A Comprehensive Trust Model for Component Software


Autonomic Trust Management for a Pervasive System
Zheng Yan
Nokia Research Center, Helsinki, Finland
Secrypt’08, July 27, 2008, Porto, Portugal
Autonomic Trust Management for a Pervasive System
Zheng Yan
Outline
• Introduction and motivation
• Related work
• Fundamental technologies
• Solution: autonomic trust management
• An example application
• Further discussion
• Conclusions and future work
Introduction & motivation
• Pervasive systems
  • Allow seamless interactions among various portable and networked processing devices, distributed at all scales throughout everyday routine life
  • Decentralized, distributed, open, dynamic
  • Communications depend on trust among devices: classical, centralized security-managing mechanisms are unusable
  • Trust becomes a crucial issue for ensuring effective collaboration among various devices for expected services
• A holistic notion of trust
  • Includes several properties, such as security, availability and reliability, depending on the requirements of a trustor
  • The assessment by a trustor of how well the observed behavior of a trustee, measured through a number of quality attributes, meets the trustor’s own standards for an intended purpose
Related work
• Xu, Xin, and Lu (2007): a hybrid model encompassing a trust model, a security model and a risk model for pervasive computing
• Shand, Dimmock, and Bacon (2004): a trust and risk framework to facilitate secure collaboration
• Claycomb and Shin (2006): a visual framework for securing impromptu collaboration
• Yin, Ray, and Ray (2006): a trust model for pervasive computing applications and strategies for establishing trust between entities to support the dynamics of trust
• Spanoudakis (2007): a platform for dynamic trust assessment of software services
• Wolfe, Ahamed, and Zulkernine (2006): trust management based on a scheme for categorizing devices, calculating trust, and facilitating trust-related communications
• Remarks
  • These works mainly establish distinct trust models based on different theories or methods, in terms of various scenes and motivations.
  • They apply trust, reputation and/or risk analysis mechanisms based on fuzzy logic, probabilistic theory, cloud theory, traditional authentication and cryptography methods and so on to manage trust.
  • They do not support autonomic control of trust for the fulfillment of an intended service.
  • This influences the effectiveness of trust management, since trust is both subjective and dynamic.
Main idea of our paper
• An autonomic trust management solution for the pervasive system
  • Based on a trusted computing platform
  • Supports autonomic trust control on the trustee device based on the trustor device’s specification
• An adaptive trust control model
  • Assumes several trust control modes, each of which contains a number of control mechanisms or operations
  • Ensures a suitable set of control modes is applied
  • A Fuzzy Cognitive Map models the factors related to trust for control mode prediction and selection
  • Uses the runtime trust assessment result as feedback to autonomously adapt the weights in the adaptive trust control model, in order to find a suitable set of control modes in a specific pervasive computing context
Fundamental technologies (1): a mechanism to sustain trust
• Trust form
  • Trustor A trusts trustee B for purpose P under condition C based on root trust R
• Root trust (RT) module
  • Hardware-based security module
  • Registers, protects and manages the conditions for trust sustaining and self-regulating
  • Monitors any computing platform change, including any alteration or operation on hardware, software and their configurations
  • Checks changes and restricts them based on the trust conditions, as well as notifying the trustor accordingly
• Approaches to notify changes
  • active method and passive method
[Figure: Root Trust Module. Secure Registers hold the platform trusted booting record and the registered conditions for trust sustaining and self-regulating; the Monitor monitors the hardware and software and notifies the Controller; the Controller applies control to hardware and software; the Reporter reports a signal of distrust.]
A mechanism to sustain trust: protocol
• Root trust challenge and attestation to ensure the trustor’s basic trust dependence on the trustee in steps 1-2;
• Trust establishment by specifying the trust conditions and registering them at the trustee’s RT module for trust sustaining in steps 3-6;
• Sustaining the trust relationship through the monitoring and control by the RT module in steps 7-8;
• Re-challenge the trust relationship if necessary when any changes against the trust conditions are reported.
[Figure: message sequence between Trustor A (Device A) and Trustee B (Device B with its Root Trust Module):
1. Root trust challenge from A
2. Evidence of root trust from B; A performs evidence verification (a "fail" branch is shown)
3. Trust relationship establishment request from A
4. Confirmation from B
5. Trust relationship conditions C; the RT module of B performs conditions verification and registration
6. Confirmation of conditions from B
7. Transaction and cooperation between A and B
8.1 Restrictions on changes: on a local environment change against the conditions, the RT module takes the corresponding action
8.2 Notification of distrust to A (optional); A re-challenges when needed]
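The eight protocol steps above, as an added example that is not part of the slides or of the author’s implementation: a single-process simulation in which the trustee’s RT module attests its boot record to a fresh nonce, registers the trustor’s conditions, restricts a change that violates them and reports distrust, after which the trustor re-challenges. The RT module’s hardware-rooted attestation key is replaced by an HMAC key shared with the trustor, an assumption made only so the example runs offline.

```python
# Added example (not from the slides): a toy simulation of the trust-sustaining
# protocol in steps 1-8. The RT module's hardware-rooted attestation key is
# replaced by an HMAC key shared with the trustor (an assumption that keeps the
# example self-contained).
import hashlib
import hmac
import os


class RootTrustModule:
    """Trustee-side RT module: secure registers, monitor, controller, reporter."""

    def __init__(self, key, boot_record):
        self._key = key                  # assumed hardware-protected key
        self.boot_record = boot_record   # platform trusted booting record
        self.conditions = {}             # registered trust conditions C
        self.restrictions = []           # changes the controller restricted (8.1)
        self.reports = []                # signals of distrust (8.2)

    def attest(self, nonce):
        """Step 2: evidence of root trust, bound to the trustor's fresh nonce."""
        tag = hmac.new(self._key, nonce + self.boot_record.encode(),
                       hashlib.sha256).hexdigest()
        return self.boot_record, tag

    def register_conditions(self, conditions):
        """Steps 5-6: verify and register the trustor's conditions."""
        if not conditions or not all(isinstance(k, str) for k in conditions):
            return False                 # reject empty or malformed conditions
        self.conditions = dict(conditions)
        return True

    def on_change(self, attribute, new_value):
        """Steps 8.1/8.2: monitor a local change, restrict it, report distrust."""
        expected = self.conditions.get(attribute)
        if expected is None or expected == new_value:
            return "allowed"             # not governed by a condition, or compliant
        self.restrictions.append((attribute, new_value))
        self.reports.append(
            f"distrust: {attribute}={new_value!r}, condition requires {expected!r}")
        return "restricted"


class Trustor:
    """Device A: challenges, verifies evidence, specifies conditions."""

    def __init__(self, key, expected_boot_record):
        self._key = key
        self.expected_boot_record = expected_boot_record
        self.trusted = False

    def challenge(self, rt):
        """Steps 1-2: fresh nonce, then evidence verification."""
        nonce = os.urandom(16)
        boot_record, tag = rt.attest(nonce)
        good = hmac.new(self._key, nonce + boot_record.encode(),
                        hashlib.sha256).hexdigest()
        self.trusted = (hmac.compare_digest(tag, good)
                        and boot_record == self.expected_boot_record)
        return self.trusted

    def establish(self, rt, conditions):
        """Steps 3-6: only after a successful root trust challenge."""
        return self.trusted and rt.register_conditions(conditions)

    def handle_reports(self, rt):
        """Step 8.2 followed by a re-challenge when distrust was reported."""
        if rt.reports:
            self.trusted = False
            return self.challenge(rt)
        return self.trusted


def run_scenario():
    """Constructed walk-through; returns the observable outcomes."""
    key = b"constructed-shared-key"
    rt = RootTrustModule(key, "boot-record-v1")
    a = Trustor(key, "boot-record-v1")
    out = {}
    out["challenge"] = a.challenge(rt)                          # steps 1-2
    out["established"] = a.establish(rt, {"firmware": "v1"})    # steps 3-6
    out["benign_change"] = rt.on_change("locale", "fi")         # step 7, ungoverned
    out["bad_change"] = rt.on_change("firmware", "v2")          # 8.1 restricted
    out["rechallenge_ok"] = a.handle_reports(rt)                # 8.2, record intact
    rt.boot_record = "boot-record-tampered"                     # platform diverges
    out["rechallenge_tampered"] = a.challenge(rt)               # re-challenge fails
    return out


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step}: {outcome}")
```

The nonce is what makes step 2 attestation rather than a static report: a replayed tag from an earlier run does not verify, and a boot record that no longer matches the trustor’s expectation fails the re-challenge even though the tag itself is valid.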
Fundamental technologies (2): an adaptive trust control model
• Trustworthiness is considered to be influenced by a number of quality attributes.
• These quality attributes are ensured or controlled through a number of control modes.
• A weight is used to indicate the importance rate of each quality attribute.
• An influence factor of a control mode is set based on the impact of the control mode on the quality attributes.
• We also apply a selection factor of a control mode to indicate which control mode is actually applied in the system.
• A control mode contains a number of control mechanisms or operations.
[Figure: Fuzzy Cognitive Map. Trustworthiness T is linked to the quality attributes QA_1..QA_n (values V_QA_1..V_QA_n) by the weights w_1..w_n; the control modes C_1..C_m (values V_C_1..V_C_m, selection factors BC_1..BC_m) are linked to the quality attributes by the influence factors cw_11..cw_mn.]
Model equations:
$$T = f\Big(\sum_{i=1}^{n} w_i V_{QA_i},\ T^{old}\Big)$$
$$V_{QA_i} = f\Big(\sum_{j=1}^{m} cw_{ji} V_{C_j} BC_j,\ V_{QA_i}^{old}\Big)$$
$$V_{C_j} = f\big(T \times BC_j,\ V_{C_j}^{old}\big)$$
Autonomic trust management: a system definition
• User
• Pervasive system
• Pervasive computing devices
• Trusted computing platform
• Root Trust module
• Autonomic trust management framework (ATMF)
• Operating System (OS)
• A performance observer
• Services
[Figure: entity relationships among User, Pervasive System, Device, Trusted Computing Platform, Root Trust Module, OS and Performance Observer, Autonomic Trust Management Framework and Service; edge labels: uses, includes, offers, has, protects, contains, supports, runs & monitors, manages.]
Autonomic Trust Management Framework (ATMF)
• Responsibility: manage the trustworthiness of a trustee service
  • Configure its trust properties
  • Switch on/off the trust control mechanisms, i.e. select a suitable set of control modes
• Secure storages
  • Experience base
  • Policy base
  • Mechanism base
• ATMF secure access to the RT module
  • Extract the policies into the policy base for trust assessment if necessary
• An evaluation, decision and selection engine (EDS engine)
  • Trust assessment
  • Make trust decisions
  • Select suitable trust control modes
[Figure: Services 1..n run on the Operating System with Performance Observer, on the Trusted Computing Platform; the Autonomic Trust Management Framework comprises the Experience Base, Policy Base, Mechanism Base and the Evaluation, Decision and Selection (EDS) Engine, with secure access to the Root Trust Module.]
Autonomic trust management procedure
• Remote service collaboration check
  • Yes: trust sustaining mechanism
  • Embed device trust conditions (including trust policies) into RT
• Extract trust policies, save into policy base
• Trustworthiness and trust control mode prediction, selection
• Monitor performance and behavior
• Adjust trust control model
[Figure: flowchart. Service collaboration starts. Is it local service collaboration? If No: root trust challenge and attestation on the device of the trustee service; specify the trust conditions and register them at the trustee device RT module; extract trust policies for trust assessment from the trust conditions; input the trust policies into the policy base of the trustee device’s ATMF. Then (also if Yes): trustworthiness and trust control mode prediction; trust control mode selection. Are suitable modes found? If No: raise a warning or optimize the trust control mode configurations; if Yes: apply the selected control modes and monitor the behavior of the trustee service at runtime. Is the trust assessment on the trustee positive? If No: adaptive trust control model adjustment, then back to prediction and selection; if Yes: continue monitoring.]
Algorithms
• Trust assessment
  • Trust value generator: $r_i = \dfrac{p}{p + n + r},\ r \geq 1$
  • Weighted summation: $T = \sum_i w_i r_i$
• Control mode prediction and selection
  • Anticipate the performance or feasibility of all possibly applied trust control modes.
  • Select a set of suitable trust control modes based on the control mode prediction results.
• Adaptive trust control model adjustment
  • Adjust the influence factors of the trust control model in order to make it reflect the real system situation or context.
Trust Control Mode Prediction and Selection
• The control modes are predicted through evaluating all possible modes and their compositions $S_k$ ($k = 1, \ldots, K$) based on the adaptive trust control model
• The prediction algorithm: for each $S_k$, repeat
  $$V_{C_j,k} = f\big(T_k \times BC_{j,k},\ V^{old}_{C_j,k}\big)$$
  $$V_{QA_i,k} = f\Big(\sum_{j=1}^{m} cw_{ji} V_{C_j,k} BC_{j,k},\ V^{old}_{QA_i,k}\Big)$$
  $$T_k = f\Big(\sum_{i=1}^{n} w_i V_{QA_i,k},\ T^{old}_k\Big)$$
  while $T_k$ still changes from $T^{old}_k$ between iterations
• The control modes are selected based on the control mode prediction results
• The selection algorithm
  • Calculate the selection threshold $tr = \dfrac{\sum_{k=1}^{K} T_k}{K}$;
  • Compare $V_{QA_i,k}$ and $T_k$ of $S_k$ to $tr$: set the selection factor $SF_{S_k} = 1$ if $V_{QA_i,k} \geq tr$ and $T_k \geq tr$; set $SF_{S_k} = -1$ if $V_{QA_i,k} < tr$ or $T_k < tr$;
  • For $SF_{S_k} = 1$, calculate the distance of $V_{QA_i,k}$ and $T_k$ to $tr$ as $d_k = \min\{V_{QA_i,k} - tr,\ T_k - tr\}$; for $SF_{S_k} = -1$, calculate the distance as $d_k = \max\{tr - V_{QA_i,k},\ tr - T_k\}$, only when $V_{QA_i,k} < tr$ and $T_k < tr$;
  • If some $SF_{S_k} = 1$, select the best winner with the biggest $d_k$; else select the best loser with the smallest $d_k$.
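The model equations of the adaptive trust control model and the prediction and selection algorithm above, as an added example that is not the slides’ or the author’s code: every non-empty composition $S_k$ of the control modes is evaluated by iterating the three equations to a fixed point, the threshold $tr$ is the mean of the predicted $T_k$, and the winner with the biggest margin (or, failing any winner, the loser with the smallest shortfall) is selected. The transfer function $f$ is not given on the slides and is assumed here to be the logistic squashing of (new input + old value), as is usual for fuzzy cognitive maps; the weights, influence factors and attribute labels are constructed sample data.

```python
# Added example (not from the slides): the adaptive trust control model and the
# control mode prediction/selection algorithm, run over every composition S_k.
# f is ASSUMED to be the logistic squashing of (new input + old value); the
# weights, influence factors and labels below are constructed sample data.
import itertools
import math


def f(x, old):
    """Assumed FCM transfer function: logistic squashing of input plus old state."""
    return 1.0 / (1.0 + math.exp(-(x + old)))


def predict(w, cw, bc, eps=1e-9, max_iter=500):
    """Prediction for one composition S_k: iterate V_C_j, V_QA_i and T until T settles.

    w[i]     weight of quality attribute QA_i
    cw[j][i] influence factor of control mode C_j on QA_i
    bc[j]    selection factor of C_j in this composition (1 applied, 0 not)
    Returns (T_k, [V_QA_i,k for each i]).
    """
    n, m = len(w), len(cw)
    t, vqa, vc = 0.0, [0.0] * n, [0.0] * m
    for _ in range(max_iter):
        vc = [f(t * bc[j], vc[j]) for j in range(m)]                  # V_C_j
        vqa = [f(sum(cw[j][i] * vc[j] * bc[j] for j in range(m)), vqa[i])
               for i in range(n)]                                       # V_QA_i
        t_new = f(sum(w[i] * vqa[i] for i in range(n)), t)             # T
        if abs(t_new - t) < eps:
            return t_new, vqa
        t = t_new
    return t, vqa


def select(w, cw):
    """Selection: threshold tr, selection factors SF, distances d_k, chosen S_k."""
    m = len(cw)
    comps = [list(bc) for bc in itertools.product((0, 1), repeat=m) if any(bc)]
    preds = [predict(w, cw, bc) for bc in comps]
    tr = sum(t for t, _ in preds) / len(preds)          # selection threshold
    sf, d = [], []
    for t, vqa in preds:
        if t >= tr and all(v >= tr for v in vqa):       # winner: SF = +1
            sf.append(1)
            d.append(min([v - tr for v in vqa] + [t - tr]))   # smallest margin
        else:                                           # loser: SF = -1
            sf.append(-1)
            d.append(max([tr - v for v in vqa] + [tr - t]))   # largest shortfall
    winners = [k for k in range(len(comps)) if sf[k] == 1]
    if winners:
        k = max(winners, key=lambda k: d[k])            # best winner: biggest d_k
    else:
        k = min(range(len(comps)), key=lambda k: d[k])  # best loser: smallest d_k
    return {"compositions": comps, "T": [t for t, _ in preds],
            "VQA": [v for _, v in preds], "tr": tr, "SF": sf, "d": d, "selected": k}


if __name__ == "__main__":
    # Constructed data: QA_1 = availability, QA_2 = confidentiality;
    # C_1 (e.g. a redundancy mechanism) helps both attributes, while
    # C_2 (e.g. encryption) helps confidentiality but costs availability.
    W = [0.6, 0.4]
    CW = [[0.9, 0.3], [-0.6, 0.9]]
    res = select(W, CW)
    for bc, t, s, dk in zip(res["compositions"], res["T"], res["SF"], res["d"]):
        print(f"S={bc} T={t:.3f} SF={s:+d} d={dk:+.3f}")
    print("tr =", round(res["tr"], 3), "selected S =", res["compositions"][res["selected"]])
```

Because the threshold is the mean of the predicted $T_k$, roughly half of the compositions always land below it; the distance $d_k$ is what ranks them, so a composition that raises $T$ at the expense of one attribute can still lose to one that keeps every attribute above the threshold.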
Adaptive Trust Control Model Adjustment
• Subjective & dynamic support
• Context-aware trust model adjustment
  • The influencing factors of each control mode should be context-aware.
  • The trust control model should be dynamically maintained and optimized in order to reflect the real system situation.
  • Observation-based trust assessment serves as the feedback for adaptive model adjustment.
• Two schemes
  • Equal adjustment scheme: each control mode has the same impact on the deviation between $V_{QA_i}^{monitor}$ and $V_{QA_i}^{predict}$
  • Unequal adjustment scheme: the control mode with the biggest absolute influencing factor always impacts more on the deviation between $V_{QA_i}^{monitor}$ and $V_{QA_i}^{predict}$
• The equal adjustment scheme
  • While $|V_{QA_i}^{monitor} - V_{QA_i}^{predict}| > \varepsilon$, do
    • a) If $V_{QA_i}^{monitor} > V_{QA_i}^{predict}$, for each $cw_{ji}$: $cw_{ji} \leftarrow cw_{ji} + \lambda$; else, $cw_{ji} \leftarrow cw_{ji} - \lambda$; keeping $-1 \leq cw_{ji} \leq 1$
    • b) Run the control mode prediction function
• The unequal adjustment scheme
  • While $|V_{QA_i}^{monitor} - V_{QA_i}^{predict}| > \varepsilon$, do
    • a) If $V_{QA_i}^{monitor} > V_{QA_i}^{predict}$, for the $cw_{ji}$ with $\max_j |cw_{ji}|$: $cw_{ji} \leftarrow cw_{ji} + \lambda$; else, $cw_{ji} \leftarrow cw_{ji} - \lambda$; keeping $-1 \leq cw_{ji} \leq 1$
    • b) Run the control mode prediction function
  (The deviation tolerance and the adjustment step are unreadable in the extracted slide; they are written as $\varepsilon$ and $\lambda$ here.)
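The two adjustment schemes above, as an added example that is not the slides’ or the author’s code: after a monitored $V_{QA_i}$ deviates from the predicted one, the equal scheme moves every applied mode’s $cw_{ji}$ by the same step, the unequal scheme moves only the applied mode with the biggest $|cw_{ji}|$, and the prediction is re-run after each round. The prediction here is a simplified one-step form of the model, the clamped sum $\sum_j cw_{ji} V_{C_j} BC_j$, and the step size, the tolerance and the sample values are assumptions, since the slide does not give them.

```python
# Added example (not from the slides): the equal and unequal adjustment schemes
# for the influence factors cw_ji. The prediction is a simplified one-step
# clamp(sum_j cw_ji * V_C_j * BC_j); the step size, tolerance and sample values
# are assumed, since the slide does not give them.


def clamp(x, lo=0.0, hi=1.0):
    return max(lo, min(hi, x))


def predict_vqa(cw, vc, bc):
    """One-step prediction of every V_QA_i from the applied control modes."""
    n = len(cw[0])
    return [clamp(sum(cw[j][i] * vc[j] * bc[j] for j in range(len(cw))))
            for i in range(n)]


def adjust(cw, vc, bc, monitored, scheme="equal", step=0.05, eps=0.01, max_rounds=100):
    """Move influence factors until |V_QA_i^monitor - V_QA_i^predict| <= eps for all i.

    equal:   every applied mode's cw_ji moves by the same step (a);
    unequal: only the applied mode with the biggest |cw_ji| moves (a);
    after each round the prediction is re-run (b). Factors stay within [-1, 1].
    Returns (adjusted cw, number of adjustment rounds used).
    """
    cw = [row[:] for row in cw]                        # never mutate the caller's model
    applied = [j for j in range(len(cw)) if bc[j]]
    for rounds in range(max_rounds):
        predicted = predict_vqa(cw, vc, bc)            # (b) prediction for this round
        converged = True
        for i, (mon, pred) in enumerate(zip(monitored, predicted)):
            if abs(mon - pred) <= eps or not applied:  # nothing to adjust
                continue
            converged = False
            if scheme == "equal":
                targets = applied
            else:
                targets = [max(applied, key=lambda j: abs(cw[j][i]))]
            delta = step if mon > pred else -step      # (a) raise or lower cw_ji
            for j in targets:
                cw[j][i] = clamp(cw[j][i] + delta, -1.0, 1.0)
        if converged:
            return cw, rounds
    return cw, max_rounds                              # bounds or eps prevented convergence


if __name__ == "__main__":
    # Constructed model: two modes applied (V_C = 1), QA_1 under-predicted by 0.2.
    CW = [[0.5, 0.2], [-0.3, 0.6]]
    VC, BC, MON = [1.0, 1.0], [1, 1], [0.4, 0.8]
    print("predicted before:", predict_vqa(CW, VC, BC))
    for scheme in ("equal", "unequal"):
        new_cw, rounds = adjust(CW, VC, BC, MON, scheme=scheme)
        print(f"{scheme}: {rounds} rounds, cw = {new_cw}, now predicts {predict_vqa(new_cw, VC, BC)}")
```

With the constructed numbers the equal scheme closes the 0.2 gap in two rounds by raising both $cw_{11}$ and $cw_{21}$, while the unequal scheme needs four rounds because only $cw_{11}$ (the larger absolute factor) moves; the factors of the attribute that already matched are left untouched by both.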
An application example: mobile healthcare
• System devices
  • A portable mobile device
    • a health sensor: monitors a user’s health status;
    • a healthcare client service: provides multiple ways to transfer health data to other devices and to receive health guidelines.
  • A healthcare centre
    • A healthcare consultant service: provides health guidelines to the user according to the reported health data, and informs a hospital service at a hospital server if necessary.
  • A hospital server
    • A hospital service
• Trust requirements
  • Each device and service’s trustworthiness
  • Trustworthy cooperation of all related devices and services
  • Satisfy the trust requirements of each other and of the user
  • Examples
    • Confidentiality: the healthcare client service provides a secure network connection and communication;
    • Availability: respond to the request from the health sensor within the expected time;
    • Reliability: perform reliably without any break in the case of an urgent health information transmission.
• Example application scenario: the user’s health is monitored by the mobile device, which reports his/her health data to the healthcare centre in a secure and efficient way. In this case, the hospital service should be informed, since the user’s health needs to be treated by the hospital immediately. Meanwhile, the consultant service also provides essential health guidelines to the user.
Autonomic trust management for a healthcare
application
Discussion
• Two-level autonomic trust management
  • Autonomic trust management among different system devices (hard trust solution)
    • Apply the mechanism to sustain trust; embed trust policies for remote trusted service collaboration
  • Autonomic trust management on pervasive services for their trustworthy collaboration (soft trust solution)
  • Both levels of autonomic trust management can cooperate to ensure the trustworthiness of the entire pervasive system.
• Standardized devices (supported by TCG-compatible devices)
• Implementation of the RT module and the Autonomic Trust Management Framework
  • Designed and implemented inside a secure main chip in the mobile computing platform
  • The RT module functionalities and the ATMF functionalities can be implemented by a number of protected applications:
    • Small applications dedicated to performing security-critical operations inside a secure environment.
    • Strict size limitations; they resemble function libraries.
    • Access any resource in the secure environment.
    • Communicate with normal applications in order to offer security services.
    • New protected applications can be added to the system at any time; signature-based protection.
  • Onboard Credential-based implementation for the secure register of the RT module, the policy base, the execution base and the mechanism base
    • A flexible and light secure storage mechanism supported by the trusted computing platform
Conclusions and future work
• Presented our arguments for autonomic trust management in the pervasive system.
• Proposed an autonomic trust management solution based on the trust sustaining mechanism and the adaptive trust control model.
• Main contributions:
  • Support two levels of autonomic trust management: between devices as well as between services offered by the devices.
  • Effectively avoid or reduce risk by stopping or restricting any potentially risky activities based on the trustor’s specification.
• Demonstrated the effectiveness of our solution by applying it to an example pervasive system.
• Discussed the advantages of and implementation strategies for the solution.
• Future work: study the performance through a prototype implementation on the basis of a mobile trusted computing platform.
Thank You!
Questions and Comments!