Computer Sciences Dept.

Computer Security and Cryptography Reading Group
December 2005 List

Date & Location / Reading
Thursday, December 1, 2005
3 PM - 4 PM
7331 CS

S. Son, M. Livny
S. Son, B. Allcock, M. Livny
UW / Argonne
CODO: firewall traversal by cooperative on-demand opening
HPDC 2005

URL: http://www.cs.wisc.edu/~sschang/papers/CODO-hpdc.pdf

Firewalls and network address translators (NATs) cause significant connectivity problems along with benefits such as network protection and easy address planning. Connectivity problems make nodes separated by a firewall/NAT unable to communicate with each other. Due to the bidirectional and multiorganizational nature of grids, they are particularly susceptible to connectivity problems. These problems make collaboration difficult or impossible and cause resources to be wasted. This paper presents a system, called CODO, which provides applications end-to-end connectivity over firewalls/NATs in a secure way. CODO allows applications authorized through strong security mechanisms to traverse firewalls/NATs, while blocking unauthorized applications. This paper also formalizes the firewall/NAT traversal problem and clarifies how a traversal system fits in the overall security policy enforcement by a firewall/NAT.

Thursday, December 15, 2005
3 PM - 4 PM
7331 CS

N. Feamster, H. Balakrishnan, D. Karger
N. Feamster, M. Balazinska, G. Harfst, H. Balakrishnan, D. Karger
MIT
Infranet: Circumventing Web Censorship and Surveillance
Security'02

URL: http://www.usenix.org/publications/library/proceedings/sec02/feamster.html

An increasing number of countries and companies routinely block or monitor access to parts of the Internet. To counteract these measures, we propose Infranet, a system that enables clients to surreptitiously retrieve sensitive content via cooperating Web servers distributed across the global Internet. These Infranet servers provide clients access to censored sites while continuing to host normal uncensored content. Infranet uses a tunnel protocol that provides a covert communication channel between its clients and servers, modulated over standard HTTP transactions that resemble innocuous Web browsing. In the upstream direction, Infranet clients send covert messages to Infranet servers by associating meaning to the sequence of HTTP requests being made. In the downstream direction, Infranet servers return content by hiding censored data in uncensored images using steganographic techniques. We describe the design, a prototype implementation, security properties, and performance of Infranet. Our security analysis shows that Infranet can successfully circumvent several sophisticated censoring techniques.

Thursday, December 29, 2005
3 PM - 4 PM
7331 CS

M. Swift
M. M. Swift, C. Van Dyke, P. Brundrett, P. Garg, A. Hopkins, M. Goertzel, S. Chan, G. Jensenworth
Microsoft
Improving the Granularity of Access Control in Windows NT
SACMAT'01

URL: http://www.cs.washington.edu/homes/mikesw/papers/win2kacl.pdf

This paper presents the access control mechanisms in Windows 2000 that enable fine-grained protection and centralized management. These mechanisms were added during the transition from Windows NT 4.0 to support the Active Directory, a new feature in Windows 2000. We first extended entries in access control lists to allow rights to apply to just a portion of an object. The second extension allows centralized management of object hierarchies by specifying more precisely how access control lists are inherited. The final extension allows users to limit the rights of executing programs by restricting the set of objects they may access. These changes have the combined effect of allowing centralized management of access control while precisely specifying which accesses are granted to which programs.

Created and maintained by Mihai Christodorescu (http://www.cs.wisc.edu/~mihai)
Created: Fri Feb 04 16:32:13 2005
Last modified: Fri Sep 30 13:59:39 Central Daylight Time 2005