Graduate Student Supervision
Doctoral Student Supervision (2008-2018)
The full abstract for this thesis is available in the body of the thesis, and will be available when the embargo expires.
Master's Student Supervision (2010-2017)
Anonymous communications is a long sought goal of dissidents, privacy advocates, and a host of other user communities. While a large number of systems have been proposed, those systems generally require large-scale communication infrastructure to be built in order to achieve a non-trivial amount of anonymity. However, the very nature of anonymity has meant that a business rationale for building such infrastructure is lacking. Motivated to design a practical receiver anonymity network with large anonymity set sizes, we present Twistor: a new system for receiver-anonymous communications which leverages the Twitter social graph as the underlying anonymizing layer. To send a twist, a Twistor client first checks for reachability of its intended recipient, using local graph information maintained by interactions with the Twistor server. It then encrypts the message under the recipient's public key and posts the ciphertext to the corresponding user's timeline. Larger ciphertexts are encoded into an image, so as to conform with Twitter's 140 UTF-8 character limit. Twistor clients are listening for Twistor posts and decrypt and repost when those they follow publish a new twist, except for when a TTL indicator is 0. Given self-reducibility properties of ElGamal, even if the adversary, e.g., Twitter, monitors all Twistor posts and re-posts that cascade from an initial post, the anonymity of the receiver and the confidentiality of the plaintext are reducible to the hardness of Decisional Diffie-Hellman problem. Twistor derives its increase in size of the receiver anonymity set from asymmetric social connections combined with the publish-subscribe communication model in Twitter. Our aim is to achieve receiver anonymity set sizes on the order of hundreds of thousands. In this thesis we describe our built system, the cost to the underlying infrastructure and the tradeoffs between those costs and the size of the anonymity set.
Software that is in use and under development today still contains as many bugs as ever. These bugs are often exploitable by attackers using advanced techniques such as Return-Oriented Programming (ROP), where pieces of legitimate code are stitched together to form a malicious exploit. One class of defenses against these attacks is Address-Space Layout Randomization (ASLR), which randomly selects the base addresses of legitimate code. However, it has recently been shown that this randomization can be unravelled with memory disclosure attacks, which divulge the contents of memory at a given address. In this work, we strengthen code randomization against memory disclosure attacks, in order to make it a viable defense in the face of Return-Oriented Programming. We propose a technique called binary shuffling, which dynamically re-randomizes the position of code blocks at runtime. While a memory disclosure may reveal the contents of a memory address (thus unravelling the randomization), this information is only valid for a very short time. Our system, called Shuffler, operates on program binaries without access to source code, and can re-randomize the position of all code in a program in as little as ten milliseconds. We show that this is fast enough to defeat any attempt at Return-Oriented Programming, even when armed with a memory disclosure attack. Shuffler adds only 10 to 21% overhead on average, making it a viable defense against these types of attack.
Ciphertext-Policy Attribute Based Encryption (CP-ABE) is a promising method for end-to-end, fine grained access control. However, based on our knowledge, there is no massive deployment of CP-ABE based systems. Expensive and insecure key revocation should be one of the major reasons. In this thesis, we hypothesize that key revocation can be performed client side by combining existing trust computing technologies and validate this hypothesis with a prototype file system called ABFS. ABFS uses CP-ABE to do client side access control and, at the same time, provides strong assurance on key revocation. Enterprises equipped with ABFS can reliably relocate their data from centralized storage to unused space on untrusted client machines and thus decentralize most aspects of their storage, mitigate data backup cost, improve storage durability and remove the threat of single point of failure. ABFS combines existing TPM and attribute-based encryption technologies to perform access control checks on otherwise untrusted clients and ensure confidentiality of data.
Virtualization platforms have grown with an increasing demand for new technologies, with the modern enterprise-ready virtualization platform being a complex, feature-rich piece of software. Despite the small size of hypervisors, the trusted computing base (TCB) of most enterprise platforms is larger than that of most monolithic commodity operating systems. Several key components of the Xen platform reside in a special, highly-privileged virtual machine or the “Control VM”. We present Xoar, a modified version of the Xen platform that retrofits the modularity and isolation principles championed by microkernels onto a mature virtualization platform. Xoar divides the large, shared control VM of Xen’s TCB into a set of independent, isolated, single purpose components called shards. Shards improve security in several ways: components are restricted to the least privilege necessary for functioning and any sharing between guest VMs is explicitly configurable and auditable in tune with the desired risk exposure policies. Microrebooting components at configurable frequencies reduces the temporal attack surface. Our approach does not require any existing functionality to be sacrificed and allows components to be reused rather than rewritten from scratch. The low performance overhead leads us to believe that Xoar is a viable alternative for deployment in enterprise environments.
Based on analysis from collected network traces, a decade of literature in the field of intrusion detection, experiences shared by people in the network security domain, and some new heuristics, this thesis explores several directions in which to extend the functionality and performance of existing Intrusion Detection Systems (IDS). We first present a new method for detecting a whole range of TCP attacks, and an extension of that method for detecting Distributed Denial of Service attacks. We then analyze two directions for enhancing performance: using cloud services to flexibly scale to higher IDS throughput; and leveraging hardware functionality in modern network cards for efficient multi-core processing.