Publication


Featured research published by Sachiko Yoshihama.


international world wide web conferences | 2008

SMash: secure component model for cross-domain mashups on unmodified browsers

Frederik De Keukelaere; Sumeer Bhola; Michael Steiner; Suresh Chari; Sachiko Yoshihama

Mashup applications mix and merge content (data and code) from multiple content providers in a user's browser, to provide high-value web applications that can rival the user experience provided by desktop applications. Current browser security models were not designed to support such applications and they are therefore implemented with insecure workarounds. In this paper, we present a secure component model, where components are provided by different trust domains, and can interact using a communication abstraction that allows ease of specification of a security policy. We have developed an implementation of this model that works currently in all major browsers, and addresses challenges of communication integrity and frame-phishing. An evaluation of the performance of our implementation shows that this approach is not just feasible but also practical.


international conference on web services | 2005

WS-attestation: efficient and fine-grained remote attestation on Web services

Sachiko Yoshihama; Tim Ebringer; Megumi Nakamura; Seiji Munetoh; Hiroshi Maruyama

This paper proposes WS-attestation, an attestation architecture on the Web services framework. We aim at providing a software-oriented, dynamic and fine-grained attestation mechanism that leverages TCG technologies to increase trust and confidence in integrity reporting. In addition, the architecture allows efficient binding of attestation with application context, privacy protection, as well as infrastructural support for attestation validation.


european symposium on research in computer security | 2007

Dynamic information flow control architecture for web applications

Sachiko Yoshihama; Takeo Yoshizawa; Yuji Watanabe; Michiharu Kudoh; Kazuko Oyanagi

In typical Web applications, the access control at the database management system is not effective due to the dependency on application behavior. That is, once the information is retrieved, a careless application can easily leak the information to undesirable parties. In addition, database accounts are often shared for multiple Web users in order to allow connection pooling. We propose DIFCA-J (Dynamic Information Flow Control Architecture for Java), to keep track of and control fine-grained information propagation through execution of the program. DIFCA-J allows controlling the information flow at run-time, without needing to modify the source code of the target application or the Java VMs.


international conference on human computer interaction | 2009

Adaptive Security Dialogs for Improved Security Behavior of Users

Frederik De Keukelaere; Sachiko Yoshihama; Scott Trent; Yu Zhang; Lin Luo; Mary Ellen Zurko

Despite the increasing awareness of the importance of security for daily computer users, we see that many users still fail to behave securely when confronted with a security-related decision. In this paper, we introduce a new approach to security-related dialogs called Adaptive Security Dialogs (ASD). This approach is a combination of a new architecture and a new way of interacting with users to provide them with appropriate and effective security dialogs. ASD realizes this goal by matching the complexity and intrusiveness of security-related dialogs to the risk associated with the decision the user is making. This results in an architecture in which users can focus on their tasks, get (immediate) feedback on their decisions, and interact with dialogs with an appropriate complexity and appearance for the decision's associated risk. This paper makes the following three contributions. First, we introduce a general architecture for handling security-related decisions. Second, through an empirical user study using a web-based e-mail client, we show significant improvement in the care exercised by our participants without sacrificing usability. Third, we describe how the different pieces of existing research fit into the bigger picture of improving users' behavior.


pervasive computing and communications | 2003

Managing behavior of intelligent environments

Sachiko Yoshihama; Paul B. Chou; Danny C. Wong

It has become increasingly important to support agile organizations with easily re-configurable work environments. This paper describes ongoing work on a platform for managing behavior of intelligent environments. The platform promotes the development of futuristic workspaces that support people's work practices in an unobtrusive, context-aware, and personalized manner. The platform accommodates individual preferences and organizational policies in a way that allows rapid and impromptu customizations. There are several advantages to this, in particular, the ability to represent users' preferences about their work environments separately from the actual configurations of the physical spaces they occupy at a given time, thus supporting emerging workplace needs such as hoteling and impromptu group settings.


IEICE Transactions on Information and Systems | 2008

Integrity Management Infrastructure for Trusted Computing

Seiji Munetoh; Megumi Nakamura; Sachiko Yoshihama; Michiharu Kudo

Computer security concerns have been rapidly increasing because of repeated security breaches and leakages of sensitive personal information. Such security breaches are mainly caused by inappropriate management of PCs, so maintaining the integrity of the platform configuration is essential, and verifying the integrity of the computer platform and software becomes more significant. To address these problems, the Trusted Computing Group (TCG) has developed various specifications that are used to measure the integrity of the platform based on hardware trust. In trusted computing technology, the integrity data of each component running on the platform is recorded in the security chip and is securely checked by remote attestation. The infrastructure working group in the TCG is trying to define an Integrity Management Infrastructure in which the Platform Trust Services (PTS) is a new key component which deals with an Integrity Report. When we use the PTS in the target platform, it is a service component that collects and measures the runtime integrity of the target platform in a secure way. The PTS can also be used to validate the Integrity Reports. We introduce the notion of the Platform Validation Authority, a trusted third party, which verifies the composition of the integrity measurement of the target platform in the Integrity Reports. The Platform Validation Authority complements the role of the current Certificate Authority in the Public Key Infrastructure which attests to the integrity of the user identity as well as to related artifacts such as digital signatures. In this paper, we cover the research topics in this new area, the relevant technologies and open issues of trusted computing, and the details of our PTS implementation.


Test and Analysis of Web Services | 2007

ws-Attestation: Enabling Trusted Computing on Web Services

Sachiko Yoshihama; Tim Ebringer; Megumi Nakamura; Seiji Munetoh; Takuya Mishina; Hiroshi Maruyama

This chapter proposes ws-Attestation, an attestation architecture based upon a Web Services framework. The increasing prevalence of security breaches caused by malicious software shows that the conventional identity-based trust model is insufficient as a protection mechanism. It is unfortunately common for a computing platform in the care of a trustworthy owner to behave maliciously, zombie computers used to send spam being a common example.


european symposium on research in computer security | 2006

Bridging the gap between inter-communication boundary and internal trusted components

Yuji Watanabe; Sachiko Yoshihama; Takuya Mishina; Michiharu Kudo; Hiroshi Maruyama

Despite increasing needs for the coalition-based resource sharing, establishing trusted coalition of nodes in an untrusted computing environment is a long-standing yet increasingly important issue to be solved. The Trusted virtual domain (TVD) is a new model for establishing trusted coalitions over heterogeneous and highly decentralized computing environment. The key technology to enable TVD is the integrity assurance mechanism, which allows a remote challenger to verify the configuration and state of a node. A modern computer system consists of a multi-layer stack of software, such as a hypervisor, a virtual machine, an operating system, middleware, etc. The integrity assurance of software components is established by chains of assurance from the trusted computing base (TCB) at the lowest layer, while the communication interface provided by nodes should be properly abstracted at a higher layer to support interoperable communication and the fine-grained handling of expressive messages. To fill the gap between "secure communication between nodes" and "secure communication between trusted components", a notion of "Secure Message Router (SMR)", domain-independent, easy to verify, multi-functional communication wrapper for secure communication is introduced in this paper. The SMR provides essential features to establish TVDs: end-to-end secure channel establishment, policy-based message translation and routing, and attestability using fixed clean implementation. A virtual machine-based implementation with a Web service interface is also discussed.


scalable trusted computing | 2006

Layering negotiations for flexible attestation

Yasuharu Katsuno; Yuji Watanabe; Sachiko Yoshihama; Takuya Mishina; Michiharu Kudoh

Recently, much attention has been paid to research on distributed coalitions that establish trust among the members of groups of computing components in distributed environments. The Trusted Virtual Domains (TVD) that our research division is proposing is a new model of a distributed coalition for establishing multiple trusted coalitions of components on nodes in distributed heterogeneous environments. In a large-scale distributed computing environment where many kinds of components exist and there might be difficult situations to agree common attestation methods among all components beforehand, it is necessary to provide each component with flexible attestation according to its usage scenario for increasing the number of components that can participate in TVD. In this paper, we propose a layering negotiation approach. It divides an attestation process into a global attestation phase that verifies that a TVD is fundamentally secure and supporting essential trusted primitives and a local attestation phase that verifies the integrity of a specific component involved in a usage scenario. And, a combination of attestation methods is decided as a result of negotiation between the components for each kind of attestation at each phase. With our approach, the attestation corresponding to a usage scenario can be done flexibly based on the minimal required attestation needed in the TVD, so the component developers can concentrate on the implementation of the higher-level functions.


international workshop on security | 2007

Fine-grained sticky provenance architecture for office documents

Takuya Mishina; Sachiko Yoshihama; Michiharu Kudo

Current business situations require improved confidentiality and integrity for office documents. However, existing content management systems for office documents lack required security properties such as the *-property, or have problems such as label creep. In this paper we propose a meta-data format called sticky provenance and a fine-grained information flow control architecture using the sticky provenance. The sticky provenance contains the change history and the labels of an office document in a secure form, and it ensures the verifiability of the change history of the documents in distributed environments. The Provenance Manager, which is a key module of the architecture, reduces the label creep problem of the information flow control models with the sticky provenance. In other words, the sticky provenance and the Provenance Manager can introduce a practical fine-grained information flow control capability to office applications so that we can ensure both the confidentiality and the verifiability of office documents.
