Security and Privacy Day: Program
New Jersey Institute of Technology (NJIT)
Friday, December 2, 2011
Campus Center Atrium
9:00 - 9:50 |
Breakfast/Registration |
9:50 - 10:00 |
Welcome/Opening Remarks |
10:00 - 11:00 |
Software self-healing Using REASSURE
George Portokalidis, Columbia University
TUF: Exploiting Insecurity to Secure Software Update Systems
Justin Cappos, NYU-Poly
|
11:00 - 11:30 |
Coffee Break |
11:30 - 12:30 |
Non-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers
Rosario Gennaro, IBM Research
Efficient signature schemes supporting redaction, pseudonymization, and data deidentification
Stuart Haber, HP Labs, Princeton
|
12:30 - 2:00 |
Lunch |
2:00 - 3:00 |
Skynet: flying botnets and wireless attacks
Sven Dietrich, Stevens Institute of Technology
Automating Security Configuration and Administration: An Access Control Perspective
Jaideep Vaidya, Rutgers University
|
3:00 - 3:30 |
Coffee Break |
3:30 - 5:00 |
Challenges and Opportunities in cloud-scale provenance tracking and policy enforcement
Don Porter, Stony Brook University
SPORC: Group Collaboration using Untrusted Cloud Resources
Ari Feldman, Princeton University
Hypervisor-Free Virtualization with NoHype
Jakub Szefer, Princeton University
|
5:00 - 5:05 |
Closing Remarks |
Abstracts
Software self-healing Using REASSURE
George Portokalidis, Columbia University
Software errors are frequently responsible for the limited availability
of Internet Services, loss of data, and many security com- promises.
Self-healing using rescue points (RPs) is a mechanism that can be used to
recover software from unforeseen errors until a more permanent remedy, like
a patch or update, is available. We present REASSURE, a self-contained
mechanism for recovering from such errors using RPs. Essentially, RPs are
existing code locations that handle certain anticipated errors in the target
application, usually by returning an error code. REASSURE enables the use of
these locations to also handle unexpected faults. This is achieved by
rolling back execution to a RP when a fault occurs, returning a valid error
code, and enabling the application to gracefully handle the unexpected error
itself. REASSURE can be applied on already running applications, while
disabling and removing it is equally facile. We tested REASSURE with various
applications, including the MySQL and Apache servers, and show that it
allows them to successfully recover from errors, while incurring moderate
overhead between 1% and 115%. We also show that even under very adverse
conditions, like their continuous bombardment with errors, REASSURE
protected applications remain operational.
TUF: Exploiting Insecurity to Secure Software Update Systems
Justin Cappos, Poly-NYU
Software has bugs. In order to keep software secure, computers
download software updates to patch vulnerabilities in the running
software. Surprisingly, these software update systems are relatively
unstudied and are also widely insecure. Software update systems
often run with administrator privileges and retrieve code they will
execute or insert into running programs. This makes them a
high-value attack vector that is hard to protect using different
means. To make matters worse, it is challenging to build a secure
software update system. We have studied dozens of widely used
software update systems and discovered serious vulnerabilities and
limitations. Given there are tens of thousands of software update
system implementations by thousands of companies, it seems infeasible
to protect this attack vector. In this talk, we present a system
called TUF that addresses software update security in real world
environments.
Non-Interactive Verifiable Computing: Outsourcing Computation to Untrusted Workers
Rosario Gennaro, IBM Research
In this talk I will present protocols that allow a computationally weak client to securely outsource arbitrary computations to a powerful server. Security in this context means that the client will receive an assurance that the computation performed by the server is correct, with the optional property that the client will be able to hide some of his data from the server. The problem of securely outsourcing computation has received widespread attention due to the rise of cloud computing a paradigm where businesses lease computing resources from a service rather than maintain their own infrastructure. A crucial component of secure cloud computing is a mechanism that enforces the integrity and correctness of the computations done by the provider. Of course, the computation invested by the (weak) client in order to verify the result of the server's computation must be substantially smaller than the amount of computation required to perform the work to begin with.
In the first part of the talk I will present a protocol that allows the worker to return a computationally-sound, non-interactive proof for any computation that can be verified in linear time. The protocol requires a one-time expensive pre-processing stage by the client which can be amortized over several invocations of the protocol. Our scheme also provides privacy for the client, meaning that the server does not learn any information about the input to the computation.
In the second part of the talk I will discuss a specific instance of this paradigm to the case of computations over large datasets. I will present the first practical verifiable computation scheme for high degree polynomial functions. In addition to the many non-cryptographic applications of delegating high degree polynomials, we use our verifiable computation scheme to obtain new solutions for verifiable keyword search, proofs of retrievability and verifiable databases.
First result is joint work with Craig Gentry and Bryan Parno. The second result is joint work with Yevgeniy Vahlis and Siavosh Benabbas
Efficient signature schemes supporting redaction, pseudonymization, and data deidentification
Stuart Haber, HP Labs, Princeton
We present a new signature algorithm that allows for controlled
changes to the signed data. The change operations we study are
removal of subdocuments (redaction), pseudonymization, and gradual
deidentification of hierarchically structured data. These operations
are applicable in a number of practically relevant application
scenarios, including the release of previously classified government
documents, privacy-aware management of audit-log data, and the
release of tables of health records. When applied directly to
redaction, our algorithm improves on previous work by reducing
significantly the overhead of cryptographic information that has to
be stored with the original data. (This is joint work with Yasuo
Hatano, Yoshinori Honda, Bill Horne, Kunihiko Miyazaki, Tomas
Sander, Satoru Tezuka and Danfeng Yao.)
Skynet: flying botnets and wireless attacks
Sven Dietrich, Stevens Institute of Technology
We present some experiments with a commercial toy drone to perform attacks
to penetrate wireless networks. SkyNET is a stealth network that connects
hosts to a botmaster through a mobile drone. The network is comprised of
machines on home Wi-Fi networks in a proximal urban area, and one or more
autonomous attack drones. The SkyNET is used by a botmaster to command
their botnet(s) without using the Internet, and creates a gap between the
botmaster and its bots. Reverse engineering the botnet, or enumerating the
bots, does not reveal the identity of the botmaster. In this talk we
present a working example, SkyNET complete with a prototype attack drone,
discuss the impact of using such a command and control method, and provide
insight on how to protect against such attacks.
Automating Security Configuration and Administration: An Access
Control Perspective
Jaideep Vaidya, Rutgers University
Access control facilitates controlled sharing and protection
of resources in an enterprise. When correctly implemented and
administered, it is effective in providing security. However, in many
cases, there is a belief on the part of the consumers that security
requirements can be met by simply acquiring and installing a product.
Unfortunately, since the security requirements of each organization are
different, there is no single tool (or even any meaningful set of tools)
that can be readily employed. Most organizations today perform
permission assignment to its entities on a more or less ad-hoc basis,
with poor documentation. Such lack of system administrators' awareness
of comprehensive view of total permissions of an entity on all systems
results in an ever growing set of permissions leading to
misconfigurations such as under privileges, violation of the least
privilege requirement (i.e., over authorization), and expensive security
administration. In this talk, we examine the problem of automated
security configuration and administration, especially from the access
control perspective. This is a challenging area of research where many
of the underlying problems are NP-hard and it is necessary to find
solutions that work with reasonable performance without trading-off
accuracy. We discuss some of the existing work that addresses this and
lay out future problems and challenges.
Challenges and Opportunities in cloud-scale provenance tracking
and policy enforcement
Don Porter, Stony Brook University
This will introduce the new CloudTracker project at Stony Brook.
The talk will survey background material in the domains of provenance
tracking and policy enforcement,
and then discuss ongoing research efforts to build cloud-scale versions
of these primitives.
SPORC: Group Collaboration using Untrusted Cloud Resources
Ari Feldman, Princeton University
Cloud-based services are an attractive deployment model for user-facing
applications like word processing and calendaring. Unlike desktop
applications, cloud services allow multiple users to edit shared state
concurrently and in real-time, while being scalable, highly available,
and globally accessible. Unfortunately, these benefits come at the cost
of fully trusting cloud providers with potentially sensitive and
important data.
To overcome this strict tradeoff, we present SPORC, a generic framework
for building a wide variety of collaborative applications with untrusted
servers. In SPORC, a server observes only encrypted data and cannot
deviate from correct execution without being detected. SPORC allows
concurrent, low-latency editing of shared state, permits disconnected
operation, and supports dynamic access control even in the presence of
concurrency. We demonstrate SPORC's flexibility through two prototype
applications: a causally-consistent key-value store and a browser-based
collaborative text editor.
Conceptually, SPORC illustrates the complementary benefits of
operational transformation (OT) and fork* consistency. The former allows
SPORC clients to execute concurrent operations without locking and to
resolve any resulting conflicts automatically. The latter prevents a
misbehaving server from equivocating about the order of operations
unless it is willing to fork clients into disjoint sets. Notably, unlike
previous systems, SPORC can automatically recover from such malicious
forks by leveraging OT's conflict resolution mechanism.
Hypervisor-Free Virtualization with NoHype
Jakub Szefer, Princeton University
Hypervisor-Free Virtualization with NoHype
Abstract:
Cloud computing is a disruptive trend that is changing the way we use
computers and virtualization software, namely hypervisor, is its key
component. Unfortunately, hypervisors are large, complex, and have a
considerable attack surface. Moreover, because multiple virtual
machines run on the same server and since the hypervisor plays a
considerable role in the operation of a virtual machine, a malicious
party has the incentive to attack the hypervisor. A successful attack
would give the malicious party control over the all-powerful
virtualization software, potentially compromising the confidentiality
and integrity of the software and data of any virtual machine on that
system.
To secure cloud computing, we propose hypervisor-free virtualization
which eliminates the hypervisor attack surface. It enables the guest
VMs to run natively on the underlying hardware while maintaining the
ability to run multiple VMs concurrently, start and stop VMs, etc.
Because there VMs run natively on the hardware, not only is the
hypervisor attack surface removed but now the hypervisor can be removed
altogether. This is realized in our NoHype architecture which embodies
four key ideas: (i) pre-allocation of processor cores and memory
resources, (ii) use of virtualized I/O devices, (iii) minor
modifications to the guest OS to perform all system discovery during
bootup, and (iv) avoiding indirection by bringing the guest virtual
machine in more direct contact with the underlying hardware.
NoHype capitalizes on the unique use model in cloud computing, where
customers specify resource requirements ahead of time and providers
offer a suite of guest OS kernels. Additionally, our prototype shows
that NoHype architecture is indeed "no hype" since nearly all of the
needed features to realize the NoHype architecture are currently
available as hardware extensions to processors and I/O devices.
Our prototype utilizes Xen 4.0 to prepare the environment for guest VMs,
and a slightly modified version of Linux 2.6 for the guest OS. Our
evaluation with both SPEC and Apache benchmarks shows a roughly 1%
performance gain when running applications on NoHype compared to running
them on top of Xen 4.0.