Title: Searchable Symmetric Encryption: Locality Lower Bounds and Constructions for Large Indexes & Richer Queries
Searchable symmetric encryption (SSE) allows a data owner to encrypt an index so that an untrusted server, which cannot decrypt the data, can still search it. In this talk I will describe joint works on building SSE that scales to indexes with tens of billions of record/keyword pairs while securely supporting rich search queries such as conjunctions of keywords. I will also describe a theoretical lower bound on the spatial locality of searchable encryption, showing that encrypted search is "inherently non-local" (and thus often slower) compared to plaintext searching.
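As a rough illustration of the kind of object an SSE scheme produces (greatly simplified relative to the constructions in the talk), the sketch below builds an encrypted inverted index whose labels and ciphertexts are derived with HMAC as a PRF. The key-derivation labels and layout are invented for exposition only:

```python
# Minimal single-keyword SSE sketch: the server sees only PRF-derived
# labels and padded ciphertexts, yet can answer keyword queries given a
# per-keyword token. Not the talk's construction -- an illustration.
import hmac, hashlib

def prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def build_index(master_key: bytes, index: dict) -> dict:
    """Encrypt a plaintext inverted index {keyword: [doc ids]}."""
    edb = {}
    for word, ids in index.items():
        k_w = prf(master_key, b"label|" + word.encode())   # label key
        k_e = prf(master_key, b"enc|" + word.encode())     # encryption key
        for i, doc_id in enumerate(ids):
            label = prf(k_w, i.to_bytes(4, "big"))
            pad = prf(k_e, i.to_bytes(4, "big"))           # one-time pad per entry
            ct = bytes(a ^ b for a, b in zip(doc_id.encode().ljust(32, b"\0"), pad))
            edb[label] = ct
    return edb

def search(edb: dict, k_w: bytes, k_e: bytes) -> list:
    """Server side: walk the labels for this keyword until a miss."""
    out, i = [], 0
    while True:
        label = prf(k_w, i.to_bytes(4, "big"))
        if label not in edb:
            return out
        pad = prf(k_e, i.to_bytes(4, "big"))
        out.append(bytes(a ^ b for a, b in zip(edb[label], pad)).rstrip(b"\0").decode())
        i += 1
```

To search, the client derives (k_w, k_e) for the queried keyword and hands them to the server as the search token; the server learns which entries match but never the keyword itself.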
Joint work with Joseph Jaeger, Stanislaw Jarecki, Charanjit Jutla, Hugo Krawczyk, Marcel Rosu, Michael Steiner, & Stefano Tessaro.
Title: SilverLine: Preventing Data Leaks from Compromised Web Applications
Web applications can have vulnerabilities that result in server-side data leaks. Securing sensitive data from Web applications while ensuring reasonable performance, and without requiring developers to rewrite entire applications, is challenging. We present SilverLine, which prevents bulk data leaks caused by code injection into Web applications, as well as by compromised user-level processes on the application server. SilverLine uses login information to associate a user with each Web session; it then taints each file and database record and applies information-flow tracking to the data associated with each session, to ensure that application data is released only to sessions of authorized users. SilverLine focuses on isolating data between user sessions and is thus most suitable for applications that involve single-user sessions (e.g., banking, e-commerce). We have implemented SilverLine on Linux; our implementation demonstrates that SilverLine can protect a PHP-based Web application from many of the most common server-side Web application attacks by modifying only about 60 lines of code in the original application. Our evaluation shows that SilverLine incurs a performance overhead of about 20-30% over unmodified applications.
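A toy sketch of the session-based release check that the abstract describes (the class and method names here are hypothetical, not SilverLine's actual implementation):

```python
# Illustrative per-session release control: each record carries the taint
# label of its owner, and data may flow out only to a session whose logged-in
# user matches that label. An injected query running inside another user's
# session therefore cannot exfiltrate the record.
class TaintedStore:
    def __init__(self):
        self.rows = {}                      # row_id -> (data, owner_label)

    def insert(self, row_id, data, owner_label):
        self.rows[row_id] = (data, owner_label)

    def read(self, row_id, session_label):
        data, owner = self.rows[row_id]
        if owner != session_label:          # information-flow check at release
            raise PermissionError(
                f"label {owner!r} may not flow to session {session_label!r}")
        return data

# Login binds a user label to the session; all subsequent reads are checked.
store = TaintedStore()
store.insert("acct:42", {"balance": 100}, owner_label="alice")
```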
Joint work with Yogesh Mundada and Anirudh Ramachandran.
Title: Automating Isolation and Least Privilege in Web Services
Least privilege has been a guiding principle of secure computer systems since their inception, but it is rarely attained. Does the architecture of cloud services make it easier to achieve?
Even today, in many client-facing applications, a vulnerability in any part can compromise the entire application. I describe a new system, Passe, that protects a data store from unintended data leaks and unauthorized writes even in the face of application compromise. Passe automatically splits (previously shared-memory-space) web applications into sandboxed processes, and then restricts communication between those components and the types of accesses each component can make to shared storage, such as a backend database. To limit components to their least privilege, Passe applies dynamic analysis to learn data and control-flow relationships between data accesses, and then strongly enforces those relationships.
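The learned-constraint idea can be sketched as follows; the shim, query names, and context keys below are invented for illustration and are not Passe's actual interface:

```python
# Toy sketch of Passe-style enforcement: during a learning phase the system
# observes that the argument to the "messages" query always equals the uid
# returned by the preceding "auth" query. At run time a trusted shim enforces
# that data-flow relationship on the sandboxed component, so a compromised
# component cannot fetch another user's messages.
class Shim:
    def __init__(self):
        self.ctx = {}                       # values observed from prior queries

    def auth(self, user, password, db):
        uid = db["users"].get((user, password))
        self.ctx["auth.uid"] = uid          # recorded for later constraints
        return uid

    def messages(self, uid, db):
        # Enforced dependency learned by dynamic analysis:
        if uid != self.ctx.get("auth.uid"):
            raise PermissionError("argument violates learned data-flow constraint")
        return db["msgs"].get(uid, [])
```

Even if the component is fully compromised after login, the shim only honors message queries for the uid that authentication actually returned.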
Joint work with Aaron Blankstein.
Title: New Abstractions for Responsible Big-Data Management
Modern mobile and cloud technologies, which billions of users rely upon to access and host sensitive data, have become easy targets for theft, espionage, hacking, and legal attacks. Despite the threats, today's data management practices are looser and more irresponsible than ever. Although prone to theft and loss, mobile devices are saturated with confidential information due to careless operating system design that never securely erases data and applications that hoard it aggressively for performance. Cloud services accumulate endless logs of user activity, such as searches, site visits, and locations; they retain them for extended periods of time, mine them for business value, and at times share them with others -- all without the users' knowledge or control. This has become an untenable situation.
In this talk, I will describe my ongoing efforts to design, build, and deploy systems to facilitate a more rigorous and responsible approach to data management in clouds and on mobile devices. These efforts are organized in two directions: (1) devising new abstractions for mobile and cloud programmers to better reason about the data they hoard, whether it is all needed, and how it can be trimmed to promote security; and (2) creating tools to increase user awareness about how their data is being managed, what it is being used for, with whom it is being shared, etc. As examples of each direction, I will describe two systems that we are now building and evaluating with encouraging results. CleanOS (published at OSDI'12) is an Android-based OS that provides programmers with a sensitive data object abstraction, and manages that abstraction rigorously to prevent its accumulation on a theft-prone device. xRay (in progress) is a browser plugin that lets users audit how Web services, such as Amazon, Gmail, or YouTube, use their personal data (e.g., search or purchase history, emails, etc.) to target ads, products, or prices.
Title: Towards Accountable Clouds
Current cloud platforms require a considerable amount of trust: Cloud customers are handing their code and data to a set of machines they have never seen, and of which they may not even know the precise location; at the same time, cloud providers are running software on their platforms whose functionality they do not know. This can be a problem when something goes wrong; for instance, misconfigurations, hardware malfunctions, software bugs, or successful attacks by hackers can all cause the cloud machines to deviate from their expected behavior. In such cases, it is often difficult to detect and diagnose the problem, and to determine who is responsible for it. In this talk, I will show how accountability can help to overcome some of these challenges. An accountable system produces cryptographic evidence of its actions, and it can 'explain' why each action has been taken. Cloud customers and cloud providers can use this capability to remotely detect and diagnose problems, and to hold each other accountable for them. I will also discuss several techniques we have been developing that can be used to build accountable clouds.
Title: Security Event Management: Challenges and Opportunities
Security Event Management (SEM) is a key process in protecting enterprise networks, including cloud infrastructure. The process involves collecting security events from many diverse sources in enterprise networks, normalizing the events to a common format, storing the normalized events in archival storage for forensic analysis, and correlating the events to identify malicious activities in real time. In this talk, we describe the SEM process in practice, highlight technical and operational challenges in dealing with billions of events every day, and describe research opportunities in dealing with future scale as enterprises move to the cloud.
Title: Cloud Security: A Practitioner's Perspective
From the era of the mainframe to the PC, the Web, and now the cloud, we have witnessed, time and again, that innovations in security are driven by industry shifts in platform. The migration of enterprise applications and workloads to the cloud provides a unique opportunity to address a number of vexing security and compliance problems, while raising a new set of interesting challenges. In this talk, we will review the approaches being adopted by the security industry and present a new and promising approach being explored at IBM Research on contextual and adaptive security.
Title: How to Misuse, Use, and Mitigate Side Channels in Virtualized Environments
A side channel is an attack against (usually) a cryptographic algorithm that leverages aspects of the algorithm's implementation, versus relying entirely on its abstract design or underlying assumptions. Side channels have been studied for decades but have received renewed attention due to the increasing use of virtualization to isolate mutually distrustful virtual machines (VMs) from each other (e.g., in clouds), thereby highlighting the question of whether modern virtualization techniques do an adequate job of isolating VMs against side-channel attacks from their co-tenants. In this talk we will answer this question in the negative, and then paradoxically show how side channels and related techniques can be used by cloud-resident VMs to defend themselves from abuse by others. Finally, we will describe a novel design for cloud environments to mitigate a wide range of potential sources of side channels.
Title: Take Back the Cloud: Towards End-User Control of Cloud Services
A serious concern about cloud computing is the protection of end-user clients' data and computations against attacks from outsiders as well as from insiders (e.g., cloud administrators). The latter, in particular, requires a high level of trust in the cloud provider. At the same time, cloud clients are rather limited in implementing, deploying, and controlling their own security and privacy measures in the cloud. This challenge has motivated many researchers in recent years to investigate a variety of solutions towards more end-user and client control and assurance in the cloud.
In this talk, we present our recent and ongoing work on security architectures and technologies (including Intel's SGX) that aim at establishing trusted environments to allow cloud clients to be in control of the provisioning/usage of their credentials as well as access to their data and sensitive operations in the cloud. We conclude with some open challenges.
Title: Verifiable Cloud Outsourcing for Network Functions
Many recent efforts have argued for bringing the benefits that virtualization and cloud computing offer -- reduced capital costs, reduced operating costs, and the ability to dynamically scale services -- to networking requirements. This type of network function outsourcing (or NFO for short) is especially relevant in the context of expensive and compute-intensive middlebox functions (e.g., firewalls, intrusion detection systems, and application-level performance accelerators).
In order for this vision to fully take root, however, we argue that NFO customers must be able to verify that the service is operating as intended w.r.t.: (1) functionality (e.g., did the packets traverse the desired sequence of middlebox modules?); (2) performance (e.g., is the latency comparable to an "in-house" service?); and (3) accounting (e.g., are the CPU/memory consumption being accounted for correctly?).
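One simple way to sketch requirement (1) -- assumed here purely for illustration, not the formalization from the talk -- is a per-hop HMAC chain: each middlebox in the outsourced sequence folds its tag over the packet digest and the previous tag, and the customer verifies the chain offline:

```python
# Each middlebox holds a key shared with the customer and extends the tag;
# the final tag proves the packet traversed the middleboxes in order.
import hmac, hashlib

def hop_tag(key: bytes, packet: bytes, prev_tag: bytes) -> bytes:
    return hmac.new(key, hashlib.sha256(packet).digest() + prev_tag,
                    hashlib.sha256).digest()

def traverse(packet: bytes, keys: list) -> bytes:
    """Simulate the packet passing through each middlebox in sequence."""
    tag = b"\x00" * 32
    for k in keys:
        tag = hop_tag(k, packet, tag)
    return tag

def verify(packet: bytes, keys: list, tag: bytes) -> bool:
    """Customer-side check that the claimed traversal actually happened."""
    return hmac.compare_digest(traverse(packet, keys), tag)
```

A skipped or reordered middlebox yields a tag that fails verification; performance and accounting checks (requirements 2 and 3) need different machinery.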
I will present some of our early work in formalizing these requirements and also some initial work in addressing a more general verifiable accounting problem.
Title: Practical Challenges and Opportunities in Cloud Security Theory: Semantics, Humans and Metrics
Cloud computing provides yet another opportunity to build better security. In this talk I highlight notional theory that would have practical impact on building and operating cloud capabilities securely. The goal is to connect practical needs to questions for which security theory might provide well-founded answers, models, and insights.
Semantics: Sophisticated threats leverage the inherent semantic gaps between levels of abstraction as well as abstractions and actual artifacts. Semantic gaps ensure that an abstraction can't reason about, describe, or mitigate threats at lower layers enabled by the completeness of an artifact at the higher layer (e.g., a program on your computer). Furthermore, any(!) assumption made about a system, theory, artifact, etc. serves as a possible point of attack. Recent research has sought to "tighten" abstractions so as to ensure that abstractions don't ignore "undocumented functionality" in lower layers. However, further research is needed in minimizing assumptions (i.e. axiom narrowing) as well as in formally representing semantic gaps.
Humans: While a cloud is an engineering artifact, humans are present throughout design, implementation, installation, and operation, as users, as owners, as attackers, etc. Furthermore, humans are neither fully logical nor fully predictable. Humans behave as distributions with peculiar inference systems (e.g., decisions made in one second are fundamentally different from those made in ten seconds or ten days). A theory of how to account for the role of humans in homogeneous yet fractal artifacts, like a cloud, would enhance how we reason about and mitigate the security implications of human frailties and malfeasance.
Metrics: A securon? A threaton? What are the fundamental units of abstraction on which a science of security might build useful metrics? The lack of well-founded security metrics makes principled security investment decisions impossible. Can enforced homogeneity in a cloud artifact enable a different kind of metric and measurement?
The CERT Division (cert.org) is part of Carnegie Mellon University's Software Engineering Institute (sei.cmu.edu).
Title: Practical Oblivious Computation
I will describe a new binary-tree based paradigm of constructing Oblivious RAM, leading to extremely simple constructions. Within this framework, I will describe Path ORAM. Under reasonable assumptions about the block size, Path ORAM achieves O(log n) bandwidth overhead with just a little more than O(log n) trusted cache --- this is nearly optimal in light of Goldreich and Ostrovsky's lower bound.
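A compact and deliberately simplified sketch of the Path ORAM access procedure, omitting encryption, bucket padding, and the recursive position map (which the real scheme needs for its security and bandwidth claims):

```python
# Path ORAM sketch: blocks live in a binary tree of buckets; each block is
# mapped to a random leaf, the invariant being that a block sits somewhere on
# the path from the root to its assigned leaf (or in the client's stash).
import random

Z, L = 4, 4                      # bucket capacity, tree height (2**L leaves)

class PathORAM:
    def __init__(self):
        self.tree = {}           # (level, index) -> list of (blk_id, leaf, data)
        self.pos = {}            # block id -> assigned leaf (position map)
        self.stash = {}          # blk_id -> (leaf, data), held by the client

    def _path(self, leaf):
        """Node coordinates from the root (level 0) down to the leaf."""
        return [(lvl, leaf >> (L - lvl)) for lvl in range(L + 1)]

    def access(self, blk, new_data=None):
        leaf = self.pos.get(blk, random.randrange(2 ** L))
        self.pos[blk] = random.randrange(2 ** L)       # remap before write-back
        for node in self._path(leaf):                  # read whole path into stash
            for b, lf, d in self.tree.pop(node, []):
                self.stash[b] = (lf, d)
        data = self.stash.get(blk, (None, None))[1]
        if new_data is not None:
            data = new_data
        self.stash[blk] = (self.pos[blk], data)
        for node in reversed(self._path(leaf)):        # evict greedily, leaf first
            lvl, idx = node
            fits = [b for b, (lf, _) in self.stash.items()
                    if lf >> (L - lvl) == idx][:Z]
            self.tree[node] = [(b, *self.stash.pop(b)) for b in fits]
        return data
```

Every access reads and rewrites one full path of L+1 buckets, which is where the O(log n) bandwidth overhead comes from; the stash plus position map constitute the trusted client state.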
Based on Path ORAM, we implement the first real-life ORAM-capable secure processor prototype called Phantom. We run real-world programs such as sqlite on top of Phantom, and demonstrate reasonable practical performance.
Then, I will describe programming language techniques that can compile a program into its memory-trace oblivious equivalent, while achieving order-of-magnitude speedup in comparison with the naive approach of placing all variables in a single, large ORAM.
Finally, I will describe a vision of building a cloud computing platform secure against physical attacks.
Title: CloudFlow: Cloud-wide policy enforcement using fast VM introspection
Shared cloud hardware creates inherent side-channel vulnerabilities, which an attacker can use to leak information from victim VMs. Although efficient prevention is difficult within a single node, there is a unique opportunity within a cloud. This paper proposes a low-overhead approach to cloud-wide information flow policy enforcement: using fast run-time introspection to identify node-level side channels which could potentially be used to violate a security policy, and reactively migrating virtual machines to eliminate them. CloudFlow is built as an information flow control extension for OpenStack. Its novel virtual machine introspection mechanism is orders of magnitude faster than previous approaches. CloudFlow efficiently and transparently enforces information flow policies cloud-wide, including information leaks through undesirable side-channels. Finally, CloudFlow has potential uses for cloud management and resource-efficient virtual machine scheduling.
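The reactive-migration idea can be caricatured in a few lines; the labels and placement logic below are illustrative, not CloudFlow's actual policy engine or introspection mechanism:

```python
# Toy CloudFlow-style placement: if introspection finds two VMs with
# conflicting labels sharing a node (a potential cross-VM side channel),
# plan a migration that separates them.
def conflicts(a, b):
    return a["label"] != b["label"]        # distinct tenants may not co-reside

def enforce(nodes):
    """nodes: {node_id: [vm dicts]}. Returns planned (vm, src, dst) moves."""
    moves = []
    for node, vms in nodes.items():
        keep = vms[:1]
        for vm in vms[1:]:
            if any(conflicts(vm, k) for k in keep):
                dst = next(n for n, others in nodes.items()
                           if n != node and all(not conflicts(vm, o) for o in others))
                moves.append((vm["id"], node, dst))
            else:
                keep.append(vm)
    return moves
```

The real system's contribution lies in making the introspection step fast enough to run continuously; the placement decision itself is comparatively simple.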
Title: Verifying the Correctness of Remote Executions: from Theoretical Possibility to near Practicality
How can we trust results computed by a third party or the integrity of data stored by such a party? This is a classic question in systems security, and it is particularly relevant in the context of cloud computing.
Various solutions have been proposed that make assumptions about the class of computations or the failure modes of the performing computer. However, deep results in theoretical computer science -- probabilistically checkable proofs (PCPs) coupled with cryptographic commitments in the context of arguments -- tell us that a fully general solution exists that makes no assumptions about the third party: the local computer can check the correctness of a remotely executed computation by inspecting a proof returned by the third party. The rub is practicality: if implemented naively, the theory would be preposterously expensive (e.g., trillions of CPU-years or more to verify simple computations).
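A classical warm-up for this idea -- far simpler than the PCP-based systems the talk covers, but in the same spirit of verification being much cheaper than recomputation -- is Freivalds' probabilistic check for outsourced matrix multiplication:

```python
# The client asked a server to compute C = A @ B. Recomputing costs O(n^3);
# each Freivalds trial costs O(n^2): pick a random 0/1 vector r and compare
# A(Br) with Cr. A wrong C survives each trial with probability <= 1/2.
import random

def freivalds(A, B, C, trials=20):
    n = len(A)
    for _ in range(trials):
        r = [random.randrange(2) for _ in range(n)]
        Br = [sum(B[i][j] * r[j] for j in range(n)) for i in range(n)]
        ABr = [sum(A[i][j] * Br[j] for j in range(n)) for i in range(n)]
        Cr = [sum(C[i][j] * r[j] for j in range(n)) for i in range(n)]
        if ABr != Cr:
            return False          # caught a cheating server
    return True                   # accept; wrong with probability <= 2**-trials
```

Proof-based verifiable computation generalizes this asymmetry to arbitrary programs, which is what makes the engineering so much harder.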
Over the last several years, a number of projects have brought this theory to near-practicality in the context of implemented systems. The pace of progress has been rapid, and there have been many encouraging developments in this emerging area of proof-based verifiable computation.
I will cover the high-level problem, the theory that solves the problem in principle, the projects that have reduced the theory to near-practicality and implemented it, and open questions for the area. My hope is to communicate the excitement surrounding all of the projects in the area.
Title: Guest OS Purification and Minimization for Virtual Machine Hosting in the Cloud
Emerging malware against operating systems (OSes) exhibits increasingly sophisticated strategies and behaviors. For example, we have recently witnessed "trojan" kernel drivers that contain malicious logic while performing benign functions, and kernel-level "accomplices" of Advanced Persistent Threats (e.g., Stuxnet) that hide the attacker's presence. However, state-of-the-art OS security is not catching up with this attack trend. For example, many recent solutions assume a "gold standard" version of the kernel and kernel drivers, usually designated and white-listed by the vendor or administrator. One major limitation of such approaches is that any malicious code embedded in a white-listed kernel or kernel driver can execute unhindered. Meanwhile, it has been observed that the kernel and kernel drivers tend to have a large footprint, with code that is not needed by the legitimate applications on a machine.
Ironically, malware programs benefit from such code by leveraging it for malicious actions. In this talk, I will present two of our recent efforts towards kernel and kernel-driver purification and minimization for virtual machines (VMs) in the cloud. DRIP is a framework for eliminating malicious logic embedded in a kernel driver by iteratively removing unnecessary kernel API invocations from the driver. When provided with the binary of a trojaned driver, DRIP generates a purified driver with benign functionality preserved and malicious functionality removed. FACE-CHANGE is a system that facilitates dynamic switching among multiple minimized kernels -- each customized for an individual application -- in the same VM, hence maintaining kernel minimalism at the fine time granularity of CPU time slices.