Security for Distributed E-Service Composition
Stefan Seltzsam Stephan Börzsönyi Alfons Kemper
Universität Passau
Outline
Motivation
Security Requirements
Multilevel Security Architecture
Quality Assurance for External Operators
Security Measures during Plan Distribution
Architecture of the Runtime Security System
Related Work
Conclusions
Motivation
Tomorrow's applications
No longer based on monolithic architectures
Distributed, dynamically extensible
Composed from existing software components/services
ObjectGlobe
Internet query processing engine
Extensible by mobile, user-defined operators
Implemented in Java 2
Currently extended to handle general e-services
ObjectGlobe – Providers
Three kinds of service providers:
Data providers
Function providers
Cycle providers
A single site can comprise all three services
ObjectGlobe – Query Processing
[Figure: query processing pipeline: query → parse/lookup (consulting the lookup service) → optimize → plug → execute → result]
ObjectGlobe – Example Query
"Find a hotel that is cheap and close to the beach in Nassau, Bahamas"
User-defined operator "Skyline" to find all relevant hotels [K. Stocker et al.: The Skyline Operator, ICDE 2001]
Skyline = all hotels for which no other hotel exists that is at least as close to the beach and at least as cheap (and differs in at least one of the two)
ObjectGlobe – Example Query
[Figure: execution plan. The hotel data are read by two wrapper operators, HotelBookWrapper at www.hotelbook.com and HotelGuideWrapper at www.hotelguide.com; their outputs are combined by a union (∪) and fed into the Skyline operator, which the client (acting as cycle provider) loads from the function provider www.operators.org.]
Security Requirements
Basic assumptions
Trustworthy cycle providers
Unmodified code of ObjectGlobe and Java
Security system of Java 2 works as designed
Security concerns of ObjectGlobe
Common security concerns of distributed systems
Mobile code introduces specific security concerns
Common Security Concerns
Authentication and authorization
Anonymity
Secure communication channels
Admission control
Concerns by User-Defined Operators
Protection of cycle providers against
Resource monopolization
Unauthorized resource access (e.g., file system)
Manipulation of ObjectGlobe components
Users are concerned about
Semantics of user-defined operators
Privacy of the processed data
Example attack: resource monopolization

    import java.util.LinkedList;
    import java.util.List;

    // Malicious user-defined operator: open() never returns and keeps
    // allocating objects, so the cycle provider's CPU and heap are
    // monopolized by this single operator.
    public class Skyline extends IteratorClass {
        public TypeSpec open() throws Exception {
            List l = new LinkedList();
            while (true)             // unbounded loop
                l.add(new Object()); // unbounded memory growth
            ...
        }
        ...
    }
Example attack (2)
Example attack: wrong semantics

    // Malicious user-defined operator: before the actual skyline computation
    // it silently drops every input tuple whose name is "Sheraton", so a
    // competitor's hotels never show up in the result. The operator is
    // correct on all other input and the user cannot tell from the result.
    public class Skyline extends IteratorClass {
        private ElementDescriptor currElem = null;
        private PredicateFunctionInterface eliminationPredicate =
            FunctionConstructor.construct(inputTypes[0], "name=\"Sheraton\"");

        public ElementDescriptor next() throws Exception {
            ...
            do {   // skip (filter out) all tuples matching the predicate
                currElem = inputIterators[0].next();
            } while (currElem != null && eliminationPredicate.test(currElem));
            ... /* skyline code */ ...
        }
        ...
    }
Multilevel Security Architecture
Preventive measures
Security measures during plan distribution
Runtime security system
[Figure: the query processing pipeline (parse/lookup, optimize, plug, execute) annotated with the three levels: quality assurance as a preventive measure before a query is issued, security measures while the plan is distributed to the providers, and the runtime security system during query execution]
Preventive Measures
Optional, preventive step
Goals – quality assurance
Verification of the semantics of the operator
Compare resource consumption with given cost models
Stress testing
Results are digitally signed
Methods of Formal Specification
Skyline – mathematical formula:
    { s | s ∈ S ∧ ¬∃ t ∈ S : t ≠ s ∧ t ≥ s }
(t ≥ s: t is at least as good as s in every skyline dimension)
Skyline – Haskell:

    -- (>=.) is the dominance order of the application: t >=. s holds when t
    -- is at least as good as s in every skyline dimension (the formula's t ≥ s).
    class Eq a => Dominance a where
      (>=.) :: a -> a -> Bool

    skyline :: Dominance a => [a] -> [a]
    skyline ss = skyline' ss ss

    skyline' []     ts = []
    skyline' (s:ss) ts =
      if dominated s ts then skyline' ss ts else s : skyline' ss ts

    dominated s []     = False
    dominated s (t:ts) = dominance t s || dominated s ts

    dominance t s = (t /= s && t >=. s)
Test Data Generation
User-directed
Test data fulfill the preconditions of the operators
Test data follow the testers' strategies
Features
Specification of attribute values
Functional dependencies between attributes
Relationships between relations
Control over the order of the tuples
The OperatorCheck Server
Benchmark test
Different sizes of input data
Resource consumption is measured
Results are compared to cost models (MathML)
Correctness test
Verifies the semantics of operators
Black-box testing
Haskell program as oracle
Different result comparison semantics
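The correctness test of the OperatorCheck server, as an added Python example that is not part of the original talk or of ObjectGlobe: the Haskell specification above is transcribed into an oracle, test data are generated under the tester's control (attribute ranges, a share of tuples carrying the name the "wrong semantics" attack targets, and both orders of every input), and an honest and a sabotaged Skyline operator are compared with the oracle under a chosen comparison semantics. The hotel tuple layout, the attribute ranges, the hotel names and all function names are assumptions made for this example.

```python
"""Black-box correctness test of a user-defined Skyline operator against a
specification oracle, in the style of the OperatorCheck server (added example,
not ObjectGlobe code)."""
import random
from collections import Counter

# Assumed tuple layout: (name, price, distance_to_beach). The skyline is
# computed over price and distance; smaller is better in both.
def key(hotel):
    return (hotel[1], hotel[2])

def dominance(t, s):
    """t dominates s: t differs from s in the skyline attributes and is at
    least as good in every one of them. This is 'dominance t s =
    (t /= s && t >=. s)' from the specification, with 'better' = smaller."""
    kt, ks = key(t), key(s)
    return kt != ks and all(a <= b for a, b in zip(kt, ks))

def skyline_spec(hotels):
    """Oracle transcribed from the specification: keep s iff no t dominates it."""
    return [s for s in hotels if not any(dominance(t, s) for t in hotels)]

def skyline_bnl(hotels):
    """Operator under test (honest): block-nested-loop algorithm with a window."""
    window = []
    for cand in hotels:
        if any(dominance(w, cand) for w in window):
            continue
        window = [w for w in window if not dominance(cand, w)]
        window.append(cand)
    return window

def skyline_sabotaged(hotels):
    """Operator under test (malicious): same algorithm, but like the 'wrong
    semantics' attack it drops every Sheraton before computing the skyline."""
    return skyline_bnl([h for h in hotels if h[0] != "Sheraton"])

# Tester strategy: a hand-constructed input in which a Sheraton is the unique
# cheapest hotel and therefore must be part of the skyline.
HAND_CRAFTED = [("Sheraton", 80, 2.0), ("Hilton", 120, 0.5),
                ("Atlantis", 300, 0.2), ("Coral Inn", 90, 3.0),
                ("Hilton", 120, 0.5)]          # duplicate tuple on purpose

def generate_hotels(seed, n):
    """User-directed test data: the tester specifies the attribute value
    ranges and the names; a fixed share of tuples carries the targeted name."""
    rng = random.Random(seed)
    names = ["Sheraton", "Hilton", "Atlantis", "Coral Inn"]
    return [(rng.choice(names), rng.randrange(50, 400, 10),
             round(rng.uniform(0.1, 5.0), 1)) for _ in range(n)]

def results_equal(expected, actual, semantics):
    """Result comparison semantics: set (ignore order and duplicates),
    bag (ignore order), list (exact)."""
    if semantics == "set":
        return set(expected) == set(actual)
    if semantics == "bag":
        return Counter(expected) == Counter(actual)
    if semantics == "list":
        return list(expected) == list(actual)
    raise ValueError("unknown comparison semantics: %r" % semantics)

def operator_check(operator, semantics="bag", trials=20, n=40):
    """Run the operator on the constructed and the generated inputs, in both
    tuple orders, and compare with the oracle. Returns (passed, counterexample)
    where counterexample is the first input on which they disagree."""
    inputs = [HAND_CRAFTED] + [generate_hotels(seed, n) for seed in range(trials)]
    for hotels in inputs:
        for order in (hotels, list(reversed(hotels))):  # control over tuple order
            if not results_equal(skyline_spec(order), operator(order), semantics):
                return False, order
    return True, None

if __name__ == "__main__":
    for op in (skyline_bnl, skyline_sabotaged):
        passed, cex = operator_check(op)
        print("%-18s %s" % (op.__name__, "passed" if passed else "FAILED on %r" % cex))
```

The sabotaged operator is caught by the hand-crafted input alone; the generated inputs are what gives the test its value against attacks the tester did not anticipate, which is also why the slides list "results depend on intuition of testers" as a limitation.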
Architecture of OperatorCheck
[Figure: the OperatorCheck server. From the test operator, the Haskell specification and the description of the test data, the server generates test data (saved once, loaded by both sides), generates a program for the oracle (a Haskell interpreter) and a query plan for the ObjectGlobe Query Engine, consults the oracle and executes the plan, analyses the results and finally generates a signature for the test results.]
input: test operator, Haskell specification, description of test data
output: digitally signed test results
http://www.db.fmi.uni-passau.de/projects/OG/OnlineDemo/operatorcheck.phtml
Advantages/Limitations
Advantages
Improvement of trust
Resource stability
More reliable query execution
Continuously available cycle providers
Better result quality
ObjectGlobe can dispense with runtime monitoring for operators that passed the check
Limitations
Correctness cannot be proved (testing shows the presence of errors, not their absence)
Results depend on the intuition of the testers
Further security measures are necessary
Measures during Plan Distribution
Setup of secure communication channels using SSL and/or TLS
Authentication of communication partners
Authentication of users
Authorization
Admission control
Runtime Security System
Based on Java's security architecture
Native library
Tasks
Guarantee privacy
Protection of cycle providers
Guarding
Monitoring
Guarding
Prevention of unauthorized resource access
Access to temporary memory
Prevention of access to ObjectGlobe components
Isolation of user-defined operators
Monitoring
Monitored resources
CPU
Primary and secondary memory
Data volume produced by operators
Number of temporary files
Dynamically adapted limits
Operators are terminated upon limit violations
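The monitoring part of such a runtime security system, as an added Python example that is not ObjectGlobe's implementation (which is built on Java's security architecture and a native library): the user-defined operator runs in a forked child process with hard limits on address space and CPU time (POSIX rlimits, enforced on Linux), the monitoring parent enforces a wall-clock limit and caps the data volume it accepts from the operator, and the operator is terminated on any violation. The limit values, the sample rows and the four operator functions (one well-behaved, three monopolizing a resource) are assumptions made for this example.

```python
"""Monitoring an untrusted user-defined operator: the operator runs in a forked
child under POSIX resource limits, the parent monitors wall-clock time and the
data volume produced, and the operator is terminated whenever a limit is
violated. Added example (not ObjectGlobe code); Linux/POSIX only."""
import multiprocessing
import os
import resource
import time

MEMORY_LIMIT = 1 << 30      # address space (bytes) an operator may use
CPU_SECONDS = 1             # CPU time; the kernel sends SIGXCPU when exceeded
WALL_SECONDS = 5.0          # wall-clock time enforced by the monitor
MAX_OUTPUT_BYTES = 1 << 20  # data volume the monitor accepts from an operator
EXIT_LIMIT = 3              # child exit code: a limit was hit inside the sandbox

# Constructed sample input: (name, price, distance to beach).
SAMPLE_ROWS = [("Sheraton", 80, 2.0), ("Hilton", 120, 0.5),
               ("Atlantis", 300, 0.2), ("Coral Inn", 90, 3.0)]

def cheap_hotels(rows):
    """Well-behaved operator: a plain selection on the price attribute."""
    for r in rows:
        if r[1] < 200:
            yield r

def memory_hog(rows):
    """Resource monopolization (the slide's open() that appends objects
    forever): allocates until the address-space limit is hit."""
    hog = []
    while True:
        hog.append(bytearray(8 << 20))
    yield  # never reached; only marks the function as an operator (generator)

def cpu_hog(rows):
    """Resource monopolization of the CPU: spins without producing anything."""
    while True:
        pass
    yield

def output_flood(rows):
    """Produces an unbounded data volume."""
    while True:
        yield "x" * 4096

def _lower_limit(which, value):
    """Lower an rlimit to value, never above the current hard limit."""
    _soft, hard = resource.getrlimit(which)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(which, (value, value))

def _sandboxed_main(operator, rows, conn):
    """Child side: install the limits, then stream the operator's output to
    the monitor. Exits with EXIT_LIMIT when memory or output volume runs out."""
    _lower_limit(resource.RLIMIT_AS, MEMORY_LIMIT)
    _lower_limit(resource.RLIMIT_CPU, CPU_SECONDS)
    produced = 0
    try:
        for tup in operator(rows):
            produced += len(repr(tup))
            if produced > MAX_OUTPUT_BYTES:
                os._exit(EXIT_LIMIT)
            conn.send(tup)
    except MemoryError:
        os._exit(EXIT_LIMIT)    # allocation refused under RLIMIT_AS
    conn.close()
    os._exit(0)

def run_guarded(operator, rows):
    """Monitor side. Returns (status, results): status is "ok" when the operator
    finished within its limits, otherwise "terminated: <reason>"; results are
    the tuples accepted before that point."""
    ctx = multiprocessing.get_context("fork")
    reader, writer = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_sandboxed_main, args=(operator, rows, writer))
    proc.start()
    writer.close()              # only the child holds the write end now
    results = []
    deadline = time.monotonic() + WALL_SECONDS
    while True:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            proc.kill()
            proc.join()
            return "terminated: wall-clock limit", results
        if reader.poll(min(remaining, 0.05)):
            try:
                results.append(reader.recv())
            except EOFError:    # child exited and its write end was closed
                break
    proc.join()
    if proc.exitcode == 0:
        return "ok", results
    if proc.exitcode == EXIT_LIMIT:
        return "terminated: address-space or output-volume limit", results
    if proc.exitcode < 0:       # killed by a signal, e.g. SIGXCPU for CPU time
        return "terminated: signal %d" % -proc.exitcode, results
    return "terminated: operator failed with exit code %d" % proc.exitcode, results

if __name__ == "__main__":
    for op in (cheap_hotels, memory_hog, cpu_hog, output_flood):
        status, rows = run_guarded(op, SAMPLE_ROWS)
        print("%-13s %-48s %d tuple(s) accepted" % (op.__name__, status, len(rows)))
```

Process isolation gives the monitor two things an in-process approach cannot: the kernel enforces the memory and CPU limits even if the operator never returns control, and killing the child reclaims everything it allocated. The ObjectGlobe runtime system additionally adapts its limits dynamically and counts temporary files, which this example does not model.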
Related Work
Extensible database systems:
POSTGRES, Predator, Jaguar
Oracle, DB2
Braumandl et al.: ObjectGlobe: Ubiquitous Query Processing on the Internet, VLDB Journal, 2001
Seshadri et al.: Secure and Portable Database Extensibility, SIGMOD 1998
Dalton et al.: An Operating System Approach to Securing E-Services, Communications of the ACM, 2001
Weikum: The Web in 2010: Challenges and Opportunities for Database Research, Springer, 2001
Conclusions
Security requirements of cycle providers and users
ObjectGlobe as an example
Multilevel security architecture
OperatorCheck server
Measures during plan distribution
Runtime security system