News

Safeguarding the Internet and Defending Civil Rights

By Ariel Plotkin, April 23rd, 2015

We don’t often think about what happens when we hit “Send,” but the internet’s architecture determines whether our emails end up where we want them to go. And it’s easier than you might think to mess with that architecture.

The internet is made up of tens of thousands of independently operated networks (a large employer might be one network; Verizon, another) interconnected via the Border Gateway Protocol (BGP). Every computer in every network has a unique Internet Protocol (IP) address, like every phone has a number. In the absence of a central internet authority, the system functions on trust: there’s no way to prevent networks from lying about the addresses they own, so one network can hijack another’s traffic just by claiming its addresses—it’s almost as if you told the post office you owned your neighbor’s house and asked it to deliver all the mail for that address to you. Developing fixes for insecurities like this one can be like patching a dam—plug one hole and the pressure shifts, forcing water out of a new one.

Sharon Goldberg specializes in anticipating and resolving the negative side effects of these fixes. With funding from the NSF, Cisco Systems, and Verisign Labs, she recently partnered with Leonid Reyzin, a CAS professor of computer science, to write a paper revealing how a flaw in one proposed solution to routing insecurity—the Resource Public Key Infrastructure (RPKI)—would challenge the fundamental openness of the internet.

RPKI is a certification system that would prevent one network from masquerading as another to hijack its traffic. If the owner of a network—ranging from internet service providers to universities to medium-size companies—does not have the right certificate, the network would not be able to connect to the internet. The trouble, Reyzin and Goldberg found, is that this system would put a lot of power in the hands of large multinational and national network owners, like governments, and would create a new avenue for censorship. The controlling organizations would have the power to disconnect portions of the internet they found objectionable. A government would be able to take networks—for example, those hosting content it doesn’t like, such as a journalist’s blog—off-line. Reyzin and Goldberg have suggested modifications to the proposal that would alert networks to suspicious structural changes that could affect routing.

Although these structural maneuverings enable the routing of our communications, “it’s unlikely the end user will even know this is happening,” Goldberg says. We typically notice structural issues only when there is an internet outage, when the internet connection fails, or when traffic is hijacked. “This is like internet plumbing,” she says. “You don’t think about the plumbing until it stops working.”

Read more at BU Today

Cloud Security Reaches Silicon

By Ariel Plotkin, April 23rd, 2015

In the last 10 years, computer security researchers have shown that malicious hackers don’t need to see your data in order to steal your data. From the pattern in which your computer accesses its memory banks, adversaries can infer a shocking amount about what’s stored there.

The risk of such attacks is particularly acute in the cloud, where you have no control over whose applications are sharing server space with yours. An antagonist could load up multiple cloud servers with small programs that do nothing but spy on other people’s data.

Two years ago, researchers in the group of MIT’s Srini Devadas, the Edwin Sibley Webster Professor in MIT’s Department of Electrical Engineering and Computer Science, proposed a method for thwarting these types of attacks by disguising memory-access patterns. Now, they’ve begun to implement it in hardware.

In March, at the Architectural Support for Programming Languages and Operating Systems conference, they presented the layout of a custom-built chip that would use their scheme, which is now moving into fabrication. And at the IEEE International Symposium on Field-Programmable Custom Computing Machines in May, they will describe some additional improvements to the scheme, which they’ve tested on reconfigurable chips.

The principle behind the scheme is that, whenever a chip needs to fetch data from a particular memory address, it should query a bunch of other addresses, too, so that an adversary can’t determine which one it’s really interested in.

Read more at MIT News

MOC Helps Increase Cloud Computing Popularity

By Mayank Varia, April 16th, 2015

As governments across the country are beginning to embrace cloud computing, Boston University’s Massachusetts Open Cloud (MOC) project is recognized for its potential.

Initiatives like the MOC hope to spur public-private sector innovation by creating a marketplace for customized infrastructure and platform services. Led by Boston University in collaboration with other area universities, including Harvard, MIT, and Northeastern, the goal is to create a shared infrastructure that will allow researchers, government agencies and industry to create cloud-based, data-driven innovations. Azer Bestavros, director of the Rafik B. Hariri Institute for Computing and Computational Science & Engineering at Boston University, says, “Just as a shopping mall provides a shared infrastructure and amenities for a variety of retailers, the MOC creates a marketplace where developers can innovate services for many different customers, from research institutions, healthcare providers, government agencies and non-profits as well as for profit organizations, and taxpayers are the beneficiary.” To date, the Commonwealth of Massachusetts has provided $3 million to fund the initiative, and matching funds from a mix of federal, industry and philanthropic sources are expected to exceed $20 million.

Bestavros believes we’re just at the beginning. He points to work being done between the MOC and Children’s Hospital. Clinicians there have long wanted the ability to conduct fetal MRI, something that, until the advent of open cloud super-computing resources, was prohibitively complicated and expensive. That project is now in development.

Why the Massachusetts Open Cloud Project Is a Big Deal

By Mayank Varia, December 1st, 2014

A project team of academia and industry experts is making headway on a multimillion-dollar cloud computing initiative announced by Massachusetts Gov. Deval Patrick in April.

If all goes as planned, the three-year project, known as the Massachusetts Open Cloud (MOC), will pave the way for cloud consumers to customize infrastructure and platform services to best meet their needs. Patrick is hopeful that MOC’s public cloud computing infrastructure will spur Big Data innovation in the state.

Boston University leads the MOC project team. The MOC project received $3 million in state funding, according to Azer Bestavros. “We have commitments of up to $20 million from universities and industry.” MOC is an architecture and a model for other governments, he adds.

Cisco, Intel, Red Hat and Juniper Networks are among the growing number of companies partnering with the MOC project. Academia partners include Northeastern University, University of Massachusetts, Harvard University and the Massachusetts Institute of Technology.

Jan Mark Holzer, a senior consulting engineer at Red Hat, says his company is helping MOC build the cloud infrastructure around OpenStack. Red Hat has moved some hardware into the MOC-designated data center and will continue to install hardware and software for at least the next six months. Holzer stressed that the MOC and its member partners are not interested in promoting a particular vendor or product. It's an open project.

Holzer says he is hopeful that MOC will be open for research use fairly soon, which could mean months, rather than years.

It’s too early to say how much the MOC services will cost, but the price points have to be competitive because agencies aren’t required to use the services.

Read more at StateTech Magazine

MOC Featured at MIT Cloud Workshop

By Mayank Varia, September 24th, 2014

“Open Innovation” was a strong theme running through the MIT Cloud Workshop held on September 29, 2014. Hosted by The Industry-Academia Partnership (IAP), the event featured talks on a range of nascent initiatives including the Massachusetts Open Cloud Initiative and IBM’s OpenPower Ecosystem.

“Today’s clouds are owned, operated, and controlled by a single provider, and those companies -- you know who they are -- are highly secretive about how they do their innovation,” said Orran Krieger, founding director of the Center for Cloud Innovation (CCI) at Boston University.

The consequences, he said, are severe. “We can’t innovate. Performance-sensitive applications are locked out because one can’t analyze what’s in the funnel. Worse yet, because these companies all have their own data platforms, when people try to innovate above the cloud data platform their stuff performs terribly, because they can’t optimize across these layers.”

Security is another beast.

“In the area of healthcare privacy, for example, existing cloud providers say, 'If there is a breach in this layer we will pay the cost, but if there is penetration above this layer you pay,' ” said Krieger. “That’s not the best security practice. Ideally, you want to audit the entire stack, but today there’s very little insight into how they are operating.”

Stakes are high in the cloud arena because a lot of people believe that in the future on-demand access to inexpensive computational capacity -- i.e., paying for what you use -- will be the model that dominates, potentially eliminating the need for personal computers.

Frustrated at what they see as a cloud model that stifles innovation, Krieger and fellow BU professor Azer Bestavros envision a new model -- a kind of public cloud marketplace they call the Open Cloud eXchange (OCX) in which an ecosystem of companies would jointly participate in implementing and operating the cloud.

“The idea seemed really naïve when I first thought about it,” said Krieger. “How would we build a model whereby each service provider determines how to charge for their services, operational data would be visible among stakeholders, customers can select and move between services, and academics and researchers could freely innovate?”

Naïve, possibly. But their idea is now one step closer to reality, through the Massachusetts Open Cloud (MOC) project. Founding vendor partners include Cisco, EMC, Red Hat, Juniper Networks, Dell, and Mathworks.

The first big technical challenge will be in building up that infrastructure. “We want people to use what they want to use, but the way things work today is based on the assumption that one landlord stands up the whole cloud,” said Krieger. “We have to find a model whereby different partners own different pieces of the cloud.”

At the conclusion of the talk, an attendee asked whether the OCX cloud framework would provide better insight on operational data, so that his company could perform more analytics on the data.

“That’s why I created OCX,” said Krieger. “If all this computing is going to the cloud, and we can’t actually see inside of it, then a lot of our research becomes irrelevant.”

Read more at EE Times

Securing the Cloud

By Ariel Plotkin, August 1st, 2014

The Massachusetts Open Cloud (MOC), a one-of-a-kind marketplace model for customizable public cloud offerings now being built by a team of researchers from BU and several other universities, may soon claim another first: a modular cybersecurity system built from smaller, separate functional components, each asserting its own security individually. As a result, the security of the system as a whole will be derived from the security of its components, rather than from a single firewall, as is currently the case with most cloud systems.

The cutting-edge approach will be designed by researchers from Boston University, MIT, the University of Connecticut, and Northeastern University with funding from a five-year, $10 million Frontier grant from the National Science Foundation, $5.3 million of which will go to BU. The effort, known as the Modular Approach to Cloud Security (MACS), will be led by Ran Canetti, professor of computer science at the College of Arts & Sciences and director of the BU Center for Reliable Information Systems and Cyber Security.

“Our goal is to build a cloud with clear and transparent security properties,” says Canetti. “If successful, this project will transform the way we currently build and argue about secure systems.” Canetti says the goal involves more than developing hardware and software: it depends on understanding new ideas. Still, he says, “we hope to build an actual system.”

Azer Bestavros, a CAS professor of computer science and the founding director of the Rafik B. Hariri Institute for Computing and Computational Science & Engineering, says that, to date, people have talked about modular security in a theoretical sense, but making it a practical reality remains “a dream.”

“The problem with typical security on a cloud is that there is no way to check everything,” says Bestavros. “The systems are too big, and there are too many different technologies. Trying to secure the whole thing is a lost cause.”

To understand the MACS modular approach, says Bestavros, imagine making a house secure by securing every room and then combining all of the secure pieces. “It’s a very difficult problem,” he says. “We hope to take it from theory to practice in a real cloud.”

Read more at BU Today

NSF announces two Frontier-scale projects

By Ariel Plotkin, July 31st, 2014

Today, the National Science Foundation's (NSF) Secure and Trustworthy Cyberspace (SaTC) program announced two new center-scale "Frontier" awards to support large, multi-institution projects that address grand challenges in cybersecurity science and engineering with the potential for broad economic and scientific impact.

One Frontier grant was awarded to the Modular Approach to Cloud Security (MACS) project, which aims to build information systems for the cloud with meaningful multi-layered security. In the project, researchers will design and test a modular approach to cybersecurity. The project will build the cybersecurity system from smaller, separate functional components, each asserting its own security individually. As a result, the security of the system as a whole will be derived from the security of its components.

"Our goal is to build a cloud with clear and transparent security properties," said Ran Canetti, a professor of computer science at Boston University and lead researcher on the project. "Furthermore, we intend to make it modular, thus enabling the construction of cloud services from basic components in a security-preserving way. If successful, this project will transform the way we currently build and argue about secure systems."

The team--made up of researchers from Boston University, Massachusetts Institute of Technology, the University of Connecticut and Northeastern University--comprises experts in different aspects of information security and cryptography.

A key component of the MACS project is its integration into the Massachusetts Open Cloud, which provides the research team with a testbed for deploying and testing the mechanisms they develop at reasonable scale. The project continues NSF's commitment to support the transition of great ideas from research to practice.