
INSTITUTE FOR CYBER SECURITY

Page 1: Trusted Computing Models

Prof. Ravi Sandhu
Executive Director and Endowed Chair
Institute for Cyber Security, University of Texas at San Antonio
June 2008
[email protected]
www.profsandhu.com

Page 2: Change Drivers

  Stand-alone computers    ->  Internet
  Enterprise security      ->  Mutually suspicious yet mutually dependent security
  Vandals                  ->  Criminals, nation states, terrorists
  Few standard services    ->  Many and new innovative services

Page 3: Basic Assumptions (Axioms)

• Information needs to be protected: in motion, at rest, in use
• Absolute security is impossible and unnecessary
  • Trying to approximate absolute security is a bad strategy
  • "Good enough" security is feasible and meaningful
• Security is meaningless without application context
  • Cannot know we have "good enough" without this context
• Models and abstractions are all important
  • Without a conceptual framework it is hard to separate "what needs to be done" from "how we do it"
• We are not very good at doing any of this

Page 4: PEI Models: 3 Layers/5 Layers

(figure only: the PEI layer diagram; the Policy, Enforcement and Implementation models are worked through on pages 9 to 12)

Page 5: Access Control Models

• Discretionary Access Control (DAC): owner controls access, but only to the original, not to copies
• Mandatory Access Control (MAC): access based on security labels; labels propagate to copies
• Role-Based Access Control (RBAC): access based on roles; can be configured to do DAC or MAC
• Attribute-Based Access Control (ABAC): access based on attributes, possibly including roles, security labels and whatever else

Page 6: Usage Control Model (UCON)

(figure labels) Core components: Subjects (S) with Subject Attributes (SA), Objects (O) with Object Attributes (OA), Rights (R); the usage decision is driven by Authorizations (A), Obligations (B) and Conditions (C).
Usage decisions: before-usage, ongoing-usage, after-usage.
Continuity of decisions: pre-decision, ongoing-decision.
Mutability of attributes: pre-update, ongoing-update, post-update.

• unified model integrating
  • authorization
  • obligation
  • conditions
• and incorporating
  • continuity of decisions
  • mutability of attributes

Page 7: What makes UCON different?

UCON is an attribute-based authorization model, BUT:
• Attributes are mutable, in that the system updates them automatically as a result of usage
  • Allows count-limited, rate-limited, quota-limited policies to be expressed and enforced
  • E.g., can access up to 10 documents per hour
• Access may require explicit actions by the user attempting access, other users or the system
  • Enables human-in-the-loop just-in-time decisions; e.g., access requires confirmation by a superior officer
  • Enables notification of access; e.g., access is notified to a designated audit authority
  • Enables clean-up after access is completed; e.g., delete cryptographic keys, plaintext content
• Access can depend on system condition and mode
  • E.g., in emergency mode access is enabled (or disabled)
• Access mediation can continue while access is in progress
  • E.g., if credentials are revoked, access is immediately terminated
  • E.g., if system mode changes from normal to emergency, access is terminated
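The quota, obligation, condition and continuity behaviours listed above, as an added Python example that is not code from the slides or from any UCON implementation. The monitor keeps the mutable subject attributes (hourly read counter), checks a condition (system mode), an obligation (confirmation by a superior for high-sensitivity documents), re-evaluates open sessions, and wipes key material when usage ends. The quota value, the `emergency_ok` and `sensitivity` attributes, the `confirmed_by` parameter and the hour counter are assumptions made for this example.

```python
"""UCON-style usage control: pre-decision, ongoing-decision and post-usage
clean-up over mutable subject attributes. Constructed example, stdlib only."""
from dataclasses import dataclass, field
from typing import Optional

HOURLY_QUOTA = 10  # the slide's "up to 10 documents per hour" (assumed quota)


@dataclass
class Subject:
    name: str
    attrs: dict = field(default_factory=dict)  # mutable SA: the monitor updates these


@dataclass
class Document:
    name: str
    attrs: dict = field(default_factory=dict)  # OA, e.g. sensitivity (assumed attribute)


@dataclass
class Session:
    subject: Subject
    doc: Document
    key: Optional[bytes]     # content key held only while usage is ongoing
    active: bool = True
    ended_by: str = ""


class UconMonitor:
    def __init__(self):
        self.mode = "normal"   # condition (C): system mode
        self.hour = 0          # constructed clock, in hours
        self.revoked = set()   # subjects whose credentials were revoked
        self.sessions = []
        self.audit = []        # notifications sent to the designated audit authority

    def request(self, subj, doc, confirmed_by=None):
        """Pre-usage decision: condition, authorization, obligation, then pre-update."""
        # Condition (C): in emergency mode only documents flagged for it stay readable
        if self.mode == "emergency" and not doc.attrs.get("emergency_ok", False):
            return None, "condition: emergency mode"
        if subj.name in self.revoked:
            return None, "authorization: credentials revoked"
        # Authorization (A) on a mutable attribute: reset the counter when the hour changes
        if subj.attrs.get("window") != self.hour:
            subj.attrs["window"], subj.attrs["reads"] = self.hour, 0
        if subj.attrs["reads"] >= HOURLY_QUOTA:
            return None, "authorization: hourly quota exhausted"
        # Obligation (B): high-sensitivity documents need a superior's confirmation
        if doc.attrs.get("sensitivity") == "high" and confirmed_by is None:
            return None, "obligation: confirmation by superior required"
        subj.attrs["reads"] += 1                        # pre-update, done by the system
        session = Session(subj, doc, key=b"\x00" * 16)  # placeholder content key
        self.sessions.append(session)
        self.audit.append((subj.name, doc.name, confirmed_by))  # notification of access
        return session, "granted"

    def reevaluate(self):
        """Ongoing decision: re-check active sessions, terminate those that now fail."""
        ended = []
        for s in self.sessions:
            if not s.active:
                continue
            if s.subject.name in self.revoked:
                self._end(s, "credentials revoked during use")
                ended.append(s)
            elif self.mode == "emergency" and not s.doc.attrs.get("emergency_ok", False):
                self._end(s, "mode changed to emergency")
                ended.append(s)
        return ended

    def _end(self, s, why):
        s.active, s.ended_by = False, why
        s.key = None   # post-usage clean-up: drop the key material


def demo():
    """Walk through quota, obligation, continuity and condition; returns outcomes."""
    m = UconMonitor()
    alice, bob = Subject("alice"), Subject("bob")
    memo = Document("memo.txt")
    plan = Document("plan.doc", {"sensitivity": "high"})
    r = {}
    for _ in range(HOURLY_QUOTA):
        m.request(alice, memo)
    r["eleventh"] = m.request(alice, memo)[1]      # quota exhausted
    m.hour += 1
    r["next_hour"] = m.request(alice, memo)[1]     # window reset, granted
    r["no_confirm"] = m.request(alice, plan)[1]    # obligation unmet
    r["confirmed"] = m.request(alice, plan, confirmed_by="major")[1]
    m.revoked.add("alice")                         # revoke while 12 sessions are open
    ended = m.reevaluate()
    r["terminated"] = len(ended)
    r["keys_wiped"] = all(s.key is None for s in ended)
    r["after_revoke"] = m.request(alice, memo)[1]
    m.mode = "emergency"
    r["emergency"] = m.request(bob, memo)[1]       # condition fails
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point to notice is that the counter lives in the subject's attributes and is written by the monitor, not by the user, and that `reevaluate` is what makes the decision continuous: a revocation takes effect on sessions that were already granted, and the key handed out for the session is destroyed with it.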

Page 8: PEI Models: 3 Layers/5 Layers

(the PEI layer figure from page 4, repeated before the worked example on pages 9 to 12)

Page 9: Policy Model (members)

States and transitions:
  Initial state: never been a member  --enroll-->  State I: currently a member
  State I: currently a member  --dis-enroll-->  State II: past member
  State II: past member  --enroll-->  State III: past member who has enrolled again

Initial state (never been a member):
  1. Straightforward: user has no access to any group documents.

State I (currently a member):
  1. Access to current documents only, or
  2. Access to current documents and past documents.
  3. Access can be further restricted with rate and/or usage limits.
  4. Access can be further restricted on the basis of individual user credentials.

State II (past member):
  1. Past member loses access to all documents, or
  2. can access any document created during his membership, or
  3. can access documents he accessed during membership, or
  4. can access all documents created before he left the group (this includes the ones created before his join time);
  5. all subject to possible additional rate, usage and user credential restrictions.

State III (re-enrolled past member):
  1. No rejoin of past members is allowed; rejoin with a new ID, or
  2. Past members rejoin the group just like any other user who has never been a member.
  3. The same access policies defined during his prior membership should again be enforced, or
  4. Access policies could vary between membership cycles.

Page 10: Policy Model (documents)

States and transitions:
  Initial state: never been a group doc  --add-->  State I: currently a group doc
  State I: currently a group doc  --remove-->  State II: past group doc
  State II: past group doc  --add-->  State III: re-added group doc

Initial state (never been a group document):
  1. Straightforward: no access to group members.

State I (currently a group document):
  1. Access allowed only to current group members, or
  2. Access allowed to current and past group members.

State II (past group document):
  1. No one can access, or
  2. Anyone can access, or
  3. Past members can access.

State III (re-added group document):
  1. Cannot be re-added, or
  2. When a document is re-added, it is treated as a new document added to the group.
  3. Only current members can access, or
  4. Past members and current members can access.
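The member and document state machines on pages 9 and 10, as an added Python example that is not from the slides: each policy option becomes a constructor parameter (`past_member`, `current_member`, `past_doc`, `allow_rejoin`, names chosen here), a document that is re-added becomes a new document, and `can_read` applies the document-side gate and then the member-side gate. Time is a constructed event counter; "anyone" for a past document is taken here to mean any current or past member, and the rate, usage and credential restrictions the slides mention as additional limits are left out.

```python
"""Group membership / document policy model with the slides' options as parameters.
Constructed example, stdlib only."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Cycle:                 # one membership cycle of a user
    joined: int
    left: Optional[int] = None
    accessed: set = field(default_factory=set)   # (doc name, doc added-time) read in this cycle


@dataclass
class Member:
    name: str
    cycles: list = field(default_factory=list)

    @property
    def state(self):
        if not self.cycles:
            return "never"                                              # initial state
        if self.cycles[-1].left is None:
            return "current" if len(self.cycles) == 1 else "rejoined"   # State I / State III
        return "past"                                                   # State II


@dataclass
class Doc:
    name: str
    added: int
    removed: Optional[int] = None

    @property
    def state(self):
        return "current" if self.removed is None else "past"


class GroupCC:
    """Control Center holding the authoritative membership and document attributes."""

    def __init__(self, past_member="none", current_member="current_only",
                 past_doc="none", allow_rejoin=True):
        self.t = 0
        self.members, self.docs = {}, {}
        self.past_member = past_member        # none | created_during | accessed_during | created_before_leaving
        self.current_member = current_member  # current_only | current_and_past
        self.past_doc = past_doc              # none | anyone | past_members
        self.allow_rejoin = allow_rejoin

    def _tick(self):
        self.t += 1
        return self.t

    def enroll(self, name):
        m = self.members.setdefault(name, Member(name))
        if m.state in ("current", "rejoined"):
            raise ValueError(f"{name} is already a member")
        if m.state == "past" and not self.allow_rejoin:
            raise ValueError(f"{name} must rejoin with a new identity")
        m.cycles.append(Cycle(joined=self._tick()))

    def dis_enroll(self, name):
        m = self.members[name]
        if m.state not in ("current", "rejoined"):
            raise ValueError(f"{name} is not a member")
        m.cycles[-1].left = self._tick()

    def add_doc(self, name):
        d = self.docs.get(name)
        if d is not None and d.state == "current":
            raise ValueError(f"{name} is already a group document")
        self.docs[name] = Doc(name, added=self._tick())   # a re-added doc is a new document

    def remove_doc(self, name):
        self.docs[name].removed = self._tick()

    def can_read(self, uname, dname):
        m, d = self.members.get(uname), self.docs[dname]
        if m is None or m.state == "never":
            return False
        if d.state == "past":                            # document-side gate
            if self.past_doc == "none":
                return False
            if self.past_doc == "past_members" and m.state != "past":
                return False
        if m.state in ("current", "rejoined"):           # member-side gate, States I and III
            return d.state == "current" or self.current_member == "current_and_past"
        if self.past_member == "created_during":         # State II options
            return any(c.joined <= d.added <= c.left for c in m.cycles)
        if self.past_member == "accessed_during":
            return any((d.name, d.added) in c.accessed for c in m.cycles)
        if self.past_member == "created_before_leaving":
            return d.added <= m.cycles[-1].left
        return False

    def read(self, uname, dname):
        """Policy check plus the attribute update a read causes (step 4 on page 11)."""
        ok = self.can_read(uname, dname)
        if ok and self.members[uname].state != "past":
            self.members[uname].cycles[-1].accessed.add((dname, self.docs[dname].added))
        return ok


def demo(past_member):
    """Constructed history: alice joins, reads d1 but not d0, leaves, d2 is added, bob joins, alice rejoins."""
    cc = GroupCC(past_member=past_member, current_member="current_only", past_doc="none")
    cc.enroll("alice")                                   # t=1
    cc.add_doc("d0")                                     # t=2, created during her membership, never read
    cc.add_doc("d1")                                     # t=3, created during her membership and read
    r = {"alice_reads_d1": cc.read("alice", "d1")}
    cc.dis_enroll("alice")                               # t=4, State II
    cc.add_doc("d2")                                     # t=5, created after she left
    r["past_d0"], r["past_d1"], r["past_d2"] = (cc.read("alice", x) for x in ("d0", "d1", "d2"))
    cc.remove_doc("d1")                                  # t=6, d1 becomes a past document
    r["past_d1_after_removal"] = cc.read("alice", "d1")
    cc.enroll("bob")                                     # t=7
    r["bob_d1"], r["bob_d2"] = cc.read("bob", "d1"), cc.read("bob", "d2")
    cc.enroll("alice")                                   # t=8, State III
    r["alice_state"] = cc.members["alice"].state
    r["rejoined_d2"] = cc.read("alice", "d2")
    return r
```

Run `demo("created_during")`, `demo("accessed_during")` and `demo("created_before_leaving")` against the same history to see how the four State II options differ on d0, d1 and d2 while everything else stays the same; the `accessed_during` option only works because `read` records what was read while the membership was active, which is exactly the mutable-attribute update the enforcement model has to carry back to the CC.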

Page 11: Enforcement Model

Parties in the figure: Group-Admin, Joining Member, Member, D-Member (dis-enrolled member), Control Center (CC).
Numbered steps in the figure:
  • Member enroll and dis-enroll (steps 1-2, 5)
  • Document add and remove (steps 6, 7)
  • Read policy enforcement (step 3)
  • Attribute update (step 4)

Ideal model: steps 3 and 4 are coupled (every read is decided on attributes that have just been updated with the CC).
Approximate model: steps 3 and 4 are de-coupled (a read may be decided on a member's local attributes before they are refreshed from the CC, so a policy change at the CC can lag on the member's machine).

Two sets of attributes:
  • Authoritative: as known to the CC
  • Local: as known on a member's computer

Page 12: Implementation Model

(figure labels) TPM; VMM; VM0; VM1; Linux Kernel + TPM Driver + MAC Policies; TRM; TVTSS; Internal PCRs; App PCRs; Update Internal PCR; Boot time measurement; Isolated execution; Indirect communication.

• Use TC mechanisms to bind group key + attributes to TRM

Page 13: Trusted Computing Technology

Need crypto and access control. Requirements:
  • Hide the root keys
  • Authorize use of root keys
      with respect to software
      with respect to people
  • Curtained memory
  • Remote attestation
  • Translation of policy, e.g., policy in XACML to policy in SELinux
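The binding of the group key and attributes to the measured TRM (page 12) and the root-key and remote-attestation requirements (page 13), as an added simulation in Python that is not code from the slides or from any TPM software stack. PCR extend is the TPM 1.2 SHA-1 hash chain; sealing and quoting are HMAC stand-ins for the TPM's asymmetric operations so the example runs offline; the PCR assignments, image identifiers and the sealed secret are assumptions made for the example.

```python
"""Simulated PCR extend, sealing a secret to a measured software state, and a
PCR quote for remote attestation. Stdlib only; the wrapping cipher and the quote
MAC stand in for the TPM's RSA operations (constructed example, not a TPM API)."""
import hashlib
import hmac
import os

PCR_LEN = 20  # TPM 1.2 PCRs are SHA-1 sized


def extend(pcr: bytes, data: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || SHA-1(data)); an order-dependent chain."""
    return hashlib.sha1(pcr + hashlib.sha1(data).digest()).digest()


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode keystream, symmetric for encrypt and decrypt."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


class SimTPM:
    def __init__(self, n_pcrs: int = 8):
        self.pcrs = [b"\x00" * PCR_LEN] * n_pcrs
        self._srk = os.urandom(32)   # storage root key: hidden, never leaves the chip
        self._aik = os.urandom(32)   # attestation identity key (symmetric stand-in)

    def reboot(self):
        self.pcrs = [b"\x00" * PCR_LEN] * len(self.pcrs)   # PCRs reset, keys survive

    def extend(self, idx: int, data: bytes):
        self.pcrs[idx] = extend(self.pcrs[idx], data)

    def composite(self, idxs) -> bytes:
        return hashlib.sha1(b"".join(self.pcrs[i] for i in idxs)).digest()

    def seal(self, idxs, secret: bytes):
        """Wrap `secret` under a key derived from the SRK and the current PCR composite."""
        comp = self.composite(idxs)
        k = hmac.new(self._srk, comp, hashlib.sha256).digest()
        ct = _xor_stream(k, secret)
        return (tuple(idxs), comp, ct, hmac.new(k, ct, hashlib.sha256).digest())

    def unseal(self, blob):
        """Succeeds only if the PCRs now equal the composite the blob was sealed to."""
        idxs, comp, ct, tag = blob
        if self.composite(idxs) != comp:
            return None            # a different software stack was measured
        k = hmac.new(self._srk, comp, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, hmac.new(k, ct, hashlib.sha256).digest()):
            return None            # blob was tampered with
        return _xor_stream(k, ct)

    def quote(self, idxs, nonce: bytes):
        """TPM_Quote stand-in: MAC over nonce || selected PCRs under the AIK."""
        pcrs = [self.pcrs[i] for i in idxs]
        return pcrs, hmac.new(self._aik, nonce + b"".join(pcrs), hashlib.sha256).digest()

    def aik_for_verifier(self) -> bytes:
        return self._aik           # a real AIK is asymmetric; the verifier would hold the public half


def verify_quote(aik, expected_pcrs, nonce, pcrs, mac) -> bool:
    """Verifier side of remote attestation: fresh nonce, valid MAC, known-good PCRs."""
    calc = hmac.new(aik, nonce + b"".join(pcrs), hashlib.sha256).digest()
    return hmac.compare_digest(mac, calc) and pcrs == expected_pcrs


# Assumed PCR assignments and image identifiers for the measured boot chain.
BOOT_ORDER = [("vmm", 0), ("kernel", 1), ("trm", 2)]
GOOD_IMAGES = {"vmm": b"vmm-image", "kernel": b"linux+tpmdriver+mac", "trm": b"trm-image"}


def measured_boot(tpm: SimTPM, images: dict):
    """Each stage is measured into its PCR before it runs (measure, then load)."""
    for name, idx in BOOT_ORDER:
        tpm.extend(idx, images[name])


def demo():
    tpm = SimTPM()
    measured_boot(tpm, GOOD_IMAGES)
    secret = b"groupkey=K1;attrs=member:alice,quota:10"   # group key + attributes
    blob = tpm.seal([0, 1, 2], secret)
    expected = list(tpm.pcrs[:3])        # the admin records the known-good PCRs
    nonce = os.urandom(16)
    r = {"good_unseal": tpm.unseal(blob) == secret,
         "attest_good": verify_quote(tpm.aik_for_verifier(), expected, nonce, *tpm.quote([0, 1, 2], nonce))}
    tpm.reboot()                         # same chip, but the TRM binary has been replaced
    measured_boot(tpm, {**GOOD_IMAGES, "trm": b"trm-image-modified"})
    r["bad_unseal"] = tpm.unseal(blob)
    r["attest_bad"] = verify_quote(tpm.aik_for_verifier(), expected, nonce, *tpm.quote([0, 1, 2], nonce))
    return r
```

Two things carry over to a real deployment: the SRK never leaves the chip, so the group key is only recoverable by software whose measurements match the sealed composite (use of the root key is authorized with respect to software), and the quote lets a remote party check the same measurements before it trusts the TRM, provided the nonce is fresh and the expected PCR values come from a trusted source.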

Page 14: Conclusion

Some very interesting challenges ahead and some very exciting research to be done.
Requires collaboration between domain experts, technology experts and security experts.