High noon for security research

Carl Gunter
Not a day goes by when you can't learn about a security breach in a computer system in the news. Gone are the days when we could protect our computers from unauthorized access with cute passwords. Gone are the days when all Internet users were honest techies. Gone are the days when spam simply referred to a canned meat. The good news is that researchers are moving closer to beating the perpetrators, from the annoying Viagra spammer to the sinister member of a crime cell, at their own game.
Carl Gunter is leading the Department of Computer Science at Illinois into becoming a cyber-security powerhouse. Having arrived a little more than a year ago from University of Pennsylvania, Gunter said that he came to Illinois because "the potential for security research at UIUC is enormous. There are lots of different projects that have connections to security, and dozens of people are working in this area. We just need to draw these people together."
The recent hiring by Illinois of researchers like Carl Gunter and the launching of the Information Trust Institute (ITI), on whose steering committee he serves, have given Illinois a great start. Within ITI, Gunter joins about 40 faculty members on campus in an interdisciplinary effort to research and develop trustworthy and secure information systems.
Working in security is a lot like a Hollywood action movie that pits good against evil: the lone and outgunned hero against all odds, with nothing but his ingenuity and wits to save himself and hence the world. It's an area of computer science Gunter relishes. "It's intriguing in terms of human nature. One of the more sinister and interesting aspects is the relationship between spammers and virus writers. The recent German attack is a probable instance of using large numbers of machines to disguise a political statement. In this case, there is an advertising motive, but it is not economic." This was the Sober mass-mailing worm that barraged inboxes last May with politically themed messages in German.
Three security projects in particular that Gunter is involved with and that have generated a lot of momentum in the computer science department are AMPol, LocFlow, and Contessa. "The underlying theme of my research is to look for things people don't do because of security, and if we solved the security issue, we can still do them without the privacy risk," he said.
AMPol - Adaptive Messaging Policy - Help is on the way for out-of-control email
Email is fraught with problems, from spam to mysteriously bounced messages, and existing email systems are not sufficiently adaptive to cope with them. With messaging in distributed systems, like the Internet, diverse communication policies exist because of changing requirements and security threats. Trust must be established between unacquainted entities, and most messaging systems are based on fixed protocols. AMPol addresses this problem by providing a way for potential recipients to advertise policies and for senders to adapt to these policies to enable communication.
There is a filtering layer between the sender and recipient of an email message that looks at the criteria set by the recipient's inbox. These criteria (e.g., size of file, type of file, whether it contains a required digital signature) determine whether the message will be accepted, and in what form (its entirety or modified). The problem is that there is no way for the sender to know what the acceptance criteria are until the message is sent. For example, suppose you want to receive email from a company that you do business with, but because the email contains financial data, you want to require a digital signature to prove that the email is truly from that company. How would the company know this? Even if it were communicated to the proper entity at the company, they may not have a way to adapt to the requirement.
There are many good ideas for how to improve email, but many of these solutions are not deployed because they require widespread acceptance before they are useful. AMPol aims to address this deployment problem. This will enable a variety of new strategies including some intriguing ways to thwart spammers and ways to process email with knowledge of its purpose.
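The advertise-then-adapt idea above, as an added illustration that is not AMPol's own code or format: the recipient publishes its acceptance criteria, the sender's client reads them before sending and adjusts the message, and the inbox applies the same criteria on arrival. The policy layout, the sample message and the HMAC-based stand-in for a digital signature are all constructed for this example.

```python
import hashlib
import hmac
import json

# Policy a recipient's inbox advertises (layout constructed for this example).
ADVERTISED_POLICY = {
    "max_size_bytes": 4096,
    "allowed_attachment_types": ["pdf", "txt"],
    "require_signature_from": ["bank.example"],
}
# Constructed shared key standing in for the company's real signing credential.
SIGNING_KEY = b"constructed-demo-key"
# Constructed message: carries a disallowed .exe attachment and no signature yet.
CONSTRUCTED_MESSAGE = {
    "from": "statements@bank.example",
    "body": "Your monthly statement is attached.",
    "attachments": [{"name": "statement.pdf", "data": "JVBERi0..."},
                    {"name": "viewer.exe", "data": "TVqQAAMA..."}],
}

def sign(body: str, key: bytes = SIGNING_KEY) -> str:
    """HMAC-SHA256 stands in for a real digital signature in this example."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower()
def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def inbox_accepts(msg: dict, policy: dict) -> bool:
    """Recipient-side filter: the criteria the inbox applies on arrival."""
    if len(json.dumps(msg).encode()) > policy["max_size_bytes"]:
        return False
    if any(_ext(a["name"]) not in policy["allowed_attachment_types"]
           for a in msg.get("attachments", [])):
        return False
    if _domain(msg["from"]) in policy["require_signature_from"]:
        return hmac.compare_digest(msg.get("signature", ""), sign(msg["body"]))
    return True

def adapt_message(msg: dict, policy: dict) -> dict:
    """Sender side: read the advertised policy before sending and adapt to it,
    dropping disallowed attachments and signing when the recipient demands it."""
    out = dict(msg)
    out["attachments"] = [a for a in msg.get("attachments", [])
                          if _ext(a["name"]) in policy["allowed_attachment_types"]]
    if _domain(out["from"]) in policy["require_signature_from"]:
        out["signature"] = sign(out["body"])
    if len(json.dumps(out).encode()) > policy["max_size_bytes"]:
        raise ValueError("message cannot be adapted to fit the size limit")
    return out
```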
The puzzle solution - making the spammer pay
Why don't we receive so much spam in our physical mailboxes? The simple answer is that it is not cost effective to the spammer. So can you make someone pay to send you email, for instance with digital postage stamps? Yes, but if we charged everyone, say, a penny per email, who would control the money? One technological solution is to require that emails be paid for in CPU cycles, via something called a puzzle solution. The idea is this: "If I don't know you and you want to send me an email, you must prove to me that you've expended a certain amount of effort in sending me this particular message." The effort in this case is the solving of a puzzle posed by the potential recipient. Some puzzle approaches require the sender to prove that a human is in the loop while others require the sender to use cycles on his computer. Gunter is looking at advanced systems for dynamic deployment to make such puzzles easy to use for ordinary users while being costly for spammers.
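A CPU-cycle puzzle of the kind described above, written here as an added example rather than any system of Gunter's: the recipient issues a random challenge, the sender must find a nonce that makes a hash of challenge, message and nonce start with a chosen number of zero bits, and the recipient checks the answer with a single hash. Binding the hash to the message text is what makes the effort count for "this particular message"; the difficulty, challenge size and sample message are constructed choices.

```python
import hashlib
import os

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a hash digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def issue_challenge() -> bytes:
    """Recipient side: a fresh random challenge, so a solution cannot be reused
    with a different recipient or a later message."""
    return os.urandom(16)

def puzzle_hash(challenge: bytes, message: bytes, nonce: int) -> bytes:
    # Hashing the message text in means the work is spent on this message only;
    # changing a single byte of it invalidates the solution.
    return hashlib.sha256(challenge + message + nonce.to_bytes(8, "big")).digest()

def solve_puzzle(challenge: bytes, message: bytes, difficulty: int):
    """Sender side: search for a nonce giving `difficulty` leading zero bits.
    Returns (nonce, hashes_tried); the expected cost doubles with each bit."""
    nonce = 0
    while leading_zero_bits(puzzle_hash(challenge, message, nonce)) < difficulty:
        nonce += 1
    return nonce, nonce + 1

def verify_solution(challenge: bytes, message: bytes, nonce: int, difficulty: int) -> bool:
    """Recipient side: one hash to check, however hard the puzzle was to solve.
    That asymmetry is what makes the scheme cheap for the recipient."""
    return leading_zero_bits(puzzle_hash(challenge, message, nonce)) >= difficulty

def demo(difficulty: int = 12) -> dict:
    """End-to-end exchange on a constructed message."""
    challenge = issue_challenge()
    message = b"Subject: hello\n\nMay I send you mail?"
    nonce, tried = solve_puzzle(challenge, message, difficulty)
    return {"accepted": verify_solution(challenge, message, nonce, difficulty),
            "hashes_tried": tried,
            "reused_on_other_message": verify_solution(
                challenge, message + b"!", nonce, difficulty)}
```

A sender needs on the order of 2**difficulty hashes per message, so a mass mailer pays that many times over while a person sending one note barely notices.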
Semantic Email - Making your email do more work
Semantic implies meaning, and semantic email is loosely based on the notion of the semantic web. For example, a web page might contain a price list for a set of dishes. The bowl is listed for $7, which is easy for a human to understand. All a machine would understand is that on the page the word "bowl" appears somewhere near the word "$7." Without a semantic structure, a software agent can't know that the two are associated with each other, let alone that "bowl" is the item and "$7" is the price. If a semantic structure were in place, a machine could figure out the relationship. This notion can be extended to email.
Gunter is exploring email messaging formats that are more semantically understandable to processing units, whereby the email itself becomes more like a form with buttons to press rather than a bunch of flat text messages. With the exception of generic header fields associated with an email message, a message itself typically does not contain semantic features. The idea behind semantic email is to give meaning to the content in a way that is understandable to a software tool. In a sense, semantic email is a deliberate transformation of the content of the email message into a machine-readable form that can be used for automated information gathering.
For example, in a typical centralized management system of an office, an employee may want to purchase an item. One way to do this is to send an email to his supervisor asking permission to buy the item. The supervisor replies that, yes, it's okay. This information is then forwarded to the business office, perhaps in another email, and the order is placed. This process is routine and tedious. Wouldn't it be nice if the original requesting email simply had an Approve and Disapprove button? The supervisor could click on the Approve button and the order automatically gets sent to the business office, triggering the order.
LocFlow - Location Flow - Making sense of where things are
Gunter described a future in which we will have the ability to do fine-grain tracking of objects and people, especially inside buildings. Even now, a cell phone can give a rough approximation of where it is. We can see where people are using wireless devices or conducting transactions by card swipe. Radio-frequency identification (RFID) tags are becoming more common. How are we going to use these technologies to improve efficiency in the workplace, and how do we manage personal privacy issues?
Computer tracking can be used to observe the workflow in a building by monitoring tagged objects and people. In a hospital scenario, location flow tracking can be used to see when a particular patient, nurse, and piece of medical equipment are in the same room. How can this information be used? You'd like to structure rules into the system and look at higher level events. For instance, you can see that Fred brought a respirator out of the supply room and into the hallway. This is a low level event that really doesn't tell you much. What you'd like to know, in addition, is: Is it okay for Fred to do this? "You'd like to take an abstraction of activity in a building and use it to monitor workflow. The topic to look at then is how you're going to use this to improve efficiency in the workplace," said Gunter. "We need to take a double-pronged approach: One is to advance the technology for tracking, and the other is to control how it is used."
The notion of using tracking to allow people to find you is being explored in the Siebel Center, home of the computer science department, which is equipped with sensors throughout: some detect motion, some are activated by card swipe. A professor may want his or her graduate students to know where they are (or not). "We need to come up with ways to control the technology so that people can regulate the ways in which they're monitored to their benefit. The name of the game is to understand the balance between knowledge and privacy."
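The "abstraction of activity" step in the hospital scenario above, as an added example that is not LocFlow's own code: raw tag sightings are raised to higher-level events ("Fred carried respirator 7 from supply to hallway", "patient, staff and equipment are together in room 12"), and a rule is then checked against them. The sighting stream, tag names and the who-may-remove-equipment policy are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass(frozen=True)
class Sighting:
    t: int      # seconds since the start of the trace
    tag: str    # RFID tag or badge id
    kind: str   # "staff", "patient" or "equipment"
    room: str
# Constructed sample stream for the Fred / respirator scenario in the text.
SIGHTINGS = [
    Sighting(0, "fred", "staff", "supply"), Sighting(0, "resp-7", "equipment", "supply"),
    Sighting(30, "fred", "staff", "hallway"), Sighting(30, "resp-7", "equipment", "hallway"),
    Sighting(90, "fred", "staff", "room-12"), Sighting(90, "resp-7", "equipment", "room-12"),
    Sighting(95, "pat-3", "patient", "room-12"),
]
# Hypothetical policy: badges allowed to take equipment out of the supply room.
MAY_REMOVE_FROM_SUPPLY = {"fred"}
NEEDED = {"staff", "patient", "equipment"}

def derive_events(sightings):
    """Abstract raw sightings into ('moved', t, staff, equipment, src, dst)
    and ('colocated', t, room) events: the higher-level view the text asks for."""
    kind = {s.tag: s.kind for s in sightings}
    last, reported, events = {}, set(), []
    by_time = defaultdict(list)
    for s in sightings:
        by_time[s.t].append(s)
    for t in sorted(by_time):
        group = by_time[t]
        # A tag "moved" if its previous room differs from where it is seen now.
        moves = {s.tag: (last[s.tag], s.room) for s in group
                 if s.tag in last and last[s.tag] != s.room}
        for tag, (src, dst) in moves.items():
            if kind[tag] == "equipment":
                # Staff who made the same src->dst hop at the same time carried it.
                for c, hop in moves.items():
                    if kind[c] == "staff" and hop == (src, dst):
                        events.append(("moved", t, c, tag, src, dst))
        for s in group:
            last[s.tag] = s.room
        for room in {s.room for s in group}:
            present = {kind[tag] for tag, r in last.items() if r == room}
            if NEEDED <= present and room not in reported:
                reported.add(room)
                events.append(("colocated", t, room))
    return events

def policy_violations(events, allowed=MAY_REMOVE_FROM_SUPPLY):
    """The 'is it okay for Fred to do this?' rule for equipment leaving supply."""
    return [e for e in events
            if e[0] == "moved" and e[4] == "supply" and e[2] not in allowed]
```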
Another way to track people is to track where and when they are using a wireless device. The wireless link inside a laptop computer can be used to track someone within 100 meters. The IBM Socializer is a commercial example of a wearable device that identifies people and makes them aware of each other in a self-defined social circle. The idea is that you can be notified when one of your buddies comes within a certain distance of you, provided they've allowed themselves to be found. Finding out which bar your friends have chosen to gather for happy hour is a useful application of this type of tracking. The use of E911 data, which allows the tracking of 911 calls made by cell phones, and telematics, which allows tracking of GPS units in cars, raise issues that pit safety against security. Location information can help an ambulance identify a clear route to the hospital, but it can also be used by a stalker or domestic abuser.
Contessa - Context Sensitive System Assurance - a Jujitsu approach against hackers
Contessa is a multi-institutional effort headed by computer science professor Jose Meseguer. This network security project can be broadly described as a system that adapts to where it is. Techniques to prevent denial of service attacks are one of the pieces that Gunter is working on, and they are related to his work with email in the sense that spam can be thought of as a high-level denial of service. "It is like someone talking while I'm talking so I can't be heard," he explained. "Or someone is silencing me with so much garbage I can't get any work done. In the same way, computers can be silenced if you make them work too hard."
A Web site can be brought to its knees simply by overloading the Web server with unwanted network traffic, thereby preventing legitimate users from getting in. One way to do this is to bombard a Web site's servers with fake packets of requests for information. This is a denial of service attack. Headlines were made in 2000 when major Internet sites like Buy.com, eBay, Amazon, Yahoo, E*Trade, and CNN were plagued with denial of service attacks in a flood of related cases perpetrated by hackers.
One solution Gunter proposes is to partition the network into different areas and require different security measures to get past area boundaries according to context. Another approach is based on probabilistic techniques, which Gunter refers to as "protocol Jujitsu." Jujitsu is a martial art in which a fighter turns the tables on his opponent, using the opponent's own force against him. "You must channel a stronger opponent's power into achieving your ends," he said. "There is often an asymmetry between you and them. The idea is to exploit the asymmetry against the adversary." For example, the valid user wants to perform an expensive operation occasionally, whereas an attacker wants to perform the expensive operation frequently. The attacker makes illegitimate requests for an operation so frequently that it overcomes your machine's ability to process them all. The idea is to limit when you are going to process these requests. For instance, if you flip a coin, half the time you'll do it, half the time you won't. The result will be that the attacker is going to have his hit rate reduced by 50 percent. For the valid user, when this happens, he might put in his request twice instead of once. The probabilities show that this results in a net decrease of wasted effort by the server under attack while adding little extra cost to senders.
Written by Judy Tolliver, November 14, 2005
--
Last Modified August 07 2006 08:56:43.