Open Access. Powered by Scholars. Published by Universities.®

Physical Sciences and Mathematics Commons

Computer Sciences

Portland State University

Computer networks -- Security measures

Articles 1 - 10 of 10

Full-Text Articles in Physical Sciences and Mathematics

A Method For Comparative Analysis Of Trusted Execution Environments, Stephano Cetola Jun 2021

Dissertations and Theses

The problem of secure remote computation has become a serious concern of hardware manufacturers and software developers alike. Trusted Execution Environments (TEEs) are a solution to the problem of secure remote computation in applications ranging from "chip and pin" financial transactions to intellectual property protection in modern gaming systems. While extensive literature has been published about many of these technologies, there exists no current model for comparing TEEs. This thesis provides hardware architects and designers with a set of tools for comparing TEEs. I do so by examining several properties of a TEE and comparing their implementations in several technologies. …


Extensible Performance-Aware Runtime Integrity Measurement, Brian G. Delgado Mar 2020

Dissertations and Theses

Today's interconnected world consists of a broad set of online activities including banking, shopping, managing health records, and social media while relying heavily on servers to manage extensive sets of data. However, stealthy rootkit attacks on this infrastructure have placed these servers at risk. Security researchers have proposed using an existing x86 CPU mode called System Management Mode (SMM) to search for rootkits from a hardware-protected, isolated, and privileged location. SMM has broad visibility into operating system resources including memory regions and CPU registers. However, the use of SMM for runtime integrity measurement mechanisms (SMM-RIMMs) would significantly expand the amount …


Novel Cryptographic Primitives And Protocols For Censorship Resistance, Kevin Patrick Dyer Jul 2015

Dissertations and Theses

Internet users rely on the availability of websites and digital services to engage in political discussions, report on newsworthy events in real-time, watch videos, etc. However, sometimes those who control networks, such as governments, censor certain websites, block specific applications or throttle encrypted traffic. Understandably, when users are faced with egregious censorship, where certain websites or applications are banned, they seek reliable and efficient means to circumvent such blocks. This tension is evident in countries such as Iran and China, where the Internet censorship infrastructure is pervasive and continues to increase in scope and effectiveness.

An arms race is …


Finding IRC-Like Meshes Sans Layer 7 Payloads, Akshay Dua, Jim Binkley, Suresh Singh Jan 2009

Computer Science Faculty Publications and Presentations

We present an algorithm for detecting IRC-like chat networks that does not rely on Layer 7 payload information. The goal is to extract only those meshes from conventional flows where long-term periodic data is being exchanged between an external server and multiple internal clients. Flow data is passed through a series of filters that reduce the memory requirements needed for final candidate mesh sorting. Final outputs consist of two sorted lists including the fanout list, sorted by the number of client hosts in the mesh, and a secondary list called the evil sort. The latter consists of meshes with any …


Traffic Analysis Of UDP-Based Flows In Ourmon, Jim Binkley, Divya Parekh Jan 2008

Computer Science Faculty Publications and Presentations

We present a custom UDP flow tuple with an IP address key and a set of simple related statistical attributes. Attributes are used to calculate a per host metric called the UDP work weight which roughly measures the amount of network noise caused by a host. The work weight is used to produce a near real-time sorted top N report for UDP host tuples. We also present a derived attribute based on an algorithm called the UDP guesstimator. The UDP guesstimator roughly classifies port report hosts into various traffic categories including security threats (DOS/scanning) or P2P hosts based on high …


Protecting The Internet With Public Work, Ed Kaiser, Wu-Chang Feng Jan 2007

Computer Science Faculty Publications and Presentations

Distributed denial-of-service attacks represent a growing problem for networked systems. To tackle this problem, this paper explores the addition of a public work function to the service advertisement mechanisms used by such systems. When under attack, services advertise this function along with their location information and clients must attach a solution to the function with subsequent requests. The function, which can be made specific to the source of traffic, is publicly verifiable, allowing arbitrary network devices at the edges of the network to quickly verify that subsequent communication from the source will be accepted by the destination. We describe a …


Locality, Network Control And Anomaly Detection, Jim Binkley Jan 2005

Computer Science Faculty Publications and Presentations

Ourmon is a near real-time network monitoring and anomaly detection system that captures packets using port-mirroring on Ethernet switches. It primarily displays data via web graphics using either RRDTOOL stripcharts or via histograms for top talker style graphs. We have developed a theory that network scanning launched primarily by worm programs including TCP and UDP scanners may be caught by monitoring network control data including TCP control packets (SYNS, FINS, RESETS) and ICMP errors, or by monitoring certain carefully chosen metadata such as the flow count itself. In this paper we concentrate on TCP and present a "flow tuple" focused …


The Cracker Patch Choice: An Analysis Of Post Hoc Security Techniques, Crispin Cowan, Heather Hinton, Calton Pu, Jonathan Walpole Oct 2000

Computer Science Faculty Publications and Presentations

It has long been known that security is easiest to achieve when it is designed in from the start. Unfortunately, it has also become evident that systems built with security as a priority are rarely selected for widespread deployment, because most consumers choose features, convenience, and performance over security. Thus security officers are often denied the option of choosing a truly secure solution, and instead must choose among a variety of post hoc security adaptations. We classify security enhancing methods, and compare and contrast these methods in terms of their effectiveness vs. cost of deployment. Our analysis provides practitioners …


StackGuard: Automatic Adaptive Detection And Prevention Of Buffer-Overflow Attacks, Crispin Cowan, Calton Pu, David Maier, Heather Hinton, Jonathan Walpole, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, Qian Zhang Jan 1998

Computer Science Faculty Publications and Presentations

This paper presents a systematic solution to the persistent problem of buffer overflow attacks. Buffer overflow attacks gained notoriety in 1988 as part of the Morris Worm incident on the Internet. While it is fairly simple to fix individual buffer overflow vulnerabilities, buffer overflow attacks continue to this day. Hundreds of attacks have been discovered, and while most of the obvious vulnerabilities have now been patched, more sophisticated buffer overflow attacks continue to emerge.

We describe StackGuard: a simple compiler technique that virtually eliminates buffer overflow vulnerabilities with only modest performance penalties. Privileged programs that are recompiled with the StackGuard …


A Policy-Independent Secure X Server, Kirk Joseph Bittler Jan 1996

Dissertations and Theses

This thesis demonstrates that a secure X system can be designed and implemented to be independent of a particular security policy. The advantages and costs of a separation of security policy and enforcement are examined by developing a large scale application, the DX windowing system, on a DTOS platform. DTOS is a high assurance operating system that isolates policy decisions in a Security Server. A security conscious process, such as DX, eliminates policy considerations from the code. The process instead consults the Security Server and enforces the decisions that server derives from the policy. The DX architecture is described and …