Transparent Mobile Storage Protection in Trusted Virtual Domains

Mobile Storage Devices, such as USB flash drives, offer a flexible solution for the transport and exchange of data. Nevertheless, in order to prevent unauthorized access to sensitive data, many enterprises impose strict security policies on the use of such devices, with the effect of rendering their advantages rather unfruitful. Trusted Virtual Domains (TVDs) provide a secure IT infrastructure offering homogeneous and transparent enforcement of access control policies on data and network resources; however, the current model does not specifically deal with Mobile Storage Devices. In this paper, we present an extension of the TVD architecture to incorporate the usage of Mobile Storage Devices. Our proposal addresses three major issues: a coherent extension of TVD policy enforcement by introducing architectural components that provide identification and management of transitory devices; transparent mandatory encryption of sensitive data stored on mobile devices; and a highly dynamic, centralized key management service. In particular, we address offline scenarios that allow users to access and modify data while being temporarily disconnected from the domain. We also present a prototype implementation based on the Turaya security kernel.
