Self Securing Devices

Better Security via Smarter Devices

Security compromises are a fact of life with crackers, e-mail viruses, self-propagating worms, and DoS attacks. Since no single defense is adequate, security functionality should be distributed among physically distinct components. Inspired by siege warfare, individual devices erect their own security perimeters and defend their own critical resources (e.g., network link or storage media).

Together with conventional OS and firewall defenses, such self-securing devices promise greater flexibility for security administrators dealing with intrusions. By having each device erect an independent security perimeter, the network environment gains many outposts from which to act when under attack. Devices not only protect their own resources, but they can observe, log,
and react to the actions of other nearby devices. Infiltration of one security perimeter will compromise only a small fraction of the environment -- other devices can work to dynamically identify the problem, alert still-secured devices about the compromised components, raise the security levels of the environment, and so forth.

More Information

• Extended Overview
• 6 page white paper, HotOS VIII 2001 (pdf)
  
  

People

FACULTY

Greg Ganger
David Nagle

STAFF

Stan Bielski
Gregg Economou

STUDENTS

Garth Goodson
John Griffin
Andy Klosterman
Chris Lumb
Adam Pennington
Jiri Schindler
Craig Soules
John Strunk

Publications

SELF SECURING DEVICES

• Storage-Based Intrusion Detection. Adam G. Pennington, John Linwood Griffin, John S. Bucy, John D. Strunk, Gregory R. Ganger. ACM Transactions on Information and System Security, Vol. 13, No. 4, Article 30, Pub. date: December 2010.
  Abstract / PDF [333K]
  
  
• Design and Implementation of Self-Securing Network Interface Applications. Stanley M. Bielski. M.S. Thesis. Electrical and Computer Engineering, Carnegie Mellon University. December 2005.
  Abstract / PDF [211K]
  
  
• Empirical Analysis of Rate Limiting Mechanisms. Cynthia Wong, Stan Bielski, Ahren Studer, Chenxi Wang. 8th International Symposium on Recent Advances in Intrusion Detection (RAID 2005), September 7-9, 2005, Seattle, Washington. Supercedes Carnegie Mellon University Parallel Data Lab Technical Report CMU-PDL-05-103, March 2005.
  Abstract / PDF [207K]
  
  
• A Study of Mass-mailing Worms. Cynthia Wong, Stan Bielski, Jonathan M. McCune, Chenxi Wang. WORM’04, October 29, 2004, Washington, DC, USA.
  Abstract / PDF [192K]
  
  
• Better Security via Smarter Devices. Gregory R. Ganger and David F. Nagle. Appears in HotOS-VIII (IEEE Workshop on Hot Topics in Operating Systems), May 2001.
  Abstract / Postscript [1.1M] PDF [245K]
  
  
• Enabling Dynamic Security Management of via Device-Embedded Security. Gregory R. Ganger and David F. Nagle. CMU SCS Technical Report CMU-CS-00-174, December 2000.
  Abstract / PDF [607K]
  
  

SELF SECURING STORAGE

• The Safety and Liveness Properties of a Protocol Family for Versatile Survivable Storage Infrastructures. Garth R. Goodson, Jay J. Wylie, Gregory R. Ganger, Michael K. Reiter. Carnegie Mellon University Parallel Data Laboratory Technical Report CMU-PDL-03-105. March 2004.
  Abstract / Postscript [922K] / PDF [227K]
  
  
• On the Feasibility of Intrusion Detection Inside Workstation Disks. John Linwood Griffin, Adam Pennington, John S. Bucy, Deepa Choundappan, Nithya Muralidharan, Gregory R. Ganger. Carnegie Mellon University Parallel Data Lab Technical Report CMU-PDL-03-106. December, 2003.
  Abstract / Postscript [1.12M] / PDF [215K]
  
  
• Efficient Consistency for Erasure-coded Data via Versioning Servers. Garth R. Goodson, Jay J. Wylie, Gregory R. Ganger, Michael K. Reiter. Carnegie Mellon University Technical Report CMU-CS-03-127, April 2003.
  Abstract / Postscript [290K] / PDF [160K]
  
  
• Storage-based Intrusion Detection: Watching Storage Activity For Suspicious Behavior
  Adam Pennington, John Strunk, John Griffin, Craig Soules, Garth Goodson & Greg Ganger. 12th USENIX Security Symposium, Washington, D.C., Aug 4-8, 2003. Also available as Carnegie Mellon University Technical Report CMU-CS-02-179, September 2002.
  Abstract / Postscript [727K] / PDF [138K]
  
  
• Metadata Efficiency in a Comprehensive Versioning File System. Craig A. N. Soules, Garth R. Goodson, John D. Strunk, Gregory R. Ganger. 2nd USENIX Conference on File and Storage Technologies, San Francisco, CA, Mar 31 - Apr 2, 2003. Also available as CMU SCS Technical Report CMU-CS-02-145, May 2002.
  Abstract / Postscript [817K] / PDF [178K]
  
  
• Intrusion Detection, Diagnosis, and Recovery with Self-Securing Storage. John D. Strunk, Garth R. Goodson, Adam G. Pennington, Craig A.N. Soules, Gregory R. Ganger. CMU SCS Technical Report CMU-CS-02-140, May 2002.
  Abstract / Postscript [1.1M] / PDF [119K]
  
  
• Self-Securing Storage: Protecting Data in Compromised Systems. Strunk, J.D., Goodson, G.R., Scheinholtz, M.L., Soules, C.A.N. and Ganger, G.R. Appears in Proc. of the 4th Symposium on Operating Systems Design and Implementation, 2000.
  Abstract / Postscript [345K] / PDF [294K]
  
  

SELF SECURING NICS

• Dynamic Quarantine of Internet Worms. Cynthia Wong, Chenxi Wang, Dawn Song, Stan Bielski, Gregory R. Ganger. Proceedings of the International Conference on Dependable Systems and Networks (DSN-2004). Palazzo dei Congressi, Florence, Italy. June 28th - July 1, 2004. Supercedes Carnegie Mellon University Parallel Data Lab Technical Report CMU-PDL-03-108, December 2003.
  Abstract / Postscript [1.4M] / PDF [224K]
  
  
• Finding and Containing Enemies Within the Walls with Self-securing Network Interfaces. Gregory R. Ganger, Gregg Economou, Stanley M. Bielski. Carnegie Mellon University Technical Report CMU-CS-03-109, January 2003.
  Abstract / Postscript [963K] / PDF [118K]
  
  
• Self-Securing Network Interfaces: What, Why and How. Gregory R. Ganger, Gregg Economou, Stanley M. Bielski. CMU SCS Technical Report CMU-CS-02-144, May 2002.
  Abstract / Postscript [952K] / PDF [472K]
  
  
• Building Firewalls with Intelligent Network Interface Cards. David Friedman and David Nagle. CMU SCS Technical Report CMU-CS-00-173, May 2001.
  Abstract / Postscript [540K] / PDF [229K]
  
  

BIOMETRIC-ENHANCED AUTHENTICATION

• Position Summary: Authentication Confidences. Gregory R. Ganger. Appears in HotOS-VIII (IEEE Workshop on Hot Topics in Operating Systems), May 2001.
  Abstract / Postscript [66K] PDF [16K]
  
  
• Authentication Confidences Gregory R. Ganger. CMU SCS Technical Report CMU-CS-01-123, May 2001.
  Abstract / Postscript [335K] PDF [42K]
  
  
• Secure Continuous Biometric-Enhanced Authentication Andrew J. Klosterman and Gregory R. Ganger. CMU SCS Technical Report CMU-CS-00-134, May 2000.
  Abstract / Postscript [1.1M] PDF [245K]
  
  

Acknowledgements

This material is based on research sponsored by the Air Force Research Laboratory, under agreement number F49620-01-1-0433. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Air Force Research Laboratory or the U.S. Government.

We thank the members and companies of the PDL Consortium: Amazon, Bloomberg LP, Datadog, Google, Intel Corporation, Jane Street, LayerZero Research, Meta, Microsoft Research, Oracle Corporation, Oracle Cloud Infrastructure, Pure Storage, Salesforce, Samsung Semiconductor Inc., and Western Digital for their interest, insights, feedback, and support.