Trustworthy Computing Vijay Varadharajan Professor and Microsoft Chair in Computing, Director : Information and Networked System Security (INSS) Research Macquarie University, Australia
[email protected]
Talk Overview
ICT Context & Drivers Trustworthy Computing Security, Privacy and Trust Trusted Systems and Applications Trusted Platforms Secure Distributed Computing and Trust Security, Mobility and Trust Trust Enhanced Security Mobile Systems, P2P Computing, Web Services Concluding Remarks Key Research Challenges
Vijay Varadharajan
MSR-A May 2005
1
Context and Drivers Users Mobile & Wireless Networks
Internet/ Intranet
Pervasive Mobile Networked Computing Information and Services
OS/Distributed Services/ Applications
Vijay Varadharajan
Mobile Code/Agents Inf. Appliances and Network Computers
MSR-A May 2005
2
Some Glimpses of Future Computing
Computing power doubles every 18 months (Moore’s Law) 100-fold improvement every 10 years Disk Densities double every 12 months 1000-fold improvement every 10 years Optical bandwidth doubling every 9 months 10000-fold improvement every 10 years Near Future home with giga PCs connected by gigabit networks Near Future : Giga-PC, 2015 : Tera-PC, 2030 : Peta-PC
Vijay Varadharajan
MSR-A May 2005
3
Some Glimpses of the Future
We can probably store almost everything 300 Million Books : 100 terabytes (approx $1M) All Movies made todate : 1 petabyte All Music recorded todate : 1 petabyte 1 Billion Photos : 1 petabyte Capture everything you said from the time you are born to the time you die. Less than one percent of a petabyte Everything you ever did and experienced can be captured in living color With only a few petabytes. With 1.6 terabits per second on a single fiber In one second, you can transmit 10 HDTV movies, or 40 regular fulllength feature films. Less than a minute to transmit all the books in a typical large national library
Vijay Varadharajan
MSR-A May 2005
4
Challenges
Several Technical Challenges Scalability How can a billion users access the services? Dependability Availability, Security, Reliability of Information Services and Management of Interactions over the Network Managing Trust between Autonomous Unfamiliar Entities in the Provision of Services over the Internet Policies : Security, Trust, Privacy Propagation, Administration and Enforcement of Policies Content Management How to manage and extract useful information? Infrastructure Seamless integration of wired and wireless infrastructure with mobile devices and services
Vijay Varadharajan
MSR-A May 2005
5
Trustworthy Computing
Basis for someone to trust a system
Security Privacy Reliability Business Integrity
Trustworthy Computing Making something trustworthy requires a social infrastructure as well as solid engineering Software, Computers, Systems, Services and Organizations
Vijay Varadharajan
MSR-A May 2005
6
Security
Security Peace of Mind Trust A Business Necessity
Security Relative to Threats Cost, Time, Customer Expectations, User Requirements Penetrator versus Designer
Vijay Varadharajan
MSR-A May 2005
7
Security Challenges Pervasiveness Operating Systems, Networks and Protocols, Databases, Applications, Hardware, Users
Multiple Security Models Multiple Platforms Different Vendors Different Security Policies Several Security Standards Interoperability Some Consequences Research : Different parts of the puzzle Interconnections Æ Overall System Organizational Challenges
Vijay Varadharajan
MSR-A May 2005
8
...
Security Architectures and Solutions Defence Telecom Medical Finance Internet Commerce and Services SECURITY MANAGEMENT
Auditing
...
Non-Repudiation
HW
Integrity
OS
Confidentiality
MW
Authentication
AP
... ... ...
Access Control
USERS
... ... ... ...
USERS AP MW OS HW
Network
AP
= Application
MW = Middleware
Vijay Varadharajan
MSR-A May 2005
OS
= Operating System
HW
= Hardware
9
Distributed System Security User
Login
App B
App A Encryption
Signature
Hashing
AuthN/Cert Server
AuthZ Server
Vijay Varadharajan
Encryption
MSR-A May 2005
Signature
ACI
Hashing
Naming Server
10
Distributed Systems Security Smart Card
Mobile Personal Inf Appliances
User
Login
App B
App A Encryption
AuthZ Server
Vijay Varadharajan
Signature
Hashing
AuthN/Cert Server
Encryption
Audit/Monit Server
MSR-A May 2005
Signature
TTP (E.g Notary, Arbitration)
ACI
Hashing
Naming Server
11
Security in a Federated Distributed Environment
Vijay Varadharajan
MSR-A May 2005
12
Security and Privacy
Security Owner of Information has control Security is Not Privacy Privacy Subject of Information has control Privacy requires Security Anonymity Has no subject Requires Security and guarantees Privacy, but is neither
Vijay Varadharajan
MSR-A May 2005
13
Trust
Trust has been around for many decades (if not for centuries) in different disciplines in different disguises Psychology, Philosophy, Sociology as well as in Technology Some Notions Luhman: “we as humans would not be able to face the complexity of the world without resorting to trust” Gambetta: “trust is the subjective probability by which an individual, A, expects that another individual, B, performs a given action on which its welfare depends” Trust : “It will not harm me”, “No Surprises” Trust : From a malicious point of view
Vijay Varadharajan
MSR-A May 2005
14
Trust
Trust Relationship Trustor : an entity that trusts another entity (target) Trustee : an entity that is trusted Action Context Trust Relationship is a belief by a trustor on the trustee’s actions Competency : Ability Honesty : Intentions Reliability : Correctness and commitments Availability : Resources within a context
Vijay Varadharajan
MSR-A May 2005
15
Trust Several Characteristics Transitivity General Within a Context Action-Dependent Time-Dependent Non Monotonic Trust Building, Trust Destroying Trusted Authorities Multiple
Vijay Varadharajan
MSR-A May 2005
16
Trusted and Trustworthy Platforms
Terminology : Some Subtleties If a secret service employee is observed at an airport selling material to a foreign diplomat, then assuming the operation is not authorized, we can describe him as “trusted and not trustworthy” Trusted Æ “Failure can break the security policy” Trustworthy Æ “A system that won’t fail”
Vijay Varadharajan
MSR-A May 2005
17
Trusted Systems
Trusted Computer System Evaluation Criteria (TCSEC) (Orange Book) in the late 1970s and early 1980s
Trust Æ Process of convincing the observers that a system (model, design or implementation) is correct and secure
Set of ratings is defined for classification of systems Higher the level, greater the assurance that one has that the system will behave according to its specifications Æ higher level of “trust” C1, C2, B1, B2, A1
TCSEC, ITSEC, Federal and Common Criteria Functionality and Assurance
Vijay Varadharajan
MSR-A May 2005
18
Trusted Systems
Trusted Computing Base (TCB) “totality of protection mechanisms needed to enforce the security policy” Hardware and Software Particularly in the Operating System Context Reference Monitor Security Kernel based OS Architectures “Trusted” Processes These processes are trusted in that they will not do any harm even though they may violate the security policies of the system
Vijay Varadharajan
MSR-A May 2005
19
Distributed Systems Security Smart Card
Mobile Personal Inf Appliances
User
Login
App B
App A Encryption
AuthZ Server
Vijay Varadharajan
Signature
Hashing
AuthN/Cert Server
Encryption
Audit/Monit Server
MSR-A May 2005
Signature
TTP (E.g Notary, Arbitration)
ACI
Hashing
Naming Server
20
Security and Trust in Distributed Systems
Some Examples of Trust Trustor “trusts” a trustee entity to access and use the resources s/he owns or controls (e.g. application or service) Trustor (e.g. a user) “trusts” a trustee entity (e.g. CA/AS) to perform authentication and certification of another entity (Authentication Trust) Trustor (e.g. a user) “trusts” a trustee entity (e.g. AuthZ) to perform authorization actions (Authorization Trust) Trustor “trusts” a trustee entity to make a delegation on its behalf (Delegation Trust) Trustor (e.g. a user) “trusts” a trustee entity (e.g. network) to provide certain services (Infrastructure Trust)
Vijay Varadharajan
MSR-A May 2005
21
Security, Mobility and Trust in Distributed Systems
Mobility Software Mobility Programs may come from unknown or untrusted sources Difficulty : Identification of creator and/or sender principal associated with a program How to associate a level of trust with the program ? The principal most relevant for determining trust may not be known to the system Complicates the issue of determining whether or not an action requested by the program is to be allowed May not be safe to assume that when a program requests a certain action, any particular person intends that action
Vijay Varadharajan
MSR-A May 2005
22
Security, Mobility and Trust in Distributed Systems
Proliferation of barriers and problems involved in crossing them Programs cross Administrative Domains Domains may have different of levels of trust Programs may not choose to perform certain actions in certain domains Different programs coming from the same user but created at different sources, may need to be treated differently
Vijay Varadharajan
MSR-A May 2005
23
Trusted Computing Platforms A Trusted Computing Platform
has a trusted component (s) in the form of built-in hardware and uses this to create a foundation of trust for software processes PC, Server, PDA, Printer, Mobile Phone “Trusted” by local and remote users and software and entities Basis of Trust: Declaration on the computing platform behaves as expected the software running on a machine behaves as expected what entity and to whom the user is talking to the information is transmitted accurately and its privacy protected
Vijay Varadharajan
MSR-A May 2005
24
Trusted Computing Platform Alliance (TCPA/TCG)
TCPA view of Trust Something is trusted “if it always behaves in the expected manner for the intended purpose”
TCPA: Vouches for the State of the Machine Whether a platform can be trusted? Collect and provide evidence of system behaviour
Whether a platform should be trusted? Provide confidence on the collection and evidence mechanisms Provide confidence that particular values of evidence represent that the platform is in a “good” state”
Vijay Varadharajan
MSR-A May 2005
25
Trusted Computing Platform Alliance (TCPA/TCG)
Basic Idea A trusted party assesses the platform and declares that if the measurements for the platform are such and such, it can be trusted for such and such purpose. Measurement Process Storage and Reporting of measurements Matching with standard expected values PC BIOS Boot Block starts the measurements and stores the results in Trusted Platform Module (TPM) – tamper resistant chip TPM has a Public Key – Private Key Pair installed at manufacturing time Certificate released by the Company Manufacturer
Vijay Varadharajan
MSR-A May 2005
26
Trusted Computing Platform Alliance (TCPA/TCG)
Basic Operation BIOS Boot Block measures some aspects of the platform – including the first measurement agent – and records results in TPM. This is compared with the expected values First measurement agent then measures some other aspects of the platform – including the second measurement agent – and records results in TPM and compared with the expected values and so on. This happens for all loading of software and before their execution BIOS Æ OS Loader Æ OS Kernel Æ Applications
Vijay Varadharajan
MSR-A May 2005
27
Trusted Computing Platform Alliance (TCPA/TCG)
Vijay Varadharajan
PC booted into a known state with an approved combination of hardware and software (e.g. whose licences have not expired). Now TPM can certify to third parties about the state of the PC. E.g. certifying that the PC is currently running an authorised application program X Third parties can now have secure information transfer with the platform -- information protected with a key which is in turn protected by TPM key. TPM releases the appropriate key to the authorised application program X.
MSR-A May 2005
28
Microsoft NGSCB Trusted Computing
Commercial Reality Many different hardware components and devices
CPU, printers, graphics, imaging chipsets etc.
Many different applications Î Mass market of personal computers and rich and diverse operating environment Assurance Small Trusted Computing Base (TCB) NGSCB Basically create an isolated computing environment in a common PC Allows rich mass market applications and “secure” applications to coexist. Allows applications to have a small TCB on a regular PC
Vijay Varadharajan
MSR-A May 2005
29
NGSCB Trusted Computing
Approach Different operating systems in isolation on the same computer
E.g. one rich mass market operating system and the other constrained “secure” operating system
Need to protect these operating systems from each other
Isolation Kernel Provides isolated execution environments Layer of software that sits just above the hardware and beneath one or more operating systems Accesses to CPU, Memory and Devices controlled by the Isolation Kernel
CPU Management, Memory Isolation and Device Management
Part of trusted computing base (TCB)
Vijay Varadharajan
MSR-A May 2005
30
NGSCB Approach
Rich mass market operating system
Small system with a small TCB
anything
anything
Isolation kernel CPU
Vijay Varadharajan
memory
MSR-A May 2005
disk
network
31
Isolation Kernel
CPU Management Isolation kernel hosts guests Guest: Any software running within an isolated execution environment Performance requirement: Almost all guest instructions must be executed directly by the CPU (not interpreted). But any guest instruction that might violate isolation must be “inspected” by the isolation kernel (trap). Example: any instruction that affects how the CPU accesses memory
Vijay Varadharajan
MSR-A May 2005
32
Problem Ring 3
Apps
App Legacy
Ring 1
Ring 0
OS kernel Legacy OS kernel
App Legacy OS kernel
Isolation Kernel
z
In general, the OS will only work in ring 1 if all instructions look as if they were executing in ring 0.
z
The isolation kernel will have to hide the differences
z
Solvable, but quite complex if instructions do not trap
z
The x86 instruction set is not virtualizable
Vijay Varadharajan
MSR-A May 2005
33
Isolation Kernel
CPU Management: One Possible Solution Hardware Changes
Upcoming Versions of x86 Processor New CPU Mode that is more privileged than Ring 0 Effectively Ring -1
Isolation Kernel executes in Ring -1 Guest Operating Systems operate in Ring 0
Vijay Varadharajan
MSR-A May 2005
34
Isolation Kernel
Memory Isolation Partitions the physical memory of the machine among multiple guests Controlling the virtual to physical mapping for each guest Shadow page table algorithm Device Drivers Device drivers for a small number of devices E.g. disk, network card Code physically separated from the rest of the isolation kernel (and executes as a guest) Drivers for other consumer peripherals such as cameras, scanners, printers etc. managed by the guest operating system.
Vijay Varadharajan
MSR-A May 2005
35
Isolation Kernel
But PC hardware gives DMA devices unrestricted access to the full physical address space of the machine. A guest in control of a DMA device can access any memory belonging to the isolation layer or other guests. Possible Solution : Change of Hardware Add a simple access control system for DMA devices to the PC platform Access control policy: One bit for each physical page decides between
Vijay Varadharajan
Unrestricted access to the page by all DMA devices No DMA access to the page by any device
MSR-A May 2005
36
Authenticated Boot
The isolation kernel is not the first code to run after the machine is switched on. cf. BIOS
Must protect against subversion by that code. Solution: Authenticated Boot Allow the isolation kernel to start execution in a welldefined initial state without resetting all devices.
Vijay Varadharajan
MSR-A May 2005
37
One Configuration
Video game
DVD player
Small Application
Small Operating System with small TCB
Mass market operating System Device driver
Device driver
Device driver
Device driver
Isolation Kernel Vijay Varadharajan
MSR-A May 2005
38
Trusted Platforms & Distributed System Security Impact of Trusted Platforms on Security Architectures “Distribution” of the Security Service to the “most appropriate” location Authentication Capturing Aspects of Authentication Server within the Trusted Platform of the Client/Server Authorization Creating instances of authorization service. Mutual or two-way authorization policies at both requester and service provider ends
Applications based on Trusted Platforms
Vijay Varadharajan
MSR-A May 2005
39
Trust Enhanced Security
Tour of some Trust Concepts in the Secure Computing World
Trust Enhanced Security Concept of Hybrid Trust : “Hard” and “Soft” Trust Model and Design of Trust Enhanced Secure Systems Explicit use of Trust in Secure Decision Making
Application to Mobile Software Agent based Internet Systems, Web Services and Peer to Peer Computing Applications
Vijay Varadharajan
MSR-A May 2005
40
Trust Enhanced Security
Hard Trust Trust beliefs derived from concrete security mechanisms E.g. Authentication Trust Belief on the trustworthiness of public keys derived from certificate digitally signed by a certificate authority binding the key to an entity Characterized by “certainity” Underlying belief is that the certificate authority is “trusted” in that it is honest and competent in correctly authenticating the user before signing the user’s public key.
Vijay Varadharajan
MSR-A May 2005
41
Trust Enhanced Security
Soft Trust Trust derived from social control mechanisms and intangible information such as reputation, experiences and cooperation Beliefs not based on concrete security credentials such as authentication and privilege information Characterized by “uncertainity” Dependent on past behaviours Often involves recommendations from multiple entities (“web of trust”) Progressively tune the beliefs over time
Vijay Varadharajan
MSR-A May 2005
42
Trust Enhanced Security
Soft Trust E.g. Trust Saturation
Long history of positive experiences A malicious entity cooperating for a certain period and accumulating high trust and then defaulting on a critical transaction
Hybrid Trust : Combining “Hard” and “Soft” Trust Calculate the overall trust by allocating certain weighting factors to hard and soft trust components Fair amount of analysis and developed a trust management system based on hybrid trust Applications to Mobile Software Agents, Web Services and Peer to Peer Computing Applications
Vijay Varadharajan
MSR-A May 2005
43
Trust Enhanced Security Mobile Agent based System
Agent attacking the Agent Base Agent Base attacking the Agents Agents attacking each other Attacks against Agents during Network Transfer
Vijay Varadharajan
MSR-A May 2005
44
Security Enhanced Mobile Agents Agent Base
Agent Base
SeA
SMC
SeA
MA+P
SMC
Policy Base Host A
Policy Base Host B
SMA
Vijay Varadharajan
MSR-A May 2005
45
Trust Enhanced Secure Mobile Agent System
Vijay Varadharajan
Trust Management
Trust Management
Security
Security
MA OS
MA OS
MSR-A May 2005
46
Trust Enhanced Secure Mobile Agent System
Trust Enhanced Security Solution Trust Model that is capable of capturing Range of Trust Relationships Direct, Recommended, Derived Different types of Trust Authentication, Execution and Code Trust Management Architecture Representation, Evaluation and Updating of Trust Relationships and Decisions Trust Outcomes Enhance Security Model and Decision Making
Vijay Varadharajan
Trust based Itinerary Æ Execution Trust (Mobile Code Security Malicious Host Problem) Trust based Authorization Æ Code Trust (Host Security -Malicious Agent Problem)
MSR-A May 2005
47
Trust Enhanced Security Architecture
Vijay Varadharajan
MSR-A May 2005
48
Successful Transaction Rate
Vijay Varadharajan
MSR-A May 2005
49
A Typical P2P File Sharing System
Any two peers to directly access files from each other Two interfaces Resource Discovery (RD): Allows a peer to find out what other peers offer to share as well as letting other peers know to what is available for sharing in its machine File Transfer (FT) : Transfers files from one peer to another during the download transaction. Existing P2P systems often build the interface on top of protocols such as TCP/IP or HTTP.
Vijay Varadharajan
MSR-A May 2005
50
Trust Enhanced P2P File Sharing System Network Infrastructure
RD
P2P System
FT
Trust Enhanced Access Control Layer
Local File System
Physical Storage
Vijay Varadharajan
MSR-A May 2005
51
Trust Enabled P2P File Sharing System
Trust Model Direct Trust Host’s belief on the client’s capacities, honesty and reliability based on the host’s direct experiences Recommended Trust Host’s belief on the client’s capacities, honesty and reliability based on recommendations from other peers Direct Contribution Contribution of the client to the host in term of information volume downloaded and uploaded between them Indirect Contribution Contribution of the client to the network in term of information volume the client exchange with other peers
Vijay Varadharajan
MSR-A May 2005
52
Trust Enhanced P2P File Sharing Model
Four weightings, CT for direct trust, CR for recommended trust, CQ for direct contribution and CP for indirect contribution must satisfy 1 = CT + CR 1 = CQ + CP Hosts sets these Weightings Weightings may be set the same for all of a host’s files, for sets of the host’s files, or may be set on an individual file basis. Overall Trust Value (A) that a host has on a client peer is a weighted summation of direct trust and indirect trust. Overall Contribution Score (B) is a weighted summation of direct contribution and indirect contribution. Overall Trust and Contribution of Client j to Host i regarding a file are Aij = CT*Tij + CR*Rij Bij = CQ*Qij + CP*Pij
Vijay Varadharajan
MSR-A May 2005
53
Trust Enhanced P2P File Sharing Model
Vijay Varadharajan
Different Trust Policies Weightings Thresholds for A and B Minimum Values for T, R, Q and P Different Environments Number of Malicious Users Degree of Maliciousness
MSR-A May 2005
54
Secure Web Services 3
Requester
Security Request Credentials 4
2
1
Web Service
Policy
Secure Credential Service
Vijay Varadharajan
MSR-A May 2005
55
Secure Web Services Policy Security Credential Service
Policy
Security Credential
Requester Security Credential
Policy Security Credential
Vijay Varadharajan
MSR-A May 2005
Web Service
56
Securing Distributed Web Services (INSS and Microsoft) AuthN Service
AuthZ Service
AuthN Service
AuthZ Service
WS
WS
R
j WS
Peer to Peer Hierarchical i Combination
Vijay Varadharajan
WS
MSR-A May 2005
57
Web Services Authorization Architecture (WSAA)
Vijay Varadharajan
MSR-A May 2005
58
Web Services Authorization Architecture (WSAA)
Vijay Varadharajan
MSR-A May 2005
59
Trust Enhanced Secure Web Service Trust Management Trust
Trust
Trust
Policy
Decision
Engine
Security Management
Vijay Varadharajan
Access
Sec. Authz
Auth Eval
Policy
Decision
Engine
MSR-A May 2005
60
Trust Enhanced Secure Web Services (INSS and Microsoft) Trust and Policy Management Secure Federation Management Authorization Mgmt Today
Privacy Mgmt
WS - Security SOAP Foundation
Vijay Varadharajan
MSR-A May 2005
61
Concluding Remarks ¾ ICT Context ¾ Security, Privacy and Trust ¾ Trusted Computing ¾Trust Enhanced Secure Systems and Apps Several Challenges and Issues in Developing and Deploying Secure Trusted Computing Systems and Applications
Vijay Varadharajan
MSR-A May 2005
62
Key Research Challenges
Scalable large scale secure dynamic distributed systems Creating and managing trust between autonomous unfamiliar entities, thereby enabling them to trade and interact over the internet in a secure manner Protection of mobile software applications and their privilege management in a network environment with malicious hosts. Verify that software obtained from a third party correctly implements stated functionality and only that functionality Efficient techniques for detection and prevention of distributed denial of service attacks and network intrusions on the Internet Seamless security services and infrastructure for mobile and fixed applications over wired and wireless networks Understanding the nature of risk in future information architectures and distributed virtual enterprises and developing security risk management and analysis models Development of trusted platforms and trusted services and applications
Vijay Varadharajan
MSR-A May 2005
63
Information and Networked System Security Research (http://www.comp.mq.edu.au/~inss)
Dist.System
Network
E-Commerce
Security
Security
Security
Mobile System Trusted Computing Security
Platforms
Formal Tech. & Applied Crypto
Security Models and Architecture Security Services and Management Schemes Security Protocols and Technologies Secure Systems and Applications
Research Team Professor Vijay Varadharajan Dr. Michael Hitchens (Macquarie) Dr. Yan Wang (Macquarie) Dr. Paul Watters (Macquarie) Dr.Yi Mu (Macquarie/UoW) Dr. Chun Ruan (UWS) Prof. Doan Hoang (UTS) Prof. Isabelle Chrisement (INRIA) Dr. Ghassan Chaddoud (London) Dr. Hua Wang (USQ) A/Prof. Zaobin (HUST) Prof. Liu Zhen (NDUST)
Vijay Varadharajan
Mr. David Foster Mr. Weilang Zhao Mr. S.Indrakanthi Mr. Uday Tupakula Mr. Venkat Mr. Janson Zhang Mr. Ching Lin Mr. Rajan Shankaran Mr. Huu Truan Ms. Aarthi Nagarajan Mr. Gilbert Mr. Aungkhoon MSR-A May 2005
64
