Shredding your garbage: Reducing data lifetime through secure deallocation
In USENIX Security, 2005
Cited by 30 (0 self)
Today’s operating systems, word processors, web browsers, and other common software take no measures to promptly remove data from memory. Consequently, sensitive data, such as passwords, social security numbers, and confidential documents, often remains in memory indefinitely, significantly increasing the risk of exposure. We present a strategy for reducing the lifetime of data in memory called secure deallocation. With secure deallocation we zero data either at deallocation or within a short, predictable period afterward in general system allocators (e.g. user heap, user stack, kernel heap). This substantially reduces data lifetime with minimal implementation effort, negligible overhead, and without modifying existing applications. We demonstrate that secure deallocation generally clears data immediately after its last use, and that without such measures, data can remain in memory for days or weeks, even persisting across reboots. We further show that secure deallocation promptly eliminates sensitive data in a variety of important real world applications.
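The mechanism behind secure deallocation, as an added illustration in C (this is not code from the paper): a zeroing routine that the optimizer is not allowed to drop, wrapped around a small allocator so that clearing happens at free time rather than "eventually". The secure_malloc/secure_free wrapper and its length header are names invented for this example; the paper instruments the real heap, stack and kernel allocators instead, which is why unmodified applications benefit.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Zero a buffer in a way the optimizer cannot drop.  A plain memset() just
 * before free() is a dead store at -O2 and is routinely removed; stores
 * through a volatile pointer must actually be performed. */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Hypothetical allocator wrapper (not the paper's code): a header records
 * the length so the whole block can be cleared at deallocation time. */
struct shdr { size_t len; };

void *secure_malloc(size_t n)
{
    struct shdr *h = malloc(sizeof *h + n);
    if (h == NULL)
        return NULL;
    h->len = n;
    return h + 1;
}

size_t secure_alloc_len(const void *p)
{
    return ((const struct shdr *)p - 1)->len;
}

void secure_free(void *p)
{
    if (p == NULL)
        return;
    struct shdr *h = (struct shdr *)p - 1;
    secure_zero(p, h->len);          /* clear at deallocation, not "eventually" */
    free(h);
}

size_t count_nonzero(const unsigned char *buf, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        c += buf[i] != 0;
    return c;
}

/* Constructed check: a stack buffer holding a made-up password is cleared
 * and the residue counted.  Stack frames are the other place the paper
 * finds long-lived copies, so the same routine applies before return. */
size_t residue_after_zero(void)
{
    unsigned char buf[32];
    memcpy(buf, "correct-horse-battery-staple!!!!", sizeof buf);
    if (count_nonzero(buf, sizeof buf) != sizeof buf)
        return (size_t)-1;
    secure_zero(buf, sizeof buf);
    return count_nonzero(buf, sizeof buf);
}

int main(void)
{
    unsigned char *pw = secure_malloc(16);
    if (pw == NULL)
        return 1;
    memcpy(pw, "hunter2-hunter2!", 16);
    printf("stack residue after secure_zero: %zu bytes\n", residue_after_zero());
    printf("heap block length recorded: %zu\n", secure_alloc_len(pw));
    secure_free(pw);                 /* 16 bytes zeroed, then released */
    return 0;
}
```

The volatile loop is the part that matters: the paper's point is that data must be cleared promptly, and a zeroing call the compiler silently removes gives the same lifetime as no zeroing at all. Where the platform offers explicit_bzero() or memset_s(), those serve the same purpose.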
When virtual is harder than real: Security challenges in virtual machine based computing environments
In 10th Workshop on Hot Topics in Operating Systems, 2005
Cited by 28 (1 self)
As virtual machines become pervasive, users will be able to create, modify and distribute new “machines” with unprecedented ease. This flexibility provides tremendous benefits for users. Unfortunately, it can also undermine many assumptions that today’s relatively static security architectures rely on about the number of hosts in a system, their mobility, connectivity, patch cycle, etc. We examine a variety of security problems virtual computing environments give rise to. We then discuss potential directions for changing security architectures to adapt to these demands.
Node compromise in sensor networks: The need for secure systems
2005
Cited by 27 (0 self)
While sensor network deployment is becoming more commonplace in environmental, business, and military applications, security of these networks emerges as a critical concern. Without proper security, it is impossible to completely trust the results reported from sensor networks deployed outside of controlled environments. Much of the current research in sensor networks has focused on protocols and authentication schemes for protecting the transport of information. However, all of those schemes are useless if an attacker can obtain a node from the network and extract the appropriate information, such as security keys, from it. We focus our research on the area of secure systems. In this paper we demonstrate the ease with which nodes can be compromised as well as show exactly what information can be obtained and how it can be used to disrupt, falsify data within, or eavesdrop on sensor networks. We then suggest mechanisms to detect intrusions into individual sensor nodes. Finally, we come up with security measures that can be implemented in future generation nodes to improve security.
Bump in the Ether: A Framework for Securing Sensitive User Input
In USENIX Annual Technical Conference, 2006
Cited by 19 (1 self)
We present Bump in the Ether (BitE), an approach for preventing user-space malware from accessing sensitive user input and providing the user with additional confidence that her input is being delivered to the expected application. Rather than preventing malware from running or detecting already-running malware, we facilitate user input that bypasses common avenues of attack. User input traverses a trusted tunnel from the input device to the application. This trusted tunnel is implemented using a trusted mobile device working in tandem with a host platform capable of attesting to its current software state. Based on a received attestation, the mobile device verifies the integrity of the host platform and application, provides a trusted display through which the user selects the application to which her inputs should be directed, and encrypts those inputs so that only the expected application can decrypt them. We describe the design and implementation of BitE, with emphasis on both usability and security issues.
Remote Detection of Virtual Machine Monitors with Fuzzy Benchmarking
2007
Cited by 6 (0 self)
We study the remote detection of virtual machine monitors (VMMs) across the Internet, and devise fuzzy benchmarking as an approach that can successfully detect the presence or absence of a VMM on a remote system. Fuzzy benchmarking works by making timing measurements of the execution time of particular code sequences executing on the remote system. The fuzziness comes from heuristics which we employ to learn characteristics of the remote system’s hardware and VMM configuration. Our techniques are successful despite uncertainty about the remote machine’s hardware configuration.
Securing history: Privacy and accountability in database systems
Cited by 4 (0 self)
Databases that preserve a historical record of activities and data offer the important benefit of system accountability: past events can be analyzed to detect breaches and maintain data quality. But the retention of history can also pose a threat to privacy. System designers need to carefully balance the need for privacy and accountability by controlling how and when data is retained by the system and who will be able to recover and analyze it. This paper describes the technical challenges faced in enhancing database systems so that they can securely manage history. These include: first, assessing the unintended retention of data in existing database systems that can threaten privacy; second, redesigning system components to avoid this unintended retention; and third, developing new system features to support accountability when it is desired.
Practical Techniques for Purging Deleted Data Using Liveness Information
Cited by 1 (0 self)
The layered design of the Linux operating system hides the liveness of file system data from the underlying block layers. This lack of liveness information prevents the storage system from discarding blocks deleted by the file system, often resulting in poor utilization, security problems, inefficient caching, and migration overheads. In this paper, we define a generic “purge” operation that can be used by a file system to pass liveness information to the block layer with minimal changes in the layer interfaces, allowing the storage system to discard deleted data. We present three approaches for implementing such a purge operation: direct call, zero blocks, and flagged writes, each of which differs in their architectural complexity and potential performance overhead. We evaluate the feasibility of these techniques through a reference implementation of a dynamically resizable copy on write (COW) data store in User Mode Linux (UML). Performance results obtained from this reference implementation show that all these techniques can achieve significant storage savings with a reasonable execution time overhead. At the same time, our results indicate that while the direct call approach has the best performance, the zero block approach provides the best compromise in terms of performance overhead and its semantic and architectural simplicity. Overall, our results demonstrate that passing liveness information across the file system-block layer interface with minimal changes is not only feasible but practical.
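The three purge variants named in the abstract, modelled on a toy in-memory copy-on-write store as an added example (this is not the paper's UML implementation): a direct cow_purge() call, a purge flag on the write, and detection of an all-zero payload at the block layer. The cow_* names, the purge_flag parameter and the 512-byte array-backed store are constructed for this example; a real block device and file system sit where the array and the demo function are.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 512
#define NBLOCKS 64

/* Toy copy-on-write block store.  A block with no backing buffer has never
 * been written, or has been purged, and reads back as zeros. */
struct cow_store {
    unsigned char *backing[NBLOCKS];
    size_t allocated;                 /* blocks currently holding a copy */
};

bool block_is_zero(const unsigned char *d)
{
    for (size_t i = 0; i < BLOCK_SIZE; i++)
        if (d[i]) return false;
    return true;
}

/* "Direct call": the file system tells the block layer outright that the
 * block is dead.  The copy is scrubbed before release so the deleted
 * contents do not linger in freed memory (a real store should use a
 * non-elidable zeroing routine here; memset before free may be optimized out). */
void cow_purge(struct cow_store *s, size_t blk)
{
    if (blk >= NBLOCKS || s->backing[blk] == NULL)
        return;
    memset(s->backing[blk], 0, BLOCK_SIZE);
    free(s->backing[blk]);
    s->backing[blk] = NULL;
    s->allocated--;
}

/* Write path carrying the other two signals: 'purge_flag' is the "flagged
 * write" variant, and an all-zero payload is the "zero blocks" variant.
 * Either one releases the backing copy instead of storing it. */
int cow_write(struct cow_store *s, size_t blk, const unsigned char *data, bool purge_flag)
{
    if (blk >= NBLOCKS)
        return -1;
    if (purge_flag || block_is_zero(data)) {
        cow_purge(s, blk);
        return 0;
    }
    if (s->backing[blk] == NULL) {
        s->backing[blk] = malloc(BLOCK_SIZE);
        if (s->backing[blk] == NULL)
            return -1;
        s->allocated++;
    }
    memcpy(s->backing[blk], data, BLOCK_SIZE);
    return 0;
}

void cow_read(const struct cow_store *s, size_t blk, unsigned char *out)
{
    if (blk < NBLOCKS && s->backing[blk] != NULL)
        memcpy(out, s->backing[blk], BLOCK_SIZE);
    else
        memset(out, 0, BLOCK_SIZE);
}

void cow_destroy(struct cow_store *s)
{
    for (size_t i = 0; i < NBLOCKS; i++)
        cow_purge(s, i);
}

/* Constructed scenario: a file occupies blocks 3-5, then the file system
 * deletes two of them.  Without liveness information all three copies stay
 * allocated; with purge only the live block remains.  Returns that count. */
size_t demo_live_blocks(void)
{
    struct cow_store s = {{0}, 0};
    unsigned char data[BLOCK_SIZE], zeros[BLOCK_SIZE] = {0};
    memset(data, 'A', BLOCK_SIZE);
    cow_write(&s, 3, data, false);
    cow_write(&s, 4, data, false);
    cow_write(&s, 5, data, false);
    cow_write(&s, 3, zeros, false);   /* zero blocks: payload says "dead" */
    cow_write(&s, 4, data, true);     /* flagged write: flag says "dead" */
    size_t live = s.allocated;
    cow_destroy(&s);
    return live;
}

int main(void)
{
    printf("backed blocks after delete: %zu (of 3 written)\n", demo_live_blocks());
    return 0;
}
```

The zero-block variant is the one that needs no interface change at all, which is the "semantic and architectural simplicity" the abstract credits it with: the file system simply overwrites dead blocks with zeros and the block layer recognises the pattern. The cost is the scan in block_is_zero() on every write, which is where the direct call wins on performance.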
Towards a QoS-aware Virtualised Storage System
Cited by 1 (1 self)
Every organisation depends critically on reliable high-performance storage. Driven by the high costs of maintaining and managing multiple local storage systems, there is a trend towards virtualised multi-tier storage infrastructures. The main limitation of such centralised solutions is their inability to guarantee application-level Quality of Service (QoS) without extensive and ongoing human intervention. This intervention is necessary since delivered QoS can vary extensively both across and within storage tiers, and also depends on the access profile of the data. This paper presents the first steps towards the concrete realisation of a self-managing virtualised storage system which automatically allocates and migrates data throughout its lifecycle guided by user-provided QoS hints. Specifically, we use the Logical Volume Manager (LVM) to create a virtualised multi-tier storage infrastructure with variable performance and reliability profiles. On top of that, we place an enhanced (but backwards-compatible) Linux Extended 3 Filesystem which we call ext3ipods and which supports QoS metadata. We describe the kernel modifications necessary to quantify the QoS provided by a given data layout, thus enabling the subsequent development of intelligent data placement and migration algorithms.
When Cryptography Meets Storage
Cited by 1 (0 self)
Confidential data storage through encryption is becoming increasingly important. Designers and implementers of encryption methods of storage media must be aware that storage has different usage patterns and properties compared to securing other information media such as networks. In this paper, we empirically demonstrate two-time pad vulnerabilities in storage that are exposed via shifting file contents, in-place file updates, storage mechanisms hidden by layers of abstractions, inconsistencies between memory and disk content, and backups. We also demonstrate how a simple application of Bloom filters can automatically extract plaintexts from two-time pads. Further, our experience sheds light on system research directions to better support cryptographic assumptions and guarantees.
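An added worked example in C of the attack the abstract describes (this is not the paper's code, and the paper's exact use of Bloom filters may differ): two ciphertexts produced under the same keystream are XORed together, which cancels the key and leaves p1 XOR p2; every word of a small dictionary is then dragged across that stream, and a Bloom filter built from the same dictionary picks out the positions where guessing one file's word makes a dictionary word fall out of the other file. The dictionary, the two plaintexts, the xorshift keystream and the names two_time_pad_attack/demo_attack are all constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOOM_BITS 4096
#define BLOOM_K 3
#define MAX_WORD 15
#define MAX_MSG 64

struct bloom { uint8_t bits[BLOOM_BITS / 8]; };

/* FNV-1a with a per-hash seed folded into the offset basis. */
static uint64_t fnv1a(const unsigned char *d, size_t n, uint64_t seed)
{
    uint64_t h = 0xcbf29ce484222325ULL ^ seed;
    for (size_t i = 0; i < n; i++) { h ^= d[i]; h *= 0x100000001b3ULL; }
    return h;
}

static void bloom_add(struct bloom *b, const unsigned char *d, size_t n)
{
    for (uint64_t k = 0; k < BLOOM_K; k++) {
        uint64_t bit = fnv1a(d, n, k * 0x9e3779b97f4a7c15ULL) % BLOOM_BITS;
        b->bits[bit / 8] |= (uint8_t)(1u << (bit % 8));
    }
}

/* False means definitely not in the dictionary; true means probably in it. */
static bool bloom_maybe(const struct bloom *b, const unsigned char *d, size_t n)
{
    for (uint64_t k = 0; k < BLOOM_K; k++) {
        uint64_t bit = fnv1a(d, n, k * 0x9e3779b97f4a7c15ULL) % BLOOM_BITS;
        if (!(b->bits[bit / 8] & (1u << (bit % 8)))) return false;
    }
    return true;
}

struct hit { size_t off; const char *crib; char recovered[MAX_WORD + 1]; };

/* c1 = p1 ^ k and c2 = p2 ^ k share the keystream k, so c1 ^ c2 = p1 ^ p2.
 * Drag each dictionary word across that XOR: where the guess is right for
 * one file, the other file's word falls out and the filter recognises it. */
size_t two_time_pad_attack(const unsigned char *c1, const unsigned char *c2, size_t n,
                           const char *const *dict, size_t ndict,
                           struct hit *hits, size_t maxhits)
{
    struct bloom b = {{0}};
    unsigned char x[MAX_MSG], cand[MAX_WORD];
    size_t nhits = 0;
    if (n > MAX_MSG) return 0;
    for (size_t i = 0; i < ndict; i++)
        bloom_add(&b, (const unsigned char *)dict[i], strlen(dict[i]));
    for (size_t i = 0; i < n; i++) x[i] = c1[i] ^ c2[i];
    for (size_t w = 0; w < ndict; w++) {
        size_t wl = strlen(dict[w]);
        if (wl > MAX_WORD) continue;
        for (size_t off = 0; off + wl <= n; off++) {
            for (size_t j = 0; j < wl; j++) cand[j] = x[off + j] ^ (unsigned char)dict[w][j];
            if (bloom_maybe(&b, cand, wl) && nhits < maxhits) {
                hits[nhits].off = off;
                hits[nhits].crib = dict[w];
                memcpy(hits[nhits].recovered, cand, wl);
                hits[nhits].recovered[wl] = '\0';
                nhits++;
            }
        }
    }
    return nhits;
}

/* Constructed demo: two same-length files encrypted with one reused keystream
 * (xorshift32 stands in for a real stream cipher; the flaw is the reuse). */
size_t demo_attack(struct hit *hits, size_t maxhits)
{
    static const char *const dict[] = {"attack", "retreat", "secret", "public",
                                       "dawn", "base", "dusk", "port"};
    const char *p1 = "attack dawn", *p2 = "secret port";
    size_t n = strlen(p1);
    unsigned char c1[MAX_MSG], c2[MAX_MSG];
    uint32_t s = 0x2545F491u;
    for (size_t i = 0; i < n; i++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        c1[i] = (unsigned char)p1[i] ^ (unsigned char)s;   /* same k for both */
        c2[i] = (unsigned char)p2[i] ^ (unsigned char)s;
    }
    return two_time_pad_attack(c1, c2, n, dict, sizeof dict / sizeof *dict, hits, maxhits);
}

bool hits_contain(const struct hit *hits, size_t n, size_t off, const char *crib, const char *rec)
{
    for (size_t i = 0; i < n; i++)
        if (hits[i].off == off && !strcmp(hits[i].crib, crib) && !strcmp(hits[i].recovered, rec))
            return true;
    return false;
}

int main(void)
{
    struct hit hits[32];
    size_t n = demo_attack(hits, 32);
    for (size_t i = 0; i < n; i++)
        printf("offset %zu: guessing \"%s\" in one file reveals \"%s\" in the other\n",
               hits[i].off, hits[i].crib, hits[i].recovered);
    return 0;
}
```

Every scenario in the abstract (a shifted file, an in-place update, a stale page in memory versus the block on disk, a backup of an earlier version) hands the attacker exactly the c1/c2 pair that demo_attack() constructs: the same keystream position covering two different plaintexts. The Bloom filter only makes the search automatic; the leak is already complete once c1 XOR c2 is available.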
A Survey of Confidential Data Storage and Deletion Methods
Cited by 1 (0 self)
As the amount of digital data grows, so does the theft of sensitive data through the loss or misplacement of laptops, thumb drives, external hard drives, and other electronic storage media. Sensitive data may also be leaked accidentally due to improper disposal or resale of storage media. To protect the secrecy of the entire data lifetime, we must have confidential ways to store and delete data. This survey summarizes and compares existing methods of providing confidential storage and deletion of data in personal computing environments.

