Active Capability: A Unified Security Model for Supporting Mobile, Dynamic and Application Specific Delegation
White Paper
Roy H. Campbell, Tin Qian, Willy Liao, Zhaoyu Liu
Department of Computer Science, University of Illinois, Urbana-Champaign
Digital Computer Laboratory, 1304 W. Springfield, Urbana, IL 61801
February 16, 1996
1 Introduction

As the internet becomes a household name, there is great interest in providing services such as banking, shopping and cable TV via the internet. Although this vision is widely expected to become reality soon and several experimental services have already been set up over the internet, many difficult issues remain. In particular, concerns about the security of the internet have seriously hindered the wide deployment of internet-based services. The difficulties of devising a security infrastructure for the internet are largely due to its autonomous, dynamic, diverse and distributed nature. The internet is a federation of different computer systems with very diverse security policies. In [3] P. Janson et al. listed several typical scenarios with different security protection boundaries. They pointed out that the great diversity arising in the different combinations and refinements of these scenarios requires a broad set of protection and security functions. Recent advances in mobile computing have turned the internet into a dynamic communication environment, which presents even greater challenges in employing secure communication, authentication and privacy measures. The emerging point-to-point high speed networks like ATM have not solved the security problem. On the contrary, an existing study [1] showed that ATM networks are also vulnerable to eavesdropping and denial of service attacks. Security in ATM networks presents new challenges. Another inadequately studied issue in computer security is denial of service protection. The few existing studies in this area were mostly about defining access-control policies, largely based on the traditional access matrix model. Millen in [5] pointed out that the access matrix model "is not expressive enough to elucidate the problem of denial of service". Moreover, access control policies are inherently application dependent.
Especially in the internet environment it is highly desirable to enable constrained interconnection between autonomous network domains, so that people who want to connect their networks to the internet need not worry about malicious attacks on the availability of the services they provide. To address these problems, we propose a new security model based on recent innovations in type safe scripting languages, extendible systems software, and software protection. The basic idea is to augment the conventional capability-based security and protection model with user-supplied scripts. The principles behind this design are:

- it provides a unified framework for incorporating different security models
- it supports delegation and revocation in dynamic communication environments like mobile computing
- it decouples high level security functions, such as delegation and access control, from underlying facilities, such as authentication and encryption
- it allows an application to define its own security policy in a descriptive way
- it provides a minimum policy-free core of security functions which can be implemented efficiently
- it enables extendibility, reconfigurability and adaptability by keeping the complexity of application specific security policies in user-level scripts
2 Active Capability

The integration of security models is critical to providing genuine security functions, since a security hole in any part of the system will seriously compromise the effort made by the rest of the system. However, in a large information networking environment like the internet, security is enforced autonomously. Therefore it is inherently vulnerable to security attacks. With active capability we can provide a unified security and protection model for the internet without sacrificing its autonomy.
Conceptual Model

Traditionally, security systems often use an access matrix to model access control policies. Each column of an access matrix represents a protected object and each row corresponds to a principal who wants to access that object. Each matrix entry defines the access rights the potential principal has on that object. The limitation of this model is that it can only model static access control policies. Our active capability model goes beyond this limitation by replacing passive access rights with executable scripts. In this way we can use this augmented access matrix as a general model to unify the modeling of many different policies and services dynamically and flexibly.
Active Capability

An active capability is an active object which carries out security functions for protecting and controlling access to the object(s) it is associated with. In our design it is realised as a piece of unforgeable script so that it can reside in user space and be freely passed around. When a principal wants to access an object, it has to present the capability and the desired operations. It is essential that the system can safely run the script in a domain different from the one in which the script originated. Thus we advocate the use of a safe language such as Java [2], which is type safe and can be checked for security violations. Another benefit of using Java is that we can construct active capabilities in an object-oriented fashion. For example, capabilities with delegation support can reuse the authentication code by subclassing the authenticated capabilities. Also we may use metaobjects to describe the internal structure and validation procedures of those capabilities. To reduce the capability's size for the common cases, the system can provide standard capability bases and users can use references to those scripts instead of the scripts themselves.

Security Agent

A security agent defines the low level security protocols used between active capabilities and security managers, such as authentication and encryption methods. It runs in security managers as part of their runtime. Since it is written as a Java script, it can be easily distributed and loaded into or unloaded from security managers.

Security Manager

A security manager mainly consists of a Java interpreter and a security runtime. The responsibility of a security manager is to create and validate active capabilities. It provides security management to conventional name servers by maintaining security information about objects (servers) such as public/private keys, passwords and identity certificates. Each security manager provides a minimum set of security services and most functionality is extended through run-time loading of security agents and active capabilities.

Object Manager
Object managers can be persistent objects, databases, kernel services or libraries. Conceptually they are mainly of two kinds: static ones like persistent objects, and dynamic ones like object factories. In the active capability model, an object manager creates and manages objects whose access rights are defined and interpreted by the manager. Figure 1 shows the basic interaction among the objects described above. Whenever a client wants to access an object, it passes the desired operations to the capability associated with this object. The security manager dispatches a compatible security agent to verify the capability and provide an appropriate runtime environment for the capability to determine if this access will be granted or not. If it is granted, the security agent sends a message to the object manager that manages the desired object, with information about the identifier of the object and the operations.

Figure 1: Active Capability Model (the figure shows the Client, Security Manager, Security Agents and Object Managers exchanging CA, OID and OP messages; CA: Active Capability, OID: Object Identifier, OP: Operation)
3 Delegation

As more and more information is distributed through the network, a task cannot be done without the co-operation of other principals. Often it is necessary to delegate subtasks, and possibly access, to those foreign principals so that they can do the work on your behalf. In particular, frequent disconnected operation in a ubiquitous computing environment requires mobile systems to delegate computation- or communication-intensive processing to more powerful servers. In our model delegation is supported by constructing delegatable capabilities which accept a delegate operation and generate new capabilities for delegatees. We illustrate how the active capability model can unify the existing delegation models in the rest of this section.

3.1 Centralized Model
Many existing delegation architectures [4] use a centralized authentication server to provide delegation services. Because of the different delegation requirements, they often devise several different delegation mechanisms in one system. However, with the active capability model, the diversity of delegation mechanisms is encapsulated in the active capability itself.

3.2 Distributed Model
The major disadvantage of the centralized approach is that the delegation server can be a serious bottleneck for the entire system, even though some applications do not require any security function at all. So several distributed delegation models have been proposed [8].
Service-Based Delegation

In one of our previous studies on the security of mobile computing [8] we designed a customizable framework supporting frequent delegation and revocation. In that model we performed delegation on a per-service basis, i.e. delegation attributes are maintained and interpreted solely by the service being delegated. Like other static access control list approaches [6], this model is inadequate for specifying dynamic and fine-grain delegation restrictions. In the active capability model, this delegation model can be easily implemented by just letting active capabilities talk to service providers whenever users want to access the service via those active capabilities. Because of the descriptiveness of the Java script language, arbitrary restrictions can be put on those delegation capabilities.
Client-Based Delegation

One of the most distinctive features of the active capability model is that it can support client-based delegation, with which the delegation service can be constructed in a fully distributed way. The essential idea is that, with the properties of asymmetric encryption schemes like RSA [7], active capabilities can be verified and authorized locally. One way to implement this is to let each principal involved in a delegation process give the capability a certificate signed with its private key. Therefore the security agent, or even the active capability itself, can verify its validity. It also makes cascading delegation very simple. As to revocation, depending on what the application's requirements are, different revocation mechanisms can be realized by defining an application-specific authentication and authorization protocol between active capabilities and security agents.
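The client-based, cascading scheme just described, as an added example that is not code from the original paper: each principal signs the delegation step it grants, and a verifier holding only the object owner's public key walks the chain locally, rejecting forged links and any link that widens the rights its delegator held. Ed25519 signatures stand in for the paper's RSA, and the Link layout, the operation names and the attenuation rule are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Link is one delegation step: the delegator grants Ops to Delegatee and signs it.
type Link struct {
	Delegatee ed25519.PublicKey
	Ops       []string
	Sig       []byte // delegator's signature over body(l)
}
// body is the byte string a link signature covers: the delegatee key, then the operations.
func body(l Link) []byte {
	return append(append([]byte(nil), l.Delegatee...), fmt.Sprint(l.Ops)...)
}
// Delegate creates a link granting ops to delegatee, signed by the delegator (assumed layout).
func Delegate(delegator ed25519.PrivateKey, delegatee ed25519.PublicKey, ops []string) Link {
	l := Link{Delegatee: delegatee, Ops: ops}
	l.Sig = ed25519.Sign(delegator, body(l))
	return l
}
// Verify walks a chain from the object owner's public key: each link must be signed by the
// previous holder and may only narrow its rights (assumed rule). A nil result means the owner itself.
func Verify(owner ed25519.PublicKey, chain []Link) (map[string]bool, error) {
	signer, allowed := owner, map[string]bool(nil)
	for i, l := range chain {
		if !ed25519.Verify(signer, body(l), l.Sig) {
			return nil, fmt.Errorf("link %d: bad signature", i)
		}
		next := map[string]bool{}
		for _, op := range l.Ops {
			if allowed != nil && !allowed[op] {
				return nil, fmt.Errorf("link %d: %q exceeds delegator's rights", i, op)
			}
			next[op] = true
		}
		signer, allowed = l.Delegatee, next
	}
	return allowed, nil
}

func main() { // constructed scenario: owner -> server (read, write) -> mobile client (read)
	ownerPub, ownerPriv, _ := ed25519.GenerateKey(nil)
	srvPub, srvPriv, _ := ed25519.GenerateKey(nil)
	cliPub, _, _ := ed25519.GenerateKey(nil)
	chain := []Link{Delegate(ownerPriv, srvPub, []string{"read", "write"}), Delegate(srvPriv, cliPub, []string{"read"})}
	fmt.Println(Verify(ownerPub, chain)) // map[read:true] <nil>
}
```

A security agent that receives the chain together with a requested operation only needs the owner's public key to decide; no delegation server is consulted, which is the point of the client-based model.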
4 Progress To Date

The first step we have taken towards the full implementation of the Active Capability model is to provide encryption and authentication in Java. The authentication mechanism currently implemented is Kerberos. Basically we took the authentication and encryption libraries from Kerberos version 5 and added them to the Java runtime as native methods. We defined the interface for accessing these basic security functions as a composable and extendible encryption and authentication framework, so that the rest of the security system will not depend on one specific encryption and authentication mechanism and the system can be easily customized and extended via subclassing without affecting other system components and existing applications.
References

[1] Daniel Stevenson, Nathan Hillery, and Grey Byrd. Secure communications in ATM networks. Communications of the ACM, 38(2):45-52, February 1995.
[2] James Gosling and Henry McGilton. The Java Language Environment: a White Paper. Technical report, Sun Microsystems Computer Company, Mountain View, CA 94043, USA, May 1995.
[3] P. Janson and R. Molva. Security in open networks and distributed systems. Computer Networks and ISDN Systems, 22(5):323-346, October 1991.
[4] J. Kohl and C. Neuman. The Kerberos network authentication service (V5). Technical Report Internet RFC 1510, September 1993.
[5] Jonathan K. Millen. A resource allocation model for denial of service. In 1992 IEEE Symposium on Security and Privacy, pages 137-147, Oakland, California, May 1992.
[6] B. Clifford Neuman. Proxy-based authorization and accounting for distributed systems. In Proceedings of the 13th International Conference on Distributed Computing Systems, May 1993.
[7] R. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Communications of the ACM, 21(2):120-127, February 1978.
[8] Roy Campbell, Daniel Sturman, and Theron Tock. Mobile computing, security and delegation. In the International Workshop on Mobile Computing, Japan, 1994.