Publications and Additional Materials
Cloud Data Protection for the Masses
Offering strong data protection to cloud users while enabling rich applications is a challenging task. We explore a new cloud platform architecture called Data Protection as a Service, which dramatically reduces the per-application development effort required to offer data protection, while still allowing rapid development and maintenance.
- The published article, which appeared as a cover feature in the January 2012 issue of Computer magazine: Dawn Song, Elaine Shi, Ian Fischer, Umesh Shankar, "Cloud Data Protection for the Masses," Computer, vol. 45, no. 1, pp. 39-45, Jan. 2012, doi:10.1109/MC.2012.1
[On the IEEE Computer site]
[Bibtex for published article]. The published version is copyright IEEE, 2012.
- Preprint: [PDF]
Locked same-origin policies to combat dynamic pharming
Dynamic pharming is a DNS poisoning attack that lets an adversary bypass web authentication by waiting until authentication is complete, then modifying the DNS record to hijack the user's session. A browser with a locked same-origin policy can prevent this attack for SSL-enabled servers by exploiting the fact that the adversary does not have the server's private key. By adding a bit to the same-origin check that depends on the validity of the SSL certificate chain, interaction between attacker-generated content and legitimate content is eliminated, even though both are nominally served from the same domain.
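As an added illustration of the locked same-origin check described above (this is not code from the paper; the data model and function names are this example's own assumptions), here is a toy origin comparison that carries the certificate-validity bit alongside the classic (scheme, host, port) tuple:

```python
"""Toy locked same-origin policy check (added illustration, not the paper's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    """Assumed model of a loaded document: where it came from and whether the
    browser validated the server's certificate chain when fetching it."""
    scheme: str
    host: str
    port: int
    cert_chain_valid: bool


def origin(doc: Document) -> tuple:
    """Classic same-origin key: (scheme, host, port)."""
    return (doc.scheme, doc.host, doc.port)


def locked_origin(doc: Document) -> tuple:
    """Locked same-origin key: the classic tuple plus one bit recording whether the
    certificate chain validated. Content fetched after the DNS record is redirected
    to a host that lacks the real server's private key cannot present a valid chain
    for that name, so it lands in a different origin from the legitimate content."""
    return origin(doc) + (doc.cert_chain_valid,)


def may_interact(a: Document, b: Document, locked: bool = True) -> bool:
    """True if the policy lets documents a and b access each other."""
    key = locked_origin if locked else origin
    return key(a) == key(b)


# Constructed scenario: the user authenticates to https://bank.example (chain valid);
# the DNS record is then pointed at a host whose certificate does not validate.
legit = Document("https", "bank.example", 443, cert_chain_valid=True)
after_poison = Document("https", "bank.example", 443, cert_chain_valid=False)


def demo() -> dict:
    """Compare the two policies on the constructed scenario."""
    return {
        "classic_sop_allows": may_interact(legit, after_poison, locked=False),
        "locked_sop_allows": may_interact(legit, after_poison, locked=True),
    }


if __name__ == "__main__":
    print(demo())
```

Under the classic check the two documents share an origin, so the redirected content could read the authenticated session; under the locked check the validity bit separates them.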
- The paper: Chris Karlof, Umesh Shankar, J. D. Tygar and David Wagner. "Dynamic pharming attacks and the locked same-origin policies for web browsers". In Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007), November 2007.
A Usability Study of Doppelganger, A Tool for Better Browser Privacy
We conducted a lab study of the usability and effectiveness of Doppelganger (below), measuring how hard it was for people to complete tasks and how well they preserved privacy while doing so.
- The paper: Chris Karlof and Umesh Shankar. "A Usability Study of Doppelganger, A Tool for Better Browser Privacy." Technical Report UCB/EECS-2007-116, University of California at Berkeley, September 2007.
Doppelganger: Better Browser Privacy Without the Bother
Doppelganger represents a new way of thinking about and managing browser cookies, focusing on the privacy-functionality tradeoff and eliminating the need for users to think about individual cookies. It automatically explores multiple cookie policies, in many cases making choices without any user interaction. When choices are made, they are graphical left-or-right choices, and the system has a one-click error recovery mechanism.
- Project homepage, with downloadable code: http://www.umeshshankar.com/doppelganger
- The paper: Umesh Shankar and Chris Karlof. "Doppelganger: Better Browser Privacy Without the Bother". In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS 2006), October 2006. [PDF] [Bibtex]
Bridging the Gap between People and Policies in Security and Privacy
- Download it:
Umesh Shankar. Bridging the Gap Between People and Policies in Security and Privacy. Ph.D. dissertation, Technical Report No. UCB/EECS-2006-191, EECS Department, University of California, Berkeley, December, 2006.
PRIMA: Policy-Reduced Integrity Measurement Architecture
Previous work defined an integrity measurement architecture which uses a trusted hardware module to generate a chain of trust (from a code integrity perspective) from boot through application and data loads. This allows a machine to attest to what is running on it to a remote party. In this paper, we extend that idea to allow attestations of interactions (information flows) between programs, in particular the CW-Lite property introduced in our NDSS 2006 paper.
- The paper: Trent Jaeger, Reiner Sailer, and Umesh Shankar. "PRIMA: Policy-Reduced Integrity Measurement Architecture." In Proceedings of the 11th ACM Symposium on Access Control Models and Technologies (SACMAT 2006), June 2006. [PDF] [Bibtex]
Preventing Secret Leakage from fork()
In a privilege-separated application, a trusted process forks an untrusted one and may inadvertently leak secrets or file handles containing sensitive data. This paper details the many ways that can happen and proposes solutions---most notably a combined control-flow and dataflow static analysis---to eliminate the threat.
- The paper: Umesh Shankar and David Wagner. "Preventing Secret Leakage from fork(): Securing Privilege-Separated Applications." In Proceedings of the 2006 IEEE International Conference on Communications (Network Security and Information Assurance Symposium at ICC 2006), June 2006. [Postscript] [PDF] [Bibtex]
Toward Information-Flow Integrity Verification for Security-Critical Applications
OS security policies can be difficult to configure, and hard to verify as secure. We define
a useful secure information-flow property, which we term CW-Lite, that
says that untrusted processes should not be able to send unfiltered
inputs to trusted processes. This is a basic security concern which can
lead to system compromise, but it is unverified on most systems today
because there is no effective, easy way to do the verification. A big
advantage of our approach is that system administrators can perform a
completely automated verification of CW-Lite using our tools, making it
easier to integrate into a system.
- The paper: Umesh Shankar, Trent Jaeger, and Reiner Sailer. "Toward
Information-Flow Integrity Verification for Security-Critical
Applications." In Proceedings
of the 13th Network and Distributed System Security Symposium
(NDSS 2006), February 2006. [Postscript][PDF] [Bibtex]
Side effects are not sufficient to authenticate software
In 2003, a scheme called Genuinity for verifying trusted software on remote clients --- without using trusted hardware --- was proposed. It used a piece of checksum code which incorporated side-effects (e.g., TLB miss count) of its own computation into the checksum. We describe an attack on the scheme's main checksum primitive as well as larger scale attacks. We also show that the scheme is quite impractical and give both technical and economic reasons why similar schemes are likely to fail.
- The paper: Umesh Shankar, Monica Chew, J. D. Tygar. "Side effects are not sufficient to authenticate software." In Proceedings of the 13th USENIX Security Symposium, August 2004. [Postscript]
- The code: Genuinity + attack implementation. Be sure to read the README.
- A technical report containing a response to a critique of our paper by the Genuinity authors: Umesh Shankar, Monica Chew, J. D. Tygar. "Side effects are not sufficient to authenticate software." UC Berkeley EECS Technical Report.
Sensor and Ad-hoc Networks
Security for Demand-Response / Sensor Nets
I worked with a group of researchers from CS, EE, and the law school on security issues in the proposed "demand-response" system, which would impose tiered pricing for electrical power in the State of California. The idea behind demand-response is to cut peak load on the grid, which is the source of problems like blackouts and very high costs of generation, by raising the price during peak times. Part of this solution involves responding to price changes, and sensor nets were proposed to do that. This report addresses technical and legal issues surrounding DR and, to that end, sensor network security as well.
- The report: P.A. Subrahmanyam, David Wagner, Umesh Shankar, Deirdre K. Mulligan, Erin Jones, Jack Lerner. Network Security Architecture for Demand Response/Sensor Networks, Technical report, On behalf of California Energy Commission, Public Interest Energy Research Group, January, 2005. [PDF] [Bibtex]
Secure Location Verification
This work is about securely verifying that a (sensor network-like) node is where it claims to be. This control based solely on location and not
Our protocol is called the Echo Protocol; it does not require prearranged key setup or time synchronization. For a more in-depth summary, see Naveen
- The paper: Naveen Sastry, Umesh Shankar, David Wagner. "Secure Verification of Location Claims." ACM Workshop on Wireless Security (WiSe 2003). September 19, 2003. [Postscript] [PDF] [Bibtex]
- A version also appeared in RSA Labs' Spring 2004 CryptoBytes publication (vol. 6, no.
- Older version: Tech Report. Umesh Shankar, David Wagner. "Secure Verification of Location Claims." Tech Report. University of California, Berkeley. June 2003. [Postscript] [PDF]
Self-Tuning Energy-Aware Multichannel (STEAM) Scheduling
STEAM is a system for scheduling tree-based communication on sensor networks to minimize the energy used. The scheme is self-tuning, meaning that it automatically adapts so as to converge to a minimum-energy configuration with low protocol overhead. Scheduling is done in a distributed fashion using only local information, so the number of state exchange messages is kept low. Scheduling is done over the time and frequency domains, which precludes the use of overhearing; our system does not rely on hearing any messages not destined for it. We present analytic results and
- The paper: Tech Report UCB//04-1300: Umesh Shankar. "Self-Tuning Energy-Aware Multichannel (STEAM) Scheduling." Tech Report. University of California, Berkeley. March 2004. [Postscript] [PDF] [Bibtex]
Active Mapping
Active Mapping is work I did with Vern Paxson on ambiguities in TCP/IP streams that make it possible to evade Network Intrusion Detection Systems. The system can send carefully crafted packets to an end host to determine how that host handles corner cases or invalid packet sequences; differences among hosts make it easier to mount attacks undetected. Once the host behavior database has been compiled (it takes only seconds per host) it can be used to make accurate decisions in the intrusion detection system without any measurable
- The paper: Umesh Shankar and Vern Paxson. "Active Mapping: Resisting NIDS Evasion Without Altering Traffic." In Proceedings of the 2003 IEEE Symposium on Security and Privacy, May 2003. [PDF] [Postscript] [Bibtex]
- My master's thesis (slightly older than the IEEE version, but with more explanation): Tech Report UCB//CSD-2-03-1246. "Active Mapping: Resisting NIDS Evasion Without Altering Traffic." University of California, Berkeley. December, 2002. [PDF] [Postscript] [Bibtex]
- The code: The Active Mapper code is available. No warranties etc.
Stepping-Stone Detection
The problem is that an attacker uses a series of machines on the way to attacking a target; you'd like to know if a given machine is being used as a stepping stone. This is trying to see if an outgoing stream corresponds to an incoming one looking just at the network, when the output may have been altered in an attempt to disguise the traffic.
- The paper: David L. Donoho, Ana Georgina Flesia, Umesh Shankar, Vern Paxson, Jason Coit, and Stuart Staniford. "Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay." Recent Advances in Intrusion Detection, 5th International Symposium. In Lecture Notes in Computer Science 2516, Wespi et al., eds., Springer, New York. 2002. [PDF]
Automatic Detection of Format-String Bugs
This work describes the use of type qualifiers to catch format-string bugs in C programs automatically. Format-string bugs arise when the format argument to a printf-style function is user-supplied input; an attacker can then overflow the buffer and take control of the process. We leverage CQual, which adds user-defined type qualifiers to C, in order to perform a "taint analysis" that detects this bug with only a small number of user annotations.
- The paper: Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, and David Wagner. "Automated Detection of Format-String Vulnerabilities Using Type Qualifiers," in Proceedings of the 10th USENIX Security Symposium, August 2001. [HTML] [PDF] [Bibtex]
- The code: "Percent-S" is a tool for detecting format-string security holes in C programs. It's available as part of the CQual distribution.
"A Survey of Security in Online Credit Card
Miriam Walker. For a Spring 2001 class on Electronic Commerce. [Word] [HTML] [PDF]