Using Architecture and Abstractions to Design a Security Layer for TLS

Monday, January 28, 2019 - 12:00 pm - 12:30 pm

Daniel Zappala, Brigham Young University


TLS is the primary protocol used to provide security and privacy for Internet traffic. Sadly, there is abundant evidence that developers do not use TLS correctly, due to a morass of poorly-designed APIs, lack of security expertise, and poor adherence to best practices. In this talk, we argue this is a problem of architecture and abstraction. We first demonstrate how a security layer fits into the Internet architecture, between applications and TCP, and how the POSIX socket API is both a convenient and simple abstraction for a TLS interface. We then discuss ramifications for developers, administrators, and OS vendors, focused on two major benefits: (1) developers have a centralized, well-tested service to easily create a secure application in minutes, and (2) system administrators and OS vendors have policy to ensure all applications on a device use best practices. We finish by illustrating how this new abstraction and architecture can simplify two of the most complex parts of TLS—certificate validation and client authentication. We are releasing code for the security layer, including both operating system services and application examples, to stimulate developer and industry interest in this approach.
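To make the architectural argument concrete, here is a small user-space analogue of the security layer described above. It is an added example written for this page, not the talk's code or the BYU project's release; it uses Python's `ssl` module in place of an operating-system service, so it only approximates the design. The application's interface is reduced to "open a secure stream to this host", while everything TLS-specific (minimum version, certificate and hostname validation, client certificates) is decided by a device-wide policy that the application is not allowed to weaken. The policy keys (`min_version`, `verify_peer`, `allow_app_override`, `client_cert`) and the functions `build_context` and `open_secure` are assumptions of this example, not the project's configuration format or API.

```python
"""Added illustration (not the talk's or the project's code): a user-space
analogue of the "security layer" idea. The application asks for a secure
stream by hostname; every TLS decision is made from a device-wide policy
that the application cannot override."""
import socket
import ssl

# Constructed device-wide policy, standing in for what the talk says an
# administrator or OS vendor would set for every application on a device.
# The key names are assumptions for this example, not the project's format.
DEVICE_POLICY = {
    "min_version": "TLSv1.2",
    "verify_peer": True,          # chain + hostname validation, always on
    "allow_app_override": False,  # apps may not weaken the policy
    "client_cert": None,          # e.g. ("client.pem", "client.key") for mTLS
}

_VERSIONS = {
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


class PolicyViolation(Exception):
    """Raised when an application asks for something the policy forbids."""


def build_context(policy=DEVICE_POLICY, app_request=None):
    """Build the SSLContext the layer would use on the application's behalf.

    app_request holds whatever the application asked for; the policy, not
    the application, decides whether any of it is honoured.
    """
    app_request = app_request or {}
    if app_request.get("disable_verification") and not policy["allow_app_override"]:
        # The classic developer mistake (turning verification off) is refused
        # centrally instead of being silently accepted per application.
        raise PolicyViolation("application may not disable certificate verification")

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = _VERSIONS[policy["min_version"]]
    if policy["verify_peer"]:
        # Certificate validation lives in the layer: chain building against
        # the system trust store and hostname matching, with no app code.
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_default_certs()
    else:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    if policy["client_cert"]:
        # Client authentication is likewise configured by policy, so the
        # application never touches key material.
        cert_file, key_file = policy["client_cert"]
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def open_secure(host, port, policy=DEVICE_POLICY, app_request=None, timeout=10):
    """The whole application-facing API: socket()+connect() with nothing
    TLS-specific in the call. Returns a connected, verified TLS socket."""
    ctx = build_context(policy, app_request)
    raw = socket.create_connection((host, port), timeout=timeout)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    # Offline self-check: inspect what the layer would enforce.
    ctx = build_context()
    print("verify:", ctx.verify_mode.name, "hostname:", ctx.check_hostname,
          "min:", ctx.minimum_version.name)
    try:
        build_context(app_request={"disable_verification": True})
    except PolicyViolation as exc:
        print("refused:", exc)
```

The point of the split is that an administrator changes `DEVICE_POLICY` once (for example raising `min_version` to `TLSv1.3` or supplying a client certificate) and every application using `open_secure` picks it up, while an application that tries to opt out of verification gets a `PolicyViolation` rather than an unverified connection. A real implementation at the OS layer, as the talk proposes, would additionally stop an application from bypassing the layer by linking its own TLS library.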

Daniel Zappala, Brigham Young University

Daniel Zappala is the director of the Internet Research Lab at BYU. He is primarily interested in network security and usable security, particularly anywhere that people have to interact with cryptography. Daniel’s recent research includes developing a security layer for TLS, designing better usability for secure messaging apps, and studying mental models of encryption. His students recently won second place in the Facebook Internet Defense Prize and Honorable Mention for Distinguished Paper at SOUPS. Daniel has taught classes on Internet Programming, Networking, Security, Usability, Web Programming, and Western Civilization. He is currently serving on the organizing committees of ACSAC and SOUPS, and on the program committees of USENIX Security and PeTS. Daniel earned his Ph.D. in Computer Science at the University of Southern California and his B.S. in Electrical Engineering at Stanford University. If you visit him, Daniel will make you some great pizza.

@conference {226355,
author = {Daniel Zappala},
title = {Using Architecture and Abstractions to Design a Security Layer for {TLS}},
year = {2019},
address = {Burlingame, CA},
publisher = {USENIX Association},
month = jan
}

Presentation Video