End System Security

This area includes tools and methods for building software artifacts, servers, and networks that are resistant to attacks and failures. This includes research into vulnerability assessment and identification, programming languages and tools for secure programming, mobile code and "sandboxes," proof-carrying systems, trusted embedded systems, resilient server architectures, protection against malicious software, dynamic reconfiguration of systems, hardware architecture design, fault-tolerance, code tamperproofing, and penetration testing. Research into more secure operating systems and database systems falls in this area, as does research into better human-computer interfaces for security (HCI).

Biometric Information Lifecycle Framework

The deployment and usage of biometric systems is increasing at a rapid rate as the technology becomes more mature and gains user acceptance. Large-scale civilian applications like Registered Traveler program and US-VISIT program rely heavily on biometric systems as part of its authentication process. Biometric systems are also deployed in commercial applications like Automated Teller Machines (ATM) to replace or complement ATM cards. Securing the user’s biometric information is just as important as securing the biometric system. Improving security of biometric systems does have a positive impact on securing biometric information, but securing the system does not imply that the information is also secure. The technology ecosystem needs to be analyzed taking into account its principle constituents: the biometric system, the biometric process and the biometric information lifecycle. The concept of information lifecycle management has been under development for some time now, but it has not been applied to biometric information. Biometric Information Lifecycle Management refers to a sustainable strategy of maintaining confidentiality, integrity and availability of biometric information and developing policies or its use. The Biometric Information Lifecycle comprises of the following phases: creation, transformation, storage, usage, and disposition. This research is a work in progress which will define the biometric information lifecycle phases, create a taxonomy of attacks on biometric information lifecycle phases, and improve the security and management of biometric information.

Secure Group Communication Over wired/wireless networks

Secure group communications (SGC) refers to a setting in which a group of participants can send and receive messages (sent to the group members), in a way that outsiders are unable to glean information even if they are able to intercept the messages. SGC is important because several prevalent applications require it. These applications include teleconferencing, tele-medicine, real-time information services, distributed interactive simulations, collaborative work, interactive games and the deployment of VPN (Virtual Private Networks). The goals for this project are four-fold: 1. study various issues enabling SGC which include, but are not limited to, group key management, burst behavior and efficient burst operations, membership management, group member admission control, authentication and non-repudiation; 2. study and provide solutions for specific SGC scenarios such as dynamic conferencing and SGC with hierarchical access control; 3. investigate research challenges for SGC over wireless/mobile environments; 4. integrate research results into the curriculum and perform public dissemination of findings and software.

Precise Calling Context Encoding

Calling contexts are very important for a wide range of applications such as intrusion detection, event logging, profiling, and debugging. Most applications perform expensive stack walking to recover contexts. The resulting contexts are often explicitly represented as a sequence of call sites and hence bulky. We propose a technique to encode the current calling context of any point during an execution. In particular, an acyclic call path is encoded into one number through only integer additions. Recursive call paths are divided into acyclic subsequences and encoded independently. We leverage stack depth in a safe way to optimize encoding: if a calling context can be safely and uniquely identified by its stack depth, we do not perform encoding. We propose an algorithm to seamlessly fuse encoding and stack depth based identification. The algorithm is safe because different contexts are guaranteed to have different IDs. It also ensures contexts can be faithfully decoded. Our experiments show that our technique incurs negligible overhead (1.89% on average). For most medium-sized programs (<100k LOC), it can encode all contexts with just one number. For large programs, we are able to encode most calling contexts to a few numbers.

Convicting Exploitable Software Vulnerabilities: Practical Input Provenance Based Approach

Vulnerabilities in software, especially those that are remote exploitable, are the root cause of wave after wave of security attacks, such as botnet, zero-day worms, non-control data corruptions, and even server-break-ins. Thus, analyzing and exposing software vulnerabilities has become one of the most active research areas today. In the past, software vulnerability detection/exposing approaches could be divided into two categories: dynamic and static. Static analysis creates a lot of false positives. Dynamic approaches monitor program execution and detect attempts of attacking a software system. These technique incur non-trivial runtime overhead and cannot detect vulnerabilities that not under attack. Dynamic test generation has the potential of generating exploit inputs to confirm vulnerabilities. However, most existing dynamic test generation techniques suffer from the scalability problem. In this project, we develop a practical dynamic approach that is intended to use in combination with other static tools. We observe that although the suspect pool produced by existing static tools has a high false positive rate, it is nonetheless much smaller than the whole population. Therefore, we use existing static tools as the frontend to generate a set of suspects. Our technique then tries to generate exploits for these suspects. A suspect is convicted only when an exploit can be acquired as the evidence. Such exploits significantly assist regular users and administrators to evaluate the robustness of their software and convince vendors to debug and patch. The key idea is to use data lineage tracing to identify a set of input values relevant to the execution of a vulnerable code location. Exploit specific mutations are applied to the relevant input values in order to trigger an attack, e.g., for example, changing an integer value to MAXUINT to induce an integer overflow. Since these inputs are usually a very small subset of the whole input sequence, mutating the whole input, like in random test generation, is avoided. Our technique does not rely on symbolic execution and constraint solving and thus can easily handle long execution. In case an execution that covers a vulnerable code location cannot be found, our technique also allows user interactions to mutate an input so that the execution driven by the mutated input covers the vulnerable code location. Our technique addresses a wide range of vulnerabilities including buffer overflow, integer overflow, format string, etc. Our dynamic analysis works at binary level, which greatly facilitates users that do not have the source code access but are concerned about software vulnerabilities. We have developed a data lineage tracing prototype. It traces the set of input that is relevant to a particular execution point. The lineage information is used to guide our evidence generation procedure. The challenge of efficiency is overcome by using Reduced Ordered Binary Decision Diagrams (RoBDDs). Our initial experience with a set of known and unknown real vulnerabilities showed that our technique can very quickly generate exploit inputs.

Virtualization-Enabled Malware Research

In the battle against Internet malware, we have witnessed increasingly novel features of emerging malware in their infection, propagation, and contamination strategies – examples include polymorphic appearance, multi-vector infection, self-destruction, and intelligent payloads such as self-organized attack networks or mass-mailing. Furthermore, the damages caused by a malware incident can be detrimental and hard to recover (e.g., the installation of kernel-level rootkits). Our research goal is to thoroughly understand key malware behavior such as probing, propagation, exploitation, contamination, and “value-added” payloads. These results will be used to design effective malware detection and defense solutions. To reach this goal, we realize that effective malware experimentation tools and environments are lacking in current malware research. By leveraging and extending virtualization technology, we propose to develop a virtualization-based integrated platform for the capture, observation, and analysis of malware. The platform consists of two parts: The front-end of the platform is a virtual honey farm system called Collapsar, which captures and contains malware instances from the real Internet. The back-end of the platform is a virtual playground environment called vGround, where the captured malware instances are unleashed to run while remaining completely isolated from the real Internet. Using this integrated platform, security researchers will be able to observe and analyze various aspects of malware behavior as well as to evaluate corresponding malware defense solutions, with high fidelity and efficiency.

Cryptanalysis of RSA

We study the minimum period of the Bell numbers, which arise in combinatorics, modulo a prime. It is shown that this period is probably always equal to its maximum possible value. Interesting new divisibility theorems are proved for possible prime divisors of the maximum possible period. The conclusion is that these numbers are not suitable for use as RSA public keys.

The Poly^2 Project

As modern computer technology advances, manufacturers are able to integrate a large number of processors and processor components into smaller and more unified packages. The results are low cost computer systems with significant multiprocessing capabilities. Can these computing resources be organized to perform dedicated services in a reliable and secure manner? Poly^2 (short for poly-computer, poly-network) is a hardened framework in which critical services can operate. This framework is intended to provide robust protection against attacks to the services running within its domain. The design and implementation is based on sound, widely acknowledged security design principles. It will form the basis for providing present and future services while, at the same time, being highly robust and resistant to attack. A prototype of the new architecture has been developed that provides traditional network services (e.g. web, FTP, email, DNS, etc.) using commodity hardware and an open source operating system. Our efforts include developing and exploring security metrics that we hope will define the level of security provided by this approach.

Transparency & Legal Compliance in Information Systems

Analysts need mechanisms to disambiguate regulations so they may be clearly specified as software requirements. Additionally, those responsible for certifying compliance within relevant systems need controls and assurances that measure conformance with policies and regulations. Our goal is to develop methods, tools, and procedures to help software designers and policy makers achieve transparency and consistency by bringing regulations, policies and system requirements into better alignment.

Results: There are three main expected results of this work. First, we will produce tools to assist software designers in determining a clear set of actionable requirements for system design and access control from regulations and legislation. Second, we will produce methods to develop audit mechanisms and procedures that may be used to verify that a functioning system meets its requirements. This will aid organizations as they conduct policy and legal compliance. Third, we will develop a realistic corpus of synthetic electronic patient record data that can be used to test any such experimental system. We will make this available so that other researchers can use it.

Assurable Configuration of Security Policies in Enterprise Networks

The design and configuration of enterprise networks is one of the hardest challenges that operators face today. A key challenge in doing so is the need to reconfigure network devices to ensure high-level operator goals are correctly realized. The high-level objectives (such as performance and security goals) that operators have for their networks are embedded in hundreds of low-level device configurations. Reconfiguring network devices is challenging given the huge semantic gap between these high-levelobjectives, and low-level configurations. Errors in changing configurations have been known to result in outages, business service disruptions, violations of Service Level Agreements~(SLA) and cyber-attacks~\cite{mahajan:02,kerravala02,Alloy}. In our research, we are looking at principled approaches for the systematic design and configuration of enterprise networks. We believe our research will minimize errors, and enable operators to ensure their networks continue to meet desired high-level security objectives. An important problem that we are currently tackling is that of ensuring correctness of security policies when migrating enterprise data centers to cloud computing models.

Access Control Policy Specification and Verification

This research program is motivated by the observation that today’s security problems are often caused by errors in policy specification and management, rather than failure in, for example, cryptographic primitives. Formal verification techniques have been successfully applied to the design and analysis of hardware, software, distributed algorithms, and cryptographic protocols. This project aims at achieving similar success in access control.

This project studies novel approaches to specifying properties about access control policies and the verification of them. Recent results include security analysis in trust management and role based access control, analyzing the relationship between separation of duty policies and role mutual exclusion constraints, the development of a novel algebra for specifying multi-user policies, the introduction of resiliency policies, and so on.

Footer

Intranet Site