Using secure coprocessors to enforce network access policies in enterprise and ad hoc networks

by Xia, Haidong

Nowadays, network security is critically important. Enterprises rely on networks to improve their business. However, network security breaches may cause them loss of millions of dollars. Ad hoc networks, which enable computers to communicate wirelessly without the need for infrastructure support, have been attracting more and more interests. However, they cannot be deployed effectively due to security concerns. Studies have shown that the major network security threat is insiders (malicious or compromised nodes). Enterprises have traditionally employed network security solutions (e.g., firewalls, intrusion detection systems, anti-virus software) and network access control technologies (e.g., 802.1x, IPsec/IKE) to protect their networks. However, these approaches do not prevent malicious or compromised nodes from accessing the network. Many attacks against ad hoc networks, including routing, forwarding, and leader-election attacks, require malicious nodes joining the attacked network too. This dissertation presents a novel solution to protect both enterprise and ad hoc networks by addressing the above problem. It is a hardware-based solution that protects a network through the attesting of a nodes configuration before authorizing the nodes access to the network. Attestation is the unforgeable disclosure of a nodes configuration to another node, signed by a secure coprocessor known as a Trusted Platform Module (TPM). This dissertation makes following contributions. First, several techniques at operating system level (i.e., TCB prelogging, secure association root tripping, and sealing-free attestation confinement) are developed to support attestation and policy enforcement. Second, two secure attestation protocols at network level (i.e., Bound Keyed Attestation (BKA) and Batched Bound Keyed Attestation (BBKA)) are designed to overcome the risk of a man-inthe- middle (MITM) attack. Third, the above techniques are applied in enterprise networks to different network access control technologies to enhance enterprise network security. Fourth, AdHocSec, a novel network security solution for ad hoc networks, is proposed and evaluated. AdHocSec inserts a security layer between the network and data link layer of the network stack. Several algorithms are designed to facilitate nodes attestation in ad hoc networks, including distributed attestation (DA), and attested merger (AM) algorithm.