Outline Introduction JVM sandbox Modelisation Example and implementation Conclusion
Enabling dynamic security policy in the Java security manager
Fabien Autrel, Frédéric Cuppens, Nora Cuppens
FPS2012 symposium, October 26th 2012
Outline
1 Introduction
2 JVM sandbox
3 Modelisation
4 Example and implementation
5 Conclusion
Introduction: context
Security in large computer infrastructures
- Several different execution environments
- Several different security components
Global security configuration
- Several ad-hoc configuration languages
- Manual configuration
- No global view
Policy enforcement / security requirements
Introduction (cont.): need for a common security policy model
Expression of a global security policy
- Organization Based Access Control (OrBAC)
- Dynamic policy
- Implementation-independent
Automatic policy deployment
- Policy translation to ad-hoc configuration languages
- No need to manually modify the configurations
Case study: Java Virtual Machine (JVM) sandbox
JVM sandbox
- Isolates a Java program from the host
- Boundary defined by an ad-hoc policy language
- Enforced by the security manager
  // Standard extensions get all permissions by default
  grant codeBase "file:${{java.ext.dirs}}/*" {
      permission java.security.AllPermission;
  };
  ...
  // default permissions granted to all domains
  grant {
      // allows anyone to listen on un-privileged ports
      permission java.net.SocketPermission "localhost:1024-", "listen";
      // "standard" properties that can be read by anyone
      permission java.util.PropertyPermission "java.version", "read";
      permission java.util.PropertyPermission "java.vendor", "read";
  };
Security policy language
Policy: keystore + grants
- Keystore: private key database
- Grant: set of permissions
  grant signedBy "signer_names", codeBase "URL" {
      permission permission_class_name "target_name", "action", signedBy "signer_names";
      permission permission_class_name "target_name", "action", signedBy "signer_names";
      ...
  };
Sandbox boundaries
Sandbox boundaries defined by permission types
- Implies all permissions: AllPermission
- Other permissions: SecurityPermission, AWTPermission, FilePermission, SerializablePermission, ReflectPermission, RuntimePermission, NetPermission, SocketPermission, SQLPermission, PropertyPermission, LoggingPermission, SSLPermission, AuthPermission, PrivateCredentialPermission, DelegationPermission, ServicePermission, AudioPermission, UnresolvedPermission
Our work covers FilePermission and NetPermission types
The OrBAC model
Models a security policy centered on the organization which defines it or manages it
Specification done at the abstract level
- Roles, activities and views abstract respectively subjects, actions and objects
- Abstract rules: permissions, prohibitions and obligations
- Contexts: dynamic rules, can be combined
The concrete policy is inferred from the abstract policy and the assignment of concrete entities to abstract entities:
  is_permitted(Subject, Action, Object) :-
      permission(Org, Role, Activity, View, Context),
      empower(Org, Subject, Role),
      consider(Org, Action, Activity),
      use(Org, Object, View),
      hold(Org, Subject, Action, Object, Context).
Expressing JVM policies in OrBAC: use case
Java client application accessing a database
- Modelisation limited to FilePermission and SocketPermission
Reuse organizational entities
- Existing roles, activities and views
- Organizational structure
JVM hosts modelisation
- An organization models a set of machines running the same applications
- Represented as an array of host names/IP addresses
- Absolute keystore URL
Use of an organization hierarchy
- A default JVM organization as the hierarchy root
Expressing JVM policies in OrBAC: FilePermission modelisation
- Path name
- Set of actions (read, write, execute and delete)
Example:
  permission java.io.FilePermission "${user.home}${/}foo", "read,write";
Activities: read, write, execute, delete and handle
- handle as a super-activity of read, write and delete
Views: depend on the target application
- In our use case: directory structure
- Objects have a targetPath attribute
Expressing JVM policies in OrBAC: SocketPermission modelisation
Host specification:
  host = (host name | IP address)[:portrange]
  portrange = portnumber | -portnumber | portnumber-[portnumber]
Set of operations which specifies how connections can be established with the host (accept, connect, listen and resolve)
Example:
  grant signedBy "Bob" {
      permission java.net.SocketPermission "some.server.com:8080", "connect, accept";
  };
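The host specification grammar above is small enough to parse completely. The following added example (my own code, not from the slides or the authors' tool) parses a SocketPermission target into a host and a port interval and then decides whether one granted permission covers a requested one, which is the check a policy translator needs before it can tell that a generated grant is no wider than the abstract rule it came from. The range semantics follow java.net.SocketPermission as I understand them ("N-" means N and above, "-N" means N and below, no port means every port, and resolve is implied by the other actions); a leading "*." wildcard matches any sub-domain. The function names and the sample specifications are assumptions.

```python
"""Parse SocketPermission host specifications and check implication (added example)."""
import re

MAX_PORT = 65535
ACTIONS = ("accept", "connect", "listen", "resolve")
# host[:portrange] with portrange = N | -N | N- | N-M  (grammar from the slide)
_SPEC = re.compile(r"^([^:]+)(?::(\d*)(-)?(\d*))?$")


def parse_host_spec(spec):
    """Return (host, low_port, high_port) for a 'host[:portrange]' string."""
    m = _SPEC.match(spec.strip())
    if not m:
        raise ValueError("malformed host specification: %r" % spec)
    host, lo, dash, hi = m.groups()
    if lo is None:                       # no ':' at all -> every port
        return host.lower(), 0, MAX_PORT
    if not lo and not hi:                # 'host:' or 'host:-' carries no port
        raise ValueError("empty port range in %r" % spec)
    if dash is None:                     # single port, e.g. 8080
        low = high = int(lo)
    else:                                # 1024-  /  -1023  /  8080-8090
        low = int(lo) if lo else 0
        high = int(hi) if hi else MAX_PORT
    if not 0 <= low <= high <= MAX_PORT:
        raise ValueError("invalid port range in %r" % spec)
    return host.lower(), low, high


def host_matches(granted_host, requested_host):
    """Exact name match, '*' for any host, or '*.domain' for any sub-domain."""
    if granted_host == "*":
        return True
    if granted_host.startswith("*."):
        return requested_host.endswith(granted_host[1:])
    return granted_host == requested_host


def parse_actions(actions):
    """Split 'connect, accept' into a set and reject unknown action words."""
    acts = {a.strip() for a in actions.split(",") if a.strip()}
    unknown = acts - set(ACTIONS)
    if unknown or not acts:
        raise ValueError("bad action list %r" % actions)
    return acts


def implies(granted_spec, granted_actions, requested_spec, requested_actions):
    """True if the granted permission covers the requested host, ports and actions."""
    g_host, g_lo, g_hi = parse_host_spec(granted_spec)
    r_host, r_lo, r_hi = parse_host_spec(requested_spec)
    g_acts = parse_actions(granted_actions)
    if g_acts & {"accept", "connect", "listen"}:
        g_acts.add("resolve")            # resolve is implied by any other action
    r_acts = parse_actions(requested_actions)
    return (host_matches(g_host, r_host)
            and g_lo <= r_lo and r_hi <= g_hi
            and r_acts <= g_acts)


if __name__ == "__main__":
    # constructed check: the slide's grant does not allow listening on 8080
    print(implies("some.server.com:8080", "connect, accept",
                  "some.server.com:8080", "listen"))
```

Note that a request without a port (for example "some.server.com") asks for every port and is therefore not implied by a grant that names a single port; that asymmetry is what makes the port-less form dangerous on the grant side.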
Expressing JVM policies in OrBAC: SocketPermission modelisation
Activities: abstraction of network services
- all protocols, tcp, udp and icmp
- bidirectional, send and receive
- defined in the JVM organization
- Actions have a port attribute
Views: sets of hosts
- Example: toDatabase represents hosts with a database
- Objects have an address attribute
- View definitions can be used:
  use(hospital, H, toDatabase) :-
      networkAddress(H, A),
      subNet(A, 10.0.0.0, 24),
      ¬use(hospital, H, toBackup).
Expressing JVM policies in OrBAC: contexts, modelisation of code source and signed code
codeBase context:
  hold(JVM, S, _, _, codeBaseFoo) :-
      byteCode(S, B),
      codeBase(B, database.intranet.mycompany.com).
signedCode context:
  hold(JVM, S, _, _, signedCodeFoo) :-
      byteCode(S, B),
      signedBy(B, someDevelopper).
Example
Physicians in a hospital using a mobile device
- A Java applet is used to access the patients' data in a database
- The Java applet must be signed by the main developer bob
- The applet can connect to the database but not the opposite
- The applet uses four directories:
  - appletDir
  - Three sub-directories: resource (read only), log (write only) and temp (read and write)
- Applet started by visiting http://applet.intranet.hospital.com
- MySQL 5 database hosted on database.intranet.hospital.com
Example: OrBAC abstract security policy
Policy defined in the appletOrg organization, sub-organization of JVM
Three contexts:
  hold(appletOrg, S, _, _, cbCtx) :-
      byteCode(S, B),
      codeBase(B, applet.intranet.hospital.com).
  hold(appletOrg, S, _, _, scCtx) :-
      byteCode(S, B),
      signedBy(B, bob).
  visitTime: temporal context
Example: OrBAC abstract security policy
Abstract rules:
  permission(appletOrg, doctor, send, database, scCtx&cbCtx&visitTime)
  permission(appletOrg, doctor, read, resource, scCtx&cbCtx)
  permission(appletOrg, doctor, write, log, scCtx&cbCtx)
  permission(appletOrg, doctor, handle, temp, scCtx&cbCtx)
Example: OrBAC concrete security policy
Inferred concrete rules:
  permission(daniel, mysql, db1)
  permission(daniel, readFilesystem, resource_applet1)
  permission(daniel, writeFilesystem, log_applet1)
  permission(daniel, readFilesystem, temp_applet1)
  permission(daniel, writeFilesystem, temp_applet1)
Generated JVM policy:
  grant signedBy "bob", codeBase "http://applet.intranet.hospital.com" {
      permission java.io.FilePermission "${user.home}${/}appletDir${/}resource", "read";
      permission java.io.FilePermission "${user.home}${/}appletDir${/}log", "write";
      permission java.io.FilePermission "${user.home}${/}appletDir${/}temp", "read,write";
      permission java.net.SocketPermission "database.intranet.hospital.com:3306", "connect";
  };
Dynamic policy management
Managing policy modifications
Context state change:
- Events triggering state changes are inferred from context definitions
- Activated/deactivated concrete rules are identified upon context state change
- JVM policies are generated and transferred using rsync and public key authentication
- A modified security manager detects security policy file change
Translation process also triggered when policy is modified
- For example, a new physician: empower(hospital, didier, doctor)
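The inference rule of slide 8, the hospital example of slides 15 to 17 and the re-translation on policy change of slide 18 can be exercised together. The following added example is my own toy translator, not the authors' implementation: it instantiates is_permitted(S, A, O) from the abstract rules, then emits the grant block. Entity names (appletOrg, doctor, scCtx, cbCtx, visitTime, daniel, didier, db1, resource_applet1, ...) come from the slides; the fact layout, the attribute tables (targetPath, address, port), the simplified hold(subject, context) facts, the context conjunction scCtx&cbCtx&visitTime modelled as a set that must be entirely active, and the function names are my assumptions. Rerunning the translation with visitTime deactivated, or with empower(didier, doctor) added, reproduces the dynamic behaviour described on the last slide.

```python
"""Toy OrBAC-to-JVM-policy translator for the hospital applet case (added example)."""
from collections import OrderedDict
from dataclasses import dataclass, field


@dataclass
class Facts:
    """OrBAC facts for one organization (constructed for the example)."""
    permissions: list       # abstract rules: (role, activity, view, contexts that must all hold)
    empower: list           # (subject, role)
    consider: list          # (action, activity)
    use: list               # (object, view)
    sub_activity: dict      # child activity -> super-activity, e.g. read -> handle (slide 10)
    hold: set               # (subject, context) for the contexts currently active
    target_path: dict = field(default_factory=dict)  # object -> FilePermission target
    address: dict = field(default_factory=dict)      # object -> host name (slide 12)
    port: dict = field(default_factory=dict)         # action -> port attribute (slide 12)
    file_action: dict = field(default_factory=dict)  # action -> FilePermission action word


def activity_closure(facts, activity):
    """An action considered as read also counts as handle, its super-activity."""
    closure = {activity}
    while activity in facts.sub_activity:
        activity = facts.sub_activity[activity]
        closure.add(activity)
    return closure


def concrete_rules(facts):
    """Instantiate is_permitted(S, A, O) from the abstract rules (rule of slide 8)."""
    rules = []
    for role, activity, view, contexts in facts.permissions:
        for subject, r in facts.empower:
            active = {c for s, c in facts.hold if s == subject}
            if r != role or not contexts <= active:
                continue                  # wrong role, or a required context does not hold
            for action, act in facts.consider:
                if activity not in activity_closure(facts, act):
                    continue
                for obj, v in facts.use:
                    if v == view and (subject, action, obj) not in rules:
                        rules.append((subject, action, obj))
    return rules


def jvm_policy(facts, signed_by, code_base):
    """Translate the concrete rules into one grant block of the JVM policy language."""
    files, sockets = OrderedDict(), OrderedDict()
    for _subject, action, obj in concrete_rules(facts):
        if obj in facts.target_path:      # file object -> java.io.FilePermission
            files.setdefault(facts.target_path[obj], set()).add(facts.file_action[action])
        elif obj in facts.address:        # host object -> java.net.SocketPermission
            target = "%s:%d" % (facts.address[obj], facts.port[action])
            sockets.setdefault(target, set()).add("connect")
    lines = ['grant signedBy "%s", codeBase "%s" {' % (signed_by, code_base)]
    for target, actions in files.items():
        lines.append('  permission java.io.FilePermission "%s", "%s";'
                     % (target, ",".join(sorted(actions))))
    for target, actions in sockets.items():
        lines.append('  permission java.net.SocketPermission "%s", "%s";'
                     % (target, ",".join(sorted(actions))))
    lines.append("};")
    return "\n".join(lines)


def hospital_facts(visit_time_active=True, extra_doctors=()):
    """Constructed facts for the example.  The two parameters model the slide-18
    events: a context state change (visitTime) and a new empower(...) fact."""
    doctors = ("daniel",) + tuple(extra_doctors)
    hold = {(d, c) for d in doctors for c in ("scCtx", "cbCtx")}
    if visit_time_active:
        hold |= {(d, "visitTime") for d in doctors}
    home = "${user.home}${/}appletDir${/}"
    return Facts(
        permissions=[("doctor", "send", "database", {"scCtx", "cbCtx", "visitTime"}),
                     ("doctor", "read", "resource", {"scCtx", "cbCtx"}),
                     ("doctor", "write", "log", {"scCtx", "cbCtx"}),
                     ("doctor", "handle", "temp", {"scCtx", "cbCtx"})],
        empower=[(d, "doctor") for d in doctors],
        consider=[("mysql", "send"), ("readFilesystem", "read"), ("writeFilesystem", "write")],
        use=[("db1", "database"), ("resource_applet1", "resource"),
             ("log_applet1", "log"), ("temp_applet1", "temp")],
        sub_activity={"read": "handle", "write": "handle", "delete": "handle"},
        hold=hold,
        target_path={"resource_applet1": home + "resource", "log_applet1": home + "log",
                     "temp_applet1": home + "temp"},
        address={"db1": "database.intranet.hospital.com"},
        port={"mysql": 3306},
        file_action={"readFilesystem": "read", "writeFilesystem": "write"},
    )


if __name__ == "__main__":
    print(jvm_policy(hospital_facts(), "bob", "http://applet.intranet.hospital.com"))
```

Running the block prints the same grant block as slide 17. Because the handle rule on temp matches both readFilesystem and writeFilesystem through the activity hierarchy, the two concrete rules on temp_applet1 collapse into a single FilePermission with "read,write"; deactivating visitTime removes only the SocketPermission line, which is exactly the rule set the security manager must reload.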
Implementation