Theses
Thesis/Dissertation Collections
1990
Enhancements to the XNS
authentication-by-proxy model
Peter D. Wing
Follow this and additional works at:
http://scholarworks.rit.edu/theses
This Thesis is brought to you for free and open access by the Thesis/Dissertation Collections at RIT Scholar Works. It has been accepted for inclusion
in Theses by an authorized administrator of RIT Scholar Works. For more information, please contact
Recommended Citation
Enhancements to the XNS Authentication-by-Proxy Model
by
Peter D. Wing
+
A thesis, submitted to
The Faculty ofthe Computer Science Department
in partial fulfillment of the requirements for the degree of
Master of Science in Computer Science
Approved by:
Professor Peter H. Lutz
Mr. Paul A. Rulli
Professor Peter G. Anderson
Title of Thesis: Enhancements to the XNS Authentication-by-Proxy Model
I, Peter D. Wing, must be contacted each time a request for reproduction of my
above named graduate thesis is received. Reproduction rights are absolutely
forbidden in lieu of the possession of a written document bearing my signature as
shown below expressing permission the contrary. I may be reached to request such
rights at the following address:
94 Hefner Drive
Webster, New York
14580
have
everhad
of afather-in-law
served asthe
foremost
ofmany
inspirations to
Acknowledgements
This
workis
uniquely
my
productby
only
the
most superficial of perspectives.While
anexhaustive enumeration
ofthose
whocontributed
to
its
completion woulditself
be
aformidable
challenge,
many
warrant recognition onthe
basis
oftheir
critical rolesin
the
endeavor.
I
amimmeasureably
gratefulto these
very
specialindividuals.
Whomever
coinedthe
phrase"behind
every
successful man stands a goodwasclose
to
describing
my
wife,
Kelly.
Her
love
throughout
ourmany
yearstogether
is
the
primary
enabler ofthis
graduate educationwork,
as well as most other activitiesin
whichI
participate.Especially
admiredis her
decision
to
indefinitely
postpone apromising
softwareengineering
careerin
lieu
of oneclearly
moreimportant
though
counter society'slatest
normsinvesting
in the
future
representedby
ourchildren.This
being
the case, I
clearly
recognizethat
"beside
this
very
lucky
man stands one greatwoman."Our
children,
Meaghan
andKevin,
arelikewise
sources of unboundedlove
and support.More
than
anything
else,
they
areunfailing
role models ofthe
virtues ofinnocence.
At
the
sametime,
they
have
provided a good share ofthe
motivationto
capitalize onthe
availability
ofthis
outstanding
educational opportunity.It is my
sincerehope
that their
sensitivity
to the
importance
of perseverancein
the
pursuit of personaldreams has
increased
through
their
participationin
this
experiencedespite
their
very young
age.This
wasbut
one ofthe
countlessinvaluable lessons
I
learned
from
my
parents,
Marie
andBob
Wing.
Among
the
others notablein
this
contextis
astrong
convictionto
apriority
schemeheaded
by
God
andfamily. No
doubt
their
ownunfailing
commitmentto
live
by
the
value systemthey
espousehas
greatly
influenced my
aspirationsto
do
likewise.
Completion
ofthis
degree
programis
as much a creditto
their
successin
instilling
adedication
to
apply my
talents
consistent withtheir
valuesasany
othersinglefactor.
At the
age of15 I
first
metthe
wonderful couple who yearslater
became
my
in
laws,
Jeannette
andLarry
Fogarty.
They
have
alwaystreated
me sincein
a manner of whichevery
son shouldbe
soblessed.
Few
individuals in today's
society
have
the
advantage ofa single setofterrific
parents.I
have
had
two.
Remaining
family
members and closefriends
also contributedsignificantly
towards
completion ofthis thesis
in
various capacities.Common to all,
however,
was supportivenessin
dealing
withthe time
demands my
studies entailed.This
rangedbroadly
from
good-natured acceptance ofmy
inability
to
fully
participatein
various activitiesto
gently reining
mein
whenI
wasattempting
to
do
too
much.Their
flexibility
andunderstanding
in
light
of suchimpositions
has been
admirable.Many
individuals
have
enrichedmy
career experience andindividual capabilities,
but
none morethan
Bob Hurtz.
The
enjoymentI
have derived
in
the
course of ourengineering methodology
establishment
is
eclipsedin
the
work environmentonly
by
ourfriendship.
Few
of usareendowed
withthe
abilities anddrive
to
apply
them
whichBob
possesses andreadily
shares.Larry
Rourke
is
distinguished
asuniquely providing
the
environmentin
whichmy
focus
turned to
protection as aconcentration
area.His uncompromising
foresight
and
admirable
ability
to
movecorporate
inertia
towards
suchhigh
opportunity
applications arelargely
responsiblefor
the
fact
that this thesis
pertainsto
authentication and notany
ofathousand
otherpertinenttopics.
One
canonly
hope
that the
valuable productsof oureffortswithBob
Hurtz
cometo
fruition.
A
number ofmanagershave
alsobeen
quiteinstrumental
in
motivating my
pursuitofa graduate
degree,
Bob
Wolf
being
the
first.
Though
we workedtogether
before
this
courseworkactually
began,
it
wasBob
who most reinforced andfacilitated
pursuit of prior aspirations of advanced
formal
credentials withinthe
computer science profession.Denny
Ulrich
wasa saviorproviding
friendship,
autonomy,
and much-neededideological
reinforcement under adverse circumstances.Jim Iverson
epitomizedthe
advantages of skills andstrategy
over position and resources.Jim
alsonotably
reaffirmedthe
importance
of abalanced lifestyle
through
both
word and act.All
ofthese
men setvery
high
expectationsfor my
performanceMaslow's
formula
for
self-actualization.Finally,
Bill
Valentine
providedthe
environment under whichthe
applied research skillsfostered
through
these
graduate studies was allowedto
maturesignificantly
through
applicationto
his
critical softwareengineering
productdevelopmentresponsibilities.Xerox Corporation
supportedmy
graduate studies via such means astuition
aid,
computing
facilities,
on-sitecourseadministration,
workforcedevelopment
policies,
and achallenging
engineering
environment comprised ofhighly
skilled associates.It
alsofunded
a significantpercentage ofthe
underlying
research anddevelopment
comprising
the
foundation
of protectionliterature.
Finally,
thanks
aredue
those
members ofthe
RIT
graduatefaculty
from
whomI
studied.Particular
recognitionis
due
my highly-skilled
thesis
committee:Peter Lutz
andPaul
Rulli. Their
diligent
verification ofmy
interim
thesis
outputsboth greatly
acceleratedtheir
completion schedule and quality.The
intended
consistenttheme
throughout
these
acknowledgementsis my
greatfortune
in
having
been
associated with each ofthese men,
women,
and childrenAbstract
Authentication
is
the
secure network architecture mechanismby
which a pair of suspicious principalscommunicating
overpresumably
unsecure channels assurethemselves that
eachis
that
whomit
claimsto
be.
The
Xerox Network Systems
architecture proposes one such authentication scheme.This
thesis
examinesthe
system consequencesofthe
XNS
model's uniqueproxy
variant,
by
which a principalmay
temporarily
commission a second networkentity
to
assumeits
identity
as a means ofauthority
transfer.
Specific
attendant systemfailure
modes arehighlighted.
The
student's associated original contributionsinclude
proposedmodel revisions which
rectify
authentication shortfalls yetfacilitate
the temporal
authority
transfer
motivating
the
proxy
model.Consistent
withthe
acknowledgementthat
no single solutionis
defensible
asbest
under circumstances ofsuchtechnical
and administrativecomplexity, three
viable such architectures are specified.Finally,
the
demand
for
adisciplined
agent management mechanism within adistributed
system such asXNS is resoundingly
affirmedin
the
course ofthese
first-order
pursuits.Computing
Review Categories
andSubject
Descriptors
Primary:
D.4.6
[Operating
Systems]:
Security
andProtection
-access
controls,
authentication,
cryptographic controlsSecondary:
C.2.0 [Computer-Communication
Networks]: General
-security and protectionC.2.2 [Computer-Communication Networks]: Network Protocols
- protocolarchitecture,
XNS
C. 2.
4 [Computer-Communication Networks]: Distributed Systems
-distributed
applicationsGeneral Terms
Design,
Security
Additional
Key
Words
andPhrases
Table
ofContents
1
Introduction
andBackground
1
1.1
Problem Statement
1
1.2
Authentication
andAuthority
Transfer:
to
Couple
or notto Couple?
2
1.3
Information
Acquisition
Methods
3
1
.4Notation
4
2
Previous
Work
5
2.1
Protection Primitives
5
2.1.1
Reference Monitor
6
2.1.2
Threats
7
2. 1
.2.1
Unauthorized Disclosure
8
2.1.2.2
Unauthorized
Modification
9
2.1.2.3
Denial
ofService
9
2.1.3
Access Control
Paradigms
.. .9
2.1
.4Access Right Representation Schemes
11
2.2
Protection
withinNetworked Systems
12
2.2.1
Open Systems Architecture
13
2.2.2
Threats
14
2.2.2.1
Release
ofMessage
Contents
14
2.2.2.2
Traffic Analysis
15
2.2.2.3
Message Stream
Modification
15
2.2.2.4
Denial
ofMessage Service
15
2.2.2.5
Spurious
Association
Initiation
16
2.2.3
Protection
Mechanisms
16
2.2.3.1
Encryption
17
2.2.3.1.1
Invertible
vs.One-Way
Translations
17
2.2.3.1.2 Private
vs.Public Keys
18
2.2.3.1.3
Link
vs.End-to-End Measures
19
2.2.3.2
Digital Signature
20
2.2.3.3
Notarization
20
2.2.3.4
Data
Integrity
20
2.2.3.5
Access Control
21
2.2.3.6
Authentication
22
2.3
Authentication
Survey
23
2.3.1
Architecture
23
2.3.2
Models
24
2.3.2.1
Simple
24
2.3.2.2
Base
Strong
25
2.3.2.3
Cached
Authenticator
26
2.3.2.4
Timestamp
26
2.3.2.5
Nonce-Protected
Conversation
Key
27
2.4
Xerox
Network Systems
30
2.4.1
Application: Distributed Document
Management
30
2.4.2
Architecture
32
2.4.2.1
Data
Communications
32
2.4.2.2
Distributed Systems
Differentiators
33
2.4.2.3
Functional
Decomposition
34
2.4.2.4
User
Perspective
35
2.4.3
Authentication Model
36
2.4.3.1
Base
37
2.4.3.2
Proxy
37
2.4.3.2.
1
Motivation
38
2.4.3.2.2 Model
40
3
Theoretical Development
42
3.1
XNS
Authentication Model
Enhancement Opportunities
42
3.1.1
Base
42
3.1.1.1
Conversation
Liveness Assurance
43
3.1.1.2
Identity
Assurance
44
3.1.2
Proxy
44
3.1.2.1
Identity
Assurance
45
3.1.2.2
Authorization
Scoping
46
3.1.2.3
Threat
Immunity
48
3.1.2.4
Extensibility
50
3.2
Architectural Enhancements
52
3.2.1
Opportunity
Analysis
53
3.2.1.1
Interdependence
53
3.2.1.2
Prioritization
54
3.2.2
The
Agent
Debate
55
3.2.2.1
The Purist
Perspective
55
3.2.2.2
The
Pragmatic
Perspective
56
3.2.2.2.1
Functional
Efficiency
57
3.2.2.2.2
Delegation
ofIntent
58
3.2.2.2.3
Discretionary
Access Control Model
Fidelity
59
3.2.3
Alternative Agent Models
60
3.2.3.1
Authentication-Coupled
61
3.2.3.1.1
Preserved
Base Model
61
3.2.3.1.2
Enhanced Base Model
64
3.2.3.2
Access
Control-Coupled
65
4
Conclusions
70
4.1
Unanticipated Problems
70
4.2
Residual Opportunities
70
Glossary
72
1
Introduction
andBackground
This
document
satisfiesthe
prescribed
role ofthe thesis
report element ofthe
Master
ofScience
degree
requirements under
Rochester
Institute
ofTechnology's Graduate Computer
Science
program.Consistent
withthis
mission,
the
discussion
to
follow details
the
innovative
products createdby
the
student's
particular research anddevelopment
activity.The
emphasisthereof
is
largely
one ofdistributed
systems requirements analysis andarchitecture specification.
A
significant element ofthis
reportthus
lies in
Section
2,
which surveys pertinent previouswork.This
is
comprised oftwo
primary
components: a generictreatment
of relevant principlesfrom
establishedliterature
anddetailed
examination ofthe
particularbaseline
modelto
be
enhanced.Notably
original contributions are providedin
this
document
with respectto the
identification
of significantimprovement
opportunities.These
are presentedin Section
3,
in
associationwith numerouscandidate modelsby
whichthey
may
be
realized.Section
4
summarizesthe
key
contributions ofthis
thesis,
as well as potentialoutstanding
tasks.
The
remainder of
this
sectionintroduces
the
student'stopic, describes
the
supporting
information
acquisition methodsemployed,
and presents notationalconventionsto
be
appliedhereafter.
This
organizationis
consistent withthe
guideline presentedin
the
defined
thesis
development
process given exclusion ofits
software project emphasis. 1&1.1
Problem
Statement
Authentication
is
the
secure networkarchitecture mechanismby
which a pair of suspicious principalscommunicating
overpresumably
unsecure channels assurethemselves
that
eachis
that
whomit
claimsto
be. The
Xerox
Network
Systems
[XNS]
architecture proposes one suchauthentication scheme.
This
thesis
examinesthe
system consequences ofthe
XNS
model's uniqueproxy
variant,
by
which a principalmay
temporarily
commission a second networkentity
to
assumeits
identity
as a means ofauthority
transfer.
Specific
attendant systemfailure
modes arehighlighted.
The
student's associated original contributionsinclude
proposed model revisions whichrectify
authentication shortfalls yetfacilitate
the
temporal
authority
transfer
motivating
the
proxy
model.Consistent
withthe
acknowledgementthat
no single solutionis
defensible
asbest
under circumstances of suchtechnical
and administrativecomplexity, three
viable such architectures are specified.The utility
of an agent management mechanism within adistributed
systemis
challengedin
the
course ofthis
discussion,
asis
its
architectural12
Authentication
andAuthority
Transfer:
to
Couple
or notto
Couple?
As
vividly
demonstrated
by
the
recent"Cornell
worm",
akey
shortfall of most moderndistributed
systemsis
the
relativeineffectiveness
oftheir
protection mechanismsJ?This
inadequacy
has
percolatedto the
top
ofthose
constraining
the
rateby
which such state-of-the-art architectureshave
become
state-of-the-practice.
Even in
many
ofthose
applications wheredistributed
systemshave
made successfulinroads,
considerableoperating
risk mustbe
tolerated
as atradeoff
againstthe
immediate
benefits
of adistributed
organization.This
thesis
considers a particularsignificant
element ofbut
one such network protection scheme:the
Xerox Network
System's
Authentication-by-Proxy
mechanism.To
review,
protectionis
a simple case ofenforcing
a set of rules which constrainthe
operations which active system entities[i.e.
subjects]
may
apply
to
passive system entities[i.e.
objects].Implicit
in this
statementis
the
fundamental
assumptionthat the
identity
ofeach ofthe
principalsto
the transaction
has been accurately
established.The
utility
in
this
knowledge
is
ofthe
first
orderin
the
caseofdiscretionary
policies,
which control subjectto
object accesspurely
as a consequence ofidentity.
Alternatively,
a second-order effectis
witnessedin
light
ofmandatory
rules,
by
whichidentity
is
mappedto
clearancethe
ultimatebasis
of accesscontrol.Consequently,
impersonation is
aparticularly
attractive means ofsubverting
protection safeguards.The introduction
of adistributed
system architectureappreciably
shiftsthe
risk/reward profilein
favor
ofthe
would-beintruder.
This
is
an unfortunate side-effect ofthe
loosely-coupled organizationgenerally
appliedto
the
underlying
networking
media.That
is,
system administratorsintentionally
have
minimal control overthe
equipmentconfigurationcomprising
the
domain for
whichthey
have
protection responsibility.Subject to the architecture,
distributed
system usersareoften at
liberty
to vary
any
aspectofthe
nodewhich acts astheir
network surrogateincluding
the
hardware,
the
operating
systemkernel,
andthe
applicationssoftware.In
light
ofthis
degree
of network configurationfreedom,
the
only
reasonably
effective modelby
which each principalto
atransaction
may
establishthe
identity
ofits
prospective partnersis
through
mutual suspicion.This
is
the
role of authentication mechanisms.A
greatmany
suchtechniques
have
been developed
giventhe
significance
ofthe
impersonation threat
andthe
subtle complexities ofthe
problem.2
sometimes
architecturally
convenient
to
dispatch
athird-party
to
conduct
affairs onbehalf
ofthe
original authorizedparty,
the
transaction
initiator.
Of
particular
noteis
the
fact
that the
party
with whomthe
exchange
is
targeted,
the recipient,
generally
requires proof ofthe
initiator's
delegation
ofauthority
to
his
agent.Such
aproxy
represents
the
agent's rightto
fully-engage
in
transactions
with completeresponsibility for
the
resultant effectstransferring
to the
initiator.
The XNS
modelto
be
consideredin this thesis
achievestemporary
authority
transfer
through
controlledimpersonation
in
the
authentication mechanism.It
is
this
apparent significantinconsistency
ofemploying impersonation
in
conjunction withthe
authentication mechanismto
achieveauthority
transfer
whichinterests
the
student.This
thesis
is
therefore
devoted
to
dissecting
the
effectivenessofthis
coupling
in
light
ofcomplementary
system protection considerations.1.3
Information
Acguisition
Methods
Exceptionally
extensivededicated
research provides a soundfoundation
upon whichthis thesis
is
constructed.This is
afortunate
conseguence ofhaving
charted adirect
pathtowards
athesis
concentratedin
the
area ofdistributed
systems protectionearly
in the
curriculum cycle.Such
wasthe
motivationbehind
atrilogy
of research reportsdelivered
in
partial satisfaction ofthe
reguirements ofthree
separate courses.2-3,
4|n
succession, this
research expandedfrom
the
protection primitives associated withsecurity
kernels
to
encompass secure open systemsdevelopments,
concluding
with asurvey
of notable authentication models.The
last
ofthese
wasspecifically intended
to
establishthe
baseline
existence of significant prior researchactivity
with respectto
authentication.Section 2
ofthis
reportis
largely
anintegration
ofthose
portions ofthe three
original research reportsdirectly
applicableto this
thesis.
A
considerablelag
between
completion ofthe
authenticationsurvey
andthesis
initiation
promptedthe incremental
needfor
alibrary
searchto
identify
subseguent relevant researchin
June
of1989.
No
majorinformation
was acguiredthrough
this
effort, though
a seriesof relevant articlesdescribing
the
"Cornell
worm"
avenue
unexpectedly
yieldedthe
fundamental
engineering
principlesby
whichthe
final
architectural modelswere produced.1.4
Notation
The
data flow diagram
(DFD)
is
the
primary
graphical representationtool
employedto
complement narrativetext throughout this
report.18Each
authentication
modelconsidered
is
explainedusing
both
ofthese
communicationtools.
Message
legibility
accruesfrom
such reliance uponconsistent notation.
The
active entitiesin
the
models[i.e.
processes],
principals and authenticationservices,
are represented as circles.These
are connectedby
named vectors[i.e.
flows],
the
labels
of whichindicate
passiveexchanged message contents.
Notational
liberty
has been
taken
withrespect
to
DFD
conventionsin
applying
numbersto
the
vectorsdepicting
message
ordering
as aninformational
expediant.In
addition,
a pair of parallellines
representfiles,
semantically
indicating
time-delayed
data
exchange as opposed
to the
instantaneous
nature ofdata flow
acrossnamed vectors.
The
DFD
source and sink constructs are unusedin
this
work.
The
second notable convention pertainsto the
encryption of messagesand
fields
thereof
passing between
authentication model communicantsin
the DFDs. In
this
instance,
a pair ofcurly braces
'{}'
delimits
the
encrypted message.
The
cleartextis
identified
between
these
braces,
withthe
encryptionkey
denoted
as a superscriptfollowing
the
trailing
brace.
For
instance,
{mydata}<A
representsthe
ciphertextformed
by
encrypting
"mydata"
under
key
KA.
Those
messagefields
notdelimited
2
Previous
Work
As
its
nameconveys,
the
intent
ofthis
sectionis solely
to
establishthe
target
set ofexisting
affairsto
be
extendedby
the
original workcomprising
this thesis.
Of
course, this
end canonly
be
achievedthrough
adiscussion
ofthe
specifictopic
ofthe
student's research:the
currentXerox
Network
Systems
Authentication-by-Proxy
model.Equally
asrelevant
to
adistributed
systems research effort such asthis
is
anappreciation
ofthe
larger
architecturein
whichthis
particular authentication service plays anintegral
role,
XNS. It is imperative
that the
reviewer understandboth
the
broad
organization ofthe
encompassing
architecture
andthe
specific role ofthe
particular service underinvestigation
in
orderto
accurately
verify
the
needfor
andsufficiency
ofproposed architectural modificationsproduced
by
the
student.The
committee's verification ofthese
attributes ofthe
student's workis
the
means ofthesis
evaluation.The
other qualificationnecessary
to
performthis
function
is
an appreciation of established protection principles.This
sectiontherefore
setsthese
forth
as well.In
fact,
this
discussion
largely
mirrorsthe
evolutionin
security developments
both
in
a
historical
sense andby
the
student.That
is,
the
fundamental
set of protectionbasics
establishedin
the
course of computersecurity
mechanismsfor
standalone systemsis
extendedto
networkedconfigurations,
finally
concentrating
on authentication.These
topics
aretreated
in
considerabledetail in
the
student's prior research reports.2-3,4Only
the
most relevant ofthese
established practices aredescribed
below.
2.1
Protection Primitives
Security
systemsin
the
non-computing
sense are quite mature as a consequence of considerablehistorical
research.For the
samereason,
protection mechanismsin
standalonecomputing
systems are quite well-understood atthis
pointin
time.
While
this
knowledge
is
far from
complete,
those
pursuing
the
problem nowpossess considerablecapacity
to
deliver
effective computer protectionfacilities.
Of course, total
systemsecurity in
any
computing
environmentis
a multi-faceted problem representedby
the
expression :13
S
=f(P1
*P2
*A
*C1
*
According
to
its
proponents,
each ofthese
factors
may
be
thought
of asvarying
by
weightfrom
zeroto
oneaccording
to the
applicationenvironment.
If
any
single componentis
deficient,
total
systemsecurity is
at riskofsomemagnitude
in
spite ofeffectivecomplementary
measures.Likewise,
redundantinvestments
acrossthese
factors
provide no additional overall assurance whileinflating
costs.The
trick
as asecurity
systems architectis
to
strike an effectivebalance
among
these
various control pointsgiventhe
potentialleverage
of each.While
all ofthese
factors
areinteresting,
the
last
two
arethose
most pertinentto this
research.The primary
reasonfor
introducing
this
broader
view systems view atthis
pointis
to
emphasizethe
urgent needto
comprehend andactively
managethe
systemimpact
consequentto
decisions
atthe
individual
protection mechanismlevel.
This
pointunderscored, the
discussion
now resumesits
computersecurity
theme.
In
particular, the
remainder ofthis
sectionhighlights
the
basic
elements ofcomputing
protection.2.1.1
Reference
Monitor
Among
the
fundamental
properties ofcomputing
systemsis
the
sharing
of a common set ofresourcesamong
many
clients asillustrated
in
Figure
2.1.1.1.
Depending
uponthe
specifics ofthe situation,
sharing
provides significantopportunity
with respectto
such systemquality
factors
asefficiency, reliability,
and usability.22However,
architectural accomodations mustbe
madein
orderto reap the
potentialbenefits
of resource sharing.The
most studied ofthese
deal
withthe
synchronization ofclientreferencesto the
shared resources.The
semaphore provides aprimitive,
though
complete andwidely-utilized,
means of synchronization.A
glaring
shortfall ofthe
semaphoreis
the
fact
that
its
effectivenessis
heavily
reliant uponthe
correctness ofits
explicit useby
each ofthe
resource clients.By
centralizing
the
synchronizationlogic,
the
monitor provides a more attractive means of resource referencetiming
arbitrationfrom
suchquality
perspectives asreliability, verifiability,
and maintainability.22-23
Protection
is
a second architectural accomodation whichis
consequentto
the
goal oforderly
resource sharing.Rather than
coordinating
protection
enforcement
primitive.!2This
model classifiesthose
sharedresources
to
be
protected asobjects,
withtheir
clients referredto
as subjects.Note
that
not all shared resources needbe
protected.Typical
subjects
include human
users andthe
processes which servethem.
Files,
documents,
records,
devices,
memory
segments,
andinstructions
aregenerally
categorizedby
the
system architect as objectsto
be
protected.This
organization establishesthe
granularity
of protection providedby
the
system.Each
subsequent
attemptby
a subjectto
access an object mustbe
mediatedby
the
reference monitorbased
uponthe
predefined relationsto
whichit
alonehas
access.The
reference monitoritself
also needbe
isolated from influence
by
the
subjects as an additional means ofassuring
the
reliability
ofits
operation.This
assuranceis
alsobolstered
by
explicitly engineering
those
quality
criteriasupporting
verifiability
into
the
reference monitor.6,22
These
requirements are manifestedin the
security kernel
element ofthe
systemdepicted
in
Figure
2.1.1.3.
This
diagram
represents system architecture as ahierarchy
of virtualmachines,
consistent withthe
contemporary
trend.
24Note
that the
security kernel
providesthe
base-level
virtual machineby
managing
all protectedshared-resources,
thereby
satisfying
the
required reference monitorproperty
of mediation.It
likewise
maintains a separate executiondomain
for itself
perthe
requirement ofisolation.
Finally,
such centralization and size minimizationfacilitate
verification ofits
correct operation.To
completethe architecture, the
supervisor exportsremaining operating
system servicesto the
applicationslayer,
whichin
turn
servesthe
end-usersJ22.1.2
Threats
A
prerequisiteto the
design
of effective protection schemesis
anunderstanding
ofthe
threats
to
be
countered.This
process ofmatching
requirementsto
design is
nodifferent
than that
ofany
other aspect of system engineering.A quality
solutionis
particularly
criticalin
the
instance
of protectionfeatures,
however,
as end-userutility is
directly
proportionalto the
number ofdesign
oversights.Even
a singleflaw
in
the solution,
if sufficiently
significant,
could renderthe
remaining
protection considerations useless.
At the
very
least,
user confidenceis
severely
erodedby
identification
ofprotection shortfalls.One
mightconsiderthe
above claim ofthe
needfor
absolute protectionintegrity
to
be
an unreasonablequality
demand.
Therein
lies
the
exists
between
the
ease of resourcesharing
and protection schemeseverity.
The
middle ground most often chosenis
to
adopt sufficientprotection
asto
reducethe
reward associated with successfulintrusion to
alevel
asto
be
unwarrantedby
the
costto
do
so.21Once
again,
attainment
ofthis
goalimplies
a comprehensiveunderstanding
of potentialthreats.
Such threats may
be
evaluatedaccording
to
various orientations.That
whichis
mostwidely
acclaimedin
the
mediais
the
motivationbehind
the
compromise.
In
fact,
many
equate protectionsolely
withthe
goal ofpreventing
deliberate
intrusion. This
perspective represents adangerous
simplification-one which
has led
many
an organizationto
ignore
those
prudent precautions which could prevent
the
inevitable
accidentalthreats
onthe
flip
side ofthe
motivational coin.It
is
sometimeseasy
to
effectively
arguethat the
cost of protectionis
superflous onthe
basis
ofthe
inherent
goodness ofthose
comprising
the
work group.In
adistributed
systemenvironment,
such an argumentis
muchless
convincing
giventhe
potentialdisparity
of usersandparticipating
nodes.In
any
case, the
addedcomplexity introduced
by
distribution
begs
for
effective protectionif
only
onthe
basis
ofthe
risk associated withinadvertent
sourcesoffailure.
A
second orientationby
whichthreats
may
be
interpreted
is
as passive or active.Whereas
the
valuein considering
threat
motivationlies in
assessing
the
probability
of compromiseoccurrence, this
view considersthe
post-intrusion state ofthe
system.This
information,
in
turn,
constrainsthe
attributes ofthe
set of mechanismsby
whichthe
threat
may effectively
be
countered.A
passivethreat
is
defined
to
be
onein
which unauthorizeddisclosure
ofinformation
occurs withoutimpacting
system statein
a noticeable way.On the
otherhand,
an activethreat
is
onein
whichdamage
is inflicted
through
a changein
system state.This
distinction
is
significantin
that
passivethreats
mustbe
preventedas,
by
definition,
they
cannotbe
detected
afterthe
fact.
In contrast,
activethreats
often cannotbe
preventedbut
canabsolutely
be detected.
As
a systemresponse, this implies the
minimal needto
detect
suchattacks,
ideally
complemented with correction mechanisms.The
netimpact
of a compromise uponthe target
objectis
the
mosttangible
of all possibleinterpretations. Given
suchrelevance, these
have
been
setforth
below in distinct
subsections.2.1.2.1
Unauthorized Disclosure
otherwise.
14
Unauthorized disclosure
is generally
a consequence of passivethreats.
Prevention
is
thus the
protectionstrategy
oftenassociated
with specificforms
ofit. Examples
ofthis
class ofthreat to
whichthe
readermay
relateinclude
reading
from
memory
regionsto
which one
is
notprivy
and wire-tapping.2.1.2.2
Unauthorized Modification
In this type
ofthreat,
information
is
modifiedby
one not authorizedto
do
so.This is
referredto
asdeception
when unauthorized modification occurs as a consequence of adeliberate
act,
and as alteration otherwise. 14Unauthorized
modificationis generally
a consequence of activethreats.
Detection is
thus the
protectionstrategy
often associated with specificforms
ofit.
Examples
ofthis
class ofthreat to
whichthe
readermay
relateinclude
writing
to
memory
regionsto
which oneis
notintended
access and modification of messages ondata
communicationslines.
2.1.2.3
Denial
ofService
In this type
ofthreat,
accessto
an objectfor
which oneis sufficiently
authorizedis wrongly
preventedby
another.This is
referredto
asdisruption
whendenial
ofservice occursas a consequenceofadeliberate
act,
and asinterruption
otherwise.14Denial
of serviceis equally
likely
to
be
a consequence ofthreats
which are passive oractivein
nature.This
is
often aparticularly
difficult
type
ofthreat
to
handle.
When
preventionis
not an alternative protectionstrategy,
detection
is
employed.Even
detection is
sometimesineffective. Examples
ofthis
class ofthreat
to
whichthe
readermay
relateinclude
allocation of all availablememory
andinfinite
executionloops.
2.1.3
Access Control Paradigms
Having
partitionedthe
system elementsinto
subject and objectsets, the
system architect mustdefine
the
protectionpolicy
to
be
enforcedby
the
reference monitor.Thanks in
large
partthe
existence ofthe
broadly-accepted
Bell
andLaPadula
formal
security
model, this
is
one wheel which need notbe
constantly
reinventedbut
simply
balanced
against application-specific needs.This
modelis
the
product ofDepartment
ofDefense-sponsored
research conductedin
the
mid-1970's atMitre
Corporation
andCase Western Reserve
University.
classifications associated with
the
particularsubject and objectinvolved
in
any
transaction.
Discretionary,
or need-to-knowpolicies,
enable subjectsto
create new objects andto
determine
the
scopeto
which othersubjects will
be
allowed access.A
particular reference monitormay
enforce a combination of
these
policiesdepending
uponthe
level
ofassurance
reguiredto
supportthe
system'sintended
application.As
introduced
above,
monitor enforcement of amandatory
policy is
based
uponthe
clearance ofthe subject, the
sensitivity
ofthe object,
andthe type
of access.Considerable
mandatory
policy
tailoring
to
application
needsmay
be
performed giventhe
alternatives ofhierarchical
and nonhierarchical classification schemes.4A
pair ofkey
principles
determine
the
acceptability
of atype
of accessby
subjectto
objectindependent
of categorization scheme:the
simplesecurity
condition and
the
*-property
(pronounced "star-property").
The
simplesecurity
condition statesthat
only
those
subjectspossessing
clearance greater
than
or egualto the
sensitivity
ofthe
objectmay
acguire
(i.e.
read)
its
contents.A
somewhat more subtle aspect ofthe
unauthorizeddisclosure
threat
is
addressedby
enforcement ofthe
*-property.
Under this
rule,
object modification(i.e.
write)
is
grantedto
only
those
subjects whose clearanceis
less
than
or egualto
that
ofthe
object's sensitivity.Application
ofthe
*-property
preventsmany
ofthose
potential"Trojan
Horse"attacks
in
which unauthorized objectdeclassification
is
perpetrated as a side effect of validdata
acguisitionby
a subject.A
simple suchthreat
scenario could occurin
conjunction withthe
introduction
of autility
to
be
sharedthroughout
a user population ofvarying
clearance.While apparently performing
to the
completesatisfaction of
its
clients,
such autility
could also seekto
record acopy
ofall
information
to
whichit is
exposedin
a minimumsensitivity repository
whichmay subseguently
be
legitimately
accessedindiscriminately
underthe
conditions ofthe
simplesecurity
condition.This intrusion
is
preventedthrough
enforcement ofthe
*-property,
for
whilethe
utility
remainsrightly
allowedto
acguire objects consistent withthe
clearanceneed-to-know
withrespect
to that
object.The granularity
of suchdiscrimination
varies
from
coarsein the
case of agroup
structure schemeto
fine
in the
more robust access or
capability list
representationstouched
uponbelow.4
The
success ofobject protection under a
discretionary
policy
is
thus
directly
proportionalto the
accuracy
ofthe
owner'sdecision,
the
diligence
with whichthis
responsibility
is
exercised,
andthe granularity
ofthe
mechanism.A
discretionary
policy is
thus
particularly
well-suitedto those
situationsin
which a number of subjects ofindistinguishable
clearance cooperate
to
complete an operation.2.1.4
Access
Right Representation Schemes
Important
consequencesderive from
the
access right representation mechanism selected under adiscretionary
accesscontrol policy.Basically,
the
choiceis
between
association ofthe
rights withthe
object orthe
subject.The
more commonformer
instance
is
referredto
as an accesslist,
whilethe
latter is
termed
acapability list.
25Conceptually,
eachentry
of an accesslist
describes
the
rights of a subject with respectto the
associated object.Reference
mediation given anaccess
list
representation consists ofsearching
the
object's accesslist for
the
rights ofthe
referencing
subject.Unfortunately,
this
canbe
somewhat
time-consuming
and provides no simple means ofidentifying
the
complete rights of a particular subject across all objects.23
Capability
lists
have
just
the
opposite profileit is easy
to
determine
the
scope of a subject's rights across allobjects,
but
very
costly
to trace the
rights of all subjects against a given object.Consequently,
rights revocationis
quite costly.In
this case,
eachentry
in
the
list
names an object anddescribes
the
subject's particular access rightsin its
regard.Each
such constructis
referredto
as a capability.When the
subjectwishesto
exerciseits
rights under such ascheme,
it
presentsits
capability
for
the
target
objectto the
reference monitor.The
reference monitor equates22
Protection
withinNetworked Systems
Until
quiterecently, the
emphasisof protection mechanism research anddevelopment
focused
on non-networked system architectures.Most
ofthe
spadework
pertaining
to
security between
communicating
systemshad been
focused
onthe
fundamental
mechanisms of encryption andidentification due
to their
utility in
timesharing
applications.This
wassufficient
giventhe
fact
that
networking
technologists
weresimultaneously
working
to
demonstrate
the
achievability
oftheir
open systemideal.
In
light
of marked commercial systemdisparity,
their
task
has been
to
develop
modelsenabling
arbitrary
communications amongst aheterogeneous
collection ofhosts,
each of whichis
an element of someindependently
managed,
interconnected
network.8
Restriction
of exchanges whichnecessarily
shouldbe
prevented was not anissue
aslong
asthe
technology
was ofthe
naturethat
suchinternetworking
was not possible.Each
discipline has
now maturedto the
pointthat
serious consideration ofthe
requirementto
engineer secure open systemsis
underway.The
following
factors
areamong
the
primary
motivationsfor
such endeavors:8The growing quantity
and value ofinformation
made vulnerableby
the
breaching
of networksecurity
make networkstempting
targets.
Computer
systems connectedby
networksarelikely
to
cooperatein
various waysto
provide resourcesharing
for
a user community.As
a result ofthis sharing,
the
security
ofinformation
on a givenhost
may
become dependent
onthe
security
measures employedby
the
networkandby
otherhosts.
The
development
ofnew networktechnologies
facilitates
certainkinds
of attacks on communicationssystems;
for
example,
it is
easy
for
anintruder to
monitorthe
transmission
of satellite and radio networks.The
increased
use of networksto
provide remote accessto
computerfacilities,
coupled withimproved
physicalsecurity
measures at computer
sites,
makesattacking
networks more attractiveto
anintruder.
2.2.1
Open Systems
Architecture
No
survey
ofcontemporary
network architecture wouldbe
sufficientif
it
omitted
the
International Organization for
Standardization's Open
Systems Interconnection Reference
Model
depicted
in Figure
2.2.1.1.20The OSI
protocol reference modellayers
network architecturein
such away
asto
be maximally
consistent withhighly-accepted
existing
systemsarchitecture
yet extensibleto
accomodate projected application andtechnological
developments.
Pursuit
ofthese
goals supportsthe
model'smission:
to
provide a platform upon which commercial systems vendorswill
deliver interoperable
products.Both
computing
vendors andcustomers are
the
endbeneficiaries
of suchdevelopments
along
suchsystem
quality dimensions
asfunctionality,
performance,
cost,
andlongevity.
Among
the
key
messagesthe
reader should gleanfrom
Figure 2.2.1.1
is
the
logical
nature of exchangesbetween
communicating
nodes atany
single
layer in
the
networkhierarchy.
Processes executing
withinthe
respective
nodes,
physically
separatedby
the
network communicationsmechanism,
are referredto
as peers.Another
pertinent noteis
that
peercommunications are constrained
to
processesin
equivalentlayers
ofthe
model.
This
is
contrastedby
physical exchanges acrossthe
interface
between
adjacent architecturallayers
within a single node.Peer
exchanges represent
semantics,
whileinterface
exchanges supportcommunications.
The diagram
alsoillustrates
akey
distinction
relatedto
the
nature of exchangesbetween
processesin
layers
onethrough
three,
collectively
known
asthe
communicationssubnet,
andthose
ofthe
higher-order
four
layers. Subnet
interactions
occuramong
a variable number ofadjacent
IMPs,
or messageswitches,
along
the
routefrom
sourceto
destination
node.These
exchanges addnothing
to the
semantichandling
ofthe
exchange,
but
merely
facilitate
moving
the
messagealong
the
pathto
its final destination.
In the
Transport
through
Applications
layers,
traffic
is
end-to-endin
the
sensethat
only
the
intended
processes withinthe
source anddestination
nodesparticipate.The layered
systemsdecomposition
employedin
the OSI
modelis
based
upon
the Principle
ofSteps,
ahierarchical ordering
principle exhibitedby
complex systems
throughout
the
universeincluding
operating
systems and networks.24
Three
observationscomprisethis
notion:The
universeis mostly empty
space.At
eachstep
there
are well-defined objects with well-definedThe
objectsofa givenstep
are composed of objects oflower
steps and are constituentsofobjects ofhigher
steps.Such
partitioning facilitates
anorderly
migration ofthe
system overtime
based
uponthe
localized
evolution
ofits
componentlayers.
The
following
particulardesign
rules guidedthe
ISO in
its development
ofthe
sevenlayers comprising its
model.20
A
layer
shouldbe
created where adifferent
level
of abstractionis
needed.Each layer
should perform a welldefined function.
The
function
ofeachlayer
shouldbe
chosen with an eyetoward
defining internationally
standardized protocols.The
layer
boundaries
shouldbe
chosento
minimizethe
information flow
acrossthe
interfaces.
The
number oflayers
shouldbe large
enoughthat
distinct
functions
need notbe
thrown together
in
the
samelayer
out ofnecessity,
andbe
small enoughthat the
architecturedoes
notbecome
unwieldy.The
consequentfunctional decomposition
of network architecture underthe
OSI
modelis
presentedin
Figure
2.2.1.2.15Due
to the
lack
ofurgency
atthe time
ofits
development
notedpreviously,
no provisionsfor
protection are specifiedin the
base
model.2.2.2
Threats
Five
additionalthreats
accruefrom
the
nature of communicationsbetween
networked systems.Whereas
all representflavors
ofthe
unauthorizeddisclosure,
unauthorizedmodification,
anddenial
of servicethreats
presentedearlier,
eachis
endowed special character given such an architectural expansion.As
before,
understanding
suchthreats
is
a prerequisiteto
successfully countering
their
occurrenceas required.2.2.2.1
Release
ofMessage Contents
Distributed
systems areparticularly
susceptibleto this
passivethreat
of unauthorizeddisclosure.
This
is
largely
a conseguenceofthe
fact
that the
set of messagescomprising
eachtransaction
between cooperating
principals must passthrough
the
intervening
networkmachinery
oneach end-nodein
additionto the
communications subnet.Depending
upon suchfactors
asthe
effectiveness ofthe
computersecurity
at eachswitch,
the
physicalsecurity
ofthe
transmission
media,
andthe
nature ofthe
subnet,
messagesface
the very
distinct possibility
ofinterception
by
an2.2.2.2
Traffic Analysis
A
very
subtlesource
ofunauthorized
disclosure
is
that
whichmay
occuras a
conseguence
ofmonitoring
the
demographics
oftraffic
patterns onthe
underlying
communications
subnet.That
is,
anintruder may
glean a significant volume ofinformation
as a side-effect ofthe
freguency,
length,
andsource-to-destination traffic
attributes.Traffic
analysisis
a seriousthreat
as a potential coverttiming
channel.13Communicants
A
andB
may
deliberately
chooseto
interact
in
defined
patterns as a means ofclueing
party
C
into
sensitiveinformation. As in
the
standalone machinecase,
suchdisclosures
arebest fought
by
channelbandwidth
reductionbelowthe
threshold
ofdesireability.
21,
28
2.2.2.3
Message Stream Modification
Threats
ofthis
sort referto
attacks onthe
integrity,
authenticity,
and/orthe
ordering
of messagespassing between
principals.13Integrity
meansthat
a messagehas
notbeen
modified en route.Authenticity,
oureventual subject
focal
point,
meansthat
the
issuer
ofthe the
messageis
that
whomthe
receiver expectsit
to
be.
And
ordering
meansthat
the
message canbe
properly
located
in
the
message seguencepassing
between
the
communicants.Attacks
to
authenticity include
insertion
ofbogus
or replayed messages whilethose to
ordering include
messagedeletion
orduplication
andaltering
the
order of messages withinthe
stream.
These
three
properties share a uniguerelationship
in
that
measuresto
addressintegrity
arefundamental
to
insuring
authenticity,
whichis
likewise basic
to
message orderpreservation.132.2.2.4
Denial
ofMessage Service
This
type
of attackmay be
perceived as a persistent message stream modification attack.Such
attacksinclude
discarding
ordelaying
all messagespassing in
either orboth
directions
of an associationbetween
two
communicants.8As
is
true
ofits
standalone machineeguivalent, this
threat
variantis
sometimes guitedifficult
to
detect.
This
is particularly
true
during
those
intervals
when an exchangeis
guiescent.At that
pointin
time,
eachparty
to the
conversationgenerally
has
noway
ofpredicting
whenthe
next message will arrivefrom
its
associate.An
attackwhich
completely
reduces message arrivalsfrom
the
otherparty
cannotbe
detected:
"is my
partnerreally
2.2.2.5
Spurious
Association Initiation
While sharing
the
characteristic
ofbeing
the
conseguence of an active attack withthe
previoustwo
forms
discussed,
spurious associationinitiation differs from
its
counterparts
in
its
timing
relativeto the
communications
lifecycle itself.
That
is,
this type
of attack occurs whilethe two
parties arein
the
process ofestablishing
aconnection,
whereasthe
otherstake
place after successful completion ofthis
phase ofthe
interchange.
The
two
forms
of spurious associationinitiation
mostfreguently
encountered are:8impersonation:
an attemptto
establish an association under afalse
identity.
replay:
repeating
arecording
of a previouslegitimate
associationinitiation
seguence or portionthereof.
The
interactive form
ofauthentication of whichthe
subjectXNS
modelis
aninstance
existsspecifically
to
prevent successful spurious associationinitiations.
This
pointis
likely
self-evidentto the
reader.In
light
thereof,
whatis
the
significancein
understanding
the
four remaining
classes ofthreat
described
above?Quite
simply,
while authenticationis
a meansto
combat spurious messageinitiation,
the
messagesby
whichit
providesthat
protection arethemselves
subjectto the
samethreats
as areany
interchanges
among
distributed
system components.Other
than that
oftraffic analysis,
an effective means ofcountering
each ofthe
threats
described
aboveis
a prereguisiteto
dependable
authentication models.This
represents a second observation ofthe
fragile
interdependence
of protection components upon net effectiveness.2.2.3
Protection Mechanisms
2.2.3.1
Encryption
Fittingly,
ourdiscussion
of protection mechanismsbegins
withthat
whichis
clearly both
the
mostwidely-recognized
and versatile.As
aconseguence
ofjudicious
message
encryption,
passiveintrusions may
largely
be
prevented and active attacksdetected.
Such
potency
has
led
to
widespreaddevelopment
and adoption of encryption algorithms.Conseguent
to
suchheavy
application,
this
mechanismis
alsothe
freguent
target
ofvulnerability identification
research, colloquially
known
ashacking
orcracking.For
the
purpose ofthis
discussion,
encryptionis
interesting
only
asto
the
mannerin
whichit is
applied as a means of messageisolation
between
distributed
communicants.Though
technically-challenging,
algorithm mechanics arebeyond
the
scope ofthis
need.It
is
withinthose
constraintsthat
ourdiscussion
proceeds.2.2.3.1.1
Invertible
vs.One-Way
Translations
Encryption
refersto
the
process oftranslating
cleartextinto
ciphertextfor
the
interval
oftime
during
whichit is
subjectto
attack andback
to
cleartext whenit is
againin
a securedomain.
The
conversionfrom
cleartextto
ciphertextis
referredto
asencryption,
whilethe
reverse processis
termed
decryption.
This is
inherently
aninvertible
process.That
is,
an explicitencryption goalis
to
reliably
recoverthe
originaltext
atthe
destination
with noinformation loss. The
translation
to
ciphertextform is
atemporal
response
to the
requirementto
passsecurely
through
notably
untrustedterritory.
The
definition
ofpassing securely may
representany
of a number of goals.Among
them
is
that
ofmaintaining
exclusiveinformation privacy
between
a setofinteracting
principals.This
goalis
diametrically
opposedto the threat
ofthe
release of message contents.Other
potential goals areto
enablethe
message recipientto
validatethat
it
originated atthe
expectedintiator,
as well asthat
the
message was not altered en route.Each
ofthese
objectivespotentially
motivatethe
needto
encypt[read.
isolate]
for
afinite
time-interval.
A
closely-related
text translation
concept as relatedto
protectionis
that
ofthe
one-way
function.
This
scheme
has
traditionally
been
appliedto
the authentication
component
ofnon-networked
systems.27As
the
name
conveys, its
majordistinction
from invertible functions
is
that the
original valuemay
notbe
recovered
after application ofthe
one-way
function.
The
goalin
this
instance
is
notto
temporarily
isolate
information from
potentialintruders,
but
ratherto
provide a schemeunder which possession of
the
original cleartextis itself
sufficient proof ofidentity.
Figure 2.2.3.1.1
demonstrates
such atechnique,
in
whichthe
cleartextX
is
presented
to the
one-way function
arbitratorto
yield atranslated
value.
This is
then
compared withthe
entry
of a previously-establishedpublic
lookup
table
which mapsA's
useridentity
to the
expected such value.The
success of such a schemeis
dependent
uponthe
absoluteinability
to
invert
this
function.
An
additional notable assumptionis
that
the
value producedby
the
function differs for
each originalvalue,
as anincreas