Umesh Shankar's Research page

Publications and Additional Materials including Source Code

Cloud Computing

Cloud Data Protection for the Masses. Offering strong data protection to cloud users while enabling rich applications is a challenging task. We explore a new cloud platform architecture called Data Protection as a Service, which dramatically reduces the per-application development effort required to offer data protection, while still allowing rapid development and maintenance.

Browser Security and Privacy

Locked same-origin policies to combat dynamic pharming. Dynamic pharming is a DNS poisoning attack that lets an adversary bypass web authentication by waiting until authentication is complete, then modifying the DNS record to hijack the user's session. A locked same-origin policy in the browser can prevent this attack for SSL-enabled servers by exploiting the fact that the adversary does not have the server's private key. By adding a bit to the same-origin check depending on the validity of the SSL certificate chain, interaction between attacker-generated content and legitimate content is eliminated, even though both are nominally served from the same domain.
A Usability Study of Doppelganger, A Tool for Better Browser Privacy. We conducted a lab study of the usability and effectiveness of Doppelganger (below), measuring how hard it was for people to complete tasks and how well they preserved privacy while doing so.
Doppelganger: Better Browser Privacy Without the Bother.  Doppelganger represents a new way of thinking about and managing browser cookies, focusing on the privacy-functionality tradeoff and eliminating the need for users to have to think about individual cookies. It automatically explores multiple cookie policies, in many cases making choices without any user interaction. When choices are made, they are graphical left-or-right choices, and the system has a one-click error recovery mechanism. 

Ph.D. dissertation

Bridging the Gap between People and Policies in Security and Privacy. Read the abstract

Trusted Computing

PRIMA: Policy-Reduced Integrity Measurement Architecture. Previous work defined an integrity measurement architecture, which uses a trusted hardware module to generate a chain of trust (from a code integrity perspective) from boot through application and data loads. This allows a machine to attest to what is running on it to a remote party. In this paper, we extend that idea to allow attestations of interactions (information flows) between programs, in particular the CW-Lite property introduced in our NDSS 2006 paper.

Preventing Secret Leakage. In a privilege-separated application, a trusted process forks an untrusted one and may inadvertently leak secrets or file handles containing sensitive data. This paper details the many ways that can happen and proposes solutions---most notably a combined control-flow and dataflow static analysis---to eliminate the threat.
CW-Lite. OS security policies can be difficult to configure, and hard to verify as secure. We define a useful secure information-flow property, which we term CW-Lite, that says that untrusted processes should not be able to send unfiltered inputs to trusted processes. This is a basic security concern which can lead to system compromise, but it is unverified on most systems today because there is no effective, easy way to do the verification. A big advantage of our approach is that system administrators can perform a completely automated verification of CW-Lite using our tools, making it easier to integrate into a system.

Side effects are not sufficient to authenticate software. In 2003, a scheme called "Genuinity" for verifying trusted software on remote clients --- without using trusted hardware --- was proposed. It used a piece of checksum code which incorporated side-effects (e.g., TLB miss count) of its own computation into the checksum. We describe an attack on the scheme's main checksum primitive as well as larger scale attacks. We also show that the scheme is quite impractical and give both technical and economic reasons why similar schemes are likely to fail.

Sensor and Ad-hoc Networks

Security for Demand-Response / Sensor Nets. I worked with a group of researchers from CS, EE, and the law school on security issues in the proposed "demand-response" system, which would impose tiered pricing for electrical power in the State of California. The idea behind demand-response is to cut peak load on the grid, which is the source of problems like blackouts and very high costs of generation, by raising the price during peak times. Part of this solution involves responding to price changes and sensor nets were proposed to do that. This report addresses technical and legal issues surrounding DR, and, to that end, sensor network security as well.
Secure Location Verification is about securely verifying that a wireless (probably sensor network-like) node is where it claims to be. This enables access control based solely on location and not any knowledge of secrets. Our protocol is called the Echo Protocol; it is very lightweight, not requiring prearranged key setup or time synchronization.
For a more in-depth summary, see Naveen Sastry's page
Self-Tuning Energy-Aware Multichannel (STEAM) Scheduling is a system for scheduling tree-based communication on sensor networks to minimize the energy used. The scheme is self-tuning, meaning that it automatically adapts so as to converge to a minimum-energy configuration with low protocol overhead. Scheduling is done in a distributed fashion using only local information, so the number of state exchange messages is kept low. Scheduling is done over the time and frequency domains, which precludes the use of overhearing; our system does not rely on hearing any messages not destined for it. We present analytic results and simulation results.

Intrusion Detection

Active Mapping is work I did with Vern Paxson on trying to eliminate ambiguities in TCP/IP streams that make it possible to evade Network Intrusion Detection Systems. The system can send carefully crafted packets to an end host to determine how that host handles corner cases or invalid packet sequences; differences among hosts make it easier to mount attacks undetected. Once the host behavior database has been compiled (it takes only seconds per host) it can be used to make accurate decisions in the intrusion detection system without any measurable runtime cost.
Stepping-Stone Detection using wavelet analysis. The problem is that an attacker uses a series of machines on the way to attacking a target; you'd like to know if a given machine is being used as a stepping stone. This is trying to see if an outgoing stream corresponds to an incoming one looking just at the network, when the output may have been altered in an attempt to disguise the traffic.

Static Analysis

Automatic Detection of Format-String Bugs is a paper describing the use of type qualifiers to catch format-string bugs in C programs automatically. Format string bugs arise when you say sprintf(buf, "%s") and the argument is user-supplied input; an attacker may overflow the buffer and take control of the process. We leverage the CQUAL system for adding user-defined types to C in order to perform a "taint analysis" that detects this bug with only a small number of user annotations.


"A Survey of Security in Online Credit Card Payments" with Miriam Walker. For a Spring 2001 class on Electronic Commerce.