16 research outputs found

    MinimaLT: Minimal-latency Networking Through Better Security

    Minimal Latency Tunneling (MinimaLT) is a new network protocol that provides ubiquitous encryption for maximal confidentiality, including protecting packet headers. MinimaLT provides server and user authentication, extensive Denial-of-Service protections, privacy-preserving IP mobility, and fast key erasure. We describe the protocol, demonstrate its performance relative to TLS and unencrypted TCP/IP, and analyze its protections, including its resilience against DoS attacks. By exploiting the properties of its cryptographic protections, MinimaLT is able to eliminate three-way handshakes and thus create connections faster than unencrypted TCP/IP.

    Epochs

    To date, the implementation of message passing languages has required the communications variables (sometimes called ports) either to be limited to the number of physical communications registers in the machine, or to be mapped to memory. Neither solution is satisfactory. Limiting the number of variables decreases modularity and efficiency of parallel programs. Mapping variables to memory increases the cost of communications and the granularity of parallelism. We present here a new programming language construct called epochs. Epochs are a scoping mechanism within which the programmer can declare communications variables, which are live only during the scope of that epoch. To limit the range of time a register has to be allocated for a communications variable, the compiler ensures that all processors enter an epoch simultaneously. The programming style engendered fits somewhere between the SIMD data parallel and MIMD process spawning models. We describe an implementation for epochs including an efficient synchronization mechanism, means of statically binding registers to communications variables and a method of fusing epochs to reduce synchronization overhead.

    Robustly secure computer systems: A new security paradigm of system discontinuity

    For over 30 years, system software has been bound by compatibility with legacy applications. The system software base, whether proprietary or open source, is dominated by the programming language C and the POSIX operating system specification. Even when commercial operating systems stray from this model, they don’t go very far. Unfortunately, the POSIX/C base was constructed in a more benign environment than today and before many security issues were widely understood. Rather than fix these issues, compatibility has been deemed more important than security, and so this base has been kept intact with all its flaws. As a result, programmers routinely create software with security holes—even in the most security-critical software—and today’s systems are easily attacked. We propose a new paradigm of system discontinuity which emphasizes security over compatibility by removing those constructs in our system software which lead to security holes in applications. Of course, removing parts of the interface will break applications, and hence the discontinuity. To deal with this situation, we advocate the use of virtual machines to enable multiple operating systems to run concurrently. Thus high-security OSs can be used for the most security-sensitive applications. Compatibility is maintained for less security-sensitive applications using legacy operating systems. Over time, legacy applications can migrate to a more secure OS, thus raising the security of all applications.

    The GENERIC Programming Language Manual

    GENERIC is a programming language for the description and manipulation of integrated circuits. GENERIC works on the layout level with the designer in complete control of the layout process. To design an integrated circuit, a program is written which hierarchically describes the chip. The dynamic calling structure of the program determines the integrated circuit's hierarchical cell structure. These cells are created by special procedures called generators. Generators are capable of producing completely custom structures; they do not consist of predefined layout. In addition to the specification, GENERIC provides operators for the manipulation of integrated circuit layouts, thus enabling existing geometry to be modified. These modifications can be geometrical, topological or circuit-level. GENERIC is a very high level language. The language is general purpose; the VLSI aspects of the language are layered on top of the basic language as a run-time library. Since the library itself is written in GENERIC, the language is completely extensible.

    Decidable administrative controls based on security properties, 2004. Available at http://www.rites.uic.edu/~solworth/kernelSec.html

    It is a desirable goal for a protection system to be expressive (providing the desired protections), robust (enabling the system to change without invalidating protections), and analyzable (so it can be understood which protections are provided). Of particular interest in analyzing a system is the decidability of security properties. If the system is not analyzable, how does one know what protections are being provided? Protections can be provided at two levels: the ordinary privileges and the ability to change the system via administrative controls. Administrative controls provide a graceful means to perform the inevitable modifications to the system, that is, to provide robust protection systems. To date, existing protection systems are able to achieve at most two of expressibility, robustness, and decidability. In this paper, we explore administrative controls which enable the security properties of information flow to be selectively enforced, and show that they have decidable information flow security properties, thus simultaneously achieving all three of these goals.

    Quarantining untrusted entities: Dynamic sandboxing using LEAP

    Jails, sandboxes and other isolation mechanisms limit the damage from untrusted programs by reducing a process’s privileges to the minimum. Sandboxing is designed to thwart such threats as (1) a program created by an attacker or (2) an input crafted to exploit a security vulnerability in a program. Examples of the latter include input containing interpreted code or machine language to be injected via a buffer overflow. Traditionally, sandboxes are created by an invoking process. This is effective for (1) but only partially so for (2). For example, when a file is downloaded by a browser or processed as a mail attachment, the invoking process can sandbox it. However, sandboxing protections can be circumvented when the file is copied outside the sandbox. The problem is that traditional sandboxes do not provide complete mediation. We introduce dynamic sandboxes, and show how even when data is saved and/or copied, sandboxing protections are not lost. In addition, and in contrast to traditional sandbox implementations, dynamic sandboxes are implemented using general purpose access controls. Not only does this provide a more flexible sandbox mechanism, and enable complete mediation, but these same primitives can be used to build other (non-sandbox) authorization policies.

    Microflow: A Fine-Grain Parallel Processing Approach


    Decidable administrative controls based on security properties

    A security property is a high-level statement about what may occur (is authorized) within a system. One of the oldest such security properties is information flow confidentiality. Given a security property p, it is a desirable goal for an authorization model to be expressive for p (enabling p to be both enforced and violated in different parts of the system), robust (enabling the authorization state to change without invalidating p where it holds), and analyzable (so it can be understood where p holds). Of particular interest in analyzing an authorization model is the decidability of security properties. If the system is not analyzable, how does one know what protections are being provided? Protections can be provided at two levels: the ordinary privileges and the ability to change the system via administrative controls. Administrative controls provide a graceful means to perform the inevitable modifications to the system, that is, to provide robust authorization systems. To date, existing authorization systems are known to achieve at most two of expressibility, robustness, and decidability with respect to a security property. This paper proves that a previously proposed authorization model with administrative controls is decidable with respect to information flow confidentiality, thus simultaneously achieving all three of these goals.

    The Complexity of Discretionary Access Control

    A recent paper presented an access control scheme for discretionary access controls with a decidable safety problem. This paper deals with the complexity analysis of that access control, and finds it to be, in its worst cases, PSPACE-complete, but polynomial time for practical cases. The PSPACE-hardness reduction uses the theory of succinct problems in a more general manner than circuit representation.