REFEREE: Trust Management for Web Applications
Yang-hua Chu (MIT/W3C)
Joint Work with
Joan Feigenbaum (AT&T Labs)
Brian LaMacchia (AT&T Labs)
Paul Resnick (AT&T Labs)
Martin Strauss (AT&T Labs)
Outline
• Problem statement
• Trust management
• REFEREE trust management system
• REFEREE reference implementation demo
• Conclusion
Trust FAQ
• Does X contain a virus that will erase my HD? [security]
• Does X secretly collect information without my knowledge? [privacy]
• Will X run on my 386? [capability]
• Is X fun to play? [content]
• Has X been tampered with? [integrity]
• Who wrote X? [authentication]
• Should I trust Y who vouches for X? [delegation]
Current technology is not enough: why should I trust those bits?
• Digital Signature (RSA, DSA)
– How many bits of signature are trustworthy?
– What does the signature mean [PICS]?
– How do I get the right public key to verify the signature?
• Public Key Infrastructure (X.509, PGP, SDSI)
– How do I get the CA’s public key?
– What is this certificate authorized to do?
• Whom do I trust to vouch for X?
– X = give me the public key of person Y, sign code, authenticate a document, make this assertion, … etc.
Trust management
• ‘Decentralized Trust Management’ [BFL96]
• Probes the question
– ‘Does this requested action, supported by credentials, conform to my policy?’
• PolicyMaker
– certificates are programs
Trust management in code signing
• Requested action: download and run this code.
• Security policy: download the code only if signed by two entities that MIT endorses, and both entities must state in the signature that X is ‘safe’ according to MIT’s code safety practice.
• Security credentials: relevant PICS labels and certificates.
Other trust management applications in WWW
• document authentication and integrity
• access control
• on-line negotiation
• electronic commerce
• privacy protection
• intellectual property rights
• … more
REFEREE
• “Rule-controlled Environment For Evaluation of Rules and Everything Else”
• Joint effort by researchers from AT&T Labs and W3C
• Goal: create a general-purpose trust management system for Web applications
REFEREE design principle
• A ‘policy’ is a program
– has a fixed language syntax and semantics
– may call another policy
• ‘Policy’ controls everything
– order of execution under policy control
– credential fetching under policy control
– departure from the PolicyMaker [BFL96] approach
REFEREE API
• a sub-system embedded inside a Web application
– can be in a browser, a proxy, or a server
[Diagram: Application and REFEREE. Input API: request with arguments (Application to REFEREE). Output API: answer with justification (REFEREE to Application). Inside REFEREE: Dispatch Actions.]
REFEREE Primitive Data Types
• tri-values
– TRUE, FALSE, UNKNOWN
• statements and statement-lists
– each statement is an s-expression
– a pair of (<context>, <content>), both are also s-expressions
  ( “code-signing”, ((virus-checked 1) (network-access 0) … ) )
REFEREE Primitive Data Types (continued)
• policy
– a triplet (<policy-name>, <policy description>, <language-name>)
– (“code-signing”, ..., “code-signing-language”)
– (“code-signing”, <Java-code>, “Java”)
• interpreter
– a pair (<language-name>, <interpreter>)
– (“code-signing-language”, <Java-code>)
Bootstrapping REFEREE
• The host application loads the REFEREE initial setting:
– trust assertions
– a database of policies
– a database of interpreters
• all bootstrapping information is unconditionally trusted
Invoking REFEREE
• input a requested action and additional arguments
• REFEREE gets the corresponding policy for that action
• REFEREE executes the policy with the additional arguments
• output a tri-value and a list of statements
REFEREE Demo
• in English: “I only execute code if PCWeek says OK according to MIT code safety practice.”
  (invoke "load-label" STATEMENT-LIST URL "http://web.mit.edu/safety" ("http://labels.com/"))
  (invoke "check-hash" STATEMENT-LIST)
  (false-if-unknown
    (match (("check-hash" *)
            (* ((version "PICS-1.1") * (service "http://web.mit.edu/safety") *
                (by "mailto:[email protected]") * (ratings * (RESTRICT > overall 8) *))))
           STATEMENT-LIST))
Components of the REFEREE
[Diagram: Calling Module, REFEREE, Fetcher, Profiles-0.92, Label-loader, Check-hash; arrows labelled bootstrap, invoke and steps 1 to 6.]
Sample Query
• application calls REFEREE
– (“code-signing”, “http://foo/bar.class”)
• line 1: gets the PICS label from the label bureau “http://label-bureau”
  (PICS-1.1 "http://web.mit.edu/safety" labels by "mailto:[email protected]" md5 "7A2B1a2bA72BxyzyplehJQ==" ratings (crash 2 overall 10 virus 0))
Sample Query (Continued)
• line 2: authenticates the signature and checks the source integrity
• line 3: checks the confidence level > 8
• return TRUE (10 > 8)
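The primitive data types, the invocation model and the three-step demo policy above are illustrated below in added example code; it is not the REFEREE reference implementation or its Profiles-0.92 interpreter. The statement list grows as (context, content) pairs through load-label, check-hash and match, and the answer is a tri-value plus that list as justification; the label bureau, code bytes, rater address and function names are constructed for the example.

```python
import base64
import hashlib

TRUE, FALSE, UNKNOWN = "TRUE", "FALSE", "UNKNOWN"  # REFEREE tri-values

def false_if_unknown(value):
    """The demo's false-if-unknown wrapper: an UNKNOWN answer is treated as denial."""
    return FALSE if value == UNKNOWN else value

def md5_b64(data):
    return base64.b64encode(hashlib.md5(data).digest()).decode()

# Constructed stand-ins for the rated code and the label bureau (not real data).
CODE = {"http://foo/bar.class": b"constructed class file bytes"}
LABELS = {"http://foo/bar.class": {
    "version": "PICS-1.1", "service": "http://web.mit.edu/safety",
    "by": "mailto:rater@example.org",          # constructed rater address
    "md5": md5_b64(CODE["http://foo/bar.class"]),
    "ratings": {"crash": 2, "overall": 10, "virus": 0}}}

def load_label(url, statements):
    """Line 1: fetch the label for url and append it as a ("load-label", label) statement."""
    label = LABELS.get(url)
    if label is None:
        return UNKNOWN, statements                # bureau has no label: nothing to say
    return TRUE, statements + [("load-label", label)]

def check_hash(url, statements):
    """Line 2: integrity - re-hash the code; only labels whose md5 matches survive."""
    verified = [("check-hash", label) for ctx, label in statements
                if ctx == "load-label" and label["md5"] == md5_b64(CODE.get(url, b""))]
    return (TRUE if verified else FALSE), statements + verified

def match_overall(statements, threshold):
    """Line 3: RESTRICT > overall threshold, over verified labels from MIT's service."""
    for ctx, label in statements:
        if (ctx == "check-hash" and label["service"] == "http://web.mit.edu/safety"
                and label["ratings"]["overall"] > threshold):
            return TRUE
    return UNKNOWN                                # no matching label: REFEREE cannot decide

def code_signing_policy(url, threshold=8):
    """Run the three demo steps; return (tri-value, statement list as justification)."""
    statements = []
    _, statements = load_label(url, statements)
    _, statements = check_hash(url, statements)
    return false_if_unknown(match_overall(statements, threshold)), statements

if __name__ == "__main__":
    print(code_signing_policy("http://foo/bar.class"))
```

A missing label, a hash mismatch or a rating at or below the threshold all leave match_overall at UNKNOWN, which false-if-unknown turns into a FALSE answer.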
Recap of major REFEREE design principles
• Local policy controls everything
• Separate security policy specification from policy evaluation
– policies are programs
– Profiles-0.92 vs. PICS RULZ
• Systematic, consistent, and modular management of trust
Conclusion: Now and Future
• Trust management is an important component for Web applications
• REFEREE is our initial attempt to tackle the problem in the context of the WWW and it provides insight for future research and development.
Reference
• REFEREE Website
– http://www.w3.org/pub/WWW/PICS/TrustMgt
– link to the REFEREE demo
– link to the [BFL96] paper
• M. Blaze, J. Feigenbaum, J. Lacy, “Decentralized Trust Management”, in Proceedings of the 1996 Symposium on Security and Privacy, pp. 164-173
• Friday, 4/11, 4pm-5:30pm
– trust management for Electronic Commerce