Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security最新文献
Yan Zhu, Hongxin Hu, Gail-Joon Ahn, Xiaorui Gong, Shimin Chen
There has been little work that explores cryptographic temporal constraints, especially for data sharing in cloud computing. In this paper, we present a temporal attribute-based encryption (TABE) scheme to implement temporal constraints for data access control in clouds. This scheme has a constant size for ciphertext, private-key, and a nearly linear-time complexity. In addition, we implement a prototype system to evaluate our proposed approach. Our experimental results not only validate the effectiveness of our scheme and algorithms, but also show our scheme has better performance for integer comparison than BSW's bitwise comparison scheme.
{"title":"Poster: temporal attribute-based encryption in clouds","authors":"Yan Zhu, Hongxin Hu, Gail-Joon Ahn, Xiaorui Gong, Shimin Chen","doi":"10.1145/2046707.2093517","DOIUrl":"https://doi.org/10.1145/2046707.2093517","url":null,"abstract":"There has been little work that explores cryptographic temporal constraints, especially for data sharing in cloud computing. In this paper, we present a temporal attribute-based encryption (TABE) scheme to implement temporal constraints for data access control in clouds. This scheme has a constant size for ciphertext, private-key, and a nearly linear-time complexity. In addition, we implement a prototype system to evaluate our proposed approach. Our experimental results not only validate the effectiveness of our scheme and algorithms, but also show our scheme has better performance for integer comparison than BSW's bitwise comparison scheme.","PeriodicalId":72687,"journal":{"name":"Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2011-10-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"81190719","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Authentication is an all-embracing mechanism in today's (digital) society. While current systems require users to provide much personal data and offer many attack vectors due to using a username/passwords combination, systems that allow for minimizing the data released during authentication exist. Implementing such data-minimizing authentication reduces the number of attack vectors, enables enterprises to reduce the risk associated with possession of sensitive user data, and realizes better privacy for users. Our prototype demonstrates the use of data-minimizing authentication using the scenario of accessing a teenage chat room in a privacy-preserving way. The prototype allows a user to retrieve credentials, which may be seen as the digital equivalent of the plastic cards we carry in our wallets today. It also implements a service provider who requires authentication with respect to a service-specific policy. The prototype determines whether and how the user can fulfill the policy with her credentials, which typically results in various options. A graphical user interface then allows the user to select one of these options. Based on the user's input, the prototype generates an Identity Mixer proof that shows fulfillment of the service provider's policy without revealing unnecessary information. Finally, this proof is sent to the service provider for verification. Our prototype is the first implementation of such far-reaching data-minimizing authentication, where we provide the building blocks of our implementation as open-source software.
{"title":"Demo: a comprehensive framework enabling data-minimizing authentication","authors":"Patrik Bichsel, Franz-Stefan Preiss","doi":"10.1145/2046707.2093480","DOIUrl":"https://doi.org/10.1145/2046707.2093480","url":null,"abstract":"Authentication is an all-embracing mechanism in today's (digital) society. While current systems require users to provide much personal data and offer many attack vectors due to using a username/passwords combination, systems that allow for minimizing the data released during authentication exist. Implementing such data-minimizing authentication reduces the number of attack vectors, enables enterprises to reduce the risk associated with possession of sensitive user data, and realizes better privacy for users. Our prototype demonstrates the use of data-minimizing authentication using the scenario of accessing a teenage chat room in a privacy-preserving way. The prototype allows a user to retrieve credentials, which may be seen as the digital equivalent of the plastic cards we carry in our wallets today. It also implements a service provider who requires authentication with respect to a service-specific policy. The prototype determines whether and how the user can fulfill the policy with her credentials, which typically results in various options. A graphical user interface then allows the user to select one of these options. Based on the user's input, the prototype generates an Identity Mixer proof that shows fulfillment of the service provider's policy without revealing unnecessary information. Finally, this proof is sent to the service provider for verification. Our prototype is the first implementation of such far-reaching data-minimizing authentication, where we provide the building blocks of our implementation as open-source software.","PeriodicalId":72687,"journal":{"name":"Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2011-10-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"85292401","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
In this paper we provide a preliminary analysis of Google+ privacy. We identified that Google+ shares photo metadata with users who can access the photograph and discuss its potential impact on privacy. We also identified that Google+ encourages the provision of other names including maiden name, which may help criminals performing identity theft. We show that Facebook lists are a superset of Google+ circles, both functionally and logically, even though Google+ provides a better user interface. Finally we compare the use of encryption and depth of privacy control in Google+ versus in Facebook.
{"title":"Poster: preliminary analysis of Google+'s privacy","authors":"Shah Mahmood, Y. Desmedt","doi":"10.1145/2046707.2093499","DOIUrl":"https://doi.org/10.1145/2046707.2093499","url":null,"abstract":"In this paper we provide a preliminary analysis of Google+ privacy. We identified that Google+ shares photo metadata with users who can access the photograph and discuss its potential impact on privacy. We also identified that Google+ encourages the provision of other names including maiden name, which may help criminals performing identity theft. We show that Facebook lists are a superset of Google+ circles, both functionally and logically, even though Google+ provides a better user interface. Finally we compare the use of encryption and depth of privacy control in Google+ versus in Facebook.","PeriodicalId":72687,"journal":{"name":"Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2011-10-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"90092632","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart E. Schechter, D. Wetherall
We examine two privacy controls for Android smartphones that empower users to run permission-hungry applications while protecting private data from being exfiltrated: (1) covertly substituting shadow data in place of data that the user wants to keep private, and (2) blocking network transmissions that contain data the user made available to the application for on-device use only. We retrofit the Android operating system to implement these two controls for use with unmodified applications. A key challenge of imposing shadowing and exfiltration blocking on existing applications is that these controls could cause side effects that interfere with user-desired functionality. To measure the impact of side effects, we develop an automated testing methodology that records screenshots of application executions both with and without privacy controls, then automatically highlights the visual differences between the different executions. We evaluate our privacy controls on 50 applications from the Android Market, selected from those that were both popular and permission-hungry. We find that our privacy controls can successfully reduce the effective permissions of the application without causing side effects for 66% of the tested applications. The remaining 34% of applications implemented user-desired functionality that required violating the privacy requirements our controls were designed to enforce; there was an unavoidable choice between privacy and user-desired functionality.
{"title":"These aren't the droids you're looking for: retrofitting android to protect data from imperious applications","authors":"Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart E. Schechter, D. Wetherall","doi":"10.1145/2046707.2046780","DOIUrl":"https://doi.org/10.1145/2046707.2046780","url":null,"abstract":"We examine two privacy controls for Android smartphones that empower users to run permission-hungry applications while protecting private data from being exfiltrated: (1) covertly substituting shadow data in place of data that the user wants to keep private, and (2) blocking network transmissions that contain data the user made available to the application for on-device use only. We retrofit the Android operating system to implement these two controls for use with unmodified applications. A key challenge of imposing shadowing and exfiltration blocking on existing applications is that these controls could cause side effects that interfere with user-desired functionality. To measure the impact of side effects, we develop an automated testing methodology that records screenshots of application executions both with and without privacy controls, then automatically highlights the visual differences between the different executions. We evaluate our privacy controls on 50 applications from the Android Market, selected from those that were both popular and permission-hungry. We find that our privacy controls can successfully reduce the effective permissions of the application without causing side effects for 66% of the tested applications. The remaining 34% of applications implemented user-desired functionality that required violating the privacy requirements our controls were designed to enforce; there was an unavoidable choice between privacy and user-desired functionality.","PeriodicalId":72687,"journal":{"name":"Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2011-10-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"77958521","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
We present the design, implementation and evaluation of an algorithm that checks audit logs for compliance with privacy and security policies. The algorithm, which we name reduce, addresses two fundamental challenges in compliance checking that arise in practice. First, in order to be applicable to realistic policies, reduce operates on policies expressed in a first-order logic that allows restricted quantification over infinite domains. We build on ideas from logic programming to identify the restricted form of quantified formulas. The logic can, in particular, express all 84 disclosure-related clauses of the HIPAA Privacy Rule, which involve quantification over the infinite set of messages containing personal information. Second, since audit logs are inherently incomplete (they may not contain sufficient information to determine whether a policy is violated or not), reduce proceeds iteratively: in each iteration, it provably checks as much of the policy as possible over the current log and outputs a residual policy that can only be checked when the log is extended with additional information. We prove correctness, termination, time and space complexity results for reduce. We implement reduce and optimize the base implementation using two heuristics for database indexing that are guided by the syntactic structure of policies. The implementation is used to check simulated audit logs for compliance with the HIPAA Privacy Rule. Our experimental results demonstrate that the algorithm is fast enough to be used in practice.
{"title":"Policy auditing over incomplete logs: theory, implementation and applications","authors":"D. Garg, Limin Jia, Anupam Datta","doi":"10.1145/2046707.2046726","DOIUrl":"https://doi.org/10.1145/2046707.2046726","url":null,"abstract":"We present the design, implementation and evaluation of an algorithm that checks audit logs for compliance with privacy and security policies. The algorithm, which we name reduce, addresses two fundamental challenges in compliance checking that arise in practice. First, in order to be applicable to realistic policies, reduce operates on policies expressed in a first-order logic that allows restricted quantification over infinite domains. We build on ideas from logic programming to identify the restricted form of quantified formulas. The logic can, in particular, express all 84 disclosure-related clauses of the HIPAA Privacy Rule, which involve quantification over the infinite set of messages containing personal information. Second, since audit logs are inherently incomplete (they may not contain sufficient information to determine whether a policy is violated or not), reduce proceeds iteratively: in each iteration, it provably checks as much of the policy as possible over the current log and outputs a residual policy that can only be checked when the log is extended with additional information. We prove correctness, termination, time and space complexity results for reduce. We implement reduce and optimize the base implementation using two heuristics for database indexing that are guided by the syntactic structure of policies. The implementation is used to check simulated audit logs for compliance with the HIPAA Privacy Rule. Our experimental results demonstrate that the algorithm is fast enough to be used in practice.","PeriodicalId":72687,"journal":{"name":"Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2011-10-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"74726148","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Load balancing has been widely used on the field of Cloud Computing, which makes sure that none of the existing resources are idle while other physical machines are being utilized by Cloud Computing providers. However, VMs of tenants may be migrated to a physical machine with potential attacks which may use memory caches as side channels. So the security problem coexisting on the same physical machine is an important barrier for enterprise to adopt of cloud computing. We present a new security load balancing architecture--Load Balancing based on Multilateral Security (LBMS) which can migrate tenants' VMs automatically to the ideal security physical machine when reach peak-load by index and negotiation. We are implementing our prototype based on CloudSim, a Cloud computing simulation. Our architecture makes an effort to avoid potential attacks when VMs migrate to physical machine due to load balancing.
负载平衡在云计算领域得到了广泛的应用,它可以确保在云计算提供商使用其他物理机器时,没有任何现有资源是空闲的。但是,租户的虚拟机可能会迁移到有潜在攻击的物理机上,这些攻击可能会使用内存缓存作为侧通道。因此,在同一台物理机上共存的安全问题是企业采用云计算的重要障碍。提出了一种新的安全负载均衡架构——基于多边安全的负载均衡(load balancing based on Multilateral security, LBMS),该架构可以通过索引和协商的方式,在负载达到峰值时将租户的虚拟机自动迁移到理想的安全物理机上。我们正在实现基于CloudSim的原型,这是一种云计算模拟。当虚拟机由于负载平衡迁移到物理机时,我们的架构努力避免潜在的攻击。
{"title":"Poster: LBMS: load balancing based on multilateral security in cloud","authors":"Pengfei Sun, Qingni Shen, Ying Chen, Zhonghai Wu, Cong Zhang, Anbang Ruan, Liang Gu","doi":"10.1145/2046707.2093512","DOIUrl":"https://doi.org/10.1145/2046707.2093512","url":null,"abstract":"Load balancing has been widely used on the field of Cloud Computing, which makes sure that none of the existing resources are idle while other physical machines are being utilized by Cloud Computing providers. However, VMs of tenants may be migrated to a physical machine with potential attacks which may use memory caches as side channels. So the security problem coexisting on the same physical machine is an important barrier for enterprise to adopt of cloud computing. We present a new security load balancing architecture--Load Balancing based on Multilateral Security (LBMS) which can migrate tenants' VMs automatically to the ideal security physical machine when reach peak-load by index and negotiation. We are implementing our prototype based on CloudSim, a Cloud computing simulation. Our architecture makes an effort to avoid potential attacks when VMs migrate to physical machine due to load balancing.","PeriodicalId":72687,"journal":{"name":"Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2011-10-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"81955675","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Role-Based Access Control (RBAC) is a powerful and versatile access control system for large-scale access control management within an organization. Most studies so far consider RBAC models that have a single consistent access control policy, which implicitly confine an RBAC system to one organization. However, many real-world requirements of access control span multiple organizations; thus, there is a need to design scalable RBAC models for such use cases. We propose a trans-organizational RBAC model that enables access control within and across organizations. A formal definition of trans-organizational RBAC is presented. We show that the model is scalable in a multi-organization setup, and does not require the creation of federations. Finally, a security issue in the model is identified and possible approaches to address this are discussed.
{"title":"Poster: trans-organizational role-based access control","authors":"Ramon Francisco Pacquiao Mejia, Y. Kaji, H. Seki","doi":"10.1145/2046707.2093501","DOIUrl":"https://doi.org/10.1145/2046707.2093501","url":null,"abstract":"Role-Based Access Control (RBAC) is a powerful and versatile access control system for large-scale access control management within an organization. Most studies so far consider RBAC models that have a single consistent access control policy, which implicitly confine an RBAC system to one organization. However, many real-world requirements of access control span multiple organizations; thus, there is a need to design scalable RBAC models for such use cases. We propose a trans-organizational RBAC model that enables access control within and across organizations. A formal definition of trans-organizational RBAC is presented. We show that the model is scalable in a multi-organization setup, and does not require the creation of federations. Finally, a security issue in the model is identified and possible approaches to address this are discussed.","PeriodicalId":72687,"journal":{"name":"Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2011-10-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"81830889","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Using the Internet and other electronic media for our daily tasks has become common. Thereby a lot of sensitive information is exchanged, processed, and stored at many different laces. Once released, controlling the dispersal of this information is virtually impossible. Worse, the press reports daily on incidents where sensitive information has been lost, stolen, or misused - often involving large and reputable organizations. Privacy-enhancing technologies can help to minimize the amount of information that needs to be revealed in transactions, on the one hand, and to limit the dispersal, on the other hand. Many of these technologies build on common cryptographic primitives that allow for data to be authenticated and encrypted in such a way that it is possible to efficiently prove possession and/or properties of data revealing the data or side-information about it. Proving such statements is of course possible for any signature and encryption scheme. However, if the result is to be practical, special cryptographic primitives and proof protocols are needed.� In this talk we will first consider a few example scenarios and motivate the need for such cryptograph building block before we then present and discuss these. We start with efficient discrete logarithms based proof protocols often referred to as generalized Schnorr proofs. They allow one to prove knowledge of different discrete logarithms (exponents) and relations among them. Now, to be able to prove possession of a (valid) signature and a message with generalized Schnorr proofs, it is necessary that the signature and the message signed are exponents and that no hash-function is used in the signature verification. Similarly, for encryption schemes, the plain text needs to be an exponent. We will present and discuss a number of such signature and encryption schemes.� To show the power of these building blocks, we will consider a couple of example protocols such as anonymous access control and anonymous polling. We then conclude with a discussion on security definition and proofs. We hope that the presented building blocks will enable many new privacy-preserving protocols and and applications in the future.
{"title":"Cryptographic primitives for building secure and privacy respecting protocols","authors":"J. Camenisch","doi":"10.1145/2046707.2046749","DOIUrl":"https://doi.org/10.1145/2046707.2046749","url":null,"abstract":"Using the Internet and other electronic media for our daily tasks has become common. Thereby a lot of sensitive information is exchanged, processed, and stored at many different laces. Once released, controlling the dispersal of this information is virtually impossible. Worse, the press reports daily on incidents where sensitive information has been lost, stolen, or misused - often involving large and reputable organizations. Privacy-enhancing technologies can help to minimize the amount of information that needs to be revealed in transactions, on the one hand, and to limit the dispersal, on the other hand. Many of these technologies build on common cryptographic primitives that allow for data to be authenticated and encrypted in such a way that it is possible to efficiently prove possession and/or properties of data revealing the data or side-information about it. Proving such statements is of course possible for any signature and encryption scheme. However, if the result is to be practical, special cryptographic primitives and proof protocols are needed.\u0000 In this talk we will first consider a few example scenarios and motivate the need for such cryptograph building block before we then present and discuss these. We start with efficient discrete logarithms based proof protocols often referred to as generalized Schnorr proofs. They allow one to prove knowledge of different discrete logarithms (exponents) and relations among them. Now, to be able to prove possession of a (valid) signature and a message with generalized Schnorr proofs, it is necessary that the signature and the message signed are exponents and that no hash-function is used in the signature verification. Similarly, for encryption schemes, the plain text needs to be an exponent. We will present and discuss a number of such signature and encryption schemes.\u0000 To show the power of these building blocks, we will consider a couple of example protocols such as anonymous access control and anonymous polling. We then conclude with a discussion on security definition and proofs. We hope that the presented building blocks will enable many new privacy-preserving protocols and and applications in the future.","PeriodicalId":72687,"journal":{"name":"Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2011-10-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"80684387","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Mohammad Mannan, Beom Heyn Kim, A. Ganjali, D. Lie
Malware and phishing are two major threats for users seeking to perform security-sensitive tasks using computers today. To mitigate these threats, we introduce Unicorn, which combines the phishing protection of standard security tokens and malware protection of trusted computing hardware. The Unicorn security token holds user authentication credentials, but only releases them if it can verify an attestation that the user's computer is free of malware. In this way, the user is released from having to remember passwords, as well as having to decide when it is safe to use them. The user's computer is further verified by either a TPM or a remote server to produce a two-factor attestation scheme. We have implemented a Unicorn prototype using commodity software and hardware, and two Unicorn example applications (termed as uApps, short for Unicorn Applications), to secure access to both remote data services and encrypted local data. Each uApp consists of a small, hardened and immutable OS image, and a single application. Our Unicorn prototype co-exists with a regular user OS, and significantly reduces the time to switch between the secure environment and general purpose environment using a novel mechanism that removes the BIOS from the switch time.
{"title":"Unicorn: two-factor attestation for data security","authors":"Mohammad Mannan, Beom Heyn Kim, A. Ganjali, D. Lie","doi":"10.1145/2046707.2046712","DOIUrl":"https://doi.org/10.1145/2046707.2046712","url":null,"abstract":"Malware and phishing are two major threats for users seeking to perform security-sensitive tasks using computers today. To mitigate these threats, we introduce Unicorn, which combines the phishing protection of standard security tokens and malware protection of trusted computing hardware. The Unicorn security token holds user authentication credentials, but only releases them if it can verify an attestation that the user's computer is free of malware. In this way, the user is released from having to remember passwords, as well as having to decide when it is safe to use them. The user's computer is further verified by either a TPM or a remote server to produce a two-factor attestation scheme. We have implemented a Unicorn prototype using commodity software and hardware, and two Unicorn example applications (termed as uApps, short for Unicorn Applications), to secure access to both remote data services and encrypted local data. Each uApp consists of a small, hardened and immutable OS image, and a single application. Our Unicorn prototype co-exists with a regular user OS, and significantly reduces the time to switch between the secure environment and general purpose environment using a novel mechanism that removes the BIOS from the switch time.","PeriodicalId":72687,"journal":{"name":"Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2011-10-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"90225320","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
In many software attacks, inducing an illegal control-flow transfer in the target system is one common step. Control-Flow Integrity (CFI) protects a software system by enforcing a pre-determined control-flow graph. In addition to providing strong security, CFI enables static analysis on low-level code. This paper evaluates whether CFI-enabled static analysis can help build efficient and validated data sandboxing. Previous systems generally sandbox memory writes for integrity, but avoid protecting confidentiality due to the high overhead of sandboxing memory reads. To reduce overhead, we have implemented a series of optimizations that remove sandboxing instructions if they are proven unnecessary by static analysis. On top of CFI, our system adds only 2.7% runtime overhead on SPECint2000 for sandboxing memory writes and adds modest 19% for sandboxing both reads and writes. We have also built a principled data-sandboxing verifier based on range analysis. The verifier checks the safety of the results of the optimizer, which removes the need to trust the rewriter and optimizer. Our results show that the combination of CFI and static analysis has the potential of bringing down the cost of general inlined reference monitors, while maintaining strong security.
{"title":"Combining control-flow integrity and static analysis for efficient and validated data sandboxing","authors":"Bin Zeng, Gang Tan, Greg Morrisett","doi":"10.1145/2046707.2046713","DOIUrl":"https://doi.org/10.1145/2046707.2046713","url":null,"abstract":"In many software attacks, inducing an illegal control-flow transfer in the target system is one common step. Control-Flow Integrity (CFI) protects a software system by enforcing a pre-determined control-flow graph. In addition to providing strong security, CFI enables static analysis on low-level code. This paper evaluates whether CFI-enabled static analysis can help build efficient and validated data sandboxing. Previous systems generally sandbox memory writes for integrity, but avoid protecting confidentiality due to the high overhead of sandboxing memory reads. To reduce overhead, we have implemented a series of optimizations that remove sandboxing instructions if they are proven unnecessary by static analysis. On top of CFI, our system adds only 2.7% runtime overhead on SPECint2000 for sandboxing memory writes and adds modest 19% for sandboxing both reads and writes. We have also built a principled data-sandboxing verifier based on range analysis. The verifier checks the safety of the results of the optimizer, which removes the need to trust the rewriter and optimizer. Our results show that the combination of CFI and static analysis has the potential of bringing down the cost of general inlined reference monitors, while maintaining strong security.","PeriodicalId":72687,"journal":{"name":"Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2011-10-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"76677528","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Conference on Computer and Communications Security : proceedings of the ... conference on computer and communications security. ACM Conference on Computer and Communications Security
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: