Remote Attestation of Attribute Updates and Information Flows in A UCON System
11/04/2021
Outline
≈ (Some) Background
≈ Existing remote attestation techniques
≈ Dynamics of behavior
≈ UCON and attestation
» Attribute updates
» Information flows
≈ The problem
http://serg.imsciences.edu.pk 2
Background
≈ The target is to attest a remote application
≈ Existing solutions:
» IMA
» Property-based Attestation
» PRIMA
» Program Execution
» LKIM
≈ Limitations
» Binary only – a code hash says nothing about runtime behavior
» No benchmarks – what does "right" behavior look like?
» Infeasible – does not scale
» Target the whole platform – privacy
UCON
≈ The need for attestation
» A resource is released to a remote platform
» There needs to be a way of ensuring proper use
≈ Usage CONtrol (UCON)
» Concerned with usage of objects
» Continuity of Access Decisions
» Mutability of Attributes
» Best suited for specifying policies to be enforced at
remote platforms
Grounding Policies
≈ UCON policies can be very complex (the safety problem for general UCON is undecidable)
≈ We need a way of restricting the model
≈ By limiting the domain of each attribute to a finite set, the policies can be grounded
≈ These ground policies are then finite and can be checked feasibly
Grounding Policies (contd.)
Behavioral Attestation of UCON
Behavioral Attestation of UCON (contd.)
≈ Attribute Updates
» Measurement (Attribute Flow Graph)
» Verification (ground policies)
≈ Information Flows
» Measurement (Access Rights Graph)
» Verification (information flow check)
Attribute Updates
Attribute Flow Graph (AFG)
Attribute Updates (contd.)
» AND …
» The hash of the procedure performing the updates must
be trusted
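The grounding step and the attribute-update attestation on the preceding slides, worked through as an added example (this is illustrative code written for this page, not code from the slides or from the SERG project). It assumes small finite attribute domains, that the platform reports each update as (attribute, old value, new value, SHA-256 of the procedure that performed it), and that the verifier holds a whitelist of trusted procedure hashes; the attribute names, domains, update rule and procedure bodies are all constructed for the example.

```python
"""Grounding a UCON attribute-update policy and verifying an Attribute Flow Graph.

Added example; not code from the slides or the SERG project. Assumptions:
  - attribute domains are small finite sets, so the symbolic rule can be
    grounded by enumeration;
  - the platform reports each update as
    (attribute, old value, new value, sha256 of the procedure that did it);
  - the verifier holds a whitelist of trusted procedure hashes.
"""
import hashlib
from itertools import product

# Finite attribute domains (constructed for the example).
DOMAINS = {
    "credit": {0, 1, 2, 3},
    "role": {"guest", "member"},
}


def symbolic_rule(attr, old, new):
    """Symbolic UCON update rule: an update is permitted iff this holds.
    Constructed rule: credit may only be decremented by exactly one per usage,
    and role may only be promoted from guest to member."""
    if attr == "credit":
        return new == old - 1
    if attr == "role":
        return old == "guest" and new == "member"
    return False


def ground_policy(domains, rule):
    """Enumerate every concrete (attr, old, new) transition the rule permits.
    Because every domain is finite, the ground policy is a finite set."""
    allowed = set()
    for attr, dom in domains.items():
        for old, new in product(sorted(dom, key=str), repeat=2):
            if rule(attr, old, new):
                allowed.add((attr, old, new))
    return allowed


def proc_hash(body: bytes) -> str:
    """Measurement of an update procedure: sha256 over its body."""
    return hashlib.sha256(body).hexdigest()


# Hashes of the two procedures allowed to touch attributes (constructed bodies;
# in a deployment these would be measured at install time).
DEBIT = proc_hash(b"def debit(credit): return credit - 1")
PROMOTE = proc_hash(b"def promote(role): return 'member'")
TRUSTED_PROCEDURES = {DEBIT, PROMOTE}


def build_afg(updates):
    """Measurement: fold reported updates into an Attribute Flow Graph,
    keyed by attribute, edges old -> new labelled with the procedure hash."""
    afg = {}
    for attr, old, new, h in updates:
        afg.setdefault(attr, []).append((old, new, h))
    return afg


def verify_afg(afg, policy, trusted):
    """Verification: every edge must be in the ground policy AND have been
    performed by a trusted procedure. Returns the list of violations
    (empty means the reported behavior attests correctly)."""
    violations = []
    for attr, edges in afg.items():
        for old, new, h in edges:
            if (attr, old, new) not in policy:
                violations.append(("policy", attr, old, new))
            if h not in trusted:
                violations.append(("untrusted_procedure", attr, old, new))
    return violations


def attest(updates):
    """Ground the policy, measure the reported updates, verify the AFG."""
    policy = ground_policy(DOMAINS, symbolic_rule)
    return verify_afg(build_afg(updates), policy, TRUSTED_PROCEDURES)


# Constructed behavior reports from the remote platform.
GOOD_REPORT = [
    ("credit", 3, 2, DEBIT),
    ("credit", 2, 1, DEBIT),
    ("role", "guest", "member", PROMOTE),
]
ROGUE = proc_hash(b"def refund(credit): return credit + 2")  # not whitelisted
BAD_REPORT = GOOD_REPORT + [
    ("credit", 1, 3, ROGUE),               # violates policy AND untrusted code
    ("role", "member", "guest", PROMOTE),  # trusted code, but a demotion
]

if __name__ == "__main__":
    print("good:", attest(GOOD_REPORT))
    print("bad: ", attest(BAD_REPORT))
```

Both checks are needed: the last edge of the bad report is performed by whitelisted code, so binary attestation of the procedure alone would accept it, and only the ground policy catches the demotion; conversely the rogue refund would be caught by the policy even if its hash had slipped onto the whitelist.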
Information Flows
Access Rights Graph (ARG)
Information Flows (contd.)
Information Flows (contd.)
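The Access Rights Graph measurement and the information-flow check from the Information Flows slides, as an added example (illustrative code written for this page, not code from the slides or the SERG project). The slides do not fix the exact shape of the ARG, so this assumes a simple model: the platform reports (subject, right, object) triples with right in {read, write}; information flows from object A to object B whenever some subject can read A and write B; flows compose transitively; and the policy is a list of forbidden (source, sink) object pairs. Subject and object names are constructed.

```python
"""Access Rights Graph (ARG) measurement and information-flow check.

Added example; not code from the slides or the SERG project. Assumed model:
  - the platform reports the rights its subjects currently hold on objects as
    (subject, right, object), right in {"read", "write"};
  - information can flow from object A to object B in one step whenever some
    subject can read A and write B; flows compose transitively;
  - the policy is a list of forbidden (source object, sink object) flows.
"""
from collections import defaultdict, deque


def build_arg(rights):
    """Measurement: the ARG as two subject -> objects maps (read, write)."""
    reads, writes = defaultdict(set), defaultdict(set)
    for subject, right, obj in rights:
        if right == "read":
            reads[subject].add(obj)
        elif right == "write":
            writes[subject].add(obj)
        else:
            raise ValueError(f"unknown right {right!r} for {subject!r}")
    return reads, writes


def direct_flows(reads, writes):
    """Derive the object -> objects one-step flow relation from the ARG."""
    flows = defaultdict(set)
    for subject in set(reads) | set(writes):
        for src in reads[subject]:
            for dst in writes[subject]:
                if src != dst:
                    flows[src].add(dst)
    return flows


def find_path(flows, src, sink):
    """BFS for a flow path src -> ... -> sink; None if sink is unreachable."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == sink:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in sorted(flows.get(node, ())):
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def check_information_flows(rights, forbidden):
    """Verification: list every forbidden (src, sink) pair that the measured
    ARG makes reachable, with one witnessing path of objects."""
    reads, writes = build_arg(rights)
    flows = direct_flows(reads, writes)
    violations = []
    for src, sink in forbidden:
        if src == sink:
            continue
        path = find_path(flows, src, sink)
        if path is not None:
            violations.append((src, sink, path))
    return violations


# Constructed rights report from the remote platform.
RIGHTS = [
    ("viewer",   "read",  "contract.pdf"),
    ("viewer",   "write", "scratch.tmp"),
    ("uploader", "read",  "scratch.tmp"),
    ("uploader", "write", "public_share"),
    ("admin",    "read",  "contract.pdf"),
    ("admin",    "write", "contract.pdf"),
    ("auditor",  "read",  "public_share"),
    ("auditor",  "write", "audit.log"),
]
FORBIDDEN = [("contract.pdf", "public_share"), ("public_share", "contract.pdf")]

# Same platform after the usage decision for viewer's write is revoked
# (constructed follow-up report; UCON re-evaluates decisions continuously).
REVOKED = [r for r in RIGHTS if r != ("viewer", "write", "scratch.tmp")]

if __name__ == "__main__":
    print(check_information_flows(RIGHTS, FORBIDDEN))
    print(check_information_flows(REVOKED, FORBIDDEN))
```

No single subject holds both a read on contract.pdf and a write on public_share, so a per-subject rights check would pass; the leak only shows up when the flows derived from the ARG are composed across subjects, which is what the transitive check does.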
In Summary …
≈ We have described how policies can be used as
benchmarks
≈ We target the application, not the whole platform
≈ Only two behaviors studied in our work
≈ There are many more
≈ They can all add to the level of trust
≈ But…
The Problem
≈ We’re depending on a Behavior Monitor for
reporting the behavior of the rest of the application
≈ Currently the behavior of the BM is assured by:
» Binary attestation
» Formal verification
≈ This is a chicken-and-egg problem: how do we trust the BM if we don't trust the app?
≈ This is the core question that needs to be answered if we want to measure the dynamics of behavior
Comments, Criticism and Questions