Lenin Singaravelu

Reducing TCB complexity for security-sensitive applications: three case studies

The large size and high complexity of security-sensitive applications and systems software is a primary cause for their poor testability and high vulnerability. One approach to alleviate this problem is to extract the security-sensitive parts of application and systems software, thereby reducing the size and complexity of software that needs to be trusted. At the system software level, we use the Nizza architecture which relies on a kernelized trusted computing base (TCB) and on the reuse of legacy code using trusted wrappers to minimize the size of the TCB. At the application level, we extract the security-sensitive portions of an already existing application into an AppCore. The AppCore is executed as a trusted process in the Nizza architecture while the rest of the application executes on a virtualized, untrusted legacy operating system. In three case studies of real-world applications (e-commerce transaction client, VPN gateway and digital signatures in an e-mail client), we achieved a considerable reduction in code size and complexity. In contrast to the few hundred thousand lines of current application software code running on millions of lines of systems software code, we have AppCores with tens of thousands of lines of code running on a hundred thousand lines of systems software code. We also show the performance penalty of AppCores to be modest (a few percent) compared to current software.

Spidle: a DSL approach to specifying streaming applications

Multimedia stream processing is a rapidly evolving domain which requires much software development and expects high performance. Developing a streaming application often involves low-level programming, critical memory management, and finely tuned scheduling of processing steps.To address these problems, we present a domain-specific language (DSL) named Spidle, for specifying streaming applications. Spidle offers high-level and declarative constructs; compared to general-purpose languages (GPL), it improves robustness by enabling a variety of verifications to be performed.To assess the expressiveness of Spidle in practice, we have used it to specify a number of standardized and special-purpose streaming applications. These specifications are up to 2 times smaller than equivalent programs written in a GPL such as C.We have implemented a compiler for Spidle. Preliminary results show that compiled Spidle programs are roughly as efficient as the compiled, equivalent C programs.

A Secure Information Flow Architecture for Web Service Platforms

Current Web service platforms (WSPs) often perform all Web services-related processing, including security-sensitive information handling, in the same protection domain. Consequently, the entire WSP may have access to security-sensitive information, forcing us to trust a large and complex piece of software. To address this problem, we propose ISO-WSP, a new information flow architecture that decomposes current WSPs into a small trusted T-WSP to handle security-sensitive data and a large, legacy untrusted U-WSP that provides the normal WSP functionality. To achieve end-to-end security, the application code is also decomposed into a small trusted part and the remaining untrusted code. The trusted part encapsulates all accesses to security-sensitive data through a secure functional interface (SFI). To ease the migration of legacy applications to ISO-WSP, we developed tools to translate direct manipulations of security-sensitive data by the untrusted part into SFI invocations. Using a prototype implementation based on the Apache Axis2 WSP, we show that ISO-WSP reduces software complexity of trusted components by a factor of five, while incurring a modest performance overhead of few milliseconds per request. We also show that existing applications can be migrated to run on ISO-WSP with a few tens of lines of new and modified code.

Fine-Grain Adaptive Compression in Dynamically Variable Networks

Despite voluminous previous research on adaptive compression, we found significant challenges when attempting to fully utilize both network bandwidth and CPU. We describe the fine-grain (FG) mixing strategy that compresses and sends as much data as possible, and then uses any remaining bandwidth to send uncompressed packets. Experimental measurements show that FG mixing achieves significant gains in effective throughput, particularly at higher network bandwidths. However, non-trivial interactions between system components and layers (e.g., compression algorithms and middleware settings such as block size and buffer size) have significant impact on the overall system performance. Finally, the trade-offs and performance profiles of FG mixing are measured, observed, and found to be consistent over a wide range of combinations of compression algorithms (GZIP, LZO, BZ1P2), workload compression ratios (from 1 to 4), and network bandwidth (from 0 to 400 Mbps)

Fine-Grain, End-to-End Security for Web Service Compositions

Web service composition introduces two research challenges to end-to-end integrity and confidentiality of information flow. First, component services need the ability to selectively read or modify information flows. Second, component web services may or may not be trusted by all participants in the same degree. Existing specifications such as WS-security provide fine-grained signatures and encryption for pair-wise interactions, but insufficient support for end-to-end security properties in open environments. Using an electronic prescription application, we illustrate the need for an enhanced framework for providing end-to-end security properties. We then describe a fine-grained, security framework, called WS-FESec, that leverages WS-security to support flexible preservation of end-to-end integrity and confidentiality in web service compositions. Finally, we discuss WS-FESecs support for the lattice model of secure information flow and show how it can be employed to preserve end-to-end security properties in the electronic prescriptions application.

Guarding Sensitive Information Streams through the Jungle of Composite Web Services

Complex and dynamic web service compositions may introduce unpredictable and unintentional sharing of security-sensitive data (e.g., credit card numbers) as well as unexpected vulnerabilities that cause information leak. This paper describes a fine-grain access policy specification of security-sensitive data items for each component web service. We propose the SF-Guard architecture to enforce these access policies at component web services. A prototype implementation of SF-Guard (on Apache Axis2) and its evaluation show that effective protection of security-sensitive information can be achieved at low overhead (a few percent addition to response time) while preserving the functionality of flexible web service composition.

A Secure Information Flow Architecture for Web Services

Current Web service platforms (WSPs) often perform all Web services-related processing, including security-sensitive information handling, in the same protection domain. Consequently, the entire WSP may have access to security-sensitive information such as credit card numbers, forcing us to trust a large and complex piece of software. To address this problem, we propose ISO-WSP, a new information flow architecture that decomposes current WSPs into two parts executing in separate protection domains: (1) a small trusted T-WSP to handle security-sensitive data, and (2) a large, legacy untrusted U-WSP that provides the normal WSP functionality, but uses the T-WSP for security-sensitive data handling. By restricting security-sensitive data access to T-WSP, ISO-WSP reduces the software complexity of trusted code, thereby improving the testability of ISO-WSP. Using a prototype implementation based on the Apache Axis2 WSP, we show that ISO-WSP reduces software complexity of trusted components by a factor of five, while incurring a modest performance overhead of few milliseconds per request.