Presentation is loading. Please wait.

Presentation is loading. Please wait.

Year 1: Research – Education – Outreach Overview

Similar presentations


Presentation on theme: "Year 1: Research – Education – Outreach Overview"— Presentation transcript:

1 Year 1: Research – Education – Outreach Overview
John Mitchell and Janos Sztipanovits

2 Research Goals Address pressing issues of the day
Why are computer systems vulnerable to attack? Will Internet fraud, worms, viruses … be with us forever? Can malicious groups take down critical infrastructures? How can we make systems more secure? In ways that are acceptable and desirable to their users? What new problems of societal significance can be solved? Medical applications? Manage energy and natural resources? Deep and lasting scientific progress Advance the science of computer security Understand its intersection with system design Recognize and utilize interdependence w/ other disciplines Leverage the scale of the TRUST center effectively Collaboration, education, develop career paths Year 1 Research Overview

3 Research Organization
Five research projects + Web authentication and online identity theft Electronic medical records Sensor nets and embedded systems Trustworthy systems Network security and defenses + Education (managed through same process) Each research project combines Faculty and students from several (3-5) sites Security, Systems and Software, Social Sciences Education and outreach activities Some activities contribute to several projects Year 1 Research Overview

4 TRUST Research Vision Societal Challenges Details have changed but spirit of this vision remains Privacy TRUST will address social, economic and legal challenges Critical Computer and Infrastructure Network Security Integrative Efforts Identity Theft Project Specific systems that represent these social Electronic Medical Secure Networked challenges. Records Embedded Systems Component Technologies Software Security Complex Inter - Dependency mod. Secure Info Mgt. Software Tools Trusted Platforms Secure Network Embedded Sys Econ., Public Pol. Soc. Chall. Component technologies Applied Crypto - graphic Protocols Model - based Security Integration. Forensic and Privacy that will provide solutions Network Security Secure Compo - nent platforms HCI and Security Year 1 Research Overview

5 Problem 1: Online Identity Theft
Password phishing Forged and fake web sites steal passwords Passwords used to withdraw money, degrade trust Password theft Criminals break into servers and steal password files Spyware Keyloggers steal passwords, product activation codes, etc. Botnets Networks of compromised end-user machines spread SPAM, launch attacks, collect and share stolen information Magnitude $$$ Hundreds of millions in direct loss per year Significant Indirect loss in brand erosion Loss of confidence in online transactions Inconvenience of restoring credit rating, identity Challenge for critical infrastructure protection Year 1 Research Overview

6 TRUST team Stanford Berkeley CMU Partners and collaborators
D Boneh, J Mitchell, D Dill, M Rosenblum, Jennifer Granick (Law School) A Bortz, N Chou, C Jackson, N Miyake, R Ledesma, B Ross, E Stinson, Y Teraguchi, … Berkeley D Tygar, R Dhamija, ,,, Deidre Mulligan (UC Berkeley Law), Erin Jones, Steve Maurer, … CMU A Perrig, D Song B Parno, C Kuo Partners and collaborators US Secret Service, DHS/SRI Id Theft Tech Council, RSA Securities, … R Rodriguez, D Maughan, … And growing … Year 1 Research Overview

7 TRUST ID Theft Team (+ more)
Year 1 Research Overview

8 Phishing Attack Sends “There is a problem with your eBuy account” password? Password sent to bad guy User clicks on link to User thinks it is ebuy.com, enters eBuy username and password. Year 1 Research Overview

9 SpoofGuard browser extension
SpoofGuard is added to IE tool bar User configuration Pop-up notification as method of last resort Year 1 Research Overview

10 Berkeley: Dynamic Security Skins
Automatically customize secure windows Visual hashes Random Art - visual hash algorithm Generate unique abstract image for each authentication Use the image to “skin” windows or web content Browser generated or server generated Year 1 Research Overview

11 CMU Phoolproof prevention
Eliminates reliance on perfect user behavior Protects against keyloggers, spyware. Uses a trusted mobile device to perform mutual authentication with the server password? Year 1 Research Overview

12 Tech Transfer SpoofGuard PwdHash New browser extensions for privacy
Some SpoofGuard heuristics now used in eBay toolbar and Earthlink ScamBlocker. Very effective against basic phishing attacks. PwdHash Collaboration with RSA Security to implement PwdHash on one-time RSA SecurID passwords. RSA SecurID passwords vulnerable to online phishing PwdHash helps strengthen SecurID passwords New browser extensions for privacy SafeCache and SafeHistory Client-side architecture for spyware resistance SpyBlock: virtualization, browser extension, trusted agent Year 1 Research Overview

13 Botnets: detect and disable
Botnet - Collection of compromised hosts Spread like worms and viruses Platform for many attacks Spam forwarding, Keystroke logging , denial of service attacks Unique characteristic: “rallying” Bots spread like worms and trojans Centralized control of botnet is characteristic feature Current efforts Spyware project with Stanford Law School CMU botnet detection Based on methods that bots use to hide themselves Stanford host-based bot detection Taint analysis, comparing network buffer and syscall args Botnet and spyware survival Spyblock: virtualization and containment of pwd Year 1 Research Overview

14 Research Spotlight Stanford Cyberlaw Clinic Spyware Litigation Project
Lisa Schwartz Stanford Cyberlaw Clinic Henry Huang Spyware Litigation Project Law, CS faculty, Law students, Many CS grad, undergrad students Jennifer Granick Year 1 Research Overview

15 Cyberlaw Clinic: PacerD
Backdoor Trojan spyware distributed via misleading pop-up installed even if user clicked the pop-up’s “close” button Users’ computers transformed into “marketing machines” Up to 7 pop-ups/minute, … Who is behind PacerD? Seychelles P.O. box, Seattle voice mail number, Russian ISPs Spyware bundle will install unless user takes complex or difficult action Oct. ’05 CS team sets up testing environment Nov. ’05 CS team creates videos depicting PacerD installation, …, removal Rootkits detected inside PacerD Dec. ’05 – Feb. ‘06 Cyberlaw Clinic drafts lawsuit March – April ‘06 Over 300 PacerD victims contacted Litigation plan being developed “Pyramid of Deception” CPM Media KVM Media PacerD Exfol Year 1 Research Overview

16 Cyberlaw Clinic: Enternet
Enternet Media (EM) Internet ad firm in CA EliteBar a.k.a. Elite Toolbar distributed through websites no notice of installation prevents uninstallation collects personal information EULA: unconscionable terms Enternet hides EULA and uninstaller: Gov’t Suits Against Enternet FTC filed against Enternet 11/4/05 injunction froze assets stopping distribution of EliteBar City of L.A. also sued Enternet alleging unfair competition, deception Criminal charges: In LA, March 2006 Incl false advertising, consumer fraud Uninstaller purposely fails to remove EliteBar Year 1 Research Overview

17 ID Theft: Future challenges
Criminals become increasingly sophisticated “In 25 years of law enforcement, this is the closest thing I’ve seen to the perfect crime” – Don Wilborn Increasing interest at server side Losses are significant Need improved platform security Protect assets from crimeware Need improved web authentication Basic science can be applied to solve problem: challenge-response, two-factor auth, … Social awareness, legal issues, and human factors Studies with Law Clinics; user studies, how are users fooled? Technology transfer More free software, RSA Security, … Multi-campus project developing technology, evaluation, social impact Project meetings this spring. Public workshop at Stanford in June. Year 1 Research Overview

18 Problem 2: Healthcare Information
Rise in mature population Population of age 65 and older with Medicare was 35 million for 2003 and 35.4 million for 2004 New types of technology Electronic Patient Records Telemedicine Remote Patient Monitoring Empower patients: Access to own medical records Control the information Monitor access to medical data Regulatory compliance Table compiled by the U.S. Administration on Aging based on data from the U.S. Census Bureau. United Nations ▪ “Population Aging ▪ 2002” 2050 Percentage of Population over 60 years old Global Average = 21% Year 1 Research Overview

19 Privacy and regulatory issues
Health Insurance Portability and Accountability Act of 1996 (HIPAA) HIPAA Privacy Rule (2003): gives US citizens Right to access their medical records Right to request amendments, accounting of disclosures, etc. HIPAA Security Rule (2005): requires healthcare organizations to Protect for person-identifiable health data that is in electronic format Complexity of privacy Variable levels of sensitivity; “sensitive” in the eye of multiple beholders No bright line between person-identifiable and “anonymous” data Complexity of access rights and policies Simple role-based access control is insufficient Governing principles: “need-to-know” and “minimum disclosure” Year 1 Research Overview

20 Healthcare Information Access Roles
Provider Patient Payer Society Primary care Specialists Ancillaries Immediate Family Extended Community Support Friends Legally Authorized Reps Admin. Staff Claims Processors Subcontractors Clearinghouses Insurers Public Health State Licensure Boards Law Enforcement Internal QA External accreditation orgs Clinical Trials Sponsors Fraud Detection Medical Information Bureau Business Consultants National Security Bioterrorism Detection From: Dan Masys: “The nature of biomedical data” Year 1 Research Overview

21 TRUST and MyHealth Teams (Faculty)
Vanderbilt J Sztipanovits, G Karsai, A Ledeczi Stanford J Mitchell, H Garcia-Molina, R Motwani Berkeley R Bajcsy, S Sastry, M Eklund Deidre Mulligan (UC Berkeley Law) CMU M Reiter, D Song Cornell J Gehrke, S Wicker, F Schneider VU Medical Center Collaborators D Masys, M Frisse, D Giuse, J Jirjis, M Johnson, N Lorenzi, D Mays, Year 1 Research Overview

22 Year 1 Research Overview

23 Patient Portal Project
Vanderbilt MyHealth Patient Portal Enrolled 8000 patients and grows at the rate of over 1000 new enrollees per month Secure messaging, access to medical records, appointments Include real-time monitoring of congestive heart failure patients Heterogeneous sensor network for monitoring Data integrated into Berkeley ITALH Testbed: seniors in Sonoma Stationary sensors: Motion detectors, Camera systems Wearable sensor: Fall sensors, Heart rate or pulse monitors Year 1 Research Overview

24 Technical Challenges (1/2)
Access Control Unique problems: Policy languages Policy validation Distributed policy enforcement Data Privacy Unique problems: Learning from data while keeping individual data private Publishing data without possibility to link back to individuals Information flow through data access: “leaking secret data” Incorporating background knowledge Interaction between privacy and policy languages Year 1 Research Overview

25 Technical Challenges (2/2)
Distributed trust management Unique problems: Maintaining trust across multiple players with conflicting interests and policies Information architecture modeling and analysis Unique problems: Technical and organizational heterogeneity Major role of legacy systems Scale and complexity Benchmarking Creation of synthetic patient data Real-life patient data Societal Impact of Patient Portals What privacy policy would make patients comfortable with contributing data to research study? Year 1 Research Overview

26 Approaches What solutions are possible? Some examples:
Policy languages (Stanford) Data privacy (Cornell, Stanford) Information architecture modeling and analysis (VU, Berkeley) Distributed trust management (Cornell, Stanford) Societal impact (Berkeley) Use MyHealth (VU) as demo system Put TRUST research thrusts in MyHealth contexts Year 1 Research Overview

27 Initial Steps Discussions with VU Medical Center in September, 2005
Prof. Bill Stead, Director, Informatics Center Prof. Dan Masys, Chair, Department of Biomedical Informatics Design Workshop for Integrative Project on Patient Portals December 16, 2005 at Vanderbilt Center for Better Health ( Identified two project candidates and a joint White Paper topic. Detailed project planning between TRUST and VU MyHealth We have a joint memo of collaboration management structure and research agenda for the next year Workshop on Trust and Privacy in Electronic Medical Records April 28th at Berkeley Year 1 Research Overview

28 Meeting at Vanderbilt Year 1 Research Overview

29 Milestones (Year 1) Policy languages Data Privacy
HIPAA policy representation and validation Data Privacy Assemble sample medical database for evaluating privacy mechanisms, other mechanisms Information architecture modeling and analysis Modeling aspects and language specifications MyHealth architecture modeling and analysis methods Distributed trust management Societal impact Organizational impacts, changes in the decision processes Unintended consequences study Year 1 Research Overview

30 Research Spotlight Berkeley ITALH Testbed
Mike Eklund Berkeley ITALH Testbed Ruzena Bajcsy Electronic Medical Record Project Tanya Roosta Marci Meingast Edgar Lobotan EECS Faculty, Grad, Undergrad, and SUPERB students Shankar Sastry Adeeti Ullal Rustom Dessai Willy Cheung Albert Chang Year 1 Research Overview

31 Berkeley ITALH Testbed
Biomedical sensor systems Can monitor for acute and chronic conditions and emergency events Can be kept locally or transmitted to healthcare professional and EMRs Storage in medical record Potential very useful Currently ad-hoc and manually performed ITALH System Access Control Privacy Data Aggregation Security Oct ’05 – Mar ’06 Development and testing of fall sensor system joint with Tampere, Finland and Aarhus, Denmark Mar – Apr ‘06 Commitment from Telecon Italia Evaluation of EMR system for integration in Sonoma Apr – May ‘06 Preparation of lab for experimentation and EMR integration Jun – Jul ‘06 SUPERB program focus ITALH/EMR Development Use Berkeley Motes, Fall sensors with accelerometers Year 1 Research Overview

32 Berkeley ITALH Testbed
Initial Focus: Fall Detection Falls are the leading cause of fatal and nonfatal injuries to older people in the U.S. Each year, more than 11 million people over 65 fall – one of every three senior citizens Treatment of the injuries and complications associated with these falls costs the U.S. over 20 billion annually Daily Activity Identification: Sitting, standing, walking Secondary Foci: The devices reveal significant information about the user This provides significant additional opportunities for health monitoring It also creates a potential threat to the users privacy Requirements of such a system: Privacy of data and user activity, location, etc Accuracy and robustness Interoperability as it will form only one component of a broader system Year 1 Research Overview

33 Berkeley ITALH Testbed
Being able to measure and analyze a patients activity, enables: Accurate feedback for at home treatment, e.g. osteoporosis, where a clear negative correlation has been shown between activity level and bone density loss Rapid and automated response to critical and emergency situations Protocols and policies must be established for the inclusion of automated data collection A test system is being developed to integrate the ITALH testbed with an open source EMR system This will be integrated with the Vanderbilty myHealth system following initial development This benefit can only be had on a societal scale if such devices can be integrated in the EMR systems, so that: Data acquisition is at least semi-autonomous The data can be guaranteed to be accurate The system is secure ITALH/EMR Development Target implementation Development and testing Year 1 Research Overview

34 Summary Excellent integrative project candidate
Strong interest inside TRUST and in the medical community We have teamed up with VUMC, which has the strongest research program and operational testbed Rapid start-up Year 1 Research Overview

35 Problem 3: Embedded Secure Sensor Networks
TRUST is engaged in the development of embedded secure sensor networks Integrated center R&D at all levels Sensor Technology Networks Applications Policy/Legal Issues Activity at all TRUST sites + collaborators Oak Ridge National Laboratory, … Year 1 Research Overview

36 Societal Relevance Health Care Urban Infrastructure Utilities
Energy production and transport (e.g. SCADA) Energy utilization monitoring in homes Search and Rescue Disaster response Heavy Industry Process Control Oil refineries, chemical, etc. Chevron is an interested player Border Control and Monitoring Year 1 Research Overview

37 Year 1 Research Overview

38 Sensor Technology - The Mote
Year 1 Research Overview

39 Sensor Technology Example: Sensors for Bio-Defense
Bi-layer lipid membrane used to create designer bio-sensors When target analyte binds to protein, ion channel conductivity increases. Currently considering use in water supply protection. Sensor performance statistics used to define networking requirements. Outside Player: NY Dept of Health/ Wadsworth Laboratories Year 1 Research Overview

40 Sensor Platform Technologies
CU Asynchronous Processor Event-driven execution is ideal for sensor platforms Clockless logic Spurious signal transitions (wasted power) eliminated Hardware only active if it is used for the computation MIPS: high-performance 24pJ/ins and V Processor Bus Year E/op Ops/sec Atmel 8 200? 1-4 nJ 4 MIPS StrongARM 32 1.9 nJ 130 MIPS MiniMIPS 1998 2.3 nJ* 22 MIPS Amulet3i 2000 1.6 nJ* 80 MIPS 80C51 (P) 1 nJ** Lutonium 2003 43 pJ SNAP 16 24 pJ 28 MIPS Year 1 Research Overview

41 Designer OS for Sensor Networks
Tiny OS Large, active open source community: 500 research groups worldwide OEP for DARPA Network Embedded Systems Technology Thousands of active implementations - the world’s largest (distributed)sensor testbed MagnetOS: Provide a unifying single-system image abstraction The entire network looks like a single Java virtual machine MagnetOS performs automatic partitioning Converts applications into distributed components that communicate over a network MagnetOS provides transparent component migration Moves application components within the network to improve performance metrics MagnetOS Rewriter Year 1 Research Overview

42 Sextant: Node Localization
Use of large numbers of randomly distributed nodes creates need to discover geographic location GPS is bulky, expensive, power-hungry Set up a set of geographic constraints and solve it in a distributed fashion Aggressively extract constraints Use just a few landmarks (e.g. GPS nodes) to anchor the constraints Can determine node location with good accuracy, without GPS or other dedicated hardware Year 1 Research Overview

43 SHARP: Hybrid Routing Protocol
Two extremes in routing Proactive: disseminate routes regardless of need Reactive: discover routes when necessary Neither are optimal for dynamic sensor networks SHARP adaptively finds the balance point between reactive and proactive routing Enables multiple nodes in the network to optimize the routing layer for different metrics Outperforms purely reactive and proactive approaches across a range of network conditions Year 1 Research Overview

44 Securing the Sensor Network
Security issues Develop Taxonomy of Attacks Attacks with and without defined defenses Generic basis on which to evaluate new networks Characterizing Worst-Case Results Statistical learning proposed as a means for determining what can be inferred from data Evaluate privacy concerns Ties into privacy road map Security thrusts Secure building blocks Secure key distribution Secure node-to-node and broadcast communication Secure routing Secure information aggregation Real-time aspects and security Secure middleware Secure information processing Sensing biometrics Sensor database processing Internet-scale sensor networks Year 1 Research Overview

45 Application Projects (Examples)
Patient Monitoring Remote monitoring of cardiac patients See Vanderbilt/Cornell/Berkeley poster Museum Project Expressive AI projects using sensors to monitor patrons at public demonstrations Home Sensor Network Development Energy monitoring beyond metering Opportunities for local information fusion LA Water Supply Protection BioSensors + Networking + Civil Infrastructure Year 1 Research Overview

46 Research Spotlight TRUST-ORNL TuFNet Federated Sensor Networks Project
Yuan Xue ISIS-VU TRUST-ORNL TuFNet Federated Sensor Networks Project Akos Ledeczi ISIS-VU TRUST researchers, graduate students, ORNL researchers ORNL Year 1 Research Overview

47 Dirty Bomb Detection Demo in VU Stadium April 20, 06
Outside the window Jumbotron: automatic camera feed Jumbotron/Screen: Tracking info inside Google Earth Security is guard walking around the stadium with a cell-phone connected radiation detector and an XSM mote. His position is continuously tracked using a radio interferometric technique running on the motes. A camera automatically tracks his position using the geolocation info from the mote network. When the radiation level crosses a threshold the detector sends an alarm and the camera zooms in on the position. Year 1 Research Overview

48 System Vulnerabilities
Sensor network vulnerabilities Bogus tracking results Tracking command Spoofing Battery consumption attack Mote network Tracking service and user interface Rad detector, mobile phone mote Internet Rad level servlet and camera glue code Application/Service Nextel/ Internet Packet dropping Mis-forwarding ID spoofing Forging routing Information Disclosing/modifying /replaying tracking results VGA to NTSC adapter Camera control node (Linux) Jumbotron controller Network Traditional network/system vulnerabilities MAC DoS Eavesdropping Mac/Link Denial of Service Attack Information disclosing/modification/replaying Address Spoofing etc.. Jamming Physical Year 1 Research Overview

49 Security Support Implemented
Security Support Overview Jamming Attack Ranging and Tracking using Multiple Frequencies Bogus Tracking Result Majority-based Voting to Filtering outrange result Peer Authentication among Sensors False Tracking Command Injection of Tracking Result from Spoofed Sensors Group-based Peer Authentication Objective Provide efficient, effective, and flexible peer sensor authentication Solution Symmetric-key based (SkipJack in TinySec) Each sensor node has a different set of keys through a pre-key distribution scheme Multiple MACs are generated for each message from a sensor node MACs are verified at the receiver sensor using its common keys with the sender Results computation: 5.3 ms; verification: 2.5 ms (2 common keys), 1.3~1.4ms (1 shared key), < 0.1 (no keys in common) Year 1 Research Overview

50 Privacy Issues Policy instruments often lag technology development
Proposed development of Privacy Road Map that will frontload policy development Map sensor capabilities and network mission into deployment and data use rules Key near-term: RFIDs, broad-based visual surveillance Raises issue of impact of network configuration and heterogeneity on road map Approach: Extend fair information practices to cover sensor nets at regulatory or legislative level Consent enablement is an important issue Year 1 Research Overview

51 Economic Issues Consider standards for transactions between sensor network owners/operators market creation, bargaining, trading rules for passing data, avoiding monopolies Open platforms enhance markets, range of products, efficiency Software for computers vs. software for cell phones Significant literature on economic costs of privacy decision making Cost of inadvertent disclosure Year 1 Research Overview

52 Further Development Integrate cross-cutting security, privacy, and economic issues into ongoing project development. Try to stay as generic as possible, while developing technology/policy amenable to evaluation. Year 1 Research Overview

53 Problem 4: Trustworthy Systems
Important problems in the public eye Why are computer systems vulnerable to attack? Many security vulnerabilities are software bugs How can we make systems more secure? Better human factors, security science and engineering practices Four core areas Robust software Including: static, dynamic analysis methods for detecting vulnerabilities Security policy What actions should be allowed? How to express, enforce policy? Platform integrity Including: hardware attestation, software-based isolation, virtualization Intrusion-tolerant systems System architectures and implementation techniques so that systems will resist and survive attacks Year 1 Research Overview

54 Subarea 1. Robust software
Computer attacks are serious problem Scripts for exploiting known vulnerabilities Techniques and tools for creating new exploits Many possible targets Widely used UNIX programs: sendmail, BIND, etc. Various server-type programs ftp, http (Web server and file transfer) pop, imap ( server) irc, whois, finger (Other applications, services) Mail clients (overrun filenames for attachments) Netscape mail (7/1998) MS Outlook mail (11/1998) Year 1 Research Overview

55 Research Spotlight Monica Lam Automated Software Analsys
Find errors that can lead to vulnerabilities Year 1 Research Overview

56 Static Analysis D. Wagner - Detection of Buffer Overrun Vulnerabilities Integer range analysis problem Sendmail: 4 bugs/44 warnings Features necessary to achieve better precision Flow sensitivity Pointer analysis A. Aiken - Format String Vulnerabilities Type Qualifiers “Tainted” annotations, requires some, infers the rest Features necessary to achieve better precision Context sensitivity Field sensitivity Can add new analyses M. Lam – Combine and improve previous results Interprocedural methods Strategically leverage more precise aliasing analysis Standard architecture for combining methods Today: B Livshits poster Program Buffer overruns Format violations IP SSA Error traces Data flow NULL deref’s easy to write tools …others… Year 1 Research Overview

57 Example: Tainting Violation in muh
muh.c:839 0838             s = ( char * )malloc( 1024 ); 0839             while( fgets( s, 1023, messagelog ) ) { 0840                 if( s[ strlen( s ) - 1 ] == '\n' ) s[ strlen( s )... 0841                 irc_notice( &c_client, status.nickname, s ); 0842             } 0843             FREESTRING( s ); 0844              0845             irc_notice( &c_client, status.nickname, CLNT_MSGLOGEND ); irc.c:263 257 void irc_notice(connection_type *connection, char nickname[], char *format, ... ) 258 { 259     va_list va; 260     char buffer[ BUFFERSIZE ]; 261  262     va_start( va, format ); 263     vsnprintf( buffer, BUFFERSIZE - 10, format, va ); 264     va_end( va ); Year 1 Research Overview

58 Example: Buffer Overrun in gzip
gzip.c:593 0589     if (to_stdout && !test && !list && (!decompress || ... 0590         SET_BINARY_MODE(fileno(stdout)); 0591     } 0592         while (optind < argc) { 0593         treat_file(argv[optind++]); gzip.c:716 0704 local void treat_file(iname) 0705     char *iname; 0706 { ... 0716     if (get_istat(iname, &istat) != OK) return; gzip.c:1009 0997 local int get_istat(iname, sbuf) 0998     char *iname; 0999     struct stat *sbuf; 1000 { ... 1009     strcpy(ifname, iname); Need to have a model of strcpy Year 1 Research Overview

59 Sample Experimental Results
Monica Lam study: 7 server-type programs Other studies (Engler, Wagner, etc.) achieve similar results for other kinds of errors Significant bugs found using automated tools TRUST challenge: compare and combine methods developed by different campuses Year 1 Research Overview

60 Larger Picture Goal: New techniques for improving the security of our software Many complementary approaches: Static analysis of source code; Dynamic analysis with symbolic execution; Taint and information flow tracking; Inline reference monitors; Proof-carrying code; Logical decision procedures; Semantics and foundations of programming languages Many exciting uses: Detection of security bugs; Automatic generation of signatures for intrusion detection or virus scanning; Verification of security properties TRUST Collaboration Many cross-institution collaborations underway / recently initiated Challenge applications to demonstrate our methods: Hardening the security of open source software Protect network services/servers against data-driven remote attacks Improving the quality of electronic voting software Shared benchmarks: Apache (including core, plug-ins, PHP scripts, …) TCP/IP stacks Network servers? One or two key industrial applications? (Productivity software? Medical? E-commerce? Internet services?) Year 1 Research Overview

61 Partner: Coverity, Inc Stanford, Symantec, Coverity, DHS
Open Source Software Quality Project Year 1 Research Overview

62 Subarea 2. Security policy
Access policy How to express, enforce policy? Policy lifecycle management (debugger, etc) Enforcement Control access and propagation E.g., Java stack inspection What code to trust? How to enforce end-to-end policy? e.g., information I cannot be transmitted to output O Access control mechanisms are necessary, access control policies are insufficient Year 1 Research Overview

63 Enforcing language-based security
Source Code Programs are annotated with security policies Compiler checks, possibly transforms program to ensure that all executions obey rules Loader, run-time system validates program policy against system policies Policy Target Code Policy So the big picture that we are pursuing starts with programs annotated with explicit security policies. These programs can be statically checked and transformed by a compiler that ensures that the program will satisfy these policies. When the program is run, the policies can be checked against system policies and against policies on external resources. This means that the programmer does not define what security is obtained. ? System Policy Executable code Year 1 Research Overview

64 Subarea 3. Platform integrity
Trusted platforms and attestation “Trusted platforms” refers to platforms in which the running software has been authenticated as having desirable attributes “Attestation” refers to authenticating the software running on a node remotely Example projects Nexus OS implementing new trustworthy computing abstractions (Cornell) Privacy-preserving attestation (Stanford) TERRA attestation of full virtual machines (Stanford) Software attestation (CMU) Trusted user input/output (CMU, Stanford) Year 1 Research Overview

65 Subarea 4. Intrusion-tolerant systems
Sample direction: distributed trust Implement services in a distributed fashion so that no one component is trusted Example projects In P2P systems that mask node misbehaviors (Cornell) Prevents injecting a name into CODONS (a DNS replacement) Prevents injecting a page into Cobweb (Akamai-like web cache) Prevents injecting bad info into Corona (news system for web) In certificate authorities and single sign-on (Cornell) In storage systems (Stanford, CMU) Underlying protocols for service deployment, access (CMU) Formal verification of distributed trust protocols (Cornell) Implementing default-disconnect in LANs (Stanford) Year 1 Research Overview

66 Problem 5: Network Security
Networked applications are susceptible to attack Develop secure methods for resisting network attacks Cryptography is powerful, but requires key management Examples: SSL/TLS, VPN, key management for IPSEC New applications raise new challenges, e.g. VoIP Network infrastructure is susceptible to attack DoS, Virus and worm propagation flood network, blocks traffic Authenticated access to wireless network Isolation (traffic shaping, firewalls), Intrusion detection Goals include: Improve security of networks and applications that use them Collaborate on next-generation networking Improve educational resources on network security Year 1 Research Overview

67 Example True SCADA Scenarios
Port of Houston, 20 Sept 2001 >1 billion containers (2000), 6,400 ships (2002), $11 billion revenue (2002) $15 billion petrochemical complex: largest in nation, second in the world Web site disabled by denial of service attack 19 year old UK teenage member of a group called Allied Haxor Elite trying to get back at a girl he met in a chatroom (Found not guilty) Ohio's Davis-Besse nuclear power plant, offline, Jan 2003 Slammer worm penetrated a private computer network and disabled a safety monitoring system for ~5 hours Penetrated unsecured network of an unnamed Davis-Besse contractor, then squirmed through a T1 line bridging that network and Davis-Besse's corporate network Northeast power outage, 50 million people, August 2003 MSBlaster worm crippled key detection systems and delayed response during a critical time: “significantly worsened the effect of the outage” Year 1 Research Overview

68 General Network Threats
Worms/Viruses – Propagation Hackers/Intruders – Infiltration Compromised Machines – Botnets Insider Threat – Exfiltration Year 1 Research Overview

69 Research Spotlight Worm/DoS Defense
One slice of network security research in TRUST Year 1 Research Overview

70 Can We Build a “DOS Firewall”?
[Collins & Reiter] Trained on attack & normal traffic Trained on normal traffic only Example of the efficacy of published DoS filters Year 1 Research Overview

71 Egress Limiting for Worm Containment
[Wong, Studer, Bielski & Wang] Detection: Large fan-out, increased failures, no DNS translations Containment: Rate limiting Fast-spreading worms have these characteristics: large fan-out (to find potential victims), increased failures (many scan targets are unused IP addresses), and no DNS translations (scans are direct IP-to-IP connections). The first graph shows the false positive and false negative rates of a failed-connection based worm rate limiting method—a host is subject to rate limiting if it exhibits a failure rate higher than some pre-defined threshold. The second graph shows the relative precisions of various rate limiting schemes. This graph includes distinct IP rate limiting (to restrict large fan-out), failed-connection-based rate limiting, and DNS-based rate limiting (restrict the rate of outgoing connections without prior DNS translations). As shown, the DNS-based rate limiting performs the best in comparison. Year 1 Research Overview

72 Internet Indirection Infrastructure (i3)
[Stoica] id data id data Sender id R trigger Receiver (R) R data Use backup triggers on other i3 nodes to mitigate DoS attacks Attacker (A) id V Victim (V) Year 1 Research Overview

73 Ingress Rate Limiting w/ Client Puzzles
[Wang & Reiter] Server Legitimate client Adversary Designing puzzle mechanisms to defend against Connection depletion attacks (TCP) Bandwidth exhaustion attacks (IP) Year 1 Research Overview

74 A π π π V PI Marking Queue-based marking Marks can be used to filter …
[Yaar, Perrig, Song] Queue-based marking Routers “push” marking into IP Identification field A π π π V xx 00 xx 00 11 00 xx 11 10 Marks can be used to filter … Unaffected by source address spoofing … or returned to source to use as a capability Year 1 Research Overview

75 Sting: Auto Worm Defense System
[Brumley, Newsome, Song] ! This is the vision of Sting, an automatic worm defense system that automatically detects new attacks and generates efficient & accurate filters to filter out attack packets. Here we have the Internet. Now suppose some fraction of the Internet (hosts or networks) are using a software monitoring mechanism that is able to detect when they’ve been exploited. When a new worm starts to spread, it will eventually try to infect one of these monitoring points. When that happens, the exploit detection mechanism detects the attack, generates a signature describing the new worm, and publishes it. Now the signature can be used to filter out the worm at the network level, thus stopping the worm outbreak at an early stage. Sting employs novel methods to enable accurate attack detection and signature generation, one of the first approaches demonstrating promising defense against zero-day exploits. Sting is currently being deployed at CMU, and will later on be deployed in a large scale. Exploit Detected! Year 1 Research Overview

76 TrafficComber Distributed high-speed network monitoring system
[Blum, Gibbons, Kissner, Song, Venkataraman] Distributed high-speed network monitoring system Efficiently detect new (global) traffic behavior Accurately identify malicious IP addresses & attack patterns Focuses & components Streaming algorithms design Fast memory-efficient algorithms for high-speed links New streaming algorithms for superspreader detection Machine learning, graph theory techniques Traffic correlation & anomaly detection Stepping-stone detection Privacy-preserving information sharing New cryptographic algorithms/protocols Privacy-preserving set operations Year 1 Research Overview

77 Finding the Source of Worms
[Sekar, Xie, Maltz, Reiter, Zhang] t4 t1 t3 B F E t2 t7 t5 D C H t6 G Host contact graph Host attack tree Attack Reconstruction: identify communications that carry attack forward Attacker Identification: pinpoint attack source(s) Are these possibly feasible? Year 1 Research Overview

78 DETER (http://www.deterlab.net/)
Background Lack of large-scale experimental infrastructure Missing objective test data, traffic and metrics Goals Facilitate scientific experimentation Establish baseline for validation of new approaches Scientifically rigorous testing frameworks/methodologies Attack scenarios/simulators, topology generators, background traffic, monitoring/visualization tools Provide an open safe platform for experimental approaches that involve breaking the network “Real systems, Real code, Real attacks!” Year 1 Research Overview

79 UCB Cluster ISI Cluster
User Internet UCB Cluster ISI Cluster FW FW User files Backup ‘User’ Backup ‘Boss’ ‘User’ Server ‘Boss’ Server Node Serial Line Server Node Serial Line Server Control Network IPsec Control Network CENIC PC PC PC Power Cont’ler Power Cont’ler PC PC IPsec Cisco SW Foundry SW trunk trunk Year 1 Research Overview

80 Example DETER Topologies
Year 1 Research Overview

81 DETER Testbed Status 201 nodes now available! Experimental node OS:
Expect to double in 2006 Experimental node OS: Standard OS: RedHat Linux 7.3 or FreeBSD 4.9 New: Windows XP Users can load arbitrary code, in fact User has root access to all allocated nodes Secure process replaces OS after each experiment Adding support to scrub disks after experiments Funded by NSF CISE and DHS HSARPA Open to all researchers: gov’t, industrial, and academic Year 1 Research Overview

82 Network protocol analysis
Protocol analysis methods Model checking, automated tools Logical proof methods Case studies 802.11i Wireless networking IKE for IPSEC VoIP – security additions to SIP Work with standards organizations IEEE: contributed to i standard IETF/IEEE: e metro area networking Wi-Fi Alliance: wireless access point registration Education: course development, materials Research challenges Extend applicability of tools, improve usability Fundamental science: protocol analysis and crypto Clean slate network design: what are better designs? Year 1 Research Overview

83 Network Security Huge field Outstanding opportunities
Many challenges Lots of different kinds of work From network protocols to routing, congestion control Outstanding opportunities GENI initiative for Internet redesign DETER testbed, Industrial collaboration Network researchers at all TRUST sites Drinking from a firehose Year 1 Research Overview

84 Sigurd Meldal (SJSU) Janos Sztipanovits (Vanderbilt)
Education Sigurd Meldal (SJSU) Janos Sztipanovits (Vanderbilt)

85 Education Vision Trust education Trust education integrates domains
part of technological and social literacy central to technological and policy-making professional competency Trust education integrates domains trust solutions = policy options + technology options Trust education within domains From engineering to the social sciences Trust education cuts across education levels K-12, undergraduate programs, profession-oriented masters programs, research-oriented doctoral programs There are trust issues that everyone should understand in order to be an informed member of society and the electorate. There are trust components that integrate professions (lawyers must understand technology, etc). There are trust components within a profession (e.g., a software engineer has to understand trust issues technologically when designing a system) Year 1 Research Overview

86 Education Implementation
Main Activities Education Community Development (EDC) The TRUST Academy Online (TAO) Curriculum Development and Refinement TRUST Workshops At the end: The education work, like the other components of TRUST, will be project and team-based, with well-defined objectives and deliverables for each project. Year 1 Research Overview

87 Participants in the Ecosystem
Year 1 Research Overview

88 Knowledge Certification
Standardized knowledge units: National Information Assurance Training Standards (CNSS) NIETP Centers for Academic Excellence in IA Education Assist in the broad adoption of such curricula. Evaluate, adapt or substitute units or standards as indicated by domain requirements Year 1 Research Overview

89 Learning Technology Infrastructure
Established strong relationship between TRUST and VaNTH* Assessment Methods and Technology Learning Technology Challenge-based courses (design and delivery methods) Adaptive learning and course delivery strategies, development of adaptive expertise * Vanderbilt-Northwestern-Texas-Harvard/MIT Engineering Research Center Year 1 Research Overview

90 Education Spotlight TRUST Academy On-Line TRUST Repository Project
Larry Howard ISIS-VU TRUST Academy On-Line Simon Shim SJSU TRUST Repository Project Xiao Su SJSU TRUST researchers, graduate students, VaNTH researchers Weider Yu SJSU Sigurd Meldal SJSU Yuan Xue ISIS-VU Year 1 Research Overview

91 TRUST Academy On-line Aspects of support Principal components
Collaborative, evolutionary design of adaptive learning experiences Instrumented enactment of designs with learners Design reflection by educators Online dissemination Principal components Visual integrated design environment (CAPE) Design and content repository Interoperable delivery platform (eLMS) Dissemination Portal (TAO) Year 1 Research Overview

92 TAO Content WEB-based dissemination
portal/content management system for classroom resources: syllabi, lecture notes, readings, assessment materials, and instructor guides re-targetable learning modules on-line learning resources: direct access to courseware for evaluation Network Security Course Modules How bad guys work Attacks from hackers’ perspective Cryptography Secret key, public key, hash functions Authentication protocols Key exchange protocols Network security standards Wireless security, IP security, SSL, .. Network Security Courseware Yuan Xue (Vanderbilt), Xiao Su (SJSU) Sources Vanderbilt’s CS291 (Network Security) Stanford’s CS259 (Security Analysis of Network Protocols) SJSU’s CmpE209 (Network Security) Year 1 Research Overview

93 General Steps Content creation Presentation & Packaging
Learning Strategy Formalization Delivery methods Evangelization and dissemination Challenges Bringing in the policy-oriented educators Bringing in the non-CS engineering disciplines Evangelizing Year 1 Research Overview

94 Undergraduate Curriculum Refinement & Development
Develop (new) material for (new) domains Collect course material and teaching experiences from the TRUST partners Identify knowledge units – generate retargetable learning modules Define appropriate taxonomic structures Year 1 Research Overview

95 Facilitate Adoption of New Material
Security science (incremental, integrative, learning modules) In-discipline: operating systems, programming languages, cryptography, secure networking, hardware architectures… Canonical security courses Cross-discipline: Social impact, law, privacy, organizational roles, infrastructure Case studies as vehicle for learning modules Social sciences (incremental, integrative, learning modules) In-discipline: Privacy, information management and security, economics, organization theory, IP Cross-discipline: Fundamentals of security technologies, technology awareness General Education TRUST as a core competency for the educated person Systems science (new capstone courses) Cross-discipline: Design and analysis of complex systems Courseware repository Web-deliverable courseware – VaNTH/eLMS Security Science: operating systems, programming languages, cryptography, secure networking, … Social Sciences: Bringing policy, social, economic issues to student community: economics of information technology, information management, privacy and security Systems Science: “systems integration using software” curriculum needs to be developed from scratch, capstone design course for undergrads (or 5th year MS) NSA-NSF Cybersecurity Center of Excellence in Information Assurance Education to be developed at San Jose State, on going certification efforts for other Centers of Excellence at CMU Year 1 Research Overview

96 Graduate Curriculum Refinement & Development
New courses will be jointly developed: Design and Analysis of Secure Systems. Integrative Systems Science Advanced graduate seminars Computer and system security laboratory Team competitions New courses designed for engineering audience; joint offering across partners using web-cast technology Year 1 Research Overview

97 Repository Content Retargetable Learning Modules Courses
Elements of the learning process Courses Teach security in a context Year 1 Research Overview

98 Learning Module Repository
Facilitate efficient reuse of courseware Lectures Projects Homework assignments Organized into small modules May be incorporated into other courses Example: The RSA module may be used in an algorithms class Easy to adapt to different audiences Same topics covered by different instructors in different courses at different universities Example: cryptography Facilitate designing course architectures The Lego approach to coursework design Year 1 Research Overview

99 Course Repository Implement Course Repository in CAPE
Specify taxonomy Define course learning objectives Simulate learning process via sequencing of course modules Include relevant resources in a course module Lecture notes, Presentation slides Home assignments, Projects Exams, Quizzes Web-based Delivery System Hosted by VaNTH from Vanderbilt University Year 1 Research Overview

100 Ongoing Work Pilot module sets: Network security
Introductory upper-division topics Security in chemical processing systems Pilot experiment: Design a course on the basis of the repository Establishing a broader community: Invite CERT, SEI, other IA institutions and initiatives to make use of the repository and authoring tools. Establish a CSU-wide consortium for security curriculum development Year 1 Research Overview

101 TRUST Education Workshops
Engaging the broader teaching community Work with CERT, the IA Capability Building effort and minority serving institutions. Immediate expectations: A TRUST/CERT sponsored participation in education conferences (proposal with CMU, UC Berkeley, Vanderbilt and SJSU to the annual FIE Conference series) A TRUST/SEI symposium following up on the SEI IA Education Summer Schools and the TRUST Summer Schools (proposal with SJSU and CMU/SEI under the NSF IACBP) Year 1 Research Overview

102 TRUST Workshops Sensor Networking Workshop, Cornell and New York Department of Health - Tuesday, October 11, 2005. Cornell-Tsinghua Workshop on Information Technology, November 18, Tsinghua University, Beijing, China. TRUST Workshop on Social Security Numbers (jointly with PORTIA), Stanford – May 2006. Year 1 Research Overview

103 Lead: Ruzena Bajcsy (UC Berkeley)
OUTREACH Lead: Ruzena Bajcsy (UC Berkeley)

104 OUTREACH Strategy We are engaged in two kinds of outreach activities:
Local, in which each local groups have their own outreach activities tailored to the local conditions. Overall Center activities which engage the community at large. Here, we are most concerned how to disseminate our knowledge to the widest diverse population. Year 1 Research Overview

105 Local Activities BFOIT - Berkeley Foundation for Opportunities in Information Technology (Nurturing underrepresented high school students and their teachers in TRUST areas. Prof. Bajcsy, personal participation and fund raising.) SUPERB-IT - Summer Undergraduate Program in Engineering Research at Berkeley - Information Technology (Increased number of underrepresented students by 4) SIPHER - Summer Internship Program in Hybrid and Embedded Software Research (Increased number of underrepresented students by 2) Pennsylvania Area HBCU Outreach - Historically Black Colleges and Universities (Increased number of underrepresented students by 5) Year 1 Research Overview

106 Center Activities: WISE
Women’s Institute in Summer Enrichment (WISE) is a residential summer program on the University of California, Berkeley campus that brings together women (but it is not restricted to women only!) from all disciplines that are interested in TRUSTed systems in Science and Technology and all of the social, political, and economical ramifications that are associated with these systems. Professors from across the country come to Berkeley to teach power courses in several disciplines, including computer science, economics, law, and electrical engineering. The one-week program includes rigorous classes in the morning, and allows participants to explore through hands-on experiments and team-based projects in the afternoons. Year 1 Research Overview

107 Application for the WISE program
Applications for summer 2006 are available on this website on the Application page (we shall shortly set this up). Our tuition fee for summer 2006 will be $1, applicants with financial need may request a fee waiver on the application form. 20 participants was selected from a nationwide applicant pool of young women and men who have demonstrated outstanding academic talent. No prior experience in computer programming, law, or engineering is required, but we expect students to be able to handle college-level material at a rapid pace. 19 out of the 20 participants are women (graduate students and junior faculty) Year 1 Research Overview

108 The currently signed up faculty for WISE
Name Cynthia Dwork Cynthia Irvine Gail Kaiser Jeanette Wing Joan Feigenbaum John Mitchell Klara Nahrstedt Rebecca Wright Sonia Fahmy Stephen Mauer Steve Weber Yuan Xue Institution Microsoft Palo Alto Naval Postgraduate School Columbia University CMU Yale University Stanford University UIUC Stephen Institute of Technology Purdue University UC Berkeley Vanderbilt Year 1 Research Overview

109 WISE Schedule The workshop will be held at UC Berkeley Campus starting on July 5th ,06 until July 11th,06 included. The summer school will be organized into two parts: Mornings 3 hours lectures; Afternoons 3 hours exercises. The lectures will be given by the teachers listed above, the exercises will be supervised by graduate students. Year 1 Research Overview

110 Center Activities: National Visibility
Participation in National Conferences to build contacts and “get the word out”: Dr. W.Robinson from Vanderbilt University attended the NSF Joint Annual Meeting HER, on March 16-17th, 2006 in Washington, DC.,see : Meltem Erol from UCB attended HBCU conference in February, 2006 in Baltimore, Md. See: Year 1 Research Overview

111 Visiting positions Cornell has funded Judy Cardell from Smith college to be engaged in the TRUST Sensor Networking project TRUST funded Weider Yu from SJSU to participate in CMU’s Information Assurance Capacity Building Program (IACPB) Stanford will host this summer professor Mario Garcia from Texas A&M University –Corpus Christi. This visit is sponsored by NSF Quality Education for Minorities (QEM) Program Year 1 Research Overview

112 Center Activities: National Visibility
Joint projects: Professor Bajcsy together with Prof. Nahrsted from UIUC, Prof. Wymur (UCB) and prof. Katherine Mezure form Mills college are building cyberinfrastructure for distributed dance performances in the Cyberspace Professor Xue from Vanderbilt and Professor Xiao Su at SJSU worked on a pilot project on designing network security courseware repository Year 1 Research Overview

113 Other OUTREACH plans Organize regular TRUST seminars, weekly from a speaker pool (Researchers engaged in cyber security agenda) Reach out to collaborate with the National Laboratories Recruit diverse population of students as graduate students interested in TRUST agenda. Year 1 Research Overview


Download ppt "Year 1: Research – Education – Outreach Overview"

Similar presentations


Ads by Google