Computer Security Papers from the Project


In addition to the papers below, there are a number of kernelSec papers under anonymous submission which we are unable to list. Papers are listed in chronological order by topic. The papers are in the following areas:

Ethos operating system

  • Authentication in Ethos, June, 2013 (W. Michael Petullo, Jon A. Solworth).

    Ethos's mechanisms for both local and network authentication. Authentication is inescapably integrated at the system level, and all authentication is performed by Ethos, not applications.

  • MinimaLT: Minimal-latency Networking Through Better Security, May, 2013 (W. Michael Petullo, Xu Zhang, Jon A. Solworth, Daniel J. Bernstein, Tanja Lange).

    Faster than TCP/IP, simpler than TLS, public-key authentication, with extensive privacy and denial of service protections.

  • Ethos's Distributed Types, June, 2013 (W. Michael Petullo, Wenyuan Fei, Patrick Gavlin, Jon A. Solworth).

    Operating systems which have traditionally incorporated user-space typing have done so around a single programming language or runtime. We describe here Ethos's typing, which is multi-programming-language, safe for distributed systems, and ensures that user-space programs never see ill-formed data.

  • Digital Identity Security Architecture in Ethos, Workshop on Digital Identity Management, CCS, Oct, 2011 (W. Michael Petullo, Jon A. Solworth).

    The strongest form of authentication is certificates, since it is possible to tie an action to a user. This paper describes how such certificates are created in Ethos, and Ethos's protections against attacks on this mechanism.

  • Simple-to-use, Secure-by-design Networking in Ethos, European Conference on System Security (EUROSEC'13), a EuroSys workshop, Apr, 2013 (W. Michael Petullo, Jon A. Solworth).

    A short overview of Ethos networking with a focus on network authorization.

  • The lazy kernel hacker and application programmer, ReSoLve'13, an ASPLOS workshop, Mar, 2013 (W. Michael Petullo, Jon A. Solworth).

    Building a new operating system is an enormous undertaking. If you are going to do it, you need to have either an enormous budget or to find ways to reduce the work involved. Here are some of the things we have done to make it feasible to build Ethos.

SayI: a global authentication infrastructure

  • SayI: Trusted User Authentication at Internet Scale, June, 2013 (Jon A. Solworth, Wenyuan Fei).

    SayI is a global public key infrastructure whose primary function is to provide name-to-public-key bindings. SayI is an open, global-scale, and efficient mechanism based on groups, which enables relying parties to control who can provide name-to-public-key bindings.



  • What can you say? and what does it mean? IEEE Workshop on Trusted Collaboration, November, 2006 (Jon A. Solworth).

    This paper examines the role of authentication, certificates, and certificate processing. It considers authentication very widely, not just in its traditional use of identification, but more generally in terms of authenticating a document. In particular, it considers the role of certificates in making informal statements and how they might be formally processed.

  • Instant Revocation, EuroPKI, 2008 (Jon A. Solworth).

    To protect the private key that a Certificate Authority uses for signing certificates, the key is kept offline. This means that signing is relatively infrequent, and hence the certificate information can become stale and then the certificate needs to be revoked. At CSAW, Ravi Sandhu defined "instant revocation" as revocations which take place within a second or two. Peter Gutmann has called PKI revocation a "grand challenge problem". Existing techniques do not achieve timely and efficient revocations. In this paper, we show how to achieve instant revocation which is hundreds to thousands of times more Internet-bandwidth efficient than existing techniques.

  • NetAuth: Supporting User-Based Network Services, Usenix Security, 2008 (Manigandan Radhakrishnan and Jon A. Solworth).

    Distributed authentication is typically an afterthought in applications. It is rarely done well, and hence is subject to attack. And it is surprisingly difficult to do. In this paper, we show a very simple API for combining authentication with traditional network sockets. This scheme is very easy to program and enables service processes to be specialized by user. We then port dovecot (an IMAP/POP mail delivery agent). The port results in the elimination of some 37% of the code in dovecot and the reduction in the number of process types from 4 to 1.


  • A Layered Design of Discretionary Access Controls with Decidable Safety Properties, IEEE Symposium on Security and Privacy '04 (Oakland'04) (Jon A. Solworth and Robert Sloan).

    This is the paper at Oakland which caused such a big fuss one year after it was published. In it we show that a taxonomy for Discretionary Access Controls (DACs) due to Osborn-Sandhu-Munawer could be implemented in a decidable general-purpose access control model. It is the first access control model known to be both non-monotonic and decidable.

    A paper by Li and Tripunitara in the 2005 Oakland conference claimed that our result is wrong since it cannot represent the invariant of single owner under change of ownership. Their claim is erroneous; the technical details are here.

  • Security Property-Based Access Controls, European Symposium on Research in Computer Security 2004 (ESORICS'04) (Jon A. Solworth and Robert Sloan).

    This paper describes two information flow security properties, information flow confidentiality and information flow integrity. It describes a general-purpose access control model, based on our DAC model from Oakland, which allows these properties to hold selectively (which we call expressibility) and which allows the permissions to change in a controlled way (which we call robustness). This paper shows that our administrative controls are well formed; in particular, it shows that it is decidable what approvals are needed (and whether such approval is possible) to create a new flow.

  • Decidable Administrative Controls based on Security Properties, submitted for publication (Jon A. Solworth and Robert Sloan).

    This is an earlier version of a paper we have currently submitted. Our ESORICS'04 paper showed that the result of a single administrative action was decidable. This paper shows that the result of an arbitrary number of administrative actions is decidable; that is, that the system can bound any evolution of the privileges to determine what is and is not possible in our system. This is the MAC analogue to the DAC decidability result at Oakland'04.

  • Application Support in the Operating System Kernel, ACM Symposium on Information, Computer and Communications Security (ASIACCS'06) (Manigandan Radhakrishnan and Jon A. Solworth).

    This paper describes how an operating system authorization system can be made sufficiently flexible to adapt to the needs of the application based on the application's history. Support is shown for dynamic separation of duty, information flow, and other mandatory access controls.

  • Approvability, ACM Symposium on Information, Computer and Communications Security (ASIACCS'06) (Jon A. Solworth).

    This paper shows a method for modelling dynamic separation of duty which enables loops and alternative outcomes to be described. Lower bounds on dynamic separation of duty scheduling are given, conditions are developed which ensure that a task does not get stuck if there is a sufficient number of users, and different scheduling mechanisms are given to ensure that a task does not get stuck.

  • Factoring High Level Information Flow Specifications into Low Level Access Controls, IEEE Workshop on Information Assurance, Royal Holloway, UK, April 2006 (Kevin Kahley, Manigandan Radhakrishnan and Jon A. Solworth).

    Access matrix based descriptions provide an efficient implementation for reference monitors to determine whether a given access is allowed or denied. But the access matrix is unwieldy to specify and modify, particularly as the number of properties enforced increases. To enable easier specification, a higher level model is very desirable which is composable, stateless, and succinct. We show how a simple higher level model can be automatically translated into an access matrix level description in kernelSec.

  • Quarantining Untrusted Entities: Dynamic Sandboxing using LEAP, Annual Computer Security Applications Conference (ACSAC), December, 2007 (Manigandan Radhakrishnan and Jon A. Solworth).

    Sandboxes (also called jails) are invoked by applications such as mail user agents and browsers in order to isolate untrusted entities from the rest of the system. But it is also possible to evade the sandbox protections by copying such untrusted entities out of the sandbox. We describe dynamic sandboxes, in which the sandbox is invoked automatically on reading untrusted data. Moreover, information flow based controls ensure that copied data retains its label.

Secure Systems

  • Robustly Secure Computer Systems: A new security paradigm of system discontinuity, New Security Paradigms Workshop, 2007 (Jon A. Solworth).

    In Fall 2006 I became alarmed at the growth of botnets, and the uses to which they were put. The existing computing base is so riddled with security holes that I believe that its replacement is both essential and inevitable. But new operating systems have traditionally not been successful, and are inordinately expensive to build. This paper considers how we will build a new generation of system software and make it secure. This is the kickoff paper for the Ethos project.


  • In revision. An annotated computer systems security bibliography (Jon A. Solworth, ed.)

    Working in security means spanning a large range of techniques and (for computer science) a long period of time. Some of these papers are difficult to find and may be confusing to read because of changing terminology. The above bibliography attempts to provide some organization to these ideas, and almost all of these papers are available at UIC.