Candidate: Nahid Juma
Title: Problems in Cloud Security, Access Control and Logic Locking
Date: June 25, 2020
Time: 10:30 AM
Place: REMOTE PARTICIPATION
Supervisor(s): Tripunitara, Mahesh
In this thesis, we study problems related to security in three different contexts: cloud scheduling, forensic analysis for access control, and logic locking to protect digital ICs.
The first set of problems relates to security in cloud computing. Prior work suggests that scheduling, with security as a consideration, can be effective in minimizing information leakage, via side-channels, that can exist when virtual machines (VMs) co-reside in clouds . We analyze the overhead that is incurred by such an approach. We first pose and answer a fundamental question: is the problem tractable? We show that the seemingly simpler sub-cases of initial placement and migration across only two equal-capacity servers are both intractable (NP-hard). However, a decision version of the general problem to which the optimization version is related polynomially is in NP. With these results as the basis, we make several other contributions. We revisit recent work that proposes a greedy algorithm for this problem, called Nomad. We establish that if P /= NP, then there exist infinitely many classes of input, each with an infinite number of inputs, for which a decrease in information leakage is possible, but Nomad provides none, let alone minimize it. We establish also that a mapping to Integer Linear Programming (ILP) in prior work is deficient in that the mapping can be inefficient (exponential-time), and therefore does not accurately convey the overhead of such an approach that actually decreases information leakage. We present our efficient reductions to ILP and boolean satisfiability in conjunctive normal form (CNF-SAT). We have implemented these approaches and conducted an empirical assessment using the same ILP solver as prior work, and a SAT solver. Our analytical and empirical results more accurately convey the overhead that is incurred by an approach that actually provides security (decrease in information leakage).
The second set of problems relates to access control. We pose and study forensic analysis in the context of access control systems. Forensics seeks to answer questions about past states of a system, and thereby provides important clues and evidence in the event of a security incident. Access control deals with who may perform what action on a resource and is an important security function. We argue that access control is an important context in which to consider forensic analysis, and observe that it is a natural complement of safety analysis, which has been considered extensively in the literature. We pose the forensic analysis problem for access control systems abstractly, and instantiate it for three schemes from the literature: a well-known access matrix scheme, a role-based scheme, and a discretionary scheme. In particular, we ask what the computational complexity of forensic analysis is, and compare it to the computational complexity of safety analysis for each of these schemes. We observe that in the worst-case, forensic analysis lies in the same complexity class as safety analysis. We consider also the notion of logs, i.e., data that can be collected over time to aid forensic analysis. We present results for sufficient and minimal logs that render forensic analysis for the three schemes efficient. This motivates discussions on goal-directed logging, with the explicit intent of aiding forensic analysis. We carry out a case-study in the realistic setting of a serverless cloud application, and observe that goal-directed logging can be highly effective. Our work makes contributions at the foundations of information security, and its practical implications.
The third set of problems relates to logic locking to protect digital ICs against untrusted semiconductor foundries. We make two sets of complementary contributions, all rooted in foundations and bolstered by implementations and empirical results. Our first set of contributions regards observations about prior schemes and attacks, and our second is a new security notion. Towards the former, we make two contributions. (a) We revisit a prior approach called XOR-locking that has been demonstrated to be susceptible, in practice, to a particular attack called the SAT attack. We establish that (i) there exist circuits that are invulnerable to the SAT attack when XOR-locked with even a 1-bit key, and, (ii) there is a particular property that is inherent to benchmark circuits that explains why the SAT attack is successful against XOR-locked versions of those. Both (i) and (ii) are rooted in computing foundations: for (i), one-way functions; for (ii), distributional computational complexity, specifically, the class distP. (b) We revisit a state-of-art logic locking approach called TTLock whose generalization called SFLL-HD has been argued to be “provably secure” in prior work. We devise a new, probabilistic attack against TTLock. We explain, from foundations, why benchmark circuits that are locked using TTLock are susceptible to our new attack. Our observations (a) and (b), and prior work on attacks, informs our second contribution, which is a new security notion. We prove that our notion is at least as strong as the property that underlies the SAT attack.