A Security Framework for a World of Post-PC Clients and Infrastructure-based Services

Steven Ross, Jason Hill, Michael Chen, Anthony D. Joseph, David E. Culler, Eric A. Brewer

Computer Science Division, U.C. Berkeley
{stevross, jhill, mikechen, adj, culler, brewer}@cs.berkeley.edu
http://www.cs.berkeley.edu/~stevross

Typical (Traditional) Internet Service

[Figure: client device connecting directly to an Internet service over HTTP/SSL]

• Assumes:
   – Private / trusted access device and software
   – Sufficient computational resources to secure connection and display content

Scenario: Kiosks - Untrusted Endpoints

• Public (untrusted) computers will be pervasive
• Content filter
   – hides private information
• Control filter
   – limits operations performed
• Decrease the content value instead of increasing the security level

Scenario: Low Power Info Appliances

• Limited computational abilities
• Low physical security
• Low reliability
• Limited input and display capabilities
• Users have multiple devices
Enable Secure Access from all Devices

 • Security is fundamental to Universal Computing
 • Tremendous diversity emerging
    – No pre-planning: wide array of services and clients
    – Info flowing over wide array of insecure links and clients

 • Key leverage: Composable Secure Services
    – Automating scalability and availability eases task authoring
    – Build new services from component services

 • Key Tool: Transcoding Operators
    – Adapt content, and security level to desired use
Bridging the Gap

[Figure: Composable Security Framework: devices (PDA, Kiosk, Cell Phone, Pager, Laptop, Desktop) reach services (Stock Trading, Banking, Mail) through a Trusted Infrastructure]

Content Transformers

[Figure: Composable Security Framework diagram, adding a client-side content transformer (CTc) and a server-side content transformer (CTs) inside the Trusted Infrastructure]

• Client Side
   – Decouple device I/O capabilities from services
   – A new client transformer enables access to existing content
• Server Side
   – Transform content and control to canonical representation
      » Filtered by application logic
      » Easily rendered by client side content transformer

Security Adaptors

[Figure: Composable Security Framework diagram, adding a Security Adapter (SA) between each device and the Trusted Infrastructure and another SA between the infrastructure and each service]

• Secure channel in depends on device capabilities
• Secure channel out depends on Internet service
• Examples
   – Low power info appliance
   – International Kiosk

Identity Service

[Figure: Composable Security Framework diagram, adding an Identity Service inside the Trusted Infrastructure]

• Secure repository
• Key component for enabling access from untrusted endpoints
• Critical level of indirection and information hiding
• Mitigates problem of replicating identities
• Promotes use of secure username/password pairs

Filter and Control Modifier

[Figure: Composable Security Framework diagram, adding a Filter & Control Modifier (FCM) between CTc and CTs, with the Identity Service beside it]

• Identity Translation
• Add new or remove existing control functionality
   – Add logout button
   – Remove ability to trade, write checks, drop class, etc.
• Remove sensitive content
   – Account balances, email addresses, names

Illustration: Datek Access from Kiosk

[Figure: the Kiosk connects over SSL to a Security Adapter (SA) in the Trusted Infrastructure; traffic passes through CTc, the Filter & Control Modifier (FCM), which obtains the User Identity from the Identity Service, then CTs and an outgoing SA that connects over SSL to Datek]

• Kiosk browser interacts with security adaptor
• HTTP request passed to FCM
   – no content transformer in prototype
• FCM authenticates pseudonym and one-time password
• Substitutes real identity
• FCM passes substituted data through to outgoing security adaptor
• SA communicates with Datek Service
• FCM filters all remaining traffic
   – Removes sensitive information, e.g. account name, email address
   – Performs control filtering: adds logout button
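The kiosk path above, as an added Python illustration that is not the Berkeley prototype's code: a toy identity service that checks a pseudonym and one-time password, identity substitution into the login form, and the content and control filtering the FCM applies to a page coming back from the service. The record layout, the sensitive-field patterns and the sample page are constructed assumptions.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class IdentityRecord:
    real_user: str
    real_password: str
    one_time_passwords: List[str]  # consumed front to back


class IdentityService:
    """Secure repository: kiosk pseudonym -> real service credentials (assumed layout)."""

    def __init__(self, records: Dict[str, IdentityRecord]) -> None:
        self._records = records

    def authenticate(self, pseudonym: str, otp: str) -> Optional[IdentityRecord]:
        rec = self._records.get(pseudonym)
        if rec is None or not rec.one_time_passwords:
            return None
        if not hmac.compare_digest(rec.one_time_passwords[0], otp):
            return None
        rec.one_time_passwords.pop(0)  # burned on use: a replay from the kiosk fails
        return rec


def substitute_identity(form: Dict[str, str], ids: IdentityService) -> Optional[Dict[str, str]]:
    """Identity translation: pseudonym and OTP typed at the kiosk become the real login."""
    rec = ids.authenticate(form.get("user", ""), form.get("password", ""))
    if rec is None:
        return None
    return {**form, "user": rec.real_user, "password": rec.real_password}


# Constructed patterns for content the kiosk screen must not show.
SENSITIVE = [
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),                # e-mail addresses
    re.compile(r"(Account(?: number)?:\s*)[\w-]+", re.I),  # account names/numbers
    re.compile(r"(Balance:\s*)\$[\d,]+\.\d{2}", re.I),     # account balances
]
TRADE_FORM = re.compile(r'<form[^>]*action="/trade"[^>]*>.*?</form>', re.S | re.I)
LOGOUT_BUTTON = '<form action="/logout" method="post"><button>Logout</button></form>'


def fcm_response(html: str) -> str:
    """Content filter (hide private fields, keep their labels), then control filter."""
    for pat in SENSITIVE:
        html = pat.sub(lambda m: (m.group(1) if m.groups() else "") + "[hidden]", html)
    html = TRADE_FORM.sub("", html)  # remove the ability to trade
    return html.replace("</body>", LOGOUT_BUTTON + "</body>")  # add logout button


# Constructed sample page from the trading service.
SAMPLE_PAGE = """<html><body>
<p>Welcome Alice (alice@example.com)</p>
<p>Account: ACC-8675309</p>
<p>Balance: $12,345.67</p>
<form action="/trade" method="post"><input name="sym"><button>Trade</button></form>
<form action="/quote" method="get"><input name="sym"><button>Quote</button></form>
</body></html>"""
```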
Illustration: Datek Access from PDA

[Figure: the PDA (Pilot) connects over a Blowfish-encrypted channel to a Security Adapter (SA) in the Trusted Infrastructure; traffic passes through CTc, the Filter & Control Modifier (FCM), which obtains the User Identity from the Identity Service via an Auth Client, then CTs and an outgoing SA that connects over SSL to the Stock Trading service]

• Pilot connects to security adaptor
• Shared secret key identity verified
• Content transformer
   – simple pilot commands to HTTP requests
   – HTML to plain text pilot app format
• FCM examines HTTP requests and performs identity substitution
• Modified packets sent to security adaptor
• Security Adaptor establishes HTTPS connection to Datek service
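The PDA content transformer in the illustration above, as an added Python example that is not the project's code: a mapping from simple Pilot commands to HTTP requests, and an HTML-to-plain-text reduction for a small display. The command grammar, the host name and the sample page are assumptions.

```python
import textwrap
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

# Constructed command grammar (the deck only says "simple pilot commands to
# http requests"). Only listed commands become requests, so the device cannot reach arbitrary URLs.
COMMANDS: Dict[str, Tuple[str, str]] = {
    "quote": ("GET", "/quote?sym={arg}"),
    "portfolio": ("GET", "/portfolio"),
    "logout": ("POST", "/logout"),
}


def command_to_request(line: str, host: str = "trading.example") -> Optional[str]:
    """Client-side content transformer, device -> service direction."""
    parts = line.strip().split()
    if not parts or parts[0].lower() not in COMMANDS:
        return None
    method, path = COMMANDS[parts[0].lower()]
    arg = parts[1].upper() if len(parts) > 1 else ""
    if "{arg}" in path and not arg.isalnum():
        return None  # a ticker symbol is letters and digits only
    return f"{method} {path.format(arg=arg)} HTTP/1.0\r\nHost: {host}\r\n\r\n"


class _PlainText(HTMLParser):
    """Collect visible text, dropping script/style and marking block breaks."""
    BLOCKS = {"p", "br", "div", "tr", "li", "h1", "h2", "h3", "table"}

    def __init__(self) -> None:
        super().__init__()
        self.parts: List[str] = []
        self._skip = 0

    def handle_starttag(self, tag, attrs) -> None:
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in self.BLOCKS:
            self.parts.append("\n")

    def handle_endtag(self, tag) -> None:
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data) -> None:
        if not self._skip:
            self.parts.append(data)


def html_to_pilot_text(html: str, width: int = 30) -> str:
    """Client-side content transformer, service -> device direction."""
    parser = _PlainText()
    parser.feed(html)
    parser.close()
    lines: List[str] = []
    for raw in "".join(parser.parts).splitlines():
        lines.extend(textwrap.wrap(" ".join(raw.split()), width))
    return "\n".join(lines)


# Constructed sample response from the trading service.
SAMPLE_HTML = ("<html><head><style>p{}</style></head><body><h1>Quote</h1>"
               "<p>CSCO  <b>52.25</b></p><script>track()</script><p>Change +0.75</p></body></html>")
```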
Composable Security Framework

[Figure: each device (PDA, Kiosk, Cell Phone, Pager, Laptop, Desktop) enters the Trusted Infrastructure through a Security Adapter (SA); a path of CTc, FCM and CTs leads to an outgoing SA for each service (Stock Trading, Banking, Mail); the FCM obtains the User Identity from the Identity Service through an Auth Client and Auth Service]

• Paths from devices to services can be dynamically created
• Multiple transcoders may be composed for a path
Key Design Points

• Security and Content both transformed
   – Security adaptors based on device capability and link
   – Information hiding based on device, user role, and link

• Composing services
   – Trust model must be carefully considered

• Extensible
   – New devices easily added by writing appropriate component
     if it doesn’t already exist

• Scalability / Fault Tolerance
   – Runs in Ninja distributed execution environment
   – Components replicated among nodes in cluster
Other Applications

• Meta-trade environment
  – Aggregation: provide most valuable composition of content

• Multi-user or manager account
  – Owner of account can view all content
  – Account manager only views selected pieces essential to role
  – Example: Trade-bot only needs stock quotes and rules
  – Account value and private information hidden from Trade-bot

• Short lived and persistent pseudonyms
• Support sharing of PDAs
  – Now have untrusted low power device
  – Compose kiosk FCM and PDA components to handle
    scenario
Security Assessment

• Untrusted endpoint
   – May still alter information

• Identity Service
   – A primary point to attack

• PDA Keys
   – I/O methods limit strength of generated keys

• Dynamic Trust Model
   – New Functionality added
       » e.g. Citibank online payment
   – User must explicitly grant functionality for each profile
Future Work

• Implementation of additional content, control and security transformers
   – Additional web services
   – Other services
       » IMAP, LDAP, e-commerce, etc
   – Additional Devices
       » Pagers, phones

• Development of common data change format for
  FCM
   – XML for canonical representation, XSL for rendering to device
Take-Away

• New security requirements of Post-PC devices
   – Supports access from insecure endpoints
   – Precise control of information exposure (access device / role)
• Composable Services in the infrastructure
   – New level of “programming”
• Towards an Architecture for Universal Computing
   – Diverse concurrent development: 1 to many, meta-svcs, aggregation svcs
   – Many to one, heterogeneous clients
• Eureka phenomenon
   – Most fundamental services probably yet to be discovered
       » Ex: identity service
   – Only find them by building the world and living in it