Year 1: Research – Education – Outreach
Overview
John Mitchell and Janos Sztipanovits
TRUST, Berkeley Site Visit, April 26-28, 2006
Research Goals

Address pressing issues of the day
–
Why are computer systems vulnerable to attack?


–
How can we make systems more secure?

–
Medical applications? Manage energy and natural resources?
Deep and lasting scientific progress
–
–
–

In ways that are acceptable and desirable to their users?
What new problems of societal significance can be solved?


Will Internet fraud, worms, viruses … be with us forever?
Can malicious groups take down critical infrastructures?
Advance the science of computer security
Understand its intersection with system design
Recognize and utilize interdependence w/ other disciplines
Leverage the scale of the TRUST center effectively
–
Collaboration, education, develop career paths
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
2
Research Organization

Five research projects +
Web authentication and online identity theft
– Electronic medical records
– Sensor nets and embedded systems
– Trustworthy systems
– Network security and defenses
+ Education (managed through same process)
–

Each research project combines
–
–
–

Faculty and students from several (3-5) sites
Security, Systems and Software, Social Sciences
Education and outreach activities
Some activities contribute to several projects
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
3
TRUST Research Vision
Societal Challenges
Privacy
Computer and
Network Security
Critical
Infrastructure
TRUST will address
social, economic and
legal challenges
Integrative Efforts
Identity Theft
Project
Secure Networked
Embedded Systems
Electronic Medical
Records
Component Technologies
Software
Security
Trusted
Platforms
Network
Security
Complex Inter Dependency mod.
Secure Info Mgt.
Software Tools
Secure Network
Embedded Sys
Applied Crypto graphic Protocols
Model -based
Security Integration.
Secure Compo nent platforms
Year 1 Research Overview
Specific systems that
represent these social
challenges.
Details
have
changed
but spirit
of this
vision
remains
Econ., Public Pol. Soc.
Chall.
Forensic
and Privacy
Component technologies
that will provide solutions
HCI and
Security
TRUST, Berkeley Site Visit, April 26-28, 2006
4
Problem 1: Online Identity Theft

Password phishing
–
–

Password theft
–

Keyloggers steal passwords, product activation codes, etc.
Botnets
–

Criminals break into servers and steal password files
Spyware
–

Forged email and fake web sites steal passwords
Passwords used to withdraw money, degrade trust
Networks of compromised end-user machines spread SPAM, launch
attacks, collect and share stolen information
Magnitude
–
–
$$$ Hundreds of millions in direct loss per year
Significant Indirect loss in brand erosion


–
Loss of confidence in online transactions
Inconvenience of restoring credit rating, identity
Challenge for critical infrastructure protection
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
5
TRUST team





Stanford
–
D Boneh, J Mitchell, D Dill, M Rosenblum, Jennifer Granick (Law School)
–
A Bortz, N Chou, C Jackson, N Miyake, R Ledesma, B Ross, E Stinson, Y
Teraguchi, …
Berkeley
–
D Tygar, R Dhamija, ,,,
–
Deidre Mulligan (UC Berkeley Law), Erin Jones, Steve Maurer, …
CMU
–
A Perrig, D Song
–
B Parno, C Kuo
Partners and collaborators
–
US Secret Service, DHS/SRI Id Theft Tech Council, RSA Securities, …
–
R Rodriguez, D Maughan, …
And growing …
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
6
TRUST ID Theft Team (+ more)
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
7
Phishing Attack
Sends email: “There is a problem
with your eBuy account”
Password sent
to bad guy
password?
User clicks on email link
to www.ebuj.com.
User thinks it is ebuy.com, enters
eBuy username and password.
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
8
SpoofGuard browser extension

SpoofGuard is added to IE tool bar
–
–
User configuration
Pop-up notification as method of last resort
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
9
Berkeley: Dynamic Security Skins


Automatically customize secure windows
Visual hashes
–
–
–
–
Random Art - visual hash algorithm
Generate unique abstract image for each
authentication
Use the image to “skin” windows or web content
Browser generated or server generated
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
10
CMU Phoolproof prevention



Eliminates reliance on perfect user behavior
Protects against keyloggers, spyware.
Uses a trusted mobile device to perform
mutual authentication with the server
password?
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
11
Tech Transfer

SpoofGuard
–
–

Some SpoofGuard heuristics now used in
eBay toolbar and Earthlink ScamBlocker.
Very effective against basic phishing attacks.
PwdHash
–
Collaboration with RSA Security to implement PwdHash on
one-time RSA SecurID passwords.



New browser extensions for privacy
–

RSA SecurID passwords vulnerable to online phishing
PwdHash helps strengthen SecurID passwords
SafeCache and SafeHistory
Client-side architecture for spyware resistance
–
SpyBlock: virtualization, browser extension, trusted agent
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
12
Botnets: detect and disable

Botnet - Collection of compromised hosts
–
–
Spread like worms and viruses
Platform for many attacks


Unique characteristic: “rallying”
–
–

Spam forwarding, Keystroke logging , denial of service attacks
Bots spread like worms and trojans
Centralized control of botnet is characteristic feature
Current efforts
–
–
Spyware project with Stanford Law School
CMU botnet detection

–
Stanford host-based bot detection

–
Based on methods that bots use to hide themselves
Taint analysis, comparing network buffer and syscall args
Botnet and spyware survival

Spyblock: virtualization and containment of pwd
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
13
Research Spotlight
Lisa
Schwartz
Stanford
Cyberlaw Clinic
Spyware
Litigation
Project
Henry
Huang
Law, CS faculty,
Law students,
Many CS grad,
undergrad
students
Jennifer Granick
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
14
Cyberlaw Clinic: PacerD

Backdoor Trojan spyware
–
–

Users’ computers transformed
into “marketing machines”
–

–
CS team creates videos depicting
PacerD installation, …, removal
Rootkits detected inside PacerD
Dec. ’05 – Feb. ‘06
–

CS team sets up testing environment
Nov. ’05
–

Seychelles P.O. box, Seattle
voice mail number, Russian ISPs
Oct. ’05
–

Up to 7 pop-ups/minute, …
Who is behind PacerD?
–

distributed via misleading pop-up
installed even if user clicked the
pop-up’s “close” button
Cyberlaw Clinic drafts lawsuit
Spyware bundle will install unless
user takes complex or difficult action
“Pyramid of
Deception”
CPM Media
KVM Media
PacerD
March – April ‘06
–
–
Over 300 PacerD victims contacted
Litigation plan being developed
Year 1 Research Overview
Exfol
TRUST, Berkeley Site Visit, April 26-28, 2006
15
Cyberlaw Clinic: Enternet

Enternet Media (EM)
–

Internet ad firm in CA
EliteBar a.k.a. Elite Toolbar
–
–
–
–
distributed through websites
no notice of installation
prevents uninstallation
collects personal information

EULA: unconscionable terms

Enternet hides EULA and
uninstaller:
Gov’t Suits Against Enternet

FTC filed against Enternet 11/4/05
–
–

City of L.A. also sued Enternet
–

Uninstaller purposely fails to
remove EliteBar
Year 1 Research Overview

injunction froze assets
stopping distribution of EliteBar
alleging unfair competition, deception
Criminal charges: In LA, March 2006
–
Incl false advertising, consumer fraud
TRUST, Berkeley Site Visit, April 26-28, 2006
16
ID Theft: Future challenges

Criminals become increasingly sophisticated
–

Increasing interest at server side
–

Basic science can be applied to solve problem: challengeresponse, two-factor auth, …
Social awareness, legal issues, and human factors
–

Protect assets from crimeware
Need improved web authentication
–

Losses are significant
Need improved platform security
–

“In 25 years of law enforcement, this is the closest thing I’ve
seen to the perfect crime” – Don Wilborn
Studies with Law Clinics; user studies, how are users fooled?
Technology transfer
–
More free software, RSA Security, …
Multi-campus project developing technology, evaluation, social impact
Project meetings this spring. Public workshop at Stanford in June.
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
17
Problem 2: Healthcare Information

Rise in mature population
–
–
–

New types of technology
–
–
–

Electronic Patient Records
Telemedicine
Remote Patient Monitoring
Table compiled by the U.S. Administration on
Aging based on data from the U.S. Census
Bureau.
2050
Empower patients:
–
–
–

Population of age 65 and older with
Medicare was 35 million for 2003 and
35.4 million for 2004
Access to own medical records
Control the information
Monitor access to medical data
Regulatory compliance
Percentage of Population over 60 years old
Global Average = 21%
United Nations ▪ “Population Aging ▪ 2002”
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
18
Privacy and regulatory issues

Health Insurance Portability and Accountability Act of 1996
(HIPAA)
–
HIPAA Privacy Rule (2003): gives US citizens


–
HIPAA Security Rule (2005): requires healthcare organizations to


Protect for person-identifiable health data that is in electronic format
Complexity of privacy
–
–

Right to access their medical records
Right to request amendments, accounting of disclosures, etc.
Variable levels of sensitivity; “sensitive” in the eye of multiple
beholders
No bright line between person-identifiable and “anonymous” data
Complexity of access rights and policies
–
–
Simple role-based access control is insufficient
Governing principles: “need-to-know” and “minimum disclosure”
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
19
Healthcare Information Access Roles
Community Support
Internal QA
External
accreditation
orgs
Primary care
Friends
Legally Authorized
Reps
Specialists
Ancillaries
Clinical
Trials
Sponsors
Immediate
Extended
Family
Family
Patient
Admin.
Provider
Staff
Claims
Fraud DetectionProcessors
Payer
Subcontractors
Public Health
Society
State Licensure
Boards
Clearinghouses
Medical
Information
Bureau
Insurers
Business
Consultants
Year 1 Research Overview
Law
Enforcement
Bioterrorism
Detection
National
Security
From: Dan Masys:
“The nature of biomedical data”
TRUST, Berkeley Site Visit, April 26-28, 2006
20
TRUST and MyHealth Teams (Faculty)

Vanderbilt
–

Stanford
–

–
M Reiter, D Song
Cornell
–

R Bajcsy, S Sastry, M Eklund
Deidre Mulligan (UC Berkeley Law)
CMU
–

J Mitchell, H Garcia-Molina, R Motwani
Berkeley
–

J Sztipanovits, G Karsai, A Ledeczi
J Gehrke, S Wicker, F Schneider
VU Medical Center Collaborators
–
D Masys, M Frisse, D Giuse, J Jirjis, M Johnson, N Lorenzi,
D Mays,
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
21
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
22
Patient Portal Project


Vanderbilt MyHealth Patient Portal
– Enrolled 8000 patients and grows at the rate of over 1000 new
enrollees per month
– Secure messaging, access to medical records, appointments
Include real-time monitoring of
congestive heart failure patients
– Heterogeneous sensor
network for monitoring
–

Data integrated into
[email protected]
Berkeley ITALH Testbed:
seniors in Sonoma
– Stationary sensors:
Motion detectors,
Camera systems
– Wearable sensor:
Fall sensors,
Heart rate or pulse monitors
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
23
Technical Challenges (1/2)

Access Control
Unique problems:
–
–
–

Policy languages
Policy validation
Distributed policy enforcement
Data Privacy
Unique problems:
–
–
–
–
–
Learning from data while keeping individual data private
Publishing data without possibility to link back to individuals
Information flow through data access: “leaking secret data”
Incorporating background knowledge
Interaction between privacy and policy languages
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
24
Technical Challenges (2/2)

Distributed trust management
Unique problems:
–

Information architecture modeling and analysis
Unique problems:
–
–
–

Technical and organizational heterogeneity
Major role of legacy systems
Scale and complexity
Benchmarking
–
–

Maintaining trust across multiple players with conflicting
interests and policies
Creation of synthetic patient data
Real-life patient data
Societal Impact of Patient Portals
–
What privacy policy would make patients comfortable with
contributing data to research study?
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
25
Approaches

What solutions are possible? Some examples:
–
–
–
–
–

Policy languages (Stanford)
Data privacy (Cornell, Stanford)
Information architecture modeling and analysis
(VU, Berkeley)
Distributed trust management (Cornell, Stanford)
Societal impact (Berkeley)
Use MyHealth (VU) as demo system
–
Put TRUST research thrusts in MyHealth contexts
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
26
Initial Steps

Discussions with VU Medical Center in September, 2005
–
–

Design Workshop for Integrative Project on Patient Portals
–
–

December 16, 2005 at Vanderbilt Center for Better Health
(http://dbmi.mc.vanderbilt.edu/trust/#Output)
Identified two project candidates and a joint White Paper topic.
Detailed project planning between TRUST and VU MyHealth
–

Prof. Bill Stead, Director, Informatics Center
Prof. Dan Masys, Chair, Department of Biomedical Informatics
We have a joint memo of collaboration management structure and
research agenda for the next year
Workshop on Trust and Privacy in Electronic Medical Records
–
April 28th at Berkeley
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
27
Meeting at Vanderbilt
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
28
Milestones (Year 1)

Policy languages
–

Data Privacy
–

–

Assemble sample medical database for evaluating privacy
mechanisms, other mechanisms
Information architecture modeling and analysis
–

HIPAA policy representation and validation
Modeling aspects and language specifications
MyHealth architecture modeling and analysis methods
Distributed trust management
Societal impact
–
–
Organizational impacts, changes in the decision processes
Unintended consequences study
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
29
Research Spotlight
Mike Eklund
Berkeley
ITALH Testbed
Electronic
Medical
Record
Project
EECS Faculty,
Grad, Undergrad,
and SUPERB
students
Year 1 Research Overview
Ruzena Bajcsy
Tanya Roosta
Marci Meingast
Edgar Lobotan
Shankar Sastry
Adeeti Ullal
Rustom Dessai
Willy Cheung
Albert Chang
TRUST, Berkeley Site Visit, April 26-28, 2006
30
Berkeley ITALH Testbed

Biomedical sensor systems
–
–

–
Terminal, WLAN
Internet
and/or
telephone
Mobile Phone
Fall Detector
Integrated
Camera
RS-232
E.g. Bluetooth
Sender
Berkeley
Mote
RS-232
Berkeley
Motes
Berkeley
Mote
Sensors
Potential very useful
Currently ad-hoc and manually
performed
Home Health
System
Zigbee
ITALH/EMR Development
Development and testing of fall
sensor system joint with Tampere,
Finland and Aarhus, Denmark
Use Berkeley Motes,
Fall sensors with
accelerometers
Commitment from Telecon Italia
Evaluation of EMR system for
integration in Sonoma
Apr – May ‘06
–

E.g. Bluetooth
Sender
Mobile Gateway
Hospital
Mar – Apr ‘06
–
–

Sensors
Oct ’05 – Mar ’06
–

Access Control
Privacy
Data Aggregation
Security
Storage in medical record
–

ITALH
System
Can monitor for acute and
chronic conditions and
emergency events
Can be kept locally or
transmitted to healthcare
professional and EMRs
Preparation of lab for experimentation
and EMR integration
Jun – Jul ‘06
–
SUPERB program focus
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
31
Berkeley ITALH Testbed

–
–
–

Daily Activity
Identification:
Sitting, standing,
walking
Initial Focus: Fall Detection
Falls are the leading cause of
fatal and nonfatal injuries to
older people in the U.S.
Each year, more than 11 million
people over 65 fall – one of
every three senior citizens
Treatment of the injuries and
complications associated with
these falls costs the U.S. over 20
billion annually
Secondary Foci:
–
–
–

The devices reveal significant
information about the user
This provides significant
additional opportunities for
health monitoring
It also creates a potential threat
to the users privacy
Year 1 Research Overview
Requirements of such a system:
–
–
–
Privacy of data and user
activity, location, etc
Accuracy and robustness
Interoperability as it will form
only one component of a
broader system
TRUST, Berkeley Site Visit, April 26-28, 2006
32
Berkeley ITALH Testbed

Being able to measure and
analyze a patients activity,
enables:
–
Accurate feedback for at home
treatment,

–


e.g. osteoporosis, where a
clear negative correlation has
been shown between activity
level and bone density loss
–
–
Rapid and automated response
to critical and emergency
situations
Data acquisition is at least
semi-autonomous
The data can be guaranteed to
be accurate
The system is secure
Year 1 Research Overview
–
–
This benefit can only be had on
a societal scale if such devices
can be integrated in the EMR
systems, so that:
–
Protocols and policies must be
established for the inclusion of
automated data collection
A test system is being
developed to integrate the
ITALH testbed with an open
source EMR system
This will be integrated with the
Vanderbilty myHealth system
following initial development
ITALH/EMR Development
Target
implementation
Development
and testing
TRUST, Berkeley Site Visit, April 26-28, 2006
33
Summary




Excellent integrative project candidate
Strong interest inside TRUST and in the
medical community
We have teamed up with VUMC, which has
the strongest research program and
operational testbed
Rapid start-up
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
34
Problem 3: Embedded Secure Sensor
Networks

TRUST is engaged in the development of
embedded secure sensor networks
–
Integrated center R&D at all levels





Sensor Technology
Networks
Applications
Policy/Legal Issues
Activity at all TRUST sites + collaborators
–
Oak Ridge National Laboratory, …
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
35
Societal Relevance



Health Care
Urban Infrastructure
Utilities
–
–

Search and Rescue
–

Disaster response
Heavy Industry Process Control
–
–

Energy production and transport (e.g. SCADA)
Energy utilization monitoring in homes
Oil refineries, chemical, etc.
Chevron is an interested player
Border Control and Monitoring
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
36
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
37
Sensor Technology - The Mote
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
38
Sensor Technology Example:
Sensors for Bio-Defense

Bi-layer lipid membrane
used to create designer biosensors
–



When target analyte binds
to protein, ion channel
conductivity increases.
Currently considering use in
water supply protection.
Sensor performance
statistics used to define
networking requirements.
Outside Player: NY Dept of
Health/ Wadsworth
Laboratories
Year 1 Research Overview
Ion channe
l
cis c om par tm ent
li pid
bil ayer
trans c om par tm ent
m e ta l li c g a te
TRUST, Berkeley Site Visit, April 26-28, 2006
39
Sensor Platform Technologies

CU Asynchronous
Processor
–

Clockless logic
–
–

Event-driven execution is
ideal for sensor platforms
Spurious signal
transitions (wasted
power) eliminated
Hardware only active if it
is used for the
computation
MIPS: highperformance
–
24pJ/ins and 28 MIPS @
0.6V
Year 1 Research Overview
Processor
Bus
Year
E/op
Ops/sec
Atmel
8
200?
1-4 nJ
4 MIPS
StrongARM
32
200?
1.9 nJ
130 MIPS
MiniMIPS
32
1998
2.3 nJ*
22 MIPS
Amulet3i
32
2000
1.6 nJ*
80 MIPS
80C51 (P)
8
1998
1 nJ**
4 MIPS
Lutonium
8
2003
43 pJ
4 MIPS
SNAP
16
2003
24 pJ
28 MIPS
TRUST, Berkeley Site Visit, April 26-28, 2006
40
Designer OS for Sensor Networks

Tiny OS
–
–
–
–
MagnetOS
Rewriter

MagnetOS: Provide a unifying singlesystem image abstraction
–
–
–
Year 1 Research Overview
Large, active open source community:
500 research groups worldwide
OEP for DARPA Network Embedded Systems
Technology
Thousands of active implementations - the
world’s largest (distributed)sensor testbed
The entire network looks like a single Java
virtual machine
MagnetOS performs automatic partitioning
 Converts applications into distributed
components that communicate over a
network
MagnetOS provides transparent component
migration
 Moves application components within the
network to improve performance metrics
TRUST, Berkeley Site Visit, April 26-28, 2006
41
Sextant: Node Localization

Use of large numbers of randomly distributed nodes
creates need to discover geographic location
–

Set up a set of geographic constraints and solve it in
a distributed fashion
–
–

GPS is bulky, expensive, power-hungry
Aggressively extract constraints
Use just a few landmarks (e.g. GPS nodes) to anchor the
constraints
Can determine node location with good accuracy,
without GPS or other dedicated hardware
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
42
SHARP: Hybrid Routing Protocol

Two extremes in routing
–
–


Neither are optimal for dynamic sensor
networks
SHARP adaptively finds the balance point
between reactive and proactive routing
–
–
Year 1 Research Overview
Proactive: disseminate routes regardless of
need
Reactive: discover routes when necessary
Enables multiple nodes in the network to
optimize the routing layer for different
metrics
Outperforms purely reactive and proactive
approaches across a range of network
conditions
TRUST, Berkeley Site Visit, April 26-28, 2006
43
Securing the Sensor Network
Security issues
–
Develop Taxonomy of Attacks


–
Characterizing Worst-Case Results

–
Statistical learning proposed as a means for determining what can be
inferred from data
Evaluate privacy concerns


Attacks with and without defined defenses
Generic basis on which to evaluate new networks
Ties into privacy road map
Security thrusts
–
Secure building blocks




–
–
–
–
–
–
Secure key distribution
Secure node-to-node and broadcast communication
Secure routing
Secure information aggregation
Real-time aspects and security
Secure middleware
Secure information processing
Sensing biometrics
Sensor database processing
Internet-scale sensor networks
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
44
Application Projects (Examples)

Patient Monitoring
–
–

Museum Project
–

Expressive AI projects using sensors to monitor
patrons at public demonstrations
Home Sensor Network Development
–
–

Remote monitoring of cardiac patients
See Vanderbilt/Cornell/Berkeley poster
Energy monitoring beyond metering
Opportunities for local information fusion
LA Water Supply Protection
–
BioSensors + Networking + Civil Infrastructure
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
45
Research Spotlight
Yuan Xue
ISIS-VU
TRUST-ORNL
TuFNet
Federated
Sensor
Networks
Project
Akos
Ledeczi
ISIS-VU
TRUST researchers,
graduate students,
ORNL
researchers
ORNL
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
46
Dirty Bomb Detection
Demo in VU Stadium April 20, 06
Outside the window
Jumbotron/Screen: Tracking info inside Google Earth
Jumbotron: automatic camera feed
Year 1 Research Overview
 Security is guard walking around the stadium with a cell-phone
connected radiation detector and an XSM mote.
 His position is continuously tracked using a radio interferometric
technique running on the motes.
 A camera automatically tracks his position using the geolocation
info from the mote network.
 When the radiation level crosses a threshold the detector sends
an alarm and the camera zooms in on the position.
TRUST, Berkeley Site Visit, April 26-28, 2006
47
System Vulnerabilities
Sensor network vulnerabilities
Tracking service
and
user interface
Mote network
Rad detector,
mobile phone
mote
Nextel/
Internet
Rad level servlet
and camera glue
code
Internet
VGA to NTSC
adapter
Camera control
node (Linux)
Jumbotron
controller
• Packet dropping
• Mis-forwarding
• ID spoofing
• Forging routing
Information
• Disclosing/modifying
/replaying tracking results
Network
• MAC DoS
• Eavesdropping
Traditional network/system vulnerabilities
• Denial of Service Attack
• Information disclosing/modification/replaying
• Address Spoofing
• etc..
Year 1 Research Overview
• Bogus tracking results
• Tracking command
Spoofing
• Battery consumption
attack Application/Service
Mac/Link
• Jamming
TRUST, Berkeley Site Visit, April 26-28, 2006
Physical
48
Security Support Implemented


Security Support Overview
–

Jamming Attack
Ranging and Tracking using Multiple
Frequencies
Group-based Peer Authentication
–

–
–


Bogus Tracking Result
Majority-based Voting to Filtering
outrange result
Peer Authentication among Sensors




–
–

False Tracking Command
Injection of Tracking Result from
Spoofed Sensors
Peer Authentication among Sensors
Year 1 Research Overview
–


Objective
Provide efficient, effective, and flexible peer sensor
authentication
Solution
Symmetric-key based (SkipJack in TinySec)
Each sensor node has a different set of keys
through a pre-key distribution scheme
Multiple MACs are generated for each message
from a sensor node
MACs are verified at the receiver sensor using its
common keys with the sender
Results
computation: 5.3 ms;
verification: 2.5 ms (2 common keys), 1.3~1.4ms
(1 shared key), < 0.1 (no keys in common)
TRUST, Berkeley Site Visit, April 26-28, 2006
49
Privacy Issues


Policy instruments often lag technology development
Proposed development of Privacy Road Map that will
frontload policy development
–
–
–

Map sensor capabilities and network mission into deployment
and data use rules
Key near-term: RFIDs, broad-based visual surveillance
Raises issue of impact of network configuration and
heterogeneity on road map
Approach: Extend fair information practices to cover
sensor nets at regulatory or legislative level
–
Consent enablement is an important issue
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
50
Economic Issues

Consider standards for transactions between
sensor network owners/operators
–

Open platforms enhance markets, range of
products, efficiency
–

market creation, bargaining, trading rules for
passing data, avoiding monopolies
Software for computers vs. software for cell
phones
Significant literature on economic costs of
privacy decision making
–
Cost of inadvertent disclosure
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
51
Further Development


Integrate cross-cutting security, privacy, and
economic issues into ongoing project
development.
Try to stay as generic as possible, while
developing technology/policy amenable to
evaluation.
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
52
Problem 4: Trustworthy Systems

Important problems in the public eye
–
Why are computer systems vulnerable to attack?

–
How can we make systems more secure?


Many security vulnerabilities are software bugs
Better human factors, security science and engineering practices
Four core areas
–
Robust software

–
Security policy

–
What actions should be allowed? How to express, enforce policy?
Platform integrity

–
Including: static, dynamic analysis methods for detecting vulnerabilities
Including: hardware attestation, software-based isolation, virtualization
Intrusion-tolerant systems

System architectures and implementation techniques so that systems
will resist and survive attacks
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
53
Subarea 1. Robust software

Computer attacks are serious problem
–
–

Scripts for exploiting known vulnerabilities
Techniques and tools for creating new exploits
Many possible targets
–
–
Widely used UNIX programs: sendmail, BIND, etc.
Various server-type programs



–
ftp, http
pop, imap
irc, whois, finger
(Web server and file transfer)
(Email server)
(Other applications, services)
Mail clients (overrun filenames for attachments)


Netscape mail (7/1998)
MS Outlook mail (11/1998)
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
54
Research Spotlight

Monica
Lam
Automated
Software
Analsys
Find errors that
can lead to
vulnerabilities
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
55
Static Analysis

D. Wagner - Detection of Buffer
Overrun Vulnerabilities
–
–
–
Integer range analysis problem
Sendmail: 4 bugs/44 warnings
Features necessary to achieve
better precision



Flow sensitivity
Pointer analysis
M. Lam – Combine and
improve previous results
–
–
–
–
Interprocedural methods
Strategically leverage more
precise aliasing analysis
Standard architecture for
combining methods
Today: B Livshits poster
Year 1 Research Overview

A. Aiken - Format String
Vulnerabilities Type Qualifiers
–
–
“Tainted” annotations, requires
some, infers the rest
Features necessary to achieve
better precision
 Context sensitivity

Field sensitivity
Program
IP
SSA Data flow
easy to
write tools
Can add
new
analyses
Buffer
overruns
Format
violations
NULL
deref’s
Error
traces
…others…
TRUST, Berkeley Site Visit, April 26-28, 2006
56
Example: Tainting Violation in muh
muh.c:839
0838
0839
0840
0841
0842
0843
0844
0845
s = ( char * )malloc( 1024 );
while( fgets( s, 1023, messagelog ) ) {
if( s[ strlen( s ) - 1 ] == '\n' ) s[ strlen( s )...
irc_notice( &c_client, status.nickname, s );
}
FREESTRING( s );
irc_notice( &c_client, status.nickname, CLNT_MSGLOGEND );
irc.c:263
257 void irc_notice(connection_type *connection, char nickname[], char *format,
... )
258 {
259
va_list va;
260
char buffer[ BUFFERSIZE ];
261
262
va_start( va, format );
263
vsnprintf( buffer, BUFFERSIZE - 10, format, va );
264
va_end( va );
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
57
Example: Buffer Overrun in gzip
gzip.c:593
0589
0590
0591
0592
0593
gzip.c:716
0704 local void treat_file(iname)
0705
char *iname;
0706 {
0716
gzip.c:1009
if (to_stdout && !test && !list && (!decompress || ...
SET_BINARY_MODE(fileno(stdout));
}
while (optind < argc) {
treat_file(argv[optind++]);
...
if (get_istat(iname, &istat) != OK) return;
0997 local int get_istat(iname, sbuf)
0998
char *iname;
0999
struct stat *sbuf;
1000 {
...
1009
Need to have a
model of strcpy
strcpy(ifname, iname);
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
58
Sample Experimental Results

Monica Lam study: 7 server-type programs
Program Total
Buffer
Format
False
Number
name
number of overruns string
positives of
warnings
violations
sources
lhttpd
bftpd
trollftpd
man
cfingerd
muh
gzip
1
2
1
1
1
1
1
Program Version #
lhttp
bftpd
trollftpd
man
cfingerd
muh
gzip
0.1
1.0.11
1.26
1.5h1
1.4.3
2.05d
1.2.4
1
1
1
1
20 (w/o preds)
1
1
1
1
LOC
888
2,946
3,584
4,139
5,094
5,695
8,162
Year 1 Research Overview
Procedures
21
47
48
83
66
95
93
Number Definitions Proce
Tool's
of
spanned dures
runtime
sinks
spanned sec
4
5
4
3
4
3
3
1
2
1
1
1
1
1
7
5,7
23
6
10
7
7
4
1,3
5
4
4
3
5
7.08
2.34
8.52
9.67
7.44
7.52
2.03
Other studies (Engler, Wagner, etc.) achieve
similar results for other kinds of errors
Significant bugs found using automated tools
TRUST challenge: compare and combine
methods developed by different campuses
TRUST, Berkeley Site Visit, April 26-28, 2006
59
Larger Picture

Goal: New techniques for improving the security of our software
–
Many complementary approaches:

–
Many exciting uses:


Static analysis of source code; Dynamic analysis with symbolic execution; Taint
and information flow tracking; Inline reference monitors; Proof-carrying code;
Logical decision procedures; Semantics and foundations of programming
languages
Detection of security bugs; Automatic generation of signatures for intrusion
detection or virus scanning; Verification of security properties
TRUST Collaboration
–
–
Many cross-institution collaborations underway / recently initiated
Challenge applications to demonstrate our methods:



–
Hardening the security of open source software
Protect network services/servers against data-driven remote attacks
Improving the quality of electronic voting software
Shared benchmarks:




Apache (including core, plug-ins, PHP scripts, …)
TCP/IP stacks
Network servers?
One or two key industrial applications?
(Productivity software? Medical? E-commerce? Internet services?)
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
60
Partner: Coverity, Inc
Stanford, Symantec, Coverity, DHS
Open Source Software Quality Project
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
61
Subarea 2. Security policy

Access policy
–
–

How to express, enforce policy?
Policy lifecycle management (debugger, etc)
Enforcement
–
Control access and propagation


–
E.g., Java stack inspection
What code to trust?
How to enforce end-to-end policy?


e.g., information I cannot be transmitted to output O
Access control mechanisms are necessary, access
control policies are insufficient
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
62
Enforcing language-based security

Programs are
annotated with
security policies

Compiler checks,
possibly transforms
program to ensure
that all executions
obey rules

Loader, run-time
system validates
program policy
against system
policies
Year 1 Research Overview
Source Code Policy
Target Code
?
Policy
System
Policy
Executable code
TRUST, Berkeley Site Visit, April 26-28, 2006
63
Subarea 3. Platform integrity

Trusted platforms and attestation
–
–

“Trusted platforms” refers to platforms in which the running
software has been authenticated as having desirable
attributes
“Attestation” refers to authenticating the software running on
a node remotely
Example projects
–
–
–
–
–
Nexus OS implementing new trustworthy computing
abstractions (Cornell)
Privacy-preserving attestation (Stanford)
TERRA attestation of full virtual machines (Stanford)
Software attestation (CMU)
Trusted user input/output (CMU, Stanford)
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
64
Subarea 4. Intrusion-tolerant systems

Sample direction: distributed trust
–

Implement services in a distributed fashion so that no one
component is trusted
Example projects
–
In P2P systems that mask node misbehaviors (Cornell)



–
–
–
–
–
Prevents injecting a name into CODONS (a DNS replacement)
Prevents injecting a page into Cobweb (Akamai-like web cache)
Prevents injecting bad info into Corona (news system for web)
In certificate authorities and single sign-on (Cornell)
In storage systems (Stanford, CMU)
Underlying protocols for service deployment, access (CMU)
Formal verification of distributed trust protocols (Cornell)
Implementing default-disconnect in LANs (Stanford)
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
65
Problem 5: Network Security

Networked applications are susceptible to attack
–
Develop secure methods for resisting network attacks


–

New applications raise new challenges, e.g. VoIP
Network infrastructure is susceptible to attack
–
–
–

Cryptography is powerful, but requires key management
Examples: SSL/TLS, VPN, key management for IPSEC
DoS, Virus and worm propagation flood network, blocks traffic
Authenticated access to wireless network
Isolation (traffic shaping, firewalls), Intrusion detection
Goals include:
–
–
–
Improve security of networks and applications that use them
Collaborate on next-generation networking
Improve educational resources on network security
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
66
Example True SCADA Scenarios

Port of Houston, 20 Sept 2001
–
–
–
–

Ohio's Davis-Besse nuclear power plant, offline, Jan 2003
–
–

>1 billion containers (2000), 6,400 ships (2002), $11 billion revenue (2002)
$15 billion petrochemical complex: largest in nation, second in the world
Web site disabled by denial of service attack
19 year old UK teenage member of a group called Allied Haxor Elite trying to get
back at a girl he met in a chatroom (Found not guilty)
Slammer worm penetrated a private computer network and disabled a safety
monitoring system for ~5 hours
Penetrated unsecured network of an unnamed Davis-Besse contractor, then
squirmed through a T1 line bridging that network and Davis-Besse's corporate
network
Northeast power outage, 50 million people, August 2003
–
MSBlaster worm crippled key detection systems and delayed response during a
critical time: “significantly worsened the effect of the outage”
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
67
General Network Threats

Worms/Viruses – Propagation

Hackers/Intruders – Infiltration

Compromised Machines – Botnets

Insider Threat – Exfiltration
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
68
Research Spotlight
Worm/DoS
Defense
One slice of
network security
research in
TRUST
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
69
Can We Build a “DOS Firewall”?
[Collins & Reiter]
Trained on
attack & normal
traffic
Trained on normal
traffic only
Year 1 Research Overview
Example of
the efficacy
of published
DoS filters
TRUST, Berkeley Site Visit, April 26-28, 2006
70
Egress Limiting for Worm Containment
[Wong, Studer, Bielski & Wang]
Detection: Large fan-out, increased failures, no DNS translations
Containment: Rate limiting
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
71
Internet Indirection Infrastructure (i3)
[Stoica]
data id
Sender
Receiver (R)
data R
id R

Use backup triggers on
other i3 nodes to
mitigate DoS attacks
trigger
id V
Victim (V)
Attacker
(A)
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
72
Ingress Rate Limiting w/ Client Puzzles
[Wang & Reiter]
Server
Adversary
Legitimate client

Designing puzzle mechanisms to defend against
–
–
Connection depletion attacks (TCP)
Bandwidth exhaustion attacks (IP)
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
73
PI Marking
[Yaar, Perrig, Song]

Queue-based marking
–

Marks can be used to filter …
–

Routers “push” marking into IP Identification field
Unaffected by source address spoofing
… or returned to source to use as a capability
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
74
Sting: Auto Worm Defense System
[Brumley, Newsome, Song]
!
Exploit
Detected!
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
75
TrafficComber
[Blum, Gibbons, Kissner, Song, Venkataraman]


Distributed high-speed network monitoring system
–
Efficiently detect new (global) traffic behavior
–
Accurately identify malicious IP addresses & attack patterns
Focuses & components
–
Streaming algorithms design


–
–
Fast memory-efficient algorithms for high-speed links
New streaming algorithms for superspreader detection
Machine learning, graph theory techniques

Traffic correlation & anomaly detection

Stepping-stone detection
Privacy-preserving information sharing

New cryptographic algorithms/protocols

Privacy-preserving set operations
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
76
Finding the Source of Worms
[Sekar, Xie, Maltz, Reiter, Zhang]
t1
B
t2
C
t4
t3
E
t5
D
t6
F
t7
H
G
Host contact graph
Host attack tree
Attack Reconstruction: identify communications
that carry attack forward
Attacker Identification: pinpoint attack source(s)
 Are these possibly feasible?
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
77
DETER (http://www.deterlab.net/)

Background
–
–

Lack of large-scale experimental infrastructure
Missing objective test data, traffic and metrics
Goals
–
Facilitate scientific experimentation



–
Establish baseline for validation of new approaches
Scientifically rigorous testing frameworks/methodologies
Attack scenarios/simulators, topology generators,
background traffic, monitoring/visualization tools
Provide an open safe platform for experimental
approaches that involve breaking the network

“Real systems, Real code, Real attacks!”
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
78
User
Internet
UCB Cluster
ISI Cluster
User
files
FW
FW
‘User’
Server
Backup
‘Boss’
Backup
‘User’
‘Boss’
Server
Node Serial
Line Server
Node Serial
Line Server
IPsec
Control Network
PC
PC
…
Cisco SW
Year 1 Research Overview
PC
Power
Cont’ler
Control
Network
Power
Cont’ler
PC
…
PC
IPsec
trunk
trunk
Foundry SW
TRUST, Berkeley Site Visit, April 26-28, 2006
79
Example DETER Topologies
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
80
DETER Testbed Status

201 nodes now available!
–

Experimental node OS:
–
–
–

Standard OS: RedHat Linux 7.3 or FreeBSD 4.9
New: Windows XP
Users can load arbitrary code, in fact
User has root access to all allocated nodes
–
–

Expect to double in 2006
Secure process replaces OS after each experiment
Adding support to scrub disks after experiments
Funded by NSF CISE and DHS HSARPA
–
Open to all researchers: gov’t, industrial, and academic
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
81
Network protocol analysis

Protocol analysis methods
–
–

Case studies
–
–
–

–
–

802.11i Wireless networking
IKE for IPSEC
VoIP – security additions to SIP
Work with standards organizations
–

Model checking, automated tools
Logical proof methods
IEEE: contributed to 802.11i standard
IETF/IEEE: 802.16e metro area networking
Wi-Fi Alliance: wireless access point registration
Education: course development, materials
Research challenges
–
–
–
Extend applicability of tools, improve usability
Fundamental science: protocol analysis and crypto
Clean slate network design: what are better designs?
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
82
Network Security

Huge field
–
–
Many challenges
Lots of different kinds of work


Outstanding opportunities
–
–
–

From network protocols to routing, congestion control
GENI initiative for Internet redesign
DETER testbed, Industrial collaboration
Network researchers at all TRUST sites
Drinking from a firehose
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
83
Education
Sigurd Meldal (SJSU)
Janos Sztipanovits (Vanderbilt)
TRUST, Berkeley Site Visit, April 26-28, 2006
Education Vision

Trust education
–
–

Trust education integrates domains
–

trust solutions = policy options + technology options
Trust education within domains
–

part of technological and social literacy
central to technological and policy-making professional
competency
From engineering to the social sciences
Trust education cuts across education levels
–
K-12, undergraduate programs, profession-oriented masters
programs, research-oriented doctoral programs
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
85
Education Implementation

Main Activities
–
–
–
–
Education Community Development (EDC)
The TRUST Academy Online (TAO)
Curriculum Development and Refinement
TRUST Workshops
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
86
Participants in the Ecosystem
QuickTime™ and a
TIFF (Uncompressed) decompressor
are needed to see this picture.
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
Quic kT ime™ and a
T IFF (Unc ompres s ed) decompres s or
are needed to see this picture.
Q uic k Tim e ™ a n d a
T IFF ( Un c o mp r e ss e d) d e co m pr e s so r
a r e n e ed e d to s ee th is p ic tu r e .
Q uic k Tim e™ and a
TIFF (LZW) dec ompres s or
are needed to s ee this pic ture.
QuickTime™ and a
TIFF (Uncompressed) decompressor
are needed to see this picture.
Year 1 Research Overview
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
TRUST, Berkeley Site Visit, April 26-28, 2006
87
Knowledge Certification
Standardized knowledge units:
 National Information Assurance Training
Standards (CNSS)
 NIETP Centers for Academic Excellence in IA
Education
Assist in the broad adoption of such curricula.
Evaluate, adapt or substitute units or standards
as indicated by domain requirements
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
88
Learning Technology Infrastructure

Established strong relationship between
TRUST and VaNTH*
–
–


Assessment Methods and Technology
Learning Technology
Challenge-based courses (design and
delivery methods)
Adaptive learning and course delivery
strategies, development of adaptive expertise
* Vanderbilt-Northwestern-Texas-Harvard/MIT
Year 1 Research Overview
Engineering Research Center
TRUST, Berkeley Site Visit, April 26-28, 2006
89
Education Spotlight
Larry Howard
ISIS-VU
Simon Shim
SJSU
TRUST
Academy On-Line
TRUST
Repository
Project
Xiao Su
SJSU
TRUST researchers,
graduate students,
VaNTH researchers
Weider Yu
SJSU
Year 1 Research Overview
Sigurd Meldal
SJSU
TRUST, Berkeley Site Visit, April 26-28, 2006
Yuan Xue
ISIS-VU
90
TRUST Academy On-line

Aspects of support
–
–
–
–

Collaborative, evolutionary
design of adaptive learning
experiences
Instrumented enactment of
designs with learners
Design reflection by educators
Online dissemination
Principal components
–
Visual integrated design
environment (CAPE)

–
–
Design and content repository
Interoperable delivery
platform (eLMS)
Dissemination Portal (TAO)
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
91
TAO Content
WEB-based dissemination
portal/content management system for



classroom resources: syllabi, lecture
notes, readings, assessment
materials, and instructor guides
re-targetable learning modules
on-line learning resources: direct
access to courseware for evaluation
Network Security Course Modules

How bad guys work
Network Security Courseware


–
Yuan Xue (Vanderbilt),
Xiao Su (SJSU)
Sources
–
–
–

Year 1 Research Overview
Cryptography
–
Vanderbilt’s CS291 (Network Security)
Stanford’s CS259 (Security Analysis
of Network Protocols)
SJSU’s CmpE209 (Network Security)

Secret key, public key, hash functions
Authentication protocols
–

Attacks from hackers’ perspective
Key exchange protocols
Network security standards
–
Wireless security, IP security, SSL, ..
TRUST, Berkeley Site Visit, April 26-28, 2006
92
General Steps






Content creation
Presentation & Packaging
Learning Strategy Formalization
Delivery methods
Evangelization and dissemination
Challenges
–
–
–
Bringing in the policy-oriented educators
Bringing in the non-CS engineering disciplines
Evangelizing
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
93
Undergraduate Curriculum
Refinement & Development




Develop (new) material for (new) domains
Collect course material and teaching
experiences from the TRUST partners
Identify knowledge units – generate
retargetable learning modules
Define appropriate taxonomic structures
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
94
Facilitate Adoption of New Material

Security science (incremental, integrative, learning modules)
–
–
–

Social sciences (incremental, integrative, learning modules)
–
–

TRUST as a core competency for the educated person
Systems science (new capstone courses)
–

In-discipline: Privacy, information management and security, economics,
organization theory, IP
Cross-discipline: Fundamentals of security technologies, technology
awareness
General Education
–

In-discipline: operating systems, programming languages, cryptography,
secure networking, hardware architectures…
Canonical security courses
Cross-discipline: Social impact, law, privacy, organizational roles,
infrastructure
Case studies as vehicle for learning modules
Cross-discipline: Design and analysis of complex systems
Courseware repository
–
Web-deliverable courseware – VaNTH/eLMS
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
95
Graduate Curriculum
Refinement & Development

New courses will be jointly developed:
–
–


Advanced graduate seminars
Computer and system security laboratory
–

Design and Analysis of Secure Systems.
Integrative Systems Science
Team competitions
New courses designed for engineering
audience; joint offering across partners using
web-cast technology
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
96
Repository Content

Retargetable Learning Modules
–

Elements of the learning process
Courses
–
Teach security in a context
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
97
Learning Module Repository

Facilitate efficient reuse of courseware
–
–
–

Organized into small modules
–

May be incorporated into other courses
Example:
The RSA module may be used in an algorithms class
Easy to adapt to different audiences
–
–

Lectures
Projects
Homework assignments
Same topics covered by different instructors in different
courses at different universities
Example: cryptography
Facilitate designing course architectures
–
The Lego approach to coursework design
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
98
Course Repository

Implement Course Repository in CAPE
–
–
–
–
Specify taxonomy
Define course learning objectives
Simulate learning process via sequencing of course modules
Include relevant resources in a course module




Lecture notes, Presentation slides
Home assignments, Projects
Exams, Quizzes
Web-based Delivery System
–
–
Hosted by VaNTH from Vanderbilt University
https://try.elms.vanth.org
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
99
Ongoing Work
Pilot module sets:
 Network security
 Introductory upper-division topics
 Security in chemical processing systems
Pilot experiment:
 Design a course on the basis of the repository
Establishing a broader community:
 Invite CERT, SEI, other IA institutions and initiatives to
make use of the repository and authoring tools.
 Establish a CSU-wide consortium for security
curriculum development
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
100
TRUST Education Workshops
Engaging the broader teaching community
 Work with CERT, the IA Capability Building effort and
minority serving institutions.
Immediate expectations:
 A TRUST/CERT sponsored participation in education
conferences (proposal with CMU, UC Berkeley,
Vanderbilt and SJSU to the annual FIE Conference
series)
 A TRUST/SEI symposium following up on the SEI IA
Education Summer Schools and the TRUST Summer
Schools (proposal with SJSU and CMU/SEI under the
NSF IACBP)

Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
101
TRUST Workshops



Sensor Networking Workshop, Cornell and
New York Department of Health - Tuesday,
October 11, 2005.
Cornell-Tsinghua Workshop on Information
Technology, November 18, Tsinghua
University, Beijing, China. TRUST
Workshop on Social Security Numbers (jointly
with PORTIA), Stanford – May 2006.
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
102
OUTREACH Strategy
We are engaged in two kinds of outreach
activities:
 Local, in which each local groups have their
own outreach activities tailored to the local
conditions.
 Overall Center activities which engage the
community at large. Here, we are most
concerned how to disseminate our knowledge
to the widest diverse population.
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
104
Local Activities

BFOIT - Berkeley Foundation for Opportunities in Information
Technology http://www.bfoit.org/
(Nurturing underrepresented high school students and their teachers in
TRUST areas. Prof. Bajcsy, personal participation and fund raising.)

SUPERB-IT - Summer Undergraduate Program in Engineering
Research at Berkeley - Information Technology
http://www.eecs.berkeley.edu/Programs/ugrad/superb/superb.ht
ml
(Increased number of underrepresented students by 4)

SIPHER - Summer Internship Program in Hybrid and Embedded
Software Research
http://fountain.isis.vanderbilt.edu/fountain/Teaching/
(Increased number of underrepresented students by 2)

Pennsylvania Area HBCU Outreach - Historically Black Colleges
and Universities http://is.hss.cmu.edu/summer.html
(Increased number of underrepresented students by 5)
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
105
Center Activities: WISE

Women’s Institute in Summer Enrichment (WISE) is a residential
summer program on the University of California, Berkeley
campus that brings together women (but it is not restricted to
women only!) from all disciplines that are interested in TRUSTed
systems in Science and Technology and all of the social, political,
and economical ramifications that are associated with these
systems.

Professors from across the country come to Berkeley to teach
power courses in several disciplines, including computer
science, economics, law, and electrical engineering. The oneweek program includes rigorous classes in the morning, and
allows participants to explore through hands-on experiments and
team-based projects in the afternoons.
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
106
Application for the WISE program

Applications for summer 2006 are available on this website on
the Application page (we shall shortly set this up). Our tuition fee
for summer 2006 will be $1,500 -- applicants with financial need
may request a fee waiver on the application form.

20 participants was selected from a nationwide applicant pool of
young women and men who have demonstrated outstanding
academic talent. No prior experience in computer programming,
law, or engineering is required, but we expect students to be able
to handle college-level material at a rapid pace. 19 out of the 20
participants are women (graduate students and junior faculty)
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
107
The currently signed up faculty for
WISE
Name
Institution
Cynthia Dwork
Microsoft Palo Alto
Cynthia Irvine
Naval Postgraduate School
Gail Kaiser
Columbia University
Jeanette Wing
CMU
Joan Feigenbaum
Yale University
John Mitchell
Stanford University
Klara Nahrstedt
UIUC
Rebecca Wright
Stephen Institute of Technology
Sonia Fahmy
Purdue University
Stephen Mauer
UC Berkeley
Steve Weber
UC Berkeley
Yuan Xue
Vanderbilt
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
108
WISE Schedule



The workshop will be held at UC Berkeley
Campus starting on July 5th ,06 until July
11th,06 included.
The summer school will be organized into two
parts:
Mornings 3 hours lectures;
Afternoons 3 hours exercises.
The lectures will be given by the teachers
listed above, the exercises will be supervised
by graduate students.
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
109
Center Activities: National Visibility

Participation in National Conferences to build
contacts and “get the word out”:
–
Dr. W.Robinson from Vanderbilt University
attended the NSF Joint Annual Meeting HER, on
March 16-17th, 2006 in Washington, DC.,see :
http://www.edjassociates.com/jam06
–
Meltem Erol from UCB attended HBCU
conference in February, 2006 in Baltimore, Md.
See: http://www.hbcu-upconference.com/
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
110
Visiting positions



Cornell has funded Judy Cardell from Smith college
to be engaged in the TRUST Sensor Networking
project
TRUST funded Weider Yu from SJSU to participate in
CMU’s Information Assurance Capacity Building
Program (IACPB)
Stanford will host this summer professor Mario Garcia
from Texas A&M University –Corpus Christi. This visit
is sponsored by NSF Quality Education for Minorities
(QEM) Program
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
111
Center Activities: National Visibility

Joint projects:
–
Professor Bajcsy together with Prof. Nahrsted from
UIUC, Prof. Wymur (UCB) and prof. Katherine
Mezure form Mills college are building
cyberinfrastructure for distributed dance
performances in the Cyberspace
–
Professor Xue from Vanderbilt and Professor Xiao
Su at SJSU worked on a pilot project on designing
network security courseware repository
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
112
Other OUTREACH plans



Organize regular TRUST seminars, weekly
from a speaker pool (Researchers engaged in
cyber security agenda)
Reach out to collaborate with the National
Laboratories
Recruit diverse population of students as
graduate students interested in TRUST
agenda.
Year 1 Research Overview
TRUST, Berkeley Site Visit, April 26-28, 2006
113
Descargar

Year 1: Research – Education – Outreach Overview