Scribd Logo
Upload

Welcome to Scribd!

  • Three Design Patterns For Secure Distributed Systems Alan H. Karp Kevin Smathers

    Uploaded by

    Kristin Pate
    45 views38 pages
    Three design patterns are proposed to improve security in distributed systems: 1) Separate authorization from access control to simplify management and scaling; 2) Mediate between clients and services to enforce policies and audit trails without trusting either; 3) Use a local proxy for remote users to limit damage from attacks and enforce local policies. These patterns aim to address issues arising from untrusted components, dynamic changes, and lack of central control in distributed environments.

    Original Description:

    ppt hp

    Original Title

    Secure Patterns

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Three design patterns are proposed to improve security in distributed systems: 1) Separate authorization from access control to simplify management and scaling; 2) Mediate between clients and services to enforce policies and audit trails without trusting either; 3) Use a local proxy for remote users to limit damage from attacks and enforce local policies. These patterns aim to address issues arising from untrusted components, dynamic changes, and lack of central control in distributed environments.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    45 views38 pages

    Three Design Patterns For Secure Distributed Systems Alan H. Karp Kevin Smathers

    Uploaded by

    Kristin Pate
    Three design patterns are proposed to improve security in distributed systems: 1) Separate authorization from access control to simplify management and scaling; 2) Mediate between clients and services to enforce policies and audit trails without trusting either; 3) Use a local proxy for remote users to limit damage from attacks and enforce local policies. These patterns aim to address issues arising from untrusted components, dynamic changes, and lack of central control in distributed environments.

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 38

    Three Design Patterns for

    Secure Distributed Systems


    Alan H. Karp
    Kevin Smathers

    Hewlett-Packard Laboratories

    The Eight Fallacies of Distributed


    Computing

    The network is reliable


    Latency is zero
    Bandwidth is infinite
    The network is secure
    Topology doesn't change
    There is one administrator
    Transport cost is zero
    The network is homogeneous
    Peter Deutsch

    Secure Distributed Systems

    Aspects of Security Not Covered

    Physical security
    Has the hardware or software been corrupted?
    Is someone reading my keystrokes?
    Is my private key safe from a sledgehammer?
    Authentication
    Who am I talking to?
    Authorization
    How do I decide what this party is allowed to do?
    Non-repudiation
    Can I pretend I never made this deal?
    Privacy
    Can someone I dont know about see this thing?
    Secure Distributed Systems

    Aspects of Security Covered

    Anonymity
    Who can know Ive seen this thing?
    Auditing
    How do I know who did what to whom when?
    Access control
    Should I honor this request?

    Denial of service

    Can my machine be rendered unusable?

    Secure Distributed Systems

    Assumptions
    Modest scale Extremely large scale
    Relatively static Wildly dynamic
    Trusted remote systems Malicious remote systems
    Reasonably homogeneous Heterogeneity rules the day

    Little sharing across domains Be all and end all

    Secure Distributed Systems

    Patterns

    Separate authorization from access control

    Enhances scalability
    Eases crossing administrative boundaries

    Mediate between requester and service

    Enforces audit policies


    Simplifies access control decisions

    Use a local proxy for remote users

    Improves control over remote parties


    Prevents some attacks
    Limits damage done when attack succeeds

    Secure Distributed Systems

    What These Patterns Cant Help

    Attacks against underlying OS


    Attacks against network stack
    Many attacks against the application
    Many denial of service attacks
    Misplaced trust
    Social engineering
    Careless users

    Secure Distributed Systems

    Pattern 1

    Separate Authorization

    From
    Access Control

    Secure Distributed Systems

    Existing Systems

    User

    Service

    User
    Service

    Request +
    Credentials
    Secure Distributed Systems

    The Sad Tale of Zebra Copy

    Mom and Pop copy center


    Contract with HP

    Problem

    2,000 HP employees with right to order jobs


    HP told Zebra Copy when an HP employee changed jobs
    Zebra copy updated its list
    HP has over 10,000 such partners
    Zebra copy had over 500 such contracts

    Zebra copy now out of business

    Secure Distributed Systems

    Problems

    User needs credential per service

    Every service needs to do

    different types of credentials


    different rules for use
    too many passwords
    authentication
    authorization
    access control

    Too many updates


    Authentication doesnt tell what service needs to know

    Secure Distributed Systems

    Access Pattern

    Service

    Access Rule

    Authorizer
    Access Rule

    User

    Service

    Request + Rights
    Secure Distributed Systems

    Zebra Copy Done Better

    HP and Zebra Copy reach agreement

    Zebra Copy gives HP a token representing contract


    Order honored if accompanied by valid token

    Zebra Copy responsibilities

    Verify token validity


    Revoke and re-issue when asked by HP

    HP responsibilities

    Delegate token properly


    Revoke privilege when people change jobs
    Pay for any use involving a valid token
    Ask for replacement token when necessary

    Secure Distributed Systems

    Benefits

    Service only needs simple access control mechanisms


    An access right can be meaningful to one service
    Rules can be registered by third party
    Each company manages its own employees
    Admits multiple management schemes for one service
    Can add new service, types of access, etc. without
    affecting management mechanisms
    Can add new management mechanisms without
    affecting services

    Secure Distributed Systems

    Pattern 2

    Mediate between
    Client and Service

    Secure Distributed Systems

    Existing Systems

    Use
    Service

    User

    Find
    Register
    Locator

    Secure Distributed Systems

    The Jini Jive

    Designed for sharing of resources in trusted workgroup

    Promised access control within a year


    Still doesnt have it (some talk about ACLs but no details)

    System structure is the problem

    Look up the service by interface


    Invoke service directly

    Control points

    JavaSpace only knows interface, not specifics of service


    Service is a printer

    Do you really want to do authentication, authorization,


    and access control in every device?

    Secure Distributed Systems

    Problems

    Each service needs to

    authenticate users
    make authorization decisions
    produce audit trail
    protect against malicious or erroneous users

    Common library linked with service

    guaranteeing proper use


    rolling forward versions

    Secure Distributed Systems

    Mediation Pattern

    Service

    User

    Register
    Use

    Mediator
    Locator

    Secure Distributed Systems

    Find
    Use

    Mediation Pattern

    Locator
    Find

    Register

    Service

    User

    Use

    Use
    Mediator

    Secure Distributed Systems

    Benefits

    Mediator provides

    Service and client dont have to trust each other directly

    trusted path
    additional metadata
    mutual anonymity
    audit information
    turns N*M problem into N+M

    Mediator can translate authorization information into a


    form meaningful to service
    Mediator can verify protocol adherence

    Secure Distributed Systems

    Pattern 3

    Use a Service-side Proxy


    for Remote Users

    Secure Distributed Systems

    Existing Systems

    User

    Use

    Use

    Service

    User

    Find
    Find

    Register
    Find
    Locator

    Locator

    Register

    Secure Distributed Systems

    Web Server Woes

    Clients talk directly with server

    Server has more privileges than any client

    denial of service attacks hard to prevent


    confused deputy a possibility
    successful attack can give client all server privileges

    No place to enforce system policies

    Secure Distributed Systems

    Problems

    Every service subject to a variety of network attacks


    Successful attack can do anything service can do
    Crashing server cuts off all users
    Service must

    deal with authentication, authorization, access control


    enforce machine-specific policies

    Secure Distributed Systems

    Proxy Pattern

    Service

    User

    User

    Proxy

    Proxy

    User

    Secure Distributed Systems

    Use a Proxy for Remote Users

    Service

    User

    User

    Proxy

    User

    Secure Distributed Systems

    Benefits

    Crashing proxy cuts off attacker


    Protection domain of remote user under local control
    Proxy can be dumb and repeat requests verbatim
    Proxy can be smart and filter requests
    Smarts added to proxy implementation protect all
    services

    Secure Distributed Systems

    Example of Use

    Secure Distributed Systems

    E-speak E-xplained

    First attempt at a web services infrastructure

    Fully integrated platform

    Naming, discovery, security, manageability

    Several novel features

    Alpha 1.0 May 1999


    Beta 2.2 December 1999
    Release 1.0 June 2000

    Access control with capabilities


    Extensible ontology system
    Path dependent naming
    Powerful event system

    Abandoned in May 2001


    Secure Distributed Systems

    Single Machine View


    Event Distributor
    Service
    User

    Monitor

    Naming

    Permission

    Protection
    Domain

    Service
    Provider

    Router

    Repository

    Host OS

    Secure Distributed Systems

    Protection
    Domain

    = Core

    Using a Remote Resource

    Secure Distributed Systems

    Key Features

    Service sees only local requests


    Client makes only local requests
    Core sees only local requests
    Only proxies know about the wire
    Brokering comes for free
    Secure firewall traversal for messages
    Events are messages

    Secure Distributed Systems

    Design Principles

    Separation of responsibility

    Separation of control

    Authorities determined when protection domain attached


    Access control independent of authorization mechanism
    Only components that talk on the wire know about the wire
    Each machine sets own policy via proxy protection
    domains
    Different mechanisms for authentication and access
    control

    Limit damage done by a successful attack

    Limited permissions of proxies


    Mediator can filter some bad requests
    Strong and rapid revocation
    Secure Distributed Systems

    Summary

    Secure Distributed Systems

    Fundamental Idea

    Design patterns

    useful in object oriented coding


    no reason they wont help in distributed systems

    Propose using three patterns

    separate authorization from access control


    mediate between client and service
    use a local proxy for remote users

    Others

    connection manager
    your favorite here

    Secure Distributed Systems

    A Definition

    A distributed system is one in which a component I


    never heard of can make my computer unusable.
    Leslie Lamport

    Secure Distributed Systems

    You might also like