
REFEREE: Trust Management for Web Applications



Presentation Transcript


  1. REFEREE: Trust Management for Web Applications
     Yang-hua Chu (MIT/W3C)
     Joint work with Joan Feigenbaum (AT&T Labs), Brian LaMacchia (AT&T Labs), Paul Resnick (AT&T Labs), Martin Strauss (AT&T Labs)

  2. Outline
     • Problem statement
     • Trust management
     • REFEREE trust management system
     • REFEREE reference implementation demo
     • Conclusion

  3. Example: code signing
     • Away from the shrink-wrapped model
     • Toward code distribution through the network

  4. Trust FAQ
     • Does X contain a virus that will erase my HD? [security]
     • Does X secretly collect information without my knowledge? [privacy]
     • Will X run on my 386? [capability]
     • Is X fun to play? [content]
     • Has X been tampered with? [integrity]
     • Who wrote X? [authentication]
     • Should I trust Y, who vouches for X? [delegation]

  5. Current technology is not enough: why should I trust those bits?
     • Digital Signature (RSA, DSA)
       • How many bits of signature is trustworthy?
       • What does the signature mean [PICS]?
       • How do I get the right public key to verify the signature?
     • Public Key Infrastructure (X.509, PGP, SDSI)
       • How do I get the CA’s public key?
       • What is this certificate authorized to do?
       • Whom do I trust to vouch for X?
     X = give me the public key of person Y, sign code, authenticate document, make this assertion, … etc.

  6. Trust management
     • ‘Decentralized Trust Management’ [BFL96]
     • Probes the question:
       • ‘Does this requested action, supported by credentials, conform to my policy?’
     • PolicyMaker
       • certificates are programs

  7. Trust management in code signing
     • Requested action: download and run this code.
     • Security policy: download the code only if signed by two entities that MIT endorses, and both entities must state in the signature that X is ‘safe’ according to MIT’s code safety practice.
     • Security credentials: relevant PICS labels and certificates.

  8. Other trust management applications in the WWW
     • document authentication and integrity
     • access control
     • on-line negotiation
     • electronic commerce
     • privacy protection
     • intellectual property rights
     • … more

  9. REFEREE
     • “Rule-controlled Environment For Evaluation of Rules and Everything Else”
     • Joint effort by researchers from AT&T Labs and W3C
     • Goal: create a general-purpose trust management system for Web applications

  10. REFEREE design principle
     • A ‘policy’ is a program
       • has a fixed language syntax and semantics
       • may call another policy
     • ‘Policy’ controls everything
       • order of execution under policy control
       • credential fetching under policy control
       • departure from the PolicyMaker [BFL96] approach

  11. REFEREE API
     • a sub-system embedded inside a Web application
     • can be in a browser, a proxy, or a server
     [diagram: Application → Dispatch → REFEREE (Actions); Input API: request with arguments; Output API: answer with justification]

  12. REFEREE Primitive Data Types
     • tri-values
       • TRUE, FALSE, UNKNOWN
     • statements and statement-lists
       • each statement is an s-expression
       • a pair of (<context>, <content>), both of which are also s-expressions
         ( “code-signing”, ((virus-checked 1) (network-access 0) … ) )

  13. REFEREE Primitive Data Types (continued)
     • policy
       • a triplet (<policy-name>, <policy-description>, <language-name>)
       • (“code-signing”, ..., “code-signing-language”)
       • (“code-signing”, <Java-code>, “Java”)
     • interpreter
       • a pair (<language-name>, <interpreter>)
       • (“code-signing-language”, <Java-code>)

  14. Bootstrapping REFEREE
     • The host application loads the REFEREE initial setting:
       • trust assertions
       • a database of policies
       • a database of interpreters
     • all bootstrapping information is unconditionally trusted

  15. Invoking REFEREE
     • input: a requested action and additional arguments
     • REFEREE gets the corresponding policy for that action
     • REFEREE executes the policy with the additional arguments
     • output: a tri-value and a list of statements

  16. REFEREE Demo
     • in English: “I only execute code if PCWeek says OK according to MIT code safety practice.”
     • the same policy in Profiles-0.92:
         (invoke "load-label" STATEMENT-LIST URL "http://web.mit.edu/safety" ("http://labels.com/"))
         (invoke "check-hash" STATEMENT-LIST)
         (false-if-unknown
           (match (("check-hash" *)
                   (* ((version "PICS-1.1") * (service "http://web.mit.edu/safety") *
                       (by "mailto:rater@pcweek.com") * (ratings * (RESTRICT > overall 8) * ))))
                  STATEMENT-LIST))

  17. Components of the REFEREE
     [diagram: Calling Module → bootstrap / invoke → REFEREE → Profiles-0.92 → Check-hash, Label-loader → Fetcher; call sequence numbered 1–6]

  18. Sample Query
     • application calls REFEREE: (“code-signing”, “http://foo/bar.class”)
     • line 1: gets the PICS label from the label bureau “http://label-bureau”:
         (PICS-1.1 "http://web.mit.edu/safety" labels by "mailto:rater@pcweek.com" md5 "7A2B1a2bA72BxyzyplehJQ==" ratings (crash 2 overall 10 virus 0))

  19. Sample Query (continued)
     • line 2: authenticates the signature and checks the source integrity
     • line 3: checks the confidence level > 8
     • returns TRUE (10 > 8)
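The demo policy of slides 16, 18 and 19, traced as an added example (not REFEREE's own code or the Profiles-0.92 interpreter). It assumes the tri-values TRUE/FALSE/UNKNOWN can be modelled as True/False/None, reduces line 2 to the md5 integrity check (no signature verification), and uses a constructed label and constructed sample code in place of http://foo/bar.class; the justification returned is the statement-list that survived check-hash.

```python
import base64
import hashlib

# Tri-values from slide 12, modelled as Python values (assumption, not REFEREE's representation).
TRUE, FALSE, UNKNOWN = True, False, None

# Constructed sample code standing in for http://foo/bar.class.
SAMPLE_CODE = b"class Bar {}"

# Constructed PICS-1.1 label in the shape of slide 18; the md5 is computed over
# SAMPLE_CODE so that check-hash can succeed on the untampered code.
SAMPLE_LABEL = {
    "version": "PICS-1.1",
    "service": "http://web.mit.edu/safety",
    "by": "mailto:rater@pcweek.com",
    "md5": base64.b64encode(hashlib.md5(SAMPLE_CODE).digest()).decode(),
    "ratings": {"crash": 2, "overall": 10, "virus": 0},
}

def load_label(service, bureau_labels):
    """Policy line 1: statements (context, content) for every bureau label about `service`."""
    return [("load-label", lbl) for lbl in bureau_labels if lbl["service"] == service]

def check_hash(statements, code):
    """Policy line 2 (integrity part only): keep labels whose md5 matches the code."""
    digest = base64.b64encode(hashlib.md5(code).digest()).decode()
    return [("check-hash", lbl) for _ctx, lbl in statements if lbl["md5"] == digest]

def match(statements, service, rater, restrict_overall):
    """Policy line 3: TRUE/FALSE from the first check-hash statement by the expected
    rater for the expected service; UNKNOWN when no such statement exists."""
    for ctx, lbl in statements:
        if ctx == "check-hash" and lbl["service"] == service and lbl["by"] == rater:
            return TRUE if lbl["ratings"]["overall"] > restrict_overall else FALSE
    return UNKNOWN

def false_if_unknown(tri_value):
    """A missing or unverifiable label must not permit execution."""
    return FALSE if tri_value is UNKNOWN else tri_value

def evaluate(code, bureau_labels):
    """Run the three-line policy; return (tri-value, justification statement-list)."""
    stmts = load_label("http://web.mit.edu/safety", bureau_labels)
    stmts = check_hash(stmts, code)
    verdict = false_if_unknown(
        match(stmts, "http://web.mit.edu/safety", "mailto:rater@pcweek.com", 8))
    return verdict, stmts
```

Tampered code or a label from a different rater never reaches `match` with a usable statement, so the verdict falls to UNKNOWN and then to FALSE; only a matching, hash-verified label with overall > 8 yields TRUE.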

  20. Recap of major REFEREE design principles
     • Local policy controls everything
     • Separate security policy specification from policy evaluation
       • policies are programs
       • Profiles-0.92 vs. PICS RULZ
     • Systematic, consistent, and modular management of trust

  21. Conclusion: Now and Future
     • Trust management is an important component for Web applications
     • REFEREE is our initial attempt to tackle the problem in the context of the WWW, and it provides insight for future research and development.

  22. Reference
     • REFEREE Website: http://www.w3.org/pub/WWW/PICS/TrustMgt
       • link to the REFEREE demo
       • link to the [BFL96] paper
     • [BFL96] M. Blaze, J. Feigenbaum, J. Lacy, “Decentralized Trust Management”, in Proceedings of the 1996 IEEE Symposium on Security and Privacy, pp. 164–173
     • Friday, 4/11, 4pm–5:30pm: trust management for Electronic Commerce
