This report documents the program and the outcomes of Dagstuhl Seminar 15102 “Secure Routing for ... more This report documents the program and the outcomes of Dagstuhl Seminar 15102 “Secure Routing for Future Communication Networks”. Routing is a fundamental mechanism in communication networks, and its security is critical to ensure availability and prevent attacks; however, devel-oping and deploying secure routing mechanism is still a challenge. Significant research effort is required to advance routing security in key areas: intra-domain routing, inter-domain routing, routing in new Internet architectures, and routing in mobile and wireless networks. The seminar covered these general aspects along with the following important guiding questions. How to systematise the topic area of routing security? What are evolutionary or revolutionary options towards more secure routing systems? How to secure inter-domain routing? How to secure intra-domain routing and routing in mobile/wireless settings? How to achieve data plane/forwarding security?
Systems using capabilities to provide preferential service to selected flows have been proposed a... more Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems. Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker’s resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internetscale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness.
Proceedings of the 3rd Workshop on System Software for Trusted Execution, 2018
Monitoring software of low-end devices is a key part of defense in depth for IoT systems. These d... more Monitoring software of low-end devices is a key part of defense in depth for IoT systems. These devices are particularly susceptible to memory corruption vulnerabilities because the limited computational resources restrict the types of countermeasures that can be implemented. Run-time monitoring therefore is fundamental for the security of these devices. We propose a monitoring architecture for untrusted software at the I/O event granularity for TrustZone-enabled devices. The architecture enables us to measure the integrity of the code immediately before its execution is triggered by any input. To verify the integrity in a lightweight manner, we statically determine the minimal code region that needs to be measured based on the I/O operation. We develop a prototype of the architecture using TrustZone-M and demonstrate that our prototype has a low processing overhead and small ROM memory footprint.
Today’s computer users receive few assurances that their software executes as expected. The probl... more Today’s computer users receive few assurances that their software executes as expected. The problem is that legacy devices do not enable personal verification of code execution. In addition, legacy devices lack trusted paths for secure user I/O making it difficult to ensure the privacy of data. We present PRISM, a software-only humanverifiable code execution system that temporally separates a legacy computer system into a trusted component and an untrusted component. PRISM enables a user to securely interact with applications by establishing a trusted path and enables personal verification of untampered application execution. PRISM enables the development of a new class of applications which we term personally verifiable applications (PVAs). PVAs have the property that a user can both securely interact with and execute these applications even in the face of a kernel-level compromise. We develop a personally verifiable digital signature application that assures the user that the password-protected private key is not misused and that neither the private key nor the password are disclosed to malware on the device. We describe an implementation of this application on a personal device, and evaluate the usability of our approach with a user study. 1
Proceedings of the sixth ACM international workshop on VehiculAr InterNETworking - VANET '09, 2009
Security plays a critical role in Vehicular Ad-Hoc Networks (VANETs). In the absence of secure me... more Security plays a critical role in Vehicular Ad-Hoc Networks (VANETs). In the absence of secure mechanisms, malicious parties could inject bogus information, at best robbing VANETs of their safety benefits or at worst causing accidents. Unfortunately, VANETs pose unique new research challenges, preventing the use of existing network security mechanisms. Industry has proposed security mechanisms to safeguard VANET operations. In this talk, we will discuss the properties and limitations of these mechanisms and present remaining research challenges. We will then present promising proposed research mechanisms to secure VANETs beyond current industry standards, such as the application of advanced cryptographic techniques to provide anonymity, the use of trusted computing technologies such as the Trusted Computing Group's (TCG's) Trusted Platform Module (TPM), or the use of location verification. We conclude the talk with remaining open research challenges, as well as opportunities and directions for addressing these challenges.
Trust in any system needs a foundation or a root of trust. Here, we discuss the roots of trust th... more Trust in any system needs a foundation or a root of trust. Here, we discuss the roots of trust that have been proposed or deployed. Typically, the root of trust is based on the secrecy of a private key that is embedded in hardware; the corresponding public key is certified by the hardware’s manufacturer. As we discuss, some systems further
This report documents the program and the outcomes of Dagstuhl Seminar 15102 “Secure Routing for ... more This report documents the program and the outcomes of Dagstuhl Seminar 15102 “Secure Routing for Future Communication Networks”. Routing is a fundamental mechanism in communication networks, and its security is critical to ensure availability and prevent attacks; however, devel-oping and deploying secure routing mechanism is still a challenge. Significant research effort is required to advance routing security in key areas: intra-domain routing, inter-domain routing, routing in new Internet architectures, and routing in mobile and wireless networks. The seminar covered these general aspects along with the following important guiding questions. How to systematise the topic area of routing security? What are evolutionary or revolutionary options towards more secure routing systems? How to secure inter-domain routing? How to secure intra-domain routing and routing in mobile/wireless settings? How to achieve data plane/forwarding security?
Systems using capabilities to provide preferential service to selected flows have been proposed a... more Systems using capabilities to provide preferential service to selected flows have been proposed as a defense against large-scale network denial-of-service attacks. While these systems offer strong protection for established network flows, the Denial-of-Capability (DoC) attack, which prevents new capability-setup packets from reaching the destination, limits the value of these systems. Portcullis mitigates DoC attacks by allocating scarce link bandwidth for connection establishment packets based on per-computation fairness. We prove that a legitimate sender can establish a capability with high probability regardless of an attacker’s resources or strategy and that no system can improve on our guarantee. We simulate full and partial deployments of Portcullis on an Internetscale topology to confirm our theoretical results and demonstrate the substantial benefits of using per-computation fairness.
Proceedings of the 3rd Workshop on System Software for Trusted Execution, 2018
Monitoring software of low-end devices is a key part of defense in depth for IoT systems. These d... more Monitoring software of low-end devices is a key part of defense in depth for IoT systems. These devices are particularly susceptible to memory corruption vulnerabilities because the limited computational resources restrict the types of countermeasures that can be implemented. Run-time monitoring therefore is fundamental for the security of these devices. We propose a monitoring architecture for untrusted software at the I/O event granularity for TrustZone-enabled devices. The architecture enables us to measure the integrity of the code immediately before its execution is triggered by any input. To verify the integrity in a lightweight manner, we statically determine the minimal code region that needs to be measured based on the I/O operation. We develop a prototype of the architecture using TrustZone-M and demonstrate that our prototype has a low processing overhead and small ROM memory footprint.
Today’s computer users receive few assurances that their software executes as expected. The probl... more Today’s computer users receive few assurances that their software executes as expected. The problem is that legacy devices do not enable personal verification of code execution. In addition, legacy devices lack trusted paths for secure user I/O making it difficult to ensure the privacy of data. We present PRISM, a software-only humanverifiable code execution system that temporally separates a legacy computer system into a trusted component and an untrusted component. PRISM enables a user to securely interact with applications by establishing a trusted path and enables personal verification of untampered application execution. PRISM enables the development of a new class of applications which we term personally verifiable applications (PVAs). PVAs have the property that a user can both securely interact with and execute these applications even in the face of a kernel-level compromise. We develop a personally verifiable digital signature application that assures the user that the password-protected private key is not misused and that neither the private key nor the password are disclosed to malware on the device. We describe an implementation of this application on a personal device, and evaluate the usability of our approach with a user study. 1
Proceedings of the sixth ACM international workshop on VehiculAr InterNETworking - VANET '09, 2009
Security plays a critical role in Vehicular Ad-Hoc Networks (VANETs). In the absence of secure me... more Security plays a critical role in Vehicular Ad-Hoc Networks (VANETs). In the absence of secure mechanisms, malicious parties could inject bogus information, at best robbing VANETs of their safety benefits or at worst causing accidents. Unfortunately, VANETs pose unique new research challenges, preventing the use of existing network security mechanisms. Industry has proposed security mechanisms to safeguard VANET operations. In this talk, we will discuss the properties and limitations of these mechanisms and present remaining research challenges. We will then present promising proposed research mechanisms to secure VANETs beyond current industry standards, such as the application of advanced cryptographic techniques to provide anonymity, the use of trusted computing technologies such as the Trusted Computing Group's (TCG's) Trusted Platform Module (TPM), or the use of location verification. We conclude the talk with remaining open research challenges, as well as opportunities and directions for addressing these challenges.
Trust in any system needs a foundation or a root of trust. Here, we discuss the roots of trust th... more Trust in any system needs a foundation or a root of trust. Here, we discuss the roots of trust that have been proposed or deployed. Typically, the root of trust is based on the secrecy of a private key that is embedded in hardware; the corresponding public key is certified by the hardware’s manufacturer. As we discuss, some systems further
Uploads
Papers by Adrian Perrig