11th USENIX Security Symposium, August 5-9, 2002, San Francisco Marriott, San Francisco, California, USA
Works In Progress Session
Session Chair: Kevin Fu


Session Agenda

Time | Title | Speaker
11:00-11:05 | Preventing Privilege Escalation | Niels Provos
11:05-11:10 | Memory Accounting Within a Multitasking Language System | Dave Price
11:10-11:15 | Semantics-aware Transformation and Anonymization of Network Traces | Ruoming Pang
11:15-11:20 | Clilets: Web Applications with Private Client-Side Storage | Robert Fischer
11:20-11:25 | Checking Linux kernel user-space pointer handling with CQual | Rob Johnson
11:25-11:30 | Segmented Deterministic Packet Marking | John-Paul Fryckman
11:30-11:35 | Turing: a fast software stream cipher | Greg Rose
11:35-11:40 | Active Mapping: Resisting NIDS Evasion Without Altering Traffic | Umesh Shankar
11:40-11:45 | Making Software Resistant to DoS Attacks Through Defensive Programming | Xiaohu (Tiger) Qie
11:45-11:50 | VFiasco — Towards a fully verified operating-system kernel | Michael Hohmuth
11:50-11:55 | Wormhole Detection in Ad Hoc Networks | Yih-Chun Hu
11:55-12:00 | A Snapshot of Global Internet Worm Activity | Dug Song
12:00-12:05 | Off-the-record Communication | Nikita Borisov
12:05-12:10 | Plutus - enabling secure sharing of persistent data | Erik Riedel
12:10-12:15 | A Signature Matching Engine for Bro | Robin Sommer
12:15-12:20 | Honeyd: A virtual honeypot daemon | Niels Provos
12:20-12:25 | TBA | TBA


Preventing Privilege Escalation

Niels Provos, UMich CITI
provos@citi.umich.edu

Abstract

Many operating system services require special privileges to execute their tasks. A programming error in a privileged service may open the door to system compromise in the form of unauthorized acquisition of privileges. In the worst case, a remote attacker may obtain superuser privileges. In this WIP, I discuss the methodology and design of privilege separation, a generic approach that lets parts of an application run without special privileges. Programming errors occurring in these now unprivileged parts of the application can no longer be abused to gain unauthorized privileges. Privilege separation is orthogonal to capability or role-based security systems and may be used to enhance the security of such systems even further.

As a concrete example, the concept of privilege separation has been implemented in OpenSSH. I illustrate how separation of privileges reduces the amount of OpenSSH code that is executed with privileges. Privilege separation would have prevented past security vulnerabilities in OpenSSH including those that were unknown at the time of its implementation.

URL: http://www.citi.umich.edu/u/provos/ssh/privsep.html
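
The monitor/child split the abstract describes, as an added example in Python (not Provos's OpenSSH code): a privileged monitor forks a child that drops to an unprivileged user and from then on can only request operations from a small allowlist over a socketpair. The allowlist, the /etc-only read policy and the user "nobody" are assumptions for the demo; the privilege drop is a no-op when the demo is not started as root.

```python
import json
import os
import pwd
import socket

# Monitor-side operations. Each validates its own arguments; anything not listed
# here is refused, so a compromised child can only ask for exactly these.
def op_uid(args):
    return {"uid": os.getuid()}

def op_readfile(args):
    path = args.get("path", "")
    # Demo policy (assumption): read-only, below /etc, no traversal. Symlinks
    # inside /etc are not handled; a real monitor would canonicalise first.
    if not path.startswith("/etc/") or "/../" in path or path.endswith("/.."):
        raise PermissionError("path not allowed: " + path)
    with open(path, "rb") as fh:
        return {"head": fh.read(64).decode("latin-1")}

MONITOR_OPS = {"uid": op_uid, "readfile": op_readfile}

def drop_privileges(user="nobody"):
    """Child side: give up root permanently. Returns True if a drop happened."""
    if os.getuid() != 0:
        return False                 # demo started unprivileged: nothing to drop
    pw = pwd.getpwnam(user)
    os.setgroups([])                 # supplementary groups first, while still root
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)             # setuid(), not seteuid(): clears the saved uid too
    try:
        os.setuid(0)                 # must fail now, otherwise the drop is reversible
    except PermissionError:
        return True
    raise RuntimeError("privilege drop did not stick")

def monitor_loop(sock):
    """Privileged side: serve validated requests until the child hangs up.
    Returns a log of (op, decision) pairs."""
    log = []
    rfile = sock.makefile("rb")
    for line in rfile:
        name = None
        try:
            req = json.loads(line)
            name = req.get("op") if isinstance(req, dict) else None
            op = MONITOR_OPS.get(name)
            if op is None:
                raise PermissionError("unknown op")
            resp = {"ok": True, "result": op(req.get("args", {}))}
            log.append((name, "served"))
        except Exception as exc:         # a bad request must not take the monitor down
            resp = {"ok": False, "error": str(exc)}
            log.append((name, "refused"))
        sock.sendall((json.dumps(resp) + "\n").encode())
    rfile.close()
    return log

def child_main(sock, requests):
    """Unprivileged side: drop privileges, then work only through the monitor."""
    drop_privileges()
    rfile = sock.makefile("rb")
    for req in requests:
        sock.sendall((json.dumps(req) + "\n").encode())
        rfile.readline()                 # monitor's answer; unused in this demo
    rfile.close()
    sock.close()

def run_privsep(requests):
    """Fork a monitor/child pair joined by a socketpair; return the monitor's log."""
    mon_end, child_end = socket.socketpair()
    pid = os.fork()
    if pid == 0:                         # child process
        mon_end.close()
        try:
            child_main(child_end, requests)
        finally:
            os._exit(0)
    child_end.close()
    try:
        return monitor_loop(mon_end)
    finally:
        mon_end.close()
        os.waitpid(pid, 0)

if __name__ == "__main__":
    for entry in run_privsep([{"op": "uid"},
                              {"op": "readfile", "args": {"path": "/etc/../root/.bash_history"}},
                              {"op": "exec", "args": {"cmd": "/bin/sh"}}]):
        print(entry)
```

The child checks its drop by attempting setuid(0), which must fail: a seteuid()-only drop leaves the saved uid in place and can be undone. The monitor validates every argument itself rather than trusting the child, because the child is exactly the part assumed to be compromised. OpenSSH additionally chroots its unprivileged process and passes file descriptors instead of file contents; both are left out here.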


Memory Accounting Within a Multitasking Language System

Dave Price, Rice University
dwp@rice.edu

Abstract

In a language runtime that is running many different tasks - applets, servlets, or the like - being able to measure each task's aggregate resource usage is an important part of managing security in such a system. We're designing and implementing a system that determines the heap usage of each task by modifying a garbage collector to measure memory usage as it does its normal work. By processing each task as a separate root set and counting how much memory is reachable from each set, we can gather meaningful information about tasks' memory usage without a significant performance penalty and without changing the manner in which tasks are written and executed.

URL:
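
As an added illustration (not Price's system, which does its counting inside the collector), the same reachability-from-root-set idea can be run over Python's object graph with the gc module: a task's heap charge is the size of everything reachable from its roots. The filter on runtime objects and the sharing policy are assumptions of this demo, and the workload is constructed.

```python
import gc
import sys
import types

# Counted but not traversed: code objects, classes and modules belong to the
# runtime rather than to any one task, and walking them would pull in the
# whole interpreter. A collector-integrated counter gets this for free.
_OPAQUE = (type, types.ModuleType, types.FunctionType, types.BuiltinFunctionType,
           types.MethodType, types.CodeType)

def reachable_bytes(roots):
    """Sum sys.getsizeof() over every object reachable from roots, once each."""
    seen, total, stack = set(), 0, list(roots)
    while stack:
        obj = stack.pop()
        if id(obj) in seen:
            continue
        seen.add(id(obj))
        total += sys.getsizeof(obj)
        if isinstance(obj, _OPAQUE):
            continue
        stack.extend(gc.get_referents(obj))   # container children; leaves give []
    return total

def heap_usage_by_task(task_roots):
    """task_roots: {task: [root objects]} -> {task: bytes reachable from those roots}.
    An object reachable from two tasks is charged to both, which is what a
    per-root-set reachability count gives; charging it to a single owner would
    need an extra tie-breaking rule (assumption of this demo)."""
    return {task: reachable_bytes(roots) for task, roots in task_roots.items()}

def over_quota(usage, quotas):
    """Actuator: tasks whose measured heap exceeds their quota, in name order."""
    return sorted(t for t, n in usage.items() if n > quotas.get(t, float("inf")))

if __name__ == "__main__":
    # Constructed workload: task A holds a 1 MB buffer, task B a list of ints,
    # and both reference one shared 100 kB bytearray.
    big, shared = bytes(1_000_000), bytearray(100_000)
    usage = heap_usage_by_task({"A": [big, shared],
                                "B": [[i for i in range(10_000)], shared]})
    print(usage, over_quota(usage, {"A": 500_000, "B": 10_000_000}))
```

Done as a separate pass this costs one full traversal per task; the WIP's point is that the collector already performs that traversal, so piggybacking the count on it is nearly free and needs no change to how tasks are written.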


Semantics-aware Transformation and Anonymization of Network Traces

Ruoming Pang (Joint work with Vern Paxson), Princeton University and ICSI Center for Internet Research
rpang@cs.princeton.edu

Abstract

Network intrusion detection research suffers from a dearth of publicly available traces of real attacks buried within much larger, real non-attacks. Such traces are invaluable for assessing the operational utility of new detection methods, but traces of actual traffic are almost never made available due to the problem of needing to remove sensitive data in the trace while still preserving non-sensitive packet contents. We observe a key problem is that such trace transformation requires knowledge of the semantics for each data element in the trace; for example, changing "root" when it's a username, but not when it's a filename.

We have developed a "trace rewriter", based on Bro, an intrusion detection system capable of analyzing the semantic structure of a tcpdump trace by converting various protocols into structured data elements. With the semantic structure of a trace exposed, we can then use a script written in Bro's high-level scripting language to transform each data element in a semantics-aware way according to desired policies. The trace rewriter then maps the transformed data back into a new tcpdump trace file, keeping the original packet structure whenever possible. Our experience with a few network protocols suggests that it provides a convenient framework for users to write concise yet powerful trace transformation scripts according to their policies. Because the user scripts deal with structured data fields instead of raw byte streams as input, they needn't worry about the syntax of protocols. The framework also enables other kinds of trace transformations in addition to anonymization. I will also talk about the issues that have come up and design decisions we made, particularly on how we map transformed data fields back to the trace, and offer preliminary thoughts on how to verify the transformation.

URL:
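
The "root as a username versus root as a filename" distinction, as an added example in Python (not the Bro-based rewriter from the WIP): a minimal FTP control-channel parser applies a policy keyed by the meaning of each field, so USER/PASS/ACCT arguments are pseudonymized or removed while filename arguments pass through untouched. The FTP subset, the keyed-hash pseudonym and the trace key are assumptions; the sample session is constructed.

```python
import hashlib
import hmac
import re

# Per-trace secret (constructed for the demo). Same key => same pseudonym for
# the same username across the whole trace, so sessions stay correlatable.
TRACE_KEY = b"constructed-demo-key"

def pseudonym(kind, value, n=8):
    """Keyed, consistent, non-reversible replacement for a sensitive field."""
    mac = hmac.new(TRACE_KEY, ("%s:%s" % (kind, value)).encode(), hashlib.sha256)
    return "%s_%s" % (kind, mac.hexdigest()[:n])

# Policy keyed by the field's meaning (the FTP command), not by its bytes.
# Commands not listed here carry filenames or options and are left alone.
POLICY = {
    "USER": lambda arg: pseudonym("user", arg),
    "ACCT": lambda arg: pseudonym("acct", arg),
    "PASS": lambda arg: "<removed>",
}

FTP_COMMAND = re.compile(r"^([A-Za-z]{3,4})(?:[ \t]+(.+?))?\s*$")

def rewrite_command(line):
    """Rewrite one client->server FTP control line according to POLICY."""
    m = FTP_COMMAND.match(line)
    if not m or m.group(2) is None:
        return line                      # no argument, or not a command line
    cmd, arg = m.group(1).upper(), m.group(2)
    if cmd not in POLICY:
        return line                      # filename or option: semantically safe
    return "%s %s" % (cmd, POLICY[cmd](arg))

def rewrite_trace(packets):
    """packets: [(direction, line)] with direction 'c' (client->server) or 's'.
    Returns the rewritten list in the same order, so packet structure is kept."""
    return [(d, rewrite_command(line) if d == "c" else line) for d, line in packets]

if __name__ == "__main__":
    session = [("c", "USER root"), ("s", "331 Password required for root."),
               ("c", "PASS hunter2"), ("c", "CWD /home/root"), ("c", "RETR root")]
    for direction, line in rewrite_trace(session):
        print(direction, line)
```

Two points carry over to the real tool. The pseudonym is a keyed hash so the same user stays correlatable across the trace without being recoverable. And a server reply such as "331 Password required for root." echoes the username, so a complete policy needs the same mapping applied to parsed replies, which is why the rewriter works from protocol structure rather than raw bytes; checking a transformed trace means re-running the policy over the output, not eyeballing packets.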


Clilets: Web Applications with Private Client-Side Storage

Robert Fischer, Harvard
citibob@eecs.harvard.edu

Abstract

We present the Clilet system, a novel web application protocol and architecture that allows web applications to store significant amounts of data on the client. Client-side data is kept private: it is never transmitted to the server, even in the face of an adversarial server. This will allow web applications to process data that users do not trust giving to the server.

We implement this security by transmitting executable code to the client (browser). A Multi-Domain Sandbox (a simple kind of multi-level system), combined with textual analysis of HTML, is used to enforce security constraints. The Clilet system is built in Java.

URL:


Checking Linux kernel user-space pointer handling with CQual

Rob Johnson and Sailesh Krishnamurthy (with John Kodumal), Berkeley
rtjohnso@EECS.Berkeley.EDU

Abstract

We have used CQual to check the correct handling of user-space pointers in Linux kernel device drivers. Improper handling of user-space pointers in the kernel can lead to kernel memory corruption and a variety of security vulnerabilities. After analyzing over 1200 files, we had 23 reported errors, one of which was a real bug. This led to a bug fix in Linux 2.4.19.

URL:


Segmented Deterministic Packet Marking

John-Paul Fryckman, Department of Computer Science and Engineering, University of California, San Diego
fryckman@SDSC.EDU

Abstract

Funded by a USENIX Student Research Grant

I would like to present a novel approach to locate sources of spoofed packets called Segmented Deterministic Packet Marking (S-DPM). When coupled with source filtering techniques, S-DPM would greatly mitigate distributed denial of service (DDoS) attacks that employ spoofed packets. S-DPM dynamically constructs a pseudo source based routing table out of packet markings. These markings typically represent Autonomous System (AS) numbers. During a packet's flight, its marking changes to denote the last S-DPM-enabled AS that forwarded the packet. Before remarking the packet, an S-DPM router captures the AS number and appends the number to its own source routing table under the prefix of the packet's source IP address. When one suspects that a packet contains a spoofed source address, he queries the upstream AS (denoted by the packet's marking) for its set of observed markings (ASes) belonging to the prefix of the source IP address in this packet. He makes similar queries to these new ASes and continues until he reaches the end, i.e., origins of this particular prefix. Since the process reveals all of the sources for a certain prefix, public routing information and Internet statistics can be employed to isolate the illegitimate origins. This approach neither depends on collecting packets to reconstruct the paths as with contemporary methods nor does it require per-packet state, enabling it to scale without regard to a router's forwarding rate.

URL:
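
A simulation of the marking and traceback described above, added here as an example (not Fryckman's implementation): each S-DPM border router records the incoming marking under the packet's source prefix and then overwrites the marking with its own AS number; traceback walks the resulting pseudo source-routing tables upstream until it reaches ASes that saw unmarked packets, which are the origins. The /24 prefix granularity, the AS numbers and the registry of legitimate origins are constructed for the demo.

```python
import ipaddress
from collections import defaultdict

PREFIX_LEN = 24   # granularity of the pseudo source-routing table (assumption)

def prefix_of(addr):
    return str(ipaddress.ip_network("%s/%d" % (addr, PREFIX_LEN), strict=False))

class SDPMRouter:
    """Border router of an S-DPM-enabled AS."""
    def __init__(self, asn):
        self.asn = asn
        self.table = defaultdict(set)    # source prefix -> upstream markings seen

    def forward(self, pkt):
        # Record who handed us packets claiming this source prefix, then remark.
        # This is per-prefix state, not per-packet state.
        self.table[prefix_of(pkt["src"])].add(pkt["mark"])
        pkt["mark"] = self.asn
        return pkt

class PlainRouter:
    """AS without S-DPM: forwards untouched, so it is invisible to traceback."""
    def __init__(self, asn):
        self.asn = asn

    def forward(self, pkt):
        return pkt

def send(path, src, dst):
    pkt = {"src": src, "dst": dst, "mark": None}   # None = not marked yet
    for router in path:
        pkt = router.forward(pkt)
    return pkt

def traceback(routers, prefix, last_mark):
    """Query upstream ASes for `prefix`, starting from the AS that last marked
    the packet, until reaching ASes that saw unmarked packets: the origins."""
    origins, seen, todo = set(), set(), [last_mark]
    while todo:
        asn = todo.pop()
        if asn in seen:
            continue
        seen.add(asn)
        for upstream in routers[asn].table.get(prefix, ()):
            if upstream is None:
                origins.add(asn)
            else:
                todo.append(upstream)
    return origins

def spoofed_origins(routers, prefix, last_mark, registry):
    """Origins observed for `prefix` that routing data does not list as announcing it."""
    return traceback(routers, prefix, last_mark) - registry.get(prefix, set())

if __name__ == "__main__":
    routers = {asn: SDPMRouter(asn) for asn in (100, 200, 300, 400, 500)}
    send([routers[100], routers[200], PlainRouter(250), routers[300]], "10.1.1.5", "192.0.2.1")
    victim_pkt = send([routers[400], routers[500], routers[300]], "10.1.1.7", "192.0.2.1")
    pfx = prefix_of(victim_pkt["src"])
    print(traceback(routers, pfx, victim_pkt["mark"]),
          spoofed_origins(routers, pfx, victim_pkt["mark"], {pfx: {100}}))
```

Note what the scheme does and does not need: no per-packet state and no packet collection, but every S-DPM AS must answer queries about a prefix it has forwarded, and the marking must fit an AS number into the IP header, which the abstract does not say how to carry.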


Turing: a fast software stream cipher

Greg Rose, Qualcomm Australia
ggr@qualcomm.com

Abstract

Turing is a stream cipher designed to be extremely fast in software, with a small footprint, and amenable to hardware implementation. It is based on an innovative combination of a word-wide Linear Feedback Shift Register, and a block-cipher-like round function with a key-dependent S-box.

URL:


Active Mapping: Resisting NIDS Evasion Without Altering Traffic

Umesh Shankar, Berkeley
ushankar@cs.berkeley.edu

Abstract

A Network Intrusion Detection System (NIDS) passively monitors a network for activity that signals possible attacks. A critical problem faced by a NIDS is that of ambiguity: the NIDS does not always know what traffic reaches a given host nor how that host will interpret the traffic. This problem is fundamental to passive monitors: no amount of careful or thorough coding can resolve TCP/IP-based ambiguities. The threat is real; toolkits have been written to automatically implement evasions based on these ambiguities [fragroute, phrack]. Previous work has proposed addressing the evasion threat using traffic normalization, in which traffic streams are modified to remove ambiguities [norm]. We explore another approach, Active Mapping, which works by building profiles of the network topology and the TCP/IP policies of hosts on the network by sending specially crafted packets to each host. The NIDS then uses the analysis results to disambiguate the interpretation of the network traffic on a per-host basis. Thus, a major advantage of Active Mapping is that it does not require any interception or modification of the traffic stream.

We developed a prototype implementation of Active Mapping and modified an actual NIDS (Bro) to use Active Mapping data. We found considerable diversity in TCP/IP policy in real-world mapping tests, underscoring the need for this type of disambiguation. There was virtually no runtime cost to AM in the NIDS in offline testing. We are planning to deploy Active Mapping on real networks at LBNL to gather statistics on its effectiveness and performance cost.

URL:
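
An added example in Python (not Shankar's prototype) of the ambiguity and of how a host profile removes it: two overlapping TCP segments reassemble differently under two illustrative overlap policies, so the same packets are benign for one host and carry the signature for another. The map_host probe stands in for the crafted-packet mapping step, with a function in place of a real host's stack. The policy names and the sample segments are constructed, and real operating systems have more and subtler policies than these two.

```python
# Two TCP overlap-resolution policies from the space a mapper has to tell
# apart (illustrative names; real stacks differ by OS and version):
#   'first': data that arrived first wins for an overlapped byte
#   'last' : later data overwrites earlier data
def reassemble(segments, policy):
    """segments: [(seq, bytes)] in arrival order -> reassembled bytes.
    Gaps are filled with NUL so offsets stay aligned."""
    stream = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = byte
    if not stream:
        return b""
    return bytes(stream.get(i, 0) for i in range(min(stream), max(stream) + 1))

def map_host(host_reassemble):
    """Active Mapping probe: send an overlap the host must resolve and look at
    what it echoes back. host_reassemble stands in for the real host (in
    practice an echo or HTTP service on the target)."""
    probe = [(0, b"AAAA"), (2, b"BBBB")]
    got = host_reassemble(probe)
    if got == b"AABBBB":
        return "last"
    if got == b"AAAABB":
        return "first"
    return "unknown"

def nids_check(segments, signature, dst_host, host_policies):
    """Returns 'alert', 'clean' or 'ambiguous'.
    With a profile for dst_host the NIDS reassembles the way that host will;
    without one it has to try every policy and may be unable to decide."""
    if dst_host in host_policies:
        policies = [host_policies[dst_host]]
    else:
        policies = ["first", "last"]
    verdicts = {signature in reassemble(segments, p) for p in policies}
    if verdicts == {True}:
        return "alert"
    if verdicts == {False}:
        return "clean"
    return "ambiguous"

if __name__ == "__main__":
    # Constructed evasion: a benign request, then an overlapping segment that
    # rewrites the path only on hosts that prefer later data.
    segs = [(0, b"GET /index.html HTTP/1.0"), (5, b"cmd.exe   ")]
    profile = {"10.0.0.1": map_host(lambda s: reassemble(s, "last"))}
    print(reassemble(segs, "first"), reassemble(segs, "last"))
    print(nids_check(segs, b"cmd.exe", "10.0.0.1", {}),
          nids_check(segs, b"cmd.exe", "10.0.0.1", profile))
```

Without a profile the NIDS either reports the stream as ambiguous or pays to evaluate every policy; with one it reassembles the way the target will, and nothing on the wire was changed to get there.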


Making Software Resistant to DoS Attacks Through Defensive Programming

Xiaohu (Tiger) Qie (with Ruoming Pang and Larry Peterson), Princeton University
qiexh@CS.Princeton.EDU

Abstract

We believe the lack of a general and effective defense against Denial-of-Service attacks is due to two reasons. First, DoS attacks do not attempt to intrude into the target system by breaching security measures. Nor do they rely on software bugs. DoS attacks prevail by abusing legitimate system functionalities, to the extent that the server becomes unresponsive or the quality of its service is seriously damaged. Due to this unique nature, current techniques that offer protection by checking for security violations and buffer overflow bugs are not effective against DoS attacks. Second, many DoS vulnerabilities can be attributed to the separation of software functionality and protection. When developing software, programmers primarily focus on functionality. Protecting code from attacks is often considered the responsibility of the OS, firewalls and intrusion detection systems. As a result, many DoS vulnerabilities are not discovered until the system is attacked and the damage is done.

Instead of reacting to attacks after the fact, we are exploring a more active approach: making the software itself defensive, by which we mean the programmer embeds general protection mechanisms into the software. These mechanisms offer systematic and proactive protection against DoS attacks. In our ongoing work, we are studying common DoS attack characteristics, and have built a toolkit that provides an interface programmers use to annotate their code as a means of specifying a general resource management policy. With compiler assistance, these annotations are translated into runtime sensors and actuators that watch for resource abuse and take appropriate action should abuse be detected. Preliminary results with three widely-deployed network services are promising. We found that several DoS vulnerabilities exist in all test cases and that software augmented with the annotation toolkit is more resilient under attack.

URL:
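
An added example in Python (not the Princeton toolkit, whose sensors are inserted with compiler help) of the sensor/actuator pattern the abstract describes: a monitor keeps per-principal resource counters and CPU budgets, an annotation attaches them to service code, and when a peer exceeds a limit the actuator refuses that peer rather than letting the whole service degrade. The limits, the half-open-connection resource and the quadratic request handler are constructed for the demo.

```python
import time
from collections import defaultdict
from functools import wraps

class ResourceAbuse(Exception):
    pass

class Monitor:
    """Sensors (per-principal counters, CPU budgets) and actuators (refuse or
    ban the offending principal) that annotated service code reports to."""
    def __init__(self):
        self.limits = {}
        self.in_use = defaultdict(lambda: defaultdict(int))
        self.banned = set()
        self.events = []

    def limit(self, resource, per_principal):
        self.limits[resource] = per_principal

    def acquire(self, resource, who):
        """Sensor: `who` takes one unit of `resource`; the actuator refuses
        once that principal is at its limit, leaving other peers unaffected."""
        if who in self.banned or self.in_use[resource][who] >= self.limits[resource]:
            self.events.append(("refuse", resource, who))
            raise ResourceAbuse(resource, who)
        self.in_use[resource][who] += 1

    def release(self, resource, who):
        self.in_use[resource][who] -= 1

    def cpu_overrun(self, who, spent):
        """Actuator for CPU abuse: drop this principal, keep serving the others."""
        self.events.append(("ban", "cpu", who))
        self.banned.add(who)

def cpu_budget(monitor, seconds):
    """Annotation: the decorated handler may spend at most `seconds` of CPU per
    call on behalf of its principal (the handler's first argument)."""
    def deco(fn):
        @wraps(fn)
        def wrapper(who, *args, **kwargs):
            if who in monitor.banned:
                monitor.events.append(("refuse", "cpu", who))
                raise ResourceAbuse("cpu", who)
            start = time.process_time()
            try:
                return fn(who, *args, **kwargs)
            finally:
                spent = time.process_time() - start
                if spent > seconds:
                    monitor.cpu_overrun(who, spent)
        return wrapper
    return deco

def make_handler(monitor):
    @cpu_budget(monitor, 0.01)           # assumption: 10 ms of CPU per request
    def handle_request(who, body):
        # Constructed pathological handler, quadratic in the input size: the
        # legitimate-but-abusable functionality the abstract talks about.
        return sum(body.count(ch) for ch in body)
    return handle_request

def simulate():
    """Constructed scenario: one abusive peer, one well-behaved peer."""
    monitor = Monitor()
    monitor.limit("half_open", 3)        # assumption: 3 pending handshakes per peer
    handle = make_handler(monitor)
    out = {}
    for _ in range(3):                   # SYN flood: handshakes never completed
        monitor.acquire("half_open", "evil")
    try:
        monitor.acquire("half_open", "evil")
        out["evil_4th_syn"] = "accepted"
    except ResourceAbuse:
        out["evil_4th_syn"] = "refused"
    monitor.acquire("half_open", "good")
    out["good_syn"] = "accepted"
    monitor.release("half_open", "good") # the good peer completes its handshake
    handle("evil", "x" * 40000)          # blows the CPU budget: peer gets banned
    try:
        handle("evil", "x")
        out["evil_after_ban"] = "served"
    except ResourceAbuse:
        out["evil_after_ban"] = "refused"
    out["good_request"] = handle("good", "abc")
    out["events"] = list(monitor.events)
    return out

if __name__ == "__main__":
    for k, v in simulate().items():
        print(k, v)
```

The per-principal counter is the same idea as a SYN backlog limit, but placed by the programmer at the point where the resource is actually held, so the limit follows the real resource rather than whatever the OS or firewall happens to see.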


VFiasco — Towards a fully verified operating-system kernel

Michael Hohmuth, Dept. of Computer Science, Operating Systems Group, TU Dresden
hohmuth@inf.tu-dresden.de

Abstract

The VFiasco project aims at the mechanical verification of security-relevant properties of the L4-compatible Fiasco microkernel. The goal of the project is an operating-system kernel that provides verified security guarantees. Such a kernel could be used as a basis for building applications with high-level security requirements. Verification is very expensive (both in man power and time); for success it is crucial to minimize the size of the system. Huge bug-afflicted monolithic kernels are outside the scope of current verification technologies. On the other hand, microkernels are the smallest kernels that provide an anchor for building secure systems: separate protected address spaces. Therefore, they are the best choice for constructing a verified secure system.

To our knowledge, the VFiasco project is unique in scope and intended thoroughness. We aim at modeling all of the kernel's source code in very fine grain, and we intend to "run" this software model on a hardware model that closely resembles real hardware. These qualities are meant to establish an as-yet unseen level of confidence in our software. Our formal-verification approach exceeds even what is necessary to fulfill the development requirements of the Common Criteria's highest assurance level, EAL7 (equivalent to Orange Book level A1, or European ITSEC level E6).

URL: www.vfiasco.org


Wormhole Detection in Ad Hoc Networks

Yih-Chun Hu, CMU
yihchun@cs.cmu.edu

Abstract

Neighbor detection forms the basis of any network routing protocol. In ad hoc networks, secure neighbor detection becomes particularly difficult, because neighbor detection messages can be wormholed: that is, a message from one part of the network can be received by an attacker, transmitted to another location in the network, and retransmitted there. In this work, we introduce the concept of a leash, which is an authenticated value that bounds the distance the packet can travel to a legitimate node. We describe two kinds of leashes: temporal leashes and location leashes.

URL: http://monarch.cs.rice.edu/papers.html
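
Temporal and geographic leashes, as an added example in Python (not Hu's implementation): the sender binds its send time and position to the payload with a MAC, and the receiver rejects packets that could not have arrived from within radio range. Pairwise HMAC keys are assumed here in place of the broadcast authentication an ad hoc network would need; the clock-skew, speed, range and position parameters are constructed.

```python
import hashlib
import hmac
import math
import struct

C = 299_792_458.0                  # m/s; a radio packet cannot outrun light
HEADER = struct.Struct(">ddd")     # send time, x, y
TAG_LEN = 32

def leash_packet(key, payload, t_send, pos):
    """Sender: bind send time and position to the payload with a MAC.
    (Assumption: a pairwise key; the WIP's scheme authenticates broadcasts.)"""
    header = HEADER.pack(t_send, pos[0], pos[1])
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

def parse_leash(key, pkt):
    """Receiver: verify the MAC first. A wormhole can replay the packet, but it
    cannot rewrite the timestamp or position without the key."""
    if len(pkt) < HEADER.size + TAG_LEN:
        return None
    header, payload, tag = pkt[:HEADER.size], pkt[HEADER.size:-TAG_LEN], pkt[-TAG_LEN:]
    expect = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    t_send, x, y = HEADER.unpack(header)
    return t_send, (x, y), payload

def temporal_leash_ok(key, pkt, t_recv, max_range, clock_skew):
    """Accept only if the packet can have travelled at most max_range metres,
    allowing clock_skew seconds of synchronisation error between the nodes."""
    parsed = parse_leash(key, pkt)
    if parsed is None:
        return False
    t_send, _, _ = parsed
    return (t_recv - t_send + clock_skew) * C <= max_range

def geographic_leash_ok(key, pkt, t_recv, my_pos, max_range,
                        clock_skew, max_speed, pos_error):
    """Accept only if the claimed sender position, plus how far both nodes could
    have moved since t_send, plus positioning error, lies within max_range."""
    parsed = parse_leash(key, pkt)
    if parsed is None:
        return False
    t_send, (x, y), _ = parsed
    distance = math.hypot(x - my_pos[0], y - my_pos[1])
    bound = distance + 2 * max_speed * (t_recv - t_send + clock_skew) + pos_error
    return bound <= max_range

if __name__ == "__main__":
    key, t0 = b"constructed-pairwise-key", 1000.0
    pkt = leash_packet(key, b"HELLO", t0, (0.0, 0.0))
    print("direct:", temporal_leash_ok(key, pkt, t0 + 100 / C, 250.0, 1e-7))
    print("via wormhole:", temporal_leash_ok(key, pkt, t0 + 1e-3, 250.0, 1e-7))
    print("geo, 100 m:", geographic_leash_ok(key, pkt, t0 + 1e-3, (100.0, 0.0),
                                             250.0, 1e-3, 10.0, 5.0))
    print("geo, 5 km:", geographic_leash_ok(key, pkt, t0 + 1e-3, (5000.0, 0.0),
                                            250.0, 1e-3, 10.0, 5.0))
```

The temporal leash needs tightly synchronized clocks, since light covers 300 m in a microsecond; the geographic leash tolerates millisecond-level skew at the cost of needing positions, which is the trade-off between the two variants. In both cases the authentication is what makes the bound mean anything: without it the wormhole just rewrites the timestamp.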


A Snapshot of Global Internet Worm Activity

Dug Song, Arbor Networks, Inc.
dugsong@arbor.net

Abstract

In this talk, we present the results of 6 months' monitoring of an unused class A network (from September 2001 to April 2002), bearing witness to the rise of Nimda, the death of CodeRedII, and the periodic resurrection of CodeRed, as well as other network flotsam and jetsam.

URL: http://www.monkey.org/~dugsong/talks/first02/


Off-the-record Communication

Nikita Borisov (with Ian Goldberg and Eric Brewer), Berkeley
nikitab@cs.berkeley.edu

Abstract

The Internet is frequently used for private communications, and cryptography is a natural mechanism to protect them. However, most commonly used systems use long-lived encryption keys (subject to compromise) for confidentiality, and digital signatures (which provide strong, and in some jurisdictions, legal, proof of authorship) for authenticity.

We claim that most social communications online should have just the opposite of the above two properties; namely, they should have perfect forward secrecy and repudiability. We have developed a protocol for secure instant messaging called "off-the-record messaging" which has properties better suited for casual conversation than systems like PGP or S/MIME; a prototype implementation is currently in development. We are also working on a solution for use with email and other forms of Internet communications.

URL:


Plutus - enabling secure sharing of persistent data

Erik Riedel, Seagate Research
erik.riedel@seagate.com

Abstract

Joint work with Kevin Fu, Mahesh Kallahalla, Ram Swaminathan, and Qian Wang while at HP Labs, Palo Alto, CA.

Storage security, the problem of protecting stored data, is a key problem in security research today. The problem of securely sharing data between multiple users presents a number of challenges different from those addressed in traditional network security. In this paper, we introduce a series of novel uses of cryptographic primitives to solve problems particular to protecting and sharing long-term persistent data. We detail mechanisms that allow an untrusted server to authorize file writes, distinguish data read and write access using the encryption itself, manage the number of cryptographic keys in the system using filegroups, and efficiently handle user revocation. These primitives form the basis of a new secure storage system that we are building, which does not rely on trusted servers and is highly scalable in key management while allowing individual users to retain direct control over access to their data.

URL: http://www.hpl.hp.com/SSP/papers/#Security


A Signature Matching Engine for Bro

Robin Sommer, TU Munich (Germany), ICIR
robin@icir.org

Abstract

A common approach to network intrusion detection is to match a given set of attack signatures against observed network traffic. We are working on an efficient and powerful implementation of a signature matching engine for the IDS Bro. We use regular expressions as our basic tool for pattern matching, and we make use of the large amount of state information that is already provided by Bro.

During implementation and evaluation of our engine, we have come across several issues that give us interesting insights into various aspects of signature matching in general (tradeoffs between resources, benchmarking peculiarities, variations in the quality of widely-deployed signatures).

This is joint work with Vern Paxson (ICIR). I am a Ph.D. student at the Technical University of Munich, Germany. I am currently spending an internship at ICIR, Berkeley, CA.

URL:


Honeyd: A virtual honeypot daemon

Niels Provos, UMich CITI
provos@citi.umich.edu

Abstract

Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their TCP personality can be adapted so that they appear to be running certain versions of operating systems. Honeyd enables a single host to claim multiple addresses on a LAN for network simulation.

URL: http://www.citi.umich.edu/u/provos/honeyd/


Last changed: 12 Aug 2002 aw