CS 563

Reading Assignments Spring 2020

Access Control and Privilege Separation (MAC)

Access control is oldest and most storied subject in computer security, but the influence of pioneering work in this space is often less obvious in modern work. We will foudational concepts from the access control space, tracing its evolution to the current literature.

Preliminaries: Ravi S. Sandhu. ``Lattice-Based Access Control Models.'' IEEE Computer 1993.

Student-Presented Papers:
  1. Lester J. Fraim. ``Scomp: A Solution to the Multilevel Security Problem.'' IEEE Computer 1983.
  2. David D. Clark and David R. Wilson. ``A Comparison of Commercial and Military Computer Security Policies.'' IEEE Security and Privacy 1987.
  3. Trent Jaeger, Reiner Sailer, and Xiaolan Zhang. ``Analyzing Integrity Protection in the SELinux Example Policy.'' USENIX Security 2003.
  4. Umesh Shankar, Trent Jaeger, and Reiner Sailer. ``Toward Automated Information-Flow Integrity Verification for Security-Critical Applications.'' ISOC NDSS 2006.
  5. Andrei Sabelfeld and Andrew C. Myers. ``Language-Based Information Flow Security.'' IEEE JSAC 2003.
  6. Andrew C. Myers and Barbara Liskov. ``A Decentralized Model for Information Flow Control.'' ACM SOSP 1997.
  7. Maxwell Krohn, Alexander Yip, Micah Brodsky, Natan Cliffer, M. Frans Kaashoek, Eddie Kohler, and Robert Morris. ``Information Flow Control for Standard OS Abstractions.'' ACM SOSP 2007.
  8. Winnie Cheng, Dan R. K. Ports, David Schultz, Victoria Popic, Aaron Blankstein, James Cowling, Dorothy Curtis, Liuba Shrira, Barbara Liskov. ``Abstractions for Usable Information Flow Control in Aeolus.'' USENIX ATC 2012.
  9. Niels Provos, Markus Friedl, and Peter Honeyman. ``Preventing Privilege Escalation.'' USENIX Security 2003.
  10. Vikram Narayanan, Abhiram Balasubramanian, Charlie Jacobsen, Sarah Spall, Scott Bauer, Michael Quigley, Aftab Hussain, Abdullah Younis, Junjie Shen, Moinak Bhattacharyya, and Anton Burtsev. ``LXDs: Towards Isolation of Kernel Subsystems'' USENIX ATC 2019.
  11. Shen Liu, Dongrui Zeng, Yongzhe Huang, Frank Capobianco, Stephen McCamant, Trent Jaeger, and Gang Tan. ``Program-mandering: Quantitative Privilege Separation.'' ACM CCS 2019.

Is anything actually interesting about the Internet of Things? (IOT)

Whenever a new computing paradigm emerges, security researchers rush to refactor foundational solutions within this new domain. Suffice to say, at present the Internet of Things is a runaway hype train, with dozens of researchers concurrently scratching and clawing to publish highly-related ideas. As the dust begins to settle on this first wave of IoT Security research, we have an opportunity to sift through the heap of literature and identify the truly unique challenges and opportunities within this space. We will focus on consumer-facing IoT technologies. Our goal in discussing each paper will be to identify how methods in the IoT space are similar and/or distinct from prior work in other areas.

Preliminaries: Earlence Fernandes, Justin Paupore, Amir Rahmati, Daniel Simionato, Mauro Conti, and Atul Prakash. ``FlowFence: Practical Data Protection for Emerging IoT Application Frameworks.'' USENIX Security 2016.

Student-Presented Papers:
  1. Blase Ur, Elyse McManus, Melwyn Pak Yong Ho, and Michael L. Littman. ``Practical Trigger-action Programming in the Smart Home.'' ACM CHI 2014.
  2. Milijana Surbatovich, Jassim Aljuraidan, Lujo Bauer, Anupam Das, and Limin Jia. ``Some Recipes Can Do More Than Spoil Your Appetite: Analyzingthe Security and Privacy Risks of IFTTT Recipes.'' WWW 2017.
  3. Eyal Ronen, Coline O'Flynn, Adi Shamir, and Achi-Or Weingarten. ``IoT Goes Nuclear: Creating a ZigBee Chain Reaction.'' IEEE Security and Privacy 2017.
  4. Earlence Fernandes, Amir Rahmati, Jaeyeon Jung, and Atul Prakash. ``De-centralized Action Integrity for Trigger-Action IoT Platforms.'' ISOC NDSS 2018.
  5. Jiongyi Chen, Qenrui Diao, Qingchuan Zhao, Chaoshun Zuo, Zhiqiang Lin, XiaoFeng Wang, Wing Cheong Lau, Menghan Sun, Ronghai Yang, and Kehuan Zhang. ``IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing.'' ISOC NDSS 2018.
  6. Weijia He, Maximilian Golla, Roshni Padhi, Jordan Ofek, Markus Dürmuth,Earlence Fernandes, and Blase Ur. ``Rethinking Access Control and Authentication for the Home Internet of Things.'' USENIX Security 2018
  7. Z. Berkay Celik, Leonardo Babun, Amit Kumar Sikder, Hidayet Aksu, Gang Tan, Patrick McDaniel, and A. Selcuk Uluagac. ``Sensitive Information Tracking in Commodity IoT.'' USENIX Security 2018.
  8. Wenbo Ding and Hongxin Hu. ``On the Safety of IoT Device Physical Interaction Control.'' ACM CCS 2018.
  9. Roei Schuster, Vitaly Shmatikov, and Eran Tromer. ``Situational Access Control in the Internet of Things.'' ACM CCS 2018.
  10. Wei Zhang, Yan Meng, Yugeng Liu, Xiaokuan Zhang, Yingqian Zhang, and Hojin Zhu. ``HoMonit: Monitoring Smart Home Apps from Encrypted Traffic.'' ACM CCS 2018.
  11. Cut due to a reschedule; review IOT #5 instead. Eric Zeng and Franziska Roesner. ``Understanding and Improving Security and Privacy in Multi-User Smart Homes: A Design Exploration and In-Home User Study.'' USENIX Security 2019.

Host Intrusion Detection (HID)

The goal of accurate and reliable host-layer intrusion detection is one of the "Holy Grails" of the security field. Whereas significant progress has been made at the network layer, the reality is that a generic solution to host anomaly detection continues to elude the community. As advancements in auditing and machine learning technology signal a renewed interest in HIDS, our goal is to review the highlights from 20 years of literature on this subject in order to gain a better sense of the pitfalls and opportunities.

Preliminaries: S. Forrest, S.A. Hofmeyr, A. Somayaji, and T.A. Longstaff. ``A Sense of Self for Unix Process.'' IEEE Security and Privacy 1996.

Student-Presented Papers:
  1. Kymie M.C. Tan and Roy A. Maxion. ``"Why 6?" Defining the Operational Limits of stide, an Anomaly-Based Intrusion Detector.'' IEEE Security and Privacy 2000.
  2. R. Sekar, M. Bendre, D. Dhurjati, and P. Bollineni. ``A fast automaton-based method for detecting anomalous program behaviors.'' IEEE Security and Privacy 2001.
  3. D. Wagner, P. Soto. ``Mimicry attacks on host-based intrusion detection systems.'' ACM CCS 2002.
  4. H.H. Feng, O.M. Kolesnikov, P. Fogla, W. Lee, W. Gong. ``Anomaly detection using call stack information.'' IEEE Security and Privacy 2003.
  5. Debin Gao, Michael K. Reiter, Dawn Song. ``On Gray-Box Program Tracking for Anomaly Detection.'' USENIX Security 2004.
  6. Jonathon T. Giffin, David Dagon, Somesh Jha, Wenke Lee, and Barton P. Miller. ``Environment-Sensitive Intrusion Detection.'' RAID 2005.
  7. Christopher Kruegel, Engin Kirda, Darren Mutz, William Robertson, and Giovanni Vigna. ```Automating Mimicry Attacks Using Static Binary Analysis.'' USENIX Security 2005.
  8. S. Bhatkar, A. Chaturvedi, R. Sekar. ``Dataflow Anomaly Detection.'' IEEE Security and Privacy 2006.
  9. Emaad Manzoor, Sadegh M. Milajerdi, Leman Akoglu. ``Fast Memory-efficient Anomaly Detection in Streaming Heterogeneous Graphs.'' ACM KDD 2016.
  10. Xiaokui Shu, Daphne Yao, Naren Ramakrishnan, Trent Jaeger. ``Long-Span Program Behavior Modeling and Attack Detection.'' ACM Transactions on Privacy and Security 2017.
  11. Sadegh M. Milajerdi, Rigel Gjomemo, Birhanu Eshete, R. Sekar, V.N. Ventakakrishnan. ``HOLMES: Real-time APT Detection through Correlation of Suspicious Information Flows.'' IEEE Security and Privacy 2019.

Modern Cloud Computing (MCC)

The landscape of cloud computing continues to change rapidly. Once dominated by cumbersome ``Infrastructure-as-a-Service''-style virtual machines, today developers leverage clouds to deploy leaner software stacks through containerization or event-driven functions. How has the increasingly serverless nature of clouds affected cloud security?

Preliminaries:Eric Jonas, Johann Schleier-Smith, Vikram Sreekanti, Chia-Che Tsai, Anurag Khandelwal, Qifan Pu, Vaishaal Shankar, Joao Carreira, Karl Krauth, Neeraja Yadwadkar, Joseph E. Gonzalez, Raluca Ada Popa, Ion Stoica, and David A. Patterson. ``Cloud Programming Simplified: A Berkeley View on Serverless Computing.'' Techical Report.

Student-Presented Papers:
  1. Xing Gao, Benjamin Steenkamer, Zhongshu Gu, Mehmet Kayaalp, Dimitrios Pendarakis, and Haining Wang. ``A Study on the Security Implications of Information Leakages in Container Clouds.'' IEEE DSN 2017.
  2. Xing Gao, Zhongshu Gu, Zhengfa Li, Hani Jamjoom, and Cong Wang. ``Houdini's Escape: Breaking the Resource Rein of Linux Control Groups.'' ACM CCS 2019.
  3. Sergei Arnautov, Bohdan Trach, Franz Gregor, Thomas Knauth, and Andre Martin, Christian Priebe, Joshua Lind, Divya Muthukumaran, Dan O'Keeffe, Mark L Stillwell, David Goltzsche, Dave Eyers, Rüdiger Kapitza, Peter Pietzuch, and Christof Fetzer.``SCONE: Secure Linux Containers with Intel SGX.'' USENIX OSDI 2016.
  4. Jörg Thalheim, Pramod Bhatotia, Pedro Fonseca, and Baris Kasikci. ``Cntr: Lightweight OS Containers.'' USENIX ATC 2018.
  5. Filipe Manco, Costin Lupu, Florian Schmidt, Jose Mendes, Simon Kuenzer, Sumit Sati, Kenichi Yasukata, Costin Raiciu, and Filipe Huici. ``My VM is Lighter (and Safer) than your Container.'' ACM SOSP 2017.
  6. Sébastien Vaucher, Rafael Pires, Pascal Felber, Marcelo Pasin, Valerio Schiavoni, and Christof Fetzer. ``SGX-Aware Container Orchestration for Heterogeneous Clusters.'' IEEE ICDCS 2018.
  7. Yuqiong Sun, David Safford, Mimi Zohar, Dimitrios Pendarakis, Zhongshu Gu, and Trent Jaeger. ``Security Namespace: Making Linux Security Frameworks Available to Containers.'' USENIX Security 2018.
  8. Liang Wang, Mengyuan Li, Yinqian Zhang, Thomas Ristenpart, and Michael Swift. ``Peeking Behind the Curtains of Serverless Platforms.'' USENIX ATC 2018.
  9. Sol Boucher, Anuj Kalia, David G. Andersen, and Michael Kaminsky. ``Putting the "Micro" Back in Microservice.'' USENIX ATC 2018.
  10. Stefan Brenner and Rudiger Kapitza. ``Trust More, Serverless.'' ACM SYSTOR 2019.
  11. Kalev Alpernas, Cormac Flanagan, Sadjad Fouladi, Leonid Ryzhyk, Mooly Sagic, Thomas Schmitz, and Keith Winstein. ``Secure serverless computing using dynamic information flow control.'' ACM OOPSLA 2018.