DCS Distinguished Lecture Series -- Fall 2008

Security is never absolute, but rather always with respect to an adversary with particular knowledge and capabilities. An important philosophy of computer security is that one should model an adversary by general classes of possible capabilities, rather than considering security against particular adversary strategies. These classes of adversaries should be powerful enough to capture all reasonable scenarios, yet realistic enough that resources are not spent securing systems unnecessarily.

We have seen repeatedly that new computing technologies and applications introduce new security vulnerabilities. Upon examination, these vulnerabilities suggest a redefinition of the adversary. This naturally suggests the question of whether it is possible to define an adversary model that is robust enough to be reused for multiple applications and technologies. In this talk, I will present a general structure of adversary definitions that has been used for applications ranging from cryptographic-protocol to operating-system penetration analyses. I will also show that adversary definitions can be fragile; i.e., restrictions placed on the adversary behavior in theory can often be circumvented in practice. Fragility is caused by mismatches between the adversary models, which are supposed to be independent of adversary's attack strategies, and the practical realities of large-scale networks, such as the Internet, where different strategies can make a huge difference in the success of an attack.

I illustrate these mismatches with two examples of realistic new adversaries: a "concurrent" and a "network" adversary --- and security breaches they can cause. In the first example, bounds placed on the number of attack queries launched by an adversary against password-based authenticated key exchange protocols, whose security is correctly proven in either the standard or the random oracle models, can be circumvented by multi-threaded, client-server models of computation in the Internet. In the second example, I argue that a polynomially-bounded adversary with access to a large, but bounded, number of different oracles can break encryption schemes that offer provable security in what has been considered to be a very strong security model can be broken with non-negligible probability. I conclude that security proofs must come with "warning labels" regarding the adversary definitions and models assumed and the security vulnerabilities that might arise in practice.

(The first example is based on joint work with Taekyoung Kwon and Ji Sun Shin; the second example is based on joint work with Bryan Parno.)

Bio: Virgil D. Gligor received his B.Sc., M.Sc., and Ph.D. degrees from the University of California at Berkeley. He taught at the University of Maryland between 1976 and 2007, and is currently a Professor of Electrical and Computer Engineering at Carnegie Mellon University. He is currently the Editor-in-Chief of the IEEE Transactions on Dependable and Secure Computing and has also served as an Editorial Board member of the ACM Transactions on Information System Security and several IEEE Transactions. He is currently chair of ACM's Special Interest Group on Security, Audit and Control (SIGACT) and serves on Microsoft's Trusted Computing Academic Advisory Board. Over the past three decades, his research interests ranged from access control mechanisms, penetration analysis, and denial-of-service protection to cryptographic protocols and applied cryptography. He was awarded the 2006 National Information Systems Security Award jointly given by NIST and NSA in the US for his contributions to security research.

Date: 11/06/08
Time: 10am
Location: CoRE Auditorium