Adam J. Lee

NVisionIP: netflow visualizations of system state for security situational awareness

The number of attacks against large computer systems is currently growing at a rapid pace. Despite the best efforts of security analysts, large organizations are having trouble keeping on top of the current state of their networks. In this paper, we describe a tool called NVisionIP that is designed to increase the security analysts situational awareness. As humans are inherently visual beings, NVisionIP uses a graphical representation of a class-B network to allow analysts to quickly visualize the current state of their network. We present an overview of NVisionIP along with a discussion of various types of security-related scenarios that it can be used to detect.

Traust: a trust negotiation-based authorization service for open systems

In recent years, trust negotiation (TN) has been proposed as a novel access control solution for use in open system environments in which resources are shared across organizational boundaries. Researchers have shown that TN is indeed a viable solution for these environments by developing a number of policy languages and strategies for TN which have desirable theoretical properties. Further, existing protocols, such as TLS, have been altered to interact with prototype TN systems, thereby illustrating the utility of TN. Unfortunately, modifying existing protocols is often a time-consuming and bureaucratic process which can hinder the adoption of this promising technology.In this paper, we present Traust, a third-party authorization service that leverages the strengths of existing proto-type TN systems. Traust acts as an authorization broker that issues access tokens for resources in an open system after entities use TN to satisfy the appropriate resource access policies. The Traust architecture was designed to allow Traust to be integrated either directly with newer trust-aware applications or indirectly with existing legacy applications; this exibility paves the way for the incremental adoption of TN technologies without requiring widespread software or protocol upgrades. We discuss the design and implementation of Traust, the communication protocol used by the Traust system, and its performance. We also discuss our experiences using Traust to broker access to legacy resources, our proposal for a Traust-aware version of the GridFTP protocol, and Trausts resilience to attack.

Toward a threat model for storage systems

The growing number of storage security breaches as well as the need to adhere to government regulations is driving the need for greater storage protection. However, there is the lack of a comprehensive process to designing storage protection solutions. Designing protection for storage systems is best done by utilizing proactive system engineering rather than reacting with ad hoc countermeasures to the latest attack du jour. The purpose of threat modeling is to organize system threats and vulnerabilities into general classes to be addressed with known storage protection techniques. Although there has been prior work on threat modeling primarily for software applications, to our knowledge this is the first attempt at domain-specific threat modeling for storage systems. We discuss protection challenges unique to storage systems and propose two different processes to creating a threat model for storage systems: one based on classical security principles Confidentiality, Integrity, Availability, Authentication, or CIAA) and another based on the Data Lifecycle Model. It is our hope that this initial work will start a discussion on how to better design and implement storage protection solutions against storage threats.

Eyeing your exposure: quantifying and controlling information sharing for improved privacy

A large body of research has focused on disclosure policies for controlling information release in social sharing (e.g., location-based) applications. However, less work has considered how exposed these policies actually leave users; i.e., to what extent are disclosures in compliance with these policies actually being made? For instance, consider a disclosure policy granting Alices coworkers access to her location during work hours. Alice might feel that this policy appropriately controls her exposure, but may feel differently if she learned that her boss was accessing her location every 5 minutes. In addition to specifying who has access to personal information, users need a way to quantify, interpret, and control the extent to which this data is shared. We propose and evaluate an intuitive mechanism for summarizing and controlling a users exposure on smartphone-based platforms. Our approach uses the visual metaphor of eyes appearing and growing in size on the home screen; the rate at which these eyes grow depends on the number of accesses granted for a users location, and the type of person (e.g., family vs. friend) making these accesses. This approach gives users an accurate and ambient sense of their exposure and helps them take actions to limit their exposure, all without explicitly identifying the social contacts making requests. Through two systematic user studies (N = 43,41) we show that our interface is indeed effective at summarizing complex exposure information and provides comparable information to a more cumbersome interface presenting more detailed information.

The Traust Authorization Service

In recent years, trust negotiation has been proposed as a novel authorization solution for use in open-system environments, in which resources are shared across organizational boundaries. Researchers have shown that trust negotiation is indeed a viable solution for these environments by developing a number of policy languages and strategies for trust negotiation that have desirable theoretical properties. Further, existing protocols, such as TLS, have been altered to interact with prototype trust negotiation systems, thereby illustrating the utility of trust negotiation. Unfortunately, modifying existing protocols is often a time-consuming and bureaucratic process that can hinder the adoption of this promising technology. In this paper, we present Traust, a third-party authorization service that leverages the strengths of existing prototype trust negotiation systems. Traust acts as an authorization broker that issues access tokens for resources in an open system after entities use trust negotiation to satisfy the appropriate resource access policies. The Traust architecture was designed to allow Traust to be integrated either directly with newer trust-aware applications or indirectly with existing legacy applications; this flexibility paves the way for the incremental adoption of trust negotiation technologies without requiring widespread software or protocol upgrades. We discuss the design and implementation of Traust, the communication protocol used by the Traust system, and its performance. We also discuss our experiences using Traust to broker access to legacy resources, our proposal for a Traust-aware version of the GridFTP protocol, and Trausts resilience to attack.

TrustBuilder2: A Reconfigurable Framework for Trust Negotiation

To date, research in trust negotiation has focused mainly on the theoretical aspects of the trust negotiation process, and the development of proof of concept implementations. These theoretical works and proofs of concept have been quite successful from a research perspective, and thus researchers must now begin to address the systems constraints that act as barriers to the deployment of these systems. To this end, we present TrustBuilder2, a fully-configurable and extensible framework for prototyping and evaluating trust negotiation systems. TrustBuilder2 leverages a plug-in based architecture, extensible data type hierarchy, and flexible communication protocol to provide a framework within which numerous trust negotiation protocols and system configurations can be quantitatively analyzed. In this paper, we discuss the design and implementation of TrustBuilder2, study its performance, examine the costs associated with flexible authorization systems, and leverage this knowledge to identify potential topics for future research, as well as a novel method for attacking trust negotiation systems.

Defeasible security policy composition for web services

The ability to automatically compose security policies created by multiple organizations is fundamental to the development of scalable security systems. The diversity of policies leads to conflicts and the need to resolve priorities between rules. In this paper we explore the concept of defeasible policy composition, wherein policies are represented in defeasible logic and composition is based on rules for non-monotonic inference. This enables policy writers to assert rules tentatively; when policies are composed the policy with the firmest position takes precedence. In addition, the structure of our policies allows for composition to occur using a single operator; this allows for entirely automated composition. We argue that this provides a practical system that can be understood by typical policy writers, analyzed rigorously by theoreticians, and efficiently automated by computers. We aim to partially validate these claims here with a formulation of defeasible policy composition for web services, an emerging foundation for B2B commerce on the World Wide Web.

A privacy-preserving interdomain audit framework

Recent trends in Internet computing have led to the popularization of many forms of virtual organizations. Examples include supply chain management, grid computing, and collaborative research environments like PlanetLab. Unfortunately, when it comes to the security analysis of these systems, the whole is certainly greater than the sum of its parts. That is, local intrusion detection and audit practices are insufficient for detecting distributed attacks such as coordinated network reconnaissance, stepping-stone attacks, and violations of application-level trust constraints between security domains. A distributed process that coordinates information from each member could detect these types of violations, but privacy concerns between member organizations or safety concerns about centralizing sensitive information often restrict this level of information flow. In this paper, we propose a privacy-preserving framework for distributed audit that allows member organizations to detect distributed attacks without requiring the release of excessive private information. We discuss both the architecture and mechanisms used in our approach and comment on the performance of a prototype implementation.

Safety and consistency in policy-based authorization systems

In trust negotiation and other distributed proving systems, networked entities cooperate to form proofs that are justi?ed by collections of certi?ed attributes. These attributes may be obtained through interactions with any number of external entities and are collected and validated over an extended period of time. Though these collections of credentials in some ways resemble partial system snapshots,these systems currently lack the notion of a consistent global state in which the satisfaction of authorization policies should be checked. In this paper, we argue that unlike the notions of consistency studied in other areas of distributed computing, the level of consistency required during policy evaluation is predicated solely upon the security requirements of the policy evaluator. As such,there is little incentive for entities to participate in complicated consistency preservation schemes like those used in distributed computing,distributed databases, and distributed shared memory. We go on to show that the most intuitive notion of consistency fails to provide basic safety guarantees under certain circumstances and then propose several more refined notions of consistency which provide stronger safety guarantees. We provide algorithms that allow each of these re ?ned notions of consistency to be attained in practice with minimal overheads.

Application-Sensitive Access Control Evaluation Using Parameterized Expressiveness

Access control schemes come in all shapes and sizes, which makes choosing the right one for a particular application a challenge. Yet todays techniques for comparing access control schemes completely ignore the setting in which the scheme is to be deployed. In this paper, we present a formal framework for comparing access control schemes with respect to a particular application. The analysts main task is to evaluate an access control scheme in terms of how well it implements a given access control workload (a formalism that we introduce to represent an applications access control needs). One implementation is better than another if it has stronger security guarantees, and in this paper we introduce several such guarantees: correctness, homomorphism, AC-preservation, safety, administration-preservation, and compatibility. The scheme that admits the implementation with the strongest guarantees is deemed the best fit for the application. We demonstrate the use of our framework by evaluating two workloads on ten different access control schemes.