"The nation's security and economy rely on infrastructures
for communication, finance, energy distribution and transportation - all
increasingly dependent on networked information systems. When these
networked information systems perform badly or do not work at all, they
put life, liberty and property at risk." --National Research
Council, Trust in Cyberspace (F.B. Schneider, editor) Cornell is a leader on a broad range of research issues related to
computer security. We tackle the fundamental problem of ensuring the security
and reliability of our global critical computing infrastructure. And Cornell
faculty are also quite visible on the national policy scene, as part of the
NSF-funded TRUST Science and Technology Center
and through individual faculty member involvement in advisory boards
to DARPA, DoD, NSA, NIST, and Microsoft. Currently, we have many active research projects aimed at
developing a science and technology base to enhance information assurance
and ensure the trustworthiness of networked information systems. These
project areas range from system and network security to reliability and
assurance. Emin Gün Sirer and Fred B. Schneider are leading the development of a
new operating system, called the Nexus, for trusted computing. Newly emerging secure coprocessors make it possible to build systems that can provide unprecedented security guarantees; unfortunately, past efforts at achieving these properties have yielded systems that restrict the user's control over her local machine. The Nexus is a new operating system, built from scratch, that introduces new system abstractions, mechanisms and a novel system architecture for taking advantage of secure computing hardware. It enables users to leverage the security guarantees of secure coprocessors without limiting flexibility and control over the local software configuration. The resulting system enables novel applications, including spam-free email, secure firewalls, and flexible digital rights management systems.

The COCA
(Cornell On-line Certification Authority) project, led by Fred B. Schneider, was concerned with composing fault tolerance and security. Traditionally, these two elements of system trustworthiness have been treated as distinct problems with disjoint solutions. Yet when replication is used to achieve fault tolerance, replicated secrets (such as private keys) become more vulnerable to compromise: every replica that holds a copy of the key is one more place from which an attacker can steal it. COCA examined how to compose fault tolerance with security in the context of a fault-tolerant and secure on-line certification authority prototype that we built and deployed.

The Quicksilver project is interested in the security issues that arise in large-scale systems built on probabilistic mechanisms, such as those using the Bimodal Multicast and Astrolabe technologies. Several dimensions are being investigated: how to build new security mechanisms that use these kinds of scalable, robust tools; how to secure the tools themselves; and how to deal with the scalability issues that arise when building secure systems. One concrete problem involves the security issues seen in scalable publish-subscribe systems: we are building one, and the security issues that arise appear to be new and genuinely interesting. Recent systems built by the project include Quicksilver (the scalable publish-subscribe technology for which the project is named), Tempest (a development tool for building scalable web services, running on our Ricochet protocols), and Fireflies, a Byzantine-fault-tolerant, rapidly adaptive overlay technology that supports scalable media delivery.

The Jif project,
led by Andrew Myers, examines security-typed programming languages and has extended Java with support for static information flow control. The compiler tracks the correspondence between data and the information flow policies that restrict its use, so that security is enforced in an end-to-end fashion. Information flow policies can also be used to securely partition code and data across a distributed system. This is demonstrated by the Swift system, which automatically partitions web applications into server-side Java and client-side JavaScript while enforcing secure information flow.

Civitas is a new, secure voting system. It is the first voting system implementation that allows voters to vote securely from the remote client of their choice while provably providing universal verifiability, voter verifiability, anonymity, and coercion resistance. It achieves this by combining sophisticated cryptography with language-based security methods.

Joe Halpern is looking at logics for reasoning about various aspects of security, including logics that can model resource-bounded intruders, that can deal with both qualitative and quantitative aspects of security, that support reasoning about noninterference, and that support reasoning about security policies involving permission, authority, control, and delegation.

The ECC
project, led by Dexter Kozen, addresses issues of performance and ease of implementation in the verification of basic safety properties for untrusted mobile code. In contrast to other, more general approaches, it sacrifices language and implementation independence for performance and succinctness of certificates. Verification takes place at the level of native code and does not require just-in-time compilation. The system ensures a basic but nontrivial level of code safety, including control-flow safety, memory safety, and stack safety. A prototype has been implemented for Scheme compiled to x86. Current work includes applying this technology to boot-time drivers for plug-in components in the context of the IEEE Open Firmware standard.

The CorSSO project, led by Emin Gün Sirer and Fred B. Schneider, is developing a decentralized, fault-tolerant network single sign-on service. The goal of a single sign-on service is to authenticate users once on behalf of many applications. CorSSO enables application servers to delegate client identity-checking to sets of authentication servers, such that the compromise or failure of authenticators within a tolerated threshold does not affect the correctness of the overall authentication system. A novel partitioning of the work associated with authenticating principals means that the system scales well as the numbers of users and services grow.

The Nysiad project at Cornell, led by Robbert van Renesse, is
concerned with tolerating Byzantine failures, ranging from compromised machines and insider attacks to faults caused by bit rot or accidental operator error. Indeed, pure crash failures make up a relatively small share of the failures seen in today's computing systems. Nysiad technology allows distributed systems that tolerate only crash failures to be transformed, automatically, into systems that tolerate Byzantine failures, while maintaining scalability. Prior art is significantly more expensive because it relies on solving Byzantine consensus; we show that solving consensus is not necessary when the application is already able to deal with crash failures. In related efforts, we have developed a Byzantine-tolerant peer-to-peer overlay network and a highly efficient Byzantine one-step consensus algorithm.

Besides the samples cited above, there are many other ongoing projects at Cornell related to all aspects of system security, ranging from highly applied work on intrusion detection to the theoretical foundations of computer security. Overall, the breadth and depth of the projects undertaken at Cornell are a direct result of the well-integrated, diverse and collegial environment that our department provides. Our work draws its strength from the synergy between the groups working on security, programming languages, operating systems, logic and formal methods.

Faculty and Researchers: Ken Birman, Joe Halpern, Dexter Kozen, Andrew Myers, Rafael Pass, Fred B. Schneider, Gün Sirer

Ongoing and Recent Projects: Astrolabe, COCA, CorSSO, ECC, Fabric, Jif, Nexus, Swift, Quicksilver
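The Jif paragraph above says the compiler tracks the correspondence between data and the information flow policies that restrict its use. The following is an added example, not Jif's type system or its label syntax and not code from the project: a toy static checker in which every variable carries a label (the set of principals allowed to read it), an assignment is accepted only if the label of everything it depends on may flow to the label of the target, and a program-counter label is threaded through branches so that implicit flows are caught as well as explicit ones. The principals, variable names and the statement encoding are all invented for the demonstration.

```python
# Toy static information-flow checker, in the spirit of a security-typed
# language: every variable carries a label, and an assignment type-checks
# only if the label of everything it depends on (its operands and, for
# implicit flows, the enclosing branch conditions) may flow to the label
# of the variable being written.  Added illustration; this is not Jif's
# type system, label model or syntax, and the program encoding is invented.
from typing import Dict, FrozenSet, List

# A label is the set of principals permitted to read the data.  A smaller
# set is more restrictive.  ALL stands for "public" in our closed world.
Label = FrozenSet[str]
ALL: Label = frozenset({"alice", "bob", "server"})


def flows_to(src: Label, dst: Label) -> bool:
    """src may flow to dst only if dst reveals the data to nobody new,
    i.e. every reader of dst is already a reader of src."""
    return dst <= src


def join(*labels: Label) -> Label:
    """Least upper bound: a value computed from several inputs may be read
    only by principals allowed to read all of them (set intersection)."""
    out: Label = ALL
    for lab in labels:
        out = out & lab
    return out


# Program encoding (invented for this example):
#   ("assign", dst, [src1, src2, ...])   dst := f(src1, src2, ...)
#   ("if", cond, [stmt, ...])            run the body under a raised pc label
def check(env: Dict[str, Label], prog: List[tuple], pc: Label = ALL) -> List[str]:
    """Return a list of illegal flows; an empty list means the program is
    accepted.  `pc` is the label of the control-flow context, which taints
    every write made under a branch on sensitive data."""
    errors: List[str] = []
    for stmt in prog:
        if stmt[0] == "assign":
            _, dst, srcs = stmt
            incoming = join(pc, *(env[s] for s in srcs))
            if not flows_to(incoming, env[dst]):
                errors.append(
                    f"illegal flow into {dst!r}: data readable by "
                    f"{sorted(incoming)} written to a variable readable by "
                    f"{sorted(env[dst])} (pc readers: {sorted(pc)})"
                )
        elif stmt[0] == "if":
            _, cond, body = stmt
            # Anything written inside the branch reveals information about
            # `cond`, so the body is checked with pc joined with cond's label.
            errors.extend(check(env, body, pc=join(pc, env[cond])))
        else:
            raise ValueError(f"unknown statement {stmt[0]!r}")
    return errors


# Constructed environment: labels for four variables.
ENV: Dict[str, Label] = {
    "secret": frozenset({"alice"}),          # only alice may read
    "shared": frozenset({"alice", "bob"}),
    "public": ALL,
    "out": ALL,
}

# 1. Flows "uphill" toward more restrictive labels are fine.
PROG_OK = [("assign", "secret", ["public", "shared"])]
# 2. Explicit leak: a secret written to a public variable.
PROG_EXPLICIT_LEAK = [("assign", "out", ["secret"])]
# 3. Implicit leak: the operand is public, but the write happens under a
#    branch on the secret, so the value of `out` reveals one bit of it.
PROG_IMPLICIT_LEAK = [("if", "secret", [("assign", "out", ["public"])])]


if __name__ == "__main__":
    for name, prog in [("ok", PROG_OK), ("explicit", PROG_EXPLICIT_LEAK),
                       ("implicit", PROG_IMPLICIT_LEAK)]:
        print(name, check(ENV, prog) or "accepted")
```

The third program is the one a runtime taint tracker typically misses: nothing secret is ever copied, yet whether `out` was written depends on the secret. A static checker sees this because the branch raises the pc label. A real language of this kind also needs a controlled declassification operation for the cases where releasing a derived result is intended (a vote tally, a password check outcome), which this toy deliberately omits.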
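The COCA paragraph (replicating a private key for fault tolerance makes it more vulnerable to compromise) and the CorSSO paragraph (compromise or failure of authenticators within a threshold does not affect correctness) above describe the same tension, so one added example serves both. The page does not describe either project's actual protocol; what follows is the textbook Shamir threshold secret-sharing scheme over a prime field, written for this page and not taken from COCA or CorSSO. The parameters n=5 and t=3 and the sample key are constructed for the demonstration.

```python
# Shamir threshold secret sharing over a prime field, added here to make the
# replication-versus-security tension concrete.  This is the textbook scheme,
# not COCA's or CorSSO's actual protocol (neither is described on this page);
# the parameters n=5, t=3 and the sample key are constructed for the demo.
import secrets
from typing import List, Tuple

Share = Tuple[int, int]          # (x, f(x)) with x in 1..n
P = (1 << 521) - 1               # Mersenne prime; secrets must be < P


def split(secret: int, n: int, t: int) -> List[Share]:
    """Split `secret` into n shares such that any t of them reconstruct it
    and any t-1 of them are statistically independent of it."""
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    if not 1 <= t <= n < P:
        raise ValueError("need 1 <= t <= n")
    # Random polynomial of degree t-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]

    def f(x: int) -> int:
        y = 0
        for c in reversed(coeffs):          # Horner's rule mod P
            y = (y * x + c) % P
        return y

    return [(x, f(x)) for x in range(1, n + 1)]


def reconstruct(shares: List[Share]) -> int:
    """Lagrange-interpolate f(0) from the given shares.  With at least t
    distinct shares this is the secret; with fewer it is a random field
    element, which is exactly the point."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def tolerances(n: int, t: int) -> Tuple[int, int]:
    """(crashes tolerated, compromises tolerated): the secret stays available
    while up to n - t servers are down, and stays confidential while an
    attacker holds at most t - 1 shares.  Plain n-way replication of the key
    gives (n - 1, 0): every extra replica helps availability and hurts
    confidentiality, which is the tension the COCA paragraph describes."""
    return n - t, t - 1


# Constructed 256-bit "private key" for the demonstration.
KEY = int.from_bytes(b"\x42" * 32, "big")

if __name__ == "__main__":
    shares = split(KEY, n=5, t=3)
    print("any 3 of 5 recover the key:", reconstruct(shares[:3]) == KEY)
    print("2 of 5 do not:", reconstruct(shares[:2]) == KEY)
    print("crashes/compromises tolerated for (5,3):", tolerances(5, 3))
```

Two caveats a practitioner would want. First, calling `reconstruct` reassembles the key on one machine, which recreates the single point of compromise the scheme was meant to remove; a certification authority or sign-on service that signs with a shared key needs a threshold signature protocol in which each server computes a partial signature from its share and the key is never reassembled. Second, an adversary who compromises servers one at a time over a long period eventually collects t shares unless the shares are periodically refreshed (re-split under fresh randomness so that old shares become useless).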