A Secure Environment for Untrusted Helper Applications (Confining the Wily Hacker)


The following paper was originally published in the Proceedings of the Sixth USENIX UNIX Security Symposium, San Jose, California, July 1996.

A Secure Environment for Untrusted Helper Applications (Confining the Wily Hacker)
Ian Goldberg, David Wagner, Randi Thomas, and Eric A. Brewer
Computer Science Division, University of California, Berkeley
{iang,daw,randit,[email protected]}

For more information about the USENIX Association contact: Phone: 510 528-8649; FAX: 510 548-5738; Email: [email protected]; WWW URL: http://www.usenix.org

Abstract

Many popular programs, such as Netscape, use untrusted helper applications to process data from the network. Unfortunately, the unauthenticated network data they interpret could well have been created by an adversary, and the helper applications are usually too complex to be bug-free. This raises significant security concerns. Therefore, it is desirable to create a secure environment to contain untrusted helper applications. We propose to reduce the risk of a security breach by restricting the program's access to the operating system. In particular, we intercept and filter dangerous system calls via the Solaris process tracing facility. This enabled us to build a simple, clean, user-mode implementation of a secure environment for untrusted helper applications. Our implementation has negligible performance impact, and can protect pre-existing applications.

1 Introduction

Over the past several years the Internet environment has changed drastically. This network, which was once populated almost exclusively by cooperating researchers who shared trusted software and data, is now inhabited by a much larger and more diverse group that includes pranksters, crackers, and business competitors. Since the software and data exchanged on the Internet is very often unauthenticated, it could easily have been created by an adversary.

Web browsers are an increasingly popular tool for retrieving data from the Internet. They often rely on helper applications to process various kinds of information. These helper applications are security-critical, as they handle untrusted data, but they are not particularly trustworthy themselves. Older versions of ghostscript, for example, allowed malicious programs to spawn processes and to read or write an unsuspecting user's files [15,18,19,34,36]. What is needed in this new environment, then, is protection for all resources on a user's system from this threat.

Our aim is to confine the untrusted software and data by monitoring and restricting the system calls it performs. We built Janus¹, a secure environment for untrusted helper applications, by taking advantage of the Solaris process tracing facility. Our primary goals for the prototype implementation include security, versatility, and configurability. Our prototype is meant to serve as a proof-of-concept, and we believe our techniques may have a wider application.

¹ Janus is the Roman god of entrances and exits, who had two heads and eternally kept watch over doorways and gateways to keep out intruders.

2 Motivation

2.1 The threat model

Before we can discuss possible approaches to the problem, we need to start by clarifying the threat model. Web browsers and .mailcap files make it convenient for users to view information in a wide variety of formats by de-multiplexing documents to helper applications based on the document format. For example, when a user downloads a Postscript document from a remote network site, it may be automatically handled by ghostview. Since that downloaded data could be under adversarial control, it is completely untrustworthy. We are concerned that an adversary could send malicious data that subverts the document viewer (through some unspecified security bug or misfeature), compromising the user's security. Therefore we consider helper applications untrusted, and wish to place them outside the host's trust perimeter.

We believe that this is a prudent level of paranoia. Many helper programs were initially envisioned as a viewer for a friendly user and were not designed with adversarial inputs in mind. Furthermore, ghostscript implements a full programming language, with complete access to the file system; many other helper applications are also very general. Worse still, these programs are generally big and bloated, and large complex programs are notoriously insecure.² Security vulnerabilities have been exposed in these applications [15,18,19,34,36].

² For instance, ghostscript is more than 60,000 lines of C; and mpeg_play is more than 20,000 lines long.

2.2 The difficulties

What security requirements are demanded from a successful protection mechanism? Simply put, an outsider who has control over the helper application must not be able to compromise the confidentiality, integrity, or availability of the rest of the system, including the user's files or account. Any damage must be limited to the helper application's display window, temporary files and storage, and associated short-lived objects. In other words, we insist on the Principle of Least Privilege: the helper application should be granted the most restrictive collection of capabilities required to perform its legitimate duties, and no more. This ensures that the damage a compromised application can cause is limited by the restricted environment in which it executes. In contrast, an unprotected Unix application that is compromised will have all the privileges of the account from which it is running, which is unacceptable.

Imposing a restricted execution environment on helper applications is more difficult than it might seem. Many traditional paradigms such as the reference monitor and network firewall are insufficient on their own, as discussed below. In order to demonstrate the difficulty of this problem and appreciate the need for a novel solution, we explore several possible approaches.

Building security directly into each helper application: Taking things to the extreme, we could insist all helper applications be rewritten in a simple, secure form. We reject this as completely unrealistic; it is simply too much work to re-implement them. More practically, we could adopt a reactive philosophy, recognizing individual weaknesses as each appears and engineering security patches one at a time. Historically, this has been a losing battle, at least for large applications: for instance, explore the sad tale of the sendmail "bug of the month" [1,2,3,4,8,9,10,11,12,13,14,16]. In any event, attempts to build security directly into the many helper applications would require each program to be considered separately; not an easy approach to get right. For now, we are stuck with many useful programs which offer only minimal assurances of security; therefore what we require is a general, external protection mechanism.

Adding new protection features into the OS: We reject this design for several reasons. First, it is inconvenient. Development and installation both require modifications to the kernel. This approach, therefore, has little chance of becoming widely used in practice. Second, wary users may wish to protect themselves without needing the assistance of a system administrator to patch and recompile the operating system. Third, security-critical kernel modifications are very risky: a bug could end up allowing new remote attacks or allow a compromised application to subvert the entire system. The chances of exacerbating the current situation are too high. Better to find a user-level mechanism so that users can protect themselves, and so that pre-existing access controls can serve as a backup; even in the worst case, security cannot decrease.

The pre-existing reference monitor: The traditional operating system's monolithic reference monitor cannot protect against attacks on helper applications directly. At most, it could prevent a penetration from spreading to new accounts once the browser user's account has been compromised, but by then the damage has already been done. In practice, against a motivated attacker most operating systems fail to prevent the spread of penetration; once one account has been subverted, the whole system typically falls in rapid succession.

The conventional network firewall: Packet filters cannot distinguish between different types of HTTP traffic, let alone analyze the data for security threats. A proxy could, but it would be hard-pressed to understand all possible file formats, interpret the often-complex application languages, and squelch all dangerous data. This would make for a very complex and thus untrustworthy proxy.

We therefore see the need for a new, simple, and general user-level protection mechanism that does not require modification of existing helper applications or operating systems. The usual techniques and conventional paradigms do not work well in this situation. We hope that the difficulty of the problem and the potential utility of a solution should help to motivate interest in our project.

[...] application should have access, or to which hosts it should be allowed to open a TCP connection. In fact, our program ought to be configurable in this way even on a per-user or per-application basis.
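The decision logic behind a Janus-style system call filter, as an added example that is not code from the paper or from Janus itself: a default-deny policy listing which paths a helper may read or write and which hosts it may open TCP connections to, applied to a constructed trace of intercepted calls. The policy line format, the rule names, and the sample trace are all assumptions for this example (not the syntax of the real Janus configuration file), and the example models only the allow/deny decision, not the Solaris process tracing that would actually stop the call.

```python
"""Janus-style default-deny policy check for system calls of an untrusted helper."""
from __future__ import annotations

import fnmatch
import posixpath
from dataclasses import dataclass, field

# Constructed policy (assumed format, not the original Janus syntax).
# Anything not listed is denied: least privilege means default deny.
POLICY_TEXT = """
# helper may read shared libraries and the document it was handed
path allow read /usr/lib/*
path allow read /tmp/helper/*
path allow write /tmp/helper/*
# helper may only talk back to the site the document came from
net allow connect www.example.org 80
# harmless process bookkeeping
syscall allow getpid exit
"""


@dataclass
class Policy:
    path_rules: list[tuple[str, str]] = field(default_factory=list)  # (mode, glob)
    net_rules: set[tuple[str, int]] = field(default_factory=set)     # (host, port)
    syscalls: set[str] = field(default_factory=set)


def parse_policy(text: str) -> Policy:
    pol = Policy()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        kind, verb, *args = line.split()
        if verb != "allow":
            raise ValueError(f"only 'allow' rules exist; got {verb!r}")
        if kind == "path":
            mode, pattern = args
            pol.path_rules.append((mode, pattern))
        elif kind == "net":
            op, host, port = args
            if op != "connect":
                raise ValueError(f"unknown net operation {op!r}")
            pol.net_rules.add((host, int(port)))
        elif kind == "syscall":
            pol.syscalls.update(args)
        else:
            raise ValueError(f"unknown rule kind {kind!r}")
    return pol


def canonical(cwd: str, path: str) -> str:
    """Resolve relative paths and '..' against the traced process's cwd, so that
    '/tmp/helper/../../etc/passwd' is judged as '/etc/passwd', not by its prefix."""
    return posixpath.normpath(posixpath.join(cwd, path))


def path_allowed(pol: Policy, mode: str, cwd: str, path: str) -> bool:
    full = canonical(cwd, path)
    return any(m == mode and fnmatch.fnmatchcase(full, pat) for m, pat in pol.path_rules)


@dataclass
class TracerState:
    cwd: str = "/tmp/helper"   # the monitor must track chdir to resolve later paths


def decide(pol: Policy, state: TracerState, call: tuple) -> bool:
    """Return True if the intercepted call is permitted by the policy."""
    name, *args = call
    if name == "open":
        path, mode = args
        return path_allowed(pol, mode, state.cwd, path)
    if name == "chdir":
        (path,) = args
        ok = path_allowed(pol, "read", state.cwd, path)
        if ok:
            state.cwd = canonical(state.cwd, path)
        return ok
    if name == "connect":
        host, port = args
        return (host, port) in pol.net_rules
    return name in pol.syscalls     # fork, exec, etc. are denied unless listed


def filter_trace(pol: Policy, trace: list[tuple], cwd: str = "/tmp/helper") -> list[tuple[str, bool]]:
    state = TracerState(cwd)
    return [(call[0], decide(pol, state, call)) for call in trace]


# Constructed trace of calls a compromised viewer might attempt.
SAMPLE_TRACE = [
    ("open", "/usr/lib/libc.so", "read"),               # allowed
    ("open", "doc.ps", "read"),                         # relative, resolves under /tmp/helper
    ("open", "/tmp/helper/../../etc/passwd", "read"),   # traversal out of the sandbox
    ("open", "/home/user/.rhosts", "write"),            # no write rule outside /tmp/helper
    ("chdir", "/usr/lib/X11"),                          # allowed; cwd now changes
    ("open", "../../../etc/shadow", "read"),            # resolves to /etc/shadow
    ("open", "libX11.so", "read"),                      # resolves to /usr/lib/X11/libX11.so
    ("connect", "www.example.org", 80),                 # listed host and port
    ("connect", "www.example.org", 25),                 # wrong port
    ("getpid",),                                        # listed syscall
    ("fork",),                                          # unlisted: spawning processes is denied
]

if __name__ == "__main__":
    for name, ok in filter_trace(parse_policy(POLICY_TEXT), SAMPLE_TRACE):
        print(f"{name:8s} {'allow' if ok else 'DENY'}")
```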