Trust Management for the World Wide Web Yang-hua Chu Supervisor Jim Miller, MIT/W3C Joan Feigenbaum, AT&T Labs Master of Engineering Thesis Presentation April 28, 1997


Trust Management for the
World Wide Web
Yang-hua Chu
Supervisor
Jim Miller, MIT/W3C
Joan Feigenbaum, AT&T Labs
Master of Engineering Thesis Presentation
April 28, 1997
Outline
• Problem statement
• Trust management
• REFEREE trust management system
• REFEREE reference implementation demo
• Conclusion
Example: code signing
• Away from shrink-wrapped model
• Toward code distribution through network
Trust FAQ
• Has X been tampered with during transmission?
[integrity]
• Does X contain a virus that will erase my HD?
[security]
• Does X secretly collect information without my
knowledge? [privacy]
• Will X run on my 386? [capability]
• Is X fun to play? [content]
• Who wrote X? [authentication]
• Should I trust Y who vouches for X [delegation]?
Current Technology
• Sandbox (Java Virtual Machine)
• Code Signing
– Microsoft Authenticode (for ActiveX)
• Proof Carrying Code
Current technology is not enough: why should I trust those bits?
• Digital Signature (RSA, DSA)
– How many bits of signature are trustworthy?
– What does the signature mean [PICS]?
– How do I get the right public key to verify the signature?
• Public Key Infrastructure (X.509, PGP, SDSI)
– How do I get the CA’s public key?
– What is this certificate authorized to do?
• Whom do I trust to vouch for X?
– X = give me the public key of person Y, sign code,
authenticate a document, make this assertion, etc.
Trust management
• ‘Decentralized Trust Management’ [BFL96]
• Probes the question
– ‘Does this requested action, supported by
credentials, conform to my policy?’
• PolicyMaker
– certificates are programs
Trust management in code signing
• Requested action: download and run this code.
• Security policy: download the code only if signed
by two entities that MIT endorses, and both
entities must state in the signature that X is ‘safe’
according to MIT’s code safety practice.
• Security credentials: relevant PICS labels and
certificates.
Other trust management applications in WWW
• document authentication and integrity
• access control
• on-line negotiation
• electronic commerce
• privacy protection
• intellectual property rights
• … more
REFEREE
• “Rule-controlled Environment For
Evaluation of Rules and Everything Else”
• Joint effort by researchers from AT&T Labs
and W3C
• Goal: create a general-purpose trust
management system for Web applications
REFEREE design principle
• A ‘policy’ is a program
– has a fixed language syntax and semantics
– may call another policy
• ‘Policy’ controls everything
– order of execution under policy control
– credential fetching under policy control
– departure from the PolicyMaker [BFL96] approach
REFEREE API
• a sub-system embedded inside a Web application
– can be in a browser, a proxy, or a server
[Diagram: the Application dispatches Actions to REFEREE]
Input API: request with arguments
Output API: answer with justification
REFEREE Primitive Data Types
• tri-values
– TRUE, FALSE, UNKNOWN
• statements and statement-lists
– each statement is an s-expression
– a pair of (<context>, <content>), both are also
s-expressions
( “code-signing”,
((virus-checked 1) (network-access 0) … ) )
REFEREE Primitive Data Types
(continued)
• policy
– a triplet (<policy-name>, <policy description>,
<language-name>)
– (“code-signing”, ..., “code-signing-language”)
– (“code-signing”, <Java-code>, “Java”)
• interpreter
– a pair (<language-name>, <interpreter>)
– (“code-signing-language”, <Java-code>)
Bootstrapping REFEREE
• The host application loads REFEREE initial
setting:
– trust assertions
– a database of policies
– a database of interpreters
• all bootstrapping information is
unconditionally trusted
Invoking REFEREE
• input a requested action and additional
arguments
• REFEREE gets the corresponding policy for
that action
• REFEREE executes the policy with the
additional arguments
• output a tri-value and a list of statements
REFEREE Demo
• in English: “I only execute code if PCWeek says
OK according to MIT code safety practice.”
(invoke "load-label" STATEMENT-LIST URL
"http://web.mit.edu/safety" ("http://labels.com/"))
(invoke "check-hash" STATEMENT-LIST)
(false-if-unknown
(match (("check-hash" *)
(* ((version "PICS-1.1") *
(service "http://web.mit.edu/safety") *
(by "mailto:[email protected]") *
(ratings * (RESTRICT > overall 8) * ))))
STATEMENT-LIST))
Components of the REFEREE Calling Module
[Diagram, numbered call sequence 1–6: bootstrap → invoke → REFEREE → Profiles-0.92 interpreter → Label-loader → Fetcher → Check-hash, with the answer returned to the calling module]
Sample Query
• application calls REFEREE
– (“code-signing”, “http://foo/bar.class”)
• line 1: gets the PICS label from the label
bureau “http://label-bureau”
(PICS-1.1 "http://web.mit.edu/safety"
labels
by "mailto:[email protected]"
md5 "7A2B1a2bA72BxyzyplehJQ=="
ratings (crash 2 overall 10 virus 0))
Sample Query (Continued)
• line 2: authenticates the signature and
checks the source integrity
• line 3: checks the confidence level > 8
• return TRUE (10 > 8)
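The following is an added example, not code from the REFEREE project or the thesis: a small Python evaluator in the REFEREE style that models the invocation flow (bootstrap a policy database, look up the policy for the requested action, run it, return a tri-value plus justification statements) and the demo policy and sample query above. The label bureau, the sample bytes, the hash, and the rater address `mailto:[email protected]` are constructed stand-ins; only the field names and the `load-label` / `check-hash` / `match` structure follow the slides. It also covers the failure cases the slides imply: tampered bytes (hash mismatch) and a missing label both fall through `false-if-unknown` to FALSE.

```python
"""Added example, not REFEREE's own code: a small evaluator in the REFEREE style.

Tri-values, (context, content) statements, a bootstrapped policy database and
the "code-signing" demo policy are modelled with constructed data. The label
bureau contents, the sample bytes and the rater address are made up here.
"""
import base64
import hashlib

# --- tri-values -------------------------------------------------------------
TRUE, FALSE, UNKNOWN = "TRUE", "FALSE", "UNKNOWN"


def false_if_unknown(value):
    """The slides' false-if-unknown: a policy that cannot decide says no."""
    return FALSE if value == UNKNOWN else value


def md5_b64(data):
    """PICS labels carry the MD5 of the rated object, base64-encoded."""
    return base64.b64encode(hashlib.md5(data).digest()).decode()


# --- constructed world: one label bureau holding one label -------------------
SAMPLE_CODE = b"class bar { /* constructed stand-in for http://foo/bar.class */ }"
SAFETY_SERVICE = "http://web.mit.edu/safety"
RATER = "mailto:[email protected]"  # placeholder rater, not a real address

LABEL_BUREAU = {  # constructed: URL -> PICS-style label as a dict
    "http://foo/bar.class": {
        "version": "PICS-1.1",
        "service": SAFETY_SERVICE,
        "by": RATER,
        "md5": md5_b64(SAMPLE_CODE),
        "ratings": {"crash": 2, "overall": 10, "virus": 0},
    },
}


# --- primitives the policy invokes; each appends statements -------------------
def load_label(statements, url, service, bureaus):
    """Fetch labels for url from each bureau; append ("load-label", label)."""
    found = False
    for bureau in bureaus:
        label = LABEL_BUREAU.get(url)  # stand-in for an HTTP fetch from `bureau`
        if label and label["service"] == service:
            statements.append(("load-label", dict(label, bureau=bureau)))
            found = True
    return TRUE if found else UNKNOWN


def check_hash(statements, code):
    """Keep only labels whose md5 matches the bytes actually downloaded."""
    actual = md5_b64(code)
    verdict = UNKNOWN
    for context, label in list(statements):
        if context != "load-label":
            continue
        if label["md5"] == actual:
            statements.append(("check-hash", label))  # verified label
            verdict = TRUE
        elif verdict != TRUE:
            verdict = FALSE  # a label exists, but it rates different bytes
    return verdict


def match_rating(statements, service, by, min_overall):
    """The slides' match clause: a verified label from `by` with overall > min."""
    for context, label in statements:
        if (context == "check-hash" and label["service"] == service
                and label["by"] == by
                and label["ratings"].get("overall", 0) > min_overall):
            return TRUE
    return UNKNOWN


# --- the demo policy, written as a program (a REFEREE design principle) ------
def code_signing_policy(url, code):
    """'Only execute code if the rater says OK per MIT code safety practice.'"""
    statement_list = []
    load_label(statement_list, url, SAFETY_SERVICE, ["http://labels.com/"])
    check_hash(statement_list, code)
    verdict = false_if_unknown(
        match_rating(statement_list, SAFETY_SERVICE, RATER, min_overall=8))
    return verdict, statement_list  # answer plus its justification


# --- bootstrap and invoke ---------------------------------------------------
POLICIES = {"code-signing": code_signing_policy}  # loaded at bootstrap, trusted


def invoke(action, *args):
    """REFEREE entry point: find the policy for the action and run it."""
    policy = POLICIES.get(action)
    if policy is None:
        return UNKNOWN, [("referee", f"no policy for {action}")]
    return policy(*args)


if __name__ == "__main__":
    verdict, why = invoke("code-signing", "http://foo/bar.class", SAMPLE_CODE)
    print(verdict, [context for context, _ in why])
```

Running the module prints `TRUE ['load-label', 'check-hash']`: the answer and the statement list that justifies it, which is exactly the output shape the REFEREE API slide describes. The two negative paths are worth noting: with tampered bytes the label is loaded but never promoted to a `check-hash` statement, and with no label at all nothing is loaded; in both cases `match` yields UNKNOWN and `false-if-unknown` turns that into a refusal.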
Recap of major REFEREE
design principles
• Local policy controls everything
• Separate security policy specification from
policy evaluation
– policies are programs
– Profiles-0.92 vs. PICS RULZ
• Systematic, consistent, and modular
management of trust
Conclusion: Now and Future
• Trust management is an important
component for Web applications
• REFEREE is our initial attempt to tackle the
problem in the context of the WWW and it
provides insight for future research and
development.
Take It With You!
• Trust != Cryptography
Reference
• REFEREE Website
– http://www.w3.org/pub/WWW/PICS/TrustMgt
– link to the REFEREE demo
– link to [BFL96] paper
• M. Blaze, J. Feigenbaum, J. Lacy, “Decentralized
Trust Management”, in Proceedings of the 1996
Symposium on Security and Privacy, pp. 164-173
• Friday, 4/11, 4pm-5:30pm
– trust management for Electronic Commerce