
Michael Reiter

James B. Duke Distinguished Professor of Computer Science
Computer Science
308 Research Drive D310, Box 90129, Durham, NC 27708

Selected Publications

CrudiTEE: A Stick-And-Carrot Approach to Building Trustworthy Cryptocurrency Wallets with TEEs
Conference · Leibniz International Proceedings in Informatics, LIPIcs · September 1, 2024
Cryptocurrency introduces usability challenges by requiring users to manage signing keys. Popular signing key management services (e.g., custodial wallets), however, either introduce a trusted party or burden users with managing signing key shares, posing ...

Formally Verifying a Rollback-Prevention Protocol for TEEs
Conference · Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2024
Formal verification of distributed protocols is challenging and usually requires great human effort. Ivy, a state-of-the-art formal verification tool for modeling and verifying distributed protocols, automates this tedious process by leveraging a decidable ...

Delphi: Efficient Asynchronous Approximate Agreement for Distributed Oracles
Conference · Proceedings - 2024 54th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2024 · January 1, 2024
Agreement protocols are crucial in various emerging applications, spanning from distributed (blockchain) oracles to fault-tolerant cyber-physical systems. In scenarios where sensor/oracle nodes measure a common source, maintaining output within the convex ...

SensorBFT: Fault-Tolerant Target Localization Using Voronoi Diagrams and Approximate Agreement
Conference · Proceedings - International Conference on Distributed Computing Systems · January 1, 2024
The target localization primitive is used for detecting and locating an adverse event called a target in a geographic area. This versatile primitive is applicable in the physical security domain (e.g., detecting intruders in an area) or for disaster preemp ...

Mudjacking: Patching Backdoor Vulnerabilities in Foundation Models
Conference · Proceedings of the 33rd USENIX Security Symposium · January 1, 2024
Foundation models have become the backbone of the AI ecosystem. In particular, a foundation model can be used as a general-purpose feature extractor to build various downstream classifiers. However, foundation models are vulnerable to backdoor attacks and a ...

On the Criticality of Integrity Protection in 5G Fronthaul Networks
Conference · Proceedings of the 33rd USENIX Security Symposium · January 1, 2024
The modern 5G fronthaul, which connects the base stations to radio units in cellular networks, is designed to deliver microsecond-level performance guarantees using Ethernet-based protocols. Unfortunately, due to potential performance overheads, as well as ...

Near-Optimal Constrained Padding for Object Retrievals with Dependencies
Conference · Proceedings of the 33rd USENIX Security Symposium · January 1, 2024
The sizes of objects retrieved over the network are powerful indicators of the objects retrieved and are ingredients in numerous types of traffic analysis, such as webpage fingerprinting. We present an algorithm by which a benevolent object store computes ...

The Impact of Exposed Passwords on Honeyword Efficacy
Conference · Proceedings of the 33rd USENIX Security Symposium · January 1, 2024
Honeywords are decoy passwords that can be added to a credential database; if a login attempt uses a honeyword, this indicates that the site's credential database has been leaked. In this paper we explore the basic requirements for honeywords to be effecti ...

Prioritizing Remediation of Enterprise Hosts by Malware Execution Risk
Conference · ACM International Conference Proceeding Series · December 4, 2023
Defending an enterprise network requires making prioritization decisions daily; one is deciding which compromised hosts to remediate (reimage). We study the utility of endpoint monitoring data to perform this prioritization, with the driving goal being to ...

EESMR: Energy Efficient BFT-SMR for the Masses
Conference · Middleware 2023 - Proceedings of the 24th ACM/IFIP International Middleware Conference · November 27, 2023
Modern Byzantine Fault-Tolerant State Machine Replication (BFT-SMR) solutions focus on reducing communication complexity, improving throughput, or lowering latency. This work explores the energy efficiency of BFT-SMR protocols. First, we propose a novel SM ...

Tackling Credential Abuse Together
Conference · Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy · April 24, 2023

Looking Backwards (and Forwards): NSF Secure and Trustworthy Computing 20-Year Retrospective Panel Transcription
Journal Article · IEEE Security and Privacy · March 1, 2023
The U.S. National Science Foundation (NSF) celebrated the 20th anniversary of its research funding programs in cybersecurity, and more generally, secure and trustworthy computing, with a panel session at its conference held in June, 2022. The panel members ...

Communication-Efficient BFT Using Small Trusted Hardware to Tolerate Minority Corruption
Conference · Leibniz International Proceedings in Informatics, LIPIcs · February 1, 2023
Agreement protocols for partially synchronous networks tolerate fewer than one-third Byzantine faults. If parties are equipped with trusted hardware that prevents equivocation, then fault tolerance can be improved to fewer than one-half Byzantine faults, b ...

Deceiving ML-Based Friend-or-Foe Identification for Executables
Chapter · January 1, 2023
Deceiving an adversary who may, e.g., attempt to reconnoiter a system before launching an attack, typically involves changing the system's behavior such that it deceives the attacker while still permitting the system to perform its intended function. We de ...

Using Amnesia to Detect Credential Database Breaches
Chapter · January 1, 2023
Known approaches for using decoy passwords (honeywords) to detect credential database breaches suffer from the need for a trusted component to recognize decoys when entered in login attempts, and from an attacker's ability to test stolen passwords at other ...

Privately Evaluating Region Overlaps with Applications to Collaborative Sensor Output Validation
Conference · Proceedings - 8th IEEE European Symposium on Security and Privacy, EuroS&P 2023 · January 1, 2023
Advances in computer vision have made it possible to accurately map objects as regions in 3-dimensional space using LIDAR point clouds. These systems are key building blocks of several emerging technologies including autonomous vehicles. Comparing and vali ...

Optimally Hiding Object Sizes with Constrained Padding
Conference · Proceedings - IEEE Computer Security Foundations Symposium · January 1, 2023
Among the most challenging traffic-analysis attacks to confound are those leveraging the sizes of objects downloaded over the network. In this paper we systematically analyze this problem under realistic constraints regarding the padding overhead that the ...

Nimble: Fast and Safe Migration of Network Functions
Conference · Proceedings - IEEE INFOCOM · January 1, 2023
Network function (NF) migration alongside (and possibly because of) routing policy updates is a delicate task, making it difficult to ensure that all traffic is processed by its required network functions, in order. Indeed, all previous solutions to this p ...


Adversarial Training for Raw-Binary Malware Classifiers
Conference · 32nd USENIX Security Symposium, USENIX Security 2023 · January 1, 2023
Machine learning (ML) models have shown promise in classifying raw executable files (binaries) as malicious or benign with high accuracy. This has led to the increasing influence of ML-based classification methods in academic and real-world malware detecti ...

Distance-Aware Private Set Intersection
Conference · 32nd USENIX Security Symposium, USENIX Security 2023 · January 1, 2023
Private set intersection (PSI) allows two mutually untrusting parties to compute an intersection of their sets, without revealing information about items that are not in the intersection. This work introduces a PSI variant called distance-aware PSI (DA-PSI ...

Bernoulli Honeywords
Preprint · December 24, 2022

ENGRAFT: Enclave-guarded Raft on Byzantine Faulty Nodes
Conference · Proceedings of the ACM Conference on Computer and Communications Security · November 7, 2022
This paper presents the first critical analysis of building highly secure, performant, and confidential Byzantine fault-tolerant (BFT) consensus by integrating off-the-shelf crash fault-tolerant (CFT) protocols with trusted execution environments (TEEs). T ...

Coordinating Followers to Reach Better Equilibria: End-to-End Gradient Descent for Stackelberg Games
Conference · Proceedings of the 36th AAAI Conference on Artificial Intelligence, AAAI 2022 · June 30, 2022
A growing body of work in game theory extends the traditional Stackelberg game to settings with one leader and multiple followers who play a Nash equilibrium. Standard approaches for computing equilibria in these games reformulate the followers' best respo ...

Defeating Traffic Analysis via Differential Privacy: A Case Study on Streaming Traffic
Journal Article · International Journal of Information Security · June 1, 2022
In this paper, we explore the adaptation of techniques previously used in the domains of adversarial machine learning and differential privacy to mitigate the ML-powered analysis of streaming traffic. Our findings are twofold. First, constructing adversarial ...

Practical Integration via Separable Bijective Networks
Conference · ICLR 2022 - 10th International Conference on Learning Representations · January 1, 2022
Neural networks have enabled learning over examples that contain thousands of dimensions. However, most of these models are limited to training and evaluating on a finite collection of points and do not consider the hypervolume in which the data resides. A ...

Constrained Gradient Descent: A Powerful and Principled Evasion Attack Against Neural Networks
Conference · Proceedings of Machine Learning Research · January 1, 2022
We propose new, more efficient targeted white-box attacks against deep neural networks. Our attacks better align with the attacker's goal: (1) tricking a model to assign higher probability to the target class than to any other class, while (2) staying with ...

Distance-Aware Private Set Intersection
Journal Article · December 29, 2021
Private set intersection (PSI) allows two mutually untrusting parties to compute an intersection of their sets, without revealing information about items that are not in the intersection. This work introduces a PSI variant called distance-aware PSI (DA-PSI ...

Constrained Gradient Descent: A Powerful and Principled Evasion Attack Against Neural Networks
Journal Article · December 28, 2021
We propose new, more efficient targeted white-box attacks against deep neural networks. Our attacks better align with the attacker's goal: (1) tricking a model to assign higher probability to the target class than to any other class, while (2) staying with ...

Brief Announcement: Communication-Efficient BFT Using Small Trusted Hardware to Tolerate Minority Corruption
Conference · Leibniz International Proceedings in Informatics, LIPIcs · October 1, 2021
Small trusted hardware primitives can improve fault tolerance of Byzantine Fault Tolerant (BFT) protocols to one-half faults. However, existing works achieve this at the cost of increased communication complexity. In this work, we explore the design of com ...

Interpretable Noninterference Measurement and Its Application to Processor Designs
Journal Article · Proceedings of the ACM on Programming Languages · October 1, 2021
Noninterference measurement quantifies the secret information that might leak to an adversary from what the adversary can observe and influence about the computation. Static and high-fidelity noninterference measurement has been difficult to scale to compl ...

Optimally Hiding Object Sizes with Constrained Padding
Report · August 3, 2021
Among the most challenging traffic-analysis attacks to confound are those leveraging the sizes of objects downloaded over the network. In this paper we systematically analyze this problem under realistic constraints regarding the padding overhead that the ...

Malware Makeover: Breaking ML-based Static Analysis by Modifying Executable Bytes
Conference · ASIA CCS 2021 - Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security · May 24, 2021
Motivated by the transformative impact of deep neural networks (DNNs) in various domains, researchers and anti-virus vendors have proposed DNNs for malware detection from raw bytes that do not require manual feature engineering. In this work, we propose an ...

Role-Based Deception in Enterprise Networks
Conference · CODASPY 2021 - Proceedings of the 11th ACM Conference on Data and Application Security and Privacy · April 26, 2021
Historically, enterprise network reconnaissance is an active process, often involving port scanning. However, as routers and switches become more complex, they also become more susceptible to compromise. From this vantage point, an attacker can passively i ...

The Netivus Manifesto: Making Collaborative Network Management Easier for the Rest of Us
Other · Computer Communication Review · April 1, 2021
We study operational issues faced by Small and Medium Enterprise (SME) network owners and find that SME network management practices have stagnated over the past decade, despite many recent advances in network management. Many of these advances target hype ...

TASE: Reducing Latency of Symbolic Execution with Transactional Memory
Conference · 28th Annual Network and Distributed System Security Symposium, NDSS 2021 · January 1, 2021
We present the design and implementation of a tool called TASE that uses transactional memory to reduce the latency of symbolic-execution applications with small amounts of symbolic state. Execution paths are executed natively while operating on concrete v ...

Using Amnesia to Detect Credential Database Breaches
Conference · Proceedings of the 30th USENIX Security Symposium · January 1, 2021
Known approaches for using decoy passwords (honeywords) to detect credential database breaches suffer from the need for a trusted component to recognize decoys when entered in login attempts, and from an attacker's ability to test stolen passwords at other ...

Effect of Mood, Location, Trust, and Presence of Others on Video-Based Social Authentication
Conference · Proceedings of the 30th USENIX Security Symposium · January 1, 2021
Current fallback authentication mechanisms are unreliable (e.g., security questions are easy to guess) and need improvement. Social authentication shows promise as a novel form of fallback authentication. In this paper, we report the results of a four-week ...

CPU Elasticity to Mitigate Cross-VM Runtime Monitoring
Journal Article · IEEE Transactions on Dependable and Secure Computing · September 1, 2020
In this paper, we present a new technique that offers lightweight, general, and elastic protection against Crum (Cross-VM runtime monitoring) attacks. Our protection, called Crease (CPU Resource Elasticity as a Service), enables a VM (called principal) to ...

Metering Graphical Data Leakage with Snowman
Conference · Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT · June 10, 2020
A long-standing technique to interfere with theft of sensitive data by its intended users is permitting these insiders only remote access to the data via a thin client. Even allowing only remote access is inadequate, however, to counter an insider willing ...

N-m-Variant Systems: Adversarial-Resistant Software Rejuvenation for Cloud-Based Web Applications
Conference · CODASPY 2020 - Proceedings of the 10th ACM Conference on Data and Application Security and Privacy · March 16, 2020
Web servers are a popular target for adversaries as they are publicly accessible and often vulnerable to compromise. Compromises can go unnoticed for months, if not years, and recovery often involves a complete system rebuild. In this paper, we propose n-m ...

Detecting Stuffing of a User's Credentials at Her Own Accounts
Conference · Proceedings of the 29th USENIX Security Symposium · January 1, 2020
We propose a framework by which websites can coordinate to detect credential stuffing on individual user accounts. Our detection algorithm teases apart normal login behavior (involving password reuse, entering correct passwords into the wrong sites, etc.) ...

Defense through diverse directions

Conference 37th International Conference on Machine Learning, ICML 2020 · January 1, 2020 In this work we develop a novel Bayesian neural network methodology to achieve strong adversarial robustness without the need for online adversarial training. Unlike previous efforts in this direction, we do not rely solely on the stochasticity of network ... Cite

$n$-ML: Mitigating Adversarial Examples via Ensembles of Topologically Manipulated Classifiers

Report · December 19, 2019 This paper proposes a new defense called $n$-ML against adversarial examples, i.e., inputs crafted by perturbing benign inputs by small amounts to induce misclassifications by classifiers. Inspired by $n$-version programming, $n$-ML trains an ensemble of $ ... Link to item Cite

Malware Makeover: Breaking ML-based Static Analysis by Modifying Executable Bytes

Report · December 19, 2019 Motivated by the transformative impact of deep neural networks (DNNs) in various domains, researchers and anti-virus vendors have proposed DNNs for malware detection from raw bytes that do not require manual feature engineering. In this work, we propose an ... Link to item Cite

Efficient verifiable secret sharing with share recovery in BFT protocols

Conference Proceedings of the ACM Conference on Computer and Communications Security · November 6, 2019 Byzantine fault tolerant state machine replication (SMR) provides powerful integrity guarantees, but fails to provide any privacy guarantee whatsoever. A natural way to add such privacy guarantees is to secret-share state instead of fully replicating it. S ... Full text Cite

HotStuff: BFT Consensus with linearity and responsiveness

Conference Proceedings of the Annual ACM Symposium on Principles of Distributed Computing · July 16, 2019 We present HotStuff, a leader-based Byzantine fault-tolerant replication protocol for the partially synchronous model. Once network communication becomes synchronous, HotStuff enables a correct leader to drive the protocol to consensus at the pace of actua ... Full text Cite

A general framework for adversarial examples with objectives

Journal Article ACM Transactions on Privacy and Security · June 10, 2019 Images perturbed subtly to be misclassified by neural networks, called adversarial examples, have emerged as a technically deep challenge and an important concern for several application domains. Most research on adversarial examples takes as its only cons ... Full text Open Access Cite

SBFT: A Scalable and Decentralized Trust Infrastructure

Conference Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2019 · June 1, 2019 SBFT is a state of the art Byzantine fault tolerant state machine replication system that addresses the challenges of scalability, decentralization and global geo-replication. SBFT is optimized for decentralization and is experimentally evaluated on a depl ... Full text Cite

Efficient and safe network updates with suffix causal consistency

Conference Proceedings of the 14th EuroSys Conference 2019 · March 25, 2019 Though centrally managed by a controller, a software-defined network (SDN) can still encounter routing inconsistencies among its switches due to the non-atomic updates to their forwarding tables. In this paper, we propose a new method to rectify these inco ... Full text Cite

How to End Password Reuse on the Web

Conference Proceedings 2019 Network and Distributed System Security Symposium · 2019 Full text Cite

How to End Password Reuse on the Web

Conference 26th Annual Network and Distributed System Security Symposium, NDSS 2019 · January 1, 2019 We present a framework by which websites can coordinate to make it difficult for users to set similar passwords at these websites, in an effort to break the culture of password reuse on the web today. Though the design of such a framework is fraught with r ... Full text Cite

Usability of augmented reality for revealing secret messages to users but not their devices

Conference SOUPS 2015 - Proceedings of the 11th Symposium on Usable Privacy and Security · January 1, 2019 We evaluate the possibility of a human receiving a secret message while trusting no device with the contents of that message, by using visual cryptography (VC) implemented with augmented-reality displays (ARDs). In a pilot user study using Google Glass and ... Cite

Statistical Privacy for Streaming Traffic

Conference 26th Annual Network and Distributed System Security Symposium, NDSS 2019 · January 1, 2019 Machine learning empowers traffic-analysis attacks that breach users’ privacy from their encrypted traffic. Recent advances in deep learning drastically escalate such threats. One prominent example demonstrated recently is a traffic-analysis attack against ... Full text Cite

Intent-driven composition of resource-management SDN applications

Conference CoNEXT 2018 - Proceedings of the 14th International Conference on Emerging Networking EXperiments and Technologies · December 4, 2018 As software-defined networking deployments mature, operators need to manage and compose multiple resource-management applications, such as traffic engineering and service chaining. Today such applications’ resource management algorithms run separately and ... Full text Cite

BEAT: Asynchronous BFT made practical

Conference Proceedings of the ACM Conference on Computer and Communications Security · October 15, 2018 We present BEAT, a set of practical Byzantine fault-tolerant (BFT) protocols for completely asynchronous environments. BEAT is flexible, versatile, and extensible, consisting of five asynchronous BFT protocols that are designed to meet different goals (e.g ...

Differentially Private Access Patterns for Searchable Symmetric Encryption

Conference Proceedings - IEEE INFOCOM · October 8, 2018 Searchable encryption enables searches to be performed on encrypted documents stored on an untrusted server without exposing the documents or the search terms to the server. Nevertheless, the server typically learns which encrypted documents match the quer ...

Static Evaluation of Noninterference Using Approximate Model Counting

Conference Proceedings - IEEE Symposium on Security and Privacy · July 23, 2018 Noninterference is a definition of security for secret values provided to a procedure, which informally is met when attacker-observable outputs are insensitive to the value of the secret inputs or, in other words, the secret inputs do not 'interfere' with ...

Secure Causal Atomic Broadcast, Revisited

Conference Proceedings - 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2017 · August 30, 2017 We revisit the problem of preserving causality in Byzantine fault-tolerant (BFT) atomic broadcast protocols, a requirement first proposed by Reiter and Birman (TOPLAS 1994). While over the past three decades, this requirement has been met through the deplo ...

Flow Reconnaissance via Timing Attacks on SDN Switches

Conference Proceedings - International Conference on Distributed Computing Systems · July 13, 2017 When encountering a packet for which it has no matching forwarding rule, a software-defined networking (SDN) switch requests an appropriate rule from its controller; this request delays the routing of the flow until the controller responds. We show that th ...

Rethinking Security in the Era of Cloud Computing

Journal Article IEEE Security and Privacy · May 1, 2017 Cloud computing has emerged as a dominant computing platform for the foreseeable future, disrupting the way we build and deploy software. This disruption offers a rare opportunity to integrate new computer security approaches. ...

Detecting privileged side-channel attacks in shielded execution with Déjà Vu

Conference ASIA CCS 2017 - Proceedings of the 2017 ACM Asia Conference on Computer and Communications Security · April 2, 2017 Intel Software Guard Extension (SGX) protects the confidentiality and integrity of an unprivileged program running inside a secure enclave from a privileged attacker who has full control of the entire operating system (OS). Program execution inside thi ...

Rethinking Security in the Era of Cloud Computing

Journal Article IEEE Security and Privacy · January 1, 2017 Cloud computing has emerged as a dominant computing platform for the foreseeable future, resulting in an ongoing disruption to the way we build and deploy software. This disruption offers a rare opportunity to integrate new approaches to computer security. ...

A system to verify network behavior of known cryptographic clients

Conference Proceedings of the 14th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2017 · January 1, 2017 Numerous exploits of client-server protocols and applications involve modifying clients to behave in ways that untampered clients would not, such as crafting malicious packets. In this paper, we develop a system for verifying in near real-time that a crypt ...

On-demand time blurring to support side-channel defense

Conference Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2017 Side-channel attacks are a serious threat to multi-tenant public clouds. Past work showed how secret information in one virtual machine (VM) can be leaked to another, co-resident VM using timing side channels. Recent defenses against timing side channels f ...

Introducing reputation systems to the economics of outsourcing computations to rational workers

Conference Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2017 Outsourcing computation to remote parties (“workers”) is an increasingly common practice, owing in part to the growth of cloud computing. However, outsourcing raises concerns that outsourced tasks may be completed incorrectly, whether by accident or becaus ...

CCSW 2016 - Proceedings of the 2016 ACM Cloud Computing Security Workshop, co-located with CCS 2016: Foreword

Conference CCSW 2016 - Proceedings of the 2016 ACM Cloud Computing Security Workshop, co-located with CCS 2016 · October 28, 2016

Accessorize to a crime: Real and stealthy attacks on state-of-the-art face recognition

Conference Proceedings of the ACM Conference on Computer and Communications Security · October 24, 2016 Machine learning is enabling a myriad innovations, including new algorithms for cancer diagnosis and self-driving cars. The broad use of machine learning makes it important to understand the extent to which machine-learning algorithms are subject to attack ...

A software approach to defeating side channels in last-level caches

Conference Proceedings of the ACM Conference on Computer and Communications Security · October 24, 2016 We present a software approach to mitigate access-driven side-channel attacks that leverage last-level caches (LLCs) shared across cores to leak information between security domains (e.g., tenants in a cloud). Our approach dynamically manages physical memo ...

8th ACM Cloud computing security workshop

Conference Proceedings of the ACM Conference on Computer and Communications Security · October 24, 2016 Cloud computing is a dominant trend in computing for the foreseeable future; e.g., major cloud operators are now estimated to house over a million machines each and to host substantial (and growing) fractions of our IT and web infrastructure. CCSW is a for ...

Gremlin: Systematic Resilience Testing of Microservices

Conference Proceedings - International Conference on Distributed Computing Systems · August 8, 2016 Modern Internet applications are being disaggregated into a microservice-based architecture, with services being updated and deployed hundreds of times a day. The accelerated software life cycle and heterogeneity of language runtimes in a single applicatio ...

Server-side verification of client behavior in cryptographic protocols

Report · March 13, 2016 Numerous exploits of client-server protocols and applications involve modifying clients to behave in ways that untampered clients would not, such as crafting malicious packets. In this paper, we demonstrate practical verification of a cryptographic protoco ...

WACCO and LOKO: Strong Consistency at Global Scale

Conference Proceedings - 2015 IEEE Conference on Collaboration and Internet Computing, CIC 2015 · March 1, 2016 Motivated by a vision for future global-scale services supporting frequent updates and widespread concurrent reads, we propose a scalable object-sharing system called WACCO offering strong consistency semantics. WACCO propagates read responses on a tree-ba ...

The effect of repeated login prompts on phishing susceptibility

Conference 2016 LASER Workshop - Learning from Authoritative Security Experiment Results · January 1, 2016 Background. Understanding the human aspects of phishing susceptibility is an important component in building effective defenses. People type passwords so often that it is possible that this act makes each individual password less safe from phishing attacks ...

Stealing Machine Learning Models via Prediction APIs

Conference 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10-12, 2016 · 2016

Simplifying software-defined network optimization using SOL

Conference Proceedings of the 13th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2016 · January 1, 2016 Realizing the benefits of SDN for many network management applications (e.g., traffic engineering, service chaining, topology reconfiguration) involves addressing complex optimizations that are central to these problems. Unfortunately, such optimization pr ...

Nomad: Mitigating arbitrary cloud side channels via provider-assisted migration

Conference Proceedings of the ACM Conference on Computer and Communications Security · October 12, 2015 Recent studies have shown a range of co-residency side channels that can be used to extract private information from cloud clients. Unfortunately, addressing these side channels often requires detailed attack-specific fixes that require significant modific ...

Mitigating storage side channels using statistical privacy mechanisms

Conference Proceedings of the ACM Conference on Computer and Communications Security · October 12, 2015 A storage side channel occurs when an adversary accesses data objects influenced by another, victim computation and infers information about the victim that it is not permitted to learn directly. We bring advances in privacy for statistical databases to be ...

Toward practical encrypted email that supports private, regular-expression searches

Journal Article International Journal of Information Security · October 1, 2015 In this paper, we develop a protocol to enable private regular-expression searches on encrypted data stored at a server. A novelty of the protocol lies in allowing a user to securely delegate an encrypted search query to a pr ...

Replica Placement for Availability in the Worst Case

Conference Proceedings - International Conference on Distributed Computing Systems · July 22, 2015 We explore the problem of placing object replicas on nodes in a distributed system to maximize the number of objects that remain available when node failures occur. In our model, failing (the nodes hosting) a given threshold of replicas is sufficient to di ...

Caesar: High-speed and memory-efficient forwarding engine for future internet architecture

Conference ANCS 2015 - 11th 2015 ACM/IEEE Symposium on Architectures for Networking and Communications Systems · May 18, 2015 In response to the critical challenges of the current Internet architecture and its protocols, a set of so-called clean slate designs has been proposed. Common among them is an addressing scheme that separates location and identity with self-certifying, fl ...

Accelerating the Development of Software-Defined Network Optimization Applications Using SOL

Report · April 28, 2015 Software-defined networking (SDN) can enable diverse network management applications such as traffic engineering, service chaining, network function outsourcing, and topology reconfiguration. Realizing the benefits of SDN for these applications, however, e ...

Crowdsourced exploration of security configurations

Conference Conference on Human Factors in Computing Systems - Proceedings · April 18, 2015 Smartphone apps today request permission to access a multitude of sensitive resources, which users must accept completely during installation (e.g., on Android) or selectively configure after installation (e.g., on iOS, but also planned for Android). Every ...

Defending against device theft with human notarization

Conference CollaborateCom 2014 - Proceedings of the 10th IEEE International Conference on Collaborative Computing: Networking, Applications and Worksharing · January 1, 2015 People increasingly rely on mobile phones for storing sensitive information and credentials for access to services. Because these devices are vulnerable to theft, security of this data is put at higher risk; once the attacker is in physical possession of th ...

An epidemiological study of malware encounters in a large enterprise

Conference Proceedings of the ACM Conference on Computer and Communications Security · November 3, 2014 We present an epidemiological study of malware encounters in a large, multi-national enterprise. Our data sets allow us to observe or infer not only malware presence on enterprise computers, but also malware entry points, network locations of the computers ...

Cross-tenant side-channel attacks in PaaS clouds

Conference Proceedings of the ACM Conference on Computer and Communications Security · November 3, 2014 We present a new attack framework for conducting cache-based side-channel attacks and demonstrate this framework in attacks between tenants on commercial Platform-as-a-Service (PaaS) clouds. Our framework uses the Flush-Reload attack of Gullasch et al. a ...

Stop watch: A cloud architecture for timing channel mitigation

Journal Article ACM Transactions on Information and System Security · November 1, 2014 This article presents StopWatch, a system that defends against timing-based side-channel attacks that arise from coresidency of victims and attackers in infrastructure-as-a-service clouds. StopWatch triplicates each cloud-resident guest virtual machine (VM ...

Message from program Chairs

Conference Proceedings of the International Conference on Dependable Systems and Networks · September 18, 2014

Toward strong, usable access control for shared distributed data

Conference Proceedings of the 12th USENIX Conference on File and Storage Technologies, FAST 2014 · January 1, 2014 As non-expert users produce increasing amounts of personal digital data, usable access control becomes critical. Current approaches often fail, because they insufficiently protect data or confuse users about policy specification. This paper presents Penumb ...

SNIPS: A software-defined approach for scaling intrusion prevention systems via offloading

Conference Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2014 Growing traffic volumes and the increasing complexity of attacks pose a constant scaling challenge for network intrusion prevention systems (NIPS). In this respect, offloading NIPS processing to compute clusters offers an immediately deployable alternative ...

Düppel: Retrofitting commodity operating systems to mitigate cache side channels in the cloud

Conference Proceedings of the ACM Conference on Computer and Communications Security · December 9, 2013 This paper presents the design, implementation and evaluation of a system called Düppel that enables a tenant virtual machine to defend itself from cache-based side-channel attacks in public clouds. Düppel includes defenses for time-shared caches such as p ...

The post anachronism: The temporal dimension of Facebook privacy

Conference Proceedings of the ACM Conference on Computer and Communications Security · December 9, 2013 This paper reports on two studies that investigate empirically how privacy preferences about the audience and emphasis of Facebook posts change over time. In a 63-participant longitudinal study, participants gave their audience and emphasis preferences for ...

Ensuring file authenticity in private DFA evaluation on encrypted files in the cloud

Conference Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · October 4, 2013 Cloud storage, and more specifically the encryption of file contents to protect them in the cloud, can interfere with access to these files by partially trusted third-party service providers and customers. To support such access for pattern-matching applic ...

Mitigating access-driven timing channels in clouds using StopWatch

Conference Proceedings of the International Conference on Dependable Systems and Networks · September 9, 2013 This paper presents StopWatch, a system that defends against timing-based side-channel attacks that arise from coresidency of victims and attackers in infrastructure-as-a-service clouds. StopWatch triplicates each cloud-resident guest virtual machine (VM) ...

Verifiable network function outsourcing: Requirements, challenges, and roadmap

Conference HotMiddlebox 2013 - Proceedings of the 2013 Workshop on Hot Topics in Middleboxes and Network Function Virtualization · January 1, 2013 Network function outsourcing (NFO) enables enterprises and small businesses to achieve the performance and security benefits offered by middleboxes (e.g., firewall, IDS) without incurring high equipment or operating costs that such functions entail. In ord ...

Secure Decoupled Linkage (SDLink) system for building a social genome

Conference Proceedings - 2013 IEEE International Conference on Big Data, Big Data 2013 · January 1, 2013 Population informatics is the systematic study of populations via secondary analysis of massive data collections about people, called the social genome. A major challenge in building the social genome is the difficulty in data integration of heterogeneous ...

Toward Online Verification of Client Behavior in Distributed Applications

Conference 20th Annual Network and Distributed System Security Symposium, NDSS 2013 · January 1, 2013 Existing techniques for a server to verify the correctness of client behavior in a distributed application suffer from imprecision, increased bandwidth consumption, or significant computational expense. We present a novel method for a server to efficiently ...

New opportunities for load balancing in network-wide intrusion detection systems

Conference CoNEXT 2012 - Proceedings of the 2012 ACM Conference on Emerging Networking Experiments and Technologies · December 1, 2012 As traffic volumes and the types of analysis grow, network intrusion detection systems (NIDS) face a continuous scaling challenge. Management realities, however, limit NIDS hardware upgrades to occur typically once every 3-5 years. Given that traffic patte ...

Cross-VM side channels and their use to extract private keys

Conference Proceedings of the ACM Conference on Computer and Communications Security · November 29, 2012 This paper details the construction of an access-driven side-channel attack by which a malicious virtual machine (VM) extracts fine-grained information from a victim VM running on the same physical computer. This attack is the first such attack demonstrate ...

Out of sight, out of mind: Effects of displaying access-control information near the item it controls

Conference 2012 10th Annual International Conference on Privacy, Security and Trust, PST 2012 · November 6, 2012 We take a detailed look at how users, while focusing on non-permission tasks, notice and fix access-control permission errors depending on where the access-control policy is spatially located on a photo-sharing website. The access-control policy was placed ...

Studying access-control usability in the lab: Lessons learned from four studies

Conference ACM International Conference Proceeding Series · October 29, 2012 In a series of studies, we investigated a user interface intended to help users stay aware of their access-control policy even when they are engaged in another activity as their primary task. Methodological issues arose in each study, which impacted the re ...

Understanding domain registration abuses

Conference Computers and Security · October 1, 2012 The ability to monetize domain names through resale or serving ad content has contributed to the rise of questionable practices in acquiring them, including domain-name speculation, tasting, and front running. In this paper, we perform one of the first com ...

Efficient, compromise resilient and append-only cryptographic schemes for secure audit logging

Conference Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · September 11, 2012 Due to the forensic value of audit logs, it is vital to provide compromise resiliency and append-only properties in a logging system to prevent active attackers. Unfortunately, existing symmetric secure logging schemes are not publicly verifiable and canno ...

Third-party private DFA evaluation on encrypted files in the cloud

Conference Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · September 5, 2012 Motivated by the need to outsource file storage to untrusted clouds while still permitting limited use of that data by third parties, we present practical protocols by which a client (the third-party) can evaluate a deterministic finite automaton (DFA) on ...

File system virtual appliances: Portable file system implementations

Journal Article ACM Transactions on Storage · September 1, 2012 File system virtual appliances (FSVAs) address the portability headaches that plague file system (FS) developers. By packaging their FS implementation in a virtual machine (VM), separate from the VM that runs user applications, they can avoid the need to p ...

BAF and FI-BAF: Efficient and publicly verifiable cryptographic schemes for secure logging in resource-constrained systems

Journal Article ACM Transactions on Information and System Security · July 1, 2012 Audit logs are an integral part of modern computer systems due to their forensic value. Protecting audit logs on a physically unprotected machine in hostile environments is a challenging task, especially in the presence of active adversaries. It is critica ...

Revisiting botnet models and their implications for takedown strategies

Conference Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · April 9, 2012 Several works have utilized network models to study peer-to-peer botnets, particularly in evaluating the effectiveness of strategies aimed at taking down a botnet. We observe that previous works fail to consider an important structural characteristic of ne ...

Design and implementation of a consolidated middlebox architecture

Conference Proceedings of NSDI 2012: 9th USENIX Symposium on Networked Systems Design and Implementation · January 1, 2012 Network deployments handle changing application, workload, and policy requirements via the deployment of specialized network appliances or "middleboxes". Today, however, middlebox platforms are expensive and closed systems, with little or no hooks for exte ...

Discovering Access-Control Misconfigurations: New Approaches and Evaluation Methodologies

Conference CODASPY'12 - Proceedings of the 2nd ACM Conference on Data and Application Security and Privacy · January 1, 2012 Accesses that are not permitted by implemented policy but that share similarities with accesses that have been allowed, may be indicative of access-control policy misconfigurations. Identifying such misconfigurations allows administrators to resolve them b ...

The middlebox manifesto: Enabling innovation in middlebox deployment

Conference Proceedings of the 10th ACM Workshop on Hot Topics in Networks, HotNets-10 · December 19, 2011 Most network deployments respond to changing application, workload, and policy requirements via the deployment of specialized network appliances or "middleboxes". Despite the critical role that middleboxes play in introducing new network functionality, the ...

Amplifying limited expert input to sanitize large network traces

Conference Proceedings of the International Conference on Dependable Systems and Networks · August 26, 2011 We present a methodology for identifying sensitive data in packet payloads, motivated by the need to sanitize packets before releasing them (e.g., for network security/dependability analysis). Our methodology accommodates packets recorded from an incomplet ...

False data injection attacks against state estimation in electric power grids

Conference ACM Transactions on Information and System Security · May 1, 2011 A power grid is a complex system connecting electric power generators to consumers through power transmission and distribution networks across a large geographical area. System monitoring is necessary to ensure the reliable operation of power grids, and st ...

Detecting and resolving policy misconfigurations in access-control systems

Conference ACM Transactions on Information and System Security · May 1, 2011 Access-control policy misconfigurations that cause requests to be erroneously denied can result in wasted time, user frustration, and, in the context of particular applications (e.g., health care), very severe consequences. In this article we apply associa ...

Summary-invisible networking: Techniques and defenses

Conference Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2011 Numerous network anomaly detection techniques utilize traffic summaries (e.g., NetFlow records) to detect and diagnose attacks. In this paper we investigate the limits of such approaches, by introducing a technique by which compromised hosts can communicat ...

Server-Side Verification Of Client Behavior In Online Games

Journal Article ACM Transactions on Information and System Security · January 1, 2011 Online gaming is a lucrative and growing industry but one that is slowed by cheating that compromises the gaming experience and hence drives away players (and revenue). In this paper we develop a technique by which game developers can enable game operators ...

Bounded vector signatures and their applications

Conference Proceedings of the 6th International Symposium on Information, Computer and Communications Security, ASIACCS 2011 · January 1, 2011 Although malleability is undesirable in traditional digital signatures, schemes with limited malleability properties enable interesting functionalities that may be impossible to obtain otherwise (e.g., homomorphic signatures). In this paper, we introduce a ...

More than skin deep: Measuring effects of the underlying model on access-control system usability

Conference Conference on Human Factors in Computing Systems - Proceedings · January 1, 2011 In access-control systems, policy rules conflict when they prescribe different decisions (ALLOW or DENY) for the same access. We present the results of a user study that demonstrates the significant impact of conflict-resolution method on policy-authoring ...

HomeAlone: Co-residency detection in the cloud via side-channel analysis

Conference Proceedings - IEEE Symposium on Security and Privacy · January 1, 2011 Security is a major barrier to enterprise adoption of cloud computing. Physical co-residency with other tenants poses a particular risk, due to pervasive virtualization in the cloud. Recent research has shown how side channels in shared hardware may enable ...

Usability Testing a Malware-Resistant Input Mechanism

Conference Proceedings of the Symposium on Network and Distributed System Security, NDSS 2011 · January 1, 2011 We report the results of a usability study of Bumpy, a system that enables a user to provide secret inputs to remote webservers without trusting the computer on which she types those inputs. Achieving this somewhat paradoxical property via Bumpy requires e ...

The security of modern password expiration: An algorithmic framework and empirical analysis

Conference Proceedings of the ACM Conference on Computer and Communications Security · December 16, 2010 This paper presents the first large-scale study of the success of password expiration in meeting its intended purpose, namely revoking access to an account by an attacker who has captured the account's password. Using a dataset of over 7700 accounts, we as ...

Understanding domain registration abuses

Conference IFIP Advances in Information and Communication Technology · December 1, 2010 The ability to monetize domain names through resale or serving ad content has contributed to the rise of questionable practices in acquiring them, including domain-name speculation, tasting, and front running. In this paper, we perform one of the first com ...

Network-wide deployment of intrusion detection and prevention systems

Conference Proceedings of the 6th International Conference on Emerging Networking Experiments and Technologies, Co-NEXT'10 · December 1, 2010 Traditional efforts for scaling network intrusion detection (NIDS) and intrusion prevention systems (NIPS) have largely focused on a single-vantage-point view. In this paper, we explore an alternative design that exploits spatial, network-wide opportunitie ...

Zzyzx: Scalable fault tolerance through Byzantine locking

Conference Proceedings of the International Conference on Dependable Systems and Networks · September 20, 2010 Zzyzx is a Byzantine fault-tolerant replicated state machine protocol that outperforms prior approaches and provides near-linear throughput scaling. Using a new technique called Byzantine Locking, Zzyzx allows a client to extract state from an underlying r ...

Are your hosts trading or plotting? Telling P2P file-sharing and bots apart

Conference Proceedings - International Conference on Distributed Computing Systems · August 27, 2010 Peer-to-peer (P2P) substrates are now widely used for both file-sharing and botnet command-and-control. Despite the commonality of their substrates, we show that the different goals and circumstances of these applications give rise to behaviors that can be ...

Access control for home data sharing: Evaluating social acceptability

Conference Conference on Human Factors in Computing Systems - Proceedings · July 1, 2010 As digital content becomes more prevalent in the home, non-technical users are increasingly interested in sharing that content with others and accessing it from multiple devices. Not much is known about how these users think about controlling access to thi ...

Coordinated sampling sans origin-destination identifiers: Algorithms and analysis

Conference 2010 2nd International Conference on COMmunication Systems and NETworks, COMSNETS 2010 · May 18, 2010 Flow monitoring is used for a wide range of network management applications. Many such applications require that the monitoring infrastructure provide high flow coverage and support fine-grained network-wide objectives. Coordinated Sampling (cSamp) is a re ...

Using web-referral architectures to mitigate denial-of-service threats

Journal Article IEEE Transactions on Dependable and Secure Computing · April 30, 2010 The web is a complicated graph, with millions of websites interlinked together. In this paper, we propose to use this web sitegraph structure to mitigate flooding attacks on a website, using a new web referral architecture for privileged service (WRAPS). W ...

Selected results from the latest decade of quorum systems research

Conference Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · April 26, 2010 Over the past decade, work on quorum systems in non-traditional scenarios has facilitated a number of advances in the field of distributed systems. This chapter surveys a selection of these results including: Byzantine quorum systems that are suitable for ...

Revisiting the case for a minimalist approach for network flow monitoring

Conference Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC · January 1, 2010 Network management applications require accurate estimates of a wide range of flow-level traffic metrics. Given the inadequacy of current packet-sampling-based solutions, several application-specific monitoring algorithms have emerged. While these provide ...

On challenges in evaluating malware clustering

Conference Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2010 Malware clustering and classification are important tools that enable analysts to prioritize their malware analysis efforts. The recent emergence of fully automated methods for malware clustering and classification that report high accuracy suggests that t ...

Server-side Verification of Client Behavior in Online Games

Conference Proceedings of the Symposium on Network and Distributed System Security, NDSS 2010 · January 1, 2010 Online gaming is a lucrative and growing industry, but one that is slowed by cheating that compromises the gaming experience and hence drives away players (and revenues). In this paper we develop a technique by which game developers can enable game operato ... Cite

Making peer-assisted content distribution robust to collusion using bandwidth puzzles

Conference Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · December 15, 2009 Many peer-assisted content-distribution systems reward a peer based on the amount of data that this peer serves to others. However, validating that a peer did so is, to our knowledge, an open problem; e.g., a group of colluding attackers can earn rewards b ... Full text Cite

Real life challenges in access-control management

Conference · Conference on Human Factors in Computing Systems - Proceedings · December 1, 2009
In this work we ask the question: what are the challenges of managing a physical or file system access-control policy for a large organization? To answer the question, we conducted a series of interviews with thirteen administrators who manage access-contr ...

False data injection attacks against state estimation in electric power grids

Conference · Proceedings of the ACM Conference on Computer and Communications Security · December 1, 2009
A power grid is a complex system connecting electric power generators to consumers through power transmission and distribution networks across a large geographical area. System monitoring is necessary to ensure the reliable operation of power grids, and st ...
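
The entry above names the setting but the abstract is cut off before it says why state estimation is attackable. The following is an added example, not code from the paper: it implements the textbook DC state-estimation model (z = Hx + e, least-squares estimate, residual-based bad-data detector) and shows the standard observation that an injection of the form a = Hc shifts the estimate by exactly c while leaving the residual unchanged, whereas tampering with a single meter is caught. The measurement matrix H, the noise, the threshold tau and the attacker's bias c are all constructed values for illustration.

```python
"""DC state estimation with a residual-based bad-data detector, and a
measurement-consistent false data injection the detector cannot see."""
from math import sqrt


def transpose(A):
    return [list(col) for col in zip(*A)]


def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) for row in A]


def matmul(A, B):
    Bt = transpose(B)
    return [[sum(a * b for a, b in zip(row, col)) for col in Bt] for row in A]


def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting for a small square system."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        if abs(M[col][col]) < 1e-12:
            raise ValueError("H^T H is singular: the system is not observable")
        for r in range(n):
            if r != col:
                factor = M[r][col] / M[col][col]
                M[r] = [mr - factor * mc for mr, mc in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def estimate(H, z):
    """Least-squares state estimate x_hat = (H^T H)^-1 H^T z (unit meter weights)."""
    Ht = transpose(H)
    return solve(matmul(Ht, H), matvec(Ht, z))


def residual_norm(H, z):
    """||z - H x_hat||_2, the quantity a residual-based bad-data test thresholds."""
    x_hat = estimate(H, z)
    return sqrt(sum((zi - hi) ** 2 for zi, hi in zip(z, matvec(H, x_hat))))


def passes_bad_data_check(H, z, tau):
    return residual_norm(H, z) <= tau


def consistent_attack(H, c):
    """Attack vector a = H c: it lies in the column space of H, so the estimate
    moves by exactly c and the residual is identical to the clean one. The
    attacker needs H (the topology) and write access to every meter where a != 0."""
    return matvec(H, c)


def inject(z, a):
    return [zi + ai for zi, ai in zip(z, a)]


# Constructed toy system: 2 state variables observed by 4 meters (assumed values).
H = [[1.0, 0.0], [0.0, 1.0], [1.0, -1.0], [1.0, 1.0]]
X_TRUE = [1.0, 0.5]
NOISE = [0.01, -0.02, 0.015, -0.005]   # constructed meter noise
Z = inject(matvec(H, X_TRUE), NOISE)   # what the operator receives
TAU = 0.05                             # detector threshold (assumed)
C = [0.3, -0.2]                        # bias the attacker wants in the estimate

if __name__ == "__main__":
    z_attacked = inject(Z, consistent_attack(H, C))
    print("clean residual:", residual_norm(H, Z))
    print("a = Hc residual:", residual_norm(H, z_attacked), "passes:", passes_bad_data_check(H, z_attacked, TAU))
    print("estimate shift:", [a - b for a, b in zip(estimate(H, z_attacked), estimate(H, Z))])
    print("single-meter tamper passes:", passes_bad_data_check(H, inject(Z, [0.3, 0.0, 0.0, 0.0]), TAU))
```

The defensive takeaway is that residual checks only catch injections that are inconsistent with H; protecting the topology data and a subset of meters (so that no a = Hc can be realised with the meters the attacker controls) is what breaks the construction.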

When and how to change quorums on wide area networks

Conference · Proceedings of the IEEE Symposium on Reliable Distributed Systems · December 1, 2009
In wide-area settings, unpredictable events, such as flash crowds caused by nearly instantaneous popularity of services, can cause servers that are expected to respond quickly to instead suddenly respond slowly. This presents a problem for achieving consis ...

Automatically adapting a trained anomaly detector to software patches

Conference · Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · December 1, 2009
In order to detect a compromise of a running process based on it deviating from its program's normal system-call behavior, an anomaly detector must first be trained with traces of system calls made by the program when provided clean inputs. When a patch fo ...

Authenticated data compression in delay tolerant wireless sensor networks

Conference · INSS2009 - 6th International Conference on Networked Sensing Systems · December 1, 2009
Delay Tolerant Wireless Sensor Networks (DTWSNs) are sensor networks where continuous connectivity between the sensor nodes and their final destinations (e.g., the base station) cannot be guaranteed. Storage constraints are particularly a concern in DTWSNs ...

Privacy-preserving genomic computation through program specialization

Conference · Proceedings of the ACM Conference on Computer and Communications Security · December 1, 2009
In this paper, we present a new approach to performing important classes of genomic computations (e.g., search for homologous genes) that makes a significant step towards privacy protection in this domain. Our approach leverages a key property of the human ...

XDomain: Cross-border proofs of access

Conference · Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT · November 30, 2009
A number of research systems have demonstrated the benefits of accompanying each request with a machine-checkable proof that the request complies with access-control policy - a technique called proof-carrying authorization. Numerous authorization logics ha ...

Data structures with unpredictable timing

Conference · Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · November 11, 2009
A range of attacks on network components, such as algorithmic denial-of-service attacks and cryptanalysis via timing attacks, are enabled by data structures for which an adversary can predict the durations of operations that he will induce on the data stru ...
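
The algorithmic denial-of-service case in the entry above is easiest to see on a chained hash table. The following is an added example, not code from the paper: a table whose bucket function is public and deterministic lets the adversary precompute a set of keys that all land in one bucket, so the cost of every later lookup against that bucket is predictable and linear in the number of keys inserted; a keyed bucket function (here BLAKE2b with a secret key) removes the adversary's ability to predict where keys land. The 31-multiplier hash, the bucket count, the secret and the attacker's search are all constructions for this example; the keyed construction is one standard mitigation, not the one the paper proposes.

```python
"""Predictable vs. keyed bucket selection in a chained hash table, from the
adversary's point of view: how long is the longest chain they can force?"""
import hashlib

BUCKETS = 64                                   # assumed table size
SECRET = b"constructed-per-process-secret"     # in production: os.urandom(16) at startup


def weak_hash(key: str) -> int:
    """Public, deterministic polynomial hash. Anyone can evaluate it offline,
    so the bucket of every key, and hence lookup cost, is predictable."""
    h = 0
    for byte in key.encode():
        h = (h * 31 + byte) & 0xFFFFFFFF
    return h % BUCKETS


def keyed_hash(key: str, secret: bytes = SECRET) -> int:
    """Keyed hash: bucket choice depends on a secret the adversary does not hold,
    so a collision set precomputed offline does not carry over."""
    digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
    return int.from_bytes(digest, "big") % BUCKETS


def chain_lengths(keys, hash_fn):
    """Number of entries per bucket after inserting `keys`."""
    lengths = [0] * BUCKETS
    for k in keys:
        lengths[hash_fn(k)] += 1
    return lengths


def worst_case_probe_cost(keys, hash_fn):
    """Comparisons needed to look up a key that maps to the fullest bucket."""
    return max(chain_lengths(keys, hash_fn))


def colliding_keys(count, hash_fn, target=0, limit=1_000_000):
    """Adversary precomputation: enumerate candidate strings until `count` of
    them hash to bucket `target`. Only works because hash_fn is public."""
    found = []
    for i in range(limit):
        candidate = f"k{i}"
        if hash_fn(candidate) == target:
            found.append(candidate)
            if len(found) == count:
                return found
    raise RuntimeError("no collision set found within limit")


if __name__ == "__main__":
    attack = colliding_keys(200, weak_hash)
    print("weak hash, attacker keys: longest chain =", worst_case_probe_cost(attack, weak_hash))
    print("keyed hash, same keys:    longest chain =", worst_case_probe_cost(attack, keyed_hash))
```

Keying the hash only helps while the key stays secret and is chosen per process (CPython's own `hash()` for `str` is seeded per process for exactly this reason); it does not remove the timing side channel itself, which is the broader problem the entry above addresses.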

Browser fingerprinting from coarse traffic summaries: Techniques and implications

Conference · Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · November 9, 2009
We demonstrate that the browser implementation used at a host can be passively identified with significant precision and recall, using only coarse summaries of web traffic to and from that host. Our techniques utilize connection records containing only the ...

The challenges of effectively anonymizing network data

Conference · Proceedings - Cybersecurity Applications and Technology Conference for Homeland Security, CATCH 2009 · June 8, 2009

Seeing-Is-Believing: Using camera phones for human-verifiable authentication

Journal Article · International Journal of Security and Networks · January 1, 2009
Current mechanisms for authenticating communication between devices that share no prior context are inconvenient for ordinary users, without the assistance of a trusted authority. We present and analyse Seeing-Is-Believing (SiB), a system that utilises 2D ...

Beyond output voting: Detecting compromised replicas using HMM-based behavioral distance

Journal Article · IEEE Transactions on Dependable and Secure Computing · January 1, 2009
Many host-based anomaly detection techniques have been proposed to detect code-injection attacks on servers. The vast majority, however, are susceptible to "mimicry attacks" in which the injected code masquerades as the original server software, including r ...

Safe Passage for Passwords and Other Sensitive Data

Conference · Proceedings of the Symposium on Network and Distributed System Security, NDSS 2009 · January 1, 2009
The prevalence of malware such as keyloggers and screen scrapers has made the prospect of providing sensitive information via web pages disconcerting for security-conscious users. We present Bumpy, a system to exclude the legacy operating system and applic ...

A user study of policy creation in a flexible access-control system

Conference · Conference on Human Factors in Computing Systems - Proceedings · December 22, 2008
Significant effort has been invested in developing expressive and flexible access-control languages and systems. However, little has been done to evaluate these systems in practical situations with real users, and few attempts have been made to discover an ...

Expandable grids for visualizing and authoring computer security policies

Conference · Conference on Human Factors in Computing Systems - Proceedings · December 22, 2008
We introduce the Expandable Grid, a novel interaction technique for creating, editing, and viewing many types of security policies. Security policies, such as file permissions policies, have traditionally been displayed and edited in user interfaces based ...

Detecting and resolving policy misconfigurations in Access-control systems

Conference · Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT · December 15, 2008
Access-control policy misconfigurations that cause requests to be erroneously denied can result in wasted time, user frustration and, in the context of particular applications (e.g., health care), very severe consequences. In this paper we apply associatio ...

Towards practical biometric key generation with randomized biometric templates

Conference · Proceedings of the ACM Conference on Computer and Communications Security · December 1, 2008
Although biometrics have garnered significant interest as a source of entropy for cryptographic key generation, recent studies indicate that many biometric modalities may not actually offer enough uncertainty for this purpose. In this paper, we exploit a n ...

Write markers for probabilistic quorum systems

Conference · Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · December 1, 2008
Probabilistic quorum systems can tolerate a larger fraction of faults than can traditional (strict) quorum systems, while guaranteeing consistency with an arbitrarily high probability for a system with enough replicas. However, the masking and opaque types ...

Fast and black-box exploit detection and signature generation for commodity software

Journal Article · ACM Transactions on Information and System Security · December 1, 2008
In biology, a vaccine is a weakened strain of a virus or bacterium that is intentionally injected into the body for the purpose of stimulating antibody production. Inspired by this idea, we propose a packet vaccine mechanism that randomizes address-like st ...

Quiver: Consistent object sharing for edge services

Journal Article · IEEE Transactions on Parallel and Distributed Systems · December 1, 2008
We present Quiver, a system that coordinates service proxies placed at the "edge" of the Internet to serve distributed clients accessing a service involving mutable objects. Quiver enables these proxies to perform consistent accesses to shared objects by m ...

Flicker: An execution infrastructure for tcb minimization

Conference · EuroSys'08 - Proceedings of the EuroSys 2008 Conference · December 1, 2008
We present Flicker, an infrastructure for executing security-sensitive code in complete isolation while trusting as few as 250 lines of additional code. Flicker can also provide meaningful, fine-grained attestation of the code executed (as well as its inpu ...

On the limits of payload-oblivious network attack detection

Conference · Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · November 27, 2008
We introduce a methodology for evaluating network intrusion detection systems using an observable attack space, which is a parameterized representation of a type of attack that can be observed in a particular type of log data. Using the observable attack s ...

AGIS: Towards automatic generation of infection signatures

Conference · Proceedings of the International Conference on Dependable Systems and Networks · October 13, 2008
An important yet largely uncharted problem in malware defense is how to automate generation of infection signatures for detecting compromised systems, i.e., signatures that characterize the behavior of malware residing on a system. To this end, we develop ...

Self-optimizing distributed trees

Conference · IPDPS Miami 2008 - Proceedings of the 22nd IEEE International Parallel and Distributed Processing Symposium, Program and CD-ROM · September 10, 2008
We present a novel protocol for restructuring a tree-based overlay network in response to the workload of the application running over it. Through low-cost restructuring operations, our protocol incrementally adapts the tree so as to bring nodes that tend ...

Traffic aggregation for malware detection

Conference · Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · August 27, 2008
Stealthy malware, such as botnets and spyware, is hard to detect because its activities are subtle and do not disrupt the network, in contrast to DoS attacks and aggressive worms. Stealthy malware, however, does communicate to exfiltrate data to the att ...

A multi-layer framework for puzzle-based denial-of-service defense

Journal Article · International Journal of Information Security · August 1, 2008
Client puzzles have been advocated as a promising countermeasure to denial-of-service (DoS) attacks in recent years. However, how to operationalize this idea in network protocol stacks still has not been sufficiently studied. In this paper, we describe our ...

How low can you go?: Recommendations for hardware-supported minimal TCB code execution

Conference · Operating Systems Review (ACM) · April 30, 2008
We explore the extent to which newly available CPU-based security technology can reduce the Trusted Computing Base (TCB) for security-sensitive applications. We find that although this new technology represents a step in the right direction, significant pe ...

Flicker: An execution infrastructure for TCB minimization

Conference · Operating Systems Review (ACM) · April 25, 2008
We present Flicker, an infrastructure for executing security-sensitive code in complete isolation while trusting as few as 250 lines of additional code. Flicker can also provide meaningful, fine-grained attestation of the code executed (as well as its inpu ...

CSAMP: A system for network-wide flow monitoring

Conference · 5th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2008 · January 1, 2008
Critical network management applications increasingly demand fine-grained flow level measurements. However, current flow monitoring solutions are inadequate for many of these applications. In this paper, we present the design, implementation, and evaluatio ...

The practical subtleties of biometric key generation

Conference · Proceedings of the 17th USENIX Security Symposium · January 1, 2008
The inability of humans to generate and remember strong secrets makes it difficult for people to manage cryptographic keys. To address this problem, numerous proposals have been suggested to enable a human to repeatably generate a cryptographic key from he ...

BinHunt: Automatically finding semantic differences in binary programs

Conference · Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2008
We introduce BinHunt, a novel technique for finding semantic differences in binary programs. Semantic differences between two binary files contrast with syntactic differences in that semantic differences correspond to changes in the program functionality. ...

Taming the Devil: Techniques for Evaluating Anonymized Network Data

Conference · Proceedings of the Symposium on Network and Distributed System Security, NDSS 2008 · January 1, 2008
Anonymization plays a key role in enabling the public release of network datasets, and yet there are few, if any, techniques for evaluating the efficacy of network data anonymization techniques with respect to the privacy they afford. In fact, recent work ...

Lessons learned from the deployment of a smartphone-based access-control system

Conference · ACM International Conference Proceeding Series · December 14, 2007
Grey is a smartphone-based system by which a user can exercise her authority to gain access to rooms in our university building, and by which she can delegate that authority to other users. We present findings from a trial of Grey, with emphasis on how com ...

Verifying distributed erasure-coded data

Conference · Proceedings of the Annual ACM Symposium on Principles of Distributed Computing · December 14, 2007
Erasure coding can reduce the space and bandwidth overheads of redundancy in fault-tolerant data storage and delivery systems. But it introduces the fundamental difficulty of ensuring that all erasure-coded fragments correspond to the same block of data. ...

Low-overhead byzantine fault-tolerant storage

Conference · SOSP'07 - Proceedings of 21st ACM SIGOPS Symposium on Operating Systems Principles · December 1, 2007
This paper presents an erasure-coded Byzantine fault-tolerant block storage protocol that is nearly as efficient as protocols that tolerate only crashes. Previous Byzantine fault-tolerant block storage protocols have either relied upon replication, which i ...

Low-overhead byzantine fault-tolerant storage

Conference · Operating Systems Review (ACM) · December 1, 2007
This paper presents an erasure-coded Byzantine fault-tolerant block storage protocol that is nearly as efficient as protocols that tolerate only crashes. Previous Byzantine fault-tolerant block storage protocols have either relied upon replication, which i ...

User-controllable security and privacy for pervasive computing

Conference · Proceedings - 8th IEEE Workshop on Mobile Computing Systems and Applications, HOTMOBILE 2007 · December 1, 2007
We describe our current work in developing novel mechanisms for managing security and privacy in pervasive computing environments. More specifically, we have developed and evaluated three different applications, including a contextual instant messenger, a ...

Minimizing response time for quorum-system protocols over wide-area networks

Conference · Proceedings of the International Conference on Dependable Systems and Networks · November 16, 2007
A quorum system is a collection of sets (quorums) of servers, where any two quorums intersect. Quorum-based protocols underlie modern edge-computing architectures and throughput-scalable service implementations. In this paper we propose new algorithms for p ...

Minimal TCB code execution

Conference · Proceedings - IEEE Symposium on Security and Privacy · September 25, 2007
We propose an architecture that allows code to execute in complete isolation from other software while trusting only a tiny software base that is orders of magnitude smaller than even minimalist virtual machine monitors. Our technique also enables more mea ...

Hit-list worm detection and bot identification in large networks using protocol graphs

Conference · Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2007
We present a novel method for detecting hit-list worms using protocol graphs. In a protocol graph, a vertex represents a single IP address, and an edge represents communications between those addresses using a specific protocol (e.g., HTTP). We show that t ...
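
The protocol-graph definition in the entry above is concrete enough to build from flow records. The following is an added example, not the paper's code: it assembles one graph per protocol from constructed flow records, reports the two obvious summary statistics (number of vertices and size of the largest connected component) for a baseline window and for a window in which one host contacts a precomputed list of targets, and applies an alarm rule of its own (largest component growing past a multiple of the baseline). The flow records, the addresses and the alarm factor are constructed; the abstract is cut off before stating which statistic the paper actually uses.

```python
"""Protocol graphs from flow records: vertices are IP addresses, edges are
observed communication over one protocol. Summary statistics per window."""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src dst proto")


def protocol_graph(flows, proto):
    """Undirected adjacency for the given protocol only."""
    adj = defaultdict(set)
    for f in flows:
        if f.proto != proto:
            continue
        adj[f.src].add(f.dst)
        adj[f.dst].add(f.src)
    return adj


def largest_component(adj):
    """Size of the largest connected component (iterative DFS)."""
    seen, best = set(), 0
    for start in adj:
        if start in seen:
            continue
        stack, size = [start], 1
        seen.add(start)
        while stack:
            v = stack.pop()
            for w in adj[v]:
                if w not in seen:
                    seen.add(w)
                    size += 1
                    stack.append(w)
        best = max(best, size)
    return best


def graph_stats(flows, proto):
    """(number of vertices, size of largest component) for one protocol graph."""
    adj = protocol_graph(flows, proto)
    return len(adj), largest_component(adj)


def exceeds_baseline(stats, baseline, factor=2.0):
    """Assumed alarm rule for this example: flag a window whose largest
    component is more than `factor` times the baseline window's."""
    return stats[1] > factor * baseline[1]


# Constructed flow records: two normal HTTP client/server clusters plus one SSH flow.
BASELINE = [
    Flow("10.0.0.1", "192.0.2.10", "http"), Flow("10.0.0.1", "192.0.2.11", "http"),
    Flow("10.0.0.2", "192.0.2.10", "http"), Flow("10.0.0.3", "192.0.2.11", "http"),
    Flow("10.0.1.1", "198.51.100.5", "http"), Flow("10.0.1.2", "198.51.100.5", "http"),
    Flow("10.0.0.1", "192.0.2.22", "ssh"),
]
# Constructed hit-list window: one host contacts a precomputed target list spanning
# both clusters plus eight addresses never seen before, bridging the clusters.
HITLIST = [Flow("203.0.113.7", dst, "http")
           for dst in ["192.0.2.10", "198.51.100.5"] + [f"10.9.0.{i}" for i in range(1, 9)]]

if __name__ == "__main__":
    base = graph_stats(BASELINE, "http")
    window = graph_stats(BASELINE + HITLIST, "http")
    print("baseline (vertices, largest component):", base)
    print("hit-list window:", window, "alarm:", exceeds_baseline(window, base))
```

Because a hit-list worm contacts known-live targets rather than scanning dead space, per-host failure-rate detectors see nothing unusual; the graph view catches it because one source stitches previously disconnected clusters together in a single window.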

Efficient proving for practical distributed access-control systems

Conference · Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2007
We present a new technique for generating a formal proof that an access request satisfies access-control policy, for use in logic-based access-control frameworks. Our approach is tailored to settings where credentials needed to complete a proof might need ...

Probabilistic opaque quorum systems

Conference · Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2007
Byzantine-fault-tolerant service protocols like Q/U and FaB Paxos that optimistically order requests can provide increased efficiency and fault scalability. However, these protocols require n ≥ 5b + 1 servers (where b is the maximum number of faults tolera ...

Trustworthy services and the biological analogy

Conference · Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2007
Biological systems survive through a combination of redundancy, diversity and modularity. It has been argued that these principles can also be applied to construct information services that survive a variety of hostile attacks, including even the compromis ...

Towards bounded wait-free PASIS

Conference · Dagstuhl Seminar Proceedings · January 1, 2007

Consumable Credentials in Logic-Based Access-Control Systems

Conference · Proceedings of the Symposium on Network and Distributed System Security, NDSS 2007 · January 1, 2007
We present a method to implement consumable credentials in a logic-based distributed authorization system. Such credentials convey use-limited authority (e.g., to open a door once) or authority to utilize resources that are themselves limited (e.g., concer ...

Playing Devil’s Advocate: Inferring Sensitive Information from Anonymized Network Traces

Conference · Proceedings of the Symposium on Network and Distributed System Security, NDSS 2007 · January 1, 2007
Encouraging the release of network data is central to promoting sound network research practices, though the publication of this data can leak sensitive information about the publishing organization. To address this dilemma, several techniques have been su ...

On web browsing privacy in anonymized netflows

Conference · 16th USENIX Security Symposium · January 1, 2007
Anonymization of network traces is widely viewed as a necessary condition for releasing such data for research purposes. For obvious privacy reasons, an important goal of trace anonymization is to suppress the recovery of web browsing activities. While sev ...

Integrity checking in cryptographic file systems with constant trusted storage

Conference · 16th USENIX Security Symposium · January 1, 2007
In this paper we propose two new constructions for protecting the integrity of files in cryptographic file systems. Our constructions are designed to exploit two characteristics of many file-system workloads, namely low entropy of file contents and high se ...

A multi-resolution approach for worm detection and containment

Conference · Proceedings of the International Conference on Dependable Systems and Networks · December 22, 2006
Despite the proliferation of detection and containment techniques in the worm-defense literature, simple threshold-based methods remain the most widely deployed and most popular approach among practitioners. This popularity arises out of the simplistic ap ...

Packet vaccine: Black-box exploit detection and signature generation

Conference · Proceedings of the ACM Conference on Computer and Communications Security · December 1, 2006
In biology, a vaccine is a weakened strain of a virus or bacterium that is intentionally injected into the body for the purpose of stimulating antibody production. Inspired by this idea, we propose a packet vaccine mechanism that randomizes address-like stri ...

WRAPS: Denial-of-service defense through web referrals

Conference · Proceedings of the IEEE Symposium on Reliable Distributed Systems · December 1, 2006
The web is a complicated graph, with millions of websites interlinked together. In this paper, we propose to use this web site-graph structure to mitigate flooding attacks on a website, using a new web referral architecture for privileged service ("WRAPS"). ...

Protecting privacy in key-value search systems

Conference · Proceedings - Annual Computer Security Applications Conference, ACSAC · December 1, 2006
This paper investigates the general problem of efficiently performing key-value search at untrusted servers without loss of user privacy. Given key-value pairs from multiple owners that are stored across untrusted servers, how can a client efficiently sear ...

M2: Multicasting mixes for efficient and anonymous communication

Conference · Proceedings - International Conference on Distributed Computing Systems · December 1, 2006
We present a technique to achieve anonymous multicasting in mix networks to deliver content from producers to consumers. Employing multicast allows content producers to send (and mixes to forward) information to multiple consumers without repeating work fo ...

Forensic analysis for epidemic attacks in federated networks

Conference · Proceedings - International Conference on Network Protocols, ICNP · December 1, 2006
We present the design of a Network Forensic Alliance (NFA), to allow multiple administrative domains (ADs) to jointly locate the origin of epidemic spreading attacks. ADs in the NFA collaborate in a distributed protocol for post-mortem analysis of worm-lik ...

Quorum placement in networks: Minimizing network congestion

Conference · Proceedings of the Annual ACM Symposium on Principles of Distributed Computing · September 21, 2006
A quorum system over a universe of logical elements is a collection of subsets (quorums) of elements, any two of which intersect. In numerous distributed algorithms, the elements of the universe reside on the nodes of a physical network and the participati ...

GENI design principles

Journal Article · Computer · September 1, 2006
GENI, a major planned initiative of the US National Science Foundation to build an experimental facility for evaluating new network architectures, can lead to a future Internet that is more secure, available, manageable, and efficient. ...

Finding peer-to-peer file-sharing using coarse network behaviors

Conference · Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2006
A user who wants to use a service forbidden by their site's usage policy can masquerade their packets in order to evade detection. One masquerade technique sends prohibited traffic on TCP ports commonly used by permitted services, such as port 80. Users wh ...

A linear logic of authorization and knowledge

Conference · Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2006
We propose a logic for specifying security policies at a very high level of abstraction. The logic accommodates the subjective nature of affirmations for authorization and knowledge without compromising the objective nature of logical inference. In order t ...

Censorship resistance revisited

Conference · Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2006
"Censorship resistant" systems attempt to prevent censors from imposing a particular distribution of content across a system. In this paper, we introduce a variation of censorship resistance (CR) that is resistant to selective filtering even by a censor wh ...

Behavioral distance measurement using Hidden Markov Models

Conference · Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2006
The behavioral distance between two processes is a measure of the deviation of their behaviors. Behavioral distance has been proposed for detecting the compromise of a process, by computing its behavioral distance from another process executed on the same ...

On consistency of encrypted files

Conference · Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2006
In this paper we address the problem of consistency for cryptographic file systems. A cryptographic file system protects the users' data from the file server, which is possibly untrusted and might exhibit Byzantine behavior, by encrypting the data before s ...

Behavioral distance for intrusion detection

Conference · Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2006
We introduce a notion, behavioral distance, for evaluating the extent to which processes - potentially running different programs and executing on different platforms - behave similarly in response to a common input. We explore behavioral distance as a mea ...

Bump in the Ether: A framework for securing sensitive user input

Conference · USENIX 2006 Annual Technical Conference · January 1, 2006
We present Bump in the Ether (BitE), an approach for preventing user-space malware from accessing sensitive user input and providing the user with additional confidence that her input is being delivered to the expected application. Rather than preventing m ...

Fault-scalable Byzantine fault-tolerant services

Conference · Proceedings of the 20th ACM Symposium on Operating Systems Principles, SOSP 2005 · December 1, 2005
A fault-scalable service can be configured to tolerate increasing numbers of faults without significant decreases in performance. The Query/Update (Q/U) protocol is a new tool that enables construction of fault-scalable Byzantine fault-tolerant services. T ...

Fault-scalable Byzantine fault-tolerant services

Journal Article · Operating Systems Review (ACM) · December 1, 2005
A fault-scalable service can be configured to tolerate increasing numbers of faults without significant decreases in performance. The Query/Update (Q/U) protocol is a new tool that enables construction of fault-scalable Byzantine fault-tolerant services. T ...

Lazy verification in fault-tolerant distributed storage systems

Conference · Proceedings of the IEEE Symposium on Reliable Distributed Systems · December 1, 2005
Verification of write operations is a crucial component of Byzantine fault-tolerant consistency protocols for storage. Lazy verification shifts this work out of the critical path of client operations. This shift enables the system to amortize verification ...

Message from the program chairs

Conference · Proceedings of the ACM Conference on Electronic Commerce · December 1, 2005

Distributed construction of a fault-tolerant network from a tree

Conference · Proceedings of the IEEE Symposium on Reliable Distributed Systems · December 1, 2005
We present an algorithm by which nodes arranged in a tree, with each node initially knowing only its parent and children, can construct a fault-tolerant communication structure (an expander graph) among themselves in a distributed and scalable way. The tre ...

Seeing-is-believing: Using camera phones for human-verifiable authentication

Conference · Proceedings - IEEE Symposium on Security and Privacy · November 10, 2005
Current mechanisms for authenticating communication between devices that share no prior context are inconvenient for ordinary users, without the assistance of a trusted authority. We present and analyze Seeing-Is-Believing, a system that utilizes 2D barcod ...

Detection of denial-of-message attacks on sensor network broadcasts

Conference · Proceedings - IEEE Symposium on Security and Privacy · November 10, 2005
So far, sensor network broadcast protocols assume a trustworthy environment. However, in safety- and mission-critical sensor networks this assumption may not be valid and some sensor nodes might be adversarial. In these environments, malicious sensor nodes c ...

Distributed proving in access-control systems

Conference · Proceedings - IEEE Symposium on Security and Privacy · November 10, 2005
We present a distributed algorithm for assembling a proof that a request satisfies an access-control policy expressed in a formal logic, in the tradition of Lampson et al. [16]. We show analytically that our distributed proof-generation algorithm succeeds ...

Worm origin identification using random moonwalks

Conference · Proceedings - IEEE Symposium on Security and Privacy · November 10, 2005
We propose a novel technique that can determine both the host responsible for originating a propagating worm attack and the set of attack flows that make up the initial stages of the attack tree via which the worm infected successive generations of victims ...

Building reliable mix networks with fair exchange

Conference · Lecture Notes in Computer Science · January 1, 2005
In this paper we present techniques by which each mix in a mix network can be paid for its services by message senders, in a way that ensures fairness and without sacrificing anonymity. We describe a payment mechanism for use in mix networks, and use this ...

Security by, and for, converged mobile devices

Conference · Lecture Notes in Computer Science · January 1, 2005
Inheriting the vast mobile phone market, converged mobile devices ("smartphones") are poised to become the first ubiquitous personal computing platform. In this talk we detail our vision of the smart-phone as a universal access control device - replacing p ...

Device-enabled authorization in the grey system

Conference Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2005 We describe the design of Grey, a set of software extensions that convert an off-the-shelf smartphone-class device into a tool by which its owner exercises and delegates her authority to both physical and virtual resources. We focus on the software compone ... Full text Cite

Space-Efficient Block Storage Integrity

Conference Proceedings of the Symposium on Network and Distributed System Security, NDSS 2005 · January 1, 2005 We present new methods to provide block-level integrity in encrypted storage systems, i.e., so that a client will detect the modification of data blocks by an untrusted storage server. We present cryptographic definitions for this setting, and develop solu ... Cite

Quorum placement in networks to minimize access delays

Conference Proceedings of the Annual ACM Symposium on Principles of Distributed Computing · January 1, 2005 A quorum system is a family of sets (themselves called quorums), each pair of which intersect. In many distributed algorithms, the basic unit accessed by a client is a quorum of nodes. Such algorithms are used for applications such as mutual exclusion, dat ... Full text Cite

Nested objects in a Byzantine quorum-replicated system

Conference Proceedings of the IEEE Symposium on Reliable Distributed Systems · December 1, 2004 Modern distributed, object-based systems support nested method invocations, whereby one object can invoke methods on another. In this paper we present a framework that supports nested method invocations among Byzantine fault-tolerant, replicated objects th ... Full text Cite

Homeland security

Journal Article IEEE Internet Computing · November 1, 2004 Full text Cite

An empirical analysis of target-resident DoS filters

Conference Proceedings - IEEE Symposium on Security and Privacy · August 16, 2004 Numerous techniques have been proposed by which an end-system, subjected to a denial-of-service flood, filters the offending traffic. In this paper, we provide an empirical analysis of several such proposals, using traffic recorded at the border of a large ... Full text Cite

Time-scoped searching of encrypted audit logs

Journal Article Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2004 In this paper we explore restricted delegation of searches on encrypted audit logs. We show how to limit the exposure of private information stored in the log during such a search and provide a technique to delegate searches on the log to an investigator. ... Full text Cite

Fragile mixing

Conference Proceedings of the ACM Conference on Computer and Communications Security · January 1, 2004 No matter how well designed and engineered, a mix server offers little protection if its administrator can be convinced to log and selectively disclose correspondences between its input and output messages, either for profit or to cooperate with an investi ... Full text Cite

Private keyword-based push and pull with applications to anonymous communication extended abstract

Journal Article Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2004 We propose a new keyword-based Private Information Retrieval (PIR) model that allows private modification of the database from which information is requested. In our model, the database is distributed over n servers, any one of which can act as a transpare ... Full text Cite

Seurat: A pointillist approach to anomaly detection

Journal Article Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2004 This paper proposes a new approach to detecting aggregated anomalous events by correlating host file system changes across space and time. Our approach is based on a key observation that many host state transitions of interest have both temporal and spatia ... Full text Cite

Alternatives to non-malleability: Definitions, constructions, and applications (extended abstract)

Journal Article Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2004 We explore whether non-malleability is necessary for the applications typically used to motivate it, and propose two alternatives. The first we call weak non-malleability (wnm) and show that it suffices to achieve secure contract bidding (the application f ... Full text Cite

Timing attacks in low-latency mix systems (Extended Abstract)

Journal Article Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2004 A mix is a communication proxy that attempts to hide the correspondence between its incoming and outgoing messages. Timing attacks are a significant challenge for mix-based systems that wish to support interactive, low-latency applications. However, the po ... Full text Cite

Efficient Byzantine-tolerant erasure-coded storage

Conference Proceedings of the International Conference on Dependable Systems and Networks · January 1, 2004 This paper describes a decentralized consistency protocol for survivable storage that exploits local data versioning within each storage-node. Such versioning enables the protocol to efficiently provide linearizability and wait-freedom of read and write op ... Full text Cite

Mitigating bandwidth-exhaustion attacks using congestion puzzles

Conference Proceedings of the ACM Conference on Computer and Communications Security · January 1, 2004 We present congestion puzzles (CP), a new countermeasure to bandwidth-exhaustion attacks. Like other defenses based on client puzzles, CP attempts to force attackers to invest vast resources in order to effectively perform denial-of-service attacks. Unlike ... Full text Cite

On user choice in graphical password schemes

Conference Proceedings of the 13th USENIX Security Symposium · January 1, 2004 Graphical password schemes have been proposed as an alternative to text passwords in applications that support graphics and mouse or stylus entry. In this paper we detail what is, to our knowledge, the largest published empirical evaluation of the effects ... Cite

On gray-box program tracking for anomaly detection

Conference Proceedings of the 13th USENIX Security Symposium · January 1, 2004 Many host-based anomaly detection systems monitor a process ostensibly running a known program by observing the system calls the process makes. Numerous improvements to the precision of this approach have been proposed, such as tracking system call sequenc ... Cite

Delegation of cryptographic servers for capture-resilient devices

Journal Article Distributed Computing · December 1, 2003 A device that performs private key operations (signatures or decryptions), and whose private key operations are protected by a password, can be immunized against offline dictionary attacks in case of capture by forcing the device to confirm a password gues ... Full text Cite

The design and implementation of a JCA-compliant capture protection infrastructure

Conference Proceedings of the IEEE Symposium on Reliable Distributed Systems · December 1, 2003 A capture protection server protects a cryptographic key on a device that may be captured by authenticating the user of the device (e.g., by password) before permitting the key to be used. Delegation from one capture protection server to another enables th ... Full text Cite

Defending against denial-of-service attacks with puzzle auctions

Conference Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy · July 25, 2003 Although client puzzles represent a promising approach to defend against certain classes of denial-of-service attacks, several questions stand in the way of their deployment in practice: e.g., how to set the puzzle difficulty in the presence of an adversar ... Cite

Diffusion without false rumors: On propagating updates in a Byzantine environment

Journal Article Theoretical Computer Science · April 18, 2003 We study how to efficiently diffuse updates to a large distributed system of data replicas, some of which may exhibit arbitrary (Byzantine) failures. We assume that strictly fewer than t replicas fail, and that each update is initially received by at least ... Full text Cite

Objects shared by Byzantine processes

Journal Article Distributed Computing · February 1, 2003 Work to date on algorithms for message-passing systems has explored a wide variety of types of faults, but corresponding work on shared memory systems has usually assumed that only crash faults are possible. In this work, we explore situations in which pro ... Full text Cite

Automatic generation of two-party computations

Conference Proceedings of the ACM Conference on Computer and Communications Security · January 1, 2003 We present the design and implementation of a compiler that automatically generates protocols that perform two-party computations. The input to our protocol is the specification of a computation with secret inputs (e.g., a signature algorithm) expressed us ... Full text Cite

Defending against denial-of-service attacks with puzzle auctions

Conference Proceedings - IEEE Symposium on Security and Privacy · January 1, 2003 Although client puzzles represent a promising approach to defend against certain classes of denial-of-service attacks, several questions stand in the way of their deployment in practice: e.g., how to set the puzzle difficulty in the presence of an adversar ... Full text Cite

Advanced concurrency control in Java

Journal Article Concurrency and Computation: Practice and Experience · April 10, 2002 Developing concurrent applications is not a trivial task. As programs grow larger and become more complex, advanced concurrency control mechanisms are needed to ensure that application consistency is not compromised. Managing mutual exclusion on a per-obje ... Full text Cite

Toward speech-generated cryptographic keys on resource constrained devices

Conference Proceedings of the 11th USENIX Security Symposium · January 1, 2002 Programmable mobile phones and personal digital assistants (PDAS) with microphones permit voice-driven user interfaces in which a user provides input by speaking. In this paper, we show how to exploit this capability to generate cryptographic keys on such ... Cite

Discouraging software piracy using software aging

Conference Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2002 Most people consider frequent software updates a nuisance. However, we show how this common phenomenon can be turned into a feature that protects against software piracy. We define a protocol for "drop-in" upgrades of software that renders a large class of ... Full text Cite

Probabilistic quorum systems

Journal Article Information and Computation · November 1, 2001 We initiate the study of probabilistic quorum systems, a technique for providing consistency of replicated data with high levels of assurance despite the failure of data servers. We show that this technique offers effective load reduction on servers and hi ... Full text Cite

Fault detection for Byzantine quorum systems

Journal Article IEEE Transactions on Parallel and Distributed Systems · September 1, 2001 In this paper, we explore techniques to detect Byzantine server failures in asynchronous replicated data services. Our goal is to detect arbitrary failures of data servers in a system where each client accesses the replicated data at only a subset (quorum) ... Full text Cite

Two-party generation of DSA signatures

Conference Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) · January 1, 2001 We describe a means of sharing the DSA signature function, so that two parties can efficiently generate a DSA signature with respect to a given public key but neither can alone. We focus on a certain instantiation that allows a proof of security for concur ... Full text Cite

Selective private function evaluation with applications to private statistics

Conference Proceedings of the Annual ACM Symposium on Principles of Distributed Computing · January 1, 2001 Motivated by the application of private statistical analysis of large databases, we consider the problem of selective private function evaluation (SPFE). In this problem, a client interacts with one or more servers holding copies of a database x = x1,..., ... Full text Cite

On k-set consensus problems in asynchronous systems

Journal Article IEEE Transactions on Parallel and Distributed Systems · January 1, 2001 In this paper, we investigate the k-set consensus problem in asynchronous distributed systems. In this problem, each participating process begins the protocol with an input value and by the end of the protocol must decide on one value so that at most k tot ... Full text Cite

Delegation of cryptographic servers for capture-resilient devices

Conference Proceedings of the ACM Conference on Computer and Communications Security · January 1, 2001 A device that performs private key operations (signatures or decryptions), and whose private key operations are protected by a password, can be immunized against offline dictionary attacks in case of capture by forcing the device to confirm a password gues ... Full text Cite

Networked cryptographic devices resilient to capture

Conference Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy · January 1, 2001 We present a simple technique by which a device that performs private key operations (signatures or decryptions) in networked applications, and whose local private key is activated with a password or PIN, can be immunized to offline dictionary attacks in c ... Cite

Backoff protocols for distributed mutual exclusion and ordering

Conference Proceedings - International Conference on Distributed Computing Systems · January 1, 2001 We present a simple and efficient protocol for mutual exclusion in synchronous, message-passing distributed systems subject to failures. Our protocol borrows design principles from prior work in backoff protocols for multiple access channels such as Ethern ... Cite

Cryptographic key generation from voice

Conference Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy · January 1, 2001 We propose a technique to reliably generate a cryptographic key from a user's voice while speaking a password. The key resists cryptanalysis even against an attacker who captures all system information related to generating or verifying the cryptographic k ... Cite

Using voice to generate cryptographic keys

Conference 2001: A Speaker Odyssey - The Speaker Recognition Workshop · January 1, 2001 In this position paper, we motivate and summarize our work on repeatably generating cryptographic keys from spoken user input. The goal of this work is to enable a device to generate a key (e.g., for encrypting files) upon its user speaking a chosen passwo ... Cite

An Authorization Model for a Public Key Management Service

Journal Article ACM Transactions on Information and System Security · January 1, 2001 Public key management has received considerable attention from both the research and commercial communities as a useful primitive for secure electronic commerce and secure communication. While the mechanics of certifying and revoking public keys and escrow ... Full text Cite

Dynamic byzantine quorum systems

Conference Proceedings of the 2002 International Conference on Dependable Systems and Networks · December 1, 2000 Byzantine quorum systems [13] enhance the availability and efficiency of fault-tolerant replicated services when servers may suffer Byzantine failures. An important limitation of Byzantine quorum systems is their dependence on a static threshold limit on t ... Full text Cite

An architecture for survivable coordination in large distributed systems

Journal Article IEEE Transactions on Knowledge and Data Engineering · December 1, 2000 Coordination among processes in a distributed system can be rendered very complex in a large-scale system where messages may be delayed or lost and when processes may participate only transiently or behave arbitrarily, e.g., after suffering a security brea ... Full text Cite

Which PKI (Public Key Infrastructure) is the right one?

Conference Proceedings of the ACM Conference on Computer and Communications Security · December 1, 2000 Experts are urged to deliberate over what method to use and whether a Public Key Infrastructure (PKI) is needed when building an expensive infrastructure. Although X500/509 is one of the first PKI proposed, others are suggested. Some of the alternative struc ... Cite

Privacy-preserving global customization

Conference EC 2000 - Proceedings of the 2nd ACM Conference on Electronic Commerce · October 17, 2000 We present an architecture for global customization of web content, by which a web site can customize content for each visitor based on the activities undertaken by the same user on other, unrelated sites. Our architecture distinguishes itself in the pri ... Full text Cite

Load and availability of Byzantine quorum systems

Journal Article SIAM Journal on Computing · April 1, 2000 Replicated services accessed via quorums enable each access to be performed at only a subset (quorum) of the servers and achieve consistency across accesses by requiring any two quorums to intersect. Recently, b-masking quorum systems, whose intersections ... Full text Cite

On diffusing updates in a Byzantine environment

Conference Proceedings of the IEEE Symposium on Reliable Distributed Systems · December 1, 1999 We study how to efficiently diffuse updates to a large distributed system of data replicas, some of which may exhibit arbitrary (Byzantine) failures. We assume that strictly fewer than t replicas fail, and that each update is initially received by at least ... Cite

On Propagating Updates in a Byzantine Environment

Report · August 12, 1999 We study how to efficiently diffuse updates to a large distributed system of data replicas, some of which may exhibit arbitrary (Byzantine) failures. We assume that strictly fewer than $t$ replicas fail, and that each update is initially received by at lea ... Link to item Cite

On the security of pay-per-click and other Web advertising schemes

Journal Article Computer Networks · May 17, 1999 We present a hit inflation attack on pay-per-click Web advertising schemes. Our attack is virtually impossible for the program provider to detect conclusively, regardless of whether the provider is a third-party `ad network' or the target of the click itse ... Full text Cite

On k-set consensus problems in asynchronous systems

Journal Article Proceedings of the Annual ACM Symposium on Principles of Distributed Computing · January 1, 1999 In this paper we investigate the k-set consensus problem in asynchronous, message-passing distributed systems. In this problem, each participating process begins the protocol with an input value and by the end of the protocol must decide on one value so th ... Full text Cite

Anonymous web transactions with crowds

Journal Article Communications of the ACM · January 1, 1999 An innovative way to become an invisible user is simply to get lost in the crowd. After all, anonymity loves company. ... Full text Cite

Password hardening based on keystroke dynamics

Conference Proceedings of the ACM Conference on Computer and Communications Security · January 1, 1999 We present a novel approach to improving the security of passwords. In our approach, the legitimate user's typing patterns (e.g., durations of keystrokes, and latencies between keystrokes) are combined with the user's password to generate a hardened passwo ... Full text Cite

The design and analysis of graphical passwords

Conference 8th USENIX Security Symposium · January 1, 1999 In this paper we propose and evaluate new graphical password schemes that exploit features of graphical input displays to achieve better security than text-based passwords. Graphical input devices enable the user to decouple the position of inputs from ... Cite

Resilient authentication using path independence

Journal Article IEEE Transactions on Computers · December 1, 1998 Authentication using a path of trusted intermediaries, each able to authenticate the next in the path, is a well-known technique for authenticating channels in a large distributed system. In this paper, we explore the use of multiple paths to redundantly a ... Full text Cite

Survivable consensus objects

Conference Proceedings of the IEEE Symposium on Reliable Distributed Systems · December 1, 1998 Reaching consensus among multiple processes in a distributed system is fundamental to coordinating distributed actions. In this paper we present a new approach to building survivable consensus objects in a system consisting of a (possibly large) collection ... Cite

Secure and scalable replication in Phalanx

Conference Proceedings of the IEEE Symposium on Reliable Distributed Systems · December 1, 1998 Phalanx is a software system for building a persistent, survivable data repository that supports shared data abstractions (e.g., variables, mutual exclusion) for clients. Phalanx implements data abstractions that ensure useful properties without trusting t ... Cite

Secure execution of Java applets using a remote playground

Conference Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy · January 1, 1998 Mobile code presents a number of threats to machines that execute it. We introduce an approach for protecting machines and the resources they hold from mobile code, and describe a system based on our approach for protecting host machines from Java 1.1 appl ... Cite

Byzantine quorum systems

Journal Article Distributed Computing · January 1, 1998 Quorum systems are well-known tools for ensuring the consistency and availability of replicated data despite the benign failure of data repositories. In this paper we consider the arbitrary (Byzantine) failure of data repositories and present the first stu ... Full text Cite

Load and availability of Byzantine quorum systems

Conference Proceedings of the Annual ACM Symposium on Principles of Distributed Computing · January 1, 1997 Replicated services accessed via quorums enable each access to be performed at only a subset (quorum) of the servers, and achieve consistency across accesses by requiring any two quorums to intersect. Recently, b-masking quorum systems, whose intersections ... Full text Cite

Unreliable intrusion detection in distributed computations

Conference Proceedings of the Computer Security Foundations Workshop · January 1, 1997 Distributed coordination is difficult, especially when the system may suffer intrusions that corrupt some component processes. In this paper we introduce the abstraction of a failure detector that a process can use to (imperfectly) detect the corruption (B ... Cite

Path independence for authentication in large-scale systems

Conference Proceedings of the ACM Conference on Computer and Communications Security · January 1, 1997 Authenticating the source of a message in a large distributed system can be difficult due to the lack of a single authority that can tell for whom a channel speaks. This has led many to propose the use of a path of authorities, each able to authenticate th ... Full text Cite

Probabilistic quorum systems

Conference Proceedings of the Annual ACM Symposium on Principles of Distributed Computing · January 1, 1997 Services replicated using a quorum system allow operations to be performed at only a subset (quorum) of the servers, and ensure consistency among operations by requiring that any two quorums intersect. In this paper we explore the consequences of requiring ... Full text Cite

Fair exchange with a semi-trusted third party

Conference Proceedings of the ACM Conference on Computer and Communications Security · January 1, 1997 We present new protocols for two parties to exchange documents with fairness, i.e., such that no party can gain an advantage by quitting prematurely or otherwise misbehaving. We use a third party that is `semi-trusted', in the sense that it may misbehave o ... Cite

Byzantine quorum systems

Conference Conference Proceedings of the Annual ACM Symposium on Theory of Computing · January 1, 1997 Quorum systems are well-known tools for ensuring the consistency and availability of replicated data despite the benign failure of data repositories. In this paper we consider the arbitrary (Byzantine) failure of data repositories and present the first stu ... Full text Cite

High-throughput secure reliable multicast protocol

Journal Article Journal of Computer Security · January 1, 1997 A (secure) reliable multicast protocol enables a process to multicast a message to a group of processes in a way that ensures that all honest destination-group members receive the same message, even if some group members and the multicast initiator are mal ... Full text Cite

Toward acceptable metrics of authentication

Conference Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy · January 1, 1997 Authentication using a path of trusted intermediaries, each able to authenticate the next in the path, is a well-known technique for authenticating entities in a large-scale system. Recent work has extended this technique to include multiple paths in an ef ... Cite

A secure group membership protocol

Journal Article IEEE Transactions on Software Engineering · December 1, 1996 A group membership protocol enables processes in a distributed system to agree on a group of processes that are currently operational. Membership protocols are a core component of many distributed systems and have proved to be fundamental for maintaining ... Full text Cite

The design and implementation of a secure auction service

Journal Article IEEE Transactions on Software Engineering · December 1, 1996 We present the design and implementation of a distributed service for performing sealed-bid auctions. This service provides an interface by which clients, or "bidders," can issue secret bids to the service for an advertised auction. Once the bidding period ... Full text Cite

High-throughput secure reliable multicast protocol

Conference Proceedings of the Computer Security Foundations Workshop · January 1, 1996 A reliable multicast protocol enables a process to multicast a message to a group of processes in a way that ensures that all honest destination-group members receive the same message, even if some group members and the multicast initiator are maliciously ... Cite

Ω key management service

Journal Article Journal of Computer Security · January 1, 1996 In this paper we introduce Ω, a distributed public key management service for open networks. Ω offers interfaces by which clients can register, retrieve, and revoke public keys, and escrow, use (to decrypt messages), and recover private keys, all of which ... Full text Cite

Ω key management service

Conference Proceedings of the ACM Conference on Computer and Communications Security · January 1, 1996 In this paper we introduce Ω, a distributed public key management service for open networks. Ω offers interfaces by which clients can register, retrieve, and revoke public keys, and escrow, use (to decrypt messages), and recover private keys, all of which ... Full text Cite

Distributing Trust with the Rampart Toolkit

Journal Article Communications of the ACM · January 1, 1996 The Rampart group communication protocols are designed to distribute trust among a group of nodes in a distributed system - so while individual nodes need not be fully trusted, the group can be. ... Full text Cite

Design and implementation of a secure auction service

Conference Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy · January 1, 1995 We present the design and implementation of a distributed service for performing sealed-bid auctions. This service provides an interface by which clients, or 'bidders', can issue secret bids to the service for an advertised auction. Once the bidding period ... Cite

Issues and Mechanisms for Trustworthy Systems: Creating Transparent Mistrust

Journal Article AT&T Technical Journal · January 1, 1994 Traditionally, security in distributed systems is viewed as an “extra” that comes only at the expense of convenience, performance, or functionality. Security mechanisms are often provided only at the highest levels of abstraction, and are poorly integrated ... Full text Cite

Secure group membership protocol

Conference Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy · January 1, 1994 A group membership protocol enables processes in a distributed system to agree on a group of processes that are currently operational. Membership protocols are a core component of many distributed systems and have proved to be fundamental for maintaining a ... Cite

Preventing denial and forgery of causal relationships in distributed systems

Conference Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy · January 1, 1993 In a distributed system, it is often important to detect the causal relationships between events, where event e1 is causally before event e2 if e1 happened before e2 and could possibly have affected the occurrence of e2. In this paper we argue that detecti ... Cite

Integrating security in a group oriented distributed system

Conference Proceedings of the Symposium on Security and Privacy · April 1, 1992 A distributed security architecture is proposed for incorporation into group-oriented distributed systems, and in particular, into the Isis distributed programming toolkit. The primary goal of the architecture is to make common group-oriented abstractions ... Cite