51 research outputs found

    The Design of Efficient Internetwork Authentication for Ubiquitous Wireless Communications

    A variety of wireless technologies have been standardized and commercialized, but no single solution is considered the best to satisfy all communication needs due to different coverage and bandwidth limitations. Therefore, internetworking between heterogeneous wireless networks is extremely important for ubiquitous and high performance wireless communications. The security problem is one of the major challenges in internetworking. To date, most research on internetwork authentication has focused on centralized authentication approaches, where the home network participates in each authentication process. For high latency between the home and visiting networks, such approaches tend to be inefficient. In this paper, we describe chained authentication, which requires collaboration between adjacent networks without involvement of the home network. After categorizing chained protocols, we propose a novel design of chained authentication methods under 3G-WLAN internetworking. The experiments show that proactive context transfer and ticket forwarding reduce the 3G authentication latency to 36.8% and WLAN EAP-TLS latency to 23.1% when RTT between visiting and home networks is 200 ms.

    A Secure and Reliable Bootstrap Architecture

    In a computer system, the integrity of lower layers is treated as axiomatic by higher layers. Under the presumption that the hardware comprising the machine (the lowest layer) is valid, integrity of a layer can be guaranteed if and only if: (1) the integrity of the lower layers is checked, and (2) transitions to higher layers occur only after integrity checks on them are complete. The resulting integrity chain inductively guarantees system integrity. When these conditions are not met, as they typically are not in the bootstrapping (initialization) of a computer system, no integrity guarantees can be made. Yet, these guarantees are increasingly important to diverse applications such as Internet commerce, intrusion detection systems, and active networks. In this paper, we describe the AEGIS architecture for initializing a computer system. It validates integrity at each layer transition in the bootstrap process. AEGIS also includes a recovery process for integrity check failures, and we show how this results in robust systems. We discuss our prototype implementation for the IBM personal computer (PC) architecture, and show that the cost of such system protection is surprisingly small.

    Design and Implementation of Signed Executables for Linux

    We describe the design and implementation of signed executables for Linux, which provide the following strong integrity guarantees: the inability to tamper with executables and the inability to add new unauthorized executables. Unlike other implementations, ours covers statically and dynamically linked executables as well as executable scripts. In addition, we reduced the overhead of signature verification to almost zero by caching the successful verification results. The negligible overhead enables signature verification to be used as a basic building block for other applications of which some are described in this paper. Also UMIACS-TR-2001-4

    VICI Virtual Machine Introspection for Cognitive Immunity

    When systems are under constant attack, there is no time to restore those infected with malware to health manually—repair of infected systems must be fully automated and must occur within milliseconds. After detecting kernel-modifying rootkit infections using Virtual Machine Introspection, the VICI Agent applies a collection of novel repair techniques to automatically restore infected kernels to a healthy state. The VICI Agent operates without manual intervention and uses a form of automated reasoning borrowed from robotics to choose its best repair technique based on its assessment of the current situation, its memory of past engagements, and the potential cost of each technique. Its repairs have proven effective in tests against a collection of common kernel-modifying rootkit techniques. Virtualized systems monitored by the VICI Agent experience a decrease in application performance of roughly 5%.

    The Price of Safety in an Active Network

    Security is a major challenge for "Active Networking": accessible programmability creates numerous opportunities for mischief. The point at which programmability is exposed, e.g., through the loading and execution of code in network elements, must therefore be carefully crafted to ensure security. The SwitchWare active networking research project has studied the architectural implications of various tradeoffs between performance and security. Namespace protection and type safety were achieved with a module loader for active networks, ALIEN, which carefully delineated boundaries for privilege and dynamic updates. ALIEN supports two extensions, the Secure Active Network Environment (SANE), and the Resource Controlled Active Network Environment (RCANE). SANE extends ALIEN's node protection model into a distributed setting, and uses a secure bootstrap to guarantee integrity of the namespace protection system. RCANE provides resource isolation between active network node users, including separate heaps and robust time-division multiplexing of the node. The SANE and RCANE systems show that convincing active network security can be achieved. This paper contributes a measurement-based analysis of the costs of such security with an analysis of each system based on both execution traces and end-to-end behavior.

    Chaining Layered Integrity Checks

    No work the size of this dissertation is done in isolation, and I would like to thank the people who worked with and supported me over the last four years. Harold F. Bower has worked with me on numerous occasions. He found and added the entry points in the BIOS source to call AEGIS. He also served as a sounding board for me in the design of AEGIS, and the AEGIS interrupt service routine (ISR). Hal and I also worked together on a precursor of AEGIS, the Security Enhanced Processor (SEP). The problems encountered with the SEP project led to AEGIS. Hal is also responsible for RATBAG, which is described in Chapter 3. Angelos Keromytis and I jointly designed the protocol used with the AEGIS network recovery and DHCP++. Angelos also served as the ideal person to discuss ideas. He is never shy about telling someone that their idea is nuts. Scott Alexander, Angelos, and I worked together on the design of SANE, Section 7.1. Scott’s contributions are “above the OS”, and mine are “below the OS”. Angelos worked with both Scott and myself, and developed the naming and threat models. Ralph Droms et al. developed the DHCP authentication scheme described in Section 7.2. I developed the delayed aspect of the authentication mechanism along with the threat model.

    Real 802.11 security: Wi-Fi protected access and 802.11i
