240 likes | 260 Views
Chameleon: Towards Usable RBAC. A. Chris Long Courtney Moskowitz, Greg Ganger ECE Department Carnegie Mellon University. Problem: Malware. Malware: viruses, trojan horses, worms, etc. Current approaches are inadequate Few address typical home user
E N D
Chameleon: Towards Usable RBAC A. Chris Long Courtney Moskowitz, Greg Ganger ECE Department Carnegie Mellon University
Problem: Malware • Malware: viruses, trojan horses, worms, etc. • Current approaches are inadequate • Few address typical home user • Malware enabler: all software has permission to do everything
Trojan horse Prepareforreinstall Theft of trade secrets Transfer btwn. work & home Problem: Higher Level View • The computer is too ignorant • Are these secure? • format c: • cp confidential-info /mnt/floppy • Can we get users to tell the computer more about what’s allowable?
Project Inspiration • People understand physical access • Different access at home for plumbers vs. accountant • What about file access control? • Answer: too fine-grained, rarely used • Few people can manage fine-grained security (e.g., file permissions) • Can we improve de facto security with coarse-grained security?
Chameleon: Coarse-grained Security • Partition computer into “roles”, e.g.: • Vault • Communication • Internet • Testing • System • Each app confined to its own role • Can we make this model usable?
Introduction Related Work Chameleon User Studies Discussion,Future Work, & Conclusions Outline
Related Work • HCISEC • Security usability [Whitten & Tygar 1999] • Design guidelines [Yee 2002] • WindowBox [Balfanz & Simon 2000] • HCI • Desktop info organization [Barreau & Nardi 1995] • WorkspaceMirror [Boardman 2002]
Related Work (cont’d) • Security models • Compartmented mode workstation[Berger, et al 1990] • Role-based access control[Ferraiolo & Kuhn 1992] • Sandboxing [Schmid, et al 2002]
Introduction Related Work Chameleon User Studies Discussion,Future Work, & Conclusions Outline
Chameleon • Research agenda • Interface design • Awareness • Control • Usability vs. and security • File organization synergy • Software design
Usable Role Management • Target audience: typical home computer user • Key properties • Intelligible • Convenient • Key tasks • Switching roles • Moving data & files across roles “Plan to throw the first one away. You will, anyway.” — Fred Brooks
Paper Prototype Security manager Unsafeapp. Personal files Comm. app.
Introduction Related Work Chameleon User Studies Discussion,Future Work, & Conclusions Security in Context Security Mechanisms Software prototype Outline
User Study 1:Security In Context • Goals • Observe ease of use of securityfeatures in realistic task • Explicit vs. implicit role switching • Results • Positive opinions about roles • Interface implications • Changed to single clipboard model • Keep implicit role switching • Keep plan for role customization
User Study 2: Security Interface Mechanisms • Goals • Evaluate desktop display options • Evaluate methods for security operations • Result summary • Generally positive: 5/6 would use interface • Opinion divided on desktop icon display • Liked drag and drop “I wish some of [your] designs…would be common practice amongst big leading software companies.” — An enthusiastic participant
Software Prototype Comm. apps. Testing app. Internet app.
Study 3: Software Prototype • Goals • Continue usability evaluation • Investigate appropriate feedback levels • 3 levels: minimal, animated, dialog box • Issues: subjective impact, prevent being tricked • Results • No quantitative effect of feedback on being tricked • Few participants caught tricks • Overall positive view of Chameleon • Security concerns generally correlated with positive views of Chameleon
Introduction Related Work Chameleon User Studies Discussion,Future Work, & Conclusions Outline
Discussion • Chameleon lessons • Make UI role-aware (file dialog) • Eliminate “active” role • Role purposes must be clear • Add “Neutral” or “Default” role • Make indicators active (Security Manager) • Need better role awareness • HCISEC evaluation • Laboratory setting ill-suited for evaluation of interaction with “normal” tasks
Future Work • Chameleon development • Improve UI design • Implement prototype usable by real apps • Deploy Chameleon for daily use • Continue investigation of • Security awareness & control • Software architecture for security
Conclusions • Chameleon work in progress • HCISEC UI design issues • Software architecture • HCISEC evaluation • Usable RBAC seems feasible
<= 0.5-baked Idea • Problem: How to run software with less than all permissions? • Solution: Attach trust/authority/ permission to user action (capability) • Propagate capability • Starts at input device • To OS, to toolkit, to application
Thank You chrislong@acm.org http://www.cs.cmu.edu/~chrisl (1 spot in my car for a short person)