Communications systems incorporating client-server architectures are subject to security-related issues including, but not limited to, confidentiality, integrity and availability. Components and systems to defend against malicious security attacks are being developed and implemented in networks and commercial products. These components and systems, whether in hardware, software or firmware, are typically implemented as full-service security packages including security features that may or may not be required by the application program. This frequently results in the allocation of considerable memory for storing security services, while somewhat less security, and hence less system storage, may be sufficient for a particular application. For example, a mobile device has limited storage capacity, and the installation of a complete security package may unnecessarily use resources that may be required for other functions.
To avoid this misuse of system resources it is known to install minimum security services in a system at configuration time and then add further security services when needed. Heretofore, the addition of such further security services has necessitated the static reconfiguration of the system, with a resulting temporary loss of service.
The prior art includes a number of publications and conference presentations dealing with distributed systems and the security functionality associated therewith. In a paper entitled “An Approach To Dynamic Reconfiguration Of Distributed Systems Based On Object Middleware” by Almeida et al., Proceedings of the 19th Brazilian Symposium on Computer Networks, Santa Catarina, May 2001, dynamic reconfiguration is discussed. This reference is concerned with an increasing demand for long-running and highly available systems. According to the paper, this demand holds particularly for distributed systems based on object middleware, which is becoming increasingly popular. Dynamic reconfiguration consists of modifying the configuration of the system during run time, contributing to the availability of the system. The paper introduces a novel approach to dynamic reconfiguration of distributed systems based on object middleware. The paper also discusses some issues related to the implementation of this approach and proposes a design for a dynamic reconfiguration service using CORBA standard mechanisms. The approach to dynamic reconfiguration described in this paper is a general one focused on ensuring state consistency during reconfiguration. There is no mention of security or of the security implications of reconfiguration in this reference.
A second reference is a paper entitled “Trust-adapted Enforcement of Security Policies in Distributed Component-Structured Applications” by Herrmann and Krumm, IEEE, 2001. In this paper, software component technology is described as supporting cost-effective development of specialized applications. This technology, however, introduces special security problems. According to the paper, some major problems can be solved by the automated run-time enforcement of security policies. Each component is controlled by a wrapper which monitors the component's behavior and checks its compliance with the security behavior constraints of the component's employment contract. Since control functions and wrappers can cause substantial overhead, the paper discusses trust-adapted control functions, where the intensity of monitoring and behavior checks depends on the level of trust that the component, its hosting environment and its vendor currently have in the eyes of the application administration. The paper reports on wrappers and a trust information service, outlines the embedding security model and architecture, and describes a Java-bean-based experimental implementation. The paper considers security issues such as policy enforcement and trust management within a distributed component environment. It describes automated run-time enforcement of security policies using a trust-adapted algorithm for minimizing the overhead of satisfying a component's employment contract before rendering the service to the consumer. Distributed security issues are well described, but the issue of dynamically synchronizing security state between software components is not addressed in this publication.
A third paper of interest is entitled “Security Characterization and Integrity Assurance for Component-Based Software” by Khan, Han and Zheng, in Software Methods and Tools 2000. In this paper, a security characterization structure for software components and their composition is proposed. The structure provides a preliminary modeling of the security properties of stand-alone software components and some of their compositional primitives. Security properties related to the user data protection of software components are discussed. The proposed compositional specification attempts to model the resulting effect between the security attributes of two contracting components. The compositional specification structure can capture the results of the combined security specifications of two participating components in a contract. The security specification syntax is based on four compositional elements: identities of contracting components, actions to be performed in a compositional relationship, security attributes supported by components, and resources to be used by other components. The structure is used in an example of secure interactions over a network to illustrate the applicability of the proposed work. The paper does not address live reconfiguration issues, focusing instead on static component-based systems and on how security assurance is propagated up to the system from the individual components. The present invention focuses on dynamic reconfiguration, which deals with issues of temporal synchronicity and conflict resolution in addition to the static issues addressed in the article.
Finally, a paper entitled “Composing Security-Aware Software” by Khan and Han, IEEE Software, Volume 19, Issue 1, January-February 2002, discusses component security concerns as being two-fold: how to build secure components and secure composite systems from components, and how to disclose components' security properties to others. The article addresses the latter; rather than proposing any new security structure, the authors present a security characterization framework. Their approach concerns the security functions of software components, exposing their required and ensured security properties. Through a compositional security contract between participating components, system integrators can reason about the security effects of one component on another. This paper thus describes a security characterization framework for exposing the security functions of software components through a compositional security contract (CSC). The contract is meant to allow system integrators to assess both how security services interact between components and how they sum to determine the overall system security characteristics. However, the article makes no attempt to propose any new security architecture, which is an aspect of the present invention. The present invention proposes a distinct security integration environment for security components. This ensures that, within the confines of the secured environment, components are protected and are able to interact securely in order to provide a predictable aggregated security service to external applications.
Therefore, although the prior art separately addresses dynamic reconfiguration and component-based security systems, it fails to address the problem of dynamically reconfiguring a component-based security system. This is the problem to which the present invention provides a solution.
The present invention is directed to a Secure Security-Services server containing security components which together form an encapsulated security architecture. Each component possesses an independent security state which allows a transaction-oriented state acquisition to occur in accordance with the dependencies between the security components. The system relies on a separation of security functions from business services in carrying out the security services.
Accordingly, the present invention relates to the adding, in real-time, of a new security component (e.g. in order to provide a new security service), into a secure environment and the acquisition of the state of other active security components on which the new component is dependent (a dependency exists when the security state of the new component depends on acquiring security state information from another component(s)).
Therefore, in accordance with a first aspect of the present invention there is provided a security server for providing security services to a client-server application program requiring secure access to a database comprising: a first secure communication channel interface for securely communicating with an application server running a server portion of the client-server application program; a second secure communication channel interface for securely communicating with the database; and a plurality of security components, each security component providing a unique security service to a client portion of the client-server application program.
In accordance with a second aspect of the present invention there is provided a method of acquiring security state information for a security component in a component-based security system, the method comprising the steps of: determining, responsive to a state of the security component being dependent on security state information of other security components, a dependency chain of security components upon which the state of the security component depends; acquiring the security state information from all the security components in the dependency chain; and informing the security component of the acquired state information.
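The following is an added illustrative example, not code from the patent or any implementation of it, showing the three steps of the method just described (determining the dependency chain, acquiring state from every component in the chain, and informing the new component), together with the run-time addition of a component from the first aspect. The component names, the dictionary-based security state, and the all-or-nothing rollback on a missing or cyclic dependency are assumptions made for the example; the patent text does not specify them.

```python
"""Added example: run-time addition of a security component whose security
state is acquired from the components it depends on (hypothetical design)."""
from __future__ import annotations

from dataclasses import dataclass, field


class DependencyError(Exception):
    """A dependency is unknown, uninitialised, or part of a cycle."""


@dataclass
class SecurityComponent:
    name: str
    depends_on: tuple = ()                  # names of components this one needs
    state: dict = field(default_factory=dict)     # this component's own security state
    acquired: dict = field(default_factory=dict)  # state received from dependencies

    def inform(self, acquired: dict) -> None:
        """Step 3 of the method: hand the acquired state to the component."""
        self.acquired = dict(acquired)


class SecurityServer:
    """Encapsulated environment holding the active security components."""

    def __init__(self) -> None:
        self._components: dict = {}

    def dependency_chain(self, name: str) -> list:
        """Step 1: the transitive dependencies of `name`, ordered so that every
        component appears after the components it depends on. Cycles and
        unknown components are rejected so an inconsistent chain is never used."""
        order, visiting, done = [], set(), set()

        def visit(n: str) -> None:
            if n in done:
                return
            if n in visiting:
                raise DependencyError(f"dependency cycle through {n}")
            comp = self._components.get(n)
            if comp is None:
                raise DependencyError(f"unknown security component {n}")
            visiting.add(n)
            for dep in comp.depends_on:
                visit(dep)
            visiting.remove(n)
            done.add(n)
            order.append(n)

        for dep in self._components[name].depends_on:
            visit(dep)
        return order

    def acquire_state(self, chain: list) -> dict:
        """Step 2: transaction-oriented acquisition. Either the state of every
        component in the chain is collected, or nothing is returned."""
        snapshot = {}
        for n in chain:
            comp = self._components[n]
            if not comp.state:
                raise DependencyError(f"{n} has not established its security state")
            snapshot[n] = dict(comp.state)
        return snapshot

    def add_component(self, comp: SecurityComponent) -> dict:
        """Register `comp` while the server keeps serving. If its dependencies
        cannot be satisfied the registration is rolled back, so the previous
        set of components remains active and no service is lost."""
        if comp.name in self._components:
            raise ValueError(f"{comp.name} already registered")
        self._components[comp.name] = comp
        try:
            chain = self.dependency_chain(comp.name)
            acquired = self.acquire_state(chain)
        except DependencyError:
            del self._components[comp.name]   # roll back the partial reconfiguration
            raise
        comp.inform(acquired)
        return acquired

    def active(self) -> list:
        return sorted(self._components)


def demo() -> dict:
    """Constructed scenario: an authentication and an authorization component are
    running; an audit component depending on both is added live, then a component
    with an unsatisfied dependency is rejected without disturbing the others."""
    srv = SecurityServer()
    srv.add_component(SecurityComponent("authentication",
                                        state={"session_ticket": "constructed-ticket-1"}))
    srv.add_component(SecurityComponent("authorization", ("authentication",),
                                        state={"role_map_version": 7}))
    audit = SecurityComponent("audit", ("authorization", "authentication"))
    acquired = srv.add_component(audit)
    rejected = False
    try:
        srv.add_component(SecurityComponent("reporting", ("nonexistent",)))
    except DependencyError:
        rejected = True
    return {"chain": srv.dependency_chain("audit"), "acquired": acquired,
            "informed": audit.acquired, "rejected": rejected, "active": srv.active()}


if __name__ == "__main__":
    print(demo())
```

The dependency chain is computed with a depth-first walk, so a component that depends on both “authorization” and “authentication” receives “authentication” first, matching the requirement that state be acquired in accordance with the dependencies between the components; a failed acquisition undoes the registration rather than leaving a half-configured component in the secured environment.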