special focus issue: security · the normal user: don’t get or look at it. for the government,...

THE MAGAZINE OF USENIX amp SAGENovember 2001 bull Volume 26 bull Number 7

insideCONFERENCE REPORTS

10th USENIX Security Symposium

The Advanced Computing Systems Association amp

The System Administrators Guild

amp

Special Focus Issue SecurityGuest Editor Rik Farrow

4 Vol 26 No 7 login

conference reports10th USENIX Security SymposiumWASHINGTON DCAUGUST 13ndash17 2001KEYNOTE

WEB-ENABLED GADGETS CAN WE TRUST THEM

Richard M Smith CTO The PrivacyFoundation

Summarized by George M Jones

Richard Smith started off by saying thatwhat he primarily does is ldquocause prob-lemsrdquo mostly for companies that havenot thought through the security impli-cations of products that they havereleased They often ldquodiscover unin-tended consequences that companiesdonrsquot like to talk aboutrdquo The three mainareas they consider are security privacyand control

He stated thatldquoconsumerscare moreabout thesecurity ofcell phonesthan aboutWeb serversrdquobecause cellphones arepersonaldevices with

which consumers have immediate con-nections Application developers andcompanies are more concerned withfunctionality than security Productssuch as consumer devices based on real-time operating systems tend to havelower concerns for security

Smith said that DirecTV was the firstconsumer device that got his interestabout privacy issues It had a phone jackWhat information was it sending backLater a call to customer service on a dif-ferent issue revealed that the customerservice people were able to send com-mands (via satellite) to turn his TV on

Is this a good thing Still another timethe company apparently chose to ldquoadver-tiserdquo new services by causing the TV totune to a soft-porn channel which hehad not subscribed to or selected

Earlier this year just before the SuperBowl the company downloaded a pro-gram to all DirecTV boxes The goal wasto disable black market devices used topirate programming It succeeded Butwhat if they had made a mistake Whatif they had disabled service for legiti-mate customers Who in fact owns theboxes DirecTV clearly did not own theblack-market devices Did the com-panyrsquos actions constitute ldquohackingrdquo Didthe terms of service allow them to repro-gram the legitimate boxes

It turns out that DirecTV was not send-ing back ldquoNielsenrdquo information just a lotof information about the temperatureinside the box Their competitor Tivodoes send in ldquoNielsenrdquo info You have toexplicitly opt out by calling customerservice

Wersquore entering a brave new world ofconnected devices A company calledSports Barn sold a strap-on device thatmonitored your daily exerciseand thenuploaded it via phone to their Web siteto create a ldquopersonal profilerdquo (which ofcourse would never be used for market-ing or other) purposes One could havegotten the same effect by uploading to aPC without disclosing personal informa-tion and there are inexpensive stand-alone devices available at sports shopsthat do similar things But to maintain arecord you might have to (gasp) writethings on paper the price of privacyOh the company just went out of busi-ness Many formerly happy customersnow have worthless devices Similarthings could never happen with sub-scription software licensing could itSoftware companies never go out ofbusiness get bought out refocus onnewer products or have turnover or lossof support staff

This issuersquos reports are on the 10thUSENIX Security Symposium

OUR THANKS TO THE SUMMARIZERS

TAKEAKI CHIJIIWA

SAMEH ELNIKETY

KEVIN FU

RACHEL GREENSTADT

YONG GUAN

ANCA IVAN

GEORGE M JONES

STEFAN KELM

DAVID RICHARD LAROCHELLE

ROSS OLIVER

EVAN SARMIENTO

COLE TUCKER

MIKE VERNAL

SAM WEILER

Richard M Smith

Ever considered plugging your pictureframes into the phone Kodak wants youto so that you can ldquoregisterrdquo your digitalpictures Of course yoursquoll pay a recur-ring subscription fee to do so Andtheyrsquoll never share your private pictureswith anyone either their servers neverget hacked and all their employees areintimately familiar with their informa-tion security policies and actively makeit their top priority each day to followthem

Want free wireless Internet access Seethe Global Access Wireless Database athttpwwwshmoocomgawd Want tosee what your neighbors and coworkersare doing 80211 is your friend At leastone non-USENIX conference personwas observed using the USENIX wirelessnetwork at the symposium

Convergence is a good thing rightFewer devices more functionality lowercost but do you really want someoneusing the cell phone API in your combophonepalm pilot to run a program that(1) turns off the speaker (2) places acall and (3) turns on the microphoneYour phone is now a bugging device inaddition to a tool for pinpointing yourlocation at all times Personally Irsquoll stickwith dumb one-way pagers and onlyturn my phone on when I want to makea call (and announce my location)

Do you ever store personallow-sensitiv-ity data and businesshigh-sensitivityinformation on say a palm pilot a lap-top computer or a home computer con-nected to public networks Mudge andKingpin of stake pointed out in a latertalk (dressed in bathrobes to protesttheir 9 am speaking slot) that PalmOShas serious security problems Cablemodem providers do not generally pro-vide securityfirewall services Laptopsare routinely stolen (the laptop that wasbeing used as the gatewayrouter for theconference terminal room disappearedovernight and one of the terminal-roomattendants stopped someone who

5November 2001 login SECURITY 2001

C

ON

FERE

NC

ERE

PORT

Sattempted to walk out with its replace-ment in broad daylight) Informationsecurity management issues that wereonce handled by trained security profes-sionals in controlled centralized envi-ronments are now the problem of yourgrandmother Joe Six-pack and yourCEO

Do you ever speed in a rental car In theQampA session Rik Farrow noted that atleast one person has been fined by therental car company for doing so Thecompany installed GPS devices in all itrsquoscars that enable it to track down stolencarsand tell how fast you go Anyguesses how long it will be before lawenforcement and insurance companiespush for legislation requiring suchdevices in all new cars

Steve Bellovin noted that during the talkthere had been multiple nmaps of thewireless net and an ongoing battle foraddress of the default router (Dug Songof dsniff fame was in the room)

And lastly true confessions mdash Smithadmitted that he has not turned on WEPon his own wireless net at home

And the beat goes on

INVITED TALKS

A MAZE OF TWISTY LITTLE STATUTES ALL

ALIKE THE ELECTRONIC COMMUNICATIONS

PRIVACY ACT OF 1986 (AND ITS APPLICA-TION TO NETWORK SERVICE PROVIDERS)

Mark Eckenwiler US Department ofJustice

Summarized by Cole Tucker

The Electronic Communications PrivacyAct of 1986 has a reputation for com-plexity Mark Eckenwiler gave an expres-sive overview of the law primarily fromthe viewpoint of a system administra-torprovider Basically the act covers the relationship between providers andcustomers and providers and the gov-ernment It tries to allow for communi-cation privacy while keeping in mind

that online records are the key to prose-cuting network criminals

The law distinguishes four types of envi-ronments based on whether the data iscontent or transactional in nature andwhether itrsquos being intercepted in realtime or after itrsquos been stored The classthat receives the most protection real-time content has a very basic rule forthe normal user donrsquot get or look at itFor the government the rule is nearly assimple donrsquot get it without a wiretaporder Providers arenrsquot supposed to lookat it unless theyrsquore in the process of pro-tecting their rights and property So ifyoursquore a regular user donrsquot run an unau-thorized sniffer If yoursquore representing aprovider under Eckenwilerrsquos interpreta-tion feel free to run an IDS or even akeystroke logger in real time you can beproactive in defending yourself Otherexceptions are made for publicly accessi-ble systems such as IRC or if all partiesconsent say in a system that has a ban-ner stating that use implies consent tomonitoring As a provider if you have alegitimate need to monitor therersquos noreason to worry

The second class of data consists oftransactional records being interceptedin real time For providers and users therules remain nearly the same hands offfor the latter and have a good reason forthe former The standards have beenlowered for the government so thisinformation is essentially ldquoless privaterdquoFor access to this data the governmentsimply needs a court order Examples ofdata that fall under this are addressesattached to incoming emails and infor-mation on where users are connectingfrom and whether they are online

Next comes stored content Eckenwilerreferred to this section as ldquoDichotomieslsquoRrsquo Usrdquo basically each situation has dif-ferent rules that apply with way toomany to generalize here

Finally there are stored transactionalrecords Users hands off Providers are

allowed to reveal this information toanyone they like except for the govern-ment In respect to the governmentthere are two classes of data basic userdata and non-contact info Basic userdata (things like name address andphone number) is accessible with a sub-poena and thus not strongly protectedEverything else requires a 2703(d) war-rant to access but providers can be senta court order requiring they hold on tothe data for a specified amount of timeusually in expectation of a warrant beingserved in the near future

LOANING YOUR SOUL TO THE DEVIL INFLU-ENCING POLICY WITHOUT SELLING OUT

Matt Blaze ATampT Labs-Research


Matt Blaze commented on the publicdebate over cryptology thatrsquos taken placeover the past 10 years or so He includedamusing stories of ldquohacker tourismrdquoincluding nine cryptography experts allindependently trying to score ldquocoolrdquopoints by stealing stationery from secretcongressional briefing rooms and NOTopening a red folder marked ldquoTOPSECRET Presidentrsquos Daily NationalSecurity Briefingrdquo when left alone in aconference room in the old executiveoffice building

What can a scientisttechie contribute tothe public policy debate His mainadvice is ldquostick to what you knowrdquo (sci-encetechnology) ldquoYou are listened tobecause people believe you have objec-tivityThe basic purpose of science andengineering is to expand understandingof realitytruth with no compromisesrdquoYou are not there to comment on philos-ophy politics or constitutional law

He gave an amazingly insightful list ofthe contrasting values of science andpolitics)

Science is interested in findingtruth Politics is about balancinginterests

6 Vol 26 No 7 login

In science people are rewarded fornew discoveries Disruptiveness isconsidered good In politics peopleare rewarded for making other peo-ple happy Disruptiveness is consid-ered bad

In science uncompromising peopleare admired in politics uncompro-mising people are considered fools

In science ldquohonestyrdquo means admit-ting mistakes in politics it meanskeeping promises

In science challenging someoneshows interest in politics a chal-lenge is an attack

In science there is no ldquodress coderdquoin politics even suits can be consid-ered ldquocasualrdquo (and thus cause younot to be taken seriously)

The policy options range from discour-agingforbidding its use allowing lim-ited strength crypto allowing use ofstrong modern cryptographic methodsand encouraging use In the last fewyears the US has moved mostly from thefirst to the third stage

The tone of thedebate has alsochanged andincludes more actualdialogue We nolonger have one sideyelling ldquoYoursquore abunch of long-haired hippiesrdquo andthe other yellingldquoYoursquore a bunch of

jack-booted thugsrdquo Now itrsquos just ldquoyoursquorea bunch of hippiesrdquo vs ldquoyoursquore a bunchof thugsrdquo See for instance ldquoThou shaltuse skipjackclipperrdquo vs the process forselecting AES

ldquoWashington DC is another planet aclosed systemrdquoldquoMuch of what happenshere is for showrdquoldquoAny meeting with apolicy maker involves a little conspiracyto make each other feel importantrdquoldquoMeetings with congressional staffers

always end with the question lsquoWhat doyou suggest we dorsquordquo Stick to what youknow

COPS ARE FROM MARS SYSADMINS ARE

FROM PLUTO DEALING WITH LAW ENFORCE-MENT

Tom Perrine San Diego SupercomputerCenter

Summarized by Ross Oliver

Tom Perrine described some of his expe-riences with law enforcement peopleand discussed his recommendations forother sysadmins who may need to inter-act with law enforcement

Like system administration law enforce-ment is a culture as well as an occupa-tion with its own lingo inside jokes etcThere are also many different lawenforcement agencies federal state citycounty military and customs Evenschools and universities often have theirown police force

Throughout the talk Perrine empha-sized the importance of trust in individ-uals rather than organizations Just as inany large organization there are ldquoclue-fulrdquo and not ldquocluefulrdquo members andbuilding personal relationships is keyAlso realize that the goals and prioritiesof law enforcement may be differentfrom yours

Because they are ldquoagents of the govern-mentrdquo law enforcement officers havemany legal constraints on their actionsthat may not apply to private citizensSysadmins can take advantage of ldquoISPexemptionsrdquo in the law to take ldquoany stepsnecessary to protect the communica-tions systemrdquo

Perrine recommends that sysadminsbecome familiar with applicable laws(both federal and state) before the needto apply them arises Advice of qualifiedlegal counsel is strongly recommendedAlso make sure your organizationrsquos poli-cies are suitable and adhere to themduring any investigation

Matt Blaze

READING BETWEEN THE LINES LESSONS

FROM THE SDMI CHALLENGE

Summarized by Rachel Greenstadt

Scott A Craver Min Wu and Bede LiuPrinceton University Adam Stubble-field Ben Swartzlander and Dan SWallach Rice University Drew Deanand Edward W Felten Princeton Uni-versity

Program Chair Dan Wallach introducedthis talk as being a long time in the mak-ing and mentioned that he was pleasedto have it here However he stressed thatthis first section would be a normal bor-ing technical talk THEN there would bea panel discussion where policy ques-tions would be allowed Matt Blazeasked when the subpoenas would beserved however despite the large massof press and lawyers that joined theUSENIX attendees there was no last-minute withdrawal of the talk this timeand no FBI agents came to cart ScottCraver away as he gave his talk

Craver began by describing the chal-lenge which took place during threeweeks in September and October of2000 SDMI (Secure Data Music Initia-tive) invited ldquohackersrdquo otherwise knownas the general public to crack six of theirproposed technologies labeled Athrough F There were four watermark-ing technologies and two others SDMIoffered a cash prize for the successfuldefeat of one of their technologies butthis required the winners to sign a Non-Disclosure Agreement so the Feltengroup decided to forego the prize infavor of publishing their findings

SDMI is an organization an initiativeand the technology for that initiative Atthe time of the challenge that technol-ogy was watermarking and related tech-nologies The watermarks (technologiesA B C and F) were composed of arobust and a fragile component therobust part of which would survivealtered music Through a missing water-mark in the fragile component such as


C

ON

FERE

NC

ERE

PORT

Sif it had been mp3 compressed anSDMI device could perhaps determine ifa CD track was ever an mp3 in the pastperhaps illegally downloaded The othertechnologies (D and E) were used tosign tables of contents supposedly tocontrol the propagation of CDs withmixed tracks

For the watermarking technologies therewere three samples given (1) a soundclip without a watermark (2) the samesample with a watermark and (3) a dif-ferent sound clip with a watermark Thechallenge was to remove the watermarkfrom the third sound clip SDMI pro-vided no actual embedders or detectorsThere was an online oracle to which youcould submit a sound clip and get aresponse There was no description ofthe algorithms used and no details orreasons were given when an oraclerejected a clip The challenge lasted onlythree weeks and the oracle had a turn-around time in hours As such adaptiveoracle attacks which would be possibleif the system were deployed were notfeasible

There were several approaches usedagainst the marks (1) brute force attacksnot specific to the algorithm used andwhich mostly consisted of adding noiseand filtering (2) slight brute forceattacks loosely based on supposeddetails of the algorithms and (3) full-blown reverse engineering

For technologies B and C the groupnoticed that there was a narrow bandsignal added to the clip By the slightlybrute method of filtering at the fre-quency and adding narrow-band noisethey were able to foil the oracle

In their analysis of technology A the-group noticed a slight warping in thetime domain as though the signal wasslowly advancing or decreasing Theydetermined that this phase shifting waspre-processing and not the actual water-mark since the oracle did not admit the

sample when the distortion wasremoved However removing this dis-tortion in technology F was able to makethat watermark undetectable (quicksomebody call the FBI)

Another approach to defeating technol-ogy A would have been to try reinstatingthe fragile component However therewas no way to test this type of attackusing the oracle

The group noticed a ripple in the fre-quency domain which led them tobelieve that technology A used some sortof echo hiding technique consisting ofdeliberate but inaudible echoes whichmeant that there was a signal which wasdelayed and then added back into themusic They tried a filtering approach toreduce the audibility of the echo suffi-cient to remove the watermark Wantingto discover more they decided to do apatent search figuring correctly that thiswas a proprietary algorithm with apatent They found a patent belongingto Aris corporation which became Ver-ance one of the SDMI companies Thismade them feel like they were on theright track They also discovered that itwas a simple echo every fiftieth of a sec-ond and that a delayed version wasadded or subtracted every fifteenthinterval To further analyze the signalthey used the auto-kepstral techniquefor echo hiding combining techniquesto estimate the echo Theyrsquove come upwith better echo hiding detection soft-ware subsequent to the challenge Scottdemonstrated a program that was colorcoded to detect the echo

For technologies D and E SDMI pre-sented table-of-contents files for 100CDs and signature tracks The challengewas to create a new table of contents andsuccessfully forge a signature for it Fortechnology D they found that all theenergy was concentrated in a small fre-quency band of 80 frequency bins whichonly actually used a 16-bit signal

repeated five times with constant shuf-fling Since there were only 16 bits ofoutput a user should be able to acquiremany authenticators as there were twohash collisions among the CDs givenHowever it was difficult to get furtherthan this analysis because the oracle forD didnrsquot work it would always returnldquoinvalidrdquo regardless of input Technology

E however didnrsquot have any data to ana-lyze at all You could submit a mail say-ing yoursquod try mixing this track and thattrack and yoursquod get a reply saying thatyou couldnrsquot do that

The speaker concluded by saying thatmany claimed that this was a system toldquokeep honest people honestrdquo Howeverthough the Felten group felt that the sys-tem was too complex for that theywouldnrsquot claim any type of strong secu-rity The systems require trusted clientsin a hostile environment but if deployedthey would be broken quickly No spe-cial EECS knowledge is needed andthere are no dirty secrets Anyone withreasonable expertise could do thisWatermarking can be useful but not inthis situation The weakness is in theoverall concept not the specific technol-ogy One main lesson learned is thatsecurity through obscurity STILL doesnrsquot work This is particularly thecase for secret algorithms which arepatented and therefore public

Peter Honeyman asked about the possi-bility of a secure watermark Scottreplied that he personally thinks that

8 Vol 26 No 7 login

watermarking wonrsquot work for activelyenforcing a usage policy since doing thisprovides all targets an oracle that theycan use He is pessimistic about the useof watermarking for copyright controlHe clarified that they broke accordingto the oracle technologies A B C and Fbut that D and E had no valid responsesHe also clarified that only technology Aused echo hiding and that though theydonrsquot know what the criteria for the ora-cle was it appeared to make a decisionbased on detectability and quality Heexplained that some areas where water-marking might prove useful is in fragilewatermarks which provide tamper evi-dence in digital photographs and in pre-venting duplication of currency Thesetechnologies have a different threatmodel Someone asked about copy pro-tected CDs Scott replied that that was acompletely different approach doneentirely at the hardware level Peoplewondered why honest people would notwant a complex copy protection schemeScott answered that complex schemeshave higher rates of failure and highercost Someone asked how this was rele-vant to detecting steganographic infor-mation and Scott answered that theywere basically the same and that theinformation about echo detection wouldbe useful

PANEL DISCUSSION ON SDMIDMCA

Moderator Dan Wallach Rice Univer-sity Panelists Edward W FeltenPrinceton University Cindy Cohn EFFand Peter Jaszi American UniversityCollege of Law

The three panelists spoke about the legaland social questions surrounding theSDMIDMCA issue Dan Wallach men-tioned that if there were any representa-tives from the record company the panelwould love to have someone from theother side come speak he doubtedhowever that they would be here

Peter Jaszi then presented a detaileddescription of the Digital Millennium

Copyright Act (DMCA) section 1201He explained the difference between theDMCA and copyright law Copyrightlaw has been developed and refined overa few hundred years and maintains adelicate balance between owners andusersrsquo privileges To that end it has beenrelatively successful It is important tounderstand that the DMCA is not copy-right law but rather a supplement tocopyright law or para-copyright legisla-tion As such it has the potential to over-

ride thecopyrightdefault protec-tions which hadbeen carefullylaid out overtime He soughtto explain theseoverrides andmentioned thatthe risk the

DMCA poses to the fundamental copy-right system isnrsquot news and wasnrsquot newswhen it was passed As a result somelimitations to the DMCA were built inbut most of these exceptions are notvery functional

The fundamental commandment of theDMCA is ldquoThou shall not circumventfor accessrdquo The fact that it was accessand not use was a compromise intendedto limit the DMCA However it limitedthe legislation less than some imaginedit would since there is a great deal ofconfusion between access and use Thereare also secondary prohibitions concern-ing making goods and services whichcan be used for circumvention availableSection 1201(b)(1) can be interpretedbroadly and it was under this provisionthat the threats from SDMI to theauthors of the paper were made

Section 1201(c) presents a fair-useexception in wonderful ringing lan-guage however it is completely irrele-vant since it references fair use as adefense of copyright and the DMCA isnot copyright

Q amp A Scott Craver amp Dan Wallach

Prof Peter Jaszi

The law enforcement exception is actu-ally sweeping and robust it applies to allthe provisions of the act The reverseengineering exception is not half bad itrefers to the whole range of prohibitionsalthough it is still narrower in scopethan the protections under copyrightlaw Sections 1201(g) and (j) presentlimited exceptions for encryptionresearch and security testing which areuncertain in scope Section 1201(h)presents a small but robust exception toallow adults to circumvent in order tofrustrate a minorrsquos attempt to achieveprivacy in a Web environment Section1201(i) allows ordinary people to pro-tect their privacy but it is only a conductexception you need to make your owntools and not distribute them There isless to all these limitations and excep-tions than meets the eye

There are risks posed by this legislationto the traditional balance of interest incopyright law which calls for a push-back against legislative excess To thisend Jaszi is forming a new access coali-tion They have a Web site athttpwwwipclinicorg

Cindy Cohn from the EFF said thatPeter had already said everything aboutsection 1201 but stressed that the EFFwas ldquopushback centralrdquo and explainedways in which people could get involvedin this effort The EFF has been involvedin this issue even before the cases involv-ing 2600 Magazine Felten and theUSENIX presentation of the SDMIpaper and the California trade secretscase

Thomas Greene from the Register won-dered why the mainstream press hasnrsquotrealized their stake in this and what itimplies about freedom of the pressCindy replied that they were gettingincreased press support with the Sky-larov arrest speaking speculatively shealso mentioned that the mainstreampress is owned by content holders In


C

ON

FERE

NC

ERE

PORT

Saddition most press organizations wishto be seen as nonpartisan and objective

Someone asked about dual use tech-nologies such as echo detection TheDMCA takes this into account but thelanguage doesnrsquot give much comfortThere are a series of criteria which willgive you liability

There was a question about potentialconnections between the lawsuit and theSkylarov case Cindy answered that instrictly legal terms there was no overlap

Someone asked what to do in Feltenrsquossituation what lessons had they learnedFelten responded that they learned agreat deal responding to the threatsregarding the paper He said to talk topeople whorsquove been there and keep inmind your goals and values

Someone brought up the question ofwhether a person would be at risk forsummarizing the session Cindy saidthat the letter they received only per-tained to the particular paper butbecause the paper can be publishedprosecuting for summarizing would behard Peter suggested that if you weregoing to synthesize the talk (uhthis isstarting to sound disturbingly famil-iar) and discuss strengths and weak-nesses theoretically you could be introuble Especially if you implementsomething based on the presentationFelten mentioned that the fact that thisquestion has no simple answer is telling

Someone suggested widespread civil dis-obedience as the only way to effectchange Cindy responded that she neveradvises people to break the law Thoughshe feels that if the law is out of stepwith what people believe their rights arethe law should be changed Peter addedthat copyright law has functioned wellbased on shared social investment Likethe tax code it works not because it ispoliced but because there is a highdegree of collective buy in to its prem-ises The most corrosive thing about the

DMCA is that the basic assumptions itmakes about people are dark and pes-simistic We need to question thoseassumptions and what flows from them

Someone asked for some insight intowhy the industry wouldnrsquot want thisresearch since it would allow them tobuild better protection schemes Feltenresponded that to us the question is isthis technology weak We didnrsquot make itweak and we think it should be fixedThe industryrsquos concern is not whetherthe technology is strong or weak somuch as whether people believe it isstrong or weak They think that if thepublic reaches a consensus that the tech-nology is strong that will be enoughMany of us find this hard to understand

[More information and photographscan be found at httpwwwusenixorgeventssec01indexhtml

CHANGES IN DEPLOYMENT OF

CRYPTOGRAPHY AND POSSIBLE CAUSES

Eric Murray SecureDesign

Summarized by Takeaki Chijiiwa

A survey of cryptography deploymentwas conducted last year (2000) by EricMurray and a similar survey was con-ducted in 2001 to measure changes inthe deployment of SSL (Secure SocketLayer) and TLS (Transport Layer Secu-rity) Web servers

The results of the 2000 survey showed10381 unique hostname and port num-ber combinations compared to 12630 in2001 Detailed results are available athttpwwwlnecomusenix01

There were several noteworthy changesbetween the results from the surveys in2000 and 2001

What got better

A 14 increase 5 decrease and8 decrease among servers catego-rized as Strong Medium and Weakrespectively

The number of servers supporting1024-bit key size increased by 10while a decrease of 8 was seen forsupport of less than 512-bit keysize

The protocol adoption saw a shiftfrom SSL v2 (3 decrease) towardTLS (5 increase)

What got worse

The number of expired certificatesincreased from 31 to 37

Self-signed certificates increasedfrom 08 to 20

The results presented raised many ques-tions from the audience

Question Why do you think there wasan increase in the number of self-signedcertificates

Answer This may be due to people play-ing around with OpenSSL or the surveymay have picked up servers used forinternal use Furthermore the increasein the number of expired certificatesmay have been a result of study errorandor the inclusion of abandoned Websites

Question Did you retest the serversfrom last yearrsquos survey

Answer No This was a new list andtherefore a completely new survey

Question Is the raw data available

Answer You can email ericmlnecomfor private requests

Question Which browsers do you usefor personal use

Answer Linux and Netscape

REVERSING THE PANOPTICON

Deborah Natsios cartomeorg JohnYoung cryptomeorg

Summarized by Mike Vernal

Deborah Natsios described the missionof cartomeorg and cryptomeorg as anattempt to reverse the one-way flow ofinformation controlled by the national

10 Vol 26 No 7 login

surveillance state Based upon theassumption that information is powerNatsios likened the work of cartomeorgand cryptomeorg to that of Ariadne inthe myth of Theseus and the MinotaurBy reversing the flow of informationcartomeorg and cryptomeorg hope toempower those who may be caught inthe labyrinth of the security state muchas Ariadne empowered Theseus with atrail of silk thread through the labyrinthof Crete

John Young continued by explainingthat cryptomeorg welcomed the sub-mission of proprietary or classified doc-uments and trade secrets from anynation or corporation Young describeda few such documents and the unfavor-able responses they had received TheBritish government objected to one doc-ument and attempted to have cryp-tomeorgrsquos Internet service provider shutthe site down Another documentprompted diplomatic requests from theJapanese government for its removal Allattempts to shut the site down have thusfar been rebuffed but Young imaginesthat someone will eventually be success-ful

Other information cryptomeorg hasreceived and published include proofsthat American corporations used USintelligence to stay ahead of foreigncompetitors the names of over 8000CIA informants and currently the pro-grams and keys associated with Russianprogrammer Dmitri Skylarovrsquos crack ofAdobersquos E-book system for which hewas arrested in July

An audience member asked what typesof material cryptomeorg would notpublish Young explained that cryp-tomeorg is open to any kind of publica-tion but they have refused to publishchild pornography documents andinformation related to biological war-fare They also feel that personal prerog-ative takes precedence over the publicrsquosright to know so they will remove per-

sonal information and documents ifrequested by the person in questionThey also reminded the audience thatthey do not verify the authenticity of theinformation they publish ndash they leavethat to the interested reader

Young repeatedly stressed what hebelieved to be the transitory nature ofcryptomeorg He assured the audiencethat at some point cryptomeorg willeither be silenced or it will simplymature away from the cutting edgeWhen that finally happens Young isconfident that someone else will emergeat the vanguard of the quest to reversethe Panopticon state

DESIGNS AGAINST TRAFFIC ANALYSIS

Paul Syverson US Naval ResearchLaboratory

Summarized by Yong Guan

Paul Syverson used a pseudonym ldquoPeterHoneymanrdquo on his talk a joke whichpervaded the rest of the conference

Although the encryption of networkpackets ensures privacy of the payload ina public network packet headers iden-tify recipients packet routes can betracked and volume and timing signa-tures are exposed Since encryption does not hide routing information pub-lic networks are vulnerable to trafficanalysis

Traffic analysis can reveal for examplewho is searching a public database whatWeb sites are surfed which agencies orcompanies are collaborating where youremail correspondents are what sup-pliesquantities you are ordering andfrom whom and so forth

Knowing traffic properties can help anadversary decide where to spendresources for decryption and penetra-tion Therefore it is important todevelop countermeasures to preventtraffic analysis

The security goal of traffic-analysis-resistant systems is to hide one or moreof the following

Sender activity that a site is sendinganything

Receiver activity that a site isreceiving anything

Sender content that a sender sentspecific content

Receiver content that a receiverreceived specific content

Source-destination linking that aparticular source is sending to aparticular destination

Channel linking identifying theendpoints of a channel

Some systems were described

Dining Cryptographers (DC) ndash net-works in which each participant sharessecret coin flips with other pairs andannounces the parity of the flips theparticipant has seen to all other partici-pants and the receiver

Chaum mixes ndash a network of mix nodesin which messages are wrapped in mul-tiple layers of public-key encryption bythe sender one for each node in a routeMost widely used anonymous commu-nication systems use the Chaum mixmethod

There are two kinds ofroutes for the messagesmix cascade where allmessages from anysource move through afixed-order ldquocascaderdquo ofmixes and randomroute where the routeof any message is

selected at random by the sender fromthe available mixes

Remailers mainly used for emailanonymity employ rerouting of anemail through a sequence of multiplemail remailers before the email reachesthe recipient so that the true origin ofthe email can be hidden

Anonymizer and SafeWeb provide fastanonymous interactive communicationservices They are essentially Web prox-


C

ON

FERE

NC

ERE

PORT

Sies that filter out the identifying headersand source addresses from Webbrowsersrsquo requests Instead of the userrsquostrue identity (eg IP address) a Webserver can only learn the identity of theWeb proxy Both offer encrypted links totheir proxy (SSL or SSH) Anonymizer isa single point of failure whereasSafeWeb is a double point of failureSafeWeb offers additional protectionfrom censorship

Crowds aims at protecting usersrsquo Web-browsing anonymity Like Onion Rout-ing the Crowds protocol uses a series ofcooperating proxies (called jondo) tomaintain anonymity within the groupUnlike Onion Routing the sender doesnot determine the whole path Insteadthe path is chosen randomly on a hop-by-hop basis At each hop a decision ismade whether to submit the requestdirectly to the end server or to forward itto another randomly chosen memberaccording to forwarding probability Theexpected path length is controlled by theforwarding probability Cycles areallowed on the path The receiver isknown to any intermediate node on theroute Once a path out of a crowd ischosen it is used for all the anonymouscommunication from the sender to thereceiver within a 24-hour periodCrowds does not have a single point offailure and is a more lightweight cryptothan mix-based systems HoweverCrowds has limitations all users mustrun Perl code users have to have long-running high-speed Internet connec-tions an entirely new network graph isneeded for a new or reconnecting Crowdmember connection anonymity isdependent on data anonymity andresponder protection is weak

Onion Routing provides anonymousInternet connection services The OnionRouting network operates on top ofexisting TCPIP networks such as theInternet It builds a rerouting pathwithin a network of onion routers

which in turn are similar to real-timeChaum mixes In Onion Routing thedata packet is broken into fixed-sizecells and each cell is encrypted multipletimes (once for each onion router on thepath) Thus a recursively layered datastructure called an onion is constructedAn onion is the packet transmitted alongthe rerouting path The fixed size of anonion limits a route to a maximum of 11nodes in the current implementationOnions can be tunneled to producearbitrary length routes

Onion Routing I (Proof-of-concept)uses a network of five Onion Routingnodes operating at the Naval ResearchLaboratory It forces a fixed length (fivehops ie five intermediate onionrouters) for all routes

Onion Routing II can support a networkof up to 50 core onion routers For eachrerouting path through an Onion Rout-ing network each hop is chosen at ran-dom The rerouting path may containcycles although only cycles with one ormore intermediate nodes are allowed

Freedom Network also aims at provid-ing anonymity for Web browsing Fromthe userrsquos point of view Freedom is verysimilar to Onion Routing Freedom con-sists of a set of nodes (called Anony-mous Internet Proxy) which run on topof the existing Internet infrastructureTo communicate with a Web server theuser first selects a series of nodes to forma rerouting path and then uses this pathto forward the requests to its destina-tion The Freedom Route Creation Pro-tocol allows the sender to randomlychoose the path but the path length isfixed to be three The Freedom client-user interface does not allow the user tospecify a path-containing cycle TheFreedom client must either have all theintermediate nodes in the path chosenor choose a preferred first node and lastnode and the intermediary nodes arepicked at random

Paul Syverson

For more information visit httpwwwonion-routernet andhttpwwwsyversonorg

Question Who manages the onionrouters Are they managed independ-ently

Answer Yes The onion routers can bedistributed anywhere and be managedby different groups

Question Do you believe that thelonger the path the safer the anony-mous communication system

Answer I am not sure

COUNTERING SYN FLOOD

DENIAL-OF-SERVICE (DOS) ATTACKS

Ross Oliver Tech Mavens

Summarized by David RichardLarochelle

SYN flood attacks are a nasty DoSattack The attacker sends a SYN packetbut does not complete the three-wayhandshake This is hard to defendagainst because SYN packets are part ofnormal traffic and unlike ping attacksyou canrsquot firewall them Since SYN pack-ets are small the attack can be done withlimited bandwidth Finally the attacksare difficult to trace because source IPaddresses can be faked Ross Oliverstressed that itrsquos up to you to defendyourself (law enforcement is unable todeal with attacks as they occur if theycan deal with them at all) and suggestedthat firewalls employing SYN flooddefenses are the best way of doing this

He reviewed four such products PIX byCisco Firewall-1 by CheckpointNetscreen 100 by Netscreen and App-Safe (previously called AppSwitch) byTopLayer To test these products heplaced a Web server behind the firewalland used a machine with a script whichcalled wget repeatedly to request Webpages to represent the legitimate clienttraffic An attacking machine threw SYNpackets with forged source addresses atthe Web server


The Cisco PIX used a threshold tech-nique which allowed a set number ofincomplete connections and droppedadditional SYN packets The testsshowed no significant improvementover no firewall The Firewall-1 faredslightly better It lets SYN packets reachthe Web server and then sends an ACKpacket to the Web server to complete thethree-way handshake Under a SYNflood attack the Web server will then

have a bunch of com-pleted connectionsinstead of half-openones Firewall-1 pro-tected up to 500 SYNsper second but withdegraded response timeThe Web server returned

to normal 3ndash10 minutes after the attackceased

Netscreen and AppSafe had the bestresults If these firewalls detect a SYNflood attack they proxy the incomingconnections and only send the Webserver the SYN and ACK packets if thehandshake is completed by the clientNetscreen detects SYN floods by lookingat the number of incomplete connec-tions It protected up to 14000 SYNssecwith acceptable response times and con-tinued to function at higher SYN ratesbut with increasing delays The serverresponded normally immediately afterthe attack

AppSafe used a more elaborateapproach It determined whether toproxy a connection request based on thesource IP address SYN packets from IPaddresses which had recently behavedlegitimately were let through to the Webserver immediately Only connectionsfrom previously unseen or malicious IPaddresses were proxied AppSafe waseffective up to 22000 SYNssec whichwas the most traffic that the attackingmachine could produce in this testHowever it was pointed out that in thetest the client machine used only one IP

This technique may not work as well in asituation in which there are new connec-tions from previously unseen clients

How much protection you need dependson what type of attack you expect Anattacker with a Cable or DSL connectioncan produce 200 SYNssec An attackerwith a T1 can produce 2343 SYNssecAccording to the paper ldquoInferring Inter-net Denial-of-Service Activityrdquo pre-sented the previous day 46 of DoSattacks involved more than 500SYNssec but only 24 were above14000 SYNssec This level can be han-dled with a single firewall Multiple ordistributed attacks may require multipleparallel firewalls Because of the widerange of performance between devicesOliver stressed the importance of testingand advised testing the devices yourselfif possible

REAL STATEFUL TCP PACKET FILTERING WITH

IP FILTER

Guido van Rooij Eindhoven Universityof Technology

Summarized by Evan Sarmiento

Old firewall implementations used to fil-ter TCP sessions using addresses andports only creating an interesting prob-lem The administrator would have toguess the source port of the packet inorder to filter it correctly In order tosolve this a new trend in firewalls is tointroduce stateful packet filtering State-ful packet filters remember and onlyallow through addresses and ports ofconnections that are currently set up

Even before Guido van Rooijrsquos work IPFilter did have stateful packet filteringbut it was implemented in the wrongway IP Filter does take sequence ACKand window values into account but itmakes the wrong assumption that pack-ets seen by the filter host will also beseen by the final destination Thisassumption caused IP Filter to droppackets in certain situations The newstate engine for IP Filter encompassesthe following goals

Ross Oliver

Conclusions made by the enginemust be provable

All kinds of TCP behavior must betaken into account

The number of blocked packetsmust be minimized

Blocking of packets must never leadto hanging connections

Opportunities for abuse should bemade as small as possible

The new state engine includes 20 bytesper state entry and about 40 lines of Ccode without loops thus the perfor-mance overhead is minimal

However even the new state engine isnot always successful even though it is agreat improvement Occasionallyblocked FIN and ACK packets causeproblems in the state timeout handlingfor TCP half-closed sessions IP Filterdrops packets coming from a few Win-dows NT workstations for a strange andas yet unknown reason

Guido then outlined some future addi-tions to IP Filter He would like to beable to fix fragment handling add sup-port for sessions entering the state tableafter establishment and check validity ofa session if a packet comes in from themiddle of the connection

REFEREED PAPERS

SESSION DENIAL OF SERVICE

Summarized by Stefan Kelm

USING CLIENT PUZZLES TO PROTECT TLS

Drew Dean Xerox PARC Adam Stub-blefield Rice University

Adam Stubblefield presented their workon a DoS protection technique namelythe use of client puzzles within the TLSprotocol Even though client puzzleshave been supposed to be a solution toDoS attacks Stubblefield pointed outthe lack of actual implementations Thechoice of TLS as the protocol to protectagainst DoS seems obvious but TLS issubject to DoS attacks because of thecomputing-expensive cryptographic


C

ON

FERE

NC

ERE

PORT

Soperations performed at both the clientand the server side A server howeverhas to perform the more expensive RSAdecrypt operations during the sessionhandshake thus any small number ofclients could easily overload a TLS serverby flooding the server with TLS hand-shake messages The goal of this work isto prevent this using cheap methods

The idea of TLS-based cryptographicpuzzles is to first let the client do thework and subsequently the server If theserver is under a heavy load it sends aso-called ldquopuzzle requestrdquo to the clientThe client in turn has to compute anumber of operations which it then usesto send a ldquopuzzle solutionrdquo back to theserver Thus the server will not need tocontinue the TLS handshake unless theclient has proven its intent to really opena TLS connection

Client puzzles are surprisingly easy toimplement on both the client and theserver side Stubblefield used modifiedOpenSSL and mod_ssl source code totest the implementation The implemen-tation uses a metric which tracks unfin-ished RSA decrypt requests in order todecide whether or not the server isassumed to be under attack Sinceadding more latency to the TLS protocolwas not a goal of this work the serveronly sends a puzzle request back to theclient if it really has to This is imple-mented by using variable thresholds

The author concluded that they are ableto protect against certain denial-of-ser-vice attacks at not much cost and with agood user experience Moreover theproposed solution can be implementedusing already existing code

For more information contact astubblericeedu

INFERRING INTERNET DENIAL-OF-SERVICE

ACTIVITY

David Moore CAIDA Geoffrey MVoelker and Stefan Savage Universityof California San Diego

This paper awarded the best paperaward tried to answer the question ofhow prevalent denial-of-service attacksin the Internet currently are Theauthors ran a test over a period of threeweeks trying to come up with an esti-mate of worldwide DoS activity

David Moore presented the so-calledldquobackscatter analysisrdquo as their key ideaand outlined the basic technique sinceattackers normally use spoofed source IPaddresses the ldquoreal ownersrdquo of those IPaddresses regularly receive responsepackets from the systems being attacked(Moore called these ldquounsolicitedresponsesrdquo) By monitoring these unso-licited responses one is able to detectdifferent kinds of DoS attacks Further-more by observing a huge number ofdifferent IP addresses over a longerperiod of time sampling the results canprovide an overview of attacks going on

Moore presented some interestingresults and displayed a number of fig-ures and tables showing the number ofattacks the attacks over time the attackcharacterization the attack duration dis-tribution and the attack rate distribu-tion Moorersquos team observed a numberof minor DoS attacks (described as ldquoper-sonal vendettasrdquo) as well as some victimsunder repeated attack Classifying thevictims by TLD showed countries likeRomania and Brazil being attacked farmore often than most other TLDs Thepresenterrsquos hypothesis was that eitherthose countries host ISPs that attackeach other or there simply are morehackers located in Romania and Brazil(this was later denied by someone in theaudience stating that Romania has reallynice people)

In conclusion the authors observedsome very large DoS attacks thoughmost attacks seem to be short in dura-tion Another result showed the majorityof attacks being TCP based To clarifythis technique is not good at distin-guishing between DoS and DDoS

attacks since it is not good at distin-guishing between attackers

During the QampA session one questionwas on why the analysis showed noattacks on the mil domain Theresponse given was that either mil is notunder attack (unlikely) or that backscat-ter packets are being filtered

For more information contactdmoorecaidaorg or see httpwwwcaidaorgoutreachpapersbackscatter

MULTOPS A DATA-STRUCTURE FOR

BANDWIDTH ATTACK DETECTION

Thomer M Gil Vrije UniversiteitMITMassimiliano Poletto MIT

Thomer Gil proposed a heuristic as wellas a new data structure to be used byrouters and similar network devices todetect (and possibly eliminate) denial-of-service attacks Most DoS attacksshow disproportional packet rates with ahuge number of packets being sent tothe victim and only very few packetsbeing sent by the victim in response Thenew data structure called MULTOPS(Multi-Level Tree for Online Packet Sta-tistics) monitors certain Internet trafficcharacteristics and is able to drop pack-ets based on either the source or the des-tination address

The main implementation challengeswith MULTOPS have been and still arethe precise identification of maliciousaddresses athe achievement of a smallmemory footprint and a low overheadon forwarding ldquorealrdquo traffic as opposedto DoS-based traffic MULTOPS isimplemented as a memory-efficient treeof nodes which contains packet-rate sta-tistics and which dynamically grows andshrinks with the traffic being observedAt the current implementation packetsare dropped based on either a variablepacket rate or a ratio Since it usually isimpossible to identify an attacker(because of IP spoofing) packets can bedropped based on the victimrsquos IP too


The authors succeeded in simplifyingmemory management and the mecha-nism that keeps track of packets Gilpointed out that their solution is suc-cessfully being used by a network com-pany They are currently trying to focuson the behavior of different TCP imple-mentations as well as protocols otherthan TCP

Someone brought up the question ofdifferentiating DoS traffic from trafficthat normally shows disproportionalpacket flows eg video traffic The replysuggested the possibility of buildingsome kind of knowledge base A livelydiscussion on random class A addresseswithin MULTOPS subsequently arosebut was taken offline

For more information contact thomerlcsmitedu

SESSION HARDWARE

Summarized by Anca Ivan

DATA REMANENCE IN SEMICONDUCTOR

DEVICES

Peter Gutmann IBM TJ WatsonResearch Center

Peter Gutmann explained the dangers ofdeleting data in semiconductors Every-one knows that deleting data from mag-netic media is very hard but not toomany realize that the same problemexists for semiconductors especiallysince there are so many ways of buildingsemiconductors each with its own set ofproblems and solutions After giving ashort background introduction in semi-conductors and circuits (n-type p-typeSRAM DRAM) Peter described some ofthe most important issues

Electromigration because of highcurrent densities metal atoms aremoved in the opposite direction ofthe normal current flow The conse-quence is that the operating proper-ties of the device are stronglyaltered

Hot carriers during operation thedevice heats up and its characteris-tics change considerably

Ionic contamination this is nolonger an issue and its effects are nolonger significant

Radiation-induced charging itfreezes the circuit into a certainstate

The first phenomenon enables attackersto recover partial information from spe-cial-purpose devices (eg cryptographicsmartcards) The next two can be usedto recover data deleted from memory Inorder to avoid long- and short-term dataretention from semiconductors (a DESkey was recovered in the lsquo80s)researchers developed a series of solu-tions that use various semiconductorforensic techniques including the fol-lowing two

Short-term retention probably thesafest way to defend against it is notto keep the same values in the samememory cells for too long (maxi-mum a few minutes)

Long-term retention in 1996 someresearchers proposed periodicallyflipping the stored bits In this wayno cell holds the same bit value forlong enough to ldquorememberrdquo it

In the end Peter talked about how allthe problems cited above extend to flashmemory For example random genera-tors can generate strings of 1s when thepool is empty or information can beleaked into adjacent cells into shared cir-cuitry

Even though the entire presentationscared at least one person in the audi-ence (guess who) Peter assured us thatreality is not that gloomy In fact theonly problem is the lack of a standardEvery time people decide to choose oneimplementation method they shouldalso choose which solutions are best forit Answering a question Peter told usthat personal computers are not affected

by those problems but that most special-ized devices like airplane black boxescan leak information if analyzed withvery sophisticated equipment But thenagain who has such equipment

STACKGHOST HARDWARE-FACILITATED

STACK PROTECTION

Mike Frantzen CERIAS Mike ShueyPurdue University

The authors presented a software solu-tion to the return-pointer hijackingproblem The most important step inthe function-call process is when thecaller saves the return pointer beforegiving the control to the called functionMany attacks are based on changing thispointer When the callee finishes thereturn pointer dictates which functiontakes control next StackGhost is a pieceof software that automatically and trans-parently saves the return pointer andreplaces it with another number Whenthe called function completes Stack-Ghost verifies the integrity of that num-ber (catching in this way possibleattacks) and reinstalls the correctpointer value

The security of StackGhost depends onhow it modifies the return pointer tocatch attacks the authors have tried sev-eral ways

Per kernel XOR with a 13-bit signedcookie the main problem is that anattacker can find out the cookie bystarting several arbitrary programs

Per process XOR with a 32-bitcookie this is safer than the previ-ous method but more expensive

Encryptdecrypt the return pointerthis method seems to be the mostexpensive

Return-address stack this methodreplaces the return pointer withanother number and saves thepointer into a return-address stackHowever this would impede otherapplications from running correctly


C

ON

FERE

NC

ERE

PORT

SAfter making performance measure-ments for all techniques the authorsnoticed that the chances of StackGhostnot catching an attack were 1 in 3 forXOR cookies and 1 in 232 for the return-address stack The conclusion was thatStackGhost was offering protectionagainst return-pointer overriding to allprocesses in the system (which might beseen as a disadvantage)

IMPROVING DES COPROCESSOR THROUGH-PUT FOR SHORT OPERATIONS

Mark Lindemann IBM TJ Watson

Research Center Sean W Smith

Dartmouth College

While the first two talks in this sessionwere at opposite poles (one deeply hard-ware and one purely software) the thirdone was somehow in the middle Thepresenter Sean Smith is one the fathersof the cryptographic card developed atIBM and presently working at Dart-mouth College Everything started in avery optimistic fashion with the usualintroduction we would have expectedfrom an IBM representative trying to sellus this device ldquoIt is secure it is fast it is reliablerdquo All the buzzwords werethere However with the next slide thischanged to ldquoIt is not as secure fast as we thoughtrdquo For example the specifi-cation promised the DES speed to be 20megabytessecond when in reality afriend obtained less than two kilobytessecond in a database application Wherewas the discrepancy coming from Themain intuition was that the specificationgives the performance for operations onmegabytes of input The real speed ismuch slower if the data is shipped to thecard in small chunks The differencebetween specs and reality was too bignot to be studied and Lindemanndecided to find out the reasons behindit First they built a model that simu-lates the database application and thentried to improve the speed by modifyingthe execution conditions in the follow-ing ways

Reducing card-host interactionldquofolklore in IBMrdquo taught them thatany card-host interaction consumestoo much time Thus they rewrotethe application to minimize thenumber of interactions The speedwent up to 18ndash23 kilobytessecondhowever it was still too far frommegabyte speed

Batching all operations into onechip operation chip resets were tooexpensive The speed became 360kilobytessecond

Batching into multiple chip opera-tions it reduced the number ofLayer 3 ndash Layer 2 switches Thespeed changed to 30ndash290kilobytessecond still not good

Reducing data transfers they did itby using an internal key-table andboosted the speed to 1400 kilo-bytessecond

Using memory-mapped IO thiseliminated the internal ISA bus bot-tleneck The speed went up to 2500kilobytessecond

Batching operation parametersinstead of sending them as separatepackets It increased the speed to5000 kilobytessecond This waseven more than they were expect-ing but the results were incorrectThe client had asked for speed buthadnrsquot mentioned anything aboutcorrectness So was the problemsolved

Not using memory-mapped IO toincrease accuracy they gave up onmemory-mapped IO for initializa-tion vectors and count Unfortu-nately there was a smallperformance cost the speed wasnow 3000 kilobytessecond

From the clientrsquos point of view all ofthese steps showed them that the onlyway to maximize the performance whileusing the secure coprocessor was todesign DES-batched API From thedesignerrsquos point of view the conclusions

were simpler always distrust folkloreand think if and how people will useyour product before designing it

SESSION FIREWALLSINTRUSION

DETECTION

Summarized by Stefan Kelm and YongGuan

ARCHITECTING THE LUMETA FIREWALL

ANALYZER

Avishai Wool Lumeta

ldquoWhat is your firewall doingrdquo AvishaiWool asked the audience at the begin-ning of his presentation therebydescribing the motivation to build LFAthe ldquoLumeta Firewall Analyzerrdquo

Firewalls have been installed by almostall companies connected to the InternetHowever the underlying policy often isfar from being good enough to actuallyprotect the company from outsideattackers Network administrators oftendo not know how to set up a firewallsecurely much less how to test or auditthe firewall configuration Wool pointedout that LFA is the successor of the Fangprototype system built at Bell Labs as afirewall analysis engine

The key idea is not to probe the actualfirewall in any way but to allow testingof the configuration before the firewallis deployed The firewallrsquos routing tableand configuration files are used as inputto the LFA which parses these files andsimulates the behavior of any possiblepacket flow combination (LFA mainlyoffers support for Firewall-1 and PIX)The results are presented to the user asHTML pages

Wool concluded by giving a shortdemonstration As input to the LFA heused a short Firewall-1 policy whichcontained only six rules and explainedwhy even such a short rule set mightlead to problems once the firewall isdeployed During the QampA session heemphasized that the LFA only checkspacket headers not the content and


cannot therefore detect tunneling prob-lems

For more information contactyashacmorg or visit httpwwwlumetacomfirewallhtml

TRANSIENT ADDRESSING FOR RELATED

PROCESSES IMPROVED FIREWALLING BY

USING IPV6 AND MULTIPLE ADDRESSES PER

HOST

Peter M Gleitz and Steven M BellovinATampT Labs-Research

The authors proposed a method to sim-plify firewall decisions By using thelarge address space brought by IPv6they employed a strategy of multiplenetwork addresses per host That is foreach request on the client host an IPv6address is tied to the client process Thefirewall now makes access decisionsbased on transport layer protocol infor-mation (ie filtering is shifted fromports to addresses) Once approved thefirewall allows all traffic between the twopeers to pass to and fro Once the serviceis finished the IPv6 address is discardedThis method is called TARP (transientaddressing for related processes) TARPemploys two different types ofaddresses (fixed) server addresses andprocess group addresses

Gleitz discussed how TARP works withTCP and UDP applications and with thefirewall router domain name serverand IPSEC Employing TARP does notnecessarily affect the routers thoughTARP-aware routers can perform betterMoreover Gleitz pointed out that nomodifications to standard applicationssuch as Telnet SSH FTP Sendmail orTFTP are necessary in order to useTARP He also mentioned briefly someinterop problems with protocols such asDNS and ICMPv6

For more information contactpmgleitnetscapenet

NETWORK INTRUSION DETECTION EVASIONTRAFFIC NORMALIZATION AND END-TO-END

PROTOCOL SEMANTICS

Mark Handley and Vern Paxson ACIRIChristian Kreibich Technische Univer-sitaumlt Muumlnchen

This paper focused on the problem ofnetwork intrusion detection system(NIDS) evasion Attackers usually canfool any NIDS by exploiting certainambiguities in the packet flow beingmonitored by the NIDS ie (1) theNIDS may lack complete analysis of thepacket flow (eg no TCP stream re-assembly) (2) the NIDS may lack end-system knowledge (eg certainapplication vulnerabilities) and (3) theNIDS may lack network knowledge(eg the topology between the NIDSand an end system)

As a solution Paxson proposed thedeployment of a ldquonormalizerrdquo the goalof which would be to observe all packetsbeing sent between two network nodes(he called that a ldquobump-in-the-wirerdquo)and to modify (ldquonormalizerdquo) packetsthat seem to be ambiguous for one rea-son or another As an example theauthor described problems with twooverlapping fragments the normalizerwould re-assemble (and re-fragment ifnecessary) those packets before forward-ing Since re-assembly is a valid opera-tion the normalizer would in thisexample have no impact on the seman-tics at all

Paxson also pointed out some of theproblems with this approach one ofwhich is the ldquocold startrdquo problem(re-)starting the normalizer will showmany valid connections already estab-lished It is difficult to handle those con-nections accordingly (this is also true forthe NIDS itself) The normalizer hasbeen implemented and will be availableat wwwsourceforgenet soon

In the QampA session Steven Bellovinwanted to know whether normalization

would not be needed at the applicationlayer as well The presenter answered inthe affirmative

For more information contactvernaciriorg

SESSION OPERATING SYSTEMS


SECURITY ANALYSIS OF THE PALM OPERATING

SYSTEM AND ITS WEAKNESSES AGAINST

MALICIOUS CODE THREATS

Kingpin and Mudge stake Inc

Kingpin and Mudge began their presen-tation with a bold fashion statementappearing in matching white bathrobesTheir bathrobes aimed to underscore thefact that PDAs can undermine user pri-vacy in a public setting Their effortswere later rewarded with the covetedUSENIX Style Award presented by thereal Peter Honeyman of the Universityof Michigan

The presentation centered on the secu-rity threat posed by the recent ubiquityof Personal Digital Assistants (PDAs)and more specifically devices runningthe Palm Operating System Palmdevices increasingly are being used insecurity-sensitive settings such as hospi-tals and government agencies While thegovernment is now aware of the securitythreat posed by PDAs the corporateworld has remained generally oblivious


C

ON

FERE

NC

ERE

PORT

SThe security threat of the Palm stemsfrom the PalmOSrsquos lack of a well-definedsecurity framework Specific weaknessesenumerated include the direct address-ability of hardware the lack of memoryencryption the lack of ACLs weakobfuscation of passwords and a back-door debug mode that allows for thebypassing of ldquosystem lockoutrdquo Becauseof these and other weaknesses the audi-ence agreed with the assertion thatdeveloping a secure application on topof the PalmOS would be impossible

The presentation suggested thatunscrupulous users could exploit anumber of weaknesses to install mali-cious code including normal applica-tion installation desktop conduitscreator ID replacement wireless com-munications and the Palm DebuggerAnother threat raised by Kingpin andMudge was the possibility of a new set ofcross-pollinating viruses which could beacquired via a Palm and propagatethemselves to desktop computers via theHotSync operation or vice versa

With the growing popularity of PDAsKingpin and Mudge invoked OccamrsquosRazor all other factors being equal thePDA may be the malicious userrsquos easiestpoint of entry into an information net-work The upcoming PalmOS 40reportedly fixes some of the securityconcerns raised In the interim usersshould be made aware of the possiblesecurity threats and restrict or eliminatetheir use of sensitive data and applica-tions on Palm devices

SECURE DATA DELETION FOR LINUX

FILE SYSTEMS

Steven Bauer and Nissanka B Priyan-tha MIT

Steven Bauer presented an implementa-tion of a kernel-level secure data-dele-tion (SDD) mechanism for the ext2 filesystem

Bauer suggested that with the increasingprevalence of public kiosks thin clientsmulti-user computing clusters and dis-tributed file systems users will want toensure that when their data is deletedfrom these systems it is truly and irre-trievably deleted

In 1996 Peter Gutmann of IBM demon-strated that data that had been overwrit-ten on a magnetic disk could berecovered using advanced probing tech-niques While popular lore has suggestedcertain government agencies may beable to recover data overwritten dozensof times no commercial data recoverycompany contacted in conjunction withBauerrsquos research believed that it couldrecover data that had been overwrittenmore than once As such the SDD sys-tem as described probably only needs tooverwrite data a few times

This SDD system was designed to ensurethat all flagged data is deleted even inthe event of system failure The deletionprocess was designed as an asynchro-nous daemon to ensure that it did notinterfere with normal operation andperformance Though implemented forthe ext2 file system Bauer asserts thatthis system should be portable to anyblock-oriented file system

The ext2 implementation used theunused secure-deletion flag settablewith the chattr() function With thismechanism the granularity with whichsecure deletion can be specified rangesfrom an entire device to an individualfile Questions were raised as to the vul-nerability of temporary files that are notflagged in a secure deletion zone Bauerrecommended that for maximum secu-rity the entire device should be flaggedfor secure deletion

Kingpin and Mudge

SESSION MANAGING CODE

Summarized by Sameh Elnikety

STATICALLY DETECTING LIKELY BUFFER

OVERFLOW VULNERABILITIES

David Larochelle and David Evans Uni-versity of Virginia

Buffer overflow attacks account forapproximately half of all security vul-nerabilities Programs written in C areparticularly susceptible to buffer over-flow attacks because C allows directpointer manipulations without anybounds checking

Run-time approaches to mitigate therisks of buffer overflow incur perfor-mance penalties and they turn bufferoverflow attacks into denial-of-serviceattacks by terminating execution of theattacked processes Static checking over-comes these problems by detecting likelyvulnerabilities before deployment

The authors developed a practical light-weight static analysis tool based onLCLint to detect a high percentage oflikely buffer overflow vulnerabilities

The tool exploits semantic comments(annotations) that describe programmerassumptions and intents These annota-tions are treated as regular C commentsby the compiler but are recognized assyntactic entities by LCLint The annota-tions represent preconditions and post-conditions for functions to determinehow much memory has been allocatedfor buffers LCLint uses traditional com-piler data flow analyses with constraintgeneration and resolution Also LCLintuses loop heuristics to efficiently analyzemany loop idioms in typical C pro-grams

The authors used the tool to analyze wu-ftpd which is a popular open sourceFTP server and part of BIND which is aset of domain-name tools and librariesthat is considered the reference imple-mentation of DNS Running LCLint issimilar to running a compiler For wu-


ftpd it took less than one minute forLCLint to analyze all 17000 lines ofunmodified wu-ftpd source code Thisresulted in 243 warnings that showedknown and unknown buffer overflowvulnerabilities

LCLint source code and binaries areavailable from httplclintcsvirginiaedu

FORMATGUARD AUTOMATIC PROTECTION

FROM PRINTF FORMAT STRING

VULNERABILITIES

Crispin Cowan Matt Barringer SteveBeattie Greg Kroah-Hartman WireXCommunications Inc Mike FrantzenPurdue University and Jamie LokierCERN

In June 2000 a major new class of vul-nerabilities called format bugs was dis-covered when a vulnerability inWU-FTP appeared that looked almostlike a buffer overflow but was not It isunsafe to allow potentially hostile inputto be passed directly as the format stringfor calls to printf-like functions Thedanger is that the inclusion of direc-tives especially n in the format stringcoupled with the lack of any effectivetype or argument counting in Crsquosvarargs facility allows the attacker toinduce unexpected behavior in pro-grams

The authors developed FormatGuard asmall patch to glibc It provides generalprotection against format bugs usingparticular properties of the GNU CPPmacro-handling mechanism to extractthe count of actual arguments to printfstatements This is then passed to a safeprintf wrapper The wrapper parses theformat string to determine how manyarguments to expect and if the formatstring calls for more arguments than theactual number of arguments it raises anintrusion alert and kills the process

FormatGuard fails to protect against for-mat bugs under several circumstancesFor example if the program uses a func-

tion pointer that has the address ofprintf then it evades the macro expan-sion

FormatGuard is incorporated in WireXrsquosImmunix Linux distribution and serverproducts It is available as a GPLrsquod patchto glibc at httpimmunixorg

DETECTING FORMAT STRING VULNERABILITIES

WITH TYPE QUALIFIERS

Umesh Shankar Kunal Talwar Jeffrey SFoster and David Wagner Universityof California Berkeley

Systems written in C are difficult tosecure given Crsquos tendency to sacrificesafety for efficiency Format string vul-nerabilities can occur when user input isused as a format specifier One of themost common cases is when the pro-gram uses printf with one argument auser-supplied string assuming that thestring does not contain any directiveThe authors presented a tool (cqual)that automatically detects format stringbugs at compile time using type-theo-retic analysis techniques With this staticanalysis vulnerabilities can be proac-tively identified and fixed before thecode is deployed

Cqual builds an annotated Abstract Syn-tax Tree (AST) Then it traverses theAST to generate a system of type con-straints which is solved online Warn-ings are produced whenever aninconsistent constraint is generatedCqual presents the results of taintinganalysis to the programmer using Pro-gram Analysis Mode for Emacs (PAM)PAM is a GUI that is designed to addhyperlinks and color mark-ups to thepreprocessed text of the program Theinterface shows the taint flow path tohelp programmers determine how avariable becomes tainted

The configuration files makes cqualusable without modifying the sourcecode The authors analyzed four secu-rity-sensitive benchmark programs withthe same standard prelude file and no

direct changes to the applicationsrsquosource code Typically a few application-specific entries were added to the prel-ude file to improve accuracy in thepresence of wrappers around libraryfunctions Cqual reliably finds all knownbugs for the benchmark programs Italso reports few false positives Cqual isfast it usually takes less than a minute

Cqual is available at httpbanecsberkeleyeducqual

SESSION AUTHORIZATION


CAPABILITY FILE NAMES SEPARATING

AUTHORIZATION FROM USER MANAGEMENT

IN AN INTERNET FILE SYSTEM

Jude T Regan consultant Christian DJensen Trinity College

On the Internet there is no reliable wayto establish an identity Flexible user-user collaboration outside of an admin-istered system so that people couldcreate ad hoc work groups and removearbitrary limitations to informationsharing is the authorsrsquo goal

Such a system should be globally accessi-ble easy to use and require as littleintervention by system administrators aspossible This system should integratewith existing systems and applications Itshould have fine granularity so thatusers would not have to use complicatedexport mechanisms to share files

The authors used the concept of a capa-bility a token conveying specified accessrights to a named object in order tomake the identity of the object and theaccess rights inseparable They embed-ded the capability in something everysystem knows ndash the file name

The authors concluded that the systemwas safe from interception and modifi-cation Attackers could forge the clientpart but not the server part of the filenames Service could be interrupted butprotecting against this is impossible


C

ON

FERE

NC

ERE

PORT

Swithout complete control of the net-work Performance was evaluated incomparison to NFS Most of the over-head was in the open statement Readswere slightly slower and writes weremuch slower but they felt this could bealleviated by implementing symmetricwrites

KERBERIZED CREDENTIAL TRANSLATION ASOLUTION TO WEB ACCESS CONTROL

Olga Kornievskaia Peter HoneymanBill Doster and Kevin Coffman CITIUniversity of Michigan

There are two different authenticationmechanisms those used for servicessuch as login AFS and mail for whichKerberos is popular and public key-based mechanisms such as SSL which isused to establish secure connections onthe Web These systems need to be ableto work together to satisfy a request

The authors propose to achieve the bestof both worlds by leveraging Kerberos tosolve PKI key management This will useexisting infrastructures which allowstrong authentication on the Web withSSL and which provide access to Kerber-ized back-end services They propose asystem to provide interoperabilitybetween PKI and Kerberos Their systemconsists of (1) a Certificate Authority(CA) KX509 which creates short-livedcertificates (2) a Web server which actslike a proxy for users by requesting serv-ices from Kerberized back-end servicesand (3) a Kerberized Credential Transla-tor which translates public-key creden-tials to Kerberos They created aprototype of their system called WebAFSusing AFS as an example Kerberized ser-vice

DOS AND DONrsquoTS OF CLIENT AUTHENTICA-TION ON THE WEB

Kevin Fu Emil Sit Kendra Smith and

Nick Feamster MIT

[This paper received the Best StudentPaper Award]

Kevin gave a very amusing presentationwhich illustrated the gap between secu-rity theory and practice He described avariety of Web sites that used insecureclient authentication schemes and pre-sented hints on how to avoid their mis-takes

Client authentication seems like a solvedproblem but many sites continue tocome up with homebrew schemes whichjust donrsquot quite get it right Out of the 27Web sites the cookie eaters group exam-ined they weakened the security on twosites were able to mint authenticatorson eight and on one site were able toobtain the secret key Some of these siteswere high profile such as the Wall StreetJournal (wsjcom) Sprint PCS (sprint-pcscom) and FatBrain (fatbraincom)

In most cases the mistakes made inthese sites were simple By simply look-ing at their cookie files the authors couldquery Web servers and look at headersresponses and create sample authentica-

tors Except forSprint theseattacks involved noeavesdropping atall The schemeswere not evenstrong against whatthe authors termedthe ldquointerrogativeadversaryrdquo Thisadversary has nospecial access but it

adaptively queries a Web server a rea-sonable number of times It just sitsthere and connects to port 80 it cannotdefeat SSL client authentication HTTPbasic or digest authentication The bestsuch an adversary can do against a pass-

Kevin Fu

word sent in the clear is a dictionaryattack However some homebrew cookieschemes are vulnerable

In the case of the Wall Street Journal asite with half a million paid subscriberswho can track their stocks and buy arti-cles the authors found that the makersof the site had misused cryptographyand created an authenticator weakerthan a plaintext password

Some hints provided for client authenti-cation were limit the lifetime of authen-ticators since browsers cannot be trustedto expire cookies expiration dates mustbe cryptographically signed (this wasanother problem with WSJ) Authentica-tors should be unforgeable and cookiesshould not be modifiable by the userThere should be no bypassing of pass-word authentication Digital signaturesare great but you should not allow thethings you sign to be ambiguous Forexample the concatenation of ldquoAlice 21-Aprrdquo and ldquoAlice2 1-Aprrdquo is the sameDelimiters can help solve this problemHe presented a simple scheme for build-ing an authenticator which would workagainst the interrogative adversary

In summary there are many brokenschemes out there even in popular Websites There are even more juicy detailsin the authorsrsquo technical report Cookieschemes are limited live with it or moveon You can join the authors by donatingyour cookies for analysis at httpcookieslcsmitedu

SESSION KEY MANAGEMENT


SC-CFS SMARTCARD SECURED

CRYPTOGRAPHIC FILE SYSTEM

Naomaru Itoi CITI University of Michigan

Storing information securely is one ofthe most important applications ofcomputer systems Secure storage pro-tects the secrecy authenticity andintegrity of the information SC-CFS


implements a secure file system and isbased on Matt Blazersquos CryptographicFile System for UNIX (CFS) SC-CFSuses a smartcard to generate a key foreach file rather than for each directoryThe per-file key encryption counters thepassword-guessing attack and minimizesboth the damage caused by physicalattack compromised media and bugexploitation

When an encrypted file is updated anew key is generated for that file and thefile is re-encrypted for increased secu-rity SC-CFS employs the same authenti-cation mechanism as CFS using anencrypted signature containing both arandom number and a predefinedsequence A signature is stored in eachdirectory When a user starts to access adirectory SC-CFS gets the user key anddecrypts the signature to recover thepredefined sequence If the sequence isnot recovered SC-CFS denies the useraccess to the directory

SC-CFS is more secure than CFSbecause the master key is a randomnumber instead of a password This pre-vents dictionary attacks Also the usermaster key is not exposed to the hostand a stolen file key would reveal onlyone file and then only until that file isupdated and consequently re-encryptedwith a new file key

The author implemented SC-CFS as anextension to CFS then evaluated theperformance of SC-CFS in comparisonwith CFS and a local Linux file system(ext2) using the Andrew Benchmarktest The results show that the perfor-mance of the system is not yet satisfac-tory because smartcard access is thebottleneck of SC-CFS SC-CFS works asefficiently as ext2 and CFS when it doesnot access a smartcard However SC-CFS is significantly slower than CFSwhen it accesses a smartcard because the smartcard generates a key in 031seconds

SECURE DISTRIBUTION OF EVENTS IN

CONTENT-BASED PUBLISH SUBSCRIBE

SYSTEMS

Lukasz Opyrchal and Atul Prakash University of Michigan

Some Internet applications such aswireless delivery services and inter-enterprise supply-chain managementapplications require high scalability aswell as strict security guarantees Thecontent-based publish subscribe para-digm is one of the messaging technolo-gies that facilitate building more scalableand flexible distributed systems In thepublish subscribe model publisherspublish messages and send them to sub-scribers via brokers Each broker man-ages a large number of subscribers Thebroker encrypts every message andbroadcasts it to subscribers The brokerneeds to guarantee the confidentiality ofthe messages so that only a specificgroup of subscribers can read the mes-sage

Each subscriber has an individual sym-metric pair key shared only with its bro-ker A naiumlve way to achieve this secureend-point delivery is for the broker toencrypt each message with a new keyThen the broker sends the new keysecurely to each subscriber in the targetgroup by encrypting the new key withthe symmetric key shared between thebroker and the subscriber The numberof encryptions limits the brokerthroughput and system scalability Forthe naiumlve approach the number ofencryptions is the same as the groupsize

The authors presented four cachingstrategies to reduce the number ofrequired encryptions Simple cacheassumes that many messages will go tothe same subset of subscribers Simplecache creates a separate key for eachgroup and caches it Build-up cache isbased on the observation that manygroups are subsets of other largergroups Build-up cache uses a heuristic

to select some groups to cover the targetgroup Clustered cache uses a muchsmaller cache size by dividing the sub-scribers into clusters Then it uses thesimple-cache method to send a messageto the target subgroup in each clusterClustered-popular cache maintains botha simple cache and a clustered cacheWhen a new message arrives clustered-popular cache searches for the targetgroup in the simple cache If the groupis not found it uses the clustered cacheto send the message to the appropriatesubgroup in each cluster

The authors analyzed the four cachingstrategies to find the average number ofrequired encryptions and ran a numberof simulations to confirm the theoreticalresults They found that clustering thesubscribers can substantially reduce thenumber of encryptions which can befurther reduced by adding a simplecache to clustered cache Build-up cachehowever has little effect on the numberof required encryptions

A METHOD FOR FAST REVOCATION OF

PUBLIC KEY CERTIFICATES AND SECURITY

CAPABILITIES

Dan Boneh Stanford University XuhuaDing and Gene Tsudik University ofCalifornia Irvine Chi Ming WongStanford University

The authors presented a new approachto fast certificate revocation using anonline semi-trusted mediator (SEM)Suppose an organization has a PublicKey Infrastructure that allows users toencrypt and decrypt messages and todigitally sign the messages If an adver-sary compromises the private key of auser then the organization needs toimmediately prevent the adversary fromsigning or decrypting any message

The overall architecture of the system ismade up of three components First thecentral Certificate Authority (CA) gen-erates a public key and a private key foreach user The private key consists oftwo parts The CA gives the first part


C

ON

FERE

NC

ERE

PORT

Sonly to the user and the other part onlyto the SEM Second the SEM respondsto user requests with short tokens Thetokens reveal no information to otherusers Third the user contacts the SEMin case he wants to generate a digital sig-nature or to decrypt a message The sys-tem uses the MRSA encryptiontechnique which is similar to RSA in away that is transparent to peer usersThe encryption process is identical tostandard RSA For the decryptionprocess the SEM does part of thedecryption and the user does theremaining part Both the SEM and theuser must perform their share to decrypta message Digital signatures are gener-ated in a similar way to performingdecryption

The authors implemented the systemusing OpenSSL and provided a client

API and server daemonsThe performance meas-urements showed thatsignature and encryptiontimes are essentiallyunchanged from theuserrsquos perspective Theauthors also imple-

mented a plug-in for Eudora thatenables users to sign their emails usingthe SEM This approach achieves imme-diate revocation of public key certifi-cates and security capabilities formedium-size organizations rather thanthe global Internet

The implementation of the system isavailable athttpsconceicsuciedusucses

The SEM Eudora plug-in is available athttpcryptostanfordedusemmail

SESSION MATH ATTACKS

Summarized by Kevin Fu

PDM A NEW STRONG PASSWORD-BASED

PROTOCOL

Charlie Kaufman Iris Associates RadiaPerlman Sun Microsystems Laboratories

A bright and cheery Radia Perlmantalked about Password-Derived Moduli(PDM) a protocol useful for bothmutual authentication and securelydownloading credentials PDMrsquos notablefeatures and improvements over existingprotocols include unencumberance bypatents better overall server perfor-mance and better performance whennot storing password-equivalent data onthe server

Despite the promise of smartcards pass-words are still important for authentica-tion Demonstrating this importancePerlman cited her own habit of misplac-ing any hardware token given to herHowever she can remember a password

PDM deterministically generates aprime from a userrsquos password and saltsuch as the username To generate aprime the user Alice fills out chunks ofthe right size with the hash of (ldquoAlicerdquopassword constant) PDM then searchesfor a safe ldquoSophie Germainrdquo prime (p) Aprime is Sophie Germain if (p-1)2 isalso a prime PDM then uses this primeas the modulus in Diffie-Hellmanexchanges

PDM is potentially fast on a server andtolerably slow on a client Although 512-bit Diffie-Hellman moduli are withinthe realm of breakability a dictionaryattack against PDM requires a Diffie-Hellman exponentiation per passwordguess This places a lot of computationalburden on an adversary Using 512-bitmoduli instead of 1024-bit moduliimproves performance on the server by afactor of six

PDM strives not to leak information andavoids timing attacks by properly order-

Gene Tsudik

ing cryptographic operations PDM canalso avoid storing password-equivalentdata on the server If the server is com-promised the userrsquos password canremain safe Other protocols avoid pass-word equivalence by having extra Diffie-Hellman exchanges

Deriving a 512-bit prime from a pass-word is computationally expensiveTen seconds on a reasonably modernmachine is not uncommon Howeverthere are simple improvements Perl-manrsquos son improved the client perfor-mance by a factor of three by using asieve instead of division If a user pro-vides a hint in addition to the passwordthe generation of the prime can finish ina fraction of a second The hint could be the first few bits of the prime easilyencoded as a single character to remem-ber

Then came questions Asked about thedistribution of primes derived frompasswords Perlman answered that theprimes are uniformly distributed in therange of possible primes For all possiblepasswords this is uniformly distributed

Asked why PDM depends on a strongSophie Germain prime Radia explainedthat the base 2 is then guaranteed to be agenerator if the prime is also congruentto 3 mod 8 If 2 were not a generatorthen 2 would generate a smaller sub-group ndash reducing security

DETECTING STEGANOGRAPHIC CONTENT ON

THE INTERNET

Niels Provos CITI University of Michigan

Because Slashdot had just discussed aldquotheoreticalrdquo system to detect stegano-graphic content on the Internet Nielsdecided it was time to discuss a systemalready doing this Instead of talkingabout methods to defend against statisti-cal steganalysis Niels talked about hissoftware to find hidden messages inJPEG files


The popular press claims that terroristslike Osama bin Laden use steganogra-phy Of course this is totally unsubstan-tiated Hence Niels sought answers tothree questions

How to automatically detectsteganographic content

How to find a source of images withpotentially steganographic content

How to determine whether animage contains hidden content

Steganography is the art and science ofhiding the fact that communication ishappening In modern steganographyone should only be able to detect thepresence of hidden information byknowing a secret key The goal of anadversary is to detect steganography not

necessarily to recoverthe message One mustselect a cover medium toembed a hidden mes-sage Bits are changed toembed a message Theoriginal cover mediumis then destroyed

There are many systems to hide mes-sages in images JSteg JPHide and NielsrsquoOutguess All of these systems cause dif-ferent distortions in images Niels wrotethe ldquostegdetectrdquo program to detectimages modified by JSteg JPHide andOutguess The program gives a notion ofhow likely it is that an image containshidden content

On a 1200MHz Pentium III stegbreakprocesses 15000 wordssec for JPHide47000 wordssec for Outguess and112000 wordssec for JSteg Because asingle fast machine can only process somuch Niels wrote the ldquodisconcertrdquo pro-gram to mount a distributed dictionaryattack

Niels has sorted through over 2 millionJPEG images from eBay Although17000 images came up positive no gen-uine steganography was found There is

as yet no final conclusion on whetherthe underworld uses steganography inthis way The popular press will have tocontinue with unsubstantiated claims

Asked if one can determine the qualitymetric used to create a JPEG Niels saidthis is possible but will not revealwhether there is steganographic contentbecause modifications of DCT coeffi-cients do not modify quality of imagesmuch

Another person asked for advice on howto hide messages while minimizing dis-tortion Niels explained that hiding justone bit is easy Otherwise it is importantto realign the statistical properties of theimage after embedding a message

One audience member suggested thatterrorists might use homebrew stegano-graphic software In such a case will thesame statistical tests help detect hiddenmessages Niels said that with certaingeneric assumptions maybe One wouldneed to know the statistical signaturecommon to the software

Another audience member asked if Nielshas searched for JPEGs on sites otherthan eBay Niels responded that he hasonly considered eBay because the popu-lar press mentioned auctions as the per-fect venue So far the press seems to befantasizing

Finally a participant asked if the num-ber of false positives fit any hypothesisNiels answered no The images vary inquality and size So from the beginningmany images are mischaracterized bythe statistical tests Niels did run hissoftware against a test set though It cor-rectly detected the hidden messages

For more information see httpwwwcitiumicheduuprovos orhttpwwwoutguessorg

Niels Provos

TIMING ANALYSIS OF KEYSTROKES AND

TIMING ATTACKS ON SSH

Dawn Xiaodong Song David Wagnerand Xuqing Tian University of California Berkeley

Dawn Song explained how two trafficanalysis vulnerabilities in the SSH proto-col can leak damaging amounts of infor-mation By eavesdropping on an SSHsession Song demonstrated the ease ofrecovering confidential data such as rootpasswords typed over an SSH connec-tion Songrsquos group then built the Herbi-vore attacker system which tries to learnusersrsquo passwords by monitoring SSH ses-sions Herbivore can speed up bruteforce password searches by a factor of50

The SSH protocol has largely replacedinsecure Telnet Ideally SSH shouldwithstand attacks by eavesdroppersAlas SSH leaks information about theapproximate length of data Moreovereach key press generates a separatepacket The length can indicate when auser is about to enter a password duringan established SSH session By watchingthe inter-keystroke events an eavesdrop-per can make educated guesses aboutpasswords and other confidential infor-mation

The most startling example is that of thesu command typed over an SSH sessionwhich results in a very recognizable traf-fic signature Simply by looking at thelengths of requests and responses aneavesdropper can detect the transmis-sion of a password Song noted that sudisables echo mode The resulting asym-metric traffic indicates that a passwordwill follow

Once an eavesdropper knows that asequence of packets corresponds to apassword the inter-keystroke timingscan reveal characteristics of the pass-word Herbivore looks at the frequencydistribution of a given character pairFor instance one may type vo with alter-nating hands while typing vb with the


C

ON

FERE

NC

ERE

PORT

Ssame hand The latency between eachkeypress is distinguishing For randomlychosen passwords inter-keystroke tim-ings leak about 12 bits per character

One countermeasure against this attackwould be to hide inter-keystroke timingsby using a constant packet rate in activetraffic

Next a slew of people raced to themicrophone One person asked whethertaking many samples of a single userwould reduce the password search spaceeven more Song responded that thistechnique has diminishing returns

Asked about the effect this work has onpasswords typed over a wireless net-work Song reported that her group didnot test real usersrsquo passwords Each testsubject used an assigned password Allthe test subjects were touch typists

When one audience member asked whynot set TCPNODELAY right before typ-ing passwords another audience mem-ber said that is already the case

Song also explained that randomlyinserting a delay in traffic will not helpmuch An eavesdropper can obtain yourtyping of passwords many times to filterout the randomization

WORKS IN PROGRESS

Summarized by Sam Weiler and DavidRichard Larochelle

USING THE FLUHRER MANTIN AND SHAMIR

ATTACK TO BREAK WEP

Adam Stubblefield Rice UniversityJohn Ioannidis and Avi Rubin ATampTResearch

The authors implemented a recentlypublished attack against WEP the link-layer security protocol for 80211 net-works Exploiting WEPrsquos improper useof RC4 initialization vectors they recov-ered a 128-bit key from a productionnetwork using a passive attack Forassorted legal and moral reasons theyrsquorenot planning to release the code butothers are developing similar tools

For more information visithttpwwwcsriceedu~astubblewep

SRMAIL ndash THE SECURE REMAILER

Cory Cohen CERT

SRMail allows groups of people whomay not share common crypto methodsto communicate It can generateencrypted form letters and convertbetween encryption formats when usedas a remailer SRMail will be used atCERT to allow several people to mas-querade as CERT and generate docu-ments signed with CERTrsquos keys withoutrequiring them to have direct access tothose keys

VOMIT ndash VOICE OVER MISCONFIGURED

INTERNET TELEPHONES


Vomit converts a Cisco IP phone conver-sation into a wave file allowing users toplay a call directly from the network orfrom a tcpdump output file Vomit canalso insert wave files into ongoing tele-phone conversations Provos suggestedthat Vomit can be used as a networkdebugging tool a speaker phone and soon

For more information visithttpwwwmonkeyorg~provosvomit

VILLAIN-TO-VICTIM (V2V) PROTOCOLS ANEW THREAT

Matthias Bauer Institut fuumlr Informatik

Bauer amused us with several ways totransport or temporarily store data oncorrectly configured machines withoutthe consent of the owner (ie in Webguest books in ICMP-echo-requestdatagrams sent over connections withlong RTTs or in SMTP messages sentvia open relays to domains that refuse toaccept the messages for several days) Inaddition to providing an unreliablebackup medium these methods can beused to build an unobservable channelHe proposes that these theft-of-serviceattacks should be called ldquovillain-to-

victimrdquo computing because some of theengineering problems of P2P can besolved by V2V protocols

For more information visit httpwww1informatikunierlangende~bauernewv2vhtml

DETECTING MANIPULATED REMOTE CALL

STREAMS

Jonathon Giffin Bart Miller and SomeshJha University of Wisconsin

In a distributed grid computing envi-ronment remotely executing processessend call requests back to the originatingmachine A hostile user may manipulatethese streams of calls This techniquestatically analyzes the processrsquos binarycode at dispatch time and generates amodel of all possible call sequences Ascalls come back during executiontheyrsquore checked against the modelwhich detects some types of manipula-tion

A QUANTITATIVE ANALYSIS OF ANONYMOUS

COMMUNICATIONS

Yong Guan Xinwen Fu Riccardo Bet-tati and Wei Zhao Texas AampM Univer-sity

This probabilistic analysis of reroutingsystems found that longer paths donrsquotnecessarily provide better protectionagainst sender identification They alsofound that path complexity doesnrsquot havea significant impact on the probabilityof identifying a sender Additionally theease of identifying a sender increases asthe number of compromised nodes inthe system increases but that growth issublinear

For more information visit httpnetcamocstamuedu

DISTRIBUTED AUTHORIZATION WITH

HARDWARE TOKENS

Stefan Wieseckel and Matthias BauerFriedrich-Alexander-University Erlan-gen-Nuernberg


The authors have written a PAM modulefor user authentication to workstationsbased on RSA credentials stored on aDallas Semiconductor Java-iButtonThey use the KeyNote policy engine tomake authorization decisions whichallows for complex trust relationshipsand delegation of authority They do notpresently address user or token revoca-tion

For more information visithttpwwwwieseckeldeibutton_smartcardhtml

MOVING FROM DETECTION TO RECOVERY

AND ANALYSIS

George Dunlap University of Michigan

Dunlap proposed a mechanism of roll-back and selective replay of networkevents to aid in intrusion analysis andrecovery Being able to answer questionslike ldquoWhat if this packet had not beendeliveredrdquo or ldquoWhat if this TCP sessionhadnrsquot happenedrdquo should facilitatedebugging forensic analysis and intru-sion detection signature development

A CRYPTANALYSIS OF THE HIGH-BANDWIDTH

DIGITAL CONTENT PROTECTION (HDCP)SYSTEM

Rob Johnson Dawn Song and DavidWagner University of California atBerkeley Ian Goldberg Zero Knowl-edge Systems and Scott CrosbyCarnegie Mellon University

HDCP is a proposed identity-basedcryptosystem for use over the DigitalVisual Interface bus a consumer videobus already in widespread use Theauthors found serious design flaws inHDCP which allow one to eavesdrop onHDCP communications clone HDCPdevices and build an HDCP-compliantdevice that cannot be disabled viaHDCPrsquos Key Revocation facilitiesBecause of the DMCA mess (see page 7the summary of ldquoReading Between theLines Lessons from the SDMI Chal-lengerdquo particularly the question regard-ing whether a person would be at risk

for summarizing the session) they arenrsquotreleasing the full details of their crypt-analysis

TRUST SERVERS AND CLIENTS

Sean Smith Dartmouth University

WebALPS extends an SSL connectioninto a tamper-resistant coprocessor Byusing the coprocessor as a trusted thirdparty sensitive information is protectedfrom rogue server operators Credit cardinformation for example can be sentfrom the coprocessor via encryptedemail to a merchant with the web host-ing provider never having access to it

Additionally Smith described how SSLconnections can be spoofed and pre-sented an impressive demo in which Javascript and DHTML were used to spoofthe URL the SSL warning windows theSSL icon and the certificate informa-tion

For more information visithttpwwwcsdartmouthedu~pkilab

SOURCE ROUTER APPROACH TO DDOSDEFENSE

Jelena Mirkovic and Peter Reiher Uni-versity of California Los Angeles

The authors propose a system to preventa network from participating in a DDoSattack Located at the source networkrouter the system watches for a drop-offin reverse traffic from a particular desti-nation with heavy outgoing traffic Itthen throttles all traffic to that destina-tion while attempting to identify attack-ing flows and machines The system issimilar to MULTOPS but its source sideonly and its traffic models donrsquot dependon packet ratios

For more information visit httpfmg-wwwcsuclaeduddos

SAVE SOURCE ADDRESS VALIDITY

ENFORCEMENT PROTOCOL

Jun Li Jelena Mirkovic MengqiuWang Peter Reiher and Lixia ZhangUniversity of California Los Angeles

SAVE is a new protocol for buildingincoming address tables at routers evenin the face of asymmetric routes Thosetables can be used to filter out packetswith spoofed IP source addresses buildmulticast trees debug network prob-lems etc To build the tables SAVEsends valid source address informationdownstream along the paths used fordelivery

For more information visit httpfmg-wwwcsuclaeduadas

CODE RED THE SECOND COMING mdash FROM

WHENCE DIURNAL CYCLES

Colleen Shannon and David MooreCAIDA

Using the same system presented in theDenial of Service session on Wednesdaymorning CAIDA analyzed the secondround of Code Red They observed thatmany of the infected hosts were usingdynamic addressing suggesting that theowners were not intentionally runningIIS The data also showed a clear diurnalpattern ndash one-third to one-half ofinfected machines were being turned onand off daily ndash again suggesting thatthese machines were not running pro-duction Web servers

For more information visithttpwwwcaidaorganalysissecuritycode-red

FAST-TRACK SESSION ESTABLISHMENT FOR

TLS

Hovav Shacham and Dan Boneh Stan-ford University

The authors describe a new ldquofast-trackrdquohandshake mechanism for TLS A fast-track client caches a serverrsquos publicparameters and certain client-servernegotiated parameters in the course ofan initial enabling handshake theseneed not be present on subsequent


C

ON

FERE

NC

ERE

PORT

Shandshakes The new mechanismreduces both network traffic and flowsand requires no additional server stateThe bandwidth savings are particularlyrelevant to wireless devices

For more information visithttpcryptostanfordedu

ELECTROMAGNETIC ATTACKS ON CHIP CARDS

Bruce Archambeault Josyula R Raoand Pankaj Rohatgi IBM Research

Chip cards and other devices leak sub-stantially more information throughelectromagnetic emanations thanthrough other side-channels such aspower consumption and timing analysisAdditionally the countermeasures forthe other side-channel attacks are ofteninsufficient to protect from electromag-netic attacks Because of the sensitivenature of this work the authors areworking with interested parties to securevulnerable devices prior to disclosingcomplete details

For more information visithttpwwwresearchibmcomintsec

PASSWORD AUTHENTICATION

Philippe Golle Stanford University

Philippe Golle proposed a scheme forauthenticating to a large number of Websites with different passwords whilerequiring the client to remember only asingle master password The schemecan be adapted to master passwords asshort as 40 bits and can resist coalitionsof up to three Web sites

For more information visithttpcryptostanfordedu~pgolle

A TRAFFIC CAPTURE AND ANALYSIS FRAME-WORK

Josh Gentry Southwest Cyberport

Josh Gentry presented some Perl toolsfor collecting network statistics Thecapture engine uses libpcap to collecttraffic does some pattern matching andanalysis and stores the results in Perl

hashes The command line client canquery that data locally or over the net-work

For more information visithttpwwwsystemstabilityorg

OPEN SOURCE IMPLEMENTATION OF 8021X

Arunesh Mishra Maryland Informationand Systems Security Lab University ofMaryland

Lib1x is an open source implementationof 8021x a port-based authenticationmechanism for wireless networks thatrsquosintended to be an alternative to 80211WEP (see the WiP by Adam Stubblefieldet al above for details on why an alter-native is needed) Contributions are wel-comed

For more information visithttpwwwmisslcsumdedu1x

[Photographs of the Symposium can befound at httpwwwusenixorgeventssec01indexhtml]

Will the real Peter Honeyman please stand up

4 Vol 26 No 7 login

conference reports10th USENIX Security SymposiumWASHINGTON DCAUGUST 13ndash17 2001KEYNOTE

WEB-ENABLED GADGETS CAN WE TRUST THEM

Richard M Smith CTO The PrivacyFoundation


Richard Smith started off by saying thatwhat he primarily does is ldquocause prob-lemsrdquo mostly for companies that havenot thought through the security impli-cations of products that they havereleased They often ldquodiscover unin-tended consequences that companiesdonrsquot like to talk aboutrdquo The three mainareas they consider are security privacyand control

He stated thatldquoconsumerscare moreabout thesecurity ofcell phonesthan aboutWeb serversrdquobecause cellphones arepersonaldevices with

which consumers have immediate con-nections Application developers andcompanies are more concerned withfunctionality than security Productssuch as consumer devices based on real-time operating systems tend to havelower concerns for security

Smith said that DirecTV was the firstconsumer device that got his interestabout privacy issues It had a phone jackWhat information was it sending backLater a call to customer service on a dif-ferent issue revealed that the customerservice people were able to send com-mands (via satellite) to turn his TV on

Is this a good thing Still another timethe company apparently chose to ldquoadver-tiserdquo new services by causing the TV totune to a soft-porn channel which hehad not subscribed to or selected

Earlier this year just before the SuperBowl the company downloaded a pro-gram to all DirecTV boxes The goal wasto disable black market devices used topirate programming It succeeded Butwhat if they had made a mistake Whatif they had disabled service for legiti-mate customers Who in fact owns theboxes DirecTV clearly did not own theblack-market devices Did the com-panyrsquos actions constitute ldquohackingrdquo Didthe terms of service allow them to repro-gram the legitimate boxes

It turns out that DirecTV was not send-ing back ldquoNielsenrdquo information just a lotof information about the temperatureinside the box Their competitor Tivodoes send in ldquoNielsenrdquo info You have toexplicitly opt out by calling customerservice

Wersquore entering a brave new world ofconnected devices A company calledSports Barn sold a strap-on device thatmonitored your daily exerciseand thenuploaded it via phone to their Web siteto create a ldquopersonal profilerdquo (which ofcourse would never be used for market-ing or other) purposes One could havegotten the same effect by uploading to aPC without disclosing personal informa-tion and there are inexpensive stand-alone devices available at sports shopsthat do similar things But to maintain arecord you might have to (gasp) writethings on paper the price of privacyOh the company just went out of busi-ness Many formerly happy customersnow have worthless devices Similarthings could never happen with sub-scription software licensing could itSoftware companies never go out ofbusiness get bought out refocus onnewer products or have turnover or lossof support staff

This issuersquos reports are on the 10thUSENIX Security Symposium

OUR THANKS TO THE SUMMARIZERS

TAKEAKI CHIJIIWA

SAMEH ELNIKETY

KEVIN FU

RACHEL GREENSTADT

YONG GUAN

ANCA IVAN

GEORGE M JONES

STEFAN KELM

DAVID RICHARD LAROCHELLE

ROSS OLIVER

EVAN SARMIENTO

COLE TUCKER

MIKE VERNAL

SAM WEILER

Richard M Smith






C

ON

FERE

NC

ERE

PORT






INVITED TALKS




















6 Vol 26 No 7 login




















Matt Blaze









C

ON

FERE

NC

ERE

PORT














8 Vol 26 No 7 login












Prof Peter Jaszi






C

ON

FERE

NC

ERE

PORT

















What got better




What got worse













































C

ON

FERE

NC

ERE

PORT








Paul Syverson





















IP FILTER





Ross Oliver









REFEREED PAPERS







C

ON

FERE

NC

ERE

PORT







ACTIVITY


















SESSION HARDWARE



DEVICES














STACK PROTECTION









C

ON

FERE

NC

ERE

PORT





Dartmouth College












DETECTION



ANALYZER

Avishai Wool Lumeta











HOST






PROTOCOL SEMANTICS

















C

ON

FERE

NC

ERE

PORT





FILE SYSTEMS







Kingpin and Mudge
















VULNERABILITIES


























C

ON

FERE

NC

ERE

PORT








Nick Feamster MIT







Kevin Fu


















SYSTEMS









CAPABILITIES





C

ON

FERE

NC

ERE

PORT










PROTOCOL







Gene Tsudik






THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT



























C

ON

FERE

NC

ERE

PORT






INVITED TALKS




















6 Vol 26 No 7 login




















Matt Blaze









C

ON

FERE

NC

ERE

PORT














8 Vol 26 No 7 login












Prof Peter Jaszi






C

ON

FERE

NC

ERE

PORT

















What got better




What got worse













































C

ON

FERE

NC

ERE

PORT








Paul Syverson





















IP FILTER





Ross Oliver









REFEREED PAPERS







C

ON

FERE

NC

ERE

PORT







ACTIVITY


















SESSION HARDWARE



DEVICES














STACK PROTECTION









C

ON

FERE

NC

ERE

PORT





Dartmouth College












DETECTION



ANALYZER

Avishai Wool Lumeta











HOST






PROTOCOL SEMANTICS

















C

ON

FERE

NC

ERE

PORT





FILE SYSTEMS







Kingpin and Mudge
















VULNERABILITIES


























C

ON

FERE

NC

ERE

PORT








Nick Feamster MIT







Kevin Fu


















SYSTEMS









CAPABILITIES





C

ON

FERE

NC

ERE

PORT










PROTOCOL







Gene Tsudik






THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT






























6 Vol 26 No 7 login




















Matt Blaze









C

ON

FERE

NC

ERE

PORT














8 Vol 26 No 7 login












Prof Peter Jaszi






C

ON

FERE

NC

ERE

PORT

















What got better




What got worse













































C

ON

FERE

NC

ERE

PORT








Paul Syverson





















IP FILTER





Ross Oliver









REFEREED PAPERS







C

ON

FERE

NC

ERE

PORT







ACTIVITY


















SESSION HARDWARE



DEVICES














STACK PROTECTION









C

ON

FERE

NC

ERE

PORT





Dartmouth College












DETECTION



ANALYZER

Avishai Wool Lumeta











HOST






PROTOCOL SEMANTICS

















C

ON

FERE

NC

ERE

PORT





FILE SYSTEMS







Kingpin and Mudge
















VULNERABILITIES


























C

ON

FERE

NC

ERE

PORT








Nick Feamster MIT







Kevin Fu


















SYSTEMS









CAPABILITIES





C

ON

FERE

NC

ERE

PORT










PROTOCOL







Gene Tsudik






THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT






























C

ON

FERE

NC

ERE

PORT














8 Vol 26 No 7 login












Prof Peter Jaszi






C

ON

FERE

NC

ERE

PORT

















What got better




What got worse













































C

ON

FERE

NC

ERE

PORT








Paul Syverson





















IP FILTER





Ross Oliver









REFEREED PAPERS







C

ON

FERE

NC

ERE

PORT







ACTIVITY


















SESSION HARDWARE



DEVICES














STACK PROTECTION









C

ON

FERE

NC

ERE

PORT





Dartmouth College












DETECTION



ANALYZER

Avishai Wool Lumeta











HOST






PROTOCOL SEMANTICS

















C

ON

FERE

NC

ERE

PORT





FILE SYSTEMS







Kingpin and Mudge
















VULNERABILITIES


























C

ON

FERE

NC

ERE

PORT








Nick Feamster MIT







Kevin Fu


















SYSTEMS









CAPABILITIES





C

ON

FERE

NC

ERE

PORT










PROTOCOL







Gene Tsudik






THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT


























8 Vol 26 No 7 login












Prof Peter Jaszi






C

ON

FERE

NC

ERE

PORT

















What got better




What got worse













































C

ON

FERE

NC

ERE

PORT








Paul Syverson





















IP FILTER





Ross Oliver









REFEREED PAPERS







C

ON

FERE

NC

ERE

PORT







ACTIVITY


















SESSION HARDWARE



DEVICES














STACK PROTECTION









C

ON

FERE

NC

ERE

PORT





Dartmouth College












DETECTION



ANALYZER

Avishai Wool Lumeta











HOST






PROTOCOL SEMANTICS

















C

ON

FERE

NC

ERE

PORT





FILE SYSTEMS







Kingpin and Mudge
















VULNERABILITIES


























C

ON

FERE

NC

ERE

PORT








Nick Feamster MIT







Kevin Fu


















SYSTEMS









CAPABILITIES





C

ON

FERE

NC

ERE

PORT










PROTOCOL







Gene Tsudik






THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT



























C

ON

FERE

NC

ERE

PORT

















What got better




What got worse













































C

ON

FERE

NC

ERE

PORT








Paul Syverson





















IP FILTER





Ross Oliver









REFEREED PAPERS







C

ON

FERE

NC

ERE

PORT







ACTIVITY


















SESSION HARDWARE



DEVICES














STACK PROTECTION









C

ON

FERE

NC

ERE

PORT





Dartmouth College












DETECTION



ANALYZER

Avishai Wool Lumeta











HOST






PROTOCOL SEMANTICS

















C

ON

FERE

NC

ERE

PORT





FILE SYSTEMS







Kingpin and Mudge
















VULNERABILITIES


























C

ON

FERE

NC

ERE

PORT








Nick Feamster MIT







Kevin Fu


















SYSTEMS









CAPABILITIES





C

ON

FERE

NC

ERE

PORT










PROTOCOL







Gene Tsudik






THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT
























What got worse













































C

ON

FERE

NC

ERE

PORT








Paul Syverson





















IP FILTER





Ross Oliver









REFEREED PAPERS







C

ON

FERE

NC

ERE

PORT







ACTIVITY


















SESSION HARDWARE



DEVICES














STACK PROTECTION









C

ON

FERE

NC

ERE

PORT





Dartmouth College












DETECTION



ANALYZER

Avishai Wool Lumeta











HOST






PROTOCOL SEMANTICS

















C

ON

FERE

NC

ERE

PORT





FILE SYSTEMS







Kingpin and Mudge
















VULNERABILITIES


























C

ON

FERE

NC

ERE

PORT








Nick Feamster MIT







Kevin Fu


















SYSTEMS









CAPABILITIES





C

ON

FERE

NC

ERE

PORT










PROTOCOL







Gene Tsudik






THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT




































C

ON

FERE

NC

ERE

PORT








Paul Syverson





















IP FILTER





Ross Oliver









REFEREED PAPERS







C

ON

FERE

NC

ERE

PORT







ACTIVITY


















SESSION HARDWARE



DEVICES














STACK PROTECTION









C

ON

FERE

NC

ERE

PORT





Dartmouth College












DETECTION



ANALYZER

Avishai Wool Lumeta











HOST






PROTOCOL SEMANTICS

















C

ON

FERE

NC

ERE

PORT





FILE SYSTEMS







Kingpin and Mudge
















VULNERABILITIES


























C

ON

FERE

NC

ERE

PORT








Nick Feamster MIT







Kevin Fu


















SYSTEMS









CAPABILITIES





C

ON

FERE

NC

ERE

PORT










PROTOCOL







Gene Tsudik






THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT










































IP FILTER





Ross Oliver









REFEREED PAPERS







C

ON

FERE

NC

ERE

PORT







ACTIVITY


















SESSION HARDWARE



DEVICES














STACK PROTECTION









C

ON

FERE

NC

ERE

PORT





Dartmouth College












DETECTION



ANALYZER

Avishai Wool Lumeta











HOST






PROTOCOL SEMANTICS

















C

ON

FERE

NC

ERE

PORT





FILE SYSTEMS







Kingpin and Mudge
















VULNERABILITIES


























C

ON

FERE

NC

ERE

PORT








Nick Feamster MIT







Kevin Fu


















SYSTEMS









CAPABILITIES





C

ON

FERE

NC

ERE

PORT










PROTOCOL







Gene Tsudik






THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT






























REFEREED PAPERS







C

ON

FERE

NC

ERE

PORT







ACTIVITY


















SESSION HARDWARE



DEVICES














STACK PROTECTION









C

ON

FERE

NC

ERE

PORT





Dartmouth College












DETECTION



ANALYZER

Avishai Wool Lumeta











HOST






PROTOCOL SEMANTICS

















C

ON

FERE

NC

ERE

PORT





FILE SYSTEMS







Kingpin and Mudge
















VULNERABILITIES


























C

ON

FERE

NC

ERE

PORT








Nick Feamster MIT







Kevin Fu


















SYSTEMS









CAPABILITIES





C

ON

FERE

NC

ERE

PORT










PROTOCOL







Gene Tsudik






THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT


































SESSION HARDWARE



DEVICES














STACK PROTECTION









C

ON

FERE

NC

ERE

PORT





Dartmouth College












DETECTION



ANALYZER

Avishai Wool Lumeta











HOST






PROTOCOL SEMANTICS

















C

ON

FERE

NC

ERE

PORT





FILE SYSTEMS







Kingpin and Mudge
















VULNERABILITIES


























C

ON

FERE

NC

ERE

PORT








Nick Feamster MIT







Kevin Fu


















SYSTEMS









CAPABILITIES





C

ON

FERE

NC

ERE

PORT










PROTOCOL







Gene Tsudik






THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT
























STACK PROTECTION









C

ON

FERE

NC

ERE

PORT





Dartmouth College












DETECTION



ANALYZER

Avishai Wool Lumeta











HOST






PROTOCOL SEMANTICS

















C

ON

FERE

NC

ERE

PORT





FILE SYSTEMS







Kingpin and Mudge
















VULNERABILITIES


























C

ON

FERE

NC

ERE

PORT








Nick Feamster MIT







Kevin Fu


















SYSTEMS









CAPABILITIES





C

ON

FERE

NC

ERE

PORT










PROTOCOL







Gene Tsudik






THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT
























DETECTION



ANALYZER

Avishai Wool Lumeta











HOST






PROTOCOL SEMANTICS

















C

ON

FERE

NC

ERE

PORT





FILE SYSTEMS







Kingpin and Mudge
















VULNERABILITIES


























C

ON

FERE

NC

ERE

PORT








Nick Feamster MIT







Kevin Fu


















SYSTEMS









CAPABILITIES





C

ON

FERE

NC

ERE

PORT










PROTOCOL







Gene Tsudik






THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT

































C

ON

FERE

NC

ERE

PORT





FILE SYSTEMS







Kingpin and Mudge
















VULNERABILITIES


























C

ON

FERE

NC

ERE

PORT








Nick Feamster MIT







Kevin Fu


















SYSTEMS









CAPABILITIES





C

ON

FERE

NC

ERE

PORT










PROTOCOL







Gene Tsudik






THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT





































VULNERABILITIES


























C

ON

FERE

NC

ERE

PORT








Nick Feamster MIT







Kevin Fu


















SYSTEMS









CAPABILITIES





C

ON

FERE

NC

ERE

PORT










PROTOCOL







Gene Tsudik






THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT



































C

ON

FERE

NC

ERE

PORT








Nick Feamster MIT







Kevin Fu


















SYSTEMS









CAPABILITIES





C

ON

FERE

NC

ERE

PORT










PROTOCOL







Gene Tsudik






THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT







































SYSTEMS









CAPABILITIES





C

ON

FERE

NC

ERE

PORT










PROTOCOL







Gene Tsudik






THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT


























CAPABILITIES





C

ON

FERE

NC

ERE

PORT










PROTOCOL







Gene Tsudik






THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT



























THE INTERNET




















Niels Provos









C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT






























C

ON

FERE

NC

ERE

PORT







WORKS IN PROGRESS



ATTACK TO BREAK WEP





Cory Cohen CERT



INTERNET TELEPHONES










STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT

























STREAMS




COMMUNICATIONS





HARDWARE TOKENS






AND ANALYSIS




























TLS




C

ON

FERE

NC

ERE

PORT

































TLS




C

ON

FERE

NC

ERE

PORT






















special focus issue: security · the normal user: don’t get or look at it. for the government,...

Documents