Network Operations and Internet Security @ Princeton


Software Defined Security: Data Leak Prevention System to Appear at ACSAC

Yogesh Mundada and Anirudh Ramachandran's SilverLine system was accepted to the 2013 Annual Computer Security Applications Conference (ACSAC). SilverLine is an SDN-based system that protects against data leaks from multi-tier Web applications that access sensitive data but are nonetheless vulnerable to various attacks, such as SQL injection and insecure direct object reference, that might ultimately leak sensitive data.

SilverLine Architecture

In SilverLine, an application developer who writes a Web application can apply security labels to data in a database. When a Web application issues a query against the database to retrieve data, the query is rewritten so that the records include security labels. All network connections associated with that result are also associated with both the labels and the intended recipient of the data. A declassifier (a special SDN controller) inspects the security labels associated with each flow and determines whether to allow the flow based on the recipient of the data and the security labels associated with that flow.
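The following is an added toy model of the label-and-declassifier flow described above; it is not SilverLine's code, and the users, records, labels and release policy in it are constructed. It shows why a handler that never checks ownership (an insecure direct object reference, or an injected query that returns the whole table) still cannot leak another user's records when the outgoing flow is checked against the labels on the result.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """A Web session bound at login to the authenticated user."""
    session_id: str
    user: str


# Constructed sample data: every record carries a security label
# (the owner's name, or "public") that travels with the record.
DB = {
    "invoices": [
        {"id": 1, "label": "alice", "amount": 120},
        {"id": 2, "label": "bob", "amount": 75},
        {"id": 3, "label": "public", "amount": 0},
    ]
}

# Constructed release policy: which users may receive data under a label.
# "*" means the label is releasable to anyone.
POLICY = {"alice": {"alice"}, "bob": {"bob"}, "public": {"*"}}


def rewritten_query(table, where):
    """Stand-in for query rewriting: the result set comes back together with
    the set of labels on the records it contains, so those labels can be
    attached to the network flow that carries the result."""
    rows = [r for r in DB[table] if all(r.get(k) == v for k, v in where.items())]
    return rows, {r["label"] for r in rows}


def declassifier_allows(labels, session):
    """Declassifier check: release the flow to the session's user only if
    every label on it is releasable to that user."""
    return all("*" in POLICY[lbl] or session.user in POLICY[lbl] for lbl in labels)


def handle_request(session, table, where):
    """A deliberately naive application handler that runs whatever query the
    client asked for, with no ownership check of its own. The declassifier,
    not the application, decides whether the result may leave the server."""
    rows, labels = rewritten_query(table, where)
    if declassifier_allows(labels, session):
        return rows, "allowed"
    return [], "blocked"  # flow dropped before it reaches the client


if __name__ == "__main__":
    alice = Session("s-1", "alice")
    print(handle_request(alice, "invoices", {"id": 1}))  # own record: allowed
    print(handle_request(alice, "invoices", {"id": 2}))  # bob's record: blocked
    print(handle_request(alice, "invoices", {}))         # whole table: blocked
```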

SilverLine is one of the first systems to step into the space of Software Defined Security. Congratulations to Yogesh and Anirudh on this pioneering effort! An abstract of the work is below.

SilverLine: Preventing Data Leaks from Compromised Web Applications
Yogesh Mundada, Anirudh Ramachandran, Nick Feamster
Web applications can have vulnerabilities that result in server-side data leaks. Securing sensitive data from Web applications while ensuring reasonable performance and without requiring developers to rewrite applications is challenging. We present SilverLine, which prevents data leaks from compromised Web applications. SilverLine uses login information to associate a user with each Web session; it then taints each file and database record and applies information-flow tracking to the data associated with each session to ensure that application data is released only to sessions of authorized users. We have implemented SilverLine on Linux; our implementation demonstrates that SilverLine can protect a PHP-based Web application from many of the most common server-side Web application attacks, with only minor application modifications and reasonable performance overhead.


New Measurement/Policy Brief: Mobile and Fixed Broadband in South Africa

How do mobile and fixed broadband stack up in South Africa?

Unlike in more developed nations, where fixed-line broadband connectivity is the predominant form of broadband access, in South Africa mobile broadband is predominant. Mobile broadband connectivity is also both cheaper and faster than fixed-line connectivity. Unfortunately, our study using a BISmark testbed deployment in South Africa shows that wireless is inherently less stable than fixed broadband technologies such as xDSL and fibre. The implications of not having ubiquitous, reliable, always-on high-speed connectivity for the economy and for global competitiveness are serious.

For a detailed description of the methods used to measure broadband performance, download the draft policy paper on investigating broadband performance in South Africa in 2013, which we co-authored with Research ICT Africa and are circulating for comments. (Comments welcome!)