Presentation is loading. Please wait.

Presentation is loading. Please wait.

Shadow: Scalable Simulation for Systems Security Research CrySP Speaker Series on Privacy University of Waterloo January 20 th, 2016 Rob Jansen U.S. Naval.

Published byPhillip Dennis Modified over 9 years ago

Similar presentations

Presentation on theme: "Shadow: Scalable Simulation for Systems Security Research CrySP Speaker Series on Privacy University of Waterloo January 20 th, 2016 Rob Jansen U.S. Naval."— Presentation transcript:

1 Shadow: Scalable Simulation for Systems Security Research CrySP Speaker Series on Privacy University of Waterloo January 20 th, 2016 Rob Jansen U.S. Naval Research Laboratory rob.g.jansen@nrl.navy.mil @robgjansen

2 Talk Outline ● Shadow and how it works ● Tor research case study: Kernel-Informed Socket Transport ● Future directions 2

3 Why should you care? ● Expedite research and development ● Evaluate software mods or attacks without harming real users ● Understand holistic effects before deployment ● Shadow supports simulation for new applications 3

4 EXPERIMENTATION OPTIONS Thread 0 4

5 Desirable Properties Goal! Scalable Reproducible Accurate Controllable 5

6 Network Research Methods 6

7 Simulation vs Emulation ● Time (simulation wins) – Real time vs “as-fast-as-possible” execution – Emulation time must advance in synchrony with wall- clock time, or the virtual environment may become “sluggish” or unresponsive – Easier to slow down than to speed up execution! ● Realism (emulation wins) – Uses host OS kernel, protocols, applications – Can run anything that runs on OS 7

8 SHADOW Thread 1 8

9 What is Shadow? ● Parallel discrete-event network simulator ● Models routing, latency, bandwidth ● Simulates time, CPU, OS – TCP/UDP, sockets, queuing, threading ● Emulates POSIX C API on Linux ● Directly executes apps as plug-ins 9

10 Simulation Environment 10 Hosts Logical processing units with independent state

11 Simulation Environment 11 HostsNetwork Routing elements (nodes, links) and attributes (bandwidth, latency, packet loss)

12 Simulation Environment 12 Holds current virtual time (distinct from physical time) HostsNetwork Global Clock

13 Simulation Environment 13 Processing task for a host at a specific time HostsNetwork Global Clock Event

14 Simulation Environment 14 Holds events sorted by time (min heap) HostsNetwork Global Clock Event Event Queue

15 Discrete Event Engine 15 Facilitate communication: exchange events between hosts through the network “as-fast-as-possible” execution

16 Discrete Event Engine 16  While !end  Get next event  Update clock  Process event  Enqueue events Facilitate communication: exchange events between hosts through the network “as-fast-as-possible” execution

17 Parallel Discrete Event Engine 17 Host workloads split among physical threads Each physical thread has event queue Synchronization problem!

18 Conservative Synchronization ● Ensure causality – events must occur in correct order (not in the past) 18 Time barrier Safe execution interval (min latency) Future Global time Local times

19 Virtual Network Routing ● Network graph model 19 Latency and packet loss Host connection points (IPs)  If complete:  Lookup link  Get latency  Else  Compute shortest path  Sum link latencies  Cache result

20 Executing Applications on Hosts ● Load programs as dynamic shared object libraries 20 Compile with Clang, extract state addresses with LLVM pass AddrVal 0xA0 0xB0 …… Each program loaded only once per thread

21 Virtual Process Management Save default values on initial load AddrVal 0xA0 0xB0 …… AddrVal 0xA15 0xB87 …… AddrVal 0xA22 0xB62 …… AddrVal 0xA33 0xB85 …… AddrVal 0xA5 0xB59 …… Copy state for each virtual process 21

22 Virtual Process Management AddrVal 0xA0 0xB0 …… AddrVal 0xA15 0xB87 …… AddrVal 0xA22 0xB62 …… AddrVal 0xA33 0xB85 …… AddrVal 0xA5 0xB59 …… Swap state into/out of memory as virtual processes are switched 22

23 Virtual Thread Management 23 Reentrant portable threads (rpth) async. thread-safe, user-land non-preemptive cooperative threading Uses make/set/get/swapcontext() magic to jump program stacks when EWOULDBLOCK Virtual thread layer

24 Virtual Thread Management Shadow thread Each virtual process has a private rpth instance 24

25 Virtual Thread Management Shadow thread “main” thread Spawns an rpth thread to call the program main() function 25

26 Virtual Thread Management Shadow thread “main” thread spawned threads Program may spawn auxiliary threads 26

27 rpth scheduler (prog ctx) Execution Flow with rpth Swap in virtual process and rpth state Swap out virtual process and rpth state Return to Shadow thread when all spawned rpth threads would block: 27

28 LD_PRELOAD=libpreload.so (socket, write, pthread_create, …) Function Interposition 28 App Libraries (libc, …) rpth scheduler (prog ctx) Function calls are redirected to simulated counterpart

29 Simulating a Kernel ● Sockets and queuing ● Network protocols – TCP, UDP ● Threading (pthread) ● Randomization (maintain determinism) ● CPU usage 29

30 KERNEL INFORMED SOCKET TRANSPORT Thread 2 With John Geddes, Chris Wacek, Micah Sherr, and Paul Syverson 30

31 Anonymous Communication: Tor 31

32 This Talk ● Where is Tor slow? – Measure public Tor and private Shadow-Tor networks – Identify circuit scheduling and socket flushing problems ● Design KIST: Kernel-Informed Socket Transport – Use TCP snd_cwnd to limit socket writes ● Evaluate KIST Performance and Security – Reduces kernel and end-to-end circuit congestion – Throughput attacks unaffected, speeds up latency attacks 32

33 Outline ● Background ● Instrument Tor, measure congestion ● Analyze causes of congestion ● Design and evaluate KIST – Performance – Security 33

34 Relay Overview 34

35 Relay Overview TCP Tor circuits are multiplexed over a TCP transport 35

36 Relay Overview TCP 36

37 Relay Internals Kernel InputKernel OutputTor InputTor Output Tor Circuits Opportunities for traffic management 37

38 Outline ● Background ● Instrument Tor, measure congestion ● Analyze causes of congestion ● Design and evaluate KIST – Performance – Security 38

39 Live Tor Congestion - libkqtime Kernel InputKernel OutputTor InputTor Output Tor Circuits 39

40 Live Tor Congestion - libkqtime Kernel InputKernel OutputTor InputTor Output Tor Circuits tag match tag match 40

41 Live Tor Congestion - libkqtime Kernel InputKernel OutputTor InputTor Output Tor Circuits tag match tag match track cells 41

42 Shadow Network Simulation ● Enhanced Shadow with several missing TCP algorithms – CUBIC congestion control – Retransmission timers – Selective acknowledgements (SACK) – Forward acknowledgements (FACK) – Fast retransmit/recovery ● Designed largest known private Tor network – 3600 relays and 12000 simultaneously active clients – Internet topology graph: ~700k nodes and 1.3m links 42

43 Track the UID Shadow-Tor Congestion – UIDs UID Track the UID 43

44 Track the UID Shadow-Tor Congestion – UIDs UID Track the UID Kernel InputKernel Output Tor Input Tor Output Tor Circuits 44

45 Tor and Shadow-Tor Congestion Congestion occurs almost exclusively in outbound kernel buffers Shadow-TorLive-Tor 45

46 Outline ● Background ● Instrument Tor, measure congestion ● Analyze causes of congestion ● Design and evaluate KIST – Performance – Security 46

47 Analyzing Causes of Congestion Kernel OutputTor Output Tor Circuits Queuing delays in kernel output buffer 47

48 Analyzing Causes of Congestion Kernel OutputTor Output Tor Circuits Queuing delays in kernel output buffer Problem 1: Circuit scheduling Problem 2: Flushing to Sockets 48

49 Problem 1: Circuit Scheduling Kernel OutputTor Output Tor Circuits Libevent schedules one connection at a time 49

50 Problem 1: Circuit Scheduling Kernel OutputTor Output Tor Circuits Libevent schedules one connection at a time Tor only considers a subset of writable circuits 50

51 Problem 1: Circuit Scheduling Kernel OutputTor Output Tor Circuits Libevent schedules one connection at a time Tor only considers a subset of writable circuits Circuits from different connections are not prioritized correctly 51

52 Problem 2: Flushing to Sockets Kernel OutputTor Output Tor Circuits Queuing delays in kernel output buffer FIFO 52

53 Problem 2: Flushing to Sockets Kernel OutputTor Output Tor Circuits Worse priority traffic (high throughput flows) FIFO 53

54 Problem 2: Flushing to Sockets Kernel OutputTor Output Tor Circuits Better priority traffic (low throughput flows) Worse priority traffic (high throughput flows) FIFO 54

55 Problem 2: Flushing to Sockets Kernel OutputTor Output Tor Circuits Better priority traffic (low throughput flows) Must wait for kernel to flush socket to network (blocked on TCP cwnd) Worse priority traffic (high throughput flows) FIFO 55

56 Problem 2: Flushing to Sockets Kernel OutputTor Output Tor Circuits Better priority traffic (low throughput flows) Reduces effectiveness of circuit priority Worse priority traffic (high throughput flows) FIFO 56

57 Outline ● Background ● Instrument Tor, measure congestion ● Analyze causes of congestion ● Design and evaluate KIST – Performance – Security 57

58 Ask the kernel, stupid! ● Utilize getsockopt and ioctl syscalls socket_space = sndbufcap – sndbuflen tcp_space = (cwnd – unacked) * mss sndbuflen sndbufcap unacked cwnd 58

59 Kernel-Informed Socket Transport ● Don’t write it if the kernel can’t send it; bound kernel writes by: – Socket: min(socket_space, tcp_space) – Global: upstream bandwidth capacity Solution to Problem 2 59

60 Kernel-Informed Socket Transport ● Don’t write it if the kernel can’t send it; bound kernel writes by: – Socket: min(socket_space, tcp_space) – Global: upstream bandwidth capacity ● Choose globally from all writable circuits Solution to Problem 1 60

61 Kernel-Informed Socket Transport ● Don’t write it if the kernel can’t send it; bound kernel writes by: – Socket: min(socket_space, tcp_space) – Global: upstream bandwidth capacity ● Choose globally from all writable circuits ● Try to write again before kernel starvation 61

62 KIST Reduces Kernel Congestion 62

63 KIST Increases Tor Congestion 63

64 KIST Reduces Circuit Congestion 64

65 KIST Improves Network Latency 65

66 Outline ● Background ● Instrument Tor, measure congestion ● Analyze causes of congestion ● Design and evaluate KIST – Performance – Security 66

67 Traffic Correlation: Latency Hopper et.al. CCS’07 Goal: narrow down potential locations of the client on a target circuit 67

68 Traffic Correlation: Latency Hopper et.al. CCS’07 -Inject redirect or javascript -Start timer 68

69 Traffic Correlation: Latency GET Hopper et.al. CCS’07 Request redirected page or embedded object 69

70 Traffic Correlation: Latency GET Hopper et.al. CCS’07 -Stop timer -Estimate latency 70

71 Latency Attack | estimate – actual | 71

72 Latency Attack num pings until best estimate 72

73 Traffic Correlation: Throughput Mittal et.al. CCS’11 Goal: find guard relay of the client on a target circuit 73

74 Traffic Correlation: Throughput Mittal et.al. CCS’11 Probe throughput of all guard relays 74

75 Traffic Correlation: Throughput Mittal et.al. CCS’11 Correlate throughput between exit and probes 75

76 Throughput Attack Results 76

77 think like an adversary shadow.github.io github.com/shadow robgjansen.com, @robgjansen rob.g.jansen@nrl.navy.mil Summary/Conclusion ● Shadow ● Where is Tor slow? – KIST complements other performance enhancements, e.g. circuit priority ● Future work – Optimize Shadow threading algorithms – Distribute Shadow across processes/machines

Download ppt "Shadow: Scalable Simulation for Systems Security Research CrySP Speaker Series on Privacy University of Waterloo January 20 th, 2016 Rob Jansen U.S. Naval."

Similar presentations

Dr. Kalpakis CMSC 621, Advanced Operating Systems. Fall 2003 URL: Distributed System Architectures.

Dr. Kalpakis CMSC 621, Advanced Operating Systems. Fall 2003 URL: Distributed System Architectures.
Jaringan Komputer Lanjut Packet Switching Network.

Jaringan Komputer Lanjut Packet Switching Network.
The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network Rob Jansen et. al NDSS 2014 Presenter: Yue Li Part of slides adapted from R.

The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network Rob Jansen et. al NDSS 2014 Presenter: Yue Li Part of slides adapted from R.
Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross- Layer Information Awareness Xin Yu Department Of Computer Science New York University,

Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross- Layer Information Awareness Xin Yu Department Of Computer Science New York University,
UNIT-IV Computer Network Network Layer. Network Layer Prepared by - ROHIT KOSHTA In the seven-layer OSI model of computer networking, the network layer.

UNIT-IV Computer Network Network Layer. Network Layer Prepared by - ROHIT KOSHTA In the seven-layer OSI model of computer networking, the network layer.
On Traffic Analysis in Tor Guest Lecture, ELE 574 Communications Security and Privacy Princeton University April 3 rd, 2014 Dr. Rob Jansen U.S. Naval Research.

On Traffic Analysis in Tor Guest Lecture, ELE 574 Communications Security and Privacy Princeton University April 3 rd, 2014 Dr. Rob Jansen U.S. Naval Research.
Router Architecture : Building high-performance routers Ian Pratt

Router Architecture : Building high-performance routers Ian Pratt
Chapter 7 Protocol Software On A Conventional Processor.

Chapter 7 Protocol Software On A Conventional Processor.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
ECE 526 – Network Processing Systems Design Software-based Protocol Processing Chapter 7: D. E. Comer.

ECE 526 – Network Processing Systems Design Software-based Protocol Processing Chapter 7: D. E. Comer.
Chapter 5 Processes and Threads Copyright © 2008.

Chapter 5 Processes and Threads Copyright © 2008.
Nick McKeown CS244 Lecture 6 Packet Switches. What you said The very premise of the paper was a bit of an eye- opener for me, for previously I had never.

Nick McKeown CS244 Lecture 6 Packet Switches. What you said The very premise of the paper was a bit of an eye- opener for me, for previously I had never.
GridFlow: Workflow Management for Grid Computing Kavita Shinde.

GridFlow: Workflow Management for Grid Computing Kavita Shinde.
Spring 2002CS 4611 Router Construction Outline Switched Fabrics IP Routers Tag Switching.

Spring 2002CS 4611 Router Construction Outline Switched Fabrics IP Routers Tag Switching.
4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side, delivers.

4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side, delivers.
10 - Network Layer. Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving.

10 - Network Layer. Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving.
I/O Hardware n Incredible variety of I/O devices n Common concepts: – Port – connection point to the computer – Bus (daisy chain or shared direct access)

I/O Hardware n Incredible variety of I/O devices n Common concepts: – Port – connection point to the computer – Bus (daisy chain or shared direct access)
3.5 Interprocess Communication Many operating systems provide mechanisms for interprocess communication (IPC) –Processes must communicate with one another.

3.5 Interprocess Communication Many operating systems provide mechanisms for interprocess communication (IPC) –Processes must communicate with one another.
3.5 Interprocess Communication

3.5 Interprocess Communication
Networks 1 CS502 Spring 2006 Network Input & Output CS-502 Operating Systems Spring 2006.

Networks 1 CS502 Spring 2006 Network Input & Output CS-502 Operating Systems Spring 2006.

Similar presentations

Ads by Google