Security and Trust
Software Architecture, Lecture 21
Copyright © Richard N. Taylor, Nenad Medvidovic, and Eric M. Dashofy. All rights reserved.
Software Architecture: Foundations, Theory, and Practice

Outline
- Security
- Design Principles
- Architectural Access Control
  - Access Control Models
  - Connector-Centric Architectural Access Control
- Trust
  - Trust Model
  - Reputation-based Systems
  - Architectural Approach to Decentralized Trust Management

Security
"The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications)."
- National Institute of Standards and Technology

Confidentiality, Integrity, and Availability
- Confidentiality: preserving the confidentiality of information means preventing unauthorized parties from accessing the information, or perhaps even from being aware of its existence (i.e., secrecy).
- Integrity: maintaining the integrity of information means that only authorized parties can manipulate the information, and do so only in authorized ways.
- Availability: resources are available if they are accessible by authorized parties on all appropriate occasions.

Design Principles for Computer Security
- Least Privilege: give each component only the privileges it requires.
- Fail-safe Defaults: deny access if explicit permission is absent.
- Economy of Mechanism: adopt simple security mechanisms.
- Complete Mediation: ensure every access is checked and permitted.
- Open Design: do not rely on secrecy for security.

Design Principles for Computer Security (cont'd)
- Separation of Privilege: introduce multiple parties to avoid exploitation of privileges.
- Least Common Mechanism: limit critical resource sharing to only a few mechanisms.
- Psychological Acceptability: make security mechanisms usable.
- Defense in Depth: have multiple layers of countermeasures.

[Figure: Security for Microsoft IIS (from Wing 2003)]

Architectural Access Control Models
- Decide whether access to a protected resource should be granted or denied.
- Discretionary access control: based on the identity of the requestor, the resource, and whether the requestor has permission to access it.
- Mandatory access control: policy-based.

Discretionary Access Control (example access matrix)

Subject   Database A                 Component Q   Interface F
Alice     Read/Write, always         Bend          Yes
Bob       Read/Write, between 9 and 5   Fold       No
Charles   No access                  Spindle       No
Dave      No access                  Mutilate      Yes
Eve       Read only, always          None          No

Mandatory Access Control
- Subjects and their clearances: Bob (Secret), Alice (Confidential), Tom (Top Secret).
- [Figure: arrows show access (read/write) privileges between the levels]
- What about just appending?

Connector-Centric Architectural Access Control
- Decide what subjects the connected components are executing for.
- Regulate whether components have sufficient privileges to communicate through the connectors.
- Provide secure interaction between insecure components.
- Propagate privileges in architectural access checks.
- Participate in deciding architectural connections.
- Route messages according to established policies.
- Static analysis of architectures coupled with dynamic checking.

Decentralization
- No centralized authority to coordinate and control entities.
- Independent peers with possibly conflicting goals interact with each other and make local, autonomous decisions.
- Presence of malicious peers in open, decentralized applications.
- Need for measures to protect peers against malicious attacks.
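As an added example (not from the lecture), the connector-centric idea applied to the clearances on the Mandatory Access Control slide: a connector mediates every message, determines which subject the sending component executes for, and decides per operation whether that subject may touch the destination's data, denying anything it does not recognise. The read/write/append rules are Bell-LaPadula-style assumptions; the slide only poses the append question, and the component and subject names are constructed.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional

class Level(IntEnum):
    """Sensitivity levels from the MAC slide, ordered low to high."""
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3

# Subject clearances as drawn on the MAC slide.
CLEARANCE = {"Alice": Level.CONFIDENTIAL, "Bob": Level.SECRET, "Tom": Level.TOP_SECRET}

@dataclass
class Component:
    name: str
    subject: str   # the principal this component is executing for
    level: Level   # classification of the data this component holds

@dataclass
class Connector:
    """Mediates every message between components (complete mediation).
    Assumed Bell-LaPadula-style rules (an assumption, not the slide's text):
      read   -> clearance >= object level  (no read up)
      write  -> clearance == object level  (read/write only at own level)
      append -> clearance <= object level  (blind write up; nothing flows down)
    Any other operation is denied: fail-safe default."""
    log: list = field(default_factory=list)   # audit trail of every decision

    def permitted(self, src: Component, op: str, dst: Component) -> bool:
        s, d = CLEARANCE[src.subject], dst.level
        if op == "read":
            ok = s >= d
        elif op == "write":
            ok = s == d
        elif op == "append":
            ok = s <= d
        else:
            ok = False
        self.log.append((src.subject, op, dst.name, ok))
        return ok

    def route(self, src: Component, op: str, dst: Component, payload: str) -> Optional[str]:
        """Deliver payload to dst only if the access check passes."""
        if not self.permitted(src, op, dst):
            return None
        return f"{dst.name} <- {op} from {src.name}: {payload}"
```

The log records every decision, allowed or denied, so repeated denied read-up attempts are visible to monitoring rather than silently dropped.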
Some Threats of Decentralization
- Impersonation: Mallory says she is Bob to Alice.
- Fraudulent Actions: Mallory doesn't complete transactions.
- Misrepresenting Trust: Mallory tells everyone Bob is evil.
- Collusion: Mallory and Eve tell everyone Bob is evil.
- Addition of Unknowns: Alice has never met Bob.
Trust management can serve as a potential countermeasure: trust relationships help peers establish confidence in other peers.

Decentralized Auctioning
- Open, decentralized application.
- Independent buyers and sellers.
- Potentially malicious participants.
- Need to counter threats.
[Figure: decentralized auctioning among Carol, Bob, Alice, Marvin (malicious), and Mallory (malicious)]

Impersonation
[Figure: Bob is reliable and everyone has a good opinion about Bob; Mallory (malicious) tells Alice "I am Bob."]

Fraudulent Actions
[Figure: Alice (buyer) pays for the items; Marvin (seller, malicious) does not ship the items.]

Misrepresentation
[Figure: Bob is reliable and everyone has a good opinion about Bob; Mallory (malicious) tells Alice "Bob is unreliable."]

Collusion
[Figure: Bob is reliable and everyone has a good opinion about Bob; Marvin (malicious) and Mallory (malicious) both tell Alice "Bob is unreliable."]

Addition of Unknowns
[Figure: Carol is a new entrant in the system. Bob has no information about Carol, so he is not sure whether to interact with Carol. Carol is new and does not know Alice, so she is not sure whether to interact with Alice.]

Background: Trust Management
- Trust: "Trust is a particular level of the subjective probability with which an agent assesses that another agent will perform a particular action in a context that affects his actions" (Gambetta, 1990).
- Reputation: expectation about an entity's behavior based on past behavior (Abdul-Rahman, 2000); may be used to determine trust.
- Two types of trust management systems:
  - Credential- and policy-based
  - Reputation-based

Role of Trust Management
- Each entity (peer) must protect itself against these threats.
- Trust management can serve as a potential countermeasure.
- Trust relationships between peers help establish confidence.
- Two types of decentralized trust management systems:
  - Credential- and policy-based