
PEI Models towards Scalable, Usable and High-assurance Information Sharing

PEI Models towards Scalable, Usable and High-assurance Information Sharing. Ravi Sandhu Institute for Cyber-Security Research Univ of Texas at San Antonio. Kumar Ranganathan Intel Systems Research Center Bangalore, India. Ram Krishnan Laboratory for Information Security Technology


Presentation Transcript


  1. PEI Models towards Scalable, Usable and High-assurance Information Sharing Ravi Sandhu Institute for Cyber-Security Research Univ of Texas at San Antonio Kumar Ranganathan Intel Systems Research Center Bangalore, India Ram Krishnan Laboratory for Information Security Technology George Mason University

  2. Presentation Outline • Problem Description & Motivation • Background • Trusted Computing • Information Sharing • PEI Models for SIS • Future Work • Q&A

  3. Problem Description & Motivation • Secure Information Sharing (SIS) • Share but protect • Distribute information and still retain control • Long-standing and unsolved problem • Current approaches to SIS: • Discretionary Access Control (DAC), Lampson 1971 • Fundamentally limited • Controls access to the original but not to copies (or extracts) • Mandatory Access Control (MAC), Bell-LaPadula 1971 • Solves the problem for coarse-grained sharing • Does not scale to fine-grained sharing • Explosion of security labels • Originator Control (ORCON), Graubart 1989 • Let copying happen but propagate ACLs to copies (or extracts)

  4. …continued • SIS problem further amplified by the client-server model • No control once information leaves the server • Current approaches are software-based • Inherently weak • Fundamental question: • How can I trust that policies will be enforced on clients in a trustworthy manner? • Trusted Computing (TC) Technology features a root of trust at the hardware level • Potential to provide strong controls on the client • Potential to solve the SIS problem • We need a family of models to guide TC-based solutions

  5. Background

  6. Trusted Computing • An industry standard/alliance • Proposed by Trusted Computing Group • Basic premise • Software alone cannot provide an adequate foundation for trust • TCG proposes root of trust at the hardware level using a Trusted Platform Module or TPM

  7. TPM: 3 novel features • Trusted storage for keys • Encrypt user keys with a chain of keys • Root key is stored in the TPM & never exposed • Trusted Capabilities • Operations exposed by the TPM • Guaranteed to be trustworthy • Platform Configuration Registers (PCR) • Hardware registers used to store integrity measurements of software (e.g. boot-chain)

  8. TPM: An example functionality • Seal • Trusted capability • Encrypts and binds data to a PCR value • Data can be unsealed iff the PCR value at unseal time matches the PCR value in the sealed blob • Seal can be used to restrict data access • E.g. a program can access sensitive information only if the platform is in a trustworthy state

  9. What is Information Sharing? • Share but protect • Distribute information and still retain control • Requires strong controls on the client • Server controls “information release” only • Purpose is larger than retail DRM...

  10. What is Information Sharing? Roshan Thomas and Ravi Sandhu, “Towards a Multi-Dimensional Characterization of Dissemination Control.” POLICY04.

  11. With the current state of knowledge, the information sharing space is too complex to characterize in a comprehensive manner. Look for areas that are of practical interest and where progress can be made. Roshan Thomas and Ravi Sandhu, “Towards a Multi-Dimensional Characterization of Dissemination Control.” POLICY04.

  12. PEI Models for SDS

  13. SDS Objectives [Figure: PEI layers, i.e. security and system goals (requirements/objectives) → policy models → enforcement models → implementation models → target platform, e.g., Trusted Computing Technology] • Super-distribution (encrypt once, access wherever authorized) • Requires a notion of a “group” • A subject is authorized to access a document if he is a group member • Problem scope: group-based SDS • Offline access • Document-level access control • Read-only document access

  14. SDS Policy Model [Figure: PEI layers, policy-model layer highlighted] • Characterize policies applicable to a group-based SDS problem domain

  15. Various states of a group member [State diagram: State I (never been a member) --enroll--> State II (currently a member) --dis-enroll--> State III (past member) --enroll--> State II]
  State I (never been a member): • Straightforward. User has no access to any group documents.
  State II (currently a member): • Access to current documents only (or) • Access to current documents and past documents • Access can be further restricted with rate and/or usage limits • Access can be further restricted on the basis of individual user credentials
  State III (past member): • Past member loses access to all documents (or) • can access any document created during his membership (or) • can access documents he accessed during membership (or) • can access all documents created before he left the group (this includes the ones created before his join time) • all subject to possible additional rate, usage and user credential restrictions
  Rejoin of past members: • No rejoin of past members is allowed, rejoin with new ID (or) • Past members rejoin the group just like any other user who has never been a member • The same access policies defined during his prior membership should again be enforced (or) • access policies could vary between membership cycles

  16. Various states of a group document [State diagram: State I (never been a group doc) --add--> State II (currently a group doc) --remove--> State III (past group doc) --add--> State II]
  State I (never been a group doc): • Straightforward. No access to group members.
  State II (currently a group doc): • Access allowed only to current group members • Access allowed to current and past group members
  State III (past group doc): • Cannot be re-added. • When a document is re-added, it will be treated as a new document that is added into the group. • Only current members can access. • Past members and current members can access • No one can access • Any one can access • Past members can access

  17. Policy model: member enroll/dis-enroll
  Subject attribute values per state (member, TS-join, TS-leave):
    State I (never been a member):   null, null, null
    State II (currently a member):   True, time of join, null
    State III (past member):         False, time of join, time of leave
  Transitions: enroll (State I → State II), dis-enroll (State II → State III), enroll (State III → State II)
  enroll, dis-enroll: authorized to Group-Admins
  UCON elements: Pre-Authorization, attribute predicates, attribute mutability

  18. Policy model: document add/remove
  Document attribute values per state (D-member, D-TS-join, D-TS-leave):
    State I (never been a group doc):   null, null, null
    State II (currently a group doc):   True, time of join, null
    State III (past group doc):         False, time of join, time of leave
  Transitions: add (State I → State II), remove (State II → State III), add (State III → State II)
  add, remove: authorized to Group-Admins
  UCON elements: Pre-Authorization, attribute predicates, attribute mutability

  19. Enforcement Models [Figure: PEI layers, enforcement-model layer highlighted] • Develop enforcement models for SDS

  20. SDS Enforcement Model [Figure: Control Center (CC), Group-Admin, Joining Member, Member and D-Member, with numbered message flows 1-7 between them] • Two sets of attributes • Authoritative: as known to the CC • Local: as known on a member’s computer • Member enroll and dis-enroll (steps 1-2, 5) • Document add and remove (steps 6, 7) • Read policy enforcement (step 3) • Attribute update (step 4) • Faithful Model: steps 3 and 4 are coupled • Approximate Model: steps 3 and 4 are de-coupled

  21. Implementation Models [Figure: PEI layers, implementation-model layer highlighted] • Develop implementation models for SDS

  22. Implementation Model • Build a Trusted Reference Monitor (TRM) • The reference monitor on the group members that enforces group policies in a trustworthy manner • Identify the Trusted Computing Base (TCB) • A minimal collection of entities that must be in an integral state in order to preserve the security of the entire system • Objective • Build a TCB in order to enforce document read on group members using a TRM • Two key requirements • Only the TRM can access the group key and read/write subject and object attributes • The TRM is provided with an isolated environment to safely use the group/document keys

  23. Implementation Model (continued) • Use TC mechanisms to bind group key + attributes to TRM

  24. Future Work [Figure: SCS in M-commerce Scenario, showing Alice, a Coffee Shop and a Book Store exchanging credit] • Formal analysis of SIS policy models • SDS: object level • SCS: attribute level • Document/object Read and Write • SIS across multiple groups • Information flow issues • Document/object-level querying • Obtain sections of document/object

  25. Q&A Thanks! Keywords: Policy, Enforcement, Implementation (PEI) layers; Information Sharing; Usage CONtrol model (UCON); Trusted Computing (TC)

  26. Backup

  27. Policy model: document read (S,O,read) • Pre-authorization check: member(S) ≠ null AND D-member(O) ≠ null AND TS-join(S) ≠ null AND D-TS-join(O) ≠ null AND ( (TS-leave(S) = null AND TS-join(S) ≤ D-TS-join(O)) OR (TS-leave(S) ≠ null AND TS-join(S) ≤ D-TS-join(O) ≤ TS-leave(S)) ) • Ongoing-authorization check: terminate if D-TS-leave(O) ≠ null • Details depend on details of the group-level policy. UCON elements: Pre-Authorization, Ongoing-authorization, attribute predicates, attribute mutability
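As an added illustration (not code from the slides or the authors), the attribute-based policy model of slides 17, 18 and 27 in Python: the group-admin operations mutate subject and document attributes, and the read decision is the pre-authorization predicate of slide 27 followed by the ongoing check. Attribute names follow the slides; the integer timestamps and the `Subject`/`Document` classes are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed attribute records (assumed representation). None stands for "null".
@dataclass
class Subject:
    member: Optional[bool] = None    # null: never a member, True: current, False: past
    ts_join: Optional[int] = None    # TS-join
    ts_leave: Optional[int] = None   # TS-leave

@dataclass
class Document:
    d_member: Optional[bool] = None  # D-member
    d_ts_join: Optional[int] = None  # D-TS-join
    d_ts_leave: Optional[int] = None # D-TS-leave

# Attribute mutability: the Group-Admin operations of slides 17 and 18.
def enroll(s: Subject, now: int) -> None:
    s.member, s.ts_join, s.ts_leave = True, now, None     # State I/III -> State II

def dis_enroll(s: Subject, now: int) -> None:
    s.member, s.ts_leave = False, now                     # State II -> State III

def add(o: Document, now: int) -> None:
    o.d_member, o.d_ts_join, o.d_ts_leave = True, now, None

def remove(o: Document, now: int) -> None:
    o.d_member, o.d_ts_leave = False, now

# Pre-authorization for (S, O, read), slide 27. Group-level policy variants
# (e.g. past members keeping access to documents added before they joined)
# would change the two comparisons below.
def pre_authorize_read(s: Subject, o: Document) -> bool:
    if s.member is None or o.d_member is None:
        return False
    if s.ts_join is None or o.d_ts_join is None:
        return False
    current = s.ts_leave is None and s.ts_join <= o.d_ts_join
    past = s.ts_leave is not None and s.ts_join <= o.d_ts_join <= s.ts_leave
    return current or past

# Ongoing-authorization: an in-progress read terminates once O is removed.
def ongoing_read_allowed(o: Document) -> bool:
    return o.d_ts_leave is None
```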

  28. Enforcement Models • Design Principle • Do not inject new policy • Focus on trade-offs for instant and pre-emptive revocation versus off-line access • Faithful Enforcement w/o Off-line Access (Faithful Model): • We need continuous online touch (at start of every access and during access) • Continuous on-line touch can only be approximated • Usage-limited Off-line Access (Approximate Model): • We need online touch periodically after some duration (at start of every access and during access) • Duration between online touches can be based on time, but time is not practical for TPM-based TC • Duration between online touches can be based on usage count, which is practical for TPM-based TC

  29. Faithful model highlights • enroll a member: two steps • Step 1: Group-admin issues enrollment token to Joining Member • Step 2: Joining Member presents token to CC and receives group membership credential • Group key (symmetric key) • Local attribute values • dis-enroll a member • Updates authoritative attributes at CC • Takes effect on local attributes at next update • add a document • Updates authoritative attributes at CC • remove a document • Updates authoritative attributes at CC • Propagated to clients as DRLs (Document Revocation List)

  30. Faithful model highlights: (S,O,read) • Pre-Obligation • Local attributes of S and O are updated based on authoritative values from CC • Local DRL updated from authoritative DRL at CC • Pre-Condition • Requires connectivity to enable updates • Pre-Authorization • Based on just updated local attributes of S and O and DRL • Ongoing-Obligation • Local attributes of S and O continuously updated based on authoritative values from CC • Local DRL continuously updated from authoritative DRL at CC • Ongoing-Condition • Requires connectivity to enable updates • Ongoing-Authorization • Based on continuously updated local attributes of S and O and DRL UCON elements: Requires full power of UCON

  31. Approximate model highlights • enroll a member: two steps • Step 1: Group-admin issues enrollment token to Joining Member • Step 2: Joining Member presents token to CC and receives group membership credential • Group key (symmetric key) • Local attribute values • dis-enroll a member • Updates authoritative attributes at CC • Takes effect on local attributes at next update • add a document • Updates authoritative attributes at CC • remove a document • Updates authoritative attributes at CC • Propagated to clients as DRLs (Document Revocation List) [Callout on slide: Different from Faithful model]

  32. Approximate model highlights: (S,O,read) • Pre-Obligation • Local attributes of S and O are periodically updated based on authoritative values from CC • Pre-Condition • Requires connectivity to enable updates when required • Pre-Authorization • Based on just updated local attributes of S and O • Ongoing-Obligation • Local attributes of S and O are periodically (rather than continuously) updated based on authoritative values from CC • Ongoing-Condition • Requires connectivity to enable updates when required • Ongoing-Authorization • Based on periodically updated local attributes of S and O UCON elements: Requires full power of UCON

  33. Contributions & Conclusions • SIS is a broad and complex problem • PEI framework, UCON model and TC are highly useful for approaching the SIS problem space • First steps towards developing a family of models for SIS problem domain • Classify SIS into two distinct levels: • Object-level SIS • Attribute-level SIS • Analyze object-level and attribute-level SIS • Demonstrate how TC can be used to address this long-standing problem • Possibly extend the UCON model • Leave with more open questions!
