The Security and Privacy Day is a biannual workshop sponsored by the greater New York City area
computer security research community for bringing area researchers together, fostering
multi-institutional collaborations, and discussing and exchanging our ideas and experiences
with security and privacy research. Take a look at our previous successful S&P Day.
We invite you to attend and encourage you (especially students)
to submit a proposal for a poster by sending email to V. C. Sreedhar (vugranam@us.ibm.com).
Please send me the title and a short abstract of your poster. Please also
let me know if you need any supplies for your poster.
The Security and Privacy Day will be held on Friday, December 5, 2008,
in the auditorium of IBM T. J. Watson Research Center, 19 Skyline Drive, Hawthorne,
New York 10532. Note that the main lobby is located at the rear
of the building. For directions to the site, please see the Watson Visitor
Webpage.
Registration
Registration is required for attendance and it is free. Please register by
sending an email to vugranam@us.ibm.com with the subject S&P Day 2008 Registration and the body containing
your name, affiliation, and contact information. The last day for registration is Nov 24, 2008
and is mandatory (so that we can plan for lunch and refreshments to
be available.)
Location and driving directions
The S&P day will be held at room GN-F15 in the Hawthorne-I building
at 19, Skyline Drive, Hawthorne, New York 10532.
Directions to the building can be found at http://www.watson.ibm.com/general_info_haw.html
Information about local hotels can be found at: http://www.watson.ibm.com/lodging.html
Please follow directions at the site to visitor's entrance reception,
which is on the BACK SIDE of the building. From the reception area,
follow directions to room GN-F15. You will be reaching Skyline
drive via Rt. 9A. Both ends of Skyline drive meet Rt. 9A. If you
come in via the south end of Skyline drive, IBM Research is the
first building on the right. Move to the left lane, as the right
lane leads to the employee's entrance (the first entrance). Take
the next entrance (the second entrance) to reception. After you
go through the gate, go to the parking lot on the right side.
You are welcome from 8:30AM onwards, and the keynote presentation will
start at 10AM sharp.
Agenda
Abstracts
Registration
Please register at the front lobby. Bring a photo identification, otherwise the security person
will probably get annoyed. Please do send me an email (vugranam@us.ibm.com) if you plan to attend.
Introduction
Dr. Chung-Sheng Li
IBM Research, Hawthorne
Chung-Sheng Li received the BSEE degree from National Taiwan University, Taiwan, R.O.C., in 1984,
and the MS and PhD degrees in electrical engineering and computer science from the University of California,
Berkeley, in 1989 and 1991, respectively. He has been with the Computer Science Division at the
IBM T.J. Watson Research Center as a research staff member since Sept. 1991, and has been the
Department Group Manager of the Security, Information Analytics, and Business Integrity department since May 2006.
His research interests include security and compliance, digital library and multimedia databases,
knowledge discovery and data mining. He has initiated and coinitiated several research programs in IBM
on fast tunable receiver for all-optical networks, content-based retrieval in the compressed domain for
large image/video databases, federated digital libraries, and bio-surveillance.
He has authored or coauthored more than 130 journal and conference papers and
received the best paper award from IEEE Transactions on Multimedia in 2003. He is both
a member of IBM Academy of Technology and a Fellow of the IEEE.
Chung-Sheng Li will introduce how S&P Day is vital to the local community and
why it is important to continue this tradition and bring local security experts
together to share ideas and collaborate.
Key Note Speech: Hardware-assisted System Security
Prof. Ruby Lee
Princeton University
Ruby B. Lee is the Forrest G. Hamrick Professor of Engineering and Professor of Electrical Engineering at
Princeton University, with an affiliated appointment in the Computer Science Department.
She is the director of the Princeton Architecture Laboratory for Multimedia and Security (PALMS).
Her current research is in designing security-aware processors, secure and resilient systems, protecting
critical information, and advanced ISA for ubiquitous parallelism and security.
She is a Fellow of the ACM, Fellow of the IEEE and Associate Editor-in-Chief of IEEE Micro.
Prior to joining the Princeton faculty in 1998, Dr. Lee served as chief architect at Hewlett-Packard,
responsible at different times for processor architecture, multimedia architecture and security architecture.
She was a key architect of the PA-RISC architecture used for HP workstations and servers.
She pioneered adding multimedia instructions to microprocessors, facilitating ubiquitous and
pervasive multimedia. She co-led an Intel-HP architecture team designing new ISA for multimedia
and data parallelism for 64-bit Intel microprocessors. Simultaneous with her full-time HP tenure,
she was also Consulting Professor of Electrical Engineering at Stanford University. She has a
Ph.D. in Electrical Engineering and a M.S. in Computer Science, both from Stanford University, and
an A.B. with distinction from Cornell University, where she was a College Scholar. She has been
granted over 120 United States and international patents, and has authored numerous conference
and journal papers on computer architecture, processor design, multimedia and security topics.
Security will be ubiquitous in commodity systems only if it does not compromise performance, cost, usability and energy efficiency.
Building security into systems without compromising performance is often difficult with software-only solutions, especially if
this has to be done during runtime. Hardware can also provide “trust anchors” for enhancing software trustworthiness.
We discuss how security-aware microprocessors can provide the means to enhance trust for applications, without necessarily
depending on commodity operating systems which can be compromised due to their complexity. This includes runtime
attestation to a remote party that a computer can perform a certain security-critical task even if part of the software stack
may be corrupted. Such mechanisms go beyond what TPM can provide today. We also discuss how hardware subsystems,
such as shared caches, can be designed so that they cannot be used to leak secret information through software cache-based
side-channel attacks. Note that such attacks can undermine strong software isolation provided by virtualization technology
and strong cryptography. We show a novel cache architecture that improves performance beyond that achievable by traditional
cache architectures while simultaneously improving security and power efficiency -- to demonstrate that design for security need
not sacrifice performance and other important market-driven goals.
Key Note Speech: Trends in Security Research - An Industrial Research Perspective
Dr. Josyula Rao
IBM Research
J.R. Rao leads the Security Department at IBM's Thomas J. Watson Research Center. The group
covers a range of areas including Web Services Security, Information Security, Virtualization and Cloud
Computing, Software as a Service, Secure Hardware, Applied Cryptography and Side Channel Cryptanalysis.
JR is a member of the IFIP Working Group 2.3 (Programming Methodology) and is on the
Steering Committee of the CHES Conference. He has published widely in a number of security
conferences and holds numerous US and European patents. He was an Adjunct Professor at the Department of
Computer Sciences, New York University in 1997.
JR has a Ph.D. in Computer Science from the University of Texas at Austin, 1992, an M.S. in
Computer Science from the State University of New York at Stony Brook, 1986 and a B.Tech. in
Electrical Engineering from the Indian Institute of Technology, Kanpur, 1984.
The emergence of the globally integrated enterprise, new and disruptive modes of IT delivery along with the rapid
adoption and deployment of relatively untested technologies have combined to create new and increasingly
sophisticated avenues of attack. The concomitant explosion and spread of sensitive information and the
increasing sophistication of adversaries ranging from script kiddies to nation states necessitate an enterprise
security model that can meet these challenges in the face of a ubiquitous and universal security threat. In this talk,
we will describe these trends, question the effectiveness of current security models and highlight current research
directions being pursued at IBM (and elsewhere) to address these problems.
Student Presentations
Defending Against Malware and Intrusion Attacks on Embedded Systems
Najwa Aaraj
Princeton University
Najwa Aaraj received the B.Eng. degree in Computer and Communication
Engineering from the American University of Beirut, Beirut, Lebanon,
in 2004, and the M.A. degree in Electrical Engineering from Princeton
University, Princeton, NJ in 2006. She is currently pursuing a Ph.D.
degree in Electrical Engineering at Princeton University. For her
dissertation, she is working on the design of architectures for
secure and trusted systems against software and hardware
vulnerabilities.
The incidence of malicious code and intrusion attacks on embedded platforms is constantly on the rise. Yet, little
effort is being devoted to combating such threats to embedded systems. Moreover, adapting security approaches designed for
general-purpose systems generally fails because of the limited processing capabilities of their embedded counterparts.
In this work, we evaluate a malware and intrusion attack defense framework for embedded systems. The utilized
framework is adapted from prior work, which protects against security attacks using the concept of isolated execution environments
and dynamic binary instrumentation (DBI). We present a suite of software and hardware optimizations to reduce the
overheads induced by the defense framework on embedded systems. Software optimizations include the usage of static analysis,
complemented with DBI in the Testing environment (i.e., a hybrid software analysis approach is used). Hardware optimizations
exploit parallel processing capabilities of multiprocessor systems-on-chip.
We have evaluated the defense framework and proposed optimizations on the ARM-Linux operating system. Experiments
demonstrate that our framework achieves a high coverage of considered security threats, with acceptable performance penalties
(the average execution time of applications goes up to 1.68X, considering all optimizations).
Access Privacy on Untrusted Storage
Peter Williams
State University of New York at Stony Brook
Peter Williams is a 3rd year PhD student in the Network Security and
Applied Cryptography Lab at Stony Brook University. His research focus
is security in outsourced environments, especially with respect to
private information retrieval.
We introduce a practical mechanism for remote data storage with
efficient access pattern privacy and correctness. A storage client can
deploy this mechanism to issue encrypted reads, writes, and inserts to
a potentially curious and malicious storage service provider, without
revealing information or access patterns. The provider is unable to
establish any correlation between successive accesses, or even to
distinguish between a read and a write. Moreover, the client is
provided with strong correctness assurances for its operations -
illicit provider behavior does not go undetected. We built a first
practical system - orders of magnitude faster than existing
implementations - that can execute over several queries per second on
1Tbyte+ databases with full computational privacy and correctness.
Online Self-update for Anomaly Detection Models
Gabriela Cretu-Ciocarlie
Columbia University
Gabriela Cretu-Ciocarlie is a fifth year PhD student in the Computer Science
Department of Columbia University. She is currently working on methods
for improving the quality of training datasets and models for AD
systems. She got her MS from Columbia University in Computer Science and
BS from Politechnical University of Bucharest in Computer Engineering.
The efficacy of Anomaly Detection (AD) sensors depends heavily on the
quality of the data used to train them. Artificial or contrived training
data may not provide a realistic view of the deployment environment.
Most realistic data sets are dirty; that is, they contain a number of
attacks or anomalous events. The size of these high-quality training
data sets makes manual removal or labeling of attack data infeasible. As
a result, sensors trained on this data can miss attacks and their
variations. We propose extending the training phase of AD sensors (in a
manner agnostic to the underlying AD algorithm) to include a fully
calibrated sanitization phase. Our results suggest that this phase
automatically and significantly improves the quality of unlabeled
training data by making it as "attack-free" and "regular" as possible in
the absence of absolute ground truth. We also explore techniques in
which we can cope with the dynamics of a changing system and update the
models accordingly.
Enforcing Authorization Policies using Transactional Memory Introspection
Prof. Vinod Ganapathy
Rutgers University
Vinod Ganapathy is an Assistant Professor of Computer Science at Rutgers University and
a member of DIMACS. He completed his Ph.D. in Computer Science from the
University of Wisconsin-Madison in August 2007. Before that, he was
an undergraduate student at IIT Bombay, from where he earned a B.Tech.
in Computer Science and Engineering in May 2001. He hails from Bangalore,
the silicon valley of India.
Correct enforcement of authorization policies is a difficult task, especially for
multi-threaded software. Even in carefully-reviewed code, unauthorized access may
be possible in subtle corner cases. We introduce Transactional Memory
Introspection (TMI), a novel reference monitor architecture that builds on
Software Transactional Memory---a new, attractive alternative for writing
correct, multi-threaded software.
TMI facilitates correct security enforcement by simplifying how the reference
monitor integrates with software functionality. TMI can ensure complete mediation
of security-relevant operations, eliminate race conditions related to security
checks, and simplify handling of authorization failures. We present the design
and implementation of a TMI-based reference monitor and experiment with its
use in enforcing authorization policies on four significant servers. Our experiments
confirm the benefits of the TMI architecture and show that it imposes an acceptable
runtime overhead.
Automatically Generating Malicious Disks using Symbolic Execution
Prof. Junfeng Yang
Columbia University
Junfeng Yang is an assistant professor in the Computer Science department
at Columbia University. Before that, he was a Post-doc researcher at
Microsoft Research Silicon Valley. Junfeng Yang received his Ph.D. in
Computer Science from Stanford University in 2008, his MS in Computer
Science from Stanford in 2002, and his BS in Computer Science from
Tsinghua University, Beijing, China in 2000. He is a recipient of the
Best Paper Award of OSDI 2004.
Many current systems allow data produced by potentially
malicious sources to be mounted as a file
system. File system code must check this data for
dangerous values or invariant violations before using
it. Because file system code typically runs inside
the operating system kernel, even a single unchecked
value can crash the machine or lead to an exploit.
Unfortunately, validating file system images is complex:
they form DAGs with complex dependency relationships
across massive amounts of data bound
together with intricate, undocumented assumptions.
This talk shows how to automatically find bugs in
such code using symbolic execution. Rather than
running the code on manually-constructed concrete
input, we instead run it on symbolic input that is
initially allowed to be "anything." As the code runs,
it observes (tests) this input and thus constrains its
possible values. We generate test cases by solving
these constraints for concrete values. The approach
works well in practice: we checked the disk mounting
code of three widely-used Linux file systems: ext2,
ext3, and JFS and found bugs in all of them where
malicious data could either cause a kernel panic or
form the basis of a buffer overflow attack.
Efficient Verifiable Random Functions and Applications
Prof. Rob Johnson
State University of New York at Stony Brook
Rob Johnson is an Assistant Professor of Computer Science at Stony Brook
University and the director of the Security, Programming Languages, And
Theory (SPLAT) Lab. His current research focuses on software security,
secure system design, usable security, web security, and cryptography.
He received his Ph.D. from the University of California at Berkeley and
his B.S. from the University of North Carolina at Greensboro. He is a
co-author of CQual, which is still the world's best format-string bug
finder.
A Verifiable Random Function (VRF) is a PRF that enables one to
prove that an arbitrary set of $\ell$ VRF outputs were computed
correctly, without compromising the pseudo-randomness of the other
VRF outputs. We present two new VRF constructions. First, we
modify the RSA-based construction of Micali et al. to speed up the
verification operation. This modification also enables a batching
optimization that increases the efficiency of this scheme from $1$
bit per exponentiation to $\Theta(\frac{n}{\log n})$ bits per
exponentiation. We also show how to create a constant-sized proof
that any number of outputs were generated correctly. We then build
a VRF using a PRF and a Merkle hash-tree. This VRF can be built
from any efficient PRF, e.g., AES, and collision-resistant hash
function, e.g., SHA-256, so it could be quite efficient, although the
proofs are longer. We finally point out that, in the random oracle
model, any verifiable unpredictable function leads immediately to an
efficient VRF with a tight security reduction.
We then describe two example VRF applications. We add a VRF to an
existing cryptographic voting protocol to eliminate all the
subliminal channels. We then show how to use VRFs to perform
cut-and-choose with constant communication.
Causality and Accountability
Prof. Dominic Duggan
Stevens Institute of Technology
Professor Duggan is an Associate Professor in the Computer Science
Department at Stevens Institute of Technology in Hoboken NJ. A graduate
of the University of Maryland, College Park, he has previously held
faculty positions at the University of Waterloo and Case Western Reserve
University. His research interests are in language-based security,
programming languages and software engineering.
Noninterference is a standard correctness condition for information flow control, but achieving it may sometimes be too expensive to be practical, particularly for distributed applications. A framework is introduced for specifying what forms of information flow control should be secured. Accountable noninterference requires that there be no information leaks via accountable information flows. An example application is in delineating sequential and distributed information flows, allowing different enforcement mechanisms for each. As such, the framework allows the specification of mechanism, dual to policy, in information flow control.
Joint work with Ye Wu.
Security for Cloud Computing
Dr. Dimitrios Pendarakis
IBM Research
D. Pendarakis is a Research Staff Member and manager of the Secure
Systems group at the IBM T.J. Watson Research Center. His current
research interests include secure virtualization and cloud computing,
trusted computing and secure hardware. He previously worked in various
areas related to computer security, including IPsec/IKE, secure
multi-party communication and secure messaging with applications
to sensor networks. Dimitrios joined IBM in 1995 after receiving
his PhD from Columbia University. Between 2000 and 2003 he was
Principal architect with Tellium, where he led the development
of next generation management systems for intelligent
optical networks.
Virtualization technologies are increasingly used in data centers, driven by the ability to
consolidate workloads and thus reduce power consumption, as well as the promise of
increased flexibility and ease of workload migration. The resultant management simplification
facilitates the emergence of the cloud computing paradigm, in which IT infrastructure,
applications and data are provided to users as services over a network, public or private.
Computing clouds can achieve economies of scale, thus providing services that can be
made available globally at very large scale and low cost.
What is unique about cloud computing security? Certainly, the loss of physical ownership
redefines the boundaries of traditional IT infrastructure and introduces new technological and
cultural challenges. Additionally, the large scale and number of tenants coupled with the more
dynamic deployment patterns pose higher misconfiguration risks and make it harder to reason
about security in a cloud computing environment.
To address these challenges we present an architecture in which security is built into computing
clouds instead of being an add on. Our objective is to provide strong isolation between different
tenant workloads as well as between tenants and cloud administrators, protecting cloud users
from interference, malicious applications and misconfigurations. Our architecture combines
strong isolation at the infrastructure level with security services that monitor the integrity
of the underlying cloud components and the various workloads. It uses a high-level specification of
isolation and integrity requirements and constraints that supports simplified, policy-driven security
management enabling quick and consistent response to dynamic data center conditions. We discuss
how the high-level policy drives the consistent configuration of distributed cloud resources such as
servers/hypervisors, network infrastructure and storage and how it gets translated into lower level
security policies. Continuous auditing and scanning of the cloud resources for misconfigurations
and vulnerabilities is an essential element in maintaining secure operation of a cloud.
We conclude by discussing some early implementation results.