330 likes | 425 Views
PEI Models towards Scalable, Usable and High-assurance Information Sharing. Ravi Sandhu Institute for Cyber-Security Research Univ of Texas at San Antonio. Kumar Ranganathan Intel Systems Research Center Bangalore, India. Ram Krishnan Laboratory for Information Security Technology
E N D
PEI Models towards Scalable, Usable and High-assurance Information Sharing Ravi Sandhu Institute for Cyber-Security Research Univ of Texas at San Antonio Kumar Ranganathan Intel Systems Research Center Bangalore, India Ram Krishnan Laboratory for Information Security Technology George Mason University
Presentation Outline • Problem Description & Motivation • Background • Trusted Computing • Information Sharing • PEI Models for SIS • Future Work • Q&A
Problem Description & Motivation • Secure Information Sharing (SIS) • Share but protect • Distribute information and still retain control • Long-standing and unsolved problem • Current approaches to SIS: • Discretionary Access Control (DAC), Lampson 1971 • Fundamentally limited • Controls access to the original but not to copies (or extracts) • Mandatory Access Control (MAC), Bell-LaPadula 1971 • Solves the problem for coarse-grained sharing • Does not scale to fine-grained sharing • Explosion of security labels • Originator Control (ORCON), Graubart 1989 • Let copying happen but propagate ACLs to copies (or extracts)
…continued • SIS problem further amplified by the client-server model • No control once information leaves server • Current approaches are software-based • Inherently weak • Fundamental question: • How can I trust that policies will be enforced on clients in a trust-worthy manner? • Trusted Computing (TC) Technology features root of trust at hardware level • Potential to provide strong controls on client • Potential to solve SIS problem • We need a family of models to guide TC-based solutions
Trusted Computing • An industry standard/alliance • Proposed by Trusted Computing Group • Basic premise • Software alone cannot provide an adequate foundation for trust • TCG proposes root of trust at the hardware level using a Trusted Platform Module or TPM
TPM: 3 novel features • Trusted storage for keys • Encrypt user keys with a chain of keys • Root key is stored in TPM & never exposed • Trusted Capabilities • Operations exposed by the TPM • Guaranteed to be trust-worthy • Platform Configuration Registers (PCR) • Hardware registers used to store integrity of software (e.g. boot-chain)
TPM: An example functionality • Seal • Trusted capability • Encrypts and binds data to a PCR value • Data can be unsealed iff PCR value at unseal time matches with PCR value in sealed blob • Seal can be used to restrict data access • E.g. A program can access sensitive information only if the platform is in trustworthy state
What is Information Sharing? • Share but protect • Distribute information and still retain control • Requires strong controls on client • Server controls “information release” only • Purpose is larger than retail DRM... →
What is Information Sharing? Roshan Thomas and Ravi Sandhu, “Towards a Multi-Dimensional Characterization of Dissemination Control.” POLICY04.
With current state of knowledge the information sharing space is too complex to characterize in a comprehensive manner Look for areas that are of practical interest and where progress can be made Roshan Thomas and Ravi Sandhu, “Towards a Multi-Dimensional Characterization of Dissemination Control.” POLICY04.
Security and system goals (requirements/objectives) Policy models Enforcement models Implementation models Target platform, e.g., Trusted Computing Technology SDS Objectives • Super-distribution (encrypt once, access wherever authorized) • Requires a notion of a “group” • A subject is authorized to access a document if he is a group member • Problem scope: group-based SDS • Offline access • Document-level access control • Read-only document access
Security and system goals (requirements/objectives) Policy models Enforcement models Implementation models Target platform, e.g., Trusted Computing Technology SDS Policy Model • Characterize policies applicable to a group-based SDS problem domain
Various states of a group member • Access to current documents only (or) • Access to current documents and past documents • Access can be further restricted with rate and/or usage limits • Access can be further restricted on basis of individual user credentials • Past member loses access to all documents (or) • can access any document created during his membership (or) • can access documents he accessed during membership (or) • can access all documents created before he left the group (this includes the ones created before his join time) • all subject to possible additional rate, usage and user credential restrictions • No rejoin of past members is allowed, rejoin with new ID (or) • Past members rejoin the group just like any other user who has never been a member • The same access policies defined during his prior membership should again be enforced (or) • access policies could vary between membership cycles • Straight-forward. User has no access to any group documents. enroll Initial state: Never been a member State I Currently a member State II Past member State III enroll dis-enroll
Various states of a group document • Cannot be re-added. • When a document is re-added, it will be treated as a new document that is added into the group. • Only current members can access. • Past members and current members can access • No one can access • Any one can access • Past members can access • Straight-forward. No access to group members. • Access allowed only to current group members • Access allowed to current and past group members add Initial state: Never been a group doc State I Currently a group doc State II Past group doc State III add remove
Policy model: member enroll/dis-enroll enroll member TS-join TS-leave null null null True time of join null False time of join time of leave dis-enroll enroll enroll enroll, dis-enroll: authorized to Group-Admins Initial state: Never been a member State I Currently a member State II Past member State III enroll dis- enroll UCON elements: Pre-Authorization, attribute predicates, attribute mutability
Policy model: document add/remove add D-member D-TS-join D-TS-leave null null null True time of join null False time of join time of leave remove add add, remove : authorized to Group-Admins add Initial state: Never been a group doc State I Currently a group doc State II Past group doc State III remove add UCON elements: Pre-Authorization, attribute predicates, attribute mutability
Security and system goals (requirements/objectives) Policy models Enforcement models Implementation models Target platform, e.g., Trusted Computing Technology Enforcement Models • Develop enforcement models for SDS
SDS Enforcement Model Control Center (CC) • Two sets of attributes • Authoritative: as known to the CC • Local: as known on a member’s computer 4 2 3 5 7 1 • Member enroll and dis-enroll (steps 1-2, 5) • Document add and remove (step 6, 7) • Read policy enforcement (step 3) • Attribute update (step 4) Joining Member Group-Admin Member 6 D-Member Faithful Model: steps 3 and 4 are coupled Approximate Model: steps 3 and 4 are de-coupled
Security and system goals (requirements/objectives) Policy models Enforcement models Implementation models Target platform, e.g., Trusted Computing Technology Implementation Models • Develop implementation models for SDS
Implementation Model • Build a Trusted Reference Monitor (TRM) • The reference monitor on the group members that enforces group policies in a trust-worthy manner • Identify the Trusted Computing Base (TCB) • A minimal collection of entities that is absolutely essential to be in integral state in order to preserve security of the entire system • Objective • Build a TCB in order to enforce document read on group members using a TRM • Two Key requirements • Only TRM can access the group key and read/write subject and object attributes • TRM is provided with isolated environment to safely use the group/document keys
Implementation Model (continued) • Use TC mechanisms to bind group key + attributes to TRM
Coffee Shop Book Store Credit Credit Alice Future Work • Formal analysis of SIS policy models • SDS: object level • SCS: attribute level • Document/object Read and Write • SIS across multiple groups • Information flow issues • Document/object-level querying • Obtain sections of document/object SCS in M-commerce Scenario
Q&A Thanks! Policy, Enforcement, Implementation (PEI) layers Information Sharing Usage CONtrol model (UCON) Trusted Computing (TC)
Policy model: document read (S,O,read) • Pre-authorization check • member(S) ≠ null AND D-member(O) ≠ null AND TS-join(S) ≠ null AND D-TS-join(O) ≠ null AND • TS-leave(S) = null AND TS-join(S) ≤ D-TS-join(O) OR • TS-leave(S) ≠ null AND TS-join(S) ≤ D-TS-join(O) ≤ TS-leave(O) • Ongoing-authorization check: terminate if • D-TS-leave(O) ≠ null Details depend on details of group-level policy UCON elements: Pre-Authorization, attribute predicates, attribute mutability Ongoing-authorization
Enforcement Models • Design Principle • Do not inject new policy • Focus on trade-offs for instant and pre-emptive revocation versus off-line access • Faithful Enforcement w/o Off-line Access (Faithful Model): • We need continuous online touch (at start of every access and during access) • Continuous on-line touch can only be approximated • Usage-limited Off-line Access (Approximate Model): • We need online touch periodically after some duration (at start of every access and during access) • Duration between online touches can be based on time, but time is not practical for TPM-based TC • Duration between online touches can be based on usage count, which is practical for TPM-based TC
Faithful model highlights • enroll a member: two steps • Step 1: Group-admin issues enrollment token to Joining Member • Step 2: Joining Member presents token to CC and receives group membership credential • Group key (symmetric key) • Local attribute values • dis-enroll a member • Updates authoritative attributes at CC • Takes effect on local attributes at next update • add a document • Updates authoritative attributes at CC • remove a document • Updates authoritative attributes at CC • Propagated to clients as DRLs (Document Revocation List)
Faithful model highlights: (S,O,read) • Pre-Obligation • Local attributes of S and O are updated based on authoritative values from CC • Local DRL updated from authoritative DRL at CC • Pre-Condition • Requires connectivity to enable updates • Pre-Authorization • Based on just updated local attributes of S and O and DRL • Ongoing-Obligation • Local attributes of S and O continuously updated based on authoritative values from CC • Local DRL continuously updated from authoritative DRL at CC • Ongoing-Condition • Requires connectivity to enable updates • Ongoing-Authorization • Based on continuously updated local attributes of S and O and DRL UCON elements: Requires full power of UCON
Approximate model highlights • enroll a member: two steps • Step 1: Group-admin issues enrollment token to Joining Member • Step 2: Joining Member presents token to CC and receives group membership credential • Group key (symmetric key) • Local attribute values • dis-enroll a member • Updates authoritative attributes at CC • Takes effect on local attributes at next update • add a document • Updates authoritative attributes at CC • remove a document • Updates authoritative attributes at CC • Propagated to clients as DRLs (Document Revocation List) Different from Faithful model
Approximate model highlights: (S,O,read) • Pre-Obligation • Local attributes of S and O are periodically updated based on authoritative values from CC • Pre-Condition • Requires connectivity to enable updates when required • Pre-Authorization • Based on just updated local attributes of S and O • Ongoing-Obligation • Local attributes of S and O are continuously periodically updated based on authoritative values from CC • Ongoing-Condition • Requires connectivity to enable updates when required • Ongoing-Authorization • Based on continuously periodically updated local attributes of S and O UCON elements: Requires full power of UCON
Contributions & Conclusions • SIS is a broad and complex problem • PEI framework, UCON model and TC are highly useful for approaching the SIS problem space • First steps towards developing a family of models for SIS problem domain • Classify SIS into two distinct levels: • Object-level SIS • Attribute-level SIS • Analyze object-level and attribute-level SIS • Demonstrate how TC can be used to address this long-standing problem • Possibly extend the UCON model • Leave with more open questions!