INSTITUTE FOR CYBER SECURITY
Trusted Computing Models
Prof. Ravi Sandhu, Executive Director and Endowed Chair, Institute for Cyber Security, University of Texas at San Antonio
June 2008
ravi.sandhu@utsa.edu, www.profsandhu.com

Change Drivers
• Stand-alone computers → Internet
• Vandals → Criminals, nation states, terrorists
• Enterprise security → Mutually suspicious yet mutually dependent security
• Few standard services → Many and new innovative services

Basic Assumptions (Axioms)
• Information needs to be protected: in motion, at rest, in use
• Absolute security is impossible and unnecessary
  • Trying to approximate absolute security is a bad strategy
  • "Good enough" security is feasible and meaningful
• Security is meaningless without application context
  • Cannot know we have "good enough" without this context
• Models and abstractions are all important
  • Without a conceptual framework it is hard to separate "what needs to be done" from "how we do it"
• We are not very good at doing any of this

PEI Models: 3 Layers/5 Layers
(diagram only)

Access Control Models
• Discretionary Access Control (DAC): owner controls access, but only to the original, not to copies
• Mandatory Access Control (MAC): access based on security labels; labels propagate to copies
• Role-Based Access Control (RBAC): access based on roles; can be configured to do DAC or MAC
• Attribute-Based Access Control (ABAC): access based on attributes, possibly including roles, security labels and whatever else

Usage Control Model (UCON)
• A unified model integrating
  • authorization
  • obligation
  • conditions
• and incorporating
  • continuity of decisions
  • mutability of attributes
• Diagram components: Subjects (S), Subject Attributes (SA), Rights (R), Objects (O), Object Attributes (OA), Usage Decisions, Authorizations (A), Obligations (B), Conditions (C)
• Continuity of decisions: pre-decision (before usage), ongoing-decision (during ongoing usage)
• Mutability of attributes: pre-update (before usage), ongoing-update (during ongoing usage), post-update (after usage)

What makes UCON different?
• UCON is an attribute-based authorization model, BUT
• Attributes are mutable, in that the system updates them automatically as a result of usage
  • Allows count-limited, rate-limited, quota-limited policies to be expressed and enforced
  • E.g., can access up to 10 documents per hour
• Access may require explicit actions by the user attempting access, other users or the system
  • Enables human-in-the-loop just-in-time decisions; e.g., access requires confirmation by a superior officer
  • Enables notification of access; e.g., access is notified to a designated audit authority
  • Enables clean-up after access is completed; e.g., delete cryptographic keys, plaintext content
• Access can depend on system condition and mode
  • E.g., in emergency mode access is enabled (or disabled)
• Access mediation can continue while access is in progress
  • E.g., if credentials are revoked, access is immediately terminated
  • E.g., if system mode changes from normal to emergency, access is terminated

PEI Models: 3 Layers/5 Layers
(diagram only; the Policy Model layer is the subject of the next two slides)

Policy Model (group membership)
User states and transitions: State I, never been a member (initial state) --enroll--> State II, currently a member --disenroll--> State III, past member --enroll--> State II (rejoin)
State I (never been a member):
1. Straight-forward: the user has no access to any group documents.
State II (currently a member):
1. Can access the documents created during his membership (or)
2. Can access all documents, including the ones created before his join time.
3. Access can be further restricted with rate and/or usage limits.
4. Access can be further restricted on the basis of individual user credentials.
State III (past member):
1. Past member loses access to all documents (or)
2. Access to current documents only (or)
3. Access to current documents and past documents he accessed during membership (or)
4. The same access policies defined before he left the group.
Rejoin (State III → State II):
1. No rejoin of past members is allowed; rejoin with a new ID (or)
2. Past members rejoin the group like any other user who has never been a member (or)
3. Past members rejoin and can access all documents created during his prior membership, with the same access policies enforced again (or)
4. Access policies could vary between membership cycles; all subject to possible additional rate, usage and user credential restrictions.

Policy Model (group documents)
Document states and transitions: State I, never been a group doc (initial state) --add--> State II, currently a group doc --remove--> State III, past group doc --add--> State II (re-added)
State I (never been a group doc):
1. Straight-forward: any one can access.
State II (currently a group doc):
1. Access allowed only to current group members (or)
2. Access allowed to current and past group members.
State III (past group doc):
1. No one can access (or)
2. Only current members can access (or)
3. Past members and current members can access.
Re-adding a past group doc:
1. Cannot be re-added (or)
2. When a document is re-added, it will be treated as a new document that is added into the group.

Enforcement Model
• Parties in the diagram: Control Center (CC), Group-Admin, Joining Member, Member, D-Member; interactions are numbered 1-7
• Two sets of attributes
  • Authoritative: as known to the CC
  • Local: as known on a member's computer
• Member enroll and dis-enroll (steps 1-2, 5)
• Document add and remove (steps 6, 7)
• Read policy enforcement (step 3)
• Attribute update (step 4)
• Ideal model: steps 3 and 4 are coupled
• Approximate model: steps 3 and 4 are de-coupled

Implementation Model
• Use TC mechanisms to bind group key + attributes to the TRM
• Architecture in the diagram: TPM (with PCRs) under a VMM; VM0 runs the TRM, TSS and TV on a Linux kernel + TPM driver + MAC policies, and the TRM maintains internal PCRs (update internal PCR); VM1 runs the App
• Mechanisms relied on: indirect communication, boot time measurement, isolated execution

Trusted Computing Technology
Requirements
• Need crypto and access control
• Hide the root keys
• Authorize use of root keys
  • wrt software
  • wrt people
• Curtained memory
• Remote attestation
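The UCON slides above and the two policy-model slides describe the mechanics in words only. The following Python sketch is an added example, not code from the slides or from the speaker's projects; it implements the pieces the deck relies on: a pre-decision over subject and object attributes plus a system condition (mode), a mutable attribute that enforces the "10 documents per hour" quota, and an ongoing decision that ends a session when credentials are revoked or the mode switches to emergency. The user states (never/current/past member), the document states (current/past group doc) and the past-member policy options follow the policy-model slides; the attribute names, the option names and the scenario in demo() are assumptions.

```python
"""UCON-style usage control for a document-sharing group.
Added example, not code from the slides: attribute names, policy option names
and the demo() scenario are assumptions chosen to illustrate the model."""
from dataclasses import dataclass, field
from typing import Optional

HOUR = 3600.0
HOURLY_QUOTA = 10  # "can access up to 10 documents per hour"

@dataclass
class Subject:
    name: str
    membership: str = "never"                  # never | current | past (user states)
    revoked: bool = False                      # credentials revoked -> ongoing access ends
    reads: list = field(default_factory=list)  # mutable attribute: timestamps of reads
    seen: set = field(default_factory=set)     # mutable attribute: docs read as a member

@dataclass
class Document:
    doc_id: str
    status: str = "current"                    # current | past (document states)

@dataclass
class System:
    mode: str = "normal"                       # condition: normal | emergency
    past_member_policy: str = "current_only"   # none | current_only | current_and_accessed

def enroll(s: Subject) -> None: s.membership = "current"
def disenroll(s: Subject) -> None: s.membership = "past"

def authorized(s: Subject, d: Document, sys_: System) -> bool:
    """Authorizations (A) and conditions (C), evaluated on the current attribute values."""
    if sys_.mode == "emergency" or s.revoked:  # this policy disables access in emergency mode
        return False
    if s.membership == "current":
        return d.status == "current"
    if s.membership == "past":
        pol = sys_.past_member_policy
        if pol == "current_only":
            return d.status == "current"
        if pol == "current_and_accessed":
            return d.status == "current" or d.doc_id in s.seen
        return False                           # "none": past members lose all access
    return False                               # never been a member

def within_quota(s: Subject, now: float) -> bool:
    """Rate limit derived from a mutable attribute: only reads in the last hour count."""
    s.reads = [t for t in s.reads if now - t < HOUR]
    return len(s.reads) < HOURLY_QUOTA

class Session:
    """An access in progress; recheck() is the ongoing decision."""
    def __init__(self, s: Subject, d: Document, sys_: System) -> None:
        self.s, self.d, self.sys_, self.active = s, d, sys_, True
    def recheck(self) -> bool:
        if self.active and not authorized(self.s, self.d, self.sys_):
            self.active = False                # e.g. credentials revoked or mode changed
        return self.active

def try_read(s: Subject, d: Document, sys_: System, now: float) -> Optional[Session]:
    """Pre-decision, then pre-update of the subject's mutable attributes."""
    if not authorized(s, d, sys_) or not within_quota(s, now):
        return None
    s.reads.append(now)
    if s.membership == "current":
        s.seen.add(d.doc_id)
    return Session(s, d, sys_)

def demo() -> dict:
    """Constructed scenario exercising the behaviours listed on the UCON slide."""
    sys_ = System(past_member_policy="current_and_accessed")
    alice, bob = Subject("alice"), Subject("bob")
    docs = [Document(f"d{i}") for i in range(14)]
    enroll(alice)
    out = {"never_member_denied": try_read(bob, docs[0], sys_, 0.0) is None}
    # quota: ten reads within an hour succeed, the eleventh is refused
    out["quota_granted"] = sum(try_read(alice, docs[i], sys_, float(i)) is not None for i in range(11))
    out["quota_after_hour"] = try_read(alice, docs[10], sys_, 2 * HOUR) is not None
    # ongoing decision: revoking credentials ends an open session
    sess = try_read(alice, docs[11], sys_, 2 * HOUR + 1)
    out["session_open"] = sess.recheck()
    alice.revoked = True
    out["session_after_revocation"] = sess.recheck()
    alice.revoked = False
    # past member: current docs plus docs read during membership
    disenroll(alice)
    docs[0].status = docs[12].status = "past"
    out["past_member_seen_doc"] = try_read(alice, docs[0], sys_, 3 * HOUR) is not None
    out["past_member_unseen_doc"] = try_read(alice, docs[12], sys_, 3 * HOUR) is not None
    sys_.past_member_policy = "none"
    out["past_member_policy_none"] = try_read(alice, docs[13], sys_, 3 * HOUR) is not None
    # condition: switching to emergency mode terminates an open session
    enroll(alice)
    sess2 = try_read(alice, docs[13], sys_, 4 * HOUR)
    sys_.mode = "emergency"
    out["session_after_emergency"] = sess2.recheck()
    return out
```

The point of the sketch is the split between the one-shot pre-decision in try_read and the repeated recheck on the Session object: an enforcement point that only evaluates policy at open time cannot express the "credentials revoked, access immediately terminated" behaviour, whereas one that keeps the session and re-evaluates it on every attribute or condition change can.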
• Translation of policy, e.g., policy in XACML to policy in SELinux

Conclusion
• Some very interesting challenges ahead and some very exciting research to be done
• Requires collaboration between
  • Domain experts
  • Technology experts
  • Security experts
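The implementation-model and trusted-computing slides name the mechanisms (boot-time measurement into PCRs, hiding the root keys, authorizing their use with respect to software, remote attestation) without showing how they fit together. The following Python simulation is an added example, not code from the slides or from any TPM software stack: it models PCR extend as a hash chain, seals a constructed "group key" so that it is released only under the measured VM0 stack the slide describes, and checks a nonce-bound quote the way a Control Center acting as verifier would. The hash choice, the seal encoding, the constructed component names and the HMAC standing in for the TPM's attestation signature are simplifications so that it runs without hardware.

```python
"""Simulation of the trusted-computing mechanisms behind the implementation model.
Added example, not code from the slides or a real TPM stack: PCR extend, sealing to
PCR values and nonce-bound quotes are real TPM concepts; the hash, key handling,
seal encoding and the HMAC 'signature' are simplifications for an offline demo."""
import hashlib
import hmac
import os

NONCE = 16  # bytes of per-seal / per-quote nonce
TAG = 32    # bytes of authentication tag appended to a sealed blob

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: a register holds the hash chain of everything measured into it."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(components: list) -> bytes:
    """Boot-time measurement: each component is extended, in order, into one PCR."""
    pcr = bytes(32)
    for c in components:
        pcr = extend(pcr, c)
    return pcr

def seal(secret: bytes, pcr: bytes, srk: bytes) -> bytes:
    """Bind a secret (the group key) to a PCR value under the storage root key.
    Simplified: per-seal nonce, hash-derived keystream, HMAC tag over nonce + ciphertext."""
    assert len(secret) <= 32
    nonce = os.urandom(NONCE)
    k = hashlib.sha256(srk + pcr + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(secret, k))
    tag = hmac.new(k, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(blob: bytes, pcr: bytes, srk: bytes):
    """Release the secret only if the current PCR equals the one it was sealed against."""
    nonce, ct, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    k = hashlib.sha256(srk + pcr + nonce).digest()
    if not hmac.compare_digest(tag, hmac.new(k, nonce + ct, hashlib.sha256).digest()):
        return None  # platform state differs from the sealed state: the key stays hidden
    return bytes(a ^ b for a, b in zip(ct, k))

def quote(pcr: bytes, nonce: bytes, aik: bytes) -> bytes:
    """Remote attestation: PCR value bound to the verifier's nonce and authenticated
    with the attestation key (an HMAC here stands in for the TPM's signature)."""
    return hmac.new(aik, pcr + nonce, hashlib.sha256).digest()

def verify_quote(reported: bytes, nonce: bytes, sig: bytes, aik: bytes, expected: bytes) -> bool:
    """Verifier side: the signature must cover this nonce, and the PCR must be the expected one."""
    return hmac.compare_digest(sig, quote(reported, nonce, aik)) and reported == expected

def demo() -> dict:
    """Constructed scenario: the VM0 stack from the slide, booted intact and then modified."""
    srk = b"constructed storage root key"   # "hide the root keys": never leaves the TPM
    aik = b"constructed attestation key"
    group_key = os.urandom(32)
    good = [b"VMM", b"VM0 Linux kernel + TPM driver + MAC policies", b"TRM", b"TSS"]
    bad = good[:-2] + [b"TRM (modified)", b"TSS"]
    pcr_good, pcr_bad = measure_boot(good), measure_boot(bad)
    blob = seal(group_key, pcr_good, srk)
    nonce = os.urandom(NONCE)
    return {
        "unseal_good": unseal(blob, pcr_good, srk) == group_key,
        "unseal_bad": unseal(blob, pcr_bad, srk),
        "order_matters": measure_boot(list(reversed(good))) != pcr_good,
        "quote_ok": verify_quote(pcr_good, nonce, quote(pcr_good, nonce, aik), aik, pcr_good),
        "quote_replayed": verify_quote(pcr_good, os.urandom(NONCE), quote(pcr_good, nonce, aik), aik, pcr_good),
        "quote_bad_stack": verify_quote(pcr_bad, nonce, quote(pcr_bad, nonce, aik), aik, pcr_good),
    }
```

Two properties carry the slide's "authorize use of root keys wrt software" requirement: the sealed group key is only recoverable when the measured stack is byte-for-byte the one it was sealed under (a modified TRM changes the chain and unseal returns nothing), and the quote is useless to a replaying party because the verifier's fresh nonce is inside the authenticated data.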