
ACM Transactions on Information and System Security: latest publications

Privacy-preserving distributed network troubleshooting—bridging the gap between theory and practice
Pub Date: 2011-12-01. DOI: 10.1145/2043628.2043632
M. Burkhart, X. Dimitropoulos
Today, there is a fundamental imbalance in cybersecurity. While attackers act in an increasingly global and coordinated way, network defense is limited to examining local information only, due to privacy concerns. To overcome this privacy barrier, we use secure multiparty computation (MPC) for the problem of aggregating network data from multiple domains. We first optimize MPC comparison operations for processing high-volume data in near real-time by not forcing protocols to run in a constant number of synchronization rounds. We then implement a complete set of basic MPC primitives in the SEPIA library. For parallel invocations, SEPIA's basic operations are between 35 and several hundred times faster than those of comparable MPC frameworks. Using these operations, we develop four protocols tailored for distributed network monitoring and security applications: the entropy, distinct count, event correlation, and top-k protocols. Extensive evaluation shows that the protocols are suitable for near real-time data aggregation. For example, our top-k protocol PPTKS accurately aggregates counts for 180,000 distributed IP addresses in only a few minutes. Finally, we use SEPIA with real traffic data from 17 customers of a backbone network to collaboratively detect, analyze, and mitigate distributed anomalies. Our work follows a path starting from theory, going to system design, performance evaluation, and ending with measurement. Along this way, it makes a first effort to bridge two very disparate worlds: MPC theory and network monitoring and security practices.
Citations: 16
On two RFID privacy notions and their relations
Pub Date: 2011-12-01. DOI: 10.1145/2043628.2043631
Yingjiu Li, R. Deng, Junzuo Lai, Changshe Ma
Privacy of RFID systems is receiving increasing attention in the RFID community. Basically, there are two kinds of RFID privacy notions in the literature: one based on the indistinguishability of two tags, denoted as ind-privacy, and the other based on the unpredictability of the output of an RFID protocol, denoted as unp-privacy. In this article, we first revisit the existing unpredictability-based RFID privacy models and point out their limitations. We then propose a new RFID privacy model, denoted as unp*-privacy, based on the indistinguishability of a real tag and a virtual tag. We formally clarify its relationship with the ind-privacy model. It is proven that ind-privacy is weaker than unp*-privacy. Moreover, the minimal (necessary and sufficient) condition on RFID tags to achieve unp*-privacy is determined. It is shown that if an RFID system is unp*-private, then the computational power of an RFID tag can be used to construct a pseudorandom function family provided that the RFID system is complete and sound. On the other hand, if each tag is able to compute a pseudorandom function, then the tags can be used to construct an RFID system with unp*-privacy. In this sense, a pseudorandom function family is the minimal requirement on an RFID tag's computational power for enforcing RFID system privacy. Finally, a new RFID mutual authentication protocol is proposed to satisfy the minimal requirement.
Citations: 11
Guest Editorial: SACMAT 2009 and 2010
Pub Date: 2011-11-01. DOI: 10.1145/2043621.2043622
J. Joshi, B. Carminati
This issue of TISSEC includes extended versions of articles selected from the programs of the 14th and 15th ACM Symposium on Access Control Models and Technologies (SACMAT 2009 and SACMAT 2010), which were held, respectively, in Stresa, Italy on June 3-5, 2009, and in Pittsburgh, USA on June 9-11, 2010. These symposia continued the SACMAT tradition of being the premier forum for presentation of research results on cutting-edge issues of access control, including models, systems, applications, and theory. SACMAT 2009 received 75 submissions from around the world. After a rigorous review process and program committee discussion, 24 papers were included in the program. SACMAT 2010 attracted a total of 79 papers from Africa, Asia, Australia, Europe and North America. In SACMAT 2010, submissions were anonymous, and each of them was reviewed according to a blind review process by at least three reviewers who are experts in the field. As a result of this review process, the SACMAT 2010 program committee selected 19 articles that cover a variety of topics, including RBAC, policy analysis, role engineering and access control in distributed environments. Based on the original reviews and the feedback from session chairs, two papers from SACMAT 2009 and two papers from SACMAT 2010 were invited for submission to this special issue. The journal submissions went through an additional review process by selected members of the SACMAT 2010 program committee as well as external reviewers. The authors were required to incorporate significant technical extensions into their extended versions. Each article went through two rounds of reviews in which the authors were requested to respond to the review comments and update the submissions accordingly. As the result of this review process, we finalized three articles to be included in this special issue. The first two articles are from the SACMAT 2009 program and the third article is from the SACMAT 2010 program.
The first article, titled “Group-Centric Secure Information-Sharing Models for Isolated Groups” by Ram Krishnan, Jianwei Niu, Ravi Sandhu, and William H. Winsborough, proposes a theory for Group-Centric Secure Information Sharing (g-SIS) with isolated groups and formalizes a family of g-SIS models. The proposed g-SIS approach brings together users and objects in a group from different external sources and facilitates information sharing. The authors focus on the authorization semantics of the group operations join and leave for users and add, remove and create for objects. They use first-order temporal logic to define the core properties and some additional properties related to the authorization consequences of these operations. They show that the core properties are logically consistent and mutually independent. Further, they specify authorization behavior for a family of g-SIS models and prove that these models satisfy the core and selected additional properties. The second article, titled “Combining Discretionary Policy with Mandatory Information Flow in Operating Systems” by Ziqing Mao, Ninghui Li, Hong Chen, and Xuxian Jiang, combines the discretionary policy of DAC with the dynamic information flow techniques of MAC and proposes an Information Flow Enhanced Discretionary Access Control (IFEDAC) model. The authors describe the design of IFEDAC, explain its relationship with the existing Usable Mandatory Integrity Protection model, and analyze their security properties. The authors also describe their implementation of IFEDAC on Linux and present their evaluation results. The third article, titled “Access Control Policy Translation, Verification, and Minimization within Heterogeneous Data Federations” by Gregory Leighton and Denilson Barbosa, discusses the problem of enforcing access control policies across
Citations: 0
Access Control Policy Translation, Verification, and Minimization within Heterogeneous Data Federations
Pub Date: 2011-11-01. DOI: 10.1145/2043621.2043625
G. Leighton, Denilson Barbosa
Data federations provide seamless access to multiple heterogeneous and autonomous data sources pertaining to a large organization. As each source database defines its own access control policies for a set of local identities, enforcing such policies across the federation becomes a challenge. In this article, we first consider the problem of translating existing access control policies defined over source databases in a manner that allows the original semantics to be observed while becoming applicable across the entire data federation. We show that such a translation is always possible, and provide an algorithm for automating the translation. We show that verifying whether a translated policy obeys the semantics of the original access control policy defined over a source database is intractable, even under restrictive scenarios. We then describe a practical algorithmic framework for translating relational access control policies into their XML equivalent, expressed in the eXtensible Access Control Markup Language. Finally, we examine the difficulty of minimizing translated policies, and contribute a minimization algorithm applicable to nonrecursive translated policies.
Citations: 5
Combining Discretionary Policy with Mandatory Information Flow in Operating Systems
Pub Date: 2011-11-01. DOI: 10.1145/2043621.2043624
Ziqing Mao, Ninghui Li, Hong Chen, Xuxian Jiang
Discretionary Access Control (DAC) is the primary access control mechanism in today’s major operating systems. It is, however, vulnerable to Trojan Horse attacks and attacks exploiting buggy software. We propose to combine the discretionary policy in DAC with the dynamic information flow techniques in MAC, therefore achieving the best of both worlds, that is, the DAC’s easy-to-use discretionary policy specification and MAC’s defense against threats caused by Trojan Horses and buggy programs. We propose the Information Flow Enhanced Discretionary Access Control (IFEDAC) model that implements this design philosophy. We describe our design of IFEDAC, and discuss its relationship with the Usable Mandatory Integrity Protection (UMIP) model proposed earlier by us. In addition, we analyze their security property and their relationships with other protection systems. We also describe our implementations of IFEDAC in Linux and the evaluation results and deployment experiences of the systems.
Citations: 17
Group-Centric Secure Information-Sharing Models for Isolated Groups
Pub Date: 2011-11-01. DOI: 10.1145/2043621.2043623
R. Krishnan, Jianwei Niu, R. Sandhu, W. Winsborough
Group-Centric Secure Information Sharing (g-SIS) envisions bringing users and objects together in a group to facilitate agile sharing of information brought in from external sources as well as creation of new information within the group. We expect g-SIS to be orthogonal and complementary to authorization systems deployed within participating organizations. The metaphors “secure meeting room” and “subscription service” characterize the g-SIS approach. The focus of this article is on developing the foundations of isolated g-SIS models. Groups are isolated in the sense that membership of a user or an object in a group does not affect their authorizations in other groups. Present contributions include the following: formal specification of core properties that at once help to characterize the family of g-SIS models and provide a “sanity check” for full policy specifications; informal discussion of policy design decisions that differentiate g-SIS policies from one another with respect to the authorization semantics of group operations; formalization and verification of a specific member of the family of g-SIS models; demonstration that the core properties are logically consistent and mutually independent; and identification of several directions for future extensions. The formalized specification is highly abstract. Besides certain well-formedness requirements that specify, for instance, that a user cannot leave a group unless she is a member, it constrains only whether user-level read and write operations are authorized, and it does so solely in terms of the history of group operations: join and leave for users and add, create, and remove for objects. This makes temporal logic one of the few formalisms in which the specification can be clearly and concisely expressed. The specification serves as a reference point that is the first step in deriving authorization-system component specifications from which a programmer with little security expertise could implement a high-assurance enforcement system for the specified policy.
Citations: 34
The Frog-Boiling Attack: Limitations of Secure Network Coordinate Systems
Pub Date: 2011-11-01. DOI: 10.1145/2043621.2043627
Eric Chan-Tin, Victor Heorhiadi, Nicholas Hopper, Yongdae Kim
A network coordinate system assigns Euclidean “virtual” coordinates to every node in a network to allow easy estimation of network latency between pairs of nodes that have never contacted each other. These systems have been implemented in a variety of applications, most notably the popular Vuze BitTorrent client. Zage and Nita-Rotaru (at CCS 2007) and, independently, Kaafar et al. (at SIGCOMM 2007) demonstrated that several widely cited network coordinate systems are prone to simple attacks, and proposed mechanisms to defeat these attacks using outlier detection to filter out adversarial inputs. Kaafar et al. go a step further and require that a fraction of the network is trusted. More recently, Sherr et al. (at USENIX ATC 2009) proposed Veracity, a distributed reputation system to secure network coordinate systems. We describe a new attack on network coordinate systems, Frog-Boiling, that defeats all of these defenses. Thus, even a system with trusted entities is still vulnerable to attacks. Moreover, having witnesses vouch for your coordinates, as in Veracity, does not prevent our attack. Finally, we demonstrate empirically that the Frog-Boiling attack is more disruptive than the previously known attacks: systems that attempt to reject “bad” inputs by statistical means or reputation cannot be used to secure a network coordinate system.
Citations: 29
Empowering End Users to Confine Their Own Applications: The Results of a Usability Study Comparing SELinux, AppArmor, and FBAC-LSM
Q Engineering Pub Date : 2011-09-01 DOI: 10.1145/2019599.2019604
Z. Schreuders, T. McGill, Christian N. Payne
Protecting end users from security threats is an extremely difficult, but increasingly critical, problem. Traditional security models that focused on separating users from each other have proven ineffective in an environment of widespread software vulnerabilities and rampant malware. However, alternative approaches that provide more finely grained security generally require greater expertise than typical end users can reasonably be expected to have, and consequently have had limited success. The functionality-based application confinement (FBAC) model is designed to allow end users with limited expertise to assign applications hierarchical and parameterised policy abstractions based upon the functionalities each program is intended to perform. To validate the feasibility of this approach and assess the usability of existing mechanisms, a usability study was conducted comparing an implementation of the FBAC model with the widely used Linux-based SELinux and AppArmor security schemes. The results showed that the functionality-based mechanism enabled end users to effectively control the privileges of their applications with far greater success than widely used alternatives. In particular, policies created using FBAC were more likely to be enforced and exhibited significantly lower risk exposure, while not interfering with the ability of the application to perform its intended task. In addition to the success of the functionality-based approach, the usability study also highlighted a number of limitations and problems with existing mechanisms. These results indicate that a functionality-based approach has significant potential in terms of enabling end users with limited expertise to defend themselves against insecure and malicious software.
Citations: 34
Practical Oblivious Outsourced Storage
Q Engineering Pub Date : 2011-09-01 DOI: 10.1145/2019599.2019605
P. Williams, R. Sion, M. Sotáková
In this article we introduce a technique, guaranteeing access pattern privacy against a computationally bounded adversary, in outsourced data storage, with communication and computation overheads orders of magnitude better than existing approaches. In the presence of a small amount of temporary storage (enough to store O(√n log n) items and IDs, where n is the number of items in the database), we can achieve access pattern privacy with computational complexity of less than O(log² n) per query (as compared to, for instance, O(log⁴ n) for existing approaches). We achieve these novel results by applying new insights based on probabilistic analyses of data shuffling algorithms to Oblivious RAM, allowing us to significantly improve its asymptotic complexity. This results in a protocol crossing the boundary between theory and practice and becoming generally applicable for access pattern privacy. We show that on off-the-shelf hardware, large data sets can be queried obliviously orders of magnitude faster than in existing work.
Citations: 10
Authenticated Dictionaries: Real-World Costs and Trade-Offs
Q Engineering Pub Date : 2011-09-01 DOI: 10.1145/2019599.2019602
Scott A. Crosby, D. Wallach
Authenticated dictionaries are a widely discussed paradigm to enable verifiable integrity for data storage on untrusted servers, such as today’s widely used “cloud computing” resources, allowing a server to provide a “proof,” typically in the form of a slice through a cryptographic data structure, that the results of any given query are the correct answer, including that the absence of a query result is correct. Persistent authenticated dictionaries (PADs) further allow queries against older versions of the structure. This research presents implementations of a variety of different PAD algorithms, some based on Merkle tree-style data structures and others based on individually signed “tuple” statements (with and without RSA accumulators). We present system throughput benchmarks, indicating costs in terms of time, storage, and bandwidth as well as considering how much money would be required given standard cloud computing costs. We conclude that Merkle tree PADs are preferable in cases with frequent updates, while tuple-based PADs are preferable with higher query rates. For Merkle tree PADs, red-black trees outperform treaps and skiplists. Applying Sarnak-Tarjan’s versioned node strategy, with a cache of old hashes at every node, to red-black trees yields the fastest Merkle tree PAD implementation, notably using half the memory of the more commonly used mutation-free path copying strategy. For tuple PADs, although we designed and implemented an algorithm using RSA accumulators that offers constant update size, constant storage per update, constant proof size, and sublinear computation per update, we found that RSA accumulators are so expensive that they are never worthwhile. We find that other optimizations in the literature for tuple PADs are more cost-effective.
Citations: 35