Secure Component Composition for Networked Appliances¹
Bob Askwith, Qi Shi, Madjid Merabti
School of Computing and Mathematical Sciences, Liverpool John Moores University, Byrom St., Liverpool, L3 3AF
{r.askwith, m.merabti, q.shi}@livjm.ac.uk
Abstract: This paper provides a position statement on the problems of Secure Component Composition for Networked Appliance systems, based on speculative research recently carried out within our research group. We highlight the problems faced by engineers of such systems and give a brief description of Secure Component Composition techniques, and how these can be related to Networked Appliance systems. The remainder of the paper proposes a novel framework for Secure Component Composition for Networked Appliances.
I. INTRODUCTION

The evolution of networked computing suggests that we can expect ordinary everyday appliances such as TVs, home alarms, and cameras to become Networked Appliances. These future generations of ubiquitous computing will integrate pervasive, nearly invisible, appliances together with information suppliers (e.g. the Internet) to greatly enhance the quality of life for individuals and families. This will present to a user the image of a single virtual computer system consisting of all available networked resources [1].

The security protection of such a Networked Appliance (NA) system is paramount [2]. It is built from dynamic, distributed and heterogeneous components including software and hardware, to provide a networked information space. The system should be able to adapt and react to changing requirements and quality of service (QoS) demands that result from its highly fluid and heterogeneous environment [3]. Such requirements are also in line with the demands of active/programmable networks [4]. Due to these characteristics, the system security protection will be complex and is becoming one of the most challenging research issues that need to be addressed within this area.

The aim of this paper is to speculatively discuss the requirements and solutions to the problem of secure composition of such NA systems from the viewpoint of their components. Secure Composition is an active research field within computer security, but has not yet been applied to systems such as NA. Secure Composition techniques are used to determine the security of a software system from the security of its components (e.g. whole programs, plug-ins, or code fragments) in such a way that if each component analysed separately meets some localised security requirements, then the whole system can be guaranteed to satisfy its global security requirements. This simplifies system security evaluation as components are smaller and simpler to evaluate, and facilitates the dynamic construction of a secure system from components with various levels of security. In this sense we see secure component composition as an enabling technology for NA systems. One particular problem where we apply our research is to those NA systems that involve Programmable Networks.

We propose an extendable software framework using the secure component composition technique, to provide the runtime security evaluation and control of a NA (software) system based on its components in an automated, dynamic and adaptive manner. The extendibility will permit newly developed secure component composition methods to be incorporated into the framework to improve its cost-effectiveness. The automation means that the framework should operate autonomously with minimal interactions with users. The dynamic feature of the framework will enable the system security to be re-evaluated whenever a change to the system is made, e.g. a new appliance is plugged into the system. The adaptiveness will allow the framework to select appropriate methods available for security evaluation in relation to changes made to the system, and to decide alternative secure solutions when the changes fail to meet the system security requirements. This framework is crucial for a NA system because its dynamic, active/programmable, distributed and heterogeneous characteristics make the boundaries of the system security much more intricate than those for traditional monolithic applications.

¹ This project is supported by the UK Engineering and Physical Sciences Research Council (EPSRC), grant no: GR/S01634/01.
Expecting users, who today have difficulty in managing the security of simple systems, to control the security of their own much more complex NA systems in the future is simply not realistic. Nowadays, even systems administered by professionals have problems with security control [5]. One way to give users security assurance is by providing automated system security evaluation and control at runtime, which this project aims to achieve. The software framework proposed in this paper is novel in that to the best of our knowledge, there is no other work on how to determine and control the security of an active/programmable, distributed and heterogeneous NA system at runtime in an automated, dynamic and adaptive manner, although a considerable body of work has been devoted to the topic of secure component composition.

The remainder of the paper is structured as follows: in section 2 we discuss the requirements for secure networked appliances before examining the limitations of current NA and Secure Component Composition research in section 3. In section 4 we discuss the proposed framework with conclusions in section 5.
II. SECURE NETWORKED APPLIANCE REQUIREMENTS

Our concern is for the security of pervasive systems of devices, typically wireless, and potentially with an underlying networking infrastructure that is programmable. Mobile terminals such as cellular phones, PDAs (Personal Digital Assistants), and notebooks will become the major man-machine interface for NA systems instead of traditional PCs. Over the next few years such devices will become as common as the PC, with most coming Internet enabled through short-range connectivity via techniques such as Bluetooth, HomeRF, and DECT. These will stimulate the development of NA applications. However, the future growth of NA will heavily rely on security. Without users' confidence in security, NA will not become reality. Thus there are urgent needs for the development of appropriate security protection for NA. This problem is aggravated by the lack of current understanding of the overall security of systems that integrate Active/Programmable network components. The framework proposed in this paper will provide a solution to one of the foremost aspects of such security protection.

The traditional security goals of Confidentiality, Integrity and Availability appear in NA systems with much the same importance as they do in other networked systems. However, there are some important issues that limit the immediate application of well understood techniques from the world of desktop computing.

1) Device capabilities: many of the appliances in a NA system will have limited processing power, with the consequence that security will need to be distributed throughout the network. This is a divergence from traditional networked systems, which place much of the responsibility for security on the end system.

2) Users: it is unreasonable to expect the user of a NA network to be able to understand the detailed security requirements of the system, so the management of the system security must be as removed from the user as possible, i.e. as automated as possible.

3) Composition: the range of devices, system software and applications found in a NA system will likely be much larger. Therefore it should be possible to analyse the security of the system as each component is added to or removed from the system.

4) Programmability: the advent of Programmable Networks is likely to impact on NA systems owing to their added flexibility in supporting new and dynamic services across a network. Unfortunately the security implications of these systems are not yet understood in detail. A framework for building NA systems must allow for programmability.
III. BACKGROUND AND CURRENT LIMITATIONS

This section gives some background on the problems for security in Networked Appliances, followed by a discussion of secure component composition techniques.

A. Networked Appliances

From the networking perspective the key drivers of NA will be the security, mobile computing, and wireless communication technologies as well as their integration. They will bring together hardware devices with different computing powers, software supplied by different developers, and information with different sources and security requirements, to enable a NA system to offer individual services in a flexible, customised and secure manner from anywhere at anytime. Specifically, active/programmable networks, software agents, and wireless communications technologies will play important roles.

The development of active networks is an important contribution to the fast evolving world of networking [4]. These networks are active in the sense that nodes can perform computations so as to allow the rapid creation, deployment and management of much more dynamic and customisable application services across networks. There are several approaches to active networks, depending on requirements for the service types being developed. Some approaches allow packets to carry mobile agents (consisting of code, data and states) whilst others allow packets to carry only the names of programs to be executed at an 'active' node. Active networks provide a well-established execution environment with ample computational, storage and bandwidth resources for the development of flexible and customised NA applications.
One of the main challenges identified in [6] is the facility for a NA application to adapt and react to changing requirements and quality of service (QoS) demands that result from its heterogeneous environment. These requirements are in line with the demands of future active/ programmable networks [4]. One solution suggested by David Clark in [6] is the design and building of a Personal Router, which would meet the above service rich requirements. In particular, David Clark suggests the implementation of a core dynamic application composition framework, and identifies the issues of security and privacy as research challenges to be resolved. Another main challenge is the development of new architectures for an integrated support in personal mobility. Active networks can support agent execution platforms to allow the development of large-scale, loosely coupled distributed systems. An agent is loosely defined as a software program that can operate autonomously to perform given tasks, and may collaborate and communicate with other agents or users. Agents may be either stationary or mobile. Stationary agents reside at a single platform, while mobile agents can suspend their operations on one platform and move to another to continue their operations. Mobile agents could even clone themselves to create new agents on the fly. The use of software agents offers a number of benefits, e.g. reduced network latency, asynchronous and autonomous execution, natural heterogeneity, and fault tolerability [7]. These characteristics will allow software agents to play very important roles in a future NA system. 
For example, a stationary agent could be employed to manage a person's finance and operate on a single platform managed by a trusted service provider, and several mobile agents could be used in coordination to search the Internet to purchase a movie at the lowest price which the agents could find, and then save the purchased movie on a networked video device in that person's house.

The convergence of wireless and wired networks enables mobile users to receive Internet services from anywhere at anytime, as well as ad-hoc networks which form according to local service availability [8]. Future wireless communications will further integrate different access technologies, such as cellular, cordless, WLAN, short range connectivity, broadcasting, and wired networking, into a seamless IP-based core network to provide various multimedia services for mobile users at a high data rate in an optimal manner [9]. These services will be essential to the development of NA applications as mobile terminals will be used as the major man-machine interface for the applications and short-range connectivity will be embedded in everyday appliances to network them together. For example, when a family wants to take a holiday in a sunny country, they can use a mobile terminal to send out a mobile agent to book a hotel and later check details, carried back by the agent, about the booked hotel and a map showing how to get to the hotel by car. While the family is on holiday, they can use a Bluetooth enabled mobile terminal to connect networked security cameras at home to a Bluetooth enabled TV in their hotel room to check whether their house has been burgled.

There are a number of security problems involved in the above areas, for which more research efforts are needed to find appropriate solutions. For example, a mobile agent needs to be protected from possible attacks by a malicious host, e.g. spying and manipulation of the mobile code and data. Though some techniques such as mobile cryptography [10] do exist, more generic and practical solutions to mobile agent protection are needed [11]. However, finding solutions to these security problems is not an objective of this research.

B. Secure Component Composition

A NA system will be built by an assemblage of a dynamically changeable set of components coming from different untrusted, trusted or partially trusted sources and operating in distributed and heterogeneous environments with different levels of security protection. This will make the system security control complex and vulnerable to attacks. One would be unwilling to use the system if valuable and private information such as credit card details and personal medical records could be stolen by malicious software or network hosts, and the security control of networked appliances such as a burglar alarm could be bypassed by technically savvy hackers. Thus security evaluation will be one of the most important issues to be addressed by NA systems. Secure component composition provides an effective way of system security evaluation. A number of models for such composition have been presented in the literature (e.g. [12-16]). These models offer the analysis of component operations and interactions with others to detect both implicit and explicit unauthorised access to sensitive information.
Note that access control models can constrain the release of information, but they can neither limit its propagation among components due to their interoperations, nor prevent its disclosure caused by those components such as insecure cryptographic protocols. A main characteristic of these composition models is separability, in the sense that the security of a system is decided by analysing the security of each component separately. This simplifies dynamic changes to the system as there is no need to re-evaluate the security of the components unaffected by the changes. Thus these models can offer a cost-effective solution to the determination of NA system security, which would otherwise be very hard if not impossible.

Secure component composition models can be divided into three categories. The first consists of information flow based models (e.g. [13]) that examine information flows among components to determine whether or not sensitive information could be accessible by unauthorised components or users. The second category of models (e.g. [14]) is concerned mainly with the analysis of cryptographic protocols to ensure that sensitive information such as private or secret cryptographic keys is not accessible in an unauthorised way. This category differs from the first mainly due to special features of cryptographic algorithms. There are some discussions on whether these two categories can be unified. The third category (e.g. [16]) includes models for exploring secure component composition using wrappers that encapsulate untrusted components, many of which are only available as object code with some unknown functionality, to control their interactions with others.

Although considerable progress in the area of secure component composition has been made, there is no existing work on a software engineering based framework for systematic automation of dynamic security evaluation and control for NA applications at runtime by integrating the three categories of models described above. Currently most models are used for security evaluation at development time. The lack of this software framework will result in inadequate security protection for NA, and consequently put personal information and even properties at risk. This will inevitably hinder the future development of NA. This paper aims to propose such an important software framework.
IV. FRAMEWORK FOR SECURE COMPONENT COMPOSITION FOR NETWORKED APPLIANCES

The overall aim of our research is to develop an extendable software framework for secure component composition to evaluate and control the security of a NA system at runtime in an automated, dynamic and adaptive manner. This framework will be an important enabler for the future development of secure NA applications, and it represents a step forward towards the long-term goal of our research for developing a wide range of intelligent security protection for NA. In the following, we give a brief description of the breakdown of work required for the development of the proposed framework.

A. Requirements Analysis

This requirements analysis must produce a specification of component and system security requirements for NA. The purposes of the analysis are to understand the characteristics of a NA system and then to derive consistent security requirements for the system and its components. These requirements are fundamental for the subsequent development of the proposed framework. The analysis will consider our previous relevant work (e.g. [15, 17-20]) as well as other NA-related security issues and requirements in the areas of active networks [21], software agents [11], and wireless communications [9]. It is also important to decompose system security requirements into component ones in a consistent manner to help the analysis and understanding of required security properties of components and their composition. These security requirements will be studied to assess their suitability for the proposed work, to identify conflicts between them, and to make necessary tradeoffs to resolve the conflicts to produce consistent system and component security requirements.

B. Framework Design
The design of the framework will accomplish integration of different secure component composition models, and design of an extendable, adaptive and automated implementation framework. The aim of the model integration is to produce practical, implementable and systematic approaches suited for dynamic security evaluation of a NA system by developing and integrating existing secure component composition models. There are two main issues to be addressed by the design. First, the practical applicability of the existing models will be investigated, and the most relevant models selected. Some of the existing models impose very strong security requirements that are difficult for any real system to satisfy. The main design principle of these models is to produce perfectly secure systems, which often leads to secure but unusable systems. This task will make the selected models. To fulfil this, we will study existing secure component composition models to collect their security properties, and compare them with the security requirements produced in the requirements analysis to investigate the practical applicability of the models to NA systems. The investigation will result in a selection of the most appropriate models and possibly some modifications to make them practicable. Our previous research work (e.g. [15]) has demonstrated how to relax security constraints to allow a secure system to be composed from some insecure components based on their interfaces. A similar approach could be used for the modifications.

The design will propose an extendable framework for an automated, adaptive and dynamic implementation of the integrated approaches and security patterns developed during the design phase. There are three main issues to be considered. First, the issue of how to dynamically execute the integrated approaches will be investigated.
The investigation will be focused on testing techniques guided by the approaches rather than theorem proving, as the proving is difficult to implement dynamically. Secondly, the issue of extendibility will be studied to enable newly developed security models and patterns to be incorporated into the proposed framework to strengthen its applicability to new applications. Thirdly, the architecture of NA applications will be examined to accommodate the framework appropriately. This should ensure that the framework evaluates and controls every change made to a NA system or its security policies at runtime. The framework will interoperate with other parts of the system, e.g. the detection of an insecure component by security evaluation may lead to changes to access control rules related to the component, which are not managed by the framework. Existing work on security analysis (e.g. [22, 5]) could be useful for the implementation of the framework, e.g. model checkers [2] can offer good automation of testing based analysis. We will also consider relevant existing work (e.g. [23-24]) to address the architectural issue.
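The separability property described in section III.B (each component is checked against a localised requirement, the system verdict follows from the component verdicts, and components unaffected by a change are not re-analysed) and the runtime evaluate-and-control loop sketched in this section can be made concrete with a small model. The following Python is an added example, not code from the paper or its authors. It assumes a three-level label lattice, components whose ports carry labels and whose outputs declare which inputs they may derive from, an interface rule for links between components, and a wrapper that treats an object-code-only component conservatively; the component and port names of the home scenario are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed three-level lattice for this example; a higher number means more sensitive data.
LEVEL = {"public": 0, "personal": 1, "secret": 2}


def flows_to(src: str, dst: str) -> bool:
    """Data labelled src may only flow to a port labelled at least as high."""
    return LEVEL[src] <= LEVEL[dst]


@dataclass
class Component:
    name: str
    inputs: Dict[str, str]      # input port -> label it accepts
    outputs: Dict[str, str]     # output port -> label it emits
    deps: Dict[str, Set[str]]   # output port -> input ports it may derive from

    @classmethod
    def wrapped(cls, name: str, inputs: Dict[str, str], outputs: Dict[str, str]) -> "Component":
        # Wrapper for an object-code-only component of unknown functionality:
        # assume every output may depend on every input (the conservative choice).
        return cls(name, inputs, outputs, {o: set(inputs) for o in outputs})


def local_check(c: Component) -> List[str]:
    """Localised requirement, checked per component: no output may carry
    data from an input with a higher label than the output's own."""
    errors = []
    for out, sources in c.deps.items():
        for src in sorted(sources):
            if not flows_to(c.inputs[src], c.outputs[out]):
                errors.append(f"{c.name}: {src}({c.inputs[src]}) -> {out}({c.outputs[out]})")
    return errors


Connection = Tuple[str, str, str, str]   # (from component, out port, to component, in port)


class CompositionEvaluator:
    """Runtime evaluate-and-control loop: each change to the system is checked
    as it is made, and only the component or link touched by it is analysed."""

    def __init__(self) -> None:
        self.components: Dict[str, Component] = {}
        self.connections: List[Connection] = []
        self.verdicts: Dict[str, List[str]] = {}   # cached per-component verdicts
        self.rejected: List[str] = []              # changes refused, with the reason
        self.local_checks_run = 0                  # counts analyses, to show separability

    def add_component(self, c: Component) -> bool:
        """Admit a component only if it meets its local requirement; nothing else is re-analysed."""
        errors = local_check(c)
        self.local_checks_run += 1
        if errors:
            self.rejected.extend(errors)
            return False
        self.components[c.name] = c
        self.verdicts[c.name] = errors
        return True

    def remove_component(self, name: str) -> None:
        """Removing a component drops its links; the remaining verdicts stay valid."""
        self.components.pop(name)
        self.verdicts.pop(name)
        self.connections = [k for k in self.connections if name not in (k[0], k[2])]

    def connect(self, src: str, out: str, dst: str, inp: str) -> bool:
        """Interface check for a new link: the receiving port must be labelled
        at least as high as the sending port, otherwise the link is refused."""
        a, b = self.components[src], self.components[dst]
        if not flows_to(a.outputs[out], b.inputs[inp]):
            self.rejected.append(f"{src}.{out}({a.outputs[out]}) -> {dst}.{inp}({b.inputs[inp]})")
            return False
        self.connections.append((src, out, dst, inp))
        return True

    def system_secure(self) -> bool:
        """Global verdict: follows from the cached local verdicts because every
        admitted link has already passed the interface check."""
        return all(not errs for errs in self.verdicts.values())


def demo() -> CompositionEvaluator:
    """Constructed home NA scenario: a camera feeding a TV bridge, then an
    untrusted price-comparison agent handling a card number (names are invented)."""
    ev = CompositionEvaluator()
    camera = Component("camera", {"ctl": "public"}, {"video": "personal"}, {"video": {"ctl"}})
    bridge = Component("tv_bridge", {"video_in": "personal"}, {"stream": "personal"}, {"stream": {"video_in"}})
    agent = Component.wrapped("price_agent", {"card": "secret", "query": "public"}, {"offer": "public"})
    ev.add_component(camera)
    ev.add_component(bridge)
    ev.connect("camera", "video", "tv_bridge", "video_in")
    ev.add_component(agent)   # refused: offer(public) may derive from card(secret)
    return ev


if __name__ == "__main__":
    ev = demo()
    print("admitted:", sorted(ev.components), "secure:", ev.system_secure())
    print("rejected:", ev.rejected)
```

Running the module prints the admitted components and the refused changes. The counter local_checks_run shows that admitting a component never triggers re-analysis of the others, which is the cost saving that separability buys. A real framework of the kind proposed here would plug information-flow, protocol or wrapper models in behind local_check rather than the single label check used in this illustration.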
C. Implementation and Evaluation

A prototype implementation of the framework will provide the basis for evidence of the usefulness of the theory. By applying the framework to a series of appropriate NA case studies we can evaluate the applicability, assurance and efficacy of the framework. The main aims of the implementation are to transform the design into executable software and to demonstrate its cost-effectiveness. This will consider several issues including programmability, distributability and heterogeneity, as the operating environments of NA applications have these features. Our Networked Appliances laboratory will be used as the workbench for this implementation.
V. CONCLUSIONS

In this paper we have considered the problem of building secure Networked Appliance systems. Security is well known to be one of the most important factors influencing the acceptance of modern computer systems. We propose the use of secure component composition as a tool to enable us to develop a framework for analysing Networked Appliance systems automatically and adaptively. We outline the path towards the framework involving requirements analysis, framework design and implementation and evaluation. We believe this novel framework will provide an essential tool for the developers of future Networked Appliance systems.
REFERENCES

[1] MIT Project Oxygen, http://www.oxygen.mit.edu/.
[2] S. Moyer, D. Marples, S. Tsang, "A Protocol for Wide-Area Secure Networked Appliance Communication", IEEE Communications Magazine, October 2001, pp. 52-59.
[3] M. Satyanarayanan, "Pervasive Computing: Vision and Challenges", IEEE Personal Communications, August 2001, pp. 10-17.
[4] D.L. Tennenhouse, J.M. Smith, W.D. Sincoskie, et al., "A Survey of Active Network Research", IEEE Communications Magazine, January 1997, pp. 80-86.
[5] R.W. Ritchey, P. Ammann, "Using Model Checking to Analyze Network Vulnerabilities", Proc. 2000 IEEE Symposium on Security and Privacy, Los Alamitos, CA, USA, 2000, pp. 156-65.
[6] D.A. Clark, J.T. Wroclawski, "The Personal Router White Paper", MIT Advanced Network Architecture Group, March 2001.
[7] D.B. Lange, "Mobile Objects and Mobile Agents: The Future of Distributed Computing?", Proc. ECOOP'98, Springer-Verlag, Berlin, Germany, 1998, pp. 1-12.
[8] A. Mingkhwan, M. Merabti, B. Askwith, "IPMSA: Integrated Personal Mobility Services Architecture", Proc. IEEE International Conference on Communications, New York, USA, April/May 2002.
[9] K. Aretz, M. Haardt, W. Konhauser, W. Mohr, "The Future of Wireless Communications Beyond the Third Generation", Computer Networks, Vol. 37, 2001, pp. 83-92.
[10] T. Sander, C.F. Tschudin, "Towards Mobile Cryptography", Proc. IEEE Symposium on Security and Privacy, May 1998, pp. 215-224.
[11] W.A. Jansen, "Countermeasures for Mobile Agent Security", Computer Communications, Vol. 23, 2000, pp. 1667-1676.
[12] R. Canetti, "Universally Composable Security: A New Paradigm for Cryptographic Protocols", Proc. 42nd IEEE Symposium on Foundations of Computer Science, Los Alamitos, CA, USA, 2001, pp. 136-45.
[13] J. McLean, "A General Theory of Composition for a Class of 'Possibilistic' Properties", IEEE Transactions on Software Engineering, Vol. 22, No. 1, 1996, pp. 53-67.
[14] B. Pfitzmann, M. Waidner, "A Model for Asynchronous Reactive Systems and Its Application to Secure Message Transmission", Proc. 2001 IEEE Symposium on Security and Privacy, USA, 2001, pp. 184-200.
[15] Q. Shi, N. Zhang, "An Effective Model for Composition of Secure Systems", The Journal of Systems and Software, Elsevier Science, Vol. 43, 1998, pp. 233-244.
[16] P. Sewell, J. Vitek, "Secure Composition of Untrusted Code: Wrappers and Causality Types", Proc. 13th IEEE Computer Security Foundations Workshop, Los Alamitos, CA, USA, 2000, pp. 269-84.
[17] R. Askwith, M. Merabti, Q. Shi, "MNPA: A Mobile Network Privacy Architecture", Computer Communications, Vol. 23, 2000, pp. 1777-1788.
[18] M. Merabti, F.D. Mateos, E. Smith, "Scalable Heterogeneous Bridge for Networked Appliances", The Second IEEE International Workshop on Networked Appliances, IWNA'2000, New Jersey, Nov./Dec. 2000.
[19] N. Zhang, Q. Shi, M. Merabti, "A Flexible Approach to Secure and Fair Document Exchange", The Computer Journal, British Computer Society, Vol. 42, No. 7, 1999.
[20] N. Zhang, Q. Shi, M. Merabti, "Anonymous Public-Key Certificates for Anonymous and Fair Document Exchange", IEE Proceedings – Communications, Vol. 147, No. 6, December 2000, pp. 345-350.
[21] P. Kakkar, C.A. Gunter, M. Abadi, "Reasoning About Secrecy for Active Networks", Proc. 13th IEEE Computer Security Foundations Workshop, Los Alamitos, CA, USA, 2000, pp. 118-29.
[22] P. Herrmann, "Information Flow Analysis of Component-Structured Applications", Proc. Annual Computer Security Applications Conference, New Orleans, Louisiana, USA, 2001.
[23] R.H. Campbell, et al., "Seraphim: Dynamic Interoperable Security Architecture for Active Networks", IEEE Third Conference on Open Architectures and Network Programming, NJ, USA, 2000, pp. 55-64.
[24] B. Hashii, S. Malabarba, P. Pandey, M. Bishop, "Supporting Reconfigurable Security Policies for Mobile Programs", Computer Networks, Vol. 33, 2000, pp. 77-93.