
10th USENIX Security Symposium - Works In Progress Session

Session Chair: Patrick McDaniel


Session Agenda

Note: Matt Blaze will have a few comments on the upcoming Financial Cryptography Conference prior to the beginning of the technical WIP session.

Speakers: There will be overhead and laptop projectors available for use during the talk. Please arrive at least 20 minutes prior to the beginning of the session for setup. Also, please email me at pdmcdan@pdmcdan.com if you have any corrections to the talk details below.

Time         Title                                                                        Speaker
11:00-11:05  Using the Fluhrer, Mantin, and Shamir Attack to Break WEP                Adam Stubblefield
11:05-11:10  SRMail - The Secure Remailer                                             Cory Cohen
11:10-11:15  VOMIT - Voice Over Misconfigured Internet Telephones                     Niels Provos
11:15-11:20  Villain-to-Victim (V2V) Protocols, a New Threat                          Matthias Bauer
11:20-11:25  Securing Remote Execution                                                Jonathon Giffin
11:25-11:30  A Quantitative Analysis of Anonymous Communications                      Yong Guan
11:30-11:35  Distributed Authorization with Hardware Tokens                           Stefan Wieseckel
11:35-11:40  Moving from Detection to Recovery and Analysis                           George Dunlap
11:40-11:45  A Cryptanalysis of the High-bandwidth Digital Content Protection System  Rob Johnson
11:45-11:50  Trust, Servers, and Clients                                              Sean Smith
11:50-11:55  Source Router Approach to DDoS Defense                                   Jelena Mirkovic
11:55-12:00  SAVE: Source Address Validity Enforcement Protocol                       Jelena Mirkovic
12:00-12:05  Code Red, the Second Coming - From Whence Diurnal Cycles                 David Moore
12:05-12:10  Fast-Track Session Establishment for TLS                                 Hovav Shacham
12:10-12:15  Electromagnetic attacks on Chip Cards                                    Josyula R. Rao
12:15-12:20  Password Authentication                                                  Philippe Golle
12:20-12:25  A Traffic Capture and Analysis Framework                                 Josh Gentry
12:25-12:30  Opensource Implementation of 802.1x                                      Arunesh Mishra

Using the Fluhrer, Mantin, and Shamir Attack to Break WEP

Adam Stubblefield and Avi Rubin, AT&T Research
astubble@rice.edu

Abstract

We implemented an attack against WEP, the link-layer security protocol for 802.11 networks. The attack was described in a recent paper by Fluhrer, Mantin, and Shamir. With our implementation, and permission of the network administrator, we were able to recover the 128-bit secret key used in a production network, with a passive attack. The WEP standard uses RC4 IVs improperly, and the attack exploits this design failure.

URL: http://www.cs.rice.edu/~astubble/wep/


SRMail - The Secure Remailer

Cory Cohen, CERT
cfc@cert.org

Abstract

SRMail is a program designed to facilitate encrypted communications between groups of people. It encrypts and decrypts messages by calling a variety of encryption programs such as GnuPG. It can generate signed or encrypted form letters, help manage contact information and encryption keys, or when used in a remailer mode, even convert one encryption format to another (e.g. PGP to X509). SRMail is particularly well suited to the needs of incident response teams and organizations with encrypted mailing lists.

URL:


VOMIT - Voice Over Misconfigured Internet Telephones

Niels Provos, Center for Information Technology Integration, University of Michigan
provos@citi.umich.edu

Abstract

The vomit utility converts a Cisco IP phone conversation into a wave file that can be played with ordinary sound players. The phone conversation can either be played directly from the network or from a tcpdump output file. Vomit is also capable of inserting wavefiles into ongoing telephone conversations. Vomit can be used as a network debugging tool, a speaker phone, etc ...

URL: http://www.monkey.org/~provos/vomit/


Villain-to-Victim (V2V) Protocols, a New Threat

Matthias Bauer, Institut für Informatik
matthiasb@acm.org

Abstract

Misconfigured systems have been used as means of storage and communication, even in official software products (e.g. sharesniffer.com). This talk will present some methods which use features of standard TCP/IP protocols to transport or temporarily store data on correctly configured machines without the consent of the administrator. This amounts to a kind of Theft-of-Service computing, which I would like to call Villain-to-Victim computing, because some of the engineering problems of P2P can be solved by V2V protocols.

URL: http://www1.informatik.uni-erlangen.de/~bauer/new/v2v.html


Securing Remote Execution

Jonathon Giffin, Bart Miller and Somesh Jha, University of Wisconsin
giffin@cs.wisc.edu

Abstract

In a distributed grid computing environment, certain system calls often must be executed by the machine that originated the remote process. The process may not have permission to access the local filesystem of the compute host, for example. The Condor remote execution system, deployed at thousands of sites worldwide, uses this model. Other systems, such as Java applets communicating with their home servers, likewise require a call path back to a machine servicing remote calls.

These streams of remote calls are subject to manipulation. Without verification of the authenticity of call requests, the servers might execute any arbitrary sequence of system calls within the permissions of the process. An attacker with access to the wire may simply inject new calls into the network stream. Similarly, a hostile process on the compute machine may attach to the remote job and initiate false call requests.

We are developing techniques to detect such manipulation. Before deploying the remote process, the binary code is statically analyzed. Control flow analysis yields a nondeterministic finite automaton (NFA) defining a language of accepted sequences of system calls. Data flow analysis reduces the acceptable variability in call arguments. Our methods, extending the work of Wagner and Dean, complement and strengthen existing sandboxing techniques.

We have implemented the control flow analysis, the NFA construction, and preliminary data flow analysis. To further constrain the language of accepted system calls, we plan to approximate a regular language with a push down automaton with bounded stack. Construction of regular expressions precisely defining the forms of acceptable arguments may also be investigated.

URL:
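The following is an added example, not the Wisconsin group's code: a small Python monitor of the kind the abstract describes. A constructed control-flow graph of a remote job is turned into an NFA over system-call names, and each incoming call stream is checked against it, with a constructed argument constraint standing in for the data-flow step. The states, call names, file paths and constraint are assumptions made for illustration.

```python
"""NFA check of a remote system-call stream (added example; not the Wisconsin
group's code). The control-flow graph, call names, paths and argument
constraints below are constructed for illustration."""
from collections import defaultdict

# Constructed control-flow graph of a small remote job, reduced to the system
# calls it can issue: (from_state, syscall, to_state). Two edges leaving
# "start" on the same label make the automaton nondeterministic.
CFG_EDGES = [
    ("start", "open", "opened"),
    ("opened", "read", "opened"),      # read loop
    ("opened", "write", "opened"),     # write loop
    ("opened", "close", "closed"),
    ("start", "open", "logging"),      # alternative path: job only writes a log
    ("logging", "write", "logging"),
    ("logging", "close", "closed"),
    ("closed", "exit", "done"),
]
ACCEPT_STATES = {"done"}

# Constructed result of data-flow analysis: where the analysis fixed an
# argument statically, the monitor also checks the argument value.
ARG_CONSTRAINTS = {
    "open": lambda args: args[0] in {"/tmp/job.in", "/tmp/job.out", "/tmp/job.log"},
}


def build_nfa(edges):
    """Map (state, syscall) -> set of successor states."""
    nfa = defaultdict(set)
    for src, label, dst in edges:
        nfa[(src, label)].add(dst)
    return dict(nfa)


def step(nfa, states, label):
    """Advance every live state on one call; an empty result means rejection."""
    return {dst for s in states for dst in nfa.get((s, label), ())}


def check_stream(nfa, stream, start="start", accept=ACCEPT_STATES):
    """Return (accepted, rejected_index).

    rejected_index is the position of the first call the model cannot explain,
    or None if every call was consistent; accepted then says whether the
    stream ended in an accepting state (an unfinished job has not)."""
    states = {start}
    for i, (name, args) in enumerate(stream):
        constraint = ARG_CONSTRAINTS.get(name)
        if constraint is not None and not constraint(args):
            return False, i          # a legitimate call name, but an impossible argument
        states = step(nfa, states, name)
        if not states:
            return False, i          # no control-flow path issues this call here
    return bool(states & accept), None


# Constructed call streams as the machine servicing remote calls would see them.
LEGIT_STREAM = [("open", ("/tmp/job.in",)), ("read", ()), ("write", ()),
                ("close", ()), ("exit", ())]
# The same stream with one call injected into the wire by a third party.
INJECTED_STREAM = LEGIT_STREAM[:2] + [("unlink", ("/tmp/job.in",))] + LEGIT_STREAM[2:]
# A call the binary does issue, but with a path it can never produce.
BAD_ARG_STREAM = [("open", ("/home/alice/notes.txt",))] + LEGIT_STREAM[1:]

if __name__ == "__main__":
    nfa = build_nfa(CFG_EDGES)
    for label, s in [("legit", LEGIT_STREAM), ("injected", INJECTED_STREAM),
                     ("bad-arg", BAD_ARG_STREAM)]:
        print(label, check_stream(nfa, s))
```

The monitor keeps the set of all live NFA states rather than picking one path, so the two `open` edges out of `start` cost nothing extra; the injected `unlink` is rejected because no state has an edge for it, and the bad `open` is rejected by the argument constraint before the automaton is consulted.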


A Quantitative Analysis of Anonymous Communications

Yong Guan, Xinwen Fu, Riccardo Bettati, and Wei Zhao, Texas A&M University
yguan@cs.tamu.edu

Abstract

This paper aims to quantitatively analyze anonymous communication systems with regard to anonymity properties. Various anonymous communication systems have been designed and implemented. However, there are few formal and quantitative analyses on how these systems perform. System developers often informally argued the security goals which their systems can achieve. Such results were likely vague and not persuasive. In this paper, we use a probabilistic method to investigate the anonymity behavior of anonymous communication systems. In particular, we study the probability that the true identity of a sender can be discovered in an anonymous communication system given that some nodes have been compromised. It is through this analysis that we can identify a number of design guidelines for systems aimed at providing communication anonymity. For example, contrary to what one would intuitively expect, our analytic results show that the probability that the true identity of a sender can be discovered may not always decrease as the length of communication path increases. We also found that the complexity of path topology does not have significant impact in terms of anonymity behavior.

URL: http://netcamo.cs.tamu.edu/


Distributed Authorization with Hardware Tokens

Stefan Wieseckel and Matthias Bauer, Friedrich-Alexander-University Erlangen-Nuernberg
stefan.wieseckel@fen-net.de

Abstract

User-administration in mid-range and large systems (e.g. via NIS) may be a curse for the administrators. One central problem is a distributed user-database. The project to be presented doesn't need any special network services like RPC. It's based on a smart-card as a hardware token that users carry along with them. On the token, data is stored in so-called 'credentials' which are locally checked on a workstation with the help of a policy decision engine (here: KeyNote). The engine checks for compliance with a local policy. A credential permits trust-relations between public keys (we use RSA) that can be very complex and may delegate authorizations over many entities. I integrated this concept into the login-mechanism via a PAM-module.

URL: http://www.wieseckel.de/ibutton_smartcard.html


Moving from Detection to Recovery and Analysis

George Dunlap, University of Michigan
dunlapg@umich.edu

Abstract

Researchers have explored ways to prevent intrusions and misuse, and ways to detect intrusions that have happened, but to our knowledge, little research has been done on the problem of automated analysis or recovery once the intrusion has been detected.

Adding a mechanism to rollback and selectively replay events to a system will allow us to answer the question, "What may have happened had this event not been delivered?" This ability is useful for several reasons. First, if we know which event was crucial to the attack -- the packet which triggered a buffer overflow, for instance -- we can replay the stream of events without that packet, and see the difference the attack made, helping us to recover. Moreover, if we have an a posteriori intrusion detector, we can use the replay system to experimentally identify which events were crucial to the intrusion. This identification is useful for debugging, for forensic analysis, and for firewall signature development.

URL:


A Cryptanalysis of the High-bandwidth Digital Content Protection System

Rob Johnson, Dawn Song, and David Wagner (University of California at Berkeley), Ian Goldberg (Zero Knowledge Systems), and Scott Crosby (CMU).
rtjohnso@cs.berkeley.edu, dawnsong@eecs.Berkeley.edu, daw@cs.berkeley.edu, ian@cypherpunks.ca, crosby@qwes.math.cmu.edu

Abstract

We describe a practical attack on the High Bandwidth Digital Content Protection (HDCP) scheme. HDCP is a proposed identity-based cryptosystem for use over the Digital Visual Interface bus, a consumer video bus used in digital VCRs, camcorders, and personal computers. Public/private key pairs are assigned to devices by a trusted authority, which possesses a master secret. If an attacker can recover 40 public/private key pairs that span the module of public keys, then the authority's master secret can be recovered in a few seconds. With the master secret, an attacker can eavesdrop on communications between any two devices and can spoof any device, both in real time. Additionally, the attacker can produce new key pairs not on any key revocation list. Thus the attacker can completely usurp the trusted authority's power. Furthermore, the protocol is still insecure even if all devices' keys are signed by the central authority.

URL:


Trust, Servers, and Clients

Sean Smith, Dartmouth University
sws@cs.dartmouth.edu

Abstract

Why should a user trust what happens at a remote Web server? How do they know they should trust this?

  1. WebALPS Trusted Third Parties

    SSL protects data in transit, but not what happens at the other end. Using Apache, OpenSSL, and the IBM 4758, we've built a Web server that brings the SSL session all the way into an armored co-server, which protects sensitive computation even from rogue server operators. As a practical demo, we're currently preparing a campus e-commerce server.

    The programmability and outbound authentication of the 4758 will make this work deployable in the real world.

  2. Web Spoofing

    Technology #1 requires that users be able to verify the existence of an SSL session and the identity of the server with whom they're connecting. We examined this issue (starting with Felten 1996), and can demonstrate how, for common platforms, an adversarial server can spoof the URL, the SSL warning windows, the SSL icon, and the certificate information.

URL: http://www.cs.dartmouth.edu/~pkilab


Source Router Approach to DDoS Defense

Jelena Mirkovic and Peter Reiher, University of California, Los Angeles
{sunshine,reiher}@cs.ucla.edu

Abstract

A system is proposed that monitors the two-way traffic at the exit router of a given network and detects and suppresses DDoS flows originating at this network. It uses built-in models and online statistics to separate normal flows from attacking flows. It then throttles malicious traffic, alleviating the damage to the victim of the attack. Steps are further taken to discover and shut down attacking machines. This approach prevents malicious flows from entering the Internet and consuming resources.

URL: http://fmg-www.cs.ucla.edu/ddos


SAVE: Source Address Validity Enforcement Protocol

Jun Li, Jelena Mirkovic, Mengqiu Wang, Peter Reiher and Lixia Zhang, University of California, Los Angeles
{lijun,sunshine,wangmq,reiher,lixia}@cs.ucla.edu

Abstract

The SAVE protocol associates routers' incoming links with ranges of addresses that are allowed to generate traffic arriving on these links. This information can be used to filter packets with spoofed source addresses or to enhance existing protocols such as multicast or fair queuing. SAVE reacts quickly to routing changes and is independent of the underlying routing protocol. It does not incur large memory or bandwidth overhead. Partial deployment strategies and security of the protocol are still being

URL: http://fmg-www.cs.ucla.edu/adas/
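Added example, not the UCLA project's code: a Python sketch of the per-link source validation that SAVE's incoming-link table enables. The forwarding table, interface names and packets are constructed, and the sketch assumes, as a simplification, that the valid incoming link for a source prefix is the link the router would itself forward toward that prefix on; SAVE builds that association with its own protocol messages, which are not modelled here.

```python
"""Incoming-link source validation in the spirit of SAVE (added example; not
the UCLA group's code). Forwarding table, interfaces and packets are
constructed. Simplifying assumption: a source prefix is valid on the link the
router would use to forward traffic toward that prefix."""
import ipaddress

# Constructed forwarding table of a border router: destination prefix -> interface.
FORWARDING_TABLE = {
    "10.1.0.0/16": "eth0",    # internal department A
    "10.2.0.0/16": "eth1",    # internal department B
    "192.0.2.0/24": "eth2",   # DMZ
    "0.0.0.0/0": "eth3",      # default route toward the provider
}


def build_incoming_table(fwd):
    """The SAVE-style view: interface -> [source prefixes expected to arrive on it]."""
    table = {}
    for prefix, iface in fwd.items():
        table.setdefault(iface, []).append(ipaddress.ip_network(prefix))
    return table


def expected_interface(fwd, src):
    """Longest-prefix match of the source address against the forwarding table."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fwd.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def filter_packets(fwd, packets):
    """Split (ingress_iface, src, dst) tuples into accepted and dropped lists.

    A packet is dropped when its source address should have arrived on a
    different link, i.e. the source is spoofed relative to the topology."""
    accepted, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (accepted if expected_interface(fwd, src) == iface else dropped).append(pkt)
    return accepted, dropped


# Constructed packets as seen at the router's ingress.
PACKETS = [
    ("eth0", "10.1.7.7", "192.0.2.10"),     # department A host reaching the DMZ: fine
    ("eth3", "203.0.113.9", "192.0.2.10"),  # external client on the provider link: fine
    ("eth3", "10.1.7.7", "192.0.2.10"),     # internal address arriving from outside: spoofed
    ("eth0", "10.2.3.4", "10.1.7.7"),       # department B address on department A's link: spoofed
    ("eth1", "10.2.3.4", "10.1.7.7"),       # same source on its proper link: fine
]

if __name__ == "__main__":
    for iface, nets in build_incoming_table(FORWARDING_TABLE).items():
        print(iface, [str(n) for n in nets])
    accepted, dropped = filter_packets(FORWARDING_TABLE, PACKETS)
    print("accepted:", accepted)
    print("dropped:", dropped)
```

Because the check is derived from the forwarding table rather than stored separately, a routing change (say, department B's prefix moving to `eth0`) changes the verdicts immediately: the fourth packet becomes valid and the fifth becomes the spoofed one.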


Code Red, the Second Coming - From Whence Diurnal Cycles

Colleen Shannon and David Moore, CAIDA
dmoore@caida.org, cshannon@caida.org

Abstract

The first round of severe Code Red infection on July 19th was completed in less than 24 hours due to the programming design of Code Red. However, the second round which began on Aug 1st can continue to spread until Aug 19th (and October for CR-II). One expectation for the second round would have been for a sharp exponential growth and then a flattening off as most machines were infected, and then a continued decline in the number of infected hosts at any moment (as they were repaired). However, the data clearly show a diurnal pattern (albeit perhaps a non-obvious one) to the number of currently infected hosts.

By mapping infected IP addresses to geographic locations and then examining the number of infected hosts in specific timezones, a clear diurnal pattern arises. It can be seen that between one third and one half of Code Red machines in the second round are being turned on and off every day, roughly following business hours in their local timezone. This suggests that the owners of these machines have no idea they are running a service.

Many of the machines being turned on and off seem to be on dialup or broadband connections. By examining subnets (/24s) and counting the number of unique addresses seen over two weeks and the maximum number of addresses active in any 2 hour period within those subnets, we are able to estimate the prevalence of dynamic IP address assignment among the second round Code Red infected hosts. Our estimates put the number of infected _machines_ to be approximately 180k, while the number of _IP addresses_ seen over the two weeks is 4 million. This suggests that studies of infection, where the population includes dynamic IP addresses, must be careful to distinguish between IP addresses and actual machines.

URL: http://www.caida.org/analysis/security/code-red/
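Added example, not CAIDA's code: the two measurements the abstract describes, in Python over a constructed probe log. Per /24 it compares the unique addresses seen over the period with the maximum number active in any two-hour window, and it buckets activity by local hour using a constructed subnet-to-time-zone map in place of IP geolocation. The addresses, dates and offsets are all constructed.

```python
"""Machines vs. IP addresses in a worm census (added example; not CAIDA's
code). Observations and time-zone offsets are constructed; a real dataset
would be the unsolicited probes seen at a monitoring network."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed /24 -> UTC offset in hours, standing in for IP geolocation.
TZ_OFFSET = {"198.51.100.0/24": -5, "203.0.113.0/24": 9}


def subnet24(ip):
    return ip.rsplit(".", 1)[0] + ".0/24"


def make_observations(days=14):
    """Constructed probe log of (utc_time, source_ip).

    198.51.100.0/24: three infected machines on dynamic addresses, a fresh
    address each day, online only during local business hours.
    203.0.113.0/24: two always-on machines with fixed addresses."""
    obs = []
    start = datetime(2001, 8, 1, tzinfo=timezone.utc)
    for d in range(days):
        day = start + timedelta(days=d)
        for m in range(3):
            ip = f"198.51.100.{10 + 3 * d + m}"
            for local_hour in (9, 11, 13, 15):
                utc_hour = local_hour - TZ_OFFSET["198.51.100.0/24"]
                obs.append((day + timedelta(hours=utc_hour), ip))
        for ip in ("203.0.113.5", "203.0.113.6"):
            for utc_hour in range(0, 24, 2):
                obs.append((day + timedelta(hours=utc_hour), ip))
    return obs


def estimate_machines(observations, window=timedelta(hours=2)):
    """Per /24: (unique addresses over the whole period, max addresses active
    in any one window). The second number estimates distinct machines; a large
    gap between the two indicates dynamic address assignment."""
    unique = defaultdict(set)
    per_window = defaultdict(lambda: defaultdict(set))
    secs = window.total_seconds()
    for ts, ip in observations:
        s = subnet24(ip)
        unique[s].add(ip)
        per_window[s][int(ts.timestamp() // secs)].add(ip)
    return {s: (len(unique[s]), max(len(v) for v in per_window[s].values()))
            for s in unique}


def totals(estimates):
    """(addresses seen, estimated machines) summed over all subnets."""
    return (sum(u for u, _ in estimates.values()),
            sum(m for _, m in estimates.values()))


def local_hour_histogram(observations, tz_offset):
    """Observations per local hour, after shifting each /24 to its own time
    zone. Mixing zones without this shift would blur the diurnal pattern."""
    hist = defaultdict(int)
    for ts, ip in observations:
        local = ts + timedelta(hours=tz_offset[subnet24(ip)])
        hist[local.hour] += 1
    return dict(hist)


if __name__ == "__main__":
    obs = make_observations()
    est = estimate_machines(obs)
    print("per /24 (addresses, machines):", est)
    print("totals (addresses, machines):", totals(est))
    hist = local_hour_histogram(obs, TZ_OFFSET)
    for hour in sorted(hist):
        print(f"{hour:02d}:00 local  {hist[hour]}")
```

On the constructed log the dynamic subnet shows 42 addresses for 3 machines while the static one shows 2 for 2, and the local-hour histogram peaks at business hours only once each subnet has been shifted into its own time zone.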


Fast-Track Session Establishment for TLS

Hovav Shacham and Dan Boneh, Stanford University
hovav@cs.stanford.edu

Abstract

We describe a new, "fast-track" handshake mechanism for TLS. A fast-track client caches a server's public parameters and certain client-server negotiated parameters in the course of an initial, enabling handshake; these need not be resent on subsequent, fast-track ones. The new mechanism reduces both network traffic and flows, and requires no additional server state. The network savings are particularly relevant to wireless, bandwidth-limited devices.

URL: http://crypto.stanford.edu/


Electromagnetic attacks on Chip Cards

Bruce Archambeault, Josyula R. Rao and Pankaj Rohatgi, IBM Research
jrrao@us.ibm.com

Abstract

We have been investigating leakage of compromising information from electromagnetic emanations from chipcards and other devices. Our findings show that the EM leakage is substantially more than leakages from other side-channels such as power consumption and timing analysis. In addition to yielding much more compromising information about computations, this additional leakage is sufficient in many cases to defeat the protection afforded by countermeasures to the other side-channel attacks. In view of our findings, we feel that a methodical review of the vulnerabilities of sensitive devices to EM information leakage is warranted. Given the sensitive nature of this work, we are working with interested parties for securing vulnerable devices prior to disclosing complete details of our findings.

URL: http://www.research.ibm.com/intsec


Password Authentication

Philippe Golle, Stanford University
pgolle@Theory.Stanford.EDU

Abstract

A growing number of Internet services, such as email or stock-trading, require client authentication. Clients typically authenticate themselves to a website with a login and password. To prevent impersonation attacks, a different password must be chosen for each website. This approach to client authentication scales poorly. It is difficult for clients to choose, let alone remember, a large number of good passwords. In this talk, we propose an authentication scheme which allows a client to authenticate herself to a large number of websites, while remembering only a single master password. The master password is shared among the websites in a scheme akin to secret sharing. Unlike secret sharing however, our scheme degrades gracefully as the size of the coalition increases. We propose both a randomized construction and a deterministic construction. Unlike other solutions to the problem of multiple authentication, our scheme does not assume that the master password is secure against exhaustive search. Our scheme is information-theoretically secure and well adapted to master passwords as short as 40 bits.

URL: http://crypto.stanford.edu/pgolle


A Traffic Capture and Analysis Framework

Josh Gentry, Southwest Cyberport
jgentry@swcp.com

Abstract

A two component architecture to provide near real-time network traffic statistics to third parties. The first component is a traffic capture engine written in Perl, that uses libpcap to capture all traffic that hits the network interface. The protocol headers are pulled apart, and the information stored in Perl hashes.

The second component is a command-line client for querying the traffic capture engine. Because it is a command-line utility, it can easily be used by other applications, in the great tradition of command-line tools. Thus applications could use the traffic data for a wide variety of purposes, including security considerations such as anomaly detection.

URL: http://www.systemstability.org/


Opensource Implementation of 802.1x

Arunesh Mishra, University of Maryland
arunesh@cs.umd.edu

Abstract

The 802.11 WEP has a very weak authentication mechanism which relies on MAC address and shared secret key. IEEE 802.1x provides a port-based authentication mechanism ideally applicable to future wireless networks with support to be available only in Windows XP and Mac OS X. It is to this end that such an effort is being made here at the Maryland Information and Systems Security Lab. Organized effort and support is requested.

URL: http://www.missl.cs.umd.edu/1x/



Last modified: Mon Aug 27 10:25:02 EDT 2001