Download presentation
Presentation is loading. Please wait.
Published byMaryann Simon Modified over 9 years ago
1
Shadow: Simple HPC for Systems Security Research Invited Talk Kansas State University September 25 th, 2013 Rob Jansen U.S. Naval Research Laboratory rob.g.jansen@nrl.navy.mil
2
Outline ● Experimentation Ideology ● Shadow and its Design ● Use case: – Overview: the Distributed Tor Network – Research: the Sniper Attack Against Tor
3
Outline ● Experimentation Ideology ● Shadow and its Design ● Use case: – Overview: the Distributed Tor Network – Research: the Sniper Attack Against Tor
4
Properties of Experimentation
5
Network Research
6
Testbed Trade-offs Controllable Reproducible Scalable Accuracy Convenient Live NetworkXX PlanetLab? SimulationXXXX EmulationXX ShadowXXX?X
7
Outline ● Experimentation Ideology ● Shadow and its Design ● Use case: – Overview: the Distributed Tor Network – Research: the Sniper Attack Against Tor
8
What is Shadow? ● Discrete event network simulator ● Runs real applications without modification ● Simulates time, network, crypto, CPU ● Models routing, latency, bandwidth ● Single Linux box without root privileges
9
Shadow’s Capabilities
10
Bootstrapping Shadow
11
Virtual Network Configuration
12
Virtual Host Configuration
13
Simulation Engine
14
Program Layout Libraries (libc, …) Shadow Engine (shadow-bin) Shadow Plug-in (application+ wrapper)
15
Plug-in Wrapper Hooks Libraries (libc, …) Shadow Engine (shadow-bin) Shadow Plug-in (application+ wrapper)
16
Function Interposition LD_PRELOAD=/home/rob/libpreload.so Libraries (libc, …) Shadow Engine (shadow-bin) Shadow Plug-in (application+ wrapper) libpreload (socket, write, …)
17
Function Interposition LD_PRELOAD=/home/rob/libpreload.so hooks Libraries (libc, …) Shadow Engine (shadow-bin) Shadow Plug-in (application+ wrapper) libpreload (socket, write, …)
18
Function Interposition libpreload (socket, write, …) LD_PRELOAD=/home/rob/libpreload.so Libraries (libc, …) Shadow Engine (shadow-bin) Shadow Plug-in (application+ wrapper) hooksfopen
19
Function Interposition libpreload (socket, write, …) LD_PRELOAD=/home/rob/libpreload.so socket Libraries (libc, …) Shadow Engine (shadow-bin) Shadow Plug-in (application+ wrapper) hooksfopen
20
Function Interposition libpreload (socket, write, …) LD_PRELOAD=/home/rob/libpreload.so write Libraries (libc, …) Shadow Engine (shadow-bin) Shadow Plug-in (application+ wrapper) hooksfopen
21
Clang/LLVM (custom pass) Virtual Context Switching
23
Shadow-Tor’s Accuracy
24
Shadow-Tor’s Scalability Memory: 20- 30 MiB per virtual Tor host
25
Outline ● Experimentation Ideology ● Shadow and its Design ● Use case: – Overview: the Distributed Tor Network – Research: the Sniper Attack Against Tor
26
The Tor Anonymity Network torproject.org
27
How Tor Works
31
Tor protocol aware
32
Outline ● Experimentation Ideology ● Shadow and its Design ● Use case: – Overview: the Distributed Tor Network – *Research: the Sniper Attack Against Tor *Joint with Aaron Johnson, Florian Tschorsch, Björn Scheuermann
33
Tor Flow Control exit entry
34
Tor Flow Control One TCP Connection Between Each Relay, Multiple Circuits exit entry
35
Tor Flow Control One TCP Connection Between Each Relay, Multiple Circuits Multiple Application Streams exit entry
36
Tor Flow Control No end-to-end TCP! exit entry
37
Tor Flow Control Tor protocol aware exit entry
38
Tor Flow Control Packaging End Delivery End exit entry
39
Tor Flow Control Packaging End Delivery End exit entry
40
Tor Flow Control 1000 Cell Limit SENDME Signal Every 100 Cells exit entry
41
The Sniper Attack ● Low-cost memory consumption attack ● Disables arbitrary Tor relays ● Anonymous if launched through Tor
42
The Sniper Attack Start Download Request exit entry
43
The Sniper Attack Reply DATA exit entry
44
The Sniper Attack Package and Relay DATA DATA exit entry
45
The Sniper Attack DATA Stop Reading from Connection DATA R exitentry
46
The Sniper Attack DATA R exit entry
47
The Sniper Attack DATA Periodically Send SENDME SENDME R DATA exit entry
48
The Sniper Attack DATA Out of Memory, Killed by OS R DATA exit entry
49
Memory Consumed over Time
50
Mean RAM Consumed, 50 Relays
51
Mean BW Consumed, 50 Relays
52
Sniper Attack Defenses ● Authenticated SENDMEs ● Queue Length Limit ● Adaptive Circuit Killer
53
Circuit-Killer Defense
54
Sniper Attack Implications ● Reduce Tor’s capacity ● Network Denial of Service ● Influence path selection (selective DoS) ● Deanonymization of hidden services
55
Outline ● Experimentation Ideology ● Shadow and its Design ● Use case: – Overview: the Distributed Tor Network – Research: the Sniper Attack Against Tor
56
Questions? shadow.github.io github.com/shadow cs.umn.edu/~jansen rob.g.jansen@nrl.navy.mil think like an adversary
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.