Post on 18-Dec-2015
Autonomic Trust Management for a Pervasive System
Zheng Yan
Nokia Research Center, Helsinki, Finland
Secrypt’08, July 27, 2008, Porto, Portugal
Outline
• Introduction and motivation
• Related work
• Fundamental technologies
• Solution: autonomic trust management
• An example application
• Further discussion
• Conclusions and future work
Introduction & motivation
• Pervasive systems
  • Allow seamless interactions among various portable and networked processing devices, distributed at all scales throughout everyday routine life
  • Decentralized, distributed, open, dynamic
  • Communications depend on trust among devices: classical, centralized security-managing mechanisms are unusable
  • Trust becomes a crucial issue to ensure effective collaborations among various devices for expected services
• A holistic notion of trust
  • Includes several properties, such as security, availability and reliability, depending on the requirements of a trustor
  • The assessment by a trustor of how well the observed behavior of a trustee, measured through a number of quality attributes, meets the trustor’s own standards for an intended purpose
Related work
• Xu, Xin, and Lu (2007): a hybrid model encompassing a trust model, a security model and a risk model for pervasive computing
• Shand, Dimmock, and Bacon (2004): a trust and risk framework to facilitate secure collaboration
• Claycomb and Shin (2006): a visual framework for securing impromptu collaboration
• Yin, Ray, and Ray (2006): a trust model for pervasive computing applications and strategies for establishing trust between entities to support the dynamics of trust
• Spanoudakis (2007): a platform for dynamic trust assessment of software services
• Wolfe, Ahamed, and Zulkernine (2006): trust management based on a scheme for categorizing devices, calculating trust, and facilitating trust-related communications
• Remarks
  • Mainly focused on establishing distinct trust models based on different theories or methods, for various scenarios and motivations
  • Apply trust, reputation and/or risk analysis mechanisms based on fuzzy logic, probabilistic theory, cloud theory, traditional authentication and cryptographic methods, and so on, to manage trust
  • Did not support autonomic control of trust for the fulfillment of an intended service
  • This limits the effectiveness of trust management, since trust is both subjective and dynamic
Main idea of our paper
• An autonomic trust management solution for the pervasive system
  • Based on a trusted computing platform
  • Supports autonomic trust control on the trustee device based on the trustor device’s specification
• An adaptive trust control model
  • Assumes several trust control modes, each of which contains a number of control mechanisms or operations
  • Ensures that a suitable set of control modes is applied
  • A Fuzzy Cognitive Map models the factors related to trust for control mode prediction and selection
  • Uses the runtime trust assessment result as feedback to autonomously adapt the weights of the adaptive trust control model, in order to find a suitable set of control modes in a specific pervasive computing context
Fundamental technologies (1): a mechanism to sustain trust
• Trust form
  • Trustor A trusts trustee B for purpose P under condition C based on root trust R
• Root trust (RT) module
  • Hardware-based security module
  • Registers, protects and manages the conditions for trust sustaining and self-regulating
  • Monitors any change of the computing platform, including any alteration or operation on hardware, software and their configurations
  • Checks changes and restricts them based on the trust conditions, and notifies the trustor accordingly
  • Approaches to notify changes: active method and passive method

[Figure: the Root Trust Module (Secure Registers, Reporter, Monitor, Controller) sits above the hardware and software. The conditions for trust sustaining and self-regulating and the platform trusted booting record are registered in the secure registers; the module monitors and controls the platform, reports on it, and raises a signal of distrust.]
A mechanism to sustain trust: protocol
• Root trust challenge and attestation to ensure the trustor’s basic trust dependence on the trustee, in steps 1-2
• Trust establishment by specifying the trust conditions and registering them at the trustee’s RT module for trust sustaining, in steps 3-6
• Sustaining the trust relationship through the monitoring and control by the RT module, in steps 7-8
• Re-challenge the trust relationship if necessary when any changes against the trust conditions are reported

Message flow between trustor A (device A) and trustee B (device B, with its Root Trust Module):
1. Root trust challenge from A
2. Evidence of root trust from B; A verifies the evidence (on failure, the exchange stops)
3. Trust relationship establishment request from A
4. Confirmation from B
5. Trust relationship conditions C from A; B’s RT module verifies and registers the conditions
6. Confirmation of the conditions from B
7. Transaction and cooperation between A and B; B’s RT module watches the local environment for any change against the conditions
8.1 Restrictions on changes by the RT module
8.2 Notification of distrust to A (optional); A takes the corresponding action and re-challenges if needed
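The eight steps above simulated end to end, as an added Python example (not code from the paper or from Nokia): the trustee's RT module attests its platform booting record against a challenge nonce, stores trustor A's conditions in a secure register, and on every later platform change either restricts and notifies (8.1, 8.2) or allows. The keyed-digest attestation, the shared key, the boot-record string and the condition format are assumptions chosen for this example.

```python
import hashlib
import hmac

# Constructed sample values (hypothetical, not from the paper): the platform
# booting record the trustor expects and the key the RT module attests with.
EXPECTED_BOOT_RECORD = hashlib.sha256(b"bootloader=v1;kernel=v5;os=v3").hexdigest()
ATTESTATION_KEY = b"demo-root-trust-key"

class RootTrustModule:
    """Simulated hardware RT module of trustee device B."""
    def __init__(self, boot_record):
        self.boot_record = boot_record
        self.secure_registers = {}   # trust conditions registered per trustor
        self.distrust_signals = []   # 8.2 notifications sent to trustors

    def attest(self, nonce):
        """Step 2: evidence = keyed digest over the challenge nonce and boot record."""
        return hmac.new(ATTESTATION_KEY, nonce + self.boot_record.encode(), "sha256").hexdigest()

    def register_conditions(self, trustor, conditions):
        """Steps 5-6: store the trustor's conditions C in a secure register."""
        self.secure_registers[trustor] = dict(conditions)
        return True                                  # confirmation to the trustor

    def on_platform_change(self, change):
        """Steps 7-8: check a hardware/software change against every registered
        condition; restrict and notify when it violates one. Returns decisions."""
        decisions = []
        for trustor, cond in self.secure_registers.items():
            if change["component"] in cond["locked_components"]:
                decisions.append((trustor, "restrict"))           # 8.1
                self.distrust_signals.append((trustor, change))  # 8.2
            else:
                decisions.append((trustor, "allow"))
        return decisions

def verify_evidence(nonce, evidence):
    """Trustor A's check of step 2: recompute the digest for the expected record."""
    expected = hmac.new(ATTESTATION_KEY, nonce + EXPECTED_BOOT_RECORD.encode(), "sha256").hexdigest()
    return hmac.compare_digest(expected, evidence)

def establish_trust(rt, nonce=b"challenge-nonce-1"):
    """Steps 1-6 as run by trustor A; True once B's RT module holds A's conditions."""
    evidence = rt.attest(nonce)                      # 1-2: challenge and attestation
    if not verify_evidence(nonce, evidence):
        return False                                 # evidence verification failed
    conditions = {"locked_components": {"kernel", "crypto_lib"}}   # 5: constructed C
    return rt.register_conditions("A", conditions)   # 6: confirmation from B
```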
Fundamental technologies (2): an adaptive trust control model
• Considering that trustworthiness is influenced by a number of quality attributes
• These quality attributes are ensured or controlled through a number of control modes
• A control mode contains a number of control mechanisms or operations
• A weight is used to indicate the importance rate of a quality attribute
• An influence factor of a control mode is set based on the impact of the control mode on the quality attributes
• We also apply a selection factor of a control mode to indicate whether the control mode is actually applied in the system

[Figure: Fuzzy Cognitive Map of the adaptive trust control model. Trustworthiness $T$ is linked to the quality attributes $QA_1, \ldots, QA_n$ (values $V_{QA_1}, \ldots, V_{QA_n}$, weights $w_1, \ldots, w_n$); each $QA_i$ is linked to the control modes $C_1, \ldots, C_m$ (values $V_{C_1}, \ldots, V_{C_m}$, influence factors $cw_{ij}$, selection factors $B_{C_1}, \ldots, B_{C_m}$).]

Model equations:
$$T = f\left(\sum_{i=1}^{n} w_i V_{QA_i},\; T^{old}\right)$$
$$V_{QA_i} = f\left(\sum_{j=1}^{m} cw_{ij} V_{C_j} B_{C_j},\; V_{QA_i}^{old}\right)$$
$$V_{C_j} = f\left(T,\; B_{C_j},\; V_{C_j}^{old}\right)$$
Autonomic trust management: a system definition
• User
• Pervasive system
  • Pervasive computing devices
    • Trusted computing platform
      • Root Trust module
      • Autonomic trust management framework (ATMF)
      • Operating System (OS)
        • A performance observer
    • Services

[Diagram: the pervasive system includes devices; a device has a trusted computing platform that contains the Root Trust Module, which protects and supports the Autonomic Trust Management Framework; the framework manages the services the device offers and runs on and monitors the OS with its performance observer; the user uses the devices and the services.]
Autonomic Trust Management Framework (ATMF)
• Responsibility: manage the trustworthiness of a trustee service
  • Configure its trust properties
  • Switch on/off the trust control mechanisms, i.e. select a suitable set of control modes
• Secure storages: experience base, policy base, mechanism base
• ATMF secure access to the RT module
  • Extract the policies into the policy base for trust assessment if necessary
• An evaluation, decision and selection engine (EDS engine)
  • Trust assessment
  • Make trust decisions
  • Select suitable trust control modes

[Diagram: the trusted computing platform holds the Root Trust Module, the operating system with performance observer, and services 1 to n; the Autonomic Trust Management Framework (Policy Base, Experience Base, Mechanism Base, and the Evaluation, Decision and Selection engine) has secure access to the Root Trust Module.]
Autonomic trust management procedure
• Remote service collaboration check
• If remote: trust sustaining mechanism
  • Embed the device trust conditions (including trust policies) into the RT module
  • Extract the trust policies and save them into the policy base
• Trustworthiness and trust control mode prediction, selection
• Monitor performance and behavior
• Adjust the trust control model

[Flowchart of the procedure:]
1. Service collaboration starts.
2. Is it local service collaboration? If no: root trust challenge and attestation on the device of the trustee service; specify the trust conditions and register them at the trustee device’s RT module; extract the trust policies for trust assessment from the trust conditions; input the trust policies into the policy base of the trustee device’s ATMF. If yes: continue directly.
3. Trustworthiness and trust control mode prediction.
4. Trust control mode selection. Are suitable modes found? If yes: apply the selected control modes. If no: raise a warning or optimize the trust control mode configurations.
5. Monitor the behavior of the trustee service at runtime.
6. Is the trust assessment on the trustee positive? If yes: continue monitoring. If no: adaptive trust control model adjustment, then return to the prediction step.
Algorithms
• Trust assessment
  • Trust value generator
  • Weighted summation
  [The formulas for the trust value generator and the weighted summation are not recoverable from the extracted slide text.]
• Control mode prediction and selection
  • Anticipate the performance or feasibility of all possibly applied trust control modes
  • Select a set of suitable trust control modes based on the control mode prediction results
• Adaptive trust control model adjustment
  • Adjust the influence factors of the trust control model in order to make it reflect the real system situation or context
Trust Control Mode Prediction and Selection
• The control modes are predicted by evaluating all possible modes and their compositions based on the adaptive trust control model
• The prediction algorithm, for each candidate mode set $S_k$ ($k = 1, \ldots, K$): while $T_k \neq T_k^{old}$, do
$$V_{C_j,k} = f\left(T_k,\; B_{C_j,k},\; V_{C_j,k}^{old}\right)$$
$$V_{QA_i,k} = f\left(\sum_{j=1}^{m} cw_{ij} V_{C_j,k} B_{C_j,k},\; V_{QA_i,k}^{old}\right)$$
$$T_k = f\left(\sum_{i=1}^{n} w_i V_{QA_i,k},\; T_k^{old}\right)$$
• The control modes are selected based on the control mode prediction results
• The selection algorithm
  • Calculate the selection threshold $tr = \frac{1}{K}\sum_{k=1}^{K} T_k$;
  • Compare $V_{QA_i,k}$ and $T_k$ of $S_k$ to $tr$: set the selection factor $SF_{S_k} = 1$ if $V_{QA_i,k} \ge tr$ and $T_k \ge tr$; set $SF_{S_k} = -1$ if $V_{QA_i,k} < tr$ or $T_k < tr$;
  • For $SF_{S_k} = 1$, calculate the distance of $V_{QA_i,k}$ and $T_k$ to $tr$ as $d_k = \min\{V_{QA_i,k} - tr,\; T_k - tr\}$; for $SF_{S_k} = -1$, calculate the distance as $d_k = \max\{tr - V_{QA_i,k},\; tr - T_k\}$ only when $V_{QA_i,k} < tr$ and $T_k < tr$;
  • If some $S_k$ has $SF_{S_k} = 1$, select the best winner with the biggest $d_k$; else select the best loser with the smallest $d_k$.
Adaptive Trust Control Model Adjustment
• Subjective & dynamic support
• Context-aware trust model adjustment
  • The influencing factors of each control mode should be context-aware
  • The trust control model should be dynamically maintained and optimized in order to reflect the real system situation
  • Observation-based trust assessment serves as the feedback for adaptive model adjustment
• Two schemes
  • Equal adjustment scheme: each control mode has the same impact on the deviation between $V_{QA_i}^{monitor}$ and $V_{QA_i}^{predict}$
  • Unequal adjustment scheme: the control mode with the biggest absolute influencing factor always impacts more on the deviation between $V_{QA_i}^{monitor}$ and $V_{QA_i}^{predict}$
• The equal adjustment scheme: while $V_{QA_i}^{monitor} \neq V_{QA_i}^{predict}$, do
  • a) If $V_{QA_i}^{monitor} > V_{QA_i}^{predict}$, then for $j = 1, \ldots, m$ increase $cw_{ij}$ by one adjustment step, if the result stays within $[-1, 1]$; else, for $j = 1, \ldots, m$ decrease $cw_{ij}$ by one adjustment step, if the result stays within $[-1, 1]$
  • b) Run the control mode prediction function
• The unequal adjustment scheme: while $V_{QA_i}^{monitor} \neq V_{QA_i}^{predict}$, do
  • a) If $V_{QA_i}^{monitor} > V_{QA_i}^{predict}$, then for the $j$ with $\max_j |cw_{ij}|$ increase $cw_{ij}$ by one adjustment step, if the result stays within $[-1, 1]$; else decrease that $cw_{ij}$ by one adjustment step, if the result stays within $[-1, 1]$
  • b) Run the control mode prediction function
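The prediction and selection algorithm of slide 13 and both adjustment schemes of slide 14, run on the model equations of slide 8, as an added Python example (not the paper's code). The three quality attributes and three control modes, their weights and influence factors are constructed values; the logistic squashing function f, deriving V_Cj from T and B_Cj alone, and treating every non-winner as a loser are simplifications assumed here.

```python
import math
# Constructed example data (not from the paper): n = 3 quality attributes from the
# healthcare slide, m = 3 control modes (encryption, priority scheduling, redundancy).
W = [0.5, 0.3, 0.2]                  # w_i: importance of quality attribute i
CW = [[0.9, 0.0, 0.1],               # cw_ij: influence of control mode j on attribute i
      [-0.1, 0.8, 0.3],              # (encryption costs a little availability)
      [0.0, 0.3, 0.9]]
CANDIDATES = [(1, 0, 0), (1, 1, 0), (1, 1, 1), (0, 1, 1)]  # mode sets S_k as B_Cj flags

def f(x):
    # FCM squashing function; a logistic centred at 0.5 is an assumption (slides do not fix f)
    return 1.0 / (1.0 + math.exp(-4.0 * (x - 0.5)))

def predict(B, w=W, cw=CW, eps=1e-6, max_iter=100):
    """Slide-13 prediction for one mode set B: iterate V_C -> V_QA -> T until
    T_k stops changing. Returns (T_k, [V_QAi,k])."""
    n, m = len(w), len(B)
    v_c, t_old = [float(b) for b in B], -1.0
    for _ in range(max_iter):
        v_qa = [f(sum(cw[i][j] * v_c[j] * B[j] for j in range(m))) for i in range(n)]
        t = f(sum(w[i] * v_qa[i] for i in range(n)))
        v_c = [f(t) * B[j] for j in range(m)]          # V_Cj from T and B_Cj; mode off -> 0
        if abs(t - t_old) < eps:
            break
        t_old = t
    return t, v_qa

def select(candidates=CANDIDATES, **kw):
    """Slide-13 selection: tr = mean T_k; SF = 1 when T_k and all V_QAi,k reach tr, else -1.
    Returns (k, SF, d_k): the winner with the biggest margin, else the loser with the smallest shortfall."""
    preds = [predict(B, **kw) for B in candidates]
    tr = sum(t for t, _ in preds) / len(preds)
    winners, losers = [], []
    for k, (t, v_qa) in enumerate(preds):
        if t >= tr and all(v >= tr for v in v_qa):
            winners.append((k, 1, min([t - tr] + [v - tr for v in v_qa])))
        else:
            losers.append((k, -1, max([tr - t] + [tr - v for v in v_qa])))
    return max(winners, key=lambda x: x[2]) if winners else min(losers, key=lambda x: x[2])

def adjust(i, v_monitor, v_predict, cw=CW, step=0.05, unequal=False):
    """Slide-14 adjustment of row i of cw from monitored vs. predicted V_QAi: raise cw_ij when
    the system did better than predicted, else lower it; unequal scheme touches only max |cw_ij|."""
    delta = step if v_monitor > v_predict else -step
    cols = [max(range(len(cw[i])), key=lambda j: abs(cw[i][j]))] if unequal else range(len(cw[i]))
    for j in cols:
        if -1.0 <= cw[i][j] + delta <= 1.0:            # keep cw_ij inside [-1, 1]
            cw[i][j] = round(cw[i][j] + delta, 6)
    return cw[i]
```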
An application example: mobile healthcare
• System devices
  • A portable mobile device
    • a health sensor: monitors a user’s health status;
    • a healthcare client service: provides multiple ways to transfer health data to other devices and to receive health guidelines.
  • A healthcare centre
    • A healthcare consultant service: provides health guidelines to the user according to the reported health data, and informs a hospital service at a hospital server if necessary.
  • A hospital server
    • A hospital service
• Trust requirements
  • Each device’s and service’s trustworthiness
  • Trustworthy cooperation of all related devices and services
  • Satisfy the trust requirements of each other and of the user
  • Examples
    • Confidentiality: the healthcare client service provides a secure network connection and communication;
    • Availability: respond to the request from the health sensor within the expected time;
    • Reliability: perform reliably without any break in case of an urgent health information transmission.
• Example application scenario: the user’s health is monitored by the mobile device, which reports his/her health data to the healthcare centre in a secure and efficient way. In this case, the hospital service should be informed since the user’s health needs to be treated by the hospital immediately. Meanwhile, the consultant service also provides essential health guidelines to the user.
Autonomic trust management for a healthcare application
Discussion
• Two-level autonomic trust management
  • Autonomic trust management among different system devices (hard trust solution)
    • Apply the mechanism to sustain trust, and embed trust policies for remote trusted service collaboration
  • Autonomic trust management on pervasive services for their trustworthy collaboration (soft trust solution)
  • Both levels of autonomic trust management cooperate to ensure the trustworthiness of the entire pervasive system
• Standardized devices (supported by TCG compatible devices)
• Implementation of the RT module and the Autonomic Trust Management Framework
  • Designed and implemented inside a secure main chip in the mobile computing platform
  • The RT module functionalities and the ATMF functionalities can be implemented by a number of protected applications:
    • Small applications dedicated to performing security critical operations inside a secure environment
    • Strict size limitations; they resemble function libraries
    • Can access any resource in the secure environment
    • Communicate with normal applications in order to offer security services
    • New protected applications can be added to the system at any time; signature-based protection
  • Onboard Credential based implementation for the secure register of the RT module, the policy base, the experience base and the mechanism base
    • A flexible and light secure storage mechanism supported by the trusted computing platform
Conclusions and future work
• Presented our arguments for autonomic trust management in the pervasive system
• Proposed an autonomic trust management solution based on the trust sustaining mechanism and the adaptive trust control model
• Main contributions:
  • Support two levels of autonomic trust management: between devices as well as between services offered by the devices
  • Effectively avoid or reduce risk by stopping or restricting any potentially risky activities based on the trustor’s specification
• Demonstrated the effectiveness of our solution by applying it to an example pervasive system
• Discussed the advantages of and implementation strategies for the solution
• Future work: study the performance through a prototype implementation on the basis of a mobile trusted computing platform
Thank You!
Questions and Comments!