A secure PLAN (extended version)

Active networks promise greater flexibility than current networks, but threaten safety and security by virtue of their programmability. We describe the design and implementation of a security architecture for the active network PLANet (Hicks et al., 1999). Security is obtained with a two-level architecture that combines a functionally restricted packet language, PLAN (Hicks et al., 1998), with an environment of general-purpose service routines governed by trust management (Blaze et al., 1996). In particular, we employ a technique, termed namespace-based security, that expands or contracts a packet's service environment based on its level of privilege. As an application of our security architecture, we present the design and implementation of an active-network firewall. We find that the addition of the firewall imposes an approximately 34% latency overhead and as little as a 6.7% space overhead on incoming packets.
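The namespace-based security idea and the ingress firewall described in the abstract, as an added illustration that is not code from the paper or from PLANet (which is written in OCaml). The privilege levels, service names, route table, and the HMAC-keyed credential table that stands in for a trust-management policy are all assumptions of this example; what it shows is the mechanism: the node computes a packet's callable service namespace from its privilege level, so a packet below the required level cannot even name a privileged routine, and an unverified or forged credential only ever contracts the namespace.

```python
"""Namespace-based security model: a packet's callable service environment is
computed from its privilege level; an ingress firewall assigns that level.
Illustrative model added to this page, not PLANet's implementation."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Privilege levels are an assumption of this example; the paper's actual
# levels and policy language are not reproduced here.
UNPRIVILEGED, AUTHENTICATED, ADMIN = 0, 1, 2

Program = Tuple[Tuple[str, Tuple[object, ...]], ...]  # ordered (service, args) calls


@dataclass(frozen=True)
class Service:
    name: str
    min_privilege: int            # lowest level at which the routine is visible
    impl: Callable[..., object]


class ServiceRegistry:
    """The node's general-purpose service routines and their privilege floors."""

    def __init__(self) -> None:
        self._services: Dict[str, Service] = {}

    def register(self, name: str, min_privilege: int, impl: Callable[..., object]) -> None:
        self._services[name] = Service(name, min_privilege, impl)

    def namespace_for(self, privilege: int) -> Dict[str, Callable[..., object]]:
        """Expand or contract the namespace: only routines whose floor is at or
        below the packet's privilege are bound, so a low-privilege packet has
        no name for a privileged routine at all."""
        return {s.name: s.impl
                for s in self._services.values() if privilege >= s.min_privilege}


class ServiceNotInNamespace(LookupError):
    """A packet program referenced a routine outside its namespace."""


@dataclass(frozen=True)
class Packet:
    source: str
    program: Program
    tag: Optional[bytes] = None   # HMAC over the program, if the sender holds a key


def sign(key: bytes, program: Program) -> bytes:
    """Sender side: authenticate a program under a shared key (HMAC-SHA256)."""
    return hmac.new(key, repr(program).encode(), hashlib.sha256).digest()


class Firewall:
    """Ingress policy: a verified key maps to a privilege level. The key table
    is a stand-in for a trust-management credential check; an absent, unknown
    or forged tag yields the unprivileged level, never a higher one."""

    def __init__(self, key_levels: Dict[bytes, int]) -> None:
        self._key_levels = key_levels

    def classify(self, packet: Packet) -> int:
        if packet.tag is None:
            return UNPRIVILEGED
        for key, level in self._key_levels.items():
            if hmac.compare_digest(sign(key, packet.program), packet.tag):
                return level
        return UNPRIVILEGED


def evaluate(packet: Packet, privilege: int, registry: ServiceRegistry) -> List[object]:
    """Run the packet program against the namespace chosen for its privilege."""
    namespace = registry.namespace_for(privilege)
    results: List[object] = []
    for name, args in packet.program:
        if name not in namespace:
            raise ServiceNotInNamespace(f"{name!r} not bound at privilege {privilege}")
        results.append(namespace[name](*args))
    return results


def build_node() -> ServiceRegistry:
    """Constructed sample node: three routines at three privilege floors."""
    routes: Dict[str, str] = {"10.0.0.0/8": "eth1"}

    def set_route(dst: str, iface: str) -> str:
        routes[dst] = iface
        return "ok"

    reg = ServiceRegistry()
    reg.register("get_hop_count", UNPRIVILEGED, lambda: 3)
    reg.register("get_route_table", AUTHENTICATED, lambda: dict(routes))
    reg.register("set_route", ADMIN, set_route)
    return reg


def run_demo() -> Dict[str, object]:
    """Three constructed packets carrying the same program through the firewall."""
    reg = build_node()
    fw = Firewall({b"operator-key": ADMIN, b"user-key": AUTHENTICATED})  # constructed keys
    prog: Program = (("get_hop_count", ()), ("get_route_table", ()))
    packets = {
        "user": Packet("192.0.2.7", prog, tag=sign(b"user-key", prog)),
        "anon": Packet("203.0.113.5", prog),                       # no credential
        "forged": Packet("203.0.113.9", prog, tag=b"\x00" * 32),   # bogus tag
    }
    outcome: Dict[str, object] = {}
    for label, pkt in packets.items():
        try:
            outcome[label] = evaluate(pkt, fw.classify(pkt), reg)
        except ServiceNotInNamespace as err:
            outcome[label] = f"rejected: {err}"
    return outcome


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label:7s} -> {result}")
```

The check that matters for the firewall happens before any service code runs: `classify` decides the level, `namespace_for` binds only the routines that level may see, and the first unbound name aborts the program. Contracting the namespace rather than checking each call inside the service routine keeps the policy decision in one place and out of the routines themselves.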

[1] Jerry R. Hobbs et al. An algebraic approach to IP traceback. TSEC, 2002.

[2] David Wetherall et al. Experiences with capsule-based active networking. Proceedings DARPA Active Networks Conference and Exposition, 2002.

[3] Damien Doligez et al. The Objective Caml system release 2.04. 2002.

[4] Erik L. Nygren et al. The design and implementation of a high-performance active network node. 1998.

[5] William A. Arbaugh et al. The SwitchWare active network architecture. IEEE Netw., 1998.

[6] Brian N. Bershad et al. Extensibility, safety and performance in the SPIN operating system. SOSP, 1995.

[7] James Cheney et al. Cyclone: A Safe Dialect of C. USENIX Annual Technical Conference, General Track, 2002.

[8] Brian N. Bershad et al. Dynamic binding for an extensible system. OSDI '96, 1996.

[9] Angelos D. Keromytis et al. The price of safety in an active network. Journal of Communications and Networks, 2001.

[10] Jerome H. Saltzer et al. Kerberos authentication and authorization system. 1987.

[11] David Wetherall et al. Active network vision and reality: lessons from a capsule-based system. Proceedings DARPA Active Networks Conference and Exposition, 2002.

[12] Angelos D. Keromytis et al. Automated Recovery in a Secure Bootstrap Process. NDSS, 1998.

[13] Angelos D. Keromytis et al. Secure quality of service handling: SQoSH. IEEE Commun. Mag., 2000.

[14] Michael Hicks. PLAN System Security. 1998.

[15] Stephen E. Deering et al. Path MTU discovery. RFC, 1990.

[16] George C. Necula et al. Safe kernel extensions without run-time checking. OSDI '96, 1996.

[17] Joan Feigenbaum et al. Compliance Checking in the PolicyMaker Trust Management System. Financial Cryptography, 1998.

[18] Xavier Leroy et al. Security properties of typed applets. POPL '98, 1998.

[19] Scott Nettles et al. Compiling PLAN to SNAP. IWAN, 2001.

[20] Stephen T. Kent et al. Security Architecture for the Internet Protocol. RFC, 1998.

[21] Amr Sabry et al. What is a purely functional language? Journal of Functional Programming, 1998.

[22] Paul C. van Oorschot et al. Authentication and authenticated key exchanges. Des. Codes Cryptogr., 1992.

[23] Scott M. Nettles et al. Practical active packets. 2002.

[24] John V. Guttag et al. ANTS: a toolkit for building and dynamically deploying network protocols. 1998 IEEE Open Architectures and Network Programming, 1998.

[25] Carl A. Gunter et al. Policy-directed certificate retrieval. Softw. Pract. Exp., 2000.

[26] François Rouaix. A Web Navigator with Applets in Caml. 1996.

[27] Angelos D. Keromytis et al. Scalable Resource Control in Active Networks. IWAN, 2000.

[28] Angelos D. Keromytis et al. A secure active network environment architecture: realization in SwitchWare. IEEE Netw., 1998.

[29] Dan S. Wallach et al. Understanding Java stack inspection. Proceedings 1998 IEEE Symposium on Security and Privacy, 1998.

[30] Larry L. Peterson et al. Scout: a communications-oriented operating system. Proceedings 5th Workshop on Hot Topics in Operating Systems (HotOS-V), 1995.

[31] Mike Hibler et al. Janos: a Java-oriented OS for active network nodes. IEEE J. Sel. Areas Commun., 2001.

[32] Joan Feigenbaum et al. REFEREE: Trust Management for Web Applications. Comput. Networks, 1997.

[33] Mike Hibler et al. An OS interface for active routers. IEEE J. Sel. Areas Commun., 2001.

[34] David Wetherall et al. Active network vision and reality: lessons from a capsule-based system. OPSR, 1999.

[35] Paul Menage. RCANE: A Resource Controlled Framework for Active Network Services. IWAN, 1999.

[36] Angelos D. Keromytis et al. A secure PLAN. IEEE Trans. Syst. Man Cybern. Part C, 1999.

[37] Hugo Krawczyk et al. HMAC: Keyed-Hashing for Message Authentication. RFC, 1997.

[38] Karl Crary et al. Resource bound certification. POPL '00, 2000.

[39] Robin Fairbairns et al. The Design and Implementation of an Operating System to Support Distributed Multimedia Applications. IEEE J. Sel. Areas Commun., 1996.

[40] Deyu Hu et al. Implementing Multiple Protection Domains in Java. USENIX Annual Technical Conference, 1998.

[41] Sun Meifeng et al. KeyNote Trust Management System. 2002.

[42] G. J. Minden et al. A survey of active network research. IEEE Communications Magazine, 1997.

[43] R. D. Rockwell et al. Smart Packets for active networks. 1999 IEEE Second Conference on Open Architectures and Network Programming (OPENARCH '99), 1999.

[44] Guy L. Steele et al. The Java Language Specification. 1996.

[45] Jerome H. Saltzer et al. The protection of information in computer systems. Proc. IEEE, 1975.

[46] Mike Hibler et al. Janos: a Java-oriented OS for active network nodes. Proceedings DARPA Active Networks Conference and Exposition, 2001.

[47] Anna R. Karlin et al. Practical network support for IP traceback. SIGCOMM, 2000.

[48] Carl A. Gunter et al. PLAN: a packet language for active networks. ICFP '98, 1998.

[49] Joan Feigenbaum et al. Managing trust in an information-labeling system. Eur. Trans. Telecommun., 1997.

[50] David Wetherall et al. Active network vision and reality: lessons from a capsule-based system. SOSP, 1999.

[51] Ralph Howard et al. Data encryption standard. 1987.

[52] Carl A. Gunter et al. PLANet: an active internetwork. IEEE INFOCOM '99, 1999.

[53] Wilson C. Hsieh et al. Processes in KaffeOS: isolation, resource management, and sharing in Java. OSDI, 2000.

[54] Joan Feigenbaum et al. The Role of Trust Management in Distributed Systems Security. Secure Internet Programming, 2001.

[55] Randall J. Atkinson et al. Security Architecture for the Internet Protocol. RFC, 1995.

[56] Sotiris Ioannidis et al. Sub-operating systems: a new approach to application security. EW 10, 2002.

[57] Whitfield Diffie et al. New Directions in Cryptography. IEEE Trans. Inf. Theory, 1976.

[58] Robert Grimm et al. Providing Policy-Neutral and Transparent Access Control in Extensible Systems. Secure Internet Programming, 2001.

[59] D. P. Maher et al. Music on the Internet and the intellectual property protection problem. ISIE '97, Proceedings of the IEEE International Symposium on Industrial Electronics, 1997.

[60] Robert N. M. Watson et al. Strong security for active networks. 2001 IEEE Open Architectures and Network Programming Proceedings (OPENARCH 2001), 2001.

[61] Jonathan M. Smith et al. Alien: a generalized computing model of active networks. 1998.

[62] Joan Feigenbaum et al. Decentralized trust management. Proceedings 1996 IEEE Symposium on Security and Privacy, 1996.

[63] Angelos D. Keromytis et al. DHCP++: Applying an efficient implementation method for fail-stop cryptographic protocols. 1998.

[64] Deyu Hu et al. J-Kernel: A Capability-Based Operating System for Java. Secure Internet Programming, 2001.

[65] Steven M. Bellovin et al. Implementing Pushback: Router-Based Defense Against DDoS Attacks. NDSS, 2002.

[66] Cédric Fournet et al. Stack inspection: Theory and variants. TOPL, 2003.

[67] Matt Blaze et al. Transparent Internet E-mail Security. 1996.

[68] John K. Ousterhout et al. The Safe-Tcl Security Model. USENIX Annual Technical Conference, 1998.

[69] Hugo Krawczyk et al. A Security Architecture for the Internet Protocol. IBM Syst. J., 1999.

[70] Scott Nettles et al. Practical programmable packets. Proceedings IEEE INFOCOM 2001, 2001.

[71] Angelos D. Keromytis et al. SOS: secure overlay services. SIGCOMM '02, 2002.

[72] Jan Vitek et al. Secure Internet Programming: Security Issues for Mobile and Distributed Objects. 1999.

[73] Jonathan T. Moore et al. Mobile Code Security Techniques. 1998.