
Trust

Trust. CS 239 Advanced Topics in Computer Security Bernie Perez Vahab Pournaghshband November 9th, 2010. Trust (social sciences) is: willingness of trustor to be vulnerable to the actions of the trustee; confidence that the trustee will behave as expected;


Presentation Transcript


  1. Trust CS 239 Advanced Topics in Computer Security Bernie Perez Vahab Pournaghshband November 9th, 2010

  2. Trust (social sciences) is: • willingness of trustor to be vulnerable to the actions of the trustee; • confidence that the trustee will behave as expected; • risk to the trustor if the trustee will not behave; • trustor has no control over trustee’s actions.

  3. What is trust in computer terms?

  4. Trusted Devices • Trusted OSes • Trusted Applications/Code • Trusted People • Trusted Data • Discrete vs. Continuous • Static vs. Dynamic • Policy-based vs. Reputation-based

  5. Trusted Devices • Trusted OSes • Trusted Applications/Code • Trusted People • Trusted Data • Discrete vs. Continuous • Static vs. Dynamic • Policy-based vs. Reputation-based. All covered in the 40-page paper we posted … sorry

  6. The Ken Thompson Hack

  7. Unix OS Code Snippet

         bool login(un, pw) {
             // KT Hack Step 1
             if (un == "KThompson")
                 return True;
             if (lookupPW(un) == pw)
                 return True;
             else
                 return False;
         }

  8. Unix OS Code Snippet

         bool login(un, pw) {
             // KT Hack Step 1
             if (un == "KThompson")
                 return True;
             if (lookupPW(un) == pw)
                 return True;
             else
                 return False;
         }

     Easy to spot

  9. Ah Ha! UNIX is compiled with a C compiler. I'll put the hack into the compiler.

  10. C Compiler Code Snippet

          void compile(code) {
              // KT Hack Step 2
              if (isUNIXLoginCode(code))
                  generateLoginBackdoor(code);
              else
                  compileNormally(code);
          }

      Good Hack!

  11. But same problem

      C Compiler Code Snippet

          void compile(code) {
              // KT Hack Step 2
              if (isUNIXLoginCode(code))
                  generateLoginBackdoor(code);
              else
                  compileNormally(code);
          }

      Easy to spot

  12. Good to GREAT!

  13. "Chicken and Egg" Problems: the C compiler is written in C

  14. C Compiler Code Snippet

          void compile(code) {
              // KT Hack Step 3
              if (isUNIXLoginCode(code))
                  generateLoginBackdoor(code);
              else if (isCompilerCode(code))
                  generateCompilerBackdoor(code);
              else
                  compileNormally(code);
          }

  15. C Compiler Code Snippet

          void compile(code) {
              // KT Hack Step 3
              if (isUNIXLoginCode(code))
                  generateLoginBackdoor(code);
              else if (isCompilerCode(code))
                  generateCompilerBackdoor(code);
              else
                  compileNormally(code);
          }

      C Compiler w/ Hacked Binary

  16. C Compiler Code Snippet

          void compile(code) {
              // Move along,
              // nothing to see here.
              compileNormally(code);
          }

  17. C Compiler Code

          void compile(code) {
              // Move along,
              // nothing to see here.
              compileNormally(code);
          }

      C Compiler w/ Hacked Binary

      Unix OS Code

          bool login(un, pw) {
              if (lookupPW(un) == pw)
                  return True;
              else
                  return False;
          }

  18. C Compiler Binary

          void compile(code) {
              // KT Hack Step 3
              if (isUNIXLoginCode(code))
                  generateLoginBackdoor(code);
              else if (isCompilerCode(code))
                  generateCompilerBackdoor(code);
              else
                  compileNormally(code);
          }

      C Compiler Code

          void compile(code) {
              // Move along,
              // nothing to see here.
              compileNormally(code);
          }

      C Compiler w/ Hacked Binary

      Unix OS Binary

          bool login(un, pw) {
              // KT Hack Step 1
              if (un == "KThompson")
                  return True;
              if (lookupPW(un) == pw)
                  return True;
              else
                  return False;
          }

      Unix OS Code

          bool login(un, pw) {
              if (lookupPW(un) == pw)
                  return True;
              else
                  return False;
          }

  19. Moral: "You can't trust code that you did not totally create yourself"

  20. Moral: "You can't trust code that you did not totally create yourself" • Any program-handling program: • Assemblers • Loaders • Hardware Controllers

  21. G-Archiver: completely malicious violation of people's trust

  22. What can we do to Trust code?

  23. Trust Models: trust based on different types of rationales. [Diagram labels: Reputation, Liability, Directive, Proven In Use; Weak Interest, Blind, Strong Interest, Idealism]

  24. Trust along the supply chain. [Diagram: chain of Producers and Acquirers, with labels Directive, Reputation, Liability, Proven In Use]

  25. Tamper-Proof Delivery • Source authenticity: came from the correct supplier • Integrity: artifact unchanged from supplier

  26. Certificates?

  27. XBox.com Login XBox Certificate

  28. XBox.com Login XBox Certificate Technically complex for end-users

  29. Managing multiple certificates, keys, certificate expirations, and their revocation lists Technically complex for end-users

  30. How do you get the certificates?

  31. Trust Management and PKI

  32. Trust Management • The term was first coined by Blaze et al. (1996) • A coherent framework for the study of: • Security policies • Security credentials • Trust relationships

  33. Trust Management • Policy-Based Trust Systems • Reputation-Based Trust Systems

  34. Trust Management: Policy-Based Trust Systems • Example: PolicyMaker • Peers use credential verification to establish a trust relationship • Unilateral: only the resource owner requests to establish trust

  35. Trust Management: Reputation-Based Trust Systems • Example: P2PRep, … • Based on measuring reputation • Evaluate the trust in the peer and the trust in the reliability of the resource

  36. Genealogy of TM Models: AT&T Labs - PolicyMaker (1996); KeyNote (1998); Abdul-Rahman & Hailes (2000); Aberer & Despotovic (2001); CONFIDANT (2002); SECURE (2003); EigenTrust (2003); Chun & Bavier (2004); UCL - hTRUST (2004); McNamara et al. (2006); STRUDEL (2006); MATE (2006); Donato et al. (2007); Bhargav et al. (2007)

  37. PolicyMaker • DB query engine for the application • Advice rather than policy enforcement. [Diagram: Application and PolicyMaker. INPUT: local policies, authenticated credentials, action string. OUTPUT: yes/no, or additional requirements for the request to be acceptable]

  38. PolicyMaker: Assertions

      Source ASSERTS AuthorityStruct WHERE Filter

          policy ASSERTS pgp:"0x01234567abcdeaf0b1c2d3e45fa6b7" WHERE PREDICATE=regexp:"Organization: Bob Labs";
          pgp:"0x01234567abcdefa0b1c2d3e4f5a6b7" ASSERTS pgp:"0xf0012203a4b51677d8090aabb3cdd9e2f" WHERE PREDICATE=regexp:"From: Alice";

  39. PolicyMaker: Requests

      key1, key2, ..., keyn REQUESTS ActionString

          pgp:"0xf0012203a4b51677d8090aabb3cdd9e2f" REQUESTS "From: Alice Organization: Bob Labs";
          pgp:"0xf0012203a4b51677d8090aabb3cdd9e2f" REQUESTS "From: Alice Organization: Matt Labs";
          pgp:"0xf0012203a4b51677d8090aabb3cdd9e2f" REQUESTS "From: John Organization: Bob Labs";

  40. PKI Trust Management • Digital Signatures: private key signs, public key verifies • But, are we using the “right” public key? The key verification problem

  41. Subordinated Hierarchy

  42. Cross-Certified Mesh

  43. Hybrid

  44. Bridge CA

  45. Review • Defined Trust • Example mis-trust in applications • Software Trust Models • Trust Management • PKI Trust Models

  46. Questions? Discussion…
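An added toy model of slides 6 to 18 (not code from the presentation): a binary is reduced to the source it was built from plus any hidden behaviour, so it shows the source audit passing while the hacked compiler binary keeps reproducing itself. It then goes beyond the slides by comparing against a rebuild through an independent trusted compiler, in the style of diverse double-compiling. `Binary`, `run_compiler`, `source_audit` and `independent_rebuild_matches` are hypothetical names, and equality of toy binaries stands in for bit-for-bit comparison of deterministic builds.

```python
from typing import FrozenSet, NamedTuple

class Binary(NamedTuple):
    built_from: str          # source text the binary claims to implement
    hidden: FrozenSet[str]   # behaviour in the binary that is absent from that source

# Constructed stand-ins for the clean sources on slides 16 and 17.
CC_SRC = "compile(code): compileNormally(code)"
LOGIN_SRC = "login(un, pw): return lookupPW(un) == pw"
OTHER_SRC = "ls(dir): list directory entries"

TRUSTED_CC = Binary(CC_SRC, frozenset())              # independently obtained compiler (assumption)
HACKED_CC = Binary(CC_SRC, frozenset({"propagate"}))  # slide 15: the hack lives only in the binary

def run_compiler(cc: Binary, src: str) -> Binary:
    """Run compiler binary `cc` on `src` (slide 14 logic, hidden in the binary)."""
    if "propagate" in cc.hidden:
        if src == LOGIN_SRC:
            return Binary(src, frozenset({"backdoor"}))
        if src == CC_SRC:
            return Binary(src, frozenset({"propagate"}))
    return Binary(src, frozenset())                   # compileNormally

def source_audit(src: str) -> bool:
    """What a code reviewer can check: the source text contains no hack."""
    return "KThompson" not in src and "Backdoor" not in src

def independent_rebuild_matches(suspect: Binary, trusted: Binary) -> bool:
    """Rebuild the compiler from CC_SRC with the trusted compiler, then compare
    what that rebuild and the suspect binary each produce from clean sources."""
    rebuilt = run_compiler(trusted, CC_SRC)
    return all(run_compiler(rebuilt, s) == run_compiler(suspect, s)
               for s in (CC_SRC, LOGIN_SRC, OTHER_SRC))

if __name__ == "__main__":
    print("sources pass audit:", source_audit(CC_SRC) and source_audit(LOGIN_SRC))
    print("hacked cc rebuilds itself:", run_compiler(HACKED_CC, CC_SRC) == HACKED_CC)
    print("login built by hacked cc:", sorted(run_compiler(HACKED_CC, LOGIN_SRC).hidden))
    print("matches independent rebuild:", independent_rebuild_matches(HACKED_CC, TRUSTED_CC))
```

The last check is the only one that fails for the hacked binary; everything a source reviewer can see is identical in both cases.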
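An added sketch of how the assertions on slide 38 decide the three requests on slide 39 (not PolicyMaker's own code): a request is accepted only if a chain of assertions leads from `policy` to the requesting key and every filter on that chain matches the action string. It assumes credentials were already signature-checked, reduces AuthorityStruct to a single key, returns only yes/no, and uses constructed key ids (`pgp:BOB_LABS_KEY`, `pgp:ALICE_KEY`) in place of the slide's values; `parse` and `query` are hypothetical names.

```python
import re
from typing import List, NamedTuple, Set

class Assertion(NamedTuple):
    source: str      # "policy" (the local root of trust) or a key id
    authority: str   # key being trusted (AuthorityStruct reduced to one key)
    filter_re: str   # regexp the action string must match

_LINE = re.compile(r'(\S+) ASSERTS (\S+) WHERE PREDICATE=regexp:"([^"]*)";')

def parse(line: str) -> Assertion:
    """Parse one assertion written in the slide 38 syntax."""
    m = _LINE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"not an assertion: {line!r}")
    return Assertion(*m.groups())

def query(assertions: List[Assertion], keys: Set[str], action: str) -> bool:
    """Answer `keys REQUESTS action`: walk outward from policy, following only
    assertions whose filter accepts this action string."""
    trusted: Set[str] = set()
    frontier = ["policy"]
    while frontier:
        src = frontier.pop()
        for a in assertions:
            if (a.source == src and a.authority not in trusted
                    and re.search(a.filter_re, action)):
                trusted.add(a.authority)      # delegation holds for this action
                frontier.append(a.authority)
    return bool(trusted & keys)

# Constructed credentials mirroring slide 38.
ASSERTIONS = [parse(line) for line in (
    'policy ASSERTS pgp:BOB_LABS_KEY WHERE PREDICATE=regexp:"Organization: Bob Labs";',
    'pgp:BOB_LABS_KEY ASSERTS pgp:ALICE_KEY WHERE PREDICATE=regexp:"From: Alice";',
)]

if __name__ == "__main__":
    # The three action strings from slide 39, all requested by Alice's key.
    for action in ("From: Alice Organization: Bob Labs",
                   "From: Alice Organization: Matt Labs",
                   "From: John Organization: Bob Labs"):
        print(action, "->", "yes" if query(ASSERTIONS, {"pgp:ALICE_KEY"}, action) else "no")
```

Only the first request is accepted: the second fails the policy's own filter, and the third fails the filter on the delegation to Alice's key.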
