Abstract

Few of the security architectures proposed for the past four decades (e.g., fine-grain domains of protection, security kernels, virtual machines) have made a significant difference on client-side security. In this presentation, I examine some of the reasons for this and some of the lessons learned to date. Focus on client-side security is warranted primarily because it is substantially more difficult to achieve than server security in practice, since clients interact with human users directly and have to support their security needs. I argue that system and application partitioning to meet user security needs is now feasible [2,3,5], and that special focus must be placed on how to design and implement trustworthy communication between users and their partitions and between partitions themselves.

Trustworthy communication goes beyond secure channels, firewalls, guards and filters. The extent to which one partition accepts input from or outputs to another depends on the trust established with the input provider and output receiver. It also depends on input-rate throttling and output propagation control, which often require establishing some degree of control over remote communication end points. I illustrate some of the fundamental challenges of trustworthy communication at the user level, and introduce the notion of optimistic trust with its technical requirements for deterrence for non-compliant input providers and output receivers. Useful insights for trustworthy communication are derived from the behavioral economics, biology [1] and social [4] aspects of trust.

References

[1] E. Fehr, “On the Economics and Biology of Trust,” Journal of the European Economic Association, April – May 2009, pp. 235-266.

[2] B. Lampson, ``Usable Security: How to Get it,” Comm. of the ACM , vol. 52, no. 11, Nov. 2009.

[3] J. McCune, Y. Li, N. Qu, Z. Zhou, A. Datta, V. Gligor, and A. Perrig, ``TrustVisor: Efficient TCB Reduction and Attestation,” Proc. of IEEE Symp. on Security and Privacy, Oakland, CA, May 2010.

[4] F. Stajano and P. Wilson, “Understanding Scam Victims: Seven Principles for Systems Security,” University of Cambridge Computing Laboratory, UCAM -CL-TR-754, Aug. 2009.

[5] A. Vasudevan, B. Parno, N. Qu, V. Gligor and A. Perrig, ``Lockdown: A Safe and Practical Environment for Security Applications,” Technical Report, CMU -CyLab-09-011, July 14, 2009.