Preventing Theft of Quality of Service on Open Platforms Kwang-Hyun Baek and Sean W. Smith Department of Computer Science Dartmouth College

This Talk Goal: Prevent insider’s theft of QoS while still permitting the user to be root Motivation: Dartmouth’s plan for traffic convergence Summary  Overview of threat model and Diffserv  Our solution Make end nodes trustworthy  Trusted hardware and high assurance OS  Network authentication Distribute Diffserv classifier and marker to end nodes  Security and performance discussions  Future work

Threat Model End node user with root account and physical access  Authenticated and authorized  Can install/modify hardware Can modify network driver, firmware, ROM  Can install/modify software, including kernel Can modify outgoing packets Can modify a program’s packet generation Can use arbitrary port for applications Can spoof MAC address and IP address

Background: Diffserv Differentiated Services At the Ingress/Egress nodes  Classify packets via packet inspection  Meter the temporal state of the packet (i.e., rate)  Mark the packets’ Diffserv Code Point (DSCP) according to its class  Shape the packets (drop or delay) At other nodes, Per-Hop Behavior (PHB) is applied based on DSCP  Assured Forwarding  Expedited Forwarding Problem  End nodes are not trusted  Network can gain only limited knowledge

End Node Class Platinum (Video streaming) layer-3: UDP application: RTP ip set DSCP 46 Class Best Effort ip set DSCP 0 Ingress Network Node Hacked File Sharing app Video Streaming Misbehaving Application

Misbehaving End Node End Node MAC: 00:00:00:00:00:00 Spoofed MAC: 00:04:00:00:00:00 Class Platinum (Priority Client) source MAC 00:04:00:00:00:00 ip set DSCP 46 Class Best Effort ip set DSCP 0 Ingress Network Node File Sharing Malware

Our Solution Apply trusted computing to QoS  Move Diffserv classifier and marker to each end node Network’s QoS rule: hash of program binary and DSCP  Use high assurance OS to create a configuration that classifies and marks the packets according to the network’s rule  Use trusted hardware to bind the configuration to authentication secret If classifying and marking is modified, access to the authentication secret is denied  Accessing the network  classifying and marking according to the network’s QoS rule

Building Block: Trusted Platform Module (TPM) Designed by Trusted Computing Group (TCG) Measures the hardware and software configuration of the host  Platform Configuration Registers Attests the host’s configuration to a remote party Stores RSA keys Binds the stored RSA keys to a configuration Problem  Root can spy on memory used by the TPM  Bound keys need to be changed too often if the configuration includes programs that need frequent updates  Root can change code after the TPM has measured it  Need for high assurance OS with restricted access control and integrity protection

Building Block: High Assurance OS SELinux Linux Security Module (NSA)  Role-based mandatory access control Compartmentalization blocks memory spying Robust access control over devices, memories, files, socket structures Enforcer LSM (Marchesini, et al)  Makes TPM-bound keys more usable Long term (hardware, OS, Admin’s public key, SELinux policy) protected by TPM-bound key Medium term (programs, kernel modules, libraries, linkers) protected by the LSM and Security Admin—a third party who issues signed database of trustworthy applications  Integrity Protection (modification results in TPM lock or kernel panic) Short term (data, configuration) protected by encrypted file system

Distributed Classifier and Marker QoS Admin  Issues signed database of program binary’s hash and the DSCP it should receive Modified LSM  The kernel keeps track of which opened socket belongs to which program (Socket monitor)  The kernel marks each packet’s DSCP at the kernel’s IP layer using Netfilter (standard Linux firewall) hooks, according to the QoS Admin’s signed database (DSCP marker)

Socket Monitor Is App X in Security Admin's Policy? App X calls socket syscall Is App X found in QoS Admin's Policy? Log and return (will be dropped) YES NO Record socket, h(X), default DSCP NO Record socket, h(X), DSCP

DSCP Marker Is the packet coming from a recorded socket? Outgoing packet enters IP Layer Modify the packet's DSCP to the recorded value YES Drop NO

Adding Client Authentication Uses TPM-bound key (EAP-TLS)  EAP-TLS authentication requires the knowledge of the private key During certification, the CA checks the long term configuration of the host To access the TPM-bound private key to authenticate itself to the network, an end node must do the following:  Be in the long term configuration to which the key is bound to Run Enforcer LSM, SELinux, and our socket monitor and DSCP marker Run valid Security Admin and QoS Admin’s databases (their signature is validated) SELinux is using a known, trustworthy SELinux policy  Have not modified important medium term configuration

Stopping Misbehaving Application Class Platinum Linphone Gnomemeeting ip set DSCP 46 Class Best Effort ip set DSCP 0 Hacked File Sharing End Node Linphone (VoIP) Class Blacklist Drop

Stopping Misbehaving End Node Hacked Wireless Driver and its firmware to gain better QoS End Node Configuration mismatch results in TPM lock or kernel panic Cannot access the authentication private key! Class Platinum Linphone Gnomemeeting ip set DSCP 46 Class Best Effort ip set DSCP 0 Class Blacklist Drop

Performance evaluation IBM T40, Pentium M 1.3 GHz, 256 MB Overhead caused by socket monitor  4.86 ms average delay for linphone Overhead caused by DSCP marking  ms average delay for linphone ITU recommends maximum delay of 150 ms for voice system  The Overhead is easily absorbed

Security Considerations Forked children inherit sockets  QoS Admin’s job to control the QoS level of the programs that fork and exec other programs  Another option: least privilege principle for shared socket SELinux should prohibit low-privileged programs from piping packets to high-privileged programs Hardware spying on TPM  No Plug-and-Play, USB/Firewire devices should be disabled at the kernel level EAP-TLS results in session keys for encryption and integrity protection  Compartmentalize to block spying on session keys  No man-in-the-middle attack between ingress node and end node

Future Work Attestable, cleaner, easy-to-understand policies for SELinux Migratable QoS and Security Admin database Database version check and automatic update  Boot-time generation of attribute certificate containing the policy version, signed by the TPM-bound key  Quarantined database updating using VLAN Bigger scale testing Performance evaluation depending on system loads Code will be available at  Or me until then for the kernel patch

Thanks We thank our sponsors—Mellon Foundation, Cisco, Intel, and the Office for Domestic Preparedness (U.S. Dept of Homeland Security)

Questions?