Security Models
Yuri Demchenko
Advanced Internet Research Group (AIRG)
University of Amsterdam
demch@science.uva.nl
www.eu-egee.org
INFSO-RI-508833
Enabling Grids for E-sciencE
Outline
Addressing Known Security Vulnerabilities
• Grid Operational Centers (and the JSPG :-) know the major security vulnerabilities
– Those that are actually obvious, and the reason why each one happened
– We can expect more to be discovered once we apply regular security vulnerability analysis and risk assessment
• What approach should security/operational people take?
– Actively search for vulnerabilities, OR wait until somebody else discovers and (mis)uses them
• (Already perceived) problems
– There is no common approach/model for analysing security vulnerabilities in Web Services and Grids
– All security models and methodologies are complex and multifaceted
Grid is new but not unique: better to learn from others' experience
This needs some effort and the willingness to learn, or to listen to experts
Vulnerability-Incident life-cycle
Basic steps in attacking methodology
(Figure: attack steps; the recoverable labels are "Unauthorised use of Resource" and "Clean or forge track of activity".)
Known Vulnerabilities and Threats Classifications
• OWASP (Open Web Application Security Project)
– http://www.owasp.org/documentation/topten.html
– Developed in 2003-2004 and industry adopted
• EVDL (Enterprise Vulnerability Description Language)
– OASIS WG
– http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=was
• Web Applications Security Threats Model by Microsoft
– http://msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp
• XML Web Services Security Vulnerabilities/Threats
classification
– Proposed in MJRA3.4 and updated in MJRA3.6
Top 10 OWASP vulnerabilities
• A1 - Unvalidated Input
• A2 - Broken Access Control
• A3 - Broken Authentication and Session Management
• A4 - Cross Site Scripting (XSS) Flaws
• A5 - Buffer Overflows
• A6 - Injection Flaws
• A7 - Improper Error Handling
• A8 - Insecure Storage
• A9 - Application Denial of Service
• A10 - Insecure Configuration Management
XML Web Services threats/attacks classification (1)
• XWS1 – Web Services Interface probing
– WSDL scanning, WSDL parameters tampering, WSDL error
interface probing
• XWS2 – XML parsing system
– Recursive XML document content, oversized XML document
• XWS3 – Malicious XML content
– Malicious code exploiting known vulnerabilities in back-end
applications, viruses or Trojan horse programs, malicious XPath
or XQuery built-in operations, malicious Unicode content
• XWS4 – External reference attacks
– Malicious XML Schema extensions, namespace resolution
manipulation, external entity attacks
XML Web Services threats/attacks classification (2)
• XWS5 – SOAP/XML Protocol attacks
– SOAP flooding attack, replay attack, routing detour, message
eavesdropping, "Man-in-the-middle" attack
• XWS6 – XML security credentials tampering
– XML Signature manipulation, secure XML content manipulation,
Unicode content manipulation, XML credentials replay,
application session hijacking
• XWS7 – Secure key/session negotiation tampering
– Poor WS-Security implementation, poor key generation, poor
key/trust management; weak or custom encryption
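Added example, not code from the slides or from any EGEE/WS-Security implementation: a minimal receiver-side guard for the replay items in XWS5 and XWS6 and for message tampering, in Python. An HMAC over timestamp, nonce and body stands in for an XML Signature; the shared key, the names and the messages are constructed. The point it shows is the order of the checks (integrity, then freshness, then uniqueness) and why the nonce cache only needs to cover the freshness window.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret; stands in for the key negotiated via WS-Security (XWS7).
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def _mac(key: bytes, ts: int, nonce: str, body: str) -> str:
    # The MAC binds timestamp, nonce and body together, so none can be altered alone.
    msg = f"{ts}|{nonce}|{body}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_message(key: bytes, body: str, now: int, nonce: str = "") -> dict:
    """Sender side: attach a timestamp, a fresh random nonce and a MAC."""
    nonce = nonce or secrets.token_hex(8)
    return {"ts": now, "nonce": nonce, "body": body, "mac": _mac(key, now, nonce, body)}


class ReplayGuard:
    """Receiver side: verify integrity, freshness and uniqueness, in that order."""

    def __init__(self, key: bytes, window: int = 300):
        self.key = key
        self.window = window   # seconds a message stays acceptable (assumed value)
        self._seen = {}        # nonce -> timestamp, for replay detection

    def verify(self, msg: dict, now: int) -> str:
        # 1. Integrity first: forged messages must not be able to probe the
        #    nonce cache or the clock check.
        expected = _mac(self.key, msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["mac"]):
            return "rejected: bad-mac"
        # 2. Freshness: outside the window the nonce may already have been purged,
        #    so stale messages are refused regardless of the cache.
        if abs(now - msg["ts"]) > self.window:
            return "rejected: stale"
        # 3. Uniqueness within the window: a second copy is a replay.
        self._purge(now)
        if msg["nonce"] in self._seen:
            return "rejected: replay"
        self._seen[msg["nonce"]] = msg["ts"]
        return "accepted"

    def _purge(self, now: int) -> None:
        # Drop nonces older than the window; anything that old fails check 2 anyway.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= self.window}


if __name__ == "__main__":
    guard = ReplayGuard(SHARED_KEY)
    original = sign_message(SHARED_KEY, "goLeft()", now=1000)
    print("first delivery :", guard.verify(original, now=1001))
    print("replayed copy  :", guard.verify(original, now=1002))
    tampered = dict(original, body="goRight()")
    print("tampered body  :", guard.verify(tampered, now=1003))
```

A real WS-Security deployment carries the same three elements in the SOAP header (wsu:Timestamp, a nonce in the security token, and an XML Signature over both and the body); the failure modes are identical.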
Threats/Attacks grouping in interacting services
(Figure: the Requestor/User and the Site Services/Resources exchange SecureCreds, SrvReqst, SrvDeliv and SecureAssert messages, with Accounting/Logging at the site; the vulnerability points are marked UCV, ESV and SMV, and the malefactor is marked MIA.)
• UCA – User-Initiated Credentials Attacks
– Creds theft
– Creds compromise
– User impersonation
• WIA – Wire Intelligence Attacks
– Network eavesdropping
– "Man in the middle" (MITM)
– Brute force
– Credentials compromise
– Replay/session hijack
– XML/SOAP protocol
• ESA – End Service Attacks
– DoS attacks
– Brute force
– Dictionary attacks
– WSDL probing
– Malicious input
– XSS
– XML/SQL injection
– Dynamic XML
– Malicious content
– Misuse & quota
• SMA – Service Management Attacks
– Configuration vulnerabilities
– Improper key/trust management
– Improper privilege management
– Improper error handling
– Insecure audit/log
Threats/Attacks grouping (1)
Security models for interacting Grid/XWS services
(Figure: the same Requestor/User and Site Services/Resources exchange of SecureCreds, SrvReqst, SrvDeliv and SecureAssert, with Accounting/Logging at the site; the attack groups UCA, ESA and SMA are placed at the points where they apply.)
Requestor/User site security zones
• Zone X – External Creds Storage (X.509 PKCert)
• Zone D – Local Creds Storage (X.509 PKCert)
• Zone C – Proxy/Client Cache (Temp/Proxy Creds Storage)
• Zone B – Cookie/SessionID
• Zone A – Internet Zone Applets
Service/Resource site security zones
Request path from the network inward, with the function of each zone:
• Req/User Client/System – Internet/Network Access
• FW – perimeter firewall
• Appl Srvr/Contnr – Identity/Attributes (TA/BA/VO Contx): Creds, Attrib
• AuthN (SSO) – Site AuthN, backed by UserDB
• AuthZ (Policy Enforcement) – Site AuthZ: PEP and PDP
• Resource IF/Agent (IntFW) – Resource Manager: ACL (ResAuthZ)
• Resource/Service – Resource (Local FileSyst)
Example use of security models
Authorisation Service operation in a CNL2 Demo system
(Sequence diagram; components and numbered calls recovered from the figure.)
Components:
• CHEF – collaborative tool (user login, delivers the JNLP)
• Surabaya – collaborative workspace environment (job information)
• Web Client – launched via JNLP (Java Network Launch Protocol)
• Remote CNL Instrument – Instrument Controller with its PEP, reached over the instrument protocol
• gAAA Server – authorisation decision
Numbered calls as placed in the diagram (paired numbers are request and response):
1. Login (CHEF)
2. JNLP (CHEF to Web Client)
3. JNLP (Web Client to Remote CNL Instrument)
4. getJobInfo() (Surabaya)
5, 10. startSession() (Web Client to Instrument Controller)
6, 9. startSession() (Instrument Controller to PEP)
7, 8. requestDecision() (PEP to gAAA Server)
11, 14. goLeft() (Web Client to Instrument Controller)
12, 13. checkAuthZStatus() (Instrument Controller to PEP)
Security and trust issues in the OCE Job-centric security model
(Figure: Customer, Broker and Resource (Site Services/Resources) domains; the recoverable elements are listed below.)
Customer domain:
• Org Biz/Admin – issues the Order/OrderDoc
• PI/Admin – issues the Job/JobDescr and AdmT; TA2 RBAC
• Users, User CT, UserDB, AuthN/SSO, AuthnTkt
Broker:
• CRM – OrderDoc (document), JobDescr
Resource domain:
• RAM – Order (template/instance), Job Policy (template/instance)
• Resource Agent, Resource IF, Resource/Service
• AA – UserList, Attributes DB
• AuthN/SSO, AuthzReq, Policy, PEP/PDP, AuthzTkt, SrvDeliv
Trust anchors and trust paths: TA1 in the Order (TR8/TA1), TA2 in the JobDescr (TR3/TA2); trust paths TR1 to TR8 lead from the root (resource).
TA – Trust Anchor; TR# – trust path from root (resource); RAM – Resource Allocation and Management; UserCT – User Collaborative Tools
Trust relations in distributed access control infra
(Figure: the job-centric diagram from the previous slide, annotated with the trust/credentials chain and delegation between the major modules.)
Trust/credentials chain and delegation between major modules:
User => HomeOrg.staff(TA2) => Job.members => Member.roles => Role.permissions
Summary and next steps
Additional materials
• Users vs hackers
• Application security layers
• Host security components
• Implementation suggestions for OCE/CNL Job-centric
security architecture
Users vs hackers
Application Security Layers
(Figure: layered application security stack; only the "Operating System" layer label is recoverable.)
Host security components
Trust relations in distributed Access Control
Implementation suggestions for the OCE/CNL security model
– The root of trust and authority belongs to the Resource
– The trust anchor TA2 embedded in the Job Description is the main trust anchor shared between the resource and the customer.
In a more business-integrated model the signed Order may contain TA1.
Both TA2 and TA1 may have the same trust path to the root/resource.
– To become a shared trust anchor for the resource and customer trust domains, the Order or JobDescription must contain mutually signed credentials/certificates
– Although the main PEP operation assumes an authorisation decision request to the trusted PDP, in general the PEP may accept an AuthzTicket from another trusted/external PDP
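Added example, not code from the slides or from the OCE/CNL implementation: a Python model of the delegation chain from the trust-relations slide (User => HomeOrg.staff(TA2) => Job.members => Member.roles => Role.permissions) together with the last suggestion above, a PEP that normally asks its own PDP but will accept an AuthzTicket from another PDP only if that PDP is in its trust list. The class and field names, the trust-anchor identifiers, the job, the users and the ticket lifetime are all constructed; signature checking of the job description and of tickets is assumed to have happened already and is not modelled.

```python
from dataclasses import dataclass


@dataclass
class JobInstance:
    """Job description instance. Its trust anchor (TA2) is the authority that signed it;
    membership and roles travel inside the job, which is what lets the job act as the
    anchor shared by the customer's and the resource's trust domains."""
    job_id: str
    trust_anchor: str
    members: dict            # user -> role
    role_permissions: dict   # role -> set of permitted actions


class HomeOrgAA:
    """Customer-side attribute authority: vouches that a user is HomeOrg staff."""

    def __init__(self, staff):
        self._staff = set(staff)

    def is_staff(self, user: str) -> bool:
        return user in self._staff


@dataclass
class AuthzTicket:
    subject: str
    action: str
    job_id: str
    decision: str   # "Permit" or "Deny"
    issuer: str     # name of the PDP that produced it
    expires: int    # unix time after which the ticket is void
    reason: str = ""


class PDP:
    """Walks the chain User => HomeOrg.staff(TA2) => Job.members => Member.roles => Role.permissions."""

    def __init__(self, name, trusted_anchors, home_org_aa, ticket_ttl=600):
        self.name = name
        self.trusted_anchors = set(trusted_anchors)   # anchors with a trust path to the resource root
        self.home_org_aa = home_org_aa
        self.ticket_ttl = ticket_ttl                   # assumed lifetime of issued tickets

    def decide(self, user, action, job, now) -> AuthzTicket:
        def ticket(decision, reason):
            return AuthzTicket(user, action, job.job_id, decision, self.name, now + self.ticket_ttl, reason)

        if job.trust_anchor not in self.trusted_anchors:
            return ticket("Deny", "job trust anchor not chained to resource root")
        if not self.home_org_aa.is_staff(user):            # HomeOrg.staff(TA2)
            return ticket("Deny", "not HomeOrg staff")
        role = job.members.get(user)                        # Job.members -> Member.roles
        if role is None:
            return ticket("Deny", "not a job member")
        if action not in job.role_permissions.get(role, set()):   # Role.permissions
            return ticket("Deny", f"role {role} has no {action} permission")
        return ticket("Permit", f"{user} as {role}")


class PEP:
    """Resource-side enforcement point. Asks its own PDP by default, but accepts a
    ticket presented by the requestor if it was issued by a PDP on the trust list."""

    def __init__(self, pdp, trusted_external_pdps=()):
        self.pdp = pdp
        self.trusted_issuers = set(trusted_external_pdps) | {pdp.name}

    def enforce(self, user, action, job, now, ticket=None) -> str:
        if ticket is None:
            ticket = self.pdp.decide(user, action, job, now)
        # An externally issued ticket is checked the same way as a local one.
        if ticket.issuer not in self.trusted_issuers:
            return "Deny: untrusted ticket issuer"
        if ticket.expires <= now:
            return "Deny: ticket expired"
        if (ticket.subject, ticket.action, ticket.job_id) != (user, action, job.job_id):
            return "Deny: ticket does not match request"
        if ticket.decision != "Permit":
            return f"Deny: {ticket.reason}"
        return f"Permit: {ticket.reason}"


# Constructed sample data (not from the slides).
JOB = JobInstance("job-17", "TA2",
                  members={"alice": "experimenter", "bob": "observer"},
                  role_permissions={"experimenter": {"startSession", "goLeft"},
                                    "observer": {"getJobInfo"}})
HOME_ORG = HomeOrgAA(["alice", "bob", "carol"])
SITE_PDP = PDP("site-pdp", trusted_anchors={"TA2"}, home_org_aa=HOME_ORG)
SITE_PEP = PEP(SITE_PDP, trusted_external_pdps={"external-pdp"})

if __name__ == "__main__":
    for user, action in [("alice", "goLeft"), ("bob", "goLeft"), ("carol", "goLeft"), ("mallory", "goLeft")]:
        print(f"{user:8s} {action:12s} -> {SITE_PEP.enforce(user, action, JOB, now=1000)}")
```

Every Deny carries the step of the chain at which it failed, which is what an operator needs in the audit log; the chain is evaluated strictly in order so a user outside HomeOrg is never matched against job membership at all.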