WORK-IN-PROGRESS REPORTS (WIPS)
Accepted WiPs
The following WiPs will be presented on Friday, August 1, 2008, 2:00 p.m.–3:30 p.m., in the Regency Ballroom.
Detecting Injected TCP Reset Packets
Nicholas Weaver and Robin Sommer, ICSI;
Vern Paxson, University of California, Berkeley and ICSI
Recently, injected TCP Resets (RSTs) have gotten considerable
attention for their use in both censorship and traffic management. We
have developed an efficient passive detector for TCP Reset packets in
Click, based on observing packet race conditions. We operated this
detector on the border of multiple sites, where we were able to
observe and fingerprint sources of injected RST packets to determine
how our users were affected.
We were able to both detect and fingerprint RST injectors, including
the dynamic P2P blocking by Comcast, Cox, and other ISPs, gain new
insight into the behavior of the Great Firewall of China (which
appears to use at least four distinct devices, with multiple devices
apparently along the same path), and observe apparent spam and malcode
blocking using injected RST packets.
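The race condition the detector relies on can be shown in a few lines. The following is an added example, not the authors' Click implementation: a passive monitor that holds each RST until it sees what the same sender does next. A genuine endpoint sends nothing after resetting a connection, so a segment that follows the RST within a short window means the RST came from a third party racing the real endpoint. A TTL or sequence-number mismatch between the RST and the sender's other packets is recorded as supporting evidence for fingerprinting. The packet format, field names and the trace are constructed for this example.

```python
"""Passive detector for injected TCP RSTs based on packet races.

Added example (not the Click detector described above). Every packet is a
constructed record; real deployments would feed it from a capture library.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Pkt:
    ts: float          # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int           # TCP sequence number
    flags: str         # any subset of "SAFR"
    payload: int = 0   # bytes of data carried
    ttl: int = 64      # IP TTL as seen at the monitor


SideKey = Tuple[str, int, str, int]  # (src, sport, dst, dport): one direction of a flow


@dataclass
class SideState:
    next_seq: Optional[int] = None   # next sequence number we expect this side to send
    ttl: Optional[int] = None        # TTL seen on this side's non-RST packets
    pending_rst: Optional[Pkt] = None


class RstRaceDetector:
    def __init__(self, race_window: float = 2.0):
        self.race_window = race_window          # seconds after an RST in which more traffic is suspicious
        self.sides: Dict[SideKey, SideState] = {}
        self.alerts: List[dict] = []

    def process(self, p: Pkt) -> None:
        key: SideKey = (p.src, p.sport, p.dst, p.dport)
        st = self.sides.setdefault(key, SideState())
        if "R" in p.flags:
            # Hold the RST; we judge it only once we see what this sender does next.
            st.pending_rst = p
            return
        if st.pending_rst is not None:
            rst = st.pending_rst
            st.pending_rst = None
            if p.ts - rst.ts <= self.race_window:
                evidence = ["sender continued after RST"]
                if st.next_seq is not None and rst.seq != st.next_seq:
                    evidence.append("RST seq %d != expected %d" % (rst.seq, st.next_seq))
                if st.ttl is not None and rst.ttl != st.ttl:
                    evidence.append("RST ttl %d != sender ttl %d" % (rst.ttl, st.ttl))
                self.alerts.append({"flow": key, "rst_ts": rst.ts, "evidence": evidence})
        # Advance the expected sequence number for this direction (SYN and FIN consume one each).
        consumed = p.payload + ("S" in p.flags) + ("F" in p.flags)
        st.next_seq = p.seq + consumed
        st.ttl = p.ttl


def example_trace() -> List[Pkt]:
    """Constructed trace: client 10.0.0.5 talks to 192.0.2.10:80. A middlebox
    injects a RST claiming to be the server, and the real server's reply
    races in right behind it. A second connection gets a genuine RST."""
    c, s = ("10.0.0.5", 40000), ("192.0.2.10", 80)
    return [
        Pkt(0.00, c[0], c[1], s[0], s[1], seq=1000, flags="S", ttl=64),
        Pkt(0.05, s[0], s[1], c[0], c[1], seq=5000, flags="SA", ttl=52),
        Pkt(0.06, c[0], c[1], s[0], s[1], seq=1001, flags="A", ttl=64),
        Pkt(0.07, c[0], c[1], s[0], s[1], seq=1001, flags="A", payload=120, ttl=64),
        # injected RST: correct sequence number (the injector saw the stream) but a different TTL
        Pkt(0.09, s[0], s[1], c[0], c[1], seq=5001, flags="R", ttl=47),
        # the genuine server response arrives 10 ms later
        Pkt(0.10, s[0], s[1], c[0], c[1], seq=5001, flags="A", payload=800, ttl=52),
        # genuine reset of a SYN to a closed port: nothing follows it, so no alert
        Pkt(0.20, c[0], 40001, s[0], 443, seq=2000, flags="S", ttl=64),
        Pkt(0.25, s[0], 443, c[0], 40001, seq=0, flags="RA", ttl=52),
    ]


def detect(trace: List[Pkt]) -> List[dict]:
    det = RstRaceDetector()
    for p in sorted(trace, key=lambda q: q.ts):
        det.process(p)
    return det.alerts


if __name__ == "__main__":
    for alert in detect(example_trace()):
        print(alert)
```

Only the first connection produces an alert; the genuine RST on the second connection is never followed by more traffic from its sender, so it is left alone. The TTL evidence is what lets a site group alerts by injector, since each device sits at a fixed hop distance from the monitor.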
ROFL: Routing as the Firewall Layer
Steve Bellovin, Columbia University
We propose a firewall architecture that treats port numbers as part
of the IP address. Hosts permit connectivity to a service by
advertising the IPaddr:port/48 address; they block connectivity by
ensuring that there is no route to it. This design, which is
especially well-suited to MANETs, provides greater protection against
insider attacks than do conventional firewalls, but drops unwanted
traffic far earlier than distributed firewalls do.
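The mechanism is easiest to see as a routing table. The following added example (not the ROFL prototype) models a 48-bit destination as the 32-bit IPv4 address followed by the 16-bit port, which is this example's reading of the "IPaddr:port/48" notation, and performs ordinary longest-prefix matching on it. A host advertises a /48 route for each service it offers; a packet to any other port on that host simply has no route and is dropped by the router, with no per-packet firewall rule involved. Transit routers can still carry an aggregate prefix, so the drop happens at the last router that lacks the specific /48.

```python
"""Routing as the firewall layer: reachability decided by route lookup.

Added example, not ROFL's own code. Addresses are 48-bit integers built
from an IPv4 address and a port; all hosts, interfaces and prefixes below
are constructed for the example.
"""
import ipaddress
from typing import Dict, Optional, Tuple

ADDR_BITS = 48


def rofl_addr(ip: str, port: int) -> int:
    """48-bit destination: 32-bit IPv4 address in the high bits, port in the low 16."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    return (int(ipaddress.IPv4Address(ip)) << 16) | port


class RoflRouter:
    def __init__(self) -> None:
        # (prefix value, prefix length) -> next hop
        self.routes: Dict[Tuple[int, int], str] = {}

    def advertise(self, ip: str, port: int, next_hop: str) -> None:
        """A host permits a service by advertising its IPaddr:port/48 route."""
        self.routes[(rofl_addr(ip, port), ADDR_BITS)] = next_hop

    def withdraw(self, ip: str, port: int) -> None:
        """Blocking a service is just withdrawing its route."""
        self.routes.pop((rofl_addr(ip, port), ADDR_BITS), None)

    def add_aggregate(self, cidr: str, next_hop: str) -> None:
        """Transit routers carry a normal IPv4 prefix, shifted into the 48-bit space."""
        net = ipaddress.IPv4Network(cidr)
        self.routes[(int(net.network_address) << 16, net.prefixlen)] = next_hop

    def lookup(self, ip: str, port: int) -> Optional[str]:
        dest = rofl_addr(ip, port)
        best: Optional[Tuple[int, str]] = None
        for (value, plen), next_hop in self.routes.items():
            shift = ADDR_BITS - plen
            if (dest >> shift) == (value >> shift) and (best is None or plen > best[0]):
                best = (plen, next_hop)
        return None if best is None else best[1]

    def forward(self, ip: str, port: int) -> Tuple[str, Optional[str]]:
        next_hop = self.lookup(ip, port)
        return ("forward", next_hop) if next_hop else ("drop", None)


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Constructed topology: a transit router with an aggregate for 10.1.0.0/16
    and an edge router that only knows the /48 routes its hosts advertised."""
    transit = RoflRouter()
    transit.add_aggregate("10.1.0.0/16", "edge")

    edge = RoflRouter()
    edge.advertise("10.1.2.7", 80, "eth1")    # host 10.1.2.7 offers HTTP and HTTPS only
    edge.advertise("10.1.2.7", 443, "eth1")

    results = {
        "transit ssh": transit.forward("10.1.2.7", 22),   # aggregate matches: carried toward the edge
        "edge https": edge.forward("10.1.2.7", 443),      # /48 present: delivered
        "edge ssh": edge.forward("10.1.2.7", 22),         # no route: dropped without a firewall rule
    }
    edge.withdraw("10.1.2.7", 443)                         # host stops offering HTTPS
    results["edge https after withdraw"] = edge.forward("10.1.2.7", 443)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The insider-attack property follows from the same lookup: a host that never advertised a port cannot be reached on it from anywhere, including from inside the site, because no router has a route to hand the packet to.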
A Web Without the Same Origin Policy
Francis Hsu, Steven Crites, and Hao Chen,
University of California, Davis
The Same Origin Policy (SOP) has served as the de facto security
policy for web browsers since 1996. However, as web applications grow
more complex, such as with mashups, the policy doesn't allow for the
cross-domain communication desired by those authors. Furthermore,
exploits such as Cross-Site Request Forgery can bypass the intended
SOP isolation. We propose a policy for web browsers that disallows all
access to a document unless explicitly granted. We treat web documents
as objects and allow communication between objects only via their
declared public interfaces. This policy can provide the trust
relationships needed by mashup authors while also securing web
documents previously susceptible to attacks under the SOP.
The Cost of Free Calls: Identifying English Accents in Encrypted Skype Traffic
Paul DiOrio, Rachel Lathbury, and David Evans,
University of Virginia
With over 309 million users registered on its peer-to-peer network,
Skype is one of the most popular Voice over IP (VoIP) clients
world-wide. Due to privacy concerns, VoIP calls made over the Internet
should be encrypted, especially on a peer-to-peer framework. Despite
encryption, prior techniques developed at Johns Hopkins University
exploit bandwidth-saving Variable Bit Rate (VBR) audio encoding in
VoIP clients to gain information on the underlying speech [2, 3]. Our
work-in-progress demonstrates that Skype's current encryption does not
protect users to the extent that they may expect. Because Skype audio
is encoded using VBR methods, we are able to extract valuable
information from encrypted calls. Specifically, we attempt to uncover
which accent of English is spoken during a Skype session by observing
the stream of packet lengths in transit. Our preliminary analysis of
seven English accents yields encouraging results. With only short
audio samples for any given language pair, our early binary classifier
(e.g., "Does this speaker have an Arabic or Cantonese accent?")
achieves greater than 50% accuracy in 90% of cases. The average
accuracy for all language pairs is 73%. We are working on analyzing
how well the attack can be improved when longer audio samples are
available, in particular, if it is possible to detect specific
speakers.
Mementos, a Secure Platform for Batteryless Pervasive Computing
Benjamin Ransford,
University of Massachusetts Amherst
I will discuss Mementos, a new general-purpose platform for secure
computation on batteryless computers. Batteryless computers, such as
those we call computational RFIDs (for example, the WISP tag from
Intel Research), work on harvested energy and cannot depend on a
constantly available power supply. This means that, unlike
computations on PCs, computations on batteryless computers must
tolerate disruption because loss of power is the common case. I will
discuss preliminary results indicating that our approach, which
combines checkpointing and measurement strategies, is feasible.
The Debian OpenSSL Bug and Its Effect on SSL
Hovav Shacham and Brandon Enright, University of California, San Diego; Eric Rescorla, RTFM, Inc.; Stefan Savage, University of California, San Diego
In 2006, a change was introduced to the OpenSSL package included
in Debian and Debian-derived distributions that eliminated all but
a small amount of entropy from the PRNG used for key generation
and other cryptographic tasks.
We have been studying the effect of this bug on SSL use on the
Internet, using a daily survey of the X.509 certificates of a
large number of popular https sites.
In this talk I will present some of our major findings and
preliminary conclusions.
An Enhancement of Windows Device Driver Debugging Mechanism for VMM-based Live Forensics
Ando Ruo, NICT, Japan
Live forensics is a growing concern, and VMM-based observation is also a
hot topic. However, Windows currently has no means to notify the VMM of
incidents and transfer detailed information to the control domain. We are
improving the Windows device driver debugging mechanism for VMM-based live
forensics. There are three mechanisms to improve for VMM-based live
forensics: we insert debug register operations into DLL injection, IDT
modification, and filter-driver-based API hooking. Also, the DR register
handler of the VMM is modified. There are two ways to receive information
from our improved Windows device driver mechanism. First, an
enhancement of snapshot utilities makes it possible to transfer
information between the guest Windows and the control domain. Second, the
memory of the virtualized Windows in the VMM module can be transferred by
mmap() to the memory space of the control domain. Finally, we are
improving the copy-on-write utility of the VMM to prevent illegal disk
writes. The proposed system enables live forensics of Windows and makes it
possible to detect illegal file writes without (before) committing changes
to the hard disk.
Botnet Enumeration: The Nugache Case
Sven Dietrich,
Stevens Institute of Technology; David Dittrich, University of Washington
We present a series of long-term enumeration experiments on the
Nugache botnet. Nugache is a pure P2P bot using encrypted P2P for all
its C&C communications. The current results show the problem of
counting bots in P2P botnets, as well as some regular patterns in
the size of the botnet.