Homogeneous Control of Security Functions via Cross-Domain Delegation
Canavese, Daniele (Writing – Review & Editing); Repetto, Matteo (Supervision)
2026
Abstract
Open Command and Control (OpenC2) was designed to facilitate the orchestration of heterogeneous cyber-defense technologies through a vendor-agnostic language. However, while the standard integrates secure transfer protocols, it lacks a common prescriptive mechanism for identity and access management (IAM). This choice leaves a significant architectural gap, jeopardizing the applicability of Managed Security Services (MSS), where cross-domain delegation is a critical issue. This paper addresses this gap by proposing a robust IAM framework based on the OAuth2 mechanism. Our work addresses the 'impedance mismatch' between the browser-centric approach of OAuth2 and automated, non-interactive OpenC2 controllers. To this end, we introduce a novel Headless User Agent component that manages user credentials without requiring human interaction via a browser or other tools. Additionally, we integrate fine-grained access control for the execution of OpenC2 commands, which implements the basic security principle of least privilege. The overall solution is implemented as a modular extension of the otupy OpenC2 library, and supports both HTTP and MQTT transfer bindings. Experimental validation demonstrates the functional correctness of the identity management and access control layers. At the same time, performance analysis quantifies the overhead introduced by per-request token introspection at approximately 14.5 ms, confirming the approach's viability for real-time operational environments.
| File | Description | Type | License | Access | Size | Format |
|---|---|---|---|---|---|---|
| 978-3-032-27993-4_37.pdf | Published version | Publisher's version (PDF) | NOT PUBLIC - private/restricted access | authorized users only | 892.33 kB | Adobe PDF |
| OpenC2OAuth2_IFIPSEC26.pdf | Version after peer review | Post-print document | Creative Commons | embargo until 03/06/2027 | 532.3 kB | Adobe PDF |
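The abstract above describes two checks that an OpenC2 consumer performs on every incoming command: OAuth2 token introspection (RFC 7662) and a least-privilege check of the requested action against what the caller has been granted. The Python example below, added here and not taken from the paper or from the otupy library, shows how the two checks compose with deny-by-default semantics and how the outcome maps to an OpenC2 response status. The token strings, the in-memory introspection table, the scope names (`openc2:query` and so on) and the scope-to-command policy are all constructed assumptions for illustration; a real consumer would obtain the introspection response from the authorization server over the network, which is the per-request round trip whose cost the abstract quantifies.

```python
"""Per-request OAuth2 token introspection in front of an OpenC2 consumer.

Added illustration, not code from the paper or from otupy. Scope names,
tokens, the introspection table and the policy are constructed examples.
"""
from dataclasses import dataclass

# Fixed "current time" (Unix seconds) so the example is deterministic.
NOW = 1_800_000_000

# Constructed stand-in for the authorization server's RFC 7662 introspection
# endpoint. A real consumer POSTs the token (with its own client credentials)
# and receives a JSON object shaped like the values below.
INTROSPECTION_DB = {
    "tok-ops": {"active": True, "scope": "openc2:query openc2:deny",
                "client_id": "ops-controller", "exp": NOW + 600},
    "tok-readonly": {"active": True, "scope": "openc2:query",
                     "client_id": "monitor", "exp": NOW + 600},
    "tok-expired": {"active": True, "scope": "openc2:query openc2:deny",
                    "client_id": "ops-controller", "exp": NOW - 1},
    "tok-revoked": {"active": False},
}


def introspect(token: str) -> dict:
    """RFC 7662 semantics: an unknown token is reported as inactive."""
    return INTROSPECTION_DB.get(token, {"active": False})


# Hypothetical policy: which OAuth2 scope is required for each
# (OpenC2 action, target type) pair. Anything not listed is denied,
# which is the least-privilege, deny-by-default posture.
POLICY = {
    ("query", "features"): "openc2:query",
    ("query", "ipv4_connection"): "openc2:query",
    ("deny", "ipv4_connection"): "openc2:deny",
    ("allow", "ipv4_connection"): "openc2:allow",
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(token: str, command: dict, now: int = NOW) -> Decision:
    """Introspect the bearer token, then check scope against the command."""
    info = introspect(token)
    if not info.get("active"):
        return Decision(False, "token inactive or unknown")
    # Introspection may omit exp; treat a missing exp as already expired.
    if info.get("exp", 0) <= now:
        return Decision(False, "token expired")
    action = command.get("action")
    target = command.get("target")
    # An OpenC2 target is a single-key object naming the target type.
    if not isinstance(target, dict) or len(target) != 1:
        return Decision(False, "malformed target")
    target_type = next(iter(target))
    required = POLICY.get((action, target_type))
    if required is None:
        return Decision(False, f"no policy for {action}/{target_type}")
    granted = set(info.get("scope", "").split())
    if required not in granted:
        return Decision(False, f"scope {required} not granted to {info.get('client_id')}")
    return Decision(True, f"{action}/{target_type} permitted by scope {required}")


def openc2_response(decision: Decision) -> dict:
    """Map the decision to an OpenC2 response: 200 on success, 403 when
    the command is understood but not permitted for this caller."""
    if decision.allowed:
        return {"status": 200}
    return {"status": 403, "status_text": decision.reason}


# Constructed sample commands in OpenC2 JSON shape.
QUERY_CMD = {"action": "query", "target": {"features": ["versions", "profiles"]}}
DENY_CMD = {"action": "deny",
            "target": {"ipv4_connection": {"src_addr": "203.0.113.7", "protocol": "tcp"}}}

if __name__ == "__main__":
    for tok in ("tok-ops", "tok-readonly", "tok-expired", "tok-revoked", "bogus"):
        for name, cmd in (("query", QUERY_CMD), ("deny", DENY_CMD)):
            d = authorize(tok, cmd)
            print(f"{tok:13s} {name:6s} -> {openc2_response(d)}")
```

Because the introspection result is fetched on every command rather than cached, revocation takes effect immediately at the cost of one round trip per request; caching the response for a short window would shave that latency but delay the effect of revocation by the cache lifetime, which is the trade-off an MSS operator has to make explicitly.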
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.


