Publication


Featured research published by W. Michael Petullo.


computer and communications security | 2013

MinimaLT: minimal-latency networking through better security

W. Michael Petullo; Xu Zhang; Jon A. Solworth; Daniel J. Bernstein; Tanja Lange

MinimaLT is a new network protocol that provides ubiquitous encryption for maximal confidentiality, including protecting packet headers. MinimaLT provides server and user authentication, extensive Denial-of-Service protections, privacy-preserving IP mobility, and fast key erasure. We describe the protocol, demonstrate its performance relative to TLS and unencrypted TCP/IP, and analyze its protections, including its resilience against DoS attacks. By exploiting the properties of its cryptographic protections, MinimaLT is able to eliminate three way handshakes and thus create connections faster than unencrypted TCP/IP.


computer and communications security | 2016

Studying Naive Users and the Insider Threat with SimpleFlow

Ryan V. Johnson; Jessie Lass; W. Michael Petullo

Most access control systems prohibit illicit actions at the moment they seem to violate a security policy. While effective, such early action often clouds insight into the intentions behind negligent or willful security policy violations. Furthermore, existing control mechanisms are often very low-level; this hinders understanding because controls must be spread throughout a system. We propose SimpleFlow, a simple, information-flow-based access control system which allows illicit actions to occur up until sensitive information would have left the local network. SimpleFlow marks such illicit traffic before transmission, and this allows network devices to filter such traffic in a number of ways. SimpleFlow can also spoof intended recipients to trick malware into revealing application-layer communication messages even while blocking them. We have written SimpleFlow as a modification to the Linux kernel, and we have released our work as open source.


ieee symposium on security and privacy | 2014

Ethos' Deeply Integrated Distributed Types

W. Michael Petullo; Wenyuan Fei; Jon A. Solworth; Pat Gavlin

Programming languages have long incorporated type safety, increasing their level of abstraction and thus aiding programmers. Type safety eliminates whole classes of security-sensitive bugs, replacing the tedious and error-prone search for such bugs in each application with verifying the correctness of the type system. Despite their benefits, these protections often end at the process boundary, that is, type safety holds within a program but usually not to the file system or communication with other programs. Existing operating system approaches to bridge this gap require the use of a single programming language or common language runtime. We describe the deep integration of type safety in Ethos, a clean-slate operating system which requires that all program input and output satisfy a recognizer before applications are permitted to further process it. Ethos types are multilingual and runtime-agnostic, and each has an automatically generated unique type identifier. Ethos bridges the type-safety gap between programs by (1) providing a convenient mechanism for specifying the types each program may produce or consume, (2) ensuring that each type has a single, distributed-system-wide recognizer implementation, and (3) inescapably enforcing these type constraints.


Proceedings of the 2017 International Workshop on Managing Insider Security Threats | 2017

Using VisorFlow to Control Information Flow without Modifying the Operating System Kernel or its Userspace

Matt Shockley; Chris Maixner; Ryan V. Johnson; Mitch DeRidder; W. Michael Petullo

VisorFlow aims to monitor the flow of information between processes without requiring modifications to the operating system kernel or its userspace. VisorFlow runs in a privileged Xen domain and monitors the system calls executing in other domains running either Linux or Windows. VisorFlow uses its observations to prevent confidential information from leaving a local network. We describe the design and implementation of VisorFlow, describe how we used VisorFlow to confine naïve users and malicious insiders during the 2017 Cyber-Defense Exercise, and provide performance measurements. We have released VisorFlow and its companion library, libguestrace, as open-source software.


international workshop on security | 2015

Improving Application Security through TLS-Library Redesign

Leo St. Amour; W. Michael Petullo

Research has revealed a number of pitfalls inherent in contemporary TLS libraries. Common mistakes when programming using their APIs include insufficient certificate verification and the use of weak cipher suites. These programmer errors leave applications susceptible to man-in-the-middle attacks. Furthermore, current TLS libraries encourage system designs which leave the confidentiality of secret authentication and session keys vulnerable to application flaws. This paper introduces libtlssep (pronounced lib·tē·el·sep), a new, open-source TLS library which provides a simpler API and improved security architecture. Applications that use libtlssep spawn a separate process whose role is to provide one or more TLS-protected communication channels; this child process assures proper certificate verification and isolates authentication and session keys in its separate memory space. We present a security, programmability, and performance analysis of libtlssep.


symposium on sdn research | 2018

PivotWall: SDN-Based Information Flow Control

Tj OConnor; William Enck; W. Michael Petullo; Akash Verma

Advanced Persistent Threats (APTs) commonly use stepping stone attacks that allow the adversary to move laterally undetected within an enterprise network towards a target. Existing network security techniques provide limited protection against such attacks, because they lack intra-network mediation and the context of information semantics. We propose PivotWall, a network security defense that extends information flow tracking on each host into network-level defenses. PivotWall uses a novel combination of information-flow tracking and Software Defined Networking (SDN) to detect a wide range of attacks used by advanced adversaries, including those that abuse both application- and network-layer protocols. It further enables a variety of attack responses including traffic steering, as well as advanced mechanisms for forensic analysis. We show that PivotWall incurs minimal impact on network throughput and latency for untainted traffic and less than 58% overhead for tainted traffic. As such, we demonstrate the utility of information flow tracking as a defense against advanced network-level attacks.


Archive | 2013

Simple-to-use, Secure-by-design Networking in Ethos

W. Michael Petullo; Jon A. Solworth


usenix security symposium | 2016

The Use of Cyber-Defense Exercises in Undergraduate Computing Education.

W. Michael Petullo; Kyle Moses; Ben Klimkowski; Ryan Hand; Karl Olson


Archive | 2013

Authentication in Ethos

W. Michael Petullo; Jon A. Solworth


ieee symposium on security and privacy | 2015

On the Generality and Convenience of Etypes

W. Michael Petullo; Joseph Suh

Collaboration


W. Michael Petullo's top co-authors and their affiliations.

Top Co-Authors

Jon A. Solworth, University of Illinois at Chicago
Daniel J. Bernstein, University of Illinois at Chicago
Xu Zhang, University of Illinois at Chicago
Tanja Lange, Eindhoven University of Technology
Akash Verma, North Carolina State University
Ben Klimkowski, United States Military Academy
Chris Maixner, United States Military Academy
Jessie Lass, United States Military Academy
Joseph Suh, United States Military Academy
Karl Olson, United States Military Academy