The Security and Privacy Day is a biannual workshop sponsored by the greater
New York City area computer security research community for bringing area
researchers together, fostering multi-institutional collaborations, and
discussing and exchanging our ideas and experiences with security and
privacy research. We invite you to attend and encourage you to submit a
proposal for a poster or demonstration. Registration is required if you
plan to attend.
The 2008 S&P Day is hosted by Stony Brook University on Friday, May 30, 2008.
While registration is free, please register here by May 25.
The program consists of technical keynote lectures from distinguished
researchers in the area. In addition, there are group introductions, student
presentations, and a poster session to
promote awareness of current S&P research at various graduate departments in
the North-East area, and stimulate collaborations between academia and
industry. A second optional day (Saturday) includes a series of social
activities (short research rump sessions, wine tasting trip, boat tour and
dinner) intended to both enable synergies between participants and showcase
the beautiful areas and beaches of Long Island.
Directions and Parking.
The Spring S&P Day will be held in the
Charles B. Wang
Center (Lecture Hall 2). Directions can be found
here.
Here are the Google
Maps and the Yahoo Maps pointers to Stony Brook.
Parking directions can be found on this
map. We recommend parking in the "administration parking garage" depicted in E5
on the map. The Wang Center is right across from the garage (250 ft).
Another set of directions (to the Wang Center building in E4, right in front of the garage) with more
options can be found here.
If you would prefer to take the train from Penn Station in Manhattan,
here is the schedule to Stony Brook.
You likely need to make the 7:49am train in Penn, or, in the worst case,
the 9:15 that gets here at 11:10. Update: the 9:15am train is actually replaced by buses now, and as a result
it takes much longer. Try to make the 7:49am train. This is another map
(#3 is the garage, #61 is the RR station, and #14 is the Wang Center).
More detailed instructions here.
Preliminary Program
Friday
| 09:00 - 09:50 |
Registration and Breakfast |
| 09:50 - 10:00 |
Welcome and Opening Remarks |
|
Language-based Security: |
| 10:00 - 10:30 |
Invited Talk: Michael Hicks, Maryland
|
| |
Cross-tier, Label-based Security Enforcement for Web Applications
This talk will present SELinks, an extension of the Links web
programming language, that allows a database and web server to
collaboratively enforce a security policy with high assurance.
SELinks has a number of benefits. First, the relationship between
data and its security label is made explicit by the SELinks type
system, which allows the compiler to ensure that a policy is always
correctly enforced. Next, application-specific logic is communicated
seamlessly to the database by compiling SELinks code and values to
user-defined functions and custom datatypes, respectively, to be
stored in the database. As a result, application-specific security
policies can be enforced at the database while processing queries,
improving both the overall efficiency of the application, as well as
ensuring that sensitive data never leaves the database needlessly.
Our experience with two sizeable web applications indicates that
cross-tier policy enforcement in SELinks is flexible, relatively easy
to use and improves efficiency, in terms of increased throughput, by
as much as an order of magnitude. More information about SELinks can
be found here.
|
| 10:30 - 11:00 |
Invited Talk: Marco Pistoia, IBM Research
|
| |
A Language for Information Flow: Dynamic Tracking in Multiple Interdependent Dimensions
In this talk, we present a new language for dynamic tracking of
information flow across multiple, interdependent dimensions of
information. Typical dimensions of interest are integrity and
confidentiality. Our new language supports arbitrary domain-specific
policies that can be developed independently. Our language treats
information-flow metadata as a first-class entity and tracks information
flow on the metadata itself (integrity on integrity, integrity on
confidentiality, etc.). In this talk, we also define Information
Management POlicies in a LImited Trust Environment (IMPOLITE), a novel
class of information-flow policies for the language. Unlike many systems,
which only allow for absolute-security relations, IMPOLITE can model more
realistic security policies based on relative-security relations. IMPOLITE
demonstrates how policies on interdependent dimensions of information can
be simultaneously enforced within the unified framework of the language.
Joint work with Avraham Shinnar (Harvard University) and Anindya Banerjee
(Kansas State University).
|
| 11:00 - 11:30 |
Coffee Break |
|
Security and Outsourcing: |
| 12:00 - 12:30 |
Talk: Wendy Hui Wang, Stevens
|
| |
Security and Efficiency of Outsourced XML Databases
Motivated by the "database-as-service" (DAS) paradigm wherein data owned
by a client is hosted by a third-party server, there is significant
interest in secure and efficient query evaluation over encrypted
databases. In this talk, we will discuss several security and efficiency
issues of query evaluation over encrypted XML databases in the DAS model.
Specifically, we will explain our security model and discuss the
techniques that we proposed to evaluate queries efficiently over XML
databases with provable security guarantees.
|
| 11:30 - 12:00 |
Invited Talk: Suresh Chari, IBM Research
|
| |
Security Challenges in the SaaS Model
In this talk I will survey the Software as a Service (SaaS) landscape and
highlight a number of security challenges which arise with this model.
Specifically I will describe problems in identity management, secure
composition and multi-tenancy.
|
| 12:30 - 14:15 |
Lunch and Poster Session |
|
Network Security: |
| 14:15 - 14:45 |
Invited Talk: Rebecca Wright, Rutgers
|
| |
Rational ASes and Traffic Attraction: Incentives for honestly announcing paths in BGP
We model the task of interdomain routing---the task of connecting the
networks that compose the Internet---as an iterative, highly
distributed, asynchronous game. Unlike previous examinations of this
game, we assume that each node derives a utility depending not only
on the route it believes it is assigned in the outcome, but also on
other nodes assigned to route through it. This more realistic model
decouples forwarding from signaling and captures out-of-band business
relationships that may affect nodes' behavior in the game and the
difficulty of monitoring traffic flows on the Internet. We show by
example that conditions that guarantee incentive compatibility when
utility does not depend on signaling do not provide this assurance in
the model we study. We also extend the well-studied Stable Paths
Problem to decouple forwarding from signaling. We show that this
allows stable signaling solutions to have forwarding loops and we
give a sufficient condition to prevent this. Finally, we provide
positive results about incentive compatibility when using utility
functions that depend on both forwarding and signaling; this relies
on nodes having next-hop policies (so that their forwarding
preferences depend only on the next hops of available routes) and
certain other assumptions. In conjunction with these results, we
provide examples of networks that violate these conditions and in
which nodes have incentive to lie about their chosen paths.
This is joint work with Sharon Goldberg, Shai Halevi, Aaron Jaggard,
and Vijay Ramachandran.
|
| 14:45 - 15:15 |
Invited Talk: Fabian Monrose, Johns Hopkins
|
| |
Information Leakage in Encrypted Network Traffic
Over the past few years, Voice over IP (VoIP) has become an attractive
alternative to more traditional forms of telephony. Naturally, with
its increasing popularity in daily communications, practitioners are
continually exploring ways to improve both the efficiency and security
of this new communication technology. Unfortunately, while it is well
understood that VoIP packets must be encrypted to ensure
confidentiality, we show that simply encrypting packets may not be
sufficient from a privacy standpoint. In this talk, we focus on
information leakage in encrypted VoIP communications. In particular,
we will show that when VoIP packets are first compressed with variable
bit rate (VBR) encoding schemes to save bandwidth, and then encrypted
with a length preserving stream cipher to ensure confidentiality, it
is possible to determine the language spoken in the encrypted
conversation, and more importantly, to spot arbitrary phrases of
interest within the encrypted conversation. We will discuss the
underlying reasons for the success of our techniques, and present a
summary of our findings.
|
|
Trusted Hardware: |
| 15:15 - 15:45 |
Talk: Radu Sion, Stony Brook
|
| |
Having Fun with Trusted Hardware
In which we chat a bit about trusted hardware and how to use it for entertainment and profit.
|
| 15:45 - 16:00 |
Coffee Break |
|
Privacy and Anonymity: |
| 16:00 - 16:30 |
Invited Talk: Vijay Atluri, Rutgers
|
| |
Privacy Challenges in Customized Location Based Services
Location based services (LBS) aim at delivering point of need information.
Personalization and customization of such services, based on the profiles
of mobile users, would significantly increase their value. Since profiles
may include sensitive information of mobile users and moreover can help
identify a person, customization is allowed only when the security and
privacy policies dictated by them are respected. In this talk, we discuss
the problem of privacy preservation via anonymization by extending the
well-known notion of k-anonymity to "profile based k-anonymization" that
guarantees anonymity even when profiles of mobile users are known to
untrusted entities. Specifically, we discuss approaches to generalize both
location and profiles to the extent specified by the user, and how
different types of queries in this environment can be efficiently
processed.
|
| 16:30 - 17:00 |
Invited Talk: Angelos Keromytis and Sambuddho Chakravarty, Columbia
|
| |
Simulating a Global Passive Adversary for Attacking Tor-like Anonymity Systems
We present a novel, practical, and effective mechanism for identifying
the IP address of Tor clients. We approximate an almost-global passive
adversary (GPA) capable of eavesdropping anywhere in the network by
using LinkWidth, a novel bandwidth-estimation
technique. LinkWidth allows network edge-attached entities to estimate
the available bandwidth in an arbitrary Internet link without a
cooperating peer host, router, or ISP. By modulating the bandwidth of
an anonymous connection (e.g., when the destination server or
its router is under our control), we can observe these fluctuations as
they propagate through the Tor network and the Internet to the
end-user's IP address. Our technique exploits one of the design
criteria for Tor (trading off GPA-resistance for improved
latency/bandwidth over MIXes) by allowing well-provisioned (in terms
of bandwidth) adversaries to effectively become GPAs.
Although timing-based attacks have been demonstrated against
non-timing-preserving anonymity networks, they have depended either on
a global passive adversary or on the compromise of a substantial
number of Tor nodes. Our technique does not require compromise of
any Tor nodes or collaboration of the end-server (for some
scenarios). We demonstrate the effectiveness of our approach in
tracking the IP address of Tor users in a series of experiments. Even
for an under-provisioned adversary with only two network vantage
points, we can accurately identify the end user (IP address) in many
cases. Furthermore, we show that a well-provisioned adversary, using a
topological map of the network, can trace back the path of an
anonymous user in under 20 minutes. Finally, we can trace an anonymous
Location Hidden Service in approximately 120 minutes.
|
| 17:00 |
Concluding Remarks |
| 18:00 |
Group Outing |
|
Saturday Program (only if > 10 people sign up)
| 10:00 - 14:00 |
Long Island Beach and Wine-Tasting Tour |
| |
|
| 14:00 - 16:00 |
Vineyard Lunch and Research Rump Sessions |
| |
|
| 15:00 - 18:00 |
Optional Boat Trip |
| |
|
| 16:00 |
Conclusion |
|
Registration.
While registration is free, we appreciate your RSVP.
Please register here.
Past S&P Days.
Past S&P Days were hosted by
Stevens
Institute of Technology (Fall 2007),
Columbia
(Spring 2007),
IBM Research
(Fall 2006) etc.