Security Research at Harvard SEAS. Stephen Chong Asst. Prof. of Computer Science Harvard SEAS Cybersecurity Awareness Day Oct

Transcription

1 Security Research at Harvard SEAS Stephen Chong Asst. Prof. of Computer Science Harvard SEAS Cybersecurity Awareness Day Oct

2 What Must You Trust? Bank Browser User-level libraries EVERYTHING Operating system Kernel, Modules, Device Drivers, File System, Networking,... Hypervisor CPU, Memory & Devices Facebook 2

3 We need... Advances that cut across traditional disciplines New hardware architectures New systems software architectures New policy enforcement techniques New cryptographic techniques New techniques for minimizing trust New markets, application contexts Policy & law 3

4 Computer Security Research at SEAS Eddie Kohler Margo Seltzer Salil Vadhan Greg Morrisett Michael Rabin David Parkes Latanya Sweeney Jonathan Zittrain Steve Chong Michael Mitzenmacher Jim Waldo Yiling Chen 4

5 Cryptography Policy/law Michael Rabin Jonathan Zittrain Michael Mitzenmacher Salil Vadhan Privacy Jim Waldo Latanya Sweeney Yiling Chen David Parkes Mechanism design Programming languages Information-flow Steve Chong Operating systems Margo Seltzer Eddie Kohler Greg Morrisett 5

6 Privacy Tools for Sharing Data

7 Computational Social Science The potential: massive new sources of data and ease of sharing will revolutionize social science. The problem: protecting the privacy of individual subjects privacy open data utility traditional approaches (e.g. stripping PII ) e.g. NYT 5/21/12 Troves of Personal Data, Forbidden to Researchers privacy

8 Our Goal utility Achieve: privacy privacy open data open data & Via: Dwork (MSR) social science Altman (MIT) privacy Chong Nissim (BGU) computer science Vadhan King Sweeney statistics Airoldi Crosas Malone law & policy

9 Elements of Our Approach Defining & Measuring Privacy Mathematical, legal, statistical, experimental Defining & Measuring Data Utility Replicating real studies on real data Implemented on IQSS Tools for Privacy Algorithms Legal instruments & best practices 52,000 studies, 700,000 files. Sociology, Political Science, Economics, Psychology, Anthropology, and aspects of Public Policy, Education, Law, Public Health, History Education & Outreach Open materials & videos Multidisciplinary training 9

10 Why Are We Doing This? Why is this important? Two values: privacy & knowledge. Why do it now? Urgent need in computational social science. New insights from CS & stats Why us? Integrated multidisciplinary approach Experienced team, already collaborating, with institutional support External impact through Dataverse Network 10

11 STONESOUP Securely Taking on Executable Software of Uncertain Provenance CHILI Cornell, Harvard, Illinois Initiative

12 CHILI Greg Morrisett Steve Chong Vikram Adve University of Illinois Andrew Myers Cornell University 12

13 Big picture How can we securely execute software? Who wrote it? May be malicious Or just have bugs. We don t have a spec for it But we want it to do the right thing How does the executable relate to the source code? 13

14 Multi-pronged approach Analysis, Confinement, Diversification, Verification Analyze code before we execute it Understand potential vulnerabilities Confine vulnerabilities and errors in the program Diversify the program, to increase robustness against attacks Verify that the executing program Two key ideas Memory safety Array-bounds violations; format string errors; uninitialized variables; dangling pointers Helps ensure our analyses are sound Information-flow control Help confine errors and vulnerabilities precisely 14

15 Architecture Number handling analysis Info-flow monitoring Memory safety checks Java Information flow analysis Object analysis Dynamic instrumentation Runtime enforcement Dynamic type checking Polyglot Java static analysis pointer analysis, call graph, information flow, & number handling analysis results Optimization validation (LLVM MD) SVA type checker Verification memory safe bitcode C/C++ Java (VMKit) C/C++ (clang) LLVM front ends LLVM bitcode Pool allocation Data Structure Analysis Static instrumentation Static array bounds checking (Capsaicin) Static analysis &Transformations Secure Virtual Architecture (SVA) 15

16 Integer overflow Computers can only represent finitely different numbers E.g., with 32 bits, the largest (signed) integer is 2,147,483,647 2,147,483, = 2,147,483,647 2,147,483, = -2,147,483,648 Programmers often forget this But sometimes they use it Integer overflows can cause security vulnerabilities! How do we stop the security vulnerabilities while allowing the intentional uses of integer overflow? 16

17 Information-flow Problem: Data from an untrusted source causes overflow, which influences a dangerous operation Insight: Controlling information flow can mitigate integer overflow vulnerabilities, with few false positives 17

18 Solution Analysis Information-flow analysis to understand which integer overflows are a problem Confinement Dynamic and static techniques to restrict flow of overflowed integers Diversification Defense in depth: make it harder for integer overflow vulnerabilities to be exploited Verification Make sure compiler did not introduce additional vulnerabilities 18

19 Cryptography Policy/law Michael Rabin Jonathan Zittrain Michael Mitzenmacher Salil Vadhan Privacy Jim Waldo Latanya Sweeney Yiling Chen David Parkes Mechanism design Programming languages Information-flow Steve Chong Operating systems Margo Seltzer Eddie Kohler Greg Morrisett 19