Evaluating the Usability of Evaluating the Usability of Usage Controls in Usage Controls in

Electronic CollaborationElectronic Collaboration

José Brustoloni, Ricardo Villamarín-Salomón, Peter Djalaliev and David Kyle

Dept. Computer ScienceUniversity of Pittsburgh

{jcb,rvillsal,peterdj,dkyle}@cs.pitt.edu

J. Brustoloni 2SOUPS 2008

Electronic collaboration and info misuseElectronic collaboration and info misuse

♦ Electronic collaboration can greatly increase productivity Many examples in design, supply chain, service

♦ Impediment: risk of and liability for information misuse

♦ Existing solution: non-disclosure agreements (NDAs) Legally obligates collaborator Can take months to get signed Very expensive and time-consuming to enforce in court

♦ Result: many potential collaborations don’t happen

J. Brustoloni 3SOUPS 2008

Usage controlsUsage controls

♦ Usage controls enable information providers to limit technically how recipients may use the information e.g., copy, print, redistribute, retain beyond a certain time

♦ Applications increasingly provide them e.g., Adobe Acrobat, OpenOffice

♦ Might reduce expected cost of NDAs, or replace them

♦ Problems Recipes for cracking easily available from Web Often do not interoperate Usability?

J. Brustoloni 4SOUPS 2008

Example from OpenOfficeExample from OpenOffice

J. Brustoloni 5SOUPS 2008

UCLinuxUCLinux

♦ Linux Security Module♦ Enables hardening software-based usage controls

(e.g., PDF’s) with hardware-based ones♦ Hardware-based usage controls employ security

coprocessor (TPM) and are harder to crack♦ Web server and browser are modified♦ No modifications needed in other applications

(e.g., Acrobat, OpenOffice, xpdf)

J. Brustoloni 6SOUPS 2008

OutlineOutline

♦ Threat model♦ Background on TPMs♦ Overview of UCLinux♦ User interfaces

Authoring Acceptance Hierarchical

♦ User study♦ Related work♦ Conclusions

J. Brustoloni 7SOUPS 2008

Threat modelThreat model

♦ Attacker is merely opportunistic♦ May have administrative rights♦ Can use any software-based attack♦ Does not use any hardware-based attacks

J. Brustoloni 8SOUPS 2008

Background on Trusted Platform ModulesBackground on Trusted Platform Modules

♦ Standardized, low-cost security coprocessors♦ Present in many commercially available computers ♦ Require immutable TPM-aware BIOS boot block♦ Chain of trust

Each component in boot sequence measures integrity of next component and extends result into a TPM platform configuration register (PCR)

Only way to undo is to reset computer♦ Attestation: Secure verification of remote computer’s

configuration TPM signs nonce and PCR values

♦ Sealing: Binding a secret to a particular configuration TPM decrypts secret only if PCR values are same

J. Brustoloni 9SOUPS 2008

UCLinux: TCB prelogging and UCLinux: TCB prelogging and usage-controlled file systemusage-controlled file system

♦ At boot time, UCLinux optimistically extends expected integrity measurement of each TCB component, according to configuration file (TCB list) Results in repeatable PCR values

♦ UCFS is encrypted file system with secret key sealed to PCR values that result from boot sequence and TCB list Can be mounted only if system has not been tampered

♦ Hardware-based usage policies stored as extended attributes of UCFS files May specify integrity measurements of programs trusted

to open the file

J. Brustoloni 10SOUPS 2008

UCLinux: Policy enforcementUCLinux: Policy enforcement

♦ UCLinux measures the integrity of each program kernel executes

♦ When program opens file with hardware-based usage policies, UCLinux enforces them Cracked applications cannot open files with usage

policies Applications do not need to be changed to get this

protection

J. Brustoloni 11SOUPS 2008

UCLinux: ExceptionsUCLinux: Exceptions

♦ UCLinux monitors imminent security violation (ISV) exceptions: TCB component’s integrity measurement at load time

differs from that in TCB list, or Privileged program loaded and is not in TCB list, or Privileged user attempts to log interactively into system

♦ In each case, UCLinux’s subsequent ability to enforce policies could be subverted

J. Brustoloni 12SOUPS 2008

UCLinux: Exception handlingUCLinux: Exception handling

♦ Applications may register handler for ISV exception Erase secrets from memory

♦ UCLinux: aborts processes with UCFS file open that have not have

registered a handler unmounts UCFS and erases any copy in memory of UCFS

key erases pages freed

♦ After exception handling, system can be used normally, but without UCFS

♦ UCFS remounted when system rebooted into trusted state

J. Brustoloni 13SOUPS 2008

Web server and browser modificationsWeb server and browser modifications

♦ If requested file has prepared usage policies, Web server returns these to client and requests TLS upgrade with TLS extension

♦ If user accepts usage policies, browser initiates connection upgrade

♦ During connection upgrade, Web server obtains client’s attestation

♦ If Web server finds that client’s configuration is trustworthy, it completes upgrade and returns file

♦ Browser stores file with usage policies in UCFS

J. Brustoloni 14SOUPS 2008

Preventing abusesPreventing abuses

♦ Browser is in TCB list and revealed in attestation♦ UCLinux guarantees that only trusted browser

can get attestation and store files in UCFS♦ UCLinux enforces usage policies only for UCFS

files

J. Brustoloni 15SOUPS 2008

Authoring: Contextual menu option for setting Authoring: Contextual menu option for setting hardware-based usage policieshardware-based usage policies

J. Brustoloni 16SOUPS 2008

Binding file to trusted applicationBinding file to trusted application

J. Brustoloni 17SOUPS 2008

Specifying allowed period for accessing fileSpecifying allowed period for accessing file

J. Brustoloni 18SOUPS 2008

Contextual menu option for Contextual menu option for posting file to Web siteposting file to Web site

J. Brustoloni 19SOUPS 2008

Dialog for confirming or canceling file postingDialog for confirming or canceling file posting

J. Brustoloni 20SOUPS 2008

Acceptance: Dialog for accepting Acceptance: Dialog for accepting usage policies of download fileusage policies of download file

J. Brustoloni 21SOUPS 2008

Hierarchical overriding policies: Hierarchical overriding policies: Dialog for confirming or canceling file postingDialog for confirming or canceling file posting

J. Brustoloni 22SOUPS 2008

Dialog for accepting usage policies of Dialog for accepting usage policies of download filedownload file

J. Brustoloni 23SOUPS 2008

User studyUser study

♦ Users role-played an engineer making a design decision based on usage-controlled files retrieved from Web

♦ Two scenarios in automobile industry♦ First scenario performed without usage controls, second

with♦ Based on specified criteria, select from 7 potential

suppliers: 1. Alternative-fuel engine (electric, biodiesel, etc.)2. Tires

♦ Among the 7 documents: 4 had acceptable usage policies and useful information (set A) 3 did not have acceptable policies and indicated information

was unavailable (set B)♦ No hierarchical overriding policies

J. Brustoloni 24SOUPS 2008

Participant characteristicsParticipant characteristics

J. Brustoloni 25SOUPS 2008

User study resultsUser study results

J. Brustoloni 26SOUPS 2008

Interpretation of resultsInterpretation of results

♦ As desired, usage controls: Greatly reduced number of documents with unacceptable

policies downloaded One participant downloaded but, after checking policies,

did not open file with unacceptable policies Had no impact on documents with acceptable policies

downloaded♦ Most users (9/10) were able to post correct decision with

correct usage policies, despite lack of training One participant posted correct decision, but with incorrect

usage policies♦ Slight increase in task completion time, but not statistically

significant

J. Brustoloni 27SOUPS 2008

Participant perceptions Participant perceptions

♦ Users seem to find system usable and acceptable

J. Brustoloni 28SOUPS 2008

Related workRelated work

♦ IBM Integrity Measurement Architecture (tcgLinux): Loader measures and extends into TPM integrity of every program Attempts to ensure that any tampering is measured, extended into

TPM, and reported Problems:

PCR values depend on load sequence Sealing not possible

Mechanisms guarantee integrity but not confidentiality Privacy: even programs that are not TCB components are

disclosed♦ Bear/Enforcer:

Sealing but no attestation Client’s system administrator (but not server) can set usage

policies Vulnerable to root attacks

J. Brustoloni 29SOUPS 2008

ConclusionsConclusions

♦ Hardware-based usage controls can prevent cracked applications from opening files with usage policies

♦ UCLinux allows adding such controls without modifying existing applications (e.g., OpenOffice, xpdf)

♦ UCLinux’s interfaces for posting and downloading files with usage policies are usable by untrained users

♦ Insignificant impact on task accuracy or completion

time