Development of security technology will require a fundamentally
new look at some of the foundations of computer and information
technology in the areas of:
- Software Security,
- Trusted Platforms,
- Applied Cryptography and
- Network Security.
The number of software vulnerabilities discovered each year (as
reported by CERT) has increased fivefold in the past four years. The
most commonly exploited security vulnerabilities today, including
those used by worms, viruses, and "hacker kits" directly reflect
software security failures. The commonality behind these
vulnerabilities is that they arise from implementation flaws, and the
field of software security is directed at detecting, mitigating, and
removing such flaws. We propose to address these needs by developing
the fundamental principles and applications of language-based
security:
- Static code verification: We will identify design
principles for security-friendly APIs, develop disciplined styles of
programming, and build automated tools for lightweight static checking
of these programming disciplines.
- Dynamic analysis: We will develop new methods for
dynamic monitoring and runtime enforcement of security properties.
- Multi-lingual security: We will develop language-based
security for multi-lingual programs (common in large systems) by
building a multi-lingual runtime platform enforcing memory safety.
- Software design: We will develop specification languages,
methods, and tools that support the principle of "security by design"
to allow compositional reasoning of software components.
Program analysis. A significant class of security
vulnerabilities, such as command injection attacks, stems from the
flow of malicious data and code in multi-lingual systems. Tracking the
flow of malicious values in a program consisting of many components
written in many different languages is, we believe, an appropriate
target for a combination of static and dynamic analysis. A
particularly useful form of dynamic analysis for enforcing security is
known as taint analysis, which tags values as trusted or untrusted
at run time.
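The run-time tagging described above, as an added example that is not part of the original page: a value is tagged at a source, the tag propagates through concatenation, and a sink at the Python-to-shell language boundary refuses tagged data. The names `Tainted`, `read_request_param`, `shell_quote`, `shell_sink` and `count_lines_command` are hypothetical, and the request parameter is constructed sample input.

```python
import shlex


class Tainted(str):
    """A string tagged untrusted; the tag survives `+` in either direction."""

    def __add__(self, other):
        if not isinstance(other, str):
            return NotImplemented
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):          # trusted + tainted is still tainted
        if not isinstance(other, str):
            return NotImplemented
        return Tainted(str.__add__(other, self))


class TaintError(Exception):
    """Raised when untrusted data reaches a security-sensitive sink."""


def read_request_param(raw):
    """Source: everything arriving from the network is tagged at entry."""
    return Tainted(raw)


def shell_quote(value):
    """Sanitizer: quote for the shell and drop the tag (returns a plain str)."""
    return str(shlex.quote(value))


def shell_sink(command):
    """Sink: stands in for os.system(); checks the tag at the language boundary."""
    if isinstance(command, Tainted):
        raise TaintError("untrusted data reached the shell: %r" % str(command))
    return command                      # a real sink would execute the command here


def count_lines_command(filename, sanitize):
    """Build `wc -l <filename>` from a request parameter, with or without sanitizing."""
    arg = shell_quote(filename) if sanitize else filename
    return shell_sink("wc -l " + arg)
```

Propagation here covers only `+`; formatting and other string methods return untagged strings, which is why a complete dynamic taint tracker instruments the runtime rather than a single class.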
System composition. The interface between software artifacts
written in different languages is a source of errors and potential
security holes. The problem here is that type checking must be done
for pieces of code with incompatible semantics. Our initial approach
will model the incompatible aspects of a multi-lingual system as
differing capabilities. An initial implementation would be based on
the CQUAL system [AFKT03,FTA02]. We will extend the benefits of
language-based security to multi-lingual programs by extending the
notion of proof-carrying code. The challenge is to allow extensible
code verification, so one can provide multiple language-specific,
un-trusted verifiers. Our architecture will be based on a single
trusted meta-verifier that can supervise execution of many un-trusted,
domain-specific verifiers.
So-called "trusted platforms" are a significant present focus of
development in the information security industry (beginning with the
industry consortium, Trusted Computing Platform Alliance (TCPA) in
1999, now renamed the Trusted Computing Group (TCG)). Roughly, a
"trusted platform" is a computing platform that has a trustworthy
component, possibly in the form of built-in hardware, and that uses
this component to create a secure foundation for software processes
and for communication with software vendors. While development of
other "trusted platforms," such as Intel's LaGrande and Microsoft's
Palladium, is now being spearheaded by industry, the basic principles
underlying trusted computing have not been subject to scientific study
and review.
New hardware opens new vistas for research, especially in the case of
new trusted platforms. We will perform research to:
- understand the composition of "trusted platforms,"
- evaluate the security and vulnerability of these systems, as some
have alleged that they open the door for a range of abuses and
anti-competitive practices [AND03],
and
- examine minimal hardware and software configurations that can
provide "trusted platforms" while minimizing undesirable
consequences.
Individual computing systems can be compromised and
become unreliable when only a small fraction of the system is
altered. This phenomenon makes computers, intranets, and distributed
systems untrustworthy to their owners and operators. Accordingly, the
TRUST center will address this fundamental security issue through the
following mechanisms:
- Virtualization, which is a powerful method for isolating
independent system functions by running independent operating
environments, from the operating system on up, on a software-based
virtualization of the underlying hardware. Going beyond VMWare, TRUST
will provide methods for leveraging virtualization to protect
individual computer systems and networks of interconnected computing
devices.
- Attestation, which is a hierarchical mechanism for
software components to authenticate each other, allowing a trustworthy
system to be layered over a basic attestation primitive provided
either in hardware or by a virtualization layer. TRUST will develop
privacy-preserving attestation methods.
- Obfuscation, which is a method of replacing hardware
mechanisms with software that cannot be analyzed or reverse engineered
to enable the sharing of software with coalition partners.
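The layering described in the attestation item, as an added example that is not part of the original page: each layer is measured before it runs, the measurements are folded into a register, and a verifier replays the log against known-good digests. It assumes a TPM-style extend operation as the basic primitive and uses an HMAC as a stand-in for the hardware-signed quote; the layer images, names and keys are constructed.

```python
import hashlib
import hmac

ZERO = bytes(32)                        # register value at reset
# Constructed sample images for three layers of a boot chain.
LAYERS = [("bootloader", b"loader-v1"), ("kernel", b"kernel-v1"), ("app", b"app-v1")]


def digest(image):
    return hashlib.sha256(image).digest()


def extend(register, measurement):
    """TPM-style extend: the register can only be folded forward, never set."""
    return hashlib.sha256(register + measurement).digest()


def boot(layers):
    """Each layer is measured before it runs; returns (register, event log)."""
    register, log = ZERO, []
    for name, image in layers:
        m = digest(image)
        log.append((name, m))
        register = extend(register, m)
    return register, log


def quote(device_key, register, nonce):
    """Stand-in for the hardware-signed quote (a real device signs asymmetrically)."""
    return hmac.new(device_key, register + nonce, hashlib.sha256).digest()


def verify(log, reported_quote, nonce, device_key, known_good):
    """Replay the log, compare each layer to a known-good digest, check the quote."""
    register = ZERO
    for name, m in log:
        if known_good.get(name) != m:
            return "untrusted layer: " + name
        register = extend(register, m)
    if not hmac.compare_digest(quote(device_key, register, nonce), reported_quote):
        return "log does not match quoted register"
    return "trusted"
```

A one-byte change to any layer changes every later register value, so a small alteration cannot hide behind an otherwise clean log.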
Network protocols that use cryptographic primitives are an
essential part of Internet security, the security of closely or
loosely coupled distributed systems, sensor net security, and security
components of critical infrastructure systems. For example, wireless
network security not only involves traditional end-to-end security
between specific systems, but protection of network access points from
transmission by unauthorized devices. Surprisingly, as demonstrated by
David Wagner et al. [CHWWO3], the authentication protocol in IEEE standard
802.11b is ineffective. Proposed TRUST activity related to protocols
using cryptography falls into two categories:
- Protocol design methods: Many network protocols with
security objectives are designed using a smaller set of concepts, such
as challenge-response, Diffie-Hellman-like key agreement, and
"cookies" to reduce potential denial of service. We propose a protocol
derivation framework based on the use of composition, refinement, and
transformation. In this framework, a protocol designer may choose two
initial protocol components, refine each of them, compose the results
to get a candidate protocol, and then apply one or more
transformations to improve efficiency or resist particular forms of
attack. Each such derivation will induce an associated security proof,
with the security property and its proof determined by the choice of
derivation steps.
- Protocol analysis, testing and verification:
Traditionally, there have been two main approaches to security
analysis of protocols:
- use of a symbolic computation model of
protocol execution and malicious attack, and
- the computational
approach involving modeling data as sequences of separable bits
(instead of as symbolic expressions), probability, and complexity.
We will unify the two models, using mathematically rigorous cryptography
tools, by looking at how encryption is handled in the two models
[AR02,MW03] or by trying to extend the symbolic model with additional
operations such as Diffie-Hellman exponentiation and exclusive-or
[CKRT03a,CKRT03b,CS03,MS03,Herz03] that extend its range. Related
interesting soundness proofs are in [BP03,War03,IK03], but so far,
there is apparently no general computational soundness theorem for the
general symbolic model. This unification will provide the scientific
basis for automated protocol design and analysis tools, as well as
insights into the composition of multiple protocols on the same
networks (allowing an attacker to compose attacks from different runs
of different protocols). See some of our recent work in, for example,
[LMMS98,MMS99,LMMS99,MRST01,MMS03,LKV99].
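The protocol design item above mentions composing components such as challenge-response and "cookies"; as an added example that is not part of the original page, the sketch below places a stateless cookie step in front of a challenge-response component so that the server allocates no state until the client has proved it can receive at its claimed address. The class, function and key names are hypothetical, HMAC-SHA256 is an assumed primitive, and the addresses are documentation-range samples.

```python
import hashlib
import hmac
import os

SHARED_KEY = b"constructed-demo-key"    # long-term client/server key (constructed)


def client_response(nonce, client_addr):
    """Challenge-response component: prove knowledge of the shared key."""
    return hmac.new(SHARED_KEY, nonce + client_addr.encode(), hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.secret = os.urandom(32)    # cookie key, known only to the server
        self.epoch = 1                  # advanced periodically to expire cookies
        self.sessions = {}              # per-client state, allocated late

    def _cookie(self, client_addr):
        msg = ("%s|%d" % (client_addr, self.epoch)).encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def hello(self, client_addr):
        """Step 1: reply with a cookie; nothing is stored for this client."""
        return self._cookie(client_addr)

    def start(self, client_addr, cookie):
        """Step 2: only a client that received the cookie gets state and a nonce."""
        if not hmac.compare_digest(cookie, self._cookie(client_addr)):
            return None
        nonce = os.urandom(16)
        self.sessions[client_addr] = nonce
        return nonce

    def finish(self, client_addr, response):
        """Step 3: check the response to the challenge; each nonce is single-use."""
        nonce = self.sessions.pop(client_addr, None)
        if nonce is None:
            return False
        return hmac.compare_digest(response, client_response(nonce, client_addr))
```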
The initial design of the Internet did not consider malicious
attacks, and so many Internet protocols and services are vulnerable
[Bir00,BV96]. Large scale Distributed Denial-of-Service (DDoS) attacks
have disrupted critical Internet services and caused significant
financial loss and operational instability. Routing protocols that
perform the main function of the Internet are also vulnerable to
malicious route updates, and attacks on these protocols could bring
down a large fraction of the Internet. We will tackle some of the
fundamental challenges required to make the Internet more secure (see
[PACR02]):
- Denial of service: In today's Internet, an end-host can do
little to defend against a flooding attack. Techniques and software
capable of disabling large portions of the Internet for hours or days
could be developed relatively easily today by sophisticated hackers or
nation states. Additionally, many protocol enhancements, such as
multicast (see [Bir99]), further exacerbate the security problem.
- Spoofed source addresses: One of the most difficult
challenges in defending against DDoS and many other attacks is that
attackers often spoof the source address of their packets. This hides
the origin of the attack and can confound defenses based on examining
source IP addresses.
- Routing security: Routing protocols that perform the main function
of the Internet, such as BGP, are vulnerable to malicious route
updates, and attacks on them can bring down a large fraction of the
Internet.
We plan to study Internet security issues, design new mechanisms,
build frameworks for evaluation, and study deployment issues on DETER
and Planet Lab, our networking testbeds:
- Structured overlay networks: To provide protection against
DDoS attacks, we will design an overlay infrastructure (see
[CSK02,SAZS02,ZHSRJK04]) based on two simple design principles for
end-hosts: (1) communication without revealing IP addresses; and (2)
defense against attacks before the attack reaches them.
- Better infrastructure: We will tackle problems ranging
from increasing the security of Internet routing to new
"indirection"-based approaches to software design. The use of IP
anycast to direct traffic to a perimeter of proxy servers is a
promising approach. In the context of various architectures we will
explore issues such as load balancing, DDoS attack detection, and
dynamic control over perimeter systems to react to various forms of
DDoS attack (see [AT02,WCB01,ZHSJK03]).
- Epidemic protocols: We are exploring a new class of
peer-to-peer protocols (also known as epidemic protocols) for
dynamically tracking the evolving state of a network or application in
an intrusion-resistant manner
[GBL03,GLB03,JB01,VBW04,RS04,BHO99,BVW01]. With these protocols, we
can build monitoring and control systems that are robust and
responsive even when an attack has shut down many applications. We
see applications of tools such as Cornell's Astrolabe system, which
built these epidemic protocols, in settings other than the electric
power grid that it was built for [VBW04,JB01].