Search For:

Displaying 1-29 out of 29 total
Bickering In-Depth: Rethinking the Composition of Competing Security Systems
Found in: IEEE Security and Privacy
By Michael E. Locasto, Sergey Bratus, Brian Schulte
Issue Date:November 2009
pp. 77-81
A wide variety of security software competes for control of desktops, servers, and handhelds. Competition for control over a system's security posture can leave systems mired in a performance tar pit and subvert the very security they were meant to provide...
 
The Hidden Difficulties of Watching and Rebuilding Networks
Found in: IEEE Security and Privacy
By Michael E. Locasto, Angelos Stavrou
Issue Date:March 2008
pp. 79-82
Network protection can be difficult even for experienced IT staff and security researchers. In this installment of Secure Systems, the authors focus on two areas of network defense that are particularly troublesome to manage: network intrusion recovery and...
 
A Failure-Based Discipline of Trustworthy Information Systems
Found in: IEEE Security and Privacy
By Michael E. Locasto,Matthew C. Little
Issue Date:July 2011
pp. 71-75
The complexity of most systems, including those involving a digital information system, has surpassed the point at which we can consider failures as abnormal events. We must plan for failure and design strong response and recovery mechanisms.
 
On the General Applicability of Instruction-Set Randomization
Found in: IEEE Transactions on Dependable and Secure Computing
By Stephen W. Boyd, Gaurav S. Kc, Michael E. Locasto, Angelos D. Keromytis, Vassilis Prevelakis
Issue Date:July 2010
pp. 255-270
We describe Instruction-Set Randomization (ISR), a general approach for safeguarding systems against any type of code-injection attack. We apply Kerckhoffs' principle to create OS process-specific randomized instruction sets (e.g., machine instructions) of...
 
Katana: A Hot Patching Framework for ELF Executables
Found in: Availability, Reliability and Security, International Conference on
By Ashwin Ramaswamy, Sergey Bratus, Sean W. Smith, Michael E. Locasto
Issue Date:February 2010
pp. 507-512
Despite advances in software modularity, security, and reliability,offline patching remains the predominant form of updating or protecting commodity software. Unfortunately, the mechanics of hot patching (the process of upgrading a program while it execute...
 
Helping Students 0wn Their Own Code
Found in: IEEE Security and Privacy
By Michael E. Locasto
Issue Date:May 2009
pp. 53-56
It's a difficult mental exercise to simultaneously envision how a system could be forced to fail while you're busy designing how it's meant to work. At George Mason University, instructors give their students practice at this skill by requiring them to wri...
 
Highlights from the 2005 New Security Paradigms Workshop
Found in: Computer Security Applications Conference, Annual
By Simon Simon Foley, Abe Singer, Michael E. Locasto, Stelios Sidiroglou, Angelos D. Keromytis, John McDermott, Julie Thorpe, Paul van Oorschot, Anil Somayaji, Richard Ford, Mark Bush, Alex Boulatov
Issue Date:December 2005
pp. 393-396
This panel highlights a selection of the most interesting and provocative papers from the 2005 New Security Paradigms Workshop. This workshop was held September 2005 - the URL for more information is http://www.nspw.org. The panel consists of authors of th...
   
Casting out Demons: Sanitizing Training Data for Anomaly Sensors
Found in: Security and Privacy, IEEE Symposium on
By Gabriela F. Cretu, Angelos Stavrou, Michael E. Locasto, Salvatore J. Stolfo, Angelos D. Keromytis
Issue Date:May 2008
pp. 81-95
The efficacy of Anomaly Detection (AD) sensors depends heavily on the quality of the data used to train them. Artificial or contrived training data may not provide a realistic view of the deployment environment. Most realistic data sets are dirty; that is,...
 
// TODO: Help students improve commenting practices
Found in: 2012 IEEE Frontiers in Education Conference (FIE)
By Peter J. DePasquale,Michael E. Locasto,Lisa Kaczmarczyk,Mike Martinovic
Issue Date:October 2012
pp. 1-6
One implicit purpose of writing software code is to communicate ideas. Commenting source code helps explain these ideas and provides background on the semantics of a program. Yet, enabling students to acquire good commenting practices remains difficult. In...
 
SSARES: Secure Searchable Automated Remote Email Storage
Found in: Computer Security Applications Conference, Annual
By Adam J. Aviv, Michael E. Locasto, Shaya Potter, Angelos D. Keromytis
Issue Date:December 2007
pp. 129-139
The increasing centralization of networked services places user data at considerable risk. For example, many users store email on remote servers rather than on their lo- cal disk. Doing so allows users to gain the benefit of reg- ular backups and remote ac...
 
ShieldGen: Automatic Data Patch Generation for Unknown Vulnerabilities with Informed Probing
Found in: Security and Privacy, IEEE Symposium on
By Weidong Cui, Marcus Peinado, Helen J. Wang, Michael E. Locasto
Issue Date:May 2007
pp. 252-266
In this paper, we present ShieldGen, a system for automatically generating a data patch or a vulnerability signature for an unknown vulnerability, given a zero-day attack instance. The key novelty in our work is that we leverage knowledge of the data forma...
 
Security and privacy considerations in digital death
Found in: Proceedings of the 2011 workshop on New security paradigms workshop (NSPW '11)
By Michael E. Locasto, Michael Massimi, Peter J. DePasquale
Issue Date:September 2011
pp. 1-10
Death is an uncomfortable subject for many people, and digital systems are rarely designed to deal with this event. In particular, the wide array of existing digital authentication infrastructure rarely deals with gracefully retiring credentials in a unifo...
     
Teaching security using hands-on exercises (abstract only)
Found in: Proceedings of the 45th ACM technical symposium on Computer science education (SIGCSE '14)
By Elizabeth Hawthorne, Jens Mache, Justin Cappos, Michael E. Locasto, Richard Weiss
Issue Date:March 2014
pp. 736-736
We see teaching information security through hands-on, interactive exercises as a way to engage students. Some of the exercises that we have tried require significant preparation on the part of the instructor. Having a community makes it easier to share ex...
     
Hands-on cybersecurity exercises in the EDURange framework (abstract only)
Found in: Proceedings of the 45th ACM technical symposium on Computer science education (SIGCSE '14)
By Jens Mache, Michael E. Locasto, Richard Weiss, Vincent Nestler
Issue Date:March 2014
pp. 746-746
Cybersecurity is a topic of growing interest for CS educators. The goal of this workshop is to provide faculty with tools and interactive exercises that would facilitate adding this topic to their curriculum. We will introduce the EDURange framework for de...
     
Hands-on cybersecurity exercises and the rave virtual environment (abstract only)
Found in: Proceeding of the 44th ACM technical symposium on Computer science education (SIGCSE '13)
By Brian Hay, Jens Mache, Michael E. Locasto, Richard Weiss, Vincent Nestler
Issue Date:March 2013
pp. 759-759
This workshop is intended for anyone who would like to use hands-on exercises in cybersecurity for a variety of classes including Networking, OS, Computer Security and Software Engineering. It has received increased attention nationally in the proposed ACM...
     
Teaching security using hands-on exercises (abstract only)
Found in: Proceeding of the 44th ACM technical symposium on Computer science education (SIGCSE '13)
By Blair Taylor, Elizabeth Hawthorne, Jens Mache, Michael E. Locasto, Richard Weiss
Issue Date:March 2013
pp. 754-754
We see teaching cybersecurity through hands-on, interactive exercises as a way to engage students. Some of the exercises that we have seen require significant preparation on the part of the instructor. Having a community makes it easier to share exercises,...
     
LoSt: location based storage
Found in: Proceedings of the 2012 ACM Workshop on Cloud computing security workshop (CCSW '12)
By Gaven J. Watson, Michael E. Locasto, Mohsen Alimomeni, Reihaneh Safavi-Naini, Shivaramakrishnan Narayan
Issue Date:October 2012
pp. 59-70
For certain types of sensitive data (such as health records) it is important to know the geographic location of the file, e.g. that it is stored on servers within the USA. This is particularly important for determining applicable laws and regulations. In t...
     
Babel: a secure computer is a polyglot
Found in: Proceedings of the 2012 ACM Workshop on Cloud computing security workshop (CCSW '12)
By Chris Jarabek, Daniel Medeiros Nunes de Castro, John Aycock, Michael E. Locasto
Issue Date:October 2012
pp. 43-54
Why should a user's computer be trusted at all? We propose a new model of the computer, Babel, that makes a user's computer appear as it normally would, but is actually untrusted to the point where it cannot run the code installed on it. Each computer, eac...
     
Hacking and the security curriculum: building community (abstract only)
Found in: Proceedings of the 43rd ACM technical symposium on Computer Science Education (SIGCSE '12)
By Jens Mache, Michael E. Locasto, Richard S. Weiss
Issue Date:February 2012
pp. 680-680
Incorporating information security into the undergraduate curriculum continues to be a topic of interest to SIGCSE attendees. The purpose of this BOF is to help sustain the existing community of educators and researchers interested in bringing ethical hack...
     
Identifying effective pedagogical practices for commenting computer source code (abstract only)
Found in: Proceedings of the 43rd ACM technical symposium on Computer Science Education (SIGCSE '12)
By Lisa C. Kaczmarczyk, Michael E. Locasto, Peter J. DePasquale
Issue Date:February 2012
pp. 678-678
Few, if any, pedagogical practices exist for helping students embrace best practices in writing software documentation, particularly source code comments. Although instructors often stress the importance of good commenting, two problems exist. First, it ca...
     
The ephemeral legion: producing an expert cyber-security work force from thin air
Found in: Communications of the ACM
By Angelos Stavrou, Anup K. Ghosh, Michael E. Locasto, Sushil Jajodia
Issue Date:January 2011
pp. 129-131
Seeking to improve the educational mechanisms for efficiently training large numbers of information security workers.
     
VM-based security overkill: a lament for applied systems security research
Found in: Proceedings of the 2010 workshop on New security paradigms (NSPW '10)
By Ashwin Ramaswamy, Michael E. Locasto, Sean W. Smith, Sergey Bratus
Issue Date:September 2010
pp. 51-60
Virtualization has seen a rebirth for a wide variety of uses; in our field, systems security researchers routinely use it as a standard tool for providing isolation and introspection. Researchers' use of virtual machines has reached a level of orthodoxy th...
     
Teaching the principles of the hacker curriculum to undergraduates
Found in: Proceedings of the 41st ACM technical symposium on Computer science education (SIGCSE '10)
By Anna Shubina, Michael E. Locasto, Sergey Bratus
Issue Date:March 2010
pp. 122-126
The "Hacker Curriculum" exists as a mostly undocumented set of principles and methods for learning about information security. Hacking, in our view, is defined by the ability to question the trust assumptions in the design and implementation of computer sy...
     
The cake is a lie: privilege rings as a policy resource
Found in: Proceedings of the 1st ACM workshop on Virtual machine security (VMSec '09)
By Ashwin Ramaswamy, Michael E. Locasto, Peter C. Johnson, Sean W. Smith, Sergey Bratus
Issue Date:November 2009
pp. 33-38
Components of commodity OS kernels typically execute at the same privilege level. Consequently, the compromise of even a single component undermines the trustworthiness of the entire kernel and its ability to enforce separation between user-level processes...
     
Keep your friends close: the necessity for updating an anomaly sensor with legitimate environment changes
Found in: Proceedings of the 2nd ACM workshop on Security and artificial intelligence (AISec '09)
By Angelos Stavrou, Gabriela F. Cretu-Ciocarlie, Michael E. Locasto, Salvatore J. Stolfo
Issue Date:November 2009
pp. 39-46
Large-scale distributed systems have dense, complex code-bases that are assumed to perform multiple and inter-dependent tasks while user interaction is present. The way users interact with systems can differ and evolve over time, as can the systems themsel...
     
Traps, events, emulation, and enforcement: managing the yin and yang of virtualization-based security
Found in: Proceedings of the 1st ACM workshop on Virtual machine security (VMSec '08)
By Ashwin Ramaswamy, Michael E. Locasto, Sean W. Smith, Sergey Bratus
Issue Date:October 2008
pp. 53-62
We question current trends that attempt to leverage virtualization techniques to achieve security goals. We suggest that the security role of a virtual machine centers on being a policy interpreter rather than a resource provider. These two roles (security...
     
Self-healing: science, engineering, and fiction
Found in: Proceedings of the 2007 Workshop on New Security Paradigms (NSPW '07)
By Michael E. Locasto
Issue Date:September 2007
pp. 43-48
Most attacks on computing systems occur rapidly enough to frustrate manual defense or repair. It appears, therefore, that defense systems must include some degree of autonomy. Recent advances have led to an emerging interest in self-healing software as a s...
     
Dark application communities
Found in: Proceedings of the 2006 workshop on New security paradigms (NSPW '06)
By Angelos D. Keromytis, Angelos Stavrou, Michael E. Locasto
Issue Date:September 2006
pp. 11-18
In considering new security paradigms, it is often worthwhile to anticipate the direction and nature of future attack paradigms. We identify a class of attacks based on the idea of a "Dark" Application Community (DAC) - a collection of bots and zombie mach...
     
Speculative virtual verification: policy-constrained speculative execution
Found in: Proceedings of the 2005 workshop on New security paradigms (NSPW '05)
By Angelos D. Keromytis, Michael E. Locasto, Stelios Sidiroglou
Issue Date:September 2005
pp. 119-124
A key problem facing current computing systems is the inability to autonomously manage security vulnerabilities as well as more mundane errors. Since the design of computer architectures is usually performance-driven, hardware often lacks primitives for ta...
     
 1