Self Securing Devices
Better Security
via Smarter Devices
Security compromises are a fact of life with crackers, e-mail viruses,
self-propagating worms, and DoS attacks. Since no single defense is
adequate, security functionality should be distributed among physically
distinct components. Inspired by siege warfare, individual devices erect
their own security perimeters and defend their own critical resources
(e.g., network link or storage media).
Together with conventional OS and firewall defenses, such self-securing
devices promise greater flexibility for security administrators
dealing with intrusions. By having each device erect an independent
security perimeter, the network environment gains many outposts from
which to act when under attack. Devices not only protect their own resources,
but they can observe, log,
and react to the actions of other nearby devices. Infiltration of one
security perimeter will compromise only a small fraction of the environment
-- other devices can work to dynamically identify the problem, alert
still-secured devices about the compromised components, raise the security
levels of the environment, and so forth.
More Information
People
FACULTY
Greg Ganger
David Nagle
STAFF
Stan Bielski
Gregg Economou
STUDENTS
Garth Goodson
John Griffin
Andy Klosterman
Chris Lumb
Adam Pennington
Jiri Schindler
Craig Soules
John Strunk
Publications
SELF SECURING DEVICES
- Storage-Based Intrusion Detection. Adam G. Pennington, John Linwood Griffin, John S. Bucy, John D. Strunk, Gregory R. Ganger. ACM Transactions on Information and System Security, Vol. 13, No. 4, Article 30, Pub. date: December 2010.
Abstract / PDF [333K]
- Design and Implementation of Self-Securing Network Interface Applications. Stanley M. Bielski. M.S. Thesis. Electrical and Computer Engineering, Carnegie Mellon University. December 2005.
Abstract / PDF [211K]
- Empirical Analysis of Rate Limiting Mechanisms. Cynthia Wong, Stan Bielski, Ahren Studer, Chenxi Wang. 8th International Symposium on Recent Advances in Intrusion Detection (RAID 2005), September 7-9, 2005, Seattle, Washington. Supercedes Carnegie Mellon University Parallel Data Lab Technical Report CMU-PDL-05-103, March 2005.
Abstract / PDF [207K]
- A Study of Mass-mailing Worms. Cynthia Wong, Stan Bielski, Jonathan M. McCune, Chenxi Wang. WORM’04, October 29, 2004, Washington, DC, USA.
Abstract / PDF [192K]
- Better Security via Smarter Devices. Gregory R. Ganger and
David F. Nagle. Appears in HotOS-VIII (IEEE Workshop on Hot Topics
in Operating Systems), May 2001.
Abstract / Postscript [1.1M] PDF [245K]
- Enabling Dynamic Security Management of via Device-Embedded Security. Gregory R. Ganger and David F. Nagle. CMU SCS Technical Report CMU-CS-00-174,
December 2000.
Abstract / PDF [607K]
SELF SECURING STORAGE
- The Safety and Liveness Properties of a Protocol Family for Versatile Survivable Storage Infrastructures. Garth R. Goodson, Jay J. Wylie, Gregory R. Ganger, Michael K. Reiter. Carnegie Mellon University Parallel Data Laboratory Technical Report CMU-PDL-03-105. March 2004.
Abstract / Postscript [922K] / PDF [227K]
- On the Feasibility of Intrusion Detection Inside Workstation
Disks. John Linwood Griffin, Adam Pennington, John S. Bucy, Deepa
Choundappan, Nithya Muralidharan, Gregory R. Ganger. Carnegie Mellon
University Parallel Data Lab Technical Report CMU-PDL-03-106. December,
2003.
Abstract / Postscript [1.12M] / PDF [215K]
- Efficient Consistency for Erasure-coded Data via Versioning Servers.
Garth R. Goodson, Jay J. Wylie, Gregory R. Ganger, Michael K. Reiter.
Carnegie Mellon University Technical Report CMU-CS-03-127, April 2003.
Abstract / Postscript [290K] / PDF [160K]
- Storage-based Intrusion
Detection: Watching Storage Activity For Suspicious Behavior
Adam Pennington,
John Strunk, John Griffin, Craig Soules, Garth Goodson & Greg
Ganger. 12th USENIX Security Symposium, Washington, D.C., Aug 4-8,
2003. Also available as Carnegie Mellon University Technical Report
CMU-CS-02-179, September 2002.
Abstract / Postscript [727K] / PDF [138K]
- Metadata Efficiency in a Comprehensive Versioning File System. Craig A. N. Soules, Garth R. Goodson, John D. Strunk, Gregory R. Ganger.
2nd USENIX Conference on File and Storage Technologies, San Francisco,
CA, Mar 31 - Apr 2, 2003. Also available as CMU SCS Technical Report
CMU-CS-02-145, May 2002.
Abstract / Postscript [817K] / PDF [178K]
- Intrusion Detection, Diagnosis, and Recovery with Self-Securing
Storage. John D. Strunk, Garth R. Goodson, Adam G. Pennington,
Craig A.N. Soules, Gregory R. Ganger. CMU SCS Technical Report CMU-CS-02-140,
May 2002.
Abstract / Postscript [1.1M] / PDF [119K]
- Self-Securing Storage: Protecting Data in Compromised Systems. Strunk, J.D., Goodson, G.R., Scheinholtz, M.L., Soules, C.A.N. and
Ganger, G.R. Appears in Proc. of the 4th Symposium on Operating Systems
Design and Implementation, 2000.
Abstract / Postscript [345K] / PDF [294K]
SELF SECURING NICS
- Dynamic Quarantine of Internet Worms. Cynthia Wong, Chenxi Wang, Dawn Song, Stan Bielski, Gregory R. Ganger. Proceedings of the International Conference on Dependable Systems and Networks (DSN-2004). Palazzo dei Congressi, Florence, Italy. June 28th - July 1, 2004. Supercedes Carnegie Mellon University Parallel Data Lab Technical Report CMU-PDL-03-108, December 2003.
Abstract / Postscript [1.4M] / PDF [224K]
- Finding and Containing Enemies Within the Walls with Self-securing
Network Interfaces. Gregory R. Ganger, Gregg Economou, Stanley
M. Bielski. Carnegie Mellon University Technical Report CMU-CS-03-109,
January 2003.
Abstract / Postscript [963K] / PDF [118K]
- Self-Securing Network Interfaces: What, Why and How. Gregory
R. Ganger, Gregg Economou, Stanley M. Bielski. CMU SCS Technical Report
CMU-CS-02-144, May 2002.
Abstract / Postscript [952K] / PDF [472K]
- Building Firewalls with Intelligent Network
Interface Cards. David Friedman and David Nagle. CMU SCS Technical
Report CMU-CS-00-173, May 2001.
Abstract / Postscript [540K] / PDF [229K]
BIOMETRIC-ENHANCED AUTHENTICATION
- Position Summary: Authentication Confidences. Gregory R.
Ganger. Appears in HotOS-VIII (IEEE Workshop on Hot Topics in Operating
Systems), May 2001.
Abstract / Postscript [66K] PDF [16K]
- Authentication Confidences Gregory R. Ganger. CMU SCS Technical
Report CMU-CS-01-123, May 2001.
Abstract / Postscript [335K] PDF [42K]
- Secure Continuous Biometric-Enhanced Authentication Andrew
J. Klosterman and Gregory R. Ganger. CMU SCS Technical Report CMU-CS-00-134,
May 2000.
Abstract / Postscript [1.1M] PDF [245K]
Acknowledgements
This material is based on research sponsored by the Air Force Research
Laboratory, under agreement number F49620-01-1-0433. The U.S. Government
is authorized to reproduce and distribute reprints for Governmental
purposes notwithstanding any copyright notation thereon. The views and
conclusions contained herein are those of the authors and should not be
interpreted as necessarily representing the official policies or
endorsements, either expressed or implied, of the Air Force Research
Laboratory or the U.S. Government.
We thank the members and companies of the PDL Consortium: Amazon, Bloomberg, Datadog, Google, Honda, Intel Corporation, IBM, Jane Street, Meta, Microsoft Research, Oracle Corporation, Pure Storage, Salesforce, Samsung Semiconductor Inc., Two Sigma, and Western Digital for their interest, insights, feedback, and support.