nick l. petroni, jr.

projects

Current Projects

Runtime Kernel Integrity Monitoring

One of the fundamental goals of computer security is to ensure the integrity of system resources. Because all user applications rely on the integrity of the kernel and core system utilities, the compromise of any one part of the system can result in a complete lack of reliability in the system as a whole. Particularly in the case of commodity operating systems, providing assurance about the numerous and complex parts of the system is exceedingly difficult. The most important pieces of this complex system reside in the core of the kernel itself. This research focuses on the development of monitoring techniques for detecting data and code modifications to operating system kernels at runtime.

Volatile Memory Forensics

For the purposes of incident response and analysis, volatile system memory represents a valuable yet challenging medium for the collection of digital evidence. While traditional digital forensic techniques have focused on disk drives and other more lasting data sources, system memory can provide a great deal of information about the system's runtime state at the time of, or just after, an incident. Details such as running processes, loaded libraries, logged-in users, listening network sockets, and open files are all available in system memory. This information can provide a great deal of context, particularly when used in conjunction with traditional forensic data sources. Additionally, recent advances in real-world threats have shown a trend towards memory-only modification whenever possible, thereby rendering traditional post-mortem analysis techniques blind to the existence of intruders. While the need for access to forensic data extracted from volatile memory has been demonstrated, a number of barriers make this access difficult. This research focuses on developing a comprehensive framework for analyzing system memory in the wake of an incident.

Previous Projects

Wireless Security

As wireless networks were becoming increasingly prevalent, researchers identified a range of design and implementation problems with those networks ranging from cryptographic weaknesses to insufficient authentication and access control mechanisms. Our work focused on analyzing various protocols used in wireless LANs to understand the fundamental issues underlying those networks. Our analysis of IEEE 802.11, IEEE 802.1X, and (IETF) EAP allowed us to identify problems with protocol interactions in the wireless environment and help effect protocol changes to address those issues. Additional work, led by Arunesh Mishra and Minho Shin, focused on the design and implementation of fast, secure handoffs in wireless networks.

Open1X

The first Open Source implementation of the IEEE 802.1X specification was started by Arunesh Mishra, Bryan Payne, and myself. It is now excellently maintained by Chris Hessing and Terry Simons. See open1x.org.

IETF EAP Working Group

I was active in the Extensible Authentication Protocol Working Group and am a co-author of the EAP State Machine Informational RFC. That group is doing good work and more information can be found here.