Session # 2883

Managing Applications Comprised of Untrusted Components

Michael ThomeSenior ScientistBBN Technologies

Session # 28832

Presentation Goal

Beginning

Learn how to manage the risks associated with allowing Components you do not trust into your application using a Model inspired by the JavaBeans™ BeanContext API.

Session # 28833

Learning Objectives

• As a result of this presentation, you will understand:– some of the risks and benefits of allowing

“untrusted” components into your application.

– how to protect your application from such components.

– how to use the Cougaar Component Model API to simplify the job.

Beginning

Session # 28834

Speaker’s Qualifications

• Senior Scientist, BBN Technologies, Distributed Systems and Logistics department

• Chief Software Architect of Cougaar Core development team

• Designed and Implemented Cougaar Component Model

Beginning

Session # 28835

Plugin == Trojan Horse?

“A data structure is just a stupid programming language.”

- Bill Gosper

“A programming language is a very dangerous data structure.”

- Guy Steele

Beginning

Session # 28836

Agenda

• Component Models

• “Untrusted” Components

• Cougaar Component Model

• Examples

• Implications

• Questions and Answers

Beginning

Session # 28837

Component Models

• Component– Modular software entity– Well-defined interface to other Components

• Component Model– Method of connecting Components– Method of storing connections– Service model integration– Trust model

Session # 28838

Untrusted Components

• What is an Untrusted Component?

• What can they do?– System/VM abuse– Java abuse– Application abuse

• Why do they do it?– Bugs and other mistakes– Evil developers

Session # 28839

Untrusted Components (cont’d)

• Where do they come from?

• Why accept the risk?– Contractual obligations– Competition– Flexibility– Extensibility– Reuse

Session # 288310

Traditional Protection Methods

• Documentation

• Interface

• Class/member protection/visibility

• Final methods in base class

• Proxy objects/Delegation

• SecurityManager

• Classloader namespaces

Session # 288311

Cougaar: Design Context

• Widely distributed p2p agent network

• Goals: Secure, Scalable, Robust

• OSS & free

• Many contributors and users

• Several applications

• More than 1MLOC (core+BBN)

Session # 288312

Context: Cougaar Implications

• Code base too large to audit

• Too many developers to code review

• Wide range of skills, experience

• Red-team Attacks and Exploits

• Policy-driven restrictions on behavior, resource-use

• Highly constrained and dynamic environment

Session # 288313

BeanContext API

• Extensible Runtime Containment and Services Protocol for JavaBeans Version 1.0, Laurence Cable, 1998

• Adds to JavaBeans™– Hierarchical structure– Service model

• But– Single hierarchy/VM– Tuned for integration with UI (e.g. AWT)

Session # 288314

BeanContext with Services

BeanContextChild

BeanContextServiceProvider

ServiceInstance

BeanContextServices

Session # 288315

Cougaar Component Model

• “Binder” = Proxy Abstraction

• Separate Service from Containment

• Drop UI focus

• Require interface layer

• Add simple StateModel

• Add explicit persistence state collection

• Add ComponentDescription

Session # 288316

Classes:BeanContext versus Cougaar

BeanContext Cougaar

BeanContext Container

BeanContextChild Component

BeanContextServices ServiceBroker

BeanContextServiceProvider ServiceProvider

Session # 288317

Cougaar Component Hierarchy

Component

ServiceProvider

ServiceInstance

ContainerServiceBroker

Session # 288318

Binder = Component Wrapper

Component

ServiceProvider

ServiceInstance

ContainerServiceBroker

Binder

Session # 288319

interface BindingSite {// let us get to servicesServiceBroker getServiceBroker();

// required control over component statevoid requestStop();

}

BindingSite

• Component’s view of parent:

Session # 288320

Component Construction

• ComponentDescription – Full specification of Component

• BinderFactory– Instantiate a Binder given a

ComponentDescription

• Binder – Instantiate Component from

ComponentDescription

Session # 288321

class ComponentDescription {public String getName(){}public String getInsertionPoint(){}public String getClassname(){}public URL getCodebase(){}public Object getParameter(){}public Object getCertificate(){}public Object getLeaseRequested(){}

}

ComponentDescription

• Uninstantiated Component

Session # 288322

interface BinderFactory extends Component {// priority (for Binder combination)int getPriority();

// create a Binder for a CD (or component)Binder getBinder(Object child);

// Utility for Binder instance to instantiate// a Component from a ComponentDescriptionComponentFactory getComponentFactory();

}

BinderFactory

• Component for choosing peer binders

Session # 288323

Binder Proxy Structure

Component

ServiceProvider

ServiceInstance

ContainerServiceBroker

ContainerProxy

ServiceBrokerProxy

ServiceInstanceProxy …

Session # 288324

Proxy Capabilities

• Opportunities– Incoming calls– Return values– Callbacks

• Options– Veto– Audit/Log– Alter– Buffer

Session # 288325

Hierarchy of Binders

Component

Container ServiceBroker

ContainerProxy B

ServiceBrokerProxy B

ServiceInstanceProxy B

ServiceProvider

ServiceInstance

ContainerServiceBroker

ContainerProxy A Service

BrokerProxy A

ServiceInstanceProxy A

Session # 288326

Binder Roles

• Insulation– Veto requests– Modify in/out information

• Management– Control– Support

• Probe point

Session # 288327

A Securely Bound Service

ComponentD

ContainerA

ContainerProxy A1

ContainerB1

ContainerProxy B1

ContainerC

ContainerProxy C

ServiceProvider

B2

ServiceBroker

ContainerB2

ContainerProxy A2

ServiceInstance

Session # 288328

Binder as Container Proxy

• Management– Construction– State control– Support methods– Scheduling

• Access to hierarchy– ServiceBroker– Alias other services

Session # 288329

Binder as ServiceBroker Proxy

• Mediated Service discovery and rendezvous– Reflection at initialization time– getService() like

• Service requests– Proxy/veto/audit– Passthrough to next level up

Session # 288330

Binder as Service Proxy

• Method wrapper– Audit– Veto– Proxy callbacks (both directions)– Proxy returned objects

• Insulate

• Translate

• Authorization

Session # 288331

Implications: Safety

• All interactions with other components mediated by Binder

• Each Binder may implement own policies

• Multi-level interactions mediated by all intervening Binders

• Proxies prevent casting attacks

Session # 288332

Implications: Performance

• Insulating Proxies usually thin

• Connect-time versus invocation-time

• Can escalate management level at runtime

• Optimizations possible

Session # 288333

Implications: Other

• Information Translation/Transformation– Encryption

• Hierarchy of management policy– Properly nesting Policy

• Testing– Lash-ups, jigs, logging, tracing

• Decoupling development of Components– Enforcing modular programming practices

Session # 288334

Other: Binder Combination

• Binding a Binder– Allow untrusted Binders

• Multiple binders for one Component– Allow composition of function– Binder overlays/filters

Session # 288335

Example 1: Basic Service Binder

class MyBinderFactory extends ServiceFilter {// select the BinderClass getBinderClass(Object child) {

return MyFilteringBinder.class;}

}class MyFilteringBinder extends ServiceFilterBinder {

protected ServiceBroker createFilteringServiceBroker(

ServiceBroker sb) { return new MyFilteringServiceBroker(sb); }}class MyFilteringServiceBroker extends FilteringServiceBroker {

public MyFilteringServiceBroker(ServiceBroker sb){ super(sb);}

}

Session # 288336

Example 2: Service Firewall

interface NameService { URL lookup(String name);}

class MyFilteringServiceBroker extends FilteringServiceBroker {

// return false to veto requestprotected boolean allowService(Class serviceClass){ return serviceClass.equals(NameService.class);

}}

Session # 288337

Example 3: Proxy a Service

class MyFilteringServiceBroker extends FilteringServiceBroker {

protected Object getServiceProxy(Object service,Class serviceClass,Object client) {

if (serviceClass.equals(NameService.class)) {return new NameServiceProxy(service, client);

} else { return null; }}

}class NameServiceProxy implements NameService {

public URL lookup(String name) {if (isLookupAllowed(name, this.client)) {

return this.service.lookup(name);} else { return null; }

}private boolean isLookupAllowed(..){}

}

Session # 288338

Future

• Other forms of Binder Combination

• Automatic Service Proxy creation

• Library of generic Binders

• “Remote” Binders

• Unloadable Binders

• Can Containment be just another Service?

Session # 288339

Further information

• Cougaar home:– http://www.cougaar.org

• Presentation web site:– http://www.alpine.bbn.com/~mthome/javaone

• BeanContext whitepaper:– http://java.sun.com/products/javabeans/

glasgow/

Session # 288340

Contact information

• mthome@bbn.com

• cougaar-developers@cougaar.org

• cougaar-help@cougaar.org

Session # 288341

Summary

• Components are good

• Untrusted Components are scary

• Cougaar Component Model is like the BeanContext API with a Proxy layer between all Components and between Components and Services.

End

Session # 288342

Binders are the Chaperones of the Component Dating Game

End

As applications get larger and the boundaries between them blur we will need some way of increasing the level of trust if we are to get any work done.

Session # 2883

Session # 2883