FORUM - Themes and Highlights of the New Security Paradigms Workshop 2002

Co-Chair: Cristina Serban, AT&T Labs, USA
Co-Chair: O. Sami Saydjari, Cyber Defense Agency, USA
Michael Franz, UC Irvine, USA
Sal Stolfo, Columbia University, USA
V.N. Venkatakrishnan, SUNY Stony Brook, USA
Mary Ellen Zurko, IBM Corp., USA

Abstract

This panel highlights a selection of the most interesting and provocative papers from the 2002 New Security Paradigms Workshop. The workshop was held in September 2002; more information is available at http://www.nspw.org. The panel consists of authors of the selected papers, and the session is moderated by the workshop's general chairs. We present selected papers focusing on the exciting major themes that emerged from the workshop. These are the papers that will provoke the most interesting discussion at ACSAC.

Panel Theme

This panel presents a selection of the best, most interesting, and most provocative work from the ACM-sponsored New Security Paradigms Workshop 2002. For eleven years, the New Security Paradigms Workshop (NSPW) has provided a productive and highly interactive forum for innovative new approaches to computer security. This year's workshop brought a record number of new security paradigms. This reflects the dramatic increase of interest and research in our field.

NSPW is an invitational workshop of deliberately small size, in order to facilitate deep, meaningful discussions of new ideas. Authors are encouraged to present work that might seem risky in other settings. All participants are charged with providing constructive feedback. The resulting brainstorming environment has proven to be an excellent medium for the furthering of "far out" and visionary ideas. Our philosophy is to look for significantly new paradigms and shifts from previous thinking, and facilitate the debate within a constructive environment of experienced researchers and practitioners along with newer participants in the field. In keeping with the NSPW philosophy, this panel challenges many of the dominant paradigms in information security. You can definitely expect it to be highly interactive; in the NSPW tradition, look forward to lively exchanges between the panelists and the audience. So come prepared with an open mind and ready to question and comment on what our panelists present!

Past NSPW conference panels have dealt with a wide variety of subjects, including the following: software engineering of secure systems; penetration tolerance; new directions in cryptography and steganography; alternative models of trust and authorization; user-centered security and end-user defenses; new models for securing "boundless networks"; deficiencies in traditional definitions of security, secrecy, and integrity; security in PDA devices; attack modeling; and offensive information warfare. The last NSPW panel was held at ACSAC 2001 and was well received, very lively, and highly praised by the audience, ACSAC organizers, and panelists alike.

Here are some of the latest ideas to emerge from NSPW, aside from those you will hear from the rest of the panelists.

The panel will consist of four authors of papers selected by the NSPW 2002 General and Program Chairs, and it will be chaired by the general chair. After the panel chair's introductory remarks, each panelist will then give a 10 to 15 minute presentation. The floor will then be opened for audience questions and discussions. This format has worked extremely well in the past, and we plan to continue the tradition. So come to our panel and discover this year's new paradigms! You'll either immediately like them or dislike them - and you'll get the chance to say so!

Panelists' Positions

Michael Franz, UC Irvine:
The Source is the Proof

Security guarantees for mobile code are easier to reason about at the source-language level. However, the two major mobile code techniques, bytecode and proof-carrying code and its variants, take a low-level view of mobile code. We argue that the large semantic gap between high-level source and low-level mobile code creates inefficiencies both in reasoning about the security properties of the code and in its performance.

Our alternative mobile code representation encodes programs at a level much closer to source. It is much easier to transport source-level semantics in our encoding than in the prevalent low-level approaches. Our encoding also provides safety by construction, as illegal programs cannot even be expressed in it. Other advantages of our encoding are an excellent compression factor, and the ability to safely transport performance-enhancing annotations.

Salvatore J. Stolfo, Columbia University:
Behavior-Based Computer Security

The Malicious Email Tracking (MET) system is a "behavior-based" security system that defends and protects email users by way of email profiling and anomaly detection techniques that detect deviations from a system's or user's normal email behavior. The Email Mining Toolkit (EMT) is an offline data analysis system designed to assist a security analyst compute, visualize and test models of email behavior for use in MET.

We believe MET and EMT exemplify a new generation of computer security systems based upon behavior profiles that aim to detect attacks, as well as attackers, thus providing a deterrent system for the first time on the internet. EMT computes information about email flows and aggregate statistical information from content fields of emails without revealing those contents. The range of models computed by EMT includes the "social cliques" associated with an email account. Clique violations are useful in detecting many errant misuses of email. These misuses can include malicious email attachments, SPAM email, and email security policy violations. Of special interest is the opportunity to detect polymorphic viruses that are designed to avoid detection by signature-based methods, but which may likely be detected via their behavior, i.e., the manner in which they violate the victim's email profile while propagating.
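A clique-violation check in the spirit of the email-profiling model described above, added here as an illustration and not the MET/EMT code itself. The send log is constructed, and the clique model is simplified to connected components of the co-recipient graph: a message addressed to more than one clique, or to an address never seen before, deviates from the account's profile.

```python
"""Simplified EMT-style clique model over a constructed send log.
Added illustration, not MET/EMT code; log lines and addresses are made up."""

# Constructed send log for one account: "timestamp sender -> recipients"
LOG = """
2002-09-01T09:00 alice@corp.example -> bob@corp.example,carol@corp.example
2002-09-01T10:10 alice@corp.example -> bob@corp.example
2002-09-02T08:30 alice@corp.example -> dan@home.example,erin@home.example
2002-09-03T11:00 alice@corp.example -> carol@corp.example,bob@corp.example
"""

def parse_log(text):
    """Return a list of (timestamp, sender, [recipients]) tuples."""
    msgs = []
    for line in text.strip().splitlines():
        ts, rest = line.split(" ", 1)
        sender, rcpts = rest.split(" -> ")
        msgs.append((ts, sender, rcpts.split(",")))
    return msgs

def build_cliques(msgs):
    """Union recipients that ever appear on the same message (union-find);
    return {recipient: clique_id}. Real EMT cliques are richer; this is the
    connected-component approximation."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    for _, _, rcpts in msgs:
        for r in rcpts[1:]:
            parent[find(r)] = find(rcpts[0])
        find(rcpts[0])
    return {r: find(r) for r in parent}

def check_message(cliques, rcpts):
    """Return (is_violation, reason) for a new outgoing message.
    A mass mailing that fans out across an address book typically
    touches several cliques at once, which is what this flags."""
    unknown = sorted(r for r in rcpts if r not in cliques)
    touched = {cliques[r] for r in rcpts if r in cliques}
    if unknown:
        return True, f"unknown recipients: {', '.join(unknown)}"
    if len(touched) > 1:
        return True, f"spans {len(touched)} cliques"
    return False, "within profile"
```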

V.N. Venkatakrishnan, SUNY Stony Brook:
Empowering Mobile Code Using Expressive Security Policies

Existing approaches for mobile code security tend to take a conservative view that mobile code is inherently risky, and hence focus on confining it. Such confinement is usually achieved using access control policies that restrict mobile code from taking any action that can potentially be used to harm the host system. While such policies can be helpful in keeping "bad applets" in check, they preclude a large number of useful applets. We therefore take an alternative view of mobile code security, one that is focused on empowering mobile code rather than disabling it. We propose an approach wherein highly expressive security policies provide the basis for such empowerment, while greatly mitigating the risks posed to the host system by such code. Our policy language is based on a logic over sequences of events such as function calls, method invocations, and exceptions. These policies are compiled into an extended finite-state automaton (a generalization of the finite-state automaton to permit the use of variables) that can enforce these policies efficiently. We have built a prototype implementation of our approach for Java. Our implementation is based on rewriting Java bytecode so that security-relevant events are intercepted and forwarded to the enforcement automata before they are executed. Early experimental results indicate that such expressive, enabling policies can be supported with overheads that are quite competitive with those reported for the simpler security policies currently supported for Java.
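The enforcement mechanism described above, as an added example that is not the authors' prototype: an extended finite-state automaton whose transitions carry guards and actions over a variable store, fed a sequence of intercepted events. The policy, the event names ("open", "connect") and the traces are constructed; the point is that both rules need state that a plain per-action access control list cannot express.

```python
"""Extended finite-state automaton (EFSA) enforcing a policy over a sequence
of security-relevant events. Added illustration, not the authors' code; the
policy, event names and traces are constructed for this example."""
from dataclasses import dataclass

@dataclass
class Event:
    name: str         # "open" or "connect"
    args: tuple = ()  # ("/etc/passwd",) or ("host", port)

class EFSA:
    """Finite states plus a variable store. A transition is
    (state, event, guard(vars, args), action(vars, args), next_state); the
    first transition whose guard holds fires. No matching transition means
    the event violates the policy and is denied before it executes."""
    def __init__(self, start, transitions):
        self.state, self.vars, self.transitions = start, {}, transitions

    def feed(self, ev):
        for s, name, guard, action, nxt in self.transitions:
            if s == self.state and name == ev.name and guard(self.vars, ev.args):
                action(self.vars, ev.args)
                self.state = nxt
                return True
        return False  # deny

def set_var(key):
    return lambda v, a: v.__setitem__(key, a[0])
NOOP = lambda v, a: None
ANY = lambda v, a: True

# Constructed policy: an applet may connect only to the host it first talked
# to (remembered in variable "origin"), and once it has read a file outside
# /tmp/ it may not connect anywhere (the file is remembered in "tainted").
POLICY = [
    ("start",   "open",    lambda v, a: a[0].startswith("/tmp/"), NOOP,               "start"),
    ("start",   "open",    ANY,                                   set_var("tainted"), "tainted"),
    ("start",   "connect", ANY,                                   set_var("origin"),  "online"),
    ("online",  "connect", lambda v, a: a[0] == v["origin"],      NOOP,               "online"),
    ("online",  "open",    lambda v, a: a[0].startswith("/tmp/"), NOOP,               "online"),
    ("online",  "open",    ANY,                                   set_var("tainted"), "tainted"),
    ("tainted", "open",    ANY,                                   NOOP,               "tainted"),
]

def enforce(trace):
    """Run a trace; return (all_allowed, offending_event_or_None, final_vars)."""
    m = EFSA("start", POLICY)
    for ev in trace:
        if not m.feed(ev):
            return False, ev, dict(m.vars)
    return True, None, dict(m.vars)
```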

Mary Ellen Zurko, IBM (for Matthias Schunter, IBM Zurich Research Lab):
From Privacy Promises to Privacy Management: A New Approach for Enforcing Privacy Throughout an Enterprise

Regulations and consumer backlash force many organizations to re-evaluate the way they manage personal data that is collected from individuals. As a first step, organizations publish privacy promises as text or formalized in the P3P standard of W3C. Unfortunately, these promises are not backed up by privacy technology that enforces the promises throughout the enterprise. Privacy tools cover fractions of the problem while leaving this main challenge unanswered.

We describe a new approach towards enterprise-wide enforcement of the privacy promises made. Its core is a new framework for managing collected personal data in a sensitive, trustworthy way. The framework enables enterprises to publish clear privacy promises, to collect and manage user preferences and consent, and to enforce the privacy promises throughout the enterprise. One of the foundations of this framework is the "sticky policy paradigm" that defines a customer-centric model for managing policies, preferences, and consent.