
Publication


Featured research published by José Carlos Brustoloni.


international conference on multimedia computing and systems | 1999

Disk scheduling with quality of service guarantees

John Louis Bruno; José Carlos Brustoloni; Eran Gabber; Banu Özden; Abraham Silberschatz

The paper introduces YFQ, a new disk scheduling algorithm that allows applications to set aside for exclusive use portions of the disk bandwidth. We implemented YFQ as part of the Eclipse/BSD operating system, which is derived from FreeBSD, a version of 4.4 BSD Unix. YFQ's disk bandwidth reservations can guarantee file accesses with high throughput, low delay, and good fairness. Such quality of service (QoS) guarantees to individual applications unfortunately can also hinder global disk scheduling optimizations. We propose and evaluate several disk scheduling enhancements that promote global optimizations and give to YFQ aggregate disk throughput approaching that of FreeBSD's conventional disk scheduler, which does not provide QoS guarantees. We believe that our enhancements may be helpful also in other disk scheduling algorithms.


operating systems design and implementation | 1996

Effects of buffering semantics on I/O performance

José Carlos Brustoloni; Peter Steenkiste

We present a novel taxonomy that characterizes in a structured way the software and hardware tradeoffs for I/O data passing between applications and operating system. This work contributes new techniques, input-disabled pageout, transient output copy-on-write, and input alignment, that are used for copy avoidance in an optimized buffering semantics, emulated copy. Emulated copy offers the same API and integrity guarantees as those of copy semantics and, therefore, can transparently replace it. We implemented an I/O framework, Genie, that allows applications to select any semantics in the taxonomy. Using Genie for communication between PCs and AlphaStations over an ATM network at 155 Mbps, we found that all non-copy semantics performed similarly, and that only copy semantics had distinctly inferior performance. We analyzed end-to-end latencies in terms of the costs of primitive data passing operations and modeled how those costs scale with CPU, memory, and network speeds. The analysis suggests that current trends tend to intensify the observed performance clustering. The main conclusion is that existing I/O interfaces with copy semantics, such as that of Unix, can be transparently converted to emulated copy semantics and thus achieve performance comparable to the best obtainable with any semantics in the taxonomy.


acm symposium on applied computing | 2009

Bayesian bot detection based on DNS traffic similarity

Ricardo Villamarín-Salomón; José Carlos Brustoloni

Bots often are detected by their communication with a command and control (C&C) infrastructure. To evade detection, botmasters are increasingly obfuscating C&C communications, e.g., by using fastflux or peer-to-peer protocols. However, commands tend to elicit similar actions in bots of a same botnet. We propose and evaluate a Bayesian approach for detecting bots based on the similarity of their DNS traffic to that of known bots. Experimental results and sensitivity analysis suggest that the proposed method is effective and robust.


international world wide web conferences | 2005

Hardening Web browsers against man-in-the-middle and eavesdropping attacks

Haidong Xia; José Carlos Brustoloni

Existing Web browsers handle security errors in a manner that often confuses users. In particular, when a user visits a secure site whose certificate the browser cannot verify, the browser typically allows the user to view and install the certificate and connect to the site despite the verification failure. However, few users understand the risk of man-in-the-middle attacks and the principles behind certificate-based authentication. We propose context-sensitive certificate verification (CSCV), whereby the browser interrogates the user about the context in which a certificate verification error occurs. Considering the context, the browser then guides the user in handling and possibly overcoming the security error. We also propose specific password warnings (SPW) when users are about to send passwords in a form vulnerable to eavesdropping. We performed user studies to evaluate CSCV and SPW. Our results suggest that CSCV and SPW can greatly improve Web browsing security and are easy to use even without training. Moreover, CSCV had greater impact than did staged security training.


symposium on usable privacy and security | 2007

Improving security decisions with polymorphic and audited dialogs

José Carlos Brustoloni; Ricardo Villamarín-Salomón

Context-sensitive guidance (CSG) can help users make better security decisions. Applications with CSG ask the user to provide relevant context information. Based on such information, these applications then decide or suggest an appropriate course of action. However, users often deem security dialogs irrelevant to the tasks they are performing and try to evade them. This paper contributes two new techniques for hardening CSG against automatic and false user answers. Polymorphic dialogs continuously change the form of required user inputs and intentionally delay the latter, forcing users to pay attention to security decisions. Audited dialogs thwart false user answers by (1) warning users that their answers will be forwarded to auditors, and (2) allowing auditors to quarantine users who provide unjustified answers. We implemented CSG against email-borne viruses on the Thunderbird email agent. One version, CSG-PD, includes CSG and polymorphic dialogs. Another version, CSG-PAD, includes CSG and both polymorphic and audited dialogs. In user studies, we found that untrained users accept significantly less unjustified risks with CSG-PD than with conventional dialogs. Moreover, they accept significantly less unjustified risks with CSG-PAD than with CSG-PD. CSG-PD and CSG-PAD have insignificant effect on acceptance of justified risks.


international conference on computer communications | 1999

Interoperation of copy avoidance in network and file I/O

José Carlos Brustoloni

Copy avoidance techniques for network I/O often assume that server buffers are ephemeral (i.e., are deallocated as soon as I/O processing completes). Such techniques cannot be used for file I/O, where buffers may need to be cached long-term. Mapped file I/O, however, can easily provide copy avoidance for cached server buffers. This paper demonstrates experimentally that mapped file I/O interoperates correctly with emulated copy, a previously proposed copy avoidance scheme for ephemeral server buffers. The resulting solution allows data to be passed between networks and file systems without copying and without changing existing interfaces. Greatest benefits are obtained when copying is avoided both in network and file I/O. Two new optimizations are contributed: header patching, for stripping packet headers and restoring page alignment without hardware support; and user-directed page swapping, for passing data between regions without copying. These optimizations are useful also for network I/O with operating system bypass or with noncopy semantics.


Journal of Computing and Information Science in Engineering | 2006

Intellectual Property Protection in Collaborative Design through Lean Information Modeling and Sharing

Yan Wang; Pamela N. Ajoku; José Carlos Brustoloni; Bartholomew O. Nnaji

ing intellectual property is vital to maintain organizational competence in today’s global business environment. In this paper, a lean information modeling and sharing framework is described to support engineering data security management in a peer-to-peer collaborative environment. It allows for selective and interoperable data sharing with fine-grained access control at both the server and client sides, thus securing different levels of design information dissemination for intellectual property protection purposes. The considerations of time and value-adding activity with roles, policy delegation relation in a distributed context, and fine-grained control at data set level in the model are to adhere to the general least privilege principle in access control. Heterogeneous design data are exchanged selectively through an eXtensible Markup Language common interface, which provides a neutral format to enhance data interoperability and prevents reverse engineering. DOI: 10.1115/1.2190235


Lecture Notes in Computer Science | 2004

Detecting and Blocking Unauthorized Access in Wi-Fi Networks

Haidong Xia; José Carlos Brustoloni

Academic and commercial 802.11 hotspots often use an SSL-secured captive portal to authenticate clients. Captive portals provide good usability and interoperability, but poor security. After a captive portal has authenticated a client, session hijacking and freeloading allow attackers to capture or use the client’s session. Freeloading does not require special tools and, surprisingly, is strengthened by the (widely recommended) use of personal firewalls. We propose and evaluate novel defenses against these attacks, session id checking and MAC sequence number tracking, both of which are transparent to clients and do not require changes in client computers. Experiments demonstrate that the proposed defenses are effective against the mentioned attacks and have little overhead.


scalable trusted computing | 2007

UCLinux: a Linux security module for trusted-computing-based usage controls enforcement

David Kyle; José Carlos Brustoloni

Usage controls allow the distributor of some information to limit how recipients of that information may use it. The Trusted Computing Group has standardized Trusted Platform Modules (TPMs) that are built into an increasing number of computers and could greatly harden usage controls against circumvention. However, existing operating systems support TPMs only partially. We describe UCLinux, a novel Linux Security Module that, unlike previous work, supports TPM-based attestation, sealing, and usage controls on existing processors and with minimal modifications in the operating system kernel and applications. Experiments show that UCLinux has modest impact on the system's boot latency and run-time performance.


international conference on computer communications | 1997

Copy emulation in checksummed, multiple-packet communication

José Carlos Brustoloni; Peter Steenkiste

Data copying can be a bottleneck in end-to-end communication over high-speed networks. Emulated copy is an alternative I/O data passing scheme that preserves the API and integrity guarantees of copying but avoids the latter using virtual memory manipulations - transient output copy-on-write (TCOW), input alignment, and page swapping. We characterize and evaluate the support necessary in network adapters for emulated copy in checksummed, multiple-packet communication. Our experiments on an ATM network show that: (1) emulated copy gives performance better than that of copying even without hardware checksumming support; (2) TCOW improves multiple-packet output performance without any hardware support or changes in applications; (3) page swapping provides additional similar improvements on multiple-packet input if there is input alignment, which requires either hardware support (early-demultiplexed/system-aligned buffering) or changes in applications (pooled/application-aligned buffering); and (4) The performance of application-aligned buffering is largely unaffected by header/data splitting, a common optimization. We propose a new optimization, buffer snap-off, that extends system-aligned buffering to the general case of arbitrary, unmatched data transfer and application input buffer lengths.

Collaboration


Dive into José Carlos Brustoloni's collaboration.

Top Co-Authors


Peter Steenkiste

Carnegie Mellon University


Haidong Xia

University of Pittsburgh


David Kyle

University of Pittsburgh
