Smith, Jonathan M

Disciplines
Computer and Systems Architecture
Digital Communications and Networking
Library and Information Science
OS and Networks
Software Engineering
Systems Architecture
Systems and Communications
Position
Faculty Member

Now showing 1 - 10 of 70
  • Publication
    The Price of Safety in an Active Network
    (1999) Alexander, D. Scott; Anagnostakis, Kostas G.; Arbaugh, William A; Keromytis, Angelos D; Smith, Jonathan M
    Lack of security is a major threat to "Active Networking," as programmability creates numerous opportunities for mischief. The point at which programmability is exposed, e.g., through the loading of code into network elements, must therefore be carefully crafted to ensure security. This paper makes two contributions. First, it describes the implementation of a solution, the Secure Active Network Environment (SANE), which is intended to operate on an active network router. The SANE architecture provides a secure bootstrap process, which includes cryptographic certificate exchange and results in execution of a module loader for introducing new code, as well as a packet execution environment. SANE thus permits a direct comparison of security implications of active packets (such as "capsules") with active extensions (used for "flows" of packets). The second contribution of the paper is a performance study using a combination of execution traces and end-to-end throughput measurements. The example code performs an "active ping" and allows us to break down costs into categories such as authentication. In our SANE implementation on 533 MHz Alpha PCs, securing active packets effectively increases the time required to process a packet by a third. This result implies that the majority of packets must remain unauthenticated in high performance active networking solutions. We discuss some solutions which preserve security.
  • Publication
    MAGICCARPET: Verified Detection and Recovery for Hardware-based Exploits
    (2015-03-01) Sturton, Cynthia; Hicks, Matthew; King, Samuel T.; Smith, Jonathan M
    MAGICCARPET is a new approach to defending systems against exploitable processor bugs. MAGICCARPET uses hardware to detect violations of invariants involving security-critical processor state and uses firmware to correctly push software's state past the violations. The invariants are specified at run time. MAGICCARPET focuses on dynamically validating updates to security-critical processor state. In this work, (1) we generate correctness proofs for both MAGICCARPET hardware and firmware; (2) we prove that processor state and events never violate our security invariants at runtime; and (3) we show that MAGICCARPET copes with hardware-based exploits discovered post-fabrication using a combination of verified reconfigurations of invariants in the fabric and verified recoveries via reprogrammable software. We implement MAGICCARPET inside a popular open source processor on an FPGA platform. We evaluate MAGICCARPET using a diverse set of hardware-based attacks based on escaped and exploitable commercial processor bugs. MAGICCARPET is able to detect and recover from all tested attacks with no software run-time overhead in the attack-free case.
  • Publication
    The QoS Broker
    (1994) Nahrstedt, Klara; Smith, Jonathan M
    Many networked multimedia applications are delay-sensitive, and hence desire services with guarantees of resource availability and timeliness. For networks such as those based on Asynchronous Transfer Mode (ATM), these services are specified through Quality of Service (QoS) parameters. Delivering end-to-end QoS implies complex resource management at the end-points (e.g., computer workstation hosts), as well as in the underlying network. In this paper, we describe a model for an end-point entity, which we have designed and implemented, called the QoS Broker. The broker orchestrates resources at the end-points, cooperating with resource management in the underlying ATM network. The broker, as an intermediary, hides implementation details from applications and resource managers. We motivate the concept and particulars of our design, including services such as translation, admission and negotiation which the broker uses to properly configure the system to application needs. We treat the QoS negotiation as a 'deal' between the user ("buyer") and the network ("seller") for the setup of a customized connection. The key concept is that the broker is an active intermediary which isolates cooperating entities from operational details of other entities.
  • Publication
    QuanTM: A Quantitative Trust Management System
    (2009-03-01) West, Andrew G; Aviv, Adam J; Chang, Jian; Prabhu, Vinayak S; Blaze, Matthew A; Kannan, Sampath; Lee, Insup; Smith, Jonathan M; Sokolsky, Oleg
    Quantitative Trust Management (QTM) provides a dynamic interpretation of authorization policies for access control decisions based upon evolving reputations of the entities involved. QuanTM, a QTM system, selectively combines elements from trust management and reputation management to create a novel method for policy evaluation. Trust management, while effective in managing access with delegated credentials (as in PolicyMaker and KeyNote), needs greater flexibility in handling situations of partial trust. Reputation management provides a means to quantify trust, but lacks delegation and policy enforcement. This paper reports on QuanTM's design decisions and novel policy evaluation procedure. A representation of quantified trust relationships, the trust dependency graph, and a sample QuanTM application specific to the KeyNote trust management language, are also proposed.
  • Publication
    Automated Recovery in a Secure Bootstrap Process
    (1997-08-01) Arbaugh, William A; Keromytis, Angelos D; Farber, David J; Smith, Jonathan M
    Integrity is rarely a valid presupposition in much systems architecture, yet it is necessary to make any security guarantees. To address this problem, we have designed a secure bootstrap process, AEGIS, which presumes a minimal amount of integrity, and which we have prototyped on the Intel x86 architecture. The basic principle is sequencing the bootstrap process as a chain of progressively higher levels of abstraction, and requiring each layer to check a digital signature of the next layer before control is passed to it. A major design decision is the consequence of a failed integrity check. A simplistic strategy is to simply halt the bootstrap process. However, as we show in this paper, the AEGIS bootstrap process can be augmented with automated recovery procedures which preserve the security properties of AEGIS under the additional assumption of the availability of a trusted repository. We describe a variety of means by which such a repository can be implemented, and focus our attention on a network accessible repository. The recovery process is easily generalized to applications other than AEGIS, such as standardized desktop management and secure automated recovery of network elements such as routers or "Active Network" elements.
  • Publication
    The Influence of ATM on Operating Systems
    (2002-11-01) Smith, Jonathan M
    The features of ATM offered many attractions to the application community, such as fine-grained multiplexing and high-throughput links. These created considerable challenges for the O.S. designer, since a small protocol data unit size (the 48 byte "cell") and link bandwidths within a (binary) order of magnitude of memory bandwidths demanded considerable rethinking of operating system structure. Using an historical and personal perspective, this paper describes two aspects of that rethinking which I participated in directly, namely, those of new event signalling and memory buffering schemes. Ideas and techniques stemming from ATM network research influenced first research operating systems and then commercial operating systems. The positive results of ATM networking, although indirect, have benefitted applications and systems far beyond the original design goals.
  • Publication
    Active networking: one view of the past, present, and future
    (2004-02-01) Smith, Jonathan M; Nettles, Scott M.
    All distributed computing systems face the architectural question of the location (and nature) of programmability in the telecommunications networks, computers, and other peripheral devices comprising them. The perspective of this paper is that network elements should be as programmable as possible, to enable the most flexible distributed computing systems. There has been a persistent confluence among operating systems, programming languages, networking and distributed systems. We demonstrate how these interactions led to what is called "active networking", and in the spirit of "vox audita perit, littera scripta manet" (the spoken word perishes, but the written word remains), include an account of how it was made to happen. Lessons are drawn both from the broader research agenda, and the specific goals pursued in the SwitchWare project. We speculate on likely futures for active networking.
  • Publication
    A Secure Active Network Environment Architecture
    (1997) Alexander, D. Scott; Arbaugh, William A.; Keromytis, Angelos D; Smith, Jonathan M
    Active Networks are a network infrastructure which is programmable on a per-user or even per-packet basis. Increasing the flexibility of such network infrastructures invites new security risks. Coping with these security risks represents the most fundamental contribution of Active Network research. The security concerns can be divided into those which affect the network as a whole and those which affect individual elements. It is clear that the element problems must be solved first, as the integrity of network-level solutions will be based on trust of the network elements. In this paper, we describe the architecture and implementation of a Secure Active Network Environment (SANE), which we believe provides a basis for implementing secure network-level solutions. We guarantee that a node begins operation in a trusted state with the AEGIS secure bootstrap architecture. We guarantee that the system remains in a trusted state by applying dynamic integrity checks in the network element's run time system, a novel naming system, and applying node-node authentication when needed. The SANE implementation is for x86 architectures, currently those running one of several varieties of UNIX.
  • Publication
    Exploiting Parallelism in Hardware Implementation of the DES
    (1993-02-01) Broscious, Albert G; Smith, Jonathan M
    The Data Encryption Standard algorithm has features which may be used to advantage in parallelizing an implementation. The kernel of the algorithm, a single round, may be decomposed into several parallel computations resulting in a structure with minimal delay. These rounds may also be computed in a pipelined parallel structure for operations modes which do not require cryptext feedback. Finally, system I/O may be performed in parallel with the encryption computation for further gain. Although several of these ideas have been discussed before separately, the composite presentation is novel.
  • Publication
    Design, Implementation and Experiences of the OMEGA End-Point Architecture
    (1995) Nahrstedt, Klara; Smith, Jonathan M
    New cell-switched network technologies and multimedia peripherals enable distributed applications with strict real-time requirements such as remote control with feedback. Time-bounded network communications services are necessary, but not sufficient, to meet application-to-application real-time requirements. Real-time communication must be coupled with real-time computing support at the network end-points. An end-point architecture for the computation/communications coupling must be flexible and robust to support a diversity of applications. The OMEGA architecture, when coupled with cell-switched networks (or others which can make bandwidth and delay guarantees), can approximate the behavior of dedicated microcontrollers connected by dedicated circuits in support of an application. The essence of the OMEGA architecture is resource reservation and management within the set of multimedia endpoints. Communications is preceded by a call set-up period where requirements, expressed in terms of Quality of Service (QoS) parameters, are negotiated, and guarantees are made at several logical levels, such as between applications and the network subsystem, applications and the operating system, and the network subsystem and the operating system. This establishes customized connections and allocation of resources appropriate to the application requirements and OS/network capabilities. To facilitate this resource management process, a new paradigm called the 'QoS Brokerage' is used. This paradigm requires new services and protocols across all layers of the protocol stack (i.e., the higher layers of B-ISDN), as well as re-architecting the application/network interface. A prototype of OMEGA has been implemented and tested with a master/slave telerobotics application using a dedicated 155 Mbps ATM LAN. This application employs media with highly diverse QoS requirements and therefore provides a good platform for testing how closely one can approximate a dedicated circuit and controller with workstation hosts and cell-switching. Experience with this implementation has helped to identify new challenges to extending these techniques to a larger domain of applications and systems, and raises several new research questions.