Publications


Bootstrapping and Maintaining Trust in the Cloud

Date:
December 5, 2016
Published in:
Proceedings of the 32nd Annual Computer Security Applications Conference, ACSAC 2016
Type:
Conference Paper

Summary

Today's infrastructure as a service (IaaS) cloud environments rely upon full trust in the provider to secure applications and data. In this paper we introduce Keylime, a scalable trusted cloud key management system. Keylime provides an end-to-end solution both for bootstrapping hardware-rooted cryptographic identities for IaaS nodes and for system integrity monitoring of those nodes via periodic attestation.

Leveraging Data Provenance to Enhance Cyber Resilience

Date:
November 3, 2016
Published in:
Proceedings of the 1st IEEE Cybersecurity Development Conference (SecDev'16), Boston, Mass.
Type:
Conference Paper

Summary

Creating bigger and better walls to keep adversaries out of our systems has been a failing strategy. The recent attacks against Target and Sony Pictures, to name a few, further emphasize this. Data provenance is a critical technology in building resilient systems that will allow systems to recover from attackers that manage to overcome the "hard-shell" defenses. In this paper, we provide background information on data provenance, along with details on provenance collection, analysis, and storage techniques and challenges.

Spyglass: Demand-Provisioned Linux Containers for Private Network Access

Date:
November 8, 2015
Published in:
Proceedings of the 29th Large Installation System Administration Conference (LISA15), Washington D.C.
Type:
Conference Paper

Summary

System administrators have super-user access to the low-level infrastructure of the systems and networks they maintain. Given the typical administrator's breadth of access to this infrastructure, administrators or the client devices they use are a prime target for compromise by a motivated adversary. In this paper, we describe Spyglass, a tool for managing, securing, and auditing administrator access to private or sensitive infrastructure networks by creating on-demand bastion hosts inside Linux containers.

Demand-Provisioned Linux Containers for Private Network Access

Date:
November 9, 2014
Published in:
Proceedings of the 28th Large Installation System Administration Conference (LISA14)
Type:
Abstract

Summary

System administrators often need remote access to restricted networks that are separated for security reasons. The most common solution to this problem is to use a virtual private network (VPN), but this exposes the restricted network directly to a potentially compromised client host. To mitigate this risk, we have created an architecture that supports self-service provisioning of non-persistent bastion containers that are unique to each user.
