Biblio

Filters: Author is Skowyra, Richard  [Clear All Filters]
2022-08-02
Jero, Samuel, Furgala, Juliana, Pan, Runyu, Gadepalli, Phani Kishore, Clifford, Alexandra, Ye, Bite, Khazan, Roger, Ward, Bryan C., Parmer, Gabriel, Skowyra, Richard.  2021.  Practical Principle of Least Privilege for Secure Embedded Systems. 2021 IEEE 27th Real-Time and Embedded Technology and Applications Symposium (RTAS). :1—13.

Many embedded systems have evolved from simple bare-metal control systems to highly complex network-connected systems. These systems increasingly demand rich and feature-full operating-systems (OS) functionalities. Furthermore, the network connectedness offers attack vectors that require stronger security designs. To that end, this paper defines a prototypical RTOS API called Patina that provides services common in featurerich OSes (e.g., Linux) but absent in more trustworthy μ -kernel based systems. Examples of such services include communication channels, timers, event management, and synchronization. Two Patina implementations are presented, one on Composite and the other on seL4, each of which is designed based on the Principle of Least Privilege (PoLP) to increase system security. This paper describes how each of these μ -kernels affect the PoLP based design, as well as discusses security and performance tradeoffs in the two implementations. Results of comprehensive evaluations demonstrate that the performance of the PoLP based implementation of Patina offers comparable or superior performance to Linux, while offering heightened isolation.

2017-08-22
Skowyra, Richard, Bauer, Kevin, Dedhia, Veer, Okhravi, Hamed.  2016.  Have No PHEAR: Networks Without Identifiers. Proceedings of the 2016 ACM Workshop on Moving Target Defense. :3–14.

Network protocols such as Ethernet and TCP/IP were not designed to ensure the security and privacy of users. To protect users' privacy, anonymity networks such as Tor have been proposed to hide both identities and communication contents for Internet traffic. However, such solutions cannot protect enterprise network traffic that does not transit the Internet. In this paper, we present the design, implementation, and evaluation of a moving target technique called Packet Header Randomization (PHEAR), a privacy-enhancing system for enterprise networks that leverages emerging Software-Defined Networking hardware and protocols to eliminate identifiers found at the MAC, Network, and higher layers of the network stack. PHEAR also encrypts all packet data beyond the Network layer. We evaluate the security of PHEAR against a variety of known and novel attacks and conduct whole-network experiments that show the prototype deployment provides sufficient performance for common applications such as web browsing and file sharing.