My research focuses on security issues for practical distributed systems. System security is a dynamically changing field: advances in computer networks and distributed systems always pose new challenges to system security. It is usually my first step of system security research to identify the changes in system models, security objectives, and tradeoffs. These changes often render the existing security mechanisms inappropriate, insufficient, or even invalid, thereby demanding a new look at system security.
System security constitutes just one dimension of a distributed system and thus should not be studied in isolation. Throughout my research, I find that system security frequently demands multidisciplinary research spanning over fields in computer science (e.g., programming languages, compilers, distributed systems, and cryptography) and beyond (e.g., biology and military strategy). My research aims to bridge the gaps between these fields to address challenging system security issues.
My research in system security reflects my philosophy of "theory meets practice." On the one hand, a system without a solid theoretical foundation provides limited security assurance: It is hard, if not impossible, to enumerate all scenarios to evaluate whether a system withstands every possible malicious attacks under consideration. On the other hand, many solutions provided by theoretical research turn out to be impractical because the solutions rely on models that do not reflect reality or because of poor performance and scalability. My research attempts to bring together theory and practice by constructing a theoretical model based on realistic assumptions and by building prototypes to evaluate the feasibility of the theoretical solutions. The prototypes also serve as a platform for me to investigate practical issues (such as performance) that are not covered by the theoretical model.
All these themes are fully reflected in the following list of research projects I have been involved in.
Research Projects:
From 1996 to 1997, I worked on mobile code security as
code mobility, exemplified by applets, mobile agents, and active networks,
became a new paradigm on computer networks. Here, we use agent to refer to a piece of
mobile code, together with the associated data. The new paradigm introduced by mobile code
imposes new security challenges on
how to protect both agents and the hosts that accept the agents. Our
research in particular focused on how to protect hosts from misbehaving agents, as well
as preventing agents from interfering with each other.
Together with Robbert van Renesse and Fred B. Schneider, we designed a framework on top of a safe language (a dialect of O'Caml) and built a secure active network prototype (T2CAN) that achieved host security and inter-agent security. The solution drew from both traditional system security mechanisms (e.g., the notion of security domains and security policies) and programming languages (e.g., language safety).
Our design centers around the concept of security domains, with a well-defined set of security policies associated with each security domain. There is a set of rules that govern how agents could influence policies associated with security domains. Two basic forms of continuous domain changes are supported: domain amplification and domain attenuation. These provide agents certain flexibility to change their domains based on their needs, under the precondition that no security policies are compromised. Another way to support dynamic domain changes is through a security automaton, where each state in the automaton specifies a domain, and domain changes are specified in the transition functions.
Enforcements of the security policy for each security domain rely heavily on a type-safe language, as follows:
An unpublished draft on T2CAN is available here.
My research on trustworthy on-line services started with my investigation, joint with Professor Zygmunt J. Haas, into a security infrastructure for ad hoc networks. Unlike traditional cellular wireless networks, an ad hoc network has no fixed infrastructure and instead rely on mobile hosts to act as routers for each other. In our paper published in IEEE Network, we focused on two issues: secure routing and establishing a trustworthy key management service. The proposed solutions took advantage of redundancies in ad hoc networks and hinged on the concept of distributed trust. The observation that no single node in the network is trustworthy led me to develop a framework that builds a trustworthy service from untrustworthy components for general networks (e.g., the Internet). This became a joint work with Fred Schneider and Robbert van Renesse. This work falls into the intersection of distributed systems and cryptography (especially, secure multi-party computation).
For the investigation, I designed and implemented COCA (Cornell On-line Certification Authority), a secure distributed on-line certification authority. COCA has been built and deployed both in a local area network and in the Internet. Replication is used to achieve availability; proactive recovery with threshold cryptography is used for digitally signing certificates in a way that defends against mobile adversaries which attack, compromise, and control one replica for a limited period of time before moving on to another.
Relatively weak assumptions characterize environments in which COCA's protocols will execute correctly. No assumption is made about execution speed and message delivery delays; channels are expected to exhibit only intermittent reliability; and with 3t+1 COCA servers up to t may be faulty or compromised. The result is a system with inherent defenses to certain denial of service attacks because, by their very nature, weak assumptions are difficult for attackers to invalidate. In addition, traditional techniques, including request authorization, resource management based on segregation and scheduling different classes of requests, as well as caching results of expensive cryptographic operations further reduce COCA's vulnerability to denial of service attacks. Results from experiments in a local area network and the Internet allow a quantitative evaluation of the various means COCA employs to resist denial of service attacks. More on COCA can be found here.
I am continuing my research on building trustworthy services. The design of COCA exploits the specific semantics of COCA and thus might not be applicable to other services. With Fred, we are trying to design a general framework for building arbitrary trustworthy services, much as the state-machine approach adds fault tolerance. In particular, we strive to understand the capabilities of Byzantine quorum systems and to explore how to build a general framework on top of Byzantine quorum systems.
Together with Mike Marsh, we have designed protocols for COPS (Cornell On-line Publish/subscribe System), a secure distributed publish/subscribe system. COPS differs from COCA in the service semantics it provides and in having a confidentiality requirement on published information stored on servers. Such differences lead to different design choices for COPS. For example, to achieve scalability in COPS, I designed a new protocol, based on the asynchronous proactive secret sharing protocol in COCA, that manages a hierarchy of publish/subscribe services, while maintaining the required confidentiality of published information. I am hoping that the experience from COPS will not only shed light on a general framework for building trustworthy services but also provide insights about different design choices. A prototype is currently in the making.
I am also engaged in several other new and exciting research projects.
My work on securing ad hoc networks continues with a focus on secure routing. Because every node in an ad hoc network contributes to the network infrastructure, a compromised node can do more harm to the infrastructure than on a traditional network. While most proposed routing protocols for ad hoc networks cope well with the dynamically changing topology, they often ignore malicious attacks towards the routing protocols. Our objective is to devise a secure routing protocol without introducing prohibitively high overhead.
Another interesting area I am working on is security for peer-to-peer (P2P) systems. P2P systems represent a deviation from the traditional client/server model and advocate a decentralized architecture. Such deviation has a fundamental impact on implementing system security. Together with Robbert, we are building a peer-to-peer communication infrastructure based on IPv6 and hope to gain understanding on how P2P philosophies affect system design.
I am also looking into the problem of providing fault tolerance for computational grids, an emerging field concerned with harnessing the computational power available on a network. Because computational grids concern the sharing of computational resources, rather than only information resources, and place high priority on performance, a new look at fault tolerance and security is required. One promising approach, advocated in Professor Pingali's CS 717 seminar, is to employ compiler technology to aid fault tolerance mechanisms, such as checkpointing and message logging. The added knowledge of program structure, traditionally ignored in distributed system research, could potentially lead to a better solution. This is again going to be a multidisciplinary research effort.
As digital video and images prevail,
there is a pressing need to protect their ownership. In this research, we have
designed a watermarking algorithm for JPEG images. The watermarked images
preserve the quality of the original images. We implemented the algorithm in C
and tested the robustness of watermarks under various attacks. A detailed report
at http://www.cs.cornell.edu/home/ldzhou/Watermark/report.html.
This research studies algorithms for control dependence analysis and conversion to static single assignment form, which are key operations in program optimization and parallelization. We have implemented a generalized algorithm with a tunable parameter and performed thorough measurement and comparison for different settings. The implementation is in C/C++ and is adopted by the former Digital Equipment Corporation (acquired by Compaq). A detailed report at http://www.cs.cornell.edu/home/ldzhou/CD/report.html.
Last Updated on December 29, 2001. Please send your comments to ldzhou@cs.cornell.edu.