Our research is about the establishment and maintenance of trust in information, services, and individuals in open distributed systems. In open systems, resources are shared across organizational boundaries, so traditional identity-based access control lists (ACLs) are not viable for protecting resources: the set of authorized users may not be known a priori. One facet of our research involves the investigation of trust negotiation, an approach to authorization in which resource owners describe the properties of those eligible to access a resource, rather than explicitly listing their identities. For example, a policy might say that all University of Illinois graduate students who are over the age of 21 and are permanent residents or citizens of the US are eligible to access a particular resource. Parties use digital credentials, such as a digital driver's license issued by the State of Illinois, to prove to a resource owner that they possess the properties listed in the policy for a resource. At run time, users can discover the policy associated with a resource. Users can also require resource owners to prove their own trustworthiness; in other words, trust establishment is bilateral, rather than following the traditional unilateral approach to authorization. Further, trust negotiation can be used in an incremental manner to gain access to any kind of resource, including services, roles, capabilities, personal credentials, and sensitive system policies. The TrustBuilder project has investigated many aspects of trust negotiation, including families of interoperable negotiation strategies, requirements for policy languages, architectures for trust negotiation, enforcing the safety and consistency of access decisions, enhancing the reliability and robustness of trust negotiation systems, and the establishment of privacy-preserving identifiers to enable reputation establishment and distributed audit in ABAC systems.
An introduction to trust negotiation is available here.
The TrustBuilder project has produced several sub-projects providing more in-depth treatment of specific issues related to the properties of, deployment strategies for, and uses of trust negotiation. PeerAccess provides a logical framework for reasoning about the properties of trust negotiations and other forms of distributed proof construction. Such a framework is a necessity if we are to rigorously prove the properties needed to accept more advanced access control systems. The Traust project examined the use of a third-party authorization service that relies on trust negotiation to broker access tokens to legacy services operating within a security domain. In this system, clients can carry out trust negotiation sessions with a Traust server to gain access to resources within a security domain without requiring existing services and protocols to be modified to support trust negotiation natively.
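To make the bilateral, incremental negotiation described in the overview concrete, here is an added Python model (an illustration written for this page, not TrustBuilder or Traust code). Each party holds credentials that certify attributes, each credential has its own release policy, and the two sides exchange credentials under a simple eager strategy (an assumed strategy, chosen for brevity) until the server's policy for the resource, the "UIUC graduate student, over 21, permanent resident or citizen" policy from the overview, is met; all credential and attribute names are constructed placeholders.

```python
from dataclasses import dataclass, field
# Toy model of incremental, bilateral trust negotiation (added illustration,
# not TrustBuilder code). A policy is a list of alternative attribute sets;
# the peer must prove every attribute in at least one alternative.
@dataclass
class Party:
    name: str
    credentials: dict   # credential name -> attributes it certifies
    policies: dict      # protected item -> list of alternative attribute sets
    proven: set = field(default_factory=set)     # attributes the peer has proved to us
    disclosed: set = field(default_factory=set)  # credentials we already sent

    def satisfied(self, item):
        """Items with no policy are freely released; else one alternative must hold."""
        alts = self.policies.get(item)
        return alts is None or any(alt <= self.proven for alt in alts)

    def disclose_ready(self, peer, trace):
        """Eager strategy (assumed): release every credential whose release
        policy the peer has already met. Returns True if anything was sent."""
        progress = False
        for cred, attrs in self.credentials.items():
            if cred not in self.disclosed and self.satisfied(cred):
                self.disclosed.add(cred)
                peer.proven |= attrs
                trace.append(f"{self.name} -> {peer.name}: {cred}")
                progress = True
        return progress

def negotiate(client, server, resource):
    """Returns (granted, trace); stops when the policy is met or no side can release more."""
    trace = [f"{server.name} discloses policy for {resource}"]
    while not server.satisfied(resource):
        progress = client.disclose_ready(server, trace)
        progress |= server.disclose_ready(client, trace)
        if not progress:
            return False, trace   # stalemate: neither side will go first
    return True, trace

def demo(server_has_cert=True):
    # Constructed sample credentials and attribute names (placeholders).
    client = Party("alice",
        {"uiuc_id": {"uiuc_grad"}, "il_drivers_license": {"age_21_plus"},
         "us_passport": {"us_citizen"}},
        {"il_drivers_license": [{"uiuc_service"}]})  # license only to a proven UIUC service
    server = Party("server",
        {"uiuc_server_cert": {"uiuc_service"}} if server_has_cert else {},
        {"report.pdf": [{"uiuc_grad", "age_21_plus", "us_permanent_resident"},
                        {"uiuc_grad", "age_21_plus", "us_citizen"}]})
    return negotiate(client, server, "report.pdf")
```

`demo()` grants access after two rounds because the server's certificate unlocks Alice's driver's license; `demo(server_has_cert=False)` ends in a stalemate, which is the bilateral property at work.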
For a society to function well, it must have trust in its institutions. Enron, Arthur Andersen, Global Crossing, Tyco, Adelphia Communications, WorldCom: the financial scandals of the past decade rocked society’s confidence in the financial accountability of US corporations and the business ethics of their top management. To restore confidence by ensuring accountability, Congress passed the Sarbanes-Oxley Act (SOX) in 2002. SOX requires long-term retention of all routine business documents, including corporate email, reports, spreadsheets, instant messages, and memoranda; the goal is to ensure that insider misdeeds will leave an electronic “paper trail” that can be subpoenaed and used to track the actions of individual miscreants and bring them to justice. Other high-profile recent regulations that impose significant data retention and trustworthiness requirements include the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, Securities and Exchange Commission Rule 17-a4, and the Department of Defense Records Management Program under directive 5015.2. A common thread running through all these regulations is the need to protect against insider tampering and deletion of records. In other words, these regulations recognize that evildoers are not necessarily hackers outside the organization, whom the organization just needs to repel; an evildoer can be inside the company, often a CEO or CFO who has unlimited access to system administrators with superuser powers. Yet in spite of this, the company’s records must be protected against deletion or alteration until the end of their mandated retention periods. In response to these directives, a huge market has developed for compliance storage servers sold by IBM, EMC, Network Appliance, HP, Sony, and other vendors.
These storage servers provide an approximation of write-once read-many (WORM) storage to ensure that files committed to a WORM device are read-only during their predeclared retention periods (term-immutable), and cannot be deleted or altered even by a system administrator inside the company or a hacker with administrative privileges. Some products also support eradication of files at the end of their retention periods and can enforce “litigation holds” to ensure that subpoenaed files are not deleted. Companies can put all their email, financial records, reports, and other documents on these servers, in what is advertised as a turnkey compliance solution. In practice, the security guarantees provided by compliance storage products are relatively weak. Our compliance research project aims to create ways to provide stronger guarantees at minimal cost, for indexing compliance documents, tracking their provenance, and ensuring that database contents are not tampered with. When the additional cost is outweighed by the expected benefit to society, regulators can require organizations to use these improved technical solutions, thus providing a higher level of organizational accountability and increasing societal trust in our institutions.
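The term-immutable semantics just described, as an added Python model (written for this page; it is not any vendor's product and ignores the real-world storage layer): a committed file cannot be overwritten, deletion is refused during its retention term even when the caller claims administrator privilege, a litigation hold blocks deletion regardless of date, and end-of-term eradication removes only expired files that are not on hold. Time is a plain day counter to keep the model self-contained.

```python
class TermImmutableStore:
    """Toy model of the WORM semantics described above (added illustration,
    not any vendor's product). Time is a plain day counter. A file is
    read-only until its retention day; a litigation hold blocks deletion
    regardless of the date."""

    def __init__(self):
        self._files = {}   # name -> (content, retention_until_day)
        self._holds = set()

    def commit(self, name, content, retention_days, today):
        """Write once: a committed name can never be overwritten or shortened."""
        if name in self._files:
            raise PermissionError(f"{name} is already committed")
        self._files[name] = (content, today + retention_days)

    def read(self, name):
        return self._files[name][0]

    def names(self):
        return sorted(self._files)

    def place_hold(self, name):
        self._holds.add(name)

    def release_hold(self, name):
        self._holds.discard(name)

    def delete(self, name, today, is_admin=False):
        """Refused during the retention term or under hold. is_admin is
        accepted only to make the point: privilege does not shorten a term."""
        _, until = self._files[name]
        if name in self._holds:
            raise PermissionError(f"{name} is under litigation hold")
        if today < until:
            raise PermissionError(f"{name} is retained until day {until}")
        del self._files[name]

    def eradicate_expired(self, today):
        """End-of-term eradication: every file past retention and not on hold."""
        expired = sorted(n for n, (_, until) in self._files.items()
                         if today >= until and n not in self._holds)
        for n in expired:
            del self._files[n]
        return expired
```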
All e-mail addresses are in the cs.uiuc.edu domain.
Principal Investigator: Marianne Winslett
8/10/06: The paper "A Statistical Analysis of Disclosed Storage Security Breaches" by Ragib Hasan and William Yurcik, has been accepted for publication in the "2nd International Workshop on Storage Security and Survivability (StorageSS)" in conjunction with 12th ACM Conference on Computer and Communications Security (CCS 2006), October 2006.
7/21/2006: The paper "Safety and Consistency in Policy-Based Authorization Systems" was accepted for publication at the 13th ACM Conference on Computer and Communications Security (CCS 2006).
7/15/2006: Graduate student Soumyadeb Mitra leaves for a six-month internship at IBM Almaden to work on Compliance Storage.
6/26/2005: The paper "Toward an On-Demand Restricted Delegation Mechanism for Grids" was accepted for publication at the 7th ACM/IEEE International Conference on Grid Computing (Grid 2006).
6/2006: The paper "Trustworthy Inverted Index for Regulatory Compliance" was accepted for publication at the 32nd International Conference on Very Large Data Bases (VLDB 2006).
3/24/2006: The paper "Synergy: A Trust-aware, Policy-driven Information Dissemination Framework" was accepted for publication at the IEEE International Conference on Intelligence and Security Informatics (ISI 2006), San Diego, USA, May 23-24, 2006.
2/28/2006: The paper "Traust: A Trust Negotiation-Based Authorization Service for Open Systems" was accepted for publication at the 11th ACM Symposium on Access Control Models and Technologies (SACMAT 2006).
2/19 - 2/25/2006: Professor Piero Bonatti visits our group to discuss agent modelling research and to serve on Charles's prelim committee. A picture from a dinner with Prof. Bonatti at Dos Reales can be found here.
2/17/2006: The demonstration paper "Traust: A Trust Negotiation Based Authorization Service" was accepted for publication at the Fourth International Conference on Trust Management (iTrust 2006).