SIIS Laboratory Research


SIIS Laboratory Overview
Patrick McDaniel
October 4, 2004
Computer Science and Engineering
Pennsylvania State University
Systems and Internet Infrastructure Security Laboratory (SIIS)
Page 1
Mission
“The SIIS Laboratory promotes student and scientific advancement through the investigation of emerging technologies upon which computer, network, and information security is based.”
Page 2
Current Focus Areas
Network Security
OS Security
Security Policy
Applied Cryptography
Privacy
• Current projects span broad topic areas in general systems security.
• Actively expanding interests to other fields and applications
Page 3
Interdomain Routing Security
• Organizational exchange of prefixes and path vectors to converge on global routing tables (BGP)
  – Associates address ranges (prefixes) with parent organizations (autonomous systems)
  – Builds global forwarding tables for IP traffic
• Highly vulnerable -- low and slow attacks or mis-configuration can remove continents
• Ongoing work
  – Security/Threat models for IDR
  – Efficient cryptographic constructions
    • Origin authentication
    • Path Authentication
    • Control-plane security
Protocol Attacks
Attacks Against BGP
The slide tabulates each attack by adversary (Any, unless noted), action (Delete, Modify, Spoof, Read, Flood, Termination, Authenticate), whether it exploits the protocol specification or an implementation, the target (System or Data), the security properties affected (Availability, Integrity, Confidentiality) and the performance properties affected (Timeliness, Accuracy, Precision). The attacks, with the slide's notes:
• Path Removal - remove a path from the BGP UPDATE stream
• Prefix Removal - remove a prefix advertisement from the BGP UPDATE stream
  – Causes the prefix to be unavailable.
• Modifying the Withdrawn Routes field in an UPDATE
  – By modifying the Withdrawn Routes field, the attacker can eliminate legitimate routes from the routing table, and can repeatedly do so by replaying the attack.
• Policy Removal - remove a policy from a BGP UPDATE message
  – May cause a suboptimal/incorrect route to be selected. If used to mess with routing, then timeliness and accuracy are performance effects. If used to reroute toward a controlled AS, could be used as a confidentiality effect.
• UPDATE removal - remove an update message from the UPDATE stream
  – Can cause the path, prefix or policy removal behavior. This can occur either at the BGP protocol or TCP layers.
• Modify Path - add, remove or modify hops in the BGP path
  – May cause a suboptimal/incorrect route to be selected. If used to mess with routing, then timeliness and accuracy are performance effects. If used to reroute toward a controlled AS, could be used as a confidentiality effect.
• AS_PATH attribute modification - modify this field in the UPDATE message
  – An AS_PATH with an incorrect origin AS can play havoc with routing, causing blackholes. AS_PATH can be shortened, making the route appear more favourable to peers.
• NEXT_HOP attribute modification - can cause routing changes
  – Changing the NEXT_HOP in conjunction with path modification can cause an attacking router to control and engineer traffic patterns.
• Modify Policy - change the policy such that the route becomes more or less desirable
  – May cause a suboptimal/incorrect route to be selected. If used to mess with routing, then timeliness and accuracy are performance effects. If used to reroute toward a controlled AS, could be used as a confidentiality effect.
• MULTI_EXIT_DISC modification - can harm routing inside an AS
  – The multi exit discriminator (MED) is a way of determining which external link to propagate updates on, based on information from the peer. Modification of this can cause suboptimal routing within a peer AS.
• LOCAL_PREF modification - can harm routing inside an AS
  – The local preference is a metric that helps determine which external link to prefer for given prefixes. Manipulation of this value can cause suboptimal routing within the affected AS.
• Path forgery - create a forged UPDATE with a bogus path for a known prefix
  – It really does not matter if the prefix is being advertised by some known AS. Whack-a-mole ASes (see below) are really good for creating a stream of these.
• Modifying the NLRI field of the UPDATE message
  – By changing the network layer reachability information in the UPDATE message, routing can be disrupted through the system, since the actual routing advertisements can be forged.
• Prefix hijacking - create a forged UPDATE claiming to be the origin of some prefix
  – May cause a suboptimal/incorrect route to be selected. If used to mess with routing, then timeliness and accuracy are performance effects. If used to reroute toward a controlled AS, could be used as a confidentiality effect. This is the problem that origin authentication is really getting at.
• ATOMIC_AGGREGATE modification - can cause deaggregation of routes
  – The ATOMIC_AGGREGATE field is set by routers to prevent deaggregation of routes. By allowing deaggregation, incorrect routing of more specific prefixes within the aggregate can result.
• UPDATE eavesdrop - read the update from the UPDATE stream
  – This is a hard one to nail down. BGP UPDATEs are generally considered public information (because they are flooded), but UPDATEs traversing private networks may be filtered or aggregated before being passed on.
• Policy eavesdrop - read a policy in an UPDATE
  – BGP policy often is local to some community (hence the name community string), and is filtered in some cases. Exposure of this information will tell the adversary something about the organizations and relationships in the network.
• Whack-a-mole ASes - create a bogus AS using an unused AS number
  – Spammers use these when nobody else will transit their traffic. These are particularly bad because they introduce a lot of noise into the global BGP update stream, and indirectly cause instability.
• AS impersonation - claim to be an AS you are not
  – This is really a problem because you only need to convince one AS (out of the currently 16,000) that you are the claimed AS.
• Route Flooding - flood a BGP speaker with more UPDATEs than it can handle
  – This occurs naturally by table resets, and can be caused by forged TCP RST packets, or by forged BGP session termination messages.
• Speaker death - shut down (process layer) or isolate (network wise) the BGP speaker such that the BGP session closes
  – This can be caused by forged TCP RST packets, or by forged BGP session termination messages. If the speaker comes back, this can cause flooding (both locally and globally).
• Syntax error in message header will close a BGP connection
  – Syntax errors cause the BGP speaker to close the connection and delete all routes associated with the connection, causing the router to reprocess information to determine how to now route those prefixes. This can cause a cascade effect with connected peers.
• Forged OPEN message during a BGP session
  – If the BGP speaker is in the Connect, Active or Established state, this message will force the connection to be closed, with the same effects as discussed above.
• Bogus OPEN connection when the router is waiting to establish a connection
  – If the router is in the OpenSent state, an OPEN message will cause the connection to be confirmed. When the real router sends an OPEN, the connection will be closed because of connection collision.
• OPEN message arrives while the OpenDelay timer is running in the Open_Sent state
  – The router should not be in the OPEN_SENT state if the Delay Open timer is set, but an implementation error with the finite state machine can cause this. An attacker familiar with the implementation could bring down the connection this way.
• Syntax error in OPEN message will close the connection
  – OPEN message syntax errors, such as errors in parameters or unsupported version numbers, will close a connection.
• Sending KEEPALIVE when the peering connection is in the Connect, Active or OpenSent state
  – In any of these states, the BGP speaker moves into the Idle state and will not establish a connection with the intended peer.
• Receiving a NOTIFICATION message brings down the connection
  – Receiving a NOTIFICATION message will cause the BGP speaker to bring down the connection, and release and recalculate routes. This can cascade through to other routers.
• Modifying the Unfeasible Routes Length or Total Path Attribute Length attributes in an UPDATE message
  – Modifying these parts of the UPDATE message will cause a NOTIFICATION message to be sent, terminating the connection.
• Incorrect modification of Path Attributes can cause session failure
  – If the attributes are incorrectly modified, a parse error will occur, resulting in a NOTIFICATION message being sent and the connection being terminated.
• Malformed UPDATE message will close the connection
  – Sending an UPDATE message that contains errors will bring down the connection with the peer and cause all routes learned to be deleted and require recalculation. This can cascade to other routers.
Attacks against TCP
• TCP SYN forgery
  – If the attacker sends a SYN to a BGP speaker, the real peer's SYN would look like a second connection. If the attacker keeps the connection alive by guessing the correct SYN ACK, a collision between the two connections could occur, dropping the legitimate
• SYN flooding
  – SYN floods are discussed in http://www.cert.org/advisories/CA-1996-21.html - by not responding to the SYN ACK, but opening a new TCP connection, the attacker can fill the buffer of available open connections to the router, preventing legitimate connection
• TCP SYN ACK hijacking
  – By responding to a SYN set up during a legitimate connection between two BGP peers, an attacker can send a SYN-ACK. If timed correctly, the legitimate peer's SYN-ACK will cause the TCP connection to be terminated, which brings down the BGP session in the
• TCP RST/FIN attack
  – Spoofing a TCP RST by guessing the correct sequence number will cause a TCP (and therefore BGP) connection to terminate. The attack works against the FIN as well, but there would be notification that the connection was closing.
Other attacks
• Gaining control of the router and causing a manual reset
  – Gaining control of the router through an attack like the SNMP buffer overflow exploit (e.g. http://www.securityfocus.com/bid/1901) could allow the attacker to remotely shut down the router.
• Gaining control of the router and altering timers
  – Gaining control of the router could allow the attacker to modify the KeepAlive, Hold, or OpenDelay timers, causing peers to consider the connection unresponsive and terminate it.
• Link Cutting - hampering connectivity by making the network link inaccessible (adversary: spies, terrorists, professional criminals, industrial espionage)
  – Described in http://www.research.att.com/~smb/papers/reroute.pdf, link cutting can take the form of the backhoe attack, ping of death or DoS of a given link. If the attacker knows the network topology, he or she can force packets to go through the paths t
• Physical destruction of the router (adversary: spies, terrorists, professional criminals)
  – Physically disabling the router by destroying the interfaces or the machine itself is a possible attack. Physical security of important network elements is always critical.
• MD5 authentication attack
  – While MD5 protection between peers can mitigate many of the above threats, attacking the authentication could yield ways to attack the protocol. Brute force and hash collision attacks are possible.
Network Security
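As an added illustration of the Unfeasible Routes Length, Total Path Attribute Length and malformed-UPDATE rows above (example code written for this page, not SIIS software): a parser for the body of a BGP UPDATE message in the RFC 4271 layout that checks every length field against the bytes actually present, so a tampered length is reported as an error instead of being read out of bounds. The sample messages are constructed; only ORIGIN and AS_PATH (2-octet AS numbers) are decoded.

```python
import struct
from ipaddress import IPv4Network

ORIGIN, AS_PATH = 1, 2  # RFC 4271 path attribute type codes this parser decodes

def _read_prefixes(buf):
    # Withdrawn Routes and NLRI share one encoding: <length in bits><prefix octets>
    prefixes, pos = [], 0
    while pos < len(buf):
        bits, nbytes = buf[pos], (buf[pos] + 7) // 8
        if bits > 32 or pos + 1 + nbytes > len(buf):
            raise ValueError("prefix entry overruns its field")
        octets = buf[pos + 1:pos + 1 + nbytes].ljust(4, b"\x00")
        prefixes.append(str(IPv4Network((int.from_bytes(octets, "big"), bits))))
        pos += 1 + nbytes
    return prefixes

def _read_as_path(value):
    # Segments are <type><count><count 2-octet AS numbers>, as the 2004 protocol used
    path, pos = [], 0
    while pos < len(value):
        if pos + 2 > len(value) or pos + 2 + 2 * value[pos + 1] > len(value):
            raise ValueError("AS_PATH segment overruns the attribute")
        count = value[pos + 1]
        path.extend(struct.unpack("!%dH" % count, value[pos + 2:pos + 2 + 2 * count]))
        pos += 2 + 2 * count
    return path

def _read_attributes(buf):
    # Every attribute length is checked against the field before it is trusted
    attrs, pos = {}, 0
    while pos < len(buf):
        hdr = 4 if buf[pos] & 0x10 else 3  # extended-length flag selects a 2-octet length
        if pos + hdr > len(buf):
            raise ValueError("truncated attribute header")
        code, length = buf[pos + 1], int.from_bytes(buf[pos + 2:pos + hdr], "big")
        value, pos = buf[pos + hdr:pos + hdr + length], pos + hdr + length
        if pos > len(buf):
            raise ValueError("attribute length exceeds Total Path Attribute Length")
        if code == ORIGIN and length == 1:
            attrs["origin"] = value[0]
        elif code == AS_PATH:
            attrs["as_path"] = _read_as_path(value)
    return attrs

def parse_update(body):
    # body = UPDATE message minus its 19-octet header; ValueError when a length field lies
    wlen = int.from_bytes(body[0:2], "big")
    if 4 + wlen > len(body):
        raise ValueError("Unfeasible Routes Length exceeds the message")
    withdrawn = _read_prefixes(body[2:2 + wlen])
    start = 4 + wlen
    tpal = int.from_bytes(body[start - 2:start], "big")
    if start + tpal > len(body):
        raise ValueError("Total Path Attribute Length exceeds the message")
    attrs = _read_attributes(body[start:start + tpal])
    return {"withdrawn": withdrawn, "attrs": attrs, "nlri": _read_prefixes(body[start + tpal:])}
```

A speaker that validates the lengths this way can reject a single bad UPDATE with a precise error instead of crashing on it; what it does with the session afterwards is a separate policy decision.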
Page 4
Origin Data Mining and Analysis
Origin (prefix ownership)
• Data (August 2002-July 2003): 6,898,383 origin transitions, 16,474 prefixes
• Generally stable for most prefixes, constant AS
• Most origin AS holding times are exponential, some Pareto (caused by edge effects)
Path (routing stability)
• Data (January 2003 - April 2004): 2.55 billion route updates worldwide, 150 prefixes, thousands of routers
• Most prefixes are very stable, reachable by a few paths
• AS topology is relatively stable, most ASes reachable by a few paths
• Paths restricted to simple “path sets”
Network Security
Page 5
Artifact Authentication in IR
Origin Authentication
• Validating the authenticity of ownership claims of address usage
• Semantic definition for address use
• Approximated delegation hierarchy from route advertisements
  – 16 organizations delegate 80% of address space, 3-10% movement/month
• Proposed and simulated vastly improved cryptographic proof systems (feasible)
[Figure: observed UPDATEs for the prefixes 12.0.0.0/8, 12.1.83.0/24, 12.1.96.0/24, 12.1.226.80/29, 12.1.241.128/26 and 12.1.245.0/24, originated by AS7018, AS14787, AS23306, AS2386 and AS11521, and the delegation hierarchy approximated from them: IANA delegates 12.0.0.0/8 to AT&T (AS7018), which delegates the more specific prefixes to AS2386, AS11521, AS23306 and AS14787 (labelled Data, Modus, Plastipak and Guardian).]
Path Authentication
• Validating the authenticity of transient routes in Internet paths
• Semantics of path advertisement
• Stability study that the set of paths an AS advertises is relatively small
  – Use cryptographic proof systems, led to efficient structures
• Simulations reduce common solutions by 96.5% over S-BGP
• First feasible system demonstration
Network Security
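An added example (not the lab's code) of the origin-authentication check described on this slide: delegation records constructed to follow the figure (IANA delegates 12.0.0.0/8 to AS7018, which delegates more specifics to customer ASes; the exact prefix-to-AS pairings are illustrative), and an announcement is accepted only when a chain of delegations from IANA down to the announcing AS authorises it. The rule that a holder may announce any more specific of its own allocation unless it has delegated that part away is an assumption of this example, not something the slide states.

```python
from ipaddress import ip_network

# Constructed delegation records (delegator, prefix, holder) following the slide's figure.
# "IANA" is the root; holders and delegators below it are AS numbers.
DELEGATIONS = [
    ("IANA", "12.0.0.0/8", 7018),
    (7018, "12.1.83.0/24", 14787),
    (7018, "12.1.96.0/24", 23306),
    (7018, "12.1.226.80/29", 2386),
    (7018, "12.1.241.128/26", 2386),
    (7018, "12.1.245.0/24", 11521),
]

def _covering(prefix, delegations):
    # Delegations whose prefix contains `prefix`, most specific first
    net = ip_network(prefix)
    hits = [d for d in delegations if net.subnet_of(ip_network(d[1]))]
    return sorted(hits, key=lambda d: ip_network(d[1]).prefixlen, reverse=True)

def delegation_chain(prefix, origin_as, delegations=DELEGATIONS):
    """Chain of delegations, root first, that authorises origin_as to announce prefix.

    Returns None when the most specific delegation covering the prefix belongs to
    another holder (the prefix-hijack case), when nothing covers it at all, or when
    the chain cannot be followed back to IANA (a delegator handing out space it
    never held). Assumption: a holder may announce more specifics of its own
    allocation as long as it has not delegated that part to someone else.
    """
    covering = _covering(prefix, delegations)
    if not covering or covering[0][2] != origin_as:
        return None
    chain = [covering[0]]
    while chain[-1][0] != "IANA":
        if len(chain) > len(delegations):
            return None  # delegation records form a cycle; refuse rather than loop
        held = ip_network(chain[-1][1])
        parent = next((d for d in covering
                       if d[2] == chain[-1][0] and held.subnet_of(ip_network(d[1]))), None)
        if parent is None:
            return None
        chain.append(parent)
    return list(reversed(chain))

def origin_is_authorised(prefix, origin_as, delegations=DELEGATIONS):
    return delegation_chain(prefix, origin_as, delegations) is not None
```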
Page 6
Detecting Spy-ware
• Spy-ware implements some valuable function, and at the same time exposes sensitive data or resources (KaZaa)
• Problem: How do we detect the execution of Spy-ware code in a running program?
• Solution: use dynamic slicing to reconstruct dependencies from event traces (sys calls, Win API) and find privacy violations
  – Policy language used to describe policy violations, state
  – Implemented and benchmarked
  – Caught leakage in KaZaa
  – 0.05% additional system call cost for interactive program
Operating Systems Security
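An added example (not the lab's implementation) of the dynamic-slicing idea on this slide: a constructed event trace in the shape a system-call/Win API monitor would record, a backward slice over data dependencies from each network send, and a small constructed policy naming the files that must not reach a socket. Real dynamic slicing also follows control dependencies; this example tracks data flow only.

```python
from fnmatch import fnmatch

# Constructed trace: (event id, operation, objects read, objects written).
# Object labels are constructed stand-ins for handles and buffers.
TRACE = [
    (1, "CreateFile", [], ["file:C:/Users/alice/Documents/contacts.csv"]),
    (2, "ReadFile", ["file:C:/Users/alice/Documents/contacts.csv"], ["buf:A"]),
    (3, "ReadFile", ["file:C:/Program Files/KaZaa/skin.dat"], ["buf:S"]),
    (4, "memcpy", ["buf:A"], ["buf:B"]),
    (5, "Base64Encode", ["buf:B"], ["buf:C"]),
    (6, "connect", [], ["sock:adserver.example:80"]),
    (7, "send", ["sock:adserver.example:80", "buf:S"], []),  # skin data, benign
    (8, "send", ["sock:adserver.example:80", "buf:C"], []),  # contacts, a leak
]

# Constructed policy: data read from a source pattern must never reach a sink pattern
POLICY = {"sources": ["file:C:/Users/*/Documents/*"], "sinks": ["sock:*"]}

def backward_slice(trace, event_id):
    """Events whose outputs the given event transitively consumed (data dependencies only)."""
    by_id = {e[0]: e for e in trace}
    slice_ids, work = set(), [event_id]
    while work:
        eid = work.pop()
        if eid in slice_ids:
            continue
        slice_ids.add(eid)
        for obj in by_id[eid][2]:
            # the most recent earlier event that wrote this object is its reaching definition
            producers = [e[0] for e in trace if e[0] < eid and obj in e[3]]
            if producers:
                work.append(max(producers))
    return sorted(slice_ids)

def find_violations(trace, policy):
    """Sink events whose backward slice contains a read of a policy-sensitive source."""
    by_id = {e[0]: e for e in trace}
    violations = []
    for e in trace:
        if not any(fnmatch(o, p) for o in e[2] for p in policy["sinks"]):
            continue
        for sid in backward_slice(trace, e[0]):
            leaked = [o for o in by_id[sid][2] if any(fnmatch(o, p) for p in policy["sources"])]
            if leaked:
                violations.append({"sink_event": e[0], "source_event": sid, "object": leaked[0]})
    return violations
```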
Page 7
Antigone
• Policy Languages
  – Provisioning policy vs. authorization policy
  – Composition is fundamentally intractable
  – General purpose policy: Ismene
  – Enforcement separation
• Antigone System built to compose large collections of diverse policies in a single infrastructure.
  – Policy Compiler
  – Enforcement Infrastructure
  – Dozens of security mechanisms
  – 75,000+ lines of code
[Figure: Antigone architecture. The Ismene Policy Compiler combines Local Policies and a Group Policy into a Policy Instantiation (e.g., Confidentiality/DES, Integrity/HMAC, KeyMgmt/LKH) consumed by the Policy Engine; the Antigone Group API sits between Applications, Security Services and Transport Services.]
• Applications
  – AMirD - general purpose replication platform
  – Highly flexible Transport layer security
  – Security for squad level hand held communications
• In permanent demonstration exhibit at Fort Monmouth, NJ (ARMY)
• Winner of DARPA’s Bang for the Buck award in Dynamic Coalition program
Security Policy
Page 8
Forward Secure Signatures
• Advanced cryptographic construction used to mitigate future key compromise.
  – Signing key “lost” once signature made
  – Intractable to obtain signing key with future private key
• Implementation of FSS
  – Search parameter space
  – Evaluate key size/memory tradeoffs
  – Community service
• Constructed calculus for determining optimality of FSS solutions
  – RSA not necessarily better
• Bottom line: like many constructions
  – Good or bad, be careful
  – 1 to 4 if properly used
  – 3+ OOM worse if not
  – RSA/DSA/ECC are appropriate for different environments (trade-offs)
Applied Cryptography
Page 9
Searching for privacy …
• Recently, the Internet community has demanded more information about how websites deal with Privacy
• P3P is an automated system for specifying machine readable site privacy policies
• P3Poogle
  – Caches/evaluates P3P w.r.t. a user privacy policy
  – Privacy violations are visually indicated with site
  – Integrates the Google API with caching of P3P
• Implementation complete
  – Working HCI study at CMU
  – Reasonable performance
Privacy
Page 10
The future?
• Security is often about applications … it should be about environments.
• The ad hoc nature in which security is defined and achieved across and between systems is a central source of vulnerability.
Page 11
Environmental Security
1. Articulating Intent
2. Enforcing across platforms and services
3. Understanding evolving compliance
… must start with some trustable core (e.g., network)
[Figure labels: Composition, ENFORCEMENT]
Page 12
The SIIS Laboratory …
• Systems and Internet Infrastructure Laboratory
  – Launched 9/04 at CSE/PSU
• Committed to the investigation and development of environment-oriented security solutions, e.g.,
  – Infrastructure Security (routing, OS, DRM, etc.)
  – Policy (authorization, provisioning)
  – Security service analysis
• Current support: ARPA, Symantec, and NSF
• View papers and documentation of activities at: http://siis.cse.psu.edu/
Page 13