Eran Gabber

How to Make Personalized Web Browising Simple, Secure, and Anonymous

An increasing number of web-sites require users to establish an account before they can access the information stored on that site (“personalized web browsing”). Typically, the user is required to provide at least a unique username, a secret password and an e-mail address. Establishing accounts at multiple web-sites is a tedious task. A security-and privacy-aware user may have to invent a distinct username and a secure password, both unrelated to his/her identity, for each web-site. The user may also desire mechanisms for anonymous e-mail. Besides the information that the user supplies voluntarily to the web-site, additional information about the user may flow (involuntarily) from the users site to the web-site, due to the nature of the HTTP protocol and the cookie mechanism.

Disk scheduling with quality of service guarantees

The paper introduces YFQ, a new disk scheduling algorithm that allows applications to set aside for exclusive use portions of the disk bandwidth. We implemented YFQ as part of the Eclipse/BSD operating system, which is derived from FreeBSD, a version of 4.4 BSD Unix. YFQs disk bandwidth reservations can guarantee file accesses with high throughput, low delay, and good fairness. Such quality of service (QoS) guarantees to individual applications unfortunately can also hinder global disk scheduling optimizations. We propose and evaluate several disk scheduling enhancements that promote global optimizations and give to YFQ aggregate disk throughput approaching that of FreeBSDs conventional disk scheduler, which does not provide QoS guarantees. We believe that our enhancements may be helpful also in other disk scheduling algorithms.

Consistent, yet anonymous, Web access with LPWA

In recent years the World Wide Web WWW has become an immensely popular and powerful medium To attract more users many web sites o er personalized services whereby users identify themselves and register their information preferences On return visits they conveniently receive a personalized selection of information However personalized services raise user concerns with respect to convenience and privacy

Curbing Junk E-Mail via Secure Classification

We introduce a new method and system to curb junk e-mail by employing extended e-mail addresses. It enables a party to use her (core) e-mail address with different extensions and consequently classify incoming e-mail messages according to the extension they were sent to. Our contributions are threefold: First, we identify the components of a system that realizes the concept of extended e-mail addresses and investigate the functionality of these components in a manner which is backwards compatible to current e-mail tools. Secondly, we specify an adversarial model, and give the necessary properties of extended e-mail addresses and of the procedure to obtain them in the presence of the adversary. Finally, we design cryptographic functions that enable realizing extended e-mail addresses which satisfy these properties.

On secure and pseudonymous client-relationships with multiple servers

This paper introduces a cryptographic engine, Janus, which assists clients in establishing and maintaining secure and pseudonymous relationships with multiple servers. The setting is such that clients reside on a particular subnet (e.g., corporate intranet, ISP) and the servers reside anywhere on the Internet. The Janus engine allows each client-server relationship to use either weak or strong authentication on each interaction. At the same time, each interaction preserves privacy by neither revealing a clients true identity (except for the subnet) nor the set of servers with which a particular client interacts. Furthermore, clients do not need any secure long-term memory, enabling scalability and mobility. The interaction model extends to allow servers to send data back to clients via e-mail at a later date. Hence, our results complement the functionality of current network anonymity tools and remailers. The paper also describes the design and implementation of the Lucent Personalized Web Assistant (LPWA), which is a practical system that provides secure and pseudonymous relations with multiple servers on the Internet. LPWA employs the Janus function to generate site-specific person , which consist of alias usernames, passwords, and e-mail addresses.

How to prove where you are: tracking the location of customer equipment

Monitoring the location of customer equipment is an important problem in the direct broadcasting sateMte indw try. This is because the service providers wotdd We to pr~ vent unauthorized movement of a customer’s set top terminal (STT) from a home to a pubtic venue, or acro~ an international border, due to tious kancid, copyright and po~ticd issues. h this paper we study four schemw for detecting the movement of the an STT using the ~ting (or emerging) communication tiastructttre. We start with the currently used scheme which is based on the telephone network’s ~ or Cm (cdlw-~) featurw, and show how it can be undermined. Then we suggest three new schem= which are more robust than the cder ~ scheme one that that uses the Globrd Positioning System (GPS), one that uses the cefldar phone’s enhanced 911 (E911) service, and one that measur~ the tim~Werenceof-arriti of the sateMte’s broadcast. We ~ the accuracy, featur~ and vtdnerabtities of ed scheme. We *O present possible attacks that Mow pirates to coned their movement when these schemw are employed. due to pirated decoders. Therefore the management of the decryption keys is central to the d=ign of such systems (see [MQ95]). An important aspect of key management is how the keys for the n% b~g period are dodoaded into the customer’s STT. Modern DBS systems typicWy use a “callback” (or %eturn path”) scheme for this purpose Once every b~ig period, the STT makw a phone cdl to the service provider, authenticate itse~, and dodoads the new keys.

Move-to-rear list scheduling: a new scheduling algorithm for providing QoS guarantees

In order to support multiple real time applications on a sin gle platform the operating system must provide Quality of Service QoS guarantees so that the system resources can be provisioned among applications to achieve desired levels of predictable performance The traditional QoS pa rameters include fairness delay and throughput In this paper we introduce a new QoS criterion called cumulative service The cumulative service criterion relates the total service obtained by a process under a scheduling policy to the ideal service that the process would have accumulated by executing on each resource at a reserved rate We say that a scheuling policy provides a cumulative service guar antee if the performance of the real system di ers from the ideal system by at most a constant amount A cumulative service guarantee is vital for applications e g a continous media le service that require multiple resources and de mand predictable aggregated throughput over all these re sources Existing scheduling algorithms that guarantee tra ditional QoS paramaters do not provide cumulative service guarantees We present a new scheduling algorithm called Move To Rear List Scheduling which provides a cumulative service guarantee as well as the traditional guarantees such as fairness proportional sharing and bounded delay The complexity of MTR LS is O ln n where n is the number

Let's put NetApp and CacheFlow out of business!

We believe that a lightweight and portable specialized file system library can provide applications with performance close to that of special-built appliances running on closed proprietary operating systems. Moreover, the application may execute on commodity hardware with a general-purpose operating system, and with minimal changes to the application source code. Such a file system would allow anyone to build cheap, high-performance appliances. We present the design of Hummingbird, a file system for caching web proxies. Hummingbird is 6-11 times faster than a general-purpose file system when serving a web proxy cache.

Building appliances out of components using Pebble

Appliances are special purpose systems that offer high processing speed, ease of configuration, safety, fault isolation, and minimal need for administration by human experts. Traditional approaches to building an appliance operating system have been either building it from scratch [CacheOS] or stripping down a monolithic kernel to its basic components [Jaeger99]. The former approach is costly and the resulting product is likely to be highly specialized and not easily extensible. The latter approach is not easy, as the OS code and data structures are often shared and closely intertwined. The resulting OS is also likely to be coarse-grained and not easily customizable. Most appliances are network-centric (e.g. HTTP caches, proxies, file servers, routers) in the sense that they require high-performance network connections. Such performance is often achieved with application-specific specialization of system I/O [Cao95] requiring a modification of a portion of the operating system, such as the protocol stack or the file system.Safety is a major concern for appliances, since new functions are constantly added, and there is never enough time to debug all possible interactions, especially when third party software is running on the appliance. The problem is more severe with legacy software written in C or other unsafe languages (in contrast with type-safe languages such as Java). Extensible routers are an example of network appliances where custom software processing has to be quickly added and safety is paramount. Diagnostic code and custom (e.g. multimedia) schedulers are also examples of extensions that appliances will need to support.Resource management is especially important for appliances. New operating system abstractions such as paths [Mosberger96], resource containers [Banga99], reservation domains [Bruno98] and activities [Jones95] have been proposed for resource management and control. We believe that an appliance operating system should be flexible enough to support such abstractions. It should also be able to overlay resource management in modular operating systems without such support.Pebble [Gabber99] is a component-based operating system that combines efficient IPC with strong modularity and safety features. Pebble provides the necessary infrastructure for building fine-grained, modular operating systems for appliances out of reusable components. We found that a typical network appliance application (e.g. a Web server) built on Pebble using components has comparable performance to a traditional monolithic kernel. In this way, there is no performance reason not to use a safer, more modular component structure for such appliances. Moreover, we claim that Pebble is a general purpose operating system framework that allows us to implement diverse OS structures and mechanisms, alleviating the need for writing specialized operating systems from scratch.

Smart box architecture: a hybrid solution for IP QoS provisioning

Abstract This work proposes a hybrid solution, called the smart box architecture (SBoX), that provides quality of service (QoS) in internet protocol (IP)-based networks. SBoX architecture consists of SBoX servers, which are located at the network boundary, and SBoX routers, which are add-on label switching routers (LSR), which are located at interior network nodes. This approach combines the advantages of three existing technologies: integrated services (Intserv), differentiated services (Diffserv), and multi-protocol label switching (MPLS). SBoX aggregates traffic in three levels: commodity-flows, macro-flows and micro-flows. Commodity-flows aggregate flow between every pair of edge points. The packets of the same commodity-flow are marked by an MPLS label. Commodity-flows are composed of macro-flows, which aggregate the traffic of a particular enterprise. Macro-flows are associated with an explicit service level agreement (SLA), which is offered to users. Macro-flows are composed of micro-flows, which are the traffic associated with a particular individual in an enterprise or a particular application. SBoX servers provide Diffserv like SLA to users, and use class-based queuing (CBQ) with a hierarchy of flow aggregation. SBoX servers manage macro-flows and commodity-flows only, and leave the management of micro-flows to the enterprise/users which signed the SLA for the macro-flow. SBoX routers perform MPLS routing of commodity-flows in interior network nodes. SBoX routers can be combined with existing best-effort routers to provide QoS in a network that lacks end-to-end deployment of LSRs. This paper describes the SBoX architecture and its operation in detail. It also reports experimental results obtained on a prototype network. The results indicate that the SBoX architecture can indeed provide guaranteed performance in a congested network, and that SBoX routers can be combined with commodity best-effort routers to enable QoS in a heterogeneous network.