Citation: Ph.D. Thesis, Stanford University, 2007
It is commonly believed that systems that are not designed with security aspects in mind are difficult to secure later. This thesis argues that there are many situations in which security aspects can be retrofitted into such systems without significant effort or impact to users of these systems.
In support of this thesis we consider three broad computer system areas: data communication, addressing (name lookup), and data storage. These aspects are by no means new, and in fact are core components of any networked computer system.
First, we present Datagram Transport Layer Security (DTLS), a protocol that can be used for securing unreliable datagram transports such as UDP. Prior to DTLS, the standard options available to a system designer were SSL/TLS or IPsec, neither of which is well suited for securing delay-sensitive applications such as Internet telephony. DTLS is based on the TLS protocol and consequently provides a familiar programming model. DTLS was adopted by the IETF as RFC 4347.
Second, we present Churro, a registrar-free name service. Traditional name services, such as DNS, are centralized in two important respects: (1) authority, the question of who gets assigned a name, and (2) distribution, the question of how a name database is distributed. Both of these aspects have been receiving scrutiny: authority because ICANN (the governing body overseeing DNS) is seen to have too much influence over the running of DNS, and distribution following denial of service attacks on the DNS root servers. Churro runs over a distributed hash table and allows names to be multiply registered. Conflicts are resolved via a resolution algorithm that, in most situations, is capable of determining the earliest registration.
Finally, we present the design of SiRiUS, a secure filesystem. SiRiUS enables users to store data on a remote untrusted server without requiring modification to server software or configuration. The data thus stored can be shared between groups of the owner's choosing without relying on the server to enforce access control. Previous secure filesystems have either placed trust in the remote file server or, if not, failed to provide mechanisms for sharing files.