Abstract

The security characteristics of distributed systems are inherently different from those of centralized systems. These differences stem from the lack of a central authority responsible for physical security and policy enforcement. Security models for distributed systems need to take these differences into account and must scale to a large number of users. This paper discusses the security needs of distributed applications and identifies some implications for security mechanisms and models.

Security characteristics of distributed systems

Security in centralized systems depends on the ability of a trusted computing base to control access to protected resources and secure communication. The size of distributed systems and the fact that they tend to span organizational boundaries means that they are characterized by the following security problems.

• It is difficult or impossible to provide the same level of physical security to all components and communication links.
• Organizations are responsible for enforcing security policies over the components of the system that are under their jurisdiction.
• Composition of two secure sub-systems may create subtle security loopholes [10].
• There is no single, isolated trusted computing base that can mediate all actions by processes and enforce security policies.

The components of a distributed system execute in an environment of mutual suspicion. All communication across the network must be encrypted if it is to be secure. The paradigm is one in which security policies are enforced by the applications in the distributed system as this localizes and reduces the size of the trusted computing base that these applications use [4].

Security framework for distributed systems

Meeting the security requirements for distributed systems depends critically on the nature and security needs of the applications that we expect to emerge. This is a chicken-and-egg problem since the security framework will dictate the applications that are feasible, so it is important to be careful about making assumptions about future applications. However, it is reasonable to assume that most distributed systems will consist of applications whose components run on autonomous processors. For example, CORBA systems consist of applications running on a number of platforms that communicate via the CORBA Object Request Broker(ORB) [5]. Moreover, distributed applications will possess their own user-defined and application-dependent security policies in addition to system-wide policies [7].

Because of the multitude of organizations and the wide range of possible applications, it is highly unlikely that there will ever be one security model that is suitable for all distributed applications. Hence, it would be advantageous to create a security framework for distributed systems that can accommodate policies expressed in different security models. The framework will provide security mechanisms that applications can use to achieve their security goals. The framework should be flexible enough to allow the implementation of a wide range of secure applications while being scalable and easy to use. At a minimum the framework should satisfy the following requirements.

• The framework should distribute the management of trust through the system. Applications can decide whether to trust the credentials presented by a user based on their local policy.
• The framework should separate specification and enforcement of security policy from applications. This allows policies to evolve dynamically without modifying the application to which these policies apply.
• The framework should make security administration as simple as possible. System administrators should not be required to write programs in order to maintain and create new security policies.It should be possible to derive lower-level policies for the components of an application from an application-level policy.
• The framework should also provide mechanisms to compose policies meaningfully and to resolve conflicts amongst policies, if need be by referring to metapolicies that have been stated for this purpose.

In conjunction with this framework, it will be necessary for users and administrators to have a means of expressing their security policies. This "security language" should be amenable to reasoning about composition of policies and also conflict between policies. Ideally, this language should be expressive enough to capture complex policies, including trust relationships. for example, yet simple enough to give users sufficient confidence that they have expressed the policy they intend the system to enforce.

The success of database systems owes much to the fact that they allow administrators to create databases and users to formulate queries without knowing anything of the internal details of the databases. A similar approach to security management may provide users of secure systems with the same benefits. A Security Definition Language similar to Data Definition Languages (DDL) should allow creation of a security schema or model for the expression of security policies. Application users should be able to manipulate security policies using a policy language that parallels query languages in databases. Such a policy language should be flexible enough to allow customizing of security policies to reflect user needs. An additional advantage of such an approach is that potential users of secure systems are already likely to be familiar with databases and would find such a system far easier to use than the systems of today.

Conclusion

Creating secure, distributed systems is a challenging task and one that is both urgent and important. Creating security frameworks is a promising way to achieve the goals of developing secure, distributed applications that can support user-defined security policies.

References

[1] Christophe Bidan and Valerie Issarny, Dealing with Multi-Policy Security in Large Open Distributed Systems, INRIA, February 1997.

[2] Christophe Bidan and Valerie Issarny, Security Benefits of Software Architecture, INRIA, February 1997.

[3] Matt Blaze, Joan Feigenbaum and Jack Lacy, Decentralized Trust Management, Proceedings of IEEE Symposium on Security and Privacy, 1996.

[4] John A. Bull, Li Gong and Karen Sollins, Towards Security in an Open Systems Federation, In Proceedings of the European Symposium on Research in Computer Security, Toulouse, France, November, 1992. Published as Lecture Notes in Computer Science, Vol.648, Springer-Verlag, 1992, pp.3-20.

[5] CORBA Security, OMG Document 95-12-1, December 1995.

[6] George Couloris and Jean Dollimore, Technical Report 674, Department of Computer Science, Queen Mary and Westfield College, University of London, October 1994.

[7] Winfried E. Kuhnhauser, A Paradigm for User-defined Security Policies, Proceedings of the 14th IEEE Symposium on Reliable Distributed Systems, 1995.

[8] Winfried E. Kuhnhauser and Michael von Kopp Ostrowski, A Framework to Support Multiple Security Policies, Proceedings of the 7th Annual Canadian Computer Security Symposium, 1995.

[9] Carl E. Landwehr, Formal Models for Computer Security, Computing Surveys, Vol 13, No. 3, September 1981.

[10] Dan Nessett, Factors Affecting Distributed System Security, IEEE Transactions on Software Engineering, Vol. SE-13, No. 2, February 1987.

[11] Peter G. Neumann, Architectures and Formal Representations for Secure Systems, SRI Project 6401, SRI International EL-243, October 1995.

[12] E.E.O. Roos Lindgreen and I.S. Herschberg, On the validity of the Bell-LaPadula model, Computers & Security, Vol. 13, 1994.

[13] Jose Vazquez-Gomez, Multidomain Security, Computers & Security, Vol. 13, 1994.

under grant CCR-94-12711 and the Advanced Research Projects Agency

(ARPA) under contract DABT-63-95-C-0083.