Sean Smith

Sean Smith
Dartmouth College · Department of Computer Science

About

180
Publications
14,661
Reads
How we measure 'reads'
A 'read' is counted each time someone views a publication summary (such as the title, abstract, and list of authors), clicks on a figure, or views or downloads the full-text. Learn more
4,589
Citations

Publications

Publications (180)
Chapter
As people design and use systems, security and privacy challenges are tethered to humans, particularly humans’ mental models and how those mental models differ from other conceptions of the world, for example, a representation within a computer system. Capturing this link between humans and the systems they interact with is key to understanding rea...
Article
This article reviews several exploits of input-handling vulnerabilities and categorizes these vulnerabilities based on their root causes. We describe the language-theoretic security paradigm and discuss how it can be used to tackle these categories of vulnerabilities.
Chapter
Mismorphisms—instances where predicates take on different truth values across different interpretations of reality (notably, different actors’ perceptions of reality and the actual reality)—are the source of weird instructions. These weird instructions are tiny code snippets or gadgets that present the exploit programmer with unintended computation...
Chapter
Human understanding of protocols is central to protocol security. The security of a protocol rests on its designers, its implementors, and, in some cases, its users correctly conceptualizing how it should work, understanding how it actually works, and predicting how others will think it works. Ensuring these conceptualizations are correct is diffic...
Chapter
Intent lies at the heart of technology design, development, and use. As such, intent is a secure design primitive. We posit that securing a technology requires enforcing the various actors' intents throughout the technology's lifecycle. This tenet of secure design is particularly relevant for the Internet of Things (IoT) context, where intent viola...
Conference Paper
Publish-Subscribe protocols such as the Message Queuing Telemetry Transport (MQTT) protocol are considered scalable, lightweight, and one-size-fits-all solutions for the Internet-of-Things (IoT) networking. MQTT has been widely adopted in the Industrial IoT to automate distributed power grid equipment such as smart meters and sensors. Such protocol...
Conference Paper
Full-text available
The addition of synchrophasors to the power grid to improve observability comes at the cost of an increased attack surface: the wide area measurement system. A common source of zero-days, that can be used to exploit the system, is improper input validation. The strict availability and timing requirements of the grid make it critical that input vali...
Conference Paper
Full-text available
The addition of synchrophasors to the power grid to improve observability comes at the cost of an increased attack surface: the wide area measurement system. A common source of zero-days, that can be used to exploit the system, is improper input validation. The strict availability and timing requirements of the grid make it critical that input vali...
Conference Paper
From March 29, 2038, to April 6, 2038, the world observed the North American Blackout of 2038. The blackout left upwards of 300 million people without power, ravaged the world economy, and devastated the global internet. By many accounts, it was the most devastating blackout ever witnessed. That said, its occurrence should not be surprising. While...
Conference Paper
Recent efforts to harden hosts against malicious USB devices have focused on the higher layers of the protocol. We present a domain-specific language (DSL) to create a bit-level model of the USB protocol, from which we automatically generate software components that exhaustively validate the bit-level syntax of protocol messages. We use these gener...
Conference Paper
We present an assurance methodology for producing significantly more secure implementations of SCADA/ICS protocols, and describe our case study of applying it to DNP3, in the form of a filtering proxy that deeply and exhaustively validates DNP3 messages. Unlike the vast majority of deployed proprietary DNP3 implementations, our code demonstrates re...
Conference Paper
Agent-based modeling can serve as a valuable asset to security personnel who wish to better understand the security landscape within their organization, especially as it relates to user behavior and circumvention. In this paper, we argue in favor of cognitive behavioral agent-based modeling for usable security, report on our work on developing an a...
Article
Focusing on malicious attacks on the current infrastructure might be distracting us from another looming challenge: the risk to emerging infrastructure due to carelessness.
Article
Conventional wisdom is that the textbook view describes reality, and only bad people (not good people trying to get their jobs done) break the rules. And yet it doesn't, and good people circumvent.
Conference Paper
Although software exploitation historically started as an exercise in coaxing the target's execution into attacker-supplied binary shellcode, it soon became a practical study in pushing the limits of unexpected computation that could be caused by crafted data not containing any native code. We show how the ABI metadata that drives the creation of a...
Conference Paper
Trust Analysis, i.e. determining that a system will not execute some class of computations, typically assumes that all computation is captured by an instruction trace. We show that powerful computation on ×86 processors is possible without executing any CPU instructions. We demonstrate a Turing-complete execution environment driven solely by the IA...
Article
Full-text available
Dartmouth College's Institute for Security, Technology, and Society conducted three workshops on securing information technology in healthcare, attended by a diverse range of experts in the field. This article summarizes the workshops.
Article
As information technology permeates healthcare (particularly provider-facing systems), maximizing system effectiveness requires the ability to document and analyze tricky or troublesome usage scenarios. However, real-world health IT systems are typically replete with privacy-sensitive data regarding patients, diagnoses, clinicians, and EMR user int...
Article
Security vulnerabilities typically start with bugs: in input validation, and also in deeper application logic. Fuzz-testing is a popular security evaluation technique in which hostile inputs are crafted and passed to the target software in order to reveal such bugs. However, for SCADA software used in critical infrastructure, the widespread use of...
Conference Paper
Traditional Unix tools operate on sequences of characters, bytes, fields, lines, and files. However, modern practitioners often want to manipulate files in terms of a variety of language-specific constructs--C functions, Cisco IOS interface blocks, and XML elements, to name a few. These language-specific structures quite often lie beyond the regula...
Conference Paper
In theory, access control is a solved problem. In practice, large real-world enterprises still report trouble: de facto policy becomes unmanageable; users circumvent controls. These issues can be particularly critical in medical IT, such as emerging EMR and EHR, where access control errors can have serious repercussions. In this paper, we investiga...
Article
The power grid depends on embedded control systems or SCADA systems to function properly. Securing these systems presents unique challenges—in addition to the resource restrictions inherent to embedded devices, SCADA systems must accommodate strict timing requirements that are non-negotiable, and their massive scale greatly amplifies costs such as...
Article
Managing the security of complex cloud and networked computing environments requires craft-ing security policy—ranging from natural-language text to highly-structured configuration rules, sometimes multi-layered—specifying correct system behavior in an adversarial environment. Since environments change and evolve, managing security requires managin...
Conference Paper
Full-text available
The present and future smart grid has a large number of devices that produce an avalanche of data. Our research explores whether we can channel this avalanche to drive more efficient NERC CIP audits. The power industry has both high-level, natural-language NERC CIP policies and low-level data sources such as router configuration files, Windows regi...
Article
Security will be critical for the wireless interface offered by soon-to-be-ubiquitous smart meters -- since if not secure, this technology will provide an remotely accessible attack surface distributed throughout many homes and businesses. However, history shows that new network interfaces remained brittle and vulnerable (although believed otherwis...
Conference Paper
In the envisioned smart grid, massive numbers of computational devices will need to authenticate to each other. For scalability, this technology will probably rest on public-key infrastructure (PKI). However, deploying PKI on an entity population this large-and doing the kinds of things we envision the smart grid doing-itself raises many scalabilit...
Chapter
The mechanics of hot patching (the process of upgrading a program while it executes) remain understudied, even though it offers capabilities that act as practical benefits for both consumer and mission-critical systems. A reliable hot patching procedure would serve particularly well by reducing the downtime necessary for critical functionality or s...
Conference Paper
Most existing intrusion detection systems take a passive approach to observing attacks or noticing exploits. We suggest that active intrusion detection (AID) techniques provide value, particularly in scenarios where an administrator attempts to recover a network infrastructure from a compromise. In such cases, an attacker may have corrupted fundame...
Article
Anonymizing networks such as Tor allow users to access Internet services privately by using a series of routers to hide the client's IP address from the server. The success of such networks, however, has been limited by users employing this anonymity for abusive purposes such as defacing popular Web sites. Web site administrators routinely rely on...
Conference Paper
Security vulnerabilities typically arise from bugs in input validation and in the application logic. Fuzz-testing is a popular security evaluation technique in which hostile inputs are crafted and passed to the target software in order to reveal bugs. However, in the case of SCADA systems, the use of proprietary protocols makes it difficult to appl...
Conference Paper
Securing embedded control systems presents a unique challenge. In addition to the resource restrictions inherent to embedded devices, embedded control systems must accommodate strict, non-negotiable timing requirements, and their massive scale greatly increases other costs such as power consumption. These constraints render conventional host-based...
Chapter
One of the most successful working examples of virtual organizations, computational Grids need authentication mechanisms that inter-operate across domain boundaries. Public Key Infrastructures (PKIs) provide sufficient flexibility to allow resource managers to securely grant access to their systems in such distributed environments. However, as PKIs...
Article
Several credential systems have been proposed in which users can authenticate to service providers anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a Trusted Third Party (TTP). The ability of the TTP to revoke a user’s privac...
Article
TPM-based trusted computing aspires to use hardware and cryptography to provide a remote relying party with assur-ances about the trustworthiness of a computing environ-ment. However, standard approaches to trusted comput-ing are hampered in the areas of scalability, expressiveness, and flexibility. This paper reports on our research project to add...
Article
How can Agnes trust a computation C occurring at Boris's computer? In particular, how can Agnes can trust that C is occurring without Boris even being able to observe its internal state? One way is for Agnes to house C in a strong tamper-protected secure coprocessor at Boris's site. However, this approach is not scalable: neither in terms of comput...
Conference Paper
Full-text available
Authenticating human users using public key cryptography provides a number of useful security properties, such as being able to authenticate to remote party without giving away a secret. However, in many scenarios, users need to authenticate from a number of client machines, of varying degrees of trustworthiness. In previous work, we proposed an ap...
Article
Virtualization has seen a rebirth for a wide variety of uses; in our field, systems security researchers routinely use it as a standard tool for providing isolation and introspection. Researchers' use of virtual machines has reached a level of orthodoxy that makes it difficult for the collective wisdom to consider alternative approaches to protecti...
Article
Broad adoption of secure programming primitives such as the TPM can be hurt by programmer confusion regarding the nature and representation of failures when using a primitive. Conversely, a clear understanding of the primitive's failure modes is essential for both debugging and reducing the attack surface in the mechanisms built on it. In particula...
Article
Effective security requires looking at an entire system, as this department has noted in many previous installments. Looking at only one piece leads to security trouble—and this dangerous reductionism extends to looking at only what traction representing these complex policies in formal computer terms, the infosec research community approached the...
Article
Full-text available
The mechanics of hot patching the process of upgrading a program while it executes remain understudied, even though it offers capabilities that act as practical benefits for both consumer and mission-critical systems. A reliable hot patching procedure would serve particularly well by reducing the downtime necessary for critical functionality or sec...
Article
Public-key cryptography can uniquely enable trust within distributed settings. Employing it usually requires deploying a set of tools and services collectively known as a public key infrastructure (PKI). PKIs have become a central asset for many organizations, due to distributed IT and users. Even though the usage of PKIs in closed and controlled e...
Conference Paper
Natural-language policies found in X.509 PKI describe an organization's stated policy as a set of requirements for trust. The widespread use of X.509 underscores the importance of understanding these requirements. Although many review processes are defined in terms of the semantic structure of these policies, human analysts are confined to working...
Conference Paper
Message authentication with low latency is necessary to ensure secure operations in legacy industrial control networks such as those in the power grid. Previous authentication solutions that examine single messages incur noticeable latency. This paper describes Predictive YASIR, a bump-in-the-wire device that reduces the latency by considering broa...
Conference Paper
Despite advances in software modularity, security, and reliability, offline patching remains the predominant form of updating or protecting commodity software. Unfortunately, the mechanics of hot patching (the process of upgrading a program while it executes) remain understudied, even though such a capability offers practical benefits for both cons...
Article
Full-text available
Several credential systems have been proposed in which users can authenticate to service providers anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a Trusted Third Party (TTP). The ability of the TTP to revoke a user’s privac...
Article
Full-text available
All economic exchange entails some uncertainty, but uncertainty is exacerbated in periods of social change that disrupt conventional patterns and modes of exchange. The increasing reliance on the Internet as a medium for exchange has greatly increased uncertainty, raising particular problems of trust between parties. In this study, we examine how i...
Conference Paper
Prior work in psychology shows that introspection inhibits intuition: asking human users to analyze judgements they make can cause them to be quantitatively worse at making those judgments. In this paper, we explore whether this seemingly contradictory phenomenon also occurs when humans craft privacy policies for a Facebook-like social network. Our...
Article
Components of commodity OS kernels typically execute at the same privilege level. Consequently, the compromise of even a single component undermines the trustworthiness of the entire kernel and its ability to enforce separation between user-level processes. Reliably containing the extent of a compromised kernel component is a problem to which few p...
Conference Paper
The trustworthiness of any Public Key Infrastructure (PKI) rests upon the expectations for trust, and the degree to which those ex- pectations are met. Policies, whether implicit as in PGP and SDSI/SPKI or explicitly required as in X.509, document expectations for trust in a PKI. The widespread use of X.509 in the context of global e-Science infras...
Conference Paper
Current PKI-based email systems (such as X.509 S/MIME and PGP/ MIME) potentially enable a recipient to determine a name and organizational affiliation of the sender. This information can suffice for a trust decision when the recipient already knows the sender--but how can a recipient decide whether or not trust email from a new correspondent? Curre...
Article
Full-text available
An important organizational innovation enabled by the revolution in information technologies is 'open source' production which converts private commodities into essentially public goods. Similar to other public goods, incentives for reputation and group identity appear to motivate contributions to open source projects, overcoming the social dilemma...
Article
In Blockwise On-line Encryption, encryption and decryption return an output block as soon as the next input block is received. In this paper, we introduce Authenticated Streamwise On-line Encryption (ASOE), which operates on plaintexts and ciphertexts as streams of arbitrary length (as opposed to fixed-sized blocks), and thus significantly reduces...
Article
Full-text available
One of the most successful working examples of virtual organizations, computational grids need authentication mechanisms that inter-operate across domain boundaries. Public Key Infrastructures (PKIs) provide sufficient flexibility to allow resource managers to securely grant access to their systems in such distributed environments. However, as PKIs...
Chapter
The basic technological building blocks of the TCG architecture seem to be stabilizing. As a result, we believe that the focus of the Trusted Computing (TC) discipline must naturally shift from the design and implementation of the hardware root of trust (and the subsequent trust chain) to the higher-level application policies. Such policies must bu...
Conference Paper
Full-text available
Several anonymous authentication schemes allow servers to revoke a misbehaving user's ability to make future accesses. Traditionally, these schemes have relied on powerful TTPs capable of deanonymizing (or linking) users' connections. Recent schemes such as Blacklistable Anonymous Creden- tials (BLAC) and Enhanced Privacy ID (EPID) support \privacy...
Conference Paper
Users often log in to Internet sites from insecure comput- ers and more recently have started divulging their email passwords to social-networking sites, thereby putting their private communications at risk. We propose and evaluate TwoKind Authentication, a simple and eective technique for limiting access to private information in untrustworthy env...
Conference Paper
We question current trends that attempt to leverage virtualization techniques to achieve security goals. We suggest that the security role of a virtual machine centers on being a policy interpreter rather than a resource provider. These two roles (security reference mon- itor and resource emulator) are currently conflated within the con- text of vi...
Article
The guest editors of the special issue on virtualization introduce the topic.
Chapter
Much research on mitigating threat posed by insiders focuses on detection. In this chapter, we consider the prevention of attacks using access control While recent work and development in this space are promising, our studies of technologists in financial, health care, and other enterprise environments reveal a disconnect between what “real world”...
Conference Paper
Precomputation dramatically reduces the execution latency of many cryptographic algo- rithms. To sustain the reduced latency over time during which these algorithms are routinely invoked, however, a pool of precomputation results must be stored and be readily available. While precomputation is an old and well-known technique, how to securely and ye...
Conference Paper
How to distribute resource locators is a fundamental problem in PKI. Our PKI Resource Query Protocol (PRQP), recently presented at IETF, provides a standard method to query for PKI resources locators. However the distribution of locators across PKIs is still an unsolved problem. In this paper, we propose an extension to PRQP in order to distribute...
Conference Paper
In the pursuit of authentication schemes that balance user privacy and accountability, numerous anonymous credential systems have been constructed. However, existing systems assume a client-server architecture in which only the clients, but not the servers, care about their privacy. In peer-to-peer (P2P) systems where both clients and servers are p...
Article
The systems we worry about securing include the people who use them. In everyday offline life, an average person's "security policy" consists of a few simple, intuitive rules. We believe that the majority of users continuously employ risk analysis heuristics to plan both their online and offline actions; the overwhelming problem of online security...
Article
In the pursuit of authentication schemes that balance user privacy and accountability, nu-merous anonymous credential systems have been constructed. However, existing systems assume a client-server architecture in which only the clients, but not the servers, care about their pri-vacy. In peer-to-peer (P2P) systems where both clients and servers are...
Conference Paper
Full-text available
One of the most successful working examples of virtual organizations, computational grids need authentication mechanisms that inter-operate across domain boundaries. Public Key Infrastructures (PKIs) provide sufficient flexibility to allow resource managers to securely grant access to their systems in such distributed environments. However, as PKIs...
Conference Paper
Cryptographic puzzles can be used to mitigate spam and denial-of-service (DoS) attacks, as well as to implement timed-release cryptography. However, existing crypto puzzles are impractical because: (1) solving them wastes computing resources and/or human time, (2) the time it takes to solve them can vary dramatically across computing platforms, and...
Conference Paper
The security of the standard TCG architecture depends on whether the values in the PCRs match the actual platform configuration. However, this design admits potential for time-of-check time-of-use vulnerabilities: a PCR reflects the state of code and data when it was measured, not when the TPM uses a credential or signs an attestation based on that...
Book
Insider Attack and Cyber Security: Beyond the Hacker defines the nature and scope of the insider attack problem as viewed by the financial industry. This edited volume is based on the first workshop on Insider Attack and Cyber Security, IACS 2007. The workshop was a joint effort from the Computer Science Departments of Columbia University and Dartm...
Conference Paper
Large financial firms with thousands of employees face many chal- lenges ensuring workers have access to the right information, yet controlling access to unneeded data. We examine the problems of role lifecycle manage- ment and entitlement review processes in the context of large financial institu- tions. We describe observations from field study r...
Conference Paper
Pairing-based cryptography (PBC) has enabled the construction of many cryptographic protocols. However, there are scenarios when PBC is too heavyweight to use, such as when the computing devices are resource-constrained. Pairing delegation introduced in [19] provides a solution by offloading the computation to more powerful entities. In this paper,...
Conference Paper
Full-text available
Several credential systems have been proposed in which users can authenticate to services anonymously. Since anonymity can give users the license to misbehave, some variants allow the selective deanonymization (or linking) of misbehaving users upon a complaint to a trusted third party (TTP). The ability of the TTP to revoke a user's pri- vacy at an...
Conference Paper
The ease with which a malicious third party can obtain a user's password when he or she logs into Internet sites (such as bank or email accounts) from an insecure computer cre- ates a substantial security risk to private information and transactions. For example, a malicious administrator at a cybercafe, or a malicious user with sucient access to i...
Conference Paper
The central goal of Public Key Infrastructure (PKI) is to enable trust judgments between distributed users. Although certificates play a central role in making such judgments, a PKI’s users need more than just knowledge of certificates. Minimally, a relying party must able to locate critical parameters such the certificate repositories and certific...
Conference Paper
Anonymizing networks such as Tor allow users to access Internet ser- vices privately using a series of routers to hide the client's IP address from the server. Tor's success, however, has been limited by users employing this anonymity for abusive purposes, such as defacing Wikipedia. Website administrators rely on IP- address blocking for disabling...
Conference Paper
Whether a particular computing installation meets its security goals depends on whether the administrators can create a policy that expresses these goals—security in prac- tice requires effective policy engineering. We have found that the reigning SELinux model fares poorly in this regard, partly because typical isolation goals are not directly sta...
Conference Paper
In this paper, we present the design and prototype of a new approach to cookie management: if a server deposits a cookie only after authenticating itself via the SSL handshake, the browser will return the cookie only to a server that can authenticate itself, via SSL, to the same keypair. This approach can enable usable but secure client authenticat...
Article
We have built attribute based, usefully secure email (ABUSE), a system that leverages users by enabling them to build a decentralized, nonhierarchical public key infrastructure (PKI) to express their trust relationships with each other, and then use this PKI to manage their trust in people with whom they correspond via secure email. Our design puts...
Conference Paper
With Hidden Credentials Alice can send policy- encrypted data to Bob in such a way that he can decrypt the data only with the right combination of credentials. Alice gains no knowledge of Bob's credentials in the process, and hence the name "Hidden Credentials." Research on Hidden Credential systems has focused on messages sent to single recipients...
Article
Currently, work on malware attack and defense focuses pri-marily on PCs. However, as lightweight computing devices with embedded operating systems become more ubiquitous, they present a new and very disturbing target for botnet de-velopers; and as embedded devices become more integrated and networked with general-purpose computing, they can easily...
Article
The security-mediated approach to PKI offers several advantages, such as instant revocation and compatibility with standard RSA tools. In this paper, we present a design and prototype that addresses its trust and scalability problems. We use trusted computing platforms linked with peer-to-peer networks to create a network of trustworthy mediators a...
Conference Paper
Establishing trust on certificates across multiple domains requires an efficient certification path discovery algorithm. Previously, small exmap les are used to analyze the performance of certification path discovery. In this w ork, we propose and implement a simulation framework and a probability search tree model for systematic performance evalua...
Conference Paper
As evidenced by the proliferation of phishing attacks and keystroke loggers, we know that human beings are not well-equipped to make trust decisions about when to use their passwords or other personal credentials. Public key cryptography can reduce this risk of attack, because authentication using PKI is designed to not give away sensitive data. Ho...
Article
How does one block an anonymous user hiding be-hind an anonymous routing network? In this paper, we outline a security protocol that uses resource-constrained trusted hardware to facilitate anony-mous IP-address blocking in anonymizing networks such as Tor. Tor allows users to access Internet ser-vices privately by using a series of Tor routers to...
Article
Many security protocols refer to a trusted third party (TTP) as an ideal way of handling computation and data with conflicting stakeholders. Subsequent discussion usually dismisses a TTP as hypothetical or impractical. However, the last decade has seen the emergence of hardware-based devices like the IBM 4758 that, to high assurance, can carry out...
Article
To a large extent, computing systems are useful only to the degree in which they're embedded in the processes that constitute human society. This embedding makes effective system security extremely important, but achieving it requires a strong look at the human side of the picture - the computers themselves are only part of the system. IEEE Securit...
Conference Paper
The Border Gateway Protocol (BGP) controls inter-domain routing in the Internet. BGP is vulnerable to many attacks, since routers rely on hearsay information from neighbors. Secure BGP (S-BGP) uses DSA to provide route authentication and mitigate many of these risks. However, many performance and deployment issues prevent S-BGP's real-world deploym...
Conference Paper
As multiple types of traffic converge onto one network, frequently wireless, enterprises face a tradeoff between effectiveness and security. Some types of traffic, such as voice-over-IP (VoIP), require certain quality of service (QoS) guarantees to be effective. The end client platform is in the best position to know which packets deserve this spec...
Article
The Trustworthy Interfaces for Passwords and Personal Information workshop brought security and user interface professionals together to determine ways to improve authentication methods so that users won't be tricked by phishers into giving away personal information. The authors consider some of the themes discussed at TIPPI, including the nature o...

Network

Cited By