Abstract

In a language runtime that is running many different tasks - applets, servlets, or the like - being able to measure each task's aggregate resource usage is an important part of managing security in such a system. We're designing and implementing a system that determines the heap usage of each task by modifying a garbage collector to measure memory usage as it does its normal work. By processing each task as a separate root set and counting how much memory is reachable from each set, we can gather meaningful information about tasks' memory usage without a significant performance penalty and without changing the manner in which tasks are written and executed.

URL:

Abstract

Network intrusion detection research suffers from a dearth of publicly available traces of real attacks buried within much larger, real non-attacks. Such traces are invaluable for assessing the operational utility of new detection methods, but traces of actual traffic are almost never made available due to the problem of needing to remove sensitive data in the trace while still preserving non-sensitive packet contents. We observe a key problem is that such trace transformation requires knowledge of the semantics for each data element in the trace; for example, changing "root" when it's a username, but not when it's a filename.

We have developed a "trace rewriter", based on Bro, an intrusion detection system capable of analyzing the semantic structure of a tcpdump trace by converting various protocols into structured data elements. With the semantic structure of a trace exposed, we can then use a script written in Bro's high-level scripting language to transform each data element in a semantics-aware way according to desired policies. The trace rewriter then maps the transformed data back into a new tcpdump trace file, keeping the original packet structure whenever possible. Our experience with a few network protocols suggests that it provides a convenient framework for users to write concise yet powerful trace transformation scripts according to their policies. Because the user scripts deal with structured data fields instead of raw byte streams as input, they needn't worry about the syntax of protocols. The framework also enables other kinds of trace transformations in addition to anonymization. I will also talk about the issues that have come up and design decisions we made, particularly on how we map transformed data fields back to the trace, and offer preliminary thoughts on how to verify the transformation.

URL:

Abstract

We present the Clilet system, a novel web application protocol and architecture that allows web applications to store significant amounts of data on the client. Client-side data is kept private: it is never transmitted to the server, even in the face of an adversarial server. This will allow web applications to process data that users do not trust giving to the server.

We implement this security by transmitting executable code to the client (browser). A Multi-Doman Sandbox (a simple kind of multi-level system), combined with textual analysis of HTML, is used to enforce security constraints. The Clilet system is built in Java.

URL:

Abstract

We have used CQual to check the correct handling of user-space pointers in Linux kernel device drivers. Improper handling of user-space pointers in the kernel can lead to kernel memory corruption and a variety of security vulnerabilities. After analyzing over 1200 files, we had 23 reported errors, one of which was a real bug. This led to a bug fix in Linux 2.4.19.

URL:

Abstract

Funded by a USENIX Student Research Grant

I would like to present a novel approach to locate sources of spoofed packets called Segmented Deterministic Packet Marking (S-DPM). When coupled with source filtering techniques, S-DPM would greatly mitigate distributed denial of service (DDOS) attacks that employ spoofed packets. S-DPM dynamically constructs a pseudo source based routing table out of packet markings. These markings typically represent Autonomous System (AS) numbers. During a packet's flight, its marking changes to denote the last S-DPM enabled AS that forwarded the packet. Before remarking the packet, an S-DPM router captures the AS number and appends the number to its own source routing table under the prefix of the packet's source IP address. When one suspects that a packet contains a spoofed source address, he queries the upstream AS.denoted by the packet's marking.for its set of observed markings (ASes) belonging to the prefix of the source IP address in this packet. He makes similar queries to these new ASes and continues until he reaches the end, i.e., origins of this particular prefix. Since the process reveals all of the sources for a certain prefix, public routing information and Internet statistics can be employed to isolate the illegitimate origins. This approach neither depends on collecting packets to reconstruct the paths as with contemporary methods nor does it require per packet state.enabling it to scale without regard to a router's forwarding rate.

URL: