Suresh Chari

Towards Sound Approaches to Counteract Power-Analysis Attacks

Side channel cryptanalysis techniques, such as the analysis of instantaneous power consumption, have been extremely effective in attacking implementations on simple hardware platforms. There are several proposed solutions to resist these attacks, most of which are ad-hoc and can easily be rendered ineffective. A scientific approach is to create a model for the physical characteristics of the device, and then design implementations provably secure in that model, i.e, they resist generic attacks with an a priori bound on the number of experiments. We propose an abstract model which approximates power consumption in most devices and in particular small single-chip devices. Using this, we propose a generic technique to create provably resistant implementations for devices where the power model has reasonable properties, and a source of randomness exists. We prove a lower bound on the number of experiments required to mount statistical attacks on devices whose physical characteristics satisfy reasonable properties.

BlueBoX: A policy-driven, host-based intrusion detection system

Detecting attacks against systems has, in practice, largely been delegated to sensors, such as network intrustion detection systems. However, due to the inherent limitations of these systems and the increasing use of encryption in communication, intrusion detection and prevention have once again moved back to the host systems themselves. In this paper, we describe our experiences with building BlueBox, a host-based intrusion detection system. Our approach, based on the technique of system call introspection, can be viewed as creating an infrastructure for defining and enforcing very fine-grained process capabilities in the kernel. These capabilities are specified as a set of rules (policies) for regulating access to system resources on a per executable basis. The language for expressing the rules is intuitive and sufficiently expressive to effectively capture security boundaries.We have prototyped our approach on Linux operating system kernel and have built rule templates for popular daemons such as Apache and wu-ftpd. Our design has been validated by testing against a comprehensive database of known attacks. Our system has been designed to minimize the kernel changes and performance impact and thus can be ported easily to new kernels. We describe the motivation and rationale behind BlueBox, its design, implementation on Linux, and how it relates to prior work on detecting and preventing intrusions on host systems.

SMash: secure component model for cross-domain mashups on unmodified browsers

Mashup applications mix and merge content (data and code) from multiple content providers in a users browser, to provide high-value web applications that can rival the user experience provided by desktop applications. Current browser security models were not designed to support such applications and they are therefore implemented with insecure workarounds. In this paper, we present a secure component model, where components are provided by different trust domains, and can interact using a communication abstraction that allows ease of specification of a security policy. We have developed an implementation of this model that works currently in all major browsers, and addresses challenges of communication integrity and frame-phishing. An evaluation of the performance of our implementation shows that this approach is not just feasible but also practical.

Randomness-Optimal Unique Element Isolation withApplications to Perfect Matching and Related Problems

In this paper, we precisely characterize the randomness complexity of the unique element isolation problem, a crucial step in the

Security Issues in M-Commerce: A Usage-Based Taxonomy

RNC

Improved Algorithms via Approximations of Probability Distributions

algorithm for perfect matching due to Mulmuley, Vazirani, and Vazirani [Combinatorica, 7 (1987), pp. 105--113] and in several other applications. Given a set

Security 360°: Enterprise security for the cognitive era

S

Authentication for Distributed Web Caches

and an unknown family

Improving the resilience of content distribution networks to large scale distributed denial of service attacks

{\cal F} \subseteq 2^S

Randomness-optimal unique element isolation, with applications to perfect matching and related problems

with