Jump to Content
Michael Vrable

Michael Vrable

Authored Publications
Google Publications
Other Publications
Sort By
  • Title
  • Title, desc
  • Year
  • Year, desc
    Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud
    Joe Gibbs Politz
    Úlfar Erlingsson
    Ankur Taly
    Mark Lentczner
    Network and Distributed System Security Symposium, Internet Society (2014)
    Preview abstract Controlled sharing is fundamental to distributed systems; yet, on the Web, and in the Cloud, sharing is still based on rudimentary mechanisms. More flexible, decentralized cryptographic authorization credentials have not been adopted, largely because their mechanisms have not been incrementally deployable, simple enough, or efficient enough to implement across the relevant systems and devices. This paper introduces macaroons: flexible authorization credentials for Cloud services that support decentralized delegation between principals. Macaroons are based on a construction that uses nested, chained MACs (e.g., HMACs) in a manner that is highly efficient, easy to deploy, and widely applicable. Although macaroons are bearer credentials, like Web cookies, macaroons embed caveats that attenuate and contextually confine when, where, by who, and for what purpose a target service should authorize requests. This paper describes macaroons and motivates their design, compares them to other credential systems, such as cookies and SPKI/SDSI, evaluates and measures a prototype implementation, and discusses practical security and application considerations. In particular, it is considered how macaroons can enable more fine-grained authorization in the Cloud, e.g., by strengthening mechanisms like OAuth2, and a formalization of macaroons is given in authorization logic. View details
    BlueSky: a cloud-backed file system for the enterprise
    Stefan Savage
    Geoffrey M. Voelker
    Proceedings of the 10th USENIX conference on File and Storage Technologies, USENIX Association, Berkeley, CA, USA (2012), pp. 19-19
    Difference engine: harnessing memory redundancy in virtual machines
    Diwaker Gupta
    Sangmin Lee
    Stefan Savage
    Alex C. Snoeren
    George Varghese
    Geoffrey M. Voelker
    Amin Vahdat
    Commun. ACM, vol. 53 (2010), pp. 85-93
    Neon: system support for derived data management
    Qing Zhang
    John Mccullough
    Justin Ma
    Nabil Schear
    Amin Vahdat
    Alex C. Snoeren
    Geoffrey M. Voelker
    Stefan Savage
    VEE (2010), pp. 63-74
    Cumulus: Filesystem Backup to the Cloud
    Stefan Savage
    Geoffrey M. Voelker
    Proceedings of the 7th USENIX Conference on File and Storage Technologies, USENIX Association, Berkeley, CA, USA (2009)
    Difference Engine: Harnessing Memory Redundancy in Virtual Machines
    Diwaker Gupta
    Sangmin Lee
    Stefan Savage
    Alex C. Snoeren
    George Varghese
    Geoffrey M. Voelker
    Amin Vahdat
    OSDI (2008), pp. 309-322
    XFI: Software Guards for System Address Spaces
    Úlfar Erlingsson
    Mihai Budiu
    George C. Necula
    OSDI (2006), pp. 75-88
    Brief announcement: the overlay network content distribution problem
    Alex C. Snoeren
    Amin Vahdat
    Joseph Pasquale
    PODC (2005), pp. 98
    Scalability, fidelity, and containment in the potemkin virtual honeyfarm
    Justin Ma
    Jay Chen
    David Moore
    Erik Vandekieft
    Alex C. Snoeren
    Geoffrey M. Voelker
    Stefan Savage
    SOSP (2005), pp. 148-162