CSE333 URBSOO-1 User Role Based Security for Object-Oriented Systems/Applications M.-Y. Hu, S. Demurjian, T.C. Ting Computer Science & Engineering Department.

CSE333 URBSOO-1 User Role Based Security for Object-Oriented Systems/Applications M.-Y. Hu, S. Demurjian, T.C. Ting Computer Science & Engineering Department The University of Connecticut Storrs, Connecticut 06269-3155 {steve, ting@engr.uconn.edu http://www.engr.uconn.edu/~steve (860) 486 - 4818

CSE333 URBSOO-2 Overview of Presentation  Object-Oriented Design Model Concepts  Review: Approaches/Concepts of Security  Motivation of URBS for OO  User Role Based Security for Discretionary Access Control  Concepts and Issues  URBS Example for SDEs  Security Issues for OO Paradigm  URBS Approaches - OO and C++  Advanced Security Code Generation  Software Architectures for URBS  Reflections and Comments

CSE333 URBSOO-3 An Object-Oriented Design Model  Assumptions of OO Design Model  Vocabulary:  What are Object Types?  Attributes?  Methods?  Public Interface vs. Hidden Implementation  Concept of a Profile  Inheritance and its Variants

CSE333 URBSOO-4 OTs, Attributes, and Methods

CSE333 URBSOO-5 Encapsulation and Hiding

CSE333 URBSOO-6 Profiles to Track Design Data  Profiles Contain Detailed Requirements on the Semantic Contex(n)t for All Constructs of Application  Force SWEs to Supply Detailed Design Info. As Application is Designed  All Profiles Share Following:  [Defn. 6:] A base profile (BP) contains: a name for the feature or construct and a prose description for its purpose within application.  We'll Focus on Non-Security Constructs  We'll Provide Examples via earlier Prototype (ADAM) and Health Care Application (HCA)

CSE333 URBSOO-7 Attribute Profile

CSE333 URBSOO-8 Method Profile

CSE333 URBSOO-9 Object Type Profile

CSE333 URBSOO-10 Object Type Profile

CSE333 URBSOO-11 Inheritance Variants  Distinguish Between Type and Instance Level  Employ a Hierarchy to Define Choices:  T-LEVEL: Variants that Dictate the Information and Behavior that is Inherited by Subtype from Supertype  I-LEVEL: Variants that Relate to If and How a Subtype is Instantiated ISA / +-----+ +---------+ / T-LEVEL I-LEVEL / / | +---+ / +----+ | / / | FULL PRIV1 PRIV2 RESTR CONSTRUCTOR / | +--+ | / | ABSTR LEAF(DB) REGULAR(PL)

CSE333 URBSOO-12 Four T-LEVEL Combinations  What Can be Inherited?  Who Can See What When?

CSE333 URBSOO-13 What Dictates Correct Variant? What Dictates Correct Variant?  The OT's Role in Application:  FULL for Unlimited Cooperative Design  PRIV1 for Cooperative Design, No Priv. Data  PRIV2 Limits Access to PPI methods  RESTR Requires Intervention of URBS  The Responsibility SWEs w.r.t. Application  A Time Factor which Mandates Different Interpretations in a Application's Lifetime:  Initially ISA - FULL  Design Partitioned Among Multiple SWEs - PRIV1, PRIV2, and RESTR May be Chosen  User Role(s) of SWEs from URDH are Utilized!  Trying to Integrate Security Concepts into Design

CSE333 URBSOO-14 C++ Equivalents for Variants  To Understand Different Variants, Let's Consider C++ Analogs for Design Model Constructs  Provides a General Indication of Impact of Different Inheritance Combinations on Code Generation

CSE333 URBSOO-15 Impact on Code Generation SUPPOSE: OT1 = (D1, M1), with M1=(HM1,PM1) | OT2 = (D2, M2), with M2=(HM2,PM2) FULL: OT2 = (OTName2, {D1,D2, {M1, M2) C++ : class OT1 { protected: D1, HM1; public : PM1; class OT2: public OT1 { protected: D2, HM2; public : PM2; Notice: OT2 inherits all Data and Methods Only PM1, PM2 have Potential to be Public!

CSE333 URBSOO-16 Impact on Code Generation PRIV1: OT2 = (OTName2, {D2, {M1, M2) C++ : class OT1 { private : D1; protected: HM1; public : PM1; class OT2: public OT1 { protected: D2, HM2; public : PM2; PRIV2: OT2 = (OTName2, {D2, {PM1, M2) C++ : class OT1 { private : D1, HM1; public : PM1; class OT2: public OT1 { protected: D2, HM2; public : PM2;

CSE333 URBSOO-17 Three I-LEVEL Combinations  ABSTR: Short for Abstract Class  Instantiation of a Subtype is Neither Desirable Nor Possible  LEAF: Database Version  Creation (Deletion) of Instances at the Leaves  REGULAR: Programming Version  Creation/Deletion at Any Hierarchy Node  Implications on University Example? Person / Student Employee / UnderGrad Graduate Faculty

CSE333 URBSOO-18 Impact on Code Generation  No Changes to Previous Slides on What Gets Inherited  ABSTR: At Least One Pure Abstract Method  LEAF: Instantiate at Leaf Nodes  REGULAR: Generate Public Constructors  What Happens With Mixed Inheritance Variants?  Which Ones Make Sense?  Which Ones Cause Conflicts? GENERATE protected constructors in C++! PERSON - constructor is protected | EMPLOYEE - constructor is protected | FACULTY - constructor is public

CSE333 URBSOO-19 C++: (REGULAR, FULL) Inheritance

CSE333 URBSOO-20 C++: (LEAF, RESTR1) Inheritance class Record : public Object { // ATTRIBUTES: private: int RecNo; // A unique record number protected: // System defined CONSTRUCTOR & DESTRUCTOR: Prescription(); virtual ~Prescription(); // **** System defined protected methods. protected: void SetRecNo(float toSet); // **** System defined public methods. public: void PrintRecNo(); float GetRecNo(); void printallattrs(); ;

CSE333 URBSOO-21 Glossary of Protection and Security Terms  Access Control List  List of Principals (User, Process, …) Authorized to have Access to Some Object  Authenticate  Verify Identity of Principal Making Request  Authorize  Grant Principal Access to Information  Capability  Unforgeable Ticket as Proof of Authorization of Presenter to Access Named Object  Capability List  List of Protected Objects which Likewise List Authorized Principles

CSE333 URBSOO-22 Glossary of Protection and Security Terms  Certify  Verify Accuracy, Correctness, & Completeness of Security/Protection Mechanism  Confinement  Restricting What a Process Can Do to with Authorized Objects  Domain  Objects Currently Accessed by Principal  (De)Encryption  De(Encoding) of Data According to Transformation Key for Transmission/Storage  Grant  Authorize Access to Objects by Principals

CSE333 URBSOO-23 Glossary of Protection and Security Terms  Password  Encrypted Character String to Authenticate Identity of Individual  Permission  Form of Allowed Access to Object (R, W, RW)  Principal  Entity (Person/Process/etc.) to Which Authorizations are Granted  Privacy  Ability to Decide Whether, When, and to Whom Information is Released  Propagation  Principal Passing on Authorization to Object to Another Principal

CSE333 URBSOO-24 Glossary of Protection and Security Terms  Protected Object  Known Object whose Internal Structure is Inaccessible Except by Protection System  Protection & Security  Mechanisms and Techniques to Control Access to Information by Executing Programs  Revoke  Remove Previously Authorized Access from Principals  Ticket-Oriented  Each Principal Maintains List of Unforgeable Tickets Denoting Objects have been Authorized Glossary from: Saltzer and Schroeder, “The Protection of Information in Computer Systems”, Proc. of IEEE, Vol. 63, No. 9, September 1975.

CSE333 URBSOO-25 Review Fundamental Security Issues  Software Engineers Can Write Complex Programs Limited by Intellectual Capabilities  OS Designer Must Create Protection Scheme that Can’t be Bypassed by Current and Future Software  Users and Processes Initiators  Users have Dedicated and Shared Resources  Resources Shared by User Groups vs. Resources Globally Shared  Users Spawn Processes that Access Resources  Processes May be Local or Remote (on Another Machine Connected via Network)  Protection System of OS Must Support Above According to Organization’s Admin. Policy

CSE333 URBSOO-26 Review Policy & Mechanism  Security Policy Defines Rules for Authorizing Access to Computer and Resources  Who are Users? What are Resources? What Resources are Available to Each User? Etc…  Protection Mechanisms Authenticate  Access to Resources  Insure File and Memory Protection  A Security Policy is an Organizations Strategy to Authorize Access to the Computer’s Resources  Managers have Access to Personnel Files  OS Processes have Access to the Page Table  Security Transcends OS as a Separate Research and Realization for All Types of Systems/Applications

CSE333 URBSOO-27 Review Authentication  User/Process Authentication  Is this User/Process Who It Claims to Be?  Passwords  More Sophisticated Mechanisms  Authentication in Networks  Is this Computer Who It Claims to Be?  File Downloading and Transferring  Obtaining Network Services  What is the Java Promise?  What Does Java Guarantee re. Applets?  What Can Application Do that Applet Can’t?

CSE333 URBSOO-28 Review Authorization  Ability of Principals to Use Machines, Objects, Resources, etc.  Security Policy Defines Capabilities of Each Principal Against Objects, Resources, etc.  Authorization Mechanism Enforces Policy at Runtime  External Authorization  User Attempts to Access Computer  Authenticate Identify and Verify Authorizations  Internal Authorization  Can Process Access a Specific Resource?

CSE333 URBSOO-29 Review User Authentication  Combination of User ID and Password Universal for Access to Computers  However, Cannot Prevent …  Guessing of Passwords  Stolen and Decrypted Passwords  Masquerading of Intended User  Is User Who they are Supposed to be?  What Extra Information Can User be Asked to Supply?  What About Life Critical Situations (DCP)?  Past Invasion of Engineering Computing  yppasswd File Stolen/Decrypted  S. Demurjian’s Sun Workstation Corrupted

CSE333 URBSOO-30 Review Network Authentication  Computers Must Interact with One Another  Classic Example, Transmitting E-Mail Msgs.  Does Transferring Computer have Right to Store a File on Another Computer?  Viruses: Passive Penetrating Entity  Software Module Hidden in Another Module  When Container Executed, Virus Can Penetrate and Wreak Havoc  Worms: Active Penetrating Entity  Actively Seeks to Invade Machine  Morris’s Worm Penetrated via Unix Finger  Passed String that Executed Allocated Memory  Destroyed Runtime Stack/Allowed Worm Execute

CSE333 URBSOO-31 Review What are Available Security Approaches?  Mandatory Access Control (MAC)  Bell/Lapadula Security Model  Security Levels for Data Items  Access Based on Clearance of User  Discretionary Access Control (DAC)  Richer Set of Access Modes  Focused on Application Needs/Requirements  User-Role Based Security (URBS)  Variant of DAC  Responsibilities of Users Guiding Factor  Facilitate User Interactions while Simultaneously Protecting Sensitive Data

CSE333 URBSOO-32 Security in Software Applications Focusing on DAC and URBS  Extensive Published Research (Demurjian, et al) in Last Ten Years for DAC/URBS for OO  Efforts in  Automatically Generatable and Reusable Enforcement Mechanisms  MAC/DAC/URBS Security within Distributed Setting  Premise:  Customizable Public Interface of Class  Access to Public Interface is Variable and Based on User Needs and Responsibilities  Only Give Exactly What’s Needed and No More

CSE333 URBSOO-33 Motivation User-Role Based Security for OO  Public Interface is Union of All Privileges for All Potential Users No Explicit way to Prohibit Access  Customizable Public Interface of Class  Access to Public Interface is Variable and Based on User Needs and Responsibilities  Only Give Exactly What’s Needed and No More public class PatientRecord { private: Data/Methods as Needed; public: write_medical_history(); write_prescription(); get_medical_history(); get_diagnosis(); set_payment_mode(); etc… For MDs and Nurses For MDs Only For Admitting

CSE333 URBSOO-34 Focusing on DAC and URBS   We’ve Explored DAC/URBS for OO Systems and Applications   Potential Public Methods on All Classes   Role-Based Approach:  User Role Determines which Potential Public Methods are Available  Automatically Generate Mechanism to Enforce the Security Policy at Runtime  Allow Software Tools to Look-and-Feel Different Dynamically Based on Role   Approaches have Stressed Exploiting OO/PL Capabilities (Inheritance, Exceptions, Generics) While Limiting SW Engineers Knowledge

CSE333 URBSOO-35 What are Key Security Concepts? What are Key Security Concepts?  Assurance  Are the Security Privileges for Each User Adequate to Support their Activities?  Do the Security Privileges for Each User Meet but Not Exceed their Capabilities?  Consistency  Are the Defined Security Privileges for Each User Internally Consistent?  Least-Privilege Principle: Just Enough Access  Are the Defined Security Privileges for Related Users Globally Consistent?  Mutual-Exclusion: Read for Some-Write for Others

CSE333 URBSOO-36 URBS for OO Systems/Applications  User Role Based Security for Discretionary Access Control  OO Design Model Enhancements  URs, UTs, and UCs  User-Role Definition Hierarchy  Node Profiles for Privileges  URBS Example for SDEs  Security Issues for OO Paradigm  URBS Approaches - OO, ADAM, and C++  Advanced Security Code Generation  Software Architectures and URBS

CSE333 URBSOO-37 What is User-Role Based Security(URBS)?  Most OO Programming and Database Languages have a Single Public Interface that is Shared by All Users of OT/Class  Consequently, Public Interface Often Union of all Possible Methods Required by All Likely Users  Discretionary Access Control:  Occurs at Type-Level  Different Portions of Public Interface Available to Different Users at Different Times Depending on User-Roles  Promote Potential Public Interface

CSE333 URBSOO-38 Motivating Security for OO Paradigm  OO Paradigm Provides Minimal Support via Public Interface and Private Implementation  Public Interface Represents UNION of all Possible Privileges Needed by All Potential Users  A Method in the Public Interface for One Specific User Available to ALL Users  Can Access to Public Interface be Customized?  Can Individuals have Particular Access to Specific Subsets of Public Interface?  Can Access be Based on (Potentially) Dynamic User Roles?  Can Code be Automatically Generated to Implement an Enforcement Mechanism?  Role of OO Paradigm in Support a Generic, Evolvable, Reusable Enforcement Mechanism?

CSE333 URBSOO-39 Why is URBS Needed?  Many Situations When OT Library Designer (SWE) Could Utilize More Fine-Grained Control to Access of Public Interface  Tradeoff Between Developers and End-Users  SWEs Have Different Roles Based on Their Responsibilities Related to Cooperative Design on an Application  SWEs Should Only See Those Portions of the Application That They Need to See or That They Will Be Responsible for Implementing  End-users Must Be Limited in Their Interactions and Access Depending on Their Roles

CSE333 URBSOO-40 Why is URBS Needed?  For Example:  In SDEs, the public interface for Modules has methods that read (for SWEs and Managers) and modify instances (only for SWEs)  In HTSS, the public interface for Items has methods that read (for Scanner, I-Controller) and modify instances (only for I-Controller)  In HCA, different health care professionals (e.g., Nurses vs. Physicians vs. Administrators, etc.) require select access to sensitive patient data

CSE333 URBSOO-41 What is URBS Approach?  Collects User Role, User Type, and User Class into User-Role Definition Hierarchies for Application  To Establish Privileges: Assign Different Methods of PIs to Different UCs, UTs, and URs  Defined Security Must be Enforced:  For SWEs - by Supporting Environment  For End-Users - by Application and Its Tools  URBS Approach Intentionally Obscures Information and Its Access  Consistent with OO Principles on Hiding  Force SWEs to Focus on Abstract Concepts  Incorporate URBS into OO in a Manner Consistent with OO Principles and Philosophy

CSE333 URBSOO-42 FYI: The ADAM Environment +---------------------------------------------+ | ADAM OO GUI Code Generation | | +----------------+ +---------------+ | | | OO Design and |-------| Ada83, Ada95 | | | | URBS Definition| | C++, Ontos C++| | | +----------------+ | Latex Documen.| | | | | Eiffel, IDL | | | | | ---------| | | +-------------+ | JAVA |Mod-3 | | | | Server | +---------------+ | | | Abstraction | <--- Supports Design | | +-------------+ Persistence | | / | | | Unix Ontos Other DBS... | | File OODBS | | System | | ADAM/UNIX, IV3.1, X, SparcStation | | ADAM/PC, Windows95, Borland C++ | | ADAM/NT, WindowsNT, Java | +---------------------------------------------+

CSE333 URBSOO-43 OO Design Model Enhancements  Extend OO Design Model to Support URBS  Extensions are Consistent with Model and OO Paradigm  Focus on:  User-Role Definition Hierarchy  Identifying Relevant Profiles  Detailing Privilege Acquisition Process  Changes to Existing Profiles  Automatic Analyses for Information Consistency

CSE333 URBSOO-44 The Health Care Application - OTs

CSE333 URBSOO-47 The Health Care Application - RTs

CSE333 URBSOO-48 The User Role Definition Hierarchy  Characterize Individual/Group Application Access via Hierarchy in Three Abstraction Levels :  User-Roles (URs) for Fine-Grained Activities  grade-recorder (changes and corrections)  transcript-issuer (fill transcript request)  User-Types (UTs) for Similarities that are Shared Among Set of URs  registrar-staff is common responsibilities (access student records) among URs  User-Classes (UCs) for Commonalities Across UTs  non-academic-staff (UTs: purchasing-staff, campus-police, maintenance-staff, etc.)  academic-staff (UTs: dept-staff, registrar-staff, presidents-office, etc.)

CSE333 URBSOO-49 User Role Definition Hierarchy for HCA Users UC:Medical_Staff UT:Nurse UT:Physcian UR:Manager UR:Staff_RN UR:Education UR:Discharge_Plng UR:PrivateUR:Attending UC:Support_Staff Etc. UT:Technician UR:Director UR:LabUR:Pharmacy UR:Radiology

CSE333 URBSOO-50 User Role Definition Hierarchy for HTSS Users / \ +---+ +-----+ / \ non-academic-staff academic-staff / \ \ / \ \.... / \ \ / \ purchasing campus-police... dept-staff registrar-staff... / \...... / \ grade-recording transcript-issuing

CSE333 URBSOO-51 Privilege Definition Process  Assignment  Assign Methods to Various Nodes of URDH  Methods that are Assigned are Positive Privileges  Indicate they can be Invoked by User (via a Software Application/Client)  Prohibition  Indicate the Methods which Can’t be Called  These represent the Negative Privileges  Attempt to Invoke by User (via a Software Application/Client) Results in Exception  Why are Prohibited Methods Necessary?

CSE333 URBSOO-52 Privilege Acquisition Process  Assignment  Assigned to UR for Its Use Only  Assigned to UT and Passed to Its URs  Assigned to UC and Passed to Its UTs  Employ OO Concepts: Inheritance w.r.t. Privileges  Specialization (UT to URs)  Generalization (URs to UT, UTs to UC)  Notes:  A UR Under 2 UTs May Have Diff. Meaning  URs Cannot be Further Specialized  Granularity of UR: Designer Definable!  Vitals, SetIV, etc., in HCA  OrderItem, TakeInventory, etc., in HTSS

CSE333 URBSOO-53 Node Profiles and Privileges Node Profiles and Privileges  Profiles Contain Detailed Requirements on the Semantic Contex(n)t for Security Related Aspects of Application

CSE333 URBSOO-54 Node Descriptions Examples from HCA

CSE333 URBSOO-55 Role Security Requirements Examples from HCA

CSE333 URBSOO-56 Assignment of Methods Positive Privileges for Nodes  Explicit Access to PPI Methods of OTs  Staff_RN Assigned:  Get_Symptom of Visit and Get_Medication of Prescription  Get_Patient_Name of Record and Get_Test of Medical_R  Set_Symptom (record symptoms on patients)  Set_Test_Code (record test to be conducted)  Set_Patient_Name and Insert_Med_History  Discharge_Plng and Education Assigned:  Similar Get Methods  Limited Write: Insert_Med_History

CSE333 URBSOO-57 Implied Methodology for Assignment  Privileges Associated with URs  Shared Privileges for URs Under Same UT Can be Moved to UT  Shared Privileges for UTs Under Same UC Can be Moved to UC  However, Methods Assigned to:  UC Available to Its UTs/URs  UT Available to Its URs  Observe that:  Commonalities Push Up Tree  Differences Flow Down Tree

CSE333 URBSOO-58 Two Important Concepts  Methods Call Other Methods  “8” Methods Assigned to Staff_RN  Direct Methods/Explicitly Assigned  “n” Indirect Methods Assigned to Staff_RN  “8” Methods Assigned Call Other Methods  In Turn, Other Methods Call Still Other Methods  Hence, Chaining Effect of Implied (Actual) Calls  Methods on URDH Mirror Inheritance Concepts  Methods on UC Available to all of its UR  Methods on UR Specific to that Role

CSE333 URBSOO-59 Prohibited Methods Non-Allowed Actions/Negative Privileges  Important To Give Explicitly, Since:  Methods Call Other Methods (MP)  Assigned Methods Map to Larger Set Due to Calls and Inheritance  Staff_RN Prohibited:  Set_Treatment of Visit  Set_Medication of Prescription  Get_All methods from Medical_R  Prohibition w.r.t. Hierarchy:  On a UR Implies on Its UT/UC  On a UT(UC) Implies on Its URs(UTs)

CSE333 URBSOO-60 Consistency Criteria Relationships Between URDH Nodes Consistency Criteria Relationships Between URDH Nodes  Equivalence - URDH Nodes Must Have Same Capabilities per Assigned/Prohibited Methods  Physical  Respiratory  Respiratory  Occupational  Education  Discharge_Plng  Subsumption - Ordering Among URDH Nodes w.r.t. Capabilities  Staff_RN Discharge_Plng  Manager Staff_RN  Transitive Closure Applies

CSE333 URBSOO-61 A Complete Node Profile

CSE333 URBSOO-62 The Software Development Environment (SDE) Example

CSE333 URBSOO-63 The SDE URDH UC:SE UC:Manager

CSE333 URBSOO-64 Notation: Extending PPI Concepts

CSE333 URBSOO-65 The SDE URDH with Assigned Methods “Lousy” Assignment UC:SE {LPI1, M2.3, M3.3} UC:Manager(LPI1) {LPI4} {LPI2} {LPI4} {LPI3, M2.1, M2.2} {M2.4,2.5 M3.4,3.5} {M2.4,2.5 M3.4,3.5} {M2.4, M4.1} Notes: 1-SDECommon, 2-Project, 3-System, 4-Module

CSE333 URBSOO-66 Overview: Assigned Methods  UC SE: LPI1, M2.3, M3.3  All Methods from SDECommon  Retr_System (M2.3) from Project  Retr_Module (M3.3) from System  All UTs of SE Share Methods  UT SE-Regular: LPI4  Full Access to all Module Methods  Shared by All URs of SE-Regular  UR Report_Bugs: M4.1 Restricted Access

CSE333 URBSOO-67 Detailed Scope and Rational How are Flaws Identified/Corrected?

CSE333 URBSOO-68 Revising Privileges via URDH  Too Much: M-Division UT  LPI1 (SDECommon) from MANAGER  Add_User and Del_User  Remove LPI1 from MANAGER  Replace with M1.1, M1.4, M1.5, M2.4  Not Enough: SE-Maintain/Document} UR  M4.* Methods Not Accessible  Not Present on UT or UC  Assign Subset of LPI4  M4.1, M4.2, and M4.11

CSE333 URBSOO-69 Revising Privileges via URDH  Too Much: SE-Regular/Document UR  All Module Methods via LPI4  Includes Modification Methods  Move LPI4 Down Hierarchy  Assign Subset of LPI4

CSE333 URBSOO-70 Revising Privileges via OTs  Which URs Access an OT?  Shouldn't Have: {\tt SDECommon} OT  MANAGER/M-Division/Report has Access  Realization that Role is Not Needed - Remove  SE-Regular has Access to Add_User} and Del_User  Move LPI4 Down Hierarchy to Specific Roles  Should Have: Module OT  SE-Maintain/Document} Not On List  Correct Oversight as Previously Discussed  Note: Complementary Nature of Analyses w.r.t. URDH vs. OTs

CSE333 URBSOO-71 The SDE URDH with Assigned Methods Revised “Better” Assignment UC:SE{M1.5,M2.3,M3.3,M4.11} UC:Manager{M1.1,M1.4, M1.5,M2.4} {LPI4} {M2.1, {LPI4 M2.2, w/o M3.1, M4.1 M3.2, M4.2} LPI4} {M1.1, M2.4, M3.4, M4.1} Notes: 1-SDECommon, 2-Project, 3-System, 4-Module {M1.4,1.6 M2.4,2.5 M3.4,3.5 M4.1,4.2} {M1.4,1.6 M2.4,2.5 M3.4,3.5 M4.1,4.2} {M4.1}{GPI2}{M2.5}

CSE333 URBSOO-72 Last Thoughts on SDE Example  What Actions have Occurred?  Differences Trickle Downward  Commonalities Move Upward  Too Many/Few Privileges  Possible URDH Changes:  Method Assignments  Add a New Role/Delete an Existing Role  Split a Role into Two or More Roles  Possible Application Changes:  Add/Delete OTs  Modify Private Data Items  Change Inheritance  Add/Modify/Delete Methods

CSE333 URBSOO-73 Security Issues for OO Paradigm  MAC/DAC/URBS - Existing Security Approaches  Must Security for OO Systems Embody an Existing Approach?  Is there a `Better' or `New' Choice to Consider?  Are there Characteristics/Features of OO Paradigm, Systems, and Applications that Should Dictate Approach?  Focus on Impact/Influence of:  Encapsulation, Hiding, and Inheritance  OO Application Characteristics  Polymorphism, Dispatching, Overloading  Object-Oriented Paradigm Claim

CSE333 URBSOO-74 Encapsulation, Hiding, and Inheritance  Object Types (OTs)/Classes Involve:  Encapsulated: Data and Methods  Public Interface to Access OT  Hidden Implementation Fosters Representation Independence  Encapsulation: Reduces Allowable Actions via the Public Interface  Hiding: Masks Sensitive Details in Implementation  Inheritance: Controlled Sharing Among OTs Transfers Privileges from Ancestor(s) to Descendant(s)  All Three Embody Security Concepts!

CSE333 URBSOO-75 What's in an OO Application? What's in an OO Application?  Application Characteristics:  High Volumes of Persistent Data  Varied/Disparate Data  Multiple Individuals/Unique Needs  Distributed: Agencies/Individuals/Systems  Public Interface of OT Provides:  Methods, Parameters, Return Type  One Interface for All Users  Can't Control/Limit Access to Public Methods  Need: Selective/Customizable Control of Public Interface Based on an Individual's Role

CSE333 URBSOO-76 What's in an OO Application? What's in an OO Application?  OT/Class Libraries Contain:  Hundreds (or More) OTs  Instances/OT Range from Very Few (10s or Less) to Very Many (1000s or More)  Instances Can Change Types  Instances/OT Can Change Radically Over Time  Conflicts with MAC:  Relational Data, Few OTs (10s), Many Instances (1000s)  Control at Instance and Attribute Value Levels

CSE333 URBSOO-77 Polymorphism, Dispatching, Overloading All Three Embody Security Concepts!  Polymorphism:  Type-Independent Software Promotes Reuse  Realized via Generics or Parameterized Types  Can Polymorphism be Used in a Role Independent Security Library for Authentication and Enforcement?  Dispatching:  Run-Time Method Invocation Based on Type  Strong Ties to Inheritance, Reuse, and Extensibility  Can Dispatching Support Execution of Security Code by Invoking Different Methods Based on User Roles?  Overloading:  Methods with Same Name and Different Signatures  Ada, C++, SML, etc., Support User-Defined Overloading  Overloading Supports Polymorphism and Dispatching

CSE333 URBSOO-78 Object-Oriented Paradigm Claims Object-Oriented Paradigm Claims  Accepted Claims:  Stresses Modularity  Promotes Software Reuse  Facilitates Software Evolution  Difficult-to-Prove Claims:  Controls Data Consistency  Increases Productivity  For OO Security, Reuse and Evolution are Critical!  Both Strongly Linked to Definition and Maintenance of OT/Class Libraries

CSE333 URBSOO-79 Security Issues and Approaches  Security Defn./Enforcement Consistent with OO Precepts and Principles  Support for Wide-Variety of User-Roles  User Roles - Extensibility/Evolution Critical  Target Emerging Systems:  Focused on OO Systems Supporting C++/Java  Programming, SW Engineering, Databases, Security  URBS within Joint Object-Oriented Framework  Framework Facilitates Development of Application Code Against Persistent Class Library (and its Underlying DB)  Role-Based Enforcement Mechanism is Part of Executable Image After Compilation  During Runtime, Role of Logged In Individual Utilized to Enforce Security

CSE333 URBSOO-80 Related Work -- All Examine Generated Code to Realize Security  Aspects/Richardson and Schwarz - Emerging  Aspects Extend OO Data Models with Roles  New Operations/Data Possible for New Roles  Our Work has Classes as Superset of Operations and Data that are Available to Roles  Object-Level Control/Richardson, et al.  Capabilities and ACLs Let Owners of Objects Control Who can Invoke Methods on Instances  Instance Level without Obvious Means to Include User Roles  Subject-Oriented Programming/Harrison & Ossher  Classes can have Different Subjective Views  Very Similar to Our Work

CSE333 URBSOO-81 Core Level URBS Approaches  General Solution Issues  Present Set of Goals for Security:  Extensibility and Flexibility  Hiding & Encapsulation  Reusability  Goals Relevant for both Application and URBS Enforcement Mechanism  Approaches Include:  Brute-Force  User-Role Subclass - Application Perspective  URDH Class Library - User Roles Perspective

CSE333 URBSOO-82 General Solution Issues  OO Security Designed/Implemented via Libraries Geared to Reuse, Extension, and Evolution  Applications Customize Libraries:  Generic Libraries Acquire Domain Specifics  Libraries Provide Security Definition/Authentication  Dynamic Policies: Enforced/Changed Based on Roles  Software Tool/Client Application Acquires Security and Behaves Differently Based on User Roles  URBS Enforcement Mechanisms (EM):  URDH and Assigned/Prohibited Methods  Brute Force: Method Level Code Changes  User-Role Subclassing: Inheritance to Deny Access  URDH CLass Library: Inheritance with Both URDH and Application  Utilize C++ (Java Versions Later)

CSE333 URBSOO-83 Goals for URBS Enforcement Mechanism Goals for URBS Enforcement Mechanism  Extensibility: Application Perspective:  New Classes, Methods, Roles, etc.  Automatic Adjustment by URBS EM?  Extensibility: URBS EM Perspective:  New Security Policies/Approaches  Can you go from MAC to DAC?  Flexibility: Application Perspective:  Changes to Roles, Methods, Classes, etc.  How does URBS EM Adapt?  Flexibility: URBS EM Perspective:  Change to Security Restrictions/Policy  Reimplementation of URBS EM?

CSE333 URBSOO-84 Goals for URBS Enforcement Mechanism Goals for URBS Enforcement Mechanism  Hiding & Encapsulation: Application Perspective:  Invisible to Users and Components  Minimize Impact on Actual Software  Hiding & Encapsulation: URBS EM Perspective:  Representation Independence a Must  Exploit OO Paradigm/Principles  Reusability: Application Perspective:  Reuse of Classes, Methods, Roles  Does URBS EM Always Need Regeneration?  Reusability: URBS EM Perspective:  Is URBS EM Application Specific?  Is there a Generic URBS EM?

CSE333 URBSOO-85 Goals for URBS Enforcement Mechanism Goals for URBS Enforcement Mechanism  Software Engineering Related  Software Itself  How Pervasive are the Security Additions?  Easy to Change/Modify as Privileges Change?  Adheres to Existing OOPL Capabilities  Software Engineer  How Much Does the Software Engineer Need to Know about Security?  What can be Hidden from Software Engineering?  Can we Prevent Software Engineer from Getting at Restricted Software?  For Example, Putting in Trap Door

CSE333 URBSOO-86 Quantifying URBS Approaches  Brute-Force (BFA)  Focus on Code Level Changes  Include “Conditionals” for Each UR Allowed to Access a Method in Each Methods Code  User-Role Subclass (URSA)  Specify “Subclasses” for Each User Role that Correspond to Each Application Class/OT  Override Prohibited Methods to Return Nulls  URDH Class Library (UCLA)  Employ a Separate Class Library that Mirrors the URDH and Contains Privileges  Requires Casting to Insure Correct Behavior

CSE333 URBSOO-87 Brute Force Approach  Consider HCA Prescription Class:  UR: Staff_RN Assigned Following Methods class Prescription { Public: Set_Prescription_No(....); Get_Prescription_No(....); Set_Pharmacist_Name(....); Get_Pharmacist_Name(....); Set_Medication(....); Get_Medication(....); Protected: char* patient_name, address,..... } Get_Prescription_No(....); Get_Pharmacist_Name(....); Get_Medication(....);

CSE333 URBSOO-88 Brute Force Approach  Method Implementation:  Comments on BFA:  Code for IFs Easily Generated  Any Changes Have Significant Impact  Encapsulation is Poor - Spread Across OTs  No Identifiable Enforcement Mechanism char* Prescription::Get_Prescription_No (....) { /* Check if a valid user is accessing the method */ if (User.User_Role == Staff_RN) || (User.User_Role == Physician) || (etc.) { //.... method code for the access..... } else return (NULL);

CSE333 URBSOO-89 User-Role Subclassing Approach  Consider HCA Prescription Class  Associated Privileges: class Prescription { public: virtual Get_Prescription_No(....); virtual Set_Prescription_No(....); virtual Get_Pharmacist_Name(....); virtual Set_Pharmacist_Name(....); virtual Get_Medication(....); virtual Set_Medication(....); private: char* prescription_no, pharmacist_name,... } UR: Attending_MD PM: Set_Pharmacist_Name AMs: All of the Rest UR: Staff_RN AMs: Get_Pharmacist_Name Get_Prescription_No Get_Medication PMs: Set_Prescription_No Set_Pharmacist_Name Set_Medication

CSE333 URBSOO-90 User-Role Subclassing Approach  Generate User-Role Subclasses: class Staff_RN_Prescription: public Prescription{ public: virtual void Set_Prescription_No(...) {return;}; virtual void Set_Pharmacist_Name(...) {return;}; virtual void Set_Medication(...) {return;}; }; class Attending_MD_Prescription: public Prescription{ public: virtual void Set_Pharmacist_Name(...) {return;}; };

CSE333 URBSOO-91 User-Role Subclassing Approach  Behavior at Runtime: Consider the Call  Type of ptr Determines Which Method is called:  If Staff_RN User Role, the Method  is Called Which Returns Nothing (Overridden) ptr->Set_Prescription_No(); virtual void Set_Prescription_No(...) {return;};

CSE333 URBSOO-92 User-Role Subclassing Approach main() { char user_name[20], user_role[20]; Prescription* P; Staff_RN_Prescription* SP; int Number; char* Medication; cout << "Please input your name:"; cin >> user_name; cout << "Please input your role:"; cin >> user_role; // Simulates a URDH and Authorization List Current_User=new User(user_name, user_role); P = new Prescription("Jessica", "3-9-95", 100, "Kitty", "Cold");

CSE333 URBSOO-93 User-Role Subclassing Approach // This is a portion of application code if (strcmp(user_role, "Staff_RN")==0) { // Create a Instance to Hold “Staff_RM” SP = new Staff_RN_Prescription("", "", 0, "", ""); // Copy from the Parent Prescription Object SP->copy_object(P); //copy attributes from parent // Attempt to Invoke a Method as Staff_RN SP->Set_Prescription_No(200); // Set No to 200 //Get the Result of Invocation Number=SP->Get_Prescription_No(); // Staff_RN Doesn’t have Privileges - output 100 cout << "Number==" << Number << "\n"; P->copy_object(SP); //copy attributes from child delete SP; }

CSE333 URBSOO-94 User-Role Subclassing Approach Application Code Still UR Specific  Comments on URSA:  Extensible via New User-Role Subclasses  Hindered by Switch/Recompilation  Encapsulation of Security at Method Level  Enforcement Mechanism Still Vague void Fill_Patient_Prescription(..., Prescription* p_rec) { // Determine the role of the user currently switch (User.User_Role()) { case Staff_RN: ((Staff_RN_Prescription *) p_rec)->Set_Prescription_No(...); break; case Attending_MD: ((Attending_MD_Prescription *) p_rec)->Set_Prescription_No(...); break; }

CSE333 URBSOO-95 URDH Class Library Approach  Objectives  Utilize Structure of URDH to Record Privileges  Track all of Methods Assigned to User Roles, User Types, and User Classes  Result  Class Hierarchy Corresponding to URDH  Contains all Permissions  Turn Off Permissions at Root Node  Turn On Permissions to Correspond to Assigned Methods  Invocation only if Method “Turned On”

CSE333 URBSOO-96 URDH Class Library Approach Partial Class Hierarchy for URDH Root UsersUC:Medical Staff UT:Nurse UR:Staff RNUR:ManagerUR:Education Turn Off All “Check” Methods at Root Node Turn On Check Methods To Correspond to Assigned Methods Call “Check” Method Prior to Invoking Actual Method

CSE333 URBSOO-97 URDH Class Library Approach URDH Classes  Consider Following URDH Subset:  and its Corresponding Class Library: UR: Staff_RN Assigned methods: Get_Prescription_No() (to Staff_RN) Get_Pharmacist_Name() (to Staff_RN) Get_Medication() (to Nurse) class Root: all methods return False; class Users: public Root class Medical_Staff: public Root class Nurse: public Users, public Medical_Staff { int Check_Prescription_Get_Medication(){return True;} }; class Staff_RN: public Nurse { int Check_Prescription_Get_Prescription_No(){return True;} int Check_Prescription_Get_Pharmacist_Name(){return True;} };

CSE333 URBSOO-98 URDH Class Library Approach Impact on Application Classes  Introduce “Object” Class to Track Current User and Tie into URDH Class Hierarchy  Note User Part of Prescription Constructor class Object { protected: Root* current_user;... } class Item: public Object{... } class Prescription: public Item { public : Prescription(Root* u, char* Name,...); int Get_Prescription_No();... };

CSE333 URBSOO-99 URDH Class Library Approach Impact on Application Classes  Focus on Actual Method Implementations  Wrap Check Method Call Around Method Body  Note Other Gets and Sets are Similar int Prescription::Get_Prescription_No() { if(current_user-> Check_Prescription_Get_Prescription_No()) return(Prescription_No); else return(NULL); } void Prescription::Set_Prescription_No(int No) { if(current_user-> Check_Prescription_Set_Prescription_No()) {Prescription_No=No;} }

CSE333 URBSOO-100 URDH Class Library Approach main() { Prescription* P; char user_name[64]; char user_role[64]; int Number; Root* current_user; cout << "Please input your name:"; cin >> user_name; cout << "Please input your role:"; cin >> user_role; // Create and Simulate a New User if (strcmp(user_role, "Staff_RN") == 0) { current_user = new Staff_RN(user_name); } else current_user = new Root(user_name);

CSE333 URBSOO-101  Key Issues:  Create User to Coincide with Entry in URDH Class Hierarchy and Set Current User  Change Each Method Code to Invoke Check Method Prior to Actual Invocation (Body) URDH Class Library Approach P = new Prescription(current_user,"Jim", "3-9-95", 1, "Ron", "Flu"); // FOLLOWING Set HAS NO EFFECT IF A STAFF_RN // IS ATTEMPTING TO MAKE THE CHANGE P->Set_Prescription_No(100); Number=P->Get_Prescription_No(); cout << "Number==" << Number << "\n"; }

CSE333 URBSOO-102 Comments on URDH Class Library Approach  Since Changes aren't Allowed by Unauthorized Individuals the Need to Undo is Eliminated  Extensibility: As new URs are Changed/Added, Only URDH Class Library Must be Recompiled  Hides Security Code Once a User has been Identified  Better Job at Encapsulation of Enforcement Mechanism  Still Difficult to Quantify Entire Mechanism as a Single Unit  Steamlines Application Code  Reusability is Definitely Utilized/Superior

CSE333 URBSOO-103 Compare/Contrast the Three Approaches  Application Perspective  URBS Enforcement Mechanism Perspective

CSE333 URBSOO-104 Advanced URBS Approaches  Generic Security Classes  Streamline Security Defn. Process  Achieve Uniformity/Promote Reuse  Independent Design/Implementation/Validation  Exception Handling  Hide Security Code with Handlers  Raise Violations when UR Attempts Unauthorized Access  Review Four Approaches  Generic URSA (GURSA)  Basic Exception Approach (BEA)  Generic Exception Approach (GEA)  Advanced Exception Handling

CSE333 URBSOO-105 Generic URSA (GURSA)  Incorporates Generics into URSA  Introduce Generic_Prescription Template  Parameterized by URType  current_UR Pointer Determines Method Called Based on UR  Concepts  Each UR Has Own Copy of Prescription Class  Cast Based on Role  Review both Template and Main  Highlight Disadvantages

CSE333 URBSOO-106 The Item.h File #ifndef Item_h #define Item_h class Item { protected: char Physician_Name[64]; char Date[10]; public : Item(char* Name,char* D); char* Get_Physician_Name(); void Set_Physician_Name(char*); char* Get_Date(); void Set_Date(char*); }; #endif

CSE333 URBSOO-107 The Prescription.h File #ifndef Prescription_h #define Prescription_h #include "item.h" class Prescription: public Item { protected: int Prescription_No; char Pharmacist_Name[64]; char Medication[128]; public : Prescription(char* Name,char* D,int No, char* Name1,char* Med); virtual void copy_object(Prescription* P); virtual int Get_Prescription_No(); virtual void Set_Prescription_No(int); virtual char* Get_Pharmacist_Name(); virtual void Set_Pharmacist_Name(char*); virtual char* Get_Medication(); virtual void Set_Medication(char*); }; #endif

CSE333 URBSOO-108 The Staff RN Prescription.h File (s_pres.h) #ifndef Staff_RN_Prescription_h #define Staff_RN_Prescription_h #include "pres.h" class Staff_RN_Prescription: public Prescription { public : Staff_RN_Prescription(char* Name,char* D, int No,char* Name1,char* Med): Prescription(Name,D,No,Name1,Med){;} // int Get_Prescription_No(); void Set_Prescription_No(int); // char* Get_Pharmacist_Name(); void Set_Pharmacist_Name(char*); // char* Get_Medication(); void Set_Medication(char*); }; #endif

CSE333 URBSOO-109 The Attending MD.h File (a_pres.h) #ifndef Attending_MD_Prescription_h #define Attending_MD_Prescription_h #include "pres.h" class Attending_MD_Prescription: public Prescription { public : Attending_MD_Prescription(char* Name,char* D, int No,char* Name1,char* Med): Prescription(Name,D,No,Name1,Med){;} void Set_Pharmacist_Name(char*); }; #endif

CSE333 URBSOO-110 Generic_Prescription Template #include "s_pres.h" //Staff_RN_Prescription Class #include "a_pres.h" //Attending_MD_Prescription Class template class Generic_Prescription { private: URType *current_UR; public : Generic_Prescription() {current_UR = new URType("", "", 0, "", "");} int Get_Prescription_No() {return(current_UR->Get_Prescription_No());} void Set_Prescription_No(int No) {current_UR->Set_Prescription_No(No);} char* Get_Pharmacist_Name() {... etc...} void Set_Pharmacist_Name(char* Name) {... etc...} char* Get_Medication() {... etc...} void Set_Medication(char* Med) {... etc...} void copy_object(Prescription *P) {... etc...} };

CSE333 URBSOO-111 The Main Program - GURSA main() {Prescription* P; char user_name[64], char user_role[64], *Medication, *Name; int Number; cout > user_name; cout > user_role; P=new Prescription("Jessica","3-9-95”,1,"Kitty","Cold"); if (strcmp(user_role, "Staff_RN")==0) {Generic_Prescription *SP = new Generic_Prescription (); SP->copy_object(P); //copy Attributes from the parent SP->Set_Prescription_No(200); // Fails Number=SP->Get_Prescription_No(); // Succeeds cout << "Number==" << Number << "\n"; }

CSE333 URBSOO-112 The Main Program - GURSA else if (strcmp(user_role, "Attending_MD")==0) { Generic_Prescription *AP =new Generic_Prescription (); AP->copy_object(P); //copy attributes from the parent AP->Set_Prescription_No(200); // Succeeds AP->Set_Pharmacist_Name("Steve"); // Fails Number=AP->Get_Prescription_No(); // Succeeds Name = AP->Get_Pharmacist_Name(); // Succeeds cout << "Number==" << Number << "\n"; cout << "Name== " << Name << "\n"; } } // end of main

CSE333 URBSOO-113 Comments on GURSA  Current UR Encapsulated  Conditional Statement Hinders Code  Extensibility Severely Limited  IDevE Must Understand URBS  Can Presence of Conditional be Minimize?

CSE333 URBSOO-114 Minimizing Conditional What are Problems Here? if (strcmp(user_role, "Staff_RN")==0) Generic_Prescription *PP =new Generic_Prescription (); else if (strcmp(user_role, "Attending_MD")==0) Generic_Prescription *PP =new Generic_Prescription (); // Would allow one block of user-role independent code. PP->copy_object(P); //copy attributes from the parent //Success/Failure of Next Four Callas Based on UR PP->Set_Prescription_No(200); PP->Set_Pharmacist_Name("Steve"); Number=PP->Get_Prescription_No(); Name = PP->Get_Pharmacist_Name(); cout << "Number==" << Number << "\n"; cout << "Name== " << Name << "\n";

CSE333 URBSOO-115 Basic Exception Approach (BEA)  C++ Supports Excepting Handling  try Encapsulates a Block of Code that has Potential to Raise Exception  throw Used to Raise Exception  catch Process Exception  Recast Exception Handling to Support the Raising Catching, and Processing of Security Violations  BEA as Follows:  Extend Class with Exception Handling Methods  Capture Assigned/Prohibited Methods in Runtime Data Structure  Allows UR to be Validated via URDH

CSE333 URBSOO-116 Modifications to Prescription Class class Prescription: public Item { // Private data has been omitted public: Prescription(char* Name,char* D, int No,char* Name1,char* Med); int Get_Prescription_No(); void Set_Prescription_No(int); char* Get_Pharmacist_Name(); void Set_Pharmacist_Name(char*); char* Get_Medication(); void Set_Medication(char*); // New Methods for Exception Handling int rtn_int_check_valid_UR(int); char* rtn_str_check_valid_UR(char*); void set_int_check_valid_UR(int*,int); void set_str_check_valid_UR(char*,char*); void Check_UR(); // Can UR access method. class Unauthorized_UR { }; };

CSE333 URBSOO-117 Prescription Implementation Pseudo-Code to Illustrate Concepts int Prescription::Get_Prescription_No() { return(rtn_int_check_valid_UR(Prescription_No));} int Prescription::rtn_int_check_valid_UR(int AInt) { try {// try block has potential to raise exception this->Check_UR(); } // catch block processes any raised exceptions catch (Prescription::Unauthorized_UR) { cout << ”Access by unauthorized UR" << endl; return(INT_NULL); } return(AInt); } void Prescription::Check_UR() {// Shows invalid URs for Get_Prescription_No method. if ((Current_User->Get_User_Role() != Staff_RN) || (Current_User->Get_User_Role() != Attending_MD)) throw Unauthorized_UR(); // raises exception }

CSE333 URBSOO-118 main() Program for BEA main() { Prescription* P; char* Name, Date, Medication, name, role; int Number; char user_name[64], user_role[64]; cout << "Please input your name:"; cin >> user_name; cout << "Please input your role:"; cin >> user_role; Current_User = new User(user_name, user_role); name = Current_User->Get_User_Name() ; role = Current_User->Get_User_Role() ;

CSE333 URBSOO-119 main() Program for BEA // Data is set as: // MDName, Date, Presc#, PharName, Medication P = new Prescription("Lois", "2-13-96", 1, "John", "Aspirin"); Name = P->Get_Physician_Name(); cout << "Name==" << Name << "\n"; Date = P->Get_Date(); cout << "Date==" << Date << "\n"; // Will fail for UR except Staff_RN or Attending_MD Number = P->Get_Prescription_No(); cout << "Pre_No==" << Number << "\n"; //If fails-Null // Will fail for Staff_RN P->Set_Pharmacist_Name("MeiYu"); // Unchanged if Staff_RN Name = P->Get_Pharmacist_Name(); cout << "Name==" << Name << "\n"; } // end of main

CSE333 URBSOO-120 Comments on BEA  Advantages Include:  Methods rtn, set, Check_UR Encapsulates URBS  Once UR is Set - Conditionals not Needed (GURSA)  Drawbacks Include:  Exception Handling Code Pervasive  Extensibility Problem When Changes to Prescription  Replicated Code in set and rtn  Reuse not Attained

CSE333 URBSOO-121 Generic Exception Approach (GEA)  Extends BEA with Generics  Alleviates BEA's Disadvantages  Template Class Centralizes Security Violation Code  Once Defined, Template Class can be Reused as Needed  Core Ideas Include:  rtn, set, prt Methods for Basic Types  Ability to Uniquely Identify Classes and Methods  Parameterized by Type of Application Class

CSE333 URBSOO-122 Generic Security Template template class Gen_Security { protected: int C_ID; // Class ID int M_ID; // Method ID public: Gen_Security() {C_ID = M_ID = 0;} void GS_Check_UR(); class Unauthorized_UR { }; // Exception int rtn_int_check_valid_UR(int); float rtn_flt_check_valid_UR(float); char* rtn_str_check_valid_UR(char*); char rtn_chr_check_valid_UR(char); void set_int_check_valid_UR(int*,int); void set_flt_check_valid_UR(float*,float); void set_str_check_valid_UR(char*,char*); void set_chr_check_valid_UR(char,char); void prt_int_check_valid_UR(int); void prt_flt_check_valid_UR(float); void prt_str_check_valid_UR(char*); void prt_chr_check_valid_UR(char); };

CSE333 URBSOO-123 Generic Security Implementation template void Gen_Security ::GS_Check_UR() { // Call Check of Owner Class if (Type::Check_UR(C_ID+M_ID) == FAIL) throw Unauthorized_UR(); } template void Gen_Security ::prt_str_check_valid_UR(char* AString) { try {// try block has potential to raise exception this->GS_Check_UR(); } // catch block processes raised exception catch (Gen_Security::Unauthorized_UR) { cout << "Attempt to access by unauthorized UR" << endl; return; // return control without printing } cout << AString << endl;//output if no exception raised } // WHEN APPLIED TO PRESCRIPTION CLASS GS_CHECK_UR BECOMES: if (Prescription::Check_UR(C_ID+M_ID) == FAIL) throw Unauthorized_UR(); // THIS VERIFIES IF UR CAN ACCESS METHOD C_ID+M_ID

CSE333 URBSOO-124 The Item Header Class #include "gen_security.C" class Item { // Private data has been omitted public : Item(char* Name,char* D); char* Get_Physician_Name(); void Set_Physician_Name(char*); void Print_Physician_Name(); char* Get_Date(); void Set_Date(char*); void Print_Date(); // Class specific URBS static int Check_UR(int); // Assigned methods static int Assigned_Methods(int); // Template Declaration Gen_Security Item_Sec; };

CSE333 URBSOO-125 The Prescription Header Class class Prescription: public Item {//Private data omitted public: Prescription(char* Name,char* D, int No,char* Name1,char* Med); int Get_Prescription_No(); void Set_Prescription_No(int); void Print_Prescription_No(); char* Get_Pharmacist_Name(); void Set_Pharmacist_Name(char*); void Print_Pharmacist_Name(); char* Get_Medication(); void Set_Medication(char*); void Print_Medication(); // Class specific URBS static int Check_UR(int); //Assigned methods static int Assigned_Methods(int); //Template declaration Gen_Security Pres_Sec; };

CSE333 URBSOO-126 Prescription Implementation void Prescription::Print_Pharmacist_Name() { Pres_Sec.prt_str_check_valid_UR(Pharmacist_Name); } int Item::Check_UR(int unique_method_id) { return(Item::Assigned_Methods(unique_method_id)); } int Prescription::Assigned_Methods(int meth_id) { // For now - simulate by hard-coding response. if ((strcmp(Current_User->Get_User_Role(), "Staff_RN")==0) ||(strcmp(Current_User->Get_User_Role(), "Attending_MD")==0)) return SUCC; else return FAIL; }

CSE333 URBSOO-127 Comments on GEA  Enhances BEA Advantages via Template  Software Reuse is Strongly promoted  Changes to Prescription/ Item Methods Don't Alter Method Signatures  URBS Enforcement is Therefore Hidden

CSE333 URBSOO-128 Advanced Exception Handling  Expand BEA and GEA with Advanced Capabilities  Focus on Added Code to Process Security Violations  Recast Generic Security Template Class with Multiple Exceptions  Explore Hypothetical Examples

CSE333 URBSOO-129 Revised Generic Security Template template class Gen_Security { protected: int C_ID; // Object ID int M_ID; // Method ID public: Gen_Security() {C_ID = M_ID = 0;} void GS_Check_UR(); class Unauthorized_UR { public: int meth_id; Unauthorized_UR(int m_id) { meth_id = m_id; // Remaining code to process exception cout " << meth_id << endl; cout << "by Unauthorized User Role!!!!" << endl; } }; // End Unauthorized_UR exception Class

CSE333 URBSOO-130 Revised Generic Security Template class Logauthorized_UR { public: int meth_id; FILE *f_id; Logauthorized_UR(int m_id) { meth_id = m_id; // Remaining code to process exception // Print message to FILE f_id that logs all // accesses to methods by authorized URs. } }; // End Logauthorized_UR exception Class // rtn, set, prt methods as given without changes };

CSE333 URBSOO-131 Revised Generic Security Template template void Gen_Security ::GS_Check_UR() { // Call Check of Owner Class if (Type::Check_UR(C_ID+M_ID) == FAIL) throw Unauthorized_UR(C_ID+M_ID); else throw Logauthorized_UR(C_ID+M_ID); } // Two catches needed in relevant Gen_Security methods catch (Gen_Security::Unauthorized_UR) { cout << "Attempt to access by unauthorized UR" << endl; return; // return control without printing } catch (Gen_Security::Logauthorized_UR) { cout << "Logging of authorized access by UR" << endl; }

CSE333 URBSOO-132 Compare/Contrast the Four Exception Handling Based Approaches  How do the Four Approaches Compare?  Extensibility  Flexibility  Hiding/Encapsulation  Reusability  Is One Easier than Another?  How do they Rate vs. Earlier Three Approaches?  What’s Missing in the Process?

CSE333 URBSOO-133 Software Architectures for Consistency and Assurance of URBS Policies  Motivation  “How will Assurance and Consistency be Attained during the Definition and Usage of an application's User-Role Based Security Policy, particularly in an Object-Oriented context that stresses Change and Evolution?”  What is Consistency?  The Ability to Capture and Maintain Inter-Role and Inter-User Privileges as Changes are Made to the Security Policy over Time  What is Assurance?  The Ability to Guarantee that the Privileges of each User and Role are Adequate to Satisfy their Respective Functions over Time

CSE333 URBSOO-134 Context and Objectives  Programming Language Role - C++, Ada95, Java  Security Across Internet/Intranet  Impact of Application Domain  Health-Care: Life-Critical  CAD: Cooperation/Productivity  Promote Security as an Up-Front, Integral Player in Design and Development  Security Not Just a Database Requirement  Cohesive/Comprehensive Sec. Policy  Emphasize User Capabilities  Equal Partner in Process

CSE333 URBSOO-135 Background and Objectives  Consistent with OO Precepts and Principles  User-Role Based Security: Responsibility Focus  Integrate Programming, Software Engineering, Databases, and Security  Provide a Framework that Facilitates Development of Application Code Against Persistent Class Library (and its Underlying DBS)  During Runtime, Role of Logged In Individual Utilized to Enforce Security  Goal: Minimize Amount of Knowledge of Security by Software Engineer

CSE333 URBSOO-136Focus  Expand Research in Two Dimensions  Consistency and Assurance  Consistency of Security Policy in a Changing Environment  Assurance of Operation, Security, and Results  Instantaneous Availability of ``Correct'' Health Care Data in Life-Critical Situations  Software Architectures  URBS at System-Component Level  Class Libraries as Building Blocks  Alternative Integration Strategies  Single and Multi- Process and Processor Solutions

CSE333 URBSOO-137Overview  Assurance, Consistency, and Analyses  Software Architectures and URBS Mechanisms  Concepts and Definitions  Layered Systems  Communicating Processes - Client/Server  Comparison and Critique  Concluding Remarks on SW Architectures

CSE333 URBSOO-138 Assurance, Consistency, and Analyses  Who has Responsibility for URBS Policies?  What Tools and Techniques are Needed?  Design Techniques for:  Software & Security Engineers  Precisely/Accurately Define Applications  Non-Security and URBS Requirements  Suite of Tools for:  Design  Automatic Analyses of Impact When Changes Occur to Application or Its Security Policy  On-Demand Analyses to Assess State of Design  Generation of URBS Enforcement Mechanisms

CSE333 URBSOO-139 Consistency for User-Roles URs for OO Systems are Dynamic  Extension/Evolution of OO Systems is Norm  Consistency of User Roles  New UR: Internal Consistency  Modify UR: Intra-Role Consistency  Between URs: Inter-Role Consistency  Among URs: Intra-Hierarchy Consistency  Adhere to Two Principles  Least-Privilege: Necessary Privileges and No More for a UR  Mutual-Exclusion: Careful Definition of Can vs. Can't w.r.t. Privileges for URs  Analyses to Assess Attainment of Consistency and Principles

CSE333 URBSOO-140 Consistency for End User Authorizations URs for OO Systems are Dynamic  Trade off of End-users Behavior  Play Exactly One Role at Some Time  Play Multiple Roles Concurrently at Some Time  End-User Consistency  Relation of User to other Users Based on UR This is Inter-User Consistency by Role  If User Can Play Multiple Roles Must Consider Dependencies Among Simultaneous Roles This is Intra-User Consistency by Role  Analyses to Assess Attainment of Consistency and Principles

CSE333 URBSOO-141 Concepts and Definitions  OO Assumptions: Shared Class Library  Tools Designed Against Class Library  End-Users Access Application via Tools  Security Policy Enforced via Tools  Different Class Libraries  AppCL: Shared Application Class Lib.  SCL: Security Class Lib. with URBS Defn. and Enforcement  TCL: Tool Class Lib., e.g., a patient GUI  Software Architectures  Explore Variants for OO and URBS  Layered Systems  Communicating Processes

CSE333 URBSOO-142 Layered System Version 1 LS1: Application-Based Approach  Security at Level of Method Invocation  Processed by SCL Prior to Access Against Instance in ACL  Security Managed at Application Level  All Requests Pass Through Shared SCL  Once SCL OKs, Passed Through to ACL

CSE333 URBSOO-143 Layered System Version 2 LS2: Class-Based Approach  Like LS1, Security at Level of Method Invocation  Processed by SCL Prior to Access Against Instance in ACL  Security Managed at Instance Level  Tools Must Interact with Multiple SC/AppC Pairs  Sec. Policy and Application Distributed  Problem if Instances Refer to Non-Local Instances

CSE333 URBSOO-144 Communicating Processes Version 1 CP1: Single Process, Base Case, no C/S  Similar to LS1 - Each Tool Standalone Process  SCL and AppCL Analogous to Math Library  SCL Filter between TCLi and AppCL  SCL/AppCL Partially Replicated/Distributed  Changes to SCL/AppCL Impact Multiple Tools  Unclear How Sharing/DB Supported

CSE333 URBSOO-145 Communicating Processes Version 2 CP2: Multi-Process/Shared AppCL  AppCL Separated into Own Process  SCL Still only Subset Needed by TCLi  Like CP1, SCL Changes Impact Multiple TCLs  Less Impact for Changes to AppCL  Unlike CP1, Database Integration Supported

CSE333 URBSOO-146 Communicating Processes Version 3 CP3: Multi Process/Shared SCL/AppCL  SCL has Entire Security Policy  Changes to SCL/AppCL Shouldn't Impact TCLs  SCL/AppCL Potential Performance Bottleneck  Particularly with Database Integration

CSE333 URBSOO-147 Communicating Processes Version 4 CP4: C/S, Replctd SCL/Shared AppCL  Independence of TCLs (CP2)  Alleviate Performance Problems of CP3  Replicated/Entire SCL  Facilitates Database System Incorporation

CSE333 URBSOO-148 Comparison of Variants

CSE333 URBSOO-149 Critique of Variants Summary/Assessment of 6 Variants  Consistency/Assurance of Security Policy  Impact when Security Policy Evolves  Support for Persistency

CSE333 URBSOO-150 Concluding Remarks on SW Architectures  Consistency and Assurance for OO Systems Must Be an Equal Partner in Design Process  Consider Evolution of Application and Its Security Policy  Explore Solutions that Transcend Traditional Approaches  Software Architectures Offer  Componentwise Conceptualization and Realization  Variants LS1, CP3, and CP4 which are Comparable in Pros and Cons  CP4 which More Easily Supports Evolution to Include OODBS

CSE333 URBSOO-1 User Role Based Security for Object-Oriented Systems/Applications M.-Y. Hu, S. Demurjian, T.C. Ting Computer Science & Engineering Department.

Similar presentations

Presentation on theme: "CSE333 URBSOO-1 User Role Based Security for Object-Oriented Systems/Applications M.-Y. Hu, S. Demurjian, T.C. Ting Computer Science & Engineering Department."— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

CSE333 URBSOO-1 User Role Based Security for Object-Oriented Systems/Applications M.-Y. Hu, S. Demurjian, T.C. Ting Computer Science & Engineering Department.

Similar presentations

Presentation on theme: "CSE333 URBSOO-1 User Role Based Security for Object-Oriented Systems/Applications M.-Y. Hu, S. Demurjian, T.C. Ting Computer Science & Engineering Department."— Presentation transcript:

Similar presentations

About project

Feedback