Jefferson's Wheel

The Special Issue of IEEE Security and Privacy Magazine that I co-edited with Sal Stolfo on The Science of Security is now available.

It includes:

• David Evans and Sal Stolfo. Guest Editor’s Introduction: The Sciecne of Security [PDF].
• Sal Stolfo, Steven Bellovin, and David Evans. Measuring Security [PDF]

as well as three selected special issue articles: Security Modeling and Analysis (by Jason Bau and John Mitchell), On Adversary Models and Compositional Security (by Anupam Datta, Jason Franklin, Deepak Garg, Limin Jia, and Dilsun Kaynar), and Provable Security in the Real World (by Jean Paul Degabriele, Kenneth G. Paterson, and Gaven J. Watson).

I also gave a presentation about A Research Agenda for Scientific Foundations of Security at the NITRD Federal Cyber-Security Research event organized at Oakland 2011. 25 May 2011, Berkeley CA. [PPTX, PDF]

Yan Huang and Peter Chapman presented a poster and demo at Oakland 2011 conference on Secure Computation on Smartphones.

Our paper on how to use untrusted cloud services like Google Docs to edit and manage documents, without trusting them with your content, is now available:

Yan Huang and David Evans. Private Editing Using Untrusted Cloud Services. Second International Workshop on Security and Privacy in Cloud Computing. Minneapolis, Minnesota. 24 June 2011. [PDF, 10 pages]

Yan will present the paper at the workshop on June 24.

Abstract

We present a general methodology for protecting the confidentiality and integrity of user data for a class of on-line editing applications. The key insight is that many of these applications are designed to perform most of their data-dependent computation on the client side, so it is possible to maintain their functionality while only exposing an encrypted version of the document to the server. We apply our methodology to Google Documents and describe a prototype extension tool that enables users to use a cloud application to manage their documents without sacrificing confidentiality or integrity. To provide adequate performance, we employ an incremental encryption scheme and extend it to support variable-length blocks. We analyze the security of our scheme and report on experiments that show our extension preserves most of the cloud application’s functionality with less than 10% overhead for typical use.

http://www.mightbeevil.com/securedocs/

Our USENIX WebApps 2011 Paper is now available:

Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans. GuardRails: A Data-Centric Web Application Security Framework. 2nd USENIX Conference on Web Application Development (WebApps 2011). Portland, Oregon, 15-16 June 2011.

Abstract
Modern web application frameworks have made it easy to create powerful web applications. Developing a secure web application, however, still requires a developer to posses a deep understanding of security vulnerabilities and attacks. Even for experienced developers it is tedious, if not impossible, to find and eliminate all vulnerabilities. This paper presents GuardRails, a source-to-source tool for Ruby on Rails that helps developers build secure web applications. GuardRails works by attaching security policies defined using annotations to the data model itself. GuardRails produces a version of the input application that automatically enforces the specified policies. GuardRails helps developers prevent a myriad of security problems including cross-site scripting attacks and access control violations while providing a large degree of flexibility to support a range of policies and development styles.

Full paper (12 pages): [PDF]
GuardRails website

Jonathan Burket, Patrick Mutchler, Michael Weaver, and Muzzammil Zaveri will present GuardRails: A (Nearly) Painless Solution to Insecure Web Applications at the RubyNation conference in Reston (near Washington, DC), on April 2.

With web applications continuing to grow in popularity and frameworks becoming simpler to use, creating a web application is easier than ever. While building an application may be straightforward, ensuring that it is secure requires both a deep understanding of subtle security vulnerabilities as well as tedious and careful insertion of security checks. We propose GuardRails, an open source source-to-source tool for Ruby on Rails applications that adds extra layers of security to web applications with only minimal effort from the developer. GuardRails works by attaching security policies to the data itself. These policies are automatically enforced throughout the application, without the need for the developer to write large amounts of code. Our system helps prevent against a variety of security vulnerabilities from CrossSite Scripting to faulty access controls without requiring the developer to have a sophisticated knowledge of web security.

Our paper on using lattice ciphers for low-power public-key encryption targeted to RFID tags is now available. Yu Yao will present the paper in Wuxi, China in April.

Yu Yao, Jiawei Huang, Sudhanshu Khanna, abhi shelat, Benton Highsmith Calhoun, John Lach, and David Evans. A Sub-0.5V Lattice-Based Public-Key Encryption Scheme for RFID Platforms in 130nm CMOS. 2011 Workshop on RFID Security (RFIDsec’11 Asia)
Wuxi, China. 6-8 April 2011.

Abstract: Implementing public-key cryptography on passive RFID tags is very challenging due to the limited die size and power available. Typical public-key algorithms require complex logical components such as modular exponentiation in RSA. We demonstrate the feasibility of implementing public-key encryption on low-power, low cost passive RFID tags to large-scale private identification. We use Oded Regev’s Learning-With-Error (LWE) cryptosystem, which is provably secure under the hardness assumption of classic lattice problems. The advantage of using the LWE cryptosystem is its intrinsic computational simplicity (the main operation is modular addition). We leverage the low speed of RFID application by using circuit design with supply voltage close to transistor threshold (V_t) to lower power. This paper presents protocols for using the LWE cipher to provide private identification, evaluates a design for implementing those protocols on passive RFID tags, and reports on simulation experiments that demonstrate the feasibility of this approach.

Full paper (19 pages): [PDF]

We’ve released our code and paper on efficient privacy-preserving biometric identification:

Yan Huang (University of Virginia), Lior Malka (Intel/University of Maryland), David Evans (University of Virginia), and Jonathan Katz (University of Maryland). Efficient Privacy-Preserving Biometric Identification. To appear in 18^th Network and Distributed System Security Conference (NDSS 2011), 6-9 February 2011. [PDF, 14 pages]

We present an efficient matching protocol that can be used in many privacy-preserving biometric identification systems in the semi-honest setting. Our most general technical contribution is a new backtracking protocol that uses the by-product of evaluating a garbled circuit to enable efficient oblivious information retrieval. We also present a more efficient protocol for computing the Euclidean distances of vectors, and optimized circuits for finding the closest match between a point held by one party and a set of points held by another. We evaluate our protocols by implementing a practical privacy-preserving fingerprint matching system.

Yan will present the paper at NDSS in February. The code for our system is available under the MIT open source license.

flickr cc: didbygraham

Jonathan Burket, Patrick Mutchler, Michael Weaver and Muzzammil Zaveri will present GuardRails at AppSec DC on Wednesday, 10 November. The conference is at the Walter E. Washington Convention Center in Washington, DC.

GuardRails is a framework for automating many of the tasks necessary to build a security web application. For more, see the talk abstract: GuardRails: A Nearly Painless Solution to Insecure Web Applications. (and video and slides will appear there soon)

Update 9 December: The slides are here [PDF].

Yuchen Zhou will present a paper [PDF] on HTTP-only cookies and why it is so hard to deploy security technologies at Web 2.0 Security and Privacy (attached to the Oakland conference) on May 20.

HTTP-only cookies were introduced eight years ago as a simple way to prevent cookie-stealing through cross-site scripting attacks. Adopting HTTP-only cookies seems to be an easy task with no significant costs or drawbacks, but many major websites still do not use HTTP-only cookies. This paper reports on a survey of HTTP-only cookie use in popular websites, and considers reasons why HTTP-only cookies are not yet more widely deployed.

The list of papers accepted to the 31st IEEE Symposium on Security and Privacy is now posted:
http://oakland10.cs.virginia.edu/papers.html.

The PC accepted 26 research papers (from 237 submissions) and 5 Systematization of Knowledge papers (from 30 submissions).

Hope to see everyone at the conference in Berkeley this May!