is the Challenge of Security for Software
Design?
 How do we Integrate Security with the
Software Design Process?
 What Types of Security Must be Available?
How do we Integrate Security into OO/Component
Based Design?
 Integration into OO Design?
 Integration into UML Design?
What Guarantees Must be Available in Process?
 Assurance Guarantees re. Consistent Security
Privileges?
 Can we Support Security for Round-Trip and
Reverse Engineering?
DCP-47
Software Development Process Questions

CSE333


What Techniques are Available for Security
Assurance and Analysis?
 Can we Automatically Generate Formal
Security Requirements?
 Can we Analyze Requirements for
Inconsistency and Transition Corrections Back
to Design?
How do we Handle Transition from Design to
Development?
Can we Leverage Programming Languages in
Support of Security for Development?
 Subject-Oriented Programming?
 Aspect-Oriented Programming?
 Other Techniques?
DCP-48
Information Access and Flow Questions

CSE333

Who Can See What Information at What Time?
 What Are the Security Requirements for Each
User Against Individual Legacy/cots Systems
and for the Distributed Application?
What Information Needs to Be Sent to Which
Users at What Time?
 What Information Should Be “Pushed” in an
Automated Fashion to Different Users at
Regular Intervals?
DCP-49
Information Access and Flow Questions

CSE333

What Information Needs to Be Available to Which
Users at What Time?
 What Information Needs to Be “Pulled” Ondemand to Satisfy Different User Needs in
Time-critical Situations
How Are Changing User Requirements Addressed
Within the Distributed Computing Application?
 Are User Privileges Static for the Distributed
Computing Application?
 Can User Privileges Change Based on the
“Context” and “State” of Application?
DCP-50
Security Handlers/Processing Questions

CSE333
What Security Techniques Are
 Needed to Insure That the Correct Information
Is Sent to the Appropriate Users at Right Time?
 Necessary to Insure That Exactly Enough
Information and No More Is Available to
Appropriate Users at Optimal Times?
 Required to Allow As Much Information As
Possible to Be Available on Demand to
Authorized Users?
DCP-51
Security Handlers/Processing Questions

CSE333


How Does the Design by Composition of a
Distributed Computing Application Impact on
Both the Security and Delivery of Information?
 Is the Composition of Its “Secure” Components
Also Secure, Thereby Allowing the Delivery of
Information?
Can We Design Reusable Security Components
That Can Be Composed on Demand to Support
Dynamic Security Needs in a Distributed Setting?
What Is the Impact of Legacy/cots Applications on
Delivering the Information?
DCP-52
Security Handlers/Processing Questions

CSE333


How Does Distribution Affect Security Policy
Definition and Enforcement?
Are Security Handlers/enforcement Mechanisms
Centralized And/or Distributed to Support
Multiple, Diverse Security Policies?
Are There Customized Security
Handlers/enforcement Mechanisms at Different
Levels of Organizational Hierarchy?
 Does the Organizational Hierarchy Dictate the
Interactions of the Security Handlers for a
Unified Enforcement Mechanism for Entire
Distributed System?
DCP-53
Legacy/COTS Applications Questions

CSE333
When Legacy/COTS Applications are Placed into
Distributed, Interoperable Environment:
 At What Level, If Any, is Secure Access
Available?
 Does the Application Require That Secure
Access Be Addressed?
 How is Security Added if it is Not Present?
What Techniques Are Needed to Control
Access to Legacy/COTS?
 What is the Impact of New Programming
Languages (Procedural, Object-oriented, Etc.)
And Paradigms?
DCP-54
Focusing on MAC, DAC and RBAC

CSE333


For OO Systems/Applications, Focus on Potential
Public Methods on All Classes
Role-Based Approach:
 Role Determines which Potential Public
Methods are Available
 Automatically Generate Mechanism to Enforce
the Security Policy at Runtime
 Allow Software Tools to Look-and-Feel
Different Dynamically Based on Role
Extend in Support of MAC (Method and Data
Levels) and DAC (Delegation of Authority)
DCP-55
Legacy/COTS Applications

CSE333


Interoperability of Legacy/COTS in a Distributed
Environment
Security Issues in Interoperative, Distributed
Environment
 Can MAC/DAC/RBAC be Exploited?
 How are OO Legacy/COTS Handled?
 How are Non-OO Legacy/COTS Handled?
 How are New Java/C++ Appls. Incorporated?
 Can Java Security Capabilities be Utilized?
 What Does CORBA/ORBs have to Offer?
 What about other Middleware (e.g. JINI)?
Explore Some Preliminary Ideas on Select Issues
DCP-56
A Distributed Security Framework

CSE333



What is Needed for the Definition and Realization
of Security for a Distributed Application?
How can we Dynamically Construct and Maintain
Security for a Distributed Application?
 Application Requirements Change Over Time
 Seamless Transition for Changes
 Transparency from both User and Distributed
Application Perspectives
Support MAC, RBAC and DAC (Delegation)
Cradle to Grave Approach
 From Design (UML) to Programming(Aspects)
 Information Exchange (XML)
 Middleware: Interoperating Artifacts & Clients
DCP-57
A Distributed Security Framework

CSE333


Distributed Security Policy Definition, Planning,
and Management
 Integrated with Software Development:
Design (UML) and Programming (Aspects)
 Include Documents of Exchange (XML)
Formal Security Model with Components
 Formal Realization of Security Policy
 Identifiable “Security” Components
Security Handlers & Enforcement Mechanism
 Run-time Techniques and Processes
 Allows Dynamic Changes to Policy to be
Seamless and Transparently Made
DCP-58
Interactions and Dependencies
Java
Client
Legacy
Client
Java
Client
DB Client
COTS
Client
CSE333
DB + SH
L + SH
Server + SH
CO+ SH
Enforcement Mechanism Collection of SHs
CO+ SH
DB + SH
Server + SH
L + SH
Security Components
L + SH
DB + SH
Formal Security Model
L: Legacy
CO: COTS
DB: Database
SH: Security
Handler
Distributed Security Policy
DCP-59
Policy Definition, Planning, Management

CSE333


Interplay of Security Requirements, Security
Officers, Users, Components and Overall System
Minimal Effort in Distributed Setting - CORBA
Has Services for
 Confidentiality, Integrity, Accountability, and
Availability
 But, No Cohesive CORBA Service Ties Them
with Authorization, Authentication, and
Privacy
Difficult to Accomplish in Distributed Setting
 Must Understand All Constituent Systems
 Interplay of Stakeholders, Users, Sec. Officers
DCP-60
Three-Pronged Security Emphasis
Secure Software Design
via
UML
with MAC/RBAC
CSE333
Secure Information
Exchange
via XML
with MAC/RBAC
Assurance
RBAC, Delegation
MAC Properties:
Simple Integrity,
Simple Security,
etc.
Safety
Liveness
Secure MAC/RBAC
Interactions via
Middleware in
Distributed Setting
DCP-61
Secure Software Design - T. Doan
Address Security in Use-Case
Diagrams, Class Diagrams,
Sequence Diagrams, etc.
Bi-Directional Translation - Prove that
all UML Security Definitions in UML in LogicBased Policy Language and vice-versa
Extending UML for the Design
and Definition of Security Requirements
CSE333
Iterate,
Revise
Formal Security Policy Definition using
Existing Approach (Logic Based Policy Language)
Must Prove Generation
Captures all Security
Requirements
Other Possibilities:
Reverse Engineer Existing Policy to
Logic Based Definition
UML Model with Security
Capture all Security Requirements!
Security Model Generation
RBAC99
GMU
RBAC/MAC
UConn
Oracle
Security
DCP-62
RBAC/MAC at Design Level

CSE333


Security as
First Class
Citizen in the
Design
Process
Use Cases
and Actors
(Roles)
Marked with
Security
Levels
Dynamic
Assurance
Checks to
Insure that
Connections
Do Not
Violate
MAC Rules
Poll Topic Archived System
Poll Topic Admin - TS
<<extend>>
<<extend>>
<<extend>>
Supervisor - T S
Enter Poll
Activate Poll
T opic - S
T opic - TS
Deactivate Poll
T opic - TS
<<include>>
<<include>>
<<include>>
Enter Question - C
Verify T opic - S
<<include>>
Categorize
Question - C
Enter
Enter
Junior
Ordinary
Special
Operator
Question - C
Question - S
<<extend>>
Enter Category - S
Senior Staff - S
-C
DCP-63
Secure Software Design - J. Pavlich

CSE333


What are Aspects?
 System Properties that Apply Across an Entire
Application
 Samples: Security, Performance, etc.
What is Aspect Oriented Programming?
 Separation of Components and Aspects from
One Another with Mechanisms to Support
Abstraction and Composition for System
Design
What is Aspect Oriented Software Design?
 Focus on Identifying Components, Aspects,
Compositions, etc.
 Emphasis on Design Process and Decisions
DCP-64
Aspects for Security in UML

CSE333
Consider the Class Diagram below that Captures
Courses, Documents, and Grade Records
 What are Possible Roles?
 How can we Define Limitations of Role
Against Classes?
DCP-65
A Role-Slice for Professors
CSE333
DCP-66
A Role Slide for Students
CSE333
DCP-67
Middleware-Based Security - C. Phillips
Database
Artifacts: DB, Legacy,
COTS, GOTS, with APIs
CSE333  New/Existing Clients use
Database
APIs
 Can we Control Access to Client
APIs (Methods) by …
Java
 Role (who)
Client
 Classification (MAC)
 Time (when)
(what)
Working Data
Security Authorization
Security Policy
Prototype Delegation
Client (SAC)
Client (SPC)
COTS
Client

Available
using
CORBA,
JINI, Java,
Oracle
Legacy
COTS
Legacy
Client
GOTS
NETWORK
Security Delegation
Client (SDC)
Unified Security Resource (USR)
Security
Policy
Services
Security
Authorization
Services
Security
Registration
Services
Security
Analysis and
Tracking (SAT)
DCP-68
Process-Oriented View
Security
Administrative
CSE333 and Management
Tools
Unified
RBAC/MAC
Security Model
Security Policy
Definition
RBAC/MAC
Enforcement
Framework
Security
Middleware
Analyses of RBAC/MAC
Model/Framework
Against SSE-CMM
Design Time
Security
Assurance
Run Time
Security
Assurance
Evaluation of
RBAC/MAC Model
Using DCP
DCP-69
Security for XML Documents

CSE333

Emergence of XML for
Document/Information
Exchange
Extend RBAC/MAC to XML
 Collection of Security
DTDs
 DTDs for Roles, Users, and
Constraints
 Capture RBAC and MAC

Apply Security DTDs to
XML Documents
 An XML Document Appears
Differently Based on Role,
MAC, Time, Value
 Security DTD Filters
Document
Security DTDs
n Role DTD
n User DTD
n Constraint DTD
Security Officer
Generates Security
XML files for the
Application
Application
DTDs and
XML
Application
DTDs
Application
XML Files
Appl_Role.xml
Appl _User.xml
Appl_Constraint.xml
Application
User’s Role
Determines
the Scope of
Access
to Each XML
Document
DCP-70
Concluding Remarks

CSE333




Objective is for Everyone to Think about the
Range, Scope, and Impact of Security
Question-Based Approach Intended to Frame the
Discussion
Proposed Solution for Distributed Environment
Current UConn Foci
 Secure Software Design
 Middleware Realization
 XML Document Customization
Consider these and Other Issues for DCP
DCP-71
Descargar

No Slide Title