1 / 29

Evaluating the Usability of Usage Controls in Electronic Collaboration

This study evaluates the usability of usage controls in electronic collaboration to address the risk of information misuse. It explores the potential of usage controls to reduce the reliance on non-disclosure agreements (NDAs) and increase collaboration opportunities.

eliciaj
Download Presentation

Evaluating the Usability of Usage Controls in Electronic Collaboration

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Evaluating the Usability of Usage Controls in Electronic Collaboration José Brustoloni, Ricardo Villamarín-Salomón, Peter Djalaliev and David Kyle Dept. Computer Science University of Pittsburgh {jcb,rvillsal,peterdj,dkyle}@cs.pitt.edu

  2. Electronic collaboration and info misuse • Electronic collaboration can greatly increase productivity • Many examples in design, supply chain, service • Impediment: risk of and liability for information misuse • Existing solution: non-disclosure agreements (NDAs) • Legally obligates collaborator • Can take months to get signed • Very expensive and time-consuming to enforce in court • Result: many potential collaborations don’t happen J. Brustoloni

  3. Usage controls • Usage controls enable information providers to limit technically how recipients may use the information • e.g., copy, print, redistribute, retain beyond a certain time • Applications increasingly provide them • e.g., Adobe Acrobat, OpenOffice • Might reduce expected cost of NDAs, or replace them • Problems • Recipes for cracking easily available from Web • Often do not interoperate • Usability? J. Brustoloni

  4. Example from OpenOffice J. Brustoloni

  5. UCLinux • Linux Security Module • Enables hardening software-based usage controls (e.g., PDF’s) with hardware-based ones • Hardware-based usage controls employ security coprocessor (TPM) and are harder to crack • Web server and browser are modified • No modifications needed in other applications (e.g., Acrobat, OpenOffice, xpdf) J. Brustoloni

  6. Outline • Threat model • Background on TPMs • Overview of UCLinux • User interfaces • Authoring • Acceptance • Hierarchical • User study • Related work • Conclusions J. Brustoloni

  7. Threat model • Attacker is merely opportunistic • May have administrative rights • Can use any software-based attack • Does not use any hardware-based attacks J. Brustoloni

  8. Background on Trusted Platform Modules • Standardized, low-cost security coprocessors • Present in many commercially available computers • Require immutable TPM-aware BIOS boot block • Chain of trust • Each component in boot sequence measures integrity of next component and extends result into a TPM platform configuration register (PCR) • Only way to undo is to reset computer • Attestation: Secure verification of remote computer’s configuration • TPM signs nonce and PCR values • Sealing: Binding a secret to a particular configuration • TPM decrypts secret only if PCR values are same J. Brustoloni

  9. UCLinux: TCB prelogging and usage-controlled file system • At boot time, UCLinux optimistically extends expected integrity measurement of each TCB component, according to configuration file (TCB list) • Results in repeatable PCR values • UCFS is encrypted file system with secret key sealed to PCR values that result from boot sequence and TCB list • Can be mounted only if system has not been tampered • Hardware-based usage policies stored as extended attributes of UCFS files • May specify integrity measurements of programs trusted to open the file J. Brustoloni

  10. UCLinux: Policy enforcement • UCLinux measures the integrity of each program kernel executes • When program opens file with hardware-based usage policies, UCLinux enforces them • Cracked applications cannot open files with usage policies • Applications do not need to be changed to get this protection J. Brustoloni

  11. UCLinux: Exceptions • UCLinux monitors imminent security violation (ISV) exceptions: • TCB component’s integrity measurement at load time differs from that in TCB list, or • Privileged program loaded and is not in TCB list, or • Privileged user attempts to log interactively into system • In each case, UCLinux’s subsequent ability to enforce policies could be subverted J. Brustoloni

  12. UCLinux: Exception handling • Applications may register handler for ISV exception • Erase secrets from memory • UCLinux: • aborts processes with UCFS file open that have not have registered a handler • unmounts UCFS and erases any copy in memory of UCFS key • erases pages freed • After exception handling, system can be used normally, but without UCFS • UCFS remounted when system rebooted into trusted state J. Brustoloni

  13. Web server and browser modifications • If requested file has prepared usage policies, Web server returns these to client and requests TLS upgrade with TLS extension • If user accepts usage policies, browser initiates connection upgrade • During connection upgrade, Web server obtains client’s attestation • If Web server finds that client’s configuration is trustworthy, it completes upgrade and returns file • Browser stores file with usage policies in UCFS J. Brustoloni

  14. Preventing abuses • Browser is in TCB list and revealed in attestation • UCLinux guarantees that only trusted browser can get attestation and store files in UCFS • UCLinux enforces usage policies only for UCFS files J. Brustoloni

  15. Authoring: Contextual menu option for setting hardware-based usage policies J. Brustoloni

  16. Binding file to trusted application J. Brustoloni

  17. Specifying allowed period for accessing file J. Brustoloni

  18. Contextual menu option for posting file to Web site J. Brustoloni

  19. Dialog for confirming or canceling file posting J. Brustoloni

  20. Acceptance: Dialog for accepting usage policies of download file J. Brustoloni

  21. Hierarchical overriding policies: Dialog for confirming or canceling file posting J. Brustoloni

  22. Dialog for accepting usage policies of download file J. Brustoloni

  23. User study • Users role-played an engineer making a design decision based on usage-controlled files retrieved from Web • Two scenarios in automobile industry • First scenario performed without usage controls, second with • Based on specified criteria, select from 7 potential suppliers: • Alternative-fuel engine (electric, biodiesel, etc.) • Tires • Among the 7 documents: • 4 had acceptable usage policies and useful information (set A) • 3 did not have acceptable policies and indicated information was unavailable (set B) • No hierarchical overriding policies J. Brustoloni

  24. Participant characteristics J. Brustoloni

  25. User study results J. Brustoloni

  26. Interpretation of results • As desired, usage controls: • Greatly reduced number of documents with unacceptable policies downloaded • One participant downloaded but, after checking policies, did not open file with unacceptable policies • Had no impact on documents with acceptable policies downloaded • Most users (9/10) were able to post correct decision with correct usage policies, despite lack of training • One participant posted correct decision, but with incorrect usage policies • Slight increase in task completion time, but not statistically significant J. Brustoloni

  27. Participant perceptions • Users seem to find system usable and acceptable J. Brustoloni

  28. Related work • IBM Integrity Measurement Architecture (tcgLinux): • Loader measures and extends into TPM integrity of every program • Attempts to ensure that any tampering is measured, extended into TPM, and reported • Problems: • PCR values depend on load sequence • Sealing not possible • Mechanisms guarantee integrity but not confidentiality • Privacy: even programs that are not TCB components are disclosed • Bear/Enforcer: • Sealing but no attestation • Client’s system administrator (but not server) can set usage policies • Vulnerable to root attacks J. Brustoloni

  29. Conclusions • Hardware-based usage controls can prevent cracked applications from opening files with usage policies • UCLinux allows adding such controls without modifying existing applications (e.g., OpenOffice, xpdf) • UCLinux’s interfaces for posting and downloading files with usage policies are usable by untrained users • Insignificant impact on task accuracy or completion time J. Brustoloni

More Related