Gene Tsudik - US grants

This proposal will investigate, design and deploy a suite of novel
multicast protocols aimed primarily at ad hoc networks. The investigators
maintain that, due to the inherent broadcast capability, wireless networks
are well suited for multicast communication. The contributions of the
proposed suite of multicast packet routing and forwarding protocols (IMAHN)
can be summarized as follows: (1) design, evaluation, prototyping and
deployment of a suite of multicast routing and packet forwarding protocols
for ad hoc networks, and (2) development of an integrated multicast
routing solution for the mixed-media internetwork of the future; this
includes investigation, evaluation, prototyping, and deployment of
mechanisms providing seamless multicast service.

IMAHN will emphasize the following: (1) robustness vs efficiency: many
existing multicast routing approaches rely on state in routers to keep
track of multicast group members. This, coupled with the high volume of
routing information exchanges and slow convergence, makes traditional
multicast approaches untenable in highly dynamic ad hoc networks (AHNs)
composed of anemic (low-power, low storage capacity) hosts. We propose a
new technique, adaptive flooding, that stresses rapid and robust delivery.
IMAHN will consist of a suite of adaptive protocols addressing a range of
AHNs and mobility patterns. In constantly changing AHNs, redundant
broadcasting may be appropriate, while, in less dynamic AHNs, a range of
more bandwidth-efficient multicast protocols will be considered; (2)
adaptability: hosts should be able to (and will) migrate freely among ad
hoc, fixed-infrastructure mobile, and traditional wired networks. In order
to function appropriately -- when faced with changes in the underlying
infrastructure -- hosts need switch on-the-fly among multiple multicast
mechanisms; (3) unlimited mobility: some existing solutions are geared
towards discrete mobility where periods of movement are interspersed with
periods of rest. Others assume certain limits on direction, speed and
number of simultaneously moving hosts. In contrast, we stress universal,
unlimited mobility of all network components; (4) integrated multicast:
multicast solutions for AHNs will most likely differ substantially from
those for fixed networks (one of the main reasons is the marked difference
in transmission rates). In order to offer seamless and integrated multicast
service for the mixed-media internetwork of the future, IMAHN will develop
novel mechanisms for inter-operation of fixed and wireless multicast
solutions.

The Principle Investigators of this proposal propose to organize a PI meeting for the Networking Research Programs (Networking Research Program and Special Projects in Networking) in the ANIR Division of NSF. The PI meeting will be held over a two-day period in addition to an opening night reception. The reception will be Wednesday evening, November 1, 2000 with two full days of technical sessions, Thursday, November 2, and Friday, November 3. The PI meeting will facilitate the exchange of research ideas among the PIs with active NSF awards from the Networking Research Programs and NSF program directors.

Rapid advances in networking and Internet technologies has fueled the emergence of the "software as a service" model for enterprise computing that enables organizations to outsource many Information Technology (IT) services. This model allows organizations to concentrate on their core business instead of sustaining large investments in IT. IT outsourcing results in savings from the economies of scale due to leveraging of hardware, software, personnel, as well as maintenance and upgrade costs. Outsourcing is a common practice in Enterprise Resource Planning (ERP) and Customer Relationship Management (CRM) domains and it is gaining popularity in basic services such as email, storage and disaster protection.

This research will explore the data privacy challenges that arise in outsourcing data management services. Data management systems are among the most common, expensive, and complex software systems used by almost all types of organizations. In the envisioned "database as a service" (DAS) model, the client's data resides on the premises of the service provider and is accessed using SQL queries. Since clients' data as a very valuable asset, the service provider must implement sufficient security measures to guarantee data privacy. The research will explore the resulting challenges: (1) Privacy protection from malicious outsiders: protecting service providers from theft of customer data (e.g., hackers breaking into a provider's site and scanning all disks). (2) Privacy protection from database service providers: assuring that clients' encrypted data cannot be decrypted at the service provider. Thus, techniques to evaluate queries over encrypted data at the service provider need to be developed. (3) Ensuring Integrity of the Results: developing scalable techniques to ensure that the service provider returns exactly the right answer set to the client's query.

The SFS Scholarship Program at the University of California Irvine is working to attract, recruit, mentor and graduate talented domestic PhD students in Information Assurance (IA), and to foster their careers in the national service. The program emphasizes the recruitment of women and students from under-represented groups into the doctoral program.

The School of Information and Computer Sciences at UC Irvine is home to an exceptionally broad and well-rounded set of dedicated and world-renowned IA faculty members who have a track record of comprehensive training and successful post-degree placement of IA PhD students. This program is providing the support to expand the number of domestic students at ICS who are interested in national service. The inter-disciplinary nature of the ICS graduate IA track exposes students not only to topics Computer and Information Sciences, but also to topics in Mathematics and Ethics/Law.

As the first SFS scholarship program focused solely on doctoral students, UC Irvine is producing IA experts who will serve as ambassadors of academic research and will help build new, and strengthen existing, bridges between academic institutions and the federal sector. This will engender increased collaboration, exchange of ideas and innovations as well as faster technology transfer from the purely academic to the real-world setting.

The popularity of personal gadgets opens up many new services for ordinary users. Many everyday usage scenarios involve two or more devices "working together". (Emerging scenarios are beginning to involve sensors and personal RFID tags.) Before working together, devices must be securely "paired" to enable secure and private communication.

However, the human-imperceptible nature of wireless communication prompts the very real threat of Man-in-the-Middle (MiTM) attacks. Another challenge arises due to the lack of a global security infrastructure. Consequently, traditional cryptographic means alone are unsuitable, since unfamiliar devices have no prior security context and no common point of trust. Therefore, some human involvement in secure device pairing is unavoidable. At the same time, most devices have limited hardware and/or user interfaces, thus complicating human involvement.

This project?s goals are three-fold: (1) design a set of pairing methods suitable for most common devices and a general user population, based on comprehensive and comparative usability studies, (2) develop secure pairing techniques for personal RFID tags, and (3) construct a set of user-friendly, scalable and secure methods for sensor initialization.

Benefits of this project will include accumulation of valuable expertise in designing truly usable security methods. Notably, the project expects to experimentally assess the value of usable security with respect to the general population. Furthermore, the need for, and the utility of, user-centric secure control of personal RFID tags and sensors will be demonstrated. Since device pairing is one of the very few areas where security directly involves and affects the average user, the greatest impact of proposed research is expected to be the broader participation in security practices and better appreciation of security and its benefits. The project also emphasizes industry outreach and technology transfer by working with manufacturers and industrial consortia.

In addition, students taking part in the project are expected to acquire currently uncommon skills at the cusp of Human-Computer Interaction, Usability and Cyber Trust.

This project is focused on a potentially transformational research study involving the simultaneous investigation of usability and security/privacy technologies for location-based geo-social applications, with the objective of studying the usability, feasibility, and scalability of privacy-preserving and secure location-aware geo-social networking platforms for mobile devices. The approach is based on a belief that usability and security/privacy are addressed properly and most effectively from the start. In particular, the project will study the usability of privacy-agile secure location-based communication and associated supporting protocols that scale to large numbers of users and accommodate various privacy levels suitable for different application domains. By studying the usability of location-aware protocols, the investigators propose methods that provide seamless connectivity and functionality over different networking technologies, without sacrificing the user experience. The investigators also plan to address other security issues in privacy-preserving operation, including authentication, access control and accountability. This project envisions a wide range of future applications with three unifying factors: (1) a geo-social undertone, i.e., applications that combine social groups and locality, (2) lack of, or desire to avoid using, fixed infrastructure facilities, and (3) need for both security and privacy. Although progress is starting on technologies for supporting such applications, there has been precious little work done on the study of usability factors with respect to the privacy and security users expect with their small-device location-based applications. The proposed project therefore has an ambitious goal: to study the usability of privacy-preserving geo-social technologies, including the user models, perceptions, interfaces, and feasible communication/computation technologies for supporting futuristic geo-social applications on portable mobile devices in the aforementioned setting. Methods employed may include interviews, focus groups, and cognitive walkthroughs. One key feature of the approach is to study methods that shield location from identity, thereby allowing for location-based services and geo-social applications while also protecting user privacy, and, most importantly, to do so in a way that is most usable and effective from the user?s point of view.

Technologies using location and small devices are growing at a rapid rate, while techniques considering security and location and identity privacy are only now being addressed. Thus, usable systems that protect location-sensitive privacy concerns could have a major impact on society. The tools developed in this project will enable important and economically beneficial technologies to be developed for location-aware geo-social networks preserving privacy rights for the individuals using such services. In addition, a vital part of this project involves graduate-student participation in research. Thus, this project has the potential of bringing expanded research opportunities for developing the next generation of information technology researchers. Likewise, it also includes an important educational component.

While the Internet has far exceeded expectations, it has also stretched initial assumptions, often creating tussles that challenge its underlying communication model. Users and applications operate in terms of content, making it increasingly limiting and difficult to conform to IP's requirement to communicate by discovering and specifying location. To carry the Internet into the future, a conceptually simple yet transformational architectural shift is required, from today's focus on where ? addresses and hosts ? to what ? the content that users and applications care about.
This project investigates a potential new Internet architecture called Named Data Networking (NDN). NDN capitalizes on strengths ? and addresses weaknesses ? of the Internet's current host-based, point-to-point communication architecture in order to naturally accommodate emerging patterns of communication. By naming data instead of their location, NDN transforms data into a first-class entity. The current Internet secures the data container. NDN secures the contents, a design choice that decouples trust in data from trust in hosts, enabling several radically scalable communication mechanisms such as automatic caching to optimize bandwidth. The project studies the technical challenges that must be addressed to validate NDN as a future Internet architecture: routing scalability, fast forwarding, trust models, network security, content protection and privacy, and fundamental communication theory. The project uses end-to-end testbed deployments, simulation, and theoretical analysis to evaluate the proposed architecture, and is developing specifications and prototype implementations of NDN protocols and applications.

Pervasive computing, such as sensors in smartphones, buildings, automobiles and cities, result in increased sharing of sensor data, whether initiated by users or by other authorities such as service providers, government entities, interest groups, and individuals. Embedded in this data is information which others, even using sophisticated data mining algorithms, can fuse to construct a virtual biography of our activities, revealing private behaviors and lifestyle patterns. Researchers in this project are devising computational methods to let users exercise privacy control over their personal sensory data that is shared.

Intellectual Merit: The project is developing a user-configurable cryptographically-secure ?privacy shield? to run on smartphones and act upon sensor information flowing to other users, apps, and services. To make privacy understandable, the user is presented with a higher level abstraction for expressing privacy and sharing in terms of rich inferences and contexts drawn from sensor measurements. The user can designate some inferences and contexts as private. To provide privacy while ensuring the quality of service provided by the recipients of the sensory information, the system also incorporates algorithms which, over time, learn a personalized model of the privacy risk from sharing an inference. The theoretical concepts and the system realization are being validated via user studies in mobile health and personal sensing.

Broader Impacts: By providing better understanding of the behavioral privacy problem and risks inherent in sharing seemingly innocuous data, results from this project will lead to a more educated and informed citizenry, regulators, and policy makers, and provide effective tools for privacy management to those who share sensory information.

User errors or delays while performing security-critical tasks can lead to undesirable or even disastrous consequences. The impact of both accidental and intentional distractions on users in such situations has received little investigation. In particular, it is unclear whether and how sensory stimuli (e.g., sound or light) influence users' behavior and trigger mistakes. Better understanding of the effects of such distractions can lead to increased user awareness and countermeasures. Preliminary studies suggest somewhat surprising effects of auditory distractions; this project develops an unattended study allowing more rigorous evaluation of the impact of distractions.

The project conducts controlled user studies to examine the effects of different sound variations on participants' speed and accuracy when logging into a computer network, controlling for participants' awareness of the distraction event. Existing theory suggests auditory distractions can both improve and degrade performance; this will be carefully evaluated to determine how various stimuli impact security actions. The experiments will be conducted in a fully automated manner, which makes large-scale studies feasible and also avoids any potential experimenter bias.

This project focuses on developing effective and efficient methods for detection of vulnerable devices in an IoT network, as well as mitigation techniques, as a reaction to identified vulnerabilities. The vision for the scientific impact of this project is a comprehensive set of tools for securing networked IoT devices throughout their lifecycle, coupled with the requirement to co-exist with inherently vulnerable or legacy devices. The project aims to achieve this vision by focusing on three phases of an IoT device's lifecycle:

1. Birth: identify vulnerable devices when they are first introduced into an IoT network.
2. Life: verify the configuration and operation of devices during their normal operation and updating firmware even in resource-constrained devices.
3. Repurposing: infer changes in device ownership (including disposal) and perform secure deletion of sensitive data whenever ownership change is confirmed.

All of the above will be achieved with a strong emphasis on assuring that new security techniques are meaningful and usable by a wide range of users.

Research outcomes of this project are expected to benefit society in addressing important IoT security problems before manufacturers saturate the market with ostensibly useful and innovative gadgets that lack sufficient security features, thus being vulnerable to attacks and malware infestations, which can turn them into rogue agents. PhD students involved in the project will benefit from unique opportunities for developing valuable research skills in the important emerging area of IoT security, as well as collaborating with international partners, thus exposing them to new research perspectives. One aspect of anticipated impact is in training the next generation of information security experts who, beyond understanding and appreciating security and privacy concerns in IoT, are also sufficiently skilled to address them. Another aspect of this project's impact will be achieved by transferring our results into prototypes, which can be turned into products and services.

Over the last decade, public and private clouds emerged as de facto platforms for computationally intensive scientific tasks. Today, huge volumes of many types of scientific data are routinely uploaded to the cloud. A large fraction of this data is privacy and/or security sensitive. Unfortunately, despite numerous advances in network and enterprise security, modern clouds remain inherently insecure. Recent experience shows that well-funded, targeted attacks manage to breach network perimeters of both public and private clouds.

Horizon is a novel cloud architecture aimed at providing data and computation security within a scientific cloud. Horizon builds upon three premises: (1) strong isolation on end-hosts, (2) fine-grained isolation in the cloud network, and (3) cloud-wide information flow control. To protect the end-hosts, Horizon develops a new layered hypervisor, and disaggregated virtualization stack with key features of: language safety, software fault isolation, and integrated software verification. To provide secure cloud network environment, Horizon relies on a new network architecture and implements a distributed network firewall, where all network communication and exchange of rights are mediated and controlled by the rules of the object capability system. To protect the cloud data, Horizon develops a set of abstractions and mechanisms to enforce cloud-wide information flow control. In Horizon all data is labeled. The hypervisor mediates all communication of each virtual machine and enforces propagation of labels and security checks for each cloud computation.

Horizon aims to provide a practical foundation for developing secure cloud infrastructure suitable for large-scale research workflows that require both speed and security. Horizon will be developed using entirely open-source components, and will be openly available to a broad community of scientists in academia and industry.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.