Integrating Security and Fault Tolerance
NSF CyberTrust Grant 0430161

Principal Investigators:

We are interested in the construction of trustworthy distributed systems: systems that tolerate both malicious attacks and benign faults while preserving data integrity and confidentiality. The development of high-assurance systems has been dominated by work on two separate themes: security and fault tolerance. The security viewpoint holds that a trustworthy system must be able to defend against malicious attacks, building from a trusted computing base. The fault tolerance viewpoint is that a trustworthy system cannot depend on any single component functioning correctly, because that component becomes a vulnerability. These two views are incompatible because a trusted computing base could become a single point of failure, and because efficient fault-tolerant replication protocols assume non-malicious failures. Under the auspices of this project, we are exploring new ways to synthesize these two approaches. Our goal is new methods for constructing distributed systems that are trustworthy in the aggregate even when some nodes in the system have been compromised by malicious attackers.

Project Publications

  1. Krzysztof Ostrowski, Ken Birman, Danny Dolev, and Jong Hoon Ahnn. Programming with Live Distributed Objects. Proceedings of the 22nd European Conference on Object-Oriented Programming (ECOOP 2008), pages 463–489. July 2008.
  2. Stephen Chong and Andrew C. Myers. End-to-End Enforcement of Erasure and Declassification. Proceedings of the IEEE Computer Security Foundations Symposium, pages 98–111, June 2008.
  3. Michael R. Clarkson and Fred B. Schneider. Hyperproperties. Proceedings of the IEEE Computer Security Foundations Symposium, pages 51–65, June 2008.
  4. Lantian Zheng and Andrew C. Myers. Securing Nonintrusive Web Encryption through Information Flow. Proceedings of the 3rd ACM SIGPLAN Workshop on Programming Languages and Security, pages 125–134, June 2008.
  5. Michael R. Clarkson, Stephen Chong, and Andrew C. Myers. Civitas: A Secure Voting System. Proceedings of the 2008 IEEE Symposium on Security and Privacy, pages 354–368, Oakland, CA, May 2008. [ Civitas web site ]
  6. Stephen Chong, Jed Liu, Andrew C. Myers, Xin Qi, K. Vikram, Lantian Zheng, and Xin Zheng. Secure Web Applications via Automatic Partitioning. Proceedings of the 21st ACM Symposium on Operating Systems Principles (SOSP'07), pages 31–44, October 2007. [ Swift web site ]
  7. Stephen Chong, K. Vikram, and Andrew C. Myers. SIF: Enforcing Confidentiality and Integrity in Web Applications. Proceedings of USENIX Security Symposium 2007, pages 1–16, August 2007. [ SIF web site ]
  8. Lantian Zheng and Andrew C. Myers. Dynamic Security Labels and Static Information Flow. International Journal of Information Security, 6(2–3), March 2007. Springer.
  9. Michael Clarkson, Andrew C. Myers, and Fred B. Schneider. Quantifying Information Flow with Beliefs. Journal of Computer Security, to appear.
  10. Maya Haridasan and Robbert van Renesse. Defense Against Intrusion in a Live Streaming Multicast System. 6th IEEE International Conference on Peer-to-Peer Computing (P2P2006). Cambridge, UK. September 2006.
  11. Robbert van Renesse, Håvard Johansen and André Allavena. Fireflies: Scalable Support for Intrusion-Tolerant Overlay Networks. Proc. EuroSys 2006.
  12. Andrew C. Myers, Andrei Sabelfeld, Steve Zdancewic. Enforcing Robust Declassification and Qualified Robustness. Journal of Computer Security, 14(2):157–196, 2006.
  13. Kevin R. O'Neill, Michael R. Clarkson, Stephen Chong. Information-Flow Security for Interactive Programs. Proc. 19th IEEE Computer Security Foundations Workshop (CSFW'06), July 2006. Full version available as Cornell CIS TR 2006-2022.
  14. Steve Chong, Andrew C. Myers. Decentralized Robustness. Proc. 19th IEEE Computer Security Foundations Workshop (CSFW'06), pp. 242–253, July 2006.
  15. Michael R. Clarkson, Andrew C. Myers. Coercion-Resistant Remote Voting using Decryption Mixes. Frontiers in Electronic Elections, September 2005.
  16. Lantian Zheng, Andrew C. Myers. End-to-End Availability Policies and Noninterference. Proc. 18th IEEE Computer Security Foundations Workshop (CSFW'05), pages 272–286, June 2005.
  17. Michael Clarkson, Andrew C. Myers, Fred B. Schneider. Belief in Information Flow. Proc. 18th IEEE Computer Security Foundations Workshop (CSFW'05), pages 31–45, June 2005.
  18. Stephen Chong, Andrew C. Myers. Language-Based Information Erasure. Proc. 18th IEEE Computer Security Foundations Workshop (CSFW'05), pages 241–254, June 2005.
  19. Alan Shieh, Andrew C. Myers, Emin Gün Sirer. Trickles: A Stateless Network Stack for Improved Scalability, Resilience, and Flexibility. Proc. 2nd USENIX Symposium on Networked Systems Design and Implementation (NSDI), pages 175–188, May 2005. [ Trickles web site ]

Current areas of investigation

With Birman, Mahesh Balakrishnan is developing Tempest, a new way to program clusters by drag-and-drop importation of Web Services applications, automatically replicated and managed to preserve time-critical properties despite faults, node restart, or load surges. Working in this drag-and-drop paradigm, Tudor Marian is exploring chain-replication scenarios in which gossip mechanisms can be used for infrastructure management and repair of inconsistencies.

Birman and Krzysztof Ostrowski are developing QuickSilver, a scalable, reliable eventing (publish-subscribe) architecture. The initial focus is on scalability in the number of communication subjects, which are modeled as process groups and supported by a protocol stack capable of implementing virtual synchrony.

Robbert van Renesse, Maya Haridasan, and Andre Allavena are investigating support for intrusion-tolerant overlay networking.

Myers and Lantian Zheng are investigating automatic synthesis of distributed systems that use quorum protocols to meet integrity and availability requirements.

Myers, Steve Chong, and K. Vikram are developing a secure servlet architecture using static information flow to track confidential information end-to-end through web browser interactions.

Myers, Schneider, and Michael Clarkson are exploring a new way of measuring and enforcing information flow quantitatively, based on attacker beliefs rather than on changes in uncertainty.

Schneider and Clarkson are exploring hyperproperties, a unified mathematical characterization of a wide range of system properties, including security and fault tolerance.

Myers, Clarkson, and Chong are building a secure remote voting system called Civitas. It provides universal verifiability and coercion resistance.