Chameleon: Towards Usable RBAC

1
Chameleon Towards Usable RBAC

• A. Chris Long
• Courtney Moskowitz, Greg Ganger
• ECE Department
• Carnegie Mellon University

2
Problem Malware

• Malware viruses, trojan horses, worms, etc.
• Current approaches are inadequate
• Few address typical home user
• Malware enabler all software has permission to
  do everything

3
Problem Higher Level View

• The computer is too ignorant
• Are these secure?
• format c
• cp confidential-info /mnt/floppy
• Can we get users to tell the computer more about
  whats allowable?

4
Project Inspiration

• People understand physical access
• Different access at home for plumbers vs.
  accountant
• What about file access control?
• Answer too fine-grained, rarely used
• Few people can manage fine-grained security
  (e.g., file permissions)
• Can we improve de facto security with
  coarse-grained security?

5
Chameleon Coarse-grained Security

• Partition computer into roles, e.g.
• Vault
• Communication
• Internet
• Testing
• System
• Each app confined to its own role
• Can we make this model usable?

6
Outline

• Introduction
• Related Work
• Chameleon
• User Studies
• Discussion,Future Work, Conclusions

7
Related Work

• HCISEC
• Security usability Whitten Tygar 1999
• Design guidelines Yee 2002
• WindowBox Balfanz Simon 2000
• HCI
• Desktop info organization Barreau Nardi 1995
• WorkspaceMirror Boardman 2002

8
Related Work (contd)

• Security models
• Compartmented mode workstationBerger, et al
  1990
• Role-based access controlFerraiolo Kuhn 1992
• Sandboxing Schmid, et al 2002

9
Outline

• Introduction
• Related Work
• Chameleon
• User Studies
• Discussion,Future Work, Conclusions

10
Chameleon

• Research agenda
• Interface design
• Awareness
• Control
• Usability vs. and security
• File organization synergy
• Software design

11
Usable Role Management

• Target audience typical home computer user
• Key properties
• Intelligible
• Convenient
• Key tasks
• Switching roles
• Moving data files across roles
• Plan to throw the first one away. You will,
  anyway. Fred Brooks

12
Paper Prototype
Security manager
Unsafeapp.
Personal files
Comm. app.
13
Outline

• Introduction
• Related Work
• Chameleon
• User Studies
• Discussion,Future Work, Conclusions

• Security in Context
• Security Mechanisms
• Software prototype

14
User Study 1Security In Context

• Goals
• Observe ease of use of securityfeatures in
  realistic task
• Explicit vs. implicit role switching
• Results
• Positive opinions about roles
• Interface implications
• Changed to single clipboard model
• Keep implicit role switching
• Keep plan for role customization

15
User Study 2 Security Interface Mechanisms

• Goals
• Evaluate desktop display options
• Evaluate methods for security operations
• Result summary
• Generally positive 5/6 would use interface
• Opinion divided on desktop icon display
• Liked drag and drop
• I wish some of your designswould be common
  practice amongst big leading software companies.
• An enthusiastic participant

16
Software Prototype
Comm. apps.
Testing app.
Internet app.
17
Study 3 Software Prototype

• Goals
• Continue usability evaluation
• Investigate appropriate feedback levels
• 3 levels minimal, animated, dialog box
• Issues subjective impact, prevent being tricked
• Results
• No quantitative effect of feedback on being
  tricked
• Few participants caught tricks
• Overall positive view of Chameleon
• Security concerns generally correlated with
  positive views of Chameleon

18
Outline

• Introduction
• Related Work
• Chameleon
• User Studies
• Discussion,Future Work, Conclusions

19
Discussion

• Chameleon lessons
• Make UI role-aware (file dialog)
• Eliminate active role
• Role purposes must be clear
• Add Neutral or Default role
• Make indicators active (Security Manager)
• Need better role awareness
• HCISEC evaluation
• Laboratory setting ill-suited for evaluation of
  interaction with normal tasks

20
Future Work

• Chameleon development
• Improve UI design
• Implement prototype usable by real apps
• Deploy Chameleon for daily use
• Continue investigation of
• Security awareness control
• Software architecture for security

21
Future Work (contd)
Level Pro Con
Operating System Single implementation No context information
Applications Context available Multiple impls.
Toolkit Some context available Single (or few) implementations Right abstractions unknown
22
Conclusions

• Chameleon work in progress
• HCISEC UI design issues
• Software architecture
• HCISEC evaluation
• Usable RBAC seems feasible

23
lt 0.5-baked Idea

• Problem How to run software with less than all
  permissions?
• Solution Attach trust/authority/ permission to
  user action (capability)
• Propagate capability
• Starts at input device
• To OS, to toolkit, to application

24
Thank You

• chrislong_at_acm.org
• http//www.cs.cmu.edu/chrisl
• (1 spot in my car for a short person)