Académique Documents
Professionnel Documents
Culture Documents
1. INTRODUCTION
Secure information sharing across different organizations is a crucial issue for collaborative software development, product design, etc. So far, most organizations have taken countermeasures such as firewalls, and mail filtering appliances to protect against information leakage out of individual organizations.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. CCSW10, October 8, 2010, Chicago, Illinois, USA. Copyright 2010 ACM 978-1-4503-0089-6/10/10...$10.00.
organization projects are often temporal, additional costs can not be ignored in many cases.
Content-based policy enforcement is not restricted to the aforementioned cryptographic manners. In a case where the existing services are located in the same intranet, content filtering is practically secure. In the case of file sharing between divisions in a company, risk is lower than it is an Internet case. In this case, the access control is enough for secure information sharing. Not only are encryption and filtering required, we also require many content based policy enforcements such as virus scan for file sharing services, and web filtering for web services.
Figure 4: Architecture of CoVD To meet requirements (d) to (g), each physical member environment uses a virtualization platform (D), and also uses a member authentication component (E), a resource authorization component (F), a policy enforcer (G), where (D) The virtualization platform receives a copy of the virtual resource image and creates the virtual resources for constructing a virtual member environment. It also constructs a management environment for the following components. (E) The member authentication component authenticates the members with the accounts provisioned by the member management component or mediates an authentication protocol to the existing authentication server. (F) The resource authorization component checks the signature of the authorized virtual resources to confirm whether the structure of the resources is as defined by the manager. (G) The policy enforcer monitors network communications and enforces the policy on the exchanged documents.
which hooks IP packets and calls the condition plug-in modules and the obligation plug-in modules according to the policies. The condition plug-in module corresponds to a condition function in figure 5 and performs filtering according to the condition. The obligation plug-in module corresponds to an obligation function and performs required content transformation.
Figure 8: Context handler and plug-in modules Next, we design the context handler, which monitors all network communication so that it enforces policies without fail. For this requirement, we implemented the context handler as a bridge driver. In the Xen architecture, the bridge driver connects DomU (the virtual member environment) and a physical Network Interface Card (NIC). Therefore, the context handler can monitor all network traffic as a bridge. To enforce policies, the context handler finds an appropriate policy by identifying the IP address and port number of IP packets. Then, the context handler interprets the policy and calls condition plug-in modules and obligation plug-in modules. In order to call the plug-in modules, the context handler performs a Network Address Translation (NAT) (Figure 8). Each plug-in module has a virtual NIC and opens sockets on its virtual NIC. Then, the context handler hooks IP packets to/from the DomU and performs the NAT so that the network connection goes thorough plug-in modules. To be more precise, the context handler performs the NAT according to the policy as the following steps. Step 1 (find out the policy): The context handler monitors the IP packets and identifies the source/destination IP address and the source/destination port number. Then, the context handler finds the policy according to the IP addresses and port numbers. If the IP addresses and the port
10
numbers do not match any policies, the context handler drops the packet. Step 2 (call condition functions): The context handler refers to the first condition plug-in modules IP address. Then the context handler changes the destination IP address into the first module's IP address. Next, the context handler hooks the packets from the first module, and then the context handler transfers the packets to the next module. In the same way, the context handler repeats the NAT till the last condition module. Step 3 (call obligation functions): The context handler transfers the packets to obligation plug-in modules. If the context handler hooks a packet from the last obligation module, the context handler changes the destination IP address into the servers IP address.
module permitted the mail, and the mail encryption module encrypted the mail. Recipient check module: recipient matches the project member list Mail encryption module: encrypt mail Figure 11: Log of recipient check and encryption Next, we sent a mail to a non-project member. The recipient check module output the following log (Figure 12), which means that the recipient check module dropped the mail. Recipient check module: recipient does not match Figure 12: Log of mail reject Those results demonstrate that project members can share information safely in the CoVD using the mail service.
Figure 9: Secure mail exchange In this use case, we assumed that project members should send mail only to other project members to prevent information leakage. Moreover, the mail must be encrypted to prevent eavesdropping. Thus, we described following policy (Figure 10) and deployed the policy to the senders context handler. RecipientCheck ( MailEncryption(*:*,,192.168.0.3:25) ) Figure 10: A policy for secure mail exchange To send a mail using the existing mail server, we specified the IP address of the existing mail server as destination IP (192.168.0.3) and also specified the SMTP port (25) as the destination port. Moreover, in order to enforce recipient check and mail encryption, we specified that a recipient check module block mail to non-project members and that a mail encryption module encrypt the body of the mail. When a project member sends a mail, the recipient check module and the mail encryption module work as follows. The recipient check module analyzes the SMTP protocol and identifies recipients. Then, it checks to see if the recipient is allowed using the allowable recipient list. If the recipient is allowed, the module mediates the mail. Otherwise, the module drops the mail and closes the network connection to the server. The mail encryption module also analyzes the SMTP protocol and identifies the mail body. Then, it encrypts the mail body using the project key. First, we sent a mail to a project member whose mail address was allowed by the allowable recipient list. Then the modules output following log (Figure 11), which means that the recipient check
Time (sec)
15
10
0 0 20 40 60 80 100 120
Figure 13:
11
7. CONCLUSION
In this paper we proposed a method of constructing Content Oriented Virtual Domains, which leverages existing common services and enables a secure collaborative workspace. The CoVD monitors document exchange, checks conditions, and enforces obligations according to project policies. We implemented the policy management component and the policy enforcer, which can expand policy description capability by adding a plug-in module. We evaluated its performance and concluded that CoVD allows us to share project documents safely using existing services such as e-mail.
8. REFERENCES
[1] Anthony Bussani et al, Trusted Virtual Domains: Secure Foundations for Business and IT Services TBM Research Report RC23792, 2005 Xinwen Zhang, Towards A Usage-based Security Framework for Collaborative Computing Systems, ACM Transactions on Information and System Security, Volume 11 , Issue 1, 2008. Reiner Sailer, Attestation-based Policy Enforcement for Remote Access, Conference on Computer and Communications Security ,2004 Heng Yin et al, Building an Application-Aware Ipsec Policy System, IEEE/ACM transactions on networking, Vol 15,NO.6, December 2007 TCG Architecture Overview, Version 1.4, http://www.trustedcomputinggroup.org/developers/trusted_net work_connect/specifications TPM Main Specification, http://www.trustedcomputinggroup. org/resources/tpm_main_specification Reiner Sailer et al. , Building a MAC-Based Security Architecture for the Xen Open-Source Hypervisor, ACSAC Proceedings of the 21st Annual Computer Security Applications Conference, 2005 Yacine Gasmi, et al, Flexible and Secure Enterprise Rights Management based on Trusted Virtual Domain, STC'08 Yuji Watanabe, Sachiko Yoshihama, Takuya Mishina, Michiharu Kudo , and Hiroshi Maruyama. Bridging the Gap Between Inter-communication Boundary and Internal Trusted Components, Lecture Notes in Computer Science, volume 4189, 2006
[2]
[3]
[4]
[5]
[6] [7]
[8] [9]
[10] Ahmad-Reza Sadeghi et al. European Multilateral Secure Computing Base - Open Trusted Computing for You and Me, Datenschutz und Datensicherheit (DUD) 9/2004, Vieweg Verlag, pp. 548-554, 2004. [11] HP NetTop, http://h71028.www7.hp.com/enterprise/cache/48 852-0-0-225-121.html?jumpid=ex_R2548_go/nettop [12] Trusted Solaris, http://www.sun.com/software/solaris/trusteds olaris/index.xml [13] Yasuharu Katsuno, Yuji Watanabe, Sanehiro Furuichi, Michiharu Kudo , Chinese-wall process confinement for practical distributed coalitions, SACMAT '07
12