Computer Science Department Seminars

CS Faculty Candidate Talk
Friday, March 19th
10:30am, ST2 Room 320

Enforcement techniques for security policies addressing confidentiality and integrity of information

VN Venkatakrishnan
Computer Science Department
SUNY at Stony Brook

In this talk, I will discuss two different scenarios that result in
system faults or compromises, and present techniques for addressing
these scenarios. These techniques essentially involve enforcement of
security policies related to the integrity and confidentiality of systems.

The first scenario involves execution of a faulty program (e.g., a
freeware file compression utility) or an untrusted program operating
on system or application data (e.g., personal image/multimedia files).
In this case, execution monitoring techniques do not work, as they
typically disallow execution of any such operations (e.g., modifications
to such files) in the first place. We present a solution based on
program isolation, which works by isolating the effects of the
faulty/untrusted program's execution from the rest of the system.
Isolation is achieved by intercepting and redirecting file modification
operations made by the untrusted process so that they access a
"modification cache" invisible to other processes in the system. On
termination of an untrusted process, the user is presented with a
concise summary of the files modified by the process. Additionally, the
user can inspect these files to determine whether the modifications are
acceptable. The user then has the option to commit these modifications
or simply discard them. Essentially, our approach provides "play" and
"rewind" buttons for running such software. Key benefits of our
approach are that it requires no changes to the untrusted programs (to
be isolated) or the underlying operating system; it cannot be subverted
by malicious programs; and it achieves these benefits with acceptable
runtime overheads.
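As an added illustration of the isolation scheme just described (this is example code written for this page, not the Stony Brook project's implementation), the following simulates a modification cache in user space. Real enforcement happens at the system-call layer, where an untrusted process cannot bypass the interposition; here the untrusted program is a Python callable that is handed only the sandbox API, and the class and method names (IsolatedFileSystem, ModificationCache, summary, commit, discard) are assumptions chosen for the example. Writes and deletes are redirected into a private cache, reads see the cache first so the untrusted program observes its own changes, and on termination the user sees a concise summary and chooses to commit ("play") or discard ("rewind").

```python
import os
import shutil
import tempfile
from dataclasses import dataclass, field


@dataclass
class ModificationCache:
    """Private view of pending changes; invisible to other processes."""
    writes: dict = field(default_factory=dict)   # name -> new contents
    deletes: set = field(default_factory=set)    # names deleted by the process


class IsolatedFileSystem:
    """Copy-on-write view over a real directory (assumed API for this example)."""

    def __init__(self, root):
        self.root = root
        self.cache = ModificationCache()

    def _real(self, name):
        # Every name is resolved inside root; anything escaping it is refused.
        p = os.path.normpath(os.path.join(self.root, name))
        if not p.startswith(os.path.join(self.root, "")):
            raise PermissionError(f"path escapes sandbox root: {name}")
        return p

    def read(self, name):
        if name in self.cache.deletes:
            raise FileNotFoundError(name)
        if name in self.cache.writes:            # the process sees its own writes
            return self.cache.writes[name]
        with open(self._real(name), "rb") as f:
            return f.read()

    def write(self, name, data):
        self._real(name)                         # validate the path only
        self.cache.deletes.discard(name)
        self.cache.writes[name] = bytes(data)    # redirected, real file untouched

    def delete(self, name):
        real = self._real(name)
        if name not in self.cache.writes and not os.path.exists(real):
            raise FileNotFoundError(name)
        self.cache.writes.pop(name, None)
        self.cache.deletes.add(name)

    def summary(self):
        """Concise list of (kind, name) shown to the user; unchanged rewrites are omitted."""
        out = []
        for name, data in sorted(self.cache.writes.items()):
            real = self._real(name)
            if os.path.exists(real):
                with open(real, "rb") as f:
                    if f.read() != data:
                        out.append(("modified", name))
            else:
                out.append(("created", name))
        out.extend(("deleted", n) for n in sorted(self.cache.deletes))
        return out

    def commit(self):
        """Apply the cached changes to the real directory."""
        for name, data in self.cache.writes.items():
            with open(self._real(name), "wb") as f:
                f.write(data)
        for name in self.cache.deletes:
            real = self._real(name)
            if os.path.exists(real):
                os.remove(real)
        self.cache = ModificationCache()

    def discard(self):
        """Drop the cached changes; the real directory was never touched."""
        self.cache = ModificationCache()


def run_isolated(root, untrusted, decision):
    """Run untrusted(fs) in isolation; decision(summary) -> True commits, False discards."""
    fs = IsolatedFileSystem(root)
    try:
        untrusted(fs)
    except Exception as e:       # a crashing program leaves no partial damage behind
        fs.discard()
        return ("discarded-after-error", repr(e))
    s = fs.summary()
    if decision(s):
        fs.commit()
        return ("committed", s)
    fs.discard()
    return ("discarded", s)


def demo(accept):
    """Constructed scenario: a buggy 'compressor' truncates a photo and leaves a temp file."""
    root = tempfile.mkdtemp()
    try:
        with open(os.path.join(root, "photo.jpg"), "wb") as f:
            f.write(b"JPEGDATA")

        def buggy_compressor(fs):
            fs.write("photo.jpg", fs.read("photo.jpg")[:2])   # bug: destroys the image
            fs.write("photo.jpg.tmp", b"junk")

        outcome, s = run_isolated(root, buggy_compressor, lambda summary: accept)
        with open(os.path.join(root, "photo.jpg"), "rb") as f:
            photo = f.read()
        return (outcome, s, photo, os.path.exists(os.path.join(root, "photo.jpg.tmp")))
    finally:
        shutil.rmtree(root)


def demo_escape():
    """True if a write outside the sandbox root is refused."""
    root = tempfile.mkdtemp()
    try:
        IsolatedFileSystem(root).write("../outside.txt", b"x")
        return False
    except PermissionError:
        return True
    finally:
        shutil.rmtree(root)
```

Running demo(False) shows the user rejecting the summary (one modified file, one created file) and the original photo surviving intact; demo(True) shows the same summary being committed. The path check in _real is what keeps the "cannot be subverted" property within the simulated API: every name the untrusted code supplies is confined to the sandbox root before it reaches the cache or the real directory.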

A related scenario is one that involves data- and control-flow-related
errors in a program that operates on sensitive data, resulting in loss
of data confidentiality. Here too, it is well known that this problem
cannot be solved by use of pure execution monitors that employ runtime
monitoring mechanisms. Hence, recent research has focused on pure
static analysis (such as type analysis) for addressing this problem.
The drawback of such approaches is that they are overly conservative,
result in a loss of precision, and reject many useful programs.
In this ongoing work, we present an approach that uses a natural way to
improve precision -- by augmenting static analysis with runtime
checking. We show that by using a preliminary static analysis to gather
information about the "effects" of a program, and by combining this
information with runtime checking techniques, a more precise solution
is possible.

In addition, I will give a brief overview of my research background,
and will discuss some ideas for future research work.
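To make the precision argument concrete, here is an added example (written for this page; it is not the technique the talk presents, whose details the abstract does not give) on a tiny straight-line language with confidentiality labels. A flow-insensitive static pass computes which variables may carry secret data; a purely static checker must reject every output of a "may be secret" variable. The hybrid variant instead keeps the static result as the program's effects: outputs proven public get no check at all, and only the outputs the analysis could not decide are guarded at runtime, where the actual label is known. The statement forms ("in", "assign", "select", "out") and the sample program PROG are constructed for the example.

```python
SECRET, PUBLIC = "secret", "public"

# Constructed mini-language (one statement per tuple):
#   ("in", var, label)           read an input carrying the given label
#   ("assign", dst, src)         dst = src
#   ("select", dst, cond, a, b)  dst = a if cond else b
#   ("out", var)                 send var to a public channel


def static_effects(program):
    """Flow-insensitive 'may be secret' analysis.

    Returns (may_secret, checks) where checks maps each output statement's index
    to 'safe' (proven public, no runtime check needed) or 'check' (undecided)."""
    may_secret = set()
    changed = True
    while changed:                                   # iterate to a fixed point
        changed = False
        for stmt in program:
            op, dst = stmt[0], stmt[1]
            if op == "in":
                taint = stmt[2] == SECRET
            elif op == "assign":
                taint = stmt[2] in may_secret
            elif op == "select":
                # conservative: either branch or the condition may leak
                taint = any(v in may_secret for v in stmt[2:5])
            else:
                continue
            if taint and dst not in may_secret:
                may_secret.add(dst)
                changed = True
    checks = {i: ("check" if s[1] in may_secret else "safe")
              for i, s in enumerate(program) if s[0] == "out"}
    return may_secret, checks


def static_only_verdict(program):
    """A purely static checker rejects any program with an undecided output."""
    _, checks = static_effects(program)
    return "reject" if "check" in checks.values() else "accept"


def run_hybrid(program, inputs):
    """Execute with runtime labels, checking only the outputs static analysis flagged.

    Returns ("ok", None, outputs) or ("blocked", stmt_index, outputs_so_far)."""
    _, checks = static_effects(program)
    env, out = {}, []                                # var -> (value, label)
    for i, stmt in enumerate(program):
        op = stmt[0]
        if op == "in":
            env[stmt[1]] = (inputs[stmt[1]], stmt[2])
        elif op == "assign":
            env[stmt[1]] = env[stmt[2]]
        elif op == "select":
            (cv, cl), a, b = env[stmt[2]], env[stmt[3]], env[stmt[4]]
            v, l = a if cv else b
            # the chosen branch's label, plus the condition's (implicit flow)
            env[stmt[1]] = (v, SECRET if SECRET in (cl, l) else PUBLIC)
        elif op == "out":
            v, l = env[stmt[1]]
            if checks[i] == "check" and l == SECRET:
                return ("blocked", i, out)
            out.append(v)                            # 'safe' outputs pay no check
    return ("ok", None, out)


# Constructed program: msg is the secret key only when flag is set.
PROG = [
    ("in", "key", SECRET),
    ("in", "flag", PUBLIC),
    ("in", "banner", PUBLIC),
    ("select", "msg", "flag", "key", "banner"),
    ("out", "msg"),        # static analysis cannot decide this one
    ("out", "banner"),     # provably public: no runtime check inserted
]
```

Static analysis alone rejects PROG outright because msg may be secret. The hybrid run accepts the execution in which flag is false (msg is the public banner), blocks the execution in which flag is true at statement 4 before anything leaks, and never instruments the output of banner. The select rule also labels the result with the condition's label, so a branch on secret data stays conservative rather than becoming a covert channel.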

This research is being conducted under the umbrella of the Model
Carrying Code project at Stony Brook. Papers related to this talk and
other related efforts that I have been involved with are available
under the project home page at: http://www.seclab.cs.sunysb.edu/mcc/
A personal home page with links to publications and an informal
biography is available here: http://www.seclab.cs.sunysb.edu/~venkat/