Security Research in Project Oxygen - PowerPoint PPT Presentation

About This Presentation
Title:

Security Research in Project Oxygen

Description:

DNS. Oxygen Alliance Annual Meeting June 12 - 13, 2002 ... Name-Lookup algorithms will eliminate resources based on membership in intermediate ACLs ... – PowerPoint PPT presentation

Slides: 14
Provided by: spokenlang
Learn more at: http://csg.csail.mit.edu
Transcript and Presenter's Notes

1
Security Research in Project Oxygen
  • Srini Devadas
  • Ronald L. Rivest
  • Students: Burnside, Clarke, Gassend, Kotwal,
    Raman
  • Oxygen Visitors: Marten van Dijk (Philips),
    Kevin Chuang, Shawn Wang (Acer)

2
Major Question
  • How can we securely utilize a multitude of
    inexpensive, potentially untrustworthy,
    potentially indistinguishable devices?

3
Approaches
  • Security automation for cheap devices
      • proxy-based security protocols
      • access-controlled resource discovery
  • Two-way user/proxy authentication through
    untrusted devices
      • secure image verification
      • secure user authentication
  • Secure hardware architectures
      • physical unknown functions on-chip

4
Intentional Naming
  • Resource discovery and service location system
    for dynamic networks
  • Uses a simple language based on attributes and
    values to identify resources
  • Language used to describe the desired resource
  • Applications describe what they are looking for,
    not where to find it

5
Intentional Naming

6
Integrating Security into INS
  • INS is a naming service designed to be a layer
    below security
  • No built-in mechanism to implement access control
  • Cannot explicitly reject requests from
    unauthorized users
  • Integrate access control decision making into INS
  • Application should find best resource to which it
    has access
  • Increases scalability and performance
  • Costly to perform full authentication check

7
The Naïve Solution
[Diagram; labels: User B, K21 Proxy]

8
A Scalable Solution

[Architecture diagram; labels: Cricket Beacon, K21, K21 Proxy, Printer Proxy, pulp.lcs.mit.edu]

9
Key Ideas
  • Store ACL as attribute-value pair on each
    resource proxy AND at nodes of the INS name-tree
  • INS routers maintain dynamic name-trees
  • Propagate ACLs up the tree when they are modified
  • OR the ACLs together at each parent node
  • Access Control decisions made during traversal
  • Name-Lookup algorithms will eliminate resources
    based on membership in intermediate ACLs
  • K21 Proxy performs transitive closure of its
    certificates and sends appropriate rules to INS
    with request
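
The propagation and pruning listed on this slide, as an added Python example that is not part of the original presentation or of the INS code. ACLs are modelled as sets of names, a parent's ACL is the union (OR) of its children's, and `closure` stands in for the proxy's transitive closure of its certificates. The class and function names, the `(group, member)` certificate encoding, the `K staff` group and the sample tree are assumptions constructed for illustration.

```python
# Added example: names, certificate encoding and sample data are constructed.
class Node:
    def __init__(self, name, acl=(), children=()):
        self.name, self.parent, self.children = name, None, list(children)
        self.own_acl = set(acl)       # ACL held by a resource (leaf) itself
        for c in self.children:
            c.parent = self
        self.propagate()              # sets self.acl, the OR of the subtree's ACLs

    def propagate(self):
        """Recompute ORed ACLs from this node up to the root after a change."""
        node = self
        while node is not None:
            node.acl = node.own_acl.union(*(c.acl for c in node.children))
            node = node.parent

def closure(key, certs):
    """Names that `key` may present: itself plus every group reachable via certs."""
    names, frontier = {key}, {key}
    while frontier:
        frontier = {group for group, member in certs if member in frontier} - names
        names |= frontier
    return names

def lookup(root, names):
    """Return (accessible resources, nodes visited), pruning on intermediate ACLs."""
    found, visited, stack = [], 0, [root]
    while stack:
        node = stack.pop()
        visited += 1
        if not node.acl & names:
            continue                  # nothing below admits the requester: skip subtree
        if node.children:
            stack.extend(node.children)
        else:
            found.append(node.name)   # leaf: the resource's own ACL matched
    return sorted(found), visited

# Constructed certificates as (group, member): Kc is in "K2 students", itself in "K1 students".
CERTS = [("K1 students", "K2 students"), ("K2 students", "Kc")]

def build_tree():
    printers = Node("printer", children=[
        Node("printer 1", {"K1 students"}),
        Node("printer 2", {"K2 students"}),
        Node("printer 3", {"K staff"})])
    cameras = Node("camera", children=[Node("camera 1", {"K staff"})])
    return Node("root", children=[Node("service", children=[printers, cameras])])
```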

10
Integration of Access Control
[Name-tree diagram; nodes: root, service, location, printer, camera, speakers, lcs, ai-lab, mit, name-record; annotations: Periodic Updates, Name record resolution]

11
System Architecture Revisited

[Architecture diagram; labels: Cricket Beacon, K21, K21 Proxy, Printer Proxy, 192.168.0.45; K21's certificates: K1 students → K2 students, K2 students → Kc]

12
Scalable Solution
[Diagram: Intentional Naming Service name-tree; nodes: root, service, location, lcs, ai-lab, mit; resources: printer 1 (ACL1), printer 2 (ACL2), printer 3 (ACL3); other labels: User B, K21 Proxy, ACL1 OR ACL2 OR ACL3]

13
Results
  • If naïve strategy queries more than one resource,
    then the scalable (ORed ACL) strategy
    outperforms it.
  • For a large number of resources (> 100), the naïve
    strategy is not feasible
  • Could take several seconds to find accessible
    resource
  • ACL maintenance can be performed periodically and
    does not cause significant network overheads