Publication


Featured research published by Luigi Catuogno.


international conference on trusted systems | 2009

Trusted virtual domains – design, implementation and lessons learned

Luigi Catuogno; Alexandra Dmitrienko; Konrad Eriksson; Dirk Kuhlmann; Gianluca Ramunno; Ahmad-Reza Sadeghi; Steffen Schulz; Matthias Schunter; Marcel Winandy; Jing Zhan

A Trusted Virtual Domain (TVD) is a coalition of virtual machines and resources (e.g., network, storage) that are distributed over multiple physical platforms and share a common security policy. The concept of TVDs and their usage scenarios have been studied extensively. However, details on certain implementation aspects have not been explored in depth yet, such as secure policy deployment and integration of heterogeneous virtualization and trusted computing technologies. In this paper, we present implementation aspects of the life cycle management of TVDs. We describe the components and protocols necessary to realize the TVD design on a cross-platform architecture and present our prototype implementation for the Xen and L4 microkernel platforms. In particular, we discuss the need for and the realization of intra-TVD access control, a hypervisor abstraction layer for simplified TVD management, necessary components of a TVD policy and revocation issues. We believe that these integration details are essential and helpful inputs for any large-scale real-world deployment of TVDs.


Journal of Network and Computer Applications | 2014

A trusted versioning file system for passive mobile storage devices

Luigi Catuogno; Hans Löhr; Marcel Winandy; Ahmad-Reza Sadeghi

Versioning file systems are useful in applications like post-intrusion file system analysis, or reliable file retention and retrievability as required by legal regulations for sensitive data management. Secure versioning file systems provide essential security functionalities such as data integrity, data confidentiality, access control, and verifiable audit trails. However, these tools build on top of centralized data repositories operating within a trusted infrastructure. They often fail to offer the same security properties when applied to repositories lying on decentralized, portable storage devices like USB flash drives and memory chip cards. The reason is that portable storage devices are usually passive, i.e., they cannot enforce any security policy on their own. Instead, they can be plugged into any (untrusted) platform which may not correctly maintain or may intentionally corrupt the versioning information on the device. However, we point out that analogous concerns are also raised in those scenarios in which data repositories are hosted by outsourced cloud-based storage services whose providers might not satisfy certain security requirements. In this paper we present TVFS: a Trusted Versioning File System which stores data on untrusted storage devices. TVFS has the following features: (1) file integrity and confidentiality; (2) trustworthy data retention and retrievability; and (3) verifiable history of changes in a seamless interval of time. With TVFS any unauthorized data change or corruption (possibly resulting from being connected to an untrusted platform) can be detected when the device is connected to a legitimate trusted platform again. We present a prototype implementation and discuss its performance and security properties. We highlight that TVFS could fit those scenarios where different stakeholders concurrently access and update shared data, such as financial and e-health multiparty services as well as civil protection application systems such as hazardous waste tracing systems, where the ability to reliably keep track of document history is a strong (or legally enforced) requirement.


workshop in information security theory and practice | 2010

On the security of a two-factor authentication scheme

Luigi Catuogno; Clemente Galdi

In this paper we evaluate the security of a two-factor Graphical Password scheme proposed in [1]. As in the original paper, we model the attack of a passive adversary as a boolean formula whose truth assignment corresponds to the user secret. We show that there exist a small number of secrets that a passive adversary cannot extract, independently of the amount of information she manages to eavesdrop. We then experimentally evaluate the security of the scheme. Our tests show that the number of sessions the adversary needs to gather in order to be able to extract the user's secret is relatively small. However, the amount of time needed to actually extract the user secret from the collected information grows exponentially in the system parameters, making the secret extraction unfeasible. Finally we observe that the graphical password scheme can be easily restated as a device-to-device authentication mechanism.


International Journal of Information Security | 2014

Analysis of a two-factor graphical password scheme

Luigi Catuogno; Clemente Galdi

Graphical passwords are a promising research branch, but the implementation of many proposed schemes often requires considerable resources (e.g., data storage, high quality displays), making their usage difficult on small devices, such as old-fashioned ATM terminals. Furthermore, most of the time, such schemes lack a careful security analysis. In this paper, we analyze the security and usability of an authentication mechanism that can be instantiated as a graphical password scheme. We model the information an adversary might extract by analyzing the transcripts of authentication sessions as a boolean formula. Our experiments show that the time needed by a passive adversary to extract the user secret in the last presented protocol grows exponentially in the system parameter, giving evidence of the security of the proposed scheme.


The Computer Journal | 2004

An Architecture for Kernel-Level Verification of Executables at Run Time

Luigi Catuogno; Ivan Visconti

Digital signatures have been proposed by several researchers as a way of preventing execution of malicious code. In this paper we propose a general architecture for performing the signature verification as part of the kernel execution process. The proposed architecture does not require any change in the interpreters used to execute code and it can accommodate any executable format. We also report on our implementation for the Linux operating system that focuses on ELF and script executables. Experimental results show that our solution is of potential interest as virtually no slowdown is experienced in the execution.


Datenschutz und Datensicherheit - DuD | 2010

Trusted virtual domains: Color your network

Luigi Catuogno; Hans Löhr; Mark Manulis; Ahmad-Reza Sadeghi; Christian Stüble; Marcel Winandy

Trusted Virtual Domains (TVDs) provide a secure IT infrastructure offering a homogeneous and transparent enforcement of access control policies on data and network resources. In this article, we give an overview of the fundamental ideas and basic concepts behind TVDs, present a realization of TVDs, and discuss application scenarios.


ambient intelligence | 2014

On user authentication by means of video events recognition

Luigi Catuogno; Clemente Galdi

Graphical password schemes have been widely analyzed in the last couple of decades. Typically such schemes are not resilient to adversaries who are able to collect a considerable amount of session transcripts, and can process them automatically in order to extract the secret. In this paper we discuss a possible enhancement to graphical passwords aimed at making it infeasible for the attacker to automatically process the collected transcripts. In particular, we investigate the possibility of replacing static graphical challenges with on-the-fly edited videos. In our approach, the system challenges the user by showing her a short film containing a number of pre-defined pass-events and the user replies with the proof that she recognized such events. We present a proof-of-concept prototype, FilmPW, and discuss some issues related to event life-cycle management. Our preliminary experiments show that such an authentication mechanism is well accepted by users and achieves low error rates.


The Journal of Supercomputing | 2014

A secure file sharing service for distributed computing environments

Aniello Castiglione; Luigi Catuogno; Aniello Del Sorbo; Ugo Fiore; Francesco Palmieri

Distributed cryptographic file systems enable file sharing among their users and need the adoption of a key management scheme for the distribution of the cryptographic keys to authorized users according to their specific degree of trust. In this paper we describe the architecture of a basic secure file sharing facility relying on a multi-party threshold-based key-sharing scheme that can be overlaid on top of existing stackable networked file systems, and discuss its application to the implementation of distributed cryptographic file systems. It provides flexible access control policies supporting multiple combinations of roles and trust profiles. A proof-of-concept prototype implementation within the Linux operating system framework demonstrated its effectiveness in terms of performance and security robustness.


international symposium on industrial electronics | 2013

On asynchronous enforcement of security policies in “Nomadic” storage facilities

Ilsun You; Luigi Catuogno; Aniello Castiglione; Giuseppe Cattaneo

The fast advance in networked and ubiquitous computing leads to remarkable innovation also in data storage technologies. The classical local/remote storage dichotomy has been enriched by the introduction of new hardware and networking technologies such as plenty of different kinds of solid-state storage devices (e.g., USB pen drives) as well as several advanced distributed serverless storage facilities such as peer-to-peer file sharing networks and cloud-based storage services (SaaS). Such sample technologies can be considered as the endpoints of a wide range of storage facilities that, although characterized by important technological differences, share several crucial security issues. Indeed, such kinds of storage (here referred to as “nomadic”) could undermine data security and privacy within large organizations even if they adopt strong security policies. This paper faces the problem of enforcing security policies within a security domain whose nodes are not permanently connected to each other, mainly concerning the protection of data stored on nomadic data stores. The authors survey some solutions available in the literature that could potentially fit this scenario with the aim of defining a framework to secure such storage facilities in terms of file system engineering. To this end, two practical scenarios leveraging nomadic storage facilities are discussed: (1) the deployment of USB storage devices to asynchronously share sensitive data, and (2) facing assurance requirements in managing large projects conducted by cooperating independent communities of software developers (such as the so-called Open Source Community) by means of Distributed Revision Control Systems.


innovative mobile and internet services in ubiquitous computing | 2015

The Dark Side of the Interconnection: Security and Privacy in the Web of Things

Luigi Catuogno; Stefano Turchi

The Web of Things (WoT) promises to dramatically boost the potential of interconnecting smart and physical devices over the Internet, as it not only enhances the ergonomics and productivity of the Internet of Things (IoT), but also introduces new capabilities for device interoperation and data aggregation and analysis. These advances pose the challenge of preserving data security and privacy (S&P), as well as the reliability of the overall infrastructure. Deploying existing S&P solutions and technologies in the WoT is not straightforward because of its potential vastness, its intrinsic inhomogeneity and the wide variety of involved entities and interests. In such a scenario, every choice comes from a non-trivial trade-off among different aspects including security, availability and legal issues. In this paper, we investigate the nature of this trade-off, pointing out the different kinds of S&P issues and surveying some of the available solutions. In addition, we discuss the major issues raised while securing an existing WoT infrastructure.

Collaboration

Top co-authors of Luigi Catuogno:

Clemente Galdi (University of Naples Federico II)
Ahmad-Reza Sadeghi (Technische Universität Darmstadt)
Hans Löhr (Ruhr University Bochum)