WORK-IN-PROGRESS REPORTS (WIPS)

Accepted WiPs

The following WiPs will be presented on Friday, August 1, 2008, 2:00 p.m.–3:30 p.m., in the Regency Ballroom.

Detecting Injected TCP Reset Packets
Nicholas Weaver and Robin Sommer, ICSI; Vern Paxson, University of California, Berkeley and ICSI

Recently, injected TCP Resets (RSTs) have gotten considerable attention for their use in both censorship and traffic management. We have developed an efficient passive detector for TCP Reset packets in Click, based on observing packet race conditions. We operated this detector on the border of multiple sites, where we were able to observe and fingerprint sources of injected RST packets to determine how our users were affected.

We were able to both detect and fingerprint RST injectors, including the dynamic P2P blocking by Comcast, Cox, and other ISPs, gain new insight into the behavior of the Great Firewall of China (which appears to use at least four distinct devices, with multiple devices apparently along the same path), and observe apparent spam and malcode blocking using injected RST packets.

ROFL: Routing as the Firewall Layer
Steve Bellovin, Columbia University

We propose a firewall architecture that treats port numbers as part of the IP address. Hosts permit connectivity to a service by advertising the IPaddr:port/48 address; they block connectivity by ensuring that there is no route to it. This design, which is especially well-suited to MANETs, provides greater protection against insider attacks than do conventional firewalls, but drops unwanted traffic far earlier than distributed firewalls do.

A Web Without the Same Origin Policy
Francis Hsu, Steven Crites, and Hao Chen, University of California, Davis

The Same Origin Policy (SOP) has served as the de facto security policy for web browsers since 1996. However, as web applications grow more complex such as with mashups, the policy doesn't allow for the cross-domain communication desired by those authors. Furthermore, exploits such as Cross-Site Request Forgery can bypass the intended SOP isolation. We propose a policy for web browsers that disallows all access to a document unless explicitly granted. We treat web documents as objects and allow communication between objects only via their declared public interfaces. This policy can provide the trust relationships needed by mashup authors while also securing web documents previously susceptible to attacks under the SOP.

The Cost of Free Calls: Identifying English Accents in Encrypted Skype Traffic
Paul DiOrio, Rachel Lathbury, and David Evans, University of Virginia

With over 309 million users registered on its peer-to-peer network Skype is one of the most popular Voice over IP (VoIP) clients world-wide. Due to privacy concerns, VoIP calls made over the Internet should be encrypted, especially on a peer-to-peer framework. Despite encryption, prior techniques developed at Johns Hopkins University exploit bandwidth-saving Variable Bit Rate (VBR) audio encoding in VoIP clients to gain information on the underlying speech [2, 3]. Our work-in-progress demonstrates that Skype's current encryption does not protect users to the extent that they may expect. Because Skype audio is encoded using VBR methods, we are able to extract valuable information from encrypted calls. Specifically, we attempt to uncover which accent of English is spoken during a Skype session by observing the stream of packet lengths in transit. Our preliminary analysis of seven English accents yields encouraging results. With only short audio samples for any given language pair, our early binary classifier (e.g., ?Does this speaker have an Arabic or Cantonese accent??) achieves greater than 50% accuracy in 90% of cases. The average accuracy for all language pairs is 73%. We are working on analyzing how well the attack can be improved when longer audio samples are available, in particular, if it is possible to detect specific speakers.

Mementos, a Secure Platform for Batteryless Pervasive Computing
Benjamin Ransford, University of Massachusetts Amherst

I will discuss Mementos, a new general-purpose platform for secure computation on batteryless computers. Batteryless computers, such as those we call computational RFIDs (for example, the WISP tag from Intel Research), work on harvested energy and cannot depend on a constantly available power supply. This means that, unlike computations on PCs, computations on batteryless computers must tolerate disruption because loss of power is the common case. I will discuss preliminary results indicating that our approach, which combines checkpointing and measurement strategies, is feasible.

The Debian OpenSSL Bug and Its Effect on SSL
Hovav Shacham and Brandon Enright, University of California, San Diego; Eric Rescorla, RTFM, Inc.; Stefan Savage, University of California, San Diego

In 2006, a changed was introduced to the OpenSSL package included in Debian and Debian-derived distributions that eliminated all but a small amount of entropy from the PRNG used for key generation and other cryptographic tasks.

We have been studying the effect of this bug on SSL use on the Internet, using a daily survey of the the X.509 certificates of a large number of popular https sites.

In this talk I will present some of our major findings and preliminary conclusions.

An Enhancement of Windows Device Driver Debugging Mechanism for VMM-based Live Forensics
Ando Ruo, NICT, Japan

Live forensics is growing concern. VMM based observation is also hot topic. However, currently Windows has no means to VMM of notify incidents and transfer detailed information to control domain. We are improving Windows device driver debugging mechanism for VMM based live forensics. There are three mechanisms to improve for VMM based live forensics. We insert debug register operation into DLL injection, IDT modification and filter driver based API hooking. Also, DR register handler of VMM is modified. There are two ways to receive information from our improved Windows device driver mechanism. First, an enhancement of snapshot utilities makes it possible to transfer information between guest windows and control domain. Second, memory of virtualized windows in VMM module can be transferred by mmap() to memory space of control domain. Finally, we are improving copy-on-write utility of VMM to prevent illegal disk writing. Proposed system enables live forensics of Windows and makes it possible to detect illegal file write without (before) committing changes of hard disk.

Botnet Enumeration: The Nugache Case
Sven Dietrich, Stevens Institute of Technology; David Dittrich, University of Washington

We present a series of long-term enumeration experiments on the Nugache botnet. Nugache is a pure P2P bot using encrypted P2P for all its C&C communications. The current results show the problem of counting bots in P2P botnets, and as well as some regular patterns in the size of the botnet.