Security Design in Distributed Computing Applications
Michael P. Zeleznik
Computer Science Department
University of Utah
The software developer designing a security architecture for a distributed
application is often faced with practical constraints that further complicate
an already difficult task. These include limited resources and conflicting
requirements. The goal will often be to simply provide as much effective
security as possible, targeted at the end-user security needs. To achieve
this goal, the developer must be able to systematically determine where
security problems exist, understand the impact of security mechanisms as they
are designed, determine which problems have and have not been addressed,
explore alternative designs, and build on the architecture in the future.
Current approaches to secure system design do not meet these requirements.
Although much is understood about many aspects of computer security, little
attention has been given to the issue of how to integrate this knowledge
into a design process; of how to generate and maintain a security
architecture in a systematic, predictable manner.
In this dissertation, this issue is examined in the context of a distributed
information retrieval system. The security design problem is analyzed,
defining and characterizing its underlying causes and the tools desirable to
address it. This is followed by a classification and analysis of current
security design approaches in relation to this problem, including a detailed
case history of our efforts to employ risk management paradigms,
demonstrating their strengths and limitations.
A new security design methodology is then presented, which provides the
desired tools. All aspects of the application, supporting software,
hardware, physical environments, and attack scenarios are modeled in a
unified, object-oriented manner. An information flow analysis is applied
to automatically discover security violations. Safeguards can then be
modeled and added to the flow analysis to readily assess their effects and
interrelationships. Although the developer must create the
application-specific models, the remaining models such as those for the
operating system, hardware, environments, and attack scenarios are
application-independent, and can evolve over time to represent generic
security knowledge bases. These can be utilized by any developer employing
this design methodology, regardless of their security background.
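The following is an added toy sketch of the idea in this paragraph, not the dissertation's own models or code: application parts, a physical environment and an attack scenario are modeled as objects joined by information flows, a flow analysis reports where sensitive data reaches an untrusted object, and a safeguard (link encryption, modeled as a transform on the data leaving the client and entering the server) is added to the same analysis to see which violations it removes. Object names, trust flags and the encrypt/decrypt placeholders are all constructed for the example.

```python
from collections import defaultdict, deque

# Constructed model: object -> trusted? (application parts, a shared LAN
# segment as physical environment, and a passive tap as attack scenario).
OBJECTS = {"client": True, "server": True, "lan": False, "tap": False}
# Information flows (source, sink); the tap edge comes from the attack scenario.
FLOWS = [("client", "lan"), ("lan", "server"), ("lan", "tap")]
SENSITIVE = {"query"}  # data the end user wants kept confidential


def analyze(objects, flows, sources, sensitive, safeguards=None):
    """Propagate data items along flows and return sorted (item, object)
    pairs where a sensitive plaintext item is observable at an untrusted
    object.  safeguards: object -> {"in": fn, "out": fn} transforms applied
    to items entering or leaving that object (e.g. encrypt/decrypt)."""
    safeguards = safeguards or {}
    out_edges = defaultdict(list)
    for src, dst in flows:
        out_edges[src].append(dst)
    holds = defaultdict(set)  # object -> items observable there
    work = deque((obj, it) for obj, items in sources.items() for it in items)
    for obj, it in work:
        holds[obj].add(it)
    while work:  # worklist fixpoint over the flow graph
        obj, item = work.popleft()
        sent = safeguards.get(obj, {}).get("out", lambda x: x)(item)
        for nxt in out_edges[obj]:
            got = safeguards.get(nxt, {}).get("in", lambda x: x)(sent)
            if got not in holds[nxt]:
                holds[nxt].add(got)
                work.append((nxt, got))
    return sorted((it, o) for o, its in holds.items() for it in its
                  if it in sensitive and not objects[o])


# Placeholder safeguard: a label transform standing in for real encryption.
def encrypt(item):
    return f"enc({item})"


def decrypt(item):
    return item[4:-1] if item.startswith("enc(") else item


def baseline():
    return analyze(OBJECTS, FLOWS, {"client": {"query"}}, SENSITIVE)


def with_link_encryption():
    sg = {"client": {"out": encrypt}, "server": {"in": decrypt}}
    return analyze(OBJECTS, FLOWS, {"client": {"query"}}, SENSITIVE, sg)
```

Running `baseline()` reports the query exposed on the LAN and at the tap; `with_link_encryption()` reports no remaining violations, while the server still receives the plaintext query.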
Slides: Overview of Dissertation
Slides: Overview of Security Design Methodology only
Full Dissertation (PDF) (1.2 MB)