SPARTA ISSO

Finished Projects

Security Architecture and Modeling

Administration for Remote Trusted Systems

ARPA Order Number: F251
Principal Investigator: Richard Feiertag
Contractor: Trusted Information Systems, Inc.
3060 Washington Road
Glenwood, Maryland 21738
Phone: (301) 854-6889
FAX: (301) 854-5363
Title of Effort: Composable Replaceable Security Services

Abstract:
This project is developing a survivable security infrastructure to support distributed applications. The infrastructure will consist of distinct security services that can be composed in different ways to meet the needs of applications. Alternate compositions will be used to provide fault tolerance.

Objective:
The next generation of survivable distributed systems will include components that are autonomous, self-contained units of software with the properties of being portable, transportable, and mobile. For secure operation, interactions between these components must be controlled and regulated by distributed security mechanisms. The security mechanisms must have these same properties, so that security enforcement does not constrain the components' flexibility of operation, the same flexibility the system needs in order to achieve its goals of survivability and adaptability. Therefore, these distributed security mechanisms must be autonomous and must support a diverse range of software components. As a result, survivable systems must rest on a security infrastructure consisting of independent security services that have complex inter-relationships and yet are composable and pluggable. We are developing a collection of distributed security services that embody the properties needed for survivability: independence, multiplicity, fault-tolerance, variability, and composability.

These services will provide an infrastructure of security middleware that applications use in a manner independent of the underlying OS and networking technologies. There are significant challenges to implementing these properties. Each security service must be independent of other services (both security and application services). Each service implementation must be insulated from the implementations of the security services it uses, so that multiple, alternative implementations can be used equally well. Finally, scalability is a critical requirement: the number of services grows, the inter-relationships among them become more complex, and the number of diverse implementations increases. A coherent and analyzable security infrastructure must be composed from a large set of such inter-related services.

Approach:
To demonstrate how to meet these challenges, we will develop specific security services with the required properties such as composability and pluggability. We will identify a suite of necessary security services (e.g. identification, authentication, authorization, attribute services, accountability, communications security). We will define how they interrelate while being separate and independent, and we will demonstrate how they provide adequate security. We will develop reference implementations of selected services, including two diverse implementations of at least two critical services in the suite. We will use the reference implementations to demonstrate a security architecture that accommodates composability of services, and multiple variable, diverse implementations of service APIs. As we design the services, we will rigorously define their inter-relationships in order to assess the survivability of the overall security infrastructure. This technique will allow us to methodically assess the survivability impact of changes and additions to the suite of services, and adjust it to maximize survivability. Finally, we will adapt or construct distributed applications to demonstrate usage of these services, and also to demonstrate that the application's security requirements are met in a survivable manner.

We have identified several services that may be a starting point for the proposed work. These are: cryptographic services, key distribution services, public key infrastructure (PKI) services, authentication services, identity and attribute services, access control policy services, and auditing services. We anticipate that more services will be needed, that most or all services may exist in multiple alternative implementations, and that we will be able to demonstrate how the multiple implementations can be used by applications. Multiple instances of a service may use the same or different implementations. As an example of composition of services, an access control service might be built from one or more authentication and attribute services, and a policy service. Another service would then use such an access control service in the manner appropriate for access to application objects. It would define a set of security attributes and modes (of accessors and accessed objects) pertinent to the application domain, authenticate those attributes, and pass them to an access decision function that determines whether the policy permits such access.
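The composition described above, as an added illustration rather than code from the project: an access-control service assembled from independently implemented authentication, attribute and policy services behind a single access decision function. Two interchangeable authentication implementations are supplied, and a failed instance is listed first to show that the composition falls through to an alternate implementation. All service names, credentials, attributes and rules are constructed for the example.

```python
"""Added illustration (not the project's own code) of an access-control service
composed from separately implemented authentication, attribute and policy
services. All service names, rules and credentials below are constructed."""
import hmac
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


class SharedSecretAuth:
    """Authentication implementation 1: identity plus shared secret."""

    def __init__(self, secrets_by_id: Dict[str, str]):
        self._secrets = secrets_by_id

    def authenticate(self, credential: Dict[str, str]) -> Optional[str]:
        ident = credential.get("id", "")
        expected = self._secrets.get(ident)
        if expected is not None and hmac.compare_digest(
            expected.encode(), credential.get("secret", "").encode()
        ):
            return ident
        return None


class TokenAuth:
    """Authentication implementation 2: bearer-token lookup. Interchangeable
    with SharedSecretAuth because both expose the same authenticate() API."""

    def __init__(self, identity_by_token: Dict[str, str]):
        self._tokens = identity_by_token

    def authenticate(self, credential: Dict[str, str]) -> Optional[str]:
        return self._tokens.get(credential.get("token", ""))


class UnavailableAuth:
    """Stands in for a service instance that has failed (constructed)."""

    def authenticate(self, credential: Dict[str, str]) -> Optional[str]:
        raise ConnectionError("authentication service unreachable")


class DirectoryAttributes:
    """Attribute service: maps an authenticated identity to its security attributes."""

    def __init__(self, table: Dict[str, Iterable[str]]):
        self._table = {k: frozenset(v) for k, v in table.items()}

    def attributes_for(self, identity: str) -> FrozenSet[str]:
        return self._table.get(identity, frozenset())


class RulePolicy:
    """Policy service: a list of (required attribute, object, mode) allow rules."""

    def __init__(self, rules: List[Tuple[str, str, str]]):
        self._rules = rules

    def permits(self, attrs: FrozenSet[str], obj: str, mode: str) -> bool:
        return any(req in attrs and o == obj and m == mode for req, o, m in self._rules)


class AccessControlService:
    """Composition: one or more authentication services (tried in order, so an
    alternate implementation covers for a failed one), one attribute service
    and one policy service feeding a single access decision function."""

    def __init__(self, authenticators, attributes, policy):
        self._authenticators = list(authenticators)
        self._attributes = attributes
        self._policy = policy

    def decide(self, credential: Dict[str, str], obj: str, mode: str) -> bool:
        identity = None
        for auth in self._authenticators:
            try:
                identity = auth.authenticate(credential)
            except ConnectionError:
                continue  # survivability: fall through to the next instance
            if identity is not None:
                break
        if identity is None:
            return False  # fail closed: no authenticated identity, no access
        attrs = self._attributes.attributes_for(identity)
        return self._policy.permits(attrs, obj, mode)


def build_demo_service() -> AccessControlService:
    """Wire the composition with constructed sample data; the failed instance
    is listed first to exercise the fallback to alternate implementations."""
    return AccessControlService(
        authenticators=[
            UnavailableAuth(),
            SharedSecretAuth({"alice": "s3cret"}),
            TokenAuth({"tok-bob": "bob"}),
        ],
        attributes=DirectoryAttributes({"alice": ["hr"], "bob": ["eng"]}),
        policy=RulePolicy([("hr", "payroll", "read"), ("eng", "repo", "write")]),
    )
```

The decision function never sees credentials directly: it receives only an identity from whichever authentication instance answered, then attributes from the attribute service, and delegates the decision to the policy service. That separation is what lets each of the three services be replaced by an alternate implementation without touching the others.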

It will be necessary to follow a methodology in the development of the architecture, in order to address certain aspects of scalability and survivability. As the number of security services grows, interactions between them will become more complex. Our approach derives, in part, from ongoing work on public-key infrastructure (PKI). Even with the relatively small number of services needed for PKI, we have found that multiplicity and variability of service implementation yield significantly complex service architectures. Similarly, as more services are implemented, multiply implemented, and multiply deployed, it is important to verify that survivability is not adversely affected, e.g., that no single point of failure has been introduced. We will identify and demonstrate the use of analytic and control techniques on the architecture to address these issues of controlling complexity as the architecture scales and maintaining survivability as the architecture changes. We will show how this methodology can be used to track overall survivability as there are incremental increases in functionality due to new services or new compositions of services.

Security management and administration is rapidly becoming a critical problem, particularly as it applies to distributed heterogeneous systems. As more security services are introduced and applied to a multitude of heterogeneous components, it becomes increasingly difficult to properly configure and maintain the services consistently. An error by an administrator in maintaining a consistent configuration of security services can easily lead to a security vulnerability.
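One analytic technique of the kind the methodology calls for, as an added example that is not the project's own: model the architecture as services with multiple instances and their dependencies, then check whether losing any single instance leaves a required service unavailable, and compare before and after an incremental change. The service names, instances and dependencies are constructed; the baseline is fully redundant, and the change adds a single-instance audit service that access control is recomposed to depend on.

```python
"""Added illustration (not the project's own code) of a survivability check on
a service architecture: does any single service instance constitute a single
point of failure for the services an application requires? Service names and
dependencies are constructed."""
import copy
from typing import Dict, FrozenSet, List, Set, Tuple

# service name -> list of (instance name, services that instance depends on)
Architecture = Dict[str, List[Tuple[str, Set[str]]]]


def available_services(arch: Architecture,
                       removed: FrozenSet[str] = frozenset()) -> Set[str]:
    """Fixed-point computation: a service is available when at least one surviving
    instance has every service it depends on available. Instances caught in a
    dependency cycle never become available, which is the conservative answer."""
    avail: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for svc, instances in arch.items():
            if svc in avail:
                continue
            for inst, deps in instances:
                if inst not in removed and deps <= avail:
                    avail.add(svc)
                    changed = True
                    break
    return avail


def single_points_of_failure(arch: Architecture, required: Set[str]) -> Set[str]:
    """Instances whose loss, on its own, leaves some required service unavailable."""
    spofs: Set[str] = set()
    for instances in arch.values():
        for inst, _ in instances:
            if not required <= available_services(arch, frozenset({inst})):
                spofs.add(inst)
    return spofs


def new_single_points_of_failure(before: Architecture, after: Architecture,
                                 required: Set[str]) -> Set[str]:
    """Survivability impact of an incremental change: SPOFs present after it
    that were not present before."""
    return (single_points_of_failure(after, required)
            - single_points_of_failure(before, required))


def baseline_architecture() -> Architecture:
    """Constructed baseline: every service has two instances whose dependencies
    can each be satisfied by more than one instance."""
    return {
        "crypto": [("crypto-A", set()), ("crypto-B", set())],
        "key-dist": [("kd-A", {"crypto"}), ("kd-B", {"crypto"})],
        "authn": [("authn-pw", {"crypto"}), ("authn-cert", {"key-dist"})],
        "attr": [("attr-A", {"authn"}), ("attr-B", {"authn"})],
        "policy": [("policy-A", set()), ("policy-B", set())],
        "access-control": [
            ("ac-A", {"authn", "attr", "policy"}),
            ("ac-B", {"authn", "attr", "policy"}),
        ],
    }


def with_audit_service() -> Architecture:
    """Constructed incremental change: add a single-instance audit service and
    recompose both access-control instances to depend on it."""
    arch = copy.deepcopy(baseline_architecture())
    arch["audit"] = [("audit-A", {"crypto"})]
    for _, deps in arch["access-control"]:
        deps.add("audit")
    return arch


if __name__ == "__main__":
    required = {"access-control"}
    print(single_points_of_failure(baseline_architecture(), required))  # set()
    print(new_single_points_of_failure(baseline_architecture(),
                                       with_audit_service(), required))  # {'audit-A'}
```

The check is deliberately whole-architecture rather than per-service: adding a redundant-looking service can still create a single point of failure when every instance of a required service is recomposed to depend on the one new instance, which is exactly the case the before/after comparison catches.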