
Page 1

Security Research in Project Oxygen

Srini Devadas, Ronald L. Rivest

Students: Burnside, Clarke, Gassend, Kotwal, Raman

Oxygen Visitors: Marten van Dijk (Philips), Kevin Chuang, Shawn Wang (Acer)

Page 2

Oxygen Alliance Annual Meeting — June 12 - 13, 2002. Srini Devadas — Lab for Computer Science

Major Question

How can we securely utilize a multitude of inexpensive, potentially untrustworthy, potentially indistinguishable devices?

Page 3

Approaches

– Security automation for cheap devices: proxy-based security protocols; access-controlled resource discovery

– Two-way user/proxy authentication through untrusted devices: secure image verification & secure user authentication

– Secure hardware architectures: physical unknown functions on-chip

Page 4

Intentional Naming

• Resource discovery and service location system for dynamic networks

• Uses a simple language based on attributes and values to identify resources

• Language used to describe the desired resource
– Applications describe what they are looking for, not where to find it

[Figure: the name-specifier [building = lcs [floor = 2 [service = printer [load <= 4]]] is resolved by INS to the host pulp.lcs.mit.edu, drawn beside DNS for comparison.]
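Added example (not code from the slides or from the INS project): a small recursive-descent parser for the nested attribute-value language shown above, plus a matcher that checks a flat name-record against the parsed specifier. The tuple layout, the `matches` function and the rule that `<=`/`>=` apply only to numeric values are my assumptions; the parser rejects unbalanced or truncated specifiers rather than guessing.

```python
import re

_TOKEN = re.compile(r"\[|\]|<=|>=|=|[^\s\[\]=<>]+")

def parse_name_specifier(text):
    """Parse '[building = lcs [floor = 2 [service = printer [load <= 4]]]]' into a
    list of (attribute, operator, value, children) tuples; malformed input raises ValueError."""
    tokens = _TOKEN.findall(text)
    pos = 0

    def expect(tok):
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] != tok:
            raise ValueError(f"expected {tok!r} at token {pos}")
        pos += 1
    def av_element():
        nonlocal pos
        expect("[")
        attr, op, value = tokens[pos:pos + 3]   # ValueError if the element is truncated
        if op not in ("=", "<=", ">="):
            raise ValueError(f"bad operator {op!r} after attribute {attr!r}")
        pos += 3
        children = []
        while pos < len(tokens) and tokens[pos] == "[":
            children.append(av_element())
        expect("]")
        return (attr, op, value, children)

    spec = []
    while pos < len(tokens):
        spec.append(av_element())
    return spec

def matches(spec, record):
    """True when a flat name-record (attribute -> value) satisfies every nested
    constraint; numeric comparison when both sides are numbers, else string equality."""
    for attr, op, value, children in spec:
        if attr not in record:
            return False
        try:
            have, want = float(record[attr]), float(value)
        except ValueError:                      # non-numeric: only '=' is meaningful
            have, want = str(record[attr]), str(value)
            if op != "=":
                return False
        ok = have == want if op == "=" else (have <= want if op == "<=" else have >= want)
        if not ok or not matches(children, record):
            return False
    return True
```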

Page 5

Intentional Naming

[Figure: NAME-TREE. root branches into the attributes service and location; service has the values printer, camera and speakers, location has lcs, ai-lab and mit; leaf values carry name-records.]

Page 6

Integrating Security into INS

• INS is a naming service, designed to be a layer below security
– No built-in mechanism to implement access control
– Cannot explicitly reject requests from unauthorized users

• Integrate access control decision making into INS

• Application should find the best resource to which it has access
– Increases scalability and performance
– Costly to perform a full authentication check

Page 7

The Naïve Solution

[Figure: the naïve solution. The K21 Proxy sends [service = printer [load <= 2]] to the Intentional Naming Service, whose NAME-TREE (root; service: printer 1, printer 2, printer 3; location: lcs, ai-lab, mit) returns printer1.lcs.mit.edu, printer2.lcs.mit.edu and printer3.lcs.mit.edu. Printer 1 Proxy admits Users A and C, Printer 2 Proxy admits User D, Printer 3 Proxy admits Users A and B. User B therefore runs three authentication[user B] exchanges, one per printer proxy; only Printer 3 Proxy accepts, after which <print> is sent and <ok> returned.]

Page 8

A Scalable Solution

[Figure: system architecture. A K21 handheld with a Cricket Listener and Wireless Comm. receives location from a Cricket Beacon; the user's intent is {print to closest, least-loaded printer}. The K21 Proxy sends {request} through the Intentional Name Routers, which resolve the name to pulp.lcs.mit.edu; proxy-to-proxy security runs between the K21 Proxy and the Printer Proxy.]

Page 9

Key Ideas

• Store ACL as attribute-value pair on each resource proxy AND at nodes of the INS name-tree

• INS routers maintain dynamic name-trees
– Propagate ACLs up the tree when they are modified
– “OR” ACLs at each parent node

• Access control decisions made during traversal
– Name-lookup algorithms eliminate resources based on membership in intermediate ACLs

• K21 Proxy performs transitive closure of its certificates and sends appropriate rules to INS with request
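Added example (not code from the slides or from INS) covering the key ideas above and the name-tree, certificate and lookup figures on pages 10-12: ACLs propagated upward by set union, a transitive closure over (group, member) certificates, and a lookup that prunes any subtree whose OR'ed ACL shares nothing with the requester's groups. The `Node` class, the `(group, member)` certificate encoding and the sample tree are my constructions.

```python
class Node:
    """Name-tree node; leaves are resources with a resource-level ACL and a load."""
    def __init__(self, name, acl=(), children=(), load=None):
        self.name, self.children, self.load = name, list(children), load
        self.acl = set(acl)   # on inner nodes this becomes the OR'ed ACL of the subtree

def propagate_acls(node):
    """Periodic update: each inner node's ACL is the union (OR) of its children's ACLs."""
    if node.children:
        node.acl = set().union(*(propagate_acls(c) for c in node.children))
    return node.acl

def transitive_closure(certs):
    """certs: {(group, member)} meaning 'member belongs to group'. Adds every
    group -> member edge reachable through intermediate groups."""
    closure = set(certs)
    while True:
        derived = {(g, m2) for g, m in closure for g2, m2 in closure if m == g2}
        if derived <= closure:
            return closure
        closure |= derived

def groups_of(principal, closure):
    """The principal itself plus every group the closed certificate set puts it in."""
    return {principal} | {g for g, m in closure if m == principal}

def lookup(node, groups, predicate, visited):
    """Return accessible leaves matching the predicate. A subtree whose OR'ed ACL
    shares no entry with the requester's groups is skipped without contacting it."""
    visited.append(node.name)
    if not node.acl & groups:
        return []
    if not node.children:
        return [node] if predicate(node) else []
    return [r for c in node.children for r in lookup(c, groups, predicate, visited)]

def demo():
    # Constructed name-tree modelled on the slides' printer example (not the real INS).
    tree = Node("root", children=[
        Node("printer", children=[
            Node("printer 1", acl={"User A", "User C"}, load=1),
            Node("printer 2", acl={"User D"}, load=1),
            Node("printer 3", acl={"User A", "K1 students"}, load=2)]),
        Node("camera", children=[Node("camera 1", acl={"User D"}, load=0)])])
    propagate_acls(tree)
    certs = {("K1 students", "K2 students"), ("K2 students", "Kc")}  # K21's certificates
    groups = groups_of("Kc", transitive_closure(certs))
    visited = []
    found = lookup(tree, groups, lambda n: n.load <= 2, visited)
    return sorted(n.name for n in found), visited
```

Only printer 3 is returned, so a single authentication exchange would follow, and the camera subtree is never descended because its OR'ed ACL excludes every group Kc belongs to.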

Page 10

Integration of Access Control

[Figure: the NAME-TREE from page 5 (root; service: printer, camera; location: lcs, ai-lab, speakers, mit; name-records at the leaves) with resource-level ACLs ACL1, ACL2 and ACL3 attached to the leaves. Periodic updates push them upward, so each parent holds a constructed ACL built from ACL1, ACL2 and ACL3; name-record resolution happens at the leaves.]

Page 11

System Architecture Revisited

[Figure: the page 8 architecture with certificates added. K21's certificates: K1's group "students" includes K2's group "students"; K2's group "students" includes the principal Kc. The transitive closure of K21's certificates derives the marked (*) facts: K2 students includes Kc and K1 students includes Kc. The K21 Proxy sends {request} together with these rules through the Intentional Name Routers, which resolve the name to 192.168.0.45 (the Printer Proxy); proxy-to-proxy security runs between the K21 Proxy and the Printer Proxy. The K21 handheld, with Cricket Listener, Cricket Beacon, Wireless Comm. and the intent {print to closest, least-loaded printer}, is as before.]

Page 12

Scalable Solution

[Figure: the scalable solution. The K21 Proxy sends [service = printer [load <= 2]] && [Relevant Certificates] to the Intentional Naming Service, whose NAME-TREE (root; service: printer 1 with ACL1, printer 2 with ACL2, printer 3 with ACL3; location: lcs, ai-lab, mit) holds the combined ACL1 ACL2 ACL3 at the parent. Printer 1 Proxy admits Users A and C, Printer 2 Proxy admits User D, Printer 3 Proxy admits Users A and B. Lookup returns only printer3.lcs.mit.edu, so User B runs a single authentication[user B] exchange with Printer 3 Proxy, then <print> and <ok>.]

Page 13

Results

• If the naïve strategy queries more than one resource, the scalable (OR’ed ACL) strategy outperforms it.

• For a large number of resources (> 100), the naïve strategy is not feasible
– Could take several seconds to find an accessible resource

• ACL maintenance can be performed periodically and does not cause significant network overhead