Archive for April, 2011

BBC on Karsten’s GSM Hacks

Sunday, April 24th, 2011

Karsten Nohl and Sylvain Munaut demonstrated their GSM hack for the BBC: Mobiles fall prey to hack attacks [follow link to see video], BBC News, 20 April 2011.

Who could possibly eavesdrop on your modern, digitally encrypted handset?

It should take the kind of technology and resources only available to the security services.

Yet two men wearing hoodie tops have managed to crack the system.

Karsten Nohl and Sylvain Munaut don’t look like secret agents, sitting behind their fold-out table next to a pile of old Motorola phones.

But these two security researchers have discovered a cheap, relatively simple way of intercepting mobile calls.

“We have been looking at GSM technology for a while and we find it to be pretty much outdated in every aspect of security and privacy,” said Mr Nohl.

GuardRails now available!

Friday, April 22nd, 2011

The first release of the GuardRails source code is now available at https://github.com/guardrails/guardrails. GuardRails was developed by Jonathan Burket, Patrick Mutchler, Michael Weaver, and Muzzammil Zaveri.

GuardRails is a web application framework that extends Ruby on Rails to provide automatic support for data-centric security policies. Developers add annotations to their data models to describe their security policies, and GuardRails performs a source-to-source transformation to enforce those policies throughout the application. There will be a paper at USENIX WebApps 2011, GuardRails: A Data-Centric Web Application Security Framework, available soon, that provides more details.

Talk on “Secure Computation in the Real(ish) World”

Friday, April 22nd, 2011

I’ve posted the slides from my recent talk at CMU:

Secure Computation in the Real(ish) World. CyLab Seminar, Carnegie Mellon University, Pittsburgh, PA. 20 April 2011. [Abstract, PPTX, PDF]

Here’s the abstract:

Alice and Bob meet in a campus bar in 2016. Being typical CMU students, they both have their genomes stored on their mobile devices and, before expending any unnecessary effort in courtship rituals, they want to perform a genetic analysis to ensure that their potential offspring would have strong immune systems and not be at risk for any recessive diseases. But Alice doesn’t want Bob to learn about her risk for Alzheimer’s disease, and Bob is worried a future employer might misuse his propensity to alcoholism. Two-party secure computation provides a way to solve this problem. It allows two parties to compute a function that depends on inputs from both parties, but reveals nothing except the output of the function.

A general solution to this problem have been known since Yao’s pioneering work on garbled circuits in the 1980s, but only recently has it become conceivable to use this approach in real systems. Our group has developed a framework for building efficient and scalable secure computations that achieves orders of magnitude performance improvements over the best previous systems. In this talk, I’ll describe the techniques we use to design scalable and efficient secure computation applications, and report on some example applications including genomic analysis, private set intersection, and biometric matching.

Faster Secure Two-Party Computation Using Garbled Circuits

Thursday, April 21st, 2011

Our paper,

Faster Secure Two-Party Computation Using Garbled Circuits by Yan Huang, David Evans, Jonathan Katz, Lior Malka.

was accepted to USENIX Security. Yan will present the paper at the conference in San Francisco in August. If you would like an advance copy, email me and I will let you know when it is available.

UVERS Poster

Monday, April 4th, 2011

Congratulations to Yan Huang for winning an Honorable Mention at the University of Virginia Engineering Research Symposium (UVERS) for his poster on privacy-preserving biometric matching.

The poster is here: [PDF (13MB)]