A Security Framework for a World of Post-PC Clients and Infrastructure-based Services
Steven Ross, Jason Hill, Michael Chen, Anthony D. Joseph, David E. Culler, Eric A. Brewer
Computer Science Division, U.C. Berkeley
{stevross, jhill, mikechen, adj, culler, brewer}@cs.berkeley.edu
http://www.cs.berkeley.edu/~stevross
Typical (Traditional) Internet Service
[Diagram: access device connected over The Internet to the service via HTTP/SSL]
• Assumes:
  • Private / trusted access device and software
  • Sufficient computational resources to secure the connection and display content
Scenario: Kiosks - Untrusted Endpoints
• Public (untrusted) computers will be pervasive
• Content filter hides private information
• Control filter limits the operations performed
• Decrease the content value instead of increasing the security level
Scenario: Low Power Info Appliances
• Limited computational abilities
• Low physical security
• Low reliability
• Limited input and display capabilities
• Users have multiple devices
Enable Secure Access from all Devices
• Security is fundamental to Universal Computing
  • Tremendous diversity emerging
  • No pre-planning: wide array of services and clients
  • Info flowing over a wide array of insecure links and clients
• Key leverage: Composable Secure Services
  • Automating scalability and availability eases task authoring
  • Build new services from component services
• Key tool: Transcoding Operators
  • Adapt content and security level to the desired use
Bridging the Gap
[Diagram: Composable Security Framework - client devices (PDA, Kiosk, Cell Phone, Pager, Laptop, Desktop) reach services (Stock Trading, Banking, Mail) through the Trusted Infrastructure]
Content Transformers
• Client side
  • Decouple device I/O capabilities from services
  • A new client transformer enables access to existing content
• Server side
  • Transform content and control to a canonical representation
  • Filtered by application logic
  • Easily rendered by the client-side content transformer
[Diagram: Composable Security Framework with client-side (CTc) and server-side (CTs) content transformers in the Trusted Infrastructure between the devices and the services; CT: Content Transformer]
Security Adaptors
• Secure channel in depends on device capabilities
• Secure channel out depends on the Internet service
• Examples
  • Low-power info appliance
  • International kiosk
[Diagram: Composable Security Framework with a Security Adapter (SA) at the device edge and at the service edge of the Trusted Infrastructure, CTc and CTs between them; SA: Security Adapter, CT: Content Transformer]
Identity Service
• Secure repository
• Key component for enabling access from untrusted endpoints
• Critical level of indirection and information hiding
• Mitigates the problem of replicating identities
• Promotes use of secure username/password pairs
[Diagram: Composable Security Framework with the Identity Service added to the Trusted Infrastructure alongside the SAs, CTc and CTs; SA: Security Adapter, CT: Content Transformer]
Filter and Control Modifier
• Identity translation
• Add new or remove existing control functionality
  • Add logout button
  • Remove ability to trade, write checks, drop a class, etc.
• Remove sensitive content
  • Account balances, email addresses, names
[Diagram: Composable Security Framework with the Filter & Control Modifier (FCM) placed between CTc and CTs and backed by the Identity Service; SA: Security Adapter, CT: Content Transformer, FCM: Filter & Control Modifier]
Illustration: Datek Access from Kiosk
[Diagram: Kiosk (SSL) - SA - CTc - FCM - CTs - SA - (SSL) Datek, with the FCM backed by the Identity Service; SA: Security Adapter, CT: Content Transformer, FCM: Filter & Control Modifier]
• Kiosk browser interacts with the security adaptor
• HTTP request passed to the FCM
  • No content transformer in the prototype
• FCM authenticates the pseudonym and one-time password
  • Substitutes the real user identity obtained from the Identity Service
• FCM passes the substituted data through to the outgoing security adaptor
• SA communicates with the Datek service over SSL
• FCM filters all remaining traffic
  • Removes sensitive information, e.g. account name, email address
  • Performs control filtering: adds a logout button
Illustration: Datek Access from PDA
[Diagram: PDA (Blowfish) - SA - CTc - FCM - CTs - SA - (SSL) Stock Trading service, with the FCM exchanging Auth Client / User Identity with the Identity Service; SA: Security Adapter, CT: Content Transformer, FCM: Filter & Control Modifier]
• Pilot connects to the security adaptor over a Blowfish-encrypted channel
• Shared-secret-key identity verified
• Content transformer
  • Simple Pilot commands to HTTP requests
  • HTML to the plain-text Pilot app format
• FCM examines HTTP requests and performs identity substitution
• Modified packets sent to the security adaptor
• Security adaptor establishes an HTTPS connection to the Datek service
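The FCM steps shared by the kiosk and PDA illustrations above (pseudonym and one-time password checked against the Identity Service, real identity substituted into the outgoing request, sensitive fields and controls filtered for the access profile), as an added Python sketch that is not the Ninja prototype's code; the identity store, the kiosk profile and the field names are constructed assumptions:

```python
import hashlib

# Constructed identity-service store (example data, not from the paper): pseudonym ->
# real service credentials plus the hashed one-time passwords still valid for it.
IDENTITY_STORE = {
    "kiosk-guest-17": {
        "real_user": "alice.real",
        "real_pass": "correct-horse-battery",
        "otp_hashes": {hashlib.sha256(b"otp-0001").hexdigest(),
                       hashlib.sha256(b"otp-0002").hexdigest()},
    }
}

# Per-profile filtering policy for an untrusted kiosk (hypothetical field/control names).
KIOSK_PROFILE = {
    "hide_content": {"account_name", "email"},
    "remove_controls": {"trade"},
    "add_controls": ["logout"],
}


def resolve_identity(pseudonym, otp):
    """Identity Service lookup: verify pseudonym/OTP, consume the OTP, return real credentials."""
    entry = IDENTITY_STORE.get(pseudonym)
    if entry is None:
        return None
    digest = hashlib.sha256(otp.encode()).hexdigest()
    if digest not in entry["otp_hashes"]:
        return None  # unknown or already-used OTP: a replay captured at the kiosk is rejected
    entry["otp_hashes"].discard(digest)
    return entry["real_user"], entry["real_pass"]


def substitute_identity(login_form):
    """Inbound FCM step: swap the pseudonym/OTP typed at the endpoint for the real identity."""
    creds = resolve_identity(login_form.get("username", ""), login_form.get("password", ""))
    if creds is None:
        return None
    substituted = dict(login_form)
    substituted["username"], substituted["password"] = creds
    return substituted


def filter_content(canonical_page, profile):
    """Outbound FCM step: hide sensitive fields and adjust controls for the access profile."""
    content = {k: v for k, v in canonical_page["content"].items()
               if k not in profile["hide_content"]}
    controls = [c for c in canonical_page["controls"]
                if c not in profile["remove_controls"]]
    controls += [c for c in profile["add_controls"] if c not in controls]
    return {"content": content, "controls": controls}
```

The real credentials never leave the trusted infrastructure: the endpoint only ever sees the pseudonym, the one-time password and the filtered canonical page.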
Composable Security Framework
• Paths from devices to services can be dynamically created
• Multiple transcoders may be composed for a path
[Diagram: each device (PDA, Kiosk, Cell Phone, Pager, Laptop, Desktop) enters the Trusted Infrastructure through its own SA; per-service chains CTc - FCM - CTs lead to Stock Trading, Banking and Mail; Auth Client, Auth Service and User Identity are exchanged with the Identity Service; SA: Security Adapter, CT: Content Transformer, FCM: Filter & Control Modifier]
Key Design Points
• Security and content both transformed
  • Security adaptors based on device capability and link
  • Information hiding based on device, user role, and link
• Composing services
  • Trust model must be carefully considered
• Extensible
  • New devices easily added by writing the appropriate component if it doesn't already exist
• Scalability / fault tolerance
  • Runs in the Ninja distributed execution environment
  • Components replicated among nodes in a cluster
Other Applications
• Meta-trade environment
  • Aggregation: provide the most valuable composition of content
• Multi-user or manager account
  • Owner of the account can view all content
  • Account manager only views the selected pieces essential to the role
  • Example: a trade-bot only needs stock quotes and rules; account value and private information are hidden from the trade-bot
• Short-lived and persistent pseudonyms
• Support sharing of PDAs
  • Now have an untrusted low-power device
  • Compose the kiosk FCM and PDA components to handle this scenario
Security Assessment
• Untrusted endpoint
  • May still alter information
• Identity Service
  • A primary point to attack
• PDA keys
  • I/O methods limit the strength of generated keys
• Dynamic trust model
  • New functionality added, e.g. Citibank online payment
  • User must explicitly grant functionality for each profile
Future Work
• Implementation of additional content, control and security transformers
  • Additional web services
  • Other services: IMAP, LDAP, e-commerce, etc.
  • Additional devices: pagers, phones
• Development of a common data exchange format for the FCM
  • XML for the canonical representation, XSL for rendering to the device
Take-Away
• New security requirements of Post-PC devices
  • Supports access from insecure endpoints
  • Precise control of information exposure (access device / role)
• Composable services in the infrastructure
  • New level of "programming"
• Towards an Architecture for Universal Computing
  • Diverse concurrent development: 1 to many, meta-services, aggregation services
  • Many to one, heterogeneous clients
• Eureka phenomenon
  • Most fundamental services probably yet to be discovered
  • Ex: identity service
  • Only find them by building the world and living in it