Flux Research Group / School of Computing

security people

Eric Eide
Eric Eide
Faculty
Anton Burtsev
Anton Burtsev
Affiliated Faculty
Sneha Kumar Kasera
Sneha Kumar Kasera
Affiliated Faculty
Zvonimir Rakamaric
Zvonimir Rakamaric
Affiliated Faculty
John Regehr
John Regehr
Affiliated Faculty
Mike Hibler
Mike Hibler
Research staff
David Johnson
David Johnson
Research staff
Min Du
Min Du
PhD student
David Hancock
David Hancock
PhD student
Cai (Richard) Li
Cai (Richard) Li
PhD student
Zirak Zaheer
Zirak Zaheer
PhD student
Anand Tripathi
Anand Tripathi
Masters student
Anmol Vatsa
Anmol Vatsa
Masters student

security projects

A3 A3

The A3 project applies virtualization, record-and-replay, introspection, repair, and other techniques to develop a customizable container for “advanced adaptive applications.” The A3 container provides its protected application with both innate and adaptive defenses against security threats.

TCloud TCloud

In the TCloud project we are developing a self-defending, self-evolving, and self-accounting trustworthy cloud platform. Our approach in realizing TCloud holds to the following five tenets: defense in depth, least authority, explicit orchestration of security function, moving-target defense, and verifiable accountability.

XCap XCap

We are creating XCap, a secure environment for least-authority execution of applications and system services. Unmodified, untrusted, off-the-shelf applications, running on untrusted operating systems, are isolated by a virtual machine manager. XCap brings the power of a capability-based security system to Xen, building on two principles: strong isolation and secure collaboration.

SDN End-to-end Application Containment SDN End-to-end Application Containment

We are developing an SDN End-to-end Application Containment ArchitecTure (SeaCat).

Our approach involves extending SDN primitives into end-points, adapting existing mechanisms for end-point application containment and orchestrating the creation of these contexts based on policies associated with specific health care applications.

CloudLab CloudLab

Many of the ideas that drive modern cloud computing, such as server virtualization, network slicing, and robust distributed storage, arose from the research community. Despite this success, today’s clouds have become environments that are unsuitable for moving this research agenda forward—they have particular, unmalleable implementations of these ideas “baked in.” CloudLab will not be a cloud; it will be large-scale, distributed scientific infrastructure on top of which many different clouds can be built.

OpenEdge: Open Service Edge Network OpenEdge: Open Service Edge Network

 

High performance edge networks, such as fiber-to- the-premises (FTTP), are increasingly being deployed by municipalities and communities to support advanced services and applications. The complexity of operating these networks often means that their full potential is not being reached and they are relegated to being fast access pipes to the Internet. In this work we are developing a dynamic and secure open service edge network architecture, called OpenEdge. OpenEdge provides a control architecture that automates the configuration of the edge network in a cloud-like manner to simplify the introduction of new network services and applications.

 

CapNet: Capability Enabled Networking

CapNet, will provide a practical platform for enforcing strong isolation for scientific workflows. Fine-grained nature of CapNet provides support for the principle of least authority. Individual scientific workflows, and even their tasks will run with a minimal set of privileges required for completing their goals, but not more. The basis for CapNet’s design is (1) strong isolation of network activities with the mechanisms of software defined networks (SDN) and (2) mediation of all communication between network hosts by a capability access control model.

 

Deker: Decomposing Kernels for Verification Deker: Decomposing Kernels for Verification

Deker is a framework for decomposing and verifying commodity operating system kernels. Deker turns a de-facto standard commodity operating system kernel into a collection of strongly isolated subsystems suitable for verification.

NetSecOps : Network Security Operations NetSecOps : Network Security Operations

University campus infrastructures count among the most complex and sophisticated information technology (IT) deployments; often combining a mix of enterprise, academic, research, and healthcare environments, each having their own distinct security, privacy, and priority policies. In this project we address these challenges through a collaborative research effort, called NetSecOps (Network Security Operations), that attempts to assist IT security teams by automating many of the operational steps that are tedious, error-prone, and otherwise problematic in current campus networks.

recent security publications (see all)