Security in Active Networks, 1999
Cited by 10 (4 self)
The desire for flexible networking services has given rise to the concept of "active networks." Active networks provide a general framework for designing and implementing network-embedded services, typically by means of a programmable network infrastructure. A programmable network infrastructure creates significant new challenges for securing the network infrastructure. This paper
A New Dynamic Architecture for an Active Network, 2000
Cited by 10 (2 self)
Existing active network architectures depend on using statically typed languages for protection and performance. Unfortunately this limits some of the more dynamic features of an active network. In this paper we present PANTS - a dynamically extensible active network architecture. We describe a new architecture for an active node which does not depend on language based security, but provides the flexibility to perform dynamic changes to the node, and to the capsules. An implementation conforming to this architecture is described and compared with existing active network architectures. Keywords: Active network, Architecture, Implementation, Dynamic, Extensible
Secure Quality of Service Handling: SQoSH, 2000
Cited by 9 (5 self)
Proposals for programmable network infrastructures, such as active networks and open signaling, provide programmers with access to network resources and data structures. The motivation for providing these interfaces is accelerated introduction of new services, but exposure of the interfaces introduces many new security risks. The risks can be reduced or eliminated via appropriate restrictions on the exported interfaces. In this article we describe some of the security issues raised by active networks. We then describe our secure active network environment architecture. SANE was designed as a security infrastructure for active networks, and was implemented in the SwitchWare architecture. SANE restricts the actions loaded modules (including "capsules") can perform by restricting the resources that can be named; this is further extended to remote invocation by means of cryptographic credentials. SANE can be extended to support restricted control of quality of service in a programmable...
Towards Content Trust of Web Resources, 2007
Cited by 9 (1 self)
Trust is an integral part of the Semantic Web architecture. Most prior work on trust focuses on entity-centered issues such as authentication and reputation and does not take into account the content, i.e. the nature and use of the information being exchanged. This paper defines content trust and discusses it in the context of other trust measures that have been previously studied. We introduce several factors that users consider in deciding whether to trust the content provided by a Web resource. Our goal is to discern which of these factors could be captured in practice with minimal user interaction in order to maximize the quality of the system’s trust estimates. We present results on a study to determine which factors were more important to capture, and describe a simulation environment that we have designed to study alternative models of content trust.
Chaining Layered Integrity Checks - UNIVERSITY OF PENNSYLVANIA, 1999
Cited by 8 (1 self)
No work the size of this dissertation is done in isolation, and I would like to thank the people who worked with and supported me over the last four years. Harold F. Bower has worked with me on numerous occasions. He found and added the entry points in the BIOS source to call AEGIS. He also served as a sounding board for me in the design of AEGIS, and the AEGIS interrupt service routine (ISR). Hal and I also worked together on a precursor of AEGIS, the Security Enhanced Processor (SEP). The problems encountered with the SEP project led to AEGIS. Hal is also responsible for RATBAG, which is described in Chapter 3. Angelos Keromytis and I jointly designed the protocol used with the AEGIS network recovery and DHCP++. Angelos also served as the ideal person to discuss ideas. He is never shy about telling someone that their idea is nuts. Scott Alexander, Angelos, and I worked together on the design of SANE, Section 7.1. Scott’s contributions are “above the OS”, and mine are “below the OS”. Angelos worked with both Scott and myself, and developed the naming and threat models. Ralph Droms et al. developed the DHCP authentication scheme described in Section 7.2. I developed the delayed aspect of the authentication mechanism along with the threat model.
The SwitchWare Active Network Implementation, 1998
Cited by 7 (1 self)
This is an overview of work on the SwitchWare active network project, which began two years ago based on ideas about how to improve the flexibility of networks by making the network programmable. The original ideas for active networks as a whole and some comparative analysis of possible architectures are surveyed in [33]. A variety of technology trends in computing power, communication speeds, programming languages, and security have made it worthwhile to investigate network programming interfaces that allow code to be downloaded into routers within the network and invoked by the packets passing through them. At the current time there are at least a dozen AN prototype architectures under development [34,8,22,2,19,35], a few of which have released software. Our SwitchWare perspective was first described in [16] and has been considerably refined as we gained deeper insight into active networking. It was the first active network prototype to be publicly released, and is implemente
Practical Active Packets, 2002
Cited by 7 (4 self)
Active networking adds programmability to the network infrastructure to promote service introduction. One approach involves active packets that carry programs rather than standard passive headers. To date, no one has proposed an active packet system that is truly practical: providing added flexibility over passive packet schemes without sacrificing either safety or efficiency. In this work, we propose a new system, SNAP (Safe and Nimble Active Packets), that strikes a useful balance. First, SNAP is safe...
Bees: A Secure, Resource-Controlled, Java-Based Execution Environment - In Proceedings of the IEEE Conference on Open Architectures and Network Programming, 2003
Cited by 5 (2 self)
Mobile code makes it possible for users to define the processing and protocols used to communicate with a remote node, while still allowing the remote administrator to set the terms of interaction with that node. However, mobile code cannot do anything useful without a rich execution environment, and no administrator would install a rich environment that did not also provide strict controls over the resources consumed and accessed by the mobile code. Based on our experience with ANTS, we have developed Bees, an execution environment that provides better security, fine-grained control over capsule propagation, simple composition of active protocols, and a more flexible mechanism for interacting with end-user programs. Bees' security comes from a flexible authentication and authorization mechanism, capability-based access to privileged resources, and integration with our custom virtual machine that provides isolation, termination, and resource control. The enhancements to the mobile code environment make it possible to compose a protocol with a number of “helper” protocols. In addition, mobile code can now interact naturally with end-user programs, making it possible to communicate with legacy applications. We believe that these features offer significant improvements over the ANTS execution environment and create a more viable platform for active applications.
Reasoning About Secrecy for Active Networks - In 13th IEEE Computer Security Foundations Workshop (CSFW'00), 3 -- 5 July 2000, 2000
Cited by 5 (2 self)
In this paper we develop a language of mobile agents called uPLAN for describing the capabilities of active (programmable) networks. We use a formal semantics for uPLAN to demonstrate how capabilities provided for programming the network can affect the potential flows of information between users. In particular, we formalize a concept of security against attacks on secrecy by an 'outsider' and show how basic protections are preserved in the presence of programmable network functions.
A Secure PLAN (Extended Version) - In DARPA Active Networks Conference and Exposition (DANCE'02), 2002
Cited by 5 (2 self)
This material is posted here with permission of the IEEE. Such permission of the IEEE does not in any way imply IEEE endorsement of any of the University of Pennsylvania’s products or services. Internal or personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution must be obtained from the IEEE by writing to

