SIIS Laboratory Overview - PowerPoint Presentation
Presentation Transcript

SIIS Laboratory Overview

Patrick McDaniel

October 4, 2004

Computer Science and Engineering

Pennsylvania State University


Mission

“The SIIS Laboratory promotes student and scientific advancement through the investigation of emerging technologies upon which computer, network, and information security is based.”


Current Focus Areas

  • Current projects span broad topic areas in general systems security.

  • Actively expanding interests to other fields and applications

Network Security

OS Security

Security Policy

Applied Cryptography

Privacy


Interdomain Routing Security

  • Organizational exchange of prefixes and path vectors to converge on global routing tables (BGP)

    • Associates address ranges (prefixes) with parent organizations (autonomous systems)

    • Builds global forwarding tables for IP traffic

  • Highly vulnerable -- low-and-slow attacks or misconfiguration can remove continents

  • Ongoing work

    • Security/Threat models for IDR

    • Efficient cryptographic constructions

      • Origin authentication

      • Path Authentication

      • Control-plane security

Network Security


Origin Data Mining and Analysis

Origin (prefix ownership)

  • Data (August 2002-July 2003) - 6,898,383 origin transitions, 16,474 prefixes

  • Generally stable for most prefixes, constant AS

  • Most origin AS holding times are exponential, some Pareto (caused by edge effects)

Path (routing stability)

  • Data (January 2003 - April 2004) - 2.55 billion route updates worldwide, 150 prefixes, thousands of routers

  • Most prefixes are very stable, reachable by a few paths

  • AS topology is relatively stable, most ASes reachable by a few paths

  • Paths restricted to simple “path sets”

Network Security


Artifact Authentication in IR

Origin Authentication

  • Validating the authenticity of ownership claims of address usage

  • Semantic definition for address use

  • Approximated delegation hierarchy from route advertisements

    • 16 organizations delegate 80% of address space; 3-10% movement/month

  • Proposed and simulated vastly improved cryptographic proof systems (feasible)

Path Authentication

  • Validating the authenticity of transient routes in Internet paths

  • Semantics of path advertisement

  • Stability study shows that the set of paths an AS advertises is relatively small

    • Use cryptographic proof systems, led to efficient structures

  • Simulations reduce common solutions by 96.5% over S-BGP

  • First feasible system demonstration

Network Security
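The two slides above describe mining an update stream for origin changes and validating each claimed origin against a delegation (prefix-to-AS) table. The block below is an added illustration of that check, not the lab's own code or data: the authorization table, the update stream and the AS numbers are constructed, and the valid/invalid/unknown classification follows the usual origin-validation rule (an announcement is valid when some covering authorization names its origin AS and permits its prefix length).

```python
"""Origin validation and origin-transition mining over a BGP update stream.
Added illustration; every prefix, AS number and update below is constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    prefix: ipaddress.IPv4Network
    max_length: int   # most specific prefix the AS may originate under this entry
    origin_as: int


# Constructed delegation table: who may originate which address space.
AUTHS = [
    Authorization(ipaddress.ip_network("203.0.113.0/24"), 24, 64500),
    Authorization(ipaddress.ip_network("198.51.100.0/22"), 24, 64501),
]

# Constructed update stream: (time in seconds, prefix, origin AS from the AS_PATH).
UPDATES = [
    (0,   "203.0.113.0/24", 64500),
    (60,  "203.0.113.0/24", 64500),
    (120, "203.0.113.0/24", 64666),   # origin changes to an unauthorized AS
    (180, "203.0.113.0/25", 64666),   # more-specific announcement, same bogus origin
    (240, "198.51.100.0/23", 64501),  # allowed: /23 is within max_length 24
    (300, "192.0.2.0/24", 64502),     # no covering authorization at all
]


def validate_origin(prefix, origin_as, auths=AUTHS):
    """Return 'valid', 'invalid' or 'unknown' for one origin claim."""
    covering = [a for a in auths if prefix.subnet_of(a.prefix)]
    if not covering:
        return "unknown"        # nobody has stated ownership of this space
    for a in covering:
        if a.origin_as == origin_as and prefix.prefixlen <= a.max_length:
            return "valid"
    return "invalid"            # covered, but by a different AS or too specific


def audit_updates(updates=UPDATES, auths=AUTHS):
    """Classify each update and record origin transitions per prefix."""
    last_origin = {}
    records = []
    for time, prefix_str, origin_as in updates:
        prefix = ipaddress.ip_network(prefix_str)
        previous = last_origin.get(prefix)
        records.append({
            "time": time,
            "prefix": prefix_str,
            "origin_as": origin_as,
            "status": validate_origin(prefix, origin_as, auths),
            # a transition is a change of origin AS for a prefix already seen
            "transition": previous is not None and previous != origin_as,
            "previous_origin": previous,
        })
        last_origin[prefix] = origin_as
    return records


if __name__ == "__main__":
    for rec in audit_updates():
        flag = " TRANSITION" if rec["transition"] else ""
        print(f'{rec["time"]:>4}s {rec["prefix"]:<17} AS{rec["origin_as"]} {rec["status"]}{flag}')
```

Run over the constructed stream, the audit marks the 120 s update as both an origin transition and an invalid origin, the /25 at 180 s as invalid, and the 192.0.2.0/24 announcement as unknown because no authorization covers it.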


Detecting Spy-ware

  • Spy-ware implements some valuable function and at the same time exposes sensitive data or resources (KaZaa)

  • Problem: How do we detect the execution of spy-ware code in a running program?

  • Solution: use dynamic slicing to reconstruct dependencies from event traces (sys calls, Win API) to find privacy violations

    • Policy language used to describe policy violations, state

    • Implemented and benchmarked

    • Caught leakage in KaZaa

    • 0.05% additional system call cost for interactive programs

Operating Systems Security
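The slide's method, a backward dynamic slice over an event trace that ends at a network send, checked against a privacy policy, is illustrated by the added block below. It is not the lab's implementation: the trace format (each event reads and writes named resources such as file descriptors and buffers), the events themselves and the policy lists are constructed for the example.

```python
"""Backward dynamic slicing over a system-call trace to find network sends
that depend on sensitive files. Added illustration; the trace and policy are
constructed and the event model is a simplification of a real API trace."""
from dataclasses import dataclass, field


@dataclass
class Event:
    op: str
    reads: set = field(default_factory=set)   # resources consumed (fd:3, buf:raw, sock:5)
    writes: set = field(default_factory=set)  # resources produced or overwritten
    arg: str = ""                             # path or host, used for policy matching


# Policy: which sources are sensitive and which operations are sinks.
SENSITIVE_PATHS = ("contacts", "history", "passwd")
NETWORK_OPS = ("send", "sendto")

# Constructed trace of one process; indices double as event sequence numbers.
TRACE = [
    Event("open", writes={"fd:3"}, arg="C:/Users/a/contacts.db"),
    Event("open", writes={"fd:4"}, arg="C:/app/config.ini"),
    Event("read", reads={"fd:4"}, writes={"buf:cfg"}),
    Event("read", reads={"fd:3"}, writes={"buf:raw"}),
    Event("transform", reads={"buf:raw"}, writes={"buf:enc"}),   # obfuscation step
    Event("connect", writes={"sock:5"}, arg="stats.example"),
    Event("send", reads={"sock:5", "buf:cfg"}, arg="stats.example"),
    Event("send", reads={"sock:5", "buf:enc"}, arg="stats.example"),
    Event("transform", reads={"buf:cfg"}, writes={"buf:enc"}),   # overwrites buf:enc
    Event("send", reads={"sock:5", "buf:enc"}, arg="stats.example"),
]


def backward_slice(trace, sink_idx):
    """Events that the sink at sink_idx transitively depends on (def-use chain)."""
    wanted = set(trace[sink_idx].reads)
    found = []
    for idx in range(sink_idx - 1, -1, -1):
        ev = trace[idx]
        produced = ev.writes & wanted
        if produced:
            found.append(idx)
            wanted -= produced      # this is the reaching definition; older ones are shadowed
            wanted |= ev.reads      # and we now need whatever it consumed
    return list(reversed(found))


def find_violations(trace=TRACE):
    """(sink index, destination, sensitive path) for every send fed by sensitive data."""
    violations = []
    for idx, ev in enumerate(trace):
        if ev.op not in NETWORK_OPS:
            continue
        for dep in backward_slice(trace, idx):
            src = trace[dep]
            if src.op == "open" and any(p in src.arg for p in SENSITIVE_PATHS):
                violations.append((idx, ev.arg, src.arg))
    return violations


if __name__ == "__main__":
    for sink, host, path in find_violations():
        print(f"event {sink}: send to {host} depends on {path}")
```

Only the send at index 7 is reported: the send at index 6 carries configuration data, and the send at index 9 reads a buffer that was overwritten by event 8 from the configuration data, so the slice stops at the newer definition and never reaches the contacts file.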


Antigone

  • Policy Languages

    • Provisioning policy vs. authorization policy

    • Composition is fundamentally intractable

    • General purpose policy: Ismene

    • Enforcement separation

  • Antigone system built to compose large collections of diverse policies in a single infrastructure.

    • Policy Compiler

    • Enforcement Infrastructure

    • Dozens of security mechanisms

    • 75,000+ lines of code

  • Applications

    • AMirD - general purpose replication platform

    • Highly flexible Transport layer security

    • Security for squad level hand held communications

  • In permanent demonstration exhibit at Fort Monmouth, NJ (ARMY)

  • Winner of DARPA’s Bang for the Buck award in Dynamic Coalition program

Security Policy


Forward Secure Signatures

  • Advanced cryptographic construction used to mitigate future key compromise.

    • Signing key “lost” once signature made

    • Intractable to obtain a past signing key from a future private key

  • Implementation of FSS

    • Search parameter space

    • Evaluate key size/memory tradeoffs

    • Community service

  • Constructed calculus for determining optimality of FSS solutions

    • RSA not necessarily better

  • Bottom line: like many constructions

    • Good or bad, be careful

    • 1 to 4 if properly used

    • 3+ OOM (orders of magnitude) worse if not

    • RSA/DSA/ECC are appropriate for different environments (trade-offs)

Applied Cryptography
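The property the slide states, that a signing key is gone once the signature is made and cannot be recovered from any later private key, is shown concretely by the added toy scheme below. It is not the lab's FSS implementation and not one of the RSA/DSA/ECC constructions the slide compares: it is the generic certificate-chain construction built from Lamport one-time signatures over SHA-256, with one message per period and signatures that grow with the period number (the memory trade-off the slide mentions). Names such as ForwardSecureSigner and fs_verify are this example's own.

```python
"""Toy forward-secure signatures from a chain of Lamport one-time key pairs.
Each period holds a message key and a certifying key; signing uses the message
key, then the certifying key signs the next period's public keys and both old
private keys are erased. Added illustration, not a production scheme."""
import hashlib
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _bits(digest: bytes):
    return [(digest[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


def ots_keygen():
    """Lamport OTS: 256 pairs of random preimages; the public key is their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def ots_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(_bits(H(msg)))]


def ots_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(H(sig[i]) == pk[i][b] for i, b in enumerate(_bits(H(msg))))


def pk_encode(pk) -> bytes:
    return b"".join(a + b for a, b in pk)


class ForwardSecureSigner:
    def __init__(self):
        self.period = 0
        self.msg_sk, msg_pk = ots_keygen()     # signs this period's single message
        self.cert_sk, cert_pk = ots_keygen()   # certifies the next period's keys
        self.public_key = (msg_pk, cert_pk)    # published once; never changes
        self.chain = []                        # certificates from public_key to current keys

    def update(self):
        """Advance one period: certify fresh keys, then erase the old secrets."""
        new_msg_sk, new_msg_pk = ots_keygen()
        new_cert_sk, new_cert_pk = ots_keygen()
        cert = ots_sign(self.cert_sk, pk_encode(new_msg_pk) + pk_encode(new_cert_pk))
        self.chain.append((new_msg_pk, new_cert_pk, cert))
        # Overwriting the references is the forward-security step: nothing kept
        # here can produce a signature for any earlier period.
        self.msg_sk, self.cert_sk = new_msg_sk, new_cert_sk
        self.period += 1

    def sign(self, msg: bytes):
        sig = (self.period, ots_sign(self.msg_sk, msg), list(self.chain))
        self.update()   # the signing key is "lost" as soon as the signature is made
        return sig


def fs_verify(public_key, msg: bytes, signature) -> bool:
    """Walk the certificate chain from the long-lived key to the period's message key."""
    period, ots_sig, chain = signature
    if len(chain) != period:
        return False
    msg_pk, cert_pk = public_key
    for new_msg_pk, new_cert_pk, cert in chain:
        if not ots_verify(cert_pk, pk_encode(new_msg_pk) + pk_encode(new_cert_pk), cert):
            return False
        msg_pk, cert_pk = new_msg_pk, new_cert_pk
    return ots_verify(msg_pk, msg, ots_sig)


if __name__ == "__main__":
    signer = ForwardSecureSigner()
    pk = signer.public_key
    s0 = signer.sign(b"period 0 message")
    s1 = signer.sign(b"period 1 message")
    print("period 0 verifies:", fs_verify(pk, b"period 0 message", s0))
    print("period 1 verifies:", fs_verify(pk, b"period 1 message", s1))
    # Whoever holds the signer now has only period-2 secrets: a signature made
    # with them but labelled period 0 does not verify under the root key.
    print("forged period 0 verifies:", fs_verify(pk, b"x", (0, ots_sign(signer.msg_sk, b"x"), [])))
```

Each signature carries the whole chain back to the published key, so size grows linearly with the period; real schemes (including the RSA-based ones the slide weighs against DSA/ECC) exist precisely to avoid that growth while keeping the same erase-and-move-forward property.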


Searching for privacy …

  • Recently, the Internet community has demanded more information about how websites deal with privacy

  • P3P is an automated system for specifying site machine readable privacy policies

  • P3Poogle

    • Caches/evaluates P3P policies w.r.t. a user privacy policy

    • Privacy violations are visually indicated next to each site

    • Integrates the Google API with caching of P3P

  • Implementation complete

    • Working HCI study at CMU

    • Reasonable performance

Privacy


The future?

  • Security is often about applications

    … it should be about environments.

  • The ad hoc nature in which security is defined and achieved across and between systems is a central source of vulnerability.


Environmental Security

[Diagram: POLICY, VERIFICATION and ENFORCEMENT, connected through Language, Assessment and Composition]

  • Articulating Intent

  • Enforcing across platforms and services

  • Understanding evolving compliance

… must start with some trustable core

(e.g., network)


The SIIS Laboratory …

  • Systems and Internet Infrastructure Laboratory

    • Launched 9/04 at CSE/PSU

  • Committed to the investigation and development of environment-oriented security solutions, e.g.,

    • Infrastructure Security (routing, OS, DRM, etc.)

    • Policy (authorization, provisioning)

    • Security service analysis

  • Current support: ARPA, Symantec, and NSF

  • View papers and documentation of activities at:

    http://siis.cse.psu.edu/