2006 Trust Seminars

In this talk I will present the problem of detecting MAC layer misbehavior techniques in wireless networks. I will review the detection schemes DOMINO and SPRT. The evaluation process is carried out in three steps. We first evaluate a formal statistical model of adversarial behavior. Following that, we define the properties of an optimal detector and develop a new tractable analytical model for DOMINO. Furthermore, we present a new analytical derivation of the SPRT test for detection of the worst-case attacker. Finally, we evaluate the optimality of each algorithm by testing it against worst-case attacks of different intensities, proving the optimality of SPRT-based schemes for all attack intensities. This work is done in collaboration with Svetlana Radosavac.

Note: Special Day and time: 2:30pm, Wednesday, December 6, 540 A/B Cory

Since the 1990s Internet attacks have seen a great deal of growth in both sophistication and automation. Today, the severity and pace of innovation of attacks threatens to increase much further, as the perpetrators find ways to commercialize their activities and create economic markets in which to conduct them.

This talk draws upon experiences from a decade of conducting network security research in a hands-on operational setting at the Lawrence Berkeley National Laboratory. I will frame the range of real-world constraints that shape the efforts, the deep problem of "evasion", and the successes and challenges of tackling the threat posed by the large-scale compromise of Internet hosts due to automated malware such as worms and botnets.

Note: Special Day, time and place!: 1:00pm, Tuesday, December 5, 521 Cory

The increased need for security has furthered the cause of biometrics, which is seen as a strong proof of identity. The UK, for instance, will set up a National Identity Register, in which face, iris and fingerprints of each citizen are to be recorded. Some of the prospective users have doubts about the reliability of the technology, and concerns about privacy and identity theft. In the seminar, I will discuss if and how the concerns can be overcome. Based on past deployments and recent field trials, I will examine the reliability, performance and usability of current equipment, and describe problems some individuals and user groups have encountered, and identify improvements required and unresolved issues.

Note: Special Location: 299 Cory

Increasingly sophisticated and wily attackers aren't the only challenges that network security researchers face. A number of legal considerations also raise considerable challenges for security researchers, particularly for those working in the area of experimental network defense. My goal is to bring some clarity to the body of law that governs a variety of experimental activities that researchers pursue, and to suggest ways that law and policy might better accommodate this important area of research. In addition, I will highlight some of the broader public policy concerns, such as individual privacy, that researchers should weigh when designing experiments. To illustrate the kinds of legal and policy challenges that researchers face, I will discuss the issues as they relate to collecting, distributing, and storing network traffic datasets; running honeynets; and running testbed experiments that contain instances of malicious code. Through these examples, I will point to some possible legal reforms that would facilitate network research, while still protecting the public policy interests that current laws are intended to embody.

Static program analysis suffers from a fundamental trade-off between precision and scalability, and the analyses that scale to the largest programs are generally not the most precise methods known. This talk describes how recent advances in algorithms for solving instances of Boolean satisfiability (SAT) can be exploited to relax this trade-off, resulting in analyses that are both more precise and more scalable than existing techniques, as well as how these improved capabilities might be used in verification of properties of large systems.

Ad-hoc sensor networks have become common over the past few years and the domain of their application is increasing widely. However, the security of these networks poses a great challenge due to the fact that they consist of tiny wireless devices which have limited hardware and energy resources. In addition, these networks are generally deployed and then left unattended. These facts coupled together make it impractical to directly apply the traditional security mechanisms to the sensor network paradigm. Therefore, there is a need to analyze and better understand the security requirements of sensor networks. This talk provides a comprehensive taxonomy of security attacks on sensor networks, and outlines the existing solutions for each set of attacks and points out the research directions which need to be further investigated in the future.

http://www.cyberconflict.org:

November 3, 2006.

"Automated Intruder Tracking using Particle Filtering and a Network of Binary Motion Sensors."

Jeremy Schiff (UC Berkeley), 4pm, Thursday, November 2, 2006, 540 A/B Cory

Our objective is to automatically track and capture photos of an intruder using a robotic pan-tilt-zoom camera. In this talk, we consider the problem of automated position estimation using a wireless network of inexpensive binary motion sensors. The challenge is to incorporate data from a network of noisy sensors that suffer from refractory periods during which they may be unresponsive. We propose an estimation method based on Particle Filtering, a numerical sequential Monte Carlo technique. We model sensors with conditional probability density functions and incorporate a probabilistic model of an intruder's state that utilizes velocity. We present simulation and experiments with passive infrared (PIR) motion sensors that suggest that our estimator is effective and degrades gracefully with increasing sensor refractory periods.

Governance of Trusted Computing

Clark Thomborson (University of Auckland) Note: Special Day and time: 3-4pm, Wednesday, October 25, 2006. 540 A/B Cory

Trusted computing systems offer great promise in corporate and governmental applications. Their uptake has been very slow outside of the national security agencies for which they were developed, in part because they have been difficult and expensive to configure and use. Recent designs are easier to use, but some compliance and governance issues are unresolved. Our analysis suggests that cryptographic systems, in order to be trustworthy in corporate environments, must support an audit of their most important operations. At minimum the audit record must reveal the number of keys that have been generated, as well as the creation times and authorities of these keys. This record of cryptographic activity must be tamper-evident, and must be open to inspection by the IT staff of the corporate owners as well as by their independent auditors.

When a Good Reputation isn't Good Enough

Jonathan Traupman (UC Berkeley), 4pm, Thursday, October 19, 2006, 540 A/B Cory

We propose a game theoretic model for the trading and feedback process in peer-to-peer marketplaces. Using this model, we construct an evolutionary marketplace simulator, which we use to investigate the effectiveness of reputation systems. Our experiments show that under the right circumstances, a reputation system is sufficient for encouraging cooperation among a pool of self-interested agents. However, we also show that features of existing reputation systems, namely allowing users to retaliate for negative feedback, drastically undermine reputation system effectiveness.

Detection of attacks on cognitive channels

Annarita Giani (Dartmouth), 4pm, Thursday, October 12, 2006, 540 A/B Cory

This talk introduces a variety of novel approaches to modeling and detecting attacks on cognitive channels. A cognitive channel is the communication channel between a person and the information technology used. An attack on a cognitive channel exploits the vulnerabilities between the user, her perception of the information system, and the actual underlying technology.

The sophistication of modern information systems and their growing presence in human activities has made these channels attractive targets. Cognitive channels are increasingly the weak links in an information system because traditional technical vulnerabilities are being fixed. This has created a significant gap between computer security technology and the threat space.

Modern cognitive channel attacks are in fact complex processes that can be detected and tracked. An effective approach to defending against cognitive channel attacks therefore involves accurate process modeling and the development of new attack models based on processes. We have identified and implemented several approaches based on the Process Query System paradigm.

"What Price Insularity? Dialogs about Computer Security Failings"

Fred Schneider (Cornell), October 4th, 4-5 p.m., 202 South Hall
Pod Cast

It is risky for technologists to ignore the non-technical context in which their systems will be deployed, just as it is risky for policy makers to ignore the limits and potential of technology. Yet such insularity is all too common. The results are unfortunate but not surprising. This lecture explores the structure dialogs take to bring about what might be termed "security failings" by revisiting: identity theft, electronic voting, digital right management, and the overall vulnerabilities of today's deployed software.

"Statistical Methods for Multimedia Forensics"

Negar Kiyavash, UIUC, 4pm, Wednesday, May 31, 540 A/B Cory.

This talk will address several fundamental questions in the general area of Digital Rights Management (DRM) for multimedia, and in particular digital fingerprinting (a.k.a. traitor tracing) methods. These methods are targeted at Intellectual Property Protection (IPP) problems as they deter users from illegally redistributing digital content. Applications range from movie screening to file sharing and national security.

A particularly nefarious form of attack on Digital Fingerprinting systems is posed by coalitions of legal users who combine their contents to undermine the fingerprints. In fact, the main challenge in Digital Fingerprinting is the design of collusion resistant fingerprints. My research has addressed fundamental issues of design and analysis of collusion resistant fingerprints. In this talk, I will introduce a novel mathematical framework for analyzing the performance of collusion attacks. The collusion attack is viewed as the cascade of an estimator of digital content and a source of randomness. Statistical signal processing methods are used to design and analyze these attacks. The worst attack in a vast class of deterministic and randomized order-statistic attacks will be identified. I will also present an algebraic fingerprint construction that can resist any attack as long as number of colluders is much smaller than the square root of the length of the digital content. This is the first provably optimal code construction for multimedia Digital Fingerprinting. Finally, I will address the performance of random codes and describe the regime where satisfactory performance can be guaranteed.

"Network Protocol Security Standards" ( PDF Slides - Windows Media Webcast)

John Mitchell, Stanford
Webcast: Wednesday, May 24th, 4:15-5:30PM PDT

A small number of network protocols such as SSL/TLS and Kerberos are extremely widely used to protect a vast assortment of extremely valuable information. This talk will describe some systematic ways of analyzing the security of network protocols that use cryptography and discuss some example case studies. Using the methods described in this talk, groups at Stanford and elsewhere have found errors and improvements in SSL/TLS, the key management protocols for IPSEC, the 802.11i wireless authentication protocol, other wireless protocols, and Kerberos.

"Evaluation of Classifiers used in Security Applications"

Alvaro Cardenas, University of Maryland
Thursday, May 25th, 4-5pm, 540 A-B Cory

In recent years several tools based on statistical methods and machine learning have been incorporated in security related tasks involving classification, such as intrusion detection systems, fraud detection, spam filters, biometrics and multimedia forensics. Measuring the security performance of these classifiers is an essential part for facilitating decision making, determining the viability of the product, and providing the insight necessary to improve the design of the system. There are however relevant considerations for security related problems that are sometimes ignored by traditional evaluation schemes. The first consideration is the usually large class imbalance between normal events and attack events. The second consideration is the fact that the classifier or learning rule will be deployed in an adversarial environment. In this talk we introduce the Bayesian-ROC curves for the class imbalance problem and provide a framework to evaluate the performance under the worst type of adversarial attacks. We provide practical examples in intrusion detection and multimedia watermarking.

"Building Security into Embedded Systems: Validating Theoretical Design using Experimental Platforms"

Yuan Xue, Vanderbilt University
Webcast: Tuesday, May 23, 3-4PM CDT

Embedded systems play a crucial role in national critical infrastructure. There is an increasing concern of security threats as embedded systems are migrating from proprietary solutions to open standard, and from standalone systems to networked environments. Although security has been the subject of intensive research in the areas of cryptography, operating systems, and networks, designing secure embedded systems still faces unique challenges and has unsolved problems. One comes from the fact that embedded system design is a systems-software co-design problem that needs to meet cross cutting requirements in terms of performance and physical constraints. Security considerations introduce additional cross-cutting requirements that need to be integrated into the design process and validated over the software and hardware platforms. This talk will present our efforts in validating secure embedded system designs using two experimental platforms.

1. Model-based approaches have proven to be an effective solution for embedded system design. We propose a co-design framework to integrate security modeling in embedded system design. To validate our approach, we built an experimental platform which allows for "Hardware"-in-the-Loop testing of embedded controllers. The platform is based on a high-fidelity real-time simulation of a physical plant with a three tank fluid-transfer system. Code Generators create code from security enriched models of the system. We exercise this code on the experimental platform to test for security properties. We show example attacks on the embedded controller and demonstrate how security models can be mapped to underlying platform services.
2. Our research on secure wireless embedded sensor networks is motivated and based on an application, called "Dirty Bomb Detection and Localization", in collaboration with Oak Ridge National Lab. Based on this sensor network platform, we have conducted security analysis for wireless sensor systems and showcased the security solutions for a list of system vulnerabilities using variety of techniques. This includes performing ranging and tracking using multiple frequencies to defend against jamming attacks, and preventing bogus tracking result and false tracking command based on a novel peer authentication mechanism.

"Security in Sensor Networks: Industry Trends, Present and Future Research Directions"

Adrian Perrig, CMU.
Webcast: Monday, April 17, 12 noon EDT.

"Trust NSF Site Visit Planning"

Vijay Raghavan, UC Berkeley EECS, Tuesday, April 11 UC Berkeley, 540 AB Cory, 12:30-2 (Lunch: 12:30-1, Presentation: 1-2)

Our 4/11 Trust seminar will be a brainstorming session in advance of the NSF site visit on 11/27-28.

"Authenticated Key Exchange: Passwords, Groups, and Low-Powered Devices"

Dr. Olivier Chevassut (LBNL), Tuesday, April 4 UC Berkeley, 540 AB Cory, 12:30-2 (Lunch: 12:30-1, Presentation: 1-2)

Many emerging technologies such as web services, grid computing, peer-to-peer, and sensor networks can achieve significant benefits if they leverage distributed computing concepts. However, these next generation technologies also need to be secure. Existing communication protocols to support distributed systems are missing many important security features. Modifying existing security protocols is risky and complicated since even minor modifications change the security model and the assumptions upon which the technologies were built. While the security goals (i.e. confidentiality, integrity, authentication, ...) remain the same, new foundations need to be laid down in order to construct and develop cryptographic protocols that would support these goals. In this talk, I will clarify the immediate needs in secure communication for next generation distributed applications and present the "provably-secure" cryptographic protocols we have developed to address these needs: (i) authentication methods based on (one-time) passwords; (ii) session-key establishment methods for groups; (3) session-key establishment for low-powered devices. I will also present our on-going work on integrating these cryptographic protocols into implementations where they can provide immediate benefit to users such as the Web Services Resource Framework (WSRF) and the OpenSSL library.

This work is in collaboration with Michel Abdalla (ENS, France), David Pointcheval (ENS, France), Emmanuel Bresson (CELAR, France), and Bodo Moeller (Ruhr-Universitat Bochum, Germany).

Dr. Olivier Chevassut obtained his doctorate in computer science (with a minor in cryptography) for his work on the authenticated group Diffie-Hellman key exchange at both the Universite Catholique de Louvain in Belgium (UCL) and the Lawrence Berkeley National Laboratory (LBNL). Olivier is the lead cryptographic expert for the Computational Research Division at LBNL.

"Privacy and Security in Demand Response Energy Systems"

Erin Jones, UC Berkeley Law, Tuesday, March 21, UC Berkeley, 540 AB Cory, 12:30-2 (Lunch: 12:30-1, Presentation: 1-2)

In the wake of the California energy crisis of 2000-2001, the California Energy Commission and California Public Utilities Commission began to develop demand response energy programs that might reduce peak energy demand. With demand response, residential customers will be subject to energy rates that vary over the day, rising during times of peak demand.

To enable this vision, utilities plan widespread deployment of advanced energy meters that will measure energy usage every 15 minutes - 1 hour and send this information to the utility, often wirelessly. Longer term plans include a switch to time-varying dynamic tariffs, demand response, and in-home sensor networks that can monitor and control energy usage.

This project has focused on privacy and security issues that may evolve along with demand response technologies and infrastructures. Having completed interviews with energy industry practitioners about current and future plans, interviews with law enforcement to understand how energy records may be used, and by studying the current legal and regulatory framework for privacy in energy systems, wireless transmissions and in the home, we discuss how a demand response network could be constructed to optimally protect privacy and security.

"Can Machine Learning Be Secure?"

Doug Tygar, UC Berkeley EECS, Tuesday, March 14, UC Berkeley, 540 AB Cory, 12:30-2 (Lunch: 12:30-1, Presentation: 1-2)

Machine learning systems offer unparalleled flexibility in dealing with evolving input in a variety of applications, such as intrusion detection systems and spam e-mail filtering. However, machine learning algorithms themselves can be a target of attack by a malicious adversary. This talk discusses the security of Machine Learning. This talk is joint work with Marco Barreno, Anthony Joseph, Blaine Nelson, and Russell Sears.

"Defending the Internet"

Vern Paxson, UC Berkeley EECS
Note: different place & time: UC Berkeley, 306 Soda Hall, Tuesday, March 14, 4-5pm

As the Internet assumes an ever more important role in our lives, it becomes increasingly vital to secure it from those seeking to exploit it through misuse. The nature of the network's technology and end systems, however, makes this a formidable challenge. Not only must we secure myriad forms of mechanisms and services, but we must do so (1) faced with adversaries who continually improve their tactics, (2) armed only with technology we can "bolt on" to an architecture not designed with defense in mind, (3)in the presence of ambiguities, some fundamental, regarding semantics and intent, (4) as the reach of the network and breadth of its applications continues to race forward.

This talk will frame my perspectives on this landscape, particularly the factors that increasingly push for embedding defense elements directly in network hardware. As an exemplar of the issues that arise, I will discuss my recent work on exploring hardware support for a seemingly trivial network analysis task, namely reassembling potentially out-of-order Internet packets to recover the "byte stream" they carry.

This task - quite prosaic viewed in isolation - becomes orders of magnitude more difficult in the presence of an adversary whose goal is to either subvert further network analysis, or impede legitimate traffic. Finally, I will argue for pursuing a fundamental change in the paradigm of how hardware supports network security.

"Some Applications of Number Theory and Algebraic Geometry to Cryptography"

Alice Silverberg, UC Irvine,
Note: different place & time: UC Berkeley, 60 Evans Hall, Thursday, March 16, 4:10-5pm

We will discuss cryptography based on the discrete logarithm problem in multiplicative groups of finite fields, including an introduction to the Diffie-Hellman, ElGamal, and XTR cryptosystems. We will show that studying the underlying mathematics of these systems leads to interesting questions about algebraic tori, which in turn lead to new cryptosystems (such as the CEILIDH cryptosystem).

http://math.berkeley.edu/events_week.html

"Better web browser privacy using automation"

Umesh Shankar, UC Berkeley EECS, Tuesday, March 7, UC Berkeley, 540 AB Cory, 12:30-2 (Lunch: 12:30-1, Presentation: 1-2)

Many existing computer security systems often have powerful policy languages that allow great flexibility and control, but are hard to use. A real-world analogy is a home alarm system with sophisticated sensors but with an inscrutable control panel. In each case, the result is the same: users become frustrated and bypass the security mechanism: functionality wins over privacy. The causes of the usability failures are manifold; policies may be complicated, and people are not supplied relevant information to make their decisions.

I will be talking about ongoing work in a visible area: web browser privacy. We propose a new set of automation mechanisms for handling browser cookies that attempts to simultaneously decrease the burden on users and increase the accuracy and precision of the resulting cookie policy. We also have implemented a single-click error recovery mechanism. We tackle several challenging subproblems on the way.

"Human Computation"

Luis von Ahn, Thursday, Feb 2, 4:00pm, 306 Soda, Faculty Candidate Talk

Tasks like image recognition are trivial for humans, but continue to challenge even the most sophisticated computer programs. This talk introduces a paradigm for utilizing human processing power to solve problems that computers cannot yet solve. Traditional approaches to solving such problems focus on improving software. I advocate a novel approach: constructively channel human brainpower using computergames. For example, the ESP Game, described in this talk, is an enjoyable online game -- many people play over 40 hours a week -- and when people play, they help label images on the Web with descriptive keywords. These keywords can be used to significantly improve the accuracy of image search. People play the game not because they want to help, but because they enjoy it. The ESP Game has been licensed by a major Internet company and will soon become the basis of their image search engine.

I describe other examples of "games with a purpose": Peekaboom, which helps determine the location of objects in images, and Verbosity, which collects common-sense knowledge. I also explain a general approach for constructing games with a purpose.In addition, I describe my work on CAPTCHAs, automated tests that humans can pass but computer programs cannot. CAPTCHAs take advantage of human processing power in order to differentiate humans from computers, an ability that has important applications in practice.The results of this work are currently in use by hundreds of Web sites and companies around the world, and over 100,000 people have played some of the games presented in this talk.

Practical applications include improvements in areas such as: image search, adult-content filtering, spam prevention, common-sense reasoning, computer vision, accessibility, and security in general.