Source: UniTrento, re-trust.dit.unitn.it › files › 20090319Doc › Ceccato_Villafiorita-ReTrust… (slide transcript)
Slide 1
Possible directions for a follow-up of the project
Mariano Ceccato
Adolfo Villafiorita
Slide 2
Outline of the Talk
• Summary of some techniques
• Information about call 5
• Some scenarios
• Next steps
Slide 3
Remote software trusting
• Remote software authentication: assuring a server that an un-trusted host (client) is running a “healthy” version of a program (code integrity)
• Before delivering any service the server wants to know that the client is executing according to its expectations
[Figure: several un-trusted clients connected to one trusted server]
Slide 4
Attacker goal
• Goal: to tamper with the application code without being detected by the server
– Substantial program understanding effort by a human to understand the inner logic to attack
[Figure: client and server communicating over the network]
Slide 5
Barrier slicing
[Figure: un-trusted host and trusted host connected over the network]
Slide 6
Open problems in barrier slicing
• It does not exactly fit the reference architecture
• Distributed network of trust based on code splitting
• An attack is successful only if more than N hosts collude to mount it
[Figure: network of hosts H1–H8]
Slide 7
Orthogonal replacement
repeat
    CPi = RandomTransform(CP)
    CP = CPi
    (Ci, Si) = MoveCompToServer(CPi, C1, …, Ci-1)
until (Ci ⊥ C1) ∧ … ∧ (Ci ⊥ Ci-1)
[Figure: server (holding CP and CP0) and client, with variants CP0, CP1, CP2, CP3 exchanged over the network]
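The loop on this slide, as an added example that is not the project's code: a toy Python simulation in which RandomTransform, MoveCompToServer and the ⊥ test are assumed stand-ins (register renaming plus junk insertion, a fixed split on the sensitive variable, and "no shared instruction n-gram"). It goes slightly beyond the slide by running several rounds and checking each new client part against every earlier one.

```python
# Added example (not ReTrust's code): toy simulation of the slide's loop, with
# assumed stand-ins for RandomTransform, MoveCompToServer and the ⊥ test.
import random
import re

# Constructed sample client component CP: a balance check, as textual instructions.
CP = ["load r0, balance", "load r1, price", "sub r2, r0, r1",
      "jlt r2, deny", "store r2, balance", "ret ok"]
REGS = ["r0", "r1", "r2", "r3"]

def random_transform(cp, rng):
    """Permute register names and insert no-ops with random immediates."""
    new = REGS[:]
    rng.shuffle(new)
    ren = dict(zip(REGS, new))
    out = []
    for ins in cp:
        out.append(re.sub(r"\br[0-3]\b", lambda m: ren[m.group()], ins))
        if rng.random() < 0.5:  # junk that changes the instruction stream
            out.append(f"nop {rng.randint(0, 99)}")
    return out

def move_comp_to_server(cpi):
    """Assumed split: instructions touching the sensitive variable form Si, the rest Ci."""
    return ([i for i in cpi if "balance" not in i],
            [i for i in cpi if "balance" in i])

def orthogonal(a, b, n=2):
    """Ci ⊥ Cj taken as: no n consecutive instructions in common (syntactic only)."""
    grams = lambda c: {tuple(c[i:i + n]) for i in range(len(c) - n + 1)}
    return not (grams(a) & grams(b))

def next_replacement(cp, previous, rng, max_tries=1000):
    """One pass of the repeat/until: transform, split, retry until the new
    client part is orthogonal to every client part issued before it."""
    for _ in range(max_tries):
        cpi = random_transform(cp, rng)
        cp = cpi  # CP = CPi: the next transform builds on this variant
        ci, si = move_comp_to_server(cpi)
        if all(orthogonal(ci, c) for c in previous):
            return ci, si, cp
    raise RuntimeError("no orthogonal variant found")

def generate_rounds(k, seed=1):
    # k successive (Ci, Si) pairs, as the server would issue them over time
    rng, cp, clients, servers = random.Random(seed), CP, [], []
    for _ in range(k):
        ci, si, cp = next_replacement(cp, clients, rng)
        clients.append(ci); servers.append(si)
    return clients, servers
```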
Slide 8
Open problems in orthogonal replacement
• Extending the notion of code orthogonality to
– Internal data structures
– Network messages
• More robust check for orthogonality (e.g., semantic check?)
Slide 9 (no text extracted)
Slide 10
Open problems on continuous replacement
• Measuring the level of tamper-proofing
• Engineering how to generate new blocks
• Clarify how attackable, and how well protected, newly generated blocks are
Slide 11
Hardware assistance
[Figure: un-trusted host with card reader, trusted host, network, and a virtual secure channel]
Slide 12
Other approaches
• White Box Remote Procedure Execution
• Crypto guards
• TPM tick stamping
• White box cryptography
Slide 13
Information about the Call
• ICT Challenge 1, Call 5, Objective 1.4
• Pervasive and Trustworthy Network and Service Infrastructure
• Trustworthy ICT
Slide 14
Information about the Call
• Publication Date: ~ 31/07/2009
• Closure Date: 03/11/2009
• Budget: 80M (IP, STREP) + 10M (NoE, CSA)
• Budget allocation IP >= 40M; STREP >= 26M
• About 15-20 STREP projects (?)
• Event planned on the 18th of June 2009 in Brussels (“presentation of the call and opportunities to present ideas in two/three slides”)
Slide 15
Call Details
• Four main target outcomes:
– Trustworthy Network Infrastructure (IP)
– Trustworthy Service Infrastructure (IP)
– Technology and Tools for Trustworthy ICT (call for small or medium-scale focused research actions, STREP)
– Networking Coordination and Support (NoE and CSA)
Slide 16
• Technology and Tools for Trustworthy ICT
– In highly distributed networked process control systems and in networks of very high number of things. Understanding threat patterns for pro-active protection.
– For user-centric and privacy preserving identity management, including for management of risks and policy compliance verification.
– For management and assurance of security, integrity and availability, also at very long term, of data and knowledge in business processes and services.
– For assurance and assessment of the trustworthiness of complex and continuously evolving software systems and services.
– In enabling technologies for trustworthy ICT. This includes cryptography, biometrics; trustworthy communication; virtualisation; and certification methodologies.
Slide 17
• For all projects:
– Improved European industrial competitiveness in markets of trustworthy ICT, by: facilitating economic conditions for wide take-up of results; offering clear business opportunities and consumer choice in usable innovative technologies; and increased awareness of the potential and relevance of trustworthy ICT.
– Adequate support to users to make informed decisions on the trustworthiness of ICT. Increased trust in the use of ICT by EU citizens and businesses. Increased societal acceptance of ICT through understanding of legal and societal consequences.
Slide 18
Application scenarios: gaming
• Prevent players from cheating and gaining unfair advantages
• A lot of software development in this field
• Maybe not strategic for EU
Slide 19
Application scenarios: Web 2.0
• Rich web applications are more and more common (e.g. Google office)
• Code is most of the time in the clear (JavaScript/Ajax)
• Vulnerable to phishing, spyware, …
Slide 20
Application scenarios: cloud computing
• A computation intensive problem (e.g. genomics) is delivered, no idea what host will run it
• Business model: pay-per-computation
• Problem: ensuring that the result is the correct one
Slide 21
Application scenarios: pay-per-use licenses
• Instead of buying software forever, pay for it only when you need it
– Developing countries
– Small companies that require very expensive tools
• Problem: enforcing that the software is executed no more times (or no longer) than allowed
Slide 22
Application scenarios: e-voting
Slide 23
eVoting
• DRE with VVPAT
• External signaling system
• Smart-card for operating the machine
• Java + (Custom) Linux
• Voting application of about 11K SLOC
• Core logic formally verified
• Machine life-cycle
Slide 24
Formal Procedural Security Analysis
• eVoting: a lot more than just the machine:
– digital and physical assets
– asset mobility and evolution change the risks associated with breaches
– security depends upon procedures performed by various actors over which there is limited or no control
• Approach: methodology and analysis to verify critical procedures
Slide 25
The Methodology
• Based on the concept of threat-injection: capabilities attackers have in “modifying” behaviors
• Works well for both errors and malicious attacks
• Based on formal verification
• Complexity is an issue
Slide 26
Voting and Remote Entrusting
• In Internet Voting: obvious!
• Even in the scenario depicted above:
– Trusting the machines: the OS is as critical as the software and is left in a potentially non-controlled environment (mutual entrusting / remote entrusting)
– Trusting the server: when tabulated data is sent for polling stations to
Slide 27
Proposal
• Driven by the application scenario(s)
• Centered on the development of a tool (or procedures) to make remote entrusting applicable
• It includes activities related to consolidating the theoretical framework and, possibly, experiments to validate it
Slide 28
Next Steps
• Consolidate idea and consortium
• Prepare for the June event with a clear vision
• Consolidate technical idea, plan and budget before the Summer
• Finalize (and possibly adjust) work after release of official proposal
Slide 29
Next Steps
Questions?
Considerations?!
Call for contribution!