Security for Object-Oriented Distributed Systems
One of the challenging aspects of security in object-oriented distributed systems is managing large-scale deployments while retaining fine-grained access control. Scaling problems develop when there are large numbers of users, large numbers of objects, complex interfaces, or all of the above. Although there are security standards for popular object-oriented architectures, the standards have largely ignored issues of scalability and management.
Under DARPA funding, SPARTA ISSO, the security research division of SPARTA, is developing two key security technologies for object-oriented distributed systems. The first is a security plug-in for CORBA (Common Object Request Broker Architecture from the Object Management Group) that provides access control for distributed objects. Object-Oriented Domain and Type Enforcement (OO-DTE) provides selective access to specific objects and methods by individual users according to their assigned roles. For example, an individual acting as a Planner might be allowed to invoke the "changePlanObjective" method belonging to a crisis action plan object while a Logistics Clerk is allowed to invoke the "assignSuppliesToMission" method.

The prototype OO-DTE plug-in is designed to be inserted into an Object Request Broker (ORB), the foundation of the CORBA infrastructure. An ORB is typically implemented as a set of libraries linked into each client and server application process. As shown in the figure above, when a client invokes a method on a remote object, the client-side ORB transmits an invocation request message to the ORB in the corresponding server. Before passing the request on to the server application, the ORB calls the OO-DTE plug-in to obtain an authorization check. If the check succeeds, the request is passed to the server application; if the check fails, the request is rejected and an exception is transmitted to the client. In many cases, the presence of OO-DTE can be transparent to the application, requiring only initialization changes. The prototype OO-DTE plug-in has been integrated with Inprise's Visibroker ORB.
Controlling access in large, object-oriented systems can be difficult because there may be many thousands of objects, classes, and methods that must be protected. Using conventional access control lists compounds this problem because each list can contain multiple entries whose combined effect is based on ordering and precedence rules. The result is a proliferation of complex access control information and a loss of understandability.
OO-DTE addresses these problems by providing a compilable high-level policy language called DTEL++ for specifying the desired access control configuration. DTEL++ closely resembles CORBA's interface definition language (IDL) so that application architects can use the same identifiers and terminology in DTEL++ that they used to define the client-to-server interfaces in IDL. DTEL++ provides a variety of "wild-card" techniques so that access control attributes can propagate by default through the inheritance hierarchy or the lexical name space. As a result, a small number of DTEL++ statements can easily specify the access control configuration for a large application system.
OO-DTE improves scalability by separating the authentication and authorization steps. The Secure Socket Layer (SSL) protocol provides authentication and transport security. A Role Authorization Database (RAD) provides authorization information by mapping each user identity onto a set of authorized roles. After establishing an SSL session, the OO-DTE plug-in sends the user's desired role in the header of the first request sent to the server. The OO-DTE plug-in validates the user's requested role against the RAD using the identity information provided by SSL. The plug-in uses that role for all subsequent access checks on the connection. OO-DTE has a policy distribution mechanism that allows role authorization and access control policy changes to be pushed to all OO-DTE hosts from a central management point.
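The three paragraphs above describe one request path: the server-side ORB hands each invocation to the plug-in, the plug-in binds a role to the SSL session by checking the role named in the first request's header against the RAD, and every later invocation on that connection is checked against the policy for that bound role. The following Python model is an added illustration of that flow, not SPARTA's plug-in code; the identities, roles, interface names, the `oo-dte-role` header key and the fnmatch-style wildcard patterns standing in for DTEL++'s default propagation through the lexical namespace are all constructed for the example (the real DTEL++ syntax is not shown on this page).

```python
"""Constructed model of the OO-DTE authorization flow (added example, not SPARTA's code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set


class AccessDenied(Exception):
    """Stands in for the exception the server ORB transmits back to the client."""


# Role Authorization Database: SSL-authenticated identity -> authorized roles.
# Subject names and roles are constructed sample data.
RAD: Dict[str, Set[str]] = {
    "CN=alice,O=example": {"Planner"},
    "CN=bob,O=example": {"LogisticsClerk"},
    "CN=carol,O=example": {"Planner", "LogisticsClerk"},
}

# Access control policy: role -> "Module::Interface::method" patterns.
# The wildcards model DTEL++'s default propagation over the lexical
# namespace; this dict syntax is the example's own, not DTEL++.
POLICY: Dict[str, List[str]] = {
    "Planner": [
        "Plans::CrisisActionPlan::changePlanObjective",
        "Plans::*::get*",
    ],
    "LogisticsClerk": [
        "Plans::CrisisActionPlan::assignSuppliesToMission",
        "Plans::*::get*",
    ],
}

ROLE_HEADER = "oo-dte-role"  # assumed header name for the requested role


def role_allows(role: str, interface: str, method: str) -> bool:
    """True if any policy pattern for the role matches Interface::method."""
    target = f"{interface}::{method}"
    return any(fnmatchcase(target, pattern) for pattern in POLICY.get(role, []))


@dataclass
class Connection:
    """One SSL session between a client ORB and a server ORB."""
    peer_identity: str          # subject established by SSL authentication
    role: Optional[str] = None  # bound from the first request's header


def authorize(conn: Connection, header: Dict[str, str], interface: str, method: str) -> None:
    """Server-side plug-in check for a single invocation request.

    On the first request the role named in the header is validated against
    the RAD using the SSL identity and then bound to the connection. Later
    requests reuse the bound role; their headers are ignored, so a client
    cannot switch roles mid-session without a new SSL session.
    """
    if conn.role is None:
        requested = header.get(ROLE_HEADER)
        if requested is None:
            raise AccessDenied("first request carries no role")
        if requested not in RAD.get(conn.peer_identity, set()):
            raise AccessDenied(f"{conn.peer_identity} is not authorized for role {requested}")
        conn.role = requested
    if not role_allows(conn.role, interface, method):
        raise AccessDenied(f"role {conn.role} may not invoke {interface}::{method}")


def invoke(conn: Connection, header: Dict[str, str], interface: str, method: str) -> str:
    """Model the server ORB: run the plug-in check, then dispatch or reject."""
    try:
        authorize(conn, header, interface, method)
    except AccessDenied as exc:
        return f"REJECTED: {exc}"
    return f"OK: {interface}::{method}"


def run_demo() -> List[str]:
    """Exercise the flow on constructed sessions; returns the ORB responses."""
    plan = "Plans::CrisisActionPlan"
    alice = Connection("CN=alice,O=example")
    bob = Connection("CN=bob,O=example")
    carol = Connection("CN=carol,O=example")
    return [
        invoke(alice, {ROLE_HEADER: "Planner"}, plan, "changePlanObjective"),
        # role already bound to Planner; header on a later request is ignored
        invoke(alice, {ROLE_HEADER: "LogisticsClerk"}, plan, "assignSuppliesToMission"),
        invoke(bob, {ROLE_HEADER: "Planner"}, plan, "changePlanObjective"),
        invoke(carol, {ROLE_HEADER: "LogisticsClerk"}, plan, "getStatus"),
    ]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The second call on Alice's connection is the point of separating authentication from authorization: the role is bound once per SSL session, so each subsequent check costs a pattern match rather than another RAD lookup, and a header naming a different role on a later request has no effect. Pushing a new RAD or POLICY to every host is the policy-distribution step the text mentions; in this model it amounts to replacing those two dicts.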

The second key security technology being developed by SPARTA ISSO is the Multi-Protocol Object Gateway (MPOG), a security gateway for CORBA and Java RMI traffic. As shown in the figure above, the MPOG prototype acts like an application firewall proxy protecting CORBA and Java RMI servers on a local area network while providing selective access to them by remote clients. The MPOG uses OO-DTE to limit the objects and methods that such clients can access. Although the MPOG interoperates with OO-DTE clients and servers using SSL, it has been designed to support multiple authentication technologies for non-OO-DTE hosts. MPOG provides highly configurable facilities for weighting and combining multiple security attributes into composite authorization ratings. MPOG also supports dynamic role authorization and policy updates using OO-DTE's policy distribution facilities.
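The paragraph above says the MPOG weights and combines several security attributes of a client into a composite authorization rating, which matters because non-OO-DTE clients may arrive with weaker authentication than SSL client certificates. The Python below is an added illustration of one way such a rating can be computed and compared against a per-method minimum; the attribute names, scores, weights and thresholds are constructed for the example and are not MPOG's configuration.

```python
"""Constructed model of composite authorization ratings (added example, not MPOG code)."""
from typing import Dict, Mapping

# Score each observed attribute value. Unknown values score 0 so that an
# attribute the gateway cannot classify never raises the rating.
ATTRIBUTE_SCORES: Dict[str, Dict[str, int]] = {
    "authentication": {"ssl-client-cert": 4, "kerberos": 4, "password": 2, "anonymous": 0},
    "network": {"lan": 3, "vpn": 2, "internet": 0},
    "transport": {"ssl": 2, "cleartext": 0},
}

# Relative weight of each attribute in the composite rating (constructed).
WEIGHTS: Dict[str, int] = {"authentication": 3, "network": 2, "transport": 1}

# Minimum rating required per target; the maximum achievable rating is 20.
MIN_RATING: Dict[str, int] = {
    "Plans::CrisisActionPlan::changePlanObjective": 20,
    "Plans::CrisisActionPlan::assignSuppliesToMission": 20,
    "Plans::CrisisActionPlan::getStatus": 8,
}


def composite_rating(attrs: Mapping[str, str]) -> int:
    """Weighted sum of the per-attribute scores for one client session."""
    total = 0
    for name, weight in WEIGHTS.items():
        value = attrs.get(name, "")
        total += weight * ATTRIBUTE_SCORES[name].get(value, 0)
    return total


def gateway_permits(attrs: Mapping[str, str], target: str) -> bool:
    """Allow the invocation only if the rating meets the target's minimum.

    A target with no configured minimum is denied (fail closed), so adding a
    new method to a protected server does not expose it until policy is pushed.
    """
    required = MIN_RATING.get(target)
    if required is None:
        return False
    return composite_rating(attrs) >= required


# Three constructed client profiles: an OO-DTE host on the LAN, a remote user
# with a password over a VPN, and an anonymous cleartext client on the Internet.
OODTE_CLIENT = {"authentication": "ssl-client-cert", "network": "lan", "transport": "ssl"}
REMOTE_CLIENT = {"authentication": "password", "network": "vpn", "transport": "ssl"}
ANON_CLIENT = {"authentication": "anonymous", "network": "internet", "transport": "cleartext"}

if __name__ == "__main__":
    for label, attrs in (("oo-dte", OODTE_CLIENT), ("remote", REMOTE_CLIENT), ("anon", ANON_CLIENT)):
        for target in MIN_RATING:
            print(label, composite_rating(attrs), target, gateway_permits(attrs, target))
```

With these numbers the remote password user rates 12, enough for `getStatus` but not for the two state-changing methods, while the anonymous client rates 0 and reaches nothing; the composite rating is what lets a single gateway serve clients of differing authentication strength without giving them identical access.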
Research Focus
Two Key Security Technologies
SPARTA ISSO is developing two key security technologies for Object-Oriented Distributed Systems:
- Object-Oriented Domain and Type Enforcement (OO-DTE); and
- The Multi-Protocol Object Gateway (MPOG).
OO-DTE is a security plug-in for CORBA applications that provides access control for distributed objects. OO-DTE provides selective access to specific objects and methods by individual users according to their assigned roles. SPARTA ISSO designed the prototype OO-DTE plug-in to be inserted into an Object Request Broker (ORB), the foundation of the CORBA infrastructure. OO-DTE provides transparent access control for security unaware applications.
SPARTA ISSO is also developing the MPOG, a security gateway for CORBA traffic. The MPOG prototype runs on a firewall protecting CORBA and Java RMI servers. It provides selective access to the servers for remote clients. The MPOG uses the OO-DTE access control mechanisms and policy language.
Additional Information
For additional technical information regarding Security for Object-Oriented Distributed Systems, contact Gregg Tally at 443-430-8000 or visit our Web page.
