Privacy Preserving Attribution & Provenance

The Privacy Preserving Attribution & Provenance project is a joint effort between researchers at UCSD and the University of Washington. The project serves as an umbrella for a number of more specific, focused activities, each addressing a particular aspect of the larger problem. The NeTS FIND proposal details the initial scope and direction of the effort.
Projects

Clue

Privacy-preserving forensic attribution is a new architectural primitive we propose that allows individual network packets to be attributed, post hoc, to the physical machines from which they were sent. Importantly, while our architecture allows any network element to verify that a packet carries a valid forensic signature, only a trusted authority is able to reveal the sender's identity. In this way, the privacy of individual senders is protected from serendipitous use, while criminal actors cannot presume anonymity. We are developing a prototype implementation, called Clue, to demonstrate the fundamental feasibility of this approach while also illustrating the design challenges and opportunities in integrating this functionality with the network layer.

AHP

In the Address Hiding Protocol project, we argue that network anonymity should be a primitive provided by the network itself, allowing for performance and reliability comparable to default network paths. In contrast to Clue, however, we suggest that Internet Service Providers are well positioned to incrementally deploy an in-network anonymity service; the key challenge, then, is to address their likely technical and business concerns. We are examining the space of possible solutions and designing a new protocol that provides both address hiding for users and forensic support for ISPs. We are analyzing our protocol with respect to our security goals, and also attempting to demonstrate both our system's practicality and its composability with existing anonymity systems.

Neon

Modern organizations face increasingly complex information management requirements. A combination of commercial needs, legal liability and regulatory imperatives has created a patchwork of mandated policies. Among these, personally identifying customer records must be carefully access-controlled, sensitive files must be encrypted on mobile computers to guard against physical theft, and intellectual property must be protected from both exposure and "poisoning." However, enforcing such policies can be quite difficult in practice, since users routinely share data over networks and derive new files from these inputs, incidentally laundering any policy restrictions. We are developing a VMM system called Neon that transparently labels derived data using byte-level "tints" and tracks these labels end-to-end across commodity applications, operating systems and networks. We hope to demonstrate that this mechanism allows the enforcement of a variety of data management policies, including data-dependent confinement, intellectual property management, and mandatory I/O encryption. You can find a poster here.

Glavlit

Protecting sensitive data is no longer a problem restricted to governments whose national security is at stake. With ubiquitous Internet connectivity, it is challenging to secure a network: not only to prevent attack, but also to ensure that sensitive data are not released. In this effort, we consider the problem of ensuring that only pre-authorized data leave a network boundary, over either overt or covert channels; that is, preventing exfiltration. We identify the goals of transparency, performance, and simplicity. A system designed to prevent exfiltration should not adversely affect the transfer of authorized data and should work with existing protocols. Key to our approach is: i) separating the process of vetting authorized objects from line-speed data verification; and ii) employing a restricted, but compliant, HTTP subset to limit covert channels. We hope to show that Glavlit adds little overhead to the operation of a software network bridge.
People
Publications

Glavlit: Preventing Exfiltration at Wire Speed. Proceedings of the 5th ACM Workshop on Hot Topics in Networks (HotNets-V), Irvine, CA, November 2006.

Privacy-Preserving Attribution and Provenance (Poster). 4th FIND PI Meeting Poster session, Washington, DC, November 2007.

Putting Network Anonymity in the Network (Poster). 4th FIND PI Meeting Poster session, Washington, DC, November 2007.
Funding

This work is funded by the National Science Foundation through the FIND program under collaborative research grant No. 0722031, with additional support from the following companies and institutions.
snoeren@cs.ucsd.edu