Umesh Shankar's Research page
Publications and Additional Materials including Source Code
Cloud Computing
Cloud Data Protection for the Masses. Offering strong data protection to cloud users while enabling rich applications is a challenging task. We explore a new cloud platform architecture called Data Protection as a Service, which dramatically reduces the per-application development effort required to offer data protection, while still allowing rapid development and maintenance.
- The published article, which appeared as a cover feature in the January 2012 issue of Computer magazine: Dawn Song, Elaine Shi, Ian Fischer, Umesh Shankar, "Cloud Data Protection for the Masses," Computer, vol. 45, no. 1, pp. 39-45, Jan. 2012, doi:10.1109/MC.2012.1. [On the IEEE Computer site] [Bibtex for published article]. The published version is copyright IEEE, 2012.
- Preprint: [PDF]
Browser Security and Privacy
Locked same-origin policies to combat dynamic pharming. Dynamic pharming is a DNS poisoning attack that lets an adversary bypass web authentication by waiting until authentication is complete, then modifying the DNS record to hijack the user's session. A locked same-origin policy in the browser can prevent this attack for SSL-enabled servers by exploiting the fact that the adversary does not have the server's private key. By adding a bit to the same-origin check depending on the validity of the SSL certificate chain, interaction between attacker-generated content and legitimate content is eliminated, even though both are nominally served from the same domain.
- The paper: Chris Karlof, Umesh Shankar, J. D. Tygar and David Wagner. "Dynamic pharming attacks and the locked same-origin policies for web browsers". In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007), November 2007. [PDF] [Bibtex]
A Usability Study of Doppelganger, A Tool for Better Browser Privacy. We conducted a lab study of the usability and effectiveness of Doppelganger (below), measuring how hard it was for people to complete tasks and how well they preserved privacy while doing so.
- The paper: Chris Karlof and Umesh Shankar. Technical Report UCB/EECS-2007-116, University of California at Berkeley, September 2007. [PDF] [Bibtex]
Doppelganger: Better Browser Privacy Without the Bother. Doppelganger represents a new way of thinking about and managing browser cookies, focusing on the privacy-functionality tradeoff and eliminating the need for users to have to think about individual cookies. It automatically explores multiple cookie policies, in many cases making choices without any user interaction. When choices are made, they are graphical left-or-right choices, and the system has a one-click error recovery mechanism.
- Project homepage, with downloadable code: http://www.umeshshankar.com/doppelganger
- The paper: Umesh Shankar and Chris Karlof. "Doppelganger: Better Browser Privacy Without the Bother". In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS 2006), October 2006. [PDF] [Bibtex]
Ph.D. dissertation
Bridging the Gap between People and Policies in Security and Privacy. Read the abstract.
- Download it: Umesh Shankar. Bridging the Gap Between People and Policies in Security and Privacy. Ph.D. dissertation, Technical Report No. UCB/EECS-2006-191, EECS Department, University of California, Berkeley, December 2006. [PDF] [Bibtex]
Trusted Computing
PRIMA: Policy-Reduced Integrity Measurement Architecture. Previous work defined an integrity measurement architecture, which uses a trusted hardware module to generate a chain of trust (from a code integrity perspective) from boot through application and data loads. This allows a machine to attest to what is running on it to a remote party. In this paper, we extend that idea to allow attestations of interactions (information flows) between programs, in particular the CW-Lite property introduced in our NDSS 2006 paper.
- The paper: Trent Jaeger, Reiner Sailer, and Umesh Shankar. "PRIMA: Policy-Reduced Integrity Measurement Architecture." In Proceedings of the 11th ACM Symposium on Access Control Models and Technologies (SACMAT 2006), June 2006. [PDF] [Bibtex]
Preventing Secret Leakage. In a privilege-separated application, a trusted process forks an untrusted one and may inadvertently leak secrets or file handles containing sensitive data. This paper details the many ways that can happen and proposes solutions, most notably a combined control-flow and dataflow static analysis, to eliminate the threat.
- The paper: Umesh Shankar and David Wagner. "Preventing Secret Leakage from fork(): Securing Privilege-Separated Applications." In Proceedings of the 2006 IEEE International Conference on Communications (Network Security and Information Assurance Symposium at ICC 2006), June 2006. [Postscript] [PDF] [Bibtex]
CW-Lite. OS security policies can be difficult to configure, and hard to verify as secure. We define a useful secure information-flow property, which we term CW-Lite, that says that untrusted processes should not be able to send unfiltered inputs to trusted processes. This is a basic security concern which can lead to system compromise, but it is unverified on most systems today because there is no effective, easy way to do the verification. A big advantage of our approach is that system administrators can perform a completely automated verification of CW-Lite using our tools, making it easier to integrate into a system.
- The paper: Umesh Shankar, Trent Jaeger, and Reiner Sailer. "Toward Automated Information-Flow Integrity Verification for Security-Critical Applications." In Proceedings of the 13th Network and Distributed System Security Symposium (NDSS 2006), February 2006. [Postscript] [PDF] [Bibtex]
Side effects are not sufficient to authenticate software. In 2003, a scheme called "Genuinity" for verifying trusted software on remote clients, without using trusted hardware, was proposed. It used a piece of checksum code which incorporated side-effects (e.g., TLB miss count) of its own computation into the checksum. We describe an attack on the scheme's main checksum primitive as well as larger scale attacks. We also show that the scheme is quite impractical and give both technical and economic reasons why similar schemes are likely to fail.
- The conference paper: Umesh Shankar, Monica Chew, J. D. Tygar. "Side effects are not sufficient to authenticate software." In Proceedings of the 13th USENIX Security Symposium, August 2004. [Postscript] [PDF] [Bibtex]
- The code: Genuinity + attack implementation. Be sure to read the README.
- Technical report containing a response to a critique of our paper by the Genuinity authors: Umesh Shankar, Monica Chew, J. D. Tygar. "Side effects are not sufficient to authenticate software." UC Berkeley EECS Technical Report UCB/CSD-04-1363. [Postscript] [PDF] [Bibtex]
Sensor and Ad-hoc Networks
Security for Demand-Response / Sensor Nets. I worked with a group of researchers from CS, EE, and the law school on security issues in the proposed "demand-response" system, which would impose tiered pricing for electrical power in the State of California. The idea behind demand-response is to cut peak load on the grid, which is the source of problems like blackouts and very high costs of generation, by raising the price during peak times. Part of this solution involves responding to price changes, and sensor nets were proposed to do that. This report addresses technical and legal issues surrounding DR and, to that end, sensor network security as well.
- P. A. Subrahmanyam, David Wagner, Umesh Shankar, Deirdre K. Mulligan, Erin Jones, Jack Lerner. Network Security Architecture for Demand Response/Sensor Networks. Technical report, on behalf of California Energy Commission, Public Interest Energy Research Group, January 2005. [PDF] [Bibtex]
Secure Location Verification is about securely verifying that a wireless (probably sensor network-like) node is where it claims to be. This enables access control based solely on location and not any knowledge of secrets. Our protocol is called the Echo Protocol; it is very lightweight, not requiring prearranged key setup or time synchronization. For a more in-depth summary, see Naveen Sastry's page.
- The paper: Naveen Sastry, Umesh Shankar, David Wagner. "Secure Verification of Location Claims." ACM Workshop on Wireless Security (WiSe 2003). September 19, 2003. [Postscript] [PDF] [Bibtex]
- Another version appeared in RSA Labs' Spring 2004 CryptoBytes publication (vol. 6, no. 1). [PDF]
- Older version: Tech Report UCB//03-1245: Naveen Sastry, Umesh Shankar, David Wagner. "Secure Verification of Location Claims." Tech Report. University of California, Berkeley. June 2003. [Postscript] [PDF]
Self-Tuning Energy-Aware Multichannel (STEAM) Scheduling is a system for scheduling tree-based communication on sensor networks to minimize the energy used. The scheme is self-tuning, meaning that it automatically adapts so as to converge to a minimum-energy configuration with low protocol overhead. Scheduling is done in a distributed fashion using only local information, so the number of state exchange messages is kept low. Scheduling is done over the time and frequency domains, which precludes the use of overhearing; our system does not rely on hearing any messages not destined for it. We present analytic results and simulation results.
- Tech Report UCB//04-1300: Umesh Shankar. "Self-Tuning Energy-Aware Multichannel (STEAM) Scheduling." Tech Report. University of California, Berkeley. March 2004. [Postscript] [PDF] [Bibtex]
Intrusion Detection
Active Mapping is work I did with Vern Paxson on trying to eliminate ambiguities in TCP/IP streams that make it possible to evade Network Intrusion Detection Systems. The system can send carefully crafted packets to an end host to determine how that host handles corner cases or invalid packet sequences; differences among hosts make it easier to mount attacks undetected. Once the host behavior database has been compiled (it takes only seconds per host) it can be used to make accurate decisions in the intrusion detection system without any measurable runtime cost.
- The paper: Umesh Shankar and Vern Paxson. "Active Mapping: Resisting NIDS Evasion Without Altering Traffic." In Proceedings of the 2003 IEEE Symposium on Security and Privacy, May 2003. [PDF] [Postscript] [Bibtex]
- My master's thesis (slightly older than the IEEE version, but with more explanation): Tech Report UCB//CSD-2-03-1246. "Active Mapping: Resisting NIDS Evasion Without Altering Traffic." University of California, Berkeley. December 2002. [PDF] [Postscript] [Bibtex]
- The code: The Active Mapper code is available. No warranties etc.
Stepping-Stone Detection using wavelet analysis. The problem is that an attacker uses a series of machines on the way to attacking a target; you'd like to know if a given machine is being used as a stepping stone. This means trying to see whether an outgoing stream corresponds to an incoming one, looking just at the network, when the output may have been altered in an attempt to disguise the traffic.
- The paper: David L. Donoho, Ana Georgina Flesia, Umesh Shankar, Vern Paxson, Jason Coit, and Stuart Staniford. "Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay." Recent Advances in Intrusion Detection, 5th International Symposium. In Lecture Notes in Computer Science 2516, Wespi et al., eds., Springer, New York. 2002. [PDF] [Bibtex]
Static Analysis
Automatic Detection of Format-String Bugs is a paper describing the use of type qualifiers to catch format-string bugs in C programs automatically. Format string bugs arise when you write sprintf(buf, "%s") and the argument is user-supplied input; an attacker may overflow the buffer and take control of the process. We leverage the CQUAL system for adding user-defined types to C in order to perform a "taint analysis" that detects this bug with only a small number of user annotations.
- The paper: Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, and David Wagner. "Automated Detection of Format-String Vulnerabilities Using Type Qualifiers," in Proceedings of the 10th USENIX Security Symposium, August 2001. [HTML] [PDF] [Bibtex]
- The code: "Percent-S" is a tool for automatically detecting format-string security holes in C programs. It's available as part of the CQual distribution.
E-Commerce
"A Survey of Security in Online Credit Card Payments" with Miriam Walker. For a Spring 2001 class on Electronic Commerce. [Word] [HTML] [PDF]