Language Support for Safety
The features of the language needed to ensure that various code units do not interfere with each other, and with the system, are given next:
• Heavy address space protection mechanisms.
• Type-safe features to ensure that arrays stay in bounds, pointers are always valid, and code cannot violate variable typing (such as placing code in a string and then executing it).
• Designing a modular system, separating interfaces from implementations in programs, and with appropriate layering of libraries and module groups, with particular care being taken at the interfaces between security boundaries.
• Replace general library routines that could compromise security with more specific, safer ones. For example, a general file access routine can be replaced with one that can write files only in a temporary directory.
• Granting access to resources: Determining exactly which resources a particular code unit is to be granted access to. That is, there is a need for a security policy that determines what type of access any "mobile code" unit has. This policy may be:
  1. Restrictive but easy, and the approach currently used to handle applet security in Web browsers such as Netscape.
  2. User verifies each security-related access request: Relatively easy, but rapidly gets annoying, and eventually is self-defeating when users stop taking notice of the details of the requests. Whilst there is a place for querying the user, it should be used exceedingly sparingly.
  3. Much harder, as some basis is needed for negotiation, perhaps based on various profiles, but ultimately this is likely to be the best approach.
OS Level Security
The types of events to be monitored in association with the agent execution are very similar to those audited for the system's users. Moreover, the agents can be easily grouped and differentiated within the system. In addition to extensive authentication and authorization mechanisms, accounting and auditing mechanisms should be implemented.
In a system like "distributed agents on the go" (DAGO) (Felmetsger & Vigna, 2005), a mobile agent is viewed as an ordinary system user who logs in to the host and uses some of the system's resources for its own needs. Every incoming mobile agent is given an individual account and a unique user identifier (UID) for the duration of its execution on a host. This approach allows the hosting OS to apply to mobile agents the same set of rules and policies that are applied by the OS to all of its users.
In Unix, a number of logging, auditing, and accounting mechanisms are available to monitor the actions of its users and the status of its resources. These tools can work at the system call level and can be configured based on different types of events, such as opening and closing of files, reads and writes, programs executed, and so on. They also can allow one to specify groups of system objects to be monitored for certain activities, and can track system usage by recording statistics about CPU and memory usage, I/O operations, running time, and other forms of system resource usage, along with the user IDs of the processes involved. These tools can be easily leveraged and extended to a multiagent environment.
Mobile Code and Security Issues
A variety of customizable tools, such as SNARE — system intrusion analysis and reporting environment (SNARE, 2005) and BSM — basic security module, provide a greater degree of security assurance. SNARE is a dynamically loadable kernel module that can be used as a stand-alone auditing system or as a distributed tool. The tool can be configured to monitor events associated with certain groups of users, filter the monitored events with specific "search expressions", and submit reports in different formats and time frames. The type of events monitored can be either defined by a category (for example, system calls) or by an identifier such as "denied access".
Safety Policies for Mobile Code Programs
A safety policy is a set of restrictions placed upon locally run untrusted code to ensure that the program does not behave in a manner that is detrimental to the system or to the system security. At the very least, a safety policy should guarantee the following fundamental safety properties (Muller, 2000):
• Control flow safety: The program should never jump to and start executing code that lies outside of the program's own code segment. All function calls should be to valid function entry points, and function returns should return to the location from where the function was called.
• Memory safety: The program should not be allowed to access random locations in memory. The program should only access memory in its own static data segment, live system heap memory that has been explicitly allocated to it, and valid stack frames.
• Stack safety: The program should only be allowed to access the top of the stack. Access to other areas of the stack should be completely restricted.
These three properties, combined, offer the minimum nontrivial level of security for mobile code. More complicated security policies are possible, depending on the application.
Trust
Security is based on the notion of trust. Basically, software can be divided into two categories, namely, software that is trusted and software that is not, separated by an imaginary trust boundary. All software on our side of the trust boundary is trusted and is known as the trusted code base. All security implementations rely on some trusted code. As a result, a trust model of a particular implementation can be made. The trust model basically specifies which code is to be included in the trusted-code base and which code lies outside of the trust boundary.
At the very least, the trusted-code base should include the local operating system kernel, but can also include other items of trusted software, like trusted compilers or trusted program run-time environments (e.g., the Java interpreter). It is desirable, however, to keep the trusted-code base as small as possible to reduce the security vulnerabilities.
Performance and Security
Unfortunately, as it is in most applications, performance is sacrificed for increased security. It would, however, be profitable to have applications that are both secure and perform well at the same time. For this reason, there is much research concerned with resolving the conflict between these concepts in some way.
CONCLUSION
The purpose of this chapter is to raise readers' awareness of mobile code and various approaches to addressing the security of mobile code and agents. All of the techniques discussed in this chapter offer different approaches to combating malicious mobile code. However, the best approach is probably a combination of security mechanisms. The sandbox and code signing approaches are already hybridized. Combining these with firewalling techniques, such as the playground, gives an extra layer of security. PCC is still very much in the research and development phase at present.
In order to make the mobile code approach practical, it is essential to develop advanced and innovative solutions to restrict the operations that mobile code can perform, but without unduly restricting its functionality. It is also necessary to develop formal, extremely easy-to-use safety languages to specify safety policy.
Organizations relying on the Internet face significant challenges to ensure that their networks operate safely, and that their systems continue to provide critical services, even in the face of attack. Even the strictest of security policies will not be able to prevent security breaches. Educating users in social-engineering attacks based around mobile code is also necessary.
REFERENCES
Alfalayleh, M., & Brankovic, L. (2004). An overview of security issues and techniques in mobile agents. Retrieved from http://sec.isi.salford.ac.uk/cms/Program/CMSfinalpa.pdf
Brown, L. (1996). Mobile code security [Electronic version]. Retrieved from http://www.unsw.adfa.edu.au/~lpb/papers/mcode96.html
Chan, H. W., & Anthony. (1999). Secure mobile agents: Techniques, modeling and application. Retrieved from http://www.cse.cuhk.edu.hk/~lyu/student/mphil/anthony/term3.ppt
Felmetsger, V., & Vigna, G. (2005). Exploiting OS-level mechanisms to implement mobile code security. Retrieved from http://www.cs.ucsb.edu/~vigna/pub/2005_felmetsger_vigna_ICECCS05
Ghezzi, C., & Vigna, G. (1997). Mobile code paradigms and technologies: A case study. In K. Rothermel & R. Popescu-Zeletin (Eds.), Mobile agents, First International Workshop, MA'97, Proceedings (LNCS 1219, pp. 39-49). Berlin, Germany: Springer.
Hefeeda, M., & Bharat, B. (n.d.). On mobile code security. Center of Education and Research in Information Assurance and Security, and Department of Computer Science, Purdue University, West Lafayette, IN. Retrieved from http://www.cs.sfu.ca/~mhefeeda/Papers/OnMobileCodeSecurity.pdf
Hohl, F. (1997). An approach to solve the problem of malicious hosts. Universität Stuttgart, Fakultät Informatik, Fakultätsbericht Nr. 1997/03. Retrieved from http://www.informatik.uni-stuttgart.de/cgi-bin/ncstrl_rep_view.pl?/inf/ftp/pub/library/ncstrl.ustuttgart_fi/TR-1997-03/TR-1997-03.bib
Hohl, F. (1998). Time limited blackbox security: Protecting mobile agents from malicious hosts. Retrieved from http://citeseer.ist.psu.edu/hohl98time.html
Hohl, F. (1998). Mobile agent security and reliability. Proceedings of the Ninth International Symposium on Software Reliability Engineering (ISSRE '98).
Hohl, F. (1998). Time limited blackbox security: Protecting mobile agents from malicious hosts. Mobile Agents and Security, LNCS 1419. Springer-Verlag.
IBM Aglets. (2002). Retrieved from http://www.trl.ibm.com/aglets/
Jansen, W., & Karygiannis, T. (n.d.). Mobile agent security (NIST Special Publication 800-19). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-19/sp800-19.pdf
Java Agent Development Framework. (2005). Retrieved from http://jade.tilab.com/
Karjoth, G., Lange, D. B., & Oshima, M. (1997). A security model for aglets. IEEE Internet Computing, 1(4), 68-77 [Electronic version]. Retrieved from http://www.ibm.com/java/education/aglets/
Loureiro, S., Molva, R., & Roudier, Y. (2000, February). Mobile code security. Proceedings of ISYPAR 2000 (4ème Ecole d'Informatique des Systems Parallèles et Répartis), Code Mobile, France. Retrieved from www.eurecom.fr/~nsteam/Papers/mcs5.pdf
Lucco, S., Sharp, O., & Wahbe, R. (1995). Omniware: A universal substrate for mobile code. In Fourth International World Wide Web Conference, MIT [Electronic version]. Retrieved from http://www.w3.org/pub/Conferences/WWW4/Papers/165/
McGraw, G., & Morrisett, G. (2000). Attacking malicious code. Retrieved from http://www.cs.cornell.edu/Info/People/jgm/lang-based-security/maliciouscode.pdf
Mobile Code and Mobile Code Security. (2005). Retrieved from http://www.cs.nyu.edu/~yingxu/privacy/0407/main.html
Mobile Code Security. (1996) [Electronic version]. Retrieved from http://www.unsw.adfa.edu.au/~lpb/papers/mcode96.html
Mobile Code Security and Computing with Encrypted Functions [Electronic version]. Retrieved from http://www.zurich.ibm.com/security/mobile
Motlekar, S. (2005). Code obfuscation. Retrieved from http://palisade.paladion.net/issues/2005Aug/code-obfuscation/
Muller, A. (2000). Mobile code security: Taking the Trojans out of the Trojan horse. Retrieved from www.cs.uct.ac.za/courses/CS400W/NIS/papers00/amuller/essay1.htm
Necula, G. C., & Lee, P. (1998). Safe, untrusted agents using proof-carrying code. Lecture Notes in Computer Science, 1419. Springer-Verlag.
Oppliger, R. (2000). Security technologies for the World Wide Web. Computer Security Series. Artech House Publishers.
Proof-Carrying Code. (2002). Retrieved from http://raw.cs.berkeley.edu/pcc.html
Robust Obfuscation. (2005). Retrieved from http://www.cs.arizona.edu/~collberg/Research/Obfuscation/
Roger, A. G. (2001). Malicious mobile code: Virus protection for Windows [Electronic version]. O'Reilly & Associates.
Rubin, A. D., & Geer, D. E. (1998). Mobile code security. IEEE Internet Computing.
Sander, T., & Tschudin, C. (1998a). Towards mobile cryptography. Proceedings of the IEEE Symposium on Security and Privacy.
Sander, T., & Tschudin, C. (1998b). Protecting mobile agents against malicious hosts [Electronic version]. In G. Vigna (Ed.), Mobile agents and security, Lecture Notes in Computer Science, 1419 (pp. 44-60). Retrieved from http://citeseer.ist.psu.edu/article/sander97protecting.html
SNARE — System iNtrusion Analysis and Reporting Environment. (2005) [Electronic version]. Retrieved from http://www.intersectalliance.com/projects/Snare
Telescript Language Reference. (1995). Retrieved from http://citeseer.ist.psu.edu/inc95telescript.html
Tennenhouse, D. L., & Wetherall, D. J. (1996). Towards an active network architecture. Computer Communication Review. Retrieved from http://www.tns.lcs.mit.edu/publications/ccr96.html
Vigna, G. (1997, June). Protecting mobile agents through tracing. Proceedings of the 3rd ECOOP Workshop on Mobile Object Systems, Jyväskylä, Finland. Retrieved from http://www.cs.ucsb.edu/~vigna/listpub.html
This work was previously published in Web Services Security and E-Business, edited by G. Radhamani and G. Rao, pp. 75-92, copyright 2007 by IGI Publishing (an imprint of IGI Global).
Chapter 7.15
Secure Authentication Process for High Sensitive Data E-Services: A Roadmap
Claudio Agostino Ardagna
University of Milan, Italy
Ernesto Damiani
University of Milan, Italy
Fulvio Frati
University of Milan, Italy
Salvatore Reale
Siemens Mobile Communication S.p.A., Italy
EXECUTIVE SUMMARY
The widespread diffusion of online services provided by public and private organizations, firstly driven by commerce and more recently by e-government applications, has stressed the need for secure ways to authenticate users who need to access online resources. The huge number of resources accessible on the Web leads to different authentication mechanism implementations that often require multiple log-on actions, also in an intradomain multiservice scenario. In the case of highly sensitive services, users' authentication plays a role of paramount importance. In this article, a case study is presented that gives a roadmap of authentication mechanisms implemented at different levels of the services' software structure. The discussion starts by illustrating different authentication solutions implemented at operating system, application server or component level, to conclude with the Single Sign-On (SSO) approach. For each solution, pros and cons are discussed. The SSO system, called CAS++, developed as an extension to Yale University's CAS, is then presented.
ORGANIZATION BACKGROUND
Established in early July 2002, Siemens Mobile Communications S.p.A. (SMC) is involved in mobile networks for Italy and fixed and mobile network access systems (for the international market). It works in close collaboration with the Siemens AG Information and Communication Mobile group. The company is among the foremost research and development centers in the telecommunications industry, with a large percentage of its staff employed at the Cassina de' Pecchi and Cinisello Balsamo (Milan) premises. Manufacturing mainly takes place at the Marcianise plant (in the province of Caserta), as well as in Cassina.
Turnover for 2003–2004 came in at 1,171 million euros, with staff levels at 2,562.
Siemens Mobile Communications' business divisions are marked by their aggressively market-oriented approach and a commitment to excellence in partnerships with mobile operators – regardless of whether they are new or existing clients – in every area of telecommunications, fully capitalizing on the synergies offered by the Siemens Information and Communications group in Italy and internationally. The company comprises two business divisions:
• The Communication division proposes itself as one of the leading companies in the mobile communication market. Its products are made to answer in the best possible way to the requirements of the customers. The infrastructure range includes technologies for GSM, GPRS and 3G systems. The processes of technological innovation realized by the research centers place Siemens always at the highest level in the development of new technologies for the Mobile Network.
• The Networks division has a lead-house role in Siemens with the mission of developing, manufacturing, promoting, selling, and supporting microwave and WiMAX products. Siemens offers innovative radio products and solutions for the transmission and access to the mobile and fixed networks, thanks to the proven turn-key capability and world-wide presence.
SETTING THE STAGE
The increasing usage of GSM mobile phones and the upcoming of a new generation of mobile systems (called third-generation or 3G) have led to the development of applications that manage the mobile network and provide new services to users.
In this scenario, every network technician that has to use multiple parallel services must manage several username/password pairs, raising a great amount of security concerns (Bettini, Jajodia, Sean Wang & Wijesekera, 2002). In particular, when the organization manages very sensitive data, the main problem that has to be addressed is the efficiency and security of the authentication process, the first point of contact between users and systems. Hence, in this scenario, the major challenges were to improve the authentication process in order to avoid malicious accesses, privacy violations and data correlation. The importance of security mechanisms, in fact, arose when a solution for remote management had been adopted for simplifying and improving network management performance. In this scenario, the high sensitivity of the information and the risks introduced by the adoption of remote services required a strong solution to security issues.
The presented case study, named "Pitagora Project", is managed in the context of a joint research project that involved Siemens Mobile Communication S.p.A. and the Software Engineering and Advanced Architectures Group of the Department of Information Technology of Crema (DTI), University of Milan. This project, started in January 2004, is focused on security
and authentication issues applied to real-life experiences of Information Technology (IT) in an important organization.
Project Pitagora gave a solution that allowed the implementation of a security architecture, also in an e-services scenario, that integrated and protected all the services, components, and applications composing the studied environment. More in detail, this environment included the following innovative applications in the field of mobile communication:
• IMW (March 2004 to November 2004), which provided and controlled the access, requested by users/technicians, to the Operation and Maintenance Center system (OMC), the system used to manage the network elements that composed the real mobile network. In particular, users were able to manage, configure and check the OMC mobile network using different technologies and devices, such as traditional PCs/laptops, PDAs, and mobile phones. Hence, IMW managed all the communication processes between users and the OMC system, through different technologies such as Web browsers and the HTTP/HTTPS protocol, WAP browsers, and SMS. IMW kept the technicians informed on the supervised network state, notifying alarms and warnings to which the users were previously registered. To conclude, the users could configure and detect the components' state, receiving alarm notifications in case of hardware or software failures, and could try to solve the problems running actions and tests over the damaged components. To summarize, IMW fulfilled all the requirements for the remote management environment for mobile networks.
• i-Geo, an application involved in the geo-location of customers' mobiles (Anisetti, Bellandi, Damiani & Reale, 2005). In particular, the i-Geo tool allowed the definition of the number and position of mobile antennas, the calculation of the produced electromagnetic field, the calculation of the sensibility map, the geo-location of a mobile phone and, finally, the computation of the path of a mobile phone during a time interval. Future enhancements could be provided to compute the best antenna positions to optimize the mobile signal coverage. The i-Geo application implementation, started in September 2004, is still under development. Its first version was completed in April 2005.
• GEMFIS, developed in 2004, used to monitor the network usage focusing on maximizing performance and guaranteeing a healthy environment, with respect to the current laws (Damiani & Montel, 2005; Montel, 2004). GEMFIS provided features for memorization, visualization, and management of the environmental data. In particular, it provided information about the electromagnetic field and acoustic level compared with environmental rules. It also managed a historical database related to the installed facilities, disposal of waste material, and variation of the electromagnetic field.
Both of the proposed applications hold and manage a huge amount of sensitive data or services that must be protected from unauthorized accesses. The risks of malicious actions increase in case of remote requests and interactions. In this scenario, as said before, the need for a stable and strong mechanism to authenticate the users arises. Before the Pitagora Project, Siemens managed several parallel applications as stand-alone services, each with its own authentication mechanism based on username-password pairs. In particular, all the users/technicians that had to use these applications were faced with different types of authentication processes and different sets of authentication information, thus increasing the probability of errors or intrusions, a problem that Siemens wanted to solve to be able to expose the services to the Net.
CASE DESCRIPTION
Accessing information on the global Net has become a fundamental requirement of the modern economy. Recently, focus has shifted from access to traditional information stored in WWW sites to e-services such as e-government services, remote banking, or airline reservation systems (Corallo, Cremonini, Damiani, De Capitani di Vimercati, Elia & Samarati, 2005; Damiani, Khosla & Grosky, 2003; Feldman, 2000). In particular, the perceived importance of e-services is growing and, consequently, many works try to develop methods and models to make the e-services development process uniform. Today, it is widely acknowledged that e-services should follow a layered software structure as outlined in Figure 1. The structure depicted also fits the real case described in this article, and it is composed of three layers, where the first comprises a community of e-services components, managed by an application server (second layer), in turn running on an Operating System platform (third layer). More in detail:
• E-services components layer. All software components that implement an e-Service.
• Application server layer. Middleware over which the applications will be deployed. It provides some additional functionalities such as management of security and persistence. In this manner, the developer can focus on the implementation of application components.
• Operating system layer. Operating System platform over which the applications will be distributed.
Figure 1. E-services three-layered structure
In this scenario, where data represent one of the major critical assets for the enterprises and are shared among strangers, the need for security arises, becoming the most critical issue in e-services implementations. The fact that users are potentially strangers during a negotiation makes security a research issue involving and affecting several fields, such as access control, trust and reputation, and several technologies, such as biometric systems. This article, however, focuses on the major authentication solutions for e-services, discussing their pros and cons, in an e-services three-layered structure. Then, it presents and discusses single sign-on and federation approaches, which are the emergent technologies providing an infrastructure to integrate and coordinate authentication processes.
The discussion starts from the experience gathered in a real case study involving Siemens Mobile Communication S.p.A. and the University of Milan. In particular, Siemens Mobile Communication S.p.A. had perceived the need to open its applications to the technicians also through the Net and not only in a closed network. The exposition of the application interface had introduced the need of redesigning and strengthening the authentication process, due to the high sensitivity of the exchanged data, whose corruption or unauthorized release could cause enormous economic losses. This sensitivity, in fact, had in the past defeated any attempt to expose Siemens services to the technicians through the Net, and had imposed the definition of several restrictive requirements that the security architecture must fulfill to reduce intrusion risk close to zero.
CURRENT CHALLENGES/PROBLEMS FACING THE ORGANIZATION
Before describing the solution for the case study, the roadmap which led to its adoption is presented, explaining the pros and cons of all the analyzed authentication practices. The following solutions represent the most important methodologies in current e-services implementations.
Looking at the picture in Figure 1, the three-level structure of e-services could implicitly suggest the application of an authentication mechanism at one of its layers. In formalizing Pitagora's components, each level was examined and studied to implement an authentication mechanism.
In the following sections, the resulting three scenarios together with emergent solutions are presented, and each approach is described focusing on the advantages and disadvantages that it provided.
Operating System Level Authentication
The first considered solution was to rely on the authentication features provided directly by the operating system platforms. Each user (in this case a technician) that tried to enter the system had to provide her credentials (username and password) at system start-up. Operating systems internally manage a user repository that grants access only to registered users, associated with simple authorization roles (e.g., administrator and guest).
If the login process succeeded, applications based on the operating system repository retrieved and collected username and role through predefined system calls, and used them to grant service access whenever possible, based on their authorization rules.
This solution, even if it reduced the effort in user and authentication process management and avoided any code customization, raised a set of crucial issues. First of all, the operating system account repository (composed only of username and role) is not fully satisfactory for what concerns the management of access control in e-services and, therefore, applications had to maintain their own user account repository, reducing all the benefits given by this solution.
Usually, the roles managed by applications were more than two (administrator and guest), and additional credentials were needed to determine which actions the user could perform. Furthermore, the user that gained access could not be the one that made use of the application, since system and application start-up could happen at different time instants, without certainty about the identity of the user that was accessing the application.
Finally, operating systems do not provide standard methods to obtain logon information, requiring a system-dependent authentication process.
Due to the concerns mentioned above, operating system level authentication was not applicable to the Pitagora Project, and alternative solutions were explored.
Application Server Level Authentication
Going up in the pyramid structure depicted in Figure 1, the focus switched from the operating system to the application server layer, which is responsible for the lifecycle management of the applications and provides additional horizontal functionalities such as management of security and persistence. The authentication process, then, could be easily delegated to the Application Server, taking advantage of the horizontal functionalities and libraries that application servers provide. In particular, Pitagora's applications were based on JBoss (JBoss, 2005; Scott, 2003), a widely accepted Open Source J2EE-compatible Application Server, kept up to date with the J2EE specifications and whose proposals are often taken into account in their formalization.
JBoss allows a complete security environment implementation without custom programming inside business components (Ardagna, Damiani, Frati & Montel, 2005; Damiani & Montel, 2005). Current J2EE specifications define a simple role-based security model for Enterprise Java Beans (EJBs) and Web components. JBoss provides a component framework that handles security. The JBoss security extension provides support for both the role-based security model as well as integration of custom security through a security proxy layer.
The default implementation of the security model is based on Java Authentication and Authorization Service (JAAS) login modules and subjects, which are the package enabling services to authenticate and enforce access controls upon users. The security model advocated by the J2EE specifications is a declarative model, and security roles and permissions are described using a standard XML descriptor rather than embedding security into business components.
By configuring the JAAS login modules bundled with JBoss, the integration of security without custom programming can be completed and supported. JAAS includes a set of standard modules for the use of file-, database- and Lightweight Directory Access Protocol (LDAP)-based security information. Every user is able to write their own security modules that fulfil more specific requirements.
In particular, the development of a security environment is composed of three main parts: configuration of a database security domain, definition of the authentication process, and specification of the authorization process. All these phases are entirely accomplished through the customization of Application Server (JBoss and Tomcat) specific deployment descriptors. Tomcat is a Web server and servlet container, bundled with the JBoss application server, responsible for the management of Web applications; it provides several functionalities, such as security functionalities, by means of deployment descriptor (XML file) customization. To add the chosen database configuration to the application, the JBoss login-config.xml file is configured, defining the following modules (see Figure 2): (1) dsJndiName: JNDI name of the database containing user and role tables; (2) principalsQuery: SQL statement to retrieve the password for a specific user; (3) rolesQuery: SQL statement to retrieve a user's roles; (4) hashAlgorithm: hashing algorithm used to protect the stored passwords; (5) hashEncoding: statement to select the encoding algorithm to convert the binary hash value to a string.
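As an added example (not the chapter's own configuration nor the Pitagora Project's), the three JBoss 4-era descriptors the two preceding paragraphs describe, wired together: the login-config.xml application policy using the bundled DatabaseServerLoginModule with the five module options listed above, the jboss-web.xml binding that selects that policy for a Web application, and the declarative web.xml constraints that replace security code inside business components. The policy name, datasource JNDI name, table and column names, URL pattern and role name are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- File 1: conf/login-config.xml (server-wide). Defines the security domain. -->
<!DOCTYPE policy PUBLIC "-//JBoss//DTD JBOSS Security Config 3.0//EN"
    "http://www.jboss.org/j2ee/dtd/security_config.dtd">
<policy>
  <!-- "pitagora-domain" is an assumed name; it is referenced from jboss-web.xml below. -->
  <application-policy name="pitagora-domain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                    flag="required">
        <!-- (1) dsJndiName: the datasource holding the user and role tables (assumed name). -->
        <module-option name="dsJndiName">java:/PitagoraDS</module-option>

        <!-- (2) principalsQuery: must return exactly one column, the stored password value.
             The "?" placeholder is bound to the submitted username by the module, so the
             username is never concatenated into the SQL text. -->
        <module-option name="principalsQuery">
          SELECT password_hash FROM users WHERE username = ?
        </module-option>

        <!-- (3) rolesQuery: must return two columns, the role name and the role group.
             The group 'Roles' is the one J2EE authorization checks against. -->
        <module-option name="rolesQuery">
          SELECT role_name, 'Roles' FROM user_roles WHERE username = ?
        </module-option>

        <!-- (4) hashAlgorithm: the module hashes the submitted password with this
             algorithm and compares the result with the value returned by principalsQuery,
             so the users table must store hashes produced the same way.
             A single unsalted digest of a user-chosen password is weak against offline
             guessing; treat this as the minimum the module offers, not as best practice. -->
        <module-option name="hashAlgorithm">SHA-256</module-option>

        <!-- (5) hashEncoding: how the binary digest is rendered as a string for comparison
             (base64 or hex); it must match the encoding used when the hashes were stored. -->
        <module-option name="hashEncoding">base64</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>

<!-- File 2: WEB-INF/jboss-web.xml (per application). Binds the webapp to the domain above. -->
<jboss-web>
  <security-domain>java:/jaas/pitagora-domain</security-domain>
</jboss-web>

<!-- File 3: WEB-INF/web.xml (per application). The declarative part: which URLs need
     which role, and that the exchange must run over HTTPS. No security code in the EJBs. -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>OMC management pages</web-resource-name>
      <url-pattern>/omc/*</url-pattern>   <!-- assumed path -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>technician</role-name>   <!-- assumed role; must appear in rolesQuery results -->
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL forces the container to redirect plain HTTP requests to HTTPS,
           so the username/password form is never submitted in clear. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>technician</role-name>
  </security-role>
</web-app>
```

The three fragments are separate files; they are shown in one block only so the chain from module option to URL constraint can be read top to bottom.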