Community Research and Development Information Service - CORDIS


COACH Report Summary

Project ID: IST-2001-34445
Funded under: FP5-IST
Country: United Kingdom

Security policies in complex distributed systems

In the COACH project, Objectsecurity developed OpenPMF, a framework for the definition, management and enforcement of security policies in complex distributed systems. It currently supports access control policies for CORBA and CCM, but can be extended to other security policy types (e.g. information filtering), policies in general (e.g. Quality of Service), security mechanisms (e.g. smart cards for authentication) and platforms like Microsoft .NET, Enterprise Java Beans, Web Services or ERP systems.

OpenPMF is inspired by the Object Management Group's Model Driven Architecture and the MetaObject Facility. Our starting point for the development of OpenPMF was an abstract model of distributed systems and middleware, for which we defined a likewise abstract model of security policies. We then transformed (mapped) this platform independent model (PIM) to platform specific models (PSM) for the platforms developed in COACH, CORBA and CCM, and to different security mechanisms (SSL and CSIv2). In a similar manner OpenPMF can also be mapped to other platforms.

OpenPMF consists of a compiler for the Policy Definition Language (PDL), a Policy Repository, a generic Policy Evaluator, and mappings to CORBA 2.x and the CORBA Components Model (Qedo).

The Policy Definition Language is used to describe a security policy in a human readable form. PDL is based on an abstract notation of the entities in distributed systems: initiator, client, target and the operation to invoke. It supports roles, groups and different delegation modes, and has a single formal model from the protocol level to the abstract policy level.

The PDL compiler feeds the policy into a Policy Repository (PR). The PR is derived from a MetaPolicy, a MOF model for policies. This integrates OpenPMF with the Model Driven Architecture and with other repositories, e.g. for UML or CCM models; it allows different types of processing, including checking the stored policy for internal contradictions or consistency, and integration with MDA tools or GUIs. Since the repository is generated from a MOF model, it is also possible to use other technologies for access, for example web services or XMI instead of CORBA.

During startup, the application to be protected obtains its policy from the Policy Repository and instantiates an internal representation. At runtime, invocations are intercepted, and the Policy Evaluator checks whether a call is permitted or not. The information for this decision is obtained by Transformers, which are the interfaces to the underlying security mechanism. Special attention is paid to runtime efficiency.
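As an added illustration of the evaluation model described above (not code from OpenPMF or the COACH project): a deny-by-default evaluator over the PDL entities initiator, client, target and operation, with roles supplied by a Transformer-like attribute table and three simplified delegation modes. The rule structure, mode names and the sample policy are assumptions, not OpenPMF's actual PDL.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Invocation:
    initiator: str   # principal that started the call chain
    client: str      # immediate caller; differs from initiator under delegation
    target: str      # object or component being invoked
    operation: str

@dataclass(frozen=True)
class Rule:
    target: str
    operation: str   # "*" matches any operation on the target
    roles: frozenset # roles that may invoke
    delegation: str  # "none", "simple" or "composite" (assumed, simplified modes)

def roles_of(user_roles, user):
    """Attributes of a principal, as a Transformer would supply them."""
    return user_roles.get(user, frozenset())

def rule_permits(rule, inv, user_roles):
    """Apply one rule's delegation mode to the (initiator, client) pair."""
    init_ok = bool(roles_of(user_roles, inv.initiator) & rule.roles)
    if rule.delegation == "none":       # no delegation: only direct calls count
        return init_ok and inv.client == inv.initiator
    if rule.delegation == "simple":     # judged on the originating initiator only
        return init_ok
    if rule.delegation == "composite":  # initiator and intermediary both need a permitted role
        return init_ok and bool(roles_of(user_roles, inv.client) & rule.roles)
    raise ValueError(f"unknown delegation mode {rule.delegation!r}")

def evaluate(rules, user_roles, inv):
    """Policy Evaluator: deny unless a matching rule grants the invocation."""
    return any(
        r.target == inv.target and r.operation in ("*", inv.operation)
        and rule_permits(r, inv, user_roles)
        for r in rules
    )

# Constructed sample policy and attribute table (not a real OpenPMF policy).
RULES = [
    Rule("Account", "balance", frozenset({"customer", "teller"}), "simple"),
    Rule("Account", "withdraw", frozenset({"teller"}), "composite"),
    Rule("Audit", "*", frozenset({"auditor"}), "none"),
]
USER_ROLES = {
    "alice": frozenset({"customer"}), "bob": frozenset({"teller"}),
    "web_gw": frozenset({"teller"}), "carol": frozenset({"auditor"}),
}
```

Unknown principals have no attributes and are therefore denied, and a rule whose mode is "none" rejects any call that arrived through an intermediary even when the initiator holds the role.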

We specified and implemented the following parts of OpenPMF:
- Policy Definition Language (PDL) Compiler;

- Policy Repository;

- Adapter for CORBA 2.x based on Portable Interceptors;

- Adapter for CCM based on Component Portable Interceptors (COPI);

- Transformer for CORBASec version 1.7 with support for pulling security attributes from a directory server, with different cache modes and a user configurable mapping;

- Transformer for the SL3 API.

OpenPMF uses MICO and Qedo as reference platforms for CORBA and CCM. It is itself based on MICO for internal communication between the PDL compiler, the repository and the different applications. A lot of effort had to be spent adapting MICO to the needs of OpenPMF and Qedo, for example to fix bugs and to implement the low level functionality used by OpenPMF, mainly authentication, message protection, and the generation, transport and delegation of security information and credentials.

These enhancements of MICO are part of the MICO open source project (
- CSIv2 Level 1 and 2 protocol;

- Enhanced SL3 API for CSIv2 (SL3 was originally developed by Adiron LLC, used with permission);

- ATLAS server for the generation of authorization tokens for CSIv2, with directory server interface.

An evaluation showed that OpenPMF is well suited for access control for the CORBA and CCM platforms. We plan to enhance and extend OpenPMF both in the direction of functionality (information filtering, OCL based constraints) and other platforms like EJB, .NET and Web Services.

OpenPMF has many benefits compared to older security systems. First of all, it provides much richer functionality, e.g. fine grained access control based on advanced attributes and delegation. It also reduces the costs and effort for the definition, management and enforcement of complex policies in heterogeneous distributed systems, since security policies are defined in a uniform and manageable manner. OpenPMF is especially useful in component based applications, since it provides a clear separation of functional aspects (implemented in the component) and non-functional aspects (described by policies and enforced in the container). The component developer no longer needs to care about non-functional aspects. This allows much better reuse of software components and greatly reduces development effort and costs.

Related information

Reported by

Objectsecurity Limited
St John's Innovation Centre, Cowley Road
CB4 0WS Cambridge
United Kingdom