
Bunker: A Tamper Resistant Platform for Network Tracing Stefan Saroiu University of Toronto.


1 Bunker: A Tamper Resistant Platform for Network Tracing Stefan Saroiu University of Toronto

2 Motivation
- Today's tracing helps build tomorrow's systems
- ISPs view raw network traces as a liability
- Traces can compromise user privacy
- Protecting users' privacy is increasingly important
- Trace anonymization mitigates these issues

3 Offline Anonymization
- Trace anonymized after raw data is collected
- Privacy risk until raw data is deleted
- Today's traces require deep packet inspection
  - Headers insufficient to understand phishing or P2P
  - Payload traces pose a serious privacy risk
- Risk to user privacy is too high
  - Two universities rejected offline anonymization

4 Offline's Privacy Vulnerabilities
Two types of attacks:
1. Traditional: network intrusion attacks
2. New: raw data can be subpoenaed
Both universities required that subpoenas would not affect privacy

5 Online Anonymization
- Trace anonymized while tracing
  - Raw data resides in RAM only
- Difficult to meet performance demands
  - Extraction and anonymization must be done at line speeds
- Code is frequently buggy and difficult to maintain
  - Low-level languages (e.g. C) + "home-made" parsers
  - Small bugs cause large amounts of data loss
  - Introduces consistent bias against long-lived flows

6 Simple Tasks can be Very Slow
Regular expression for phishing:
((password)|(<form)|(<input)|(PIN)|(username)|(<script)|(user id)|(sign in)|(log in)|(login)|(signin)|(log on)|(sign on)|(signon)|(passcode)|(logon)|(account)|(activate)|(verify)|(payment)|(personal)|(address)|(card)|(credit)|(error)|(terminated)|(suspend))[^A-Za-z]
libpcre: 5.5 s for 30 MB = 44 Mbps max

8 Our solution: Bunker
- Combines best of both worlds
  - Same privacy benefits as online anonymization
  - Same engineering benefits as offline anonymization
- Pre-load analysis and anonymization code
- Lock it and throw away the key (tamper-resistance)

9 Threat Model
- Accidental disclosure: risk is substantial whenever humans are handling data
- Subpoenas: attacker has physical access to the tracing system
  - Subpoenas force researchers and ISPs to cooperate, as long as cooperation is not "unduly burdensome"
- Implication: nobody can have access to raw data

10 Is Developing Bunker Legal?

11 It Depends on Intent of Use
- Developing Bunker is like developing encryption
- Must consider purpose and uses of Bunker
  - Developing Bunker for user privacy is legal
  - Misuse of Bunker to bypass law is illegal

12 Outline
- Motivation
- Design of our platform
- System evaluation
- Case study: Phishing
- Conclusions

13 Logical Design (diagram)
Capture Hardware -> capture (online) -> One-Way Interface (anon. data) -> assemble, parse, anonymize (offline, using the Anon. Key)

14 VM-based Implementation (diagram)
Closed-box VM on a Hypervisor: the online capture stage encrypts raw data from the Capture Hardware to disk (Enc. Key, Encrypted Raw Data); the offline stage decrypts, assembles, parses and anonymizes (Anon. Key) and emits output through a One-Way Socket toward an Open-box NIC.

15 VM-based Implementation (diagram, continued)
Same as slide 14, with an Open-box VM (save trace, logging, maintenance) connected to the closed box only through the One-Way Socket.

16 Benefits
- Strong privacy properties
  - Raw trace and other sensitive data cannot be leaked
- Trace processing done offline
  - Can use your favorite language!
  - Parsing can be done with off-the-shelf components

17 Key Technologies
- "Closed-box" VM protects sensitive data
  - Contains all raw trace data & processing code
  - No interactive access to the closed box (e.g. no console)
- Encryption protects on-disk data
  - Randomly generated key held in volatile memory
  - Data cannot be decrypted upon reboot
- "Safe-on-reboot" VM mitigates hardware attacks

18 Outline
- Motivation
- Design of our tool
- System evaluation
- Case study: Phishing
- Conclusions

19 Software Engineering Benefits
- One order of magnitude between online and offline
- Development time: Bunker - 2 months, UW/Toronto - years

20 Work Deferral
Don't do now what you can do later

21 Error Recovery
Small bugs lead to small errors in the trace -- not huge gaps
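Added example (not code from the talk or the Bunker project) sketching in Python the properties slides 17, 20 and 21 describe: encryption and anonymization keys live only in RAM, raw records are encrypted at capture time and parsed later inside the closed box, only keyed pseudonyms leave it, and a record that fails to parse is lost on its own rather than tearing a gap in the trace. The record format, the HMAC-based stream cipher and the sample lines are constructed for illustration.

```python
import hashlib, hmac, os, re

class VolatileKeys:
    """Keys generated at boot and held only in RAM; a reboot discards them."""
    def __init__(self):
        self.enc_key = os.urandom(32)   # protects raw data spooled to disk
        self.anon_key = os.urandom(32)  # keyed pseudonymisation of identifiers

def keystream_xor(key, nonce, data):
    """HMAC-SHA256 counter-mode keystream XOR (illustrative; use AES-GCM in practice)."""
    out = bytearray()
    for i in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i * 32:(i + 1) * 32], block))
    return bytes(out)

def online_capture(keys, raw_record):
    """Online stage: encrypt at capture time so only ciphertext reaches disk."""
    nonce = os.urandom(16)
    return nonce + keystream_xor(keys.enc_key, nonce, raw_record)

def pseudonymise(keys, identifier):
    """Keyed pseudonym: equal inputs give equal tokens; unrecoverable without anon_key."""
    return hmac.new(keys.anon_key, identifier, hashlib.sha256).hexdigest()[:16]

# Constructed record format for this example; real traces hold reassembled flows.
RECORD = re.compile(rb"^src=(\S+) dst=(\S+) payload=(.*)$")

def offline_anonymise(keys, encrypted_records):
    """Offline stage inside the closed box: decrypt, parse with an off-the-shelf regex,
    emit only anonymised fields. A malformed record is dropped alone, not the trace."""
    anonymised, dropped = [], 0
    for blob in encrypted_records:
        raw = keystream_xor(keys.enc_key, blob[:16], blob[16:])
        match = RECORD.match(raw)
        if match is None:
            dropped += 1
            continue
        src, dst, payload = match.groups()
        anonymised.append({"src": pseudonymise(keys, src),
                           "dst": pseudonymise(keys, dst),
                           "has_url": b"http" in payload})
    return anonymised, dropped

# Constructed sample: after a simulated reboot (fresh VolatileKeys) nothing decrypts.
SAMPLE = [b"src=10.0.0.1 dst=mail.example.test payload=GET http://x/",
          b"src=10.0.0.1 dst=10.0.0.9 payload=hello",
          b"not a record"]
```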

22 Outline
- Motivation
- Design of our tool
- System evaluation
- Case study: Phishing
- Conclusions

23 Phishing is Bad
- Costs the U.S. economy hundreds of millions
- Affects 1+ million U.S. Internet users
- 2004 - mid 2006: # of phishing sites grew 10x
- Banks claim phishing is the #1 source of fraud
- Phishing messages now personalized
  - Harder to filter

24 Two Day Hotmail Trace
Tues Jan 29/08 11:15am - Thurs Jan 31 11:23am, University of Toronto at Mississauga
Hotmail Users: 3,062
# of E-mails Received: 13,438
# of From Addresses: 7,422
# of To Addresses: 25,456
Median # of Words in E-mail Body: 130

25 Questions
- How often are URLs present in e-mails?
- How often do people click on links in e-mails?
- Do people verify an e-mail for legitimacy before clicking on a link?

26 Links in Email

27 Conclusions
- Today's tracing experiments need to look "deep" into network activity
  - IP-level trace vs. email and browse history
- Serious privacy concerns
  - Physical security isn't enough: subpoenas
- Bunker provides
  - the safety of online anonymization
  - the simplicity of offline anonymization

28 Acknowledgments
- Andrew Miklas (U. of Toronto)
- Alec Wolman (Microsoft Research)
- Angela Demke Brown (U. of Toronto)

29 Questions? http://www.cs.toronto.edu/~stefan

30 Design (diagram)
XEN Hypervisor hosting an Open-box VM (DomainU: Untrusted Software, Open NIC) and a Closed-box VM (Domain0: Online Software, Offline Software, Anon. Key, Enc. Key, Capture NIC, Encrypted Raw Trace); a One-Way Interface connects the closed box to the open box.

31 Phishy Mail Leaks through Filters

32 Logical pipeline (diagram)
Capture Hardware -> capture (online) -> assemble, parse, anonymize (offline, Anon. Key) -> Anonymized Trace

33 Inaccessible VM (diagram)
Hypervisor hosting an Inaccessible VM (capture, assemble, parse, anonymize, Anon. Key) and a Commodity VM (save trace, logging, maintenance); the Anonymized Trace passes through a One-Way Socket.

34 Inaccessible VM with encrypted raw trace (diagram)
Same as slide 33, plus encrypt/decrypt with an Enc. Key so the raw trace is stored only as an Encrypted Raw Trace.

35 Overall Privacy Goal
Goal: ensure that user's privacy is "no worse off" when a trace is in progress
(timeline figure: Time; Tracing Starts; Tamper Attack; Data Protected; Data Exposed)
