Security Research in Project Oxygen
Srini Devadas
Ronald L. Rivest
Students: Burnside, Clarke, Gassend, Kotwal, Raman
Oxygen Visitors: Marten van Dijk (Philips)
Kevin Chuang, Shawn Wang (Acer)
Oxygen Alliance Annual Meeting — June 12 - 13, 2002 — Srini Devadas — Lab for Computer Science
Major Question
How can we securely utilize a multitude of inexpensive, potentially untrustworthy, potentially indistinguishable devices?
Approaches
– Security automation for cheap devices: proxy-based security protocols, access-controlled resource discovery
– Two-way user/proxy authentication through untrusted devices: secure image verification & secure user authentication
– Secure hardware architectures: physical unknown functions on-chip
Intentional Naming
• Resource discovery and service location system for dynamic networks
• Uses a simple language based on attributes and values to identify resources
• Language used to describe the desired resource
– Applications describe what they are looking for, not where to find it
Example: the intentional name [building = lcs [floor = 2 [service = printer [load <= 4]]]] is resolved by INS to the DNS host name pulp.lcs.mit.edu (INS resolves intentional names; DNS resolves the resulting host name).
Intentional Naming
[Name-tree diagram: root node; attribute nodes service and location; value nodes printer, camera, lcs, ai-lab, speakers, mit; the leaves are name-records]
Integrating Security into INS
• INS is a naming service; designed to be a layer below security
– No built-in mechanism to implement access control
– Cannot explicitly reject requests from unauthorized users
• Integrate access control decision making into INS
• Application should find best resource to which it has access
– Increases scalability and performance
– Costly to perform full authentication check
The Naïve Solution
[Diagram: User B's K21 Proxy sends [service = printer [load <= 2]] to the Intentional Naming Service, whose name-tree holds printer 1, printer 2 (under lcs) and printer 3 (under ai-lab, mit). INS returns printer1.lcs.mit.edu, printer2.lcs.mit.edu and printer3.lcs.mit.edu. The K21 Proxy then runs authentication[user B] against each printer proxy in turn: Printer 1 Proxy (users A, C) and Printer 2 Proxy (user D) reject; Printer 3 Proxy (users A, B) accepts, and only then does <print> / <ok> take place.]
A Scalable Solution
[Diagram: a K21 handheld with a Cricket Listener (located by a Cricket Beacon) and wireless communication to its K21 Proxy; the user's intent is {print to closest, least-loaded printer}. The K21 Proxy sends a {request} through the Intentional Name Routers, which resolve the name to pulp.lcs.mit.edu; proxy-to-proxy security protects the exchange between the K21 Proxy and the Printer Proxy.]
Key Ideas
• Store ACL as attribute-value pair on each resource proxy AND at nodes of the INS name-tree
• INS routers maintain dynamic name-trees
– Propagate ACLs up the tree when they are modified
– “OR” the ACLs at each parent node
• Access control decisions made during traversal
– Name-lookup algorithms eliminate resources based on membership in intermediate ACLs
• K21 Proxy performs transitive closure of its certificates and sends appropriate rules to INS with request
Integration of Access Control
[Diagram: the name-tree (root; service, location; printer, camera; lcs, ai-lab, speakers, mit; name-records) annotated with resource-level ACLs ACL1, ACL2, ACL3 at the leaves. Periodic updates propagate them upward during name-record resolution, so each parent node carries a constructed ACL made up of ACL1, ACL2 and ACL3 OR'ed together.]
System Architecture Revisited
[Diagram: the same architecture as the scalable solution (K21 with Cricket Listener and Beacon, wireless communication, {print to closest, least-loaded printer}, K21 Proxy, Intentional Name Routers, Printer Proxy at 192.168.0.45, proxy-to-proxy security, {request}), now annotated with K21's certificates:
K1 students → K2 students
K2 students → Kc
Transitive closure of K21's certificates adds the derived entries, marked (*):
(*) K2 students → Kc
(*) K1 students → Kc
The closed set of rules is what the K21 Proxy sends with its request.]
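The ACL propagation and pruned lookup from the Key Ideas slide, together with the certificate closure shown in the architecture diagram above, as an added example (a constructed illustration in Python, not Project Oxygen or INS code). The tree shape, ACL contents, loads, host names and certificate entries are assumptions modelled on the slides' three-printer scenario; the simplified certificate form (name, member) is an assumption as well. The naive strategy is included beside the OR'ed-ACL strategy so the difference in per-resource authentications can be seen on the same tree.

```python
# Added example (constructed illustration, not Project Oxygen/INS code):
# OR'ed ACLs in an INS-style name-tree plus proxy-side certificate closure.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Node:
    """Name-tree node: an attribute=value label, or a leaf name-record with a resource."""
    label: str
    children: List["Node"] = field(default_factory=list)
    acl: Set[str] = field(default_factory=set)  # principals allowed somewhere below
    resource: Optional[str] = None              # host name, leaf name-records only
    load: int = 0                               # constructed load value


def propagate_acls(node: Node) -> Set[str]:
    """Bottom-up: each interior node's ACL becomes the OR (union) of its children's ACLs."""
    if node.resource is not None:
        return set(node.acl)                    # leaf keeps its resource-level ACL
    node.acl = set()
    for child in node.children:
        node.acl |= propagate_acls(child)
    return node.acl


def scalable_lookup(node: Node, principals: Set[str], max_load: int) -> Tuple[List[str], int]:
    """Access-controlled traversal: returns (accessible matches, nodes visited).
    A subtree is dropped as soon as its OR'ed ACL shares no principal with the requester."""
    if node.acl.isdisjoint(principals):
        return [], 1                            # pruned without descending
    if node.resource is not None:
        return ([node.resource] if node.load <= max_load else []), 1
    found, visited = [], 1
    for child in node.children:
        f, v = scalable_lookup(child, principals, max_load)
        found, visited = found + f, visited + v
    return found, visited


def naive_lookup(node: Node, max_load: int) -> List[Tuple[str, Set[str]]]:
    """Plain INS lookup, no access control: every load-matching resource with its own ACL."""
    if node.resource is not None:
        return [(node.resource, node.acl)] if node.load <= max_load else []
    return [hit for child in node.children for hit in naive_lookup(child, max_load)]


def naive_authentications(node: Node, principals: Set[str], max_load: int) -> int:
    """How many per-resource authentications the naive strategy needs before one succeeds."""
    count = 0
    for _resource, acl in naive_lookup(node, max_load):
        count += 1
        if not acl.isdisjoint(principals):
            break
    return count


def certificate_closure(certs: List[Tuple[str, str]], key: str) -> Set[str]:
    """Transitive closure of name certificates (name, member): `member` is a key or another
    name that belongs to `name`. Returns every name the key belongs to, directly or via
    other names (Kc -> K2 students -> K1 students)."""
    contains: Dict[str, Set[str]] = {}
    for name, member in certs:
        contains.setdefault(member, set()).add(name)
    names, frontier = set(), [key]
    while frontier:
        member = frontier.pop()
        for name in contains.get(member, ()):
            if name not in names:
                names.add(name)
                frontier.append(name)
    return names


# Constructed name-tree modelled on the slides' three-printer scenario.
TREE = Node("root", [
    Node("service=printer", [
        Node("location=lcs", [
            Node("printer1", acl={"user A", "user C"}, resource="printer1.lcs.mit.edu", load=1),
            Node("printer2", acl={"user D"}, resource="printer2.lcs.mit.edu", load=3),
        ]),
        Node("location=ai-lab", [
            Node("printer3", acl={"user A", "user B", "K1 students"},
                 resource="printer3.lcs.mit.edu", load=2),
        ]),
    ]),
])
propagate_acls(TREE)                            # the "periodic update" step, done once here

# Constructed certificates: K1's "students" contains K2's "students", which contains key Kc.
CERTS = [("K1 students", "K2 students"), ("K2 students", "Kc")]


def demo() -> Dict[str, object]:
    """Both strategies for user B, and the certificate-holder Kc via closure."""
    kc_rules = {"Kc"} | certificate_closure(CERTS, "Kc")   # rules the proxy sends with the request
    return {
        "user_b_scalable": scalable_lookup(TREE, {"user B"}, 2),
        "user_b_naive_auths": naive_authentications(TREE, {"user B"}, 2),
        "kc_rules": kc_rules,
        "kc_scalable": scalable_lookup(TREE, kc_rules, 2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

For user B the pruned traversal never enters the lcs subtree (its OR'ed ACL is {user A, user C, user D}) and reaches printer 3 after visiting five nodes, whereas the naive strategy authenticates to printer 1 and fails before succeeding at printer 3. The key holder Kc is admitted to printer 3 only because the closure of the certificates places Kc in "K1 students", which is the name the resource ACL carries.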
Scalable Solution
[Diagram: User B's K21 Proxy sends [service = printer [load <= 2]] && [Relevant Certificates] to the Intentional Naming Service. The name-tree now carries ACL1 at printer 1 (users A, C), ACL2 at printer 2 (user D) and ACL3 at printer 3 (users A, B), with ACL1, ACL2 and ACL3 OR'ed at the nodes above them. INS returns only printer3.lcs.mit.edu; a single authentication[user B] to Printer 3 Proxy is followed by <print> / <ok>.]
Results
• If the naïve strategy queries more than one resource, then the scalable (OR’ed ACL) strategy outperforms it.
• For a large number of resources (> 100), the naïve strategy is not feasible
– Could take several seconds to find an accessible resource
• ACL maintenance can be performed periodically and does not cause significant network overheads