290 likes | 411 Views
Evaluating the Usability of Usage Controls in Electronic Collaboration. José Brustoloni, Ricardo Villamarín-Salomón, Peter Djalaliev and David Kyle Dept. Computer Science University of Pittsburgh {jcb,rvillsal,peterdj,dkyle}@cs.pitt.edu. Electronic collaboration and info misuse.
E N D
Evaluating the Usability of Usage Controls in Electronic Collaboration José Brustoloni, Ricardo Villamarín-Salomón, Peter Djalaliev and David Kyle Dept. Computer Science University of Pittsburgh {jcb,rvillsal,peterdj,dkyle}@cs.pitt.edu
Electronic collaboration and info misuse • Electronic collaboration can greatly increase productivity • Many examples in design, supply chain, service • Impediment: risk of and liability for information misuse • Existing solution: non-disclosure agreements (NDAs) • Legally obligates collaborator • Can take months to get signed • Very expensive and time-consuming to enforce in court • Result: many potential collaborations don’t happen J. Brustoloni
Usage controls • Usage controls enable information providers to limit technically how recipients may use the information • e.g., copy, print, redistribute, retain beyond a certain time • Applications increasingly provide them • e.g., Adobe Acrobat, OpenOffice • Might reduce expected cost of NDAs, or replace them • Problems • Recipes for cracking easily available from Web • Often do not interoperate • Usability? J. Brustoloni
Example from OpenOffice J. Brustoloni
UCLinux • Linux Security Module • Enables hardening software-based usage controls (e.g., PDF’s) with hardware-based ones • Hardware-based usage controls employ security coprocessor (TPM) and are harder to crack • Web server and browser are modified • No modifications needed in other applications (e.g., Acrobat, OpenOffice, xpdf) J. Brustoloni
Outline • Threat model • Background on TPMs • Overview of UCLinux • User interfaces • Authoring • Acceptance • Hierarchical • User study • Related work • Conclusions J. Brustoloni
Threat model • Attacker is merely opportunistic • May have administrative rights • Can use any software-based attack • Does not use any hardware-based attacks J. Brustoloni
Background on Trusted Platform Modules • Standardized, low-cost security coprocessors • Present in many commercially available computers • Require immutable TPM-aware BIOS boot block • Chain of trust • Each component in boot sequence measures integrity of next component and extends result into a TPM platform configuration register (PCR) • Only way to undo is to reset computer • Attestation: Secure verification of remote computer’s configuration • TPM signs nonce and PCR values • Sealing: Binding a secret to a particular configuration • TPM decrypts secret only if PCR values are same J. Brustoloni
UCLinux: TCB prelogging and usage-controlled file system • At boot time, UCLinux optimistically extends expected integrity measurement of each TCB component, according to configuration file (TCB list) • Results in repeatable PCR values • UCFS is encrypted file system with secret key sealed to PCR values that result from boot sequence and TCB list • Can be mounted only if system has not been tampered • Hardware-based usage policies stored as extended attributes of UCFS files • May specify integrity measurements of programs trusted to open the file J. Brustoloni
UCLinux: Policy enforcement • UCLinux measures the integrity of each program kernel executes • When program opens file with hardware-based usage policies, UCLinux enforces them • Cracked applications cannot open files with usage policies • Applications do not need to be changed to get this protection J. Brustoloni
UCLinux: Exceptions • UCLinux monitors imminent security violation (ISV) exceptions: • TCB component’s integrity measurement at load time differs from that in TCB list, or • Privileged program loaded and is not in TCB list, or • Privileged user attempts to log interactively into system • In each case, UCLinux’s subsequent ability to enforce policies could be subverted J. Brustoloni
UCLinux: Exception handling • Applications may register handler for ISV exception • Erase secrets from memory • UCLinux: • aborts processes with UCFS file open that have not have registered a handler • unmounts UCFS and erases any copy in memory of UCFS key • erases pages freed • After exception handling, system can be used normally, but without UCFS • UCFS remounted when system rebooted into trusted state J. Brustoloni
Web server and browser modifications • If requested file has prepared usage policies, Web server returns these to client and requests TLS upgrade with TLS extension • If user accepts usage policies, browser initiates connection upgrade • During connection upgrade, Web server obtains client’s attestation • If Web server finds that client’s configuration is trustworthy, it completes upgrade and returns file • Browser stores file with usage policies in UCFS J. Brustoloni
Preventing abuses • Browser is in TCB list and revealed in attestation • UCLinux guarantees that only trusted browser can get attestation and store files in UCFS • UCLinux enforces usage policies only for UCFS files J. Brustoloni
Authoring: Contextual menu option for setting hardware-based usage policies J. Brustoloni
Binding file to trusted application J. Brustoloni
Specifying allowed period for accessing file J. Brustoloni
Contextual menu option for posting file to Web site J. Brustoloni
Dialog for confirming or canceling file posting J. Brustoloni
Acceptance: Dialog for accepting usage policies of download file J. Brustoloni
Hierarchical overriding policies: Dialog for confirming or canceling file posting J. Brustoloni
Dialog for accepting usage policies of download file J. Brustoloni
User study • Users role-played an engineer making a design decision based on usage-controlled files retrieved from Web • Two scenarios in automobile industry • First scenario performed without usage controls, second with • Based on specified criteria, select from 7 potential suppliers: • Alternative-fuel engine (electric, biodiesel, etc.) • Tires • Among the 7 documents: • 4 had acceptable usage policies and useful information (set A) • 3 did not have acceptable policies and indicated information was unavailable (set B) • No hierarchical overriding policies J. Brustoloni
Participant characteristics J. Brustoloni
User study results J. Brustoloni
Interpretation of results • As desired, usage controls: • Greatly reduced number of documents with unacceptable policies downloaded • One participant downloaded but, after checking policies, did not open file with unacceptable policies • Had no impact on documents with acceptable policies downloaded • Most users (9/10) were able to post correct decision with correct usage policies, despite lack of training • One participant posted correct decision, but with incorrect usage policies • Slight increase in task completion time, but not statistically significant J. Brustoloni
Participant perceptions • Users seem to find system usable and acceptable J. Brustoloni
Related work • IBM Integrity Measurement Architecture (tcgLinux): • Loader measures and extends into TPM integrity of every program • Attempts to ensure that any tampering is measured, extended into TPM, and reported • Problems: • PCR values depend on load sequence • Sealing not possible • Mechanisms guarantee integrity but not confidentiality • Privacy: even programs that are not TCB components are disclosed • Bear/Enforcer: • Sealing but no attestation • Client’s system administrator (but not server) can set usage policies • Vulnerable to root attacks J. Brustoloni
Conclusions • Hardware-based usage controls can prevent cracked applications from opening files with usage policies • UCLinux allows adding such controls without modifying existing applications (e.g., OpenOffice, xpdf) • UCLinux’s interfaces for posting and downloading files with usage policies are usable by untrained users • Insignificant impact on task accuracy or completion time J. Brustoloni