INSTITUTE FOR CYBER SECURITY
Trusted Computing Models
Prof. Ravi Sandhu, Executive Director and Endowed Chair
Institute for Cyber Security, University of Texas at San Antonio
June 2008
[email protected] www.profsandhu.com
Change Drivers
Stand-alone computers -> Internet
Enterprise security -> Mutually suspicious yet mutually dependent security
Vandals -> Criminals, nation states, terrorists
Few standard services -> Many and new innovative services
Basic Assumptions (Axioms)
Information needs to be protected: in motion, at rest, in use.
Absolute security is impossible and unnecessary. Trying to approximate absolute security is a bad strategy. "Good enough" security is feasible and meaningful.
Security is meaningless without application context. We cannot know we have "good enough" without this context.
Models and abstractions are all important. Without a conceptual framework it is hard to separate "what needs to be done" from "how we do it".
We are not very good at doing any of this.
PEI Models: 3 Layers/5 Layers
Access Control Models
Discretionary Access Control (DAC): owner controls access, but only to the original, not to copies.
Mandatory Access Control (MAC): access based on security labels; labels propagate to copies.
Role-Based Access Control (RBAC): access based on roles; can be configured to do DAC or MAC.
Attribute-Based Access Control (ABAC): access based on attributes, to possibly include roles, security labels and whatever else.
Usage Control Model (UCON)
Figure components: Subjects (S), Objects (O), Rights (R), Authorizations (A), Obligations (B), Conditions (C), Subject Attributes (SA), Object Attributes (OA).
Usage decisions: before-usage, ongoing-usage, after-usage.
Continuity of decisions: pre-decision, ongoing-decision.
Mutability of attributes: pre-update, ongoing-update, post-update.
• Unified model integrating authorization, obligations and conditions
• Incorporating continuity of decisions and mutability of attributes
What makes UCON different?
UCON is an attribute-based authorization model, BUT:
• Attributes are mutable, in that the system updates them automatically as a result of usage. This allows count-limited, rate-limited and quota-limited policies to be expressed and enforced. E.g., a user can access up to 10 documents per hour.
• Access may require explicit actions (obligations) by the user attempting access, by other users, or by the system.
  - Enables human-in-the-loop, just-in-time decisions. E.g., access requires confirmation by a superior officer.
  - Enables notification of access. E.g., access is reported to a designated audit authority.
  - Enables clean-up after access is completed. E.g., delete cryptographic keys and plaintext content.
• Access can depend on system condition and mode. E.g., in emergency mode access is enabled (or disabled).
• Access mediation can continue while access is in progress. E.g., if credentials are revoked, access is immediately terminated. E.g., if the system mode changes from normal to emergency, access is terminated.
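The slide above lists UCON features in prose; the following is an added example (not from the slides or from the author's own implementations) of a small usage controller that exercises each of them: a mutable subject attribute updated by the system as a side effect of usage (the 10-documents-per-hour limit), a confirmation obligation discharged by another user, a notification obligation to an audit log, a post-usage clean-up obligation, and an ongoing decision that terminates open usages when credentials are revoked or the system mode changes. Subject names, the window size and the mode strings are constructed for illustration.

```python
"""Added example (not from the slides): a small UCON-style usage controller."""
from dataclasses import dataclass, field

WINDOW_SECONDS = 3600      # rate-limit window (one hour)
MAX_DOCS_PER_WINDOW = 10   # "can access up to 10 documents per hour"


@dataclass
class Subject:
    name: str
    credentials_valid: bool = True     # revocable credential, re-checked while usage is open
    needs_confirmation: bool = False   # pre-decision obligation that another user must discharge
    access_times: list = field(default_factory=list)  # mutable attribute, updated by the system


@dataclass
class Usage:
    subject: Subject
    obj: str
    mode_at_start: str
    plaintext: bytes = b""   # material wiped by the post-usage obligation


class UsageController:
    def __init__(self, mode="normal"):
        self.mode = mode              # system condition (C): "normal" or "emergency" (constructed)
        self.open_usages = []
        self.confirmed = set()        # subjects a superior officer has confirmed
        self.audit_log = []           # notification obligation: what was decided, for whom, when

    def confirm(self, superior, subject_name):
        """A superior officer discharges the confirmation obligation for a subject."""
        self.audit_log.append(("confirm", superior, subject_name))
        self.confirmed.add(subject_name)

    def try_access(self, subj, obj, now, content=b""):
        """Pre-decision. Returns (allowed, reason); on allow, updates attributes (pre-update)."""
        if not subj.credentials_valid:
            return False, "credentials invalid"
        if subj.needs_confirmation and subj.name not in self.confirmed:
            return False, "obligation unmet: confirmation by superior required"
        # Drop accesses that fell out of the sliding window, then apply the count limit.
        subj.access_times = [t for t in subj.access_times if now - t < WINDOW_SECONDS]
        if len(subj.access_times) >= MAX_DOCS_PER_WINDOW:
            return False, "rate limit: %d documents per hour" % MAX_DOCS_PER_WINDOW
        subj.access_times.append(now)                  # the usage itself mutates the attribute
        self.audit_log.append(("read", subj.name, obj, now))  # notify the audit authority
        self.open_usages.append(Usage(subj, obj, self.mode, content))
        return True, "allowed"

    def reevaluate(self):
        """Ongoing decision: re-check every open usage and terminate those now denied."""
        terminated = []
        for u in list(self.open_usages):
            if not u.subject.credentials_valid or self.mode != u.mode_at_start:
                self.end_usage(u)
                terminated.append((u.subject.name, u.obj))
        return terminated

    def end_usage(self, usage):
        """Post-usage obligation: wipe plaintext and close the usage."""
        usage.plaintext = b""
        self.open_usages.remove(usage)


if __name__ == "__main__":
    uc = UsageController()
    alice = Subject("alice")
    for i in range(11):
        print(i, uc.try_access(alice, "doc%d" % i, 1_000_000 + i))
    alice.credentials_valid = False
    print("terminated after revocation:", uc.reevaluate())
```

The controller is deliberately time-injected (`now` is a parameter) so the sliding window can be tested deterministically; a deployment would pass a monotonic clock and would call `reevaluate` from whatever event delivers revocations and mode changes.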
PEI Models: 3 Layers/5 Layers
Policy Model (group members)
State machine (figure): Initial state = never been a member; State I = currently a member (reached by enroll); State II = past member (reached by dis-enroll); State III = rejoining past member (reached by enroll from State II).
Initial state (never been a member):
1. Straightforward. User has no access to any group documents.
State I (currently a member):
1. Access to current documents only, (or)
2. Access to current documents and past documents
3. Access can be further restricted with rate and/or usage limits
4. Access can be further restricted on the basis of individual user credentials
State II (past member):
1. Past member loses access to all documents, (or)
2. can access any document created during his membership, (or)
3. can access documents he accessed during membership, (or)
4. can access all documents created before he left the group (this includes the ones created before his join time)
5. All subject to possible additional rate, usage and user credential restrictions
State III (past member rejoins):
1. No rejoin of past members is allowed; rejoin with a new ID, (or)
2. Past members rejoin the group just like any other user who has never been a member
3. The same access policies defined during his prior membership should again be enforced, (or)
4. Access policies could vary between membership cycles
Policy Model (group documents)
State machine (figure): Initial state = never been a group doc; State I = currently a group doc (reached by add); State II = past group doc (reached by remove); State III = re-added doc (reached by add from State II).
Initial state (never been a group doc):
1. Straightforward. No access to group members.
State I (currently a group doc):
1. Access allowed only to current group members, (or)
2. Access allowed to current and past group members
State II (past group doc):
1. No one can access, (or)
2. Anyone can access, (or)
3. Past members can access
State III (document re-added):
1. Cannot be re-added, (or)
2. When a document is re-added, it will be treated as a new document that is added into the group
3. Only current members can access, (or)
4. Past members and current members can access
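The two policy-model slides above enumerate alternative rules for members and for documents without showing how they combine. The following is an added example (not from the slides or from the author's own implementations) that encodes both lifecycle state machines and exposes the numbered alternatives as policy switches, so that the interaction of a member-side rule (e.g. "past member can access documents created during his membership") with a document-side rule (e.g. "past group doc: past members can access") can be checked on concrete histories. A read is permitted only if both sides permit it. Member names, document names, times and the policy keywords are constructed for illustration.

```python
"""Added example (not from the slides): member and document lifecycle policy model."""
from enum import Enum


class MState(Enum):
    NEVER = "never been a member"
    CURRENT = "currently a member"
    PAST = "past member"


class DState(Enum):
    NEVER = "never been a group doc"
    CURRENT = "currently a group doc"
    PAST = "past group doc"


class Group:
    """Both the member-side and the document-side policy must permit a read."""

    def __init__(self, past_member="none", current_doc="current",
                 past_doc="none", rejoin="like_new"):
        # Member State II: none | created_during | accessed_during | created_before_leave
        self.past_member = past_member
        # Document State I: current | current_and_past  (which members may read a current doc)
        self.current_doc = current_doc
        # Document State II: none | anyone | past_members
        self.past_doc = past_doc
        # Member State III: forbid | like_new
        self.rejoin = rejoin
        self.members = {}   # name -> {"state", "join", "leave", "accessed"}
        self.docs = {}      # doc  -> {"state", "created", "removed"}

    def enroll(self, name, t):
        m = self.members.setdefault(
            name, {"state": MState.NEVER, "join": None, "leave": None, "accessed": set()})
        if m["state"] is MState.CURRENT:
            raise ValueError("%s is already a member" % name)
        if m["state"] is MState.PAST and self.rejoin == "forbid":
            raise ValueError("past members must rejoin with a new ID")
        # like_new: a rejoining past member starts a fresh membership cycle
        m.update(state=MState.CURRENT, join=t, leave=None, accessed=set())

    def dis_enroll(self, name, t):
        m = self.members[name]
        if m["state"] is not MState.CURRENT:
            raise ValueError("%s is not a current member" % name)
        m.update(state=MState.PAST, leave=t)

    def add_doc(self, doc, t):
        d = self.docs.get(doc)
        if d is not None and d["state"] is DState.CURRENT:
            raise ValueError("%s is already a group doc" % doc)
        # Re-adding a past doc treats it as a new document (document State III, option 2).
        self.docs[doc] = {"state": DState.CURRENT, "created": t, "removed": None}

    def remove_doc(self, doc, t):
        d = self.docs[doc]
        if d["state"] is not DState.CURRENT:
            raise ValueError("%s is not a current group doc" % doc)
        d.update(state=DState.PAST, removed=t)

    def _member_side(self, m, doc, d):
        if m["state"] is MState.CURRENT:
            return True
        if m["state"] is MState.PAST:
            if self.past_member == "created_during":
                return m["join"] <= d["created"] < m["leave"]
            if self.past_member == "accessed_during":
                return doc in m["accessed"]
            if self.past_member == "created_before_leave":
                return d["created"] < m["leave"]   # includes docs older than the join time
        return False

    def _doc_side(self, m, d):
        if d["state"] is DState.CURRENT:
            return (m["state"] is MState.CURRENT
                    or (self.current_doc == "current_and_past" and m["state"] is MState.PAST))
        if d["state"] is DState.PAST:
            if self.past_doc == "anyone":
                return m["state"] in (MState.CURRENT, MState.PAST)
            if self.past_doc == "past_members":
                return m["state"] is MState.PAST
        return False

    def read(self, name, doc):
        m, d = self.members.get(name), self.docs.get(doc)
        if m is None or d is None:
            return False                     # never a member / never a group doc
        ok = self._member_side(m, doc, d) and self._doc_side(m, d)
        if ok and m["state"] is MState.CURRENT:
            m["accessed"].add(doc)           # history consulted by "accessed_during"
        return ok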
Enforcement Model
Figure: Control Center (CC), Group-Admin, Joining Member, Member, D-Member; numbered interactions 1-7 between them.
• Member enroll and dis-enroll (steps 1-2, 5)
• Document add and remove (steps 6, 7)
• Read policy enforcement (step 3)
• Attribute update (step 4)
Ideal model: steps 3 and 4 are coupled. Approximate model: steps 3 and 4 are de-coupled.
Two sets of attributes:
• Authoritative: as known to the CC
• Local: as known on a member's computer
Implementation Model
Figure components: TPM; VMM; Linux kernel + TPM driver + MAC policies; internal PCRs; App PCRs; TRM; TVTSS; boot-time measurement; update internal PCR; indirect communication; isolated execution in VM0 / VM1.
• Use TC mechanisms to bind group key + attributes to TRM
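The bullet above states the goal (bind the group key and local attributes to the TRM via TC mechanisms) without showing the mechanism. The following is an added example (not from the slides or from the author's own prototype) that simulates, in plain Python, the two TPM operations involved: boot-time measurement that extends a PCR with each component of the stack, and sealing a bundle of group key plus local attributes to the resulting PCR value so that a stack with a different kernel, MAC policy or TRM binary cannot unseal it. This is a hash-chain model of the TPM semantics, not a TPM or TSS library call; the storage root key, the measured component names and the attribute values are constructed for illustration.

```python
"""Added example (not from the slides): simulated TPM measured boot and sealing."""
import hashlib
import hmac
import json
import os


def pcr_extend(pcr, measurement):
    """TPM extend: PCR' = H(PCR || H(measurement)); the order of events matters."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components):
    """Boot-time measurement of the stack, e.g. VMM -> kernel -> MAC policy -> TRM."""
    pcr = bytes(32)  # PCRs are zero at reset
    for comp in components:
        pcr = pcr_extend(pcr, comp)
    return pcr


def _keystream(key, n):
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(srk, pcr, payload):
    """Seal payload to a PCR value under the (hidden) storage root key.

    A real TPM releases the wrapping key only when the live PCR equals the
    sealed policy; here the key is derived from the PCR, so a mismatched PCR
    yields a different key and the authentication tag fails to verify."""
    nonce = os.urandom(16)
    key = hmac.new(srk, b"seal" + pcr + nonce, hashlib.sha256).digest()
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, len(payload))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unseal(srk, pcr, blob):
    """Return the payload if the current PCR matches the sealing PCR, else None."""
    key = hmac.new(srk, b"seal" + pcr + blob["nonce"], hashlib.sha256).digest()
    tag = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    return bytes(c ^ k for c, k in zip(blob["ct"], _keystream(key, len(blob["ct"]))))


# Constructed measured stack and storage root key (a real SRK never leaves the TPM).
TRUSTED_STACK = [b"vmm-1.0", b"linux-kernel+tpm-driver", b"selinux-policy-v3", b"trm-1.2"]
SRK = hashlib.sha256(b"constructed storage root key").digest()


def provision(stack, group_key_hex, local_attrs):
    """What the CC hands a member: group key + local attributes sealed to the measured TRM."""
    bundle = json.dumps({"group_key": group_key_hex, "attrs": local_attrs},
                        sort_keys=True).encode()
    return seal(SRK, measure_boot(stack), bundle)


def recover(stack, blob):
    """What the TRM gets back after booting `stack`: the bundle, or None if the stack differs."""
    raw = unseal(SRK, measure_boot(stack), blob)
    return None if raw is None else json.loads(raw)


if __name__ == "__main__":
    blob = provision(TRUSTED_STACK, os.urandom(16).hex(), {"member": "alice", "reads_this_hour": 3})
    print("trusted boot :", recover(TRUSTED_STACK, blob))
    tampered = TRUSTED_STACK[:-1] + [b"trm-1.2-patched-to-skip-policy"]
    print("tampered boot:", recover(tampered, blob))
```

Because the PCR is a hash chain, replacing any component, or loading the same components in a different order, changes the final value and the bundle stays sealed; this is what lets the local attributes of the enforcement model be trusted only when the measured TRM is the one the CC provisioned.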
Trusted Computing Technology
Need crypto and access control.
Requirements:
• Hide the root keys
• Authorize use of root keys, with respect to software and with respect to people
• Curtained memory
• Remote attestation
• Translation of policy, e.g., policy in XACML to policy in SELinux
Conclusion
Some very interesting challenges ahead and some very exciting research to be done.
Requires collaboration between domain experts, technology experts and security experts.