A Security Framework for a World of Post-PC Clients and Infrastructure-based Services

Steven Ross, Jason Hill, Michael Chen,

Anthony D. Joseph, David E. Culler, Eric A. Brewer

Computer Science Division

U.C. Berkeley{stevross, jhill, mikechen, adj, culler, brewer}@cs.berkeley.edu

http://www.cs.berkeley.edu/~stevross

Typical (Traditional) Internet Service

• Assumes:
– Private / trusted access device and software
– Sufficient computational resources to secure connection and display content

[Diagram: access device connected to the Internet service over HTTP/SSL]

Scenario: Kiosks - Untrusted Endpoints

• Public (untrusted) computers will be pervasive

• Content filter – hides private information

• Control filter – limits operations performed

• Decrease the content value instead of increasing the security level

Scenario: Low Power Info Appliances

• Limited computational abilities

• Low physical security

• Low reliability

• Limited input and display capabilities

• Users have multiple devices

Enable Secure Access from all Devices

• Security is fundamental to Universal Computing

• Tremendous diversity emerging
– No pre-planning: wide array of services and clients
– Info flowing over wide array of insecure links and clients

• Key leverage: Composable Secure Services
– Automating scalability and availability eases task authoring
– Build new services from component services

• Key Tool: Transcoding Operators
– Adapt content, and security level to desired use

Bridging the Gap

[Diagram: devices (PDA, Kiosk, CellPhone, Pager, Desktop, Laptop) reach services (Stock Trading, Banking, Mail) through the Composable Security Framework running in the Trusted Infrastructure]

Content Transformers

• Client Side
– Decouple device I/O capabilities from services
– New client transformer enables access to existing content

• Server Side
– Transform content and control to canonical representation
» Filtered by application logic
» Easily rendered by client side content transformer

[Diagram: the same devices and services as before, with a client-side content transformer (CTc) and a server-side content transformer (CTs) placed on the path inside the Composable Security Framework. CT: Content Transformer]

Security Adaptors

• Secure channel in depends on device capabilities

• Secure channel out depends on Internet service

• Examples
– Low power info appliance
– International Kiosk

[Diagram: a security adapter (SA) on the device side and another on the service side now bracket the CTc and CTs on the path from devices (PDA, Kiosk, CellPhone, Pager, Desktop, Laptop) to services (Stock Trading, Banking, Mail) in the Composable Security Framework. SA: Security Adapter, CT: Content Transformer]

Identity Service

• Secure repository

• Key component for enabling access from untrusted endpoints

• Critical level of indirection and information hiding

• Mitigates problem of replicating identities

• Promotes use of secure username/password pairs

[Diagram: the Identity Service is added inside the Trusted Infrastructure alongside the SA, CTc, CTs, SA path between devices (PDA, Kiosk, CellPhone, Pager, Desktop, Laptop) and services (Stock Trading, Banking, Mail). SA: Security Adapter, CT: Content Transformer]

Filter and Control Modifier

• Identity Translation

• Add new or remove existing control functionality
– Add logout button
– Remove ability to trade, write checks, drop class, etc.

• Remove sensitive content
– Account balances, email addresses, names

[Diagram: the path is now SA, CTc, FCM, CTs, SA, with the Identity Service beside it, between devices (PDA, Kiosk, CellPhone, Pager, Desktop, Laptop) and services (Stock Trading, Banking, Mail) in the Composable Security Framework. SA: Security Adapter, CT: Content Transformer, FCM: Filter & Control Modifier]

Illustration: Datek Access from Kiosk

• Kiosk browser interacts with security adaptor

• HTTP request passed to FCM

• no content transformer in prototype

• FCM authenticates pseudonym and one time password

• Substitutes real identity

• FCM passes substituted data through to outgoing security adaptor

• SA communicates with Datek Service

• FCM Filters all remaining traffic
– Removes sensitive information: i.e. account name, email address
– Performs control filtering: adds logout button

[Diagram: Kiosk -> SA (SSL) -> CTc -> FCM -> CTs -> SA (SSL) -> Datek; the components run in the Composable Security Framework inside the Trusted Infrastructure, and the FCM consults the Identity Service for the User Identity. SA: Security Adapter, CT: Content Transformer, FCM: Filter & Control Modifier]
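The FCM behaviour described on the Filter and Control Modifier slide and walked through in the kiosk illustration, as an added Python example (not the paper's prototype code): the pseudonym plus one-time password is checked against a constructed Identity Service record and the password consumed, the real credentials are substituted into the outgoing login form, and the returned page has balances and private identifiers hidden, the trade form removed and a logout link added. The record layout, the field names and the sample HTML are constructed assumptions.

```python
import hmac
import re

# Constructed Identity Service record (sample data, not from the paper):
# kiosk pseudonym -> real service credentials, unused one-time passwords,
# and the private strings that must never reach the kiosk screen.
IDENTITY_SERVICE = {
    "kiosk-alias-17": {
        "real_user": "alice.real",
        "real_pass": "Br0kerage-Pw!",
        "otps": {"7QX2-M9LA", "B4KD-ZZ10"},
        "private": ["alice.real", "alice@example.com"],
    }
}

def authenticate(pseudonym, otp):
    """Check pseudonym + one-time password and consume the password, so a
    keylogger on the kiosk that replays it later gets nothing."""
    rec = IDENTITY_SERVICE.get(pseudonym)
    if rec is None:
        return None
    for candidate in list(rec["otps"]):
        if hmac.compare_digest(candidate, otp):   # constant-time compare
            rec["otps"].discard(candidate)
            return rec
    return None

def substitute_identity(form):
    """Identity translation on the outgoing login form: the kiosk only ever
    saw the pseudonym and OTP; the real credentials are inserted here."""
    rec = authenticate(form.get("user", ""), form.get("password", ""))
    if rec is None:
        return None
    return {**form, "user": rec["real_user"], "password": rec["real_pass"]}

def filter_response(html, rec):
    """Content filter: hide balances and private identifiers.
    Control filter: drop the trade form and add a logout link."""
    html = re.sub(r'(<td class="balance">)[^<]*(</td>)', r"\1[hidden]\2", html)
    for secret in rec["private"]:
        html = html.replace(secret, "[hidden]")
    html = re.sub(r'<form id="trade".*?</form>', "", html, flags=re.S)
    return html.replace("</body>", '<a href="/logout">Logout</a></body>')

# Constructed stand-in for the brokerage account page returned to the FCM.
SAMPLE_PAGE = ('<html><body>Welcome alice.real (alice@example.com)'
               '<table><tr><td class="balance">$12,345.67</td></tr></table>'
               '<form id="trade" action="/trade"><input name="sym"></form>'
               '</body></html>')
```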

Illustration: Datek Access from PDA

• Pilot connects to security adaptor

• Shared secret key identity verified

• Content transformer
– simple pilot commands to http requests
– html to plain text pilot app format

• FCM examines HTTP requests, performs identity substitution

• Modified packets sent to security adaptor

• Security Adaptor establishes HTTPS connection to Datek service

[Diagram: PDA -> SA (Blowfish) -> CTc -> FCM -> CTs -> SA (SSL) -> Stock Trading; the components run in the Composable Security Framework inside the Trusted Infrastructure, and the FCM consults the Identity Service (Auth Client, User Identity). SA: Security Adapter, CT: Content Transformer, FCM: Filter & Control Modifier]

Composable Security Framework

• Paths from devices to services can be dynamically created

• Multiple transcoders may be composed for a path

[Diagram: several SA, CTc, FCM and CTs components composed into paths between devices (PDA, Kiosk, CellPhone, Pager, Desktop, Laptop) and services (Stock Trading, Banking, Mail) in the Composable Security Framework inside the Trusted Infrastructure; the Identity Service (Auth Client, User Identity, Auth Service) is consulted by the FCMs. SA: Security Adapter, CT: Content Transformer, FCM: Filter & Control Modifier]

Key Design Points

• Security and Content both transformed
– Security adaptors based on device capability and link
– Information hiding based on device, user role, and link

• Composing services
– Trust model must be carefully considered

• Extensible
– New devices easily added by writing appropriate component if it doesn’t already exist

• Scalability / Fault Tolerance
– Runs in Ninja distributed execution environment
– Components replicated among nodes in cluster

Other Applications

• Meta-trade environment
– Aggregation: provide most valuable composition of content

• Multi-user or manager account
– Owner of account can view all content
– Account manager only views selected pieces essential to role
– Example: Trade-bot only needs stock quotes and rules
– Account value, and private information hidden from Trade-bot

• Short lived and persistent pseudonyms

• Support sharing of PDAs
– Now have untrusted low power device
– Compose kiosk FCM and PDA components to handle scenario
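The dynamic composition of a path from the Composable Security Framework slide, and the shared-PDA scenario above that reuses the kiosk FCM, as an added Python example (not the Ninja framework's code): components are plain functions on a message dict, and the path for a device kind is the list of components chosen for it. The device id, shared secret, Pilot command set and the use of an HMAC in place of the paper's Blowfish channel are assumptions; the outgoing SSL adaptor is left out.

```python
import hashlib
import hmac
# Constructed shared secrets provisioned to PDAs (sample data, not from the paper).
DEVICE_SECRETS = {"pda-0042": b"constructed-shared-secret"}

def pda_message(device, secret, cmd):
    """What the PDA sends: a Pilot command plus a MAC under its shared secret."""
    mac = hmac.new(secret, cmd.encode(), hashlib.sha256).hexdigest()
    return {"device": device, "cmd": cmd, "mac": mac}

def sa_shared_secret(msg):
    """Incoming security adaptor for the PDA link: verify the shared-secret
    identity (an HMAC stands in for the paper's Blowfish channel)."""
    key = DEVICE_SECRETS.get(msg["device"])
    expected = hmac.new(key, msg["cmd"].encode(), hashlib.sha256).hexdigest() if key else ""
    if not key or not hmac.compare_digest(expected, msg["mac"]):
        raise PermissionError("device identity not verified")
    return msg

def ct_pilot_to_http(msg):
    """Client content transformer: simple Pilot commands to HTTP requests."""
    verb, _, sym = msg["cmd"].partition(" ")
    msg["http"] = {"quote": f"GET /quote?sym={sym} HTTP/1.0",
                   "trade": f"POST /trade?sym={sym} HTTP/1.0"}[verb]
    return msg

def fcm_kiosk_control(msg):
    """Kiosk FCM control filter reused for a shared PDA: quotes allowed, trades refused."""
    if msg["http"].startswith("POST /trade"):
        raise PermissionError("trade disabled on untrusted endpoint")
    return msg

# Paths composed per device kind (outgoing SSL adaptor to the service omitted):
# a trusted personal PDA needs no FCM; a shared PDA gets the kiosk FCM added.
PATHS = {"pda": [sa_shared_secret, ct_pilot_to_http],
         "shared_pda": [sa_shared_secret, ct_pilot_to_http, fcm_kiosk_control]}

def run_path(device_kind, msg):
    """Push one message through every component of the composed path in order."""
    for component in PATHS[device_kind]:
        msg = component(msg)
    return msg

def path_allows(device_kind, msg):
    """True if the path delivers the message, False if a component rejects it."""
    try:
        run_path(device_kind, msg)
        return True
    except PermissionError:
        return False
```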

Security Assessment

• Untrusted endpoint
– May still alter information

• Identity Service
– A primary point to attack

• PDA Keys
– I/O methods limit strength of generated keys

• Dynamic Trust Model
– New Functionality added
» I.e. Citibank online payment
– User must explicitly grant functionality for each profile

Future Work

• Implementation of additional content, control and security transformers

– Additional web services

– Other services

» IMAP, LDAP, e-commerce, etc

– Additional Devices

» Pagers, phones

• Development of common data change format for FCM

– XML for canonical representation, XSL for rendering to device

Take-Away

• New security requirements of Post-PC devices
– Supports access from insecure endpoints
– Precise control of information exposure (access device / role)

• Composable Services in the infrastructure
– New level of “programming”

• Towards an Architecture for Universal Computing
– Diverse concurrent development: 1 to many, meta-svcs, aggregation svcs
– Many to one, heterogeneous clients

• Eureka phenomenon
– Most fundamental services probably yet to be discovered
» Ex: identity service
– Only find them by building the world and living in it
