M. Hicks and A. Keromytis. A Secure PLAN. In Int'l Conf. on Active Networks, volume 1653, pages 307--314, 1999.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....them, and to establish secret keys to permit secure communication. The firmware in the nodes is modified to provide a Trusted Computing Base. Security in PLAN is achieved by restricting the namespace of services available to a PLAN program according to the capabilities that it carries [Hicks99b] The services available through 32 the namespace are implemented in a general purpose programming language, thus requiring verification before installation. Under the PLAN security scheme, a firewall may be implemented by encapsulating a PLAN chunk (see Section 2.2.2) in a function call that ....

....Rcane does not mandate any one particular security framework, and detailed discussion of such is beyond the scope of this dissertation. Possible frameworks suitable for specifying and implementing security policies in a programmable network environment are presented in [Blaze99, Hayton96, Hicks99b] The second aspect of security that needs to be considered is that the untrusted mobile code may itself not trust the server. The server has total control over the environment in which the mobile code executes; the server is at liberty to examine or corrupt any of the client s code or data, ....

[Article contains additional citation context not shown here]

Michael Hicks and Angelos D. Keromytis. A Secure PLAN. In Proceedings of the First International Working Conference on Active Networks (IWAN '99), volume 1653 of Lecture Notes in Computer Science, pages 307--314. Springer-Verlag, July 1999. (pp 32, 60, 64)

....goal is to accelerate network services and to provide rapid and dynamic reconfiguration of the network infrastructure for the provision of Quality of Service. In contrast to the traditional networks, active networks can be customized and reconfigured on the fly in the presence of congestion [9] [15]. On the other hand, active networks inherently exposures the underlying system to many security threats. Some of these threats include allowing malicious code to be injected into the network and granting resource access to unauthorized users that could result in denial of service to authorized ....

M. Hicks and Angelos. D. Keromytis. A Secure PLAN. In International Working Conference on Active Networks, 1999.

....these capabilities. Execution environments like PLAN [12] ANTS [21] and others strive to control the tradeo between security and exibility by limiting the programming interface available to active network agents. This strategy can be applied quite exibly. For instance, Hicks and Keromytis [10] describe an active rewall where outsiders passing through are allowed to use active network capabilities but only on a limited interface available to visitor packets. In particular, the rewall places wrappers on visitor packets that limit the symbol table of the packet when it evaluates on a ....

Michael Hicks and Angelos D. Keromytis. A secure PLAN. In Stefan Covaci, editor, Proceedings of the First International Working Conference on Active Networks, volume 1653 of Lecture Notes in Computer Science, pages 307-314. Springer-Verlag, June 1999.

.... as OSbased approaches such as Nemesis [LMB 96] ExoKernels [EKO94] and SPIN [BSP 95] Trust management combined with module thinning in ANs was introduced in the Secure Active Network Environment [AHK 98] The combination of trust management and AN code loading was also discussed in [HK99] An exhaustive discussion of these projects is beyond the scope of this paper. In short, the OKE provides a more complete safety model than SFI which is simpler than PCC and distinguishes itself from such approaches as Nemesis, Exokernels and SPIN in that it is implemented on a commonly used OS. ....

Michael Hicks and Angelos D. Keromytis. A secure PLAN. In Stefan Covaci, editor, Proceedings of the First International Working Conference on Active Networks, volume 1653 of Lecture Notes in Computer Science, pages 307--314. Springer-Verlag, June 1999. Extended version at http://www.cis.upenn.edu/ switchware/papers/secureplan.ps.

....In the OKE we try to pay more attention to these aspects of safety as well. Furthermore, an important distinction between the OKE and the other systems is that we look at a very commonly used OS, namely Linux. Trust management and code loading in active networks were first discussed in [HK99] A high level type safe language (PLAN) was used, to provide restrictions of a packet s service environment based on its level of privilege. Although the OKE was one of the first implementations that allowed restrictions (based on privileges) to be placed on a common low level programming ....

Michael Hicks and Angelos D. Keromytis. A secure PLAN. In Stefan Covaci, editor, Proceedings of the First International Working Conference on Active Networks, volume 1653 of Lecture Notes in Computer Science, pages 307--314. Springer-Verlag, June 1999. Extended version at http://www.cis.upenn.edu/ switchware/papers/secureplan.ps.

.... par ticularO arular y code supplied by enduserS to execute in their nodes.User haveconcerfl about the e#ect of the infrELLWfl7)W) computations on the data theyar tryfl)WRR ting thrflRO the networW Despite significantener( devoted tosecurL yr)RL0E h in active networL [2] 3] 4] 5] 6] 7] [8], the issues ofsecur0 yar by no means solved. This paper attempts todescrS e thesecurW y rL0SWfl7SP ts in active networ0 and the challenges of meeting thoseroseflSE ents (Section 2) Wedescrfl eour own implementation of a solution to a subset of those challenges (Section 3) WeprWRL t a securfl ....

....policy of a domain, the authentication policy of a domainor thesecurL y context of a domain . addor rfl vecr00L0fl aphicprcflLL(O(fl touser data 6 0 7803 7064 3 01 10.00 (C) 2001 IEEE IEEE OPENARCH 2001 V. Related Work AndConclusi on The Switchwar pr ject s apprsfl h tosecur0 y [2] 3] [8] is two fold. Fird. their languagefor active code, called PLAN, has rflOOO(fl7P functionality to safe functions that ar defined as being available to anyone . InparPWfl7P(S the language isguar) teed toterRWSSfl andther ar no featur for interORW ket communication. Hence, many PLAN packets have ....

Michael Hicks and Angelos D. Keromytis, "A Secure PLAN," in Proceedings of the First International Working Conference on Active Networks (IWAN '99). July 1999, vol. 1653 of Lecture Notes in Computer Science, pp. 307--314, SpringerVerlag, available online at http://www.cis.upenn.edu/ switchware /papers/secureplan.ps.

....a basic level of control ow safety, memory safety, and stack safety. 39 The SwitchWare active network architecture [AAH 98] strati es the enforcement mechanism into two levels. At the top level, agents carried by SwitchWare packets are written in the PLAN programming language [HKM 98, HK99] and are checked against a type system that ensures basic type safety and termination. PLAN programs are also permitted to invoke more general service routines that are written in a dialect of Objective Caml. Service routines are checked against a type system, and the visibility of sensitive ....

Michael Hicks and Angelos D. Keromytis. A secure PLAN. In Active Networks: First International Working Conference, Proceedings, volume 1653 of Lecture Notes in Computer Science, Berlin, Germany, June 1999.

....from dynamic extensibility within the broader perspective of active networking. In this direction, techniques that are well understood in the active networking context apply directly to the design of an extensible monitoring system. For example, fine grained security and resource control models [22, 3] can safely extend the application range of the system, thus opening the infrastructure for third parties to perform monitoring functions. The trade offs between flexibility, security and performance have been studied extensively in active networks [2] and experimentation has shown that these ....

Mike Hicks and Angelos D. Keromytis. A Secure PLAN. In International Working Conference on Active Networks (IWAN), 1999.

....above. However, PLAN programs can also call service routines which are written in general purpose languages. This constitutes a potential threat to the safety and security of the system. To make service calls safe, the pure part of PLAN has been complemented with a system of trust management [74]. According to this system, each node administrator creates a policy which restricts the use of unsafe services to selected users through a process of authorisation. Packets are then required to authenticate themselves before accessing the priviliged services. The technique employed by PLAN, which ....

M. Hicks and A. D. Keromytis. A secure PLAN. In Stefan Covaci, editor, Proceedings of the First International Workshop on Active Networks, volume 1653 of LNCS, pages 307--314. Springer-Verlag, June 1999. Extended version at http://www.cis.upenn.edu/~switchware/papers/ secureplan.ps.

....A third variant of QCM was built to run on top of the PLANet active network [13] In this implementation QCM carries out network communication using PLAN [14] active packets. Hicks and Keromytis have used this system as part of a security infrastructure for access control of PLANet services [12]. The examples in this paper run under each of our implementations, and we have developed a number of other small QCM programs to help us understand how well our query optimization works and to test how expressive the policy language can be. We have also implemented a graphical user interface for ....

Michael Hicks and Angelos D. Keromytis. A secure PLAN. In International Working Conference on Active Networks, Berlin, July 1999.

....for programming the network routing elements which forward packets in an internet. Internets that support such programmability are called active networks. PLAN allows QCM to provide access control policies for functions on active routers invoked by PLAN packets. This capability has been applied [13] to the development of an active network firewall, that is, an active network router that examines packets to provide security for a portion of a network. The second application [17] provides ACL maintenance for a test bed of computers for active networks known as the ABONE [1] The ABONE uses a ....

Michael Hicks and Angelos D. Keromytis. A secure PLAN. In Stefan Covaci, editor, Proceedings of the First International Workshop on Active Networks, volume 1653 of Lecture Notes in Computer Science, pages 307--314. Springer-Verlag, June 1999. Extended version at http://www.cis.upenn.edu/~switchware/papers/ secureplan.ps.

....these capabilities. Execution environments like PLAN [12] ANTS [21] and others strive to control the tradeoff between security and flexibility by limiting the programming interface available to active network agents. This strategy can be applied quite flexibly. For instance, Hicks and Keromytis [10] describe an active firewall where outsiders passing through are allowed to use active network capabilities but only on a limited interface available to visitor packets. In particular, the firewall places wrappers on visitor packets that limit the symbol table of the packet when it evaluates on ....

Michael Hicks and Angelos D. Keromytis. A secure PLAN. In Stefan Covaci, editor, Proceedings of the First International Working Conference on Active Networks, volume 1653 of Lecture Notes in Computer Science, pages 307--314. Springer-Verlag, June 1999.

....for coarse grained access control such as the ABONE rather than fine grained access control like the policy of a reference monitor in an operating system. An interface for using QCM for access control in the PLAN EE [10] was developed by Hicks [8] and used to develop an active firewall application [9]. In this case, QCM was used to determine policies about which network services various agents were allowed to use. Efficiency was enhanced by caching information about QCM verification decisions. Another interesting problem with QCM is the threat of circular dependencies such as a situation in ....

Michael Hicks and Angelos D. Keromytis. A secure PLAN. In Stefan Covaci, editor, Proceedings of the First International Workshop on Active Networks, volume 1653 of Lecture Notes in Computer Science, pages 307-- 314. Springer-Verlag, June 1999. Extended version at http://www.cis. upenn.edu/~switchware/papers/secureplan.ps.

....Unfortunately, it is difficult to know how to set this bound, and there is currently no provision for preventing the bound being set unreasonably high when the packet is first injected. Finally, PLAN s service namespace may be dynamically restricted or expanded based upon cryptographic credentials [12]. Efficiency. Hicks et al. implemented an active internetwork in OCaml [17] PLANet [13] in which all of the packets contain PLAN programs and data. PLANet was able to sustain 48 Mbps of routing throughput 2 , through the use of a special routing function pointer in each packet which ....

Michael Hicks and Angelos D. Keromytis. A secure PLAN. In Proceedings of the First International Working Conference on Active Networks, June 1999.

....protocol on your network to sniff your packets, it will be impossible for him to spoof the name of the protocol you are using and substitute his own: his program will have a different hash and will not be used by your packets. A more explicit example is a recent work on active network firewalls [12] where outsiders passing through a firewall are allowed to use active network capabilities but only on a limited interface available to visitor packets. In particular, the the firewall places wrappers on visitor packets that limit the symbol table of the packet when it evaluates on a router. To ....

Michael Hicks and Angelos D. Keromytis. A secure PLAN. In Proceedings of the First International Workshop on Active Networks, 1999. To appear.

No context found.

M. Hicks and A. D. Keromytis. A secure PLAN. In S. Covaci, editor, Proceedings of the First International Workshop on Active Networks, volume 1653 of Lecture Notes in Computer Science, pages 307--314. Springer-Verlag, June 1999.

No context found.

M. Hicks and A. D. Keromytis, "A secure plan," in Proc. 1st Int. Workshop Active Networks, vol. 1653, S. Covnci, Ed., Springer-Verlag, June 1999, pp. 307--314.

No context found.

M. Hicks and A. D. Keromytis. A secure PLAN. In S. Covaci, editor, Proceedings of the First International Workshop on Active Networks, volume 1653 of Lecture Notes in Computer Science, pages 307--314. Springer-Verlag, June 1999.

....only to trusted capsules. The first property allows the PPI to evolve as the need for new services arises. The second property, while useful in itself, necessarily follows from the first: if general purpose code can be installed on the node, there must be some way to secure that installation [10]. While its current implementation does not support these features, ANTS could be extended to include them. Performance A drawback of the basic capsule architecture is that capsules carry their code with them, consuming space in the packet and thus reducing the amount of useful payload. In ANTS, ....

....table. Once all the fragments arrive, the chunk is reassembled and then evaluated, just as if the original capsule had been sent whole across the network [17] F. Active Firewalls Capsules have been used to implement firewalls that go significantly beyond the basic filtering done today [10]. The idea is that rather than permit or deny packets from entering the trusted network, the firewall encapsulates (using chunks perhaps) the incoming guest packet in a special escort capsule and sends it on to its destination. When the escort capsule executes on the destination, it sets up an ....

Michael Hicks and Angelos D. Keromytis, "A secure PLAN," in Proceedings of the First International Workshop on Active Networks, Stefan Covaci, Ed. June 1999, vol. 1653 of Lecture Notes in Computer Science, pp. 307--314, Springer-Verlag.

....Most researchers agree that an e ective approach should focus on controlling the physical resources of the network: node CPU time, memory and disk space, and network bandwidth. Furthermore, a number of projects have examined techniques for enforcing resource usage, including namespace management [1, 12], runtime access control [7] limited expressibility [11, 17] certi cation [24] and negrained resource accounting [15, 6] Some work has also been done in policy speci cation [20] but without concrete demonstration. We believe that the central outstanding problem in e ective resource ....

Michael Hicks and Angelos D. Keromytis. A secure PLAN. In Stefan Covaci, editor, Proceedings of the First International Working Conference on Active Networks, volume 1653 of Lecture Notes in Computer Science, pages 307-314. Springer-Verlag, June 1999. Extended version at http://www.cis. upenn.edu/~switchware/papers/secureplan.ps.

....customizability for applications. Indeed, this exibility has been used to implement a variety of applications, such as application speci c routing [3] transparent redirection of web requests to nearby caches [6] distributed on line auctions [7] reliable multicast [8] mobile code rewalls [2], and reduced network management trac [15] Existing active packet systems have made di erent tradeo s between safety, exibility, usability, and performance. In this paper, we consider two di erent active packet schemes, PLAN (Packet Language for Active Networks) 4] and SNAP (Safe and Nimble ....

M. Hicks and A. D. Keromytis. A secure PLAN. In International Working Conference on Active Networks (IWAN), June 1999.

....can be used to improve application performance and functionality. Examples of active packet applications include application specific routing [9] transparent redirection of web requests to nearby caches [12] distributed on line auctions [13] reliable multicast [14] mobile code firewalls [8], and reduced network management traffic [21] Unfortunately, most of the active packet platforms have either restricted themselves to the control plane [21] had unacceptably low performance [25] 9] or have achieved reasonable performance only by sacrificing safety and security [17] None has ....

....We have seen how restrictions to SNAP s flexibility imply several important safety properties. To demonstrate that SNAP still retains enough expressibility to be useful, we developed a compiler that translates PLAN into SNAP. PLAN s flexibility is well documented in the literature [6] 7] [8], 9] our compiler thus ensures that SNAP remains useful. Indeed, of the six active applications mentioned in the introduction, two are currently implemented in PLAN, while at least three others could be. 3 Perhaps PLAN s most important application is its internetwork, PLANet [9] In PLANet, ....

M. Hicks and A. D. Keromytis. A secure PLAN. In International Working Conference on Active Networks (IWAN), June 1999.

....is its dynamicity. That is, each time load is called, the type interface returned is the most permissive for the program. Then, a policy determined at runtime can thin that environment depending on the privilege of the user loading code. This general approach is taken in a number of systems, e.g. HK99, AHI 00] Even more dynamic approaches are possible. We could provide functions that allow the direct construction of masks by adding bindings. For example, we could provide the function add binding, that takes a mask, a type name, and a type representation, and returns the mask with the ....

Michael Hicks and Angelos D. Keromytis. A secure PLAN. In Stefan Covaci, editor, Proceedings of the First International Workshop on Active Networks, volume 1653 of Lecture Notes in Computer Science, pages 307--314. Springer-Verlag, June 1999. Extended version at http://www.cis.upenn. edu/~switchware/papers/secureplan.ps.

No context found.

Michael Hicks and Angelos D. Keromytis. A secure PLAN. In Stefan Covaci, editor, Proceedings of the First International Workshop on Active Networks, volume 1653 of Lecture Notes in Computer Science, pages 307-314. Springer-Verlag, June 1999. Extended version at http://www.cis.upenn.edu/~switchware/papers/secureplan.ps.

....security. That is, certain services may contain private information that should not be made available to other services. However, if complete access to those services is available to all new or updated code, then there can be no privacy. Both problems may be avoided via module thinning [3, 11], a technique whereby new code may access old code commensurate with its level of privilege. For example, a routing table service in the node may allow anyone to read the table, but only certain individuals to write to it. This can be controlled by thinning the table writing function from the ....

Michael Hicks and Angelos D. Keromytis. A secure PLAN. In Stefan Covaci, editor, Proceedings of the First International Working Conference on Active Networks, volume 1653 of Lecture Notes in Computer Science, pages 307--314. Springer-Verlag, June 1999.

....only to trusted capsules. The first property allows the PPI to evolve as the need for new services arise. The second property, while useful in itself, necessarily follows from the first: if generalpurpose code can be installed on the node, there must be some way to secure that installation [9]. While its current implementation does not support these features, ANTS could easily be extended to include them. Performance A drawback of the basic capsule architecture is that capsules carry their code with them, consuming space in the packet and thus reducing the amount of useful payload. In ....

Michael Hicks and Angelos D. Keromytis, "A secure PLAN," in Proceedings of the First International Workshop on Active Networks, Stefan Covaci, Ed. June 1999, vol. 1653 of Lecture Notes in Computer Science, pp. 307--314, Springer-Verlag.

....of the running program s code is not required. In combination, these properties allow updates to originate from multiple sources. Security Loading new or replacement code is an explicit, controllable operation. This allows programmers to formulate strategies, such as module thinning [31, 42], for securing updates. Intuitively, a dynamic update to a program is valid if the program behaves as expected following the update. We will develop requirements for achieving update validity and provide guidelines for ensuring that updates meet these requirements. Active networks are an ....

....information security. That is, certain services may contain private information that should not be made available to other services. However, if complete access those services is available to all new or updated code, then there can be no privacy. Both problems may be avoided via module thinning [4, 31, 42], a technique whereby new code may access old code commensurate with its level of privilege. For example, a routing table service in the node may allow anyone to read the table, but only certain individuals to write to it. This can be controlled by thinning the table writing function from the ....

[Article contains additional citation context not shown here]

Michael Hicks and Angelos D. Keromytis. A Secure PLAN. In Stefan Covaci, editor, Proceedings of the First International Workshop on Active Networks, volume 1653 of Lecture Notes in Computer Science, pages 307-314. Springer-Verlag, June 1999. Extended version at http://www.cis.upenn.edu/~switchware/papers/ secureplan.ps.

....node CPU time, memory , disk space and network bandwidth. Some work has also been done in policy speci cation in general [3] and without concrete demonstration for Active Networks [20] Finally, some projects have examined techniques for enforcing resource usage, including namespace management [1, 12], runtime access control [7] limited expressibility [11, 17] certi cation [24] and ne grained resource accounting [14, 6] We believe that the central outstanding question in e ective resource management is question 4, the speci cation of scalable policies. In this paper, we present a ....

Michael Hicks and Angelos D. Keromytis. A Secure PLAN. In Stefan Covaci, editor, Proceedings of the First International Working Conference on Active Networks, volume 1653 of Lecture Notes in Computer Science, pages 307-314. Springer-Verlag, June 1999. Extended version at http://www.cis.upenn.edu/ ~switchware/papers/secureplan.ps.

....are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Defense Advanced Research Projects Agency or the U.S. Government. nearby caches [12] distributed on line auctions [13] reliable multicast [14] mobile code firewalls [8], and reduced network management traffic [21] Unfortunately, most of the active packet platforms have either restricted themselves to the control plane [21] had unacceptably low performance [25] 9] or have achieved reasonable performance only by sacrificing safety [17] None has done an ....

M. Hicks and A. D. Keromytis. A secure PLAN. In International Working Conference on Active Networks (IWAN), June 1999.

....some straightforward alterations to the language, including one presented in [12] We are currently researching the effects of such alterations and whether they are, in fact, enough, or whether further restriction is necessary. Additional security mechanisms for PLANet are considered in [11] and [13]. Scalability. So far, we have only experimented with small topologies, thus far avoiding problems of scalability. One area of needed improvement is in the lack of organization of service namespaces. Currently, all services exist in a flat namespace with the effect that newly installed services ....

....older ones with the same name. While this is a useful property, since changes in technology or circumstance might necessitate upgrades of the service library, namespace organization is essential to make this process less ad hoc. Namespaces may also be used as a source of security, as described in [13]. Abstractions like Java packages or ML modules present possible solutions to this problem. It should also be noted that while the services suffer from this problem, PLAN programs themselves do not, as they are self contained and may not interfere with each other. Performance. Our performance ....

Michael Hicks and Angelos D. Keromytis. A Secure PLAN. In International Workshop on Active Networks, 1999. Submitted; available at http://www.cis.upenn.edu/ ~switchware/ papers/ secureplan.ps.

No context found.

M. Hicks and A. Keromytis. A Secure PLAN. In Int'l Conf. on Active Networks, volume 1653, pages 307--314, 1999.

No context found.

M. Hicks and A. Keromytis. A Secure PLAN. In Proceedings of the First International Working Conference on Active Networks (IWAN'99), June/July 1999.

No context found.

M. Hicks and A. D. Keromytis. A secure PLAN. In International Working Conference on Active Networks (IWAN), 1999.

No context found.

M. Hicks and A. D. Keromytis. A secure PLAN. In S. Covaci, editor, Active Networks, First International Working Conference, IWAN '99, Berlin, Germany, June 30 -- July 2, 1999.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC