Visualization of Automated Trust Negotiation
Danfeng Yao
Brown University
Roberto Tamassia
Brown University
Michael Shin
Goldman Sachs Inc.
William H. Winsborough
University of Texas, San Antonio
Supported in part by NSF grants CCF-0311510, IIS-0324846, CNS-0303577 and CNS-0325951
Overview

Introduction to two-party automated trust negotiation (ATN)
– Trust target graph (TTG)
Design of the visualization framework
– Prototype implementation
Example of a visualization session
– Demo of our visualization program
Monitoring the release of sensitive credentials

Accessing protected resources requires releasing digital credentials
Credentials may be sensitive
– Need to control the release of digital credentials
– Trust negotiation is an incremental, bilateral exchange of credentials and policies between resource owner and requester
Visualization of automated trust negotiation
– Gives teaching and learning support for ATN users
– Enables users to visually examine the ATN process
– The combination of interactive visualization and ATN improves the security of protected resources
– We demonstrate that Grappa and GraphViz (AT&T) are suitable graph drawing systems for visualizing ATN
A simple trust negotiation example

Figure: message sequence between Alice (credential: UID, a student ID; policy: releasing UID requires BBB) and the resource owner (credential: BBB, Better Business Bureau; policy: discount requires UID)
1. Alice: request for discount
2. Owner: request UID
3. Alice: request BBB (her policy requires it before the UID is released)
4. Owner: send BBB
5. Alice: send UID
6. Owner: grant the discount
A general trust negotiation protocol

Figure: the general protocol between the requester (Alice) and the resource owner; each side holds its own policies and credentials, and the request for the resource defines the primary trust target
– Request for resource
– Request credential
– Sensitive, request proof / Sensitive, request more credentials
– Send proof / Send credential
– Grant the resource
Trust target graph

Trust target graph (TTG) is a directed graph representing the state of negotiation [Winsborough, Li ’02]
– The negotiation succeeds when the primary trust target is satisfied
– Fails when the primary target cannot be satisfied, or when neither negotiator changes the graph
– TTG can have cycles and be non-planar
Construction of TTG
– Each negotiator keeps a local copy of the TTG
– Nodes are trust targets, e.g. < Amazon: Amazon.discount ? Alice >
  – The state of a node: unknown, satisfied, or unsatisfied
– Edges represent implication and control relationships
  – Satisfied states propagate along the edges
– Negotiators take turns extending the TTG by adding new edges and nodes to the current graph
  – At the beginning the TTG contains only the primary trust target
  – The new TTG is a supergraph of the previous one
  – Associated credentials or policies are transmitted
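The construction rules above, as an added worked example (this code is not from the slides or the ATN-Vis prototype): a small TTG model with the slides' node states and edge kinds, turn-based monotone extension, satisfied-state propagation, and the success/failure rule. The propagation direction (a satisfied child satisfies its parent along an implication edge, an intersection target needs all of its children satisfied) and the treatment of control edges as release preconditions are assumptions of this example; the replayed Alice/Amazon scenario uses only targets shown on the slides.

```python
from dataclasses import dataclass

UNKNOWN, SATISFIED, UNSATISFIED = "unknown", "satisfied", "unsatisfied"


@dataclass(frozen=True)
class Target:
    """A trust target <verifier: role ? subject>, e.g. <Amazon: Amazon.discount ? Alice>."""
    verifier: str
    role: str
    subject: str

    def __str__(self):
        return f"<{self.verifier}: {self.role} ? {self.subject}>"


class TTG:
    def __init__(self, primary):
        self.primary = primary
        self.state = {primary: UNKNOWN}   # node -> unknown / satisfied / unsatisfied
        self.children = {primary: []}     # parent -> children, in insertion order
        self.kind = {}                    # (parent, child) -> edge kind
        self.idle_turns = 0               # consecutive turns that changed nothing

    def add_edge(self, parent, child, kind="implication"):
        """Only ever adds nodes/edges: the graph after a turn is a supergraph of the one before."""
        for t in (parent, child):
            self.state.setdefault(t, UNKNOWN)
            self.children.setdefault(t, [])
        if child in self.children[parent]:
            return False
        self.children[parent].append(child)
        self.kind[(parent, child)] = kind
        return True

    def take_turn(self, edits):
        """One negotiator's turn: a list of (parent, child, kind) edges. Returns True if anything changed."""
        changed = any([self.add_edge(p, c, k) for p, c, k in edits])  # list: apply every edit
        self.idle_turns = 0 if changed else self.idle_turns + 1
        return changed

    def can_release(self, target):
        """Assumption: a credential guarded by a control edge (ack/access policy) may be sent
        only once every controlling child target is satisfied."""
        return all(self.state[c] == SATISFIED for c in self.children[target]
                   if self.kind[(target, c)] == "control")

    def mark(self, target, state):
        self.state[target] = state
        self.propagate()

    def propagate(self):
        """Fixpoint: satisfied states flow from children to parents. Assumption: one satisfied
        implication child suffices; an intersection target needs all intersection children."""
        changed = True
        while changed:
            changed = False
            for parent, kids in self.children.items():
                if self.state[parent] != UNKNOWN:
                    continue
                impl = [k for k in kids if self.kind[(parent, k)] == "implication"]
                inter = [k for k in kids if self.kind[(parent, k)] == "intersection"]
                if any(self.state[k] == SATISFIED for k in impl) or \
                        (inter and all(self.state[k] == SATISFIED for k in inter)):
                    self.state[parent] = SATISFIED
                    changed = True

    def outcome(self):
        """Success when the primary target is satisfied; failure when it cannot be satisfied
        or when neither negotiator changed the graph on their last turn."""
        if self.state[self.primary] == SATISFIED:
            return "success"
        if self.state[self.primary] == UNSATISFIED or self.idle_turns >= 2:
            return "failure"
        return "in progress"


def run_discount_example():
    """Replays the discount example: the discount requires a student ID, and Alice's
    student ID is sensitive, so she requires Amazon's BBB credential first."""
    discount = Target("Amazon", "Amazon.discount", "Alice")   # primary trust target
    student = Target("Amazon", "Univ.Student", "Alice")
    bbb = Target("Alice", "BBB.member", "Amazon")
    g = TTG(discount)
    g.take_turn([(discount, student, "implication")])  # Amazon: discount requires UID
    g.take_turn([(student, bbb, "control")])           # Alice: releasing UID requires BBB
    if g.can_release(student):
        raise RuntimeError("UID must stay locked until BBB is satisfied")
    g.mark(bbb, SATISFIED)                             # Amazon sends its BBB credential
    g.mark(student, SATISFIED)                         # Alice may now send her UID
    return g


if __name__ == "__main__":
    g = run_discount_example()
    for t, s in g.state.items():
        print(f"{t}: {s}")
    print("outcome:", g.outcome())
```

Each call to `take_turn` corresponds to one negotiator's extension of the graph; `outcome()` applies the slides' termination rule, so a run in which both sides take an empty turn reports failure even though the primary target is still unknown.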
TTG construction of the example

Figure: the TTG built for the discount example. Nodes: < Amazon: Amazon.discount ? Alice > (the primary trust target), < Amazon: Univ.Student ? Alice > and < Alice: BBB.member ? Amazon >; the drawing marks which negotiator (Amazon or Alice) added each node and edge
Components of our ATN visualization framework

Figure: data flow of the framework. (1) ATN engine -> (2) logs (text) -> (3) log parser -> (4) protocol state & update -> (5) visualization (view) -> (6) user inputs -> (8) modifier, which feeds edited credentials, policies and strategies (text) back into the ATN engine
Prototype implementation

The visualizer displays the construction of the TTG for negotiators
Uses the Grappa system [Barghouti, Mocenigo, Lee. GD ’97], a Java port of the GraphViz system [Ellson, Gansner, Koutsofios, North, Woodhull et al.], for graph drawing
– Layout provided by dot in GraphViz
– The upward drawing heuristics and hierarchical (layered) drawing features are suitable for drawing directed graphs such as TTGs
– Layout algorithms try to avoid edge crossings and reduce edge length
Colors and shapes of nodes and edges represent different types in the TTG and can be customized
Displays local credentials, remote credentials, and policies
Node types shown in the legend: intersection target, linked role target, standard target, trivial target
Edge types

Edge name           | Color  | Meaning
--------------------|--------|-----------------------------------------------------------
Implication         | Purple | A parent node implies the child node
Linking monitor     | Blue   | From a target with a linked role to a linking goal
Linking solution    | Gold   | From a linked goal to a standard target
Linking implication | Green  | From a target with a linked role to a linked role target
Control             | Sienna | Used with ack and access policies
Intersection        | Orange | From an intersection target to standard targets
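To show how the edge-type table and the dot-based layout fit together, here is an added example (not the ATN-Vis source code) that emits a GraphViz DOT description of a TTG. The edge colors are the table's; the node shapes per target type and the fill colors per node state are this example's own choices, since the slides show a legend but do not name the shapes; the node labels are the targets from the discount example.

```python
EDGE_COLORS = {                      # edge kind -> color, from the table above
    "implication": "purple",
    "linking monitor": "blue",
    "linking solution": "gold",
    "linking implication": "green",
    "control": "sienna",
    "intersection": "orange",
}
NODE_SHAPES = {                      # assumption: shapes chosen for this example
    "standard": "box",
    "intersection": "diamond",
    "linked role": "ellipse",
    "trivial": "plaintext",
}
STATE_FILL = {                       # assumption: fill color per node state
    "unknown": "white",
    "satisfied": "lightgreen",
    "unsatisfied": "lightpink",
}


def quote(s):
    """DOT string literal: '<', '?' and ':' are fine inside double quotes,
    only backslash and the quote character need escaping."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def ttg_to_dot(nodes, edges, rankdir="TB"):
    """nodes: {label: (node_type, state)}; edges: [(parent_label, child_label, kind)].
    Returns DOT text that 'dot' lays out as a layered (hierarchical) drawing."""
    lines = ["digraph TTG {", f"  rankdir={rankdir};", "  node [style=filled];"]
    for label, (ntype, state) in nodes.items():
        if ntype not in NODE_SHAPES or state not in STATE_FILL:
            raise ValueError(f"unknown node type or state for {label}")
        lines.append(f"  {quote(label)} [shape={NODE_SHAPES[ntype]}, "
                     f"fillcolor={STATE_FILL[state]}];")
    for parent, child, kind in edges:
        if kind not in EDGE_COLORS:
            raise ValueError(f"unknown edge kind {kind!r}")
        if parent not in nodes or child not in nodes:
            raise ValueError(f"edge {parent} -> {child} references an undeclared node")
        lines.append(f"  {quote(parent)} -> {quote(child)} "
                     f"[color={EDGE_COLORS[kind]}, label={quote(kind)}];")
    lines.append("}")
    return "\n".join(lines)


def discount_example_dot():
    """The finished TTG of the discount example, every target satisfied."""
    nodes = {
        "<Amazon: Amazon.discount ? Alice>": ("standard", "satisfied"),
        "<Amazon: Univ.Student ? Alice>": ("standard", "satisfied"),
        "<Alice: BBB.member ? Amazon>": ("standard", "satisfied"),
    }
    edges = [
        ("<Amazon: Amazon.discount ? Alice>", "<Amazon: Univ.Student ? Alice>", "implication"),
        ("<Amazon: Univ.Student ? Alice>", "<Alice: BBB.member ? Amazon>", "control"),
    ]
    return ttg_to_dot(nodes, edges)


if __name__ == "__main__":
    print(discount_example_dot())   # pipe into: dot -Tpng -o ttg.png
```

Unknown edge kinds and edges to undeclared nodes are rejected rather than silently drawn, so a log that mentions a target before it was added to the graph surfaces as an error instead of a misleading picture.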
Demo of a visualization session

Requester: Alice
– Works in the purchasing department of Medix Fund (MedixFund.purchasingA)
– She considers this credential sensitive
Resource owner: Medical Supply Company (MedSup)
– A member of ReliefNet (ReliefNet.member)
Requested resource: discount from MedSup
– MedSup.discount
Delegation credentials transfer privileges between roles
– Role provisioner at ReliefNet is delegated to MedixFund.purchasingA
– cPartner at Medix Fund is delegated to ReliefNet.member
– Discount is given to provisioner at ReliefNet
ATN-Vis Demo

Figure: screenshots of the demo session (requester: Alice; provider: Medical Supply (MedSup)) at successive stages of the negotiation: start, then 3%, 16%, 19%, 23%, 29%, 42%, 45%, 52%, 61%, 71%, 77%, 74%, 84%, 97% and 100% progress
Related Work

Graph drawing systems
– Grappa [Barghouti, Mocenigo, Lee. GD ’97]
– GraphViz [Ellson, Gansner, Koutsofios, North, Woodhull et al.]
Visualization of protocols
– [Hall, Moore, Pratt, Leslie. SIGCOMM Workshop ’03]
– [Zhao, Mayo. ICEE ’02]
– [Koch, Parisi-Presicce. FASE ’03]
Trust negotiation
– [Winsborough, Seamons, Jones. DISCEX ’00]
– [Yu, Ma, Winslett. CCS ’00]
– [Winsborough, Li. POLICY ’02]
– [Li, Du, Boneh ’03]
Combination of visualization and automated protocols
– Anomaly detection [Teoh, Zhang, Tseng, Ma, Wu. VizSEC/DMSEC ’04]
– Mining geo-spatial datasets [Keim, Panse, Sips, North. CG ’04]
Conclusions and future work

We have described the architecture and data model of an interactive visualization framework for ATN
We have presented a prototype of our ATN visualization framework
Grappa and GraphViz are suitable tools for drawing trust target graphs in ATN
For future work, we plan to bring more interactive components into the implementation
– Provide more interactive explanations of the texts inside TTG nodes
– Visualization and modification of negotiation strategies