Multidomain Event-Based Middleware using Decentralised Information Flow Control

Event-based middleware systems have tried to interoperate with various platforms and languages. As this goal became reality for the most important and widespread platforms, the adoption of these systems begun. IBM’s WebSphere MQ, Sun’s JMS together with non event based architectures like CORBA, were industrial solutions that soon functioned as the interconnection mechanism behind server platforms like WebSphere and J2EE. Even though the interoperability achieved by these systems is impressive, most of the time they assume that all the code that is executed is equal in terms of quality, auditing and debugging. This assumption holds for most parts of an event-based system but it is not always true. Features such as client provided operators, event transformation routines and multinode systems under different administrative domains result in deployments where not all the code can be equally trusted. Moreover, as systems become more complicated, they are prone to bugs that can affect the security of the whole platform. In scenarios like these, code testing may vary greatly from detailed to completely unavailable, yet all processing components have to access the events that they operate on. As seen in the example of Figure 1, a third party instantiates in the system an event processor which transforms the name that appears on certain events. Suppose that this event stream contains medical information and the patient’s personal details must be protected from disclosure. As a result, this processor component will have to access the sensitive name part of the events, yet it must not communicate it to untrusted receivers. If no guarantees are given, then the system’s security will be directly dependant upon this component’s behaviour: the component can choose to communicate the name to any receiver that it wishes. The component may as well be part of the event-based system’s internal codebase; protection is then useful in limiting the effects of possibly exploitable bugs. In order to provide security in a multidomain application like the above, two fundamental properties must be guaranteed by the system: data confidentiality and integrity.