Evaluating the Usability of Usage Controls in Electronic Collaboration
José Brustoloni, Ricardo Villamarín-Salomón, Peter Djalaliev and David Kyle
Dept. Computer Science, University of Pittsburgh
{jcb,rvillsal,peterdj,dkyle}@cs.pitt.edu
Electronic collaboration and info misuse
♦ Electronic collaboration can greatly increase productivity
  ▪ Many examples in design, supply chain, service
♦ Impediment: risk of and liability for information misuse
♦ Existing solution: non-disclosure agreements (NDAs)
  ▪ Legally obligates collaborator
  ▪ Can take months to get signed
  ▪ Very expensive and time-consuming to enforce in court
♦ Result: many potential collaborations don’t happen
SOUPS 2008
J. Brustoloni
2
Usage controls
♦ Usage controls enable information providers to limit technically how recipients may use the information
  ▪ e.g., copy, print, redistribute, retain beyond a certain time
♦ Applications increasingly provide them
  ▪ e.g., Adobe Acrobat, OpenOffice
♦ Might reduce expected cost of NDAs, or replace them
♦ Problems
  ▪ Recipes for cracking easily available from Web
  ▪ Often do not interoperate
  ▪ Usability?
Example from OpenOffice
UCLinux
♦ Linux Security Module
♦ Enables hardening software-based usage controls (e.g., PDF’s) with hardware-based ones
♦ Hardware-based usage controls employ security coprocessor (TPM) and are harder to crack
♦ Web server and browser are modified
♦ No modifications needed in other applications (e.g., Acrobat, OpenOffice, xpdf)
Outline
♦ Threat model
♦ Background on TPMs
♦ Overview of UCLinux
♦ User interfaces
  ▪ Authoring
  ▪ Acceptance
  ▪ Hierarchical
♦ User study
♦ Related work
♦ Conclusions
Threat model
♦ Attacker is merely opportunistic
♦ May have administrative rights
♦ Can use any software-based attack
♦ Does not use any hardware-based attacks
Background on Trusted Platform Modules
♦ Standardized, low-cost security coprocessors
♦ Present in many commercially available computers
♦ Require immutable TPM-aware BIOS boot block
♦ Chain of trust
  ▪ Each component in boot sequence measures integrity of next component and extends result into a TPM platform configuration register (PCR)
  ▪ Only way to undo is to reset computer
♦ Attestation: Secure verification of remote computer’s configuration
  ▪ TPM signs nonce and PCR values
♦ Sealing: Binding a secret to a particular configuration
  ▪ TPM decrypts secret only if PCR values are same
UCLinux: TCB prelogging and usage-controlled file system
♦ At boot time, UCLinux optimistically extends expected integrity measurement of each TCB component, according to configuration file (TCB list)
  ▪ Results in repeatable PCR values
♦ UCFS is encrypted file system with secret key sealed to PCR values that result from boot sequence and TCB list
  ▪ Can be mounted only if system has not been tampered
♦ Hardware-based usage policies stored as extended attributes of UCFS files
  ▪ May specify integrity measurements of programs trusted to open the file
UCLinux: Policy enforcement
♦ UCLinux measures the integrity of each program kernel executes
♦ When program opens file with hardware-based usage policies, UCLinux enforces them
  ▪ Cracked applications cannot open files with usage policies
  ▪ Applications do not need to be changed to get this protection
UCLinux: Exceptions
♦ UCLinux monitors imminent security violation (ISV) exceptions:
  ▪ TCB component’s integrity measurement at load time differs from that in TCB list, or
  ▪ Privileged program loaded and is not in TCB list, or
  ▪ Privileged user attempts to log interactively into system
♦ In each case, UCLinux’s subsequent ability to enforce policies could be subverted
UCLinux: Exception handling
♦ Applications may register handler for ISV exception
  ▪ Erase secrets from memory
♦ UCLinux:
  ▪ aborts processes with UCFS file open that have not registered a handler
  ▪ unmounts UCFS and erases any copy in memory of UCFS key
  ▪ erases pages freed
♦ After exception handling, system can be used normally, but without UCFS
♦ UCFS remounted when system rebooted into trusted state
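Added illustration (not code from the UCLinux project) of the mechanism on the TPM, prelogging, policy-enforcement and exception slides: PCR extend, boot-time prelogging of a constructed TCB list, a key sealed to the resulting PCR value, per-file trusted-program measurements, and the ISV conditions that unmount UCFS and erase the key. SHA-1 as the measurement and extend hash (TPM 1.2 style) and the tuple-based seal/unseal are assumptions standing in for the real TPM.

```python
import hashlib

def measure(image: bytes) -> bytes:
    """Integrity measurement of a program image (SHA-1, as in TPM 1.2; assumption)."""
    return hashlib.sha1(image).digest()

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA-1(PCR_old || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()

# Constructed TCB list (name -> expected measurement); the real list is a config file.
TCB_LIST = {name: measure(img) for name, img in
            [("kernel", b"kernel-v1"), ("sshd", b"sshd-v1"), ("browser", b"browser-v1")]}

def prelog_pcr() -> bytes:
    """Boot-time prelogging: extend the *expected* TCB measurements in a fixed order,
    so the resulting PCR value is repeatable across boots (unlike IMA's load order)."""
    pcr = bytes(20)
    for name in sorted(TCB_LIST):
        pcr = pcr_extend(pcr, TCB_LIST[name])
    return pcr

def unseal(blob: tuple, pcr: bytes):
    """Stand-in for TPM unsealing: blob = (bound PCR value, secret)."""
    bound_pcr, secret = blob
    return secret if bound_pcr == pcr else None

class UCLinux:
    def __init__(self, ucfs_key: bytes):
        self.blob = (prelog_pcr(), ucfs_key)            # key sealed to trusted boot
        self.key = unseal(self.blob, prelog_pcr())      # mount UCFS at boot
        self.ucfs_mounted = self.key is not None

    def load_program(self, name: str, image: bytes, privileged: bool) -> str:
        """Measure the program and raise an ISV exception on the listed conditions."""
        actual, expected = measure(image), TCB_LIST.get(name)
        if expected is not None and actual != expected:
            return self.isv_exception(f"{name} differs from TCB list")
        if expected is None and privileged:
            return self.isv_exception(f"privileged {name} not in TCB list")
        return "ok"

    def open_ucfs_file(self, program_image: bytes, trusted: list) -> bool:
        """Hardware-based policy: only programs whose measurement the file's
        extended attribute lists may open it; a cracked binary never matches."""
        return self.ucfs_mounted and measure(program_image) in trusted

    def isv_exception(self, reason: str) -> str:
        """Unmount UCFS and erase the in-memory key; the system stays usable without it."""
        self.ucfs_mounted, self.key = False, None
        return "isv:" + reason
```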
Web server and browser modifications
♦ If requested file has prepared usage policies, Web server returns these to client and requests TLS upgrade with TLS extension
♦ If user accepts usage policies, browser initiates connection upgrade
♦ During connection upgrade, Web server obtains client’s attestation
♦ If Web server finds that client’s configuration is trustworthy, it completes upgrade and returns file
♦ Browser stores file with usage policies in UCFS
Preventing abuses
♦ Browser is in TCB list and revealed in attestation
♦ UCLinux guarantees that only trusted browser can get attestation and store files in UCFS
♦ UCLinux enforces usage policies only for UCFS files
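Added example (not the project's own server or browser code) of the download exchange on the two preceding slides: the server returns the usage policies, hands out a nonce only after acceptance, verifies that the quote is fresh and signed over nonce || PCR, and releases the file only when the PCR matches a trusted configuration that includes the unmodified browser. The HMAC under a pre-shared key stands in for the TPM's attestation identity key signature, and the policy values and images are constructed (assumptions).

```python
import hashlib, hmac, os

def boot_pcr(tcb_images: list) -> bytes:
    """PCR value after prelogging the TCB list in fixed order (SHA-1 extend, TPM 1.2 style)."""
    pcr = bytes(20)
    for img in tcb_images:
        pcr = hashlib.sha1(pcr + hashlib.sha1(img).digest()).digest()
    return pcr

# Client side: the TPM signs nonce || PCR. An HMAC under a key the server already
# trusts stands in for the TPM's attestation identity key signature (assumption).
AIK_KEY = b"constructed-attestation-identity-key"

def tpm_quote(nonce: bytes, pcr: bytes) -> dict:
    return {"nonce": nonce, "pcr": pcr,
            "sig": hmac.new(AIK_KEY, nonce + pcr, hashlib.sha1).digest()}

# Server side: constructed policies and the PCR values of trusted configurations.
POLICIES = {"/design.pdf": {"copy": False, "print": False, "retain_until": "2008-08-01"}}
TRUSTED_PCRS = {boot_pcr([b"kernel-v1", b"uclinux-v1", b"browser-v1"])}

class UsageControlServer:
    def __init__(self):
        self.pending = {}   # nonce -> requested path, consumed on upgrade

    def request(self, path: str, accepted: bool) -> dict:
        """Steps 1-2: return the file's usage policies; only if the user accepted
        them does the server hand out a fresh nonce for the TLS upgrade."""
        if path not in POLICIES or not accepted:
            return {"policies": POLICIES.get(path), "nonce": None}
        nonce = os.urandom(16)
        self.pending[nonce] = path
        return {"policies": POLICIES[path], "nonce": nonce}

    def complete_upgrade(self, quote: dict):
        """Steps 3-4: verify the attestation; release the file only to a trusted client."""
        path = self.pending.pop(quote["nonce"], None)
        if path is None:
            return None                                   # unknown or replayed nonce
        expected = hmac.new(AIK_KEY, quote["nonce"] + quote["pcr"], hashlib.sha1).digest()
        if not hmac.compare_digest(expected, quote["sig"]) or quote["pcr"] not in TRUSTED_PCRS:
            return None                                   # forged quote or untrusted config
        return {"path": path, "policies": POLICIES[path]}  # step 5: browser stores in UCFS

def download(server, client_tcb: list, accepted: bool = True):
    """Full exchange from the browser's side."""
    resp = server.request("/design.pdf", accepted)
    if resp["nonce"] is None:
        return None
    return server.complete_upgrade(tpm_quote(resp["nonce"], boot_pcr(client_tcb)))
```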
Authoring: Contextual menu option for setting hardware-based usage policies
Binding file to trusted application
Specifying allowed period for accessing file
Contextual menu option for posting file to Web site
Dialog for confirming or canceling file posting
Acceptance: Dialog for accepting usage policies of downloaded file
Hierarchical overriding policies: Dialog for confirming or canceling file posting
Dialog for accepting usage policies of downloaded file
User study
♦ Users role-played an engineer making a design decision based on usage-controlled files retrieved from Web
♦ Two scenarios in automobile industry
♦ First scenario performed without usage controls, second with
♦ Based on specified criteria, select from 7 potential suppliers:
  1. Alternative-fuel engine (electric, biodiesel, etc.)
  2. Tires
♦ Among the 7 documents:
  ▪ 4 had acceptable usage policies and useful information (set A)
  ▪ 3 did not have acceptable policies and indicated information was unavailable (set B)
♦ No hierarchical overriding policies
Participant characteristics
User study results
Interpretation of results
♦ As desired, usage controls:
  ▪ Greatly reduced number of documents with unacceptable policies downloaded
    ▪ One participant downloaded but, after checking policies, did not open file with unacceptable policies
  ▪ Had no impact on documents with acceptable policies downloaded
♦ Most users (9/10) were able to post correct decision with correct usage policies, despite lack of training
  ▪ One participant posted correct decision, but with incorrect usage policies
♦ Slight increase in task completion time, but not statistically significant
Participant perceptions
♦ Users seem to find system usable and acceptable
Related work
♦ IBM Integrity Measurement Architecture (tcgLinux):
  ▪ Loader measures and extends into TPM integrity of every program
  ▪ Attempts to ensure that any tampering is measured, extended into TPM, and reported
  ▪ Problems:
    ▪ PCR values depend on load sequence
    ▪ Sealing not possible
    ▪ Mechanisms guarantee integrity but not confidentiality
    ▪ Privacy: even programs that are not TCB components are disclosed
♦ Bear/Enforcer:
  ▪ Sealing but no attestation
  ▪ Client’s system administrator (but not server) can set usage policies
  ▪ Vulnerable to root attacks
Conclusions
♦ Hardware-based usage controls can prevent cracked applications from opening files with usage policies
♦ UCLinux allows adding such controls without modifying existing applications (e.g., OpenOffice, xpdf)
♦ UCLinux’s interfaces for posting and downloading files with usage policies are usable by untrained users
♦ Insignificant impact on task accuracy or completion time