Compositional Security

Optimal Monitoring of Security Events

V.S. Subrahmanian (Dartmouth) with S. Jajodia (George Mason), N. Park (University of North Carolina), E. Serra (Boise State)

Objectives

  • Security analysts are swamped by false alarms, leading to considerable wastage of time. They only examine “major alerts, leading to easy strategies for attackers to compromise an enterprise.
  • Help managed security service providers
  • Understand how the adversary may use this asymmetry
  • to better target an enterprise
  • Develop methods for the defender to allocate cybersecurity analysts to scrutinize alerts from machines

Key Science Methods & Advances

  • Use annotated probabilistic temporal (APT) logic programs to capture information about a network.
  • Formalize adversary’s behavior as a set of exploit actions directed at nodes that either maximize probability of success, or maximize expected damage.
  • Develop integer program based solutions for attacker.
  • Defender must allocate analysts to monitor alerts on machines so as to minimize either the maximal success probability of the attacker or the maximal expected damage cause. We develop linear program based solutions together with column generation methods to solve the problem effectively in practice.
  • Develop a highly scalable greedy algorithm as well.

Results & Impact

  • Forecasts are regularly utilized by USG, UN, NGOs and foreign governments around the world
  • Project profiled in major media outlets

Secure Popcorn Linux

J. Reeves, S.W. Smith, J.P. Brady, P. Anantharaman (Students) with Virginia Tech and NARF

Objectives

  • Seamlessly switch running processes between different architectures (x86, ARM, PowerPC, etc.) to block code reuse
  • and hardware side-channel attacks
  • Establish and enforce intra-process boundaries to mitigate memory-based attacks and exploits that rely on specific memory locations
  • Do all of this without rewriting legacy programs

Key Science Methods & Advances

  • Extend the existing Popcorn Linux prototype to allow a process to switch between heterogeneous architectures at runtime.
  • Apply our ELFbac approach: Define intra-process security policies that specify which memory regions different pieces of a program may access, and when they are allowed to access them.
  • Investigate ways to continuously randomize the instruction layout of a program at regular intervals during runtime.

Results & Impact

  • Project recently began

Language-Theoretic Security: Preventing O-Days

S. Bratus, J. Reeves, S.W. Smith, P. Anantharaman, M. Millian (Students) with SRI and Upstanding Hackers

Objectives

  • Prevention of 0-days and forever-days arising from input-handling vulnerabilities.

Key Idea

  • represent input at a formal language
  • treat parsing/validation as a language recognition problem

Key Science Methods & Advances

Defenses

  • Developed a high assurance parser-combinator toolkit – hammer.
  • Developed parsers for various SCADA/ICS protocols – DNP3, MQTT, C37.118, IEC61850.
  • Developing a novel technique of injecting parsers in legacy binaries, to expunge input-handling vulnerabilities from them.

Testing

  • Differential parsing
  • Using recognizability limits to develop fuzz-testing

Results & Impact

  • Our parsers are resilient to the American Fuzzy Lop (AFL) Fuzzer, and the DNP3 parser is resilient to the custom fuzzer, Aegis.

Public Key Infrastructure

S.W. Smith, R. Brentrup, S. Rea, et al.

Objectives

  • In theory, public key cryptography enables scalable trust communication in large populations
  • In practice, many obstacles emerge
  • What can we do, in both theory and practice?
  • Joint with Dartmouth’s IT Services

Key Science Methods & Advances

Deployment

  • Retrofitted all Dartmouth online services to accept client-side PKI authentication
  • Set up and operated (for many years) a PKI for all Dartmouth students, faculty, and staff
  • Helped run the Higher Education Bridge CA

Research

  • Founding program chair for NIST’s PKI Research Workshop (later IDTrust)
  • Experimental applications of attribute certificates for real-world trust settings
  • Security of OTS keystores
  • Trusted paths and usability of user-facing PKI tools
  • Scalability issues for PKI in BGP routing and in other Internet-scale populations

Ongoing Work

  • Cryptographic glue for identity and attributes in smart grids an the IoT

Results & Impact

  • P. Anantharaman, K. Palani, D. Nicol, S.W. Smith. "I am Joe's Fridge: Scalable Identity in the Internet of Things" IEEE International Conference on Internet of Things. December 2016
  • S.W. Smith. "Cryptographic Scalability Challenges in the Smart Grid." Innovative Smart Grid Technologies (ISGT 2012).IEEE Power Engineering Society. January 2012.
  • M. Pala, S.W. Smith. "PRQP: Finding the PKI Needles in the Internet Haystack." Journal of Computer Security. 18(3). 2010.
  • J. Marchesini, S.W. Smith, M. Zhao. "Keyjacking: the Surprising Insecurity of
  • Client-side SSL." Computers and Security. 4 (2): 109-123. March 2005.
  • G. Weaver, S. Rea., S.W. Smith. "Computational Techniques for Increasing PKI Policy Comprehension by Human Analysts." IDtrust 2010: 9th Symposium on Identity and Trust on the Internet. ACM. 51--62
  • M. Zhao, S.W. Smith and D. Nicol. "Aggregated Path Authentication for Efficient BGP Security." 12th ACM Conference on Computer and Communications Security. November 2005.
  • E. Ye, S.W. Smith. "Trusted Paths for Browsers." 11th USENIX Security Symposium.August 2002.

Trusted Computing

S.W. Smith (IBM Research, then Dartmouth)

Objectives

  • How can Alice trust computation that takes place at Bob’s computer, if Alice doesn’t trust Bob?

Key Science Methods & Advances

  • AT IBM:
    • Design, implementation, and formal validation of IBM 4758 secure coprocessor platform
    • World’s first FIPS 140-1 Level 4 device
    • Attestation and secure execution environments---before TCPA/TCG/SGX etc.
    • Continues to be a product line
  • At Dartmouth
    • Design and prototype of Web server taking the SSL tunnel all the way into a trusted environment
    • (Arguably) the world’s first open-source TCPA/TCG platform implementation
    • Using trusted hardware for protecting end user privacy on large servers
    • Using networks of tiny trusted third parties for privacy and security of large computations, even from root

Results & Impact

  • Falcon Darkstar Momot, Sergey Bratus, Sven M. Hallberg, and Meredith L. Patterson. 2016. The Seven Turrets of Babel: A Taxonomy of LangSec Errors and How to Expunge Them. In IEEE Cybersecurity Development. 45–52.
  • Ira Ray Jenkins, Sergey Bratus, Sean Smith, and Maxwell Koo. 2018. Reinventing the Privilege Drop: How Principled Preservation of Programmer Intent Would Prevent Security Bugs. In HoTSoS ’18: Hot Topics in the Science of Security: Symposium and Bootcamp, April 10–11, 2018

Part of the CREDC/TCIPG/TCIP Project

Attribute-Based Usefully Secure Email

C. Masone, S.W. Smith (Dartmouth)

Objectives

  • How do we enable humans to make correct trust judgments about communications?
  • Response and recovery from the 2003 East Coast Blackout
    • Most coordination carried out over the phone
    • Need to take mitigating action quickly
    • Often, collaborators do not know each other beforehand
    • Leverage informal trust connections to get work done
  • Corpus: telephone transcripts from MISO 
    • Motivating our work
    • Moving away from phone is more efficient, auditable
    • But signed email not useful in absence of pre-existing relationships
    • We can help!

Key Science Methods & Advances

  • Rather than automate the trust decision, we automate the trust signals so the user can make the correct decision.
  • Identify trust flows in 2003 transcripts: how grid operators decided to authenticate remote requests for information or action
    • Delegation
    • Role-based delegation
    • Role-sourced arbitrary delegation
    • Friend-sourced arbitrary delegation
  • Use X.509 attribute certificates to express relevant assertions on top of identity PKI
  • Integrate into email
    • Certs encoded as text, put into headers
    • Avoids push-back experienced by PGP/MIME
    • Tied to message signature by hash appended to body
  • Prototype code and GUI
  • Validation via user study

Results & Impact

  • ABUSE helps users identify trustworthy messages without help ...without more false positives!
  • C. Masone, S.W. Smith. “ABUSE: PKI for Real-World Email Trust.” Public Key Infrastructure: EuroPKI 2009. Springer-Verlag LNCS 6391, 2010. 146--162.
  • C. Masone, S.W. Smith. “Towards Usefully Secure Email.” IEEE Technology and Society (Special Issue on Security and Usability) 26 (12): 25-34. Spring 2007.
  • Ph.D. thesis: Dartmouth TR2008-633

Part of the CREDC/TCIPG/TCIP Project

Extended UNIX Tools (XUTOOLS)

G.A. Weaver (UIUC), S.W. Smith (Dartmouth)

Objectives

  • Practitioners need to be able to measure how security policies and policy artifacts change over time.
  • Extend Unix text processing tools to operate on the high-level languages in which security policies are expressed.
  • Enable practitioners to process policy at multiple levels of abstraction depending upon the level of detail needed.
  • Provide a set of tools to compare security policies expressed in natural language documents, configuration files, or code.

Key Science Methods & Advances

  • During policy analysis, people identify meaningful substrings of text and categorized them into groups such as sentences, pages, lines, and function blocks.
  • Our research interprets these useful structures as different context-free languages by which we can analyze text.

Results & Impact

  • Articles on our research have been featured in various news outlets including ComputerWorld, CIO Magazine, Communications of the ACM, and Slashdot. XUTools website.
  • Papers:
    • Weaver, Gabriel A., and Sean W. Smith. "XUTools: Unix Commands for Processing Next-Generation Structured Text." LISA. 2012.
    • Weaver, Gabriel A., et al. "Re-engineering Grep and Diff for NERC CIP." Power and Energy Conference at Illinois (PECI), 2012 IEEE. IEEE, 2012.