special focus issue: security · the normal user: don’t get or look at it. for the government,...
TRANSCRIPT
THE MAGAZINE OF USENIX amp SAGENovember 2001 bull Volume 26 bull Number 7
insideCONFERENCE REPORTS
10th USENIX Security Symposium
The Advanced Computing Systems Association amp
The System Administrators Guild
amp
Special Focus Issue SecurityGuest Editor Rik Farrow
4 Vol 26 No 7 login
conference reports10th USENIX Security SymposiumWASHINGTON DCAUGUST 13ndash17 2001KEYNOTE
WEB-ENABLED GADGETS CAN WE TRUST THEM
Richard M Smith CTO The PrivacyFoundation
Summarized by George M Jones
Richard Smith started off by saying thatwhat he primarily does is ldquocause prob-lemsrdquo mostly for companies that havenot thought through the security impli-cations of products that they havereleased They often ldquodiscover unin-tended consequences that companiesdonrsquot like to talk aboutrdquo The three mainareas they consider are security privacyand control
He stated thatldquoconsumerscare moreabout thesecurity ofcell phonesthan aboutWeb serversrdquobecause cellphones arepersonaldevices with
which consumers have immediate con-nections Application developers andcompanies are more concerned withfunctionality than security Productssuch as consumer devices based on real-time operating systems tend to havelower concerns for security
Smith said that DirecTV was the firstconsumer device that got his interestabout privacy issues It had a phone jackWhat information was it sending backLater a call to customer service on a dif-ferent issue revealed that the customerservice people were able to send com-mands (via satellite) to turn his TV on
Is this a good thing Still another timethe company apparently chose to ldquoadver-tiserdquo new services by causing the TV totune to a soft-porn channel which hehad not subscribed to or selected
Earlier this year just before the SuperBowl the company downloaded a pro-gram to all DirecTV boxes The goal wasto disable black market devices used topirate programming It succeeded Butwhat if they had made a mistake Whatif they had disabled service for legiti-mate customers Who in fact owns theboxes DirecTV clearly did not own theblack-market devices Did the com-panyrsquos actions constitute ldquohackingrdquo Didthe terms of service allow them to repro-gram the legitimate boxes
It turns out that DirecTV was not send-ing back ldquoNielsenrdquo information just a lotof information about the temperatureinside the box Their competitor Tivodoes send in ldquoNielsenrdquo info You have toexplicitly opt out by calling customerservice
Wersquore entering a brave new world ofconnected devices A company calledSports Barn sold a strap-on device thatmonitored your daily exerciseand thenuploaded it via phone to their Web siteto create a ldquopersonal profilerdquo (which ofcourse would never be used for market-ing or other) purposes One could havegotten the same effect by uploading to aPC without disclosing personal informa-tion and there are inexpensive stand-alone devices available at sports shopsthat do similar things But to maintain arecord you might have to (gasp) writethings on paper the price of privacyOh the company just went out of busi-ness Many formerly happy customersnow have worthless devices Similarthings could never happen with sub-scription software licensing could itSoftware companies never go out ofbusiness get bought out refocus onnewer products or have turnover or lossof support staff
This issuersquos reports are on the 10thUSENIX Security Symposium
OUR THANKS TO THE SUMMARIZERS
TAKEAKI CHIJIIWA
SAMEH ELNIKETY
KEVIN FU
RACHEL GREENSTADT
YONG GUAN
ANCA IVAN
GEORGE M JONES
STEFAN KELM
DAVID RICHARD LAROCHELLE
ROSS OLIVER
EVAN SARMIENTO
COLE TUCKER
MIKE VERNAL
SAM WEILER
Richard M Smith
Ever considered plugging your pictureframes into the phone Kodak wants youto so that you can ldquoregisterrdquo your digitalpictures Of course yoursquoll pay a recur-ring subscription fee to do so Andtheyrsquoll never share your private pictureswith anyone either their servers neverget hacked and all their employees areintimately familiar with their informa-tion security policies and actively makeit their top priority each day to followthem
Want free wireless Internet access Seethe Global Access Wireless Database athttpwwwshmoocomgawd Want tosee what your neighbors and coworkersare doing 80211 is your friend At leastone non-USENIX conference personwas observed using the USENIX wirelessnetwork at the symposium
Convergence is a good thing rightFewer devices more functionality lowercost but do you really want someoneusing the cell phone API in your combophonepalm pilot to run a program that(1) turns off the speaker (2) places acall and (3) turns on the microphoneYour phone is now a bugging device inaddition to a tool for pinpointing yourlocation at all times Personally Irsquoll stickwith dumb one-way pagers and onlyturn my phone on when I want to makea call (and announce my location)
Do you ever store personallow-sensitiv-ity data and businesshigh-sensitivityinformation on say a palm pilot a lap-top computer or a home computer con-nected to public networks Mudge andKingpin of stake pointed out in a latertalk (dressed in bathrobes to protesttheir 9 am speaking slot) that PalmOShas serious security problems Cablemodem providers do not generally pro-vide securityfirewall services Laptopsare routinely stolen (the laptop that wasbeing used as the gatewayrouter for theconference terminal room disappearedovernight and one of the terminal-roomattendants stopped someone who
5November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sattempted to walk out with its replace-ment in broad daylight) Informationsecurity management issues that wereonce handled by trained security profes-sionals in controlled centralized envi-ronments are now the problem of yourgrandmother Joe Six-pack and yourCEO
Do you ever speed in a rental car In theQampA session Rik Farrow noted that atleast one person has been fined by therental car company for doing so Thecompany installed GPS devices in all itrsquoscars that enable it to track down stolencarsand tell how fast you go Anyguesses how long it will be before lawenforcement and insurance companiespush for legislation requiring suchdevices in all new cars
Steve Bellovin noted that during the talkthere had been multiple nmaps of thewireless net and an ongoing battle foraddress of the default router (Dug Songof dsniff fame was in the room)
And lastly true confessions mdash Smithadmitted that he has not turned on WEPon his own wireless net at home
And the beat goes on
INVITED TALKS
A MAZE OF TWISTY LITTLE STATUTES ALL
ALIKE THE ELECTRONIC COMMUNICATIONS
PRIVACY ACT OF 1986 (AND ITS APPLICA-TION TO NETWORK SERVICE PROVIDERS)
Mark Eckenwiler US Department ofJustice
Summarized by Cole Tucker
The Electronic Communications PrivacyAct of 1986 has a reputation for com-plexity Mark Eckenwiler gave an expres-sive overview of the law primarily fromthe viewpoint of a system administra-torprovider Basically the act covers the relationship between providers andcustomers and providers and the gov-ernment It tries to allow for communi-cation privacy while keeping in mind
that online records are the key to prose-cuting network criminals
The law distinguishes four types of envi-ronments based on whether the data iscontent or transactional in nature andwhether itrsquos being intercepted in realtime or after itrsquos been stored The classthat receives the most protection real-time content has a very basic rule forthe normal user donrsquot get or look at itFor the government the rule is nearly assimple donrsquot get it without a wiretaporder Providers arenrsquot supposed to lookat it unless theyrsquore in the process of pro-tecting their rights and property So ifyoursquore a regular user donrsquot run an unau-thorized sniffer If yoursquore representing aprovider under Eckenwilerrsquos interpreta-tion feel free to run an IDS or even akeystroke logger in real time you can beproactive in defending yourself Otherexceptions are made for publicly accessi-ble systems such as IRC or if all partiesconsent say in a system that has a ban-ner stating that use implies consent tomonitoring As a provider if you have alegitimate need to monitor therersquos noreason to worry
The second class of data consists oftransactional records being interceptedin real time For providers and users therules remain nearly the same hands offfor the latter and have a good reason forthe former The standards have beenlowered for the government so thisinformation is essentially ldquoless privaterdquoFor access to this data the governmentsimply needs a court order Examples ofdata that fall under this are addressesattached to incoming emails and infor-mation on where users are connectingfrom and whether they are online
Next comes stored content Eckenwilerreferred to this section as ldquoDichotomieslsquoRrsquo Usrdquo basically each situation has dif-ferent rules that apply with way toomany to generalize here
Finally there are stored transactionalrecords Users hands off Providers are
allowed to reveal this information toanyone they like except for the govern-ment In respect to the governmentthere are two classes of data basic userdata and non-contact info Basic userdata (things like name address andphone number) is accessible with a sub-poena and thus not strongly protectedEverything else requires a 2703(d) war-rant to access but providers can be senta court order requiring they hold on tothe data for a specified amount of timeusually in expectation of a warrant beingserved in the near future
LOANING YOUR SOUL TO THE DEVIL INFLU-ENCING POLICY WITHOUT SELLING OUT
Matt Blaze ATampT Labs-Research
Summarized by George M Jones
Matt Blaze commented on the publicdebate over cryptology thatrsquos taken placeover the past 10 years or so He includedamusing stories of ldquohacker tourismrdquoincluding nine cryptography experts allindependently trying to score ldquocoolrdquopoints by stealing stationery from secretcongressional briefing rooms and NOTopening a red folder marked ldquoTOPSECRET Presidentrsquos Daily NationalSecurity Briefingrdquo when left alone in aconference room in the old executiveoffice building
What can a scientisttechie contribute tothe public policy debate His mainadvice is ldquostick to what you knowrdquo (sci-encetechnology) ldquoYou are listened tobecause people believe you have objec-tivityThe basic purpose of science andengineering is to expand understandingof realitytruth with no compromisesrdquoYou are not there to comment on philos-ophy politics or constitutional law
He gave an amazingly insightful list ofthe contrasting values of science andpolitics)
Science is interested in findingtruth Politics is about balancinginterests
6 Vol 26 No 7 login
In science people are rewarded fornew discoveries Disruptiveness isconsidered good In politics peopleare rewarded for making other peo-ple happy Disruptiveness is consid-ered bad
In science uncompromising peopleare admired in politics uncompro-mising people are considered fools
In science ldquohonestyrdquo means admit-ting mistakes in politics it meanskeeping promises
In science challenging someoneshows interest in politics a chal-lenge is an attack
In science there is no ldquodress coderdquoin politics even suits can be consid-ered ldquocasualrdquo (and thus cause younot to be taken seriously)
The policy options range from discour-agingforbidding its use allowing lim-ited strength crypto allowing use ofstrong modern cryptographic methodsand encouraging use In the last fewyears the US has moved mostly from thefirst to the third stage
The tone of thedebate has alsochanged andincludes more actualdialogue We nolonger have one sideyelling ldquoYoursquore abunch of long-haired hippiesrdquo andthe other yellingldquoYoursquore a bunch of
jack-booted thugsrdquo Now itrsquos just ldquoyoursquorea bunch of hippiesrdquo vs ldquoyoursquore a bunchof thugsrdquo See for instance ldquoThou shaltuse skipjackclipperrdquo vs the process forselecting AES
ldquoWashington DC is another planet aclosed systemrdquoldquoMuch of what happenshere is for showrdquoldquoAny meeting with apolicy maker involves a little conspiracyto make each other feel importantrdquoldquoMeetings with congressional staffers
always end with the question lsquoWhat doyou suggest we dorsquordquo Stick to what youknow
COPS ARE FROM MARS SYSADMINS ARE
FROM PLUTO DEALING WITH LAW ENFORCE-MENT
Tom Perrine San Diego SupercomputerCenter
Summarized by Ross Oliver
Tom Perrine described some of his expe-riences with law enforcement peopleand discussed his recommendations forother sysadmins who may need to inter-act with law enforcement
Like system administration law enforce-ment is a culture as well as an occupa-tion with its own lingo inside jokes etcThere are also many different lawenforcement agencies federal state citycounty military and customs Evenschools and universities often have theirown police force
Throughout the talk Perrine empha-sized the importance of trust in individ-uals rather than organizations Just as inany large organization there are ldquoclue-fulrdquo and not ldquocluefulrdquo members andbuilding personal relationships is keyAlso realize that the goals and prioritiesof law enforcement may be differentfrom yours
Because they are ldquoagents of the govern-mentrdquo law enforcement officers havemany legal constraints on their actionsthat may not apply to private citizensSysadmins can take advantage of ldquoISPexemptionsrdquo in the law to take ldquoany stepsnecessary to protect the communica-tions systemrdquo
Perrine recommends that sysadminsbecome familiar with applicable laws(both federal and state) before the needto apply them arises Advice of qualifiedlegal counsel is strongly recommendedAlso make sure your organizationrsquos poli-cies are suitable and adhere to themduring any investigation
Matt Blaze
READING BETWEEN THE LINES LESSONS
FROM THE SDMI CHALLENGE
Summarized by Rachel Greenstadt
Scott A Craver Min Wu and Bede LiuPrinceton University Adam Stubble-field Ben Swartzlander and Dan SWallach Rice University Drew Deanand Edward W Felten Princeton Uni-versity
Program Chair Dan Wallach introducedthis talk as being a long time in the mak-ing and mentioned that he was pleasedto have it here However he stressed thatthis first section would be a normal bor-ing technical talk THEN there would bea panel discussion where policy ques-tions would be allowed Matt Blazeasked when the subpoenas would beserved however despite the large massof press and lawyers that joined theUSENIX attendees there was no last-minute withdrawal of the talk this timeand no FBI agents came to cart ScottCraver away as he gave his talk
Craver began by describing the chal-lenge which took place during threeweeks in September and October of2000 SDMI (Secure Data Music Initia-tive) invited ldquohackersrdquo otherwise knownas the general public to crack six of theirproposed technologies labeled Athrough F There were four watermark-ing technologies and two others SDMIoffered a cash prize for the successfuldefeat of one of their technologies butthis required the winners to sign a Non-Disclosure Agreement so the Feltengroup decided to forego the prize infavor of publishing their findings
SDMI is an organization an initiativeand the technology for that initiative Atthe time of the challenge that technol-ogy was watermarking and related tech-nologies The watermarks (technologiesA B C and F) were composed of arobust and a fragile component therobust part of which would survivealtered music Through a missing water-mark in the fragile component such as
7November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sif it had been mp3 compressed anSDMI device could perhaps determine ifa CD track was ever an mp3 in the pastperhaps illegally downloaded The othertechnologies (D and E) were used tosign tables of contents supposedly tocontrol the propagation of CDs withmixed tracks
For the watermarking technologies therewere three samples given (1) a soundclip without a watermark (2) the samesample with a watermark and (3) a dif-ferent sound clip with a watermark Thechallenge was to remove the watermarkfrom the third sound clip SDMI pro-vided no actual embedders or detectorsThere was an online oracle to which youcould submit a sound clip and get aresponse There was no description ofthe algorithms used and no details orreasons were given when an oraclerejected a clip The challenge lasted onlythree weeks and the oracle had a turn-around time in hours As such adaptiveoracle attacks which would be possibleif the system were deployed were notfeasible
There were several approaches usedagainst the marks (1) brute force attacksnot specific to the algorithm used andwhich mostly consisted of adding noiseand filtering (2) slight brute forceattacks loosely based on supposeddetails of the algorithms and (3) full-blown reverse engineering
For technologies B and C the groupnoticed that there was a narrow bandsignal added to the clip By the slightlybrute method of filtering at the fre-quency and adding narrow-band noisethey were able to foil the oracle
In their analysis of technology A the-group noticed a slight warping in thetime domain as though the signal wasslowly advancing or decreasing Theydetermined that this phase shifting waspre-processing and not the actual water-mark since the oracle did not admit the
sample when the distortion wasremoved However removing this dis-tortion in technology F was able to makethat watermark undetectable (quicksomebody call the FBI)
Another approach to defeating technol-ogy A would have been to try reinstatingthe fragile component However therewas no way to test this type of attackusing the oracle
The group noticed a ripple in the fre-quency domain which led them tobelieve that technology A used some sortof echo hiding technique consisting ofdeliberate but inaudible echoes whichmeant that there was a signal which wasdelayed and then added back into themusic They tried a filtering approach toreduce the audibility of the echo suffi-cient to remove the watermark Wantingto discover more they decided to do apatent search figuring correctly that thiswas a proprietary algorithm with apatent They found a patent belongingto Aris corporation which became Ver-ance one of the SDMI companies Thismade them feel like they were on theright track They also discovered that itwas a simple echo every fiftieth of a sec-ond and that a delayed version wasadded or subtracted every fifteenthinterval To further analyze the signalthey used the auto-kepstral techniquefor echo hiding combining techniquesto estimate the echo Theyrsquove come upwith better echo hiding detection soft-ware subsequent to the challenge Scottdemonstrated a program that was colorcoded to detect the echo
For technologies D and E SDMI pre-sented table-of-contents files for 100CDs and signature tracks The challengewas to create a new table of contents andsuccessfully forge a signature for it Fortechnology D they found that all theenergy was concentrated in a small fre-quency band of 80 frequency bins whichonly actually used a 16-bit signal
repeated five times with constant shuf-fling Since there were only 16 bits ofoutput a user should be able to acquiremany authenticators as there were twohash collisions among the CDs givenHowever it was difficult to get furtherthan this analysis because the oracle forD didnrsquot work it would always returnldquoinvalidrdquo regardless of input Technology
E however didnrsquot have any data to ana-lyze at all You could submit a mail say-ing yoursquod try mixing this track and thattrack and yoursquod get a reply saying thatyou couldnrsquot do that
The speaker concluded by saying thatmany claimed that this was a system toldquokeep honest people honestrdquo Howeverthough the Felten group felt that the sys-tem was too complex for that theywouldnrsquot claim any type of strong secu-rity The systems require trusted clientsin a hostile environment but if deployedthey would be broken quickly No spe-cial EECS knowledge is needed andthere are no dirty secrets Anyone withreasonable expertise could do thisWatermarking can be useful but not inthis situation The weakness is in theoverall concept not the specific technol-ogy One main lesson learned is thatsecurity through obscurity STILL doesnrsquot work This is particularly thecase for secret algorithms which arepatented and therefore public
Peter Honeyman asked about the possi-bility of a secure watermark Scottreplied that he personally thinks that
8 Vol 26 No 7 login
watermarking wonrsquot work for activelyenforcing a usage policy since doing thisprovides all targets an oracle that theycan use He is pessimistic about the useof watermarking for copyright controlHe clarified that they broke accordingto the oracle technologies A B C and Fbut that D and E had no valid responsesHe also clarified that only technology Aused echo hiding and that though theydonrsquot know what the criteria for the ora-cle was it appeared to make a decisionbased on detectability and quality Heexplained that some areas where water-marking might prove useful is in fragilewatermarks which provide tamper evi-dence in digital photographs and in pre-venting duplication of currency Thesetechnologies have a different threatmodel Someone asked about copy pro-tected CDs Scott replied that that was acompletely different approach doneentirely at the hardware level Peoplewondered why honest people would notwant a complex copy protection schemeScott answered that complex schemeshave higher rates of failure and highercost Someone asked how this was rele-vant to detecting steganographic infor-mation and Scott answered that theywere basically the same and that theinformation about echo detection wouldbe useful
PANEL DISCUSSION ON SDMIDMCA
Moderator Dan Wallach Rice Univer-sity Panelists Edward W FeltenPrinceton University Cindy Cohn EFFand Peter Jaszi American UniversityCollege of Law
The three panelists spoke about the legaland social questions surrounding theSDMIDMCA issue Dan Wallach men-tioned that if there were any representa-tives from the record company the panelwould love to have someone from theother side come speak he doubtedhowever that they would be here
Peter Jaszi then presented a detaileddescription of the Digital Millennium
Copyright Act (DMCA) section 1201He explained the difference between theDMCA and copyright law Copyrightlaw has been developed and refined overa few hundred years and maintains adelicate balance between owners andusersrsquo privileges To that end it has beenrelatively successful It is important tounderstand that the DMCA is not copy-right law but rather a supplement tocopyright law or para-copyright legisla-tion As such it has the potential to over-
ride thecopyrightdefault protec-tions which hadbeen carefullylaid out overtime He soughtto explain theseoverrides andmentioned thatthe risk the
DMCA poses to the fundamental copy-right system isnrsquot news and wasnrsquot newswhen it was passed As a result somelimitations to the DMCA were built inbut most of these exceptions are notvery functional
The fundamental commandment of theDMCA is ldquoThou shall not circumventfor accessrdquo The fact that it was accessand not use was a compromise intendedto limit the DMCA However it limitedthe legislation less than some imaginedit would since there is a great deal ofconfusion between access and use Thereare also secondary prohibitions concern-ing making goods and services whichcan be used for circumvention availableSection 1201(b)(1) can be interpretedbroadly and it was under this provisionthat the threats from SDMI to theauthors of the paper were made
Section 1201(c) presents a fair-useexception in wonderful ringing lan-guage however it is completely irrele-vant since it references fair use as adefense of copyright and the DMCA isnot copyright
Q amp A Scott Craver amp Dan Wallach
Prof Peter Jaszi
The law enforcement exception is actu-ally sweeping and robust it applies to allthe provisions of the act The reverseengineering exception is not half bad itrefers to the whole range of prohibitionsalthough it is still narrower in scopethan the protections under copyrightlaw Sections 1201(g) and (j) presentlimited exceptions for encryptionresearch and security testing which areuncertain in scope Section 1201(h)presents a small but robust exception toallow adults to circumvent in order tofrustrate a minorrsquos attempt to achieveprivacy in a Web environment Section1201(i) allows ordinary people to pro-tect their privacy but it is only a conductexception you need to make your owntools and not distribute them There isless to all these limitations and excep-tions than meets the eye
There are risks posed by this legislationto the traditional balance of interest incopyright law which calls for a push-back against legislative excess To thisend Jaszi is forming a new access coali-tion They have a Web site athttpwwwipclinicorg
Cindy Cohn from the EFF said thatPeter had already said everything aboutsection 1201 but stressed that the EFFwas ldquopushback centralrdquo and explainedways in which people could get involvedin this effort The EFF has been involvedin this issue even before the cases involv-ing 2600 Magazine Felten and theUSENIX presentation of the SDMIpaper and the California trade secretscase
Thomas Greene from the Register won-dered why the mainstream press hasnrsquotrealized their stake in this and what itimplies about freedom of the pressCindy replied that they were gettingincreased press support with the Sky-larov arrest speaking speculatively shealso mentioned that the mainstreampress is owned by content holders In
9November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Saddition most press organizations wishto be seen as nonpartisan and objective
Someone asked about dual use tech-nologies such as echo detection TheDMCA takes this into account but thelanguage doesnrsquot give much comfortThere are a series of criteria which willgive you liability
There was a question about potentialconnections between the lawsuit and theSkylarov case Cindy answered that instrictly legal terms there was no overlap
Someone asked what to do in Feltenrsquossituation what lessons had they learnedFelten responded that they learned agreat deal responding to the threatsregarding the paper He said to talk topeople whorsquove been there and keep inmind your goals and values
Someone brought up the question ofwhether a person would be at risk forsummarizing the session Cindy saidthat the letter they received only per-tained to the particular paper butbecause the paper can be publishedprosecuting for summarizing would behard Peter suggested that if you weregoing to synthesize the talk (uhthis isstarting to sound disturbingly famil-iar) and discuss strengths and weak-nesses theoretically you could be introuble Especially if you implementsomething based on the presentationFelten mentioned that the fact that thisquestion has no simple answer is telling
Someone suggested widespread civil dis-obedience as the only way to effectchange Cindy responded that she neveradvises people to break the law Thoughshe feels that if the law is out of stepwith what people believe their rights arethe law should be changed Peter addedthat copyright law has functioned wellbased on shared social investment Likethe tax code it works not because it ispoliced but because there is a highdegree of collective buy in to its prem-ises The most corrosive thing about the
DMCA is that the basic assumptions itmakes about people are dark and pes-simistic We need to question thoseassumptions and what flows from them
Someone asked for some insight intowhy the industry wouldnrsquot want thisresearch since it would allow them tobuild better protection schemes Feltenresponded that to us the question is isthis technology weak We didnrsquot make itweak and we think it should be fixedThe industryrsquos concern is not whetherthe technology is strong or weak somuch as whether people believe it isstrong or weak They think that if thepublic reaches a consensus that the tech-nology is strong that will be enoughMany of us find this hard to understand
[More information and photographscan be found at httpwwwusenixorgeventssec01indexhtml
CHANGES IN DEPLOYMENT OF
CRYPTOGRAPHY AND POSSIBLE CAUSES
Eric Murray SecureDesign
Summarized by Takeaki Chijiiwa
A survey of cryptography deploymentwas conducted last year (2000) by EricMurray and a similar survey was con-ducted in 2001 to measure changes inthe deployment of SSL (Secure SocketLayer) and TLS (Transport Layer Secu-rity) Web servers
The results of the 2000 survey showed10381 unique hostname and port num-ber combinations compared to 12630 in2001 Detailed results are available athttpwwwlnecomusenix01
There were several noteworthy changesbetween the results from the surveys in2000 and 2001
What got better
A 14 increase 5 decrease and8 decrease among servers catego-rized as Strong Medium and Weakrespectively
The number of servers supporting1024-bit key size increased by 10while a decrease of 8 was seen forsupport of less than 512-bit keysize
The protocol adoption saw a shiftfrom SSL v2 (3 decrease) towardTLS (5 increase)
What got worse
The number of expired certificatesincreased from 31 to 37
Self-signed certificates increasedfrom 08 to 20
The results presented raised many ques-tions from the audience
Question Why do you think there wasan increase in the number of self-signedcertificates
Answer This may be due to people play-ing around with OpenSSL or the surveymay have picked up servers used forinternal use Furthermore the increasein the number of expired certificatesmay have been a result of study errorandor the inclusion of abandoned Websites
Question Did you retest the serversfrom last yearrsquos survey
Answer No This was a new list andtherefore a completely new survey
Question Is the raw data available
Answer You can email ericmlnecomfor private requests
Question Which browsers do you usefor personal use
Answer Linux and Netscape
REVERSING THE PANOPTICON
Deborah Natsios cartomeorg JohnYoung cryptomeorg
Summarized by Mike Vernal
Deborah Natsios described the missionof cartomeorg and cryptomeorg as anattempt to reverse the one-way flow ofinformation controlled by the national
10 Vol 26 No 7 login
surveillance state Based upon theassumption that information is powerNatsios likened the work of cartomeorgand cryptomeorg to that of Ariadne inthe myth of Theseus and the MinotaurBy reversing the flow of informationcartomeorg and cryptomeorg hope toempower those who may be caught inthe labyrinth of the security state muchas Ariadne empowered Theseus with atrail of silk thread through the labyrinthof Crete
John Young continued by explainingthat cryptomeorg welcomed the sub-mission of proprietary or classified doc-uments and trade secrets from anynation or corporation Young describeda few such documents and the unfavor-able responses they had received TheBritish government objected to one doc-ument and attempted to have cryp-tomeorgrsquos Internet service provider shutthe site down Another documentprompted diplomatic requests from theJapanese government for its removal Allattempts to shut the site down have thusfar been rebuffed but Young imaginesthat someone will eventually be success-ful
Other information cryptomeorg hasreceived and published include proofsthat American corporations used USintelligence to stay ahead of foreigncompetitors the names of over 8000CIA informants and currently the pro-grams and keys associated with Russianprogrammer Dmitri Skylarovrsquos crack ofAdobersquos E-book system for which hewas arrested in July
An audience member asked what typesof material cryptomeorg would notpublish Young explained that cryp-tomeorg is open to any kind of publica-tion but they have refused to publishchild pornography documents andinformation related to biological war-fare They also feel that personal prerog-ative takes precedence over the publicrsquosright to know so they will remove per-
sonal information and documents ifrequested by the person in questionThey also reminded the audience thatthey do not verify the authenticity of theinformation they publish ndash they leavethat to the interested reader
Young repeatedly stressed what hebelieved to be the transitory nature ofcryptomeorg He assured the audiencethat at some point cryptomeorg willeither be silenced or it will simplymature away from the cutting edgeWhen that finally happens Young isconfident that someone else will emergeat the vanguard of the quest to reversethe Panopticon state
DESIGNS AGAINST TRAFFIC ANALYSIS
Paul Syverson US Naval ResearchLaboratory
Summarized by Yong Guan
Paul Syverson used a pseudonym ldquoPeterHoneymanrdquo on his talk a joke whichpervaded the rest of the conference
Although the encryption of networkpackets ensures privacy of the payload ina public network packet headers iden-tify recipients packet routes can betracked and volume and timing signa-tures are exposed Since encryption does not hide routing information pub-lic networks are vulnerable to trafficanalysis
Traffic analysis can reveal for examplewho is searching a public database whatWeb sites are surfed which agencies orcompanies are collaborating where youremail correspondents are what sup-pliesquantities you are ordering andfrom whom and so forth
Knowing traffic properties can help anadversary decide where to spendresources for decryption and penetra-tion Therefore it is important todevelop countermeasures to preventtraffic analysis
The security goal of traffic-analysis-resistant systems is to hide one or moreof the following
Sender activity that a site is sendinganything
Receiver activity that a site isreceiving anything
Sender content that a sender sentspecific content
Receiver content that a receiverreceived specific content
Source-destination linking that aparticular source is sending to aparticular destination
Channel linking identifying theendpoints of a channel
Some systems were described
Dining Cryptographers (DC) ndash net-works in which each participant sharessecret coin flips with other pairs andannounces the parity of the flips theparticipant has seen to all other partici-pants and the receiver
Chaum mixes ndash a network of mix nodesin which messages are wrapped in mul-tiple layers of public-key encryption bythe sender one for each node in a routeMost widely used anonymous commu-nication systems use the Chaum mixmethod
There are two kinds ofroutes for the messagesmix cascade where allmessages from anysource move through afixed-order ldquocascaderdquo ofmixes and randomroute where the routeof any message is
selected at random by the sender fromthe available mixes
Remailers mainly used for emailanonymity employ rerouting of anemail through a sequence of multiplemail remailers before the email reachesthe recipient so that the true origin ofthe email can be hidden
Anonymizer and SafeWeb provide fastanonymous interactive communicationservices They are essentially Web prox-
11November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sies that filter out the identifying headersand source addresses from Webbrowsersrsquo requests Instead of the userrsquostrue identity (eg IP address) a Webserver can only learn the identity of theWeb proxy Both offer encrypted links totheir proxy (SSL or SSH) Anonymizer isa single point of failure whereasSafeWeb is a double point of failureSafeWeb offers additional protectionfrom censorship
Crowds aims at protecting usersrsquo Web-browsing anonymity Like Onion Rout-ing the Crowds protocol uses a series ofcooperating proxies (called jondo) tomaintain anonymity within the groupUnlike Onion Routing the sender doesnot determine the whole path Insteadthe path is chosen randomly on a hop-by-hop basis At each hop a decision ismade whether to submit the requestdirectly to the end server or to forward itto another randomly chosen memberaccording to forwarding probability Theexpected path length is controlled by theforwarding probability Cycles areallowed on the path The receiver isknown to any intermediate node on theroute Once a path out of a crowd ischosen it is used for all the anonymouscommunication from the sender to thereceiver within a 24-hour periodCrowds does not have a single point offailure and is a more lightweight cryptothan mix-based systems HoweverCrowds has limitations all users mustrun Perl code users have to have long-running high-speed Internet connec-tions an entirely new network graph isneeded for a new or reconnecting Crowdmember connection anonymity isdependent on data anonymity andresponder protection is weak
Onion Routing provides anonymousInternet connection services The OnionRouting network operates on top ofexisting TCPIP networks such as theInternet It builds a rerouting pathwithin a network of onion routers
which in turn are similar to real-timeChaum mixes In Onion Routing thedata packet is broken into fixed-sizecells and each cell is encrypted multipletimes (once for each onion router on thepath) Thus a recursively layered datastructure called an onion is constructedAn onion is the packet transmitted alongthe rerouting path The fixed size of anonion limits a route to a maximum of 11nodes in the current implementationOnions can be tunneled to producearbitrary length routes
Onion Routing I (Proof-of-concept)uses a network of five Onion Routingnodes operating at the Naval ResearchLaboratory It forces a fixed length (fivehops ie five intermediate onionrouters) for all routes
Onion Routing II can support a networkof up to 50 core onion routers For eachrerouting path through an Onion Rout-ing network each hop is chosen at ran-dom The rerouting path may containcycles although only cycles with one ormore intermediate nodes are allowed
Freedom Network also aims at provid-ing anonymity for Web browsing Fromthe userrsquos point of view Freedom is verysimilar to Onion Routing Freedom con-sists of a set of nodes (called Anony-mous Internet Proxy) which run on topof the existing Internet infrastructureTo communicate with a Web server theuser first selects a series of nodes to forma rerouting path and then uses this pathto forward the requests to its destina-tion The Freedom Route Creation Pro-tocol allows the sender to randomlychoose the path but the path length isfixed to be three The Freedom client-user interface does not allow the user tospecify a path-containing cycle TheFreedom client must either have all theintermediate nodes in the path chosenor choose a preferred first node and lastnode and the intermediary nodes arepicked at random
Paul Syverson
For more information visit httpwwwonion-routernet andhttpwwwsyversonorg
Question Who manages the onionrouters Are they managed independ-ently
Answer Yes The onion routers can bedistributed anywhere and be managedby different groups
Question Do you believe that thelonger the path the safer the anony-mous communication system
Answer I am not sure
COUNTERING SYN FLOOD
DENIAL-OF-SERVICE (DOS) ATTACKS
Ross Oliver Tech Mavens
Summarized by David RichardLarochelle
SYN flood attacks are a nasty DoSattack The attacker sends a SYN packetbut does not complete the three-wayhandshake This is hard to defendagainst because SYN packets are part ofnormal traffic and unlike ping attacksyou canrsquot firewall them Since SYN pack-ets are small the attack can be done withlimited bandwidth Finally the attacksare difficult to trace because source IPaddresses can be faked Ross Oliverstressed that itrsquos up to you to defendyourself (law enforcement is unable todeal with attacks as they occur if theycan deal with them at all) and suggestedthat firewalls employing SYN flooddefenses are the best way of doing this
He reviewed four such products PIX byCisco Firewall-1 by CheckpointNetscreen 100 by Netscreen and App-Safe (previously called AppSwitch) byTopLayer To test these products heplaced a Web server behind the firewalland used a machine with a script whichcalled wget repeatedly to request Webpages to represent the legitimate clienttraffic An attacking machine threw SYNpackets with forged source addresses atthe Web server
12 Vol 26 No 7 login
The Cisco PIX used a threshold tech-nique which allowed a set number ofincomplete connections and droppedadditional SYN packets The testsshowed no significant improvementover no firewall The Firewall-1 faredslightly better It lets SYN packets reachthe Web server and then sends an ACKpacket to the Web server to complete thethree-way handshake Under a SYNflood attack the Web server will then
have a bunch of com-pleted connectionsinstead of half-openones Firewall-1 pro-tected up to 500 SYNsper second but withdegraded response timeThe Web server returned
to normal 3ndash10 minutes after the attackceased
Netscreen and AppSafe had the bestresults If these firewalls detect a SYNflood attack they proxy the incomingconnections and only send the Webserver the SYN and ACK packets if thehandshake is completed by the clientNetscreen detects SYN floods by lookingat the number of incomplete connec-tions It protected up to 14000 SYNssecwith acceptable response times and con-tinued to function at higher SYN ratesbut with increasing delays The serverresponded normally immediately afterthe attack
AppSafe used a more elaborateapproach It determined whether toproxy a connection request based on thesource IP address SYN packets from IPaddresses which had recently behavedlegitimately were let through to the Webserver immediately Only connectionsfrom previously unseen or malicious IPaddresses were proxied AppSafe waseffective up to 22000 SYNssec whichwas the most traffic that the attackingmachine could produce in this testHowever it was pointed out that in thetest the client machine used only one IP
This technique may not work as well in asituation in which there are new connec-tions from previously unseen clients
How much protection you need dependson what type of attack you expect Anattacker with a Cable or DSL connectioncan produce 200 SYNssec An attackerwith a T1 can produce 2343 SYNssecAccording to the paper ldquoInferring Inter-net Denial-of-Service Activityrdquo pre-sented the previous day 46 of DoSattacks involved more than 500SYNssec but only 24 were above14000 SYNssec This level can be han-dled with a single firewall Multiple ordistributed attacks may require multipleparallel firewalls Because of the widerange of performance between devicesOliver stressed the importance of testingand advised testing the devices yourselfif possible
REAL STATEFUL TCP PACKET FILTERING WITH
IP FILTER
Guido van Rooij Eindhoven Universityof Technology
Summarized by Evan Sarmiento
Old firewall implementations used to fil-ter TCP sessions using addresses andports only creating an interesting prob-lem The administrator would have toguess the source port of the packet inorder to filter it correctly In order tosolve this a new trend in firewalls is tointroduce stateful packet filtering State-ful packet filters remember and onlyallow through addresses and ports ofconnections that are currently set up
Even before Guido van Rooijrsquos work IPFilter did have stateful packet filteringbut it was implemented in the wrongway IP Filter does take sequence ACKand window values into account but itmakes the wrong assumption that pack-ets seen by the filter host will also beseen by the final destination Thisassumption caused IP Filter to droppackets in certain situations The newstate engine for IP Filter encompassesthe following goals
Ross Oliver
Conclusions made by the enginemust be provable
All kinds of TCP behavior must betaken into account
The number of blocked packetsmust be minimized
Blocking of packets must never leadto hanging connections
Opportunities for abuse should bemade as small as possible
The new state engine includes 20 bytesper state entry and about 40 lines of Ccode without loops thus the perfor-mance overhead is minimal
However even the new state engine isnot always successful even though it is agreat improvement Occasionallyblocked FIN and ACK packets causeproblems in the state timeout handlingfor TCP half-closed sessions IP Filterdrops packets coming from a few Win-dows NT workstations for a strange andas yet unknown reason
Guido then outlined some future addi-tions to IP Filter He would like to beable to fix fragment handling add sup-port for sessions entering the state tableafter establishment and check validity ofa session if a packet comes in from themiddle of the connection
REFEREED PAPERS
SESSION DENIAL OF SERVICE
Summarized by Stefan Kelm
USING CLIENT PUZZLES TO PROTECT TLS
Drew Dean Xerox PARC Adam Stub-blefield Rice University
Adam Stubblefield presented their workon a DoS protection technique namelythe use of client puzzles within the TLSprotocol Even though client puzzleshave been supposed to be a solution toDoS attacks Stubblefield pointed outthe lack of actual implementations Thechoice of TLS as the protocol to protectagainst DoS seems obvious but TLS issubject to DoS attacks because of thecomputing-expensive cryptographic
13November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Soperations performed at both the clientand the server side A server howeverhas to perform the more expensive RSAdecrypt operations during the sessionhandshake thus any small number ofclients could easily overload a TLS serverby flooding the server with TLS hand-shake messages The goal of this work isto prevent this using cheap methods
The idea of TLS-based cryptographicpuzzles is to first let the client do thework and subsequently the server If theserver is under a heavy load it sends aso-called ldquopuzzle requestrdquo to the clientThe client in turn has to compute anumber of operations which it then usesto send a ldquopuzzle solutionrdquo back to theserver Thus the server will not need tocontinue the TLS handshake unless theclient has proven its intent to really opena TLS connection
Client puzzles are surprisingly easy toimplement on both the client and theserver side Stubblefield used modifiedOpenSSL and mod_ssl source code totest the implementation The implemen-tation uses a metric which tracks unfin-ished RSA decrypt requests in order todecide whether or not the server isassumed to be under attack Sinceadding more latency to the TLS protocolwas not a goal of this work the serveronly sends a puzzle request back to theclient if it really has to This is imple-mented by using variable thresholds
The author concluded that they are ableto protect against certain denial-of-ser-vice attacks at not much cost and with agood user experience Moreover theproposed solution can be implementedusing already existing code
For more information contact astubblericeedu
INFERRING INTERNET DENIAL-OF-SERVICE
ACTIVITY
David Moore CAIDA Geoffrey MVoelker and Stefan Savage Universityof California San Diego
This paper awarded the best paperaward tried to answer the question ofhow prevalent denial-of-service attacksin the Internet currently are Theauthors ran a test over a period of threeweeks trying to come up with an esti-mate of worldwide DoS activity
David Moore presented the so-calledldquobackscatter analysisrdquo as their key ideaand outlined the basic technique sinceattackers normally use spoofed source IPaddresses the ldquoreal ownersrdquo of those IPaddresses regularly receive responsepackets from the systems being attacked(Moore called these ldquounsolicitedresponsesrdquo) By monitoring these unso-licited responses one is able to detectdifferent kinds of DoS attacks Further-more by observing a huge number ofdifferent IP addresses over a longerperiod of time sampling the results canprovide an overview of attacks going on
Moore presented some interestingresults and displayed a number of fig-ures and tables showing the number ofattacks the attacks over time the attackcharacterization the attack duration dis-tribution and the attack rate distribu-tion Moorersquos team observed a numberof minor DoS attacks (described as ldquoper-sonal vendettasrdquo) as well as some victimsunder repeated attack Classifying thevictims by TLD showed countries likeRomania and Brazil being attacked farmore often than most other TLDs Thepresenterrsquos hypothesis was that eitherthose countries host ISPs that attackeach other or there simply are morehackers located in Romania and Brazil(this was later denied by someone in theaudience stating that Romania has reallynice people)
In conclusion the authors observedsome very large DoS attacks thoughmost attacks seem to be short in dura-tion Another result showed the majorityof attacks being TCP based To clarifythis technique is not good at distin-guishing between DoS and DDoS
attacks since it is not good at distin-guishing between attackers
During the QampA session one questionwas on why the analysis showed noattacks on the mil domain Theresponse given was that either mil is notunder attack (unlikely) or that backscat-ter packets are being filtered
For more information contactdmoorecaidaorg or see httpwwwcaidaorgoutreachpapersbackscatter
MULTOPS A DATA-STRUCTURE FOR
BANDWIDTH ATTACK DETECTION
Thomer M Gil Vrije UniversiteitMITMassimiliano Poletto MIT
Thomer Gil proposed a heuristic as wellas a new data structure to be used byrouters and similar network devices todetect (and possibly eliminate) denial-of-service attacks Most DoS attacksshow disproportional packet rates with ahuge number of packets being sent tothe victim and only very few packetsbeing sent by the victim in response Thenew data structure called MULTOPS(Multi-Level Tree for Online Packet Sta-tistics) monitors certain Internet trafficcharacteristics and is able to drop pack-ets based on either the source or the des-tination address
The main implementation challengeswith MULTOPS have been and still arethe precise identification of maliciousaddresses athe achievement of a smallmemory footprint and a low overheadon forwarding ldquorealrdquo traffic as opposedto DoS-based traffic MULTOPS isimplemented as a memory-efficient treeof nodes which contains packet-rate sta-tistics and which dynamically grows andshrinks with the traffic being observedAt the current implementation packetsare dropped based on either a variablepacket rate or a ratio Since it usually isimpossible to identify an attacker(because of IP spoofing) packets can bedropped based on the victimrsquos IP too
14 Vol 26 No 7 login
The authors succeeded in simplifyingmemory management and the mecha-nism that keeps track of packets Gilpointed out that their solution is suc-cessfully being used by a network com-pany They are currently trying to focuson the behavior of different TCP imple-mentations as well as protocols otherthan TCP
Someone brought up the question ofdifferentiating DoS traffic from trafficthat normally shows disproportionalpacket flows eg video traffic The replysuggested the possibility of buildingsome kind of knowledge base A livelydiscussion on random class A addresseswithin MULTOPS subsequently arosebut was taken offline
For more information contact thomerlcsmitedu
SESSION HARDWARE
Summarized by Anca Ivan
DATA REMANENCE IN SEMICONDUCTOR
DEVICES
Peter Gutmann IBM TJ WatsonResearch Center
Peter Gutmann explained the dangers ofdeleting data in semiconductors Every-one knows that deleting data from mag-netic media is very hard but not toomany realize that the same problemexists for semiconductors especiallysince there are so many ways of buildingsemiconductors each with its own set ofproblems and solutions After giving ashort background introduction in semi-conductors and circuits (n-type p-typeSRAM DRAM) Peter described some ofthe most important issues
Electromigration because of highcurrent densities metal atoms aremoved in the opposite direction ofthe normal current flow The conse-quence is that the operating proper-ties of the device are stronglyaltered
Hot carriers during operation thedevice heats up and its characteris-tics change considerably
Ionic contamination this is nolonger an issue and its effects are nolonger significant
Radiation-induced charging itfreezes the circuit into a certainstate
The first phenomenon enables attackersto recover partial information from spe-cial-purpose devices (eg cryptographicsmartcards) The next two can be usedto recover data deleted from memory Inorder to avoid long- and short-term dataretention from semiconductors (a DESkey was recovered in the lsquo80s)researchers developed a series of solu-tions that use various semiconductorforensic techniques including the fol-lowing two
Short-term retention probably thesafest way to defend against it is notto keep the same values in the samememory cells for too long (maxi-mum a few minutes)
Long-term retention in 1996 someresearchers proposed periodicallyflipping the stored bits In this wayno cell holds the same bit value forlong enough to ldquorememberrdquo it
In the end Peter talked about how allthe problems cited above extend to flashmemory For example random genera-tors can generate strings of 1s when thepool is empty or information can beleaked into adjacent cells into shared cir-cuitry
Even though the entire presentationscared at least one person in the audi-ence (guess who) Peter assured us thatreality is not that gloomy In fact theonly problem is the lack of a standardEvery time people decide to choose oneimplementation method they shouldalso choose which solutions are best forit Answering a question Peter told usthat personal computers are not affected
by those problems but that most special-ized devices like airplane black boxescan leak information if analyzed withvery sophisticated equipment But thenagain who has such equipment
STACKGHOST HARDWARE-FACILITATED
STACK PROTECTION
Mike Frantzen CERIAS Mike ShueyPurdue University
The authors presented a software solu-tion to the return-pointer hijackingproblem The most important step inthe function-call process is when thecaller saves the return pointer beforegiving the control to the called functionMany attacks are based on changing thispointer When the callee finishes thereturn pointer dictates which functiontakes control next StackGhost is a pieceof software that automatically and trans-parently saves the return pointer andreplaces it with another number Whenthe called function completes Stack-Ghost verifies the integrity of that num-ber (catching in this way possibleattacks) and reinstalls the correctpointer value
The security of StackGhost depends onhow it modifies the return pointer tocatch attacks the authors have tried sev-eral ways
Per kernel XOR with a 13-bit signedcookie the main problem is that anattacker can find out the cookie bystarting several arbitrary programs
Per process XOR with a 32-bitcookie this is safer than the previ-ous method but more expensive
Encryptdecrypt the return pointerthis method seems to be the mostexpensive
Return-address stack this methodreplaces the return pointer withanother number and saves thepointer into a return-address stackHowever this would impede otherapplications from running correctly
15November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SAfter making performance measure-ments for all techniques the authorsnoticed that the chances of StackGhostnot catching an attack were 1 in 3 forXOR cookies and 1 in 232 for the return-address stack The conclusion was thatStackGhost was offering protectionagainst return-pointer overriding to allprocesses in the system (which might beseen as a disadvantage)
IMPROVING DES COPROCESSOR THROUGH-PUT FOR SHORT OPERATIONS
Mark Lindemann IBM TJ Watson
Research Center Sean W Smith
Dartmouth College
While the first two talks in this sessionwere at opposite poles (one deeply hard-ware and one purely software) the thirdone was somehow in the middle Thepresenter Sean Smith is one the fathersof the cryptographic card developed atIBM and presently working at Dart-mouth College Everything started in avery optimistic fashion with the usualintroduction we would have expectedfrom an IBM representative trying to sellus this device ldquoIt is secure it is fast it is reliablerdquo All the buzzwords werethere However with the next slide thischanged to ldquoIt is not as secure fast as we thoughtrdquo For example the specifi-cation promised the DES speed to be 20megabytessecond when in reality afriend obtained less than two kilobytessecond in a database application Wherewas the discrepancy coming from Themain intuition was that the specificationgives the performance for operations onmegabytes of input The real speed ismuch slower if the data is shipped to thecard in small chunks The differencebetween specs and reality was too bignot to be studied and Lindemanndecided to find out the reasons behindit First they built a model that simu-lates the database application and thentried to improve the speed by modifyingthe execution conditions in the follow-ing ways
Reducing card-host interactionldquofolklore in IBMrdquo taught them thatany card-host interaction consumestoo much time Thus they rewrotethe application to minimize thenumber of interactions The speedwent up to 18ndash23 kilobytessecondhowever it was still too far frommegabyte speed
Batching all operations into onechip operation chip resets were tooexpensive The speed became 360kilobytessecond
Batching into multiple chip opera-tions it reduced the number ofLayer 3 ndash Layer 2 switches Thespeed changed to 30ndash290kilobytessecond still not good
Reducing data transfers they did itby using an internal key-table andboosted the speed to 1400 kilo-bytessecond
Using memory-mapped IO thiseliminated the internal ISA bus bot-tleneck The speed went up to 2500kilobytessecond
Batching operation parametersinstead of sending them as separatepackets It increased the speed to5000 kilobytessecond This waseven more than they were expect-ing but the results were incorrectThe client had asked for speed buthadnrsquot mentioned anything aboutcorrectness So was the problemsolved
Not using memory-mapped IO toincrease accuracy they gave up onmemory-mapped IO for initializa-tion vectors and count Unfortu-nately there was a smallperformance cost the speed wasnow 3000 kilobytessecond
From the clientrsquos point of view all ofthese steps showed them that the onlyway to maximize the performance whileusing the secure coprocessor was todesign DES-batched API From thedesignerrsquos point of view the conclusions
were simpler always distrust folkloreand think if and how people will useyour product before designing it
SESSION FIREWALLSINTRUSION
DETECTION
Summarized by Stefan Kelm and YongGuan
ARCHITECTING THE LUMETA FIREWALL
ANALYZER
Avishai Wool Lumeta
ldquoWhat is your firewall doingrdquo AvishaiWool asked the audience at the begin-ning of his presentation therebydescribing the motivation to build LFAthe ldquoLumeta Firewall Analyzerrdquo
Firewalls have been installed by almostall companies connected to the InternetHowever the underlying policy often isfar from being good enough to actuallyprotect the company from outsideattackers Network administrators oftendo not know how to set up a firewallsecurely much less how to test or auditthe firewall configuration Wool pointedout that LFA is the successor of the Fangprototype system built at Bell Labs as afirewall analysis engine
The key idea is not to probe the actualfirewall in any way but to allow testingof the configuration before the firewallis deployed The firewallrsquos routing tableand configuration files are used as inputto the LFA which parses these files andsimulates the behavior of any possiblepacket flow combination (LFA mainlyoffers support for Firewall-1 and PIX)The results are presented to the user asHTML pages
Wool concluded by giving a shortdemonstration As input to the LFA heused a short Firewall-1 policy whichcontained only six rules and explainedwhy even such a short rule set mightlead to problems once the firewall isdeployed During the QampA session heemphasized that the LFA only checkspacket headers not the content and
16 Vol 26 No 7 login
cannot therefore detect tunneling prob-lems
For more information contactyashacmorg or visit httpwwwlumetacomfirewallhtml
TRANSIENT ADDRESSING FOR RELATED
PROCESSES IMPROVED FIREWALLING BY
USING IPV6 AND MULTIPLE ADDRESSES PER
HOST
Peter M Gleitz and Steven M BellovinATampT Labs-Research
The authors proposed a method to sim-plify firewall decisions By using thelarge address space brought by IPv6they employed a strategy of multiplenetwork addresses per host That is foreach request on the client host an IPv6address is tied to the client process Thefirewall now makes access decisionsbased on transport layer protocol infor-mation (ie filtering is shifted fromports to addresses) Once approved thefirewall allows all traffic between the twopeers to pass to and fro Once the serviceis finished the IPv6 address is discardedThis method is called TARP (transientaddressing for related processes) TARPemploys two different types ofaddresses (fixed) server addresses andprocess group addresses
Gleitz discussed how TARP works withTCP and UDP applications and with thefirewall router domain name serverand IPSEC Employing TARP does notnecessarily affect the routers thoughTARP-aware routers can perform betterMoreover Gleitz pointed out that nomodifications to standard applicationssuch as Telnet SSH FTP Sendmail orTFTP are necessary in order to useTARP He also mentioned briefly someinterop problems with protocols such asDNS and ICMPv6
For more information contactpmgleitnetscapenet
NETWORK INTRUSION DETECTION EVASIONTRAFFIC NORMALIZATION AND END-TO-END
PROTOCOL SEMANTICS
Mark Handley and Vern Paxson ACIRIChristian Kreibich Technische Univer-sitaumlt Muumlnchen
This paper focused on the problem ofnetwork intrusion detection system(NIDS) evasion Attackers usually canfool any NIDS by exploiting certainambiguities in the packet flow beingmonitored by the NIDS ie (1) theNIDS may lack complete analysis of thepacket flow (eg no TCP stream re-assembly) (2) the NIDS may lack end-system knowledge (eg certainapplication vulnerabilities) and (3) theNIDS may lack network knowledge(eg the topology between the NIDSand an end system)
As a solution Paxson proposed thedeployment of a ldquonormalizerrdquo the goalof which would be to observe all packetsbeing sent between two network nodes(he called that a ldquobump-in-the-wirerdquo)and to modify (ldquonormalizerdquo) packetsthat seem to be ambiguous for one rea-son or another As an example theauthor described problems with twooverlapping fragments the normalizerwould re-assemble (and re-fragment ifnecessary) those packets before forward-ing Since re-assembly is a valid opera-tion the normalizer would in thisexample have no impact on the seman-tics at all
Paxson also pointed out some of theproblems with this approach one ofwhich is the ldquocold startrdquo problem(re-)starting the normalizer will showmany valid connections already estab-lished It is difficult to handle those con-nections accordingly (this is also true forthe NIDS itself) The normalizer hasbeen implemented and will be availableat wwwsourceforgenet soon
In the QampA session Steven Bellovinwanted to know whether normalization
would not be needed at the applicationlayer as well The presenter answered inthe affirmative
For more information contactvernaciriorg
SESSION OPERATING SYSTEMS
Summarized by Mike Vernal
SECURITY ANALYSIS OF THE PALM OPERATING
SYSTEM AND ITS WEAKNESSES AGAINST
MALICIOUS CODE THREATS
Kingpin and Mudge stake Inc
Kingpin and Mudge began their presen-tation with a bold fashion statementappearing in matching white bathrobesTheir bathrobes aimed to underscore thefact that PDAs can undermine user pri-vacy in a public setting Their effortswere later rewarded with the covetedUSENIX Style Award presented by thereal Peter Honeyman of the Universityof Michigan
The presentation centered on the secu-rity threat posed by the recent ubiquityof Personal Digital Assistants (PDAs)and more specifically devices runningthe Palm Operating System Palmdevices increasingly are being used insecurity-sensitive settings such as hospi-tals and government agencies While thegovernment is now aware of the securitythreat posed by PDAs the corporateworld has remained generally oblivious
17November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SThe security threat of the Palm stemsfrom the PalmOSrsquos lack of a well-definedsecurity framework Specific weaknessesenumerated include the direct address-ability of hardware the lack of memoryencryption the lack of ACLs weakobfuscation of passwords and a back-door debug mode that allows for thebypassing of ldquosystem lockoutrdquo Becauseof these and other weaknesses the audi-ence agreed with the assertion thatdeveloping a secure application on topof the PalmOS would be impossible
The presentation suggested thatunscrupulous users could exploit anumber of weaknesses to install mali-cious code including normal applica-tion installation desktop conduitscreator ID replacement wireless com-munications and the Palm DebuggerAnother threat raised by Kingpin andMudge was the possibility of a new set ofcross-pollinating viruses which could beacquired via a Palm and propagatethemselves to desktop computers via theHotSync operation or vice versa
With the growing popularity of PDAsKingpin and Mudge invoked OccamrsquosRazor all other factors being equal thePDA may be the malicious userrsquos easiestpoint of entry into an information net-work The upcoming PalmOS 40reportedly fixes some of the securityconcerns raised In the interim usersshould be made aware of the possiblesecurity threats and restrict or eliminatetheir use of sensitive data and applica-tions on Palm devices
SECURE DATA DELETION FOR LINUX
FILE SYSTEMS
Steven Bauer and Nissanka B Priyan-tha MIT
Steven Bauer presented an implementa-tion of a kernel-level secure data-dele-tion (SDD) mechanism for the ext2 filesystem
Bauer suggested that with the increasingprevalence of public kiosks thin clientsmulti-user computing clusters and dis-tributed file systems users will want toensure that when their data is deletedfrom these systems it is truly and irre-trievably deleted
In 1996 Peter Gutmann of IBM demon-strated that data that had been overwrit-ten on a magnetic disk could berecovered using advanced probing tech-niques While popular lore has suggestedcertain government agencies may beable to recover data overwritten dozensof times no commercial data recoverycompany contacted in conjunction withBauerrsquos research believed that it couldrecover data that had been overwrittenmore than once As such the SDD sys-tem as described probably only needs tooverwrite data a few times
This SDD system was designed to ensurethat all flagged data is deleted even inthe event of system failure The deletionprocess was designed as an asynchro-nous daemon to ensure that it did notinterfere with normal operation andperformance Though implemented forthe ext2 file system Bauer asserts thatthis system should be portable to anyblock-oriented file system
The ext2 implementation used theunused secure-deletion flag settablewith the chattr() function With thismechanism the granularity with whichsecure deletion can be specified rangesfrom an entire device to an individualfile Questions were raised as to the vul-nerability of temporary files that are notflagged in a secure deletion zone Bauerrecommended that for maximum secu-rity the entire device should be flaggedfor secure deletion
Kingpin and Mudge
SESSION MANAGING CODE
Summarized by Sameh Elnikety
STATICALLY DETECTING LIKELY BUFFER
OVERFLOW VULNERABILITIES
David Larochelle and David Evans Uni-versity of Virginia
Buffer overflow attacks account forapproximately half of all security vul-nerabilities Programs written in C areparticularly susceptible to buffer over-flow attacks because C allows directpointer manipulations without anybounds checking
Run-time approaches to mitigate therisks of buffer overflow incur perfor-mance penalties and they turn bufferoverflow attacks into denial-of-serviceattacks by terminating execution of theattacked processes Static checking over-comes these problems by detecting likelyvulnerabilities before deployment
The authors developed a practical light-weight static analysis tool based onLCLint to detect a high percentage oflikely buffer overflow vulnerabilities
The tool exploits semantic comments(annotations) that describe programmerassumptions and intents These annota-tions are treated as regular C commentsby the compiler but are recognized assyntactic entities by LCLint The annota-tions represent preconditions and post-conditions for functions to determinehow much memory has been allocatedfor buffers LCLint uses traditional com-piler data flow analyses with constraintgeneration and resolution Also LCLintuses loop heuristics to efficiently analyzemany loop idioms in typical C pro-grams
The authors used the tool to analyze wu-ftpd which is a popular open sourceFTP server and part of BIND which is aset of domain-name tools and librariesthat is considered the reference imple-mentation of DNS Running LCLint issimilar to running a compiler For wu-
18 Vol 26 No 7 login
ftpd it took less than one minute forLCLint to analyze all 17000 lines ofunmodified wu-ftpd source code Thisresulted in 243 warnings that showedknown and unknown buffer overflowvulnerabilities
LCLint source code and binaries areavailable from httplclintcsvirginiaedu
FORMATGUARD AUTOMATIC PROTECTION
FROM PRINTF FORMAT STRING
VULNERABILITIES
Crispin Cowan Matt Barringer SteveBeattie Greg Kroah-Hartman WireXCommunications Inc Mike FrantzenPurdue University and Jamie LokierCERN
In June 2000 a major new class of vul-nerabilities called format bugs was dis-covered when a vulnerability inWU-FTP appeared that looked almostlike a buffer overflow but was not It isunsafe to allow potentially hostile inputto be passed directly as the format stringfor calls to printf-like functions Thedanger is that the inclusion of direc-tives especially n in the format stringcoupled with the lack of any effectivetype or argument counting in Crsquosvarargs facility allows the attacker toinduce unexpected behavior in pro-grams
The authors developed FormatGuard asmall patch to glibc It provides generalprotection against format bugs usingparticular properties of the GNU CPPmacro-handling mechanism to extractthe count of actual arguments to printfstatements This is then passed to a safeprintf wrapper The wrapper parses theformat string to determine how manyarguments to expect and if the formatstring calls for more arguments than theactual number of arguments it raises anintrusion alert and kills the process
FormatGuard fails to protect against for-mat bugs under several circumstancesFor example if the program uses a func-
tion pointer that has the address ofprintf then it evades the macro expan-sion
FormatGuard is incorporated in WireXrsquosImmunix Linux distribution and serverproducts It is available as a GPLrsquod patchto glibc at httpimmunixorg
DETECTING FORMAT STRING VULNERABILITIES
WITH TYPE QUALIFIERS
Umesh Shankar Kunal Talwar Jeffrey SFoster and David Wagner Universityof California Berkeley
Systems written in C are difficult tosecure given Crsquos tendency to sacrificesafety for efficiency Format string vul-nerabilities can occur when user input isused as a format specifier One of themost common cases is when the pro-gram uses printf with one argument auser-supplied string assuming that thestring does not contain any directiveThe authors presented a tool (cqual)that automatically detects format stringbugs at compile time using type-theo-retic analysis techniques With this staticanalysis vulnerabilities can be proac-tively identified and fixed before thecode is deployed
Cqual builds an annotated Abstract Syn-tax Tree (AST) Then it traverses theAST to generate a system of type con-straints which is solved online Warn-ings are produced whenever aninconsistent constraint is generatedCqual presents the results of taintinganalysis to the programmer using Pro-gram Analysis Mode for Emacs (PAM)PAM is a GUI that is designed to addhyperlinks and color mark-ups to thepreprocessed text of the program Theinterface shows the taint flow path tohelp programmers determine how avariable becomes tainted
The configuration files makes cqualusable without modifying the sourcecode The authors analyzed four secu-rity-sensitive benchmark programs withthe same standard prelude file and no
direct changes to the applicationsrsquosource code Typically a few application-specific entries were added to the prel-ude file to improve accuracy in thepresence of wrappers around libraryfunctions Cqual reliably finds all knownbugs for the benchmark programs Italso reports few false positives Cqual isfast it usually takes less than a minute
Cqual is available at httpbanecsberkeleyeducqual
SESSION AUTHORIZATION
Summarized by Rachel Greenstadt
CAPABILITY FILE NAMES SEPARATING
AUTHORIZATION FROM USER MANAGEMENT
IN AN INTERNET FILE SYSTEM
Jude T Regan consultant Christian DJensen Trinity College
On the Internet there is no reliable wayto establish an identity Flexible user-user collaboration outside of an admin-istered system so that people couldcreate ad hoc work groups and removearbitrary limitations to informationsharing is the authorsrsquo goal
Such a system should be globally accessi-ble easy to use and require as littleintervention by system administrators aspossible This system should integratewith existing systems and applications Itshould have fine granularity so thatusers would not have to use complicatedexport mechanisms to share files
The authors used the concept of a capa-bility a token conveying specified accessrights to a named object in order tomake the identity of the object and theaccess rights inseparable They embed-ded the capability in something everysystem knows ndash the file name
The authors concluded that the systemwas safe from interception and modifi-cation Attackers could forge the clientpart but not the server part of the filenames Service could be interrupted butprotecting against this is impossible
19November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Swithout complete control of the net-work Performance was evaluated incomparison to NFS Most of the over-head was in the open statement Readswere slightly slower and writes weremuch slower but they felt this could bealleviated by implementing symmetricwrites
KERBERIZED CREDENTIAL TRANSLATION ASOLUTION TO WEB ACCESS CONTROL
Olga Kornievskaia Peter HoneymanBill Doster and Kevin Coffman CITIUniversity of Michigan
There are two different authenticationmechanisms those used for servicessuch as login AFS and mail for whichKerberos is popular and public key-based mechanisms such as SSL which isused to establish secure connections onthe Web These systems need to be ableto work together to satisfy a request
The authors propose to achieve the bestof both worlds by leveraging Kerberos tosolve PKI key management This will useexisting infrastructures which allowstrong authentication on the Web withSSL and which provide access to Kerber-ized back-end services They propose asystem to provide interoperabilitybetween PKI and Kerberos Their systemconsists of (1) a Certificate Authority(CA) KX509 which creates short-livedcertificates (2) a Web server which actslike a proxy for users by requesting serv-ices from Kerberized back-end servicesand (3) a Kerberized Credential Transla-tor which translates public-key creden-tials to Kerberos They created aprototype of their system called WebAFSusing AFS as an example Kerberized ser-vice
DOS AND DONrsquoTS OF CLIENT AUTHENTICA-TION ON THE WEB
Kevin Fu Emil Sit Kendra Smith and
Nick Feamster MIT
[This paper received the Best StudentPaper Award]
Kevin gave a very amusing presentationwhich illustrated the gap between secu-rity theory and practice He described avariety of Web sites that used insecureclient authentication schemes and pre-sented hints on how to avoid their mis-takes
Client authentication seems like a solvedproblem but many sites continue tocome up with homebrew schemes whichjust donrsquot quite get it right Out of the 27Web sites the cookie eaters group exam-ined they weakened the security on twosites were able to mint authenticatorson eight and on one site were able toobtain the secret key Some of these siteswere high profile such as the Wall StreetJournal (wsjcom) Sprint PCS (sprint-pcscom) and FatBrain (fatbraincom)
In most cases the mistakes made inthese sites were simple By simply look-ing at their cookie files the authors couldquery Web servers and look at headersresponses and create sample authentica-
tors Except forSprint theseattacks involved noeavesdropping atall The schemeswere not evenstrong against whatthe authors termedthe ldquointerrogativeadversaryrdquo Thisadversary has nospecial access but it
adaptively queries a Web server a rea-sonable number of times It just sitsthere and connects to port 80 it cannotdefeat SSL client authentication HTTPbasic or digest authentication The bestsuch an adversary can do against a pass-
Kevin Fu
word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable
In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password
Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary
In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu
SESSION KEY MANAGEMENT
Summarized by Sameh Elnikety
SC-CFS SMARTCARD SECURED
CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi CITI University of Michigan
Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS
20 Vol 26 No 7 login
implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation
When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory
SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key
The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds
SECURE DISTRIBUTION OF EVENTS IN
CONTENT-BASED PUBLISH SUBSCRIBE
SYSTEMS
Lukasz Opyrchal and Atul Prakash University of Michigan
Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage
Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize
The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
4 Vol 26 No 7 login
conference reports10th USENIX Security SymposiumWASHINGTON DCAUGUST 13ndash17 2001KEYNOTE
WEB-ENABLED GADGETS CAN WE TRUST THEM
Richard M Smith CTO The PrivacyFoundation
Summarized by George M Jones
Richard Smith started off by saying thatwhat he primarily does is ldquocause prob-lemsrdquo mostly for companies that havenot thought through the security impli-cations of products that they havereleased They often ldquodiscover unin-tended consequences that companiesdonrsquot like to talk aboutrdquo The three mainareas they consider are security privacyand control
He stated thatldquoconsumerscare moreabout thesecurity ofcell phonesthan aboutWeb serversrdquobecause cellphones arepersonaldevices with
which consumers have immediate con-nections Application developers andcompanies are more concerned withfunctionality than security Productssuch as consumer devices based on real-time operating systems tend to havelower concerns for security
Smith said that DirecTV was the firstconsumer device that got his interestabout privacy issues It had a phone jackWhat information was it sending backLater a call to customer service on a dif-ferent issue revealed that the customerservice people were able to send com-mands (via satellite) to turn his TV on
Is this a good thing Still another timethe company apparently chose to ldquoadver-tiserdquo new services by causing the TV totune to a soft-porn channel which hehad not subscribed to or selected
Earlier this year just before the SuperBowl the company downloaded a pro-gram to all DirecTV boxes The goal wasto disable black market devices used topirate programming It succeeded Butwhat if they had made a mistake Whatif they had disabled service for legiti-mate customers Who in fact owns theboxes DirecTV clearly did not own theblack-market devices Did the com-panyrsquos actions constitute ldquohackingrdquo Didthe terms of service allow them to repro-gram the legitimate boxes
It turns out that DirecTV was not send-ing back ldquoNielsenrdquo information just a lotof information about the temperatureinside the box Their competitor Tivodoes send in ldquoNielsenrdquo info You have toexplicitly opt out by calling customerservice
Wersquore entering a brave new world ofconnected devices A company calledSports Barn sold a strap-on device thatmonitored your daily exerciseand thenuploaded it via phone to their Web siteto create a ldquopersonal profilerdquo (which ofcourse would never be used for market-ing or other) purposes One could havegotten the same effect by uploading to aPC without disclosing personal informa-tion and there are inexpensive stand-alone devices available at sports shopsthat do similar things But to maintain arecord you might have to (gasp) writethings on paper the price of privacyOh the company just went out of busi-ness Many formerly happy customersnow have worthless devices Similarthings could never happen with sub-scription software licensing could itSoftware companies never go out ofbusiness get bought out refocus onnewer products or have turnover or lossof support staff
This issuersquos reports are on the 10thUSENIX Security Symposium
OUR THANKS TO THE SUMMARIZERS
TAKEAKI CHIJIIWA
SAMEH ELNIKETY
KEVIN FU
RACHEL GREENSTADT
YONG GUAN
ANCA IVAN
GEORGE M JONES
STEFAN KELM
DAVID RICHARD LAROCHELLE
ROSS OLIVER
EVAN SARMIENTO
COLE TUCKER
MIKE VERNAL
SAM WEILER
Richard M Smith
Ever considered plugging your pictureframes into the phone Kodak wants youto so that you can ldquoregisterrdquo your digitalpictures Of course yoursquoll pay a recur-ring subscription fee to do so Andtheyrsquoll never share your private pictureswith anyone either their servers neverget hacked and all their employees areintimately familiar with their informa-tion security policies and actively makeit their top priority each day to followthem
Want free wireless Internet access Seethe Global Access Wireless Database athttpwwwshmoocomgawd Want tosee what your neighbors and coworkersare doing 80211 is your friend At leastone non-USENIX conference personwas observed using the USENIX wirelessnetwork at the symposium
Convergence is a good thing rightFewer devices more functionality lowercost but do you really want someoneusing the cell phone API in your combophonepalm pilot to run a program that(1) turns off the speaker (2) places acall and (3) turns on the microphoneYour phone is now a bugging device inaddition to a tool for pinpointing yourlocation at all times Personally Irsquoll stickwith dumb one-way pagers and onlyturn my phone on when I want to makea call (and announce my location)
Do you ever store personallow-sensitiv-ity data and businesshigh-sensitivityinformation on say a palm pilot a lap-top computer or a home computer con-nected to public networks Mudge andKingpin of stake pointed out in a latertalk (dressed in bathrobes to protesttheir 9 am speaking slot) that PalmOShas serious security problems Cablemodem providers do not generally pro-vide securityfirewall services Laptopsare routinely stolen (the laptop that wasbeing used as the gatewayrouter for theconference terminal room disappearedovernight and one of the terminal-roomattendants stopped someone who
5November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sattempted to walk out with its replace-ment in broad daylight) Informationsecurity management issues that wereonce handled by trained security profes-sionals in controlled centralized envi-ronments are now the problem of yourgrandmother Joe Six-pack and yourCEO
Do you ever speed in a rental car In theQampA session Rik Farrow noted that atleast one person has been fined by therental car company for doing so Thecompany installed GPS devices in all itrsquoscars that enable it to track down stolencarsand tell how fast you go Anyguesses how long it will be before lawenforcement and insurance companiespush for legislation requiring suchdevices in all new cars
Steve Bellovin noted that during the talkthere had been multiple nmaps of thewireless net and an ongoing battle foraddress of the default router (Dug Songof dsniff fame was in the room)
And lastly true confessions mdash Smithadmitted that he has not turned on WEPon his own wireless net at home
And the beat goes on
INVITED TALKS
A MAZE OF TWISTY LITTLE STATUTES ALL
ALIKE THE ELECTRONIC COMMUNICATIONS
PRIVACY ACT OF 1986 (AND ITS APPLICA-TION TO NETWORK SERVICE PROVIDERS)
Mark Eckenwiler US Department ofJustice
Summarized by Cole Tucker
The Electronic Communications PrivacyAct of 1986 has a reputation for com-plexity Mark Eckenwiler gave an expres-sive overview of the law primarily fromthe viewpoint of a system administra-torprovider Basically the act covers the relationship between providers andcustomers and providers and the gov-ernment It tries to allow for communi-cation privacy while keeping in mind
that online records are the key to prose-cuting network criminals
The law distinguishes four types of envi-ronments based on whether the data iscontent or transactional in nature andwhether itrsquos being intercepted in realtime or after itrsquos been stored The classthat receives the most protection real-time content has a very basic rule forthe normal user donrsquot get or look at itFor the government the rule is nearly assimple donrsquot get it without a wiretaporder Providers arenrsquot supposed to lookat it unless theyrsquore in the process of pro-tecting their rights and property So ifyoursquore a regular user donrsquot run an unau-thorized sniffer If yoursquore representing aprovider under Eckenwilerrsquos interpreta-tion feel free to run an IDS or even akeystroke logger in real time you can beproactive in defending yourself Otherexceptions are made for publicly accessi-ble systems such as IRC or if all partiesconsent say in a system that has a ban-ner stating that use implies consent tomonitoring As a provider if you have alegitimate need to monitor therersquos noreason to worry
The second class of data consists oftransactional records being interceptedin real time For providers and users therules remain nearly the same hands offfor the latter and have a good reason forthe former The standards have beenlowered for the government so thisinformation is essentially ldquoless privaterdquoFor access to this data the governmentsimply needs a court order Examples ofdata that fall under this are addressesattached to incoming emails and infor-mation on where users are connectingfrom and whether they are online
Next comes stored content Eckenwilerreferred to this section as ldquoDichotomieslsquoRrsquo Usrdquo basically each situation has dif-ferent rules that apply with way toomany to generalize here
Finally there are stored transactionalrecords Users hands off Providers are
allowed to reveal this information toanyone they like except for the govern-ment In respect to the governmentthere are two classes of data basic userdata and non-contact info Basic userdata (things like name address andphone number) is accessible with a sub-poena and thus not strongly protectedEverything else requires a 2703(d) war-rant to access but providers can be senta court order requiring they hold on tothe data for a specified amount of timeusually in expectation of a warrant beingserved in the near future
LOANING YOUR SOUL TO THE DEVIL INFLU-ENCING POLICY WITHOUT SELLING OUT
Matt Blaze ATampT Labs-Research
Summarized by George M Jones
Matt Blaze commented on the publicdebate over cryptology thatrsquos taken placeover the past 10 years or so He includedamusing stories of ldquohacker tourismrdquoincluding nine cryptography experts allindependently trying to score ldquocoolrdquopoints by stealing stationery from secretcongressional briefing rooms and NOTopening a red folder marked ldquoTOPSECRET Presidentrsquos Daily NationalSecurity Briefingrdquo when left alone in aconference room in the old executiveoffice building
What can a scientisttechie contribute tothe public policy debate His mainadvice is ldquostick to what you knowrdquo (sci-encetechnology) ldquoYou are listened tobecause people believe you have objec-tivityThe basic purpose of science andengineering is to expand understandingof realitytruth with no compromisesrdquoYou are not there to comment on philos-ophy politics or constitutional law
He gave an amazingly insightful list ofthe contrasting values of science andpolitics)
Science is interested in findingtruth Politics is about balancinginterests
6 Vol 26 No 7 login
In science people are rewarded fornew discoveries Disruptiveness isconsidered good In politics peopleare rewarded for making other peo-ple happy Disruptiveness is consid-ered bad
In science uncompromising peopleare admired in politics uncompro-mising people are considered fools
In science ldquohonestyrdquo means admit-ting mistakes in politics it meanskeeping promises
In science challenging someoneshows interest in politics a chal-lenge is an attack
In science there is no ldquodress coderdquoin politics even suits can be consid-ered ldquocasualrdquo (and thus cause younot to be taken seriously)
The policy options range from discour-agingforbidding its use allowing lim-ited strength crypto allowing use ofstrong modern cryptographic methodsand encouraging use In the last fewyears the US has moved mostly from thefirst to the third stage
The tone of thedebate has alsochanged andincludes more actualdialogue We nolonger have one sideyelling ldquoYoursquore abunch of long-haired hippiesrdquo andthe other yellingldquoYoursquore a bunch of
jack-booted thugsrdquo Now itrsquos just ldquoyoursquorea bunch of hippiesrdquo vs ldquoyoursquore a bunchof thugsrdquo See for instance ldquoThou shaltuse skipjackclipperrdquo vs the process forselecting AES
ldquoWashington DC is another planet aclosed systemrdquoldquoMuch of what happenshere is for showrdquoldquoAny meeting with apolicy maker involves a little conspiracyto make each other feel importantrdquoldquoMeetings with congressional staffers
always end with the question lsquoWhat doyou suggest we dorsquordquo Stick to what youknow
COPS ARE FROM MARS SYSADMINS ARE
FROM PLUTO DEALING WITH LAW ENFORCE-MENT
Tom Perrine San Diego SupercomputerCenter
Summarized by Ross Oliver
Tom Perrine described some of his expe-riences with law enforcement peopleand discussed his recommendations forother sysadmins who may need to inter-act with law enforcement
Like system administration law enforce-ment is a culture as well as an occupa-tion with its own lingo inside jokes etcThere are also many different lawenforcement agencies federal state citycounty military and customs Evenschools and universities often have theirown police force
Throughout the talk Perrine empha-sized the importance of trust in individ-uals rather than organizations Just as inany large organization there are ldquoclue-fulrdquo and not ldquocluefulrdquo members andbuilding personal relationships is keyAlso realize that the goals and prioritiesof law enforcement may be differentfrom yours
Because they are ldquoagents of the govern-mentrdquo law enforcement officers havemany legal constraints on their actionsthat may not apply to private citizensSysadmins can take advantage of ldquoISPexemptionsrdquo in the law to take ldquoany stepsnecessary to protect the communica-tions systemrdquo
Perrine recommends that sysadminsbecome familiar with applicable laws(both federal and state) before the needto apply them arises Advice of qualifiedlegal counsel is strongly recommendedAlso make sure your organizationrsquos poli-cies are suitable and adhere to themduring any investigation
Matt Blaze
READING BETWEEN THE LINES LESSONS
FROM THE SDMI CHALLENGE
Summarized by Rachel Greenstadt
Scott A Craver Min Wu and Bede LiuPrinceton University Adam Stubble-field Ben Swartzlander and Dan SWallach Rice University Drew Deanand Edward W Felten Princeton Uni-versity
Program Chair Dan Wallach introducedthis talk as being a long time in the mak-ing and mentioned that he was pleasedto have it here However he stressed thatthis first section would be a normal bor-ing technical talk THEN there would bea panel discussion where policy ques-tions would be allowed Matt Blazeasked when the subpoenas would beserved however despite the large massof press and lawyers that joined theUSENIX attendees there was no last-minute withdrawal of the talk this timeand no FBI agents came to cart ScottCraver away as he gave his talk
Craver began by describing the chal-lenge which took place during threeweeks in September and October of2000 SDMI (Secure Data Music Initia-tive) invited ldquohackersrdquo otherwise knownas the general public to crack six of theirproposed technologies labeled Athrough F There were four watermark-ing technologies and two others SDMIoffered a cash prize for the successfuldefeat of one of their technologies butthis required the winners to sign a Non-Disclosure Agreement so the Feltengroup decided to forego the prize infavor of publishing their findings
SDMI is an organization an initiativeand the technology for that initiative Atthe time of the challenge that technol-ogy was watermarking and related tech-nologies The watermarks (technologiesA B C and F) were composed of arobust and a fragile component therobust part of which would survivealtered music Through a missing water-mark in the fragile component such as
7November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sif it had been mp3 compressed anSDMI device could perhaps determine ifa CD track was ever an mp3 in the pastperhaps illegally downloaded The othertechnologies (D and E) were used tosign tables of contents supposedly tocontrol the propagation of CDs withmixed tracks
For the watermarking technologies therewere three samples given (1) a soundclip without a watermark (2) the samesample with a watermark and (3) a dif-ferent sound clip with a watermark Thechallenge was to remove the watermarkfrom the third sound clip SDMI pro-vided no actual embedders or detectorsThere was an online oracle to which youcould submit a sound clip and get aresponse There was no description ofthe algorithms used and no details orreasons were given when an oraclerejected a clip The challenge lasted onlythree weeks and the oracle had a turn-around time in hours As such adaptiveoracle attacks which would be possibleif the system were deployed were notfeasible
There were several approaches usedagainst the marks (1) brute force attacksnot specific to the algorithm used andwhich mostly consisted of adding noiseand filtering (2) slight brute forceattacks loosely based on supposeddetails of the algorithms and (3) full-blown reverse engineering
For technologies B and C the groupnoticed that there was a narrow bandsignal added to the clip By the slightlybrute method of filtering at the fre-quency and adding narrow-band noisethey were able to foil the oracle
In their analysis of technology A the-group noticed a slight warping in thetime domain as though the signal wasslowly advancing or decreasing Theydetermined that this phase shifting waspre-processing and not the actual water-mark since the oracle did not admit the
sample when the distortion wasremoved However removing this dis-tortion in technology F was able to makethat watermark undetectable (quicksomebody call the FBI)
Another approach to defeating technol-ogy A would have been to try reinstatingthe fragile component However therewas no way to test this type of attackusing the oracle
The group noticed a ripple in the fre-quency domain which led them tobelieve that technology A used some sortof echo hiding technique consisting ofdeliberate but inaudible echoes whichmeant that there was a signal which wasdelayed and then added back into themusic They tried a filtering approach toreduce the audibility of the echo suffi-cient to remove the watermark Wantingto discover more they decided to do apatent search figuring correctly that thiswas a proprietary algorithm with apatent They found a patent belongingto Aris corporation which became Ver-ance one of the SDMI companies Thismade them feel like they were on theright track They also discovered that itwas a simple echo every fiftieth of a sec-ond and that a delayed version wasadded or subtracted every fifteenthinterval To further analyze the signalthey used the auto-kepstral techniquefor echo hiding combining techniquesto estimate the echo Theyrsquove come upwith better echo hiding detection soft-ware subsequent to the challenge Scottdemonstrated a program that was colorcoded to detect the echo
For technologies D and E SDMI pre-sented table-of-contents files for 100CDs and signature tracks The challengewas to create a new table of contents andsuccessfully forge a signature for it Fortechnology D they found that all theenergy was concentrated in a small fre-quency band of 80 frequency bins whichonly actually used a 16-bit signal
repeated five times with constant shuf-fling Since there were only 16 bits ofoutput a user should be able to acquiremany authenticators as there were twohash collisions among the CDs givenHowever it was difficult to get furtherthan this analysis because the oracle forD didnrsquot work it would always returnldquoinvalidrdquo regardless of input Technology
E however didnrsquot have any data to ana-lyze at all You could submit a mail say-ing yoursquod try mixing this track and thattrack and yoursquod get a reply saying thatyou couldnrsquot do that
The speaker concluded by saying thatmany claimed that this was a system toldquokeep honest people honestrdquo Howeverthough the Felten group felt that the sys-tem was too complex for that theywouldnrsquot claim any type of strong secu-rity The systems require trusted clientsin a hostile environment but if deployedthey would be broken quickly No spe-cial EECS knowledge is needed andthere are no dirty secrets Anyone withreasonable expertise could do thisWatermarking can be useful but not inthis situation The weakness is in theoverall concept not the specific technol-ogy One main lesson learned is thatsecurity through obscurity STILL doesnrsquot work This is particularly thecase for secret algorithms which arepatented and therefore public
Peter Honeyman asked about the possi-bility of a secure watermark Scottreplied that he personally thinks that
8 Vol 26 No 7 login
watermarking wonrsquot work for activelyenforcing a usage policy since doing thisprovides all targets an oracle that theycan use He is pessimistic about the useof watermarking for copyright controlHe clarified that they broke accordingto the oracle technologies A B C and Fbut that D and E had no valid responsesHe also clarified that only technology Aused echo hiding and that though theydonrsquot know what the criteria for the ora-cle was it appeared to make a decisionbased on detectability and quality Heexplained that some areas where water-marking might prove useful is in fragilewatermarks which provide tamper evi-dence in digital photographs and in pre-venting duplication of currency Thesetechnologies have a different threatmodel Someone asked about copy pro-tected CDs Scott replied that that was acompletely different approach doneentirely at the hardware level Peoplewondered why honest people would notwant a complex copy protection schemeScott answered that complex schemeshave higher rates of failure and highercost Someone asked how this was rele-vant to detecting steganographic infor-mation and Scott answered that theywere basically the same and that theinformation about echo detection wouldbe useful
PANEL DISCUSSION ON SDMIDMCA
Moderator Dan Wallach Rice Univer-sity Panelists Edward W FeltenPrinceton University Cindy Cohn EFFand Peter Jaszi American UniversityCollege of Law
The three panelists spoke about the legaland social questions surrounding theSDMIDMCA issue Dan Wallach men-tioned that if there were any representa-tives from the record company the panelwould love to have someone from theother side come speak he doubtedhowever that they would be here
Peter Jaszi then presented a detaileddescription of the Digital Millennium
Copyright Act (DMCA) section 1201He explained the difference between theDMCA and copyright law Copyrightlaw has been developed and refined overa few hundred years and maintains adelicate balance between owners andusersrsquo privileges To that end it has beenrelatively successful It is important tounderstand that the DMCA is not copy-right law but rather a supplement tocopyright law or para-copyright legisla-tion As such it has the potential to over-
ride thecopyrightdefault protec-tions which hadbeen carefullylaid out overtime He soughtto explain theseoverrides andmentioned thatthe risk the
DMCA poses to the fundamental copy-right system isnrsquot news and wasnrsquot newswhen it was passed As a result somelimitations to the DMCA were built inbut most of these exceptions are notvery functional
The fundamental commandment of theDMCA is ldquoThou shall not circumventfor accessrdquo The fact that it was accessand not use was a compromise intendedto limit the DMCA However it limitedthe legislation less than some imaginedit would since there is a great deal ofconfusion between access and use Thereare also secondary prohibitions concern-ing making goods and services whichcan be used for circumvention availableSection 1201(b)(1) can be interpretedbroadly and it was under this provisionthat the threats from SDMI to theauthors of the paper were made
Section 1201(c) presents a fair-useexception in wonderful ringing lan-guage however it is completely irrele-vant since it references fair use as adefense of copyright and the DMCA isnot copyright
Q amp A Scott Craver amp Dan Wallach
Prof Peter Jaszi
The law enforcement exception is actu-ally sweeping and robust it applies to allthe provisions of the act The reverseengineering exception is not half bad itrefers to the whole range of prohibitionsalthough it is still narrower in scopethan the protections under copyrightlaw Sections 1201(g) and (j) presentlimited exceptions for encryptionresearch and security testing which areuncertain in scope Section 1201(h)presents a small but robust exception toallow adults to circumvent in order tofrustrate a minorrsquos attempt to achieveprivacy in a Web environment Section1201(i) allows ordinary people to pro-tect their privacy but it is only a conductexception you need to make your owntools and not distribute them There isless to all these limitations and excep-tions than meets the eye
There are risks posed by this legislationto the traditional balance of interest incopyright law which calls for a push-back against legislative excess To thisend Jaszi is forming a new access coali-tion They have a Web site athttpwwwipclinicorg
Cindy Cohn from the EFF said thatPeter had already said everything aboutsection 1201 but stressed that the EFFwas ldquopushback centralrdquo and explainedways in which people could get involvedin this effort The EFF has been involvedin this issue even before the cases involv-ing 2600 Magazine Felten and theUSENIX presentation of the SDMIpaper and the California trade secretscase
Thomas Greene from the Register won-dered why the mainstream press hasnrsquotrealized their stake in this and what itimplies about freedom of the pressCindy replied that they were gettingincreased press support with the Sky-larov arrest speaking speculatively shealso mentioned that the mainstreampress is owned by content holders In
9November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Saddition most press organizations wishto be seen as nonpartisan and objective
Someone asked about dual use tech-nologies such as echo detection TheDMCA takes this into account but thelanguage doesnrsquot give much comfortThere are a series of criteria which willgive you liability
There was a question about potentialconnections between the lawsuit and theSkylarov case Cindy answered that instrictly legal terms there was no overlap
Someone asked what to do in Feltenrsquossituation what lessons had they learnedFelten responded that they learned agreat deal responding to the threatsregarding the paper He said to talk topeople whorsquove been there and keep inmind your goals and values
Someone brought up the question ofwhether a person would be at risk forsummarizing the session Cindy saidthat the letter they received only per-tained to the particular paper butbecause the paper can be publishedprosecuting for summarizing would behard Peter suggested that if you weregoing to synthesize the talk (uhthis isstarting to sound disturbingly famil-iar) and discuss strengths and weak-nesses theoretically you could be introuble Especially if you implementsomething based on the presentationFelten mentioned that the fact that thisquestion has no simple answer is telling
Someone suggested widespread civil dis-obedience as the only way to effectchange Cindy responded that she neveradvises people to break the law Thoughshe feels that if the law is out of stepwith what people believe their rights arethe law should be changed Peter addedthat copyright law has functioned wellbased on shared social investment Likethe tax code it works not because it ispoliced but because there is a highdegree of collective buy in to its prem-ises The most corrosive thing about the
DMCA is that the basic assumptions itmakes about people are dark and pes-simistic We need to question thoseassumptions and what flows from them
Someone asked for some insight intowhy the industry wouldnrsquot want thisresearch since it would allow them tobuild better protection schemes Feltenresponded that to us the question is isthis technology weak We didnrsquot make itweak and we think it should be fixedThe industryrsquos concern is not whetherthe technology is strong or weak somuch as whether people believe it isstrong or weak They think that if thepublic reaches a consensus that the tech-nology is strong that will be enoughMany of us find this hard to understand
[More information and photographscan be found at httpwwwusenixorgeventssec01indexhtml
CHANGES IN DEPLOYMENT OF
CRYPTOGRAPHY AND POSSIBLE CAUSES
Eric Murray SecureDesign
Summarized by Takeaki Chijiiwa
A survey of cryptography deploymentwas conducted last year (2000) by EricMurray and a similar survey was con-ducted in 2001 to measure changes inthe deployment of SSL (Secure SocketLayer) and TLS (Transport Layer Secu-rity) Web servers
The results of the 2000 survey showed10381 unique hostname and port num-ber combinations compared to 12630 in2001 Detailed results are available athttpwwwlnecomusenix01
There were several noteworthy changesbetween the results from the surveys in2000 and 2001
What got better
A 14 increase 5 decrease and8 decrease among servers catego-rized as Strong Medium and Weakrespectively
The number of servers supporting1024-bit key size increased by 10while a decrease of 8 was seen forsupport of less than 512-bit keysize
The protocol adoption saw a shiftfrom SSL v2 (3 decrease) towardTLS (5 increase)
What got worse
The number of expired certificatesincreased from 31 to 37
Self-signed certificates increasedfrom 08 to 20
The results presented raised many ques-tions from the audience
Question Why do you think there wasan increase in the number of self-signedcertificates
Answer This may be due to people play-ing around with OpenSSL or the surveymay have picked up servers used forinternal use Furthermore the increasein the number of expired certificatesmay have been a result of study errorandor the inclusion of abandoned Websites
Question Did you retest the serversfrom last yearrsquos survey
Answer No This was a new list andtherefore a completely new survey
Question Is the raw data available
Answer You can email ericmlnecomfor private requests
Question Which browsers do you usefor personal use
Answer Linux and Netscape
REVERSING THE PANOPTICON
Deborah Natsios cartomeorg JohnYoung cryptomeorg
Summarized by Mike Vernal
Deborah Natsios described the missionof cartomeorg and cryptomeorg as anattempt to reverse the one-way flow ofinformation controlled by the national
10 Vol 26 No 7 login
surveillance state Based upon theassumption that information is powerNatsios likened the work of cartomeorgand cryptomeorg to that of Ariadne inthe myth of Theseus and the MinotaurBy reversing the flow of informationcartomeorg and cryptomeorg hope toempower those who may be caught inthe labyrinth of the security state muchas Ariadne empowered Theseus with atrail of silk thread through the labyrinthof Crete
John Young continued by explainingthat cryptomeorg welcomed the sub-mission of proprietary or classified doc-uments and trade secrets from anynation or corporation Young describeda few such documents and the unfavor-able responses they had received TheBritish government objected to one doc-ument and attempted to have cryp-tomeorgrsquos Internet service provider shutthe site down Another documentprompted diplomatic requests from theJapanese government for its removal Allattempts to shut the site down have thusfar been rebuffed but Young imaginesthat someone will eventually be success-ful
Other information cryptomeorg hasreceived and published include proofsthat American corporations used USintelligence to stay ahead of foreigncompetitors the names of over 8000CIA informants and currently the pro-grams and keys associated with Russianprogrammer Dmitri Skylarovrsquos crack ofAdobersquos E-book system for which hewas arrested in July
An audience member asked what typesof material cryptomeorg would notpublish Young explained that cryp-tomeorg is open to any kind of publica-tion but they have refused to publishchild pornography documents andinformation related to biological war-fare They also feel that personal prerog-ative takes precedence over the publicrsquosright to know so they will remove per-
sonal information and documents ifrequested by the person in questionThey also reminded the audience thatthey do not verify the authenticity of theinformation they publish ndash they leavethat to the interested reader
Young repeatedly stressed what hebelieved to be the transitory nature ofcryptomeorg He assured the audiencethat at some point cryptomeorg willeither be silenced or it will simplymature away from the cutting edgeWhen that finally happens Young isconfident that someone else will emergeat the vanguard of the quest to reversethe Panopticon state
DESIGNS AGAINST TRAFFIC ANALYSIS
Paul Syverson US Naval ResearchLaboratory
Summarized by Yong Guan
Paul Syverson used a pseudonym ldquoPeterHoneymanrdquo on his talk a joke whichpervaded the rest of the conference
Although the encryption of networkpackets ensures privacy of the payload ina public network packet headers iden-tify recipients packet routes can betracked and volume and timing signa-tures are exposed Since encryption does not hide routing information pub-lic networks are vulnerable to trafficanalysis
Traffic analysis can reveal for examplewho is searching a public database whatWeb sites are surfed which agencies orcompanies are collaborating where youremail correspondents are what sup-pliesquantities you are ordering andfrom whom and so forth
Knowing traffic properties can help anadversary decide where to spendresources for decryption and penetra-tion Therefore it is important todevelop countermeasures to preventtraffic analysis
The security goal of traffic-analysis-resistant systems is to hide one or moreof the following
Sender activity that a site is sendinganything
Receiver activity that a site isreceiving anything
Sender content that a sender sentspecific content
Receiver content that a receiverreceived specific content
Source-destination linking that aparticular source is sending to aparticular destination
Channel linking identifying theendpoints of a channel
Some systems were described
Dining Cryptographers (DC) ndash net-works in which each participant sharessecret coin flips with other pairs andannounces the parity of the flips theparticipant has seen to all other partici-pants and the receiver
Chaum mixes ndash a network of mix nodesin which messages are wrapped in mul-tiple layers of public-key encryption bythe sender one for each node in a routeMost widely used anonymous commu-nication systems use the Chaum mixmethod
There are two kinds ofroutes for the messagesmix cascade where allmessages from anysource move through afixed-order ldquocascaderdquo ofmixes and randomroute where the routeof any message is
selected at random by the sender fromthe available mixes
Remailers mainly used for emailanonymity employ rerouting of anemail through a sequence of multiplemail remailers before the email reachesthe recipient so that the true origin ofthe email can be hidden
Anonymizer and SafeWeb provide fastanonymous interactive communicationservices They are essentially Web prox-
11November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sies that filter out the identifying headersand source addresses from Webbrowsersrsquo requests Instead of the userrsquostrue identity (eg IP address) a Webserver can only learn the identity of theWeb proxy Both offer encrypted links totheir proxy (SSL or SSH) Anonymizer isa single point of failure whereasSafeWeb is a double point of failureSafeWeb offers additional protectionfrom censorship
Crowds aims at protecting usersrsquo Web-browsing anonymity Like Onion Rout-ing the Crowds protocol uses a series ofcooperating proxies (called jondo) tomaintain anonymity within the groupUnlike Onion Routing the sender doesnot determine the whole path Insteadthe path is chosen randomly on a hop-by-hop basis At each hop a decision ismade whether to submit the requestdirectly to the end server or to forward itto another randomly chosen memberaccording to forwarding probability Theexpected path length is controlled by theforwarding probability Cycles areallowed on the path The receiver isknown to any intermediate node on theroute Once a path out of a crowd ischosen it is used for all the anonymouscommunication from the sender to thereceiver within a 24-hour periodCrowds does not have a single point offailure and is a more lightweight cryptothan mix-based systems HoweverCrowds has limitations all users mustrun Perl code users have to have long-running high-speed Internet connec-tions an entirely new network graph isneeded for a new or reconnecting Crowdmember connection anonymity isdependent on data anonymity andresponder protection is weak
Onion Routing provides anonymousInternet connection services The OnionRouting network operates on top ofexisting TCPIP networks such as theInternet It builds a rerouting pathwithin a network of onion routers
which in turn are similar to real-timeChaum mixes In Onion Routing thedata packet is broken into fixed-sizecells and each cell is encrypted multipletimes (once for each onion router on thepath) Thus a recursively layered datastructure called an onion is constructedAn onion is the packet transmitted alongthe rerouting path The fixed size of anonion limits a route to a maximum of 11nodes in the current implementationOnions can be tunneled to producearbitrary length routes
Onion Routing I (Proof-of-concept)uses a network of five Onion Routingnodes operating at the Naval ResearchLaboratory It forces a fixed length (fivehops ie five intermediate onionrouters) for all routes
Onion Routing II can support a networkof up to 50 core onion routers For eachrerouting path through an Onion Rout-ing network each hop is chosen at ran-dom The rerouting path may containcycles although only cycles with one ormore intermediate nodes are allowed
Freedom Network also aims at provid-ing anonymity for Web browsing Fromthe userrsquos point of view Freedom is verysimilar to Onion Routing Freedom con-sists of a set of nodes (called Anony-mous Internet Proxy) which run on topof the existing Internet infrastructureTo communicate with a Web server theuser first selects a series of nodes to forma rerouting path and then uses this pathto forward the requests to its destina-tion The Freedom Route Creation Pro-tocol allows the sender to randomlychoose the path but the path length isfixed to be three The Freedom client-user interface does not allow the user tospecify a path-containing cycle TheFreedom client must either have all theintermediate nodes in the path chosenor choose a preferred first node and lastnode and the intermediary nodes arepicked at random
Paul Syverson
For more information visit httpwwwonion-routernet andhttpwwwsyversonorg
Question Who manages the onionrouters Are they managed independ-ently
Answer Yes The onion routers can bedistributed anywhere and be managedby different groups
Question Do you believe that thelonger the path the safer the anony-mous communication system
Answer I am not sure
COUNTERING SYN FLOOD
DENIAL-OF-SERVICE (DOS) ATTACKS
Ross Oliver Tech Mavens
Summarized by David RichardLarochelle
SYN flood attacks are a nasty DoSattack The attacker sends a SYN packetbut does not complete the three-wayhandshake This is hard to defendagainst because SYN packets are part ofnormal traffic and unlike ping attacksyou canrsquot firewall them Since SYN pack-ets are small the attack can be done withlimited bandwidth Finally the attacksare difficult to trace because source IPaddresses can be faked Ross Oliverstressed that itrsquos up to you to defendyourself (law enforcement is unable todeal with attacks as they occur if theycan deal with them at all) and suggestedthat firewalls employing SYN flooddefenses are the best way of doing this
He reviewed four such products PIX byCisco Firewall-1 by CheckpointNetscreen 100 by Netscreen and App-Safe (previously called AppSwitch) byTopLayer To test these products heplaced a Web server behind the firewalland used a machine with a script whichcalled wget repeatedly to request Webpages to represent the legitimate clienttraffic An attacking machine threw SYNpackets with forged source addresses atthe Web server
12 Vol 26 No 7 login
The Cisco PIX used a threshold tech-nique which allowed a set number ofincomplete connections and droppedadditional SYN packets The testsshowed no significant improvementover no firewall The Firewall-1 faredslightly better It lets SYN packets reachthe Web server and then sends an ACKpacket to the Web server to complete thethree-way handshake Under a SYNflood attack the Web server will then
have a bunch of com-pleted connectionsinstead of half-openones Firewall-1 pro-tected up to 500 SYNsper second but withdegraded response timeThe Web server returned
to normal 3ndash10 minutes after the attackceased
Netscreen and AppSafe had the bestresults If these firewalls detect a SYNflood attack they proxy the incomingconnections and only send the Webserver the SYN and ACK packets if thehandshake is completed by the clientNetscreen detects SYN floods by lookingat the number of incomplete connec-tions It protected up to 14000 SYNssecwith acceptable response times and con-tinued to function at higher SYN ratesbut with increasing delays The serverresponded normally immediately afterthe attack
AppSafe used a more elaborateapproach It determined whether toproxy a connection request based on thesource IP address SYN packets from IPaddresses which had recently behavedlegitimately were let through to the Webserver immediately Only connectionsfrom previously unseen or malicious IPaddresses were proxied AppSafe waseffective up to 22000 SYNssec whichwas the most traffic that the attackingmachine could produce in this testHowever it was pointed out that in thetest the client machine used only one IP
This technique may not work as well in asituation in which there are new connec-tions from previously unseen clients
How much protection you need dependson what type of attack you expect Anattacker with a Cable or DSL connectioncan produce 200 SYNssec An attackerwith a T1 can produce 2343 SYNssecAccording to the paper ldquoInferring Inter-net Denial-of-Service Activityrdquo pre-sented the previous day 46 of DoSattacks involved more than 500SYNssec but only 24 were above14000 SYNssec This level can be han-dled with a single firewall Multiple ordistributed attacks may require multipleparallel firewalls Because of the widerange of performance between devicesOliver stressed the importance of testingand advised testing the devices yourselfif possible
REAL STATEFUL TCP PACKET FILTERING WITH
IP FILTER
Guido van Rooij Eindhoven Universityof Technology
Summarized by Evan Sarmiento
Old firewall implementations used to fil-ter TCP sessions using addresses andports only creating an interesting prob-lem The administrator would have toguess the source port of the packet inorder to filter it correctly In order tosolve this a new trend in firewalls is tointroduce stateful packet filtering State-ful packet filters remember and onlyallow through addresses and ports ofconnections that are currently set up
Even before Guido van Rooijrsquos work IPFilter did have stateful packet filteringbut it was implemented in the wrongway IP Filter does take sequence ACKand window values into account but itmakes the wrong assumption that pack-ets seen by the filter host will also beseen by the final destination Thisassumption caused IP Filter to droppackets in certain situations The newstate engine for IP Filter encompassesthe following goals
Ross Oliver
Conclusions made by the enginemust be provable
All kinds of TCP behavior must betaken into account
The number of blocked packetsmust be minimized
Blocking of packets must never leadto hanging connections
Opportunities for abuse should bemade as small as possible
The new state engine includes 20 bytesper state entry and about 40 lines of Ccode without loops thus the perfor-mance overhead is minimal
However even the new state engine isnot always successful even though it is agreat improvement Occasionallyblocked FIN and ACK packets causeproblems in the state timeout handlingfor TCP half-closed sessions IP Filterdrops packets coming from a few Win-dows NT workstations for a strange andas yet unknown reason
Guido then outlined some future addi-tions to IP Filter He would like to beable to fix fragment handling add sup-port for sessions entering the state tableafter establishment and check validity ofa session if a packet comes in from themiddle of the connection
REFEREED PAPERS
SESSION DENIAL OF SERVICE
Summarized by Stefan Kelm
USING CLIENT PUZZLES TO PROTECT TLS
Drew Dean Xerox PARC Adam Stub-blefield Rice University
Adam Stubblefield presented their workon a DoS protection technique namelythe use of client puzzles within the TLSprotocol Even though client puzzleshave been supposed to be a solution toDoS attacks Stubblefield pointed outthe lack of actual implementations Thechoice of TLS as the protocol to protectagainst DoS seems obvious but TLS issubject to DoS attacks because of thecomputing-expensive cryptographic
13November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Soperations performed at both the clientand the server side A server howeverhas to perform the more expensive RSAdecrypt operations during the sessionhandshake thus any small number ofclients could easily overload a TLS serverby flooding the server with TLS hand-shake messages The goal of this work isto prevent this using cheap methods
The idea of TLS-based cryptographicpuzzles is to first let the client do thework and subsequently the server If theserver is under a heavy load it sends aso-called ldquopuzzle requestrdquo to the clientThe client in turn has to compute anumber of operations which it then usesto send a ldquopuzzle solutionrdquo back to theserver Thus the server will not need tocontinue the TLS handshake unless theclient has proven its intent to really opena TLS connection
Client puzzles are surprisingly easy toimplement on both the client and theserver side Stubblefield used modifiedOpenSSL and mod_ssl source code totest the implementation The implemen-tation uses a metric which tracks unfin-ished RSA decrypt requests in order todecide whether or not the server isassumed to be under attack Sinceadding more latency to the TLS protocolwas not a goal of this work the serveronly sends a puzzle request back to theclient if it really has to This is imple-mented by using variable thresholds
The author concluded that they are ableto protect against certain denial-of-ser-vice attacks at not much cost and with agood user experience Moreover theproposed solution can be implementedusing already existing code
For more information contact astubblericeedu
INFERRING INTERNET DENIAL-OF-SERVICE
ACTIVITY
David Moore CAIDA Geoffrey MVoelker and Stefan Savage Universityof California San Diego
This paper awarded the best paperaward tried to answer the question ofhow prevalent denial-of-service attacksin the Internet currently are Theauthors ran a test over a period of threeweeks trying to come up with an esti-mate of worldwide DoS activity
David Moore presented the so-calledldquobackscatter analysisrdquo as their key ideaand outlined the basic technique sinceattackers normally use spoofed source IPaddresses the ldquoreal ownersrdquo of those IPaddresses regularly receive responsepackets from the systems being attacked(Moore called these ldquounsolicitedresponsesrdquo) By monitoring these unso-licited responses one is able to detectdifferent kinds of DoS attacks Further-more by observing a huge number ofdifferent IP addresses over a longerperiod of time sampling the results canprovide an overview of attacks going on
Moore presented some interestingresults and displayed a number of fig-ures and tables showing the number ofattacks the attacks over time the attackcharacterization the attack duration dis-tribution and the attack rate distribu-tion Moorersquos team observed a numberof minor DoS attacks (described as ldquoper-sonal vendettasrdquo) as well as some victimsunder repeated attack Classifying thevictims by TLD showed countries likeRomania and Brazil being attacked farmore often than most other TLDs Thepresenterrsquos hypothesis was that eitherthose countries host ISPs that attackeach other or there simply are morehackers located in Romania and Brazil(this was later denied by someone in theaudience stating that Romania has reallynice people)
In conclusion the authors observedsome very large DoS attacks thoughmost attacks seem to be short in dura-tion Another result showed the majorityof attacks being TCP based To clarifythis technique is not good at distin-guishing between DoS and DDoS
attacks since it is not good at distin-guishing between attackers
During the QampA session one questionwas on why the analysis showed noattacks on the mil domain Theresponse given was that either mil is notunder attack (unlikely) or that backscat-ter packets are being filtered
For more information contactdmoorecaidaorg or see httpwwwcaidaorgoutreachpapersbackscatter
MULTOPS A DATA-STRUCTURE FOR
BANDWIDTH ATTACK DETECTION
Thomer M Gil Vrije UniversiteitMITMassimiliano Poletto MIT
Thomer Gil proposed a heuristic as wellas a new data structure to be used byrouters and similar network devices todetect (and possibly eliminate) denial-of-service attacks Most DoS attacksshow disproportional packet rates with ahuge number of packets being sent tothe victim and only very few packetsbeing sent by the victim in response Thenew data structure called MULTOPS(Multi-Level Tree for Online Packet Sta-tistics) monitors certain Internet trafficcharacteristics and is able to drop pack-ets based on either the source or the des-tination address
The main implementation challengeswith MULTOPS have been and still arethe precise identification of maliciousaddresses athe achievement of a smallmemory footprint and a low overheadon forwarding ldquorealrdquo traffic as opposedto DoS-based traffic MULTOPS isimplemented as a memory-efficient treeof nodes which contains packet-rate sta-tistics and which dynamically grows andshrinks with the traffic being observedAt the current implementation packetsare dropped based on either a variablepacket rate or a ratio Since it usually isimpossible to identify an attacker(because of IP spoofing) packets can bedropped based on the victimrsquos IP too
14 Vol 26 No 7 login
The authors succeeded in simplifyingmemory management and the mecha-nism that keeps track of packets Gilpointed out that their solution is suc-cessfully being used by a network com-pany They are currently trying to focuson the behavior of different TCP imple-mentations as well as protocols otherthan TCP
Someone brought up the question ofdifferentiating DoS traffic from trafficthat normally shows disproportionalpacket flows eg video traffic The replysuggested the possibility of buildingsome kind of knowledge base A livelydiscussion on random class A addresseswithin MULTOPS subsequently arosebut was taken offline
For more information contact thomerlcsmitedu
SESSION HARDWARE
Summarized by Anca Ivan
DATA REMANENCE IN SEMICONDUCTOR
DEVICES
Peter Gutmann IBM TJ WatsonResearch Center
Peter Gutmann explained the dangers ofdeleting data in semiconductors Every-one knows that deleting data from mag-netic media is very hard but not toomany realize that the same problemexists for semiconductors especiallysince there are so many ways of buildingsemiconductors each with its own set ofproblems and solutions After giving ashort background introduction in semi-conductors and circuits (n-type p-typeSRAM DRAM) Peter described some ofthe most important issues
Electromigration because of highcurrent densities metal atoms aremoved in the opposite direction ofthe normal current flow The conse-quence is that the operating proper-ties of the device are stronglyaltered
Hot carriers during operation thedevice heats up and its characteris-tics change considerably
Ionic contamination this is nolonger an issue and its effects are nolonger significant
Radiation-induced charging itfreezes the circuit into a certainstate
The first phenomenon enables attackersto recover partial information from spe-cial-purpose devices (eg cryptographicsmartcards) The next two can be usedto recover data deleted from memory Inorder to avoid long- and short-term dataretention from semiconductors (a DESkey was recovered in the lsquo80s)researchers developed a series of solu-tions that use various semiconductorforensic techniques including the fol-lowing two
Short-term retention probably thesafest way to defend against it is notto keep the same values in the samememory cells for too long (maxi-mum a few minutes)
Long-term retention in 1996 someresearchers proposed periodicallyflipping the stored bits In this wayno cell holds the same bit value forlong enough to ldquorememberrdquo it
In the end Peter talked about how allthe problems cited above extend to flashmemory For example random genera-tors can generate strings of 1s when thepool is empty or information can beleaked into adjacent cells into shared cir-cuitry
Even though the entire presentationscared at least one person in the audi-ence (guess who) Peter assured us thatreality is not that gloomy In fact theonly problem is the lack of a standardEvery time people decide to choose oneimplementation method they shouldalso choose which solutions are best forit Answering a question Peter told usthat personal computers are not affected
by those problems but that most special-ized devices like airplane black boxescan leak information if analyzed withvery sophisticated equipment But thenagain who has such equipment
STACKGHOST HARDWARE-FACILITATED
STACK PROTECTION
Mike Frantzen CERIAS Mike ShueyPurdue University
The authors presented a software solu-tion to the return-pointer hijackingproblem The most important step inthe function-call process is when thecaller saves the return pointer beforegiving the control to the called functionMany attacks are based on changing thispointer When the callee finishes thereturn pointer dictates which functiontakes control next StackGhost is a pieceof software that automatically and trans-parently saves the return pointer andreplaces it with another number Whenthe called function completes Stack-Ghost verifies the integrity of that num-ber (catching in this way possibleattacks) and reinstalls the correctpointer value
The security of StackGhost depends onhow it modifies the return pointer tocatch attacks the authors have tried sev-eral ways
Per kernel XOR with a 13-bit signedcookie the main problem is that anattacker can find out the cookie bystarting several arbitrary programs
Per process XOR with a 32-bitcookie this is safer than the previ-ous method but more expensive
Encryptdecrypt the return pointerthis method seems to be the mostexpensive
Return-address stack this methodreplaces the return pointer withanother number and saves thepointer into a return-address stackHowever this would impede otherapplications from running correctly
15November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SAfter making performance measure-ments for all techniques the authorsnoticed that the chances of StackGhostnot catching an attack were 1 in 3 forXOR cookies and 1 in 232 for the return-address stack The conclusion was thatStackGhost was offering protectionagainst return-pointer overriding to allprocesses in the system (which might beseen as a disadvantage)
IMPROVING DES COPROCESSOR THROUGH-PUT FOR SHORT OPERATIONS
Mark Lindemann IBM TJ Watson
Research Center Sean W Smith
Dartmouth College
While the first two talks in this sessionwere at opposite poles (one deeply hard-ware and one purely software) the thirdone was somehow in the middle Thepresenter Sean Smith is one the fathersof the cryptographic card developed atIBM and presently working at Dart-mouth College Everything started in avery optimistic fashion with the usualintroduction we would have expectedfrom an IBM representative trying to sellus this device ldquoIt is secure it is fast it is reliablerdquo All the buzzwords werethere However with the next slide thischanged to ldquoIt is not as secure fast as we thoughtrdquo For example the specifi-cation promised the DES speed to be 20megabytessecond when in reality afriend obtained less than two kilobytessecond in a database application Wherewas the discrepancy coming from Themain intuition was that the specificationgives the performance for operations onmegabytes of input The real speed ismuch slower if the data is shipped to thecard in small chunks The differencebetween specs and reality was too bignot to be studied and Lindemanndecided to find out the reasons behindit First they built a model that simu-lates the database application and thentried to improve the speed by modifyingthe execution conditions in the follow-ing ways
Reducing card-host interactionldquofolklore in IBMrdquo taught them thatany card-host interaction consumestoo much time Thus they rewrotethe application to minimize thenumber of interactions The speedwent up to 18ndash23 kilobytessecondhowever it was still too far frommegabyte speed
Batching all operations into onechip operation chip resets were tooexpensive The speed became 360kilobytessecond
Batching into multiple chip opera-tions it reduced the number ofLayer 3 ndash Layer 2 switches Thespeed changed to 30ndash290kilobytessecond still not good
Reducing data transfers they did itby using an internal key-table andboosted the speed to 1400 kilo-bytessecond
Using memory-mapped IO thiseliminated the internal ISA bus bot-tleneck The speed went up to 2500kilobytessecond
Batching operation parametersinstead of sending them as separatepackets It increased the speed to5000 kilobytessecond This waseven more than they were expect-ing but the results were incorrectThe client had asked for speed buthadnrsquot mentioned anything aboutcorrectness So was the problemsolved
Not using memory-mapped IO toincrease accuracy they gave up onmemory-mapped IO for initializa-tion vectors and count Unfortu-nately there was a smallperformance cost the speed wasnow 3000 kilobytessecond
From the clientrsquos point of view all ofthese steps showed them that the onlyway to maximize the performance whileusing the secure coprocessor was todesign DES-batched API From thedesignerrsquos point of view the conclusions
were simpler always distrust folkloreand think if and how people will useyour product before designing it
SESSION FIREWALLSINTRUSION
DETECTION
Summarized by Stefan Kelm and YongGuan
ARCHITECTING THE LUMETA FIREWALL
ANALYZER
Avishai Wool Lumeta
ldquoWhat is your firewall doingrdquo AvishaiWool asked the audience at the begin-ning of his presentation therebydescribing the motivation to build LFAthe ldquoLumeta Firewall Analyzerrdquo
Firewalls have been installed by almostall companies connected to the InternetHowever the underlying policy often isfar from being good enough to actuallyprotect the company from outsideattackers Network administrators oftendo not know how to set up a firewallsecurely much less how to test or auditthe firewall configuration Wool pointedout that LFA is the successor of the Fangprototype system built at Bell Labs as afirewall analysis engine
The key idea is not to probe the actualfirewall in any way but to allow testingof the configuration before the firewallis deployed The firewallrsquos routing tableand configuration files are used as inputto the LFA which parses these files andsimulates the behavior of any possiblepacket flow combination (LFA mainlyoffers support for Firewall-1 and PIX)The results are presented to the user asHTML pages
Wool concluded by giving a shortdemonstration As input to the LFA heused a short Firewall-1 policy whichcontained only six rules and explainedwhy even such a short rule set mightlead to problems once the firewall isdeployed During the QampA session heemphasized that the LFA only checkspacket headers not the content and
16 Vol 26 No 7 login
cannot therefore detect tunneling prob-lems
For more information contactyashacmorg or visit httpwwwlumetacomfirewallhtml
TRANSIENT ADDRESSING FOR RELATED
PROCESSES IMPROVED FIREWALLING BY
USING IPV6 AND MULTIPLE ADDRESSES PER
HOST
Peter M Gleitz and Steven M BellovinATampT Labs-Research
The authors proposed a method to sim-plify firewall decisions By using thelarge address space brought by IPv6they employed a strategy of multiplenetwork addresses per host That is foreach request on the client host an IPv6address is tied to the client process Thefirewall now makes access decisionsbased on transport layer protocol infor-mation (ie filtering is shifted fromports to addresses) Once approved thefirewall allows all traffic between the twopeers to pass to and fro Once the serviceis finished the IPv6 address is discardedThis method is called TARP (transientaddressing for related processes) TARPemploys two different types ofaddresses (fixed) server addresses andprocess group addresses
Gleitz discussed how TARP works withTCP and UDP applications and with thefirewall router domain name serverand IPSEC Employing TARP does notnecessarily affect the routers thoughTARP-aware routers can perform betterMoreover Gleitz pointed out that nomodifications to standard applicationssuch as Telnet SSH FTP Sendmail orTFTP are necessary in order to useTARP He also mentioned briefly someinterop problems with protocols such asDNS and ICMPv6
For more information contactpmgleitnetscapenet
NETWORK INTRUSION DETECTION EVASIONTRAFFIC NORMALIZATION AND END-TO-END
PROTOCOL SEMANTICS
Mark Handley and Vern Paxson ACIRIChristian Kreibich Technische Univer-sitaumlt Muumlnchen
This paper focused on the problem ofnetwork intrusion detection system(NIDS) evasion Attackers usually canfool any NIDS by exploiting certainambiguities in the packet flow beingmonitored by the NIDS ie (1) theNIDS may lack complete analysis of thepacket flow (eg no TCP stream re-assembly) (2) the NIDS may lack end-system knowledge (eg certainapplication vulnerabilities) and (3) theNIDS may lack network knowledge(eg the topology between the NIDSand an end system)
As a solution Paxson proposed thedeployment of a ldquonormalizerrdquo the goalof which would be to observe all packetsbeing sent between two network nodes(he called that a ldquobump-in-the-wirerdquo)and to modify (ldquonormalizerdquo) packetsthat seem to be ambiguous for one rea-son or another As an example theauthor described problems with twooverlapping fragments the normalizerwould re-assemble (and re-fragment ifnecessary) those packets before forward-ing Since re-assembly is a valid opera-tion the normalizer would in thisexample have no impact on the seman-tics at all
Paxson also pointed out some of theproblems with this approach one ofwhich is the ldquocold startrdquo problem(re-)starting the normalizer will showmany valid connections already estab-lished It is difficult to handle those con-nections accordingly (this is also true forthe NIDS itself) The normalizer hasbeen implemented and will be availableat wwwsourceforgenet soon
In the QampA session Steven Bellovinwanted to know whether normalization
would not be needed at the applicationlayer as well The presenter answered inthe affirmative
For more information contactvernaciriorg
SESSION OPERATING SYSTEMS
Summarized by Mike Vernal
SECURITY ANALYSIS OF THE PALM OPERATING
SYSTEM AND ITS WEAKNESSES AGAINST
MALICIOUS CODE THREATS
Kingpin and Mudge stake Inc
Kingpin and Mudge began their presen-tation with a bold fashion statementappearing in matching white bathrobesTheir bathrobes aimed to underscore thefact that PDAs can undermine user pri-vacy in a public setting Their effortswere later rewarded with the covetedUSENIX Style Award presented by thereal Peter Honeyman of the Universityof Michigan
The presentation centered on the secu-rity threat posed by the recent ubiquityof Personal Digital Assistants (PDAs)and more specifically devices runningthe Palm Operating System Palmdevices increasingly are being used insecurity-sensitive settings such as hospi-tals and government agencies While thegovernment is now aware of the securitythreat posed by PDAs the corporateworld has remained generally oblivious
17November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SThe security threat of the Palm stemsfrom the PalmOSrsquos lack of a well-definedsecurity framework Specific weaknessesenumerated include the direct address-ability of hardware the lack of memoryencryption the lack of ACLs weakobfuscation of passwords and a back-door debug mode that allows for thebypassing of ldquosystem lockoutrdquo Becauseof these and other weaknesses the audi-ence agreed with the assertion thatdeveloping a secure application on topof the PalmOS would be impossible
The presentation suggested thatunscrupulous users could exploit anumber of weaknesses to install mali-cious code including normal applica-tion installation desktop conduitscreator ID replacement wireless com-munications and the Palm DebuggerAnother threat raised by Kingpin andMudge was the possibility of a new set ofcross-pollinating viruses which could beacquired via a Palm and propagatethemselves to desktop computers via theHotSync operation or vice versa
With the growing popularity of PDAsKingpin and Mudge invoked OccamrsquosRazor all other factors being equal thePDA may be the malicious userrsquos easiestpoint of entry into an information net-work The upcoming PalmOS 40reportedly fixes some of the securityconcerns raised In the interim usersshould be made aware of the possiblesecurity threats and restrict or eliminatetheir use of sensitive data and applica-tions on Palm devices
SECURE DATA DELETION FOR LINUX
FILE SYSTEMS
Steven Bauer and Nissanka B Priyan-tha MIT
Steven Bauer presented an implementa-tion of a kernel-level secure data-dele-tion (SDD) mechanism for the ext2 filesystem
Bauer suggested that with the increasingprevalence of public kiosks thin clientsmulti-user computing clusters and dis-tributed file systems users will want toensure that when their data is deletedfrom these systems it is truly and irre-trievably deleted
In 1996 Peter Gutmann of IBM demon-strated that data that had been overwrit-ten on a magnetic disk could berecovered using advanced probing tech-niques While popular lore has suggestedcertain government agencies may beable to recover data overwritten dozensof times no commercial data recoverycompany contacted in conjunction withBauerrsquos research believed that it couldrecover data that had been overwrittenmore than once As such the SDD sys-tem as described probably only needs tooverwrite data a few times
This SDD system was designed to ensurethat all flagged data is deleted even inthe event of system failure The deletionprocess was designed as an asynchro-nous daemon to ensure that it did notinterfere with normal operation andperformance Though implemented forthe ext2 file system Bauer asserts thatthis system should be portable to anyblock-oriented file system
The ext2 implementation used theunused secure-deletion flag settablewith the chattr() function With thismechanism the granularity with whichsecure deletion can be specified rangesfrom an entire device to an individualfile Questions were raised as to the vul-nerability of temporary files that are notflagged in a secure deletion zone Bauerrecommended that for maximum secu-rity the entire device should be flaggedfor secure deletion
Kingpin and Mudge
SESSION MANAGING CODE
Summarized by Sameh Elnikety
STATICALLY DETECTING LIKELY BUFFER
OVERFLOW VULNERABILITIES
David Larochelle and David Evans Uni-versity of Virginia
Buffer overflow attacks account forapproximately half of all security vul-nerabilities Programs written in C areparticularly susceptible to buffer over-flow attacks because C allows directpointer manipulations without anybounds checking
Run-time approaches to mitigate therisks of buffer overflow incur perfor-mance penalties and they turn bufferoverflow attacks into denial-of-serviceattacks by terminating execution of theattacked processes Static checking over-comes these problems by detecting likelyvulnerabilities before deployment
The authors developed a practical light-weight static analysis tool based onLCLint to detect a high percentage oflikely buffer overflow vulnerabilities
The tool exploits semantic comments(annotations) that describe programmerassumptions and intents These annota-tions are treated as regular C commentsby the compiler but are recognized assyntactic entities by LCLint The annota-tions represent preconditions and post-conditions for functions to determinehow much memory has been allocatedfor buffers LCLint uses traditional com-piler data flow analyses with constraintgeneration and resolution Also LCLintuses loop heuristics to efficiently analyzemany loop idioms in typical C pro-grams
The authors used the tool to analyze wu-ftpd which is a popular open sourceFTP server and part of BIND which is aset of domain-name tools and librariesthat is considered the reference imple-mentation of DNS Running LCLint issimilar to running a compiler For wu-
18 Vol 26 No 7 login
ftpd it took less than one minute forLCLint to analyze all 17000 lines ofunmodified wu-ftpd source code Thisresulted in 243 warnings that showedknown and unknown buffer overflowvulnerabilities
LCLint source code and binaries areavailable from httplclintcsvirginiaedu
FORMATGUARD AUTOMATIC PROTECTION
FROM PRINTF FORMAT STRING
VULNERABILITIES
Crispin Cowan Matt Barringer SteveBeattie Greg Kroah-Hartman WireXCommunications Inc Mike FrantzenPurdue University and Jamie LokierCERN
In June 2000 a major new class of vul-nerabilities called format bugs was dis-covered when a vulnerability inWU-FTP appeared that looked almostlike a buffer overflow but was not It isunsafe to allow potentially hostile inputto be passed directly as the format stringfor calls to printf-like functions Thedanger is that the inclusion of direc-tives especially n in the format stringcoupled with the lack of any effectivetype or argument counting in Crsquosvarargs facility allows the attacker toinduce unexpected behavior in pro-grams
The authors developed FormatGuard asmall patch to glibc It provides generalprotection against format bugs usingparticular properties of the GNU CPPmacro-handling mechanism to extractthe count of actual arguments to printfstatements This is then passed to a safeprintf wrapper The wrapper parses theformat string to determine how manyarguments to expect and if the formatstring calls for more arguments than theactual number of arguments it raises anintrusion alert and kills the process
FormatGuard fails to protect against for-mat bugs under several circumstancesFor example if the program uses a func-
tion pointer that has the address ofprintf then it evades the macro expan-sion
FormatGuard is incorporated in WireXrsquosImmunix Linux distribution and serverproducts It is available as a GPLrsquod patchto glibc at httpimmunixorg
DETECTING FORMAT STRING VULNERABILITIES
WITH TYPE QUALIFIERS
Umesh Shankar Kunal Talwar Jeffrey SFoster and David Wagner Universityof California Berkeley
Systems written in C are difficult tosecure given Crsquos tendency to sacrificesafety for efficiency Format string vul-nerabilities can occur when user input isused as a format specifier One of themost common cases is when the pro-gram uses printf with one argument auser-supplied string assuming that thestring does not contain any directiveThe authors presented a tool (cqual)that automatically detects format stringbugs at compile time using type-theo-retic analysis techniques With this staticanalysis vulnerabilities can be proac-tively identified and fixed before thecode is deployed
Cqual builds an annotated Abstract Syn-tax Tree (AST) Then it traverses theAST to generate a system of type con-straints which is solved online Warn-ings are produced whenever aninconsistent constraint is generatedCqual presents the results of taintinganalysis to the programmer using Pro-gram Analysis Mode for Emacs (PAM)PAM is a GUI that is designed to addhyperlinks and color mark-ups to thepreprocessed text of the program Theinterface shows the taint flow path tohelp programmers determine how avariable becomes tainted
The configuration files makes cqualusable without modifying the sourcecode The authors analyzed four secu-rity-sensitive benchmark programs withthe same standard prelude file and no
direct changes to the applicationsrsquosource code Typically a few application-specific entries were added to the prel-ude file to improve accuracy in thepresence of wrappers around libraryfunctions Cqual reliably finds all knownbugs for the benchmark programs Italso reports few false positives Cqual isfast it usually takes less than a minute
Cqual is available at httpbanecsberkeleyeducqual
SESSION AUTHORIZATION
Summarized by Rachel Greenstadt
CAPABILITY FILE NAMES SEPARATING
AUTHORIZATION FROM USER MANAGEMENT
IN AN INTERNET FILE SYSTEM
Jude T Regan consultant Christian DJensen Trinity College
On the Internet there is no reliable wayto establish an identity Flexible user-user collaboration outside of an admin-istered system so that people couldcreate ad hoc work groups and removearbitrary limitations to informationsharing is the authorsrsquo goal
Such a system should be globally accessi-ble easy to use and require as littleintervention by system administrators aspossible This system should integratewith existing systems and applications Itshould have fine granularity so thatusers would not have to use complicatedexport mechanisms to share files
The authors used the concept of a capa-bility a token conveying specified accessrights to a named object in order tomake the identity of the object and theaccess rights inseparable They embed-ded the capability in something everysystem knows ndash the file name
The authors concluded that the systemwas safe from interception and modifi-cation Attackers could forge the clientpart but not the server part of the filenames Service could be interrupted butprotecting against this is impossible
19November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Swithout complete control of the net-work Performance was evaluated incomparison to NFS Most of the over-head was in the open statement Readswere slightly slower and writes weremuch slower but they felt this could bealleviated by implementing symmetricwrites
KERBERIZED CREDENTIAL TRANSLATION ASOLUTION TO WEB ACCESS CONTROL
Olga Kornievskaia Peter HoneymanBill Doster and Kevin Coffman CITIUniversity of Michigan
There are two different authenticationmechanisms those used for servicessuch as login AFS and mail for whichKerberos is popular and public key-based mechanisms such as SSL which isused to establish secure connections onthe Web These systems need to be ableto work together to satisfy a request
The authors propose to achieve the bestof both worlds by leveraging Kerberos tosolve PKI key management This will useexisting infrastructures which allowstrong authentication on the Web withSSL and which provide access to Kerber-ized back-end services They propose asystem to provide interoperabilitybetween PKI and Kerberos Their systemconsists of (1) a Certificate Authority(CA) KX509 which creates short-livedcertificates (2) a Web server which actslike a proxy for users by requesting serv-ices from Kerberized back-end servicesand (3) a Kerberized Credential Transla-tor which translates public-key creden-tials to Kerberos They created aprototype of their system called WebAFSusing AFS as an example Kerberized ser-vice
DOS AND DONrsquoTS OF CLIENT AUTHENTICA-TION ON THE WEB
Kevin Fu Emil Sit Kendra Smith and
Nick Feamster MIT
[This paper received the Best StudentPaper Award]
Kevin gave a very amusing presentationwhich illustrated the gap between secu-rity theory and practice He described avariety of Web sites that used insecureclient authentication schemes and pre-sented hints on how to avoid their mis-takes
Client authentication seems like a solvedproblem but many sites continue tocome up with homebrew schemes whichjust donrsquot quite get it right Out of the 27Web sites the cookie eaters group exam-ined they weakened the security on twosites were able to mint authenticatorson eight and on one site were able toobtain the secret key Some of these siteswere high profile such as the Wall StreetJournal (wsjcom) Sprint PCS (sprint-pcscom) and FatBrain (fatbraincom)
In most cases the mistakes made inthese sites were simple By simply look-ing at their cookie files the authors couldquery Web servers and look at headersresponses and create sample authentica-
tors Except forSprint theseattacks involved noeavesdropping atall The schemeswere not evenstrong against whatthe authors termedthe ldquointerrogativeadversaryrdquo Thisadversary has nospecial access but it
adaptively queries a Web server a rea-sonable number of times It just sitsthere and connects to port 80 it cannotdefeat SSL client authentication HTTPbasic or digest authentication The bestsuch an adversary can do against a pass-
Kevin Fu
word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable
In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password
Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary
In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu
SESSION KEY MANAGEMENT
Summarized by Sameh Elnikety
SC-CFS SMARTCARD SECURED
CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi CITI University of Michigan
Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS
20 Vol 26 No 7 login
implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation
When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory
SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key
The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds
SECURE DISTRIBUTION OF EVENTS IN
CONTENT-BASED PUBLISH SUBSCRIBE
SYSTEMS
Lukasz Opyrchal and Atul Prakash University of Michigan
Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage
Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize
The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
Ever considered plugging your pictureframes into the phone Kodak wants youto so that you can ldquoregisterrdquo your digitalpictures Of course yoursquoll pay a recur-ring subscription fee to do so Andtheyrsquoll never share your private pictureswith anyone either their servers neverget hacked and all their employees areintimately familiar with their informa-tion security policies and actively makeit their top priority each day to followthem
Want free wireless Internet access Seethe Global Access Wireless Database athttpwwwshmoocomgawd Want tosee what your neighbors and coworkersare doing 80211 is your friend At leastone non-USENIX conference personwas observed using the USENIX wirelessnetwork at the symposium
Convergence is a good thing rightFewer devices more functionality lowercost but do you really want someoneusing the cell phone API in your combophonepalm pilot to run a program that(1) turns off the speaker (2) places acall and (3) turns on the microphoneYour phone is now a bugging device inaddition to a tool for pinpointing yourlocation at all times Personally Irsquoll stickwith dumb one-way pagers and onlyturn my phone on when I want to makea call (and announce my location)
Do you ever store personallow-sensitiv-ity data and businesshigh-sensitivityinformation on say a palm pilot a lap-top computer or a home computer con-nected to public networks Mudge andKingpin of stake pointed out in a latertalk (dressed in bathrobes to protesttheir 9 am speaking slot) that PalmOShas serious security problems Cablemodem providers do not generally pro-vide securityfirewall services Laptopsare routinely stolen (the laptop that wasbeing used as the gatewayrouter for theconference terminal room disappearedovernight and one of the terminal-roomattendants stopped someone who
5November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sattempted to walk out with its replace-ment in broad daylight) Informationsecurity management issues that wereonce handled by trained security profes-sionals in controlled centralized envi-ronments are now the problem of yourgrandmother Joe Six-pack and yourCEO
Do you ever speed in a rental car In theQampA session Rik Farrow noted that atleast one person has been fined by therental car company for doing so Thecompany installed GPS devices in all itrsquoscars that enable it to track down stolencarsand tell how fast you go Anyguesses how long it will be before lawenforcement and insurance companiespush for legislation requiring suchdevices in all new cars
Steve Bellovin noted that during the talkthere had been multiple nmaps of thewireless net and an ongoing battle foraddress of the default router (Dug Songof dsniff fame was in the room)
And lastly true confessions mdash Smithadmitted that he has not turned on WEPon his own wireless net at home
And the beat goes on
INVITED TALKS
A MAZE OF TWISTY LITTLE STATUTES ALL
ALIKE THE ELECTRONIC COMMUNICATIONS
PRIVACY ACT OF 1986 (AND ITS APPLICA-TION TO NETWORK SERVICE PROVIDERS)
Mark Eckenwiler US Department ofJustice
Summarized by Cole Tucker
The Electronic Communications PrivacyAct of 1986 has a reputation for com-plexity Mark Eckenwiler gave an expres-sive overview of the law primarily fromthe viewpoint of a system administra-torprovider Basically the act covers the relationship between providers andcustomers and providers and the gov-ernment It tries to allow for communi-cation privacy while keeping in mind
that online records are the key to prose-cuting network criminals
The law distinguishes four types of envi-ronments based on whether the data iscontent or transactional in nature andwhether itrsquos being intercepted in realtime or after itrsquos been stored The classthat receives the most protection real-time content has a very basic rule forthe normal user donrsquot get or look at itFor the government the rule is nearly assimple donrsquot get it without a wiretaporder Providers arenrsquot supposed to lookat it unless theyrsquore in the process of pro-tecting their rights and property So ifyoursquore a regular user donrsquot run an unau-thorized sniffer If yoursquore representing aprovider under Eckenwilerrsquos interpreta-tion feel free to run an IDS or even akeystroke logger in real time you can beproactive in defending yourself Otherexceptions are made for publicly accessi-ble systems such as IRC or if all partiesconsent say in a system that has a ban-ner stating that use implies consent tomonitoring As a provider if you have alegitimate need to monitor therersquos noreason to worry
The second class of data consists oftransactional records being interceptedin real time For providers and users therules remain nearly the same hands offfor the latter and have a good reason forthe former The standards have beenlowered for the government so thisinformation is essentially ldquoless privaterdquoFor access to this data the governmentsimply needs a court order Examples ofdata that fall under this are addressesattached to incoming emails and infor-mation on where users are connectingfrom and whether they are online
Next comes stored content Eckenwilerreferred to this section as ldquoDichotomieslsquoRrsquo Usrdquo basically each situation has dif-ferent rules that apply with way toomany to generalize here
Finally there are stored transactionalrecords Users hands off Providers are
allowed to reveal this information toanyone they like except for the govern-ment In respect to the governmentthere are two classes of data basic userdata and non-contact info Basic userdata (things like name address andphone number) is accessible with a sub-poena and thus not strongly protectedEverything else requires a 2703(d) war-rant to access but providers can be senta court order requiring they hold on tothe data for a specified amount of timeusually in expectation of a warrant beingserved in the near future
LOANING YOUR SOUL TO THE DEVIL INFLU-ENCING POLICY WITHOUT SELLING OUT
Matt Blaze ATampT Labs-Research
Summarized by George M Jones
Matt Blaze commented on the publicdebate over cryptology thatrsquos taken placeover the past 10 years or so He includedamusing stories of ldquohacker tourismrdquoincluding nine cryptography experts allindependently trying to score ldquocoolrdquopoints by stealing stationery from secretcongressional briefing rooms and NOTopening a red folder marked ldquoTOPSECRET Presidentrsquos Daily NationalSecurity Briefingrdquo when left alone in aconference room in the old executiveoffice building
What can a scientisttechie contribute tothe public policy debate His mainadvice is ldquostick to what you knowrdquo (sci-encetechnology) ldquoYou are listened tobecause people believe you have objec-tivityThe basic purpose of science andengineering is to expand understandingof realitytruth with no compromisesrdquoYou are not there to comment on philos-ophy politics or constitutional law
He gave an amazingly insightful list ofthe contrasting values of science andpolitics)
Science is interested in findingtruth Politics is about balancinginterests
6 Vol 26 No 7 login
In science people are rewarded fornew discoveries Disruptiveness isconsidered good In politics peopleare rewarded for making other peo-ple happy Disruptiveness is consid-ered bad
In science uncompromising peopleare admired in politics uncompro-mising people are considered fools
In science ldquohonestyrdquo means admit-ting mistakes in politics it meanskeeping promises
In science challenging someoneshows interest in politics a chal-lenge is an attack
In science there is no ldquodress coderdquoin politics even suits can be consid-ered ldquocasualrdquo (and thus cause younot to be taken seriously)
The policy options range from discour-agingforbidding its use allowing lim-ited strength crypto allowing use ofstrong modern cryptographic methodsand encouraging use In the last fewyears the US has moved mostly from thefirst to the third stage
The tone of thedebate has alsochanged andincludes more actualdialogue We nolonger have one sideyelling ldquoYoursquore abunch of long-haired hippiesrdquo andthe other yellingldquoYoursquore a bunch of
jack-booted thugsrdquo Now itrsquos just ldquoyoursquorea bunch of hippiesrdquo vs ldquoyoursquore a bunchof thugsrdquo See for instance ldquoThou shaltuse skipjackclipperrdquo vs the process forselecting AES
ldquoWashington DC is another planet aclosed systemrdquoldquoMuch of what happenshere is for showrdquoldquoAny meeting with apolicy maker involves a little conspiracyto make each other feel importantrdquoldquoMeetings with congressional staffers
always end with the question lsquoWhat doyou suggest we dorsquordquo Stick to what youknow
COPS ARE FROM MARS SYSADMINS ARE
FROM PLUTO DEALING WITH LAW ENFORCE-MENT
Tom Perrine San Diego SupercomputerCenter
Summarized by Ross Oliver
Tom Perrine described some of his expe-riences with law enforcement peopleand discussed his recommendations forother sysadmins who may need to inter-act with law enforcement
Like system administration law enforce-ment is a culture as well as an occupa-tion with its own lingo inside jokes etcThere are also many different lawenforcement agencies federal state citycounty military and customs Evenschools and universities often have theirown police force
Throughout the talk Perrine empha-sized the importance of trust in individ-uals rather than organizations Just as inany large organization there are ldquoclue-fulrdquo and not ldquocluefulrdquo members andbuilding personal relationships is keyAlso realize that the goals and prioritiesof law enforcement may be differentfrom yours
Because they are ldquoagents of the govern-mentrdquo law enforcement officers havemany legal constraints on their actionsthat may not apply to private citizensSysadmins can take advantage of ldquoISPexemptionsrdquo in the law to take ldquoany stepsnecessary to protect the communica-tions systemrdquo
Perrine recommends that sysadminsbecome familiar with applicable laws(both federal and state) before the needto apply them arises Advice of qualifiedlegal counsel is strongly recommendedAlso make sure your organizationrsquos poli-cies are suitable and adhere to themduring any investigation
Matt Blaze
READING BETWEEN THE LINES LESSONS
FROM THE SDMI CHALLENGE
Summarized by Rachel Greenstadt
Scott A Craver Min Wu and Bede LiuPrinceton University Adam Stubble-field Ben Swartzlander and Dan SWallach Rice University Drew Deanand Edward W Felten Princeton Uni-versity
Program Chair Dan Wallach introducedthis talk as being a long time in the mak-ing and mentioned that he was pleasedto have it here However he stressed thatthis first section would be a normal bor-ing technical talk THEN there would bea panel discussion where policy ques-tions would be allowed Matt Blazeasked when the subpoenas would beserved however despite the large massof press and lawyers that joined theUSENIX attendees there was no last-minute withdrawal of the talk this timeand no FBI agents came to cart ScottCraver away as he gave his talk
Craver began by describing the chal-lenge which took place during threeweeks in September and October of2000 SDMI (Secure Data Music Initia-tive) invited ldquohackersrdquo otherwise knownas the general public to crack six of theirproposed technologies labeled Athrough F There were four watermark-ing technologies and two others SDMIoffered a cash prize for the successfuldefeat of one of their technologies butthis required the winners to sign a Non-Disclosure Agreement so the Feltengroup decided to forego the prize infavor of publishing their findings
SDMI is an organization an initiativeand the technology for that initiative Atthe time of the challenge that technol-ogy was watermarking and related tech-nologies The watermarks (technologiesA B C and F) were composed of arobust and a fragile component therobust part of which would survivealtered music Through a missing water-mark in the fragile component such as
7November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sif it had been mp3 compressed anSDMI device could perhaps determine ifa CD track was ever an mp3 in the pastperhaps illegally downloaded The othertechnologies (D and E) were used tosign tables of contents supposedly tocontrol the propagation of CDs withmixed tracks
For the watermarking technologies therewere three samples given (1) a soundclip without a watermark (2) the samesample with a watermark and (3) a dif-ferent sound clip with a watermark Thechallenge was to remove the watermarkfrom the third sound clip SDMI pro-vided no actual embedders or detectorsThere was an online oracle to which youcould submit a sound clip and get aresponse There was no description ofthe algorithms used and no details orreasons were given when an oraclerejected a clip The challenge lasted onlythree weeks and the oracle had a turn-around time in hours As such adaptiveoracle attacks which would be possibleif the system were deployed were notfeasible
There were several approaches usedagainst the marks (1) brute force attacksnot specific to the algorithm used andwhich mostly consisted of adding noiseand filtering (2) slight brute forceattacks loosely based on supposeddetails of the algorithms and (3) full-blown reverse engineering
For technologies B and C the groupnoticed that there was a narrow bandsignal added to the clip By the slightlybrute method of filtering at the fre-quency and adding narrow-band noisethey were able to foil the oracle
In their analysis of technology A the-group noticed a slight warping in thetime domain as though the signal wasslowly advancing or decreasing Theydetermined that this phase shifting waspre-processing and not the actual water-mark since the oracle did not admit the
sample when the distortion wasremoved However removing this dis-tortion in technology F was able to makethat watermark undetectable (quicksomebody call the FBI)
Another approach to defeating technol-ogy A would have been to try reinstatingthe fragile component However therewas no way to test this type of attackusing the oracle
The group noticed a ripple in the fre-quency domain which led them tobelieve that technology A used some sortof echo hiding technique consisting ofdeliberate but inaudible echoes whichmeant that there was a signal which wasdelayed and then added back into themusic They tried a filtering approach toreduce the audibility of the echo suffi-cient to remove the watermark Wantingto discover more they decided to do apatent search figuring correctly that thiswas a proprietary algorithm with apatent They found a patent belongingto Aris corporation which became Ver-ance one of the SDMI companies Thismade them feel like they were on theright track They also discovered that itwas a simple echo every fiftieth of a sec-ond and that a delayed version wasadded or subtracted every fifteenthinterval To further analyze the signalthey used the auto-kepstral techniquefor echo hiding combining techniquesto estimate the echo Theyrsquove come upwith better echo hiding detection soft-ware subsequent to the challenge Scottdemonstrated a program that was colorcoded to detect the echo
For technologies D and E SDMI pre-sented table-of-contents files for 100CDs and signature tracks The challengewas to create a new table of contents andsuccessfully forge a signature for it Fortechnology D they found that all theenergy was concentrated in a small fre-quency band of 80 frequency bins whichonly actually used a 16-bit signal
repeated five times with constant shuf-fling Since there were only 16 bits ofoutput a user should be able to acquiremany authenticators as there were twohash collisions among the CDs givenHowever it was difficult to get furtherthan this analysis because the oracle forD didnrsquot work it would always returnldquoinvalidrdquo regardless of input Technology
E however didnrsquot have any data to ana-lyze at all You could submit a mail say-ing yoursquod try mixing this track and thattrack and yoursquod get a reply saying thatyou couldnrsquot do that
The speaker concluded by saying thatmany claimed that this was a system toldquokeep honest people honestrdquo Howeverthough the Felten group felt that the sys-tem was too complex for that theywouldnrsquot claim any type of strong secu-rity The systems require trusted clientsin a hostile environment but if deployedthey would be broken quickly No spe-cial EECS knowledge is needed andthere are no dirty secrets Anyone withreasonable expertise could do thisWatermarking can be useful but not inthis situation The weakness is in theoverall concept not the specific technol-ogy One main lesson learned is thatsecurity through obscurity STILL doesnrsquot work This is particularly thecase for secret algorithms which arepatented and therefore public
Peter Honeyman asked about the possi-bility of a secure watermark Scottreplied that he personally thinks that
8 Vol 26 No 7 login
watermarking wonrsquot work for activelyenforcing a usage policy since doing thisprovides all targets an oracle that theycan use He is pessimistic about the useof watermarking for copyright controlHe clarified that they broke accordingto the oracle technologies A B C and Fbut that D and E had no valid responsesHe also clarified that only technology Aused echo hiding and that though theydonrsquot know what the criteria for the ora-cle was it appeared to make a decisionbased on detectability and quality Heexplained that some areas where water-marking might prove useful is in fragilewatermarks which provide tamper evi-dence in digital photographs and in pre-venting duplication of currency Thesetechnologies have a different threatmodel Someone asked about copy pro-tected CDs Scott replied that that was acompletely different approach doneentirely at the hardware level Peoplewondered why honest people would notwant a complex copy protection schemeScott answered that complex schemeshave higher rates of failure and highercost Someone asked how this was rele-vant to detecting steganographic infor-mation and Scott answered that theywere basically the same and that theinformation about echo detection wouldbe useful
PANEL DISCUSSION ON SDMIDMCA
Moderator Dan Wallach Rice Univer-sity Panelists Edward W FeltenPrinceton University Cindy Cohn EFFand Peter Jaszi American UniversityCollege of Law
The three panelists spoke about the legaland social questions surrounding theSDMIDMCA issue Dan Wallach men-tioned that if there were any representa-tives from the record company the panelwould love to have someone from theother side come speak he doubtedhowever that they would be here
Peter Jaszi then presented a detaileddescription of the Digital Millennium
Copyright Act (DMCA) section 1201He explained the difference between theDMCA and copyright law Copyrightlaw has been developed and refined overa few hundred years and maintains adelicate balance between owners andusersrsquo privileges To that end it has beenrelatively successful It is important tounderstand that the DMCA is not copy-right law but rather a supplement tocopyright law or para-copyright legisla-tion As such it has the potential to over-
ride thecopyrightdefault protec-tions which hadbeen carefullylaid out overtime He soughtto explain theseoverrides andmentioned thatthe risk the
DMCA poses to the fundamental copy-right system isnrsquot news and wasnrsquot newswhen it was passed As a result somelimitations to the DMCA were built inbut most of these exceptions are notvery functional
The fundamental commandment of theDMCA is ldquoThou shall not circumventfor accessrdquo The fact that it was accessand not use was a compromise intendedto limit the DMCA However it limitedthe legislation less than some imaginedit would since there is a great deal ofconfusion between access and use Thereare also secondary prohibitions concern-ing making goods and services whichcan be used for circumvention availableSection 1201(b)(1) can be interpretedbroadly and it was under this provisionthat the threats from SDMI to theauthors of the paper were made
Section 1201(c) presents a fair-useexception in wonderful ringing lan-guage however it is completely irrele-vant since it references fair use as adefense of copyright and the DMCA isnot copyright
Q amp A Scott Craver amp Dan Wallach
Prof Peter Jaszi
The law enforcement exception is actu-ally sweeping and robust it applies to allthe provisions of the act The reverseengineering exception is not half bad itrefers to the whole range of prohibitionsalthough it is still narrower in scopethan the protections under copyrightlaw Sections 1201(g) and (j) presentlimited exceptions for encryptionresearch and security testing which areuncertain in scope Section 1201(h)presents a small but robust exception toallow adults to circumvent in order tofrustrate a minorrsquos attempt to achieveprivacy in a Web environment Section1201(i) allows ordinary people to pro-tect their privacy but it is only a conductexception you need to make your owntools and not distribute them There isless to all these limitations and excep-tions than meets the eye
There are risks posed by this legislationto the traditional balance of interest incopyright law which calls for a push-back against legislative excess To thisend Jaszi is forming a new access coali-tion They have a Web site athttpwwwipclinicorg
Cindy Cohn from the EFF said thatPeter had already said everything aboutsection 1201 but stressed that the EFFwas ldquopushback centralrdquo and explainedways in which people could get involvedin this effort The EFF has been involvedin this issue even before the cases involv-ing 2600 Magazine Felten and theUSENIX presentation of the SDMIpaper and the California trade secretscase
Thomas Greene from the Register won-dered why the mainstream press hasnrsquotrealized their stake in this and what itimplies about freedom of the pressCindy replied that they were gettingincreased press support with the Sky-larov arrest speaking speculatively shealso mentioned that the mainstreampress is owned by content holders In
9November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Saddition most press organizations wishto be seen as nonpartisan and objective
Someone asked about dual use tech-nologies such as echo detection TheDMCA takes this into account but thelanguage doesnrsquot give much comfortThere are a series of criteria which willgive you liability
There was a question about potentialconnections between the lawsuit and theSkylarov case Cindy answered that instrictly legal terms there was no overlap
Someone asked what to do in Feltenrsquossituation what lessons had they learnedFelten responded that they learned agreat deal responding to the threatsregarding the paper He said to talk topeople whorsquove been there and keep inmind your goals and values
Someone brought up the question ofwhether a person would be at risk forsummarizing the session Cindy saidthat the letter they received only per-tained to the particular paper butbecause the paper can be publishedprosecuting for summarizing would behard Peter suggested that if you weregoing to synthesize the talk (uhthis isstarting to sound disturbingly famil-iar) and discuss strengths and weak-nesses theoretically you could be introuble Especially if you implementsomething based on the presentationFelten mentioned that the fact that thisquestion has no simple answer is telling
Someone suggested widespread civil dis-obedience as the only way to effectchange Cindy responded that she neveradvises people to break the law Thoughshe feels that if the law is out of stepwith what people believe their rights arethe law should be changed Peter addedthat copyright law has functioned wellbased on shared social investment Likethe tax code it works not because it ispoliced but because there is a highdegree of collective buy in to its prem-ises The most corrosive thing about the
DMCA is that the basic assumptions itmakes about people are dark and pes-simistic We need to question thoseassumptions and what flows from them
Someone asked for some insight intowhy the industry wouldnrsquot want thisresearch since it would allow them tobuild better protection schemes Feltenresponded that to us the question is isthis technology weak We didnrsquot make itweak and we think it should be fixedThe industryrsquos concern is not whetherthe technology is strong or weak somuch as whether people believe it isstrong or weak They think that if thepublic reaches a consensus that the tech-nology is strong that will be enoughMany of us find this hard to understand
[More information and photographscan be found at httpwwwusenixorgeventssec01indexhtml
CHANGES IN DEPLOYMENT OF
CRYPTOGRAPHY AND POSSIBLE CAUSES
Eric Murray SecureDesign
Summarized by Takeaki Chijiiwa
A survey of cryptography deploymentwas conducted last year (2000) by EricMurray and a similar survey was con-ducted in 2001 to measure changes inthe deployment of SSL (Secure SocketLayer) and TLS (Transport Layer Secu-rity) Web servers
The results of the 2000 survey showed10381 unique hostname and port num-ber combinations compared to 12630 in2001 Detailed results are available athttpwwwlnecomusenix01
There were several noteworthy changesbetween the results from the surveys in2000 and 2001
What got better
A 14 increase 5 decrease and8 decrease among servers catego-rized as Strong Medium and Weakrespectively
The number of servers supporting1024-bit key size increased by 10while a decrease of 8 was seen forsupport of less than 512-bit keysize
The protocol adoption saw a shiftfrom SSL v2 (3 decrease) towardTLS (5 increase)
What got worse
The number of expired certificatesincreased from 31 to 37
Self-signed certificates increasedfrom 08 to 20
The results presented raised many ques-tions from the audience
Question Why do you think there wasan increase in the number of self-signedcertificates
Answer This may be due to people play-ing around with OpenSSL or the surveymay have picked up servers used forinternal use Furthermore the increasein the number of expired certificatesmay have been a result of study errorandor the inclusion of abandoned Websites
Question Did you retest the serversfrom last yearrsquos survey
Answer No This was a new list andtherefore a completely new survey
Question Is the raw data available
Answer You can email ericmlnecomfor private requests
Question Which browsers do you usefor personal use
Answer Linux and Netscape
REVERSING THE PANOPTICON
Deborah Natsios cartomeorg JohnYoung cryptomeorg
Summarized by Mike Vernal
Deborah Natsios described the missionof cartomeorg and cryptomeorg as anattempt to reverse the one-way flow ofinformation controlled by the national
10 Vol 26 No 7 login
surveillance state Based upon theassumption that information is powerNatsios likened the work of cartomeorgand cryptomeorg to that of Ariadne inthe myth of Theseus and the MinotaurBy reversing the flow of informationcartomeorg and cryptomeorg hope toempower those who may be caught inthe labyrinth of the security state muchas Ariadne empowered Theseus with atrail of silk thread through the labyrinthof Crete
John Young continued by explainingthat cryptomeorg welcomed the sub-mission of proprietary or classified doc-uments and trade secrets from anynation or corporation Young describeda few such documents and the unfavor-able responses they had received TheBritish government objected to one doc-ument and attempted to have cryp-tomeorgrsquos Internet service provider shutthe site down Another documentprompted diplomatic requests from theJapanese government for its removal Allattempts to shut the site down have thusfar been rebuffed but Young imaginesthat someone will eventually be success-ful
Other information cryptomeorg hasreceived and published include proofsthat American corporations used USintelligence to stay ahead of foreigncompetitors the names of over 8000CIA informants and currently the pro-grams and keys associated with Russianprogrammer Dmitri Skylarovrsquos crack ofAdobersquos E-book system for which hewas arrested in July
An audience member asked what typesof material cryptomeorg would notpublish Young explained that cryp-tomeorg is open to any kind of publica-tion but they have refused to publishchild pornography documents andinformation related to biological war-fare They also feel that personal prerog-ative takes precedence over the publicrsquosright to know so they will remove per-
sonal information and documents ifrequested by the person in questionThey also reminded the audience thatthey do not verify the authenticity of theinformation they publish ndash they leavethat to the interested reader
Young repeatedly stressed what hebelieved to be the transitory nature ofcryptomeorg He assured the audiencethat at some point cryptomeorg willeither be silenced or it will simplymature away from the cutting edgeWhen that finally happens Young isconfident that someone else will emergeat the vanguard of the quest to reversethe Panopticon state
DESIGNS AGAINST TRAFFIC ANALYSIS
Paul Syverson US Naval ResearchLaboratory
Summarized by Yong Guan
Paul Syverson used a pseudonym ldquoPeterHoneymanrdquo on his talk a joke whichpervaded the rest of the conference
Although the encryption of networkpackets ensures privacy of the payload ina public network packet headers iden-tify recipients packet routes can betracked and volume and timing signa-tures are exposed Since encryption does not hide routing information pub-lic networks are vulnerable to trafficanalysis
Traffic analysis can reveal for examplewho is searching a public database whatWeb sites are surfed which agencies orcompanies are collaborating where youremail correspondents are what sup-pliesquantities you are ordering andfrom whom and so forth
Knowing traffic properties can help anadversary decide where to spendresources for decryption and penetra-tion Therefore it is important todevelop countermeasures to preventtraffic analysis
The security goal of traffic-analysis-resistant systems is to hide one or moreof the following
Sender activity that a site is sendinganything
Receiver activity that a site isreceiving anything
Sender content that a sender sentspecific content
Receiver content that a receiverreceived specific content
Source-destination linking that aparticular source is sending to aparticular destination
Channel linking identifying theendpoints of a channel
Some systems were described
Dining Cryptographers (DC) ndash net-works in which each participant sharessecret coin flips with other pairs andannounces the parity of the flips theparticipant has seen to all other partici-pants and the receiver
Chaum mixes ndash a network of mix nodesin which messages are wrapped in mul-tiple layers of public-key encryption bythe sender one for each node in a routeMost widely used anonymous commu-nication systems use the Chaum mixmethod
There are two kinds ofroutes for the messagesmix cascade where allmessages from anysource move through afixed-order ldquocascaderdquo ofmixes and randomroute where the routeof any message is
selected at random by the sender fromthe available mixes
Remailers mainly used for emailanonymity employ rerouting of anemail through a sequence of multiplemail remailers before the email reachesthe recipient so that the true origin ofthe email can be hidden
Anonymizer and SafeWeb provide fastanonymous interactive communicationservices They are essentially Web prox-
11November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sies that filter out the identifying headersand source addresses from Webbrowsersrsquo requests Instead of the userrsquostrue identity (eg IP address) a Webserver can only learn the identity of theWeb proxy Both offer encrypted links totheir proxy (SSL or SSH) Anonymizer isa single point of failure whereasSafeWeb is a double point of failureSafeWeb offers additional protectionfrom censorship
Crowds aims at protecting usersrsquo Web-browsing anonymity Like Onion Rout-ing the Crowds protocol uses a series ofcooperating proxies (called jondo) tomaintain anonymity within the groupUnlike Onion Routing the sender doesnot determine the whole path Insteadthe path is chosen randomly on a hop-by-hop basis At each hop a decision ismade whether to submit the requestdirectly to the end server or to forward itto another randomly chosen memberaccording to forwarding probability Theexpected path length is controlled by theforwarding probability Cycles areallowed on the path The receiver isknown to any intermediate node on theroute Once a path out of a crowd ischosen it is used for all the anonymouscommunication from the sender to thereceiver within a 24-hour periodCrowds does not have a single point offailure and is a more lightweight cryptothan mix-based systems HoweverCrowds has limitations all users mustrun Perl code users have to have long-running high-speed Internet connec-tions an entirely new network graph isneeded for a new or reconnecting Crowdmember connection anonymity isdependent on data anonymity andresponder protection is weak
Onion Routing provides anonymousInternet connection services The OnionRouting network operates on top ofexisting TCPIP networks such as theInternet It builds a rerouting pathwithin a network of onion routers
which in turn are similar to real-timeChaum mixes In Onion Routing thedata packet is broken into fixed-sizecells and each cell is encrypted multipletimes (once for each onion router on thepath) Thus a recursively layered datastructure called an onion is constructedAn onion is the packet transmitted alongthe rerouting path The fixed size of anonion limits a route to a maximum of 11nodes in the current implementationOnions can be tunneled to producearbitrary length routes
Onion Routing I (Proof-of-concept)uses a network of five Onion Routingnodes operating at the Naval ResearchLaboratory It forces a fixed length (fivehops ie five intermediate onionrouters) for all routes
Onion Routing II can support a networkof up to 50 core onion routers For eachrerouting path through an Onion Rout-ing network each hop is chosen at ran-dom The rerouting path may containcycles although only cycles with one ormore intermediate nodes are allowed
Freedom Network also aims at provid-ing anonymity for Web browsing Fromthe userrsquos point of view Freedom is verysimilar to Onion Routing Freedom con-sists of a set of nodes (called Anony-mous Internet Proxy) which run on topof the existing Internet infrastructureTo communicate with a Web server theuser first selects a series of nodes to forma rerouting path and then uses this pathto forward the requests to its destina-tion The Freedom Route Creation Pro-tocol allows the sender to randomlychoose the path but the path length isfixed to be three The Freedom client-user interface does not allow the user tospecify a path-containing cycle TheFreedom client must either have all theintermediate nodes in the path chosenor choose a preferred first node and lastnode and the intermediary nodes arepicked at random
Paul Syverson
For more information visit httpwwwonion-routernet andhttpwwwsyversonorg
Question Who manages the onionrouters Are they managed independ-ently
Answer Yes The onion routers can bedistributed anywhere and be managedby different groups
Question Do you believe that thelonger the path the safer the anony-mous communication system
Answer I am not sure
COUNTERING SYN FLOOD
DENIAL-OF-SERVICE (DOS) ATTACKS
Ross Oliver Tech Mavens
Summarized by David RichardLarochelle
SYN flood attacks are a nasty DoSattack The attacker sends a SYN packetbut does not complete the three-wayhandshake This is hard to defendagainst because SYN packets are part ofnormal traffic and unlike ping attacksyou canrsquot firewall them Since SYN pack-ets are small the attack can be done withlimited bandwidth Finally the attacksare difficult to trace because source IPaddresses can be faked Ross Oliverstressed that itrsquos up to you to defendyourself (law enforcement is unable todeal with attacks as they occur if theycan deal with them at all) and suggestedthat firewalls employing SYN flooddefenses are the best way of doing this
He reviewed four such products PIX byCisco Firewall-1 by CheckpointNetscreen 100 by Netscreen and App-Safe (previously called AppSwitch) byTopLayer To test these products heplaced a Web server behind the firewalland used a machine with a script whichcalled wget repeatedly to request Webpages to represent the legitimate clienttraffic An attacking machine threw SYNpackets with forged source addresses atthe Web server
12 Vol 26 No 7 login
The Cisco PIX used a threshold tech-nique which allowed a set number ofincomplete connections and droppedadditional SYN packets The testsshowed no significant improvementover no firewall The Firewall-1 faredslightly better It lets SYN packets reachthe Web server and then sends an ACKpacket to the Web server to complete thethree-way handshake Under a SYNflood attack the Web server will then
have a bunch of com-pleted connectionsinstead of half-openones Firewall-1 pro-tected up to 500 SYNsper second but withdegraded response timeThe Web server returned
to normal 3ndash10 minutes after the attackceased
Netscreen and AppSafe had the bestresults If these firewalls detect a SYNflood attack they proxy the incomingconnections and only send the Webserver the SYN and ACK packets if thehandshake is completed by the clientNetscreen detects SYN floods by lookingat the number of incomplete connec-tions It protected up to 14000 SYNssecwith acceptable response times and con-tinued to function at higher SYN ratesbut with increasing delays The serverresponded normally immediately afterthe attack
AppSafe used a more elaborateapproach It determined whether toproxy a connection request based on thesource IP address SYN packets from IPaddresses which had recently behavedlegitimately were let through to the Webserver immediately Only connectionsfrom previously unseen or malicious IPaddresses were proxied AppSafe waseffective up to 22000 SYNssec whichwas the most traffic that the attackingmachine could produce in this testHowever it was pointed out that in thetest the client machine used only one IP
This technique may not work as well in asituation in which there are new connec-tions from previously unseen clients
How much protection you need dependson what type of attack you expect Anattacker with a Cable or DSL connectioncan produce 200 SYNssec An attackerwith a T1 can produce 2343 SYNssecAccording to the paper ldquoInferring Inter-net Denial-of-Service Activityrdquo pre-sented the previous day 46 of DoSattacks involved more than 500SYNssec but only 24 were above14000 SYNssec This level can be han-dled with a single firewall Multiple ordistributed attacks may require multipleparallel firewalls Because of the widerange of performance between devicesOliver stressed the importance of testingand advised testing the devices yourselfif possible
REAL STATEFUL TCP PACKET FILTERING WITH
IP FILTER
Guido van Rooij Eindhoven Universityof Technology
Summarized by Evan Sarmiento
Old firewall implementations used to fil-ter TCP sessions using addresses andports only creating an interesting prob-lem The administrator would have toguess the source port of the packet inorder to filter it correctly In order tosolve this a new trend in firewalls is tointroduce stateful packet filtering State-ful packet filters remember and onlyallow through addresses and ports ofconnections that are currently set up
Even before Guido van Rooijrsquos work IPFilter did have stateful packet filteringbut it was implemented in the wrongway IP Filter does take sequence ACKand window values into account but itmakes the wrong assumption that pack-ets seen by the filter host will also beseen by the final destination Thisassumption caused IP Filter to droppackets in certain situations The newstate engine for IP Filter encompassesthe following goals
Ross Oliver
Conclusions made by the enginemust be provable
All kinds of TCP behavior must betaken into account
The number of blocked packetsmust be minimized
Blocking of packets must never leadto hanging connections
Opportunities for abuse should bemade as small as possible
The new state engine includes 20 bytesper state entry and about 40 lines of Ccode without loops thus the perfor-mance overhead is minimal
However even the new state engine isnot always successful even though it is agreat improvement Occasionallyblocked FIN and ACK packets causeproblems in the state timeout handlingfor TCP half-closed sessions IP Filterdrops packets coming from a few Win-dows NT workstations for a strange andas yet unknown reason
Guido then outlined some future addi-tions to IP Filter He would like to beable to fix fragment handling add sup-port for sessions entering the state tableafter establishment and check validity ofa session if a packet comes in from themiddle of the connection
REFEREED PAPERS
SESSION DENIAL OF SERVICE
Summarized by Stefan Kelm
USING CLIENT PUZZLES TO PROTECT TLS
Drew Dean Xerox PARC Adam Stub-blefield Rice University
Adam Stubblefield presented their workon a DoS protection technique namelythe use of client puzzles within the TLSprotocol Even though client puzzleshave been supposed to be a solution toDoS attacks Stubblefield pointed outthe lack of actual implementations Thechoice of TLS as the protocol to protectagainst DoS seems obvious but TLS issubject to DoS attacks because of thecomputing-expensive cryptographic
13November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Soperations performed at both the clientand the server side A server howeverhas to perform the more expensive RSAdecrypt operations during the sessionhandshake thus any small number ofclients could easily overload a TLS serverby flooding the server with TLS hand-shake messages The goal of this work isto prevent this using cheap methods
The idea of TLS-based cryptographicpuzzles is to first let the client do thework and subsequently the server If theserver is under a heavy load it sends aso-called ldquopuzzle requestrdquo to the clientThe client in turn has to compute anumber of operations which it then usesto send a ldquopuzzle solutionrdquo back to theserver Thus the server will not need tocontinue the TLS handshake unless theclient has proven its intent to really opena TLS connection
Client puzzles are surprisingly easy toimplement on both the client and theserver side Stubblefield used modifiedOpenSSL and mod_ssl source code totest the implementation The implemen-tation uses a metric which tracks unfin-ished RSA decrypt requests in order todecide whether or not the server isassumed to be under attack Sinceadding more latency to the TLS protocolwas not a goal of this work the serveronly sends a puzzle request back to theclient if it really has to This is imple-mented by using variable thresholds
The author concluded that they are ableto protect against certain denial-of-ser-vice attacks at not much cost and with agood user experience Moreover theproposed solution can be implementedusing already existing code
For more information contact astubblericeedu
INFERRING INTERNET DENIAL-OF-SERVICE
ACTIVITY
David Moore CAIDA Geoffrey MVoelker and Stefan Savage Universityof California San Diego
This paper awarded the best paperaward tried to answer the question ofhow prevalent denial-of-service attacksin the Internet currently are Theauthors ran a test over a period of threeweeks trying to come up with an esti-mate of worldwide DoS activity
David Moore presented the so-calledldquobackscatter analysisrdquo as their key ideaand outlined the basic technique sinceattackers normally use spoofed source IPaddresses the ldquoreal ownersrdquo of those IPaddresses regularly receive responsepackets from the systems being attacked(Moore called these ldquounsolicitedresponsesrdquo) By monitoring these unso-licited responses one is able to detectdifferent kinds of DoS attacks Further-more by observing a huge number ofdifferent IP addresses over a longerperiod of time sampling the results canprovide an overview of attacks going on
Moore presented some interestingresults and displayed a number of fig-ures and tables showing the number ofattacks the attacks over time the attackcharacterization the attack duration dis-tribution and the attack rate distribu-tion Moorersquos team observed a numberof minor DoS attacks (described as ldquoper-sonal vendettasrdquo) as well as some victimsunder repeated attack Classifying thevictims by TLD showed countries likeRomania and Brazil being attacked farmore often than most other TLDs Thepresenterrsquos hypothesis was that eitherthose countries host ISPs that attackeach other or there simply are morehackers located in Romania and Brazil(this was later denied by someone in theaudience stating that Romania has reallynice people)
In conclusion the authors observedsome very large DoS attacks thoughmost attacks seem to be short in dura-tion Another result showed the majorityof attacks being TCP based To clarifythis technique is not good at distin-guishing between DoS and DDoS
attacks since it is not good at distin-guishing between attackers
During the QampA session one questionwas on why the analysis showed noattacks on the mil domain Theresponse given was that either mil is notunder attack (unlikely) or that backscat-ter packets are being filtered
For more information contactdmoorecaidaorg or see httpwwwcaidaorgoutreachpapersbackscatter
MULTOPS A DATA-STRUCTURE FOR
BANDWIDTH ATTACK DETECTION
Thomer M Gil Vrije UniversiteitMITMassimiliano Poletto MIT
Thomer Gil proposed a heuristic as wellas a new data structure to be used byrouters and similar network devices todetect (and possibly eliminate) denial-of-service attacks Most DoS attacksshow disproportional packet rates with ahuge number of packets being sent tothe victim and only very few packetsbeing sent by the victim in response Thenew data structure called MULTOPS(Multi-Level Tree for Online Packet Sta-tistics) monitors certain Internet trafficcharacteristics and is able to drop pack-ets based on either the source or the des-tination address
The main implementation challengeswith MULTOPS have been and still arethe precise identification of maliciousaddresses athe achievement of a smallmemory footprint and a low overheadon forwarding ldquorealrdquo traffic as opposedto DoS-based traffic MULTOPS isimplemented as a memory-efficient treeof nodes which contains packet-rate sta-tistics and which dynamically grows andshrinks with the traffic being observedAt the current implementation packetsare dropped based on either a variablepacket rate or a ratio Since it usually isimpossible to identify an attacker(because of IP spoofing) packets can bedropped based on the victimrsquos IP too
14 Vol 26 No 7 login
The authors succeeded in simplifyingmemory management and the mecha-nism that keeps track of packets Gilpointed out that their solution is suc-cessfully being used by a network com-pany They are currently trying to focuson the behavior of different TCP imple-mentations as well as protocols otherthan TCP
Someone brought up the question ofdifferentiating DoS traffic from trafficthat normally shows disproportionalpacket flows eg video traffic The replysuggested the possibility of buildingsome kind of knowledge base A livelydiscussion on random class A addresseswithin MULTOPS subsequently arosebut was taken offline
For more information contact thomerlcsmitedu
SESSION HARDWARE
Summarized by Anca Ivan
DATA REMANENCE IN SEMICONDUCTOR
DEVICES
Peter Gutmann IBM TJ WatsonResearch Center
Peter Gutmann explained the dangers ofdeleting data in semiconductors Every-one knows that deleting data from mag-netic media is very hard but not toomany realize that the same problemexists for semiconductors especiallysince there are so many ways of buildingsemiconductors each with its own set ofproblems and solutions After giving ashort background introduction in semi-conductors and circuits (n-type p-typeSRAM DRAM) Peter described some ofthe most important issues
Electromigration because of highcurrent densities metal atoms aremoved in the opposite direction ofthe normal current flow The conse-quence is that the operating proper-ties of the device are stronglyaltered
Hot carriers during operation thedevice heats up and its characteris-tics change considerably
Ionic contamination this is nolonger an issue and its effects are nolonger significant
Radiation-induced charging itfreezes the circuit into a certainstate
The first phenomenon enables attackersto recover partial information from spe-cial-purpose devices (eg cryptographicsmartcards) The next two can be usedto recover data deleted from memory Inorder to avoid long- and short-term dataretention from semiconductors (a DESkey was recovered in the lsquo80s)researchers developed a series of solu-tions that use various semiconductorforensic techniques including the fol-lowing two
Short-term retention probably thesafest way to defend against it is notto keep the same values in the samememory cells for too long (maxi-mum a few minutes)
Long-term retention in 1996 someresearchers proposed periodicallyflipping the stored bits In this wayno cell holds the same bit value forlong enough to ldquorememberrdquo it
In the end Peter talked about how allthe problems cited above extend to flashmemory For example random genera-tors can generate strings of 1s when thepool is empty or information can beleaked into adjacent cells into shared cir-cuitry
Even though the entire presentationscared at least one person in the audi-ence (guess who) Peter assured us thatreality is not that gloomy In fact theonly problem is the lack of a standardEvery time people decide to choose oneimplementation method they shouldalso choose which solutions are best forit Answering a question Peter told usthat personal computers are not affected
by those problems but that most special-ized devices like airplane black boxescan leak information if analyzed withvery sophisticated equipment But thenagain who has such equipment
STACKGHOST HARDWARE-FACILITATED
STACK PROTECTION
Mike Frantzen CERIAS Mike ShueyPurdue University
The authors presented a software solu-tion to the return-pointer hijackingproblem The most important step inthe function-call process is when thecaller saves the return pointer beforegiving the control to the called functionMany attacks are based on changing thispointer When the callee finishes thereturn pointer dictates which functiontakes control next StackGhost is a pieceof software that automatically and trans-parently saves the return pointer andreplaces it with another number Whenthe called function completes Stack-Ghost verifies the integrity of that num-ber (catching in this way possibleattacks) and reinstalls the correctpointer value
The security of StackGhost depends onhow it modifies the return pointer tocatch attacks the authors have tried sev-eral ways
Per kernel XOR with a 13-bit signedcookie the main problem is that anattacker can find out the cookie bystarting several arbitrary programs
Per process XOR with a 32-bitcookie this is safer than the previ-ous method but more expensive
Encryptdecrypt the return pointerthis method seems to be the mostexpensive
Return-address stack this methodreplaces the return pointer withanother number and saves thepointer into a return-address stackHowever this would impede otherapplications from running correctly
15November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SAfter making performance measure-ments for all techniques the authorsnoticed that the chances of StackGhostnot catching an attack were 1 in 3 forXOR cookies and 1 in 232 for the return-address stack The conclusion was thatStackGhost was offering protectionagainst return-pointer overriding to allprocesses in the system (which might beseen as a disadvantage)
IMPROVING DES COPROCESSOR THROUGH-PUT FOR SHORT OPERATIONS
Mark Lindemann IBM TJ Watson
Research Center Sean W Smith
Dartmouth College
While the first two talks in this sessionwere at opposite poles (one deeply hard-ware and one purely software) the thirdone was somehow in the middle Thepresenter Sean Smith is one the fathersof the cryptographic card developed atIBM and presently working at Dart-mouth College Everything started in avery optimistic fashion with the usualintroduction we would have expectedfrom an IBM representative trying to sellus this device ldquoIt is secure it is fast it is reliablerdquo All the buzzwords werethere However with the next slide thischanged to ldquoIt is not as secure fast as we thoughtrdquo For example the specifi-cation promised the DES speed to be 20megabytessecond when in reality afriend obtained less than two kilobytessecond in a database application Wherewas the discrepancy coming from Themain intuition was that the specificationgives the performance for operations onmegabytes of input The real speed ismuch slower if the data is shipped to thecard in small chunks The differencebetween specs and reality was too bignot to be studied and Lindemanndecided to find out the reasons behindit First they built a model that simu-lates the database application and thentried to improve the speed by modifyingthe execution conditions in the follow-ing ways
Reducing card-host interactionldquofolklore in IBMrdquo taught them thatany card-host interaction consumestoo much time Thus they rewrotethe application to minimize thenumber of interactions The speedwent up to 18ndash23 kilobytessecondhowever it was still too far frommegabyte speed
Batching all operations into onechip operation chip resets were tooexpensive The speed became 360kilobytessecond
Batching into multiple chip opera-tions it reduced the number ofLayer 3 ndash Layer 2 switches Thespeed changed to 30ndash290kilobytessecond still not good
Reducing data transfers they did itby using an internal key-table andboosted the speed to 1400 kilo-bytessecond
Using memory-mapped IO thiseliminated the internal ISA bus bot-tleneck The speed went up to 2500kilobytessecond
Batching operation parametersinstead of sending them as separatepackets It increased the speed to5000 kilobytessecond This waseven more than they were expect-ing but the results were incorrectThe client had asked for speed buthadnrsquot mentioned anything aboutcorrectness So was the problemsolved
Not using memory-mapped IO toincrease accuracy they gave up onmemory-mapped IO for initializa-tion vectors and count Unfortu-nately there was a smallperformance cost the speed wasnow 3000 kilobytessecond
From the clientrsquos point of view all ofthese steps showed them that the onlyway to maximize the performance whileusing the secure coprocessor was todesign DES-batched API From thedesignerrsquos point of view the conclusions
were simpler always distrust folkloreand think if and how people will useyour product before designing it
SESSION FIREWALLSINTRUSION
DETECTION
Summarized by Stefan Kelm and YongGuan
ARCHITECTING THE LUMETA FIREWALL
ANALYZER
Avishai Wool Lumeta
ldquoWhat is your firewall doingrdquo AvishaiWool asked the audience at the begin-ning of his presentation therebydescribing the motivation to build LFAthe ldquoLumeta Firewall Analyzerrdquo
Firewalls have been installed by almostall companies connected to the InternetHowever the underlying policy often isfar from being good enough to actuallyprotect the company from outsideattackers Network administrators oftendo not know how to set up a firewallsecurely much less how to test or auditthe firewall configuration Wool pointedout that LFA is the successor of the Fangprototype system built at Bell Labs as afirewall analysis engine
The key idea is not to probe the actualfirewall in any way but to allow testingof the configuration before the firewallis deployed The firewallrsquos routing tableand configuration files are used as inputto the LFA which parses these files andsimulates the behavior of any possiblepacket flow combination (LFA mainlyoffers support for Firewall-1 and PIX)The results are presented to the user asHTML pages
Wool concluded by giving a shortdemonstration As input to the LFA heused a short Firewall-1 policy whichcontained only six rules and explainedwhy even such a short rule set mightlead to problems once the firewall isdeployed During the QampA session heemphasized that the LFA only checkspacket headers not the content and
16 Vol 26 No 7 login
cannot therefore detect tunneling prob-lems
For more information contactyashacmorg or visit httpwwwlumetacomfirewallhtml
TRANSIENT ADDRESSING FOR RELATED
PROCESSES IMPROVED FIREWALLING BY
USING IPV6 AND MULTIPLE ADDRESSES PER
HOST
Peter M Gleitz and Steven M BellovinATampT Labs-Research
The authors proposed a method to sim-plify firewall decisions By using thelarge address space brought by IPv6they employed a strategy of multiplenetwork addresses per host That is foreach request on the client host an IPv6address is tied to the client process Thefirewall now makes access decisionsbased on transport layer protocol infor-mation (ie filtering is shifted fromports to addresses) Once approved thefirewall allows all traffic between the twopeers to pass to and fro Once the serviceis finished the IPv6 address is discardedThis method is called TARP (transientaddressing for related processes) TARPemploys two different types ofaddresses (fixed) server addresses andprocess group addresses
Gleitz discussed how TARP works withTCP and UDP applications and with thefirewall router domain name serverand IPSEC Employing TARP does notnecessarily affect the routers thoughTARP-aware routers can perform betterMoreover Gleitz pointed out that nomodifications to standard applicationssuch as Telnet SSH FTP Sendmail orTFTP are necessary in order to useTARP He also mentioned briefly someinterop problems with protocols such asDNS and ICMPv6
For more information contactpmgleitnetscapenet
NETWORK INTRUSION DETECTION EVASIONTRAFFIC NORMALIZATION AND END-TO-END
PROTOCOL SEMANTICS
Mark Handley and Vern Paxson ACIRIChristian Kreibich Technische Univer-sitaumlt Muumlnchen
This paper focused on the problem ofnetwork intrusion detection system(NIDS) evasion Attackers usually canfool any NIDS by exploiting certainambiguities in the packet flow beingmonitored by the NIDS ie (1) theNIDS may lack complete analysis of thepacket flow (eg no TCP stream re-assembly) (2) the NIDS may lack end-system knowledge (eg certainapplication vulnerabilities) and (3) theNIDS may lack network knowledge(eg the topology between the NIDSand an end system)
As a solution Paxson proposed thedeployment of a ldquonormalizerrdquo the goalof which would be to observe all packetsbeing sent between two network nodes(he called that a ldquobump-in-the-wirerdquo)and to modify (ldquonormalizerdquo) packetsthat seem to be ambiguous for one rea-son or another As an example theauthor described problems with twooverlapping fragments the normalizerwould re-assemble (and re-fragment ifnecessary) those packets before forward-ing Since re-assembly is a valid opera-tion the normalizer would in thisexample have no impact on the seman-tics at all
Paxson also pointed out some of theproblems with this approach one ofwhich is the ldquocold startrdquo problem(re-)starting the normalizer will showmany valid connections already estab-lished It is difficult to handle those con-nections accordingly (this is also true forthe NIDS itself) The normalizer hasbeen implemented and will be availableat wwwsourceforgenet soon
In the QampA session Steven Bellovinwanted to know whether normalization
would not be needed at the applicationlayer as well The presenter answered inthe affirmative
For more information contactvernaciriorg
SESSION OPERATING SYSTEMS
Summarized by Mike Vernal
SECURITY ANALYSIS OF THE PALM OPERATING
SYSTEM AND ITS WEAKNESSES AGAINST
MALICIOUS CODE THREATS
Kingpin and Mudge stake Inc
Kingpin and Mudge began their presen-tation with a bold fashion statementappearing in matching white bathrobesTheir bathrobes aimed to underscore thefact that PDAs can undermine user pri-vacy in a public setting Their effortswere later rewarded with the covetedUSENIX Style Award presented by thereal Peter Honeyman of the Universityof Michigan
The presentation centered on the secu-rity threat posed by the recent ubiquityof Personal Digital Assistants (PDAs)and more specifically devices runningthe Palm Operating System Palmdevices increasingly are being used insecurity-sensitive settings such as hospi-tals and government agencies While thegovernment is now aware of the securitythreat posed by PDAs the corporateworld has remained generally oblivious
17November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SThe security threat of the Palm stemsfrom the PalmOSrsquos lack of a well-definedsecurity framework Specific weaknessesenumerated include the direct address-ability of hardware the lack of memoryencryption the lack of ACLs weakobfuscation of passwords and a back-door debug mode that allows for thebypassing of ldquosystem lockoutrdquo Becauseof these and other weaknesses the audi-ence agreed with the assertion thatdeveloping a secure application on topof the PalmOS would be impossible
The presentation suggested thatunscrupulous users could exploit anumber of weaknesses to install mali-cious code including normal applica-tion installation desktop conduitscreator ID replacement wireless com-munications and the Palm DebuggerAnother threat raised by Kingpin andMudge was the possibility of a new set ofcross-pollinating viruses which could beacquired via a Palm and propagatethemselves to desktop computers via theHotSync operation or vice versa
With the growing popularity of PDAsKingpin and Mudge invoked OccamrsquosRazor all other factors being equal thePDA may be the malicious userrsquos easiestpoint of entry into an information net-work The upcoming PalmOS 40reportedly fixes some of the securityconcerns raised In the interim usersshould be made aware of the possiblesecurity threats and restrict or eliminatetheir use of sensitive data and applica-tions on Palm devices
SECURE DATA DELETION FOR LINUX
FILE SYSTEMS
Steven Bauer and Nissanka B Priyan-tha MIT
Steven Bauer presented an implementa-tion of a kernel-level secure data-dele-tion (SDD) mechanism for the ext2 filesystem
Bauer suggested that with the increasingprevalence of public kiosks thin clientsmulti-user computing clusters and dis-tributed file systems users will want toensure that when their data is deletedfrom these systems it is truly and irre-trievably deleted
In 1996 Peter Gutmann of IBM demon-strated that data that had been overwrit-ten on a magnetic disk could berecovered using advanced probing tech-niques While popular lore has suggestedcertain government agencies may beable to recover data overwritten dozensof times no commercial data recoverycompany contacted in conjunction withBauerrsquos research believed that it couldrecover data that had been overwrittenmore than once As such the SDD sys-tem as described probably only needs tooverwrite data a few times
This SDD system was designed to ensurethat all flagged data is deleted even inthe event of system failure The deletionprocess was designed as an asynchro-nous daemon to ensure that it did notinterfere with normal operation andperformance Though implemented forthe ext2 file system Bauer asserts thatthis system should be portable to anyblock-oriented file system
The ext2 implementation used theunused secure-deletion flag settablewith the chattr() function With thismechanism the granularity with whichsecure deletion can be specified rangesfrom an entire device to an individualfile Questions were raised as to the vul-nerability of temporary files that are notflagged in a secure deletion zone Bauerrecommended that for maximum secu-rity the entire device should be flaggedfor secure deletion
Kingpin and Mudge
SESSION MANAGING CODE
Summarized by Sameh Elnikety
STATICALLY DETECTING LIKELY BUFFER
OVERFLOW VULNERABILITIES
David Larochelle and David Evans Uni-versity of Virginia
Buffer overflow attacks account forapproximately half of all security vul-nerabilities Programs written in C areparticularly susceptible to buffer over-flow attacks because C allows directpointer manipulations without anybounds checking
Run-time approaches to mitigate therisks of buffer overflow incur perfor-mance penalties and they turn bufferoverflow attacks into denial-of-serviceattacks by terminating execution of theattacked processes Static checking over-comes these problems by detecting likelyvulnerabilities before deployment
The authors developed a practical light-weight static analysis tool based onLCLint to detect a high percentage oflikely buffer overflow vulnerabilities
The tool exploits semantic comments(annotations) that describe programmerassumptions and intents These annota-tions are treated as regular C commentsby the compiler but are recognized assyntactic entities by LCLint The annota-tions represent preconditions and post-conditions for functions to determinehow much memory has been allocatedfor buffers LCLint uses traditional com-piler data flow analyses with constraintgeneration and resolution Also LCLintuses loop heuristics to efficiently analyzemany loop idioms in typical C pro-grams
The authors used the tool to analyze wu-ftpd which is a popular open sourceFTP server and part of BIND which is aset of domain-name tools and librariesthat is considered the reference imple-mentation of DNS Running LCLint issimilar to running a compiler For wu-
18 Vol 26 No 7 login
ftpd it took less than one minute forLCLint to analyze all 17000 lines ofunmodified wu-ftpd source code Thisresulted in 243 warnings that showedknown and unknown buffer overflowvulnerabilities
LCLint source code and binaries areavailable from httplclintcsvirginiaedu
FORMATGUARD AUTOMATIC PROTECTION
FROM PRINTF FORMAT STRING
VULNERABILITIES
Crispin Cowan Matt Barringer SteveBeattie Greg Kroah-Hartman WireXCommunications Inc Mike FrantzenPurdue University and Jamie LokierCERN
In June 2000 a major new class of vul-nerabilities called format bugs was dis-covered when a vulnerability inWU-FTP appeared that looked almostlike a buffer overflow but was not It isunsafe to allow potentially hostile inputto be passed directly as the format stringfor calls to printf-like functions Thedanger is that the inclusion of direc-tives especially n in the format stringcoupled with the lack of any effectivetype or argument counting in Crsquosvarargs facility allows the attacker toinduce unexpected behavior in pro-grams
The authors developed FormatGuard asmall patch to glibc It provides generalprotection against format bugs usingparticular properties of the GNU CPPmacro-handling mechanism to extractthe count of actual arguments to printfstatements This is then passed to a safeprintf wrapper The wrapper parses theformat string to determine how manyarguments to expect and if the formatstring calls for more arguments than theactual number of arguments it raises anintrusion alert and kills the process
FormatGuard fails to protect against for-mat bugs under several circumstancesFor example if the program uses a func-
tion pointer that has the address ofprintf then it evades the macro expan-sion
FormatGuard is incorporated in WireXrsquosImmunix Linux distribution and serverproducts It is available as a GPLrsquod patchto glibc at httpimmunixorg
DETECTING FORMAT STRING VULNERABILITIES
WITH TYPE QUALIFIERS
Umesh Shankar Kunal Talwar Jeffrey SFoster and David Wagner Universityof California Berkeley
Systems written in C are difficult tosecure given Crsquos tendency to sacrificesafety for efficiency Format string vul-nerabilities can occur when user input isused as a format specifier One of themost common cases is when the pro-gram uses printf with one argument auser-supplied string assuming that thestring does not contain any directiveThe authors presented a tool (cqual)that automatically detects format stringbugs at compile time using type-theo-retic analysis techniques With this staticanalysis vulnerabilities can be proac-tively identified and fixed before thecode is deployed
Cqual builds an annotated Abstract Syn-tax Tree (AST) Then it traverses theAST to generate a system of type con-straints which is solved online Warn-ings are produced whenever aninconsistent constraint is generatedCqual presents the results of taintinganalysis to the programmer using Pro-gram Analysis Mode for Emacs (PAM)PAM is a GUI that is designed to addhyperlinks and color mark-ups to thepreprocessed text of the program Theinterface shows the taint flow path tohelp programmers determine how avariable becomes tainted
The configuration files makes cqualusable without modifying the sourcecode The authors analyzed four secu-rity-sensitive benchmark programs withthe same standard prelude file and no
direct changes to the applicationsrsquosource code Typically a few application-specific entries were added to the prel-ude file to improve accuracy in thepresence of wrappers around libraryfunctions Cqual reliably finds all knownbugs for the benchmark programs Italso reports few false positives Cqual isfast it usually takes less than a minute
Cqual is available at httpbanecsberkeleyeducqual
SESSION AUTHORIZATION
Summarized by Rachel Greenstadt
CAPABILITY FILE NAMES SEPARATING
AUTHORIZATION FROM USER MANAGEMENT
IN AN INTERNET FILE SYSTEM
Jude T Regan consultant Christian DJensen Trinity College
On the Internet there is no reliable wayto establish an identity Flexible user-user collaboration outside of an admin-istered system so that people couldcreate ad hoc work groups and removearbitrary limitations to informationsharing is the authorsrsquo goal
Such a system should be globally accessi-ble easy to use and require as littleintervention by system administrators aspossible This system should integratewith existing systems and applications Itshould have fine granularity so thatusers would not have to use complicatedexport mechanisms to share files
The authors used the concept of a capa-bility a token conveying specified accessrights to a named object in order tomake the identity of the object and theaccess rights inseparable They embed-ded the capability in something everysystem knows ndash the file name
The authors concluded that the systemwas safe from interception and modifi-cation Attackers could forge the clientpart but not the server part of the filenames Service could be interrupted butprotecting against this is impossible
19November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Swithout complete control of the net-work Performance was evaluated incomparison to NFS Most of the over-head was in the open statement Readswere slightly slower and writes weremuch slower but they felt this could bealleviated by implementing symmetricwrites
KERBERIZED CREDENTIAL TRANSLATION ASOLUTION TO WEB ACCESS CONTROL
Olga Kornievskaia Peter HoneymanBill Doster and Kevin Coffman CITIUniversity of Michigan
There are two different authenticationmechanisms those used for servicessuch as login AFS and mail for whichKerberos is popular and public key-based mechanisms such as SSL which isused to establish secure connections onthe Web These systems need to be ableto work together to satisfy a request
The authors propose to achieve the bestof both worlds by leveraging Kerberos tosolve PKI key management This will useexisting infrastructures which allowstrong authentication on the Web withSSL and which provide access to Kerber-ized back-end services They propose asystem to provide interoperabilitybetween PKI and Kerberos Their systemconsists of (1) a Certificate Authority(CA) KX509 which creates short-livedcertificates (2) a Web server which actslike a proxy for users by requesting serv-ices from Kerberized back-end servicesand (3) a Kerberized Credential Transla-tor which translates public-key creden-tials to Kerberos They created aprototype of their system called WebAFSusing AFS as an example Kerberized ser-vice
DOS AND DONrsquoTS OF CLIENT AUTHENTICA-TION ON THE WEB
Kevin Fu Emil Sit Kendra Smith and
Nick Feamster MIT
[This paper received the Best StudentPaper Award]
Kevin gave a very amusing presentationwhich illustrated the gap between secu-rity theory and practice He described avariety of Web sites that used insecureclient authentication schemes and pre-sented hints on how to avoid their mis-takes
Client authentication seems like a solvedproblem but many sites continue tocome up with homebrew schemes whichjust donrsquot quite get it right Out of the 27Web sites the cookie eaters group exam-ined they weakened the security on twosites were able to mint authenticatorson eight and on one site were able toobtain the secret key Some of these siteswere high profile such as the Wall StreetJournal (wsjcom) Sprint PCS (sprint-pcscom) and FatBrain (fatbraincom)
In most cases the mistakes made inthese sites were simple By simply look-ing at their cookie files the authors couldquery Web servers and look at headersresponses and create sample authentica-
tors Except forSprint theseattacks involved noeavesdropping atall The schemeswere not evenstrong against whatthe authors termedthe ldquointerrogativeadversaryrdquo Thisadversary has nospecial access but it
adaptively queries a Web server a rea-sonable number of times It just sitsthere and connects to port 80 it cannotdefeat SSL client authentication HTTPbasic or digest authentication The bestsuch an adversary can do against a pass-
Kevin Fu
word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable
In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password
Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary
In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu
SESSION KEY MANAGEMENT
Summarized by Sameh Elnikety
SC-CFS SMARTCARD SECURED
CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi CITI University of Michigan
Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS
20 Vol 26 No 7 login
implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation
When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory
SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key
The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds
SECURE DISTRIBUTION OF EVENTS IN
CONTENT-BASED PUBLISH SUBSCRIBE
SYSTEMS
Lukasz Opyrchal and Atul Prakash University of Michigan
Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage
Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize
The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
allowed to reveal this information toanyone they like except for the govern-ment In respect to the governmentthere are two classes of data basic userdata and non-contact info Basic userdata (things like name address andphone number) is accessible with a sub-poena and thus not strongly protectedEverything else requires a 2703(d) war-rant to access but providers can be senta court order requiring they hold on tothe data for a specified amount of timeusually in expectation of a warrant beingserved in the near future
LOANING YOUR SOUL TO THE DEVIL INFLU-ENCING POLICY WITHOUT SELLING OUT
Matt Blaze ATampT Labs-Research
Summarized by George M Jones
Matt Blaze commented on the publicdebate over cryptology thatrsquos taken placeover the past 10 years or so He includedamusing stories of ldquohacker tourismrdquoincluding nine cryptography experts allindependently trying to score ldquocoolrdquopoints by stealing stationery from secretcongressional briefing rooms and NOTopening a red folder marked ldquoTOPSECRET Presidentrsquos Daily NationalSecurity Briefingrdquo when left alone in aconference room in the old executiveoffice building
What can a scientisttechie contribute tothe public policy debate His mainadvice is ldquostick to what you knowrdquo (sci-encetechnology) ldquoYou are listened tobecause people believe you have objec-tivityThe basic purpose of science andengineering is to expand understandingof realitytruth with no compromisesrdquoYou are not there to comment on philos-ophy politics or constitutional law
He gave an amazingly insightful list ofthe contrasting values of science andpolitics)
Science is interested in findingtruth Politics is about balancinginterests
6 Vol 26 No 7 login
In science people are rewarded fornew discoveries Disruptiveness isconsidered good In politics peopleare rewarded for making other peo-ple happy Disruptiveness is consid-ered bad
In science uncompromising peopleare admired in politics uncompro-mising people are considered fools
In science ldquohonestyrdquo means admit-ting mistakes in politics it meanskeeping promises
In science challenging someoneshows interest in politics a chal-lenge is an attack
In science there is no ldquodress coderdquoin politics even suits can be consid-ered ldquocasualrdquo (and thus cause younot to be taken seriously)
The policy options range from discour-agingforbidding its use allowing lim-ited strength crypto allowing use ofstrong modern cryptographic methodsand encouraging use In the last fewyears the US has moved mostly from thefirst to the third stage
The tone of thedebate has alsochanged andincludes more actualdialogue We nolonger have one sideyelling ldquoYoursquore abunch of long-haired hippiesrdquo andthe other yellingldquoYoursquore a bunch of
jack-booted thugsrdquo Now itrsquos just ldquoyoursquorea bunch of hippiesrdquo vs ldquoyoursquore a bunchof thugsrdquo See for instance ldquoThou shaltuse skipjackclipperrdquo vs the process forselecting AES
ldquoWashington DC is another planet aclosed systemrdquoldquoMuch of what happenshere is for showrdquoldquoAny meeting with apolicy maker involves a little conspiracyto make each other feel importantrdquoldquoMeetings with congressional staffers
always end with the question lsquoWhat doyou suggest we dorsquordquo Stick to what youknow
COPS ARE FROM MARS SYSADMINS ARE
FROM PLUTO DEALING WITH LAW ENFORCE-MENT
Tom Perrine San Diego SupercomputerCenter
Summarized by Ross Oliver
Tom Perrine described some of his expe-riences with law enforcement peopleand discussed his recommendations forother sysadmins who may need to inter-act with law enforcement
Like system administration law enforce-ment is a culture as well as an occupa-tion with its own lingo inside jokes etcThere are also many different lawenforcement agencies federal state citycounty military and customs Evenschools and universities often have theirown police force
Throughout the talk Perrine empha-sized the importance of trust in individ-uals rather than organizations Just as inany large organization there are ldquoclue-fulrdquo and not ldquocluefulrdquo members andbuilding personal relationships is keyAlso realize that the goals and prioritiesof law enforcement may be differentfrom yours
Because they are ldquoagents of the govern-mentrdquo law enforcement officers havemany legal constraints on their actionsthat may not apply to private citizensSysadmins can take advantage of ldquoISPexemptionsrdquo in the law to take ldquoany stepsnecessary to protect the communica-tions systemrdquo
Perrine recommends that sysadminsbecome familiar with applicable laws(both federal and state) before the needto apply them arises Advice of qualifiedlegal counsel is strongly recommendedAlso make sure your organizationrsquos poli-cies are suitable and adhere to themduring any investigation
Matt Blaze
READING BETWEEN THE LINES LESSONS
FROM THE SDMI CHALLENGE
Summarized by Rachel Greenstadt
Scott A Craver Min Wu and Bede LiuPrinceton University Adam Stubble-field Ben Swartzlander and Dan SWallach Rice University Drew Deanand Edward W Felten Princeton Uni-versity
Program Chair Dan Wallach introducedthis talk as being a long time in the mak-ing and mentioned that he was pleasedto have it here However he stressed thatthis first section would be a normal bor-ing technical talk THEN there would bea panel discussion where policy ques-tions would be allowed Matt Blazeasked when the subpoenas would beserved however despite the large massof press and lawyers that joined theUSENIX attendees there was no last-minute withdrawal of the talk this timeand no FBI agents came to cart ScottCraver away as he gave his talk
Craver began by describing the chal-lenge which took place during threeweeks in September and October of2000 SDMI (Secure Data Music Initia-tive) invited ldquohackersrdquo otherwise knownas the general public to crack six of theirproposed technologies labeled Athrough F There were four watermark-ing technologies and two others SDMIoffered a cash prize for the successfuldefeat of one of their technologies butthis required the winners to sign a Non-Disclosure Agreement so the Feltengroup decided to forego the prize infavor of publishing their findings
SDMI is an organization an initiativeand the technology for that initiative Atthe time of the challenge that technol-ogy was watermarking and related tech-nologies The watermarks (technologiesA B C and F) were composed of arobust and a fragile component therobust part of which would survivealtered music Through a missing water-mark in the fragile component such as
7November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sif it had been mp3 compressed anSDMI device could perhaps determine ifa CD track was ever an mp3 in the pastperhaps illegally downloaded The othertechnologies (D and E) were used tosign tables of contents supposedly tocontrol the propagation of CDs withmixed tracks
For the watermarking technologies therewere three samples given (1) a soundclip without a watermark (2) the samesample with a watermark and (3) a dif-ferent sound clip with a watermark Thechallenge was to remove the watermarkfrom the third sound clip SDMI pro-vided no actual embedders or detectorsThere was an online oracle to which youcould submit a sound clip and get aresponse There was no description ofthe algorithms used and no details orreasons were given when an oraclerejected a clip The challenge lasted onlythree weeks and the oracle had a turn-around time in hours As such adaptiveoracle attacks which would be possibleif the system were deployed were notfeasible
There were several approaches usedagainst the marks (1) brute force attacksnot specific to the algorithm used andwhich mostly consisted of adding noiseand filtering (2) slight brute forceattacks loosely based on supposeddetails of the algorithms and (3) full-blown reverse engineering
For technologies B and C the groupnoticed that there was a narrow bandsignal added to the clip By the slightlybrute method of filtering at the fre-quency and adding narrow-band noisethey were able to foil the oracle
In their analysis of technology A the-group noticed a slight warping in thetime domain as though the signal wasslowly advancing or decreasing Theydetermined that this phase shifting waspre-processing and not the actual water-mark since the oracle did not admit the
sample when the distortion wasremoved However removing this dis-tortion in technology F was able to makethat watermark undetectable (quicksomebody call the FBI)
Another approach to defeating technol-ogy A would have been to try reinstatingthe fragile component However therewas no way to test this type of attackusing the oracle
The group noticed a ripple in the fre-quency domain which led them tobelieve that technology A used some sortof echo hiding technique consisting ofdeliberate but inaudible echoes whichmeant that there was a signal which wasdelayed and then added back into themusic They tried a filtering approach toreduce the audibility of the echo suffi-cient to remove the watermark Wantingto discover more they decided to do apatent search figuring correctly that thiswas a proprietary algorithm with apatent They found a patent belongingto Aris corporation which became Ver-ance one of the SDMI companies Thismade them feel like they were on theright track They also discovered that itwas a simple echo every fiftieth of a sec-ond and that a delayed version wasadded or subtracted every fifteenthinterval To further analyze the signalthey used the auto-kepstral techniquefor echo hiding combining techniquesto estimate the echo Theyrsquove come upwith better echo hiding detection soft-ware subsequent to the challenge Scottdemonstrated a program that was colorcoded to detect the echo
For technologies D and E SDMI pre-sented table-of-contents files for 100CDs and signature tracks The challengewas to create a new table of contents andsuccessfully forge a signature for it Fortechnology D they found that all theenergy was concentrated in a small fre-quency band of 80 frequency bins whichonly actually used a 16-bit signal
repeated five times with constant shuf-fling Since there were only 16 bits ofoutput a user should be able to acquiremany authenticators as there were twohash collisions among the CDs givenHowever it was difficult to get furtherthan this analysis because the oracle forD didnrsquot work it would always returnldquoinvalidrdquo regardless of input Technology
E however didnrsquot have any data to ana-lyze at all You could submit a mail say-ing yoursquod try mixing this track and thattrack and yoursquod get a reply saying thatyou couldnrsquot do that
The speaker concluded by saying thatmany claimed that this was a system toldquokeep honest people honestrdquo Howeverthough the Felten group felt that the sys-tem was too complex for that theywouldnrsquot claim any type of strong secu-rity The systems require trusted clientsin a hostile environment but if deployedthey would be broken quickly No spe-cial EECS knowledge is needed andthere are no dirty secrets Anyone withreasonable expertise could do thisWatermarking can be useful but not inthis situation The weakness is in theoverall concept not the specific technol-ogy One main lesson learned is thatsecurity through obscurity STILL doesnrsquot work This is particularly thecase for secret algorithms which arepatented and therefore public
Peter Honeyman asked about the possi-bility of a secure watermark Scottreplied that he personally thinks that
8 Vol 26 No 7 login
watermarking wonrsquot work for activelyenforcing a usage policy since doing thisprovides all targets an oracle that theycan use He is pessimistic about the useof watermarking for copyright controlHe clarified that they broke accordingto the oracle technologies A B C and Fbut that D and E had no valid responsesHe also clarified that only technology Aused echo hiding and that though theydonrsquot know what the criteria for the ora-cle was it appeared to make a decisionbased on detectability and quality Heexplained that some areas where water-marking might prove useful is in fragilewatermarks which provide tamper evi-dence in digital photographs and in pre-venting duplication of currency Thesetechnologies have a different threatmodel Someone asked about copy pro-tected CDs Scott replied that that was acompletely different approach doneentirely at the hardware level Peoplewondered why honest people would notwant a complex copy protection schemeScott answered that complex schemeshave higher rates of failure and highercost Someone asked how this was rele-vant to detecting steganographic infor-mation and Scott answered that theywere basically the same and that theinformation about echo detection wouldbe useful
PANEL DISCUSSION ON SDMIDMCA
Moderator Dan Wallach Rice Univer-sity Panelists Edward W FeltenPrinceton University Cindy Cohn EFFand Peter Jaszi American UniversityCollege of Law
The three panelists spoke about the legaland social questions surrounding theSDMIDMCA issue Dan Wallach men-tioned that if there were any representa-tives from the record company the panelwould love to have someone from theother side come speak he doubtedhowever that they would be here
Peter Jaszi then presented a detaileddescription of the Digital Millennium
Copyright Act (DMCA) section 1201He explained the difference between theDMCA and copyright law Copyrightlaw has been developed and refined overa few hundred years and maintains adelicate balance between owners andusersrsquo privileges To that end it has beenrelatively successful It is important tounderstand that the DMCA is not copy-right law but rather a supplement tocopyright law or para-copyright legisla-tion As such it has the potential to over-
ride thecopyrightdefault protec-tions which hadbeen carefullylaid out overtime He soughtto explain theseoverrides andmentioned thatthe risk the
DMCA poses to the fundamental copy-right system isnrsquot news and wasnrsquot newswhen it was passed As a result somelimitations to the DMCA were built inbut most of these exceptions are notvery functional
The fundamental commandment of theDMCA is ldquoThou shall not circumventfor accessrdquo The fact that it was accessand not use was a compromise intendedto limit the DMCA However it limitedthe legislation less than some imaginedit would since there is a great deal ofconfusion between access and use Thereare also secondary prohibitions concern-ing making goods and services whichcan be used for circumvention availableSection 1201(b)(1) can be interpretedbroadly and it was under this provisionthat the threats from SDMI to theauthors of the paper were made
Section 1201(c) presents a fair-useexception in wonderful ringing lan-guage however it is completely irrele-vant since it references fair use as adefense of copyright and the DMCA isnot copyright
Q amp A Scott Craver amp Dan Wallach
Prof Peter Jaszi
The law enforcement exception is actu-ally sweeping and robust it applies to allthe provisions of the act The reverseengineering exception is not half bad itrefers to the whole range of prohibitionsalthough it is still narrower in scopethan the protections under copyrightlaw Sections 1201(g) and (j) presentlimited exceptions for encryptionresearch and security testing which areuncertain in scope Section 1201(h)presents a small but robust exception toallow adults to circumvent in order tofrustrate a minorrsquos attempt to achieveprivacy in a Web environment Section1201(i) allows ordinary people to pro-tect their privacy but it is only a conductexception you need to make your owntools and not distribute them There isless to all these limitations and excep-tions than meets the eye
There are risks posed by this legislationto the traditional balance of interest incopyright law which calls for a push-back against legislative excess To thisend Jaszi is forming a new access coali-tion They have a Web site athttpwwwipclinicorg
Cindy Cohn from the EFF said thatPeter had already said everything aboutsection 1201 but stressed that the EFFwas ldquopushback centralrdquo and explainedways in which people could get involvedin this effort The EFF has been involvedin this issue even before the cases involv-ing 2600 Magazine Felten and theUSENIX presentation of the SDMIpaper and the California trade secretscase
Thomas Greene from the Register won-dered why the mainstream press hasnrsquotrealized their stake in this and what itimplies about freedom of the pressCindy replied that they were gettingincreased press support with the Sky-larov arrest speaking speculatively shealso mentioned that the mainstreampress is owned by content holders In
9November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Saddition most press organizations wishto be seen as nonpartisan and objective
Someone asked about dual use tech-nologies such as echo detection TheDMCA takes this into account but thelanguage doesnrsquot give much comfortThere are a series of criteria which willgive you liability
There was a question about potentialconnections between the lawsuit and theSkylarov case Cindy answered that instrictly legal terms there was no overlap
Someone asked what to do in Feltenrsquossituation what lessons had they learnedFelten responded that they learned agreat deal responding to the threatsregarding the paper He said to talk topeople whorsquove been there and keep inmind your goals and values
Someone brought up the question ofwhether a person would be at risk forsummarizing the session Cindy saidthat the letter they received only per-tained to the particular paper butbecause the paper can be publishedprosecuting for summarizing would behard Peter suggested that if you weregoing to synthesize the talk (uhthis isstarting to sound disturbingly famil-iar) and discuss strengths and weak-nesses theoretically you could be introuble Especially if you implementsomething based on the presentationFelten mentioned that the fact that thisquestion has no simple answer is telling
Someone suggested widespread civil dis-obedience as the only way to effectchange Cindy responded that she neveradvises people to break the law Thoughshe feels that if the law is out of stepwith what people believe their rights arethe law should be changed Peter addedthat copyright law has functioned wellbased on shared social investment Likethe tax code it works not because it ispoliced but because there is a highdegree of collective buy in to its prem-ises The most corrosive thing about the
DMCA is that the basic assumptions itmakes about people are dark and pes-simistic We need to question thoseassumptions and what flows from them
Someone asked for some insight intowhy the industry wouldnrsquot want thisresearch since it would allow them tobuild better protection schemes Feltenresponded that to us the question is isthis technology weak We didnrsquot make itweak and we think it should be fixedThe industryrsquos concern is not whetherthe technology is strong or weak somuch as whether people believe it isstrong or weak They think that if thepublic reaches a consensus that the tech-nology is strong that will be enoughMany of us find this hard to understand
[More information and photographscan be found at httpwwwusenixorgeventssec01indexhtml
CHANGES IN DEPLOYMENT OF
CRYPTOGRAPHY AND POSSIBLE CAUSES
Eric Murray SecureDesign
Summarized by Takeaki Chijiiwa
A survey of cryptography deploymentwas conducted last year (2000) by EricMurray and a similar survey was con-ducted in 2001 to measure changes inthe deployment of SSL (Secure SocketLayer) and TLS (Transport Layer Secu-rity) Web servers
The results of the 2000 survey showed10381 unique hostname and port num-ber combinations compared to 12630 in2001 Detailed results are available athttpwwwlnecomusenix01
There were several noteworthy changesbetween the results from the surveys in2000 and 2001
What got better
A 14 increase 5 decrease and8 decrease among servers catego-rized as Strong Medium and Weakrespectively
The number of servers supporting1024-bit key size increased by 10while a decrease of 8 was seen forsupport of less than 512-bit keysize
The protocol adoption saw a shiftfrom SSL v2 (3 decrease) towardTLS (5 increase)
What got worse
The number of expired certificatesincreased from 31 to 37
Self-signed certificates increasedfrom 08 to 20
The results presented raised many ques-tions from the audience
Question Why do you think there wasan increase in the number of self-signedcertificates
Answer This may be due to people play-ing around with OpenSSL or the surveymay have picked up servers used forinternal use Furthermore the increasein the number of expired certificatesmay have been a result of study errorandor the inclusion of abandoned Websites
Question Did you retest the serversfrom last yearrsquos survey
Answer No This was a new list andtherefore a completely new survey
Question Is the raw data available
Answer You can email ericmlnecomfor private requests
Question Which browsers do you usefor personal use
Answer Linux and Netscape
REVERSING THE PANOPTICON
Deborah Natsios cartomeorg JohnYoung cryptomeorg
Summarized by Mike Vernal
Deborah Natsios described the missionof cartomeorg and cryptomeorg as anattempt to reverse the one-way flow ofinformation controlled by the national
10 Vol 26 No 7 login
surveillance state Based upon theassumption that information is powerNatsios likened the work of cartomeorgand cryptomeorg to that of Ariadne inthe myth of Theseus and the MinotaurBy reversing the flow of informationcartomeorg and cryptomeorg hope toempower those who may be caught inthe labyrinth of the security state muchas Ariadne empowered Theseus with atrail of silk thread through the labyrinthof Crete
John Young continued by explainingthat cryptomeorg welcomed the sub-mission of proprietary or classified doc-uments and trade secrets from anynation or corporation Young describeda few such documents and the unfavor-able responses they had received TheBritish government objected to one doc-ument and attempted to have cryp-tomeorgrsquos Internet service provider shutthe site down Another documentprompted diplomatic requests from theJapanese government for its removal Allattempts to shut the site down have thusfar been rebuffed but Young imaginesthat someone will eventually be success-ful
Other information cryptomeorg hasreceived and published include proofsthat American corporations used USintelligence to stay ahead of foreigncompetitors the names of over 8000CIA informants and currently the pro-grams and keys associated with Russianprogrammer Dmitri Skylarovrsquos crack ofAdobersquos E-book system for which hewas arrested in July
An audience member asked what typesof material cryptomeorg would notpublish Young explained that cryp-tomeorg is open to any kind of publica-tion but they have refused to publishchild pornography documents andinformation related to biological war-fare They also feel that personal prerog-ative takes precedence over the publicrsquosright to know so they will remove per-
sonal information and documents ifrequested by the person in questionThey also reminded the audience thatthey do not verify the authenticity of theinformation they publish ndash they leavethat to the interested reader
Young repeatedly stressed what hebelieved to be the transitory nature ofcryptomeorg He assured the audiencethat at some point cryptomeorg willeither be silenced or it will simplymature away from the cutting edgeWhen that finally happens Young isconfident that someone else will emergeat the vanguard of the quest to reversethe Panopticon state
DESIGNS AGAINST TRAFFIC ANALYSIS
Paul Syverson US Naval ResearchLaboratory
Summarized by Yong Guan
Paul Syverson used a pseudonym ldquoPeterHoneymanrdquo on his talk a joke whichpervaded the rest of the conference
Although the encryption of networkpackets ensures privacy of the payload ina public network packet headers iden-tify recipients packet routes can betracked and volume and timing signa-tures are exposed Since encryption does not hide routing information pub-lic networks are vulnerable to trafficanalysis
Traffic analysis can reveal for examplewho is searching a public database whatWeb sites are surfed which agencies orcompanies are collaborating where youremail correspondents are what sup-pliesquantities you are ordering andfrom whom and so forth
Knowing traffic properties can help anadversary decide where to spendresources for decryption and penetra-tion Therefore it is important todevelop countermeasures to preventtraffic analysis
The security goal of traffic-analysis-resistant systems is to hide one or moreof the following
Sender activity that a site is sendinganything
Receiver activity that a site isreceiving anything
Sender content that a sender sentspecific content
Receiver content that a receiverreceived specific content
Source-destination linking that aparticular source is sending to aparticular destination
Channel linking identifying theendpoints of a channel
Some systems were described
Dining Cryptographers (DC) ndash net-works in which each participant sharessecret coin flips with other pairs andannounces the parity of the flips theparticipant has seen to all other partici-pants and the receiver
Chaum mixes ndash a network of mix nodesin which messages are wrapped in mul-tiple layers of public-key encryption bythe sender one for each node in a routeMost widely used anonymous commu-nication systems use the Chaum mixmethod
There are two kinds ofroutes for the messagesmix cascade where allmessages from anysource move through afixed-order ldquocascaderdquo ofmixes and randomroute where the routeof any message is
selected at random by the sender fromthe available mixes
Remailers mainly used for emailanonymity employ rerouting of anemail through a sequence of multiplemail remailers before the email reachesthe recipient so that the true origin ofthe email can be hidden
Anonymizer and SafeWeb provide fastanonymous interactive communicationservices They are essentially Web prox-
11November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sies that filter out the identifying headersand source addresses from Webbrowsersrsquo requests Instead of the userrsquostrue identity (eg IP address) a Webserver can only learn the identity of theWeb proxy Both offer encrypted links totheir proxy (SSL or SSH) Anonymizer isa single point of failure whereasSafeWeb is a double point of failureSafeWeb offers additional protectionfrom censorship
Crowds aims at protecting usersrsquo Web-browsing anonymity Like Onion Rout-ing the Crowds protocol uses a series ofcooperating proxies (called jondo) tomaintain anonymity within the groupUnlike Onion Routing the sender doesnot determine the whole path Insteadthe path is chosen randomly on a hop-by-hop basis At each hop a decision ismade whether to submit the requestdirectly to the end server or to forward itto another randomly chosen memberaccording to forwarding probability Theexpected path length is controlled by theforwarding probability Cycles areallowed on the path The receiver isknown to any intermediate node on theroute Once a path out of a crowd ischosen it is used for all the anonymouscommunication from the sender to thereceiver within a 24-hour periodCrowds does not have a single point offailure and is a more lightweight cryptothan mix-based systems HoweverCrowds has limitations all users mustrun Perl code users have to have long-running high-speed Internet connec-tions an entirely new network graph isneeded for a new or reconnecting Crowdmember connection anonymity isdependent on data anonymity andresponder protection is weak
Onion Routing provides anonymousInternet connection services The OnionRouting network operates on top ofexisting TCPIP networks such as theInternet It builds a rerouting pathwithin a network of onion routers
which in turn are similar to real-timeChaum mixes In Onion Routing thedata packet is broken into fixed-sizecells and each cell is encrypted multipletimes (once for each onion router on thepath) Thus a recursively layered datastructure called an onion is constructedAn onion is the packet transmitted alongthe rerouting path The fixed size of anonion limits a route to a maximum of 11nodes in the current implementationOnions can be tunneled to producearbitrary length routes
Onion Routing I (Proof-of-concept)uses a network of five Onion Routingnodes operating at the Naval ResearchLaboratory It forces a fixed length (fivehops ie five intermediate onionrouters) for all routes
Onion Routing II can support a networkof up to 50 core onion routers For eachrerouting path through an Onion Rout-ing network each hop is chosen at ran-dom The rerouting path may containcycles although only cycles with one ormore intermediate nodes are allowed
Freedom Network also aims at provid-ing anonymity for Web browsing Fromthe userrsquos point of view Freedom is verysimilar to Onion Routing Freedom con-sists of a set of nodes (called Anony-mous Internet Proxy) which run on topof the existing Internet infrastructureTo communicate with a Web server theuser first selects a series of nodes to forma rerouting path and then uses this pathto forward the requests to its destina-tion The Freedom Route Creation Pro-tocol allows the sender to randomlychoose the path but the path length isfixed to be three The Freedom client-user interface does not allow the user tospecify a path-containing cycle TheFreedom client must either have all theintermediate nodes in the path chosenor choose a preferred first node and lastnode and the intermediary nodes arepicked at random
Paul Syverson
For more information visit httpwwwonion-routernet andhttpwwwsyversonorg
Question Who manages the onionrouters Are they managed independ-ently
Answer Yes The onion routers can bedistributed anywhere and be managedby different groups
Question Do you believe that thelonger the path the safer the anony-mous communication system
Answer I am not sure
COUNTERING SYN FLOOD
DENIAL-OF-SERVICE (DOS) ATTACKS
Ross Oliver Tech Mavens
Summarized by David RichardLarochelle
SYN flood attacks are a nasty DoSattack The attacker sends a SYN packetbut does not complete the three-wayhandshake This is hard to defendagainst because SYN packets are part ofnormal traffic and unlike ping attacksyou canrsquot firewall them Since SYN pack-ets are small the attack can be done withlimited bandwidth Finally the attacksare difficult to trace because source IPaddresses can be faked Ross Oliverstressed that itrsquos up to you to defendyourself (law enforcement is unable todeal with attacks as they occur if theycan deal with them at all) and suggestedthat firewalls employing SYN flooddefenses are the best way of doing this
He reviewed four such products PIX byCisco Firewall-1 by CheckpointNetscreen 100 by Netscreen and App-Safe (previously called AppSwitch) byTopLayer To test these products heplaced a Web server behind the firewalland used a machine with a script whichcalled wget repeatedly to request Webpages to represent the legitimate clienttraffic An attacking machine threw SYNpackets with forged source addresses atthe Web server
12 Vol 26 No 7 login
The Cisco PIX used a threshold tech-nique which allowed a set number ofincomplete connections and droppedadditional SYN packets The testsshowed no significant improvementover no firewall The Firewall-1 faredslightly better It lets SYN packets reachthe Web server and then sends an ACKpacket to the Web server to complete thethree-way handshake Under a SYNflood attack the Web server will then
have a bunch of com-pleted connectionsinstead of half-openones Firewall-1 pro-tected up to 500 SYNsper second but withdegraded response timeThe Web server returned
to normal 3ndash10 minutes after the attackceased
Netscreen and AppSafe had the bestresults If these firewalls detect a SYNflood attack they proxy the incomingconnections and only send the Webserver the SYN and ACK packets if thehandshake is completed by the clientNetscreen detects SYN floods by lookingat the number of incomplete connec-tions It protected up to 14000 SYNssecwith acceptable response times and con-tinued to function at higher SYN ratesbut with increasing delays The serverresponded normally immediately afterthe attack
AppSafe used a more elaborateapproach It determined whether toproxy a connection request based on thesource IP address SYN packets from IPaddresses which had recently behavedlegitimately were let through to the Webserver immediately Only connectionsfrom previously unseen or malicious IPaddresses were proxied AppSafe waseffective up to 22000 SYNssec whichwas the most traffic that the attackingmachine could produce in this testHowever it was pointed out that in thetest the client machine used only one IP
This technique may not work as well in asituation in which there are new connec-tions from previously unseen clients
How much protection you need dependson what type of attack you expect Anattacker with a Cable or DSL connectioncan produce 200 SYNssec An attackerwith a T1 can produce 2343 SYNssecAccording to the paper ldquoInferring Inter-net Denial-of-Service Activityrdquo pre-sented the previous day 46 of DoSattacks involved more than 500SYNssec but only 24 were above14000 SYNssec This level can be han-dled with a single firewall Multiple ordistributed attacks may require multipleparallel firewalls Because of the widerange of performance between devicesOliver stressed the importance of testingand advised testing the devices yourselfif possible
REAL STATEFUL TCP PACKET FILTERING WITH
IP FILTER
Guido van Rooij Eindhoven Universityof Technology
Summarized by Evan Sarmiento
Old firewall implementations used to fil-ter TCP sessions using addresses andports only creating an interesting prob-lem The administrator would have toguess the source port of the packet inorder to filter it correctly In order tosolve this a new trend in firewalls is tointroduce stateful packet filtering State-ful packet filters remember and onlyallow through addresses and ports ofconnections that are currently set up
Even before Guido van Rooijrsquos work IPFilter did have stateful packet filteringbut it was implemented in the wrongway IP Filter does take sequence ACKand window values into account but itmakes the wrong assumption that pack-ets seen by the filter host will also beseen by the final destination Thisassumption caused IP Filter to droppackets in certain situations The newstate engine for IP Filter encompassesthe following goals
Ross Oliver
Conclusions made by the enginemust be provable
All kinds of TCP behavior must betaken into account
The number of blocked packetsmust be minimized
Blocking of packets must never leadto hanging connections
Opportunities for abuse should bemade as small as possible
The new state engine includes 20 bytesper state entry and about 40 lines of Ccode without loops thus the perfor-mance overhead is minimal
However even the new state engine isnot always successful even though it is agreat improvement Occasionallyblocked FIN and ACK packets causeproblems in the state timeout handlingfor TCP half-closed sessions IP Filterdrops packets coming from a few Win-dows NT workstations for a strange andas yet unknown reason
Guido then outlined some future addi-tions to IP Filter He would like to beable to fix fragment handling add sup-port for sessions entering the state tableafter establishment and check validity ofa session if a packet comes in from themiddle of the connection
REFEREED PAPERS
SESSION DENIAL OF SERVICE
Summarized by Stefan Kelm
USING CLIENT PUZZLES TO PROTECT TLS
Drew Dean Xerox PARC Adam Stub-blefield Rice University
Adam Stubblefield presented their workon a DoS protection technique namelythe use of client puzzles within the TLSprotocol Even though client puzzleshave been supposed to be a solution toDoS attacks Stubblefield pointed outthe lack of actual implementations Thechoice of TLS as the protocol to protectagainst DoS seems obvious but TLS issubject to DoS attacks because of thecomputing-expensive cryptographic
13November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Soperations performed at both the clientand the server side A server howeverhas to perform the more expensive RSAdecrypt operations during the sessionhandshake thus any small number ofclients could easily overload a TLS serverby flooding the server with TLS hand-shake messages The goal of this work isto prevent this using cheap methods
The idea of TLS-based cryptographicpuzzles is to first let the client do thework and subsequently the server If theserver is under a heavy load it sends aso-called ldquopuzzle requestrdquo to the clientThe client in turn has to compute anumber of operations which it then usesto send a ldquopuzzle solutionrdquo back to theserver Thus the server will not need tocontinue the TLS handshake unless theclient has proven its intent to really opena TLS connection
Client puzzles are surprisingly easy toimplement on both the client and theserver side Stubblefield used modifiedOpenSSL and mod_ssl source code totest the implementation The implemen-tation uses a metric which tracks unfin-ished RSA decrypt requests in order todecide whether or not the server isassumed to be under attack Sinceadding more latency to the TLS protocolwas not a goal of this work the serveronly sends a puzzle request back to theclient if it really has to This is imple-mented by using variable thresholds
The author concluded that they are ableto protect against certain denial-of-ser-vice attacks at not much cost and with agood user experience Moreover theproposed solution can be implementedusing already existing code
For more information contact astubblericeedu
INFERRING INTERNET DENIAL-OF-SERVICE
ACTIVITY
David Moore CAIDA Geoffrey MVoelker and Stefan Savage Universityof California San Diego
This paper awarded the best paperaward tried to answer the question ofhow prevalent denial-of-service attacksin the Internet currently are Theauthors ran a test over a period of threeweeks trying to come up with an esti-mate of worldwide DoS activity
David Moore presented the so-calledldquobackscatter analysisrdquo as their key ideaand outlined the basic technique sinceattackers normally use spoofed source IPaddresses the ldquoreal ownersrdquo of those IPaddresses regularly receive responsepackets from the systems being attacked(Moore called these ldquounsolicitedresponsesrdquo) By monitoring these unso-licited responses one is able to detectdifferent kinds of DoS attacks Further-more by observing a huge number ofdifferent IP addresses over a longerperiod of time sampling the results canprovide an overview of attacks going on
Moore presented some interestingresults and displayed a number of fig-ures and tables showing the number ofattacks the attacks over time the attackcharacterization the attack duration dis-tribution and the attack rate distribu-tion Moorersquos team observed a numberof minor DoS attacks (described as ldquoper-sonal vendettasrdquo) as well as some victimsunder repeated attack Classifying thevictims by TLD showed countries likeRomania and Brazil being attacked farmore often than most other TLDs Thepresenterrsquos hypothesis was that eitherthose countries host ISPs that attackeach other or there simply are morehackers located in Romania and Brazil(this was later denied by someone in theaudience stating that Romania has reallynice people)
In conclusion the authors observedsome very large DoS attacks thoughmost attacks seem to be short in dura-tion Another result showed the majorityof attacks being TCP based To clarifythis technique is not good at distin-guishing between DoS and DDoS
attacks since it is not good at distin-guishing between attackers
During the QampA session one questionwas on why the analysis showed noattacks on the mil domain Theresponse given was that either mil is notunder attack (unlikely) or that backscat-ter packets are being filtered
For more information contactdmoorecaidaorg or see httpwwwcaidaorgoutreachpapersbackscatter
MULTOPS A DATA-STRUCTURE FOR
BANDWIDTH ATTACK DETECTION
Thomer M Gil Vrije UniversiteitMITMassimiliano Poletto MIT
Thomer Gil proposed a heuristic as wellas a new data structure to be used byrouters and similar network devices todetect (and possibly eliminate) denial-of-service attacks Most DoS attacksshow disproportional packet rates with ahuge number of packets being sent tothe victim and only very few packetsbeing sent by the victim in response Thenew data structure called MULTOPS(Multi-Level Tree for Online Packet Sta-tistics) monitors certain Internet trafficcharacteristics and is able to drop pack-ets based on either the source or the des-tination address
The main implementation challengeswith MULTOPS have been and still arethe precise identification of maliciousaddresses athe achievement of a smallmemory footprint and a low overheadon forwarding ldquorealrdquo traffic as opposedto DoS-based traffic MULTOPS isimplemented as a memory-efficient treeof nodes which contains packet-rate sta-tistics and which dynamically grows andshrinks with the traffic being observedAt the current implementation packetsare dropped based on either a variablepacket rate or a ratio Since it usually isimpossible to identify an attacker(because of IP spoofing) packets can bedropped based on the victimrsquos IP too
14 Vol 26 No 7 login
The authors succeeded in simplifyingmemory management and the mecha-nism that keeps track of packets Gilpointed out that their solution is suc-cessfully being used by a network com-pany They are currently trying to focuson the behavior of different TCP imple-mentations as well as protocols otherthan TCP
Someone brought up the question ofdifferentiating DoS traffic from trafficthat normally shows disproportionalpacket flows eg video traffic The replysuggested the possibility of buildingsome kind of knowledge base A livelydiscussion on random class A addresseswithin MULTOPS subsequently arosebut was taken offline
For more information contact thomerlcsmitedu
SESSION HARDWARE
Summarized by Anca Ivan
DATA REMANENCE IN SEMICONDUCTOR
DEVICES
Peter Gutmann IBM TJ WatsonResearch Center
Peter Gutmann explained the dangers ofdeleting data in semiconductors Every-one knows that deleting data from mag-netic media is very hard but not toomany realize that the same problemexists for semiconductors especiallysince there are so many ways of buildingsemiconductors each with its own set ofproblems and solutions After giving ashort background introduction in semi-conductors and circuits (n-type p-typeSRAM DRAM) Peter described some ofthe most important issues
Electromigration because of highcurrent densities metal atoms aremoved in the opposite direction ofthe normal current flow The conse-quence is that the operating proper-ties of the device are stronglyaltered
Hot carriers during operation thedevice heats up and its characteris-tics change considerably
Ionic contamination this is nolonger an issue and its effects are nolonger significant
Radiation-induced charging itfreezes the circuit into a certainstate
The first phenomenon enables attackersto recover partial information from spe-cial-purpose devices (eg cryptographicsmartcards) The next two can be usedto recover data deleted from memory Inorder to avoid long- and short-term dataretention from semiconductors (a DESkey was recovered in the lsquo80s)researchers developed a series of solu-tions that use various semiconductorforensic techniques including the fol-lowing two
Short-term retention probably thesafest way to defend against it is notto keep the same values in the samememory cells for too long (maxi-mum a few minutes)
Long-term retention in 1996 someresearchers proposed periodicallyflipping the stored bits In this wayno cell holds the same bit value forlong enough to ldquorememberrdquo it
In the end Peter talked about how allthe problems cited above extend to flashmemory For example random genera-tors can generate strings of 1s when thepool is empty or information can beleaked into adjacent cells into shared cir-cuitry
Even though the entire presentationscared at least one person in the audi-ence (guess who) Peter assured us thatreality is not that gloomy In fact theonly problem is the lack of a standardEvery time people decide to choose oneimplementation method they shouldalso choose which solutions are best forit Answering a question Peter told usthat personal computers are not affected
by those problems but that most special-ized devices like airplane black boxescan leak information if analyzed withvery sophisticated equipment But thenagain who has such equipment
STACKGHOST HARDWARE-FACILITATED
STACK PROTECTION
Mike Frantzen CERIAS Mike ShueyPurdue University
The authors presented a software solu-tion to the return-pointer hijackingproblem The most important step inthe function-call process is when thecaller saves the return pointer beforegiving the control to the called functionMany attacks are based on changing thispointer When the callee finishes thereturn pointer dictates which functiontakes control next StackGhost is a pieceof software that automatically and trans-parently saves the return pointer andreplaces it with another number Whenthe called function completes Stack-Ghost verifies the integrity of that num-ber (catching in this way possibleattacks) and reinstalls the correctpointer value
The security of StackGhost depends onhow it modifies the return pointer tocatch attacks the authors have tried sev-eral ways
Per kernel XOR with a 13-bit signedcookie the main problem is that anattacker can find out the cookie bystarting several arbitrary programs
Per process XOR with a 32-bitcookie this is safer than the previ-ous method but more expensive
Encryptdecrypt the return pointerthis method seems to be the mostexpensive
Return-address stack this methodreplaces the return pointer withanother number and saves thepointer into a return-address stackHowever this would impede otherapplications from running correctly
15November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SAfter making performance measure-ments for all techniques the authorsnoticed that the chances of StackGhostnot catching an attack were 1 in 3 forXOR cookies and 1 in 232 for the return-address stack The conclusion was thatStackGhost was offering protectionagainst return-pointer overriding to allprocesses in the system (which might beseen as a disadvantage)
IMPROVING DES COPROCESSOR THROUGH-PUT FOR SHORT OPERATIONS
Mark Lindemann IBM TJ Watson
Research Center Sean W Smith
Dartmouth College
While the first two talks in this sessionwere at opposite poles (one deeply hard-ware and one purely software) the thirdone was somehow in the middle Thepresenter Sean Smith is one the fathersof the cryptographic card developed atIBM and presently working at Dart-mouth College Everything started in avery optimistic fashion with the usualintroduction we would have expectedfrom an IBM representative trying to sellus this device ldquoIt is secure it is fast it is reliablerdquo All the buzzwords werethere However with the next slide thischanged to ldquoIt is not as secure fast as we thoughtrdquo For example the specifi-cation promised the DES speed to be 20megabytessecond when in reality afriend obtained less than two kilobytessecond in a database application Wherewas the discrepancy coming from Themain intuition was that the specificationgives the performance for operations onmegabytes of input The real speed ismuch slower if the data is shipped to thecard in small chunks The differencebetween specs and reality was too bignot to be studied and Lindemanndecided to find out the reasons behindit First they built a model that simu-lates the database application and thentried to improve the speed by modifyingthe execution conditions in the follow-ing ways
Reducing card-host interactionldquofolklore in IBMrdquo taught them thatany card-host interaction consumestoo much time Thus they rewrotethe application to minimize thenumber of interactions The speedwent up to 18ndash23 kilobytessecondhowever it was still too far frommegabyte speed
Batching all operations into onechip operation chip resets were tooexpensive The speed became 360kilobytessecond
Batching into multiple chip opera-tions it reduced the number ofLayer 3 ndash Layer 2 switches Thespeed changed to 30ndash290kilobytessecond still not good
Reducing data transfers they did itby using an internal key-table andboosted the speed to 1400 kilo-bytessecond
Using memory-mapped IO thiseliminated the internal ISA bus bot-tleneck The speed went up to 2500kilobytessecond
Batching operation parametersinstead of sending them as separatepackets It increased the speed to5000 kilobytessecond This waseven more than they were expect-ing but the results were incorrectThe client had asked for speed buthadnrsquot mentioned anything aboutcorrectness So was the problemsolved
Not using memory-mapped IO toincrease accuracy they gave up onmemory-mapped IO for initializa-tion vectors and count Unfortu-nately there was a smallperformance cost the speed wasnow 3000 kilobytessecond
From the clientrsquos point of view all ofthese steps showed them that the onlyway to maximize the performance whileusing the secure coprocessor was todesign DES-batched API From thedesignerrsquos point of view the conclusions
were simpler always distrust folkloreand think if and how people will useyour product before designing it
SESSION FIREWALLSINTRUSION
DETECTION
Summarized by Stefan Kelm and YongGuan
ARCHITECTING THE LUMETA FIREWALL
ANALYZER
Avishai Wool Lumeta
ldquoWhat is your firewall doingrdquo AvishaiWool asked the audience at the begin-ning of his presentation therebydescribing the motivation to build LFAthe ldquoLumeta Firewall Analyzerrdquo
Firewalls have been installed by almostall companies connected to the InternetHowever the underlying policy often isfar from being good enough to actuallyprotect the company from outsideattackers Network administrators oftendo not know how to set up a firewallsecurely much less how to test or auditthe firewall configuration Wool pointedout that LFA is the successor of the Fangprototype system built at Bell Labs as afirewall analysis engine
The key idea is not to probe the actualfirewall in any way but to allow testingof the configuration before the firewallis deployed The firewallrsquos routing tableand configuration files are used as inputto the LFA which parses these files andsimulates the behavior of any possiblepacket flow combination (LFA mainlyoffers support for Firewall-1 and PIX)The results are presented to the user asHTML pages
Wool concluded by giving a shortdemonstration As input to the LFA heused a short Firewall-1 policy whichcontained only six rules and explainedwhy even such a short rule set mightlead to problems once the firewall isdeployed During the QampA session heemphasized that the LFA only checkspacket headers not the content and
16 Vol 26 No 7 login
cannot therefore detect tunneling prob-lems
For more information contactyashacmorg or visit httpwwwlumetacomfirewallhtml
TRANSIENT ADDRESSING FOR RELATED
PROCESSES IMPROVED FIREWALLING BY
USING IPV6 AND MULTIPLE ADDRESSES PER
HOST
Peter M Gleitz and Steven M BellovinATampT Labs-Research
The authors proposed a method to sim-plify firewall decisions By using thelarge address space brought by IPv6they employed a strategy of multiplenetwork addresses per host That is foreach request on the client host an IPv6address is tied to the client process Thefirewall now makes access decisionsbased on transport layer protocol infor-mation (ie filtering is shifted fromports to addresses) Once approved thefirewall allows all traffic between the twopeers to pass to and fro Once the serviceis finished the IPv6 address is discardedThis method is called TARP (transientaddressing for related processes) TARPemploys two different types ofaddresses (fixed) server addresses andprocess group addresses
Gleitz discussed how TARP works withTCP and UDP applications and with thefirewall router domain name serverand IPSEC Employing TARP does notnecessarily affect the routers thoughTARP-aware routers can perform betterMoreover Gleitz pointed out that nomodifications to standard applicationssuch as Telnet SSH FTP Sendmail orTFTP are necessary in order to useTARP He also mentioned briefly someinterop problems with protocols such asDNS and ICMPv6
For more information contactpmgleitnetscapenet
NETWORK INTRUSION DETECTION EVASIONTRAFFIC NORMALIZATION AND END-TO-END
PROTOCOL SEMANTICS
Mark Handley and Vern Paxson ACIRIChristian Kreibich Technische Univer-sitaumlt Muumlnchen
This paper focused on the problem ofnetwork intrusion detection system(NIDS) evasion Attackers usually canfool any NIDS by exploiting certainambiguities in the packet flow beingmonitored by the NIDS ie (1) theNIDS may lack complete analysis of thepacket flow (eg no TCP stream re-assembly) (2) the NIDS may lack end-system knowledge (eg certainapplication vulnerabilities) and (3) theNIDS may lack network knowledge(eg the topology between the NIDSand an end system)
As a solution Paxson proposed thedeployment of a ldquonormalizerrdquo the goalof which would be to observe all packetsbeing sent between two network nodes(he called that a ldquobump-in-the-wirerdquo)and to modify (ldquonormalizerdquo) packetsthat seem to be ambiguous for one rea-son or another As an example theauthor described problems with twooverlapping fragments the normalizerwould re-assemble (and re-fragment ifnecessary) those packets before forward-ing Since re-assembly is a valid opera-tion the normalizer would in thisexample have no impact on the seman-tics at all
Paxson also pointed out some of theproblems with this approach one ofwhich is the ldquocold startrdquo problem(re-)starting the normalizer will showmany valid connections already estab-lished It is difficult to handle those con-nections accordingly (this is also true forthe NIDS itself) The normalizer hasbeen implemented and will be availableat wwwsourceforgenet soon
In the QampA session Steven Bellovinwanted to know whether normalization
would not be needed at the applicationlayer as well The presenter answered inthe affirmative
For more information contactvernaciriorg
SESSION OPERATING SYSTEMS
Summarized by Mike Vernal
SECURITY ANALYSIS OF THE PALM OPERATING
SYSTEM AND ITS WEAKNESSES AGAINST
MALICIOUS CODE THREATS
Kingpin and Mudge stake Inc
Kingpin and Mudge began their presen-tation with a bold fashion statementappearing in matching white bathrobesTheir bathrobes aimed to underscore thefact that PDAs can undermine user pri-vacy in a public setting Their effortswere later rewarded with the covetedUSENIX Style Award presented by thereal Peter Honeyman of the Universityof Michigan
The presentation centered on the secu-rity threat posed by the recent ubiquityof Personal Digital Assistants (PDAs)and more specifically devices runningthe Palm Operating System Palmdevices increasingly are being used insecurity-sensitive settings such as hospi-tals and government agencies While thegovernment is now aware of the securitythreat posed by PDAs the corporateworld has remained generally oblivious
17November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SThe security threat of the Palm stemsfrom the PalmOSrsquos lack of a well-definedsecurity framework Specific weaknessesenumerated include the direct address-ability of hardware the lack of memoryencryption the lack of ACLs weakobfuscation of passwords and a back-door debug mode that allows for thebypassing of ldquosystem lockoutrdquo Becauseof these and other weaknesses the audi-ence agreed with the assertion thatdeveloping a secure application on topof the PalmOS would be impossible
The presentation suggested thatunscrupulous users could exploit anumber of weaknesses to install mali-cious code including normal applica-tion installation desktop conduitscreator ID replacement wireless com-munications and the Palm DebuggerAnother threat raised by Kingpin andMudge was the possibility of a new set ofcross-pollinating viruses which could beacquired via a Palm and propagatethemselves to desktop computers via theHotSync operation or vice versa
With the growing popularity of PDAsKingpin and Mudge invoked OccamrsquosRazor all other factors being equal thePDA may be the malicious userrsquos easiestpoint of entry into an information net-work The upcoming PalmOS 40reportedly fixes some of the securityconcerns raised In the interim usersshould be made aware of the possiblesecurity threats and restrict or eliminatetheir use of sensitive data and applica-tions on Palm devices
SECURE DATA DELETION FOR LINUX
FILE SYSTEMS
Steven Bauer and Nissanka B Priyan-tha MIT
Steven Bauer presented an implementa-tion of a kernel-level secure data-dele-tion (SDD) mechanism for the ext2 filesystem
Bauer suggested that with the increasingprevalence of public kiosks thin clientsmulti-user computing clusters and dis-tributed file systems users will want toensure that when their data is deletedfrom these systems it is truly and irre-trievably deleted
In 1996 Peter Gutmann of IBM demon-strated that data that had been overwrit-ten on a magnetic disk could berecovered using advanced probing tech-niques While popular lore has suggestedcertain government agencies may beable to recover data overwritten dozensof times no commercial data recoverycompany contacted in conjunction withBauerrsquos research believed that it couldrecover data that had been overwrittenmore than once As such the SDD sys-tem as described probably only needs tooverwrite data a few times
This SDD system was designed to ensurethat all flagged data is deleted even inthe event of system failure The deletionprocess was designed as an asynchro-nous daemon to ensure that it did notinterfere with normal operation andperformance Though implemented forthe ext2 file system Bauer asserts thatthis system should be portable to anyblock-oriented file system
The ext2 implementation used theunused secure-deletion flag settablewith the chattr() function With thismechanism the granularity with whichsecure deletion can be specified rangesfrom an entire device to an individualfile Questions were raised as to the vul-nerability of temporary files that are notflagged in a secure deletion zone Bauerrecommended that for maximum secu-rity the entire device should be flaggedfor secure deletion
Kingpin and Mudge
SESSION MANAGING CODE
Summarized by Sameh Elnikety
STATICALLY DETECTING LIKELY BUFFER
OVERFLOW VULNERABILITIES
David Larochelle and David Evans Uni-versity of Virginia
Buffer overflow attacks account forapproximately half of all security vul-nerabilities Programs written in C areparticularly susceptible to buffer over-flow attacks because C allows directpointer manipulations without anybounds checking
Run-time approaches to mitigate therisks of buffer overflow incur perfor-mance penalties and they turn bufferoverflow attacks into denial-of-serviceattacks by terminating execution of theattacked processes Static checking over-comes these problems by detecting likelyvulnerabilities before deployment
The authors developed a practical light-weight static analysis tool based onLCLint to detect a high percentage oflikely buffer overflow vulnerabilities
The tool exploits semantic comments(annotations) that describe programmerassumptions and intents These annota-tions are treated as regular C commentsby the compiler but are recognized assyntactic entities by LCLint The annota-tions represent preconditions and post-conditions for functions to determinehow much memory has been allocatedfor buffers LCLint uses traditional com-piler data flow analyses with constraintgeneration and resolution Also LCLintuses loop heuristics to efficiently analyzemany loop idioms in typical C pro-grams
The authors used the tool to analyze wu-ftpd which is a popular open sourceFTP server and part of BIND which is aset of domain-name tools and librariesthat is considered the reference imple-mentation of DNS Running LCLint issimilar to running a compiler For wu-
18 Vol 26 No 7 login
ftpd it took less than one minute forLCLint to analyze all 17000 lines ofunmodified wu-ftpd source code Thisresulted in 243 warnings that showedknown and unknown buffer overflowvulnerabilities
LCLint source code and binaries areavailable from httplclintcsvirginiaedu
FORMATGUARD AUTOMATIC PROTECTION
FROM PRINTF FORMAT STRING
VULNERABILITIES
Crispin Cowan Matt Barringer SteveBeattie Greg Kroah-Hartman WireXCommunications Inc Mike FrantzenPurdue University and Jamie LokierCERN
In June 2000 a major new class of vul-nerabilities called format bugs was dis-covered when a vulnerability inWU-FTP appeared that looked almostlike a buffer overflow but was not It isunsafe to allow potentially hostile inputto be passed directly as the format stringfor calls to printf-like functions Thedanger is that the inclusion of direc-tives especially n in the format stringcoupled with the lack of any effectivetype or argument counting in Crsquosvarargs facility allows the attacker toinduce unexpected behavior in pro-grams
The authors developed FormatGuard asmall patch to glibc It provides generalprotection against format bugs usingparticular properties of the GNU CPPmacro-handling mechanism to extractthe count of actual arguments to printfstatements This is then passed to a safeprintf wrapper The wrapper parses theformat string to determine how manyarguments to expect and if the formatstring calls for more arguments than theactual number of arguments it raises anintrusion alert and kills the process
FormatGuard fails to protect against for-mat bugs under several circumstancesFor example if the program uses a func-
tion pointer that has the address ofprintf then it evades the macro expan-sion
FormatGuard is incorporated in WireXrsquosImmunix Linux distribution and serverproducts It is available as a GPLrsquod patchto glibc at httpimmunixorg
DETECTING FORMAT STRING VULNERABILITIES
WITH TYPE QUALIFIERS
Umesh Shankar Kunal Talwar Jeffrey SFoster and David Wagner Universityof California Berkeley
Systems written in C are difficult tosecure given Crsquos tendency to sacrificesafety for efficiency Format string vul-nerabilities can occur when user input isused as a format specifier One of themost common cases is when the pro-gram uses printf with one argument auser-supplied string assuming that thestring does not contain any directiveThe authors presented a tool (cqual)that automatically detects format stringbugs at compile time using type-theo-retic analysis techniques With this staticanalysis vulnerabilities can be proac-tively identified and fixed before thecode is deployed
Cqual builds an annotated Abstract Syn-tax Tree (AST) Then it traverses theAST to generate a system of type con-straints which is solved online Warn-ings are produced whenever aninconsistent constraint is generatedCqual presents the results of taintinganalysis to the programmer using Pro-gram Analysis Mode for Emacs (PAM)PAM is a GUI that is designed to addhyperlinks and color mark-ups to thepreprocessed text of the program Theinterface shows the taint flow path tohelp programmers determine how avariable becomes tainted
The configuration files makes cqualusable without modifying the sourcecode The authors analyzed four secu-rity-sensitive benchmark programs withthe same standard prelude file and no
direct changes to the applicationsrsquosource code Typically a few application-specific entries were added to the prel-ude file to improve accuracy in thepresence of wrappers around libraryfunctions Cqual reliably finds all knownbugs for the benchmark programs Italso reports few false positives Cqual isfast it usually takes less than a minute
Cqual is available at httpbanecsberkeleyeducqual
SESSION AUTHORIZATION
Summarized by Rachel Greenstadt
CAPABILITY FILE NAMES SEPARATING
AUTHORIZATION FROM USER MANAGEMENT
IN AN INTERNET FILE SYSTEM
Jude T Regan consultant Christian DJensen Trinity College
On the Internet there is no reliable wayto establish an identity Flexible user-user collaboration outside of an admin-istered system so that people couldcreate ad hoc work groups and removearbitrary limitations to informationsharing is the authorsrsquo goal
Such a system should be globally accessi-ble easy to use and require as littleintervention by system administrators aspossible This system should integratewith existing systems and applications Itshould have fine granularity so thatusers would not have to use complicatedexport mechanisms to share files
The authors used the concept of a capa-bility a token conveying specified accessrights to a named object in order tomake the identity of the object and theaccess rights inseparable They embed-ded the capability in something everysystem knows ndash the file name
The authors concluded that the systemwas safe from interception and modifi-cation Attackers could forge the clientpart but not the server part of the filenames Service could be interrupted butprotecting against this is impossible
19November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Swithout complete control of the net-work Performance was evaluated incomparison to NFS Most of the over-head was in the open statement Readswere slightly slower and writes weremuch slower but they felt this could bealleviated by implementing symmetricwrites
KERBERIZED CREDENTIAL TRANSLATION ASOLUTION TO WEB ACCESS CONTROL
Olga Kornievskaia Peter HoneymanBill Doster and Kevin Coffman CITIUniversity of Michigan
There are two different authenticationmechanisms those used for servicessuch as login AFS and mail for whichKerberos is popular and public key-based mechanisms such as SSL which isused to establish secure connections onthe Web These systems need to be ableto work together to satisfy a request
The authors propose to achieve the bestof both worlds by leveraging Kerberos tosolve PKI key management This will useexisting infrastructures which allowstrong authentication on the Web withSSL and which provide access to Kerber-ized back-end services They propose asystem to provide interoperabilitybetween PKI and Kerberos Their systemconsists of (1) a Certificate Authority(CA) KX509 which creates short-livedcertificates (2) a Web server which actslike a proxy for users by requesting serv-ices from Kerberized back-end servicesand (3) a Kerberized Credential Transla-tor which translates public-key creden-tials to Kerberos They created aprototype of their system called WebAFSusing AFS as an example Kerberized ser-vice
DOS AND DONrsquoTS OF CLIENT AUTHENTICA-TION ON THE WEB
Kevin Fu Emil Sit Kendra Smith and
Nick Feamster MIT
[This paper received the Best StudentPaper Award]
Kevin gave a very amusing presentationwhich illustrated the gap between secu-rity theory and practice He described avariety of Web sites that used insecureclient authentication schemes and pre-sented hints on how to avoid their mis-takes
Client authentication seems like a solvedproblem but many sites continue tocome up with homebrew schemes whichjust donrsquot quite get it right Out of the 27Web sites the cookie eaters group exam-ined they weakened the security on twosites were able to mint authenticatorson eight and on one site were able toobtain the secret key Some of these siteswere high profile such as the Wall StreetJournal (wsjcom) Sprint PCS (sprint-pcscom) and FatBrain (fatbraincom)
In most cases the mistakes made inthese sites were simple By simply look-ing at their cookie files the authors couldquery Web servers and look at headersresponses and create sample authentica-
tors Except forSprint theseattacks involved noeavesdropping atall The schemeswere not evenstrong against whatthe authors termedthe ldquointerrogativeadversaryrdquo Thisadversary has nospecial access but it
adaptively queries a Web server a rea-sonable number of times It just sitsthere and connects to port 80 it cannotdefeat SSL client authentication HTTPbasic or digest authentication The bestsuch an adversary can do against a pass-
Kevin Fu
word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable
In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password
Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary
In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu
SESSION KEY MANAGEMENT
Summarized by Sameh Elnikety
SC-CFS SMARTCARD SECURED
CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi CITI University of Michigan
Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS
20 Vol 26 No 7 login
implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation
When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory
SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key
The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds
SECURE DISTRIBUTION OF EVENTS IN
CONTENT-BASED PUBLISH SUBSCRIBE
SYSTEMS
Lukasz Opyrchal and Atul Prakash University of Michigan
Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage
Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize
The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
READING BETWEEN THE LINES LESSONS
FROM THE SDMI CHALLENGE
Summarized by Rachel Greenstadt
Scott A Craver Min Wu and Bede LiuPrinceton University Adam Stubble-field Ben Swartzlander and Dan SWallach Rice University Drew Deanand Edward W Felten Princeton Uni-versity
Program Chair Dan Wallach introducedthis talk as being a long time in the mak-ing and mentioned that he was pleasedto have it here However he stressed thatthis first section would be a normal bor-ing technical talk THEN there would bea panel discussion where policy ques-tions would be allowed Matt Blazeasked when the subpoenas would beserved however despite the large massof press and lawyers that joined theUSENIX attendees there was no last-minute withdrawal of the talk this timeand no FBI agents came to cart ScottCraver away as he gave his talk
Craver began by describing the chal-lenge which took place during threeweeks in September and October of2000 SDMI (Secure Data Music Initia-tive) invited ldquohackersrdquo otherwise knownas the general public to crack six of theirproposed technologies labeled Athrough F There were four watermark-ing technologies and two others SDMIoffered a cash prize for the successfuldefeat of one of their technologies butthis required the winners to sign a Non-Disclosure Agreement so the Feltengroup decided to forego the prize infavor of publishing their findings
SDMI is an organization an initiativeand the technology for that initiative Atthe time of the challenge that technol-ogy was watermarking and related tech-nologies The watermarks (technologiesA B C and F) were composed of arobust and a fragile component therobust part of which would survivealtered music Through a missing water-mark in the fragile component such as
7November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sif it had been mp3 compressed anSDMI device could perhaps determine ifa CD track was ever an mp3 in the pastperhaps illegally downloaded The othertechnologies (D and E) were used tosign tables of contents supposedly tocontrol the propagation of CDs withmixed tracks
For the watermarking technologies therewere three samples given (1) a soundclip without a watermark (2) the samesample with a watermark and (3) a dif-ferent sound clip with a watermark Thechallenge was to remove the watermarkfrom the third sound clip SDMI pro-vided no actual embedders or detectorsThere was an online oracle to which youcould submit a sound clip and get aresponse There was no description ofthe algorithms used and no details orreasons were given when an oraclerejected a clip The challenge lasted onlythree weeks and the oracle had a turn-around time in hours As such adaptiveoracle attacks which would be possibleif the system were deployed were notfeasible
There were several approaches usedagainst the marks (1) brute force attacksnot specific to the algorithm used andwhich mostly consisted of adding noiseand filtering (2) slight brute forceattacks loosely based on supposeddetails of the algorithms and (3) full-blown reverse engineering
For technologies B and C the groupnoticed that there was a narrow bandsignal added to the clip By the slightlybrute method of filtering at the fre-quency and adding narrow-band noisethey were able to foil the oracle
In their analysis of technology A the-group noticed a slight warping in thetime domain as though the signal wasslowly advancing or decreasing Theydetermined that this phase shifting waspre-processing and not the actual water-mark since the oracle did not admit the
sample when the distortion wasremoved However removing this dis-tortion in technology F was able to makethat watermark undetectable (quicksomebody call the FBI)
Another approach to defeating technol-ogy A would have been to try reinstatingthe fragile component However therewas no way to test this type of attackusing the oracle
The group noticed a ripple in the fre-quency domain which led them tobelieve that technology A used some sortof echo hiding technique consisting ofdeliberate but inaudible echoes whichmeant that there was a signal which wasdelayed and then added back into themusic They tried a filtering approach toreduce the audibility of the echo suffi-cient to remove the watermark Wantingto discover more they decided to do apatent search figuring correctly that thiswas a proprietary algorithm with apatent They found a patent belongingto Aris corporation which became Ver-ance one of the SDMI companies Thismade them feel like they were on theright track They also discovered that itwas a simple echo every fiftieth of a sec-ond and that a delayed version wasadded or subtracted every fifteenthinterval To further analyze the signalthey used the auto-kepstral techniquefor echo hiding combining techniquesto estimate the echo Theyrsquove come upwith better echo hiding detection soft-ware subsequent to the challenge Scottdemonstrated a program that was colorcoded to detect the echo
For technologies D and E SDMI pre-sented table-of-contents files for 100CDs and signature tracks The challengewas to create a new table of contents andsuccessfully forge a signature for it Fortechnology D they found that all theenergy was concentrated in a small fre-quency band of 80 frequency bins whichonly actually used a 16-bit signal
repeated five times with constant shuf-fling Since there were only 16 bits ofoutput a user should be able to acquiremany authenticators as there were twohash collisions among the CDs givenHowever it was difficult to get furtherthan this analysis because the oracle forD didnrsquot work it would always returnldquoinvalidrdquo regardless of input Technology
E however didnrsquot have any data to ana-lyze at all You could submit a mail say-ing yoursquod try mixing this track and thattrack and yoursquod get a reply saying thatyou couldnrsquot do that
The speaker concluded by saying thatmany claimed that this was a system toldquokeep honest people honestrdquo Howeverthough the Felten group felt that the sys-tem was too complex for that theywouldnrsquot claim any type of strong secu-rity The systems require trusted clientsin a hostile environment but if deployedthey would be broken quickly No spe-cial EECS knowledge is needed andthere are no dirty secrets Anyone withreasonable expertise could do thisWatermarking can be useful but not inthis situation The weakness is in theoverall concept not the specific technol-ogy One main lesson learned is thatsecurity through obscurity STILL doesnrsquot work This is particularly thecase for secret algorithms which arepatented and therefore public
Peter Honeyman asked about the possi-bility of a secure watermark Scottreplied that he personally thinks that
8 Vol 26 No 7 login
watermarking wonrsquot work for activelyenforcing a usage policy since doing thisprovides all targets an oracle that theycan use He is pessimistic about the useof watermarking for copyright controlHe clarified that they broke accordingto the oracle technologies A B C and Fbut that D and E had no valid responsesHe also clarified that only technology Aused echo hiding and that though theydonrsquot know what the criteria for the ora-cle was it appeared to make a decisionbased on detectability and quality Heexplained that some areas where water-marking might prove useful is in fragilewatermarks which provide tamper evi-dence in digital photographs and in pre-venting duplication of currency Thesetechnologies have a different threatmodel Someone asked about copy pro-tected CDs Scott replied that that was acompletely different approach doneentirely at the hardware level Peoplewondered why honest people would notwant a complex copy protection schemeScott answered that complex schemeshave higher rates of failure and highercost Someone asked how this was rele-vant to detecting steganographic infor-mation and Scott answered that theywere basically the same and that theinformation about echo detection wouldbe useful
PANEL DISCUSSION ON SDMIDMCA
Moderator Dan Wallach Rice Univer-sity Panelists Edward W FeltenPrinceton University Cindy Cohn EFFand Peter Jaszi American UniversityCollege of Law
The three panelists spoke about the legaland social questions surrounding theSDMIDMCA issue Dan Wallach men-tioned that if there were any representa-tives from the record company the panelwould love to have someone from theother side come speak he doubtedhowever that they would be here
Peter Jaszi then presented a detaileddescription of the Digital Millennium
Copyright Act (DMCA) section 1201He explained the difference between theDMCA and copyright law Copyrightlaw has been developed and refined overa few hundred years and maintains adelicate balance between owners andusersrsquo privileges To that end it has beenrelatively successful It is important tounderstand that the DMCA is not copy-right law but rather a supplement tocopyright law or para-copyright legisla-tion As such it has the potential to over-
ride thecopyrightdefault protec-tions which hadbeen carefullylaid out overtime He soughtto explain theseoverrides andmentioned thatthe risk the
DMCA poses to the fundamental copy-right system isnrsquot news and wasnrsquot newswhen it was passed As a result somelimitations to the DMCA were built inbut most of these exceptions are notvery functional
The fundamental commandment of theDMCA is ldquoThou shall not circumventfor accessrdquo The fact that it was accessand not use was a compromise intendedto limit the DMCA However it limitedthe legislation less than some imaginedit would since there is a great deal ofconfusion between access and use Thereare also secondary prohibitions concern-ing making goods and services whichcan be used for circumvention availableSection 1201(b)(1) can be interpretedbroadly and it was under this provisionthat the threats from SDMI to theauthors of the paper were made
Section 1201(c) presents a fair-useexception in wonderful ringing lan-guage however it is completely irrele-vant since it references fair use as adefense of copyright and the DMCA isnot copyright
Q amp A Scott Craver amp Dan Wallach
Prof Peter Jaszi
The law enforcement exception is actu-ally sweeping and robust it applies to allthe provisions of the act The reverseengineering exception is not half bad itrefers to the whole range of prohibitionsalthough it is still narrower in scopethan the protections under copyrightlaw Sections 1201(g) and (j) presentlimited exceptions for encryptionresearch and security testing which areuncertain in scope Section 1201(h)presents a small but robust exception toallow adults to circumvent in order tofrustrate a minorrsquos attempt to achieveprivacy in a Web environment Section1201(i) allows ordinary people to pro-tect their privacy but it is only a conductexception you need to make your owntools and not distribute them There isless to all these limitations and excep-tions than meets the eye
There are risks posed by this legislationto the traditional balance of interest incopyright law which calls for a push-back against legislative excess To thisend Jaszi is forming a new access coali-tion They have a Web site athttpwwwipclinicorg
Cindy Cohn from the EFF said thatPeter had already said everything aboutsection 1201 but stressed that the EFFwas ldquopushback centralrdquo and explainedways in which people could get involvedin this effort The EFF has been involvedin this issue even before the cases involv-ing 2600 Magazine Felten and theUSENIX presentation of the SDMIpaper and the California trade secretscase
Thomas Greene from the Register won-dered why the mainstream press hasnrsquotrealized their stake in this and what itimplies about freedom of the pressCindy replied that they were gettingincreased press support with the Sky-larov arrest speaking speculatively shealso mentioned that the mainstreampress is owned by content holders In
9November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Saddition most press organizations wishto be seen as nonpartisan and objective
Someone asked about dual use tech-nologies such as echo detection TheDMCA takes this into account but thelanguage doesnrsquot give much comfortThere are a series of criteria which willgive you liability
There was a question about potentialconnections between the lawsuit and theSkylarov case Cindy answered that instrictly legal terms there was no overlap
Someone asked what to do in Feltenrsquossituation what lessons had they learnedFelten responded that they learned agreat deal responding to the threatsregarding the paper He said to talk topeople whorsquove been there and keep inmind your goals and values
Someone brought up the question ofwhether a person would be at risk forsummarizing the session Cindy saidthat the letter they received only per-tained to the particular paper butbecause the paper can be publishedprosecuting for summarizing would behard Peter suggested that if you weregoing to synthesize the talk (uhthis isstarting to sound disturbingly famil-iar) and discuss strengths and weak-nesses theoretically you could be introuble Especially if you implementsomething based on the presentationFelten mentioned that the fact that thisquestion has no simple answer is telling
Someone suggested widespread civil dis-obedience as the only way to effectchange Cindy responded that she neveradvises people to break the law Thoughshe feels that if the law is out of stepwith what people believe their rights arethe law should be changed Peter addedthat copyright law has functioned wellbased on shared social investment Likethe tax code it works not because it ispoliced but because there is a highdegree of collective buy in to its prem-ises The most corrosive thing about the
DMCA is that the basic assumptions itmakes about people are dark and pes-simistic We need to question thoseassumptions and what flows from them
Someone asked for some insight intowhy the industry wouldnrsquot want thisresearch since it would allow them tobuild better protection schemes Feltenresponded that to us the question is isthis technology weak We didnrsquot make itweak and we think it should be fixedThe industryrsquos concern is not whetherthe technology is strong or weak somuch as whether people believe it isstrong or weak They think that if thepublic reaches a consensus that the tech-nology is strong that will be enoughMany of us find this hard to understand
[More information and photographscan be found at httpwwwusenixorgeventssec01indexhtml
CHANGES IN DEPLOYMENT OF
CRYPTOGRAPHY AND POSSIBLE CAUSES
Eric Murray SecureDesign
Summarized by Takeaki Chijiiwa
A survey of cryptography deploymentwas conducted last year (2000) by EricMurray and a similar survey was con-ducted in 2001 to measure changes inthe deployment of SSL (Secure SocketLayer) and TLS (Transport Layer Secu-rity) Web servers
The results of the 2000 survey showed10381 unique hostname and port num-ber combinations compared to 12630 in2001 Detailed results are available athttpwwwlnecomusenix01
There were several noteworthy changesbetween the results from the surveys in2000 and 2001
What got better
A 14 increase 5 decrease and8 decrease among servers catego-rized as Strong Medium and Weakrespectively
The number of servers supporting1024-bit key size increased by 10while a decrease of 8 was seen forsupport of less than 512-bit keysize
The protocol adoption saw a shiftfrom SSL v2 (3 decrease) towardTLS (5 increase)
What got worse
The number of expired certificatesincreased from 31 to 37
Self-signed certificates increasedfrom 08 to 20
The results presented raised many ques-tions from the audience
Question Why do you think there wasan increase in the number of self-signedcertificates
Answer This may be due to people play-ing around with OpenSSL or the surveymay have picked up servers used forinternal use Furthermore the increasein the number of expired certificatesmay have been a result of study errorandor the inclusion of abandoned Websites
Question Did you retest the serversfrom last yearrsquos survey
Answer No This was a new list andtherefore a completely new survey
Question Is the raw data available
Answer You can email ericmlnecomfor private requests
Question Which browsers do you usefor personal use
Answer Linux and Netscape
REVERSING THE PANOPTICON
Deborah Natsios cartomeorg JohnYoung cryptomeorg
Summarized by Mike Vernal
Deborah Natsios described the missionof cartomeorg and cryptomeorg as anattempt to reverse the one-way flow ofinformation controlled by the national
10 Vol 26 No 7 login
surveillance state Based upon theassumption that information is powerNatsios likened the work of cartomeorgand cryptomeorg to that of Ariadne inthe myth of Theseus and the MinotaurBy reversing the flow of informationcartomeorg and cryptomeorg hope toempower those who may be caught inthe labyrinth of the security state muchas Ariadne empowered Theseus with atrail of silk thread through the labyrinthof Crete
John Young continued by explainingthat cryptomeorg welcomed the sub-mission of proprietary or classified doc-uments and trade secrets from anynation or corporation Young describeda few such documents and the unfavor-able responses they had received TheBritish government objected to one doc-ument and attempted to have cryp-tomeorgrsquos Internet service provider shutthe site down Another documentprompted diplomatic requests from theJapanese government for its removal Allattempts to shut the site down have thusfar been rebuffed but Young imaginesthat someone will eventually be success-ful
Other information cryptomeorg hasreceived and published include proofsthat American corporations used USintelligence to stay ahead of foreigncompetitors the names of over 8000CIA informants and currently the pro-grams and keys associated with Russianprogrammer Dmitri Skylarovrsquos crack ofAdobersquos E-book system for which hewas arrested in July
An audience member asked what typesof material cryptomeorg would notpublish Young explained that cryp-tomeorg is open to any kind of publica-tion but they have refused to publishchild pornography documents andinformation related to biological war-fare They also feel that personal prerog-ative takes precedence over the publicrsquosright to know so they will remove per-
sonal information and documents ifrequested by the person in questionThey also reminded the audience thatthey do not verify the authenticity of theinformation they publish ndash they leavethat to the interested reader
Young repeatedly stressed what hebelieved to be the transitory nature ofcryptomeorg He assured the audiencethat at some point cryptomeorg willeither be silenced or it will simplymature away from the cutting edgeWhen that finally happens Young isconfident that someone else will emergeat the vanguard of the quest to reversethe Panopticon state
DESIGNS AGAINST TRAFFIC ANALYSIS
Paul Syverson US Naval ResearchLaboratory
Summarized by Yong Guan
Paul Syverson used a pseudonym ldquoPeterHoneymanrdquo on his talk a joke whichpervaded the rest of the conference
Although the encryption of networkpackets ensures privacy of the payload ina public network packet headers iden-tify recipients packet routes can betracked and volume and timing signa-tures are exposed Since encryption does not hide routing information pub-lic networks are vulnerable to trafficanalysis
Traffic analysis can reveal for examplewho is searching a public database whatWeb sites are surfed which agencies orcompanies are collaborating where youremail correspondents are what sup-pliesquantities you are ordering andfrom whom and so forth
Knowing traffic properties can help anadversary decide where to spendresources for decryption and penetra-tion Therefore it is important todevelop countermeasures to preventtraffic analysis
The security goal of traffic-analysis-resistant systems is to hide one or moreof the following
Sender activity that a site is sendinganything
Receiver activity that a site isreceiving anything
Sender content that a sender sentspecific content
Receiver content that a receiverreceived specific content
Source-destination linking that aparticular source is sending to aparticular destination
Channel linking identifying theendpoints of a channel
Some systems were described
Dining Cryptographers (DC) ndash net-works in which each participant sharessecret coin flips with other pairs andannounces the parity of the flips theparticipant has seen to all other partici-pants and the receiver
Chaum mixes ndash a network of mix nodesin which messages are wrapped in mul-tiple layers of public-key encryption bythe sender one for each node in a routeMost widely used anonymous commu-nication systems use the Chaum mixmethod
There are two kinds ofroutes for the messagesmix cascade where allmessages from anysource move through afixed-order ldquocascaderdquo ofmixes and randomroute where the routeof any message is
selected at random by the sender fromthe available mixes
Remailers mainly used for emailanonymity employ rerouting of anemail through a sequence of multiplemail remailers before the email reachesthe recipient so that the true origin ofthe email can be hidden
Anonymizer and SafeWeb provide fastanonymous interactive communicationservices They are essentially Web prox-
11November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sies that filter out the identifying headersand source addresses from Webbrowsersrsquo requests Instead of the userrsquostrue identity (eg IP address) a Webserver can only learn the identity of theWeb proxy Both offer encrypted links totheir proxy (SSL or SSH) Anonymizer isa single point of failure whereasSafeWeb is a double point of failureSafeWeb offers additional protectionfrom censorship
Crowds aims at protecting usersrsquo Web-browsing anonymity Like Onion Rout-ing the Crowds protocol uses a series ofcooperating proxies (called jondo) tomaintain anonymity within the groupUnlike Onion Routing the sender doesnot determine the whole path Insteadthe path is chosen randomly on a hop-by-hop basis At each hop a decision ismade whether to submit the requestdirectly to the end server or to forward itto another randomly chosen memberaccording to forwarding probability Theexpected path length is controlled by theforwarding probability Cycles areallowed on the path The receiver isknown to any intermediate node on theroute Once a path out of a crowd ischosen it is used for all the anonymouscommunication from the sender to thereceiver within a 24-hour periodCrowds does not have a single point offailure and is a more lightweight cryptothan mix-based systems HoweverCrowds has limitations all users mustrun Perl code users have to have long-running high-speed Internet connec-tions an entirely new network graph isneeded for a new or reconnecting Crowdmember connection anonymity isdependent on data anonymity andresponder protection is weak
Onion Routing provides anonymousInternet connection services The OnionRouting network operates on top ofexisting TCPIP networks such as theInternet It builds a rerouting pathwithin a network of onion routers
which in turn are similar to real-timeChaum mixes In Onion Routing thedata packet is broken into fixed-sizecells and each cell is encrypted multipletimes (once for each onion router on thepath) Thus a recursively layered datastructure called an onion is constructedAn onion is the packet transmitted alongthe rerouting path The fixed size of anonion limits a route to a maximum of 11nodes in the current implementationOnions can be tunneled to producearbitrary length routes
Onion Routing I (Proof-of-concept)uses a network of five Onion Routingnodes operating at the Naval ResearchLaboratory It forces a fixed length (fivehops ie five intermediate onionrouters) for all routes
Onion Routing II can support a networkof up to 50 core onion routers For eachrerouting path through an Onion Rout-ing network each hop is chosen at ran-dom The rerouting path may containcycles although only cycles with one ormore intermediate nodes are allowed
Freedom Network also aims at provid-ing anonymity for Web browsing Fromthe userrsquos point of view Freedom is verysimilar to Onion Routing Freedom con-sists of a set of nodes (called Anony-mous Internet Proxy) which run on topof the existing Internet infrastructureTo communicate with a Web server theuser first selects a series of nodes to forma rerouting path and then uses this pathto forward the requests to its destina-tion The Freedom Route Creation Pro-tocol allows the sender to randomlychoose the path but the path length isfixed to be three The Freedom client-user interface does not allow the user tospecify a path-containing cycle TheFreedom client must either have all theintermediate nodes in the path chosenor choose a preferred first node and lastnode and the intermediary nodes arepicked at random
Paul Syverson
For more information visit httpwwwonion-routernet andhttpwwwsyversonorg
Question Who manages the onionrouters Are they managed independ-ently
Answer Yes The onion routers can bedistributed anywhere and be managedby different groups
Question Do you believe that thelonger the path the safer the anony-mous communication system
Answer I am not sure
COUNTERING SYN FLOOD
DENIAL-OF-SERVICE (DOS) ATTACKS
Ross Oliver Tech Mavens
Summarized by David RichardLarochelle
SYN flood attacks are a nasty DoSattack The attacker sends a SYN packetbut does not complete the three-wayhandshake This is hard to defendagainst because SYN packets are part ofnormal traffic and unlike ping attacksyou canrsquot firewall them Since SYN pack-ets are small the attack can be done withlimited bandwidth Finally the attacksare difficult to trace because source IPaddresses can be faked Ross Oliverstressed that itrsquos up to you to defendyourself (law enforcement is unable todeal with attacks as they occur if theycan deal with them at all) and suggestedthat firewalls employing SYN flooddefenses are the best way of doing this
He reviewed four such products PIX byCisco Firewall-1 by CheckpointNetscreen 100 by Netscreen and App-Safe (previously called AppSwitch) byTopLayer To test these products heplaced a Web server behind the firewalland used a machine with a script whichcalled wget repeatedly to request Webpages to represent the legitimate clienttraffic An attacking machine threw SYNpackets with forged source addresses atthe Web server
12 Vol 26 No 7 login
The Cisco PIX used a threshold tech-nique which allowed a set number ofincomplete connections and droppedadditional SYN packets The testsshowed no significant improvementover no firewall The Firewall-1 faredslightly better It lets SYN packets reachthe Web server and then sends an ACKpacket to the Web server to complete thethree-way handshake Under a SYNflood attack the Web server will then
have a bunch of com-pleted connectionsinstead of half-openones Firewall-1 pro-tected up to 500 SYNsper second but withdegraded response timeThe Web server returned
to normal 3ndash10 minutes after the attackceased
Netscreen and AppSafe had the bestresults If these firewalls detect a SYNflood attack they proxy the incomingconnections and only send the Webserver the SYN and ACK packets if thehandshake is completed by the clientNetscreen detects SYN floods by lookingat the number of incomplete connec-tions It protected up to 14000 SYNssecwith acceptable response times and con-tinued to function at higher SYN ratesbut with increasing delays The serverresponded normally immediately afterthe attack
AppSafe used a more elaborateapproach It determined whether toproxy a connection request based on thesource IP address SYN packets from IPaddresses which had recently behavedlegitimately were let through to the Webserver immediately Only connectionsfrom previously unseen or malicious IPaddresses were proxied AppSafe waseffective up to 22000 SYNssec whichwas the most traffic that the attackingmachine could produce in this testHowever it was pointed out that in thetest the client machine used only one IP
This technique may not work as well in asituation in which there are new connec-tions from previously unseen clients
How much protection you need dependson what type of attack you expect Anattacker with a Cable or DSL connectioncan produce 200 SYNssec An attackerwith a T1 can produce 2343 SYNssecAccording to the paper ldquoInferring Inter-net Denial-of-Service Activityrdquo pre-sented the previous day 46 of DoSattacks involved more than 500SYNssec but only 24 were above14000 SYNssec This level can be han-dled with a single firewall Multiple ordistributed attacks may require multipleparallel firewalls Because of the widerange of performance between devicesOliver stressed the importance of testingand advised testing the devices yourselfif possible
REAL STATEFUL TCP PACKET FILTERING WITH
IP FILTER
Guido van Rooij Eindhoven Universityof Technology
Summarized by Evan Sarmiento
Old firewall implementations used to fil-ter TCP sessions using addresses andports only creating an interesting prob-lem The administrator would have toguess the source port of the packet inorder to filter it correctly In order tosolve this a new trend in firewalls is tointroduce stateful packet filtering State-ful packet filters remember and onlyallow through addresses and ports ofconnections that are currently set up
Even before Guido van Rooijrsquos work IPFilter did have stateful packet filteringbut it was implemented in the wrongway IP Filter does take sequence ACKand window values into account but itmakes the wrong assumption that pack-ets seen by the filter host will also beseen by the final destination Thisassumption caused IP Filter to droppackets in certain situations The newstate engine for IP Filter encompassesthe following goals
Ross Oliver
Conclusions made by the enginemust be provable
All kinds of TCP behavior must betaken into account
The number of blocked packetsmust be minimized
Blocking of packets must never leadto hanging connections
Opportunities for abuse should bemade as small as possible
The new state engine includes 20 bytesper state entry and about 40 lines of Ccode without loops thus the perfor-mance overhead is minimal
However even the new state engine isnot always successful even though it is agreat improvement Occasionallyblocked FIN and ACK packets causeproblems in the state timeout handlingfor TCP half-closed sessions IP Filterdrops packets coming from a few Win-dows NT workstations for a strange andas yet unknown reason
Guido then outlined some future addi-tions to IP Filter He would like to beable to fix fragment handling add sup-port for sessions entering the state tableafter establishment and check validity ofa session if a packet comes in from themiddle of the connection
REFEREED PAPERS
SESSION DENIAL OF SERVICE
Summarized by Stefan Kelm
USING CLIENT PUZZLES TO PROTECT TLS
Drew Dean Xerox PARC Adam Stub-blefield Rice University
Adam Stubblefield presented their workon a DoS protection technique namelythe use of client puzzles within the TLSprotocol Even though client puzzleshave been supposed to be a solution toDoS attacks Stubblefield pointed outthe lack of actual implementations Thechoice of TLS as the protocol to protectagainst DoS seems obvious but TLS issubject to DoS attacks because of thecomputing-expensive cryptographic
13November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Soperations performed at both the clientand the server side A server howeverhas to perform the more expensive RSAdecrypt operations during the sessionhandshake thus any small number ofclients could easily overload a TLS serverby flooding the server with TLS hand-shake messages The goal of this work isto prevent this using cheap methods
The idea of TLS-based cryptographicpuzzles is to first let the client do thework and subsequently the server If theserver is under a heavy load it sends aso-called ldquopuzzle requestrdquo to the clientThe client in turn has to compute anumber of operations which it then usesto send a ldquopuzzle solutionrdquo back to theserver Thus the server will not need tocontinue the TLS handshake unless theclient has proven its intent to really opena TLS connection
Client puzzles are surprisingly easy toimplement on both the client and theserver side Stubblefield used modifiedOpenSSL and mod_ssl source code totest the implementation The implemen-tation uses a metric which tracks unfin-ished RSA decrypt requests in order todecide whether or not the server isassumed to be under attack Sinceadding more latency to the TLS protocolwas not a goal of this work the serveronly sends a puzzle request back to theclient if it really has to This is imple-mented by using variable thresholds
The author concluded that they are ableto protect against certain denial-of-ser-vice attacks at not much cost and with agood user experience Moreover theproposed solution can be implementedusing already existing code
For more information contact astubblericeedu
INFERRING INTERNET DENIAL-OF-SERVICE
ACTIVITY
David Moore CAIDA Geoffrey MVoelker and Stefan Savage Universityof California San Diego
This paper awarded the best paperaward tried to answer the question ofhow prevalent denial-of-service attacksin the Internet currently are Theauthors ran a test over a period of threeweeks trying to come up with an esti-mate of worldwide DoS activity
David Moore presented the so-calledldquobackscatter analysisrdquo as their key ideaand outlined the basic technique sinceattackers normally use spoofed source IPaddresses the ldquoreal ownersrdquo of those IPaddresses regularly receive responsepackets from the systems being attacked(Moore called these ldquounsolicitedresponsesrdquo) By monitoring these unso-licited responses one is able to detectdifferent kinds of DoS attacks Further-more by observing a huge number ofdifferent IP addresses over a longerperiod of time sampling the results canprovide an overview of attacks going on
Moore presented some interestingresults and displayed a number of fig-ures and tables showing the number ofattacks the attacks over time the attackcharacterization the attack duration dis-tribution and the attack rate distribu-tion Moorersquos team observed a numberof minor DoS attacks (described as ldquoper-sonal vendettasrdquo) as well as some victimsunder repeated attack Classifying thevictims by TLD showed countries likeRomania and Brazil being attacked farmore often than most other TLDs Thepresenterrsquos hypothesis was that eitherthose countries host ISPs that attackeach other or there simply are morehackers located in Romania and Brazil(this was later denied by someone in theaudience stating that Romania has reallynice people)
In conclusion the authors observedsome very large DoS attacks thoughmost attacks seem to be short in dura-tion Another result showed the majorityof attacks being TCP based To clarifythis technique is not good at distin-guishing between DoS and DDoS
attacks since it is not good at distin-guishing between attackers
During the QampA session one questionwas on why the analysis showed noattacks on the mil domain Theresponse given was that either mil is notunder attack (unlikely) or that backscat-ter packets are being filtered
For more information contactdmoorecaidaorg or see httpwwwcaidaorgoutreachpapersbackscatter
MULTOPS A DATA-STRUCTURE FOR
BANDWIDTH ATTACK DETECTION
Thomer M Gil Vrije UniversiteitMITMassimiliano Poletto MIT
Thomer Gil proposed a heuristic as wellas a new data structure to be used byrouters and similar network devices todetect (and possibly eliminate) denial-of-service attacks Most DoS attacksshow disproportional packet rates with ahuge number of packets being sent tothe victim and only very few packetsbeing sent by the victim in response Thenew data structure called MULTOPS(Multi-Level Tree for Online Packet Sta-tistics) monitors certain Internet trafficcharacteristics and is able to drop pack-ets based on either the source or the des-tination address
The main implementation challengeswith MULTOPS have been and still arethe precise identification of maliciousaddresses athe achievement of a smallmemory footprint and a low overheadon forwarding ldquorealrdquo traffic as opposedto DoS-based traffic MULTOPS isimplemented as a memory-efficient treeof nodes which contains packet-rate sta-tistics and which dynamically grows andshrinks with the traffic being observedAt the current implementation packetsare dropped based on either a variablepacket rate or a ratio Since it usually isimpossible to identify an attacker(because of IP spoofing) packets can bedropped based on the victimrsquos IP too
14 Vol 26 No 7 login
The authors succeeded in simplifyingmemory management and the mecha-nism that keeps track of packets Gilpointed out that their solution is suc-cessfully being used by a network com-pany They are currently trying to focuson the behavior of different TCP imple-mentations as well as protocols otherthan TCP
Someone brought up the question ofdifferentiating DoS traffic from trafficthat normally shows disproportionalpacket flows eg video traffic The replysuggested the possibility of buildingsome kind of knowledge base A livelydiscussion on random class A addresseswithin MULTOPS subsequently arosebut was taken offline
For more information contact thomerlcsmitedu
SESSION HARDWARE
Summarized by Anca Ivan
DATA REMANENCE IN SEMICONDUCTOR
DEVICES
Peter Gutmann IBM TJ WatsonResearch Center
Peter Gutmann explained the dangers ofdeleting data in semiconductors Every-one knows that deleting data from mag-netic media is very hard but not toomany realize that the same problemexists for semiconductors especiallysince there are so many ways of buildingsemiconductors each with its own set ofproblems and solutions After giving ashort background introduction in semi-conductors and circuits (n-type p-typeSRAM DRAM) Peter described some ofthe most important issues
Electromigration because of highcurrent densities metal atoms aremoved in the opposite direction ofthe normal current flow The conse-quence is that the operating proper-ties of the device are stronglyaltered
Hot carriers during operation thedevice heats up and its characteris-tics change considerably
Ionic contamination this is nolonger an issue and its effects are nolonger significant
Radiation-induced charging itfreezes the circuit into a certainstate
The first phenomenon enables attackersto recover partial information from spe-cial-purpose devices (eg cryptographicsmartcards) The next two can be usedto recover data deleted from memory Inorder to avoid long- and short-term dataretention from semiconductors (a DESkey was recovered in the lsquo80s)researchers developed a series of solu-tions that use various semiconductorforensic techniques including the fol-lowing two
Short-term retention probably thesafest way to defend against it is notto keep the same values in the samememory cells for too long (maxi-mum a few minutes)
Long-term retention in 1996 someresearchers proposed periodicallyflipping the stored bits In this wayno cell holds the same bit value forlong enough to ldquorememberrdquo it
In the end Peter talked about how allthe problems cited above extend to flashmemory For example random genera-tors can generate strings of 1s when thepool is empty or information can beleaked into adjacent cells into shared cir-cuitry
Even though the entire presentationscared at least one person in the audi-ence (guess who) Peter assured us thatreality is not that gloomy In fact theonly problem is the lack of a standardEvery time people decide to choose oneimplementation method they shouldalso choose which solutions are best forit Answering a question Peter told usthat personal computers are not affected
by those problems but that most special-ized devices like airplane black boxescan leak information if analyzed withvery sophisticated equipment But thenagain who has such equipment
STACKGHOST HARDWARE-FACILITATED
STACK PROTECTION
Mike Frantzen CERIAS Mike ShueyPurdue University
The authors presented a software solu-tion to the return-pointer hijackingproblem The most important step inthe function-call process is when thecaller saves the return pointer beforegiving the control to the called functionMany attacks are based on changing thispointer When the callee finishes thereturn pointer dictates which functiontakes control next StackGhost is a pieceof software that automatically and trans-parently saves the return pointer andreplaces it with another number Whenthe called function completes Stack-Ghost verifies the integrity of that num-ber (catching in this way possibleattacks) and reinstalls the correctpointer value
The security of StackGhost depends onhow it modifies the return pointer tocatch attacks the authors have tried sev-eral ways
Per kernel XOR with a 13-bit signedcookie the main problem is that anattacker can find out the cookie bystarting several arbitrary programs
Per process XOR with a 32-bitcookie this is safer than the previ-ous method but more expensive
Encryptdecrypt the return pointerthis method seems to be the mostexpensive
Return-address stack this methodreplaces the return pointer withanother number and saves thepointer into a return-address stackHowever this would impede otherapplications from running correctly
15November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SAfter making performance measure-ments for all techniques the authorsnoticed that the chances of StackGhostnot catching an attack were 1 in 3 forXOR cookies and 1 in 232 for the return-address stack The conclusion was thatStackGhost was offering protectionagainst return-pointer overriding to allprocesses in the system (which might beseen as a disadvantage)
IMPROVING DES COPROCESSOR THROUGH-PUT FOR SHORT OPERATIONS
Mark Lindemann IBM TJ Watson
Research Center Sean W Smith
Dartmouth College
While the first two talks in this sessionwere at opposite poles (one deeply hard-ware and one purely software) the thirdone was somehow in the middle Thepresenter Sean Smith is one the fathersof the cryptographic card developed atIBM and presently working at Dart-mouth College Everything started in avery optimistic fashion with the usualintroduction we would have expectedfrom an IBM representative trying to sellus this device ldquoIt is secure it is fast it is reliablerdquo All the buzzwords werethere However with the next slide thischanged to ldquoIt is not as secure fast as we thoughtrdquo For example the specifi-cation promised the DES speed to be 20megabytessecond when in reality afriend obtained less than two kilobytessecond in a database application Wherewas the discrepancy coming from Themain intuition was that the specificationgives the performance for operations onmegabytes of input The real speed ismuch slower if the data is shipped to thecard in small chunks The differencebetween specs and reality was too bignot to be studied and Lindemanndecided to find out the reasons behindit First they built a model that simu-lates the database application and thentried to improve the speed by modifyingthe execution conditions in the follow-ing ways
Reducing card-host interactionldquofolklore in IBMrdquo taught them thatany card-host interaction consumestoo much time Thus they rewrotethe application to minimize thenumber of interactions The speedwent up to 18ndash23 kilobytessecondhowever it was still too far frommegabyte speed
Batching all operations into onechip operation chip resets were tooexpensive The speed became 360kilobytessecond
Batching into multiple chip opera-tions it reduced the number ofLayer 3 ndash Layer 2 switches Thespeed changed to 30ndash290kilobytessecond still not good
Reducing data transfers they did itby using an internal key-table andboosted the speed to 1400 kilo-bytessecond
Using memory-mapped IO thiseliminated the internal ISA bus bot-tleneck The speed went up to 2500kilobytessecond
Batching operation parametersinstead of sending them as separatepackets It increased the speed to5000 kilobytessecond This waseven more than they were expect-ing but the results were incorrectThe client had asked for speed buthadnrsquot mentioned anything aboutcorrectness So was the problemsolved
Not using memory-mapped IO toincrease accuracy they gave up onmemory-mapped IO for initializa-tion vectors and count Unfortu-nately there was a smallperformance cost the speed wasnow 3000 kilobytessecond
From the clientrsquos point of view all ofthese steps showed them that the onlyway to maximize the performance whileusing the secure coprocessor was todesign DES-batched API From thedesignerrsquos point of view the conclusions
were simpler always distrust folkloreand think if and how people will useyour product before designing it
SESSION FIREWALLSINTRUSION
DETECTION
Summarized by Stefan Kelm and YongGuan
ARCHITECTING THE LUMETA FIREWALL
ANALYZER
Avishai Wool Lumeta
ldquoWhat is your firewall doingrdquo AvishaiWool asked the audience at the begin-ning of his presentation therebydescribing the motivation to build LFAthe ldquoLumeta Firewall Analyzerrdquo
Firewalls have been installed by almostall companies connected to the InternetHowever the underlying policy often isfar from being good enough to actuallyprotect the company from outsideattackers Network administrators oftendo not know how to set up a firewallsecurely much less how to test or auditthe firewall configuration Wool pointedout that LFA is the successor of the Fangprototype system built at Bell Labs as afirewall analysis engine
The key idea is not to probe the actualfirewall in any way but to allow testingof the configuration before the firewallis deployed The firewallrsquos routing tableand configuration files are used as inputto the LFA which parses these files andsimulates the behavior of any possiblepacket flow combination (LFA mainlyoffers support for Firewall-1 and PIX)The results are presented to the user asHTML pages
Wool concluded by giving a shortdemonstration As input to the LFA heused a short Firewall-1 policy whichcontained only six rules and explainedwhy even such a short rule set mightlead to problems once the firewall isdeployed During the QampA session heemphasized that the LFA only checkspacket headers not the content and
16 Vol 26 No 7 login
cannot therefore detect tunneling prob-lems
For more information contactyashacmorg or visit httpwwwlumetacomfirewallhtml
TRANSIENT ADDRESSING FOR RELATED
PROCESSES IMPROVED FIREWALLING BY
USING IPV6 AND MULTIPLE ADDRESSES PER
HOST
Peter M Gleitz and Steven M BellovinATampT Labs-Research
The authors proposed a method to sim-plify firewall decisions By using thelarge address space brought by IPv6they employed a strategy of multiplenetwork addresses per host That is foreach request on the client host an IPv6address is tied to the client process Thefirewall now makes access decisionsbased on transport layer protocol infor-mation (ie filtering is shifted fromports to addresses) Once approved thefirewall allows all traffic between the twopeers to pass to and fro Once the serviceis finished the IPv6 address is discardedThis method is called TARP (transientaddressing for related processes) TARPemploys two different types ofaddresses (fixed) server addresses andprocess group addresses
Gleitz discussed how TARP works withTCP and UDP applications and with thefirewall router domain name serverand IPSEC Employing TARP does notnecessarily affect the routers thoughTARP-aware routers can perform betterMoreover Gleitz pointed out that nomodifications to standard applicationssuch as Telnet SSH FTP Sendmail orTFTP are necessary in order to useTARP He also mentioned briefly someinterop problems with protocols such asDNS and ICMPv6
For more information contactpmgleitnetscapenet
NETWORK INTRUSION DETECTION EVASIONTRAFFIC NORMALIZATION AND END-TO-END
PROTOCOL SEMANTICS
Mark Handley and Vern Paxson ACIRIChristian Kreibich Technische Univer-sitaumlt Muumlnchen
This paper focused on the problem ofnetwork intrusion detection system(NIDS) evasion Attackers usually canfool any NIDS by exploiting certainambiguities in the packet flow beingmonitored by the NIDS ie (1) theNIDS may lack complete analysis of thepacket flow (eg no TCP stream re-assembly) (2) the NIDS may lack end-system knowledge (eg certainapplication vulnerabilities) and (3) theNIDS may lack network knowledge(eg the topology between the NIDSand an end system)
As a solution Paxson proposed thedeployment of a ldquonormalizerrdquo the goalof which would be to observe all packetsbeing sent between two network nodes(he called that a ldquobump-in-the-wirerdquo)and to modify (ldquonormalizerdquo) packetsthat seem to be ambiguous for one rea-son or another As an example theauthor described problems with twooverlapping fragments the normalizerwould re-assemble (and re-fragment ifnecessary) those packets before forward-ing Since re-assembly is a valid opera-tion the normalizer would in thisexample have no impact on the seman-tics at all
Paxson also pointed out some of theproblems with this approach one ofwhich is the ldquocold startrdquo problem(re-)starting the normalizer will showmany valid connections already estab-lished It is difficult to handle those con-nections accordingly (this is also true forthe NIDS itself) The normalizer hasbeen implemented and will be availableat wwwsourceforgenet soon
In the QampA session Steven Bellovinwanted to know whether normalization
would not be needed at the applicationlayer as well The presenter answered inthe affirmative
For more information contactvernaciriorg
SESSION OPERATING SYSTEMS
Summarized by Mike Vernal
SECURITY ANALYSIS OF THE PALM OPERATING
SYSTEM AND ITS WEAKNESSES AGAINST
MALICIOUS CODE THREATS
Kingpin and Mudge stake Inc
Kingpin and Mudge began their presen-tation with a bold fashion statementappearing in matching white bathrobesTheir bathrobes aimed to underscore thefact that PDAs can undermine user pri-vacy in a public setting Their effortswere later rewarded with the covetedUSENIX Style Award presented by thereal Peter Honeyman of the Universityof Michigan
The presentation centered on the secu-rity threat posed by the recent ubiquityof Personal Digital Assistants (PDAs)and more specifically devices runningthe Palm Operating System Palmdevices increasingly are being used insecurity-sensitive settings such as hospi-tals and government agencies While thegovernment is now aware of the securitythreat posed by PDAs the corporateworld has remained generally oblivious
17November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SThe security threat of the Palm stemsfrom the PalmOSrsquos lack of a well-definedsecurity framework Specific weaknessesenumerated include the direct address-ability of hardware the lack of memoryencryption the lack of ACLs weakobfuscation of passwords and a back-door debug mode that allows for thebypassing of ldquosystem lockoutrdquo Becauseof these and other weaknesses the audi-ence agreed with the assertion thatdeveloping a secure application on topof the PalmOS would be impossible
The presentation suggested thatunscrupulous users could exploit anumber of weaknesses to install mali-cious code including normal applica-tion installation desktop conduitscreator ID replacement wireless com-munications and the Palm DebuggerAnother threat raised by Kingpin andMudge was the possibility of a new set ofcross-pollinating viruses which could beacquired via a Palm and propagatethemselves to desktop computers via theHotSync operation or vice versa
With the growing popularity of PDAsKingpin and Mudge invoked OccamrsquosRazor all other factors being equal thePDA may be the malicious userrsquos easiestpoint of entry into an information net-work The upcoming PalmOS 40reportedly fixes some of the securityconcerns raised In the interim usersshould be made aware of the possiblesecurity threats and restrict or eliminatetheir use of sensitive data and applica-tions on Palm devices
SECURE DATA DELETION FOR LINUX
FILE SYSTEMS
Steven Bauer and Nissanka B Priyan-tha MIT
Steven Bauer presented an implementa-tion of a kernel-level secure data-dele-tion (SDD) mechanism for the ext2 filesystem
Bauer suggested that with the increasingprevalence of public kiosks thin clientsmulti-user computing clusters and dis-tributed file systems users will want toensure that when their data is deletedfrom these systems it is truly and irre-trievably deleted
In 1996 Peter Gutmann of IBM demon-strated that data that had been overwrit-ten on a magnetic disk could berecovered using advanced probing tech-niques While popular lore has suggestedcertain government agencies may beable to recover data overwritten dozensof times no commercial data recoverycompany contacted in conjunction withBauerrsquos research believed that it couldrecover data that had been overwrittenmore than once As such the SDD sys-tem as described probably only needs tooverwrite data a few times
This SDD system was designed to ensurethat all flagged data is deleted even inthe event of system failure The deletionprocess was designed as an asynchro-nous daemon to ensure that it did notinterfere with normal operation andperformance Though implemented forthe ext2 file system Bauer asserts thatthis system should be portable to anyblock-oriented file system
The ext2 implementation used theunused secure-deletion flag settablewith the chattr() function With thismechanism the granularity with whichsecure deletion can be specified rangesfrom an entire device to an individualfile Questions were raised as to the vul-nerability of temporary files that are notflagged in a secure deletion zone Bauerrecommended that for maximum secu-rity the entire device should be flaggedfor secure deletion
Kingpin and Mudge
SESSION MANAGING CODE
Summarized by Sameh Elnikety
STATICALLY DETECTING LIKELY BUFFER
OVERFLOW VULNERABILITIES
David Larochelle and David Evans Uni-versity of Virginia
Buffer overflow attacks account forapproximately half of all security vul-nerabilities Programs written in C areparticularly susceptible to buffer over-flow attacks because C allows directpointer manipulations without anybounds checking
Run-time approaches to mitigate therisks of buffer overflow incur perfor-mance penalties and they turn bufferoverflow attacks into denial-of-serviceattacks by terminating execution of theattacked processes Static checking over-comes these problems by detecting likelyvulnerabilities before deployment
The authors developed a practical light-weight static analysis tool based onLCLint to detect a high percentage oflikely buffer overflow vulnerabilities
The tool exploits semantic comments(annotations) that describe programmerassumptions and intents These annota-tions are treated as regular C commentsby the compiler but are recognized assyntactic entities by LCLint The annota-tions represent preconditions and post-conditions for functions to determinehow much memory has been allocatedfor buffers LCLint uses traditional com-piler data flow analyses with constraintgeneration and resolution Also LCLintuses loop heuristics to efficiently analyzemany loop idioms in typical C pro-grams
The authors used the tool to analyze wu-ftpd which is a popular open sourceFTP server and part of BIND which is aset of domain-name tools and librariesthat is considered the reference imple-mentation of DNS Running LCLint issimilar to running a compiler For wu-
18 Vol 26 No 7 login
ftpd it took less than one minute forLCLint to analyze all 17000 lines ofunmodified wu-ftpd source code Thisresulted in 243 warnings that showedknown and unknown buffer overflowvulnerabilities
LCLint source code and binaries areavailable from httplclintcsvirginiaedu
FORMATGUARD AUTOMATIC PROTECTION
FROM PRINTF FORMAT STRING
VULNERABILITIES
Crispin Cowan Matt Barringer SteveBeattie Greg Kroah-Hartman WireXCommunications Inc Mike FrantzenPurdue University and Jamie LokierCERN
In June 2000 a major new class of vul-nerabilities called format bugs was dis-covered when a vulnerability inWU-FTP appeared that looked almostlike a buffer overflow but was not It isunsafe to allow potentially hostile inputto be passed directly as the format stringfor calls to printf-like functions Thedanger is that the inclusion of direc-tives especially n in the format stringcoupled with the lack of any effectivetype or argument counting in Crsquosvarargs facility allows the attacker toinduce unexpected behavior in pro-grams
The authors developed FormatGuard asmall patch to glibc It provides generalprotection against format bugs usingparticular properties of the GNU CPPmacro-handling mechanism to extractthe count of actual arguments to printfstatements This is then passed to a safeprintf wrapper The wrapper parses theformat string to determine how manyarguments to expect and if the formatstring calls for more arguments than theactual number of arguments it raises anintrusion alert and kills the process
FormatGuard fails to protect against for-mat bugs under several circumstancesFor example if the program uses a func-
tion pointer that has the address ofprintf then it evades the macro expan-sion
FormatGuard is incorporated in WireXrsquosImmunix Linux distribution and serverproducts It is available as a GPLrsquod patchto glibc at httpimmunixorg
DETECTING FORMAT STRING VULNERABILITIES
WITH TYPE QUALIFIERS
Umesh Shankar Kunal Talwar Jeffrey SFoster and David Wagner Universityof California Berkeley
Systems written in C are difficult tosecure given Crsquos tendency to sacrificesafety for efficiency Format string vul-nerabilities can occur when user input isused as a format specifier One of themost common cases is when the pro-gram uses printf with one argument auser-supplied string assuming that thestring does not contain any directiveThe authors presented a tool (cqual)that automatically detects format stringbugs at compile time using type-theo-retic analysis techniques With this staticanalysis vulnerabilities can be proac-tively identified and fixed before thecode is deployed
Cqual builds an annotated Abstract Syn-tax Tree (AST) Then it traverses theAST to generate a system of type con-straints which is solved online Warn-ings are produced whenever aninconsistent constraint is generatedCqual presents the results of taintinganalysis to the programmer using Pro-gram Analysis Mode for Emacs (PAM)PAM is a GUI that is designed to addhyperlinks and color mark-ups to thepreprocessed text of the program Theinterface shows the taint flow path tohelp programmers determine how avariable becomes tainted
The configuration files makes cqualusable without modifying the sourcecode The authors analyzed four secu-rity-sensitive benchmark programs withthe same standard prelude file and no
direct changes to the applicationsrsquosource code Typically a few application-specific entries were added to the prel-ude file to improve accuracy in thepresence of wrappers around libraryfunctions Cqual reliably finds all knownbugs for the benchmark programs Italso reports few false positives Cqual isfast it usually takes less than a minute
Cqual is available at httpbanecsberkeleyeducqual
SESSION AUTHORIZATION
Summarized by Rachel Greenstadt
CAPABILITY FILE NAMES SEPARATING
AUTHORIZATION FROM USER MANAGEMENT
IN AN INTERNET FILE SYSTEM
Jude T Regan consultant Christian DJensen Trinity College
On the Internet there is no reliable wayto establish an identity Flexible user-user collaboration outside of an admin-istered system so that people couldcreate ad hoc work groups and removearbitrary limitations to informationsharing is the authorsrsquo goal
Such a system should be globally accessi-ble easy to use and require as littleintervention by system administrators aspossible This system should integratewith existing systems and applications Itshould have fine granularity so thatusers would not have to use complicatedexport mechanisms to share files
The authors used the concept of a capa-bility a token conveying specified accessrights to a named object in order tomake the identity of the object and theaccess rights inseparable They embed-ded the capability in something everysystem knows ndash the file name
The authors concluded that the systemwas safe from interception and modifi-cation Attackers could forge the clientpart but not the server part of the filenames Service could be interrupted butprotecting against this is impossible
19November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Swithout complete control of the net-work Performance was evaluated incomparison to NFS Most of the over-head was in the open statement Readswere slightly slower and writes weremuch slower but they felt this could bealleviated by implementing symmetricwrites
KERBERIZED CREDENTIAL TRANSLATION ASOLUTION TO WEB ACCESS CONTROL
Olga Kornievskaia Peter HoneymanBill Doster and Kevin Coffman CITIUniversity of Michigan
There are two different authenticationmechanisms those used for servicessuch as login AFS and mail for whichKerberos is popular and public key-based mechanisms such as SSL which isused to establish secure connections onthe Web These systems need to be ableto work together to satisfy a request
The authors propose to achieve the bestof both worlds by leveraging Kerberos tosolve PKI key management This will useexisting infrastructures which allowstrong authentication on the Web withSSL and which provide access to Kerber-ized back-end services They propose asystem to provide interoperabilitybetween PKI and Kerberos Their systemconsists of (1) a Certificate Authority(CA) KX509 which creates short-livedcertificates (2) a Web server which actslike a proxy for users by requesting serv-ices from Kerberized back-end servicesand (3) a Kerberized Credential Transla-tor which translates public-key creden-tials to Kerberos They created aprototype of their system called WebAFSusing AFS as an example Kerberized ser-vice
DOS AND DONrsquoTS OF CLIENT AUTHENTICA-TION ON THE WEB
Kevin Fu Emil Sit Kendra Smith and
Nick Feamster MIT
[This paper received the Best StudentPaper Award]
Kevin gave a very amusing presentationwhich illustrated the gap between secu-rity theory and practice He described avariety of Web sites that used insecureclient authentication schemes and pre-sented hints on how to avoid their mis-takes
Client authentication seems like a solvedproblem but many sites continue tocome up with homebrew schemes whichjust donrsquot quite get it right Out of the 27Web sites the cookie eaters group exam-ined they weakened the security on twosites were able to mint authenticatorson eight and on one site were able toobtain the secret key Some of these siteswere high profile such as the Wall StreetJournal (wsjcom) Sprint PCS (sprint-pcscom) and FatBrain (fatbraincom)
In most cases the mistakes made inthese sites were simple By simply look-ing at their cookie files the authors couldquery Web servers and look at headersresponses and create sample authentica-
tors Except forSprint theseattacks involved noeavesdropping atall The schemeswere not evenstrong against whatthe authors termedthe ldquointerrogativeadversaryrdquo Thisadversary has nospecial access but it
adaptively queries a Web server a rea-sonable number of times It just sitsthere and connects to port 80 it cannotdefeat SSL client authentication HTTPbasic or digest authentication The bestsuch an adversary can do against a pass-
Kevin Fu
word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable
In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password
Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary
In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu
SESSION KEY MANAGEMENT
Summarized by Sameh Elnikety
SC-CFS SMARTCARD SECURED
CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi CITI University of Michigan
Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS
20 Vol 26 No 7 login
implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation
When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory
SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key
The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds
SECURE DISTRIBUTION OF EVENTS IN
CONTENT-BASED PUBLISH SUBSCRIBE
SYSTEMS
Lukasz Opyrchal and Atul Prakash University of Michigan
Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage
Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize
The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
repeated five times with constant shuf-fling Since there were only 16 bits ofoutput a user should be able to acquiremany authenticators as there were twohash collisions among the CDs givenHowever it was difficult to get furtherthan this analysis because the oracle forD didnrsquot work it would always returnldquoinvalidrdquo regardless of input Technology
E however didnrsquot have any data to ana-lyze at all You could submit a mail say-ing yoursquod try mixing this track and thattrack and yoursquod get a reply saying thatyou couldnrsquot do that
The speaker concluded by saying thatmany claimed that this was a system toldquokeep honest people honestrdquo Howeverthough the Felten group felt that the sys-tem was too complex for that theywouldnrsquot claim any type of strong secu-rity The systems require trusted clientsin a hostile environment but if deployedthey would be broken quickly No spe-cial EECS knowledge is needed andthere are no dirty secrets Anyone withreasonable expertise could do thisWatermarking can be useful but not inthis situation The weakness is in theoverall concept not the specific technol-ogy One main lesson learned is thatsecurity through obscurity STILL doesnrsquot work This is particularly thecase for secret algorithms which arepatented and therefore public
Peter Honeyman asked about the possi-bility of a secure watermark Scottreplied that he personally thinks that
8 Vol 26 No 7 login
watermarking wonrsquot work for activelyenforcing a usage policy since doing thisprovides all targets an oracle that theycan use He is pessimistic about the useof watermarking for copyright controlHe clarified that they broke accordingto the oracle technologies A B C and Fbut that D and E had no valid responsesHe also clarified that only technology Aused echo hiding and that though theydonrsquot know what the criteria for the ora-cle was it appeared to make a decisionbased on detectability and quality Heexplained that some areas where water-marking might prove useful is in fragilewatermarks which provide tamper evi-dence in digital photographs and in pre-venting duplication of currency Thesetechnologies have a different threatmodel Someone asked about copy pro-tected CDs Scott replied that that was acompletely different approach doneentirely at the hardware level Peoplewondered why honest people would notwant a complex copy protection schemeScott answered that complex schemeshave higher rates of failure and highercost Someone asked how this was rele-vant to detecting steganographic infor-mation and Scott answered that theywere basically the same and that theinformation about echo detection wouldbe useful
PANEL DISCUSSION ON SDMIDMCA
Moderator Dan Wallach Rice Univer-sity Panelists Edward W FeltenPrinceton University Cindy Cohn EFFand Peter Jaszi American UniversityCollege of Law
The three panelists spoke about the legaland social questions surrounding theSDMIDMCA issue Dan Wallach men-tioned that if there were any representa-tives from the record company the panelwould love to have someone from theother side come speak he doubtedhowever that they would be here
Peter Jaszi then presented a detaileddescription of the Digital Millennium
Copyright Act (DMCA) section 1201He explained the difference between theDMCA and copyright law Copyrightlaw has been developed and refined overa few hundred years and maintains adelicate balance between owners andusersrsquo privileges To that end it has beenrelatively successful It is important tounderstand that the DMCA is not copy-right law but rather a supplement tocopyright law or para-copyright legisla-tion As such it has the potential to over-
ride thecopyrightdefault protec-tions which hadbeen carefullylaid out overtime He soughtto explain theseoverrides andmentioned thatthe risk the
DMCA poses to the fundamental copy-right system isnrsquot news and wasnrsquot newswhen it was passed As a result somelimitations to the DMCA were built inbut most of these exceptions are notvery functional
The fundamental commandment of theDMCA is ldquoThou shall not circumventfor accessrdquo The fact that it was accessand not use was a compromise intendedto limit the DMCA However it limitedthe legislation less than some imaginedit would since there is a great deal ofconfusion between access and use Thereare also secondary prohibitions concern-ing making goods and services whichcan be used for circumvention availableSection 1201(b)(1) can be interpretedbroadly and it was under this provisionthat the threats from SDMI to theauthors of the paper were made
Section 1201(c) presents a fair-useexception in wonderful ringing lan-guage however it is completely irrele-vant since it references fair use as adefense of copyright and the DMCA isnot copyright
Q amp A Scott Craver amp Dan Wallach
Prof Peter Jaszi
The law enforcement exception is actu-ally sweeping and robust it applies to allthe provisions of the act The reverseengineering exception is not half bad itrefers to the whole range of prohibitionsalthough it is still narrower in scopethan the protections under copyrightlaw Sections 1201(g) and (j) presentlimited exceptions for encryptionresearch and security testing which areuncertain in scope Section 1201(h)presents a small but robust exception toallow adults to circumvent in order tofrustrate a minorrsquos attempt to achieveprivacy in a Web environment Section1201(i) allows ordinary people to pro-tect their privacy but it is only a conductexception you need to make your owntools and not distribute them There isless to all these limitations and excep-tions than meets the eye
There are risks posed by this legislationto the traditional balance of interest incopyright law which calls for a push-back against legislative excess To thisend Jaszi is forming a new access coali-tion They have a Web site athttpwwwipclinicorg
Cindy Cohn from the EFF said thatPeter had already said everything aboutsection 1201 but stressed that the EFFwas ldquopushback centralrdquo and explainedways in which people could get involvedin this effort The EFF has been involvedin this issue even before the cases involv-ing 2600 Magazine Felten and theUSENIX presentation of the SDMIpaper and the California trade secretscase
Thomas Greene from the Register won-dered why the mainstream press hasnrsquotrealized their stake in this and what itimplies about freedom of the pressCindy replied that they were gettingincreased press support with the Sky-larov arrest speaking speculatively shealso mentioned that the mainstreampress is owned by content holders In
9November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Saddition most press organizations wishto be seen as nonpartisan and objective
Someone asked about dual use tech-nologies such as echo detection TheDMCA takes this into account but thelanguage doesnrsquot give much comfortThere are a series of criteria which willgive you liability
There was a question about potentialconnections between the lawsuit and theSkylarov case Cindy answered that instrictly legal terms there was no overlap
Someone asked what to do in Feltenrsquossituation what lessons had they learnedFelten responded that they learned agreat deal responding to the threatsregarding the paper He said to talk topeople whorsquove been there and keep inmind your goals and values
Someone brought up the question ofwhether a person would be at risk forsummarizing the session Cindy saidthat the letter they received only per-tained to the particular paper butbecause the paper can be publishedprosecuting for summarizing would behard Peter suggested that if you weregoing to synthesize the talk (uhthis isstarting to sound disturbingly famil-iar) and discuss strengths and weak-nesses theoretically you could be introuble Especially if you implementsomething based on the presentationFelten mentioned that the fact that thisquestion has no simple answer is telling
Someone suggested widespread civil dis-obedience as the only way to effectchange Cindy responded that she neveradvises people to break the law Thoughshe feels that if the law is out of stepwith what people believe their rights arethe law should be changed Peter addedthat copyright law has functioned wellbased on shared social investment Likethe tax code it works not because it ispoliced but because there is a highdegree of collective buy in to its prem-ises The most corrosive thing about the
DMCA is that the basic assumptions itmakes about people are dark and pes-simistic We need to question thoseassumptions and what flows from them
Someone asked for some insight intowhy the industry wouldnrsquot want thisresearch since it would allow them tobuild better protection schemes Feltenresponded that to us the question is isthis technology weak We didnrsquot make itweak and we think it should be fixedThe industryrsquos concern is not whetherthe technology is strong or weak somuch as whether people believe it isstrong or weak They think that if thepublic reaches a consensus that the tech-nology is strong that will be enoughMany of us find this hard to understand
[More information and photographscan be found at httpwwwusenixorgeventssec01indexhtml
CHANGES IN DEPLOYMENT OF
CRYPTOGRAPHY AND POSSIBLE CAUSES
Eric Murray SecureDesign
Summarized by Takeaki Chijiiwa
A survey of cryptography deploymentwas conducted last year (2000) by EricMurray and a similar survey was con-ducted in 2001 to measure changes inthe deployment of SSL (Secure SocketLayer) and TLS (Transport Layer Secu-rity) Web servers
The results of the 2000 survey showed10381 unique hostname and port num-ber combinations compared to 12630 in2001 Detailed results are available athttpwwwlnecomusenix01
There were several noteworthy changesbetween the results from the surveys in2000 and 2001
What got better
A 14 increase 5 decrease and8 decrease among servers catego-rized as Strong Medium and Weakrespectively
The number of servers supporting1024-bit key size increased by 10while a decrease of 8 was seen forsupport of less than 512-bit keysize
The protocol adoption saw a shiftfrom SSL v2 (3 decrease) towardTLS (5 increase)
What got worse
The number of expired certificatesincreased from 31 to 37
Self-signed certificates increasedfrom 08 to 20
The results presented raised many ques-tions from the audience
Question Why do you think there wasan increase in the number of self-signedcertificates
Answer This may be due to people play-ing around with OpenSSL or the surveymay have picked up servers used forinternal use Furthermore the increasein the number of expired certificatesmay have been a result of study errorandor the inclusion of abandoned Websites
Question Did you retest the serversfrom last yearrsquos survey
Answer No This was a new list andtherefore a completely new survey
Question Is the raw data available
Answer You can email ericmlnecomfor private requests
Question Which browsers do you usefor personal use
Answer Linux and Netscape
REVERSING THE PANOPTICON
Deborah Natsios cartomeorg JohnYoung cryptomeorg
Summarized by Mike Vernal
Deborah Natsios described the missionof cartomeorg and cryptomeorg as anattempt to reverse the one-way flow ofinformation controlled by the national
10 Vol 26 No 7 login
surveillance state Based upon theassumption that information is powerNatsios likened the work of cartomeorgand cryptomeorg to that of Ariadne inthe myth of Theseus and the MinotaurBy reversing the flow of informationcartomeorg and cryptomeorg hope toempower those who may be caught inthe labyrinth of the security state muchas Ariadne empowered Theseus with atrail of silk thread through the labyrinthof Crete
John Young continued by explainingthat cryptomeorg welcomed the sub-mission of proprietary or classified doc-uments and trade secrets from anynation or corporation Young describeda few such documents and the unfavor-able responses they had received TheBritish government objected to one doc-ument and attempted to have cryp-tomeorgrsquos Internet service provider shutthe site down Another documentprompted diplomatic requests from theJapanese government for its removal Allattempts to shut the site down have thusfar been rebuffed but Young imaginesthat someone will eventually be success-ful
Other information cryptomeorg hasreceived and published include proofsthat American corporations used USintelligence to stay ahead of foreigncompetitors the names of over 8000CIA informants and currently the pro-grams and keys associated with Russianprogrammer Dmitri Skylarovrsquos crack ofAdobersquos E-book system for which hewas arrested in July
An audience member asked what typesof material cryptomeorg would notpublish Young explained that cryp-tomeorg is open to any kind of publica-tion but they have refused to publishchild pornography documents andinformation related to biological war-fare They also feel that personal prerog-ative takes precedence over the publicrsquosright to know so they will remove per-
sonal information and documents ifrequested by the person in questionThey also reminded the audience thatthey do not verify the authenticity of theinformation they publish ndash they leavethat to the interested reader
Young repeatedly stressed what hebelieved to be the transitory nature ofcryptomeorg He assured the audiencethat at some point cryptomeorg willeither be silenced or it will simplymature away from the cutting edgeWhen that finally happens Young isconfident that someone else will emergeat the vanguard of the quest to reversethe Panopticon state
DESIGNS AGAINST TRAFFIC ANALYSIS
Paul Syverson US Naval ResearchLaboratory
Summarized by Yong Guan
Paul Syverson used a pseudonym ldquoPeterHoneymanrdquo on his talk a joke whichpervaded the rest of the conference
Although the encryption of networkpackets ensures privacy of the payload ina public network packet headers iden-tify recipients packet routes can betracked and volume and timing signa-tures are exposed Since encryption does not hide routing information pub-lic networks are vulnerable to trafficanalysis
Traffic analysis can reveal for examplewho is searching a public database whatWeb sites are surfed which agencies orcompanies are collaborating where youremail correspondents are what sup-pliesquantities you are ordering andfrom whom and so forth
Knowing traffic properties can help anadversary decide where to spendresources for decryption and penetra-tion Therefore it is important todevelop countermeasures to preventtraffic analysis
The security goal of traffic-analysis-resistant systems is to hide one or moreof the following
Sender activity that a site is sendinganything
Receiver activity that a site isreceiving anything
Sender content that a sender sentspecific content
Receiver content that a receiverreceived specific content
Source-destination linking that aparticular source is sending to aparticular destination
Channel linking identifying theendpoints of a channel
Some systems were described
Dining Cryptographers (DC) ndash net-works in which each participant sharessecret coin flips with other pairs andannounces the parity of the flips theparticipant has seen to all other partici-pants and the receiver
Chaum mixes ndash a network of mix nodesin which messages are wrapped in mul-tiple layers of public-key encryption bythe sender one for each node in a routeMost widely used anonymous commu-nication systems use the Chaum mixmethod
There are two kinds ofroutes for the messagesmix cascade where allmessages from anysource move through afixed-order ldquocascaderdquo ofmixes and randomroute where the routeof any message is
selected at random by the sender fromthe available mixes
Remailers mainly used for emailanonymity employ rerouting of anemail through a sequence of multiplemail remailers before the email reachesthe recipient so that the true origin ofthe email can be hidden
Anonymizer and SafeWeb provide fastanonymous interactive communicationservices They are essentially Web prox-
11November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sies that filter out the identifying headersand source addresses from Webbrowsersrsquo requests Instead of the userrsquostrue identity (eg IP address) a Webserver can only learn the identity of theWeb proxy Both offer encrypted links totheir proxy (SSL or SSH) Anonymizer isa single point of failure whereasSafeWeb is a double point of failureSafeWeb offers additional protectionfrom censorship
Crowds aims at protecting usersrsquo Web-browsing anonymity Like Onion Rout-ing the Crowds protocol uses a series ofcooperating proxies (called jondo) tomaintain anonymity within the groupUnlike Onion Routing the sender doesnot determine the whole path Insteadthe path is chosen randomly on a hop-by-hop basis At each hop a decision ismade whether to submit the requestdirectly to the end server or to forward itto another randomly chosen memberaccording to forwarding probability Theexpected path length is controlled by theforwarding probability Cycles areallowed on the path The receiver isknown to any intermediate node on theroute Once a path out of a crowd ischosen it is used for all the anonymouscommunication from the sender to thereceiver within a 24-hour periodCrowds does not have a single point offailure and is a more lightweight cryptothan mix-based systems HoweverCrowds has limitations all users mustrun Perl code users have to have long-running high-speed Internet connec-tions an entirely new network graph isneeded for a new or reconnecting Crowdmember connection anonymity isdependent on data anonymity andresponder protection is weak
Onion Routing provides anonymousInternet connection services The OnionRouting network operates on top ofexisting TCPIP networks such as theInternet It builds a rerouting pathwithin a network of onion routers
which in turn are similar to real-timeChaum mixes In Onion Routing thedata packet is broken into fixed-sizecells and each cell is encrypted multipletimes (once for each onion router on thepath) Thus a recursively layered datastructure called an onion is constructedAn onion is the packet transmitted alongthe rerouting path The fixed size of anonion limits a route to a maximum of 11nodes in the current implementationOnions can be tunneled to producearbitrary length routes
Onion Routing I (Proof-of-concept)uses a network of five Onion Routingnodes operating at the Naval ResearchLaboratory It forces a fixed length (fivehops ie five intermediate onionrouters) for all routes
Onion Routing II can support a networkof up to 50 core onion routers For eachrerouting path through an Onion Rout-ing network each hop is chosen at ran-dom The rerouting path may containcycles although only cycles with one ormore intermediate nodes are allowed
Freedom Network also aims at provid-ing anonymity for Web browsing Fromthe userrsquos point of view Freedom is verysimilar to Onion Routing Freedom con-sists of a set of nodes (called Anony-mous Internet Proxy) which run on topof the existing Internet infrastructureTo communicate with a Web server theuser first selects a series of nodes to forma rerouting path and then uses this pathto forward the requests to its destina-tion The Freedom Route Creation Pro-tocol allows the sender to randomlychoose the path but the path length isfixed to be three The Freedom client-user interface does not allow the user tospecify a path-containing cycle TheFreedom client must either have all theintermediate nodes in the path chosenor choose a preferred first node and lastnode and the intermediary nodes arepicked at random
Paul Syverson
For more information visit httpwwwonion-routernet andhttpwwwsyversonorg
Question Who manages the onionrouters Are they managed independ-ently
Answer Yes The onion routers can bedistributed anywhere and be managedby different groups
Question Do you believe that thelonger the path the safer the anony-mous communication system
Answer I am not sure
COUNTERING SYN FLOOD
DENIAL-OF-SERVICE (DOS) ATTACKS
Ross Oliver Tech Mavens
Summarized by David RichardLarochelle
SYN flood attacks are a nasty DoSattack The attacker sends a SYN packetbut does not complete the three-wayhandshake This is hard to defendagainst because SYN packets are part ofnormal traffic and unlike ping attacksyou canrsquot firewall them Since SYN pack-ets are small the attack can be done withlimited bandwidth Finally the attacksare difficult to trace because source IPaddresses can be faked Ross Oliverstressed that itrsquos up to you to defendyourself (law enforcement is unable todeal with attacks as they occur if theycan deal with them at all) and suggestedthat firewalls employing SYN flooddefenses are the best way of doing this
He reviewed four such products PIX byCisco Firewall-1 by CheckpointNetscreen 100 by Netscreen and App-Safe (previously called AppSwitch) byTopLayer To test these products heplaced a Web server behind the firewalland used a machine with a script whichcalled wget repeatedly to request Webpages to represent the legitimate clienttraffic An attacking machine threw SYNpackets with forged source addresses atthe Web server
12 Vol 26 No 7 login
The Cisco PIX used a threshold tech-nique which allowed a set number ofincomplete connections and droppedadditional SYN packets The testsshowed no significant improvementover no firewall The Firewall-1 faredslightly better It lets SYN packets reachthe Web server and then sends an ACKpacket to the Web server to complete thethree-way handshake Under a SYNflood attack the Web server will then
have a bunch of com-pleted connectionsinstead of half-openones Firewall-1 pro-tected up to 500 SYNsper second but withdegraded response timeThe Web server returned
to normal 3ndash10 minutes after the attackceased
Netscreen and AppSafe had the bestresults If these firewalls detect a SYNflood attack they proxy the incomingconnections and only send the Webserver the SYN and ACK packets if thehandshake is completed by the clientNetscreen detects SYN floods by lookingat the number of incomplete connec-tions It protected up to 14000 SYNssecwith acceptable response times and con-tinued to function at higher SYN ratesbut with increasing delays The serverresponded normally immediately afterthe attack
AppSafe used a more elaborateapproach It determined whether toproxy a connection request based on thesource IP address SYN packets from IPaddresses which had recently behavedlegitimately were let through to the Webserver immediately Only connectionsfrom previously unseen or malicious IPaddresses were proxied AppSafe waseffective up to 22000 SYNssec whichwas the most traffic that the attackingmachine could produce in this testHowever it was pointed out that in thetest the client machine used only one IP
This technique may not work as well in asituation in which there are new connec-tions from previously unseen clients
How much protection you need dependson what type of attack you expect Anattacker with a Cable or DSL connectioncan produce 200 SYNssec An attackerwith a T1 can produce 2343 SYNssecAccording to the paper ldquoInferring Inter-net Denial-of-Service Activityrdquo pre-sented the previous day 46 of DoSattacks involved more than 500SYNssec but only 24 were above14000 SYNssec This level can be han-dled with a single firewall Multiple ordistributed attacks may require multipleparallel firewalls Because of the widerange of performance between devicesOliver stressed the importance of testingand advised testing the devices yourselfif possible
REAL STATEFUL TCP PACKET FILTERING WITH
IP FILTER
Guido van Rooij Eindhoven Universityof Technology
Summarized by Evan Sarmiento
Old firewall implementations used to fil-ter TCP sessions using addresses andports only creating an interesting prob-lem The administrator would have toguess the source port of the packet inorder to filter it correctly In order tosolve this a new trend in firewalls is tointroduce stateful packet filtering State-ful packet filters remember and onlyallow through addresses and ports ofconnections that are currently set up
Even before Guido van Rooijrsquos work IPFilter did have stateful packet filteringbut it was implemented in the wrongway IP Filter does take sequence ACKand window values into account but itmakes the wrong assumption that pack-ets seen by the filter host will also beseen by the final destination Thisassumption caused IP Filter to droppackets in certain situations The newstate engine for IP Filter encompassesthe following goals
Ross Oliver
Conclusions made by the enginemust be provable
All kinds of TCP behavior must betaken into account
The number of blocked packetsmust be minimized
Blocking of packets must never leadto hanging connections
Opportunities for abuse should bemade as small as possible
The new state engine includes 20 bytesper state entry and about 40 lines of Ccode without loops thus the perfor-mance overhead is minimal
However even the new state engine isnot always successful even though it is agreat improvement Occasionallyblocked FIN and ACK packets causeproblems in the state timeout handlingfor TCP half-closed sessions IP Filterdrops packets coming from a few Win-dows NT workstations for a strange andas yet unknown reason
Guido then outlined some future addi-tions to IP Filter He would like to beable to fix fragment handling add sup-port for sessions entering the state tableafter establishment and check validity ofa session if a packet comes in from themiddle of the connection
REFEREED PAPERS
SESSION DENIAL OF SERVICE
Summarized by Stefan Kelm
USING CLIENT PUZZLES TO PROTECT TLS
Drew Dean Xerox PARC Adam Stub-blefield Rice University
Adam Stubblefield presented their workon a DoS protection technique namelythe use of client puzzles within the TLSprotocol Even though client puzzleshave been supposed to be a solution toDoS attacks Stubblefield pointed outthe lack of actual implementations Thechoice of TLS as the protocol to protectagainst DoS seems obvious but TLS issubject to DoS attacks because of thecomputing-expensive cryptographic
13November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Soperations performed at both the clientand the server side A server howeverhas to perform the more expensive RSAdecrypt operations during the sessionhandshake thus any small number ofclients could easily overload a TLS serverby flooding the server with TLS hand-shake messages The goal of this work isto prevent this using cheap methods
The idea of TLS-based cryptographicpuzzles is to first let the client do thework and subsequently the server If theserver is under a heavy load it sends aso-called ldquopuzzle requestrdquo to the clientThe client in turn has to compute anumber of operations which it then usesto send a ldquopuzzle solutionrdquo back to theserver Thus the server will not need tocontinue the TLS handshake unless theclient has proven its intent to really opena TLS connection
Client puzzles are surprisingly easy toimplement on both the client and theserver side Stubblefield used modifiedOpenSSL and mod_ssl source code totest the implementation The implemen-tation uses a metric which tracks unfin-ished RSA decrypt requests in order todecide whether or not the server isassumed to be under attack Sinceadding more latency to the TLS protocolwas not a goal of this work the serveronly sends a puzzle request back to theclient if it really has to This is imple-mented by using variable thresholds
The author concluded that they are ableto protect against certain denial-of-ser-vice attacks at not much cost and with agood user experience Moreover theproposed solution can be implementedusing already existing code
For more information contact astubblericeedu
INFERRING INTERNET DENIAL-OF-SERVICE
ACTIVITY
David Moore CAIDA Geoffrey MVoelker and Stefan Savage Universityof California San Diego
This paper awarded the best paperaward tried to answer the question ofhow prevalent denial-of-service attacksin the Internet currently are Theauthors ran a test over a period of threeweeks trying to come up with an esti-mate of worldwide DoS activity
David Moore presented the so-calledldquobackscatter analysisrdquo as their key ideaand outlined the basic technique sinceattackers normally use spoofed source IPaddresses the ldquoreal ownersrdquo of those IPaddresses regularly receive responsepackets from the systems being attacked(Moore called these ldquounsolicitedresponsesrdquo) By monitoring these unso-licited responses one is able to detectdifferent kinds of DoS attacks Further-more by observing a huge number ofdifferent IP addresses over a longerperiod of time sampling the results canprovide an overview of attacks going on
Moore presented some interestingresults and displayed a number of fig-ures and tables showing the number ofattacks the attacks over time the attackcharacterization the attack duration dis-tribution and the attack rate distribu-tion Moorersquos team observed a numberof minor DoS attacks (described as ldquoper-sonal vendettasrdquo) as well as some victimsunder repeated attack Classifying thevictims by TLD showed countries likeRomania and Brazil being attacked farmore often than most other TLDs Thepresenterrsquos hypothesis was that eitherthose countries host ISPs that attackeach other or there simply are morehackers located in Romania and Brazil(this was later denied by someone in theaudience stating that Romania has reallynice people)
In conclusion the authors observedsome very large DoS attacks thoughmost attacks seem to be short in dura-tion Another result showed the majorityof attacks being TCP based To clarifythis technique is not good at distin-guishing between DoS and DDoS
attacks since it is not good at distin-guishing between attackers
During the QampA session one questionwas on why the analysis showed noattacks on the mil domain Theresponse given was that either mil is notunder attack (unlikely) or that backscat-ter packets are being filtered
For more information contactdmoorecaidaorg or see httpwwwcaidaorgoutreachpapersbackscatter
MULTOPS A DATA-STRUCTURE FOR
BANDWIDTH ATTACK DETECTION
Thomer M Gil Vrije UniversiteitMITMassimiliano Poletto MIT
Thomer Gil proposed a heuristic as wellas a new data structure to be used byrouters and similar network devices todetect (and possibly eliminate) denial-of-service attacks Most DoS attacksshow disproportional packet rates with ahuge number of packets being sent tothe victim and only very few packetsbeing sent by the victim in response Thenew data structure called MULTOPS(Multi-Level Tree for Online Packet Sta-tistics) monitors certain Internet trafficcharacteristics and is able to drop pack-ets based on either the source or the des-tination address
The main implementation challengeswith MULTOPS have been and still arethe precise identification of maliciousaddresses athe achievement of a smallmemory footprint and a low overheadon forwarding ldquorealrdquo traffic as opposedto DoS-based traffic MULTOPS isimplemented as a memory-efficient treeof nodes which contains packet-rate sta-tistics and which dynamically grows andshrinks with the traffic being observedAt the current implementation packetsare dropped based on either a variablepacket rate or a ratio Since it usually isimpossible to identify an attacker(because of IP spoofing) packets can bedropped based on the victimrsquos IP too
14 Vol 26 No 7 login
The authors succeeded in simplifyingmemory management and the mecha-nism that keeps track of packets Gilpointed out that their solution is suc-cessfully being used by a network com-pany They are currently trying to focuson the behavior of different TCP imple-mentations as well as protocols otherthan TCP
Someone brought up the question ofdifferentiating DoS traffic from trafficthat normally shows disproportionalpacket flows eg video traffic The replysuggested the possibility of buildingsome kind of knowledge base A livelydiscussion on random class A addresseswithin MULTOPS subsequently arosebut was taken offline
For more information contact thomerlcsmitedu
SESSION HARDWARE
Summarized by Anca Ivan
DATA REMANENCE IN SEMICONDUCTOR
DEVICES
Peter Gutmann IBM TJ WatsonResearch Center
Peter Gutmann explained the dangers ofdeleting data in semiconductors Every-one knows that deleting data from mag-netic media is very hard but not toomany realize that the same problemexists for semiconductors especiallysince there are so many ways of buildingsemiconductors each with its own set ofproblems and solutions After giving ashort background introduction in semi-conductors and circuits (n-type p-typeSRAM DRAM) Peter described some ofthe most important issues
Electromigration because of highcurrent densities metal atoms aremoved in the opposite direction ofthe normal current flow The conse-quence is that the operating proper-ties of the device are stronglyaltered
Hot carriers during operation thedevice heats up and its characteris-tics change considerably
Ionic contamination this is nolonger an issue and its effects are nolonger significant
Radiation-induced charging itfreezes the circuit into a certainstate
The first phenomenon enables attackersto recover partial information from spe-cial-purpose devices (eg cryptographicsmartcards) The next two can be usedto recover data deleted from memory Inorder to avoid long- and short-term dataretention from semiconductors (a DESkey was recovered in the lsquo80s)researchers developed a series of solu-tions that use various semiconductorforensic techniques including the fol-lowing two
Short-term retention probably thesafest way to defend against it is notto keep the same values in the samememory cells for too long (maxi-mum a few minutes)
Long-term retention in 1996 someresearchers proposed periodicallyflipping the stored bits In this wayno cell holds the same bit value forlong enough to ldquorememberrdquo it
In the end Peter talked about how allthe problems cited above extend to flashmemory For example random genera-tors can generate strings of 1s when thepool is empty or information can beleaked into adjacent cells into shared cir-cuitry
Even though the entire presentationscared at least one person in the audi-ence (guess who) Peter assured us thatreality is not that gloomy In fact theonly problem is the lack of a standardEvery time people decide to choose oneimplementation method they shouldalso choose which solutions are best forit Answering a question Peter told usthat personal computers are not affected
by those problems but that most special-ized devices like airplane black boxescan leak information if analyzed withvery sophisticated equipment But thenagain who has such equipment
STACKGHOST HARDWARE-FACILITATED
STACK PROTECTION
Mike Frantzen CERIAS Mike ShueyPurdue University
The authors presented a software solu-tion to the return-pointer hijackingproblem The most important step inthe function-call process is when thecaller saves the return pointer beforegiving the control to the called functionMany attacks are based on changing thispointer When the callee finishes thereturn pointer dictates which functiontakes control next StackGhost is a pieceof software that automatically and trans-parently saves the return pointer andreplaces it with another number Whenthe called function completes Stack-Ghost verifies the integrity of that num-ber (catching in this way possibleattacks) and reinstalls the correctpointer value
The security of StackGhost depends onhow it modifies the return pointer tocatch attacks the authors have tried sev-eral ways
Per kernel XOR with a 13-bit signedcookie the main problem is that anattacker can find out the cookie bystarting several arbitrary programs
Per process XOR with a 32-bitcookie this is safer than the previ-ous method but more expensive
Encryptdecrypt the return pointerthis method seems to be the mostexpensive
Return-address stack this methodreplaces the return pointer withanother number and saves thepointer into a return-address stackHowever this would impede otherapplications from running correctly
15November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SAfter making performance measure-ments for all techniques the authorsnoticed that the chances of StackGhostnot catching an attack were 1 in 3 forXOR cookies and 1 in 232 for the return-address stack The conclusion was thatStackGhost was offering protectionagainst return-pointer overriding to allprocesses in the system (which might beseen as a disadvantage)
IMPROVING DES COPROCESSOR THROUGH-PUT FOR SHORT OPERATIONS
Mark Lindemann IBM TJ Watson
Research Center Sean W Smith
Dartmouth College
While the first two talks in this sessionwere at opposite poles (one deeply hard-ware and one purely software) the thirdone was somehow in the middle Thepresenter Sean Smith is one the fathersof the cryptographic card developed atIBM and presently working at Dart-mouth College Everything started in avery optimistic fashion with the usualintroduction we would have expectedfrom an IBM representative trying to sellus this device ldquoIt is secure it is fast it is reliablerdquo All the buzzwords werethere However with the next slide thischanged to ldquoIt is not as secure fast as we thoughtrdquo For example the specifi-cation promised the DES speed to be 20megabytessecond when in reality afriend obtained less than two kilobytessecond in a database application Wherewas the discrepancy coming from Themain intuition was that the specificationgives the performance for operations onmegabytes of input The real speed ismuch slower if the data is shipped to thecard in small chunks The differencebetween specs and reality was too bignot to be studied and Lindemanndecided to find out the reasons behindit First they built a model that simu-lates the database application and thentried to improve the speed by modifyingthe execution conditions in the follow-ing ways
Reducing card-host interactionldquofolklore in IBMrdquo taught them thatany card-host interaction consumestoo much time Thus they rewrotethe application to minimize thenumber of interactions The speedwent up to 18ndash23 kilobytessecondhowever it was still too far frommegabyte speed
Batching all operations into onechip operation chip resets were tooexpensive The speed became 360kilobytessecond
Batching into multiple chip opera-tions it reduced the number ofLayer 3 ndash Layer 2 switches Thespeed changed to 30ndash290kilobytessecond still not good
Reducing data transfers they did itby using an internal key-table andboosted the speed to 1400 kilo-bytessecond
Using memory-mapped IO thiseliminated the internal ISA bus bot-tleneck The speed went up to 2500kilobytessecond
Batching operation parametersinstead of sending them as separatepackets It increased the speed to5000 kilobytessecond This waseven more than they were expect-ing but the results were incorrectThe client had asked for speed buthadnrsquot mentioned anything aboutcorrectness So was the problemsolved
Not using memory-mapped IO toincrease accuracy they gave up onmemory-mapped IO for initializa-tion vectors and count Unfortu-nately there was a smallperformance cost the speed wasnow 3000 kilobytessecond
From the clientrsquos point of view all ofthese steps showed them that the onlyway to maximize the performance whileusing the secure coprocessor was todesign DES-batched API From thedesignerrsquos point of view the conclusions
were simpler always distrust folkloreand think if and how people will useyour product before designing it
SESSION FIREWALLSINTRUSION
DETECTION
Summarized by Stefan Kelm and YongGuan
ARCHITECTING THE LUMETA FIREWALL
ANALYZER
Avishai Wool Lumeta
ldquoWhat is your firewall doingrdquo AvishaiWool asked the audience at the begin-ning of his presentation therebydescribing the motivation to build LFAthe ldquoLumeta Firewall Analyzerrdquo
Firewalls have been installed by almostall companies connected to the InternetHowever the underlying policy often isfar from being good enough to actuallyprotect the company from outsideattackers Network administrators oftendo not know how to set up a firewallsecurely much less how to test or auditthe firewall configuration Wool pointedout that LFA is the successor of the Fangprototype system built at Bell Labs as afirewall analysis engine
The key idea is not to probe the actualfirewall in any way but to allow testingof the configuration before the firewallis deployed The firewallrsquos routing tableand configuration files are used as inputto the LFA which parses these files andsimulates the behavior of any possiblepacket flow combination (LFA mainlyoffers support for Firewall-1 and PIX)The results are presented to the user asHTML pages
Wool concluded by giving a shortdemonstration As input to the LFA heused a short Firewall-1 policy whichcontained only six rules and explainedwhy even such a short rule set mightlead to problems once the firewall isdeployed During the QampA session heemphasized that the LFA only checkspacket headers not the content and
16 Vol 26 No 7 login
cannot therefore detect tunneling prob-lems
For more information contactyashacmorg or visit httpwwwlumetacomfirewallhtml
TRANSIENT ADDRESSING FOR RELATED
PROCESSES IMPROVED FIREWALLING BY
USING IPV6 AND MULTIPLE ADDRESSES PER
HOST
Peter M Gleitz and Steven M BellovinATampT Labs-Research
The authors proposed a method to sim-plify firewall decisions By using thelarge address space brought by IPv6they employed a strategy of multiplenetwork addresses per host That is foreach request on the client host an IPv6address is tied to the client process Thefirewall now makes access decisionsbased on transport layer protocol infor-mation (ie filtering is shifted fromports to addresses) Once approved thefirewall allows all traffic between the twopeers to pass to and fro Once the serviceis finished the IPv6 address is discardedThis method is called TARP (transientaddressing for related processes) TARPemploys two different types ofaddresses (fixed) server addresses andprocess group addresses
Gleitz discussed how TARP works withTCP and UDP applications and with thefirewall router domain name serverand IPSEC Employing TARP does notnecessarily affect the routers thoughTARP-aware routers can perform betterMoreover Gleitz pointed out that nomodifications to standard applicationssuch as Telnet SSH FTP Sendmail orTFTP are necessary in order to useTARP He also mentioned briefly someinterop problems with protocols such asDNS and ICMPv6
For more information contactpmgleitnetscapenet
NETWORK INTRUSION DETECTION EVASIONTRAFFIC NORMALIZATION AND END-TO-END
PROTOCOL SEMANTICS
Mark Handley and Vern Paxson ACIRIChristian Kreibich Technische Univer-sitaumlt Muumlnchen
This paper focused on the problem ofnetwork intrusion detection system(NIDS) evasion Attackers usually canfool any NIDS by exploiting certainambiguities in the packet flow beingmonitored by the NIDS ie (1) theNIDS may lack complete analysis of thepacket flow (eg no TCP stream re-assembly) (2) the NIDS may lack end-system knowledge (eg certainapplication vulnerabilities) and (3) theNIDS may lack network knowledge(eg the topology between the NIDSand an end system)
As a solution Paxson proposed thedeployment of a ldquonormalizerrdquo the goalof which would be to observe all packetsbeing sent between two network nodes(he called that a ldquobump-in-the-wirerdquo)and to modify (ldquonormalizerdquo) packetsthat seem to be ambiguous for one rea-son or another As an example theauthor described problems with twooverlapping fragments the normalizerwould re-assemble (and re-fragment ifnecessary) those packets before forward-ing Since re-assembly is a valid opera-tion the normalizer would in thisexample have no impact on the seman-tics at all
Paxson also pointed out some of theproblems with this approach one ofwhich is the ldquocold startrdquo problem(re-)starting the normalizer will showmany valid connections already estab-lished It is difficult to handle those con-nections accordingly (this is also true forthe NIDS itself) The normalizer hasbeen implemented and will be availableat wwwsourceforgenet soon
In the QampA session Steven Bellovinwanted to know whether normalization
would not be needed at the applicationlayer as well The presenter answered inthe affirmative
For more information contactvernaciriorg
SESSION OPERATING SYSTEMS
Summarized by Mike Vernal
SECURITY ANALYSIS OF THE PALM OPERATING
SYSTEM AND ITS WEAKNESSES AGAINST
MALICIOUS CODE THREATS
Kingpin and Mudge stake Inc
Kingpin and Mudge began their presen-tation with a bold fashion statementappearing in matching white bathrobesTheir bathrobes aimed to underscore thefact that PDAs can undermine user pri-vacy in a public setting Their effortswere later rewarded with the covetedUSENIX Style Award presented by thereal Peter Honeyman of the Universityof Michigan
The presentation centered on the secu-rity threat posed by the recent ubiquityof Personal Digital Assistants (PDAs)and more specifically devices runningthe Palm Operating System Palmdevices increasingly are being used insecurity-sensitive settings such as hospi-tals and government agencies While thegovernment is now aware of the securitythreat posed by PDAs the corporateworld has remained generally oblivious
17November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SThe security threat of the Palm stemsfrom the PalmOSrsquos lack of a well-definedsecurity framework Specific weaknessesenumerated include the direct address-ability of hardware the lack of memoryencryption the lack of ACLs weakobfuscation of passwords and a back-door debug mode that allows for thebypassing of ldquosystem lockoutrdquo Becauseof these and other weaknesses the audi-ence agreed with the assertion thatdeveloping a secure application on topof the PalmOS would be impossible
The presentation suggested thatunscrupulous users could exploit anumber of weaknesses to install mali-cious code including normal applica-tion installation desktop conduitscreator ID replacement wireless com-munications and the Palm DebuggerAnother threat raised by Kingpin andMudge was the possibility of a new set ofcross-pollinating viruses which could beacquired via a Palm and propagatethemselves to desktop computers via theHotSync operation or vice versa
With the growing popularity of PDAsKingpin and Mudge invoked OccamrsquosRazor all other factors being equal thePDA may be the malicious userrsquos easiestpoint of entry into an information net-work The upcoming PalmOS 40reportedly fixes some of the securityconcerns raised In the interim usersshould be made aware of the possiblesecurity threats and restrict or eliminatetheir use of sensitive data and applica-tions on Palm devices
SECURE DATA DELETION FOR LINUX
FILE SYSTEMS
Steven Bauer and Nissanka B Priyan-tha MIT
Steven Bauer presented an implementa-tion of a kernel-level secure data-dele-tion (SDD) mechanism for the ext2 filesystem
Bauer suggested that with the increasingprevalence of public kiosks thin clientsmulti-user computing clusters and dis-tributed file systems users will want toensure that when their data is deletedfrom these systems it is truly and irre-trievably deleted
In 1996 Peter Gutmann of IBM demon-strated that data that had been overwrit-ten on a magnetic disk could berecovered using advanced probing tech-niques While popular lore has suggestedcertain government agencies may beable to recover data overwritten dozensof times no commercial data recoverycompany contacted in conjunction withBauerrsquos research believed that it couldrecover data that had been overwrittenmore than once As such the SDD sys-tem as described probably only needs tooverwrite data a few times
This SDD system was designed to ensurethat all flagged data is deleted even inthe event of system failure The deletionprocess was designed as an asynchro-nous daemon to ensure that it did notinterfere with normal operation andperformance Though implemented forthe ext2 file system Bauer asserts thatthis system should be portable to anyblock-oriented file system
The ext2 implementation used theunused secure-deletion flag settablewith the chattr() function With thismechanism the granularity with whichsecure deletion can be specified rangesfrom an entire device to an individualfile Questions were raised as to the vul-nerability of temporary files that are notflagged in a secure deletion zone Bauerrecommended that for maximum secu-rity the entire device should be flaggedfor secure deletion
Kingpin and Mudge
SESSION MANAGING CODE
Summarized by Sameh Elnikety
STATICALLY DETECTING LIKELY BUFFER
OVERFLOW VULNERABILITIES
David Larochelle and David Evans Uni-versity of Virginia
Buffer overflow attacks account forapproximately half of all security vul-nerabilities Programs written in C areparticularly susceptible to buffer over-flow attacks because C allows directpointer manipulations without anybounds checking
Run-time approaches to mitigate therisks of buffer overflow incur perfor-mance penalties and they turn bufferoverflow attacks into denial-of-serviceattacks by terminating execution of theattacked processes Static checking over-comes these problems by detecting likelyvulnerabilities before deployment
The authors developed a practical light-weight static analysis tool based onLCLint to detect a high percentage oflikely buffer overflow vulnerabilities
The tool exploits semantic comments(annotations) that describe programmerassumptions and intents These annota-tions are treated as regular C commentsby the compiler but are recognized assyntactic entities by LCLint The annota-tions represent preconditions and post-conditions for functions to determinehow much memory has been allocatedfor buffers LCLint uses traditional com-piler data flow analyses with constraintgeneration and resolution Also LCLintuses loop heuristics to efficiently analyzemany loop idioms in typical C pro-grams
The authors used the tool to analyze wu-ftpd which is a popular open sourceFTP server and part of BIND which is aset of domain-name tools and librariesthat is considered the reference imple-mentation of DNS Running LCLint issimilar to running a compiler For wu-
18 Vol 26 No 7 login
ftpd it took less than one minute forLCLint to analyze all 17000 lines ofunmodified wu-ftpd source code Thisresulted in 243 warnings that showedknown and unknown buffer overflowvulnerabilities
LCLint source code and binaries areavailable from httplclintcsvirginiaedu
FORMATGUARD AUTOMATIC PROTECTION
FROM PRINTF FORMAT STRING
VULNERABILITIES
Crispin Cowan Matt Barringer SteveBeattie Greg Kroah-Hartman WireXCommunications Inc Mike FrantzenPurdue University and Jamie LokierCERN
In June 2000 a major new class of vul-nerabilities called format bugs was dis-covered when a vulnerability inWU-FTP appeared that looked almostlike a buffer overflow but was not It isunsafe to allow potentially hostile inputto be passed directly as the format stringfor calls to printf-like functions Thedanger is that the inclusion of direc-tives especially n in the format stringcoupled with the lack of any effectivetype or argument counting in Crsquosvarargs facility allows the attacker toinduce unexpected behavior in pro-grams
The authors developed FormatGuard asmall patch to glibc It provides generalprotection against format bugs usingparticular properties of the GNU CPPmacro-handling mechanism to extractthe count of actual arguments to printfstatements This is then passed to a safeprintf wrapper The wrapper parses theformat string to determine how manyarguments to expect and if the formatstring calls for more arguments than theactual number of arguments it raises anintrusion alert and kills the process
FormatGuard fails to protect against for-mat bugs under several circumstancesFor example if the program uses a func-
tion pointer that has the address ofprintf then it evades the macro expan-sion
FormatGuard is incorporated in WireXrsquosImmunix Linux distribution and serverproducts It is available as a GPLrsquod patchto glibc at httpimmunixorg
DETECTING FORMAT STRING VULNERABILITIES
WITH TYPE QUALIFIERS
Umesh Shankar Kunal Talwar Jeffrey SFoster and David Wagner Universityof California Berkeley
Systems written in C are difficult tosecure given Crsquos tendency to sacrificesafety for efficiency Format string vul-nerabilities can occur when user input isused as a format specifier One of themost common cases is when the pro-gram uses printf with one argument auser-supplied string assuming that thestring does not contain any directiveThe authors presented a tool (cqual)that automatically detects format stringbugs at compile time using type-theo-retic analysis techniques With this staticanalysis vulnerabilities can be proac-tively identified and fixed before thecode is deployed
Cqual builds an annotated Abstract Syn-tax Tree (AST) Then it traverses theAST to generate a system of type con-straints which is solved online Warn-ings are produced whenever aninconsistent constraint is generatedCqual presents the results of taintinganalysis to the programmer using Pro-gram Analysis Mode for Emacs (PAM)PAM is a GUI that is designed to addhyperlinks and color mark-ups to thepreprocessed text of the program Theinterface shows the taint flow path tohelp programmers determine how avariable becomes tainted
The configuration files makes cqualusable without modifying the sourcecode The authors analyzed four secu-rity-sensitive benchmark programs withthe same standard prelude file and no
direct changes to the applicationsrsquosource code Typically a few application-specific entries were added to the prel-ude file to improve accuracy in thepresence of wrappers around libraryfunctions Cqual reliably finds all knownbugs for the benchmark programs Italso reports few false positives Cqual isfast it usually takes less than a minute
Cqual is available at httpbanecsberkeleyeducqual
SESSION AUTHORIZATION
Summarized by Rachel Greenstadt
CAPABILITY FILE NAMES SEPARATING
AUTHORIZATION FROM USER MANAGEMENT
IN AN INTERNET FILE SYSTEM
Jude T Regan consultant Christian DJensen Trinity College
On the Internet there is no reliable wayto establish an identity Flexible user-user collaboration outside of an admin-istered system so that people couldcreate ad hoc work groups and removearbitrary limitations to informationsharing is the authorsrsquo goal
Such a system should be globally accessi-ble easy to use and require as littleintervention by system administrators aspossible This system should integratewith existing systems and applications Itshould have fine granularity so thatusers would not have to use complicatedexport mechanisms to share files
The authors used the concept of a capa-bility a token conveying specified accessrights to a named object in order tomake the identity of the object and theaccess rights inseparable They embed-ded the capability in something everysystem knows ndash the file name
The authors concluded that the systemwas safe from interception and modifi-cation Attackers could forge the clientpart but not the server part of the filenames Service could be interrupted butprotecting against this is impossible
19November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Swithout complete control of the net-work Performance was evaluated incomparison to NFS Most of the over-head was in the open statement Readswere slightly slower and writes weremuch slower but they felt this could bealleviated by implementing symmetricwrites
KERBERIZED CREDENTIAL TRANSLATION ASOLUTION TO WEB ACCESS CONTROL
Olga Kornievskaia Peter HoneymanBill Doster and Kevin Coffman CITIUniversity of Michigan
There are two different authenticationmechanisms those used for servicessuch as login AFS and mail for whichKerberos is popular and public key-based mechanisms such as SSL which isused to establish secure connections onthe Web These systems need to be ableto work together to satisfy a request
The authors propose to achieve the bestof both worlds by leveraging Kerberos tosolve PKI key management This will useexisting infrastructures which allowstrong authentication on the Web withSSL and which provide access to Kerber-ized back-end services They propose asystem to provide interoperabilitybetween PKI and Kerberos Their systemconsists of (1) a Certificate Authority(CA) KX509 which creates short-livedcertificates (2) a Web server which actslike a proxy for users by requesting serv-ices from Kerberized back-end servicesand (3) a Kerberized Credential Transla-tor which translates public-key creden-tials to Kerberos They created aprototype of their system called WebAFSusing AFS as an example Kerberized ser-vice
DOS AND DONrsquoTS OF CLIENT AUTHENTICA-TION ON THE WEB
Kevin Fu Emil Sit Kendra Smith and
Nick Feamster MIT
[This paper received the Best StudentPaper Award]
Kevin gave a very amusing presentationwhich illustrated the gap between secu-rity theory and practice He described avariety of Web sites that used insecureclient authentication schemes and pre-sented hints on how to avoid their mis-takes
Client authentication seems like a solvedproblem but many sites continue tocome up with homebrew schemes whichjust donrsquot quite get it right Out of the 27Web sites the cookie eaters group exam-ined they weakened the security on twosites were able to mint authenticatorson eight and on one site were able toobtain the secret key Some of these siteswere high profile such as the Wall StreetJournal (wsjcom) Sprint PCS (sprint-pcscom) and FatBrain (fatbraincom)
In most cases the mistakes made inthese sites were simple By simply look-ing at their cookie files the authors couldquery Web servers and look at headersresponses and create sample authentica-
tors Except forSprint theseattacks involved noeavesdropping atall The schemeswere not evenstrong against whatthe authors termedthe ldquointerrogativeadversaryrdquo Thisadversary has nospecial access but it
adaptively queries a Web server a rea-sonable number of times It just sitsthere and connects to port 80 it cannotdefeat SSL client authentication HTTPbasic or digest authentication The bestsuch an adversary can do against a pass-
Kevin Fu
word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable
In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password
Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary
In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu
SESSION KEY MANAGEMENT
Summarized by Sameh Elnikety
SC-CFS SMARTCARD SECURED
CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi CITI University of Michigan
Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS
20 Vol 26 No 7 login
implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation
When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory
SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key
The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds
SECURE DISTRIBUTION OF EVENTS IN
CONTENT-BASED PUBLISH SUBSCRIBE
SYSTEMS
Lukasz Opyrchal and Atul Prakash University of Michigan
Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage
Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize
The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
The law enforcement exception is actu-ally sweeping and robust it applies to allthe provisions of the act The reverseengineering exception is not half bad itrefers to the whole range of prohibitionsalthough it is still narrower in scopethan the protections under copyrightlaw Sections 1201(g) and (j) presentlimited exceptions for encryptionresearch and security testing which areuncertain in scope Section 1201(h)presents a small but robust exception toallow adults to circumvent in order tofrustrate a minorrsquos attempt to achieveprivacy in a Web environment Section1201(i) allows ordinary people to pro-tect their privacy but it is only a conductexception you need to make your owntools and not distribute them There isless to all these limitations and excep-tions than meets the eye
There are risks posed by this legislationto the traditional balance of interest incopyright law which calls for a push-back against legislative excess To thisend Jaszi is forming a new access coali-tion They have a Web site athttpwwwipclinicorg
Cindy Cohn from the EFF said thatPeter had already said everything aboutsection 1201 but stressed that the EFFwas ldquopushback centralrdquo and explainedways in which people could get involvedin this effort The EFF has been involvedin this issue even before the cases involv-ing 2600 Magazine Felten and theUSENIX presentation of the SDMIpaper and the California trade secretscase
Thomas Greene from the Register won-dered why the mainstream press hasnrsquotrealized their stake in this and what itimplies about freedom of the pressCindy replied that they were gettingincreased press support with the Sky-larov arrest speaking speculatively shealso mentioned that the mainstreampress is owned by content holders In
9November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Saddition most press organizations wishto be seen as nonpartisan and objective
Someone asked about dual use tech-nologies such as echo detection TheDMCA takes this into account but thelanguage doesnrsquot give much comfortThere are a series of criteria which willgive you liability
There was a question about potentialconnections between the lawsuit and theSkylarov case Cindy answered that instrictly legal terms there was no overlap
Someone asked what to do in Feltenrsquossituation what lessons had they learnedFelten responded that they learned agreat deal responding to the threatsregarding the paper He said to talk topeople whorsquove been there and keep inmind your goals and values
Someone brought up the question ofwhether a person would be at risk forsummarizing the session Cindy saidthat the letter they received only per-tained to the particular paper butbecause the paper can be publishedprosecuting for summarizing would behard Peter suggested that if you weregoing to synthesize the talk (uhthis isstarting to sound disturbingly famil-iar) and discuss strengths and weak-nesses theoretically you could be introuble Especially if you implementsomething based on the presentationFelten mentioned that the fact that thisquestion has no simple answer is telling
Someone suggested widespread civil dis-obedience as the only way to effectchange Cindy responded that she neveradvises people to break the law Thoughshe feels that if the law is out of stepwith what people believe their rights arethe law should be changed Peter addedthat copyright law has functioned wellbased on shared social investment Likethe tax code it works not because it ispoliced but because there is a highdegree of collective buy in to its prem-ises The most corrosive thing about the
DMCA is that the basic assumptions itmakes about people are dark and pes-simistic We need to question thoseassumptions and what flows from them
Someone asked for some insight intowhy the industry wouldnrsquot want thisresearch since it would allow them tobuild better protection schemes Feltenresponded that to us the question is isthis technology weak We didnrsquot make itweak and we think it should be fixedThe industryrsquos concern is not whetherthe technology is strong or weak somuch as whether people believe it isstrong or weak They think that if thepublic reaches a consensus that the tech-nology is strong that will be enoughMany of us find this hard to understand
[More information and photographscan be found at httpwwwusenixorgeventssec01indexhtml
CHANGES IN DEPLOYMENT OF
CRYPTOGRAPHY AND POSSIBLE CAUSES
Eric Murray SecureDesign
Summarized by Takeaki Chijiiwa
A survey of cryptography deploymentwas conducted last year (2000) by EricMurray and a similar survey was con-ducted in 2001 to measure changes inthe deployment of SSL (Secure SocketLayer) and TLS (Transport Layer Secu-rity) Web servers
The results of the 2000 survey showed10381 unique hostname and port num-ber combinations compared to 12630 in2001 Detailed results are available athttpwwwlnecomusenix01
There were several noteworthy changesbetween the results from the surveys in2000 and 2001
What got better
A 14 increase 5 decrease and8 decrease among servers catego-rized as Strong Medium and Weakrespectively
The number of servers supporting1024-bit key size increased by 10while a decrease of 8 was seen forsupport of less than 512-bit keysize
The protocol adoption saw a shiftfrom SSL v2 (3 decrease) towardTLS (5 increase)
What got worse
The number of expired certificatesincreased from 31 to 37
Self-signed certificates increasedfrom 08 to 20
The results presented raised many ques-tions from the audience
Question Why do you think there wasan increase in the number of self-signedcertificates
Answer This may be due to people play-ing around with OpenSSL or the surveymay have picked up servers used forinternal use Furthermore the increasein the number of expired certificatesmay have been a result of study errorandor the inclusion of abandoned Websites
Question Did you retest the serversfrom last yearrsquos survey
Answer No This was a new list andtherefore a completely new survey
Question Is the raw data available
Answer You can email ericmlnecomfor private requests
Question Which browsers do you usefor personal use
Answer Linux and Netscape
REVERSING THE PANOPTICON
Deborah Natsios cartomeorg JohnYoung cryptomeorg
Summarized by Mike Vernal
Deborah Natsios described the missionof cartomeorg and cryptomeorg as anattempt to reverse the one-way flow ofinformation controlled by the national
10 Vol 26 No 7 login
surveillance state Based upon theassumption that information is powerNatsios likened the work of cartomeorgand cryptomeorg to that of Ariadne inthe myth of Theseus and the MinotaurBy reversing the flow of informationcartomeorg and cryptomeorg hope toempower those who may be caught inthe labyrinth of the security state muchas Ariadne empowered Theseus with atrail of silk thread through the labyrinthof Crete
John Young continued by explainingthat cryptomeorg welcomed the sub-mission of proprietary or classified doc-uments and trade secrets from anynation or corporation Young describeda few such documents and the unfavor-able responses they had received TheBritish government objected to one doc-ument and attempted to have cryp-tomeorgrsquos Internet service provider shutthe site down Another documentprompted diplomatic requests from theJapanese government for its removal Allattempts to shut the site down have thusfar been rebuffed but Young imaginesthat someone will eventually be success-ful
Other information cryptomeorg hasreceived and published include proofsthat American corporations used USintelligence to stay ahead of foreigncompetitors the names of over 8000CIA informants and currently the pro-grams and keys associated with Russianprogrammer Dmitri Skylarovrsquos crack ofAdobersquos E-book system for which hewas arrested in July
An audience member asked what typesof material cryptomeorg would notpublish Young explained that cryp-tomeorg is open to any kind of publica-tion but they have refused to publishchild pornography documents andinformation related to biological war-fare They also feel that personal prerog-ative takes precedence over the publicrsquosright to know so they will remove per-
sonal information and documents ifrequested by the person in questionThey also reminded the audience thatthey do not verify the authenticity of theinformation they publish ndash they leavethat to the interested reader
Young repeatedly stressed what hebelieved to be the transitory nature ofcryptomeorg He assured the audiencethat at some point cryptomeorg willeither be silenced or it will simplymature away from the cutting edgeWhen that finally happens Young isconfident that someone else will emergeat the vanguard of the quest to reversethe Panopticon state
DESIGNS AGAINST TRAFFIC ANALYSIS
Paul Syverson US Naval ResearchLaboratory
Summarized by Yong Guan
Paul Syverson used a pseudonym ldquoPeterHoneymanrdquo on his talk a joke whichpervaded the rest of the conference
Although the encryption of networkpackets ensures privacy of the payload ina public network packet headers iden-tify recipients packet routes can betracked and volume and timing signa-tures are exposed Since encryption does not hide routing information pub-lic networks are vulnerable to trafficanalysis
Traffic analysis can reveal for examplewho is searching a public database whatWeb sites are surfed which agencies orcompanies are collaborating where youremail correspondents are what sup-pliesquantities you are ordering andfrom whom and so forth
Knowing traffic properties can help anadversary decide where to spendresources for decryption and penetra-tion Therefore it is important todevelop countermeasures to preventtraffic analysis
The security goal of traffic-analysis-resistant systems is to hide one or moreof the following
Sender activity that a site is sendinganything
Receiver activity that a site isreceiving anything
Sender content that a sender sentspecific content
Receiver content that a receiverreceived specific content
Source-destination linking that aparticular source is sending to aparticular destination
Channel linking identifying theendpoints of a channel
Some systems were described
Dining Cryptographers (DC) ndash net-works in which each participant sharessecret coin flips with other pairs andannounces the parity of the flips theparticipant has seen to all other partici-pants and the receiver
Chaum mixes ndash a network of mix nodesin which messages are wrapped in mul-tiple layers of public-key encryption bythe sender one for each node in a routeMost widely used anonymous commu-nication systems use the Chaum mixmethod
There are two kinds ofroutes for the messagesmix cascade where allmessages from anysource move through afixed-order ldquocascaderdquo ofmixes and randomroute where the routeof any message is
selected at random by the sender fromthe available mixes
Remailers mainly used for emailanonymity employ rerouting of anemail through a sequence of multiplemail remailers before the email reachesthe recipient so that the true origin ofthe email can be hidden
Anonymizer and SafeWeb provide fastanonymous interactive communicationservices They are essentially Web prox-
11November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sies that filter out the identifying headersand source addresses from Webbrowsersrsquo requests Instead of the userrsquostrue identity (eg IP address) a Webserver can only learn the identity of theWeb proxy Both offer encrypted links totheir proxy (SSL or SSH) Anonymizer isa single point of failure whereasSafeWeb is a double point of failureSafeWeb offers additional protectionfrom censorship
Crowds aims at protecting usersrsquo Web-browsing anonymity Like Onion Rout-ing the Crowds protocol uses a series ofcooperating proxies (called jondo) tomaintain anonymity within the groupUnlike Onion Routing the sender doesnot determine the whole path Insteadthe path is chosen randomly on a hop-by-hop basis At each hop a decision ismade whether to submit the requestdirectly to the end server or to forward itto another randomly chosen memberaccording to forwarding probability Theexpected path length is controlled by theforwarding probability Cycles areallowed on the path The receiver isknown to any intermediate node on theroute Once a path out of a crowd ischosen it is used for all the anonymouscommunication from the sender to thereceiver within a 24-hour periodCrowds does not have a single point offailure and is a more lightweight cryptothan mix-based systems HoweverCrowds has limitations all users mustrun Perl code users have to have long-running high-speed Internet connec-tions an entirely new network graph isneeded for a new or reconnecting Crowdmember connection anonymity isdependent on data anonymity andresponder protection is weak
Onion Routing provides anonymousInternet connection services The OnionRouting network operates on top ofexisting TCPIP networks such as theInternet It builds a rerouting pathwithin a network of onion routers
which in turn are similar to real-timeChaum mixes In Onion Routing thedata packet is broken into fixed-sizecells and each cell is encrypted multipletimes (once for each onion router on thepath) Thus a recursively layered datastructure called an onion is constructedAn onion is the packet transmitted alongthe rerouting path The fixed size of anonion limits a route to a maximum of 11nodes in the current implementationOnions can be tunneled to producearbitrary length routes
Onion Routing I (Proof-of-concept)uses a network of five Onion Routingnodes operating at the Naval ResearchLaboratory It forces a fixed length (fivehops ie five intermediate onionrouters) for all routes
Onion Routing II can support a networkof up to 50 core onion routers For eachrerouting path through an Onion Rout-ing network each hop is chosen at ran-dom The rerouting path may containcycles although only cycles with one ormore intermediate nodes are allowed
Freedom Network also aims at provid-ing anonymity for Web browsing Fromthe userrsquos point of view Freedom is verysimilar to Onion Routing Freedom con-sists of a set of nodes (called Anony-mous Internet Proxy) which run on topof the existing Internet infrastructureTo communicate with a Web server theuser first selects a series of nodes to forma rerouting path and then uses this pathto forward the requests to its destina-tion The Freedom Route Creation Pro-tocol allows the sender to randomlychoose the path but the path length isfixed to be three The Freedom client-user interface does not allow the user tospecify a path-containing cycle TheFreedom client must either have all theintermediate nodes in the path chosenor choose a preferred first node and lastnode and the intermediary nodes arepicked at random
Paul Syverson
For more information visit httpwwwonion-routernet andhttpwwwsyversonorg
Question Who manages the onionrouters Are they managed independ-ently
Answer Yes The onion routers can bedistributed anywhere and be managedby different groups
Question Do you believe that thelonger the path the safer the anony-mous communication system
Answer I am not sure
COUNTERING SYN FLOOD
DENIAL-OF-SERVICE (DOS) ATTACKS
Ross Oliver Tech Mavens
Summarized by David RichardLarochelle
SYN flood attacks are a nasty DoSattack The attacker sends a SYN packetbut does not complete the three-wayhandshake This is hard to defendagainst because SYN packets are part ofnormal traffic and unlike ping attacksyou canrsquot firewall them Since SYN pack-ets are small the attack can be done withlimited bandwidth Finally the attacksare difficult to trace because source IPaddresses can be faked Ross Oliverstressed that itrsquos up to you to defendyourself (law enforcement is unable todeal with attacks as they occur if theycan deal with them at all) and suggestedthat firewalls employing SYN flooddefenses are the best way of doing this
He reviewed four such products PIX byCisco Firewall-1 by CheckpointNetscreen 100 by Netscreen and App-Safe (previously called AppSwitch) byTopLayer To test these products heplaced a Web server behind the firewalland used a machine with a script whichcalled wget repeatedly to request Webpages to represent the legitimate clienttraffic An attacking machine threw SYNpackets with forged source addresses atthe Web server
12 Vol 26 No 7 login
The Cisco PIX used a threshold tech-nique which allowed a set number ofincomplete connections and droppedadditional SYN packets The testsshowed no significant improvementover no firewall The Firewall-1 faredslightly better It lets SYN packets reachthe Web server and then sends an ACKpacket to the Web server to complete thethree-way handshake Under a SYNflood attack the Web server will then
have a bunch of com-pleted connectionsinstead of half-openones Firewall-1 pro-tected up to 500 SYNsper second but withdegraded response timeThe Web server returned
to normal 3ndash10 minutes after the attackceased
Netscreen and AppSafe had the bestresults If these firewalls detect a SYNflood attack they proxy the incomingconnections and only send the Webserver the SYN and ACK packets if thehandshake is completed by the clientNetscreen detects SYN floods by lookingat the number of incomplete connec-tions It protected up to 14000 SYNssecwith acceptable response times and con-tinued to function at higher SYN ratesbut with increasing delays The serverresponded normally immediately afterthe attack
AppSafe used a more elaborateapproach It determined whether toproxy a connection request based on thesource IP address SYN packets from IPaddresses which had recently behavedlegitimately were let through to the Webserver immediately Only connectionsfrom previously unseen or malicious IPaddresses were proxied AppSafe waseffective up to 22000 SYNssec whichwas the most traffic that the attackingmachine could produce in this testHowever it was pointed out that in thetest the client machine used only one IP
This technique may not work as well in asituation in which there are new connec-tions from previously unseen clients
How much protection you need dependson what type of attack you expect Anattacker with a Cable or DSL connectioncan produce 200 SYNssec An attackerwith a T1 can produce 2343 SYNssecAccording to the paper ldquoInferring Inter-net Denial-of-Service Activityrdquo pre-sented the previous day 46 of DoSattacks involved more than 500SYNssec but only 24 were above14000 SYNssec This level can be han-dled with a single firewall Multiple ordistributed attacks may require multipleparallel firewalls Because of the widerange of performance between devicesOliver stressed the importance of testingand advised testing the devices yourselfif possible
REAL STATEFUL TCP PACKET FILTERING WITH
IP FILTER
Guido van Rooij Eindhoven Universityof Technology
Summarized by Evan Sarmiento
Old firewall implementations used to fil-ter TCP sessions using addresses andports only creating an interesting prob-lem The administrator would have toguess the source port of the packet inorder to filter it correctly In order tosolve this a new trend in firewalls is tointroduce stateful packet filtering State-ful packet filters remember and onlyallow through addresses and ports ofconnections that are currently set up
Even before Guido van Rooijrsquos work IPFilter did have stateful packet filteringbut it was implemented in the wrongway IP Filter does take sequence ACKand window values into account but itmakes the wrong assumption that pack-ets seen by the filter host will also beseen by the final destination Thisassumption caused IP Filter to droppackets in certain situations The newstate engine for IP Filter encompassesthe following goals
Ross Oliver
Conclusions made by the enginemust be provable
All kinds of TCP behavior must betaken into account
The number of blocked packetsmust be minimized
Blocking of packets must never leadto hanging connections
Opportunities for abuse should bemade as small as possible
The new state engine includes 20 bytesper state entry and about 40 lines of Ccode without loops thus the perfor-mance overhead is minimal
However even the new state engine isnot always successful even though it is agreat improvement Occasionallyblocked FIN and ACK packets causeproblems in the state timeout handlingfor TCP half-closed sessions IP Filterdrops packets coming from a few Win-dows NT workstations for a strange andas yet unknown reason
Guido then outlined some future addi-tions to IP Filter He would like to beable to fix fragment handling add sup-port for sessions entering the state tableafter establishment and check validity ofa session if a packet comes in from themiddle of the connection
REFEREED PAPERS
SESSION DENIAL OF SERVICE
Summarized by Stefan Kelm
USING CLIENT PUZZLES TO PROTECT TLS
Drew Dean Xerox PARC Adam Stub-blefield Rice University
Adam Stubblefield presented their workon a DoS protection technique namelythe use of client puzzles within the TLSprotocol Even though client puzzleshave been supposed to be a solution toDoS attacks Stubblefield pointed outthe lack of actual implementations Thechoice of TLS as the protocol to protectagainst DoS seems obvious but TLS issubject to DoS attacks because of thecomputing-expensive cryptographic
13November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Soperations performed at both the clientand the server side A server howeverhas to perform the more expensive RSAdecrypt operations during the sessionhandshake thus any small number ofclients could easily overload a TLS serverby flooding the server with TLS hand-shake messages The goal of this work isto prevent this using cheap methods
The idea of TLS-based cryptographicpuzzles is to first let the client do thework and subsequently the server If theserver is under a heavy load it sends aso-called ldquopuzzle requestrdquo to the clientThe client in turn has to compute anumber of operations which it then usesto send a ldquopuzzle solutionrdquo back to theserver Thus the server will not need tocontinue the TLS handshake unless theclient has proven its intent to really opena TLS connection
Client puzzles are surprisingly easy toimplement on both the client and theserver side Stubblefield used modifiedOpenSSL and mod_ssl source code totest the implementation The implemen-tation uses a metric which tracks unfin-ished RSA decrypt requests in order todecide whether or not the server isassumed to be under attack Sinceadding more latency to the TLS protocolwas not a goal of this work the serveronly sends a puzzle request back to theclient if it really has to This is imple-mented by using variable thresholds
The author concluded that they are ableto protect against certain denial-of-ser-vice attacks at not much cost and with agood user experience Moreover theproposed solution can be implementedusing already existing code
For more information contact astubblericeedu
INFERRING INTERNET DENIAL-OF-SERVICE
ACTIVITY
David Moore CAIDA Geoffrey MVoelker and Stefan Savage Universityof California San Diego
This paper awarded the best paperaward tried to answer the question ofhow prevalent denial-of-service attacksin the Internet currently are Theauthors ran a test over a period of threeweeks trying to come up with an esti-mate of worldwide DoS activity
David Moore presented the so-calledldquobackscatter analysisrdquo as their key ideaand outlined the basic technique sinceattackers normally use spoofed source IPaddresses the ldquoreal ownersrdquo of those IPaddresses regularly receive responsepackets from the systems being attacked(Moore called these ldquounsolicitedresponsesrdquo) By monitoring these unso-licited responses one is able to detectdifferent kinds of DoS attacks Further-more by observing a huge number ofdifferent IP addresses over a longerperiod of time sampling the results canprovide an overview of attacks going on
Moore presented some interestingresults and displayed a number of fig-ures and tables showing the number ofattacks the attacks over time the attackcharacterization the attack duration dis-tribution and the attack rate distribu-tion Moorersquos team observed a numberof minor DoS attacks (described as ldquoper-sonal vendettasrdquo) as well as some victimsunder repeated attack Classifying thevictims by TLD showed countries likeRomania and Brazil being attacked farmore often than most other TLDs Thepresenterrsquos hypothesis was that eitherthose countries host ISPs that attackeach other or there simply are morehackers located in Romania and Brazil(this was later denied by someone in theaudience stating that Romania has reallynice people)
In conclusion the authors observedsome very large DoS attacks thoughmost attacks seem to be short in dura-tion Another result showed the majorityof attacks being TCP based To clarifythis technique is not good at distin-guishing between DoS and DDoS
attacks since it is not good at distin-guishing between attackers
During the QampA session one questionwas on why the analysis showed noattacks on the mil domain Theresponse given was that either mil is notunder attack (unlikely) or that backscat-ter packets are being filtered
For more information contactdmoorecaidaorg or see httpwwwcaidaorgoutreachpapersbackscatter
MULTOPS A DATA-STRUCTURE FOR
BANDWIDTH ATTACK DETECTION
Thomer M Gil Vrije UniversiteitMITMassimiliano Poletto MIT
Thomer Gil proposed a heuristic as wellas a new data structure to be used byrouters and similar network devices todetect (and possibly eliminate) denial-of-service attacks Most DoS attacksshow disproportional packet rates with ahuge number of packets being sent tothe victim and only very few packetsbeing sent by the victim in response Thenew data structure called MULTOPS(Multi-Level Tree for Online Packet Sta-tistics) monitors certain Internet trafficcharacteristics and is able to drop pack-ets based on either the source or the des-tination address
The main implementation challengeswith MULTOPS have been and still arethe precise identification of maliciousaddresses athe achievement of a smallmemory footprint and a low overheadon forwarding ldquorealrdquo traffic as opposedto DoS-based traffic MULTOPS isimplemented as a memory-efficient treeof nodes which contains packet-rate sta-tistics and which dynamically grows andshrinks with the traffic being observedAt the current implementation packetsare dropped based on either a variablepacket rate or a ratio Since it usually isimpossible to identify an attacker(because of IP spoofing) packets can bedropped based on the victimrsquos IP too
14 Vol 26 No 7 login
The authors succeeded in simplifyingmemory management and the mecha-nism that keeps track of packets Gilpointed out that their solution is suc-cessfully being used by a network com-pany They are currently trying to focuson the behavior of different TCP imple-mentations as well as protocols otherthan TCP
Someone brought up the question ofdifferentiating DoS traffic from trafficthat normally shows disproportionalpacket flows eg video traffic The replysuggested the possibility of buildingsome kind of knowledge base A livelydiscussion on random class A addresseswithin MULTOPS subsequently arosebut was taken offline
For more information contact thomerlcsmitedu
SESSION HARDWARE
Summarized by Anca Ivan
DATA REMANENCE IN SEMICONDUCTOR
DEVICES
Peter Gutmann IBM TJ WatsonResearch Center
Peter Gutmann explained the dangers ofdeleting data in semiconductors Every-one knows that deleting data from mag-netic media is very hard but not toomany realize that the same problemexists for semiconductors especiallysince there are so many ways of buildingsemiconductors each with its own set ofproblems and solutions After giving ashort background introduction in semi-conductors and circuits (n-type p-typeSRAM DRAM) Peter described some ofthe most important issues
Electromigration because of highcurrent densities metal atoms aremoved in the opposite direction ofthe normal current flow The conse-quence is that the operating proper-ties of the device are stronglyaltered
Hot carriers during operation thedevice heats up and its characteris-tics change considerably
Ionic contamination this is nolonger an issue and its effects are nolonger significant
Radiation-induced charging itfreezes the circuit into a certainstate
The first phenomenon enables attackersto recover partial information from spe-cial-purpose devices (eg cryptographicsmartcards) The next two can be usedto recover data deleted from memory Inorder to avoid long- and short-term dataretention from semiconductors (a DESkey was recovered in the lsquo80s)researchers developed a series of solu-tions that use various semiconductorforensic techniques including the fol-lowing two
Short-term retention probably thesafest way to defend against it is notto keep the same values in the samememory cells for too long (maxi-mum a few minutes)
Long-term retention in 1996 someresearchers proposed periodicallyflipping the stored bits In this wayno cell holds the same bit value forlong enough to ldquorememberrdquo it
In the end Peter talked about how allthe problems cited above extend to flashmemory For example random genera-tors can generate strings of 1s when thepool is empty or information can beleaked into adjacent cells into shared cir-cuitry
Even though the entire presentationscared at least one person in the audi-ence (guess who) Peter assured us thatreality is not that gloomy In fact theonly problem is the lack of a standardEvery time people decide to choose oneimplementation method they shouldalso choose which solutions are best forit Answering a question Peter told usthat personal computers are not affected
by those problems but that most special-ized devices like airplane black boxescan leak information if analyzed withvery sophisticated equipment But thenagain who has such equipment
STACKGHOST HARDWARE-FACILITATED
STACK PROTECTION
Mike Frantzen CERIAS Mike ShueyPurdue University
The authors presented a software solu-tion to the return-pointer hijackingproblem The most important step inthe function-call process is when thecaller saves the return pointer beforegiving the control to the called functionMany attacks are based on changing thispointer When the callee finishes thereturn pointer dictates which functiontakes control next StackGhost is a pieceof software that automatically and trans-parently saves the return pointer andreplaces it with another number Whenthe called function completes Stack-Ghost verifies the integrity of that num-ber (catching in this way possibleattacks) and reinstalls the correctpointer value
The security of StackGhost depends onhow it modifies the return pointer tocatch attacks the authors have tried sev-eral ways
Per kernel XOR with a 13-bit signedcookie the main problem is that anattacker can find out the cookie bystarting several arbitrary programs
Per process XOR with a 32-bitcookie this is safer than the previ-ous method but more expensive
Encryptdecrypt the return pointerthis method seems to be the mostexpensive
Return-address stack this methodreplaces the return pointer withanother number and saves thepointer into a return-address stackHowever this would impede otherapplications from running correctly
15November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SAfter making performance measure-ments for all techniques the authorsnoticed that the chances of StackGhostnot catching an attack were 1 in 3 forXOR cookies and 1 in 232 for the return-address stack The conclusion was thatStackGhost was offering protectionagainst return-pointer overriding to allprocesses in the system (which might beseen as a disadvantage)
IMPROVING DES COPROCESSOR THROUGH-PUT FOR SHORT OPERATIONS
Mark Lindemann IBM TJ Watson
Research Center Sean W Smith
Dartmouth College
While the first two talks in this sessionwere at opposite poles (one deeply hard-ware and one purely software) the thirdone was somehow in the middle Thepresenter Sean Smith is one the fathersof the cryptographic card developed atIBM and presently working at Dart-mouth College Everything started in avery optimistic fashion with the usualintroduction we would have expectedfrom an IBM representative trying to sellus this device ldquoIt is secure it is fast it is reliablerdquo All the buzzwords werethere However with the next slide thischanged to ldquoIt is not as secure fast as we thoughtrdquo For example the specifi-cation promised the DES speed to be 20megabytessecond when in reality afriend obtained less than two kilobytessecond in a database application Wherewas the discrepancy coming from Themain intuition was that the specificationgives the performance for operations onmegabytes of input The real speed ismuch slower if the data is shipped to thecard in small chunks The differencebetween specs and reality was too bignot to be studied and Lindemanndecided to find out the reasons behindit First they built a model that simu-lates the database application and thentried to improve the speed by modifyingthe execution conditions in the follow-ing ways
Reducing card-host interactionldquofolklore in IBMrdquo taught them thatany card-host interaction consumestoo much time Thus they rewrotethe application to minimize thenumber of interactions The speedwent up to 18ndash23 kilobytessecondhowever it was still too far frommegabyte speed
Batching all operations into onechip operation chip resets were tooexpensive The speed became 360kilobytessecond
Batching into multiple chip opera-tions it reduced the number ofLayer 3 ndash Layer 2 switches Thespeed changed to 30ndash290kilobytessecond still not good
Reducing data transfers they did itby using an internal key-table andboosted the speed to 1400 kilo-bytessecond
Using memory-mapped IO thiseliminated the internal ISA bus bot-tleneck The speed went up to 2500kilobytessecond
Batching operation parametersinstead of sending them as separatepackets It increased the speed to5000 kilobytessecond This waseven more than they were expect-ing but the results were incorrectThe client had asked for speed buthadnrsquot mentioned anything aboutcorrectness So was the problemsolved
Not using memory-mapped IO toincrease accuracy they gave up onmemory-mapped IO for initializa-tion vectors and count Unfortu-nately there was a smallperformance cost the speed wasnow 3000 kilobytessecond
From the clientrsquos point of view all ofthese steps showed them that the onlyway to maximize the performance whileusing the secure coprocessor was todesign DES-batched API From thedesignerrsquos point of view the conclusions
were simpler always distrust folkloreand think if and how people will useyour product before designing it
SESSION FIREWALLSINTRUSION
DETECTION
Summarized by Stefan Kelm and YongGuan
ARCHITECTING THE LUMETA FIREWALL
ANALYZER
Avishai Wool Lumeta
ldquoWhat is your firewall doingrdquo AvishaiWool asked the audience at the begin-ning of his presentation therebydescribing the motivation to build LFAthe ldquoLumeta Firewall Analyzerrdquo
Firewalls have been installed by almostall companies connected to the InternetHowever the underlying policy often isfar from being good enough to actuallyprotect the company from outsideattackers Network administrators oftendo not know how to set up a firewallsecurely much less how to test or auditthe firewall configuration Wool pointedout that LFA is the successor of the Fangprototype system built at Bell Labs as afirewall analysis engine
The key idea is not to probe the actualfirewall in any way but to allow testingof the configuration before the firewallis deployed The firewallrsquos routing tableand configuration files are used as inputto the LFA which parses these files andsimulates the behavior of any possiblepacket flow combination (LFA mainlyoffers support for Firewall-1 and PIX)The results are presented to the user asHTML pages
Wool concluded by giving a shortdemonstration As input to the LFA heused a short Firewall-1 policy whichcontained only six rules and explainedwhy even such a short rule set mightlead to problems once the firewall isdeployed During the QampA session heemphasized that the LFA only checkspacket headers not the content and
16 Vol 26 No 7 login
cannot therefore detect tunneling prob-lems
For more information contactyashacmorg or visit httpwwwlumetacomfirewallhtml
TRANSIENT ADDRESSING FOR RELATED
PROCESSES IMPROVED FIREWALLING BY
USING IPV6 AND MULTIPLE ADDRESSES PER
HOST
Peter M Gleitz and Steven M BellovinATampT Labs-Research
The authors proposed a method to sim-plify firewall decisions By using thelarge address space brought by IPv6they employed a strategy of multiplenetwork addresses per host That is foreach request on the client host an IPv6address is tied to the client process Thefirewall now makes access decisionsbased on transport layer protocol infor-mation (ie filtering is shifted fromports to addresses) Once approved thefirewall allows all traffic between the twopeers to pass to and fro Once the serviceis finished the IPv6 address is discardedThis method is called TARP (transientaddressing for related processes) TARPemploys two different types ofaddresses (fixed) server addresses andprocess group addresses
Gleitz discussed how TARP works withTCP and UDP applications and with thefirewall router domain name serverand IPSEC Employing TARP does notnecessarily affect the routers thoughTARP-aware routers can perform betterMoreover Gleitz pointed out that nomodifications to standard applicationssuch as Telnet SSH FTP Sendmail orTFTP are necessary in order to useTARP He also mentioned briefly someinterop problems with protocols such asDNS and ICMPv6
For more information contactpmgleitnetscapenet
NETWORK INTRUSION DETECTION EVASIONTRAFFIC NORMALIZATION AND END-TO-END
PROTOCOL SEMANTICS
Mark Handley and Vern Paxson ACIRIChristian Kreibich Technische Univer-sitaumlt Muumlnchen
This paper focused on the problem ofnetwork intrusion detection system(NIDS) evasion Attackers usually canfool any NIDS by exploiting certainambiguities in the packet flow beingmonitored by the NIDS ie (1) theNIDS may lack complete analysis of thepacket flow (eg no TCP stream re-assembly) (2) the NIDS may lack end-system knowledge (eg certainapplication vulnerabilities) and (3) theNIDS may lack network knowledge(eg the topology between the NIDSand an end system)
As a solution Paxson proposed thedeployment of a ldquonormalizerrdquo the goalof which would be to observe all packetsbeing sent between two network nodes(he called that a ldquobump-in-the-wirerdquo)and to modify (ldquonormalizerdquo) packetsthat seem to be ambiguous for one rea-son or another As an example theauthor described problems with twooverlapping fragments the normalizerwould re-assemble (and re-fragment ifnecessary) those packets before forward-ing Since re-assembly is a valid opera-tion the normalizer would in thisexample have no impact on the seman-tics at all
Paxson also pointed out some of theproblems with this approach one ofwhich is the ldquocold startrdquo problem(re-)starting the normalizer will showmany valid connections already estab-lished It is difficult to handle those con-nections accordingly (this is also true forthe NIDS itself) The normalizer hasbeen implemented and will be availableat wwwsourceforgenet soon
In the QampA session Steven Bellovinwanted to know whether normalization
would not be needed at the applicationlayer as well The presenter answered inthe affirmative
For more information contactvernaciriorg
SESSION OPERATING SYSTEMS
Summarized by Mike Vernal
SECURITY ANALYSIS OF THE PALM OPERATING
SYSTEM AND ITS WEAKNESSES AGAINST
MALICIOUS CODE THREATS
Kingpin and Mudge stake Inc
Kingpin and Mudge began their presen-tation with a bold fashion statementappearing in matching white bathrobesTheir bathrobes aimed to underscore thefact that PDAs can undermine user pri-vacy in a public setting Their effortswere later rewarded with the covetedUSENIX Style Award presented by thereal Peter Honeyman of the Universityof Michigan
The presentation centered on the secu-rity threat posed by the recent ubiquityof Personal Digital Assistants (PDAs)and more specifically devices runningthe Palm Operating System Palmdevices increasingly are being used insecurity-sensitive settings such as hospi-tals and government agencies While thegovernment is now aware of the securitythreat posed by PDAs the corporateworld has remained generally oblivious
17November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SThe security threat of the Palm stemsfrom the PalmOSrsquos lack of a well-definedsecurity framework Specific weaknessesenumerated include the direct address-ability of hardware the lack of memoryencryption the lack of ACLs weakobfuscation of passwords and a back-door debug mode that allows for thebypassing of ldquosystem lockoutrdquo Becauseof these and other weaknesses the audi-ence agreed with the assertion thatdeveloping a secure application on topof the PalmOS would be impossible
The presentation suggested thatunscrupulous users could exploit anumber of weaknesses to install mali-cious code including normal applica-tion installation desktop conduitscreator ID replacement wireless com-munications and the Palm DebuggerAnother threat raised by Kingpin andMudge was the possibility of a new set ofcross-pollinating viruses which could beacquired via a Palm and propagatethemselves to desktop computers via theHotSync operation or vice versa
With the growing popularity of PDAsKingpin and Mudge invoked OccamrsquosRazor all other factors being equal thePDA may be the malicious userrsquos easiestpoint of entry into an information net-work The upcoming PalmOS 40reportedly fixes some of the securityconcerns raised In the interim usersshould be made aware of the possiblesecurity threats and restrict or eliminatetheir use of sensitive data and applica-tions on Palm devices
SECURE DATA DELETION FOR LINUX
FILE SYSTEMS
Steven Bauer and Nissanka B Priyan-tha MIT
Steven Bauer presented an implementa-tion of a kernel-level secure data-dele-tion (SDD) mechanism for the ext2 filesystem
Bauer suggested that with the increasingprevalence of public kiosks thin clientsmulti-user computing clusters and dis-tributed file systems users will want toensure that when their data is deletedfrom these systems it is truly and irre-trievably deleted
In 1996 Peter Gutmann of IBM demon-strated that data that had been overwrit-ten on a magnetic disk could berecovered using advanced probing tech-niques While popular lore has suggestedcertain government agencies may beable to recover data overwritten dozensof times no commercial data recoverycompany contacted in conjunction withBauerrsquos research believed that it couldrecover data that had been overwrittenmore than once As such the SDD sys-tem as described probably only needs tooverwrite data a few times
This SDD system was designed to ensurethat all flagged data is deleted even inthe event of system failure The deletionprocess was designed as an asynchro-nous daemon to ensure that it did notinterfere with normal operation andperformance Though implemented forthe ext2 file system Bauer asserts thatthis system should be portable to anyblock-oriented file system
The ext2 implementation used theunused secure-deletion flag settablewith the chattr() function With thismechanism the granularity with whichsecure deletion can be specified rangesfrom an entire device to an individualfile Questions were raised as to the vul-nerability of temporary files that are notflagged in a secure deletion zone Bauerrecommended that for maximum secu-rity the entire device should be flaggedfor secure deletion
Kingpin and Mudge
SESSION MANAGING CODE
Summarized by Sameh Elnikety
STATICALLY DETECTING LIKELY BUFFER
OVERFLOW VULNERABILITIES
David Larochelle and David Evans Uni-versity of Virginia
Buffer overflow attacks account forapproximately half of all security vul-nerabilities Programs written in C areparticularly susceptible to buffer over-flow attacks because C allows directpointer manipulations without anybounds checking
Run-time approaches to mitigate therisks of buffer overflow incur perfor-mance penalties and they turn bufferoverflow attacks into denial-of-serviceattacks by terminating execution of theattacked processes Static checking over-comes these problems by detecting likelyvulnerabilities before deployment
The authors developed a practical light-weight static analysis tool based onLCLint to detect a high percentage oflikely buffer overflow vulnerabilities
The tool exploits semantic comments(annotations) that describe programmerassumptions and intents These annota-tions are treated as regular C commentsby the compiler but are recognized assyntactic entities by LCLint The annota-tions represent preconditions and post-conditions for functions to determinehow much memory has been allocatedfor buffers LCLint uses traditional com-piler data flow analyses with constraintgeneration and resolution Also LCLintuses loop heuristics to efficiently analyzemany loop idioms in typical C pro-grams
The authors used the tool to analyze wu-ftpd which is a popular open sourceFTP server and part of BIND which is aset of domain-name tools and librariesthat is considered the reference imple-mentation of DNS Running LCLint issimilar to running a compiler For wu-
18 Vol 26 No 7 login
ftpd it took less than one minute forLCLint to analyze all 17000 lines ofunmodified wu-ftpd source code Thisresulted in 243 warnings that showedknown and unknown buffer overflowvulnerabilities
LCLint source code and binaries areavailable from httplclintcsvirginiaedu
FORMATGUARD AUTOMATIC PROTECTION
FROM PRINTF FORMAT STRING
VULNERABILITIES
Crispin Cowan Matt Barringer SteveBeattie Greg Kroah-Hartman WireXCommunications Inc Mike FrantzenPurdue University and Jamie LokierCERN
In June 2000 a major new class of vul-nerabilities called format bugs was dis-covered when a vulnerability inWU-FTP appeared that looked almostlike a buffer overflow but was not It isunsafe to allow potentially hostile inputto be passed directly as the format stringfor calls to printf-like functions Thedanger is that the inclusion of direc-tives especially n in the format stringcoupled with the lack of any effectivetype or argument counting in Crsquosvarargs facility allows the attacker toinduce unexpected behavior in pro-grams
The authors developed FormatGuard asmall patch to glibc It provides generalprotection against format bugs usingparticular properties of the GNU CPPmacro-handling mechanism to extractthe count of actual arguments to printfstatements This is then passed to a safeprintf wrapper The wrapper parses theformat string to determine how manyarguments to expect and if the formatstring calls for more arguments than theactual number of arguments it raises anintrusion alert and kills the process
FormatGuard fails to protect against for-mat bugs under several circumstancesFor example if the program uses a func-
tion pointer that has the address ofprintf then it evades the macro expan-sion
FormatGuard is incorporated in WireXrsquosImmunix Linux distribution and serverproducts It is available as a GPLrsquod patchto glibc at httpimmunixorg
DETECTING FORMAT STRING VULNERABILITIES
WITH TYPE QUALIFIERS
Umesh Shankar Kunal Talwar Jeffrey SFoster and David Wagner Universityof California Berkeley
Systems written in C are difficult tosecure given Crsquos tendency to sacrificesafety for efficiency Format string vul-nerabilities can occur when user input isused as a format specifier One of themost common cases is when the pro-gram uses printf with one argument auser-supplied string assuming that thestring does not contain any directiveThe authors presented a tool (cqual)that automatically detects format stringbugs at compile time using type-theo-retic analysis techniques With this staticanalysis vulnerabilities can be proac-tively identified and fixed before thecode is deployed
Cqual builds an annotated Abstract Syn-tax Tree (AST) Then it traverses theAST to generate a system of type con-straints which is solved online Warn-ings are produced whenever aninconsistent constraint is generatedCqual presents the results of taintinganalysis to the programmer using Pro-gram Analysis Mode for Emacs (PAM)PAM is a GUI that is designed to addhyperlinks and color mark-ups to thepreprocessed text of the program Theinterface shows the taint flow path tohelp programmers determine how avariable becomes tainted
The configuration files makes cqualusable without modifying the sourcecode The authors analyzed four secu-rity-sensitive benchmark programs withthe same standard prelude file and no
direct changes to the applicationsrsquosource code Typically a few application-specific entries were added to the prel-ude file to improve accuracy in thepresence of wrappers around libraryfunctions Cqual reliably finds all knownbugs for the benchmark programs Italso reports few false positives Cqual isfast it usually takes less than a minute
Cqual is available at httpbanecsberkeleyeducqual
SESSION AUTHORIZATION
Summarized by Rachel Greenstadt
CAPABILITY FILE NAMES SEPARATING
AUTHORIZATION FROM USER MANAGEMENT
IN AN INTERNET FILE SYSTEM
Jude T Regan consultant Christian DJensen Trinity College
On the Internet there is no reliable wayto establish an identity Flexible user-user collaboration outside of an admin-istered system so that people couldcreate ad hoc work groups and removearbitrary limitations to informationsharing is the authorsrsquo goal
Such a system should be globally accessi-ble easy to use and require as littleintervention by system administrators aspossible This system should integratewith existing systems and applications Itshould have fine granularity so thatusers would not have to use complicatedexport mechanisms to share files
The authors used the concept of a capa-bility a token conveying specified accessrights to a named object in order tomake the identity of the object and theaccess rights inseparable They embed-ded the capability in something everysystem knows ndash the file name
The authors concluded that the systemwas safe from interception and modifi-cation Attackers could forge the clientpart but not the server part of the filenames Service could be interrupted butprotecting against this is impossible
19November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Swithout complete control of the net-work Performance was evaluated incomparison to NFS Most of the over-head was in the open statement Readswere slightly slower and writes weremuch slower but they felt this could bealleviated by implementing symmetricwrites
KERBERIZED CREDENTIAL TRANSLATION ASOLUTION TO WEB ACCESS CONTROL
Olga Kornievskaia Peter HoneymanBill Doster and Kevin Coffman CITIUniversity of Michigan
There are two different authenticationmechanisms those used for servicessuch as login AFS and mail for whichKerberos is popular and public key-based mechanisms such as SSL which isused to establish secure connections onthe Web These systems need to be ableto work together to satisfy a request
The authors propose to achieve the bestof both worlds by leveraging Kerberos tosolve PKI key management This will useexisting infrastructures which allowstrong authentication on the Web withSSL and which provide access to Kerber-ized back-end services They propose asystem to provide interoperabilitybetween PKI and Kerberos Their systemconsists of (1) a Certificate Authority(CA) KX509 which creates short-livedcertificates (2) a Web server which actslike a proxy for users by requesting serv-ices from Kerberized back-end servicesand (3) a Kerberized Credential Transla-tor which translates public-key creden-tials to Kerberos They created aprototype of their system called WebAFSusing AFS as an example Kerberized ser-vice
DOS AND DONrsquoTS OF CLIENT AUTHENTICA-TION ON THE WEB
Kevin Fu Emil Sit Kendra Smith and
Nick Feamster MIT
[This paper received the Best StudentPaper Award]
Kevin gave a very amusing presentationwhich illustrated the gap between secu-rity theory and practice He described avariety of Web sites that used insecureclient authentication schemes and pre-sented hints on how to avoid their mis-takes
Client authentication seems like a solvedproblem but many sites continue tocome up with homebrew schemes whichjust donrsquot quite get it right Out of the 27Web sites the cookie eaters group exam-ined they weakened the security on twosites were able to mint authenticatorson eight and on one site were able toobtain the secret key Some of these siteswere high profile such as the Wall StreetJournal (wsjcom) Sprint PCS (sprint-pcscom) and FatBrain (fatbraincom)
In most cases the mistakes made inthese sites were simple By simply look-ing at their cookie files the authors couldquery Web servers and look at headersresponses and create sample authentica-
tors Except forSprint theseattacks involved noeavesdropping atall The schemeswere not evenstrong against whatthe authors termedthe ldquointerrogativeadversaryrdquo Thisadversary has nospecial access but it
adaptively queries a Web server a rea-sonable number of times It just sitsthere and connects to port 80 it cannotdefeat SSL client authentication HTTPbasic or digest authentication The bestsuch an adversary can do against a pass-
Kevin Fu
word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable
In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password
Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary
In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu
SESSION KEY MANAGEMENT
Summarized by Sameh Elnikety
SC-CFS SMARTCARD SECURED
CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi CITI University of Michigan
Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS
20 Vol 26 No 7 login
implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation
When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory
SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key
The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds
SECURE DISTRIBUTION OF EVENTS IN
CONTENT-BASED PUBLISH SUBSCRIBE
SYSTEMS
Lukasz Opyrchal and Atul Prakash University of Michigan
Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage
Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize
The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
The number of servers supporting1024-bit key size increased by 10while a decrease of 8 was seen forsupport of less than 512-bit keysize
The protocol adoption saw a shiftfrom SSL v2 (3 decrease) towardTLS (5 increase)
What got worse
The number of expired certificatesincreased from 31 to 37
Self-signed certificates increasedfrom 08 to 20
The results presented raised many ques-tions from the audience
Question Why do you think there wasan increase in the number of self-signedcertificates
Answer This may be due to people play-ing around with OpenSSL or the surveymay have picked up servers used forinternal use Furthermore the increasein the number of expired certificatesmay have been a result of study errorandor the inclusion of abandoned Websites
Question Did you retest the serversfrom last yearrsquos survey
Answer No This was a new list andtherefore a completely new survey
Question Is the raw data available
Answer You can email ericmlnecomfor private requests
Question Which browsers do you usefor personal use
Answer Linux and Netscape
REVERSING THE PANOPTICON
Deborah Natsios cartomeorg JohnYoung cryptomeorg
Summarized by Mike Vernal
Deborah Natsios described the missionof cartomeorg and cryptomeorg as anattempt to reverse the one-way flow ofinformation controlled by the national
10 Vol 26 No 7 login
surveillance state Based upon theassumption that information is powerNatsios likened the work of cartomeorgand cryptomeorg to that of Ariadne inthe myth of Theseus and the MinotaurBy reversing the flow of informationcartomeorg and cryptomeorg hope toempower those who may be caught inthe labyrinth of the security state muchas Ariadne empowered Theseus with atrail of silk thread through the labyrinthof Crete
John Young continued by explainingthat cryptomeorg welcomed the sub-mission of proprietary or classified doc-uments and trade secrets from anynation or corporation Young describeda few such documents and the unfavor-able responses they had received TheBritish government objected to one doc-ument and attempted to have cryp-tomeorgrsquos Internet service provider shutthe site down Another documentprompted diplomatic requests from theJapanese government for its removal Allattempts to shut the site down have thusfar been rebuffed but Young imaginesthat someone will eventually be success-ful
Other information cryptomeorg hasreceived and published include proofsthat American corporations used USintelligence to stay ahead of foreigncompetitors the names of over 8000CIA informants and currently the pro-grams and keys associated with Russianprogrammer Dmitri Skylarovrsquos crack ofAdobersquos E-book system for which hewas arrested in July
An audience member asked what typesof material cryptomeorg would notpublish Young explained that cryp-tomeorg is open to any kind of publica-tion but they have refused to publishchild pornography documents andinformation related to biological war-fare They also feel that personal prerog-ative takes precedence over the publicrsquosright to know so they will remove per-
sonal information and documents ifrequested by the person in questionThey also reminded the audience thatthey do not verify the authenticity of theinformation they publish ndash they leavethat to the interested reader
Young repeatedly stressed what hebelieved to be the transitory nature ofcryptomeorg He assured the audiencethat at some point cryptomeorg willeither be silenced or it will simplymature away from the cutting edgeWhen that finally happens Young isconfident that someone else will emergeat the vanguard of the quest to reversethe Panopticon state
DESIGNS AGAINST TRAFFIC ANALYSIS
Paul Syverson US Naval ResearchLaboratory
Summarized by Yong Guan
Paul Syverson used a pseudonym ldquoPeterHoneymanrdquo on his talk a joke whichpervaded the rest of the conference
Although the encryption of networkpackets ensures privacy of the payload ina public network packet headers iden-tify recipients packet routes can betracked and volume and timing signa-tures are exposed Since encryption does not hide routing information pub-lic networks are vulnerable to trafficanalysis
Traffic analysis can reveal for examplewho is searching a public database whatWeb sites are surfed which agencies orcompanies are collaborating where youremail correspondents are what sup-pliesquantities you are ordering andfrom whom and so forth
Knowing traffic properties can help anadversary decide where to spendresources for decryption and penetra-tion Therefore it is important todevelop countermeasures to preventtraffic analysis
The security goal of traffic-analysis-resistant systems is to hide one or moreof the following
Sender activity that a site is sendinganything
Receiver activity that a site isreceiving anything
Sender content that a sender sentspecific content
Receiver content that a receiverreceived specific content
Source-destination linking that aparticular source is sending to aparticular destination
Channel linking identifying theendpoints of a channel
Some systems were described
Dining Cryptographers (DC) ndash net-works in which each participant sharessecret coin flips with other pairs andannounces the parity of the flips theparticipant has seen to all other partici-pants and the receiver
Chaum mixes ndash a network of mix nodesin which messages are wrapped in mul-tiple layers of public-key encryption bythe sender one for each node in a routeMost widely used anonymous commu-nication systems use the Chaum mixmethod
There are two kinds ofroutes for the messagesmix cascade where allmessages from anysource move through afixed-order ldquocascaderdquo ofmixes and randomroute where the routeof any message is
selected at random by the sender fromthe available mixes
Remailers mainly used for emailanonymity employ rerouting of anemail through a sequence of multiplemail remailers before the email reachesthe recipient so that the true origin ofthe email can be hidden
Anonymizer and SafeWeb provide fastanonymous interactive communicationservices They are essentially Web prox-
11November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sies that filter out the identifying headersand source addresses from Webbrowsersrsquo requests Instead of the userrsquostrue identity (eg IP address) a Webserver can only learn the identity of theWeb proxy Both offer encrypted links totheir proxy (SSL or SSH) Anonymizer isa single point of failure whereasSafeWeb is a double point of failureSafeWeb offers additional protectionfrom censorship
Crowds aims at protecting usersrsquo Web-browsing anonymity Like Onion Rout-ing the Crowds protocol uses a series ofcooperating proxies (called jondo) tomaintain anonymity within the groupUnlike Onion Routing the sender doesnot determine the whole path Insteadthe path is chosen randomly on a hop-by-hop basis At each hop a decision ismade whether to submit the requestdirectly to the end server or to forward itto another randomly chosen memberaccording to forwarding probability Theexpected path length is controlled by theforwarding probability Cycles areallowed on the path The receiver isknown to any intermediate node on theroute Once a path out of a crowd ischosen it is used for all the anonymouscommunication from the sender to thereceiver within a 24-hour periodCrowds does not have a single point offailure and is a more lightweight cryptothan mix-based systems HoweverCrowds has limitations all users mustrun Perl code users have to have long-running high-speed Internet connec-tions an entirely new network graph isneeded for a new or reconnecting Crowdmember connection anonymity isdependent on data anonymity andresponder protection is weak
Onion Routing provides anonymousInternet connection services The OnionRouting network operates on top ofexisting TCPIP networks such as theInternet It builds a rerouting pathwithin a network of onion routers
which in turn are similar to real-timeChaum mixes In Onion Routing thedata packet is broken into fixed-sizecells and each cell is encrypted multipletimes (once for each onion router on thepath) Thus a recursively layered datastructure called an onion is constructedAn onion is the packet transmitted alongthe rerouting path The fixed size of anonion limits a route to a maximum of 11nodes in the current implementationOnions can be tunneled to producearbitrary length routes
Onion Routing I (Proof-of-concept)uses a network of five Onion Routingnodes operating at the Naval ResearchLaboratory It forces a fixed length (fivehops ie five intermediate onionrouters) for all routes
Onion Routing II can support a networkof up to 50 core onion routers For eachrerouting path through an Onion Rout-ing network each hop is chosen at ran-dom The rerouting path may containcycles although only cycles with one ormore intermediate nodes are allowed
Freedom Network also aims at provid-ing anonymity for Web browsing Fromthe userrsquos point of view Freedom is verysimilar to Onion Routing Freedom con-sists of a set of nodes (called Anony-mous Internet Proxy) which run on topof the existing Internet infrastructureTo communicate with a Web server theuser first selects a series of nodes to forma rerouting path and then uses this pathto forward the requests to its destina-tion The Freedom Route Creation Pro-tocol allows the sender to randomlychoose the path but the path length isfixed to be three The Freedom client-user interface does not allow the user tospecify a path-containing cycle TheFreedom client must either have all theintermediate nodes in the path chosenor choose a preferred first node and lastnode and the intermediary nodes arepicked at random
Paul Syverson
For more information visit httpwwwonion-routernet andhttpwwwsyversonorg
Question Who manages the onionrouters Are they managed independ-ently
Answer Yes The onion routers can bedistributed anywhere and be managedby different groups
Question Do you believe that thelonger the path the safer the anony-mous communication system
Answer I am not sure
COUNTERING SYN FLOOD
DENIAL-OF-SERVICE (DOS) ATTACKS
Ross Oliver Tech Mavens
Summarized by David RichardLarochelle
SYN flood attacks are a nasty DoSattack The attacker sends a SYN packetbut does not complete the three-wayhandshake This is hard to defendagainst because SYN packets are part ofnormal traffic and unlike ping attacksyou canrsquot firewall them Since SYN pack-ets are small the attack can be done withlimited bandwidth Finally the attacksare difficult to trace because source IPaddresses can be faked Ross Oliverstressed that itrsquos up to you to defendyourself (law enforcement is unable todeal with attacks as they occur if theycan deal with them at all) and suggestedthat firewalls employing SYN flooddefenses are the best way of doing this
He reviewed four such products PIX byCisco Firewall-1 by CheckpointNetscreen 100 by Netscreen and App-Safe (previously called AppSwitch) byTopLayer To test these products heplaced a Web server behind the firewalland used a machine with a script whichcalled wget repeatedly to request Webpages to represent the legitimate clienttraffic An attacking machine threw SYNpackets with forged source addresses atthe Web server
12 Vol 26 No 7 login
The Cisco PIX used a threshold tech-nique which allowed a set number ofincomplete connections and droppedadditional SYN packets The testsshowed no significant improvementover no firewall The Firewall-1 faredslightly better It lets SYN packets reachthe Web server and then sends an ACKpacket to the Web server to complete thethree-way handshake Under a SYNflood attack the Web server will then
have a bunch of com-pleted connectionsinstead of half-openones Firewall-1 pro-tected up to 500 SYNsper second but withdegraded response timeThe Web server returned
to normal 3ndash10 minutes after the attackceased
Netscreen and AppSafe had the bestresults If these firewalls detect a SYNflood attack they proxy the incomingconnections and only send the Webserver the SYN and ACK packets if thehandshake is completed by the clientNetscreen detects SYN floods by lookingat the number of incomplete connec-tions It protected up to 14000 SYNssecwith acceptable response times and con-tinued to function at higher SYN ratesbut with increasing delays The serverresponded normally immediately afterthe attack
AppSafe used a more elaborateapproach It determined whether toproxy a connection request based on thesource IP address SYN packets from IPaddresses which had recently behavedlegitimately were let through to the Webserver immediately Only connectionsfrom previously unseen or malicious IPaddresses were proxied AppSafe waseffective up to 22000 SYNssec whichwas the most traffic that the attackingmachine could produce in this testHowever it was pointed out that in thetest the client machine used only one IP
This technique may not work as well in asituation in which there are new connec-tions from previously unseen clients
How much protection you need dependson what type of attack you expect Anattacker with a Cable or DSL connectioncan produce 200 SYNssec An attackerwith a T1 can produce 2343 SYNssecAccording to the paper ldquoInferring Inter-net Denial-of-Service Activityrdquo pre-sented the previous day 46 of DoSattacks involved more than 500SYNssec but only 24 were above14000 SYNssec This level can be han-dled with a single firewall Multiple ordistributed attacks may require multipleparallel firewalls Because of the widerange of performance between devicesOliver stressed the importance of testingand advised testing the devices yourselfif possible
REAL STATEFUL TCP PACKET FILTERING WITH
IP FILTER
Guido van Rooij Eindhoven Universityof Technology
Summarized by Evan Sarmiento
Old firewall implementations used to fil-ter TCP sessions using addresses andports only creating an interesting prob-lem The administrator would have toguess the source port of the packet inorder to filter it correctly In order tosolve this a new trend in firewalls is tointroduce stateful packet filtering State-ful packet filters remember and onlyallow through addresses and ports ofconnections that are currently set up
Even before Guido van Rooijrsquos work IPFilter did have stateful packet filteringbut it was implemented in the wrongway IP Filter does take sequence ACKand window values into account but itmakes the wrong assumption that pack-ets seen by the filter host will also beseen by the final destination Thisassumption caused IP Filter to droppackets in certain situations The newstate engine for IP Filter encompassesthe following goals
Ross Oliver
Conclusions made by the enginemust be provable
All kinds of TCP behavior must betaken into account
The number of blocked packetsmust be minimized
Blocking of packets must never leadto hanging connections
Opportunities for abuse should bemade as small as possible
The new state engine includes 20 bytesper state entry and about 40 lines of Ccode without loops thus the perfor-mance overhead is minimal
However even the new state engine isnot always successful even though it is agreat improvement Occasionallyblocked FIN and ACK packets causeproblems in the state timeout handlingfor TCP half-closed sessions IP Filterdrops packets coming from a few Win-dows NT workstations for a strange andas yet unknown reason
Guido then outlined some future addi-tions to IP Filter He would like to beable to fix fragment handling add sup-port for sessions entering the state tableafter establishment and check validity ofa session if a packet comes in from themiddle of the connection
REFEREED PAPERS
SESSION DENIAL OF SERVICE
Summarized by Stefan Kelm
USING CLIENT PUZZLES TO PROTECT TLS
Drew Dean Xerox PARC Adam Stub-blefield Rice University
Adam Stubblefield presented their workon a DoS protection technique namelythe use of client puzzles within the TLSprotocol Even though client puzzleshave been supposed to be a solution toDoS attacks Stubblefield pointed outthe lack of actual implementations Thechoice of TLS as the protocol to protectagainst DoS seems obvious but TLS issubject to DoS attacks because of thecomputing-expensive cryptographic
13November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Soperations performed at both the clientand the server side A server howeverhas to perform the more expensive RSAdecrypt operations during the sessionhandshake thus any small number ofclients could easily overload a TLS serverby flooding the server with TLS hand-shake messages The goal of this work isto prevent this using cheap methods
The idea of TLS-based cryptographicpuzzles is to first let the client do thework and subsequently the server If theserver is under a heavy load it sends aso-called ldquopuzzle requestrdquo to the clientThe client in turn has to compute anumber of operations which it then usesto send a ldquopuzzle solutionrdquo back to theserver Thus the server will not need tocontinue the TLS handshake unless theclient has proven its intent to really opena TLS connection
Client puzzles are surprisingly easy toimplement on both the client and theserver side Stubblefield used modifiedOpenSSL and mod_ssl source code totest the implementation The implemen-tation uses a metric which tracks unfin-ished RSA decrypt requests in order todecide whether or not the server isassumed to be under attack Sinceadding more latency to the TLS protocolwas not a goal of this work the serveronly sends a puzzle request back to theclient if it really has to This is imple-mented by using variable thresholds
The author concluded that they are ableto protect against certain denial-of-ser-vice attacks at not much cost and with agood user experience Moreover theproposed solution can be implementedusing already existing code
For more information contact astubblericeedu
INFERRING INTERNET DENIAL-OF-SERVICE
ACTIVITY
David Moore CAIDA Geoffrey MVoelker and Stefan Savage Universityof California San Diego
This paper awarded the best paperaward tried to answer the question ofhow prevalent denial-of-service attacksin the Internet currently are Theauthors ran a test over a period of threeweeks trying to come up with an esti-mate of worldwide DoS activity
David Moore presented the so-calledldquobackscatter analysisrdquo as their key ideaand outlined the basic technique sinceattackers normally use spoofed source IPaddresses the ldquoreal ownersrdquo of those IPaddresses regularly receive responsepackets from the systems being attacked(Moore called these ldquounsolicitedresponsesrdquo) By monitoring these unso-licited responses one is able to detectdifferent kinds of DoS attacks Further-more by observing a huge number ofdifferent IP addresses over a longerperiod of time sampling the results canprovide an overview of attacks going on
Moore presented some interestingresults and displayed a number of fig-ures and tables showing the number ofattacks the attacks over time the attackcharacterization the attack duration dis-tribution and the attack rate distribu-tion Moorersquos team observed a numberof minor DoS attacks (described as ldquoper-sonal vendettasrdquo) as well as some victimsunder repeated attack Classifying thevictims by TLD showed countries likeRomania and Brazil being attacked farmore often than most other TLDs Thepresenterrsquos hypothesis was that eitherthose countries host ISPs that attackeach other or there simply are morehackers located in Romania and Brazil(this was later denied by someone in theaudience stating that Romania has reallynice people)
In conclusion the authors observedsome very large DoS attacks thoughmost attacks seem to be short in dura-tion Another result showed the majorityof attacks being TCP based To clarifythis technique is not good at distin-guishing between DoS and DDoS
attacks since it is not good at distin-guishing between attackers
During the QampA session one questionwas on why the analysis showed noattacks on the mil domain Theresponse given was that either mil is notunder attack (unlikely) or that backscat-ter packets are being filtered
For more information contactdmoorecaidaorg or see httpwwwcaidaorgoutreachpapersbackscatter
MULTOPS A DATA-STRUCTURE FOR
BANDWIDTH ATTACK DETECTION
Thomer M Gil Vrije UniversiteitMITMassimiliano Poletto MIT
Thomer Gil proposed a heuristic as wellas a new data structure to be used byrouters and similar network devices todetect (and possibly eliminate) denial-of-service attacks Most DoS attacksshow disproportional packet rates with ahuge number of packets being sent tothe victim and only very few packetsbeing sent by the victim in response Thenew data structure called MULTOPS(Multi-Level Tree for Online Packet Sta-tistics) monitors certain Internet trafficcharacteristics and is able to drop pack-ets based on either the source or the des-tination address
The main implementation challengeswith MULTOPS have been and still arethe precise identification of maliciousaddresses athe achievement of a smallmemory footprint and a low overheadon forwarding ldquorealrdquo traffic as opposedto DoS-based traffic MULTOPS isimplemented as a memory-efficient treeof nodes which contains packet-rate sta-tistics and which dynamically grows andshrinks with the traffic being observedAt the current implementation packetsare dropped based on either a variablepacket rate or a ratio Since it usually isimpossible to identify an attacker(because of IP spoofing) packets can bedropped based on the victimrsquos IP too
14 Vol 26 No 7 login
The authors succeeded in simplifyingmemory management and the mecha-nism that keeps track of packets Gilpointed out that their solution is suc-cessfully being used by a network com-pany They are currently trying to focuson the behavior of different TCP imple-mentations as well as protocols otherthan TCP
Someone brought up the question ofdifferentiating DoS traffic from trafficthat normally shows disproportionalpacket flows eg video traffic The replysuggested the possibility of buildingsome kind of knowledge base A livelydiscussion on random class A addresseswithin MULTOPS subsequently arosebut was taken offline
For more information contact thomerlcsmitedu
SESSION HARDWARE
Summarized by Anca Ivan
DATA REMANENCE IN SEMICONDUCTOR
DEVICES
Peter Gutmann IBM TJ WatsonResearch Center
Peter Gutmann explained the dangers ofdeleting data in semiconductors Every-one knows that deleting data from mag-netic media is very hard but not toomany realize that the same problemexists for semiconductors especiallysince there are so many ways of buildingsemiconductors each with its own set ofproblems and solutions After giving ashort background introduction in semi-conductors and circuits (n-type p-typeSRAM DRAM) Peter described some ofthe most important issues
Electromigration because of highcurrent densities metal atoms aremoved in the opposite direction ofthe normal current flow The conse-quence is that the operating proper-ties of the device are stronglyaltered
Hot carriers during operation thedevice heats up and its characteris-tics change considerably
Ionic contamination this is nolonger an issue and its effects are nolonger significant
Radiation-induced charging itfreezes the circuit into a certainstate
The first phenomenon enables attackersto recover partial information from spe-cial-purpose devices (eg cryptographicsmartcards) The next two can be usedto recover data deleted from memory Inorder to avoid long- and short-term dataretention from semiconductors (a DESkey was recovered in the lsquo80s)researchers developed a series of solu-tions that use various semiconductorforensic techniques including the fol-lowing two
Short-term retention probably thesafest way to defend against it is notto keep the same values in the samememory cells for too long (maxi-mum a few minutes)
Long-term retention in 1996 someresearchers proposed periodicallyflipping the stored bits In this wayno cell holds the same bit value forlong enough to ldquorememberrdquo it
In the end Peter talked about how allthe problems cited above extend to flashmemory For example random genera-tors can generate strings of 1s when thepool is empty or information can beleaked into adjacent cells into shared cir-cuitry
Even though the entire presentationscared at least one person in the audi-ence (guess who) Peter assured us thatreality is not that gloomy In fact theonly problem is the lack of a standardEvery time people decide to choose oneimplementation method they shouldalso choose which solutions are best forit Answering a question Peter told usthat personal computers are not affected
by those problems but that most special-ized devices like airplane black boxescan leak information if analyzed withvery sophisticated equipment But thenagain who has such equipment
STACKGHOST HARDWARE-FACILITATED
STACK PROTECTION
Mike Frantzen CERIAS Mike ShueyPurdue University
The authors presented a software solu-tion to the return-pointer hijackingproblem The most important step inthe function-call process is when thecaller saves the return pointer beforegiving the control to the called functionMany attacks are based on changing thispointer When the callee finishes thereturn pointer dictates which functiontakes control next StackGhost is a pieceof software that automatically and trans-parently saves the return pointer andreplaces it with another number Whenthe called function completes Stack-Ghost verifies the integrity of that num-ber (catching in this way possibleattacks) and reinstalls the correctpointer value
The security of StackGhost depends onhow it modifies the return pointer tocatch attacks the authors have tried sev-eral ways
Per kernel XOR with a 13-bit signedcookie the main problem is that anattacker can find out the cookie bystarting several arbitrary programs
Per process XOR with a 32-bitcookie this is safer than the previ-ous method but more expensive
Encryptdecrypt the return pointerthis method seems to be the mostexpensive
Return-address stack this methodreplaces the return pointer withanother number and saves thepointer into a return-address stackHowever this would impede otherapplications from running correctly
15November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SAfter making performance measure-ments for all techniques the authorsnoticed that the chances of StackGhostnot catching an attack were 1 in 3 forXOR cookies and 1 in 232 for the return-address stack The conclusion was thatStackGhost was offering protectionagainst return-pointer overriding to allprocesses in the system (which might beseen as a disadvantage)
IMPROVING DES COPROCESSOR THROUGH-PUT FOR SHORT OPERATIONS
Mark Lindemann IBM TJ Watson
Research Center Sean W Smith
Dartmouth College
While the first two talks in this sessionwere at opposite poles (one deeply hard-ware and one purely software) the thirdone was somehow in the middle Thepresenter Sean Smith is one the fathersof the cryptographic card developed atIBM and presently working at Dart-mouth College Everything started in avery optimistic fashion with the usualintroduction we would have expectedfrom an IBM representative trying to sellus this device ldquoIt is secure it is fast it is reliablerdquo All the buzzwords werethere However with the next slide thischanged to ldquoIt is not as secure fast as we thoughtrdquo For example the specifi-cation promised the DES speed to be 20megabytessecond when in reality afriend obtained less than two kilobytessecond in a database application Wherewas the discrepancy coming from Themain intuition was that the specificationgives the performance for operations onmegabytes of input The real speed ismuch slower if the data is shipped to thecard in small chunks The differencebetween specs and reality was too bignot to be studied and Lindemanndecided to find out the reasons behindit First they built a model that simu-lates the database application and thentried to improve the speed by modifyingthe execution conditions in the follow-ing ways
Reducing card-host interactionldquofolklore in IBMrdquo taught them thatany card-host interaction consumestoo much time Thus they rewrotethe application to minimize thenumber of interactions The speedwent up to 18ndash23 kilobytessecondhowever it was still too far frommegabyte speed
Batching all operations into onechip operation chip resets were tooexpensive The speed became 360kilobytessecond
Batching into multiple chip opera-tions it reduced the number ofLayer 3 ndash Layer 2 switches Thespeed changed to 30ndash290kilobytessecond still not good
Reducing data transfers they did itby using an internal key-table andboosted the speed to 1400 kilo-bytessecond
Using memory-mapped IO thiseliminated the internal ISA bus bot-tleneck The speed went up to 2500kilobytessecond
Batching operation parametersinstead of sending them as separatepackets It increased the speed to5000 kilobytessecond This waseven more than they were expect-ing but the results were incorrectThe client had asked for speed buthadnrsquot mentioned anything aboutcorrectness So was the problemsolved
Not using memory-mapped IO toincrease accuracy they gave up onmemory-mapped IO for initializa-tion vectors and count Unfortu-nately there was a smallperformance cost the speed wasnow 3000 kilobytessecond
From the clientrsquos point of view all ofthese steps showed them that the onlyway to maximize the performance whileusing the secure coprocessor was todesign DES-batched API From thedesignerrsquos point of view the conclusions
were simpler always distrust folkloreand think if and how people will useyour product before designing it
SESSION FIREWALLSINTRUSION
DETECTION
Summarized by Stefan Kelm and YongGuan
ARCHITECTING THE LUMETA FIREWALL
ANALYZER
Avishai Wool Lumeta
ldquoWhat is your firewall doingrdquo AvishaiWool asked the audience at the begin-ning of his presentation therebydescribing the motivation to build LFAthe ldquoLumeta Firewall Analyzerrdquo
Firewalls have been installed by almostall companies connected to the InternetHowever the underlying policy often isfar from being good enough to actuallyprotect the company from outsideattackers Network administrators oftendo not know how to set up a firewallsecurely much less how to test or auditthe firewall configuration Wool pointedout that LFA is the successor of the Fangprototype system built at Bell Labs as afirewall analysis engine
The key idea is not to probe the actualfirewall in any way but to allow testingof the configuration before the firewallis deployed The firewallrsquos routing tableand configuration files are used as inputto the LFA which parses these files andsimulates the behavior of any possiblepacket flow combination (LFA mainlyoffers support for Firewall-1 and PIX)The results are presented to the user asHTML pages
Wool concluded by giving a shortdemonstration As input to the LFA heused a short Firewall-1 policy whichcontained only six rules and explainedwhy even such a short rule set mightlead to problems once the firewall isdeployed During the QampA session heemphasized that the LFA only checkspacket headers not the content and
16 Vol 26 No 7 login
cannot therefore detect tunneling prob-lems
For more information contactyashacmorg or visit httpwwwlumetacomfirewallhtml
TRANSIENT ADDRESSING FOR RELATED
PROCESSES IMPROVED FIREWALLING BY
USING IPV6 AND MULTIPLE ADDRESSES PER
HOST
Peter M Gleitz and Steven M BellovinATampT Labs-Research
The authors proposed a method to sim-plify firewall decisions By using thelarge address space brought by IPv6they employed a strategy of multiplenetwork addresses per host That is foreach request on the client host an IPv6address is tied to the client process Thefirewall now makes access decisionsbased on transport layer protocol infor-mation (ie filtering is shifted fromports to addresses) Once approved thefirewall allows all traffic between the twopeers to pass to and fro Once the serviceis finished the IPv6 address is discardedThis method is called TARP (transientaddressing for related processes) TARPemploys two different types ofaddresses (fixed) server addresses andprocess group addresses
Gleitz discussed how TARP works withTCP and UDP applications and with thefirewall router domain name serverand IPSEC Employing TARP does notnecessarily affect the routers thoughTARP-aware routers can perform betterMoreover Gleitz pointed out that nomodifications to standard applicationssuch as Telnet SSH FTP Sendmail orTFTP are necessary in order to useTARP He also mentioned briefly someinterop problems with protocols such asDNS and ICMPv6
For more information contactpmgleitnetscapenet
NETWORK INTRUSION DETECTION EVASIONTRAFFIC NORMALIZATION AND END-TO-END
PROTOCOL SEMANTICS
Mark Handley and Vern Paxson ACIRIChristian Kreibich Technische Univer-sitaumlt Muumlnchen
This paper focused on the problem ofnetwork intrusion detection system(NIDS) evasion Attackers usually canfool any NIDS by exploiting certainambiguities in the packet flow beingmonitored by the NIDS ie (1) theNIDS may lack complete analysis of thepacket flow (eg no TCP stream re-assembly) (2) the NIDS may lack end-system knowledge (eg certainapplication vulnerabilities) and (3) theNIDS may lack network knowledge(eg the topology between the NIDSand an end system)
As a solution Paxson proposed thedeployment of a ldquonormalizerrdquo the goalof which would be to observe all packetsbeing sent between two network nodes(he called that a ldquobump-in-the-wirerdquo)and to modify (ldquonormalizerdquo) packetsthat seem to be ambiguous for one rea-son or another As an example theauthor described problems with twooverlapping fragments the normalizerwould re-assemble (and re-fragment ifnecessary) those packets before forward-ing Since re-assembly is a valid opera-tion the normalizer would in thisexample have no impact on the seman-tics at all
Paxson also pointed out some of theproblems with this approach one ofwhich is the ldquocold startrdquo problem(re-)starting the normalizer will showmany valid connections already estab-lished It is difficult to handle those con-nections accordingly (this is also true forthe NIDS itself) The normalizer hasbeen implemented and will be availableat wwwsourceforgenet soon
In the QampA session Steven Bellovinwanted to know whether normalization
would not be needed at the applicationlayer as well The presenter answered inthe affirmative
For more information contactvernaciriorg
SESSION OPERATING SYSTEMS
Summarized by Mike Vernal
SECURITY ANALYSIS OF THE PALM OPERATING
SYSTEM AND ITS WEAKNESSES AGAINST
MALICIOUS CODE THREATS
Kingpin and Mudge stake Inc
Kingpin and Mudge began their presen-tation with a bold fashion statementappearing in matching white bathrobesTheir bathrobes aimed to underscore thefact that PDAs can undermine user pri-vacy in a public setting Their effortswere later rewarded with the covetedUSENIX Style Award presented by thereal Peter Honeyman of the Universityof Michigan
The presentation centered on the secu-rity threat posed by the recent ubiquityof Personal Digital Assistants (PDAs)and more specifically devices runningthe Palm Operating System Palmdevices increasingly are being used insecurity-sensitive settings such as hospi-tals and government agencies While thegovernment is now aware of the securitythreat posed by PDAs the corporateworld has remained generally oblivious
17November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SThe security threat of the Palm stemsfrom the PalmOSrsquos lack of a well-definedsecurity framework Specific weaknessesenumerated include the direct address-ability of hardware the lack of memoryencryption the lack of ACLs weakobfuscation of passwords and a back-door debug mode that allows for thebypassing of ldquosystem lockoutrdquo Becauseof these and other weaknesses the audi-ence agreed with the assertion thatdeveloping a secure application on topof the PalmOS would be impossible
The presentation suggested thatunscrupulous users could exploit anumber of weaknesses to install mali-cious code including normal applica-tion installation desktop conduitscreator ID replacement wireless com-munications and the Palm DebuggerAnother threat raised by Kingpin andMudge was the possibility of a new set ofcross-pollinating viruses which could beacquired via a Palm and propagatethemselves to desktop computers via theHotSync operation or vice versa
With the growing popularity of PDAsKingpin and Mudge invoked OccamrsquosRazor all other factors being equal thePDA may be the malicious userrsquos easiestpoint of entry into an information net-work The upcoming PalmOS 40reportedly fixes some of the securityconcerns raised In the interim usersshould be made aware of the possiblesecurity threats and restrict or eliminatetheir use of sensitive data and applica-tions on Palm devices
SECURE DATA DELETION FOR LINUX
FILE SYSTEMS
Steven Bauer and Nissanka B Priyan-tha MIT
Steven Bauer presented an implementa-tion of a kernel-level secure data-dele-tion (SDD) mechanism for the ext2 filesystem
Bauer suggested that with the increasingprevalence of public kiosks thin clientsmulti-user computing clusters and dis-tributed file systems users will want toensure that when their data is deletedfrom these systems it is truly and irre-trievably deleted
In 1996 Peter Gutmann of IBM demon-strated that data that had been overwrit-ten on a magnetic disk could berecovered using advanced probing tech-niques While popular lore has suggestedcertain government agencies may beable to recover data overwritten dozensof times no commercial data recoverycompany contacted in conjunction withBauerrsquos research believed that it couldrecover data that had been overwrittenmore than once As such the SDD sys-tem as described probably only needs tooverwrite data a few times
This SDD system was designed to ensurethat all flagged data is deleted even inthe event of system failure The deletionprocess was designed as an asynchro-nous daemon to ensure that it did notinterfere with normal operation andperformance Though implemented forthe ext2 file system Bauer asserts thatthis system should be portable to anyblock-oriented file system
The ext2 implementation used theunused secure-deletion flag settablewith the chattr() function With thismechanism the granularity with whichsecure deletion can be specified rangesfrom an entire device to an individualfile Questions were raised as to the vul-nerability of temporary files that are notflagged in a secure deletion zone Bauerrecommended that for maximum secu-rity the entire device should be flaggedfor secure deletion
Kingpin and Mudge
SESSION MANAGING CODE
Summarized by Sameh Elnikety
STATICALLY DETECTING LIKELY BUFFER
OVERFLOW VULNERABILITIES
David Larochelle and David Evans Uni-versity of Virginia
Buffer overflow attacks account forapproximately half of all security vul-nerabilities Programs written in C areparticularly susceptible to buffer over-flow attacks because C allows directpointer manipulations without anybounds checking
Run-time approaches to mitigate therisks of buffer overflow incur perfor-mance penalties and they turn bufferoverflow attacks into denial-of-serviceattacks by terminating execution of theattacked processes Static checking over-comes these problems by detecting likelyvulnerabilities before deployment
The authors developed a practical light-weight static analysis tool based onLCLint to detect a high percentage oflikely buffer overflow vulnerabilities
The tool exploits semantic comments(annotations) that describe programmerassumptions and intents These annota-tions are treated as regular C commentsby the compiler but are recognized assyntactic entities by LCLint The annota-tions represent preconditions and post-conditions for functions to determinehow much memory has been allocatedfor buffers LCLint uses traditional com-piler data flow analyses with constraintgeneration and resolution Also LCLintuses loop heuristics to efficiently analyzemany loop idioms in typical C pro-grams
The authors used the tool to analyze wu-ftpd which is a popular open sourceFTP server and part of BIND which is aset of domain-name tools and librariesthat is considered the reference imple-mentation of DNS Running LCLint issimilar to running a compiler For wu-
18 Vol 26 No 7 login
ftpd it took less than one minute forLCLint to analyze all 17000 lines ofunmodified wu-ftpd source code Thisresulted in 243 warnings that showedknown and unknown buffer overflowvulnerabilities
LCLint source code and binaries areavailable from httplclintcsvirginiaedu
FORMATGUARD AUTOMATIC PROTECTION
FROM PRINTF FORMAT STRING
VULNERABILITIES
Crispin Cowan Matt Barringer SteveBeattie Greg Kroah-Hartman WireXCommunications Inc Mike FrantzenPurdue University and Jamie LokierCERN
In June 2000 a major new class of vul-nerabilities called format bugs was dis-covered when a vulnerability inWU-FTP appeared that looked almostlike a buffer overflow but was not It isunsafe to allow potentially hostile inputto be passed directly as the format stringfor calls to printf-like functions Thedanger is that the inclusion of direc-tives especially n in the format stringcoupled with the lack of any effectivetype or argument counting in Crsquosvarargs facility allows the attacker toinduce unexpected behavior in pro-grams
The authors developed FormatGuard asmall patch to glibc It provides generalprotection against format bugs usingparticular properties of the GNU CPPmacro-handling mechanism to extractthe count of actual arguments to printfstatements This is then passed to a safeprintf wrapper The wrapper parses theformat string to determine how manyarguments to expect and if the formatstring calls for more arguments than theactual number of arguments it raises anintrusion alert and kills the process
FormatGuard fails to protect against for-mat bugs under several circumstancesFor example if the program uses a func-
tion pointer that has the address ofprintf then it evades the macro expan-sion
FormatGuard is incorporated in WireXrsquosImmunix Linux distribution and serverproducts It is available as a GPLrsquod patchto glibc at httpimmunixorg
DETECTING FORMAT STRING VULNERABILITIES
WITH TYPE QUALIFIERS
Umesh Shankar Kunal Talwar Jeffrey SFoster and David Wagner Universityof California Berkeley
Systems written in C are difficult tosecure given Crsquos tendency to sacrificesafety for efficiency Format string vul-nerabilities can occur when user input isused as a format specifier One of themost common cases is when the pro-gram uses printf with one argument auser-supplied string assuming that thestring does not contain any directiveThe authors presented a tool (cqual)that automatically detects format stringbugs at compile time using type-theo-retic analysis techniques With this staticanalysis vulnerabilities can be proac-tively identified and fixed before thecode is deployed
Cqual builds an annotated Abstract Syn-tax Tree (AST) Then it traverses theAST to generate a system of type con-straints which is solved online Warn-ings are produced whenever aninconsistent constraint is generatedCqual presents the results of taintinganalysis to the programmer using Pro-gram Analysis Mode for Emacs (PAM)PAM is a GUI that is designed to addhyperlinks and color mark-ups to thepreprocessed text of the program Theinterface shows the taint flow path tohelp programmers determine how avariable becomes tainted
The configuration files makes cqualusable without modifying the sourcecode The authors analyzed four secu-rity-sensitive benchmark programs withthe same standard prelude file and no
direct changes to the applicationsrsquosource code Typically a few application-specific entries were added to the prel-ude file to improve accuracy in thepresence of wrappers around libraryfunctions Cqual reliably finds all knownbugs for the benchmark programs Italso reports few false positives Cqual isfast it usually takes less than a minute
Cqual is available at httpbanecsberkeleyeducqual
SESSION AUTHORIZATION
Summarized by Rachel Greenstadt
CAPABILITY FILE NAMES SEPARATING
AUTHORIZATION FROM USER MANAGEMENT
IN AN INTERNET FILE SYSTEM
Jude T Regan consultant Christian DJensen Trinity College
On the Internet there is no reliable wayto establish an identity Flexible user-user collaboration outside of an admin-istered system so that people couldcreate ad hoc work groups and removearbitrary limitations to informationsharing is the authorsrsquo goal
Such a system should be globally accessi-ble easy to use and require as littleintervention by system administrators aspossible This system should integratewith existing systems and applications Itshould have fine granularity so thatusers would not have to use complicatedexport mechanisms to share files
The authors used the concept of a capa-bility a token conveying specified accessrights to a named object in order tomake the identity of the object and theaccess rights inseparable They embed-ded the capability in something everysystem knows ndash the file name
The authors concluded that the systemwas safe from interception and modifi-cation Attackers could forge the clientpart but not the server part of the filenames Service could be interrupted butprotecting against this is impossible
19November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Swithout complete control of the net-work Performance was evaluated incomparison to NFS Most of the over-head was in the open statement Readswere slightly slower and writes weremuch slower but they felt this could bealleviated by implementing symmetricwrites
KERBERIZED CREDENTIAL TRANSLATION ASOLUTION TO WEB ACCESS CONTROL
Olga Kornievskaia Peter HoneymanBill Doster and Kevin Coffman CITIUniversity of Michigan
There are two different authenticationmechanisms those used for servicessuch as login AFS and mail for whichKerberos is popular and public key-based mechanisms such as SSL which isused to establish secure connections onthe Web These systems need to be ableto work together to satisfy a request
The authors propose to achieve the bestof both worlds by leveraging Kerberos tosolve PKI key management This will useexisting infrastructures which allowstrong authentication on the Web withSSL and which provide access to Kerber-ized back-end services They propose asystem to provide interoperabilitybetween PKI and Kerberos Their systemconsists of (1) a Certificate Authority(CA) KX509 which creates short-livedcertificates (2) a Web server which actslike a proxy for users by requesting serv-ices from Kerberized back-end servicesand (3) a Kerberized Credential Transla-tor which translates public-key creden-tials to Kerberos They created aprototype of their system called WebAFSusing AFS as an example Kerberized ser-vice
DOS AND DONrsquoTS OF CLIENT AUTHENTICA-TION ON THE WEB
Kevin Fu Emil Sit Kendra Smith and
Nick Feamster MIT
[This paper received the Best StudentPaper Award]
Kevin gave a very amusing presentationwhich illustrated the gap between secu-rity theory and practice He described avariety of Web sites that used insecureclient authentication schemes and pre-sented hints on how to avoid their mis-takes
Client authentication seems like a solvedproblem but many sites continue tocome up with homebrew schemes whichjust donrsquot quite get it right Out of the 27Web sites the cookie eaters group exam-ined they weakened the security on twosites were able to mint authenticatorson eight and on one site were able toobtain the secret key Some of these siteswere high profile such as the Wall StreetJournal (wsjcom) Sprint PCS (sprint-pcscom) and FatBrain (fatbraincom)
In most cases the mistakes made inthese sites were simple By simply look-ing at their cookie files the authors couldquery Web servers and look at headersresponses and create sample authentica-
tors Except forSprint theseattacks involved noeavesdropping atall The schemeswere not evenstrong against whatthe authors termedthe ldquointerrogativeadversaryrdquo Thisadversary has nospecial access but it
adaptively queries a Web server a rea-sonable number of times It just sitsthere and connects to port 80 it cannotdefeat SSL client authentication HTTPbasic or digest authentication The bestsuch an adversary can do against a pass-
Kevin Fu
word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable
In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password
Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary
In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu
SESSION KEY MANAGEMENT
Summarized by Sameh Elnikety
SC-CFS SMARTCARD SECURED
CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi CITI University of Michigan
Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS
20 Vol 26 No 7 login
implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation
When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory
SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key
The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds
SECURE DISTRIBUTION OF EVENTS IN
CONTENT-BASED PUBLISH SUBSCRIBE
SYSTEMS
Lukasz Opyrchal and Atul Prakash University of Michigan
Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage
Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize
The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
Sender activity that a site is sendinganything
Receiver activity that a site isreceiving anything
Sender content that a sender sentspecific content
Receiver content that a receiverreceived specific content
Source-destination linking that aparticular source is sending to aparticular destination
Channel linking identifying theendpoints of a channel
Some systems were described
Dining Cryptographers (DC) ndash net-works in which each participant sharessecret coin flips with other pairs andannounces the parity of the flips theparticipant has seen to all other partici-pants and the receiver
Chaum mixes ndash a network of mix nodesin which messages are wrapped in mul-tiple layers of public-key encryption bythe sender one for each node in a routeMost widely used anonymous commu-nication systems use the Chaum mixmethod
There are two kinds ofroutes for the messagesmix cascade where allmessages from anysource move through afixed-order ldquocascaderdquo ofmixes and randomroute where the routeof any message is
selected at random by the sender fromthe available mixes
Remailers mainly used for emailanonymity employ rerouting of anemail through a sequence of multiplemail remailers before the email reachesthe recipient so that the true origin ofthe email can be hidden
Anonymizer and SafeWeb provide fastanonymous interactive communicationservices They are essentially Web prox-
11November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sies that filter out the identifying headersand source addresses from Webbrowsersrsquo requests Instead of the userrsquostrue identity (eg IP address) a Webserver can only learn the identity of theWeb proxy Both offer encrypted links totheir proxy (SSL or SSH) Anonymizer isa single point of failure whereasSafeWeb is a double point of failureSafeWeb offers additional protectionfrom censorship
Crowds aims at protecting usersrsquo Web-browsing anonymity Like Onion Rout-ing the Crowds protocol uses a series ofcooperating proxies (called jondo) tomaintain anonymity within the groupUnlike Onion Routing the sender doesnot determine the whole path Insteadthe path is chosen randomly on a hop-by-hop basis At each hop a decision ismade whether to submit the requestdirectly to the end server or to forward itto another randomly chosen memberaccording to forwarding probability Theexpected path length is controlled by theforwarding probability Cycles areallowed on the path The receiver isknown to any intermediate node on theroute Once a path out of a crowd ischosen it is used for all the anonymouscommunication from the sender to thereceiver within a 24-hour periodCrowds does not have a single point offailure and is a more lightweight cryptothan mix-based systems HoweverCrowds has limitations all users mustrun Perl code users have to have long-running high-speed Internet connec-tions an entirely new network graph isneeded for a new or reconnecting Crowdmember connection anonymity isdependent on data anonymity andresponder protection is weak
Onion Routing provides anonymousInternet connection services The OnionRouting network operates on top ofexisting TCPIP networks such as theInternet It builds a rerouting pathwithin a network of onion routers
which in turn are similar to real-timeChaum mixes In Onion Routing thedata packet is broken into fixed-sizecells and each cell is encrypted multipletimes (once for each onion router on thepath) Thus a recursively layered datastructure called an onion is constructedAn onion is the packet transmitted alongthe rerouting path The fixed size of anonion limits a route to a maximum of 11nodes in the current implementationOnions can be tunneled to producearbitrary length routes
Onion Routing I (Proof-of-concept)uses a network of five Onion Routingnodes operating at the Naval ResearchLaboratory It forces a fixed length (fivehops ie five intermediate onionrouters) for all routes
Onion Routing II can support a networkof up to 50 core onion routers For eachrerouting path through an Onion Rout-ing network each hop is chosen at ran-dom The rerouting path may containcycles although only cycles with one ormore intermediate nodes are allowed
Freedom Network also aims at provid-ing anonymity for Web browsing Fromthe userrsquos point of view Freedom is verysimilar to Onion Routing Freedom con-sists of a set of nodes (called Anony-mous Internet Proxy) which run on topof the existing Internet infrastructureTo communicate with a Web server theuser first selects a series of nodes to forma rerouting path and then uses this pathto forward the requests to its destina-tion The Freedom Route Creation Pro-tocol allows the sender to randomlychoose the path but the path length isfixed to be three The Freedom client-user interface does not allow the user tospecify a path-containing cycle TheFreedom client must either have all theintermediate nodes in the path chosenor choose a preferred first node and lastnode and the intermediary nodes arepicked at random
Paul Syverson
For more information visit httpwwwonion-routernet andhttpwwwsyversonorg
Question Who manages the onionrouters Are they managed independ-ently
Answer Yes The onion routers can bedistributed anywhere and be managedby different groups
Question Do you believe that thelonger the path the safer the anony-mous communication system
Answer I am not sure
COUNTERING SYN FLOOD
DENIAL-OF-SERVICE (DOS) ATTACKS
Ross Oliver Tech Mavens
Summarized by David RichardLarochelle
SYN flood attacks are a nasty DoSattack The attacker sends a SYN packetbut does not complete the three-wayhandshake This is hard to defendagainst because SYN packets are part ofnormal traffic and unlike ping attacksyou canrsquot firewall them Since SYN pack-ets are small the attack can be done withlimited bandwidth Finally the attacksare difficult to trace because source IPaddresses can be faked Ross Oliverstressed that itrsquos up to you to defendyourself (law enforcement is unable todeal with attacks as they occur if theycan deal with them at all) and suggestedthat firewalls employing SYN flooddefenses are the best way of doing this
He reviewed four such products PIX byCisco Firewall-1 by CheckpointNetscreen 100 by Netscreen and App-Safe (previously called AppSwitch) byTopLayer To test these products heplaced a Web server behind the firewalland used a machine with a script whichcalled wget repeatedly to request Webpages to represent the legitimate clienttraffic An attacking machine threw SYNpackets with forged source addresses atthe Web server
12 Vol 26 No 7 login
The Cisco PIX used a threshold tech-nique which allowed a set number ofincomplete connections and droppedadditional SYN packets The testsshowed no significant improvementover no firewall The Firewall-1 faredslightly better It lets SYN packets reachthe Web server and then sends an ACKpacket to the Web server to complete thethree-way handshake Under a SYNflood attack the Web server will then
have a bunch of com-pleted connectionsinstead of half-openones Firewall-1 pro-tected up to 500 SYNsper second but withdegraded response timeThe Web server returned
to normal 3ndash10 minutes after the attackceased
Netscreen and AppSafe had the bestresults If these firewalls detect a SYNflood attack they proxy the incomingconnections and only send the Webserver the SYN and ACK packets if thehandshake is completed by the clientNetscreen detects SYN floods by lookingat the number of incomplete connec-tions It protected up to 14000 SYNssecwith acceptable response times and con-tinued to function at higher SYN ratesbut with increasing delays The serverresponded normally immediately afterthe attack
AppSafe used a more elaborateapproach It determined whether toproxy a connection request based on thesource IP address SYN packets from IPaddresses which had recently behavedlegitimately were let through to the Webserver immediately Only connectionsfrom previously unseen or malicious IPaddresses were proxied AppSafe waseffective up to 22000 SYNssec whichwas the most traffic that the attackingmachine could produce in this testHowever it was pointed out that in thetest the client machine used only one IP
This technique may not work as well in asituation in which there are new connec-tions from previously unseen clients
How much protection you need dependson what type of attack you expect Anattacker with a Cable or DSL connectioncan produce 200 SYNssec An attackerwith a T1 can produce 2343 SYNssecAccording to the paper ldquoInferring Inter-net Denial-of-Service Activityrdquo pre-sented the previous day 46 of DoSattacks involved more than 500SYNssec but only 24 were above14000 SYNssec This level can be han-dled with a single firewall Multiple ordistributed attacks may require multipleparallel firewalls Because of the widerange of performance between devicesOliver stressed the importance of testingand advised testing the devices yourselfif possible
REAL STATEFUL TCP PACKET FILTERING WITH
IP FILTER
Guido van Rooij Eindhoven Universityof Technology
Summarized by Evan Sarmiento
Old firewall implementations used to fil-ter TCP sessions using addresses andports only creating an interesting prob-lem The administrator would have toguess the source port of the packet inorder to filter it correctly In order tosolve this a new trend in firewalls is tointroduce stateful packet filtering State-ful packet filters remember and onlyallow through addresses and ports ofconnections that are currently set up
Even before Guido van Rooijrsquos work IPFilter did have stateful packet filteringbut it was implemented in the wrongway IP Filter does take sequence ACKand window values into account but itmakes the wrong assumption that pack-ets seen by the filter host will also beseen by the final destination Thisassumption caused IP Filter to droppackets in certain situations The newstate engine for IP Filter encompassesthe following goals
Ross Oliver
Conclusions made by the enginemust be provable
All kinds of TCP behavior must betaken into account
The number of blocked packetsmust be minimized
Blocking of packets must never leadto hanging connections
Opportunities for abuse should bemade as small as possible
The new state engine includes 20 bytesper state entry and about 40 lines of Ccode without loops thus the perfor-mance overhead is minimal
However even the new state engine isnot always successful even though it is agreat improvement Occasionallyblocked FIN and ACK packets causeproblems in the state timeout handlingfor TCP half-closed sessions IP Filterdrops packets coming from a few Win-dows NT workstations for a strange andas yet unknown reason
Guido then outlined some future addi-tions to IP Filter He would like to beable to fix fragment handling add sup-port for sessions entering the state tableafter establishment and check validity ofa session if a packet comes in from themiddle of the connection
REFEREED PAPERS
SESSION DENIAL OF SERVICE
Summarized by Stefan Kelm
USING CLIENT PUZZLES TO PROTECT TLS
Drew Dean Xerox PARC Adam Stub-blefield Rice University
Adam Stubblefield presented their workon a DoS protection technique namelythe use of client puzzles within the TLSprotocol Even though client puzzleshave been supposed to be a solution toDoS attacks Stubblefield pointed outthe lack of actual implementations Thechoice of TLS as the protocol to protectagainst DoS seems obvious but TLS issubject to DoS attacks because of thecomputing-expensive cryptographic
13November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Soperations performed at both the clientand the server side A server howeverhas to perform the more expensive RSAdecrypt operations during the sessionhandshake thus any small number ofclients could easily overload a TLS serverby flooding the server with TLS hand-shake messages The goal of this work isto prevent this using cheap methods
The idea of TLS-based cryptographicpuzzles is to first let the client do thework and subsequently the server If theserver is under a heavy load it sends aso-called ldquopuzzle requestrdquo to the clientThe client in turn has to compute anumber of operations which it then usesto send a ldquopuzzle solutionrdquo back to theserver Thus the server will not need tocontinue the TLS handshake unless theclient has proven its intent to really opena TLS connection
Client puzzles are surprisingly easy toimplement on both the client and theserver side Stubblefield used modifiedOpenSSL and mod_ssl source code totest the implementation The implemen-tation uses a metric which tracks unfin-ished RSA decrypt requests in order todecide whether or not the server isassumed to be under attack Sinceadding more latency to the TLS protocolwas not a goal of this work the serveronly sends a puzzle request back to theclient if it really has to This is imple-mented by using variable thresholds
The author concluded that they are ableto protect against certain denial-of-ser-vice attacks at not much cost and with agood user experience Moreover theproposed solution can be implementedusing already existing code
For more information contact astubblericeedu
INFERRING INTERNET DENIAL-OF-SERVICE
ACTIVITY
David Moore CAIDA Geoffrey MVoelker and Stefan Savage Universityof California San Diego
This paper awarded the best paperaward tried to answer the question ofhow prevalent denial-of-service attacksin the Internet currently are Theauthors ran a test over a period of threeweeks trying to come up with an esti-mate of worldwide DoS activity
David Moore presented the so-calledldquobackscatter analysisrdquo as their key ideaand outlined the basic technique sinceattackers normally use spoofed source IPaddresses the ldquoreal ownersrdquo of those IPaddresses regularly receive responsepackets from the systems being attacked(Moore called these ldquounsolicitedresponsesrdquo) By monitoring these unso-licited responses one is able to detectdifferent kinds of DoS attacks Further-more by observing a huge number ofdifferent IP addresses over a longerperiod of time sampling the results canprovide an overview of attacks going on
Moore presented some interestingresults and displayed a number of fig-ures and tables showing the number ofattacks the attacks over time the attackcharacterization the attack duration dis-tribution and the attack rate distribu-tion Moorersquos team observed a numberof minor DoS attacks (described as ldquoper-sonal vendettasrdquo) as well as some victimsunder repeated attack Classifying thevictims by TLD showed countries likeRomania and Brazil being attacked farmore often than most other TLDs Thepresenterrsquos hypothesis was that eitherthose countries host ISPs that attackeach other or there simply are morehackers located in Romania and Brazil(this was later denied by someone in theaudience stating that Romania has reallynice people)
In conclusion the authors observedsome very large DoS attacks thoughmost attacks seem to be short in dura-tion Another result showed the majorityof attacks being TCP based To clarifythis technique is not good at distin-guishing between DoS and DDoS
attacks since it is not good at distin-guishing between attackers
During the QampA session one questionwas on why the analysis showed noattacks on the mil domain Theresponse given was that either mil is notunder attack (unlikely) or that backscat-ter packets are being filtered
For more information contactdmoorecaidaorg or see httpwwwcaidaorgoutreachpapersbackscatter
MULTOPS A DATA-STRUCTURE FOR
BANDWIDTH ATTACK DETECTION
Thomer M Gil Vrije UniversiteitMITMassimiliano Poletto MIT
Thomer Gil proposed a heuristic as wellas a new data structure to be used byrouters and similar network devices todetect (and possibly eliminate) denial-of-service attacks Most DoS attacksshow disproportional packet rates with ahuge number of packets being sent tothe victim and only very few packetsbeing sent by the victim in response Thenew data structure called MULTOPS(Multi-Level Tree for Online Packet Sta-tistics) monitors certain Internet trafficcharacteristics and is able to drop pack-ets based on either the source or the des-tination address
The main implementation challengeswith MULTOPS have been and still arethe precise identification of maliciousaddresses athe achievement of a smallmemory footprint and a low overheadon forwarding ldquorealrdquo traffic as opposedto DoS-based traffic MULTOPS isimplemented as a memory-efficient treeof nodes which contains packet-rate sta-tistics and which dynamically grows andshrinks with the traffic being observedAt the current implementation packetsare dropped based on either a variablepacket rate or a ratio Since it usually isimpossible to identify an attacker(because of IP spoofing) packets can bedropped based on the victimrsquos IP too
14 Vol 26 No 7 login
The authors succeeded in simplifyingmemory management and the mecha-nism that keeps track of packets Gilpointed out that their solution is suc-cessfully being used by a network com-pany They are currently trying to focuson the behavior of different TCP imple-mentations as well as protocols otherthan TCP
Someone brought up the question ofdifferentiating DoS traffic from trafficthat normally shows disproportionalpacket flows eg video traffic The replysuggested the possibility of buildingsome kind of knowledge base A livelydiscussion on random class A addresseswithin MULTOPS subsequently arosebut was taken offline
For more information contact thomerlcsmitedu
SESSION HARDWARE
Summarized by Anca Ivan
DATA REMANENCE IN SEMICONDUCTOR
DEVICES
Peter Gutmann IBM TJ WatsonResearch Center
Peter Gutmann explained the dangers ofdeleting data in semiconductors Every-one knows that deleting data from mag-netic media is very hard but not toomany realize that the same problemexists for semiconductors especiallysince there are so many ways of buildingsemiconductors each with its own set ofproblems and solutions After giving ashort background introduction in semi-conductors and circuits (n-type p-typeSRAM DRAM) Peter described some ofthe most important issues
Electromigration because of highcurrent densities metal atoms aremoved in the opposite direction ofthe normal current flow The conse-quence is that the operating proper-ties of the device are stronglyaltered
Hot carriers during operation thedevice heats up and its characteris-tics change considerably
Ionic contamination this is nolonger an issue and its effects are nolonger significant
Radiation-induced charging itfreezes the circuit into a certainstate
The first phenomenon enables attackersto recover partial information from spe-cial-purpose devices (eg cryptographicsmartcards) The next two can be usedto recover data deleted from memory Inorder to avoid long- and short-term dataretention from semiconductors (a DESkey was recovered in the lsquo80s)researchers developed a series of solu-tions that use various semiconductorforensic techniques including the fol-lowing two
Short-term retention probably thesafest way to defend against it is notto keep the same values in the samememory cells for too long (maxi-mum a few minutes)
Long-term retention in 1996 someresearchers proposed periodicallyflipping the stored bits In this wayno cell holds the same bit value forlong enough to ldquorememberrdquo it
In the end Peter talked about how allthe problems cited above extend to flashmemory For example random genera-tors can generate strings of 1s when thepool is empty or information can beleaked into adjacent cells into shared cir-cuitry
Even though the entire presentationscared at least one person in the audi-ence (guess who) Peter assured us thatreality is not that gloomy In fact theonly problem is the lack of a standardEvery time people decide to choose oneimplementation method they shouldalso choose which solutions are best forit Answering a question Peter told usthat personal computers are not affected
by those problems but that most special-ized devices like airplane black boxescan leak information if analyzed withvery sophisticated equipment But thenagain who has such equipment
STACKGHOST HARDWARE-FACILITATED
STACK PROTECTION
Mike Frantzen CERIAS Mike ShueyPurdue University
The authors presented a software solu-tion to the return-pointer hijackingproblem The most important step inthe function-call process is when thecaller saves the return pointer beforegiving the control to the called functionMany attacks are based on changing thispointer When the callee finishes thereturn pointer dictates which functiontakes control next StackGhost is a pieceof software that automatically and trans-parently saves the return pointer andreplaces it with another number Whenthe called function completes Stack-Ghost verifies the integrity of that num-ber (catching in this way possibleattacks) and reinstalls the correctpointer value
The security of StackGhost depends onhow it modifies the return pointer tocatch attacks the authors have tried sev-eral ways
Per kernel XOR with a 13-bit signedcookie the main problem is that anattacker can find out the cookie bystarting several arbitrary programs
Per process XOR with a 32-bitcookie this is safer than the previ-ous method but more expensive
Encryptdecrypt the return pointerthis method seems to be the mostexpensive
Return-address stack this methodreplaces the return pointer withanother number and saves thepointer into a return-address stackHowever this would impede otherapplications from running correctly
15November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SAfter making performance measure-ments for all techniques the authorsnoticed that the chances of StackGhostnot catching an attack were 1 in 3 forXOR cookies and 1 in 232 for the return-address stack The conclusion was thatStackGhost was offering protectionagainst return-pointer overriding to allprocesses in the system (which might beseen as a disadvantage)
IMPROVING DES COPROCESSOR THROUGH-PUT FOR SHORT OPERATIONS
Mark Lindemann IBM TJ Watson
Research Center Sean W Smith
Dartmouth College
While the first two talks in this sessionwere at opposite poles (one deeply hard-ware and one purely software) the thirdone was somehow in the middle Thepresenter Sean Smith is one the fathersof the cryptographic card developed atIBM and presently working at Dart-mouth College Everything started in avery optimistic fashion with the usualintroduction we would have expectedfrom an IBM representative trying to sellus this device ldquoIt is secure it is fast it is reliablerdquo All the buzzwords werethere However with the next slide thischanged to ldquoIt is not as secure fast as we thoughtrdquo For example the specifi-cation promised the DES speed to be 20megabytessecond when in reality afriend obtained less than two kilobytessecond in a database application Wherewas the discrepancy coming from Themain intuition was that the specificationgives the performance for operations onmegabytes of input The real speed ismuch slower if the data is shipped to thecard in small chunks The differencebetween specs and reality was too bignot to be studied and Lindemanndecided to find out the reasons behindit First they built a model that simu-lates the database application and thentried to improve the speed by modifyingthe execution conditions in the follow-ing ways
Reducing card-host interactionldquofolklore in IBMrdquo taught them thatany card-host interaction consumestoo much time Thus they rewrotethe application to minimize thenumber of interactions The speedwent up to 18ndash23 kilobytessecondhowever it was still too far frommegabyte speed
Batching all operations into onechip operation chip resets were tooexpensive The speed became 360kilobytessecond
Batching into multiple chip opera-tions it reduced the number ofLayer 3 ndash Layer 2 switches Thespeed changed to 30ndash290kilobytessecond still not good
Reducing data transfers they did itby using an internal key-table andboosted the speed to 1400 kilo-bytessecond
Using memory-mapped IO thiseliminated the internal ISA bus bot-tleneck The speed went up to 2500kilobytessecond
Batching operation parametersinstead of sending them as separatepackets It increased the speed to5000 kilobytessecond This waseven more than they were expect-ing but the results were incorrectThe client had asked for speed buthadnrsquot mentioned anything aboutcorrectness So was the problemsolved
Not using memory-mapped IO toincrease accuracy they gave up onmemory-mapped IO for initializa-tion vectors and count Unfortu-nately there was a smallperformance cost the speed wasnow 3000 kilobytessecond
From the clientrsquos point of view all ofthese steps showed them that the onlyway to maximize the performance whileusing the secure coprocessor was todesign DES-batched API From thedesignerrsquos point of view the conclusions
were simpler always distrust folkloreand think if and how people will useyour product before designing it
SESSION FIREWALLSINTRUSION
DETECTION
Summarized by Stefan Kelm and YongGuan
ARCHITECTING THE LUMETA FIREWALL
ANALYZER
Avishai Wool Lumeta
ldquoWhat is your firewall doingrdquo AvishaiWool asked the audience at the begin-ning of his presentation therebydescribing the motivation to build LFAthe ldquoLumeta Firewall Analyzerrdquo
Firewalls have been installed by almostall companies connected to the InternetHowever the underlying policy often isfar from being good enough to actuallyprotect the company from outsideattackers Network administrators oftendo not know how to set up a firewallsecurely much less how to test or auditthe firewall configuration Wool pointedout that LFA is the successor of the Fangprototype system built at Bell Labs as afirewall analysis engine
The key idea is not to probe the actualfirewall in any way but to allow testingof the configuration before the firewallis deployed The firewallrsquos routing tableand configuration files are used as inputto the LFA which parses these files andsimulates the behavior of any possiblepacket flow combination (LFA mainlyoffers support for Firewall-1 and PIX)The results are presented to the user asHTML pages
Wool concluded by giving a shortdemonstration As input to the LFA heused a short Firewall-1 policy whichcontained only six rules and explainedwhy even such a short rule set mightlead to problems once the firewall isdeployed During the QampA session heemphasized that the LFA only checkspacket headers not the content and
16 Vol 26 No 7 login
cannot therefore detect tunneling prob-lems
For more information contactyashacmorg or visit httpwwwlumetacomfirewallhtml
TRANSIENT ADDRESSING FOR RELATED
PROCESSES IMPROVED FIREWALLING BY
USING IPV6 AND MULTIPLE ADDRESSES PER
HOST
Peter M Gleitz and Steven M BellovinATampT Labs-Research
The authors proposed a method to sim-plify firewall decisions By using thelarge address space brought by IPv6they employed a strategy of multiplenetwork addresses per host That is foreach request on the client host an IPv6address is tied to the client process Thefirewall now makes access decisionsbased on transport layer protocol infor-mation (ie filtering is shifted fromports to addresses) Once approved thefirewall allows all traffic between the twopeers to pass to and fro Once the serviceis finished the IPv6 address is discardedThis method is called TARP (transientaddressing for related processes) TARPemploys two different types ofaddresses (fixed) server addresses andprocess group addresses
Gleitz discussed how TARP works withTCP and UDP applications and with thefirewall router domain name serverand IPSEC Employing TARP does notnecessarily affect the routers thoughTARP-aware routers can perform betterMoreover Gleitz pointed out that nomodifications to standard applicationssuch as Telnet SSH FTP Sendmail orTFTP are necessary in order to useTARP He also mentioned briefly someinterop problems with protocols such asDNS and ICMPv6
For more information contactpmgleitnetscapenet
NETWORK INTRUSION DETECTION EVASIONTRAFFIC NORMALIZATION AND END-TO-END
PROTOCOL SEMANTICS
Mark Handley and Vern Paxson ACIRIChristian Kreibich Technische Univer-sitaumlt Muumlnchen
This paper focused on the problem ofnetwork intrusion detection system(NIDS) evasion Attackers usually canfool any NIDS by exploiting certainambiguities in the packet flow beingmonitored by the NIDS ie (1) theNIDS may lack complete analysis of thepacket flow (eg no TCP stream re-assembly) (2) the NIDS may lack end-system knowledge (eg certainapplication vulnerabilities) and (3) theNIDS may lack network knowledge(eg the topology between the NIDSand an end system)
As a solution Paxson proposed thedeployment of a ldquonormalizerrdquo the goalof which would be to observe all packetsbeing sent between two network nodes(he called that a ldquobump-in-the-wirerdquo)and to modify (ldquonormalizerdquo) packetsthat seem to be ambiguous for one rea-son or another As an example theauthor described problems with twooverlapping fragments the normalizerwould re-assemble (and re-fragment ifnecessary) those packets before forward-ing Since re-assembly is a valid opera-tion the normalizer would in thisexample have no impact on the seman-tics at all
Paxson also pointed out some of theproblems with this approach one ofwhich is the ldquocold startrdquo problem(re-)starting the normalizer will showmany valid connections already estab-lished It is difficult to handle those con-nections accordingly (this is also true forthe NIDS itself) The normalizer hasbeen implemented and will be availableat wwwsourceforgenet soon
In the QampA session Steven Bellovinwanted to know whether normalization
would not be needed at the applicationlayer as well The presenter answered inthe affirmative
For more information contactvernaciriorg
SESSION OPERATING SYSTEMS
Summarized by Mike Vernal
SECURITY ANALYSIS OF THE PALM OPERATING
SYSTEM AND ITS WEAKNESSES AGAINST
MALICIOUS CODE THREATS
Kingpin and Mudge stake Inc
Kingpin and Mudge began their presen-tation with a bold fashion statementappearing in matching white bathrobesTheir bathrobes aimed to underscore thefact that PDAs can undermine user pri-vacy in a public setting Their effortswere later rewarded with the covetedUSENIX Style Award presented by thereal Peter Honeyman of the Universityof Michigan
The presentation centered on the secu-rity threat posed by the recent ubiquityof Personal Digital Assistants (PDAs)and more specifically devices runningthe Palm Operating System Palmdevices increasingly are being used insecurity-sensitive settings such as hospi-tals and government agencies While thegovernment is now aware of the securitythreat posed by PDAs the corporateworld has remained generally oblivious
17November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SThe security threat of the Palm stemsfrom the PalmOSrsquos lack of a well-definedsecurity framework Specific weaknessesenumerated include the direct address-ability of hardware the lack of memoryencryption the lack of ACLs weakobfuscation of passwords and a back-door debug mode that allows for thebypassing of ldquosystem lockoutrdquo Becauseof these and other weaknesses the audi-ence agreed with the assertion thatdeveloping a secure application on topof the PalmOS would be impossible
The presentation suggested thatunscrupulous users could exploit anumber of weaknesses to install mali-cious code including normal applica-tion installation desktop conduitscreator ID replacement wireless com-munications and the Palm DebuggerAnother threat raised by Kingpin andMudge was the possibility of a new set ofcross-pollinating viruses which could beacquired via a Palm and propagatethemselves to desktop computers via theHotSync operation or vice versa
With the growing popularity of PDAsKingpin and Mudge invoked OccamrsquosRazor all other factors being equal thePDA may be the malicious userrsquos easiestpoint of entry into an information net-work The upcoming PalmOS 40reportedly fixes some of the securityconcerns raised In the interim usersshould be made aware of the possiblesecurity threats and restrict or eliminatetheir use of sensitive data and applica-tions on Palm devices
SECURE DATA DELETION FOR LINUX
FILE SYSTEMS
Steven Bauer and Nissanka B Priyan-tha MIT
Steven Bauer presented an implementa-tion of a kernel-level secure data-dele-tion (SDD) mechanism for the ext2 filesystem
Bauer suggested that with the increasingprevalence of public kiosks thin clientsmulti-user computing clusters and dis-tributed file systems users will want toensure that when their data is deletedfrom these systems it is truly and irre-trievably deleted
In 1996 Peter Gutmann of IBM demon-strated that data that had been overwrit-ten on a magnetic disk could berecovered using advanced probing tech-niques While popular lore has suggestedcertain government agencies may beable to recover data overwritten dozensof times no commercial data recoverycompany contacted in conjunction withBauerrsquos research believed that it couldrecover data that had been overwrittenmore than once As such the SDD sys-tem as described probably only needs tooverwrite data a few times
This SDD system was designed to ensurethat all flagged data is deleted even inthe event of system failure The deletionprocess was designed as an asynchro-nous daemon to ensure that it did notinterfere with normal operation andperformance Though implemented forthe ext2 file system Bauer asserts thatthis system should be portable to anyblock-oriented file system
The ext2 implementation used theunused secure-deletion flag settablewith the chattr() function With thismechanism the granularity with whichsecure deletion can be specified rangesfrom an entire device to an individualfile Questions were raised as to the vul-nerability of temporary files that are notflagged in a secure deletion zone Bauerrecommended that for maximum secu-rity the entire device should be flaggedfor secure deletion
Kingpin and Mudge
SESSION MANAGING CODE
Summarized by Sameh Elnikety
STATICALLY DETECTING LIKELY BUFFER
OVERFLOW VULNERABILITIES
David Larochelle and David Evans Uni-versity of Virginia
Buffer overflow attacks account forapproximately half of all security vul-nerabilities Programs written in C areparticularly susceptible to buffer over-flow attacks because C allows directpointer manipulations without anybounds checking
Run-time approaches to mitigate therisks of buffer overflow incur perfor-mance penalties and they turn bufferoverflow attacks into denial-of-serviceattacks by terminating execution of theattacked processes Static checking over-comes these problems by detecting likelyvulnerabilities before deployment
The authors developed a practical light-weight static analysis tool based onLCLint to detect a high percentage oflikely buffer overflow vulnerabilities
The tool exploits semantic comments(annotations) that describe programmerassumptions and intents These annota-tions are treated as regular C commentsby the compiler but are recognized assyntactic entities by LCLint The annota-tions represent preconditions and post-conditions for functions to determinehow much memory has been allocatedfor buffers LCLint uses traditional com-piler data flow analyses with constraintgeneration and resolution Also LCLintuses loop heuristics to efficiently analyzemany loop idioms in typical C pro-grams
The authors used the tool to analyze wu-ftpd which is a popular open sourceFTP server and part of BIND which is aset of domain-name tools and librariesthat is considered the reference imple-mentation of DNS Running LCLint issimilar to running a compiler For wu-
18 Vol 26 No 7 login
ftpd it took less than one minute forLCLint to analyze all 17000 lines ofunmodified wu-ftpd source code Thisresulted in 243 warnings that showedknown and unknown buffer overflowvulnerabilities
LCLint source code and binaries areavailable from httplclintcsvirginiaedu
FORMATGUARD AUTOMATIC PROTECTION
FROM PRINTF FORMAT STRING
VULNERABILITIES
Crispin Cowan Matt Barringer SteveBeattie Greg Kroah-Hartman WireXCommunications Inc Mike FrantzenPurdue University and Jamie LokierCERN
In June 2000 a major new class of vul-nerabilities called format bugs was dis-covered when a vulnerability inWU-FTP appeared that looked almostlike a buffer overflow but was not It isunsafe to allow potentially hostile inputto be passed directly as the format stringfor calls to printf-like functions Thedanger is that the inclusion of direc-tives especially n in the format stringcoupled with the lack of any effectivetype or argument counting in Crsquosvarargs facility allows the attacker toinduce unexpected behavior in pro-grams
The authors developed FormatGuard asmall patch to glibc It provides generalprotection against format bugs usingparticular properties of the GNU CPPmacro-handling mechanism to extractthe count of actual arguments to printfstatements This is then passed to a safeprintf wrapper The wrapper parses theformat string to determine how manyarguments to expect and if the formatstring calls for more arguments than theactual number of arguments it raises anintrusion alert and kills the process
FormatGuard fails to protect against for-mat bugs under several circumstancesFor example if the program uses a func-
tion pointer that has the address ofprintf then it evades the macro expan-sion
FormatGuard is incorporated in WireXrsquosImmunix Linux distribution and serverproducts It is available as a GPLrsquod patchto glibc at httpimmunixorg
DETECTING FORMAT STRING VULNERABILITIES
WITH TYPE QUALIFIERS
Umesh Shankar Kunal Talwar Jeffrey SFoster and David Wagner Universityof California Berkeley
Systems written in C are difficult tosecure given Crsquos tendency to sacrificesafety for efficiency Format string vul-nerabilities can occur when user input isused as a format specifier One of themost common cases is when the pro-gram uses printf with one argument auser-supplied string assuming that thestring does not contain any directiveThe authors presented a tool (cqual)that automatically detects format stringbugs at compile time using type-theo-retic analysis techniques With this staticanalysis vulnerabilities can be proac-tively identified and fixed before thecode is deployed
Cqual builds an annotated Abstract Syn-tax Tree (AST) Then it traverses theAST to generate a system of type con-straints which is solved online Warn-ings are produced whenever aninconsistent constraint is generatedCqual presents the results of taintinganalysis to the programmer using Pro-gram Analysis Mode for Emacs (PAM)PAM is a GUI that is designed to addhyperlinks and color mark-ups to thepreprocessed text of the program Theinterface shows the taint flow path tohelp programmers determine how avariable becomes tainted
The configuration files makes cqualusable without modifying the sourcecode The authors analyzed four secu-rity-sensitive benchmark programs withthe same standard prelude file and no
direct changes to the applicationsrsquosource code Typically a few application-specific entries were added to the prel-ude file to improve accuracy in thepresence of wrappers around libraryfunctions Cqual reliably finds all knownbugs for the benchmark programs Italso reports few false positives Cqual isfast it usually takes less than a minute
Cqual is available at httpbanecsberkeleyeducqual
SESSION AUTHORIZATION
Summarized by Rachel Greenstadt
CAPABILITY FILE NAMES SEPARATING
AUTHORIZATION FROM USER MANAGEMENT
IN AN INTERNET FILE SYSTEM
Jude T Regan consultant Christian DJensen Trinity College
On the Internet there is no reliable wayto establish an identity Flexible user-user collaboration outside of an admin-istered system so that people couldcreate ad hoc work groups and removearbitrary limitations to informationsharing is the authorsrsquo goal
Such a system should be globally accessi-ble easy to use and require as littleintervention by system administrators aspossible This system should integratewith existing systems and applications Itshould have fine granularity so thatusers would not have to use complicatedexport mechanisms to share files
The authors used the concept of a capa-bility a token conveying specified accessrights to a named object in order tomake the identity of the object and theaccess rights inseparable They embed-ded the capability in something everysystem knows ndash the file name
The authors concluded that the systemwas safe from interception and modifi-cation Attackers could forge the clientpart but not the server part of the filenames Service could be interrupted butprotecting against this is impossible
19November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Swithout complete control of the net-work Performance was evaluated incomparison to NFS Most of the over-head was in the open statement Readswere slightly slower and writes weremuch slower but they felt this could bealleviated by implementing symmetricwrites
KERBERIZED CREDENTIAL TRANSLATION ASOLUTION TO WEB ACCESS CONTROL
Olga Kornievskaia Peter HoneymanBill Doster and Kevin Coffman CITIUniversity of Michigan
There are two different authenticationmechanisms those used for servicessuch as login AFS and mail for whichKerberos is popular and public key-based mechanisms such as SSL which isused to establish secure connections onthe Web These systems need to be ableto work together to satisfy a request
The authors propose to achieve the bestof both worlds by leveraging Kerberos tosolve PKI key management This will useexisting infrastructures which allowstrong authentication on the Web withSSL and which provide access to Kerber-ized back-end services They propose asystem to provide interoperabilitybetween PKI and Kerberos Their systemconsists of (1) a Certificate Authority(CA) KX509 which creates short-livedcertificates (2) a Web server which actslike a proxy for users by requesting serv-ices from Kerberized back-end servicesand (3) a Kerberized Credential Transla-tor which translates public-key creden-tials to Kerberos They created aprototype of their system called WebAFSusing AFS as an example Kerberized ser-vice
DOS AND DONrsquoTS OF CLIENT AUTHENTICA-TION ON THE WEB
Kevin Fu Emil Sit Kendra Smith and
Nick Feamster MIT
[This paper received the Best StudentPaper Award]
Kevin gave a very amusing presentationwhich illustrated the gap between secu-rity theory and practice He described avariety of Web sites that used insecureclient authentication schemes and pre-sented hints on how to avoid their mis-takes
Client authentication seems like a solvedproblem but many sites continue tocome up with homebrew schemes whichjust donrsquot quite get it right Out of the 27Web sites the cookie eaters group exam-ined they weakened the security on twosites were able to mint authenticatorson eight and on one site were able toobtain the secret key Some of these siteswere high profile such as the Wall StreetJournal (wsjcom) Sprint PCS (sprint-pcscom) and FatBrain (fatbraincom)
In most cases the mistakes made inthese sites were simple By simply look-ing at their cookie files the authors couldquery Web servers and look at headersresponses and create sample authentica-
tors Except forSprint theseattacks involved noeavesdropping atall The schemeswere not evenstrong against whatthe authors termedthe ldquointerrogativeadversaryrdquo Thisadversary has nospecial access but it
adaptively queries a Web server a rea-sonable number of times It just sitsthere and connects to port 80 it cannotdefeat SSL client authentication HTTPbasic or digest authentication The bestsuch an adversary can do against a pass-
Kevin Fu
word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable
In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password
Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary
In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu
SESSION KEY MANAGEMENT
Summarized by Sameh Elnikety
SC-CFS SMARTCARD SECURED
CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi CITI University of Michigan
Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS
20 Vol 26 No 7 login
implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation
When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory
SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key
The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds
SECURE DISTRIBUTION OF EVENTS IN
CONTENT-BASED PUBLISH SUBSCRIBE
SYSTEMS
Lukasz Opyrchal and Atul Prakash University of Michigan
Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage
Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize
The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
For more information visit httpwwwonion-routernet andhttpwwwsyversonorg
Question Who manages the onionrouters Are they managed independ-ently
Answer Yes The onion routers can bedistributed anywhere and be managedby different groups
Question Do you believe that thelonger the path the safer the anony-mous communication system
Answer I am not sure
COUNTERING SYN FLOOD
DENIAL-OF-SERVICE (DOS) ATTACKS
Ross Oliver Tech Mavens
Summarized by David RichardLarochelle
SYN flood attacks are a nasty DoSattack The attacker sends a SYN packetbut does not complete the three-wayhandshake This is hard to defendagainst because SYN packets are part ofnormal traffic and unlike ping attacksyou canrsquot firewall them Since SYN pack-ets are small the attack can be done withlimited bandwidth Finally the attacksare difficult to trace because source IPaddresses can be faked Ross Oliverstressed that itrsquos up to you to defendyourself (law enforcement is unable todeal with attacks as they occur if theycan deal with them at all) and suggestedthat firewalls employing SYN flooddefenses are the best way of doing this
He reviewed four such products PIX byCisco Firewall-1 by CheckpointNetscreen 100 by Netscreen and App-Safe (previously called AppSwitch) byTopLayer To test these products heplaced a Web server behind the firewalland used a machine with a script whichcalled wget repeatedly to request Webpages to represent the legitimate clienttraffic An attacking machine threw SYNpackets with forged source addresses atthe Web server
12 Vol 26 No 7 login
The Cisco PIX used a threshold tech-nique which allowed a set number ofincomplete connections and droppedadditional SYN packets The testsshowed no significant improvementover no firewall The Firewall-1 faredslightly better It lets SYN packets reachthe Web server and then sends an ACKpacket to the Web server to complete thethree-way handshake Under a SYNflood attack the Web server will then
have a bunch of com-pleted connectionsinstead of half-openones Firewall-1 pro-tected up to 500 SYNsper second but withdegraded response timeThe Web server returned
to normal 3ndash10 minutes after the attackceased
Netscreen and AppSafe had the bestresults If these firewalls detect a SYNflood attack they proxy the incomingconnections and only send the Webserver the SYN and ACK packets if thehandshake is completed by the clientNetscreen detects SYN floods by lookingat the number of incomplete connec-tions It protected up to 14000 SYNssecwith acceptable response times and con-tinued to function at higher SYN ratesbut with increasing delays The serverresponded normally immediately afterthe attack
AppSafe used a more elaborateapproach It determined whether toproxy a connection request based on thesource IP address SYN packets from IPaddresses which had recently behavedlegitimately were let through to the Webserver immediately Only connectionsfrom previously unseen or malicious IPaddresses were proxied AppSafe waseffective up to 22000 SYNssec whichwas the most traffic that the attackingmachine could produce in this testHowever it was pointed out that in thetest the client machine used only one IP
This technique may not work as well in asituation in which there are new connec-tions from previously unseen clients
How much protection you need dependson what type of attack you expect Anattacker with a Cable or DSL connectioncan produce 200 SYNssec An attackerwith a T1 can produce 2343 SYNssecAccording to the paper ldquoInferring Inter-net Denial-of-Service Activityrdquo pre-sented the previous day 46 of DoSattacks involved more than 500SYNssec but only 24 were above14000 SYNssec This level can be han-dled with a single firewall Multiple ordistributed attacks may require multipleparallel firewalls Because of the widerange of performance between devicesOliver stressed the importance of testingand advised testing the devices yourselfif possible
REAL STATEFUL TCP PACKET FILTERING WITH
IP FILTER
Guido van Rooij Eindhoven Universityof Technology
Summarized by Evan Sarmiento
Old firewall implementations used to fil-ter TCP sessions using addresses andports only creating an interesting prob-lem The administrator would have toguess the source port of the packet inorder to filter it correctly In order tosolve this a new trend in firewalls is tointroduce stateful packet filtering State-ful packet filters remember and onlyallow through addresses and ports ofconnections that are currently set up
Even before Guido van Rooijrsquos work IPFilter did have stateful packet filteringbut it was implemented in the wrongway IP Filter does take sequence ACKand window values into account but itmakes the wrong assumption that pack-ets seen by the filter host will also beseen by the final destination Thisassumption caused IP Filter to droppackets in certain situations The newstate engine for IP Filter encompassesthe following goals
Ross Oliver
Conclusions made by the enginemust be provable
All kinds of TCP behavior must betaken into account
The number of blocked packetsmust be minimized
Blocking of packets must never leadto hanging connections
Opportunities for abuse should bemade as small as possible
The new state engine includes 20 bytesper state entry and about 40 lines of Ccode without loops thus the perfor-mance overhead is minimal
However even the new state engine isnot always successful even though it is agreat improvement Occasionallyblocked FIN and ACK packets causeproblems in the state timeout handlingfor TCP half-closed sessions IP Filterdrops packets coming from a few Win-dows NT workstations for a strange andas yet unknown reason
Guido then outlined some future addi-tions to IP Filter He would like to beable to fix fragment handling add sup-port for sessions entering the state tableafter establishment and check validity ofa session if a packet comes in from themiddle of the connection
REFEREED PAPERS
SESSION DENIAL OF SERVICE
Summarized by Stefan Kelm
USING CLIENT PUZZLES TO PROTECT TLS
Drew Dean Xerox PARC Adam Stub-blefield Rice University
Adam Stubblefield presented their workon a DoS protection technique namelythe use of client puzzles within the TLSprotocol Even though client puzzleshave been supposed to be a solution toDoS attacks Stubblefield pointed outthe lack of actual implementations Thechoice of TLS as the protocol to protectagainst DoS seems obvious but TLS issubject to DoS attacks because of thecomputing-expensive cryptographic
13November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Soperations performed at both the clientand the server side A server howeverhas to perform the more expensive RSAdecrypt operations during the sessionhandshake thus any small number ofclients could easily overload a TLS serverby flooding the server with TLS hand-shake messages The goal of this work isto prevent this using cheap methods
The idea of TLS-based cryptographicpuzzles is to first let the client do thework and subsequently the server If theserver is under a heavy load it sends aso-called ldquopuzzle requestrdquo to the clientThe client in turn has to compute anumber of operations which it then usesto send a ldquopuzzle solutionrdquo back to theserver Thus the server will not need tocontinue the TLS handshake unless theclient has proven its intent to really opena TLS connection
Client puzzles are surprisingly easy toimplement on both the client and theserver side Stubblefield used modifiedOpenSSL and mod_ssl source code totest the implementation The implemen-tation uses a metric which tracks unfin-ished RSA decrypt requests in order todecide whether or not the server isassumed to be under attack Sinceadding more latency to the TLS protocolwas not a goal of this work the serveronly sends a puzzle request back to theclient if it really has to This is imple-mented by using variable thresholds
The author concluded that they are ableto protect against certain denial-of-ser-vice attacks at not much cost and with agood user experience Moreover theproposed solution can be implementedusing already existing code
For more information contact astubblericeedu
INFERRING INTERNET DENIAL-OF-SERVICE
ACTIVITY
David Moore CAIDA Geoffrey MVoelker and Stefan Savage Universityof California San Diego
This paper awarded the best paperaward tried to answer the question ofhow prevalent denial-of-service attacksin the Internet currently are Theauthors ran a test over a period of threeweeks trying to come up with an esti-mate of worldwide DoS activity
David Moore presented the so-calledldquobackscatter analysisrdquo as their key ideaand outlined the basic technique sinceattackers normally use spoofed source IPaddresses the ldquoreal ownersrdquo of those IPaddresses regularly receive responsepackets from the systems being attacked(Moore called these ldquounsolicitedresponsesrdquo) By monitoring these unso-licited responses one is able to detectdifferent kinds of DoS attacks Further-more by observing a huge number ofdifferent IP addresses over a longerperiod of time sampling the results canprovide an overview of attacks going on
Moore presented some interestingresults and displayed a number of fig-ures and tables showing the number ofattacks the attacks over time the attackcharacterization the attack duration dis-tribution and the attack rate distribu-tion Moorersquos team observed a numberof minor DoS attacks (described as ldquoper-sonal vendettasrdquo) as well as some victimsunder repeated attack Classifying thevictims by TLD showed countries likeRomania and Brazil being attacked farmore often than most other TLDs Thepresenterrsquos hypothesis was that eitherthose countries host ISPs that attackeach other or there simply are morehackers located in Romania and Brazil(this was later denied by someone in theaudience stating that Romania has reallynice people)
In conclusion the authors observedsome very large DoS attacks thoughmost attacks seem to be short in dura-tion Another result showed the majorityof attacks being TCP based To clarifythis technique is not good at distin-guishing between DoS and DDoS
attacks since it is not good at distin-guishing between attackers
During the QampA session one questionwas on why the analysis showed noattacks on the mil domain Theresponse given was that either mil is notunder attack (unlikely) or that backscat-ter packets are being filtered
For more information contactdmoorecaidaorg or see httpwwwcaidaorgoutreachpapersbackscatter
MULTOPS A DATA-STRUCTURE FOR
BANDWIDTH ATTACK DETECTION
Thomer M Gil Vrije UniversiteitMITMassimiliano Poletto MIT
Thomer Gil proposed a heuristic as wellas a new data structure to be used byrouters and similar network devices todetect (and possibly eliminate) denial-of-service attacks Most DoS attacksshow disproportional packet rates with ahuge number of packets being sent tothe victim and only very few packetsbeing sent by the victim in response Thenew data structure called MULTOPS(Multi-Level Tree for Online Packet Sta-tistics) monitors certain Internet trafficcharacteristics and is able to drop pack-ets based on either the source or the des-tination address
The main implementation challengeswith MULTOPS have been and still arethe precise identification of maliciousaddresses athe achievement of a smallmemory footprint and a low overheadon forwarding ldquorealrdquo traffic as opposedto DoS-based traffic MULTOPS isimplemented as a memory-efficient treeof nodes which contains packet-rate sta-tistics and which dynamically grows andshrinks with the traffic being observedAt the current implementation packetsare dropped based on either a variablepacket rate or a ratio Since it usually isimpossible to identify an attacker(because of IP spoofing) packets can bedropped based on the victimrsquos IP too
14 Vol 26 No 7 login
The authors succeeded in simplifyingmemory management and the mecha-nism that keeps track of packets Gilpointed out that their solution is suc-cessfully being used by a network com-pany They are currently trying to focuson the behavior of different TCP imple-mentations as well as protocols otherthan TCP
Someone brought up the question ofdifferentiating DoS traffic from trafficthat normally shows disproportionalpacket flows eg video traffic The replysuggested the possibility of buildingsome kind of knowledge base A livelydiscussion on random class A addresseswithin MULTOPS subsequently arosebut was taken offline
For more information contact thomerlcsmitedu
SESSION HARDWARE
Summarized by Anca Ivan
DATA REMANENCE IN SEMICONDUCTOR
DEVICES
Peter Gutmann IBM TJ WatsonResearch Center
Peter Gutmann explained the dangers ofdeleting data in semiconductors Every-one knows that deleting data from mag-netic media is very hard but not toomany realize that the same problemexists for semiconductors especiallysince there are so many ways of buildingsemiconductors each with its own set ofproblems and solutions After giving ashort background introduction in semi-conductors and circuits (n-type p-typeSRAM DRAM) Peter described some ofthe most important issues
Electromigration because of highcurrent densities metal atoms aremoved in the opposite direction ofthe normal current flow The conse-quence is that the operating proper-ties of the device are stronglyaltered
Hot carriers during operation thedevice heats up and its characteris-tics change considerably
Ionic contamination this is nolonger an issue and its effects are nolonger significant
Radiation-induced charging itfreezes the circuit into a certainstate
The first phenomenon enables attackersto recover partial information from spe-cial-purpose devices (eg cryptographicsmartcards) The next two can be usedto recover data deleted from memory Inorder to avoid long- and short-term dataretention from semiconductors (a DESkey was recovered in the lsquo80s)researchers developed a series of solu-tions that use various semiconductorforensic techniques including the fol-lowing two
Short-term retention probably thesafest way to defend against it is notto keep the same values in the samememory cells for too long (maxi-mum a few minutes)
Long-term retention in 1996 someresearchers proposed periodicallyflipping the stored bits In this wayno cell holds the same bit value forlong enough to ldquorememberrdquo it
In the end Peter talked about how allthe problems cited above extend to flashmemory For example random genera-tors can generate strings of 1s when thepool is empty or information can beleaked into adjacent cells into shared cir-cuitry
Even though the entire presentationscared at least one person in the audi-ence (guess who) Peter assured us thatreality is not that gloomy In fact theonly problem is the lack of a standardEvery time people decide to choose oneimplementation method they shouldalso choose which solutions are best forit Answering a question Peter told usthat personal computers are not affected
by those problems but that most special-ized devices like airplane black boxescan leak information if analyzed withvery sophisticated equipment But thenagain who has such equipment
STACKGHOST HARDWARE-FACILITATED
STACK PROTECTION
Mike Frantzen CERIAS Mike ShueyPurdue University
The authors presented a software solu-tion to the return-pointer hijackingproblem The most important step inthe function-call process is when thecaller saves the return pointer beforegiving the control to the called functionMany attacks are based on changing thispointer When the callee finishes thereturn pointer dictates which functiontakes control next StackGhost is a pieceof software that automatically and trans-parently saves the return pointer andreplaces it with another number Whenthe called function completes Stack-Ghost verifies the integrity of that num-ber (catching in this way possibleattacks) and reinstalls the correctpointer value
The security of StackGhost depends onhow it modifies the return pointer tocatch attacks the authors have tried sev-eral ways
Per kernel XOR with a 13-bit signedcookie the main problem is that anattacker can find out the cookie bystarting several arbitrary programs
Per process XOR with a 32-bitcookie this is safer than the previ-ous method but more expensive
Encryptdecrypt the return pointerthis method seems to be the mostexpensive
Return-address stack this methodreplaces the return pointer withanother number and saves thepointer into a return-address stackHowever this would impede otherapplications from running correctly
15November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SAfter making performance measure-ments for all techniques the authorsnoticed that the chances of StackGhostnot catching an attack were 1 in 3 forXOR cookies and 1 in 232 for the return-address stack The conclusion was thatStackGhost was offering protectionagainst return-pointer overriding to allprocesses in the system (which might beseen as a disadvantage)
IMPROVING DES COPROCESSOR THROUGH-PUT FOR SHORT OPERATIONS
Mark Lindemann IBM TJ Watson
Research Center Sean W Smith
Dartmouth College
While the first two talks in this sessionwere at opposite poles (one deeply hard-ware and one purely software) the thirdone was somehow in the middle Thepresenter Sean Smith is one the fathersof the cryptographic card developed atIBM and presently working at Dart-mouth College Everything started in avery optimistic fashion with the usualintroduction we would have expectedfrom an IBM representative trying to sellus this device ldquoIt is secure it is fast it is reliablerdquo All the buzzwords werethere However with the next slide thischanged to ldquoIt is not as secure fast as we thoughtrdquo For example the specifi-cation promised the DES speed to be 20megabytessecond when in reality afriend obtained less than two kilobytessecond in a database application Wherewas the discrepancy coming from Themain intuition was that the specificationgives the performance for operations onmegabytes of input The real speed ismuch slower if the data is shipped to thecard in small chunks The differencebetween specs and reality was too bignot to be studied and Lindemanndecided to find out the reasons behindit First they built a model that simu-lates the database application and thentried to improve the speed by modifyingthe execution conditions in the follow-ing ways
Reducing card-host interactionldquofolklore in IBMrdquo taught them thatany card-host interaction consumestoo much time Thus they rewrotethe application to minimize thenumber of interactions The speedwent up to 18ndash23 kilobytessecondhowever it was still too far frommegabyte speed
Batching all operations into onechip operation chip resets were tooexpensive The speed became 360kilobytessecond
Batching into multiple chip opera-tions it reduced the number ofLayer 3 ndash Layer 2 switches Thespeed changed to 30ndash290kilobytessecond still not good
Reducing data transfers they did itby using an internal key-table andboosted the speed to 1400 kilo-bytessecond
Using memory-mapped IO thiseliminated the internal ISA bus bot-tleneck The speed went up to 2500kilobytessecond
Batching operation parametersinstead of sending them as separatepackets It increased the speed to5000 kilobytessecond This waseven more than they were expect-ing but the results were incorrectThe client had asked for speed buthadnrsquot mentioned anything aboutcorrectness So was the problemsolved
Not using memory-mapped IO toincrease accuracy they gave up onmemory-mapped IO for initializa-tion vectors and count Unfortu-nately there was a smallperformance cost the speed wasnow 3000 kilobytessecond
From the clientrsquos point of view all ofthese steps showed them that the onlyway to maximize the performance whileusing the secure coprocessor was todesign DES-batched API From thedesignerrsquos point of view the conclusions
were simpler always distrust folkloreand think if and how people will useyour product before designing it
SESSION FIREWALLSINTRUSION
DETECTION
Summarized by Stefan Kelm and YongGuan
ARCHITECTING THE LUMETA FIREWALL
ANALYZER
Avishai Wool Lumeta
ldquoWhat is your firewall doingrdquo AvishaiWool asked the audience at the begin-ning of his presentation therebydescribing the motivation to build LFAthe ldquoLumeta Firewall Analyzerrdquo
Firewalls have been installed by almostall companies connected to the InternetHowever the underlying policy often isfar from being good enough to actuallyprotect the company from outsideattackers Network administrators oftendo not know how to set up a firewallsecurely much less how to test or auditthe firewall configuration Wool pointedout that LFA is the successor of the Fangprototype system built at Bell Labs as afirewall analysis engine
The key idea is not to probe the actualfirewall in any way but to allow testingof the configuration before the firewallis deployed The firewallrsquos routing tableand configuration files are used as inputto the LFA which parses these files andsimulates the behavior of any possiblepacket flow combination (LFA mainlyoffers support for Firewall-1 and PIX)The results are presented to the user asHTML pages
Wool concluded by giving a shortdemonstration As input to the LFA heused a short Firewall-1 policy whichcontained only six rules and explainedwhy even such a short rule set mightlead to problems once the firewall isdeployed During the QampA session heemphasized that the LFA only checkspacket headers not the content and
16 Vol 26 No 7 login
cannot therefore detect tunneling prob-lems
For more information contactyashacmorg or visit httpwwwlumetacomfirewallhtml
TRANSIENT ADDRESSING FOR RELATED
PROCESSES IMPROVED FIREWALLING BY
USING IPV6 AND MULTIPLE ADDRESSES PER
HOST
Peter M Gleitz and Steven M BellovinATampT Labs-Research
The authors proposed a method to sim-plify firewall decisions By using thelarge address space brought by IPv6they employed a strategy of multiplenetwork addresses per host That is foreach request on the client host an IPv6address is tied to the client process Thefirewall now makes access decisionsbased on transport layer protocol infor-mation (ie filtering is shifted fromports to addresses) Once approved thefirewall allows all traffic between the twopeers to pass to and fro Once the serviceis finished the IPv6 address is discardedThis method is called TARP (transientaddressing for related processes) TARPemploys two different types ofaddresses (fixed) server addresses andprocess group addresses
Gleitz discussed how TARP works withTCP and UDP applications and with thefirewall router domain name serverand IPSEC Employing TARP does notnecessarily affect the routers thoughTARP-aware routers can perform betterMoreover Gleitz pointed out that nomodifications to standard applicationssuch as Telnet SSH FTP Sendmail orTFTP are necessary in order to useTARP He also mentioned briefly someinterop problems with protocols such asDNS and ICMPv6
For more information contactpmgleitnetscapenet
NETWORK INTRUSION DETECTION EVASIONTRAFFIC NORMALIZATION AND END-TO-END
PROTOCOL SEMANTICS
Mark Handley and Vern Paxson ACIRIChristian Kreibich Technische Univer-sitaumlt Muumlnchen
This paper focused on the problem ofnetwork intrusion detection system(NIDS) evasion Attackers usually canfool any NIDS by exploiting certainambiguities in the packet flow beingmonitored by the NIDS ie (1) theNIDS may lack complete analysis of thepacket flow (eg no TCP stream re-assembly) (2) the NIDS may lack end-system knowledge (eg certainapplication vulnerabilities) and (3) theNIDS may lack network knowledge(eg the topology between the NIDSand an end system)
As a solution Paxson proposed thedeployment of a ldquonormalizerrdquo the goalof which would be to observe all packetsbeing sent between two network nodes(he called that a ldquobump-in-the-wirerdquo)and to modify (ldquonormalizerdquo) packetsthat seem to be ambiguous for one rea-son or another As an example theauthor described problems with twooverlapping fragments the normalizerwould re-assemble (and re-fragment ifnecessary) those packets before forward-ing Since re-assembly is a valid opera-tion the normalizer would in thisexample have no impact on the seman-tics at all
Paxson also pointed out some of theproblems with this approach one ofwhich is the ldquocold startrdquo problem(re-)starting the normalizer will showmany valid connections already estab-lished It is difficult to handle those con-nections accordingly (this is also true forthe NIDS itself) The normalizer hasbeen implemented and will be availableat wwwsourceforgenet soon
In the QampA session Steven Bellovinwanted to know whether normalization
would not be needed at the applicationlayer as well The presenter answered inthe affirmative
For more information contactvernaciriorg
SESSION OPERATING SYSTEMS
Summarized by Mike Vernal
SECURITY ANALYSIS OF THE PALM OPERATING
SYSTEM AND ITS WEAKNESSES AGAINST
MALICIOUS CODE THREATS
Kingpin and Mudge stake Inc
Kingpin and Mudge began their presen-tation with a bold fashion statementappearing in matching white bathrobesTheir bathrobes aimed to underscore thefact that PDAs can undermine user pri-vacy in a public setting Their effortswere later rewarded with the covetedUSENIX Style Award presented by thereal Peter Honeyman of the Universityof Michigan
The presentation centered on the secu-rity threat posed by the recent ubiquityof Personal Digital Assistants (PDAs)and more specifically devices runningthe Palm Operating System Palmdevices increasingly are being used insecurity-sensitive settings such as hospi-tals and government agencies While thegovernment is now aware of the securitythreat posed by PDAs the corporateworld has remained generally oblivious
17November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SThe security threat of the Palm stemsfrom the PalmOSrsquos lack of a well-definedsecurity framework Specific weaknessesenumerated include the direct address-ability of hardware the lack of memoryencryption the lack of ACLs weakobfuscation of passwords and a back-door debug mode that allows for thebypassing of ldquosystem lockoutrdquo Becauseof these and other weaknesses the audi-ence agreed with the assertion thatdeveloping a secure application on topof the PalmOS would be impossible
The presentation suggested thatunscrupulous users could exploit anumber of weaknesses to install mali-cious code including normal applica-tion installation desktop conduitscreator ID replacement wireless com-munications and the Palm DebuggerAnother threat raised by Kingpin andMudge was the possibility of a new set ofcross-pollinating viruses which could beacquired via a Palm and propagatethemselves to desktop computers via theHotSync operation or vice versa
With the growing popularity of PDAsKingpin and Mudge invoked OccamrsquosRazor all other factors being equal thePDA may be the malicious userrsquos easiestpoint of entry into an information net-work The upcoming PalmOS 40reportedly fixes some of the securityconcerns raised In the interim usersshould be made aware of the possiblesecurity threats and restrict or eliminatetheir use of sensitive data and applica-tions on Palm devices
SECURE DATA DELETION FOR LINUX
FILE SYSTEMS
Steven Bauer and Nissanka B Priyan-tha MIT
Steven Bauer presented an implementa-tion of a kernel-level secure data-dele-tion (SDD) mechanism for the ext2 filesystem
Bauer suggested that with the increasingprevalence of public kiosks thin clientsmulti-user computing clusters and dis-tributed file systems users will want toensure that when their data is deletedfrom these systems it is truly and irre-trievably deleted
In 1996 Peter Gutmann of IBM demon-strated that data that had been overwrit-ten on a magnetic disk could berecovered using advanced probing tech-niques While popular lore has suggestedcertain government agencies may beable to recover data overwritten dozensof times no commercial data recoverycompany contacted in conjunction withBauerrsquos research believed that it couldrecover data that had been overwrittenmore than once As such the SDD sys-tem as described probably only needs tooverwrite data a few times
This SDD system was designed to ensurethat all flagged data is deleted even inthe event of system failure The deletionprocess was designed as an asynchro-nous daemon to ensure that it did notinterfere with normal operation andperformance Though implemented forthe ext2 file system Bauer asserts thatthis system should be portable to anyblock-oriented file system
The ext2 implementation used theunused secure-deletion flag settablewith the chattr() function With thismechanism the granularity with whichsecure deletion can be specified rangesfrom an entire device to an individualfile Questions were raised as to the vul-nerability of temporary files that are notflagged in a secure deletion zone Bauerrecommended that for maximum secu-rity the entire device should be flaggedfor secure deletion
Kingpin and Mudge
SESSION MANAGING CODE
Summarized by Sameh Elnikety
STATICALLY DETECTING LIKELY BUFFER
OVERFLOW VULNERABILITIES
David Larochelle and David Evans Uni-versity of Virginia
Buffer overflow attacks account forapproximately half of all security vul-nerabilities Programs written in C areparticularly susceptible to buffer over-flow attacks because C allows directpointer manipulations without anybounds checking
Run-time approaches to mitigate therisks of buffer overflow incur perfor-mance penalties and they turn bufferoverflow attacks into denial-of-serviceattacks by terminating execution of theattacked processes Static checking over-comes these problems by detecting likelyvulnerabilities before deployment
The authors developed a practical light-weight static analysis tool based onLCLint to detect a high percentage oflikely buffer overflow vulnerabilities
The tool exploits semantic comments(annotations) that describe programmerassumptions and intents These annota-tions are treated as regular C commentsby the compiler but are recognized assyntactic entities by LCLint The annota-tions represent preconditions and post-conditions for functions to determinehow much memory has been allocatedfor buffers LCLint uses traditional com-piler data flow analyses with constraintgeneration and resolution Also LCLintuses loop heuristics to efficiently analyzemany loop idioms in typical C pro-grams
The authors used the tool to analyze wu-ftpd which is a popular open sourceFTP server and part of BIND which is aset of domain-name tools and librariesthat is considered the reference imple-mentation of DNS Running LCLint issimilar to running a compiler For wu-
18 Vol 26 No 7 login
ftpd it took less than one minute forLCLint to analyze all 17000 lines ofunmodified wu-ftpd source code Thisresulted in 243 warnings that showedknown and unknown buffer overflowvulnerabilities
LCLint source code and binaries areavailable from httplclintcsvirginiaedu
FORMATGUARD AUTOMATIC PROTECTION
FROM PRINTF FORMAT STRING
VULNERABILITIES
Crispin Cowan Matt Barringer SteveBeattie Greg Kroah-Hartman WireXCommunications Inc Mike FrantzenPurdue University and Jamie LokierCERN
In June 2000 a major new class of vul-nerabilities called format bugs was dis-covered when a vulnerability inWU-FTP appeared that looked almostlike a buffer overflow but was not It isunsafe to allow potentially hostile inputto be passed directly as the format stringfor calls to printf-like functions Thedanger is that the inclusion of direc-tives especially n in the format stringcoupled with the lack of any effectivetype or argument counting in Crsquosvarargs facility allows the attacker toinduce unexpected behavior in pro-grams
The authors developed FormatGuard asmall patch to glibc It provides generalprotection against format bugs usingparticular properties of the GNU CPPmacro-handling mechanism to extractthe count of actual arguments to printfstatements This is then passed to a safeprintf wrapper The wrapper parses theformat string to determine how manyarguments to expect and if the formatstring calls for more arguments than theactual number of arguments it raises anintrusion alert and kills the process
FormatGuard fails to protect against for-mat bugs under several circumstancesFor example if the program uses a func-
tion pointer that has the address ofprintf then it evades the macro expan-sion
FormatGuard is incorporated in WireXrsquosImmunix Linux distribution and serverproducts It is available as a GPLrsquod patchto glibc at httpimmunixorg
DETECTING FORMAT STRING VULNERABILITIES
WITH TYPE QUALIFIERS
Umesh Shankar Kunal Talwar Jeffrey SFoster and David Wagner Universityof California Berkeley
Systems written in C are difficult tosecure given Crsquos tendency to sacrificesafety for efficiency Format string vul-nerabilities can occur when user input isused as a format specifier One of themost common cases is when the pro-gram uses printf with one argument auser-supplied string assuming that thestring does not contain any directiveThe authors presented a tool (cqual)that automatically detects format stringbugs at compile time using type-theo-retic analysis techniques With this staticanalysis vulnerabilities can be proac-tively identified and fixed before thecode is deployed
Cqual builds an annotated Abstract Syn-tax Tree (AST) Then it traverses theAST to generate a system of type con-straints which is solved online Warn-ings are produced whenever aninconsistent constraint is generatedCqual presents the results of taintinganalysis to the programmer using Pro-gram Analysis Mode for Emacs (PAM)PAM is a GUI that is designed to addhyperlinks and color mark-ups to thepreprocessed text of the program Theinterface shows the taint flow path tohelp programmers determine how avariable becomes tainted
The configuration files makes cqualusable without modifying the sourcecode The authors analyzed four secu-rity-sensitive benchmark programs withthe same standard prelude file and no
direct changes to the applicationsrsquosource code Typically a few application-specific entries were added to the prel-ude file to improve accuracy in thepresence of wrappers around libraryfunctions Cqual reliably finds all knownbugs for the benchmark programs Italso reports few false positives Cqual isfast it usually takes less than a minute
Cqual is available at httpbanecsberkeleyeducqual
SESSION AUTHORIZATION
Summarized by Rachel Greenstadt
CAPABILITY FILE NAMES SEPARATING
AUTHORIZATION FROM USER MANAGEMENT
IN AN INTERNET FILE SYSTEM
Jude T Regan consultant Christian DJensen Trinity College
On the Internet there is no reliable wayto establish an identity Flexible user-user collaboration outside of an admin-istered system so that people couldcreate ad hoc work groups and removearbitrary limitations to informationsharing is the authorsrsquo goal
Such a system should be globally accessi-ble easy to use and require as littleintervention by system administrators aspossible This system should integratewith existing systems and applications Itshould have fine granularity so thatusers would not have to use complicatedexport mechanisms to share files
The authors used the concept of a capa-bility a token conveying specified accessrights to a named object in order tomake the identity of the object and theaccess rights inseparable They embed-ded the capability in something everysystem knows ndash the file name
The authors concluded that the systemwas safe from interception and modifi-cation Attackers could forge the clientpart but not the server part of the filenames Service could be interrupted butprotecting against this is impossible
19November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Swithout complete control of the net-work Performance was evaluated incomparison to NFS Most of the over-head was in the open statement Readswere slightly slower and writes weremuch slower but they felt this could bealleviated by implementing symmetricwrites
KERBERIZED CREDENTIAL TRANSLATION ASOLUTION TO WEB ACCESS CONTROL
Olga Kornievskaia Peter HoneymanBill Doster and Kevin Coffman CITIUniversity of Michigan
There are two different authenticationmechanisms those used for servicessuch as login AFS and mail for whichKerberos is popular and public key-based mechanisms such as SSL which isused to establish secure connections onthe Web These systems need to be ableto work together to satisfy a request
The authors propose to achieve the bestof both worlds by leveraging Kerberos tosolve PKI key management This will useexisting infrastructures which allowstrong authentication on the Web withSSL and which provide access to Kerber-ized back-end services They propose asystem to provide interoperabilitybetween PKI and Kerberos Their systemconsists of (1) a Certificate Authority(CA) KX509 which creates short-livedcertificates (2) a Web server which actslike a proxy for users by requesting serv-ices from Kerberized back-end servicesand (3) a Kerberized Credential Transla-tor which translates public-key creden-tials to Kerberos They created aprototype of their system called WebAFSusing AFS as an example Kerberized ser-vice
DOS AND DONrsquoTS OF CLIENT AUTHENTICA-TION ON THE WEB
Kevin Fu Emil Sit Kendra Smith and
Nick Feamster MIT
[This paper received the Best StudentPaper Award]
Kevin gave a very amusing presentationwhich illustrated the gap between secu-rity theory and practice He described avariety of Web sites that used insecureclient authentication schemes and pre-sented hints on how to avoid their mis-takes
Client authentication seems like a solvedproblem but many sites continue tocome up with homebrew schemes whichjust donrsquot quite get it right Out of the 27Web sites the cookie eaters group exam-ined they weakened the security on twosites were able to mint authenticatorson eight and on one site were able toobtain the secret key Some of these siteswere high profile such as the Wall StreetJournal (wsjcom) Sprint PCS (sprint-pcscom) and FatBrain (fatbraincom)
In most cases the mistakes made inthese sites were simple By simply look-ing at their cookie files the authors couldquery Web servers and look at headersresponses and create sample authentica-
tors Except forSprint theseattacks involved noeavesdropping atall The schemeswere not evenstrong against whatthe authors termedthe ldquointerrogativeadversaryrdquo Thisadversary has nospecial access but it
adaptively queries a Web server a rea-sonable number of times It just sitsthere and connects to port 80 it cannotdefeat SSL client authentication HTTPbasic or digest authentication The bestsuch an adversary can do against a pass-
Kevin Fu
word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable
In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password
Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary
In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu
SESSION KEY MANAGEMENT
Summarized by Sameh Elnikety
SC-CFS SMARTCARD SECURED
CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi CITI University of Michigan
Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS
20 Vol 26 No 7 login
implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation
When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory
SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key
The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds
SECURE DISTRIBUTION OF EVENTS IN
CONTENT-BASED PUBLISH SUBSCRIBE
SYSTEMS
Lukasz Opyrchal and Atul Prakash University of Michigan
Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage
Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize
The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
Conclusions made by the enginemust be provable
All kinds of TCP behavior must betaken into account
The number of blocked packetsmust be minimized
Blocking of packets must never leadto hanging connections
Opportunities for abuse should bemade as small as possible
The new state engine includes 20 bytesper state entry and about 40 lines of Ccode without loops thus the perfor-mance overhead is minimal
However even the new state engine isnot always successful even though it is agreat improvement Occasionallyblocked FIN and ACK packets causeproblems in the state timeout handlingfor TCP half-closed sessions IP Filterdrops packets coming from a few Win-dows NT workstations for a strange andas yet unknown reason
Guido then outlined some future addi-tions to IP Filter He would like to beable to fix fragment handling add sup-port for sessions entering the state tableafter establishment and check validity ofa session if a packet comes in from themiddle of the connection
REFEREED PAPERS
SESSION DENIAL OF SERVICE
Summarized by Stefan Kelm
USING CLIENT PUZZLES TO PROTECT TLS
Drew Dean Xerox PARC Adam Stub-blefield Rice University
Adam Stubblefield presented their workon a DoS protection technique namelythe use of client puzzles within the TLSprotocol Even though client puzzleshave been supposed to be a solution toDoS attacks Stubblefield pointed outthe lack of actual implementations Thechoice of TLS as the protocol to protectagainst DoS seems obvious but TLS issubject to DoS attacks because of thecomputing-expensive cryptographic
13November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Soperations performed at both the clientand the server side A server howeverhas to perform the more expensive RSAdecrypt operations during the sessionhandshake thus any small number ofclients could easily overload a TLS serverby flooding the server with TLS hand-shake messages The goal of this work isto prevent this using cheap methods
The idea of TLS-based cryptographicpuzzles is to first let the client do thework and subsequently the server If theserver is under a heavy load it sends aso-called ldquopuzzle requestrdquo to the clientThe client in turn has to compute anumber of operations which it then usesto send a ldquopuzzle solutionrdquo back to theserver Thus the server will not need tocontinue the TLS handshake unless theclient has proven its intent to really opena TLS connection
Client puzzles are surprisingly easy toimplement on both the client and theserver side Stubblefield used modifiedOpenSSL and mod_ssl source code totest the implementation The implemen-tation uses a metric which tracks unfin-ished RSA decrypt requests in order todecide whether or not the server isassumed to be under attack Sinceadding more latency to the TLS protocolwas not a goal of this work the serveronly sends a puzzle request back to theclient if it really has to This is imple-mented by using variable thresholds
The author concluded that they are ableto protect against certain denial-of-ser-vice attacks at not much cost and with agood user experience Moreover theproposed solution can be implementedusing already existing code
For more information contact astubblericeedu
INFERRING INTERNET DENIAL-OF-SERVICE
ACTIVITY
David Moore CAIDA Geoffrey MVoelker and Stefan Savage Universityof California San Diego
This paper awarded the best paperaward tried to answer the question ofhow prevalent denial-of-service attacksin the Internet currently are Theauthors ran a test over a period of threeweeks trying to come up with an esti-mate of worldwide DoS activity
David Moore presented the so-calledldquobackscatter analysisrdquo as their key ideaand outlined the basic technique sinceattackers normally use spoofed source IPaddresses the ldquoreal ownersrdquo of those IPaddresses regularly receive responsepackets from the systems being attacked(Moore called these ldquounsolicitedresponsesrdquo) By monitoring these unso-licited responses one is able to detectdifferent kinds of DoS attacks Further-more by observing a huge number ofdifferent IP addresses over a longerperiod of time sampling the results canprovide an overview of attacks going on
Moore presented some interestingresults and displayed a number of fig-ures and tables showing the number ofattacks the attacks over time the attackcharacterization the attack duration dis-tribution and the attack rate distribu-tion Moorersquos team observed a numberof minor DoS attacks (described as ldquoper-sonal vendettasrdquo) as well as some victimsunder repeated attack Classifying thevictims by TLD showed countries likeRomania and Brazil being attacked farmore often than most other TLDs Thepresenterrsquos hypothesis was that eitherthose countries host ISPs that attackeach other or there simply are morehackers located in Romania and Brazil(this was later denied by someone in theaudience stating that Romania has reallynice people)
In conclusion the authors observedsome very large DoS attacks thoughmost attacks seem to be short in dura-tion Another result showed the majorityof attacks being TCP based To clarifythis technique is not good at distin-guishing between DoS and DDoS
attacks since it is not good at distin-guishing between attackers
During the QampA session one questionwas on why the analysis showed noattacks on the mil domain Theresponse given was that either mil is notunder attack (unlikely) or that backscat-ter packets are being filtered
For more information contactdmoorecaidaorg or see httpwwwcaidaorgoutreachpapersbackscatter
MULTOPS A DATA-STRUCTURE FOR
BANDWIDTH ATTACK DETECTION
Thomer M Gil Vrije UniversiteitMITMassimiliano Poletto MIT
Thomer Gil proposed a heuristic as wellas a new data structure to be used byrouters and similar network devices todetect (and possibly eliminate) denial-of-service attacks Most DoS attacksshow disproportional packet rates with ahuge number of packets being sent tothe victim and only very few packetsbeing sent by the victim in response Thenew data structure called MULTOPS(Multi-Level Tree for Online Packet Sta-tistics) monitors certain Internet trafficcharacteristics and is able to drop pack-ets based on either the source or the des-tination address
The main implementation challengeswith MULTOPS have been and still arethe precise identification of maliciousaddresses athe achievement of a smallmemory footprint and a low overheadon forwarding ldquorealrdquo traffic as opposedto DoS-based traffic MULTOPS isimplemented as a memory-efficient treeof nodes which contains packet-rate sta-tistics and which dynamically grows andshrinks with the traffic being observedAt the current implementation packetsare dropped based on either a variablepacket rate or a ratio Since it usually isimpossible to identify an attacker(because of IP spoofing) packets can bedropped based on the victimrsquos IP too
14 Vol 26 No 7 login
The authors succeeded in simplifyingmemory management and the mecha-nism that keeps track of packets Gilpointed out that their solution is suc-cessfully being used by a network com-pany They are currently trying to focuson the behavior of different TCP imple-mentations as well as protocols otherthan TCP
Someone brought up the question ofdifferentiating DoS traffic from trafficthat normally shows disproportionalpacket flows eg video traffic The replysuggested the possibility of buildingsome kind of knowledge base A livelydiscussion on random class A addresseswithin MULTOPS subsequently arosebut was taken offline
For more information contact thomerlcsmitedu
SESSION HARDWARE
Summarized by Anca Ivan
DATA REMANENCE IN SEMICONDUCTOR
DEVICES
Peter Gutmann IBM TJ WatsonResearch Center
Peter Gutmann explained the dangers ofdeleting data in semiconductors Every-one knows that deleting data from mag-netic media is very hard but not toomany realize that the same problemexists for semiconductors especiallysince there are so many ways of buildingsemiconductors each with its own set ofproblems and solutions After giving ashort background introduction in semi-conductors and circuits (n-type p-typeSRAM DRAM) Peter described some ofthe most important issues
Electromigration because of highcurrent densities metal atoms aremoved in the opposite direction ofthe normal current flow The conse-quence is that the operating proper-ties of the device are stronglyaltered
Hot carriers during operation thedevice heats up and its characteris-tics change considerably
Ionic contamination this is nolonger an issue and its effects are nolonger significant
Radiation-induced charging itfreezes the circuit into a certainstate
The first phenomenon enables attackersto recover partial information from spe-cial-purpose devices (eg cryptographicsmartcards) The next two can be usedto recover data deleted from memory Inorder to avoid long- and short-term dataretention from semiconductors (a DESkey was recovered in the lsquo80s)researchers developed a series of solu-tions that use various semiconductorforensic techniques including the fol-lowing two
Short-term retention probably thesafest way to defend against it is notto keep the same values in the samememory cells for too long (maxi-mum a few minutes)
Long-term retention in 1996 someresearchers proposed periodicallyflipping the stored bits In this wayno cell holds the same bit value forlong enough to ldquorememberrdquo it
In the end Peter talked about how allthe problems cited above extend to flashmemory For example random genera-tors can generate strings of 1s when thepool is empty or information can beleaked into adjacent cells into shared cir-cuitry
Even though the entire presentationscared at least one person in the audi-ence (guess who) Peter assured us thatreality is not that gloomy In fact theonly problem is the lack of a standardEvery time people decide to choose oneimplementation method they shouldalso choose which solutions are best forit Answering a question Peter told usthat personal computers are not affected
by those problems but that most special-ized devices like airplane black boxescan leak information if analyzed withvery sophisticated equipment But thenagain who has such equipment
STACKGHOST HARDWARE-FACILITATED
STACK PROTECTION
Mike Frantzen CERIAS Mike ShueyPurdue University
The authors presented a software solu-tion to the return-pointer hijackingproblem The most important step inthe function-call process is when thecaller saves the return pointer beforegiving the control to the called functionMany attacks are based on changing thispointer When the callee finishes thereturn pointer dictates which functiontakes control next StackGhost is a pieceof software that automatically and trans-parently saves the return pointer andreplaces it with another number Whenthe called function completes Stack-Ghost verifies the integrity of that num-ber (catching in this way possibleattacks) and reinstalls the correctpointer value
The security of StackGhost depends onhow it modifies the return pointer tocatch attacks the authors have tried sev-eral ways
Per kernel XOR with a 13-bit signedcookie the main problem is that anattacker can find out the cookie bystarting several arbitrary programs
Per process XOR with a 32-bitcookie this is safer than the previ-ous method but more expensive
Encryptdecrypt the return pointerthis method seems to be the mostexpensive
Return-address stack this methodreplaces the return pointer withanother number and saves thepointer into a return-address stackHowever this would impede otherapplications from running correctly
15November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SAfter making performance measure-ments for all techniques the authorsnoticed that the chances of StackGhostnot catching an attack were 1 in 3 forXOR cookies and 1 in 232 for the return-address stack The conclusion was thatStackGhost was offering protectionagainst return-pointer overriding to allprocesses in the system (which might beseen as a disadvantage)
IMPROVING DES COPROCESSOR THROUGH-PUT FOR SHORT OPERATIONS
Mark Lindemann IBM TJ Watson
Research Center Sean W Smith
Dartmouth College
While the first two talks in this sessionwere at opposite poles (one deeply hard-ware and one purely software) the thirdone was somehow in the middle Thepresenter Sean Smith is one the fathersof the cryptographic card developed atIBM and presently working at Dart-mouth College Everything started in avery optimistic fashion with the usualintroduction we would have expectedfrom an IBM representative trying to sellus this device ldquoIt is secure it is fast it is reliablerdquo All the buzzwords werethere However with the next slide thischanged to ldquoIt is not as secure fast as we thoughtrdquo For example the specifi-cation promised the DES speed to be 20megabytessecond when in reality afriend obtained less than two kilobytessecond in a database application Wherewas the discrepancy coming from Themain intuition was that the specificationgives the performance for operations onmegabytes of input The real speed ismuch slower if the data is shipped to thecard in small chunks The differencebetween specs and reality was too bignot to be studied and Lindemanndecided to find out the reasons behindit First they built a model that simu-lates the database application and thentried to improve the speed by modifyingthe execution conditions in the follow-ing ways
Reducing card-host interactionldquofolklore in IBMrdquo taught them thatany card-host interaction consumestoo much time Thus they rewrotethe application to minimize thenumber of interactions The speedwent up to 18ndash23 kilobytessecondhowever it was still too far frommegabyte speed
Batching all operations into onechip operation chip resets were tooexpensive The speed became 360kilobytessecond
Batching into multiple chip opera-tions it reduced the number ofLayer 3 ndash Layer 2 switches Thespeed changed to 30ndash290kilobytessecond still not good
Reducing data transfers they did itby using an internal key-table andboosted the speed to 1400 kilo-bytessecond
Using memory-mapped IO thiseliminated the internal ISA bus bot-tleneck The speed went up to 2500kilobytessecond
Batching operation parametersinstead of sending them as separatepackets It increased the speed to5000 kilobytessecond This waseven more than they were expect-ing but the results were incorrectThe client had asked for speed buthadnrsquot mentioned anything aboutcorrectness So was the problemsolved
Not using memory-mapped IO toincrease accuracy they gave up onmemory-mapped IO for initializa-tion vectors and count Unfortu-nately there was a smallperformance cost the speed wasnow 3000 kilobytessecond
From the clientrsquos point of view all ofthese steps showed them that the onlyway to maximize the performance whileusing the secure coprocessor was todesign DES-batched API From thedesignerrsquos point of view the conclusions
were simpler always distrust folkloreand think if and how people will useyour product before designing it
SESSION FIREWALLSINTRUSION
DETECTION
Summarized by Stefan Kelm and YongGuan
ARCHITECTING THE LUMETA FIREWALL
ANALYZER
Avishai Wool Lumeta
ldquoWhat is your firewall doingrdquo AvishaiWool asked the audience at the begin-ning of his presentation therebydescribing the motivation to build LFAthe ldquoLumeta Firewall Analyzerrdquo
Firewalls have been installed by almostall companies connected to the InternetHowever the underlying policy often isfar from being good enough to actuallyprotect the company from outsideattackers Network administrators oftendo not know how to set up a firewallsecurely much less how to test or auditthe firewall configuration Wool pointedout that LFA is the successor of the Fangprototype system built at Bell Labs as afirewall analysis engine
The key idea is not to probe the actualfirewall in any way but to allow testingof the configuration before the firewallis deployed The firewallrsquos routing tableand configuration files are used as inputto the LFA which parses these files andsimulates the behavior of any possiblepacket flow combination (LFA mainlyoffers support for Firewall-1 and PIX)The results are presented to the user asHTML pages
Wool concluded by giving a shortdemonstration As input to the LFA heused a short Firewall-1 policy whichcontained only six rules and explainedwhy even such a short rule set mightlead to problems once the firewall isdeployed During the QampA session heemphasized that the LFA only checkspacket headers not the content and
16 Vol 26 No 7 login
cannot therefore detect tunneling prob-lems
For more information contactyashacmorg or visit httpwwwlumetacomfirewallhtml
TRANSIENT ADDRESSING FOR RELATED
PROCESSES IMPROVED FIREWALLING BY
USING IPV6 AND MULTIPLE ADDRESSES PER
HOST
Peter M Gleitz and Steven M BellovinATampT Labs-Research
The authors proposed a method to sim-plify firewall decisions By using thelarge address space brought by IPv6they employed a strategy of multiplenetwork addresses per host That is foreach request on the client host an IPv6address is tied to the client process Thefirewall now makes access decisionsbased on transport layer protocol infor-mation (ie filtering is shifted fromports to addresses) Once approved thefirewall allows all traffic between the twopeers to pass to and fro Once the serviceis finished the IPv6 address is discardedThis method is called TARP (transientaddressing for related processes) TARPemploys two different types ofaddresses (fixed) server addresses andprocess group addresses
Gleitz discussed how TARP works withTCP and UDP applications and with thefirewall router domain name serverand IPSEC Employing TARP does notnecessarily affect the routers thoughTARP-aware routers can perform betterMoreover Gleitz pointed out that nomodifications to standard applicationssuch as Telnet SSH FTP Sendmail orTFTP are necessary in order to useTARP He also mentioned briefly someinterop problems with protocols such asDNS and ICMPv6
For more information contactpmgleitnetscapenet
NETWORK INTRUSION DETECTION EVASIONTRAFFIC NORMALIZATION AND END-TO-END
PROTOCOL SEMANTICS
Mark Handley and Vern Paxson ACIRIChristian Kreibich Technische Univer-sitaumlt Muumlnchen
This paper focused on the problem ofnetwork intrusion detection system(NIDS) evasion Attackers usually canfool any NIDS by exploiting certainambiguities in the packet flow beingmonitored by the NIDS ie (1) theNIDS may lack complete analysis of thepacket flow (eg no TCP stream re-assembly) (2) the NIDS may lack end-system knowledge (eg certainapplication vulnerabilities) and (3) theNIDS may lack network knowledge(eg the topology between the NIDSand an end system)
As a solution Paxson proposed thedeployment of a ldquonormalizerrdquo the goalof which would be to observe all packetsbeing sent between two network nodes(he called that a ldquobump-in-the-wirerdquo)and to modify (ldquonormalizerdquo) packetsthat seem to be ambiguous for one rea-son or another As an example theauthor described problems with twooverlapping fragments the normalizerwould re-assemble (and re-fragment ifnecessary) those packets before forward-ing Since re-assembly is a valid opera-tion the normalizer would in thisexample have no impact on the seman-tics at all
Paxson also pointed out some of theproblems with this approach one ofwhich is the ldquocold startrdquo problem(re-)starting the normalizer will showmany valid connections already estab-lished It is difficult to handle those con-nections accordingly (this is also true forthe NIDS itself) The normalizer hasbeen implemented and will be availableat wwwsourceforgenet soon
In the QampA session Steven Bellovinwanted to know whether normalization
would not be needed at the applicationlayer as well The presenter answered inthe affirmative
For more information contactvernaciriorg
SESSION OPERATING SYSTEMS
Summarized by Mike Vernal
SECURITY ANALYSIS OF THE PALM OPERATING
SYSTEM AND ITS WEAKNESSES AGAINST
MALICIOUS CODE THREATS
Kingpin and Mudge stake Inc
Kingpin and Mudge began their presen-tation with a bold fashion statementappearing in matching white bathrobesTheir bathrobes aimed to underscore thefact that PDAs can undermine user pri-vacy in a public setting Their effortswere later rewarded with the covetedUSENIX Style Award presented by thereal Peter Honeyman of the Universityof Michigan
The presentation centered on the secu-rity threat posed by the recent ubiquityof Personal Digital Assistants (PDAs)and more specifically devices runningthe Palm Operating System Palmdevices increasingly are being used insecurity-sensitive settings such as hospi-tals and government agencies While thegovernment is now aware of the securitythreat posed by PDAs the corporateworld has remained generally oblivious
17November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SThe security threat of the Palm stemsfrom the PalmOSrsquos lack of a well-definedsecurity framework Specific weaknessesenumerated include the direct address-ability of hardware the lack of memoryencryption the lack of ACLs weakobfuscation of passwords and a back-door debug mode that allows for thebypassing of ldquosystem lockoutrdquo Becauseof these and other weaknesses the audi-ence agreed with the assertion thatdeveloping a secure application on topof the PalmOS would be impossible
The presentation suggested thatunscrupulous users could exploit anumber of weaknesses to install mali-cious code including normal applica-tion installation desktop conduitscreator ID replacement wireless com-munications and the Palm DebuggerAnother threat raised by Kingpin andMudge was the possibility of a new set ofcross-pollinating viruses which could beacquired via a Palm and propagatethemselves to desktop computers via theHotSync operation or vice versa
With the growing popularity of PDAsKingpin and Mudge invoked OccamrsquosRazor all other factors being equal thePDA may be the malicious userrsquos easiestpoint of entry into an information net-work The upcoming PalmOS 40reportedly fixes some of the securityconcerns raised In the interim usersshould be made aware of the possiblesecurity threats and restrict or eliminatetheir use of sensitive data and applica-tions on Palm devices
SECURE DATA DELETION FOR LINUX
FILE SYSTEMS
Steven Bauer and Nissanka B Priyan-tha MIT
Steven Bauer presented an implementa-tion of a kernel-level secure data-dele-tion (SDD) mechanism for the ext2 filesystem
Bauer suggested that with the increasingprevalence of public kiosks thin clientsmulti-user computing clusters and dis-tributed file systems users will want toensure that when their data is deletedfrom these systems it is truly and irre-trievably deleted
In 1996 Peter Gutmann of IBM demon-strated that data that had been overwrit-ten on a magnetic disk could berecovered using advanced probing tech-niques While popular lore has suggestedcertain government agencies may beable to recover data overwritten dozensof times no commercial data recoverycompany contacted in conjunction withBauerrsquos research believed that it couldrecover data that had been overwrittenmore than once As such the SDD sys-tem as described probably only needs tooverwrite data a few times
This SDD system was designed to ensurethat all flagged data is deleted even inthe event of system failure The deletionprocess was designed as an asynchro-nous daemon to ensure that it did notinterfere with normal operation andperformance Though implemented forthe ext2 file system Bauer asserts thatthis system should be portable to anyblock-oriented file system
The ext2 implementation used theunused secure-deletion flag settablewith the chattr() function With thismechanism the granularity with whichsecure deletion can be specified rangesfrom an entire device to an individualfile Questions were raised as to the vul-nerability of temporary files that are notflagged in a secure deletion zone Bauerrecommended that for maximum secu-rity the entire device should be flaggedfor secure deletion
Kingpin and Mudge
SESSION MANAGING CODE
Summarized by Sameh Elnikety
STATICALLY DETECTING LIKELY BUFFER
OVERFLOW VULNERABILITIES
David Larochelle and David Evans Uni-versity of Virginia
Buffer overflow attacks account forapproximately half of all security vul-nerabilities Programs written in C areparticularly susceptible to buffer over-flow attacks because C allows directpointer manipulations without anybounds checking
Run-time approaches to mitigate therisks of buffer overflow incur perfor-mance penalties and they turn bufferoverflow attacks into denial-of-serviceattacks by terminating execution of theattacked processes Static checking over-comes these problems by detecting likelyvulnerabilities before deployment
The authors developed a practical light-weight static analysis tool based onLCLint to detect a high percentage oflikely buffer overflow vulnerabilities
The tool exploits semantic comments(annotations) that describe programmerassumptions and intents These annota-tions are treated as regular C commentsby the compiler but are recognized assyntactic entities by LCLint The annota-tions represent preconditions and post-conditions for functions to determinehow much memory has been allocatedfor buffers LCLint uses traditional com-piler data flow analyses with constraintgeneration and resolution Also LCLintuses loop heuristics to efficiently analyzemany loop idioms in typical C pro-grams
The authors used the tool to analyze wu-ftpd which is a popular open sourceFTP server and part of BIND which is aset of domain-name tools and librariesthat is considered the reference imple-mentation of DNS Running LCLint issimilar to running a compiler For wu-
18 Vol 26 No 7 login
ftpd it took less than one minute forLCLint to analyze all 17000 lines ofunmodified wu-ftpd source code Thisresulted in 243 warnings that showedknown and unknown buffer overflowvulnerabilities
LCLint source code and binaries areavailable from httplclintcsvirginiaedu
FORMATGUARD AUTOMATIC PROTECTION
FROM PRINTF FORMAT STRING
VULNERABILITIES
Crispin Cowan Matt Barringer SteveBeattie Greg Kroah-Hartman WireXCommunications Inc Mike FrantzenPurdue University and Jamie LokierCERN
In June 2000 a major new class of vul-nerabilities called format bugs was dis-covered when a vulnerability inWU-FTP appeared that looked almostlike a buffer overflow but was not It isunsafe to allow potentially hostile inputto be passed directly as the format stringfor calls to printf-like functions Thedanger is that the inclusion of direc-tives especially n in the format stringcoupled with the lack of any effectivetype or argument counting in Crsquosvarargs facility allows the attacker toinduce unexpected behavior in pro-grams
The authors developed FormatGuard asmall patch to glibc It provides generalprotection against format bugs usingparticular properties of the GNU CPPmacro-handling mechanism to extractthe count of actual arguments to printfstatements This is then passed to a safeprintf wrapper The wrapper parses theformat string to determine how manyarguments to expect and if the formatstring calls for more arguments than theactual number of arguments it raises anintrusion alert and kills the process
FormatGuard fails to protect against for-mat bugs under several circumstancesFor example if the program uses a func-
tion pointer that has the address ofprintf then it evades the macro expan-sion
FormatGuard is incorporated in WireXrsquosImmunix Linux distribution and serverproducts It is available as a GPLrsquod patchto glibc at httpimmunixorg
DETECTING FORMAT STRING VULNERABILITIES
WITH TYPE QUALIFIERS
Umesh Shankar Kunal Talwar Jeffrey SFoster and David Wagner Universityof California Berkeley
Systems written in C are difficult tosecure given Crsquos tendency to sacrificesafety for efficiency Format string vul-nerabilities can occur when user input isused as a format specifier One of themost common cases is when the pro-gram uses printf with one argument auser-supplied string assuming that thestring does not contain any directiveThe authors presented a tool (cqual)that automatically detects format stringbugs at compile time using type-theo-retic analysis techniques With this staticanalysis vulnerabilities can be proac-tively identified and fixed before thecode is deployed
Cqual builds an annotated Abstract Syn-tax Tree (AST) Then it traverses theAST to generate a system of type con-straints which is solved online Warn-ings are produced whenever aninconsistent constraint is generatedCqual presents the results of taintinganalysis to the programmer using Pro-gram Analysis Mode for Emacs (PAM)PAM is a GUI that is designed to addhyperlinks and color mark-ups to thepreprocessed text of the program Theinterface shows the taint flow path tohelp programmers determine how avariable becomes tainted
The configuration files makes cqualusable without modifying the sourcecode The authors analyzed four secu-rity-sensitive benchmark programs withthe same standard prelude file and no
direct changes to the applicationsrsquosource code Typically a few application-specific entries were added to the prel-ude file to improve accuracy in thepresence of wrappers around libraryfunctions Cqual reliably finds all knownbugs for the benchmark programs Italso reports few false positives Cqual isfast it usually takes less than a minute
Cqual is available at httpbanecsberkeleyeducqual
SESSION AUTHORIZATION
Summarized by Rachel Greenstadt
CAPABILITY FILE NAMES SEPARATING
AUTHORIZATION FROM USER MANAGEMENT
IN AN INTERNET FILE SYSTEM
Jude T Regan consultant Christian DJensen Trinity College
On the Internet there is no reliable wayto establish an identity Flexible user-user collaboration outside of an admin-istered system so that people couldcreate ad hoc work groups and removearbitrary limitations to informationsharing is the authorsrsquo goal
Such a system should be globally accessi-ble easy to use and require as littleintervention by system administrators aspossible This system should integratewith existing systems and applications Itshould have fine granularity so thatusers would not have to use complicatedexport mechanisms to share files
The authors used the concept of a capa-bility a token conveying specified accessrights to a named object in order tomake the identity of the object and theaccess rights inseparable They embed-ded the capability in something everysystem knows ndash the file name
The authors concluded that the systemwas safe from interception and modifi-cation Attackers could forge the clientpart but not the server part of the filenames Service could be interrupted butprotecting against this is impossible
19November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Swithout complete control of the net-work Performance was evaluated incomparison to NFS Most of the over-head was in the open statement Readswere slightly slower and writes weremuch slower but they felt this could bealleviated by implementing symmetricwrites
KERBERIZED CREDENTIAL TRANSLATION ASOLUTION TO WEB ACCESS CONTROL
Olga Kornievskaia Peter HoneymanBill Doster and Kevin Coffman CITIUniversity of Michigan
There are two different authenticationmechanisms those used for servicessuch as login AFS and mail for whichKerberos is popular and public key-based mechanisms such as SSL which isused to establish secure connections onthe Web These systems need to be ableto work together to satisfy a request
The authors propose to achieve the bestof both worlds by leveraging Kerberos tosolve PKI key management This will useexisting infrastructures which allowstrong authentication on the Web withSSL and which provide access to Kerber-ized back-end services They propose asystem to provide interoperabilitybetween PKI and Kerberos Their systemconsists of (1) a Certificate Authority(CA) KX509 which creates short-livedcertificates (2) a Web server which actslike a proxy for users by requesting serv-ices from Kerberized back-end servicesand (3) a Kerberized Credential Transla-tor which translates public-key creden-tials to Kerberos They created aprototype of their system called WebAFSusing AFS as an example Kerberized ser-vice
DOS AND DONrsquoTS OF CLIENT AUTHENTICA-TION ON THE WEB
Kevin Fu Emil Sit Kendra Smith and
Nick Feamster MIT
[This paper received the Best StudentPaper Award]
Kevin gave a very amusing presentationwhich illustrated the gap between secu-rity theory and practice He described avariety of Web sites that used insecureclient authentication schemes and pre-sented hints on how to avoid their mis-takes
Client authentication seems like a solvedproblem but many sites continue tocome up with homebrew schemes whichjust donrsquot quite get it right Out of the 27Web sites the cookie eaters group exam-ined they weakened the security on twosites were able to mint authenticatorson eight and on one site were able toobtain the secret key Some of these siteswere high profile such as the Wall StreetJournal (wsjcom) Sprint PCS (sprint-pcscom) and FatBrain (fatbraincom)
In most cases the mistakes made inthese sites were simple By simply look-ing at their cookie files the authors couldquery Web servers and look at headersresponses and create sample authentica-
tors Except forSprint theseattacks involved noeavesdropping atall The schemeswere not evenstrong against whatthe authors termedthe ldquointerrogativeadversaryrdquo Thisadversary has nospecial access but it
adaptively queries a Web server a rea-sonable number of times It just sitsthere and connects to port 80 it cannotdefeat SSL client authentication HTTPbasic or digest authentication The bestsuch an adversary can do against a pass-
Kevin Fu
word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable
In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password
Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary
In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu
SESSION KEY MANAGEMENT
Summarized by Sameh Elnikety
SC-CFS SMARTCARD SECURED
CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi CITI University of Michigan
Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS
20 Vol 26 No 7 login
implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation
When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory
SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key
The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds
SECURE DISTRIBUTION OF EVENTS IN
CONTENT-BASED PUBLISH SUBSCRIBE
SYSTEMS
Lukasz Opyrchal and Atul Prakash University of Michigan
Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage
Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize
The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
attacks since it is not good at distin-guishing between attackers
During the QampA session one questionwas on why the analysis showed noattacks on the mil domain Theresponse given was that either mil is notunder attack (unlikely) or that backscat-ter packets are being filtered
For more information contactdmoorecaidaorg or see httpwwwcaidaorgoutreachpapersbackscatter
MULTOPS A DATA-STRUCTURE FOR
BANDWIDTH ATTACK DETECTION
Thomer M Gil Vrije UniversiteitMITMassimiliano Poletto MIT
Thomer Gil proposed a heuristic as wellas a new data structure to be used byrouters and similar network devices todetect (and possibly eliminate) denial-of-service attacks Most DoS attacksshow disproportional packet rates with ahuge number of packets being sent tothe victim and only very few packetsbeing sent by the victim in response Thenew data structure called MULTOPS(Multi-Level Tree for Online Packet Sta-tistics) monitors certain Internet trafficcharacteristics and is able to drop pack-ets based on either the source or the des-tination address
The main implementation challengeswith MULTOPS have been and still arethe precise identification of maliciousaddresses athe achievement of a smallmemory footprint and a low overheadon forwarding ldquorealrdquo traffic as opposedto DoS-based traffic MULTOPS isimplemented as a memory-efficient treeof nodes which contains packet-rate sta-tistics and which dynamically grows andshrinks with the traffic being observedAt the current implementation packetsare dropped based on either a variablepacket rate or a ratio Since it usually isimpossible to identify an attacker(because of IP spoofing) packets can bedropped based on the victimrsquos IP too
14 Vol 26 No 7 login
The authors succeeded in simplifyingmemory management and the mecha-nism that keeps track of packets Gilpointed out that their solution is suc-cessfully being used by a network com-pany They are currently trying to focuson the behavior of different TCP imple-mentations as well as protocols otherthan TCP
Someone brought up the question ofdifferentiating DoS traffic from trafficthat normally shows disproportionalpacket flows eg video traffic The replysuggested the possibility of buildingsome kind of knowledge base A livelydiscussion on random class A addresseswithin MULTOPS subsequently arosebut was taken offline
For more information contact thomerlcsmitedu
SESSION HARDWARE
Summarized by Anca Ivan
DATA REMANENCE IN SEMICONDUCTOR
DEVICES
Peter Gutmann IBM TJ WatsonResearch Center
Peter Gutmann explained the dangers ofdeleting data in semiconductors Every-one knows that deleting data from mag-netic media is very hard but not toomany realize that the same problemexists for semiconductors especiallysince there are so many ways of buildingsemiconductors each with its own set ofproblems and solutions After giving ashort background introduction in semi-conductors and circuits (n-type p-typeSRAM DRAM) Peter described some ofthe most important issues
Electromigration because of highcurrent densities metal atoms aremoved in the opposite direction ofthe normal current flow The conse-quence is that the operating proper-ties of the device are stronglyaltered
Hot carriers during operation thedevice heats up and its characteris-tics change considerably
Ionic contamination this is nolonger an issue and its effects are nolonger significant
Radiation-induced charging itfreezes the circuit into a certainstate
The first phenomenon enables attackersto recover partial information from spe-cial-purpose devices (eg cryptographicsmartcards) The next two can be usedto recover data deleted from memory Inorder to avoid long- and short-term dataretention from semiconductors (a DESkey was recovered in the lsquo80s)researchers developed a series of solu-tions that use various semiconductorforensic techniques including the fol-lowing two
Short-term retention probably thesafest way to defend against it is notto keep the same values in the samememory cells for too long (maxi-mum a few minutes)
Long-term retention in 1996 someresearchers proposed periodicallyflipping the stored bits In this wayno cell holds the same bit value forlong enough to ldquorememberrdquo it
In the end Peter talked about how allthe problems cited above extend to flashmemory For example random genera-tors can generate strings of 1s when thepool is empty or information can beleaked into adjacent cells into shared cir-cuitry
Even though the entire presentationscared at least one person in the audi-ence (guess who) Peter assured us thatreality is not that gloomy In fact theonly problem is the lack of a standardEvery time people decide to choose oneimplementation method they shouldalso choose which solutions are best forit Answering a question Peter told usthat personal computers are not affected
by those problems but that most special-ized devices like airplane black boxescan leak information if analyzed withvery sophisticated equipment But thenagain who has such equipment
STACKGHOST HARDWARE-FACILITATED
STACK PROTECTION
Mike Frantzen CERIAS Mike ShueyPurdue University
The authors presented a software solu-tion to the return-pointer hijackingproblem The most important step inthe function-call process is when thecaller saves the return pointer beforegiving the control to the called functionMany attacks are based on changing thispointer When the callee finishes thereturn pointer dictates which functiontakes control next StackGhost is a pieceof software that automatically and trans-parently saves the return pointer andreplaces it with another number Whenthe called function completes Stack-Ghost verifies the integrity of that num-ber (catching in this way possibleattacks) and reinstalls the correctpointer value
The security of StackGhost depends onhow it modifies the return pointer tocatch attacks the authors have tried sev-eral ways
Per kernel XOR with a 13-bit signedcookie the main problem is that anattacker can find out the cookie bystarting several arbitrary programs
Per process XOR with a 32-bitcookie this is safer than the previ-ous method but more expensive
Encryptdecrypt the return pointerthis method seems to be the mostexpensive
Return-address stack this methodreplaces the return pointer withanother number and saves thepointer into a return-address stackHowever this would impede otherapplications from running correctly
15November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SAfter making performance measure-ments for all techniques the authorsnoticed that the chances of StackGhostnot catching an attack were 1 in 3 forXOR cookies and 1 in 232 for the return-address stack The conclusion was thatStackGhost was offering protectionagainst return-pointer overriding to allprocesses in the system (which might beseen as a disadvantage)
IMPROVING DES COPROCESSOR THROUGH-PUT FOR SHORT OPERATIONS
Mark Lindemann IBM TJ Watson
Research Center Sean W Smith
Dartmouth College
While the first two talks in this sessionwere at opposite poles (one deeply hard-ware and one purely software) the thirdone was somehow in the middle Thepresenter Sean Smith is one the fathersof the cryptographic card developed atIBM and presently working at Dart-mouth College Everything started in avery optimistic fashion with the usualintroduction we would have expectedfrom an IBM representative trying to sellus this device ldquoIt is secure it is fast it is reliablerdquo All the buzzwords werethere However with the next slide thischanged to ldquoIt is not as secure fast as we thoughtrdquo For example the specifi-cation promised the DES speed to be 20megabytessecond when in reality afriend obtained less than two kilobytessecond in a database application Wherewas the discrepancy coming from Themain intuition was that the specificationgives the performance for operations onmegabytes of input The real speed ismuch slower if the data is shipped to thecard in small chunks The differencebetween specs and reality was too bignot to be studied and Lindemanndecided to find out the reasons behindit First they built a model that simu-lates the database application and thentried to improve the speed by modifyingthe execution conditions in the follow-ing ways
Reducing card-host interactionldquofolklore in IBMrdquo taught them thatany card-host interaction consumestoo much time Thus they rewrotethe application to minimize thenumber of interactions The speedwent up to 18ndash23 kilobytessecondhowever it was still too far frommegabyte speed
Batching all operations into onechip operation chip resets were tooexpensive The speed became 360kilobytessecond
Batching into multiple chip opera-tions it reduced the number ofLayer 3 ndash Layer 2 switches Thespeed changed to 30ndash290kilobytessecond still not good
Reducing data transfers they did itby using an internal key-table andboosted the speed to 1400 kilo-bytessecond
Using memory-mapped IO thiseliminated the internal ISA bus bot-tleneck The speed went up to 2500kilobytessecond
Batching operation parametersinstead of sending them as separatepackets It increased the speed to5000 kilobytessecond This waseven more than they were expect-ing but the results were incorrectThe client had asked for speed buthadnrsquot mentioned anything aboutcorrectness So was the problemsolved
Not using memory-mapped IO toincrease accuracy they gave up onmemory-mapped IO for initializa-tion vectors and count Unfortu-nately there was a smallperformance cost the speed wasnow 3000 kilobytessecond
From the clientrsquos point of view all ofthese steps showed them that the onlyway to maximize the performance whileusing the secure coprocessor was todesign DES-batched API From thedesignerrsquos point of view the conclusions
were simpler always distrust folkloreand think if and how people will useyour product before designing it
SESSION FIREWALLSINTRUSION
DETECTION
Summarized by Stefan Kelm and YongGuan
ARCHITECTING THE LUMETA FIREWALL
ANALYZER
Avishai Wool Lumeta
ldquoWhat is your firewall doingrdquo AvishaiWool asked the audience at the begin-ning of his presentation therebydescribing the motivation to build LFAthe ldquoLumeta Firewall Analyzerrdquo
Firewalls have been installed by almostall companies connected to the InternetHowever the underlying policy often isfar from being good enough to actuallyprotect the company from outsideattackers Network administrators oftendo not know how to set up a firewallsecurely much less how to test or auditthe firewall configuration Wool pointedout that LFA is the successor of the Fangprototype system built at Bell Labs as afirewall analysis engine
The key idea is not to probe the actualfirewall in any way but to allow testingof the configuration before the firewallis deployed The firewallrsquos routing tableand configuration files are used as inputto the LFA which parses these files andsimulates the behavior of any possiblepacket flow combination (LFA mainlyoffers support for Firewall-1 and PIX)The results are presented to the user asHTML pages
Wool concluded by giving a shortdemonstration As input to the LFA heused a short Firewall-1 policy whichcontained only six rules and explainedwhy even such a short rule set mightlead to problems once the firewall isdeployed During the QampA session heemphasized that the LFA only checkspacket headers not the content and
16 Vol 26 No 7 login
cannot therefore detect tunneling prob-lems
For more information contactyashacmorg or visit httpwwwlumetacomfirewallhtml
TRANSIENT ADDRESSING FOR RELATED
PROCESSES IMPROVED FIREWALLING BY
USING IPV6 AND MULTIPLE ADDRESSES PER
HOST
Peter M Gleitz and Steven M BellovinATampT Labs-Research
The authors proposed a method to sim-plify firewall decisions By using thelarge address space brought by IPv6they employed a strategy of multiplenetwork addresses per host That is foreach request on the client host an IPv6address is tied to the client process Thefirewall now makes access decisionsbased on transport layer protocol infor-mation (ie filtering is shifted fromports to addresses) Once approved thefirewall allows all traffic between the twopeers to pass to and fro Once the serviceis finished the IPv6 address is discardedThis method is called TARP (transientaddressing for related processes) TARPemploys two different types ofaddresses (fixed) server addresses andprocess group addresses
Gleitz discussed how TARP works withTCP and UDP applications and with thefirewall router domain name serverand IPSEC Employing TARP does notnecessarily affect the routers thoughTARP-aware routers can perform betterMoreover Gleitz pointed out that nomodifications to standard applicationssuch as Telnet SSH FTP Sendmail orTFTP are necessary in order to useTARP He also mentioned briefly someinterop problems with protocols such asDNS and ICMPv6
For more information contactpmgleitnetscapenet
NETWORK INTRUSION DETECTION EVASIONTRAFFIC NORMALIZATION AND END-TO-END
PROTOCOL SEMANTICS
Mark Handley and Vern Paxson ACIRIChristian Kreibich Technische Univer-sitaumlt Muumlnchen
This paper focused on the problem ofnetwork intrusion detection system(NIDS) evasion Attackers usually canfool any NIDS by exploiting certainambiguities in the packet flow beingmonitored by the NIDS ie (1) theNIDS may lack complete analysis of thepacket flow (eg no TCP stream re-assembly) (2) the NIDS may lack end-system knowledge (eg certainapplication vulnerabilities) and (3) theNIDS may lack network knowledge(eg the topology between the NIDSand an end system)
As a solution Paxson proposed thedeployment of a ldquonormalizerrdquo the goalof which would be to observe all packetsbeing sent between two network nodes(he called that a ldquobump-in-the-wirerdquo)and to modify (ldquonormalizerdquo) packetsthat seem to be ambiguous for one rea-son or another As an example theauthor described problems with twooverlapping fragments the normalizerwould re-assemble (and re-fragment ifnecessary) those packets before forward-ing Since re-assembly is a valid opera-tion the normalizer would in thisexample have no impact on the seman-tics at all
Paxson also pointed out some of theproblems with this approach one ofwhich is the ldquocold startrdquo problem(re-)starting the normalizer will showmany valid connections already estab-lished It is difficult to handle those con-nections accordingly (this is also true forthe NIDS itself) The normalizer hasbeen implemented and will be availableat wwwsourceforgenet soon
In the QampA session Steven Bellovinwanted to know whether normalization
would not be needed at the applicationlayer as well The presenter answered inthe affirmative
For more information contactvernaciriorg
SESSION OPERATING SYSTEMS
Summarized by Mike Vernal
SECURITY ANALYSIS OF THE PALM OPERATING
SYSTEM AND ITS WEAKNESSES AGAINST
MALICIOUS CODE THREATS
Kingpin and Mudge stake Inc
Kingpin and Mudge began their presen-tation with a bold fashion statementappearing in matching white bathrobesTheir bathrobes aimed to underscore thefact that PDAs can undermine user pri-vacy in a public setting Their effortswere later rewarded with the covetedUSENIX Style Award presented by thereal Peter Honeyman of the Universityof Michigan
The presentation centered on the secu-rity threat posed by the recent ubiquityof Personal Digital Assistants (PDAs)and more specifically devices runningthe Palm Operating System Palmdevices increasingly are being used insecurity-sensitive settings such as hospi-tals and government agencies While thegovernment is now aware of the securitythreat posed by PDAs the corporateworld has remained generally oblivious
17November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SThe security threat of the Palm stemsfrom the PalmOSrsquos lack of a well-definedsecurity framework Specific weaknessesenumerated include the direct address-ability of hardware the lack of memoryencryption the lack of ACLs weakobfuscation of passwords and a back-door debug mode that allows for thebypassing of ldquosystem lockoutrdquo Becauseof these and other weaknesses the audi-ence agreed with the assertion thatdeveloping a secure application on topof the PalmOS would be impossible
The presentation suggested thatunscrupulous users could exploit anumber of weaknesses to install mali-cious code including normal applica-tion installation desktop conduitscreator ID replacement wireless com-munications and the Palm DebuggerAnother threat raised by Kingpin andMudge was the possibility of a new set ofcross-pollinating viruses which could beacquired via a Palm and propagatethemselves to desktop computers via theHotSync operation or vice versa
With the growing popularity of PDAsKingpin and Mudge invoked OccamrsquosRazor all other factors being equal thePDA may be the malicious userrsquos easiestpoint of entry into an information net-work The upcoming PalmOS 40reportedly fixes some of the securityconcerns raised In the interim usersshould be made aware of the possiblesecurity threats and restrict or eliminatetheir use of sensitive data and applica-tions on Palm devices
SECURE DATA DELETION FOR LINUX
FILE SYSTEMS
Steven Bauer and Nissanka B Priyan-tha MIT
Steven Bauer presented an implementa-tion of a kernel-level secure data-dele-tion (SDD) mechanism for the ext2 filesystem
Bauer suggested that with the increasingprevalence of public kiosks thin clientsmulti-user computing clusters and dis-tributed file systems users will want toensure that when their data is deletedfrom these systems it is truly and irre-trievably deleted
In 1996 Peter Gutmann of IBM demon-strated that data that had been overwrit-ten on a magnetic disk could berecovered using advanced probing tech-niques While popular lore has suggestedcertain government agencies may beable to recover data overwritten dozensof times no commercial data recoverycompany contacted in conjunction withBauerrsquos research believed that it couldrecover data that had been overwrittenmore than once As such the SDD sys-tem as described probably only needs tooverwrite data a few times
This SDD system was designed to ensurethat all flagged data is deleted even inthe event of system failure The deletionprocess was designed as an asynchro-nous daemon to ensure that it did notinterfere with normal operation andperformance Though implemented forthe ext2 file system Bauer asserts thatthis system should be portable to anyblock-oriented file system
The ext2 implementation used theunused secure-deletion flag settablewith the chattr() function With thismechanism the granularity with whichsecure deletion can be specified rangesfrom an entire device to an individualfile Questions were raised as to the vul-nerability of temporary files that are notflagged in a secure deletion zone Bauerrecommended that for maximum secu-rity the entire device should be flaggedfor secure deletion
Kingpin and Mudge
SESSION MANAGING CODE
Summarized by Sameh Elnikety
STATICALLY DETECTING LIKELY BUFFER
OVERFLOW VULNERABILITIES
David Larochelle and David Evans Uni-versity of Virginia
Buffer overflow attacks account forapproximately half of all security vul-nerabilities Programs written in C areparticularly susceptible to buffer over-flow attacks because C allows directpointer manipulations without anybounds checking
Run-time approaches to mitigate therisks of buffer overflow incur perfor-mance penalties and they turn bufferoverflow attacks into denial-of-serviceattacks by terminating execution of theattacked processes Static checking over-comes these problems by detecting likelyvulnerabilities before deployment
The authors developed a practical light-weight static analysis tool based onLCLint to detect a high percentage oflikely buffer overflow vulnerabilities
The tool exploits semantic comments(annotations) that describe programmerassumptions and intents These annota-tions are treated as regular C commentsby the compiler but are recognized assyntactic entities by LCLint The annota-tions represent preconditions and post-conditions for functions to determinehow much memory has been allocatedfor buffers LCLint uses traditional com-piler data flow analyses with constraintgeneration and resolution Also LCLintuses loop heuristics to efficiently analyzemany loop idioms in typical C pro-grams
The authors used the tool to analyze wu-ftpd which is a popular open sourceFTP server and part of BIND which is aset of domain-name tools and librariesthat is considered the reference imple-mentation of DNS Running LCLint issimilar to running a compiler For wu-
18 Vol 26 No 7 login
ftpd it took less than one minute forLCLint to analyze all 17000 lines ofunmodified wu-ftpd source code Thisresulted in 243 warnings that showedknown and unknown buffer overflowvulnerabilities
LCLint source code and binaries areavailable from httplclintcsvirginiaedu
FORMATGUARD AUTOMATIC PROTECTION
FROM PRINTF FORMAT STRING
VULNERABILITIES
Crispin Cowan Matt Barringer SteveBeattie Greg Kroah-Hartman WireXCommunications Inc Mike FrantzenPurdue University and Jamie LokierCERN
In June 2000 a major new class of vul-nerabilities called format bugs was dis-covered when a vulnerability inWU-FTP appeared that looked almostlike a buffer overflow but was not It isunsafe to allow potentially hostile inputto be passed directly as the format stringfor calls to printf-like functions Thedanger is that the inclusion of direc-tives especially n in the format stringcoupled with the lack of any effectivetype or argument counting in Crsquosvarargs facility allows the attacker toinduce unexpected behavior in pro-grams
The authors developed FormatGuard asmall patch to glibc It provides generalprotection against format bugs usingparticular properties of the GNU CPPmacro-handling mechanism to extractthe count of actual arguments to printfstatements This is then passed to a safeprintf wrapper The wrapper parses theformat string to determine how manyarguments to expect and if the formatstring calls for more arguments than theactual number of arguments it raises anintrusion alert and kills the process
FormatGuard fails to protect against for-mat bugs under several circumstancesFor example if the program uses a func-
tion pointer that has the address ofprintf then it evades the macro expan-sion
FormatGuard is incorporated in WireXrsquosImmunix Linux distribution and serverproducts It is available as a GPLrsquod patchto glibc at httpimmunixorg
DETECTING FORMAT STRING VULNERABILITIES
WITH TYPE QUALIFIERS
Umesh Shankar Kunal Talwar Jeffrey SFoster and David Wagner Universityof California Berkeley
Systems written in C are difficult tosecure given Crsquos tendency to sacrificesafety for efficiency Format string vul-nerabilities can occur when user input isused as a format specifier One of themost common cases is when the pro-gram uses printf with one argument auser-supplied string assuming that thestring does not contain any directiveThe authors presented a tool (cqual)that automatically detects format stringbugs at compile time using type-theo-retic analysis techniques With this staticanalysis vulnerabilities can be proac-tively identified and fixed before thecode is deployed
Cqual builds an annotated Abstract Syn-tax Tree (AST) Then it traverses theAST to generate a system of type con-straints which is solved online Warn-ings are produced whenever aninconsistent constraint is generatedCqual presents the results of taintinganalysis to the programmer using Pro-gram Analysis Mode for Emacs (PAM)PAM is a GUI that is designed to addhyperlinks and color mark-ups to thepreprocessed text of the program Theinterface shows the taint flow path tohelp programmers determine how avariable becomes tainted
The configuration files makes cqualusable without modifying the sourcecode The authors analyzed four secu-rity-sensitive benchmark programs withthe same standard prelude file and no
direct changes to the applicationsrsquosource code Typically a few application-specific entries were added to the prel-ude file to improve accuracy in thepresence of wrappers around libraryfunctions Cqual reliably finds all knownbugs for the benchmark programs Italso reports few false positives Cqual isfast it usually takes less than a minute
Cqual is available at httpbanecsberkeleyeducqual
SESSION AUTHORIZATION
Summarized by Rachel Greenstadt
CAPABILITY FILE NAMES SEPARATING
AUTHORIZATION FROM USER MANAGEMENT
IN AN INTERNET FILE SYSTEM
Jude T Regan consultant Christian DJensen Trinity College
On the Internet there is no reliable wayto establish an identity Flexible user-user collaboration outside of an admin-istered system so that people couldcreate ad hoc work groups and removearbitrary limitations to informationsharing is the authorsrsquo goal
Such a system should be globally accessi-ble easy to use and require as littleintervention by system administrators aspossible This system should integratewith existing systems and applications Itshould have fine granularity so thatusers would not have to use complicatedexport mechanisms to share files
The authors used the concept of a capa-bility a token conveying specified accessrights to a named object in order tomake the identity of the object and theaccess rights inseparable They embed-ded the capability in something everysystem knows ndash the file name
The authors concluded that the systemwas safe from interception and modifi-cation Attackers could forge the clientpart but not the server part of the filenames Service could be interrupted butprotecting against this is impossible
19November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Swithout complete control of the net-work Performance was evaluated incomparison to NFS Most of the over-head was in the open statement Readswere slightly slower and writes weremuch slower but they felt this could bealleviated by implementing symmetricwrites
KERBERIZED CREDENTIAL TRANSLATION ASOLUTION TO WEB ACCESS CONTROL
Olga Kornievskaia Peter HoneymanBill Doster and Kevin Coffman CITIUniversity of Michigan
There are two different authenticationmechanisms those used for servicessuch as login AFS and mail for whichKerberos is popular and public key-based mechanisms such as SSL which isused to establish secure connections onthe Web These systems need to be ableto work together to satisfy a request
The authors propose to achieve the bestof both worlds by leveraging Kerberos tosolve PKI key management This will useexisting infrastructures which allowstrong authentication on the Web withSSL and which provide access to Kerber-ized back-end services They propose asystem to provide interoperabilitybetween PKI and Kerberos Their systemconsists of (1) a Certificate Authority(CA) KX509 which creates short-livedcertificates (2) a Web server which actslike a proxy for users by requesting serv-ices from Kerberized back-end servicesand (3) a Kerberized Credential Transla-tor which translates public-key creden-tials to Kerberos They created aprototype of their system called WebAFSusing AFS as an example Kerberized ser-vice
DOS AND DONrsquoTS OF CLIENT AUTHENTICA-TION ON THE WEB
Kevin Fu Emil Sit Kendra Smith and
Nick Feamster MIT
[This paper received the Best StudentPaper Award]
Kevin gave a very amusing presentationwhich illustrated the gap between secu-rity theory and practice He described avariety of Web sites that used insecureclient authentication schemes and pre-sented hints on how to avoid their mis-takes
Client authentication seems like a solvedproblem but many sites continue tocome up with homebrew schemes whichjust donrsquot quite get it right Out of the 27Web sites the cookie eaters group exam-ined they weakened the security on twosites were able to mint authenticatorson eight and on one site were able toobtain the secret key Some of these siteswere high profile such as the Wall StreetJournal (wsjcom) Sprint PCS (sprint-pcscom) and FatBrain (fatbraincom)
In most cases the mistakes made inthese sites were simple By simply look-ing at their cookie files the authors couldquery Web servers and look at headersresponses and create sample authentica-
tors Except forSprint theseattacks involved noeavesdropping atall The schemeswere not evenstrong against whatthe authors termedthe ldquointerrogativeadversaryrdquo Thisadversary has nospecial access but it
adaptively queries a Web server a rea-sonable number of times It just sitsthere and connects to port 80 it cannotdefeat SSL client authentication HTTPbasic or digest authentication The bestsuch an adversary can do against a pass-
Kevin Fu
word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable
In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password
Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary
In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu
SESSION KEY MANAGEMENT
Summarized by Sameh Elnikety
SC-CFS SMARTCARD SECURED
CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi CITI University of Michigan
Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS
20 Vol 26 No 7 login
implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation
When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory
SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key
The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds
SECURE DISTRIBUTION OF EVENTS IN
CONTENT-BASED PUBLISH SUBSCRIBE
SYSTEMS
Lukasz Opyrchal and Atul Prakash University of Michigan
Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage
Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize
The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
by those problems but that most special-ized devices like airplane black boxescan leak information if analyzed withvery sophisticated equipment But thenagain who has such equipment
STACKGHOST HARDWARE-FACILITATED
STACK PROTECTION
Mike Frantzen CERIAS Mike ShueyPurdue University
The authors presented a software solu-tion to the return-pointer hijackingproblem The most important step inthe function-call process is when thecaller saves the return pointer beforegiving the control to the called functionMany attacks are based on changing thispointer When the callee finishes thereturn pointer dictates which functiontakes control next StackGhost is a pieceof software that automatically and trans-parently saves the return pointer andreplaces it with another number Whenthe called function completes Stack-Ghost verifies the integrity of that num-ber (catching in this way possibleattacks) and reinstalls the correctpointer value
The security of StackGhost depends onhow it modifies the return pointer tocatch attacks the authors have tried sev-eral ways
Per kernel XOR with a 13-bit signedcookie the main problem is that anattacker can find out the cookie bystarting several arbitrary programs
Per process XOR with a 32-bitcookie this is safer than the previ-ous method but more expensive
Encryptdecrypt the return pointerthis method seems to be the mostexpensive
Return-address stack this methodreplaces the return pointer withanother number and saves thepointer into a return-address stackHowever this would impede otherapplications from running correctly
15November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SAfter making performance measure-ments for all techniques the authorsnoticed that the chances of StackGhostnot catching an attack were 1 in 3 forXOR cookies and 1 in 232 for the return-address stack The conclusion was thatStackGhost was offering protectionagainst return-pointer overriding to allprocesses in the system (which might beseen as a disadvantage)
IMPROVING DES COPROCESSOR THROUGH-PUT FOR SHORT OPERATIONS
Mark Lindemann IBM TJ Watson
Research Center Sean W Smith
Dartmouth College
While the first two talks in this sessionwere at opposite poles (one deeply hard-ware and one purely software) the thirdone was somehow in the middle Thepresenter Sean Smith is one the fathersof the cryptographic card developed atIBM and presently working at Dart-mouth College Everything started in avery optimistic fashion with the usualintroduction we would have expectedfrom an IBM representative trying to sellus this device ldquoIt is secure it is fast it is reliablerdquo All the buzzwords werethere However with the next slide thischanged to ldquoIt is not as secure fast as we thoughtrdquo For example the specifi-cation promised the DES speed to be 20megabytessecond when in reality afriend obtained less than two kilobytessecond in a database application Wherewas the discrepancy coming from Themain intuition was that the specificationgives the performance for operations onmegabytes of input The real speed ismuch slower if the data is shipped to thecard in small chunks The differencebetween specs and reality was too bignot to be studied and Lindemanndecided to find out the reasons behindit First they built a model that simu-lates the database application and thentried to improve the speed by modifyingthe execution conditions in the follow-ing ways
Reducing card-host interactionldquofolklore in IBMrdquo taught them thatany card-host interaction consumestoo much time Thus they rewrotethe application to minimize thenumber of interactions The speedwent up to 18ndash23 kilobytessecondhowever it was still too far frommegabyte speed
Batching all operations into onechip operation chip resets were tooexpensive The speed became 360kilobytessecond
Batching into multiple chip opera-tions it reduced the number ofLayer 3 ndash Layer 2 switches Thespeed changed to 30ndash290kilobytessecond still not good
Reducing data transfers they did itby using an internal key-table andboosted the speed to 1400 kilo-bytessecond
Using memory-mapped IO thiseliminated the internal ISA bus bot-tleneck The speed went up to 2500kilobytessecond
Batching operation parametersinstead of sending them as separatepackets It increased the speed to5000 kilobytessecond This waseven more than they were expect-ing but the results were incorrectThe client had asked for speed buthadnrsquot mentioned anything aboutcorrectness So was the problemsolved
Not using memory-mapped IO toincrease accuracy they gave up onmemory-mapped IO for initializa-tion vectors and count Unfortu-nately there was a smallperformance cost the speed wasnow 3000 kilobytessecond
From the clientrsquos point of view all ofthese steps showed them that the onlyway to maximize the performance whileusing the secure coprocessor was todesign DES-batched API From thedesignerrsquos point of view the conclusions
were simpler always distrust folkloreand think if and how people will useyour product before designing it
SESSION FIREWALLSINTRUSION
DETECTION
Summarized by Stefan Kelm and YongGuan
ARCHITECTING THE LUMETA FIREWALL
ANALYZER
Avishai Wool Lumeta
ldquoWhat is your firewall doingrdquo AvishaiWool asked the audience at the begin-ning of his presentation therebydescribing the motivation to build LFAthe ldquoLumeta Firewall Analyzerrdquo
Firewalls have been installed by almostall companies connected to the InternetHowever the underlying policy often isfar from being good enough to actuallyprotect the company from outsideattackers Network administrators oftendo not know how to set up a firewallsecurely much less how to test or auditthe firewall configuration Wool pointedout that LFA is the successor of the Fangprototype system built at Bell Labs as afirewall analysis engine
The key idea is not to probe the actualfirewall in any way but to allow testingof the configuration before the firewallis deployed The firewallrsquos routing tableand configuration files are used as inputto the LFA which parses these files andsimulates the behavior of any possiblepacket flow combination (LFA mainlyoffers support for Firewall-1 and PIX)The results are presented to the user asHTML pages
Wool concluded by giving a shortdemonstration As input to the LFA heused a short Firewall-1 policy whichcontained only six rules and explainedwhy even such a short rule set mightlead to problems once the firewall isdeployed During the QampA session heemphasized that the LFA only checkspacket headers not the content and
16 Vol 26 No 7 login
cannot therefore detect tunneling prob-lems
For more information contactyashacmorg or visit httpwwwlumetacomfirewallhtml
TRANSIENT ADDRESSING FOR RELATED
PROCESSES IMPROVED FIREWALLING BY
USING IPV6 AND MULTIPLE ADDRESSES PER
HOST
Peter M Gleitz and Steven M BellovinATampT Labs-Research
The authors proposed a method to sim-plify firewall decisions By using thelarge address space brought by IPv6they employed a strategy of multiplenetwork addresses per host That is foreach request on the client host an IPv6address is tied to the client process Thefirewall now makes access decisionsbased on transport layer protocol infor-mation (ie filtering is shifted fromports to addresses) Once approved thefirewall allows all traffic between the twopeers to pass to and fro Once the serviceis finished the IPv6 address is discardedThis method is called TARP (transientaddressing for related processes) TARPemploys two different types ofaddresses (fixed) server addresses andprocess group addresses
Gleitz discussed how TARP works withTCP and UDP applications and with thefirewall router domain name serverand IPSEC Employing TARP does notnecessarily affect the routers thoughTARP-aware routers can perform betterMoreover Gleitz pointed out that nomodifications to standard applicationssuch as Telnet SSH FTP Sendmail orTFTP are necessary in order to useTARP He also mentioned briefly someinterop problems with protocols such asDNS and ICMPv6
For more information contactpmgleitnetscapenet
NETWORK INTRUSION DETECTION EVASIONTRAFFIC NORMALIZATION AND END-TO-END
PROTOCOL SEMANTICS
Mark Handley and Vern Paxson ACIRIChristian Kreibich Technische Univer-sitaumlt Muumlnchen
This paper focused on the problem ofnetwork intrusion detection system(NIDS) evasion Attackers usually canfool any NIDS by exploiting certainambiguities in the packet flow beingmonitored by the NIDS ie (1) theNIDS may lack complete analysis of thepacket flow (eg no TCP stream re-assembly) (2) the NIDS may lack end-system knowledge (eg certainapplication vulnerabilities) and (3) theNIDS may lack network knowledge(eg the topology between the NIDSand an end system)
As a solution Paxson proposed thedeployment of a ldquonormalizerrdquo the goalof which would be to observe all packetsbeing sent between two network nodes(he called that a ldquobump-in-the-wirerdquo)and to modify (ldquonormalizerdquo) packetsthat seem to be ambiguous for one rea-son or another As an example theauthor described problems with twooverlapping fragments the normalizerwould re-assemble (and re-fragment ifnecessary) those packets before forward-ing Since re-assembly is a valid opera-tion the normalizer would in thisexample have no impact on the seman-tics at all
Paxson also pointed out some of theproblems with this approach one ofwhich is the ldquocold startrdquo problem(re-)starting the normalizer will showmany valid connections already estab-lished It is difficult to handle those con-nections accordingly (this is also true forthe NIDS itself) The normalizer hasbeen implemented and will be availableat wwwsourceforgenet soon
In the QampA session Steven Bellovinwanted to know whether normalization
would not be needed at the applicationlayer as well The presenter answered inthe affirmative
For more information contactvernaciriorg
SESSION OPERATING SYSTEMS
Summarized by Mike Vernal
SECURITY ANALYSIS OF THE PALM OPERATING
SYSTEM AND ITS WEAKNESSES AGAINST
MALICIOUS CODE THREATS
Kingpin and Mudge stake Inc
Kingpin and Mudge began their presen-tation with a bold fashion statementappearing in matching white bathrobesTheir bathrobes aimed to underscore thefact that PDAs can undermine user pri-vacy in a public setting Their effortswere later rewarded with the covetedUSENIX Style Award presented by thereal Peter Honeyman of the Universityof Michigan
The presentation centered on the secu-rity threat posed by the recent ubiquityof Personal Digital Assistants (PDAs)and more specifically devices runningthe Palm Operating System Palmdevices increasingly are being used insecurity-sensitive settings such as hospi-tals and government agencies While thegovernment is now aware of the securitythreat posed by PDAs the corporateworld has remained generally oblivious
17November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SThe security threat of the Palm stemsfrom the PalmOSrsquos lack of a well-definedsecurity framework Specific weaknessesenumerated include the direct address-ability of hardware the lack of memoryencryption the lack of ACLs weakobfuscation of passwords and a back-door debug mode that allows for thebypassing of ldquosystem lockoutrdquo Becauseof these and other weaknesses the audi-ence agreed with the assertion thatdeveloping a secure application on topof the PalmOS would be impossible
The presentation suggested thatunscrupulous users could exploit anumber of weaknesses to install mali-cious code including normal applica-tion installation desktop conduitscreator ID replacement wireless com-munications and the Palm DebuggerAnother threat raised by Kingpin andMudge was the possibility of a new set ofcross-pollinating viruses which could beacquired via a Palm and propagatethemselves to desktop computers via theHotSync operation or vice versa
With the growing popularity of PDAsKingpin and Mudge invoked OccamrsquosRazor all other factors being equal thePDA may be the malicious userrsquos easiestpoint of entry into an information net-work The upcoming PalmOS 40reportedly fixes some of the securityconcerns raised In the interim usersshould be made aware of the possiblesecurity threats and restrict or eliminatetheir use of sensitive data and applica-tions on Palm devices
SECURE DATA DELETION FOR LINUX
FILE SYSTEMS
Steven Bauer and Nissanka B Priyan-tha MIT
Steven Bauer presented an implementa-tion of a kernel-level secure data-dele-tion (SDD) mechanism for the ext2 filesystem
Bauer suggested that with the increasingprevalence of public kiosks thin clientsmulti-user computing clusters and dis-tributed file systems users will want toensure that when their data is deletedfrom these systems it is truly and irre-trievably deleted
In 1996 Peter Gutmann of IBM demon-strated that data that had been overwrit-ten on a magnetic disk could berecovered using advanced probing tech-niques While popular lore has suggestedcertain government agencies may beable to recover data overwritten dozensof times no commercial data recoverycompany contacted in conjunction withBauerrsquos research believed that it couldrecover data that had been overwrittenmore than once As such the SDD sys-tem as described probably only needs tooverwrite data a few times
This SDD system was designed to ensurethat all flagged data is deleted even inthe event of system failure The deletionprocess was designed as an asynchro-nous daemon to ensure that it did notinterfere with normal operation andperformance Though implemented forthe ext2 file system Bauer asserts thatthis system should be portable to anyblock-oriented file system
The ext2 implementation used theunused secure-deletion flag settablewith the chattr() function With thismechanism the granularity with whichsecure deletion can be specified rangesfrom an entire device to an individualfile Questions were raised as to the vul-nerability of temporary files that are notflagged in a secure deletion zone Bauerrecommended that for maximum secu-rity the entire device should be flaggedfor secure deletion
Kingpin and Mudge
SESSION MANAGING CODE
Summarized by Sameh Elnikety
STATICALLY DETECTING LIKELY BUFFER
OVERFLOW VULNERABILITIES
David Larochelle and David Evans Uni-versity of Virginia
Buffer overflow attacks account forapproximately half of all security vul-nerabilities Programs written in C areparticularly susceptible to buffer over-flow attacks because C allows directpointer manipulations without anybounds checking
Run-time approaches to mitigate therisks of buffer overflow incur perfor-mance penalties and they turn bufferoverflow attacks into denial-of-serviceattacks by terminating execution of theattacked processes Static checking over-comes these problems by detecting likelyvulnerabilities before deployment
The authors developed a practical light-weight static analysis tool based onLCLint to detect a high percentage oflikely buffer overflow vulnerabilities
The tool exploits semantic comments(annotations) that describe programmerassumptions and intents These annota-tions are treated as regular C commentsby the compiler but are recognized assyntactic entities by LCLint The annota-tions represent preconditions and post-conditions for functions to determinehow much memory has been allocatedfor buffers LCLint uses traditional com-piler data flow analyses with constraintgeneration and resolution Also LCLintuses loop heuristics to efficiently analyzemany loop idioms in typical C pro-grams
The authors used the tool to analyze wu-ftpd which is a popular open sourceFTP server and part of BIND which is aset of domain-name tools and librariesthat is considered the reference imple-mentation of DNS Running LCLint issimilar to running a compiler For wu-
18 Vol 26 No 7 login
ftpd it took less than one minute forLCLint to analyze all 17000 lines ofunmodified wu-ftpd source code Thisresulted in 243 warnings that showedknown and unknown buffer overflowvulnerabilities
LCLint source code and binaries areavailable from httplclintcsvirginiaedu
FORMATGUARD AUTOMATIC PROTECTION
FROM PRINTF FORMAT STRING
VULNERABILITIES
Crispin Cowan Matt Barringer SteveBeattie Greg Kroah-Hartman WireXCommunications Inc Mike FrantzenPurdue University and Jamie LokierCERN
In June 2000 a major new class of vul-nerabilities called format bugs was dis-covered when a vulnerability inWU-FTP appeared that looked almostlike a buffer overflow but was not It isunsafe to allow potentially hostile inputto be passed directly as the format stringfor calls to printf-like functions Thedanger is that the inclusion of direc-tives especially n in the format stringcoupled with the lack of any effectivetype or argument counting in Crsquosvarargs facility allows the attacker toinduce unexpected behavior in pro-grams
The authors developed FormatGuard asmall patch to glibc It provides generalprotection against format bugs usingparticular properties of the GNU CPPmacro-handling mechanism to extractthe count of actual arguments to printfstatements This is then passed to a safeprintf wrapper The wrapper parses theformat string to determine how manyarguments to expect and if the formatstring calls for more arguments than theactual number of arguments it raises anintrusion alert and kills the process
FormatGuard fails to protect against for-mat bugs under several circumstancesFor example if the program uses a func-
tion pointer that has the address ofprintf then it evades the macro expan-sion
FormatGuard is incorporated in WireXrsquosImmunix Linux distribution and serverproducts It is available as a GPLrsquod patchto glibc at httpimmunixorg
DETECTING FORMAT STRING VULNERABILITIES
WITH TYPE QUALIFIERS
Umesh Shankar Kunal Talwar Jeffrey SFoster and David Wagner Universityof California Berkeley
Systems written in C are difficult tosecure given Crsquos tendency to sacrificesafety for efficiency Format string vul-nerabilities can occur when user input isused as a format specifier One of themost common cases is when the pro-gram uses printf with one argument auser-supplied string assuming that thestring does not contain any directiveThe authors presented a tool (cqual)that automatically detects format stringbugs at compile time using type-theo-retic analysis techniques With this staticanalysis vulnerabilities can be proac-tively identified and fixed before thecode is deployed
Cqual builds an annotated Abstract Syn-tax Tree (AST) Then it traverses theAST to generate a system of type con-straints which is solved online Warn-ings are produced whenever aninconsistent constraint is generatedCqual presents the results of taintinganalysis to the programmer using Pro-gram Analysis Mode for Emacs (PAM)PAM is a GUI that is designed to addhyperlinks and color mark-ups to thepreprocessed text of the program Theinterface shows the taint flow path tohelp programmers determine how avariable becomes tainted
The configuration files makes cqualusable without modifying the sourcecode The authors analyzed four secu-rity-sensitive benchmark programs withthe same standard prelude file and no
direct changes to the applicationsrsquosource code Typically a few application-specific entries were added to the prel-ude file to improve accuracy in thepresence of wrappers around libraryfunctions Cqual reliably finds all knownbugs for the benchmark programs Italso reports few false positives Cqual isfast it usually takes less than a minute
Cqual is available at httpbanecsberkeleyeducqual
SESSION AUTHORIZATION
Summarized by Rachel Greenstadt
CAPABILITY FILE NAMES SEPARATING
AUTHORIZATION FROM USER MANAGEMENT
IN AN INTERNET FILE SYSTEM
Jude T Regan consultant Christian DJensen Trinity College
On the Internet there is no reliable wayto establish an identity Flexible user-user collaboration outside of an admin-istered system so that people couldcreate ad hoc work groups and removearbitrary limitations to informationsharing is the authorsrsquo goal
Such a system should be globally accessi-ble easy to use and require as littleintervention by system administrators aspossible This system should integratewith existing systems and applications Itshould have fine granularity so thatusers would not have to use complicatedexport mechanisms to share files
The authors used the concept of a capa-bility a token conveying specified accessrights to a named object in order tomake the identity of the object and theaccess rights inseparable They embed-ded the capability in something everysystem knows ndash the file name
The authors concluded that the systemwas safe from interception and modifi-cation Attackers could forge the clientpart but not the server part of the filenames Service could be interrupted butprotecting against this is impossible
19November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Swithout complete control of the net-work Performance was evaluated incomparison to NFS Most of the over-head was in the open statement Readswere slightly slower and writes weremuch slower but they felt this could bealleviated by implementing symmetricwrites
KERBERIZED CREDENTIAL TRANSLATION ASOLUTION TO WEB ACCESS CONTROL
Olga Kornievskaia Peter HoneymanBill Doster and Kevin Coffman CITIUniversity of Michigan
There are two different authenticationmechanisms those used for servicessuch as login AFS and mail for whichKerberos is popular and public key-based mechanisms such as SSL which isused to establish secure connections onthe Web These systems need to be ableto work together to satisfy a request
The authors propose to achieve the bestof both worlds by leveraging Kerberos tosolve PKI key management This will useexisting infrastructures which allowstrong authentication on the Web withSSL and which provide access to Kerber-ized back-end services They propose asystem to provide interoperabilitybetween PKI and Kerberos Their systemconsists of (1) a Certificate Authority(CA) KX509 which creates short-livedcertificates (2) a Web server which actslike a proxy for users by requesting serv-ices from Kerberized back-end servicesand (3) a Kerberized Credential Transla-tor which translates public-key creden-tials to Kerberos They created aprototype of their system called WebAFSusing AFS as an example Kerberized ser-vice
DOS AND DONrsquoTS OF CLIENT AUTHENTICA-TION ON THE WEB
Kevin Fu Emil Sit Kendra Smith and
Nick Feamster MIT
[This paper received the Best StudentPaper Award]
Kevin gave a very amusing presentationwhich illustrated the gap between secu-rity theory and practice He described avariety of Web sites that used insecureclient authentication schemes and pre-sented hints on how to avoid their mis-takes
Client authentication seems like a solvedproblem but many sites continue tocome up with homebrew schemes whichjust donrsquot quite get it right Out of the 27Web sites the cookie eaters group exam-ined they weakened the security on twosites were able to mint authenticatorson eight and on one site were able toobtain the secret key Some of these siteswere high profile such as the Wall StreetJournal (wsjcom) Sprint PCS (sprint-pcscom) and FatBrain (fatbraincom)
In most cases the mistakes made inthese sites were simple By simply look-ing at their cookie files the authors couldquery Web servers and look at headersresponses and create sample authentica-
tors Except forSprint theseattacks involved noeavesdropping atall The schemeswere not evenstrong against whatthe authors termedthe ldquointerrogativeadversaryrdquo Thisadversary has nospecial access but it
adaptively queries a Web server a rea-sonable number of times It just sitsthere and connects to port 80 it cannotdefeat SSL client authentication HTTPbasic or digest authentication The bestsuch an adversary can do against a pass-
Kevin Fu
word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable
In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password
Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary
In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu
SESSION KEY MANAGEMENT
Summarized by Sameh Elnikety
SC-CFS SMARTCARD SECURED
CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi CITI University of Michigan
Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS
20 Vol 26 No 7 login
implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation
When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory
SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key
The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds
SECURE DISTRIBUTION OF EVENTS IN
CONTENT-BASED PUBLISH SUBSCRIBE
SYSTEMS
Lukasz Opyrchal and Atul Prakash University of Michigan
Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage
Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize
The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
were simpler always distrust folkloreand think if and how people will useyour product before designing it
SESSION FIREWALLSINTRUSION
DETECTION
Summarized by Stefan Kelm and YongGuan
ARCHITECTING THE LUMETA FIREWALL
ANALYZER
Avishai Wool Lumeta
ldquoWhat is your firewall doingrdquo AvishaiWool asked the audience at the begin-ning of his presentation therebydescribing the motivation to build LFAthe ldquoLumeta Firewall Analyzerrdquo
Firewalls have been installed by almostall companies connected to the InternetHowever the underlying policy often isfar from being good enough to actuallyprotect the company from outsideattackers Network administrators oftendo not know how to set up a firewallsecurely much less how to test or auditthe firewall configuration Wool pointedout that LFA is the successor of the Fangprototype system built at Bell Labs as afirewall analysis engine
The key idea is not to probe the actualfirewall in any way but to allow testingof the configuration before the firewallis deployed The firewallrsquos routing tableand configuration files are used as inputto the LFA which parses these files andsimulates the behavior of any possiblepacket flow combination (LFA mainlyoffers support for Firewall-1 and PIX)The results are presented to the user asHTML pages
Wool concluded by giving a shortdemonstration As input to the LFA heused a short Firewall-1 policy whichcontained only six rules and explainedwhy even such a short rule set mightlead to problems once the firewall isdeployed During the QampA session heemphasized that the LFA only checkspacket headers not the content and
16 Vol 26 No 7 login
cannot therefore detect tunneling prob-lems
For more information contactyashacmorg or visit httpwwwlumetacomfirewallhtml
TRANSIENT ADDRESSING FOR RELATED
PROCESSES IMPROVED FIREWALLING BY
USING IPV6 AND MULTIPLE ADDRESSES PER
HOST
Peter M Gleitz and Steven M BellovinATampT Labs-Research
The authors proposed a method to sim-plify firewall decisions By using thelarge address space brought by IPv6they employed a strategy of multiplenetwork addresses per host That is foreach request on the client host an IPv6address is tied to the client process Thefirewall now makes access decisionsbased on transport layer protocol infor-mation (ie filtering is shifted fromports to addresses) Once approved thefirewall allows all traffic between the twopeers to pass to and fro Once the serviceis finished the IPv6 address is discardedThis method is called TARP (transientaddressing for related processes) TARPemploys two different types ofaddresses (fixed) server addresses andprocess group addresses
Gleitz discussed how TARP works withTCP and UDP applications and with thefirewall router domain name serverand IPSEC Employing TARP does notnecessarily affect the routers thoughTARP-aware routers can perform betterMoreover Gleitz pointed out that nomodifications to standard applicationssuch as Telnet SSH FTP Sendmail orTFTP are necessary in order to useTARP He also mentioned briefly someinterop problems with protocols such asDNS and ICMPv6
For more information contactpmgleitnetscapenet
NETWORK INTRUSION DETECTION EVASIONTRAFFIC NORMALIZATION AND END-TO-END
PROTOCOL SEMANTICS
Mark Handley and Vern Paxson ACIRIChristian Kreibich Technische Univer-sitaumlt Muumlnchen
This paper focused on the problem ofnetwork intrusion detection system(NIDS) evasion Attackers usually canfool any NIDS by exploiting certainambiguities in the packet flow beingmonitored by the NIDS ie (1) theNIDS may lack complete analysis of thepacket flow (eg no TCP stream re-assembly) (2) the NIDS may lack end-system knowledge (eg certainapplication vulnerabilities) and (3) theNIDS may lack network knowledge(eg the topology between the NIDSand an end system)
As a solution Paxson proposed thedeployment of a ldquonormalizerrdquo the goalof which would be to observe all packetsbeing sent between two network nodes(he called that a ldquobump-in-the-wirerdquo)and to modify (ldquonormalizerdquo) packetsthat seem to be ambiguous for one rea-son or another As an example theauthor described problems with twooverlapping fragments the normalizerwould re-assemble (and re-fragment ifnecessary) those packets before forward-ing Since re-assembly is a valid opera-tion the normalizer would in thisexample have no impact on the seman-tics at all
Paxson also pointed out some of theproblems with this approach one ofwhich is the ldquocold startrdquo problem(re-)starting the normalizer will showmany valid connections already estab-lished It is difficult to handle those con-nections accordingly (this is also true forthe NIDS itself) The normalizer hasbeen implemented and will be availableat wwwsourceforgenet soon
In the QampA session Steven Bellovinwanted to know whether normalization
would not be needed at the applicationlayer as well The presenter answered inthe affirmative
For more information contactvernaciriorg
SESSION OPERATING SYSTEMS
Summarized by Mike Vernal
SECURITY ANALYSIS OF THE PALM OPERATING
SYSTEM AND ITS WEAKNESSES AGAINST
MALICIOUS CODE THREATS
Kingpin and Mudge stake Inc
Kingpin and Mudge began their presen-tation with a bold fashion statementappearing in matching white bathrobesTheir bathrobes aimed to underscore thefact that PDAs can undermine user pri-vacy in a public setting Their effortswere later rewarded with the covetedUSENIX Style Award presented by thereal Peter Honeyman of the Universityof Michigan
The presentation centered on the secu-rity threat posed by the recent ubiquityof Personal Digital Assistants (PDAs)and more specifically devices runningthe Palm Operating System Palmdevices increasingly are being used insecurity-sensitive settings such as hospi-tals and government agencies While thegovernment is now aware of the securitythreat posed by PDAs the corporateworld has remained generally oblivious
17November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SThe security threat of the Palm stemsfrom the PalmOSrsquos lack of a well-definedsecurity framework Specific weaknessesenumerated include the direct address-ability of hardware the lack of memoryencryption the lack of ACLs weakobfuscation of passwords and a back-door debug mode that allows for thebypassing of ldquosystem lockoutrdquo Becauseof these and other weaknesses the audi-ence agreed with the assertion thatdeveloping a secure application on topof the PalmOS would be impossible
The presentation suggested thatunscrupulous users could exploit anumber of weaknesses to install mali-cious code including normal applica-tion installation desktop conduitscreator ID replacement wireless com-munications and the Palm DebuggerAnother threat raised by Kingpin andMudge was the possibility of a new set ofcross-pollinating viruses which could beacquired via a Palm and propagatethemselves to desktop computers via theHotSync operation or vice versa
With the growing popularity of PDAsKingpin and Mudge invoked OccamrsquosRazor all other factors being equal thePDA may be the malicious userrsquos easiestpoint of entry into an information net-work The upcoming PalmOS 40reportedly fixes some of the securityconcerns raised In the interim usersshould be made aware of the possiblesecurity threats and restrict or eliminatetheir use of sensitive data and applica-tions on Palm devices
SECURE DATA DELETION FOR LINUX
FILE SYSTEMS
Steven Bauer and Nissanka B Priyan-tha MIT
Steven Bauer presented an implementa-tion of a kernel-level secure data-dele-tion (SDD) mechanism for the ext2 filesystem
Bauer suggested that with the increasingprevalence of public kiosks thin clientsmulti-user computing clusters and dis-tributed file systems users will want toensure that when their data is deletedfrom these systems it is truly and irre-trievably deleted
In 1996 Peter Gutmann of IBM demon-strated that data that had been overwrit-ten on a magnetic disk could berecovered using advanced probing tech-niques While popular lore has suggestedcertain government agencies may beable to recover data overwritten dozensof times no commercial data recoverycompany contacted in conjunction withBauerrsquos research believed that it couldrecover data that had been overwrittenmore than once As such the SDD sys-tem as described probably only needs tooverwrite data a few times
This SDD system was designed to ensurethat all flagged data is deleted even inthe event of system failure The deletionprocess was designed as an asynchro-nous daemon to ensure that it did notinterfere with normal operation andperformance Though implemented forthe ext2 file system Bauer asserts thatthis system should be portable to anyblock-oriented file system
The ext2 implementation used theunused secure-deletion flag settablewith the chattr() function With thismechanism the granularity with whichsecure deletion can be specified rangesfrom an entire device to an individualfile Questions were raised as to the vul-nerability of temporary files that are notflagged in a secure deletion zone Bauerrecommended that for maximum secu-rity the entire device should be flaggedfor secure deletion
Kingpin and Mudge
SESSION MANAGING CODE
Summarized by Sameh Elnikety
STATICALLY DETECTING LIKELY BUFFER
OVERFLOW VULNERABILITIES
David Larochelle and David Evans Uni-versity of Virginia
Buffer overflow attacks account forapproximately half of all security vul-nerabilities Programs written in C areparticularly susceptible to buffer over-flow attacks because C allows directpointer manipulations without anybounds checking
Run-time approaches to mitigate therisks of buffer overflow incur perfor-mance penalties and they turn bufferoverflow attacks into denial-of-serviceattacks by terminating execution of theattacked processes Static checking over-comes these problems by detecting likelyvulnerabilities before deployment
The authors developed a practical light-weight static analysis tool based onLCLint to detect a high percentage oflikely buffer overflow vulnerabilities
The tool exploits semantic comments(annotations) that describe programmerassumptions and intents These annota-tions are treated as regular C commentsby the compiler but are recognized assyntactic entities by LCLint The annota-tions represent preconditions and post-conditions for functions to determinehow much memory has been allocatedfor buffers LCLint uses traditional com-piler data flow analyses with constraintgeneration and resolution Also LCLintuses loop heuristics to efficiently analyzemany loop idioms in typical C pro-grams
The authors used the tool to analyze wu-ftpd which is a popular open sourceFTP server and part of BIND which is aset of domain-name tools and librariesthat is considered the reference imple-mentation of DNS Running LCLint issimilar to running a compiler For wu-
18 Vol 26 No 7 login
ftpd it took less than one minute forLCLint to analyze all 17000 lines ofunmodified wu-ftpd source code Thisresulted in 243 warnings that showedknown and unknown buffer overflowvulnerabilities
LCLint source code and binaries areavailable from httplclintcsvirginiaedu
FORMATGUARD AUTOMATIC PROTECTION
FROM PRINTF FORMAT STRING
VULNERABILITIES
Crispin Cowan Matt Barringer SteveBeattie Greg Kroah-Hartman WireXCommunications Inc Mike FrantzenPurdue University and Jamie LokierCERN
In June 2000 a major new class of vul-nerabilities called format bugs was dis-covered when a vulnerability inWU-FTP appeared that looked almostlike a buffer overflow but was not It isunsafe to allow potentially hostile inputto be passed directly as the format stringfor calls to printf-like functions Thedanger is that the inclusion of direc-tives especially n in the format stringcoupled with the lack of any effectivetype or argument counting in Crsquosvarargs facility allows the attacker toinduce unexpected behavior in pro-grams
The authors developed FormatGuard asmall patch to glibc It provides generalprotection against format bugs usingparticular properties of the GNU CPPmacro-handling mechanism to extractthe count of actual arguments to printfstatements This is then passed to a safeprintf wrapper The wrapper parses theformat string to determine how manyarguments to expect and if the formatstring calls for more arguments than theactual number of arguments it raises anintrusion alert and kills the process
FormatGuard fails to protect against for-mat bugs under several circumstancesFor example if the program uses a func-
tion pointer that has the address ofprintf then it evades the macro expan-sion
FormatGuard is incorporated in WireXrsquosImmunix Linux distribution and serverproducts It is available as a GPLrsquod patchto glibc at httpimmunixorg
DETECTING FORMAT STRING VULNERABILITIES
WITH TYPE QUALIFIERS
Umesh Shankar Kunal Talwar Jeffrey SFoster and David Wagner Universityof California Berkeley
Systems written in C are difficult tosecure given Crsquos tendency to sacrificesafety for efficiency Format string vul-nerabilities can occur when user input isused as a format specifier One of themost common cases is when the pro-gram uses printf with one argument auser-supplied string assuming that thestring does not contain any directiveThe authors presented a tool (cqual)that automatically detects format stringbugs at compile time using type-theo-retic analysis techniques With this staticanalysis vulnerabilities can be proac-tively identified and fixed before thecode is deployed
Cqual builds an annotated Abstract Syn-tax Tree (AST) Then it traverses theAST to generate a system of type con-straints which is solved online Warn-ings are produced whenever aninconsistent constraint is generatedCqual presents the results of taintinganalysis to the programmer using Pro-gram Analysis Mode for Emacs (PAM)PAM is a GUI that is designed to addhyperlinks and color mark-ups to thepreprocessed text of the program Theinterface shows the taint flow path tohelp programmers determine how avariable becomes tainted
The configuration files makes cqualusable without modifying the sourcecode The authors analyzed four secu-rity-sensitive benchmark programs withthe same standard prelude file and no
direct changes to the applicationsrsquosource code Typically a few application-specific entries were added to the prel-ude file to improve accuracy in thepresence of wrappers around libraryfunctions Cqual reliably finds all knownbugs for the benchmark programs Italso reports few false positives Cqual isfast it usually takes less than a minute
Cqual is available at httpbanecsberkeleyeducqual
SESSION AUTHORIZATION
Summarized by Rachel Greenstadt
CAPABILITY FILE NAMES SEPARATING
AUTHORIZATION FROM USER MANAGEMENT
IN AN INTERNET FILE SYSTEM
Jude T Regan consultant Christian DJensen Trinity College
On the Internet there is no reliable wayto establish an identity Flexible user-user collaboration outside of an admin-istered system so that people couldcreate ad hoc work groups and removearbitrary limitations to informationsharing is the authorsrsquo goal
Such a system should be globally accessi-ble easy to use and require as littleintervention by system administrators aspossible This system should integratewith existing systems and applications Itshould have fine granularity so thatusers would not have to use complicatedexport mechanisms to share files
The authors used the concept of a capa-bility a token conveying specified accessrights to a named object in order tomake the identity of the object and theaccess rights inseparable They embed-ded the capability in something everysystem knows ndash the file name
The authors concluded that the systemwas safe from interception and modifi-cation Attackers could forge the clientpart but not the server part of the filenames Service could be interrupted butprotecting against this is impossible
19November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Swithout complete control of the net-work Performance was evaluated incomparison to NFS Most of the over-head was in the open statement Readswere slightly slower and writes weremuch slower but they felt this could bealleviated by implementing symmetricwrites
KERBERIZED CREDENTIAL TRANSLATION ASOLUTION TO WEB ACCESS CONTROL
Olga Kornievskaia Peter HoneymanBill Doster and Kevin Coffman CITIUniversity of Michigan
There are two different authenticationmechanisms those used for servicessuch as login AFS and mail for whichKerberos is popular and public key-based mechanisms such as SSL which isused to establish secure connections onthe Web These systems need to be ableto work together to satisfy a request
The authors propose to achieve the bestof both worlds by leveraging Kerberos tosolve PKI key management This will useexisting infrastructures which allowstrong authentication on the Web withSSL and which provide access to Kerber-ized back-end services They propose asystem to provide interoperabilitybetween PKI and Kerberos Their systemconsists of (1) a Certificate Authority(CA) KX509 which creates short-livedcertificates (2) a Web server which actslike a proxy for users by requesting serv-ices from Kerberized back-end servicesand (3) a Kerberized Credential Transla-tor which translates public-key creden-tials to Kerberos They created aprototype of their system called WebAFSusing AFS as an example Kerberized ser-vice
DOS AND DONrsquoTS OF CLIENT AUTHENTICA-TION ON THE WEB
Kevin Fu Emil Sit Kendra Smith and
Nick Feamster MIT
[This paper received the Best StudentPaper Award]
Kevin gave a very amusing presentationwhich illustrated the gap between secu-rity theory and practice He described avariety of Web sites that used insecureclient authentication schemes and pre-sented hints on how to avoid their mis-takes
Client authentication seems like a solvedproblem but many sites continue tocome up with homebrew schemes whichjust donrsquot quite get it right Out of the 27Web sites the cookie eaters group exam-ined they weakened the security on twosites were able to mint authenticatorson eight and on one site were able toobtain the secret key Some of these siteswere high profile such as the Wall StreetJournal (wsjcom) Sprint PCS (sprint-pcscom) and FatBrain (fatbraincom)
In most cases the mistakes made inthese sites were simple By simply look-ing at their cookie files the authors couldquery Web servers and look at headersresponses and create sample authentica-
tors Except forSprint theseattacks involved noeavesdropping atall The schemeswere not evenstrong against whatthe authors termedthe ldquointerrogativeadversaryrdquo Thisadversary has nospecial access but it
adaptively queries a Web server a rea-sonable number of times It just sitsthere and connects to port 80 it cannotdefeat SSL client authentication HTTPbasic or digest authentication The bestsuch an adversary can do against a pass-
Kevin Fu
word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable
In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password
Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary
In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu
SESSION KEY MANAGEMENT
Summarized by Sameh Elnikety
SC-CFS SMARTCARD SECURED
CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi CITI University of Michigan
Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS
20 Vol 26 No 7 login
implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation
When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory
SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key
The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds
SECURE DISTRIBUTION OF EVENTS IN
CONTENT-BASED PUBLISH SUBSCRIBE
SYSTEMS
Lukasz Opyrchal and Atul Prakash University of Michigan
Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage
Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize
The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
would not be needed at the applicationlayer as well The presenter answered inthe affirmative
For more information contactvernaciriorg
SESSION OPERATING SYSTEMS
Summarized by Mike Vernal
SECURITY ANALYSIS OF THE PALM OPERATING
SYSTEM AND ITS WEAKNESSES AGAINST
MALICIOUS CODE THREATS
Kingpin and Mudge stake Inc
Kingpin and Mudge began their presen-tation with a bold fashion statementappearing in matching white bathrobesTheir bathrobes aimed to underscore thefact that PDAs can undermine user pri-vacy in a public setting Their effortswere later rewarded with the covetedUSENIX Style Award presented by thereal Peter Honeyman of the Universityof Michigan
The presentation centered on the secu-rity threat posed by the recent ubiquityof Personal Digital Assistants (PDAs)and more specifically devices runningthe Palm Operating System Palmdevices increasingly are being used insecurity-sensitive settings such as hospi-tals and government agencies While thegovernment is now aware of the securitythreat posed by PDAs the corporateworld has remained generally oblivious
17November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
SThe security threat of the Palm stemsfrom the PalmOSrsquos lack of a well-definedsecurity framework Specific weaknessesenumerated include the direct address-ability of hardware the lack of memoryencryption the lack of ACLs weakobfuscation of passwords and a back-door debug mode that allows for thebypassing of ldquosystem lockoutrdquo Becauseof these and other weaknesses the audi-ence agreed with the assertion thatdeveloping a secure application on topof the PalmOS would be impossible
The presentation suggested thatunscrupulous users could exploit anumber of weaknesses to install mali-cious code including normal applica-tion installation desktop conduitscreator ID replacement wireless com-munications and the Palm DebuggerAnother threat raised by Kingpin andMudge was the possibility of a new set ofcross-pollinating viruses which could beacquired via a Palm and propagatethemselves to desktop computers via theHotSync operation or vice versa
With the growing popularity of PDAsKingpin and Mudge invoked OccamrsquosRazor all other factors being equal thePDA may be the malicious userrsquos easiestpoint of entry into an information net-work The upcoming PalmOS 40reportedly fixes some of the securityconcerns raised In the interim usersshould be made aware of the possiblesecurity threats and restrict or eliminatetheir use of sensitive data and applica-tions on Palm devices
SECURE DATA DELETION FOR LINUX
FILE SYSTEMS
Steven Bauer and Nissanka B Priyan-tha MIT
Steven Bauer presented an implementa-tion of a kernel-level secure data-dele-tion (SDD) mechanism for the ext2 filesystem
Bauer suggested that with the increasingprevalence of public kiosks thin clientsmulti-user computing clusters and dis-tributed file systems users will want toensure that when their data is deletedfrom these systems it is truly and irre-trievably deleted
In 1996 Peter Gutmann of IBM demon-strated that data that had been overwrit-ten on a magnetic disk could berecovered using advanced probing tech-niques While popular lore has suggestedcertain government agencies may beable to recover data overwritten dozensof times no commercial data recoverycompany contacted in conjunction withBauerrsquos research believed that it couldrecover data that had been overwrittenmore than once As such the SDD sys-tem as described probably only needs tooverwrite data a few times
This SDD system was designed to ensurethat all flagged data is deleted even inthe event of system failure The deletionprocess was designed as an asynchro-nous daemon to ensure that it did notinterfere with normal operation andperformance Though implemented forthe ext2 file system Bauer asserts thatthis system should be portable to anyblock-oriented file system
The ext2 implementation used theunused secure-deletion flag settablewith the chattr() function With thismechanism the granularity with whichsecure deletion can be specified rangesfrom an entire device to an individualfile Questions were raised as to the vul-nerability of temporary files that are notflagged in a secure deletion zone Bauerrecommended that for maximum secu-rity the entire device should be flaggedfor secure deletion
Kingpin and Mudge
SESSION MANAGING CODE
Summarized by Sameh Elnikety
STATICALLY DETECTING LIKELY BUFFER
OVERFLOW VULNERABILITIES
David Larochelle and David Evans Uni-versity of Virginia
Buffer overflow attacks account forapproximately half of all security vul-nerabilities Programs written in C areparticularly susceptible to buffer over-flow attacks because C allows directpointer manipulations without anybounds checking
Run-time approaches to mitigate therisks of buffer overflow incur perfor-mance penalties and they turn bufferoverflow attacks into denial-of-serviceattacks by terminating execution of theattacked processes Static checking over-comes these problems by detecting likelyvulnerabilities before deployment
The authors developed a practical light-weight static analysis tool based onLCLint to detect a high percentage oflikely buffer overflow vulnerabilities
The tool exploits semantic comments(annotations) that describe programmerassumptions and intents These annota-tions are treated as regular C commentsby the compiler but are recognized assyntactic entities by LCLint The annota-tions represent preconditions and post-conditions for functions to determinehow much memory has been allocatedfor buffers LCLint uses traditional com-piler data flow analyses with constraintgeneration and resolution Also LCLintuses loop heuristics to efficiently analyzemany loop idioms in typical C pro-grams
The authors used the tool to analyze wu-ftpd which is a popular open sourceFTP server and part of BIND which is aset of domain-name tools and librariesthat is considered the reference imple-mentation of DNS Running LCLint issimilar to running a compiler For wu-
18 Vol 26 No 7 login
ftpd it took less than one minute forLCLint to analyze all 17000 lines ofunmodified wu-ftpd source code Thisresulted in 243 warnings that showedknown and unknown buffer overflowvulnerabilities
LCLint source code and binaries areavailable from httplclintcsvirginiaedu
FORMATGUARD AUTOMATIC PROTECTION
FROM PRINTF FORMAT STRING
VULNERABILITIES
Crispin Cowan Matt Barringer SteveBeattie Greg Kroah-Hartman WireXCommunications Inc Mike FrantzenPurdue University and Jamie LokierCERN
In June 2000 a major new class of vul-nerabilities called format bugs was dis-covered when a vulnerability inWU-FTP appeared that looked almostlike a buffer overflow but was not It isunsafe to allow potentially hostile inputto be passed directly as the format stringfor calls to printf-like functions Thedanger is that the inclusion of direc-tives especially n in the format stringcoupled with the lack of any effectivetype or argument counting in Crsquosvarargs facility allows the attacker toinduce unexpected behavior in pro-grams
The authors developed FormatGuard asmall patch to glibc It provides generalprotection against format bugs usingparticular properties of the GNU CPPmacro-handling mechanism to extractthe count of actual arguments to printfstatements This is then passed to a safeprintf wrapper The wrapper parses theformat string to determine how manyarguments to expect and if the formatstring calls for more arguments than theactual number of arguments it raises anintrusion alert and kills the process
FormatGuard fails to protect against for-mat bugs under several circumstancesFor example if the program uses a func-
tion pointer that has the address ofprintf then it evades the macro expan-sion
FormatGuard is incorporated in WireXrsquosImmunix Linux distribution and serverproducts It is available as a GPLrsquod patchto glibc at httpimmunixorg
DETECTING FORMAT STRING VULNERABILITIES
WITH TYPE QUALIFIERS
Umesh Shankar Kunal Talwar Jeffrey SFoster and David Wagner Universityof California Berkeley
Systems written in C are difficult tosecure given Crsquos tendency to sacrificesafety for efficiency Format string vul-nerabilities can occur when user input isused as a format specifier One of themost common cases is when the pro-gram uses printf with one argument auser-supplied string assuming that thestring does not contain any directiveThe authors presented a tool (cqual)that automatically detects format stringbugs at compile time using type-theo-retic analysis techniques With this staticanalysis vulnerabilities can be proac-tively identified and fixed before thecode is deployed
Cqual builds an annotated Abstract Syn-tax Tree (AST) Then it traverses theAST to generate a system of type con-straints which is solved online Warn-ings are produced whenever aninconsistent constraint is generatedCqual presents the results of taintinganalysis to the programmer using Pro-gram Analysis Mode for Emacs (PAM)PAM is a GUI that is designed to addhyperlinks and color mark-ups to thepreprocessed text of the program Theinterface shows the taint flow path tohelp programmers determine how avariable becomes tainted
The configuration files makes cqualusable without modifying the sourcecode The authors analyzed four secu-rity-sensitive benchmark programs withthe same standard prelude file and no
direct changes to the applicationsrsquosource code Typically a few application-specific entries were added to the prel-ude file to improve accuracy in thepresence of wrappers around libraryfunctions Cqual reliably finds all knownbugs for the benchmark programs Italso reports few false positives Cqual isfast it usually takes less than a minute
Cqual is available at httpbanecsberkeleyeducqual
SESSION AUTHORIZATION
Summarized by Rachel Greenstadt
CAPABILITY FILE NAMES SEPARATING
AUTHORIZATION FROM USER MANAGEMENT
IN AN INTERNET FILE SYSTEM
Jude T Regan consultant Christian DJensen Trinity College
On the Internet there is no reliable wayto establish an identity Flexible user-user collaboration outside of an admin-istered system so that people couldcreate ad hoc work groups and removearbitrary limitations to informationsharing is the authorsrsquo goal
Such a system should be globally accessi-ble easy to use and require as littleintervention by system administrators aspossible This system should integratewith existing systems and applications Itshould have fine granularity so thatusers would not have to use complicatedexport mechanisms to share files
The authors used the concept of a capa-bility a token conveying specified accessrights to a named object in order tomake the identity of the object and theaccess rights inseparable They embed-ded the capability in something everysystem knows ndash the file name
The authors concluded that the systemwas safe from interception and modifi-cation Attackers could forge the clientpart but not the server part of the filenames Service could be interrupted butprotecting against this is impossible
19November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Swithout complete control of the net-work Performance was evaluated incomparison to NFS Most of the over-head was in the open statement Readswere slightly slower and writes weremuch slower but they felt this could bealleviated by implementing symmetricwrites
KERBERIZED CREDENTIAL TRANSLATION ASOLUTION TO WEB ACCESS CONTROL
Olga Kornievskaia Peter HoneymanBill Doster and Kevin Coffman CITIUniversity of Michigan
There are two different authenticationmechanisms those used for servicessuch as login AFS and mail for whichKerberos is popular and public key-based mechanisms such as SSL which isused to establish secure connections onthe Web These systems need to be ableto work together to satisfy a request
The authors propose to achieve the bestof both worlds by leveraging Kerberos tosolve PKI key management This will useexisting infrastructures which allowstrong authentication on the Web withSSL and which provide access to Kerber-ized back-end services They propose asystem to provide interoperabilitybetween PKI and Kerberos Their systemconsists of (1) a Certificate Authority(CA) KX509 which creates short-livedcertificates (2) a Web server which actslike a proxy for users by requesting serv-ices from Kerberized back-end servicesand (3) a Kerberized Credential Transla-tor which translates public-key creden-tials to Kerberos They created aprototype of their system called WebAFSusing AFS as an example Kerberized ser-vice
DOS AND DONrsquoTS OF CLIENT AUTHENTICA-TION ON THE WEB
Kevin Fu Emil Sit Kendra Smith and
Nick Feamster MIT
[This paper received the Best StudentPaper Award]
Kevin gave a very amusing presentationwhich illustrated the gap between secu-rity theory and practice He described avariety of Web sites that used insecureclient authentication schemes and pre-sented hints on how to avoid their mis-takes
Client authentication seems like a solvedproblem but many sites continue tocome up with homebrew schemes whichjust donrsquot quite get it right Out of the 27Web sites the cookie eaters group exam-ined they weakened the security on twosites were able to mint authenticatorson eight and on one site were able toobtain the secret key Some of these siteswere high profile such as the Wall StreetJournal (wsjcom) Sprint PCS (sprint-pcscom) and FatBrain (fatbraincom)
In most cases the mistakes made inthese sites were simple By simply look-ing at their cookie files the authors couldquery Web servers and look at headersresponses and create sample authentica-
tors Except forSprint theseattacks involved noeavesdropping atall The schemeswere not evenstrong against whatthe authors termedthe ldquointerrogativeadversaryrdquo Thisadversary has nospecial access but it
adaptively queries a Web server a rea-sonable number of times It just sitsthere and connects to port 80 it cannotdefeat SSL client authentication HTTPbasic or digest authentication The bestsuch an adversary can do against a pass-
Kevin Fu
word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable
In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password
Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary
In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu
SESSION KEY MANAGEMENT
Summarized by Sameh Elnikety
SC-CFS SMARTCARD SECURED
CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi CITI University of Michigan
Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS
20 Vol 26 No 7 login
implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation
When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory
SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key
The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds
SECURE DISTRIBUTION OF EVENTS IN
CONTENT-BASED PUBLISH SUBSCRIBE
SYSTEMS
Lukasz Opyrchal and Atul Prakash University of Michigan
Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage
Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize
The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
SESSION MANAGING CODE
Summarized by Sameh Elnikety
STATICALLY DETECTING LIKELY BUFFER
OVERFLOW VULNERABILITIES
David Larochelle and David Evans Uni-versity of Virginia
Buffer overflow attacks account forapproximately half of all security vul-nerabilities Programs written in C areparticularly susceptible to buffer over-flow attacks because C allows directpointer manipulations without anybounds checking
Run-time approaches to mitigate therisks of buffer overflow incur perfor-mance penalties and they turn bufferoverflow attacks into denial-of-serviceattacks by terminating execution of theattacked processes Static checking over-comes these problems by detecting likelyvulnerabilities before deployment
The authors developed a practical light-weight static analysis tool based onLCLint to detect a high percentage oflikely buffer overflow vulnerabilities
The tool exploits semantic comments(annotations) that describe programmerassumptions and intents These annota-tions are treated as regular C commentsby the compiler but are recognized assyntactic entities by LCLint The annota-tions represent preconditions and post-conditions for functions to determinehow much memory has been allocatedfor buffers LCLint uses traditional com-piler data flow analyses with constraintgeneration and resolution Also LCLintuses loop heuristics to efficiently analyzemany loop idioms in typical C pro-grams
The authors used the tool to analyze wu-ftpd which is a popular open sourceFTP server and part of BIND which is aset of domain-name tools and librariesthat is considered the reference imple-mentation of DNS Running LCLint issimilar to running a compiler For wu-
18 Vol 26 No 7 login
ftpd it took less than one minute forLCLint to analyze all 17000 lines ofunmodified wu-ftpd source code Thisresulted in 243 warnings that showedknown and unknown buffer overflowvulnerabilities
LCLint source code and binaries areavailable from httplclintcsvirginiaedu
FORMATGUARD AUTOMATIC PROTECTION
FROM PRINTF FORMAT STRING
VULNERABILITIES
Crispin Cowan Matt Barringer SteveBeattie Greg Kroah-Hartman WireXCommunications Inc Mike FrantzenPurdue University and Jamie LokierCERN
In June 2000 a major new class of vul-nerabilities called format bugs was dis-covered when a vulnerability inWU-FTP appeared that looked almostlike a buffer overflow but was not It isunsafe to allow potentially hostile inputto be passed directly as the format stringfor calls to printf-like functions Thedanger is that the inclusion of direc-tives especially n in the format stringcoupled with the lack of any effectivetype or argument counting in Crsquosvarargs facility allows the attacker toinduce unexpected behavior in pro-grams
The authors developed FormatGuard asmall patch to glibc It provides generalprotection against format bugs usingparticular properties of the GNU CPPmacro-handling mechanism to extractthe count of actual arguments to printfstatements This is then passed to a safeprintf wrapper The wrapper parses theformat string to determine how manyarguments to expect and if the formatstring calls for more arguments than theactual number of arguments it raises anintrusion alert and kills the process
FormatGuard fails to protect against for-mat bugs under several circumstancesFor example if the program uses a func-
tion pointer that has the address ofprintf then it evades the macro expan-sion
FormatGuard is incorporated in WireXrsquosImmunix Linux distribution and serverproducts It is available as a GPLrsquod patchto glibc at httpimmunixorg
DETECTING FORMAT STRING VULNERABILITIES
WITH TYPE QUALIFIERS
Umesh Shankar Kunal Talwar Jeffrey SFoster and David Wagner Universityof California Berkeley
Systems written in C are difficult tosecure given Crsquos tendency to sacrificesafety for efficiency Format string vul-nerabilities can occur when user input isused as a format specifier One of themost common cases is when the pro-gram uses printf with one argument auser-supplied string assuming that thestring does not contain any directiveThe authors presented a tool (cqual)that automatically detects format stringbugs at compile time using type-theo-retic analysis techniques With this staticanalysis vulnerabilities can be proac-tively identified and fixed before thecode is deployed
Cqual builds an annotated Abstract Syn-tax Tree (AST) Then it traverses theAST to generate a system of type con-straints which is solved online Warn-ings are produced whenever aninconsistent constraint is generatedCqual presents the results of taintinganalysis to the programmer using Pro-gram Analysis Mode for Emacs (PAM)PAM is a GUI that is designed to addhyperlinks and color mark-ups to thepreprocessed text of the program Theinterface shows the taint flow path tohelp programmers determine how avariable becomes tainted
The configuration files makes cqualusable without modifying the sourcecode The authors analyzed four secu-rity-sensitive benchmark programs withthe same standard prelude file and no
direct changes to the applicationsrsquosource code Typically a few application-specific entries were added to the prel-ude file to improve accuracy in thepresence of wrappers around libraryfunctions Cqual reliably finds all knownbugs for the benchmark programs Italso reports few false positives Cqual isfast it usually takes less than a minute
Cqual is available at httpbanecsberkeleyeducqual
SESSION AUTHORIZATION
Summarized by Rachel Greenstadt
CAPABILITY FILE NAMES SEPARATING
AUTHORIZATION FROM USER MANAGEMENT
IN AN INTERNET FILE SYSTEM
Jude T Regan consultant Christian DJensen Trinity College
On the Internet there is no reliable wayto establish an identity Flexible user-user collaboration outside of an admin-istered system so that people couldcreate ad hoc work groups and removearbitrary limitations to informationsharing is the authorsrsquo goal
Such a system should be globally accessi-ble easy to use and require as littleintervention by system administrators aspossible This system should integratewith existing systems and applications Itshould have fine granularity so thatusers would not have to use complicatedexport mechanisms to share files
The authors used the concept of a capa-bility a token conveying specified accessrights to a named object in order tomake the identity of the object and theaccess rights inseparable They embed-ded the capability in something everysystem knows ndash the file name
The authors concluded that the systemwas safe from interception and modifi-cation Attackers could forge the clientpart but not the server part of the filenames Service could be interrupted butprotecting against this is impossible
19November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Swithout complete control of the net-work Performance was evaluated incomparison to NFS Most of the over-head was in the open statement Readswere slightly slower and writes weremuch slower but they felt this could bealleviated by implementing symmetricwrites
KERBERIZED CREDENTIAL TRANSLATION ASOLUTION TO WEB ACCESS CONTROL
Olga Kornievskaia Peter HoneymanBill Doster and Kevin Coffman CITIUniversity of Michigan
There are two different authenticationmechanisms those used for servicessuch as login AFS and mail for whichKerberos is popular and public key-based mechanisms such as SSL which isused to establish secure connections onthe Web These systems need to be ableto work together to satisfy a request
The authors propose to achieve the bestof both worlds by leveraging Kerberos tosolve PKI key management This will useexisting infrastructures which allowstrong authentication on the Web withSSL and which provide access to Kerber-ized back-end services They propose asystem to provide interoperabilitybetween PKI and Kerberos Their systemconsists of (1) a Certificate Authority(CA) KX509 which creates short-livedcertificates (2) a Web server which actslike a proxy for users by requesting serv-ices from Kerberized back-end servicesand (3) a Kerberized Credential Transla-tor which translates public-key creden-tials to Kerberos They created aprototype of their system called WebAFSusing AFS as an example Kerberized ser-vice
DOS AND DONrsquoTS OF CLIENT AUTHENTICA-TION ON THE WEB
Kevin Fu Emil Sit Kendra Smith and
Nick Feamster MIT
[This paper received the Best StudentPaper Award]
Kevin gave a very amusing presentationwhich illustrated the gap between secu-rity theory and practice He described avariety of Web sites that used insecureclient authentication schemes and pre-sented hints on how to avoid their mis-takes
Client authentication seems like a solvedproblem but many sites continue tocome up with homebrew schemes whichjust donrsquot quite get it right Out of the 27Web sites the cookie eaters group exam-ined they weakened the security on twosites were able to mint authenticatorson eight and on one site were able toobtain the secret key Some of these siteswere high profile such as the Wall StreetJournal (wsjcom) Sprint PCS (sprint-pcscom) and FatBrain (fatbraincom)
In most cases the mistakes made inthese sites were simple By simply look-ing at their cookie files the authors couldquery Web servers and look at headersresponses and create sample authentica-
tors Except forSprint theseattacks involved noeavesdropping atall The schemeswere not evenstrong against whatthe authors termedthe ldquointerrogativeadversaryrdquo Thisadversary has nospecial access but it
adaptively queries a Web server a rea-sonable number of times It just sitsthere and connects to port 80 it cannotdefeat SSL client authentication HTTPbasic or digest authentication The bestsuch an adversary can do against a pass-
Kevin Fu
word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable
In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password
Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary
In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu
SESSION KEY MANAGEMENT
Summarized by Sameh Elnikety
SC-CFS SMARTCARD SECURED
CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi CITI University of Michigan
Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS
20 Vol 26 No 7 login
implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation
When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory
SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key
The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds
SECURE DISTRIBUTION OF EVENTS IN
CONTENT-BASED PUBLISH SUBSCRIBE
SYSTEMS
Lukasz Opyrchal and Atul Prakash University of Michigan
Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage
Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize
The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
direct changes to the applicationsrsquosource code Typically a few application-specific entries were added to the prel-ude file to improve accuracy in thepresence of wrappers around libraryfunctions Cqual reliably finds all knownbugs for the benchmark programs Italso reports few false positives Cqual isfast it usually takes less than a minute
Cqual is available at httpbanecsberkeleyeducqual
SESSION AUTHORIZATION
Summarized by Rachel Greenstadt
CAPABILITY FILE NAMES SEPARATING
AUTHORIZATION FROM USER MANAGEMENT
IN AN INTERNET FILE SYSTEM
Jude T Regan consultant Christian DJensen Trinity College
On the Internet there is no reliable wayto establish an identity Flexible user-user collaboration outside of an admin-istered system so that people couldcreate ad hoc work groups and removearbitrary limitations to informationsharing is the authorsrsquo goal
Such a system should be globally accessi-ble easy to use and require as littleintervention by system administrators aspossible This system should integratewith existing systems and applications Itshould have fine granularity so thatusers would not have to use complicatedexport mechanisms to share files
The authors used the concept of a capa-bility a token conveying specified accessrights to a named object in order tomake the identity of the object and theaccess rights inseparable They embed-ded the capability in something everysystem knows ndash the file name
The authors concluded that the systemwas safe from interception and modifi-cation Attackers could forge the clientpart but not the server part of the filenames Service could be interrupted butprotecting against this is impossible
19November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Swithout complete control of the net-work Performance was evaluated incomparison to NFS Most of the over-head was in the open statement Readswere slightly slower and writes weremuch slower but they felt this could bealleviated by implementing symmetricwrites
KERBERIZED CREDENTIAL TRANSLATION ASOLUTION TO WEB ACCESS CONTROL
Olga Kornievskaia Peter HoneymanBill Doster and Kevin Coffman CITIUniversity of Michigan
There are two different authenticationmechanisms those used for servicessuch as login AFS and mail for whichKerberos is popular and public key-based mechanisms such as SSL which isused to establish secure connections onthe Web These systems need to be ableto work together to satisfy a request
The authors propose to achieve the bestof both worlds by leveraging Kerberos tosolve PKI key management This will useexisting infrastructures which allowstrong authentication on the Web withSSL and which provide access to Kerber-ized back-end services They propose asystem to provide interoperabilitybetween PKI and Kerberos Their systemconsists of (1) a Certificate Authority(CA) KX509 which creates short-livedcertificates (2) a Web server which actslike a proxy for users by requesting serv-ices from Kerberized back-end servicesand (3) a Kerberized Credential Transla-tor which translates public-key creden-tials to Kerberos They created aprototype of their system called WebAFSusing AFS as an example Kerberized ser-vice
DOS AND DONrsquoTS OF CLIENT AUTHENTICA-TION ON THE WEB
Kevin Fu Emil Sit Kendra Smith and
Nick Feamster MIT
[This paper received the Best StudentPaper Award]
Kevin gave a very amusing presentationwhich illustrated the gap between secu-rity theory and practice He described avariety of Web sites that used insecureclient authentication schemes and pre-sented hints on how to avoid their mis-takes
Client authentication seems like a solvedproblem but many sites continue tocome up with homebrew schemes whichjust donrsquot quite get it right Out of the 27Web sites the cookie eaters group exam-ined they weakened the security on twosites were able to mint authenticatorson eight and on one site were able toobtain the secret key Some of these siteswere high profile such as the Wall StreetJournal (wsjcom) Sprint PCS (sprint-pcscom) and FatBrain (fatbraincom)
In most cases the mistakes made inthese sites were simple By simply look-ing at their cookie files the authors couldquery Web servers and look at headersresponses and create sample authentica-
tors Except forSprint theseattacks involved noeavesdropping atall The schemeswere not evenstrong against whatthe authors termedthe ldquointerrogativeadversaryrdquo Thisadversary has nospecial access but it
adaptively queries a Web server a rea-sonable number of times It just sitsthere and connects to port 80 it cannotdefeat SSL client authentication HTTPbasic or digest authentication The bestsuch an adversary can do against a pass-
Kevin Fu
word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable
In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password
Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary
In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu
SESSION KEY MANAGEMENT
Summarized by Sameh Elnikety
SC-CFS SMARTCARD SECURED
CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi CITI University of Michigan
Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS
20 Vol 26 No 7 login
implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation
When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory
SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key
The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds
SECURE DISTRIBUTION OF EVENTS IN
CONTENT-BASED PUBLISH SUBSCRIBE
SYSTEMS
Lukasz Opyrchal and Atul Prakash University of Michigan
Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage
Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize
The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable
In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password
Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary
In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu
SESSION KEY MANAGEMENT
Summarized by Sameh Elnikety
SC-CFS SMARTCARD SECURED
CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi CITI University of Michigan
Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS
20 Vol 26 No 7 login
implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation
When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory
SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key
The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds
SECURE DISTRIBUTION OF EVENTS IN
CONTENT-BASED PUBLISH SUBSCRIBE
SYSTEMS
Lukasz Opyrchal and Atul Prakash University of Michigan
Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage
Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize
The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster
The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions
A METHOD FOR FAST REVOCATION OF
PUBLIC KEY CERTIFICATES AND SECURITY
CAPABILITIES
Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University
The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message
The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part
21November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption
The authors implemented the systemusing OpenSSL and provided a client
API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-
mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet
The implementation of the system isavailable athttpsconceicsuciedusucses
The SEM Eudora plug-in is available athttpcryptostanfordedusemmail
SESSION MATH ATTACKS
Summarized by Kevin Fu
PDM A NEW STRONG PASSWORD-BASED
PROTOCOL
Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories
A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server
Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password
PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges
PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six
PDM strives not to leak information andavoids timing attacks by properly order-
Gene Tsudik
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges
Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber
Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed
Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security
DETECTING STEGANOGRAPHIC CONTENT ON
THE INTERNET
Niels Provos CITI University of Michigan
Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files
22 Vol 26 No 7 login
The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions
How to automatically detectsteganographic content
How to find a source of images withpotentially steganographic content
How to determine whether animage contains hidden content
Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not
necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed
There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content
On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack
Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is
as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims
Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch
Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message
One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software
Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing
Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages
For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg
Niels Provos
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
TIMING ANALYSIS OF KEYSTROKES AND
TIMING ATTACKS ON SSH
Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley
Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50
The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation
The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow
Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the
23November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character
One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic
Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns
Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists
When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case
Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization
WORKS IN PROGRESS
Summarized by Sam Weiler and DavidRichard Larochelle
USING THE FLUHRER MANTIN AND SHAMIR
ATTACK TO BREAK WEP
Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch
The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools
For more information visithttpwwwcsriceedu~astubblewep
SRMAIL ndash THE SECURE REMAILER
Cory Cohen CERT
SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys
VOMIT ndash VOICE OVER MISCONFIGURED
INTERNET TELEPHONES
Niels Provos CITI University of Michigan
Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon
For more information visithttpwwwmonkeyorg~provosvomit
VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT
Matthias Bauer Institut fuumlr Informatik
Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols
For more information visit httpwww1informatikunierlangende~bauernewv2vhtml
DETECTING MANIPULATED REMOTE CALL
STREAMS
Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin
In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion
A QUANTITATIVE ANALYSIS OF ANONYMOUS
COMMUNICATIONS
Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity
This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear
For more information visit httpnetcamocstamuedu
DISTRIBUTED AUTHORIZATION WITH
HARDWARE TOKENS
Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg
24 Vol 26 No 7 login
The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion
For more information visithttpwwwwieseckeldeibutton_smartcardhtml
MOVING FROM DETECTION TO RECOVERY
AND ANALYSIS
George Dunlap University of Michigan
Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development
A CRYPTANALYSIS OF THE HIGH-BANDWIDTH
DIGITAL CONTENT PROTECTION (HDCP)SYSTEM
Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University
HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk
for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis
TRUST SERVERS AND CLIENTS
Sean Smith Dartmouth University
WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it
Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion
For more information visithttpwwwcsdartmouthedu~pkilab
SOURCE ROUTER APPROACH TO DDOSDEFENSE
Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles
The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios
For more information visit httpfmg-wwwcsuclaeduddos
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up
SAVE SOURCE ADDRESS VALIDITY
ENFORCEMENT PROTOCOL
Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles
SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery
For more information visit httpfmg-wwwcsuclaeduadas
CODE RED THE SECOND COMING mdash FROM
WHENCE DIURNAL CYCLES
Colleen Shannon and David MooreCAIDA
Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers
For more information visithttpwwwcaidaorganalysissecuritycode-red
FAST-TRACK SESSION ESTABLISHMENT FOR
TLS
Hovav Shacham and Dan Boneh Stan-ford University
The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent
25November 2001 login SECURITY 2001
C
ON
FERE
NC
ERE
PORT
Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices
For more information visithttpcryptostanfordedu
ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research
Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details
For more information visithttpwwwresearchibmcomintsec
PASSWORD AUTHENTICATION
Philippe Golle Stanford University
Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites
For more information visithttpcryptostanfordedu~pgolle
A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK
Josh Gentry Southwest Cyberport
Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl
hashes The command line client canquery that data locally or over the net-work
For more information visithttpwwwsystemstabilityorg
OPEN SOURCE IMPLEMENTATION OF 8021X
Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland
Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed
For more information visithttpwwwmisslcsumdedu1x
[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]
Will the real Peter Honeyman please stand up