SecureBus: Towards Application-Transparent Trusted Computing with Mandatory Access Control
Xinwen Zhang (1), Songqing Chen (2), Michael J. Covington (3), and Ravi Sandhu (2)
(1) Samsung Information Systems America, San Jose, CA, USA
(2) George Mason University, Fairfax, VA, USA
(3) Intel Corporation, Hillsboro, OR, USA
Effective June 1, 2007 I am leaving George Mason after 18 years to be Founding Director and Chief Scientist of the new Institute for Cyber-Security Research at the University of Texas, San Antonio.
What is Trusted Computing (TC)?
TC = TChw + TCsw
– TChw = TPM + (TXT or SEM)
– TCsw = whatever
TPM: Trusted Platform Module
– Standard defined by Trusted Computing Group (TCG)
– Combines cryptography with access control
– Root keys never leave TPM
– Root keys can only be used by approved software (as measured by hash chains themselves rooted in TPM)
– Remote attestation allows computer A to find out if computer B is running
4. SB2 verifies the signature and, on success, sends D1 to P2
5. P2 takes D1 and generates output D2, which can be verified by P1
Mandatory Access Control between Processes
Requirements:
– Fine-grained
– Configurable policies
– Policy neutral: role/domain/type/history-based policies
– Minimal PEP (policy enforcement point) – put policy management outside
Features:
– Separation of policy definition and application development
  • enables parallel development
– Support composition of PDPs (policy decision points)
Access Control Model
Attribute-based access control model
Subjects: processes
Subject attributes: the user (pid) context
– domain/group, clearance, role
– Application-specific
– Can be from external attribute authorities
Objects: processes and pure objects (e.g., files)
Object attributes:
– Type, directory, user context info of the processes
– Application-specific: e.g., last accessing subject id
Attribute values can be updated as side-effects of accesses
– e.g., labels for history-based policies
User authentication:
– To get valid user context info
– Prerequisite for policy enforcement
– Not included here
Chinese Wall Policies
History-based access control policies
Can be described with a lattice-based model (Sandhu '93)
– Create subject/object
  • $(u, s, \mathit{create}) \Rightarrow L(s) \le L_m(u)$
  • $(s, o, \mathit{create}) \Rightarrow L(o) \ge L(s)$
– No-read-up (simple property)
  • $(s, o, \mathit{read}) \Rightarrow L(s) \ge L(o)$
– No-write-down (*-property)
  • $(s, o, \mathit{write}) \Rightarrow L(s) \le L(o)$
– High-watermark for subject label: update of subject label
  • $(s, o, \mathit{read}) \Rightarrow L(s)' = (L(s) \oplus L(o)) \wedge (L(s)' \le L_m(u))$
  • $(s_1, s_2, \mathit{write}) \Rightarrow L(s_2)' = (L(s_1) \oplus L(s_2)) \wedge (L(s_2)' \le L_m(u_2))$
  • where $L_m(u)$ is the user's maximum label of a process.
SB provides mechanisms for recording security labels and trusted updates
Prototype Implementation
Process isolation with virtualization
– User-Mode-Linux (UML), user-space VMs
SB is implemented as a daemon in the host OS
IPC with sockets
– Communicate with Tun/Tap interface in host OS
[Figure: VM1 and VM2 run on the VMM, each attached through a Tun/tap interface to the SB Reference Monitor in host OS user space; the monitor issues a token for send/recv between subject s and object o]
Access Control Performance
Read/Write accesses are implemented with the send/recv methods of a TCP socket.
Security labels:
– Process security labels are the set of group names of the user
– File/directory labels are defined with an SB_LABEL file in the same directory
A security token is issued by SB for each access request. Performance can be improved with a token caching mechanism.
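An added example, not code from the SecureBus paper or its prototype: it instantiates the lattice rules from the Chinese Wall slide (simple property, *-property, create, high-watermark update bounded by L_m(u)) with the label representation this slide describes, where a process label is the set of the user's group names and a file label comes from an SB_LABEL file. Assumptions: set inclusion is the lattice order (more groups = higher), union is the join, and the one-group-per-line SB_LABEL format is made up for the example.

```python
def parse_sb_label(text: str) -> frozenset:
    """Constructed SB_LABEL format (an assumption): one group name per line, '#' comments."""
    return frozenset(ln.strip() for ln in text.splitlines()
                     if ln.strip() and not ln.lstrip().startswith("#"))

def dominates(a: frozenset, b: frozenset) -> bool:
    """a >= b in the inclusion lattice: every group of b is also in a."""
    return b <= a

def can_read(l_s: frozenset, l_o: frozenset) -> bool:
    """Simple property, no-read-up: (s, o, read) => L(s) >= L(o)."""
    return dominates(l_s, l_o)

def can_write(l_s: frozenset, l_o: frozenset) -> bool:
    """*-property, no-write-down: (s, o, write) => L(s) <= L(o)."""
    return dominates(l_o, l_s)

def can_create_object(l_s: frozenset, l_o: frozenset) -> bool:
    """(s, o, create) => L(o) >= L(s): a subject cannot create an object below itself."""
    return dominates(l_o, l_s)

class HighWatermarkSubject:
    """History-based variant: a read floats L(s) up to L(s) join L(o), capped by L_m(u)."""

    def __init__(self, l_max: frozenset, l_s: frozenset = frozenset()):
        if not dominates(l_max, l_s):          # (u, s, create) => L(s) <= L_m(u)
            raise ValueError("initial subject label exceeds L_m(u)")
        self.l_max, self.l_s = l_max, l_s

    def read(self, l_o: frozenset) -> bool:
        """Allow iff L(s) join L(o) <= L_m(u); on success record the raised label."""
        new = self.l_s | l_o                   # join = set union in this lattice
        if not dominates(self.l_max, new):
            return False                       # would exceed the user's maximum label
        self.l_s = new                         # side effect: the label update SB records
        return True

    def receive_from(self, sender: "HighWatermarkSubject") -> bool:
        """(s1, s2, write) => L(s2)' = L(s1) join L(s2), bounded by L_m(u2)."""
        return self.read(sender.l_s)

if __name__ == "__main__":
    proc = HighWatermarkSubject(l_max=frozenset({"bankA", "bankB"}))   # user's groups
    print(proc.read(parse_sb_label("bankA\n")), sorted(proc.l_s))      # True ['bankA']
    print(proc.read(parse_sb_label("# payroll\nhr\n")), sorted(proc.l_s))  # False ['bankA']
```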
Conclusions
We propose the SecureBus architecture:
– Process-level isolation and attestation
– Trusted communication between processes
– Comprehensive integrity protection:
  • Code integrity
  • Input/output authenticity
  • Mandatory access control of interactions
– Can be built in a layer transparent to applications
Ongoing and Future Work
XACML implementation of a general PDP for SB
– OASIS standard access control policy specification and enforcement
– Support general subject and object attributes
– Can support multiple-level PDPs in distributed systems
Support general MAC models
– Lattice-based, role-based, domain/type-based, history-based, and usage-based policies
Trusted collaborative computing systems
– Grids, Web Services, and P2P systems
– Virtual domains/organizations/coalitions
Prototype implementation with a TPM/TXT-enabled platform