infso-ri-508833 enabling grids for e-science models for security vulnerabilities and threats yuri...
DESCRIPTION
Enabling Grids for E-sciencE INFSO-RI Addressing Known Security Vulnerabilities Grid Operational Centers (and JSPG :-) know major security vulnerabilities –Those that are actually obvious Reason why it happened? –We can expect more will be discovered when we apply regular security vulnerability analysis and risk assessment Approach for security/operational people? –Actively search for vulnerabilities OR wait until somebody will discover them and (mis)use (Already perceived) Problems –There is no common approach/model for analysing security vulnerabilities in Web Services and Grids –All security models and methodologies are complex and multifaceted Grid is new but not unique – better learn from others’ expereince Need some efforts and willinness to learn or to listen to expertsTRANSCRIPT
INFSO-RI-508833
Enabling Grids for E-sciencE
www.eu-egee.org
Models for Security Vulnerabilities and Threats
Yuri DemchenkoAdvanced Internet Research Group (AIRG)University of [email protected]
INFSO-RI-508833
Enabling Grids for E-sciencE
www.eu-egee.org
Outline
• Background: Addressing known security vulnerabilities• From Vulnerability to Incident •Existing classifications and models• Proposed security threats classification and models
3
Enabling Grids for E-sciencE
INFSO-RI-508833
Addressing Known Security Vulnerabilities
• Grid Operational Centers (and JSPG :-) know major security vulnerabilities – Those that are actually obvious
Reason why it happened?– We can expect more will be discovered when we apply regular
security vulnerability analysis and risk assessment• Approach for security/operational people?
– Actively search for vulnerabilities OR wait until somebody will discover them and (mis)use
• (Already perceived) Problems– There is no common approach/model for analysing security
vulnerabilities in Web Services and Grids– All security models and methodologies are complex and
multifaceted Grid is new but not unique – better learn from others’ expereince Need some efforts and willinness to learn or to listen to experts
4
Enabling Grids for E-sciencE
INFSO-RI-508833
Vulnerability-Incident life-cycle
Vulnerability => Exploit => Threat => Attack/Intrusion => Incident
Vulnerability is a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy
Exploit is a known way to take advantage of a specific software vulnerability
Threat is a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm
Attack is an assault on system security that derives from an intelligent threat
Incident is a result of successful Attack
5
Enabling Grids for E-sciencE
INFSO-RI-508833
Basic steps in attacking methodology
Survey and Assess
Exploit and Penetrate
Escalate Privileges
Maintain Access Deny Service
Unauthorised use of Resource
Clean or forge track of activity
6
Enabling Grids for E-sciencE
INFSO-RI-508833
Known Vulnerabilities and Threats Classifications
• OWASP (Open Web Application Security Project) – http://www.owasp.org/documentation/topten.html– Developed in 2003-2004 and industry adopted
• EVDL (Enterprise Vulnerability Description Language) – OASIS WG– http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=was
• Web Applications Security Threats Model by Microsoft – http://msdn.microsoft.com/library/en-us/dnnetsec/html/ThreatCounter.asp
• XML Web Services Security Vulnerabilities/Threats classification– Proposed in MJRA3.4 and updated in MJRA3.6
7
Enabling Grids for E-sciencE
INFSO-RI-508833
Top 10 OWASP vulnerabilities
• A1 - Unvalidated Input• A2 - Broken Access Control• A3 - Broken Authentication and Session Management• A4 - Cross Site Scripting (XSS) Flaws• A5 - Buffer Overflows• A6 - Injection Flaws• A7 - Improper Error Handling• A8 – Insecure Credentials Storage• A9 - Denial of Service • A10 - Insecure Configuration Management
8
Enabling Grids for E-sciencE
INFSO-RI-508833
XML Web Services threats/ attacks classification (1)
• XWS1 – Web Services Interface probing– WSDL scanning, WSDL parameters tampering, WSDL error
interface probing• XWS2 – XML parsing system
– Recursive XML document content, oversized XML document• XWS3 – Malicious XML content
– Malicious code exploiting known vulnerabilities in back-end applications, viruses or Trojan horse programs, malicious XPath or XQuery built-in operations, malicious Unicode content
• XWS4 – External reference attacks– Malicious XML Schema extensions, namespace resolution
manipulation, external entity attacks
9
Enabling Grids for E-sciencE
INFSO-RI-508833
XML Web Services threats/ attacks classification (2)
• XWS5 – SOAP/XML Protocol attacks– SOAP flooding attack, replay attack, routing detour, message
eavesdropping, “Main-in-the-middle” attack• XWS6 – XML security credentials tampering
– XML Signature manipulation, secure XML content manipulation, Unicode content manipulation, XML credentials replay, application session hijacking
• XWS7 – Secure key/session negotiation tampering– Poor WS-Security implementation, poor key generation, poor
key/trust management; weak or custom encryption
10
Enabling Grids for E-sciencE
INFSO-RI-508833
Threats/Attacks grouping in interacting services
Reqr/User Client
Site Services/Resources Requestor/User
Resource/Resource
Agent
SrvDeliv SecureAssert
AuthZ AuthN (SSO)
Creds
SrvReqst SecureCreds
SMV
ESV UCV
MIA – Malifactor Initiated Attacks * DoS * Brute Force * Dictionary Attacks * WSDL probing * Malicious content
UCA - User Credentials Attack * Creds theft * Creds compromise * User impersonation
SMA – Service Management Attacks * Configuration vuln * Improp Key/Trust Mngnt * Improper Priv Mngnt * Improper Error Handl * Insecure audit/log
ESA – End Service Attacks * Malicious input * XSS * XML/SQL Injection * Dynamic XML * Misuse & Quota
WIA – Wire Intelligence Attacks * Network eavesdropping * “Man in the middle” (MITM) * Brute Force * Credentials compromise * Replay/Session hijack * XML/SOAP protocol
WIA – Wire Intelligence Attacks * Network eavesdropping * “Man in the middle” (MITM) * Brute Force * Credentials compromise * Replay/Session hijack * XML/SOAP protocol
Accounting/Logging
11
Enabling Grids for E-sciencE
INFSO-RI-508833
Threats/Attacks grouping (1)• WIA – “Wire” Intelligence Attacks
– Network eavesdropping– “Man in the middle” (MITM)– Brute Force– Credentials compromise– Replay/Session hijack– XML/SOAP protocol
• MIA – Melifactor Initiated Attacks– Denial of Service (DoS)– Brute Force– Dictionary Attacks– WSDL probing
• UCA – User Credentials Attacks– Credentials theft– Credentials compromise– User impersonation
12
Enabling Grids for E-sciencE
INFSO-RI-508833
Threats/Attacks grouping (1)
• SIA – Site Management Attacks– Configuration vulnerabilities– Improper Key/Trust Management– Improper Privilege Management– Improper Error Handling– Insecure audit/logging
• ESA – End Services Attacks– Resource misuse and quota violation– Malicious input– Dynamic XML– XML/SQL Injection– (XSS)
13
Enabling Grids for E-sciencE
INFSO-RI-508833
Security models for interacting Grid/XWS services
Reqr/User Client
Site Services/Resources Requestor/User
Resource/Resource
Agent
SrvDeliv SecureAssert
AuthZ AuthN (SSO)
Creds
SrvReqst SecureCreds
SMA
ESA UCA Accounting/Logging
• Requestor/User site security zones• Service/Resource site security zones
14
Enabling Grids for E-sciencE
INFSO-RI-508833
Requestor/User site security zones
Local Creds
Storage
Ext Creds Storage
Req/User Client/Proxy
Temp Creds
Storage (Cache)
Cache (Cookie, applets,
etc)
X.509 PKCert
Browser/ Application
Server
Resource/ Service
Zone A Zone X Zone D Zone C Zone B
Internet Zone External Creds Storage
Local Creds Storage
Proxy/Client (Temp/Proxy
Creds Storage)
Cache Cookie/SessionID
Applets
Requestor Site Services
X.509 PKCert
User Pswd
Init Pswd
15
Enabling Grids for E-sciencE
INFSO-RI-508833
Service/Resource site security zones
AuthN (SSO)
AttrA
Zone R1 Zone R0 Zone RN Zone RA Zone RAA
Resource IF/Agent Resource Manager
Resource (Local File System)
Internet/Network Access
Site AuthN Identity/Attributes
(TA/BA/VO Contx)
Site AuthZ (Policy Enforcement)
Resource/Service Site IdentP TA/BA
UserDB
Req/User Client/System
PolicyA
AuthZ (Policy
Enforcemnt)
PEP
PDP
Resource IF/Agent (IntFW)
ACL
(ResAuthZ)
Resource/ Service
FW Appl Srvr/
Contnr
Data
Local FileSyst
Creds
Attrib
PolicyA
16
Enabling Grids for E-sciencE
INFSO-RI-508833
Example use of security models
Collaboratory.nl project (CNL)• Providing secure remote access to unique analytical
equipment
• Job-centric security model for Open Collaborative Environment– Distributed security services model– Security context handling addressed– Trust model for distributed security services
17
Enabling Grids for E-sciencE
INFSO-RI-508833
Authorisation Service operation in a CNL2 Demo system
JNLP – Java Network Launch Protocol
CHEF – Collaborative tool
Surabaya – Collaborative Workspace environment
WebClient
gAAA Server
Remote CNLInstrumentSurabaya
InstrumentController
PDP
PEP
CHEF
3. JNLP
1. Login
2. JNLP
5,10 startSession()11,14 goLeft()
Job Mgt.
4. getJobInfo() 6,9 startSession()
7,8 requestDecision()
Note: we assume SSL TCP connections all over.
12,13 checkAuthZStatus()
Locations
18
Enabling Grids for E-sciencE
INFSO-RI-508833
Security and trust issues in the OCE Job-centric security model
TA – Trust Anchor; TR# - trust path from root (resource); RAM – Resource Allocation and Management; UserCT – User Collaborative Tools
Users
Site Services/Resources
Resource/ Service
TR1
Resource Broker
Attributes
User CT
AuthzReq
AuthnTkt
Job/ RBAC AdmT
Order/ CRM
Customer Org
PI/Admin TA2
Biz/Admin TA1 Order
(document) TR8/TA1
AA TR3
PEP TR2
AuthN/ SSO TR7
RAM TR1
SrvDeliv
SrvReq AuthnTkt
AuthzTkt
Policy
AuthzTkt
JobDescr
OrderDoc
OrderDoc
JobDescr
Job (template)
Job (instance) TR3/TA2
Policy (template)
Policy (instance)
TR4
PDP TR5 UserDB
TR6
UserList
AuthN/ SSO
AA
User DB
Resource IF TR1
PEP/PDP
Resource Agent
19
Enabling Grids for E-sciencE
INFSO-RI-508833
Trust relations in distributed access control infra
Obtaining required permissions to perform requested action by the user:
User => AuthN(HomeOrg.staff, Job.members) => => AuthZ(Member.roles, Policy.permissions) => => Resource.permissions
Users
Site Services/Resources
Resource/ Service
TR1
Resource Broker
Attributes
User CT
AuthzReq
AuthnTkt
Job/ RBAC AdmT
Order/ CRM
Customer Org
PI/Admin TA2
Biz/Admin TA1 Order
(document) TR8/TA1
AA TR3
PEP TR2
AuthN/ SSO TR7
RAM TR1
SrvDeliv
SrvReq AuthnTkt
AuthzTkt
Policy
AuthzTkt
JobDescr
OrderDoc
OrderDoc
JobDescr
Job (template)
Job (instance) TR3/TA2
Policy (template)
Policy (instance)
TR4
PDP TR5 UserDB
TR6
UserList
AuthN/ SSO
AA
User DB
Resource IF TR1
PEP/PDP
Resource Agent Trust/credentials chain and
delegation between major modules:
User => => HomeOrg.staff(TA2) => Job.members => Member.roles => Role.permissions
20
Enabling Grids for E-sciencE
INFSO-RI-508833
Summary and next steps
• Security vulnerabilities and attacks classification provides an input to further analysis of existing and to be discovered vulnerabilities
• Proposed Requestor and Resource security models need discussion and trial with analysing real middleware products– Need to be developed to cover case with the delegation
• Need some organisational form to proceed as an ad-hoc activity to target improving Grid middleware security
21
Enabling Grids for E-sciencE
INFSO-RI-508833
Additional materials
• Users vs hackers• Application security layers• Host security components• Implementation suggestions for OCE/CNL Job-centric
security architecture
22
Enabling Grids for E-sciencE
INFSO-RI-508833
Users vs hackers
• Users go regular route• Potential hacker use any possible opportunity to bypass
23
Enabling Grids for E-sciencE
INFSO-RI-508833
Application Security Layers • Grid and application
security must be build on solid base of lower layers
• Grid middleware constitutes Tier 3 layer and must protect actual applications from possible attacks
Tier 1 - Secure the Network
Operating System
Runtime Services and Components
Platform Services and Components
Tier 2 - Secure the Host
Presentation Logic
Business Logic
Data Access Logic
Tier 3 - Secure the Application
24
Enabling Grids for E-sciencE
INFSO-RI-508833
Host security components
• Protocols and Ports that provides network access and communication services for applications.
• Common OS Services• Files and Directories• User Accounts and privileges • Registries• Auditing and Logging• Patches and Updates management
25
Enabling Grids for E-sciencE
INFSO-RI-508833
Trust relations in distributed Access Control
Implementation suggestions for OCE/CNL security model– Root of trust and authority belong to the Resource– Trust anchor TA2 embedded into the Job Description is the main
trust anchor shared between the resource and the customer. In more business integrated model the signed order may contain
TA1 Both TA2 and TA1 may have the same trust path to the
root/resource– To become a shared trust anchor for the resource and the
customer trust domains, the Order or JobDescription must contain mutually signed credentials/certificates
– Although the main PEP operation assumes authorisation decision request from the trusted PDP, in general PEP may accept an AuthzTicket from other trusted/external PDP