SlideShare une entreprise Scribd logo

Building Trust Despite Digital Personal Devices

Javier González
Javier González

Talk given at OpenIT (Tech talks at IT University of Copenhagen) in 2014. The talk covers different aspects of how to protect our privacy when using personal devices.

Technologie
1  sur  35
Télécharger pour lire hors ligne
Building Trust Despite Digital Personal Devices Javier González - jgon@itu.dk Philippe Bonnet - phbo@itu.dk by Javier González OpenIT - 07.03.2014
Users Service Providers Personal Devices Personal Information Services ! Information Flow Distrust Digital Society mails passwords ssh-keys media content certificatespictures apps
Digital Society Privacy Control Personal Devices Privacy?
define: privacy
The social science viewpoint What are the social norms around privacy and personal data processing? How do they evolve in time? How do they evolve with respect to IT evolution? Getting beyond the lame meme - “Privacy is dead – deal with it” - “I’ve done nothing wrong, why should I care?” - “In Denmark, people are very trusting, so privacy is not an issue” !
Contextual Integrity Helen Nissenbaum. Privacy in Context, 2010 Exchange/sharing of personal data is at the core of any social interaction - Privacy is not about “not sharing” personal data! Any social context (work, education, health, ...) defines – more or less explicitly – a social norm, i.e., an appropriate behaviour that is to be expected. Contextual integrity gives a framework to reason about the norms that apply, in a given social context, to the flows of personal data (i.e., information norms)
Users Service Providers Personal Devices Information Flow Digital Society Contextual Integrity
Social Science Framework Computer Science Implementation
UCONABC Jaehong Park and Ravi Sandhu. The UCONabc usage control model. ACM Trans. Inf. Syst. Secur., 7(1):128–174, February 2004.
Audit: a posteriori control of how rights were used Enforcement: a priori control of usage rights Formal Model Strong security Assumptions No implementation! Jaehong Park and Ravi Sandhu. The UCONabc usage control model. ACM Trans. Inf. Syst. Secur., 7(1):128–174, February 2004. Can model complex frameworks UCONABC
Implementing UCONABC Sensitive Data Untrusted Storage Program Program Usage Control Access Control UCON Program root Security Perimeter beyond root domains
Requirements UCONABC UCON needs to be implemented within a security perimeter protected by hardware so that attackers with root privileges cannot disable it using software. From inside the security perimeter it should be possible to “monitor” programs outside the security perimeter Communicating with programs in the security perimeter should entail a low overhead
Secure Platforms Level of Protection Communication Execution Environment Only Software Rich OS Rich OS + TEE SW and Tamper resistant HW Secure Ad-how OS Narrow Interfaces Very High Low Messages, Sockets, SM Software and Hardware Shared Memory Medium/High ARM TrustZone Examples Android, Linux, IOS, Windows IBM CryptoCards, TPM, Secure Token Normal Execution Environment Security Perimeter Monitor With Low Overhead Protected by HardwareAll Sorts of Applications Monitoring Applications
ARM TrustZone
ARM TrustZone Secure memory, rich memory and shared memory Secure acquisition/release of peripherals in runtime (e.g., ethernet, screen, flash) Gatekeeper - Context switch controlled by hardware (AMBA3) Shared processor
Rich/Secure Abstraction Principle 1: Self preservation first. Under the suspicion of a threat, the secure environment isolates itself logically and gives up availability in order to protect data integrity, confidentiality and durability. Rich Environment Secure Environment Client Server User Space Kernel Space Secure Space Hardware root root HardwareSoftware Principle 2: Lead all communications. The secure environment defines all parameters that define this communication: protocol, certificates, encryption keys, etc. Principle 3: Secure all interactions. The secure area has priority to obtain exclusive access to secure peripherals.
Building Trust Users have the certainty that their sensitive information will not be misused by the software running in their devices. Service providers have the certainty that the devices interacting with their systems are not compromised Both should have the freedom to choose who they trust, and the technology should aid giving certainty, not enforcing
Building Trust Protect data in secondary storage Monitor the integrity of the system Enforce usage policies Support different digital contexts
Background Information Trusted Storage Module (TSM) A system providing trusted storage should guarantee data confidentiality, integrity, availability, and durability Today’s security policies rely on data encryption to support confidentiality and integrity. However, if encryption keys can be compromised or stolen on the client computer, then there is not much protection left. Approaches using tamper-resistant hardware: low functionality, physical separated, and narrow interfaces
Thread Model Trusted Storage Module (TSM) Sensitive Data Untrusted Storage Program Program Malware root Memory Access to storage Access to memory Access to peripherals
Trusted Storage Module (TSM) Architecture Rich Environment Secure Environment Data producer App Platform Independent Platform Dependent TSM CI Secure EnvironmentCI TSM Secure Module Tamper Resistant Unit Crypto Module for [i..n] Data Chunk (i) (ii) Storage (iii)(iv) Enc. DataEnc. Keys PDS (v) Enc. Data Metadata
0 0.00375 0.00750 0.01125 0.01500 1KB 10KB 20KB 50KB 100KB Time[s] Store&Object&in&Rich& Store&Object&in&Secure& Trusted Storage Module (TSM) Overhead
Contributions Trusted Storage Module (TSM) Provide a mechanism for rich apps to store securely objects containing sensitive information introducing low overhead Provide a mechanism to enforce access control to the files storing those objects, i.e., encryption, secure memory and secure peripherals Use untrusted storage as a cheap and “unlimited” source of secondary storage
Antifragile Storage Can we learn from successful attacks and improve, being better prepared for future attacks? Successful attacks (hardware and software) that do not entail the collapse of the system are good and welcome (if detectable), and even intentionally provoked The level of hardware tamper resistance is the upper boundary to which the system can benefit from being harmed How do we detect these attacks (e.g., traps, human intervention)? How to learn from them (e.g., AI, machine learning)? * Nassim Nicholas Taleb
Trusted Integrity Module (TIM) Background Information Secondary storage is normally attacked. To survive a reboot or hide from system administrators, attackers make modifications to system files, line commands and system libraries. Running processed produce logs, which are accessible from users space (applications), and therefore can be tampered with. Storage-based integrity checks need to build on top of trusted storage (e.g., TSM)
Architecture Trusted Integrity Module (TIM) Rich App GLIBC System-Call Interface (SCI) VFS file Obj dentry Obj inode Obj super-block Obj Dependencies Attributes SecureEnvironment CommunicationInterface open() close() read() write() flush() struct inode { ... uid_t //user id of owner did_t //group id of owner eid_t //environ. id of owner ... }; Platform Independent Platform Dependent UserSpaceKernelSpace Rich Environment Secure Environment cache FSn SEC. FILE SEC. FILE SEC. FILE VFS Trusted Extension dentry Obj inode Obj super-block Obj cache FSn Shared MemoryFS0 FS0 FSn FSn RICH FILE RICH FILE read / exec all all read nothing all all all VFS Metadata TIM ... CRYPTO hash(file) hash(inode) hash(dentry) TSM Dependencies Attributes secure file Obj sopen() sclose() sread() swrite() sflush() ... Tamper Resistant Unit TIMTSM FS0 FS0 FSn History Logs Transaction Logs Crypto Keys
Contribution Trusted Integrity Module (TIM) TIM is in itself a storage-based Intrusion Detection System (IDS) without much less assumptions than current approaches Provide an architecture to guarantee the integrity of system files adding a low overhead to file system primitives Provide an method to log actions involving system files in trusted storage, preventing attackers to clean after themselves
Next Steps Implement UCON on top of TIM to add complex usage control policies to secure file operations (i.e., enforcement, embedded behaviour, and audit) Extend TIM with a machine learning algorithm to learn from past attacks - antifrigility Exploring how to monitor running processes without introducing a big overhead. Ideas: Use of resources, peripherals, etc.
Example: Supporting different digital “social” contexts
Security today Users Service Providers ? DRM-like Secure Personal Devices Imposition Lock upDistrust Cyberactivism: -Software Freedom -Privacy -Anti Copyright ! * some - normally those involved in media content. * bypass
Lockdown, Freedom, and Certainty Cory Doctorow. The Coming Civil War over General Purpose Computing Lockdown: “Your TPM comes with a set of signing keys it trusts, and unless your bootloader is signed by a TPM-trusted party, you can't run it. Moreover, since the bootloader determines which OS launches, you don't get to control the software in your machine.” Certainty: “You tell your TPM which signing keys you trust - say, Ubuntu, EFF, ACLU and Wikileaks - and it tells you whether the bootloaders it can find on your disk have been signed by any of those parties. It can faithfully report the signature on any other bootloaders it finds, and it lets you make up your own damn mind about whether you want to trust any or all of the above.” Freedom: “Android lets you tick a box to run any code you want.”
Certainty Boot Power On FSBL Boot Loader Secure OS Non Secure Boot Loader Non Secure OS SE Verification Ubuntu Samsung WikiLeaks … Architecture
Certainty Boot Contributions New signing keys can be added to the SE by the user Provide a Trusted Boot using a Secure Element (SE) and TrustZone. The boot sequence is stored in the SE, which can only be accessed from the secure environment. (2-phase verification) Applications can check the boot sequence trace through the secure environment to verify that they trust the running software
Contributions We have a framework that can implement a usage control model defining privacy policies (contextual integrity) in order to build trust in digital interactions Bottom - up: We have a prototype where storage-based usage control policies based on trusted storage and its integrity can easily be implemented: TSM and TIM Top - down: We have one way to give users the freedom to choose their software while giving certainty to both users and and service providers
Building Trust Despite Digital Personal Devices Javier González - jgon@itu.dk Philippe Bonnet - phbo@itu.dk by Javier González OpenIT - 07.03.2014

Recommandé

Information Security Lecture Notes
Information Security Lecture NotesInformation Security Lecture Notes
Information Security Lecture Notes
FellowBuddy.com
 
امن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكاتامن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكات
Amr Rashed
 
Lecture1 Introduction
Lecture1 Introduction Lecture1 Introduction
Lecture1 Introduction
rajakhurram
 
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEM
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEMNETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEM
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEM
IJORCS
 
Windows 10: Windows 10 de ITPros a ITPros
Windows 10: Windows 10 de ITPros a ITProsWindows 10: Windows 10 de ITPros a ITPros
Windows 10: Windows 10 de ITPros a ITPros
Juan Ignacio Oller Aznar
 
Network security Topic 2 overview continued
Network security Topic 2 overview continuedNetwork security Topic 2 overview continued
Network security Topic 2 overview continued
Khawar Nehal khawar.nehal@atrc.net.pk
 
10.1.1.44.6790
10.1.1.44.679010.1.1.44.6790
10.1.1.44.6790
Alok Tripathi
 
Network Security 2016
Network Security 2016 Network Security 2016
Network Security 2016
Mukesh Pathak
 

Recommandé

Information Security Lecture Notes
Information Security Lecture NotesInformation Security Lecture Notes
Information Security Lecture Notes
FellowBuddy.com
 
امن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكاتامن نظم المعلومات وامن الشبكات
امن نظم المعلومات وامن الشبكات
Amr Rashed
 
Lecture1 Introduction
Lecture1 Introduction Lecture1 Introduction
Lecture1 Introduction
rajakhurram
 
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEM
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEMNETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEM
NETWORK SECURITY USING LINUX INTRUSION DETECTION SYSTEM
IJORCS
 
Windows 10: Windows 10 de ITPros a ITPros
Windows 10: Windows 10 de ITPros a ITProsWindows 10: Windows 10 de ITPros a ITPros
Windows 10: Windows 10 de ITPros a ITPros
Juan Ignacio Oller Aznar
 
Network security Topic 2 overview continued
Network security Topic 2 overview continuedNetwork security Topic 2 overview continued
Network security Topic 2 overview continued
Khawar Nehal khawar.nehal@atrc.net.pk
 
10.1.1.44.6790
10.1.1.44.679010.1.1.44.6790
10.1.1.44.6790
Alok Tripathi
 
Network Security 2016
Network Security 2016 Network Security 2016
Network Security 2016
Mukesh Pathak
 
Network security
Network securityNetwork security
Network security
Harsh Kishore Mishra
 
Computer Security Lecture 1: Overview
Computer Security Lecture 1: OverviewComputer Security Lecture 1: Overview
Computer Security Lecture 1: Overview
Mohamed Loey
 
Network security
Network securityNetwork security
Network security
nageshkanna13
 
Security data sheet
Security data sheetSecurity data sheet
Security data sheet
INSZoom
 
Network
NetworkNetwork
Network
Saroj Dhakal
 
Introduction Network security
Introduction Network securityIntroduction Network security
Introduction Network security
IGZ Software house
 
Ancaman & kelemahan server
Ancaman & kelemahan serverAncaman & kelemahan server
Ancaman & kelemahan server
Dedi Dwianto
 
Protection and security of operating system
Protection and security of operating systemProtection and security of operating system
Protection and security of operating system
Abdullah Khosa
 
Cryptography and authentication
Cryptography and authenticationCryptography and authentication
Cryptography and authentication
mbadhi
 
Chapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganisedChapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganised
Bule Hora University
 
Security technology
Security technologySecurity technology
Security technology
Praveen Kumar V
 
Protection and security
Protection and securityProtection and security
Protection and security
mbadhi
 
Computer Security Chapter 1
Computer Security Chapter 1Computer Security Chapter 1
Computer Security Chapter 1
Temesgen Berhanu
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
Fat-Thing Gabriel-Culley
 
Cyber tooth briefing
Cyber tooth briefingCyber tooth briefing
Cyber tooth briefing
Andrew Sispoidis
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
Vibrant Event
 
Security management(new) (1)
Security management(new) (1)Security management(new) (1)
Security management(new) (1)
Divyesh Chauhan
 
Data Network Security
Data Network SecurityData Network Security
Data Network Security
Atif Rehmat
 
Network security
Network securityNetwork security
Network security
Ali Kamil
 
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Kuniyasu Suzaki
 
RocksDB meetup
RocksDB meetupRocksDB meetup
RocksDB meetup
Javier González
 
Iris: Inter-cloud Resource Integration System for Elastic Cloud Data Center
Iris: Inter-cloud Resource Integration System for Elastic Cloud Data CenterIris: Inter-cloud Resource Integration System for Elastic Cloud Data Center
Iris: Inter-cloud Resource Integration System for Elastic Cloud Data Center
Ryousei Takano
 

Contenu connexe

Tendances

Security data sheet
Security data sheetSecurity data sheet
Security data sheet
INSZoom
 
Ancaman & kelemahan server
Ancaman & kelemahan serverAncaman & kelemahan server
Ancaman & kelemahan server
Dedi Dwianto
 
Data Network Security
Data Network SecurityData Network Security
Data Network Security
Atif Rehmat
 

Tendances (20)

Network security
Network securityNetwork security
Network security
 
Computer Security Lecture 1: Overview
Computer Security Lecture 1: OverviewComputer Security Lecture 1: Overview
Computer Security Lecture 1: Overview
 
Network security
Network securityNetwork security
Network security
 
Security data sheet
Security data sheetSecurity data sheet
Security data sheet
 
Network
NetworkNetwork
Network
 
Introduction Network security
Introduction Network securityIntroduction Network security
Introduction Network security
 
Ancaman & kelemahan server
Ancaman & kelemahan serverAncaman & kelemahan server
Ancaman & kelemahan server
 
Protection and security of operating system
Protection and security of operating systemProtection and security of operating system
Protection and security of operating system
 
Cryptography and authentication
Cryptography and authenticationCryptography and authentication
Cryptography and authentication
 
Chapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganisedChapter1 intro network_security_sunorganised
Chapter1 intro network_security_sunorganised
 
Security technology
Security technologySecurity technology
Security technology
 
Protection and security
Protection and securityProtection and security
Protection and security
 
Computer Security Chapter 1
Computer Security Chapter 1Computer Security Chapter 1
Computer Security Chapter 1
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
Cyber tooth briefing
Cyber tooth briefingCyber tooth briefing
Cyber tooth briefing
 
Introduction To Computer Security
Introduction To Computer SecurityIntroduction To Computer Security
Introduction To Computer Security
 
Security management(new) (1)
Security management(new) (1)Security management(new) (1)
Security management(new) (1)
 
Data Network Security
Data Network SecurityData Network Security
Data Network Security
 
Network security
Network securityNetwork security
Network security
 
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
Security on cloud storage and IaaS (NSC: Taiwan - JST: Japan workshop)
 

En vedette

Iris: Inter-cloud Resource Integration System for Elastic Cloud Data Center
Iris: Inter-cloud Resource Integration System for Elastic Cloud Data CenterIris: Inter-cloud Resource Integration System for Elastic Cloud Data Center
Iris: Inter-cloud Resource Integration System for Elastic Cloud Data Center
Ryousei Takano
 
Operating System Support for Run-Time Security with a Trusted Execution Envir...
Operating System Support for Run-Time Security with a Trusted Execution Envir...Operating System Support for Run-Time Security with a Trusted Execution Envir...
Operating System Support for Run-Time Security with a Trusted Execution Envir...
Javier González
 
AIST Super Green Cloud: lessons learned from the operation and the performanc...
AIST Super Green Cloud: lessons learned from the operation and the performanc...AIST Super Green Cloud: lessons learned from the operation and the performanc...
AIST Super Green Cloud: lessons learned from the operation and the performanc...
Ryousei Takano
 
クラウド環境におけるキャッシュメモリQoS制御の評価
クラウド環境におけるキャッシュメモリQoS制御の評価クラウド環境におけるキャッシュメモリQoS制御の評価
クラウド環境におけるキャッシュメモリQoS制御の評価
Ryousei Takano
 

En vedette (15)

RocksDB meetup
RocksDB meetupRocksDB meetup
RocksDB meetup
 
Iris: Inter-cloud Resource Integration System for Elastic Cloud Data Center
Iris: Inter-cloud Resource Integration System for Elastic Cloud Data CenterIris: Inter-cloud Resource Integration System for Elastic Cloud Data Center
Iris: Inter-cloud Resource Integration System for Elastic Cloud Data Center
 
クラウド時代の半導体メモリー技術
クラウド時代の半導体メモリー技術クラウド時代の半導体メモリー技術
クラウド時代の半導体メモリー技術
 
Towards Application Driven Storage
Towards Application Driven StorageTowards Application Driven Storage
Towards Application Driven Storage
 
User-space Network Processing
User-space Network ProcessingUser-space Network Processing
User-space Network Processing
 
Operating System Support for Run-Time Security with a Trusted Execution Envir...
Operating System Support for Run-Time Security with a Trusted Execution Envir...Operating System Support for Run-Time Security with a Trusted Execution Envir...
Operating System Support for Run-Time Security with a Trusted Execution Envir...
 
AIST Super Green Cloud: lessons learned from the operation and the performanc...
AIST Super Green Cloud: lessons learned from the operation and the performanc...AIST Super Green Cloud: lessons learned from the operation and the performanc...
AIST Super Green Cloud: lessons learned from the operation and the performanc...
 
A Distributed Architecture for Sharing Ecological Data Sets with Access and U...
A Distributed Architecture for Sharing Ecological Data Sets with Access and U...A Distributed Architecture for Sharing Ecological Data Sets with Access and U...
A Distributed Architecture for Sharing Ecological Data Sets with Access and U...
 
不揮発メモリとOS研究にまつわる何か
不揮発メモリとOS研究にまつわる何か不揮発メモリとOS研究にまつわる何か
不揮発メモリとOS研究にまつわる何か
 
A Look Inside Google’s Data Center Networks
A Look Inside Google’s Data Center NetworksA Look Inside Google’s Data Center Networks
A Look Inside Google’s Data Center Networks
 
Optimizing RocksDB for Open-Channel SSDs
Optimizing RocksDB for Open-Channel SSDsOptimizing RocksDB for Open-Channel SSDs
Optimizing RocksDB for Open-Channel SSDs
 
USENIX NSDI 2016 (Session: Resource Sharing)
USENIX NSDI 2016 (Session: Resource Sharing)USENIX NSDI 2016 (Session: Resource Sharing)
USENIX NSDI 2016 (Session: Resource Sharing)
 
クラウド環境におけるキャッシュメモリQoS制御の評価
クラウド環境におけるキャッシュメモリQoS制御の評価クラウド環境におけるキャッシュメモリQoS制御の評価
クラウド環境におけるキャッシュメモリQoS制御の評価
 
WALをバックアップとレプリケーションに使う方法
WALをバックアップとレプリケーションに使う方法WALをバックアップとレプリケーションに使う方法
WALをバックアップとレプリケーションに使う方法
 
Flow-centric Computing - A Datacenter Architecture in the Post Moore Era
Flow-centric Computing - A Datacenter Architecture in the Post Moore EraFlow-centric Computing - A Datacenter Architecture in the Post Moore Era
Flow-centric Computing - A Datacenter Architecture in the Post Moore Era
 

Similaire à Building Trust Despite Digital Personal Devices

Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1
bora.gungoren
 
LIS3353 SP12 Week 9
LIS3353 SP12 Week 9LIS3353 SP12 Week 9
LIS3353 SP12 Week 9
Amanda Case
 
Information Systems.pptx
Information Systems.pptxInformation Systems.pptx
Information Systems.pptx
KnownId
 
Ch19 OS
Ch19 OSCh19 OS
Ch19 OS
C.U
 
Running head Assignment 1 Identifying Potential Malicious Attack.docx
Running head Assignment 1 Identifying Potential Malicious Attack.docxRunning head Assignment 1 Identifying Potential Malicious Attack.docx
Running head Assignment 1 Identifying Potential Malicious Attack.docx
susanschei
 

Similaire à Building Trust Despite Digital Personal Devices (20)

Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1Portakal Teknoloji Otc Lyon Part 1
Portakal Teknoloji Otc Lyon Part 1
 
Data security
Data securityData security
Data security
 
Ch11
Ch11Ch11
Ch11
 
Ch11 system administration
Ch11 system administration Ch11 system administration
Ch11 system administration
 
The new era of mega trends securtity
The new era of mega trends securtityThe new era of mega trends securtity
The new era of mega trends securtity
 
Network_Security1.pdf.pdf
Network_Security1.pdf.pdfNetwork_Security1.pdf.pdf
Network_Security1.pdf.pdf
 
Cyber tooth
Cyber toothCyber tooth
Cyber tooth
 
Insecurity vssut
Insecurity vssutInsecurity vssut
Insecurity vssut
 
Cyber Security: A Hands on review
Cyber Security: A Hands on reviewCyber Security: A Hands on review
Cyber Security: A Hands on review
 
LIS3353 SP12 Week 9
LIS3353 SP12 Week 9LIS3353 SP12 Week 9
LIS3353 SP12 Week 9
 
Is4560
Is4560Is4560
Is4560
 
information security awareness course
information security awareness courseinformation security awareness course
information security awareness course
 
Information Systems.pptx
Information Systems.pptxInformation Systems.pptx
Information Systems.pptx
 
Network and web security
Network and web securityNetwork and web security
Network and web security
 
OSCh19
OSCh19OSCh19
OSCh19
 
OS_Ch19
OS_Ch19OS_Ch19
OS_Ch19
 
Ch19 OS
Ch19 OSCh19 OS
Ch19 OS
 
Security framework for connected devices
Security framework for connected devicesSecurity framework for connected devices
Security framework for connected devices
 
Running head Assignment 1 Identifying Potential Malicious Attack.docx
Running head Assignment 1 Identifying Potential Malicious Attack.docxRunning head Assignment 1 Identifying Potential Malicious Attack.docx
Running head Assignment 1 Identifying Potential Malicious Attack.docx
 
Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
 

Dernier

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Dernier (20)

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 

Building Trust Despite Digital Personal Devices

  • 1. Building Trust Despite Digital Personal Devices Javier González - jgon@itu.dk Philippe Bonnet - phbo@itu.dk by Javier González OpenIT - 07.03.2014
  • 2. Users Service Providers Personal Devices Personal Information Services ! Information Flow Distrust Digital Society mails passwords ssh-keys media content certificatespictures apps
  • 5. The social science viewpoint What are the social norms around privacy and personal data processing? How do they evolve in time? How do they evolve with respect to IT evolution? Getting beyond the lame meme - “Privacy is dead – deal with it” - “I’ve done nothing wrong, why should I care?” - “In Denmark, people are very trusting, so privacy is not an issue” !
  • 6. Contextual Integrity Helen Nissenbaum. Privacy in Context, 2010 Exchange/sharing of personal data is at the core of any social interaction - Privacy is not about “not sharing” personal data! Any social context (work, education, health, ...) defines – more or less explicitly – a social norm, i.e., an appropriate behaviour that is to be expected. Contextual integrity gives a framework to reason about the norms that apply, in a given social context, to the flows of personal data (i.e., information norms)
  • 7. Users Service Providers Personal Devices Information Flow Digital Society Contextual Integrity
  • 9. UCONABC Jaehong Park and Ravi Sandhu. The UCONabc usage control model. ACM Trans. Inf. Syst. Secur., 7(1):128–174, February 2004.
  • 10. Audit: a posteriori control of how rights were used Enforcement: a priori control of usage rights Formal Model Strong security Assumptions No implementation! Jaehong Park and Ravi Sandhu. The UCONabc usage control model. ACM Trans. Inf. Syst. Secur., 7(1):128–174, February 2004. Can model complex frameworks UCONABC
  • 11. Implementing UCONABC Sensitive Data Untrusted Storage Program Program Usage Control Access Control UCON Program root Security Perimeter beyond root domains
  • 12. Requirements UCONABC UCON needs to be implemented within a security perimeter protected by hardware so that attackers with root privileges cannot disable it using software. From inside the security perimeter it should be possible to “monitor” programs outside the security perimeter Communicating with programs in the security perimeter should entail a low overhead
  • 13. Secure Platforms Level of Protection Communication Execution Environment Only Software Rich OS Rich OS + TEE SW and Tamper resistant HW Secure Ad-how OS Narrow Interfaces Very High Low Messages, Sockets, SM Software and Hardware Shared Memory Medium/High ARM TrustZone Examples Android, Linux, IOS, Windows IBM CryptoCards, TPM, Secure Token Normal Execution Environment Security Perimeter Monitor With Low Overhead Protected by HardwareAll Sorts of Applications Monitoring Applications
  • 15. ARM TrustZone Secure memory, rich memory and shared memory Secure acquisition/release of peripherals in runtime (e.g., ethernet, screen, flash) Gatekeeper - Context switch controlled by hardware (AMBA3) Shared processor
  • 16. Rich/Secure Abstraction Principle 1: Self preservation first. Under the suspicion of a threat, the secure environment isolates itself logically and gives up availability in order to protect data integrity, confidentiality and durability. Rich Environment Secure Environment Client Server User Space Kernel Space Secure Space Hardware root root HardwareSoftware Principle 2: Lead all communications. The secure environment defines all parameters that define this communication: protocol, certificates, encryption keys, etc. Principle 3: Secure all interactions. The secure area has priority to obtain exclusive access to secure peripherals.
  • 17. Building Trust Users have the certainty that their sensitive information will not be misused by the software running in their devices. Service providers have the certainty that the devices interacting with their systems are not compromised Both should have the freedom to choose who they trust, and the technology should aid giving certainty, not enforcing
  • 18. Building Trust Protect data in secondary storage Monitor the integrity of the system Enforce usage policies Support different digital contexts
  • 19. Background Information Trusted Storage Module (TSM) A system providing trusted storage should guarantee data confidentiality, integrity, availability, and durability Today’s security policies rely on data encryption to support confidentiality and integrity. However, if encryption keys can be compromised or stolen on the client computer, then there is not much protection left. Approaches using tamper-resistant hardware: low functionality, physical separated, and narrow interfaces
  • 20. Thread Model Trusted Storage Module (TSM) Sensitive Data Untrusted Storage Program Program Malware root Memory Access to storage Access to memory Access to peripherals
  • 21. Trusted Storage Module (TSM) Architecture Rich Environment Secure Environment Data producer App Platform Independent Platform Dependent TSM CI Secure EnvironmentCI TSM Secure Module Tamper Resistant Unit Crypto Module for [i..n] Data Chunk (i) (ii) Storage (iii)(iv) Enc. DataEnc. Keys PDS (v) Enc. Data Metadata
  • 22. 0 0.00375 0.00750 0.01125 0.01500 1KB 10KB 20KB 50KB 100KB Time[s] Store&Object&in&Rich& Store&Object&in&Secure& Trusted Storage Module (TSM) Overhead
  • 23. Contributions Trusted Storage Module (TSM) Provide a mechanism for rich apps to store securely objects containing sensitive information introducing low overhead Provide a mechanism to enforce access control to the files storing those objects, i.e., encryption, secure memory and secure peripherals Use untrusted storage as a cheap and “unlimited” source of secondary storage
  • 24. Antifragile Storage Can we learn from successful attacks and improve, being better prepared for future attacks? Successful attacks (hardware and software) that do not entail the collapse of the system are good and welcome (if detectable), and even intentionally provoked The level of hardware tamper resistance is the upper boundary to which the system can benefit from being harmed How do we detect these attacks (e.g., traps, human intervention)? How to learn from them (e.g., AI, machine learning)? * Nassim Nicholas Taleb
  • 25. Trusted Integrity Module (TIM) Background Information Secondary storage is normally attacked. To survive a reboot or hide from system administrators, attackers make modifications to system files, line commands and system libraries. Running processed produce logs, which are accessible from users space (applications), and therefore can be tampered with. Storage-based integrity checks need to build on top of trusted storage (e.g., TSM)
  • 26. Architecture Trusted Integrity Module (TIM) Rich App GLIBC System-Call Interface (SCI) VFS file Obj dentry Obj inode Obj super-block Obj Dependencies Attributes SecureEnvironment CommunicationInterface open() close() read() write() flush() struct inode { ... uid_t //user id of owner did_t //group id of owner eid_t //environ. id of owner ... }; Platform Independent Platform Dependent UserSpaceKernelSpace Rich Environment Secure Environment cache FSn SEC. FILE SEC. FILE SEC. FILE VFS Trusted Extension dentry Obj inode Obj super-block Obj cache FSn Shared MemoryFS0 FS0 FSn FSn RICH FILE RICH FILE read / exec all all read nothing all all all VFS Metadata TIM ... CRYPTO hash(file) hash(inode) hash(dentry) TSM Dependencies Attributes secure file Obj sopen() sclose() sread() swrite() sflush() ... Tamper Resistant Unit TIMTSM FS0 FS0 FSn History Logs Transaction Logs Crypto Keys
  • 27. Contribution Trusted Integrity Module (TIM) TIM is in itself a storage-based Intrusion Detection System (IDS) without much less assumptions than current approaches Provide an architecture to guarantee the integrity of system files adding a low overhead to file system primitives Provide an method to log actions involving system files in trusted storage, preventing attackers to clean after themselves
  • 28. Next Steps Implement UCON on top of TIM to add complex usage control policies to secure file operations (i.e., enforcement, embedded behaviour, and audit) Extend TIM with a machine learning algorithm to learn from past attacks - antifrigility Exploring how to monitor running processes without introducing a big overhead. Ideas: Use of resources, peripherals, etc.
  • 30. Security today Users Service Providers ? DRM-like Secure Personal Devices Imposition Lock upDistrust Cyberactivism: -Software Freedom -Privacy -Anti Copyright ! * some - normally those involved in media content. * bypass
  • 31. Lockdown, Freedom, and Certainty Cory Doctorow. The Coming Civil War over General Purpose Computing Lockdown: “Your TPM comes with a set of signing keys it trusts, and unless your bootloader is signed by a TPM-trusted party, you can't run it. Moreover, since the bootloader determines which OS launches, you don't get to control the software in your machine.” Certainty: “You tell your TPM which signing keys you trust - say, Ubuntu, EFF, ACLU and Wikileaks - and it tells you whether the bootloaders it can find on your disk have been signed by any of those parties. It can faithfully report the signature on any other bootloaders it finds, and it lets you make up your own damn mind about whether you want to trust any or all of the above.” Freedom: “Android lets you tick a box to run any code you want.”
  • 32. Certainty Boot Power On FSBL Boot Loader Secure OS Non Secure Boot Loader Non Secure OS SE Verification Ubuntu Samsung WikiLeaks … Architecture
  • 33. Certainty Boot Contributions New signing keys can be added to the SE by the user Provide a Trusted Boot using a Secure Element (SE) and TrustZone. The boot sequence is stored in the SE, which can only be accessed from the secure environment. (2-phase verification) Applications can check the boot sequence trace through the secure environment to verify that they trust the running software
  • 34. Contributions We have a framework that can implement a usage control model defining privacy policies (contextual integrity) in order to build trust in digital interactions Bottom - up: We have a prototype where storage-based usage control policies based on trusted storage and its integrity can easily be implemented: TSM and TIM Top - down: We have one way to give users the freedom to choose their software while giving certainty to both users and and service providers
  • 35. Building Trust Despite Digital Personal Devices Javier González - jgon@itu.dk Philippe Bonnet - phbo@itu.dk by Javier González OpenIT - 07.03.2014