Latest update: December 4, 2000
10. Security
Security is a basic aspect of distributed systems, especially those connected to the
Internet.
Internet security is currently weak and successful attacks occur frequently [Fer00]. This
is due, among other reasons, to weaknesses at each architectural level and to a lack of
coordination among the defenses at those levels [Fer98]. Lack of security is one of the main
reasons given by people who are unwilling to use the Internet for electronic commerce.
Security for commercial systems is based on the access matrix model [Sum97], in which
authorizations should be defined in terms of roles and use cases [Fer99]. User roles are
the basis for many enterprise models, including cooperative-work models and workflow
models. Role-based access control (RBAC) associates authorization rights with specific
user roles [Sand96]; it is an embodiment of the least privilege principle, since users
acquire only the rights that their functions require. Once defined at the highest level,
rights should be propagated to the lower levels: the authorizations can be mapped to EJB
authorizations, to CORBA authorizations, to database system authorizations, and to file
permissions in the operating system. This mapping is facilitated if the mechanisms at
each level are described as patterns [Fer00a], [Fer00b].
EJBs have Deployment Descriptors, which contain Access Control Entries. Each entry
identifies a person, group, or role that may access the whole bean or specific methods
of it. Accessing server objects in CORBA requires some type of adapter; the adapter can
intercept each access and apply access control there (see the Interceptor pattern below)
[Chi99]. JNDI can also be used to associate authorizations with attributes or objects.
DBMSs such as Oracle and Informix have authorization systems that can implement RBAC.
All these systems can support the mapping of high-level authorizations. However,
operating systems such as Unix do not implement a full access matrix model (the
owner/group/other permission bits cannot express an arbitrary subject-by-object entry)
and so cannot fully support an RBAC model. Because the operating system is the lowest
software level, this is a serious weakness: an attacker who gets past the higher levels
meets only the operating system's controls. Some vendors, e.g., IBM, HP, and Bulldog,
offer strengthened versions of Unix; other operating systems, such as Windows 2000, can
provide support for RBAC.
Downloaded content (mobile code such as applets) poses additional risks, and a large
amount of work has gone into its security, e.g., the Java sandbox. This makes Java a
relatively strongly secured system compared to the weaknesses of current operating systems.
A further problem is that most companies treat Internet security as synonymous with
cryptography. This is a misconception: cryptography is useful, but none of the recent
attacks could have been prevented by cryptography alone [Fer00]. As an example, a recent
announcement by IONA says that they are securing their iPortal suite by using public key
techniques [ION00]; it does not mention hardening the operating system, a much more
effective measure.
Clearly, security is not just a technical problem; there are administrative aspects that
are extremely important in obtaining a secure system. The combination of technical and
administrative measures can already produce strong systems; what is needed is for
enterprises to take a serious approach to security.
Interceptor Pattern [POSA2]
Intent: Allows services to be added transparently to a framework and triggered automatically
when specific events occur.
Example: A design for a new ORB will require a variety of hard-to-predict services. If these
services are incorporated in the initial ORB, some may turn out to be missing and others
unnecessary. If they are incorporated in the application, performance and security may suffer
because they need to be integrated with the core structure.
Context: Frameworks that should be extended transparently.
Forces:
• A framework should allow the integration of additional services without requiring
deep modifications.
• Existing components or frameworks should not be affected.
• Applications using a framework may need to observe or control its behavior.
Solution: Register services with the framework via predefined interfaces; the services
are triggered when specific events occur.
Define context objects that allow services to introspect and control some aspects of the
framework's internal state.
CRC model:
Concrete framework—the framework being extended; provides the dispatchers and context objects
Interceptor—defines an interface for integrating services
Concrete interceptor—implements the Interceptor interface for one specific service
Dispatcher—registers and removes concrete interceptors and invokes them when the
corresponding events occur
Context object—allows services to obtain information from, and control, the concrete
framework
Application—runs on the concrete framework and implements concrete interceptors
Class diagram: [POSA2], p. 115
Sequence diagram: [POSA2], p. 116
Known uses: component-based application servers, CORBA implementations, Web browsers.
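The following sketch, added here as an illustration and not code from these notes or from POSA2, ties the two threads of this section together: a role-based access matrix of the kind described under RBAC above, enforced by an access-control interceptor that a Dispatcher fires before every method invocation, with a ContextObject giving the interceptor the principal, target object and method. The roles, users, the Account server object and all class and function names are assumptions chosen for illustration. The point it makes beyond the text is that the lookup denies by default: an unknown user, an unassigned role or an unlisted method all yield no rights, which is what least privilege requires when authorizations are propagated downward.

```python
"""Role-based access control enforced through the Interceptor pattern.

Added illustration; not code from the original notes or from POSA2.
Roles, users, the Account object and all names below are assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# The access matrix reduced to roles (RBAC): role -> object type -> methods.
# Constructed sample policy; real rows would be derived from the use cases.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "clerk":   {"Account": {"getBalance"}},
    "teller":  {"Account": {"getBalance", "deposit", "withdraw"}},
    "auditor": {"Account": {"getBalance"}, "AuditLog": {"read"}},
}

# Users hold rights only through roles (least privilege); no entry, no rights.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"teller"},
    "bob": {"clerk"},
    "carol": {"auditor"},
}


@dataclass(frozen=True)
class ContextObject:
    """Lets an interceptor introspect the invocation being intercepted."""
    principal: str
    target: str    # object type name, as used in ROLE_PERMISSIONS
    method: str


class Interceptor:
    """Predefined interface through which services are plugged in."""
    def before_invoke(self, ctx: ContextObject) -> None:
        raise NotImplementedError


class AccessDenied(PermissionError):
    pass


def is_authorized(principal: str, target: str, method: str) -> bool:
    """Access-matrix lookup via roles. Unknown users, roles, objects or
    methods all fall through to False, i.e. deny by default."""
    for role in USER_ROLES.get(principal, set()):
        if method in ROLE_PERMISSIONS.get(role, {}).get(target, set()):
            return True
    return False


class AccessControlInterceptor(Interceptor):
    """Concrete interceptor: vetoes the call when the matrix denies it."""
    def before_invoke(self, ctx: ContextObject) -> None:
        if not is_authorized(ctx.principal, ctx.target, ctx.method):
            raise AccessDenied(f"{ctx.principal} may not call {ctx.target}.{ctx.method}")


class AuditInterceptor(Interceptor):
    """Concrete interceptor: records every attempt. Registered before the
    access check so that denied attempts are logged as well."""
    def __init__(self) -> None:
        self.log: List[str] = []

    def before_invoke(self, ctx: ContextObject) -> None:
        self.log.append(f"{ctx.principal} -> {ctx.target}.{ctx.method}")


class Dispatcher:
    """Framework hook point: registers interceptors and fires them on the
    'before invoke' event; the first interceptor that raises aborts the call."""
    def __init__(self) -> None:
        self._interceptors: List[Interceptor] = []

    def register(self, interceptor: Interceptor) -> None:
        self._interceptors.append(interceptor)

    def invoke(self, principal: str, target, method: str, *args):
        ctx = ContextObject(principal, type(target).__name__, method)
        for interceptor in self._interceptors:
            interceptor.before_invoke(ctx)
        return getattr(target, method)(*args)


class Account:
    """Server object whose methods are the columns of the access matrix."""
    def __init__(self, balance: int = 0) -> None:
        self.balance = balance

    def getBalance(self) -> int:
        return self.balance

    def deposit(self, amount: int) -> int:
        self.balance += amount
        return self.balance

    def withdraw(self, amount: int) -> int:
        self.balance -= amount
        return self.balance


def attempt(dispatcher: Dispatcher, principal: str, target, method: str, *args):
    """Invoke through the dispatcher, reporting a veto instead of raising."""
    try:
        return dispatcher.invoke(principal, target, method, *args)
    except AccessDenied:
        return "denied"


def run_demo() -> Dict[str, object]:
    """Exercise the policy and return a summary of what happened."""
    account = Account(100)
    audit = AuditInterceptor()
    dispatcher = Dispatcher()
    dispatcher.register(audit)
    dispatcher.register(AccessControlInterceptor())
    summary: Dict[str, object] = {
        "alice_deposit": attempt(dispatcher, "alice", account, "deposit", 50),
        "bob_balance": attempt(dispatcher, "bob", account, "getBalance"),
        "bob_withdraw": attempt(dispatcher, "bob", account, "withdraw", 10),
        "dave_balance": attempt(dispatcher, "dave", account, "getBalance"),
    }
    summary["balance"] = account.balance          # bob's withdrawal never ran
    summary["audit_entries"] = len(audit.log)     # all four attempts logged
    return summary


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The dispatcher corresponds to the adapter or portable interceptor that a CORBA ORB or an EJB container places in front of a server object; the access check lives in one concrete interceptor and can be registered, replaced or removed without touching Account. Ordering of interceptors is part of the policy: putting the audit interceptor first is what makes denied attempts visible to an administrator.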