REFEREE: Trust Management for Web Applications Yang-hua Chu (MIT/W3C) Joint Work with Joan Feigenbaum (AT&T Labs) Brian LaMacchia (AT&T Labs) Paul Resnick (AT&T Labs) Martin Strauss (AT&T Labs)
Outline • Problem statement • Trust management • REFEREE trust management system • REFEREE reference implementation demo • Conclusion
Example: code signing • Away from shrink-wrapped model • Toward code distribution through network
Trust FAQ • Does X contain a virus that will erase my HD? [security] • Does X secretly collect information without my knowledge? [privacy] • Will X run on my 386? [capability] • Is X fun to play? [content] • Has X been tampered with? [integrity] • Who wrote X? [authentication] • Should I trust Y who vouches for X? [delegation]
Current technology is not enough: why should I trust those bits? • Digital Signature (RSA, DSA) • How many bits of signature are trustworthy? • What does the signature mean [PICS]? • How do I get the right public key to verify the signature? • Public Key Infrastructure (X.509, PGP, SDSI) • How do I get the CA’s public key? • What is this certificate authorized to do? • Whom do I trust to vouch for X? • X = give me the public key of person Y, sign code, authenticate a document, make this assertion, … etc.
Trust management • ‘Decentralized Trust Management’ [BFL96] • Probes the question • ‘Does this requested action, supported by credentials, conform to my policy?’ • PolicyMaker • certificates are programs
Trust management in code signing • Requested action: download and run this code. • Security policy: download the code only if signed by two entities that MIT endorses, and both entities must state in the signature that X is ‘safe’ according to MIT’s code safety practice. • Security credentials: relevant PICS labels and certificates.
Other trust management applications in WWW • document authentication and integrity • access control • on-line negotiation • electronic commerce • privacy protection • intellectual property rights • … more
REFEREE • “Rule-controlled Environment For Evaluation of Rules and Everything Else” • Joint effort by researchers from AT&T Labs and W3C • Goal: create a general-purpose trust management system for Web applications
REFEREE design principle • A ‘policy’ is a program • has a fixed language syntax and semantics • may call another policy • ‘Policy’ controls everything • order of execution under policy control • credential fetching under policy control • departure from PolicyMaker [BFL96] approach
REFEREE API • a sub-system embedded inside a Web application • can be in a browser, a proxy, or a server • Input API: request with arguments • Output API: answer with justification [figure: Application → Dispatch → REFEREE → Actions]
REFEREE Primitive Data Types • tri-values • TRUE, FALSE, UNKNOWN • statements and statement-lists • each statement is an s-expression • a pair of (<context>, <content>), both are also s-expressions ( “code-signing”, ((virus-checked 1) (network-access 0) … ) )
REFEREE Primitive Data Types (continued) • policy • a triplet (<policy-name>, <policy description>, <language-name>) • (“code-signing”, ..., “code-signing-language”) • (“code-signing”, <Java-code>, “Java”) • interpreter • a pair (<language-name>, <interpreter>) • (“code-signing-language”, <Java-code>)
Bootstrapping REFEREE • The host application loads REFEREE initial setting: • trust assertions • a database of policies • a database of interpreters • all bootstrapping information is unconditionally trusted
Invoking REFEREE • input a requested action and additional arguments • REFEREE gets the corresponding policy for that action • REFEREE executes the policy with the additional arguments • output a tri-value and a list of statements
REFEREE Demo • in English: “I only execute code if PCWeek says OK according to MIT code safety practice.”
(invoke "load-label" STATEMENT-LIST URL "http://web.mit.edu/safety" ("http://labels.com/"))
(invoke "check-hash" STATEMENT-LIST)
(false-if-unknown
  (match (("check-hash" *)
          (* ((version "PICS-1.1") *
              (service "http://web.mit.edu/safety") *
              (by "mailto:rater@pcweek.com") *
              (ratings * (RESTRICT > overall 8) *))))
         STATEMENT-LIST))
Components of the REFEREE [figure: Calling Module → bootstrap / invoke → REFEREE → Profiles-0.92, Check-hash, Label-loader → Fetcher, with numbered call steps 1–6]
Sample Query • application calls REFEREE • (“code-signing”, “http://foo/bar.class”) • line 1: gets the PICS label from the label bureau “http://label-bureau” (PICS-1.1 "http://web.mit.edu/safety" labels by "mailto:rater@pcweek.com" md5 "7A2B1a2bA72BxyzyplehJQ==" ratings (crash 2 overall 10 virus 0))
Sample Query (Continued) • line 2: authenticates the signature and checks the source integrity • line 3: checks the confidence level > 8 • return TRUE (10 > 8)
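The three policy lines of the demo walked through above, modelled as an added example in Python (this is not code from the REFEREE project; dicts stand in for the s-expression statements, the label bureau and the md5 values are constructed, and the PICS label is reduced to the fields the policy inspects):

```python
from enum import Enum

class Tri(Enum):  # REFEREE's tri-value result type
    TRUE = "TRUE"
    FALSE = "FALSE"
    UNKNOWN = "UNKNOWN"

SERVICE, RATER, THRESHOLD = "http://web.mit.edu/safety", "mailto:rater@pcweek.com", 8
OTHER = "http://other.example/safety"  # constructed: a rating service the policy does not name
# Constructed stand-in for the label bureau: URL -> PICS-style labels (dicts replace the s-expressions).
LABEL_BUREAU = {
    "http://foo/bar.class": [
        {"service": SERVICE, "by": RATER, "md5": "hash-of-bar", "ratings": {"crash": 2, "overall": 10, "virus": 0}},
        {"service": OTHER, "by": "mailto:rater@other.example", "md5": "hash-of-bar", "ratings": {"overall": 10}}],
    "http://foo/risky.class": [
        {"service": SERVICE, "by": RATER, "md5": "hash-of-risky", "ratings": {"overall": 5}}],
}

def load_label(url, bureau):
    """Policy line 1: fetch the labels for url as ("load-label", <label>) statements."""
    return [("load-label", lab) for lab in bureau.get(url, [])]

def check_hash(statements, actual_md5):
    """Policy line 2: re-emit under the "check-hash" context only labels whose md5 matches the code."""
    return [("check-hash", lab) for ctx, lab in statements
            if ctx == "load-label" and lab.get("md5") == actual_md5]

def match_overall(statements):
    """Policy line 3: the (RESTRICT > overall 8) match. UNKNOWN when no hash-checked label
    from the expected service and rater carries an 'overall' rating."""
    for ctx, lab in statements:
        if ctx == "check-hash" and lab["service"] == SERVICE and lab["by"] == RATER \
                and "overall" in lab["ratings"]:
            return Tri.TRUE if lab["ratings"]["overall"] > THRESHOLD else Tri.FALSE
    return Tri.UNKNOWN

def false_if_unknown(value):
    """Fail closed: an inconclusive evaluation must not authorise the action."""
    return Tri.FALSE if value is Tri.UNKNOWN else value

def evaluate(url, actual_md5, bureau=LABEL_BUREAU):
    """Run the demo policy; return (tri-value, statement list) as REFEREE's output API does."""
    stmts = load_label(url, bureau)
    stmts += check_hash(stmts, actual_md5)
    return false_if_unknown(match_overall(stmts)), stmts
```

A tampered hash or a label from a service the policy does not trust leaves the match UNKNOWN, which false-if-unknown turns into a refusal; only an MIT-service label from the PCWeek rater with overall > 8 yields TRUE.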
Recap of major REFEREE design principles • Local policy controls everything • Separate security policy specification from policy evaluation • policies are programs • Profiles-0.92 vs. PICS RULZ • Systematic, consistent, and modular management of trust
Conclusion: Now and Future • Trust management is an important component for Web applications • REFEREE is our initial attempt to tackle the problem in the context of the WWW and it provides insight for future research and development.
Reference • REFEREE Website • http://www.w3.org/pub/WWW/PICS/TrustMgt • link to the REFEREE demo • link to [BFL96] paper • M. Blaze, J. Feigenbaum, J. Lacy, “Decentralized Trust Management”, in Proceedings of the 1996 Symposium on Security and Privacy, pp. 164-173 • Friday, 4/11, 4pm-5:30pm • trust management for Electronic Commerce