1. REFEREE: Trust Management for Web Applications Yang-hua Chu (MIT/W3C) Joint Work with Joan Feigenbaum (AT&T Labs) Brian LaMacchia (AT&T Labs) Paul Resnick (AT&T Labs) Martin Strauss (AT&T Labs)

2. Outline Problem statement Trust management REFEREE trust management system REFEREE reference implementation demo Conclusion

3. Example: code signing Away from shrink-wrapped model Toward code distribution through network

4. Trust FAQ Does X contain a virus that will erase my HD? [security] Does X secretly collect information without my knowledge? [privacy] Will X run on my 386? [capability] Is X fun to play? [content] Has X been tampered with? [integrity] Who wrote X? [authentication] Should I trust Y who vouches for X [delegation]?

5. Current technology is not enough: why should I trust those bits? Digital Signature (RSA, DSA) –How many bits of signature is trustworthy? –What does the signature mean [PICS]? –How do I get the right public key to verify the signature? Public Key Infrastructure (X.509, PGP, SDSI) –How do I get the CA’s public key? –What is this certificate authorized to do? Whom do I trust to vouch for X? –X=give me public key of person Y, sign code, authenticate document, make this assertion, …etc.

6. Trust management ‘Decentralized Trust Management’ [BFL96] Probes the question –‘Does this requested action, supported by credentials, conform to my policy?’ PolicyMaker –certificates are programs

7. Trust management in code signing Requested action: download and run this code. Security policy: download the code only if signed by two entities that MIT endorses, and both entities must state in the signature that X is ‘safe’ according to MIT’s code safety practice. Security credentials: relevant PICS labels and certificates.

8. Other trust management applications in WWW document authentication and integrity access control on-line negotiation electronic commerce privacy protection intellectual property rights … more

9. REFEREE “Rule-controlled Environment For Evaluation of Rules and Everything Else” Joint effort by researchers from AT&T Labs and W3C Goal: create a general-purpose trust management system for Web applications

10. REFEREE design principle A ‘policy’ is a program –has a fixed language syntax and semantics –may call another policy ‘Policy’ controls everything –order of execution under policy control –credential fetching under policy control –departure from PolicyMaker[BFL96] approach

11. REFEREE API a sub-system embedded inside a Web application –can be in a browser, a proxy, or a server Application REFEREE Input API : request with arguments Output API : answer with justification Dispatch Actions

12. REFEREE Primitive Data Types tri-values –TRUE, FALSE, UNKNOWN statements and statement-lists –each statement is an s-expression –a pair of (, ), both are also s-expressions ( “code-signing”, ((virus-checked 1) (network-access 0) … ) )

13. REFEREE Primitive Data Types (continued) policy –a triplet (,, ) –(“code-signing”,..., “code-signing-language”) –(“code-signing”,, “Java”) interpreter –a pair (, ) –(“code-signing-language”, )

14. Bootstrapping REFEREE The host application loads REFEREE initial setting: –trust assertions –a database of policies –a database of interpreters all bootstrapping information is unconditionally trusted

15. Invoking REFEREE input a requested action and additional arguments REFEREE gets the corresponding policy for that action REFEREE executes the policy with the additional arguments output a tri-value and a list of statements

16. REFEREE Demo in English: “I only execute code if PCWeek says OK according to MIT code safety practice.” (invoke "load-label" STATEMENT-LIST URL "http://web.mit.edu/safety" ("http://labels.com/")) (invoke "check-hash" STATEMENT-LIST) (false-if-unknown (match (("check-hash" *) (* ((version "PICS-1.1") * (service "http://web.mit.edu/safety") * (by "mailto:rater@pcweek.com") * (ratings * (RESTRICT > overall 8) * )))) STATEMENT-LIST))

17. Components of the REFEREE Calling Module REFEREE Fetcher Profiles-0.92 Label-loader Check-hash bootstrapinvoke 1 2 3 4 5 6

18. Sample Query application calls REFEREE –(“code-signing”, “http://foo/bar.class”) line 1: gets the PICS label from the label bureau “http://label-bureau” (PICS-1.1 "http://web.mit.edu/safety" labels by "mailto:rater@pcweek.com" md5 "7A2B1a2bA72BxyzyplehJQ==" ratings (crash 2 overall 10 virus 0))

19. Sample Query (Continued) line 2: authenticates the signature and checks the source integrity line 3: checks the confidence level > 8 return TRUE (10 > 8)

20. Recap of major REFEREE design principles Local policy controls everything Separate security policy specification from policy evaluation –policies are programs –Profiles-0.92 vs. PICS RULZ Systematic, consistent, and modular management of trust

21. Conclusion: Now and Future Trust management is an important component for Web applications REFEREE is our initial attempt to tackle the problem in the context of the WWW and it provides insight for future research and development.

22. Reference REFEREE Website –http://www.w3.org/pub/WWW/PICS/TrustMgt –link to the REFEREE demo –link to [BFL96] paper M. Blaze, J. Feigenbaum, J. Lacy, “Decentralized Trust Management”, in Proceedings of the 1996 Symposium on Security and Privacy, pp. 164-173 Friday, 4/11, 4pm-5:30pm –trust management for Electronic Commerce