Trust and Security in Virtual Communities
Andrew Martin
Oxford University Software Engineering Centre
eSI, January 2008, Theme Launch
(joint work with . . . lots of people)

Roadmap
1 security
  - previous focus
  - vulnerabilities
  - examples
2 trust
  - defining trust
  - non-transitivity
3 trustworthy infrastructure
4 theme

e-Science Security So Far
- much focus on requirements — good
- much focus on separating authZ from authN — good
- architecture of Grid has been most influential:
  - PKI identity certificates; proxy certificates; myProxy; Shibboleth
  - VOM, VOMS, Permis, attribute certificates
- we know there are significant usability problems
- we have been aware of relatively few known attacks
- there are plenty of application domains whose users would not dream of deploying real data (and/or software/models) under existing middleware

Security: Functional and non-functional
- “I can manage who gets access to this data-set”.
- “Certificates need to be signed by a recognised CA.”
- “This provenance data is reliable.”
- “The bad people can’t get in.”
- “These controls cannot be circumvented.”
- “This data will be deleted after use.”
Most non-functional security requirements involve proving a negative — testing doesn’t help very much.

Widest Picture
- Dimensions in technology, management, and psychology; security measures may be technical, organisational, physical.
- Appropriate security relies on risk assessment — it has to be ‘good enough’, not perfect.
- Intuition about rare/low-likelihood events is usually poor.
- The fatal approach is to leave security until later; make it someone else’s problem.

[Figure: likelihood plotted against impact]
Likelihood axis: Certain, Likely, Possible, Implausible
Resource levels marked against likelihood:
- Feasible for casual user
- Determined power user can achieve
- ‘Script Kiddie’ will do this
- Requires motivation and resourcing
- Province of organised crime, industrial espionage only
- Requires Government-scale resources
Resource requirements are just one aspect of likelihood.
Impact axis:
- Disclosure of much personal data
- Total loss of resource
- Disclosure of some personal data
- Falsification/tampering with experimental results
- Misappropriation of limited compute resources
- Premature disclosure of experimental data

Another Picture
Security as inhibitor vs Security as enabler

Another Tension
“Users are not the enemy” [Adams and Sasse]
We must make it easy for people to do their work, and hard to do things they shouldn’t.
Most of the authN/authZ work has been on the extent to which we trust the user.
What about the extent to which they trust the system?

Software has vulnerabilities
Every non-trivial piece of software has security problems.
- BOINC (SETI@home, climateprediction.net): 154 MB source distribution; vulnerabilities found by Cooper
- Condor: 214 MB source distribution
- Globus: 583 MB source distribution

Software has vulnerabilities
Hard to determine the scope of a given problem, but:
- Windows, Linux, Mozilla have much larger test/QA operations than our eScience software.
- Announcements of problems tend to minimise the real impact, for commercial reasons.
- Targeted attacks are becoming commonplace.
- eScience resources can be very valuable.
Ever since computing embraced multiprogramming, job separation has been a huge challenge – one which remains today.

The shape of the challenge
- Software has vulnerabilities
  - some are inherent to the design/architecture
  - some arise from coding flaws
  - we need to limit their impact
- Systems (of software, hardware, people, etc.) have vulnerabilities (e.g. there are untrustworthy system administrators!)
  - we need to limit their impact
- The whole business of creating VOs which span administrative boundaries causes deep, inherent problems
  - for many reasons, not least because there is no ‘super administrator’

climateprediction.net
- in the style of SETI@home
- users donate computer time
- running a climate model from the UK Met. Office
- predict 2050 climate, through a Monte Carlo simulation
- promoted by the BBC
- 100 000+ users
- BOINC platform

climateprediction.net security goals
Derive from over-all goal: To collect sufficient simulation data to enable validation of the climate model and accurate predictions of future climate behaviour.
- need to recruit and retain sufficient participants
  - they need confidence in the software
- need the returned data to be faithful to the model and parameters expected
  - project needs confidence in the participants’ computers

climateprediction.net security questions
- Will this application damage my computer?
- Are there viruses in it?
- Will it steal my personal information?
- Will it prevent me from using my computer normally?
- Does my data-set represent the result of running my chosen climate model?
- Does this particular data item come from the expected model?
c.f. Can I have confidence that the search process is complete?

Classical Dual Problem
- from the user’s perspective: untrusted code — trusted host
- from the scientist’s perspective: trusted code — untrusted host

Condor
- climateprediction.net has participants all over the world.
- Condor pools generally cover a single campus.
Are the Condor security goals similar to those for climateprediction.net, or different?

Clusters
- Condor clients are on the desktops of users all over the campus.
- Compute clusters are locked in a machine room.
Are the Condor security goals similar to those for a compute cluster, or different?
And so on, for whatever large scale resource you care to mention.

eHealth
- strong legal and ethical constraints on data confidentiality, privacy, secure deletion
- home/remote working scenarios are problematic
- interplay of clinical and research goals
- big problem with data export
- data enclaves are a partial solution
- same issues crop up in many other contexts (social networking, government security . . . )

More
- durable mobile credentials
- eService, evidence, provenance
- eGovernment
- . . .
[looking to collect lots more eScience examples]

Trust as an expectation of behaviour
“Do you trust me?”

Steps to Trust [pace Proudler]
1 identify the entity
2 verify normal behaviour
3 develop experience of consistent behaviour (or rely on third parties’ experience)

Trust as a prerequisite for security
- Trust (or Trustworthiness) is about an expectation of behaviour.
- We need trustworthy systems in order to build secure systems.
- Compare “Trusted Computer Systems Evaluation Criteria” — military security

Chains of Trust
- the user has to trust “the system” to enforce a security policy
- applications have to trust middleware
- middleware has to trust the operating system
- which has to trust the hardware
- . . . has to trust operators
- We have to trust operators of unknown systems “in the cloud”
[many low-probability failures; any one might be enough to cause a bad outcome; resulting likelihood becomes unpleasant.]

But . . .
- trust is not a binary property
- and it isn’t typically transitive (or we have to work hard to build contexts in which it is).

Trustworthy Infrastructure
Industry-led initiative to improve the trust characteristics of hardware and software — to enable, eventually, improved security.
Highest profile element: Trusted Platform Module (TPM).

Trusted Computing
Add an extra component to the platform which enables you to:
- bootstrap knowledge, to a good degree of assurance, of what software is running on the machine;
- report this information to a third party, using a cryptographic signature
- use encryption to lock (“seal”) arbitrary data to a particular platform/configuration

Implementation
- Industry consortium has defined a Trusted Platform Module (TPM) to do this.
- TPM is just a logical bundle of functionality: could be hardware or software.
- To prevent the platform from being subverted by software, a hardware TPM is needed somewhere (e.g. by adding a chip to the motherboard, on the LPC bus).
- 80% of ‘enterprise class’ laptops shipping today have a TPM built in.
- Gradual adoption in servers, desktops, etc. and disc drives, mobile phones, etc.

TPM Details
[Figure: TPM block diagram. Labels in the diagram: hash; processor; I/O; non-volatile shielded memory registers; MAC; key generation; PCR; clock/counter; power detection; asymmetric crypto; AIK]
- TPM: root of trust for storage; root of trust for reporting
- (core) root of trust for measurement in BIOS boot block

Trusted Platform Ecosystem
- authenticated boot vs late launch
- increased management of memory, bus, DMA, . . .
- use of whole machine virtualization, for improved manageability and trusted isolation
- trusted peripherals — limited progress
- fully-encrypting disc drives — locked to particular trusted platform(s)
  - encrypt all data on device
  - specially encrypt particular partitions
  - private data — software licences — digital cash
  - very good for portable devices
  - eliminates a class of usability problems
- Trusted Network Connect — let me onto your LAN (for example) if I pass policy tests (on identity, patch level, etc.)
- Mobile Trusted Module (MTM) builds on TPM
- ...

Security Evaluation
- The TPM design is intended to be robust in the face of all software-based attacks.
- CESG and NSA appear to have confidence that this has been achieved.
- Physical access to the platform is a different matter entirely.
- So the TPM is strongest when ‘proving’ to you that your system is untampered — imperfect (but still useful) for proving this to other parties
- Nevertheless, Microsoft Vista’s BitLocker™ has been certified for some classes of Official Secrets.
- Expect to see similar with encrypted hard disk products.
- It should be noted that the Trusted Platform approach has some strong critics.

Trusted Infrastructure Research
- Delivering the low-level benefits via middleware; incremental benefits — moving the feasibility line
- strong platform identity including dynamic provisioning of hosts
- strong software identity; locked secrets
- Security Hardware Enhanced MyProxy (SHEMP)
- Daonity/Daoli
- secure migration of credentials in a VO
- trusted data centre?
- trustworthy cycle-stealing/high-throughput computing
- improved VPN/remote working capability

Enabler of New Models
- “Digital Rights Management for all”
- Virtual Data Enclaves?
- Processing of data from many sources, without giving up control

Theme Objective
To work out what it will take to widen the applicability of eScience approaches, through the use of technologies for improved trust, giving rise to enhanced security characteristics.
- led by concrete examples from the potential user community
- employing pragmatic and incremental approaches to technology
- encourage meeting of minds between eScience leaders and trusted computing technologists

Theme Methodology
- Survey and promote understanding of current security work in eScience.
- Collect and document concrete requirements from some potential user communities.
- Build consensus around architectural principles which will enable those requirements to be met.
- Educate eScience community in Trusted Infrastructure Technologies.

Theme Activities
- At eSI and at OeRC
- Visitors and invited seminars
- Workshops around each of the major headings above
- Application communities’ requirements workshop in early March
- Tutorial at eSI
- Visits and promotion
Your participation is invited. The eSI Wiki is a good place to start.

Summary
- Security is an exciting enabler of new patterns of interaction
- New technologies have potential to make a step-change difference in the quality of security and in usability
- This is an immense opportunity to broaden the scope of eScience
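
The three capabilities listed on the Trusted Computing slide (measure what is running, report it, seal data to a configuration) can be seen in a toy Python model. This is an example added to these notes, not material from the talk: ToyTPM, the sample boot chains and the HMAC key standing in for the TPM's asymmetric AIK signature are assumptions, while the extend rule is the TPM 1.2 one.

```python
import hashlib
import hmac

PCR_INIT = bytes(20)  # a PCR starts as 20 zero bytes (SHA-1 sized, TPM 1.2)
# Constructed sample boot chains; the second has a modified kernel.
GOOD = [b"bios-boot-block", b"bootloader-v1", b"kernel-v1"]
TAMPERED = [b"bios-boot-block", b"bootloader-v1", b"kernel-v1-modified"]


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def expected_pcr(components) -> bytes:
    """Replay a known-good component list to get the PCR a verifier expects."""
    pcr = PCR_INIT
    for c in components:
        pcr = extend(pcr, c)
    return pcr


class ToyTPM:
    """Hypothetical model: one PCR, a quote operation, and seal/unseal."""

    def __init__(self, report_key: bytes):
        self.pcr = PCR_INIT
        self._report_key = report_key  # assumption: HMAC key in place of the AIK
        self._sealed = {}              # survives reboots, like sealed blobs

    def boot(self, components) -> None:
        # Reset at power-on; each stage is measured before it runs. A PCR can
        # only be extended, never set, so a later stage cannot erase history.
        self.pcr = PCR_INIT
        for c in components:
            self.pcr = extend(self.pcr, c)

    def quote(self, nonce: bytes):
        # The verifier's nonce stops an old report from being replayed.
        tag = hmac.new(self._report_key, nonce + self.pcr, hashlib.sha256).digest()
        return self.pcr, tag

    def seal(self, name: str, secret: bytes) -> None:
        self._sealed[name] = (self.pcr, secret)  # bound to current configuration

    def unseal(self, name: str) -> bytes:
        bound_pcr, secret = self._sealed[name]
        if not hmac.compare_digest(bound_pcr, self.pcr):
            raise PermissionError("platform configuration differs from seal time")
        return secret


def verify_quote(key, nonce, pcr, tag, known_good) -> bool:
    """Third-party check: the report is authentic, fresh, and matches policy."""
    want = hmac.new(key, nonce + pcr, hashlib.sha256).digest()
    return hmac.compare_digest(tag, want) and hmac.compare_digest(
        pcr, expected_pcr(known_good))


def demo():
    key = b"constructed-demo-key"
    tpm = ToyTPM(key)
    tpm.boot(GOOD)
    tpm.seal("disk-key", b"constructed secret")
    good_ok = verify_quote(key, b"nonce-1", *tpm.quote(b"nonce-1"), GOOD)
    tpm.boot(TAMPERED)  # reboot with a modified kernel
    bad_ok = verify_quote(key, b"nonce-2", *tpm.quote(b"nonce-2"), GOOD)
    try:
        tpm.unseal("disk-key")
        released = True
    except PermissionError:
        released = False
    return good_ok, bad_ok, released
```

The model covers software changes only, which matches the Security Evaluation slide: nothing here defends against physical access to the platform.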