Hayawardh Vijayakumar

[1] Hayawardh Vijayakumar and Xinyang Ge and Mathias Payer and Trent Jaeger, JIGSAW: Protecting Resource Access by Inferring Programmer Expectations, In Proceedings of the 23rd USENIX Security Symposium (USENIX Security 2014), [ bibtex | abstract | pdf ] [acceptance rate: 19.1% (67/350)]
[2] Hayawardh Vijayakumar and Xinyang Ge and Trent Jaeger, Policy Models to Protect Resource Retrieval, In Proceedings of the 19th ACM Symposium on Access Control Models (SACMAT 2014), [ bibtex | abstract | pdf ]
[3] Xinyang Ge and Hayawardh Vijayakumar and Trent Jaeger, SPROBES: Enforcing Kernel Code Integrity on the TrustZone Architecture, In Proceedings of the 3rd IEEE Mobile Security Technologies Workshop (MoST 2014), [ bibtex | abstract | pdf ]
[4] Joshua Schiffman and Yuqiong Sun and Hayawardh Vijayakumar and Trent Jaeger, Cloud Verifier: Verifiable Auditing Service for IaaS Clouds, In Proceedings of the IEEE 1st International Workshop on Cloud Security Auditing (CSA 2013), [ bibtex | abstract | pdf ]
[5] Hayawardh Vijayakumar and Joshua Schiffman and Trent Jaeger, Process Firewalls: Protecting Processes During Resource Access, In Proceedings of the 8th ACM European Conference on Computer Systems (EUROSYS 2013), [ bibtex | abstract | pdf ] [acceptance rate: 17.9% (28/156)]
[6] Trent Jaeger and Divya Muthukumaran and Joshua Schiffman and Yuqiong Sun and Nirupama Talele and Hayawardh Vijayakumar, Configuring Cloud Deployments for Integrity, In Proceedings of the Computer And Security Applications Rendezvous: Cloud and Security (CESAR 2012), [ bibtex | abstract | pdf ]
[7] Hayawardh Vijayakumar and Trent Jaeger, The Right Files at the Right Time, In Proceedings of the 5th IEEE Symposium on Configuration Analytics and Automation (SAFECONFIG 2012), [ bibtex | abstract | pdf ]
[8] Divya Muthukumaran and Sandra Rueda and Nirupama Talele and Hayawardh Vijayakumar and Trent Jaeger and Jason Teutsch and Nigel Edwards, Transforming Commodity Security Policies to Enforce Clark-Wilson Integrity, In Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC 2012), [ bibtex | abstract | pdf ] [acceptance rate: 19.0% (44/231)]
[9] Hayawardh Vijayakumar and Joshua Schiffman and Trent Jaeger, STING: Finding Name Resolution Vulnerabilities in Programs, In Proceedings of the 21st USENIX Security Symposium (USENIX Security 2012), [ bibtex | abstract | pdf ] [acceptance rate: 19.4% (43/222)]
[10] Joshua Schiffman and Hayawardh Vijayakumar and Trent Jaeger, Verifying System Integrity by Proxy, In Proceedings of the 5th International Conference on Trust and Trustworthy Computing (TRUST 2012), [ bibtex | abstract | pdf ]
[11] Hayawardh Vijayakumar and Guruprasad Jakka and Sandra Rueda and Joshua Schiffman and Trent Jaeger, Integrity Walls: Finding Attack Surfaces from Mandatory Access Control Policies., In Proceedings of the 7th ACM Symposium on Information, Computer, and Communications Security (ASIACCS 2012), [ bibtex | abstract | pdf ] [acceptance rate: 22% (35/159)]
[12] Hayawardh Vijayakumar and Joshua Schiffman and Trent Jaeger, A Rose by Any Other Name or an Insane Root? Adventures in Name Resolution, In Proceedings of 7th European Conference on Computer Network Defense (EC2ND 2011), [ bibtex | abstract | pdf ] [acceptance rate: 32% ]
[13] Joshua Schiffman and Thomas Moyer and Hayawardh Vijayakumar and Trent Jaeger and Patrick McDaniel, Seeding Clouds with Trust Anchors, In Proceedings of the 2010 ACM Workshop on Cloud Computing Security (CCSW 2010), [ bibtex | abstract | pdf ]
[14] Divya Muthukumaran and Sandra Rueda and Hayawardh Vijayakumar and Trent Jaeger, Cut Me Some Security, In Proceedings of the 3rd ACM Workshop on Assurable and Usable Security Configuration (SAFECONFIG 2010), [ bibtex | abstract | pdf ]
[15] Sandra Rueda and Hayawardh Vijayakumar and Trent Jaeger, Analysis of Virtual Machine System Policies, In Proceedings of the 14th ACM Symposium on Access Control Models and Technologies (SACMAT 2009), [ bibtex | abstract | pdf ] [acceptance rate: 32% (24/75)]
[16] Thanukrishnan Srinivasan and R. Balakrishnan and S. A. Gangadharan and Hayawardh Vijayakumar, A Scalable Parallelization of All-Pairs Shortest Path Algorithm for a High Performance Cluster Environment, In Proceedings of the 13th IEEE International Conference on Parallel and Distributed Systems (ICPADS 2007), [ bibtex | abstract | pdf ]
[17] Thanukrishnan Srinivasan and R. Balakrishnan and S. A. Gangadharan and Hayawardh Vijayakumar, Supervised Grid-of-Tries: A Novel Framework for Classifier Management, In Proceedings of the 8th International Conference on Distributed Computing and Networking (ICDCN 2006), [ bibtex | abstract | pdf ] [acceptance rate: 25.3% (62/245)]

JIGSAW: Protecting Resource Access by Inferring Programmer Expectations

@inproceedings{vgp_2014_usenixsec,
    author = {Hayawardh Vijayakumar and Xinyang Ge and Mathias Payer and Trent Jaeger},
    title = {JIGSAW: Protecting Resource Access by Inferring Programmer Expectations},
    booktitle = {Proceedings of the 23rd USENIX Security Symposium (USENIX Security 2014)},
    month = {August},
    year = {2014},
    location = {San Diego, CA, USA},
}

Policy Models to Protect Resource Retrieval

@inproceedings{vgj_2014_sacmat,
    author = {Hayawardh Vijayakumar and Xinyang Ge and Trent Jaeger},
    title = {Policy Models to Protect Resource Retrieval},
    booktitle = {Proceedings of the 19th ACM Symposium on Access Control Models (SACMAT 2014)},
    month = {June},
    year = {2014},
    location = {London, Ontario, Canada},
}

SPROBES: Enforcing Kernel Code Integrity on the TrustZone Architecture

@inproceedings{gvj_2014_most,
    author = {Xinyang Ge and Hayawardh Vijayakumar and Trent Jaeger},
    title = {SPROBES: Enforcing Kernel Code Integrity on the TrustZone Architecture},
    booktitle = {Proceedings of the 3rd IEEE Mobile Security Technologies Workshop (MoST 2014)},
    month = {May},
    year = {2014},
    location = {San Jose, CA, USA},
}

Cloud Verifier: Verifiable Auditing Service for IaaS Clouds

@inproceedings{ssv_2013_csa,
    author = {Joshua Schiffman and Yuqiong Sun and Hayawardh Vijayakumar and Trent Jaeger},
    title = {Cloud Verifier: Verifiable Auditing Service for IaaS Clouds},
    booktitle = {Proceedings of the IEEE 1st International Workshop on Cloud Security Auditing (CSA 2013)},
    month = {June},
    year = {2013},
    location = {Santa Clara, California, USA},
}

Process Firewalls: Protecting Processes During Resource Access

@inproceedings{vsj_2013_eurosys,
    author = {Hayawardh Vijayakumar and Joshua Schiffman and Trent Jaeger},
    title = {Process Firewalls: Protecting Processes During Resource Access},
    booktitle = {Proceedings of the 8th ACM European Conference on Computer Systems (EUROSYS 2013)},
    month = {April},
    year = {2013},
    location = {Prague, Czech Republic},
}

Configuring Cloud Deployments for Integrity

@inproceedings{jmsstv_2012_cesar,
    author = {Trent Jaeger and Divya Muthukumaran and Joshua Schiffman and Yuqiong Sun and Nirupama Talele and Hayawardh Vijayakumar},
    title = {Configuring Cloud Deployments for Integrity},
    booktitle = {Proceedings of the Computer And Security Applications Rendezvous: Cloud and Security (CESAR 2012)},
    month = {November},
    year = {2012},
    location = {Rennes, France},
}

The Right Files at the Right Time

@inproceedings{vj_2012_safeconfig,
    author = {Hayawardh Vijayakumar and Trent Jaeger},
    title = {The Right Files at the Right Time},
    booktitle = {Proceedings of the 5th IEEE Symposium on Configuration Analytics and Automation (SAFECONFIG 2012)},
    month = {October},
    year = {2012},
    location = {Baltimore, Maryland, USA},
}

Transforming Commodity Security Policies to Enforce Clark-Wilson Integrity

@inproceedings{mrt_2012_acsac,
    author = {Divya Muthukumaran and Sandra Rueda and Nirupama Talele and Hayawardh Vijayakumar and Trent Jaeger and Jason Teutsch and Nigel Edwards},
    title = {Transforming Commodity Security Policies to Enforce Clark-Wilson Integrity},
    booktitle = {Proceedings of the 28th Annual Computer Security Applications Conference (ACSAC 2012)},
    month = {December},
    year = {2012},
    location = {Orlando, Florida, USA},
}

STING: Finding Name Resolution Vulnerabilities in Programs

@inproceedings{vsj_2012_usenixsec,
    author = {Hayawardh Vijayakumar and Joshua Schiffman and Trent Jaeger},
    title = {STING: Finding Name Resolution Vulnerabilities in Programs},
    booktitle = {Proceedings of the 21st USENIX Security Symposium (USENIX Security 2012)},
    month = {August},
    year = {2012},
    location = {Bellevue, Washington, USA},
}

Verifying System Integrity by Proxy

@inproceedings{svj_2012_trust,
    author = {Joshua Schiffman and Hayawardh Vijayakumar and Trent Jaeger},
    title = {Verifying System Integrity by Proxy},
    booktitle = {Proceedings of the 5th International Conference on Trust and Trustworthy Computing (TRUST 2012)},
    month = {June},
    year = {2012},
    location = {Vienna, Austria},
}

Integrity Walls: Finding Attack Surfaces from Mandatory Access Control Policies.

@inproceedings{vjr_2012_asiaccs,
    author = {Hayawardh Vijayakumar and Guruprasad Jakka and Sandra Rueda and Joshua Schiffman and Trent Jaeger},
    title = {Integrity Walls: Finding Attack Surfaces from Mandatory Access Control Policies.},
    booktitle = {Proceedings of the 7th ACM Symposium on Information, Computer, and Communications Security (ASIACCS 2012)},
    month = {May},
    year = {2012},
    location = {Seoul, South Korea},
}

A Rose by Any Other Name or an Insane Root? Adventures in Name Resolution

@inproceedings{vsj_2011_ec2nd,
    author = {Hayawardh Vijayakumar and Joshua Schiffman and Trent Jaeger},
    title = {A Rose by Any Other Name or an Insane Root? Adventures in Name Resolution},
    booktitle = {Proceedings of 7th European Conference on Computer Network Defense (EC2ND 2011)},
    month = {September},
    year = {2011},
    location = {Gothenburg, Sweden},
}

Seeding Clouds with Trust Anchors

@inproceedings{smv_2010_ccsw,
    author = {Joshua Schiffman and Thomas Moyer and Hayawardh Vijayakumar and Trent Jaeger and Patrick McDaniel},
    title = {Seeding Clouds with Trust Anchors},
    booktitle = {Proceedings of the 2010 ACM Workshop on Cloud Computing Security (CCSW 2010)},
    month = {October},
    year = {2010},
    location = {Chicago, Illinois, USA},
}

Cut Me Some Security

@inproceedings{mrv_2010_safeconfig,
    author = {Divya Muthukumaran and Sandra Rueda and Hayawardh Vijayakumar and Trent Jaeger},
    title = {Cut Me Some Security},
    booktitle = {Proceedings of the 3rd ACM Workshop on Assurable and Usable Security Configuration (SAFECONFIG 2010)},
    month = {October},
    year = {2010},
    location = {Chicago, Illinois, USA},
}

Analysis of Virtual Machine System Policies

@inproceedings{rvj_2009_sacmat,
    author = {Sandra Rueda and Hayawardh Vijayakumar and Trent Jaeger},
    title = {Analysis of Virtual Machine System Policies},
    booktitle = {Proceedings of the 14th ACM Symposium on Access Control Models and Technologies (SACMAT 2009)},
    month = {June},
    year = {2009},
    location = {Stresa, Italy},
}

A Scalable Parallelization of All-Pairs Shortest Path Algorithm for a High Performance Cluster Environment

@inproceedings{sbgv_2007_icpads,
    author = {Thanukrishnan Srinivasan and R. Balakrishnan and S. A. Gangadharan and Hayawardh Vijayakumar},
    title = {A Scalable Parallelization of All-Pairs Shortest Path Algorithm for a High Performance Cluster Environment},
    booktitle = {Proceedings of the 13th IEEE International Conference on Parallel and Distributed Systems (ICPADS 2007)},
    month = {December},
    year = {2007},
    location = {Hsinchu, Taiwan},
}

Supervised Grid-of-Tries: A Novel Framework for Classifier Management

@inproceedings{sbgv_2006_icdcn,
    author = {Thanukrishnan Srinivasan and R. Balakrishnan and S. A. Gangadharan and Hayawardh Vijayakumar},
    title = {Supervised Grid-of-Tries: A Novel Framework for Classifier Management},
    booktitle = {Proceedings of the 8th International Conference on Distributed Computing and Networking (ICDCN 2006)},
    month = {December},
    year = {2006},
    location = {Guwahati, India},
}



JIGSAW: Protecting Resource Access by Inferring Programmer Expectations

Processes retrieve a variety of resources, such as files, from the operating system to function. However, securely accessing resources has proven to be a challenging task, accounting for 10-15% of vulnerabilities reported each year. Current defenses address only a subset of these vulnerabilities in ad-hoc and incomplete ways. In this paper, we provide a comprehensive defense against vulnerabilities during resource access. First, we identify a fundamental reason that resource access vulnerabilities exist – a mismatch between programmer expectations and the actual environment the program runs in. To address such mismatches, we propose JIGSAW, a system that can automatically derive programmer expectations and enforce it on the deployment. JIGSAW constructs programmer expectations as a name flow graph, which represents the data flows from the inputs used to construct file pathnames to the retrieval of system resources using those pathnames. We find that whether a program makes any attempt to filter such flows implies expectations about the threats the programmer expects during resource retrieval, the enabling JIGSAW to enforce those expectations. We evaluated JIGSAW on widely-used programs and found that programmers have many implicit expectations. These mismatches led us to discover two previously-unknown vulnerabilities and a default misconfiguration in the Apache webserver. JIGSAW enforces program expectations for approximately 5% overhead for Apache webservers, thus eliminating vulnerabilities due to resource access efficiently and in a principled manner.

Policy Models to Protect Resource Retrieval

Processes need a variety of resources from their operating environment in order to run properly, but adversary may control the inputs to resource retrieval or the end resource itself, leading to a variety of vulnerabilities. Conventional access control methods are not suitable to prevent such vulnerabilities because they use one set of permissions for all system call invocations. In this paper, we define a novel policy model for describing when resource retrievals are unsafe, so they can be blocked. This model highlights two contributions: (1) the explicit definition of adversary models as adversarial roles, which list the permissions that dictate whether one subject is an adversary of another, and (2) the application of data-flow to determine the adversary control of the names used to retrieve resources. An evaluation using multiple adversary models shows that while data-flow is necessary to authorize resource retrieval in over 90\% of system calls. By making adversary models and the adversary accessibility of all aspects of resource retrieval explicit, we can block resource access attacks system-wide.

SPROBES: Enforcing Kernel Code Integrity on the TrustZone Architecture

Many smartphones now deploy conventional operating systems, so the rootkit attacks so prevalent on desktop and server systems are now a threat to smartphones. While researchers have advocated using virtualization to detect and prevent attacks on operating systems (e.g., VM introspection and trusted virtual domains), virtualization is not practical on smartphone systems due to the lack of virtualization support and/or the expense of virtualization. Current smartphone processors do have hardware support for running a protected environment, such as the ARM TrustZone extensions, but such hardware does not control the operating system operations sufficiently to enable VM introspection. In particular, a conventional operating system running with TrustZone still retains full control of memory management, which a rootkit can use to prevent traps on sensitive instructions or memory accesses necessary for effective introspection. In this paper, we present SPROBES, a novel primitive that enables introspection of operating systems running on ARM TrustZone hardware. Using SPROBES, an introspection mechanism protected by TrustZone can instrument individual operating system instructions of its choice, receiving an unforgeable trap whenever any SPROBE is executed. The key challenge in designing SPROBES is preventing the rootkit from removing them, but we identify a set of five invariants whose enforcement is sufficient to restrict rootkits to execute only approved, SPROBE-injected kernel code. We implemented a proof-of-concept version of SPROBES for the ARM Fast Models emulator, demonstrating that in Linux kernel 2.6.38, only 12 SPROBES are sufficient to enforce all five of these invariants. With SPROBES we show that it is possible to leverage the limited TrustZone extensions to limit conventional kernel execution to approved code comprehensively.

Cloud Verifier: Verifiable Auditing Service for IaaS Clouds

Cloud computing has commoditized compute, storage, and networking resources creating an on-demand utility. Despite the attractiveness of this new paradigm, its adoption has been stymied by cloud platform’s lack of transparency, which leaves customers unsure if their sensitive data and computation can be entrusted to the cloud. While techniques like encryption can protect customers’ data at rest, clouds still lack mechanisms for customers to verify that their computations are being executed as expected, a guarantee one could obtain if they were running the computation in their own data center. In this paper, we present the cloud verifier (CV), a flexible framework that cloud vendors can configure to provide cloud monitoring services for customers to validate that their computations are configured and being run as expected in Infrastructure as a Service (IaaS) clouds. The CV builds a chain of trust from the customer to their hosted virtual machine (VM) instances through the cloud platform, enabling it to check customer-specified requirements against a comprehensive view of both the VM’s load-time and run-time properties. In addition, the CV enables cloud vendors to provide more responsive remediation techniques than traditional attestation mechanisms. We built a proof of concept CV for the OpenStack cloud platform whose evaluation demonstrates that a single CV enables over 20,000 simultaneous customers to verify numerous properties with little impact on cloud application performance. As a result, the CV gives cloud customers a low-overhead method for assuring that their instances are running according to their requirements.

Process Firewalls: Protecting Processes During Resource Access

Processes retrieve a variety of resources from the operating system in order to execute properly, but adversaries have several ways to trick processes into retrieving resources of the adversaries' choosing. Such resource access attacks use name resolution, race conditions, and/or ambiguities regarding which resources are controlled by adversaries, accounting for 5-10\% of CVE entries over the last four years. programmers have found these attacks extremely hard to eliminate because resources are managed externally to the program, but the operating system does not provide a sufficiently rich system-call API to enable programs to block such attacks. In this paper, we present the Process Firewall, a kernel mechanism that protects processes in manner akin to a network firewall for the system-call interface. Because the Process Firewall only protects processes - rather than sandboxing them - it can examine their internal state to identify the protection rules necessary to block many of these attacks without the need for program modification or user configuration. We built a prototype Process Firewall for Linux demonstrating: (1) the prevention of several vulnerabilities, including two that were previously-unknown; (2) that this defense can be provided system-wide for less than 4\% overhead in a variety of macrobenchmarks; and (3) that it can also improve program performance, shown by Apache handling 38\% more requests when program resource access checks are replaced by Process Firewall rules. These results show that it is practical for the operating system to protect processes by preventing a variety of resource access attacks system-wide.

Configuring Cloud Deployments for Integrity

Many cloud vendors now provide pre-configured OS distributions and network firewall policies to simplify deployment for customers. However, even with this help, customers have little insight into the possible attack paths that adversaries may use to compromise the integrity of their computations on the cloud. In this paper, we leverage the pre-configured security policies for cloud instances to compute the integrity protection required to protect cloud deployments. In particular, we show that it is possible to compute security configurations for cloud instance deployments that can prevent information flow integrity errors and that these configurations can be measured into attestations using trusted computing hardware. We apply these proposed methods to the OpenStack cloud platform, showing how web server application instance can be configured to protect their integrity in the cloud and how integrity measurement can be used to validate such configurations for approximately 3\% overhead.

The Right Files at the Right Time

Programs fetch resources, such as files, from the operating system through the process of name resolution. However, name resolution can be subverted by adversaries to redirect victim processes to resources chosen by the adversaries, leading to a variety of attacks. These attacks are possible because traditional access control treats processes as black boxes, permitting all process permissions to all process system calls, enabling adversaries to trick victims into using resources that are not appropriate for particular system calls. Researchers have examined methods for enforcing distinct policies on individual system calls, but these methods are difficult to use because programmers must specify which permissions apply when manually. In this work, we examine the generation of system call-specific program policies to augment access control to defend against such name resolution attacks. Our insight in this paper is that system calls can be classified by the properties of the resources accessed to produce policies automatically. Given specific knowledge about name resolution attacks, such a classification may be refined further to prevent many name resolution attacks with little chance of false positives. In this paper, we produce a policy using runtime analysis for an Ubuntu 12.04 distribution, finding that 98.7\% of accesses can be restricted to prevent typical name resolution attacks and more than 65\% of accesses can be restricted to a single file without creating false positives. We also examine three programs in detail to evaluate the efficacy of using the provided package test suites to generate policies, finding that administrators can produce effective policies automatically.

Transforming Commodity Security Policies to Enforce Clark-Wilson Integrity

Modern distributed systems are composed from several off-the-shelf components, including operating systems, virtualization infrastructure, and application packages, upon which some custom application software (e.g., web application) is often deployed. While several commodity systems now include mandatory access control (MAC) enforcement to protect the individual components, the complexity of such MAC policies and the myriad of possible interactions among individual hosts in distributed systems makes it difficult to identify the attack paths available to adversaries. As a result, security practitioners react to vulnerabilities as adversaries uncover them, rather than proactively protecting the system's data integrity. In this paper, we develop a mostly-automated method to transform a set of commodity MAC policies into a system-wide policy that proactively protects system integrity, approximating the Clark-Wilson integrity model. The method uses the insights from the Clark-Wilson model, which requires integrity verification of security-critical data and mediation at program entrypoints, to extend existing MAC policies with the proactive mediation necessary to protect system integrity. We demonstrate the practicality of producing Clark-Wilson policies for distributed systems on a web application running on virtualized Ubuntu SELinux hosts, where our method finds: (1) that only 27 additional entrypoint mediators are sufficient to mediate the threats of remote adversaries over the entire distributed system and (2) and only 20 additional local threats require mediation to approximate Clark-Wilson integrity comprehensively. As a result, available security policies can be used as a foundation for proactive integrity protection from both local and remote threats.

STING: Finding Name Resolution Vulnerabilities in Programs

The process of name resolution, where names are resolved into resource references, is fundamental to computer science, but its use has resulted in several classes of vulnerabilities. These vulnerabilities are difficult for programmers to eliminate because their cause is external to the program: the adversary changes namespace bindings in the system to redirect victim programs to a resource of the adversary's choosing. Researchers have also found that these attacks are very difficult to prevent systematically. Any successful defense must have both knowledge about the system namespace and the program intent to eradicate such attacks. As a result, finding and fixing program vulnerabilities to such as attacks is our best defense. In this paper, we propose the STING~test engine, which finds name resolution vulnerabilities in programs by performing a dynamic analysis of name resolution processing to produce directed test cases whenever an attack may be possible. The key insight is that such name resolution attacks are possible whenever an adversary has write access to a directory shared with the victim, so STING~automatically identifies when such directories will be accessed in name resolution to produce test cases that are likely to indicate a true vulnerability if undefended. STING~utilizes a shadow resolution mechanism to identify the namespace bindings used in resolution and program-specific adversary models to identify those bindings that can be exploited by adversaries. Using this information, STING produces and runs directed test cases automatically, detecting vulnerabilities with few false positives. Using STING, we found 21 previously-unknown vulnerabilities in a variety of Linux programs on Ubuntu and Fedora systems, demonstrating that comprehensive testing for name resolution vulnerabilities is practical.

Verifying System Integrity by Proxy

Users are increasingly turning to online services, but are concerned for the safety of their personal data and critical business tasks. While secure communication protocols like TLS authenticate and protect connections to these services, they cannot guarantee the correctness of the endpoint system. Users would like assurance that all the remote data they receive is from systems that satisfy the users' integrity requirements. Hardware-based integrity measurement (IM) protocols have long promised such guarantees, but have failed to deliver them in practice. Their reliance on non-performant devices that generate attestations as the basis for conveying integrity limits the efficiency, flexibility, and completeness of remote integrity verification. In this paper, we introduce the integrity verification proxy (IVP), a service that enforces integrity requirements over connections to remote systems. The IVP monitors changes to the unmodified system and immediately terminates connections to clients whose integrity requirements are not satisfied while eliminating the attestation reporting bottleneck imposed by current IM protocols. We implemented a proof-of-concept IVP that detects several classes of integrity violations on a Linux KVM system, while imposing less than 1.5\% overhead on two application benchmarks and no more than 8\% on I/O-bound micro-benchmarks.

Integrity Walls: Finding Attack Surfaces from Mandatory Access Control Policies.

Adding new programs or configuration options to a system often leads to new exploits because it provides adversaries with new ways to access possible vulnerabilities. As a result, application developers often must react to exploits as they are found. One proactive defense is to protect programs at their attack surfaces, the program entry points (e.g., system calls) accessible to adversaries. However, experience has shown that developers often fail to defend these entry points because they do not locate all such system calls where programs access system resources controlled by attackers. In this paper, we develop a runtime analysis method to compute program attack surfaces in system deployments, which uses a novel approach to computing program adversaries to determine which program entry points access adversary-controlled objects. We implemented our design as a Linux kernel mechanism capable of identifying entry points for both binary and interpreted programs. Using this mechanism, we computed the attack surfaces for all the programs in the Ubuntu Linux 10.04 Desktop distribution automatically. On examining located attack surfaces, we discovered previously unknown vulnerabilities in an X Windows startup script available since 2006 and the GNU Icecat web browser. Our tools enable developers to find attack surfaces for their programs quickly and to produce defenses prior to the emergence of attacks, potentially moving us away from the penetrate-and-patch rut.

A Rose by Any Other Name or an Insane Root? Adventures in Name Resolution

Namespaces are fundamental to computing systems. Each namespace maps the names that clients use to retrieve resources to the actual resources themselves. However, the indirection that namespaces provide introduces avenues of attack through the name resolution process. Adversaries can trick programs into accessing unintended resources by changing the binding between names and resources and by using names whose target resources are ambiguous. In this paper, we explore whether a unified system approach may be found to prevent many name resolution attacks. For this, we examine attacks on various namespaces and use these to derive invariants to defend against these attacks. Four prior techniques are identified that enforce aspects of name resolution, so we explore how these techniques address the proposed invariants. We find that each of these techniques are incomplete in themselves, but a combination could provide effective enforcement of the invariants. We implement a prototype system that can implement these techniques for the Linux filesystem namespace, and show that invariant rules specific to each, individual program system call can be enforced with a small overhead (less than 3\%), indicating that fine-grained name resolution enforcement may be practical.

Seeding Clouds with Trust Anchors

We are finding that customers with security-critical data processing needs are beginning to push back strongly against using cloud computing. In cloud computing, a vendor runs their computations upon cloud provided VM systems. Customers are worried that such host systems may not be able to protect themselves from attack, ensure isolation of customer processing, or load customer processing cor rectly. To provide assurance of data processing protection in clouds to customers, we advocate methods to improve cloud transparency using hardware-based attestation mechanisms. We find that the centralized management of cloud data centers is ideal for attesta tion frameworks, enabling the development of a practical approach for customers to trust in the cloud platform. Specifically, we pro pose a cloud verifier service that generates integrity proofs for customers to verify the integrity and access control enforcement abilities of the cloud platform that protect the integrity of customer’s application VMs in IaaS clouds. While a cloud-wide verifier service could present a significant system bottleneck, we demonstrate that aggregating proofs enables significant overhead reductions. As a result, transparency of data security protection can be verified at cloud-scale.

Cut Me Some Security

Computer security is currently fraught with fine-grained access control policies, in operating systems, applications and even programming languages. All this policy configuration means that too many decisions are left to administrators, developers and even users to some extent and as a result we do not get any comprehensive security guarantees. In this position paper, we take a stand for the idea that less policy is better and propose that limiting the choices given to parties along the development and deployment process leads to a more secure system. We argue that other systems processes like scheduling and memory management achieve their goals with minimal user input and access control configuration should also follow suit. We then suggest a technique to automate access control configuration using graph-cuts and show that this gets us closer to achieving our goal.

Analysis of Virtual Machine System Policies

The recent emergence of mandatory access (MAC) enforcement for virtual machine monitors (VMMs) presents an opportunity to enforce a security goal over all its virtual machines (VMs). However, these VMs also have MAC enforcement, so to determine whether the overall system (VM-system) is secure requires an evaluation of whether this combination of MAC policies, as a whole, complies with a given security goal. Previous MAC policy analyses either consider a single policy at a time or do not represent the interaction between different policy layers (VMM and VM). We observe that we can analyze the VMM policy and the labels used for communications between VMs to create an inter-VM flow graph that we use to identify safe, unsafe, and ambiguous VM interactions. A VM with only safe interactions is compliant with the goal, a VM with any unsafe interaction violates the goal. For a VM with ambiguous interactions we analyze its local MAC policy to determine whether it is compliant or not with the goal. We used this observation to develop an analytical model of a VM-system, and evaluate if it is compliant with a security goal. We implemented the model and an evaluation tool in Prolog. We evaluate our implementation by checking whether a VM-system running XSM/Flask policy at the VMM layer and SELinux policies at the VM layer satisfies a given integrity goal. This work is the first step toward developing layered, multi-policy analyses.

A Scalable Parallelization of All-Pairs Shortest Path Algorithm for a High Performance Cluster Environment

We present a parallelization of the Floyd-Warshall all pairs shortest path algorithm for a distributed environment. A lot of versions of the Floyd-Warshall algorithm have been proposed for a uniprocessor environment, optimizing cache performance and register usage. However, in a distributed environment, communication costs between nodes have to be taken into consideration. We present a novel algorithm, Phased Floyd-Warshall, for a distributed environment, which optimally overlaps computation and communication. Our algorithm is compared with a register optimized version of the blocked all pairs shortest path algorithm [6, 4, 1] which is adapted for a distributed environment. We report speedups of 2.8 in a 16-node cluster and 1.2 in a 32-node cluster for a matrix size of 4096.

Supervised Grid-of-Tries: A Novel Framework for Classifier Management

Packet classification is the problem of identifying which one of a set of rules maintained in a database is best matched by an incoming packet at a router and taking the action specified by the rule. This is a uniform enabler for many new network services like firewalls, quality of service and virtual private networks. These services require dynamic management of rules. While many algorithms recently proposed can perform packet classification at very high speeds, rule update times for these are not very fast. This paper presents an efficient classifier management algorithm, which effectively reduces the rule update time for the well known Grid-of-Tries classifier. To this end, we have devised a novel structure called Supervised Grid-of-Tries, which employs additional tracking pointers embedded into the trie to facilitate efficient rule updates.