SIIS Laboratory Overview

Patrick McDaniel

October 4, 2004

Computer Science and Engineering

Pennsylvania State University


“The SIIS Laboratory promotes student and scientific advancement through the investigation of emerging technologies upon which computer, network, and information security is based.”

Current Focus Areas
  • Current projects span broad topic areas in general systems security.
  • Actively expanding interests to other fields and applications

Network Security

OS Security

Security Policy

Applied Cryptography


Interdomain Routing Security
  • Organizations exchange prefixes and path vectors to converge on global routing tables (BGP)
    • Associates address ranges (prefixes) with parent organizations (autonomous systems)
    • Builds global forwarding tables for IP traffic
  • Highly vulnerable: low-and-slow attacks or misconfiguration can remove whole continents from the routing table
  • Ongoing work
    • Security/threat models for IDR
    • Efficient cryptographic constructions
      • Origin authentication
      • Path authentication
      • Control-plane security

Network Security

Origin Data Mining and Analysis

Origin (prefix ownership)

  • Data (August 2002 - July 2003): 6,898,383 origin transitions, 16,474 prefixes
  • Generally stable for most prefixes: constant origin AS
  • Most origin-AS holding times are exponentially distributed; some are Pareto (caused by edge effects)

Path (routing stability)

  • Data (January 2003 - April 2004): 2.55 billion route updates worldwide, 150 prefixes, thousands of routers
  • Most prefixes are very stable and reachable by a few paths
  • AS topology is relatively stable; most ASes are reachable by a few paths
  • Paths are restricted to simple "path sets"

Network Security

Artifact Authentication in IR

Origin Authentication

  • Validating the authenticity of claims of address ownership and use
  • Semantic definition of address use
  • Approximated the delegation hierarchy from route advertisements
    • 16 organizations delegate 80% of the address space; 3-10% movement per month
  • Proposed and simulated vastly improved cryptographic proof systems (shown to be feasible)

Path Authentication

  • Validating the authenticity of transient routes in Internet paths
  • Semantics of path advertisement
  • Stability study shows that the set of paths an AS advertises is relatively small
    • Exploiting this in cryptographic proof systems led to efficient structures
  • Simulations show a 96.5% reduction in cost relative to S-BGP
  • First feasible system demonstration

Network Security
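The two slides above (origin data mining, and the path-stability argument behind path authentication) rest on the same kind of analysis of a BGP update stream: find origin transitions and holding times per prefix, and observe that each prefix is advertised over a small, stable path set, so a proof over a path can be signed once and reused instead of re-signing every update. The following is an added, self-contained illustration in Python; it is not the lab's code, the update records are constructed for the example (not the RouteViews-derived data set on the slides), and the cost model (one signature per AS hop per update for S-BGP-style route attestations, versus one per distinct (prefix, path)) is a simplification chosen for the example, which is why it shows a 50% saving rather than the 96.5% reported on real data.

```python
from collections import defaultdict

# Constructed sample of BGP UPDATE records as (seconds, prefix, AS path);
# the origin AS is the last element of the path.  These records are made up
# for this example and are not taken from the lab's measurement data.
UPDATES = [
    (0,    "192.0.2.0/24",    (7018, 3356, 64500)),
    (600,  "192.0.2.0/24",    (7018, 1299, 64500)),
    (1200, "192.0.2.0/24",    (7018, 3356, 64500)),
    (1800, "192.0.2.0/24",    (7018, 3356, 64500)),
    (2400, "192.0.2.0/24",    (7018, 1299, 64500)),
    (3000, "192.0.2.0/24",    (7018, 3356, 64501)),  # origin changes: hijack or re-homing
    (3600, "192.0.2.0/24",    (7018, 3356, 64500)),
    (0,    "198.51.100.0/24", (7018, 2914, 64502)),
    (900,  "198.51.100.0/24", (7018, 2914, 64502)),
    (1800, "198.51.100.0/24", (7018, 6453, 64502)),
]


def origin_runs(updates):
    """Per prefix, the sequence of origin-AS 'runs' as (origin_as, start_time).
    Every element after the first marks one origin transition."""
    runs = defaultdict(list)
    for t, prefix, path in sorted(updates, key=lambda u: (u[1], u[0])):
        origin = path[-1]
        if not runs[prefix] or runs[prefix][-1][0] != origin:
            runs[prefix].append((origin, t))
    return dict(runs)


def holding_times(updates, end_time):
    """How long each origin AS held a prefix before being replaced.  The last
    run is censored at end_time: the 'edge effect' the slide attributes the
    Pareto-looking tail to."""
    result = {}
    for prefix, runs in origin_runs(updates).items():
        times = []
        for i, (origin, start) in enumerate(runs):
            stop = runs[i + 1][1] if i + 1 < len(runs) else end_time
            times.append((origin, stop - start))
        result[prefix] = times
    return result


def path_sets(updates):
    """The set of distinct AS paths advertised for each prefix."""
    sets = defaultdict(set)
    for _, prefix, path in updates:
        sets[prefix].add(path)
    return dict(sets)


def attestation_cost(updates):
    """Signatures needed if every AS on the path signs every UPDATE (S-BGP
    style route attestations) versus signing each distinct (prefix, path) once
    and reusing that proof while the path stays in the prefix's path set.
    Returns (per_update, per_path_set, fraction_saved)."""
    per_update = sum(len(path) for _, _, path in updates)
    per_path_set = sum(len(path) for paths in path_sets(updates).values() for path in paths)
    return per_update, per_path_set, 1 - per_path_set / per_update


if __name__ == "__main__":
    for prefix, runs in origin_runs(UPDATES).items():
        print(prefix, "origin transitions:", len(runs) - 1, "runs:", runs)
    print("holding times:", holding_times(UPDATES, end_time=4200))
    print("path set sizes:", {p: len(s) for p, s in path_sets(UPDATES).items()})
    print("attestation cost (per-update, per-path-set, saved):", attestation_cost(UPDATES))
```

On a real feed the interesting output is the distribution of holding times and the size of each prefix's path set; the cost comparison is what makes the slide's "efficient structures" claim concrete, since every update whose path is already in the set needs no new signatures.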

Detecting Spy-ware
  • Spy-ware implements some valuable function and, at the same time, exposes sensitive data or resources (e.g., KaZaa)
  • Problem: how do we detect the execution of spy-ware code in a running program?
  • Solution: use dynamic slicing to reconstruct dependencies from event traces (system calls, Win API) and find privacy violations
    • A policy language describes the violations and the relevant state
    • Implemented and benchmarked
    • Caught leakage in KaZaa
    • 0.05% additional system-call cost for an interactive program

Operating Systems Security
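The slide describes the technique at a high level: record an event trace, rebuild the use-def dependencies between calls, slice backwards from each network send, and check the slice against a privacy policy. The following is an added Python illustration of that pipeline on a small trace; it is not the lab's implementation, the trace and the policy syntax are constructed for the example, and a real tracer would have to version handles and buffers that are reused (this example assumes each identifier is defined once).

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    """One traced call.  'uses' are the handles/buffers the call consumed,
    'defs' the handle/buffer it produced; a tracer hooked on system calls or
    the Win32 API would record these."""
    seq: int
    op: str
    uses: Tuple[str, ...]
    defs: Optional[str]
    attrs: Dict[str, str] = field(default_factory=dict)


# Constructed event trace of a file-sharing client (not a real KaZaa trace).
TRACE = [
    Event(1, "open",    (),                "fd3",   {"path": "C:\\Users\\alice\\contacts.db"}),
    Event(2, "read",    ("fd3",),          "buf1"),
    Event(3, "open",    (),                "fd4",   {"path": "C:\\Users\\alice\\Shared\\song.mp3"}),
    Event(4, "read",    ("fd4",),          "buf2"),
    Event(5, "strcat",  ("buf1", "hdr"),   "buf3"),   # contact data copied into a request body
    Event(6, "connect", (),                "sock1",  {"host": "ads.example.net"}),
    Event(7, "send",    ("sock1", "buf3"), None),     # leaks contacts to the ad server
    Event(8, "send",    ("sock1", "buf2"), None),     # upload of a shared file: legitimate
]

# Privacy policy in this example's own (assumed) form: which files are
# sensitive, and which destinations may receive data derived from them.
POLICY = {
    "sensitive": ["*\\contacts.db", "*\\Documents\\*", "*\\Cookies\\*"],
    "allowed_destinations": {"updates.example.org"},
}


def backward_slice(trace: List[Event], sink: Event) -> List[Event]:
    """Dynamic backward slice: every event whose output the sink transitively
    depends on, following the use-def chain recorded in the trace."""
    producers = {e.defs: e for e in trace if e.defs is not None}  # assumes single definition per id
    in_slice, work = {}, list(sink.uses)
    while work:
        h = work.pop()
        if h in in_slice or h not in producers:   # 'hdr' has no producer in the trace
            continue
        in_slice[h] = producers[h]
        work.extend(producers[h].uses)
    return sorted(in_slice.values(), key=lambda e: e.seq)


def find_violations(trace: List[Event], policy) -> List[Tuple[int, str, str]]:
    """For each network send, slice backwards and report (send seq, file, host)
    when a sensitive file feeds a send to a destination the policy does not allow."""
    violations = []
    for sink in trace:
        if sink.op != "send":
            continue
        sl = backward_slice(trace, sink)
        sources = [e.attrs["path"] for e in sl
                   if e.op == "open" and any(fnmatchcase(e.attrs["path"], pat) for pat in policy["sensitive"])]
        hosts = [e.attrs["host"] for e in sl if e.op == "connect"]
        for host in hosts:
            if host in policy["allowed_destinations"]:
                continue
            violations.extend((sink.seq, src, host) for src in sources)
    return violations


if __name__ == "__main__":
    for v in find_violations(TRACE, POLICY):
        print("privacy violation: send #%d carries %s to %s" % v)
```

The send of the shared file (event 8) produces no finding because its slice reaches only song.mp3, while event 7's slice runs back through the strcat to the contacts file; this is the distinction that lets the approach keep the "valuable function" of the program while flagging the leak.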

  • Policy languages
    • Provisioning policy vs. authorization policy
    • Composition is fundamentally intractable
    • General-purpose policy language: Ismene
    • Enforcement separation (policy decoupled from the mechanisms that enforce it)
  • Antigone: a system built to compose large collections of diverse policies in a single infrastructure
    • Policy compiler
    • Enforcement infrastructure
    • Dozens of security mechanisms
    • 75,000+ lines of code
  • Applications
    • AMirD - general-purpose replication platform
    • Highly flexible transport-layer security
    • Security for squad-level hand-held communications
  • In permanent demonstration exhibit at Fort Monmouth, NJ (Army)
  • Winner of DARPA's "Bang for the Buck" award in the Dynamic Coalition program

Security Policy

Forward Secure Signatures
  • Advanced cryptographic construction used to mitigate future key compromise
    • The signing key for a period is "lost" (erased) once the signature is made
    • Intractable to recover a past signing key from a later (future) private key
  • Implementation of FSS
    • Searched the parameter space
    • Evaluated key size / memory trade-offs
    • Community service
  • Constructed a calculus for determining the optimality of FSS solutions
    • RSA is not necessarily better
  • Bottom line: like many constructions
    • Good or bad; be careful
    • Roughly 1x to 4x the cost of ordinary signatures if properly used
    • 3+ orders of magnitude worse if not
    • RSA/DSA/ECC are each appropriate for different environments (trade-offs)

Applied Cryptography
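The first two bullets state the forward-security property: a signing key is consumed when it is used, and a later key reveals nothing about earlier ones. The following is an added Python example of the simplest scheme with that property, a Merkle tree over Lamport one-time keys with erasure of each key after use; it is not the lab's implementation or the RSA/DSA/ECC-based constructions the slide compares, and the period count, message bytes and helper names are this example's own. A practitioner can run it to see why a key stolen after period j cannot backdate a signature to a period before j.

```python
import hashlib
import secrets
from typing import List, Optional


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


BITS = 256  # one Lamport secret pair per bit of the SHA-256 message digest


def lamport_keygen():
    """One-time signing key: 256 pairs of random secrets; public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _digest_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]


def lamport_sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_digest_bits(msg))]


def lamport_verify(pk, msg, sig):
    return len(sig) == BITS and all(H(sig[i]) == pk[i][b] for i, b in enumerate(_digest_bits(msg)))


def leaf_hash(pk):
    return H(b"".join(a + b for a, b in pk))


def merkle_tree(leaves):
    """Root plus, for every leaf, its authentication path (sibling hashes, leaf to root)."""
    paths = [[] for _ in leaves]
    pos = list(range(len(leaves)))
    level = list(leaves)
    while len(level) > 1:
        for i in range(len(leaves)):
            paths[i].append(level[pos[i] ^ 1])
            pos[i] //= 2
        level = [H(level[j] + level[j + 1]) for j in range(0, len(level), 2)]
    return level[0], paths


def merkle_verify(root, leaf, index, path):
    h = leaf
    for sibling in path:
        h = H(sibling + h) if index & 1 else H(h + sibling)
        index >>= 1
    return h == root


class ForwardSecureSigner:
    """T periods with one one-time key each; the public key is the Merkle root
    over the T one-time public keys.  Signing consumes the current period's key,
    so state captured afterwards contains nothing that signs for earlier periods."""

    def __init__(self, periods: int = 8):
        assert periods > 1 and periods & (periods - 1) == 0, "periods must be a power of two"
        keys = [lamport_keygen() for _ in range(periods)]
        self.sks: List[Optional[list]] = [sk for sk, _ in keys]
        self.pks = [pk for _, pk in keys]
        self.root, self.paths = merkle_tree([leaf_hash(pk) for pk in self.pks])
        self.periods, self.period = periods, 0

    def sign(self, msg: bytes):
        if self.period >= self.periods:
            raise RuntimeError("all signing periods used")
        sk = self.sks[self.period]
        sig = (self.period, lamport_sign(sk, msg), self.pks[self.period], self.paths[self.period])
        # Key update: drop the one-time secret.  Python cannot guarantee the bytes
        # are overwritten; a real implementation must zeroise the key memory.
        self.sks[self.period] = None
        self.period += 1
        return sig


def fss_verify(root, periods, msg, signature):
    period, sig, pk, path = signature
    if not 0 <= period < periods or len(path) != periods.bit_length() - 1:
        return False
    return lamport_verify(pk, msg, sig) and merkle_verify(root, leaf_hash(pk), period, path)


def forge_for_past_period(signer, msg):
    """An attacker holding the signer's current state tries to backdate a signature
    to period 0 with a fresh one-time key; that key is not a leaf of the tree."""
    fsk, fpk = lamport_keygen()
    return (0, lamport_sign(fsk, msg), fpk, signer.paths[0])
```

The scheme is deliberately the textbook one: its signatures are large (256 secrets plus the tree path), which is exactly the kind of size/time trade-off the slide's calculus is about; the point of the example is the property, not the efficiency.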

Searching for privacy …
  • Recently, the Internet community has demanded more information about how websites deal with privacy
  • P3P is an automated system for specifying machine-readable site privacy policies
  • P3Poogle
    • Caches and evaluates P3P policies with respect to a user's privacy policy
    • Privacy violations are visually indicated next to each site in the results
    • Integrates the Google API with caching of P3P policies
  • Implementation complete
    • HCI study under way at CMU
    • Reasonable performance
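The core of the P3Poogle slide is the evaluation step: a site's P3P policy is compared against what the user will accept and the result is shown beside the search hit. The following is an added Python illustration of that comparison; it is not P3Poogle's code, the site policy is constructed (element and token names follow the P3P 1.0 vocabulary, with the P3P XML namespace omitted for brevity), and the user-preference format is this example's own rather than an APPEL or other real preference language.

```python
import xml.etree.ElementTree as ET

# Constructed P3P 1.0 policy for a hypothetical site (namespace omitted).
SITE_POLICY = """
<POLICY name="shop">
  <STATEMENT>
    <PURPOSE><current/><admin/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
    <RETENTION><stated-purpose/></RETENTION>
    <DATA-GROUP><DATA ref="#dynamic.clickstream"/></DATA-GROUP>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><contact/><telemarketing/></PURPOSE>
    <RECIPIENT><ours/><other-recipient/></RECIPIENT>
    <RETENTION><indefinitely/></RETENTION>
    <DATA-GROUP>
      <DATA ref="#user.home-info.online.email"/>
      <DATA ref="#user.name"/>
    </DATA-GROUP>
  </STATEMENT>
</POLICY>
"""

# The user's privacy policy in this example's own (assumed) form: P3P tokens
# that are never acceptable to this user.
USER_PREFS = {
    "forbidden_purposes": {"telemarketing"},
    "forbidden_recipients": {"other-recipient", "public", "unrelated"},
    "forbidden_retention": {"indefinitely"},
}


def _tokens(statement, element):
    node = statement.find(element)
    return {child.tag for child in node} if node is not None else set()


def parse_statements(xml_text):
    """Each STATEMENT as a dict of purpose/recipient/retention tokens and data refs."""
    root = ET.fromstring(xml_text)
    return [{
        "purposes": _tokens(st, "PURPOSE"),
        "recipients": _tokens(st, "RECIPIENT"),
        "retention": _tokens(st, "RETENTION"),
        "data": {d.get("ref") for d in st.iter("DATA")},
    } for st in root.iter("STATEMENT")]


def evaluate(xml_text, prefs):
    """One entry per violating STATEMENT: (index, data refs, [(field, token), ...]),
    so the user can see which data the site handles in a way they rejected."""
    violations = []
    for i, st in enumerate(parse_statements(xml_text)):
        bad = ([("purpose", t) for t in sorted(st["purposes"] & prefs["forbidden_purposes"])]
               + [("recipient", t) for t in sorted(st["recipients"] & prefs["forbidden_recipients"])]
               + [("retention", t) for t in sorted(st["retention"] & prefs["forbidden_retention"])])
        if bad:
            violations.append((i, sorted(st["data"]), bad))
    return violations


def verdict(xml_text, prefs):
    """What an indicator next to a search result would show for this site."""
    return "violates user policy" if evaluate(xml_text, prefs) else "conforms"


if __name__ == "__main__":
    print(verdict(SITE_POLICY, USER_PREFS))
    for index, data, bad in evaluate(SITE_POLICY, USER_PREFS):
        print("statement", index, "on", data, "->", bad)
```

Only the second statement is flagged, and the report names the data elements it covers (email address and name), which is the information a user needs to decide whether the hit is worth clicking.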


The future?
  • Security is too often about applications

… it should be about environments.

  • The ad hoc nature in which security is defined and achieved across and between systems is a central source of vulnerability.
Environmental Security

  • Articulating Intent
  • Enforcing across platforms and services
  • Understanding evolving compliance

… must start with some trustable core

(e.g., network)

The SIIS Laboratory …
  • Systems and Internet Infrastructure Security Laboratory
    • Launched 9/04 at CSE/PSU
  • Committed to the investigation and development of environment-oriented security solutions, e.g.,
    • Infrastructure security (routing, OS, DRM, etc.)
    • Policy (authorization, provisioning)
    • Security service analysis
  • Current support: ARPA, Symantec, and NSF
  • View papers and documentation of activities at: