1. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE USC CSci599 Trusted Computing Lecture Nine – Propagating Obligation March 9, 2007 Dr. Clifford Neuman University of Southern California Information Sciences Institute

2. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Announcements Grades on mid-term by Sunday Grades on assignment 1 by Sunday Assignment 2 has been posted –Due in two weeks Project proposal has been posted –Due in one week

3. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Review: Policies in Trusted Computing Three levels of policy in trusted computing –That enforced by the basic mechanisms –That enforced by the outer rings / applications –That which is determined when creating virtual systems

4. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Propagating Obligation Last week we focused on –Policies used to determine which components can join a virtual system. This week –Policies that apply once a component has joined a virtual system.

5. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Once Formed Accepted components have access to resources within the virtual system. –But they have agreed to limits on what they can do.

6. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Limits on New Joins May not be allowed to join certain other virtual systems. –Could require approval by other members –Might carry a policy that says what other components can join. –Might allow joins if component is known to provide controls on cross VS information flow.

7. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Doesn’t Apply to New Instances New Instances of software components can be created to join other VS’s so that there is not possibility of moving information across boundaries.

8. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Limits Enforced by Component Itself The negotiation phase required assurances that the component could and would enforce those limits. Less trusted components end up encapsulated in components that will provide the enforcement.

9. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE How to Allow Flow Across Boundaries Some components trusted to make fine grained decisions which allow data to flow across VS boundaries. –Component is in multiple virtual systems. –Data flows to component, in one VS. –Data flows our of component in other VS. –Component decides where data can flow.

10. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Example Flow DRM –Data received over network –DRM enabled application can communicate to display. ▪Application trusted to decide what data can go to a particular display.

11. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Example Flow Financial Virtual System –Privacy manager on Smart Card –Trusted application accepts such information from smartcard. –Application determines which financial sites get access to information.

12. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Alternate Flow Financial Virtual System –Privacy manager on Smart Card –Trusted application is interface to user, and requests direct communication of PIF to certain remote sites.

13. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Policy Storage / Transmission Provided to component when it joins a virtual system. Inherently known by the component. Provided to the component with the data whose access it mediates.

14. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Application Specific Policies There may be policies that are enforced by trusted components that are “non-standard”. –Such as inclusion of a watermark.

15. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Network Admission Control New Topic –How do we control access to a network to ensure that we do not allow malicious code in, or protected content out.

16. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Several Aspects Commonly considered as limiting which computers can physically connect to a corporate network. –Based on MAC address –Other characteristics –User authentication –Computer Health Monitoring

17. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Health Monitor Several Commercial Products (including Cisco, etc). –Hard part is how to ensure that all required security software is installed and up-to-date. –NSF example. –Can it be automated? –Can it be tricked.

18. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE VPN Containment Home machine used for multiple functions. –Used for VPN access to corporate network. –How do we keep malware from the gaming side from sneaking into the corporate VPN. ▪Must use virtualization and secure storage. ▪Must consider if simultaneous access allowed.

19. Copyright © 1995-2006 Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE Current Event Some interesting papers: –Joanna Rutkowska, Beyond The CPU: Defeating Hardware Based RAM Acquisition Tools (Part I: AMD case) – BlackHat, February 2007. Other Events: –Xbox Hypervisor Cracked – This one is a software issue, but the exploit has been known for some time.