
1 Security Research in Project Oxygen
Srini Devadas, Ronald L. Rivest
Students: Burnside, Clarke, Gassend, Kotwal, Raman
Oxygen Visitors: Marten van Dijk (Philips); Kevin Chuang, Shawn Wang (Acer)

2 Oxygen Alliance Annual Meeting — June 12 - 13, 2002 Srini Devadas — Lab for Computer Science
Major Question
How can we securely utilize a multitude of inexpensive, potentially untrustworthy, potentially indistinguishable devices?

3 Approaches
– Security automation for cheap devices: proxy-based security protocols, access controlled resource discovery
– Two-way user/proxy authentication through untrusted devices: secure image verification & secure user authentication
– Secure hardware architectures: physical unknown functions on-chip

4 Intentional Naming
Resource discovery and service location system for dynamic networks
Uses a simple language based on attributes and values to identify resources
Language used to describe the desired resource
– Applications describe what they are looking for, not where to find it
[Figure: intentional name [building = lcs [floor = 2 [service = printer [load <= 4]]]] (INS) alongside host name pulp.lcs.mit.edu (DNS)]

5 Intentional Naming
[Figure: NAME-TREE. Node labels: root; service, location; printer, camera, lcs, ai-lab, speakers, mit; name-record]

6 Integrating Security into INS
INS is a naming service; designed to be a layer below security
– No built-in mechanism to implement access control
– Cannot explicitly reject requests from unauthorized users
Integrate access control decision making into INS
Application should find best resource to which it has access
– Increases scalability and performance
– Costly to perform full authentication check

7 The Naïve Solution
[Figure: K21 Proxy queries the Intentional Naming Service with [service = printer [load <= 2]]. NAME-TREE node labels: root; service, location; printer 1, printer 2, lcs, ai-lab, printer 3, mit. Printer 1 Proxy: User A, User C. Printer 2 Proxy: User D. Printer 3 Proxy: User A, User B. Labels: printer1.lcs.mit.edu, printer2.lcs.mit.edu, printer3.lcs.mit.edu, each with authentication [user B].]

8 A Scalable Solution
[Figure: Cricket Beacon, Cricket Listener, K21 (wireless comm.), K21 Proxy, Intentional Name Routers, Printer Proxy. Labels: {print to closest, least-loaded printer}; name; pulp.lcs.mit.edu; {request}; proxy-to-proxy security.]

9 Key Ideas
Store ACL as attribute-value pair on each resource proxy AND at nodes of the INS name-tree
INS routers maintain dynamic name-trees
– Propagate ACLs up the tree when they are modified
– “OR” (∨) ACLs at each parent node
Access Control decisions made during traversal
– Name-Lookup algorithms will eliminate resources based on membership in intermediate ACLs
K21 Proxy performs transitive closure of its certificates and sends appropriate rules to INS with request

10 Integration of Access Control
[Figure: NAME-TREE (root; service, location; printer, camera, lcs, ai-lab, speakers, mit; name-record) with resource-level ACLs ACL 1, ACL 2, ACL 3. Labels: name record resolution; periodic updates; constructed ACL: ACL 1 ∨ ACL 2 ∨ ACL 3.]

11 System Architecture Revisited
[Figure: Cricket Beacon, Cricket Listener, K21 (wireless comm.), K21 Proxy, Intentional Name Routers, Printer Proxy. Labels: {print to closest, least-loaded printer}; name; 192.168.0.45; {request} (*); proxy-to-proxy security.]
K21’s Certificates:
– K1 students → K2 students
– K2 students → Kc
Transitive Closure of K21’s Certificates:
– K2 students → Kc
– K1 students → K2 students
– (*) K1 students → Kc

12 Scalable Solution
[Figure: K21 Proxy queries the Intentional Naming Service with [service = printer [load <= 2]] && [Relevant Certificates]. NAME-TREE node labels: root; service, location; printer 1 (ACL 1), printer 2 (ACL 2), lcs, ai-lab, printer 3 (ACL 3), mit; constructed ACL: ACL 1 ∨ ACL 2 ∨ ACL 3. Printer 1 Proxy: User A, User C. Printer 2 Proxy: User D. Printer 3 Proxy: User A, User B. Labels: printer3.lcs.mit.edu; authentication [user B] (shown once).]
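The pruning described on the Key Ideas and Scalable Solution slides, as an added Python example that is not from the presentation: ACLs are OR'ed up a simplified name-tree, and a lookup drops any subtree whose constructed ACL excludes the requester. It assumes a rule X → Y means Y belongs to name X and that the requester holds key Kc; the tree layout, loads, the camera branch (camera1.example) and keys Ka, Kd, Kx are constructed for illustration.

```python
# Added example, not from the presentation; tree, loads and keys Ka/Kd/Kx are constructed.
class Node:
    def __init__(self, name, acl=(), load=None, children=()):
        self.name, self.load, self.children = name, load, list(children)
        self.own_acl = frozenset(acl)   # resource-level ACL (empty on inner nodes)
        self.acl = self.own_acl         # constructed ACL, filled in by propagate()

def propagate(node):
    """Bottom-up pass: a node's constructed ACL is the OR (union) over its subtree."""
    node.acl = node.own_acl.union(*(propagate(c) for c in node.children))
    return node.acl

def names_for(key, rules):
    """Closure: every name N with N -> key derivable (assumes X -> Y means Y belongs to X)."""
    reached, todo = set(), [key]
    while todo:
        cur = todo.pop()
        if cur not in reached:
            reached.add(cur)
            todo += [name for name, member in rules if member == cur]
    return reached

def lookup(node, principals, max_load, visited):
    """Name lookup that drops any subtree whose constructed ACL excludes the requester."""
    visited.append(node.name)
    if not (node.acl & principals):
        return []                       # pruned: nothing below can grant access
    if not node.children:
        return [node.name] if node.load <= max_load else []
    return [h for c in node.children for h in lookup(c, principals, max_load, visited)]

def naive_auth_count(node, max_load):
    """Naive strategy: every name match costs one full authentication at a proxy."""
    if not node.children:
        return int(node.load <= max_load)
    return sum(naive_auth_count(c, max_load) for c in node.children)

RULES = [("K1 students", "K2 students"), ("K2 students", "Kc")]  # as on slide 11
ROOT = Node("root", children=[
    Node("service=printer", children=[
        Node("printer1.lcs.mit.edu", acl={"Ka"}, load=1),
        Node("printer2.lcs.mit.edu", acl={"Kd"}, load=2),
        Node("printer3.lcs.mit.edu", acl={"Ka", "K1 students"}, load=2)]),
    Node("service=camera", children=[Node("camera1.example", acl={"Kx"}, load=0)])])
propagate(ROOT)

def demo():
    visited = []
    return lookup(ROOT, names_for("Kc", RULES), 2, visited), visited, naive_auth_count(ROOT.children[0], 2)
```

demo() returns the accessible matches, the nodes the lookup touched, and the number of full authentications the naive strategy would have attempted for the same query.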

13 Results
If naïve strategy queries more than one resource, then the scalable (OR’ed ACL) strategy outperforms it.
For large number of resources (> 100), naïve strategy is not feasible
– Could take several seconds to find accessible resource
ACL maintenance can be performed periodically and does not cause significant network overheads

