
Autonomic Trust Management for a Pervasive System

Zheng Yan

Nokia Research Center, Helsinki, Finland

Secrypt’08, July 27, 2008, Porto, Portugal


Outline

• Introduction and motivation

• Related work

• Fundamental technologies

• Solution: autonomic trust management

• An example application

• Further discussion

• Conclusions and future work


Introduction & motivation

• Pervasive systems

  • Allow seamless interactions among various portable and networked processing devices, distributed at all scales throughout everyday routine life

• Decentralized, distributed, open, dynamic

• Communications depend on trust among devices: classical, centralized security-managing mechanisms unusable

• Trust becomes a crucial issue to ensure effective collaborations among various devices for expected services

• A holistic notion of trust

  • Includes several properties, such as security, availability and reliability, depending on the requirements of a trustor.

  • The assessment by a trustor of how well the observed behavior of a trustee, measured through a number of quality attributes, meets the trustor’s own standards for an intended purpose


Related work

• Xu, Xin, and Lu (2007): a hybrid model encompassing a trust model, a security model and a risk model for pervasive computing

• Shand, Dimmock, and Bacon (2004): a trust and risk framework to facilitate secure collaboration

• Claycomb and Shin (2006): a visual framework for securing impromptu collaboration

• Yin, Ray, and Ray (2006): a trust model for pervasive computing applications and strategies for establishing trust between entities to support the dynamics of trust

• Spanoudakis (2007): a platform for dynamic trust assessment of software services

• Wolfe, Ahamed, and Zulkernine (2006): trust management based on a scheme for categorizing devices, calculating trust, and facilitating trust-related communications

• Remarks

  • Mainly focus on establishing distinct trust models based on different theories or methods, for various scenarios and motivations.

  • Apply trust, reputation and/or risk analysis mechanisms based on fuzzy logic, probabilistic theory, cloud theory, traditional authentication and cryptography methods and so on to manage trust

  • Did not support autonomic control of trust for the fulfillment of an intended service.

  • This influences the effectiveness of trust management, since trust is both subjective and dynamic.


Main idea of our paper

• An autonomic trust management solution for the pervasive system

  • Based on a trusted computing platform

  • Support autonomic trust control on the trustee device based on the trustor device’s specification

• An adaptive trust control model

  • Assume several trust control modes, each of which contains a number of control mechanisms or operations

  • Ensure a suitable set of control modes are applied

• A Fuzzy Cognitive Map to model the factors related to trust for control mode prediction and selection

• Use runtime trust assessment result as a feedback to autonomously adapt weights in the adaptive trust control model in order to find a suitable set of control modes in a specific pervasive computing context.


Fundamental technologies (1): a mechanism to sustain trust

• Trust form

  • Trustor A trusts trustee B for purpose P under condition C based on root trust R

• Root trust (RT) module

  • Hardware-based security module

  • Register, protect and manage the conditions for trust sustaining and self-regulating

  • Monitor any computing platform’s change including any alteration or operation on hardware, software and their configurations.

  • Check changes and restrict them based on the trust conditions, as well as notifying the trustor accordingly.

• Approaches to notify changes

  • Active method and passive method

[Figure: Root Trust Module (Secure Registers, Reporter, Monitor, Controller) and the platform Hardware and Software. Labels: conditions for trust sustaining and self-regulating; platform trusted booting record; register; report; monitor & notify; control; signal of distrust.]


A mechanism to sustain trust: protocol

• Root trust challenge and attestation to ensure the trustor’s basic trust dependence at the trustee in steps 1-2;

• Trust establishment by specifying the trust conditions and registering them at the trustee’s RT module for trust sustaining in steps 3-6;

• Sustaining the trust relationship through the monitor and control by the RT module in steps 7-8;

• Re-challenge the trust relationship if necessary when any changes against trust conditions are reported.

[Figure: message sequence between Trustor A (Device A) and Trustee B (Device B, with the Root Trust Module of Device B)]

1. Root trust challenge from A

2. Evidence of root trust from B (evidence verification at A; fail ends the exchange)

3. Trust relationship establishment request from A

4. Confirmation from B

5. Trust relationship conditions C (conditions verification & registration at the Root Trust Module of Device B)

6. Confirmation of conditions from B

7. Transaction and cooperation between A and B

8. On a local environment change against conditions:

   8.1 Restrictions on changes

   8.2 Notification of distrust to A (optional); A takes corresponding action, re-challenge if needed
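The exchange above, played end to end as an added example (not code from the slides or the paper). Assumptions: an HMAC under a shared key stands in for hardware-backed attestation evidence, trust conditions are expressed as allowed SHA-256 digests per component, steps 3-4 are folded into the registration call, and all names and data are constructed.

```python
import hashlib, hmac, os

def digest(blob):
    return hashlib.sha256(blob).hexdigest()

class RootTrustModule:
    """Trustee-side RT module: secure registers, monitor, controller, reporter."""
    def __init__(self, key, boot_record):
        self._key = key                  # stand-in for a hardware-protected attestation key
        self._boot_record = boot_record  # platform trusted booting record
        self._conditions = {}            # secure register: component -> allowed digests
        self.notifications = []          # reporter output towards the trustor

    def attest(self, nonce):             # step 2: evidence of root trust
        tag = hmac.new(self._key, nonce + self._boot_record, hashlib.sha256).digest()
        return self._boot_record, tag

    def register(self, conditions):      # steps 5-6: verify and register conditions C
        if not all(isinstance(v, (set, frozenset)) and v for v in conditions.values()):
            return False
        self._conditions = {k: frozenset(v) for k, v in conditions.items()}
        return True

    def on_change(self, component, new_blob):   # step 8: monitor and control
        allowed = self._conditions.get(component)
        if allowed is None or digest(new_blob) in allowed:
            return "allowed"             # not covered by C, or still within C
        self.notifications.append(("distrust", component))   # 8.2 notify A
        return "restricted"              # 8.1 the change is blocked

class Trustor:
    def __init__(self, key, good_boot_digest):
        self._key, self._good = key, good_boot_digest

    def challenge(self):                 # step 1: a fresh nonce prevents replay
        self.nonce = os.urandom(16)
        return self.nonce

    def verify(self, boot_record, tag):  # evidence verification at A
        want = hmac.new(self._key, self.nonce + boot_record, hashlib.sha256).digest()
        return hmac.compare_digest(tag, want) and digest(boot_record) == self._good

def run_session(boot_record=b"boot-v1", changes=()):
    """Play steps 1-8 with constructed data; returns what trustor A observes."""
    key = b"constructed-demo-key"
    a = Trustor(key, digest(b"boot-v1"))
    rt = RootTrustModule(key, boot_record)
    if not a.verify(*rt.attest(a.challenge())):
        return {"attested": False, "outcomes": [], "rechallenge": False}
    rt.register({"client_service": {digest(b"client-1.0"), digest(b"client-1.1")}})
    outcomes = [rt.on_change(c, blob) for c, blob in changes]   # during step 7
    return {"attested": True, "outcomes": outcomes,
            "rechallenge": bool(rt.notifications)}
```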


Fundamental technologies (2): an adaptive trust control model

• Trustworthiness is considered to be influenced by a number of quality attributes.

• These quality attributes are ensured or controlled through a number of control modes.

• A control mode contains a number of control mechanisms or operations.

• A weight is used to indicate the importance rate of the quality attribute

• An influence factor of control mode is set based on impact of the control mode to the quality attributes

• We also apply a selection factor of control mode to indicate which control mode is actually applied in the system

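[Figure: graph of the adaptive trust control model. Trustworthiness $T$ is linked to the quality attributes $QA_1, QA_2, \ldots, QA_n$ (values $V_{QA_1}, \ldots, V_{QA_n}$) through the weights $w_1, \ldots, w_n$; the control modes $C_1, C_2, \ldots, C_m$ (values $V_{C_1}, \ldots, V_{C_m}$, selection factors $B_{C_1}, \ldots, B_{C_m}$) are linked to the quality attributes through the influence factors $cw_{ji}$.]

$$T = f\Big(\sum_{i=1}^{n} w_i\, V_{QA_i} + T^{old}\Big)$$

$$V_{QA_i} = f\Big(\sum_{j=1}^{m} cw_{ji}\, V_{C_j}\, B_{C_j} + V_{QA_i}^{old}\Big)$$

$$V_{C_j} = f\big(T \cdot B_{C_j} + V_{C_j}^{old}\big)$$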


Autonomic trust management: a system definition

• User

• Pervasive system

  • Pervasive computing devices

  • Trusted computing platform

  • Root Trust module

  • Autonomic trust management framework (ATMF)

  • Operating System (OS)

  • A performance observer

  • Services

[Figure: system structure relating User, Pervasive System, Device, Trusted Computing Platform, Root Trust Module, Autonomic Trust Management Framework, OS with Performance Observer, and Service. Relation labels: includes, has, contains, supports, offers, manages, uses, runs & monitors, protects.]


Autonomic Trust Management Framework (ATMF)

• Responsibility: manage the trustworthiness of a trustee service

  • Configure its trust properties

  • Switch on/off the trust control mechanisms, i.e. selecting a suitable set of control modes

• Secure storages

  • Experience base

  • Policy base

  • Mechanism base

• ATMF secure access to the RT module

• Extract the policies into the policy base for trust assessment if necessary

• An evaluation, decision and selection engine (EDS engine)

  • Trust assessment

  • Make trust decision

  • Select suitable trust control modes

[Figure: Trusted Computing Platform containing the Root Trust Module, the Operating System with Performance Observer, Service 1 ... Service n, and the Autonomic Trust Management Framework (Experience Base, Policy Base, Mechanism Base, and the Evaluation, Decision and Selection (EDS) Engine), which has secure access to the Root Trust Module.]


Autonomic trust management procedure

• Remote service collaboration check

  • Yes, trust sustaining mechanism

  • Embed device trust conditions (including trust policies) into RT

• Extract trust policies, save into policy base

• Trustworthiness and trust control mode prediction, selection

• Monitor performance and behavior

• Adjust trust control model

[Figure: flowchart of the autonomic trust management procedure. Boxes: Service collaboration starts; Is it local service collaboration? (Yes/No); Root trust challenge and attestation on the device of trustee service; Specify the trust conditions and register them at the trustee device RT module; Extract trust policies for trust assessment from the trust conditions; Input trust policies into the policy base of the trustee device’s ATMF; Trustworthiness and trust control mode prediction; Trust control mode selection; Are suitable modes found? (Yes/No); Apply selected control modes; Raise warning or optimize trust control mode configurations; Monitor the behavior of trustee service at runtime; Is trust assessment on trustee positive? (Yes/No); Adaptive trust control model adjustment.]


Algorithms

• Trust assessment

  • Trust value generator:

  • Weighted summation:

• Control mode prediction and selection

  • Anticipate the performance or feasibility of all possibly applied trust control modes.

  • Select a set of suitable trust control modes based on the control mode prediction results.

• Adaptive Trust Control Model Adjustment

  • Adjust the influence factors of the trust control model in order to make it reflect the real system situation or context

1),/( rrnpp

iiT ir


Trust Control Mode Prediction and Selection

• The control modes are predicted through evaluating all possible modes and their compositions based on the adaptive trust control model

• The prediction algorithm

  • For every composition of control modes $S_k\ (k = 1, \ldots, K)$, while the change $\Delta T_k = T_k - T_k^{old}$ remains above its threshold, do

    $$V_{C_j,k} = f\big(T_k \cdot B_{C_j,k} + V_{C_j,k}^{old}\big)$$

    $$V_{QA_i,k} = f\Big(\sum_{j=1}^{m} cw_{ji}\, V_{C_j,k}\, B_{C_j,k} + V_{QA_i,k}^{old}\Big)$$

    $$T_k = f\Big(\sum_{i=1}^{n} w_i\, V_{QA_i,k} + T_k^{old}\Big)$$

• The control modes are selected based on the control mode prediction results

• The selection algorithm

  • Calculate selection threshold $tr = \sum_{k=1}^{K} T_k / K$;

  • Compare $V_{QA_i,k}$ and $T_k$ of $S_k$ to $tr$, set selection factor $SF_{S_k} = 1$ if $V_{QA_i,k} \ge tr \wedge T_k \ge tr$; set $SF_{S_k} = -1$ if $V_{QA_i,k} < tr \vee T_k < tr$;

  • For $SF_{S_k} = 1$, calculate the distance of $V_{QA_i,k}$ and $T_k$ to $tr$ as $d_k = \min\{|V_{QA_i,k} - tr|, |T_k - tr|\}$; for $SF_{S_k} = -1$, calculate the distance of $V_{QA_i,k}$ and $T_k$ to $tr$ as $d_k = \max\{|V_{QA_i,k} - tr|, |T_k - tr|\}$ only when $V_{QA_i,k} < tr$ and $T_k < tr$;

  • If $SF_{S_k} = 1$ exists, select the best winner $S_k$ with the biggest $d_k$; else ($SF_{S_k} = -1$), select the best loser $S_k$ with the smallest $d_k$.
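An added worked example (not code from the slides or the paper) of the prediction and selection steps: it iterates the model's update equations for $V_{C_j}$, $V_{QA_i}$ and $T$ for every composition of control modes, takes the mean predicted $T$ as the selection threshold, and returns the best winner or, failing that, the best loser. The sigmoid used for $f$, the start values, the stop threshold, and the sample weights and control modes are assumptions constructed for illustration.

```python
import math
from itertools import product

def f(x, alpha=2.0):
    # Squashing function; the slides only name it f, a sigmoid is assumed here.
    return 1.0 / (1.0 + math.exp(-alpha * x))

def predict(B, w, cw, delta=1e-6, max_iter=500):
    """Iterate the three update equations for one composition B of control modes.

    B[j]     selection factor: 1 if control mode j is applied, else 0
    w[i]     importance weight of quality attribute i
    cw[j][i] influence factor of control mode j on quality attribute i
    Returns (T, V_QA) once T moves by less than delta (assumed stop rule).
    """
    T, V_C, V_QA = 1.0, [1.0] * len(B), [1.0] * len(w)   # assumed start values
    for _ in range(max_iter):
        V_C = [f(T * B[j] + V_C[j]) for j in range(len(B))]
        V_QA = [f(sum(cw[j][i] * V_C[j] * B[j] for j in range(len(B))) + V_QA[i])
                for i in range(len(w))]
        T_new = f(sum(w[i] * V_QA[i] for i in range(len(w))) + T)
        if abs(T_new - T) < delta:
            return T_new, V_QA
        T = T_new
    return T, V_QA

def select(w, cw):
    """Predict every composition S_k, then pick the best winner or best loser."""
    comps = list(product((0, 1), repeat=len(cw)))
    pred = {S: predict(S, w, cw) for S in comps}
    tr = sum(T for T, _ in pred.values()) / len(pred)    # selection threshold
    winners, losers = {}, {}
    for S, (T, V_QA) in pred.items():
        vals = V_QA + [T]
        if all(v >= tr for v in vals):                   # SF = 1
            winners[S] = min(abs(v - tr) for v in vals)
        else:                                            # SF = -1; read here as:
            # only the values that fall below tr count towards the distance
            losers[S] = max(abs(v - tr) for v in vals if v < tr)
    if winners:
        return max(winners, key=winners.get), 1, tr, pred
    return min(losers, key=losers.get), -1, tr, pred

# Constructed sample model (not from the slides): two quality attributes and
# three hypothetical control modes.
W = [0.6, 0.4]                    # confidentiality, availability
CW = [[0.9, 0.2],                 # mode 0: encrypted channel
      [0.2, 0.9],                 # mode 1: request prioritisation
      [0.3, -0.9]]                # mode 2: heavyweight integrity scan

if __name__ == "__main__":
    S, sf, tr, _ = select(W, CW)
    print("selected modes:", S, "SF:", sf, "threshold: %.4f" % tr)
```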


Adaptive Trust Control Model Adjustment

• Subjective & dynamic support

• Context-aware trust model adjustment

  • The influencing factors of each control mode should be context-aware.

  • The trust control model should be dynamically maintained and optimized in order to reflect the real system situation.

  • Observation-based trust assessment serves as the feedback for adaptive model adjustment.

• Two schemes

  • Equal adjustment scheme: each control mode has the same impact on the deviation between $V_{QA_i}\_monitor$ and $V_{QA_i}\_predict$

  • Unequal adjustment scheme: the control mode with the biggest absolute influencing factor always impacts more on the deviation between $V_{QA_i}\_monitor$ and $V_{QA_i}\_predict$

• The equal adjustment scheme

  • While the deviation between $V_{QA_i}\_monitor$ and $V_{QA_i}\_predict$ remains above its threshold, do

    • a) If $V_{QA_i}\_monitor < V_{QA_i}\_predict$, for each $cw_{ji}$, decrease $cw_{ji}$ by the adjustment step, and set $cw_{ji} = -1$ if $cw_{ji} < -1$;

    • Else, for each $cw_{ji}$, increase $cw_{ji}$ by the adjustment step, and set $cw_{ji} = 1$ if $cw_{ji} > 1$

    • b) Run the control mode prediction function

• The unequal adjustment scheme

  • While the deviation between $V_{QA_i}\_monitor$ and $V_{QA_i}\_predict$ remains above its threshold, do

    • a) If $V_{QA_i}\_monitor < V_{QA_i}\_predict$, for $\max(cw_{ji})$, decrease $cw_{ji}$ by the adjustment step, and set $cw_{ji} = -1$ if $cw_{ji} < -1$;

    • Else, increase $cw_{ji}$ by the adjustment step, and set $cw_{ji} = 1$ if $cw_{ji} > 1$

    • b) Run the control mode prediction function


An application example: mobile healthcare

• System devices

  • A portable mobile device

    • A health sensor: monitor a user’s health status;

    • A healthcare client service: provide multiple ways to transfer health data to other devices and receive health guidelines.

  • A healthcare centre

    • A healthcare consultant service: provide health guidelines to the user according to the health data reported, inform a hospital service at a hospital server if necessary.

  • A hospital server

    • A hospital service

• Trust requirements

  • Each device and service’s trustworthiness

  • Trustworthy cooperation of all related devices and services

  • Satisfy trust requirements with each other and its user’s

  • Examples

    • Confidentiality: the healthcare client service provides a secure network connection and communication;

    • Availability: respond to the request from the health sensor within expected time;

    • Reliability: perform reliably without any break in case of an urgent health information transmission.

• Example application scenario: the user’s health is monitored by the mobile device which reports his/her health data to the healthcare centre in a secure and efficient way. In this case, the hospital service should be informed since the user’s health needs to be treated by the hospital immediately. Meanwhile, the consultant service also provides essential health guidelines to the user.


Autonomic trust management for a healthcare application


Discussion

• Two-level autonomic trust management

• Autonomic trust management among different system devices (hard trust solution)

• Apply the mechanism to sustain trust, embed trust policies for remote trusted service collaboration

• Autonomic trust management on pervasive services for their trustworthy collaboration (soft trust solution)

• Both levels of autonomic trust management can cooperate to ensure the trustworthiness of the entire pervasive system.

• Standardized devices (supported by TCG compatible devices)

• Implementation of the RT module and Autonomic Trust Management Framework

  • Designed and implemented inside a secure main chip in the mobile computing platform

  • The RT module functionalities and the ATMF functionalities can be implemented by a number of protected applications.

    • Small applications dedicated to performing security critical operations inside a secure environment.

    • Strict size limitations and resemble function libraries.

    • Access any resource in the secure environment.

    • Communicate with normal applications in order to offer security services.

    • New protected applications can be added to the system at any time; signature-based protection.

• Onboard Credential based implementation for the secure register of the RT module, the policy base, the execution base and the mechanism base

• A flexible and light secure storage mechanism supported by the trusted computing platform


Conclusions and future work

• Presented our arguments for autonomic trust management in the pervasive system.

• Proposed an autonomic trust management solution based on the trust sustaining mechanism and the adaptive trust control model.

• Main contribution:

  • Support two levels of autonomic trust management: between devices as well as between services offered by the devices.

• Effectively avoid or reduce risk by stopping or restricting any potential risky activities based on the trustor’s specification

• Demonstrated the effectiveness of our solution by applying it to an example pervasive system

• Discussed the advantages of and implementation strategies for the solution.

• Future work: study the performance through a prototype implementation on the basis of a mobile trusted computing platform


Thank You!

Questions and Comments!