Clouds of Things Need Information Flow Control with Hardware Roots of Trust

There is a clear, outstanding need for new security mechanisms that allow data to be managed and controlled within the cloud-enabled Internet of Things. Towards this, we propose an approach based on Information Flow Control (IFC) that allows: (1) the continuous, end-to-end enforcement of data flow policy, and (2) the generation of provenance-like audit logs to demonstrate policy adherence and contractual/regulatory compliance. Further, we discuss the role of Trusted Platform Modules (TPMs) in supporting such a system, by providing hardware roots of trust. TPMs can be leveraged to validate software configurations, including the IFC enforcement mechanism, both in the cloud and externally via remote attestation.
