T-110.5290 Seminar on Network Security P (4 cr)
Topics
Theme:
The theme for the autumn 2010 network security seminar is securing services on the Internet. The implementation of online services is going through a fundamental transition from simple client-server systems to cloud architectures, which promise to reduce cost and improve the scalability of the services but also require rethinking of many engineering aspects including security. Key technologies in this transformation are data centers, virtualization and distributed storage. Research projects also explore advanced architectures for content delivery. Applications are changing from standalone products to ones where functionality is distributed between mobile client devices and online servers. Moreover, applications increasingly take advantage of the social connections and sharing that are possible in the online world. These developments create great opportunities but also risks as the traditional security boundaries disappear and system isolation and data ownership need rethinking. The scalability mechanism needs to take into account denial of service threats, and the distribution of data creates issues with privacy and regulation. The network security seminar this autumn explores a broad range of topics related to the ongoing changes in the way online services are implemented and, ultimately, experienced.
Topics by Markus Miettinen
Challenges in the management of user policies
Using Internet services involves specifying a broad variety of policies that control the security settings and privacy exposure of users. As the number and complexity of these services is increasing, also the amount of security and privacy policies required grows. Many users are overwhelmed with the amount of policy decisions that would be required to set up and maintain a policy set that reflects the user’s security needs and privacy preferences well. There would therefore be a need to make it easier for the user to set up her security and privacy settings. Possible solutions include crafting sensible sets of default policies, or trying to automate the policy decision making. The target of this assignment would be to survey different approaches that have been recently proposed for overcoming the challenges related to the management of security and privacy policies.
References:
1. Danezis, G., Inferring Privacy Policies for Social Networking Services
Proceedings of AISec'09, ACM, 2009, 5-9
2. Edwards, W. K.; Poole, E. S. & Stoll, J., Security automation considered
harmful? NSPW '07: Proceedings of the 2007 Workshop on New Security
Paradigms, ACM, 2008, 33-42
3. Kelley, P. G.; Hankes Drielsma, P.; Sadeh, N. & Cranor, L. F.,
User-controllable learning of security and privacy policies, AISec '08:
Proceedings of the 1st ACM workshop on Workshop on AISec, ACM,
2008, 11-18
Controlling privacy exposure in internet services
When users interact with Internet services and other users on the network, they expose both directly and indirectly information about themselves. In order to protect the users from total erosion of their personal privacy, measures need to be taken to control the amount of information that is revealed. The aim of this assignment would be to look at various ways of how on-line privacy has been modelled and survey some of the techniques that can be used to control user privacy exposure.
References:
1. Beresford, A. R. & Stajano, F., Location privacy in pervasive computing,
Pervasive Computing, IEEE, Jan-Mar 2003, 2, 46-55.
2. Chaum, D. L., Untraceable electronic mail, return addresses, and digital
pseudonyms, Commun. ACM, ACM, 1981, 24, 84-90.
3. Goldschlag, D.; Reed, M. & Syverson, P., Onion routing, Commun. ACM,
ACM, 1999, 42, 39-41.
4. Gruteser, M. & Grunwald, D., Anonymous Usage of Location-Based
Services Through Spatial and Temporal Cloaking, MobiSys ‘03:
Proceedings of the 1st international conference on Mobile systems,
applications and services, ACM, 2003, 31-42.
5. Sweeney, L., k-anonymity: a model for protecting privacy, Int. J. Uncertain.
Fuzziness Knowl.-Based Syst., World Scientific Publishing Co., Inc., 2002,
10, 557-570.
6. Westin, A. F., Privacy and freedom, Atheneum, 1967, (introductory
chapters). Warren, S. D. & Brandeis, L. D., The right to privacy, Harvard
Law Review, 1890, 4, 193-220.
Topics by Yrjö Raivio
Security challenges of hybrid public and private cloud infrastructures
Background:
Cloud technologies are emerging for all ICT areas. On Infrastructure as a Service (IaaS) layer public clouds, such as Amazon Elastic Compute Cloud (EC2), have gained a lot of popularity among startups but also larger web service companies have outsourced their ICT to IaaS providers. At the same time open source based IaaS solutions have been introduced. Two most interesting alternatives are Eucalyptus and Open Nebula that use interoperable APIs with EC2. The fact that private and public clouds use the same APIs, has raised an idea of hybrid systems. This approach can be applied to both product development and the service execution itself. For an example, a company may use private cloud as a testing platform and later port the software to public cloud for deployment, or a company may distribute the product for both private and public clouds.
Research question:
What are the security challenges in the hybrid IaaS approach? You may make a generic study or focus on some specific area.
References:
1. Michael, A., Armando, F., et al.: Above the Clouds: A Berkeley View of
Cloud Computing.
http://nma.berkeley.edu/ark:/28722/bk000471b6t
2. Tianze Xia, Zheng Li, and Nenghai Yu: Research on Cloud Computing
Based on Deep Analysis to Typical Platforms, Springer, CloudCom 2009,
LNCS 5911, pp. 601-608, 2009.
3. Jensen, M., Schwenk, J. O., Gruschka, N. and Iacono, L. L. 2009. On
Technical Security Issues in Cloud Computing.
4. In IEEE International Conference on Cloud Computing (CLOUD-II 2009),
Bangalore, India, September 2009, 109-116.
5. Jan Gabrielsson, Ola Hubertsson, Ig nacio Más and Robert Skog: Cloud
Computing in Telecommunications, Ericsson Review 1/2010.
http://www.ericsson.com/res/thecompany/docs/publications/ericsson_review/2010/cloudcomputing.pdf
6. Peter Mell and Tim Grance: Effectively and Securely Using the Cloud
Computing Paradigm.
http://www.cs.purdue.edu/homes/bb/cs590/handouts/Cloud_NIST.pdf
Privacy challenges of open APIs: case LBS
Background:
Cloud computing and Location Based Services (LBS) are two of the biggest trending topics that concern to the future of the Internet. Location Based Services are a family of context-aware services that make use of the geographical location of mobile devices to provide their functionality. Google Latitude, Yahoo Fire Eagle and lately also Facebook Places utilize location data. Even though LBS offer a number new possibilities, there are also big concerns about the privacy.
Research question:
What are the privacy challenges and especially what are the solutions for the LBS privacy question?
References:
1. A. R. Beresford and F. Stajano. Location privacy in pervasive computing.
IEEE Pervasive Computing, 2(1):46-55, April 2003.
http://www.cl.cam.ac.uk/~arb33/papers/BeresfordStajano-LocationPrivacy-IEEEPervasive2003.pdf.
J. Hong, N. Sadeh, E. Toch, and J. Cranshaw. Empirical Models of
Privacy in Location Sharing. In Ubicomp '10.
3. M. Gruteser and D. Grunwald: Anonymous usage of location-based
services through spacial and temporal cloaking. In Proceedings of the 1st
international conference in mobile systems, pages 31{42. ACM, 2003.
http://portal.acm.org/citation.cfm?id=1189037.
4. Baik Hoh: Protecting location privacy through path confusion. In
SECURECOMM '05: Proceedings of the First International Conference on
Security and Privacy for Emerging Areas in Communications Networks,
pages 194-205, 2005.
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.115.7684.
5. Tobias Kolsch, Lothar Fritsch, Markulf Kohlweiss, and Dogan Kesdogan:
Privacy for profitable location based services. In SPC'05, pages 164-178,
2005.
6. Vincent Lenders, Emmanouil Koukoumidis, Pei Zhang, and Margaret
Martonosi.Location-based trust for mobile user-generated content:
applications, challenges and implementations. In HotMobile '08:
Proceedings of the 9th workshop on Mobile computing systems and
applications, pages 60{64, New York, NY, USA, 2008. ACM.
http://doi.acm.org/10.1145/1411759.1411775.
Data compliancy in cloud services (tentative topic depending on tutor availability)
Background:
Data storage in cloud technologies provides an affordable solution for several industry sectors. However, several industries, such as health care, banks and telecom sector, may have laws relating to the data compliance. This can mean that data must be stored inside the country borders, data must be securely purged after usage, or data must be encrypted.
Research question:
How do you guarantee data compliance in business critical solutions?
References:
1. Richard Chow, Philippe Golle, Markus Jakobsson, Elaine Shi, Jessica
Staddon, Ryusuke Masuoka, and Jesus Molina:
2. Controlling Data in the Cloud: Outsourcing Computation without
Outsourcing Control, Conference on Computer and Communications
Security archive, Proceedings of the 2009 ACM workshop on Cloud
computing security, Chicago, Illinois, USA, pages: 85-90, 2009.
3. Albert Greenberg, James Hamilton, David A. Maltz, and Parveen Patel:
The Cost of a Cloud: Research Problems in Data Center Networks, ACM
SIGCOMM Computer Communication Review, Volume 39, Number 1,
January 2009.
4. Lisa J. Sotto, Bridget C. Treacy, and Melinda L. McLellan: Privacy and
Data Security Risks in Cloud Computing.
http://www.hunton.com/files/tbl_s47Details/FileUpload265/2834/Privacy-Data_Security_Risks_in_Cloud_Computing_2.10.pdf
Topics by Sanna Suoranta
Federated Identity Management in Cloud environment
In cloud environment, services may be assembled from several components that can be even belong to different companies. Federated identity management and single sign-on would benefit this kind of services allowing user to choose her identity provider and sign in only once. Some cloud environments handle the user authentication on services behalf in a centralized manner. The goal of this seminar project is to examine ways in which federated identity management can be integrated into cloud environment.
References:
1. Liang Yan, Chunming Rong, and Gansen Zhao. Strengthen Cloud
Computing Security with Federal Identity Management Using Hierarchical
Identity-Based Cryptography. Proceedings of the 1st International
Conference on Cloud Computing. 2009.
http://www.springerlink.com/content/u78135686475l356/fulltext.pdf
Strong authentication with mobile phones
In Finland, mobile phone network operators are launching a strong authentication service that uses mobile phone SIM cards as storage for mobile certificates. Moreover, phone manufacturers have implemented a secure hardware storage and execution environment in mobile phones that provide platform to implement mobile phone as a secure tokens. Describe how online services service can use the mobile phone based authentication. Compare the different solutions.
References:
1. Kari Kostiainen, Jan-Erik Ekberg, N. Asokan and Aarne Rantala. On-board
credentials with open provisioning. Proceedings of the 4th International
Symposium on Information, Computer, and Communications Security.
2009
http://doi.acm.org/10.1145/1533057.1533074
2. Arjen tietoyhteiskunnan neuvottelukunta, Sähköisen tunnistamisen
kehittämisryhmä, Mobiilitunnistamismentelmät (mobile authentication
methods)
http://www.arjentietoyhteiskunta.fi/file/18/mobiilitunnistamismenetelmat.pdf
3. Arjen tietoyhteiskunnan neuvottelukunta, Sähköisen tunnistamisen
kehittämisryhmä, Vahvan sähköisen tunnistamisen kansalliset linjaukset
Suomessa (strong authentication in Finland)
http://www.arjentietoyhteiskunta.fi/file/89/Sahkoisen_tunnistamisen_kansalliset_linjaukset_080926_lopullinen.pdf
Biometric authentication today
Biometric authentication has found its way to passports, which have digital version of subject photo and fingerprints and other biometric information. Many new laptop computers have fingerprint authentication that can be used to log in instead of passwords. There are many ways to authenticate the user based on what she is. However, biometric authentication has weaknesses, too. For example, fingerprints can be lifted from a surface that the user has touched (e.g. laptop keyboard) and moved to the authentication device. The goal of this seminar project is to survey the state of art in biometric authentication. How is biometric authentication used to authenticate users to online services? What services use biometric authentication today? What kinds of attacks have been implemented against the biometric authentication and how the authentication has been improved after the attacks?
References:
1. Tomi Kinnunen, Filip Sedlak, and Roman Bednarik. Towards
task-independent person authentication using eye movement signals.
Proceedings of the 2010 Symposium on Eye-Tracking Research &
Applications, ACM, 2010.
http://doi.acm.org/10.1145/1743666.1743712
2. Rachid Benlamri, Wael Adi, Ali Al-Qayedi, and Ali Dawood. Secure human
face authentication for mobile e-government transactions. International
Journal of Mobile Communications, Vol 8, Issue 1, 2010.
http://inderscience.metapress.com/media/4gpnxnmqwje1hfpuupvn/contributions/2/7/5/6/27561636q0x66040.pdf
Topics by Andrei Gurtov
Social network security
Social networks are hugely popular nowadays, yet full of security risks such as false identities, spam, and phishing exploits. The goal of the topic is survey existing security threats as well explore an architecture where users could themselves take most of responsiblity for securing the content.
References:
1. http://conferences.sigcomm.org/sigcomm/2010/papers/sigcomm/p363.pdf
2. http://www.cs.helsinki.fi/u/gurtov/papers/web-p2p.pdf
Topics by Boris Nechaev
Security in Distributed Hash Tables
Most popular distributed hash tables (Chord, CAN, Pastry, Tapestry) were proposed in years 2000-2001. These new structured peer-to-peer architectures were a very efficient way to store key-value data pairs in a distributed manner. Though the original designs of the DHTs didn't consider security aspects, and this spawned much research in the area. This study will concentrate on various types of attacks on DHTs, ways of mitigating the attacks, limitations of the proposed solutions and differences between the proposed security measures.
Note: Tutoring will be mostly done remotely.
References:
[1] Sit, E. and Morris, R., Security Considerations for Peer-to-Peer Distributed Hash Tables. In Revised Papers From the First international Workshop on Peer-To-Peer Systems, pages 261-269, March 2002.
[2] Castro, M., Druschel, P., Ganesh, A., Rowstron, A., and Wallach, D. S., Secure routing for structured peer-to-peer overlay networks. ACM SIGOPS Operating Systems Review, vol. 36, pages 299-314, Dec. 2002.
[3] Mudhakar Srivatsa, Ling Liu. Vulnerabilities and security threats in structured overlay networks: a quantitative analysis. Computer Security Applications Conference, pages 252-261, Dec. 2004.
Anonymity with onion routing: advances and vulnerabilities
Onion routing is a popular way of assuring anonymity in the Internet. In onion routing encrypted messages pass through a number of nodes in an unpredictable manner, which makes it difficult for an attacker to determine the sender and the receiver of the message. The most well-known implementation of onion routing is Tor, proposed in 2004. Over the years, a number of vulnerabilities has been found in Tor protocol. However, many enhancements were also proposed. This study will aim at summarizing advances and weak points of onion routing technology.
Note: Tutoring will be mostly done remotely.
References:[1] Roger Dingledine, Nick Mathewson, Paul Syverson. Tor: The Second-Generation Onion Router. 13th USENIX Security Symposium, pages 303–320, August 2004.
[2] Nathan S. Evans, Roger Dingledine, Christian Grothoff. A Practical Congestion Attack on Tor Using Long Paths. 18th USENIX Security Symposium, pages 33–50, August 2009.
[3] Edman, M. and Syverson, P. AS-awareness in Tor path selection. In Proceedings of the 16th ACM Conference on Computer and Communications Security, pages 380-389, November 2009.
CAPTCHAs: new ways of telling computers and humans apart
CAPTCHA is a ubiquitous technique for assuring that the online operation is performed by a human, not a robot crawler. Most commonly CAPTCHAs are images with text and require to recognize and type the text in the verification field. New types of CAPTCHAs are being constantly proposed by the research community. At the same time attacks on old CAPTCHAs types are performed, rendering them useless if successful. This study will focus on categorizing newly proposed CAPTCHA schemes and describing modern ways of attacking CAPTCHAs.
Note: Tutoring will be mostly done remotely.
References:[1] Jeremy Elson, John R. Douceur, Jon Howell, Jared Saul. Asirra: a CAPTCHA that exploits interest-aligned manual image categorization. In Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 366-374, October 2007.
[2] Yan, J. and El Ahmad, A. S. A low-cost attack on a Microsoft CAPTCHA. In Proceedings of the 15th ACM Conference on Computer and Communications Security, pages 543-554, October 2008.
[3] Ross, S. A., Halderman, J. A., and Finkelstein, A. Sketcha: a CAPTCHA based on line drawings of 3D models. In Proceedings of the 19th international Conference on World Wide Web, pages 821-830, April 2010.
Topics by Juha Sääskilahti
Perimeter protection in the cloud - is there any?
When moving from traditional intranet model to cloud computing model, the traditional network boundaries will change, and perimeters dissolve. In the classical intranet, when you store something on the network drive, you will know where that information will physically be stored, and how that is protected. When you store something in to the cloud, you will have no physical control of the perimeter protection. In fact, you will not have any kind of an idea, where the cloud server is, where it is storing your data, and how will it be protected. In fact, you cannot even be sure, in which country or part of the world your data is stored. What kind of new protection strategies can be applied to protect clouds and data stored in them?Monitoring intrusions and data breaches in highly distributed cloud environments
An IDS (Intrusion Detection System) in traditional environment can relatively effectively detect breaches. For example an IDS sensor in the intranet (network based IDS) can detect suspicious network activity, or a sensor in a server (host based IDS) can detect suspicious activities within or against the server. When a system is virtualized and 'put into the cloud', the clearly defined boundaries will dissolve, and servers will run in virtual environments at arbitrary locations, in arbitrary numbers. Big quantities of the server-server traffic will also go through virtual switches rather than real physical switches. What kinds of security monitoring can be deployed in highly virtualized and distributed computing (cloud) environments?"
Topics by Miika Komu
Crypto Agility
A hash-based cryptographic namespace for IPv6 applications is defined in RFC 4843. This namespace is utilized by Host Identity Protocol (HIP) in the experimental RFC 5201. At the moment, the HIP working group in the IETF is revising the specifications to move HIP from experimental to standards track. A challenge in the revisioning process is to provide crypto agility, i.e. support to introduce new algorithms and deprecate old ones without compromises to security.
In this topic, the students gets familiar with the standards. The student documents background, the problems and different design alternatives. The student verifies the currently chosen approach and tries to finds flaws in it or possibly even a better design. The student is also encouraged to take part in the IETF mailing list discussions.
http://tools.ietf.org/rfc/rfc4843.txt
http://tools.ietf.org/search/rfc5201
http://www.ietf.org/mail-archive/web/hipsec/current/msg02661.html
Grid security and cloud services
The Grid computing environment used in scientific computing has many common features with cloud services: computation and data are distributed across organizational and geographical boundaries, and security mechanisms cannot be allowed to delay the critical business processes. The goal of this seminar project is to learn about Grid (e.g. Globus) security and cloud computing and to answer the question of how well the security mechanisms used in the Grid, such as proxy certificates and XACML, fit into the cloud services implementations.
References:
http://sgs2010.inf.usi.ch/Presentation/22/sgs_lugano_security_v4-Christoph-Witzig.pdf https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework http://www.mcs.anl.gov/uploads/cels/papers/P1537.pdf
Topics by Sandeep Tamrakar
Trustworthy identity management for web authentication
Fighting identity fraud has become one of the major concern in today's Internet. Attacks such as phising and farming uses fake websites that lure users to enter their credentials. There are several browser based password managers that not just create passwords, manage them and auto fill them but also validates the URLs to protect against phishing attacks. However, they are vulnerable to software bassed attacks such as trojans and even man in the browser attacks. The study will focus on usability study as well as different security aspects of identity management systems that store credentials away from the user's machines, such as proxy based architectuers, and identity management systems that are isolated from the user space and protected by trusted hardware.
References:
1. Trusted Infrastructures for Identities (2007) by Barbara Fichtinger ,
Eckehard Hermann , Nicolai Kuntze , Andreas U. Schmidt
http://novalyst-it.com/docs/Trusted_Infrastructure
2. Delegate: A Proxy Based Architecture for Secure Website Access from
an Untrusted Machine (2006) by Ravi Ch , Ra Jammalamadaka ,
Timothy W. Van Der Horst , Sharad Mehrotra Proceedings of 22nd
Annual Computer Security Applications Conference(ACSAC)
http://www.ics.uci.edu/~rjammala/Delegate.pdf
3. TruWallet: trustworthy and migratable wallet-based web authentication
http://portal.acm.org/citation.cfm?id=1655108.1655112
Isolation of critical information processing on smartphones.
Smartphones are becoming more powerful and widely available personal handheld devices. These devices serve multiple functions besides basic telephony. Today the smartphones are in essence very close to personal computers when it comes to openness and feature richness. This enables smartphones to implement wide range of applications and services. Also there is a growing demand of multitasking environment on smartphones. While multitasking, different applications share the smartphone resources such as memory. An application may then access critical information of another application. Thus, it is necessary to isolate processing of critical information such as online transaction in order to protect information from malicious application.
This study will focus on different trusted computing based application isolation used in desktop environment which could be implimented on mobile environment.
References:
1. Trust in a small package: minimized MRTM software implementation for
mobile secure environments http://doi.acm.org/10.1145/1655108.1655111
2. A trusted mobile phone reference architecturevia secure kernel
http://doi.acm.org/10.1145/1314354.1314359
Smart card applications and online services
Smart cards are widely used as hardware security modules for authentication and access control. One of the key characteristics of a smartcard is that it encapsulates some security-sensitive information, such as cryptographic keys or stored value in a physical token. This has been particularly important at a time when data communication networks were not widely available and, for example, private signature keys could not be stored in a online service or user authentication could not be based on an online trusted party. The ubiquitous access to online services puts the role of such offline security modules into question. The goal of this seminar paper is to survey applications where smartcards are deployed and to consider how the role of the smartcard will change with the availability of network connections and online services.
References:
1. Smart Cards - Requirements, Properties, and Applications.
Klaus Vedder, Franz Weikmann
http://portal.acm.org/citation.cfm?id=726915
2. smart card operating systems: Past, Present and Future
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.10.7103&rep=rep1&type=pdf
Small-value online payments
Internet-based micropayments and electronic cash were areas of active research and enthusiastically endorsed by many researchers in the 90s but the technologies developed at that time did not gain any significant adoption. Since then, two things have changed. First, wireless Internet is ubiquitously available and people carry Internet-enable personal device everywhere they go, which means that online payments can be made not only while browsing the web but anywhere where the user roams, which greatly broadens the range of potential applications for the online electronic payments systems. Second, the cost of traditional electronic payments such as credit card transactions and wire transfer has become so low that small, micropayment-size transactions will soon become economical. The student should take a look at the early electronic payment mechanism and their proposed applications based on the literature, and to ask which of them may be worth reviving and what are the fundamental similarities and differences between then and now. The goal is to gain an understanding of why and where electronic payments might succeed now and what can be learned from their previous failure.
References:
1. Electronic Tickets, Smart Cards, and Online Prepayments: When and How
to Advance Sell. Jinhong Xie and Steven M. Shugan
http://www.jstor.org/stable/3181610
2. PayWord and MicroMint: Two simple micropayment schemes
Ronald L. Rivest and Adi Shamir
3.State of the art in electronic payment systems. N. Asokana, P. Jansonb, M.
Steinerb, and M. Waidnerb
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.39.5378&rep=rep1&type=pdf
4. A Mobile Ticket System Based on Personal Trusted Device
Yu-Yi Chen, Chin-Ling Chen and Jinn-Ke Jan
Topics by Billy Brumley
CubeHash Cryptanalysis
In 2008, NIST launched the SHA-3 hash function competition to find a
replacement candidate for SHA-1. 14 functions advanced to round 2 of the
competition. CubeHash is Dan Bernstein's submission:
http://cubehash.cr.yp.to/
It uses something similar to the sponge construction:
http://sponge.noekeon.org/
The goal of this topic is to perform an interesting cryptanalysis of the
CubeHash function, producing at least _some_ non-trivial collision in a
reduced-round variant. There are _many_ variants (some are trivial to
break, others infeasible) and Dan tracks them:
http://cubehash.cr.yp.to/security.html
Bonus: If your analysis is interesting enough, Dan might give you money!
http://cubehash.cr.yp.to/prizes.html
Topics by Jukka Ylitalo
Distributed file system security and lessons for the cloud
Network and distributed file systems have been developed at least since the introduction of NFS by Sun Microsystems in 1985. The aims have variable been combinations of high performance, scalability, fault tolerance and security. Cloud storage systems, such as Amazon S3, Google FS and Apache Hadoop build on lessons from these. The goal of this seminar project is to survey the the “old” distributed file systems, explain how their security mechanisms may or may not be suitable for the cloud, and compare them with the new cloud storage services.
References:
http://www.ime.usp.br/~kon/papers/DFSPaper.ps.gz http://www.coda.cs.cmu.edu/
http://www.moosefs.org/ http://fhgfs.com/cms/
Howard et al., Scale and performance in a distributed file system,
http://portal.acm.org/citation.cfm?doid=35037.35059http://aws.amazon.com/s3/
http://labs.google.com/papers/gfs-sosp2003.pdf
Andrey Lukyanenko
What is the difference between clods and grids?
The cloud computing is a new term of an old known problem. Some say that it is time for an old idea to be implemented. But, we know that previously the scientific world has already been dealing for years with common in some senses idea. In this topic you are asked to study what is common and what is different in the cloud computing compared to the grid computing? Why do a new study required (including security)?
References:
Foster, I.; Yong Zhao; Raicu, I.; Lu, S.; , "Cloud Computing and Grid Computing 360-Degree Compared," Grid Computing Environments Workshop, 2008. GCE '08 , vol., no., pp.1-10, 12-16 Nov. 2008.
Armbrust, Michael; Fox, Armando; Griffith, Rean; Joseph, Anthony D.; Katz, Randy H.; Konwinski, Andrew; Lee, Gunho; Patterson, David A.; Rabkin, Ariel; Stoica, Ion; Zaharia, Matei "Above the Clouds: A Berkeley View of Cloud Computing".
How does reputation may help to construct a more secure cloud?
Cloud is a set of services such as storage, distributed CPU andinterfaces, that allows users to utilize the resources optimally fortheir applications. But as in any massive multi-user system the usersmay start to misbehave in such a system in order to gain money, if thesystem allows it. How does the cloud architectures deal with misbehaviorin sense of rating users? Does they introduce some reputation?
References:
Armbrust, Michael; Fox, Armando; Griffith, Rean; Joseph, Anthony D.;Katz, Randy H.; Konwinski, Andrew; Lee, Gunho; Patterson, David A.;Rabkin, Ariel; Stoica, Ion; Zaharia, Matei "Above the Clouds: A BerkeleyView of Cloud Computing" Resnick, P., Kuwabara, K., Zeckhauser, R., and Friedman, E. 2000.Reputation systems. Commun. ACM 43, 12 (Dec. 2000), 45-48.
Comparing various realizations of the cloud computing paradigm.
Today a set of the cloud computing architectures are publicly availablefor the customers. They can buy the resources and use them through thepublic interfaces. How does they corresponds to each other, and whatsecurities suggest?
References:
Buyya, R.; Chee Shin Yeo; Venugopal, S.; , "Market-Oriented CloudComputing: Vision, Hype, and Reality for Delivering IT Services asComputing Utilities," High Performance Computing and Communications,2008. HPCC '08. 10th IEEE International Conference on , vol., no.,pp.5-13, 25-27 Sept. 2008.
Google App Engine: http://en.wikipedia.org/wiki/Google_App_Engine
Amazon web services: http://en.wikipedia.org/wiki/Amazon_Web_Services
Eucalyptus: http://en.wikipedia.org/wiki/Eucalyptus_%28computing%29
Windows Azure: http://en.wikipedia.org/wiki/Windows_Azure
Topics by Erka Koivunen
Cloud-based locationing services turn users into unvoluntary network scanners?
Widely used locationing services such as Google Maps and Nokia Ovi Maps
utilise not only GPS satellites to determine the users' location. In addition, they also turn the users' devices into trackers that scan for nearby GSM base stations and WIFI hotspots. One can also make rough guesses of the users' location based on their IP address. While these enhanced features have the ability to greatly enhance the accuracy of the locationing and introduce location aware services to devices without GPS, there is arguably an added privacy concern. One that even has security implications. Examine - preferably using empirical methods - what information the devices send to the service providers and what methods current services offer to limit the amount of data emitted. How should a security-conscious end user or a facility owner treat location aware devices and services?
References:
1. Google blog: WiFi data collection: An update
http://googleblog.blogspot.com/2010/05/wifi-data-collection-update.html
http://www.google.com/googleblogs/pdfs/friedberg_sourcecode_analysis_060910.pdf
2. Youssef, A. A. et al., Wireless network-based location approximation,
United States Patent Application 20100020776, January 28, 2010
4. Ovi blog: New Ovi Maps: Faster. Better. Personal
http://blog.ovi.com/2010/05/20/new-ovi-maps-faster-better-personal/
The cloud is too secure for your own good?
Based on media reports, some countries have threatened to prevent their
citizens and visiting foreigners from accessing secure communications services provided by a Canadian company, Research in Motion. Users of
Blackberry mobile devices have an ability to send instant messages to each
others over an encrypted channel which - the story goes - has made the signals intelligence authorities in those upset. At the same time Nokia
Siemens Networks has been heavily criticised for allowing Iranian authorities to access the Lawful Interception features in their network infrastructure acquired from NSN. This clearly demonstrates the need for communications security. Establish a "shopping list" of security features that a security-conscious end user should pay attention when choosing a means to communicate in an environment hostile to communications privacy. Pay special attention to cloud-based services as a potential solution.
References:
1. TR 33.106, Lawful interception requirements
ftp://ftp.3gpp.org/Specs/2000-12/R1999/33_series/33106-310.zip
2. TR 33.107, Lawful interception architecture and functions
ftp://ftp.3gpp.org/Specs/2000-12/R1999/33_series/33107-310.zip
3. http://www.guardian.co.uk/business/2010/aug/02/blackberry-ban-uae-gulf-states
4. http://www.nokiasiemensnetworks.com/news-events/press-room/statement-to-the-public-hearing-on-new-information-technologies-and-human-rights
5. http://www.narus.com/index.php/solutions/intercept
Highly distributed information security incident discovery
Discovering information security incidents efficiently in the internet is a
major challenge. It is not enough to detect that an incident such as denial
of service attack or computer break-in is taking place. Information about an
incident also needs be carried to the affected parties for them to take action to protect them. The information needs to be presented in an actionable form and delivered while still fresh. The internet is a collection of more or less independently operated networks that no single entity can take responsiblity of. Examine various ways that the incidents are currently being reported and handled and extract a recipe for a successful information security incident detection system on an internet scale. Is it clouds?
References
1. Koivunen, E., Effective information sharing for incident respose
coordination, Reporting network and information security incidents and
requesting assistance, Master's thesis, Aalto University 2010
2. http://code.google.com/p/abusehelper/
3. http://www.shadowserver.org/
4. http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=aalto.fi
5. http://www.siteadvisor.com/
6. http://stopbadware.org/
7. http://www.virustotal.com/
Topics by Elena Reshetova
Network coding and DoS resistance
Communications systems based on network coding, such as BitTorrent, are resistant to denial-of-service attacks in the sense that some lost packets or relay nodes will not prevent the receiver from accumulating all the bits of the data it is downloading. The goal of this seminar project is to consider network coding and systems that use it as a potential model for building DoS-resistant systems.References to be provided soon.
References:
http://algo.epfl.ch/~christin/primer.ps
http://home.eng.iastate.edu/~yuzhen/publications/ZhenYu_INFOCOM_2008.pdf
Multipath routing, congestion avoidance and DoS resistance
Multipath routing increases the reliability communications and enables load balancing between different routes. This means that packets will be routed around network failures and congestion, and congestion may be avoided altogether. The goal of this seminar project is to survey multipath routing protocols and to consider them as a potential model for building DoS-resistant communications systems.References to be provided soon.
References:
http://www.cs.princeton.edu/~jrex/papers/multipath08.pdf
http://www.cs.columbia.edu/~angelos/Papers/2006/Stavrou_Keromytis_v3.pdf
Topics by Antero Juntunen
Privacy in e-ticketing
The introduction of electronic ticketing in public transportation has provided numerous benefits for both travelers and transport operators. However, e-ticketing has also introduced a number or privacy concerns. Of particular concern is the confidentiality of the personal information and travel history of users. This issue can be approached and addressed on the level of government regulation as well as on the technical level, which involves the use of RFID technology in the case of contactless e-ticketing.
References:
Heydt-Benjamin, T., Chae, H., Defend, B., Fu, K, Privacy for Public Transportation, Lecture Notes in Computer Science, 2006, Volume 4258/2006, 1-19, DOI: 10.1007/11957454_1.
European Commission Justice, Data Protection. http://ec.europa.eu/justice/policies/privacy/index_en.htm
Sadeghi, A., Visconti, I., Wachsmann, C., User Privacy in Transport Systems Based on RFID E-Tickets, In Proceedings of the 1st International Workshop on Privacy in Location-Based Applications, 2008. http://ftp.informatik.rwth-aachen.de/Publications/CEUR-WS/Vol-397/paper7.pdf