Project Summary
Our approach employs a secure node architecture built within an active network using mobile agents, active capabilities and customizable security policies. The agent-based security architecture enables both static and run-time, application-aware reconfiguration. Adaptation allows the security provisions of the network to meet the specific security requirements of different application scenarios, and it permits run-time adaptation in the face of unexpected attacks, a condition vital to mission-critical environments such as military systems. This mobile-agent security research includes agent schemes that solve node-related security problems and mechanisms for the secure transfer of agents between nodes. It exploits the flexibility and expressiveness of the agent-based paradigm to provide security solutions for wide-area, dynamic, distributed applications. In essence we embed security functions in "smart security packets" in active networks. These smart packets implement user-level policies or capabilities as scripts composed from inherited or parameterized polymorphic security behaviors, made safe through typing. Static security behaviors bound to reference monitors are inherited, or passed as arguments, by mobile security agents to bootstrap basic auditing provisions or to enforce mandatory security provisions.
The centerpieces of our architecture are meta-level components that define the process of verifying the authority and validity of new security services and policies, and that restrict the system resources those services and policies may access. These components provide an orderly yet flexible way of injecting new security services and policies into the base system. We assume that the architecture has a preconfigured core security service providing basic public-key encryption, authentication and auditing facilities, upon which the meta-level structure is built. This core security service, together with a set of default meta-level components, forms a security manager with the basic facilities needed to support dynamic security agents; new security measures can then be dynamically injected into this base system. The meta-level structure therefore supports reflection: the semantics of the operations of the security model can be changed at run time, so policy, access-control and auditing mechanisms can be modified while the system runs. Such modification is the basis for adaptive security schemes that react to attacks, and it allows system security personnel to change the default behaviors of security agents through a well-defined meta-level protocol. Applications of reflection in a security architecture include improved control of the system; countering attacks by increasing surveillance, auditing and other security measures; isolating, monitoring and spoofing compromised remote nodes; providing fault tolerance by reconfiguring the security system as nodes fail; and replacing compromised encryption or security algorithms.
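The following is an added illustration of the meta-level protocol described above; it is example code written for this page, not code from the project. It assumes a symmetric HMAC key standing in for the core service's public-key signing, a constructed administrator set, and two rebindable behavior slots (authorize and audit). A policy arrives as signed data; the security manager verifies the issuer's authority and the signature, refuses any policy that tries to rebind a slot outside the permitted set, derives the new behavior from the policy data (nothing is evaluated as code), and installs it at run time. Injecting a "surveillance" audit policy shows the heightened-auditing reaction mentioned in the text.

```python
import hashlib
import hmac
import json
from typing import Callable, Dict, List

# Core security service, assumed preconfigured. The key and the administrator
# set are constructed for this example; a public-key signature would replace
# the HMAC in a deployed system.
CORE_KEY = b"core-security-service-key"
ADMINISTRATORS = {"secadmin"}


def sign(issuer: str, blob: bytes) -> str:
    """Bind authority over a policy to the issuer name and the policy bytes."""
    return hmac.new(CORE_KEY, issuer.encode() + blob, hashlib.sha256).hexdigest()


class SecurityManager:
    """Base security system plus a meta-level protocol for injecting policies."""

    def __init__(self) -> None:
        self.audit_log: List[str] = []
        # Base-level behaviours; each slot is a callable the meta level may rebind.
        # Default authorization: only "owner" may do anything; default auditing
        # records denials only.
        self.behaviors: Dict[str, Callable] = {
            "authorize": lambda subject, resource, op: subject == "owner",
            "audit": lambda event, allowed: None if allowed else self.audit_log.append(event),
        }
        # Only these slots may be rebound by injected policies.
        self.rebindable = {"authorize", "audit"}

    def inject(self, issuer: str, blob: bytes, signature: str) -> bool:
        """Meta-level protocol: verify authority, verify integrity, restrict the
        slot the policy may rebind, build the behaviour from data, install it."""
        if issuer not in ADMINISTRATORS:
            self.audit_log.append(f"inject rejected: {issuer} lacks authority")
            return False
        if not hmac.compare_digest(sign(issuer, blob), signature):
            self.audit_log.append(f"inject rejected: bad signature from {issuer}")
            return False
        spec = json.loads(blob)
        slot = spec.get("rebinds")
        if slot not in self.rebindable:
            self.audit_log.append(f"inject rejected: slot {slot!r} not rebindable")
            return False
        self.behaviors[slot] = self._build(spec)
        self.audit_log.append(f"inject ok: {issuer} rebound {slot}")
        return True

    def _build(self, spec: dict) -> Callable:
        """Turn a policy statement (a data structure) into a behaviour."""
        if spec["rebinds"] == "authorize":
            acl = spec["acl"]              # {subject: {resource: [operations]}}
            deny = set(spec.get("deny", []))
            return lambda subject, resource, op: (
                subject not in deny and op in acl.get(subject, {}).get(resource, []))
        # "audit": heightened surveillance logs every decision, not only denials.
        return lambda event, allowed: self.audit_log.append(event)

    def check(self, subject: str, resource: str, op: str) -> bool:
        allowed = self.behaviors["authorize"](subject, resource, op)
        verdict = "allow" if allowed else "deny"
        self.behaviors["audit"](f"{subject} {op} {resource}: {verdict}", allowed)
        return allowed


def demo() -> dict:
    """Run the protocol against constructed inputs and return the outcomes."""
    sm = SecurityManager()
    before = sm.check("alice", "file1", "read")          # default policy: denied
    policy = json.dumps({"rebinds": "authorize",
                         "acl": {"alice": {"file1": ["read"]}},
                         "deny": ["mallory"]}).encode()
    forged = sm.inject("mallory", policy, "0" * 64)       # no authority
    tampered = sm.inject("secadmin", policy + b" ", sign("secadmin", policy))
    escape = json.dumps({"rebinds": "core_key"}).encode()
    escaped = sm.inject("secadmin", escape, sign("secadmin", escape))
    installed = sm.inject("secadmin", policy, sign("secadmin", policy))
    after = sm.check("alice", "file1", "read")           # new policy: allowed
    mallory = sm.check("mallory", "file1", "read")       # negative entry wins
    surveil = json.dumps({"rebinds": "audit"}).encode()
    sm.inject("secadmin", surveil, sign("secadmin", surveil))
    sm.check("alice", "file1", "read")                   # now logged though allowed
    return {"before": before, "forged": forged, "tampered": tampered,
            "escaped": escaped, "installed": installed, "after": after,
            "mallory": mallory, "log": sm.audit_log}


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

Two design points matter here: the signature covers the policy data from which the behavior is built, so a policy cannot be swapped after verification, and the set of rebindable slots is fixed by the base system, so even an authentic policy cannot reach into the core service (the `core_key` attempt above is refused).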
To achieve these goals, we extend the IDL to support hidden security features, build customizable binding mechanisms for method dispatching and interface-to-class mapping, and provide architecture-aware visualization for monitoring and refinement.
Our architecture also provides frameworks for dynamic security services and policies that serve as building blocks for active-capability-based authorization and active policies. Together they provide a descriptive and flexible means of supporting fine-grained dynamic access control. The function of an active capability is to determine whether a subject has the right to invoke an operation. The active-capability authorization framework supports a spectrum of authorization protocols, from centralized access control lists to decentralized capabilities. It also facilitates user-oriented revocation schemes based on validation time, used-once semantics, and negative access control lists. Our auditing framework is integrated with an architecture-aware visualization system in the manner of our prior work on architecture-aware instrumentation; this provides a novel baseline for monitoring internal system structures and their run-time behavior. In our architecture, active policies are specified as a framework of classes that represent security policy statements as data structures. At the lowest level these data structures are sets and mappings; at a higher level, access control lists, labels and rules; and at the highest level, classes representing a variety of complete policy forms, including (but not limited to) types of discretionary and non-discretionary access control.
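An added example, written for this page rather than taken from the project, of an active capability check with the three revocation schemes named above. It assumes an HMAC-keyed capability issuer (a constructed key), a capability encoded as a small JSON-canonicalized record with a serial number, and a negative access control list keyed by object. The authorizer verifies the capability's integrity, checks that it covers the requested (subject, object, operation), enforces validation time against an injectable clock, lets a negative ACL entry override an otherwise valid capability, honors explicit revocation by serial, and spends used-once capabilities on first use. A plain ACL check is included to show the centralized end of the spectrum.

```python
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Set, Tuple

# Key of the capability-issuing authority; constructed for this example.
ISSUER_KEY = b"capability-issuer-key"


def _mac(body: dict) -> str:
    """MAC over a canonical encoding so field reordering cannot evade the check."""
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, canonical, hashlib.sha256).hexdigest()


def issue_capability(subject: str, obj: str, op: str, valid_until: float,
                     use_once: bool, serial: int) -> dict:
    """Mint a capability granting `subject` the right to invoke `op` on `obj`."""
    body = {"subject": subject, "object": obj, "op": op,
            "valid_until": valid_until, "use_once": use_once, "serial": serial}
    body["mac"] = _mac(body)
    return body


def acl_authorize(acl: Dict[str, Dict[str, Set[str]]], subject: str,
                  obj: str, op: str) -> bool:
    """Centralized end of the spectrum: {object: {subject: {operations}}}."""
    return op in acl.get(obj, {}).get(subject, set())


class ActiveCapabilityAuthorizer:
    """Decides whether a subject may invoke an operation, with revocation by
    validation time, used-once semantics, negative ACL and explicit serial."""

    def __init__(self, negative_acl: Dict[str, Set[str]],
                 now: Callable[[], float] = time.time) -> None:
        self.negative_acl = negative_acl      # {object: {subjects explicitly denied}}
        self.consumed: Set[int] = set()       # serials of spent use-once capabilities
        self.revoked: Set[int] = set()        # serials revoked by their issuer/user
        self.now = now

    def revoke(self, serial: int) -> None:
        self.revoked.add(serial)

    def authorize(self, cap: dict, subject: str, obj: str, op: str) -> Tuple[bool, str]:
        body = {k: v for k, v in cap.items() if k != "mac"}
        if not hmac.compare_digest(_mac(body), str(cap.get("mac", ""))):
            return False, "forged or tampered capability"
        if (cap["subject"], cap["object"], cap["op"]) != (subject, obj, op):
            return False, "capability does not cover this request"
        if self.now() > cap["valid_until"]:
            return False, "expired (validation time)"
        if subject in self.negative_acl.get(obj, set()):
            return False, "negative ACL entry overrides capability"
        if cap["serial"] in self.revoked:
            return False, "revoked by serial"
        if cap["use_once"]:
            if cap["serial"] in self.consumed:
                return False, "used-once capability already spent"
            self.consumed.add(cap["serial"])
        return True, "allowed"


def demo() -> Dict[str, bool]:
    """Exercise each decision path on constructed capabilities with a fixed clock."""
    clock = [1000.0]
    auth = ActiveCapabilityAuthorizer({"/etc/shadow": {"bob"}}, now=lambda: clock[0])
    cap = issue_capability("alice", "/data/report", "read", 1500.0, False, 1)
    once = issue_capability("alice", "/data/report", "write", 1500.0, True, 2)
    denied = issue_capability("bob", "/etc/shadow", "read", 1500.0, False, 3)
    revocable = issue_capability("alice", "/data/report", "read", 1500.0, False, 4)
    tampered = dict(cap, op="write")           # MAC no longer matches
    acl = {"/data/report": {"alice": {"read"}}}
    results = {
        "acl": acl_authorize(acl, "alice", "/data/report", "read"),
        "ok": auth.authorize(cap, "alice", "/data/report", "read")[0],
        "tampered": auth.authorize(tampered, "alice", "/data/report", "write")[0],
        "wrong_subject": auth.authorize(cap, "carol", "/data/report", "read")[0],
        "once_first": auth.authorize(once, "alice", "/data/report", "write")[0],
        "once_second": auth.authorize(once, "alice", "/data/report", "write")[0],
        "negative_acl": auth.authorize(denied, "bob", "/etc/shadow", "read")[0],
        "before_revoke": auth.authorize(revocable, "alice", "/data/report", "read")[0],
    }
    auth.revoke(4)
    results["after_revoke"] = auth.authorize(revocable, "alice", "/data/report", "read")[0]
    clock[0] = 2000.0
    results["expired"] = auth.authorize(cap, "alice", "/data/report", "read")[0]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The order of checks is deliberate: integrity first, so nothing downstream trusts unverified fields; the negative ACL before the use-once step, so a denied request does not consume the capability; and the use-once serial recorded only once all other checks pass.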
Although building a reflective security architecture is attractive from an object-oriented programming perspective, it also raises practical analysis and performance concerns. We use Java's inheritance and subclassing mechanisms to ensure the safety of dynamic security policies by applying results from type theory. Well-founded type theories offer a wealth of machinery for reasoning about the operation of security agents; in particular, they offer the prospect of proving certain properties of the security model. On the other hand, since our approach makes heavy use of Java for authentication and access control, we are investigating whether certain code libraries can be identified and optimized so that security tasks are performed very efficiently. Compiler-based techniques can also be used to optimize this security-related code and make the verification of security agents more efficient.
Please direct comments and questions to Tin Qian (tinq@cs.uiuc.edu)