Security Privacy - Silver Linings in the Cloud: 25th IFIP TC 11 International Information Security Conference, SEC 2010, Held as Part of WCC 2010, Brisbane, ... in Information and Communication Technology)

IFIP Advances in Information and Communication Technology

330

Editor-in-Chief A. Joe Turner, Seneca, SC, USA

Editorial Board Foundations of Computer Science Mike Hinchey, Lero, Limerick, Ireland Software: Theory and Practice Bertrand Meyer, ETH Zurich, Switzerland Education Bernard Cornu, CNED-EIFAD, Poitiers, France Information Technology Applications Ronald Waxman, EDA Standards Consulting, Beachwood, OH, USA Communication Systems Guy Leduc, Université de Liège, Belgium System Modeling and Optimization Jacques Henry, Université de Bordeaux, France Information Systems Barbara Pernici, Politecnico di Milano, Italy Relationship between Computers and Society Chrisanthi Avgerou, London School of Economics, UK Computer Systems Technology Paolo Prinetto, Politecnico di Torino, Italy Security and Privacy Protection in Information Processing Systems Kai Rannenberg, Goethe University Frankfurt, Germany Artificial Intelligence Max A. Bramer, University of Portsmouth, UK Human-Computer Interaction Annelise Mark Pejtersen, Center of Cognitive Systems Engineering, Denmark Entertainment Computing Ryohei Nakatsu, National University of Singapore

IFIP – The International Federation for Information Processing IFIP was founded in 1960 under the auspices of UNESCO, following the First World Computer Congress held in Paris the previous year. An umbrella organization for societies working in information processing, IFIP’s aim is two-fold: to support information processing within its member countries and to encourage technology transfer to developing nations. As its mission statement clearly states, IFIP’s mission is to be the leading, truly international, apolitical organization which encourages and assists in the development, exploitation and application of information technology for the benefit of all people. IFIP is a non-profitmaking organization, run almost solely by 2500 volunteers. It operates through a number of technical committees, which organize events and publications. IFIP’s events range from an international congress to local seminars, but the most important are: • The IFIP World Computer Congress, held every second year; • Open conferences; • Working conferences. The flagship event is the IFIP World Computer Congress, at which both invited and contributed papers are presented. Contributed papers are rigorously refereed and the rejection rate is high. As with the Congress, participation in the open conferences is open to all and papers may be invited or submitted. Again, submitted papers are stringently refereed. The working conferences are structured differently. They are usually run by a working group and attendance is small and by invitation only. Their purpose is to create an atmosphere conducive to innovation and development. Refereeing is less rigorous and papers are subjected to extensive group discussion. Publications arising from IFIP events vary. The papers presented at the IFIP World Computer Congress and at open conferences are published as conference proceedings, while the results of the working conferences are often published as collections of selected and edited papers. Any national society whose primary activity is in information may apply to become a full member of IFIP, although full membership is restricted to one society per country. Full members are entitled to vote at the annual General Assembly, National societies preferring a less committed involvement may apply for associate or corresponding membership. Associate members enjoy the same benefits as full members, but without voting rights. Corresponding members are not represented in IFIP bodies. Affiliated membership is open to non-national societies, and individual and honorary membership schemes are also offered.

Kai Rannenberg Vijay Varadharajan Christian Weber (Eds.)

Security and Privacy – Silver Linings in the Cloud 25th IFIP TC 11 International Information Security Conference, SEC 2010 Held as Part of WCC 2010 Brisbane, Australia, September 20-23, 2010 Proceedings

13

Volume Editors Kai Rannenberg Johann Wolfgang Goethe University Frankfurt T-Mobile Chair of Mobile Business and Multilateral Security Grüneburgplatz 1, 60629 Frankfurt, Germany E-mail: [email protected] Vijay Varadharajan Macquarie University, Faculty of Science, Department of Computing Science and Technology Building, E6A, Sydney 2109, Australia E-mail: [email protected] Christian Weber Johann Wolfgang Goethe University Frankfurt T-Mobile Chair of Mobile Business and Multilateral Security Grüneburgplatz 1, 60629 Frankfurt, Germany E-mail: [email protected]

Library of Congress Control Number: 2010932410 CR Subject Classification (1998): C.2, K.6.5, D.4.6, E.3, H.4, J.1 ISSN ISBN-10 ISBN-13

1868-4238 3-642-15256-2 Springer Berlin Heidelberg New York 978-3-642-15256-6 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law. springer.com © International Federation for Information Processing 2010 Printed in Germany Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acid-free paper 06/3180

IFIP World Computer Congress 2010 (WCC 2010) Message from the Chairs Every two years, the International Federation for Information Processing (IFIP) hosts a major event which showcases the scientific endeavors of its over one hundred technical committees and working groups. On the occasion of IFIP’s 50th anniversary, 2010 saw the 21st IFIP World Computer Congress (WCC 2010) take place in Australia for the third time, at the Brisbane Convention and Exhibition Centre, Brisbane, Queensland, September 20–23, 2010. The congress was hosted by the Australian Computer Society, ACS. It was run as a federation of co-located conferences offered by the different IFIP technical committees, working groups and special interest groups, under the coordination of the International Program Committee. The event was larger than ever before, consisting of 17 parallel conferences, focusing on topics ranging from artificial intelligence to entertainment computing, human choice and computers, security, networks of the future and theoretical computer science. The conference History of Computing was a valuable contribution to IFIPs 50th anniversary, as it specifically addressed IT developments during those years. The conference e-Health was organized jointly with the International Medical Informatics Association (IMIA), which evolved from IFIP Technical Committee TC-4 “Medical Informatics”. Some of these were established conferences that run at regular intervals, e.g., annually, and some represented new, groundbreaking areas of computing. Each conference had a call for papers, an International Program Committee of experts and a thorough peer reviewing process of full papers. The congress received 642 papers for the 17 conferences, and selected 319 from those, representing an acceptance rate of 49.69% (averaged over all conferences). To support interoperation between events, conferences were grouped into 8 areas: Deliver IT, Govern IT, Learn IT, Play IT, Sustain IT, Treat IT, Trust IT, and Value IT. This volume is one of 13 volumes associated with the 17 scientific conferences. Each volume covers a specific topic and separately or together they form a valuable record of the state of computing research in the world in 2010. Each volume was prepared for publication in the Springer IFIP Advances in Information and Communication Technology series by the conference’s volume editors. The overall Publications Chair for all volumes published for this congress is Mike Hinchey. For full details of the World Computer Congress, please refer to the webpage at http://www.ifip.org. June 2010

Augusto Casaca, Portugal, Chair, International Program Committee Phillip Nyssen, Australia, Co-chair, International Program Committee Nick Tate, Australia, Chair, Organizing Committee Mike Hinchey, Ireland, Publications Chair Klaus Brunnstein, Germany, General Congress Chair

Preface

These proceedings contain the papers of IFIP/SEC 2010. It was a special honour and privilege to chair the Program Committee and prepare the proceedings for this conference, which is the 25th in a series of well-established international conferences on security and privacy organized annually by Technical Committee 11 (TC-11) of IFIP. Moreover, in 2010 it is part of the IFIP World Computer Congress 2010 celebrating both the Golden Jubilee of IFIP (founded in 1960) and the Silver Jubilee of the SEC conference in the exciting city of Brisbane, Australia, during September 20–23. The call for papers went out with the challenging motto of “Security & Privacy − Silver Linings in the Cloud” building a bridge between the long standing issues of security and privacy and the most recent developments in information and communication technology. It attracted 102 submissions. All of them were evaluated on the basis of their significance, novelty, and technical quality by at least five member of the Program Committee. The Program Committee meeting was held electronically over a period of a week. Of the papers submitted, 25 were selected for presentation at the conference; the acceptance rate was therefore as low as 24.5% making SEC 2010 a highly competitive forum. One of those 25 submissions could unfortunately not be included in the proceedings, as none of its authors registered in time to present the paper at the conference. In addition to sessions on important and timely subjects such as Security Management, Security Governance, Privacy, Network Security, Authentication, Intrusion Detection, Trust Management, Models, Software Security, Assurance, and Access Control SEC 2010 features a panel “Research Methodologies in Information Security Research: The Road Ahead”, whose introduction is also included in these proceedings. SEC 2010 would not have been possible without the commitment of many people around the globe volunteering their competence and time. We would therefore like to express our sincere thanks to the members of the Program Committee (and especially to those who carried out shepherding tasks in a very competitive process), to the additional reviewers and last but not least to the authors who entrusted us with their works. Many thanks also go to all conference attendees, who are honouring the work of the authors and presenters. Special thanks go to our distinguished keynote speaker Sebastiaan H. “Basie” von Solms, Academy for Information Technology, University of Johannesburg, South Africa, who is to receive the Kristian Beckman Award of IFIP TC-11 to honour his never tiring work towards broadening the meaning of Information Security in various aspects, e.g., by adding management aspects to the academic perception of information security and by creating the field of Security Governance. It is also to honour his work as Chair of TC-11, when he strongly demonstrated the importance of information security within IFIP and the entire field of information processing, and his various achievements in the area of IT Security Education on all levels.

VIII

Preface

We would also like to thank Nick Tate, Chair of the International Organising Committee and Deputy Chair of the IFIP International Program Committee, as well as Mike Hinchey, WCC 2010 Publications Chair, for their great support. These thanks include Klaus Brunnstein, General Chair of WCC 2010, and Augusto Casaca, Chair of the IFIP International Program Committee, but we especially thank Klaus and Augusto for entrusting us with the Chairship of SEC 2010. These proceedings are dedicated to Mats Ohlin (Sweden), Member of the SEC 2010 Program Committee, who sadly passed away during the preparation of this conference. His wise comments and contributions have helped many TC-11 events and include inspiration for the development of SEC 2010’s motto. Mats will be greatly missed.

June 2010

Kai Rannenberg, Co-chair PC, Goethe University Frankfurt, Germany Vijay Varadharajan, Co-chair PC, Macquarie University Sydney, Australia Christian Weber, Publication Chair, Goethe University Frankfurt, Germany

Organization

Program Committee Chairs Kai Rannenberg Vijay Varadharajan

Goethe University Frankfurt, Germany Macquarie University, Australia

Publication Chair Christian Weber

Goethe University Frankfurt, Germany

Program Committee Members Alessandro Aldini Colin Armstrong Vijay Atluri Tuomas Aura Miguel Bañón Richard Baskerville Josh Benaloh Christoph Benzmüller Joachim Biskup Reinhardt Botha Laurent Bussard Jan Camenisch Kim Cameron Liqun Chen Mihai Christodorescu Roger Clarke Richard Clayton Cas Cremers Malcolm Crompton Nora Cuppens-Boulahia Ed Dawson Sabrina De Capitani di Vimercati

University of Urbino, Italy Curtin University, Australia Rutgers University, USA Microsoft Research, UK Epoche & Espri, Spain Georgia State University, USA Microsoft Research, USA Articulate Software, CA, USA T.U. Dortmund, Germany NMMU, South Africa Microsoft EMIC, Germany IBM Research, Switzerland Microsoft, France Hewlett-Packard Labs, UK IBM T.J. Watson Research Center, USA Xamax Consultancy Pty Ltd, Australia University of Cambridge, UK ETH Zurich, Switzerland Information Integrity Solutions Pty Ltd, Australia TELECOM Bretagne, France QUT, Australia Università degli Studi di Milano, Italy

X

Organization

Bart de Decker Marijke de Soete Yves Deswarte Gurpreet Dhillon Theo Dimitrakos Ronald Dodge Jan Eloff Alberto Escudero-Pascual Hannes Federrath Stefan Fischer Simone Fischer-Hübner Ulrich Flegel Simon Foley Felix Freiling Andreas Fuchsberger Walter Fumy Steven Furnell Mark Gasson Virgil Gligor Dieter Gollmann Rüdiger Grimm Dimitris Gritzalis Marit Hansen Hans Hedbom Maritta Heisel Udo Helmbrecht Peter Herrmann Alejandro Hevia Marko Hoelbl Jaap-Henk Hoepman Edward Humphreys Jakob Illeborg Pagter Cynthia Irvine Sushil Jajodia Lech Janczewski

K.U. Leuven, Belgium Security4Biz, Belgium LAAS-CNRS, France Virginia Commonwealth University, USA BT Innovate & Design, UK U.S. Military Academy, USA University of Pretoria & SAP, South Africa it46.se, Sweden University of Regensburg, Germany University of Lübeck, Germany Karlstad University, Sweden SAP AG, Germany University College Cork, Ireland University of Mannheim, Germany Microsoft Corp, Germany Bundesdruckerei GmbH, Germany University of Plymouth, UK University of Reading, UK Carnegie Mellon University, USA Hamburg University of Technology, Germany University of Koblenz, Germany Athens University of Economics and Business, Greece Independent Centre for Privacy Protection Schleswig-Holstein, Germany Karlstad Universitet, Sweden University of Duisburg-Essen, Germany ENISA, Greece NTNU, Norway Universidad de Chile, Chile University of Maribor, Slovenia TNO and Radboud University Nijmegen, The Netherlands XISEC, UK Alexandra Instituttet, Denmark Naval Postgraduate School, USA George Mason University, USA University of Auckland, New Zealand

Organization

David-Olivier Jaquet-Chiffelle Willem Jonker Audun Jøsang Meng-Chow Kang Sokratis Katsikas Dogan Kesdogan Hiroaki Kikuchi Valentin Kisimov Svein Knapskog Klaus-Peter Kossakowski Ulrich Kühn Klaus Kursawe Brian LaMacchia Carl Landwehr Pil Joong Lee Ronald Leenes Herbert Leitold Albert Levi Timothy Levin Kerry Long Javier Lopez Volkmar Lotz Norbert Luttenberger Pedro Manuel Barbosa Veiga Michael Marhöfer Stephen Marsh Fabio Martinelli Vaclav Matyas Sjouke Mauw Carlos Maziero Catherine Meadows Martin Meints Natalia G. Miloslavskaya Chris Mitchell Refik Molva

Bern University of Applied Sciences and University of Lausanne, Switzerland Philips Research and Twente University, The Netherlands University of Oslo, Norway ISO/IEC JTC 1/SC 27/WG 4 University of Piraeus, Greece University of Siegen, Germany Tokai University, Japan University for World and National Economics, Bulgaria NTNU/Q2S, Norway PRESECURE Consulting GmbH, Germany DZ BANK AG, Germany Philips Research, The Netherlands Microsoft Research, USA University of Maryland, USA POSTECH, South Korea Tilburg University, The Netherlands A-SIT, Austria Sabanci University, Turkey Naval Postgraduate School, USA US Army Research Laboratory, USA University of Malaga, Spain SAP Research, France Kiel University, Germany Universidade de Lisboa, Portugal Nokia Siemens Networks, Germany Communications Research Centre, Canada National Research Council, Italy Masaryk University Brno, Czech Republic University of Luxembourg, Luxembourg PUCPR, Brazil Naval Research Laboratory, USA Dataport, Germany National Research Nuclear University MEPhI, Russia Royal Holloway, University of London, UK EURECOM, France

XI

XII

Organization

Günter Müller Yuko Murayama Mats Ohlin († in memoriam) Eiji Okamoto Rolf Oppliger Charles Palmer Aljosa Pasic Philippos Peleties Günther Pernul Gilbert Peterson Milan Petkovic Andreas Pfitzmann Ulrich Pinsdorf Hartmut Pohl Mark Pollitt Reinhard Posch Joachim Posegga Bart Preneel Geraint Price Christian Probst Sihan Qing Martin Reichenbach Carlos Rieder Michel Riguidel Yves Roudier Pierangela Samarati Amardeo Sarma Ryoichi Sasaki Damien Sauveron Ingrid Schaumüller-Bichl Annikken Bonnevie Seip Sujeet Shenoi Einar Snekkenes Rossouw von Solms

Freiburg University, Germany Iwate Prefectural University, Japan FMV, Sweden University of Tsukuba, Japan eSECURITY Technologies, Switzerland IBM Research; Dartmouth College, USA ATOS Origin, Spain USB BANK PLC, Cyprus University of Regensburg, Germany Air Force Institute of Technology, USA Philips Research / Eindhoven University of Technology, The Netherlands Dresden University of Technology, Germany Microsoft EMIC, Germany University of Applied Sciences Bonn-Rhein-Sieg, Germany University of Central Florida, USA TU Graz, Austria University of Passau, Germany K. U. Leuven, Belgium Royal Holloway, University of London, UK Technical University of Denmark, Denmark Chinese Academy of Sciences, China Commerzbank, Germany Lucerne University of Applied Sciences and Arts, Switzerland ENST, France EURECOM, France Università degli Studi di Milano, Italy NEC Laboratories Europe, Germany Dendai University, Japan University of Limoges, France Upper Austria University of Applied Sciences, Austria Finanstilsynet - The Financial Supervisory Authority of Norway, Norway University of Tulsa, USA Gjøvik University College, Norway NMMU, South Africa

Organization

Hans von Sommerfeld Frank Stajano Sandra Steinbrecher Rama Subramaniam Morton Swimmer Paul Syverson Kazuo Takaragi Stephanie Teufel Markus Ullmann

Rohde & Schwarz SIT GmbH, Germany University of Cambridge, UK Dresden University of Technology, Germany Valiant Technologies, India Trend Micro, USA Naval Research Laboratory, USA Hitachi, Japan University of Fribourg, Switzerland BSI & University of Applied Sciences Bonn-Rhein-Sieg, Germany Helsinki University of Technology, Finland Intel, UK VaF, Slovakia IBM, USA Department of Internal Affairs, New Zealand INFODAS GmbH, Germany Sensaco, Switzerland KPMG AG Wirtschaftspruefungsgesellschaft, Germany University of Maribor, Slovenia University of Applied Sciences Dresden, Germany National Institute of Informatics, Japan Royal Holloway, University of London, UK I2R, Singapore Munich University of Applied Sciences, Germany

Teemupekka Virtanen Claire Vishik Jozef Vyskoc Michael Waidner Colin Wallis Gerhard Weck Nathalie Weiler Stefan Weiss Tatjana Welzer Andreas Westfeld Sven Wohlgemuth Stephen Wolthusen Jianying Zhou Alf Zugenmaier

Chair International Organizing Committee Chair Nick Tate

Queensland University of Technology and Australian Research Collaboration Service (ARCS), Australia

Additional Reviewers Farid Ahmed Jonathan Anderson Muhammad Asim Ulrich Bayer

XIII

Markus Karwe Woo Chun Kim Yeonkyu Kim Matthias Kirchner

XIV

Organization

Claudia Becker Jens-Matthias Bohli Mohamed Bourimi Bastian Braun Ralph Breithaupt Timm Busshaus Sebastian Clauss Janus DamNielsen Van Hai Dang Danny DeCock Aubrey Derrick-Schmidt Claudia Diaz Jaromir Dobias Stelios Dritsas Stefan Dürbeck Manuel Egele Markus Engelberth Sungwook Eom Pooya Farshim William Fitzgerald Ludwig Fuchs Daniel Gille Jan Göbel Christian Gorecki Sebastiaan Indesteege Thomas Jakobsen Aaron Johnson

Jan Kolter Stefan Köpsell Jiri Kur Martin Mink Vinh Pham Jason Reid Konrad Rieck Peter Rothenpieler Winfried Schoech Bernhard Sick Koen Simoens Yannis Soupionis Mark Stegelmann Andriy Stetsko Ben Stock Petr Svenda Wen TaoZhu Marianthi Theoharidou Philipp Trinius Carmela Troncoso Bill Tsoumas Pavel Tucek Li Weng Benedikt Westermann Christian Wieschebrink Ge Zhang

Table of Contents

Kristian Beckman Award Awardee Keynote The 5 Waves of Information Security – From Kristian Beckman to the Present . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S.H. (Basie) von Solms

1

Security Management A Business Continuity Management Simulator . . . . . . . . . . . . . . . . . . . . . . . William J. Caelli, Lam-For Kwok, and Dennis Longley

9

Mining Business-Relevant RBAC States through Decomposition . . . . . . . Alessandro Colantonio, Roberto Di Pietro, Alberto Ocello, and Nino Vincenzo Verde

19

Group Dynamics in a Security Risk Management Team Context: A Teaching Case Study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Rostyslav Barabanov and Stewart Kowalski

31

Security Management & Governance Using Actor Network Theory to Understand Information Security Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Karin Hedstr¨ om, Gurpreet Dhillon, and Fredrik Karlsson

43

Information Security Governance: When Compliance Becomes More Important than Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Terence C.C. Tan, Anthonie B. Ruighaver, and Atif Ahmad

55

Network Security & Authentication Understanding Domain Registration Abuses . . . . . . . . . . . . . . . . . . . . . . . . . Scott E. Coull, Andrew M. White, Ting-Fang Yen, Fabian Monrose, and Michael K. Reiter

68

Who on Earth Is “Mr. Cypher”: Automated Friend Injection Attacks on Social Networking Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Markus Huber, Martin Mulazzani, and Edgar Weippl

80

Authentic Refinement of Semantically Enhanced Policies in Pervasive Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Julian Sch¨ utte, Nicolai Kuntze, Andreas Fuchs, and Atta Badii

90

XVI

Table of Contents

Qualified Mobile Server Signature . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Clemens Orthacker, Martin Centner, and Christian Kittl

103

Intrusion Detection, Trust Management, and Models Fraud Detection in ERP Systems Using Scenario Matching . . . . . . . . . . . . Asadul Khandoker Islam, Malcom Corney, George Mohay, Andrew Clark, Shane Bracher, Tobias Raub, and Ulrich Flegel

112

Use of IP Addresses for High Rate Flooding Attack Detection . . . . . . . . . Ejaz Ahmed, George Mohay, Alan Tickle, and Sajal Bhatia

124

Augmenting Reputation-Based Trust Metrics with Rumor-Like Dissemination of Reputation Information . . . . . . . . . . . . . . . . . . . . . . . . . . . Sascha Hauke, Martin Pyka, Markus Borschbach, and Dominik Heider Ex-SDF: An Extended Service Dependency Framework for Intrusion Impact Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Nizar Kheir, Nora Cuppens-Boulahia, Fr´ed´eric Cuppens, and Herv´e Debar

136

148

Software Security and Assurance A Dynamic and Ubiquitous Smart Card Security Assurance and Validation Mechanism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Raja Naeem Akram, Konstantinos Markantonakis, and Keith Mayes On-the-fly Inlining of Dynamic Security Monitors . . . . . . . . . . . . . . . . . . . . Jonas Magazinius, Alejandro Russo, and Andrei Sabelfeld

161 173

A Metric-Based Scheme for Evaluating Tamper Resistant Software Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Gideon Myles and Hongxia Jin

187

Evaluation of the Offensive Approach in Information Security Education . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Martin Mink and Rainer Greifeneder

203

Panel Research Methodologies in Information Security Research: The Road Ahead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Johan F. van Niekerk and Rossouw von Solms

215

Table of Contents

XVII

Access Control and Privacy Purpose-Based Access Control Policies and Conflicting Analysis . . . . . . . Hua Wang, Lili Sun, and Vijay Varadharajan

217

Delegation in Predicate Encryption Supporting Disjunctive Queries . . . . Dongdong Sun, Colin Boyd, and Juan Manuel Gonz´ alez Nieto

229

Tagging Disclosures of Personal Data to Third Parties to Preserve Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Sven Wohlgemuth, Isao Echizen, Noboru Sonehara, and G¨ unter M¨ uller k-Shares: A Privacy Preserving Reputation Protocol for Decentralized Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Omar Hasan, Lionel Brunie, and Elisa Bertino

241

253

Privacy Towards Fair Indictment for Data Collection with Self-Enforcing Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Mark Stegelmann

265

How to Enhance Privacy and Identity Management for Mobile Communities: Approach and User Driven Concepts of the PICOS Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Christian Kahl, Katja B¨ ottcher, Markus Tschersich, Stephan Heim, and Kai Rannenberg

277

Performance Analysis of Accumulator-Based Revocation Mechanisms . . . Jorn Lapon, Markulf Kohlweiss, Bart De Decker, and Vincent Naessens

289

Appendix IFIP Technical Committee 11 Security and Privacy Protection in Information Processing Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Kai Rannenberg, S.H. (Basie) von Solms, and Leon Strous

302

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

311

The 5 Waves of Information Security – From Kristian Beckman to the Present S.H. (Basie) von Solms Academy for Information Technology, University of Johannesburg, South Africa [email protected]

Abstract. This paper gives an overview of the development of Information Security from the early 1980s up to the present time. The paper makes use of two papers by the author, Information Security – the Third Wave (von Solms, 2000) and Information Security – the Fourth Wave (von Solms, 2006), as well as a paper in preparation, Information Security – The Fifth Wave (von Solms, 2010). In the paper in 2000, the First Wave of Information Security was defined as lasting up to the early 1980s. In May 1983 the First International Conference on Information Security (IFIP/Sec 83) took place in Sweden, and was organized by Kristian Beckman. Kristian Beckman was subsequently elected as the first Chairperson of the newly created Technical Committee 11 of IFIP. He died in 1984. Kristian Beckman can therefore be seen to have lived during the First Wave of Information Security, which provides the motivation for the sub title of this paper. Keywords: Information Security, Kristian Beckman.

1 Introduction This paper discusses the development of Information Security in terms of 5 Waves. The First Wave was up to the early 1980s, and is called the Technical Wave. The second Wave was from the early 1980s up to the middle 1990s, and is called the Management Wave. The Third Wave was from the middle 1990s up to about 2005, and is called the Institutional Wave. These 3 Waves are defined and discussed in von Solms (2000). The Fourth Wave started about 2005 and is called the Information Security Governance Wave. This Wave is discussed in von Solms (2006). The Fifth Wave, which is called the Cyber Security Wave, started in about 2006, and is discussed in von Solms (2010). Of course, it must be understood that these 5 Waves are not ‘blocks’ which started and then ended at a specific point in time – rather they represent new developments which started in a certain period and placed new emphasis on aspects related to Information Security during the last 30 to 40 years, and should therefore be seen as existing in parallel with each other. This paper will discuss each of these Waves, some in more detail than others, and will then try to draw some conclusions about the future of Information Security. K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 1–8, 2010. © IFIP International Federation for Information Processing 2010

2

S.H. von Solms

Paragraphs 2 to 5 will review the first 4 Waves, which will use von Solms (2000 and 2006) as references, with Paragraph 6 briefly evaluating these first 4 Waves, Paragraph 7 will introduce the Fifth Wave, based on von Solms (2010) - a paper in preparation. Paragraph 8 to 10 will provide some discussion about the future, specifically addressing to the concept of professionalism in Information Security, with a short summary in Paragraph 11.

2 The First Wave - Technical The First Wave of Information Security was basically totally dedicated to the mainframe environment, with dumb terminals and totally centralized processing. Information Security was limited to simple forms of Identification and Authentication for logging onto the mainframe system, and maybe some crude form of Authorization or Logical Access Control. Most of these functions were handled by the mainframe operating system, which was basically only understood by the technical people, and handled by them. Aspects like policies, procedures awareness etc were not high on the agenda. As stated above, the realization that the First Wave was not sufficient as far as Information Security is concerned started dawning in the early 1980s. This realization clearly also dawned on Kristian Beckman, which prompted him to organize the First International Conference on Information Security (IFIP/Sec 83), and to suggest to IFIP (www.ifip.org), then 23 years old, to establish a Technical Committee on Information Security related aspects. As he died in 1984, Kristian Beckman can therefore be seen as living during the First Wave, but with the vision to realize that much more is, and will be needed.

3 The Second Wave – Management The development of distributed computing, and maybe specifically the personal computer, demanded a lot of other inputs into the Information Security field. The fact that information was not stored on one central well protected computer, but distributed to lots of desk top computers connected by networks, created serious security risks which had to be addressed. Information Security became a matter which got the attention of Management, and Information Security Managers were appointed. They started creating Information Security Policies and procedures, and organizational structures were created to house Information Security departments. Reporting about the status of Information Security in the company also became a challenge. These developments of course improved Information Security in general, and emphasized the important aspect that Information Security has a very strong Management Dimension which must be leveraged fully to create a secure environment. Because of these developments during the Second Wave, companies started investigating aspects related to best practices and standardization in Information

The 5 Waves of Information Security – From Kristian Beckman to the Present

3

Security. Many companies wanted to know what the basic aspects of a good Information Security plan are. Questions asked included: ─ How do we compare security wise to our competitors? ─ What should be in an Information Security Policy? ─ How could they get some form of formal certification for the Information Security status of the company? Furthermore, the role of the employee as an end user of the system came under the spotlight, and the importance of the Human Dimension was accepted. This lead to the Third Wave, called the Institutionalization Wave, which became apparent from about the middle 1990s.

4 The Third Wave – Institutionalization As stated above, the fact that Information Security had a lot more dimensions than just a Technical Dimension, and that Information Security is crucial to the health and strategic future of a company, lead to new efforts to institutionalize Information Security is a company – i.e. to make it part of the culture and way of thinking in a company. One driver at this point was the idea of international best practices for Information Security, and the arrival of BS 7799 Parts 1 and 2. Part 1 was the first really widely accepted document specifying what aspects related to Information Security should be addressed as a sort of baseline. Part 2 provided the platform to get some international certification against Part 1. Another driver was the growing emphasis on Information Security Awareness, and the risk that ignorant employees can compromise Information Security measures. Extensive Awareness courses were developed, and employees were drilled to make Information Security part of their, and the company’s culture. During this stage, companies also started to create techniques to measure the status and level of their Information Security compliance, and to report such status to top Management. During the beginning of the present decade, the importance of good Corporate Governance, and the role that Information Security plays in good Corporate Governance became big news. Furthermore legal and regulatory requirements and the consequences of negligence related to good Information Security, specifically as far as privacy of data and information is concerned, really hit the agendas of Board meetings. This basically led to the Fourth Wave which can be characterized as Information Security Governance.

5 The Fourth Wave – Information Security Governance As mentioned, the importance of this Wave became clear during the beginning of the present decade. Several international best practices for good Corporate Governance appeared, and the role of Information Technology Risk Management and Information Technology

4

S.H. von Solms

Governance were highlighted in many of them. Good Information Technology Governance of course included good Information Security implementations. Financial information of the company was stored and processed on computers, and if the storage and processing of such information were not properly secured and protected, serious compromises could result. The risk of committing fraud and misusing financial resources by manipulating the company’s electronic data stored on its IT systems in an unauthorized way became very clear – and also that top Management is in the last instance accountable. This growing importance of, and emphasis on Information Security, resulted in the emergence of the concept of Information Security Governance. The fact that ‘Information Security Governance is an integral part of Corporate Governance’ became well accepted.

6 Evaluation of Waves 1 to 4 Before we discuss the Fifth Wave, let us briefly reflect on Waves 1 to 4. Two aspects are important up to this point. Firstly, it is apparent that all 4 these Waves basically ‘point inwards’, i.e. they have to do with securing the data and information of the company. The responsibility lies with the company and its employees, and all measures are implemented to this end. The main purpose is to ensure that the confidentiality and integrity of the data and information of the company are maintained at all times – from the company’s side. This resulted in companies rolling out very good security measures, making it very difficult for the criminal elements who wanted access to such data and information, to do so – in many cases a company’s IT infrastructure became a well-protected fort. Secondly, companies rolled out more and more systems based on the Internet and the World Wide Web, making it possible for millions of clients and customers to use such systems – enter the Cyber age! The direct result of these two aspects was that criminals now moved their attention to the end user. Using the Internet as access medium, with millions of end users with low levels of Information Security awareness and knowledge, the criminal side started having a field day using a wide range of attack mechanisms directed towards the end user – mechanisms mainly based on social engineering. Their motto became: Do not try to hack into the company’s IT systems; it may be very difficult – go for the naïve end user! This led to the Fifth Wave of Information Security – ensuring Information Security in Cyber space. Let’s call that, for lack of a better name, Cyber security.

7 The Fifth Wave – Cyber Security The Internet is debatably one of the greatest inventions ever developed by mankind, but it has brought with it extremely serious risks. Implementing any Internet-based system means announcing yourself to the rest of the world, thereby providing an opportunity for cyber criminals to attack the system. Cyber criminals are leveraging the growing use of the Internet by companies to deliver services to their clients to

The 5 Waves of Information Security – From Kristian Beckman to the Present

5

commit crime of immense proportions. Malware, phishing, spoofing and other techniques used by such criminals are making the life for any Internet user extremely risky. The Internet has handed the criminal side an extremely useful way of committing their crimes, and to us as Information Security specialists our greatest challenge – to ensure that such crimes are prevented from happening. Let us briefly review some recent cyber crime statistics. 7.1 The Sophos Security Threat Report – 2009 (Sophos, 2009) 23 500 infected websites are discovered every day. That’s one every 3.6 seconds – four times worse than the same period in 2008 7.2 The CISCO White Paper (CISCO, 2009) The White paper states that ‘Internet users are under attack. Organized criminals methodically and invisibly exploit vulnerabilities in websites and browsers and infect computers, stealing valuable information (login credentials, credit card numbers and intellectual property) and turning both corporate and consumer networks into unwilling participants in propagating spam and malware; 7.3 The UK Cybercrime Report 2009 (UK Cybercrime, 2009) The report indicate that during 2008, ‘cyber criminals committed over 3.6 million criminal acts online (that one every 10 seconds)’. 7.4 The Washington Post (Washington Post, 2009) ‘Law enforcement agencies worldwide are losing the battle against cyber crime’. 7.5 ‘The Internet Has Become a Fundamental Business Tool, Yet Browsing the Web Has Never Been More Dangerous’ (Symantec, 2010) Surely the Fifth Wave of Information Security is challenging us to provide efficient cyber security. How should we as Information Security specialists treat this Fifth Wave? This author claims that ─ Some Internet-based systems are Information Security wise ‘so close to the edge’ that they should rather not be developed ─ We have reached the stage where it is impossible to properly secure and protect some Internet-based systems ─ Information Security specialists in most cases are not really professionals This Wave challenges us as Information Security specialists to reconsider our role, and to ensure that we act as Information Security Professionals and not as Information Security Practitioners. This means that we should be more vocal in expressing our concerns about the security of many Internet-based systems.

6

S.H. von Solms

8 Information Security Professionals (ACISP, 2009) Are we really professionals, as the term is understood in other circles like medicine, engineering etc? Do we belong to a professional body which has a defined Body of Knowledge, an Ethics Code or a Disciplinary Code? Can we be held accountable for the advice we give about Information Security aspects? Do we have a ‘true’ Information Security Profession which is acknowledged internationally? The answer must be ‘NO” at this stage! There are some bodies which do ‘certify’ people as Information Security Professionals, and that is already a step in the right direction. However, it does not go far enough, and do not create ‘true’ Information Security Professionals or a ‘true’ Information Security Profession. Other initiatives are developing to create a ‘true’ Information Technology Profession, but that is wider than Information Security. No comprehensive project is presently active to create a true Information Security Professional. Lacking such formal status, we as Information Security practitioners (not yet Information Security professionals) should act extremely responsible in our advice roles as demanded by the Fifth Wave. We can find a good example in the way David Parnas acted in the early 1980s.

9 The Strategic Defense Initiative (SDI) and David Parnas (ACISP, 2009) ‘The Strategic Defense Initiative (SDI), commonly called Star Wars after the popular science fiction series, was a system proposed by U.S. President Ronald Reagan on March 23, 1983 to use space-based systems to protect the United States from attack by strategic nuclear missiles. It was never implemented and research in the field tailed off after the end of the Cold War.’ (Wikipedia) Prof David Parnas, one of the pioneers in the development of Computer Science and Software Engineering, was at that time a consultant to the Office of Naval Research in Washington, and was one of nine scientists asked by the Strategic Defense Initiative Office to serve on the "panel on computing in support of battle management". Parnas resigned from this advisory panel on antimissile defense, asserting that it will never be possible to program a vast complex of battle management computers reliably or to assume they will work when confronted with a salvo of nuclear missiles. In his letter of resignation he said that it would never be possible to test realistically the large array of computers that would link and control a system of sensors, antimissile weapons, guidance and aiming devices, and battle management stations. Nor, he protested, would it be possible to follow orthodox computer program-writing practices in which errors and "bugs" are detected and eliminated in prolonged everyday use.

The 5 Waves of Information Security – From Kristian Beckman to the Present

7

“I believe,” Professor Parnas said, “that it is our duty, as scientists and engineers, to reply that we have no technological magic that will accomplish that. The President and the public should know that.” (The Risk Digest, 1985). Although Parnas’s stand was related to nuclear warfare, which may not be so relevant today anymore, the morale of this story is still the same. Parnas highlighted the reliability issues of the use of computers, because they were important issues concerning the man in the street. It is important to note that Parnas did not say that all computer systems are unreliable – he just said that this specific initiative was dangerous. The reader may now say that the SDI issues were related to the reliability of nuclear computer systems, and not to the Information Security of commercial systems. My answer to such a reaction is: ‘Is the Information Security of general IT systems today, even though they are now much more business focused, less important, or less complicated?’ Just have a look at paragraph 7 above, or ask a person who lost all his/her money through fraud committed using IT systems whether he sees it as a serious issue or not? Following Parnas’s quote above, I want to state: ‘it is our duty, as Information Security specialists (professionals??) to make it heard from all platforms that IT systems are becoming so complex that we doubt whether they can still be properly protected in all cases. The public should know that’ Maybe TC 11 should take a stance on this issue and make a public statement.

10 The Challenge of the Fifth Wave of Information Security The challenge of the Fifth Wave of Information Security to all of us as Information Security Practitioners/Professionals is to act professionally at all times, meaning that we should not be afraid to warn against the insecurity of many Internet-based systems – that’s the challenge of the Fifth Wave of Information Security.

Summary In this paper we reviewed the 5 Waves of Information Security and highlighted the fact that the Fifth Wave is the one which will really challenge Information Security specialist to start acting as Information Security Professionals.

References 1. ACISP 2009, Proceedings of ACISP 2009, Brisbane, Australia (July 2009) 2. CISCO 2009, A Comprehensive Proactive Approach to Web based Threats (2009), http://www.ironport.com/pdf/ironport_web_reputation_whitepap er.pdf (accessed May 2010) 3. Sophos 2009, The Sophos Security Threat Report (2009), http://www.sophos.com/sophos/.../sophos-security-threatreport-jan-2009-na.pdf (accessed May 2010)

8

S.H. von Solms

4. Symantec 2010, The Wild, Wild West Web, Symantec (2010), http://www.computerworld.com/pdfs/Messagelabs_Wild_Wild_Web. pdf (accessed June 2010) 5. The Risk Digest 1(1) (1985), http://catless.ncl.ac.uk/Risks/1.01.html (accessed April 2009) 6. UK Cybercrime 2009, The UK Cybercrime Report (2009), https://www.garlik.com/cybercrime_report.php (accessed March 2010) 7. von Solms, B.: Information Security – The Third Wave? Computers and Security 9, 615–620 (2000) 8. von Solms, B.: Information Security – The Fourth Wave. Computers and Security 25, 165–168 (2006) 9. von Solms, B.: Information Security – The Fifth Wave. In preparation – to be submitted to Computers and Security (2010) 10. Washington Post, Cybercrime is winning the battle over Cyberlaw (2008), http://voices.washingtonpost.com/securityfix/2008/12/report_ cybercrime_is_winning_t.html (accessed June 2010) 11. Wikipedia, http://en.wikipedia.org/wiki/Strategic_Defense_Initiative, (accessed April 2009)

A Business Continuity Management Simulator William J. Caelli1, Lam-For Kwok2, and Dennis Longley3 1

Information Security Institute, Queensland University of Technology, Brisbane 2 City University of Hong Kong 3 International Information Security Consultants Pty Ltd.

Abstract. Comprehensive BCM plan testing for complex information systems is difficult and expensive, if not infeasible. This paper suggests that a simulator could be employed to ameliorate these problems. A general model for such a BCM simulator is presented, and the implementation of a prototype simulator is described. The simulator reacts to system disturbances by seeking alternative configurations provided within the BCM plan, reporting the resource availabilities in the updated system and identifying any failure to meet the requirements placed on the system. The simulator then explores any changes in data security introduced by the proposed post disturbance configuration and reports any enhanced risk. Keywords: BCM planning, simulator.

1 Business Continuity Planning In a survey of 94 Australian organizations in 1999-2000 [1, 2] the majority of organizations stated that the longest time they could be out of action was less than 24 hours. Moreover 30% of these organizations said that their longest out-of–service time was less than 8 hours. It is perhaps sobering to reflect that in the subsequent 9 years the world has experienced major terrorist attacks in capital cities, invasion of Iraq, two tsunamis, the worst Chinese earthquake in a decade and devastating weather events worldwide all having implications for BCM. Given society’s increasing dependency on distributed, complex information systems it might appear the risks associated with loss of availability in such systems have both enhanced consequences and likelihood. Traditionally organizations developed Disaster Recovery Plans to ensure that alternative facilities were available if some major event impacted upon their mainframe computer systems. The development of complex, distributed systems combined with organizational reliance upon on-line operations emphasized the importance of business continuity management which seeks to minimize the likelihood and magnitude of potential business interruptions, and encompasses Disaster Recovery Plans to guard against the major loss of IT services at any level in a system hierarchy. The Australian National Audit Office guide on Business Continuity Management states the objective of business continuity management is to ensure uninterrupted availability of all key business resources required to support essential or critical business activities. One may query if this is a sufficiently comprehensive definition of the objective since there is no mention of continued compliance to required governance K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 9–18, 2010. © IFIP International Federation for Information Processing 2010

10

W.J. Caelli, L.-F. Kwok, and D. Longley

and security policy. Presumably a bank would not be satisfied with a business continuity plan that left a security loophole for major fraud in its fall back procedures. Australian Standards HB292-200 [3] provides comprehensive guidance to practitioners on the establishment of effective business continuity management within organizations. The guide emphasizes the close relationship between risk management and business continuity planning. In particular risk management assists in the identification of cost effective controls to minimize the likelihood of a business interruption, whilst business continuity plans will, inter alia, addresses the actions required to deal with significant disruptive events. The guide does not however appear to address the problem of risk analysis for the systems in the post disruption phase and again there is no mention of the requirement for continuous conformance to security / governance policy. This paper thus addresses two issues of BCM planning: availability testing, and identifying enhanced risks following a disturbance. Simulators are commonly employed for training on complex systems in situations where real experimentation would be hazardous or infeasible, and would therefore appear to be of value in testing defenses against critical, complex information system downtimes. A proposed model applicable to BCM planning in a variety of systems is introduced, and the implementation of such a simulator developed for information systems is described. The simulator reacts to system disturbances by seeking, where necessary, alternative configurations provided within the BCM plan, reporting the resource availabilities in the updated system and identifying any failure to meet the requirements placed on the system. The simulator then explores any changes in data security introduced by the proposed post disturbance configuration and reports any enhanced risk.

2 BCM Simulator Design 2.1 Overview The BCM problem is illustrated in Fig 1. The system under review receives resources from external sources and in turn provides a set of resources for the external world, a subset of these resources are deemed essential in all circumstances. An interruption in the supply of external resources, and/ or some internal disturbance to the system, will have an impact upon the system’s ability to supply the requisite resources. BCM planning will provide some inbuilt defences against such external disturbances; however the system is dynamic and will therefore exhibit a transient response to the disturbances. The BCM Planner may be called upon to report upon the response to specified disturbances in terms of: • • • •

time duration of transient response; system output during the transient response; system output in the subsequent steady state; effectiveness of security systems in the transient and steady state.

At this stage the simulator deals only with steady states, i.e. it does not deal with any potential delays in providing alternative sources or in any race conditions that may arise in (say) invoking load sharing algorithms.

A Business Continuity Management Simulator

11

When a disturbance causes a source to fail, and one or more alternative sources are provided by the BCM plan, the simulator incorporates these backup sources in preference order. Any shortfall in these alternative sources will have consequential effects on the system’s ability to supply essential resources and these consequential effects are also reported. The simulator then explores potential changes in the data security scenario of the post disturbance configuration and reports any risk changes. 2.2 Model Overview. A top down view of BCM suggests that the system under review is in effect a resource transformer subject to disturbances. The system imports resources from the outside world and converts them into exported resources. A subset of these exported resources is deemed essential and must be maintained in spite of interruptions to imported resources or disturbances to the system. This is the conventional view of BCM but with current complex information systems we should also add the requirement that the system should maintain the specified system security policy under all circumstances. Drilling down into the system will reveal some network of resource interconnected subsystems. The original set of imported and exported resources will be enhanced by internal resources generated by the subsystems. Looking in more detail at the operation of the subsystems we may further specify the subsystem as a collection of sink/source units. Each such sink/source unit provides a source for a particular resource type, e.g. bank transactions; a collection of sinks associated with the source specifies the imported resources, in type and quantity, required to guarantee the supply from the associated source. In a BCM model the nature of the subsystem transformer actions is not relevant to the study. The essential point is that the sources require certain satisfied sinks to ensure their continued operation. Some subsystems may be considered from the system viewpoint to be pure sources or sinks, e.g. the system imported resources are derived from pure sources and the exported resources are collected by pure sinks (See Fig 1). The BCM plan is concerned with the operation of the system following an interruption to an imported resource or a disturbance. In the terms of the model as described above external resource interruptions are modelled as a disabling of external sources, and disturbances similarly disable internal sources. From a BCM viewpoint there are two significant facets of this situation: • •

the alternative supplies to internal sinks, i.e. backup sources, to ensure that external sinks deemed essential continue to be supplied; the relationship between a disturbance and the failed internal source.

A system with no source redundancy would fail to export one or more resources in the case of any external source interruption or system disturbance. BCM plans therefore incorporate source redundancies to maintain the export of essential resources. This redundancy implies that some sinks are connected to multiple sources with various preference levels (See dotted link in Fig 1). At this stage the model relates to any definable system and the simulator was developed to be context independent as far as possible. However in order to move to a prototype stage it was decided to concentrate initially on information systems so that ideas could be tested. Having described the system in terms of subsystems the next

12

W.J. Caelli, L.-F. Kwok, and D. Longley

stage was to represent subsystems as interconnected components, or entities. In information systems these entities comprise: • • • • •

computers: servers, gateways, workstation clusters; locations: sites, buildings, floors, rooms; services: power supplies, cabling; switches: for physical resources, e.g. power, human resources; data networks.

Fig. 1. BCM Model Subsystems are interconnected by resources and comprise sinks and sources. Some sinks may be supplied by two sources with different preference levels.

With this component definition the relationship between a disturbance and the failed internal source can now be addressed. Fig 1 illustrates subsystem with apparently isolated sinks and sources. The simulator entities have a more structured set of sinks and sources: • •

•

an entity can have multiple sources, each for a unique resource, e.g. a server can be a source of multiple data items; a source produces the result of a transformation of other imported resources, the nature of the transformation is irrelevant in BCM terms and can simply be formulated as a set of sinks feeding each source. the entity is a physical reality and the functioning of that entity is dependent on certain physical resources, e.g. a server’s continued operation depends upon the supply of electrical power, manual operators, maintenance technicians etc. Any significant interruption to these resources will result in the disabling of all other sources in that entity, i.e. a server will not export files if it has lost power.

If an entity does not receive the set of resources necessary for its physical operation, then all the logical sources in that entity will fail. This situation is represented in the simulator model with an artificial source, termed an entitysource which supplies each entity source with an artificial resource termed an entityresource. The entitysource has

A Business Continuity Management Simulator

13

a sink for each imported resource required for the physical operation of the entity, and each entity source has a sink for such an entityresource. Hence the relationship between a disturbance and internal sources can be formulated: • a disturbance inhibits the flow of resources to entitysource sinks; • the entitysource with at least one unsatisfied sink is disabled; • the remaining entity sources now have their entityresource sink unsatisfied and are themselves disabled (See Fig 2).

Fig. 2. Sources and Sinks in an Entity. If entitySource fails, due to loss of any physical resource, then all other sources within the entity are deprived of the entityresource, and fail.

2.3 Simulator Resources, Entities and Interconnections Resources. The simulator is designed to demonstrate the flow and interaction of resources through the system after various types of disturbances. The nature of these resources significantly influences the design of the simulator model and in the context of an information system the resources were categorised as physical or data. Each resource is described in terms of type and quantity, but there are major differences between the roles of quantity in each category. Physical resources are heavily quantity dependent, e.g. a power resource may be described as electrical power 240V AC (type), and a numerical value for wattage (qty). Similarly a server operator resource may be specified as Operator Grade_1 (type) and a number of full time hours (qty). If the quantity demand for a resource exceeds the maximum available quantity supply then the supplying source will be overloaded and some sinks become unsatisfied. If a physical resource sink is unsatisfied then the simulator seeks an alternative source, if no such alternative is found the consequent effects of the unsatisfied sink are explored, e.g. sources in the same entity are disabled producing consequential unsatisfied sinks elsewhere. Data resources are similarly specified via both type and quantity, but data sources are not so susceptible to overload. An excessive demand for bytes from a server, or

14

W.J. Caelli, L.-F. Kwok, and D. Longley

excessive traffic on a network will involve performance issues, and are reported by the simulator, but they will not lead to a source overload and disablement, with consequential unsatisfied sinks. The originating source also plays different roles in the two categories of resources. A physical source takes the view that any power supply is a compatible supply. However a data resource sink will specify both the resource type and the source for a data resource, i.e. a user will connect to a specific server in order to download a file with a given name. An information system will commonly have a vast multitude of data resources but from a BCM viewpoint they may be aggregated. For example if a server normally collects data from one other server, but has backup servers each supporting part of that total data set, then the data resources may simply comprise the aggregated data sets from each of the backup servers. Entities. All entities contain an entitysource (See Fig 2) and one or more other source/sink units, but the nature of these sources and sinks varies with their category. Computers. Computers in their various roles have an entitysource with physical resource sinks, e.g. electrical power, plus one or more source/sink unit importing data resources and exporting some transformation of the input data. Location. From a general BCM viewpoint sites and buildings serve as potential sources of access control, protection for equipment against severe weather events etc. From the BCM simulator model viewpoint the hierarchy from sites to rooms, cupboards etc., also provides a potential conduit for physical and data resources. A server located in a room may be deemed to be served by the resources available on that site: power, trained staff etc. This conduit concept reduces the impact of a major problem for BCM simulator users, i.e. specifying the multifarious interconnections between sources and sinks. For many resources, location entities may be considered as special types of switches (See Switches below).Once a server is allocated to a room (See Relationships) the BCM simulator software can automatically create the links between the server sinks and the room switch sources. Switches. A cabling system is a typical switch, receiving power from some preferred supply source and delivering it to various computers etc. The source /sink unit differs from that of a computer source/sink inasmuch as the source resource has the same type and quantity as that of its single sink. If the switch has a number of alternative supply sources this sink will be connected to each in a specified preference order. The source also has an attribute indicating the maximum safe loading. Data Networks. Data networks serve as switches for data resources and differ substantially from the switches described above (See Fig 3). In the BCM model a data network provides proxy sink/source units for each data resource transmitted through the data network. These proxy units also contain the name of the entity that hosted the original source for the data. As discussed in Locations above the BCM simulator software develops the source – sink links from originating source to destination sink. Networks are similar to switches inasmuch as an excessive volume of traffic may affect performance, since there are multiple data sources the congestion level is an attribute of the network entityresource.

A Business Continuity Management Simulator

15

Fig. 3. Network serving Server_1 and Server_2 and source-sink interconnections. The network includes proxy sources corresponding to those of both servers.

Interconnections. The source-sink links are so numerous, for even simple systems, that the software was designed to minimize the manual effort of link specification. A source sink interconnection in the BCM model is normally specified by a relationship linking the host entities, internal entity source – sink links are automatically inserted by the software. The relationship specified by the model builder contains sufficient information for the software to identify the particular source and sink in the host entities, and the preference level of the link. Relationships for entity – data network connections, can be supplied with details of the desired data source, and preference levels if more than one such source is specified. Similarly if a data network is to be connected to one or many other networks, the preference levels are specified. 2.4 Simulator Operation Overview. The BCM simulator is designed to provide the user with various system scenarios following specified single or simultaneous multiple disturbances. The simulator seeks to mitigate the effects of the disturbances by seeking alternatives for any sources disabled by the disturbances, and then displays the post disturbance scenarios. The simulator also provides information on any additional risks in this post disturbance scenario. The simulator operates in two phases: setup and interaction. The setup phase itself has three stages. First the simulator employs all the user specified data and constructs the model, much of this construction activity is devoted to establishing the multifarious source-sink connections throughout the system. The second stage then checks for any sources providing no resources, and for any subsequent unsatisfied sinks. When the most preferred source for a sink is unable to supply the required sink resource quantity, alternative sources are sought according to specified preferences. If these attempts fail,

16

W.J. Caelli, L.-F. Kwok, and D. Longley

then the unsatisfied sinks cause the associated sources to be disabled and the simulator explores and attempts to rectify these consequential resource shortfalls. Finally, in the third stage, the simulator checks and reports the risk levels of all entities. In the interaction phase the user can explore the effect of specified disturbances and observe graphs of resource flows through the system. Enhanced risks for entities are colour coded in these graphs. Responding to Loss of Availability. If the total load required by sinks from a source exceeds the quantity available at that source then alternative sources are sought according to the sink preference levels. The source overload could be addressed with load sharing, i.e. switching some sinks to alternative sources until the source load is reduced to its available capacity. The simulator currently employs no such load sharing algorithms. If a source is overloaded it reacts like a cut-out in an electrical system and is disabled. The full load demanded from that source is then directed to the specified alternative sources. The simulator in effect warns the user of source overloads, but any load sharing must be performed manually, i.e. the user recommences system setup with changes in some sink preferences effectively diverting the load to other sources. Risk reporting. In highly complex information systems employing inbuilt safeguards against various loss/denial of services, there are two post disturbance considerations: • is the set of safeguards sufficient to guarantee essential services following one or more particular disturbances? • is the system security policy maintained in the new system configuration? The previous sections have dealt with the first issue. In this section any enhanced risk associated the post disturbance system configuration is discussed. Risk reporting differs from problems associated with availability levels in that there is greater uncertainty associated with the consequential effects of the new risk. If a building suffers physical damage a server located in a room of that building may or may not continue to function. The simulator thus restricts itself to reporting the potential spread of such risk but it does not invoke a search for alternative less risky configurations. Data security is complex and may well be impacted by configuration changes following a disturbance. For example, a VPN network fails and sensitive traffic is switched to a network vulnerable to data eavesdropping. Encryption itself can be a source of risk if alternative sources are switched in, e.g. if a sink is setup to check data integrity it will reject data from an alternative source that provides no such integrity field. The BCM simulator checks data security risk over the data path from source, through any intervening networks, to sink and reports on the risk associated with the path, e.g. • data passing though a congested network; • unencrypted data in a network with a disclosure hazard; • any encryption incompatibilities encountered in the path. A number of physical risks may also be reported, for example if the total quantity supplied from a switch source exceeds the switch safety rating, then this risk is reported. The risk reported is not a probability – consequence measure but simply indicates a situation has arisen that will be of interest to the user.

A Business Continuity Management Simulator

17

Fig. 4. BCM Simulator Graph. Path of Profit_Loss_File from Acct_File_Server to Exec_File_Server. Org_WAN is down and traffic is diverted to Pub_WAN that has a disclosure risk reflected in risk at two servers.

The risk is currently coded as low, moderate or extreme, An extreme risk is associated with loss of availability of an entity, risk relating to a resource, e.g. data resource transiting a congested network, is classed as moderate. The risk reporting involves colour coding the appropriate entity on the graph (See Fig 4).

3 BCM Simulator Implementation The simulator was implemented as an extension of the ISM (Information Security Model) software described in previous papers [4, 5]. As such it demonstrated the value of security documentation developed in a database form and used to support various security management tasks, such as risk assessment, compliance audits, BCM, etc. The model entities correspond to the ISM entities and the BCM data was simply added to the entity data. The graph facilities for illustrating threat networks were adapted to the demonstration of resource paths (See Fig 4). The simulator software as described above was then included in the ISM package.

4 Conclusion This paper describes the experience gained in the development of a prototype business continuity management simulator. The simulator software was an extension of a package originally developed for risk studies and automated compliance testing. The business continuity management simulator software relied heavily on the facilities provided by the earlier package to search for system entities in a tree hierarchy to represent ad hoc relationships between such entities, to specify complex attributes and to provide graphical representations of system behavior. This justified earlier confidence in the versatility of the ISM package.

18

W.J. Caelli, L.-F. Kwok, and D. Longley

This study has demonstrated the feasibility of developing a simulator which can bridge the gap between paper/team based and live scenario exercises in business continuity management training and planning. Acknowledgments. This project employed an ISM software package developed in a resource project undertaken by the Information Security Institute, Queensland University of Technology funded by the Australian Commonwealth Government Defense Signals Directorate.

References 1. Musson, D., Jordan, E.: Managing for Failure – The Macquarie University Survey of Business and Computer Contingency Planning in Australia, Macquarie Graduate School of Management, Australia (2002) 2. Australian National Audit Office: Business Continuity Management (August 2000) 3. Australian Standards HB292-200: A Practitioner’s Guide to Business Continuity Management (January 2006) 4. Kwok, L., Longley, D.: Security Modeling for Risk Analysis. In: Proc. 18th IFIP World Computer Congress, IFIP 2004, Toulouse, France, August 22-27, pp. 29–45 (2004) 5. Branagan, M., Caelli, W.J., Lam-for Kwok, Longley, D.: Feasibility of Automated Information Security Compliance Auditing. In: Proc. IFIP TC 11 23rd Int. Information Security Conf., Milan Italy, September 2008, pp. 493–507 (2008)

Mining Business-Relevant RBAC States through Decomposition Alessandro Colantonio1,2, Roberto Di Pietro2 , Alberto Ocello1 , and Nino Vincenzo Verde2 1

Engiweb Security, Roma, Italy {alessandro.colantonio,alberto.ocello}@eng.it 2 Università di Roma Tre, Roma, Italy {colanton,dipietro,nverde}@mat.uniroma3.it

Abstract. Role-based access control is widely accepted as a best practice to effectively limit system access to authorized users only. To enhance benefits, the role definition process must count on business requirements. Role mining represents an essential tool for role engineers, but most of the existing techniques cannot elicit roles with an associated clear business meaning. To this end, we propose a methodology where the dataset is decomposed into smaller subsets that are homogeneous from a business perspective. We introduce the entrustability index that provides, for a given partition, the expected uncertainty in locating homogeneous set of users and permissions that are manageable with the same role. Therefore, by choosing the decomposition with the highest entrustability value, we most likely identify roles with a clear business meaning. The proposed methodology is rooted on information theory, and experiments on real enterprise data support its effectiveness.

1 Introduction Among access control models proposed in the literature, Role-Based Access Control (RBAC) [1] is presumably the most adopted by large-size organizations. Within an organization, roles are created for various job functions. Permissions to perform certain operations are assigned to specific roles. Members or other system users are assigned particular roles, and through those role assignments acquire the permissions to perform particular system functions. The main benefit of adopting such a model is a simplification of the security policy definition task by business users who have no knowledge of IT systems. Further, use of roles minimizes system administration effort due to the reduced number of relationships required to relate users to permissions [4]. Despite the benefits derived from deploying role-based access control systems, many organizations are reluctant to adopt them, since there are still some important issues that need to be addressed. In particular, roles must be customized to capture the needs and functions of the organization. For this reason, the role engineering discipline [9] has been introduced. However, choosing the best way to design a proper set of roles is an open problem. Various approaches to role engineering have been proposed, which are usually classified as: top-down and bottom-up. The former requires a deep analysis of business processes to identify which access permissions are necessary to carry out K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 19–30, 2010. c IFIP International Federation for Information Processing 2010 

20

A. Colantonio et al.

specific tasks. The latter seeks to identify de facto roles embedded in existing access control information. Indeed, companies which plan to go for RBAC usually find themselves with a collection of several legacy and standard security systems on different platforms that provide “conventional” access control [13]. The bottom-up approach has attracted the attention of many researchers, since it can be easily automated [15]. Data mining technology is typically used to discover roles within access control data. For this reason, the term role mining is often used as a synonym of bottom-up. However, the slavish application of standard data mining approaches to role engineering might yield roles that are merely a set of permissions, namely with no connection to the business practices. Indeed, organizations are unwilling to deploy roles they cannot bind to a business meaning [4]. For this reason, bottom-up should be used in conjunction with top-down, leading to an hybrid approach. Only few recent works value business requirements in role mining [4,2,11,14]. Their main limitation is to propose theoretical frameworks that are difficult to apply in real cases. For instance, [4,2,14] require analysts to define a measure for the business meaning of roles. However, selecting the measure that fits the needs of an organization is not trivial, and no best practices exist to define it. In [11] the authors offer a probabilistic model: to find a set of roles that approximates the role mining problem (by considering potentially exceptional user-permission assignments); and, to contextually propose roles that likely are meaningful (by taking into account the relevance of each business attribute). However, there is no guarantee that the introduced approximation is licit. In any case, to our knowledge there is no proposal in the current literature to leverage business-related information in existing role mining algorithms. To this end, a possible viable solution may be to restrict the analysis to sets of data that are homogeneous from an enterprise perspective. The key observation is that users sharing the same business attributes will essentially perform the same task within the organization. Suppose we know, from a partial or coarse-grained top-down analysis, that a certain set of users perform the same tasks, but the analysis lacks information about which permissions are required to execute these tasks. In this scenario, restricting role mining techniques to these users only—instead of analyzing the organization as a whole—, will ensure that elicited roles are only related to such tasks. Consequently, it will be easier for an analyst to assign a business meaning to the roles suggested by the bottom-up approach. Moreover, elicitation of roles with no business meaning can be avoided by grouping users that perform similar tasks together first, and then analyzing each group separately. Indeed, investigating analogies among groups of users that perform completely different tasks is far from being a good role mining strategy [4]. Partitioning data also introduces benefits in terms of execution time of role mining algorithms. Indeed, most role mining algorithms have a complexity that is not linear compared to the number of users or permissions to analyze [2,20,10]. To apply this divide-and-conquer strategy, a lot of enterprise information can be used. Business processes, workflow tasks, and organization unit trees are just a few examples of business elements that can be leveraged. Notice that very often such information is already available in most companies before starting the role engineering task—for instance within HR systems. When dealing with information from several sources, the main problem is thus ascertaining which information induces the partition that improves the role engineering task the most.

Mining Business-Relevant RBAC States through Decomposition

21

To address all the abovementioned issues, this paper proposes a methodology that helps role engineers to leverage business information during the role mining process. In particular, we propose to divide the access data into smaller subsets that are homogeneous according to a business perspective, instead of performing a single bottom-up analysis on the entire organization. This eases the attribution of business meaning to roles elicited by any existing role mining algorithm and reduces the problem complexity. To select the business information that induces the most suitable partition, an index referred to as “entrustability” (entropy-based role usefulness predictability) is identified. Rooted on information theory, this index measures the expected uncertainty in locating a homogeneous set of users and permissions that can be managed as a whole by a single role. The decomposition with the highest entrustability value is the one that most likely leads to roles with a clear business meaning. Several examples illustrate the practical implications of the proposed methodology and related tools, which have also been applied on real enterprise data. Results support the quality and viability of the proposal. The remainder of the paper is organized as follows: Section 2 reports on related work, while Section 3 introduces the background required to formally describe the proposed tools. The entrustability index and the proposed methodology are introduced and discussed in Section 4, while their viability is demonstrated in Section 5 by testing on real data. Finally, Section 6 provides concluding remarks.

2 Related Work Role engineering was first illustrated by Coyne [9] from a top-down perspective. Many other authors sought to leverage business information to design roles by adopting a topdown approach such as [17, 16]. These works represent pure top-down approaches— they do not consider existing access permissions. Hence, they do not take into account how the organization actually works. As for the bottom-up approach, Kuhlmann et al. [13] first introduced the term “role mining”, trying to apply existing data mining techniques to elicit roles from existing access data. After that, several algorithms explicitly designed for role engineering were proposed [18,20,10,21,11]. Several works prove that the role mining problem is reducible to many other well-known NP-hard problems, such as clique partition, binary matrix factorization, bi-clustering, graph vertex coloring [6] to cite a few. The main limitation of these works is that they do not always lead to meaningful roles from a business perspective. Colantonio et al. [2] first presented an approach to discover roles with business meanings through a role mining algorithm. A cost function is introduced as a metric for evaluating a “good” collection of roles. By minimizing the cost function it is possible to elicit roles that contextually minimize the overall administration effort and fit the needs of an organization from a business perspective. Further improvements of this approach are [4, 3]. A similar approach is provided by Molloy et al. [14], that employs user attributes to provide a measurement of the RBAC state complexity. Frank et al. [11] proposed a probabilistic model to find a set of roles that contextually approximate the role mining problem and that are likely meaningful. However, as stated in the previous section, all these methods are difficult to apply in real cases.

22

A. Colantonio et al.

A tool that is widely used in information theory, and employed in this paper, is entropy. In data mining, recent works seek to apply the entropy concept to find all subsets of attributes that have low complexity. Heikinheimo et al. [12] proposed to find lowentropy itemsets from binary data in lieu of frequent itemsets. However, this model is not suitable for the role mining problem, since low-entropy sets are symmetric compared to ‘0’ (missing user-permission assignment) and ‘1’ (existing assignment), while roles can be seen as patterns only made up of 1’s. Tatti [19] considered the problem of defining the significance of an itemset in terms of the expected frequency. The main goal is to discover different types of biclusters in the presence of noise. Finally, Frank et al. [11] is the only work that seeks to apply the entropy concept to role mining. In particular, they measure the missing information on whether a given permission is granted to a user. In turn, this information is used to extend their probabilistic model to role mining. However, the authors only provide a way to evaluate each business information against single permissions, and the proposed model is not applicable to other role mining algorithms.

3 Background Before introducing the required formalism used to describe role engineering, we first review some concepts of the ANSI/INCITS RBAC standard [1] needed for the present analysis. For the sake of simplicity, we do not consider sessions, role hierarchies or separation of duties constraints in this paper. In particular, we are only interested in the following entities: – PERMS , USERS , and ROLES are the sets of all access permissions, users, and roles, respectively; – UA ⊆ USERS × ROLES , is the set of all role-user relationships; – PA ⊆ PERMS × ROLES , is the set of all role-permission relationships. The following functions are also provided: – ass_users : ROLES → 2USERS to identify users assigned to a role. We consider it as derived from UA , that is ass_users (r) = {u ∈ USERS | u, r ∈ UA }. – ass_perms : ROLES → 2PERMS to identify permissions assigned to a role. We consider it as derived from PA , that is ass_perms(r) = {p ∈ PERMS | p, r ∈ PA }. In addition to RBAC concepts, this paper introduces other entities required to formally describe the proposed approach. In particular, we define: – UP ⊆ USERS × PERMS , the existing user-permission assignments to analyze; – perms : USERS → 2PERMS , the function that identifies permissions assigned to a user. Given u ∈ USERS , it is defined as perms(u) = {p ∈ PERMS | u, p ∈ UP }. – users : PERMS → 2USERS , the function that identifies users that have been granted a given permission. Given p ∈ PERMS , it is defined as users (p) = {u ∈ USERS | u, p ∈ UP }.

Mining Business-Relevant RBAC States through Decomposition

23

Having introduced these entities, it is now possible to formally define the main objective of role engineering: given UP , PERMS , and USERS , we are interested in determining the best setting for ROLES , PA , and UA that covers all possible combinations of permissions possessed by users. In this context “best” means that the proposed roles should maximize the advantages offered by adopting RBAC, that is, to simplify access governance, to mitigate the risk of unauthorized access, and to ensure that roles reflect business requirements throughout the enterprise. This can be seen as a multiobjective optimization problem [4, 6]. As for the coverage, there is a need that for each u, p ∈ UP at least one role r ∈ ROLES should exist such that u ∈ ass_users (r) and p ∈ ass_perms(r).

4 A Divide-and-Conquer Approach In this section we describe how to condition existing role mining algorithms to craft roles with business meaning and to downsize the problem complexity. By leveraging the observations of Section 1, it is possible to exploit available business information, or top-down analysis results, in order to drive a bottom-up approach. In particular, a business attribute (e.g., organizational units, job titles, applications, tasks, etc.) naturally induces a partition of the user-permission assignment set UP to analyze, where each subset is made up of all the assignments that share the same attribute values. When several business attributes are at our disposal, the difficulty arises in the selection of the one that induces a partition for UP that simplifies the subsequent mining steps. To this end, for each business information we calculate an index referred to as entrustability (entropy-based role usefulness predictability), which measures the uncertainty in identifying homogeneous sets of users and permissions that can be managed through a single role. The decomposition with the highest entrustability value is the one that most likely leads to roles with a clear business meaning. In the following, we first introduce the pseudo-role concept (Section 4.1) as a means to identify sets of users and permissions that can be managed by the same role. In turn, we formally introduce the entrustability index (Section 4.2) to measure how much a partition reduces the uncertainty in locating such sets of users and permissions in each subset of the partition. 4.1 Pseudo-roles The following definition introduces an important concept of the proposed methodology: Definition 1. Given a user-permission assignment u, p ∈ UP , the pseudo-role generated by u, p is a role made up of users users(p) and permissions perms(u). Pseudo-roles have been introduced for the first time in [5], with the alternative name of “pseudo-biclusters”. Moreover, in [6] we discussed pseudo-roles from a graph theory perspective. In particular, in we proposed a mapping between binary matrices and undirected graphs where a pseudo-role represent all the neighbors of a given node. In [6] we also provided efficient algorithms for viable computation of pseudo-roles. In this paper, pseudo-roles will be employed to identify those user-permission assignments that

24

A. Colantonio et al.

can be managed together with a given assignment through a single role. Notice that all users users (p) should not necessarily be granted all permissions perms(u)—this is the reason for the “pseudo” prefix. Since a pseudo-role rˆ is not an actual role, with abuse of notation we refer to its users as ass_users(ˆr) and to its permissions as ass_perms(ˆr). Several user-permission assignments can generate the same pseudo-role. In particular: Definition 2. The percentage of user-permission assignments of UP that generates a pseudo-roles rˆ is referred to as its frequency, defined as:  1  {u, p ∈ UP | ass_users (ˆr) = users (p) ∧ ass_perms(ˆr) = perms(u)} . ϕ(ˆr) := |UP | The introduction of the pseudo-roles concept is supported by the following theorem: Theorem 1. Given a user-permission assignment u, p ∈ UP , let rˆ be the pseudo-role generated by u, p. Then   UPrˆ := ass_users (ˆr) × ass_perms(ˆr) ∩ UP is the set of all possible user-assignment relationships that can be covered by any role to which u, p belongs to. Hence, for each possible RBAC state ROLES , UA , PA  that covers the assignments in UP the following holds: ∀r ∈ ROLES : u ∈ ass_users(r), p ∈ ass_perms(r) =⇒ ass_users(r) × ass_perms(r) ⊆ UPrˆ . Proof. First, we prove that any assignment that can be managed together with u, p must be within UPrˆ . Let u , p  ∈ UP be an assignment outside the pseudo-role rˆ, namely u , p   UPrˆ . If, by contradiction, u, p and u , p  can be managed through the same role r , then by definition all the users ass_users (r ) must have permissions ass_perms(r ) granted. Hence, both the assignments u , p and u, p  must exist in UP . But, according to Definition 1, u ∈ ass_users (ˆr) = users(p) and p ∈ ass_perms(ˆr) = perms(u), that is a contradiction. Now we prove that any assignment within UPrˆ can be managed together with u, p via a single role. Given u , p  ∈ UPrˆ , Definition 1 yields u ∈ ass_users (ˆr) = users (p) and p ∈ ass_perms(ˆr) = perms(u). Thus, both the assignments u , p and u, p  exist in UP , completing the proof. 

According to the previous theorem, a pseudo-role groups all user-permission assignments that are manageable through any of the roles that also covers the pseudo-role generators. The pseudo-role frequency indicates the minimum number of assignments covered by the pseudo-role (i.e., the generators) that are manageable through the same role. Consequently, the higher the frequency of a pseudo-role is, the more pseudo-role assignments can be managed by one role. Similarly, the lower the frequency is, the more likely it is that the assignments covered by a pseudo-role cannot be managed by a single role. Therefore, the ideal situation is when pseudo-role frequencies are either close to 1 or close to 0: frequent pseudo-roles circumscribe a portion of assignments that are worth investigating since they likely contain a role for managing most of the assignments; conversely, unfrequent pseudo-roles identify assignment sets that are not worth analyzing.

Mining Business-Relevant RBAC States through Decomposition

25

4.2 Entrustability Based on the previous observations, we are interested in finding the decomposition that produces pseudo-roles with frequencies either close to 1 or to 0. In the following we show that the entropy concept [8] is a natural way to capture these circumstances. Let A be the set of all values assumed by a given business information—for instance, A can represent the “job title” information, and one of the actual values a ∈ A can be “accountant”. Let P := {UPa1 , . . . , UPan } be a n-partition of UP induced by the business information A such that the number of subsets are n = |A|, each subset is such that UPai ⊆ UP , the subset indices are ∀i ∈ 1, . . . , n : ai ∈ A, and the subset  are such that UP = a∈A UPa . UPa indicates all assignments that “satisfy” the attribute value a (e.g., if A represents the “job title” information, all the assignments where users are “accountant” are one subset). Notice that, according to the previous partition definition, subsets can overlap, namely |UPa ∩ UPa | ≥ 0 when users or permissions can be associated to more than one attribute value. Let Ra be the set of all pseudo-roles that  can be generated within the subset UP a , and R := a∈A Ra ∪R∗ where R∗ represents the pseudo-roles belonging to UP before decomposing it. Notice that the same pseudo-role might belong to both R∗ and another set Ra , namely |R∗ ∩ Ra | ≥ 0, but not necessarily with the same frequencies. Let A ∈ A be the random variable that corresponds to a value of the given business attribute, while the random variable R ∈ R denotes a pseudo-role generated by a generic user-permission assignment. Let Pr(ˆr) be the empirical probability of a pseudo-role rˆ ∈ R being generated by an unspecified user-permission assignment. More specifically, Pr(ˆr) := where

1  g(ω, rˆ) |UP | ω∈UP

⎧ ⎪ ⎪ ⎨1, ω generates rˆ in UP ; g(ω, rˆ) := ⎪ ⎪ ⎩0, otherwise.

Similarly, the empirical probability of a pseudo-role being generated by an unspecified user-permission assignment that “satisfies” the business attribute a is Pr(ˆr | A = a) :=

1  ga (ω, rˆ) |UPa | ω∈UP a

where

⎧ ⎪ ⎪ ⎨1, ga (ω, rˆ) := ⎪ ⎪ ⎩0,

ω generates rˆ in UPa ; otherwise.

Notice that, for each attribute value a, when rˆ ∈ Ra , then Pr(ˆr) corresponds to the frequency definition. Conversely, if rˆ ∈ R \ Ra , then Pr(ˆr) = 0. As stated before, the natural measure for the information of the random variable R is its entropy H(R). The binary entropy, defined as  H(R) := − Pr(ˆr) log2 Pr(ˆr) rˆ∈R

26

A. Colantonio et al.

quantifies the missing information on whether the pseudo-role rˆ is generated from some unspecified user-permission assignment when considering the set UP as a whole. By convention, 0 × log2 0 = 0. The conditional entropy is defined as   Pr(a) Pr(ˆr | A = a) log2 Pr(ˆr | A = a) , H(R | A) := − a∈A



xˆr∈R

where Pr(a) := |UPa | / a∈A |UPa | measures the empirical probability of choosing an assignment that satisfies a. H(R | A) quantifies the missing information on whether the pseudo-role rˆ is generated from some unspecified user-permission assignment when A is known. The mutual information I(R; A) := H(R) − H(R | A) measures how much the knowledge of A changes the information on R. Hence, I(R; A) measures how much the knowledge of the business information A helps us to predict the set of users and permissions that are manageable by the same role within each subset. Since I(R; A) is an absolute measure of the entropy variation, we introduce the following measure for the fraction of missing information removed by the knowledge of A with respect to the entropy H(R) before partition: entrustability(A) :=

I(R; A) H(R | A) =1− . H(R) H(R)

By selecting the decomposition with the highest entrustability value, we choose the decomposition that simplifies the subsequent role mining analysis most. Notice that the previous equations consider one business attribute at a time. Given  business information A1 , . . . , A , it is simple to extend the definition of the entrustability index by partitioning UP in subsets of assignments that contextually satisfies all business information which has been provided.

5 Results and Discussion To demonstrate the usefulness of the proposed approach, we show an application to a real case. Our case study has been carried out on a large private organization. Due to space limitation, we only report on a representative organization branch that contained 50 users with 31 granted permissions, resulting in a total of 512 user-permission assignments. We adopted several user and permission attributes at our disposal. In order to protect organization privacy, some names reported in this paper for business attributes are different from the original ones. According to the proposed approach, we computed the entrustability index for each available business information. To further demonstrate the reliability of the methodology, we introduced a control test. That is, we try to categorize users according to the first character of their surname. Since this categorization does not reflect any access control logic, our methodology reveals that—as expected—partitioning by surname does not help the mining phase. Table 1 reports on the outcome of the analysis—it also specifies whether the attributes were used to partition user-permission assignments by users or

Mining Business-Relevant RBAC States through Decomposition

27

Table 1. entrustability values of the analyzed business information Attribute Job Title Unit Cost Center Organizational Unit Building Application Division Surname

User

Perm

entrustability 1.00 0.93 0.85 0.82 0.58 0.49 0.46 0.02

by permissions. According to the reported values, the “Job Title” information induces the most suitable partition for the attribution of business meaning to roles. As a matter of fact, when entrustability equals 1, each subset can be managed by just one role. Unsurprisingly, the categorization by surname leads to an entrustability index that is very close to 0, indicating that the role engineering task does not substantially change its complexity after decomposition. To better understand the meaning of the entrustability values obtained from our analysis, Figure 1 depicts user-permission relationships involved with subsets for each partition. In particular, we report on the attribute values that identify each subset, the entropy value H(R) computed for each subset, and a matrix representation of userpermission assignments, where each black cell indicates a user (row) that has a certain permission (column) granted. Figure 1(a) visually demonstrates why the Job Title information leads to a value for entrustability that equals 1. Indeed, in this case all users sharing the same job title always share the same permission set. Therefore, by creating one role for each subset, we provide roles that can straightforwardly be associated with users whenever they join the organization (and get their job title for the first time) or change their business functions (and thus likely change their job title). Another piece of information that induces a good partition is Unit. As is noted from Figure 1(b), almost all users within each group share the same permission sets. For example, within the unit “Personal Communication Unit” there is one user (the first one) that has an additional permission granted compared to other users of the same unit. For this reason, the identification of roles needed to manage these users requires a little more investigation—hence, leading to a non-zero entropy value, that is, H(R) = 0.98. This example also raises another important point: even though the entrustability value for Job Title is higher than for Unit, the Unit information induces fewer and larger subsets, hence allowing to cover all user-permission relationships with fewer roles. In general, the smaller the subsets, the more likely it is that the entrustability index is high. However, small subsets reduce the benefits introduced by RBAC in terms of administration effort, due to the limited number of user-permission relationships that can be managed via a single role. Hence, a trade-off should be reached between entrustability value and subset dimensions. An alternative approach could be to further partition those subsets that have high entropy values by introducing other pieces of business information. In

28

A. Colantonio et al.

Consultant Category Manager Product Manager Customer Services Assistant Senior Product Manager CS Tech.Spec.–VPN Vice President Partnership CS Tech.Supp.Admin.–VPN CS Tech.Supp.Admin.–Res. Senior Category Manager

Temporary Assistant Member of Fraud Analysis Team Senior Marketing Project Manager

H(R) = 0.00 H(R) = 0.00 H(R) = 0.00 H(R) = 0.00 H(R) = 0.00 H(R) = 0.00 H(R) = 0.00 H(R) = 0.00

CS Consultant Revenue Assurance Specialist

H(R) = 0.00 H(R) = 0.00

Fraud Analysis Specialist Assistant CS Tech.Spec.–Res. Junior Fraud Analysis Specialist Inform. & Knowledge Base Manager

H(R) = 0.00 H(R) = 0.00 H(R) = 0.00 H(R) = 0.00 H(R) = 0.00 H(R) = 0.00 H(R) = 0.00 H(R) = 0.00 H(R) = 0.00 H(R) = 0.00

(a) Job Title Sales Unit

H(R) = 0.00

Fraud Management Unit Preproducts Unit Revenue Assurance & Billing Unit N/A Marketing Projects Management Unit Personal Communication Unit

H(R) = 0.00 H(R) = 1.26 H(R) = 0.00 H(R) = 0.00 H(R) = 0.00 H(R) = 0.98

CS Operations Unit Terminal Management Unit

H(R) = 0.00 H(R) = 0.00

CS Operations Unit II

H(R) = 1.62

Technical, Data & Multimedia Support H(R) = 0.00 Information & Knowledge Base Unit H(R) = 0.00

(b) Unit Customer Service 78300 H(R) = 0.00 59000 H(R) = 0.00 63002 H(R) = 0.00

H(R) = 0.00 Alabama

H(R) = 1.76

Alaska

H(R) = 3.48

Arizona Arkansas

H(R) = 3.69 H(R) = 0.00 H(R) = 0.00 H(R) = 0.00

External Customers H(R) = 1.86 Internal Customers H(R) = 1.95

49000 H(R) = 1.65 71800 H(R) = 0.00 52000 H(R) = 1.83 72400 H(R) = 0.00 72100 H(R) = 1.62

(c) Cost Center

Technical Rep. Sales

H(R) = 0.00 H(R) = 0.00

Finance Marketing Product Division Customer Service II

H(R) = 1.65 H(R) = 1.07 H(R) = 0.00 H(R) = 1.23

California Colorado

Connecticut H(R) = 1.92

(e) Building

(d) Organizational Unit

Marketing H(R) = 2.33 Sales H(R) = 0.00 A-M

H(R) = 5.68 Cust.Serv. H(R) = 3.80 App1 App2 App3 App4 App5 Finance H(R) = 3.96 H(R) = 2.89 H(R) = 0.68 H(R) = 0.00 H(R) = 3.68

(f) Application

H(R) = 1.65

(g) Division

N-Z

H(R) = 5.32

(h) Surname Fig. 1. Graphical representation of user-permission relationships involved with subsets of each partition and corresponding entropy values

Mining Business-Relevant RBAC States through Decomposition

(a) ϕ = 32/70

(b) ϕ = 24/70

(c) ϕ = 8/70

(d) ϕ = 3/70

(e) ϕ = 2/70

29

(f) ϕ = 1/70

Fig. 2. Pseudo-roles (top figures, highlighted in red) and corresponding user-permission assignment generators (bottom figures, highlighted in yellow)

the previous case, the subset identified by the unit named “CS Operations Unit II” (see Figure 1(b)) involves users with two job titles: if we recursively apply our methodology and divide the unit “CS Operations Unit II” according to the Job Unit information, we will obtain an entrustability value that equals 1. Hence, obtaining larger roles when compared to the partition by Job Title only. Figure 1(g) also demonstrates that not every bit of business information improves the role finding task. Although analyzing the data as a whole is obviously more difficult than analyzing smaller subsets, in this case there are still uncertainties regarding the identification of roles. For instance, it is not trivial to assign a meaning to possible roles—without any further information—within the division “Cust.Serv.”, namely the division with the highest entropy value. Finally, Figure 1(h) clearly shows that surname information is completely useless. In fact, if we compute the entropy of the entire userpermission assignment, we obtain the value H(R) = 5.69. In this case, the entropy values for users “A-M” and “N-Z” are almost the same as before the decomposition. To conclude, Figure 2 depicts all the pseudo-roles that can be identified in a simple case represented by the cost center named “52000” (from Figure 1(c)), which numbers 8 users, 11 permissions, and 70 user-permission assignments. Each figure from Figure 2(a) to Figure 2(f) shows a different pseudo-role. At the top of each figure, a binary matrix shows all the user-permission assignments covered by the pseudo-role (dark red cells are existing assignments covered by the pseudo-role, light red are nonexisting assignments). At the bottom, another matrix shows the assignments that generate the pseudo-role (highlighted in yellow). Notice that when the pseudo-role frequency is high (e.g., Figure 2(a) and Figure 2(b)), it likely contains a role for managing most of the assignments. Conversely, unfrequent pseudo-roles (e.g., Figure 2(e) and Figure 2(f)) identify assignment sets that are not worth investigating due to the reduced number of assignments that can be managed by a single role.

6 Concluding Remarks This paper describes a methodology that helps role engineers to leverage business information during the role mining process. In particular, we demonstrate that by dividing data into smaller, more homogeneous subsets, it practically leads to the discovery of more meaningful roles from a business perspective, decreasing the risk factor of making errors in managing them. To drive this process, the entrustability index has been introduced to measure the expected uncertainty in locating homogeneous set of users and permissions that can be managed by a single role. Leveraging this index allows to

30

A. Colantonio et al.

identify the decomposition that increases business meaning in elicited roles in subsequent role mining steps, thus simplifying the analysis. The quality of the index is also guaranteed by analysis. Several examples, developed on real data, illustrate how to apply the tools that implement the proposed methodology, as well as its practical implications. Those results support both the quality and the practicality of the proposal.

References 1. ANSI/INCITS 359-2004, Information Technology – Role Based Access Control (2004) 2. Colantonio, A., Di Pietro, R., Ocello, A.: A cost-driven approach to role engineering. In: Proc. ACM SAC, pp. 2129–2136 (2008) 3. Colantonio, A., Di Pietro, R., Ocello, A.: Leveraging lattices to improve role mining. In: Proc. IFIP SEC, pp. 333–347 (2008) 4. Colantonio, A., Di Pietro, R., Ocello, A., Verde, N.V.: A formal framework to elicit roles with business meaning in RBAC systems. In: Proc. ACM SACMAT, pp. 85–94 (2009) 5. Colantonio, A., Di Pietro, R., Ocello, A., Verde, N.V.: ABBA: Adaptive bicluster-based approach to impute missing values in binary matrices. In: Proc. ACM SAC, pp. 1027–1034 (2010) 6. Colantonio, A., Di Pietro, R., Ocello, A., Verde, N.V.: Taming role mining complexity in RBAC. Computers & Security. In: Challenges for Security, Privacy & Trust (2010) 7. Colantonio, A., Di Pietro, R., Ocello, A., Verde, N.V.: Taming role mining complexity in RBAC. Computers & Security. Challenges for Security, Privacy & Trust (2010) 8. Cover, T.M., Thomas, J.A.: Elements of Information Theory. Wiley-Interscience, Hoboken (2006) 9. Coyne, E.J.: Role-engineering. In: Proc. ACM RBAC, pp. 15–16 (1995) 10. Ene, A., Horne, W., Milosavljevic, N., Rao, P., Schreiber, R., Tarjan, R.E.: Fast exact and heuristic methods for role minimization problems. In: Proc. ACM SACMAT, pp. 1–10 (2008) 11. Frank, M., Streich, A.P., Basin, D., Buhmann, J.M.: A probabilistic approach to hybrid role mining. In: Proc. ACM CCS, pp. 101–111 (2009) 12. Heikinheimo, H., Vreeken, J., Siebes, A., Mannila, H.: Low-entropy set selection. In: Proc. SIAM SDM, pp. 569–580 (2009) 13. Kuhlmann, M., Shohat, D., Schimpf, G.: Role mining – revealing business roles for security administration using data mining technology. In: Proc. ACM SACMAT, pp. 179–186 (2003) 14. Molloy, I., Chen, H., Li, T., Wang, Q., Li, N., Bertino, E., Calo, S., Lobo, J.: Mining roles with semantic meanings. In: Proc. ACM SACMAT, pp. 21–30 (2008) 15. Molloy, I., Li, N., Li, T., Mao, Z., Wang, Q., Lobo, J.: Evaluating role mining algorithms. In: Proc. ACM SACMAT, pp. 95–104 (2009) 16. Neumann, G., Strembeck, M.: A scenario-driven role engineering process for functional RBAC roles. In: Proc. ACM SACMAT, pp. 33–42 (2002) 17. Röckle, H., Schimpf, G., Weidinger, R.: Process-oriented approach for role-finding to implement role-based security administration in a large industrial organization. In: Proc. ACM RBAC, vol. 3, pp. 103–110 (2000) 18. Schlegelmilch, J., Steffens, U.: Role mining with ORCA. In: Proc. ACM SACMAT, pp. 168–176 (2005) 19. Tatti, N.: Maximum entropy based significance of itemsets. Knowledge and Information Systems 17(1), 57–77 (2008) 20. Vaidya, J., Atluri, V., Warner, J.: RoleMiner: mining roles using subset enumeration. In: Proc. ACM CCS, pp. 144–153 (2006) 21. Zhang, D., Ramamohanarao, K., Ebringer, T.: Role engineering using graph optimisation. In: Proc. ACM SACMAT, pp. 139–144 (2007)

Group Dynamics in a Security Risk Management Team Context: A Teaching Case Study Rostyslav Barabanov and Stewart Kowalski Department of Computer and Systems Sciences, Stockholm University, Isafjordsgatan 39, 164 40 Kista, Stockholm, Sweden [email protected], [email protected]

Abstract. This paper discusses the results of a correlation study performed at Stockholm University, which investigated the possible connection between the make-up of security risk management teams and their performance. Three different models were used to construct team composition profiles and were (separately) tested as the seven participating teams completed two practical security risk management tasks. The study has shown that there is a possible correlation between the teams’ diversity in terms of the combinations of work related preferences and tendencies (including both risk management specific ones, and non-specific to the risk management context) of their members and the teams' performance. Keywords: Group Dynamics, Security Management, Risk Management, Work Teams.

1 Introduction Risk management research is often based on the assumption that individuals make rational choices without considering how social group dynamics are involved. This paper examines some of the group dynamics factors that can affect teams and individuals in the risk management process. More specifically, the central area under discussion in this paper will be the work related preferences and tendencies of the individuals that make up a security risk management team and their ability to perform effectively. The study discussed in this paper was carried out at the Department of Computer and Systems Sciences at Stockholm University as part of a Master Thesis project. Space does not allow cover the same scope and level of details in this paper as presented in the original thesis1. The paper is divided into five main sections. Following this short introduction, the motivation for the study will be outlined in brief in section two. Sections three and four describe how the study was set up and carried out and the results it produced respectively. Section five, which is the concluding part of this paper, reflects on the study's findings. 1

A full copy of the thesis, which provides more in-depth information about the study, can be requested by sending an e-mail to the authors.

K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 31–42, 2010. © IFIP International Federation for Information Processing 2010

32

R. Barabanov and S. Kowalski

2 Brief Background Teams are widely employed in decision-making activities today [1]. This is not at all surprising bearing in mind that teams not only potentially provide an assortment of complementing abilities that any single individual cannot hope to possess and can additionally offer a set of unique perspectives, which may be instrumental in reaching objective decisions. A number of studies show that there is a clear connection between the various kinds of diversity of the teams’ compositions and team performance [2] [3], greater diversity generally being associated with greater effectiveness, particularly when it comes to creative cognitive tasks. There can be different kinds of diversity in regards to the composition of teams (e.g. cultural predisposition, skill sets, personality traits or types, ages and gender, etc.). Is a well known practice in security management that diversity is important and can provide the team with an array of complementary abilities and viewpoints [4]. One established and fairly widespread way of modelling team composition in order to better understand and shape team performance is in terms of team roles. A team role can be defined as the teamwork related function a member performs in the team. There are numerous team roles theories (models) in existence; perhaps, the two most widely recognized are Belbin’s [5] and Margerison-McCann’s [6]; and these models do indeed suggest that the team’s diversity (in terms of the team roles typologies put forward in the models) is directly related to the team’s performance. These models, however, are not designed to accommodate any specific occupational contexts (e.g. those of security and risk management), raising the question of how (to what extent) universally applicable they are, whether there is a way to complement them in the specific field of interest (security risk management, in this given case), or whether a model that incorporates more context specific factors for profiling teams could be of greater use. This, in essence, introduces the basic premise for the study to be discussed in the paper. The intention of the study in question was to examine the fairly unexplored connection between the team members’ preferences and tendencies that have a conceptually, explicit relation to risk management (e.g. perceptions of risk) and team’s effectiveness in that context; and also to put it in contrast with one common and established way to model team composition, in terms of the members’ preferences towards certain work functions within the team (i.e. team roles). The study was built on the notion that greater diversity of these work related preferences and tendencies in team composition is beneficial to team performance. It was also though that the concept of diversity alone may not be sufficiently descriptive of the more and less preferred team member distributions in some cases. Consider a task that may require a combination of diverse viewpoints in order to be completed effectively. In this case certain viewpoints being significantly predominant in the team could potentially defeat the purpose of diversity by suppressing the less represented ones instead of factoring them into the decisions. Thus, it was thought that a certain degree of balance may be necessary in addition to the diversity and so further attention was given to how even the preferences/tendencies were distributed among the team members.

Group Dynamics in a Security Risk Management Team Context: A Teaching Case Study

33

3 Design of the Study This section consists of three parts. The first part provides an overview of the study; while the second and third parts offer an explanation of how the two main facets of the study, creation of team profiles using different models and theories and testing the performance of the participating teams so that any correlation with the former facet could be examined, were set up and carried out and some of the reasoning that lay behind them. 3.1 Study Outline In order to attain its goals, the study made use of an existing Master level academic course in (corporate) security management. The figure below attempts to illustrate the connection between the said course and the study by means of a simple Input – Process – Output model.

Fig. 1. The variables in the study contrasted by the variables in the course

As can be construed from the above figure, the course provided both the context (i.e. security risk management) and the sample for the experiment, as well as the means for quantifying the sample’s performance in that context. While the study itself focused on testing the sample population in order to create team composition profiles with respect to the individual team members’ inclinations within the typologies of the chosen models, and quantitatively examining the correlation between the teams’ compositions and their performance. It can also be deduced from the figure that the Inputs (the risk management assignments and the tests) were the independent variables in the study and the Outputs (the teams’ ranked performance results and their correlation, if any, with the teams’ composition) were the dependent variables. 3.2 Team Modelling In total, three different tests were used to create profiles for the teams in terms of their composition. The Cognitive Reflection and Team Roles tests are existing tests that have simply been adopted for the purpose and context of this study; whereas the

34

R. Barabanov and S. Kowalski

Myths of Nature test has been devised specifically for this study, but using existing theories related to perception of risk. The Team Roles Test was presented in electronic form and completed by the participants online, while the other tests were presented in paper based form. Cognitive Reflection Test (CRT). This test was formulated by Shane Frederick at the Massachusetts Institute of Technology [7]. The test consists of three seemingly simple questions as shown below: 1) A bat and a ball cost $1.10 in total. The bat costs a dollar more than the ball. How much does the ball cost? __________cents 2) If it takes 5 machines 5 minutes to make 5 widgets, how long would it take 100 machines to make 100 widgets? __________minutes 3) In a lake, there is a patch of lily pads. Every day, the patch doubles in size. If it takes 48 days for the patch to cover the entire lake, how long would it take for the patch to cover half of the lake? __________days The objective of the CRT, as the name implies, is to measure how predisposed the respondents are towards reflecting on the decisions they make before finalizing them. More formally, it can be said that this test measures the respondents’ tendency to involve either System 1 or System 2, as they are called by Stanovich and West, cognitive processes in the decision making [8]. System 1 processes being the more quick, unconscious, and intuitive. System 2 processes being the more slow, conscious, and reflective. In order to demonstrate how this test accomplishes its objective, one of the questions can be used as an example. After examining the first question (“a bat and a ball”), for most individuals the intuitive answer “10 cents” springs to mind, which happens to be incorrect; upon further consideration (reflection), the individual can arrive at the right answer, which is “5 cents”. Likewise, the second and third questions have the intuitive answers “100 minutes” and “24 days”, often given, or at least temporarily considered, instead of the correct answers [7], which are “5 minutes” and “47 days” respectively. On close examination, the mathematical problems posed in the questions appear to be very simple, considering the expected target audience for the test. Thus, the outcome of this test is greatly dependent on the respondent’s propensity to either rely on the System 1 cognitive processes (settling on the more intuitive, but incorrect solutions) or the System 2 cognitive processes (further reflecting on the problem until the correct solution is found) when attempting to solve the problems, and not so much on their cognitive ability. The above have direct implications on how individuals perceive and act towards risk. Research shows that the persons who score high (give more accurate answers) on this test tend to have higher risk appetite when dealing with prospective gains and, conversely, lesser risk appetite when dealing with prospective losses in relation to the persons who score low. [7] Hence, the behaviour of the persons scoring low on the test is consistent with the reflection effect suggested by the Prospect Theory [9] and the high scoring persons seem to be inclined towards the contrary. As could be expected from their tendency to favour System 2 over System 1 processes when making decisions [10], it was also found that the respondents getting

Group Dynamics in a Security Risk Management Team Context: A Teaching Case Study

35

higher scores on this test are generally more prone to recognize and factor in the longterm implications of their choices, usually preferring the more delayed and larger rewards over the more immediate but smaller ones; and the opposite being true for persons who score low on the test [7]. The test was scored by the number of correct solutions (0 to 3). The team profile based on the results of this test thus consisted of the combination of the members' scores on the test. Myths of Nature Test (MNT). The concepts and theories on which the MNT is based on originated in Holling’s and Timmerman’s research into managed ecosystems [11] [12], where they noted that different managers can adopt different strategies under apparently similar circumstances and that this variance in decision making is associated with their perception of nature and assumptions about how it behaves. The various types of perception encountered were generalized into four “myths of nature”.

Fig. 2. Graphical representation of the four myths of nature

The four myths of nature were conceptualized in the shape of a ball on different types of landscape as shown on the figure above. The conceptualization can be understood when picturing the consequences of a force being applied to the ball (in undefined trajectory). In Nature Capricious the ball can move in any direction, making this nature unpredictable and any attempts to anticipate or plan for changes in its state futile. Nature Benign suggest that nature is highly predictable, with the ball always ending up at the bottom of the basin, and also very robust since, regardless of the amount of force applied, equilibrium will be restored; thus, although future events can

36

R. Barabanov and S. Kowalski

be predicted, there is little (if any) need for them to be managed. In the case of Nature Ephemeral, nature is deemed fragile and unsecure, with a careless act potentially having disastrous consequences (balance can be easily lost resulting in the ball falling off), implying extreme care must be taken in managing the nature. The remaining nature, Nature Perverse/Tolerant, assumes that there are limitations to the nature’s robustness and predictability, suggesting that discernment of those limits and appropriate regulation are required to maintain stability (prevent the ball from getting knocked over the rim). Since the perception of nature in this context can be associated with the perception of and, consequently, approach to uncertainty, it is also related to the perception of, and approach to unknown risk thus each myth of nature can be connected to a distinct managerial style being applicable to the domain of risk management. The myths have been linked to the four types of social relationships identified in the Cultural Theory of risk [13] [14]. Nature Capricious subscribers being the Fatalists, Nature Benign – Individualists, Nature Ephemeral – Egalitarians, and Nature Perverse/Tolerant being the Hierarchists. One can also deduce that the “natures” assume different risk appetites, Capricious – Risk Neutral, Benign – Risk Seeking, Ephemeral – Risk Averse, and Perverse/Tolerant – tolerant of some risks but not all. The study participants were presented with both the graphical representation and a textual explanation of the Natures. An attempt was made to make the description of the Myths concise and non-suggestive (and the names of the Myths were replaced with numbers 1 through 4). The textual description of the Myths given to the study participants (but with numbers instead of the original names) was the following: • Capricious – largely unpredictable; an action could have completely unforeseen results. It’s impossible to tell how the situation will play out in the long run. • Perverse/Tolerant – robust and predictable within certain limitations; forcing the nature beyond those limitations could have severe consequences. • Benign – largely robust; it tends to reinstate equilibrium over time by itself. Actions have consequences but in the long run the balance is maintained. • Ephemeral – largely fragile; it must be treated with care because an action could easily upset the balance and have severe consequences. The study participants were asked to write down which one of the four Myths they thought to be the most agreeable. Thus, the team profile based on the results of this test consisted of the combination of the members' Myths preferences. Team Roles Test (TRT). The Team Roles model used in this study was developed by Psychtests, a subsidiary of Plumeus Inc., which is a high-tech company based in Montreal, Canada, that specializes in psychological test development and related products and services. Further information about the company can be obtained from their website (http://www.psychtests.com). A statement of compliance with the APA (American Psychological Association) standards for educational and psychological testing is likewise available on Psychtests’s website [15]. Similarly to other existing Team Roles models, (e.g. Belbin’s [5] or MargerisonMcCann’s [6]) the TRT used in the study suggests that the ways in which persons generally contribute to the team or the roles that they tend to assume in a team, can be

Group Dynamics in a Security Risk Management Team Context: A Teaching Case Study

37

categorized into certain types. In the case of this particular test, it is suggested that there are ten distinct team role types, which are as follows: • Brainstormer – Imaginative and ambitious, they are excellent at generating ideas (although, they often do not consider practicality thereof). • Cheerleader – Strive for collaboration and agreement in the team and tend to be keen on motivating team members and keeping the morale up. • Coordinator – Good organizers; they have a propensity to keep track of resources (human, physical, temporal, etc.), prioritize, and distribute them appropriately. • Go Getter – Highly motivated and guided by strong personal values, they are very enthusiastic about achieving set goals and inspiring others towards that end. • Networker – Above all, these individuals contribute to the work by gathering and dispersing useful information through social means in and outside the team. • Peacemaker – Good at preventing and resolving conflict, they strive for harmony and facilitate continuation of synergy in the team. • Questioner – Objective, sceptical and insightful, they are rather inquisitive about reasoning behind decisions and are good at providing an alternative viewpoint. • Team Worker – Ideal team players; they are team oriented and well motivated to do their part and help their team mates to theirs. • Thinker – Good at analysis and planning, Thinkers often contribute to the team by devising practical solutions out of good but indistinct ideas. • Verifier – Mainly distinguished by their upmost attention to detail and tendency to maintain proper procedures, they provide quality control for the team. Team Roles theories are generally based on Jung’s theory of Psychological Types [16]. Team roles characterize behaviour, while personality traits and types can influence behaviour but are not types of behaviour themselves. Another notable distinction between team roles and personality traits and types is that team roles are subject to change due to both internal (e.g. a person’s preferences can change over time) and external (e.g. expectations and requirements of a certain work assignment, rather than personal preferences, may dictate which functions need to be filled) factors, while personality traits/types are known to be largely stable. TRT was presented to the study participants in electronic form, consisting of 40 multiple choice questions. Scoring was automatic and was provided by Psychtests. The test measures the person’s affinity for each role type on a scale of 1 to 100; the higher the score, the higher the affinity. Therefore, the role type for which the highest score is attained is the one that the person is best suited for and most likely to take on (given the choice). However, Team Roles theories generally state that people can and will assume different team roles as may be required by the circumstances. Based on the size of the teams in the study and the number of team role types in the selected typology, it was decided to take into account each respondent's three highest test scores when creating team profiles; however, the person was assumed to only be able to take on 2 out of the 3 team roles, their absolute highest score and one of the other two, at one given time (as to avoid scenarios where one team member could be potentially undertaking three roles and another one potentially taking on only one).

38

R. Barabanov and S. Kowalski

3.3 Team Performance Testing The sample in the study consisted of seven groups. The groups were arranged in a semi-random fashion, before the participants took any of the tests featured in the study. The groups were originally comprised of 7 to 8 members each but, due to drop outs, came to be more varied in size (5 to 8 members), which was not damaging to the purpose of this study. Participants were dominantly male, in their mid twenties. Given the fact that the course was open to international/exchange students, the cultural variation was high. Leadership positions were assigned to certain group members, however, the groups were allowed to later rearrange their "administrative structure" by consensus of the members (allowing members the freedom to assume the roles according to their preferences and inclinations). A large part of the course this study was connected to encompassed an introduction of the participants to The OCTAVE Approach [4], which they were then instructed to use as the framework for completion of the assignments. Ranking criteria used for evaluating team performance was defined prior to the completion of assignments and the actual ranking was carried out by the teacher on the course. The two practical assignments given to the participants on the course were devised in collaboration with representatives from the global information security company Integralis and the power company Vattenfall, their brief description follows: • Assignment 1 – The CISO of Vattenfall, subsequently to having been contacted by Integralis regarding the possibility of outsourcing MSS to them, requests a 15 to 20 pages long written report and an up to 2 pages long executive summary explaining why IS/IT Security is important to the company’s core business, what is the reason and what are the implications of outsourcing it, and what would have to be done at Vattenfall in order to outsource. • Assignment 2 – The CEO of Integralis requests the CISO of Integralis to prepare a qualitative risk analysis and a mitigation plan regarding the MSS business area and is expecting a 10 to 15 pages long written report and an up to 2 pages long executive summary on the subject.

4 Outcome of the Study The team performance results were generally consistent between the two assignments with two apparent differences. One out of the seven teams did perform notably better on the second assignment while another team's performance slightly decreased in the long run. Although statistics are always subject to some variation and a number of various extraneous variables could have instigated the discrepancies, some of the possible explanations appeared to be more likely based on informal interviews and observations of the participants. The team that did better on the second assignment may have been hindered by inadequate ability of the leadership to coordinate their efforts in the early stages of group development [17]. The team that did worse may have had difficulty resolving internal conflict, reducing the team's productivity over time [18].

Group Dynamics in a Security Risk Management Team Context: A Teaching Case Study

39

Below are the outcomes of the analysis of the team performance in correlation with the team profiles that were created with the results of each of the featured tests and across all the tests. 4.1 Cognitive Reflection Test This test produced inconclusive results, mainly because the team that achieved best ranking on both assignments produced extraneous results. If we remove this team, the remaining teams did end up more or less where their profiles suggested that they would. The two most diverse teams being placed 2d and 3rd, and the less diverse teams falling behind in comparison. Relatively high amount of highly reflective people (i.e. those who provide more accurate answers on the test) also seemed to correlate with superior performance of the team, which is not altogether surprising considering that, due to their expected time preferences, respondents who score high on the CRT are relatively more apt to planning, an essential aspect of risk management. 4.2 Myths of Nature Test Many of the teams appeared to have comparable profiles in terms of diversity and balance based on the results of this test, making the test unable to explain the teams' ranking order in good detail. However, the only two teams that had full coverage of Myths preferences (i.e. 4 out of 4 possible preferences were present in these teams; most other teams had the coverage of 3/4, and one team profile covering 2/4) did in fact come 1st and 2nd respectively on both of the assignments. That is, this test was able to predict/explain the positions of the two leading teams in the study with their success being attributed to their superior diversity. 4.3 Team Roles Test Diversity appeared to be a factor in the team’s success, with higher being better; but also that certain functions in the team work can possibly have especial influence on the team’s performance and neither a relative diversity nor good implementation of those functions may alone be enough to assure superior team performance, but a combination of both is required. This was not unanticipated, however. Greater diversity is an asset when there are means to adequately coordinate it, in other cases it may actually become a liability. Belbin [5], for instance, stresses the importance of a good Coordinator in a successful team. Another team role that his research has shown to have special significance can be said to be analogous to the Brainstormer found in the typology employed in this study. Indeed, when these two team roles were regarded as having elevated importance compared to the other ones, this test's results were able to explain the exact order of all the teams on the ranking list with reasonable (given that statistics are not an exact science) accuracy and in more detail than the other two tests used in the study.

40

R. Barabanov and S. Kowalski

4.4 Across the Tests Curiously, despite having quite different frames of reference, the three tests generally did not disagree in their prognoses, with the one notable exception being the leading team's expected level of performance on the CRT as opposed by the other two tests. Although the results were not entirely conclusive, greater diversity of the teams did generally correlate with greater performance. The notion that a team should benefit from its composition being more balanced additionally to being more diverse could not be substantiated, however, due to the lack of evidence both for and against it. The results of one team in particular stood out from the rest across all tests if one considers the context of this study. The team appeared to include fairly likeminded individuals who arguably possessed very favourable qualities for someone in a risk management position. More specifically, the members’ answers on the CRT were, overall, very accurate, suggesting that they are not prone to making hasty decisions without first looking for possible errors in judgement and, due to the expected time preferences, are inclined towards planning. All but one of the team members chose Nature Perverse/Tolerant on the MNT, suggesting that they view nature as more or less predictable, and therefore consider that any changes in its state can (and as it is not entirely unbreakable, possibly should) be planned for. The TRT results are also the least diverse of all the teams, centring around the Thinker role (one half of the members have it as their highest score and the other half have it among their three highest ones), which specializes in analysis and planning, arguably the fundamental activities of risk management. This team has only achieved mediocre performance results on both assignments, further supporting the notion that the team's diversity may be instrumental in the team's success.

5 Discussion on Implications of the Findings Looking back at the study's results, it is prudent to acknowledge certain limitations that it was subject to. One such limitation were the effects of individual qualities that could not be directly deduced from the results of the tests utilized (e.g. participants’ relative dominance, cognitive ability, etc) on the team performance that were treated as extraneous variables in the experiment, which was done not by choice but rather due to limited availability of (human) resources and certain ethical issues (that, for instance, could arise if the participants’ cognitive abilities were measured and then compared). Another evident limitation is, of course, the size of the sample, which is too small for any generalizations to be possible. One may, naturally, question how these limitations effect the accuracy and usefulness of the study results. A simple answer is that the intention behind this study was not to provide an allinclusive investigation into the area in question in itself, but to determine whether such investigation would indeed be prudent and, if so, instigate further research into the subject matter. This moreover corresponds with the methodology selected for the study, which is essentially top-down, or deductive rather than inductive, allowing for potential research that builds on the study to add to the details. For a more elaborate answer, the application of the results of this study must be considered. From a purely academic perspective of (social) science, the more inclusive the approach the higher

Group Dynamics in a Security Risk Management Team Context: A Teaching Case Study

41

its value; however, from the standpoint of practicality and economic feasibility of real-world applications (including but not limited to the fields of security and risk management), there is always a matter of trade-off between the said feasibility and usability of the approach, and its complexity and comprehensiveness. Bearing the above in mind, the implementation of the Team Roles model in this study was based on a reasonably simple hypothesis and yet has shown promising results. In addition, the Myths of Nature Test, while even simpler, has exhibited good potential in determining the leading teams in this study; if the test can be shown to produce such results consistently on a larger scale, it could be refined into a useful and practical (as well as cost-effective) tool devoid of unnecessary complexity. The two above mentioned tests can also be said to complement one another based on the study's outcome, which may create another possible dimension to their application. The Cognitive Reflection Test has produced inconclusive results, though, it may be too early to dismiss its usefulness in this context entirely for the same reason that it may be too early to draw any definitive conclusions about the other two tests based solely on the outcome of this study.

References 1. Foote, N., Matson, E., Weiss, L., Wenger, E.: Leveraging Group Knowledge for HighPerformance Decision-Making. Organizational Dynamics 31(3), 280–295 (2002) 2. Jackson, S.E., Joshi, A., Erhardt, N.L.: Recent Research on Team and Organizational Diversity: SWOT Analysis and Implications. Journal of Management 29(6), 801–830 (2003) 3. van Knippenberg, D., De Dreu, C.K.W., Homan, A.C.: Work Group Diversity and Group Performance: An Integrative Model and Research Agenda. Journal of Applied Psychology 89(6), 1008–1022 (2004) 4. Alberts, C.J., Dorofee, A.J.: Managing Information Security Risks: The OCTAVE Approach. Pearson Education, Boston (2003) 5. Belbin, R.M.: Management Teams: Why They Succeed or Fail, 2nd edn. Elsevier, Oxford (2004) 6. Margerison, C.J., McCann, D.J.: Team Management: Practical New Approaches. Management Books 2000, London (1995) 7. Frederick, S.: Cognitive Reflection and Decision Making. Journal of Economic Perspectives 19(4), 24–42 (2005) 8. Stanovich, K.E., West, R.F.: Individual Differences in Reasoning: Implications for the Rationality Debate? Behavioral and Brain Sciences 23(5), 645–726 (2000) 9. Kahneman, D., Tversky, A.: Prospect Theory: An Analysis of Decision Under Risk. Econometrica 47(2), 263–291 (1979) 10. McClure, S.M., Laibson, D.I., Loewenstein, G., Cohen, J.: Separate Neural Systems Value Immediate and Delayed Monetary Rewards. Science 306, 503–550 (2004) 11. Holling, C.S.: The Resilience of Terrestrial Ecosystems. In: Clark, C., Munn, R. (eds.) Sustainable Development of the Biosphere, pp. 292–317. Cambridge University Press, Cambridge (1986) 12. Timmerman, P.: Mythology and Surprise in the Sustainable Development of the Biosphere. In: Clark, C., Munn, R. (eds.) Sustainable Development of the Biosphere, pp. 436–453. Cambridge University Press, Cambridge (1986)

42

R. Barabanov and S. Kowalski

13. Schwarz, M., Thompson, M.: Divided We Stand: Redefining Politics, Technology and Social Choice. Harvester Wheatsheaf, New York (1990) 14. Thompson, M., Ellis, R.J., Wildavsky, A.B.: Cultural Theory. Westview Press, Boulder (1990) 15. Plumeus: Compliance with APA’s Standards for Psychological and Educational Testing (2006), http://www.psychtests.com/pdf/APA_Standards_Plumeus.pdf 16. Jung, C.G.: Psychological Types. In: Collected Works of C. G. Jung, 3rd edn., vol. 6, Princeton University Press, Princeton (1971) (Original work published 1921) 17. Wheelan, S.A.: Group Processes: A Developmental Perspective. Allyn & Bacon, Boston (1994) 18. Hackman, J.R.: The Design of Work Teams. In: Lorsch, J. (ed.) Handbook of Organizational Behavior, pp. 315–342. Prentice-Hall, Englewood Cliffs (1987)

Using Actor Network Theory to Understand Information Security Management Karin Hedström1 , Gurpreet Dhillon2 , and Fredrik Karlsson1 1

Örebro University, Fakultetsgatan 1, SE-701 82 Örebro, Sweden {karin.hedstrom,fredrik.karlsson}@oru.se 2 School of Business, Virginia Commonwealth University, 301 W. Main Street Richmond, VA 23220, USA [email protected]

Abstract. This paper presents an Actor Network Theory (ANT) analysis of a computer hack at a large university. Computer hacks are usually addressed through technical means thus ensuring that perpetrators are unable to exploit system vulnerabilities. We however argue that a computer hack is a result of different events in a heterogeneous network embodying human and non-human actors. Hence a secure organizational environment is one that is characterized by ‘stability’ and ‘social order’, which is a result of negotiations and alignment of interests among different actants. The argument is conducted through a case study. Our findings reveal not only the usefulness of ANT in developing an understanding of the (in)security environment at the case study organization, but also the ability of ANT to identify differences in interests among actants. At a practical level, our analysis suggests three principles that management needs to pay attention to in order to prevent future security breaches. Keywords: Information security, Computer hack, Actor network theory, IS security.

1

Introduction

There appears to be at least two schools of information security (IS) that largely pursue their own agendas without many cross-references. On the one hand there is the technical school [1,2] that has to a large extent focused on how technical solutions can prevent IS occurrences, such as computer hacks. However as technologies evolve, a technical fix may not help sustain the solution over a period of time. On the other hand, there is the socio-behavioural IS research [3] that concentrates specifically on understanding managerial and employee attributes that contribute to IS. But, just as technical fixes may not help sustain the solution nor can we rely on administrative procedures alone. Hence, it is prudent to understand IS occurrences, such as hacking, from a socio-technical point of view. Hacking is not only an effect of insufficient technical measures, nor the sole result from bad decisions. In this paper we argue that IS occurrences are best K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 43–54, 2010. c IFIP International Federation for Information Processing 2010 

44

K. Hedström, G. Dhillon, and F. Karlsson

viewed as socio-technical problems including human as well as non-human actors [4,5]. By viewing a computer hack as a result of events [6] within a heterogeneous network we will better understand the interplay between the social and the technical, thus increase our possibility to improve the computer security. The purpose of this paper is to illustrate the usefulness of Actor Network Theory (ANT) for understanding computer security management within an organization. In this paper we argue that security breaches and possible negative events are results of a lack of understanding of the complex inter-relationship between different actors. Such actors may be technological or human. While using the case of a computer hack in a public institution, we illustrate the inherent complexities in the interplay between the technical and the social. In a final synthesis the paper proposes that a socio-technical orientation in addressing IS would have helped in understanding the situation and in better managing the sequence of events at Stellar University. The paper proceeds as follows. Section 2 contains a discussion about the two schools of IS: technical and socio-behavioural. Section 3 describes our use of ANT as research method. Following this, Section 4 provides a short introduction to the hacker case at Stellar University. Section 5.1 reports on our analysis and with this basis we discuss our key findings in Section 6. Finally, the paper ends with a concluding discussion in Section 7.

2

From Technical to Socio-technical IS Research

IS research can broadly be classified into two categories - technical and sociobehavioural. The technical research has largely been focused on designing sophisticated devices and algorithms to protect the information resources. The socio-behavioural research on the other hand has devoted its interested to the understanding managerial and employee issues related to IS. While both categories of research have merit and over the past several years have made significant contribution to the body of knowledge, there are some fundamental limitations. Technically oriented IS research has a narrow design focus. The emphasis has been on creating sophisticated artifacts that help in protecting the information resources. Occasionally the technical IS research has made calls for considering the more organizational aspects of IS. For instance Thomas et al. [7] make a call for conceptualizing task based authorizations and Burns et al. [8] in discussing the meaning of security and safety. However, such calls have been rather limited. More often the technical IS community has aspired to develop security mechanisms with little relation to the context of use. This does not mean that technical IS researchers have not undertaken pertinent research. In fact the converse may be true. For instance, the importance of confidentiality as a requirement has always been highlighted and various privacy preserving mechanisms have been developed. In recent years technical IS researchers have had a renewed interest in the confidentiality requirements, particularly because of corresponding advances in computing. Along similar lines, Al-Muhtadi et al. [9] propose an authentication framework in the context of ‘active information spaces.’, and Myles et al.

Using ANT to Understand Information Security Management

45

[10] proposes a system that allows users to control their location information, thus helping preserve privacy in pervasive computing environments. While these, among others, may be important discoveries, they are limited in terms of the extent to which the social environment is understood. It is only when a given technology routine gets disturbed that a plethora of problems emerge. Technology routines get disturbed in different ways. At a simplest level, technology can be used to circumvent trust in interactions, causing disturbance in a routine. In August 2009 three individuals were apprehended by the police for gaining access to private details of another individual seeking massage services on Craigslist (www.craiglist.org). Following solicitation, the victim shared all his private details with the accused and ended up getting robbed. A more complex form of technology routine disturbance is when the rule inscribed in a computer based system fails to match those in the organization or the context. Any discordance in these results and security gets compromised. Dhillon et al. [11] illustrate such an occurrence in the case of a malaria research center computer crime situation. Therefore, while it may be prudent to design technical security mechanisms in response to what the context may demand, it is equally important to understand the natural setting in which various actors act. Problems emerge when the rather stable network of actors get disturbed, usually following some negative event. In an aspiration to grow and have a widespread appeal, Facebook allowed third party vendors to design widgets and applications. Such applications accessed more personal information about users than was necessary. It resulted in Californian and Canadian law suits on the grounds that Facebook was harvesting personal information of users. This lead to Facebook being forced to redefine its authentication and identification policies [12]. The intricate relationships between technology and actors have always been at the center of important discussions. In the context of IS, negotiation between authentication, identification and ownership of data has been identified [13]. This together with an inability to balance the needs and wants of various actors causes potential security breaches [14] and discussion on tensions between technology, security and privacy. Angell [15] has illustrated the notion of negotiation between different actors in terms of technical security access and individual rights. Some early research in the IS community [16], helped in bringing sociotechnical issues to the fore. Further evidence of the importance of human factors was rendered by Segev et al. [17], where aspects of internet security are discussed. While this marked the beginning of an appreciation for considering issues that went beyond the strict confines of technical IS concerns, there has been limited guidance in terms of identifying and articulating socio-technical IS. We believe that ANT [18,19], is one way forward in dealing with this.

3

Actor Network Theory

ANT has its roots in the field of sociology of science and technology [18,19], where researchers see knowledge as products of ‘network of heterogeneous

46

K. Hedström, G. Dhillon, and F. Karlsson

materials’ [4,5]. ANT is thus a social theory with the aim to understand the construction and transformation of heterogeneous networks including the social as well as the technical. Using this theory as a frame of reference also makes it suitable as a method for analysis [20]. ANT has successfully been used in the information systems field to examine, for example, the development of information infrastructure [21], the standardization process [22] or for understanding IT development within healthcare [23]. Using ANT makes us view the circumstances around a security breach as a heterogeneous network embodying human as well as non-human actors (or actants) [24]. Furthermore, it also forces us to ‘follow the actors’ [24] and to identify the associations that link the different actors together forming the network. Stability and social order is the product of a process of negotiation, aligning, or translating, different actants’ interests in the network [21] - an actor-network where everything runs smoothly. A working computer systems security solution is, in ANT, a product of negotiation. Different views are translated, and inscribed, into the solution. If or when stability occurs the actants see the network as a whole, forgetting about its parts (i.e., black-boxing). It is not until something happens that forces us to question its workings that we open up the black-box and start investigating the parts. ANT is a process oriented theory following the constructions of associations within the network. One common approach in ANT research is thus to align a series of events as a timeline [25,26], using critical events as a way to structure the material and guide the analysis (cf. [6]). A critical event is in our analysis an action that has transformed the actor-network and resulted in, or failed to result in, an inscription that has had import for explaining the events at our case at Stellar University. ANT includes a number of theoretical concepts that can be used to guide the analysis. We will not use all the concepts in our analysis, but rather a sub-set illustrating how ANT can help us disclose the interest and actions of the different actants in the case of Stellar University. By doing this we will better understand why it was possible to hack the computer systems at Stellar University. Table 1 contains a compilation of the concepts that we use during the analysis. One key feature of ANT is that it does not contain any a priori distinction between human and non-human actors. Both are viewed as active makers of actor networks and are included in the unifying actant concept. Furthermore, networks are changed through translation. A translation is the establishment of a new or changed relation between actants, and can be described as coexisting in a network to achieve a common goal. An example from the IS field is when policy makers agree to include a section on confidentiality in the organization’s IS policy, maybe in alignment with the ISO-standard. The translation model refers to the prioritization of interests, which means that things (artfacts, orders, goods) are ‘in the hands of people; each of these people may act in many different ways, letting the token drop, or modifying it, or deflecting it, or betraying it, or appropriating it. [. . . ] Each of the people in the chain is [. . . ] doing something essential for the existence and maintenance of the token [. . . ] and since the token is in everyone’s hands in turn, everyone shapes it according to their different projects.’ [27]

Using ANT to Understand Information Security Management

47

Table 1. Key concepts in the ANT framework used in this study Concept

Interpretation of the Concept

Actant

An actant is a human or non-human actor that takes the shape they do by their relations to other actants, such as a policy maker, a user and an information system. Actor Network A heterogeneous collection of aligned interest, including for example, policy makers, users and computer systems. Event An action that has transformed the actor-network and resulted in, or failed to result in, inscriptions that had import for explaining the analyzed situation. Interest What an actant wants to achieve with an action, for example what a policy maker wants to achieve with including a section on confidentiality in the IS policy. Enrollment When an actant seeks to influence another actant to act in a particular manner. For example, when a policy maker provides arguments to include a specific rule in the IS policy. Translation The creation of an alliance concerning a specific issue between human actors and non-human actors, for example, an agreement to include a section on confidentiality in the IS policy. Inscription A frozen organizational discourse. For example, the materialization of interests in an IS policy that includes a section on confidentiality.

Often such a translation requires enrollment where an actant seeks to influence how another actant should take its shape, or act, in the network. An example of enrollment in IS is when a security manager tries to influence a user to logout from the computer when leaving the room - because it is important to keep the information confidential. Enrollment and translation can result in inscriptions, where interests are inscribed into written material or technical systems. If we continue our example above, a policy maker and a system administrator can decide to use password protection as a way to implement confidentiality which is stated in the IS policy. Considering the purpose of the paper, to illustrate the usefulness of ANT for understanding computer security, we will not cover the complete Stellar University case. We have chosen to analyze the translation process from introducing a specific server until the computer system at Stellar University was hacked. Hence, we focus on the different actants and nine events that formed the computer systems security network at Stellar University. We believe this is the most interesting aspect of this case, since it shows how ANT can be used to analyze current computer systems security solutions and reduce the risk of black-boxing such solutions. Empirical work for the case was undertaken over a period of 8 months. The purpose of the case study was to understand the intricate relationship between the technology and the human actants. We went into the case considering that the hack occurred largely because of a technical failure, but soon to realize that

48

K. Hedström, G. Dhillon, and F. Karlsson

there were a range of behavioral and process related issues. In a final synthesis, the researchers however began appreciating the intricacies of technology and human actor dependence. All major stakeholders were interviewed, particularly guided by a socio-technical perspective. In all some 32 hrs of relevant interviewing was undertaken.

4

Case Description: Hack Discovered at Stellar University

This case study is based on a series of events, which occurred over a period of two years at the Stellar University. Stellar University is a public educational institution, which contains a diverse range of technologies. In this open and diverse environment, security is maintained at the highest overall level possible. Many of the systems are administered by personnel who have other primary responsibilities, or do not have adequate time, resources or training. For example, if the system is not reported as a server to the network group, no firewall or port restrictions are put into place. This creates an open, vulnerable internal network, as it enables a weakly secured system to act as a portal from the outside environment to the more secured part of the internal network. Some departments work cooperatively, sharing information, workload, standards and other important criteria freely with peers. Other areas are ‘towers of power’ that prefer no interaction of any kind outside the group. This creates a lack of standards and an emphasis on finger pointing and blame assignment instead of an integrated team approach. During the time that we followed this case a number of organizational changes took place. A shift in management focus to group roles and responsibilities, as well as a departmental reorganization caused several of the ‘towers of power’ to be restructured. These intentional changes were combined with the financial difficulties of the province and its resulting decrease in contributions to public educational institutions. The university was forced to deal with severe budgetary constraints and cutbacks. In this paper we focus on a specific server (which we call server_1). It was running Windows NT 4.0 with Service Pack 5 and Internet Explorer 4. It functioned as the domain Primary Domain Controller (PDC), Windows Internet Naming Service (WINS) server, and primary file and print server for several departments. On a Monday morning in February, the system administrator noticed a new folder on the desktop, and called the operating system administrator at the computer center. Upon signing on locally with a unique domain administrator level user ID and password, there were several suspicious activities that occurred. Multiple DOS windows popped up in succession. The suspicious folder was recreated and the processor usage spiked higher than normal. Antivirus definitions and the antivirus scan engine on the system were current; however the real-time protection process to examine open files was disabled. The assumption was that this may be the first action a hacker took so that the antivirus product did not interfere with the malware application installation. All of these circumstances added up to one immediate conclusion: that the system had most likely been compromised.

Using ANT to Understand Information Security Management

5

49

Actor Network Analysis of ‘The Computer Hack Case’

The understanding of why it was possible to hack the computer systems at Stellar University is illustrated through the negotiation process between key actants. We investigate the translation, or inscription, of their interests through different security measures, into the computer systems. In the analysis we show how actants fail to follow decisions or implement negotiated security measures, as they have other, more prioritized, interests. We also illustrate how the analysis reveals different inscriptions. Section 5.1 contains nine critical events that have in some way disturbed the actor-network or been important for its stabilization. This is in line with the event-based approach to ANT [6], where events are used as a way to structure the analysis, and synthesize key findings. The section below summarizes the analysis from the viewpoint of the events that have resulted in the possibility of hacking into the system. Each event is identified by a unique number. To each event we associate the actant carrying out the action and the the interests that guide them. In addition, we discuss the inscriptions, i.e., the materialization of the involved actants’ interests in the computer system, that the events have resulted in. We illustrate the case as a process from the point where the naming of server_1 created problems until the hacker got into the computer system forcing the systems administrator to open up the black box of server_1. 5.1

Negotiating Information Security

As the corporate culture at Stellar University is as heterogeneous as the network itself, together with a lack of standards, there are a lot of opportunities for different actants to create whatever level of security they prefer. The naming of the server_1, which we identified as the first event (‘E1’) is one example. This name was inscribed into the computer systems as the result of the action of the system administrator. He included an underscore in the system name (i.e., server_1) per his interpretation of the network suggestion. An older version of UNIX bind was utilized for the primary static DNS server by the networking group at Stellar University; hence the underscore was unsupported. There were possible modifications and updates that would allow an underscore to be supported, but these were rejected by the networking group. We identify this reject as the event ‘E2’. At the same time we conclude that this technical information was not clearly communicated between the two groups. The third event (E3) we identified is the networking group’s efforts to standardize the server names to include dashes. Nevertheless, the name ‘server_1’ became irreversible as the system administrator decided it was too much work to change the naming to ‘server-1’. A name change required reinstallations of a database manager and reconfigurations of all the computer systems in the domain. His priority was to ‘fire fight’ and keep everything running. After this event the University management decided to implement a new organization (E4). They had determined that all servers in the department should be located at

50

K. Hedström, G. Dhillon, and F. Karlsson

the computer center. This aligned with the roles and responsibilities of the computer center to provide an appropriate environment for the servers and employ qualified technical personnel to provide operating system support. Other groups (i.e., application development, database administration, client support) were to concentrate on their appropriate roles, which were much different than server administration. There were attempts to enroll the old systems administrators to support centralization of servers and technical personnel in order to ensure a secure computer system. This was, however, not very successful, as they continued to monitor and administrate the computer systems remotely. Server_1 was anyhow transferred to the computer center with new system administrators. Minimal system documentation and history were included, and since the new system administrators had not built the systems, reverse engineering was necessary to determine installed software and how the hardware and software were configured (E5). In order to stabilize server_1 the new system administrators scheduled a maintenance window to install Service Pack 6a (E6). However, this attempt was quite disastrous. Windows NT 4.0 Service Pack 6a would not apply and had to be aborted. The system administrators received error message of ‘could not find setup.log file in repair directory.’ The critical application that used SQL would not launch when signed on locally to the server as an administrator, and had an error. Due to the minimal system documentation the new systems administrator lacked the knowledge to solve the problem. As a result, no inscription was made in the actor network. From a security perspective it meant that the computer system was vulnerable to execution of remote code since the Microsoft Security Bulletin MS04-007 was never installed. Before next maintenance window research was accomplished to determine how to correct the error messages. Microsoft knowledge base article 175960 had a suggested corrective action for the ‘could not find setup.log file’ error. Further off-hours attempts finally allowed all service packs and security patches to be applied. This Successful installation is our seventh event (E7). The new systems administrators wanted to make modifications of the servers to bring them up-todate and more in line with current standards. A joint decision was made between the groups to replace the legacy hardware and restructure the environment in a more stable fashion, which was supposed to result in decreased the vulnerability of server_1 (E8). Several replacement servers were agreed upon, and a ‘best practices’ approach was determined. At that point, lack of manpower, new priorities, resistance to change and reluctance to modify what currently functioned caused a delay of several months. Hence, no inscription was done at that time. The final and ninth event is when the ‘Ken’ is granted access to server_1. This happens before that Monday morning in February. The DameWare trojan program DNTUS26, had managed to cause unwanted changes in the computer system. Netcat (nc.exe) was an active process, which may have been used to open a backdoor and gain access to the system due to the late inscription of Service Pack 6a and the delayed modifications of the servers (E6 and E7). Additionally, a key was added to the Windows Registry that would reinstall the malware if it was located and removed by a system administrator. Since the primary domain

Using ANT to Understand Information Security Management

51

controller was hacked and all of the domain security information was amassed in a hacker-created directory, it was assumed that the entire domain had been compromised. By implementing and running the Trojan program, ‘Ken’, a hybrid of the trojan software and the human hacker, acted as a delegate for the hacker, and actually managed to disturb the running of server_1. It is evident from the analysis why it was possible to hack server_1. It was a result of not enough negotiations between different actants, especially the lack of negotiation between the key players within systems administration: old and new systems administrators, the networking group and server_1. There was not enough willingness to discuss and collaborate. The associations between the different groups then became weak, thus making the actor-network vulnerable and instable. Another reason why it was possible to hack server_1 was due to the irreversibility of the computer system. Modifications, for instance changing the server name, were hard to make, and required many resources. This made server_1 an ‘immutabile mobile’, resistant to change. The hacking, however, forced everyone to open up the black-box of the university computer system and scrutinize its different parts.

6

Discussion of Key Findings

As has been discussed in Section 3, an actor-network is ideally a stable environment. If there is integrity among actions, interests and inscriptions, i.e., there is ongoing negotiation, then the chances of disturbances in the homogeneous network are minimal. The homogeneity of the actor network is in a sense a perfection in the socio-technical design. However this ideal stage is typically hard to maintain. Problems occur and can largely be linked to the manner in which inscription [28] occurred or translation [24] took place. In the computer hack case, we observed issues both in inscription and translation. While Latour [24] does not specifically differentiate between the process of inscription and translation, for one informs the other, conceptually however we can think of the two separately. 6.1

Inscription, Translation, and Socio-technical Design

Based on our analysis of the computer hack case and the process of inscription and translation, we can identify the following socio-technical issues and the related principles. The system administrator had the implicit assumption that technology could survive on its own. Attempts to fix the problem were simply ignored. System administrators are typically constrained by their thinking, relying heavily on quick technical fixes. Principle 1: The implicit theories of human actors tend to rely extensively on the non-human actors, ignoring the importance of the negotiation process between the actants, this resulting in severe security flaws. The networking group rejected the approach that the system administrator took in ensuring that the ‘server_1’ naming remained supported. This happened

52

K. Hedström, G. Dhillon, and F. Karlsson

without any effort in understanding the intentions or interests of the system administrator. When the new organization was implemented, there was not enough information to negotiate inscriptions. Principle 2: Preponderance of a non-systemic approach, because of limited conceptualization of actant behavior and interests, leads to misinterpretation of actions and to serious IS problems. Stellar University as an actant took a rather static view of the computer networks. They considered the various actants - networking group, system administrators, server_1 as static entities. The human actors at Stellar University firmly believed that changing one may not necessarily impact others. This resulted in not considering the socio-technical interactions and the related errors in design. All these were then inscribed into a ‘black-box’. Principle 3: A static view of the actants ignores interactions and the related negotiations, which results in highly vulnerable environments. 6.2

Interest, Enrollment, and Socio-technical Information Security

A key process by which the interest and integrity of actor networks are maintained is enrollment. As Walsham [20] notes, ‘successful networks of aligned interests are created through the enrollment of a sufficient body of allies, and the translation of their interests so that they are willing to participate in particular ways of thinking and acting which maintain the network.’ This means that alignment of divergent interests is dependent of enrollment of different actors into the network. Failure to do so results in a ‘broken’ actor-network. Central to the enrollment process is also the associated changes by way of which institutionalization occurs. In the case of Stellar University the discourses underway between the networking group, the system administrator and the technology (server_1) are examples of enrollment. How successful such an enrollment might be is totally a different matter. Clearly in the case of Stellar University, alignment of interest did not occur. As McLoughlin [29] would have argued, the ‘entrepreneurial political activity in enrolling human and non-human actor into the actor-network’ was unsuccessful. As is obvious from the Stellar University case, lack of alignment of interest and adequate enrollment of different stakeholders prevented the formation of a stable actor-network. This had serious consequences, which surfaced when a hacker was able to exploit the server. This means that in order for changes - structural or process - to be successful, all interests need to be aligned, failure to do so results in opening opportunities for abuse. Successful IS related socio-technical change can only be brought about if the new technological form includes stakeholder groups so as to align their interests with technology. Inability to do so results in potential security compromises. Tensions between different actants need to be resolved for successful organizational change. One way of doing this is to bring technology as well as human actors into the same frame of reference, thus ensuring integrity in the process.

Using ANT to Understand Information Security Management

7

53

Conclusion

Management of information security (IS) is a socio-technical activity. And any change related to IS gets translated as socio-technical change, which needs to be understood both in terms of social and material artifacts. In this paper we have illustrated the use of Actor Network Theory in developing an understanding of the socio-technical changes and the emergent IS problems. Results presented in this paper home in on the core concepts of inscription, translation and enrollment, resulting in three principles that are important for management to have in mind: (P1) the implicit theories of human actors tend to rely extensively on the non-human actors, (P2) preponderance of a non-systemic approach leads to misinterpretation of actions and to serious IS problems, and (P3) a static view of the actants ignores interactions and the related negotiations. These principles illustrate the importance of viewing IS as including the technical as well as the social, within a complex heterogeneous network. While our findings cannot be generalized to all IS situations, they do frame management of IS as a socio-technical problem.

References 1. Denning, P.J.: Passwords. American Scientist 80, 117–120 (1992) 2. Dymond, P., Jenkin, M.: WWW distribution of private information with watermarking. In: The 32nd Annual Hawaii International Conference on Systems Sciences (HICSS-32), Maui, HI, USA (1999) 3. Sipponen, M., Wilson, R.: Baskerville. R.: Power and Practice in Information Systems Security Research. In: International Conference on Information Systems 2008, ICIS 2008 (2008) 4. Latour, B.: Technology is society made durable. In: Law, J. (ed.) A sociology of monsters: essays on power, technology and domination, pp. 103–131. Routledge & Kegan Paul, London (1991) 5. Law, J., Bijker, W.: Postscript: Technology, stability, and social theory. In: Bijker, W., Law, J. (eds.) Shaping technology/building society: Studies in sociotechnical change, pp. 290–308. MIT Press, Cambridge (1992) 6. Cho, S., Mathiassen, L., Nilsson, A.: Contextual dynamics during health information systems implementation: an event-based actor-network approach. European Journal of Information Systems 17, 614–630 (2008) 7. Thomas, R.K., Sandhu, E.S., Ravi, S.S., Hu, Y.: Conceptual foundations for a model of task-based authorizations. In: 7th IEEE computer security foundations workshop (1994) 8. Burns, A., McDermid, J., Dobson, J.: On the meaning of safety and security. The Computer Journal 35(1), 3–15 (1992) 9. Al-Muhtadi, J., Ranganathan, A., Campbell, R., Mickunas, M.D.: A flexible, privacy-preserving authentication framework for ubiquitous computing environments. In: Proceedings of 22nd International Conference on Distributed Computing Systems Workshops. IEEE, Los Alamitos (2002) 10. Myles, G., Friday, A., Davies, N.: Preserving Privacy in Environments with Location-Based Applications. IEEE Pervasive Computing 2(1), 56–64 (2003)

54

K. Hedström, G. Dhillon, and F. Karlsson

11. Dhillon, G., Silva, L., Backhouse, J.: Computer crime at CEFORMA: a case study. International Journal of Information Management 24(6), 551–561 (2004) 12. Fowler, G.A., Lavalee, A.: Facebook alters privacy controls amid probe. Wall Street Journal. Dow Jones & Company, New York (2009) 13. Backhouse, J., Dhillon, G.: Structures of responsibility and security of information systems. European Journal of Information Systems 5(1), 2–9 (1996) 14. Halperin, R., Backhouse, J.: A roadmap for research on identity in the information society. Identity in the Information Society 1(1) (2008) 15. Angell, I.: As I see it: enclosing identity. Identity in the Information Society 1(1) (2008) 16. Dhillon, G.: Managing information system security. Macmillan, London (1997) 17. Segev, A., Porra, J., Roldan, M.: Internet security and the case of Bank of America. Communications of the ACM 41(10), 81–87 (1998) 18. Bloor, D.: Knowledge and social imagery. University of Chicago Press, Chicago (1991) 19. Hughes, T.P.: The Seamless Web: Technology, Science, Etcetera, Etcetera. Social Studies of Science 16, 281–292 (1986) 20. Walsham, G.: Actor-Network Theory and IS research: Current status and future prospects. In: Lee, A.S., Liebenau, J., DeGross, J.I. (eds.) Information systems and qualitative research, pp. 466–480. Chapman and Hall, London (1997) 21. Monteiro, E., Hanseth, O.: Social Shaping of Information Infrastructure: On Being Specific about Technology. In: Orlikowski, W.J., Walsham, G., Jones, M.R., DeGross, J.I. (eds.) Information Technology and Changes in Organisational Work, pp. 325–343. Chapman & Hall, London (1995) 22. Hanseth, O., Jacucci, E., Grisot, M., Aanestad, M.: Reflexive standardization: side effects and complexity in standard making. MIS Quarterly 30, 563–581 (2006) 23. Bloomfield, B.P., Vurdubakis, T.: Boundary Disputes. Negotiating the Boundary between the Technical and the Social in the Development of IT Systems. Information Technology & People 7, 9–24 (1994) 24. Latour, B.: Science in action: how to follow scientists and engineers through society. Harvard University Press, Cambridge (1987) 25. Hedström, K.: The Values of IT in Elderly Care Information Technology & People 20(1), 72–84 (2007) 26. Vidgen, R., McMaster, T.: Black boxes, non-human stakeholders and the translation of IT through mediation. In: Orlikowski, W.J., Walsham, G., Jones, M., DeGross, J.I. (eds.) Information technology and changes in organizational work, pp. 250–271. Chapman and Hall, London (1996) 27. Latour, B.: The powers of association. In: Law, J. (ed.) Power, Action and Belief, pp. 264–280. Routledge, London (1986) 28. Akrich, M., Latour, B.: A summary of a convenient vocabulary for the semiotics of human and nonhuman assemblies. In: Bijker, W.E., Law, J. (eds.) Shaping technology/ building society, pp. 259–264. MIT Press, Cambridge (1992) 29. McLoughlin, I.: Creative technological change: the shaping of technology and organizations. Routledge, London (1999)

Information Security Governance: When Compliance Becomes More Important than Security Terence C.C. Tan 1, Anthonie B. Ruighaver2, and Atif Ahmad1 1

Department of Information Systems, The University of Melbourne, Melbourne, Australia 2 School of Information Systems, Deakin University, Melbourne, Australia [email protected], [email protected], [email protected]

Abstract. Current security governance is often based on a centralized decision making model and still uses an ineffective 20th century risk management approach to security. This approach is relatively simple to manage since it needs almost no security governance below the top enterprise level where most decisions are made. However, while there is a role for more corporate governance, new regulations, and improved codes of best practice to address current weak organizational security practices, this may not be sufficient in the current dynamic security environment. Organizational information security must adapt to changing conditions by extending security governance to middle management as well as system/network administrators. Unfortunately the lack of clear business security objectives and strategies at the business unit level is likely to result in a compliance culture, where those responsible for implementing information security are more interested in complying with organizational standards and policies than improving security itself. Keywords: Security culture, decentralized decision making, security strategic context, business security strategies.

1 Introduction In the current dynamic information security environment, simply implementing controls and state-of-the-art security is no longer adequate. Many organizations are still basing their information security on the old ISO 17799 security standard and as a result they are often struggling to cope with the increase in threats and vulnerabilities. The question is whether new security standards introduced over the past decade are likely to change this situation. While the new 27000 series of standards [1] have introduced a lifecycle model to security management, the emphasis is still on the controls needed in information security. Little information is given about security objectives or on potential strategies to implement these objectives. Neither are there any suggestions, outside of a mention of risk analysis, on how organizations should develop security objectives and strategies as part of their security governance process. While this emphasis on K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 55–67, 2010. © IFIP International Federation for Information Processing 2010

56

T.C.C. Tan, A.B. Ruighaver, and A. Ahmad

controls worked well before in a reasonably static security environment, in today’s ever changing security environment, organizations will need to encourage and promote innovation in their approach to security management – going beyond what is prescribed in the current standards [2]. Corporate security governance has primarily to do with how the board of directors and executives address security management issues such as “setting the responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise's resources are used responsibly” [3]. Understanding how certain aspects or characteristics of security governance at the enterprise level and below influence the quality of strategic decision making in information security is an essential step to ensuring that investments in security are not wasted. The ability to make well-informed decisions about the many important components of governing for enterprise security, such as adjusting organizational structure, designating roles and responsibilities, allocating resources, managing risks, measuring results, and gauging the adequacy of security audits and reviews is crucial. Our research [4], [5] indicates that efforts to improve decision making in these areas currently is mostly focused on corporate security governance. Unfortunately, this current emphasis fails to effectively address the need to ensure that decision making at the lower levels of the enterprise is improved, i.e. the need to establish security governance at the business unit level and below. From this point, we will refer to this level of governance as enterprise-wide security governance, or just security governance, whilst referring to corporate security governance when discussing issues related to board level governance issues. Hence, while there is some evidence of reasonable efforts to develop corporate security governance guidelines and frameworks, at the moment, there is little known about enterprise-wide security governance. In particular, about how organizations develop their security strategic context, how they decide on security objectives and strategies and how they use these to develop their policies and security infrastructures [6]. The current emphasis at the coal face on implementing policies, without any guidance on what objectives these policies aim to achieve or what strategies the organization aims to implement, means that most organizations are continuing to struggle in their security efforts. Considering this lack of guidance for the key people who have to ensure that the organization’s information assets are adequately secured, it is not surprising that our studies have found they will often be more concerned with compliance than with information security itself. This paper reports on one of several case studies conducted in the area of enterprise-wide security governance. This specific case examines the information security function in a business unit of a large organization with centralized security management - which prescribes what security policies and controls will need to be implemented at the coalface. This paper will discuss several of the major issues related to ‘enterprise wide security governance’ that we discovered in our in-depth case studies as well as how these issues affect the security strategic context for this particular organization.

Information Security Governance

57

2 Historical Background As the environment an organization operates in changes continuously, threats are changing too. Organizations today face more sophisticated attacks than in the past, both internally and externally. Defenses against such attacks are the bread and butter of security professionals. And yet, high-profile security breaches continue to take place [7], [8]. Experts agree one cause is narrow thinking on the part of security executives [9], [10], [11]. For example, in mid June (2006), New York based AIG acknowledged the theft of the personal data of almost a million people. Firewalls and intrusion detection technology were not the deficiency – thieves simply broke into a regional office and physically carried off a server, along with a laptop. Previous studies [3], [12] indicate that organizations are now beginning to realize the importance of having to prepare for these increased security risks in an appropriate and effective manner. An interesting discovery from these studies was that despite this renewed emphasis on strategic security planning, the majority of organizations nevertheless are continuing to simply do “what everyone else is doing” [13], [14]. We believe this approach is indicative of a severe problem with an organization’s strategic security planning. 2.1 Corporate Governance The purpose of corporate governance to achieve sustained financial results [15], has been predominantly achieved by means of a focus on financial management, so much so that corporate governance was virtually synonymous with the measuring, monitoring and reporting of the financial condition of the enterprise [16]. However, the landscape upon which business is conducted has changed significantly. Traditionally, corporate governance was the responsibility of the board. In today’s complex organizations, where the corporation’s “value constellation” is made up of a constantly changing set of entities, governance activities must be extended both down into and outside of the organization to include an expanded role for internal staff at all levels. External entities [15], [17]. IT and security auditors must also be added to the pool of interested parties. Literatures on Security Governance advocate the idea of incorporating Security Governance as a subset of Corporate Governance. An example is laid out by the Corporate Governance Task Force in their 2004 report entitled “Information Security Governance – A Call To Action”: “…the private sector should incorporate information security into its corporate governance efforts.” [18]. And again from a statement by eSecure: “(IT) Security is part of the business and it is imperative to assign responsibility for managing information security to the Board level as information is a valuable and critical corporate asset.” [19]. The report further argues that if organizations are serious in their efforts to secure their information assets, then “executives must make information security an integral part of core business operations.” The report suggests the best way to accomplish this goal is to highlight it as part of the existing internal controls and policies that constitute Corporate Governance. Furthermore, the report provides a number of recommendations and even what they have termed, an “Information Security

58

T.C.C. Tan, A.B. Ruighaver, and A. Ahmad

Governance Framework,” to assist organizations in incorporating Information Security (InfoSec) into their Corporate Governance processes. From these discussions, two possibilities are revealed. Firstly, what has been done is still not enough to protect organizations. There has been much literature written and much research done on implementing Information Security Policies (ISPs), on cultivating a security culture within organizations, on putting in place technical deterrents and counter measures such as firewalls, password protection and so on. However, these approaches still appear to be insufficient in protecting organizations. Secondly, organizations may have reached a stalemate when considering security and they are simply doing “what everyone else is doing.” Organizations are thus baffled, and faced with the question “what must we now do to protect ourselves?

3 Enterprise-Wide Security Governance The field of InfoSec is a complex and critical component to an organization’s success. A strategic approach to InfoSec aims to transform the IT security function from a set of ad-hoc activities with an emphasis on technology to a coordinated approach of principles, behaviors, and adaptive solutions that map to business requirements [20]. As such, those responsible are not just senior management but also middle management and others involved with the implementation of security strategies (those at the coalface), and they will need a governance framework for making informed decisions about Information Security. As the practices and methodologies behind Corporate Governance and IT Governance are somewhat reliable and time tested and seen to be successful in dealing with various organizational issues, it is plausible to suggest that improving Security Governance throughout the enterprise may be the key to improving the level of security in organizations. 3.1 Frameworks This study focuses on enterprise-wide security governance to improve decision making at the ‘coal face’. It is concerned with the people that implement security and about how they go about making decisions with or without guidance from the organization. In order for decision makers to make quality decisions, appropriate guidance must be effectively communicated to them in the form of the organization’s security strategic context [6], that is through mission statements, objectives, strategies, tactics and so on. Trying to quantify what a good security strategic context is and how one can improve it is a complex problem that cannot be adequately answered in a single study. Importantly, however, Peterson et. al. [21], [22], argued that good security strategic context “requires active participation and a shared understanding among stakeholders if they are to coordinate activities and adapt to changing circumstances” Developing security strategic context exclusively at the top management level is likely to result in a lack of diversity across the security strategic context. Good security strategic context needs to be developed by different people/committees at different levels of the organization, similar to the development of IT strategic context [23], [24].

Information Security Governance

59

To ensure a comprehensive study of security governance, the authors first developed and tested a security governance research “framework” that identifies five major aspects of security governance, namely, decision making rights, input rights, experience and culture, accountability, and strategic context [12]. Experience & Culture Strategic Context

Decision Making/Rights

Security Governance

Input Rights

Accountability Infrastructures

Fig. 1. Security Governance Framework

Exploring each of these aspects of governance in depth is an enormous task therefore a decision was made to focus our research particularly on one aspect of security governance - security strategic context. Strategic context was identified as a key component of successful IT governance [25], thus a decision maker at the coal face is not likely to make good decisions about security without a decent knowledge of the organization’s security strategic context either. To guide our research on how organizations develop their security strategic context we adopted a strategic context model from IT governance [26], [27] and expanded that model into a two-dimensional ‘Scope of security strategic context’ framework that covers both depth and coverage of the security strategic context. Dimension 1 – Depth of Security Strategic Context This dimension aims to clarify how extensive the organization’s strategic context is in terms of strategic, tactical and operational aspects by adapting the 5 domains from Broadbent and Weill’s [26] original IT strategic context model. •

• • •

Security Objectives (mission statements) – High-level statements that inform the organization about how security will be used to create business value and how to protect it. Objectives clarify focus and provide a frame of reference for every important aspect of security activity, from incident handling to disaster recovery, information protection to user functionality. Security infrastructure – Strategies employed to build shared and standardized security services/beliefs/ideals across the organization (Strategic Security Policies, etc) and the operationalization (implementation) of those strategies. Security architecture – Choices that guide the organization in satisfying security needs (decision/input rights) Security application needs – Applications that need to be acquired or built. For example, VPNs, firewalls, etc.

60

T.C.C. Tan, A.B. Ruighaver, and A. Ahmad

•

Security investment and prioritization – Regulates the process of security investment, that is, where it should be focused, the procedures for progressing initiatives, their justification, approval and accountability.

Dimension 2 – Coverage of Security Strategic Context This dimension was added to the original one-dimensional IT model. It covers how ‘broadly defined’ an organization’s security strategic context is with regard to the different aspects of security. In constructing this second dimension, an extensive examination of the general literature on Information Security (InfoSec) was performed [5]. This included a review of international standards and guidelines such as the OECD, COSO, ITIL, ISO and COBIT. The resulting security areas currently included in our framework are: • •

• • •

•

Network Security – This refers to the controls/actions that secure the corporate network, prevent unauthorized access to systems and data, and ensure data integrity and availability over the network. Systems and Data Security – Is about the protection of the information (availability, integrity, confidentiality, authenticity and validity) and handling of information. Includes user account management, monitoring and revocation processes, etc. Physical Security – This concerns the protection against human intrusions and natural disasters such as fire, water leakage and other environmental failures. Personnel Security – Includes such aspects as hiring policies, termination practices and access controls. Operations Security – Is concerned with business continuity, ensuring the integrity and availability of crucial data after a disaster or other disruptions. For example, protecting stored financial reporting data so that business transactions that continue during downtime are properly accounted for. Miscellaneous Security aspects. – Acknowledging that there most likely will be other areas organizations will focus their security on that don’t fall within the 5 aspects of security above (Eg. a focus on eCrime, and incident handling).

4 The Case Study The case study reported in this paper took place in an Asian subsidiary of a large international corporation I.T US Inc. For this paper we will call this subsidiary ITUM. I.T US Inc. (ITU) is a world player in Information Technology. Worldwide ITU operates in over 150 countries. Being part of a large multinational, ITUM’s ‘security’ benefits from high availability of resources and separate funding. As is not unusual in large international organizations, ITU maintains a separate and independent corporate security department. This corporate security department, having been delegated the responsibility of security for ITU and its world wide units, is staffed by “security specialists”. Their job is to maintain, develop and distribute security policies, procedures, standards and guidelines for the entire ITU organization.

Information Security Governance

61

The main participants involved in the ITUM study were Mr. A the IT Manager, Mr. B the Security Manager and Ms. C the IT Specialist. From a security perspective, all three participants agree that security is key in ITUM’s operations. “Security? Definitely, definitely important.” (Mr. A, IT Manager) “…you must have security in place to protect your interest….” (Mr. B, Security Manager) “Security is a mandatory thing...” (Ms. C, IT Specialist) Overall, Mr. A is responsible for ensuring that the organization’s IT unit operates smoothly. Since ITUM relies heavily on IT for many of its business functions, this puts additional pressures on Mr. A to ensure that the organization’s systems, networks and so on, are available (up-time of the server), consistent and reliable (integrity). This is how Mr. A describes his responsibilities: “…you know how critical information is to us…we have that network connection and it is crucial that it works.” Their operational perspectives reflect an emphasis on compliance, from ensuring that corporate guidelines are followed to compliance with both formal and corporate security standards (mandated from the corporate security department). Mr. A feels that the organization is secure, and he is only concerned about ensuring that his systems, networks and infrastructures meet the required standards set down by Corporate. For Mr. B, the Security Manager, his portfolios include site security (internal and external security), Occupational Health and Safety (OHS) and Program Security. This makes him responsible for implementing security strategies and tactics within ITUM which includes, “…counseling the management, to help them, to advice them with respect to the company’s security policies”. Essentially, security awareness and security education. As Mr. B describes it, his security/awareness programs are to make sure that the security risk for ITUM is manageable and “…to avoid any untoward situations.” “I do presentations or at times I will send a memo across the organization about security, about things that happen, about security tips, prevention…” Mr. B too has a high reliance and confidence in ITUM’s corporate security standards and guidelines. His main role is to implement security policies funneled down to him from corporate – a bias for compliance. Because of ITUM’s governance approach, Mr. B has limited involvement in the development of high level security strategies and policies. His exact involvement is confined only to checking that the corporate security policies are valid for the local circumstances and ensuring that ITUM is compliant to the Corporate standards. Hence his understanding of the security strategic context is sorely limited. Ms. C has an IT background and is involved in project management, asset management and process architecture. On the process side, Ms. C plans, develops and implements IT security processes in ITUM. Similar to Mr. A and Mr. B, she believes that ITUM’s security is pretty good.

62

T.C.C. Tan, A.B. Ruighaver, and A. Ahmad

Although not directly involved with the corporate security group, as a process architect, Ms. C will “design IT security processes,” following those corporate guidelines, like Mr. B. It is here that she has picked up her awareness about security. Ms. C’s ability to understand and comprehend the security strategic context is limited too. Her focus is primarily and strictly on adhering to the specified corporate standards, guidelines and policies (i.e. compliance). When asked her thoughts on abiding by standards/audits, Ms. C replied: “We cannot afford to fail in any audit. Passing the audit is mandatory for us. Compliance is a very, very high focus for us…all I know is we do adhere to standards”

5 Case Analysis and Discussion Using the strategic frameworks discussed, an empirical study was conducted investigating Enterprise-wide Security Governance in both large and medium sized organizations. In order to analyze this ITUM case a general discussion of our findings across all participating organizations is needed. The design of the studies involved multiple sources of evidence, collected in a structured manner. With the Security Governance and Security Strategic Context research frameworks verified for its comprehensiveness in previous studies [4], our current case studies concentrated on Security Governance at the coalface. A number of interesting lessons were learnt and briefly they are:1.

2.

3.

Diversity of decision-making is often lacking. Decision makers were found to be making decisions on their own without inputs from others within or from other business units. For some organizations, even with other inputs, as their governance structure did not encourage it, advice given was never taken on. Corporate (Executive) Level mission statements are vague and provide little guidance for those responsible for security at the enterprise wide level. This is particularly evident in ITUM where corporate level guidance did not encourage any understanding of objectives or strategies but unconditional ‘replication’ of standards – leading to a culture of compliance and limited depth and understanding of security strategic context. However, in another organization, the lack of corporate level mission statements led to good depth in security but limited to only the areas that those responsible for security were familiar with and experienced in. This ‘silo effect’ resulted in the organization’s security context being narrow and lacking coverage. Security Governance and IT Governance although closely related, are separate entities. Security Governance is found to be an add-on to the business and follows an IT Governance approach, that is, a bottoms up approach to security. Instead, it should be a driver.

These three themes will now be discussed independently in detail for ITUM.

Information Security Governance

63

5.1 Limited Diversity in Decision Making At ITUM, almost all decisions about the security strategic context have been decided upon by the corporate security department at the executive level. “We have globally this dedicated security team who just focuses on doing policies and standards.” (Ms. C, IT Specialist) The decisions of ITU corporate security are communicated to the enterprise level via policies, procedures and standards, not objectives or strategies. As Mr. B, describes, “Throughout the whole ITU organization, in every country, we follow the same template, the same procedures, and the same policies.” This idea of security being a ‘template’ (i.e. a standardized prescription) that is applied to any and all situations with only slight modifications allowed is likely to cause those involved to perceive security as an A-Z checklist of things that need to be done. As was noticeable during the analysis, very little thought or innovativeness is evident for security at the enterprise wide level. Any decision-making regarding security made at this level are low-level simplistic decisions that revolve predominantly around compliance, controls and passing audits. “Our audits as well help us make sure people are making the right decisions.” (Mr. A, IT Manager) Although the strategic decisions are being made at high levels with very little to no communication with other functional levels of the organization, it was hoped that these decisions are made with inputs from various people from affected units of the organization. Unfortunately, this was not the case at ITUM, with all strategic decisions being made by the “dedicated security team…they’re very specialized” (Ms. C, IT Specialist). “I get guidelines. I get standards. It’s all been prepared by HQ. We get statements from the business to tell us what we should and should not do.” (Mr. A, IT Manager) At ITUM this situation has led to isolation of the decision makers and therefore reflects a lack of diversity in their decisions. 5.2 Corporate Level Security Mission Statements Provide Little Guidance It is evident that good coverage of security exists at ITUM (e.g. all areas identified by the ISO Standard are covered). Unfortunately, we found a limited depth in security strategic context in each of these areas Exploring deeper, we see that most security related activities at ITUM are performed at the ‘Security Architecture’ and ‘Security Application(s) Needed’ level with only a few activities being performed at the ‘Security Strategies & Infrastructure’ level. For instance, at the ‘Security Architecture’ level, authentication and control of user access, identification and verification of users, monitoring of access control are all performed; security perimeters are defined; user responsibilities are clearly outlined; segregation of duties and routine backup checks are performed;

64

T.C.C. Tan, A.B. Ruighaver, and A. Ahmad

and so on. At the ‘Security Application(s) Needed’ level, a diverse range of hardware, software and policies exists such as firewalls, proxy, monitoring software, anti-virus, acceptable use policies, education and training, and so on. These results are indicative of extremely good coverage of security across the board but have limited depth particularly in the areas of ‘Network Security’, ‘Systems Security’ and ‘Physical & Environmental Security’. It is also noted that while some ‘Security Objectives’ are obvious or known to participants many others are not. However, the objectives known by participants such as “protection from virus attacks” and “protect assets & information in those assets” are of such simplicity and generality in nature that you have to question the quality of those objectives to function as high-level statements that inform the organization about how security will be used to create business value and to protect it. Furthermore, it is not clear whether those objectives mentioned by the participants were communicated to them by higher management, or just reflect what they believe they are doing. Security Objectives are meant to clarify focus and provide a frame of reference for every important aspect of security activity. It is not clear whether this has been done. From the participant’s point of view, when asked the question, “Does your organization have mission statements in place with regards to security?” their responses were: “Yes we do, I have seen them, I cannot tell you exactly what they are…we do have a mission, I’ve seen that but I don’t really know what they are.” (Ms. C, IT Specialist) “I believe the Security (dept) at the head office do have mission statements but I’m not aware of that right now but I believe that they have.” (Mr. A, IT Manager) 5.3 A Bottoms Up Approach to Security Strategic Context Development. Many organizations see Security Governance as just a small part of Corporate Governance. While IT Governance has become a recognized focus area in larger organizations, these organizations often won't give Security Governance the same attention. Hence, organizations still need to realize that just like IT, the field of Information Security is a complex and critical component to their organization’s success. As such, those responsible for security are not just senior management but also middle management and others involved with the implementation of security strategies (those at the coalface), and they will similarly need a governance framework for making informed decisions about Information Security. At ITUM, apart from the approach of implementing the given standards and requiring business units to ‘pass’ audits, security is an add-on action, and not a driver at all. As Mr. A the IT Manager describes, “If I’m putting in any new IT infrastructure I just have to make sure the IT security piece of it is adhered to…” As ITUM did not receive any information on the organization’s security strategies it used a bottoms up approach to develop its own objectives and strategies based on compliance.

Information Security Governance

65

This bottoms-up approach in the development of business strategies is common in IT governance where applications needs and the IT architectures necessary to support these applications will lead to the development of objectives and businesses strategies at executive levels to support these lower levels of the IT strategic context. The question arises if a similar bottoms-up approach is really the way to develop a strategic context in security governance. On the other hand, research on possible topdown approaches to develop a security strategic context is still scarce, but an attempt to develop a strategic context from the top-down is described in a recent paper on Ubiquitous security [2].

6 Conclusions The case study discussed in this paper has revealed a number of interesting and valuable lessons about security governance. In our experience these findings can be generalized to many other large organizations that have a centralized security function. Most current information and academic papers on security governance at the enterprise wide level unfortunately promote a centralized decision making model based on, in our experience, an ineffective and old-fashioned risk management approach to security. The old-fashioned centralized approach is relatively simple to manage: It needs almost no security governance enterprise wide (business unit or coalface levels) as most decisions are made at the corporate level. In the current dynamic security environment, this centralized approach does have a major drawback. Centralized decision-making will reduce the flexibility and adaptability of an organization’s security posture, making it difficult for the organization to respond quickly/timely to changes in its security environment. Further, the lack of input from people at the coalface in the predominantly centralized security-planning ethos has stifled innovation in security. More significantly, with the centralized security philosophy, the same employees or committee(s) that decide on security infrastructure and applications also decide on (business) objectives and security strategies. Hence the rationale is that there is no need to communicate those objectives and strategies to the rest of the organization. While it may be unintentional, the organization’s security culture now has evolved towards a compliance culture where compliance to corporate guidelines has become more important than improving security. To create a dynamic, flexible and agile security posture, a more decentralized approach to security decision-making is needed. A decentralized approach will need good security governance at all levels. To attain this, it is important that the necessary enterprise-wide security governance structures and processes are developed and put in place. This ensures that adequate security objectives and security strategies are developed and effectively communicated to the decision makers. This, in itself, is expected to promote innovation.

66

T.C.C. Tan, A.B. Ruighaver, and A. Ahmad

References 1. Humphreys, T.: How to implement an ISO/IEC 27001 information security management system. ISO Management Systems, 40–44 (2006), http://www.iso.org 2. Ruighaver, A.B.: Organisational Security Requirements: An agile approach to Ubiquitous Information Security. In: Proceedings of the 6th Australian Security management Conference, Australia (2008) 3. IT Governance Institute: Information Security Governance: Guidance for Boards of Directors and Executive Management 2nd edn. (2006), http://www.itgi.org 4. Tan, T.C.C., Ruighaver, A.B., Ahmad, A.: Incident Handling: Where the Need for Planning is often not Recognised. In: Proceedings of the 1st Australian Computer Network, Information & Forensics Conference, Australia (2003) 5. Tan, T.C.C., Ruighaver, A.B.: Understanding the Scope of Strategic Context in Security Governance, In: Proceedings of the 2005 IT Governance Int. Conf., New Zealand (2005) 6. Tan, T.C.C., Ruighaver, A.B.: A Framework for investigating the development of Security Strategic Context in Organisations. In: Proceedings of the 6th Aus Information Warfare & Security Conference: Protecting the Australian Homeland, Australia, pp. 216–226 (2005) 7. Computer Security Institute and FBI Survey, Results of CSI/FBI Computer Crime and Security Survey (2003), http://www.gocsi.com 8. AusCERT, Australian High Tech Crime Centre, AFP, NSW Police, NT Police, Queensland Police, SA Police, Tas Police, Vic Police, WA Police: 2004 Australian Computer Crime and Security Survey. Australian Computer Emergency Response Team (2004) 9. Wright, P.D., Liberatore, M.J., Nydick, R.L.: A survey of operations research models and applications in Homeland Security. Interfaces 36(6), 514–529 (2006) 10. Theunissen, D.: Corporate Incident Handling Guidelines. The SANS Institute (2001), http://rr.sans.org/incident/corp_guide.php 11. Pasikowski, G.T.: Prosecution: A subset of Incident Response Procedures. The SANS Institute (2001), http://rr.sans.org/incident/prosecution.php 12. Tan, T.C.C., Ruighaver, A.B.: Developing a framework for understanding Security Governance. In: Proceedings of the 2nd Australian Information Security Management Conference, Australia (2004) 13. D’Amico, E.: Cyber Crime is on the rise, but let’s keep it quiet. Chemical Week 164(17), 24–27 (2002) 14. Braid, M.: Collecting Electronic Evidence after a System Compromise. In: Australian Computer Emergency Response Team, AusCert (2001), http://www.auscert.org.au 15. Pultorak, D: IT Governance: Toward a Unified Framework Linked to and Driven by Corporate Governance. CIO Wisdom II, Prentice Hall Ptr. (2005) 16. Kaplan, R.S., Norton, D.P.: The Balanced Scorecard: Translating Strategy Into Action. Harvard Business School Press (1996) 17. McLane, G: IT Governance and its Impact on IT Mngt. MA dissertation, Sydney (2003) 18. Corporate Governance Task Force: Information Security Governance – A Call to Action. National Cyber Security Summit Task Force, USA (2004) 19. eSecure: Time to elevate IT Security to the Boardroom, South Africa (2000) 20. Proctor, P.: Sarbanes-Oxley security and risk controls: When is enough enough? Infusion: Security & Risk Strategies (2004), http://www.metagroup.com

Information Security Governance

67

21. Peterson, R., O’Callaghan, R., Ribbers, P.M.A.: Information Technology Governance by Design: Investigating Hybrid Configurations and Integration Mechanisms. In: Proceedings of the 20th International Conference on Information Systems, Australia (2000) 22. Ribbers, P.M.A., Peterson, R.R., Marylin, M.P.: Designing Information Technology governance processes: Diagnosing contemporary practices and competing theories. In: Proceedings of the 35th Hawaii International Conference on System Sciences, pp. 1–12. IEEE Computer Society, Los Alamitos (2002) 23. Weill, P., Woodham, R.: Don’t Just Lead, Govern: Implementing Effective IT Governance, Massachusetts Institute of Technology, Cambridge, Massachusetts (2002) 24. Vitale, M.: The dot.com Legacy: Governing IT on Internet Time. Information Systems Research Center, University of Houston (2001) 25. Weill, P., Ross, J.W.: IT Governance: How Top Performers Manage IT Decision Rights for Superior Results. Harvard Business School Press, Boston 26. Broadbent, M., Weill, P.: Management by Maxim: Creating Business Driven Information Technology Infrastructures. Melbourne Business School, University of Melbourne (1996) 27. Broadbent, M.: CIO Futures – Lead With Effective Governance. ICA 36th Conference, Singapore (2002)

Understanding Domain Registration Abuses Scott E. Coull1 , Andrew M. White1 , Ting-Fang Yen2 , Fabian Monrose1 , and Michael K. Reiter1 1 University of North Carolina {coulls,amw,fabian,reiter}@cs.unc.edu 2 Carnegie Mellon University [email protected]

Abstract. The ability to monetize domain names through resale or serving ad content has contributed to the rise of questionable practices in acquiring them, including domain-name speculation, tasting, and front running. In this paper, we perform one of the first comprehensive studies of these domain registration practices. In order to characterize the prevalence of domain-name speculation, we derive rules describing “hot” topics from popular Google search queries and apply these rules to a dataset containing all .com registrations for an eight-month period in 2008. We also study the extent of domain tasting throughout this time period and analyze the efficacy of ICANN policies intended to limit tasting activity. Finally, we automatically generate high-quality domain names related to current events in order to measure domain front running by registrars. The results of our experiments shed light on the methods and motivations behind these domain registration practices and in some cases underscore the difficulty in definitively measuring these questionable behaviors.

1

Introduction

Domain names have become an integral component of modern web browsing by allowing users to navigate to web sites using memorable phrases and keywords. In fact, many users will often assume that domain names based on intuitive keywords will direct them to the desired web site, which is known as type-in navigation. For this reason, domain names have become quite valuable, and has lead to a variety of practices in which domain names are opportunistically registered simply to profit from them. One such dubious domain registration practice is domain speculation, where a domain name is registered with the intention of reselling it for a profit at a later date or generating ad revenue from type-in navigation traffic [5]. Though speculation is technically allowed by Internet Corporation for Assigned Names and Numbers (ICANN) rules, it has led to more abusive behaviors by registrars and speculators. For instance, domain tasting allows a speculator to register large numbers of domains at no cost for a short grace period during which she can assess the potential value of the domain. Another example is domain front running, where domain registrars use queries about domain availability made by their users to preemptively register domains then subsequently resell them to those same users for a profit. The K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 68–79, 2010. c IFIP International Federation for Information Processing 2010 

Understanding Domain Registration Abuses

69

security problem underlying these behaviors is not unlike that presented by spam during its emergence, in that both activities take advantage of loopholes in existing policy to profit from unintended uses of the systems they abuse. While the security and legal communities have identified certain behaviors as clear abuses of the registration process, the practices and impact of domain speculation, tasting, and front running are still not well-understood. In this paper, we perform the first in-depth study of questionable domain name registration activity, including a characterization of domain speculation, an analysis of the prevalence of domain tasting, an investigation of the possibility of domain front running by popular domain registrars, and an analysis of the impact of ICANN policies on these abusive behaviors. Specifically, we use popular search terms provided by Google to develop association rules that describe keywords that are likely to occur together in domain names related to current events and “hot” topics. These association rules are then used to generate regular expressions that allow us to search over all .com registrations collected by VeriSign over an eight-month period for evidence of domain speculation. They also allow us to automatically generate quality domain names when measuring domain front-running activities. Our results shed light on the motivations underlying abusive registration practices and the difficulties faced in accurately measuring their prevalence.

2

Related Work

The inherent importance of the Domain Name Service (DNS) in enabling navigation of the web makes it a natural target for attackers seeking to misdirect users to malicious web sites. Due to their prevalence and potential impact on users, these misdirection attacks have been widely studied. For example, a handful of recent studies have focused on measuring the prevalence of typosquatting, [8,3,6] and homograph [4] attacks, which take advantage of the user’s inability to differentiate the intended domain name from what appears on the screen. Unfortunately, studies of the less malicious, yet still questionable, domain registration activities that we examine in this paper appear to be limited primarily to a series of status reports by ICANN1 . Their analysis of domain tasting examines the use of the five-day add grace period between June 2008 and August 2009. Overall, they observed a significant decrease in tasting activity after a temporary provision was instituted in July 2008 that limited registrars to a relatively small number of no-cost registration deletions. Similarly, their preliminary statement on domain front running activities based on user complaints found that the majority of claims were due to user error or oversights during the registration process. A follow up ICANN report using a study of 100 randomly generated domains found no evidence of front-running activity by registrars. The obvious limitations of that investigation are its relatively small scale and the use of randomly generated names that were easy to identify and ignore. 1

c.f., https://st.icann.org/reg-abuse-wg/

70

S.E. Coull et al.

3

Preliminaries

To successfully achieve our goals we need to overcome two challenges. The first lies in decomposing Google search queries about a given topic into combinations of keywords that are likely to appear in domain names related to that topic. Broadly speaking, we assume that the searches that users make on Google about an event or topic are closely related to the domain names they would navigate to using type-in navigation. These type-in navigation domains are prime targets of domain squatters and front runners, and therefore the focus of our investigation. The second challenge lies in developing a method for determining which domains are pertinent to our study. Before proceeding further, we describe the data sources and methods used to address these challenges. Data Sources. For our study, we make use of a variety of data sources, including both historical domain name registration data and longitudinal information on Google search query popularity. Our historical analysis of domain name registrations is based on data obtained from VeriSign containing 62,605,314 distinct .com domain registration events from March 7, 2008 to October 31, 2008. The VeriSign data contains domain names, their associated name servers, and the date of each registration event. The data also contains information about deregistration events, which we use in our analysis of domain tasting behaviors. For the remainder of the paper, we refer to the set of all domain name registrations contained in the VeriSign data set as the background set. Furthermore, in order to gain a sense of the popularity of various topics or events, we make use of data provided by Google via its Insights for Search and Trends services. These services rank the top searches made by users over a given time frame, and provide up to ten related searches for each. Our methods assume that these queries adequately represent the hot topics that caused their increase in popularity in the Google search engine, and that this increase in search popularity is an indicator of the desirability of domains related to the hot topic. In our study, we use the Insights for Search service to derive rules used to search for domains in our VeriSign data, while the Trends service provides realtime search rankings that are used to generate high-quality domains names to be used in our domain front-running experiment. A topic in our study is defined to be a top ranked search, along with its ten related searches. Association Rule Mining. To decompose each search query into combinations of keywords that best represent the topics associated with them, we apply association rule mining techniques [1]. These techniques consider an itemset I = {i1 , . . . , im } containing all items that can be found in a transaction, and a transaction set T = {t1 , . . . , tn }, where tα is a set containing the items associated with the αth transaction. The support of a set of items X is defined as supp(X) = nX /n, where nX is the number of transactions containing all items in X. An implication between sets of items X and Y , denoted as X ⇒ Y , indicates that the presence of the items in X implies items in Y will also be present. The confidence of an implication X ⇒ Y is defined as

Understanding Domain Registration Abuses

71

conf (X ⇒ Y ) = supp(X ∪ Y )/supp(X). An implication is considered to be a rule if the sets have a sufficient level of support and confidence. For our purposes, we use the notions of support and confidence defined above to decompose each Google query into groups of keywords that are specific to the topic at hand. To do so, we consider each of the n searches for a given topic to be transactions with each keyword in the search acting as an item in the transaction’s set. We then decompose those searches into sets of co-occurring keywords based on the confidence of the keywords’ pairwise implications. Specifically, we first examine each ordered pair of keywords in the search query to discover all of the bidirectional rules (i.e., implications where the confidence in both directions is above our threshold), and merge them together by assuming transitivity among the implications. These bidirectional rules describe the groups of keywords that must appear together in order to be meaningful to the given topic. Next, we augment the rule set by examining unidirectional implications, which indicate that the antecedent of the implication should only be present where the consequent also exists. As before, we assume transitivity among the rules to merge them appropriately. If a keyword is not the antecedent in any rules, we add it as a singleton set. The algorithm returns the union of the rule sets for each of the search queries, which contain all of the groups of keywords that represent the topic associated with those searches. Due to the inherently noisy nature of the data used in our study, it is important to carefully set thresholds used in our rule mining and other selection procedures. The threshold selection methodology is complicated by the fact that our data provides no notion of what values might be related to a given topic and what is not (i.e., the data is unlabeled). Therefore, we make use of cluster analysis techniques to automatically set the thresholds used in our study, rather than appealing to manually derived thresholds. Specifically, we make the observation that we need only separate two classes of unlabeled values: those that are interesting with respect to our analysis and those that are not. Thus, to determine a threshold we first use the k-means++ algorithm [2] with k = 2 to partition the unlabeled values into the sets S1 and S2 (i.e., interesting and uninteresting), and set the threshold as the midpoint between these two clusters.

4

Domain Name Speculation

Our first objective is to examine the relationship between new registrations and so-called hot topics in an effort to gain a better understanding of domain speculation. To do so, we follow an iterative process that consists of: (i) generating rules that are specific to the topic at hand, (ii) converting those rules into regular expression to select domains, and (iii) pruning and verifying the set of selected domains to ensure they are, in fact, related to the topic. First, we gather Google Insights data for each month in 2008, and treat the set of searches related to the topics as transactions, which are used in our association rule mining algorithm to generate rules. Recall that a threshold confidence value dictates which implications in our set of transactions should be considered rules.

72

S.E. Coull et al. Table 1. Decomposition of a Google query into rules and regular expressions Google Query

Association Rule

Regular Expression (.*obama.*) or clinton vs obama vs ⇒ clinton ⇒ obama (.*clinton.*) & (.*obama.*) or (.*clinton.*) & (.*obama.*) & (.*vs.*)

To determine this threshold, we calculate the confidence between all pairs of keywords within a topic and use the threshold selection method discussed in Section 3 on these values to set the appropriate threshold. The resulting set of rules are further pruned to ensure that non-specific rules are discarded. To do so,  we score each rule ri for a topic as S(ri ) = k∈ri supp(k) × |k|, where ri is a rule for the current topic (represented as a set of keywords), supp(k) is the support of keyword k, and |k| denotes the string length of the keyword k. Intuitively, this procedure produces rules for a topic that contain predominately long, important keywords, and removes those rules that may introduce irrelevant domains due to more general or shorter keywords. Again, we use the threshold selection method to set a threshold score for the rules associated with a topic, where all rules above that threshold are retained. Given the high-quality rules generated for each topic, we convert them to regular expressions by requiring all keywords in a rule to be found as a substring of the domain, and that keywords in bidirectional implications appear in their original ordering. To add a level of flexibility to our regular expressions, we also allow any number of characters to be inserted between keywords. The domains selected by the regular expressions for a given topic undergo one more round of pruning wherein the domain is assigned a score equal to the sum of the scores for each of the rules that matched it. These domain scores are given as input to the threshold selection algorithm, and any domains with scores above the threshold are manually verified to be related to the associated topic. These related domains are herein referred to as the relevant set. Table 1 shows an example of the conversion process from search query, to rule sets, and finally to regular expressions used to search our domain registration data. Results. Our search methodology selected 21,103 distinct domain names related to 116 of the 120 hot topics from the VeriSign dataset. Of these, 15,954 domains in 113 topics were verified to be directly related to the topic at hand (i.e., the relevant set). The percentage of relevant domains per topic, averaged over all topics, is 91%. Overall, these results indicate that the majority of our rules select high-quality domain names, with a small number of topics producing very general rules; often because of unrelated or non-specific Google search queries. In order to discover the unique properties of the potentially speculated domains that our methodology selected, we examine several features and compare them to those of the background set of domains. First, we look at the distribution of registrations among the name servers and registrars within the background

Understanding Domain Registration Abuses

73

Fig. 1. Name servers in the background set

Fig. 2. Name servers in the relevant set

and relevant sets, respectively. In Figure 1, we show a log-scale plot comparing the background and relevant domain registrations associated with the top fifteen name servers in the background set. For clarity, we also provide the distribution of the top name servers in the relevant domain set in Figure 2. Clearly, the distribution of registrations over these two sets is significantly different as evidenced by the ranking of name servers and the comparison plot in Figure 1. In fact, when we take a closer look at the name servers, we find that the majority of those found in the relevant set are associated with domain parking services, whereas the background set contains a much smaller fraction. Similarly, we compared the top registrars from the background distribution to those from the relevant set. To characterize the distribution of registrars for background domains, we use the VeriSign monthly reports for the .com top-level domain (TLD) to derive the number of domains registered by the top fifteen registrars over the eight-month period examined in our study. Our analyses reveal that some registrars, such as GoDaddy and eNom, West, maintain their popularity as registrars in both sets. However, there are also some very significant differences. For example, Network Solutions drops precipitously to a rank of ten in the relevant set, and several registrars are found exclusively in the relevant set. These findings indicate that some registrars are clearly preferred by speculators, just as the name servers above were, albeit to a lesser extent.

74

S.E. Coull et al.

Fig. 3. Registrars in the relevant set

Fig. 4. Name servers in the relevant set

5

Domain Tasting

The second form of questionable domain registration behavior that we study is domain tasting, where a registrar is allowed to delete a domain within five days of the initial registration at no cost, also known as the add grace period. This policy can be easily abused by registrars and registrants alike in order to gain information about the value of a domain via traffic statistics taken during the grace period. To study the prevalence of domain tasting, we select all domain names from the background set of domains that were registered and then deleted within five days, which we refer to as the tasting set. Results. From the full VeriSign dataset, we identified 47,763,141 (76%) distinct registrations as the result of domain tasting, with 10,576 (66%) of those occurring in our relevant set of potentially speculated domains. On average, these tasting domains were registered for 3.4 days before being deleted under the no-cost grace period policy. Figures 3 and 4 shows the comparison of registrars and name servers between all relevant domains and those relevant domains involved in tasting activity. The graphs clearly illustrate that these relevant tasting domains are not strongly connected with particular registrars. However, there appear to be clear preferences for certain name servers by the tasters; in some cases representing all registrations for that server!

Understanding Domain Registration Abuses

75

(a) Registrar rank in the relevant set.

(b) Name server rank in the relevant set. Fig. 5. Changes in rank for name servers and registrars in the relevant domain set

In June 2008, ICANN made changes to their policies in order to limit the practice of domain tasting. These changes took effect on July 1st, 2008, which positions us perfectly to provide an independent analysis of the impact of this policy change on the tasting of .com domains. For our purposes, we split the dataset into a pre-reform period and a post-reform period. From our background data, we find 42,467,156 pre-reform tasting registrations with an average duration of 3.4 days, while the post-reform data shows 6,290,177 registrations with an average duration of 3.8 days. For our relevant domains, we have a similar proportion of tasting registrations with 9,270 pre-reform registrations and 1,433 post-reform registrations. These relevant tasting domains were registered for an average of 2.8 and 3.7 days, respectively. In both the background and relevant tasting domains, there is a clear trend toward longer registration periods after the enactment of tasting reform. To examine the impact of the reform on the top fifty registrars and name servers in the background and relevant domain sets, we examine their change in rank after implementation of the new tasting policies. Figure 5 shows the change for names servers and registrars associated with the relevant set. Notice the substantial drops in rank for those name servers and registrars occupying the

76

S.E. Coull et al. Table 2. Decomposition of a Google query into rules and domains Google Query

Association Rule

Domain Name worldseries.com, phillies world series phillies ⇒ (world ⇔ series) philliesworldseries.com, worldseriesblog.com

middle ranks (i.e., positions 10-40 in the pre-reform data). Although several of the top-ranked name servers in both the background and relevant sets were predominantly associated with tasting domains, they are able to maintain – or even improve – their rank despite the drop in tasting registrations (e.g., trellian.com).

6

Domain Front Running

Finally, we explore the extent of domain front-running activities among the top domain registrars. To do this successfully, we need to generate relevant (and presumably desirable) domain names for very timely topics, then query domain registrars for the availability of those domains in a manner that simulates widespread interest. Our approach for generating domain names is similar to that of the rule generation procedure described earlier. We begin by gathering search queries from the top two popularity classifications (i.e., “volcanic” and “on fire”) for the current day from Google Trends, and use those searches as transactions in our rule mining process. As before, we set confidence and pruning thresholds for the rule generation for each topic separately using the threshold selection procedure described in Section 3. At the conclusion of this process we have a set of rules for each hot topic for the day. For each association rule, we create domain names containing the keywords in the bidirectional implications of the rule in the order in which they appear in their original Google search. We then augment this domain name to generate additional names by creating all permutations of it with the keywords in the unidirectional implications. For singleton rules, we use the keyword by itself as the domain name string. Additional domains are generated by appending popular suffixes to the initial domains (e.g., “2009,” “blog,” “online”). Table 2 provides a concrete example of the domain names generated by our methodology. The generated domains are divided among the registrars in our study such that no two registrars receive the same domain name. The domains for each registrar are further divided into queried and held-out sets. This division of domains allows us to examine the increase in the rate of registration for those domains that were sent to registrars over those that were not, and pinpoint the increase in registration rate for certain domains to a particular registrar. Furthermore, in order to ensure that our queries appear to emanate from a diverse set of locations, we make use of the PlanetLab infrastructure to distribute domains for each topic to between two and four randomly selected nodes, which then query

Understanding Domain Registration Abuses

77

the registrars for availability of these domains via the registrars’ web site. Lastly, each day we check Whois records to determine if any of our queried domains were subsequently registered. In this experiment, we assume that a statistically significant increase in registration rate between queried and held-back domains by a particular registrar is related to front-running activities. Results. In our study, we issued queries as described above to the nineteen most widely used registrars, accounting for over 80% of the market share according to RegistrarStats.com. Over the period spanning December 1st 2009 to February 1st 2010, we generated 73,149 unique domains, of which 60,264 (82%) were available at the time of generation. Of those available at the time of generation, 16,635 were selected for querying and distributed to the PlanetLab nodes, leaving 43,629 domains in the held-back set. A total of 23 of the queried and 50 of the held-back domains were registered during this period. To examine the significance of our results, we perform statistical hypothesis tests for each of the registrars in isolation. Specifically, we model the rate of registration in both the queried and held-back case as a binomial distribution with probability of success equal to the unknown rate of registration. The Fisher-Irwin exact test is applied instead of the standard z-test since it avoids approximation by a normal distribution and explicitly calculates the probabilities for the two binomials given the numbers of queried and held-out domains. Our analysis indicates that none of the registrars are associated with a statistically significant (p < 0.05) increase in the registration rate of queried domain names.

7

Summary

In what follows, we discuss the implications from our empirical analyses, and examine the relationship among tasting, front-running, and speculation activities. On the Quality of the Generated Rules. Based on the results of our speculation and front-running experiments, we argue that the rule mining and threshold selection methodologies worked surprisingly well given such noisy data. For our speculation experiments, we found that an average of 91% of the selected domains were related to their respective popular topics, and many of our automatically generated domains were indeed registered. For those rules that generated non-relevant domains, the primary cause can be attributed to incoherence in the related search terms provided by Google. Nonetheless, we believe that our techniques show significant promise in taking unstructured keywords and returning general rules that can be applied to a variety of problems. Incentives for Misbehavior. A natural question that arises when considering these abusive domain registration behaviors is: what are the incentives that drive them? To begin to answer this question, we performed a cursory analysis of the contents of potentially speculated domains selected by our methodology, along with an examination of potential ad and resale revenue associated with the topics in our study. Most of the domains that we examined contained significant pay-per-click ad content, and our analysis showed that many of these sites were

78

S.E. Coull et al.

hosted by known domain parking firms. Based on data gathered from Google’s AdWords Traffic Estimator, we found that the average cost-per-click for the topics in our study was $0.76 per click, and many of these topics have expected click rates in the 300-400 clicks per day range. Beyond ad revenue, some domain names associated with the topics we studied were resold for an average price of $1,832, with the largest of these being $15,500 for obama.net. Clearly, there is significant financial incentive to both resell popular domains and to use parking services to generate advertising revenue. In fact, as long as the average revenue among the domains owned by the speculator exceeds the hosting and registrations costs, the speculator is better off retaining as many domains as possible and only serving ad content. As a concrete example, we note that the keywords associated with the automatically generated domains from our front-running study would have produced revenue in excess of $400 per day, while domain parking services can be purchased for as little as $3.99 per domain each month. This represents a net profit of approximately $11,700 per month from ad revenue alone for the 73 registered domains in our frontrunning study! Furthermore, the strong connection between domain popularity and revenue provides insights into the use of tasting and front-running behaviors as a mechanism for determining the true market value for domains without having to invest capital. Difficulty of Measurement. Another surprising lesson learned from our study is that many of these questionable registration behaviors are particularly difficult to definitively measure. In the case of speculation, we attempted to use several metrics to distinguish those domains registered due to speculation from those registered for legitimate use, including the length of registration, the timeliness of the registration after the increase in search popularity, the rate at which hosting changes, and manual inspection of web page content. Of these, only inspection of the content yielded any significant results, and even in this case there were several instances where it was difficult to identify the true purpose of the page (i.e., to deliver legitimate content, or to serve ads). In our cursory examination, 60% of sites redirected users to parking web pages that contain only ad content, while in the remaining cases the pages contained a non-trivial number of ads in addition to seemingly legitimate content. In regard to front-running, while we found no statistically significant evidence of misbehavior by registrars, during the course of this study we uncovered the fact that many registrars have several subsidiaries that also performed registration duties on their behalf. The connections among these entities are exceedingly difficult to discover and, unfortunately, little information exists in the public domain that can be used to confirm them. Therefore, if some registrars were involved in front-running behaviors, it is entirely possible that they could hide questionable activities by routing registrations through subsidiaries or partners. As a whole, these results call into question overhasty statements by ICANN that front running is not occurring. Moreover, from what we can tell, these relationships frequently change, underscoring the difficulty in detecting misbehavior by dishonest registrars.

Understanding Domain Registration Abuses

79

Regarding ICANN Policy. While it is clear that policy changes instituted by ICANN have had an appreciable impact on the practice of domain tasting, reforms aimed at curtailing speculation and front-running appear to be nonexistent. One obvious, if drastic, solution would be to eliminate the conflict of interest that arises when registrars are allowed to sell domain names. Other potentially effective approaches, including offline domain availability checks, have also been put forth. However, these approaches have all been rejected outright by ICANN, even after seemingly acknowledging the threat of domain speculation as the reason for postponing any new applications for generic top-level domains (gTLDs) [7]. At the very least, we hope that our results shed light on the challenges inherent in detecting such malfeasance, and that they will spur constructive dialog on relevant public policy. Acknowledgements. This work was supported in part by the U.S. Department of Homeland Security under Contract No. FA8750-08-2-0147, and the National Science Foundation under award numbers 0831245 and 0937060.

References 1. Agrawal, R., Imieli´ nski, T., Swami, A.: Mining Association Rules Between Sets of Items in Large Databases. In: Proceedings of the 1993 ACM SIGMOD International Conference on Management of Data, May 1993, pp. 207–216 (1993) 2. Arthur, D., Vassilvitskii, S.: k-Means++: The Advantages of Careful Seeding. In: Proceedings of the 18th Annual ACM-SIAM Symposium on Discrete Algorithms, January 2007, pp. 1027–1035 (2007) 3. Banerjee, A., Barman, D., Faloutsos, M., Bhuyan, L.N.: Cyber-Fraud is One Typo Away. In: Proceedings of the 27th Conference on Computer Communications, pp. 1939–1947 (2008) 4. Holgers, T., Watson, D.E., Gribble, S.D.: Cutting Through the Confusion: A Measurement Study of Homograph Attacks. In: Proceedings of the 24th Annual USENIX Technical Conference, pp. 261–266 (2006) 5. Kesmodel, D.: The Domain Game: How People Get Rich From Internet Domain Names. Xlibris Corporation (2008) 6. Moore, T., Edelman, B.: Measuring the Perpetrators and Funders of Typosquatting. In: Proceedings of Financial Cryptography and Data Security (2010) 7. Palage, M.: New gTLDs: Let the Gaming Begin. Part I: TLD Front Running. In: The Progress & Freedom Foundation, August 2009, vol. 16 (2009) 8. Wang, Y., Beck, D., Wang, J., Verbowski, C., Daniels, B.: Strider Typo-Patrol: Discovery and Analysis of Systematic Typo-Squatting. In: Proceedings of USENIX SRUTI, pp. 31–36 (2006)

Who on Earth Is “Mr. Cypher”: Automated Friend Injection Attacks on Social Networking Sites Markus Huber, Martin Mulazzani, and Edgar Weippl SBA Research Sommerpalais Harrach, Favoritenstrasse 16, 2. Stock, AT-1040 Vienna, Austria {mhuber,mmulazzani,eweippl}@sba-research.org

Abstract. Within this paper we present our novel friend injection attack which exploits the fact that the great majority of social networking sites fail to protect the communication between its users and their services. In a practical evaluation, on the basis of public wireless access points, we furthermore demonstrate the feasibility of our attack. The friend injection attack enables a stealth infiltration of social networks and thus outlines the devastating consequences of active eavesdropping attacks against social networking sites. Keywords: social networks, privacy, infiltration.

1 Introduction In this paper we present a novel attack to infiltrate social networking sites (SNSs) by exploiting a communication weakness of social networking platforms. Our results suggest that today’s most popular SNSs including Facebook, Friendster, hi5, Tagged.com as well as orkut are vulnerable to our friend injection attack. Within an experiment we evaluated the feasibility of our friend injection attack on basis of Facebook. Gaining access to the pool of personal information stored in SNSs and the infiltration of social networks poses a non-trivial challenge as SNSs providers start to devote more resources to the protection of their information assets. Our friend injection attack depicts a new method to circumvent state-of-the-art protection mechanisms of social networking services. We created a proof-of-concept application named ”FriendInjector“ which injects friend requests into unencrypted social networking sessions. We were able to perform our attack at a rate of one injection every 1.8 minutes via wireless access points. Even though our evaluation was based on a relative small number of users, our attack can be carried out easily on a large scale by motivated attackers. Given the vast number of SNSs users (e.g. Facebook claims to have more than 350 million active users [1]) this could have devastating consequences. The major contributions of our work are: – Our friend injection attack, a novel attack on social networks which enables the retrieval of protected profile content. K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 80–89, 2010. c IFIP International Federation for Information Processing 2010 

Who on Earth Is “Mr. Cypher”: Automated Friend Injection Attacks

81

– An evaluation on the feasibility of our friend injection attack on basis of public wireless access points. – A discussion on protection measures against our friend injection attack. The rest of the paper is organised as follows: section 2 introduces SNSs and recent attacks on users privacy. Section 3 outlines our main contribution, the novel friend injection attack. In the following, the archetype of our friend injection attack, the “FriendInjector” application is described in section 4 and the findings of friend injection experiments are discussed in section 5. In section 6 we finally draw conclusions from our findings.

2 Background and Underlying Concepts Within this section we first summarise related work in the area of social networking related privacy threats. In the following we discuss social networking sites which are vulnerable to our friend injection attack. 2.1 Related Work Gross and Acquisti [2] as well as Jones and Soltren [3] were amongst the first researchers to raise awareness for information extraction vulnerabilities of SNSs. While their techniques were rather straightforward (automated scripts which retrieve web pages), their results eventually led to security improvements of social networking services. Recent publications devoted to information extraction from SNSs introduced elaborated methods such as the inference of a user’s social graph from their public listings [4] or cross-profile cloning attacks [5]. Information harvesting from social networking sites thus became a non-trivial problem. The leakage of personal information from these platforms creates a remarkable dilemma as this information forms the ideal base for further attacks. Jagatic [6] showed that they could increase the success rate of phishing attacks from 16 to 72 per cent using ”social data“. The findings of [6] have furthermore been confirmed by the experiments of [7]. Social engineering is yet another attack where information on a future target forms the starting point for attackers and because of the emerging SNSs usage the whole attack might eventually be automated [8]. Existing attempts to extract information from SNSs focus on the application layer and can thus be mitigated by adapting a specific social networks’ application logic. Our friend injection attack, in contrast, is carried out on the network layer, which the great majority of SNSs providers fail to secure. 2.2 Vulnerable Social Networking Sites Social Networking Sites. Follow to some degree the same business paradigm as other successful commercial web services whereas the service itself is free of charge and profit is made by selling online advertising services to third parties. Hence the number of users and signups are critical for the commercial success of SNSs. SNS providers

82

M. Huber, M. Mulazzani, and E. Weippl

therefore design their services so as to increase the number of new signups. Because the majority of SNSs are free of charge these services depend on selling advertising. The more comprehensive the socio-demographic datapool they offer, the more of interest these services become to online-advertisers. Hence SNSs implemented a range of tools to further expand their growth, e.g. the ability to import email addresses from one’s email account or the possibility to send email invitations to possible future friends. Social Networking and SSL/TLS. While the adoption of the HTTPS protocol is considered trivial from a technical standpoint, popular SNSs like Facebook only support the unencrypted HTTP protocol for data transmission. We hypothesize that today’s SNSs providers prefer HTTP over HTTPS for performance reasons (compare with [9]) in order to minimize their hardware and connectivity costs. Authoritatively signed certificates would furthermore result in additional costs for SNSs providers. Our proof-ofconcept friend injection attack, which is outlined in section 4, exploits the unencrypted communication by abusing the ”invitation form“ that many social networking sites offer. As a first step we aggregated a list of possible targets for our friend injection attack. Table 1 shows the most popular SNSs (based on the size of their user base), the availability of an invitation form, and furthermore if the service provides HTTPS access. No reliable sources for the actual number of users within different SNSs exist as these numbers are not publicly available but rather claimed by SNSs providers. A Wikipedia article [10] aggregated a list of popular SNSs and their self-claimed number of users, which offers a valuable starting point. Based on their claimed number of users, MySpace, Qzone, Windows Live Spaces, and Habbo would have been listed within the Top five social networking sites as well. We decided however not to include them as their users often do not represent their real-world personas (e.g. Facebook vs. MySpace [11]), which renders their stored information less attractive for social phishing and data harvesting attacks. Table 1. Top five social networking sites and their support for HTTPS

Social Networking Site Name Facebook Friendster hi5 Tagged.com Orkut

Claimed user base Invitation Form HTTPS 350 × 106 90 × 106 80 × 106 70 × 106 67 × 106

yes yes yes yes yes

Login only No No Login only Login only

Within our top five social networking services, three out of five make use of HTTPS, but only use it to protect login credentials. The rest of the communication happens unencrypted and visible to everyone along the communication path. All five SNSs offer an invitation form, which can be exploited by our friend injection attack. Furthermore the great majority of SNSs is vulnerable to our attack.

Who on Earth Is “Mr. Cypher”: Automated Friend Injection Attacks

83

3 Friend Injection Attack Our novel attack on user privacy within social networks is based on the fact that all communication between clients and SNSs is unencrypted. The only exception is the authentication process, which is encrypted using TLS in some cases (compare with section 2.2). The HTTP protocol, which is used for communication between web services and web browser, is stateless. HTTP cookies are thus used for client tracking, personalisation and most importantly for session management. They were introduced by Netscape in 1995 in order to provide state-fullness for the HTTP protocol and therefore provide a better user experience for web services. In case of SNSs, after a user authenticates herself, a cookie is used to keep track of her session, including a hashed, shared secret between client and server. As this cookie is transmitted unencrypted over the network, the communication is vulnerable to cookie hijacking. Hence, by tapping network traffic it becomes possible to extract authentication cookies and to submit requests on behalf of the victim. While HTTP session hijack attacks are well known, we argue that these attacks enable a wide range of novel attacks specific to SNSs. In case of social networking sites, the ability to inject requests into an active session, has drastic consequences. On one hand sensitive information can be extracted and on the other hand malicious attacks can be carried out via innocent users. 3.1 Spoofed Friend Invites (Friend Injection) A friend request can be sent to another account, which is under the control of an attacker. An attacker might for example create a fake account for ”Mr. Cypher” and then inject requests that seem like the victim added the attacker as a friend. In our proof-of-concept implementation in section 4, we exploit the friend invitation form that the majority of SNSs offer (see subsection 2.2). As most SNSs show different degrees of information details, depending on whether the viewer is a friend or not, this could be used to retrieve user details that are not publicly available. Another possibility is to easily retrieve the circle of friends of the victim which would be time consuming otherwise [4]. Fig. 1 is an example for the default access control settings of Facebook at the time of writing. Friends can access sensitive information such as email addresses and phone numbers, while e.g., photos are made available to friends of friends as well. 3.2 Further Attack Scenarios The majority of SNSs providers offer a developer API for third-party applications. APIs offer a new way to tap the pool of personal information stored within social networking sites. Once a user adds a certain third-party application it is automatically granted access to this user’s personal information. According to [13] the context-information given to third-party applications is usually not anonymized, even though most applications would be able to function on anonymized profiles. Hence, an attacker could add a custom third-party application on behalf of a user in order to retrieve all personal information of him/her in an automated way. In the case of Facebook applications the access to information is not only limited to the application user, but also the personal information of the complete set of this user’s friends can be retrieved. As outlined

84

M. Huber, M. Mulazzani, and E. Weippl

Fig. 1. Facebook default privacy settings as of Dec. 2009 [12]

in [6], phishing attacks that appear to be legitimate messages sent by a friend are more likely to succeed in their evil intention. Sending messages to all the victim’s friends or writing on publicly accessible places like the Facebook Wall (either the victims’ or those of friends) on behalf of another user could lure victims into opening malicious files or links. More sophisticated attacks could use the information gathered through an injected application for spear phishing of selected targets.

4 Proof of Concept: FriendInjector Application Because social networking sites account to today’s most popular web services, we hypothesized that it would be relativly easy to find active social networking session within different networks (LAN, WLAN, gateways, etc.). At the time of writing, Alexa’s site info statistics [14] suggest that Facebook accounts to 30 per cent of the worldwide Internet traffic. We thus decided to implement our friendInjector application on basis of Facebook, as active Facebook sessions seem to be the most prevalent type of social networking sessions on the Internet. 4.1 FriendInjector Application We used the Python scripting language to create our “FriendInjector” application. Fig. 2 summarises the different steps that are involved in our novel attack. (1) In a first step we use the dpkt library [15] to tap into network traffic and parse received packets. Once a legitimate Facebook session has been found, the FriendInjector application clones the complete HTTP header of the retrieved packet, including: the user agent string, session

Who on Earth Is “Mr. Cypher”: Automated Friend Injection Attacks

85

SNS provider

1

Snif f ac tive

SNS user

ses sion

Social networking session

FriendInjector

es Requ

3

ation

t invit

it fr Subm

form

2 4

st reque iend

$WWDFNHU·VDFFRXQW

Fig. 2. Outline of our proof-of-concept friend injection attack

cookies, and accepted file formats and languages. (2) The cloned HTTP header is then used to request the URI containing the invitation form of Facebook. This second step is necessary in order to retrieve the specific form ID which is different for every user to mitigate cross-site scripting attacks. (3) Once both a valid HTTP header and the specific invitation form ID have been collected, the FriendInjector application sends a spoofed friend invitation request via the mechanize library [16] to Facebook using a predefined Email address. (4) In case the attack has been successful, Facebook sends a friendship request on behalf of the victim to the attacker’s Email account. The email notification in step four is used to verify if the attack has been successful. Multiple transmissions of the same session cookie are detected over time (every time a user clicks a link or posts content within the session with Facebook), this gets detected and no friend injection occurs. 4.2 Evaluation on the Feasibility of Friend Injection Attacks We decided to evaluate our FriendInjector application on the basis of unencrypted WLAN traffic, as it is rather straightforward to monitor, only requires physical proximity, and most importantly does not require an active attack against the networked infrastructure (such as ARP poisoning or DNS highjacking). However, our proof-ofconcept application would have worked equally effective on Internet gateways, LANs or deployed on single computers. The goal of our evaluation was to verify if our FriendInjector application gets detected and at which rate friend requests can be injected: 1. Stealthiness (a) Targeted user Facebook does not offer a list of pending friend requests to its users. The only way to search for pending friends requests is offered through the friendslist whereas injected friends would have been marked with a ”pending friend request” status. However, in our attack setup we deactivated our test Facebook account beforehand and our friend requests therefore do not show up in the friends listing. Hence, our attack is completely stealth and undetectable to targeted Facebook user.

86

M. Huber, M. Mulazzani, and E. Weippl

(b) Facebook platform Because our application uses a cloned HTTP header of a legitimate request to Facebook, we hypothesized that our injections will not get detected by Facebook. Furthermore of interest was the question if Facebook would compare the network location of a user’s session with the location of our forged friend request. 2. Injection rate Once a friend request from Facebook is received, the friend injection attack was considered successful. The invitation could be used for further attacks like sending phishing messages or data harvesting. However, this was not the goal of our evaluation and we used the friend requests to measure at which rate friend injections have been possible. 4.3 Methodology and Ethics We chose the library of a big Austrian university as our experiment location. The university’s library was selected because of two reasons: SNSs are very popular amongst students, and secondly this particular library offers both secure and insecure (unencrypted) Internet access via WLAN. The university’s wireless LAN is operated on three channels: 1, 6, and 11. To capture all three channels we equipped a laptop with three WLAN USB sticks with an instance of FriendInjector attached to each of the three channels. In a first experiment we performed the friend injection attack over the period of one and a half hours and used the libraries Internet connection to perform the injections. In the second experiment we performed the evaluation for seven hours and used a separate HSDPA connection to inject the friend requests. During our experiments we took special care that the privacy of user data was not put at risk. We did not collect or store any personal data of test subjects, neither private nor public, and did not reply to the injected friend requests. The only information used for confirming the successful friend injection were the friend requests sent by Facebook, which have been deleted as soon as we received them.

5 Results and Discussion Fig. 3 as well as Fig. 4 illustrate the results of our two experiments. In the following, our results are further explained as well as mitigation strategies against our novel friend injection attack are briefly discussed. 5.1 Experiment Results Within our first experiment we performed the friend injection attack for a period of 1.5 hours during the peak time of the university’s library, where we expected most of the students would use the library’s wireless access points. As previously stated we used the library’s Internet connection to perform the friend injections. On average the FriendInjector application performed a successful injection every 1.8 minutes. The second experiment was carried out during an average day in the university’s library were

Who on Earth Is “Mr. Cypher”: Automated Friend Injection Attacks

87

60

Number of injections

50 40

channel 1 channel 6 channel 11 All channels Trend (csplines)

30 20 10 0 -10 00:00:00

00:15:00

00:30:00

00:45:00

01:00:00

01:15:00

01:30:00

Elapsed time Fig. 3. The result of our first friend injection experiment with an average of one injection every 1.8 minutes as measured during peak time of Internet usage

70

Number of injections

60 50 40

channel 1/1 channel 6/1 channel 11/1 channel 1/2 channel 6/2 channel 11/2 All channels Trend (csplines)

30 20 10 0 00:00:00 01:00:00 02:00:00 03:00:00 04:00:00 05:00:00 06:00:00 07:00:00 Elapsed time

Fig. 4. The result of our second friend injection experiment with about one injection every 7 minutes as measured during an average day of Internet usage

88

M. Huber, M. Mulazzani, and E. Weippl

less students were using the Internet. During a period of seven hours we were able to inject 60 friend requests which corresponds to one successful injection every seven minutes. Even though the network connection used by the FriendInjector application (HSDPA) was different from the one used by our test subjects (library WLAN) and thus using a totally different IP adress block, our spoofed requests did not get blocked by Facebook. 5.2 Mitigation Strategies The attack surface of our evaluation had been unencrypted WLAN traffic, hence, the answer seems straightforward: users need to ensure that they only use secure wireless access points. This however is not always possible and many WLAN access points at airports, hotels, or conference rooms remain to offer insecure network access only. End users could also protect themselves against our friend injection attack by using an additional VPN gateway to tunnel their communication in a secure way, given they have the technical expertise. Adida [17] on the other hand proposed a method where cookies can be protected against eavesdropping which could easily be adapted by SNSs. This method protects however only against passive attacks. In order to effectively mitigate friend injection and similar attacks, SNSs providers have to ensure that all communication between their users and their platform is done over HTTPS. At the time of writing only XING[18] offers HTTPS while the biggest SNSs fail to support secure access to their services. Thus, the only mitigation strategy available to the average user seems to be browser extensions such as ForceHTTPS [19], which attempt to force HTTPS for requests that would have been normally transferred over HTTP.

6 Conclusion We introduce a new attack on social networking sites, our novel friend injection attack. It can be used for automated social phishing, data harvesting, or sophisticated social engineering attacks. The attack is based on the network layer and is completely undetectable to the victims, and as our results suggest even to social networking providers. Within a practical evaluation we furthermore showed the feasibility of our novel attack on basis of public WLAN access points. Given the sensitive personal information that social networking services contain, a large scale friend injection attack would have devastating consequences. In order to mitigate friend injection attacks social networking providers ultimately have to fully support HTTPS. At the time of writing however, the great majority of services fail to protect their users against malicious eavesdroppers and injection attacks.

References 1. Facebook. Facebook statistics (2010), http://www.facebook.com/press/info.php? statistics (Online; accessed 5-January-2010) 2. Gross, R., Acquisti, A.: Information revelation and privacy in online social networks (the Facebook case). In: Proceedings of the 2005 ACM workshop on Privacy in the electronic society, pp. 71–80 (2005)

Who on Earth Is “Mr. Cypher”: Automated Friend Injection Attacks

89

3. Jones, H., Soltren, J.H.: Facebook: Threats to Privacy. Project MAC: MIT Project on Mathematics and Computing (2005) 4. Bonneau, J., Anderson, J., Anderson, R., Stajano, F.: Eight friends are enough: social graph approximation via public listings. In: Proceedings of the Second ACM EuroSys Workshop on Social Network Systems, pp. 13–18. ACM, New York (2009) 5. Bilge, L., Strufe, T., Balzarotti, D., Kirda, E.: All your contacts are belong to us: Automated identity theft attacks on social networks. In: 18th International World Wide Web Conference (April 2009) 6. Jagatic, T.N., Johnson, N.A., Jakobsson, M., Menczer, F.: Social phishing. Communications of the ACM 50(10), 94–100 (2007) 7. Brown, G., Howe, T., Ihbe, M., Prakash, A., Borders, K.: Social networks and context-aware spam. In: Proceedings of the ACM 2008 conference on Computer supported cooperative work, pp. 403–412. ACM, New York (2008) 8. Huber, M., Kowalski, S., Nohlberg, M., Tjoa, S.: Towards automating social engineering using social networking sites. In: IEEE International Conference on Computational Science and Engineering, vol. 3, pp. 117–124 (2009) 9. He, X.: A Performance Analysis of Secure HTTP Protocol. STAR Lab Technical Report, Department of Electrical and Computer Engineering, Tennessee Tech University (2003) 10. Wikipedia. List of social networking websites — Wikipedia, The Free Encyclopedia (2009), http://en.wikipedia.org/wiki/List_of_social_networking_websites 11. Dwyer, C., Hiltz, S.R., Passerini, K.: Trust and privacy concern within social networking sites: A comparison of Facebook and MySpace. In: Americas Conference on Information Systems (AMCIS), Keystone, Colorado, USA (2007) 12. Facebook. Facebook asks more than 350 million users around the world to personalize their privacy (2009), http://www.facebook.com/press/releases.php?p=133917 (Online accessed March 4, 2010) 13. Felt, A., Evans, D.: Privacy protection for social networking APIs. In: 2008 Web 2.0 Security and Privacy, W2SP 2008 (2008) 14. Alexa. Site info: Facebook (2010), http://www.alexa.com/siteinfo/facebook.com# trafficstats (Online accessed January 20, 2010) 15. dpkt - python packet creation/parsing library, http://code.google.com/p/dpkt/ 16. Python mechanize library, http://wwwsearch.sourceforge.net/mechanize/ 17. Adida, B.: Sessionlock: securing web sessions against eavesdropping. In: Proceeding of the 17th international conference on World Wide Web, pp. 517–524. ACM, New York (2008) 18. Xing business network - social network for business professionals, https://www.xing. com/ 19. Jackson, C., Barth, A.: ForceHTTPS: Protecting high-security web sites from network attacks. In: Proceeding of the 17th international conference on World Wide Web, pp. 525–534. ACM, New York (2008)

Authentic Refinement of Semantically Enhanced Policies in Pervasive Systems Julian Schütte1 , Nicolai Kuntze1 , Andreas Fuchs1 , and Atta Badii2 1

Fraunhofer Institute for Secure Information Technology SIT 2 IMSS, University of Reading

Abstract. Pervasive systems are characterised by networked heterogeneous devices. To fulfill the security requirements of an application, these devices have to abide by certain policies. However, as the contingent interaction between devices in all possible contexts within evolving pervasive systems devices cannot be known at development time, policies cannot be dedicated to concrete security mechanisms which might later not be supported by the devices present in the network. Therefore, policies need to be expressed at a more abstract level and refined appropriately to suit applicable mechanisms at run time. In this paper we describe how security policies can be combined with ontologies to support such an automated policy refinement. As thereby policy decisions depend on semantic descriptions, the correctness of these descriptions must be verifiable at a later time for policy decisions to be evidential. We therefore propose Trusted Computing-based approaches on generating proofs of correctness of semantic descriptions deployed in policies.

1

Introduction

Pervasive systems are dynamic infrastructures with heterogeneous devices unpredictably joining and leaving the network. Due to their complexity and heterogeneity, traditional access-control techniques and hard-coded mechanisms for communication protection come to their limits. Policies as a form of restricted high-level programming have been used for decades to regulate access to resources and have also been adapted for use with pervasive systems. Considering the great variety of platforms present in a pervasive system, the aspect of dynamic policy refinement gains more and more importance. Policy refinement denotes the process of deviating concrete applicable mechanisms from an abstract, high-level policy definition. Only if the level at which policies are specified is sufficiently abstract, will it be possible to adapt devices and services in a way to match the policy by finding a set of rules that is tailored to the capabilities of the platform. Such a set of rules is called a refinement of a high-level policy if its effect is an instance of the high-level policy effect. The integration of Semantic Web Technology (SWT) and policies is a promising approach in order to achieve a greater degree of abstraction, thereby facilitating the specification of policies and decoupling them from the actual enforcing platform. However, it must be considered that as soon as policies rely on external knowledge bases, K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 90–102, 2010. c IFIP International Federation for Information Processing 2010 

Authentic Refinement of Semantically Enhanced Policies

91

all information contained in the knowledge bases becomes security critical and thus its correctness must be verifiable. A way to provide proof of semantic device descriptions stated in ontologies is to let devices attest their semantic descriptions. Attestation in this context provides a verifiable reporting of a platform configuration that is based on an authenticated root of trust. In this paper we propose combining semantic knowledge with policies to build a security policy architecture for pervasive systems. We further present an approach to apply attestation of properties for generating evidence of the information stored in knowledge bases in such a way that participants are able to verify the policy decision process and the semantic knowledge used in it. The paper is structured as follows: in section 2 reviews work related to ours. In section 3 we then introduce an example scenario to motivate our approach. In section 4 we give an overview of the main building blocks of our approach. Then, in section 5 we introduce the policy model used and present the integration of semantic knowledge. In section 6 we explain how the correctness of semantic knowledge can be guaranteed and section 7 concludes the paper and outlines future work.

2

Related Work

Work related to ours is concerned with the integration of SWT into policies as well as refinement of high-level policies. The integration of semantic knowledge and security policies has been recognised as a promising approach for de-coupling the implementation from the actual behavior of a system. It has been shown that semantic information can be integrated into existing policy languages like XACML and WS-Policy [3,19]. Yet, these approaches do not propose using complex class expressions as policy elements and thus do not achieve the level of flexibility as provided by our proposed approach. Examples for policy frameworks based on semantic policy representation are KAoS [18] and Rein(n) [7,5]. Rein(n) is based on rules written in the RDF-based rule language Notation3 1 and has been used in [11] to implement a policy-controlled pervasive system. KAoS represents even the policy structure itself in description logic (i. e. in DAML, the antecedent of OWL) and makes use of the Java Theorem Prover2 in order to integrate rules and variables which are not supported by plain DAML / OWL. In [16], an overview of these two approaches, as well as the policy framework Ponder2 is given. Ponder2 proposes a dedicated policy framework for pervasive systems [17,2] but does not integrate semantic knowledge. In contrast to that, the context-aware policy framework Proteus [15] features OWL for modeling context conditions which provide the basis for access control decisions. However, Proteus does not take refinements and negotiation of obligations into account. Refinement of semantic policies is considered in [6] where an approach on refining high-level policies is presented,yet, without integrating negotiation between 1 2

http://www.w3.org/DesignIssues/Notation3 http://ksl.stanford.edu/software/JTP/

92

J. Schütte et al.

multiple parties. Also, the authors focus on finding suitable web service compositions, in contrast to our approach which aims at finding appropriate security mechanisms. The aspect of policy negotiation is discussed in [8] where the authors propose a preferences model based on utility functions and description logics for agreeing on the most preferred setting. Although the authors do not consider the refinement process and focus on a slightly different setting than we do (e.g., different capabilties of endpoints are not discussed) the approach of negotiations based on individual preferences is promising and could be added as an extension to our solution. In previous work [21] we already showed how global preferences for certain policies can be used to optimize the overall system behavior in terms of security or performance.

3

Scenario

In order to illustrate the challenges we addressed we introduce the following example: imagine that Alice joins an intelligent office environment with her mobile phone A. She wants to use some of the resources provided by the environment, for example she needs to print a document using the printer in the hall. As Alice does not want anybody to intercept the document data while it is being sent to the spooler, she has set up a high-level policy polA stating that all communication to printing devices must be confidential. While most traditional policy languages would require Alice to specify which concrete actions should be taken (such as executing a certain encryption protocol), this is not possible in dynamic scenarios where at design time it is not known which actions are supported by the communication partners. Bob, the developer of the intelligent office, whishes to ensure that misuse of the printer B can be traced at a later time, so he wants clients to provide an identification that can be logged. Further, A and B have capabilities which are described in an ontology: capability cA states that A runs an OSGi platform (and is thus able to dynamically load remote software modules). Capability cB describes that the printer B is able to run a lightweight encryption protocol. In order to realize this scenario, it is necessary to integrate semantic descriptions into policies and to use them for refining the high-level policies of Alice and Bob. The refinement has to state concrete security mechanisms which can be applied to both endpoints and fulfill the constraints set by capabilities cA , cB and policies polA , polB . Additionally, in some cases it might be required to verify the correctness of the semantic annotations of A and B. As the policy refinement and therewith the resulting security mechanisms depend on the constraints set by cA and cB , Alice must be able to verify that this description is truthful as otherwise semantic descriptions that have been tampered with will lead to an incorrect refinement of the high-level policies and thus to a possibly faulty policy decision. Here, the result of the policy refinement could be an obligation instructing the phone to load a module that implements a lightweight encryption protocol and can be executed by the printer, along with an identification

Authentic Refinement of Semantically Enhanced Policies

93

protocol based on the IMEI of the phone. Although these mechanisms fulfil the requirements for confidentiality and identification, they are not the most secure solution but are rather a trade-off between the device capabilities and the security requirements. Finding this trade-off and verifying the correctness of the limiting device capabilities is the subject of our approach.

4

Building Blocks

In this section, we describe how information will be processed and which building blocks are involved. 4.1

Required Components

At first we assume devices come with a Trust Anchor (TA). The TA is a module that has the ability to attest the integrity and the state of the software running on the device by means of cryptographic signatures. It therefore measures the current platform configuration as a set of hash values of the currently running software modules and creates a blinded signature of it, called Commitment. As the integrity of the TA itself cannot be proven it has to be constructed in a way that other parties can trust its integrity, for example as a (Mobile) Trusted Platform Module (MTM, TPM), or as part of a virtualization container (i. e. integrated into a hypervisor kernel). Second, devices must further be able to communicate via the built-in TA with a Security Service. The Security Service acts as a client to the TA and will create an attestation of the properties based on the previously generated commitment that can be considered as a confirmation which guarantees that the device runs a platform that has certain properties (called capabilities in this paper) but does not reveal the exact platform configuration (c.f. mapping dev in the next subsection). Further, we assume the existence of a common knowledge base (KB) providing semantic information about devices and their capabilities as well as about security mechanisms and their properties (c.f. mapping sec in the next subsection). Although information about security mechanisms is pre-defined and does not necessarily change while the system runs, information about devices is gained from semantic annotations of the services provided by devices (e. g. by means of SAWSDL [1]) and may thus be updated or changed during run time. The policy infrastructure is based on the usual components Policy Decision Points (PDP) and Policy Enforcement Points (PEP), as described by PCIM and COPS. A PDP is a service that receives policy decision requests sent by PEPs, makes a decision about the request based on the policies stored within and sends back a policy decision. PEPs are attached to the services provided by devices and are mainly responsible for intercepting incoming and outgoing requests, sending policy decision requests to the PDP and enforcing the received policy decision using different plug-ins (Enforcement Modules). These main building blocks are connected to each other as depicted in Figure 1.

94

J. Schütte et al.

    




  

  



 

   



  



Fig. 1. High-level building blocks

4.2

Information Sources and Mappings

After having introduced the main building blocks, we now describe how information is processed by them. Knowledge Base. The knowledge base (KB) takes the form of several ontologies, among them the Device Ontology (cf. Section 5.2) and the Security Ontology (cf. Section 5.2). Besides other information, KB provides the mapping sec which assigns concrete security mechanisms s ∈ S to the security properties p ∈ P they achieve and the platform capabilities cap ∈ Cap which are required to execute them. {P : pi , Cap : capj } ← sec (S : s) Device Annotations. Other parts of the ontology, such as device-specific information, are provided at run time by the devices themselves in form of semantic annotations. These automatically generated facts must be verifiable at a later time as policy decisions depend on them. The mapping dev from a platform configuration c to the corresponding capabilities cap is denoted as {Cap : capi } ← dev (C : c) Security Policies. The security policies in our approach regulate access requests to services depending on the requesting subject, the requested service (resource) and further conditions such as current context values, where subjects, resources and conditions can be specified based on facts from the ontology. The result of a policy decision will be a binary decision (deny/permit) and a set of requirements, stating security properties pi which have to be fulfilled before the decision is enforced. A policy decision process pol can thus be denoted as the following operation pol: ([deny, permit] , {P : pi }) ← pol (subject, resource, cond) Refinement Process. Based on the mappings sec and pol we define a refinement process ref of finding a security mechanism which matches device capabilities

Authentic Refinement of Semantically Enhanced Policies

95

  




    
   











  

    

Fig. 2. Refinement and verification process

and security requirements stated by policies. The refinement process can also be formulated as a catenation of sec and pol, as shown in Figure 2: ({S : sk }) ← ref ({Cap : capi } , (subject, resource, cond)) ref = sec−1 ({Cap : capi } , pol(subject, resource, cond)) Trusted Verification. In addition to the policy refinement process, a verification process ver is needed, which allows a verifier to ensure that the semantic information used in the policy process is truthful, i. e. that the mapping dev is correct. That is, ver shall verify that a device fulfills the capabilities stated by its semantic annotation (i.e. verify an instance of dev). The verification process can be formulated as follows, where Cˆ denotes the set of attested platform configurations:   [true, f alse] ← ver Cˆ : c, {Cap : capi | 0 ≤ i ≤ m}

5

Semantic Access-Control Policies

In this chapter, we introduce the policy model that our approach relies on, provide a brief overview of the two most important ontologies of our knowledge base and describe the knowledge base is integrated into the policy decision process. 5.1

Policy Model and Decision Process

The authorisation policy model that we use is depicted by Figure 3. It is a simplification of the XACML policy model, so we were able to represent our policies in XACML syntax and use an existing policy decision engine3 (with significant modifications, though) during the prototype implementation: an AuthorisationPolicy consists of a MetaPolicy (according to XACML’s rule combining algorithm for resolving comflicts between positive and negative decisions) and a number of AuthorisationRules. Each AuthorisationRule consists of a Subject that requests access of a certain type (AccessType) to a Resource (similar to the 3

SunXACML, http://sunxacml.sourceforge.net/

96

J. Schütte et al.

    












   

   

 





 

  









  

  




Fig. 3. Model of authorisation policies

XACML target element). Although the model is not limited to any resource or access type, for the sake of clarity in this paper we limit the usage of the resource field to identify services and the access type field to four different phases of a service invocation (incoming / outgoing and request / response). Further, an authorization rule contains a condition that must be true for the rule to be applicable and an obligation that must be fulfilled before the Effect of the rule is enforced. The condition refers to context information which can be used to describe the current situation and the obligation defines actions which can be carried out by different enforcement modules. Effects supported by the policy model are either permit or deny, so that it is possible to specify positive as well as negative authorizations. By combining outgoing requests with negative authorizations, the policy model further covers refrain policies, i. e. policies that prevent a subject from sending out potentially harmful requests, for example, in order to protect it from revealing critical information to outsiders. In order to integrate semantic information into policies, we represent Subjects and Resources in Description Logic (DL) using complex class expressions formulated in OWL Manchester syntax [4]. A complex class expression is a combination of OWL classes, properties, set operators and cardinality restrictions. So, referring to the example above, Alice’s policy could describe the printer service by the complex class expression (Subject AND Printer) THAT supportsSecurityMechanism SOME SecurityMechanism THAT supportsProtectionGoal VALUE confidentiality. When a device requests to access another device, the policy decision process is as depicted in Figure 4. The request from device A to B is intercepted by A’s PEP, forwarded to its PDP where it is annotated with A’s capabilities capA , an attestation ATA of them and high-level requirements (e.g., confidentiality, in the example) and then sent to B where it is again intercepted and forwarded to B’s PDP where the following refinement process takes place: 1. Given the subject (A), the access type (call), resource (B) and further context values, the PDP retrieves B’s high-level requirements in form of security properties p from the policy. 2. P DPB extracts A’s capabilities cap from the annotated request. 3. P DPB retrieves ATA from the annotated request and verifies it as described in section 6.

Authentic Refinement of Semantically Enhanced Policies

97




.
  /    -

*
 +, -






   


  !   !"#$  $"# 
    

&
    

'
  #   (
  

%
 "#$"#  !"#






 /  ! 0  1
 /    


   
  

(
  ) 
 $ 


  

Fig. 4. Collaboration of components for policy decision process

4. Assuming the policy evaluates to permit in step (1), P DPB finds an obligation obl defining a security mechanism which refines req and cap from A and B s.t. O = SecurityP rotocol  ∃.hasObjectiveStrengthRel (i (pi ) ,  ε) 5. P DPB returns the policy decision (permit ), the obligation obl and its own attestation of properties ATB to the PEP which then sends ATB , capB and pB to A for later verification and enforces the obligation. After this process, A and B are in possession of the following values: ATA , ATB , capA , capB , pA , pB and obl. The obligation obl will be sent to and enforced by the PEP that initially triggered the policy decision. The obligation obl is a result of the constraints set by the requirements and capabilities provided by the devices. It would thus be possible for a device to announce wrong capabilities in order to manipulate the refinement process in a way that weaker, possibly vulnerable, security mechanisms are chosen as obl, for example. Therefore, it must be possible at a later time to verify the correctness of device requirements and capabilities. By using attestation certificates ATA and ATB and mapping dev provided by KB, a verifier can validate that, at the time of the policy decision, device A and B have run a platform configuration that actually provides the announced requirements and capabilities. The next section describes how these attestations can be generated. 5.2

Knowledge Model

The policy refinement process makes use of semantic information which is represented in ontologies. Ontologies model knowledge in terms of classes which are abstract descriptions of entities (e. g., SecurityProtocol ), relations beween them (e. g., X supportsProtectionGoal Y ) and individuals which instantiate these classes (e. g., OpenSSLv1 ). The ontologies in our approach include the mappings sec, defined by a Security Ontology and dev, defined by device annotations and a Device Ontology. Besides these mappings, the Security- and Device Ontologies provide further information which can be used when specifying subjects,

98

J. Schütte et al.

resources or conditions. For example, in our prototype we integrated the Pellet 2.1 reasoner in order to check whether subjects and resources contained in an access request are instance of the DL class expression stated in the policy. Device Ontology. In order to model the mapping dev we make use of the Device Ontology from the Hydra project4 which is originally based on the FIPA device ontology5 and the W3C DeliveryContext ontology6 but has been largely extended to cover the needs of pervasive systems, such as modeling energy efficiency criteria, supported software libraries, etc. Further ontologies have been created and attached to the Device Ontology, including models of QoS parameters, services descriptions and possible malfunctions. The relations and concepts and some individuals of the Device Ontology are pre-defined and fixed. Yet, as devices which are not known at design time need to be integrated into the knowledge base at run time, they provide descriptions of themselves in form of semantic annotations. The semantic annotation of a device comprises at least one individual of the main HydraDevice concept, possibly along with further properties. These semantic annotations are provided by a special service on the device and are retrieved and integrated into the knowledge base as the device joins the network. Referring to the example from section 3, the smart phone could be described by the following annotation (In Notation3. Namespaces have been omitted): : A l i c e P h o n e a : Smartphone ; : deviceId "1234"; : hasHardware [ a : D e v i c e H a r d war e ; : availableMemory 2 0 4 8 ; ] ; : hasSoftware [ a : softwarePlatform ; : h a s V i r t u a l M a c h i n e SUN Java CDC; : h a s M o d u l a r i s a t i o n FelixOSGi ; ] ; : info [ a : InfoDescription ; : friendlyName " AlicePhone " ; : m o d e l D e sc r "G1DevPhone1 . 4 " ; ] .

Security Ontology. Information about security mechanisms is represented in the Security Ontology. Its main purpose is to provide the mapping sec from high-level security properties (e. g. protection goals) to specific security mechanisms in the form of implementation modules that can be applied at run time. It further provides additional information about these modules such as CPU and memory requirements and information about assurances of their security level, as provided by third parties such as FIPS [10] or Common Criteria. The concept SecurityProtocol denotes specific software modules that can be installed and started at run time. An estimation of their resource consumption is given by the two relations requiresComputingPower and requiresMemory and their security properties are modeled by the SecurityObjective concept which describes protection goals such as authentication, confidentiality or integrity. By the ObjectiveStrengthRelation each module is assigned a protection goal and a strength 4 5 6

http://hydramiddleware.eu http://www.fipa.org/specs/fipa00091/PC00091A.html http://www.w3.org/TR/dcontology/

Authentic Refinement of Semantically Enhanced Policies

99

to which it supports this goal. That way, it can be expressed that a module is suited to achieve “high” confidentiality while it supports only “low” authenticity, for example.

6

Attestation of Properties

During the policy decision process a device claims to comply with certain properties. Each property claimed by the device refers to information in the ontologies which is the basis for policy decisions. It is therefore a requirement to authenticate devices with respect to their claimed properties in order to avoid that devices induce wrong policy decisions by claiming false properties. This section introduces different methods to ensure that devices align with the information stated about them in the ontologies, i.e. that the device annotation mapping dev is correct. As introduced, we assume that devices contain a Trusted Computing Base (TCB) that consists of a Trust Anchor (TA) and the platform on which the TA is integrated. To create an authentic statement on the trustworthiness of the particular device and the provided properties the TCB can either monitor the behavior of the system that is running in an untrusted area or provide a proof of the state of the whole device. The former requires attestation limited to a trusted part and assumes certain trust boundaries, the latter requires proof on every piece of software running on the device. The local monitoring approach assumes that a device consists of two different trusted domains. The TCB as a trusted domain must be enforced by means of, for example,a secure firmware or hardware rooted trust reporting as defined by the Trusted Computing Group (TCG) as explained below. This domain consists of the necessary infrastructure in order to monitor loading and execution of software component of the untrusted domain. Such monitoring may be implemented by several means, such as load time certificates, proof carrying code or inline monitoring. An example for load time certificate validation is Reference Integrity Metrics (RIM) certificates as defined for Mobile Trust Modules [9]. In this concept, each software component is delivered with an appropriate certificate by a trusted party that attests the integrity of the software component. A software component may therefore only be loaded into the memory of the untrusted domain, if the provided certificate refers to the code to be executed and can be verified. An extension to this concept is the provision of properties of those software components instead of a general guarantee of trustworthiness, such that a PDP may check its policies accordingly. An alternative concept that does not require data other than the software itself is provided by inline monitoring of software properties. This however requires the PDP to transform its policies into a set of enforceable properties against the actual code that introduce checking of certain constraints during runtime, e.g. by means of aspect oriented programming. The concept of the TCG, that is also required for the trusted domain of the monitoring approach, can be extended to the software component to be loaded itself. Based on a hardware root of trust, that is usually implemented within

100

J. Schütte et al.

the pre-loader of the BIOS, every program code loaded into memory is hashed and stored to a Trusted Platform Module (TPM) before execution. Accordingly, the TPM holds the complete executional sequence of the platform from boot to present. This information can be reported to other parties, providing authentic evidence of the platform configuration and hence trustworthiness. These reports have been investigated widely in the scientific community lately [13]. Also the challenges of scalability [14] and reduction of processing overhead [20] have been targeted. However, especially the challenge of protecting the privacy in terms of user identification and device fingerprinting remain open, though WSAttestation [20] and Property-Based Attestation (PBA) [12] may be utilized in that perspective and will be considered as part of our future work.

7

Conclusion

In this paper, we have presented an approach for resolving abstract security policies of multiple domains with the help of semantic knowledge. This policy refinement process finds a set of applicable security mechanisms which matches the abstract security requirements stated by a developer and at the same time complies with the capabilities and restrictions stated by devices. We have presented the structure of the ontologies used to describe devices and security mechanisms, and explained the policy resolution process. In order to verify the correctness of the device descriptions used in the policy resolution process, we have proposed using different assurance techniques based on TPM attestations. While some approaches have been proposed previously on the integration of semantic knowledge and policies, we describe an architecture that integrates access-control and communication policies within a coherent protocol. In addition we consider validating the correctness of semantic knowledge used for policy decisions by means of trusted computing functions. A software architecture realizing the solution presented in this paper has been designed and a prototype including the semantic policy model has been implemented as part of the Hydra middleware. As part of our future work we intend to extend the protocol proposed herein towards a negotiation of quality-of-service parameters based on individual preferences, building the basis for a “self-protecting” system. Further, we will consider techniques for generating proofs of the correctness of semantic information based on Property-Based Attestation. Acknowledgements. The research reported in this paper has been supported by the Hydra EU project (IST-2005-034891).

References 1. Semantic Annotations for WSDL and XML Schema. W3C Recommendation (August 2007) 2. Damianou, N., Dulay, N., Lupu, E., Sloman, M.: The ponder policy specification language. In: Sloman, M., Lobo, J., Lupu, E.C. (eds.) POLICY 2001. LNCS, vol. 1995, pp. 18–39. Springer, Heidelberg (2001)

Authentic Refinement of Semantically Enhanced Policies

101

3. Ferrini, R., Bertino, E.: Supporting RBAC with XACML+OWL. In: 14th ACM symposium on Access control models and technologies (SACMAT), pp. 145–154 (2009) 4. Horridge, M., Drummond, N., Goodwin, J., Rector, A.L., Stevens, R., Wang, H.: The manchester owl syntax. In: CEUR Workshop Proceedings. OWLED, vol. 216 (2006) 5. Kagal, L., Berners-Lee, T., Connolly, D., Weitzner, D.: Using semantic web technologies for policy management on the web. In: National Conference on Artificial Intelligence, AAAI (July 2006) 6. Klie, T., Ernst, B., Wolf, L.: Automatic policy refinement using owl-s and semantic infrastructure information. In: Proc. 2nd IEEE Int. Workshop on Modelling Autonomic Communications Environments (MACE), San Jose, US (October 2007) 7. Kagal, L.: The rein policy framework for the semantic web (2006), http://dig.csail.mit.edu/2006/06/rein/ 8. Lamparter, S., Agarwal, S.: Specification of policies for automatic negotiations of web services. In: Kagal, L., Finin, T., Hendler, J. (eds.) Semantic Web and Policy Workshop, Galway, Ireland, November 2005, pp. 99–109 (2005) 9. TCG MPWG. The TCG mobile trusted module specification. TCG specification version 0.9 revision, 1 10. National Institute of Standards and Technology. Security Requirements for Cryptographic Modules. Federal Information Processing Standards Publication 140-2 (2002) 11. Patwardhan, A., Korolev, V., Kagal, L., Joshi, A.: Enforcing Policies in Pervasive Environments. In: International Conference on Mobile and Ubiquitous Systems: Networking and Services (August 2004) 12. Sadeghi, A.R., Stüble, C.: Property-based attestation for computing platforms: caring about properties, not mechanisms. In: Workshop on New security paradigms, pp. 67–77 (2004) 13. Sailer, R., Zhang, X., Jaeger, T., van Doorn, L.: Design and Implementation of a TCG-based Integrity Measurement Architecture. In: Proc. of the 13th USENIX Security Symposium, pp. 223–238 (2004) 14. Stumpf, F., Fuchs, A., Katzenbeisser, S., Eckert, C.: Improving the scalability of platform attestation. In: Workshop on Scalable Trusted Computing (ACM STC 2008), Fairfax, USA, October 31, pp. 1–10. ACM Press, New York (2008) 15. Toninelli, A., Montanari, R., Kagal, L., Lassila, O.: Proteus: A semantic contextaware adaptive policy model. In: IEEE 2007 International Workshop on Policies for Distributed Systems and Networks (POLICY), Bologna, Italy, June 2007. IEEE Computer Society Press, Los Alamitos (2007) 16. Tonti, G., Bradshaw, J.M., Jeffers, R., Montanari, R., Suri, N., Uszok, A.: Semantic Web Languages for Policy Representation and Reasoning: A Comparison of KAoS, Rei, and Ponder. In: Fensel, D., Sycara, K., Mylopoulos, J. (eds.) ISWC 2003. LNCS, vol. 2870, pp. 419–437. Springer, Heidelberg (2003) 17. Twidle, K., Dulay, N., Lupu, E., Sloman, M.: Ponder2: A Policy System for Autonomous Pervasive Environments. In: The Fifth International Conference on Autonomic and Autonomous Systems, ICAS 2009 (April 2009) 18. Uszok, A., Bradshaw, J.: Kaos policies for web services. In: W3C Workshop on Constraints and Capabilities for Web Services (October 2004)

102

J. Schütte et al.

19. Verma, K., Akkiraju, R., Goodwin, R.: Semantic matching of web service policies. In: Proceedings of the Second Workshop on SDWP (2005) 20. Yoshihama, S., Ebringer, T., Nakamura, M., Munetoh, S., Maruyama, H.: WSattestation: efficient and fine-grained remote attestation on Web services. In: International Conference on Web Services (ICWS 2005), p. 750 (2005) 21. Zhang, W., Schütte, J., Ingstrup, M., Hansen, K.M.: A Genetic Algorithms-based approach for Optimized Self-protection in a Pervasive Service Middleware. In: Baresi, L., Chi, C.-H., Suzuki, J. (eds.) ICSOC-ServiceWave 2009. LNCS, vol. 5900, pp. 404–419. Springer, Heidelberg (2009)

Qualified Mobile Server Signature Clemens Orthacker1, Martin Centner1 , and Christian Kittl2 1

Institute for Applied Information Processing and Communications (IAIK) {clemens.orthacker,martin.centner}@iaik.tugraz.at 2 Graz University of Technology 3 evolaris next level GmbH, Hugo-Wolf-Gasse 8/8a A-8010 Graz [email protected]

Abstract. A legal basis for the use of electronic signatures exists since the introduction of qualified electronic signatures in EU Directive 1999/ 93/EC. Although considered as key enablers for e-Government and e-Commerce, qualified electronic signatures are still not widely used. Introducing a mobile component addresses most of the shortcomings of existing qualified signature approaches but poses certain difficulties in the security reasoning. The proposed server based mobile signature approach authenticates the signatory over trusted channels and assists the protection of the signature-creation data with organizational measures. As with traditional qualified signature approaches, strong authentication of the signatory to the system is ensured by two factors. Knowledge of a PIN and possession of a valid subscriber identity module card is verified over two separate communication channels. The qualified mobil server signature fulfills the requirements on secure signature-creation devices defined by the EU directive and in particular its Austrian implementation. Keywords: qualified signature, mobile signature, signature legislation.

1

Introduction

Advanced electronic signatures based on a qualified certificate and created by a secure signature-creation device, as defined in EU Directive 1999/93/EC on electronic signatures (see [1]) and referred to as qualified signatures in the following, are considered as key enablers in e-Government and e-Commerce. They provide a legal basis for transactions in online processes, while recognized standards for electronic signature formats ensure their seamless integration. However, qualified electronic signatures still lack wide-spread use in online applications and acceptance by citizens and customers. Three main factors for the low market penetration of qualified signatures have been identified in [14]: 1. Low dissemination of signature-creation devices 2. Lack of applications for electronic signatures 3. Shortfalls in existing business models We propose a server-signature concept with the signature creation being triggered via the user’s mobile phone. This mobile approach addresses the low dissemination of signature-creation devices since no costly smartcard readers are K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 103–111, 2010. c IFIP International Federation for Information Processing 2010 

104

C. Orthacker, M. Centner, and C. Kittl

required. Even if in many EU member states qualified signatures on identity- or health insurance cards are available to a large public, the lack of card readers prevents them from being used as signature-creation devices. Further, introducing mobility addresses the lack of applications identified in [14] by opening up a new field for applications of electronic signatures. Finally, insufficient business models, mainly because of too high costs for the user, are not an issue if qualified certificates can be obtained free of charge. Conformity of the proposed mobile server-signature concept with the requirements on secure signature-creation devices laid down in the EU directive on electronic signatures has been positively assessed in Austria. Signatures created in this way meet the requirements for qualified signatures as specified in the Austrian implementation [2] (SigG) and [5] (SigV) of the directive. Our proposal considers the Austrian signature legislation and does not necessarily translate directly to other national implementations of the directive. A prototype of the proposed concept has been implemented by the authors. A further implementation has been provided and operated by an Austrian certification-service provider and is available to citizens for use in e-Government applications. We conclude that the Qualified Mobile Server Signature might be a valuable enabler for qualified signatures. Signature services triggered via mobile devices have already been proposed in [12], but have so far not provided qualified signatures. Section 2 defines qualified signatures and introduces smart card based signatures as a traditional approach to qualified signatures. The combination of qualified signatures with mobile technologies is presented in Section 3 and Section 3.1 describes the proposed qualified mobile server signature scheme.

2 2.1

Motivation Qualified Signature

Article 5, 1 of EU Directive 1999/93/EC [1] implicitly defines qualified electronic signatures as advanced electronic signatures based on a qualified certificate that are created by a secure signature-creation device and comply with the requirements in Annex I, II and III of the directive. Such signatures in relation to electronic data are considered legally equivalent to handwritten signatures on paper-based data. Moreover, they are admissible as evidence in legal proceedings. Almost all EU Member States have adopted this directive, the Austrian implementation comprises the signature law [2] (SigG) and the signature ordinance [5] (SigV). Within the context of server signatures, the following parts of the directive are of special interest. The definition of advanced electronic signatures states in Article 2, 2(c) that advanced electronic signatures must be created using means that the signatory can maintain under his sole control.

Qualified Mobile Server Signature

105

Further, Annex III 1(c) requires secure signature-creation devices to ensure by appropriate technical and procedural means that the signature-creation data used for signature generation can be reliably protected by the legitimate signatory against the use of others. The Austrian signature law contains the sole-control requirement of Article 2, 2(c) literally in [2, §2 3.(c)]. Reliable protection of the signature-creation data of Annex III corresponds to the requirement on technical components to reliably prevent the unauthorized use of the signature-creation-data in [2, §18 (1)]. Apart from that, the Austrian signature law demands the signatory in [2, §21] to carefully keep the signature-creation-data. The definition of advanced electronic signatures to be created using means the signatory can keep under his sole control, does not imply the use of special hardware as signature-creation device. Appropriate access control to the signature-creation data is sufficient, whereas Annex III in general requires the use of special hardware. Further, the requirements on cryptographic algorithms used for advanced electronic signatures are in general weaker than those derived from Annex III (see [3]). In this context, it seems therefore appropriate to focus on the fulfillment of the – harder – requirements of Annex III. 2.2

Traditional Qualified Signature Approaches

According to [1, Art.3.4] of the directive, a secure signature-creation device’s conformity with Annex III shall be determined by appropriate public or private bodies designated by the Member States. To support these bodies, the Commission publishes reference numbers of recognized standards for electronic-signature products. Secure signature-creation devices are considered to conform with Annex III if they comply with one of these standards, which is however not a mandatory prerequisite. So far, the only published standard defining requirements for secure signature-creation devices in accordance with the directive is [8]. Many EU member states have already rolled out signature cards providing citizens with qualified signatures. These smartcards conform to the requirements of Annex III of the directive, in some cases due to their compliance with [8]. Usually, signature generation on such cards is protected by a personal (something the signatory knows) and a technical (something the signatory possesses) factor. In particular,the signatory has physical control over the card and can keep the signature creation PIN secret. Further, the signature-creation data is stored on the smart card only and it is technically assured that it cannot be read from the card’s chip. Reliable protection of the signature-creation data also involves protection of the data used to authenticate the signatory to the signature-creation device. For signature card approaches, [8] demands a trusted channel from the human interface for pin-entry up to the device itself. Many SSCD implementations map this requirement on their environment to the responsibility of the user to utilize the signature card in a trusted environment only. Card readers with a pinpad

106

C. Orthacker, M. Centner, and C. Kittl

help in assuring that the signature creation PIN is not intercepted by malicious software, but they cause significantly higher costs for the user and their use is not mandatory in many member states. A major requirement for electronic signatures in e-Government is their seamless integration in online processes. Different approaches are employed to make card based qualified signatures available to (web) applications. A common solution is to provide users with a middleware for smart card access and abstraction. Applications communicate with this middleware via a defined high-level interface. Austria defines a webservice-like interface to a technology neutral signaturecreation device ([10]). Other conceivable implementations of secure signature-creation devices involve signature creation on mobile phones and server-signature services. Until now, there is however no published standard available to indicate conformity of such a solution to the requirements of the directive. [7], providing explanatory support for [8] however explicitly mentions the possibility to implement server signature or mobile phone based SSCDs.

3

Mobile Qualified Signatures

Combining qualified signatures with mobile technologies might open new fields of application for electronic signatures. Mobile signatures thus address the lack of applications identified in [14] as one of the reasons for the low usage for qualified signatures. For example, bank transactions effected on mobile devices with mobile TAN schemes are already widely adopted. Authorizing these transactions with qualified signatures would provide a better legal basis while providing a similarly high level of usability. The low dissemination of signature-creation devices, another major reason for the low market penetration of qualified signatures identified in [14], is not valid for mobile qualified signatures, neither. Mobile signatures designate electronic signatures where at least the signatory employs a mobile device and at least part of the signature- or certification services is provided over a mobile carrier network (see [13]). The actual signature creation does not necessarily have to take place on the signatories handset. In general, client- and server based mobile signatures are distinguished, depending on where the signature is created. Qualified signature creation on mobile devices requires dedicated cryptographic functionality and secure storage of the key on the subscriber identity module (SIM) card or a designated second card holding the signature-creation device. A software signature-creation application running on a mobile device does not fulfill the requirements of Annex III of the directive since (according to [7, Section 6.2.1]) at least part of the secure signature-creation device must reside in hardware in order to account for all possible threats on the signature-creation data. Embedding the signature-creation device on the SIM card requires integration of certification provider services within the mobile carrier’s infrastructure. This has significant drawbacks for the user and yields organizational difficulties that mobile carriers are unlikely to be willing to take (see [14]). Dual slot

Qualified Mobile Server Signature

107

devices on the other hand allow the separation of certification service provider and mobile carrier but are unfortunately not widely used. Server based signatures are in general considered not to fulfill the requirements of Article 2, 2(c) of the directive. Advanced electronic signatures are required to be created by means the signatory can maintain under his sole control but with server based signatures, it is often claimed, the signatory obviously gives away control over the signature-creation data (see [13], [9]). Note however that the requirement for sole control does not imply the use of special hardware as signature-creation device (see [3]). Further, the authors of [4] argue that a suitable security concept and corresponding system configuration may allow the user of a server based signature service to maintain control over his key. In order to decide whether the security measures taken by such a service are sufficient, the signatory has to have access to a comprehensible version of the employed security concept and confidence that the service provider sticks to that security concept. The latter may be supported by a trusted auditor or supervisory authority. The requirement of Annex III, 1(c) on secure signature-creation devices to reliably protect the signature-creation data implies a sufficiently strong authentication mechanism and the protection of the authentication data from the user interface to the signature-creation device (see [4]). Still, [7] states that the directive does not explicitly prohibit a server based signature-creation device. The protection profile defined in [8] however does not cover all relevant issues such as user authorization, user intentions and message display in such a system appropriately. In particular, trusted paths between the user interface, the signature-creation application and the signature-creation device have to be assured. Accordingly, the Austrian signature law (SigG) lays down security requirements on technical components and processes where it requires the reliable prevention of unauthorized use of the signature-creation data ([2, §18 (1)]). The Austrian signature ordinance, governing the implementation of the Austrian signature law, however states in [5, §6 (3)] that in controlled surroundings, the security requirements on technical components and processes may be accomplished with organizational measures by using qualified and trustworthy personnel and by adopting adequate access control measures. Designated bodies must confirm the fulfillment of these security requirements. Thus, organizational measures may assist in the fulfillment of the requirements of Annex III on secure signature-creation devices. 3.1

Mobile Server Signature

A SigG-compliant server signature may rely on organizational measures in combination with appropriate user authentication over trusted channels to meet requirements on advanced electronic signatures of Article 2, 2(c) and on secure signature-creation devices of Annex III, 1(c). We propose a server-signature concept, in the following referred to as Mobile Citizen-Card, that protects the signature-creation data by two factors. Similar

108

C. Orthacker, M. Centner, and C. Kittl

to smart card based signatures, these comprise knowledge of a PIN. Unlike traditional qualified signature approaches, however, the technical factor possession of a signature-card is replaced by the possession of a registered subscriber identity module (SIM) card. The requirements on the signatory’s local environment therefore reduce to a web browser for the communication with the server-signature application and an intact second communications channel via a mobile carrier network. There is no card reader or dedicated software needed on the client side. The proposed server-signature concept relocates the secure signature-creation device from the signatories local environment to a server-side hardware security module (HSM). To compensate for this increased physical distance, the serversignature relies on two separate communication channels for performing the authentication of the signatory. The factor possession is ensured by relying on the mobile carrier network’s ability to securely address a subscriber identity module. 3.2

Signature Creation

The server-side secure signature-creation device holds the signing keys of all registered users. Upon receipt of a signature creation request, the user is first prompted for a decryption-PIN to unlock the signature-creation data. At this stage the signature-creation data is still protected by the secure signature-creation devices’s master key. A text message containing an authorization code is sent to the user’s mobile phone. Only after the user has entered this authorization code on the server signature’s web interface, the requested signature is created. Given that hardware security modules are in general not able to securely store a large number of secret keys, the signing keys are protected as follows. A user’s priv private signing key Ksig is created onboard a hardware security module (HSM) and secured with a key-wrap algorithm using the system’s AES master key M K. Since the master key is securely stored on the HSM and the key wrapping is performed on the HSM, the signing key never leaves the HSM unencrypted. It pub is further encrypted with a public key Kuser registered for the user within the system. priv EKsig = encryptKuser pub (wrapMK (K (1) sig )) priv pub , corresponding to Kuser is secured using AES in counter The private key Kuser with CBC-MAC (CCM) mode (see [16]) with a decryption key derived (see [11]) from the decryption PIN, known only to the user. sym Kpin = derive(P IN )

EKuser =

priv sym (K encryptKpin user )

(2) (3)

pub EKsig , EKuser and Kuser are stored within the system’s database and retrieved sym with the user’s registered mobile phone number. The decryption key Kpin is again derived from the user’s pin-entry and used to decrypt the user’s private user key Kpriv . Since this is done in CCM mode, the user key’s authenticity and therefore the correctness of the PIN entered can be verified. Finally the wrapped signing key EKsig,MK can be retrieved and passed to the HSM for decryption and signature generation.

Qualified Mobile Server Signature

3.3

109

Security Considerations

The proposed server signature introduces TLS-secured trusted channels from the user interface to the signature-creation application and from the signaturecreation device to the mobile carriers interface for sending text messages. The publicly available signature service introduces appropriate measures to avoid brute-force attacks on user’s PIN, such as introducing delays or blocking the PIN. The signature-creation application and the signature-creation device are operated within a controlled environment and appropriate organizational measures are being taken to ensure a trusted environment for these parts of the server signature system. In particular, it is not possible for an attacker to obtain the decrypted (but still wrapped) key, pass it to the signature-creation device and sniff the generated authentication code. When transmitted to the signatory, the authentication code is protected by GSM security measures and returned back to the service via a TLS connection. GSM text message security constitutes probably the weakest link in the protection of the authentication data; several attacks on GSM encryption are known. Note that for the proposed server signature scheme, caller-Id spoofing is not an issue since the user does not actively send text messages. In order to ensure the data to be signed (DTBS) is not altered after being transmitted to the signature-creation application, the digest value is sent to the user along with the authentication code and may be compared with the digest value displayed by the service. More powerful mobile devices may even calculate the digest value themselves from the DTBS obtained from the (authenticated) service. It is within the responsibility of the user to verify the authenticity of the service’s certificate in order to prevent an attacker from intercepting the authentication data and avoid man-in-the-middle attacks. Further, the signatory must carefully compare the digest values to prevent an attacker from altering the to be signed data. A comprehensible security concept of the server signature must be available to the signatory and confidence in the service operator must be established by an independent audit. Compared to the responsibility of the signatory to ensure a trusted local environment (free of malicious software) for smart card based qualified signatures these requirements do not seem too difficult to accomplish.

4

Conclusions

The proposed server-signature scheme fulfills the requirements laid down by [1] on qualified signatures and provides mobile signature experience by using mobile one-time codes for authorizing the signature creation. The signature service relies on a combination of technical and organizational measures to accomplish the security requirements on technical components and processes, and the signaturecreation data in particular. While storage and application of the signaturecreation data is secured by technical means, the signature service partly relies on organizational measures to authorize access to components. These measures assure that the signature-creation data can be reliably protected by the legitimate signatory against the use of others.

110

C. Orthacker, M. Centner, and C. Kittl

Similar to card based qualified signatures, the signature creation is protected by knowledge of a PIN and possession of a physical token. The signature-creation data stored on the server is secured with a decryption PIN, known to the signatory only, and the system’s master key, both of which can be reliably protected by organizational measures. Unlocking of the master key requires the signatory to prove possession of his subscriber identity module (SIM) card. This involves a second communications channel, which compensates for the physical distance of the secure signature-creation device residing on the server part and the user interface on the client side. A proof-of-concept prototype of the proposed server-signature concept has been implemented by the authors, based on the signature-creation middleware project MOCCA ([6]). Pursuing the proposed concept, a second implementation has been developed by an Austrian certification service provider and is being operated since November 2009. The service is publicly accessible for registration1 and test requests submission2 . This server based signature service has been determined by the Austrian assessment body A-SIT to be compliant with the requirements on secure signature-creation devices of Annex III. The results of this assessment are publicly available at [15]. Therefore, according to Article 3, 4 of the EU directive, the conformance of the proposed solution with Annex III has to be recognized by all EU Member States. Since the service is operated by the only Austrian certification service provider issuing qualified certificates, no additional measures need to be taken to strengthen users’ confidence that the operator sticks to the security concept (as requested in [3]). Qualified certificates for use with this server signature are provided free of charge and the the signatory is not charged for mobile carrier services for the authorization text messages. The third major reason for the low market penetration of qualified electronic signatures, weak business models, therefore is not valid for this signature service. The mobile server signature approach accounts for all major shortcomings of qualified signature schemes identified in [14].

References 1. Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures (December 13, 1999), http://eur-lex. europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2000:013:0012:0020:EN:PDF 2. Bundesgesetz u ¨ber elektronische Signaturen (Signaturgesetz - SigG), StF: BGBl. I Nr. 190/1999 (1999), http://ris.bka.gv.at:80/GeltendeFassung.wxe?Abfrage=Bundesnormen& Gesetzesnummer=10003685 (NR: GP XX RV 1999 AB 2065 S. 180.BR: AB 6065 S. 657.) 3. Working Paper on Advanced Electronic Signatures (2004), http://www.fesa.eu/public-documents/ WorkingPaper-AdvancedSignature-20041012.pdf 1 2

https://www.a-trust.at/mobile/ https://www.a-trust.at/mobile/https-security-layer-request/test.aspx

Qualified Mobile Server Signature

111

4. Public Statement on Server Based Signature Services (2005), http://www.fesa.eu/public-documents/ PublicStatement-ServerBasedSignatureServices-20051027.pdf 5. Verordnung des Bundeskanzlers u ¨ber elektronische Signaturen (Signaturverordnung 2008 SigV 2008), StF: BGBl. II Nr. 3/2008 (2008), http://ris.bka.gv.at: 80/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=20005618 6. Centner, M., Orthacker, C., Bauer, W.: Minimal-Footprint Middleware for the Creation of Qualified Signatures. In: Proceedings of the 6th International Conference on Web Information Systems and Technologies, pp. 64–69 (2010) 7. Comit´ee Europ´een de Normalisation (CEN): Guidelines for the implementation of Secure Signature-Creation Devices (June 2002), ftp://ftp.cenorm.be/PUBLIC/ CWAs/e-Europe/eSign/cwa14355-00-2004-Mar.pdf 8. Comit´ee Europ´een de Normalisation (CEN): Secure Signature-Creation Devices ”EAL 4+” (2004), ftp://ftp.cenorm.be/PUBLIC/CWAs/e-Europe/eSign/ cwa14169-00-2004-Mar.pdf 9. Fritsch, L., Ranke, J., Rossnagel, H.: Qualified mobile electronic signatures: Possible, but worth a try? In: Proceedings of Information Security Solutions Europe (ISSE) 2003 Conference. Vieweg Verlag, Vienna (2003) 10. Hollosi, A., Karlinger, G.: The Austrian Citizen Card, http://www.buergerkarte. at/konzept/securitylayer/spezifikation/20040514/introduction/ Introduction.en.html 11. Kaliski, B.: PKCS #5: Password-Based Cryptography Specification Version 2.0. RFC 2898 (Informational) (September 2000), http://tools.ietf.org/html/rfc2898 12. Mobilkom Austria AG & Co KG: Certificate Policy f¨ ur A1 SIGNATUR Zertifikate f¨ ur Verwaltungssignaturen nach E-Government- Gesetz, E-GovG (2004), http://www.signatur.rtr.at/repository/ csp-mobilkom-cp-a1signatur-13-20040423-de.pdf 13. Ranke, J., Fritsch, L., Roßnagel, H.: M-Signaturen aus rechtlicher Sicht (2003) 14. Roßnagel, H.: Mobile qualifizierte elektronische Signaturen. PhD thesis, GoetheUniversit¨ at Frankfurt a.M (2008) 15. Secure Information Technology Center Austria (A-SIT): Sichere Signaturerstellungseinheit der A-Trust f¨ ur die mobile Signatur bestehend aus HSM und HSM Server (2009), http://www.a-sit.at/pdfs/bescheinigungen_sig/1087_ bescheinigung_mobile_signatur_final_S_S.pdf 16. Whiting, D., Housley, R., Ferguson, N.: Counter with CBC-MAC (CCM). RFC 3610 (Informational) (September 2003), http://tools.ietf.org/html/rfc3610

Fraud Detection in ERP Systems Using Scenario Matching Asadul Khandoker Islam1, Malcom Corney1, George Mohay1, Andrew Clark1, Shane Bracher2, Tobias Raub2, and Ulrich Flegel2 1

Queensland University of Technology, Australia {a.islam,m.corney,g.mohay,a.clark}@qut.edu.au 2 SAP Research {shane.bracher,t.raub,ulrich.flegel}@sap.com

Abstract. ERP systems generally implement controls to prevent certain common kinds of fraud. In addition however, there is an imperative need for detection of more sophisticated patterns of fraudulent activity as evidenced by the legal requirement for company audits and the common incidence of fraud. This paper describes the design and implementation of a framework for detecting patterns of fraudulent activity in ERP systems. We include the description of six fraud scenarios and the process of specifying and detecting the occurrence of those scenarios in ERP user log data using the prototype software which we have developed. The test results for detecting these scenarios in log data have been verified and confirm the success of our approach which can be generalized to ERP systems in general. Keywords: Fraud Detection, Enterprise Resource Planning, ERP Systems, Signature Matching.

1 Introduction Enterprise resource planning (ERP) systems provide complete automation of the business processes of an organization. Users within the organization operate the system to carry out day-to-day transactions such as financial, HR, and inventory transactions. Although ERP systems invariably provide controls, such as Segregation of Duties (SoD) to prevent different kinds of fraud, these are insufficient, and it is necessary also to deploy detection mechanisms. The two major reasons for this are, firstly, that organizations may not switch on the controls, and secondly constant monitoring is required for occurrences of fraudulent activities for which controls are not provided. Indeed, in the case of SMEs (Small and Medium Enterprises), this is in many cases a deliberate decision since the size of the enterprise makes it impossible to assign different conflicting duties to different people. While auditors examine transaction log files of ERP systems for the detection of any suspicious user activities, the fact is that ERP systems generate millions of transaction records making it impossible to guarantee the detection of all suspicious behavior, and certainly not in a timely manner. K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 112–123, 2010. © IFIP International Federation for Information Processing 2010

Fraud Detection in ERP Systems Using Scenario Matching

113

A fraud scenario can be defined as a set of user activities that indicates the possible occurrence of fraud. The objective of the research work described in this paper is to design and develop a framework that enables us to define fraud scenarios and then to test for the existence of such scenarios in ERP system transaction logs. We describe the fraud scenario specification language and the detection framework and its evaluation. Our prototype system provides a user-friendly tool for defining fraud scenarios and searching for those scenarios. Although the design is applicable to transaction log files generated from any ERP systems, throughout our research we use transaction log files from SAP systems.

2 Related Work In the field of Intrusion detection, one of the two fundamental strategies used to detect malicious computer activity is misuse detection, also known as signature matching. Misuse detection searches for patterns of computer activity (‘signatures’) in network and/or audit data which are known to signify security violations. The signatures in an intrusion detection system (IDS) are similar in concept to what we are structuring here - fraud scenario specifications. Our goal is to search for known fraud scenarios in the transaction logs of ERP systems. This is in contrast to statistical analysis techniques, techniques such as regression analysis, correlation analysis, dispersion analysis and use of Benford’s Law to mention a few, which identify irregular or statistically inconsistent data ([1], [2]). Some notable works for structuring signatures for IDS are: [3,4,5,6]. We note also the description of a semantic model for signatures or event patterns [7]. Most of the proposed signature specification languages try to make the language as comprehensive as possible. From careful examination, it can be observed that every language has been built with a specific problem domain in mind. Among the popular signature languages, STAT [3], USTAT [8], and NetSTAT [9] are based on a state transition model whereas EMERALD [10], CAML [11], and CARDS [12] are based on an event-based model. Both types of model have been commonly used for proposals to represent and detect multi-step attacks. Most have not been implemented in a form which makes them generally useful. Even when implemented, such languages are typically underspecified and difficult to use, and have been tested with test scripts and experimental programs for experimental research outcomes only. The very few, including the improved STATL [13] and CAML [11], for which the authors claim language completeness, are complicated to work with and not generalizable so as to be applicable to a different domain e.g. fraud detection. Specifically, the enhanced version of STATL [13] adds flexibility to the original STATL design but, at the same time, adds more complexity for writing signatures. Signature writers must have an intimate understanding of system states and transitions, and carefully choose appropriate system transitions when specifying the components of a signature. A similar situation prevails for the few other languages which might at first sight be considered to be candidates for generalizing to the domain of fraud detection. In addition, language specific compilers are required in each case and these are again not readily available.

114

A.K. Islam et al.

More importantly, while there are similarities between fraud scenario detection and intrusion signature detection, there are also important differences. Fraud activity scenarios are concerned with the high-level interactions of a user with financial data rather than with the low-level events or states of the computer system itself. There is a corresponding greater degree of system independence in the case of fraud detection, and this can in turn be exploited by more easily separating out abstract or semantic aspects of fraud signatures from configuration aspects such as, for example, event timeout thresholds. For instance, stateful network IDS signatures may take into account system aspects such as network bandwidth or hardware sensor type, but such basic parameters have no part to play in the case of fraud detection. One of our objectives is to give the auditor a simple, user-friendly interface and tool for writing new fraud scenarios as well as changing existing ones. Auditors can select the scenario to search for in the log, and if not satisfied with the result they can change the scenario specification and criteria to examine more specific results. This highlights another difference from signature detection in IDS: our fraud detection system is able to exploit the benefits of post-hoc (non-realtime) investigation. As a result of the above, we have developed a fraud scenario specification language specific to our requirements for fraud detection which provides the necessary features.

3 Signature Language, Scenarios and Scenario Detection In this section we describe how our signature specification language relates to work in intrusion detection, provide examples of some of the fraud scenarios used to test and evaluate both the language and the scenario detection mechanism we have developed, and describe some of the detailed semantics of our language. Our language generally follows the criteria for attack signature languages described in [7] and in [14, 15, 16], but it is specialized for fraud detection. The following section provides details of the language and compares the structure of the proposed scenario specification language with the signature requirements described by Meier [7]. The requirements are described in [17]. Note that in terms of the analogy between IDS misuse languages and fraud scenario languages, the term event in IDS corresponds to the term activity, transaction or component (we use these terms interchangeably) in fraud scenarios. In Meier's paper, the author describes a list of semantic requirements for modeling misuse scenarios. Our requirements to model fraud scenarios are not exactly the same as needed for misuse signatures, but similar in concept. Meier defines the requirements for ad-hoc investigation. However, in our case we consider the post-hoc investigation on transaction log data. We compare the semantics of our fraud scenario language with Meier’s requirements for modeling misuse scenarios. Meier’s work [7] adopts Zimmer’s model [18]. By comparing with that model, the requirements of “sequence” and “disjunction” have been fulfilled by the “Ordered” attribute of our proposed signature specification. Simultaneous activities imply components with identical occurrence time. The proposed language supports “simultaneous” activities. When two activities happen at the same time, the process considers them in random order. The process examines one transaction log data file, but it is possible to generate

Fraud Detection in ERP Systems Using Scenario Matching

115

the log data from multiple sources. In that case, time stamp is used to maintain the “simultaneous” feature. The “continuity” semantics of a misuse model define, whether between three consecutive steps of the event types A, B, and C an event c is allowed to occur between events a and b, and if event a may occur between b and c. This semantics is supported in the proposed scenario language and specified using the “Ordered” attribute. Also “repetition”, “context conditions”, “step instance selection” and “step instance consumption” are well supported in our scenario language. 3.1 Composition and Fraud Scenarios – An Example In our model, “composition” is considered as a basic building block and theoretically an unlimited level of composition is allowed. Composition is a fundamental requirement, of the language, a static feature which is needed in order to easily represent the hierarchical nature of activity. For example, the scenario ‘Redirected Payment’ or 'S01' described in Table 1 and Fig. 1 uses two scenarios 'Change_Vendor_Bank' and 'Pay_Vendor' with a few additional parameters to specify the 'sequence' requirement and 'interval' requirements. In this scenario, 'Change_Vendor_Bank' and 'Pay_Vendor', are the components of the scenario 'S01'. Table 1. Sample Scenario 'S01': Redirected Payment Description. The intention of this fraudulent behavior is to make a payment in such a way so that the payment goes not to the vendor's actual account but to a re-directed account. The scenario involves making payments to a vendor account after changing the bank account details of the vendor to a different account, and then after payment changing the bank details back. Details. For ‘changing of vendor's bank details’ we found three transaction codes (‘FK02, 'FI01', 'FI02') are used for this activity. The scenario, which we call ‘Change_Vendor_Bank’, will be the existence of any of these transaction codes in the log. Similarly, another scenario, ‘make payments to vendor’ is the existence of any of the four transaction codes ('F-40', 'F-44', 'F-48', ‘F-53’) found in the transaction log, and we call this ‘Pay_Vendor’.

Change_Vendor_Bank

FK02

FI01

FI02

Pay_Vendor

F-40

F-44

F-53

S01: Redirected Payment

F-48

Change_Vendor_Bank

Pay_Vendor

Change_Vendor_Bank

Fig. 1. Structure of the fraud scenario 'S01'

3.2 Scenario Specification and Semantics We use XML to specify and store scenario definitions in a file referred to as the “Scenario Definition File” (SDF). XML is used because it is a simple text format file which supports hierarchical structure for storing complex data and there are built-in engines/libraries for XML in most of the popular development tools. Our fraud scenario specification language takes many ideas from [10]. Broadly, the structure of a fraud scenario consists of: Name and Description, list of Components,

116

A.K. Islam et al.

Attributes and Scenario rules. Name is unique for each scenario. A scenario used as a component in another scenario is referred to by its name. Each scenario consists of a collection of components. A component is a transaction (extracted from a transaction log) or any already defined scenario. Each component has component level attributes such as “Order” to maintain sequence of components and “Name” to specify the name of the scenario. There are other optional attributes such as “Timeout” to specify the time the component will be active to take part in the scenario, “Required” to make the component mandatory or optional, and “TimeMin” to specify the minimum time required for the component to be active. Scenario attributes hold the values required to specify other aspects of the scenario which defines the behavior and characteristics of the scenario. The minimum or maximum intervals allowed between components are defined in three levels: default, scenario and component level. Component level attribute values override default and scenario level attribute values. Default values are used when there is no value specified in the definition. The scenario level interval value applies between all components and the component level value applies between two specific components. “Duration” applies as a condition for maximum time for the whole scenario to complete. Intervals and durations have an optional attribute “Tolerance” which can be used for flexibility. “Required_Components” is the minimum number of components required from the component collection to match the activity pattern of the fraud scenario. “Ordered” is used to specify whether the components should be present sequentially or not. “Maximum Repetition” is used to specify the maximum number of repetitions allowed and “Minimum Repetition” is to specify the minimum number of repetitions required within the time specified in “Duration”. The repetition is not for individual components rather it is for the pattern. Additional conditions may be necessary for defining a scenario. For example, a scenario may need to be defined as the event sequences performed by the same user. In that case, a “same user” condition can be added to the definition. These types of condition are defined using “Match” in the scenario structure. If there are multiple scenario rules present, optional match operators are used to define which operator, “AND” or “OR”, will be used between them. 3.3 Fraud Scenarios We have described scenario ‘S01’ in Section 3.1 and we now describe other fraud scenarios. This section describes scenarios ‘S02’ and ‘S03’ in the same format used for scenario ‘S01’. We do not describe scenarios ‘S04’, ‘S05’ and ‘S06’ in the same detail because scenarios ‘S01’, ‘S02’ and ‘S03’ cover all the features of the model. It should be noted that occurrences of these scenarios do not always confirm fraud; rather they identify the possible occurrence of fraud and raise a red flag. Sample Scenario ‘S02’. False Invoice Payment (Invoices created, approved and payment; any two of these activities performed by the same user). Description. The intention of this fraud is to make a false payment for one’s own benefit. This can happen when there is lack of segregation of duties. In this scenario, we specify three activities; create an invoice, approve that invoice and make the

Fraud Detection in ERP Systems Using Scenario Matching

117

payment. If any two activities have been done by the same user on a specific invoice, we consider that a possible fraud. Details. We build the ‘Create_Invoice’ scenario by defining the presence of either of two transaction codes, ‘FB60’ or ‘’MIRO’, in the transaction log which are indicative of the ‘create invoice’ activity. The second activity ‘approve invoice’, is indicated by transaction code ‘MRBR’ and we will use this transaction code without building a separate scenario for it. For the third step ‘make payment’, we have already defined the scenario ‘Pay_Vendor’ as part of scenario ‘S01’. Sample Scenario ‘S03’. Misappropriation (Purchase order and purchase approval by the same user) Description. This fraud scenario also arises because the failure to implement segregation of duties correctly. The fraud is the result of misappropriation of company capital. When a user is allowed to make purchase orders and also has the privileges to approve them, there is a possibility of making the purchase of private possessions. Details. For the first activity we found five transaction codes (‘ME21N’, ’ME25’, ‘ME58’, ’ME59N’, ‘ME22N’) all referring to the same activity. We build a scenario ‘Create_PO’ which is the existence of any one of these transaction codes in the log. For the second activity we found two transaction codes (‘ME29N’, ‘ME28’) and we build a scenario ‘PO_Approval’ for this activity. The fraud scenario ‘S03’ is the sequence of these two scenarios on the same purchase order by the same user. Sample Scenario ‘S04’. Non-purchase Payment (Purchase order or good received; any one of these activities and creating invoice by the same user). Sample Scenario ‘S05’. Anonymous Vendor Payment (Create or modify vendor master and create invoices to that vendor by the same user). Sample Scenario ‘S06’. Anonymous Customer Payment (Create or modify customer records and grant credit to that customer by the same user). 3.4 Scenario Detection In summary, the scenario detection process finds the definition of known fraud scenarios from the Scenario Definition File and searches for the existence of this scenario in the transaction log of the ERP system. To make the detection process independent and applicable to the different transaction log structures of different ERP systems, before feeding the log into the process a tool named “Anonymizer tool” is used to convert the data into a pre-defined format and to anonymize sensitive information with a consistent one-way hash function to maintain privacy requirements. The process imports the formatted data to a database against which it can run SQL queries. We use the MySQL database for this purpose. Fig. 2 shows the workflow of the detection process. The Scenario Detection process has five distinctive tools. “Scenario tools” extracts the scenario definition from the SD file, takes the default values and other

118

A.K. Islam et al.

configuration information from “Configuration tools”, and generates output as a “Scenario Definition Object”. “SQL generator” generates the SQL query from the “Scenario Definition Object”. “Query resultset” tool sends the SQL query to the database and gets the result. “Configuration tools” is for communicating with the configuration files which store application related information, database connection parameters and scenario default values.

Fig. 2. Workflow of the detection process

The result-set contains a set of matched scenario patterns from the transaction log. Each set or row contains the identification of each component in the search pattern. From that identification, it is possible to locate them in the actual transaction log. The “Analysis Tool” acts as a reporting service and is used to generate summary reports from the result-set.

4 Implementation The fraud detection process includes generation of fraud scenario definitions and the detection of fraudulent activities by matching the transactions recorded in transaction logs. Our prototype software allows users to generate and edit scenarios, and to parse, anonymize and import transaction log data into a database. The software generates SQL queries from scenario definitions and then sends the query to the database. In this section, we describe the process of extracting transaction log data from an SAP system and the process of scenario detection using the prototype software on that data. 4.1 Data Preparation We extract application log data from SAP system logs. There are some common fields extracted for every activity, e.g. date and time, user etc. as well as some fields extracted only for specific activities, e.g., for the ‘change vendor bank details’ activity we extract the vendor identification number or VendorID. From the various log data, we build the combined log table, described in Table 2, which holds data for all activities. The fieldset of the table described is the combination of fields required for all scenarios and the RowIdentity field, which holds a serial number to uniquely identify each record. We cannot use the timestamp values for this purpose as multiple transaction records may exist in the log for one user activity meaning it is possible to have multiple records with the same timestamp value.

Fraud Detection in ERP Systems Using Scenario Matching

119

Table 2. Fieldset of final transaction log table

1 2 3 4 5 6 7 8 9 10

Field Name RowIdentity DateTime Transaction Code User Terminal VendorID InvoiceNo PRNumber PONumber CustomerID

Description Row identification number. The timestamp value when the activity occurred. This is code identifies user activity. There could be multiple codes for a single activity. User name or identification who performed the activity. Terminal identification from which the user performed the activity. Vendor identification number. When activity related to Vendor. Invoice number when the activity is related to any payment. Purchase requisition number for purchasing activity. Purchase order number for purchasing activity. Customer identification for customer related activity.

4.2 Data Sources The information in Table 2 is readily obtained and we illustrate this below with examples. In SAP systems payment information is stored in the table BKPF: Accounting Document Header and BSEG: Accounting Document Segment. BSEG has the corresponding Accounting document number as in BKPF, and Account number of the vendor. From these two tables we can extract the transaction data necessary for the activity described above as ‘payment to vendor’. The Security Audit log in SAP systems logs each user’s activity. By matching user name, transaction code and time with activities in the BKPF table and Security Audit log it is possible to extract the terminal information. Fig. 3 describes the transaction data extracted from these two tables for vendor payment activity. In SAP systems, all vendor master record information is stored in three tables: LFA1, LFB1 and LFBK. The change logs for the master records are stored in two tables – CDHDR: Change Document Headers and CDPOS: Change Document Items. These tables record the changed values and the user name of the person responsible for changing the document, along with the date and time of the change and the transaction code used to make the change. The table LFBK holds banking details for vendors so using CDPOS and CDHDR we can extract transactions made when vendor bank details are changed. Fig. 3 explains the process of extracting the activity ‘change vendor bank details’ from these two tables.

5 Testing The fraud detection system - architecture and software - that we have designed and developed comprises several different components as illustrated in Fig. 2. To verify that our software framework generated the correct SQL queries, we hand coded SQL queries for all the scenarios described previously and matched them against those generated by the software.

120

A.K. Islam et al.

BKPF MANDT: Client BUKRS: Company Code BELNR: Accounting Document Number CPUDT: Entry Date CPUTM: Entry Time TCODE: Transaction Code USNAM: User Name Join with: BELNR, MANDT, BUKRS BSEG MANDT: Client BUKRS: Company Code BELNR: Accounting Document Number LIFNR: Account Number of Vendor Join with: CPUDT/Date, CPUTM/Time, USNAM/User and TCODE/ Transaction Code

x x x x x

DateTime TransCode User VendorID Terminal

Security Audit Log Date Time User Transaction Code Terminal

CDHDR MANDANT: Client UDATE: Creation date of the change document UTIME: Time changed TCODE: Transaction in which a change was made USERNAME: User Name of the person responsible CHANGE_IND: Application object change type (U, I, E, D) OBJECTCLAS: Object class OBJECTID: Object value Join with: BELNR, OBJECTCLAS, OBJECTID When TABNAME = ‘LFBK’ and OBJECTCLAS = ‘KRED’ Join with: UDATE/Date, UTIME/Time, USERNAME/User and TCODE/ Transaction Code

CDPOS MANDANT: Client OBJECTCLAS: Object class OBJECTID: Object value TABNAME: Table Name TABKEY: Change table record key FNAME: Field Name

Fig. 3. Data extraction for activities from SAP System

The prototype system runs the SQL statements generated by our software on the combined log table described earlier. Unfortunately it has been difficult to obtain real data for reasons to do with confidentiality and privacy, although we are currently discussing such possibilities with one large international company. For some of our testing we have used data from QUT’s student SAP system which is implemented for teaching purposes but the data in this system while generated through real activities, is somewhat limited. As a result, we have adopted an approach utilizing synthetically generated data for our evaluation. This is described below. 5.1 Generating Test Data One possible approach to the use of synthetically generated test data for evaluation is to generate clean data containing no fraudulent activity and then to insert fraudulent activity. We have adopted a slight variation of this approach which to some extent deflects the criticism that it is naturally easy to detect what has been deliberately inserted for the purpose of detection. Our approach is based on generating transactions at random with random timestamps, within some specified window of time, and storing the generated transactions in the combined log table. Lundin et al. [19] describe an interesting technique for generating synthetic data based on authentic background data merged with data representing fraudulent activity. Generating synthetic data in this way is complex and we believe provides no advantage in our context. If the essential individual components of the scenario are not present in the generated data then no match will be found. Likewise if they are present but in the wrong temporal order or if they don’t meet the timeout conditions. If however, the individual components are present in the correct order and their timestamps meet timeout conditions, then a match should be found. The generator tool uses unique user names and unique terminal names and selects from these lists at random. The value of several of the fields in a transaction record depends on the transaction code and this is accommodated by grouping related transaction codes and having a separate list of values for the special fields of each group. When a transaction code is selected from the list, values for the special fields are also generated depending on which group it is

Fraud Detection in ERP Systems Using Scenario Matching

121

in. For example, if the transaction code is in Group 1 (creating vendor records), it generates a new value for the VendorID field and stores it in the VendorID list. For implementation and testing purposes we generated 100,000 records using a list of 100 users and 100 terminals. Before running the synthetic data generator the process was provided with a list of VendorIDs, InvoiceNos, Purchase Order Numbers and CustomerIDs. This data was then uploaded to the MySQL database. 5.2 Scenario Testing We have used the above synthetic data and three of the previously described scenarios to evaluate our system. These three scenarios contain all the features in our fraud scenario detection model. We have in each case examined the output result-set of the SQL queries and verified that the output is correct. We have in addition, as a secondary check in each case, added and deleted records, and then re-run the scenario detection. This enabled us to verify that adding relevant transactions has the expected effect of producing a match where none existed previously, and that deleting records has the effect of producing no match where one did exist previously. We ran all user activities used in the described fraud scenarios. Table 3 contains the number of activities or scenarios found in the randomly generated data. Table 3. Number of different activities in log Scenario Name Change_Vendor_Bank Pay_Vendor Create_Invoice Approve_Invoice Create_PO

Match returns 2867 12347 6721 3215 15507

Scenario Name PO_Approval Good_Receipt Create_Vendor Create_Customer Credit_to_customer

Match returns 6561 19775 20567 6558 5882

The scenario ‘Change_Vendor_Bank’ returned 2867 matching records and the scenario ‘Pay_Vendor’ returned 12347 matching records. We ran the scenario ‘S01’ to determine if any sequence of ‘Change_Vendor_Bank’, ‘Pay_Vendor’ and ‘Change_Vendor_Bank’ happened for the same Vendor when the maximum interval between any two activities was 2 days and the overall duration was within 3 days. Extra conditions were users or terminal must be the same. This process returned 20 matching scenarios which took 119 seconds to run on a Pentium 4 machine with 2GB RAM running Microsoft Windows XP Professional. The first two matches are shown in Table 4 and Table 5. The process returned one record for each match, but for clarity we show one match displayed across three rows. To narrow the result further, we changed the maximum interval between activities to 1 day from 2 days. With this changed scenario specification, the process returned 6 matches and took 119 seconds. We ran scenario ‘S02’ requiring matches for the same User, the same Terminal and the same Invoice. The process returned 702 matches in 91 seconds. To narrow the result we changed the overall duration of the scenario to 1 day. This gave us 80 matches. We ran ‘S03’ with a requirement that the same User and same Purchase Order Number were detected. It returned 468 records in 26 seconds. We changed the scenario by adding a requirement for the Terminal to match and it returned 4 matches.

122

A.K. Islam et al. Table 4. One matching result of Scenario ‘S01’ where Terminal is same

RowIdentity 910 4197 5664

DateTime 2007-02-01 05:33:07 2007-02-02 01:07:38 2007-02-02 07:09:45

TransCode FK02 F-40 FK02

User USR013 USR030 USR071

Terminal TRM43 TRM43 TRM43

VendorID VID00004 VID00004 VID00004

Table 5. One matching result of Scenario ‘S01’ where User is same RowIdentity 2722 9105 12313

DateTime 2007-02-01 05:3:07 2007-02-03 03:38:32 2007-02-03 04:46:23

TransCode FK02 F-48 FK02

User USR013 USR013 USR013

Terminal TRM43 TRM23 TRM18

VendorID VID000017 VID000017 VID000017

We also tested the other fraud scenarios, checked the results and verified the correctness of the detection process.

6 Conclusion A fraud scenario definition structure has been created for the purpose of defining fraudulent activity in ERP systems. The semantics of the structure have been developed and tested for common fraud scenarios in ERP systems. The scenario definition specification considers only the required fields for the described scenarios. We have described the process of defining common fraud scenarios, the process of extracting transaction log data from SAP systems, and the process of detecting scenarios from the transaction logs. Using the developed prototype software we successfully tested the detection of all scenarios described in this paper on synthetically generated transaction log data. We are hopeful of getting the opportunity to test the fraud scenario detection prototype on real SAP system data. Acknowledgment. We gratefully acknowledge the support of SAP Research. The research is supported in part by an ARC Linkage grant.

References 1. Mohay, G., Anderson, A., Collie, B., De Vel, O., McKemmish, R.: Computer and Intrusion Forensics. Artech House (2003) 2. Coderre, D.G.: Fraud Detection: Using Data Analysis Techniques to Detect Fraud. Global Audit Publications, Canada (1999) 3. Porras, P.A., Kemmerer, R.A.: Penetration State Transition Analysis: A Rule-Based Intrusion Detection Approach. In: Computer Security Applications Conference (1992) 4. Michel, C., Mé, L.: ADeLe: an Attack Description Language for Knowledge-Based Intrusion Detection. In: ICIS, pp. 353–368. Kluwer, Dordrecht (2001) 5. Cuppens, F., Ortalo, R.: LAMBDA: A Language to Model a Database for Detection of Attacks. In: Debar, H., Mé, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 197–216. Springer, Heidelberg (2000)

Fraud Detection in ERP Systems Using Scenario Matching

123

6. Pouzol, J., Ducasé, M.: From Declarative Signatures to Misuse IDS. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 1–21. Springer, Heidelberg (2001) 7. Meier, M.: A Model for the Semantics of Attack Signatures in Misuse Detection Systems. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 158–169. Springer, Heidelberg (2004) 8. Ilgun, K.: USTAT: A Real-time Intrusion Detection System for UNIX. In: IEEE Symposium on Security and Privacy, p. 16. IEEE Computer Society, Washington (1993) 9. Vigna, G., Kemmerer, R.A.: NetSTAT: A Network-Based Intrusion Detection Approach. In: 14th ACSAC, p. 25. IEEE Computer Society, Washington (1998) 10. Porras, P.A., Neumann, P.G.: EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances. In: National Information Systems Security Conference, NIST/National Computer Security Center, pp. 353–365 (1997) 11. Cheung, S., Lindqvist, U., Fong, M.W.: Modeling Multistep Cyber Attacks for Scenario Recognition. In: DARPA Information Survivability Conference and Exposition (DISCEX III), pp. 284–292 (2003) 12. Yang, J., Ning, P., Wang, X.S., Jajodia, S.: CARDS: A Distributed System for Detecting Coordinated Attacks. In: IFIP TC11 16th Annual Working Conference on Information Security, pp. 171–180 (2000) 13. Eckmann, S.T., Vigna, G., Kemmerer, R.A.: STATL: An Attack language for State-based Intrusion Detection. In: ACM Workshop on Intrusion Detection Systems (2000) 14. Meier, M., Schmerl, S., Koenig, H.: Improving the Efficiency of Misuse Detection. In: Julisch, K., Krügel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 188–205. Springer, Heidelberg (2005) 15. Schmerl, S., Koenig, H., Flegel, U., Meier, M.: Simplifying Signature Engineering by Reuse. In: Müller, G. (ed.) ETRICS 2006. LNCS, vol. 3995, pp. 436–450. Springer, Heidelberg (2006) 16. Abbott, J., Bell, J., Clark, A., de Vel, O., Mohay, G.: Automated Recognition of Event Scenarios for Digital Forensics. In: ACM Symposium on Applied Computing, pp. 293–300. ACM, New York (2006) 17. Flegel, U.: Privacy-Respecting Intrusion Detection. In: Advances in Information Security, vol. 35, p. 307. Springer, Heidelberg (2007) 18. Zimmer, D.: A Meta-Model for the Definition of the Semantics of Complex Events in Active Database Management Systems. PhD Thesis, University of Paderborn (1998) 19. Lundin, E., Kvarnstrom, H., Jonsson, E.: A synthetic fraud data generation methodology. In: Deng, R.H., Qing, S., Bao, F., Zhou, J. (eds.) ICICS 2002. LNCS, vol. 2513, pp. 265–277. Springer, Heidelberg (2002)

Use of IP Addresses for High Rate Flooding Attack Detection Ejaz Ahmed, George Mohay, Alan Tickle, and Sajal Bhatia Queensland University of Technology, GPO Box 2434 Brisbane, QLD 4001, Australia {e.ahmed,g.mohay,ab.tickle,s.bhatia}@qut.edu.au

Abstract. High-rate flooding attacks (aka Distributed Denial of Service or DDoS attacks) continue to constitute a pernicious threat within the Internet domain. In this work we demonstrate how using packet source IP addresses coupled with a change-point analysis of the rate of arrival of new IP addresses may be sufficient to detect the onset of a high-rate flooding attack. Importantly, minimizing the number of features to be examined, directly addresses the issue of scalability of the detection process to higher network speeds. Using a proof of concept implementation we have shown how pre-onset IP addresses can be efficiently represented using a bit vector and used to modify a “white list” filter in a firewall as part of the mitigation strategy. Keywords: IP addresses, bit vector, bloom filter, cumulative sum.

1 Introduction It is now almost ten years since the first full-scale high-rate flooding attacks were unleashed on the Internet community [1]. The vector for those attacks was a set of compromised computer systems aka “zombies” that directed a high-volume stream of packets towards the target hosts. Ten years on, and notwithstanding their conceptual simplicity, high-rate flooding attacks (aka Distributed Denial of Service or DDoS attacks) using the same basic modus operandi still constitute an extremely pernicious threat within the Internet domain [2]. They also remain an unsolved problem. Consequently techniques and processes that detect and mitigate the impact of this form of attack continue to be an important and active area of research and development [3]. They also form the basis for a joint research project currently being undertaken under the auspices of the Australian and Indian Governments as part of the Australia-India Strategic Research Fund (AISRF). A key deliverable of this project is a DDoS Mitigation Module (DMM) i.e. a “network flooding attack mitigation tool” which integrates the detection and mitigation capability into a single device. Two of the key challenges in implementing a workable solution to the DDoS problem are to operate the detection process at so-called “wire speed” i.e. speeds of at least 10Gbps [2, 4] and be able to activate a response in real-time to mitigate the impact of the attack in order to protect some downstream target which may be an application server or security device or a complete subnet. One important line of K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 124–135, 2010. © IFIP International Federation for Information Processing 2010

Use of IP Addresses for High Rate Flooding Attack Detection

125

research is to utilize IP-address related features as the primary means of detecting an attack [5-10]. In this work we demonstrate how using packet source IP addresses coupled with a change-point analysis of the rate of arrival of new IP addresses may be sufficient to detect the onset of a high-rate flooding attack. Importantly, minimizing the number of features to be examined, directly addresses the issue of scalability of the detection process to higher network speeds. We also show how this information about potentially anomalous IP addresses could be used to modify a “white list” filter within a firewall dynamically as part of the mitigation strategy. We intend in future work to deploy and evaluate the approach with respect to protecting a security device, specifically an application firewall, ModSecurity. The remainder of the paper is structured as follows. Section 2 reviews previous work on using features and characteristics of IP-addresses in detecting high-rate flooding attacks. Section 3 introduces the proposed DDoS Mitigation Module (DMM). It discusses the overall architecture of the DMM. Section 4 provides a detailed description of the NSP algorithm which classifies IP addresses based on their previous association with the host site and which is a core component in the DMM. Because performance of the NSP algorithm is crucial to its successful deployment actual operational networks, this section also shows a possible implementation based on a Bit-Vector approach. Section 5 shows the results of the experiments to test the “proof-of-concept” of the key ideas. Finally Section 6 summarizes the paper and outlines the future work.

2 Related Work IP addresses play a pivotal role in identifying the communicating parties within the TCP/ IP suite of protocols. Consequently there is now a distinct body of knowledge surrounding the use of source IP address monitoring for detecting high-rate flooding attacks [6, 8-14] and in particular those in which the source IP-address had been “spoofed” [9]. Moreover such techniques are also capable of distinguishing anomalous network traffic (e.g. a DDoS attack) from a legitimate network event such as a so-called Flash Event [9, 11]. In addition IP address monitoring is able to detect attacks where each compromised host in the so-called “botnet herd” mimics the behavior of a legitimate user thereby making it difficult to distinguish between the normal network traffic and the attack traffic [3, 8, 10]. Central to any detection process is the requirement to identify a feature or set of features that appear more frequently in the target class but are less prominent in normal traffic and which capture the inherent features of an attack [3]. Also, in light of the adaptive behavior of the botnet masters, it is important to use features that are difficult or impossible for an attacker to change [3]. Over time various IP-address related features have been used in the detection process including basic features such as the traffic volume per IP address [12]. Other features include the change in the number of network flows (i.e. distinct source/ destination IP address and port pairs) [11] as well as a change in the number of clients and in the pattern or distribution of clients across ISPs and networks [9]. The proportion of new source IP addresses seen by the target [3, 6, 8] have also been used along with features such as evidence of abrupt changes in

126

E. Ahmed et al.

traffic volume, flow dissymmetry as well as changes in the distribution of source IP addresses and the level of concentration of target IP addresses. Two key issues in effectively utilizing IP address information in the detection process are the impracticality of storing statistical data for each of the 232 elements in the IPv4 address space and the need accommodate a sharp increase in the rate of arrival of new source IP addresses during a DDoS attack [3]. This necessitates minimizing the number of IP addresses being tracked and optimizing the way in which information about IP addresses is stored. For example Gil and Poletto [12] used a dynamic 4-level 256-ary tree (MULTOPS) to collect traffic date for each IP address. However Peng et al. note that such a structure could itself succumb to a memory exhausting attack. Hence Peng et al. and Takada et al. [3, 6, 13] only store information on IP addresses that complete the TCP connect sequence correctly or send more than a threshold minimum number of packets. Peng et al. [8] also use a data structure comprising 210 counters to (partially) aggregate the information about distinct IP addresses. Similarly Cheng et al. [10] isolate those IP addresses that are “new” and which are concentrated on a particular target IP address. Other authors have sought to exploit any inherent clustering of IP addresses. For example, Le [14] aggregated IP addresses using various subnet masks on the premise that in a Flash crowd most of the source IP addresses are close to each other whilst in a DDoS attack the sources are assumed to be more widely distributed. Finally, there is also a scalability issue for solutions in the IPv6 address space where the number of addresses is 2128. Once the feature vector has been created the remaining problem is to decide on a suitable algorithm that can use this information for detecting a DDoS attack. For example Cheng et al. [10] use a Support Vector Machine (SVM) classifier whilst Peng et al. [6] used the Cumulative Sum (CUSUM) algorithm and a computation involving a simplified Mahalanobis distance [8] to detect any abrupt change in the fraction of new IP addresses (on the basis that an abrupt change of the proportion of new source IP addresses is a strong indication of a DDoS attack). Takada et al. [13] also used the CSUM algorithm whereas Le et al. [14] used filtering techniques from the area of signal processing. One of the earliest attempts at constructing a real-time adaptive system conceptually similar to the proposed DMM can be found in the work of Lee et al.[15-17]. Whilst their focus was on building an Intrusion Detection System, they demonstrated the importance of carefully segmenting and parallelizing the individual tasks to be performed in order to have a device that is capable of being scaled to operate in realtime (or close to real-time) on high-speed, high-volume network traffic. They also addressed the problem of updating the device’s internal knowledge base once it has identified that a new attack has occurred. The basic idea used by Lee et al. is that of incremental learning i.e. adding to the existing knowledge base without having to completely retrain the underlying classifiers. Another example of previous work on adaptive IDS and one that appears to be more closely related to the objectives of this project is that of the Cannady [18]. In particular Cannady examined the specific problem of adapting an IDS in dealing with DoS attacks. He also utilized feedback from the protected system in the form of system state variables such as CPU load, available memory, etc.

Use of IP Addresses for High Rate Flooding Attack Detection

127

More recent work on adaptive IDS can be found in Xu [19] and Moosa et al. [20] (who specifically focused on adaptive application aware firewalls). All extend the range of algorithms that could potentially be used as classifiers within the proposed DMM (e.g. Fuzzy Logic, Support Vector Machines, etc.). Notwithstanding the many variations on the theme, it would appear that the basic incremental learning architecture proposed by Lee et al. [15-17] together with the ideas of Cannady [18] offer a good starting point for building the proposed DMM.

3 Detection Architecture The design goal is for the DMM to have the capability to protect two “common monitoring environments” (i.e. security devices) viz. an application-aware firewall and a network-based intrusion detection system (IDS), from high-rate network flooding attacks. This includes protecting the devices under the so-called zero-day attack scenario i.e. a pattern of attack that has not previously appeared. Figure 1 shows a schematic of a version of the proposed DMM that would operate in real-time but off-line with the task of protecting an application-aware firewall (or an Intrusion Prevention System).

Fig. 1. Schematic of the proposed DMM protecting an application-aware firewall (or a Intrusion Prevention System)

The key functions of the proposed DDoS Mitigation Module (DMM) are to detect the onset of a DDoS attack, use “state information” about the set of devices to be protected by the DMM to predict if any of them are at imminent risk of failing, and formulate and then direct a set of “control commands” to the devices “at risk” to enable them to manage (or “shape”) the network traffic situation (e.g. jettisoning anomalous network packets). Since the intention is to develop a prototype DMM that can be deployed on existing networks, one of the initial design decisions is use COTS (Commercial off-the-shelf) offerings for components such as the designated “application-aware firewall” shown in Fig 1. As such, the designated “control

128

E. Ahmed et al.

commands” would then be rules expressed in the formats used internally in such devices. For example, one potential candidate “router/ firewall” device (at least for the purposes of the initial prototype) is a platform supporting the Open BSD Packet Filter (PF) [21]. (One of the key attractions of PF is that the filtering mechanism is externally configurable [22, 23].) In this case, the format of the designated “control commands” would be rules that conform to the PF syntax. Similarly the (Open Source Web) Application firewall ModSecurity [24, 25] is a potential candidate application firewall. (As with Packet Filter (PF) discussed above, ModSecurity has the underlying framework to deal with DoS attacks as well as an Automated Rule Update Capability.) As was the case with PF, the function of the DMM would be to generate rules in a format compatible with the ModSecurity rule set. A review of the literature highlights a degree of overlap between the core ideas of the proposed DMM and both current and previous work in constructing Intrusion Detection Systems that are adaptive (i.e. the ability to update the system rule set dynamically) and proactive (i.e. the ability to discern that an intrusion attack is in progress and react before it actually reaches its final stage) [26]. In fact, building an IDS with the capabilities to be adaptive and/ or proactive has been the subject of research in various guises for almost twenty years so there is a significant body of work from which it may be possible to draw a number of ideas as to how to approach the problem of building the required DMM.

4 Detection Algorithm The basis of our algorithm is essentially that we expect to be able to detect whether currently incoming network traffic represents an attack on our system or not. We represent the two system states: NA (not under attack) and A (under attack) respectively. The algorithm is based on two top level functions, ipac and ddos. The ddos function (described below) analyses the rate of arrival of packets from previously unseen IP addresses and on that basis assigns the system state to A or NA. It is invoked at regular intervals, and based on the rate of arrival of packets from previously unseen IP addresses determines a state change form NA to A, or vice versa, from A to NA. The ipac address classification function examines the IP addresses of incoming network traffic. It extracts the source IP address of each incoming packet and determines if the IP address is new or not seen previously - NSP. To do so, ipac maintains two data structures which represent the IP addresses of incoming packets: W for ‘Whitelist’, and R for ‘Recent’. The data structure W is initialized with the source IP addresses of a known attackfree traffic sample, the data structure R is initialized to empty at system start-up. The point of R is that as packets arrive from new IP addresses, we need to note those IP addresses in a temporary location – the structure R. Only once the ddos function has determined that the system is not under attack can those addresses be copied to the whitelist – the structure W. This avoids polluting the whitelist W. If on the other hand, the ddos function determines that the system is under attack, then R is discarded. The system starts in state NA.

Use of IP Addresses for High Rate Flooding Attack Detection

129

The ipac(ip) function examines the source address ip of an incoming packet and if the IP address has not been seen previously, updates the structure R: if NOT ((ip IN W) OR (ip IN R)) then INC(newIP) add ip to R The ddos function is invoked at regular intervals, intervals of the order of 1 to 10 seconds. It has a simple purpose: it analyses the recent change in arrival rate of packets from NSP IP addresses. It uses the function StateChange which in turn uses a cumulative sum algorithm (CUSUM) to detect abrupt changes in that rate of arrival and determines system state changes. The ddos function does as follows: if (in state NA) then if NOT (StateChange(NA)) then //no state change add R to W else //state change to A state = A communicate W to the protected security device to use as a white list R= empty if ((in state A) then if (StateChange(A)) then //state change to NA state = NA communicate to the protected security device to stop using the white list. There are also two obvious limitations in the above algorithm. The first is that when the system is deemed to be under attack, that new IP addresses are treated as malicious – this can give rise to false positives. Further work will extend the basis for rejection of packets beyond the simple property of NSP. The further work will attempt to identify malicious traffic using other features also, to be used in tandem with NSP, features like subnet source addresses, IP distribution, traffic volume, traffic volume per IP address, etc. The second limitation concerns what to do about the interval of time during which ipac and ddos functions are executing. We hope to keep these functions very small and efficient, so this may not be a problem. It will however pose the problem of incoming packets not being properly processed if the functions are indeed too slow. We now discuss the implementation of the above NSP algorithm using bit vectors. 4.1 Bit Vector Implementation For IPv4, a bit vector can be used for the implementation of W and R in the above algorithm. Using a bit vector, requires 0.5 GB to represent the 232 address space of IPv4. (In contrast, an IPv6 bit vector needs to represent 2128 addresses. We are currently investigating the use of Bloom filters for IPv6). Implementation via bit vectors allows for a number of optimizations to the algorithm. The step ‘add R to W’ in the ddos function can be optimized by modifying the ipac function so that when setting the appropriate bit in R, it keeps a temporary

130

E. Ahmed et al.

copy of the ip value, or better still, a copy of the address of the bit being set. This optimization allows the ‘add R to W’ step to be implemented as a series of set bit operations rather than having to OR the entire bit vector R into W. The second optimization relates to the step ‘R = empty’. This step is optimized in a similar fashion, by unsetting the relevant bits rather than zeroising the entire bit vector. 4.2 Change Detection On the onset of malicious activity, it is expected that the statistical properties of the traffic parameters no longer remain constant, resulting in an abrupt change. These change points can be detected using sequential analysis methods such as the cumulative sum (CUSUM) change point detection algorithm. CUSUM is a sequential analysis technique which assumes that the mean value of the (suitably transformed) parameter under observation will change from negative to positive in the event of a change in its statistical properties. Detecting this requires knowledge of the data distribution both before and after a malicious event. In real time network traffic analysis, estimating traffic distribution both before and after a malicious event is rather a difficult task if not impossible due to the lack of a complete model. In change detection, this problem can be solved using a nonparametric CUSUM method as described by Blazek et al.[27]. In this paper we have adopted a non-parametric sliding window CUSUM change detection technique proposed by Ahmed et.al. [28, 29] for the analysis of source IP addresses. For the detailed description of the CUSUM technique, the interested readers are referred to [28, 29]. We use the CUSUM technique to detect changes in the number of new source IP addresses being observed in the network traffic during a measurement interval.

5 Experimentation In order to establish the use of source IP address as a key feature to detect flooding attack, a comparative analysis of two different traffic traces has been conducted. In one analysis Peng et. al. [7] compared daily Auckland data trace [30] with the previous two week’s data traces to observe the persistence of the source IP addresses. We have carried out a similar analysis using network traffic collected from a dedicated block of unused IP addresses (commonly known as a Darknet) and Auckland traffic trace has been carried out. In contrast to used address spaces where there are production hosts connected to the Internet, unused address spaces are routable Internet addresses which do not have any production host connected to Internet. Due to the absence of any production host the traffic observed on a darknet is by definition unsolicited and likely to be either opportunistic or malicious. Table 1 provides the comparative analysis of the percentage of source IP addresses appearing in the fortnight previous to the listed dates for both Auckland and darknet network traffic traces. From Table 1, it can be observed that high percentage of source IP addresses appear in the last fortnight in Auckland traffic, a normal behavior in network traffic. In contrast, very low percentages of source IP’s reappear during malicious network traffic such as the one collected from the darknet.

Use of IP Addresses for High Rate Flooding Attack Detection

131

Table 1. Persistance of source IP addresses

Auckland Trace Date Percentage 2001-Mar-26 88.7% 2001-Mar-27 90.3% 2001-Mar-28 89.1% 2001-Mar-29 89.2% 2001-Mar-30 90.2% 2001-Mar-31 89.9% 2001-Apr-01 88.1%

Darknet Trace Date Percentage 2009-Dec-25 1.25% 2009-Dec-26 1.05% 2009-Dec-27 1.03% 2009-Dec-28 0.91% 2009-Dec-29 0.94% 2009-Dec-30 1.07% 2009-Dec-31 7.99%

In order to evaluate the performance of the proposed NSP algorithm described in Section 4, the test bed shown in Figure 2 was being used.

Switch Attack Traffic (fudp)

Normal Traffic (tcpreplay)

Victim

Fig. 2. The test bed architecture

The normal network trace used in the experiment is the a real network traffic taken from the University of Auckland [30] known as Auckland VIII dataset. The IP addresses in the traffic trace have been mapped into 10.*.*.* using one to one hash mapping for privacy. The dataset is first analyzed to remove the SYN attacks which constitute the majority of the attacks [31]. In this regard TCP flows with less than 3 packets are treated as malicious packets and are being ignored. The cleaned data is then reproduced over the test bed using TCPREPLAY1 utility. The traffic is replayed at the rate of around 300 packets per seconds. For attack traffic, fudp2 utility was used to flood the victim machine with UDP packets with varying number of spoofed source IP addresses. The average attack traffic rate is set to around 3000 packets per second (10 times the normal background traffic). Table 2 provides the statistics of the attack traffic being used in the experimentation.

1 2

TCPReplay web page, http://tcpreplay.synfin.net/ Fudp download page, http://linux.softpedia.com/get/Security/ fudp-35626.shtm

132

E. Ahmed et al. Table 2. Statistics of the attack traffic

Unique Source IP 35 40 45 50 100 150

Number of Packets 342141 328579 321433 313747 237831 201020

Duration (seconds) 134.38 129.35 129.29 123.23 93.49 86.83

Traffic Rate(Mbps) 1.01 1.01 1.01 1.01 1.01 1.01

5.1 Performance Evaluation In order to evaluate the performance of the proposed algorithm, the UDP flooding attack with varying number of source IP addresses has been embedded in the network traffic. UDP flooding with constant packet rate and constant set of source IP addresses has been generated, see Table 2 for detail. Due to space limitations, Figure 3 shows the result of UDP flood only for the case of 35 unique source IP addresses.

Fig. 3. UDP flooding attack with 35 source IP addresses

In Figure 3 the horizontal axis represents the observation period in 10 second bins, the left vertical axis represents total number of new source IP addresses in the measurement interval and the right axis represents the CUSUM decision function with 1 being attack and 0 being no attack. The number of new source IP addresses in the 10 second measurement interval is calculated using the proposed algorithm described in Section 4. The UDP flooding attack was started at measurement interval 260 and ended at 280 and is detected by the CUSUM technique. The large increase in the new IP addresses at the start in Figure 3 is due to the fact that the bit vector W is empty at the start of the analysis. The subsequent inclusion of the source IP addresses in the bit vector W results in the constant decrease of new IP address counter. The CUSUM change detection technique is not applied during the training period, which is up to measurement interval 230, which enables the sliding window to learn the normal network traffic behavior. A manual analysis of the generated white list was performed post attack to check for the presence of any attack sources in the list. No attacking

Use of IP Addresses for High Rate Flooding Attack Detection

133

source IP addresses were found in the white list (for all the UDP attacks). The detection delay is bound by the measurement interval which is selected as 10 seconds in this paper. All the attacks listed in Table 2 have been detected in less than 10 seconds which can further be reduced using smaller measurement intervals.

6 Conclusion and Future Directions In this paper, we have proposed a technique for detecting high rate flooding attacks. A proof of concept implementation of the proposed technique using bit vectors is provided in this paper. We have shown how a simple traffic feature such as source IP addresses can be used to effectively detect flooding attacks. Our ongoing work focuses on implementing the algorithm using bloom filter in order to compare the results with the bit vector implementation and to enable us to extend the approach to IPv6 with its much bigger IP address space. In addition we seek to investigate the performance of both bit vectors and bloom filters under high speed network flooding attack in both IPv4 and IPv6 networks. Moreover the analysis of algorithm under different and diverse flooding attacks needs to be investigated. We expect also in further work to extend the basis for rejection of packets beyond the simple property of IPs Not Seen Previously. The further work will attempt to identify malicious traffic using other features also, to be used in tandem with NSP, features like subnet source addresses, IP distribution, traffic volume, traffic volume per IP address, packet inter-arrival time etc.

Acknowledgement This work was supported by the Australia-India Strategic Research Fund 2008-2011.

References 1. Garber, L.: Denial-of-Service Attacks Rip the Internet. Computer 33(4), 12–17 (2000) 2. Nazario, J.: Political DDoS: Estonia and Beyond (Invited Talk). In: 17th USENIX Security Symposium, San Jose, CA, USA (2008) 3. Peng, T., Leckie, C., Ramamohanarao, K.: Survey of network-based defense mechanisms countering the DoS and DDoS problems. ACM Comput. Surv. 39(1), 3 (2007) 4. Miercom, Enterprise Firewall: Lab Test Summary Report (2008) 5. Peng, T., Leckie, C., Ramamohanarao, K.: Information sharing for distributed intrusion detection systems. J. Netw. Comput. Appl. 30(3), 877–899 (2007) 6. Peng, T., Leckie, C., Ramamohanarao, K.: Proactively Detecting Distributed Denial of Service Attacks Using Source IP Address Monitoring. In: NETWORKING 2004, Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communications, pp. 771–782 (2004) 7. Peng, T., Leckie, C., Ramamohanarao, K.: Protection from distributed denial of service attacks using history-based IP filtering. In: Proceeding of the 38th IEEE International Conference on Communications (ICC 2003), Anchorage, Alaska (2003)

134

E. Ahmed et al.

8. Peng, T., Leckie, C., Ramamohanarao, K.: System and Process For Detecting Anomalous Network Traffic, W.I.P. Organisation, Editor (2008) 9. Jung, J., Krishnamurthy, B., Rabinovich, M.: Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites. In: Proceeding of 11th World Wide Web Conference, Honolulu, Hawaii, USA (2002) 10. Cheng, J., et al.: DDoS Attack Detection Algorithm Using IP Address Features. In: Frontiers in Algorithmics, pp. 207–215. Springer, Heidelberg (2009) 11. Barford, P., Plonka, D.: Characteristics of Network Traffic Flow Anomalies. In: Proceedings of ACM SIGCOMM Internet Measurement Workshop (2001) 12. Gil, T.M., Poletto, M.: MULTOPS: A data-structure for bandwidth attack detection. In: Proceedings of 10th Usenix Security Symposium (2001) 13. Takada, H.H., Anzaloni, A.: Protecting servers against DDoS attacks with improved source IP address monitoring scheme. In: 2nd Conference on Next Generation Internet Design and Engineering ( NGI ’06) (2006) 14. Le, Q., Zhanikeev, M., Tanaka, Y.: Methods of Distinguishing Flash Crowds from Spoofed DoS Attacks. In: 3rd EuroNGI Conference on Next Generation Internet Networks (2007) 15. Lee, W., Stolfo, S.J., Mok, K.W.: Adaptive Intrusion Detection: A Data Mining Approach. Artificial Intelligence Review 14(6), 533–567 (2000) 16. Lee, W., Stolfo, S.J.: A framework for constructing features and models for intrusion detection systems. ACM Trans. Inf. Syst. Secur. 3(4), 227–261 (2000) 17. Lee, W., et al.: Real time data mining-based intrusion detection. In: DARPA Information Survivability Conference & Exposition II, DISCEX ’01, Anaheim, CA, USA (2001) 18. Cannady, J.: Next Generation Intrusion Detection: Autonomous Reinforcement Learning of Network Attacks. In: Proceedings of The 23rd National Information Systems Security Conference, NISSC 2000 (2000) 19. Xu, X.: Adaptive Intrusion Detection Based on Machine Learning: Feature Extraction, Classifier Construction and Sequential Pattern Prediction. International Journal of Web Services Practices 2(1-2), 49–58 (2006) 20. Moosa, A., Alsaffar, E.M.: Proposing a hybrid-intelligent framework to secure egovernment web applications. In: Proceedings of the 2nd International Conference on Theory and Practice of Electronic Governance. ACM, Cairo (2008) 21. OpenBSD. PF: The OpenBSD Packet Filter (2009), http://www.openbsd.org/faq/pf/ (cited November 11, 2009) 22. OpenBSD. OpenBSD Programmer’s Manual: ioctl - control device (2009), http://www.openbsd.org/cgibin/man.cgi?query=ioctl&sektion=2&arch=&apropos=0&manpath= OpenBSD+4.6 23. OpenBSD. OpenBSD System Manager’s Manual: pfctl - control the packet filter (PF) device (2009), http://www.openbsd.org/cgi-bin/man.cgi?query= pfctl&sektion=8&arch=&apropos=0&manpath=OpenBSD+4.6. (cited November 11, 2009) 24. Barnett, R.: ModSecurity Core Rule Set (CRS) v2.0 (2009), http://www.owasp.org/index.php/File:OWASP_ModSecurity_Core_R ule_Set.ppt 25. ModSecurity. ModSecurity Open Source Web Application Firewall (2009), http://www.modsecurity.org/index.html

Use of IP Addresses for High Rate Flooding Attack Detection

135

26. Kabiri, P., Ghorbani, A.A.: Research on Intrusion Detection and Response: A Survey. International Journal of Network Security 1(2), 84–102 (2005) 27. Tartakovsky, A.G., et al.: A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods. IEEE Transactions on Signal Processing 54, 3372–3382 (2006) 28. Ahmed, E., Clark, A., Mohay, G.: Change Detection in Large Repositories of Unsolicited Traffic. In: Proceedings of The Fourth International Conference on Internet Monitoring and Protection (ICIMP 2009), Venice, Italy (2009) 29. Ahmed, E., Clark, A., Mohay, G.: A Novel Sliding Window Based Change Detection Algorithm for Asymmetric Traffic. In: Proceedings of the IFIP International Conference on Network and Parallel Computing (NPC 2008), pp. 168–175, Shanghai, China (2008) 30. Waikato Applied Network Dynamic Research Group, http://wand.cs.waikato.ac.nz/ 31. Mirkovic, J., et al.: DDoS Benchmarks and Experimenter’s Workbench for the DETER Testbed. In: 3rd International Conference on Testbeds and Research Infrastructure for the Development of Networks and Communities, TridentCom 2007 (2007)

Augmenting Reputation-Based Trust Metrics with Rumor-Like Dissemination of Reputation Information Sascha Hauke1,2 , Martin Pyka3 , Markus Borschbach1, and Dominik Heider4 1

4

Fachhochschule der Wirtschaft in Bergisch Gladbach, Hauptstr. 2, 51465 Bergisch Gladbach, Germany {sascha.hauke,markus.borschbach}@fhdw.de 2 Institute of Computer Science, University of Münster, Einsteinstr. 62, 48149 Münster, Germany 3 Department of Psychiatry, University of Marburg, Rudolf-Bultmann-Str. 8, 35039 Marburg, Germany [email protected] Center for Medical Biotechnology, University of Duisburg-Essen, Universitätsstr. 1–5, 45117 Essen, Germany [email protected]

Abstract. Trust is an important and frequently studied concept in personal interactions and business ventures. As such, it has been examined by multitude of scientists in diverse disciplines of study. Over the past years, proposals have been made to model trust relations computationally, either to assist users or for modeling purposes in multi-agent systems. These models rely implicitly on the social networks established by participating entities (be they autonomous agents or internet users). At the same time, research in complex networks has revealed mechanisms of information diffusion, such as the spread of rumors in a population. By adapting rumor-spreading processes to reputation dissemination in multi-agent systems, this paper shows the benefit of augmenting an existing trust model with pro-actively, socially filtered trust information. Keywords: Trust and Reputation, Rumor-spreading, Trust Model.

1

Introduction

This paper represents part of our work directed at developing a distributed recommendation system of (semi-) autonomous agents, aiding users in determining trustworthy service partners. We envision this system to operate on existing social structures, as, for instance, computationally represented in online social communities. Leveraging reputation-based computational trust and real-world derived social connections as a soft security mechanism, we aim at increasing overall (system) reliability in computer-mediated human interactions within cybercommunities. In the course of this paper, we will focus on aspects of reputation-based computational trust. In recent literature, two principal views of computational trust K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 136–147, 2010. c IFIP International Federation for Information Processing 2010 

Rumor-Like Dissemination of Reputation Information

137

can be distinguished – a cognitive [3,4] and a probabilistic interpretation. Due to the complexity of accurately representing an entity’s mental state in computational adaptations, computational realizations of cognitive trust are difficult to model. The probabilistic view of trust, held, among others, by [1,14,29], relies on observable data for deriving an, albeit subjective [10,20], probability with which some entity will perform a particular action in order to establish a trust rating. By employing observed information from the past to predict behavior in the future, trust establishment thus becomes a data driven process. It is well-suited to computational modeling. Recently proposed computational trust models (for reviews see [17,24]) typically adopt this approach. As our focus is on agent-based models that may operate on social network structures, we consider systems such as ReGreT [23], which features a social dimension, or FIRE [14], itself based on the referral system for multi-agents presented in [29], to be the most related. Deriving trust is thus based on reliable information about the actions expected to be performed by the trusted party. In society, this information is usually procured in two different ways: Either through personal experience derived from prior direct interactions with another entity or via the reputation of an entity as reported by other members of the society (for the time being, we will not consider notions such as role-based or institutional trust). In models, the former is normally classified as direct experience, the latter as witness information. To an entity, its direct experiences are the most reliably assessed source of reputation information, yet, it is also the scarcest. Witness information is more abundant, yet its reliability is difficult to assess for an entity. In trust models, witness information is typically communicated in the form of recommendations, involving at least three separate entities: A recommender, a recommendee (whose trustworthiness is to be evaluated) and the evaluating entity, receiving the recommendation. Assessing the reliability of a recommendation involves evaluating how much trust one can put in the recommender making an accurate recommendation. Trust is a uni-directional, dyadic, non-transitive relation between entities [1]. Thus, an entity’s certainty in the correctness of a recommendation decays rapidly once made by a non-neighboring recommender. Relying only on direct recommendations from trusted neighbors has advantages regarding the reliability of the reputation information. However, this forgoes a potential wealth of additional information. Mui [22] has proposed the establishment of (parallel) recommendation chains between non-neighboring entities. This process, however, suffers from distance effects for long chains and problems when determining the reliability of a particular chain (particularly when determining weighing factors). Bayesian aggregation is also unfit for establishing the reputation of remote agents [22].

2

Approach

In recent publications [11,12], we have proposed a rudimentary mechanism designed to better leverage the information diffusion qualities of social networks

138

S. Hauke et al.

in order to spread reputation information. Aside from increasing the speed of information dissemination [11], the active propagation of reputation information can also serve as a social filter, making it easier to evaluate the validity of the propagated data. 2.1

Direct Witness Information

Witness information in typical multi-agent trust frameworks [22,23,28] is normally gathered on demand by an entity. When the need for information about a potential interactor arises, a request for reputation information is issued by the requesting entity (requestor ) to trusted neighbors. If a neighbor holds an opinion on the potential interactor and wishes to share that information, it will return a recommendation to the requestor. Regarding their reliability, recommendations from trusted neighbors can be assessed by evaluating the trust the requestor has in the recommending neighbor. The direct neighborhood the requestor and the recommender affects not only the reliability of a recommendation, as perceived by the requestor, but also implies short achievable response times and low number of exchanged messages. These factors result in relatively hard information, suited to by-request communication. Due to the structure of social acquaintance networks underlying and formed by the trust relations involved in recommending, it is also reasonable to consider one-hop referral recommendations to be hard. One quality of social networks is community structure, expressed through a high average clustering coefficient [16,26]. The clustering coefficient is a measure of the percentage of transitive triplets present in a network [15,25]. For the sake of illustration, consider three network nodes i, j and k. i is connected to j, j in turn is connected to k. A transitive triplet is present if i is also connected to k. The clustering coefficient is the fraction of transitive triplets to all possible connections that occur throughout the network. The average clustering coefficient [15,26] is a variation of this measure commonly used in empirical studies. High average clustering signifies community structure in networks. Within such a community, the likelihood that two entities share common neighbors is higher than in corresponding random graphs [16]. Thus, in a highly clustered network, establishing a 1-hop recommendation chain between an entity a and a non-neighboring entity c, facilitated by intermediary entity b, which is neighboring both a and c, has a higher chance of being duplicated via another intermediary entity d. By establishing multiple parallel recommendation chains of a very short path length, the evaluating entity a gains the ability to assess the reliability of the remote recommender d by starting reputation gathering on d. Due to the distance limitation of 1 hop and high clustering, pertinent information on d can be gathered from nodes neighboring a, with the limitation that clustering allows for the establishment of parallel 1-hop chains between a and c. While the overhead is considerably higher than 0-hop recommendations (cf. fig. 1), involving a separate trust establishment process for each referral, establishing the reliability of such a recommendation does not suffer from long-distance effects, remains localized close to and is mediated by entities directly known to the requestor.

Rumor-Like Dissemination of Reputation Information

139




       

   

b

b

 

a

c 

  

d










a


   

     

   



(a)







   

c

d (b)

Fig. 1. Initial message exchange and referred recommendation, on-request opinion provisioning

Furthermore, in case of an inaccurately referred recommendation, both the referring neighbors and the remote recommender can be held directly responsible by reducing their trust value held by the requestor. This also provides an incentive to the referrer to refer only trusted and good-quality recommenders. We propose to categorize these kinds of witness information as direct witness information. It is comparatively easy to assess in terms of reliability and the originating entity of a recommendation is easily identifiable. Furthermore, the amount of communication overhead required for obtaining the information warrants its use in on-demand reputation provisioning. Together with prior direct experiences made by the requesting entity, it forms the basis upon which the strong reputation [11,12] of a potential interactor is computed. 2.2

Remote Witness Information

Even when including direct witness information, the amount of information available to an entity attempting to make a trust decision may be scarce. In far-flung social networks, exhaustive breadth-first search for more information is prohibitively expensive time-wise, particularly if the required data cannot be located in the requestor’s intermediate neighborhood. Depth-first search leads to quickly deteriorating reliability of gathered information. In order to alleviate the problems with time-criticalness of the reputation information gathering process and rapid decay of reliability, we propose a two-pronged approach. Firstly, make the information widely available and at the same time decouple the provisioning process from the commonly used on-request mechanism. Secondly, harness the size and structure of the social recommendation network to aid entities in assessing the quality, reliability and relevance of remotely issued reputation information. 2.3

Decoupling the Provisioning Process

On-request provisioning of reputation information guarantees that an entity receives the most current information available on a potential interactor. For this

140

S. Hauke et al.

mechanism, however, the cost in time and communication overhead are inversely proportionate to the reliability of the information, as determinable by the requestor. An increasing complexity is associated with a decrease in the quality of the acquired data. Figure 1 shows standard witness information gathering and 1-hop recommendation referral. Therefore, we propose a pro-active propagation of reputation information that mimics the spread of rumors through social networks. Because information that originates beyond the direct neighborhood of an entity is difficult to verify by the entity, it factors less prominently in the trust establishment process in conventional trust models than direct witness information (e.g. [14,22]); this leads to a diminishing gain in additional information. Consequently, less relevant information, which is thereby less important for trust establishment, may be relegated to a secondary dissemination mechanism that operates on a different time scale than the on-request method. Fundamentally, the secondary mechanism adapts epidemiological and rumor spreading models operating on complex networks. Various such models have been proposed and investigated, mainly in the fields of sociology [7,19] and statistical physics [5]. Following established terminology [6], each network element in rumor spreading models is a member of one of three classes, corresponding to ignorant, stifler and spreader nodes. Ignorants are nodes that have not been exposed to a particular rumor and are still susceptible to the information. Spreaders are those that have been exposed to a rumor and are actively propagating the information, while stiflers are privy to a rumor but have ceased spreading it. When a spreader meets an ignorant, the latter turns into a spreader with probability λ. When a spreader meets another spreader or stifler, it turns into a stifler with probability α. Moreno et al. [21] provide an analysis of rumor mongering in complex networks, presenting time profiles for the propagation process. The dynamics of rumor spreading in networks, as reported, for instance, by [2,8,21], suggest sufficient diffusive quality to warrant their application to reputation-based trust metrics. The basis of our pro-active dissemination mechanism is formed by entities publishing opinions to the network, rather than only providing recommendations to requestors. In order to maintain the added value of those opinions and to avoid overwhelming communication channels, they should be issued only in exceptional circumstances. Such circumstances are constituted, for instance, by an interaction experience significantly deviating from the expected mean, prolonged above (or below) average performance or highly varying, erratic behavior on the part of an interactor. A published opinion includes an assertion about another entity, y (a former interactor), time-stamped and signed by the publishing entity x (the originator). The assertion bundles information regarding the interactor, its trust rating and perceived reliability of that rating, along with situational data, with situationdependence denoted by parameter β. x proceeds by communicating its published opinion on y to its neighbors. Each publishing entity can only have one published

Rumor-Like Dissemination of Reputation Information

141

opinion per subject and situation, although the entity can issue a replacement opinion. P ubOpβ (x, y) = {Sigx(Assertβ (x, y), timestamp)} (1) A receiving entity r confirms reception to the sending entity (either the publishing entity or an intermediate spreader), informing the sender whether or not r was ignorant to the particular published opinion. If r does not hold a positive opinion of the sender, it immediately stifles further propagation; otherwise, it evaluates the message, determining whether becoming a spreader or a stifler. During reception of a particular published opinion, the decision to propagate is primarily dependent on four factors: The prior experience of r with the sending entity, the difference of the published opinion from the opinion r has of y, temporal decay, and the general community agreement regarding P ubOpβ (x, y). According to these parameters, the receiving entity decides, following a rule-based approach, if and with what priority to spread the published opinion. While the first three factors are common values found in trust metrics, we will describe an approach for determining agreement in the following. 2.4

Establishing Reliability through Community Agreement

In order to assign a reliability value to any one published opinion, it is not sufficient for an evaluating entity to just know the reliability of the published opinion’s latest propagator, because, generally, that propagator is not the originator of the published opinion. Due to the difficulties in assessing the reliability of a remote originator, as outlined above, we will focus instead on determining the reliability of the content of the published opinion based on a voting process. Whenever an entity receives and evaluates a published opinion for the first time, it adds a signed token to the assertion included in the message. In this token, the entity includes a vote, denoting whether it agrees, disagrees or has no opinion of its own on the data contained within the assertion. In order to assess the reliability, we propose the use of Krippendorff’s αcoefficient, a standard reliability measure that can be used regardless of the number of observers, levels of measurement, sample sizes, and presence or absence of missing data [13]. In order to include the total number of informative, i.e. actively agreeing or disagreeing, votes N , we multiply α by a monotonously growing scaling functionf : N → [0, 1], accounting for an agent’s need to require a certain number of votes on which the reliability measure is based.  f (N ) · α if # agreeing > # disagreeing Rel(Assertβ (x, y)) = (2) −1 · f (N ) · α else 2.5

Transition from Spreader to Stifler State

In classical rumor spreading models [7], transition from spreader to stifler occurs probabilistically once a spreader encounters another spreader or stifler. For our mechanism, we propose the following procedure: When an entity p propagates

142

S. Hauke et al.

a published opinion, the receiver r responds by returning its current status as ignorant or non-ignorant. If its status is non-ignorant, i.e. it is a spreader or stifler, it returns the version of the relevant published opinion it is privy to. From this answer, the propagator determines the Δp,r Rel(Assertβ (x, y)) by first compositing the propagated assertion and the response, followed by calculating the difference in reliability. Compositing is achieved by forming the union of the sets of signed, informative voting tokens contained in the assertions. Rel((Assertβ (x, y))p∪r ) = Rel((Assertβ (x, y))p ∪ (Assertβ (x, y))r )

(3)

(4) Δp,r Rel(Assertβ (x, y)) = p∪r p Rel((Assertβ (x, y)) ) − Rel((Assertβ (x, y)) ) If |Δp,r Rel(Assertβ (x, y))| is smaller than some threshold parameter TΔRel (meaning that the data provided by p to r has little to no effect on the reliability of the published opinion already known to receiver r) p will in the future stop propagating P ubOpβ (x, y) to r. Furthermore, it will probabilistically transfer into the stifler state with probability pstif le . 2.6

Evaluating and Integrating Remote Witness Information

For harnessing the social control mechanism in community agreement, the information has still to be integrated into the trust establishment protocol. Most trust models, e.g. [14,22,23,28], already provide compositing mechanisms when dealing with different types of reputation information, such as direct experience, witness reputation or role-based trust. Prototypically choosing the FIRE trust model [14], rumor-like information can be easily integrated into the trust model. FIRE relies on a generic trust formula to calculate a trust value for each of its components:  r ∈R (a,b,c) ωK (ri ) · vi TK (a, b, c) = i K (5) ri ∈RK (a,b,c) ωK (ri ) A trust value is thus calculated as the sum of all available ratings weighted by the rating relevance and normalized to [−1, 1]. Adaptation of remote witness information, spread in a rumor-like manner, is achieved as follows: RK is the set of all published opinions on the entity to be evaluated – here called b – under a term c. a represents the evaluating entity, c a term, under which the evaluation takes place, represented by β in eq. 1. Let vi be the rating of a subject entity (b) contained in Assertβ (a, b) and ωK (ri ) be Rel(Assertβ (a, b)), multiplied by a temporal decay function τ (Δt). In the following section,we will show the benefit of augmenting a trust model with such a mechanism by presenting simulation results.

3

Simulation

For simulations, we have chosen to extend the trust model FIRE [14]. This particular model was chosen for its extensible nature, compatibility with the proposed

Rumor-Like Dissemination of Reputation Information

143

testing scenario and relative recency. Particularly its decentralized nature made it well-suited to our overall goal of mimicking the dynamics of reputation spreading in complex social networks. 3.1

Scenario

In order to assess the value of adding rumor-spreading mechanisms to trust models, we will evaluate the potential average gain an entity can expect when using a trust model with rumor-like information dissemination (FIRE w/ RumorSpreading), a non-augmented trust model (FIRE w/o Rumor-Spreading) and no trust model at all. For this, we will generally follow the methodology put forth in [14], with some changes to the scenario in order to better fit assumptions, for instance regarding trust dissemination [11]. An agent population consisting of consumer and provider agents is seeded in a spherical environment [14]. However, differing from the FIRE standard test methodology, the placement of consumer agents is influenced by an underlying complex social network [11], either a random graph [9] or a highly clustered acquaintance network [16]. Long-range connections between consumer agents that could not be placed together spatially are maintained in order to simulate the small-world effects of social networks [26]. During the simulation, recommendations and published opinions are communicated harnessing the underlying social network. Provider discovery and service delivery is handled in accordance with the neighborhood-based search employed in [14]. Provider selection, from a set of discovered providers, is also handled in accordance with the proposal from the FIRE testbed, using a standard Boltzman exploration strategy [18] in order to address the exploration-vs-exploitation dilemma. Additionally, the testing methodology for assessing the advantage of agents equipped with a trust model and those without has largely been adopted from [14], as well. After selecting and interacting with a provider, the consumer gains or loses utility, dependent on the performance of the provider. Regarding this performance, the provider population is divided into three distinct sub-populations of consistent providers (good, ordinary and bad ), as well as one of intermittent providers. Actual performance of providers is represented by a random variable, computed according to the sub-population a provider belongs to (for bad : μ ∈ [−1, 0], σ = .2, for ordinary: μ ∈ [0, .5], σ = .2, for good : μ ∈ [.5, 1], σ = .1, according to a normal distribution; for intermittent : uniformly distributed in [−1, 1]). A provider’s expected performance μ is set at creation, its actual performance is determined per interaction. Time is measured in rounds, with events taking place during the same round occurring simultaneously. During each round, each agent chooses probabilistically, according to an individual activity level, whether it interacts with a provider. The utility score of every interaction is recorded by each agent, in order to assess the average utility gained or lost each round. Default experimental variable values were retained from the standard FIRE testbed. This includes: number of simulation rounds N = 500, number of provider agents NP = 100 (subdivided into good NP G = 10, ordinary NP O = 40,

144

S. Hauke et al.

bad NP B = 45 and intermittent NP I = 5), number of consumer agents per test group NC = 500. Further default parameters, such as component coefficients and reliability function parameters were also retained, with the exception of the referral length threshold nRL , which was set to permit only 1-hop referrals, as per the rationale in section 2.1. The component coefficient for the proposed rumor-spreading component was set to WRS = .5, identical to that of the component measuring direct witness information. As scaling function f , a generalized logistic function was applied, if the total number of informative votes on a published opinion was below 12, else it was set to 1. The temporal decay function was set to τ (Δt) = exp(−1 · Δt/(−10/ln(0.5))), TΔRel = .1 and pstif le = .33. Published opinions on providers were issued probabilistically (p = .75) if an agent gained utility in the top ten percentile range, has had five consistent interactions with a provider in the top twenty percentile range, or has lost utility from an interaction. Agents did not issue replacement opinions, unless the behavior of an agent was intermittent or decreased significantly. Furthermore, for rumor-like propagation, each agent received a send queue, into which the agent prioritized incoming published opinions for further propagation in future rounds, according to the following order: age, trust in the latest propagator and reliability of the message. Propagation was limited to 5 published opinions per round per propagating agent. 3.2

Results

In order to assess the benefit of augmenting a trust model with rumor-spreading, we investigated the average utility received per agent and round for three groups of agents. Agents choosing providers randomly, without support of any trust model, form the baseline for comparison. Against this baseline, two identical implementations of the FIRE trust model [14] were tested, one of these augmented with rumor-spreading. Simulations were run under both stable conditions and dynamic conditions, which included both provider and consumer population fluctuations, provider performance improvement/deterioration, and agent mobility, under the testbed default dynamic parameters presented in [14].

(a) Stable, Random Graph

(b) Dynamic, Random Graph

Fig. 2. Average utility gain under stable and dynamic conditions

Rumor-Like Dissemination of Reputation Information

(a) Stable, High Clustering

145

(b) Malicious Tagging

Fig. 3. Average utility gain under stable conditions in a highly clustered acquaintance network. Response to maliciously tagging agents.

Trust-equipped agents consistently outperformed the no-trust group by a considerable margin. Under stable conditions, the agents augmented with a rumorspreading component in turn outperformed the population equipped with a standard FIRE implementation by a margin of ≈ .06, once a stable level of average utility was achieved after the first few interactions (cf. Fig. 2(a),3(a)). When comparing differently clustered social network structures used to communicate recommendations and published opinions, overall average utility changes were small (random graph (low clustering): ≈ .63 for rumor-spreading FIRE vs. ≈ .57 non-rumor-spreading FIRE; acquaintance graph (high clustering): ≈ .61 rumor-spreading FIRE vs. ≈ .55 non-rumor-spreading FIRE). High significance (p < 2.2e−16 ) was established by a signed-rank test [27]. However, in the highly clustered network, the number of initial rounds before a relatively constant utility level was reached, was almost double that of the random graph network. This behavior is congruent with findings regarding diffusion speed in [11]. In a simulation in which dynamic conditions introduce noise to the environment, the overall performance of FIRE, both with and without rumor-spreading augmentation, is lower than under stable conditions (cf. Fig. 2(b)). Agents with the additional component still maintain an advantage over agents equipped with pure FIRE, while both populations continue to perform considerably better than the no-trust population. Besides a slightly better performance, the rumorspreading component can be seen to induce a stabilizing effect on the trust model. While performance of regular FIRE is subject to fluctuation, the change in average utility for the augmented model is much smoother. In addition to being effective in reputation information dissemination, the proposed mechanism is also resilient to malicious tagging. This resilience can be attributed to the conservative reliability measure, based upon pairwise agreement computation, as well as its adaptability to the standard FIRE recommendation feedback mechanism, that effectively excludes unreliable recommenders from the recommendation process. Figure 3(b) displays the response to malicious tagging, as per the malicious tagging procedures described in [14]. Specifically, average

146

S. Hauke et al.

utility gain over 200 time steps within the recommender population is plotted against the percentage of maliciously tagging recommenders. These agents either exaggerate or diminish a recommendee’s reputation by adding or subtracting a uniformly distributed random variable in [0.01, 0.2] to the utility gain they expect from the recommendee. An augmented trust framework can be clearly seen to result in higher average utility for those agents using it, as compared to agents equipped with a non-augmented implementation of the same framework.

4

Conclusions and Future Work

Simulation results indicate that augmenting trust models, as prototypically shown for the FIRE model [14], is beneficial to agent performance. The augmented model performed consistently better than the standard model by harnessing socially-filtered rumor-like information. The associated communication overhead for propagating rumor-like information can be partially mitigated by decoupling the provisioning process from the on-request model typically used in trust establishment. The voting mechanism, employing a standardized measure, displayed sufficient power to guarantee the reliability of the propagated published opinions. In the presented form, privacy issues of the protocol, which relies on agents issuing and forwarding published opinions but does not mandate them to do so, can be met through pseudonymization services and group key schemes. In order to harden the protocol against collusion attacks by malicious agent, tracking mechanisms and heuristics can be employed, for which a more sophisticated privacy protection mechanism would be required. Both the exact structure of human acquaintance and trust networks in computational contexts, as well as the way that reputation information is communicated over them still leave considerable room for future investigations. Modeling these networks and applying computational procedures to them can not only serve to better understand human action, but also to assists online users, for instance by offering an automated, distributed (p2p) recommendation network. With the persistent popularity of social networking sites, the integration of socially augmented information systems is a logical next step in assuring reliable service in internet commerce.

References 1. Abdul-Rahman, A., Hailes, S.: A distributed trust model. New Security Paradigms 97 (1997) 2. Agliari, E., Burioni, R., Cassi, D., Neri, F.M.: Efficiency of information spreading in a population of diffusing agents. Phys. Rev. E 73, 46138 (2006) 3. Castelfranchi, C., Falcone, R.: Principles of trust for mas: cognitive anatomy, social importance, and quantification. In: Proceedings of the Third International Conference on Multi-Agent Systems (1998) 4. Castelfranchi, C., Falcone, R.: Social Trust: A cognitive approach. In: Trust and Deception in Virtual Societies, pp. 55–90. Kluwer Academic Publishers, Dordrecht (2001) 5. Castellano, C., Fortunato, S., Loreto, V.: Statistical physics of social dynamics. Reviews of Modern Physics 81, 591–646 (2009)

Rumor-Like Dissemination of Reputation Information

147

6. Daley, D.J., Gani, J.: Epidemic Modeling. Cambridge University Press, Cambridge (2000) 7. Daley, D.J., Kendal, D.G.: Epidemics and rumors. Nature 204, 1118 (1964) 8. Dodds, P.S., Watts, D.J.: Universal behavior in a generalized model of contagion. Physical Review Letters 92(21), 218701 (2004) 9. Erdős, P., Rényi, A.: On the evolution of random graphs. Publications of the Mathematical Institut of the Hungarian Academy of Sciences 5, 17–61 (1960) 10. Gambetta, D.: Can we trust trust? In: Trust: Making and Breaking Cooperative Relations. Basil Blackwell, Malden (1988) 11. Hauke, S., Pyka, M., Borschbach, M., Heider, D.: Reputation-based Trust Diffusion in Complex Socio-Economic Networks. In: Information Retrieval and Mining in Distributed Environments. Springer, Heidelberg (in press, 2010) 12. Hauke, S., Pyka, M., Heider, D., Borschbach, M.: A reputation-based trust framework leveraging the dynamics of complex socio-economic networks for information dissemination. Communications of SIWN 7, 54–59 (2009) 13. Hayes, A.F., Krippendorff, K.: Answering the call for a standard reliability measure for coding data. Communication Methods and Measures 1(1), 77–89 (2007) 14. Huynh, T.D.: Trust and Reputation in Open Multi-Agent Systems. PhD thesis, University of Southampton (2006) 15. Jackson, M.O., Rogers, B.W.: Search in the formation of large networks: How random are socially generated networks? Tech. Rep. 0503005, EconWPA (2005) 16. Jin, E.M., Girvan, M., Newman, M.E.J.: Structure of growing social networks. Phys. Rev. E 64, 46132 (2001) 17. Jøsang, A., Ismail, R., Boyd, C.: A survey of trust and reputation systems for online service provision. Decision Support Systems 43(2), 618–644 (2007) 18. Kaelbling, L.P., Littman, M.L., Moore, A.W.: Reinforcement learning: A survey. Journal of Artificial Intelligence Research 4, 237–285 (1996) 19. Maki, D.P., Thompson, M.: Mathematical Models and Applications, With Emphasis on the Social, Life and Management Sciences. Prentice-Hall, Englewood Cliffs (1973) 20. Marsh, S.: Formalising Trust as a Computational Concept. PhD thesis, Department of Computing Science and Mathematics, University of Stirling (1994) 21. Moreno, Y., Nekovee, M., Pacheco, A.: Dynamics of rumor spreading in complex networks. Phys. Rev. E 69, 66130 (2004) 22. Mui, L., Mohtashemi, M., Halberstadt, A.: A computational model of trust and reputation. In: Proceedings of the 35th Hawaii International Conference on System Science, pp. 280–287 (2002) 23. Sabater, J.: Trust and Reputation for Agent Societies. PhD thesis, Universitat Autonoma de Barcelona (2003) 24. Sabater, J., Sierra, C.: Review on computational trust and reputation models. Artificial Intelligence Review 24, 33–60 (2005) 25. Wasserman, S., Faust, K.: Social Network Analysis: Methods and Applications. Cambridge University Press, Cambridge (1994) 26. Watts, D.: Small Worlds. Princeton University Press, Princeton (1999) 27. Wilcoxon, F.: Individual comparisons by ranking methods. Biometrics 1, 80–83 (1945) 28. Yu, B., Singh, M.: Towards a probabilistic model of distributed reputation. In: Proceedings of the Fourth Workshop on Deception, Fraud and Trust in Agent Societies, Montreal (2001) 29. Yu, B., Singh, M.: Distributed reputation management for electronic commerce. Computational Intelligence 18(4), 535–549 (2002)

Ex-SDF: An Extended Service Dependency Framework for Intrusion Impact Assessment Nizar Kheir1,2 , Nora Cuppens-Boulahia1 , Fr´ed´eric Cuppens1 , and Herv´e Debar3 1

T´el´ecom Bretagne, 2 rue de la Chataigneraie, 35512 Cesson S´evign´e, France {nora,frederic}[email protected] 2 France T´el´ecom R&D, 42 rue des Coutures, 14066 Caen, France [email protected] 3 T´el´ecom SudParis, 9 rue Charles Fourier, 91011 Evry, France [email protected]

Abstract. Information systems are increasingly dependent on highly distributed architectures that include multiple dependencies. Even basic attacks like script-kiddies have drastic effects on target systems as they easily spread through existing dependencies. Unless intrusion effects are accurately assessed, response systems will still be blinded when selecting optimal responses. In fact, using only response costs as a basis to select responses is still meaningless if not compared to intrusion costs. While conventional responses provoke mostly availability impacts, intrusions affect confidentiality, integrity and availability. This paper develops an approach to assess intrusion impacts on IT systems. It uses service dependencies as frames for propagating impacts. It goes beyond existing methods which mostly use dependability analysis techniques. It explores service privileges as being the main targets for attackers, and the tunable parameters for intrusion response. The approach presented in this paper is implemented as a simulation-based framework and demonstrated for the example of a vehicle reservation service.

1

Introduction

Despite the efforts to improve their security, IT systems continue to provide large incentives to attackers because of the benefits that can be realized by compromising those systems. Even the most robust systems can be brought to their knees within a short time by the so-called script-kiddies, which are easily accessible through the Internet. In such circumstances, automated response has proven to be essential, and especially cost-sensitive response [4,18]. As in [14], informing the response process starts by assessing intrusion impacts. While attack graphs trace dependencies between elementary steps constituting an exploit plan, each step is only assigned an abstract cost, without providing formal evaluation methods [16,13]. It has been shown that service dependencies enable to reason about intrusion impacts [1,6,10,19]. However, service dependency models, by using tree- [19] or graph- [1,6,10] based structures, are unable K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 148–160, 2010. c IFIP International Federation for Information Processing 2010 

Ex-SDF: An Extended Service Dependency Framework

149

to catch the way intrusion impacts spread in the system. They only evaluate availability impacts, but not confidentiality nor integrity. In service oriented architectures, an intruder uses the privileges obtained on the target service in order to increase his benefits [3]. An intrusion impact propagates through some dependencies to the target service, but not all dependencies. Existing tree or graph-based service dependency models do not represent conditional impact propagations because they do not implement attacker privileges. This paper formally represents service dependencies. It enables the inline evaluation of intrusion costs using both the privileges realized on the target service and its dependencies. The notion of privilege enables the distinction of availability impacts from those of confidentiality and integrity. In the former, the attacker revokes some privileges to legitimate users. In the latter, the attacker acquires illicit privileges, and thus to have fraudulent access to some assets. In [9], a service dependency framework is presented. It provides a platform which models a service workflow and the topology of its dependencies. Dependencies are modeled as connections which share data access between inter-dependent services. The framework in [9] is used for exploring possible applications of an intrusion response, but it does not include attributes for assessing response impacts. In fact, it does not include the privileges which apply to the data shared through service dependencies. This paper extends the framework in [9]. It introduces the notion of privilege, and thus extends the representation of services as black boxes. Services are modeled as components which are granted privileges over some assets. An intrusion impact covers the privileges realized on the target service and the services which use the target service. We note a main difference between the purpose of this paper, which is to evaluate the impact of elementary intrusions, and the prediction of attacker objectives as used in exploit graphs [8]. Exploit graphs often assign static damage costs to each elementary node within these graphs [17]. These costs are statically set, informally defined and do not consider the dynamic aspect of service dependencies. This paper will be structured as follows: Section 2 extends the service definition in [9] by adding the notion of privilege. Section 3 defines service dependencies, models attacks and specifies the conditions for attack impact propagation using first-order logic predicates. Section 4 implements the service dependency model, and describes a simulation platform using Colored-Petri Nets. Section 5 demonstrates the use of our approach using a web service example. Finally section 6 summarizes related work and section 7 concludes.

2

Privilege: An Extension to the Service Model

This paper uses the service representation in [9] where a service is modeled as an entity which handles access to some assets. A service implements interfaces which share access to these assets with users. An access is studied in [9] as a whole, and the authorizations granted on a given asset do not figure in the model. This is a major limitation when dealing with intrusion impacts. This paper extends the definition in [9] by adding the following specifications: (1) the privileges granted to the service, (2) the credentials accredited to this

150

N. Kheir et al.

service and (3) the trust it has regarding other privileges or credentials. A service is defined as S = (PrS , T rS , CrS ), where PrS , T rS and CrS respectively represent the privileges, trust relationships and credentials implemented by service S. These implementations specify permissions granted to a service and configure the way it interacts with other services through service dependencies. This section defines the notions of privilege, credential and trust. Further we use these definitions to propose a representation of service dependencies. 2.1

Privilege Specification and Assignment

We define an authorization as a logical right that applies to some assets. An authorization may be granted to a subject. We introduce the notion of privilege to model the grant of a permission to a subject. A privilege is specified as follows: permission(Subj, Act, Obj) ← privilege(P riv), subject(P riv, Subj), authorization(P riv, Auth), action(Auth, Act), object(Auth, Obj). A privilege specifies a subject and an appropriate authorization. The latter includes an action which applies to an object. We represent a privilege P riv detained by a subject Subj with the notation Subj.P riv. It is interpreted as: Subj.P riv ⇔ privilege(P riv), subject(P riv, Subj). We use privileges in order to define security objectives in terms of confidentiality (C), integrity (I) and availability (A). We argue that the assignment of CIA cost vectors to critical assets does not provide enough expressiveness. As discussed in [6], A is not managed the same way as for C and I. C and I are appropriate to the asset to which they apply, but A is related to the asset and the entity which uses this asset. We specify security objectives in terms of C and I as cost metrics assigned to their appropriate assets. They are defined as square cost vectors (Ci , Ii ) which apply to asset ai . The metric Ci (resp. Ii ) is assigned a higher value when the compromise of the C (resp. I) of ai provokes higher losses to the system. The resulting cost for illicitly acquiring an authorization α which applies to an asset ai is evaluated to max(cα × Ci , iα × Ii ). cα (resp. iα ) is a boolean variable that is set to null when α does not disclose (resp. alter) the C (resp. I) of ai . We specify security objectives in terms of A by assigning cost scalars to privileges rather than objects. Some privilege S.P riv is critical if the unavailability of P riv to the subject S (i.e. user) provokes high system losses. While C and I impacts are evaluated according to the authorizations illicitly acquired by an attacker, A impacts are evaluated according to the privileges which are revoked to their appropriate users. We thus have more granularity to evaluate availability failure costs because some privileges may be denied to certain, but not all, users. 2.2

Privilege Sharing: Credential and Trust

We define a credential as an ‘entitlement to privilege’ [12]. It is not coupled to an object, but to an entity that trusts this credential and shares in counterpart some privilege. A credential enables an entity which is not assigned some

Ex-SDF: An Extended Service Dependency Framework

151

privilege, to share this privilege with other entities. We introduce credentials with the predicate credential, as follows: credential(Cr) ⇔ ∃(Subj1 , Subj2 ) : owner(Cr, Subj1 ), authority(Cr, Subj2 ). It means the credential Cr is granted to subject Subj1 , and trusted by subject Subj2 . We use the notation Subj.Cr to represent a credential Cr owned by a subject Subj, and we write Subj.Cr ⇔ credential(Cr), owner(Cr, Subj). We define trust as an association of a privilege to be shared in counterpart to some credentials and/or privileges. Trust relationships are implemented as part of an authorization scheme by which we may specify the way privileges may be shared between the different subjects of a system. We introduce the predicate trust as follows: trust(tr) ⇔ ∃(subj, inp, out) : subject(tr, subj), grantee(tr, out), privilege(out), trustee(tr, inp), credential(inp) ∨ privilege(inp). In other terms, the subject subj implements a trust relationship by which it shares the privilege out in counterpart to the trusted credential or privilege inp. The satisfaction of a trust relationship results in additional authorizations granted to the trusted subject (i.e. the subject which has the trusted credentials or privileges). The satisfaction of a trust relationship is formalized as follows: Subj2 .out ← trust(tr), subject(tr, subj), trustee(tr, inp), grantee(tr, out), subject(out, subj), [privilege(inp), subject(inp, Subj2)] ∨ [credential(inp), owner(inp, Subj2 ), authority(inp, subj)] Trust relationships configure access through service dependencies. The satisfaction of a dependency is constrained by the implementation of appropriate trust relationships. These are often bypassed by intruders, as described in section 3.

3

Dependencies and Impact Propagation

Service dependencies express the need for dependent services to access antecedent services. A dependent service requires some privileges not assigned to this service. It accesses an antecedent service in order to obtain the required privileges. We represent service dependencies using the RT D framework in [12]. RT D introduces the concept of request which is represented by a delegation credential that delegates from the requester to the request. For example, that Ea requests an authorization which belongs to the role Rb from Eb with its capacity of being Ea as Ra

empowered in the role Ra is represented by: Ea −−−−−−→ Eb.Rb. We use the same delegation concept, but replacing roles with privileges. This is motivated by the fact that the role concept in role-based management languages is treated as a collection of authorizations [15], which makes it compatible with the privilege concept for service dependencies. We represent the dependency for a service A towards a service B as follows: (A.Cr, A.Pr)

A −−−−−−−−→ B.R. It states that service A, in its faculty of having the credential (Cr) and/or the privilege (P r), requests the privilege R from the antecedent

152

N. Kheir et al.

service B. The dependent service, after it satisfies its dependency, acquires additional privileges granted by the antecedent service. The satisfaction of the dependency implies the sharing of the privilege R between the dependent and the antecedent services. We use the definitions of a service dependency and trust in order to specifiy the condition for a dependency to be satisfied. It is written as: A.Cr,A.Pr

(A −−−−−−−→ B.R ⇒ A.R) ⇔ ∀tr : (trust(tr), subject(tr, B), grantee(tr, R)), [(trustee(tr, Cr), owner(Cr, A)) ∨ (trustee(tr, P r), subject(P r, A))]. Dependencies are satisfied only when dependent services use credentials and privileges which apply to trust relationships implemented by antecedent services. 3.1

Modeling Attacks in the Framework

As discussed in section 2.1, a privilege is affected when it is illicitly acquired by an attacker or denied to legitimate users. We introduce an intrusion as a way by which an intruder alters privilege assignments, either by denying access to legitimate users or providing illegitimate access to the intruder. We define infected privileges as privileges that are illegally acquired by an attacker, and revoked privileges as those which are illegally revoked to a target service. We use exploited vulnerabilities to represent attack impacts on target services. We define a vulnerability using the same pre/post-condition model as in [2]. We introduce for this purpose the following attributes: (1) target to represent the vulnerable service, (2) access to represent the vulnerability access vector (i.e. the privileges which must be satisfied by the attacker before he could access the vulnerability), (3) infects to represent privileges for the target service that are infected by the intruder and (4) revokes to represent privileges which are revoked to the target service after the vulnerability is exploited. We model an attack using the same request statement as for service dependencies. An attacker, with his faculty of having some privileges (i.e. vulnerability access vector), exploits a vulnerability on a target service in order to increase his benefits and thus to acquire additional privileges and/or deny other privileges to the target service. The attack success condition is extended in order to include information about the exploited vulnerability. We introduce attack impact as follows: Att.P r

[Att −−−−−→ B.R ⇒ Att.R] ⇔ [∃v : vulnerability(v), target(v, B), inf ects(v, R), access(v, P r), subject(P r, Att)]. Att.P r

[Att −−−−−→ B.R ⇒ ¬(B.R)] ⇔ [∃v : vulnerability(v), target(v, B), revokes(v, R), access(v, P r), subject(P r, Att)]. We introduce the predicate inf ected(B.R) to represent the outcome of the first attack, and the predicate revoked(B.R) to represent the outcome of the second. We may also explore the correlation of attacks by comparing the outcome of one

Ex-SDF: An Extended Service Dependency Framework

153

attack to the access vector of the second, as in [2]. Attack correlation combines elementary impacts with the level of expertise required for succeeding an attack and the prediction of intrusion objectives in order to foresee additional impacts. This is a subject of interest which must be detailed in a future extension to this study. This paper thus evaluates impacts of elementary (i.e. separated) attacks. 3.2

Attack Impact Propagation

The impact of an attack propagates when components other than the target component are affected by this attack. The attacker acquires (resp. revokes) privileges granted to components other than his target component. He bypasses the trust relations already configured for service dependencies, by using the privileges he already acquired, in order to increase his gain (i.e. system loss). We infer, using the definitions of attacks, dependencies and trust relationships, the conditions for attack impact propagation which are summarized in listing 1.1. Listing 1.1. Attack impact: propagation of infections and revocations A.R

Statement 1 : inf ected (A.R) ∧ ∃ (B, Q) : A −−−−→ B.Q ⇒ inf ected (A.Q) A.Q

Statement 2 : revoked (B.R) ∧ ∃ (A, Q) : A −−−−→ B.R ⇒ revoked (A.R) A.R

Statement 3 : revoked (A.R) ∧ ∃ (B, Q) : A −−−−→ B.Q ⇒ revoked (A.Q) A.Q

Statement 4 : inf ected (B.R) ∧ ∃ (A, Q) : A −−−→ B.R ⇒ inf ected (A.R)

Statement 1 characterizes an opportunistic attacker who accesses an antecedent service after his attack against a dependent service. The attacker illicitly acquires from the dependent service some credentials and/or privileges which are trusted by the antecedent service. The attacker benefits are thus extended to include all the privileges granted by the antecedent service. Statement 2 illustrates availability propagation. The revocation of some privileges to an antecedent service makes them unavailable for its dependent services. In statement 3, some credentials and/or privileges that satisfy some access to an antecedent service are revoked to the target service. As a consequence, the privileges shared by the antecedent service are also revoked to this service, and subsequently to all its users. Statement 4 characterizes an undisciplined attacker who uses the infected privileges in order to access any dependency and thus to increase his gain. Impacts iteratively propagate through service dependencies. The resulting impact corresponds to all infected (∀(u, P r) : inf ected(u.P r)) and revoked (∀(u, P r) : revoked(u.P r)) privileges. Our model also evaluates the conjunction of multiple attacks. By separately infecting more privileges, more dependencies could be infected, and so more damages could be inflicted to the system. In the following section, we develop a simulation platform which implements this model. It simulates impacts inline by mapping attacks onto our model and propagating impacts as in listing 1.1 in order to assess intrusion damages.

154

4

N. Kheir et al.

Implementation as Colored Petri Nets

4.1

Use of Colored Petri Nets (CPNs)

A straightforward approach to implement our model is to use a datalog inference engine. Meanwhile, we discarded this approach for two reasons. Firstly, the tracking of impact propagations may require interleaving with the inference steps, which is, to the best of our knowledge, hard to integrate in a datalog engine. Secondly, the size and complexity of datalog inference engines restrain their use for large systems. They do not guarantee the process termination in presence of cyclic dependencies. On the other hand, our model includes several characteristics. Firstly, it uses privileges which travel through specific dependencies. The satisfaction of a dependency adds new privileges to some dependent component. Secondly, we include attackers who modify the system status by infecting or revoking privileges. They use those privileges to extend the impact of their attacks, and thus to modify the system state. Thirdly, attack impacts propagate iteratively. Attacker gain is revaluated in a recursive way each time he acquires new privileges. A simulation framework thus better fits to our model. CPNs [11] are an appropriate tool to implement our model. Firstly, CPNs enable token classification into different types. We model privileges as tokens and services as places. A dependency transfers some tokens from an antecedent place to a dependent place. We use the concept of token exchange to model privilege exchange in our model. Secondly, users and attackers are differently represented in our model. Users may access only public service interfaces. They are assigned explicit places which are initialized with default user privileges. Attackers use any interface and may spoof any service or user place. They are not assigned explicit places. We introduce the concept of infected tokens to represent attacker gain. Thirdly, the use of CPNs enable the iterative simulation of our model. A single transition is activated at a given time. It initiates a system state transition. The new state is characterized with new privileges acquired by a dependent component (either a user, service or attacker). Attacker benefits are obtained after the CPN reaches a state where no more transitions are enabled. 4.2

Building the Simulation Platform

AADL Extensions and CPN Conversion. Service privileges extend the dependency model in [9], which is implemented using the architecture analysis and design language1 (AADL). AADL is standardized by the society of automotive engineers and used to describe real-time systems. A dependency is modeled in [9] with the white components in Fig.1. We add the properties in gray brackets to this dependency. A dependency is represented with a connection through which a dependent service requires data access from an antecedent service. We extend the data access concept by adding three properties to represent the trust relationship. The first property (Reqs) applies to the requires interface of the dependent 1

http://www.aadl.info/

Ex-SDF: An Extended Service Dependency Framework

Trust=>[&iTri]* Shgs=>[&i Pri ]* provides data access requires data access

155

system DpS −−Dependent s e r v i c e −− If ace : r eq u i r es data a cces s D T ype { Reqs => a cces s [&i [P ri ∨ Cri ]]∗ ; } ; system AtS −−Ant e c e d e nt s e r v i c e −− If ace : provides data a cces s D T ype{ Tr u st => a cces s [&i T ri ]∗ ; Shgs => a cces s [&i P ri ]∗ ; } ; system d e p e n d e n c y M o d e l connections −− Toplogy d e s c r i p t i o n −− data a cces s AtS . If ace−>DpS . If ace ;

Antecedent service Data Dependent service

Reqs=>[&i[Pri v Cr i]]*

Fig. 1. Dependency representation in AADL

service. It specifies the credentials and/or privileges delegated by this service. The two last properties apply to the provides interface of the antecedent service. The T rust property specifies the trust relationships which must be satisfied by the dependent service. The Shgs (i.e. privilege sharings) property specifies the privileges shared with the dependent service after the dependency is satisfied. The listing in Fig.1 illustrates the resulting AADL textual representation. Dependent Resource {Reqs}

Y {Shgs, Trust}

1

AADL service Dependency model

{Shgs} V tr in {Trust} (r in {Reqs}, p in {Shgs}): p.Match(tr, r)

Antecedent Resource

Fig. 2. CPN dep

CPN static transformation

XSLT aaxl->CPNTools

Alert Reports Response decision

2

CPN tools simulator

XSLT set_Initial_Marking

3 CPN dynamic

transformation

Fig. 3. Framework architecture

We transform the AADL dependency into the CPN transition in Fig.2. This transition is activated only when the trust relationships implemented by the antecedent service apply to the credentials and/or privileges delegated by the dependent service. This is implemented through the activation constraint added to the CPN transition. The dependency, when enabled, shares the privileges ‘Shgs’ between the dependent and the antecedent services. Replacing all AADL dependencies provides a CPN representation of the dependency model. Attacks, Infection and Propagation. The simulation of the CPN model illustrates the normal system behavior in absence of threats. Intrusions modify the state of the system by modifying the initial marking of the CPN model. The simulation of the modified (i.e. dynamic) CPN model traces the system behavior in the presence of users and attackers. We model privilege revocation by omitting the revoked tokens from the initial marking of the CPN model. Transitions that use these tokens are disabled, which consequently implements statements 2 and 3 in listing 1.1. We also define tokens as data structures to which we add

156

N. Kheir et al.

a boolean variable. It is set to true when the appropriate privilege is infected by an intrusion. The infection propagates through a service dependency when the privileges and/or credentials delegated by the dependent service are all infected. The resulting effect is the infection of the privileges yet shared with the dependent service. We add to each CPN transition an action which is executed by the CPNTools simulator [11] after the dependency is enabled. It updates the infection status of the ‘Shgs’ tokens, and thus implements statements 1 and 4. The framework in Fig.3 summarizes the impact assessment process. It uses the extended AADL model and intrusion alerts. We rely on existing correlation techniques [5] and these are out of the scope of this paper. The XSLTs transform the AADL model into a dynamic CPN model. The dynamic CPN model is simulated using the CPNTools simulator. The use of datalog formalism guarantees the simulation to converge in a polynomial time. The final marking of the CPN model characterizes the attack impact. All infected tokens (boolean attribute set to true) are aggregated to obtain attacker privileges. Tokens no longer held by user places are aggregated to obtain availability impacts. The final measures are used by the response module in order to decide about response selection.

5

Use-Case and Simulation Results

This section implements our proposal using the example of a vehicle reservation service. It describes the service platform and shows its appropriate CPN representation. Later it proposes some attack samples and demonstrates the use of our approach in order to assess the impact of these attacks. 5.1

Use-Case Architecture: Modeling Normal Behavior

The vehicle reservation service is accessible for registered users who authenticate through a front-end application. User authentication is centralized using an Intranet directory service. The Pool application uses a database which contains information about the stock of vehicles. It also sends confirmation emails using a webmail application. The use case also includes intranet and extranet email users. Intranet users use POP and IMAP protocols, and extranet users use the webmail application. The webmail service is configured as in [9]. The SMTP service is configured for IMAP authentication before SMTP access. Figure 4a shows the appropriate network configuration and user requirements. The CPN provided by the XSLT is shown in Fig.4c (please refer to [9] for details about the AADL model). Privileges, Credentials and trust relations are also summarized in Fig.4c. Due to space limitations, we demonstrate the implementation of only the IMAP-LDAP dependency (T il). Other examples are easily verifiable in Fig.4c. LDAP authentication requires the IMAP service to have acquired valid user credentials (P u1 ). The IMAP service also needs a valid LDAP account (P i1 ) to search user accounts. This account must be trusted by the LDAP service, and granted the suitable authorizations. This is specified in the slapd.conf file for the LDAP service and modeled by the token P l2 . This dependency shares the search right on user

Ex-SDF: An Extended Service Dependency Framework

157

DMZ

Internet User

Mailbox access infection

Conf. and Integ. Availability

Reserve vehicle Confirm reserv.

Auth. appli. Webmail

Database

Pool appli.

Intranet

Revocation of reservation confirmation capability Access to the DMZ

Send Mail Check Mail

User

IMAP Proxy

SMTP

POP

IMAP

LDAP

Step 1 Step 2 Current attack step

NFS

(a) Use-case network architecture [Pi1]

Pu1

Step 3

(b) Simulation measures

Pl3

Pl2,Pl3

Auth. Pu1,Pi1 Pl3

[Pu1]

Pu1

Pool user

Pu1

Pl3 Pl3 Ps2

Pu1 Ps2

Pu3

Pu1

Pn1

[Ptk] Tpp

Ps2

[Pd1,Pd2] Pool DB

Ptk Pool

[Pw1]

Pd1

Web

Pd1,Pd2

Privileges: Pl3 = ("Search user accounts"); Pn1 = ("MailBox access"); Pw1 = ("Intranet connection"); Ps2 = ("Send mail permission"); Pm1 = ("Trusted IMAP address"); Pd1 = ("vehicle reserv. permission"); Pu3 = ("reserv. confirmation capability");

Twi Pn1

Pw1,Pu1

Ps2

Credentials: Pi1 = ("LDAP account"); Pp2 = ("POP server certificate"); Pi2 = ("IMAP server certificate"); Ps1 = ("SMTP server certificate"); Pu1 = ("user mail account"); Ptk = ("Pool account"); Trust relationships: Pl2 = ("search LDAP account", Pi1); Pn2 = ("NFS trusted access",Pp2,Pi2,Ps1); Pd2 = ("DB write permission",Ptk);

[Pu1, Pw1]

Pl3

Imap

Til

Pn1

Pi2 Tin

Pu1,Pw1

Pw1

Pn1

Tis

Pl3 Pu1

Pn1

Pw1,Pu1

Ps2 Ptk

[Pi1,Pi2]

Pm1

Pn1

Pl3

Pu1,Pi1

Pu1 Pu1

Ps2

Pd1

Pn1,Pl3

Pm1

Pn1

Pu1

Pd1 Pl3

Pn1

Imap proxy

[Pm1]

Extranet user

Pu1

[Pu1]

Pl2,Pl3

Pn1,Pn2 [Pl2,Pl3]

Ps2

[Pn1,Pn2]

Pu1,Pw1

Intranet user

Ldap

Pn1,Pn2 Pu1

Pn1

Ps2

Pl2,Pl3

Pn1 Pp2

Pn1,Pl3

Pw1

Nfs

Pl3

Pop

[Pp2,Pi1]

Pu1,Pi1

Pn1,Pn2

Ps1

Ps2,Pl3

Smtp [Ps1]

Ps2

(c) Use-case CPN representation Fig. 4. Use-case presentation

accounts (P l3 ) between the two services. It enables the IMAP service to authenticate users. The simulation of the CPN model shows the privilege sharing through service dependencies until users are granted appropriate privileges. 5.2

Attack Injection and Impact Assessment

We demonstrate the use of our framework using the following attack scenario. The first attack is a BoF which enables an attacker to execute arbitrary code on the web server. The second attack uses the web server as a stepping stone to forge a crafted command to crash the courier-authlib, providing restricted shell on the IMAP server. The third attack enables the attacker, through a BoF, to have root shell on the IMAP server. The diagram in Fig.4b illustrates the inline tracking of intrusion impacts. The first attack enables the attacker to acquire the privilege P w1 . The impact does not propagate elsewhere because the transition T wi for the Webmail-IMAP dependency also requires the credential P u1 to be infected in order to propagate the infection. The second attack causes the courier-authlib to

158

N. Kheir et al.

crash. It denies access to the credential P i1 for the IMAP server. The transition T il for the IMAP-LDAP dependency is disabled, and consequently the transition T is for the IMAP-SMTP dependency. The transition disabling propagates until the final user transition T pp is disabled, thus denying the privilege P u3 for pool users. The impact of this attack is considerable since P u3 corresponds to a high security objective (Pool users can no longer confirm their reservations). The third attack enables the attacker to access the IMAP server certificate for the NFS server. P i2 is infected, which causes the infection to propagate through the transition T in for the IMAP-NFS dependency. The privilege P n1 is thus infected. It is a critical security objective because the attacker accesses user mailboxes.

6

Related Work

Impact assessment techniques for intrusion response may be classified into reactive and pre-emptive approaches. Studies in the first category use service dependency trees or graphs to propagate impacts. For instance, [1] models host-based systems as dependency graphs where nodes are components and edges are dependencies. This approach lacks the formalism required to model different intrusive states for a component. The failure of a component thus provokes the failure of all its dependent components. A similar approach in [19] applies to network intrusion response. It uses dependency trees and defines a capability function to propagate impacts. This approach does not compare response impacts to those of intrusions. It does not model scenarios where the best response option is not to respond. [6] extends the approach in [19] by using dependency graphs. It uses dependability analysis techniques, and thus only considers availability impacts. [10] also uses dependency graphs. It weighs dependencies by matrices rather than scalars, and thus models the interference between different impact propagations. Meanwhile, it lacks the ability to constrain impact propagations to some intrusive states for an antecedent component. The approach in this paper provides a solution to this problem using privileges, thus propagating impacts only when infected privileges enable such propagations. Pre-emptive response draws dependencies between elementary exploits [8,17] or vulnerabilities [3,7] rather than services. It provides techniques to evaluate attacker intentions and to adjust cost measures accordingly. It assigns costs metrics to each node in the exploit or vulnerability graphs, but only relies on expert knowledge to implement those metrics because these graphs do not model service operational dependencies.

7

Conclusion

This paper provided a systematic approach to assess intrusion impacts. It formally defines service dependencies which are further used as frames to propagate intrusion impacts. It overcomes the limitations of using dependability analysis techniques by adding privileges to the dependency model. It proves that adding privileges to the dependency model enables the evaluation of confidentiality and

Ex-SDF: An Extended Service Dependency Framework

159

integrity impact propagations in addition to availability. Privileges also constrain the occurrence of some impact propagations to the satisfaction of multiple conditions such as attacker privileges and service configurations. The approach in this paper is implemented as a simulation framework using colored petri nets. Future work will extend the approach in this paper by adding the reaction dimension. A response either revokes or assigns some privileges. It is analyzed according to its effects on attackers (hampering infection propagations) and legitimate users (privilege revocations). Attack correlation is also possible using our model. An intrusion impact would not be restrained to the direct effects in terms of privilege infection and revocation. It will be analyzed according to the new attack steps which are made possible by the current intrusion success.

References 1. Balepin, I., Maltsev, S., Rowe, J., Levitt, K.: Using specification-based intrusion detection for automated response. In: Vigna, G., Jonsson, E., Krugel, C. (eds.) RAID 2003. LNCS, vol. 2820, pp. 136–154. Springer, Heidelberg (2003) 2. Cuppens, F., Autrel, F., Yacine Bouzida, J.G., Gombault, S., Sans, T.: Anticorrelation as a criterion to select appropriate counter-measures in an intrusion detection framework. Annals of Telecom 61, 197–217 (2006) 3. Dacier, M., Deswarte, Y., Kaˆ aniche, M.: Quantitative assessment of operational security: Models and tools. LAAS Research Report 96493 (1996) 4. Debar, H., Thomas, Y., Cuppens, F., Cuppens-Boulahia, N.: Enabling automated threat response through the use of a dynamic security policy. Journal in Computer Virology 3 (2007) 5. Debar, H., Wespi, A.: Aggregation and correlation of intrusion-detection alerts. In: Lee, W., M´e, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, pp. 85–103. Springer, Heidelberg (2001) 6. Jahnke, M., Thul, C., Martini, P.: Graph based metrics for intrusion response measures in computer networks. In: 32nd IEEE Conf. LCN (2007) 7. Jajodia, S., Noel, S.: Topological vulnerability analysis: A powerful new approach for network attack prevention, detection, and response. In: Algorithms, Architectures, and Information Systems Security (2007) 8. Kanoun, W., Cuppens-Boulahia, N., Cuppens, F., Dubus, S., Martin, A.: Success likelihood of ongoing attacks for intrusion detection and response systems. In: Inter’l Conf. on Computational Science and Engineering (2009) 9. Kheir, N., Debar, H., Cuppens, F., Cuppens-Boulahia, N., Viinikka, J.: A service dependency modeling framework for policy-based response enforcement. In: Flegel, U., Bruschi, D. (eds.) DIMVA 2009. LNCS, vol. 5587, pp. 176–195. Springer, Heidelberg (2009) 10. Kheir, N., Debar, H., Cuppens-Boulahia, N., Cuppens, F., Viinikka, J.: Cost assessment for intrusion response using dependency graphs. In: Proc. IFIP Inter’l Conf. on Network and Service Security (2009) 11. Kristensen, L.M., Christensen, S., Jensen, K.: Practitioner’s guide to colored petri nets. Inter’l Journal on Software Tools for Technology Transfer (1998) 12. Li, N., Mitchell, J., Winsborough, W.: Design of a role-based trust-management framework. In: Proc. IEEE Symp. Security and Privacy, p. 114 (2002) 13. Noel, S., Jajodia, S., O’Berry, B., Jacobs, M.: Efficient minimum-cost network hardening via exploit dependency graphs. In: Proc. 19th Conf. ACSAC (2003)

160

N. Kheir et al.

14. Papadaki, M., Furnell, S.: Informing the decision process in an automated intrusion response system. Information security Tech. Report, pp. 150–161 (2005) 15. Sandhu, R.S., Coynek, E.J., Feinsteink, H.L., Youmank, C.E.: Role-based access control models. IEEE Computer 29, 38–47 (1996) 16. Sheyner, O., Wing, J.: Tools for generating and analyzing attack graphs. In: Proc. Wkshp on Formal Methods for Components and Objects (2004) 17. Stakhanova, N., Basu, S., Wong, J.: A cost-sensitive model for preemptive intrusion response systems. In: Proc. 21st Inter’l Conf. AINA, pp. 428–435 18. Stakhanova, N., Basu, S., Wong, J.: A taxonomy of intrusion response systems. Inter’l Journal information and computer security, 169–184 (2007) 19. Toth, T., Kruegel, C.: Evaluating the impact of automated intrusion response mechanisms. In: Proc. 18th Conf. ACSAC (2002)

A Dynamic and Ubiquitous Smart Card Security Assurance and Validation Mechanism Raja Naeem Akram, Konstantinos Markantonakis, and Keith Mayes Information Security Group Smart card Centre, Royal Holloway, University of London Egham, Surrey, United Kingdom {R.N.Akram,K.Markantonakis,Keith.Mayes}@rhul.ac.uk

Abstract. Smart cards have been deployed as trusted components in a wide range of industries. The basis of the trust on a smart card platform and applications is static and evaluated before the card issuance to cardholders. A dynamic and post-issuance security assurance and validation mechanism can be useful, but it is not considered necessary in the Issuer Centric Smart Card Ownership Model. However, in an open and dynamic smart card environment like the User Centric Smart Card Ownership Model, it is essential to have a mechanism that on request could provide assurance and validation of the implemented and evaluated security mechanisms. Such a framework is the focus of this paper.

1

Introduction

Multi-application smart cards enable a secure and flexible execution environment for a diverse range of applications with their individual requirements [1]. Since the inception of the smart card technology, the main driving force in its adoption has been the Issuer Centric Smart Card Ownership Model (ICOM) [2], in which smart cards are in control of the issuing authority and cardholders (end-user) can only use sanctioned privileges. In this model, issuers either evaluate themselves or accept the third party evaluation of the security mechanisms. The most prominent evaluation scheme in the smart card industry has been the Common Criteria (CC) [3]. Card issuers or card manufacturers initiate the evaluations process and the result of the evaluation is communicated to initiators, stakeholders, standardisation or government organisations. Smart cards do not carry any evaluation certificate or validation mechanism, so end-users cannot verify the their security conformance. It would be useful to have such a mechanism but it is not necessarily implemented in the ICOM. However, for the User Centric Smart Card Ownership Model (UCOM), such a mechanism is essential. The UCOM enables a cardholder to choose an application they require on his or her card [4], that is managed by an open and dynamic mechanism of application installation, and deletion [5]. To ensure that the UCOM is a reliable, secure and efficient model, it is necessary that smart cards and their applications should provide assurance along with validation of the implemented security mechanisms K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 161–172, 2010. c IFIP International Federation for Information Processing 2010 

162

R.N. Akram, K. Markantonakis, and K. Mayes

to the requesting entities. Similar mechanisms are mentioned in literature [6–8], but their focus is on the ICOM. Although, the primary focus of this paper is on a framework that satisfies the UCOM requirements, we consider that the framework could be equally valid in the ICOM environment. In section two, we begin with a short discussion on the rationale behind the paper and requirements for the proposed framework. Section three discusses essential components of the CC scheme and why it is a suitable choice. Details of the framework are described in section four and the structure of the proposed CC certificate is briefly discussed in section five. Section six discusses the future research directions and finally section seven provides the concluding remarks.

2

Security Assurance and Validation Mechanism

In this section, a brief description of the rationale and requirements for the proposed model is provided. 2.1

Motivation for Security Assurance and Validation Mechanism

In the ICOM, smart cards are under control of their respective card issuers, and they define the security requirements [4]. Depending upon the card issuer, if it is a large scale organisation then they may require the card manufacturer to meet their requirements. If it is a medium or a small-scale organisation, they can choose a product that suits their requirements [4]. In these cases, the security assurance may be evaluated under a globally acceptable standard, most notably CC [3] (ISO/IEC 15408 [9]). The card manufacturer will provide a certification report issued by the CC Certification Body (CB) [3] to card issuers. The CC might also provide assurance against the possible negligence, malicious intention and distribution problem (in theory) [8] by defining the delivery procedures and audit of production sites. Therefore, card issuers do not require dynamic and ubiquitous security assurance mechanism. In addition, if card issuers decide to install an application (from an application provider) onto their smart cards, they can verify the compatibility, and security assurance of the application before installing it. Furthermore, prior agreements and trust relationship between card issuers and application providers, and tight application installation controls prevent any malicious application to be downloaded onto smart cards. In the UCOM, an SP may not necessarily have a prior trust relationship or agreement, with the card manufacturer or other SPs. In such a situation, how the SP will establish trust in the platform on which their application is going to be installed. Similarly, how a platform will trust the SP’s application that it will not harm the platform [4]. During the installation process, both the SP and the platform would verify each other’s security assurance certificates and provide their validations. Therefore, the UCOM requires a mechanism that supports a dynamic and ubiquitous security assurance and validation process.

A Dynamic and Ubiquitous Smart Card Security Assurance

163

The proposed process would be optional, and it would depend upon the security policy of the requesting entities. It could be the case that the application being installed does not have high security requirements. For example, an application that only has the unique student ID that a student presents to an access control device along with the Personal Identification Number (PIN). The security of the application is based on the PIN not on the student ID as it might easily be discovered from the student records (e.g. email directory, class enrollment). 2.2

Requirements for Security Assurance and Validation Mechanism

Requirements for a security assurance and validation mechanism are listed below. 1. 2. 3. 4. 5.

3

It should be automated and require minimum user (cardholder) interaction. Base on well established globally acceptable security evaluation criteria. No extensive modification to the existing infrastructure(s). Provide effective protection against entity masquerading. Protect the privacy of each of the entities involved in the process. For example, the card manufacturer should not be able to find out the individual card (it might be able to identify the card batch but not the individual cardholder or card itself). Similarly, an SP should not be able to find out about other applications installed on the smart card [10].

Common Criteria Scheme

In this section, a short description of the CC scheme is provided with its essential components. 3.1

Brief Introduction

In the security arena, the most sought-after concept is “trust" in ones capability and protection mechanisms. In a small, localised and restricted group, establishing trust is relatively easy as it can be accomplished individually. However, when you have no offline trust relationship with another organisation, it becomes difficult to trust their products. Third party evaluations were proposed to deal with such issues. Initially, under the guideline of Trusted Computing Security Evaluation Criteria (TCSEC) also known as Orange Book whose focus was on USA government sector’s security requirements, where across the pacific, UK proposed the UK Confidence Levels [11]. In early 1990s, UK scheme was combined with Germany and French criteria to give way for Information Technology Security Evaluation Criteria (ITSEC) [8]. In 1996, CC was released, which was later adopted as ISO/IEC standard (ISO/IEC 15408 [9]), that is internationally accepted under the Common Criteria Recognition Agreement (CCRA) [3].

164

R.N. Akram, K. Markantonakis, and K. Mayes

The CC scheme defines the methodology for expressing the security requirements, conformance claims, evaluations process and finally certification of the product. The security requirements for a product at an abstract level are stipulated by the Protection Profile (PP). The Security Target (ST) details these security requirements and makes the conformance claim for a product or its subcomponent, generally referred as Target of Evaluation (TOE). The evaluation methodology defines the procedure that an evaluator should follow when processing the conformance claims regarding at a TOE and are published in the Common Methodology for Information Technology Security Evaluation (CEM) [12]. Protection Profile. An implementation independent document that states the security requirements at an abstract level. In practice, it generally deals with the customer’s requirement and product designers try to get their product evaluated to a customer’s PP. A PP can be inherited from another PP, forming a hierarchical structure of PPs where each sub-branch augmenting its parent PPs. Security Target. An implementation independent document that describes the assets of a TOE and possible threats posed to its security. It also details the counter measures to protect against the posed threats along with the demonstration that they are fit for purpose. An ST may be in conformance of one or more PPs. Organisations evaluating smart card products to integrate them with their services will look into its ST to verify whether it satisfies their PP(s). If they satisfy then the given product can be considered secure for their application. Evaluation Assurance Level (EAL). These are predefined assurance packages, with set of security requirements that ranges from 1 to 7, where the level seven being the strictest assurance package. These packages are described in the CEM [12]. A package can be used to construct more packages, PPs and STs. 3.2

Why Common Criteria?

Some reservations are expressed in the literature regarding the validity and the process efficiency of the CC [7, 12, 13]. However, the CC has taken a strong hold in the smart card industry, especially in high security smart cards like banking and IDS/passports etc, as a security evaluation-standard of choice. It has a well established security requirement specification [3] and evaluation methodology [12], along with application providers (or SPs) and smart card manufacturers have extensive experience of the CC evaluation scheme. It is preferable to include the CC scheme in the proposed framework, with slight modification to the evaluation certificates that are discussed in section 5.

4

Proposed Assurance and Validation Mechanism

In this section, the proposed framework for the security assurance and validation mechanism is provided.

A Dynamic and Ubiquitous Smart Card Security Assurance

4.1

165

Overview of the Framework

In the security assurance mechanism, an SP creates a PP, gets it certified from a CB and makes it public. A card manufacturers could develop a UCOM compatible smart card that satisfies the certified PP and get it evaluated. After which the manufacturer gets the evaluation certificate that could be presented to requesting entities. In the validation mechanism, an entity would challenge the certificate bearer to provide the proof that the state at which the certificate was issued is still valid. A similar line of reasoning is also applicable in the SP to smart card security assurance and validation mechanism. An overview of the mechanism is provided in the figure 1, and discussed as below. 6) Evaluation Certificate 5) Request Certificate for Target of Evaluation

3) Protection Profile

Smart Card Manufacturer

4) Request Security Target Evaluation

n atio valu E e l fi file Pro Pro ion e ion tect t o c r e icat t P ertif Pro est u C d q e n e at atio 1) R valu valu 2) E eE h t erify 9) V

Commercial Licensed Evaluation Facility

8) Request Application (Evaluation Certification) Service Provider 7) Smart Card with Evaluation Certificate

10) Request Validation Smart Card

Fig. 1. Illustration of Security Assurance and Validation Mechanism

An SP would create (or reuse) a PP and requests the CC Commercial Licensed Evaluation Facility (CLEF) to evaluate the PP and after evaluation the CB will certify it. A smart card manufacturer creates an ST that conforms to the SP’s PP and gets it evaluated by the CLEF. Then smart card (TOE) being evaluated and certified to the respective ST. After evaluation, the national CB would make the TOE (and related ST) public along with issuing an evaluation certificate that the card manufacturer would place on their respective smart cards. A cardholder could request and receives a UCOM compatible smart card from the manufacturer that he or she could use to request the SP’s application and in this request the card provides the evaluation certificate to the SP that verifies whether the certification conforms to its PP or not. If successful, the SP would request the validation of the current state of the platform. The smart card provides the validation proof, if acceptable to the SP then it can lease its application. Similarly, the smart card could also evaluate and validate the

166

R.N. Akram, K. Markantonakis, and K. Mayes

SP’s application. The framework can be divided into two phases; evaluation and assurance phase that are described in the subsequent sections. 4.2

Evaluation Phase

This section describes the pre-issuance security evaluation that is divided into two subsections; smart cards evaluation and application evaluation process. Smart Card Evaluation Phase. In this phase, the card manufacturer would get their smart cards being evaluated to the defined ST or PPs. If the evaluation of the smart card is successful, the CB would issue a cryptographic certificate [13], referred as Common Criteria Platform Assurance Certificate (CC-PAC). The structure of the certificate is discussed in detail in section 5. However, the main component of the certificate includes an unique reference to the product (TOE), ST, PP, hardware test results and hash (using SHA family algorithms) [13] of the immutable part of the Smart Card Operating System (SCOS). The hardware test results can only ascertain the assurance against the invasive attacks, where in case of side channel attacks; it is difficult to determine their effectiveness remotely. A SCOS can be divided into mutable and immutable components. The mutable components can change (e.g. data variables) while the immutable components are less likely to be changed (e.g. program code). Therefore, the CC-PAC would only generate the hash of the program code. Smart cards could be subjected to extensive evaluation either by the manufacturer, evaluation labs or academic community even after their issuance; therefore, if such evaluations discover vulnerabilities in a particular batch, SPs can immediately disable their application leases to them. The CC may degrade their CC-PAC assurance level or include it to the certification revocation list, prohibiting smart cards from downloading applications in the future. Application Evaluation Phase. An SP would create an ST according to its security requirements and get it evaluated by the CLEF. If successful, the CB would issue a cryptographically signed Common Criteria Application Assurance Certificate (CC-AAC) that would contain the unique reference to the ST and the hash of immutable application code. 4.3

Assurance Phase

This phase deals with the process that requests, verifies and validates the CC-PAC and CC-ACC. In the UCOM, it would be the part of the application installation mechanism [5]. There are subtle differences between the assurance mechanisms between card platforms to SPs and vice versa, so we discuss them separately in the subsequent sections. Furthermore, each of these sub-sections discusses two possible way of establishing the assurance depending upon the requesting entity’s security policy. These mechanisms are static and dynamic assurance. In the static assurance only the CC certificate is verified, while in the dynamic assurance the requesting entity requests for the validation of the claim that the current state of the entity

A Dynamic and Ubiquitous Smart Card Security Assurance

167

in question is in conformance with the CC certificate. It is correct that effective tamper-resistant mechanisms can avoid any possible modification/changes to certified component of the device, thus removing any requirement for the dynamic assurance. However, the mechanism is included to provide assurance against the replay attack on the validation message and possible future vulnerabilities that effectively overcome the hardware protection mechanisms. The proposed mechanism only provides protection against the modification or alteration of the component that has been evaluated by the certification authority (CLEF). Smart Card to Service Provider. In this process an SP requests a smart card to provide the security assurance and validation of its current state. Figure 2 illustrates the process that is described as below: Service Provider

Smart Card

Common Criteria

Smart Card Manufacturer

CC-PAC RequestST-PP(Unique Reference) ResponseST-PP(Unique Reference Document ) Verify CC-PAC Request Validation Response Validation

Run Self Test

Static Assurance

Request Validation Claim Verify the Claim Validation Claim Response

Dynamic Assurance

Request Validation Claim from the Smart Card Validation Claim Response

Verify the Claim

Verify the Claim Lease Application

Fig. 2. Illustration of Smart Card to Service Provider Process

A card requests for the application lease from an SP. This message has the CC-PAC that contains the unique reference to the PP/ST, for which the smart card is being evaluated. The SP would request the unique PP/ST from the CC authority and compares it with their security requirements (PP). If successful, the SP would have the assurance that the card is in conformance with their requirements. Subsequently, the SP could either opt for the static or the dynamic assurance, depending upon their security policy. In case of the static assurance, the card would initiate the self-test mechanism that would perform the hardware and SCOS tests. The test results are communicated to the SP that can compare them with the CC-PAC. If both match then the current state of the smart card can be assumed to be similar to the time of the evaluation. In the dynamic assurance, the SP would generate a random number [13] and send it to both the smart card and its manufacturer. That would set the random number as their basis for the generation of the hash value for the

168

R.N. Akram, K. Markantonakis, and K. Mayes

SCOS (Hash(Random Number | SCOS)). The results would then be sent to the SP that compares them. If it is successful then the card would have proven the present state to be the one that was evaluated by the CLEF. The generation of hash with the initial value being the SP’s random number would avoid any possible rogue entity from replaying the validation message. Furthermore, it protects against a rogue manufacturer that places the CC certificate of a genuine manufacturer on their non-certified smart cards, along with the associated correct response for the requesting entity. 4.4

Service Provider to Smart Card

In this process, an SP’s application(s) provides assurance of the conformance to a card’s security policy, illustrated in the figure 4 and described as below: Service Provider

Smart Card 1) CC-AAC

Common Criteria 2) RequestST-PP(Unique Reference) 3) ResponseST-PP(Document)

Verify CC-PAC 4) Start Application Download

C ompute Downloaded Application’s MAC and Compare it with CC-AAC

Static Assurance

D1) Request Claim Validation Generate Claim Proof

Generate Claim Evidence

D2) Claim Validation Response

Dynamic Assurance

Compare Generated Values

5) Request Application Personalisation

Fig. 3. Illustration of Service Provider to Smart Card Process

A smart card requests for the application lease from an SP, and in response the SP would send the CC-AAC that has a unique reference to the ST/PP to which the application is evaluated. The card then verifies whether it satisfies its security policy or not. If successful, the card could start the download of the application after which it can either opt for the static or the dynamic assurance. In the static assurance process, the smart card would calculate the hash of the downloaded application and compare it with the CC-AAC. If successful, the smart card could assume that the state of the application is similar to the time it was evaluated. If the dynamic assurance process is selected, the smart card would generate a random number and sends it to the SP. Both, the smart card and SP would generate the hash of the application by taking the random number as the starting point (Hash(Random Number | Application)). The SP sends the results back to the smart card that would compare it with its calculation. If successful, the application has proved its state to be similar to the time of evaluation.

A Dynamic and Ubiquitous Smart Card Security Assurance

5

169

Common Criteria Certificate

In this section, the structure of the CC certificates issued to smart cards and applications, and the process to verify/validating them, are discussed. 5.1

Common Criteria Platform Assurance Certificate (CC-PAC)

The main components of the CC-PAC are; Manufacturer’s ID, Evaluator’s (CLEF) ID, Reference to the evaluation target documents (PPs and ST), Digest of immutable SCOS program code, Hardware test results and acceptable ranges, Manufacturer’s signature verification key [13], and Validity Period. The manufacturer’s ID uniquely identifies the smart card manufacturer, and similarly the CLEF ID identifies the evaluation body that has carried out the TOE evaluation. The next field has the unique reference to the PPs and ST, and they are already in use in the CC documentation [3]. The reference has to be unique, so the requesting entity could easily locate the related documents to verify the conformance with their security policy. Next the CLEF would generate a digest of the immutable section (code space) of the evaluated SCOS. As every SCOS has some data fields that can change with time, including them to the digest would make it difficult to verify it later in the assurance and validation process. The results with an acceptable range of deviation of the hardware’s self-test mechanism would also be included in the certificate. The mechanism for the hardware’s self-text mechanism and how we can be assured of its operations is beyond the scope of the paper. Finally, the certificate would contain the manufacturer’s signature verification key that it would use to issue certificates to the individual smart cards of the batch. These certificates are valid for a limited time as listed in the validity period. 5.2

Common Criteria Application Assurance Certificate (CC-AAC)

The structure of the CC-AAC is similar to the CC-PAC, except for few changes. Those components that are common in both the CC-AAC and CC-PAC are not explained in this section. Details of data fields included in the CC-AAC are; SP’s ID, Evaluator’s (CLEF) ID, Reference to the evaluation target documents (PPs and ST), Digest of immutable (pre-personalisation) application program code, and Validity Period. The CC-AAC would contain the SP’s identity and digest of immutable application program code. Smart card applications have several life-cycle stages and one of them is personalisation stage. Prior to personalisation stage applications are not customised for individual users; therefore, all application instances on different smart cards are identical. After personalisation of an application, it differs from the other instances. Therefore, for assurance and validation purposes it is logical to generate the digest of the application in pre-personalisation stage.

170

5.3

R.N. Akram, K. Markantonakis, and K. Mayes

Framework for Verification of Common Criteria Certificate

The subtle details of the certificate verification mechanism would be different from the SPs and smart cards perspective. However, we can draw a generic representation of the steps each of these entities performs in the verification process, and it is illustrated in the flowchart shown in figure 5.

Local CB

No

Travers Foreign CB

Verify Certificate

Yes

Fetch the evaluation Document (PPs and ST)

Start

Degrade the Evaluation Level (if necessary)

Yes

Yes Check Revocation Lists

No

Check for Compilance

Yes

Validation Process

No Yes

Terminated

No

Fig. 4. Illustration of Certificate Verification Process

To verify whether the certificate is issued by the local CB or not. The local CB would be the certification authority that has also issued the assurance certificate to the verifying entity. For example, if CBA has issued CC certificates to an SP’s application AppA and a smart card SCA then if AppA presents the CC-AAC to the smart card SCA, it would be considered to be issued by the local CB. So if the certificate was not from the local CB, then the verifying entity would check for the foreign CB and evaluate any possible degradation necessary for the evaluation certificate. The rationale behind the degradation is in the international recognition agreement (CCRA) regarding the CC that only accepts certificates of to a certain assurance level (e.g. EAL), that are mutually acceptable across different countries. In the subsequent step, the verifying entity would check the revocation list(s) of the CC certificates. This is the list with details of the CC certificates that are no longer valid, may be because of the discovery of new vulnerabilities that can compromise the security of the related TOEs. After checking the revocation list, the verifying entity would check the certificate. Then it can use the unique reference to the evaluation documents in the certificate to locate the ST and PPs. The verifying entity would then check for the conformance of the ST and PPs with their security requirements. If successful, the requesting entity could then initiate the validation process. The discovery and verification of the certificate are comparatively easy for the SPs as they have more computational power than a resource restricted smart card. To perform such tasks, a smart card would request the SP to provide the communication facility to communicate directly with the CC authority (even if required to discover foreign CBs and degrade the evaluation level).

A Dynamic and Ubiquitous Smart Card Security Assurance

171

Similarly, for a smart card it is comparatively difficult to validate the conformance of the CC-PAC evaluation documents with its security policy. Such a process is beyond the scope of this paper. However, a solution can be possible by designing the security policy of the smart card in the PP style along with a mechanism that registers all PPs into a tree like data structure. From this structure, the smart card can calculate the proximity of its PP with the PP(s) listed in the CC-PAC.

6

Future Work

In this section we discuss the future research directions to make this proposal a practical solution. – Geographical issues: Whether the concept of the local CB should be related with the geographical location from where the verification is initiated or to the individual evaluation body. Consider a user that purchases a smart card from France (certified by the French CB), but the user requests an application while visiting UK. Should the French CB be considered as the local CB or the British CB? While investigating it we should consider possible pros and cons in each scheme and how they would affect the overall performance. – Hardware self-test mechanism: In this paper, we did not divulge into the specificities of the mechanism that can be implemented to check any possible modification because of the invasive attacks on the smart card hardware. Further research is required to implement such mechanisms that can remotely validate the security of the hardware.

7

Conclusion

In this paper, we proposed a framework for provide security assurance and validation to a requesting entity based on the Common Criteria scheme. Although the focus of the paper is the UCOM but the proposal tends to be the ownership model neutral and can be adaptable for the ICOM environment if necessary. The paper provides a short introduction to the UCOM and how it is different from the ICOM in terms of requirements for the security assurance and validation mechanism. The rationale in the UCOM to have such a mechanism was detailed along with the requirements for such a mechanism. A brief discussion of the Common Criteria scheme was provided and the proposal based on the Common Criteria was described. The structure of the Common Criteria certificates that applications and smart cards can have with them in a digital form was examined. The proposal in the paper is by no means a complete solution and there are several issues that need to be resolved. However, in this paper we demonstrated that such a mechanism can be useful and in both the ICOM and the UCOM environments the stakeholders can benefit from it.

172

R.N. Akram, K. Markantonakis, and K. Mayes

References 1. Markantonakis, K.: The case for a secure multi-application smart card operating system. In: Okamoto, E. (ed.) ISW 1997. LNCS, vol. 1396, pp. 188–197. Springer, Heidelberg (1998) 2. Sauveron, D.: Multiapplication Smart Card: Towards an Open Smart Card?. Inf. Secur. Tech. Rep. 14(2), 70–78 (2009) 3. Common Criteria for Information Technology Security Evaluation; Part 1: Introduction and General Model, Part 2: Functional Security Components, Part 3: Assurance Security Components, Std. Version 3.1, Rev. 3 (July 2009), http://www.commoncriteriaportal.org/thecc.html 4. Akram, R.N., Markantonakis, K., Mayes, K.: A Paradigm Shift in Smart Card Ownership Model. In: Apduhan, B.O., Gervasi, O., Iglesias, A., Taniar, D., Gavrilova, M. (eds.) Proceedings of the 2010 International Conference on Computational Science and Its Applications (ICCSA 2010), March 2010, pp. 191–200. IEEE Computer Society Press, Fukuoka (2010) 5. Akram, R.N., Markantonakis, K., Mayes, K.: Application Management Framework in User Centric Smart Card Ownership Model. In: Youm, H.Y., Yung, M. (eds.) WISA 2009. LNCS, vol. 5932, pp. 20–35. Springer, Heidelberg (2009) 6. Karger, P.A., Austel, V.R., Toll, D.C.: A New Mandatory Secruity Policy Combining Secrecy and Integrity. IBM Thomas J. Watson Research Center, Yorktown Heights, NY, Tech. Rep. RC 21717(97406) (March 2000) 7. Toll, D.C., Karger, P.A., Palmer, E.R., McIntosh, S.K., Weber, S.: The Caernarvon Secure Embedded Operating System. SIGOPS Oper. Syst. Rev. 42(1), 32–39 (2008) 8. Sauveron, D., Dusart, P.: Which Trust Can Be Expected of the Common Criteria Certification at End-User Level?. In: FGCN ’07: Proceedings of the Future Generation Communication and Networking, pp. 423–428. IEEE Computer Society Press, Washington (2007) 9. ISO/IEC 15408 Standard. Common Criteria for Information Technology Security Evaluation, Std. Version 2.2, Rev. 256 (2004) 10. Akram, R.N., Markantonakis, K., Mayes, K.: Firewall Mechanism in a User Centric Smart Card Ownership Model. In: Gollmann, D., Lanet, J.-L., Iguchi-Cartigny, J. (eds.) CARDIS 2010. LNCS, vol. 6035, pp. 118–132. Springer, Heidelberg (2010) 11. Mayes, K., Markantonakis, K. (eds.): Smart Cards, Tokens, Security and Applications. Springer, Heidelberg (2008) 12. Common Methodology for Information Technology Security Evaluation; Evaluation Methodology. Tech. Rep. Version 3.1 (July 2009), http://www.commoncriteriaportal.org/thecc.html 13. Schneier, B.: Applied cryptography: protocols, algorithms, and source code in C, 2nd edn. John Wiley & Sons, Inc., New York (1995)

On-the-fly Inlining of Dynamic Security Monitors Jonas Magazinius, Alejandro Russo, and Andrei Sabelfeld Dept. of Computer Science and Engineering, Chalmers University of Technology 412 96 Gothenburg, Sweden, Fax: +46 31 772 3663

Abstract. Language-based information-flow security considers programs that manipulate pieces of data at different sensitivity levels. Securing information flow in such programs remains an open challenge. Recently, considerable progress has been made on understanding dynamic monitoring for secure information flow. This paper presents a framework for inlining dynamic information-flow monitors. A novel feature of our framework is the ability to perform inlining on the fly. We consider a source language that includes dynamic code evaluation of strings whose content might not be known until runtime. To secure this construct, our inlining is done on the fly, at the string evaluation time, and, just like conventional offline inlining, requires no modification of the hosting runtime environment. We present a formalization for a simple language to show that the inlined code is secure: it satisfies a noninterference property. We also discuss practical considerations and preliminary experimental results.

1 Introduction Language-based approach to security gains increasing popularity [16, 36, 45, 33, 19, 27, 7, 11] because it provides natural means for specifying and enforcing application and language-level security policies. Popular highlights include Java stack inspection [45], to enforce stack-based access control, Java bytecode verification [19], to verify bytecode type safety, and web language-based mechanisms such as Caja [27], ADsafe [7], and FBJS [11], to enforce sandboxing and separation by program transformation and language subsets. Language-based information-flow security [33] considers programs that manipulate pieces of data at different sensitivity levels. For example, a web application might operate on sensitive (secret) data such as credit card numbers and health records and at the same time on insensitive (public) data such as third-party images and statistics. A key challenge is to secure information flow in such programs, i.e., to ensure that information does not flow from secret inputs to public outputs. There has been much progress on tracking information flow in languages of increasing complexity [33], and, consequently, information-flow security tools for languages such as Java, ML, and Ada have emerged [28, 38, 39]. While the above tools are mostly based on static analysis, considerable progress has been also made on understanding monitoring for secure information flow [12,43,41,18, 17, 37, 25, 34, 2, 1]. Mozilla’s ongoing project FlowSafe [9] aims at empowering Firefox with runtime information-flow tracking, where dynamic information-flow reference monitoring [2, 3] lies at its core. The driving force for using the dynamic techniques is K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 173–186, 2010. c IFIP International Federation for Information Processing 2010 

174

J. Magazinius, A. Russo, and A. Sabelfeld

expressiveness: as more information is available at runtime, it is possible to use it and accept secure runs of programs that might be otherwise rejected by static analysis. Dynamic techniques are particularly appropriate to handle the dynamics of web applications. Modern web application provide a high degree of dynamism, responding to user-generated events such as mouse clicks and key strokes in a fine-grained fashion. One popular feature is auto-completion, where each new character provided by the user is communicated to the server so that the latter can supply an appropriate completion list. Features like this rely on scripts in browsers that are written in a reactive style. In addition, scripts often utilize dynamic code evaluation to provide even more dynamism: a given string is parsed and evaluated at runtime. With a long-term motivation of securing a scripting language with dynamic code evaluation (such as JavaScript) in a browser environment without modifying the browser, the paper turns attention to the problem of inlining information security monitors. Inlined reference monitors [10] are realized by modifying the underlying application with inlined security checks. Inlining security checks are attractive because the resulting code requires no modification of the hosting runtime environment. In a web setting, we envisage that the kind of inlining transformation we develop can be performed by the server or a proxy so that the client environment does not have to be modified. We present a framework for inlining dynamic information-flow monitors. For each variable in the source program, we deploy a shadow variable (auxiliary variable that is not visible to the source code) to keep track of its security level. Additionally, there is a special shadow variable program counter pc to keep track of the security context, i.e., the least upper bound of security levels of all guards for conditionals and loops that embody the current program point. The pc variable helps tracking implicit flows [8] via control-flow constructs. A novel feature of our framework is the ability to perform inlining on the fly. We consider a source language that includes dynamic code evaluation (popular in languages as JavaScript, PHP, Perl, and Python). To secure dynamic code evaluation, our inlining is performed on the fly, at the string evaluation time, and, just like conventional offline inlining, requires no modification of the hosting runtime environment. The key element of the inlining is providing a small library packaged in the inlined code, which implements the actual inlining. Our approach stays clear of the pitfalls of dynamic information-flow enforcement. Indeed, dynamic information-flow tracking is challenging because the source of insecurity may be the fact that a certain event has not occurred in a monitored execution. However, we draw on recent results on dynamic information-flow monitoring [34, 2] that show that security can be enforced purely dynamically. The key is that the execution of a program that attempts to leak a secret either explicitly, by an assignment, or implicitly, by public side effects once inside a conditional or loop that branches on secret data, is simply blocked by the monitor. This gives us a great advantage for treating dynamic code evaluation: the inlined monitor needs to perform no static analysis for the dynamically evaluated code. We present a formalization for a simple language to show that the result of the inlining is secure: it satisfies the baseline policy of termination-insensitive noninterference [6, 13, 44, 33]: whenever two runs of a program that agree on the public part of the

On-the-fly Inlining of Dynamic Security Monitors

P ::=(def f (x) = e; )∗ c

175

e ::= s |  | x | e ⊕ e | f (e) | case e of (e : e)+

c ::=skip | x := e | c; c | if e then c else c | while e do c | let x = e in c | eval(e) | stop Fig. 1. Language

initial memory terminate, then the final memories must also agree on the public part. We conclude by discussing practical considerations and preliminary yet encouraging experimental results. We remark that it is known that noninterference is not a safety property [26, 40]. Precise characterizations of what can be enforced by monitoring have been studied in the literature (e.g., [35, 14]), where noninterference is discussed as an example of a policy that cannot be enforced precisely by dynamic mechanisms. However, the focus of this paper is on enforcing permissive yet safe approximations of noninterference. The exact policies that are enforced might just as well be safety properties (or not), but, importantly, they must guarantee noninterference.

2 Inlining Transformation We present an inlining method for a simple imperative language with dynamic code evaluation. The inlined security analysis has a form of flow sensitivity, i.e., confidentiality levels of variables can be sometimes relabeled during program execution. Our source-to-source transformation injects purely dynamic security checks. Language. Figure 1 presents a simple imperative language enriched with e | m, Σ ⇓ s parse(s) = c functions, local variables, and dyeval(e) | m, Σ → c | m, Σ namic code evaluation. A program P is a possibly empty sequence of Fig. 2. Semantics for dynamic code evaluation function definitions (def f (x) = e) followed by a command c. Function bodies are restricted to using the formal parameter variable only (FV(e) ⊆ {x}, where FV(e) denotes the free variables that occur in e). Expressions e consist of strings s, security levels , variables x, composite expressions e ⊕ e (where ⊕ is a binary operation), function calls f (e), and non-empty case analysis (case e of (e : e)+ ). We omit explanations for the standard imperative instructions appearing in the language [46]. Command stop signifies termination. Command let x = e in c binds the value of e to the local read-only variable x, which is only visible in c. Command eval(e) takes a string e, which represents a program, and runs it. E VAL

Semantics. A program P , memory m, and function environment Σ form a program configuration P | m, Σ. A memory m is a mapping from global program variables Vars to values Vals. A function environment Σ consists of a list of definitions of the form def f (x) = e. A small semantic step has the form P | m, Σ → P  | m , Σ   and possibly updates the command, memory, and function environment. The semantics for

176

J. Magazinius, A. Russo, and A. Sabelfeld

trans (y) = case y of ”skip” : ”skip” ”x := e” : ”let ex = ” ++ vars(”e”) ++ ” in if pc  x then x := lev (ex )  pc; x := e else loop” ”c1 ; c2 ” : trans(c1 ) ++ ”; ” ++trans(c2 ) ”if e then c1 else c2 ” : ”let ex = ” ++ vars (”e”) ++ ” in let pc  = pc in pc := pc  lev (ex ); if e then {” ++ trans (c1 ) ++”} else {” ++trans(c2 ) ++”}; pc := pc  ” ”while e do c” : ”let ex = ” ++ vars(”e”) ++ ”let pc  = pc in pc := pc  lev (ex ); while e do {” ++trans(c) ++ ”}; pc := pc  ” ”let x = e in c” : ”let ex = ” ++ vars (”e”) ++ ”let x = lev (ex )  pc in let x = e in ” ++trans(c) ”eval(e)” : ”let ex = ” ++ vars(”e”) ++ ”let pc  = pc in pc := pc  lev (ex ); eval(trans (e)); pc := pc  ” Fig. 3. Inlining transformation ex , pc, pc  , x1 , . . . , xn ∈ Fresh (c) Γ  def f1 (x) = e1 ; . . . ; def fk (x) = ek ; c ; def f1 (x) = e1 ; . . . ; def fk (x) = ek ; def vars (y) = . . . ; def lev (y) = . . . ; def trans (y) = . . . ; pc := L; x1 := Γ (x1 ); . . . ; xn := Γ (xn ); eval(trans (c)) Fig. 4. Top-level transformation

dynamic code evaluation is shown in Figure 2. Dynamic code evaluation occurs when expression e evaluates, under the current memory and function environment, to a string s (e | m, Σ ⇓ s), and that string is successfully parsed to a command (parse(s) = c). For simplicity, we assume that executions of programs get stuck when failing to parse. In a realistic programming language, however, failing to parse would result in a runtime error. Semantics rules for the other commands are standard [46] and thus we omit them. Inlining transformation. Figure 3 contains the transformation for inlining. At the core of the monitor is a combination of the no sensitive upgrade discipline by Austin and Flanagan [2] and a treatment of dynamic code evaluation from a flow-insensitive monitor by Askarov and Sabelfeld [1]. String constants are enclosed by double-quote characters (e.g., ”text”). Operator + + concatenates strings (e.g., ”conc” ++”atenation” results in ”concatenation”). Since trans only works on strings that represent programs, we consider programs and strings as interchangeable terms. In order for the transformation to work, variables x (for any global variable x), as well as ex , pc  , and pc must not occur in the string received as argument. The selection of names for these variables must avoid collisions with the source program variables, which is particularly important in the presence of dynamic code evaluation. In an implementation, this can be accomplished by generating random variable names for auxiliary variables. We differ this discussion until Section 4.

On-the-fly Inlining of Dynamic Security Monitors

177

Before explaining how the transformation works, we state our assumptions regarding the security model. For convenience, we only consider the security levels L (low) and H (high) as elements of a security lattice, where L  H and H  L. Security levels L and H identify public and secret data, respectively. We assume that the attacker can only observe public data, i.e., data at security level L. The lattice join operator returns the least upper bound over two given levels. We now explain our inlining technique in detail. Given the source code src (as a string) and a mapping Γ (called security environment) that maps global variables to security levels, the inlining of the program is performed by the top-level rule in Figure 4. The rule has the form Γ  src ; trg, where, under the initial security environment Γ , the source code src is transformed into the target code trg. This rule defines three auxiliary functions vars(·), lev (·), and trans(·) for extracting the variables in a given string, for computing the least upper bound on the security level of a given string, and for on-the-fly transformation of a given string, respectively. We discuss the definition of these functions below. The top-level rule also introduces an auxiliary shadow variable pc, setting it to L, and a shadow variable x for each source program global variable x, setting it to the initial security level, as specified by the security environment Γ . This is done to keep track of the current security levels of the context and of the global variables (as detailed below). The shadow variables are fresh, i.e., their set is disjoint from the variables that may occur in the configuration during the execution of the source program. We denote by x ∈ Fresh(c), whenever variable x never occurs in the configuration during the execution of program c. With these definitions in place, the inlined version of src is simply eval(trans(src)), which has the effect of on-the-fly application of function trans to the string src at runtime. On-the-fly inlining. We now describe the definition of function trans(y) according to the cases on y. Since functions are side-effect free, the inlining of function declarations is straightforward: they are simply propagated to the result of the transformation. The inlining of command skip requires no action. As foreshadowed above, special shadow variable pc is used to keep track of the security context, i.e., the join of security levels of all guards for conditionals and loops that embody the current program point. The pc variable helps to detect implicit flows [8] of the form if h then l := 0 else l := 1, where h and l are secret and public variables, respectively. In addition, Austin and Flanagan [2] use pc to restrict updates of variables’ security levels: changes of variables’ security levels are not allowed when the security context (pc) is set to H . This restriction helps to prevent attackers from turning flow sensitivity into a channel for laundering secrets [34, 31]. With this in mind, the inlining of x := e demands that pc  x before updating x . In this manner, public variables (x = L) cannot change their security level in high security contexts (pc = H ). The security level of x is updated to the join of pc and the security level of variables appearing in e. Function lev (s) returns the least upper bound of the security levels of variables encountered in the string s. The formal specification of lev (s) is given as x ∈FV(s) x . Observe that directly calling lev (e) does not necessarily returns the confidentiality level of e because the argument passed to lev is the result of evaluating e, which is a constant string. To illustrate this point, consider w = ”text”, w = H , and e = w. In this case, calling lev (e) evaluates to lev (”text”), which is defined to be L since

178

J. Magazinius, A. Russo, and A. Sabelfeld

”text” does not involve any variable. Clearly, setting lev (”text”) = L is not acceptable since the string is formed from a secret variable. Instead, the transformation uses function vars to create a string that involves all the variables appearing in an expression e (vars(”e”)). Observe that such string is not created at runtime, but when inlining commands. Function vars returns a string with the shadow variables of the variables appearing in the argument string. For instance, assuming that e = ”text” ++ w ++ y, we have that vars(”e”) = ”w ++ y  ”. Shadow variable x is then properly updated to pc lev (ex ), where ex = vars(”e”). When pc  x , the transformation forces the program to diverge (loop) in order to preserve confidentiality. We define loop as simply while 1 do skip. This is the only case in the monitor where the execution of the program might be interrupted due to a possible insecurity. The inlining for sequential composition c1 ; c2 is the concatenation of transformed versions of c1 and c2 . The inlining of if e then c1 else c2 produces a conditional, where their branches are transformed. The current value of pc is stored in the local variable pc  , to be restored after the execution of the branch (pc := pc  ). This manner to manipulate the pc, similar to traditional security type systems [44], avoids over-restrictive enforcement. The inlining of while e do c is similar to the one for conditionals. The inlining of let x = e in c determines the security level of the new local variable x (x = lev (ex ) pc) and transforms the body of the let (trans(c)). The inlining of dynamic code evaluation is the most interesting feature of the transformation. Similarly to conditionals, the inlining of eval(e) saves the value of pc (pc  = pc) before updating it. Observe that the execution of commands depends on the confidentiality level of e as well as the current value of pc (pc := pc lev (ex )). The value of pc is then restored by using pc  after the execution of eval (pc := pc  ). In the transformed code, the transformation wires itself before executing calls to eval (eval(trans(e))). As a consequence, the transformation performs inlining on-the-fly, i.e., at the application time of the eval.

3 Formal Results This section presents the formal results. We prove the soundness of the transformation. Soundness shows that transformed programs respect a policy of termination-insensitive noninterference [6, 13, 44, 33]. Informally, the policy demands that whenever two runs of a program that agree on the public part of the initial memory terminate, then the final memories must also agree on the public part. Two memories m1 and m2 are Γ -equal (written m1 =Γ m2 ) if they agree on the variables whole level is L according to Γ def (m1 =Γ m2 = ∀x ∈ Vars. Γ (x) = L =⇒ m1 (x) = m2 (x)). The formal statement of noninterference is as follows. Definition 1. For initial and final security environments Γ and Γ  , respectively, a program P satisfies noninterference (written |= {Γ } c {Γ  }) if and only if whenever m1 =Γ m2 , P | m1 , ·−→∗ stop | m1 , Σ1 , and P | m2 , ·−→∗ stop | m2 , Σ2 , then m1 =Γ  m2 . We sketch three lemmas that lead to the proof of noninterference. We start by showing that the transformation only introduces shadow and local variables.

On-the-fly Inlining of Dynamic Security Monitors

179

Lemma 1. Given a string e and a variable x, if x ∈ FV(e), then x ∈ FV(trans(e)). Similarly to Γ -equality, we define indistinguishability by a set of variables. Two memories are indistinguishable by a set of variables V if and only if the memories agree on def the variables appearing in V . Formally, m1 =V m2 = ∀x ∈ V · m1 (x) = m2 (x). Given a memory m, we define L(m) to be the set of variables whose shadow variables are set to L. Formally, L(m) = { x | x ∈ m, x ∈ m, x = L}. In the following lemmas, let function environment Σ contain the definitions of vars, lev , and trans as described in the previous section. The next lemma shows that there are no changes in the content and set of public variables when pc is set to H . Lemma 2. Given a memory m and a string s representing a command c such that m(pc) = H and eval(trans(s)) | m, Σ−→∗ stop | m , Σ  , we have L(m) = L(m ) and m =L(m) m . The next lemma shows that neither the set of shadow variables set to L nor the contents of public variables depend on secrets. More specifically, the lemma establishes that two terminating runs of a transformed command c, under memories that agree on public data, always produce the same public results and set of shadow variables assigned to L. Lemma 3. Given memories m1 , m2 and a string s representing a command c, if L(m1 ) = L(m2 ), m1 =L(m1 ) m2 , and we have that eval(trans(s)) | m1 , Σi −→∗ stop | m1 , Σ1 , and eval(trans(e)) | m2 , Σi −→∗ stop | m2 , Σ2 , then it holds that L(m1 ) = L(m2 ) and m1 =L(m1 ) m2 . To prove this lemma, we apply Lemma 2 when the program hits a branching instruction with secrets on its guard. The lemmas lead to a theorem that guarantees the soundness of the inlining, i.e., that transformed code satisfies noninterference. Formally: Theorem 1 (Soundness). For an environment Γ and a program P , we have Γ  P ; P  =⇒ |= {Γ } P  {Γ  }, where Γ  can be extracted from the shadow variables of any run that succeeds to terminate, i.e., the above is true for any Γ  such that if P | m, ·−→∗ stop | m , Σ then Γ  (x) = L for all variables from L(m ) and Γ  (x) = H , otherwise. The theorem above is proved by evaluating the program P  until reaching function trans and then applying Lemma 3.

4 Experiments With JavaScript as our target language, we have manually translated code according to the transformation rules described in Section 2. In a fully-fledged implementation, the transformation function can be implemented either as a set of regular expressions that parse the supplied string and inline the monitor code or using a full JavaScript parser. Although the parsing by the transformation function may not be generally equivalent to the parsing by the browser, this does not affect the security of the resulting program.

180

J. Magazinius, A. Russo, and A. Sabelfeld

var h = true; var l = false; if (h) { l = true; }

var l = true; var h = false; if (l) { h = true; }

var h = true; var l = false; if (h) { eval(’l=true’); }

var l = true; var h = false; if (l) { eval(’h=true’); }

Listing 1.1. Insecure code

Listing 1.2. Secure code

Listing 1.3. Insecure code with eval

Listing 1.4. Secure code with eval

var h = true; var l = false; let (pc = pc || shadow[’h’]) { if (h) { if (!pc || shadow[’l’]) { shadow[’l’] = false || pc; l = true; } else throw new Error; } }

Listing 1.5. Listing 1.1 transformed

var h = true; var l = false; let (pc = pc || shadow[’h’]) { if (h) { let (pc = pc || false) { eval(trans(’l=true’)); } } else { throw new Error; } }

Listing 1.6. Listing 1.3 transformed

Manual inlining. The design of the monitor affects its performance in comparison to the unmonitored code. Our analysis of the performance of the monitor shows that using the let statement (which is readily available in, e.g., Firefox) has minimal impact on the performance. Consider the sample programs in Listings 1.1–1.4. Listing 1.1 is an example of an implicit flow that is insecure: whether a low variable is assigned depends on the value of a high variable in the guard. Listing 1.2 is a dual example that is secure. Listings 1.3 and 1.4 are versions of the same program with an eval. For simplicity, the code includes the initialization of variables (both high, h, and low, l, ) with constants. Listings 1.5 and 1.6 display the results of transformations for Listings 1.1 and 1.3 (with some obvious optimizations). Tables 1 and 2 present the average performance of our sample programs as well as their respective transformations. The performance is measured as the number of milliseconds to execute the specified number of iterations of a loop that contains a given piece of code. Our experiments were performed on a Dell Precision M2400 PC running Firefox version 3.5.7 on the Windows XP Professional SP3 operating system. We have not included other browsers in our performance test since Firefox is the only browser yet to support the let let-statement. The next section discuss alternatives to using let and their impact on performance. As can be seen from these results, the inlined monitor either entirely removes (when an insecurity is suspected) or adds an overhead of about 2–3 times the execution time of the untransformed code. The source code for these performance tests is available via [24]. The experiment with the manual inlining shows that the overhead is not unreasonable but it has to be taken seriously for the transformation to scale. Thus, a fully-fledged implementation needs to critically rely on optimizations. We briefly discuss possibilities for optimizations in Section 6.

On-the-fly Inlining of Dynamic Security Monitors

181

Table 1. Browser performance comparison for simple code Iterations Listing 1.1 Listing 1.5 (Listing 1.1 transformed) Listing 1.2 Listing 1.2 transformed 106 11 0 11 29 107 107 0 99 176 108 379 0 336 890 109 2696 0 2677 8194 Table 2. Browser performance comparison for code with eval Iterations Listing 1.3 Listing 1.6 (Listing 1.3 transformed) Listing 1.4 Listing 1.4 transformed 103 37 0 38 58 104 172 0 196 262 105 1179 0 1219 1898 106 13567 0 13675 18654

Alternatives to let. We briefly discuss alternatives to the let-based implementation. A naive way of implementing this equivalent structure in JavaScript would be to surround the code block with a with statement. The with statement appends an object to the scope chain, much like the let statement, so that its properties are directly accessible as variables, effectively masking existing variables with the same name until the end of the block. For example, in var x = { pc: true }; with(x){ pc }, the pc inside the with block refers to x.pc. This implementation would however be disastrous for the monitor because the dynamic creation of new objects and manipulation of the scope chain gave high resource demands, making it more than 1000 times slower than the original code. A more efficient alternative to to let can be implemented by defining the pc as an array. When entering a new block of code, the current index i of the pc is incremented and pc[i] is set to the new value, e.g., pc[++i] = pc[i -1] || shadow[’h’]. Secure inlining. In a fully-fledged implementation, a secure monitor requires a method of storing and accessing the shadow variables in a manner which prevents accidental or deliberate access from the code being monitored and ensure their integrity. By creating a separate name space for shadow variables, inaccessible to the monitored code, we can prevent them from being accessed or overwritten. In JavaScript, this can be achieved by creating an object with a name unique to the monitored code and defining the shadow variables as properties of this object with names reflecting the variable names found in the code. Reuse of names makes conversion between variables in the code and their shadow counterparts simple and efficient. However, the transformation must ensure that the aforementioned object is not accessed within the code being monitored. The ability of code to affect the monitor is crucial for the monitor to be secure. JavaScript, however, provides multiple ways of affecting its runtime environment. Even if the code is parsed to remove all direct references to the monitor state variables, like pc, indirect access as in x = ’pc’; this[x] provides another alternative. Not only is the integrity of the auxiliary variables important, but also the integrity of

182

J. Magazinius, A. Russo, and A. Sabelfeld

the transformation function. Monitored code can attempt to replace the transformation function with, e.g., the identity function, i.e., this[’trans’] = function(s){ return s }. We envisage a combination of our monitor with safe language subset and reference monitoring technology [27, 7, 11, 22, 21] to prevent operations that compromise the integrity of the monitor. Scaling up. Although these results are based on a subset of JavaScript, they scale to a more significant subset. We expect the handling of objects to be straightforward, as fields can be treated similarly to variables. Compared to static approaches, there is no need to restrict aliasing since the actual alias are available at runtime. In order to prevent implicit flows through exceptions, the transformation can be extended to extract control flow information from try/catch statements and use it for controlling side effects. In order to address interaction between JavaScript and the Document Object Model, we rely on previous results on tracking information flow in dynamic tree structures [32] and on monitoring timeout primitives [30].

5 Related Work Language-based information-flow security encompasses a large body of work, see an overview [33]. We briefly discuss inlining, followed by a consideration of most related work: on formalizations of purely dynamic and hybrid monitors for information flow. Inlining. Inlined reference monitoring [10] is a mainstream technique for enforcing safety properties. A prominent example in the context of the web is BrowserShield [29] that instruments scripts with checks for known vulnerabilities. The focus of this paper is on inlining for information-flow security. Information flow is not a safety property [26], but can be approximated by safety properties (e.g., [4,34,2]), just like it is approximated in this paper (see the remark at the end of Section 1). Most recently, and independently of this work, Chudnov and Naumann [5] have investigated an inlining approach to monitoring information flow. They inline a flowsensitive hybrid monitor by Russo and Sabelfeld [31]. The soundness of the inlined monitor is ensured by bisimulation of the inlined monitor and the original monitor. Dynamic information-flow enforcement. Fenton [12] discusses purely dynamic monitoring for information flow but does not prove noninterference-like statements. Volpano [43] considers a purely dynamic monitor to prevent explicit flows. Implicit flows are allowed, and so the monitor does not enforce noninterference. In a flow-insensitive setting, Sabelfeld and Russo [34] show that a purely dynamic information-flow monitor is more permissive than a Denning-style static information-flow analysis, while both the monitor and the static analysis guarantee termination-insensitive noninterference. Askarov and Sabelfeld [1] investigate dynamic tracking of policies for information release, or declassification, for a language with dynamic code evaluation and communication primitives. Russo and Sabelfeld [30] show how to secure programs with timeout instructions using execution monitoring. Russo et al. [32] investigate monitoring information flow in dynamic tree structures.

On-the-fly Inlining of Dynamic Security Monitors

183

Austin and Flanagan [2, 3] suggest a purely dynamic monitor for information flow with a limited form of flow sensitivity. They discuss two disciplines: no sensitiveupgrade, where the execution gets stuck on an attempt to assign to a public variable in secret context, and permissive-upgrade, where on an attempt to assign to a public variable in secret context, the public variable is marked as one that cannot be branched on later in the execution. Our inlining transformation draws on the no sensitive-upgrade discipline extended with the treatment of dynamic code evaluation. Hybrid information-flow enforcement Mechanisms by Venkatakrishnan et al. [41], Le Guernic et al. [18, 17], and Shroff et al. [37] combine dynamic and static checks. The mechanisms by Le Guernic et al. for sequential [18] and concurrent [17] programs are flow-sensitive. Russo and Sabelfeld [31] show formal underpinnings of the tradeoff between dynamism and permissiveness of flow-sensitive monitors. They also present a general framework for hybrid monitors that is parametric in the monitor’s enforcement actions (blocking, outputting default values, and suppressing events). The monitor by Le Guernic et al. [18] can be seen as an instance of this framework. Ligatti et al. [20] present a general framework for security policies that can be enforced by monitoring and modifying programs at runtime. They introduce edit automata that enable monitors to stop, suppress, and modify the behavior of programs. Tracking information flow in web applications is becoming increasingly important (e.g., a server-side mechanism by Huang et al. [15] and a client-side mechanism for JavaScript by Vogt et al. [42], although, like a number of related approaches, they do not discuss soundness). Dynamism of web applications puts higher demands on the permissiveness of the security mechanism: hence the importance of dynamic analysis.

6 Conclusions To the best of our knowledge, the paper is the first to consider on-the-fly inlining for information-flow monitors. On-the-fly inlining is a distinguished feature of our approach: the security checks are injected as the computation goes along. Despite the highly dynamic nature the problem, we manage to avoid the caveats that are inherent with dynamic enforcement of information-flow security. We show that the result of the inlining is secure. We are encouraged by our preliminary experimental results that show that the transformation is light on both performance overhead and on the difficulty of implementation. Future work is centered along the practical considerations and experiments reported in Section 4. As the experiments suggest, optimizing the transformation is crucial for its scalability. The relevant optimizations are both JavaScript- and security-specific optimizations. For an example of the latter, let injection is unnecessary when the guard of a conditional is low. Our larger research program pursues putting into practice modular information-flow enforcement for languages with dynamic code evaluation [1], timeout [30], tree manipulation [32], and communication primitives [1]. A particularly attractive application scenario with nontrivial information sharing is web mashups [23].

184

J. Magazinius, A. Russo, and A. Sabelfeld

Acknowledgments. Thanks are due to David Naumann for interesting comments. This work was funded by the Swedish research agencies SSF and VR.

References 1. Askarov, A., Sabelfeld, A.: Tight enforcement of information-release policies for dynamic languages. In: Proc. IEEE Computer Security Foundations Symposium (July 2009) 2. Austin, T.H., Flanagan, C.: Efficient purely-dynamic information flow analysis. In: Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS) (June 2009) 3. Austin, T.H., Flanagan, C.: Permissive dynamic information flow analysis. In: Proc. ACM Workshop on Programming Languages and Analysis for Security (PLAS) (June 2010) 4. Boudol, G.: Secure information flow as a safety property. In: Degano, P., Guttman, J., Martinelli, F. (eds.) FAST 2008. LNCS, vol. 5491, pp. 20–34. Springer, Heidelberg (2009) 5. Chudnov, A., Naumann, D.A.: Information flow monitor inlining. In: Proc. IEEE Computer Security Foundations Symposium (July 2010) 6. Cohen, E.S.: Information transmission in sequential programs. In: DeMillo, R.A., Dobkin, D.P., Jones, A.K., Lipton, R.J. (eds.) Foundations of Secure Computation, pp. 297–335. Academic Press, London (1978) 7. Crockford, D.: Making javascript safe for advertising (2009), adsafe.org 8. Denning, D.E., Denning, P.J.: Certification of programs for secure information flow. Comm. of the ACM 20(7), 504–513 (1977) 9. Eich, B.: Flowsafe: Information flow security for the browser (October 2009), https://wiki.mozilla.org/FlowSafe 10. Erlingsson, U.: The inlined reference monitor approach to security policy enforcement. PhD thesis, Cornell University, Ithaca, NY, USA (2004) 11. Facebook. FBJS (2009), http://wiki.developers.facebook.com/index.php/FBJS 12. Fenton, J.S.: Memoryless subsystems. Computing J 17(2), 143–147 (1974) 13. Goguen, J.A., Meseguer, J.: Security policies and security models. In: Proc. IEEE Symp. on Security and Privacy, April 1982, pp. 11–20 (1982) 14. Hamlen, K.W., Morrisett, G., Schneider, F.B.: Computability classes for enforcement mechanisms. ACM TOPLAS 28(1), 175–205 (2006) 15. Huang, Y.-W., Yu, F., Hang, C., Tsai, C.-H., Lee, D.-T., Kuo, S.-Y.: Securing web application code by static analysis and runtime protection. In: Proc. International Conference on World Wide Web, May 2004, pp. 40–52 (2004) 16. Kozen, D.: Language-based security. In: Kutyłowski, M., Wierzbicki, T., Pacholski, L. (eds.) MFCS 1999. LNCS, vol. 1672, pp. 284–298. Springer, Heidelberg (1999) 17. Le Guernic, G.: Automaton-based confidentiality monitoring of concurrent programs. In: Proc. IEEE Computer Security Foundations Symposium, July 2007, pp. 218–232 (2007) 18. Le Guernic, G., Banerjee, A., Jensen, T., Schmidt, D.: Automata-based confidentiality monitoring. In: Okada, M., Satoh, I. (eds.) ASIAN 2006. LNCS, vol. 4435. Springer, Heidelberg (2008) 19. Leroy, X.: Java bytecode verification: algorithms and formalizations. J. Automated Reasoning 30(3–4), 235–269 (2003) 20. Ligatti, J., Bauer, L., Walker, D.: Edit automata: Enforcement mechanisms for run-time security policies. International Journal of Information Security 4, 2–16 (2005) 21. Maffeis, S., Mitchell, J., Taly, A.: Isolating javaScript with filters, rewriting, and wrappers. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 505–522. Springer, Heidelberg (2009)

On-the-fly Inlining of Dynamic Security Monitors

185

22. Maffeis, S., Taly, A.: Language-based isolation of untrusted Javascript. In: Proc. of CSF’09. IEEE, Los Alamitos (2009), See also: Dep. of Computing, Imperial College London, Technical Report DTR09-3 (2009) 23. Magazinius, J., Askarov, A., Sabelfeld, A.: A lattice-based approach to mashup security. In: Proc. ACM Symposium on Information, Computer and Communications Security (ASIACCS) (April 2010) 24. Magazinius, J., Russo, A., Sabelfeld, A.: Inlined security monitor performance test (2010), http://www.cse.chalmers.se/˜d02pulse/inlining/ 25. McCamant, S., Ernst, M.D.: Quantitative information flow as network flow capacity. In: Proc. ACM SIGPLAN Conference on Programming language Design and Implementation, pp. 193–205 (2008) 26. McLean, J.: A general theory of composition for trace sets closed under selective interleaving functions. In: Proc. IEEE Symp. on Security and Privacy, May 1994, pp. 79–93 (1994) 27. Miller, M., Samuel, M., Laurie, B., Awad, I., Stay, M.: Caja: Safe active content in sanitized javascript (2008) 28. Myers, A.C., Zheng, L., Zdancewic, S., Chong, S., Nystrom, N.: Jif: Java information flow. Software release (July 2001), http://www.cs.cornell.edu/jif 29. Reis, C., Dunagan, J., Wang, H.J., Dubrovsky, O., Esmeir, S.: Browsershield: Vulnerabilitydriven filtering of dynamic html. ACM Trans. Web 1(3), 11 (2007) 30. Russo, A., Sabelfeld, A.: Securing timeout instructions in web applications. In: Proc. IEEE Computer Security Foundations Symposium (July 2009) 31. Russo, A., Sabelfeld, A.: Dynamic vs. static flow-sensitive security analysis. In: Proc. IEEE Computer Security Foundations Symposium (July 2010) 32. Russo, A., Sabelfeld, A., Chudnov, A.: Tracking information flow in dynamic tree structures. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 86–103. Springer, Heidelberg (2009) 33. Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Selected Areas in Communications 21(1), 5–19 (2003) 34. Sabelfeld, A., Russo, A.: From dynamic to static and back: Riding the roller coaster of information-flow control research. In: Proc. Andrei Ershov International Conference on Perspectives of System Informatics. LNCS. Springer, Heidelberg (2009) 35. Schneider, F.B.: Enforceable security policies. ACM Transactions on Information and System Security 3(1), 30–50 (2000) 36. Schneider, F.B., Morrisett, G., Harper, R.: A language-based approach to security. In: Wilhelm, R. (ed.) Informatics: 10 Years Back, 10 Years Ahead. LNCS, vol. 2000, pp. 86–101. Springer, Heidelberg (2001) 37. Shroff, P., Smith, S., Thober, M.: Dynamic dependency monitoring to secure information flow. In: Proc. IEEE Computer Security Foundations Symposium, July 2007, pp. 203–217 (2007) 38. Simonet, V.: The Flow Caml system. Software release (July 2003), http://cristal.inria.fr/˜simonet/soft/flowcaml 39. P.H.I. Systems: Sparkada examinar. Software release, http://www.praxis-his.com/sparkada/ 40. Terauchi, T., Aiken, A.: Secure information flow as a safety problem. In: Hankin, C., Siveroni, I. (eds.) SAS 2005. LNCS, vol. 3672, pp. 352–367. Springer, Heidelberg (2005) 41. Venkatakrishnan, V.N., Xu, W., DuVarney, D.C., Sekar, R.: Provably correct runtime enforcement of non-interference properties. In: Ning, P., Qing, S., Li, N. (eds.) ICICS 2006. LNCS, vol. 4307, pp. 332–351. Springer, Heidelberg (2006) 42. Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G.: Cross-site scripting prevention with dynamic data tainting and static analysis. In: Proc. Network and Distributed System Security Symposium (February 2007)

186

J. Magazinius, A. Russo, and A. Sabelfeld

43. Volpano, D.: Safety versus secrecy. In: Cortesi, A., Fil´e, G. (eds.) SAS 1999. LNCS, vol. 1694, pp. 303–311. Springer, Heidelberg (1999) 44. Volpano, D., Smith, G., Irvine, C.: A sound type system for secure flow analysis. J. Computer Security 4(3), 167–187 (1996) 45. Wallach, D.S., Appel, A.W., Felten, E.W.: The security architecture formerly known as stack inspection: A security mechanism for language-based systems. ACM Transactions on Software Engineering and Methodology 9(4), 341–378 (2000) 46. Winskel, G.: The Formal Semantics of Programming Languages: An Introduction. MIT Press, Cambridge (1993)

A Metric-Based Scheme for Evaluating Tamper Resistant Software Systems Gideon Myles1, and Hongxia Jin2 1 2

Novak Druce + Quigg LLP, San Francisco, CA IBM Almaden Research Center, San Jose, CA

Abstract. The increase use of software tamper resistance techniques to protect software against undesired attacks comes an increased need to understand more about the strength of these tamper resistance techniques. Currently the understanding is rather general. In this paper we propose a new software tamper resistance evaluation technique. Our main contribution is to identify a set of issues that a tamper resistant system must deal with and show why these issues must be dealt with in order to secure a software system. Using the identified issues as criteria, we can measure the actual protection capability of a TRS system implementation and provide guidance on potential improvements on the implementation. We can also enable developers to compare the protection strength between differently implemented tamper resistance systems. While the set of criteria we identified in this paper is by no means complete, our framework allows easy extension of adding new criteria in future. Keywords: Software Tamper Resistance, Evaluation, Metrics.

1

Introduction

Tamper resistant software system is increasingly needed to protect copyrighted materials. Software tamper resistance technique usually consists of two components: tamper detection and tamper response. The first component, tamper detection, is responsible for detecting undesired changes to the program or environment. For example, an adversary may actually alter bytes in the program to circumvent a license check or he may run the program under a debugger to observe how a protection mechanism works. In response to a tamper event, the tamper response component takes action. This can range from fixing the altered code or degrading the performance of the program to causing the program to terminate. This is also commonly referred to as software tamper proofing. A variety of tamper resistance techniques have been proposed. One of the first publications in this area was by Aucsmith [2], which provides protection by using the idea of interlocking trust. This is accomplished by verifying the sum of the hashes of all previously executed blocks to ensure they were executed correctly and in the proper order. Another technique was proposed by Chang 

This work was done when the author was at IBM Almaden Research Center.

K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 187–202, 2010. c IFIP International Federation for Information Processing 2010 

188

G. Myles and H. Jin

and Atallah [3] and establishes a check and guard system through a network of guards. Each guard is responsible for monitoring or repairing a section of code. Horne et al. [6] proposed a similar technique based on testers and correctors. A third approach to tamper resistance, oblivious hashing, was proposed by Chen et al. [4]. With oblivious hashing it is possible to compute the hash value of the actual execution instead of just static code. Additional tamper resistance techniques have been proposed by Mambo et al. [8], Jin et al. [7], and Dedic et al. [5]. In this paper we use the term software tamper resistance to encompass a broader range of software protection techniques. We are interested in those techniques that inhibit an adversary’s ability to understand and alter the program. As can be seen, quite a bit of work has been done in the software tamper resistance space; however, there is little work done on evaluating their strength. No quantitative method currently exists that makes it possible to really say something meaningful about the strength of a tamper resistance algorithm, let alone the strength of a particular implementation of that algorithm. Indeed, it is very difficult to make comparisons between two proposed algorithms. In this paper we propose a TRS system evaluation method which begins to address these important issues. The evaluation method provides developers with a way to quantitatively evaluate the strength of a particular implementation of their TRS system through the use of one or more numeric ratings. In general, the technique works by breaking the desired rating down into a set of metrics that are relevant to the specific measurement. For each metric, we calculate a score. Optionally these metric scores can also be combined into an overall score for the rating. The calculation of a score gives the developer a concrete idea as to the strength of his implementation. Furthermore it provides a common base to compare the strength of different TRS systems.

2

Metric-Based Evaluation

Whether a developer is consciously aware of it or not, he most likely has a set of questions in mind that guide the development and implementation of the TRS system. These are questions like “Is essential functionality and data protected,” “Is the detection code stealthy,” and “Can we detect different types of debuggers.” By asking these questions the developer is attempting to “evaluate” the protection capabilities of the TRS system. While the developer’s evaluation in this scenario is rather informal, we can use the same type of questions to formalize a quantitative evaluation method. In general, the TRS system evaluation is comprised of three steps. First, we break the desired rating down into a set of metrics that are relevant to the specific measurement. Then for each metric we calculate a score. Finally, we can derive a overall score for the rating by combining the individual metric scores or simply using the minimum of each individual score. One of the unique aspects of this process is that we use questions to guide the evaluation process. In essence each metric is based on a guiding question like “is essential data and functionality protected.” We phrase each question such

A Metric-Based Scheme for Evaluating Tamper Resistant Software Systems

189

that for the ideal TRS system the answer would be “yes.” To answer the question and assign a quantitative value to the metric we construct an appropriate model of the protection system. For example, we may be able to answer the question “is essential data and functionality protected,” by building a graphical representation of the relationship between the functions in the program. Using the metric-based TRS system evaluation method, we have devised four categories of TRS system evaluation ratings: protection coverage rating, system complexity rating, auxiliary protection rating, and overall system protection rating. We believe that these ratings provide a more comprehensive evaluation method for tamper resistant implementations than any of the previous work in this space. 2.1

Protection Coverage Rating

The protection coverage rating (PCR) evaluates the degree to which the program is covered by the protection mechanism(s). It is important to note that the PCR does not (and should not) say anything about the quality of the protection or how easily it can be subverted. The idea is to convey a sense of the distribution of the protection mechanisms and how they overlap. To illustrate how the protection coverage rating is calculated we will rely on a running example in which the factorial program shown below is protected using a very simple implementation of the Branch-Based tamper resistance technique [7]. void main(int argc, char *argv[]){ int x = atoi(argv[1]); printf("%d! = %d\n", x, factorial(x)); } int factorial(int x){ if(x == 1) return x; return(x * factorial(x-1)); }

The Branch-Based tamper resistance technique converts branch instructions to calls to a branch function. The branch function then performs an integrity check of the program and calculates the proper branch target instruction. Below illustrates what the factorial program could look like after the Branch-Based tamper resistance protection has been applied. long key = seed; void main(int argc, char *argv[]){ int x = branchFunction1(argv[1]); branchFunction2("%d! = %d\n", x, branchFunction3(x)); } int factorial(int x){ if(x == 1) return x; return(x * factorial(x-1)); }

190

G. Myles and H. Jin

void branchFunction1(void *x){ //perform anti-debugging check //evolve the key //compute return address return; } void branchFunction2(void *x){ //compute checksum over main and factorial //evolve the key //compute return address return; } void branchFunction3(void *x){ //compute checksum over factorial //evolve the key //compute return address return; }

main

branchFunction1

branchFunction2

Level 1

branchFunction3

factorial

Level 2

Fig. 1. The function-instance graph for the factorial program

Protection Coverage Model. In order to calculate a protection coverage rating we need a method of modeling the protection capabilities of the TRS system. We do this by building two different graphs both of which are based on the call graph for the program. The first graph we construct is the functioninstance graph. Using a depth first traversal we transform the call graph into the function-instance graph. This construction is illustrated in Figure 1 for our protected program. The second graph is the protection coverage graph. Construction of this graph requires that we first augment the call graph by adding a block for each element of the program that requires protection but is not a function, for instance a memory segment or a secret key. Then to represent protection mechanisms like obfuscation or encryption we insert another place holder block. When multiple obfuscation techniques are used, we insert multiple place holder blocks. Finally, we add a directed edge between two blocks A and B when A provides protection for B. Following this procedure, we arrive at the protection coverage graph in Figure 2. Protection Coverage Metrics. The protection coverage metrics are guided by questions that reveal the full scope of the TRS system’s defense network. We have identified six questions that we feel provide a comprehensive view of the system. Using the protection coverage model we are able to develop a metric and calculate a score for each of the questions below. (Notation used in the metrics can be seen in Table 1.) Below we will show the six criteria together with the rationale behind choosing that criteria.

A Metric-Based Scheme for Evaluating Tamper Resistant Software Systems

main

obfuscation

branchFunction1

branchFunction2

branchFunction3

key

factorial

191

Essential block Place holder protection block Protection edge Call edge

Fig. 2. The protection coverage graph for the factorial program

– Is essential functionality and data protected? The Essential Coverage Metric (ECM) indicates to the developer whether all of the critical, must be protected elements have in fact been protected. This is a very important measurement for any TRS system. |B | • ECM = |Bep e| – Do anti-debugging checks occur throughout the entire execution of the program? The Anti-Debugging Metric (ADM) gives the developer a sense of how successful the TRS system would be at preventing the execution of the program under a debugger. This criteria is important because a low score indicates that at least part of the program can be executed and observed by an attacker, which could result in the attacker discovering secret information. 

|outcp (l)|

|outc (l)| • ADM = l∈L |L| – Is each integrity verification method invoked at multiple places throughout the program? Suppose the TRS system has an integrity check which performs a checksum of the program, but that integrity check is only invoked a single time when the program starts. Once the program has started executing, the attacker can make any changes he wishes and they will not be detected. It is important to measure the degree to which the program is vulnerable to scenarios like this. This degree can be measured using the Multiple Invocation Metric (MIM).



|inc (b)|

|Ec | iv • M IM = b∈B|B iv | – Is there cross-checking of integrity verification methods? That is, are the integrity verification methods themselves protected? The Cross-Check Metric (CCM) is important because if the integrity verification methods are left vulnerable then an attacker can remove them and the remainder of the program is left vulnerable.  |in (b)| b∈B

p |E |

p iv • CCM = |Biv | – Are the protection methods overlapping? When a sensitive section of code is protected using only one means of protection all the attacker has to do is defeat that one mechanism. By increasing the protection on that section, the amount of work the attacker has to do is also increased. So this measurement

192

G. Myles and H. Jin

is also important to the security of a TRS system. The Protection Overlap Metric (POM) lets the developer know whether more layers of protection need to be added.  |in (b)| b∈B

p |E |

p f • P OM = |Bf | – Are there multiple methods of protecting the integrity of the program? Again suppose the TRS system has an integrity check which performs a checksum over the program. If this is the only integrity check used to verify the integrity of the program, the attacker only has one protection mechanism to analyze. Obviously, by increasing the number of protection mechanisms, we increase the amount of work the attacker has to do thereby strengthening the TRS system. The Multiple Protection Metric (MPM) indicates to the developer if greater diversity is need. |B | • M P M = |B|p

Table 1. The notation used in the protection coverage metrics

B Be Bep Ec Ep Bp Biv Bad Bpp Bf inc (b) inp (b)

Protection Coverage Graph Notation set of all blocks. set of essential blocks. set of essential blocks which are protected. set of call edges in the graph. set of protection edges in the graph. set of all protection blocks. set of integrity verification protection blocks. set of anti-debug protection blocks. set of place holder protection blocks. set of blocks which are not protection blocks. incoming call edges for block b. incoming protection edges for block b.

Function-Instance Graph Notation L set of levels in the function-instance graph. outc (l) out going call edges for the block(s) on level l. outcp (l) out going call edges for the block(s) on level l whose sink is a protection block.

To construct the overall protection coverage rating (PCR) we combine the individual metric scores by multiplying each component by a constant representing that ratings importance and adding the values together. The sum of the constants is 1. – P CR = (a)ECM + (b)ADM + (c)M IM + (d)CCM + (e)P OM + (f )M P M where a + ... + f = 1 For example, in general ECM (Essential Coverage Metric) and POM (Protection Overlapping Metric) seem to be relatively more important than other

A Metric-Based Scheme for Evaluating Tamper Resistant Software Systems

193

metrics. Therefore it makes sense to give more weights on these two metrics than others. However, for different purposed TRS system, it is possible that different weights may need to be assigned for the same metric. Another more general option to obtain the overall rating is to simply choose the minimum value among the set of metrics. When we apply the metrics to our example we get: ECM = ADM =

2 31

= .67

0 3+1

2

=

1 1 1 4+4+4

1 6

= M IM = 3 CCM = 02 2 0 + + P OM = 4 34 4 = M P M = 47 = .57

= .17 1 4

= .25

1 3

= .33

Note that regardless of the overall rating value and how one calculates the overall rating, each metric alone provides some value in the evaluation. For example, two TRS systems can be evaluated against each of these metrics to see which one is stronger for the protection. Moreover, those metrics can help guide developers improve the security of their software. In the above example, based on the calculated results, a developer could see that there are aspects of the protection coverage that need further improvement. First, a cross-check metric score of zero reveals that the TRS system’s integrity verification methods are completely vulnerable to attack. Second, the anti-debugging check metric score is very low which indicates the anti-debug checks are not very well distributed in the program. This means that certain portions of the program could be executed under a debugger without being detected which could ultimately lead to the attacker discovering sensitive information. On the other hand, for a same-functional software, if the developers come up with another design of the system, they can similarly use these metrics to see the protection capability for that system. Our evaluation method enables the developers to compare the strength of the differently implemented systems and then make design choice accordingly. It is also worthy mention that because our evaluation method is based on sets of metrics, it is easily extensible. As protection mechanisms evolve and new evaluation method are developed they can easily be incorporated into the list. 2.2

System Complexity Rating

The system complexity rating (SCR) is used to evaluate the level of difficulty associated with understanding and disabling the protection mechanisms. The focus of this rating is on the topological configuration of the system and the strength of the atomic protection mechanisms that make up the system. The rating is calculated by first recursively breaking down the TRS system’s compound protection mechanisms until the atomic protection mechanisms are isolated. The atomic protection mechanisms are then evaluated using the various metrics and the calculated scores are plugged into the graphical model and combined based on the topological configuration.

194

G. Myles and H. Jin

System Complexity Model. Part of being able to properly evaluate a TRS system is being able to properly model its behavior. The modeling approach we use is partially driven by an important system complexity question: “Is it impossible to disable the TRS system in stages?” This is motivated by the belief that a tightly linked set of protection mechanisms is harder to disable than a set of disjoint mechanisms because more analysis required. The system complexity model enables us to answer this question by transforming the tamper resistance capabilities into a graph. We accomplish this as follows: 1. Each code block in the program becomes a node in our graph. A code block can have any level of granularity and the particular composition of a code block will depend of the tamper resistance algorithm. 2. If a code block ci provides integrity verification for another code block cj , a directed edge is added from ci to cj . 3. If a code block ci triggers the anti-debugging protection provided by code block cj , a directed edged is added from cj to ci . 4. If a code block ci repairs another code block cj , a directed edge is added from ci to cj . 5. If a code block ci contains concealment protection, a new block representing the protection mechanism is added to the graph and a directed edged from the new block to ci is added. 6. If a code block ci provides protection for more than one block, a super block is added encompassing the protected blocks. A directed edge is then added from ci to the super block. Figure 3 illustrates the graphical model of the protected factorial program that is constructed by following these steps. bf 2 (civ) obfuscation

main

bf 1 (a−d)

factorial

bf 3 (civ)

Fig. 3. Graphical model used to calculate the complexity rating for the factorial program protected using the Branch-Based Tamper Resistance technique

The graph topology model enables us to analyze and evaluate the way tamper resistance is incorporated into the existing software, while providing a common base for comparing tamper resistance algorithms. The main advantage of this model is that we can break the TRS system down into its atomic protection mechanisms and then associate a complexity score indicating how difficult it would be to defeat that particular mechanism. Based on the topology of the graph we can combine the atomic protection scores to determine the overall system complexity rating for the TRS system.

A Metric-Based Scheme for Evaluating Tamper Resistant Software Systems

195

Protection Mechanism Metrics. Calculating the complexity metric score of an atomic protection mechanism is still a rather open question. In this section we propose a variety of metrics which begin to address the question, but that by no means provide the complete answer. Our goal is to lay a foundation of metrics that can be built upon as protection mechanisms evolve. Under our method, the evaluation of protection mechanisms is first based on the particular type of the mechanism. It is then guided by type specific questions. We focus on three categories of protection mechanisms: detection, response, and concealment. Each of these categories have unique characteristics that require evaluation metrics specific to the category. Like the protection coverage metrics these metrics are guided by questions. In this case, the questions reveal the level of difficulty an attacker will have in identifying and understanding the protection mechanisms. Tamper Detection Metrics. A tamper detection mechanism is any section of code which was designed to detect changes in the program or environment. This could be a change in the actual instruction sequence or a change in the execution environment such as the use of a debugger. Below are some questions that should definitely be considered when calculating the complexity rating of a tamper detection mechanism, however, it is possible that other questions and therefore metrics could also be incorporated. – Is the detection code stealthy? Ideally the detection code would be similar to the code around it. One possible way to measure this is to consider the instruction sequences in the original program, the tamper detection mechanism, and the tamper resistant version of the program.  seq ∈DM but ∈P | 1, if |inst|inst <δ seq ∈P | T RS

0, otherwise – Is detection widely separated from response in space? This could be measured by counting the number of instructions between the detection and response mechanisms.  1, if |insts between detection and response| > δ 0, otherwise – Is detection separated in time from a response which induces program failure? There are a couple different ways this could be measured. One would be to measure the number of seconds between detection and response.  1, if |secs between detection and response| > δ 0, otherwise Another would be to use a call graph to model the time between detection and response.  1, if |calls between detection and response| > δ 0, otherwise

196

G. Myles and H. Jin

Tamper Response Metrics. A tamper response mechanism is any section of code which has been designed to respond to an attack on the program. The response could be triggered by a change in the instruction sequence or the detection that the program is being run in a debugger. The response action taken can vary. The mechanism could alter some portion of the program which eventually leads to program failure or it could repair a section of code which has been altered. Below are some questions that should be considered when calculating the complexity rating of a response mechanism. As with the tamper detection complexity, this is not an exhaustive list, these are simply the questions that are common to all tamper response mechanisms. – Is the response code stealthy? Ideally the response code is similar to the code around it. Response code will often rely on self-modifying code to either cause program failure or to repair a section of code. This type of code is not routinely used in programs, so it is crucial this code is not easily detected by the attacker.  |inst seq ∈RM but ∈P | 1, if <δ |inst seq that occur in P | T RS

0, otherwise – Does a program that has been tampered with eventually fail or repair itself ? In the event of tampering, it is critical that some type of response occurs. One way to evaluate this is to use the program control flow graph to determine if the failure inducing or repair code is on a possible execution path.  1, if code is on possible future path 0, otherwise – Does a program that has been tampered with, initially proceed seemingly normally so as to hide the location of the response mechanism? This is of particular concern for failure inducing response mechanisms. If the failure occurs immediately after the response, it will be very easy for an attacker to identify the response mechanism.  1, if |secs between response and failure| > δ 0, otherwise Concealment Metrics A concealment mechanism is any protection technique which is used to disguise the true purpose of a section of code. This could come in the form of code obfuscation or even encryption. – Is the concealment code stealthy? Ideally even if a technique like obfuscation is used, the obfuscated code should still blend in the with code around it. That is, we do not want to alert the attacker to the fact that we used obfuscation because it indicates that the section of code is important.  |inst seq ∈CM but ∈P | 1, if <δ |inst seq that occur in PT RS | 0, otherwise

A Metric-Based Scheme for Evaluating Tamper Resistant Software Systems

197

– Can the protection thwart static disassembly or decompilation of the operational code and its basic structure? By preventing proper disassembly or decompilation the attacker is forced to revert to the often more difficult dynamic analysis techniques. A possible method of evaluating this protection is to compare the disassembly code of the original program and the protected program. Additionally, it is often obvious when a program has been disassembled incorrectly because of the instruction sequences generated.  1, if sim(dis(P ), dis(PT RS )) < δ 0, otherwise – If encryption is used, are any decryption keys hidden? When encryption is used to protect all or part of the program, the code has to be decrypted in order to be executed. This decryption requires a key that is often hidden directly in the software. It has been suggested that the strength of concealment mechanisms could be evaluated using software complexity metrics [1]. Such evaluation metrics would fit nicely within our framework and further expand the evaluation capabilities. System Complexity Rating Calculation. Using the system complexity model and the system complexity metrics for the atomic protection mechanisms we are able to develop an overall score for the system complexity rating. One of the advantages of the system complexity rating is that even without a complete understanding of the strength of the individual protection mechanisms, through the complexity model we are still able to provide the developer with valuable feedback. As we will see, the topological configuration of the protection mechanisms say a lot about the strength of the TRS system. There are a variety of different topological arrangements that can be used in designing the TRS system. To illustrate how the system complexity rating can be calculated we investigate three configurations: redundancy, hierarchy, and cluster. In reality a TRS system will be a combination of these configurations, in which case a score for each sub-configuration can be calculated and then combined to form the rating score. As we mentioned, one of the motivating questions in the system complexity rating is “Is it possible to disable the protection mechanisms in stages?” Because of this we are interested in two different scores: the per-stage complexity rating (PCR) and the total complexity rating (TCR). The PCR is associated with subverting a subset of the protection mechanisms without triggering any detection mechanism. The TCR is the complexity rating associated with disabling the entire TRS system. Redundancy Model. In the redundancy configuration tamper resistance mechanisms are incorporated throughout the program without dependencies between the different mechanisms. Figure 4(a) illustrates a possible configuration using redundancy. In this case the TRS system can be subverted in stages. If one of the protection mechanisms is disabled, it will not be detected by any of the others.

198

G. Myles and H. Jin

TR

C

TR

TR

(a) Redundancy. C

TR

TR

TR

(b) Hierarchy. TR

C

TR

TR

(c) Cluster. Fig. 4. Possible TRS system complexity model configurations

In the ideal situation the total complexity rating for a redundancy based TRS system would n be the sum of the complexity ratings for the atomic protection mechanisms, i=1 CR(T Ri ). However, there is at least one factor that can decrease the overall effectiveness of a TRS system. This factor relates to the similarity of the protection mechanisms used. In the general sense, we have three similarity categories for protection mechanisms: duplicated, derived, and unique. In the duplicated scenario, one protection mechanism is used in multiple places. While this does make it possible to protect different parts of the program, the extra work required to disable more than one of these mechanisms is negligible. This leads to the per-stage and total complexity ratings being equal: – PCR = TCR = CR(T R). A derived classification occurs when one or more protection mechanisms is a derivative of another mechanism in the TRS system. Because the mechanisms are similar, information learned from attacking one can be used to defeat the others. This has the effect of increasing the total complexity rating over the duplicated scenario, but the complexity level is still sub-optimal for the given configuration. – PCR = max{CR(T Ri )|i ∈ n} n – TCR = max{CR(T Ri )|i ∈ n} + (j=1)\i CR(T Rj )[1 − sim(T Ri , T Rj )] where sim(T Ri , T Rj ) ∈ [0, 1]

A Metric-Based Scheme for Evaluating Tamper Resistant Software Systems

199

A variety of different methods have been developed to measure the similarity between sections of code or programs [9]. The similarity measure could be based on one of these ideas or a new measure could be developed specifically for tamper resistance protection mechanisms. The maximum complexity is achieved when the tamper resistance mechanisms are classified as unique and defeating one does not aid an attacker in defeating any of the others. In this case we achieve the following complexity ratings: – PCR = max{CR(T Ri )|i ∈ n} n – TCR = i=1 CR(T Ri ) Of course, the TRS system could be comprised of a mixture of these three categories. Hierarchy Model. The hierarchy configuration consists of n layered protection mechanisms. Each layer provides tamper resistance protection for the mechanism in the lower layer. The innermost layer protects the code block. Figure 4(b) illustrates this configuration. As with the redundancy configuration, a TRS system configured as a hierarchy can be subverted in stages by starting with the outermost tamper resistance mechanism. Theoretically, this configuration is marginally stronger than the redundancy configuration since an attacker has to identify the outermost layer. The hierarchy configuration can also be classified by duplicated, derived, and unique protection mechanisms. Using these categories we obtain the following complexity ratings: – Duplicated • PCR = CR(T R)+(cost to find outermost) • TCR = CR(T R)+(cost to order units) – Derived • PCR = CR(outermost T R)+(cost  to find outermost) • TCR = CR(outermost T R)+ nj=2 CR(T Rj )[1−sim(T Ri, T Rj )]+(cost to order units) – Unique • PCR = CR(outermost T R)+(cost to find outermost) n • TCR = i=1 CR(T Ri )+(cost to order units) Cluster Model. In the cluster configuration the tamper resistance mechanisms are arranged in a strongly connected digraph topology with some degree of incidence d. The degree of incidence is the in-degree of any particular code block in the graph. It measures the number of protection mechanisms protecting a particular code block. The degree of incidence for the cluster is the minimum degree of incidence within the cluster. Theoretically, the cluster configuration provides the highest level of protection. In this configuration, subverting any of the tamper resistance mechanisms within the cluster requires subverting all of the mechanisms in the cluster simultaneously. Figure 4(c) illustrates a trivial cluster based TRS system which has a degree of incidence d = 1. In order to disable the entire cluster each protection mechanism along with its parent(s) must be subverted prior to a parent mechanism detecting an incidence

200

G. Myles and H. Jin

of tampering. For single threaded programs, it may still be possible to identify a sequence in which a cluster with a degree of incidence d = 1 can be subverted. However, identifying this order is more difficult than in the hierarchy configuration. For programs in which code blocks can be executed in parallel, identifying the necessary sequence is even more challenging. Furthermore, as the degree of incidence increases, disabling a single protection mechanism will be detected by several other mechanisms, thus increasing the number of mechanisms that must be subverted simultaneously. Like the previous two configurations, the cluster configuration can be classified by duplicated, derived, and unique protection mechanisms. Using these classifications we have the following complexity ratings: – Duplicated • PCR = TCR = (2 − 1d )(CR(T R))+(cost to identify all units in cluster) – Derived n • PCR = TCR = (2 − d1 )[max{CR(T Ri )|i ∈ n} + (j=1)\1 CR(T Rj )(1 − sim(T Ri , T Rj ))]+(cost to identify all units in cluster) – Unique n • PCR = TCR = (2 − 1d )[ i=1 CR(T Ri )]+(cost to identify all units in cluster) 2.3

Auxiliary Protection Ratings

The auxiliary protection (AP) rating evaluates the degree to which additional efforts have been made to aid the embedded protection mechanisms. Generally, the protection mechanisms alone are not sufficient to protect a program. This is because there are many aspects of a system which can leak information. For example, strings in a program can often provide an attacker with insight about functionality. Additionally, the protection mechanisms, due to unusual behavior8 like self-modifying code, can reveal themselves to attackers thus requiring the TRS system to disguise the mechanisms or employ misleading code which draws attention away from the real protection code. Again we will use question-guided approaches to obtain the metrics. Below we show two sample measurements only to illustrate the idea. – Are common or well-known code sequences avoided? Many protection systems will leverage off the self cryptographic implementations. Strong attackers will be able to easily recognize the common code sequences without much analysis, thus reducing the effort required to attack the TRS system.  0, if |known code sequence ∈ PT RS | > δ 1, otherwise – Are revealing names, strings, constants, etc. avoided? Constant values in a program decrease the amount of analysis required by an attacker by providing insight regarding functionality.  0, if |revealing value ∈ PT RS | > δ 1, otherwise

A Metric-Based Scheme for Evaluating Tamper Resistant Software Systems

2.4

201

Overall System Protection Rating

The overall system protection rating (OSP) is used to evaluate the overall strength of the entire TRS system. This rating can be used to calculate two different values. The first we call the probability of subversion which indicates how likely it is that an attacker will be able to circumvent the TRS system. The second value is the difficulty of subversion. This value does not tell the developer how much it will cost an attacker to circumvent the system in time, money, or resources, but instead indicates a level of difficulty. The rating score is still driven by a set of questions: 1. Is the entire software system protected? 2. Is it hard to understand and disable the embedded protection mechanisms? 3. Are additional protection efforts being made to aid the embedded protection mechanisms? Question 1 corresponds to the protection coverage rating, Question 2 to the system complexity rating, and Question 3 to the auxiliary protection rating. Then to derive the OSP rating we combine the sub-rating scores. The manner in which we combine the sub-ratings determines whether we calculate the probability of subversion or the cost of subversion. In either case, the sub-rating score is multiplied by a constant representing the rating’s importance. If we then use multiplication in combining the values we will get the probability of subversion. Using addition will yield the difficulty of subversion. As one of our future work direction, we would like to expand the OSP evaluation so that it can tell how much it costs to circumvent the system in time, money, or resources. In order to do this, we need to take into consideration what kind of attackers we are dealing with. we would like to be able to identify classes of attackers, based on resources, skills, and attack types, and then map the classes to difficulty levels. This will tell a developer that if they have a TRS system with a certain difficulty of subversion then it can protect against attackers below the corresponding class. This will also tell how many men time it takes to circumvent the system for different classes of attackers. The attacker class may also make the probability of subversion evaluation more accurate, because the probability of subversion can be different for different class of attackers.

3

Conclusion

In this paper we presented a metric-based evaluation method for tamper resistant software system implementations. Our work makes several important contributions. First, it provides what we believe to be the first comprehensive, quantitative method for evaluating the strength of TRS system implementations. Second, the quantitative score not only provides the developer with insight as to the strength of the implementation, it can provide a common base to compare the strength of different TRS systems. Note that it is not critical to verify the validity of each score we obtain in the evaluation. But comparing two scores

202

G. Myles and H. Jin

is sufficient to tell which TRS system is stronger protected. This is especially advantageous for standards-based content protection systems were a guaranteed level of robustness is required. Because most companies are reluctant to release their software to an outside evaluation team for fear of leaking their intellectual property, the robustness guarantee is achieved through the manufacturer’s selfcertification. This self-certification holds the manufacturer liable in the event of an attack, but it does nothing to truly guarantee the robustness of the system. Our evaluation method could be used to address this issue. A tool based on this method would produce a report that can be publicly shared without leaking the confidential information contained in the software. Finally, because the evaluation method is based on sets of metrics, it is easily extensible. As protection mechanisms evolve and new evaluation method are developed they can easily be incorporated. There are several directions we want to research further and deeper as future work. Are the metrics sufficiently mature in the sense that they capture the key issues relevant to tamper resistance? What if some of the metrics are contradicting with each other or related to each other? Are there techniques/practices that can result in high ratings of our metrics? This would lead to best practices.

References 1. Anckaert, B., Madou, M., Sutter, B.D., Bus, B.D., Bosschere, K.D., Preneel, B.: Program obfuscation: A quantitative approach. In: Proceedings of 3rd ACM Workshop on Quality of Protection (2007) 2. Aucsmith, D.: Tamper resistant software: An implementation. In: Furon, T., Cayre, F., Do¨err, G., Bas, P. (eds.) IH 2007. LNCS, vol. 4567, pp. 317–333. Springer, Heidelberg (2008) 3. Chang, H., Atallah, M.: Protecting software code by guards. In: Sander, T. (ed.) DRM 2001. LNCS, vol. 2320, pp. 160–175. Springer, Heidelberg (2002) 4. Chen, Y., Venkatesan, R., Cary, M., Pang, R., Sinha, S., Jakubowski, M.H.: Oblivious hashing: A stealthy software integrity verification primitive. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 400–414. Springer, Heidelberg (2003) 5. Dedic, N., Jakubowski, M., Venkatesan, R.: A graph game model for software tamper protection. In: Proceedings of 9th Information Hiding Workshop (2007) 6. Horne, B., Matheson, L.R., Sheehan, C., Tarjan, R.E.: Dynamic self-checking techniques for improved tamper resistance. In: Sander, T. (ed.) DRM 2001. LNCS, vol. 2320, pp. 141–159. Springer, Heidelberg (2002) 7. Jin, H., Myles, G., Lotspiech, J.: Towards better software tamper resistance. In: Zhou, J., L´ opez, J., Deng, R.H., Bao, F. (eds.) ISC 2005. LNCS, vol. 3650, pp. 417–430. Springer, Heidelberg (2005) 8. Mambo, M., Murayama, T., Okamoto, E.: A tentative approach to constructing tamper-resistant software. In: Proceedings of 1997 New Security Paradigms Workshop, pp. 23–33. ACM Press, New York (1998) 9. Myles, G., Collberg, C.: K-gram based software birthmarks. In: Proceedings of ACM Symposium on Applied Computing, pp. 314–318 (2005)

Evaluation of the Offensive Approach in Information Security Education Martin Mink1 and Rainer Greifeneder2 1

Technical University of Darmstadt, Germany 2 University of Mannheim, Germany

Abstract. There is a tendency in information security education at universities to not only teach protection measures but also attack techniques. Increasingly more universities offer hands-on labs, where students can experience both the attackers’ and the administrators’ view. Getting to know the attackers’ view is thought to lead to a better understanding of information security and its problems compared to teaching only strategies for defense. This paper analyzes the situation of information security education at German and international universities. We present a method to measure knowledge in information security and – using this method in an empirical study – evaluate the offensive teaching approach. Analysis of the empirical data gathered in the study shows a tendency in favor of the offensive approach compared to the classic defensive security education.

1

Introduction

The field of academic security education today is dominated by defensive techniques like cryptography, firewalls, access control, and intrusion detection. But since some years we are observing a trend toward more offensive methods [19,16]. In the academic literature, offensive techniques are also gaining widespread approval [2,8,1]. The ACM even devoted an entire special issue of their flagship publication Communications to the topic of “Hacking and Innovation” [6]. Why is this so? In his article [5], Conti argues that security academics can learn a lot from the security approach of hackers by visiting their gatherings (like DEF CON [7] or Black Hat [3]). This corresponds to the professional trend toward more offensive methods of security testing and its most prominent variant of penetration testing. This involves the use of hacking tools like network sniffers, password crackers and disassemblers as well as active penetrations of corporate networks in real time. Looking at these indications, there seems to be a substantial benefit from thinking security in an offensive way. But is there really a benefit? And if yes, can it in some way be quantified? In this paper we show a way how to answer this question. We present an experimental setup to evaluate the offensive approach in information security education. The basic idea of the approach used in this paper has already been introduced in [14]. We conduct an empirical study that compares the offensive with the classic defensive approach in information security education. As part K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 203–214, 2010. c IFIP International Federation for Information Processing 2010 

204

M. Mink and R. Greifeneder

of the study we designed two courses on information security. The study will show, that there is some advantage of the offensive approach but that the result is not significant. Before, we’ll take a closer look on offensive education at the university degree level and give an overview of teaching methods for offensive education. The next section introduces background knowledge: a classification of information security courses, a definition of offensive methods, an introduction into empirical research, and related work. Section 3 presents the conducted empirical study, and Sec. 4 the results of the study. We conclude in Sec. 5.

2

Background

This section introduces knowledge that is needed for this paper. 2.1

Classification of Information Security Courses

In a study, introductory courses on information security at German and international universities were analyzed and classified by their content [12]. The classification yielded three clusters: one large and two small ones. One of the small clusters contains courses that focus on teaching cryptography and thus was called the “conservative” cluster. The other small cluster focuses on teaching current topics of information security, thus called the “innovative” cluster. In the large cluster most topics of the two other clusters are taught in a balanced mixture, the “balanced” cluster. 2.2

The Offensive Approach in Information Security Education

What is an “offensive” method? In general, a method that is used by an attacker. But this would not be enough to differentiate between offensive and defensive techniques, since some are used both by attackers and by administrators (as network sniffing and password cracking). Therefore the results of the before mentioned classification of information security courses was used as an enumerating definition: the innovative cluster was identified with the offensive approach and the conservative cluster with the defensive approach. This way the topics of each cluster were associated with the method of the respective approach. Types of Offensive Education. Information security labs give students the chance to gain hands-on experience in information security. So called Wargames and Capture-the-Flag contests offer a game-like approach. These will be presented in more detail in the following paragraphs. Several universities run a security lab, where students can experience both aspects of IT security and can get hands-on experience. In Germany, the computer science department of Darmstadt University of Technology pioneered in 1999 with the so-called Hacker Contest [16]. In military education, one can find similar examples of offensive lectures, for example [20].

Evaluation of the Offensive Approach in Information Security Education

205

Wargames have a long tradition among security enthusiasts. In Wargames the organizer creates a set of challenging scenarios of increasing difficulty which have to be solved by the participants [18,9]. Challenges usually are modeled somewhat after the problems an attacker faces when attempting a system penetration. More competitive than Wargames are Capture-the-Flag (CTF) contests, where teams battle against each other over the control of a network. In those contests, 20 to 40 teams of educational institutions spread across the world battle against each other over the course of several hours [4,10]. Criticism. It is often criticized that offensive methods should not be taught to students since this only increases the population of “malicious hackers” which will not raise but rather decrease the overall level of security in the Internet. We feel that this line of argument is flawed. Any security technique can be simultaneously used and abused. The trend toward penetration testing in corporate businesses shows that offensive techniques can be used to increase the level of security of an enterprise. So students trained in offensive techniques must not necessarily become black hats (jargon for malicious hackers, the “bad guys”), but rather can also become white hats (the good guys). However, we agree that offensive techniques should not be taught in a standalone fashion. As with defensive techniques, every course in information security should be accompanied by a basic discussion of legal implications and ethics. 2.3

Empirical Methods

To have a common basis and for those not familiar with empirical research, we present a short overview of the methods used in empirical studies relevant for this case. A study starts with a hypothesis which expresses what lies in the interest of the researcher. The hypothesis can be a one-tailed (or directional ) hypothesis, i.e. the direction of a possible difference is specified, or two-tailed, i.e. direction is not specified. In either case it suspects a link between at least two variables, which can be expressed as “if . . . , then . . . ”. A variable in a study is any characteristic that can assume multiple values or can vary in participants (e.g. variable gender = {male, f emale}). A hypothesis expresses the assumption that an independent variable (IV) affects a dependent variable (DV). Two concepts are critical to evaluate empirical research: internal validity and the external validity: a study has a high internal validity, if the variable the researcher intended to study is indeed the one affecting the results and not some other, unwanted variables. External validity refers to the extent to which the results of a study can be generalized or extended to others. Both concepts strongly depend on whether the investigation is conducted as a field versus laboratory experiment, and with a true experimental vs. quasi-experimental design. A field experiment is an experiment that is conducted in a natural environment, while a laboratory experiment is conducted in an environment that offers control over unwanted influences. In general, a field experiment has a lower internal validity than a laboratory experiment (since it is difficult to control confounding variables that can substantially affect the result) but a higher external validity (since it normally

206

M. Mink and R. Greifeneder

is closer to real life). A study is quasi-experimental when study groups are determined based on a pre-existing characterisitc (e.g., gender, assignment to one or the other school class, etc.). In contrast, a study is experimental when participants are randomly assigned to study groups. See the book [17] for detailed information on the subject. 2.4

Related Work

N¨af and Basin [15] compare two approaches for information security labs: the conflict-based and the observation-based approach as they call it. But they only do it on a conceptual level. Vigna [19] reports on his experiences with courses where students gain handson experience with attack and defense. Students first work in two teams: red team (the attacker) and blue team (the defender). Next, both teams attack and defend, and in the last part both teams work in rivalry to suceed in a targeted attack first. In 1997 Jonsson and Olovsson [11] conducted an experiment to evaluate the actions of an attacker trying to compromise a system. A number of independent teams of students worked as attackers and their actions were logged to evaluate – among other – the time that passed between two attacks, time that was spend preparing and the time spend on the attack. Although these studies deal with attacking techniques, none of them actually assesses the value of the offensive approach in information security education.

3 3.1

Methods Design of the Empirical Study

To evaluate the benefits of offensive techniques it’s better to not take a one shot case study, where just the effect of this course is measured, since this offers only low internal validity. Instead, we compare the treatment to a group who received a classic defensive education in information security. We therefore postulate: Students who received offensive information security education have a better understanding of IT security than those who received defensive education. This hypothesis is a difference hypothesis and implies two treatment groups: one with offensive education, the other with defensive education, thus leading to a two-group design. The independent variable is the type of education” (“offensive” or defensive”), as dependent variable we assess “understanding of IT security”. To ensure a high level of internal validity, participants in the present empirical study were randomly assigned to experimental groups in a controlled two-group treatment design.

Evaluation of the Offensive Approach in Information Security Education

207

A second independent variable was added to the study to find out if the prior knowledge in information security of the subjects is relevant. This second independent variable was chosen to be two-leveled (“high prior knowledge” and “low prior knowledge”). The result is a 2x2 factorial design, leading to four sample groups. To select the subjects according to prior knowledge, a knowledge test is used (see next section). Tests. For the study three tests were designed: 1. a test to assess the knowledge of information security at the end of the courses and that is used as the main measuring instrument, 2. a knowledge test and 3. an awareness test. Test no. 1 is used for measuring the main dependent variable (DV) by confronting the students with a computer system that is configured with a number of security holes and vulnerabilities. They are each asked to identify and fix the vulnerabilities and to configure the system in a secure way. To assess their understanding of information security, the number of vulnerabilities found, the time used (relative to the result achieved), and the strategy used are measured (see Fig. 1). The test is identical for both groups and does not test for offensive/defensive knowledge but for the understanding of system security. insecure

secure Criteria:

defensive

- time

PC offensive

- skills

PC

- result - strategy

Fig. 1. Experimental setup

Tests no. 2 and 3 are paper-pencil-questionnaires and applied at different time points during the course. The purpose of the knowledge test is to measure the increase in knowledge as a function of the two treatment groups. The items (questions) of the test were chosen to cover a wide range of aspects of IT security so as to get a representative cross section of the field. Based on individual results in the knowledge test, participants were divided into two groups: those with high prior knowledge and those with low prior knowledge. The awareness test was included for a purpose unrelated to the present hypothesis. Both tests were tested on sample groups.

208

3.2

M. Mink and R. Greifeneder

Design of the Information Security Courses

For the empirical study two courses were designed: one offensive, and one defensive. To increase experimental control and reduce common threats to internal validity, three day crash courses –instead of semester long courses – were chosen. The courses were designed to have nine modules (three each day), each lasting two hours. In order to have a common basis, the first module is an introduction into programming, networks and system administration. The last module is the test for the evaluation of the offensive approach. For the remaining seven modules we chose the topics as shown in Table 1. Table 1. Overview of the course Day 1 1. Introduction Ethics Working with Linux Programming in C Networks 2. Unix security Password security Access control Detecting intrusions 3. Software security Buffer Overflows Format Strings Race Conditions

Day 2 Day 3 4. Network security 1 7. Web security Network sniffing SQL injection Port scanning XSS Vulnerabilities 5. Network security 2 8. Malware Spoofing Viruses TCP Hijacking Worms DoS attacks Trojan horses SSH Rootkits 6. Firewalls Test Concept Architecture Configuration

Each module consists of an introduction into the topic by means of a presentation lasting around 30 minutes, followed by about 60 minutes of hands-on work using exercises on a hand-out sheet. Each module ends with a plenary discussion of the exercises. The distincion between the offensive and the defensive approach is only made in the practial part, the theoretical part is identical for both groups. For the exercises Linux is used since it is freeley available, is well documented and offers the possibility to configure the system and software using configuration files (i.e. without the need to use graphical interfaces). The last point is a basic concept of the course and thought to lead to a better understanding – and also independent of the Linux distribution resp. OS used. Each module will be presented in more detail in the following sections. Module 1: Introduction. The introduction presents working with the Linux operating system, basics of networks and programming in C. In the practical part no difference is made between the offensive and the defensive course.

Evaluation of the Offensive Approach in Information Security Education

209

Module 2: OS Security. This module deals with security relevant aspects of UNIX systems. It is about the problems of passwords (and what secure passwords are), about access control, including the problem of SUID root executables, and about detecting signs of intrusions. The offensive group concentrates on working with password cracking tools and how to conver tracks of an intrusions while the defensive group deals with password policies, how to create a password that is difficult to break and the search for signs of intrusions. Module 3: Software Security. After an introduction into the relevant parts of memory management and layout of processes on Intel architecture, the most common security problems in software are presented: buffer overflows, format strings and race conditions. In the exercises these problems can be experienced, the offensive group concentration on detecting vulnerabilities and exploiting them, the defensive group detecting and fixing them. Module 4: Network Security 1. This first part of network security introduces network sniffing and port and vulnerability scanning. Students learn about sniffing protocols of the TCP/IP stack with and without encryption as well as the basics about port scanning. The offensive group learns that sniffing is also possible in switched networks by means of ARP spoofing whereras the defensive groups learns how to detect an active sniffer in a network. Module 5: Network Security 2. The second part of network security deals with spoofing (ARP, IP, Mail, DNS), with configuring an SSH server, and denialof-service (DoS) attacks. In the hands-on part the offensive group learns about MAC and ARP spoofing and advanced forms of sniffing and scanning. The defensive group configures an SSH server, applies the vulnerability scanner Nessus and configures an e-mail client to send encrypted e-mails. Module 6: Firewalls. In the module firewalls, the different types of firewall architectures are presented. By example of the packet filter firewall iptables the participants learn how to configure a personal firewall for a given scenario. The defensive group tests the firewall and the offensive group tries to evade the firewall. Module 7: Web Security. The participants are introduced to a selection of common attacks on web applications (e.g. SQL injection, XSS, path traversal). In the practical part both goups work on exploiting a sample web application. Module 8: Malware. This module deals with the different types of malware (virus, worm, trojan horse) and a detailed look on rootkits. The exercise is differentiated by the offensive group taking a closer look on the workings of rootkits and the defensive group searching for the presence of rootkits. Module 9: Test. The last module of the courses was the main measuring instrument of the study. It was designed as a practical test and as an application of what the subjects had learned during the course. The same Linux system as

210

M. Mink and R. Greifeneder

the one used in the first eight modules was set up with (1) ten security holes and misconfigurations. Additionally, the subjects were asked to work on (2) two tasks. (1) The security holes and misconfigurations were as follows (from now on called “vulnerabilities”): 1. 2. 3. 4. 5. 6. 7. 8. 9. 10.

A rootkit, that has to be identified as a fake An additional root user Unwanted entries in the sudo configuration file Security relevant SUID root executables (the text editor nano and the command chmod ) World readable and writeable log file and root user directories (/etc/logs and /root) Weak passwords and password policy More active services than allowed An active network sniffer Network interface in promiscuous mode Errors in the firewall configuration

(2) The tasks were as follows: 1. Configuration of SSH server (public key authentication) 2. Configure sudo for a user Differentiation. In some modules it was rather difficult to make a distinction between the offensive and the defensive course since a lot of methods are applied by both an attacker and an administrator (e.g. password cracking). The definition for “offensive method” derived by the study presented in Sec. 2 in some cases was not fine-grained enough to allow a distinction. In the second run of the study we made some changes to achieve a better differentiation between offensive and defensive, e.g. password cracking only in the offensive course. Still, not in all cases we were able to make a clear distinction. 3.3

Conducting the Empirical Study

The study was conducted at two German universities: in 2007 at RWTH Aachen University and in 2008 at RWTH Aachen and at University of Mannheim. In 2008 69 subjects were included for analysis (out of about 80 registered for the courses) and 39 subjects in 2007. This paper will focus on and present the results of the 2008 study; see the PhD thesis by Mink [13] for the 2007 study. The courses were anounced on a web page of the university and on mailing lists. To register for the courses, students were asked to online create an account on a web application by entering their data (including name, age, semester, and a statement of motivation). The same system and account was to be used by the participants during the course to access the course ressources (i.e. downand upload of material). The number of participants was limited by the size of

Evaluation of the Offensive Approach in Information Security Education

211

the room used for the couses. Registrations were admitted until the maximum number of 24 per course was reached. Since the director of the study and the instructor of the crash courses were the same person there is the danger of the so called Rosenthal effect. This effect describes the influence a biased director of studies might have on the way he conducts the study. But since the instructor actively only gave the theoretical part of the courses – which was identical for both groups – this effect should be negligible. Knowledge and Awareness Test. These two test were conducted in the form of an online questionnaire at the beginning and at the end of the course. About six weeks later the subjects were contacted by e-mail to fill in the questionnaire again (a so called retest). Because we wanted to link tests of three different time points while preventing social-desirable (instead of honest) responses, participants were asked to code each questionnaire with the same unique code. Main Dependent Variable Test. A maximum of 60 points were possible; for each vulnerability and task five points for an accurate solution, down to one for a less accurate one and zero for none at all. The participants were given 45 minutes for the test. They received an instruction sheet explaining that they were taking over the administration of a computer in an enterprise with only some knowledge about its configuration. To complete the test they were allowed to use the course material and the WWW. Logging. Different methods were used to log data for tracing the actions of the subjects: the content of the system logs (logged via network), screen capturing, contents of the /etc and the user directory, changes to files (using an automated script) and the command history.

4

Results

The empirical data gathered in the tests was analyzed using mainly SPSS. First, we present the results of the main DV test – the main measuring instrument of the study – and then the results of the knowledge and awareness tests. 4.1

Main Dependent Variable Test

Based on the logged protocols, we determined for each subject what was found analyzing the system and how the situation was solved. Two primary measures were assessed: the number of vulnerabilities found (see Fig. 2) and the overall score achieved (including the tasks, see Fig. 3). The diagrams show that the participants of the offensive courses on average both found more vulnerabilities and achieved a better score than the participants of the defensive courses. Since the significance score in the ANOVA (analysis of variance) with a value of 0.03 is below 0.05 the result is significant. The error bars in the diagram show the intervals in which the result lies with a probability of 95% (confidence intervals). Although in both diagrams the error bars overlap, the result is still significant, since with 95 CI, error bars may overlap up to one fourth.

212

M. Mink and R. Greifeneder

Fig. 2. Number of vulnerabilities found Fig. 3. Number of points in main DV test

Fig. 4. Knowledge test at the beginning

Fig. 5. Knowledge test at the end

Evaluation of the Offensive Approach in Information Security Education

4.2

213

Knowledge Test

Fig. 4 shows the result of the knowledge test at the beginning of the courses. Since the distribution of the subjects to the two groups was random, the score differs slightly between the offensive and the defensive group. The result of the knowledge test at the end of the courses is depicted by Fig. 5 (the result of the retest is not shown here). As can be observed, in both cases the defensive group achieves a slightly higher score than the offensive group, both in the low and in the high prior knowledge subgroup. This is a surprising result, because it contrasts to the hypthesis, but it is not significant. Since it also does not match prior results, most probably it is an effect at the chance level.

5

Conclusion

In this paper we presented an experimental setup to assess different approaches of information security education at the university degree level. The setup was used to evaluate the offensive approach by comparing it to the classic, defensive approach. To this end, two courses in information security were designed and an empirical study was conducted. While the results of the knowledge test do not support the hypothesis, they show that the design is not flawed, since the subgroups with higher prior knowledge achieve a higher score – something to be expected. The results of the main measuring instrument, the main DV test, show an advantage of the offensive group over the defensive group that is significant. The advantages of the offensive over the defensive approach are, that it leads to a better understanding of information security and that it is more motivating. It is more motivation, because of its game-like approach (a higher fun factor), and because it is easier to discover a vulnerability than to prove that there are no vulnerabilities at all. As a consequence, information security courses should teach offensive aspects. The results of the classification of information security courses at universities (see Sec. 2.1) illustrate, that this is already a trend at universities, because the majority of the reviewed courses includes offensive techniques. The presented setup can be used to repeat the study to gather more empirical data. In reruns of the study more subjects should be used. A still better separation of defensive and offensive methods in the crash courses might be achieved. One way could be to incorporate cryptography as a topic into the courses. The main DV test as it is designed now is restricted to system administrator tasks and could be expanded to also include other – security relevant – topics. The offensive approach presents itself as a valuable method in information security education. And there will always be a need for at least a small amount of experts with offensive experience, e.g. for AV industry, intelligence or law enforcement.

214

M. Mink and R. Greifeneder

References 1. Arce, I., McGraw, G.: Why attacking systems is a good idea (Guest Editors’ introduction). IEEE Security & Privacy 2(4), 17–19 (2004) 2. Arnett, K.P., Schmidt, M.B.: Busting the ghost in the machine. Communications of the ACM 48(8), 92–95 (2005) 3. Black Hat briefings, training and consulting, http://www.blackhat.com 4. Homepage CIPHER CTF, http://www.cipher-ctf.org/ 5. Conti, G.: Why computer scientists should attend hacker conferences. Communications of the ACM 48(3), 23–24 (2005) 6. Conti, G.: Hacking and innovation (Guest Editors’ introduction). Communications of the ACM 49(6), 33–36 (2006) 7. DEF CON Hacking Event, http://www.defcon.org 8. Farmer, D., Venema, W.: Improving the security of your site by breaking into it. Usenet Posting to comp.security.unix, 3 (December 1993) 9. Homepage Hack This Site, http://www.hackthissite.org/missions/ 10. Homepage International Capture The Flag, http://ictf.cs.ucsb.edu/ 11. Jonsson, E., Olovsson, T.: A Quantitative Model of the Security Intrusion Process Based on Attacker Behavior. Transactions on Software Engineering 23, 235–245 (1997) ¨ 12. Mertens, C.: Wie lehrt man IT-Sicherheit am Besten – Ubersicht, Klassifikation und Basismodule. Master’s thesis, RWTH Aachen (2007) 13. Mink, M.: Vergleich von Lehrans¨ atzen f¨ ur die Ausbildung in IT-Sicherheit. PhD thesis, University of Mannheim (2009) 14. Mink, M., Freiling, F.C.: Is Attack Better Than Defense? Teaching Information Security the Right Way. In: Proceedings of the Conference on Information Security Curriculum Development (InfoSecCD), pp. 44–48. ACM Press, New York (2006) 15. N¨ af, M., Basin, D.: Conflict or review – two approaches to an information security laboratory. Communications of the ACM 51(12), 138–142 (2008) 16. Schumacher, M., Moschgath, M.-L., Roedig, U.: Angewandte Informationssicherheit: Ein Hacker-Praktikum an Universit¨ aten. Informatik Spektrum 6(23) (June 2000) 17. Shadish, W.R., Cook, T.D., Campbell, D.T.: Experimental and QuasiExperimental Designs for Generalized Causal Inference. Cengage Learning (2001) 18. Starfleet academy hackits, http://isatcis.com/ 19. Vigna, G.: Red team/blue team, capture the flag, and treasure hunt: Teaching network security through live exercises. In: World Conference on Information Security Education, pp. 3–18 (2003) 20. White, G., Nordstrom, G.: Security across the curriculum: Using computer security to teach computer science principles. In: Proceedings of the 19th International Information Systems Security Conference, pp. 519–525 (1998)

Research Methodologies in Information Security Research: The Road Ahead Johan F. van Niekerk and Rossouw von Solms Institute for Information and Communication Technology Advancement, Nelson Mandela Metropolitan University

Abstract. This panel discussion will examine the methodological traditions currently existing amongst the fraternity of information security researchers. Information security researchers commonly engage in research activities ranging from the highly technical, to the “softer” human orientated. As such, researchers engaged in the field of information security could potentially make use of research philosophies, paradigms, and methodologies ranging from the quantitative/positivist to the interpretive/qualitative. This panel discussion will examine current trends in the selection and use of research methodologies amongst researchers from the information security fraternity and will attempt to address issues relating to such choices. Finally the possible impact of methodological traditions from the human and social sciences on future information security research activities will be discussed.

1

Introduction

The field of information security encompasses a wide range of interests and activities. As such, research activities in information security could include elements ranging from technical fields, such as engineering, mathematics, or application development, to fields that are normally classified as forming part of the human and social sciences, such as, management, law, psychology, or education. Therefor, unlike many other fields of study, information security has no single specific methodological tradition that is commonly accepted by the entire fraternity of information security researchers. This wide range of methodological choices available to information security researchers could potentially have an impact on how “usable” the results of any specific information security publication is to other information security researchers. Research methodologies play a very important role in ensuring both the quality of research and in determining whether or not the results of one study could be meaningfully integrated with the results of another. Without a clear and rigorous methodology it becomes difficult for the reader to assess the validity and trustworthiness of the publication’s research results. The methodology itself does not necessarily validate the research, it does however convey to the reader how formalisms apply to the published work. As stated by Marcus and Lee [1], “Methodologies in themselves, like algebraic symbols, are formalisms, devoid of empirical content. Shared examples of the empirical application of methods are K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 215–216, 2010. c IFIP International Federation for Information Processing 2010 

216

J.F. van Niekerk and R. von Solms

essential for establishing how the formalisms (whether intensive or extensive, positivist or interpretive) apply”. All researchers are to varying degrees dependent on the work done by other researchers before them. Sir Isaac Newton, one of the foremost scientists of the last few centuries, is often quoted as having said: “If I have seen further it is only by standing on the shoulders of giants”. This is true of most research. A researcher’s work is often judged by the credibility of his/her argument, which is based on a specific philosophical stance and which is supported by the arguments of earlier researchers (included as citations in his/her work). Even the best research results might be discredited if it was based on prior research of doubtful integrity, or if it was based on prior work from an incompatible philosophical stance. Due to the wide range of possible philosophical stances, paradigms, or research methodologies that could be chosen by information security researchers, it could be argued that issues relating to the compatibility of prior research are even more important in information security studies than in other “more unified” fields. It is therefor imperative, in order to ensure the continued trustworthiness of published information security research, for the information security research fraternity to engage in reflexive discussion regarding the methodological traditions in the field of information security. This panel discussion will examine issues relating to current trends in the selection and usage of research methodologies amongst information security researchers and the possible impact of such trends on future information security research. The purpose of this panel discussion is to encourage healthy debate regarding the current and future use of various methodological traditions amongst the information security research fraternity. The panel will specifically focus on the “borrowing” of qualitative methods for use in information security research. There have been calls in the past for information security researchers to pay more attention to theories from the human and social sciences when dealing with the human aspects of information security. Should information security researchers who “adopts” qualitative methodologies from the human and social sciences also adhere to the traditions ensuring research rigor amongst researchers in the human or social sciences? Or will the information security research fraternity eventually “evolve” its own methodological traditions relating to the use of these “borrowed” methodologies?

References 1. Marcus, M.L., Lee, A.S.: Special issue on intensive research in information systems: Using qualitative, interpretive, and case methods to study information technology: Foreward. MIS Quarterly 23(1), 35–38 (1999)

Purpose-Based Access Control Policies and Conflicting Analysis Hua Wang1 , Lili Sun1 , and Vijay Varadharajan2 1

Department of Maths and Computing, University of Southern Queensland {wang,sun}@usq.edu.au 2 Department of Computing, Faculty of Science Macquarie University, Australia [email protected]

Abstract. This paper proposes a purpose-based framework for supporting privacy preserving access control policies and mechanisms. The mechanism enforces access policy to data containing personally identifiable information. The key component of the framework is purpose involved access control models (PAC) that provide full support for expressing highly complex privacy-related policies, taking into account features like purposes and conditions. A policy refers to an access right that a subject can have on an object, based on attribute predicates, obligation actions, and system conditions. Policy conflicting problems may arise when new access policies are generated. The structure of purpose involved access control policy is studied, and efficient conflict-checking algorithms are developed. Finally a discussion of our work in comparison with other access control and frameworks such as EPAL is presented. Keywords: Purpose, Privacy, Access Control, Conflicts.

1

Introduction

Privacy is increasing in importance since it becomes a major concern for both customers and enterprises in today’s corporate marketing strategies. This raises challenging questions and problems regarding the use and protection of private messages. One principle of protecting private information is based on who is allowed to access private information and for what purpose [Agrawal et al. 2002]. For example, personal information provided by patients to hospitals may only be used with record purpose, not for advertising purpose. There must be purposes for data collection and data access. The motivations for adopting purpose based approach are 1) the fundamental policies for private information concern with which data object is used for what purposes [Byun and Li 2008] (for example, customers’ age and email address are used for the purpose of marketing analysis), and 2) customers agreed data usage varies from individual to individual. Information technology provides the capability to store various types of users’ information required during their business activities. Indeed, Pitofsky K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 217–228, 2010. c IFIP International Federation for Information Processing 2010 

218

H. Wang, L. Sun, and V. Varadharajan

[2000] showed that 97 percent of web sites were collecting at least one type of identifying information such as name, e-mail address, or postal address of consumers. The fact that the personal information is collected and can be used without any consent or awareness violates privacy for many people. This paper analyses purpose based methods to secure private information. Data privacy is defined by policies describing to whom the data may be disclosed and what are the purposes of using the data [Abiteboul et al. 2005]. For example, a policy may specify that price of an air ticket from an agent may be disclosed, but only with “opted-in” customers, or that the price will be disclosed unless the agent has specifically “opted-out” of this default. While there is recent work on defining languages for specifying privacy policies [Schunter et al. 2003, Cranor et al. 2006], access control mechanisms for enforcing such policies have not been investigated [LeFevre et al. 2004]. Ni et al. [2007] analyzed a conditional privacy management with role based access control, which supports expressive condition languages and flexible relations among permission assignments for complex privacy policies. But many interested problems remain, for example, developing a formal method to describe and manage purposes and to automatically detect possible conflicts between access policies. As stated by Adams and Sasse (2001): “Most invasions of privacy are not intentional but due to designers’ inability to anticipate how this data could be used, by whom, and how this might affect users”? The remainder of this paper is organized as follows: Section 2 presents the motivations behind our work in this paper. Section 3 proposes a purpose based access framework which includes detailed information of purposes and access control evaluation. Section 4 provides access control policy structure and authorization models as well as illustrates the impact of generating a new access policy through examples. Section 5 describes conflict problems in access purposes and policies, and develops algorithms for detecting conflicts between purposes.. Section 6 compares the work in this paper and related previous work, the comparisons demonstrate the significance of the work in this paper. Finally, the conclusion of the paper and further work are given in Section 7.

2

Motivations

The important techniques for private information occur in distributed systems specifically tailored to support privacy policies, such as the well known P3P standard [Cranor 2006]. In particular, Agrawal et al. [2002] introduced the concept of Hippocratic databases, incorporating privacy protection in relational database systems. An important feature of their work is that it uses some privacy metadata, consisting of privacy policies and privacy authorizations stored in privacy-policies tables and privacy-authorizations tables respectively. However, they neither discussed the concepts of purpose with hierarchy structure, nor the prohibition of purpose and association of purposes and data elements. LeFevre, et al. [2004] presented an approach to enforce privacy policy in database systems. They introduced two models of cell level limited disclosure enforcement, namely

Purpose-Based Access Control Policies and Conflicting Analysis

219

table semantics and query semantics, but did not consider access control management. Ni et al. [2007] analyzed a role-based access model for purpose-based privacy protection, but their work did not consider usage access management and the conflicts between purposes in policies. The development of access technology entails addressing many challenging issues, ranging from modelling to architectures, and may lead to the next-generation of access management. This paper develops purpose based access technology for privacy violation challenges including complex policy structured models with access control. Secure private information cannot be easily achieved by traditional access management systems because traditional access management systems focus on which user is performing what action on which data object [Wang et al. 2008b], and privacy policies are concerned with which data object is used for what purpose(s). For example, a common privacy agreement between a data collector and customers is “we use customer information for marketing purposes and to enable help us to resolve problems with services” that does not specify who can access the customer information, but only states that the information can be accessed for the purposes of marketing and customer service. Another challenge in access control policies is the conflict problem when generating new policies. For example, assume three access control policies and no conflicts between two access control policies; however it may lead to conflicts when three access policies are executed. This paper focuses exclusively on how to specify and enforce policies for authorizing purpose-based access management using a rule-based language. We propose a comprehensive framework for purpose and data management where purposes are organized in a hierarchy. In our approach each data element is associated with a set of purposes, as opposed to a single security level in traditional secure applications. Also, the purposes form a hierarchy and can vary dynamically. These requirements are more complex than those concerning traditional secure applications. To provide sufficient functions with the framework, this paper analyses the explicit prohibition of purpose and the association of a set of purposes with access control policies. Furthermore, we discuss the conflict problems with multiple access control policies and develop algorithms for detecting and resolving conflicts. This kind of analysis for purpose-based usage control for privacy preserving has not been studied.

3

Purpose Involved Access Control Framework

This section develops a purpose based access control framework called PACF. PACF includes extended access control models and supports purpose hierarchy by introducing the intended and access purposes, and purpose associated data models. It is supposed authorization approaches in access control models to be applied for access purpose determination in database systems. Purpose. A purpose describes the reason(s) for data collection and data access [Ni et al. 2007]. A set of purposes P, is organized in a tree structure, referred to as a Purpose Tree PT, where each node represents a purpose in P and each edge

220

H. Wang, L. Sun, and V. Varadharajan General Purpose

Admin

Order

Purchase

Audit

Complaint

Others

Advertising Record Direct−Use

D−Address Problems

Billing

Marketing

D−Phone

Third Party−Use

T−Address T−Email

Promotion Shipping

Fig. 1. Example of purpose structure

represents a hierarchical relation (i.e., specialization and generalization) between two purposes. Figure 1 gives an example of a purpose tree. Let Pi and Pj be two purposes in a purpose tree. Pi is senior to Pj (or Pj is junior to Pi ) if there exists a downward path from Pi to Pj in the tree. Based on the tree structure of purposes, the partial relationships between purposes are existed. Suppose PT is a purpose tree and P is a set of purposes in PT. P u ∈ P is a purpose, the senior purposes of P u, denoted by Senior(P u), is the set of all nodes that are senior to P u. For example, Senior(Record) = {Admin, General Purpose } in Figure 1. The junior purposes of P u, denoted by Junior(P u), is the set of all nodes that are junior to P u. For instance, Junior(Admin)= {Advertise, Record}.

4

Access Control Policies

We introduce the structure of access control policy after introducing the basic concepts of purposes[Byun et al. 2005]. Let us assume a generic computer system that possesses data or resources that need to be protected from unauthorized accesses. Policies are defined to apply to this system. Definition 4.1. An access control policy (rule) is a tuple of the form (Subjects, Action, Resources, P urpose, Condition, Obligation) The subjects terms identifies a user or a group who requests an action onto the resources. The action is any operation (e.g. deleting a file) to a resource in the access application. The resources term identifies a subset of objects which are normally private information that access to the objects is restricted. The purpose is selected pre-defined set of purposes that is reasons subjects intend to execute an action. The condition is a Boolean expression (i.e. a predicate) and “Obligations” are requirements that have to be followed by the subject for having access to resources. For instance, users are asked to agree to a privacy

Purpose-Based Access Control Policies and Conflicting Analysis

221

policy when installing Skype software; otherwise, the software cannot be used. We do not discuss conditions in this paper due to limited space available in this paper. Subjects, action, and resources are the same concepts in traditional access control policies that specify who can access what with action. Purposes are applied to achieve fine-grained polices. The purpose checks for properties of the context with no intended side effects. If a side effect exists we need to consider other arguments like obligations and conditions in authorization process. We briefly discuss obligations in this paper but the detailed analysis for obligations is omitted. As we mentioned in the first section, the purpose is the reason to collect the resources and is indispensable to private access policies. The following two examples are positive and negative authorizations, respectively. The security policy example includes two rules. Example 2: “Hua can access purchase information for marketing purpose during working hours”; In the first rule S = Hua, A = read, R = purchase information, P= marketing, C= 8:00am-6:00pm. There is no obligations in the examples. 4.1

Authorization Models

Definition 4.2. The PAC model is composed of the following components: 1. A set S of Subjects, a set D of Data, a set P u = AIP, P IP  of purposes (detailed AIP and P IP are in [Byun and Li, 2008]), a set A of actions, a set of O for obligations and a set of C for conditions. 2. A set of data access right DA = {(d, a) | a ∈ A, d ∈ D}, 3. A set of private data access right P DR = {(da, a, pu, c, o) | da ∈ DA, pu ∈ P u, c ∈ C, o ∈ O, a ∈ A}, 4. Private data subject assignment P DS ⊆ S × P DR is a many-to-many relation that decides what subjects with which access purposes can access the private information based on authorizations. We illustrate through an example a privacy preserving expressed with PAC model. Suppose that Food and Drug Administration (http://www.fda.gov/) is a web site aiming at audience that deploys its privacy policies with the purpose tree in Figure 1: 1, “Hua can read customers’ PostAddress for shipping purpose”. 2, “Tony can only read customers’ Email address for purchase purpose if they allow to do so”. These policies are expressed as follows in PAC model: P1: (Hua, (PostAdd, Read), Shipping, N/A, φ) ) P2: (Tony, (EmailAdd, Read), Purchase, OwnerConsent=‘Yes’, φ) 4.2

Policy Operations

This section analyses the impact of generating new policies to an existing PAC model. It may have unforeseen problems while a new policy for privacy protection

222

H. Wang, L. Sun, and V. Varadharajan

is raised. For example, when Tony moves to the complaint department, a new policy is defined: 5. “Tony can only read Email address of customers, for complaint purpose if they allow to do so” The corresponding expression in PAC is: P5: (Tony, (EmailAdd, Read), Complaint, OwnerConsent=‘Yes’, φ). Comparing to P2, these are two policies for Tony to access Email address for different purposes. What is the results of these two policies if combine them together? Normally, we should apply P2 for Tony to access email address for Purchase purpose and, apply P5 to access email address for Complaint purpose. The differences in these two policies are the purposes where one is Purchase purpose while the other one is Complaint purpose. How the system will verify? Should the system verify Complaint for the access to email addresses with consent conditions? PAC achieves that by considering different access policies as linked by a conjunction. That is, if a user U wants to access right a on data d for purpose P u, all access polices of U related to ((d, a), P u) must be checked. U can read the d if there exists at least one policy and U can satisfy all purposes in all policies. If a new access policy is related to the same user, same data, same right and same conditions of some existed private policies, it is not used to relax the access situations but to make the access stricter. If privacy officers want to relax the access environments, they can do so by revising the existed access policies instead of creating a new one. Suppose two private access policies in PAC: (u1 , (d1 , r1 ), pu1 , c1 , φ) and (u1 , (d1 , r1 ), pu2 , c1 , φ), can we simply replace them with a new one as (u1 , (r1 , d1 ), pu1 ∧ pu2 , c1 , φ)? Consider P 2 and P 5, we have the following policy: P6: (Tony, (EmailAdd, Read), Complaint ∧ Purchase, OwnerConsent = ‘Yes’, φ).

From the purpose hierarchy structure in Figure 1, Complaint ∧ P urchase = Complaint since Complaint is junior to purpose Purchase. Translating P 6 into plain English, we obtain “Tony can read customers’ Email address for Complaint purpose if the customers agree to do so”. The translating is not correct since something is lost. Tony cannot access email addresses, for purposes of Problem solving and Other purchase purposes which are not included. The reason for this is the context variable purchase purpose in P5. The variable purchase purpose separates the values of order into three disjoint sets: Complaint, Problem solving and Others not included in the first two purposes. P2 thus applies to all three kinds of customers, while P5 only applies to email addresses for Complaint purpose. Simply combining purposes in P2 with purposes in P5 actually removes all purposes except Complaint purpose for access email addresses. The notion of splitting context variables is required to analyse this problem [Ni, et al. 2007]. Definition 4.3. A splitting context variable (SCV ) is a context variable that satisfies the following conditions. 1. A SCV is related to purpose information. 2. The values of an SCV partition purposes into disjoint sets.

Purpose-Based Access Control Policies and Conflicting Analysis

223

3. A SCV is not used to represent information about consent. Based on the SCV definition, Order is SCV, whereas Admin and Direct-Use are not since the joint sets of Advertising and Record, D-Address and D-Phone are not empty. The notion of SCV is important and is used in the analysis of the paper. We are now able to give an answer to the aforementioned question: only if both pu1 and pu2 do not involve SCV, or the SCV that they involve have the same values, they could be safely rewritten into pu1 ∧ pu2 . Consider the following two access policies: P7: (Tony, (EmailAdd, Read), Complaint, OwnerConsent=‘Yes’, φ) P8: (Tony, (EmailAdd, Read), N/A, OwnerConsent=‘Yes’, φ). P 7 and P 8 can be revised as: P9: (Tony, (EmailAdd, Read), Complaint, OwnerConsent=‘Yes’, φ). Similarly, the following two access policies: P10: (Tony, (EmailAdd, Read), Shipping, OwnerAge ≤ 13, φ) P11: (Tony, (EmailAdd, Read), Record, OwnerAge ≤ 13 φ) P12: (Tony, (EmailAdd, Read), Shipping ∧ Record , OwnerAge ≤ 13, φ) P12 is equivalent to P 10 and P 11. We now rewrite P 2 and P 5 as following policies: P13: (Tony, (EmailAdd, Read), Shipping ∪ Billing ∪ Problemsolving ∪ Promotion, OwnerConsent=‘Yes’, φ) P14: (Tony, (EmailAdd, Read), Complaint, OwnerConsent=‘Yes’, φ) It is easy to understand P13 and P14 rather than P2 and P5. ∪ means “or” in the example. We do not have obligations in the discussion above. What may happen if there are obligations? Consider the following example: P15: (Tony, (EmailAdd, Read), Complaint, OwnerConsent=‘Yes’, NotifybyPhone) P16: (Tony, (EmailAdd, Read), Purchase, OwnerConsent=‘Yes’, NotifybyEmail)

Intuitively, P15 is fine for Tony reading customers’ email address for Complaint purpose. This means that the phone activity should be invoked for Complaint purpose when accessing customers’ data for Purchase purpose by notified by Email. Therefore, their equivalent forms are: P17: (Tony, (EmailAdd, Read), Complaint, OwnerConsent=‘Yes’, NotifybyPhone and NotifybyEmail) P18: (Tony, (EmailAdd, Read), Shipping ∪ Billing ∪ Problemsolving ∪ Promotion, OwnerConsent=‘Yes’, NotifybyEmail) In summary, a private data access request related to user u, data d, access right a, purpose P u is authorized only if all access policies related to (u, (r, d), P u) are satisfied. If so, obligations in all applicable policies are invoked after the access request.

5

Conflicting Algorithms

In the section, we discuss the various cases of conflicting policies in PAC model. It is not easy to comply with complex security and privacy policies, especially in large enterprises. The more complex a security policy is, the larger is the probability that such policy contains inconsistent and conflicting parts.

224

H. Wang, L. Sun, and V. Varadharajan

Consider the following policies: P19: (Christine, (Read, OrderInfor), Shipping, Time=5PM-11PM, φ) P20: (Christine, (Read, OrderInfor), Problem solving, Time=5PM-11PM, φ) These two policies do not conflict with each other because P19 and P20 actually work on different purposes. The SCV Order used in these two policies as purposes with different values. It is called incomparable policies because they have incomparable purposes, that is, a SCV exists which has two disjoint value sets in the two purposes. Definition 5.1. Let pui and puj be two purposes in two access control policies. We say that pui and puj are incomparable purposes if there exists a common SCV that has disjoint value sets in purposes pui and pui . Otherwise, we say that pui and puj are comparable purposes, written as pui ≈ puj . Consider the following two permission assignments which include comparable purposes: P21: (Christine, (Read, OrderInfor), Purchase, Time = 9AM-5PM, φ) P22: (Christine, (Read, OrderInfor), Billing, Time = 9AM-5PM, φ) Because P21 allows data access during 9AM - 5PM with Purchase purpose and P22 allows data access during in the same time with Billing purpose, a data request occurs during 9AM - 5 PM with Billing purpose could be authorized. These two policies are compatible because they have compatible purposes: the intersection of value sets of context variable Order in different access policies is not empty. Besides compatible purposes, we may have conflicting purposes. P23: (Christine, (Read, OrderInfor), purchase, Time = 5PM-11PM,φ) P24: (Christine, (Read, OrderInfor), audit, Time = 5PM-11PM, φ). P23 specifies that Christine is authorized to access order information for Purchase during 5PM-11PM, whereas P24 allows partners’ access with Audit during 5PM-11PM. Hence, when data access request is issued, the access purpose could not be both purchase and audit. Therefore, any data request will be denied according to these two access policies. These two permission assignments conflict with each other because they have conflicting purposes, that is, no value of the context variable Order could satisfy both purposes. Definition 5.2. Let pui and puj be two comparable purposes in two access policies. We say that pui and puj are conflicting purposes if there exists at least one common context variable in pui and puj that has disjoint value sets, written as pui puj . Otherwise, we say that pui and puj are compatible purposes. Consider the following access policies which include conflicting obligations: P25: (Christine, (Read, OrderInfor), purchase, N/A, Notify()) P26: (Christine, (Read, OrderInfor), purchase, N/A, Notify(Opt-out))

Once a data request is authorized, the system does not know which obligation should be executed (either Notify or Notify with Opt-out); therefore P25 conflicts with P26. We denote the fact that two obligations oi and oj conflict as oi oj . Based on aforementioned definitions and examples, we give the definition of conflicting access policies.

Purpose-Based Access Control Policies and Conflicting Analysis

225

Definition 5.3. Let P i = (ui, (ri, di), pui, ci, oi) and P j = (uj, (rj, dj), puj, cj, oj) be two privacy-sensitive data access policies. We say that P i and P j are conflicting if one of the following two conditions holds: (ui = uj) ∧ (ri = rj) ∧ (di = dj) ∧ (ci = cj) ∧ (pui puj) (ui = uj) ∧ (ri = rj) ∧ (di = dj) ∧ (ci = cj) ∧ (pui ≈ puj) ∧ (oi oj) In PAC, conflicting access policies should be detected and one of them should be removed to prevent ambiguities when enforcing access policies. 5.1

Detecting Algorithms

Conflicting policies detection is important in order to guarantee the consistency of access control policy. In this section, we present algorithms to detect conflicts between purposes and to check conflicts in access control policies. The key point of the algorithm is that we first sort context variables used in conditions according to their name, then make a disjoint test for the value sets for a variable in the various conditions. Algorithm 1. Purpose-Conflict(pu1, pu2) Require: pu1 and pu2 are two purposes applied in two access control policies Outcomes: True //Purposes have conflicts False //Otherwise 1: pul1 : Sort context variables used in pu1 according to their name 2: pul2 : Sort context variables used in pu2 according to their name 3: for(integer i = 1 to |pul1 |) 4: { for(integer j = 1 to |pul2 |) 5: { if pul1 [i].name = pul2 [j].name // Common context variable 6: then 7: { if pul1 [i].SCV = T rue // pul1 [i] is a SCV 8: {if disjointTest(pul1 [i].value, pul2 [j].value) = ‘False’ // pul1 [i].value and 9:

//pul2 [j].value have joint value sets, no conflicts between pul1 [i] and pul2 [j]

10: then j++ //check the next purpose in pu2 11: else 12: Return True //Conflict purposes } 13: else j++ //check the next purpose in pu2 } 14: else j++ } 15: i++ //check the next purpose in pu1 16: Return result Based on the Purpose-Conflict algorithm, the access control policy detection algorithm is given below. Algorithm 2. Policy-Conflict(po1, po2) Require: po1 and po2 are two access control policies Outcomes: True //Policies have conflicts

226

H. Wang, L. Sun, and V. Varadharajan

False //Otherwise 1: if po1 .s = po2 .s or po1 .d = po2 .d or po1 .r = po2 .r or po1 .c = po2 .c or po1 .o = po2 .o, then 2: return False 3: end if 4: { if Purpose-Conflict(po1 .pu, po2 .pu) = True 5: //Checking conflicts between two purposes in two policies 7: return True // policies conflict 8: else // po1 .pu ≈ po2 .pu 9: {if { SCV-Disjoint(po1 .o, po2 .o) = True //obligations are comparable 10: then 11: {if Obligation-Conflict(po1 .o, po2 .o)= True 12: return True // Obligations conflicts 13: else return False //no conficts in policies } 14: else // SCV-Disjoint(po1 .o, po2 .o) = False, Obligation incomparable 15: return False // No conflicts in policies} 16: } Based on Algorithm 1, 2 and the structure of access purpose and policy, we can further develop algorithms with SQL to support the purpose and policy management approach presented in this paper. The detailed methods with SQL are omitted due to the length of the paper.

6

Comparisons

We present a brief comparison of the purpose involved access model PACagainst other related work. The closely related works to this paper are privacy-aware role-based access control [Ni et al. 2007] and the enterprise privacy authorization language (EPAL)[Schunter, et al. 2003]. Ni et al [2007] introduced a family of models that extend the well known RBAC model in order to provide full support for expressing highly complex privacy-related policies, taking into account features like purposes and obligations. The models include the Core P-RBAC model, Hierarchical P-RBAC model, Conditional P-RBAC and Universal P-RBAC. Their work is different from ours in three aspects. First, their paper is focused on the conditions and their relationships in role-based access control. By contrast, our work has analyzed the purpose hierarchy structure in access control policies in usage access control model. Second, the conflicts between two P-RBAC permission assignments discussed in their paper are based on conditions. They neither analyze the access purpose structure nor the impact of adding a new access policy with different purposes. By contrast, our work has analyzed purpose hierarchical structure and the impact of adding new access control policies, specially the conflicting problem between three purposes. EPAL [Schunter, et al. 2003] is a formal language for writing enterprise privacy policies to govern data handling practices in IT systems according to fine-grained

Purpose-Based Access Control Policies and Conflicting Analysis

227

positive and negative authorization rights. It concentrates on the core privacy authorization while abstracting data models and user-authentication from all deployment details such as data model or user-authentication. An EPAL policy defines lists of hierarchies of data-categories, user-categories, and purposes, and sets of (privacy) actions, obligations, and conditions. Purposes model the intended service for which data is used (e.g., processing a travel expense reimbursement or auditing purposes). Compared to EPAL, PAC has the following major differences. First, one of the important design criteria of PAC is to unify privacy policy enforcement and access control policy enforcement into one access control model. By contrast, EPAL is designed independently from any access control model. Second, the conflicting policies problem was not introduced and analyzed in EPAL; hence shortcoming exists during answering data access request [Barth et al. 2004], but PAC supports conflict detection to guarantee that no conflicts arise in the procedures of generating new policies, thus preventing the disclosure of private information. Third, the basic ideas of purpose in PAC are borrowed from EPAL, the purposes in EPAL represent reasons of data collection without further discussion such as conflicts from a privacy perspective; by contrast purposes in PAC have rich analysis and conflict algorithms.

7

Conclusions and Future Work

This paper has discussed purpose-based access control policies with conditions and obligations. We have studied the access control framework but also the structure of access policies including subjects, access actions, resources, purposes and obligations. We have also analyzed the impact of adding new policies and the conflicts that they can lead to. Algorithms have been developed to help a system to detect and solve the problems. The work in this paper has extended previous work significantly in several aspects, for example, purpose involved access control, access control policies and generating a new access policy without conflicts. The research for purpose involved access control policies is still in its infancy and much further work remains to be done. There could exist redundant access policies in PAC. For instance, P7 is redundant with respect to P8. Formal definitions of the redundancy need to be developed and solutions for addressing them are possible avenues for our future work.

References 1. Abiteboul, S., Agrawal, R.: The Lowell database research self-assessment. Communications of the ACM 48(5), 111–118 (2005) 2. Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: Hippocratic databases. In: Proc. 28th Int’l Conf. on Very Large Data Bases. Hong Kong, China, pp. 143–154 (2002) 3. Adams, A., Sasse, A.: Privacy in Multimedia Communications: protecting users, not just data. In: People and Computers XV - Interaction Without Frontiers, Joint Proceedings of HCI 2001 and ICM 2001, pp. 49–64 (2001)

228

H. Wang, L. Sun, and V. Varadharajan

4. Barth, A., Mitchell, J.C., Rosenstein, J.: Conflict and combination in privacy policy languages. In: Proceedings of the ACM workshop on Privacy in the electronic society, pp. 45–46 (2004) 5. Bertino, E., Samarati, P., Jajodia, S.: An Extended Authorization Model for Relational Databases. TKDE 9(1), 85–101 (1997) 6. Bertino, E., Byun, J.-W., Li, N.: Privacy-preserving database systems. In: Aldini, A., Gorrieri, R., Martinelli, F. (eds.) FOSAD 2005. LNCS, vol. 3655, pp. 178–206. Springer, Heidelberg (2005) 7. Bonatti, P., Damiani, E., de Capitani, S., Samarati, P.: A Component-Based Architecture for Secure Data Publication. In: Proceedings of the 17th Annual Computer Security Applications Conference, p. 309. IEEE Computer Society, Los Alamitos (2001) 8. Bonatti, P., Damiani, E., De Capitani di Vimercati, S., Samarati, P.: An access control model for data archives. In: Proceedings of the 16th international Conference on information Security: Trusted information: the New Decade Challenge, Norwell, MA, pp. 261–276. Kluwer Academic Publishers, Norwell (2001) 9. Byun, J.-W., Bertino, E., Li, N.: Purpose based access control of complex data for privacy protection. In: Proceedings of the 10th ACM Symposium on Access Control Models and Technologies, NY, USA, pp. 102–110 (2005) 10. Byun, J., Li, N.: Purpose based access control for privacy protection in relational database systems. The VLDB Journal 17(4), 603–619 (2008) 11. Clifton, C.: Using sample size to limit exposure to data mining. Journal of Computer Security 8(4), 281–307 (2000) 12. Cranor, L., et al.: The platform for privacy preferences 1.1 (P3P) specification. W3C Working Group (2006) 13. LeFevre, K., Agrawal, R., Ercegovac, V., Ramakrishnan, R., Xu, Y., DeWitt, D.: Limiting disclosure in hippocratic databases. In: Proceedings of the 13th VLDB Conferenc, pp. 108–119 (2004) 14. Ni, Q., Lin, D., Bertino, E., Lobo, J.: Conditional privacy-aware role based access control. In: ESORICS, pp. 72–89 (2007) 15. Ni, Q., Trombetta, A., Bertino, E., Lobo, J.: Privacy-aware role based access control. In: Proceedings of the 12th ACM Symposium on Access Control Models and Technologies, France, pp. 41–50 (2007) 16. Li, M., Sun, X., Wang, H., Zhang, Y.: Optimal Privacy-aware Path in Hippocratic Databases. In: Zhou, X., Yokota, H., Deng, K., Liu, Q. (eds.) DASFAA 2009. LNCS, vol. 5463, pp. 441–455. Springer, Heidelberg (2009) 17. Li, N., Yu, T., Anton, A.: A semantics-based approach to privacy languages. Technical Report, TR 2003-28 (November 2003) 18. Pitofsky, R., et al.: Privacy online: Fair information practices in the electronic marketplace, a report to congress. Federal Trade Commission (2000) 19. Schunter, M., et al.: The enterprise privacy authorization language (epal 1.1). W3C Working Group (2003) 20. Sweeney, L.: Achieving k-anonymity privacy protection using generalization and suppression. Int. J. Uncertain. Fuzziness Knowl.-Based Syst. 10(5), 571–588 (2002b) 21. Wang, H., Cao, J., Zhang, Y.: Access control management for ubiquitous computing. Future Generation Computer Systems Journal 24, 870–878 (2008b) 22. Zhu, H., Lu, K.: Fine-Grained Access Control for Database Management Systems. Data Management. Data, Data Everywhere, 215–223 (2007)

Delegation in Predicate Encryption Supporting Disjunctive Queries Dongdong Sun, Colin Boyd, and Juan Manuel Gonz´ alez Nieto Information Security Institute, Queensland University of Technology, GPO Box 2434, Brisbane QLD 4001, Australia {dongdong.sun,c.boyd,j.gonzaleznieto}@qut.edu.au

Abstract. Predicate encryption has an advantage over traditional publickey or identity-based encryption, since predicate encryption systems provide more flexible control over access to encrypted data. We focus on delegation capabilities in predicate systems. More specifically, we investigate delegatable encryption systems supporting disjunctive predicate evaluations. We present formal security definitions of delegatable predicate encryption and provide the first delegatable predicate encryption scheme which supports disjunctive predicate evaluations in the publickey setting. We analyze the security of the proposed system and give a security proof. Keywords: Predicate Encryption, Delegation, Disjunction.

1

Introduction

Traditional public-key encryption systems have been used and investigated for decades. In those systems, a user creates a public and private key pair, and the message can be encrypted with the public key and recovered with the corresponding private key. This is sufficient for many applications, where a user knows the identity of the recipient in advance. However, in other applications, a user may require more flexible control over the access to the encrypted data. Predicate encryption is a new primitive which can achieve such flexibility. In predicate-based encryption, private keys are associated with predicates f and ciphertexts are bound to attributes I. A ciphertext corresponding to I can be decrypted by a private key corresponding to f if and only if f (I) = 1. There are a number of contributions to predicate encryption in the literature [1–5]. Those systems can evaluate various predicates over the ciphertext. The most expressive one is the KSW [4] construction, which can support a wide class of predicates including disjunctive predicate evaluations. The system is well suited for many applications. For example, in a bank, for the sake of security, each internal file is labeled with an attribute and both file and attribute are encrypted with the system public key. We assume that the general manager, who is the top authority, holds the master secret key. He can issue a secret key associated with a predicate, the disjunctive predicate in our case. Staffs have different privileges to access files. People in IT department are allowed to read technical K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 229–240, 2010. c IFIP International Federation for Information Processing 2010 

230

D. Sun, C. Boyd, and J.M. Gonz´ alez Nieto

files, and those in customer service department are allowed to read all customer related files. On top of that, there are some files which the general manager wants to make ensure that everyone should read (e.g., bank policy). For each staff, the general manager will encode the predicate, which is associated with attributes in disjunctive form. For example, an IT staff member may receive a key corresponding to predicate (x = “Bank Policy”) ∨ (x = “Tech Manual A”) ∨ (x = “Tech Manual B”), so he can decrypt the files whenever the attribute in the file matches any one of three attributes in the predicate. Moreover, a crucial property of the disjunctive predicate, namely predicate indistinguishability, is applicable to our specific application. The predicate indistinguishability means if an attribute in the ciphertext matches the disjunctive predicate, it is computationally infeasible to find the position of a match, only the existence of a match in at least one position is known [4]. For example, each profile of a customer is encrypted with the customer’s account number (i.e., the attribute). The profile includes the general information about the customer, e.g., name, address, deposit amount, recent transactions. Now the general manager needs some statistics on those profiles. He computes a secret key associated with the predicate (x = “CustomerA’s Account Number”) ∨ (x = “CustomerB’s Account Number”) ∨ (x = “CustomerC’s Account Number”) ∨ (x = “CustomerD’s Account Number”), and sends the key to the staff who is responsible for doing statistics. With that key, the staff can decrypt all profiles related to the predicate. We assume that he knows the predicate, since in the public-key settings, secret keys may reveal some information about the encoded predicate. However, upon decryption, he cannot tell which customer’s account number is related to the decrypted profile due to the property of predicate indistinguishability. For the security consideration, the property is certainly desirable if the staff is not deem to be able to identify the relationship between the account number and the profile. The above-mentioned scenario is sufficient for a small company. If there are hundreds of thousands of staffs, it is not efficient to let only one authority (i.e., the general manager) to compute all keys. Delegation is an attractive solution to the issue. Generally speaking, this mechanism can spread the computational tasks to other entities. We stick with our bank example. Now, instead of computing all secret keys the general manager delegates the tasks to his subordinates, i.e., managers. More specifically, the general manager first computes a key associated with a predicate, e.g., (x = “Bank Policy” ∨ ? ∨ ?), where ? is a delegatable field. He sends this key to one of the managers, e.g., a technical manager. The technical manager then creates a key for the predicate (x = “Bank Policy”) ∨ (x = “Tech Manual A”) ∨ (x = “Tech Manual B”) and gives it to one of the staffs in his department. In this scenario, we have some restrictions. Only the general manager holds the master secret key so that he can initialize the key with some attributes and ensure no managers can modify those fixed attributes (the managers can only fill in the delegatable fields). We also assume the general manager and other managers are authorities who can access any files. The staffs on the lowest level can only obtain keys without delegatable fields.

Delegation in Predicate Encryption Supporting Disjunctive Queries

231

The managers must ensure they give the non-delegatable keys to the staffs. One may argue that we can give the master secret key to all managers, because they have right to decrypt any files. However, as mentioned before, the general manager wants to ensure that some files (e.g., bank policies) should be decrypted by anyone in the bank. By holding the master key, he can always initialize the key with some attributes, e.g., (x = “Bank Policy” ∨ ? ∨ ?), which ensures that anyone can access the “Bank Policy”. Now, all keys can be computed in an efficient way with the help of the managers. We will present a security system which can handle the above mentioned situations in this paper. 1.1

Our Results

In this paper, we present formal security definitions of delegatable predicate encryption supporting disjunctive predicate evaluations. We also present a delegatable predicate encryption scheme in the public-key setting. Our scheme is based on the KSW [4] construction but, unlike their scheme, we achieve delegation. A formal security proof of our scheme is also provided. The required security assumptions have all been introduced in prior works. Our systems are based on a group whose order is the product of four primes. 1.2

Related Work

Identity-Based Encryption and Attribute-Based Encryption. To address the issue of certificate overhead in the PKI system, Shamir [6] introduced the notion of identity-based cryptography. The first practical ID-based encryption (IBE) was proposed by Boneh et al [7]. Thereafter, many efficient ID-based schemes have been proposed [8–10]. Because of the efficiency of the system, ID-based cryptography is now flourishing in the cryptographic community. In attribute-based encryption (ABE) [11–13], a user can receive a secret key associated with an access control policy over the attributes of an encrypted data. Predicate-Based Encryption. Recently, Boneh and Waters [3] proposed the first encryption system possessing the properties of conjunctive, subset and range queries in the public-key setting. Concurrent work by Shi et al. [1] also achieves a similar function. However, they achieve match-revealing instead of matchconcealing. How to construct a system supporting disjunctive predicate was left as an open problem until the work by Katz et al [4]. The KSW system can be regarded as a significant improvement in the theory of predicate-based encryptions. Their work also implies all the results of the BW construction [3]. Based on the KSW system, Shen et al [5] proposed a similar system in the symmetrickey setting. Their system achieves predicate privacy as well as data privacy. Delegation in Predicate Encryption. The notion of delegation was first introduced in this context by Horwitz and Lynn [14]. Subsequently, a number of works address delegation issues in Hierarchical Identity-Based Encryption (HIBE) [15, 16]. The most related context of delegation in predicate encryption appeared in the work of Shi and Waters [2]. They constructed a delegatable

232

D. Sun, C. Boyd, and J.M. Gonz´ alez Nieto

predicate encryption supporting conjunctive queries. However, to construct a system supporting disjunctive queries was left as an open problem, which motivates us to investigate the new system in this paper.

2

Definitions

We describe definitions in our specific settings, where the class of predicates is P = {ORx1 ,...,xl (x)|(x1 , . . . , xl ) ∈ ZlN } such that ORx1 ,...,xl (x) = 1 iff x = x1 or x = x2 or . . . or x = xl . The above-mentioned disjunctive predicate evaluation is based on inner product predicate evaluation which was specified in the work of Katz et al [4]. When we have a message M for the attribute w ∈ ZN to encrypt, we set w := (wl mod N, . . . , w0 mod N ) ∈ ZnN , where n = l + 1, then encrypt w with M . To compute  a secret key for predicate ORx1 ,...,xl (x), we compute a polynomial p(x) = i∈[l] (x − xi ) mod N and set p := (al , ..., a0 ), where al , . . . , a0 are the coefficients of p(x). We then compute the secret key on p. The actual evaluation is based on the class of predicates F = {fx |x ∈ ZnN }, where fx (y) = 1 iff x, y = 0 mod N . As shown by Katz et al [4], ORx1 ,...,xl (w) = 1 iff fp (w) = 1, which forms the bases for our systems. In all our definitions, we let Ω denote a finite set of ZN and Ω? = Ω ∪ {?}, where ? is a delegatable field. Definition 1. A Delegatable Predicate Encryption Scheme comprises of the following algorithms: Setup(1λ ). The Setup algorithm takes as input a security parameter 1λ and outputs a public key P K and a master secret key MSK . Encrypt(P K, w, M ). The Encrypt algorithm takes as input a public key P K, an attribute w ∈ Ω, and a message M in some associated message space. It outputs a ciphertext C. GenKey(MSK , X). The GenKey algorithm takes as input a master secret key MSK and an attribute vector X = (x1 , . . . , xl ) ∈ Ω?l (l is fixed in the system), which corresponds to predicate ORX (x). It outputs a secret key SKX for evaluating ORX (x) over a ciphertext C. Delegate(SKX , x ˆ). The Delegate algorithm takes as input a secret key SKX for ORX (x) and an attribute x ˆ. It outputs a delegated secret key SKX  for the predicate ORX  (x), where X  is obtained by fixing one of the delegatable fields of X with the attribute x ˆ. Query (SKX , C). The Query algorithm takes as input a secret key SKX and a ciphertext C. It outputs either a message M or the distinguished symbol ⊥. Correctness. We require the following correctness property. For all λ, all R R (w, M ) ∈ Ω × M, and all ORX ∈ P , let (P K, MSK ) ← Setup(1λ ), C ← R Encrypt(P K, w, M ), and SKX ← GenKey(MSK , X). – If ORX (w) = 1 then Query(SKX , C) = M . – If ORX (w) = 0 then Query(SKX , C) =⊥ with all but negligible probability. The same property holds, if SKX is computed from Delegate algorithm.

Delegation in Predicate Encryption Supporting Disjunctive Queries

233

Selective Security. We will prove the selective security of our scheme. Our security definition is similar to that of KSW [4], except that there are extra create delegated secret key queries. The formal definition of selective security is provided below. Definition 2. A delegatable predicate encryption scheme is selective secure if for all PPT adversaries A, the advantage AdvA of A in the following game is a negligible function of security parameter λ: Setup(1λ ). A challenger C runs the Setup algorithm to generate public key P K and master secret key MSK , a public key value N is given to A. Init. A outputs vectors a, b ∈ Ω n , which correspond to attributes A, B ∈ Ω, and is then given P K. Query phase 1. A adaptively makes a polynomial number of the following queries: – Create secret key. A requests a secret key for a vector p ∈ Ω n corresponding to predicate ORX (x), where X = (x1 , . . . , xl ) ∈ Ω l . C creates the secret key and gives it to A. – Create delegated secret key. A requests a secret key for a vector p ∈ Ω n corresponding to predicate ORX (x), where X = (x1 , . . . , xl ) ∈ Ω l . C chooses a random number i, where 1 ≤ i ≤ l and creates the secret key for ORXi (x), where Xi = (x1 , . . . , xi ). Using that key as the parent key, C creates the key for ORX (x) in delegatable way. Any key revealed to A are subject to the restriction such that ORX (A) = ORX (B), which is equivalent to fp (a) = fp (b). Challenge. A outputs two equal-length messages M0 and M1 . If there is any ORX (A) = ORX (B) = 1, then it is required that M0 = M1 . C flips a random coin b. If b = 0 then A is given C = Encrypt(Mb , A) and if b = 1 then A is given C = Encrypt(Mb , B). Query phase 2. Repeat the Query phase 1 subject to the restrictions as before. Guess. A outputs a guess b of b, and succeeds if b = b. The advantage of A is defined to be AdvA = |P r[b = b ] − 1/2|.

3

Background on Pairings and Complexity Assumptions

We review the notions about groups of composite order and bilinear maps. Let G be an algorithm that takes as input a security parameter 1λ and outputs a tuple (p, q, r, s, G, GT , e) where p, q, r, s are distinct primes, G and GT are two cyclic groups of order N = pqrs, and e is a non-degenerate bilinear map e : G × G → GT satisfying the following properties: 1. Bilinearity: ∀u, v ∈ G, ∀a, b ∈ Z, e(ua , v b ) = e(u, v)ab . 2. Non-degeneracy: if g generates G then e(g, g) generates GT

234

D. Sun, C. Boyd, and J.M. Gonz´ alez Nieto

We assume the group computation in G and GT , as well as the bilinear map e, are all computable in time polynomial in λ. Furthermore, we assume that the description of G and GT includes generators of G and GT respectively. We will use the notation Gp , Gq , Gr , Gs to denote the respective subgroups of order p, order q, order r and order s of G and we will use the notation GT,p , GT,q , GT,r , GT,s to denote the respective subgroups of order p, order q, order r and order s of GT . There is a crucial property in composite order bilinear map: if hp ∈ Gp and hq ∈ Gq , then e(hp , hq ) = 1. This property holds whenever e is applied to elements in any two distinct subgroups. 3.1

The Composite 3-Party Diffie-Hellman Assumption

The composite 3-party Diffie-Hellman assumption (C3DH) was first introduced by Boneh and Waters [3]. For a given generator G define the following distribution P (1λ ): R

R

R

R

R

(p, q, r, s, G, GT , e) ← G(1λ ), N ← pqrs, gp ← Gp , gq ← Gq , gr ← Gr , gs ← Gs R

R

R1 , R2 , R3 ← Gq , a, b, c ← ZN Z¯ ← ((N, G, GT , e), gq , gp , gr , gs , gpa , gpb , gpab R1 , gpabc R2 ), T ← gpc R3 ¯ T) Output(Z, For an algorithm A, define A’s advantage in solving the composite 3-party Diffie-Hellman problem for G as: ¯ T ) = 1] − P r[A(Z, ¯ R) = 1]| C3DHAdvG,A (1λ ) := |P r[A(Z, R R ¯ T) ← P (1λ ) and R ← Gpq . where (Z,

Definition 3. We say that G satisfies the composite 3-party Diffie-Hellman assumption (C3DH) if for any polynomial time algorithm A, and its advantage C3DHAdvG,A (1λ ) is negligible in the security parameter λ. The assumption is formed around the intuition that it is hard to test for DiffieHellman tuples in the subgroup Gp if the elements have a random Gq subgroup component. 3.2

Other Assumptions

Assumption 1. For a given generator G define the following distribution P (1λ ): R

R

R

R

R

(p, q, r, s, G, GT , e) ← G(1λ ), N ← pqrs, gp ← Gp , gq ← Gq , gr ← Gr , gs ← Gs R

R

R

Q1 , Q2 ← Gq , R1 , R2 , R3 ← Gr , a, b, c ← Zp 2 Z¯ ← ((N, G, GT , e), gp , gr , gs , gq R1 , gpb , gpb , gpa gq , gpab Q1 , gpc , gpbc Q2 R2 ) R

2

β ← Zq , T ← gpb c gqβ R3 ¯ T) Output(Z,

Delegation in Predicate Encryption Supporting Disjunctive Queries

235

For an algorithm A, define A’s advantage in the above experiment for G as: ¯ g b2 c R3 ) = 1] − P r[A(Z, ¯ g b2 c g β R3 ) = 1]| A1AdvG,A (1λ ) := |P r[A(Z, p p q Definition 4. We say that G satisfies the assumption 1 if for any polynomial time algorithm A, its advantage A1AdvG,A (1λ ) is negligible in the security parameter λ. Assumption 2. For a given generator G define the following distribution P (1λ ): R

R

R

R

R

(p, q, r, s, G, GT , e) ← G(1λ ), N ← pqrs, gp ← Gp , gq ← Gq , gr ← Gr , gs ← Gs R

R

R

h ← Gp , Q1 , Q2 ← Gq , c, γ ← Zq Z¯ ← ((N, G, GT , e), gp , gq , gr , gs , h, gpc , hc Q1 , gpγ Q2 , e(gp , h)γ ), T ← e(gp , h)γc ¯ T) Output(Z, For an algorithm A, define A’s advantage in the above experiment for G as: ¯ T ) = 1] − P r[A(Z, ¯ R) = 1]| A2AdvG,A (1λ ) := |P r[A(Z, R R ¯ T) ← P (1λ ) and R ← GT . where (Z,

Definition 5. We say that G satisfies the assumption 2 if for any polynomial time algorithm A, its advantage A2AdvG,A (1λ ) is negligible in the security parameter λ. The above two assumptions imply the hardness of finding any non-trivial factor of N . They are proven to hold in the generic group by Katz et al [4].

4

Our Scheme

We construct our delegatable predicate encryption scheme by extending the KSW system [4]. Our scheme possesses all the properties of the KSW system. In our construction, we require that the fixed attributes associated with the disjunctive predicate cannot be modified by anyone. Only the delegatable fields can be filled in. More specifically, it is hard to obtain the parent key by carrying out computations on the child keys. On the technical level, our construction is based on the following observations. Assume that we have a key for the predicate ((x = a) ∨ (x = b) ∨ ? ), where ? is a delegatable field. The predicate can be rewritten in polynomial equation p(x) = (x − a) · (x − b). If we fill in x = c in the third field, then the equation is p (x) = (x − a) · (x − b) · (x − c) = p(x) · x + p(x) · (−c). As specified in Section 2, we know that the coefficients of the above polynomials will be encoded into secret keys. Our secret key SK consists of two components, a decryption key component DK and a delegation component DL. Assume coefficients of p(x) is encoded in secret key SKZ . We can shift elements in DKZ to obtain the elements associated with p(x) · x and raise elements in DLZ to the power of (−c) to obtain the elements associated with p(x) · (−c). We combine DLZ and DKZ to obtain keys corresponding to p (x). More details can be found in the following scheme.

236

D. Sun, C. Boyd, and J.M. Gonz´ alez Nieto

Setup(1λ ). The setup algorithm first picks random large primes p, q, r, s and creates groups G and GT of composite order N = pqrs. It then computes gp , gq , gr and gs as generators of group Gp , Gq , Gr and Gs , respectively. Next, it randomly chooses R1,i , R2,i ∈ Gr and h1 , h2 ∈ Gp , where i = 1 to n. It also chooses R0 ∈ Gr , γ ∈ Zp and h ∈ Gp at random, and sets l = n − 1, which is the size of the attribute vector. It publishes (N = pqrs, G, GT ) and the values P K = ( gp , gr , gs , Q = gq ·R0 , P = e(gp , h)γ , l, {H1,i = h1 ·R1,i , H2,i = h2 ·R2,i }ni=1 ). The master secret key MSK is (p, q, r, s, gq , h−γ , h1 , h2 ). Encrypt(P K, w ∈ Ω, M ∈ M ⊆ GT ). Assume that Ω ⊆ ZN . M is some efficiently-recognizable subgroup of GT . To encrypt a message M for the attribute w, the algorithm computes (w1 = w0 mod N, . . . , wn = wn−1 mod N ). Then, it chooses random δ, α, β ∈ ZN and R3,i , R4,i ∈ Gr for i = 1 to n. The ciphertext is   δ δ C = C  = M ·P δ , C0 = gpδ , {C1,i = H1,i ·Qα·wi ·R3,i , C2,i = H2,i ·Qβ·wi ·R4,i }n i=1 .

GenKey(MSK , X ∈ Ω?l ). Assume Ω? = Ω ∪ {?}, where ? is a delegatable field. Let X = (x1 , . . . , xl ) ∈ Ω?l . I(X) denotes the set of all indices u where xu ∈ Ω. This algorithm encodes X as a univariate polynomial p(x) =  u∈I(X) (x − xu ) mod N , and then extends the equation to obtain p(x) = aI+1 xI + · · · + a1 x0 mod N , where aI+1 , . . . , a1 are the coefficients of the resulting polynomial and I is the number of all fixed fields. We set ai = 0 for i > I + 1. The secret key for X consists of two parts: a decryption key component DK and a delegation component DL. – DK: Choose random r1,i , r2,i ∈ Zp and Y, Y1,i , Y2,i ∈ Gs for i = 1 to n (n = l + 1), random R5 ∈ Gr , random f1 , f2 ∈ Zq and random Q6 ∈ Gq . The decryption key is   n −r −r K = R5 · Q6 · h−γ · i=1 h1 1,i · h2 2,i · Y, DK = r r {K1,i = gp1,i · gqf1 ·ai · Y1,i , K2,i = gp2,i · gqf2 ·ai · Y2,i }ni=1 – DL: Let w denotes the number of delegatable fields. The algorithm computes w parallel components. They have similar structures with the decryption key component. The main difference is that only the decryption key component contains the master secret h−γ . Let W = {1, . . . , w}. For each v ∈ W, for i = 1 to n, choose random r1,i,v , r2,i,v ∈ Zp and Y1,i,v , Y2,i,v ∈ Gs . For each v ∈ W, choose random R5,v ∈ Gr , random Yv ∈ Gs and random Q6,v ∈ Gq . The delegation component is   n −r −r Lv = R5,v · Q6,v · i=1 h1 1,i,v · h2 2,i,v · Yv , DLv = r r {L1,i,v = gp1,i,v · gqf1 ·ai · Y1,i,v , L2,i,v = gp2,i,v · gqf2 ·ai · Y2,i,v }ni=1 where v ∈ W.

Delegation in Predicate Encryption Supporting Disjunctive Queries

237

Delegate(SKX∈Ω?l , x ˆ ∈ Ω). Given a secret key for X and an attribute x ˆ, this algorithm fixes one of the delegatable fields of X with x ˆ to obtain X  , and computes the secret key for X  . Clearly, if we can perform delegation on one field, then we can perform delegation on multiple fields. If there is no delegatable field, the algorithm simply aborts. Step 1: Let (DK, DL) denote the secret key for X with w delegatable fields. Pick a random μ ∈ ZN and rerandomize the wth delegation component DLw by raising every element in DLw to μ:   ˆ 1,i = Lμ , L ˆ 2,i = Lμ }ni=1 ˆ = L ˆ = Lμw , {L DL 1,i,w 2,i,w ˆ Step 2: Multiply the decryption key component DK by DL:   ˆ 1,i , K ˆ 2,i = K2,i · L ˆ 2,i }n ˆ = K ˆ = K · L, ˆ {K ˆ 1,i = K1,i · L DK i=1 ˆ for all v ∈ W  , Step 3: Multiply the delegation component DLv by DL   where W = {1, . . . , w − 1}. For all v ∈ W , we compute following:   ˆ v = Lv · L, ˆ {L ˆ 1,i,v = L1,i,v · L ˆ 1,i , L ˆ 2,i,v = L2,i,v · L ˆ 2,i }ni=1 ˆ v= L DL Step 4: Perform a circular shift on the randomized decryption key compoˆ nent DK:   ˆ 1,n , pK2,1 = K ˆ 2,n , ˆ pK1,1 = K pK = K, pDK = ˆ 1,i−1 , pK2,i = K ˆ 2,i−1 }n {pK1,i = K i=2 Step 5: Compute decryption key component DK  for X  . DK  is computed from two components: 1) pDK, the shifted decryption key component of ˆ 1 , the randomized delegation component for X. secret key for X. 2) DL   First randomly select Y  , Y1,i , Y2,i ∈ Gs for i = 1 to n, then raise every ˆ 1 to −ˆ element in DL x, output the following DK  :

ˆ −ˆx · pK · Y  , K = L  1 DK =  ˆ −ˆx · pK1,i · Y  , K  = L ˆ −ˆx · pK2,i · Y  }n =L {K1,i 1,i 2,i 2,i i=1 1,i,1 2,i,1 Step 6: Compute delegation component DL of X  . DL is computed from ˆ v for all v ∈ W  , where W  = the randomized delegation component DL {1, . . . , w − 1}. Generally speaking, each time the algorithm performs ˆ v components to obtain a DL some computations on two of the DL  component. The resulting DL will consists of w − 1 components. For ˆ 1 and DL ˆ 2 to compute DL , then choose DL ˆ 2 and example, choose DL 1  ˆ DL3 to compute DL2 , etc. To compute the last component DLw−1 , ˆ w−1 and DL ˆ 1. choose DL

238

D. Sun, C. Boyd, and J.M. Gonz´ alez Nieto

ˆ v components to obtain Now we describe how to compute on two of DL  ˆ 1 and DL ˆ 2 . First a DL component. Assume two components are DL ˆ perform a circular shift on DL1 :

ˆ 1,n,1 , pL2,1,1 = L ˆ 2,n,1 pL1 = Lˆ1 , pL1,1,1 = L  pDL1 = n ˆ 1,i−1,1 , pL ˆ {pL1,i,1 = L 2,i,1 = L2,i−1,1 }i=2   Next, choose random Y  , Y1,i , Y2,i ∈ Gs for i = 1 to n, then raise every ˆ element in DL2 to −ˆ x and output the following DL1 :

−ˆ x    ˆ = L · pL · Y L 1 1 2 DL1 =     n ˆ −ˆx · pL ˆ −ˆx {L1,i,1 = L 1,i,1 · Y1,i , L2,i,1 = L2,i,2 · pL2,i,1 · Y2,i }i=1 1,i,2 In this way, we will be able to compute DLv for all v ∈ W  . NB: If there is only one delegatable field in X, we have one delegation component DL1 . In Step 1 – 3, we use DL1 to randomize DK and DL1 , all other computations are the same. Query(SKX , C). Given a ciphertext and a secret key for X, where X ∈ Ω?l , compute the following: C  · e(C0 , K) ·

n 

e(C1,i , K1,i )e(C2,i , K2,i )

i=1

It returns M , if M ∈ M. Otherwise, it returns an error. Correctness. To verify that the correctness holds for the scheme, we first show that the secret keys obtained by Delegate algorithm have the same structures as those created directly by GenKey algorithm. We focus on the decryption key component and the delegation component, respectively. The notation is the same as in the scheme. In the decryption components DK, for i = 1 to n, the substitutions:   r1,i = μ · r1,i,w + r1,i , r2,i = μ · r2,i,w + r2,i  f1 = μ · f1 + f1 , f2 = μ · f2 + f2 can be rewritten in the Delegate algorithm as

n −r  −r  K  = R5 · Q6 · h−γ · i=1 h1 1,i · h2 2,i · Y  ,  DK = r r f  ·a f  ·a     n = gp1,i · gq 1 i · Y1,i , K2,i = gp2,i · gq 2 i · Y2,i }i=1 {K1,i where ai , for i = 1 to n, are coefficients of polynomial after the delegating operations. It is not hard to see that the decryption key component is correctly distributed. Similarly, it can be shown that the delegation component DL is also correctly distributed. Hence, we establish that the secret keys computed from GenKey and Delegate have the correct distributions.

Delegation in Predicate Encryption Supporting Disjunctive Queries

239

Now we need to prove that the scheme is consistent with respect to the Encrypt, GenKey, Delegate and Query algorithms. Since we have already proven that the secret keys produced by GenKey and Delegate have the correct distributions, we will only consider GenKey for consistency. The rest of the proof is exactly the same argument shown in the work of Katz et al [4]. We omit it in here.

5

Proof of Security

Theorem 1. If G satisfies the composite 3-party Diffie-Hellman assumption, assumption 1 and 2, then the delegatable predicate encryption scheme is selectively secure. Our scheme is secure against adversaries, who are not allowed to perform delegation computation. In our security games, the adversaries can only request secret keys for full attribute vectors, in which there are no delegatable fields. The secret keys can be computed from either the GenKey or the Delegate algorithm. We note that delegated secret keys have some correlations with their parent secret keys. As a result, the distributions of delegated keys differ from freshly generated keys. Our proof is inspired by the technique used in Shi and Waters’ work [2], which is called “key indistinguishability”. Although delegated keys have correlations with their parent keys, they are computationally indistinguishable from freshly generated keys computed by the GenKey algorithm. This is a crucial step in our proof and simplifies our simulation. Now, instead of answering the adversary’s query honestly, the simulator can give a freshly generated key to the adversary whenever the adversary makes a fresh key query or a delegated key query. Intuitively, the notion of “key indistinguishability” relies on the C3DH assumption: if we use a random hiding factor from Gr to randomize each term in the key, then Decisional Diffie-Hellman problem is hard in the subgroup Gp . After “key indistinguishability” is established, the rest of the proof will be very similar to the proof in Katz’s work [4]. It is not hard to see that by “key indistinguishability”, we effectively reduce our security game to Katz’s original game, because the delegation key queries are treated as fresh key queries. We provide a proof in the full version of this paper.

6

Conclusion

In this paper, we study delegation techniques in predicate encryption systems, which support disjunctive predicate evaluation. We first provide security definitions for delegatable predicate encryption and then give a delegatable scheme in the public-key setting supporting disjunctive predicate evaluation. In the future, we will focus on delegatable predicate encryption supporting disjunctive and conjunctive normal form. Our aim is to find a delegatable system which can support arbitrary combinations of disjunctive and conjunctive predicate evaluations. The ultimate goal is to achieve delegation in all predicate systems.

240

D. Sun, C. Boyd, and J.M. Gonz´ alez Nieto

References 1. Shi, E., Bethencourt, J., Chan, H.T., Song, D., Perrig, A.: Multi-Dimensional Range Query over Encrypted Data. In: IEEE Symposium on Security and Privacy, pp. 350–364. IEEE Press, Los Alamitos (2007) 2. Shi, E., Waters, B.: Delegating Capability in Predicate Encryption Systems. In: Aceto, L., Damg˚ ard, I., Goldberg, L.A., Halld´ orsson, M.M., Ing´ olfsd´ ottir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 560–578. Springer, Heidelberg (2008) 3. Boneh, D., Waters, B.: Conjunctive, Subset, and Range Queries on Encrypted Data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007) 4. Katz, J., Sahai, A., Waters, B.: Predicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008) 5. Shen, E., Shi, E., Waters, B.: Predicate Privacy in Encryption Systems. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 457–473. Springer, Heidelberg (2009) 6. Shamir, A.: Identity-Based Cryptosystems and Signature Schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985) 7. Boneh, D., Franklin, M.: Identity-Based Encryption From the Weil Pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001) 8. Waters, B.: Efficient Identity-Based Encryption Without Random Oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005) 9. Boneh, D., Boyen, X.: Efficient Selective-ID Secure Identity Based Encryption Without Random Oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004) 10. Gentry, C.: Practical Identity-Based Encryption Without Random Oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006) 11. Goyal, V., Pandey, O., Sahai, A., Waters, B.: Attribute-Based Encryption for Finegrained Access Control of Encrypted Data. In: ACM Conference on Computer and Communication Security 2006, pp. 89–98. ACM, New York (2006) 12. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-Policy Attribute-Based Encryption. In: 2007 IEEE Symposium on Security and Privacy, pp. 321–334. IEEE Press, Los Alamitos (2007) 13. Sahai, A., Waters, B.: Fuzzy Identity-Based Encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005) 14. Horwitz, J., Lynn, B.: Towards Hierarchical Identity-Based Encryption. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 466–481. Springer, Heidelberg (2002) 15. Boyen, X., Waters, B.: Anonymous Hierarchical Identity-Based Encryption (Without Random Oracles). In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 290–307. Springer, Heidelberg (2006) 16. Boneh, D., Boyen, X., Goh, E.: Hierarchical Identity Based Encryption with Constant Size Ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005)

Tagging Disclosures of Personal Data to Third Parties to Preserve Privacy Sven Wohlgemuth1 , Isao Echizen1 , Noboru Sonehara1, and G¨ unter M¨ uller2 1

National Institute for Informatics 2-1-2 Hitotsubashi, Chiyoda-ku, Tokyo 101-8430, Japan 2 Institute for Computer Science and Social Studies Friedrichstr. 50, 79098 Freiburg i.Br., Germany {wohlgemuth,iechizen,sonehara}@nii.ac.jp, [email protected]

Abstract. Privacy in cloud computing is at the moment simply a promise to be kept by the software service providers. Users are neither able to control the disclosure of personal data to third parties nor to check if the software service providers have followed the agreed-upon privacy policy. Therefore, disclosure of the users‘ data to the software service providers of the cloud raises privacy risks. In this article, we show a privacy risk by the example of using electronic health records abroad. As a countermeasure by an ex post enforcement of privacy policies, we propose to observe disclosures of personal data to third parties by using data provenance history and digital watermarking.

1

Introduction

Cloud computing is the modern version of the time-sharing computing model of 1960s, with the main differences being individuals and enterprises make use of services out of the cloud via a web browser and share computing power as well as data storage [14]. Disclosure of users‘ data to a cloud and at the same time the data federation at software service providers of the cloud facilitate the secondary use of personal data and digital content stored in this, on a massively shared scale, infrastructure, e.g. for data analysis by a third party. The advent of secondary use and disclosure of personal data to third parties have highlighted various problems with cloud computing [20]: – Legal regulations, such as data protection acts [7,8,11], may prohibit the use of clouds for some applications. For instance, the European Data Protection Directive 95/46/EC [7] limits cross-border disclosure of personal data to third countries. An approach is to apply the strictest rules which can restrict the opportunities of cloud computing and increase its costs. – Even though individuals and companies can protect their information systems by using firewalls and intrusion detection systems, they cannot protect their business processes and data from the software service providers of a cloud. A cloud is a black box: Security processes and data storage are hidden K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 241–252, 2010. c IFIP International Federation for Information Processing 2010 

242

S. Wohlgemuth et al.

by the abstraction of the cloud. Users have to trust that the software service providers will follow legal regulations and the agreed-upon policy when using personal data and digital content. We propose a usage control system for ex post enforcement of privacy policy rules regarding the disclosure of personal data to third parties. Since a cloud has the characteristics of a black box, we assume that personal data has been found at a non-authorized service provider, e.g. during an audit, and the auditor reconstructs the chain of disclosures of personal data in order to identify the party who has violated the obligation. We make use of data provenance [2] and digital watermarking [5] in order to link data provenance history to personal data. Higher cryptographic protocols realizing a traceable linkage of personal data with the data provenance history are our contribution. Section 2 presents some privacy risks in the case of disclosure of personal data to third parties. Section 3 introduces the concept of using data provenance for usage control. Section 4 presents our privacy preservation system called DETECTIVE and its higher cryptographic protocols. Section 5 reports on the evaluation of our protocols regarding completeness and soundness. Section 6 reports on related work. Section 7 gives an outlook on future work.

2

Privacy Risks by the Example of E-Health

In practice, service providers publish their privacy policy as part of their general terms and conditions. Users have to accept them and thereby give service providers full authority to process their personal data. For instance, a provider of an electronic health record (EHR) data center collects health data from their users (patients) for the purpose of sharing them among others with clinics, health insurance agencies, and pharmaceutical companies [10,15]. These systems comply with the US American Health Insurance Portability and Accountability Act (HIPAA) [11] by letting users decide on the usage and disclosure of their medical data d, e.g. x-ray images. However, they don’t offer mechanisms to enforce the privacy policy rules. We assume that a patient needs medical treatment abroad. A clinic in the homeland has shot an x-ray image of the patient and has disclosed it to a data center. Patients have shown their digital identity to the first service provider, i.e. the clinic in the homeland, and have agreed on obligations for disclosing their medical data d via a data center to a hospital and to a clinic abroad. Additional disclosures of d are not permitted. Figure 1 shows an exemplary disclosure of the patient‘s health data d and its modification d’ according to the model of [18]. The authorized disclosures are between the clinic in the homeland, a hospital and the clinic abroad via the data center provider. Figure 1 also shows two nonauthorized disclosures. The first violation stems from the data center provider; the second violation stems from the clinic abroad. Personal data d has been disclosed to a non-authorized pharmaceutical company. The aim is to identify the data providers who have violated the policy.

Tagging Disclosures of Personal Data to Third Parties to Preserve Privacy

243

Fig. 1. Some privacy risks in disclosing personal data d to third parties

3

Usage Control by Data Provenance

After a disclosure of personal data from the corresponding user, access rules to this data are not enforceable anymore by the user’s access control system. Usage control extends access control for this purpose by considering access control rules for disclosed data, so called obligations, and the enforcement of obligations [18]. Obligations can be enforced before access to data, e.g. by process re-writing so that violations are impossible, at the moment the data is accessed, e.g. by a monitor with a history of events and knowledge of the future probable process executions, and after an access by an audit [16]. We focus on ex post enforcement, since process re-writing and monitoring contradicts our assumption of a cloud computing information system being a black box. Since we want to re-construct the disclosure chain of given data, we make use of data provenance. The aim of data provenance is to identify “where a piece of data came from and the process by which it arrived in a database” [2]. We propose to tag every disclosure of data to a third party with its data provenance information. A sequence of tags for given personal data represents its data provenance history, which is an audit trail. Tagging gives data providers and consumers a proof to show that disclosure and receipt of personal data are done according to the obligations. The data provenance information for d consists of the data provider’s, data consumer’s identity, and the user’s identity as well as a pointer to the obligations. The obligations are indirectly part of a tag by a link to them, since they should be modifiable if the purpose of the data’s usage changes or the participating service providers change. The tag should stick to d, similar to [12], so that d∗ = (d, tag) can be disclosed while assuring the integrity of the relationship within d∗ . If d∗ is disclosed further in compliance with the obligations, the tag has to be updated by replacing the identity of the data provider with the identity of the previous data consumer and by adding the new data consumer’s identity. The sequence of tags for the same personal data thus constitutes a disclosure chain.

244

4

S. Wohlgemuth et al.

DETECTIVE: Data Provenance by Digital Watermarking

Regarding disclosure of personal data to third parties, the one software service provider acting as the data provider embeds data provenance information into the user’s personal data to be disclosed by the DETECTIVE Signaling Module. Afterwards the tagged data is disclosed to the service provider acting as the data consumer. If subsequent disclosures are allowed by the privacy policy, every software service provider in the disclosure chain should update the data provenance history with the successive data consumer. Regarding a check of the data provenance history, the user or an auditor has found the data. Afterwards, it starts the compliance check of the data’s disclosures with the agreed-upon obligations based on the embedded data provenance history. After extracting all digital watermarks of the personal data under investigation, the DETECTIVE Auditor Module requests and checks the service providers’ input to the data provenance history. The incentive of a service provider, who is acting as a data provider, to tag personal data with the data provenance history is to show his trustworthiness. In section 5 we show that the latest data provider will be identified by a verification of the embedded data provenance history. 4.1

DETECTIVE: The Protocols

DETECTIVE makes use of cryptographic commitments, digital signature, a symmetric digital watermarking algorithm, but without the need of a trustworthy data provider or a trusted third party (TTP) regarding the embedding and checking of data provenance information, and of a protocol for delegation of access rights [1]. The only TTP are the CA for certifying the identities and access rights of all participants and a data protection officer. Cryptographic commitments link the identities of the participating service providers in any disclosure of personal data. Digital signatures are used to establish accountability of the cryptographic commitments to software service providers without opening the commitments. Digital watermarking is used to tag the corresponding personal data with this linkage. Since users do not take part in the disclosures of personal data to third parties, they give their agreement in advance. Hereby, we make us of a delegation of rights protocol. Our scheme consists of the three protocols Init, Tag, and Verify. Assumptions. We assume that proving a digital identity is based on a publickey infrastructure (PKI). We abstract a PKI by making use of one certification authority (CA). This CA certifies the identities and access rights of all participants by issuing credentials. The identities of the user and the participating service providers are represented by their cryptographic secret keys kUser , kDP , or kDC , respectively. Concerning a disclosure of personal data, the participants have run a delegation of rights protocol. Accordingly, a data consumer has shown

Tagging Disclosures of Personal Data to Third Parties to Preserve Privacy

245

the delegated access rights, which he has got from the user, to the data provider by means of the credentialDC . If a data consumer gets access to the requested personal data (the x-ray image of the user in the example), the data provider will use this credential as the watermarking key. The participants have shown their identity, i.e. the ownership of the credential regarding to their identity. Users and service providers have also agreed on a privacy policy including obligations for the disclosure of personal data. Furthermore, the integrity of service providers’ systems is ensured by the use of Trusted Computing. The applied symmetric digital watermarking algorithm is robust against modifications of the (cover) data d. The Init Protocol generates a public key pkCOM , which is necessary for generating cryptographic commitments and running zero-knowledge proofs. We have chosen protocols based on the discrete logarithm, since we want to commit on strings, i.e. on the participants’ cryptographic secret keys, and not a single bit. Both protocols need a public key. This key pkCOM consists of two prime numbers p and q and two generators g and h for the group Gq,p : pkCOM := (p, q, g, h). The corresponding cryptographic key of a data provider is called pkDP COM . The Tag Protocol runs between a data provider and a data consumer. The aim is to link their identities as well as the obligations for this disclosure to the corresponding personal data d. This protocol consists of the following three phases: – Phase A: Blinded commitment to the data consumer’s identity kDC – Phase B: Blinded commitment to the data provider’s identity kDP – Phase C: Tagging personal data d with the data provenance information Figure 2 shows the messages of phase A. The first two steps are necessary for the data consumer to commit to kDC . The data consumer commits to his identity kDC by comDC (kDC ), whereas m is chosen at random out of the group Zq . We use comDC (kDC ) for linking it with the data provider’s identity. The constraint is that only the data consumer will get the resulting commitment to this disclosure of d. Hence, we later compute the product of two commitments and extract from this product a secret value of the data consumer. Therefore, we blind comDC (kDC ) with the blinding factor comDC (b). The result is comDC BLIN DED (kDC ). This blinding is similar to blind digital signature systems, e.g. as they are used for electronic coins [4]. The data consumer chooses the secret values b and l at random out of Zq . Next, the data consumer confirms the relationship of his inputs to him by digitally signing his identity comDC BLIN DED (kDC ) and the transcript of the protocol run for showing credentialDC . Afterwards, the data consumer sends the blinded commitment to kDC and this digital signature to the data provider. Phases B and C aim at linking the identities of the data consumer and provider to the user’s personal data d (cf. Figure 3). The data provider verifies

246

S. Wohlgemuth et al.

Fig. 2. Phase A of the DETECTIVE Tag protocol

comDC BLIN DED (kDC ) and the confirmation of the data consumer. Afterwards it computes comDP BLIN DED (kDP ) which represents the source of the data disclosure. The function f ingsym represents the call of the symmetric digital watermarking algorithm’s embedding function. The selection of the watermarking algorithm depends on the medium type of the personal data. The result of f ingsym is wm , the blinded data provenance information concerning this part of the disclosure chain of the user’s personal data d. Before sending wm to the data consumer though, the data provider confirms that he has used his master identity kDP by digitally signing it together with the transcript of the delegation of rights protocol run. The data consumer reveals the resulting digital watermark wm by extracting wm , checking the digital signature signatureDC of the data provider, removing his blinding factor comDC (b) from the data provenance information and embedding the resulting data provenance information dpi as the digital watermark wm, which is the unblinded wm , into d.1 The Verify Protocol aims at identifying the service provider who has done an unauthorized disclosure of the found user’s data. It works by checking the cryptographic commitments of the found data and the digital signature of the participating data provider and consumer. The participants of the protocol Verify are an auditor (data protection officer), the CA, a data consumer, and a data provider of the corresponding disclosure chain. The auditor runs this protocol, 1

The data consumer knows the watermarking key credentialDC from the delegation of rights protocol.

Tagging Disclosures of Personal Data to Third Parties to Preserve Privacy

247

Fig. 3. Phases B and C of the DETECTIVE Tag protocol

if he has found personal data at a service provider who is not authorized to get this data. The protocol Verify consists of the following three phases: – Phase D: Retrieving the used watermarking keys for the disclosure of the found user’s data d – Phase E: For each digital watermark of d: Checking the data provider’s cryptographic commitment for the resulting tag – Phase F: For each digital watermark of d: Checking the data consumers commitment The aim of phase D is to get the credentials of the authorized data consumers to extract all watermarks of the found data d. The cryptographic commitments are checked in phases E and F, as shown in Figure 4. In phase E, the auditor checks the commitment and digital signature of the data provider by re-calculating it. If the result equals comDP BLIN DED (kDP ), then it belongs to this service provider. Since the secret key kDP is blinded by the addition with the blinding factor a, the auditor will not know kDP : An addition modulo p is a one-time pad encryption which is information-theoretical secure if the encryption key in this case the attribute a is used only once. Phase F aims at determining recursive in the disclosure chain of d whether the last service provider acting as a data provider or the last service provider

248

S. Wohlgemuth et al.

Fig. 4. Phases E and F of the DETECTIVE Verify protocol

acting as a data consumer has further disclosed d. The auditor retrieves the data consumer’s commitment comDC BLIN DED (kDC ) by dividing the extracted cryptographic commitment with the blinded commitment of the data provider. Then the auditor checks the digital signature of the data consumer. If this digital signature is correct, then comDC BLIN DED (kDC ) belongs to this data consumer. To verify that this data consumer has used comDC BLIN DED (kDC ) in the Tag protocol, the auditor checks if it refers to comDC (kDC ) by requesting the blinding factor comDC (b) from the data consumer and re-calculating comDC (kDC ). Since the master identity of the data consumer should be kept confidential, the casual way of showing the correctness of a commitment simply by opening this commitment is not possible. Hence, the service provider shows its correctness by performing a zero-knowledge proof.

5

Properties of the DETECTIVE Protocols

Concerning the correctness of the DETECTIVE protocols, we have to show that they fulfill the properties of completeness and soundness as follows: – Completeness: A honest service provider acting as the data provider can convince a honest auditor that the service provider acting as the data consumer in the case of a non-authorized disclosure of d is dishonest.

Tagging Disclosures of Personal Data to Third Parties to Preserve Privacy

249

– Soundness: Dishonest service providers cannot convince a honest auditor that they have not disclosed personal data d to non-authorized service providers, if the auditor has found d at a non-authorized service provider. 5.1

Completeness

A dishonest service provider has disclosed the user’s personal data d further without adding the new data provenance information for the upcoming disclosure, i.e. this service provider has not run the Tag protocol. In figure 1, this could be the data center provider or the clinic abroad. Since the previous service provider, the homeland clinic, was authorized by the user to collect d, this service provider has an incentive to follow the Tag protocol. Hence, the homeland clinic has given correct values to the protocol and proven the correctness of the next data consumer’s digital signature regarding the data consumer’s comDC BLIN DED (kDC ). The auditor knows the identity of this data consumer due to the corresponding delegated access right of the user. If the data consumer’s digital signature is valid, the accountability of comDC BLIN DED (kDC ) is assured. Next the auditor checks the relationship of comDC BLIN DED (kDC ) to kDC . Because of the soundness property of zero-knowledge proofs, the proving party (data consumer) cannot cheat in a zero-knowledge proof [9]. If signatureDC and comDC (kDC ) are correct and comDC BLIN DED (kDC ) is part of the last digital watermark of d, then it is an evidence that the data provider has disclosed d to this nonauthorized data consumer. Otherwise the auditor runs the phases E and F of the Verify protocol for the previous digital watermark in this disclosure chain. If the next digital watermark is the last one concerning the disclosure chain of d and the attributes of the data provider and of the data consumer are correct, then the first data consumer has disclosed d to the non-authorized party. 5.2

Soundness

Both service providers involved in the disclosure of d have violated the obligations. They aim to conceal their identities as the data provider by either modifying the tag of the previous disclosure or by cheating in the Tag protocol. We consider the following attacks: (a) Removing the digital watermark of the previous disclosure of d (b) Further disclosure of d without adding the new digital watermark regarding this disclosure (c) Tagging of d with a cryptographic commitment to another value than kDC or kDP Service providers who participate in a disclosure of d know the watermarking key. Regarding the attack (a), if the data provider wants to conceal his violation, he could remove the tag of the previous disclosure. This is possible as long as the previous data provider is dishonest, too. Even though if this happens recursive in the disclosure chain until the first data consumer, an auditor detects the dishonest behavior of the first data consumer. The reason is that the auditor

250

S. Wohlgemuth et al.

has got the cryptographic commitment of this service provider’s identity kDC and his digital signature on the commitment and the protocol run of showing his rights to access d by his credential. Also, this service provider has proven to the first data provider that its commitment refers to kDC . This forces at least the first data provider to follow the Verify protocol. Regarding the attack (b), at least the second data consumer in a disclosure chain has disclosed d to a non-authorized participant. If the last data consumer in the disclosure chain has disclosed d, it will be identified as the dishonest service provider because of the completeness property of the DETECTIVE protocols. If it was the last data provider, then this participant will be identified as the violator due to the digital watermark for the disclosure of d from the previous data provider and the completeness property of the DETECTIVE protocols. Concerning the attack (c), since a commitment relates to another value than kDC or kDP , the cheating party either cannot convince an auditor in the opening protocol of the cryptographic commitment or in the zero-knowledge proof. If the data consumer has used an invalid commitment and the data provider has accepted it, then the auditor would identify the data provider as the violator since the data consumer cannot prove the knowledge of kDC to the commitment comDC (kDC ). If the digital signature of the data provider does not refer to the data providers commitment, then the data provider has not followed the Tag protocol. Even if the data provider has used a commitment different to kDP but it knows the committed value, then it can still show his role as the data provider. But if it has not used this commitment in the Tag protocol, then it is not part of the digital watermark and the auditor cannot extract the correct comDC (kDC ).

6

Related Work

Enforcement mechanisms for policies regarding information flows concentrate on formal methods [13] or on encryption [3]. Formal methods consider information flows via covert channels or an indirect path from a data provider to a data consumer. In addition, a corresponding verification of a system implies that this system doesn’t change afterwards. Otherwise, it has to be verified again. Combining personal data with obligations is the characteristic of a sticky policy [12]. An implementation of sticky policies for disclosure of personal data to third parties is the Adaptive PMS of Hewlett-Packard [3]. Sticky policies are linked to certain personal data at the time of their collection by an encryption scheme. A data consumer will get the decryption key from a TTP, if it is authorized by the sticky policy. However, data consumers can further disclose the decrypted personal data without any control by the user or the TTP. The main characteristic of the symmetric watermarking scheme is the use of a symmetric watermarking key in order to produce noise in which a digital watermark is to be embedded [5]. If one knows this key and the watermarking algorithm, he can embed, detect, and modify watermarks. If a symmetric digital watermarking scheme is applied to our scenario, both the data provider and consumer get the same digital watermark. This means that if one of them discloses

Tagging Disclosures of Personal Data to Third Parties to Preserve Privacy

251

this personal data to a third party, an auditor cannot decide whether the data provider or the data consumer has violated this obligation. Digital watermarking for tracing disclosure of health data has been used for medical images according to the DICOM standard [6]. The watermarking scheme uses a TTP for the generation and distribution of the personalized watermarking keys for each authorized consumer as well as for checking a digital watermark. By subtracting the personalized watermarking key of the recipient from the data center provider’s digital watermark, every authorized data consumer gets the same medical image with a personalized digital watermark. However it is assumed that every data consumer will subtract his watermarking key from the received image. If two or more data consumers won’t follow the subtraction rule, they would be indistinguishable since they have the same digital watermark. Asymmetric fingerprinting [17] solves this problem of indistinguishability in the context of DRM. In principle, it combines a symmetric watermarking scheme with cryptographic commitments and digital signature. Data providers embed the digital watermarks consisting of a random identity chosen by data consumers. The protocol of asymmetric fingerprinting assures, because of computing with cryptographic commitments, that only data consumers get the watermark. The obligations are signed by data consumers and sent to the data provider. However, asymmetric fingerprinting assumes conflicting interests of providers and consumers. This contradicts to our trust model. Service providers may hide the correct watermarking key, since they have an interest to collude.

7

Conclusion

Our proposal of usage control through data provenance enables users to check ex post whether software service providers are actually obeying and enforcing obligations. Therefore, we have presented a modified asymmetric fingerprinting scheme called DETECTIVE. In the future, we will evaluate the feasibility of our scheme by a proof-of-concept implementation for the case study “Telemedicine” in which personal data (x-ray images) are sent from a clinic in the homeland to a clinic abroad via a data center as a cloud service. The feasibility evaluation will show if the same number of digital watermarks as the number of disclosures of a disclosure chain can be embedded into an x-ray image while remaining the digital watermarks detectable and extractable for an auditor as well as remaining the x-ray image usable for the medical institutions. Also we will investigate whether a modification of personal data, e.g. updating an electronic health record, will modify the embedded data provenance history.

Acknowledgment This work was funded by the German Academic Exchange Service (DAAD) and is a result of the Memorandum of Understanding between the National Institute of Informatics (Japan) and the Albert-Ludwig University of Freiburg (Germany). We would like to thank J´er´emie Tharaud and the reviewers of IFIP SEC 2010 for their valuable comments.

252

S. Wohlgemuth et al.

References 1. Aura, T.: Distributed Access-Rights Managements with Delegations Certificates. In: Vitek, J. (ed.) Secure Internet Programming. LNCS, vol. 1603, pp. 211–235. Springer, Heidelberg (1999) 2. Buneman, P., Khanna, S., Tan, W.-C.: Why and Where: A Characterization of Data Provenance. In: Van den Bussche, J., Vianu, V. (eds.) ICDT 2001. LNCS, vol. 1973, pp. 316–330. Springer, Heidelberg (2000) 3. Casassa Mont, M., Pearson, S.: An Adaptive Privacy Management System for Data Repositories. In: Katsikas, S.K., L´ opez, J., Pernul, G. (eds.) TrustBus 2005. LNCS, vol. 3592, pp. 236–245. Springer, Heidelberg (2005) 4. Chaum, D.: Blind Signatures for Untraceable Payments. In: McCurley, K.S., Ziegler, C.D. (eds.) CRYPTO 1982. LNCS, vol. 1440, pp. 199–203. Springer, Heidelberg (1999) 5. Cox, I.J., Miller, M.L., Bloom, J.A., Fridrich, J., Kalker, T.: Digital Watermarking and Steganography. Morgan Kaufmann, San Francisco (2008) 6. Li, M., Poovendran, R., Narayanan, S.: Protecting patient privacy against unauthorized release of medical images in a group communication environment. In: Comp. Medical Imaging and Graphics, vol. 29, pp. 367–383. Elsevier, Amsterdam (2005) 7. European Commission, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal of the European Communities, L 281, 395L0046, pp. 31–50 (October 24, 1995) 8. Deutscher Bundestag. Gesetz zur Modernisierung der gesetzlichen Krankenversicherung. Bundesgesetzblatt Jahrgang 2003 Teil I Nr. 55 (2003) 9. Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Computation 18(1), 186–208 (1989) 10. Google, Health Privacy Policy (2010), http://www.google.com/health 11. U.S. Department of Health & Human Services, Health Insurance Portability and Accountability Act of 1996 Privacy Rule (1996), http://www.cms.hhs.gov/HIPAAGenInfo 12. Karjoth, G., Schunter, M., Waidner, M.: Privacy-enabled Services for Enterprises. In: 13th Int. Workshop on Database and Expert Systems Applications, pp. 483–487. IEEE Computer Society, Los Alamitos (2002) 13. Mantel, H.: Information Flow Control and Applications Bridging a Gap. In: Oliveira, J.N., Zave, P. (eds.) FME 2001. LNCS, vol. 2021, pp. 153–172. Springer, Heidelberg (2001) 14. Mather, T., Kumaraswamy, S., Latif, S.: Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance. O’Reilly Media, Sebastopol (2009) 15. Microsoft, HealthVault Privacy Policy (2010), http://www.healthvault.com 16. M¨ uller, G., Accorsi, R., H¨ ohn, S., Sackmann, S.: Sichere Nutzungskontrolle f¨ ur mehr Transparenz in Finanzm¨ arkten. Informatik-Spektrum 33(1) (2010) 17. Pfitzmann, B., Schunter, M.: Asymmetric Fingerprinting. In: Maurer, U.M. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 84–95. Springer, Heidelberg (1996) 18. Pretschner, A., Hilty, M., Basin, D.: Distributed usage control. CACM 49(9), 39–44 (2006) 19. Sackmann, S., Str¨ uker, J., Accorsi, R.: Personalization in Privacy-Aware Highly Dynamic Systems. CACM 49(9), 32–38 (2006) 20. Sonehara, N., Echizen, I., Wohlgemuth, S., M¨ uller, G., Tjoa, A. (eds.): Int. Workshop ISSI 2009 National Center for Sciences (2009), http://www.nii.ac.jp/issi

k-Shares: A Privacy Preserving Reputation Protocol for Decentralized Environments Omar Hasan1 , Lionel Brunie1 , and Elisa Bertino2 1

INSA Lyon, France {omar.hasan,lionel.brunie}@insa-lyon.fr 2 Purdue University, IN, USA [email protected]

Abstract. A reputation protocol computes the reputation of an entity by aggregating the feedback provided by other entities in the system. Reputation makes entities accountable for their behavior. Honest feedback is clearly a pre-requisite for accurate reputation scores. However, it has been observed that entities often hesitate in providing honest feedback, mainly due to the fear of retaliation. We present a privacy preserving reputation protocol which enables entities to provide feedback in a private and thus uninhibited manner. The protocol, termed k-shares, is oriented for decentralized environments. The protocol has linear message complexity under the semi-honest adversarial model, which is an improvement over comparable reputation protocols.

1

Introduction

In recent years, reputation systems have gained popularity as a solution for securing distributed applications from misuse by dishonest entities. A reputation system computes the reputation scores of the entities in the system based on the feedback provided by fellow entities. A popular reputation system is the eBay reputation system (ebay.com), which is used to discourage fraudulent activities in e-commerce. Other well-known examples include the EigenTrust [1] reputation system and the Advogato.org reputation system [2]. An accurate reputation score is possible only if the feedbacks are accurate. However, it has been observed that the users of a reputation system may avoid providing honest feedback [3]. The reasons for such behavior include fear of retaliation from the target entity or mutual understanding that a feedback value would be reciprocated. A solution to the problem of lack of honest feedback is computing reputation scores in a privacy preserving manner. A privacy preserving protocol for computing reputation scores operates such that the individual feedback of any entity is not revealed. The implication of private feedback is that there are no consequences for the feedback provider and thus he is uninhibited to provide honest feedback. In this article, we are interested in developing a privacy preserving reputation protocol that is decentralized and efficient. Our motivation stems from the observation that there are currently few if any efficient privacy preserving reputation K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 253–264, 2010. c IFIP International Federation for Information Processing 2010 

254

O. Hasan, L. Brunie, and E. Bertino

protocols for decentralized environments, which include peer-to-peer networks, MANETs, and decentralized social networks, such as FOAF (foaf-project.org). The reader is referred to section 7 for related work. We propose the k-Shares protocol, which is decentralized as well as efficient (linear message complexity). The protocol is shown to be secure under the semihonest adversarial model. Extensions for security under the malicious model are also discussed.

2 2.1

General Framework Agents, Trust, and Reputation

We model our environment as a multi-agent environment. Set A is defined as the set of all agents in the environment. |A| = N . We subscribe to the definition of trust by sociologist Diego Gambetta [4], which is one of the most commonly accepted definitions of trust. Our formal definition captures the characteristics of trust identified in Gambetta’s definition, which include: 1) Binary-Relational and Directional, 2) Contextual, and 3) Quantifiable as Subjective Probability. Definition 1. Trust. Let the trust of a truster a in a trustee b be defined as the tuple: aT b, ψ, P (perf orm(a, b, ψ) = true). T is a binary relation on the set A. aT b implies that a has a trust relationship with b or simply that a trusts b. The binary relation T is non-reflexive, asymmetric, and non-transitive. The context of a truster a’s trust in a trustee b is an action ψ that the truster a anticipates the trustee b to perform. The set of all actions is given as Ψ . The subjective probability P (perf orm((a, b), ψ) = true) is the quantification of a truster a’s trust in a trustee b. perf orm((a, b), ψ) is a function, such that: perf orm : T × Ψ → {true, f alse}. perf orm outputs true if the trustee b does in fact perform the action anticipated by the truster a. On the contrary, if the trustee does not perform the anticipated action, the function outputs f alse. When the context ψ is clear, lab ≡ P (perf orm((a, b), ψ) = true). Some examples of actions: “prescribe correct medicine”, “repair car”, “deliver product sold online”, etc. Definition 2. Source Agent. An agent a is said to be a source agent of an agent b in the context of an action ψ if a has trust in b in context ψ. In other words, agent a is a source agent of agent b in context ψ if trust aT b, ψ, P (perf orm(a, b, ψ) = true) exists. The set of all source agents of an agent b in context ψ is given as Sb,ψ = {a | aT b, ψ, P (perf orm(a, b, ψ) = true) exists}. When the context is clear, the notation Sb may be used instead of Sb,ψ . The quantification of a source agent a’s trust in agent b is referred to as feedback. Definition 3. Reputation. Let St = {a1 . . . an } be the set of source agents of an agent t in context ψ. This implies that each agent a ∈ St has the trust aT t, ψ, P (perf orm(a, t, ψ) = true) in agent t. Then the reputation of agent t in context ψ is given as the function: rep(P (perf orm(a1 , t, ψ) = true), . . . ,

The k-Shares Privacy Preserving Reputation Protocol

255

P (perf orm(an , t, ψ) = true)), or in simpler notation: rep(la1 t , . . . , lan t ), such that: rep : [0, 1]1 × . . . × [0, 1]n → R. The reputation of an agent t is represented by the variable rt,ψ , or rt when the context is clear. Definition 4. Function rep⊕ . Let function rep⊕ be a realization of the function rep. rep⊕ : [0, 1]1 × . . . × [0, 1]n → [0, 1]. rep⊕ is implemented as follows l +...+l (l . . . lan t are feedback values in a context ψ): rep⊕ (la1 t . . . lan t ) = a1 t n an t = a1 t n i=1 lai t

n

.

We have defined the reputation of an agent as any function that aggregates the feedback of its source agents. The function rep⊕ implements the reputation of an agent t as the mean of the feedbacks of all its source agents. Our decision to define reputation in such simple but intuitive terms is influenced by the eBay reputation system (ebay.com). The eBay reputation system, which is one of the most successful reputation systems, represents reputation as the simple sum of all feedbacks. We go one step further and derive the average from the sum in order to normalize the reputation values. Please note that rep⊕ is a function constructed from summation. With summation, it is possible to model reputation as any function that can be approximated as a polynomial expression. Definition 5. Reputation Protocol. Let Π be a multi-party protocol. Then Π is a Reputation Protocol, if 1) the participants of the protocol include: a querying agent q, a target agent t and all n source agents of t in a context ψ, 2) the inputs include: the feedbacks of the source agents in context ψ, and 3) the output of the protocol is: agent q learns the reputation rt,ψ of agent t. 2.2

Adversary

We refer to the coalition of dishonest agents as the adversary. Adversarial models: Semi-Honest. In the semi-honest (honest-but-curious) model, the agents always execute the protocol according to specification. The adversary abstains from wiretapping and tampering of the communication channels. However, within these constraints, the adversary passively attempts to learn the inputs of honest agents by using intermediate information received during the protocol. Malicious. Malicious agents are not bound to conform to the protocol. They may attempt to learn private inputs as well as to disrupt the protocol for honest agents. The reasons for disrupting the protocol may range from gaining illegitimate advantage over honest agents to completely denying the service of the protocol to honest agents. In this paper, we propose a solution for the first model. Ideas for an efficient solution for the second model are discussed in section 5.

256

2.3

O. Hasan, L. Brunie, and E. Bertino

Privacy

Definition 6. Private Data. Let x be some data and an agent a be the owner of x. Then x is agent a’s private data if agent a desires that no other agent learns x. An exception is those agents to whom a reveals x herself. However, if a reveals x to an agent b, then a desires that b does not use x to infer more information. Moreover, a desires that b does not reveal x to any third party. Definition 7. Preserving Privacy (by an Agent). Let x be an agent a’s private data. Then an agent b is said to preserve the privacy of agent a, if 1) a reveals x to b, 2) b does not use x to infer more information, and 3) b does not reveal x to any third party. We define action ρ = “preserve privacy”. The action “preserve privacy” is synonymous with the action “be honest”, since an agent preserves privacy only if it is honest, and an honest agent always preserves privacy since it has no ulterior motives. Definition 8. Trusted Third Party (TTP). Let S ⊆ A be a set of n agents, and T T PS ∈ A be an agent. Then T T PS is a Trusted Third Party (TTP) for the set of agents S if for each a ∈ S, P (perf orm(a, T T PS , ρ) = true) = 1. We adopt the Ideal-Real approach [5] to formalize the privacy preservation property of a protocol. In this article we use the term high as a probability variable that may be realized to a specific value according to the security needs of an application. For example, in the experiments (section 6) on the Advogato.org web of trust, we consider high probability as 0.90. Consequently, low probability is the complement of high probability. Definition 9. Ideal Privacy Preserving Reputation Protocol. Let Π be a reputation protocol, which includes as participants: a querying agent q, a target agent t, and St = St,ψ , the set of all n source agents of t in context ψ. Then Π is an ideal privacy preserving reputation protocol under a given adversarial model, if: 1) the inputs of all n source agents of t are private; 2) T T PSt is also a participant; 3) m < n of the source agents (given as set M ) and agents q and t are considered to be dishonest, however, q wishes to learn the correct output; 4) agents St − M and T T PSt are honest; 5) as part of the protocol, T T PSt receives the private inputs from the source agents and outputs the reputation rt,ψ to agent q; and 6) over the course of the protocol, the private input of each agent a ∈ St − M is revealed only to T T PSt . In an ideal privacy preserving reputation protocol, it is assumed that for each agent a ∈ St − M , the adversary does not gain any more information about the private input of agent a from the protocol other than what it can deduce from what it knows before the execution of the protocol and the output, with probability P (perf orm(a, T T PSt , ρ) = true), under the given adversarial model. Definition 10. Real Privacy Preserving Reputation Protocol. Let I be an ideal privacy preserving reputation protocol. Then R is a real privacy preserving reputation protocol under a given adversarial model, if: 1) R has the same

The k-Shares Privacy Preserving Reputation Protocol

257

parameters (participants, private inputs, output, adversary, honest agents, setup, etc.) as I, except that there is no T T PSt as a participant; and 2) the adversary learns no more information about the private input of an agent a than it learns in protocol I, with high probability, when both protocols are operating under the given adversarial model.

3

Problem Definition

Definition 11. Problem Definition. Let St,ψ = {a1 . . . an } be the set of all source agents of agent t in the context of action ψ. Find a reputation protocol Π, which takes private input lat ≡ P (perf orm(a, t, ψ) = true) from each agent a ∈ St , and outputs the reputation rt,ψ of the target agent t to a querying agent q. Reputation is realized as rep⊕ . Agents q, t, and m < n of the source agents are considered to be dishonest, however, q wishes to learn the correct output. The reputation protocol Π is required to be decentralized and secure under the semi-honest model.

4

The k-Shares Reputation Protocol

In this section we present our k-shares protocol, which is a real privacy preserving reputation protocol under the semi-honest model. The k-shares protocol is inspired by a protocol in [6] (section 5.2). However, our protocol has a lower message complexity of only O(kn) as opposed to the complexity of O(n2 ) of the protocol in [6]. In the experiments we observe that k can be set as low as 2, while preserving the privacy of a high majority of agents. Moreover, the extended version of our protocol allows agents to abstain when their privacy is not assured. The important steps of the protocol are outlined below. 1. Initiate. The protocol is initiated by a querying agent q to determine the reputation rt,ψ of a target agent t. Agent q retrieves St ≡ St,ψ , the set of source agents of agent t in context ψ. Agent q then sends St to each agent a ∈ St . 2. Select Trustworthy Agents. Each agent a ∈ St selects upto k other agents in St . Let’s refer to these agents selected by a as the set Ua = {ua,1 . . . ua,ka }, where 1 ≤ ka ≤ k. Agent a selects these agents such that: P (perf orm(a, ua,1 , ρ) = f alse) × . . . × P (perf orm(a, ua,ka , ρ) = f alse) is low. That is, the probability that all of the selected agents will collude to break agent a’s privacy is low. 3. Prepare Shares. Agent a then prepares ka + 1 shares of its secret feedback value lat . The shares, given as: xa,1 . . . xa,ka +1 , are prepared as follows: The first ka shares are random numbers uniformly ka +1distributed over a large interval. The last share is selected such that: i=1 xa,i = lat . That is, the sum of the shares is equal to the feedback value. Since each of the ka + 1 shares is a number uniformly distributed over a large interval, no information about the secret can be learnt unless all of the shares are known.

258

O. Hasan, L. Brunie, and E. Bertino

4. Send Shares. Agent a sends the set Ua = {ua,1 . . . ua,ka } to agent q. Agent a sends xa,i to agent ua,i , where i ∈ {1 . . . ka }. 5. Receive Shares. Agent q receives Ua from each agent a ∈ St . Then for each agent a, agent q: 1) compiles the list of agents from whom a should expect to receive shares, and 2) sends this list to agent a. Agent a then proceeds to receive shares from the agents on the list provided by q. 6. Compute Sums. Agent a computes σa , the sum all shares received and its own final share xa,ka +1 . Agent a sends the sum σa to q. 7. Compute Reputation.  Agent q receives the sum σa from each agent a ∈ St . q computes rt,ψ = ( a∈St σa )/n. 4.1

Protocol Specification

The protocol is specified in Figure 1. The function set of trustworthy(a, S) returns a set of agents Ua = {ua,1 . . . ua,ka }, where 1 ≤ ka ≤ k, and Ua ⊆ S. The set Ua is selected such that: P (perf orm(a, ua,1 , ρ) = f alse) × . . . × P (perf orm(a, ua,ka , ρ) = f alse) is low, with the minimum possible ka . 4.2

Security Analysis

Correctness. Each agent a ∈ St prepares the shares xa,1 . . . xa,ka +1 of its ka +1 feedback value lat , such that: j=1 xa,j = lat . The sum of the feedback values n of all agents in St = {a1 . . . an } is given as: i=1 lai t . Thus, the sum of the n kai +1 xai ,j ). That feedback values of all agents in St can be stated as: i=1 ( j=1 is, the sum of all shares of all agents. Each agent a ∈ St provides agent q the set Ua , which is the set of agents whom a is going to send its shares. After q has received this set from all agents in St , it compiles and sends to each agent a, the set Ja , which is the set of agents who are in the process of sending a share to agent a. Thus, each agent a knows exactly which and how many agents, it will receive a share from. When agent a has received all of those shares, it sends σa , the sum of all shares received and its final share, to agent q. Previously, each agent a ∈ St sends each of his shares xa,1 . . . xa,ka , once to only one other agent, and adds the final share xa,ka +1 once to his own σa . It follows that the sums σa1 . . . σan include all shares of all agents and that they include each share only once. n n kai +1 The final value of r in the protocol is: r = i=1 σai = i=1 ( j=1 xai ,j ) = n l . Thus when q computes r = r/n, it is the correct reputation of agent a t t,ψ i i=1 t in context ψ (Definition 3). Privacy. Let’s consider an agent a ∈ St . Agent a prepares the shares xa,1 . . . xa,ka +1 of its secret feedback value lat . The first ka shares xa,1 . . . xa,ka are random numbers uniformly distributed over a large interval [−X, X]. The final ka share, xa,ka +1 = lat − i=1 xa,i , is also a number uniformly distributed over a large interval since it is a function of the first ka shares which are random numbers. Thus, individually each of the shares does not reveal any information

The k-Shares Privacy Preserving Reputation Protocol

259

Protocol: Semi-Honest-k-Shares Participants: Agents: q, t, St = St,ψ = {a1 . . . an }. Agents q, t, and a subset of St,ψ of size m < n are dishonest, however, q wishes to learn the correct output. Input: Each source agent a has a private input lat = P (perf orm(a, t, ψ) = true). Output: Agent q learns rt,ψ , the reputation of agent t in context ψ. Setup: Each agent a maintains Sa = Sa,ψ , the set of its source agents in context ψ. Events and Associated Actions (for an Agent a): need arises to determine rt,ψ  initiate query 1 send tuple (request for sources, ψ) to t 2 receive tuple (sources, ψ, St ) from t 3 for each agent v ∈ St 4 do Jv ← φ 5 St ← St 6 r←0 7 q←a 8 s ← timestamp() 9 send tuple (prep, q, t, s, St ) to each agent v ∈ St tuple (request for sources, ψ) received from agent q 1 send tuple (sources, ψ, Sa ) to q tuple (prep, q, t, s, St ) received from agent q 1 I ←φ 2 J ←φ 3 σa ← 0 4 Ua ← set of trustworthy(a, St − a) 5 ka ← |Ua | 6 for i ← 1 to ka 7 do xa,i ← random(−X, X)  a 8 xa,ka +1 ← lat − k i=1 xa,i 9 send tuple (recipients, q, t, s, Ua ) to agent q 10 for each agent ua,i ∈ Ua = {ua,1 . . . ua,ka } 11 do send tuple (share, q, t, s, xa,i ) to agent ua,i tuple (recipients, q, t, s, Uv ) received from an agent v ∈ St 1 for each agent u ∈ Uv 2 do Ju ← Ju ∪ v 3 St ← St − v  4 if St = φ 5 then St ← St 6 for each agent w ∈ St 7 do send tuple (senders, q, t, s, Jw ) to agent w tuple (share, q, t, s, xv ) received from an agent v ∈ St 1 I ← I ∪v 2 σa ← σa + xv 3 if I = J 4 then σa ← σa + xa,ka +1 5 send tuple (sum, q, t, s, σa ) to agent q tuple (senders, q, t, s, Ja ) received from agent q 1 J ← Ja 2 if I = J 3 then σa ← σa + xa,ka +1 4 send tuple (sum, q, t, s, σa ) to agent q tuple (sum, q, t, s, σv ) received from an agent v ∈ St 1 2 3 4

St ← St − v r ← r + σv if St = φ then rt,ψ ← r/n

Fig. 1. Protocol: Semi-Honest-k-Shares

260

O. Hasan, L. Brunie, and E. Bertino

about the secret feedback value lat . Moreover, no information is learnt about lat even if upto ka shares are known, since there sum would be some random number uniformly distributed over a large interval. The only case in which information ka +1 can be gained about lat is if all ka + 1 shares are known. Then, lat = i=1 xa,i . We now analyze if the ka +1 shares of an agent a can be learnt by the adversary from the protocol. Agent a sends each share xa,i only to agent ua,i , where i ∈ {1 . . . ka }. Each ua,i then computes σua,i , which is the sum of all shares that it receives and its own final share xua,i ,kua,i +1 . Even if agent a is the only agent to send agent ua,i a share, σua,i = xa,i + xua,i ,kua,i +1 . That is, the sum of agent a’s share and agent ua,i ’s final share. σua,i is a number uniformly distributed over a large interval. Thus, when agent ua,i sends this number to agent q, it is impossible for q to distinguish the individual shares from the number. Therefore, each share xa,i that agent a sends to agent ua,i will only be known to agent ua,i . Unless, agent ua,i is dishonest. The probability that agent ua,i is dishonest, that is, it will attempt to breach agent a’s privacy is given as: P (perf orm(a, ua,i , ρ) = f alse). To learn the first ka shares of agent a, all agents ua,1 . . . ua,ka would have to be dishonest. The probability of this scenario is given as: P (perf orm(a, ua,1 , ρ) = f alse) × . . . × P (perf orm(a, ua,ka , ρ) = f alse). Even in the above scenario, the adversary does not gain information about lat , without the knowledge  of agent a’s final share xa,ka +1 . However, agent  a has to send σa = xa,ka +1 + v∈Ja xv , and agent a has no control over the v∈Ja xv portion of the equation. Therefore, we assume that agent q learns the final share of agent a. Thus the probability that the protocol will not preserve agent a’s privacy can be stated as: P (perf orm(a, ua,1 , ρ) = f alse) × . . . × P (perf orm(a, ua,ka , ρ) = f alse). If we assume that the agents ua,1 . . . ua,ka are selected such that this probability is low, then with high probability, the adversary learns no more information about lat than it can learn in an ideal protocol with what it knows before the execution of the protocol and the outcome. The protocol Semi-Honest-k-Shares is a real privacy preserving reputation protocol (Definition 10) under the semi-honest model, since: 1) Semi-Honest-kShares has the same parameters as an ideal protocol (except the T T P ), and 2) the adversary learns no more information about the private input of an agent a in Semi-Honest-k-Shares than it learns in an ideal protocol, with high probability, under the semi-honest adversarial model. 4.3

An Extension

The privacy of the k-Shares protocol depends on the assumption that each agent a ∈ St will find trustworthy agents in St . However, the protocol may be extended such that agents are allowed to abstain when they don’t find trustworthy agents. In that case, an agent would generate two shares whose sum equals zero. One of the shares would be sent to a random source agent and the other to the querying agent along with any shares received added to it. In section 6.2, we

The k-Shares Privacy Preserving Reputation Protocol

261

observe that the protocol computes sufficiently accurate reputation scores even if a large number of agents abstain. 4.4

Complexity Analysis

The protocol requires 4n + O(kn) + 2 messages to be exchanged (complexity: O(n)). In terms of bandwidth used, the protocol requires transmission of the following amount of information: n2 +5n+O(n2)+O(3kn) agent IDs (complexity: O(n2 )), and n + O(kn) numbers (complexity: O(n)). The protocol requires 4n + O(kn) + 2 messages to be exchanged (complexity: O(n)). In terms of bandwidth used, the protocol requires transmission of the following amount of information: n2 +5n+O(n2)+O(3kn) agent IDs (complexity: O(n2 )), and n + O(kn) numbers (complexity: O(n)). 4.5

Discussion

We pose the following question: Why send shares of the secret feedback value to n − 1 potentially unknown agents when privacy can be assured by sending shares to only k < n − 1 trustworthy agents? In the k-Shares protocol, each agent a relies on at most k agents who are selected based on a’s knowledge of their trustworthiness in the context of preserving privacy. This is in contrast to the protocol in [6] which requires each agent to send shares to all other n − 1 source agents in the protocol. As we observe in section 6, the privacy of a high majority of agents can be assured with k as small as 2. Moreover, increasing k to values approaching n − 1 has no significant advantage.

5

Extensions for the Malicious Model – Future Work

Malicious agents may take the following additional actions: 1) drop messages, 2) add values that are out of range. The solution that we propose for the first problem is to extend the k-Shares protocol as follows: all messages are encrypted with an additive homomorphic cryptosystem, and relayed through the querying agent. Thus, the querying agent would know if an agent has dropped a message. The solution to the second problem is that along with its shares, each source agent provides a zero knowledge proof demonstrating that the sum of the shares lies in the correct range. Wiretapping and tampering may be prevented by securing communication channels with a protocol such as SSL or IPSec. These extensions would raise the computational complexity of the protocol, however the message complexity would remain as O(n). This is in contrast to the protocol for the malicious model in [6] which has a complexity of O(n3 ).

6 6.1

Experiments The Dataset: Advogato.org

We use the real web of trust of Advogato.org [2] as the dataset for our experiments. The members of Advogato rate each other in the context of being active

262

O. Hasan, L. Brunie, and E. Bertino

and responsible members of the open source software developer community. The choice of feedback values are master, journeyer, apprentice, and observer, with master being the highest level in that order. The result of these ratings is a rich web of trust, which comprises of 13, 904 users and 57, 114 trust ratings (November 20, 2009). The distribution of ratings is as follows: master : 31.7%, journeyer : 40.3%, apprentice: 18.7%, and observer : 9.3%. The members of Advogato are expected to not post spam, not attack the Advogato trust metric, etc. Thus we posit that on Advogato, the context “be a responsible member of the open source software developer community”, comprises of the context “be honest”. Since we quantify trust as probability, we substitute the four feedback values of Advogato as follows: master = 0.99, journeyer = 0.70, apprentice = 0.40, and observer = 0.10. These substitutions are made heuristically based on our experience with Advogato. For the experiments, we define the lowest acceptable probability that privacy will be preserved as 0.90. This means that a set of two trustworthy agents must include either one master rated agent or two journeyer rated agents for this threshold to be satisfied. 6.2

Experiment 1

Objective: In the protocol Semi-Honest-k-Shares, the following assumption must hold for an agent a’s privacy to be preserved: P (perf orm(a, ua,1 , ρ) = f alse) × . . . × P (perf orm(a, ua,ka , ρ) = f alse) is low. That is, the probability that the agents to whom agent a sends shares, are all dishonest must be low. We would like to know the percentage of instances of source agents for whom this assumption holds true. Algorithm: A randomly selected querying agent queries the reputation of every other agent who has at least min source agents. Over the course of all queries, we observe the probability P (perf orm(a, ua,1 , ρ) = f alse) × . . . × P (perf orm(a, ua,ka , ρ) = f alse), for each source agent a. The experiment is run for each value of min in {5, 10, 15, 20, 25, 50, 75, 100, 500}. Results: For min = 25, we observe that the assumption holds for 81.7% of instances of source agents. Additionally, 85.8% for min = 50, 87.0% for min = 75, 87.4% for min = 100, and 87.5% for min = 500. We note that the increase in the percentage is significant up to min = 100. This is due to the greater choice of trustworthy agents available for each agent when the protocol has more source agents. At min = 5, the percentage is 72.5%, which implies that approximately 30% of the source agents will have to abstain. However, in a separate experiment (full details not included due to space limitation), we observed that at min = 25, even if only around 40% of agents participate, over 95% of the computed reputation scores have an error of at most 0.1 compared to the true scores. Additionally, over 85% at min = 10, and over 90% at min = 15. Thus, even a significant portion of agents abstaining does not pose an issue.

The k-Shares Privacy Preserving Reputation Protocol

6.3

263

Experiment 2

Objective: We would like to know the effect of increasing k on the percentage of instances of source agents whose privacy is preserved in the protocol Semi-Honest-k-Shares. Algorithm: A randomly selected querying agent queries the reputation of every other agent who has at least min source agents. We vary k and observe the percentage of instances of source agents whose privacy is preserved. The set of experiments is run with min = 50. Results: For min = 50, and k = 1, we observe that the percentage is 75.4%, and at k = 2, the percentage is 85.8%. The jump is due to the possibility with k = 2 to rely on two journeyer agents. With k = 1, the only possibility is to rely on one master agent. However, increasing k over 2, even up to 500, does not result in a significant advantage (86.3% at k = 500). Thus, in this dataset, privacy can be preserved for a high percentage of source agents with k as small as 2. This results in a very efficient protocol. This is in contrast to the protocol presented in [6], which requires each agent to send shares to n − 1 agents, resulting in O(n2 ) message complexity.

7

Related Work

The inspiration for the k-Shares protocol comes from [6]. However, among other advantages (section 4.5), our protocol requires O(kn) messages as opposed to the O(n2 ) required by [6]. Additionally, we also evaluate our protocols on a large and real dataset. A number of privacy preserving reputation systems are based on the premise that a trusted hardware module is present at every agent. The systems that fall under this category include [7], [8], [9]. A system by Kinateder et al [10] avoids the hardware modules, however it requires anonymous routing infrastructure at the network level. These systems clearly differ from our approach, which does not mandate specialized platforms. Several privacy preserving reputation systems have the concept of e-cash as their basis. These systems include [11], [12], [13]. However, these systems either rely on TTPs or centralized constructs, such as the “bank” in [13]. In contrast, our reputation protocols are decentralized.

8

Conclusion

In this article we have presented the k-Shares privacy preserving reputation protocol. A defining characteristic of this protocol is that an agent a himself selects the agents that are critical for preserving its privacy. The selection is based on a’s knowledge of the trustworthiness of those agents in the context of preserving privacy, thus a is able to maximize the probability that its privacy will be preserved. The experiments conducted on the real and large dataset of Advogato.org yield favorable results. It is shown that the k-Shares protocol is able to assure

264

O. Hasan, L. Brunie, and E. Bertino

the privacy of a large majority of the source agents. The extended protocol allows agents to abstain from providing feedback when their privacy is at risk. As analyzed, the protocol has linear message complexity and is thus quite efficient. We designed the k-Shares protocol such that the number of trustworthy agents that each agent can send shares to is limited to k. This design choice is validated by the experiment results, which show that the privacy of a high majority of agents can be assured with k as small as 2. Moreover, increasing k to values approaching n − 1 has no significant advantage. In conclusion, the k-shares reputation protocol is decentralized, efficient, provides accurate results, and is either able to preserve the privacy of participants with high probability or otherwise allows them to abstain.

References 1. Kamvar, S.D., Schlosser, M.T., GarciaMolina, H.: The eigentrust algorithm for reputation management in p2p networks. In: Proc. of the 12th Intl. Conf. on World Wide Web, WWW 2003 (2003) 2. Levien, R.: Attack resistant trust metrics. University of California - Berkeley (2002) (manuscript), http://www.levien.com/thesis/compact.pdf 3. Resnick, P., Zeckhauser, R.: Trust among strangers in internet transactions. The Economics of the Internet and E-Commerce, Advances in Applied Microeconomics 11, 127–157 (2002) 4. Gambetta, D.: Can We Trust Trust? In: Trust: Making and Breaking Cooperative Relatioins. Department of Sociology, pp. 213–237. University of Oxford, Oxford (2000) 5. Goldreich, O.: The Foundations of Crypto., vol. 2. Cambridge Univ. Press, Cambridge (2004) 6. Pavlov, E., Rosenschein, J.S., Topol, Z.: Supporting privacy in decentralized additive reputation systems. In: Jensen, C., Poslad, S., Dimitrakos, T. (eds.) iTrust 2004. LNCS, vol. 2995, pp. 108–119. Springer, Heidelberg (2004) 7. Kinateder, M., Pearson, S.: A privacy-enhanced peer-to-peer reputation system. In: Proc. of the 4th Intl. Conf. on E-Commerce and Web Techs. (2003) 8. Voss, M., Heinemann, A., Muhlhauser, M.: A privacy preserving reputation system for mobile info. dissemination networks. In: Proc. of the 1st Intl. Conf. on Security and Privacy for Emerging Areas in Comm. Networks, SECURECOMM (2005) 9. Bo, Y., Min, Z., Guohuan, L.: A reputation system with privacy and incentive. In: Proc. of the 8th ACIS Intl. Conf. on Soft. Eng., AI, Networking, and Parallel/Distributed Comp, SNPD’07 (2007) 10. Kinateder, M., Terdic, R., Rothermel, K.: Strong pseudonymous comm. for p2p reputation systems. In: Proc. of the 2005 ACM Symp. on Applied Comp. (2005) 11. Ismail, R., Boyd, C., Josang, A., Russell, S.: Strong privacy in reputation systems. In: Chae, K.-J., Yung, M. (eds.) WISA 2003. LNCS, vol. 2908. Springer, Heidelberg (2004) 12. Ismail, R., Boyd, C., Josang, A., Russell, S.: Private reputation schemes for p2p systems. In: Proc. of the 2nd Intl. Workshop on Security in Info. Systems (2004) 13. Androulaki, E., Choi, S.G., Bellovin, S.M., Malkin, T.: Reputation systems for anonymous networks. In: Borisov, N., Goldberg, I. (eds.) PETS 2008. LNCS, vol. 5134, pp. 202–218. Springer, Heidelberg (2008)

Towards Fair Indictment for Data Collection with Self-Enforcing Privacy Mark Stegelmann Centre for Quantifiable Quality of Service in Communication Systems Norwegian University of Science and Technology, Trondheim, Norway [email protected]

Abstract. Recently, multiple cryptographic schemes for data collection with self-enforcing privacy were proposed by Golle et al. The schemes allow participants of electronic polls to prove a pollster’s guilt if he distributes responses. Introducing punitive damages for such misbehaviour creates incentives for a pollster to protect the respondents’ privacy. To achieve fairness, a proof must be feasible if and only if a pollster indeed leaked information. This paper analyses the scheme proposed for self-enforcing privacy with no release of data. Neither parameter publication nor cooperative indictment have been defined up to now. We show that both are of key importance to ensure fairness and describe potential attacks of a malicious pollster. After a detailed analysis, we propose two extensions preventing such actions. In addition, a possibility for the pollster to gain an unfair advantage in the basic scheme is identified and according checks put forward.

1

Introduction

When trying to conduct electronic polls about sensitive topics, pollsters face a specific challenge. Participants will be reluctant to provide accurate responses if they fear that the pollster might distribute their answers to other parties such as insurance companies or marketeers. Although some inaccurate answers are to be expected in polling scenarios, only a certain amount will be tolerable when looking at accumulated results. Since a pollster is interested in meaningful results, non-disclosure might be considered an implicit goal of him as well. However, it is usually not possible for respondents to conclusively assess a pollster’s trustworthiness. In other words, no trust between participants and pollster can be inferred. To the same extent, it is assumed to be infeasible to find a trusted third party that can be relied on by all respondents to sufficiently protect their privacy. In order to address this challenge, several cryptographic schemes for data collection with self-enforcing privacy have been proposed [1]. The remainder of this document is structured as follows. We continue this section by giving a short overview of data collection with self-enforcing privacy 

“Centre for Quantifiable Quality of Service in Communication Systems, Centre of Excellence” appointed by The Research Council of Norway, funded by the Research Council, NTNU and UNINETT. http://www.q2s.ntnu.no

K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 265–276, 2010. c IFIP International Federation for Information Processing 2010 

266

M. Stegelmann

and the scheme with no release of data as proposed by Golle et al. [2]. Section 2 provides our detailed analysis of the scheme’s fairness. We identify a way for pollsters to gain an unfair advantage in the scheme and put according checks forward. In addition, we examine the effects of parameter publication on the scheme’s fairness in Sect. 3. This leads to our proposal of two solutions in Sect. 4 and Sect. 5 respectively. In Sect. 6 we elaborate on the issue of cooperative indictment before concluding with Sect. 7 by pointing out future research directions. 1.1

Data Collection with Self-Enforcing Privacy

Data collection with self-enforcing privacy for electronic polls proposed by the authors of [1] is based on two key concepts. First, making privacy violations publicly provable and second, introducing consequences for such misbehaviour. In other words, the goal is to convincingly align the interests of a pollster with the respondents’ desire to keep their sensitive answers from being distributed. Incentives for a pollster to not disclose information may for instance be that he would have to forfeit a bounty or face legal consequences when proven to have revealed responses. However, a proof of a privacy violation must be feasible if and only if a pollster indeed was the source of the leaked information. That is to say, a sufficient level of fairness between the involved parties has to be achieved. The aspect of fairness can be seen as one of the key differences to for instance digital watermarking techniques such as those given in [3]. Although watermarking introduces additional information as well, it does not allow proofs on which party leaked information. Respondent Pi

Pollster P

...

...

...

1. setup ...

...

...

2. respond ...

3. leak ...

...

4. indict

encrypted bit

response bit

secret bit

re-encryption

encryption

correlation

Fig. 1. Basic SEP overview

Figure 1 shows a conceptual overview of the first scheme with no release of data [2] and its four key phases. We will refer to it as Basic SEP . Both the respondents and the pollster are depicted in the figure. The former are denoted

Fair Indictment for Data Collection with SEP

267

by Pi , the latter by P . Message flows between them are visualised by horizontally oriented arrows. Note that for comprehensibility reasons some protocol details have been omitted in this illustration. They will be described in detail during the analysis in Sect. 2. The scheme requires a homomorphic public-key cryptosystem that is semantically secure under re-encryption such as the ElGamal cryptosystem [4]. During Basic SEP’s setup phase the pollster generates a random secret, encrypts all bits of this secret individually with his public-key, and publishes the respective encryptions to the respondents. In addition, he puts a bounty on the successful recovery of the secret. Due to not knowing the pollster’s private key and the cryptographic security of the public-key cryptosystem, the respondents are unable to decrypt the secret. They can however in turn bitwise intertwine their answers, also encrypted with the pollster’s public-key, with re-encrypted parts of the secret. Since the cryptosystem is assumed to be semantically secure under re-encryption the pollster is unable to distinguish regular encrypted submission from re-encrypted special bits. As a result, the latter, so-called baits, will inevitably be decrypted by him when trying to recover respondents’ answers. If eventually sensitive, decrypted data consisting of real responses and secret bits are leaked by the pollster, respondents can indict him to claim the bounty. The prospect of a bounty may in addition create incentives for an opportunistic third party called bounty hunters to actively try to uncover privacy violations. Respondents may collaborate with each other or with one or several bounty hunters during indictment. Note that Basic SEP does not address the issue of how leaked information get known to respondents. Instead, it focuses on providing the necessary groundwork to allow fair proofs if this happens.

2

Security Analysis

We now describe our security analysis of Basic SEP. As explained in Sect. 1 a self-enforcing privacy data collection scheme needs to fulfil two key requirements. It needs to make privacy violations provable and to introduce consequences for such misbehaviour. All the while, fairness as defined in Sect. 1 has to be ensured. Although additional properties such as high poll accuracy or safe result publications can be desirable in some scenarios, we limit our analysis on the two basic properties. As mentioned before, Golle et al. assume a scenario with multiple respondents and a single pollster for their scheme [2]. No trust relationships between respondents and pollster and no trusted third party exists. The pollster is assumed to have published the public parameters for a homomorphic public-key cryptosystem that is semantically secure under re-encryption. For the ElGamal cryptosystem these public parameters are a group G and a generator g ∈ G of a multiplicative subgroup Gq of order q in which the Decisional Diffie-Hellmann problem is hard. With x being the private key the public-key is y = g x . We will denote encryptions (g r , my r ) of a message m shorthand by E(m), decryptions of such a ciphertext by D((K, M )) can then be calculated using M/K x .

268

M. Stegelmann

Note that re-encrypting a ciphertext (K, M ) = (g r , my r ) is possible with just the knowledge of the cryptosystem’s public parameters. The according re-encryption function R((g r , my r )) returns a ciphertext (g r+s , my r+s ) that decrypts to the initially encrypted m for some random s element of the subgroup of order q. Basic SEP also makes use of discrete logarithm proof systems and proofs of correct decryption [5,6]. We adopt the notation of P CD(E(m)  m) to refer to a protocol instance proving correct decryption of a ciphertext E(m) to m. The data submitted by respondents is assumed to be protected by a layer of symmetric-key encryption to protect against the used cryptosystem’s weakness regarding chosen-ciphertext attacks. 2.1

Property I: Provableness of Privacy Violations

In order to make privacy violations provable Golle et al. propose that the pollster publicly commits to some secret. He has to publish this commitment in such a way that parts of it can be—undetectably to him—introduced into the respondents’ regular submissions and thus will unknowingly be decrypted by him when trying to recover answers. All of the above has to be done in such a way so that the scheme’s fairness is not compromised. This means on the one hand that respondents must be able to verify the correct execution of all steps. On the other hand it means that they must not be able to wrongly indict the pollster. The setup, the submission, as well as the indictment phase are thus relevant for this property. Table 1 depicts the protocol flow of the setup phase which we derive from the textual description the authors give in [2]. It starts with the pollster randomly choosing a k-bit secret β with k being a security parameter determined by him. He publishes encryptions of the individual bits taken to the power of g and Table 1. Basic SEP setup phase Respondent Pi g, E

E(g b1 ),...,E(g bk )

←−−−−−−−−−−−

bi 0 bi 1 ∀k i=1 (P CD(E(g )g )∨P CD(E(g )g ))

Pollster P g, E, D β ← b1 . . . bk ∈R {0, 1}k

←−−−−−−−−−−−−−−−−−−−−−−−−−−−−− gβ

← − −

β

β

P CD(E(g )g )

E(g β ) ←

k i=1

i

(E(g bi ))2

←−−−−−−−−−−−

put bounty on recovery of β

← −−−−−−−−−−−−−−−−− −

proves with a disjunctive discrete logarithm proof system that  each encryption i decrypts to either g 0 or g 1 . After that he calculates E(g β ) = ki=1 (E(g bi ))2 , publishes g β , and proves with a proof of correct decryption that the encrypted value indeed decrypts to g β . In the last step of the setup phase, he puts a bounty on the recovery of β. Analysing the described steps reveals that they enable respondents to verify several things. First, they know that if they submit encrypted answers of the

Fair Indictment for Data Collection with SEP

269

form g b with b being a response bit then their submissions will decrypt to the same form as secret bits. Second, the respondents learn g β . Due to the assumed multiplicative homomorphism, respondents are able to calculate the encryption of g β without having to rely on the respective decryption. They can use the same equation as the pollster for this. The according proof of correct decryption assures them that the g β provided to them by the pollster is indeed the correct decryption of the sequential composition. This means that if they learn the individual bits of the secret, they can claim the bounty. However, if the pollster does not leak bits, neither information about the private key of the pollster nor the decryption of β is revealed. If we assume the respondents to be polynomial time bounded the computational complexity of recovering β without leaked bits is computationally hard since it would require solving the discrete logarithm problem. Thus, they are unable to decrypt secret bits and cannot leak information themselves to wrongly accuse a pollster afterwards. Observe that while the hiding property of the commitment is as just mentioned computational, the binding property is absolute. The goal of the submission phase in turn is for the respondents to be able to send indistinguishable encryptions of bits and baits to the pollster. This means that respondents can choose between two alternatives when asked to submit a response bit. As shown in Tab. 2 they can either opt to submit a real bit b by sending an encryption of g b or to send a bait. To do the latter, they let r be Table 2. Basic SEP submission (single bit) Pollster P g, E, D

Respondent Pi g, E, R, b submitting either bit b:

?

→ D(s) ∈ {g 0 , g 1 } s ← E(g b ) − s

b ← logg (D(s)) = b

or bait: r ∈R {1, . . . , k}

?

s ← R(  t )− → D(s) ∈ {g 0 , g 1 } E(g br ) b ← logg (D(s)) = br s

a random index for the secret β and submit a re-encryption of the bit at the respective position. Respondents cannot gain an unfair advantage by deviating from the described behaviour in this scheme. The reason for that is that the only way for them to get to know the decryptions is when a pollster leaks the data since no results are published. The pollster in turn will only accept responses that decrypt to the form g b with b ∈ {0, 1}. The used cryptosystem is semantically secure under re-encryption and submission bits are encoded in the same form as secret bits. Consequently, the pollster is unable to distinguish encrypted bits from re-encrypted baits by comparing them with encrypted baits or by looking at their form after decryption. However, the

270

M. Stegelmann

proposal by Golle et al. does not guarantee that bits are indistinguishable from baits to the pollster, as we will show now. A malicious pollster who wants to be able to distinguish bits from baits can choose β to only consists of 0s or 1s respectively. He does so instead of using random bits when setting up the poll parameters as shown in Tab. 1. Let us assume that he selects 0. When submitting a bait according to the protocol given in Tab. 2 respondents will as a result always re-encrypt values that decrypt to 0. A truthful answer bit in contrast may be either 0 or 1. Bits of value 0 will also result in encrypted values of 0. If respondents however answer with a 1 the pollster can identify a truthful response and be sure that it is not a bait. With prior knowledge of the to be expected distributions of answers and the ability to formulate the poll questions accordingly, the pollster can optimise the amount of learned bits. Note that this possibility to learn bits does not violate the property of semantic security under re-encryption of the chosen cryptosystem. The pollster is only able to distinguish bits from baits only after they have been decrypted. This behaviour can be detected by the respondents. It can even be observed before submitting any bit. What is required is the addition of tests for the two respective forms of β being either 0 or 2k after having received the poll parameters. However, a malicious pollster may in turn try to evade these checks by deviating from the two basic forms. He still can achieve a probabilistic chance of learning truthful answers. More certainty in this case however also means easier detection and thus an increased chance of having to forfeit the bounty. Thus participants need to check for those cases as well. Although the malicious behaviour can be detected, it needs to be actively checked for in addition to the original scheme’s protocol. Otherwise, the pollster may gain an unfair advantage. 2.2

Property II: Consequences for Misbehaviour

In order for Basic SEP to be self-enforcing it needs to provide reasons for abstaining from misbehaviour. The bounty and the chance of having to forfeit it when a privacy violation is proven create these incentives. This means that a pollster needs to put a bounty on the successful recovery of the secret and it needs to be possible to claim the bounty when a privacy violation is proven. Accordingly, the setup and the indictment phase are important for the analysis of this property. As shown in Tab. 2, the setup phase concludes with the pollster putting a bounty on the recovery of the bait. Golle et al. however neither specify how this step nor how the indictment phase is to be designed. It is clear that in this scheme the verification of an indictment’s validity does not need to rely on the cooperation of the pollster. If β is known, the verification can be done efficiently without the secret key. If this would not be the case, a pollster could refuse to partake in his own indictment as it is the case for another scheme [7]. The unspecified publication process of the scheme’s parameters during the setup phase is of central importance for the fairness of the scheme. To see that,

Fair Indictment for Data Collection with SEP

271

assume a pollster communicating different parameters to respondents. New respondents could always opt not to take part in polls if parameters get modified to intolerable values. Yet, a pollster could, e.g., choose a different secret for every participant. As a result, respondents would have difficulties indicting him. If they did not submit enough baits to do so alone it would be computationally infeasible to them as explained in Sect. 2.1. But even if the pollster did not change parameters, depending on the number of submitted bits and baits single respondents may not gain enough information to indict the pollster on their own. Because baits lower a poll’s accuracy neither should the scheme depend on nor should it give incentives to submitting large fractions of them. Thus, respondents should be able to collaborate with each other or with some bounty hunter in order to indict a malicious pollster. The challenge of implementing this cooperative indictment without endangering the scheme’s fairness is discussed in Sect. 6.

3

Fair Poll Parameter Publication

We focus on the issue of poll parameter publication first. The cryptosystem’s parameters, the commitment to the secret and according commitment parts, and the statement to forfeit a bounty need to be communicated to respondents in a way that does not imperil fairness. The latter statements to forfeit a bounty can be constructed in such a way that repudiation attempts are not possible. Requiring the statements to be digitally signed by the pollster while assuming a public-key infrastructure (PKI) to be in place would be one way. Yet, other parameter modifications can affect the scheme’s fairness. If a pollster can change the cryptosystem’s parameters or the secret, a justified indictment can be, as explained, rendered harder or even infeasible. By changing the secret the pollster can keep the amount of secret bits respondents can potentially learn from leaked responses below a defined threshold. Even if it is assumed that a pollster cannot alter published parameters at will, he may still publish different sets of parameters. The scheme proposed by Golle et al. provides no way to indict the pollster in case of either behaviour. Let us analyse the extent of this issue. Assume that the respondents are using the method of Pollard [8] when trying to recover the secret, as suggested in [2]. They then can find β in time 2(k−l)/2 with l < k, k being the security parameter, and l the amount of bits known to them. The pollster can calculate the number n of participants that can be given the same secret without risking the bounty. Let r be the number of response bits being requested from each participant. Then the statement 2(k−nr)/2 > 2x (1) expresses that the time required by respondents to recover the secret should exceed an amount of time 2x which is assumed to be unreasonable for them. Note that this is a worst case scenario calculation as depicted in Fig. 2. The pollster assumes that all participants of one group spend all their bits in a coordinated fashion meaning that l = nr. In other words, they try to uncover each

272

M. Stegelmann

P

Pi

...

...

r

... ...

}

} }

...

n

r

}

k

re-encrypted secret bit secret bit

re-encryption

Fig. 2. coordinated collaborative indictment

single bit of the secret only once. Although regular respondents are unlikely to submit baits in such a coordinated fashion, when assuming opportunistic bounty hunters a malicious pollster has to bear in mind this scenario. Equation (1) can be transformed to k − 2x n< (2) r as well, which allows the pollster to determine an upper bound for the number of participants he may give the same secret to. Consider a numerical example of k being 160 for a poll asking for r = 13 bits with x being 60. Then n needs to be less than 3. It is also possible to calculate the maximum number of responses a pollster can safely leak if he changes the secret for every respondent. If we let k and x be as defined before and n be equal to 1 then r has to be less than 40 bits. In general, a pollster can choose k and r in such a way that k/r > 1 + 2x in order to be able to publish data without risking his bounty. In addition, it is possible for him to hamper such a coordinated effort. First, he can introduce random noise into leaked responses to increase the number of required coordinated respondents. In presence of noise respondents need to rely on some technique such as a majority vote to find out the real values of secret bits. Second, he can try to detect such response sets by looking at the distribution of the bits. In contrast to regular responses, it is likely to be close to the one of the secret bits since participants cannot know which encrypted bits they re-encrypt. The important question to discuss thus is if detecting poll parameter modifications is a sensible approach. It is possible to check for polls querying similar questions. Such checks can however be evaded by adding superfluous questions, syntactically modifying them etc. Besides the challenge of objectively estimating poll similarity, there may be valid reasons to ask identical questions in different questionnaires. Basic information such as age or sex can be interesting for many polls. Therefore, in the following we examine possibilities of abstracting from polls and imposing limits on pollsters themselves.

Fair Indictment for Data Collection with SEP

4

273

Preventive Poll Parameter Limitation

We begin by describing our preventive approach. It relies on the existence of a third party T trusted to enforce a rate limiting mechanism and can be divided into the following two phases: 1. parameter publication: P requests poll parameter signature by T if rate limit for P not exceeded: T provides signed parameters to P 2. submission: P produces signed parameters to Pi if signature valid and parameters acceptable: Pi proceeds as in Tab. 2 The first step of poll parameter publication includes the protocol given in Tab. 1 with the exception of T taking the place of Pi . That means that P has to setup the poll with T which returns signed parameters if the protocol is successful and the rate limit was not exceeded. The rate limiting mechanism can be implemented to be explicit or implicit. An explicit limit can be placed on the number of poll parameter creations and modifications allowed for a pollster in a given time frame. An implicit limit can be realised by requiring, e.g., a fee from pollsters for the signing of parameters. Although theoretically possible, we do not distinguish between newly created and modified poll parameters because of the, as discussed, similar effects on fairness. The goal of both the explicit and implicit limit is to preserve the scheme’s fairness. Thus, their according parameters meaning number of changes and amount of money respectively have to be chosen accordingly. Equation (2) can help in determining these values for concrete instances. The implicit approach has two important advantages over the explicit one. First, it does not require the storage of any prior records. This also means that there is no need for synchronisation of any kind when extending the concept to allow multiple signing trusted third parties. Second, and more importantly, it is not necessary for T to be able to verify the identity of the pollster. Such a verification is needed for the explicit mechanism in order to prevent denial of service attacks against the pollster by malicious impersonators. Both of the described approaches are preventive. In other words, neither one establishes a new indictment process. When looking at the assumptions, a third party trusted in the above described way could be challenged to be a too strong and restrictive assumption, removing the benefits of the decentralised nature of the scheme. However, the overall goal of fairness must be guaranteed and a third party enforcing a rate limit is still a less strong requirement than the otherwise required party that needs to be trusted unconditionally to not compromise the respondents’ privacy. Checking the compliance of the signing party T is possible as well, since any signed poll parameter set can later be used to prove misbehaviour. For benevolent pollsters the step of getting parameters signed only creates a small, constant overhead since it only has to be done once for every poll. After that the parameters can be distributed to each respondent during the actual poll independent of the signing party.

274

5

M. Stegelmann

Self-Enforcing Poll Parameter Limitation

We now detail a second approach that follows the notion of self-enforcement. The basic idea is to allow proofs on the fact that a pollster has conducted more than a certain number of allowed polls in a given time frame. If such a proof is successful he has to forfeit a bounty. In order to address the first requirement, it needs to be possible to detect and prove that different polls were conducted by the same pollster. In addition, the pollster needs to put a bounty on a successful proof on him exceeding a given poll parameter limit for a specific period. Finally, the polls and a statement about some limit need to be relatable. This can be achieved by requiring pollsters to sign both poll parameter sets and according parameter limit statements with their respective public-key. We assume the existence of a PKI and require the pollster to use his certified public-key for this. To achieve fairness, both repudiation attempts by a malicious pollster and wrong accusations by respondents need to be prevented. Since poll participants need to be able to prove that a poll parameter set was valid at a certain point of time the parameters need not only to contain an upper bound for the number of polls but also a validity time frame. Both can be chosen freely by the pollster. However, before partaking in a poll respondents need to check several things. First, if parameters are still valid and if the to poll parameters and the statement were signed by the same entity. Moreover, if the values chosen by the pollster are acceptable. Time frames for poll parameter limits should typically be imposed on several months rather than days or even shorter periods of time. The number of polls needs to be chosen accordingly. Poll parameter limit statements are not bound to a specific poll and can thus also be supplied separately from specific polls to the respondents. If distinct commitments are made by the pollster he needs to adhere to the lowest bound committed to since each statement is valid independently of the others. Thus, a pollster cannot gain an advantage by issuing less restrictive statements over time. When defined in this way, the according indictment process exhibits some favourable properties. First, it can happen without the involvement of the pollster. In other words, it does not matter if he refuses to partake in his own indictment. Yet, it is not possible to gain an unfair advantage against the pollster since it is assumed that only he is in possession of his secret key. Second, no sensitive data of any respondent need to be revealed during the process as it can be the case during Basic SEP’s indictment phase (see Sect. 6). Respondents can indict the pollster by presenting a commitment that they claim is being violated and an according number of signed poll parameters. Note that since a way to uniquely identify a pollster is needed for indictment, assuming a PKI does not extend the scheme’s initial assumptions. Also noteworthy is that finding respondents and respective poll parameters can be done even if the participants did not coordinate from the beginning on. This is the case if one assumes that it is in the interest of a malicious pollster to form sets of information from multiple respondents and sell or disclose them

Fair Indictment for Data Collection with SEP

275

together. Every such relation introduced by a-posteriori groupings will eventually ease the indictment process.

6

Cooperative Indictment

As elaborated in Sect. 3, there exist cases in which single respondents are unable to gather enough information to recover the secret on their own, even if all of their data are leaked. This does not need to be the result of a pollster changing parameters. It can be avoided altogether, if poll parameters are chosen so that single respondents can indict the pollster or only few bounty hunters need to collaborate (see Eq. (2)). However, this usually is neither a viable nor a desirable solution since this leads to lowered poll accuracy. Thus, when analysing the fairness of Basic SEP cooperative indictment is another important aspect to look at. Golle et al. argue that respondents can either work together or help an untrusted third party such as bounty hunters to indict the pollster [2]. Yet, they do not elaborate on the respective indictment process. From a practical perspective respondents whose data have been leaked may be reluctant to give up the final element of uncertainty that protects their privacy. Only respondents can know which of their respective submissions were indeed real responses and which were baits. So, when asked to reveal to some other party which submissions are indeed baits they give up this security. In addition, the issue of determining the trustworthiness of the communication partner can lead to further issues. If a malicious pollster can pose as a bounty hunter or as a respondent and use the indictment process to get respondents to reveal baits the scheme’s fairness cannot be guaranteed. Worse yet, a pollster can inject fake profiles in the data collection of which he knows that they are to be ignored. Yet, when looking for collaborative indictment partners he will have the ability to hamper the indictment process by for instance revealing wrong baits. Thus, the issue of identity becomes an important aspect for the scheme’s fairness again.

7

Conclusions and Future Work

In this paper we have treated the scheme for data collection with self-enforcing privacy with no release of data. The effects of the until now undefined processes of parameter publication and cooperative indictment on the scheme’s fairness were discussed. A way for the pollster to gain an unfair advantage by using specially constructed secrets was identified and according checks were proposed. Two approaches for fair poll parameter publication were discussed — one of them preventive and one inspired by the concept of self-enforcement. Requirements and benefits of the respective approaches were examined. The discussed results’ applicability is not limited to the analysed scheme but applies to the remaining schemes by Golle et al. as well. However, for the initial security analysis we limited our scope to the above mentioned scheme. Thus, an in depth analysis of the remaining schemes remains an open issue.

276

M. Stegelmann

There exist questionnaire design techniques that intend to increase the confidence in the responses’ correctness by, e.g., reducing the effect of acquiescence response bias. It remains to be investigated how such methods can affect Basic SEP’s fairness. Last but not least, digital cash could be used for the construction of the secret. This would allow respondents to claim a bounty without involvement of the pollster. However, several details need to be investigated to see how a viable solution can be constructed. Acknowledgements. We would like to thank M. Eian for pointing out that specific secrets can be detected efficiently and Stig F. Mjølsnes for suggesting to investigate the use of digital cash.

References 1. Golle, P., McSherry, F., Mironov, I.: Data collection with self-enforcing privacy. In: CCS ’06: Proceedings of the 13th ACM Conference on Computer and Communications Security, pp. 69–78. ACM, New York (2006) 2. Golle, P., McSherry, F., Mironov, I.: Data collection with self-enforcing privacy. ACM Transactions on Information System Security (TISSEC) 12(2), 1–24 (2008) 3. Cox, I.J., Miller, M.L.: The First 50 Years of Electronic Watermarking. EURASIP Journal on Applied Signal Processing 2002(2), 126–132 (2002) 4. El Gamal, T.: A public key cryptosystem and a signature scheme based on discrete logarithms. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985) 5. Camenisch, J., Stadler, M.: Proof Systems for General Statements about Discrete Logarithms. Technical Report 260, Department of Computer Science, ETH Z¨ urich (2001) 6. Chaum, D., Pedersen, T.P.: Wallet Databases with Observers. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 89–105. Springer, Heidelberg (1993) 7. Bella, G., Librizzi, F., Riccobene, S.: Realistic threats to self-enforcing privacy. In: IAS ’08: Proceedings of the 4th International Conference on Information Assurance and Security, Washington, DC, USA, pp. 155–160. IEEE Computer Society, Los Alamitos (2008) 8. Pollard, J.M.: Monte Carlo methods for index computation (mod p). Mathematics of Computation 32(143), 918–924 (1978)

How to Enhance Privacy and Identity Management for Mobile Communities: Approach and User Driven Concepts of the PICOS Project Christian Kahl, Katja Böttcher, Markus Tschersich, Stephan Heim, and Kai Rannenberg Goethe University Frankfurt, Chair of Mobile Business & Multilateral Security Grüneburgplatz 1 60629 Frankfurt am Main, Germany {Christian.Kahl,Katja.Boettcher,Markus.Tschersich, Stephan.Heim,Kai.Rannenberg,picos}@m-chair.net

Abstract. Mobility allows social communities to become a ubiquitous part of our daily lives. However, as users in such communities share huge amounts of personal data and contents, new challenges emerge with regard to privacy and trust. In this paper we motivate the necessity of advanced privacy enhancing concepts, especially for mobile communities and outline the approach of the PICOS project in order to elaborate such concepts. We explicate how we collected mobile community requirements and elaborated adequate concepts to address them. Finally, we conclude with details on how the concepts were prototypically implemented to demonstrate their feasibility, what distinguishes them from existing work, and how we intend to transfer the concepts to practice. Keywords: Mobile Communities, Privacy, Trust, Identity Management.

1 Introduction Recent years have seen the emergence of services for professional and private on-line collaboration via the Internet. Nowadays, people spend increasing amounts of work and leisure time in on-line communities, such as online social networks (e.g. MySpace, Facebook, LinkedIn, etc.), that provide online communication services to support the activities of virtual or real world communities (cf. [1], [2], [3]). Moreover, communities based on mobile communication allow users to participate in their community not only from places where fixed-line communication is available. Mobile communication also allows the provision of services, which make use of context information (e.g., location, time), thereby enabling a deeper integration of people’s virtual (mobile) and real world communities (e.g., via Loopt, Junaio, match2blue) 1. However, when users participate in such communities, they leave private information traces they may not be aware of. The providers of community services 1

www.loopt.com, www.junaio.com, www.match2blue.com

K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 277–288, 2010. © IFIP International Federation for Information Processing 2010

278

C. Kahl et al.

need to handle trust and privacy in a manner that meets the participants’ needs as well as complies with regulation. On the other hand, to finance or co-finance such community services, the infrastructure often needs to be open for marketing activities of sponsors or advertisers [4]. Consequently, a new approach to identity management in community services is needed, in order to meet the stakeholders’ different needs for: • • • •

enablement of trust, by members of the community, in other members and in the service-provision infrastructure, privacy of community members’ personal information, control by members of the information they share, and interoperability of community-supporting services between communication service providers.

The project PICOS2 has the goal to develop such a new approach to identity management, for enhancing the trust, privacy and identity management aspects of community services and applications on the Internet and in mobile communication networks. The PICOS approach addresses the following four questions: 1. 2. 3. 4.

What are the trust, privacy and identity issues in new context-rich mobile communication services, especially community-supporting services? How can information flows and privacy requirements be balanced in complex distributed service architectures (e.g., mash-ups)? How can these issues be solved in an acceptable, trustworthy, open, scalable, manner? Which supporting services and infrastructures do the stakeholders need?

In a first step to address these questions, our approach foresaw an analysis of related contemporary research and investigated the context of communities (e.g., legal, technical and economic aspects). In a next step, we gathered requirements from exemplary mobile communities in a bottom-up approach and designed a community platform architecture including concepts to address the gathered requirements and enable open, privacy-respecting identity and trust management. The architecture and concepts were prototypically implemented in a community platform and community applications, which are being tested in user trials and evaluated concerning trust, privacy, usability, ergonomics and legal issues. This paper focuses on the process of gathering requirements (Section 2) and transforming them into adequate concepts and features for communities (Section 3), as well as on the implementation of these concepts as features in the aforementioned community platform and the first community application (Section 4). An analysis of the benefits for users and of related work follows in Section 5, a conclusion and an outlook in Section 6.

2 User-Group Driven Requirements of Mobile Communities The process of requirements gathering in PICOS was characterised by a strong user involvement and was conducted along several real-world application scenarios. The 2

The project PICOS is receiving funding from the European Community’s Seventh Framework Programme (FP7/2007-2011) under Grant Agreement n° 215056.

How to Enhance Privacy and Identity Management for Mobile Communities

279

resulting community specific requirements were then generalised, as described in the following sections. 2.1 Involvement of Users in System Development The involvement of users in the development life-cycle plays an important role for the success of ICT systems [5]. Comprehensive requirements engineering depends on appropriate interactions between end users and requirements analysts to obtain a properly functioning system that reflects users‘ preferences and needs. It is recommended, that end users are involved already at the very early stages of a project in order to acquire and consolidate requirements and domain knowledge as effectively as possible (cf. [6] and [7]). Certainly, continuous interactions with users also in later phases of development processes are needed to validate the realisation of those requirements in an ICT system. Following this approach, PICOS has a strong focus on users. Besides influencing the set of realised functionality, involving users right from the beginning has a positive effect on their attitude regarding ICT in the long run. Users also have to deal directly as well as indirectly with privacy and trust questions, which may raise their awareness in this domain. This further contributes to empowering users to handle and manage the disclosure of their personal data and the protection of their privacy – not only on a technical level but also with respect to conscious awareness. In addition, it is expected that a system, which is designed considering the advice of PICOS end users, will be accepted by comparable communities. 2.2 Requirements Gathering along Real-World Scenarios Today’s social communities, differ with respect to their structures, stakeholders, intentions, objectives and mobility. Accordingly, needs for trust, privacy and identity management vary between different categories of communities. For narrowing the scope of PICOS and for concretising the problem space, three exemplary focus communities, i.e., recreational angling communities, independent taxi drivers and online gamer communities have been selected to accompany the development of privacyenhancing identity management solutions for community services. The selected groups all represent communities which benefit from mobile community services and which share a general need for trust, privacy and identity management. At the same time the groups differ by their characteristics, purposes and goals, and the specific requirements of their stakeholders (cf. [3] for more detailed information). Recreational anglers, for example, which serve as our first focus community, are organised in various kinds of communities, e.g., angling clubs/associations, or networks of loose friends. The members of these real world communities interact in various ways, e.g., they arrange meetings, prepare angling trips, share information (e.g., pictures) about their last angling trip with friends, or just inform themselves on weather or environmental information when they are angling [8]. Within such community interactions they share more or less private information, wherefore they have an inherent need for privacy and trust.

280

C. Kahl et al.

2.3 An Approach Towards Community Generic Requirements Community-specific as well as general requirements with respect to trust, privacy and identity management have been identified by involving stakeholders of exemplary communities into the identification process. During the requirements gathering phase, the project team established close connections to representatives of the three focused communities. They were interviewed individually and in meetings to understand their attitudes and needs regarding trust, privacy, and identity management in the light of next generation community services. The complex feedback given by these community stakeholders has been categorised, explained, and backed by rationales for the stakeholders’ vital interest that the requirements they stated become addressed. These community-specific requirements are mainly based upon interviews with community experts and representatives, questionnaires and observations. The requirements address trust, privacy and identity management aspects that are significant in the particular domain. In a “top-down-bottom-up”-approach in analogy with general approaches for modelling enterprise data ([9], [10]), the PICOS consortium first designed (top-down) a high-level model identifying the core dimensions of requirements relevant for this problem space. Then the analysis of the three exemplary communities led (bottom-up) to domain-specific models of community-specific requirements. Certainly, the community-specific requirements do not reflect the full set of requirements necessary for successfully designing an architecture suitable for all kind of communities with a mobile background. Accordingly, the community specialists of the PICOS consortium generalised these community specific requirements by merging them. This process was driven by a high-level model and by the project consortium’s earlier experiences with other mobile and online communities and the respective observations. Finally, 74 generalised community requirements grouped into the five categories trust, privacy, identity management, platform and services have been identified [3]. This high number reflects the broad spectrum of current online communities that utilise mobile services to support their activities, their different use cases and the parties interacting with them. It has to be stated clearly that only summarising and elaborating on requirements that could be transferred one by one into technical implementations was not regarded as sufficient for the success of the PICOS project. We argue that including design principles and expectations of end users, community providers and other parties (e.g., advertisers), as additional requirements, is inevitable to implement and deliver suitable solutions. Hence, the set of requirements was extended and put in relation to the high-level model. In addition, business requirements for ensuring that PICOS could easily be included into existing business processes complete the set of nonfunctional requirements. Using the example of advertising, we analysed which requirements have to be met by a system assuring that a community member stays in control about her data flows and how revenues could be generated while respecting users’ privacy. Examples are determining and negotiating the right set of necessary personal information and transparency regarding stored and processed data. The requirements gathering process is highlighted in Figure 1.

How to Enhance Privacy and Identity Management for Mobile Communities

281

Architectural Requirements

r y ed itn iv uo r mP e m o cvi C er S

erd iv o rP ec iv re S

sr o ta re p O eil b o M

rs ed iv o rP m ro tfa lP

Legal Framework Assurance

General Requirements (extended & generalised requirements) – possibly contradictory & overlapping

Usability

Advertising

Generalised Requirements

Extension of Requirements

Community-specific Requirements wrt Trust, Privacy and IdM Æ Focus: Community Members

Trust

Requirements

Requirements

Requirements

Privacy IdM

Angling Community

Taxi Driver Community

Gaming Community

Categorisation

Categorisation

Categorisation

Fig. 1. Requirements gathering process

Finally, the gathered set of extended and generalised requirements was mapped to the community-specific requirements of our three exemplary communities where the specialists of the PICOS consortium together with the community representatives were able to identify that there exists a demand for the formulated requirements [3].

3 PICOS Concepts and Features Based on the requirements gathered the PICOS community platform architecture was developed: The elaborated concepts and derived technical features and components are described in the following. For illustration a subset of these requirements is listed in Table 1 together with architectural concepts to address these requirements. These concepts can be subsumed under three different categories, which are explained in the following subsections. While the underlying requirements were gathered from communities with a mobile focus (cf. 2.2), the developed concepts may be of use for other communities also. 3.1 Enhanced Identity Management To enhance the identity management in mobile communities and thereby address especially the requirements with regard to the disclosure of personal information and

282

C. Kahl et al. Table 1. Selected requirements and corresponding concepts (cf. [3])

Requirement (R1.1) (R2.1) (R2.3) (R2.7) (R2.8) (R2.9) (R2.10) (R2.11) (R2.12) (R3.4) (R3.5) (R4.4)

Name Personal Trust Data Minimisation Confidentiality Definition of Privacy Settings Visibility and Reachability of Users Default and Advanced Privacy Management Unlinkability Fine-grained Disclosure and Sharing of Data and Information Control over Data and Information Flows Partial Identities Subsequent Release of Identity Attributes Policy Definition and Enforcement

Addressed by Partial Identities Privacy Advisor Sub-Communities, Private Room Location Blurring, Policies Location Blurring, Policies Policies Partial Identities Sub-Communities, Location Blurring, Policies, Private Room Policies Partial Identities Partial Identities, Policies Policies

its accessibility for other users, a number of concepts were developed or further elaborated. Based on the concept of mobile identity management [11], such concepts can support users in managing the disclosure of their current position and mobile identity in communities. Sub-communities and Partial Identities are two concepts to help users in selectively sharing personal information with others. Sub-Communities By founding a Sub-Community, users can create a restricted area, which allows the sharing of personal information among a limited group of community members. Subcommunities can be public or private. In the latter case the founder is able to decide who is allowed to be a member of that group by selecting individual members or by filtering on a set of personal profile characteristics of other members (R2.11). Information published in that Sub-Community is only accessible by its members (R2.3). Users within such a private Sub-Community can trust that published information is only accessible by other authorised members of this Sub-Community. Therefore, a user who wants to share information or resources does not need to approve access of each single user. Partial Identities Identity management in PICOS was designed with the goal to enable users to manage their identity-related information in a convenient way. The concept of Partial Identities [12] in particular allows users to create different identities for the usage in different usage contexts and different purposes. With the help of Partial Identities users are enabled to have a set of several identities in one community to decide for each identity which of their personal information they want to disclose. Each Partial Identity of a user appears to other users as a unique, individual community member. To address requirement R2.10 the relation between the different Partial Identities is only visible for the user itself and the community operator. For instance, if a user participates in different sub-communities, Partial Identities support him in hiding and revealing relations between different elements of his personal information.

How to Enhance Privacy and Identity Management for Mobile Communities

283

Regarding the angling community example, a young unskilled angler could use one Partial Identity to be present in a Sub-Community for beginners in fly-fishing. At the same time he might express his interest in classic angling in a related Sub-Community with a 2nd Partial Identity, without the need to admit his beginners’ status. The Partial Identity manager allows users to create and administer Partial Identities and to set profile information for each of them (R3.5). Considering requirement R1.1 users are not allowed to have a different gender or age in their Partial Identities. An always visible pull-down menu supports switching between Partial Identities and chosing the most appropriate one for the respective situation. 3.2 User Controlled Information Flows As the user requirements show, a balance needs to be achieved between publishing personal information in order to use functionalities of the community and keeping a certain degree of privacy. The following PICOS concepts support users in keeping their privacy while being able to use the community according to their needs. Location Blurring In mobile environments, especially location information is of interest, e.g., for location based services (LBS). Such services are also of interest for mobile communities, to display friends on a map or to share information about interesting spots in close vicinity. However, usually there is only the option to either show or hide completely one’s own position, e.g., in the initially mentioned examples such as Loopt. The PICOS concept of Location Blurring is a concept which gives users the additional opportunity to hide their exact position without being completely invisible to others. It foresees the obfuscation of a user’s current position or a point of interest at various levels (R2.7, R2.11). The position is displayed as a circle of a defined radius (e.g., 1, 2 or 5 km) within which users are located. Moreover, the concept allows users to specify, which other users are able to see their exact position and their blurred position (R2.8). Making use of the policies concept described below users can also differentiate their blurring configurations considering which other users get the localisation information. In the case of the PICOS angling community a user can hide the position where he is angling currently and also the exact location of a fishing spot, when this is added into a database of fishing spots on the PICOS platform. Policies The PICOS community prototype enables users to selectively define Policies in order to control who is allowed to see certain personal information (R2.7, R2.12, R4.4). These user-centred policies are based on rules, which also take context information into consideration (e.g. the current location of the user). Based on these rules a user can determine which information is available to other users in a defined situation. This can be done individually for each Partial Identity (R2.9, R3.5). It is possible to define policies for a user’s presence, his location, and for selected profile information (R2.8). Thus, the PICOS policy editor enables users to manage their privacy in a very fine-grained manner (R2.11).

284

C. Kahl et al.

Private Room Private Rooms enable users to establish a personal area for managing their private information and content. They enhance users‘ privacy by enabling them to store and selectively publish their private information to a certain set of other users (R2.3). Users can publish their selected private information to another user, respectively a known Partial Identity, or to a group of users in a private Sub-Community (R2.11). In the scenario of the angling community users can manage pictures and catch diary entries in their individual private room by adding information, pictures etc. Finally, they can publish their diary entry by transferring it to a private Sub-Community, a public Sub-Community or the public community (Figure 2). Additionally, users are able to decide which of their Partial Identities will be shown as the author of their catch diary entries.

Fig. 2. Screenshots of Privacy Policies (left) and Private Room (right)

3.3 Privacy Awareness Support Managing privacy by means of Partial Identities on a mobile device might be too demanding for some users. Therefore, the concept of the Privacy Advisor was developed to provide guidance to users, e.g., regarding disclosure or sharing of location information. The Privacy Advisor is context sensitive and provides hints in specific situations when personal information of users is involved, e.g., registration or profile editing. It aims to warn a user in cases where the disclosure of information might be associated with risks for the user’s privacy (R2.1). Thereby the Privacy Advisor will help to create awareness of privacy related aspects within mobile communities and in specific usage situations, based on the user´s actual behaviour and context.

4 Implementation into Existing Community Platform The PICOS architecture, including the previously explicated concepts, can be divided into two main parts, namely the PICOS Community Platform and the PICOS Community Application (Figure 3). Both were prototypically implemented with a subset of the concepts and features the architecture contains, in order to evaluate the

How to Enhance Privacy and Identity Management for Mobile Communities

285

concepts and to demonstrate their benefits by means of our communities. In particular, we aimed to answer the question how far the concepts (Section 3) are able to address the gathered community requirements (Section 2).

Fig. 3. PICOS Implementation - Platform and Community Application

The platform is responsible for all community agnostic services, which are common for many communities, based on generalised requirements. The platform consists of a variety of components, each component with a dedicated set of features which address certain requirements directly or indirectly. For example, a Register component dealing with the registration process of new users, a Login component dealing with the session management, and a Partial Identity Management component. In order to avoid the re-development of basic community functionalities from scratch the platform is partially based on the OpenCall platform3, which provides functionalities for mobile community related communication services (e.g., chat/messaging, friend lists) and also uses elements of the open source framework ELGG4. The Community Application (Angler Application) is composed of a client side and a server side. The client side uses a Symbian platform5 mobile phone and the J2ME (Java 2 Mobile Edition) environment with an installed PICOS Angler Application. It is structured in different layers as shown in Figure 3. Its design follows the modelview-controller pattern, which separates the graphical user interface from the underlying business logic and data. The server side is composed of platform components, the Community Application server side and the RPC gateway, which acts as a proxy to provide a unified access to the PICOS server side. The PICOS implementation interfaces with 3rd party components in two different ways: The client application accesses the Fishbase database6 via the RPC Gateway to retrieve fish species related data, whereby Fishbase is integrated into the Community Application. The client side communicates with the server side and also with a 3rd 3

http://h20208.www2.hp.com/opencall/platforms/index.jsp http://elgg.org/ 5 www.symbian.org 6 www.fishbase.org/home.htm 4

286

C. Kahl et al.

party map service, in order to realise map and location features and demonstrate related PICOS features (e.g., Location Blurring). This also underlines the openness of the platform for the integration of external services.

5 Benefits and Related Work To be able to assess the relation to related work laid out in Subsection 5.2, first an analysis of the benefits of the PICOS work for end users is given in Subsection 5.1. 5.1 Benefits for PICOS Users With mobile communities, the work of PICOS addresses an almost unexplored domain in particular with regard to privacy, trust and identity management aspects. The PICOS concepts outlined aim to provide a significant improvement with regard to privacy, trust and identity management aspects. The PICOS users will benefit in particular from: 1. 2. 3. 4. 5.

Continuous user involvement and the consideration of user requirements throughout the whole research process, Innovative concepts, for improving users’ privacy and providing them with new identity management tools, Improvement of awareness in the public for the challenge of privacy respecting community services, Aimed integration into an existing community in order to transfer the concepts to practice, and Integration into an existing mobile community and communication platform.

The integrative approach, right from the start of the project is an essential and strong feature of PICOS. The PICOS platform incorporates community knowledge and delivers a technical system that can be used by network operators and application providers for application integration. Thus, it serves as a reference implementation of a state-of-the-art community supporting identity management system. 5.2 Related Work Although there is research in the domain of communities with regard to privacy, trust and identity management, there is little, significant work that addresses the four main questions for PICOS, as listed in the introduction. By answering those four main questions, PICOS advances state-of-the-art concepts and technology in the field of trust, privacy and identity management. In some of the areas work has already been done by projects such as PRIME7, PrimeLife8, PEPERS9 and DAIDALOS10. The work within PRIME was focused on privacy-respecting identity management, and part of this includes the enablement and 7

www.prime-project.eu www.primelife.eu 9 www.pepers.org 10 www.ist-daidalos.org 8

How to Enhance Privacy and Identity Management for Mobile Communities

287

management of trust, but it did not focus on (mobile) communities. PrimeLife is working on communities, but not with regard to really established communities and specific application domains. The objective of PEPERS was to research a mobile peer-to-peer security infrastructure with the focus on decentralised trust and identity management. In contrast to PICOS, PEPERS considers individual stakeholders (e.g., journalists) and centrally managed employees, their needs (e.g., for identity management capabilities, privacy, trust, etc.) and how to balance the tensions between them. DAIDALOS concentrates on ubiquitous services provided to mobile users in a secure and privacy-friendly manner but its focus lies on the single user and not on communities and their special needs and requirements. Besides the named research projects, the aspect of privacy in online communities is discussed intensively in the research area (cf. [13], [14], [15]), but with the focus on online communities usually not considering the special aspects of mobile communities.

6 Conclusion and Outlook This paper outlined why there is an increasing need for privacy and identity management related enhancements in mobile communities and motivated why research is necessary in this application area. We then described how we intend to achieve such enhancements and explained how user requirements were gathered. Some of the innovative concepts, which we developed, based on such requirements, have been introduced. Finally, we described how such concepts were prototypically implemented and how the integration with an existing community platform was realised. Each implementation of the PICOS community application prototypes is undergoing a trial with end-users of the exemplary communities. The 2nd cycle of PICOS benefits from the results of the first trials and the evaluation with anglers [17]. They will be used to improve the angler community application as well as to transfer the results to another type of community, an online gaming community. Online games represent large communities in which players interact and collaborate. Mobile communication allows them to stay in touch with their community from wherever they are and consequently on a more continuous basis. This also allows new opportunities, e.g. for advertisers and raises new challenges with regard to privacy and trust. As a part of PICOS’ second cycle especially the aspects of defining and managing policies, the Privacy Advisor and the economic potential of privacy in mobile communities will be further investigated. By this, existing privacy and identity management concepts will be enhanced and additional concepts based on the requirements of online gamers will be introduced. Finally, we will investigate how far the results from both cycles can be generalised for further (mobile) communities. The continuous involvement of users and especially the close contact to the focused communities provide a close feedback loop to check whether the requirements have been met. The integration of industrial partners, e.g., the developers of community platforms, raises the chances, that the elaborated concepts are finding their way into the market and to existing communities providing a sustainable benefit for the involved stakeholders.

288

C. Kahl et al.

Acknowledgments. The research leading to these results has received funding from the European Community’s Seventh Framework Programme (FP7/2007-2011) under Grant Agreement n° 215056. The authors would like to thank in particular André Deuker for editorial remarks.

References 1. Nielsen: Critical Mass - Worldwide State of the Mobile Web. Nielsen Mobile (2008) 2. Nielsen: Global Faces and Networked Places - A Nielsen report on Social Networking’s New Global Footprint. Nielsen (2009) 3. Liesebach, K., Scherner, T.: D2.4 Requirements. Public Deliverable of EU Project PICOS (2008), http://www.picos-project.eu/Public-Deliverables.29.0.html 4. Hoegg, R., et al.: Overview of business models for Web 2.0 communities. In: Proceedings of Workshop Gemeinschaften in Neuen Medien, pp. 33–49. TUD Press, Dresden (2006) 5. Clavedetscher, C.: Point: User Involvement Key to Success. IEEE Software 15(2), 30, 32 (1998) 6. Rumbaugh, J.: Getting Started: Using Use Cases To Capture Requirements. ObjectOriented Programming Journal 7(5), 8–12 (1994) 7. Holzblatt, K., Beyer, K.R.: Requirements gathering: the human factor. Communications of the ACM 38(5), 31–32 (1995) 8. Arlinghaus, R., Mehner, T., Cowx, I.G.: Reconciling traditional inland fisheries management and sustainability in industrialized countries, with emphasis on Europe. Fish and Fisheries 3(4), 261–316 (2002) 9. Pin/Shan Chen, P.: The Entity Relationship Model, Toward a unified View of Data. ACM Transactions on Database Systems 1(1), 9–36 (1976) 10. Vernadat, F.B.: Enterprise Modeling Languages. In: Proceedings of International Conference on Enterprise Integration Modeling Technology, Torino, Italy (1997) 11. Müller, G., Wohlgemuth, S.: Study on Mobile Identity Management, Public Deliverable of EU Project FIDIS (2005), http://www.fidis.net/fileadmin/fidis/deliverables/ fidis-wp3-del3.3.study_on_mobile_identity_management.pdf 12. Hansen, M., Berlich, P., Camenisch, J., Clauß, S., Pfitzmann, A., Waidner, M.: PrivacyEnhancing Identity Management. Information Security Technical Report 9(1), 35–44 (2004) 13. Chew, M., Balfanz, D., Laurie, B.: Undermining Privacy in Social Networks. In: Web 2.0 Security and Privacy (in conj. with IEEE Symposium on Security and Privacy) (2008) 14. Adu-Oppong, F., Gardiner, C.K., Kapadia, A., Tsang, P.P.: Social Circles: Tackling Privacy in Social Networks. In: Proceedings of the 4th Symposium on Usable Privacy and Security (SOUPS ’08), Pittsburgh, Pennsylvania, July 23-25 (2008) 15. Hiltz, S.R., Passerini, K.: Trust and Privacy Concern Within Social Networking Sites: A comparison of Facebook and MySpace. In: Proceedings of AMCIS 2007 (2007) 16. Boyd, D.M., Ellison, N.B.: Social Network Sites – Definition, History and Scholarship. Journal of Computer-Mediated Communication 13 (2008) 17. Ganglbauer, E., Döbelt, S., Ueberschär, B.: D7.2a First Community Prototype: Lab and Field Test Report. Public Deliverable of EU Project PICOS (2010), http://www.picos-project.eu/Public-Deliverables.29.0.html

Performance Analysis of Accumulator-Based Revocation Mechanisms Jorn Lapon1, Markulf Kohlweiss3 , Bart De Decker2 , and Vincent Naessens1 1

Katholieke Hogeschool Sint-Lieven, Industrial Engineering 2 Katholieke Universiteit Leuven, CS-DISTRINET 3 Katholieke Universiteit Leuven, ESAT-COSIC / IBBT

Abstract. Anonymous credentials are discussed as a privacy friendlier replacement for public key certificates. While such a transition would help to protect the privacy of digital citizens in the emerging information society, the wide scale deployment of anonymous credentials still poses many challenges. One of the open technical issues is the efficient revocation of anonymous credentials. Currently, accumulator based revocation is considered to be the most efficient and most privacy friendly mechanism for revoking anonymous credentials. This paper analyses the performance of three accumulator based credential revocation schemes. It identifies the bottlenecks of those implementations and presents guidelines to improve the efficiency in concrete applications. Keywords: Anonymous Credentials, Revocation, Accumulators.

1 Introduction In an increasing information-driven society, preserving privacy becomes essential. However, anonymity comes with a snag: it facilitates clandestine and illegal actions. Anonymous credentials, such as idemix[1] and U-Prove[2], promise a solution. They protect the user’s privacy, while ensuring accountability. Another emerging trend is the increasing amount of mobile applications and services. People use their mobile device to read mails, access social networks, order tickets, and much more. As these mobiles are easily lost or stolen, effective revocation mechanisms are essential. As anonymous transactions should still remain anonymous, this is not a trivial task. Efficient revocation mechanisms are crucial, especially if anonymous credentials are used in large scale settings such as electronic identity cards and e-passports. Currently, the most efficient solutions [3,4,5], among the privacy friendly ones, use cryptographic accumulators to support revocation. Verifier local revocation [6] is also efficient for some scenarios, but has other disadvantages. For instance, if a credential is ever revoked, signatures created with that credential before its revocation, become linkable. Accumulators have been used for a variety of applications such as time-stamping [7], fail-stop signatures [8], credential or membership revocation [3], and broadcast authentication [9,10]. Contrary to certificate revocation lists (CRL) in public-key infrastructures, that act as a blacklist of revoked certificates, accumulators are primarily used for white-list revocation mechanisms. The accumulator acts as a white-list representing the ‘identifiers’ of K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 289–301, 2010. c IFIP International Federation for Information Processing 2010 

290

J. Lapon et al.

valid credentials. Because of the compact representation and efficient proofs of membership used in such schemes, accumulators are more suitable for white-list revocation than CRL-based mechanisms. Accumulator schemes that could be used for black-list revocation exist in the literature [11,12]. Their non-membership proofs are, however, less efficient. Our Contribution. This paper evaluates and compares three accumulator schemes for the revocation of anonymous credentials based on white-listing: the scheme proposed by Camenisch and Lysyanskaya CL, [3]; the scheme due to Nguyen LN [4]; and the construction due to Camenisch, Kohlweiss and Soriente CKS [5]. We compare their computational and storage performance and evaluate their suitability for massive deployment (e.g. in a national eID infrastructure). Finally, relevant optimisation guidelines are proposed. The paper is structured as follows: Section 2 introduces some technologies used in this paper. Section 3 briefly describes the implemented accumulator schemes. Some implementation details and configuration settings are given in Section 4 followed by the results in Section 5. These results are further discussed in Section 6 and finally some conclusions are drawn.

2 Definitions Cryptographic Accumulators. A cryptographic accumulator, first introduced by Benaloh and de Mare [7], is a construction which allows the accumulation of a number of elements into one value. The size of this value is independent of the number of elements incorporated. For each accumulated element, there is a witness that allows to prove that the element is contained in the accumulator. It must be infeasible, for the adversary, to find a witness for an element that is not included in the accumulator. Camenisch and Lysyanskaya [3] further extended this notion into dynamic accumulators. In dynamic accumulators adding and removing values and updating individual witnesses can be done dynamically [1]. Anonymous Credentials. Anonymous credential systems [13,14,1,2] allow for anonymous yet accountable transactions between users and organisations. Moreover, selective disclosure allows the user to reveal only a subset of possible properties of the attributes embedded in the credential: e.g. a credential with the user’s date of birth as an attribute can be used to prove that the owner is over 18 without disclosing the exact date of birth or other attributes. The accumulator based revocation schemes are especially useful for anonymous credentials in which multiple shows are unlinkable [13,14,15]. All these schemes originate from existing group signatures and identity escrow schemes. To add support for accumulator-based revocation, the user needs to prove during the show of such a credential, that a hidden identifier bound to the credential is still contained in the accumulator. Bilinear maps. Let G1 , G2 and GT be (multiplicative) groups of prime order q. A bilinear map (also known as a pairing) from G1 × G2 to GT is a computable map e: G1 ×G2 → GT with the following properties:

Performance Analysis of Accumulator-Based Revocation Mechanisms

291

1. Bilinearity: for all u ∈ G1 , v ∈ G2 and a, b ∈ Z : e(ua , vb ) = e(u, v)ab 2. Non-degeneracy: for all generators g ∈ G1 , h ∈ G2 : e(g, h) generates GT . 3. Efficiency: there is an efficient algorithm BMGen(1k ) that outputs (q, G1 , G2 , GT , e, g, h) to generate the bilinear map (with k the security parameter and g and h generators) and an efficient algorithm to compute e(u, v) for any u ∈ G1 , v ∈ G2 As the protocols proposed in [3] and [4] are both constructed using symmetric pairings, only symmetric bilinear maps (G1 = G2 ) will be considered in this paper.

3 Accumulator Schemes This section briefly discusses the schemes in [3,4,5] (i.e. CL, LN and CKS) and summarizes their properties. We give a common interface for accumulator based revocation of anonymous credentials based on these systems. For a more detailed discussion, we refer to the original papers. The common interface defines the protocols required for processing anonymous credentials with accumulator-based revocation. The schemes under evaluation, all specify these protocols, hence, we did not modify the protocols in any major way. We do, however, implement a common book-keeping approach that deviates slightly from the one given in the referred papers. An archive table H records the history of the accumulator and allows to derive the list of added and revoked elements (Va resp. Vr ) at a given time. The entities participating in the protocols are: the issuer I, responsible for the creation and revocation of credentials; the user U, the owner of an anonymous credential; and the verifier V. The verifier checks the revocation status of the user with the help of a zero knowledge proof (authCred). In the schemes below, the following notation will be used to denote a local computation performed by X and a protocol between X and Y respectively: X : (outc ; outx ) ← f (inc ; inx ) X ↔ Y : (outc ; outx ; outy ) ← f (inc ; inx ; iny ) The computations take public input inc and secret input inx , iny from X and Y respectively and result in outputs outx and outy to X and Y respectively; outc is public output. Empty inputs and outputs are represented by ε . / skI )← initScheme(1k , Nt ; ε ) I : (pkI , acc, H = 0; is a probabilistic key generation algorithm that is executed by the issuer. It initializes the environment for the credential scheme for a given security level k. The second input is the capacity of the accumulator Nt , i.e., the maximum number of elements that can be accumulated. The public key pkI also fixes the set X of all elements that can potentially be accumulated (with |X| = Nt ). acc is the initial cryptographic accumlator. The history H, is initially empty. U ↔ I : (acc , H  ; credU ; ε )← issueCred(acc, H, pkI ; ε ; skI ) is a probabilistic interactive algorithm run by the issuer and a user. The issuer issues the credential credU to the user and adds the credential’s identifier idC ∈ X to the accumulator acc. The credential includes witness information witC and a private key, that is unknown to the issuer. Only the issuer can add new credentials, as the secret key skI is required for issuing. The new history H  = H ∪ {idC , “add” } is updated accordingly.

292

J. Lapon et al.

I : (acc , H  ; ε ; ε )← revokeCred(acc, H, pkI ; skI , idC ) is a probabilistic algorithm that is executed by the issuer to revoke the credential idC . The new history becomes H  = H ∪ {idC , “delete” }. U : (ε ; witC  )← updWitness(acc , H  , pkI ; witC ) is a deterministic algorithm, usually executed by the user, that updates the witness to correspond with the latest accumulator value acc . However, as no secret data is required, this protocol can be performed by another, possibly untrusted, entity. The duration of witness updates depends on the number of elements added or revoked since the last witness update. The latter can be inferred from the book-keeping information H. U : (ε ; boolean)← verifyAccu(acc, pkI ; idC , witC ) is a deterministic algorithm to verify that idC is indeed accumulated in acc based on the up-to-date witness information witC . U → V : (ε ; ε ; boolean)← authCred(acc, pkI ; credU ; ε ) is a two-party non-interactive zero-knowledge proof protocol that allows the user to prove to the verifier that credU is a valid credential (i.e. authentic and not revoked). 3.1 CL Scheme Camenisch and Lysyanskaya [3] were the first to introduce an accumulator scheme for the revocation of anonymous credentials. The scheme extends the collision-resistant accumulator defined by Baric and Pfitzman, based on the strong RSA assumption, allowing dynamic updates of the accumulated set. The core of the accumulator is constructed as follows: acc = g

∏id ∈Va \Vr idi i

id =id

mod n, witC = g

∏idi ∈VaC\Vr idi i

?

mod n, verifyAccu: acc = (witC )idC mod n,

with n an RSA modulus (i.e. the product of two safe primes p and q), g a quadratic residue modulo n, idC the accumulated value (X is the set of random primes from a predefined interval), witC the witness of the user and idi ∈ Va \Vr the currently accumulated values.

The authors applied the accumulator scheme to the identity escrow scheme due to Ateniese et al. [16], which was at that time, the most efficient and secure identity escrow scheme known. Later on, the efficiency of the protocol has been further improved. One of these schemes, based on the so-called SRSA-CL-signatures [17], is used in the credential scheme proposed in [15]. This scheme, that is also used in idemix, can be easily combined with the proof that a committed value has been accumulated, using Pedersen commitments. This proof was also mentioned in the paper [3]. We integrate the accumulated value idC as an attribute of the credential. For the signature, we compute A such s id that Z = Sv R1C R2 C Ae mod n with S ∈R QRn , R1 , R2 , Z ∈R S , random prime e, master secret sC and accumulated value, prime idC ∈ X. 3.2 LN Scheme Nguyen [4], was the first to use bilinear maps to implement a dynamic accumulator for revocation. The security of the accumulator is based on the q-SDH assumption, with q

Performance Analysis of Accumulator-Based Revocation Mechanisms

293

an upper-bound on the number of elements to be accumulated. The scheme employs a symmetric bilinear map e: G1 × G1 → GT 1 . ∏id ∈Va \Vr (idi +s)

acc = g

i

id =id

∏idi ∈VaC\Vr (idi +s)

, witC = g

i

?

, verifyAccu: e(hidC h pub , witC ) = e(h, acc),

with g, h generators of G1 , idC ∈R Z∗q , the accumulated value and witC the witness of the user, idi ∈ Va \Vr the currently accumulated values, and issuer secret s ∈R Z∗q with h pub = hs .

The signature scheme, used by the authors, is based on the signature scheme due s to Boneh and Boyen [18] : σ = (h0 h1C )1/(idC +sI ) with h0 , h1 generators of G1 , master secret sC ∈R Z∗q , accumulated value idC and issuer secret sI . This scheme is proven secure [19] under the q-SDH assumption [18]. 3.3 CKS Scheme A recent scheme (2009) implementing dynamic accumulators was proposed by Camenisch, Kohlweiss and Soriente [5]. Similar to the LN-scheme, this scheme uses a bilinear map e: G1 × G1 → GT . However, the construction of the accumulator is different and is based on another assumption, the n-DHE assumption. Additionally, the n-HSDHE assumption is required for the proof that a hidden value is accumulated. acc = ∏idi

∈ Va \Vr (gNt +1−i ),

id =id

witC = ∏idii ∈ Vja \Vr (gNt +1−i+ j ), verifyAccu:

e(gi ,acc) ? = e(g,witC )

z,

with g a generator of the group G1 , Nt , the capacity of the accumulator such that X=[g1 = 1 Nt gs , . . . , gNt = gs ], state information [g1 , . . . , gNt , gNt +2 , . . . , g2Nt ], issuer secret s and the set of currently accumulated values Va \Vr .

The signature scheme originates from the same Boneh and Boyen signatures as the LN scheme, which is further modified by Camenisch et al. [20] for the issuance of anonymous credentials and proven secure in [21] under the q-SDH assumption: σ = (gi h0 hs1C )1/(c+sI ) with h0 , h1 generators of G1 , master secret sC , issuer secret sI , random number c, and the accumulated value gi .

4 Implementation 4.1 Implementation Notes To compare the schemes discussed above, they are all implemented in C++. The bilinear maps applied in the LN and CKS scheme, are initialized using the PBC Library [22]. This library is built on top of the GNU Multiple Precision Arithmetic Library (GMP [23]), which performs the underlying mathematical operations. To make the comparison as fair as possible, the CL scheme, which does not use bilinear maps, is implemented using the GMP library directly. Where applicable, optimized versions for applying pairings and multi-exponentiations in both libraries are used. However, further optimisations may still be possible. 1

Note: in the original paper, the group operations were expressed using the additive notation.

294

J. Lapon et al.

Various protocols are used to prove knowledge of a valid credential. Most of the papers use the notation introduced by Camenisch and Stadler [24]. Nevertheless, the implementation of these schemes was not straightforward. We had to deal with many details and small differences: e.g., some schemes use a group of known order, others of hidden order; interactive versus non-interactive proofs of knowledge; the length of random values and nonces. In the implementation, the proofs of knowledge were made non-interactive. Interactive proofs can be converted to non-interactive ones, using the Fiat Shamir heuristic [25]. For the anonymous credential schemes, only the required minimal set of attributes are added to the credentials (i.e the master secret). Thus, the overhead in storage and computation, resulting from additional attributes embedded in the anonymous credential, is not reflected in the results. Likewise, for interactive protocols, the communication overhead is not considered. 4.2 Configuration The pairing-based schemes, LN and CKS are constructed using symmetric pairings. The pairing used, is a ’Type A’ pairing, as defined in the PBC Library. This pairing is the fastest, available in the library, and allows the user to select the field-size and subgroupsize. However, as the implementation is independent of the type of pairing, other symmetric pairings could be used as well. The ’Type A’ pairing has the following properties: e: G1 × G1 → GT on a supersingular curve E : y2 = x3 + x with embedding degree 2, field-size lq = 1024 bits, and a subgroup of size lr = 192 bits. For the idemix-based CL scheme, the following system parameters2 are used: ln = 2048, k = 80, k = 80, le = 838, le = 120, lv = 2965, lΓ = 1632, lρ = lm = 498, lH = 256, lidi = 160.

5 Results This section reports the results of 3 experiments. The storage analysis deals with the size of key-material in the scheme. The computational complexity analysis illustrates the complexity of the protocols and the timing analysis validates the results of the complexity analysis by running the actual protocols. The experiments were executed with the security parameters of section 4.2 on a DELL Latitude P9600 @ 2.53GHz, 4GB RAM. 5.1 Storage Analysis For each of the implementations, Table 1 summarizes the bit-sizes of the private and public key of the issuer, one credential, and the accumulator. Additionally, the size of one accumulated value is listed. Pairings generally allow better results with respect to the size of cryptographic keys than other schemes. This is reflected in the paper of 2

Note that the parameters proposed for the CL scheme in [4] do not satisfy the constraints posed by the respective scheme.

Performance Analysis of Accumulator-Based Revocation Mechanisms

295

Nguyen [4]. However, as can be seen in table 1, the difference is less extreme than in the paper. Since the PBC Library does not provide the pairing proposed in Nguyen’s paper, another type of pairing, was used, resulting in a larger subgroup G1 . A more important observation is the fact that the public key of the issuer (pkI ) in the CKS scheme contains state information that depends on the capacity of the accumulator. Although, this information can be omitted for most of the protocols, it is required to make witness updates. This will have an impact on how this scheme is used in practice. In case of massive deployment, for instance, witness updates will require special purpose update servers. Finally, the elements accumulated in the CL and LN scheme are exponents, while in the CKS scheme they are group elements. Table 1. Bit-sizes of objects in the credential schemes skI

pkI

credU

acc

idC

CL ln 2048 5ln + lr + 3lg 15634 2ln + k + lv + lr 7719 ln 2048 le 160 LN 3lr 576 16lq + lr 16576 6lq + 2lr 6528 2lq 2048 lr 192 CKS 3lr 576 (16 + 4Nt )lq + lr 16576+4096Nt 10lq + 2lr 10624 2lq 2048 2lq 2048

5.2 Computational Complexity Analysis Table 2 presents the most computationally expensive operations. As shown in the table, the complexity of the witness update protocol significantly differs for the three schemes. As each call of authCred requires an up-to-date witness, the efficiency of witness updates is very important. The CL scheme only requires one exponentiation for newly accumulated elements, and one for newly revoked elements. However, as the size of the exponents is growing linear with the number of accumulated, respectively revoked elements (i.e Na .lidi , resp. Nr .lidi ), the performance decreases considerably (see Timing Analysis). The LN scheme, on the other hand, requires an exponentiation on a base in G1 for every element accumulated (Na ) or revoked (Nr ), since the last witness update. Updating witness is more Table 2. The most expensive operations (i.e. exponentiations, pairings, multiplications) for the protocols in the credential scheme, with Na the number of accumulated values and Nr , the number of revoked values. The numbers between brackets denote operations that can be precalculated. CL expZn issueCred Receiver Issuer revokeCred updWitness verifyAccu authCred Prover Verifier

LN expG1 expGT

18 17 10 8 8 9 1 1 1+1 Na + Nr 1 1 52 [+2] 25 25 [+2] 14 27 11

pair

∗/G1

5 5

CKS expG1 expGT 10 4 6

pair 2 2

1 Na + Nr + 1 24 10 14

2 9 [+12] 3 [+5] 6 [+7]

31 19 12

28 12 16

2 24 [+4] 9 [+2] 15 [+2]

296

J. Lapon et al.

efficient in the CKS scheme, as the most expensive operations are a number of multiplications linear in the number of accumulated and revoked elements. Moreover, the scheme requires less expensive operations during the issuance of the credential. However, proving knowledge of a valid credential requires slightly more exponentiations and pairings than in the other schemes. This is due to the fact that idC is a group element. The credential proof of possession needs to be extended to show that this group element is bound to the other credential attributes. Finally, the table reveals that optimizations of the authCred protocol are possible, especially in the LN scheme, in which twelve pairing operations can be precomputed as they do not alter during the lifetime of the credential. Unfortunately, this requires more storage space. Thus, a balance must be found between storage space and processing efficiency. 5.3 Timing Analysis Table 3 shows the results of the experiments that are applied to all the protocols in the three schemes. The results are averaged over 200 test-runs in an accumulator scheme with a maximum capacity of 2500 elements. The witness update results are presented separately. Table 3. Performance results for the 3 schemes, with respect to the different protocols (ms)

CL

LN

CKS

initScheme (sec.) 97 1, 26 1, 26s + Nt .4ms 617 365

219

Receiver

274 230

110

Issuer

343 135

109

23

0, 09

issueCred

revokeCred

14

verifyAccu

1, 90 130

93

authCred

684 754

938

Prover

389 346

448

Verifier

296 408

490 0

250

500

750

1000

As can be seen, the results clearly reflect the analysis of the computational complexity. The setup of the CL scheme takes substantially more time than the schemes using bilinear pairings. CL requires the generation of an RSA-modulus as a product of 2 safe primes, which is dominating the setup. Note that the setup of the CL scheme takes on average 1,5 minutes, while the same algorithm takes about 2,5 minutes in idemix (which

Performance Analysis of Accumulator-Based Revocation Mechanisms

50

LN CL CKS

40 Duration (s)

297

30 20 10 0 0

2000 4000 6000 Number of revoked credentials

8000

10000

Fig. 1. Performance results for witness updates with respect to the number of revoked credentials, shown graphically

was implemented in Java). The setup time of the CKS scheme, however, includes the creation of state information, which is computed by a large number of exponentiations (twice the capacity of the accumulator). For accumulators with a large capacity (Nt ), this may take a substantial amount of the initialisation time. Another interesting fact, not shown in the table, is that for the CL scheme, the generation of a prime number of about 2965 bits takes about 1/3 of the time needed for the issueCred protocol. Figure 1 shows the time required for updating a witness, depending on the number of elements (from 1 up to 10000) that have been revoked since the previous witness update. It clearly shows the linear relation with respect to the number of revoked elements. Similar results are found when elements are added to the accumulator. The figure reveals that the CKS scheme clearly outperforms the others. Nevertheless, the CL and LN scheme may still be useful in specific settings.

6 Discussion 6.1 Current Bottlenecks As the different schemes are based on different security assumptions, a straightforward comparison is difficult. While the CL scheme is based on the strong RSA assumption, both CKS and LN schemes are based on the q-SDH assumption. However, the CKS break accumulator scheme requires two additional assumptions: the n-DHE and nHSDHE assumption. According to [26], the q-SDH assumption is a weaker assumption than n-DHE assumption. As a result, the CKS scheme could have a weaker security than the LN scheme. Additionally, the efficiency of the pairing based systems (i.e. LN and CKS) strongly depends on the efficiency of the selected pairing and its implementation.

298

J. Lapon et al. Table 4. Bottlenecks () and benefits ( ) of the schemes CL

initScheme  safe prime generation issueCred  prime generation updWitness authCred

LN  exponentiations

CKS  state info ( size of state info)  exp’s + pairings

When we analyse the signatures, we can observe that the LN and CKS signature schemes have a similar construction. The most important difference is that in the CKS version, the accumulated value is added as a group element, while in the LN scheme it is an exponent. As a consequence, showing a CKS credential requires the proof of a group element. This makes the proof of knowledge (in the authCred protocol) more complicated than the LN version. Nevertheless, the CL scheme outperforms the others for this protocol. The benefits and drawbacks of the individual schemes are clearly distinct. The construction of the accumulator is important, with a major impact on the updWitness protocol. On the other hand, the efficiency of the issueCred and authCred heavily depends on the design of the credential scheme accompanying the accumulator scheme. Table 4 summarizes the most important bottlenecks of the schemes. As for efficiency in time and processing, the CL, LN and CKS scheme are comparable, with CL scoring the best on the authCred protocol. However, the LN scheme is faster at the prover side for the same protocol with smaller credentials. Though still acceptable for most practical applications, the CKS scheme is the slowest for proving a valid credential. On the other hand, this scheme clearly outperforms the others with respect to witness updates. In fact, it’s the only scheme that is practical for massive deployment. It is about 180 times faster than the LN scheme, and 22 times faster than the CL scheme. Yet, there is a snag in it. For witness updates, the CKS scheme requires state information, which is linear to the capacity of the accumulator. For instance, with the configuration above, an accumulator for 10 million elements, requires about 4.8 GB of storage. However, since the update of the witness does not require any secret information, special purpose (possibly untrusted) services may perform the update remotely. With respect to storage, the credentials are comparable in size, with the LN-credential the smallest with only 6.528 bits (i.e. 816 bytes). Large versus small scale environments. The scheme that will be selected depends on the characteristics of the concrete application. In small scale environments with a limited number of revocations or additions, the efficiency of the authCred protocol may be more important than the efficiency of the updWitness protocol. However, an important reason for doing this experiment is to explore the applicability of this technology for the use with an electronic identity card (eID) in a nationwide environment. Compared with the Belgian electronic identity card3 , the accumulator size should contain about 10 million elements. During the introduction of the card, about 2,25 million cards were issued every year, of which 375.000 were revoked. 3

Results obtained from http://godot.be/eidgraphs

Performance Analysis of Accumulator-Based Revocation Mechanisms

299

Suppose in an ’extreme’ case, the eID card is used only once a year; this is a valid assumption as a recent survey on the use of the Belgian eID in corporate environments4 reveals that 56% of the respondents never used it. If we can make an interpolation, this would mean that in the best case (i.e. update time grows linearly) an update of 375.000 revoked elements takes about 0.5 minutes, using the fastest update scheme (CKS) and 10 minutes with the CL scheme. While the former may be acceptable in applications such as eID authentication, the latter certainly is not. In the example, we only take the revocations into account, as the accumulator can be precalculated (see PreissuanceAccumulation below). 6.2 Practical Solutions Together with improving the efficiency of the protocols, some relevant application level optimisations can render the schemes practical: Clustering. Instead of having one accumulator for all users, each user can be assigned to one of M accumulators. Therefore, they could, for instance, be classified per region or even at random into a specific accumulator. As a result, the average number of updates will be about M times less than would be the case with a single accumulator. However, this may entail important privacy consequences. A service will always be able to link an anonymous user to an accumulator. In the worst case, if only one customer of that service is assigned to a particular accumulator, then the service can link all the user’s actions. Preissuance-Accumulation. The example of the Belgian eID shows that during the introduction of the eID, many users are added to the accumulator. To reduce the number of updates, the accumulator could be pre-computed. Meaning that every required element is added to the accumulator and stored securely by the issuer, together with its respective witness. The CL scheme does not require this pre-computation. As already pointed out by the authors [3], the witness can simply be calculated from the current accumulator by calculating the (idx )th root of the accumulator, with idx the new ’accumulated’ value. This is possible when the factorisation of the modulus is known. Delegation of witness updates. To make the CKSscheme practical, without loss of privacy, the witness update should be performed by special purpose update servers. This same strategy may be useful for the other schemes as well. For instance, a resource constrained device, such as a smart card, can delegate the calculation to a more resourceful host. Epochs. With the protocols provided above, every authCred must be preceded by the updWitness protocol. As described in the CKS paper [5], it is possible to make use of epochs. The accumulator is kept valid for a specific amount of time (i.e. epoch), during which the witness remains valid.

7 Conclusion The experiments in this paper do not yield a straightforward winner. The revocation of anonymous credentials takes a considerable share in the efficiency of the overall 4

SAP Survey: Belgen verdeeld over gebruik van eID op het werk (sept. 2009 by Indigov).

300

J. Lapon et al.

system. Moreover, for nationwide electronic identity cards, the current schemes appear to be inappropriate. Only the CKS scheme may be applicable for massive deployment, provided that special update services are used. The efficiency of witness updates is an important property in accumulator based revocation systems, and becomes critical in applications with a substantial amount of revocations or additions. The construction of the accumulator has a major impact on the efficiency of the update. Nevertheless, the witness update is also affected by the design of the credential scheme accompanying the accumulator scheme. The schemes all have different advantages but also different drawbacks. We presented an overview and some relevant guidelines as a lead for future research. Although the accumulators can be used as a building block for anonymous credentials, care must be taken when combining it with a credential scheme. Acknowledgements. We want to thank Lan Nguyen and Jan Camenisch for providing insight in their schemes; Frederik Vercauteren, for the recommendations on the configuration and security of the bilinear maps; and Patrik Bichsel and Alfredo Rial for the discussions on various implementation problems. This research is partially funded by the Interuniversity Attraction Poles Programme Belgian State, Belgian Science Policy and the Research Fund K.U.Leuven, and the IWT-SBO project (DiCoMas) “Distributed Collaboration using Multi-Agent System Architectures”. Markulf Kohlweiss was supported in part by the Concerted Research Action (GOA) Ambiorics 2005/11 of the Flemish Government, by the IAP Programme P6/26 BCRYPT of the Belgian State (Belgian Science Policy), and in part by the European Commission through the ICT and IST programmes under the following contracts: ICT-216483 PRIMELIFE and ICT-216676 ECRYPT II.

References 1. Camenisch, J., Herreweghen, E.V.: Design and implementation of the idemix anonymous credential system. In: Atluri, V. (ed.) ACM Conference on Computer and Communications Security, pp. 21–30. ACM, New York (2002) 2. Brands, S.: A Technical Overview of Digital Credentials (2002) 3. Camenisch, J., Lysyanskaya, A.: Dynamic Accumulators and Application to Efficient Revocation of Anonymous Credentials. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 61–76. Springer, Heidelberg (2002) 4. Nguyen, L.: Accumulators from Bilinear Pairings and Applications. In: Menezes, A. (ed.) CT-RSA 2005. LNCS, vol. 3376, pp. 275–292. Springer, Heidelberg (2005) 5. Camenisch, J., Kohlweiss, M., Soriente, C.: An Accumulator Based on Bilinear Maps and Efficient Revocation for Anonymous Credentials. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 481–500. Springer, Heidelberg (2009) 6. Boneh, D., Shacham, H.: Group signatures with verifier-local revocation. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, Washington DC, USA, pp. 168–177. ACM, New York (2004) 7. Benaloh, J.C., de Mare, M.: One-Way Accumulators: A Decentralized Alternative to Digital Sinatures (Extended Abstract). In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 274–285. Springer, Heidelberg (1994)

Performance Analysis of Accumulator-Based Revocation Mechanisms

301

8. Bari, N., Pfitzmann, B.: Collision-Free Accumulators and Fail-Stop Signature Schemes Without Trees. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 480–494. Springer, Heidelberg (1997) 9. Papamanthou, C., Tamassia, R., Triandopoulos, N.: Authenticated hash tables. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, Alexandria, Virginia, USA, pp. 437–448. ACM, New York (2008) 10. Tartary, C.: Ensuring Authentication of Digital Information Using Cryptographic Accumulators. In: Garay, J.A., Miyaji, A., Otsuka, A. (eds.) CANS 2009. LNCS, vol. 5888, pp. 315–333. Springer, Heidelberg (2009) 11. Li, J., Li, N., Xue, R.: Universal Accumulators with Efficient Nonmembership Proofs. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 253–269. Springer, Heidelberg (2007) 12. Damgard, I., Tri, N.: Opoulos: Supporting Non-membership Proofs with Bilinear-map Accumulators (2008), http://eprint.iacr.org/2008/538 13. Chaum, D.: Security Without Identification: Transaction Systems to Make Big Brother Obsolete. ACM Commun. 28(10), 1030–1044 (1985) 14. Camenisch, J., Lysyanskaya, A.: An Efficient System for Non-transferable Anonymous Credentials with Optional Anonymity Revocation. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 93–118. Springer, Heidelberg (2001) 15. Bangerter, E., Camenisch, J., Lysyanskaya, A.: A Cryptographic Framework for the Controlled Release of Certified Data. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols 2004. LNCS, vol. 3957, pp. 20–42. Springer, Heidelberg (2006) 16. Ateniese, G., Camenisch, J., Joye, M., Tsudik, G.: A Practical and Provably Secure CoalitionResistant Group Signature Scheme. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 255–270. Springer, Heidelberg (2000) 17. Camenisch, J., Lysyanskaya, A.: A Signature Scheme with Efficient Protocols. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 268–289. Springer, Heidelberg (2003) 18. Boneh, D., Boyen, X., Shacham, H.: Short Group Signatures. In: [27], pp. 41–55 (2004) 19. Nguyen, L., Safavi-Naini, R.: Efficient and Provably Secure Trapdoor-Free Group Signature Schemes from Bilinear Pairings. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 372–386. Springer, Heidelberg (2004) 20. Camenisch, J., Lysyanskaya, A.: Signature Schemes and Anonymous Credentials from Bilinear Maps. In: [27], pp. 56–72 21. Au, M.H., Susilo, W., Mu, Y.: Constant-Size Dynamic -TAA. In: De Prisco, R., Yung, M. (eds.) SCN 2006. LNCS, vol. 4116, pp. 111–125. Springer, Heidelberg (2006) 22. PBC: Pairing-Based Cryptography Library by Ben Lynn (2009) 23. GMP: GNU Multiple Precision Arithmetic Library (2009) 24. Camenisch, J., Stadler, M.: Efficient Group Signature Schemes for Large Groups (Extended Abstract). In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997) 25. Fiat, A., Shamir, A.: How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987) 26. Cheon, J.H.: Security Analysis of the Strong Diffie-Hellman Problem. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 1–11. Springer, Heidelberg (2006) 27. Franklin, M. (ed.): CRYPTO 2004. LNCS, vol. 3152. Springer, Heidelberg (2004)

IFIP Technical Committee 11 Security and Privacy Protection in Information Processing Systems Kai Rannenberg, S.H. (Basie) von Solms, and Leon Strous

Abstract. IFIP Technical Committee 11 (TC-11) on Security and Privacy Protection in Information Processing Systems was created in 1983 under the chairship of the late Kristian Beckman of Sweden. Representatives from more than 30 IFIP member societies are members of TC-11 and meet at least once a year at the IFIP/Sec conferences that are held in different member countries. This text gives an overview on the state of TC-11 and its development over the last 27 years. It starts with a snapshot on the current situation of TC-11, followed in Section 2 by an overview of the historical background and trends of TC-11 and its flagship conference IFIP/Sec. Section 3 is dedicated to the main development trends in the field of TC-11, while Section 4 honours the awardees of TC-11’s Kristian Beckman Award, many of them TC-11 Pioneers. Section 5 then gives an outlook on the future role of TC-11.

1 TC-11 – A Snapshot TC-11 can to some degree be recognized by its aims, scope, and last but not least its working groups, which are introduced in the following sections. All three underwent some significant changes over the past 27 years, which are documented in the remainder of this article 1.1 TC-11 Aims To increase the trustworthiness and general confidence in information processing and to act as a forum for security and privacy protection experts and others professionally active in the field 1.2 TC-11 Scope Work towards: • the establishment of a common frame of reference for security and privacy protection in organizations, professions and the public domain; • the exchange of practical experience; • the dissemination of information on and the evaluation of current and future protective techniques; K. Rannenberg, V. Varadharajan, and C. Weber (Eds.): SEC 2010, IFIP AICT 330, pp. 302–310, 2010. © IFIP International Federation for Information Processing 2010

IFIP TC-11 Security and Privacy Protection in Information Processing Systems

303

• the promotion of security and privacy protection as essential elements of information processing systems; • the clarification of the relation between security and privacy protection. 1.3 TC-11 Working Groups Already in 1985 TC-11 established its first working groups. Since then number and activity of TC-11’s WGs underwent a non-linear but steady growth with two new WGs being established in 2010 driving the number of TC-11s WGs up to twelve, of which two WGs are shared with fellow TCs. The current WG list reads as follows: 1. 2. 3. 4.

5. 6. 7. 8. 9. 10. 11. 12.

WG 11.1: Information Security Management (established 1985) WG 11.2: Pervasive Systems Security (established 1985 as the WG on Office Automation and from 1992 until 2009 named Small System Security) WG 11.3: Data and Application Security (established 1987 under the name of Database Security and renamed 2001) WG 11.4: Network & Distributed Systems Security (established 1985 under the name of Crypto Management and from 1992 until 2003 named Network Security) WG 11.6: Identity Management (established 2006) WG 9.6 / 11.7: IT Misuse and The Law (established 1990) WG 11.8: Information Security Education (established 1991) WG 11.9: Digital Forensics (established 2004) WG 11.10: Critical Infrastructure Protection (established 2006) WG 11.11: Trust Management (established 2006) WG 11.12: Human Aspects of Information Security and Assurance (established 2010) WG 8.11 / 11.13: Information Systems Security Research (established 2010)

2 The Historical Background of TC-11 and Its Flagship Conference In May 1983, the 1st International Conference on Information Security, IFIP/Sec '83, took place in Stockholm, Sweden. This conference was organized by members of the Swedish Special Interest Group on Information Security, as well as a number of further people, including some from existing IFIP Committees. The organization was under the chairman-ship of Kristian Beckman of Sweden. A proposal was submitted to IFIP's General Assembly (GA), and at its meeting in September 1983 in Paris, TC-11 was formally established. Kristian Beckman was appointed as the first Chairman of TC-11. The 2nd International Conference on Information Security, IFIP/Sec '84, took place in May 1984 in Toronto with the motto “Computer security: a global challenge”. During this conference, the first official meeting of TC-11 was held. Unfortunately, because of ill health, Kristian Beckman could not attend that meeting. He asked Per

304

K. Rannenberg, S.H. von Solms, and L. Strous

Hoving from Sweden to act as Chairman, but during the conference, the sad news that Kristian Beckman passed away, reached TC-11. The next TC-11 meeting took place in Dublin during IFIP/Sec 85, which had the motto “Computer security: The practical issues in a troubled world”. Per Hoving was elected as Chairman for a three year term, with Willis Ware from the USA as Vice-Chairman. Subsequent IFIP/Sec Conferences took place as follows and show the real global approach of TC-11 both with regards to its flagship conference as well as its management teams: • IFIP/Sec 86 Monte Carlo: “Security and protection in information systems” • 1987: No IFIP/Sec Conference took place, but a TC-11 meeting was held in Vienna (Austria) in conjunction with a TC-11 Working Group conference. • IFIP/Sec 88 Gold Coast, Australia: “Computer security in the age of information“. At the corresponding TC-11 meeting Bill Caelli from Australia was elected as new Chair, Willis Ware re-elected as Vice-Chair, and David Lindsay from the UK as Secretary. • 1989: No IFIP/Sec conference was held, and efforts were combined with the IFIP Congress which took place in San Francisco, USA. • IFIP/Sec 90 Helsinki, Finland: “Computer security and information integrity” • IFIP/Sec 91 Brighton, England: “Information security” • IFIP/Sec 92 Singapore: “IT security: the need for international cooperation” • IFIP/Sec 93 Toronto, Canada: “Computer security”. Unfortunately David Lindsay died before IFIP/Sec 93. Bertil Fortrie from the Netherlands took over as Secretary. • IFIP/Sec 94 Curaçao: At the TC-11 meeting during this conference Sebastiaan von Solms from South Africa was elected as Vice-Chair and David Bachelor from Canada as Secretary. Later that year Sebastiaan von Solms was appointed as acting Chair of TC-11 by the IFIP President. • IFIP/Sec 95 Cape Town, South Africa: “Information security - the next decade”. At the TC-11 meeting preceding the conference Sebastiaan von Solms was elected as new Chair with Reinhard Posch from Austria as Vice-Chair. • IFIP/Sec 96 Samos Island, Greece: “Information systems security: facing the information society of the 21st century” • IFIP/Sec 97 Copenhagen, Denmark: “IT Security in Research and Business” • IFIP/Sec 98 Vienna/Budapest, Austria/Hungary with the motto “Global IT security “ and as part of the IFIP World Computer Congress • 1999: No IFIP/Sec Conference took place, but a TC-11 meeting was held in Amsterdam (Netherlands) in conjunction with a TC-11 Working Group conference. • IFIP/Sec 2000 Beijing, China with the motto “Information Security for global information infrastructures “as part of the IFIP World Computer Congress: Geoff Fairall from Zimbabwe was appointed as new Secretary of TC-11.

IFIP TC-11 Security and Privacy Protection in Information Processing Systems

305

• IFIP/Sec 2001 Paris, France: “Trusted information: the new decade challenge“. At the TC-11 meeting preceding the conference Leon Strous from the Netherlands was elected as new Chair with Kai Rannenberg from Germany as Vice-Chair. Rossouw von Solms from South Africa was appointed as WG coordinator. • IFIP/Sec 2002 Cairo, Egypt: “Security in the information society: visions and perspectives” • IFIP/Sec 2003 Athens, Greece: “Security and privacy in the age of uncertainty” • IFIP/Sec 2004 Toulouse, France with the motto “Security and protection in information processing systems “ as part of the IFIP World Computer Congress • IFIP/Sec 2005 Tokyo-Chiba, Japan: “Security and privacy in the age of ubiquitous computing“. Lech Janczewski from New Zealand, representing SEARCC, was appointed as Secretary. • IFIP/Sec 2006 Karlstad, Sweden: “Security and privacy in dynamic environments” • IFIP/Sec 2007 Johannesburg-Sandton, South Africa: “New approaches for security, privacy and trust in complex environments”. At the TC-11 meeting preceding the conference Kai Rannenberg from Germany was elected as new Chair with Rossouw von Solms from South Africa as Vice-Chair. • IFIP/Sec 2008 Milano, Italy as part of the IFIP World Computer Congress: At the TC-11 meeting preceding the conference Yuko Murayama from Japan was appointed as WG Coordinator. • IFIP/Sec 2009 Pafos, Cyprus: “Emerging Challenges for Security, Privacy and Trust” • IFIP/Sec 2010 Brisbane, Australia with the motto “Security & Privacy − Silver Linings in the Cloud“ as part of the IFIP World Computer Congress • IFIP/Sec 2011 scheduled for Lucerne, Switzerland with the motto “Future Challenges in Security and Privacy for Academia and Industry” TC-11's annual IFIP/Sec conferences are established as an integral and well-reputed part of the international Information Security conference scene. The same holds for many Working Group conferences.

3 Main Development Trends in the Field of TC-11 3.1 The 80es The early eighties were the years when personal computers started to invade people's lives. One saw an increasing concern about several issues like privacy and witnessed the “birth” of computer viruses. The attention for security started to evolve from the closed defence and mainframe environments to business and small computer environments, from confidentiality towards integrity, from technical security to managerial issues. This was clearly an era where establishing a TC dedicated to security was an obvious thing to do. The founders made it clear by the name and aims and scope of TC-11 that security is not limited to computers but encompasses computers, applications, data and the organization. That was more or less a visionary view because in those days the term computer security was more common than the term information security.

306

K. Rannenberg, S.H. von Solms, and L. Strous

3.2 The 90es The increasing trend towards distributed systems, and the associated use of communication networks, as well as the tendency to use such systems and networks for more and more highly sensitive applications like electronic commerce and medical applications, catapulted the absolute importance of the securing and protecting of electronic information during storage, processing and transmission right into the forefront of Information Technology research and implementation. It became clear that a very large number of such systems would not be acceptable if proper solutions would not exist for the security and protection of such systems. Developments in cryptography showed to be essential to provide non-reputability and proof of origin in electronic messages. Without digital signatures, provided by cryptography, electronic purchasing was deemed to be not possible. Security in distributed systems became known to be much more difficult and complex than in centralized systems. Authentication and Authorization in distributed systems are of extreme importance, and must be given the necessary attention. New techniques to implement and to specifically manage Information Security were constantly needed, and with the growing complexity of IT systems, the internal control of the systems became ever more important. The same held for the growing role, importance and commitment of senior management of companies, up to Board level, towards the security of their companies' IT systems. Special efforts were needed to provide skilled people to be able to evaluate, address and manage security risks involved in IT systems, and to ensure that such systems are operated within the necessary secure environment. With the fact that computers became so much more user friendly than before, and so much more were being used by the public in general, a serious effort showed up as being needed to make these people aware of the importance of Information Security on their systems, and to show them the risks if such security measures were ignored. In the application field, Information Security became ever more essential for the growing use of systems in medical applications. Standardization efforts and cryptology policies in different countries also required attention. All in all, Information Security had never before been a more important and essential part of IT systems and networks. These developments were reflected in TC-11’s work mainly by the expanding activities in the respective TC-11’s Working Groups, but also by public statements from TC-11. One statement concerns IFIP's position on crypto policies and was drafted in the second half of the nineties. It reflected that cryptography was a hot topic from a policy point of view and discussions concentrated on questions such as whether governments should have access to the keys in encryption systems used by companies and individuals. A second statement concerned information security assessment and certification and addressed TC-11's opinion that the information security status of IT systems and the information security management of such systems should be assessed against specified standards related to information security management and that members of IFIP should be instrumental to ensure that such standards, for systems and individuals, be harmonized on an international level.

IFIP TC-11 Security and Privacy Protection in Information Processing Systems

307

3.3 The Beginning of the New Millennium The early beginning of the new Millennium was driven by the Internet and mobile Communication becoming more and more mainstream. “E-words” such as “ECommerce” and “E-Business” became and more popular. While many of them were just buzzwords, as almost everything from the “old” world became e-d there was little doubt that some of these areas would have significant impact on business and society as a whole. Following this it stepwise became clear that trust and confidence in the security and reliability of all those “e-words” was necessary for them to become the success that everybody was hoping (and waiting) for. So many topics within the scope of TC-11 were influential in that respect, e.g. identification and authentication means (biometrics and smart(er) cards), integrity of messages, secure business transactions and payments. The events of September 11, 2001 pointed strongly to further aspects of security such as cyber terrorism and (critical) infrastructure protection (CIP). Not only did these issues require new technologies or larger scale use of known technologies (biometrics and smart(er) cards again?) they also shed a different light on privacy issues and human aspects. To address these issues in an effective way even more cooperation between the different IFIP disciplines was required. Topics of most of the TC's became relevant such as topics like software quality (TC-2), training people (TC-3), safety-critical systems (TC-10), and social aspects and human-computer interaction (TC-9 and TC-13). And although those issues may have seemed to be of a technical nature, one could not hide from the fact that cultural and political aspects also do play a role. IFIP had to consider this when addressing the issues and trying to find a way to deal with them in an as “neutral” as possible fashion. New successful WGs such as WG 11.9 Digital Forensics (established 2004) and the trio of WG 11.6: Identity Management, WG 11.10 Critical Infrastructure Protection, and WG 11.11 Trust Management (all three established 2006) reflected these developments. A related achievement concerned the objective to promote security and protection as essential elements of information processing systems. TC-11 had been successful in this area, which can be measured directly within the IFIP community by the fact that more and more TC's and working groups were including security in their aims and scopes. This also resulted in an increasing cooperation between TC's and working groups on security topics such as the Communications and Multimedia Security (CMS) conferences of TC-6 and TC-11 and the E-Commerce, E-Government and E-Business (I3E) conferences of TC-6, TC-8 and TC-11, and last but not least the joint WG with TC-9 on legal, privacy and social issues (WG 9.6/11.7 IT Misuse and the Law), a very successful example of an active cooperation. At the same time some “old” issues did not disappear and one did not succeed in eliminating them. Although their “hot” days were over and they were no longer in the focus of attention (with the exception of an occasional short hype), these activities still had and continued to have a significant impact. Hackers and viruses continued to cost society a lot of money and the security professionals kept trying to find ways to limit the effects as much as possible.

308

K. Rannenberg, S.H. von Solms, and L. Strous

Another important issue was attention for developing countries. While IFIP as a whole supported the work of the Developing Countries Support Committee (DCSC) and the World IT Forum (WITFOR) TC-11 was one of the TCs actively participating in these initiatives by e.g. actively strengthening its activities in developing countries and encouraging participation from the respective member societies to also review and revise traditional (maybe “northern” or “western”) views. Moreover in 2002 TC-11 agreed on another statement which contains a request to all member societies of IFIP to urge their relevant government and education bodies to ensure that proper education and certification requirements are set for those people who intend to become information technology security professionals and including those who audit the security of IT systems. 3.4 Current Challenges Especially the Internet but also other Information and Communication Technology (ICT) systems such as Mobile Communication systems have moved even further on: From popular and established mainstream technologies to the information and communication backbones for many societies and countries and moreover as the essential infrastructures for global and international cooperation. The rapid and radical movement towards new and Internet based ICT systems was partially supported by the decline of some established technologies, but also by the changing habits of users. It has raised major questions of trust in to the ICT systems and into information security as such and demonstrated the importance of projection of citizens, consumers and their privacy. TC-11 reflected this development in more and more IFIP/Sec mottos since 2003 and moreover with its first TC name change since its inception: In 2007 the term “Privacy” was added to TC-11’s name and subsequently the aims and scope were adapted accordingly. This was preferred to simply establishing a new WG on Privacy as the deep and delicate relations between security and privacy were considered where information security sometimes supports privacy and sometimes endangers it. These delicate relations affect the work of most WGs in IFIP TC-11. The further miniaturisation and the pervasive use of ICT lead WG 11.2 to changing its name from “Small System Security” to “Pervasive Systems Security” reflecting the fact, that almost every aspect of (human) life is now exposed to ICT. This trend also led to the founding of WG 11.12 “Human Aspects of Information Security and Assurance”. At the same time it became clear, that Information Security is also important for researchers and in the information systems field leading to a new WG 8.11 / 11.13 “Information Systems Security Research” together with TC-8.

4 The Kristian Beckman Award TC-11 established the Kristian Beckman Award in 1992 to commemorate the first chair of the committee, Kristian Beckman from Sweden, who had also been responsible for promoting the founding of TC-11 in 1983. This award is granted not more than annually to a successful nominee and is usually presented at IFIP/Sec. The

IFIP TC-11 Security and Privacy Protection in Information Processing Systems

309

objective of the award is to publicly recognise an individual, not a group or organisation, who has significantly contributed to the development of information security, especially achievements with an international perspective. However this particular requirement will not necessarily preclude nominations of those whose main achievements have been made on a national level. TC-11 was honoured to announce this award to: • • • • • • • • • • • • • •

Harold Highland (USA) in 1993, presented in Toronto (Sweden) Per Hoving (Sweden) in 1995, presented in Cape Town (South Africa) Sushil Jajodia (USA) in 1996, presented in Samos (Greece) Donald Davies (UK) in 1997, presented in Copenhagen (Denmark) Richard Sizer (UK) in 1998, presented in Vienna and Budapest (Austria and Hungary) Willis W. Ware (USA) in 1999, presented in Amsterdam (Netherlands) William Caelli (Australia) in 2002, presented in Cairo (Egypt) Roger Needham (UK) in 2003, presented in Athens (Greece) Jean-Jacques Quisquater (Belgium) in 2004, presented in Toulouse (France) William List (UK) in 2005, presented in Tokyo-Chiba (Japan) Butler W. Lampson (USA) in 2006, presented in Karlstad (Sweden) Pierangela Samarati (Italy) in 2008, presented in Milano (Italy) Klaus Brunnstein (Germany) in 2009, presented in Pafos (Cyprus) Sebastiaan von Solms (South Africa) in 2010, to be presented in Brisbane (Australia)

5 The Future Role of TC-11 With the rising importance of ICT systems and society’s dependability on these systems, the role of TC-11 and its topics has risen significantly over the last years, and is still rising. TC-11 has taken up this challenge and is active on several fronts through its Working Groups, its special conferences to discuss research developments, and other dissemination services to member societies of IFIP and to the international community in general. However a number of challenges remain and are even growing: • Still relevant security and privacy issues are only considered relatively late in system development processes – and often still too late. • Security and privacy are “horizontal” subjects and orthogonal to many topics that are cared for by other IFIP TCs. • In many cases appropriate decisions with regard to security and privacy can only be taken, if the respective (application) context is considered. Therefore TC-11 is encouraging the inclusion of security and privacy topics in all areas and actively cooperates with other TCs. This will hopefully contribute to a situation, where relevant security and privacy considerations and measures are embedded as a natural topic in all domains rather than coming in late.

310

K. Rannenberg, S.H. von Solms, and L. Strous

6 Contact Information TC-11 Homepage: www.ifiptc11.org TC-11 Management: TC-11 Chair

TC-11 Vice-Chair

Prof. Dr. Kai Rannenberg Goethe University Frankfurt Chair of Mobile Business & Multilateral Security Postfach 66 Grüneburgplatz 1 60629 Frankfurt /Main Germany Tel.: +49 69 798 34701 Fax:+49 69 798 35004 www.m-chair.net [email protected]

Prof. Dr. Rossouw von Solms Nelson Mandela Metropolitan University Institute for ICT Advancement, School of ICT Summerstrand (North) P.O. Box 77000 Port Elizabeth 6031 South Africa Tel.: +27 41 504 3604 Fax: +27 41 504 3313 [email protected]

TC-11 Secretary

TC-11 WG Coordinator

Prof. Dr. Lech Janczewski The University of Auckland Dept. of ISOM Private Bag 92019 Owen G Glen Building 12 Grafton Road Auckland, New Zealand Tel.: +64 9 923 7538 Fax: +64 9 373 7430 [email protected]

Prof. Dr. Yuko Murayama Faculty of Software and Information Science Iwate Prefectural University 152-52 Sugo, Takizawa, Takizawa-mura Iwate, 020-0193 Japan Tel.: +81 19-694-2548 Fax: +81 19-694-2549 [email protected]

TC-11 Webmaster: Gökhan Bal Goethe University Frankfurt Chair of Mobile Business & Multilateral Security Grüneburgplatz 1, 60629 Frankfurt /Main, Germany Tel.: +49 69 798 34701, Fax:+49 69 798 35004 www.m-chair.net [email protected]

Author Index

Ahmad, Atif 55 Ahmed, Ejaz 124 Akram, Raja Naeem

Kahl, Christian 277 Karlsson, Fredrik 43 Kheir, Nizar 148 Kittl, Christian 103 Kohlweiss, Markulf 289 Kowalski, Stewart 31 Kuntze, Nicolai 90 Kwok, Lam-For 9

161

Badii, Atta 90 Barabanov, Rostyslav 31 Bertino, Elisa 253 Bhatia, Sajal 124 Borschbach, Markus 136 B¨ ottcher, Katja 277 Boyd, Colin 229 Bracher, Shane 112 Brunie, Lionel 253

Lapon, Jorn 289 Longley, Dennis 9

Caelli, William J. 9 Centner, Martin 103 Clark, Andrew 112 Colantonio, Alessandro 19 Corney, Malcom 112 Coull, Scott E. 68 Cuppens-Boulahia, Nora 148 Cuppens, Fr´ed´eric 148

Naessens, Vincent 289 Nieto, Juan Manuel Gonz´ alez

Debar, Herv´e 148 De Decker, Bart 289 Dhillon, Gurpreet 43 Di Pietro, Roberto 19 Echizen, Isao

Ocello, Alberto 19 Orthacker, Clemens

103

241 Pyka, Martin

Flegel, Ulrich 112 Fuchs, Andreas 90 Greifeneder, Rainer

203

Islam, Asadul Khandoker 187

136

Rannenberg, Kai 277, 302 Raub, Tobias 112 Reiter, Michael K. 68 Ruighaver, Anthonie B. 55 Russo, Alejandro 173

Hasan, Omar 253 Hauke, Sascha 136 Hedstr¨ om, Karin 43 Heider, Dominik 136 Heim, Stephan 277 Huber, Markus 80

Jin, Hongxia

Magazinius, Jonas 173 Markantonakis, Konstantinos Mayes, Keith 161 Mink, Martin 203 Mohay, George 112, 124 Monrose, Fabian 68 Mulazzani, Martin 80 M¨ uller, G¨ unter 241 Myles, Gideon 187

112

Sabelfeld, Andrei 173 Sch¨ utte, Julian 90 Sonehara, Noboru 241 Stegelmann, Mark 265 Strous, Leon 302 Sun, Dongdong 229 Sun, Lili 217

161

229

312

Author Index

Tan, Terence C.C. 55 Tickle, Alan 124 Tschersich, Markus 277

van Niekerk, Johan F. 215 Varadharajan, Vijay 217 Verde, Nino Vincenzo 19

von Solms, Rossouw 215 von Solms, S.H. (Basie) 1, 302 Wang, Hua 217 Weippl, Edgar 80 White, Andrew M. 68 Wohlgemuth, Sven 241 Yen, Ting-Fang

68