Cornelius Namiluko

Managing application whitelists in trusted distributed systems

Many distributed batch systems, such as computational grids, require a level of integrity protection to guarantee the proper execution of a job or workflow. One way of achieving this, implicit in many trusted computing proposals, is to use application whitelisting to prevent unknown and untrusted applications from being executed on remote services. However, this approach has significant shortcomings across multiple administrative domains, as conflicts between locally managed whitelists will result in many useful services appearing untrustworthy to users. This has the potential to limit availability and prevent trusted distributed systems from ever being successfully deployed. We propose a set of requirements for a system which will manage these conflicts, and provide a mechanism for updating application whitelists that will increase service availability and trustworthiness. We also suggest and specify a set of components, including a centralised configuration manager, which will meet these requirements.

Model-driven architectural risk analysis using architectural and contextualised attack patterns

A secure system architecture is often based on a variety of design and security model elements. Without some way of evaluating the impact of these individual design elements in the face of possible attacks, design flaws may weaken a software architecture. This paper illustrates how architectural and contextualised attack patterns can be used to formalise the elements of architectural attacks and possible defences. We illustrate how these patterns, and tool-support building upon them, can be used to automate an architectural risk analysis process. We demonstrate this approach using an example from the EU FP7 webinos project.

A taxonomy for securely sharing information among others in a trust domain

In any given collaboration, information needs to flow from one participant to another. While participants may be interested in sharing information with one another, it is often necessary for them to establish the impact of sharing certain kinds of information. This is because certain information could have detrimental effects when it ends up in wrong hands. For this reason, any would-be participant in a collaboration may need to establish the guarantees that the collaboration provides, in terms of protecting sensitive information, before joining the collaboration as well as evaluating the impact of sharing a given piece of information with a given set of entities. The concept of a trust domains aims at managing trust-related issues in information sharing. It is essential for enabling efficient collaborations. Therefore, this research attempts to develop a taxonomy for trust domains with measurable trust characteristics, which provides security-enhanced, distributed containers for the next generation of composite electronic services for supporting collaboration and data exchange within and across multiple organisations. Then the developed taxonomy is applied to a possible scenario, in which the concept of trust domains could be useful.

Provenance-Based model for verifying trust-properties

Trust establishment requires evidence about the systems ability to operate as expected. However, the nature of this evidence and its representation and usage in trust evaluation still remains an open problem. Current mechanisms for collecting this evidence, such as the TCG integrity schema, do not support the linkage of this evidence and therefore limit the kinds of properties that can be verified. We argue that provenance provides more comprehensive evidence that can be represented in a manner that eases trust evaluation. Towards this end, we propose a provenance-based model for reasoning about a systems ability to satisfy trust properties of interest. This approach enables interoperability, supports multiple abstractions and enables evaluation of varying trust properties. Its application on verifying properties of platforms for use in a trust domain demonstrate its feasibility and flexibility.

Verifying trustworthiness of virtual appliances in collaborative environments

Often in collaborative research environments that are facilitated through virtual infrastructures, there are requirements for sharing virtual appliances and verifying their trustworthiness. Many researchers assume that virtual appliances -- shared between known virtual organisations -- are naturally safe to use. However, even if we assume that neither of the sharing parties are malicious, these virtual appliances could still be mis-configured (in terms of both security and experiment requirements) or have out-of-date software installed. Based on formal methods, we propose a flexible method for specifying such security and software requirements, and verifying the virtual appliance events (captured through logs) against these requirements. The event logs are transformed into a process model that is checked against a pre-defined whitelist -- a repository of formal specifications. Verification results indicate whether or not there is any breach of the requirements and if there is a breach, the exact steps leading to it are made explicit.

An abstract model of a trusted platform

A trusted platform is a fundamental building block in most trusted computing based architectures. Although it can be constructed from a finite set of components, there are several ways of combining the components and several configuration options that affect trust-related properties. Examples of such properties may be specifying that a platform will not expose a secret or delegate a task to a rogue entity. Despite its importance, very little attention has been directed towards reasoning about the properties that result from the way the platform is constructed and configured. Reasoning about these properties enables one to understand their security implications. In order to reason about such properties, we propose an abstract model, based on CSP, in which a platform is treated as a potentially malicious composition of sub-systems that interact through communication of messages. The model enables instantiation of platforms with varying trust levels and verification against specified properties. The applicability of the model is demonstrated on a trusted grid platform.