Dynamic Policy Discovery with Remote Attestation

Remote attestation allows programs running on trusted hardware to prove their identity (and that of their environment) to programs on other hosts. Remote attestation can be used to address security concerns if programs agree on the meaning of data in attestations. This paper studies the enforcement of code-identity based access control policies in a hostile distributed environment, using a combination of remote attestation, dynamic types, and typechecking. This ensures that programs agree on the meaning of data and cannot violate the access control policy, even in the presence of opponent processes. The formal setting is a π-calculus with secure channels, process identity, and remote attestation. Our approach allows executables to be typechecked and deployed independently, without the need for secure initial key and policy distribution beyond the trusted hardware itself.

[1]  Robin Milner,et al.  A Calculus of Mobile Processes, II , 1992, Inf. Comput..

[2]  Ninghui Li,et al.  Design of a role-based trust-management framework , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[3]  Martin Odersky,et al.  Polarized Name Passing , 1995, FSTTCS.

[4]  Martín Abadi,et al.  A Logical Account of NGSCB , 2004, FORTE.

[5]  Michael Franz,et al.  Semantic remote attestation: a virtual machine directed approach to trusted computing , 2004 .

[6]  Ravi S. Sandhu,et al.  Peer-to-peer access control architecture using trusted computing technology , 2005, SACMAT '05.

[7]  Martín Abadi,et al.  A Calculus for Cryptographic Protocols: The spi Calculus , 1999, Inf. Comput..

[8]  Martín Abadi,et al.  Access Control Based on Execution History , 2003, NDSS.

[9]  Martín Abadi,et al.  Secrecy types for asymmetric communication , 2001, Theor. Comput. Sci..

[10]  Andrew D. Gordon,et al.  Types and effects for asymmetric cryptographic protocols , 2004 .

[11]  William A. Arbaugh,et al.  Improving the TCPA Specification , 2002, Computer.

[12]  Andrew D. Gordon,et al.  Secrecy Despite Compromise: Types, Cryptography, and the Pi-Calculus , 2005, CONCUR.

[13]  Martín Abadi Trusted Computing, Trusted Third Parties, and Verified Communications , 2004, SEC.

[14]  Markus G. Kuhn,et al.  Tamper resistance: a cautionary note , 1996 .

[15]  Pradeep K. Khosla,et al.  SWATT: softWare-based attestation for embedded devices , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[16]  Nobuko Yoshida,et al.  Secure Information Flow as Typed Process Behaviour , 2000, ESOP.

[17]  Mark Horowitz,et al.  Implementing an untrusted operating system on trusted hardware , 2003, SOSP '03.

[18]  James Riely,et al.  Resource Access Control in Systems of Mobile Agents , 2002, Inf. Comput..

[19]  Martín Abadi,et al.  Authentication primitives and their compilation , 2000, POPL '00.

[20]  Robin Milner,et al.  On Observing Nondeterminism and Concurrency , 1980, ICALP.

[21]  Vincent Danos,et al.  Transactions in RCCS , 2005, CONCUR.

[22]  Andrew D. Gordon,et al.  A Type Discipline for Authorization in Distributed Systems , 2007, 20th IEEE Computer Security Foundations Symposium (CSF'07).

[23]  Michael Franz,et al.  Symmetric behavior-based trust: a new paradigm for internet computing , 2004, NSPW '04.

[24]  Trent Jaeger,et al.  Design and Implementation of a TCG-based Integrity Measurement Architecture , 2004, USENIX Security Symposium.

[25]  Michele Bugliesi,et al.  Secrecy in Untrusted Networks , 2003, ICALP.

[26]  Martín Abadi,et al.  Secrecy by typing in security protocols , 1999, JACM.

[27]  Michele Bugliesi,et al.  Analysis of typed analyses of authentication protocols , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[28]  Aaron Weiss Trusted computing , 2006, NTWK.

[29]  Andrew D. Gordon,et al.  Authenticity by typing for security protocols , 2003 .

[30]  Dan Boneh,et al.  Architectural support for copy and tamper resistant software , 2000, SIGP.

[31]  Alan Jeffrey,et al.  Pattern-matching spi-calculus , 2004, Inf. Comput..

[32]  Mario Tokoro,et al.  An Object Calculus for Asynchronous Communication , 1991, ECOOP.

[33]  James Riely,et al.  Trust and Partial Typing in Open Systems of Mobile Agents , 2004, Journal of Automated Reasoning.

[34]  Ken Thompson,et al.  Reflections on trusting trust , 1984, CACM.

[35]  Siani Pearson,et al.  Trusted Computing Platforms: TCPA Technology in Context , 2002 .

[36]  Luca Cardelli,et al.  Program fragments, linking, and modularization , 1997, POPL '97.

[37]  Martín Abadi,et al.  Secure Implementation of Channel Abstractions , 2002, Inf. Comput..

[38]  Sean W. Smith,et al.  Building a high-performance, programmable secure coprocessor , 1999, Comput. Networks.

[39]  Ninghui Li,et al.  RT: a Role-based Trust-management framework , 2003, Proceedings DARPA Information Survivability Conference and Exposition.

[40]  William A. Arbaugh,et al.  A secure and reliable bootstrap architecture , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[41]  Andrew bunnie Huang Hacking the Xbox , 2003 .

[42]  Martín Abadi,et al.  Mobile values, new names, and secure communication , 2001, POPL '01.

[43]  Cynthia E. Irvine,et al.  A cautionary note regarding the data integrity capacity of certain secure systems , 2001, IICIS.

[44]  Andrew W. Appel,et al.  SAFKASI: a security mechanism for language-based systems , 2000, TSEM.

[45]  Michele Bugliesi,et al.  Compositional Analysis of Authentication Protocols , 2004, ESOP.

[46]  Pierre America,et al.  ECOOP'91 European Conference on Object-Oriented Programming , 1991, Lecture Notes in Computer Science.

[47]  Davide Sangiorgi,et al.  On Bisimulations for the Asynchronous pi-Calculus , 1996, Theor. Comput. Sci..

[48]  Manuel Núñez,et al.  Applying Formal Methods: Testing, Performance, and M/E-Commerce , 2004, Lecture Notes in Computer Science.

[49]  Ahmad-Reza Sadeghi,et al.  Property-based attestation for computing platforms: caring about properties, not mechanisms , 2004, NSPW '04.

[50]  Robin Milner,et al.  A Calculus of Mobile Processes, II , 1992, Inf. Comput..

[51]  Martín Abadi,et al.  A calculus for cryptographic protocols: the spi calculus , 1997, CCS '97.

[52]  Xavier Leroy,et al.  Dynamics in ML , 1991, FPCA.

[53]  Mario Tokoro,et al.  On Asynchronous Communication Semantics , 1991, Object-Based Concurrent Computing.

[54]  Andrew D. Gordon,et al.  A Type Discipline for Authorization Policies , 2005, ESOP.

[55]  Gérard Berry,et al.  The chemical abstract machine , 1989, POPL '90.