TRUST Team for Research in Ubiquitous Secure Technology
Spring 2008 Conference
April 2 – 3, 2008
Berkeley, California

TRUST is funded by the National Science Foundation (award number CCF‐0424422)

CONTENTS

WELCOME MESSAGE
TRUST OVERVIEW
CONFERENCE AGENDA
PRESENTATION ABSTRACTS
KEYNOTE SPEAKER BIOGRAPHY
SPEAKER BIOGRAPHIES
NOTES

WELCOME MESSAGE

It is with great pleasure that we welcome you to the TRUST Spring 2008 Conference in Berkeley, California.

This is one of two major conferences each year that showcase activities of the TRUST center. Specifically, the work of the center is focused on:

• Advancing a leading-edge research agenda to improve the state-of-the art in cybersecurity and critical infrastructure protection;

• Developing a robust education plan to teach the next generation of computer scientists, engineers, and social scientists; and

• Pursuing knowledge transfer opportunities to transition TRUST results to end users within industry and the government.

This conference provides an opportunity to hear firsthand about recent research results and future plans of TRUST faculty and students across all TRUST-affiliated universities. We hope you will find the conference educational, engaging, and insightful.

We are honored to have as a keynote speaker UC Berkeley Professor David Wagner. David is well known for his research in computer security and cryptography and is the co-founder of ACCURATE, a multi-institution voting research center funded by the National Science Foundation. David will share with us his work on the security of electronic voting and an initiative he ran for the California Secretary of State. In a time when many states are moving toward e-voting, and in a presidential election year in the U.S., I think we will all find David's talk both timely and insightful.

For those of you not affiliated with TRUST, or new to TRUST, I encourage you to use this conference to meet the TRUST team and find out more about the center and its projects.

Sincerely,

S. Shankar Sastry
Director, Team for Research in Ubiquitous Secure Technology
Dean of Engineering, University of California, Berkeley


TRUST OVERVIEW

The role and penetration of computing systems and networks in our societal infrastructure continues to grow, and their importance to societal safety and security has never been greater. Beyond mere connection to the Internet and access to global resources, information systems are now used to control critical infrastructures for electricity, healthcare, finance, and medical networks. As society uses computers, systems, and networks in increasingly important ways, the underlying technology often does not meet the desired level of trust, and many critical infrastructure systems remain untrustworthy. Viruses and worms sweep the Internet with increasing virulence, and they spread faster as they become easier to deploy. Privacy and security remain poorly understood, poorly supported, and generally inadequate. Broader issues of software usability, reliability, and correctness remain challenging, as does understanding how users interact with computers and how systems can be designed to influence users to behave more securely.

The Team for Research in Ubiquitous Secure Technology (TRUST) is addressing these challenges of developing, deploying, and using trustworthy systems. TRUST, a National Science Foundation sponsored Science and Technology Center (STC), is focused on the development of cyber security science and technology that will radically transform the ability of organizations to design, build, and operate trustworthy information systems for our state and nation's critical infrastructure.

TRUST is led by the University of California, Berkeley with partner institutions Carnegie Mellon University, Cornell University, Mills College, San Jose State University, Smith College, Stanford University, and Vanderbilt University. TRUST projects take a holistic, interdisciplinary view that addresses computer security, software technology, analysis of complex interacting systems, and economic, legal, and public policy issues. As such, TRUST draws on researchers in such diverse fields as Computer Engineering, Computer Science, Economics, Electrical Engineering, Law, Public Policy, and the Social Sciences. TRUST is addressing fundamental problems and advancing the state-of-the-art in a number of areas:

• Security and privacy issues associated with the rapidly increasing use of electronic media for the archival and access of patient medical records.

• Web authentication, end-user privacy, next-generation browser security, malware detection, and improved system forensic techniques to combat online attacks.

• Application defenses for network-level intrusions and attacks including compromised and malfunctioning legacy applications, viruses, worms, and spyware.

• Incentives for research, investment, policies, and procedures for technology that enhance system security, privacy, and trustworthiness.

• Secure embedded sensor networks for large-scale applications critical to the nation’s economy, energy, security, and health.

• Techniques that ensure trustworthy computing by securing hardware, improving software robustness, and increasing the survivability of critical systems.

More information on TRUST is available at www.truststc.org.


CONFERENCE AGENDA

NOTE: Unless otherwise noted, conference events will be held in the Sonoma Room of the Claremont Resort & Spa.

WEDNESDAY, APRIL 2, 2008

TIME         TOPIC
0800 – 0845  Breakfast [Sonoma Room]
0845 – 0900  Conference Welcome
0900 – 1000  Keynote Speech – California Top-To-Bottom Review of Voting Systems
             David Wagner (UC Berkeley)
1000 – 1030  Break
1030 – 1100  Taking Advantage of Data Correlation to Control the Topology of Wireless Sensor Networks
             Sergio A. Bermudez (Cornell University), Stephen B. Wicker (Cornell University)
1100 – 1130  A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks
             Adrian P. Lauf (Vanderbilt University), Richard A. Peters (Vanderbilt University), William H. Robinson (Vanderbilt University)
1130 – 1200  The Inherent Security of Routing Protocols in Ad-Hoc and Sensor Networks
             Tanya Roosta (UC Berkeley), Sameer Pai (Cornell University), Phoebus Chen (UC Berkeley), Shankar Sastry (UC Berkeley), Stephen Wicker (Cornell University)
1200 – 1330  Lunch [Napa Room]
1330 – 1400  Deploying Distributed Real-time Healthcare Applications on Wireless Body Sensor Networks
             Allen Y. Yang (UC Berkeley), Sameer Iyengar (UC Berkeley), Shanshan Jiang (Vanderbilt University), Philip J. Kuryloski (Cornell University), Yanchuan Cao (Vanderbilt University), Roozbeh Jafari (UT-Dallas), Yuan Xue (Vanderbilt University), Ruzena Bajcsy (UC Berkeley), Stephen Wicker (Cornell University), Shankar Sastry (UC Berkeley)
1400 – 1430  A Testbed for Secure and Robust SCADA Systems
             Annarita Giani (UC Berkeley), Gabor Karsai (Vanderbilt University), Tanya Roosta (UC Berkeley), Aakash Shah (Carnegie Mellon University), Bruno Sinopoli (Carnegie Mellon University), Jon Wiley (Vanderbilt University)
1430 – 1500  Experimental Platform for Model-Integrated Clinical Information Systems
             Janos Mathe (Vanderbilt University), Jan Werner (Vanderbilt University), Yonghwan Lee (Vanderbilt University), Bradley Malin (Vanderbilt University), Akos Ledeczi (Vanderbilt University), John Mitchell (Stanford University), Janos Sztipanovits (Vanderbilt University)
1500 – 1530  Break
1530 – 1600  Security Breach Notification Laws: A "Race-to-the-Top"?
             Deirdre K. Mulligan (UC Berkeley)
1600 – 1630  Detecting Data Leakage
             Panagiotis Papadimitriou (Stanford University), Hector Garcia-Molina (Stanford University)
1630 – 1700  Power Consumption Monitoring – An Emerging Threat to Privacy
             Mikhail A. Lisovich (Cornell University), Stephen B. Wicker (Cornell University)
1800         Conference Attendee Dinner [Napa Room]

THURSDAY, APRIL 3, 2008

TIME         TOPIC
0800 – 0900  Breakfast [Sonoma Room]
0900 – 0930  Maelstrom: An Enterprise Continuity Protocol for Financial Data Centers
             Ken Birman (Cornell University), Mahesh Balakrishnan (Cornell University), Tudor Marian (Cornell University), Hakim Weatherspoon (Cornell University)
0930 – 1000  Write Markers for Probabilistic Quorum Systems
             Michael G. Merideth (Carnegie Mellon University), Michael K. Reiter (University of North Carolina, Chapel Hill)
1000 – 1030  Flicker: An Execution Infrastructure for TCB Minimization
             Jonathan M. McCune (Carnegie Mellon University), Bryan Parno (Carnegie Mellon University), Adrian Perrig (Carnegie Mellon University), Michael K. Reiter (University of North Carolina, Chapel Hill), Hiroshi Isozaki (Carnegie Mellon University, Toshiba Corp.)
1030 – 1100  Break
1100 – 1130  Effective Testing via Symbolic Execution and Input Recombination
             Daniel Dunbar (Stanford University), Christian Cadar (Stanford University), Peter Pawlowski (Stanford University), Dawson Engler (Stanford University)
1130 – 1200  Automated Whitebox Fuzz Testing
             Patrice Godefroid (Microsoft), Michael Y. Levin (Microsoft), David Molnar (UC Berkeley)
1200 – 1230  Securing Frame Communication in Browsers
             Adam Barth (Stanford University), Collin Jackson (Stanford University), John C. Mitchell (Stanford University)
1230 – 1245  Wrap Up / Conference Closing
1245         TRUST Student Poster Review [Sonoma Room] (Lunch provided in Napa Room)

NOTE: Unless otherwise noted, conference events will be held in the Sonoma Room of the Claremont Resort & Spa.

PRESENTATION ABSTRACTS

Wednesday, April 2

1030 – 1100 Taking Advantage of Data Correlation to Control the Topology of Wireless Sensor Networks
Sergio A. Bermudez (Cornell University) Stephen B. Wicker (Cornell University)

Sleep-based topology control is an important technique used in wireless sensor networks (WSNs) to reduce the energy consumption of the individual node platforms and, as a consequence, sleep-based topology control is useful to increase the functional lifetime of the networks. While in the literature there are several schemes that address sleep-based topology control in WSNs, there is no proposal that operates by exploiting the information provided by the correlation among sensed data. This paper describes a method to control the topology of a WSN using information about data correlation. With the correlation information, the node platforms are able to create a two-tier network, one tier of active nodes and one of backup nodes, and thus extend the functional lifetime of the WSN. Basically, the mechanism consists of two steps: (1) autonomous creation of clusters and (2) use of a scheduling algorithm within these clusters. Our scheme has practical relevance since it is simple, localized, decentralized, and scalable. Moreover, using correlation information allows relaxing common assumptions imposed in other topology control schemes. This article provides a tractable model of the scheme and analytical results showing its performance along with simulations that support the analytical results.

1100 – 1130 A Distributed Intrusion Detection System for Resource-Constrained Devices in Ad Hoc Networks

Adrian P. Lauf (Vanderbilt University) Richard A. Peters (Vanderbilt University) William H. Robinson (Vanderbilt University)

This paper describes the design and implementation of a hybrid, two-stage intrusion detection system (IDS). The hybrid nature of the IDS is captured in the cooperation of two detection strategies. The first detection strategy analyzes peaks within probability density functions to isolate deviance at the level of a single node. It can perform this analysis with zero prior knowledge of its operating environment; it requires no calibration data. In contrast, the secondary method relies on a cross-correlative component, which requires careful tuning of a detection threshold. Its primary advantage is the ability to detect multiple threats simultaneously. The first stage provides tuning and calibration information for the second stage. Our approach distributes the IDS among all connected network nodes, allowing each node to identify potential threats individually. Although the initial deployment studied mobile, ad hoc networks, the IDS could be deployed within Supervisory Control and Data Acquisition (SCADA) systems. Our work will leverage the development of the SCADA testbed within TRUST to enhance the intrusion detection capability within remote terminal units (RTUs).

1130 – 1200 The Inherent Security of Routing Protocols in Ad-Hoc and Sensor Networks
Tanya Roosta (University of California, Berkeley) Sameer Pai (Cornell University) Phoebus Chen (University of California, Berkeley) Shankar Sastry (University of California, Berkeley) Stephen Wicker (Cornell University)

Many of the routing protocols that have been designed for wireless ad-hoc networks focus on energy-efficiency and guaranteeing high throughput in a non-adversarial setting. However, given that ad-hoc and sensor networks are deployed and left unattended for long periods of time, it is crucial to design secure routing protocols for these networks. Over the past few years, attacks on the routing protocols have been studied and a number of secure routing protocols have been designed for wireless ad-hoc sensor networks. However, there has not been a comprehensive study of how these protocols compare in terms of achieving security goals and maintaining high throughput. In this paper, we focus on the problem of analyzing the inherent security of routing protocols with respect to two categories: multi-path and single-path routing. Within each category, we focus on deterministic vs. probabilistic mechanisms for setting up the routes. We consider the scenario in which an adversary has subverted a subset of the nodes, and as a result, the paths going through these nodes are compromised. We present our findings through simulation results.

1330 – 1400 Deploying Distributed Real-time Healthcare Applications on Wireless Body Sensor Networks

Allen Y. Yang (University of California, Berkeley) Sameer Iyengar (University of California, Berkeley) Shanshan Jiang (Vanderbilt University) Philip J. Kuryloski (Cornell University) Yanchuan Cao (Vanderbilt University) Roozbeh Jafari (University of Texas-Dallas) Yuan Xue (Vanderbilt University) Ruzena Bajcsy (University of California, Berkeley) Stephen Wicker (Cornell University) Shankar Sastry (University of California, Berkeley)

Body sensor networks have the potential to revolutionize healthcare. Remote patient monitoring can increase quality of care in a cost-efficient manner. Development of these systems combines many interdisciplinary challenges: the system architecture must be reliable, secure and easily deployed, and the algorithms must be accurate and efficient. We propose an extensible, developer-focused hardware and software framework that aids in creation of healthcare monitoring applications. This framework allows us to deploy a highly accurate, distributed, real-time human action recognition system. The distributed nature of the system allows nodes to perform local decision-making and processing. We leverage this to build a recognition system that has three integrated components: 1. Multi-resolution action feature extraction. 2. Fast distributed classifiers via L-1 minimization. 3. An adaptive global classifier.

1400 – 1430 A Testbed for Secure and Robust SCADA Systems
Annarita Giani (University of California, Berkeley) Gabor Karsai (Vanderbilt University) Tanya Roosta (University of California, Berkeley) Aakash Shah (Carnegie Mellon University) Bruno Sinopoli (Carnegie Mellon University) Jon Wiley (Vanderbilt University)

Supervisory Control and Data Acquisition (SCADA) systems monitor and control real-time systems. SCADA systems are the backbone of the critical infrastructure, and any compromise in their security can have grave consequences. Doing experiments on physical plants is infeasible, so there is a strong need to have a SCADA testbed for checking vulnerabilities and validating security solutions. In this paper we develop such a SCADA testbed. The paper introduces the generic components found in SCADA systems, then describes the reference architecture for the testbed and presents three different approaches for implementing it. This is followed by the presentation of some interesting experimental scenarios, followed by a description of next steps in the construction of the testbed.

1430 – 1500 Experimental Platform for Model-Integrated Clinical Information Systems
Janos Mathe (Vanderbilt University) Jan Werner (Vanderbilt University) Yonghwan Lee (Vanderbilt University) Bradley Malin (Vanderbilt University) Akos Ledeczi (Vanderbilt University) John Mitchell (Stanford University) Janos Sztipanovits (Vanderbilt University)

This paper describes an experimental platform for Model-Integrated Clinical Information Systems (MICIS). The role of MICIS is to provide a common integration testbed for security and privacy aware Clinical Information Systems (CIS). The MICIS architecture includes a component integration platform and model integration platform. The MICIS component integration platform is based on a standard Service-Oriented Architecture (SOA) framework that is extended with policy evaluation and enforcement capabilities. We have developed the reusable, application independent Prolog-based Policy Evaluation Point and Policy Enforcement Point (MICIS-PROPER) components and integrated those with the Apache Orchestration Director Engine (ODE). The embedded Prolog engine in MICIS-PROPER allows constructing rigorous experiments with privacy and security languages. The architecture of PROPER enables the description of complex security and privacy constraints with temporal aspects and supports user-defined rich context dependence. The MICIS model integration platform is built on Vanderbilt's metaprogrammable Model-Integrated Computing (MIC) toolsuite. Different CIS application prototypes are developed in the following steps: (1) specification of domain-specific modeling languages capturing all relevant architectural and policy modeling aspects of selected CIS applications, (2) development of model transformations for mapping the domain specific models on the MICIS component integration platform and (3) building application models and running experiments. In this paper we demonstrate MICIS using a Patient Portal example. The system models capture workflows, services, organizations, roles, messages, message attributes, deployment, and access control and security policies. The privacy modeling language is based on Stanford's work on contextual integrity and enables the formal representation of permitted communications considering both past and future communication instances. The necessary application components are then automatically generated, assembled, and deployed on the MICIS experimental platform. The generated artifacts include workflow descriptions in WS-BPEL, web service descriptors in WSDL, and access control and privacy policies in Prolog.

1530 – 1600 Security Breach Notification Laws: A "Race-to-the-Top"?
Deirdre K. Mulligan (University of California, Berkeley)

The California Security Breach Information Act (AB 700/SB 1386) has been adopted, with modest modifications, by 39 additional states and the District of Columbia. This law encourages firms to adopt sounder security investments by requiring them to notify individuals of security breaches of their personal information. The use of compulsory information disclosures as a regulatory tool is an important, modern development in American law. The Toxics Release Inventory (TRI), a publicly available EPA database that contains information on toxic chemical releases and other waste management activities, established under the Emergency Planning and Community Right-to-Know Act of 1986 (EPCRA), is credited with providing incentives for reductions and better management of toxic chemicals by firms eager to avoid reporting releases, and with providing information essential to citizen and government oversight, engagement and action. The California Security Breach Information Act was modeled on the TRI. Based on research documenting how specific aspects of the EPCRA (including standardized, centralized and electronic reporting and public accessibility of data), the reported incidents, and the non-profit community contributed to its successes, as well as qualitative interviews of security and privacy professionals within firms about security investments and the effects of security breach notification laws in particular, this paper considers the extent to which the current structure of security breach notification laws is producing a "race-to-the-top" with respect to information security and makes recommendations for statutory reforms aimed at facilitating such a race by enabling greater public oversight, cross-firm learning, market activity, and targeted regulatory intervention.

1600 – 1630 Detecting Data Leakage
Panagiotis Papadimitriou (Stanford University) Hector Garcia-Molina (Stanford University)

Data leakage detection is complementary to prevention, where security mechanisms like encryption ensure that unauthorized parties do not get data. In some cases sensitive data must be released to supposedly trusted parties so they can do their work, so prevention is not applicable. However, since the "trusted" parties may intentionally or unintentionally leak data to others, we would like to be able to detect such instances, so we can take action against the leaking party. Our approach to detect the leaking party is the following: we look for a subset of leaked data (say on the web or in someone's laptop) and assess the likelihood that it came from our sensitive source, as opposed to having been independently gathered by other means. Furthermore, we propose data distribution "patterns" (across parties receiving data) that maximize the probability of identifying leakages. These methods do not rely on alterations of the released data (e.g., watermarks). In some cases we can also inject "realistic but fake" data records to again improve our chances of detecting leakage and identifying the guilty parties.
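As an added worked example, not code from the paper: the Python below sketches a guilt model of the kind this abstract describes, together with a minimum-overlap distribution pattern and fake-record injection. The formula (a leaked record was either obtained independently with probability p, or leaked by one of the agents that received it, each equally likely), the greedy allocation heuristic, and all agent and record names are assumptions made for this example, not the authors' definitions.

```python
from typing import Dict, Iterable, Set

Allocation = Dict[str, Set[str]]   # agent -> records handed to that agent


def guilt_probabilities(allocations: Allocation, leaked: Set[str],
                        guess_prob: Dict[str, float], default_guess_prob: float) -> Dict[str, float]:
    """Pr[agent is guilty | leaked set S] for every agent (assumed model).

    A leaked record t was either obtained independently, with probability p_t,
    or leaked by one of the |V_t| agents that received it, each equally likely.
    An agent is guilty if it leaked at least one record, so
    Pr[guilty] = 1 - prod over held t in S of (1 - (1 - p_t) / |V_t|).
    """
    holders: Dict[str, Set[str]] = {}            # V_t: who received record t
    for agent, records in allocations.items():
        for t in records:
            holders.setdefault(t, set()).add(agent)
    probs: Dict[str, float] = {}
    for agent, records in allocations.items():
        not_guilty = 1.0
        for t in leaked & records:
            p_t = guess_prob.get(t, default_guess_prob)
            not_guilty *= 1.0 - (1.0 - p_t) / len(holders[t])
        probs[agent] = 1.0 - not_guilty
    return probs


def most_likely_leaker(probs: Dict[str, float]) -> str:
    return max(probs, key=probs.get)


def allocate_min_overlap(records: Iterable[str], requests: Dict[str, int]) -> Allocation:
    """Distribution pattern: each agent receives the number of records it asked
    for, always taking the records currently held by the fewest agents, so the
    sets overlap as little as possible and a leak points at fewer suspects."""
    count = {t: 0 for t in records}
    alloc: Allocation = {}
    for agent, k in requests.items():
        chosen = sorted(count, key=lambda t: (count[t], t))[:k]
        for t in chosen:
            count[t] += 1
        alloc[agent] = set(chosen)
    return alloc


def inject_fake_records(allocations: Allocation, guess_prob: Dict[str, float]) -> Allocation:
    """Give every agent one unique 'realistic but fake' record. It exists
    nowhere else, so its guess probability is 0: finding it at a leak site is
    conclusive for the agent that received it."""
    out: Allocation = {}
    for agent, records in allocations.items():
        fake = f"fake-{agent}"
        guess_prob[fake] = 0.0
        out[agent] = set(records) | {fake}
    return out


# Constructed sample data: three agents, six records, and the set found at a leak site.
ALLOCATIONS: Allocation = {"A": {"t0", "t1", "t2"}, "B": {"t1", "t3", "t4"}, "C": {"t3", "t5"}}
LEAKED = {"t0", "t1", "t3"}
P_GUESS = 0.1   # assumed chance that any record could have been obtained independently

if __name__ == "__main__":
    probs = guilt_probabilities(ALLOCATIONS, LEAKED, {}, P_GUESS)
    print({a: round(p, 4) for a, p in probs.items()}, "->", most_likely_leaker(probs))
    gp: Dict[str, float] = {}
    with_fakes = inject_fake_records(ALLOCATIONS, gp)
    print(guilt_probabilities(with_fakes, {"t1", "fake-A"}, gp, P_GUESS))
```

With the constructed data, agent A has the highest guilt probability because t0 was handed to A alone; once fake records are in play, a fake that surfaces at a leak site identifies its recipient with certainty, while an agent holding nothing from the leaked set scores zero.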

1630 – 1700 Power Consumption Monitoring – An Emerging Threat to Privacy
Mikhail A. Lisovich (Cornell University) Stephen B. Wicker (Cornell University)

The collection of power consumption data in current and future demand-response systems creates serious privacy concerns. In a lax regulatory environment, the detailed household consumption data gathered by advanced metering projects can and will be repurposed by interested parties to reveal personally identifying information, including an individual's activities, preferences, and beliefs. To develop this claim, we begin with an overview of demand-response technologies and their deployment trends. We formalize the notion of privacy and discuss the relevant legal precedents. A list of the types of personal information that can be estimated with current and upcoming monitoring technologies is then developed. To support our list, we conduct a small-scale monitoring experiment on a private residence. Our results show that personal information can be estimated with a high degree of accuracy, even with relatively unsophisticated hardware and algorithms. We discuss the implications of our results for future demand-response projects. Our paper concludes with guidelines for data-handling policies that ensure the protection of privacy.

Thursday, April 3

0900 – 0930 Maelstrom: An Enterprise Continuity Protocol for Financial Data Centers
Ken Birman (Cornell University) Mahesh Balakrishnan (Cornell University) Tudor Marian (Cornell University) Hakim Weatherspoon (Cornell University)

Data centers for financial enterprises face an increasingly difficult problem: as data rates have risen, it is harder and harder to maintain hot-standby systems at a safe distance for use in the event of an emergency. The issue isn't wire speed: optical networks can support data rates as high as 40Gb today and 100Gb is within sight. But even when running on a dedicated optical link, TCP performs poorly, particularly when latency becomes high. In this talk, I'll describe an experimental effort that started with an exploration of the problem as seen in cutting edge networks such as TerraGrid and NLR, then led to the development of Maelstrom [NSDI 2008], a new network appliance that completely eliminates the issue, and the Smoke and Mirrors File System, which runs on Maelstrom and mirrors enterprise data at remote sites. Both achieve very high performance and are shown to be latency-insensitive. The financial services community has already shown interest in this work, and we are hoping to see experimental use of the technology for hot backups by Wall Street firms later this year.

0930 – 1000 Write Markers for Probabilistic Quorum Systems
Michael G. Merideth (Carnegie Mellon University) Michael K. Reiter (University of North Carolina, Chapel Hill)

Probabilistic quorum systems can tolerate a larger fraction of faults than can traditional (strict) quorum systems, while guaranteeing consistency with an arbitrarily high probability for a system with enough replicas. However, they are hampered in that, like strict quorum systems, they allow for Byzantine-faulty servers to collude maximally to provide incorrect values to clients. We present a technique based on write markers that prevents faulty servers from colluding unless they are all also selected to be participants in the same update operations. We show that write markers increase the maximum fraction of faults that can be tolerated to b < n/2 from b < n/2.62, where n is the total number of replicas, for probabilistic masking quorum systems (compared with b < n/4 for strict masking quorum systems) and to b < n/2.62 from b < n/3.15 for probabilistic opaque quorum systems (compared with b < n/5 for strict opaque quorum systems). In addition, with write markers, probabilistic masking quorums no longer require write quorums of large or maximal size in order to tolerate the maximum fraction of faults. We describe an implementation of write markers that is effective even if Byzantine clients collude with faulty servers.

1000 – 1030 Flicker: An Execution Infrastructure for TCB Minimization Jonathan M. McCune (Carnegie Mellon University)

Bryan Parno (Carnegie Mellon University) Adrian Perrig (Carnegie Mellon University) Michael K. Reiter (University of North Carolina, Chapel Hill) Hiroshi Isozaki (Carnegie Mellon University, Toshiba Corp.)

We present Flicker, an infrastructure for executing security-sensitive code in complete isolation while trusting as few as 250 lines of additional code. Flicker can also provide meaningful, fine-grained attestation of the code executed (as well as its inputs and outputs) to a remote party. Flicker guarantees these properties even if the BIOS, OS and DMA-enabled devices are all malicious. Flicker leverages new commodity processors from AMD and Intel and does not require a new OS or VMM. We demonstrate a full implementation of Flicker on an AMD platform and describe our development environment for simplifying the construction of Flicker-enabled code.

TRUST Spring 2008 Conference April 2‐3, 2008 – Berkeley, California  Page 12 of 23 


1100 – 1130 Effective Testing via Symbolic Execution and Input Recombination Daniel Dunbar (Stanford University)

Christian Cadar (Stanford University) Peter Pawlowski (Stanford University) Dawson Engler (Stanford University)

We describe a new architecture for symbolic execution which scales to real applications. We demonstrate an application of this architecture to automated program testing and present a framework that achieves good statement and branch coverage on a variety of applications. Finally, we describe a method for synthesizing larger test cases from generated ones to further improve coverage.

1130 – 1200 Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Corp.)

Michael Y. Levin (Microsoft Corp.) David Molnar (University of California, Berkeley)

Fuzz testing is an effective technique for finding security vulnerabilities in software. Traditionally, fuzz testing tools apply random mutations to well-formed inputs of a program and test the resulting values. We present an alternative whitebox fuzz testing approach inspired by recent advances in symbolic execution and dynamic test generation. Our approach records an actual run of the program under test on a well-formed input, symbolically evaluates the recorded trace, and gathers constraints on inputs capturing how the program uses these. The collected constraints are then negated one by one and solved with a constraint solver, producing new inputs that exercise different control paths in the program. This process is repeated with the help of a code-coverage maximizing heuristic designed to find defects as fast as possible. We have implemented this algorithm in SAGE (Scalable, Automated, Guided Execution), a new tool employing x86 instruction-level tracing and emulation for whitebox fuzzing of arbitrary file-reading Windows applications. We describe key optimizations needed to make dynamic test generation scale to large input files and long execution traces with hundreds of millions of instructions. We then present detailed experiments with several Windows applications. Notably, without any format-specific knowledge, SAGE detects the MS07-017 ANI vulnerability, which was missed by extensive blackbox fuzzing and static analysis tools. Furthermore, while still in an early stage of development, SAGE has already discovered 30+ new bugs in large shipped Windows applications including image processors, media players, and file decoders. Several of these bugs are potentially exploitable memory access violations.
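The record, negate, solve and re-run loop with a coverage-maximizing heuristic that the SAGE abstract describes, as an added illustration that is not the authors' tool: a toy generational search in Python over a constructed four-byte program, where a byte-equality "solver" stands in for a real constraint solver and the target program and its magic bytes are hypothetical.

```python
import heapq
from typing import List, Optional, Set, Tuple

# One path constraint: (input byte index, byte constant compared against,
# outcome of that comparison on the recorded run).
Constraint = Tuple[int, int, bool]


class Tracer:
    """Stands in for SAGE's instruction-level trace: it records every
    comparison the program under test makes between an input byte and a
    constant, together with which way the branch went."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.path: List[Constraint] = []

    def eq(self, idx: int, ch: str) -> bool:
        taken = idx < len(self.data) and self.data[idx] == ord(ch)
        self.path.append((idx, ord(ch), taken))
        return taken


def target(t: Tracer) -> bool:
    """Constructed program under test (hypothetical, not from the page). It
    'crashes' (returns True) once three of four magic bytes are present, a
    condition blackbox mutation of a well-formed seed is unlikely to reach."""
    cnt = 0
    if t.eq(0, "b"):
        cnt += 1
    if t.eq(1, "a"):
        cnt += 1
    if t.eq(2, "d"):
        cnt += 1
    if t.eq(3, "!"):
        cnt += 1
    return cnt >= 3


def run(data: bytes) -> Tuple[bool, List[Constraint]]:
    """Run&Check: execute the target on a concrete input, return (crashed, path)."""
    t = Tracer(data)
    return target(t), t.path


def solve(seed: bytes, path: List[Constraint], j: int) -> Optional[bytes]:
    """Solve path[:j] AND NOT path[j]. The constraint language is byte-equality
    only, so the 'solver' edits the seed (which already satisfies the prefix)
    and rejects the result if an earlier constraint on the same byte breaks."""
    idx, ch, taken = path[j]
    if idx >= len(seed):
        return None
    out = bytearray(seed)
    out[idx] = (ch + 1) % 256 if taken else ch
    for pidx, pch, ptaken in path[:j]:
        if (out[pidx] == pch) != ptaken:
            return None
    return bytes(out)


def generational_search(seed: bytes, max_runs: int = 64) -> Tuple[Optional[bytes], int]:
    """SAGE-style generational search. A child negates one constraint at an
    index >= its parent's bound, so no path is explored twice; the worklist
    is ordered by the coverage heuristic (count of branch outcomes not seen
    before). Returns (first crashing input or None, number of runs used)."""
    crashed, path = run(seed)
    runs = 1
    if crashed:
        return seed, runs
    seen: Set[Constraint] = set(path)
    heap = [(0, 0, seed, 0, path)]        # (-score, tiebreak, input, bound, path)
    tick = 0
    while heap and runs < max_runs:
        _, _, data, bound, path = heapq.heappop(heap)
        for j in range(bound, len(path)):
            child = solve(data, path, j)
            if child is None:
                continue
            crashed, child_path = run(child)
            runs += 1
            if crashed:
                return child, runs
            score = sum(1 for c in child_path if c not in seen)
            seen.update(child_path)
            tick += 1
            heapq.heappush(heap, (-score, tick, child, j + 1, child_path))
    return None, runs
```

Starting from the well-formed seed b"good", the search reaches a crashing input in a dozen runs, where each new generation only negates constraints past the one that produced its parent.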

1200 – 1230 Securing Frame Communication in Browsers Adam Barth (Stanford University)

Collin Jackson (Stanford University) John C. Mitchell (Stanford University)

Web pages embed third-party content in frames, leveraging the browser's security policy to protect themselves from malicious content. Frames are often insufficient isolation primitives because most browsers are lenient and allow the framed content to interact with the rest of the page by navigating other frames. We evaluate current navigation policies, which we determine through extensive browser testing. Based on known and new attacks, we advocate a stricter navigation policy, which we implement and deploy in the open-source browsers. After examining frame isolation, we turn our attention to securing communication between frames. The first method we examine, navigation with fragment identifiers, provides confidentiality without authenticity, which we repair using concepts from a well-known network protocol. The second, postMessage, provides authentication but lacks confidentiality due to an attack we discover. We propose and deploy an improvement to postMessage that adds confidentiality.


KEYNOTE SPEAKER BIOGRAPHY

David Wagner (University of California, Berkeley)

David Wagner is an Associate Professor in the Computer Science Division at the University of California at Berkeley with extensive experience in computer security and cryptography. He and his UC Berkeley colleagues are known for discovering a wide variety of security vulnerabilities in various cellphone standards, 802.11 wireless networks, electronic voting systems, and other widely deployed systems. David is active in the field of e-voting security. David is a co-founder of the ACCURATE center on voting, a member of the federal advisory committee charged with helping draft the next-generation voting standard, and in 2007 he helped to lead California's top-to-bottom review of voting systems certified for use in California. David is a past Alfred P. Sloan Research Fellow and a past CRA Digital Government Fellow. He received an Honorable Mention in the ACM Doctoral Dissertation Award competition for his Ph.D. work.

In order to provide an independent assessment of the voting systems certified for use in California, Secretary of State Debra Bowen initiated a top-to-bottom review of those e-voting systems. She asked Matt Bishop (UC Davis) and David Wagner (UC Berkeley) to recruit a team of experts and lead the review, and she gave the teams unprecedented access to the equipment, source code, and technical information about these voting systems. The study constituted the most comprehensive security analysis of these systems to date, and the results revealed serious shortcomings in the design of these systems. As a result of this study, Secretary Bowen instituted a number of additional safeguards and procedural protections for California's voting systems, and several other states have since taken similar measures.


SPEAKER BIOGRAPHIES

Sergio Bermudez (Cornell University)

Sergio Bermudez is a graduate student in the School of Electrical and Computer Engineering at Cornell University. He received his BS in Electrical and Communications Engineering from Monterrey Institute of Technology, Mexico. His research interests include the analysis of topology, mobility, and security of wireless sensor networks.

Ken Birman (Cornell University)

Ken Birman is Professor of Computer Science at Cornell University. He currently heads the QuickSilver project, which is developing the world's fastest and most scalable publish-subscribe system and a new, highly automated, platform aimed at making it dramatically easier to build scalable clustered applications. Previously he worked on fault-tolerance, security, and reliable multicast. In 1987 he founded a company, Isis Distributed Systems, which developed robust software solutions for stock exchanges, air traffic control, and factory automation. For example, Isis currently operates both the New York and Swiss Stock Exchanges, the French air traffic control system, and the US Navy AEGIS warship. The technology permits these and other systems to automatically adapt themselves when failures or other disruptions occur, and to replicate critical services so that availability can be maintained even while some system components are down. In contrast to his past work, Birman's recent work has focused on issues of scale, self-management and self-repair mechanisms for complex distributed systems, such as large data centers and wide-area publish-subscribe. The very large scale of these kinds of applications poses completely new challenges. For example, while protocols for data replication on a small scale are closely tied to database concepts such as two-phase commit, these large scale applications are best viewed as probabilistic systems, and the most appropriate technologies are similar to techniques seen in peer-to-peer file sharing applications.

Birman is the author of several books. His most recent textbook, Reliable Distributed Computing: Technologies, Web Services, and Applications, was published by Springer-Verlag in May of 2005. Previously he wrote two other books and more than 200 journal and conference papers, including one that appeared in Scientific American in May, 1996. Dr. Birman was also Editor in Chief of ACM Transactions on Computer Systems from 1993-1998 and is a Fellow of the ACM. A complete list of publications can be found at http://www.cs.cornell.edu/ken.


Daniel Dunbar (Stanford University)

Daniel Dunbar is a second-year Ph.D. graduate student at Stanford University in Dawson Engler's group. He works on symbolic execution tools for program testing and bug finding.

Sameer Iyengar (University of California, Berkeley)

Sameer Iyengar is a graduate student in the Electrical Engineering and Computer Sciences department at the University of California, Berkeley. He received his bachelor's degree in EECS from UC Berkeley. His primary research focuses on design challenges in embedded systems, specifically those with bio-medical applications.

Collin Jackson (Stanford University)

Collin Jackson is a fourth-year Ph.D. student in the Department of Computer Science at Stanford University. His research on browser security includes topics in authentication, privacy, and mashup communication.

Adrian P. Lauf (Vanderbilt University)

Adrian Lauf is a Graduate Student in the Department of Electrical Engineering and Computer Science at Vanderbilt University. He received his B.E. in Computer Engineering at Vanderbilt University in 2005, his M.S. in Electrical Engineering in 2007 at Vanderbilt University, and is continuing his studies for a Ph.D. in Electrical Engineering. His research thrust is harbored within the Institute for Software Integrated Systems (ISIS), a research institute part of the Electrical Engineering and Computer Science department at Vanderbilt University. As part of TRUST, he researches computer security and intrusion detection mechanisms applicable to networked, embedded device platforms. Such work can be applied to both civilian and military applications, scalable from a small network size of less than 10 agents to large collections spanning thousands of nodes. He is a student member of the IEEE.


Mikhail A. Lisovich (Cornell University)

Mikhail Lisovich is a second-year Ph.D. student at Cornell University working in Professor Wicker's WISL networks research group. His current interests include emerging privacy concerns in next generation sensor systems, particularly those associated with upcoming demand-response and SCADA technologies. He is also interested in the impact of mobility on large-scale sensor networks, including both problems of initial deployment and the use of mobility to improve sensing effectiveness and network topology.

Bradley Malin (Vanderbilt University)

Bradley Malin is an assistant professor of biomedical informatics at the Vanderbilt University Medical Center. His primary research focus is on data privacy and management issues in biomedical research and clinical management systems. He is the author of numerous scientific articles on data privacy, fraud detection, and surveillance within various technologies, including text databases, biomedical databases, and face recognition systems. His research on the re-identification and privacy protection of patient-specific genomic database records has received several awards from the American Medical Informatics Association and International Medical Informatics Association. Brad holds a bachelor's in molecular biology, a master's in public policy and management, a master's in computer science ("data mining and knowledge discovery"), and a doctorate in computer science ("computation, organizations, and society") from Carnegie Mellon University. Prior to joining Vanderbilt, he was a graduate researcher in the Data Privacy Laboratory at Carnegie Mellon University.

Michael G. Merideth (Carnegie Mellon University)

Mike Merideth is a PhD student advised by Prof. Mike Reiter in the software research (ISR) department of the School of Computer Science at Carnegie Mellon University. Mike received an AB from Bowdoin College, Maine, and an MS from Carnegie Mellon University. He spent a year of his undergraduate studies at the University of Manchester, England, and worked full time in Boston and the Bay Area for three years before coming to CMU. Mike is presently working on the late stages of his thesis research in the area of survivable distributed systems.


David Molnar (University of California, Berkeley)

David Molnar is a graduate student in Electrical Engineering and Computer Sciences at the University of California, Berkeley, advised by David Wagner. His research interests include software security, RFID security and privacy, and cryptography. His most recent work focuses on the problem of improving software testing through symbolic execution and dynamic test generation techniques. David is an NSF Graduate Fellow and a previous holder of an Intel OCR Fellowship.

Deirdre K. Mulligan (University of California, Berkeley)

Deirdre K. Mulligan is the director of the Samuelson Law, Technology & Public Policy Clinic and a clinical professor of law at the UC Berkeley School of Law (Boalt Hall). Before coming to Boalt, she was staff counsel at the Center for Democracy & Technology in Washington. Through the clinic, Mulligan and her students foster the public's interest in new computer and communication technology by engaging in client advocacy and interdisciplinary research, and by participating in developing technical standards and protocols. The clinic's work has advanced and protected the public's interest in free expression, individual privacy, balanced intellectual property rules, and secure, reliable, open communication networks. Mulligan writes about the risks and opportunities technology presents to privacy, free expression, and access and use of information goods. Recent publications about privacy include: "Storing Our Lives Online: Expanded Email Storage Raises Complex Policy Issues," with Ari Schwartz and Indrani Mondal (2005), I/S: A Journal of Law and Policy for the Information Society; and "Reasonable Expectations in Electronic Communications: A Critical Perspective on the Electronic Communications Privacy Act," 72 Geo. Wash. L. Rev. 1557 (2004).

Mulligan was a member of the National Academy of Sciences Committee on Authentication Technology and Its Privacy Implications; the Federal Trade Commission's Federal Advisory Committee on Online Access and Security; and the National Task Force on Privacy, Technology, and Criminal Justice Information. She was a vice-chair of the California Bipartisan Commission on Internet Political Practices and chaired the Computers, Freedom, and Privacy (CFP) Conference in 2004. She is currently a member of the California Office of Privacy Protection's Advisory Council and a co-chair of Microsoft's Trustworthy Computing Academic Advisory Board. She serves on the board of the California Voter Foundation and on the advisory board of the Electronic Frontier Foundation.


Panagiotis Papadimitriou (Stanford University)

Panagiotis Papadimitriou is a graduate student at Stanford University. His advisor is Hector Garcia-Molina in the Stanford Infolab. He received his DiplEng in Electrical and Computer Engineering from National Technical University of Athens (NTUA) in 2006. Panagiotis' research interests include data privacy, data mining and web search.

Adrian Perrig (Carnegie Mellon University)

Adrian Perrig is an Associate Professor in Electrical and Computer Engineering, Engineering and Public Policy, and Computer Science at Carnegie Mellon University. He earned his Ph.D. degree in Computer Science from Carnegie Mellon University, and spent three years during his Ph.D. degree at University of California at Berkeley. He received his B.Sc. degree in Computer Engineering from the Swiss Federal Institute of Technology in Lausanne (EPFL). Adrian's research interests revolve around building secure systems and include Internet security, security for sensor networks and mobile applications, and trusted computing. More information about his research is available on Adrian's web page: http://www.ece.cmu.edu/~adrian/. Adrian is a recipient of the NSF CAREER award in 2004, the IBM faculty fellowship in 2004 and 2005, and the Sloan research fellowship in 2006.

Tanya Roosta (University of California, Berkeley)

Tanya Roosta is in the last year of her Ph.D. in Electrical Engineering and Computer Science at the University of California, Berkeley, after having received her B.S. in EECS there in 2000 and her M.S. there in 2004. Tanya's research interests include sensor network security at the application layer, fault detection, data integrity, reputation systems, sensor correlation modeling, power saving methods, and privacy issues associated with the application of sensors at home. Tanya is also interested in ad-hoc wireless networks, specifically the design of low power protocols at the network and MAC layer as well as robust statistical methods, outlier detection models, statistical modeling and model validation, and the application of game theory to sensor network design.


Bruno Sinopoli (Carnegie Mellon University)

Bruno Sinopoli received his M.S. and Ph.D. in Electrical Engineering from the University of California at Berkeley, in 2003 and 2005 respectively. Previously he received the Dr. Eng. degree from the University of Padova. Dr. Sinopoli is assistant professor in the Department of Electrical and Computer Engineering at Carnegie Mellon University. His research interests include networked embedded control systems, distributed estimation and control, hybrid systems with applications to wireless sensor-actuator networks and system security. Dr. Sinopoli was awarded, jointly with Dr. Schenato, the 2006 Eli Jury Award for outstanding research achievement in the areas of systems, communications, control and signal processing at UC Berkeley.

Allen Y. Yang (University of California, Berkeley)

Allen Y. Yang is a postdoctoral researcher in the department of EECS at UC Berkeley. His primary research is on pattern analysis of geometric or statistical models in very high-dimensional data space, and applications in motion segmentation, image segmentation, face recognition, and signal processing in heterogeneous sensor networks. He has published five journal papers and more than 10 conference papers. He is the co-inventor of two U.S. patent applications. He received his BEng in Computer Science from the University of Science and Technology of China (USTC) in 2001. He received an MS in Electrical Engineering in 2003, an MS in Mathematics in 2005, and a PhD in Electrical and Computer Engineering in 2006, all from the University of Illinois at Urbana-Champaign (UIUC). Among the awards he received are a Best Bachelor's Thesis Award from USTC and a Henry Ford II Scholar Award from UIUC.


NOTES


NOTES (cont.)
