PORTIA Robert Grimm New York University Security Challenges for Rich-Media Educational Environments

The Chasm in Medicine  Scientific knowledge  Rapid advances in molecular biology  Medical practice  Reduced lengths-of-stay in hospitals  Increased compartmentalization  Chasm is self-widening  Specialization helps keep up with sciences, costs down  Existing solutions do not work  Outpatient care for education, PCPs for practice ÜResult: Ever harder to train “good” physicians

Crossing the Chasm: The IRMEE Project at NYU  NYU-wide collaboration  Medicine, computer science, libraries, center for teaching excellence, center for advanced technology, IT  Goal: Integration  Across specializations  Between theory and practice  Across geographical boundaries and time  Chosen approach: Web-based rich-media environment  Provides lifelong access to educational & scientific content  Structures content along narrative lines  Fosters community of students and practitioners

Prototypes in Use, Have Impact  Complemented by guided discussion on bulletin board

Where Do We Go from Here?  Content  Better evaluations through script concordance tests  More modules  Authoring is labor- and resource-intensive, does not scale  Focus on exchanging content with other authors  XML schema being co-developed with University of Pittsburgh  Delivery infrastructure  Existing multi-tier architecture does not scale  We need a scalable and affordable solution  Focus for the rest of this talk, but keep IRMEE in mind

Building a Scalable & Affordable Implementation Platform  Active CDN (Content Distribution Network)  Interposes on client/server interactions (DNS redirection)  Authoritative content remains on server  Caches static content  Executes application-specific scripts  For dynamic content creation as well as transformation  Why another edge-side computing platform?  Familiar programming model for web developers  As added benefit, easier to provide resource controls, security  General structured overlay: Distributed Hash Table  Easier to leverage advances in peer-to-peer technologies

Integrity and Privacy Issues for Active CDNs  Nodes in peer-to-peer overlay generally untrusted  Though, local nodes may be trusted  Connection-oriented security (SSL) inappropriate  End-to-end negates CDN, hop-by-hop negates security  Resource-oriented security required  Servers sign or encrypt content  Trusted proxy verifies signatures, decrypts content  What about dynamically generated/transformed content?  Scripts still may execute on any node (for p2p load balancing)  But trusted proxy probabilistically verifies dynamic content and adjusts reputation based on results

What’s Missing?  Reputation-based security model  Selection of content to verify  Scoring and accumulation of results  Exchange of results  Centralized blacklists vs. web of trust  HTTP extensions for resource-based security  Beware of interaction with caching  E.g., sign only headers but not body, include hash of body  Experiences from real deployment  On the Wild Wild Web, surprising things may happen  E.g., see Pai et al., The Dark Side of the Web, HotNets ‘03

The Larger Issue  Securely placing functionality (computations & storage) on untrusted nodes placed between clients and servers