A Security Framework for a World of Post-PC Clients and Infrastructure-based Services
Steven Ross, Jason Hill, Michael Chen,
Anthony D. Joseph, David E. Culler, Eric A. Brewer
Computer Science Division
U.C. Berkeley
{stevross, jhill, mikechen, adj, culler, brewer}@cs.berkeley.edu
http://www.cs.berkeley.edu/~stevross
Typical (Traditional) Internet Service
• Assumes:
– Private / trusted access device and software
– Sufficient computational resources to secure the connection and display the content
[Figure: client connected to the service over HTTP/SSL]
Scenario: Kiosks - Untrusted Endpoints
• Public (untrusted) computers will be pervasive
• Content filter – hides private information
• Control filter – limits the operations that can be performed
• Decrease the value of the content exposed at the endpoint instead of trying to raise the security level of the endpoint
Scenario: Low Power Info Appliances
• Limited computational abilities
• Low physical security
• Low reliability
• Limited input and display capabilities
• Users have multiple devices
Enable Secure Access from all Devices
• Security is fundamental to Universal Computing
• Tremendous diversity emerging – no pre-planning: wide array of services and clients
– Info flowing over a wide array of insecure links and clients
• Key leverage: Composable Secure Services
– Automating scalability and availability eases task authoring
– Build new services from component services
• Key tool: Transcoding Operators
– Adapt content, and security level, to the desired use
Bridging the Gap
[Figure: clients (PDA, Kiosk, CellPhone, Pager, Desktop, Laptop) reach services (Stock Trading, Banking) through the Composable Security Framework running in the Trusted Infrastructure]
Content Transformers
• Client side
– Decouple device I/O capabilities from services
– A new client transformer enables access to existing content
• Server side
– Transform content and control to a canonical representation
» Filtered by application logic
» Easily rendered by the client-side content transformer
[Figure: as above, with a client-side content transformer (CTc) and a server-side content transformer (CTs) inside the Composable Security Framework. CT: Content Transformer]
Security Adaptors
• Secure channel in: depends on device capabilities
• Secure channel out: depends on the Internet service
• Examples
– Low power info appliance
– International kiosk
[Figure: as above, with a security adapter (SA) on the device side and another on the service side around CTc and CTs. SA: Security Adapter; CT: Content Transformer]
Identity Service
• Secure repository
• Key component for enabling access from untrusted endpoints
• Critical level of indirection and information hiding
• Mitigates problem of replicating identities
• Promotes use of secure username/password pairs
[Figure: as above, with the Identity Service added beside the SA → CTc → CTs → SA path in the Trusted Infrastructure. SA: Security Adapter; CT: Content Transformer]
Filter and Control Modifier
• Identity translation
• Add new or remove existing control functionality
– Add logout button
– Remove ability to trade, write checks, drop class, etc.
• Remove sensitive content
– Account balances, email addresses, names
[Figure: as above, with the FCM inserted between CTc and CTs. SA: Security Adapter; CT: Content Transformer; FCM: Filter & Control Modifier]
Illustration: Datek Access from Kiosk
• Kiosk browser interacts with the security adaptor over SSL
• HTTP request passed to the FCM (no content transformer in the prototype: the kiosk runs a standard browser)
• FCM authenticates the pseudonym and one-time password against the Identity Service and substitutes the real identity
• FCM passes the substituted data through to the outgoing security adaptor
• SA communicates with the Datek service over SSL
• FCM filters all remaining traffic
– Removes sensitive information, e.g. account name, email address
– Performs control filtering: adds logout button
[Figure: Kiosk → SA (SSL) → CTc → FCM → CTs → SA (SSL) → Datek, with the Identity Service and User Identity beside the path in the Trusted Infrastructure. SA: Security Adapter; CT: Content Transformer; FCM: Filter & Control Modifier]
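The FCM behaviour described on the Filter and Control Modifier slide and walked through in the kiosk illustration above (authenticate pseudonym and one-time password, substitute the real identity, strip sensitive content and ungranted controls, add a logout control), as an added Python example. This is not the Ninja prototype's code: the identity records, one-time passwords, form field names, URL paths and HTML are constructed stand-ins rather than Datek's real pages, and the per-profile grant set is one way of implementing the "user must explicitly grant functionality for each profile" point from the security assessment.

```python
"""Filter & Control Modifier (FCM) for the kiosk profile: added example.

Not the Ninja prototype code. The identity records, one-time passwords,
form field names, URL paths and HTML below are constructed stand-ins.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode


@dataclass
class IdentityRecord:
    real_user: str
    real_password: str
    one_time_passwords: set   # each usable once from an untrusted endpoint
    grants: set               # operations the user explicitly granted this profile


# Identity service: the kiosk only ever sees the pseudonym, never the real account
IDENTITY_SERVICE = {
    "kiosk-pseudo-17": IdentityRecord(
        real_user="alice",
        real_password="S3cretRealPw",
        one_time_passwords={"4821-9930", "7714-0025"},
        grants={"quote", "portfolio"},      # "trade" deliberately not granted
    ),
}


def authenticate(pseudonym, otp):
    """Return the identity record if pseudonym+OTP are valid, consuming the OTP."""
    rec = IDENTITY_SERVICE.get(pseudonym)
    if rec is None or otp not in rec.one_time_passwords:
        return None
    rec.one_time_passwords.discard(otp)   # a keylogger on the kiosk gets nothing reusable
    return rec


def substitute_identity(login_body):
    """Request path: replace pseudonym/OTP in the login POST with the real credentials."""
    params = {k: v[0] for k, v in parse_qs(login_body).items()}
    rec = authenticate(params.get("user", ""), params.get("password", ""))
    if rec is None:
        raise PermissionError("bad pseudonym or one-time password")
    params["user"], params["password"] = rec.real_user, rec.real_password
    return urlencode(params), rec


def control_filter_request(path, rec):
    """Request path: refuse operations this profile has not been granted."""
    op = path.lstrip("/").split("/")[0].split("?")[0]
    if op not in rec.grants:
        raise PermissionError(f"operation {op!r} not granted for this profile")
    return path


# Response path: content filter patterns (constructed for the sample page)
SENSITIVE = [
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[email hidden]"),
    (re.compile(r"Account(?: name| #)?:\s*\S+"), "Account: [hidden]"),
]
FORM_RE = re.compile(r'<form[^>]*action="/(\w+)"[^>]*>.*?</form>', re.S)


def filter_response(html, rec):
    """Response path: hide sensitive content, strip ungranted controls, add logout."""
    for pattern, replacement in SENSITIVE:
        html = pattern.sub(replacement, html)
    html = html.replace(rec.real_user, "[user hidden]")
    # control filter: drop forms whose action the profile has not been granted
    html = FORM_RE.sub(lambda m: m.group(0) if m.group(1) in rec.grants else "", html)
    # added control: a logout link so the next kiosk user cannot reuse the session
    return html.replace("</body>", '<a href="/logout">Logout</a></body>')


def kiosk_session(login_body, request_path, response_html):
    """One kiosk round trip through the FCM: returns (outgoing login body, filtered page)."""
    outgoing, rec = substitute_identity(login_body)
    control_filter_request(request_path, rec)
    return outgoing, filter_response(response_html, rec)


# Constructed sample traffic (not captured from Datek)
SAMPLE_LOGIN_POST = "user=kiosk-pseudo-17&password=4821-9930&next=portfolio"
SAMPLE_RESPONSE = """<html><body>
<p>Welcome alice. Account: 00123456 (alice@example.com)</p>
<p>CSCO 62.25 +1.10</p>
<form action="/trade" method="post"><input name="sym"><input type="submit" value="Trade"></form>
<form action="/quote" method="get"><input name="sym"><input type="submit" value="Quote"></form>
</body></html>"""

if __name__ == "__main__":
    body, page = kiosk_session(SAMPLE_LOGIN_POST, "/portfolio", SAMPLE_RESPONSE)
    print(body)
    print(page)
```

The FCM sits in the trusted infrastructure, so the real password exists only on the leg from the FCM to the service; what the kiosk captures (pseudonym plus a consumed one-time password) cannot be replayed, and a trade form never reaches the kiosk because that profile was not granted "trade".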
Illustration: Datek Access from PDA
• Pilot connects to the security adaptor over a Blowfish-encrypted channel
• Shared secret key identity verified
• Content transformer
– Simple pilot commands to HTTP requests
– HTML to plain-text pilot app format
• FCM examines the HTTP requests and performs identity substitution
• Modified packets sent to the outgoing security adaptor
• Security adaptor establishes an HTTPS connection to the Datek service
[Figure: PDA → SA (Blowfish) → CTc → FCM → CTs → SA (SSL) → Stock Trading, with the Identity Service, Auth Client and User Identity beside the path in the Trusted Infrastructure. SA: Security Adapter; CT: Content Transformer; FCM: Filter & Control Modifier]
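The device-side steps of the PDA illustration above (shared-secret identity verification, then a client-side content transformer that turns short pilot commands into HTTP requests and renders HTML as plain text for the pilot app), as an added Python example. This is not the Ninja prototype's code: the command grammar ("quote SYM", "portfolio", "buy SYM N"), the service paths, the device width and the HTML are constructed stand-ins, and the shared-secret check is an HMAC-SHA256 tag over the command standing in for the prototype's Blowfish channel, since the Python standard library has no Blowfish.

```python
"""Client-side content transformer (CTc) for a Palm Pilot style device: added example.

Not the Ninja prototype code. Assumptions: the command grammar ("quote SYM",
"portfolio", "buy SYM N"), the service paths and the HTML are constructed
stand-ins; the shared-secret check is HMAC-SHA256 over the command, standing in
for the prototype's Blowfish channel (the Python standard library has no Blowfish).
"""
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import urlencode

PDA_SHARED_KEYS = {"pilot-0042": b"constructed-shared-secret"}   # constructed
LINE_WIDTH = 32   # assumed width of the pilot text app


def sign_pda(device_id, command):
    """Tag a command with the device's shared secret (what the pilot side would send)."""
    return hmac.new(PDA_SHARED_KEYS[device_id], command.encode(), hashlib.sha256).hexdigest()


def verify_pda(device_id, command, tag_hex):
    """Security adaptor side: verify the shared-secret identity of the device."""
    key = PDA_SHARED_KEYS.get(device_id)
    if key is None:
        return False
    expected = hmac.new(key, command.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag_hex)


def command_to_http(command):
    """Translate a short pilot command into (method, path, body) for the web service."""
    words = command.split()
    if not words:
        raise ValueError("empty command")
    op, args = words[0].lower(), words[1:]
    if op == "quote" and len(args) == 1:
        return "GET", "/quote?" + urlencode({"sym": args[0].upper()}), ""
    if op == "portfolio" and not args:
        return "GET", "/portfolio", ""
    if op == "buy" and len(args) == 2 and args[1].isdigit():
        return "POST", "/trade", urlencode({"sym": args[0].upper(), "qty": args[1], "side": "buy"})
    raise ValueError(f"unknown command {command!r}")


def pda_request(device_id, command, tag_hex):
    """Verify the device, then transcode its command; refuse anything unauthenticated."""
    if not verify_pda(device_id, command, tag_hex):
        raise PermissionError("shared-secret verification failed")
    return command_to_http(command)


class _TextExtractor(HTMLParser):
    """Keep visible text; drop markup, styles and HTML forms the pilot cannot render."""
    BLOCK = {"p", "br", "tr", "li", "div", "h1", "h2", "h3", "table"}
    SKIP = {"script", "style", "title", "form"}

    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip += 1
        elif tag in self.BLOCK:
            self.parts.append("\n")
        elif tag in ("td", "th"):
            self.parts.append(" ")

    def handle_endtag(self, tag):
        if tag in self.SKIP:
            self._skip -= 1
        elif tag in self.BLOCK:
            self.parts.append("\n")

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def html_to_pilot_text(html):
    """HTML -> plain text, one item per line, wrapped to the device width."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    lines = []
    for raw in "".join(parser.parts).splitlines():
        line = " ".join(raw.split())           # collapse whitespace
        if not line:
            continue
        while len(line) > LINE_WIDTH:          # wrap at the last space that fits
            cut = line.rfind(" ", 0, LINE_WIDTH + 1)
            if cut <= 0:
                cut = LINE_WIDTH
            lines.append(line[:cut])
            line = line[cut:].lstrip()
        lines.append(line)
    return "\n".join(lines)


# Constructed sample page (not captured from Datek)
SAMPLE_QUOTE_HTML = """<html><head><title>Quote</title><style>p{color:red}</style></head>
<body><h2>CSCO</h2>
<table><tr><td>Last</td><td>62.25</td></tr><tr><td>Change</td><td>+1.10</td></tr></table>
<form action="/trade"><input type="submit" value="Trade"></form>
<p>Quotes delayed 20 minutes for non-professional subscribers of this service.</p>
</body></html>"""

if __name__ == "__main__":
    tag = sign_pda("pilot-0042", "quote csco")
    print(pda_request("pilot-0042", "quote csco", tag))
    print(html_to_pilot_text(SAMPLE_QUOTE_HTML))
```

The transformer drops HTML forms on purpose: the pilot app issues commands rather than submitting forms, so any control the service offers only reaches the device if the command grammar (and, one hop later, the FCM) allows it.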
Composable Security Framework
• Paths from devices to services can be dynamically created
• Multiple transcoders may be composed for a path
[Figure: several device-side SAs and CTc operators, one or more FCMs, and service-side CTs and SA operators composed into paths from PDA, Kiosk, CellPhone, Pager, Desktop and Laptop to Stock Trading and Banking; Identity Service, Auth Client, User Identity and Auth Service sit in the Trusted Infrastructure. SA: Security Adapter; CT: Content Transformer; FCM: Filter & Control Modifier]
Key Design Points
• Security and content both transformed
– Security adaptors based on device capability and link
– Information hiding based on device, user role, and link
• Composing services
– Trust model must be carefully considered
• Extensible
– New devices easily added by writing the appropriate component, if it doesn't already exist
• Scalability / fault tolerance
– Runs in the Ninja distributed execution environment
– Components replicated among nodes in a cluster
Other Applications
• Meta-trade environment
– Aggregation: provide the most valuable composition of content
• Multi-user or manager account
– Owner of the account can view all content
– Account manager only views the selected pieces essential to the role
– Example: a trade-bot only needs stock quotes and rules
– Account value and private information hidden from the trade-bot
• Short-lived and persistent pseudonyms
• Support sharing of PDAs – now an untrusted low power device
– Compose the kiosk FCM and the PDA components to handle the scenario
Security Assessment
• Untrusted endpoint
– May still alter information: the FCM limits what is exposed, but cannot stop a compromised kiosk from changing what it displays or what the user sends
• Identity Service
– A primary point of attack
• PDA keys
– I/O methods limit the strength of generated keys
• Dynamic trust model
– New functionality added
» e.g. Citibank online payment
– User must explicitly grant functionality for each profile
Future Work
• Implementation of additional content, control and security transformers
– Additional web services
– Other services
» IMAP, LDAP, e-commerce, etc.
– Additional devices
» Pagers, phones
• Development of a common data exchange format for the FCM
– XML for the canonical representation, XSL for rendering to the device
Take-Away
• New security requirements of Post-PC devices
– Support access from insecure endpoints
– Precise control of information exposure (by access device / role)
• Composable services in the infrastructure
– New level of "programming"
• Towards an architecture for Universal Computing
– Diverse concurrent development: one to many, meta-services, aggregation services
– Many to one: heterogeneous clients
• Eureka phenomenon
– Most fundamental services probably yet to be discovered
» Ex: identity service
– Only find them by building the world and living in it