Despite all efforts to secure execution and storage, security breaches are a fact of life. Systems are regularly penetrated: code is vulnerable, servers may be physically insecure, and defenses are subject to human error. The traditional solution of confining data and computation within one trust domain makes security breaches harder but does not prevent the use of invalid data and computation once the system is compromised. Protection becomes even more important once a system spreads across multiple trust domains, effectively creating extended trust domains with even weaker guarantees. Desktop operating systems, programs running in a hosting center, and large-scale web services all share the same vulnerabilities introduced by the insufficient perimeter defense of trust domains.
In this project we address the issue of accountability: the ability to
undeniably detect incorrect computational results and tampered data, either
at the time a request completes (immediate) or at a later time
(auditable). We require that applications present clients with evidence of
the correctness of their operations. Explicit verification of that evidence
can then be used to validate the integrity of data and computation. Our goal
is to construct and evaluate mechanisms that provide and enforce
accountability. To attack the problem, we develop a model that captures the
actions and internal organization of networked services. We use the model
to reason about and address the possible security threats in execution
scenarios with different trust assumptions. Our preliminary analysis
suggests that accountability is costly and in certain settings might be
possible only in a probabilistic sense.