Information Security Reading List

This page contains an annotated exploration of information security and assurance papers, primarily from academic research groups. It is suitable for use by a reading group interested in information security topics, including systems security, network security, applied cryptography, privacy, and information assurance. PLEASE NOTE that the analysis and opinions offered here in summaries of papers is the work of students and researchers at various stages of expertise attempting to grapple with the ideas in each paper and learn more about systems and information security. If we've gotten it wrong, please send us a correction or short note via email to clarify our understanding. While you can post a response on the wiki itself, we'd prefer to engage directly to limit misunderstandings. This page is a learning tool, not Zagat. Thanks!

Information security is a large and growing field. The page will eventually have categories (e.g., "Classic", "Systems", "Networks", "Intrusion Detection", "Applied Cryptography", "Web", "Privacy", "Usable Security") and reading weeks organized by specific topics. For now, it contains a record of a small exploration of the field. The papers that appear below only do so as a result of informal personal discussions about interesting topics rather than a master plan.

Week Topics
After each week, we will write 1 or 2 paragraphs reviewing each paper, its context, its primary contribution, and noting any limitations or flaws we perceive.

Week 1: (Classic Protection; Web Security)
Dates: (2 Nov 2010 - 9 Nov 2010)


 * 1) "Protection" by Butler W. Lampson (Butler's publication site)
 * 2) "Protection in Operating Systems" by Michael A. Harrison, Walter L. Ruzzo, and Jeffrey D. Ullman (ACM Digital Library, available via U of C with appropriate network address)
 * 3) "ConScript: Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser" by Leo Meyerovich and Benjamin Livshits (Oakland 2010)
 * 4) "The Ghost in the Browser: Analysis of Web-Based Malware" by Niels Provos et al. (USENIX link to the paper)

Paper Summaries


 * 1) Summary of "Protection"
 * 2) Summary of "Protection in Operating Systems"
 * 3) Summary of "ConScript"
 * 4) Summary of "Ghost in the Browser"

Week 2 (Virtualization and Isolation)
(9 Nov 2010 - 16 Nov 2010)


 * 1) "Hype and Virtue" by Timothy Roscoe, ETH Zürich; Kevin Elphinstone and Gernot Heiser, National ICT Australia (2007)
 * 2) "Compatibility Is Not Transparency: VMM Detection Myths and Realities" by Tal Garfinkel, Stanford University; Keith Adams, VMware; Andrew Warfield, University of British Columbia/XenSource; Jason Franklin, Carnegie Mellon University (2007)
 * 3) "SLIC: An Extensibility System for Commodity Operating Systems" by Douglas P. Ghormley, University of California, Berkeley; David Petrou, Carnegie Mellon University; Steven H. Rodrigues, Network Appliance, Inc.; Thomas E. Anderson, University of Washington (1998)
 * 4) "Dealing With Disaster: Surviving Misbehaved Kernel Extensions" by Margo I. Seltzer, Yasuhiro Endo, Christopher Small, Keith A. Smith (1996)

Paper Summaries


 * 1) Summary of "Hype and Virtue"

Through this paper, the authors state that although VMs have plenty of uses and applications in the short term, it is very important to review their usage in the long term in the context of OS research. A clear idea pops up frequently throughout the work: hypervisors are not a world changing development and in fact harm kernel research when abused as middleware. Virtualization is a good stepping stone when trying to maintain compability with older programs. The idea being that if we isolate them they should behave just as expected. However, the added complexity, including the communication and hardware virtualization problems, turn the efforts into a labor that would be better invested in modifying the guest OS. Following this conclusion, it's proposed that future research on both monolithic and microkernels should be oriented towards some backwards compatibility built in - which doesn't mean just support for a VMM -, and development that provides APIs for future work. That way academic research on the long term can really progress.


 * 1) Summary of "VMM Myths"

VMM detection, querying the system to determine if it's a virtual machine, is a problem that is being sought to be eliminated through the invisibility property. The goal being to emulate the system and its hardware thoroughly so malware can't potentially detect the trickery and stop executing to avoid being monitored. The authors state that not only invisibility is infeasible, but that it's not a really essential property of VMs. The paper goes through a list of possible methods for detection, all of them exploiting inherent features of a virtual machine. Although ways to overcome these are proposed with them, it closes saying that the added complexity is not only harmful to the system emulation, but a unsteady facade that comes crashing down easily. True invisibility is deemed infeasible given the lack of difficulty found in devising new methods for detection. However, the authors state that this discovery is not a reason for worry. Given the growth of the application of VM in all areas in recent years, they declare that a malware limiting itself is either a minor annoyance for most systems, or chooses to continue working even in VM environments, thereby rendering the invisibility problem a non-issue.


 * 1) Summary of "SLIC"

An older paper, it establishes a prototype for an extension framework that allows to add features to an OS without having to get into the expensive and complex effort of rewriting the kernel from the ground up. Their goal was to provide a way for third party developers to create code and add it to the running operative system with a minimum performance cost. The prototype, named SLIC by the authors, works through interposition, a basic concept but that gets applied in an impressive manner. The system intercepts calls to different functions of the system and reroutes them to the installed extensions as required, so they may execute the desired code. However, it is not without its flaws. The paper betrays its age, being mostly based around Solaris for one. This added to the fact that it requires that any extension has to be trusted, otherwise potentially harmful code is being added to the kernel. Yet, the fact that examples are not only proposed but implemented, adding features that could should have been in the kernel in the first place, leaves it in a very high place. One could say that it is one of the building blocks for the base of our current OS paradigms, based around Loadable Kernel Modules and other modifications to any OS without having to delve down to the kernel itself.


 * 1) Summary of "VINO"

"VM-based Security Overkill: A Lament for Applied Systems Security Research" by Bratus, Sergey; Locasto, Michael; Ramaswamy, Ashwin; Smith, Sean. (2010) Summary:

This paper has a clear-cut goal: to question the orthodoxy of the use of virtual machine monitoring in computer security. It explores the actual cost of adding a hypervisor layer to a kernel, arriving to the conclusion that it adds too much complexity to the system. Although it has plenty of applications, it cannot be considered the sole solution to all problems and as such, solutions not based on isolation and virtualization can't be so easily dismissed as they tend to be in the industry. Furthermore, it states that the added complexity will make the system less secure than on its own, and just as secure at best. As a case study, it analyzes same-layer monitoring solutions, specifically facing the biggest issue with self monitoring: the fear of modification by foreign code, thus rendering the results corrupted and untrustworthy. However, the authors state that this is a problem that has been approached before and solved to a degree, by way of detection of modification of protected page. Corruption would be detected before the monitor is compromised. Overall, the paper seeks to engage on a discussion on the overuse of VMM solutions and the continued research on alternatives instead of their dismissal.

Future Topics

 * Multi-level security, access control, classic security models; Biba, Clark-Wilson, Bell-LaPadula; lattices
 * Virtualization and Security, Applications of
 * Network Anomaly Detection
 * Host Anomaly Detection
 * Software and host hardening and protection
 * Automated Diversity (Intrusion countermeasures)
 * Language security
 * Policy-based security
 * DoS, Network DDoS, Algorithmic Complexity DoS
 * Self-healing and Automated Repair
 * Intrusion Detection
 * Rootkits
 * Cloud Security
 * Attack Graphs
 * Firewalls
 * Routing Security
 * Usable Security and Authentication
 * Privacy
 * Security assessment / metrics
 * Trust Management
 * File system security
 * Forensics
 * Anonymity mechanisms

TO READ

 * http://dev.laptop.org/git/security/tree/bitfrost.txt

Paper Reading Tips

 * A 1 to 2 hour perusal of each paper should suffice.
 * Suggested reading approach:
 * read the abstract
 * read the conclusion (do they match? are claims supported?)
 * skim the rest of the paper (read fast, gloss over details...just get a sense of the whole paper)
 * go back and read the evaluation or proof section in detail
 * if you have time, re-read the paper from start to finish slowly to gather the detail you missed on your first pass
 * Suggested analysis approach
 * identify the threat model that the authors claim in the paper
 * identify the research methods section (how they designed the experiments and data collection procedures)
 * identify the claimed contributions
 * distinguish how these contributions differ from related work
 * identify any limitations or caveats (both those the authors identify and those they don't)

Contributors

 * Raul Gonzalez
 * Michael E. Locasto