Dynamic Policy Discovery with Remote Attestation

  • Corin Pitcher
  • James Riely
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3921)


Remote attestation allows programs running on trusted hardware to prove their identity (and that of their environment) to programs on other hosts. Remote attestation can be used to address security concerns if programs agree on the meaning of data in attestations. This paper studies the enforcement of code-identity based access control policies in a hostile distributed environment, using a combination of remote attestation, dynamic types, and typechecking. This ensures that programs agree on the meaning of data and cannot violate the access control policy, even in the presence of opponent processes. The formal setting is a π-calculus with secure channels, process identity, and remote attestation. Our approach allows executables to be typechecked and deployed independently, without the need for secure initial key and policy distribution beyond the trusted hardware itself.


Keywords: remote attestation; code-identity based access control; policy establishment; key establishment; π-calculus; Next Generation Secure Computing Base



Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Corin Pitcher (CTI, DePaul University, USA)
  • James Riely (CTI, DePaul University, USA)
