Trust CS 239 Advanced Topics in Computer Security Bernie Perez Vahab Pournaghshband November 9th, 2010

TrustCS 239

Advanced Topics in Computer SecurityBernie Perez

Vahab Pournaghshband

November 9th, 2010

Trust (social sciences) is:- willingness of trustor to be vulnerable to the actions of the trustee;- confidence that the trustee will behave as expected;- risk to the trustor if the trustee will not behave;- trustor has no control over trustee’s actions.

What is trust in computer terms?

• Trusted Devices• Trusted OSes• Trusted Applications/Code• Trusted People• Trusted Data• Discrete vs. Continuous• Static vs. Dynamic• Policy-based vs. Reputation-based

• Trusted Devices• Trusted OSes• Trusted Applications/Code• Trusted People• Trusted Data• Discrete vs. Continuous• Static vs. Dynamic• Policy-based vs. Reputation-based

All covered in the 40-page paper we posted

… sorry

The Ken Thompson Hack

Unix OS Code Snippet

bool login(un,pw) {

// KT Hack Step 1if (un == "KThompson") return True;

if (lookupPW(un)==pw) return True;else return False;}

Unix OS Code Snippet

bool login(un,pw) {



Easy to spot

Ah Ha!

UNIX is complied with a C compiler

I'll put the hack into the compiler

C Compiler Code Snippet

void compile(code) {

// KT Hack Step 2if (isUNIXLoginCode(code)) generateLoginBackdoor(code);else compileNormally(code);}

Good Hack!



// KT Hack Step 2if (isUNIXLoginCode(code)) generateLoginBackdoor(code);else compileNormally(code);}

Easy to spotBut same problem

Good to GREAT!

"Chicken and Egg" Problems

The C compiler is written in C



// KT Hack Step 3if (isUNIXLoginCode(code)) generateLoginBackdoor(code);elseif (isCompilerCode(code)) generateCompilerBackdoor(code);else compileNormally(code);}




C Compilerw/ Hacked Binary


void compile(code) { // Move along, // nothing to see here. compileNormally(code);}

C Compiler Code



Unix OS Code

bool login(un,pw) {


C Compiler Code



C Compiler Binary



Unix OS Binary

bool login(un,pw) {



Unix OS Code

bool login(un,pw) {


Moral:

"You can't trust code that you did not totally create yourself"

Moral:

"You can't trust code that you did not totally create yourself"

Any program-handling program:• Assemblers• Loaders• Hardware Controllers

Completely malicious violation of people's trust

G-Archiver

What can we do to Trust code?

Trust Models

Trust based on different types of rationales

Liability

Reputation

Strong Interest

Weak Interest

Proven In Use

Directive

Idealism

Blind

Producer

Producer

Producer

Producer

Acquirer

Acquirer

Acquirer

Trust along the supply chain

Directive

Reputation Liability

Proven In Use

Tamper-Proof Delivery Source authenticity - Came from the correct supplier

Integrity - Artifact unchanged from supplier

Certificates?

XBox.com Login XBox Certificate

XBox.com Login XBox Certificate

Technically complex for end-users

Managing multiple certificates, keys, certificate expirations, and their revocation lists

Technically complex for end-users

How do you get the certificates?

Trust Management and PKI

• was first coined by Blaze et. al 1996• a coherent framework for the study of

– Security policies– Security credentials – Trust relationships

Trust Management

Trust Management

Policy-Based Trust

Systems

Reputation-Based Trust

Systems

Trust Management

• Example: PolicyMaker • Peers use credential verification to establish a trust relationship• Unilateral, only the resource-owner request to establish trust

Policy-Based Trust

Systems


Systems

Trust Management

Policy-Based Trust

Systems


Systems

• Example: P2PRep, …• Based on measuring Reputation• Evaluate the trust in the peer and the trust in the reliability of the resource

Genealogy of TM ModelsGenealogy of TM ModelsAT&T Labs-Policy Maker (1996)KeyNote(1998)

Abdul-Rahman & Hailes (2000)

Aberer & Despotovic (2001)

EigenTrust (2003)

CONFIDANT (2002)

SECURE (2003)

UCL- hTRUST (2004)McNamara et al. (2006) STRUDEL (2006)MATE (2006)

Donato et al. (2007)

Chun & Bavier(2004)

Bhargav et al.(2007)

PolicyMakerPolicyMaker

• DB query engine for the application• Advice rather than policy enforcement

yes/no or additional requirements for request to be acceptable

PolicyMakerApplicationINPUT

Local policies, authenticated credentials, action string

OUTPUT

Source ASSERTS AuthorityStruct WHERE Filter

PolicyMaker: AssertionsPolicyMaker: Assertions

policy ASSERTS pgp:“OxO1234567abcdeafOblc2d3e45fa6b7” WHERE PREDICATE=regexp:”Organization: Bob Labs”;

pgp:”OxOl234567abcdefaOblc2d3e4f5a6b7” ASSERTS pgp:”OxfOOl22O3a4b5l677d8O9Oaabb3cdd9e2f” WHERE PREDICATE=regexp:”From: Alice”;

key1, key2,..., keyn REQUESTS ActionString

PolicyMaker: RequestsPolicyMaker: Requests

pgp:”OxfOOl22O3a4b5l677d8O9Oaabb3cdd9e2f” REQUESTS

“From: Alice Organization: Bob Labs”;


“From: Alice Organization: Matt Labs”;


“From: John Organization: Bob Labs”;

PKI Trust ManagementPKI Trust Management Digital Signatures

◌ Private key signs, public key verifies But, are we using the “right” public key?

◌ Key verification problem

Subordinated HierarchySubordinated Hierarchy

Cross-Certified MeshCross-Certified Mesh

HybridHybrid

Bridge CABridge CA

Review

• Defined Trust• Example mis-trust in applications• Software Trust Models• Trust Management• PKI Trust Models

Questions?

Discussion…

Documents

Trust CS 239 Advanced Topics in Computer Security Bernie Perez Vahab Pournaghshband November 9th, 2010