This has moved to http://crypto.stanford.edu/~stinson/security-lunch.htm

 

Following is an archive of security lunches in spring 2007:

 

 

 

 

Spring 2007

 

 

 

 

Date: 6 June 2007

 

Speaker: Maryanne McCormick

 

Title: Demand response energy systems:  security, privacy and policy

 

Abstract:

In the wake of the California energy crisis of 2000-2001, the California Energy Commission (CEC) and California Public Utilities Commission (CPUC) are aggressively pursuing “demand response” (DR) energy programs aimed at reducing peak energy demand. Demand response systems convey information about market conditions through pricing or reliability signals to customers, who in turn, hopefully, alter their electricity consumption choices. Technologies to enable the demand response system, including advanced metering research and development [OpenAMI] and sensor and control technologies development [DRETD], are under development. These technologies will be coupled with a communication and network infrastructure that supports the multicast of real-time pricing information, and the aggregation of energy usage and billing information.


Over the next years these meters may be replaced by digital meters that collect data at frequent intervals, store it for many days, and transmit it wirelessly to the utility. Meters likely to be installed are expected to contain a data collection module that will enable hourly readings and wireless transmittal of these readings to the utilities. The changes in the frequency, format, contents, storage and transmission of data about electricity consumption that are integral to the planned demand response infrastructure raise interesting questions about the ongoing viability of maintaining, as a technical, practical and legal matter, the privacy of activities occurring within the home.

 

Bio:

Maryanne McCormick is the Associate Director of Policy and Outreach, Senior Attorney at the Samuelson Law, Technology and Public Policy Clinic, Berkeley Center for Law and Technology. Maryanne joined Berkeley from the Molecular Sciences Institute, an interdisciplinary genomics research laboratory where she was Counsel and Director of Outreach. Prior to MSI, she spent over a decade at the intersection of technology and public policy, serving in the office of Senator Daniel Patrick Moynihan, managing public policy for Corning Incorporated, working at the Federal Communications Commission, and representing the California Small Business Roundtable. She is a member of the California bar.

 

 

 

Date: 30 May 2007

 

Speaker: Des Cahill

 

Title: Habeas, Inc. a Reputation Service Provider for Email

 

Abstract:

Habeas is a mid-stage startup in Mountain View, California that is a "reputation service provider" for email. We identify legitimate email streams and spammers and publish that information to the world. Habeas maintains a database which "scores" 500M IP addresses and domains sending email. This database has multiple applications in anti-spam, marketing, e-commerce and online advertising contexts. The presentation will introduce Habeas, its business model and technology, and examine the evolving world of email authentication and reputation and the implications for the continued health of email.

 

Bio:

Des Cahill is CEO of Habeas, a member of the board of directors and is responsible for all company operations. Cahill is a technology industry veteran and serial entrepreneur, bringing extensive executive-level experience in marketing, sales and operations from some of America's best-known technology companies — Apple Computer, America Online, Netscape — and from some successful startups — Autonomy, BridgeSpan and eFax.com.

 

 

Date: 16 May 2007

 

Speaker: Ben Pfaff

 

Title: Extreme Paravirtualization

 

Abstract:

Since the origin of virtual machine monitors in the 1960s, virtual hardware has often been designed with an "impure" interface that differs from physical hardware. Paravirtualization, as this is now termed, is often used to simplify VMMs and boost VM performance.


This paper explores tradeoffs in a rarely seen form of paravirtual interface, where the virtual interface operates at a higher level of abstraction than the common hardware interface. We in particular examine the effects of providing a BSD socket-like interface to a VM instead of an Ethernet interface, and the effects of providing a file system interface instead of a block device interface.


Our experiments show that higher-level ("extreme") paravirtualization has direct benefits for sharing, security, and modularity. Modularity, in turn, has potential for indirect benefits of the same kinds often ascribed to modular microkernel-based systems. We also show that our approach requires little or no change to existing VMMs and operating systems. Finally, given the availability of processor cores, it has minimal performance cost: 3% or less in every case for our paravirtual network stack, and under 4% for file system macro-benchmarks. In special cases, we even demonstrate speed-ups.

 

 

Date: 9 May 2007

 

Speaker: Nickolai Zeldovich

 

Title: Information Flow Control in a Distributed System

 

Abstract:

News of yet another attacker compromising a web site and gaining access to thousands of social security and credit card numbers does not surprise anyone today.  This sad state of affairs in part comes from poorly-tested and complex site-specific application code being trusted to enforce security policies.  This is equivalent to trusting every Unix program to ensure that each user can only access their own files, an unthinkable proposition that has become the norm on the web.


One solution may be to enforce the security policy separately from the application code. Recent work on operating systems, such as Asbestos and HiStar, has shown that it is practical to specify and enforce an overall security policy in terms of what can happen to the data. For example, a web site can protect private user information by ensuring that one user's private data cannot be sent to another user's browser. However, an operating system can only enforce such an information flow policy on a single physical machine. In contrast, web applications are often distributed over many physical machines, making it difficult to enforce an overall information flow policy.

 

This talk will discuss the design of a distributed and decentralized system that can enforce an overall information flow policy.  A central problem we solve is deciding whether it is safe to communicate with another machine, without any fully-trusted central authority: any communication with that machine may in itself reveal secret information to an attacker.  Using our system, we build a scalable distributed web server that minimizes the trust placed in any single component.  In most cases, even a fully-compromised kernel on one web server machine cannot subvert the security of all users.

 

 

Date: 2 May 2007

 

Speaker: Tal Garfinkel

 

Title: Compatibility is Not Transparency: VMM Detection Myths and Realities

 

Abstract:

Work on applications ranging from building realistic honeypots to stealthy VMM rootkits has speculated about building transparent VMMs -- VMMs that are indistinguishable from native hardware, even to a dedicated adversary. In this talk I will discuss anomalies between real and virtual hardware and consider methods for detecting such anomalies, as well as possible countermeasures. I will argue that building a transparent VMM is fundamentally infeasible, as well as impractical from a performance and engineering standpoint.

 

 

Date: 25 April 2007

 

Speaker: Dilys Thomas

 

Title: Algorithms and Architectures for Data Privacy

 

Abstract:

The explosive progress in networking, storage, and processor technologies has resulted in an unprecedented volume of digital data. In concert with this escalating increase in digital data, concerns about privacy of personal information have emerged globally. The ease with which data can be collected automatically, stored in databases and queried efficiently over the internet has worsened the privacy situation, and has raised numerous ethical and legal concerns. Problems arising from private data falling into malicious hands include identity theft, spam and embarrassment. Privacy enforcement today is being handled primarily through legislation. We aim to provide technological solutions to achieve a tradeoff between data privacy and data utility. We focus on three problems in the area of database privacy in this thesis.

The first problem is that of data sanitization before publication. There are two main reasons for data sanitization before publication. Publishing health and financial information for research purposes requires the data be anonymized so that the privacy of individuals in the database is protected. This anonymized information can be used as is or can be combined with another (anonymized) dataset for analysis. We explore both these scenarios in this thesis. Another reason for sanitization is to give the data to an out-sourced software developer for software development without the out-sourced data handler learning information about its client. We briefly explain such a tool in this thesis.

The second part of the thesis is auditing query logs for privacy. Given certain forbidden views of a database that must be kept confidential, a batch of SQL queries that were posed over this database, and a definition of suspiciousness, we study the problem to determine whether the batch of queries is suspicious with respect to the forbidden views.


The third part of the thesis deals with distributed architectures for data privacy. The advent of databases as an out-sourced service has resulted in privacy concerns on the part of the client storing data with third party database service providers. Previous approaches to enabling such a service have been based on data encryption, causing a large overhead in query processing.  In this thesis we provide a distributed architecture for secure database services as a solution to this problem. We then develop algorithms for partitioning columns for these distributed architectures.

 

 

Date: 18 April 2007

 

Speaker: Gergei Bana

 

Title: Computational Semantics for Basic Protocol Logic

 

Abstract:

We present a new way of relating formal and computational models of cryptography in case of active adversaries when formal security analysis is done with first order logic. We present this via considering a simple example of such a formal model, the Basic Protocol Logic by K. Hasebe and M. Okada, but the technique is suitable for extensions to more complex situations. Our idea is to make use of the usual mathematical treatment of stochastic processes, hence be able to treat arbitrary probability distributions, non-negligible probability of collision, causal dependence or independence, and so on. 

 

Bio:

Gergei Bana received his PhD in mathematics from the University of Pennsylvania, and he is now a post-doctoral researcher at the University of California, Davis. His primary interest is the relationship between formal and computational methods of cryptography. 

 

 

Date: 11 April 2007

 

Speaker: Collin Jackson

 

Title:

 

Abstract: