
Publication


Featured research published by Günter Karjoth.


IEEE Internet Computing | 1997

A security model for Aglets

Günter Karjoth; Danny B. Lange; Mitsuru Oshima

Mobile agents offer a new paradigm for distributed computation, but their potential benefits must be weighed against the very real security threats they pose. These threats originate not just in malicious agents but in malicious hosts as well. For example, if there is no mechanism to prevent attacks, a host can implant its own tasks into an agent or modify the agent's state. This can lead in turn to theft of the agent's resources if it has to pay for the execution of tasks, or to loss of the agent's reputation if its state changes from one host to another in ways that alter its behavior in negative ways. Aglets are mobile agents developed at IBM's Tokyo Research Laboratory. The article describes a security model for the Aglets development environment that supports flexible architectural definition of security policies.


IEEE/ACM Transactions on Networking | 1996

Routing on longest-matching prefixes

Willibald A. Doeringer; Günter Karjoth; Mehdi Nassehi

This article describes the dynamic prefix tries, a novel data structure with algorithms for insertion, deletion, and retrieval to build and maintain a dynamic database of binary keys of arbitrary length. These tries extend the concepts of compact digital (Patricia) tries to support the storage of prefixes and to guarantee retrieval times at most linear in the length of the input key irrespective of the trie size, even when searching for longest-matching prefixes. The new design permits very efficient, simple and nonrecursive implementations of small code size and minimal storage requirements. Insert and delete operations have strictly local effects, and their particular sequence is irrelevant for the structure of the resulting trie, thus maintaining at all times the desired storage and computational efficiency. The algorithms have been successfully employed in experimental communication systems and products for a variety of networking functions such as address resolution, maintenance and verification of access control lists, and high-performance routing tables in operating system kernels.


Lecture Notes in Computer Science | 1998

Protecting the Computation Results of Free-Roaming Agents

Günter Karjoth; N. Asokan; Ceki Gülcü

When mobile agents do comparison shopping for their owners, they are subject to attacks of malicious hosts executing the agents. We present a family of protocols that protect the computation results established by free-roaming mobile agents. Our protocols enable the owner of the agent to detect upon its return whether a visited host has maliciously altered the state of the agent, thus providing forward integrity and truncation resilience. In an environment without public-key infrastructure, the protocols are based only on a secret hash chain. With a public-key infrastructure, the protocols also guarantee non-repudiability.


Workshop on Privacy in the Electronic Society | 2002

E-P3P privacy policies and privacy authorization

Paul Anthony Ashley; Satoshi Hada; Günter Karjoth; Matthias Schunter

Enterprises collect large amounts of personal data from their customers. To ease privacy concerns, enterprises publish privacy statements that outline how data is used and shared. The Platform for Enterprise Privacy Practices (E-P3P) defines a fine-grained privacy policy model. A Chief Privacy Officer can use E-P3P to formalize the desired enterprise-internal handling of collected data. A particular data user is then allowed to use certain collected data for a given purpose if and only if the E-P3P authorization engine allows this request based on the applicable E-P3P policy. By enforcing such formalized privacy practices, E-P3P enables enterprises to keep their promises and prevent accidental privacy violations.


ACM Transactions on Information and System Security | 2003

Access control with IBM Tivoli access manager

Günter Karjoth

Web presence has become a key consideration for the majority of companies and other organizations. Besides being an essential information delivery tool, the Web is increasingly being regarded as an extension of the organization itself, directly integrated with its operating processes. As this transformation takes place, security grows in importance. IBM Tivoli Access Manager offers a shared infrastructure for authentication and access management, technologies that have begun to emerge in the commercial marketplace. This paper describes the Authorization Service provided by IBM Tivoli Access Manager for e-business (AM) and its use by AM family members as well as third-party applications. Policies are defined over a protected object namespace and stored in a database, which is managed via a management console and accessed through an Authorization API. The protected object namespace abstracts from heterogeneous systems and thus enables the definition of consistent policies and their centralized management. ACL inheritance and delegated management allow these policies to be managed efficiently. The Authorization API allows applications with their own access control requirements to decouple authorization logic from application logic. Policy checking can be externalized by using either a proxy that sits in front of the Web servers and application servers or a plug-in that examines the request. Thus, AM family members establish a single entry point to enforce enterprise policies that regulate access to corporate data.


Lecture Notes in Computer Science | 1997

Aglets: Programming Mobile Agents in Java

Danny B. Lange; Mitsuru Oshima; Günter Karjoth; Kazuya Kosaka

Mobile agents are programs that can be dispatched from one computer and delivered to a remote computer for execution. Arriving at the remote computer, they present their credentials and obtain access to local services and data. They also provide a single uniform paradigm for distributed object computing, encompassing synchrony and asynchrony, message-passing and object-passing, and stationary objects and mobile objects. In this paper, we describe our Java-based mobile agents called Aglets and present its programming interface, called Java Aglet API.


Annual Computer Security Applications Conference | 2001

The Authorization Service of Tivoli Policy Director

Günter Karjoth

This paper presents the Authorization Service provided by Tivoli Policy Director (PD) and its use by PD family members as well as third-party applications. Policies are defined over an object namespace and stored in a database, which is managed via a management console and accessed through an Authorization API. The object namespace abstracts from heterogeneous systems and thus enables the definition of consistent policies and their centralized management. ACL inheritance and delegated management allow these policies to be managed efficiently. The Authorization API allows applications with their own access control requirements to decouple authorization logic from application logic. By intercepting the traffic over well-defined communication protocols (TCP/IP, HTTP, IIOP and others), PD family members establish a single entry point to enforce enterprise policies that regulate access to corporate data.


Journal of Computer Security | 2014

Obstruction-free authorization enforcement: Aligning security and business objectives

David A. Basin; Samuel J. Burri; Günter Karjoth

Access control is fundamental in protecting information systems but it also poses an obstacle to achieving business objectives. We analyze this tradeoff and its avoidance in the context of systems modeled as workflows restricted by authorization constraints including those specifying Separation of Duty (SoD) and Binding of Duty (BoD). To begin with, we present a novel approach to scoping authorization constraints within workflows with loops and conditional execution. Afterwards, we consider enforcement's effects on business objectives. We identify the notion of obstruction, which generalizes deadlock within a system where access control is enforced, and we formulate the existence of an obstruction-free enforcement mechanism as a decision problem. We present lower and upper bounds for the complexity of this problem and also give an approximation algorithm that performs well when authorizations are equally distributed among users.


ACM Transactions on Information and System Security | 2012

Dynamic enforcement of abstract separation of duty constraints

David A. Basin; Samuel J. Burri; Günter Karjoth

Separation of Duties (SoD) aims at preventing fraud and errors by distributing tasks and associated authorizations among multiple users. Li and Wang [2008] proposed an algebra (SoDA) for specifying SoD requirements, which is both expressive in the requirements it formalizes and abstract in that it is not bound to a workflow model. In this article, we bridge the gap between the specification of SoD constraints modeled in SoDA and their enforcement in a dynamic, service-oriented enterprise environment. We proceed by generalizing SoDA's semantics to traces, modeling workflow executions that satisfy the respective SoDA terms. We then refine the set of traces induced by a SoDA term to also account for a workflow's control-flow and role-based authorizations. Our formalization, which is based on the process algebra CSP, supports the enforcement of SoD on general workflows and handles changing role assignments during workflow execution, addressing a well-known source of fraud. The resulting CSP model serves as blueprint for a distributed and loosely coupled architecture where SoD enforcement is provisioned as a service. This concept, which we call SoD as a Service, facilitates a separation of concerns between business experts and security professionals. As a result, integration and configuration efforts are minimized and enterprises can quickly adapt to organizational, regulatory, and technological changes. We describe an implementation of SoD as a Service, which combines commercial components such as a workflow engine with newly developed components such as an SoD enforcement monitor. To evaluate our design decisions and to demonstrate the feasibility of our approach, we present a case study of a drug dispensation workflow deployed in a hospital.


Quality of Protection | 2006

Service-oriented Assurance — Comprehensive Security by Explicit Assurances

Günter Karjoth; Birgit Pfitzmann; Matthias Schunter; Michael Waidner

Flexibility to adapt to changing business needs is a core requirement of today’s enterprises. This is addressed by decomposing business processes into services that can be provided by scalable service-oriented architectures. Service-oriented architectures enable requesters to dynamically discover and use subservices. Today, service selection does not consider security. In this paper, we introduce the concept of Service-Oriented Assurance (SOAS), in which services articulate their offered security assurances as well as assess the security of their sub-services. Products and services with well-specified and verifiable assurances provide guarantees about their security properties. Consequently, SOAS enables discovery of sub-services with the “right” level of security. Applied to business installations, it enables enterprises to perform a well-founded security/price tradeoff for the services used in their business processes.
