
SOA End to End Security


DOCUMENT INFORMATION

Basic information

Format
Number of pages: 71
File size: 1.49 MB

Content

SOA End to End Security covers the security challenges in SOA, a project summary, prototype development, the transition to cloud computing, a demo/evaluation of the proposed solution (security and performance), the schedule and timeline, and future tasks.

SOA End to End Security
Department of Computer Science, Purdue University, West Lafayette, Indiana
Program Manager: Asher Sinclair, AFRL/RISE
Award No. FA8750-10-2-0152
09/27/2011

People Involved In the Project
• Two Faculty Members
• Ten graduate students

Outlines
• Security Challenges in SOA
  – Problem Overview
• Project Summary
• Prototype Development
  – System Architecture and Baseline Scenario
    • Use Case Scenario
  – Service Domain Internals and Implementation
  – SOA Authentication Scheme (CAC/IDM)
  – WS-* Standard Integration
  – Trust Broker Subsystem
  – Service Registry
  – Taint Analysis Subsystem
• Transition to Cloud Computing
• Demo/Evaluation of the Proposed Solution (Security and Performance)
• Schedule and Timeline
• Future Tasks
• Discussion

Security Challenges in SOA
• Authentication and authorization may not take place across intended end points
• Intermediate steps of service execution might expose messages to hostile threats
• External services are not verified or validated dynamically (uninformed selection of services by user)
• User has no control on external service invocation within an orchestration or through a service in another service domain
• Violations and malicious activities in a trusted service domain remain undetected

SOA End to End Security Architecture

End to End Security Architecture Description
Figure shows problems in end to end SOA security as follows:
• In this figure the current Air Force infrastructure is shown above the red dashed line. In this architecture, all services are available in the local trusted service domain and everything is under the control of domain A
• Client at the edge platform decides to use a service from domain A. He will use his CAC (common access card) to authenticate into the system
• The security token is sent to the IDM (identity management system) for validation check
• If the user is authorized, IDM gives permission to the requested service (e.g. MX or mail service) for communication with user
• New security token (which is created temporarily for the current service session) is sent back to the user and user can use the service
• In a class of extended scenarios (use cases) the services in service domain A may want to use external services which are not in the same local trust boundary. In this case, other components come to the picture (below the dashed red line). This figure shows when service domain A (e.g. Air Force service portal) tries to access other governmental or public services (from external domains), it will lose track of end to end security. This figure shows that end points can be accessible to the client directly. We have addressed these issues by adding trust broker server and taint analysis modules (in external trusted service domains)

Use Case Scenario
• An emergency response use case scenario is implemented to demonstrate the end-to-end secure service communication. In this scenario, a chemical spill near an air base is announced and there is a need to evacuate its workers safely. A service consumer/client will need three different services to gather the information necessary to announce the evacuation plan
• These services will include, but are not limited to:
  • a trusted local service that provides shelter locations in the city, a public weather service for determining the chemical plume direction, and a public timer web service that estimates the time required for workers to be evacuated to safety, which can possibly depend on another service
• This scenario is highly generic, and the involved services can be rearranged in any order to demonstrate an end-to-end secure service communication. We are also evaluating other scenarios for complex service interactions

Project Summary
To address these challenges, we designed and implemented:
– A comprehensive security architecture for SOA
– A novel service invocation control mechanism for SOA using dynamic taint analysis (TA)
– A trust broker (TB) system that maintains trust and classifies services. TB is used for dynamic validation and verification of services and keeps track of history of service invocations
– Functionality for using widely adopted web service WS-* standards (WS-Security, WS-Trust) for enterprise Air Force systems
– A secure end-to-end message origin authentication for web service client requests and web service providers to ensure confidentiality and integrity, even in the presence of man-in-the-middle attacks. This solution is based on CAC
– A prototype implementation of proposed approaches based on open source technologies that can be possibly integrated into existing government-off-the-shelf (GOTS) components in an operational environment

System Architecture and SOA Baseline Scenario
• UDDI Registry request
• Forwarding the service list to Trust Broker and receive a categorized list
• Invoking a selected service
• Second invocation by service in domain A
• Invoking a service in public service domain
• End points (Reply to user)

Baseline Scenario Details
• Steps: Global UDDI Registry request
  • User receives a list of services related to the requested category
  • User sends a refined list of services to Trust Broker module
  • Trust Broker categorizes the list of services and returns a classified list. Trust categories: Certified, Trusted, Untrusted services
• Service Request
  • User selects a service based on its criteria (QoS, Trust category of service, Security preference, etc.) and invokes that service
  • User creates a session with Trust Broker and selected service in Trusted Domain A (Trust sessions are shown with dashed lines)

Provisioning Cloud Cost
On Demand Instances
http://aws.amazon.com/ec2/pricing/

Provisioning Cloud Cost (cont.)
Reserved Instances
http://aws.amazon.com/ec2/pricing/

Provisioning Cloud Cost (cont.)
Data Transfer
http://aws.amazon.com/ec2/pricing/

Cloud Auto-Scaling (Elasticity)
Provided by Amazon CloudWatch:
• Scales out Amazon EC2 instances seamlessly and automatically when demand increases
• Sheds unneeded Amazon EC2 instances automatically to save money when demand subsides
• Scales dynamically based on Amazon CloudWatch metrics, or predictably according to a defined schedule

Challenges/Issues
• Active Bundle solution
  – Active bundle concept is prototyped based on a mobile agent framework (JADE)
  – Discovered redundancy between capability of Active Bundles and JBoss ESB
• Taint Analysis
  – Standard solutions are mainly low level (OS level) and are not suitable for intercepting services in an application server
  – Current solutions for taint analysis are generally heavy weight and are not suitable for application servers
  – We decided to use AOP technology to overcome these challenges
  – Several AOP solutions available
  – AspectJ and Spring AOP are not suitable for current setting (level of granularity and performance)

Challenges/Issues (cont.)
• Trust Broker
  – Prone to DoS attacks
  – Can become single point of failure
  – Fixing with Load Distribution and Clustering
• WS-Security
  – Introduces significant delay in response time and computational overhead on services and trust broker

Schedule and Timeline

Demo Scenario
• Two evacuation timer services (ET1: certified, ET2: untrusted) and two weather report services (W1: certified, W2: untrusted)
• ET1 has dynamic service composition: for zipcodes < 20000, it invokes W2, for others W1
• ET2 always uses W2 for getting the weather report
• All communication is encrypted using WS-Security

End-to-End Security Demo

Attack Scenario Screenshots

Potential Tasks
• Offloading the non-security-critical computation to the cloud
• Using TPMs along with taint analysis framework to provide a stronger security
• Providing active defense and attack-resiliency using cloud computing

Discussion

Appx A: Papers (Under preparation)
• The Design and Implementation of End to End Security in Service Oriented Architecture
• Enabling End to End Security in Service Oriented Architecture Using Taint Analysis
• Security of Service Oriented Architecture in Cloud Computing
• Harnessing the Power of Trust Management to Secure Service Oriented Architecture
• Adapting Web Service Security Standards for Securing Service Oriented Architecture
• SOA Security: Challenges and Solutions (A Survey Paper)

Appx B: Published Papers
• B. Bhargava, P. Angin, R. Sivakumar, M. Linderman, M. Kang, and A. Sinclair. A Trust-based Approach for Secure Data Dissemination in a Mobile Peer-to-Peer Network of UAVs. To appear in Special Session on Collaboration for Dynamic Resource Management in Mobile P2P Networks (CDRM 2011), International Conference on Collaboration Technologies and Systems (CTS 2011), May 2011, Philadelphia
• N. Idika, B. Bhargava. A Kolmogorov Complexity Approach for Measuring Attack Path Complexity. In Proceedings of IFIP International Information Security (SEC 2011) conference, June 2011, Lucerne, Switzerland
• P. Angin, B. Bhargava, R. Ranchal, N. Singh, L. Lilien, L. Othmane, M. Linderman. A User-Centric Approach for Privacy and Identity Management in Cloud Computing. In Proceedings of 29th IEEE Symposium on Reliable Distributed System (SRDS), Nov 2010, New Delhi, India
• R. Ranchal, B. Bhargava, L. Othmane, L. Lilien, A. Kim, M. Kang, M. Linderman. Protection of Identity Information in Cloud Computing without Trusted Third Party. In Proceedings of Third International Workshop on Dependable Network Computing and Mobile Systems (DNCMS 2010) in conjunction with 29th IEEE Symposium on Reliable Distributed System (SRDS), Oct 2010, New Delhi, India
• B. Bhargava, N. Singh, A. Sinclair. Privacy and Security in Cloud Computing through Identity Management: Microsoft Cardspace. To appear in International Conference on Advances in Computing and Communication ICACC-11, April, 2011

Appx B: Published Papers (Cont.)
• T. Bao, Y. Zheng, Z. Lin, X. Zhang and D. Xu. Strict Control Dependence and Its Effect on Dynamic Information Flow Analyses. International Symposium on Software Testing and Analysis, Trento, Italy, 2010
• Z. Lin, X. Zhang, and D. Xu. Convicting Remote Exploitable Vulnerabilities: An Efficient Input Provenance Based Approach. Proceedings of IEEE/IFIP International Conference on Dependable Systems and Networks, 2008
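
Added example (not from the slides or the project's code): a small Python model of the invocation control described in the Project Summary and Demo Scenario, where every service call, including a call made by another service, is checked against the Trust Broker's category and recorded in its history. It uses an explicit interception wrapper instead of the AOP-based taint analysis the slides describe; the class and function names, the session id, the sample zip codes and the services' return strings are all constructed for illustration.

```python
from enum import IntEnum

class Trust(IntEnum):            # the deck's three trust categories
    UNTRUSTED = 0
    TRUSTED = 1
    CERTIFIED = 2

class PolicyViolation(Exception):
    pass

class TrustBroker:
    """Hypothetical broker: trust category per service, plus invocation history."""
    def __init__(self, categories):
        self.categories = dict(categories)
        self.history = {}        # session id -> [(caller, callee, category name)]

    def check(self, session, caller, callee, minimum):
        cat = self.categories.get(callee, Trust.UNTRUSTED)  # unknown => untrusted
        self.history.setdefault(session, []).append((caller, callee, cat.name))
        if cat < minimum:
            raise PolicyViolation(f"{caller} -> {callee} is {cat.name}, "
                                  f"session requires {minimum.name}")

def invoke(broker, session, caller, callee, services, minimum, arg):
    """Interception point: every hop, including service-to-service, is checked."""
    broker.check(session, caller, callee, minimum)
    # Nested calls made by the callee go through the same check and session.
    def nested(name, a):
        return invoke(broker, session, callee, name, services, minimum, a)
    return services[callee](arg, nested)

# Constructed stand-ins for the demo services; return values are made up.
def w1(zipcode, call): return "plume NE (W1)"
def w2(zipcode, call): return "plume NE (W2)"
def et1(zipcode, call):          # dynamic composition, as in the demo scenario
    return "30 min; " + call("W2" if zipcode < 20000 else "W1", zipcode)
def et2(zipcode, call):
    return "30 min; " + call("W2", zipcode)

SERVICES = {"ET1": et1, "ET2": et2, "W1": w1, "W2": w2}
CATEGORIES = {"ET1": Trust.CERTIFIED, "ET2": Trust.UNTRUSTED,
              "W1": Trust.CERTIFIED, "W2": Trust.UNTRUSTED}

def run_demo(service, zipcode, minimum=Trust.CERTIFIED):
    broker = TrustBroker(CATEGORIES)
    try:
        result = invoke(broker, "s1", "client", service, SERVICES, minimum, zipcode)
    except PolicyViolation as exc:
        result = f"BLOCKED: {exc}"
    return result, broker.history["s1"]
```

Calling `run_demo("ET1", 10001)` shows the case the demo is built around: the client picked a certified service, and the violation only appears on the second hop, which the history records as `("ET1", "W2", "UNTRUSTED")`.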

Date posted: 30/01/2020, 12:06