Your search keyword '"David Lazar"' showing total 4 results

1. What's a Little Leakage Between Friends?

Author

Sebastian Angel, David Lazar, and Ioanna Tzialla

Subjects

FOS: Computer and information sciences, 060201 languages & linguistics, Computer Science - Cryptography and Security, Computer science, Compromise, media_common.quotation_subject, Answering Machine, 06 humanities and the arts, 02 engineering and technology, Adversary, Root cause, Computer security, computer.software_genre, Metadata, Intersection, 0602 languages and literature, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Center (algebra and category theory), Leakage (economics), Cryptography and Security (cs.CR), computer, media_common

Abstract

This paper introduces a new attack on recent messaging systems that protect communication metadata. The main observation is that if an adversary manages to compromise a user's friend, it can use this compromised friend to learn information about the user's other ongoing conversations. Specifically, the adversary learns whether a user is sending other messages or not, which opens the door to existing intersection and disclosure attacks. To formalize this compromised friend attack, we present an abstract scenario called the exclusive call center problem that captures the attack's root cause, and demonstrates that it is independent of the particular design or implementation of existing metadata-private messaging systems. We then introduce a new primitive called a private answering machine that can prevent the attack. Unfortunately, building a secure and efficient instance of this primitive under only computational hardness assumptions does not appear possible. Instead, we give a construction under the assumption that users can place a bound on their maximum number of friends and are okay leaking this information., Appears in WPES 2018. This update contains a minor clarification in Section 4 (last paragraph) and Section 4.1 (first paragraph) over the published version

Published

2018

2. Vuvuzela

Author

Matei Zaharia, Jelle van den Hooff, David Lazar, and Nickolai Zeldovich

Subjects

Traffic analysis, business.industry, Computer science, Encryption, Computer security, computer.software_genre, Metadata, Server, Scalability, Key (cryptography), Differential privacy, The Internet, business, computer

Abstract

Private messaging over the Internet has proven challenging to implement, because even if message data is encrypted, it is difficult to hide metadata about who is communicating in the face of traffic analysis. Systems that offer strong privacy guarantees, such as Dissent [36], scale to only several thousand clients, because they use techniques with superlinear cost in the number of clients (e.g., each client broadcasts their message to all other clients). On the other hand, scalable systems, such as Tor, do not protect against traffic analysis, making them ineffective in an era of pervasive network monitoring.Vuvuzela is a new scalable messaging system that offers strong privacy guarantees, hiding both message data and metadata. Vuvuzela is secure against adversaries that observe and tamper with all network traffic, and that control all nodes except for one server. Vuvuzela's key insight is to minimize the number of variables observable by an attacker, and to use differential privacy techniques to add noise to all observable variables in a way that provably hides information about which users are communicating. Vuvuzela has a linear cost in the number of clients, and experiments show that it can achieve a throughput of 68,000 messages per second for 1 million users with a 37-second end-to-end latency on commodity servers.

Published

2015

3. Mjölnir

Author

Jelle van den Hooff, David Lazar, and James Mickens

Subjects

medicine.medical_specialty, Web development, Web 2.0, business.industry, Computer science, Web application security, computer.software_genre, World Wide Web, Server, medicine, Web application, Mashup, Web service, business, computer, Web modeling

Abstract

Conventional wisdom suggests that rich, large-scale web applications are difficult to build and maintain. An implicit assumption behind this intuition is that a large web application requires massive numbers of servers, and complicated, one-off back-end architectures. We provide empirical evidence to disprove this intuition. We then propose new programming abstractions and a new deployment model that reduce the overhead of building and running web services.

Published

2015

4. Why does cryptographic software fail?

Author

David Lazar, Xi Wang, Nickolai Zeldovich, and Haogang Chen

Subjects

Cryptographic primitive, Computer science, business.industry, Cryptography, Cryptographic protocol, Computer security, computer.software_genre, Software, Weak key, Static key, business, Cryptographic key types, Key management, computer

Abstract

Mistakes in cryptographic software implementations often undermine the strong security guarantees offered by cryptography. This paper presents a systematic study of cryptographic vulnerabilities in practice, an examination of state-of-the-art techniques to prevent such vulnerabilities, and a discussion of open problems and possible future research directions. Our study covers 269 cryptographic vulnerabilities reported in the CVE database from January 2011 to May 2014. The results show that just 17% of the bugs are in cryptographic libraries (which often have devastating consequences), and the remaining 83% are misuses of cryptographic libraries by individual applications. We observe that preventing bugs in different parts of a system requires different techniques, and that no effective techniques exist to deal with certain classes of mistakes, such as weak key generation.

Published

2014