
REFEREE: Trust Management for Web Applications

Yang-hua Chu (MIT/W3C)

Joint Work with

Joan Feigenbaum (AT&T Labs)

Brian LaMacchia (AT&T Labs)

Paul Resnick (AT&T Labs)

Martin Strauss (AT&T Labs)

Outline

• Problem statement

• Trust management

• REFEREE trust management system

• REFEREE reference implementation demo

• Conclusion

Example: code signing

• Away from shrink-wrapped model

• Toward code distribution through network

Trust FAQ

• Does X contain a virus that will erase my HD? [security]

• Does X secretly collect information without my knowledge? [privacy]

• Will X run on my 386? [capability]

• Is X fun to play? [content]

• Has X been tampered with? [integrity]

• Who wrote X? [authentication]

• Should I trust Y who vouches for X? [delegation]

Current technology is not enough: why should I trust those bits?

• Digital Signature (RSA, DSA)

– How many bits of signature is trustworthy?

– What does the signature mean [PICS]?

– How do I get the right public key to verify the signature?

• Public Key Infrastructure (X.509, PGP, SDSI)

– How do I get the CA’s public key?

– What is this certificate authorized to do?

• Whom do I trust to vouch for X?

– X = give me public key of person Y, sign code, authenticate document, make this assertion, … etc.

Trust management

• ‘Decentralized Trust Management’ [BFL96]

• Probes the question

– ‘Does this requested action, supported by credentials, conform to my policy?’

• PolicyMaker

– certificates are programs

Trust management in code signing

• Requested action: download and run this code.

• Security policy: download the code only if signed by two entities that MIT endorses, and both entities must state in the signature that X is ‘safe’ according to MIT’s code safety practice.

• Security credentials: relevant PICS labels and certificates.

Other trust management applications in WWW

• document authentication and integrity

• access control

• on-line negotiation

• electronic commerce

• privacy protection

• intellectual property rights

• … more

REFEREE

• “Rule-controlled Environment For Evaluation of Rules and Everything Else”

• Joint effort by researchers from AT&T Labs and W3C

• Goal: create a general-purpose trust management system for Web applications

REFEREE design principle

• A ‘policy’ is a program

– has a fixed language syntax and semantics

– may call another policy

• ‘Policy’ controls everything

– order of execution under policy control

– credential fetching under policy control

– departure from PolicyMaker [BFL96] approach

REFEREE API

• a sub-system embedded inside a Web application

– can be in a browser, a proxy, or a server

[Diagram: Application calls REFEREE. Input API: request with arguments. Output API: answer with justification. REFEREE dispatches actions.]

REFEREE Primitive Data Types

• tri-values

– TRUE, FALSE, UNKNOWN

• statements and statement-lists

– each statement is an s-expression

– a pair of (<context>, <content>), both are also s-expressions

( “code-signing”, ((virus-checked 1) (network-access 0) … ) )

REFEREE Primitive Data Types (continued)

• policy

– a triplet (<policy-name>, <policy-description>, <language-name>)

– (“code-signing”, ..., “code-signing-language”)

– (“code-signing”, <Java-code>, “Java”)

• interpreter

– a pair (<language-name>, <interpreter>)

– (“code-signing-language”, <Java-code>)

Bootstrapping REFEREE

• The host application loads REFEREE initial setting:

– trust assertions

– a database of policies

– a database of interpreters

• all bootstrapping information is unconditionally trusted

Invoking REFEREE

• input a requested action and additional arguments

• REFEREE gets the corresponding policy for that action

• REFEREE executes the policy with the additional arguments

• output a tri-value and a list of statements

REFEREE Demo

• in English: “I only execute code if PCWeek says OK according to MIT code safety practice.”

(invoke "load-label" STATEMENT-LIST URL "http://web.mit.edu/safety" ("http://labels.com/"))
(invoke "check-hash" STATEMENT-LIST)
(false-if-unknown
  (match (("check-hash" *)
          (* ((version "PICS-1.1") * (service "http://web.mit.edu/safety") *
              (by "mailto:[email protected]") * (ratings * (RESTRICT > overall 8) * ))))
   STATEMENT-LIST))

Components of the REFEREE

[Diagram: the Calling Module enters REFEREE via bootstrap and invoke; REFEREE modules are Fetcher, Profiles-0.92, Label-loader and Check-hash; call steps are numbered 1 to 6.]

Sample Query

• application calls REFEREE

– (“code-signing”, “http://foo/bar.class”)

• line 1: gets the PICS label from the label bureau “http://label-bureau”

(PICS-1.1 "http://web.mit.edu/safety" labels by "mailto:[email protected]" md5 "7A2B1a2bA72BxyzyplehJQ==" ratings (crash 2 overall 10 virus 0))

Sample Query (Continued)

• line 2: authenticates the signature and checks the source integrity

• line 3: checks the confidence level > 8

• return TRUE (10 > 8)
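The demo policy and sample query walked through above, as an added Python example that is not part of the slides or of the REFEREE reference implementation: tri-values, (context, content) statements and the three policy lines follow the slides, while the label bureau dictionary, the hash_ok flag and the function names are constructed assumptions.

```python
TRUE, FALSE, UNKNOWN = "TRUE", "FALSE", "UNKNOWN"   # REFEREE tri-values

# Constructed stand-in for the label bureau: the PICS label from the sample query.
LABEL_BUREAU = {
    "http://foo/bar.class": {
        "version": "PICS-1.1",
        "service": "http://web.mit.edu/safety",
        "by": "mailto:[email protected]",
        "ratings": {"crash": 2, "overall": 10, "virus": 0},
    }
}

def load_label(url, statements):
    """Line 1: fetch the label for url and add a ("load-label", <label>) statement."""
    label = LABEL_BUREAU.get(url)
    if label is None:
        return UNKNOWN                 # no credential at all: neither yes nor no
    statements.append(("load-label", label))
    return TRUE

def check_hash(statements, hash_ok):
    """Line 2: re-emit fetched labels under "check-hash" only if signature and hash verified."""
    if not hash_ok:                    # hash_ok is constructed input standing in for the check
        return FALSE
    for ctx, content in list(statements):
        if ctx == "load-label":
            statements.append(("check-hash", content))
    return TRUE

def match_overall_above(statements, service, by, threshold):
    """Line 3: the match pattern; TRUE for a hash-checked PICS-1.1 label with overall > threshold."""
    for ctx, c in statements:
        if ctx == "check-hash" and c.get("version") == "PICS-1.1" \
           and c.get("service") == service and c.get("by") == by \
           and c.get("ratings", {}).get("overall", 0) > threshold:
            return TRUE
    return UNKNOWN                     # nothing matched: not a denial, just no evidence

def false_if_unknown(value):
    return FALSE if value == UNKNOWN else value

def code_signing_policy(url, hash_ok=True):
    """The demo policy end to end: returns (tri-value, justification statement list)."""
    stmts = []
    load_label(url, stmts)
    check_hash(stmts, hash_ok)
    verdict = false_if_unknown(match_overall_above(
        stmts, "http://web.mit.edu/safety", "mailto:[email protected]", 8))
    return verdict, stmts
```

Only labels that survived the hash check carry the "check-hash" context, so a label whose integrity check fails never satisfies the match, and the UNKNOWN that results is turned into a refusal by false-if-unknown.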

Recap of major REFEREE design principles

• Local policy controls everything

• Separate security policy specification from policy evaluation

– policies are programs

– Profiles-0.92 vs. PICS RULZ

• Systematic, consistent, and modular management of trust

Conclusion: Now and Future

• Trust management is an important component for Web applications

• REFEREE is our initial attempt to tackle the problem in the context of the WWW and it provides insight for future research and development.

Reference

• REFEREE Website

– http://www.w3.org/pub/WWW/PICS/TrustMgt

– link to the REFEREE demo

– link to [BFL96] paper

• M. Blaze, J. Feigenbaum, J. Lacy, “Decentralized Trust Management”, in Proceedings of the 1996 Symposium on Security and Privacy, pp. 164-173

• Friday, 4/11, 4pm-5:30pm

– trust management for Electronic Commerce