PEI Models for Scalable, Usable and High-Assurance Information Sharing

Secure Information Sharing (SIS) or “share but protect” is a challenging and elusive problem both because of its broad scope and complexity ranging right from conception (objective and policy) to culmination (implementation). In this paper, we consider how to solve SIS challenges with three main and conflicting objectives: scalability, usability and high-assurance. In the context of SIS, high-assurance requires strong controls on the client. It is widely accepted that such controls cannot be entirely software-based. In this regard, we consider solutions based on commercially emerging hardware-rooted Trusted Computing Technology. For SIS, we argue super-distribution (“protect once and access wherever authorized”) and off-line access are necessary to achieve scalability and usability. As we will see, although a Trusted Platform Module [1] (TPM) provides a range of powerful functionalities, it does not enable true super-distribution in any obvious manner. We therefore limit super-distribution to occur within a group. A group is an abstract set of TPM-enabled machines. For simplicity, we assume all content that are distributed to be readonly. Drilling down, we propose concrete Policy, Enforcement and Implementation (PEI) models for SIS within a group (group-based SIS or g-SIS). In the policy layer, we develop a framework for specifying subject and object group membership. In the enforcement layer, we explore ways to approximate instant and preemptive revocation of group members to support off-line access. We use the UCON [9] model to formally specify the policy and enforcement models. In the implementation layer, we outline protocols using Trusted Computing Technology [1] that would realize our policy model and thereby our objectives. We also demonstrate the value of this layered approach by showing how our enforcement and implementation models can easily accommodate enhancements in the policy model.