SPARTA ISSO

Finished Projects

Distributed Systems Security

CORBA Security

Assess COTS ORB Security Features
Commercial ORB vendors are now beginning to ship their initial implementations of the CORBA Security specification. DARPA has made CORBA an integral part of the AITS Reference Architecture, and therefore CORBA Security is expected to play a key role in application security. We are participants in several ORB vendors' beta testing programs for their Security implementations. The Security implementations are being evaluated with respect to their compliance with the specification, completeness of the implementation, ease of administration, performance, and ability to be extended through interceptors and replaceability.

Object-Oriented Domain and Type Enforcement (OO-DTE)
OO-DTE provides scalable, role-based access control for CORBA systems. OO-DTE is an object-oriented extension of DTE, which has previously been implemented for the Unix operating system. Under DTE, each resource is assigned a type and each process runs under a domain. The DTE policy specifies the privileges for the domain to read and write certain types. In OO-DTE, each CORBA operation is assigned a type. The client and server processes each run in a domain. A client process can invoke an operation if it has the invoke privilege for the operation's type. A server process can implement an operation if it has the implement privilege for the operation's type. The language for expressing OO-DTE policy is called DTEL++.

OO-DTE has been implemented on both a DTE-kernel based system and on standard Solaris using a COTS ORB. A DTE-kernel based system provides non-bypassable access control for CORBA systems. ILU, a freely available ORB from Xerox PARC, has been modified to support OO-DTE on a DTE-enhanced version of BSD/OS. An above-kernel implementation of OO-DTE has been developed for Orbix on the Solaris operating system. Above-kernel OO-DTE performs access control in an Orbix filter. Although this version of OO-DTE lacks the non-bypassability feature of the kernel-based version, it has the benefit of using a COTS operating system and ORB. The two versions of OO-DTE are interoperable and use the same access control policy.

Current work is focusing on adding SSL to above-kernel OO-DTE and improving security policy administration. SSL certificates will convey domain information between client and server ORBs. SSL will also provide strong authentication, confidentiality, and integrity. Policy distribution and synchronization tools are being developed that will allow a centrally administered DTEL++ policy to be automatically distributed to CORBA systems within the enclave.

ORB Gateway
An ORB Gateway provides access control for CORBA operations entering an enclave. The ORB Gateway functions like a firewall proxy, but with a finer degree of control over the CORBA access policy than typically provided by a proxy. ORB Gateway access control policy is expressed in DTEL++, like OO-DTE. Each operation request is assigned a type according to the DTEL++ policy. The domain is determined by how the request's principal is authenticated to the ORB Gateway.

A portion of the ORB Gateway policy specifies how much trust to place in the authentication mechanism. Unauthenticated principals may be placed in a domain with relatively few privileges. Strongly authenticated principals may carry explicit domain information in their credentials. Currently, SSL is supported as an authentication mechanism. DCE and IPSec may be used in the future.
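The access decision described under OO-DTE (client needs invoke, server needs implement, on the operation's type) and the ORB Gateway's mapping of an authenticated principal to a domain, as an added illustration that is not SPARTA's code. The policy tables, domain and type names, and the set of trusted mechanisms are constructed stand-ins for a DTEL++ policy, not real DTEL++ syntax.

```python
"""Simplified OO-DTE / ORB Gateway access decision model (added example, not SPARTA's code)."""

# Constructed policy: a Python stand-in for a DTEL++ policy, not real DTEL++ syntax.
OPERATION_TYPES = {            # each CORBA operation is assigned a type
    "Account.balance": "acct_read_t",
    "Account.transfer": "acct_write_t",
    "Admin.shutdown": "admin_t",
}
DOMAIN_PRIVILEGES = {          # domain -> type -> privileges held on that type
    "teller_d": {"acct_read_t": {"invoke"}, "acct_write_t": {"invoke"}},
    "auditor_d": {"acct_read_t": {"invoke"}},
    "bank_server_d": {"acct_read_t": {"implement"}, "acct_write_t": {"implement"}},
    "guest_d": {},             # unauthenticated principals land here: no privileges
}
# Gateway trust in authentication mechanisms (constructed): only SSL credentials are
# trusted to carry an explicit domain; anything else gets the low-privilege domain.
DOMAIN_CARRYING_MECHANISMS = {"ssl"}
UNAUTHENTICATED_DOMAIN = "guest_d"


def has_privilege(domain, operation, privilege):
    """Default deny: unknown domain, untyped operation, or missing privilege all fail."""
    op_type = OPERATION_TYPES.get(operation)
    if op_type is None:
        return False
    return privilege in DOMAIN_PRIVILEGES.get(domain, {}).get(op_type, set())


def authorize(client_domain, server_domain, operation):
    """An invocation is allowed only if the client may invoke AND the server may
    implement the operation's type; either side lacking its privilege denies it."""
    return (has_privilege(client_domain, operation, "invoke")
            and has_privilege(server_domain, operation, "implement"))


def gateway_domain(mechanism, credential_domain=None):
    """Assign an inbound request's principal to a domain according to how it
    authenticated to the gateway. A domain claimed in the credential is honoured
    only for a trusted mechanism and only if the policy actually defines it."""
    if mechanism in DOMAIN_CARRYING_MECHANISMS and credential_domain in DOMAIN_PRIVILEGES:
        return credential_domain
    return UNAUTHENTICATED_DOMAIN


if __name__ == "__main__":
    d = gateway_domain("ssl", "teller_d")
    print(d, authorize(d, "bank_server_d", "Account.transfer"))  # teller_d True
```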

In the future, the ORB Gateway may also be used as a security technology bridge on an enclave boundary. Public key-based mechanisms, such as SSL, will undoubtedly be popular for CORBA used on the Internet. Private key mechanisms, such as DCE or Kerberos, may be more prevalent within enclaves. The ORB Gateway will be able to accept invocations using one security technology and re-invoke the operation with another security technology using equivalent credentials.