3. Herklotz - Information

8/7/2019 3. Herklotz - Information

1/26

INFORMATION OPERATIONS

&SECURITY

14 March 2011

Dr. Robert HerklotzProgram Manager

AFOSR/RSLAir Force Office of Scientific Research

AFOSR

Distribution A: Approved for public release; distribution is unlimited. 88ABW-2011-0777


2/26

2

2011 AFOSR SPRING REVIEW2311F PORTFOLIO OVERVIEW

NAME: Dr. Robert Herklotz

GOAL OF PROGRAM:

Fund science that will enable the AF and DOD to dominatecyberspace: Science to develop secure information systems for ourwarfighters and to deny the enemy such systems.

SUB-AREAS IN PORTFOLIO:

Formal Methods, Secure Software, Secure Hardware, Secure Data,Security Policy, Science of Security


3/26

3

Scientific Challenges

Science of Security

Covert Channels: Steganographyand Steganalysis

Security Policy

Execute Mission On InsecureComponents


4/26

4

Transformational Opportunities

Develop a theory of cyber security to understand thesecurity of system architectures

Develop a theory of Covert Channels and relationships

to system architectures Future Dynamic cyber systems will be managed

autonomously by dynamic policies

Methods to Fight through attack and autonomiclyrecover will be needed to execute the missioncontinuously


5/26

5

Other Organizations That FundRelated Work

ARO, ONR, NSA, NIST, NSF, IARPA, DARPA, DHS

Niche:

Science of Security

Covert Channels: Steganography and Steganalysis

Security Policy

Execute Mission On Insecure Components

P T d


6/26

6

Program Trends:Information Operations & Security

Formal Methods Advanced theorem proving

Static analysis Dynamic analysis Symbolic evaluation and constraint solving

Secure Software Code-level specification/verification Obfuscation

Artificial, dynamic diversity Fully homomorphic encryption Statistical models, error virtualization and rescue points Automated Program Repair with Genetic Programming Binary translation

Secure Hardware Combinational logic

Secure Data Theory for incentive-compatibility

Security Policy policy specification language Novel logics abstractions for security policy compliance

Science of Security Hyperproperties Information flows/covert channels

T hH i


7/26

7

TechHorizonsPriority Key Technology Areas

(Information Operations and Security, RSL)

Autonomous systems Autonomous reasoning and learning

Resilient autonomy

Complex adaptive systems

V&V for complex adaptive systems

Collaborative/cooperative control

Autonomous mission planning

Cold-atom INS

Chip-scale atomic clocks

Ad hoc networks

Polymorphic networks

Agile networks

Laser communications

Frequency-agile RF systems

Spectral mutability Dynamic spectrum access

Quantum key distribution

Multi-scale simulation technologies

Coupled multi-physics simulations

Embedded diagnostics

Decision support tools

Automated software generation

Sensor-based processing

Behavior prediction and anticipation

Cognitive modeling

Cognitive performance augmentation

Human-machine interfaces


8/26

8

Recent Transitions

Hatcliff-KSU/Apple-Princeton: a novel Hoare logic forspecifying and verifying expressive information flowpolicies as needed in MLS systems and cross-domainsolutionsto DoD projects and industry

Weimer UVA and Forrest UNM: Automatically andsafely generate program repairsto DARPA andIARPA

Anti-forensics research transitionedto AF

Botnet research transitioned to applied programsDHS, ARL


9/26

9

Towards a General Theory of CounterdeceptionScott Craver, Binghamton University, Binghamton, New York

In counterdeception problems, we seek to detectunauthorized behavior, while an attacker seeks toevade our detection algorithm.

Many hard security problems today arecounterdeception problems

Virus detection and intrusion detection

Covert communications (steganography)

Biometrics and face/voice recognition Spam filtering

Media forensics and tamper detection

Digital Watermarking (our area)


10/26

10

The Big Problem

Cryptography has a strong theoretical foundation;adversarial detection does not.

Previous work, based on classical detection theory,

wrongly models the adversary as noise. Adversaries adaptively attack fixed detection

algorithms (so-called oracle or sensitivity attacks)

Detectors leak information with use, to a degree thatisnt exactly known

In fact, we cant say much at all about the security ofa detector.


11/26

11

Problem: Entropy Of A Detector

Adversaries can reverse-engineer a detector by itsresponse to experimental inputs

Often very quickly, using basic linear algebra orgradient descent

Quickly means linear in the number of features n(the dimension of feature space) examined by thedetector.

What we want:

To characterize the entropy of a region in space, ina way that captures difficulty of mapping it out;

A detector that maximizes entropy, or at

least takes more than linear time to break.


12/26

12

Basic Result

If a detector satisfies some basic error constraints...

Bounds on false alarm and miss rate

...then the detector surface is locally flat

A disc at the surface must have most of a hemisphereoutside and most of a hemisphere inside

Implies an entropy bound of nlog n

n is the data size (dimension of space)

Estimate slope of disk with O(n) tries

O(2n

) discs to reverse-engineer Entropy is roughly the log of # of tries

Attacker can beat you in at most 2^(nlog n)

tries, now an attacker can beat you in

about n tries


13/26

13

Science Base for SecurityFred B. Schneider, Cornell University

SCIENCE: A body of laws that are predictive

Transcend specific systems, attacks, and defenses.

Laws are not necessarily quantitative, but:

Applicable in real settings

Provide explanatory value

Abstractions and models

Connections and relationships


14/26

14

Laws about What?

Features:

Classes of policies

Classes of attacks

Classes of defenses Relationships (= SoS)

Defense class D enforces policyclass P despite attacks from classA.

Application App new policies P New policies P new attacks A New attacks A new defenses M

Attacks

Defenses Policies


15/26

15

Foundations for Policy

Policy: What the system should do; what the system should not do: Confidentiality: Who is allowed to learn what?

Integrity: What changes are allowed by system. includes resource utilization, input/output to environment.

Availability: When must service be rendered.

Hyper-properties: sets of sets of traces. Can be decomposed into: Safety hyper-property

Liveness hyper-property

Expressive enough for all security policies and has a

formal mathematical foundation.


16/26

16

Power of Obfuscation

What class of attacks are resisted by making

semantics-preserving random transformations?

All morphs implement the same interface.

Interface attacks. Obfuscation cannot blunt attacks that exploit

the semantics of that (flawed) interface.

Implementation attacks. Obfuscation can blunt attacks thatexploit implementation details.

Thm: Obfuscation and probabilistic dynamic typesystems defend against the sameimplementation attacks.


17/26

17

Quantification of Integrity Erosion

Contamination (dual of leakage) Output := (t, u) Predict untrusted input from trusted input and trusted output

Suppression (trusted input suppressed from trusted output): n := rand(); Output := t XOR n Predict trusted input from trusted output.

Thm: Leakage + Suppression = Constant

Applications: Comparison and evaluation of database privacy schemes:

K-anonymity [Sweeney 02]

Doesnt bound leakage or suppression

Entropy L-diversity [Machanavajjhala et al. `07]

Suppresses at least L bits of information about individual

Differential Privacy [Dwork 06]

Bounds derived.

untrusted

ProgramUser

Attacker

Usertrusted

E id b d T t i


18/26

18

Evidence-based Trust inLarge-scale MLS Systems

John Hatcliff (PI), Kansas State University andAndrew Appel, Princeton University

This project aims to provide innovations in architecturemodeling, semantic analysis, and logic-based verificationtechniques that dramatically increase the safety, security,and ability to certify critical components of DoD systems

It targets security architectures such as MultipleIndependent Levels of Security (MILS) and developingtechniques that dramatically improve assurance and

reduce certification costs in MILS components.


19/26

19

Technical Achievements

--# derives

--# Output_1_Data from

--# Input_0_Data

--# when (Input_0_Ready and

--# Output_1_Ready),

--# Output_1_Data,

--# when (not Input_0_Ready or

--# not Output_1_Read),

--# Input_0_Ready,

--# Output_1_Ready

One of our most important achievement to date is a novel Hoare logic for

specifying and verifying expressive information flow policies as needed inMLS systems and cross-domain solutions

SPARK Ada Program Info Flow Spec

flows exist onlyunder certainconditions

I. Our logic provides a formal semanticfoundation for specifying howinformation should flow betweenprogram components

non-interference, non-leakage

II. A proven correct pre-condition generationalgorithm automatically generates a derivationin the logic showing that a program conformsto its information flow specification

III. Using advanced compiler technology, wemake the logic easy to use for programmersand verification teams by presenting it in high-

level user-friendly program-level annotations

Logic is embedded (hidden) in the SPARK Adalanguage designed for programming criticalsystems (could also work for safety-critical C)


20/26

20

Automated Program RepairWeimer (University of Virginia) and Forrest (University of New Mexico)

Research Goal: Automatically and

safely generate program repairs

Result: Automatic repairs of over adozen defect types, including securityvulnerabilities. Analyzed evolutionaryalgorithm on programs totalinghundreds of thousands of lines ofcode. Demonstrated close-loop hotrepair of running server.

Technique: Use genetic

programming techniques to searchthe space of nearby programs untilone is found that repairs the bug andmaintains required functionality.Ordinary test cases are used toevaluate candidate program repairs.

Highlights: Keynote at OPSLA10,best paper and presentationawards at multiple conferences,gold human-competitive award @GECCO

C t S it f C dit S ft


21/26

21

Component Security of Commodity SoftwareKwon and Su, UC Davis

Research Goal: Identify and

demonstrate prevalence of unsafeloading of components in modernsoftware.

Example: (1) Attacker co-locatesmalicious DLL with file on aWebDAV share. (2) Victim opensthe file and executes the maliciousDLL.

Result: Discovered 4000 unsafe

loadings on 27 popular Windows(including Office) and 24 LinuxUbuntu applications. Found 41remotely exploitable unsafeloadings under Windows.

Technique: Detection of unsafe

loadings via offline-profile analysisand dynamic profile generation

Highlights:

Extensive media coverage:

Reuters, ComputerWorld andNetwork World, among others

Microsoft issued a hotfix

ACM Distinguished Paper

Award

C i E d D


22/26

22

Computing on Encrypted DataGentry/Boneh, Stanford

Longstanding open problem Many useful applications

Store encrypted database in cloud or untrusted data center

Produce encrypted query result, without decryptingdata

Private Internet search Encrypt my query, send to Google, receive encrypted result

Breakthrough in cryptography [Gentry (Stanford)]

Homomorphic encryption: E[x], E[y] E[x+y], E[xy]

x1 x2 x3 x4

+

f(x1,,x4)

For any function f :

E[x1], , E[xn] E[ f(x1,,xn )]

Student Craig Gentry received 2010ACM Doctoral Dissertation Award for hishomomorphic encryption breakthrough

Advisor: Boneh


23/26

23

Towards Statistically Undetectable SteganographyJessica Fridrich, Binghamton University

Objectives

Identify fundamental laws determining security of covert communication indigital multimedia objects, such as images or video. Determine an appropriate measure of secure payload for practical data-hiding methods. Use it for design and benchmarking. Develop practical methods capable of embedding large payloads withminimal statistical impact.

Main requirement:Undetectability(no algorithmcan distinguish stego andcover objects with successbetter than random guessing)

Warden: passive

Constructing Practical Secure


24/26

24

Constructing Practical SecureSteganographic Schemes

There exist two fundamental approaches to designing securesteganography:

(1) Model-based: Choose a model (statistical distribution) and forcethe embedding to preserve it (2) Distortion-based: Choose a distortion measure and minimize itwhile embedding.

In (1), the model must be simple = unrealistic. While the embedding issecure within the model, it may become even more insecure for a differentmodel. The problem is lack of robustness to the model.

In (2), the designer gives up perfect security (it is unachievable anyway)but gains substantially because even very complex (realistic) distortionmeasures can be used with low implementation complexity.

Most practical embedding schemes that follow (2) are ad hoc,suboptimal, and it is not clear how to optimize their design.


25/26

25

The Gibbs construction

The breakthroughs: Discovered a connection between statistical physics andsteganography. Porting of powerful algorithms from physics to the field ofinformation security. The first scheme that considers interaction of embeddingchanges. General framework for adaptive steganography.

1) Methodology for obtaining the rate

distortion bounds using the Gibbssampler.2) Methodology for simulating the impact of optimal schemes (operating on

the bound). This is achieved using the Gibbs sampler, too.3) Methodology for building near-optimal practical embedding schemes.

Achieved using syndrometrellis codes on disjoint sublattices of pixels and

the Gibbs sampler.


26/26

26

The Gibbs construction in practice

Steganaly

zererrorPE

undetectable steganography (detector makes random guesses)

Perfectdetection

Relative payload in bits per pixel Relative payload in bits per pixel

Very significant improvement over prior art Very high payloads of ~0.20.4 bits per pixel can be embeddedundetectably, depending on the cover source.

Changes of pixels by 2 are beneficial as long as made adaptively

Prior art

Documents

3. Herklotz - Information