Remote attestation approach by cross-layer security policy translation

A security policy can state the security expectations of a system model exactly, and policy measurement is an established basis for remote attestation of a computing environment from its model behaviour. Existing policy measurement approaches focus on a single model. Practical policies, however, usually combine properties of several models, so existing methods can neither measure such combined policies nor express unified expectations over multiple collaborating mechanisms and dynamic control systems. This paper proposes CPMA, a remote attestation approach based on cross-layer security policy translation, which verifies the security expectations and combined policy measurements of multi-model systems. CPMA defines expressions for security expectations together with descriptions of the high-layer policy and the low-layer policy, and it gives a translation algorithm and a verification algorithm with low overhead that together provide trusted measurement of the policies of multiple mechanisms. Extensive evaluations show that CPMA measures and verifies system actions accurately and effectively.
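To make the cross-layer idea concrete, the following is an added illustration (not the paper's CPMA algorithm or code) of how a high-layer policy over roles, operations and data classes can be translated into a low-layer policy over user IDs, syscall-level operations and labels, measured as a digest, and checked by a verifier against the measurement an attested host reports. The high-layer policy, the binding table between the two layers, and the function names are constructed for this example; the check reports low-layer grants that no high-layer rule justifies, which is how an over-permissive or tampered enforcement layer shows up.

```python
"""Illustrative cross-layer policy translation and measurement check.

Added example, not CPMA's own algorithm. Assumes a high-layer policy over
(role, operation, data class), a deployment-supplied binding table mapping
those to (uid, low-level op, label), and a verifier that recomputes the
expected low-layer policy and compares it with what the host reports.
"""
import hashlib
import json

# Constructed high-layer policy: (role, operation, data class). Deny by default.
HIGH_POLICY = {
    ("analyst", "read", "confidential"),
    ("analyst", "read", "public"),
    ("auditor", "read", "public"),
    ("backup", "write", "public"),
}

# Constructed binding between the layers (assumption: supplied by the deployment).
BINDING = {
    "roles": {"analyst": {1001, 1002}, "auditor": {1003}, "backup": {1004}},
    "ops": {"read": {"open_rdonly", "mmap_read"}, "write": {"open_wronly", "rename"}},
    "classes": {"confidential": {"lbl:conf"}, "public": {"lbl:pub"}},
}


def translate(high_policy, binding):
    """Expand each high-layer rule into the low-layer (uid, op, label) triples it implies."""
    low = set()
    for role, op, cls in high_policy:
        for uid in binding["roles"][role]:
            for low_op in binding["ops"][op]:
                for label in binding["classes"][cls]:
                    low.add((uid, low_op, label))
    return frozenset(low)


def measure(low_policy):
    """SHA-256 over the canonical (sorted, compact JSON) low-layer policy.

    Plays the role of the measurement a host-side agent would record for its
    enforced policy, e.g. by extending it into a TPM PCR.
    """
    canonical = json.dumps(sorted(low_policy), separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify(high_policy, binding, reported_low_policy, reported_digest):
    """Verifier side: recompute the expected low-layer policy and compare.

    Returns (ok, extra, missing):
      extra   - low-layer grants with no high-layer justification
      missing - expected grants the host does not enforce
    ok requires the reported policy to match the reported digest and to be
    exactly the translation of the high-layer policy.
    """
    expected = translate(high_policy, binding)
    reported = frozenset(reported_low_policy)
    digest_ok = measure(reported) == reported_digest
    extra = reported - expected
    missing = expected - reported
    ok = digest_ok and not extra and not missing
    return ok, extra, missing


if __name__ == "__main__":
    good = translate(HIGH_POLICY, BINDING)
    print(verify(HIGH_POLICY, BINDING, good, measure(good)))
    # Host whose enforcement layer silently grants uid 1003 write access to confidential data
    tampered = set(good) | {(1003, "open_wronly", "lbl:conf")}
    print(verify(HIGH_POLICY, BINDING, tampered, measure(tampered)))
```

The verifier never trusts the host's low-layer policy on its own: the digest ties the policy the host claims to enforce to the measurement it reported, and the set difference ties that policy back to the high-layer expectations, so a grant added only at the low layer is flagged even though its measurement is internally consistent.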
