March 1, 2019
Presenter: Reza Curtmola, Associate Professor, New Jersey Institute of Technology
Date: Friday, March 1
Location: HBL Video Theatre 2
On the security of cloud storage systems and software supply chains
In this presentation, we review two of our recent projects. First, we consider the security of cloud storage systems, a topic that was identified as a top concern due to the untrusted nature of cloud storage providers. Such systems lack a basic guarantee: proving data possession upon a user's request. We introduce a model for remote data integrity checking (RDIC) which allows a client that has stored data at an untrusted server to verify that the server possesses the original data. We present provably-secure RDIC schemes that have low (or even constant) overhead at the server and minimize network communication by transmitting a small, constant amount of data for every challenge/response. This revolutionizes the ability of users to outsource large data sets by providing a previously-unattainable degree of performance and scalability in verifying the health of external data repositories. In subsequent work, we refined this initial result by extending it from a single-server to a more realistic multiple-server distributed setting, and by minimizing the involvement of the data owner whenever damaged data needs to be repaired.
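To make the RDIC challenge/response model concrete, the following is an added illustration (not the speaker's scheme and not code from the talk): a textbook private-verification construction built on a linearly homomorphic MAC over a prime field. The client tags each block as t_i = f_key(i) + alpha * m_i (mod P), ships blocks and tags to the server, and afterwards keeps only the key, alpha and the block count. Every audit sends a handful of (index, coefficient) pairs and receives exactly two field elements back, whatever the size of the file. The modulus, block size, and the sample file are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

P = (1 << 127) - 1      # prime modulus of the tag field (Mersenne prime 2^127 - 1); assumption
BLOCK_SIZE = 15         # bytes per block, so every block value is < 2^120 < P; assumption
_rng = secrets.SystemRandom()


def prf(key: bytes, index: int) -> int:
    """Keyed pseudorandom function f_key(index) into Z_P, built from HMAC-SHA256."""
    mac = hmac.new(key, index.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % P


def split_blocks(data: bytes) -> list:
    """Zero-pad the file and cut it into fixed-size integer blocks."""
    padded = data + b"\x00" * (-len(data) % BLOCK_SIZE)
    return [int.from_bytes(padded[i:i + BLOCK_SIZE], "big")
            for i in range(0, len(padded), BLOCK_SIZE)]


class Client:
    """Data owner: after outsourcing it keeps only a secret key, alpha and the block count."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.alpha = _rng.randrange(1, P)   # secret multiplier of the homomorphic MAC
        self.num_blocks = 0

    def outsource(self, data: bytes):
        """Tag block i as t_i = f_key(i) + alpha * m_i (mod P); ship blocks and tags to the server."""
        blocks = split_blocks(data)
        tags = [(prf(self.key, i) + self.alpha * m) % P for i, m in enumerate(blocks)]
        self.num_blocks = len(blocks)
        return blocks, tags

    def challenge(self, indices=None, count=4):
        """Spot-check `count` random blocks (or the given indices), each with a fresh coefficient nu_i."""
        if indices is None:
            indices = sorted(_rng.sample(range(self.num_blocks), count))
        return [(i, _rng.randrange(1, P)) for i in indices]

    def verify(self, chal, mu: int, sigma: int) -> bool:
        """Accept iff sigma == sum(nu_i * f_key(i)) + alpha * mu (mod P); needs no access to the file."""
        expected = (sum(nu * prf(self.key, i) for i, nu in chal) + self.alpha * mu) % P
        return expected == sigma % P


class Server:
    """Untrusted storage provider: holds blocks and tags, answers a challenge with two field elements."""

    def __init__(self, blocks, tags):
        self.blocks = list(blocks)
        self.tags = list(tags)

    def respond(self, chal):
        mu = sum(nu * self.blocks[i] for i, nu in chal) % P       # aggregated data
        sigma = sum(nu * self.tags[i] for i, nu in chal) % P      # aggregated tag
        return mu, sigma                                          # size independent of the file


def audit(client: Client, server: Server, indices=None, count=4) -> bool:
    """One challenge/response round, returning the client's verdict."""
    chal = client.challenge(indices, count)
    mu, sigma = server.respond(chal)
    return client.verify(chal, mu, sigma)


def demo() -> dict:
    """Honest server passes; lost data is caught only if a challenged block is affected; forgery fails."""
    data = b"constructed sample file contents " * 40      # constructed input, 88 blocks
    client = Client()
    blocks, tags = client.outsource(data)

    honest = Server(blocks, tags)

    damaged = Server(blocks, tags)          # silently lost block 7 but kept its tag
    damaged.blocks[7] = 0

    class Forger(Server):                   # holds nothing and guesses a response
        def respond(self, chal):
            return _rng.randrange(P), _rng.randrange(P)

    return {
        "honest_passes": audit(client, honest),
        "damage_caught_when_block_7_challenged": audit(client, damaged, indices=[3, 7, 11]),
        "damage_missed_when_block_7_not_challenged": audit(client, damaged, indices=[3, 4, 11]),
        "forgery_rejected": audit(client, Forger(blocks, tags)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'fail'}")
```

The "damage missed" case is the point of spot-checking: a server that has damaged t of n blocks evades a challenge over c distinct blocks with probability at most (1 - t/n)^c, so a few hundred challenged blocks detect 1% damage with about 99% probability, while the response stays two field elements. Only the key holder can verify here (private verification); publicly verifiable variants and the multi-server repair setting mentioned in the abstract are outside this example.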
We then turn our attention to the security of software supply chains, a topic that is dramatically overlooked today despite numerous recent incidents that show attacks can happen at any point in the software chain. We have designed and implemented in-toto, a novel framework that provides end-to-end guarantees about a software supply chain and, at the same time, provides insights about the processes that occurred in the various steps of the chain. in-toto is the first security mechanism that protects software from the point when the developer commits the code until the end user installs it. in-toto is currently being deployed into several real-world open source and commercial systems. In addition to addressing the security of a software supply chain as a whole, we have also worked on improving the security of individual steps of the chain. We discuss two such examples, one targeting the popular Git version control system and the other targeting Web-based Git hosting services such as GitHub.
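The end-to-end guarantee in-toto aims for rests on three ideas: a layout from the project owner naming each step and the functionary allowed to perform it, link metadata in which each functionary records the hashes of what a step consumed (materials) and produced (products), and a verifier on the user's side that checks every link and that artifacts flow unbroken from one step to the next. The following is an added illustration of that model, not in-toto's own code or file formats. Assumptions: links are authenticated with HMAC under per-functionary secret keys held by the verifier (real in-toto uses public-key signatures, and the layout itself is signed by the project owner), and a single simplified rule requires every step's materials to equal the previous step's products in place of in-toto's per-artifact rules; all keys and artifacts are constructed for the example.

```python
import hashlib
import hmac
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic encoding so the authenticator covers exactly the recorded metadata."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def authenticate(body: dict, key: bytes) -> str:
    # Stand-in for a signature (assumption): HMAC under a key the verifier also holds.
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def make_link(step: str, materials: dict, products: dict, key: bytes) -> dict:
    """Link metadata a functionary records after a step: hashes of what went in and came out."""
    body = {
        "step": step,
        "materials": {name: sha256(data) for name, data in materials.items()},
        "products": {name: sha256(data) for name, data in products.items()},
    }
    return {"body": body, "tag": authenticate(body, key)}


def verify_chain(layout: dict, links: dict, delivered: dict):
    """End-user check: each layout step has a link authenticated by the named functionary,
    each step consumed exactly what the previous step produced, and the delivered
    artifact is the last step's product. Returns (ok, reason)."""
    keys = layout["keys"]
    prev_products = None
    for step in layout["steps"]:
        name = step["name"]
        link = links.get(name)
        if link is None:
            return False, f"no link metadata for step '{name}'"
        expected_tag = authenticate(link["body"], keys[step["functionary"]])
        if not hmac.compare_digest(expected_tag, link["tag"]):
            return False, f"link for '{name}' was not produced by functionary '{step['functionary']}'"
        body = link["body"]
        if body["step"] != name:
            return False, f"link claims step '{body['step']}', layout expects '{name}'"
        if prev_products is not None and body["materials"] != prev_products:
            return False, f"materials of '{name}' differ from products of the previous step"
        prev_products = body["products"]
    if {n: sha256(d) for n, d in delivered.items()} != prev_products:
        return False, "delivered artifact is not the final step's product"
    return True, "ok"


def demo() -> dict:
    keys = {"alice": b"constructed-key-alice", "bob": b"constructed-key-bob",
            "carol": b"constructed-key-carol"}                     # constructed keys
    layout = {
        "steps": [
            {"name": "clone", "functionary": "alice"},
            {"name": "build", "functionary": "bob"},
            {"name": "package", "functionary": "carol"},
        ],
        "keys": keys,
    }
    source = {"main.c": b"int main(void) { return 0; }\n"}          # constructed artifacts
    binary = {"app": b"\x7fELF constructed build output"}
    tarball = {"app.tar": b"constructed tarball containing app"}
    trojan = {"app": b"\x7fELF backdoored build output"}

    honest = {
        "clone": make_link("clone", {}, source, keys["alice"]),
        "build": make_link("build", source, binary, keys["bob"]),
        "package": make_link("package", binary, tarball, keys["carol"]),
    }
    # Binary replaced on the way from the build server to the packager.
    swapped = dict(honest, package=make_link("package", trojan, tarball, keys["carol"]))
    # Build step carried out by someone who is not the functionary the layout authorizes.
    rogue = dict(honest, build=make_link("build", source, trojan, b"attacker-key"))
    # Build step skipped entirely.
    missing = {k: v for k, v in honest.items() if k != "build"}

    return {
        "honest": verify_chain(layout, honest, tarball)[0],
        "swapped_binary": verify_chain(layout, swapped, tarball)[0],
        "rogue_builder": verify_chain(layout, rogue, tarball)[0],
        "substituted_download": verify_chain(layout, honest, {"app.tar": b"not what was packaged"})[0],
        "missing_step": verify_chain(layout, missing, tarball)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Each rejected case maps to an attack on a different point of the chain: tampering with an artifact in transit between steps, an unauthorized party performing a step, substituting what the user downloads, and omitting a step. The verifier needs the layout and the functionaries' keys from a trusted source; with this design a compromise of any one step shows up as a break in the chain rather than going unnoticed.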
Reza Curtmola is a Computer Science professor and Co-director of the Cybersecurity Research Center at the New Jersey Institute of Technology (NJIT). His research interests are in information and network security, software security, applied cryptography, and cybersecurity education. He is the recipient of the NSF CAREER award for research in securing cloud services. His research has been funded by the NSF and DARPA. He holds a PhD degree in Computer Science and an MS degree in Security Informatics, both from the Johns Hopkins University. He led the effort to certify NJIT as a Center of Academic Excellence in Cyber Defense Education by the NSA/DHS and, as co-PI, brought the NSF CyberCorps Scholarship for Service program to NJIT.