TRUST Seminar Series

The Fall 2008 TRUST Seminar Series talks will be held in 540A/B Cory Hall on the campus of the University of California, Berkeley, on Thursdays from 1:00 to 2:00 PM.

If you are visiting Cory Hall from off campus, please see the Visitor Information page.

To receive notification of future TRUST Seminar Series talks, please join either the trustlocal or the trustseminar workgroup.

(Most members of TRUST who are located at UC Berkeley should join the trustlocal workgroup instead of the trustseminar workgroup.)

Information on past TRUST Seminars is available here.

Fall 2008 TRUST Seminar Series

On the Fragility of Adversary Definitions in Cryptographic Protocols
Virgil Gligor, Carnegie Mellon University

1pm, Thursday, September 4, 2008, 540 A/B, Cory Hall

Abstract
Adversary definitions that have been successfully used in cryptography theory are fragile; i.e., restrictions placed on the adversary behavior can be circumvented in practice. Fragility is caused by mismatches between the computational models assumed by adversary definitions and the practical realities of large-scale networks, such as the Internet. For example, a large number of encryption/decryption oracles may be available to an adversary in practice when only single-oracle access is assumed in theory; or bounds on the number of attack queries that can be issued by an adversary in theory cannot be enforced in practice. I illustrate these mismatches with two examples of new PPT adversaries: a "concurrent" and a "network" adversary. In the first example, bounds placed on the number of attack queries launched by an adversary against password-based authenticated key exchange (PAKE) protocols, whose security is proven in either the standard or the random oracle model, can be circumvented by multi-threaded, client-server models of computation in the Internet. (This is based on joint work with Taekyoung Kwon and Ji Sun Shin.) In the second example, I argue that a PPT adversary with access to a large, but bounded, number of different oracles can break encryption schemes that offer a very strong sense of security (i.e., schemes proved to be IND-CCA2 secure) with non-negligible probability. (This example is based on joint work with Bryan Parno.) I conclude that adversary definitions used in cryptographic-protocol analyses must come with "warning labels" regarding the models of computation assumed and the security vulnerabilities that might arise in practice when model mismatches arise. Good theory owes this to good practice.
Bio
Virgil D. Gligor received his B.Sc., M.Sc., and Ph.D. degrees from the University of California at Berkeley. He taught at the University of Maryland between 1976 and 2007, and is currently a Professor of Electrical and Computer Engineering at Carnegie Mellon University. He was an Editorial Board member of the ACM Transactions on Information and System Security and of several IEEE Transactions (i.e., Dependable and Secure Computing, Computers, and Mobile Computing), and he is currently the Editor-in-Chief of IEEE TDSC. Over the past three decades, his research interests have ranged from access control mechanisms, penetration analysis, and denial-of-service protection to cryptographic protocols and applied cryptography. He was awarded the 2006 National Information Systems Security Award, jointly given by NIST and NSA in the US, for his contributions to security research.
Spectator: detection and containment of JavaScript worms
Ben Livshits, Microsoft Research

1pm, Thursday, September 11, 2008, 540 A/B, Cory Hall

Abstract
Recent popularity of interactive AJAX-based Web 2.0 applications has given rise to a new breed of security threats: JavaScript worms. We propose Spectator, the first automatic detection and containment solution for JavaScript worms. Spectator performs distributed data tainting by observing and tagging the traffic between the browser and the Web application. When a piece of data propagates too far, a worm is reported. To prevent worm propagation, subsequent upload attempts performed by the same worm are blocked. Spectator is able to detect fast and slow moving, monomorphic and polymorphic worms with a low rate of false positives. In addition to our detection and containment solution, we propose a range of deployment models for Spectator, ranging from simple intranet-wide deployments to a scalable load-balancing scheme appropriate for large Web sites. We demonstrate the effectiveness and efficiency of Spectator through both large-scale simulations as well as a case study that observes the behavior of a real-life JavaScript worm propagating across a social networking site. Spectator is able to detect all JavaScript worms released to date while maintaining a low detection overhead for a range of workloads.
Bio
Ben Livshits is a researcher at Microsoft Research in Redmond, WA. He received a B.A. from Cornell University in 1999, and his M.S. and Ph.D. from Stanford University in 2002 and 2006, respectively. Dr. Livshits' research interests include the application of sophisticated static and dynamic analysis techniques to finding errors in programs. He is known for his work on software reliability and especially on tools to improve software security, with a primary focus on approaches to finding buffer overruns in C programs and a variety of security vulnerabilities (cross-site scripting, SQL injection, etc.) in Web-based applications. Lately he has been focused on how Web 2.0 application reliability, performance, and security can be improved through a combination of static and runtime techniques.
Engineering for compliance: influencing security behaviour in organisations
Angela Sasse, University College London

1pm, Thursday, September 18, 2008, 540 A/B, Cory Hall

Abstract
Information security professionals often complain that employees undermine security because they do not comply with the security policies. Based on data from a series of interviews with security professionals and employees, this talk will identify factors that influence the decision of whether to comply with a security policy, and discuss measures for improving compliance, including security awareness and training, social marketing, psychological contracts, and leadership. Key to achieving compliance, however, is to engineer security so that the set of behaviours required for compliance is appropriate and manageable. Information security professionals have to accept that there is a limit to the amount of effort employees can expend on compliance with security policies, and use that effort wisely, by designing security that requires a limited and consistent set of security behaviours.
Bio
Angela Sasse read psychology in Germany and holds an M.Sc. in Occupational Psychology from Sheffield University and a PhD in Computer Science (on Users' Models) from the University of Birmingham. She worked as a Human Factors Specialist for Philips Corporate Industrial Design in 1990, and started as a Lecturer in the Department of Computer Science at UCL in November 1990.
Protection and Communication Abstractions for Web Browsers in MashupOS
Helen Wang, Microsoft Research

1pm, Friday, September 19, 2008, 540 A/B, Cory Hall

Abstract
The advent of AJAX and client mashups has turned Web browsers into a multiprincipal operating environment. But browser support for Web programmers has lagged behind and remained in a single-principal world: The Same Origin Policy that dictates today's browser-security model offers either no trust through complete isolation between principals (sites) or full trust by incorporating third-party code as libraries. The consequences of such limited support include cross-site-scripting attacks that seriously plague today's Web and undesirable programming practices that make tradeoffs between security and functionality. In the MashupOS project, we address this deficiency. Our goal is to enable a browser to be a multiprincipal OS. Our initial focus is on protection and communication abstractions. Protection is to provide default isolation boundaries among principals (sites), while communication enables custom, fine-grained access control. We have designed our abstractions to be backward-compatible and easily adoptable. We have built a MashupOS prototype that we will demonstrate. Our experience and evaluation show that our abstractions make it easy to build more secure and robust client-side Web mashups and can be implemented easily in browsers with negligible performance overhead.
Bio
Helen J. Wang is a senior researcher and leads a security research group at Microsoft Research, Redmond. Her research interests are in system/network security, mobile/wireless computing, and wide-area large-scale distributed system design. She received her Ph.D. degree from the Computer Science department of U. C. Berkeley in December 2001. She obtained her Bachelor of Science in Computer Science from U. T. Austin and her Master of Science in Computer Science from U. C. Berkeley.
Redundant Computing for Security
David Evans, University of Virginia

1pm, Thursday, September 25, 2008, 540 A/B, Cory Hall

Abstract
Increases in transistor counts, without corresponding advances in programming techniques and I/O latency, have led to a situation where unused computing capacity is often cheaply available. Our research explores ways to use redundant computation to improve security. I will present a new architectural framework that uses redundant computation and artificial diversity to enhance security. The framework runs variants in a synchronized way that requires an attacker to compromise one of the system variants without producing detectably different behavior in another system variant. By constructing variants with disjoint exploitation sets, we make it impossible to successfully carry out large classes of important attacks. In this talk, I will describe our framework, identify some useful variations, and present results using a prototype implementation to protect an Apache server.
Bio
David Evans, currently on sabbatical visiting UC Berkeley, is an Associate Professor at the University of Virginia and Founding Director of the Interdisciplinary Major in Computer Science. He has SB, SM and PhD degrees in Computer Science from MIT. His other research interests include program analysis, RFID privacy, and web application security. The talk describes joint work with Ben Cox, Anh Nguyen-Tuong, Jonathan Rowanhill, John Knight, and Jack Davidson.
Modern Malware Detection: A Symantec Perspective
Tzi-cker Chiueh, Symantec

1pm, Thursday, October 16, 2008, 540 A/B, Cory Hall

Abstract
Malware is any malicious software that intrudes into a victim machine to take control of its resources, to steal its sensitive information, or both. To detect and prevent these malware programs, academic researchers with different backgrounds, e.g. compiler, operating system, distributed system and networking, develop different solutions that attempt to deter them at different points on their way to a successful compromise. However, computer security vendors such as Symantec generally do not have such latitude because their solutions have to work in much more constrained and demanding operating environments. This is a major reason why most past malware detection research had little impact on commercial computer security products. In this talk, I will present Symantec's view of the modern malware detection problem, the technical challenges it entails going forward, and several research efforts at Symantec Research Labs that specifically aim to address these challenges.
Bio
Dr. Tzi-cker Chiueh is Director of the Core Research group at Symantec Research Labs and a Professor in the Computer Science Department of Stony Brook University. He received his B.S. in EE from National Taiwan University, M.S. in CS from Stanford University, and Ph.D. in CS from University of California at Berkeley in 1984, 1988, and 1992, respectively. He received an NSF CAREER Award in 1995, and Best Paper Awards from the 21st Annual Computer Security Applications Conference (ACSAC 2005), the 8th International Symposium on Systems and Information Security (SSI 2006), the third International Symposium on Information Assurance and Security (IAS 2007), and the 24th International Conference on Data Engineering (ICDE 2008). Dr. Chiueh has published over 170 technical papers in refereed conferences and journals. His current research interests lie in computer security, storage systems, and wireless networking.
Privacy Integrated Queries: An Extensible Platform for Private Data Analysis
Frank McSherry, Microsoft Research

1pm, Thursday, October 23, 2008, 540 A/B, Cory Hall

Abstract
Privacy Integrated Queries (PINQ) is a data analysis platform designed to overcome what is currently one of the most substantial hurdles in the deployment of privacy-preserving data analysis: despite the substantial interest on the part of both data analyst and data provider, inordinate effort is required for the two parties to convince themselves of the privacy guarantees of a given technique. Even in the uncommon case that both parties are privacy experts, different dialects of privacy can make agreement difficult. This communication barrier prevents the collaboration of willing participants, and holds back the fruitful analysis of sensitive data. PINQ aims to be a lingua franca for privacy, providing a simple and natural data access API for data analysts and unconditional privacy guarantees for data providers. All programs written in PINQ provide "differential privacy", a recent and powerful privacy guarantee. Analysts and providers can convince themselves of the privacy of an algorithm simply by limiting its data access to the API provided by PINQ; analysts needn't prepare complex theoretical analyses, and providers needn't understand them. This simple and powerful platform opens the doors to privacy-preserving analysis of arbitrarily sensitive data, without requiring any privacy expertise in the design or implementation of the analyses.
Bio
Frank McSherry is a researcher at Microsoft Research's Silicon Valley research lab. He did his PhD research at the University of Washington with Anna Karlin, working on spectral methods for data analysis. His current research interests span the theoretical and practical aspects of large-scale data analysis and associated privacy issues, among other topics.
Anonymous Mobility in Suspicious MANETs
Gene Tsudik, University of California, Irvine

1pm, Thursday, November 6, 2008, 540 A/B, Cory Hall

Abstract
In most network scenarios, nodes initiate communication on the basis of (public) identities. However, in some hostile and suspicious MANET settings, node identities must not be exposed and node movements must not be traceable. Instead, nodes need to communicate on the basis of their current locations. In this work, we address some interesting issues arising in such MANETs by designing two privacy-agile routing methods: ALARM and PRISM. Both use a location-centric (as opposed to traditional identity-centric) communication paradigm. In ALARM, nodes' current locations are used to construct a current secure MANET map. Based on this map, each node can decide which other nodes it wants to communicate with. PRISM exposes less topology information by adopting a hit-and-miss communication paradigm: nodes communicate to specific locations (areas). Both methods take advantage of advanced cryptographic primitives to achieve node authentication, data integrity, anonymity/untraceability (tracking-resistance), as well as resistance to insider attacks.
Bio
Gene Tsudik is a Professor (and Vice-Chair for Graduate Studies) in the Computer Science Department at the University of California, Irvine. He has been conducting research in Internetworking, network security and applied cryptography since 1987. He obtained his PhD in Computer Science from USC in 1991 for research on firewalls and Internet access control. Before coming to UC Irvine in 2000, he was a Project Leader at IBM Zurich Research Laboratory (1991-1996) and USC Information Science Institute (1996-2000). Over the years, his research interests included: routing, firewalls, authentication, mobile networks, e-commerce, anonymity, group communication, digital signatures, key management, ad hoc networks, as well as database privacy and secure storage. Between 2003 and 2007, Professor Tsudik served as Associate Dean of Research and Graduate Studies in the School of Information and Computer Sciences at UCI. He spent April-September 2007 in Italy as a Fulbright Scholar at the University of Rome (La Sapienza).
Practical Proactive Integrity Preservation: A Basis for Robust Malware Defense
R. Sekar, Stony Brook University

1pm, Thursday, November 13, 2008, 540 A/B, Cory Hall

Abstract
Today's defenses against malware rely primarily on reactive approaches such as signature-based scanning and file integrity monitoring to detect the presence of malware after it has already entered the system. Unfortunately, clever adversaries can develop malware that conceals itself before these defense mechanisms can detect it, thus giving the malware developers an edge over the defenders. In contrast, this talk describes proactive techniques that are aimed at putting the system administrator firmly in control over the security of their system. Our approach relies on system-wide information-flow tracking to ensure that security-critical processes and files are not influenced by code or data from untrusted sources. Although information-flow based techniques have been proposed in the past, they have not had much impact on modern COTS operating systems. This is, in part, due to the fact that a strict application of information flow policy can break existing applications and OS services. Another important factor is the difficulty of policy development, which requires us to specify policies involving hundreds of applications and hundreds of thousands of files and other resources. We address the first problem by developing a flexible policy framework aimed at preserving the usability of applications. We then proceed to address the second problem by developing a technique for automating the synthesis of information flow policies that preserve integrity. Preliminary implementation results with popular Linux distributions have been very promising. Whereas the first part of the talk is concerned with preserving integrity in the face of malware that arrives in the form of stand-alone applications, in the second part, we consider malware that arrives in the form of libraries or plug-ins. Enforcing integrity policies on such plug-ins is complicated by the fact that they share the same address space with a benign host application. We describe a fine-grained information flow tracking technique that can provide the basis for sound enforcement of integrity policies on such plug-ins. Our solution is based on an efficient static binary rewriting technique that is effective on many COTS binaries and provides excellent runtime performance.
Bio
R. Sekar (http://www.cs.stonybrook.edu/~sekar) is a Professor of Computer Science and the Director of the Secure Systems Laboratory (http://seclab.cs.stonybrook.edu/) and the Center for Cybersecurity (http://ccs.cs.stonybrook.edu/) at Stony Brook University. He has a Bachelor's degree in Electrical Engineering from IIT, Madras (India) and a Ph.D. in Computer Science from Stony Brook. He then served as a Research Scientist in Networking Research at Bellcore. After five years, he moved to Iowa State University, and subsequently to Stony Brook. Sekar's research interests are focused on computer security, with specialization in attack detection, prevention, containment, response, and recovery; mobile and untrusted code security; malware; security policies and enforcement; anomaly detection; vulnerability analysis; and testbeds for network security experiments. His research has been supported by AFOSR, DARPA, NSF, ONR, the State of New York, and industry sponsors.
Cyber Security Issues In The Competitive Electricity Market Environment
George Gross, University of Illinois, Urbana-Champaign

1pm, Thursday, November 20, 2008, 540 A/B, Cory Hall

Abstract
We focus this presentation on the cyber security of the interconnected power grid: the backbone of the electricity infrastructure of the nation. We consider impacts of the cyber security issues within the context of the side-by-side operations of the grid and the competitive electricity markets. We examine the nature of the cyber security vulnerability in the grid and discuss the range of consequences. The discussion is carried out using a multi-layer conceptual structure to represent the physical grid, the market operations and the control/communications subsystem. We focus on the metering issues as an example of some of our recent work in power system cyber security. We conclude with a description of the multiple challenges ahead.
Bio
George Gross is Professor of Electrical and Computer Engineering and Professor, Institute of Government and Public Affairs, at the University of Illinois at Urbana-Champaign. His research and teaching activities are in the areas of power system analysis, economics and operations, utility regulatory policy and industry restructuring. He was formerly with the Pacific Gas and Electric Company, where Dr. Gross founded the company's Management Science Department and held other key management, technical and policy positions. During 1992-93, Dr. Gross was at the Electric Power Research Institute to develop research directions on open access transmission. A Fellow of IEEE, Dr. Gross was awarded the Franz Edelman Management Science Achievement Award by the Institute of Management Science. Dr. Gross is the author of a large number of publications and book chapters. He was a Visiting Professor at the Politecnico di Milano, the University of Pavia and the Politecnico di Torino during the academic year 1999-2000. George Gross received his undergraduate degree at McGill University in Montreal and did his graduate studies at the University of California, Berkeley.

Details about how the seminar is managed can be found on the page "How is the TRUST Seminar managed?"

© 2005-2009 Trust