
Remote Attestation of Attribute Updates and Information Flows in a UCON System
Mohammad Nauman1 (nauman@imsciences.edu.pk), Masoom Alam1, Xinwen Zhang2 and Tamleek Ali1

1 Security Engineering Research Group (SERG), Institute of Management Sciences
http://serg.imsciences.edu.pk
2 Samsung Information Systems America (SISA)
http://sisa.samsung.com

11/04/2021
Outline
≈ (Some) Background
≈ Existing remote attestation techniques
≈ Dynamics of behavior
≈ UCON and attestation
» Attribute updates
» Information flows
≈ The problem

http://serg.imsciences.edu.pk 2
Background
≈ The target is to attest a remote application
≈ Existing solutions:
» IMA
» Property-based Attestation
» PRIMA
» Program Execution
» LKIM
≈ Limitations
» Binary only – behavior
» No benchmarks – what is right?
» Infeasible – scalability
» Target a platform – privacy
UCON
≈ The need for attestation
» A resource is released to a remote platform
» There needs to be a way of ensuring proper use
≈ Usage CONtrol (UCON)
» Concerned with usage of objects
» Continuity of Access Decisions
» Mutability of Attributes
» Best suited for specifying policies to be enforced at remote platforms

Grounding Policies
≈ UCON policies can be very complex (leading to undecidability of the safety problem)
≈ We need a way of restricting the model
≈ By limiting the domain of the attributes, the policies can be ground
≈ These ground policies are then finite and can be used feasibly

Grounding Policies (contd.)

Behavioral Attestation of UCON

Behavioral Attestation of UCON (contd.)

≈ Two target behaviors

≈ Attribute Updates
» Measurement (Attribute Flow Graph)
» Verification (ground policies)

≈ Information Flows
» Measurement (Access Rights Graph)
» Verification (information flow check)

Attribute Updates
Attribute Flow Graph (AFG)

Attribute Updates (contd.)

≈ For each attribute update:
» there must exist a ground policy which updates the target (object, attribute) pair using the source (object, attribute) pair in the AFG
» (attribute updates involving constants are verified against the CONST node)
» AND …
» the hash of the procedure performing the update must be trusted
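The two slides above (grounding policies over finite attribute domains, then checking each measured AFG edge against the ground policies and a trusted procedure hash) can be carried through end to end. The block below is an added example, not code from the paper or from the SERG project: the policy-template format, the AFG edge format, the attribute domains and the hash labels (`h_update_credits`, `h_bump_counter`, `h_unknown`) are all constructed for illustration.

```python
"""Grounding UCON update policies and verifying an Attribute Flow Graph.

Added example; not code from the paper. Policy shape, AFG measurement
format and the procedure-hash labels are constructed assumptions.
"""
from itertools import product

# Node that stands for every constant-valued update source in the AFG.
CONST = ("CONST", None)


def ground(template, domains):
    """Instantiate a policy template over finite attribute domains.

    template: {"target": (obj, attr), "source": (obj, attr)} where obj/attr
              may be variable names (keys of `domains`).
    Returns the finite set of ground policies, each ((tobj, tattr), (sobj, sattr)).
    """
    variables = sorted(domains)
    policies = set()
    for values in product(*(domains[v] for v in variables)):
        binding = dict(zip(variables, values))

        def inst(pair):
            # Replace variables by their bound value; leave constants as-is.
            return tuple(binding.get(x, x) for x in pair)

        policies.add((inst(template["target"]), inst(template["source"])))
    return policies


def verify_afg(afg_edges, ground_policies, trusted_hashes):
    """Check every measured attribute update against the ground policies.

    afg_edges: list of {"source": (obj, attr), "target": (obj, attr),
               "proc_hash": str}; a source object named "CONST" denotes a
               constant and is mapped onto the CONST node before lookup.
    Returns a list of (reason, edge) violations; an empty list means the
    attribute-update behaviour is consistent with the ground policies.
    """
    violations = []
    for edge in afg_edges:
        source = CONST if edge["source"][0] == "CONST" else edge["source"]
        if (edge["target"], source) not in ground_policies:
            violations.append(("no_ground_policy", edge))
        if edge["proc_hash"] not in trusted_hashes:
            violations.append(("untrusted_procedure", edge))
    return violations


def demo():
    """Constructed scenario: two templates, four measured updates."""
    # Template 1: a subject's credits may be updated from an object's cost.
    t_credits = {"target": ("s", "credits"), "source": ("o", "cost")}
    # Template 2: a subject's usage counter may be updated from a constant.
    t_counter = {"target": ("s", "usage_count"), "source": CONST}
    policies = ground(t_credits, {"s": ["alice", "bob"], "o": ["doc1", "doc2"]})
    policies |= ground(t_counter, {"s": ["alice", "bob"]})

    # Constructed hash labels standing in for measured procedure hashes.
    trusted = {"h_update_credits", "h_bump_counter"}

    afg = [
        # allowed update by a trusted procedure
        {"source": ("doc1", "cost"), "target": ("alice", "credits"), "proc_hash": "h_update_credits"},
        # constant update: matched against the CONST node
        {"source": ("CONST", "1"), "target": ("bob", "usage_count"), "proc_hash": "h_bump_counter"},
        # no ground policy lets cost flow into usage_count
        {"source": ("doc2", "cost"), "target": ("alice", "usage_count"), "proc_hash": "h_update_credits"},
        # policy exists, but the updating procedure is not trusted
        {"source": ("doc1", "cost"), "target": ("bob", "credits"), "proc_hash": "h_unknown"},
    ]
    return verify_afg(afg, policies, trusted)


if __name__ == "__main__":
    for reason, edge in demo():
        print(reason, edge["source"], "->", edge["target"])
```

Grounding turns each template into |domain| many concrete policies, which is what makes the membership test in `verify_afg` a finite lookup; the two checks are reported independently so that a verifier can distinguish a behaviour the policy never allowed from an allowed behaviour performed by untrusted code.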

Information Flows
Access Rights Graph (ARG)

Information Flows (contd.)

≈ All operations mapped to read-like and write-like operations
≈ Then an information flow graph is created

Information Flows (contd.)

≈ Information flow check algorithm
≈ Checks if:
» the information flow caused by the read-like and write-like operations is permitted by the set of ground policies
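The three information-flow slides describe a pipeline: classify each access as read-like or write-like, derive an information flow graph from the accesses, and check that graph against what the ground policies permit. The block below is an added example, not code from the paper or the SERG project. It assumes a trace of (subject, operation, object) tuples, a constructed operation-to-class mapping, and that a flow from object A to object B exists whenever a subject writes B after having read A; it also assumes permitted flows compose transitively, so indirect flows through an intermediate object are checked too.

```python
"""Information flow check over read-like and write-like operations.

Added example; not code from the paper. Operation classes, trace format
and the permitted-flow policy format are constructed assumptions.
"""

# Constructed mapping of concrete operations onto the two abstract classes.
READ_LIKE = {"read", "execute", "open_read", "stat"}
WRITE_LIKE = {"write", "append", "create", "truncate"}


def classify(op):
    """Map an operation to 'read' or 'write'; unmapped ops are an error
    rather than silently ignored, so a new syscall cannot bypass the check."""
    if op in READ_LIKE:
        return "read"
    if op in WRITE_LIKE:
        return "write"
    raise ValueError(f"unmapped operation: {op}")


def information_flows(trace):
    """Derive direct object-to-object flows from an ordered trace.

    A flow (src, dst) is recorded when a subject performs a write-like
    operation on dst after a read-like operation on src (assumption).
    """
    reads_so_far = {}  # subject -> objects it has read
    flows = set()
    for subject, op, obj in trace:
        if classify(op) == "read":
            reads_so_far.setdefault(subject, set()).add(obj)
        else:
            for src in reads_so_far.get(subject, ()):
                if src != obj:
                    flows.add((src, obj))
    return flows


def transitive_closure(edges):
    """Smallest transitive superset of `edges` (simple fixpoint iteration)."""
    closure = set(edges)
    changed = True
    while changed:
        changed = False
        for a, b in list(closure):
            for c, d in list(closure):
                if b == c and a != d and (a, d) not in closure:
                    closure.add((a, d))
                    changed = True
    return closure


def check_flows(trace, permitted):
    """Return every (direct or indirect) flow not allowed by the policies.

    `permitted` is the set of (src, dst) object pairs the ground policies
    allow; it is closed transitively before comparison (assumption).
    """
    allowed = transitive_closure(permitted)
    actual = transitive_closure(information_flows(trace))
    return sorted(actual - allowed)


def demo():
    """Constructed trace: a viewer copies contract data into notes, then a
    sync process pushes the notes to a public share."""
    trace = [
        ("viewer", "read", "contract.pdf"),
        ("viewer", "write", "notes.txt"),
        ("sync", "read", "notes.txt"),
        ("sync", "write", "public_share"),
        ("sync", "read", "public_share"),  # read after write: no new flow
    ]
    # Ground policies only permit contract data to reach the notes file.
    permitted = {("contract.pdf", "notes.txt")}
    return check_flows(trace, permitted)


if __name__ == "__main__":
    for src, dst in demo():
        print(f"flow not permitted: {src} -> {dst}")
```

The transitive closure is what catches the laundering case: neither subject alone moves `contract.pdf` to `public_share`, but the composed flow through `notes.txt` is reported because the policies never permitted it.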

In Summary …
≈ We have described how policies can be used as benchmarks
≈ We target the application, not the whole platform
≈ Only two behaviors studied in our work
≈ There are many more
≈ They can all add to the level of trust
≈ But…

The Problem
≈ We’re depending on a Behavior Monitor (BM) for reporting the behavior of the rest of the application
≈ Currently the behavior of the BM is assured by:
» Binary attestation
» Formal verification
≈ This is a chicken-and-egg problem. How do we trust the BM if we don’t trust the app?
≈ This is the core question that needs to be answered if we want to measure the dynamics of behavior

Comments, Criticism and Questions

Thank you for your attention.


(nauman@imsciences.edu.pk)
