
Publication


Featured research published by David Durham.


ACM Special Interest Group on Data Communication | 2010

Encrypting the internet

Michael E. Kounavis; Xiaozhu Kang; Ken Grewal; Mathew Eszenyi; Shay Gueron; David Durham

End-to-end communication encryption is considered necessary for protecting the privacy of user data in the Internet. Only a small fraction of all Internet traffic, however, is protected today. The primary reason for this neglect is economic, mainly security protocol speed and cost. In this paper we argue that recent advances in the implementation of cryptographic algorithms can make general purpose processors capable of encrypting packets at line rates. This implies that the Internet can be gradually transformed to an information delivery infrastructure where all traffic is encrypted and authenticated. We justify our claim by presenting technologies that accelerate end-to-end encryption and authentication by a factor of 6 and a high performance TLS 1.2 protocol implementation that takes advantage of these innovations. Our implementation is available in the public domain for experimentation.


Distributed Systems Operations and Management | 2007

Mitigating the lying-endpoint problem in virtualized network access frameworks

Ravi Sahita; Uday Savagaonkar; Prashant Dewan; David Durham

Malicious root-kits modify the in-memory state of programs executing on an endpoint to hide themselves from security software. Such attacks negatively affect network-based security frameworks that depend on the trustworthiness of endpoint software. In network access control frameworks this issue is called the lying-endpoint problem, where a compromised endpoint spoofs software integrity reports to render the framework untrustworthy. We present a novel architecture called Virtualization-enabled Integrity Services (VIS) to protect the run-time integrity of network-access software in an untrusted environment. We describe the design of a VIS-protected network access stack, and characterize its performance. We show that a network access stack running on an existing operating system can be protected using VIS with less than 5% overhead, even when each network packet causes protection enforcement.


International Conference on Computer Communications and Networks | 2007

Human Perceivable Authentication: An Economical Solution for Security Associations in Short-Distance Wireless Networking

Men Long; David Durham

A challenge in secure pairing of two wireless devices is how to share a secret between the two devices in a user-friendly manner, as many users practically choose the simplest setup of no security. Various out-of-band (OOB) methods have been proposed in the literature, where either extra hardware is required (e.g. infrared device, digital camera, near-field communication device, USB flash drive, etc.) or wireless devices with a keyboard/display are assumed. In this paper, we propose a novel method of human perceivable authentication (HPA) that, without any extra hardware, achieves industry-standard security for user interface (UI) constrained devices. A feature of the proposed HPA scheme is the simplicity of user operation for device pairing: a user presses and releases a button on an initiating wireless device in concert with the on/off pattern of LED light on a correspondent wireless device. Simulation experiments have been performed to evaluate the usability aspect of the proposed HPA scheme.


IEEE Hot Chips Symposium | 2014

Mitigating exploits, rootkits and advanced persistent threats

David Durham

Presents a collection of slides that address the topic of computer security. Addresses some of the following topics: attacks that are becoming increasingly sophisticated; malware signatures; major areas of vulnerability; and applications and programs for better network and computer security.


net-Con '02 Proceedings of the IFIP TC6 / WG6.2 & WG6.7 Conference on Network Control and Engineering for QoS, Security and Mobility | 2002

Building intelligent traffic engineering solutions

David Durham; Priya Rajagopal; John B. Vicente

In today’s ever more complex IT networked computing environment, it is becoming increasingly necessary to control and automate traditional tasks of provisioning, monitoring and management of network bandwidth and resources. In this paper, we propose an intelligent traffic engineering system to deliver next-generation provisioning and management network services. The proposed solution is capable of providing autonomic control of networks to provision bandwidth, routing and QoS to meet user SLA expectations, and dynamically engineer and manage traffic for optimal stability and performance.


International Symposium on Computers and Communications | 2017

Non-recursive computation of the probability of more than two people having the same birthday

Michael E. Kounavis; Sergej Deutsch; David Durham; Saeedeh Komijani

We address a well known problem of computer science, the problem of computing the probability that a given number of people m > 1 have the same birthday from among the members of a larger set of cardinality n ≥ m. The solution to this problem for m = 2 is well known and is usually referred to as the ‘birthday surprise probability’. A solution for m = 3 is also known and appears in the 2004 paper by DasGupta [The matching, birthday and the strong birthday problem: a contemporary review, Journal of Statistical Planning and Inference]. Further approximations to the solution of the related problem of computing the minimum number of people to interview until m people with the same birthday are found are presented in the seminal work by Klamkin and Newman [Extensions on the birthday surprise, Journal of Combinatorial Theory, 1967]. In this paper we present a new non-recursive approximation for the birthday probability applicable to any value of m > 1, which yields results that are experimentally proven accurate under the assumption that the number of birthdays is significantly larger than the number of people. Our expression is easy to compute, non-recursive, and applicable to values of m that can be arbitrarily larger than 2 or 3. We verify the validity of our result computing the birthday probability for different values of m, over billions of sets of random values generated using the Intel® RDRAND hardware random number generation instruction. Our solution is based on a novel tree-based description of the event space which, if used, allows for the computation of the birthday probability efficiently and without involving recursions or multinomial distributions.


International Symposium on Computers and Communications | 2010

System-wide anatomy and tuning of a SPECweb SSL server

Xiaozhu Kang; Michael E. Kounavis; David Durham

In this paper we present system-wide analysis and performance tuning of a SPECweb SSL server. We focus on the banking workload of SPECweb because this workload is 100% SSL-enabled and thus designed to evaluate the SSL web server performance and capacity. In order to gain insight into the unique characteristics of a SPECweb banking server, we conduct extensive experiments and present module and function-level anatomy data. Based on our results, we propose methods for tuning up the server performance, alleviating some of the bottlenecks. One of our main results is that the SPECweb banking workload may not always be a realistic environment for measuring the capacity of an SSL server, due to the fact that it is burdened with overheads which are not related to cryptography and can be removed.


RFC 2741, IETF | 2000

The COPS (Common Open Policy Service) Protocol

J. Boyle; R. Cohen; Shai Herzog; R. Rajan; A. Sastry; David Durham


IETF RFC 3084 | 2001

COPS Usage for Policy Provisioning (COPS-PR)

Kwok-Ho Chan; John Seligson; David Durham; Silvano Gai; Keith McCloghrie; Shai Herzog; Francis Reichmeyer; Raj Yavatkar; Andrew Smith


Archive | 2000

Distributing policy information in a communication network

Russell J. Fenger; David Durham
