THE MAGAZINE OF USENIX & SAGE
December 2002 • volume 27 • number 6
Focus Issue: Security
Guest Editor: Rik Farrow
inside:
CONFERENCE REPORTS
11th USENIX Security Symposium
The Advanced Computing Systems Association &
The System Administrators Guild
conference reports
;login: Vol. 27, No. 6

11th USENIX Security Symposium
SAN FRANCISCO, CALIFORNIA, USA
AUGUST 5-9, 2002

OUR THANKS TO THE SUMMARIZERS:
Akshay Aggarwal
Mihai Christodorescu
Michael Hohmuth
George M. Jones
Lou Katz
Prem Uppuluri
Haining Wang
Seung Yi

KEYNOTE ADDRESS
INFORMATION SECURITY IN THE 21ST CENTURY
Whitfield Diffie, Sun Microsystems
Summarized by George M. Jones

The opening keynote given by Mr. Diffie provided a jam-packed overview of information security in the 20th century and projections for the 21st century, interspersed with sage opinions and observations.

He began by defining security as (1) preventing adverse consequences from illegitimate actions of human beings; (2) protecting yourself against the actions of an intelligent opponent; and (3) something that gives you the appearance of legitimacy.

The history of information security in the 20th century was largely dominated by issues of privacy, with cryptography being the primary tool to enforce privacy. While cryptography has been around at least since the days of Julius Caesar, its importance became crucial with the advent of a new communications technology: radio. “Radio revolutionized warfare. Before radio, a naval fleet commander sent ships out with orders and could communicate with them every few weeks or months at best. With the advent of radio, orders could be communicated in, at most, days. But since radio is a broadcast medium, everyone could listen – hence the importance of cryptography for confidentiality.”

Accordingly, WWI saw an increase in the use of cryptography, and WWII, an increase in the use of automation (the code clerks just could not keep up). Ensuing decades brought computerization (’50s); reliable computers, time-sharing, and the first “computing communities” (’60s); the advent of the ARPANET and the loss of all the (dis)advantages of locality (’70s); disconnected, password-less PCs (’80s); and the Internet brought to all those password-less PCs (oops), the “computerization of everything,” and the migration away from paper (’90s).

Another important focus of information security in the 20th century was the efforts to provide secure voice communication, from the ’40s, when exactly two people (Roosevelt and Churchill) could communicate securely using multi-million-dollar 30-ton devices, to the STU phones of the ’80s, which “reached their goals but failed because communications expanded beyond the phone (cell phones, voice over IP, PDAs, fax, email, WWW).”

Diffie outlined some trends and observations from the 20th century: computer power keeps increasing, information is now digital, security technology moves closer to the user, DES was developed in secret, AES was developed in public. In the shift to elliptic-curve cryptography, “we’re now moving from using 17th-century to 19th-century mathematics.” Encryption allows networks to be defined by who has what keys, not by topology (à la today’s firewalls). “The minute you begin rolling out crypto, you turn everything into ‘us’ vs. ‘them’.”

Some current trends: computer-mediated communication, the rise of the information economy, unification of communication and delivery channels (e.g., Web site download of programs), mobility, and bandwidth on demand. “The driving factor is that better security technology draws more valuable traffic, and, conversely, more valuable traffic requires better security.”

Diffie had some insightful observations on privacy: “Privacy is a security policy
about personal information. If you don’t have any way of controlling information flow, you have no way of enforcing a policy. There is an increasing immediacy to information security. It’s important that people be able to recognize each other (authentication) and have private conversations (confidentiality). We are trying to transplant our human culture into a world of computer-mediated communications.”

On the “open” vs. “closed” development approach, he noted that “Some argue against this, saying ‘open’ means the ‘bad guys’ can look at it. Some argue for it, saying many eyes mean more security. They both miss the point. ‘Open’ means you can look at it and satisfy yourself.”

In answer to the question “Why is it taking such a long time to get a working PKI?” he noted that “most of the costs are up front, but most of the benefits accrue once it’s deployed. Unlike PCs, it’s hard to deploy PKI piecemeal.

“Key escrow is like the One Ring in the Lord of the Rings. It is an evil that will be back . . . though perhaps under different names.” Data recovery keys are valuable to data owners to ensure the ability to recover private data.

“Today, flows of information are controlled by the movement of people, e.g., it’s cheaper to hire away a Microsoft employee than to gain certain information by other means.”

Security is about people. “It is never independent of point of view. It often deals with competing interests. It is never value-neutral. It moves power from one group to another.”

In closing, Diffie offered the following thoughts: “Security should make doing business easier, not harder. Nothing is more important than human-factors engineering. Quality of security is directly proportional to quality of evaluation.” Simplicity is the essence of evaluable security design. There are big gains to be had from putting some functions in hardware.

“The question for the 21st century is, ‘Can everyone be secure at the same time?’”

Questions and Answers

Q: (Steve Bellovin) Most of the problems we’re seeing are not crypto problems e.g., buffer overruns, etc.

A: The fact that we can’t implement things right is our Achilles’ heel.

Q: (John Ioannidis) What about attempts to legislate security out of existence?

A: My prejudices agree with yours. Security is just one piece in a larger puzzle. Information is becoming a commodity. Societies have always regulated commodities. Decisions made today will shape society for decades.

INVITED TALKS

WIRELESS ACCESS POINT MAPPING
Simon D. Byers, AT&T Labs–Research
Summarized by Akshay Aggarwal

Wireless is appearing almost everywhere and comes with no strings attached, literally. Simon Byers spoke about his experiences in wireless access point (AP) mapping. He started off by pointing out the pervasive nature of 802.11b-based wireless LANs, stating that they could be found in your neighborhood McDonald’s, Trader Joe’s, or just about anywhere. Many laptops now come with built-in support for these networks. “Executives love it,” said Byers while illustrating that it was as easy to use wireless LANs in corporate boardrooms as in the female restroom of AT&T Labs’ Florham Park, NJ, facility where he works. This property fields wireless LANs as a probable ISP medium, which could solve the last-mile problem.

The wireless LAN protocol uses the free 2.4GHz range and cannot penetrate stones, leaves, or people, though Tupperware is unable to stop it. At a speed of 11Mbps, wireless networks are fast and can be used as access points, relay, or point-to-point links and are “minimally invasive apart from heating up the children a bit.” Satellite networks, the only alternative to wireless networks, suffer from poor upload rates and high latency problems. Speaking about the “security” of 802.11b, he pointed to the plethora of literature and scripts available for anyone to break WEP. The end result, according to him, is that WEP is now next to worthless.

According to Byers, open networks exist with the aim of providing free Internet to the people. Some important issues with open networks are the pushback from ISPs, with cable companies persecuting NAT users, patchy coverage, and their susceptibility to DDoS attacks. The reasons to map these networks included the need for a security survey, to find an open network to connect to, to provide and assess network coverage, and to explore the saturation of the free spectrum. To emphasize his point, he gave the example of a war-driving contest at a recently concluded hacker conference (and the basic flaws in the contest). He then showed slides of his mapping efforts made while driving around Las Vegas and New York.

The audience was acquainted with the hardware needed for WAP mapping. He showed them 802.11b wireless cards, the various kinds of antennae (yagi, omni, panel, and dish), and GPS systems and amplifiers. Then came a tutorial on how to build a base station and receiver to capture images from X10 wireless cameras, deployed with the tagline, “You’ll never know what you will see!”

While he was driving around Manhattan he found approximately 4000 access points. Of these, 964 had WEP enabled, 156 networks had the default SSID, and many had their addresses as SSIDs. In correlation with other data, analysis of this data provides the location of APs and the comparative reach of the networks. Techniques used to locate APs include max signal-to-noise ratio, triangulation, intersecting spheres, or just the
plain old telephone book in cases where SSID was an address.

To conclude his talk, Byers discussed the business application for mapping APs, which were to set up, manage, and analyze a network for use by all. This included optimizing the deployment and mapping the target customers’ footprint. This information would be invaluable to owners of wireless networks.

FREEDOM TO TINKER
Edward W. Felten, Princeton University
Summarized by George M. Jones

Professor Ed Felten of Princeton spent some time this year thinking about the legal and economic aspects of “The Right to Tinker.” This follows the presentation last year of his paper on the SDMI challenge (detecting/removing digital watermarks on audio samples), which followed a lawsuit backed by USENIX and EFF to defend his right to present it. This talk outlines some of his conclusions. For more info, see http://www.freedom-to-tinker.com.

“A funny thing’s happened in my career,” he began. “I’ve gotten involved in legal issues, or to put it more accurately, those issues have gotten involved with me. Things computer science people have always done are increasingly at risk of becoming illegal. Tinkering benefits everyone, not just techies. We need to sell the idea that the public will lose out as the freedom to tinker is eroded.”

“The freedom to tinker,” Felten said, “is the freedom to understand, discuss, repair, and modify technological devices that you own.”

Felten said that three points need to be stressed:

1. Tinkering is socially important.

Tinkering is rooted in the basic human need to explore and understand the world around us and to control our surroundings. Imagine laws making it illegal to fix your own car. Tools are important to tinkering. Sledgehammers and program debuggers have legitimate and illegitimate uses. Laws such as the Digital Millennium Copyright Act (DMCA) are making useful tools illegal without regard to potential legal uses.

Tinkering with products by security researchers benefits the public by disclosing flaws in products they rely on. Tinkering benefits vendors by giving them the opportunity to fix the flaws.

“Increasingly, technology [computers] is controlling access to content. It’s no longer just you and the book. Now it’s you and your Web browser, and Google, and thousands of Web servers back-ended by databases connected to networks,” said Felten. Tinkering with these technologies should be protected.

Public policy debates often turn on the understanding of technical issues: for example, is a large software vendor simply designing more efficient programs or programs intended to limit competition? Tinkering by independent analysts raises understanding and thus raises the level of public debate.

2. Tinkering is economically efficient.

Most arguments against tinkering boil down to economics, but it is not clear that the arguments are valid when applying generally accepted principles of economic analysis.

Tinkering has many positive side effects (or “externalities”). They include innovation, education, and competition.

If there are barriers to tinkering, such as the DMCA or restrictive End User License Agreements (EULAs), not enough tinkering will occur and the positive side effects will be missed.

3. Tinkering doesn’t conflict with “intellectual property.”

“Intellectual property is not a single thing [under US law]. It is a combination of copyright, patent, and trade secrets.”

Trade secrets protect secret material, but only against disclosure by improper means (bribery, threat, theft). It does not protect what is learned through tinkering or “obvious” things such as hair color.

Copyright and patent are intended “to promote the progress of science and the useful Arts,” to maximize total (not individual/corporate) wealth, and to prevent outright copying of a product, but not to prevent study or discussion. None of these should present a barrier to tinkering.

“Our opponents say that the battle is between people who are pro-copyright (them) and anti-copyright (us). We don’t have to accept that. Our position should be that we respect the traditional scope of copyright; fair use is important but is not the issue. Laws such as the DMCA do harm to people (tinkerers, the general public) who have no intention to violate copyright. It’s about maintaining robust, open, competitive technology.”

Questions and Answers

Tinkering was needed to facilitate the first question; the audience microphones didn’t work. The techies present fixed them, with no help or permission from the vendor or Congress.

Q: What alternative is there to the DMCA (technological or other)? What can we do to prevent/deter infringement of copyright?

A: The DMCA is the worst of both worlds. It does not prevent infringement and punishes those who have no intent to violate copyright. It goes beyond what is needed to prevent infringement. The main effect of the DMCA has been to cause collateral damage.

Q: Would you be in favor of building a tool whose sole purpose is to circumvent infringement?

A: No.
Q: Does this change things from civil to criminal? What about the standard of evidence?

A: DMCA increases the number of parties who can bring a suit. Anybody who is harmed can bring suit. This is the source of a chilling effect. You as a researcher don’t know who might be offended/harmed/bring suit. The incentive is to do nothing (not to tinker).

Q: Are there some circumstances where anti-tinkering terms of use can benefit users? For example, pop-up advertising paying for free network access. Is it OK to prevent tinkering to turn off pop-up advertising?

A: If your question is how to change the law and policy to encourage tinkering, this (repealing the DMCA) is the only way.

Q: Napster did have legitimate uses.

A: Napster had too much of a role in the infringement.

Q: Do you have suggestions of practical things that people can do?

A: Participate in forums such as this [USENIX]. Try to influence/talk to reps. Get involved with EFF. Be vocal.

Q: What about obfuscation that raises the cost of tinkering?

A: What’s really dangerous are mandates that require people to build in anti-tampering devices.

Q: What about EULAs and the Uniform Computer Information Transactions Act (UCITA)?

A: UCITA would strengthen EULAs. An important step is to say that licenses should not be used to prevent tinkering.

Q: Do you see any problem with the use of the term “tinkering”? Will people whose primary concerns in life revolve around junk food and big-screen TVs take it as a serious issue?

A: Lots of people like to tinker. Recall the Thomas Edison stories. It’s possible to connect the issue to things that concern the general public (e.g., a better way to use your VCR).

BIOMETRIC AUTHENTICATION TECHNOLOGIES: HYPE MEETS THE TEST RESULTS
James L. Wayman, Biometric Test Center, San Jose State University
Summarized by Akshay Aggarwal

What exactly is hyperbole? Jim Wayman pointed out that the Merriam-Webster dictionary defines it as an “extravagant exaggeration (‘mile-high ice-cream cones’).” Much of the hype surrounding biometric identification is just that – an exaggeration of the truth. To illustrate this point further he referred to two Web sites and proceeded to expose their exaggerations.

The first Web site belonged to an unnamed biometric product vendor. Their claims:

1. “Facial recognition technology is the only biometric capable of identifying known people at a distance.” This is contradictory to the fact that DARPA is involved in a project aimed at using iris-scanning technology at a distance. Facial recognition is not the only biometric available for long-distance recognition, though it is one of them. In addition, the vendor admits that the range of facial-recognition technology is currently limited to 10 feet. So what is really meant by distance?

2. “Facial surveillance can yield instant results, verifying the identity of a suspect instantly and checking through millions of records for possible matches quickly, automatically, and reliably.” Furthermore it claims, “These investigative tools help to single out known terrorists or criminals.” This implies that the technology is accurate when, in fact, it suffers from fairly high rates of false positives and false negatives.

The second was a leading educational Web site. Their claims:

1. “The biometrics industry is mythical.” The International Biometric Association exists and its members can be found at http://www.ibia.org; the industry is far from mythical.

2. “Publicly available, independent evaluation of technologies and products is extremely rare.” Independent evaluations and standard testing procedures can be found at sites such as http://www.biometrics.org, http://www.afb.org.uk.

Wayman says, “Hype is factually correct but leaves an impression that may not be accurate.” He agrees with B. Miller’s definition of biometric authentication as “automatic authentication or identity verification of a living human individual based on behavioral and physiological characteristics.”

Wayman says that some metrics that should be used to evaluate technical performance of biometric algorithms are failure-to-enroll, failure-to-acquire, false positives, and false negatives. Failure-to-acquire measures how often the device fails to recognize a metric, such as when a facial-recognition system fails to recognize a face against a pale background. Failure-to-enroll is a more important metric, measuring whether a biometric precludes certain groups of people; for example, fingerprint scanners cannot be effectively used on the old and the very young, groups that tend to have a much less distinct fingerprint. Thus biometrics cannot be used on all segments of society equally.

Current biometric evaluation involves technology, scenario, vulnerability, security, and operational testing. Cost-benefit analysis, environment testing, human perception response, and user attitude also need to be evaluated in the future. Test results are indicative only of people in a particular environment. A hand geometry system when tested at the Sandia Labs and the nearby Kirtland Air Base produced different results in these two biometric environments.
Wayman was asked about the methods used to search through the large databases; he replied that the databases were usually partitioned on the basis of criteria like gender and, further, on some biometric characteristics. In response to a question about the vulnerability testing of such systems, Wayman pointed out that such tests were needed; he gave the example of the inability of a facial recognition system to differentiate between a human face and a photograph.

In conclusion, he reiterated the long road ahead for biometric devices and research.

NETWORK TELESCOPES: OBSERVING SMALL OR DISTANT SECURITY EVENTS
David Moore, CAIDA, San Diego Supercomputer Center
Summarized by Lou Katz

David Moore gave an interesting report on experiments with monitoring remote network events through examination of unexpected packets on some address spaces he monitors. This arrangement, a network telescope, uses a portion of the globally routed IP address space on which little or no legitimate traffic is expected. Monitoring the traffic which does arrive gives a view of certain remote events.

An analogy to monitoring with astronomical telescopes helped convey the operation and properties of a network telescope. In network monitoring, a larger address space increases the “lens size” of the network telescope, as does noncontiguous address spaces. Larger network telescopes can see shorter time durations and lower packet rates, and have a larger field of view with better accuracy for start and end times of events (e.g., Code Red spread at about 10 packets/sec). Both Code Red and global DoS attacks could be seen. The data were collected using a passive tap ahead of the net(s) being monitored.

Attackers spoof source addresses randomly, and it is this “backscatter” that is being seen at the telescope. Analysis of the backscatter could give a quantitative measurement of the DoS. Interestingly, the portion of address space monitored can affect the traffic seen, both positively and negatively, since some types of events attempt to preferentially use address spaces adjacent to their source in order to spread. It is not known how randomly these addresses are chosen. In the initial operation of the network telescope, the deployers of the attacks were unaware of the telescope. Later on, there seemed to be evidence of either deliberate avoidance of the telescope-monitored IP space or of attacks on the telescopes themselves.

Detecting an event is a function of the size of the monitored network. An /8 telescope could detect an attack in a minute or two, while a /24 might take 58 days. A /8 network can track an infection accurately, but a /16 has a time lag and the shape of the curve is wrong. On a log plot, the slope for a /16 is OK but the times are wrong. Work on deconvolving a /16 curve into the /8 curve is being pursued.

Conclusions reached so far: there are lots of attacks; some exceed 600,000 packets/sec. Most attacks are short, but there are some that are continuous for over a week. The attacks don’t seem to load the network or major peering points, but some embedded devices (routers, printers, etc.) had servers that crashed and had to be rebooted or power-cycled. A steady stream of new packets into the telescope net has been observed at about 20/hr. These are mostly TCP but there are some ICMP floods and some evidence of ICMP black-holing. Eighty percent of attacks last 10 minutes or less. Attacks seem to happen on a human time scale, with peaks at 5 minutes, 10 minutes, 30 minutes, and 8 hours (human control intervals). The victims are mostly commercial businesses, with minor efforts against home machines. There are odd peaks in .ro and .br space, which may be revenge attacks of one ISP upon another.

Code Red spread has been charted by recording machines sending TCP SYN to port 80 of nonexistent machines. Such sending machines are considered to be infected; the data show 359,000 hosts infected in 24 hours. Characteristics of the infection show that 47% of infected hosts have no reverse DNS; there were 136 .mil and 213 .gov hosts infected. Code Red II, by probing local nets, spreads very rapidly on internal nets. Most of the infected hosts were home/small business machines on cable modems.

The reappearance phase of Code Red was also observed; even though there was lots of press coverage – everyone should have known it was coming back, considerable infection occurred. Daily fluctuations were plotted by rough normalization of the IP addresses to time zones. Interestingly enough, at about 9 a.m. every day in every time zone, hosts come up; activity degraded in the evening and on weekends. A great animated map of the world, which showed the spread of Code Red as growing red splotches, was projected. Really scary to see the world mostly turn red in a very short time.

One of the problems with these measurements is that it is difficult to distinguish computers vs. IP addresses. There were a maximum of 180,000 unique IP addresses infected in a two-hour period but 2,000,000 in a week. There is a DHCP effect over long periods. Old computers get new addresses. So far they have not been able to get a good handle on NAT, and it is hard to get a good estimate.

The author concludes that network telescopes can see and give insight into non-local events; you don’t have to be there, but small telescopes can’t see certain types of small events. This is an example of surveillance without a known purpose or target; data are collected first,
and then you work backward after an event. The slides for this presentation should be available on http://www.caida.org.

ILLUSIONS OF SECURITY
Paul Kocher, Cryptography Research, Inc.
Summarized by Lou Katz

Paul Kocher gave an overview of security evaluated from the point of view of a company, such as his, which is focused on cryptography, and of the problems faced by high-risk commercial systems and big companies. The talk was a review of common problems and misconceptions and an exposition of possible rules to live by.

The standard yardstick for measuring cryptographic security, key length, does not really address the problems posed by real adversaries, who lack the propriety to limit themselves to tidy attacks such as brute force, factoring, or differential cryptanalysis. The crux of the problem is that in assessing the security infrastructure, security implies a zero tolerance for flaws in the face of software developer acceptance of bugs proportional to complexity. Since the testing side of system development can’t keep up with the complexity of the products, it is often the case that the front door is strong, but it is easy to break in through the window.

In measuring security one must consider the probability of breaking in vs. the cost of the attack. For commercial products there is a negligible probability of being very secure against creative attackers, especially since systems of exponentially increasing complexity are being created, aided by Moore’s Law, but security experts are not compensating by becoming exponentially smarter. Is there an upper bound or expected/mean resistance? What is the risk curve, and against whom are we defending? It is important to evaluate what the resistance against an initial attack might be vs. repeated attacks.

In outlining the characteristics of most flaws, complexity and component interactions were among the obvious dangers. When the evaluation of the security of a software system is to be performed, the goal is either to prove that security of the system is bad by finding a flaw, or lacking that, to do an inclusive analysis to assess the likelihood of additional security problems and to advise whether a product is worth deploying. All the while we are faced with the realities that attacking is easier than designing or verifying; and prevention/testing is hard. A very thorough evaluation is expensive, so the constraints on the evaluation process, time, budget, availability and quality of technical information, and evaluator capabilities, experience, and knowledge of the threat model can compromise the results.

Paul posited that the best work is done before the project is started, by careful definition of the target system’s security objectives and a review of the implementation details. A checklist of many single points of failure should be developed (he showed an extensive chart of these) along with a long list of reviewable information, such as the open literature, published specs, network and bus I/O, timing, power consumption, defective computations (errors in computation can be used to compromise keys), error messages, failure codes, examination of disk and memory contents, swap files, and RNG seed data. Even chip imaging should be explored. Of course adversaries might engage in illegal/questionable activities such as dumpster diving, so this must also be taken into account.

What you can include in your checklist is to conduct code reviews, which are useful but boring and hard to do in volume. Code review should include algorithms, usage considerations, and protocol analysis, specific details of which were outlined. The increasing connectedness and complexity in the system, a common source of difficulty, increases weaknesses. Exponential growth in transaction volumes means that unusual transactions are hard to break out by hand and lead to an increased use of computers to do the recognition and analysis.

Security is improved when you design for testability, even though testing is expensive. Security design goals to live by were outlined, and their expense and difficulty were not overlooked. Spend money rationally; don’t underspend or overspend on security, hire experienced people, and spend early! Avoid what doesn’t work – e.g., design by committee, which is flawed by conflicting objectives and no responsibility. Utilize committees later, as they seem to be fine in keeping a design alive after it is done.

Future directions for improving security focus on people. Vendors need to be convinced to spend on prevention. Weak systems, which allow profits from fraud, will lead to more crime, which will fund more crime. Something needs to be done about the moral hazard that there is currently little vendor incentive for security.

Some of the questions focused on the time frame for security resistance to attack – how long after a system is deployed is it usually attacked? (Others may be ahead of them in the attack queue.) Even a flawed system may be stronger than an alternative, or it may not be economically worth attacking compared to others – breakable systems may still be useful.

In summary, this useful talk, rather than providing any specific insights or giving a recipe or checklist for improving security, highlighted many useful and important concepts to consider and evaluate in designing and establishing a system’s security.
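
The detection times quoted in the network telescope summary above (a minute or two for a /8, 58 days for a /24) follow from a simple sampling model, worked through here in Python as an added example that is not from the talk or the original report. It assumes the event sends packets to uniformly random IPv4 addresses at the 10 packets/sec quoted for Code Red and uses a 95% detection confidence (an assumption chosen here); the function names and the backscatter sample are constructed for illustration.

```python
"""Network-telescope detection time and backscatter scaling (added example).

Assumptions, not taken from the talk: targets are chosen uniformly at random
over IPv4, packets are independent, and all names below are hypothetical.
"""
import math
from collections import Counter

IPV4_SPACE = 2 ** 32


def telescope_fraction(prefix_len):
    """Fraction of the IPv4 address space monitored by a /prefix_len telescope."""
    if not 1 <= prefix_len <= 32:
        raise ValueError("prefix length must be in 1..32")
    return 2 ** (32 - prefix_len) / IPV4_SPACE


def detection_probability(prefix_len, rate_pps, seconds):
    """P(at least one packet of the event reaches the telescope in `seconds`).

    Each packet lands in the telescope with probability f, so after
    n = rate_pps * seconds packets the probability is 1 - (1 - f) ** n.
    """
    f = telescope_fraction(prefix_len)
    packets = rate_pps * seconds
    # expm1/log1p keep precision when f is tiny (a /24 has f of about 6e-8).
    return -math.expm1(packets * math.log1p(-f))


def time_to_detect(prefix_len, rate_pps, confidence=0.95):
    """Seconds until the telescope has seen the event with the given confidence."""
    if rate_pps <= 0:
        raise ValueError("rate must be positive")
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    f = telescope_fraction(prefix_len)
    packets_needed = math.log1p(-confidence) / math.log1p(-f)
    return packets_needed / rate_pps


def estimate_attack_rates(records, window_seconds, prefix_len):
    """Scale observed backscatter up to an estimated per-victim response rate.

    records: iterable of (timestamp, victim_ip) for backscatter packets seen
    in one window. With uniformly spoofed sources the telescope receives a
    fraction f of the victim's replies, so the victim is answering roughly
    observed_rate / f packets/sec.
    """
    f = telescope_fraction(prefix_len)
    counts = Counter(victim for _, victim in records)
    return {victim: n / window_seconds / f for victim, n in counts.items()}


def format_duration(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


# Constructed sample: 10 seconds of backscatter seen by a /8 telescope.
# Victim addresses come from the documentation ranges (RFC 5737).
SAMPLE_BACKSCATTER = (
    [(i / 3.0, "192.0.2.10") for i in range(30)]
    + [(i * 2.0, "198.51.100.7") for i in range(5)]
)

if __name__ == "__main__":
    for prefix in (8, 16, 24):
        t = time_to_detect(prefix, rate_pps=10)
        print(f"/{prefix}: {format_duration(t)} to 95% detection at 10 packets/sec")
    rates = estimate_attack_rates(SAMPLE_BACKSCATTER, 10, 8)
    for victim, rate in sorted(rates.items()):
        print(f"{victim}: about {rate:.0f} packets/sec of responses")
```

The same scaling explains the summary's remark that a /16 sees the right slope but the wrong times: shrinking the telescope multiplies every detection delay by the ratio of the address-space fractions.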
FORMAL METHODS AND COMPUTER SECURITY
John C. Mitchell, Stanford University
Summarized by Mihai Christodorescu

Mr. Mitchell tried to span the existing gap between the formal methods and the computer security communities, because “theoreticians and coders don’t talk to each other.” The talk described several applications, the different types of formal methods, and their specific strengths and weaknesses.

A formal method is a technique to analyze a system from its description, without putting the system in motion. For example, it means analyzing executable code and trying to ascertain various properties without actually executing the code. In the big picture, formal methods are meant to help to produce good software efficiently: formal methods are precise and automatable, and they usually capture previous experience. There are several current weaknesses: subtleties are hard to formalize and the tools are cumbersome to use. Most of the formal-methods work is now focused on eliminating these weaknesses.

The goal in formal methods research is to reduce the number of unfeasible problems and extend the set of problems and properties that can be checked. Initially, formal methods were applied to hardware verification, as it has a finite number of states. Currently, program verification is the focus of most researchers, but it is not as successful as hardware verification; due to infinite state space, it can only verify simple things about programs. Computer security is itself a subset of type analysis; a well-typed program should not have security flaws.

One of the applications detailed in the talk was the verification of the Java Virtual Machine verifier, which checks Java bytecode after loading into memory and before execution. Since the verifier is the only check performed on the code before it runs, it is essential that the verifier itself is correct and implemented according to the specification. To prove the verifier’s correctness, abstract instructions were used to reduce the time and space needed in modeling the verifier. The verification of the verifier entailed two phases: verifying the behavior in the verifier specification, and checking the verifier implementation against the specification. In the second step, the research group led by Mr. Mitchell discovered several implementation bugs in the Sun JVM.

Another area of application is protocol security, which looks at simple network protocols (SSL, SSH, authentication, signing) and checks for exploitable flaws. Most of these protocols are fairly simple in their design and involve a limited number of steps. The complexity of an unbounded number of states appears when several sessions of the protocol are considered in parallel: the attacker might conduct several parallel sessions and copy messages from one to another. This area of research created several methods, some less formal (cryptographic-based proofs, Communicating Turing Machines) and harder to reuse or automate, and some formal methods (BAN & related logics, operational semantics, automatic theorem proving, symbolic search for an attack, exhaustive finite-state analysis).

Four formal methods were presented in further detail: model checking, multiset rewriting, probabilistic polynomial time, and protocol logic. Model checking was used in proving that contract-signing protocols were fair, noncoercive, and accountable. Examples of such protocols include Asokan-Shoup-Waidner and Garay-Jacobson-MacKenzie.

Multiset rewriting (MSR) is related to mathematical logic and deals with sets of facts known about the system and transition (or rewrite) rules that modify the system and the facts about the system. MSR has a simple tractable model, but it tends to overlook many things, such as initial conditions. On the upside, MSR is accurate: if an error shows up in the MSR model, the error is present in the protocol. This means that MSR can prove security of a protocol up to a certain set of assumptions but that it will not detect attacks that do not follow these assumptions. MSR usually employs a common intruder model, the Dolev-Yao model, that assumes the adversary is non-deterministic and has no partial knowledge (e.g., the adversary either has the encryption key or no key at all).

The probabilistic polynomial time (PPoly) formal method applies the concept of observational equivalence: a protocol is secure if the adversary cannot distinguish its trace from a trace of some idealized version of the protocol. This way, PPoly specifies security by comparing the protocol to a zero-knowledge protocol.

In conclusion, formal methods provide very powerful tools for verifying certain security properties. Most useful right now is the checking of a not too complicated property about a not too complicated protocol or piece of code. The goal of formal methods research is to extend the range of feasible analysis, while keeping them automatable.

“HOW COME WE STILL DON’T HAVE IPSEC, DAMMIT?”
John Ioannidis, AT&T Labs–Research
Summarized by George M. Jones

The moderator informed us that “John wants this to be a slugfest . . . so reach deep down inside and find your inner Peter Honeyman.”

John Ioannidis then told us that we were really getting four or five talks for the price of one: this talk would mostly work as “How come we still don’t have {PKI, IPv6, Mobile-IP, DNSSec, secure email}, dammit?”

He started the talk by contradicting his own title: “We sort of do have IPSec . . .
the question is, why isn’t anyone using it?” The rest of the talk was structured around a series of interrogatives.

What is IPSec?
IPSec is a network layer security protocol for IP. It means different things to different people. To some, it’s just the wire protocols; to others, it also includes key management, GUIs, and tools.

Why IPSec?
IPSec provides end-to-end communications security at the network layer. It addresses authentication, integrity, and confidentiality. It does not address authorization, privacy, non-repudiation, or perfect forward secrecy.

Why network layer?
The network layer is the choke-point. Putting security in the network layers allows both higher and lower layer protocols to use it. “The seven-layer model is a bit of poison left over from OSI.”

What are the benefits of IPSec?
Link encryptors become obsolete. IPSec provides link security to applications “for free.” Applications don’t need to do their own link security. IPSec allows decoupling of security policies and centralization of management.

While IPSec . . .
During the decade-long saga of defining and deploying IPSec, other security technologies sprang up that may not have been necessary if IPSec were deployed. Among these were the Clipper chip (1993), SSL (1995), SSH, firewalls (“bad”), NAT (“very bad”), and layer-4 re-directors.

Why isn’t IPSec? Part I
It’s taking too long. SSL and SSH removed the urgency. There are many incompatible implementations. There is no agreement on key management. “OK, we’ll just deploy it with IPv6. . . .” Other IETF working groups “rolled their own.” “It’s all a mess.”

Where is IPSec?
“Everywhere and nowhere”: *BSD, Linux (Free S/WAN), Solaris, Win2K, VPNs, remote access, academic research.

How is IPSec?
The wire protocols are here and work perfectly. IKE still doesn’t have interoperability; there are about 8,000 option combinations. There are no standard APIs. Policy support is rudimentary.

Why isn’t IPSec? Part II
IKE is too complex to implement. The docs stink. The configuration of key management and policy are smooshed together. There is no good remote key management and distribution. There is no good evangelizing. Ioannidis informed us that “evangelize,” in Greek, means “to bring a good message,” but do we have a “good message”?

Why isn’t IPSec? Part III
We still have problems integrating with RADIUS, Diameter, and Tokens. We don’t have a good PKI. Most of the Internet edge is Windows.

“Trying to configure IPSec for Windows has been one of the most harrowing experiences of my life, and I live in NYC!!! There is no good command line interface for Windows IPSec. What good is running a secure protocol on an insecure operating system?”

Whither IPSec?
NAT is an abomination. NAT is broken . . . but I can buy a NAT box for less than $100 and plug in lots of hosts with one IP address now. We need to standardize remote access. We need to work on the APIs. We need better configuration management tools – not just pretty GUIs but something that scales to thousands of systems; these tools just don’t exist. We need to play nice with other protocols and host routing. We should work on opportunistic IPSec (Free S/WAN). VPNs are going to be the largest user of IPSec for some time to come. Ubiquitous IPSec would challenge the current firewall model by defining “inside” vs. “outside” with keys, not topology (see Bellovin paper of two years ago). But none of this is any use in the face of buffer overflows and viruses.

What to do?
Questions and answers (“Let the games begin.”)

Ioannidis got his slugfest, thanks to Microsoft (and his own misunderstandings):

(Dan Simon, Microsoft Research) Q: Perhaps the problem is in the wine-glass model. People want to secure things that IPSec doesn’t secure. IPSec started out securing everything and wound up securing nothing.

A: Perhaps we need an N-layer shadow security stack with security at each layer . . . but avoid encrypting N times.

(Dave LeBlanc, Microsoft) Q: We are using IPSec on thousands of machines. We find it quite manageable. We’re not going around setting it up on every machine.

A: There are these things called standards; maybe you’ve never heard of them.

LeBlanc: There is a command line interface, RTFM.

A: Send me a pointer. I don’t have a language problem.

[Editor’s note: Microsoft uses Active Directory to make this work internally. When I asked Ioannidis months later, LeBlanc still had not provided a URL].

Q: Have you heard about IKE2, JFK, other work at IBM?

A: Yes. I’m one of the authors. A smaller protocol with fewer options was one of the goals and results in fewer lines of code, fewer bugs, better security; simplicity of the spec was the driving force. When you see the doc, we hope it will be unambiguous.
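
The remark in the IPSec talk above that ubiquitous IPSec would define “inside” vs. “outside” with keys, not topology, can be made concrete with a short added example (not from the talk or from this report). The packet layout is a simplified stand-in for an ESP-style integrity check, and every address, SPI and key in it is a constructed sample value.

```python
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

# Constructed sample prefix standing in for "our internal network".
INSIDE_PREFIX = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    """Simplified ESP-like packet (assumption: not the real wire format)."""
    src_ip: str
    spi: int        # selects the security association (SA)
    seq: int
    payload: bytes
    icv: bytes      # integrity check value


def compute_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA-256 over SPI, sequence number and payload, truncated to 16 bytes."""
    header = struct.pack("!II", spi, seq)
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:16]


def seal(key: bytes, src_ip: str, spi: int, seq: int, payload: bytes) -> Packet:
    """Build a packet the way a key holder would."""
    return Packet(src_ip, spi, seq, payload, compute_icv(key, spi, seq, payload))


def topology_admits(pkt: Packet) -> bool:
    """Perimeter-firewall view: 'inside' is whatever claims an inside address."""
    return ipaddress.ip_address(pkt.src_ip) in INSIDE_PREFIX


class KeyedPerimeter:
    """Key-based view: 'inside' is whoever holds the key of a known SA."""

    def __init__(self, sa_keys: dict):
        self._sa_keys = dict(sa_keys)

    def admits(self, pkt: Packet) -> bool:
        key = self._sa_keys.get(pkt.spi)
        if key is None:  # unknown SPI: no SA, no trust
            return False
        expected = compute_icv(key, pkt.spi, pkt.seq, pkt.payload)
        return hmac.compare_digest(expected, pkt.icv)


def classify(pkt: Packet, perimeter: KeyedPerimeter) -> tuple:
    """Return (admitted by topology rule, admitted by key check)."""
    return topology_admits(pkt), perimeter.admits(pkt)


def demo() -> dict:
    laptop_key = bytes(range(32))  # constructed key
    perimeter = KeyedPerimeter({0x1001: laptop_key})

    # Legitimate host on an outside address (e.g. a roaming laptop).
    roaming = seal(laptop_key, "203.0.113.7", 0x1001, 1, b"GET /payroll")
    # Claims an inside address but does not hold the key.
    spoofed = Packet("10.1.2.3", 0x1001, 2, b"GET /payroll", b"\x00" * 16)
    # Valid packet whose payload was altered in transit.
    tampered = Packet(roaming.src_ip, roaming.spi, roaming.seq,
                      b"GET /admin", roaming.icv)
    return {
        "roaming": classify(roaming, perimeter),
        "spoofed": classify(spoofed, perimeter),
        "tampered": classify(tampered, perimeter),
    }


if __name__ == "__main__":
    for name, (topo, keyed) in demo().items():
        print(f"{name:9s} topology={topo!s:5s} keyed={keyed}")
```

The two rules disagree on exactly the cases that matter: the address-based rule rejects the legitimate roaming host and accepts the spoofed source, while the key-based rule does the opposite.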
IMPLICATIONS OF THE DMCA ANTI-CIRCUMVENTION FOR SECURITY, RESEARCH, AND INNOVATION
Pam Samuelson, University of California at Berkeley
Summarized by Mihai Christodorescu

Ms. Samuelson presented an overview of the DMCA and its implications for research, focusing specifically on computer security research. The presentation first covered the rules part of the DMCA, followed by actual cases where the DMCA was used, and closed with possible legal alternatives. The DMCA makes illegal the circumvention of technical measures, with several exceptions, and the circumvention of access controls, with no exceptions (not even for fair use). It was noted that Congress enacted the DMCA as a blanket law with exceptions in place, instead of a less restrictive law that would enumerate illegal actions. The exceptions are very complex and very narrowly defined. The interoperability exception, meant to allow data exchange between programs from various vendors, is present, but with no indication whether circumvention to gain information useful in attaining interoperability is allowed. The exception for cryptographic research imposes several burdens on the researcher: he or she must be a lawful acquirer of an encrypted copy, must get permission to research from the copyright owner, and must have a Ph.D.

The DMCA bans the making and distribution of tools that bypass access controls and copy controls, with the exception of reverse-engineering tools necessary for building interoperability. The problem is in determining the boundary between a description of a technique and a tool implementing that technique. It is unclear whether distributing information (through a Web site, for example) on circumventing a given technical measure is “as illegal as” creating and distributing a tool that performs the circumvention. The Ed Felten vs. RIAA case over the watermarking schemes proposed for safeguarding digital music brought up the question of whether presenting a result at a conference is a circumvention device. In the same case, the exception for cryptographic research could not be applied, as watermarks are not usually considered cryptographic research. Thus, Congress might have created an overly narrow exception, but in the current form of the DMCA, it is up to the court to decide what cryptographic research means.

Another point of contention in the DMCA is the definition of access controls. Tools circumventing access controls are illegal to make or distribute. In many cases, the lawyers forced some technical measures to be considered as access control measures, and thus made them illegal to circumvent. For example, the region-coding of DVDs or the encoding of console games for certain markets are technical measures meant to control the market – these measures overreach and prevent owners of legal copies to use them as they wish (a US citizen cannot play games bought in Japan). The effect is not only limiting to users of the technology but also to competing technologies. Sony v. Connectix and Sony v. GameMaster illustrated how access controls (e.g., country codes) can be used in an anti-competitive fashion to shut down competing products that bypass access controls, even without allowing piracy.

In the various cases where DMCA was applied (RIAA v. Felten, US v. Sklyarov, HP v. SnoSoft, Microsoft v. Huan, Edelman v. N2H2, Sony v. Connectix v. Bleem, Sony v. GameMaster, RealNetworks v. Streambox, Universal v. Corley, DeCSS), mixed results have emerged from the courts’ interpretations of the law. On one hand, the courts have decided programs were protected as speech by the First Amendment, regardless of the form of the program (source or object code). On the downside, fair use rules were not considered applicable to tools that allow both good and bad uses (e.g., DeCSS can be used to play legally acquired DVDs on Linux but can also be used to pirate DVDs). What is worse, the interoperability clause was almost forgotten, with the access control rules overriding any exception – this can lead to legally sanctioned control of data formats.

While it is not the “worst law in the world” (other countries are considering or already have stricter laws), the DMCA is only a stepping stone toward more restrictive laws and more restrictive technologies (CBDTPA, TCPA, Palladium). What the research community can do is to act through established channels to influence the lawmakers and make its case heard: support EFF, write your congressional representatives, participate in ACM and IEEE policy-making. There is also an upcoming conference on law and policy of digital rights management at Berkeley, Feb. 27 – Mar. 1, 2003. The Q&A session focused on two topics: how did the content industry manage to get the DMCA enacted? By using a catchy slogan – “piracy must stop” – and lots of lobbying $$$. The second question was what can the computer industry and academia do? Rally behind a strong clear theme and lobby policy makers.

SPECIAL EVENING PANEL ON PALLADIUM
Lucky Green, Cypherpunks; Peter Biddle, Microsoft; Seth Schoen, EFF
Summarized by Seung Yi

First, Peter Biddle provided a brief overview of Microsoft’s approach for the trusted computing project named Palladium. Palladium is an architecture to protect software from other software (even Windows :) and provide a trusted computing platform. Palladium is a security architecture that will be deployed with newer versions of Windows running on machines with tamper-proof hardware components as described in TCPA. Based on this trusted component or Secure Computing Platform (SCP), as Microsoft names it, authenticated booting procedure and
SCP acts as the core of a security architecture that even the machine’s owner cannot bypass. By relying on SCP and other trusted software components built on top of SCP, there are certain parts of the operating system that can be trusted by third parties, and with this capability Microsoft claims to be providing trusted computing. More details on Palladium can be found in an article by Seth Schoen at http://www.activewin.com/articles/2002/pd.shtml. Also, Microsoft has a Q&A on Palladium available at http://www.microsoft.com/presspass/features/2002/jul02/07-01palladium.asp.

Lucky Green was our second speaker. He used his slides to present the concern he had with the proposed TCPA/Palladium architectures. Basically, his points are:

1. TCPA/Palladium is driven by the vendors to make the PC the core of home entertainment by providing a tamper-proof support for digital rights management (DRM), although it is carefully marketed as the solution for trusted computing.

2. TCPA/Palladium can be used to stifle competition that does not have such support. Green gave an example of Windows vs. Linux today. Even though a user can install Linux on a system, there are certain things that can’t be done unless the user also installs Windows. By the same logic, it will be still possible to use a TCPA-equipped PC without installing Palladium OS or other similar operating systems, but the user will not be able to access digital music, digital movies, or even her/his own Word file protected by TCPA. Green pointed out a couple of potential abuses of such systems, not surprisingly things not mentioned in the Palladium specification. By invalidating access to Word documents, for example, the vendor can force the users to buy a newer, accessible version of Word. An OS vendor may be able to block certain “undesirable” applications from running on any user’s machines. Green’s slides are available at the Cypherpunks Web site at http://www.cypherpunks.to.

Seth Schoen maintained a somewhat neutral position between Peter Biddle and Lucky Green, pointing out the potential benefits of the proposed architectures and some concerns.

One of the biggest concerns expressed by members of the audience was the possibility of Palladium being used as a DRM platform or, even more alarming, the base platform to implement a 21st-century Big Brother capability. There were also a couple of questions on what part of these proposed architectures is actually new. Most of the concepts proposed in the architectures were already proposed and implemented a couple of decades ago in trusted computing base efforts like KSOS.

For those who wish to learn more about the issue, Ross Anderson provides a nice FAQ on TCPA/Palladium at http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html.

Steven Levy wrote an article on the issue in MSNBC/Newsweek, which is available at http://cryptome.org/palladium-sl.htm.

Panelists also pointed the audience to the discussions on two mailing lists: cryptography@wasabisystems.com and cypherpunks@lne.com. Archives of these two mailing lists are available at http://www.mail-archive.com/cryptography@wasabisystems.com/ and http://www.inet-one.com/cypherpunks/.

REFEREED PAPERS
OS SECURITY
Summarized by Prem Uppuluri

SECURITY IN PLAN 9
Russ Cox, MIT; Eric Grosse, Rob Pike, Sean Quinlan, Bell Labs; Dave Presotto, Avaya Labs

This won the Best Paper award. The chair of the session noted, interestingly, that the three authors who were at Lucent when the paper was published are still at Lucent.

Russ Cox emphasized that the main contribution of this paper is a simple security architecture built on a small trusted code base that is easy to verify, understand, and use. The security architecture was developed for the Plan 9 operating system of Lucent Bell Labs.

The authors believe that the main security concern in a system is not the protocols or the algorithms. Instead, buggy servers, confusing software, and poor configurations are usually responsible. Hence, the emphasis of the paper is on the design of a simple security architecture, rather than the algorithms and protocols used, though they have been described for concreteness.

The main component of their architecture is an agent called factotum (derived from the proverbial servant who has the power to act on his master’s behalf and has all the keys to the master’s possessions). Factotum is built on the same idea as an SSH agent – each user has a factotum process that is responsible for the user’s keys. A factotum effectively takes over responsibilities such as authentication and security interactions with other processes. It thus “frees” other software from dealing with these issues. Cryptographic code is no longer compiled with programs but is handled by the factotum, thus allowing for easy updates to crypto software.

An important security consideration is the storage of the secure keys. Factotum stores the keys in the volatile memory, and so the keys need to be backed up. Storing the key encrypted on a shared file system is possible as long as the keys are not the authentication keys. Encrypting the keys with a user password is also not a good solution, since an attacker can use a dictionary attack to break the key. Hence, the authors describe secstore, which is a file server for encrypted data. secstore is based on an encrypted key exchange called PAK.
The paper also describes other security issues, such as protecting factotum from debuggers.

Despite its advantages, there were a few problems. A person from Mitre Corporation asked whether choosing a poor password made factotum susceptible to a dictionary attack. The speaker acknowledged that it did. Another issue, raised by Whitfield Diffie from Sun Microsystems, was whether the architecture could be easily added to UNIX. The authors conceded that it is difficult to add to the existing operating systems but presented an argument that the ideas behind the architecture described can be used in other OSes.

LINUX SECURITY MODULES: GENERAL SECURITY SUPPORT FOR THE LINUX KERNEL
Chris Wright and Crispin Cowan, WireX; Stephen Smalley, NAI Labs; James Morris, Intercode; Greg Kroah-Hartman, IBM Linux Technology Center

LSMs were designed to compensate for the poor security provided by the Linux kernel, which is the same as the classical UNIX security model, in which root is all-powerful. The main goal of the project is to create a security module API that has low overhead (acceptable to Linus, whom Chris Wright called the “dictator”), is minimally invasive, and satisfies the disparate needs of many security projects.

LSM started in April 2001 and involves over 550 people. It basically provides a framework to implement access control models as pluggable kernel modules.

The main design issues that were considered in the design of LSM included: (1) interposing at a level deeper than system-call level, (2) providing a thin mediation layer called hooks that is agnostic with respect to the security model, (3) making LSM restrictive by allowing a module to either allow or deny an access, and (4) allowing module stacking.

In justifying these design decisions, the authors pointed out that system calls, while a natural choice for interpositioning, are inefficient and may lead to race problems. Hence, they decided to go deeper into the kernel. In particular, LSM provides an interface that allows modules to interact with internal kernel objects. LSM allows a subject to perform a kernel operation on an internal object by placing hooks in the kernel code just ahead of the access to a resource through the system call. LSM is restrictive in its hooks in that a security module intercepting the hooks can either allow the access or deny it. In order to keep the design simple and minimally invasive, the LSM project is limited to supporting core access control functions required by the current security projects. Sometimes security policies need to be composed. The design of LSM forces the decision on how to compose policies on the modules.

The rest of the paper describes the implementation of LSMs. Finally, the speaker concluded that LSM is efficient, producing about 0–2% overhead in micro-benchmarks and 0–0.3% in macro-benchmarks. Currently, LSM is being merged into Kernel 2.5 and the interface is being refined as pieces are submitted to Torvalds. The work is available at http://lsm.immunix.org.

There were questions in the audience as to whether any sanity checks were performed for the modules. The speaker said that code reviews and verification of modules were being done by others.

USING CQUAL FOR STATIC ANALYSIS OF AUTHORIZATION HOOK PLACEMENT
Xiaolan Zhang, Antony Edwards, Trent Jaeger, IBM T.J. Watson Research Center

Xiaolan Zhang discussed the use of a static analysis tool, CQUAL, in verifying LSM authorization hook placement. This work revealed potential vulnerabilities in LSM.

Xiaolan first gave a description of a vulnerability in the security hook security_ops->file_ops->llseek(file) as a convincing reason for the need to verify.

She then described the aim of the work, which was to verify the following two problems: complete mediation and complete authorization. For the former, verification involves checking that whenever a user tries to control a resource, some LSM authorization hook mediates. The latter involves verifying that the set of requirements necessary for prior mediation in the authorization process are met in all the paths to the operation that seeks to control the object.

In case of complete mediation, the authors label the resource to be accessed as a controlled object and the operation accessing the resource as a controlled operation. In order to verify that an LSM authorization hook is executed on a controlled object, before it is used they first identify the controlled objects as, for example, files, inodes, superblocks, tasks, or modules. They then use static analysis to associate the authorized object with those used in the controlled operation. In the next step, they identify all possible paths to the controlled operation. They use typical C semantics. All inter-procedural paths are defined by call graphs, and among these paths they identify those that are needed for analysis.

The authors use CQUAL, a type-based static analysis tool that helps find bugs in C programs. As a first step, the authors annotate the data structures in the program with one of two types: unchecked and checked. In particular, all the controlled objects are initialized to the type unchecked, while all function pointers used in a controlled operation are marked as checked. Authorizations
upgrade the object’s type to checked. Since the source code is large, annotation by hand was not feasible. Hence the authors extend GCC and use a set of Perl scripts to annotate the code automatically. Type errors indicate possible vulnerabilities.

Using the above techniques they were able to find a couple of exploitable CQUAL type errors. They also had a large number of false positives.

Asked whether there could be other vulnerabilities that may have been missed, the speaker replied that they had some confidence in the result since the approach was generic and wasn’t designed to find any one particular error. Another question was on whether the flow insensitivity of CQUAL was a deterrent. The speaker replied that flow insensitivity only increases false positives and does not result in false negatives. The last question was how the work handled function pointers. This was done by manually annotating function pointers in headers. CQUAL can detect function pointers that have been assigned to some variables.

INTRUSION DETECTION/PROTECTION
Summarized by Haining Wang

USING TEXT CATEGORIZATION TECHNIQUES FOR INTRUSION DETECTION
Yihua Liao and V. Rao Vemuri, University of California, Davis

Yihua Liao presented a new approach to modeling program behavior in intrusion detection by using text categorization techniques; this approach eliminates the need to build program behavior databases or learn individual program profiles.

In his talk, he briefly described text categorization, in which text documents are grouped into predefined categories based on their content, and its usage in information retrieval. The vector space model is used to transform documents into vectors. A word-by-document matrix A is used for a collection of documents, where each entry represents the occurrence of a word in a document and can be computed in several different ways – weighting, frequency (f) weighting, and term frequency–inverse document frequency (tf-idf) weighting. They used as a machine-learning method the k-Nearest Neighbor (kNN) classifier, which calculates the similarity between an unknown document and training samples and looks at the class labels of k-nearest neighbors to predict the class of the unknown document.

To profile a program behavior in a much more general and efficient way, the authors treated each system call as a “word” and the set of system calls generated by the process as the “document.” Each process is converted to a vector, and the intrusion detection becomes text categorization. Based on the kNN classifier, the program behavior is classified into different categories, which determines normal or intrusive. The advantages include limited system-call vocabulary so that no dimension reduction techniques are needed; use of simple binary categorization; and, as mentioned above, no individual program profiles to learn.

The experiments for testing the kNN classifier were conducted over a 1998 DARPA BSM data set, which provided a large sample of network-based attacks embedded in normal background traffic. The performance of kNN classifier with the tf-idf weighting technique was measured by the Receiver Operating Characteristic (ROC) curve that plots intrusion detection accuracy against false positive probability. The results show that k=10 is a better choice than other values for achieving a faster detection rate. Also, they compared the tf-idf with f weighting techniques. Although f weighting achieved a higher initial detection rate, tf-idf weighting reached the 100% detection rate much faster. To detect attacks more effectively, the kNN anomaly detection can be easily integrated with signature verification.

DETECTING MANIPULATED REMOTE CALL STREAMS
Jonathon T. Giffin, Somesh Jha, Barton P. Miller, University of Wisconsin, Madison

Jon Giffin’s talk covered how to detect destructive system calls issued by remote execution systems such as Condor and Globus. The detection was based on the pre-execution static analysis of the binary program, in which specifications were automatically generated. A model representing all possible remote call streams that the process could generate was built. As the process executes remotely, the local machine builds optimizations into the model incrementally, ensuring that any call received remains within the model.

The model is a finite-state machine – either a non-deterministic finite-state automaton (NFA) or a push-down automaton (PDA). The construction of the automaton is accomplished in three stages: by (1) deriving the control flow graph (CFG) from each procedure in the binary program; (2) converting the collections of CFGs into a collection of local automata; (3) composing these local automata at points of function calls internal to the application, and then generating the interprocedural automaton that models the application as a whole.

Two metrics determine the usefulness of the model: precision and efficiency. To improve precision, null-call insertion and call-site renaming techniques are employed. To improve efficiency, stack abstractions and null-call insertion are used. During their prototype implementation, they observed that PDA is more precise than NFA because it provides context sensitivity. However, PDA has a state explosion problem – a stack may grow to be unbounded, leading to high overhead. To solve this problem, the
maximum size of the runtime stack is bounded.

Finally, Jon summarized his talk by highlighting the important ideas of the paper: (1) specifications are generated automatically from binary code analysis; (2) a finite-state machine is built that models correct execution; (3) the pushdown automaton (PDA) is precise but suffers high overhead; (4) a bounded PDA stack and null calls make the use of a precise PDA model possible.

TYPE-ASSISTED DYNAMIC BUFFER OVERFLOW DETECTION
Kyung-suk Lhee and Steve J. Chapin, Syracuse University

Kyung-suk Lhee gave an introduction to buffer overflow attacks, especially the well-known stack-smashing attack: the return address of a function is overwritten so that the malicious code is injected into the stack, and so the control flow is directed to the malicious code when the function returns. The key idea of the proposed scheme is that a table in the executable file is built at compile time since the size of the buffer can be known, and the sizes of buffers are checked with the table at runtime.

Kyung-suk presented an overview of their implementation, in which they: (1) built the “type table” that holds types (sizes) of automatic and static variables; (2) maintained heap variables in a separate table by intercepting malloc(); and (3) looked up the “type table” to check buffer size using wrapper functions for the vulnerable copy functions in the C library. The prototype was implemented by extending the GNU C compiler on Linux. Each object file was augmented with type information, leaving the source code intact. To delay making the “type table” until runtime, each object file was given a constructor function “ctor” to build the type table. The range checking was done by a function in a shared library.

Their implementation is transparent since source files are unmodified, and programs are compiled normally using the supplied makefile in the source distribution. Type table–appended object files are compatible with native object files. Protected buffers cannot be overflowed or exploited. Moreover, compared with other approaches, this one is harder to bypass and faster than comprehensive range-checking techniques.

The limitations of the scheme include the following: (1) there are two cases where they cannot determine the size of an automatic buffer: buffers allocated with alloca(), and variable-length arrays; (2) the scheme is unable to determine the type of function-scope variables; (3) it is vulnerable to attacks that do not depend on the protected C library functions; and (4) it cannot protect the parameters of the function that defines a nested (function-scope) function. (The fourth point was not mentioned in the paper.)

ACCESS CONTROL
Summarized by Michael Hohmuth

A GENERAL AND FLEXIBLE ACCESS-CONTROL SYSTEM FOR THE WEB
Lujo Bauer, Michael A. Schneider, and Edward W. Felten, Princeton University

Lujo Bauer presented a new access-control system for Web services. He said that there are already many access-control systems that protect an increasing amount of private data, such as photos or medical records. The problem with existing solutions is that many implement only a simple, fixed application-specific policy, and because of that it is hard to express more complex policies or to get these mechanisms to interoperate.

The authors suggest a new, flexible, and general solution that is application- and policy-independent based on proof-carrying authorization (PCA). In this system, clients submit to the Web server all facts that are required to prove that the client is allowed to access a Web page, formulated in higher-order logic. In addition, the client submits a proof of the propositions that are needed before it can access the server. This moves the (generally undecidable) problem of proving the propositions from the server to the client. The server only needs to check the proof (which is decidable), and the client can construct the proof using application-specific, decidable logic.

In their implementation, the authors modified a standard Web server using applets for generating propositions and for checking client-submitted proofs. On the client side, they use an HTTP proxy that hides all server transactions from the standard Web browser. This proxy handles proof challenges from the server by trying to construct proofs for them. If it is missing facts required for constructing the proof, it asks fact servers (which are specialized Web servers). Bauer said the proxy could be integrated into the browser as a plug-in, but they wanted it to be as browser-independent as possible.

Bauer presented performance results for their system. As the performance is bound by the number of transactions between clients, fact servers, and Web servers, the system uses caching and speculative proving to avoid unnecessary transactions. Clients cache protected URLs and facts and try to guess and speculatively prove the server’s challenges before the server actually generates them. Servers cache proven propositions and client-generated lemmas. As a result, the performance overhead of the system is promising.

Bauer concluded the talk with the statement that formal tools and methods have a place in the real world.

Jonathan Shapiro (Johns Hopkins University) asked how one would deal with
revocation of facts in the light of caching. Bauer answered that facts can have a timeout by including a reference to the current time.

Another audience member asked whether submitting endless unfinished proofs to the server would be a potential DoS attack on the system. Bauer affirmed but said that a similar attack existed with previous systems, and now that the server does not have to prove access propositions itself, it had, in a sense, “less to do” than previously.

Another question was whether access policies have to be stored in the server. Bauer answered that was convenient but not required.

ACCESS AND INTEGRITY CONTROL IN A PUBLIC-ACCESS, HIGH-ASSURANCE CONFIGURATION MANAGEMENT SYSTEM
Jonathan S. Shapiro and John Vanderburgh, Johns Hopkins University

Jonathan Shapiro presented OpenCM, a new configuration management system designed to support high-assurance development in open source projects.

Shapiro started his talk with the question: what is configuration management (CM)? He proposed two different answers that he deemed too limiting (it keeps track of versions of files or collections of files) before he presented his answer: a CM system should keep track of “lattices of DAGs of attributed BLOBs” (i.e., relationships between file-version trees) and bindings from file versions to names in a workspace, together with file metadata.

The authors started developing a new CM system because they needed support for developing an operating system (EROS) that can be certified by the highest of the Common Criteria assurance levels, EAL7 (comparable to the former orange-book level A1). This assurance level requires software development to be traceable, auditable, reproducible, and access-controlled, and it also requires high data integrity. As EROS is developed as an open source project, additional requirements were that the CM system needs to support many contributors, but not all of them should have write access to the main repository. Aside from the fact that no existing CM system supports all of these requirements, Shapiro also mentioned the need for a CM system that “actually worked” and that existing commercial offerings did not support the open source development model very well.

OpenCM is designed to protect against such threats as modifications (of the source code repository) by unauthorized users, modifications from compromised clients, compromises through the underlying operating system, impersonation of a source repository, and falsification of repository content. OpenCM reaches these goals by establishing a chain of integrity and authorization for each change request, and by using transactions to commit changes to the repository.

Shapiro explained that the key idea for meeting the integrity requirement was to realize that most of the objects a CM system stores (such as file contents of a particular revision) never change (because of its archival character); he referred to these objects as frozen objects. Therefore, the cryptographic hash of a frozen object’s contents also never changes and can be used as a name to reference the frozen object. Whenever such a name is de-referenced, the contents of the object can immediately be checked for integrity. The integrity of mutable objects is ensured by cryptographic signatures.

A transacted change to the repository is reduced to the addition of new data as frozen objects and the atomic revision of a single mutable object, the branch to which the change is committed. Access to mutables is controlled using access-control lists.

Shapiro then identified a number of possible weaknesses of OpenCM: content compromise using a stolen repository-server key, history disclosure using exposed hash names of previous versions, and separate evolution of database and client-server protocol schemas. He proposed solutions or recovery possibilities for each of these problems.

Shapiro concluded his talk with a demo of OpenCM running on his laptop.

Petros Maniatis (Stanford) asked whether more than one server can be authoritative for a given repository. Shapiro answered that OpenCM does not support this mode of operation, as distributed updates to a single repository would be unfeasibly complex. However, changes can be committed to a (nonauthoritative) replicated repository and merged into the authoritative repository later.

An audience member asked whether changes should be signed. Shapiro replied that they shouldn’t, but that the subject would be too complex to discuss as part of his talk. He suggested taking the issue offline.

Richard Wash (CITI Michigan) asked what would happen if two nonidentical frozen objects happened to have the same content hash. Shapiro said that a hash collision would be noticed but could not be recovered from. He said that such a collision would be extremely unlikely, though.

HACKS/ATTACKS
Summarized by George M. Jones

DEANONYMIZING USERS OF THE SAFEWEB ANONYMIZING SERVICE
David Martin, Boston University; Andrew Schulman, Software Litigation Consultant

This paper presented an analysis of the SafeWeb anonymous Web browsing service. The anonymizing service was halted in November 2001.
The goal of the service was “to help oppressed international users” who wanted to view Web content that their country/organization/ISP/etc. prohibited. It also had appeal to corporate and home users. Requirements appear to have been speed, ease-of-use, unmodified content, and no client-side modifications or settings.

The main method employed was to disguise the connection so that all browsing was proxied through HTTPS connections to SafeWeb.com. Both URL and contents were encrypted. Possible attacks were presented. Some involved sending content (JavaScript) that induced the browser to go directly to the source Web site. SafeWeb’s rewrites were not perfect.

Some conclusions: SafeWeb took the wrong default stance by blocking known bad (e.g., JavaScript) elements and allowing all else. Its use openly defied local policies/laws.

VERISIGN CZAG: PRIVACY LEAK IN X.509 CERTIFICATES
Scott G. Renfro, Yahoo!

Scott Renfro examined VeriSign’s CZAG extension as an example of embedding sensitive information into X.509 certificates. He then considered the general case of sharing certified information with multiple parties.

In 1997 VeriSign asked end users to (optionally) include country, zip, age, and gender (CZAG) information when registering for class one certificates. Users assumed that this information would be kept private and only shared with trusted parties. But there were problems. It was protected only by weak encryption (XOR), there was no revocation enforcement, it was available in a public LDAP directory, indexed by email, and easy to crawl.

Next, Renfro listed goals, design constraints, and possible alternate implementations for allowing certificate authorities to share sensitive information without unnecessary disclosure. The “most obvious” solution is to keep sensitive information in a centralized database which responsible parties can query with their own credentials. Another option would be to use better key management and stronger encryption for sensitive information. A third set of options involves various methods of putting control of sensitive information in the user’s hands, departing completely from the X.509 certificate approach.

HOW TO 0WN THE INTERNET IN YOUR SPARE TIME
Stuart Staniford, Silicon Defense; Vern Paxson, ICSI Center for Internet Research; Nicholas Weaver, University of California at Berkeley

Paxson gave very plausible visions of Internet attacks to come based on recent experiences with Code Red and Nimda and made the case for the creation of a “cyber Center for Disease Control (CDC).”

“What could you do if you owned a million hosts?” Launch DDoS attacks, wipe out disks, rummage through email and credit card databases, crack passwords, send “trusted” messages, stage cyberwarfare between nations or acts of outright terrorism.

“How do you own a million hosts?” Short answer: worms. The Morris Worm owned 10% of the Internet. Code Red (2001) peaked at an infection rate of 1900 infections/minute. Monitoring of two class B networks showed 300,000 infected hosts. The larger the vulnerable population [read: IIS install base], the faster it spreads. Nimda spread itself several ways, including by looking for back doors installed by Code Red. “These viruses form an ecosystem.”

“We couldn’t resist designing better worms,” Paxson said and then outlined several methods future worms could use to spread quickly by intelligently splitting up scans of the IP address space. Peer-to-peer networks and “contagion” worms present other fruitful methods of spreading malicious code. “If you have the entire hit list [vulnerable hosts] and infected a few and divide up the list, then it is possible to infect 1M-10M hosts in seconds. These time-scales are way beyond human response.”

So what’s the answer? A “cyber CDC” that would identify outbreaks, coordinate response, do rapid analysis, help resist infection, watch traffic, set strategic direction, and foster research. “This may sound hard, but what’s the alternative?”

Q: What are you proposing beyond CERT/FIRST?

A: Automated response, instant analysis.

Q: How seriously do you take the threat of embedding viruses in pictures and other file types?

A: Nonexecutable files are probably not a significant worry.

Q: Do we have a need for more centralized analysis of worms?

A: This is very ripe for research. Open community analysis has been very helpful . . . but we still don’t know what Nimda does.

Q: Can you comment on the use of worms to patch security holes?

A: That seems like a non-starter. There is a very large liability issue.

SANDBOXING
Summarized by Prem Uppuluri

SETUID DEMYSTIFIED
Hao Chen, David Wagner, University of California at Berkeley; Drew Dean, SRI International

Hao Chen addressed a critical problem with the use of UID-changing calls, asserting that setuid and seteuid suffer from many flaws. They are poorly
designed, lack proper documentation, are widely misunderstood and, hence, misused by programmers. As an example he pointed out that the system call setuid(0) (setuid to root) shows different behavior in Linux and BSD. In Linux it sets only the UID to 0, whereas in FreeBSD it may set all three UIDs – SUID, UID, and EUID – to 0. Another problem he illustrated was that sometimes the UID-changing calls may not actually succeed. For instance, the system call seteuid(geteuid()) seems like an identity function and so is expected to succeed, but may not necessarily do so.

To address such problems, the authors studied the kernel sources for these calls and then compared the precise semantics of the calls across Linux, Solaris, and FreeBSD. They did this by constructing a formal model of user IDs as a finite-state automaton (FSA). This FSA helped them find some of the pitfalls of the UID-changing calls and also helped them identify the semantic differences of these calls across the three operating systems.

The authors describe the model-extraction algorithm which constructs an FSA. The states of the FSA contain the values of UID, SUID, and EUID. A transition is labeled with one of the UID-changing calls. From each state there is one transition labeled with each UID-changing call. Each transition leads to a state which contains the values of the three UIDs after the execution of the UID-changing call associated with the transition.

Using the finite automaton they built, they were able to verify a number of inconsistencies: a man page of RH Linux 7.2 fails to mention setuid capability and a man page of setreuid in FreeBSD 4.4 mentions incorrectly that unprivileged users may change real UID to effective UID. They were also able to identify that the implementations of the calls across the operating systems were different.

At the end of the paper, they provide guidelines to the proper use of these system calls. For instance, they suggest that setresuid be used where available as it has very explicit and clear semantics and sets the three user IDs independently. They also suggested that users check for errors in the return code of system calls. In particular, a good technique to confidently drop privileges is to first drop the privilege permanently, try to regain the privilege, and ensure that the program cannot regain the privileges. Further information on their work is at http://www.cs.berkeley.edu/~hchen/research/setuid/.

SECURE EXECUTION VIA PROGRAM SHEPHERDING
Vladimir Kiriansky, Derek Bruening, Saman Amarasinghe, MIT

Saman Amarasinghe argued that it is not possible to attain zero bugs in code. Thus it is necessary to look at other techniques to prevent the bugs from being exploited. The key point on which they base their work is that one who owns the program counter controls the code. An attacker who is prevented from hijacking the program counter may overwrite data but cannot control the code. Based on this observation, they described their approach, which they call program shepherding.

In program shepherding, all control-flow transfers during a program execution are monitored, and security policies are defined to determine allowable transfers. Program shepherding can be done in two main ways. One way is to instrument application and library code prior to execution and to add security checks around every branch instantiation. They argue, however, that this approach is not viable or applicable. The approach they took was to use an interpreter.

The naïve approach to interpreting, however, is very slow. Hence they used a dynamic optimizer (DynamoRIO base system built in association with HP labs and MIT) in order to improve the performance of the interpreter. In addition they ensured that non-control flow instructions did not get interpreted. They further reduced overhead using indirect branch lookups.

To measure the effectiveness of their approach, they used a set of vulnerable applications: stunnel, groff, ssh, and sudo. They were able to foil all exploits, with no false positives. Their performance numbers were also very good, with the overhead around 8% due to their interpreter.

Someone asked how this approach differed from fault isolation techniques; Saman replied that in this approach the isolation is at a lower level of granularity.

A FLEXIBLE CONTAINMENT MECHANISM FOR EXECUTING UNTRUSTED CODE
David S. Peterson, Matt Bishop, and Raju Pandey, University of California at Davis

David Peterson described a variety of sandboxing techniques and explained the design of their framework, which draws from these different techniques. Peterson started by describing the different design alternatives available for sandbox creations. In particular he addressed:

1. Representation and organization of privileges in the sandbox. They first identified resources that needed to be protected, including device components, file systems, network components, and signal components. When a sandbox is created, one or more of the components are attached to it. Initially only the sandbox creator is given privileges for these components, but privileges to other processes in the sandbox can be added.

2. Location of enforcement mechanisms. The authors described the various choices to insert the enforcement mechanisms: runtime environment, sandboxed program, user space, and OS
kernel. They chose the OS kernel, as it allowed them to use the system-call API.

3. Passive or active monitoring. Passive monitoring involves changing the system-call execution such that any enforcement mechanisms are checked before the system call is allowed to proceed. This involves modification of the system call. Active monitoring requires that an external process monitors the program. Both these techniques have advantages: active monitoring is flexible, and passive monitoring introduces low overhead. The authors decided to use a mechanism that allows for either or both of the monitoring techniques.

4. Whether to group sandboxes globally or locally.

5. Whether the access control mechanisms must be mandatory or discretionary. Their design provides both options.

6. How to guard access to sandbox-related objects.

Peterson discussed many other options and described the design of their sandbox. The overhead introduced by their system varied from 0.3 to 4.0%.

An audience member wondered whether they were considering making their system into an LSM module. The reply was an affirmative.

WEB SECURITY
Summarized by Haining Wang

SSLACC: A CLUSTERED SSL ACCELERATOR
Eric Rescorla, RTFM; Adam Cain, Nokia; Brian Korver, Xythos Software

SSL is much more CPU intensive than ordinary TCP communication, because of the cryptographic computation, especially the RSA operation in the SSL handshake. To offload the cryptographic overhead, an accelerating proxy is introduced. However, the accelerator becomes a single point of failure, and multiple accelerators are only a partial solution since any connection on a failed accelerator is lost. The real problem with SSL is that the user does not know whether the transaction is complete and so is unwilling to re-submit the transaction.

Eric presented a better approach, a clustered SSL accelerator, in which all nodes in the cluster share the connection state. When any node fails, the remaining nodes are able to take over all connections that terminated on that node with no interruption in service. Failures are invisible to the end user; this process is called active session failover. The design principles of SSLACC are embodied in the three laws of clustering: (1) “all nodes must generate the same data,” and all nodes behave as one virtual device; (2) “cluster then commit,” which requires tight control of the TCP stack; and (3) it is safe to transmit unclustered data if you can reproduce it.

Note that they do not cluster data but use a clustered TCP relay. Data is automatically buffered by the client. Only full records can be processed at the server, however, and sometimes records are bigger than the TCP window size (especially during slow-start). The proposed solution is to ACK a partial record: cluster the record data read so far and ACK the partial read. To keep cluster updates as small as possible, only a minimal amount of state is transmitted so that the other nodes can reproduce the original state on failover. In conclusion, the most desirable properties in a clustered accelerator are scalability, high availability, and the ability to run on cost-effective hardware.

INFRANET: CIRCUMVENTING WEB CENSORSHIP AND SURVEILLANCE
Nick Feamster, Magdalena Balazinska, Greg Harfst, Hari Balakrishnan, and David Karger, MIT

This paper won the Best Student Paper award. Nick Feamster presented Infranet, a way to circumvent Web censorship and surveillance that consists of requesters and responders communicating over a covert tunnel. The key idea is that the Web browser requests the censored content via an Infranet requester as a local proxy, which in turn sends a message to an Infranet responder. The responder retrieves this content from the appropriate origin Web server and returns it to the requester, then the requester forwards the received content to the browser. The covert communication tunnel securely hides the exchange of censored content in normal, innocuous Web transactions.

Then he described what kind of censors people might want to get around, which include restrictive government, corporate firewall, etc. Basically, there are two classes of attacks mounted by the censor: discover attack, where the censor monitors the Web traffic for unusual-looking access attempts and traffic; and disruptive attack, which blocks communication between endpoints by preventing access to certain Web sites or attempting to block access to circumvention software. Related systems – e.g., Triangle Boy, Peekabooty – and their vulnerabilities were mentioned.

The design goals of Infranet include: (1) deniability for clients – the censor cannot confirm that any client is intentionally downloading information via Infranet; (2) statistical deniability for clients – the browsing patterns are indistinguishable from innocent clients; (3) covertness for servers – the censor cannot discover a server that is serving censored content and so cannot easily block such a server; (4) communication robustness – the Infranet channel should be robust in the presence of censorship activities designed to disrupt request/transfer of censored content; and (5) reasonable performance.

In the downstream communication, censored data is embedded in images
and recovered later by shared secret. However, steganography is not ideal, because it cannot reuse a cover image. Web cams, where images are constantly changing, would be a better choice. In the upstream communication (i.e., requesting), the requester divides the hidden message into multiple fragments, each of which is translated to a visible HTTP request by a modulation function. The mapping function was a design trade-off between covertness and bandwidth consumption. The reasonable performance is achieved by taking advantage of the asymmetric bandwidth requirements of Web transactions, which require significantly less upstream bandwidth than downstream bandwidth.

TRUSTED PATHS FOR BROWSERS
Zishuang (Eileen) Ye, Sean Smith, Dartmouth College

Eileen Ye first pointed out that the human user is the true client, not the machine; however, the communication between the Web browser and the user is a neglected component of the server-client channel. Simply ensuring that the machine draws the correct conclusion does not suffice if the adversary can craft material that nevertheless fools the human. According to their definition, Web spoofing is malicious action causing the reality of the browsing session to be significantly different from the mental model a reasonably sophisticated user has of that session.

They tried to reproduce Princeton’s Web spoofing experimental work done in 1996, but they did not succeed, due to the advances in Web technology and browsers’ user interface. So they conducted their own experiments to demonstrate the weak link between the human user and the Web browser. To foil Web spoofing, a trusted path was created between the browser and its human user. Through this trusted path, the browser can communicate relevant trust signals that the human can easily distinguish from the adversary’s attempts at spoof and illusion.

Besides clearly communicating the security-related information, the attributes of the trusted path should include: inclusiveness (working on all interfaces), effectiveness (expressing the security information in a way the user can easily understand), minimal intrusiveness, and minimal user activity. To meet these requirements, a colored boundary approach was taken, known as synchronized random dynamic (SRD) boundaries. In an SRD environment, all windows have colored boundaries. A blue boundary window (containing server materials) indicates an untrusted window, while an orange boundary window (containing browser materials) indicates a trusted window. The window boundary has two styles: inset and outset. At random intervals, the browser would change the styles on all its windows. The random pattern of the boundary style cannot be predicted by the server, so the server cannot forge a window image to impersonate the real window.

Mozilla was chosen as the base browser for implementing SRD. There are three steps to implement SRD: (1) add special boundaries to all browser windows; (2) make the boundaries change dynamically; and (3) make all windows change synchronously. To resolve the address-blocking problem (i.e., an SSL warning window blocking other windows), a reference window running in a separate process was introduced. The reference window changes its image by random number to indicate the boundary style. In usability studies, three test scenarios were included: (1) without reference window, (2) a full SRD approach, and (3) a CMW-style approach. The conclusions drawn from a user study were: it works! See the paper for additional suggestions.

GENERATING KEYS AND TIMESTAMPS
Summarized by Michael Hohmuth

TOWARD SPEECH-GENERATED CRYPTOGRAPHIC KEYS ON RESOURCE-CONSTRAINED DEVICES
Fabian Monrose, Qi Li, Daniel P. Lopresti, and Chilin Shih, Bell Labs, Lucent Technologies; Michael Reiter, Carnegie Mellon University

Michael Reiter presented this talk on what he said was fairly speculative research: the extraction of a key usable for cryptographic purposes from a biometric such as voice. The main criteria for a usable system would be that it works reliably and efficiently even with constrained resources such as cell phones, PDAs, and other wearable devices and that key extraction should be difficult even if an attacker gets access to the samples of the biometric.

In this research, the authors concentrated only on voice, since that is the natural interface for many wearables. Also, voice is a dynamic biometric in that the user can change a “passphrase” by speaking a different phrase or changing intonation, and thus can have many different keys. Reiter stated clearly that he indeed meant voice, not the phrase recognized and recovered from voice; the latter would have many fewer features and would mean a loss of information and thus key length when compared to pure voice.

Reiter first presented an overview of their system. It works by taking a voice sample, generating a list of small segments through digital signal processing, extracting from the segments a vector of binary features (which Reiter called feature descriptors), and, using each feature, selecting a key element from a two-columned key table. As not every repetition of the passphrase yields exactly the same feature descriptor, the algorithm also needs to reconstruct the correct feature descriptor by searching within a given Hamming distance of the extracted feature descriptor (key reconstruction).
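The key-table lookup and Hamming-distance reconstruction from the overview above, as an added Python example that is not code from the paper or its authors. How the selected elements are combined (SHA-256 over the selection), the stored check value used to recognise the right key, and all names and sample descriptors are assumptions made for illustration.

```python
import hashlib
import hmac
import itertools
import math

# Constructed 16-bit feature descriptor standing in for an enrolled voice sample.
ENROLLED = (1, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 1, 0, 0, 1, 0)


def build_key_table(m, seed):
    """Two-columned key table: row i holds one element per value of feature bit i.

    Elements are derived from a seed only to keep the example reproducible
    (assumption); a real table would hold independent random elements.
    """
    return [
        tuple(hashlib.sha256(seed + bytes([i, col])).digest()[:16] for col in (0, 1))
        for i in range(m)
    ]


def derive_key(table, descriptor):
    """Pick one element per row according to the feature bit, hash the selection."""
    h = hashlib.sha256()
    for row, bit in zip(table, descriptor):
        h.update(row[bit])
    return h.digest()


def check_value(key):
    """Value stored at enrollment so a candidate key can be recognised (assumption)."""
    return hashlib.sha256(b"key-check" + key).digest()


def flip(descriptor, positions):
    """Return a copy of the descriptor with the given bit positions inverted."""
    out = list(descriptor)
    for p in positions:
        out[p] ^= 1
    return tuple(out)


def hamming_ball(descriptor, max_dist):
    """Yield (distance, candidate) pairs in order of increasing Hamming distance."""
    for dist in range(max_dist + 1):
        for positions in itertools.combinations(range(len(descriptor)), dist):
            yield dist, flip(descriptor, positions)


def reconstruct_key(table, extracted, check, max_dist):
    """Search the Hamming ball around the extracted descriptor for the enrolled key.

    Returns (key, distance, candidates_tried); key is None when no descriptor
    within max_dist reproduces the stored check value.
    """
    tried = 0
    for dist, candidate in hamming_ball(extracted, max_dist):
        tried += 1
        key = derive_key(table, candidate)
        if hmac.compare_digest(check_value(key), check):
            return key, dist, tried
    return None, None, tried


def search_cost(m, max_dist):
    """Worst-case number of candidates: sum of C(m, d) for d = 0..max_dist."""
    return sum(math.comb(m, d) for d in range(max_dist + 1))


if __name__ == "__main__":
    table = build_key_table(len(ENROLLED), b"constructed-seed")
    enrolled_key = derive_key(table, ENROLLED)
    stored_check = check_value(enrolled_key)

    # A later utterance whose descriptor differs in two feature bits (constructed).
    noisy = flip(ENROLLED, (3, 10))
    key, dist, tried = reconstruct_key(table, noisy, stored_check, max_dist=2)
    print("recovered:", key == enrolled_key, "distance:", dist, "tried:", tried)
    print("worst case for distance 2:", search_cost(len(ENROLLED), 2))
```

The tolerated distance is the tuning knob: each extra bit of tolerance multiplies the legitimate user's worst-case search and widens the set of descriptors that unlock the same key.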
Reiter said that he and his colleagues have presented parts of this system earlier in other publications (IEEE S&P 2001, ACM CCS 1999); in this talk, he would focus on the implementation, on the signal-processing part, and on empirical analysis of the strength of generated keys.

The authors first implemented their system on the Yopi, a Linux PDA powered by a 206MHz StrongARM CPU. This implementation suffered from a low-quality microphone built into the device and a poor OSS sound-driver implementation. In a second implementation, the authors switched to the iPAQ 3600, also equipped with a 206MHz StrongARM.

As an illustration of the harsh realities developers face when using resource-constrained devices such as these, Reiter explained that silence elimination was an important part of their signal processing and showed waveforms of recorded "silence" generated by these devices. Instead of silence, the Yopi recorded static. The iPAQ's waveform was distorted by the device's automatic gain control.

Using these devices, key reconstruction currently works practically with a Hamming distance of up to five features (on future systems, the authors expect to be able to support six features). Based on typical Hamming distances when comparing the feature descriptor originally recorded and a capture of the passphrase spoken by the real speaker, this limits the number of distinguishing features that can be supported on these platforms to about 30. Using the best-known attack, an adversary that can only randomly guess features needs 2^40 multiplications to recover the key.

The authors also looked at other attacks on the signal-processing part that they deemed more promising than random guessing: another person uttering the same passphrase, and recovery of the original passphrase using the original speaker's voice by way of sophisticated text-to-speech synthesis and diphone cut-and-paste from a huge database of phrases spoken by the original speaker. Reiter mentioned that an attacker does not need a database as large as theirs; 20 minutes of good-quality recordings of the speaker would contain enough phonemes to synthesize 50 percent of the passwords they tried.

Interestingly, these impersonation attacks did not yield better results than random guessing. Reiter said he and his team had expected that these attacks would break their system, and they were surprised that they did not. It is unclear why these attacks do not work. Reiter speculated that he and his coauthors did not carry out the attacks correctly, or that speech synthesis is too immature, but he said that this kind of attack must be expected to become more powerful in the future.

In conclusion, Reiter said that the feasibility of using voice for generating strong keys is still unproven, but their results indicate that the approach is promising and can be implemented.

Paul van Oorschot (Cloakware) asked about the security that can be expected if an attacker obtains a recording of the speaker speaking the passphrase. Reiter replied that the authors would make no claims about that case.

Neil Daswani (Stanford University) asked whether their cut-and-paste attacks included cases in which whole subphrases of the passphrase were concatenated. Reiter said that this type of attack was included in the study.

Another audience member asked whether they tried speech synthesis using AT&T's Natural Voices product, released about one year ago, and how it compares to other speech-synthesis products. Reiter said that he does not know of AT&T's product and hence cannot compare it.

SECURE HISTORY PRESERVATION THROUGH TIMELINE ENTANGLEMENT
Petros Maniatis and Mary Baker, Stanford University

Petros Maniatis started out by referencing Jonathan Shapiro's talk earlier in the conference. He said that Shapiro was concerned with preserving history of a collection of files; his work has the same goals, but in a broader context, that of preserving the sequence of a host of events in a large distributed system.

Maniatis said that in this work, history is defined to be the temporal ordering of system events such as storing a file on a disk or signing a document. Such events can occur in unrelated, distributed components. However, there are circumstances in which the order of two such events is important even if they did not occur in the same system, for instance when referencing prior art in patent disputes.

The speaker went on to give a more elaborate motivating example in which an investor, Marti, ordered a sale of shares of some company. The next day, something bad happens to the company. Marti's broker sells the shares a day later, just before the stock price plummets prior to the bad news becoming public. Later, the SEC accuses Marti of insider trading, and now Marti would like to prove that he ordered the sale of shares before the bad event occurred. Maniatis insisted that this example was purely fictitious, which amused those audience members who had followed that week's US national news revelations about MCI/Worldcom's creative bookkeeping.

The authors set out to build a system that is designed to preserve the sequence of events "long after the 'historians' leave," under the assumption that no party trusts another. In their approach, each component maintains a local history and a local view of the global history. Components safeguard the integrity of the portions of history they know about and trust only themselves or information that can be proved. Other
requirements on the system were efficiency, scalability, survivability, and aggressive decentralization. To address these requirements, the authors developed a method for "timeweaving," interconnecting local histories with each other so that a global history can be reconstructed.

Maniatis explained that each component's history consisted of a hash chain of commitments of local events. The elements of the chain are called time steps; they contain the current local time, a description of the event, and an authenticator. The authenticator links the time step to the previous one in the timeline using a one-way hash function. Then, precedence can be proven by giving enough information for walking a thus-established hash chain. To avoid having to disclose each and every event between two events of interest, the chain includes special events that reference each other and that form a skip list for jumping over a number of other events.

Timeline entanglement, or timeweaving, works as follows: components regularly publish timeline samples for other components to witness, and witnesses commit published samples in their own timeline. Then witnesses send the originating component an entanglement receipt, which includes a precedency proof stating that all events in the publisher's past occurred before all events in the witnesses' future.

Maniatis then covered implementation aspects. Here, the challenge was to find a balance between storage overhead needed for storing authenticated hash chains and the number of disk accesses and computation steps needed to compute precedence proofs. The authors use a new data structure, RBB-Trees, which bounds the maximal number of disk accesses needed to compute an authenticator to three. Their performance study shows that in a network of 1200 1GHz PCs that generate events every second and in which each pair of hosts entangles every 10 minutes, each PC uses about 8% of its resources.

Matt Blaze (AT&T Labs) asked whether a possible attack on the proposed system would be to add many histories, making entanglement between all of them impractical. Maniatis affirmed, saying that if there was not enough framework to connect two events, no precedence could be proved.

WORK-IN-PROGRESS REPORTS, AKA QUESTIONS FROM PETER HONEYMAN
Summarized by George M. Jones
Session Chair: Kevin Fu

At the work-in-progress (WiPs) session, presenters are given five minutes to talk about current work and take questions. Due to the presentation format and space limits, these summaries are guaranteed to contain omissions, gross inaccuracies, and misrepresentations of presentations on some fine work. You are encouraged to contact the presenters for more complete, less sketchy information. Also see http://www.usenix.org/events/sec02/wips.html for the authors' own abstracts.

PREVENTING PRIVILEGE ESCALATION
Niels Provos, CITI, University of Michigan

Provos presented the idea of separating applications into two parts, privileged and unprivileged, citing the example implementation in OpenSSH, which he claimed had prevented the "gobbles" attacks from taking over CITI.

MEMORY ACCOUNTING WITHIN A MULTITASKING LANGUAGE SYSTEM
Dave Price, Rice University

Price talked about a solution to the problem of memory accounting in an environment (Java) where all tasks share a single heap. The solution proposed was to do accounting during garbage collection. This is done by starting at the root of each task and walking the reachable memory tree, charging the first task for shared memory.

SEMANTICS-AWARE TRANSFORMATION AND ANONYMIZING OF NETWORK TRACES
Ruoming Pang (with Vern Paxson), Princeton University and ICSI Center for Internet Research

This talk presented work on a way to scrub network traces of private information using the BRO IDS. Stream reassembly is done (see work presented by Paxson et al. last year), and users are given the ability to write AWK-like scripts that can tag/scrub their data before it is entered into the trace.

CLILETS: WEB APPLICATIONS WITH PRIVATE CLIENT-SIDE STORAGE
Robert Fischer, Harvard University

Fischer presented a new system called "clilets" to implement privacy on the Web. The user sends a request to the Web server, the Web server sends a "clilet" to a multi-domain sandbox, the sandbox sends HTML to an HTML verifier, and the HTML verifier sends HTML to the Web server, which sends it to the client. The server and clilet work together to create the HTML. Peter Honeyman asked, "This sounds like Java VM – what's new?"

CHECKING LINUX KERNEL USER-SPACE POINTER HANDLING WITH CQUAL
Robert Johnson and Sailesh Krishnamurthy (with John Kodumal), University of California at Berkeley

Johnson talked about a system called CQUAL that solves the problem of verifying correct uses of user and kernel pointers in the Linux kernel. The C type system does not support this, but CQUAL does. Using this system, an actual bug was found and fixed in the Linux 2.4.19 kernel.

SEGMENTED DETERMINISTIC PACKET MARKING
John-Paul Fryckman, University of California at San Diego

Fryckman proposed a solution for tracing attacks across the Internet. It involves adding "back-pointers" to packets in the IP headers. The first (edge) AS
and every subsequent AS adds its own AS number to the packet. It was claimed that with at most 17 AS numbers, the entire Internet could be covered.

TURING: A FAST SOFTWARE STREAM CIPHER
Greg Rose, Qualcomm Australia

Rose presented initial work on a new fast, simple stream cipher called Turing, designed for use in cheap, slow, small CPUs with little memory. It uses keyed non-linear transformation and was inspired by work on "tc24." The net effect: an Athlon can do 3 cycles/byte. "If it works and is secure, it will be the fastest stream cipher in software."

ACTIVE MAPPING: RESISTING NIDS EVASION WITHOUT ALTERING TRAFFIC
Umesh Shankar, University of California at Berkeley

Ways of avoiding IDSes have been known for some time (Ptacek, Newsham, 1998). These problems stem from uncertainty about what packets reach end systems and how they are interpreted. Most of these problems can be overcome by normalizing the traffic and interpreting the TCP stream as the target system would. To do this, the authors built a database of the systems and types of systems on their local net and performed IDS on normalized data as the end system would see it.

MAKING SOFTWARE RESISTANT TO DOS THROUGH DEFENSIVE PROGRAMMING
Xiaohu (Tiger) Qie (with Ruoming Pang and Larry Peterson), Princeton University

This talk presented the case for building robust network infrastructure (routers, systems) by applying improved programming techniques and tools. They built a C toolkit, allowing programmers to specify general resource usage policies. It does some flow analysis, performs consistency checks, and uses sensors/actuators. It was used in real software (Linux networking code). Results were mixed.

VFIASCO – TOWARD A FULLY VERIFIED OPERATING-SYSTEM KERNEL
Michael Hohmuth, TU Dresden

Hohmuth and associates believe that "formal methods can be worthwhile," and they deny the conventional wisdom that "OS verification is an intractable problem." With that starting point, he presented their work on Fiasco, a microkernel OS written in a C++ subset, and their results in proving one class. To the question of how long it would take to prove the whole OS, Hohmuth answered, "Three to four years."

WORMHOLE DETECTION IN AD HOC NETWORKS
Yih-Chun Hu, CMU

Your humble summary writer admits to note-taking failure for this talk and kindly asks that you visit the author's Web site: http://monarch.cs.rice.edu/papers.html

A SNAPSHOT OF GLOBAL INTERNET WORM ACTIVITY
Dug Song, Arbor Networks

Song presented work on monitoring Internet worm activity by monitoring large chunks of unused Internet address space. The work is unique in that for 1/N SYNs to port 80, they reply with an ACK and then log payloads. Using this method they can track attacks individually and can see DDoS and backscatter traffic. Song also presented data on the rise, continued prevalence, and interactions of Code Red and Nimda.

OFF-THE-RECORD COMMUNICATION
Nikita Borisov, University of California at Berkeley

In online conversations as in the real world, you may want conversations to be private, but you may want repudiation...the ability to deny that you said something. PGP and friends use long-lived keys that provide non-repudiation. This is not good for casual conversation. The author then presented work on a protocol for instant messaging to solve this problem. It involves frequent key renegotiations, symmetric authentication, revealing the MAC key in the clear, and introduction of delays.

PLUTUS – ENABLING SECURE SHARING OF PERSISTENT DATA
Erik Riedel, Seagate Research

Riedel presented file system work done at HP to address the problems of both sharing and protecting data, dealing with key management, and distributing the encryption workload. Their system pushes key management and encryption to the edge, uses untrusted servers that only do verified writes, supports keys for groups of files, not users, and is client centered. It is built on AFS using secure RPC.

A SIGNATURE MATCHING ENGINE FOR BRO
Robin Sommer, TU Munich, ICIR

Sommer said that traditional signature matching just compares signatures to net traffic, whereas BRO reuses existing signatures and uses regular expressions. BRO supports bi-directional signatures and uses knowledge about the target (this is an Apache server; an IIS exploit does not matter).

HONEYD: A VIRTUAL HONEYPOT DAEMON
Niels Provos, CITI, University of Michigan

Provos presented his work on "honeyd," which implements a small, low-interaction virtual honeypot. It can simulate arbitrary TCP services and listen on up to 65,000 IPs at one time. It reads the nmap fingerprint database and can respond appropriately to impersonate anything in the nmap DB. It can simulate arbitrary virtual routing topologies, lie to traceroute, and simulate packet loss and various services. You can proxy attackers back to themselves.

Peter Honeyman asked, "This is not part of your research. How do you ever expect to get your Ph.D. [from me] working on stuff like this?"
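For the timeline-entanglement talk summarized earlier in this report (Maniatis and Baker), the following added example, which is not code from the authors or from this report, sketches a hash chain of time steps, a witness committing a publisher's sample, and verification of a cross-timeline precedence proof. SHA-256, the field encoding, the `sample:` event prefix and all names are assumptions; the skip list and RBB-Trees are left out.

```python
import hashlib

def link(prev_auth: bytes, t: int, event: bytes) -> bytes:
    """Authenticator of a time step: one-way hash binding it to the previous step.
    Fixed-width prev_auth (32 bytes) and time (8 bytes) keep the encoding unambiguous."""
    return hashlib.sha256(prev_auth + t.to_bytes(8, "big") + event).digest()

class Timeline:
    """One component's history: a hash chain of (local time, event, authenticator)."""
    def __init__(self, name: str):
        self.steps = [(0, b"start", hashlib.sha256(name.encode()).digest())]

    def append(self, event: bytes) -> int:
        t = len(self.steps)                     # local time = step index in this sketch
        self.steps.append((t, event, link(self.steps[-1][2], t, event)))
        return t

    def auth(self, t: int) -> bytes:
        return self.steps[t][2]

    def proof(self, i: int, j: int) -> list:
        """The (time, event) pairs a verifier needs to walk from step i to step j."""
        return [(t, e) for t, e, _ in self.steps[i + 1 : j + 1]]

def walk(start_auth: bytes, proof: list) -> bytes:
    """Recompute the authenticator reached by applying proof to start_auth."""
    a = start_auth
    for t, event in proof:
        a = link(a, t, event)
    return a

def witness(publisher: Timeline, witness_tl: Timeline) -> int:
    """Entanglement: the witness commits the publisher's latest sample as an event."""
    return witness_tl.append(b"sample:" + publisher.auth(len(publisher.steps) - 1))

def precedes(a_i: bytes, proof_a: list, b_prev: bytes, proof_b: list, b_k: bytes) -> bool:
    """True if publisher step a_i provably precedes witness step b_k."""
    if not proof_b or proof_b[0][1] != b"sample:" + walk(a_i, proof_a):
        return False                            # witness step does not commit that sample
    return walk(b_prev, proof_b) == b_k

if __name__ == "__main__":                      # constructed scenario
    a, b = Timeline("A"), Timeline("B")
    i = a.append(b"sell order")
    w = witness(a, b)
    k = b.append(b"bad news")
    print(precedes(a.auth(i), a.proof(i, i), b.auth(w - 1), b.proof(w - 1, k), b.auth(k)))
```

An event appended to the publisher's timeline after the sample was witnessed cannot be proved to precede the witness's later events, because no chain walk from it reaches the committed sample.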
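For the speech-generated-keys talk summarized earlier in this report, the following added example, which is not the authors' algorithm or code from this report, illustrates key reconstruction as a search within a given Hamming distance of the extracted feature descriptor, using the report's figures of about 30 features and distance five. It is a simplification: a salted SHA-256 check value stands in for the paper's key table, and all names and sample values are assumptions.

```python
import hashlib
from itertools import combinations
from math import comb

M = 30          # distinguishing features (the report's "about 30")
MAX_DIST = 5    # Hamming distance the report says works in practice

def check_value(descriptor: int, salt: bytes) -> bytes:
    """Assumed verifier that lets the device recognise the correct descriptor."""
    return hashlib.sha256(b"check" + salt + descriptor.to_bytes(4, "big")).digest()

def derive_key(descriptor: int, salt: bytes) -> bytes:
    """Assumed key derivation from the reconstructed descriptor."""
    return hashlib.sha256(b"key" + salt + descriptor.to_bytes(4, "big")).digest()

def reconstruct(extracted: int, salt: bytes, verifier: bytes, max_dist: int = MAX_DIST):
    """Search outward from the extracted descriptor, nearest candidates first.
    Returns (key, distance, candidates tried), or None if nothing within max_dist."""
    tries = 0
    for dist in range(max_dist + 1):
        for flips in combinations(range(M), dist):
            cand = extracted
            for bit in flips:
                cand ^= 1 << bit                # flip one feature bit
            tries += 1
            if check_value(cand, salt) == verifier:
                return derive_key(cand, salt), dist, tries
    return None

def ball_size(m: int = M, d: int = MAX_DIST) -> int:
    """Worst-case candidates to test: sum of C(m, k) for k = 0..d."""
    return sum(comb(m, k) for k in range(d + 1))

if __name__ == "__main__":
    enrolled, salt = 0x2A5F13C7, b"constructed-salt"    # constructed sample values
    noisy = enrolled ^ (1 << 2) ^ (1 << 11) ^ (1 << 27) # three features read wrongly
    print(reconstruct(noisy, salt, check_value(enrolled, salt))[1:], ball_size())
```

The worst-case search grows from 174,437 candidates at distance five to 768,212 at distance six.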