Trust Management for the World Wide Web - PowerPoint PPT Presentation

1
Trust Management for the World Wide Web
  • Yang-hua Chu
  • Supervisor
  • Jim Miller, MIT/W3C
  • Joan Feigenbaum, ATT Labs
  • Master of Engineering Thesis Presentation
  • April 28, 1997

2
Outline
  • Problem statement
  • Trust management
  • REFEREE trust management system
  • REFEREE reference implementation demo
  • Conclusion

3
Example: code signing
  • Away from shrink-wrapped model
  • Toward code distribution through network

4
Trust FAQ
  • Has X been tampered with during transmission? (integrity)
  • Does X contain a virus that will erase my HD? (security)
  • Does X secretly collect information without my
    knowledge? (privacy)
  • Will X run on my 386? (capability)
  • Is X fun to play? (content)
  • Who wrote X? (authentication)
  • Should I trust Y, who vouches for X? (delegation)

5
Current Technology
  • Sandbox (Java Virtual Machine)
  • Code Signing
  • Microsoft Authenticode (for ActiveX)
  • Proof Carrying Code

6
Current technology is not enough: why should I
trust those bits?
  • Digital Signature (RSA, DSA)
  • How many bits of signature are trustworthy?
  • What does the signature mean? (PICS)
  • How do I get the right public key to verify the
    signature?
  • Public Key Infrastructure (X.509, PGP, SDSI)
  • How do I get the CA's public key?
  • What is this certificate authorized to do?
  • Whom do I trust to vouch for X?
  • X = give me the public key of person Y, sign code,
    authenticate a document, make this assertion, etc.

7
Trust management
  • Decentralized Trust Management [BFL96]
  • Probes the question:
  • Does this requested action, supported by
    credentials, conform to my policy?
  • PolicyMaker
  • certificates are programs

8
Trust management in code signing
  • Requested action: download and run this code.
  • Security policy: download the code only if signed
    by two entities that MIT endorses, and both
    entities must state in the signature that X is
    safe according to MIT's code safety practice.
  • Security credentials: relevant PICS labels and
    certificates.

9
Other trust management applications in WWW
  • document authentication and integrity
  • access control
  • on-line negotiation
  • electronic commerce
  • privacy protection
  • intellectual property rights
  • more

10
REFEREE
  • Rule-controlled Environment For Evaluation of
    Rules and Everything Else
  • Joint effort by researchers from ATT Labs and
    W3C
  • Goal: create a general-purpose trust management
    system for Web applications

11
REFEREE design principle
  • A policy is a program
  • has a fixed language syntax and semantics
  • may call another policy
  • Policy controls everything
  • order of execution under policy control
  • credential fetching under policy control
  • departure from the PolicyMaker [BFL96] approach

12
REFEREE API
  • a sub-system embedded inside a Web application
  • can be in a browser, a proxy, or a server

[Diagram: Application → Dispatch → REFEREE]
  • Input API: request with arguments
  • Output API: answer with justification
13
REFEREE Primitive Data Types
  • tri-values
  • TRUE, FALSE, UNKNOWN
  • statements and statement-lists
  • each statement is an s-expression
  • a pair of (<context>, <content>), both are also
    s-expressions

    ( code-signing, ((virus-checked 1) (network-access 0) ) )
14
REFEREE Primitive Data Types (continued)
  • policy
  • a triplet (<policy-name>, <policy-description>,
    <language-name>)
  • (code-signing, ..., code-signing-language)
  • (code-signing, <Java-code>, Java)
  • interpreter
  • a pair (<language-name>, <interpreter>)
  • (code-signing-language, <Java-code>)

15
Bootstrapping REFEREE
  • The host application loads REFEREE's initial
    setting:
  • trust assertions
  • a database of policies
  • a database of interpreters
  • all bootstrapping information is unconditionally
    trusted

16
Invoking REFEREE
  • input: a requested action and additional arguments
  • REFEREE gets the corresponding policy for that
    action
  • REFEREE executes the policy with the additional
    arguments
  • output: a tri-value and a list of statements

17
REFEREE Demo
  • in English: I only execute code if PCWeek says
    OK according to MIT code safety practice.

    (invoke "load-label" STATEMENT-LIST URL
            "http://web.mit.edu/safety"
            ("http://labels.com/"))
    (invoke "check-hash" STATEMENT-LIST)
    (false-if-unknown
      (match (("check-hash" *)
              (* ((version "PICS-1.1")
                  (service "http://web.mit.edu/safety")
                  (by "mailto:rater@pcweek.com")
                  (ratings (RESTRICT > overall 8)))))
             STATEMENT-LIST))
18
Components of the REFEREE
[Diagram: the Calling Module talks to REFEREE through bootstrap and
invoke; inside REFEREE sit the Profiles-0.92 interpreter, Check-hash,
Label-loader and Fetcher modules; numbered arrows 1-6 show the call
sequence.]
19
Sample Query
  • application calls REFEREE:
  • (code-signing, http://foo/bar.class)
  • line 1 gets the PICS label from the label bureau
    http://label-bureau

    (PICS-1.1 "http://web.mit.edu/safety"
      labels by "mailto:rater@pcweek.com"
      md5 "7A2B1a2bA72BxyzyplehJQ"
      ratings (crash 2 overall 10 virus 0))
20
Sample Query (Continued)
  • line 2 authenticates the signature and checks
    the source integrity
  • line 3 checks the confidence level > 8
  • return TRUE (10 > 8)
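As an added illustration of slides 13 to 20 (not REFEREE's own code), the following Python models the code-signing query end to end: tri-values, a statement-list of (context, content) pairs, the load-label / check-hash / match steps of the demo policy, and false-if-unknown turning a missing label into a refusal. The label bureau, the code bytes and the md5 binding are constructed inline, and the Profiles-0.92 semantics are only mimicked.

```python
"""Model of the REFEREE code-signing query on slides 17-20 (added example,
not REFEREE code): the label bureau and code bytes are constructed here."""
import hashlib
from typing import NamedTuple

TRUE, FALSE, UNKNOWN = "TRUE", "FALSE", "UNKNOWN"   # REFEREE tri-values

class Statement(NamedTuple):      # a REFEREE statement: (<context>, <content>)
    context: str
    content: dict

# Constructed stand-ins: pretend bytes of http://foo/bar.class, and the
# PICS label from slide 19 with its md5 bound to exactly those bytes.
CODE = b"class Bar {}"
LABEL = {"version": "PICS-1.1", "service": "http://web.mit.edu/safety",
         "by": "mailto:rater@pcweek.com", "md5": hashlib.md5(CODE).hexdigest(),
         "ratings": {"crash": 2, "overall": 10, "virus": 0}}

def load_label(stmts, bureau):
    """Line 1: fetch labels from the bureau (here an in-memory list)."""
    return stmts + [Statement("load-label", lbl) for lbl in bureau]

def check_hash(stmts, code):
    """Line 2: re-assert only labels whose md5 matches the downloaded bytes."""
    digest = hashlib.md5(code).hexdigest()
    return stmts + [Statement("check-hash", s.content) for s in stmts
                    if s.context == "load-label" and s.content["md5"] == digest]

def match(stmts, service, rater, threshold):
    """Line 3: (RESTRICT > overall threshold) over hash-verified labels."""
    hits = [s for s in stmts if s.context == "check-hash"
            and s.content["service"] == service and s.content["by"] == rater]
    if not hits:
        return UNKNOWN            # no relevant evidence: neither TRUE nor FALSE
    ok = all(s.content["ratings"]["overall"] > threshold for s in hits)
    return TRUE if ok else FALSE

def false_if_unknown(value):
    """Local policy decides that no evidence means refuse, not 'maybe'."""
    return FALSE if value == UNKNOWN else value

def code_signing_policy(code, bureau):
    """Return (tri-value, justification), the shape of REFEREE's answer."""
    stmts = load_label([], bureau)
    stmts = check_hash(stmts, code)
    verdict = match(stmts, "http://web.mit.edu/safety",
                    "mailto:rater@pcweek.com", 8)
    return false_if_unknown(verdict), stmts
```

The justification list returned alongside the verdict is what the slides call the output statement-list: it records which label was loaded and which one survived the hash check.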

21
Recap of major REFEREE design principles
  • Local policy controls everything
  • Separate security policy specification from
    policy evaluation
  • policies are programs
  • Profiles-0.92 vs. PICS RULZ
  • Systematic, consistent, and modular management of
    trust

22
Conclusion: Now and Future
  • Trust management is an important component for
    Web applications
  • REFEREE is our initial attempt to tackle the
    problem in the context of the WWW and it provides
    insight for future research and development.

23
Take It With You!
  • Trust ≠ Cryptography

24
Reference
  • REFEREE Website
  • http://www.w3.org/pub/WWW/PICS/TrustMgt
  • link to the REFEREE demo
  • link to the [BFL96] paper
  • M. Blaze, J. Feigenbaum, J. Lacy, Decentralized
    Trust Management, in Proceedings of the 1996
    Symposium on Security and Privacy, pp. 164-173
  • Friday, 4/11, 4pm-5:30pm:
    trust management for Electronic Commerce