Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Case for Network Witnesses Wu-chang Feng Travis Schluessler Supported by:

Published byElla Thomas Modified over 9 years ago

Similar presentations

Presentation on theme: "The Case for Network Witnesses Wu-chang Feng Travis Schluessler Supported by:"— Presentation transcript:

1 The Case for Network Witnesses Wu-chang Feng Travis Schluessler Supported by:

2 Internet protocol design (1970s) Programmers and users cooperative Limited semiconductor capabilities Public-key cryptography in a nascent state Result –Simple design –Quickly deployed –Immensely successful –But, was ultimately and tragically insecure

3 Fast forward to 2008 Programmer and user are not trusted –Denial-of-service, Botnets, Spam –Phishing, DNS poisoning, TCP RST attacks, IP spoofing –Cheating in on-line games, Rootkits Semiconductor technology explosion –Moore’s law over 30+ years Widespread use of public-key cryptography –Web transactions, IPSec, VPNs, SSL accelerators –Trusted hardware and software platforms PS3, Xbox 360 game consoles IBM Trusted Platform Modules (TPM) Intel AMT and TXT Windows Vista

4 A clean-slate approach What if we revisited Internet protocol design in today’s landscape? –Users are untrusted –Semiconductor technology can support high-speed cryptographic operations in the data-path

5 Network Witness Tamper-resistant, trusted third party at end-host –Our take on Shai Halevi’s “Angel in the Box” Functions –Provide authenticated measurements of host activity –Enforce protocol rules and requirements

6 Characteristics of a Network Witness Reliable introspection –Can measure the state of the host and its network usage Attestation –Can report such measurements in an authenticated manner to other witnesses in the network Isolation –Measurements are not unduly influenced by host Trusted execution –Only executes code cryptographically signed by a trusted third party (e.g. the IETF or the manufacturer) Tamper-resistance –Cost of tampering exceeds value of the witness service

7 An example witness Intel’s Active Management Technology platform –Introduced in 2005 Now, a commodity component on all Intel motherboards –Trusted processor in memory controller (iAMT2) Sees all network traffic Sees all peripheral activity Has access to all memory locations OOB channel to communicate across the network

8 An example witness Intel’s Active Management Technology platform –Tamper-resistant operation Can not be tampered with from host processor’s software stack Only runs code signed by Intel Equipped with keys to authentically sign host measurements for transmission over the network

9 Intel AMT with Cisco NAC Network access control based on host integrity –Measured “security posture” of the running OS and applications determine level of access Infected system DHCP request Q: What is the state of the host A: Windows XP with unknown drivers loaded and anti-virus software disabled DHCP reply: VLAN = Quarantined

10 Intel AMT and On-line Games On-line game access based on valid host operation –Measure that the keyboard/mouse event the game gets Schluessler et. al. “Is a Bot at the Controls?”, NetGames 2007. Q: Do the keyboard/mouse events given to the game client match those coming in over the USB bus? A:They don’t match. Input fabrication detected! Quake game protocol Aimbot Disconnect and ban

11 Generalizing the approach Observation –Trusted third parties greatly simplify network security protocols How might this approach be applied to a range of network protocol problems?

12 Cheating in on-line games Use network witness to attest to human activity and game process integrity –“Stealth Measurements for Cheat Detection in On-line Games”, NetGames 2008. Q: Keyboard/ mouse mileage in the last minute? List of code page hashes of running game? Stack frame trace of running game? A: No measurable activity over the USB bus. Modified code pages, Unknown stack frame Game protocol Cheater Disconnect and ban

13 Sybil attacks Use network witness to attest to human activity and prior web account signup or on-line voting activity Q: Keyboard/mouse mileage in the last minute? Visits to httpa://yahoo.com/signup last month? Visits to httpa://poll-daddy.com/vote.cgi last day? A: No measurable activity over USB bus. 1000 visits to link in last month 1 visit to link in last day Sybil attacker httpa://yahoo.com/signup httpa://poll-daddy.com/vote.cgi Deny request

14 Spam, denial-of-service, botnets Use network witness to attest to human activity and prior network usage Q: Keyboard/mouse mileage in the last minute? Aggregate port 25/80 activity in last day? A: No measurable activity over USB bus. 1GB of port 25/80 packets in last day SMTP messages, Web requests Spammer Bot Deny request

15 Port scanning Use network witness to attest to the ratio of TCP SYN packets sent to TCP SYN/ACK packets received Q: TCP work weight over the last day? A: 100:1 Scanner TCP SYN Drop packets from Scanner

16 Protocol enforcement Use network witness to ensure packets from the host do not violate protocol rules A B a.com Protocol molester TCP RST from A to B Auth DNS reply for a.com TCP Xmas packet TCP Optimistic ACK TCP stealth scan IP spoofing flood with address not obtained via DHCP

17 Towards new protocols Network witnesses can address problems in existing protocols –Seems like a waste of our brand new super powers –Can we use it to do new things besides cleaning up after an elderly protocol (i.e. TCP)? –Maybe…

18 Public proof-of-work Use witness to prevent requests with invalid or missing proof-of-work from leaving the end-host –“The Case for Public Work”, Global Internet 2007. –“Portcullis … ”, SIGCOMM 2007.

19 Scheduled transmission and reception Use witness to ensure –Host does not send anything to a site until a scheduled time –Host does not receive particular data until a scheduled time A B a.com Do not reveal this data to the host until after Christmas Only allow packets to me from this host between 5pm-6pm PDT

20 More half-baked ideas in the paper Attestation-assisted congestion control Attested tit-for-tat for peer-to-peer networks Data exfiltration prevention Execute-once protocols

21 That was fun, but… Devil in the details Issues with Network Witnesses –Location –Measurement fidelity –Storage issues –Privacy and usability issues –Deployment issues

22 Location Network witness location (as defined here) directly determines mitigated threats –Current placement in memory controller Drives adversaries (cheaters) into peripherals –Placement in end hosts Drives adversaries into the network

23 Accuracy Does the network witness have 20/20 vision? –A blind witness can’t attest to much –Intel’s ME runs at a fraction of the speed of the FSB Can not implement a “memory watchpoint” to prevent information exposure cheating in on-line games Might not be able to accurately measure what it is asked to attest

24 Storage issues Witness will not have an “elephant file system” for its measurements –What happens when witness is unable to attest to the desired measurement due to space limitation?

25 Privacy and usability How can users trust network witnesses not to measure and give away arbitrary data? –Attesting all keyboard activity would be a disaster –Attesting inter-key timings would also be bad –Attesting aggregate keyboard/mouse mileage?

26 Deployment incentives Must give the user some benefit –Be able to play on-line games with other players that you can verify are not cheating? –Remove CAPTCHA tests for those willing to use hardware that attests keyboard/mouse activity? –Others?

27 Conclusion A half-baked approach for building networks around the notion of “network witnesses” An approach increasingly being pushed by industry Hopefully, we as researchers can influence how industry fully bakes it

Download ppt "The Case for Network Witnesses Wu-chang Feng Travis Schluessler Supported by:"

Similar presentations

Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.

Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.
Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.

Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.
Stealth Measurements for Cheat Detection in On-line Games Ed Kaiser Wu-chang Feng Travis Schluessler.

Stealth Measurements for Cheat Detection in On-line Games Ed Kaiser Wu-chang Feng Travis Schluessler.
Cryptography and Network Security

Cryptography and Network Security
COMPUTER BASICS METC 106. The Internet Global group of interconnected networks Originated in 1969 – Department of Defense ARPANet Only text, no graphics.

COMPUTER BASICS METC 106. The Internet Global group of interconnected networks Originated in 1969 – Department of Defense ARPANet Only text, no graphics.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.

CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.
Computer Basics 1 Computer Basic 1 includes two lessons:

Computer Basics 1 Computer Basic 1 includes two lessons:
Paul Solomine Security of P2P Systems. P2P Systems Used to download copyrighted files illegally. The RIAA is watching you… Spyware! General users become.

Paul Solomine Security of P2P Systems. P2P Systems Used to download copyrighted files illegally. The RIAA is watching you… Spyware! General users become.
بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.

بسم الله الرحمن الرحيم NETWORK SECURITY Done By: Saad Al-Shahrani Saeed Al-Smazarkah May 2006.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.

1 CCNA 2 v3.1 Module 8. 2 TCP/IP Suite Error and Control Messages CCNA 2 Module 8.
Towards Application Security On Untrusted OS

Towards Application Security On Untrusted OS
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

Chapter 6 Configuring, Monitoring & Troubleshooting IPsec
Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.

Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.
Clinic Security and Policy Enforcement in Windows Server 2008.

Clinic Security and Policy Enforcement in Windows Server 2008.
11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES  Explain basic concepts of Internet messaging. 

11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES  Explain basic concepts of Internet messaging. 
Introduction to Honeypot, Botnet, and Security Measurement

Introduction to Honeypot, Botnet, and Security Measurement

Similar presentations

Ads by Google