Results 1 - 5 of 5
1.
Proc USENIX Annu Tech Conf ; 2014: 395-408, 2014.
Article in English | MEDLINE | ID: mdl-25426493

ABSTRACT

DCAC is a practical OS-level access control system that supports application-defined principals. It allows normal users to perform administrative operations within their privilege, enabling isolation and privilege separation for applications. It does not require centralized policy specification or management, giving applications freedom to manage their principals while the policies are still enforced by the OS. DCAC uses hierarchically-named attributes as a generic framework for user-defined policies such as groups defined by normal users. For both local and networked file systems, its execution time overhead is between 0%-9% on file system microbenchmarks, and under 1% on applications. This paper shows the design and implementation of DCAC, as well as several real-world use cases, including sandboxing applications, enforcing server applications' security policies, supporting NFS, and authenticating user-defined sub-principals in SSH, all with minimal code changes.

2.
ASPLOS Proc ; : 253-264, 2013.
Article in English | MEDLINE | ID: mdl-24429939

ABSTRACT

InkTag is a virtualization-based architecture that gives strong safety guarantees to high-assurance processes even in the presence of a malicious operating system. InkTag advances the state of the art in untrusted operating systems in both the design of its hypervisor and in the ability to run useful applications without trusting the operating system. We introduce paraverification, a technique that simplifies the InkTag hypervisor by forcing the untrusted operating system to participate in its own verification. Attribute-based access control allows trusted applications to create decentralized access control policies. InkTag is also the first system of its kind to ensure consistency between secure data and metadata, ensuring recoverability in the face of system crashes.

3.
Proc IEEE Symp Secur Priv ; 2013: 319-333, 2013 Dec 31.
Article in English | MEDLINE | ID: mdl-24504081

ABSTRACT

We present the design, security proof, and implementation of an anonymous subscription service. Users register for the service by providing some form of identity, which might or might not be linked to a real-world identity such as a credit card, a web login, or a public key. A user logs on to the system by presenting a credential derived from information received at registration. Each credential allows only a single login in any authentication window, or epoch. Logins are anonymous in the sense that the service cannot distinguish which user is logging in any better than random guessing. This implies unlinkability of a user across different logins. We find that a central tension in an anonymous subscription service is the service provider's desire for a long epoch (to reduce server-side computation) versus users' desire for a short epoch (so they can repeatedly "re-anonymize" their sessions). We balance this tension by having short epochs, but adding an efficient operation for clients who do not need unlinkability to cheaply re-authenticate themselves for the next time period. We measure performance of a research prototype of our protocol that allows an independent service to offer anonymous access to existing services. We implement a music service, an Android-based subway-pass application, and a web proxy, and show that adding anonymity adds minimal client latency and only requires 33 KB of server memory per active user.

4.
Article in English | MEDLINE | ID: mdl-24755709

ABSTRACT

Modern systems keep long memories. As we show in this paper, an adversary who gains access to a Linux system, even one that implements secure deallocation, can recover the contents of applications' windows, audio buffers, and data remaining in device drivers, long after the applications have terminated. We design and implement Lacuna, a system that allows users to run programs in "private sessions." After the session is over, all memories of its execution are erased. The key abstraction in Lacuna is an ephemeral channel, which allows the protected program to talk to peripheral devices while making it possible to delete the memories of this communication from the host. Lacuna can run unmodified applications that use graphics, sound, USB input devices, and the network, with only 20 percentage points of additional CPU utilization.

5.
Sex Transm Dis ; 31(7): 415-20, 2004 Jul.
Article in English | MEDLINE | ID: mdl-15215696

ABSTRACT

BACKGROUND: Individuals who use sexually transmitted disease (STD) clinics are at high risk for hepatitis B virus (HBV). While HBV vaccine is frequently offered to clients in this setting, reported vaccination rates are low. More information is needed about HBV vaccine knowledge, attitudes, beliefs, and behavior among high risk populations. The current study assesses these issues at an urban STD clinic. METHODS: A survey assessing knowledge, attitudes, and beliefs concerning HBV vaccine was administered to individuals seeking services at an STD clinic before seeing the physician. Immediately after the clinical visit these individuals were interviewed and asked whether they had accepted vaccination and their reasons for acceptance or rejection. RESULTS: Fifty percent of unvaccinated study subjects elected to receive an HBV vaccine dose at the current visit. Significant predictors in a multiple logistic regression model for choosing to be vaccinated were: having a vaccinated acquaintance, perceived risk of disease, perceived healthfulness of vaccine, and clinician's recommendation. Knowledge regarding hepatitis B risks and outcomes was not related to vaccine choices. Patients expressed concern about vaccine safety and provider motivation. CONCLUSIONS: The role of acquaintances and the physician are central to the decision to be vaccinated, as are risk perception and familiarity with the vaccine. Mistrust of the medical establishment and of vaccines is a barrier to acceptance of HBV vaccine.


Subjects
Health Knowledge, Attitudes, Practice; Hepatitis B/prevention & control; Patient Acceptance of Health Care; Sexually Transmitted Diseases/prevention & control; Vaccination; Adolescent; Adult; Aged; Female; Hepatitis B Vaccines; Humans; Male; Middle Aged; New York City; Surveys and Questionnaires; Urban Health