Yanfei Fan,Yixin Jiang,Haojin Zhu,Jiming Chen,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/twc.2011.122010.100087

IF: 10.4

2010-01-01

IEEE Transactions on Wireless Communications

Abstract:Privacy threat is one of the critical issues in multi-hop wireless networks, where attacks such as traffic analysis and flow tracing can be easily launched by a malicious adversary due to the open wireless medium. Network coding has the potential to thwart these attacks since the coding/mixing operation is encouraged at intermediate nodes. However, the simple deployment of network coding cannot achieve the goal once enough packets are collected by the adversaries. On the other hand, the coding/mixing nature precludes the feasibility of employing the existing privacy-preserving techniques, such as Onion Routing. In this paper, we propose a novel network coding based privacy-preserving scheme against traffic analysis in multi-hop wireless networks. With homomorphic encryption on Global Encoding Vectors (GEVs), the proposed scheme offers two significant privacy-preserving features, packet flow untraceability and message content confidentiality, for efficiently thwarting the traffic analysis attacks. Moreover, the proposed scheme keeps the random coding feature, and each sink can recover the source packets by inverting the GEVs with a very high probability. Theoretical analysis and simulative evaluation demonstrate the validity and efficiency of the proposed scheme.

Yaoxue Zhang,Laurence Tianruo Yang,Yuezhi Zhou,Wenyuan Kuang

DOI: https://doi.org/10.3233/wia-2010-0187

2010-01-01

Abstract:The rapid development of computer network technologies and social informationalization has brought many new opportunities and challenges in information security. With improved information and service sharing enjoyed by more and more people, how to strengthen the information security has become an increasingly critical issue. In this paper, we propose a new network security mechanism based on a novel computing paradigm, i.e., transparent computing, which is based on the extended von Neumann architecture. This paradigm separates the program storage and execution, which is implemented in the network environment. It is realized by a new generation server and client BIOS, namely EFI BIOS, and coordinated with the MetaOS management platform and related switching and input/ouput devices of transparent computing. Through the interface between hardware and software, it conducts effective control, monitoring and management of data and instructions in a block-streaming way for the operating system and the application programs above it. At the same time, it adopts a security protection mechanism to prevent and remove prevalent malicious software such as worm and Trojan horse. Several demonstrated examples are described in detail to illustrate the attractive and promising security features and advantages.

Haiwei Xue,Yiqi Dai

DOI: https://doi.org/10.1504/ijcc.2012.049768

2012-01-01

International Journal of Cloud Computing

Abstract:Transparent computing system provides services, including OS, applications, data, etc., for end users, in which users can request the computing and storages resources according to their requirement. It is important to protect the data in transparent computing system, especially to enhance the privacy protection. In some cases, security threats are not only from malicious users or viruses but also include inside leaks, which cannot be prevented by current security systems. We proposed system-based privacy protection model for transparent computing systems in this paper. Our model is based from mandatory access control and we use formal methods to analysis the privacy protection problem. Our model is a state machine model, which have five state transition rules and all these rules can be proved to be safe by formally description method. So if we use these rules in transparent computing system, and make sure that the initial state is secure, the transparent computing system is always keep state secure.

X Zhou,HH Pang,KL Tan

DOI: https://doi.org/10.1109/icde.2004.1320028

2004-01-01

Abstract:To support ubiquitous computing, the underlying data have to be persistent and available anywhere - anytime. The data thus have to migrate from devices local to individual computers, to shared storage volumes that are accessible over open network. This potentially exposes the data to heightened security risks. We propose two mechanisms, in the context of a steganographic file system, to mitigate the risk of attacks initiated through analyzing data accesses from user applications. The first mechanism is intended to counter attempts to locate data through updates in between snapshots - in short, update analysis. The second mechanism prevents traffic analysis - identifying data from I/O traffic patterns, We have implemented the first mechanism on Linux and conducted experiments to demonstrate its effectiveness and practicality. Simulation results on the second mechanism also show its potential for real world applications.

Xiaosong Zhang,Fei Liu,Ting Chen,Hua Li

DOI: https://doi.org/10.1109/cis.2009.107

2009-01-01

Abstract:Traditional data leakage prevention strategies encompass access control, audit logon and authority management. They have some effects on preventing sensitive information from leakage, while the system’ s availability may be degraded seriously by their limitation. To solve this problem, a novel model based on Windows file system filter driver is proposed in this paper, in which system encrypts files automatically according to encryption strategies. Leaking confidential information out of enterprise environment, intentionally or unintentionally, will be prevented effectively. Moreover, it has the characteristic of mandatory and transparent encryption, which can compromise the contradiction between data security and user flexibility.

Yuxia Cheng,Qing Wu,Wenzhi Chen,Bei Wang

DOI: https://doi.org/10.1016/j.jpdc.2018.07.014

IF: 4.542

2018-01-01

Journal of Parallel and Distributed Computing

Abstract:Transmissible cyber threats have become one of the most serious security issues in cyberspace. Many techniques have been proposed to model, simulate and identify threats’ sources and their propagation in large-scale distributed networks. Most techniques are based on the analysis of real networks dataset that contains sensitive information. Traditional in-memory analysis of these dataset often causes data leakage due to system vulnerabilities. If the dataset itself is compromised by adversaries, this threat cost would be even higher than the threat being analysed. In this paper, we propose a new distributed shielded execution framework (Disef) for cyber threats analysis. The Disef framework enables efficient distributed analysis of network dataset while achieves security guarantees of data confidentiality and integrity. In-memory dataset is protected by using a new encrypted key–value format and could be efficiently transferred into Intel SGX enabled enclaves for shielded execution. Our experimental results showed that the proposed framework supports secure in-memory analysis of large network dataset and has comparable performance with systems that have no confidentiality and integrity guarantees.

Yaoxue Zhang

DOI: https://doi.org/10.1109/EUC.2008.188

2008-01-01

Abstract:In this talk, we present some new research results about our Transparent Computing which is a new computing paradigm for service sharing. Rapid development in computer networks let people easily share the hardware and software resources, however, because the slow progress in Operating system technologies and few changes in computer architectures in several decades, it is still not easy to share services from different software and hardware platforms for users. Transparent Computing paradigm separates the storages and executions of software programs and data including what of operating systems in different computers connecting with communication networks. In this paradigm, data and programs are stored in the storage servers and they are executed in either clients or execution servers according to the required services, respectively. We propose a new mechanism called Meta OS to manage this separation. This mechanism extends the Neumann architecture special-temporally, so that a sequentially virtual computing can be effectively obtained and the individual service sharing can be easily performed underlying different Operating System platforms. We will introduce the idea, the mechanism and algorithms of proposed Meta OS for the separation of the programs and data including what of Operating Systems. Moreover, we also present some examples about the applications of this computing paradigm.

Hai Jin,Guofu Xiang,Deqing Zou,Feng Zhao,Min Li,Chen Yu

DOI: https://doi.org/10.1016/j.camwa.2010.01.007

IF: 3.218

2010-01-01

Computers & Mathematics with Applications

Abstract:The file system becomes the usual target of malicious attacks because it contains lots of sensitive data, such as executable programs, configuration and authorization information. File integrity monitoring is an effective approach to discover aggressive behavior by detecting modification actions on these sensitive files. Traditional real-time integrity monitoring tools, which insert hooks into the OS kernel, are easily controlled and disabled by malicious software. Such existing methods, which insert kernel module into OS, are hard to be compatible because of the diversity of OS. In this paper, we present a non-intrusive real-time file integrity monitoring method in virtual machine-based computing environment, which is transparent to the monitored system. The monitor is isolated from the monitored system, since it observes the state of the monitored system from the outside. This method brings two benefits: detecting file operations in real time and being invisible to malicious attackers in the monitored system. Furthermore, a kind of file classification algorithm based on file security level is proposed to improve efficiency in this paper. The proposed file integrity monitoring method is implemented in the full-virtualization mode supported by the Xen platform. The experimental results show that the method is effective with acceptable overhead.

Cong Sun,Ennan Zhai,Zhong Chen,Jianfeng Ma

DOI: https://doi.org/10.1007/978-3-642-25243-3_28

2011-01-01

Abstract:Interactive/Reactive computational model is known to be proper abstraction of many pervasively used systems, such as clientside web-based applications. The critical task of information flow control mechanisms aims to determine whether the interactive program can guarantee the confidentiality of secret data. We propose an efficient and flow-sensitive static analysis to enforce information flow policy on program with interactive I/Os. A reachability analysis is performed on the abstract model after a form of transformation, called multi-composition, to check the conformance with the policy. In the multi-composition we develop a store-match pattern to avoid duplicating the I/O channels in the model, and use the principle of secure multi-execution to generalize the security lattice model which is supported by other approaches based on automated verification. We also extend our approach to support a stronger version of termination-insensitive noninterference. The results of preliminary experiments show that our approach is more precise than existing flow-sensitive analysis and the cost of verification is reduced through the store-match pattern.

Yu Tai,Wei Hu,Dejun Mu,Baolei Mao,Lu Zhang

DOI: https://doi.org/10.1109/ACCESS.2017.2780254

IF: 3.9

2018-01-01

IEEE Access

Abstract:Computing hardware has become an attractive attack surface due to the globalization of semi-conductor design and supply chain, and the wide integration of third-party intellectual property cores. Recently, gate-level information flow tracking (GLIFT) has been proposed to monitor the flow of information in secure hardware design by associating data objects with sensitivity labels and tracking the flow of labeled data. GLIFT can be used to model and verify security-related properties, such as confidentiality and integrity. However, existing work in this realm only considers binary labels. These are inadequate for understanding simultaneous information flow behaviors and the root source information flows. In this paper, we propose a precise multi-bit GLIFT method to perform simultaneous multi-bit flow tracking for understanding exactly which bits are affecting a data object at the same time. The proposed method provides more detailed insights into simultaneous information flow behaviors and thus allows proof of quantitative information flow data properties. We compare the complexity and verification performance for different information flow models using primitive gates, IWLS benchmarks, several cryptographic cores, and trust HUB benchmarks. Experimental results have demonstrated that our method can reason about multi-bit information flow behaviors and identify potential security flaws.

Chong Wang,Nasro Min-Allah,Bei Guan,Yu-Qi Lin,Jing-Zheng Wu,Yong-Ji Wang

DOI: https://doi.org/10.1007/s11390-019-1979-8

IF: 1.871

2019-01-01

Journal of Computer Science and Technology

Abstract:Covert channels have been an effective means for leaking confidential information across security domains and numerous studies are available on typical covert channels attacks and defenses. Existing covert channel threat restriction solutions are based on the threat estimation criteria of covert channels such as capacity, accuracy, and short messages which are effective in evaluating the information transmission ability of a covert (storage) channel. However, these criteria cannot comprehensively reflect the key factors in the communication process such as shared resources and synchronization and therefore are unable to evaluate covertness and complexity of increasingly upgraded covert storage channels. As a solution, the anti-detection criterion was introduced to eliminate these limitations of cover channels. Though effective, most threat restriction techniques inevitably incur high performance overhead and hence become impractical. In this work, we avoid such overheads and present a restriction algorithm based on the anti-detection criterion to restrict threats that are associated with covert storage channels in virtual machines while maintaining the resource efficiency of the systems. Experimental evaluation shows that our proposed solution is able to counter covert storage channel attacks in an effective manner. Compared with Pump, a well-known traditional restriction algorithm used in practical systems, our solution significantly reduces the system overhead.

Yuan Gao,Yaoxue Zhang,Yuezhi Zhou

DOI: https://doi.org/10.1109/csss.2012.581

2012-01-01

Abstract:Transparent computing separates computation and storage in different machines with a storage virtualization mechanism. In existing implementation, the user operating system needs to be modified to achieve storage virtualization. This paper presents a virtual machine-based network storage system for transparent computing, which uses a virtualized device model in service operating system to redirect device I/O requests in user operating system over networks to be serviced by the server. As a result, heterogeneous operating systems and applications can run on-demand without any modification in a transparent computing environment. The method enables users to focus on the needed computing without consideration of the technical issues or management. A prototype system implemented based on Xen and Intel VT verifies the feasibility and effectiveness of the method.

Guangbin Xu,Yaoxue Zhang,Yuezhi Zhou,Wenyuan Kuang

DOI: https://doi.org/10.1109/iccit.2007.137

2007-01-01

Abstract:Transparent computing is a novel, pervasive computing applied paradigm in which users can transparently utilize operating systems and upper software resource as a disposable resource while obtaining a full desktop computing experience. This paper presents the implement architecture of Transparent Computing, which will be implemented as a platform that can provide on-demand the full functionality of desktop computing over networks. All the user-needed software programs and data are centralized on servers, and when demanded by the users of client devices, the needed software resource is transparently downloaded from servers and executed locally as computing services. In our view, this design is a feasible approach to provide on-demand desktop computing in a pervasive computing environment.Transparent Computing [1] is a novel, pervasive computing applied paradigm in which users can transparently utilize operating systems and upper software resource as a disposable resource while obtaining a full desktop computing experience. This paper presents the implement architecture of Transparent Computing, which will be implemented as a platform that can provide on-demand the full functionality of desktop computing over networks. All the user-needed software programs and data are centralized on servers, and when demanded by the users of client devices, the needed software resource is transparently downloaded from servers and executed locally as computing services. In our view, this design is a feasible approach to provide on-demand desktop computing in a pervasive computing environment.

YAOXUE ZHANG,YUEZHI ZHOU,LAURENCE TIANRUO YANG

2007-01-01

Abstract:With the rapid improvements in hardware, software and networks, the computing paradigm has also shifted from mainframe computing to ubiquitous or pervasive computing, in which users can get their desired services anytime, anywhere and any means. However, the emergence of ubiquitous or pervasive computing has brought many challenges, one of which is that it is hard to allow users to freely obtain desired services, such as heterogeneous OSes and applications via different light-weight embedded devices. We have proposed a new paradigm by extending the von Neumann architecture spatio-temporally, called Transparent Computing, to store and manage the commodity programs including OS codes centrally, while streaming them to be run in nonstate clients. This leads to a service-centric computing environment, in which users can select the desired services on demand, without concerning these services’ administrations, such as their installation, maintenance, management, upgrade, and so on. In this paper, we introduce a novel concept, namely Meta OS, to support such program streaming through a distributed 4VP+ platform. Based on this platform, a pilot system has been implemented and it supports Windows and Linux environments. We verify the effectiveness of the platform through both real deployments and testbed experiments. The evaluation results suggest that 4VP+ platform is a feasible and promising solution of the future computing infrastructure for ubiquitous or pervasive services.

Yaoxue Zhang,Yuezhi Zhou

DOI: https://doi.org/10.1007/11833529_1

2006-01-01

Abstract:Due to the research and technological advances, ubiquitous or pervasive computing is emerging rapidly as an exciting new discipline to provide computing and communication services all the time and everywhere. While with many ongoing initiatives, it is too far to achieve the vision that Mark Weiser described. After a comprehensive analysis on traditional paradigms, we argue that, not users-friendly, i.e., users can not get services from computer easily, is one of the main reasons. In this paper, a new computing paradigm, i.e., Transparent Computing will be presented to solve this problem partially. Accordingly, we propose and develop a pilot system, which runs in a network environment and operates at the assembler instruction level. This system lets users demand heterogeneous OSes and applications upon them from centered simple servers, similar to choose different TV channels in daily life. We also present some primitive real and experimental results to show that it is a feasible and efficient solution for future computing infrastructure.

He Hongjun,Luo Li,Cao Sihua,Feng Tao,Pan Li,Zou Zhiji

DOI: https://doi.org/10.1007/bf02831788

2006-01-01

Abstract:The paper points out that the deep reason why modern computer system fails to defense malware lies in that user has no right to control the access of information, and proposes an explicit authorization mechanism. Its basic idea is that user explicitly authorizes program the file set it can access, and monitor all file access operations; once program requests to access file out of the authorized file set, refuse it, and this means that the program is malicious or has design errors. Computers based on this novel mechanism can protect information from attacking reliably, and have good software and hardware compatibility. A testing system is presented to validate our theory.

Yaoxue Zhang,Kehua Guo,Ju Ren,Yuezhi Zhou,Jianxin Wang,Jianer Chen

DOI: https://doi.org/10.1109/mcse.2017.17

2017-01-01

Computing in Science & Engineering

Abstract:With the emergence of cloud computing, big data, and mobile networks, the computing paradigm and related technologies have experienced significant development over the past 10 years. Concomitantly, the prevalence of smartphones, wearable devices, and mobile applications has been constantly changing our daily lives. Terminals are evolving toward lightweight, intelligent, highly secure, and convenient devices. As an emerging computing paradigm, cloud computing focuses primarily on providing services through servers and networks but without addressing the inherent challenges and concerns of user terminals, such as energy efficiency, security, and cross-platform compatibility. Consequently, these challenges remain in the era of cloud computing and big data. In this article, the authors present a review to a promise computing paradigm: transparent computing. Similar to cloud computing, transparent computing stores software and user data at specific servers. More specifically, it extends the bus transmission in traditional computer architecture to the network. User interruptions at a terminal are redirected to a specific server through a network connection to request the corresponding instructions and data, which are subsequently executed at the terminal in a page-streaming pattern. By adopting this computing paradigm, user terminals are becoming more lightweight (nearly bare) with enhanced security (dumping after using), improved energy efficiency (no terminal storage), and cross-platform capability (low layer compatibility). This article presents a comprehensive survey and indicates future directions of transparent computing, from traditional terminals to mobile devices.

Yongzhi Wang,Yu Zou,Yulong Shen,Yao Liu

DOI: https://doi.org/10.1109/tc.2021.3122903

IF: 3.183

2021-01-01

IEEE Transactions on Computers

Abstract:Program control flow reflects the algorithm of that program and may reveal implementation vulnerabilities. Thus its confidentiality needs to be protected, especially in a cloud setting. However, most existing control flow obfuscation methods are software-based, which cannot offer high confidentiality while maintaining low performance overhead. In this paper, we propose CFHider, a hardware-assisted solution. By performing program transformation and leveraging Trusted Execution Environments (Intel SGX), CFHider moves branch statement conditions to an opaque and trusted memory space during the program execution. We proved that by generating Obfuscation Invariants, CFHider is able to provide provable control flow confidentiality protection. Based on the design of CFHider, we also developed a prototype system for Java applications. Our security analysis and experimental results indicate that CFHider is effective in protecting control flow confidentiality and incurs a much reduced performance overhead than existing software-based solutions (by a factor of 18.1).

engineering, electrical & electronic,computer science, hardware & architecture

Yuezhi Zhou

DOI: https://doi.org/10.1109/itime.2012.6291234

2012-01-01

Abstract:Summary form only given. Traditional computer systems, such as PCs, are facing several challenges, such as complex maintenance & management, low security, and less mobility. With the increasing demands for service and mobility, the computing infrastructure is looking for new technologies and practices to find solution to this problem. We proposed the concept of transparent computing, in which the software and hardware are decoupled where computation are carried out in client machines, but the storage of software, data, and status are centralized on the central servers and delivered on demand to clients in a streaming way. To implement such a system, we use two key technologies: bare-metal and asymmetric virtual machine monitor (AVMM) and Internet virtual disk. AVMM is dedicatedly designed as a light-weighted partitioning system to enable client virtualization and computation with very little virtualization overhead, especially in support of graphic-intensive applications. The Internet virtual disk whose content is stored on the server and delivered to the client as a traditional block-based hard disk interface via network is used to support back-compatibility and then enable client mobility and service. In this talk, I will start with the concept of transparent computing and then focus on the detailed designs of AVMM. Then, I will give some performance evaluation of our implemented prototype, and compare it with other similar approaches.

Sung-Hwa Han,Daesung Lee

DOI: https://doi.org/10.3390/electronics11121871

IF: 2.9

2022-06-15

Electronics

Abstract:Obfuscation and cryptography technologies are applied to malware to make the detection of malware through intrusion prevention systems (IPSs), intrusion detection systems (IDSs), and antiviruses difficult. To address this problem, the security requirements for post-detection and proper response are presented, with emphasis on the real-time file access monitoring function. However, current operating systems provide only file access control techniques, such as SELinux (version 2.6, Red Hat, Raleigh, NC, USA) and AppArmor (version 2.5, Immunix, Portland, OR, USA), to protect system files and do not provide real-time file access monitoring. Thus, the service manager or data owner cannot determine real-time unauthorized modification and leakage of important files by malware. In this paper, a structure to monitor user access to important files in real time is proposed. The proposed structure has five components, with a kernel module interrelated to the application process. With this structural feature, real-time monitoring is possible for all file accesses, and malicious attackers cannot bypass this file access monitoring function. By verifying the positive and negative functions of the proposed structure, it was validated that the structure accurately provides real-time file access monitoring function, the monitoring function resource is sufficiently low, and the file access monitoring performance is high, further confirming the effectiveness of the proposed structure.

engineering, electrical & electronic,computer science, information systems,physics, applied