Link to the University of Pittsburgh Homepage
Link to the University Library System Homepage Link to the Contact Us Form

Using secure coprocessors to enforce network access policies in enterprise and ad hoc networks

Xia, Haidong (2008) Using secure coprocessors to enforce network access policies in enterprise and ad hoc networks. Doctoral Dissertation, University of Pittsburgh. (Unpublished)

Primary Text

Download (789kB) | Preview


Nowadays, network security is critically important. Enterprises rely on networks to improvetheir business. However, network security breaches may cause them loss of millions of dollars.Ad hoc networks, which enable computers to communicate wirelessly without the need forinfrastructure support, have been attracting more and more interests. However, they cannotbe deployed effectively due to security concerns.Studies have shown that the major network security threat is insiders (malicious orcompromised nodes). Enterprises have traditionally employed network security solutions(e.g., firewalls, intrusion detection systems, anti-virus software) and network access controltechnologies (e.g., 802.1x, IPsec/IKE) to protect their networks. However, these approachesdo not prevent malicious or compromised nodes from accessing the network. Many attacksagainst ad hoc networks, including routing, forwarding, and leader-election attacks, requiremalicious nodes joining the attacked network too.This dissertation presents a novel solution to protect both enterprise and ad hoc networksby addressing the above problem. It is a hardware-based solution that protects a networkthrough the attesting of a node's configuration before authorizing the node's access to thenetwork. Attestation is the unforgeable disclosure of a node's configuration to another node,signed by a secure coprocessor known as a Trusted Platform Module (TPM).This dissertation makes following contributions. First, several techniques at operatingsystem level (i.e., TCB prelogging, secure association root tripping, and sealing-free attestation confinement) are developed to support attestation and policy enforcement. Second, two secure attestation protocols at network level (i.e., Bound Keyed Attestation (BKA) andBatched Bound Keyed Attestation (BBKA)) are designed to overcome the risk of a man-inthe-middle (MITM) attack. Third, the above techniques are applied in enterprise networks todifferent network access control technologies to enhance enterprise network security. Fourth,AdHocSec, a novel network security solution for ad hoc networks, is proposed and evaluated. AdHocSec inserts a security layer between the network and data link layer of the networkstack. Several algorithms are designed to facilitate node's attestation in ad hoc networks,including distributed attestation (DA), and attested merger (AM) algorithm.


Social Networking:
Share |


Item Type: University of Pittsburgh ETD
Status: Unpublished
CreatorsEmailPitt UsernameORCID
ETD Committee:
TitleMemberEmail AddressPitt UsernameORCID
Committee ChairBrustoloni, Jose'
Committee MemberAmer,
Committee MemberJoshi, James B.D.jjoshi@sis.pitt.eduJJOSHI
Committee MemberMelhem, Ramimelhem@cs.pitt.eduMELHEM
Date: 16 June 2008
Date Type: Completion
Defense Date: 7 April 2008
Approval Date: 16 June 2008
Submission Date: 22 March 2008
Access Restriction: No restriction; Release the ETD for access worldwide immediately.
Institution: University of Pittsburgh
Schools and Programs: Dietrich School of Arts and Sciences > Computer Science
Degree: PhD - Doctor of Philosophy
Thesis Type: Doctoral Dissertation
Refereed: Yes
Uncontrolled Keywords: ad hoc network; enterprise network; network security; policy; security; TCG; TPM
Other ID:, etd-03222008-181915
Date Deposited: 10 Nov 2011 19:32
Last Modified: 15 Nov 2016 13:37


Monthly Views for the past 3 years

Plum Analytics

Actions (login required)

View Item View Item