Series
School of Computer Science Technical Report Series

Permanent Link
https://hdl.handle.net/1853/71007
Series Type
Publication Series
Description
Associated Organization(s)
Associated Organization(s)
Organizational Unit
Organizational Unit

Filters

2008 - 2009 1 2010 - 2011 1
2
2
2
2
Reset filters

Settings
Author: Ramachandran, Anirudh × Author: Tariq, Mukarram Bin × search.filters.applied.f.isOrgUnitOfPublicationTitle: College of Computing × search.filters.applied.f.isOrgUnitOfPublicationTitle: School of Computer Science × search.filters.applied.f.isSeriesOfPublicationTitle: College of Computing Technical Report Series × search.filters.applied.f.isSeriesOfPublicationTitle: School of Computer Science Technical Report Series ×

Publication Search Results

Now showing 1 - 2 of 2
  • Thumbnail Image
    Item
    Practical Data-Leak Prevention for Legacy Applications in Enterprise Networks
    (Georgia Institute of Technology, 2011) Mundada, Yogesh ; Ramachandran, Anirudh ; Tariq, Mukarram Bin ; Feamster, Nick
    Organizations must control where private information spreads; this problem is referred to in the industry as data leak prevention. Commercial solutions for DLP are based on scanning content; these impose high overhead and are easily evaded. Research solutions for this problem, information flow control, require rewriting applications or running a custom operating system, which makes these approaches difficult to deploy. They also typically enforce information flow control on a single host, not across a network, making it difficult to implement an information flow control policy for a network of machines. This paper presents Pedigree, which enforces information flow control across a network for legacy applications. Pedigree allows enterprise administrators and users to associate a label with each file and process; a small, trusted module on the host uses these labels to determine whether two processes on the same host can communicate. When a process attempts to communicate across the network, Pedigree tracks these information flows and enforces information flow control either at end-hosts or at a network switch. Pedigree allows users and operators to specify network-wide information flow policies rather than having to specify and implement policies for each host. Enforcing information flow policies in the network allows Pedigree to operate in networks with heterogeneous devices and operating systems. We present the design and implementation of Pedigree, show that it can prevent data leaks, and investigate its feasibility and usability in common environments.
  • Thumbnail Image
    Item
    Packets with Provenance
    (Georgia Institute of Technology, 2008) Ramachandran, Anirudh ; Bhandankar, Kaushik ; Tariq, Mukarram Bin ; Feamster, Nick
    Traffic classification and distinction allows network operators to provision resources, enforce trust, control unwanted traffic, and traceback unwanted traffic to its source. Today’s classification mechanisms rely primarily on IP addresses and port numbers; unfortunately, these fields are often too coarse and ephemeral, and moreover, they do not reflect traffic’s provenance, associated trust, or relationship to other processes or hosts. This paper presents the design, analysis, user-space implementation, and evaluation of Pedigree, which consists of two components: a trusted tagger that resides on hosts and tags packets with information about their provenance (i.e., identity and history of potential input from hosts and resources for the process that generated them), and an arbiter, which decides what to do with the traffic that carries certain tags. Pedigree allows operators to write traffic classification policies with expressive semantics that reflect properties of the actual process that generated the traffic. Beyond offering new function and flexibility in traffic classification, Pedigree represents a new and interesting point in the design space between filtering and capabilities, and it allows network operators to leverage host-based trust models to decide treatment of network traffic.