
Trust Seminar

The Fall 2007 Trust Seminar will be held in The Wozniak Lounge, Soda Hall, Berkeley, on Thursdays from 1pm to 2pm. Two exceptions are the talk by David Wagner, which will be held in 290 Hearst Memorial Mining Building, and the talk by Chris Hoofnagle, which will be held in 540 A/B Cory Hall.

If you are visiting Soda Hall from offsite, please see the Visitor Information page.

To receive notification of future Trust Seminars, either join the trustlocal workgroup or the trustseminar workgroup.

Almost all members of Trust that are located at UC Berkeley should join trustlocal instead of joining the trustseminar group.

Past Trust Seminars

You can download a PDF flier to advertise the calendar for the Fall Semester of 2007.

Fall 2007 Trust Seminars

Object Capabilities for Security
David Wagner, University of California, Berkeley

1pm, Thursday, September 6, 2007, 290 Hearst Memorial Mining Building

Abstract
Existing systems often do a poor job of meeting the principle of least privilege. I will discuss how object capability systems and language-based methods can help address this shortcoming. In language-based object capability systems, an object reference is treated as a capability; unforgeability of references ensures unforgeability of capabilities; and all privileges are expressed as capabilities in this way. This makes it possible to decompose the system into distrusting "privilege-separated" components, providing each component with the least privilege it needs to do its job; to reason about the privileges and powers available to various program elements, often in a local (modular) way; and to avoid common pitfalls, such as confused deputy and TOCTTOU vulnerabilities. I will attempt to introduce the audience to some work in this area that is perhaps not so widely known, and I will describe some work in progress to construct a subset of Java, called Joe-E, that is intended to enable capability-style programming using a programming syntax that is familiar to Java programmers.
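A small illustration of the confused-deputy point above, added here as an example and not code from the talk or from Joe-E. It is Python, which cannot enforce reference unforgeability the way Joe-E restricts Java (reflection, globals and mutable statics all remain reachable), so it shows the design pattern rather than the language-level guarantee. The compile service, the billing log and the in-memory filesystem are constructed for the example:

```python
"""Ambient authority versus object capabilities (added example).

A 'compile' service writes output on behalf of a caller but also holds a
privilege of its own (the billing log).  With ambient, name-based
authority the caller can aim the deputy at the billing log; with object
capabilities the deputy can only write through references it was handed.
"""


# ---- Design 1: ambient authority ------------------------------------------

class AmbientFS:
    """Files are addressed by name and any code may read or write any name."""

    def __init__(self):
        self.files = {"/var/billing.log": "charge: alice 10\n"}   # constructed

    def read(self, path):
        return self.files.get(path, "")

    def write(self, path, data):
        self.files[path] = data


class AmbientDeputy:
    """Writes the caller's output, then appends a charge to the billing log.
    Both writes go through the same ambient write(), so a caller who names
    the billing log as the output file makes the deputy clobber it."""

    def __init__(self, fs):
        self.fs = fs

    def compile(self, user, source, out_path):
        self.fs.write(out_path, "compiled:" + source)            # caller-chosen name
        self.fs.write("/var/billing.log",                         # deputy's own privilege
                      self.fs.read("/var/billing.log") + "charge: %s 10\n" % user)


def demo_confused_deputy():
    """Returns the billing log after Mallory points the deputy at it."""
    fs = AmbientFS()
    AmbientDeputy(fs).compile("mallory", "int main(){}", "/var/billing.log")
    return fs.read("/var/billing.log")      # Alice's charge has been overwritten


# ---- Design 2: object capabilities ----------------------------------------

class FileCap:
    """A reference to exactly one file; holding the object is the permission.
    No path argument means no name lookup, hence no check-then-use gap."""

    def __init__(self, store, path):
        self._store = store
        self._path = path

    def read(self):
        return self._store.get(self._path, "")

    def write(self, data):
        self._store[self._path] = data


class ReadOnlyCap:
    """Attenuation: forwards read() only, so the holder cannot write."""

    def __init__(self, cap):
        self._cap = cap

    def read(self):
        return self._cap.read()


class CapDeputy:
    """Same service, but it can reach only the files it was handed, at
    construction or per call.  Callers can pass only capabilities they hold."""

    def __init__(self, billing):
        self._billing = billing

    def compile(self, user, source, out):
        out.write("compiled:" + source)
        self._billing.write(self._billing.read() + "charge: %s 10\n" % user)


def demo_capabilities():
    """Mallory holds a capability to her own output file and nothing else."""
    store = {"/var/billing.log": "charge: alice 10\n"}           # constructed
    deputy = CapDeputy(FileCap(store, "/var/billing.log"))
    mallory_out = FileCap(store, "/home/mallory/out")
    deputy.compile("mallory", "int main(){}", mallory_out)
    audit = ReadOnlyCap(FileCap(store, "/var/billing.log"))      # for an auditor
    return store["/var/billing.log"], mallory_out.read(), hasattr(audit, "write")
```

The capability version has no path argument at all: the deputy writes through whatever `FileCap` the caller could already write through, so a caller cannot launder the deputy's own authority, and there is no name lookup between a check and a use for a TOCTTOU race to exploit. `ReadOnlyCap` shows attenuation: a holder can hand on strictly less than it has, which is how least privilege is expressed in this style.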
Bio
David Wagner is an Associate Professor in the Computer Science Division at the University of California at Berkeley with extensive experience in computer security and cryptography. He and his Berkeley colleagues are known for discovering a wide variety of security vulnerabilities in various cellphone standards, 802.11 wireless networks, and other widely deployed systems, and he has published two books and over 90 peer-reviewed scientific papers. David is a founding member of the ACCURATE center. He is active in the areas of systems security, cryptography, and electronic voting.
A High Assurance Least Privilege Separation Kernel and its Application
Cynthia E. Irvine, Naval Postgraduate School

1pm, Thursday, September 13, 2007, Wozniak Lounge, Soda Hall

Abstract
Recent advances have made the practical development of separation kernels feasible. These resource managers are excellent candidates for use as the basis for highly trustworthy components within distributed security architectures. However, not all separation kernels are the same and these differences can dramatically affect the subsequent design of security-critical applications. A high assurance separation kernel must provide mechanisms to facilitate controlled sharing and trustworthy dissemination of information with differing confidentiality and integrity attributes. This talk will present the Trusted Computing Exemplar Project, which includes a high assurance, least privilege separation kernel (LPSK). The development methodology for this component will be reviewed, along with the government requirements standard to which it must conform. The application of the LPSK in several related projects will illustrate the utility of this basic trustworthy element in distributed architectures that must protect information with different security attributes and classification levels.
Bio
Cynthia Irvine is the Director of the Center for Information Systems Security Studies and Research (CISR) and a Professor of Computer Science at the Naval Postgraduate School, where she has worked since 1994. Her research centers on the design and construction of high assurance systems and multilevel security. She is an author on over 100 papers and reports on security and has supervised the research of over 80 Masters and PhD students. She has served on numerous government committees and review boards. She is a member of the ACM, a life member of the ASP, and a Senior Member of the IEEE. She is currently serving as Vice Chair of the IEEE Technical Committee on Security and Privacy.
Can Systems and Networks Really Be Trustworthy?
Peter G. Neumann, SRI

1pm, Thursday, September 20, 2007, Wozniak Lounge, Soda Hall

Abstract
By now, most of you should have a good idea of the extent to which systems and people fail to do what is expected of them. Software development is an imprecise art form, neither a science nor an engineering discipline. Furthermore, the industry is not tackling the hard problems. As a result, the current situation is really appalling in many instances. Although I have written extensively on that subject, this talk will not dwell on past failures -- apart from a brief introduction on why things are the way they are. Instead, I'll try to consider what might be done right. My background includes dealing with complexity and a wide range of application areas, and I will probably relate my suggestions to specific kinds of systems. If anyone feels like doing some background reading before the talk, you might consider looking at my DARPA report on principled assuredly trustworthy composable architectures (http://www.csl.sri.com/neumann/chats4.pdf or .html), some recent Inside Risks columns in the Communications of the ACM (http://www.csl.sri.com/neumann/insiderisks.html), and recent issues of the ACM Risks Forum (http://www.risks.org).
Bio
Peter G. Neumann holds doctoral degrees from Harvard and Darmstadt. After 10 years at Bell Labs in Murray Hill, NJ, in the 1960s, during which he was heavily involved in the Multics development jointly with MIT and Honeywell, and a year as a visiting lecturer in EECS at Berkeley (1970-71), he has been in SRI's Computer Science Lab since September 1971. He has been concerned with computer systems and networks, trustworthiness/dependability, high assurance, security, reliability, survivability, safety, and many risks-related issues such as voting-system integrity, crypto policy, social implications, and human needs including privacy. He moderates the ACM Risks Forum, edits CACM's monthly Inside Risks column, chairs the ACM Committee on Computers and Public Policy, and chairs the National Committee for Voting Integrity (http://www.votingintegrity.org). He has participated in four studies for the National Academies of Science: Multilevel Data Management Security (1982), Computers at Risk (1991), Cryptography's Role in Securing the Information Society (1996), and Improving Cybersecurity for the 21st Century: Rationalizing the Agenda (2007). His 1995 book, Computer-Related Risks, is still timely. He is a Fellow of the ACM, IEEE, and AAAS, and is also an SRI Fellow. He received the National Computer System Security Award in 2002 and the ACM SIGSAC Outstanding Contributions Award in 2005. In addition to UC Berkeley, he has taught courses at Darmstadt, Stanford, and the University of Maryland.
Technologies for Massively Scalable VPNs
David McGrew, Cisco

1pm, Thursday, September 27, 2007, Wozniak Lounge, Soda Hall

Abstract
Communities of interest, such as the devices comprising an ad-hoc network or a set of remote enclaves, often require secure network connections between them. However, as the number of devices needing to communicate grows, the resulting set of secure connections approaches a mesh configuration. Conventional Virtual Private Networks (VPNs) built out of meshes of IPsec or SSL tunnels have significant scalability limitations. The size of these VPNs is limited by the amount of VPN-specific state maintained on each device, which can include both cryptographic state and routing information, and by the communication costs of synchronizing this state among all of the VPN devices. We describe new ways of building VPNs that avoid all of these bottlenecks while still providing suitable security.
Bio
David McGrew is a Fellow at Cisco Systems, where he manages the Advanced Crypto Development group in the Security Technologies Group. His main interest is building practical security systems using cryptography, with an emphasis on performance, scalability and deployability. His theoretical interests include cryptanalysis, the design of symmetric ciphers and message authentication codes, and information theory. At Cisco, he researches and develops secure protocols and systems, and represents security issues on the University Research Board. He is also co-chair of the IRTF Crypto Forum Research Group. He is a member of the International Association for Cryptologic Research, the IEEE, the IEEE Information Theory Society, and the Internet Society.
Authentication Without Identification
Anna Lysyanskaya, Brown University

1pm, Thursday, October 4, 2007, Wozniak Lounge, Soda Hall

Abstract
Suppose that we have a valuable on-line resource (for example, an on-line library), and a whole bunch of people authorized to access various sections of this resource (for example, some people have subscribed to the fiction section of the library, while others have subscribed to the biography section.) How does the resource verify that a given user is authorized to access the requested section? One approach to resolving this issue is to first find out who the user is, and then check which sections this user is authorized to access. Some users, in the context of certain types of resources, may find this unacceptable from the privacy point of view: they may not feel comfortable communicating who they are every time that they need to access an on-line resource! Another approach would be to verify that the user has the appropriate credentials for accessing the resource in such a way that no other information about this user is revealed. The fact that this is at all possible may sound paradoxical. Even more surprising is the fact that one can remain anonymous while behaving legally, but can become identifiable should one ever violate a particular policy. In this talk, I will explain (some of) the theory of zero-knowledge proof systems that makes this possible in principle. I will then describe my past and on-going work on developing highly practical methods for authentication without identification and for balancing privacy with accountability.
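A toy of "authentication without identification", added here as an example and not the credential scheme from the talk: a subscriber proves knowledge of the secret key behind one of n enrolled public keys without revealing which one. It is a Schnorr proof of knowledge under the Cramer-Damgård-Schoenmakers OR composition, made non-interactive with Fiat-Shamir. The 128-bit safe-prime group generated at import time, the enrolled key list and the three-subscriber scenario are assumptions for the example; a real deployment would use a standard 2048-bit group or an elliptic curve, and a real credential system avoids the proof size growing with n:

```python
"""OR-proof of key knowledge: 'I am one of these subscribers' (added example)."""
import hashlib
import secrets


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; adequate here because we choose our own candidates."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=128):
    """Random safe prime p = 2q + 1 (toy size, an assumption of this example).
    4 = 2^2 is a quadratic residue, so it generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


P, Q, G = make_group()


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def _challenge(pubkeys, commitments):
    """Fiat-Shamir: hash the enrolled key list too, not only the commitments,
    so a proof cannot be replayed against a different list."""
    h = hashlib.sha256(b"or-proof|" + len(pubkeys).to_bytes(4, "big"))
    for v in list(pubkeys) + list(commitments):
        h.update(v.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def prove(pubkeys, j, x_j):
    """Prove 'I know x for some y in pubkeys' using the secret for pubkeys[j]."""
    n = len(pubkeys)
    t, c, s = [0] * n, [0] * n, [0] * n
    # Branches we cannot prove: pick (c_i, s_i) first and derive t_i so the
    # verification equation holds by construction (the zero-knowledge simulator).
    for i in range(n):
        if i != j:
            c[i], s[i] = secrets.randbelow(Q), secrets.randbelow(Q)
            t[i] = pow(G, s[i], P) * pow(pubkeys[i], Q - c[i], P) % P   # g^s / y^c
    r = secrets.randbelow(Q)                 # the real branch: honest commitment
    t[j] = pow(G, r, P)
    # The hash fixes the sum of all challenges; the real branch absorbs the rest.
    c[j] = (_challenge(pubkeys, t) - sum(c)) % Q
    s[j] = (r + c[j] * x_j) % Q
    return t, c, s


def verify(pubkeys, proof):
    """The verifier learns only that some branch is real, never which."""
    t, c, s = proof
    n = len(pubkeys)
    if not (len(t) == len(c) == len(s) == n):
        return False
    if any(not 1 < y < P or pow(y, Q, P) != 1 for y in pubkeys):   # subgroup check
        return False
    if sum(c) % Q != _challenge(pubkeys, t):
        return False
    return all(pow(G, s[i], P) == t[i] * pow(pubkeys[i], c[i], P) % P
               for i in range(n))


def demo():
    """Honest proof by subscriber 1 verifies; a tampered response does not."""
    keys = [keygen() for _ in range(3)]            # three enrolled subscribers
    pubkeys = [y for _, y in keys]
    proof = prove(pubkeys, 1, keys[1][0])
    t, c, s = proof
    tampered = (t, c, [s[0], (s[1] + 1) % Q, s[2]])
    return verify(pubkeys, proof), verify(pubkeys, tampered)
```

Every proof is a fresh random transcript, so two proofs by the same subscriber cannot be linked, which is the privacy property the abstract describes; the accountability side (becoming identifiable after a policy violation) needs additional machinery that this toy does not include.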
Bio
Anna Lysyanskaya is an Assistant Professor of Computer Science at Brown University. She received an A.B. in Computer Science and Mathematics from Smith College in 1997, and a Ph.D. in Computer Science and Electrical Engineering from MIT in 2002. She is a recipient of the NSF CAREER award. Her research interests are in cryptography, theoretical computer science, and computer security.
Need Credit? No Identity? No Problem!
Chris Hoofnagle, University of California, Berkeley

1pm, Thursday, October 18, 2007, 540 A/B Cory Hall

Abstract
In synthetic identity theft cases, an impostor creates a new identity using some information from a victim that is enhanced with fabricated personal information. For instance, the impostor may use a real Social Security number, but a falsified name and address. Since this synthetic identity is based on some real information, and sometimes supplemented with artfully created credit histories, it can be used to apply for new credit accounts. In a currently-ongoing case, two men alleged to have used this tactic applied for and obtained 250 credit cards and amassed $760,000 in charges. Experts following fraud trends claim that synthetic identity theft is a growing problem, and is responsible for massive losses among financial services institutions. How can a fabricated person obtain credit? This presentation will explore the synthetic identity theft problem, its roots in credit authentication, and possible approaches to reducing its incidence and severity.
Bio
Chris Hoofnagle is a privacy expert and lawyer admitted to practice in California and DC. He serves as senior staff attorney to the Samuelson Law, Technology and Public Policy Clinic and senior fellow to the Berkeley Center for Law and Technology at the University of California-Berkeley Boalt Hall School of Law. Prior to joining Boalt, Chris was senior counsel to the Electronic Privacy Information Center, where he ran the organization's West Coast Office. In 2005, Chris was a non-residential fellow at Stanford University's Center for Internet and Society. Over the years, Chris has testified before Congress, the California Legislature, and the Judicial Conference of the United States on various privacy issues. Chris has provided commentary in over 1,000 news stories in national print and broadcast media. Chris' academic articles on the First Amendment and privacy are online at SSRN.
Distributed Wireless Sensors on the Human Body
Ruzena Bajcsy, University of California, Berkeley

1pm, Thursday, October 25, 2007, Wozniak Lounge, Soda Hall

Abstract
Advances in technology have led to development of various sensing, computing and communication devices that can be woven into the physical environment of our daily lives. Such systems enable on-body and mobile health-care monitoring, can integrate information from different sources, and can initiate actions or trigger alarms when needed. In this talk, we describe a collaborative signal processing scheme for physical movement monitoring with motion sensors. The signal processing consists of preprocessing, feature extraction and classification. We define a measure on feature significance as well as features correlations. We characterize a graph model for collaborative signal processing based on the aforementioned measures, and illustrate how this model can be utilized to efficiently synthesize computation and communication for highly resource constrained wearable and mobile systems. We are examining the optimal positioning of sensors on the body for given physical activities, and focus on the segmentation and classification problem of the analysis of the continuous measurements of the observations obtained from the sensors. We have experimental data from different age subjects and show the individual differences amongst subjects.
Bio
Dr. Ruzena Bajcsy was appointed Director of CITRIS and professor in the EECS department at the University of California, Berkeley on November 1, 2001. Prior to coming to Berkeley, she was Assistant Director of the National Science Foundation's Computer and Information Science and Engineering Directorate (CISE) between December 1, 1998 and September 1, 2001, where she managed a $500 million annual budget. She came to the NSF from the University of Pennsylvania, where she was a professor of computer science and engineering. In 2004 she became CITRIS director emeritus and is now a full-time professor of EECS. Dr. Bajcsy was a member of President George W. Bush's Information Technology Advisory Committee (2003-2006); in that role she co-authored the report "Computational Science: Ensuring America's Competitiveness", submitted to President Bush on May 27, 2005. Dr. Bajcsy is a pioneering researcher in machine perception, robotics and artificial intelligence. She was also Director of the University of Pennsylvania's General Robotics and Active Sensory Perception Laboratory, which she founded in 1978. She has done seminal research in human-centered computer control, cognitive science, robotics, computerized radiological/medical image processing and artificial vision. She is highly regarded not only for her research contributions but also for her leadership in creating a world-class robotics laboratory, recognized worldwide as a premier research center. She is a member of the National Academy of Engineering and of the Institute of Medicine, and is especially known for her wide-ranging outlook and her cross-disciplinary leadership in bridging such diverse areas as robotics and artificial intelligence, engineering and cognitive science. Dr. Bajcsy received her master's and Ph.D. degrees in electrical engineering from Slovak Technical University in 1957 and 1967, respectively, and a Ph.D. in computer science from Stanford University in 1972; since then she has been teaching and doing research, first at Penn's Department of Computer and Information Science, where she began as an assistant professor and within 13 years became chair of the department. Before Penn, she taught during the 1950s and 1960s as an instructor and assistant professor in the Department of Mathematics and Department of Computer Science at Slovak Technical University in Bratislava. She has served as advisor to more than 50 Ph.D. recipients. In 2001 she received an honorary doctorate from the University of Ljubljana in Slovenia, and in the same year the ACM Allen Newell Award.
Experiences With Countering Internet Attacks
Vern Paxson, University of California, Berkeley / International Computer Science Institute, Berkeley / Lawrence Berkeley National Laboratory

1pm, Thursday, November 1, 2007, Wozniak Lounge, Soda Hall

Abstract
As the Internet assumes an evermore important role in our lives, it becomes increasingly vital to secure it from those seeking to exploit it through misuse. The nature of the network's technology and end systems, however, makes this a formidable challenge. Not only must we secure myriad forms of mechanisms and services, but we must do so (1) faced with adversaries who continually improve their tactics, (2) armed only with technology we can "bolt on" to an architecture not designed with defense in mind, (3) in the presence of ambiguities, some fundamental, regarding semantics and intent, (4) as the reach of the network and breadth of its applications continues to race forward. This talk draws upon my experiences from over a decade of conducting network security research in a hands-on operational setting at the Lawrence Berkeley National Laboratory. I will frame the range of real-world constraints that shape the efforts, the deep problem of "evasion", and the successes and challenges of tackling the threat posed by the large-scale compromise of Internet hosts due to automated malware such as worms and botnets.
Bio
Vern Paxson is a professor at the University of California, Berkeley, a senior scientist at the International Computer Science Institute (ICSI) in Berkeley as well as a staff scientist with the Lawrence Berkeley National Laboratory. His main active research projects address network intrusion detection in the context of Bro, a high-performance network intrusion detection system he developed; large-scale network measurement and analysis; and Internet-scale attacks, particularly rapidly-propagating network "worms." The last item is realized as part of CCIED, the US NSF-sponsored Collaborative Center for Internet Epidemiology and Defenses, which he co-directs with Prof. Stefan Savage of the University of California, San Diego. Some of his other professional activities include service as the vice-chair of ACM SIGCOMM, program co-chair for the 2006 IEEE Symposium on Security & Privacy and the ACM SIGCOMM HotNets 2007, and co-founder of the ACM Internet Measurement Conference.
POTSHARDS: Secure Long Term Archival Storage Without Encryption
Ethan Miller, University of California, Santa Cruz

1pm, Thursday, November 8, 2007, Wozniak Lounge, Soda Hall

Abstract
Modern archival storage systems either store data in the clear, ignoring security, or rely on keyed encryption to ensure privacy. However, the use of encryption is a major concern when data must be stored for an indefinite period of time - key management becomes increasingly difficult as file lifetimes increase, and data loss becomes increasingly likely because keys are a single point of failure and losing a key is comparable to data deletion. Moreover, traditional systems are subject to the obsolescence of encryption algorithms themselves, which can expose petabytes of data the instant a cryptographic algorithm is broken. To address these concerns, we developed POTSHARDS, an archival storage system that addresses the long-term security needs of data with very long lifetimes without the use of encryption. POTSHARDS separates security and redundancy by utilizing two levels of secret splitting in a way that allows the original data to be reconstructed from the stored pieces. However, the data structures used in POTSHARDS are also designed in such a way that an unauthorized user attempting to collect sufficient shares to reconstruct any data will not go unnoticed. An evaluation of our POTSHARDS implementation shows that it stores and retrieves data at 2.5-5 MB/s, demonstrates its ability to recover user data given all of the pieces a user has stored across the archives, and proves its ability to recover from the loss of an entire archive.
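An added example of the two-level idea in the abstract, using textbook secret splitting rather than the POTSHARDS data structures themselves: an m-of-m XOR split provides secrecy with no key to manage, and a k-of-n Shamir split of each fragment across archives provides redundancy, so the two concerns are handled by separate layers. The sample record, the five-archive layout and the prime field 2^127-1 are constructed for the example:

```python
"""Keyless archival protection by two levels of secret splitting (added example).

Level 1, secrecy: an m-of-m XOR split.  Any m-1 fragments are uniformly
random, so confidentiality rests on keeping the fragments apart, not on a
key that must survive for decades or a cipher that may be broken.
Level 2, availability: each fragment is Shamir-split k-of-n across archives,
so losing an entire archive is survivable.
"""
import secrets

PRIME = (1 << 127) - 1    # Mersenne prime 2^127 - 1: the Shamir field (assumption)
CHUNK = 15                # 120-bit chunks always lie below PRIME


def xor_split(data, m):
    """m-of-m split: m-1 one-time pads plus (data XOR all pads)."""
    pads = [secrets.token_bytes(len(data)) for _ in range(m - 1)]
    last = bytes(data)
    for pad in pads:
        last = bytes(a ^ b for a, b in zip(last, pad))
    return pads + [last]


def xor_join(fragments):
    out = bytes(len(fragments[0]))
    for frag in fragments:
        out = bytes(a ^ b for a, b in zip(out, frag))
    return out


def _eval_poly(coeffs, x):
    acc = 0
    for coef in reversed(coeffs):      # Horner's rule; coeffs[0] is the secret
        acc = (acc * x + coef) % PRIME
    return acc


def shamir_split(value, k, n):
    """n points of a random degree-(k-1) polynomial with f(0) = value."""
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def shamir_join(points):
    """Lagrange interpolation at x = 0 from any k distinct points."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def archive_store(data, m, k, n):
    """archives[a] holds shares (fragment, chunk_offset, x, y); share x = a + 1."""
    archives = [[] for _ in range(n)]
    for fi, frag in enumerate(xor_split(data, m)):
        for off in range(0, len(frag), CHUNK):
            value = int.from_bytes(frag[off:off + CHUNK], "big")
            for a, (x, y) in enumerate(shamir_split(value, k, n)):
                archives[a].append((fi, off, x, y))
    return archives


def archive_retrieve(archives, m, k, length):
    """Rebuild the data from any k surviving archives (None marks a lost one)."""
    alive = [a for a in archives if a is not None][:k]
    if len(alive) < k:
        raise ValueError("fewer than k archives survive")
    lookup = [{(fi, off): (x, y) for fi, off, x, y in arch} for arch in alive]
    fragments = []
    for fi in range(m):
        frag = b""
        for off in range(0, length, CHUNK):
            value = shamir_join([tab[(fi, off)] for tab in lookup])
            frag += value.to_bytes(min(CHUNK, length - off), "big")
        fragments.append(frag)
    return xor_join(fragments)


def demo():
    """2-way XOR split, 3-of-5 Shamir split, then lose one whole archive."""
    data = b"tax records 1999-2007: do not lose, do not leak"    # constructed
    archives = archive_store(data, m=2, k=3, n=5)
    archives[1] = None                                            # archive lost
    recovered = archive_retrieve(archives, m=2, k=3, length=len(data))
    try:
        archive_retrieve(archives[:2], m=2, k=3, length=len(data))
        too_few = False
    except ValueError:
        too_few = True
    return recovered == data, too_few
```

Losing one archive costs nothing because any three of the five hold enough shares of every chunk, and confidentiality does not depend on any cipher: fewer than k Shamir points, and fewer than m XOR fragments, are each information-theoretically uniform. What this example does not show is the abstract's other property, noticing an unauthorized party gathering shares, which needs the archive-side structures the talk describes.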
Bio
Ethan L. Miller is an associate professor of computer science at the University of California, Santa Cruz, where he is a member of the Storage Systems Research Center (SSRC). He received his ScB from Brown in 1987 and his PhD from UC Berkeley in 1995, where he was a member of the RAID project. He spent six years at the University of Maryland Baltimore County before joining the UC Santa Cruz faculty in 2000. He has written over 80 papers covering topics such as archival storage, large-scale storage systems, file systems for next-generation storage technologies, secure file systems, distributed systems, and information retrieval. His current research projects, which are funded by the National Science Foundation, Department of Energy, and industry support for the SSRC, include issues in petabyte-scale storage systems, long-term archival storage systems, and file systems for non-volatile RAM technologies; earlier research on information retrieval was funded by the Department of Defense. Prof. Miller's broader interests include file systems, operating systems, parallel and distributed systems, and computer security. In addition to research and teaching in storage systems and operating systems, Prof. Miller has consulted with industry to help move research results into commercial use. He can be contacted at elm@cs.ucsc.edu
Privacy Tools for the End User
Jessica Staddon, PARC

1pm, Thursday, November 15, 2007, Wozniak Lounge, Soda Hall

Abstract
We frequently find ourselves in a position to release potentially sensitive content and left with the challenge of determining if doing so constitutes a privacy risk. This occurs in our personal lives when we register at web sites, or author blogs, as well as in our professional lives when we work with customer data or other corporate/government documents. There have been many well publicized examples of the consequences of failing to evaluate the sensitivity of the content correctly, including job loss, classified leaks and endangerment of the lives of the individuals referred to in the content. Despite this, there is little in the way of tools to help the user determine content sensitivity or give the user recourse in case the content is misused. I'll talk about work we've done at PARC to address these problems.
Bio
Jessica Staddon's research interests include the secure broadcast of digital content and data privacy. She regularly serves on program committees for ACM and IACR sponsored conferences and serves on the editorial boards of the International Journal of Information and Computer Security and the Journal of Computer Security. Jessica received her Ph.D. in Mathematics from U.C. Berkeley in 1997 and currently manages PARC's Security and Privacy research area: http://www.parc.com/security
Building Reliable Voting Machine Software
Ka-Ping Yee, University of California, Berkeley

1pm, Thursday, November 29, 2007, Wozniak Lounge, Soda Hall

Abstract
The democracy upon which our modern society is built ultimately depends on a system that collects and counts votes. In the United States today, and to an increasing extent elsewhere, nearly every part of that system relies on computer software in some way. Widely reported failures in the usability, security, stability, and correctness of such software have led to a crisis in confidence. I will discuss ways to achieve confidence in the voting system as a whole and voting machine software in particular, with emphasis on that most thorny of software security challenges, the insider attack. How can we design reliable software, and if someone else designs it, how can we tell if it is reliable? I will explain why the software in the voting machine is the most crucial of all, propose a design for software that is hundreds of times smaller and simpler than that used in some of today's leading voting machines, and argue that this can help lead to voting machines that are more reviewable, usable, accessible, and secure.
Bio
Ka-Ping Yee is a Ph.D. candidate in Computer Science at UC Berkeley. His graduate research has focused on security and usability. He participated in this past summer's Voting Systems Review for the California Secretary of State as a reviewer of voting system source code, and his work on voting systems has been published at the USENIX/ACCURATE Electronic Voting Technology workshop.
Quantifying Strengths and Risk Assessments of Software Protections
George Cybenko, Dartmouth College

1pm, Thursday, December 6, 2007, Wozniak Lounge, Soda Hall

Abstract
There has been great interest in developing quantitative metrics and economic models for computer security, but relatively little progress. This talk will present a novel approach called "Quantitative Evaluation of Risk for Investment Efficient Strategies" (QUERIES) for quantitative metrics and economic models relevant to cybersecurity. The methodology relies on a variety of different ingredients: red teaming, information markets, partially observable Markov decision processes and even American options pricing algorithms. The technique has been applied to a specific DoD software protection problem in which critical digital intellectual property is to be protected against reverse engineering, piracy and/or unauthorized modification. The methodology and actual experimental results will be presented in this talk. Possibilities for extending the methodology to other security domains will be discussed.
Bio
George Cybenko, Dorothy and Walter Gramm Professor of Engineering at Dartmouth, received his B.Sc. in mathematics at the University of Toronto, and an M.A. in mathematics and Ph.D. in applied mathematics from Princeton. He has taught on the computer science faculty at Tufts University and was professor of electrical engineering and computer science at the University of Illinois, Champaign-Urbana. He has served as editor for several mathematics, computer, and information theory publications, has helped organize dozens of conferences and symposia, and has published over one hundred journal papers, book chapters, and conference proceedings. An IEEE Fellow, he is a member of the IEEE Computer Society and SIAM. In November 2002, he was named founding editor-in-chief of IEEE Security & Privacy magazi
Two Techniques for Programming by Sketching
Rastislav Bodik, University of California, Berkeley

1pm, Thursday, December 13, 2007, Wozniak Lounge, Soda Hall

Abstract
Programmers would love to have their code automatically synthesized, but current synthesizers are domain-specific and require expert guidance. With programming by sketching, we seek to bring software synthesis to everyday programming. I will present results from two efforts: a sketching language for high-performance kernels and a programmer's search engine.

SKETCH: In the SKETCH language, the programmer writes a program with holes, called a sketch. The synthesizer then fills in the holes so that the completed sketch behaves like a separately provided specification. Buggy sketches are rejected, giving us correctness by construction. Also, since holes stand for tricky code fragments, programmers can develop sophisticated implementations faster. SKETCH is based on the first combinatorial (2QBF) synthesizer.

PROSPECTOR: Reusing code is hard because flexible APIs are necessarily complex. To ease development of client code, we developed Prospector, a programmer's search engine. Given a query expressing the coding intent, Prospector synthesizes code candidates ready for insertion into the program. The enabling innovation is the jungloid, a code pattern that covers many API coding headaches. I will explain how jungloids lead to simple search queries, how jungloids are mined, and how Prospector synthesizes jungloids never seen in the mining corpus.
Bio
Ras Bodik is an Assistant Professor at UC Berkeley. Previously, he was at University of Wisconsin. His current projects explore how run-time information can aid program analysis in solving problems of computer architecture, software engineering, and dynamic compilation.

Details about how the seminar is managed can be found at How is the TRUST Seminar managed?

If you are interested in presenting, or have a question about our seminar please contact Alvaro A. Cárdenas.

© 2005-2010 Trust