evaluating the usability of usage controls in electronic collaboration josé brustoloni, ricardo...
TRANSCRIPT
Evaluating the Usability of Evaluating the Usability of Usage Controls in Usage Controls in
Electronic CollaborationElectronic Collaboration
José Brustoloni, Ricardo Villamarín-Salomón, Peter Djalaliev and David Kyle
Dept. Computer ScienceUniversity of Pittsburgh
{jcb,rvillsal,peterdj,dkyle}@cs.pitt.edu
J. Brustoloni 2SOUPS 2008
Electronic collaboration and info misuseElectronic collaboration and info misuse
♦ Electronic collaboration can greatly increase productivity Many examples in design, supply chain, service
♦ Impediment: risk of and liability for information misuse
♦ Existing solution: non-disclosure agreements (NDAs) Legally obligates collaborator Can take months to get signed Very expensive and time-consuming to enforce in court
♦ Result: many potential collaborations don’t happen
J. Brustoloni 3SOUPS 2008
Usage controlsUsage controls
♦ Usage controls enable information providers to limit technically how recipients may use the information e.g., copy, print, redistribute, retain beyond a certain time
♦ Applications increasingly provide them e.g., Adobe Acrobat, OpenOffice
♦ Might reduce expected cost of NDAs, or replace them
♦ Problems Recipes for cracking easily available from Web Often do not interoperate Usability?
J. Brustoloni 4SOUPS 2008
Example from OpenOfficeExample from OpenOffice
J. Brustoloni 5SOUPS 2008
UCLinuxUCLinux
♦ Linux Security Module♦ Enables hardening software-based usage controls
(e.g., PDF’s) with hardware-based ones♦ Hardware-based usage controls employ security
coprocessor (TPM) and are harder to crack♦ Web server and browser are modified♦ No modifications needed in other applications
(e.g., Acrobat, OpenOffice, xpdf)
J. Brustoloni 6SOUPS 2008
OutlineOutline
♦ Threat model♦ Background on TPMs♦ Overview of UCLinux♦ User interfaces
Authoring Acceptance Hierarchical
♦ User study♦ Related work♦ Conclusions
J. Brustoloni 7SOUPS 2008
Threat modelThreat model
♦ Attacker is merely opportunistic♦ May have administrative rights♦ Can use any software-based attack♦ Does not use any hardware-based attacks
J. Brustoloni 8SOUPS 2008
Background on Trusted Platform ModulesBackground on Trusted Platform Modules
♦ Standardized, low-cost security coprocessors♦ Present in many commercially available computers ♦ Require immutable TPM-aware BIOS boot block♦ Chain of trust
Each component in boot sequence measures integrity of next component and extends result into a TPM platform configuration register (PCR)
Only way to undo is to reset computer♦ Attestation: Secure verification of remote computer’s
configuration TPM signs nonce and PCR values
♦ Sealing: Binding a secret to a particular configuration TPM decrypts secret only if PCR values are same
J. Brustoloni 9SOUPS 2008
UCLinux: TCB prelogging and UCLinux: TCB prelogging and usage-controlled file systemusage-controlled file system
♦ At boot time, UCLinux optimistically extends expected integrity measurement of each TCB component, according to configuration file (TCB list) Results in repeatable PCR values
♦ UCFS is encrypted file system with secret key sealed to PCR values that result from boot sequence and TCB list Can be mounted only if system has not been tampered
♦ Hardware-based usage policies stored as extended attributes of UCFS files May specify integrity measurements of programs trusted
to open the file
J. Brustoloni 10SOUPS 2008
UCLinux: Policy enforcementUCLinux: Policy enforcement
♦ UCLinux measures the integrity of each program kernel executes
♦ When program opens file with hardware-based usage policies, UCLinux enforces them Cracked applications cannot open files with usage
policies Applications do not need to be changed to get this
protection
J. Brustoloni 11SOUPS 2008
UCLinux: ExceptionsUCLinux: Exceptions
♦ UCLinux monitors imminent security violation (ISV) exceptions: TCB component’s integrity measurement at load time
differs from that in TCB list, or Privileged program loaded and is not in TCB list, or Privileged user attempts to log interactively into system
♦ In each case, UCLinux’s subsequent ability to enforce policies could be subverted
J. Brustoloni 12SOUPS 2008
UCLinux: Exception handlingUCLinux: Exception handling
♦ Applications may register handler for ISV exception Erase secrets from memory
♦ UCLinux: aborts processes with UCFS file open that have not have
registered a handler unmounts UCFS and erases any copy in memory of UCFS
key erases pages freed
♦ After exception handling, system can be used normally, but without UCFS
♦ UCFS remounted when system rebooted into trusted state
J. Brustoloni 13SOUPS 2008
Web server and browser modificationsWeb server and browser modifications
♦ If requested file has prepared usage policies, Web server returns these to client and requests TLS upgrade with TLS extension
♦ If user accepts usage policies, browser initiates connection upgrade
♦ During connection upgrade, Web server obtains client’s attestation
♦ If Web server finds that client’s configuration is trustworthy, it completes upgrade and returns file
♦ Browser stores file with usage policies in UCFS
J. Brustoloni 14SOUPS 2008
Preventing abusesPreventing abuses
♦ Browser is in TCB list and revealed in attestation♦ UCLinux guarantees that only trusted browser
can get attestation and store files in UCFS♦ UCLinux enforces usage policies only for UCFS
files
J. Brustoloni 15SOUPS 2008
Authoring: Contextual menu option for setting Authoring: Contextual menu option for setting hardware-based usage policieshardware-based usage policies
J. Brustoloni 16SOUPS 2008
Binding file to trusted applicationBinding file to trusted application
J. Brustoloni 17SOUPS 2008
Specifying allowed period for accessing fileSpecifying allowed period for accessing file
J. Brustoloni 18SOUPS 2008
Contextual menu option for Contextual menu option for posting file to Web siteposting file to Web site
J. Brustoloni 19SOUPS 2008
Dialog for confirming or canceling file postingDialog for confirming or canceling file posting
J. Brustoloni 20SOUPS 2008
Acceptance: Dialog for accepting Acceptance: Dialog for accepting usage policies of download fileusage policies of download file
J. Brustoloni 21SOUPS 2008
Hierarchical overriding policies: Hierarchical overriding policies: Dialog for confirming or canceling file postingDialog for confirming or canceling file posting
J. Brustoloni 22SOUPS 2008
Dialog for accepting usage policies of Dialog for accepting usage policies of download filedownload file
J. Brustoloni 23SOUPS 2008
User studyUser study
♦ Users role-played an engineer making a design decision based on usage-controlled files retrieved from Web
♦ Two scenarios in automobile industry♦ First scenario performed without usage controls, second
with♦ Based on specified criteria, select from 7 potential
suppliers: 1. Alternative-fuel engine (electric, biodiesel, etc.)2. Tires
♦ Among the 7 documents: 4 had acceptable usage policies and useful information (set A) 3 did not have acceptable policies and indicated information
was unavailable (set B)♦ No hierarchical overriding policies
J. Brustoloni 24SOUPS 2008
Participant characteristicsParticipant characteristics
J. Brustoloni 25SOUPS 2008
User study resultsUser study results
J. Brustoloni 26SOUPS 2008
Interpretation of resultsInterpretation of results
♦ As desired, usage controls: Greatly reduced number of documents with unacceptable
policies downloaded One participant downloaded but, after checking policies,
did not open file with unacceptable policies Had no impact on documents with acceptable policies
downloaded♦ Most users (9/10) were able to post correct decision with
correct usage policies, despite lack of training One participant posted correct decision, but with incorrect
usage policies♦ Slight increase in task completion time, but not statistically
significant
J. Brustoloni 27SOUPS 2008
Participant perceptions Participant perceptions
♦ Users seem to find system usable and acceptable
J. Brustoloni 28SOUPS 2008
Related workRelated work
♦ IBM Integrity Measurement Architecture (tcgLinux): Loader measures and extends into TPM integrity of every program Attempts to ensure that any tampering is measured, extended into
TPM, and reported Problems:
PCR values depend on load sequence Sealing not possible
Mechanisms guarantee integrity but not confidentiality Privacy: even programs that are not TCB components are
disclosed♦ Bear/Enforcer:
Sealing but no attestation Client’s system administrator (but not server) can set usage
policies Vulnerable to root attacks
J. Brustoloni 29SOUPS 2008
ConclusionsConclusions
♦ Hardware-based usage controls can prevent cracked applications from opening files with usage policies
♦ UCLinux allows adding such controls without modifying existing applications (e.g., OpenOffice, xpdf)
♦ UCLinux’s interfaces for posting and downloading files with usage policies are usable by untrained users
♦ Insignificant impact on task accuracy or completion
time