Associate Professor, Department of Computer Science, University of Illinois at Chicago.
Director, Center for Research and Instruction in Technologies for Electronic Security (RITES)
This paper examines the role of authentication, certificates, and certificate processing. It considers authentication very widely, not just in its traditional use of identification, but more generally in terms of authenticating a document. In particular, it considers the role of certificates to make informal statements and how they might be formally processed.
To protect the private key that a Certificate Authority uses for signing certificates, the key is kept offline. This means that signing is relatively infrequent, and hence the certificate information can become stale and then the certificate needs to be revoked. At CSAW, Ravi Sandhu defined "instant revocation" as revocations which take place within a second or two. Peter Gutmann has called PKI revocation a "grand challenge problem". Existing techniques do not achieve timely and efficient revocations. In this paper, we show how to achieve instant revocation which is hundreds to thousands of times more Internet bandwidth efficient than existing techniques.
Distributed authentication typically is an afterthought in applications. It is rarely done well, and hence is subject to attack. And it is surprisingly difficult to do. In this paper, we show a very simple API for combining authentication with traditional network sockets. This scheme is very easy to program and enables service processes to be specialized by user. We then port dovecot (an IMAP/POP mail delivery agent). The port results in the elimination of some 37% of the code in dovecot and the reduction in the number of process types from 4 to 1.
This is the paper at Oakland which caused such a big fuss one year after it was published. In it we show that a taxonomy for Discretionary Access Controls (DACs) due to Osborn-Sandhu-Munawer could be implemented in a decidable general-purpose access control model. It is the first access control model which was known to be both non-monotonic and decidable.
A paper by Li and Tripunitara in the 2005 Oakland conference claimed that our result is wrong since it cannot represent the invariant of single owner under change of ownership. Their claim is erroneous; the technical details are here.
This paper describes two information flow security properties, information flow confidentiality and information flow integrity. It describes a general purpose access control model, based on our DAC model in Oakland, which allows these properties to hold selectively (which we call expressibility) and which allows the permissions to change in a controlled way (which we call robustness). This paper shows that our administrative controls are well formed; in particular they show that it is decidable what approvals are needed (and whether such approval is possible) to create a new flow.
This is an earlier version of a paper we have currently submitted. Our ESORICS'04 paper showed that the result of a single administrative action was decidable. This paper shows that the result of an arbitrary number of administrative actions was decidable; that is, that the system could bound any evolution of the privileges to determine what is and is not possible in our system. This is the MAC analogue to the DAC decidability result at Oakland'04.
This paper describes how an operating system authorization system can be made sufficiently flexible to adapt to the needs of the application based on the application history. Support is shown for dynamic separation of duty, information flow, and other mandatory access controls.
This paper shows a method for modelling dynamic separation of duty which enables loops and alternative outcomes to be described. Lower bounds on dynamic separation of duty scheduling are given, conditions are developed which ensure that a task does not get stuck if there is a sufficient number of users, and different schedule mechanisms are given to ensure that a task does not get stuck.
Access matrix based descriptions provide an efficient implementation for reference monitors to determine whether a given access is allowed or denied. But the access matrix is unwieldy to specify and modify, particularly as the number of properties enforced increases. To enable easier specification, a higher level model is very desirable which is composable, stateless, and succinct. We show how a simple higher level model can be automatically translated into an access matrix level description in kernelSec.
Sandboxes (also called jails) are invoked by applications such as mail user agents and browsers in order to isolate untrusted entities from the rest of the system. But it is also possible to evade the sandbox protections by copying such untrusted entities out of the sandbox. We describe dynamic sandboxes, in which the sandbox is invoked automatically on reading untrusted data. Moreover, information flow based controls ensure that copied data maintains its label.
In Fall 2006 I became alarmed at the growth of botnets, and the uses to which they were put. The existing computing base is so riddled with security holes that I believe that its replacement is both essential and inevitable. But new operating systems have traditionally not been successful, and are inordinately expensive to build. This paper considers how we will build a new generation of system software and make it secure. This is the kickoff paper for the Ethos project.
Working in security means spanning a large range of techniques and (for computer science) a long period of time. Some of these papers are difficult to find and may be confusing to read because of changing terminology. The above bibliography attempts to provide some organization to these ideas, and these papers are almost all available at UIC.