David Naylor
Architectural Support for Managing Privacy Tradeoffs in the Internet

Degree Type: Ph.D. in Computer Science
Advisor(s): Peter Steenkiste
Graduated: August 2017

Abstract:

Using a communication network entails an inherent privacy risk: packets cross an infrastructure maintained by several parties other than the sender and receiver, each of which has the opportunity to observe the packets as they are processed and forwarded. This poses a risk because packets carry information that users might rather keep private, namely: (1) the source address, which exposes the sender, (2) the destination address, which exposes the recipient, and (3) the body, which can expose user data. Beyond the information explicitly carried by the packet, observers can also learn sensitive things merely from the fact that a packet happened to be in a certain place at a certain time. All of this information is often divided into two categories: data (the actual message being communicated, e.g., the contents of an email) and metadata (information about the communication, e.g., "A emailed B at 12:07 today").

Fortunately, we have tools, widely used in practice, to protect this information. Unfortunately, these tools tend to make aggressive trade-offs, sacrificing other desirable properties for the sake of privacy. For example, to protect data, the use of encryption is widespread–on the Web, for instance, many sites have switched from HTTP to HTTPS. Unfortunately, encryption blinds middleboxes, which can lead to a loss of functionality, performance, and even security. And to protect metadata, anonymous communication systems like Tor reduce accountability by preventing network operators from learning who sent a packet and also often introduce performance overheads.

These "privacy vs. X" tussles seem fundamental, because privacy requires hiding information like source addresses and payloads, while the other properties–performance, accountability, functionality, and security–require exposing that information. How can we do both? In this thesis, we argue first that a practical balance is possible if we carefully control access to packet data and metadata and second that this requires architectural support from the network.

We make this argument in two parts. First, we show how to keep in-flight data private while at the same time allowing middleboxes like caches, compression proxies, and intrusion detection systems to operate. We motivate, design, and evaluate two protocols for secure communication that includes middleboxes, each one granting data access only to middleboxes explicitly trusted by an endpoint and also limiting the scope of what those middleboxes can do with that data. With fully-functional implementations, we show that these protocols are deployable and have minimal performance overhead.

Second, we show how re-thinking the way the network treats source addresses can enable a balance between privacy and accountability that is not possible today. We present the design of a new network architecture that separates source addresses into distinct "accountability" and "return" addresses and show with trace-driven analysis that the performance overhead is reasonable. In order to compare our new architecture to related work, we also develop an evaluation methodology for quantifying "how private" a network architecture is.

Thesis Committee:
Peter Steenkiste (Chair)
Vyas Sekar
Srini Seshan
Dave Oran (Network Systems Research & Design, MIT Media Lab)
Adrian Perrig (ETH Zürich)

Frank Pfenning, Head, Computer Science Department
Andrew W. Moore, Dean, School of Computer Science

Keywords: Networks, privacy, anonymity, secrecy, accountability, TLS, HTTPS, encryption, middleboxes, trusted computing, SGX

CMU-CS-17-116.pdf (19.54 MB) (206 pages)