Chameleon: Towards Usable RBAC

A. Chris Long
Courtney Moskowitz, Greg Ganger
ECE Department
Carnegie Mellon University
Problem: Malware
- Malware: viruses, trojan horses, worms, etc.
- Current approaches are inadequate
- Few address the typical home user
- Malware enabler: all software has permission to do everything

Problem: Higher-Level View
- The computer is too ignorant
- Are these secure?
    format c:                           Prepare for reinstall        vs.  Trojan horse
    cp confidential-info /mnt/floppy    Transfer btwn. work & home   vs.  Theft of trade secrets
- Can we get users to tell the computer more about what’s allowable?

Project Inspiration
- People understand physical access
  - Different access at home for plumbers vs. accountant
- What about file access control?
  - Answer: too fine-grained, rarely used
  - Few people can manage fine-grained security (e.g., file permissions)
- Can we improve de facto security with coarse-grained security?

Chameleon: Coarse-grained Security
- Partition computer into “roles”, e.g.:
  - Vault
  - Communication
  - Internet
  - Testing
  - System
- Each app confined to its own role
- Can we make this model usable?

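As an added illustration (not code from the Chameleon project), a toy model of the role partition on this slide and of the cross-role file movement discussed later: each app and each file carries one coarse role label, an app can open only files in its own role, and moving a file between roles is an explicit user action performed outside the app. Role names are the slide's; the class, app and file names are constructed.

```python
from dataclasses import dataclass, field

# Roles taken from the slide; every app and every file carries exactly one.
ROLES = {"Vault", "Communication", "Internet", "Testing", "System"}

class RoleViolation(Exception):
    """An app reached outside its role (hypothetical name)."""

@dataclass
class Chameleon:
    app_role: dict = field(default_factory=dict)   # app -> role it is confined to
    file_role: dict = field(default_factory=dict)  # path -> role the file lives in
    denied: list = field(default_factory=list)     # denied requests, for the Security Manager

    def install(self, app, role):
        self.app_role[app] = role

    def create(self, app, path):
        # A file an app writes is labelled with that app's role, nothing finer.
        self.file_role[path] = self.app_role[app]

    def open(self, app, path):
        # The only check: does the file live in the app's own role?
        role = self.app_role[app]
        if self.file_role.get(path) != role:
            self.denied.append((app, role, path))
            raise RoleViolation(f"{app} ({role}) may not open {path}")
        return True

    def move(self, path, dst_role, user_confirmed):
        # Cross-role movement is a user task done through the Security Manager,
        # not an operation an app can perform on its own.
        if not user_confirmed or dst_role not in ROLES:
            raise RoleViolation("cross-role move requires an explicit user action")
        self.file_role[path] = dst_role

def demo():
    # Constructed scenario: a downloaded program confined to Internet cannot read
    # the Vault; the user later moves a file to Communication in order to mail it.
    c = Chameleon()
    c.install("mail", "Communication")
    c.install("taxes", "Vault")
    c.install("unsafe_app", "Internet")
    c.create("taxes", "/home/alice/taxes.xls")
    try:
        c.open("unsafe_app", "/home/alice/taxes.xls")
    except RoleViolation:
        pass                                   # recorded in c.denied
    c.move("/home/alice/taxes.xls", "Communication", user_confirmed=True)
    c.open("mail", "/home/alice/taxes.xls")
    return c
```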
Outline
- Introduction
- Related Work
- Chameleon
- User Studies
- Discussion, Future Work, & Conclusions

Related Work
- HCISEC
  - Security usability [Whitten & Tygar 1999]
  - Design guidelines [Yee 2002]
  - WindowBox [Balfanz & Simon 2000]
- HCI
  - Desktop info organization [Barreau & Nardi 1995]
  - WorkspaceMirror [Boardman 2002]

Related Work (cont’d)
- Security models
  - Compartmented mode workstation [Berger et al. 1990]
  - Role-based access control [Ferraiolo & Kuhn 1992]
  - Sandboxing [Schmid et al. 2002]

Chameleon
- Research agenda
  - Interface design
    - Usability vs. security
      - Awareness
      - Control
    - File organization synergy
  - Software design

Usable Role Management
- Target audience: typical home computer user
- Key properties
  - Intelligible
  - Convenient
- Key tasks
  - Switching roles
  - Moving data & files across roles
“Plan to throw the first one away. You will, anyway.” — Fred Brooks

Paper Prototype
[Figure: paper prototype screen. Labelled regions: Security manager, Unsafe app., Personal files, Comm. app.]

Outline
- Introduction
- Related Work
- Chameleon
- User Studies
  - Security in Context
  - Security Mechanisms
  - Software prototype
- Discussion, Future Work, & Conclusions

User Study 1: Security in Context
- Goals
  - Observe ease of use of security features in a realistic task
  - Explicit vs. implicit role switching
- Results
  - Positive opinions about roles
  - Interface implications
    - Changed to single clipboard model
    - Keep implicit role switching
    - Keep plan for role customization

User Study 2: Security Interface Mechanisms
- Goals
  - Evaluate desktop display options
  - Evaluate methods for security operations
- Result summary
  - Generally positive: 5/6 would use interface
  - Opinion divided on desktop icon display
  - Liked drag and drop
“I wish some of [your] designs…would be common practice amongst big leading software companies.” — An enthusiastic participant

Software Prototype
[Figure: software prototype screen. Labelled regions: Comm. apps., Internet app., Testing app.]

Study 3: Software Prototype
- Goals
  - Continue usability evaluation
  - Investigate appropriate feedback levels
    - 3 levels: minimal, animated, dialog box
    - Issues: subjective impact, prevent being tricked
- Results
  - No quantitative effect of feedback on being tricked
  - Few participants caught tricks
  - Overall positive view of Chameleon
  - Security concerns generally correlated with positive views of Chameleon

Discussion
- Chameleon lessons
  - Make UI role-aware (file dialog)
  - Eliminate “active” role
  - Role purposes must be clear
  - Add “Neutral” or “Default” role
  - Make indicators active (Security Manager)
  - Need better role awareness
- HCISEC evaluation
  - Laboratory setting ill-suited for evaluation of interaction with “normal” tasks

Future Work
- Chameleon development
  - Improve UI design
  - Implement prototype usable by real apps
  - Deploy Chameleon for daily use
- Continue investigation of
  - Security awareness & control
  - Software architecture for security

Future Work (cont’d)
Level             | Pro                              | Con
------------------+----------------------------------+---------------------------
Operating System  | Single implementation            | No context information
Applications      | Context available                | Multiple impls.
Toolkit           | Some context available;          | Right abstractions unknown
                  | single (or few) implementations  |

Conclusions
- Chameleon work in progress
  - HCISEC UI design issues
  - Software architecture
  - HCISEC evaluation
- Usable RBAC seems feasible

<= 0.5-baked Idea
- Problem: How to run software with less than all permissions?
- Solution: Attach trust/authority/permission to user action (capability)
- Propagate capability
  - Starts at input device
  - To OS, to toolkit, to application

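An added sketch, not from the talk, of the idea above: the user's selection at the input device mints a capability in the kernel, the toolkit's file dialog hands it down to the application, and a read that presents no such capability fails even when the app knows the path. Class and function names are assumptions; the sample files are constructed.

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Capability:
    path: str
    token: str        # unforgeable nonce minted by the kernel, never by the app

class Kernel:
    """Holds the files and mints authority only in response to user input."""
    def __init__(self, files):
        self.files = files            # path -> contents (constructed sample data)
        self.granted = {}             # token -> path the user actually designated

    def input_device_selected(self, path):
        # Entry point for the real input event: the user's click is the grant.
        token = secrets.token_hex(16)
        self.granted[token] = path
        return Capability(path, token)

    def read(self, cap):
        # Authority check: the capability must be one this kernel minted for
        # exactly this path. A bare path name carries no authority at all.
        if self.granted.get(cap.token) != cap.path:
            raise PermissionError(f"no user-granted authority for {cap.path}")
        return self.files[cap.path]

class Toolkit:
    """File dialog layer: passes the user's choice down to the app as a capability."""
    def __init__(self, kernel):
        self.kernel = kernel
    def file_dialog(self, user_choice):
        return self.kernel.input_device_selected(user_choice)

def sample_system():
    # Constructed sample files; nothing here comes from the slides.
    return Kernel({"/home/alice/letter.txt": "Dear Bob, ...",
                   "/home/alice/vault/secret.txt": "trade secret"})

def app_open_via_dialog(toolkit, kernel, user_choice):
    # The app receives only what the user designated in the dialog.
    return kernel.read(toolkit.file_dialog(user_choice))

def app_names_file_directly(kernel, path):
    # An app that names a file itself holds no capability and gets nothing.
    try:
        return kernel.read(Capability(path, "0" * 32))
    except PermissionError:
        return None
```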
Thank You
chrislong@acm.org
http://www.cs.cmu.edu/~chrisl
(1 spot in my car for a short person)