
Latest update: December 4, 2000

10. Security

Security is a basic aspect of distributed systems, especially those connected to the Internet.

Internet security is now very weak and successful attacks occur frequently [Fer00]. This is due (among other reasons) to weaknesses at each architectural level and to the lack of coordination of the defenses across levels [Fer98]. Lack of security is one of the main reasons given by people who do not want to use the Internet for electronic commerce.

Security for commercial systems is based on the access matrix model [Sum97], which defines who is authorized to perform which operations on which objects. These authorizations should be derived from roles and use cases [Fer99]. User roles are the basis for many enterprise models, including cooperative work models and workflow models. Role-based access control (RBAC) associates authorization rights with specific user roles rather than with individual users [Sand96]; that is, it is an embodiment of the least privilege principle, where users acquire only the rights their functions require. Once defined at the highest level, rights should be propagated to the lower levels: the authorizations can be mapped to EJB authorizations, to CORBA authorizations, to database system authorizations, and to file permissions in the operating system. This mapping is facilitated if the different mechanisms at each level are described as patterns [Fer00a], [Fer00b].

EJBs have Deployment Descriptors, which contain Access Control Entries. Each entry identifies a person, group, or role that can access the whole bean or some specific methods. Accessing server objects in CORBA requires some type of adapter. Access to an object can be intercepted by the adapter and access control can be applied at that point (see the Interceptor pattern below) [Chi99]. JNDI can also be used to associate authorizations with attributes or objects. DBMSs, e.g., Oracle and Informix, have authorization systems that can implement RBAC. All these systems can support the mapping of high-level authorizations. However, operating systems such as Unix do not implement a full access matrix model (a file has a single owner, a single group and "other") and therefore cannot fully support an RBAC model. Because the operating system is the lowest software level, on which all the others depend, this is a serious flaw. Some vendors, e.g., IBM, HP, and Bulldog, offer strengthened versions of Unix; other operating systems, such as Windows 2000, can provide support for RBAC.
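The propagation described above, written out as an added example (not code from the paper or from any of the products it names): roles and their use-case rights are defined once, expanded into the access matrix, and then emitted in the vocabulary of three lower levels. The roles, users, bean names, table names and file paths are constructed for illustration, and the mapping tables that translate a high-level right into a bean method, a SQL privilege or a file mode are assumed to be maintained as part of the policy. The last function shows the Unix limitation: when two roles need different modes on the same file, classic owner/group/other permissions cannot express the matrix entry.

```python
"""RBAC policy defined once at the enterprise level and propagated downwards.

Added example, not code from the paper. Roles, users, beans, tables, paths and
the mapping tables are constructed for illustration and are hypothetical.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

Right = Tuple[str, str]  # (protected object, operation), e.g. ("Account", "read")

# Enterprise level: the rights each role needs for its use cases (least privilege).
ROLE_RIGHTS: Dict[str, FrozenSet[Right]] = {
    "clerk":   frozenset({("Account", "read")}),
    "teller":  frozenset({("Account", "read"), ("Account", "deposit")}),
    "manager": frozenset({("Account", "read"), ("Account", "deposit"),
                          ("Account", "transfer"), ("AuditLog", "read")}),
    "auditor": frozenset({("AuditLog", "read")}),
}

# Users hold roles, never rights directly (constructed sample users).
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"teller"}, "bob": {"manager"}, "carol": {"auditor"}, "dave": {"clerk"},
}

# Mappings from enterprise-level rights into each lower level's own vocabulary.
EJB_METHODS: Dict[Right, Tuple[str, str]] = {     # right -> (bean, method)
    ("Account", "read"): ("AccountBean", "getBalance"),
    ("Account", "deposit"): ("AccountBean", "deposit"),
    ("Account", "transfer"): ("AccountBean", "transfer"),
    ("AuditLog", "read"): ("AuditBean", "listEntries"),
}
DB_PRIVILEGES: Dict[Right, Tuple[str, str]] = {   # right -> (SQL privilege, table)
    ("Account", "read"): ("SELECT", "accounts"),
    ("Account", "deposit"): ("UPDATE", "accounts"),
    ("Account", "transfer"): ("UPDATE", "accounts"),
    ("AuditLog", "read"): ("SELECT", "audit_log"),
}
UNIX_FILES: Dict[Right, Tuple[str, str]] = {      # right -> (file, "r" or "w")
    ("Account", "read"): ("/data/accounts.db", "r"),
    ("Account", "deposit"): ("/data/accounts.db", "w"),
    ("Account", "transfer"): ("/data/accounts.db", "w"),
    ("AuditLog", "read"): ("/data/audit.log", "r"),
}


def access_matrix() -> Dict[Tuple[str, str], Set[str]]:
    """Expand role assignments into the access matrix: (user, object) -> operations."""
    matrix: Dict[Tuple[str, str], Set[str]] = {}
    for user, roles in USER_ROLES.items():
        for role in roles:
            for obj, op in ROLE_RIGHTS[role]:
                matrix.setdefault((user, obj), set()).add(op)
    return matrix


def is_authorized(user: str, obj: str, op: str) -> bool:
    """Default deny: the right exists only if some role of the user grants it."""
    return op in access_matrix().get((user, obj), set())


def ejb_method_permissions() -> List[str]:
    """EJB 1.1 ejb-jar.xml <method-permission> elements: roles allowed per bean method."""
    roles_per_method: Dict[Tuple[str, str], Set[str]] = {}
    for role, rights in ROLE_RIGHTS.items():
        for right in rights:
            roles_per_method.setdefault(EJB_METHODS[right], set()).add(role)
    out = []
    for (bean, method), roles in sorted(roles_per_method.items()):
        role_xml = "".join(f"<role-name>{r}</role-name>" for r in sorted(roles))
        out.append(f"<method-permission>{role_xml}<method><ejb-name>{bean}</ejb-name>"
                   f"<method-name>{method}</method-name></method></method-permission>")
    return out


def sql_grants() -> List[str]:
    """GRANT statements per role, assuming a DBMS that has roles (Oracle and Informix do)."""
    grants: Set[str] = set()
    for role, rights in ROLE_RIGHTS.items():
        for right in rights:
            priv, table = DB_PRIVILEGES[right]
            grants.add(f"GRANT {priv} ON {table} TO {role};")
    return sorted(grants)


def unix_conflicts() -> List[str]:
    """Files whose matrix column cannot be expressed with owner/group/other modes:
    a file has one group, so two roles needing different modes on it conflict."""
    per_file: Dict[str, Dict[str, Set[str]]] = {}   # file -> role -> mode letters
    for role, rights in ROLE_RIGHTS.items():
        for right in rights:
            path, mode = UNIX_FILES[right]
            per_file.setdefault(path, {}).setdefault(role, set()).add(mode)
    return sorted(path for path, role_modes in per_file.items()
                  if len({"".join(sorted(m)) for m in role_modes.values()}) > 1)
```

Running the functions shows that the clerk role receives only `GRANT SELECT ON accounts`, that `AccountBean.transfer` lists only `manager`, and that `/data/accounts.db` is reported as a conflict because clerks need read-only access while tellers and managers need read/write on the same file; resolving that requires ACLs or a hardened Unix rather than standard permission bits.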

Downloaded content poses additional risks, and a large amount of work has gone into its security aspects. As a result, Java is a comparatively strong system when set against the weaknesses of current operating systems.

A problem is that most companies think that Internet security is synonymous with cryptography. This is a misconception: while cryptography is useful, none of the recent attacks could have been prevented by cryptography alone [Fer00]. As an example, a recent announcement by IONA says that they are securing their iPortal suite by using public key techniques [ION00]. They do not mention hardening the operating system, a much more effective measure.

Clearly, security is not just a technical problem; there are administrative aspects that are extremely important for obtaining a secure system. The combination of technical and administrative measures can already produce strong systems; what is needed is that enterprises take a serious approach to security.

Interceptor Pattern [POSA2]

Intent: Allows services to be added transparently to a framework and triggered automatically by specific events.

Example: A design for a new ORB will require a variety of hard-to-predict services. If these services are built into the initial ORB, some needed services may be missing while others turn out to be unnecessary. If they are incorporated in the application instead, performance and security may suffer, because they need to be integrated with the core structure.

Context: Frameworks that should be extended transparently.

Forces:

• A framework should allow the integration of additional services without requiring deep modifications.

• Existing components or frameworks should not be affected.

• Applications using a framework may need to observe or control its behavior.

Solution: Register services with the framework via predefined interfaces. The services are triggered when specific events occur. Define context objects to introspect and control some aspects of the framework's internal state.

CRC model:

Concrete Framework

Interceptor: defines an interface for integrating services.

Concrete interceptor: implements a specific service behind that interface.

Dispatcher: registers and removes concrete interceptors.

Context object: allows services to obtain information from the concrete framework.

Application: runs on the concrete framework, implements concrete interceptors.

Class diagram: p. 115

Sequence diagram: p. 116

Known uses: Component-based application servers, CORBA implementations, Web browsers.
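As an added example, not code from POSA2 or from the paper, the pattern above is used for the access control described earlier in this section: an object adapter (the concrete framework) runs registered interceptors before delegating to a servant, and a role-based access control interceptor vetoes the call through the context object. The adapter, dispatcher, context object, the way roles are resolved from the caller, and the policy table are simplified stand-ins constructed for illustration. The servant itself contains no security code, which is the point of the pattern.

```python
"""Interceptor pattern used to add access control to an object adapter.

Added example, not code from POSA2 or from the paper. Adapter, dispatcher,
context object, role resolution and policy are simplified and constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class ContextObject:
    """Gives interceptors a view of the framework's state for one request."""
    caller: str
    target: str
    method: str
    args: tuple
    roles: frozenset  # assumed resolved by the framework from the caller's credentials


Interceptor = Callable[[ContextObject], None]


class Dispatcher:
    """Registers and removes concrete interceptors; triggers them on 'pre-invoke'."""
    def __init__(self) -> None:
        self._interceptors: List[Interceptor] = []

    def register(self, interceptor: Interceptor) -> None:
        self._interceptors.append(interceptor)

    def remove(self, interceptor: Interceptor) -> None:
        self._interceptors.remove(interceptor)

    def dispatch(self, ctx: ContextObject) -> None:
        for interceptor in self._interceptors:   # runs in registration order
            interceptor(ctx)


class ObjectAdapter:
    """Concrete framework: routes a request to a servant after the interceptors ran."""
    def __init__(self, principal_roles: Dict[str, Set[str]]) -> None:
        self.dispatcher = Dispatcher()
        self._servants: Dict[str, object] = {}
        self._principal_roles = principal_roles

    def register_servant(self, name: str, servant: object) -> None:
        self._servants[name] = servant

    def invoke(self, caller: str, target: str, method: str, *args):
        ctx = ContextObject(caller, target, method, args,
                            frozenset(self._principal_roles.get(caller, ())))
        self.dispatcher.dispatch(ctx)            # an interceptor may raise AccessDenied
        return getattr(self._servants[target], method)(*args)


class AccessControlInterceptor:
    """Concrete interceptor: role-based check, default deny for unlisted methods."""
    def __init__(self, policy: Dict[Tuple[str, str], Set[str]]) -> None:
        self._policy = policy                    # (target, method) -> allowed roles

    def __call__(self, ctx: ContextObject) -> None:
        if not (ctx.roles & self._policy.get((ctx.target, ctx.method), set())):
            raise AccessDenied(f"{ctx.caller} may not call {ctx.target}.{ctx.method}")


class AuditInterceptor:
    """Concrete interceptor: records every attempt, including ones denied later."""
    def __init__(self) -> None:
        self.log: List[Tuple[str, str, str]] = []

    def __call__(self, ctx: ContextObject) -> None:
        self.log.append((ctx.caller, ctx.target, ctx.method))


class Account:
    """Servant: application object with no knowledge of the interceptors."""
    def __init__(self, balance: int) -> None:
        self.balance = balance

    def get_balance(self) -> int:
        return self.balance

    def deposit(self, amount: int) -> int:
        self.balance += amount
        return self.balance


def run_demo() -> Dict[str, object]:
    """Wire the adapter, exercise allowed and denied calls, return what happened."""
    adapter = ObjectAdapter(principal_roles={"alice": {"teller"}, "eve": set()})
    adapter.register_servant("acct-1", Account(100))
    audit = AuditInterceptor()
    adapter.dispatcher.register(audit)           # first, so denied attempts are logged
    adapter.dispatcher.register(AccessControlInterceptor({
        ("acct-1", "get_balance"): {"teller", "manager"},
        ("acct-1", "deposit"): {"teller"},
    }))
    results: Dict[str, object] = {}
    results["alice_deposit"] = adapter.invoke("alice", "acct-1", "deposit", 50)
    for key, call in (("eve_denied", ("eve", "acct-1", "get_balance")),
                      ("unlisted_denied", ("alice", "acct-1", "set_balance", 0))):
        try:
            adapter.invoke(*call)
            results[key] = False
        except AccessDenied:
            results[key] = True
    results["audit"] = list(audit.log)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Two details matter for security here: the access control interceptor denies any method that has no policy entry rather than falling through, and the audit interceptor is registered first so that denied attempts appear in the log as well as successful calls. Adding or removing either service changes nothing in `Account` or in the adapter, which is what the pattern promises.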

References

[Ben95] M. Benantar et al., "Approach to object security in Distributed SOM", IBM Systems Journal, vol. 35, no. 2, 1996, pp. 192-203.