THE MAGAZINE OF USENIX & SAGE
November 2001 • Volume 26 • Number 7
Special Focus Issue: Security
Guest Editor: Rik Farrow
inside: CONFERENCE REPORTS: 10th USENIX Security Symposium
USENIX, The Advanced Computing Systems Association & SAGE, The System Administrators Guild

conference reports
This issue's reports are on the 10th USENIX Security Symposium.

OUR THANKS TO THE SUMMARIZERS: TAKEAKI CHIJIIWA, SAMEH ELNIKETY, KEVIN FU, RACHEL GREENSTADT, YONG GUAN, ANCA IVAN, GEORGE M. JONES, STEFAN KELM, DAVID RICHARD LAROCHELLE, ROSS OLIVER, EVAN SARMIENTO, COLE TUCKER, MIKE VERNAL, SAM WEILER

10th USENIX Security Symposium
WASHINGTON, DC
AUGUST 13–17, 2001

KEYNOTE

WEB-ENABLED GADGETS: CAN WE TRUST THEM?
Richard M. Smith, CTO, The Privacy Foundation
Summarized by George M. Jones

Richard Smith started off by saying that what he primarily does is "cause problems," mostly for companies that have not thought through the security implications of products that they have released. They often "discover unintended consequences that companies don't like to talk about." The three main areas they consider are security, privacy, and control.

He stated that "consumers care more about the security of cell phones than about Web servers" because cell phones are personal devices with which consumers have immediate connections. Application developers and companies are more concerned with functionality than security. Products such as consumer devices based on real-time operating systems tend to have lower concerns for security.

[Photo: Richard M. Smith]

Smith said that DirecTV was the first consumer device that got his interest about privacy issues. It had a phone jack. What information was it sending back? Later, a call to customer service on a different issue revealed that the customer service people were able to send commands (via satellite?) to turn his TV on. Is this a good thing? Still another time the company apparently chose to "advertise" new services by causing the TV to tune to a soft-porn channel which he had not subscribed to or selected.

Earlier this year, just before the Super Bowl, the company downloaded a program to all DirecTV boxes. The goal was to disable black market devices used to pirate programming. It succeeded. But what if they had made a mistake? What if they had disabled service for legitimate customers? Who, in fact, owns the boxes? DirecTV clearly did not own the black-market devices. Did the company's actions constitute "hacking"? Did the terms of service allow them to reprogram the legitimate boxes?

It turns out that DirecTV was not sending back "Nielsen" information, just a lot of information about the temperature inside the box. Their competitor Tivo does send in "Nielsen" info. You have to explicitly opt out by calling customer service.

We're entering a brave new world of connected devices. A company called Sports Barn sold a strap-on device that monitored your daily exercise...and then uploaded it via phone to their Web site to create a "personal profile" (which, of course, would never be used for marketing or other purposes). One could have gotten the same effect by uploading to a PC without disclosing personal information, and there are inexpensive stand-alone devices available at sports shops that do similar things. But to maintain a record you might have to (gasp) write things on paper: the price of privacy. Oh, the company just went out of business. Many formerly happy customers now have worthless devices. Similar things could never happen with subscription software licensing, could it? Software companies never go out of business, get bought out, refocus on newer products, or have turnover or loss of support staff.
4 Vol. 26, No. 7 ;login:
Ever considered plugging your picture frames into the phone? Kodak wants you to so that you can "register" your digital pictures. Of course, you'll pay a recurring subscription fee to do so. And they'll never share your private pictures with anyone either, their servers never get hacked, and all their employees are intimately familiar with their information security policies and actively make it their top priority each day to follow them.

Want free wireless Internet access? See the Global Access Wireless Database at http://www.shmoo.com/gawd/. Want to see what your neighbors and coworkers are doing? 802.11 is your friend. At least one non-USENIX conference person was observed using the USENIX wireless network at the symposium.

Convergence is a good thing, right? Fewer devices, more functionality, lower cost, but do you really want someone using the cell phone API in your combo phone/palm pilot to run a program that (1) turns off the speaker, (2) places a call, and (3) turns on the microphone? Your phone is now a bugging device, in addition to a tool for pinpointing your location at all times. Personally, I'll stick with dumb one-way pagers and only turn my phone on when I want to make a call (and announce my location).

Do you ever store personal/low-sensitivity data and business/high-sensitivity information on, say, a palm pilot, a laptop computer, or a home computer connected to public networks? Mudge and Kingpin of @stake pointed out in a later talk (dressed in bathrobes to protest their 9 a.m. speaking slot) that PalmOS has serious security problems. Cable modem providers do not generally provide security/firewall services. Laptops are routinely stolen (the laptop that was being used as the gateway/router for the conference terminal room disappeared overnight, and one of the terminal-room attendants stopped someone who attempted to walk out with its replacement in broad daylight). Information security management issues that were once handled by trained security professionals in controlled, centralized environments are now the problem of your grandmother, Joe Six-pack, and your CEO.

Do you ever speed in a rental car? In the Q&A session Rik Farrow noted that at least one person has been fined by the rental car company for doing so. The company installed GPS devices in all its cars that enable it to track down stolen cars...and tell how fast you go. Any guesses how long it will be before law enforcement and insurance companies push for legislation requiring such devices in all new cars?

Steve Bellovin noted that during the talk there had been multiple nmaps of the wireless net and an ongoing battle for the address of the default router (Dug Song of dsniff fame was in the room).

And lastly, true confessions — Smith admitted that he has not turned on WEP on his own wireless net at home.

And the beat goes on...

INVITED TALKS

A MAZE OF TWISTY LITTLE STATUTES, ALL ALIKE: THE ELECTRONIC COMMUNICATIONS PRIVACY ACT OF 1986 (AND ITS APPLICATION TO NETWORK SERVICE PROVIDERS)
Mark Eckenwiler, U.S. Department of Justice
Summarized by Cole Tucker

The Electronic Communications Privacy Act of 1986 has a reputation for complexity. Mark Eckenwiler gave an expressive overview of the law, primarily from the viewpoint of a system administrator/provider. Basically, the act covers the relationship between providers and customers, and between providers and the government. It tries to allow for communication privacy while keeping in mind that online records are the key to prosecuting network criminals.

The law distinguishes four types of environments, based on whether the data is content or transactional in nature and whether it's being intercepted in real time or after it's been stored. The class that receives the most protection, real-time content, has a very basic rule for the normal user: don't get or look at it. For the government, the rule is nearly as simple: don't get it without a wiretap order. Providers aren't supposed to look at it unless they're in the process of protecting their rights and property. So if you're a regular user, don't run an unauthorized sniffer. If you're representing a provider, under Eckenwiler's interpretation, feel free to run an IDS or even a keystroke logger in real time; you can be proactive in defending yourself. Other exceptions are made for publicly accessible systems, such as IRC, or if all parties consent, say in a system that has a banner stating that use implies consent to monitoring. As a provider, if you have a legitimate need to monitor, there's no reason to worry.

The second class of data consists of transactional records being intercepted in real time. For providers and users the rules remain nearly the same: hands off for the latter and have a good reason for the former. The standards have been lowered for the government, so this information is essentially "less private." For access to this data, the government simply needs a court order. Examples of data that fall under this are addresses attached to incoming emails and information on where users are connecting from and whether they are online.

Next comes stored content. Eckenwiler referred to this section as "Dichotomies 'R' Us"; basically, each situation has different rules that apply, with way too many to generalize here.

Finally, there are stored transactional records. Users, hands off. Providers are
allowed to reveal this information to anyone they like, except for the government. In respect to the government, there are two classes of data: basic user data and non-contact info. Basic user data (things like name, address, and phone number) is accessible with a subpoena, and thus not strongly protected. Everything else requires a 2703(d) warrant to access, but providers can be sent a court order requiring they hold on to the data for a specified amount of time, usually in expectation of a warrant being served in the near future.

LOANING YOUR SOUL TO THE DEVIL: INFLUENCING POLICY WITHOUT SELLING OUT
Matt Blaze, AT&T Labs-Research
Summarized by George M. Jones

Matt Blaze commented on the public debate over cryptology that's taken place over the past 10 years or so. He included amusing stories of "hacker tourism," including nine cryptography experts all independently trying to score "cool" points by stealing stationery from secret congressional briefing rooms and NOT opening a red folder marked "TOP SECRET: President's Daily National Security Briefing" when left alone in a conference room in the old executive office building.

What can a scientist/techie contribute to the public policy debate? His main advice is "stick to what you know" (science/technology). "You are listened to because people believe you have objectivity. The basic purpose of science and engineering is to expand understanding of reality/truth, with no compromises." You are not there to comment on philosophy, politics, or constitutional law.

He gave an amazingly insightful list of the contrasting values of science and politics:

• Science is interested in finding truth. Politics is about balancing interests.
• In science, people are rewarded for new discoveries. Disruptiveness is considered good. In politics, people are rewarded for making other people happy. Disruptiveness is considered bad.
• In science, uncompromising people are admired; in politics, uncompromising people are considered fools.
• In science, "honesty" means admitting mistakes; in politics, it means keeping promises.
• In science, challenging someone shows interest; in politics, a challenge is an attack.
• In science there is no "dress code"; in politics, even suits can be considered "casual" (and thus cause you not to be taken seriously).

The policy options range from discouraging/forbidding its use; allowing limited strength crypto; allowing use of strong, modern cryptographic methods; and encouraging use. In the last few years the US has moved mostly from the first to the third stage.

[Photo: Matt Blaze]

The tone of the debate has also changed and includes more actual dialogue. We no longer have one side yelling, "You're a bunch of long-haired hippies," and the other yelling, "You're a bunch of jack-booted thugs." Now it's just "you're a bunch of hippies" vs. "you're a bunch of thugs." See, for instance, "Thou shalt use skipjack/clipper" vs. the process for selecting AES.

"Washington, D.C. is another planet, a closed system." "Much of what happens here is for show." "Any meeting with a policy maker involves a little conspiracy to make each other feel important." "Meetings with congressional staffers always end with the question 'What do you suggest we do?'" Stick to what you know.

COPS ARE FROM MARS, SYSADMINS ARE FROM PLUTO: DEALING WITH LAW ENFORCEMENT
Tom Perrine, San Diego Supercomputer Center
Summarized by Ross Oliver

Tom Perrine described some of his experiences with law enforcement people and discussed his recommendations for other sysadmins who may need to interact with law enforcement.

Like system administration, law enforcement is a culture as well as an occupation, with its own lingo, inside jokes, etc. There are also many different law enforcement agencies: federal, state, city, county, military, and customs. Even schools and universities often have their own police force.

Throughout the talk, Perrine emphasized the importance of trust in individuals rather than organizations. Just as in any large organization, there are "clueful" and not "clueful" members, and building personal relationships is key. Also realize that the goals and priorities of law enforcement may be different from yours.

Because they are "agents of the government," law enforcement officers have many legal constraints on their actions that may not apply to private citizens. Sysadmins can take advantage of "ISP exemptions" in the law to take "any steps necessary to protect the communications system."

Perrine recommends that sysadmins become familiar with applicable laws (both federal and state) before the need to apply them arises. Advice of qualified legal counsel is strongly recommended. Also, make sure your organization's policies are suitable, and adhere to them during any investigation.
READING BETWEEN THE LINES: LESSONS FROM THE SDMI CHALLENGE
Scott A. Craver, Min Wu, and Bede Liu, Princeton University; Adam Stubblefield, Ben Swartzlander, and Dan S. Wallach, Rice University; Drew Dean and Edward W. Felten, Princeton University
Summarized by Rachel Greenstadt

Program Chair Dan Wallach introduced this talk as being a long time in the making and mentioned that he was pleased to have it here. However, he stressed that this first section would be a normal, boring technical talk. THEN there would be a panel discussion where policy questions would be allowed. Matt Blaze asked when the subpoenas would be served; however, despite the large mass of press and lawyers that joined the USENIX attendees, there was no last-minute withdrawal of the talk this time, and no FBI agents came to cart Scott Craver away as he gave his talk.

Craver began by describing the challenge, which took place during three weeks in September and October of 2000. SDMI (Secure Digital Music Initiative) invited "hackers," otherwise known as the general public, to crack six of their proposed technologies labeled A through F. There were four watermarking technologies and two others. SDMI offered a cash prize for the successful defeat of one of their technologies, but this required the winners to sign a Non-Disclosure Agreement, so the Felten group decided to forego the prize in favor of publishing their findings.

SDMI is an organization, an initiative, and the technology for that initiative. At the time of the challenge, that technology was watermarking and related technologies. The watermarks (technologies A, B, C, and F) were composed of a robust and a fragile component, the robust part of which would survive altered music. Through a missing watermark in the fragile component, such as if it had been mp3 compressed, an SDMI device could perhaps determine if a CD track was ever an mp3 in the past, perhaps illegally downloaded. The other technologies (D and E) were used to sign tables of contents, supposedly to control the propagation of CDs with mixed tracks.

For the watermarking technologies there were three samples given: (1) a sound clip without a watermark, (2) the same sample with a watermark, and (3) a different sound clip with a watermark. The challenge was to remove the watermark from the third sound clip. SDMI provided no actual embedders or detectors. There was an online oracle to which you could submit a sound clip and get a response. There was no description of the algorithms used, and no details or reasons were given when an oracle rejected a clip. The challenge lasted only three weeks and the oracle had a turnaround time in hours. As such, adaptive oracle attacks, which would be possible if the system were deployed, were not feasible.

There were several approaches used against the marks: (1) brute force attacks not specific to the algorithm used and which mostly consisted of adding noise and filtering, (2) slight brute force attacks loosely based on supposed details of the algorithms, and (3) full-blown reverse engineering.

For technologies B and C, the group noticed that there was a narrow band signal added to the clip. By the slightly brute method of filtering at the frequency and adding narrow-band noise they were able to foil the oracle.

In their analysis of technology A, the group noticed a slight warping in the time domain as though the signal was slowly advancing or decreasing. They determined that this phase shifting was pre-processing and not the actual watermark, since the oracle did not admit the sample when the distortion was removed. However, removing this distortion in technology F was able to make that watermark undetectable (quick, somebody call the FBI).

Another approach to defeating technology A would have been to try reinstating the fragile component. However, there was no way to test this type of attack using the oracle.

The group noticed a ripple in the frequency domain, which led them to believe that technology A used some sort of echo hiding technique consisting of deliberate but inaudible echoes, which meant that there was a signal which was delayed and then added back into the music. They tried a filtering approach to reduce the audibility of the echo sufficient to remove the watermark. Wanting to discover more, they decided to do a patent search, figuring correctly that this was a proprietary algorithm with a patent. They found a patent belonging to Aris corporation, which became Verance, one of the SDMI companies. This made them feel like they were on the right track. They also discovered that it was a simple echo every fiftieth of a second and that a delayed version was added or subtracted every fifteenth interval. To further analyze the signal they used the autocepstral technique for echo hiding, combining techniques to estimate the echo. They've come up with better echo hiding detection software subsequent to the challenge. Scott demonstrated a program that was color coded to detect the echo.

For technologies D and E, SDMI presented table-of-contents files for 100 CDs and signature tracks. The challenge was to create a new table of contents and successfully forge a signature for it. For technology D they found that all the energy was concentrated in a small frequency band of 80 frequency bins which only actually used a 16-bit signal
repeated five times with constant shuffling. Since there were only 16 bits of output, a user should be able to acquire many authenticators, as there were two hash collisions among the CDs given. However, it was difficult to get further than this analysis because the oracle for D didn't work; it would always return "invalid" regardless of input. Technology E, however, didn't have any data to analyze at all. You could submit a mail saying you'd try mixing this track and that track, and you'd get a reply saying that you couldn't do that.

The speaker concluded by saying that many claimed that this was a system to "keep honest people honest." However, though the Felten group felt that the system was too complex for that, they wouldn't claim any type of strong security. The systems require trusted clients in a hostile environment, but if deployed they would be broken quickly. No special EECS knowledge is needed and there are no dirty secrets. Anyone with reasonable expertise could do this. Watermarking can be useful but not in this situation. The weakness is in the overall concept, not the specific technology. One main lesson learned is that security through obscurity STILL doesn't work. This is particularly the case for secret algorithms which are patented and therefore public.

[Photo: Q & A: Scott Craver & Dan Wallach]

Peter Honeyman asked about the possibility of a secure watermark. Scott replied that he personally thinks that watermarking won't work for actively enforcing a usage policy since doing this provides all targets an oracle that they can use. He is pessimistic about the use of watermarking for copyright control. He clarified that they broke, according to the oracle, technologies A, B, C, and F, but that D and E had no valid responses. He also clarified that only technology A used echo hiding, and that though they don't know what the criteria for the oracle were, it appeared to make a decision based on detectability and quality. He explained that some areas where watermarking might prove useful are in fragile watermarks which provide tamper evidence in digital photographs and in preventing duplication of currency. These technologies have a different threat model. Someone asked about copy protected CDs; Scott replied that that was a completely different approach done entirely at the hardware level. People wondered why honest people would not want a complex copy protection scheme; Scott answered that complex schemes have higher rates of failure and higher cost. Someone asked how this was relevant to detecting steganographic information and Scott answered that they were basically the same and that the information about echo detection would be useful.

PANEL DISCUSSION ON SDMI/DMCA
Moderator: Dan Wallach, Rice University; Panelists: Edward W. Felten, Princeton University; Cindy Cohn, EFF; and Peter Jaszi, American University College of Law

The three panelists spoke about the legal and social questions surrounding the SDMI/DMCA issue. Dan Wallach mentioned that if there were any representatives from the record company, the panel would love to have someone from the other side come speak; he doubted, however, that they would be here.

[Photo: Prof. Peter Jaszi]

Peter Jaszi then presented a detailed description of the Digital Millennium Copyright Act (DMCA), section 1201. He explained the difference between the DMCA and copyright law. Copyright law has been developed and refined over a few hundred years and maintains a delicate balance between owners' and users' privileges. To that end it has been relatively successful. It is important to understand that the DMCA is not copyright law but, rather, a supplement to copyright law or para-copyright legislation. As such it has the potential to override the copyright default protections which had been carefully laid out over time. He sought to explain these overrides and mentioned that the risk the DMCA poses to the fundamental copyright system isn't news and wasn't news when it was passed. As a result some limitations to the DMCA were built in, but most of these exceptions are not very functional.

The fundamental commandment of the DMCA is "Thou shall not circumvent for access." The fact that it was access and not use was a compromise intended to limit the DMCA. However, it limited the legislation less than some imagined it would since there is a great deal of confusion between access and use. There are also secondary prohibitions concerning making goods and services which can be used for circumvention available. Section 1201(b)(1) can be interpreted broadly, and it was under this provision that the threats from SDMI to the authors of the paper were made. Section 1201(c) presents a fair-use exception in wonderful ringing language; however, it is completely irrelevant since it references fair use as a defense of copyright and the DMCA is not copyright.
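Stepping back to the SDMI talk for a worked example of the one technique the summary describes in enough detail to reproduce: the echo-hiding watermark of technology A and its detection through the cepstrum. The Python below is an added illustration, not code from the talk or from the Felten group's paper, and its numbers are assumptions: an 8 kHz sample rate (so the 1/50 s echo is 160 samples), an echo gain of 0.3, 4096-sample segments, seeded white noise standing in for music, and a z-score threshold for calling a cepstral spike an echo. It embeds one bit per segment by adding or subtracting a delayed copy of the signal, recovers the bits from the sign of the cepstral spike at the echo's delay, and then plays the attacker: estimate delay and gain from the same spike and cancel the echo with an inverse filter, after which the detector no longer fires.

```python
"""Echo-hiding watermark: embed, detect via the real cepstrum, and strip the echo.

Added example, not code from the SDMI talk or the Felten group's paper. It keeps what
the summary reports (a deliberate 1/50 s echo, a delayed copy added or subtracted,
cepstral detection); sample rate, gain, segment size, the noise carrier and the
inverse-filter removal are assumptions for illustration.
"""
import cmath
import math
import random

SAMPLE_RATE = 8000              # assumed; makes the 1/50 s delay an integer sample count
ECHO_DELAY = SAMPLE_RATE // 50  # 160 samples
ECHO_GAIN = 0.3                 # assumed echo amplitude relative to the carrier
SEGMENT = 4096                  # samples per embedded bit; a power of two for the FFT
MIN_QUEFRENCY = 20              # skip the spectral-envelope region next to quefrency 0
Z_THRESHOLD = 6.0               # a spike counts as an echo only this far above the floor


def fft(x):
    """Radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out


def real_cepstrum(frame):
    """IDFT of log|DFT(frame)|. An echo y[n] = x[n] + a*x[n-d] multiplies the spectrum
    by (1 + a*e^{-jwd}); its log-magnitude is a*cos(wd) + O(a^2), so the cepstrum has a
    spike of height a/2 at quefrency d whose sign is the sign of a."""
    log_mag = [math.log(abs(v) + 1e-12) for v in fft(frame)]
    # log_mag is real and symmetric (frame is real), so inverse DFT == forward DFT / n.
    return [v.real / len(frame) for v in fft(log_mag)]


def detect_echo(frame):
    """(delay, signed_gain, z) of the strongest cepstral spike, or None if none stands out."""
    band = real_cepstrum(frame)[MIN_QUEFRENCY:len(frame) // 2]
    mean = sum(band) / len(band)
    std = math.sqrt(sum((v - mean) ** 2 for v in band) / len(band))
    peak = max(range(len(band)), key=lambda i: abs(band[i] - mean))
    z = abs(band[peak] - mean) / std
    if z < Z_THRESHOLD:
        return None
    return peak + MIN_QUEFRENCY, 2.0 * band[peak], z


def embed(carrier, bits, delay=ECHO_DELAY, gain=ECHO_GAIN, seg=SEGMENT):
    """One bit per segment: bit 1 adds a delayed copy of the carrier, bit 0 subtracts it."""
    marked = list(carrier)
    for i, bit in enumerate(bits):
        signed = gain if bit else -gain
        for n in range(max(i * seg, delay), (i + 1) * seg):
            marked[n] += signed * carrier[n - delay]
    return marked


def extract(marked, seg=SEGMENT):
    """Read each segment's bit from the sign of its cepstral spike (None: no echo found)."""
    bits = []
    for i in range(len(marked) // seg):
        hit = detect_echo(marked[i * seg:(i + 1) * seg])
        bits.append(None if hit is None else int(hit[1] > 0))
    return bits


def strip_echo(marked, seg=SEGMENT):
    """Attacker's side: estimate delay and signed gain per segment from the cepstrum,
    then cancel the echo with the inverse filter x[n] = y[n] - g * x[n - d]."""
    clean = list(marked)
    for i in range(len(marked) // seg):
        hit = detect_echo(marked[i * seg:(i + 1) * seg])
        if hit is None:
            continue
        delay, gain, _z = hit
        for n in range(max(i * seg, delay), (i + 1) * seg):
            clean[n] = marked[n] - gain * clean[n - delay]
    return clean


def make_carrier(n_samples, seed=2001):
    """Constructed stand-in for music: seeded white noise (a broadband carrier)."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n_samples)]


def demo(bits=(1, 0, 1, 1)):
    """Embed, detect, strip, and confirm the detector then stays silent."""
    carrier = make_carrier(SEGMENT * len(bits))
    marked = embed(carrier, bits)
    return {
        "embedded": list(bits),
        "recovered": extract(marked),
        "first_segment": detect_echo(marked[:SEGMENT]),
        "after_strip": extract(strip_echo(marked)),
    }
```

The cepstral spike is the whole story: log|1 + a·e^{-jωd}| is a·cos(ωd) to first order, so the echo's delay is the spike's quefrency and its sign is the bit. That is also why such a detector cannot be both sensitive and hard to reverse: anything the detector can see in the cepstrum the attacker can measure and subtract, which is the "no dirty secrets" point Craver made above. Real music is not white noise, so on actual tracks the spectral envelope puts more energy at low quefrencies and the threshold would need tuning; the assumed carrier keeps the demonstration deterministic.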
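The other SDMI technology the summary quantifies is D, whose signature track carried only 16 bits of authenticator. As an added example that is not from the paper or the talk, the Python below puts numbers on that. The real scheme was never disclosed, so it assumes a stand-in construction: a keyed hash of a constructed TOC string truncated to 16 bits, checked by an accept/reject oracle. It shows that an attacker with no key forges a valid tag for an arbitrary TOC in at most 65,536 oracle queries, and how many tags the birthday bound needs before collisions appear.

```python
"""Why a 16-bit authenticator on a CD table of contents is not a signature.

Added example, not from the SDMI paper or talk: the TOC encoding, the tag
construction (a keyed hash truncated to 16 bits) and the verifier oracle are
assumed stand-ins for technology D, whose internals the talk did not reveal.
What it shows is what 16 bits of output buys an attacker, with or without a key.
"""
import hashlib
import hmac
import math

TAG_BITS = 16
VERIFIER_KEY = b"assumed-verifier-key"  # never needed by the attacker below


def toc(track_lengths):
    """Constructed TOC encoding: track lengths in seconds, comma separated."""
    return "TOC:" + ",".join(str(t) for t in track_lengths)


def tag(toc_str, key=VERIFIER_KEY, bits=TAG_BITS):
    """Keyed hash of the TOC truncated to `bits` bits: the 'authenticator'."""
    digest = hmac.new(key, toc_str.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - bits)


def make_oracle(key=VERIFIER_KEY):
    """The verifier as the attacker sees it: accept or reject, nothing else."""
    return lambda toc_str, candidate: candidate == tag(toc_str, key)


def forge_tag(toc_str, oracle, bits=TAG_BITS):
    """Forge without the key: walk the whole 2**bits tag space against the oracle.
    Returns (tag, queries used); half the space on average, all of it at worst."""
    for candidate in range(1 << bits):
        if oracle(toc_str, candidate):
            return candidate, candidate + 1
    return None


def expected_colliding_pairs(n, bits=TAG_BITS):
    """Expected number of pairs sharing a tag among n uniformly random tags."""
    return n * (n - 1) / 2 / (1 << bits)


def samples_for_half_chance(bits=TAG_BITS):
    """Birthday bound: tags needed for a 50% chance of at least one collision."""
    return math.ceil(math.sqrt(2 * math.log(2) * (1 << bits)))


def colliding_pairs(tags):
    """Count pairs with equal tags in an observed list (e.g. published discs)."""
    counts = {}
    for t in tags:
        counts[t] = counts.get(t, 0) + 1
    return sum(c * (c - 1) // 2 for c in counts.values())
```

expected_colliding_pairs(100) is about 0.08, so the two collisions the group found among the 100 supplied discs are far more than uniformly distributed 16-bit tags would produce. The forgery loop shows why a working verifier would not have helped either: a 16-bit tag space is exhausted against an oracle in well under a second on this machine's scale of effort, key or no key.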
The law enforcement exception is actually sweeping and robust; it applies to all the provisions of the act. The reverse engineering exception is not half bad; it refers to the whole range of prohibitions although it is still narrower in scope than the protections under copyright law. Sections 1201(g) and (j) present limited exceptions for encryption research and security testing which are uncertain in scope. Section 1201(h) presents a small but robust exception to allow adults to circumvent in order to frustrate a minor's attempt to achieve privacy in a Web environment. Section 1201(i) allows ordinary people to protect their privacy, but it is only a conduct exception; you need to make your own tools and not distribute them. There is less to all these limitations and exceptions than meets the eye.

There are risks posed by this legislation to the traditional balance of interest in copyright law, which calls for a push-back against legislative excess. To this end Jaszi is forming a new access coalition. They have a Web site at http://www.ipclinic.org.

Cindy Cohn from the EFF said that Peter had already said everything about section 1201 but stressed that the EFF was "pushback central" and explained ways in which people could get involved in this effort. The EFF has been involved in this issue even before the cases involving 2600 Magazine, Felten and the USENIX presentation of the SDMI paper, and the California trade secrets case.

Thomas Greene from the Register wondered why the mainstream press hasn't realized their stake in this and what it implies about freedom of the press. Cindy replied that they were getting increased press support with the Sklyarov arrest; speaking speculatively, she also mentioned that the mainstream press is owned by content holders. In addition, most press organizations wish to be seen as nonpartisan and objective.

Someone asked about dual use technologies, such as echo detection. The DMCA takes this into account but the language doesn't give much comfort. There are a series of criteria which will give you liability.

There was a question about potential connections between the lawsuit and the Sklyarov case. Cindy answered that in strictly legal terms there was no overlap.

Someone asked what to do in Felten's situation, what lessons had they learned? Felten responded that they learned a great deal responding to the threats regarding the paper. He said to talk to people who've been there and keep in mind your goals and values.

Someone brought up the question of whether a person would be at risk for summarizing the session. Cindy said that the letter they received only pertained to the particular paper, but because the paper can be published, prosecuting for summarizing would be hard. Peter suggested that if you were going to synthesize the talk (uh...this is starting to sound disturbingly familiar...) and discuss strengths and weaknesses, theoretically you could be in trouble. Especially if you implement something based on the presentation. Felten mentioned that the fact that this question has no simple answer is telling.

Someone suggested widespread civil disobedience as the only way to effect change. Cindy responded that she never advises people to break the law. Though she feels that if the law is out of step with what people believe their rights are, the law should be changed. Peter added that copyright law has functioned well based on shared social investment. Like the tax code, it works not because it is policed but because there is a high degree of collective buy-in to its premises. The most corrosive thing about the DMCA is that the basic assumptions it makes about people are dark and pessimistic. We need to question those assumptions and what flows from them.

Someone asked for some insight into why the industry wouldn't want this research since it would allow them to build better protection schemes. Felten responded that to us the question is, is this technology weak? We didn't make it weak, and we think it should be fixed. The industry's concern is not whether the technology is strong or weak so much as whether people believe it is strong or weak. They think that if the public reaches a consensus that the technology is strong, that will be enough. Many of us find this hard to understand.

[More information and photographs can be found at http://www.usenix.org/events/sec01/index.html]

CHANGES IN DEPLOYMENT OF CRYPTOGRAPHY, AND POSSIBLE CAUSES
Eric Murray, SecureDesign
Summarized by Takeaki Chijiiwa

A survey of cryptography deployment was conducted last year (2000) by Eric Murray, and a similar survey was conducted in 2001 to measure changes in the deployment of SSL (Secure Socket Layer) and TLS (Transport Layer Security) Web servers.

The results of the 2000 survey showed 10,381 unique hostname and port number combinations compared to 12,630 in 2001. Detailed results are available at http://www.lne.com/usenix01.

There were several noteworthy changes between the results from the surveys in 2000 and 2001:

What got better?

• A 14% increase, 5% decrease, and 8% decrease among servers categorized as Strong, Medium, and Weak, respectively.
• The number of servers supporting 1024-bit key size increased by 10% while a decrease of 8% was seen for support of less than 512-bit key size.
• The protocol adoption saw a shift from SSL v2 (3% decrease) toward TLS (5% increase).

What got worse?

• The number of expired certificates increased from 3.1% to 3.7%.
• Self-signed certificates increased from 0.8% to 2.0%.

The results presented raised many questions from the audience.

Question: Why do you think there was an increase in the number of self-signed certificates?

Answer: This may be due to people playing around with OpenSSL, or the survey may have picked up servers used for internal use. Furthermore, the increase in the number of expired certificates may have been a result of study error and/or the inclusion of abandoned Web sites.

Question: Did you retest the servers from last year's survey?

Answer: No. This was a new list and, therefore, a completely new survey.

Question: Is the raw data available?

Answer: You can email ericm@lne.com for private requests.

Question: Which browsers do you use for personal use?

Answer: Linux and Netscape.

REVERSING THE PANOPTICON
Deborah Natsios, cartome.org; John Young, cryptome.org
Summarized by Mike Vernal

[...] surveillance state. Based upon the assumption that information is power, Natsios likened the work of cartome.org and cryptome.org to that of Ariadne in the myth of Theseus and the Minotaur. By reversing the flow of information, cartome.org and cryptome.org hope to empower those who may be caught in the labyrinth of the security state, much as Ariadne empowered Theseus with a trail of silk thread through the labyrinth of Crete.

John Young continued by explaining that cryptome.org welcomed the submission of proprietary or classified documents and trade secrets from any nation or corporation. Young described a few such documents and the unfavorable responses they had received. The British government objected to one document and attempted to have cryptome.org's Internet service provider shut the site down. Another document prompted diplomatic requests from the Japanese government for its removal. All attempts to shut the site down have thus far been rebuffed, but Young imagines that someone will eventually be successful.

Other information cryptome.org has received and published includes proofs that American corporations used US intelligence to stay ahead of foreign competitors, the names of over 8,000 CIA informants, and, currently, the programs and keys associated with Russian programmer Dmitri Sklyarov's crack of Adobe's E-book system, for which he was arrested in July.

An audience member asked what types of material cryptome.org would not publish. Young explained that cryptome.org is open to any kind of publication, but they have refused to publish child pornography documents and personal information and documents if requested by the person in question. They also reminded the audience that they do not verify the authenticity of the information they publish – they leave that to the interested reader.

Young repeatedly stressed what he believed to be the transitory nature of cryptome.org. He assured the audience that at some point cryptome.org will either be silenced or it will simply mature away from the cutting edge. When that finally happens, Young is confident that someone else will emerge at the vanguard of the quest to reverse the Panopticon state.

DESIGNS AGAINST TRAFFIC ANALYSIS
Paul Syverson, U.S. Naval Research Laboratory
Summarized by Yong Guan

Paul Syverson used a pseudonym, "Peter Honeyman," on his talk, a joke which pervaded the rest of the conference.

Although the encryption of network packets ensures privacy of the payload in a public network, packet headers identify recipients, packet routes can be tracked, and volume and timing signatures are exposed. Since encryption does not hide routing information, public networks are vulnerable to traffic analysis.

Traffic analysis can reveal, for example, who is searching a public database, what Web sites are surfed, which agencies or companies are collaborating, where your email correspondents are, what supplies/quantities you are ordering and from whom, and so forth.

Knowing traffic properties can help an adversary decide where to spend resources for decryption and penetration. Therefore, it is important to
information related to biological war- develop countermeasures to prevent
Deborah Natsios described the mission
fare. They also feel that personal prerog- traffic analysis.
of cartome.org and cryptome.org as an
attempt to reverse the one-way flow of ative takes precedence over the public’s The security goal of traffic-analysis-
information controlled by the national right to know, so they will remove per- resistant systems is to hide one or more
of the following:
10 Vol. 26, No. 7 ;login:
• Sender activity: that a site is sending anything
• Receiver activity: that a site is receiving anything
• Sender content: that a sender sent specific content
• Receiver content: that a receiver received specific content
• Source-destination linking: that a particular source is sending to a particular destination
• Channel linking: identifying the endpoints of a channel

Some systems were described:

Dining Cryptographers (DC) networks – in which each participant shares secret coin flips with other pairs and announces the parity of the flips the participant has seen to all other participants and the receiver.

Chaum mixes – a network of mix nodes, in which messages are wrapped in multiple layers of public-key encryption by the sender, one for each node in a route. Most widely used anonymous communication systems use the Chaum mix method. There are two kinds of routes for the messages: mix cascade, where all messages from any source move through a fixed-order "cascade" of mixes, and random route, where the route of any message is selected at random by the sender from the available mixes.

Remailers, mainly used for email anonymity, employ rerouting of an email through a sequence of multiple mail remailers before the email reaches the recipient, so that the true origin of the email can be hidden.

Anonymizer and SafeWeb provide fast, anonymous, interactive communication services. They are essentially Web proxies that filter out the identifying headers and source addresses from Web browsers' requests. Instead of the user's true identity (e.g., IP address), a Web server can only learn the identity of the Web proxy. Both offer encrypted links to their proxy (SSL or SSH). Anonymizer is a single point of failure, whereas SafeWeb is a double point of failure. SafeWeb offers additional protection from censorship.

Crowds aims at protecting users' Web-browsing anonymity. Like Onion Routing, the Crowds protocol uses a series of cooperating proxies (called jondos) to maintain anonymity within the group. Unlike Onion Routing, the sender does not determine the whole path. Instead, the path is chosen randomly on a hop-by-hop basis. At each hop a decision is made whether to submit the request directly to the end server or to forward it to another randomly chosen member according to the forwarding probability. The expected path length is controlled by the forwarding probability. Cycles are allowed on the path. The receiver is known to any intermediate node on the route. Once a path out of a crowd is chosen, it is used for all the anonymous communication from the sender to the receiver within a 24-hour period. Crowds does not have a single point of failure and uses more lightweight cryptography than mix-based systems. However, Crowds has limitations: all users must run Perl code, users have to have long-running high-speed Internet connections, an entirely new network graph is needed for a new or reconnecting Crowd member, connection anonymity is dependent on data anonymity, and responder protection is weak.

Onion Routing provides anonymous Internet connection services. The Onion Routing network operates on top of existing TCP/IP networks such as the Internet. It builds a rerouting path within a network of onion routers, which in turn are similar to real-time Chaum mixes. In Onion Routing, the data packet is broken into fixed-size cells, and each cell is encrypted multiple times (once for each onion router on the path). Thus, a recursively layered data structure called an onion is constructed. An onion is the packet transmitted along the rerouting path. The fixed size of an onion limits a route to a maximum of 11 nodes in the current implementation. Onions can be tunneled to produce arbitrary length routes.

Onion Routing I (Proof-of-concept) uses a network of five Onion Routing nodes operating at the Naval Research Laboratory. It forces a fixed length (five hops, i.e., five intermediate onion routers) for all routes.

Onion Routing II can support a network of up to 50 core onion routers. For each rerouting path through an Onion Routing network, each hop is chosen at random. The rerouting path may contain cycles, although only cycles with one or more intermediate nodes are allowed.

Freedom Network also aims at providing anonymity for Web browsing. From the user's point of view, Freedom is very similar to Onion Routing. Freedom consists of a set of nodes (called Anonymous Internet Proxy) which run on top of the existing Internet infrastructure. To communicate with a Web server, the user first selects a series of nodes to form a rerouting path and then uses this path to forward the requests to its destination. The Freedom Route Creation Protocol allows the sender to randomly choose the path, but the path length is fixed to be three. The Freedom client user interface does not allow the user to specify a path containing a cycle. The Freedom client must either have all the intermediate nodes in the path chosen or choose a preferred first node and last node, and the intermediary nodes are picked at random.
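The layered construction that Syverson describes for Onion Routing (and that Chaum mixes share) is easier to see in code than in prose. The block below is an added example written for this report, not code from the Onion Routing project: it builds an onion for a three-router route, lets each router peel exactly one layer, and shows why a fixed cell size caps the number of hops. The per-router keys, the cell size of 128 bytes, and the HMAC-SHA256 keystream used as the cipher are all assumptions chosen so the example runs with the Python standard library alone; a real deployment would use a proper cipher and a key exchange.

```python
import hashlib
import hmac
import os

# Toy onion construction (added example, not the Onion Routing code base).
# Each router holds a symmetric key; the sender wraps the payload once per
# router, innermost layer for the exit router. The keystream-XOR "cipher"
# below is a stand-in so the block runs with the standard library only.

CELL_SIZE = 128   # every onion on the wire has exactly this many bytes (assumed)
NONCE_LEN = 8     # per-layer nonce
HOP_LEN = 8       # fixed-width next-hop name inside each layer
LAYER_OVERHEAD = NONCE_LEN + HOP_LEN


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: n bytes of keystream for (key, nonce)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(inner, key, next_hop):
    """Add one layer: nonce || E_key(next_hop || inner)."""
    nonce = os.urandom(NONCE_LEN)
    body = next_hop.ljust(HOP_LEN, b"\0") + inner
    return nonce + _xor(body, _keystream(key, nonce, len(body)))


def unwrap(layer, key):
    """Peel one layer; returns (next_hop, inner)."""
    nonce, ct = layer[:NONCE_LEN], layer[NONCE_LEN:]
    body = _xor(ct, _keystream(key, nonce, len(ct)))
    return body[:HOP_LEN].rstrip(b"\0"), body[HOP_LEN:]


def max_hops(payload_len):
    """How many routers a fixed-size cell can carry for a given payload."""
    return (CELL_SIZE - 1 - payload_len) // LAYER_OVERHEAD


def build_onion(payload, route, keys):
    """Sender side: route is the ordered list of router names, keys maps
    name -> key. The exit router's next hop is the empty name."""
    room = CELL_SIZE - len(route) * LAYER_OVERHEAD - 1
    if len(payload) > room:
        raise ValueError("route too long for the fixed cell size")
    # innermost plaintext: 1-byte length, payload, zero padding to fill the cell
    onion = bytes([len(payload)]) + payload + b"\0" * (room - len(payload))
    next_hop = b""
    for name in reversed(route):          # wrap the exit router's layer first
        onion = wrap(onion, keys[name], next_hop)
        next_hop = name.encode()
    return onion


def forward(route, keys, onion):
    """Simulate the routers: each peels its own layer, learns only the next
    hop, re-pads to CELL_SIZE and forwards. Returns (payload, trace) where
    trace lists what each router saw."""
    trace = []
    cell = onion
    for name in route:
        if len(cell) != CELL_SIZE:
            raise ValueError("cell size changed in transit")
        next_hop, cell = unwrap(cell, keys[name])
        trace.append((name, next_hop.decode() or None))
        cell += os.urandom(LAYER_OVERHEAD)     # keep the wire size constant
    n = cell[0]
    return cell[1:1 + n], trace


def demo_keys(route):
    """Constructed per-router keys for the example (not a real key exchange)."""
    return {name: hashlib.sha256(name.encode()).digest() for name in route}
```

Each router in the trace learns only its successor, and every cell it forwards is again 128 bytes, which is the property that keeps an observer from telling layers apart by length. With 16 bytes of overhead per layer, a one-byte payload fits at most seven layers in this toy, the same kind of limit that gives the real implementation its 11-node maximum.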
For more information, visit http://www.onion-router.net and http://www.syverson.org.

Question: Who manages the onion routers? Are they managed independently?

Answer: Yes. The onion routers can be distributed anywhere and be managed by different groups.

Question: Do you believe that, the longer the path, the safer the anonymous communication system?

Answer: I am not sure.

COUNTERING SYN FLOOD DENIAL-OF-SERVICE (DOS) ATTACKS
Ross Oliver, Tech Mavens
Summarized by David Richard Larochelle

SYN flood attacks are a nasty DoS attack. The attacker sends a SYN packet but does not complete the three-way handshake. This is hard to defend against because SYN packets are part of normal traffic, and unlike ping attacks you can't firewall them. Since SYN packets are small, the attack can be done with limited bandwidth. Finally, the attacks are difficult to trace because source IP addresses can be faked. Ross Oliver stressed that it's up to you to defend yourself (law enforcement is unable to deal with attacks as they occur, if they can deal with them at all) and suggested that firewalls employing SYN flood defenses are the best way of doing this.

He reviewed four such products: PIX by Cisco, Firewall-1 by Checkpoint, Netscreen 100 by Netscreen, and AppSafe (previously called AppSwitch) by TopLayer. To test these products, he placed a Web server behind the firewall and used a machine with a script which called wget repeatedly to request Web pages to represent the legitimate client traffic. An attacking machine threw SYN packets with forged source addresses at the Web server.

The Cisco PIX used a threshold technique which allowed a set number of incomplete connections and dropped additional SYN packets. The tests showed no significant improvement over no firewall. The Firewall-1 fared slightly better. It lets SYN packets reach the Web server and then sends an ACK packet to the Web server to complete the three-way handshake. Under a SYN flood attack, the Web server will then have a bunch of completed connections instead of half-open ones. Firewall-1 protected up to 500 SYNs per second but with degraded response time. The Web server returned to normal 3–10 minutes after the attack ceased.

Netscreen and AppSafe had the best results. If these firewalls detect a SYN flood attack, they proxy the incoming connections and only send the Web server the SYN and ACK packets if the handshake is completed by the client. Netscreen detects SYN floods by looking at the number of incomplete connections. It protected up to 14,000 SYNs/sec with acceptable response times and continued to function at higher SYN rates but with increasing delays. The server responded normally immediately after the attack.

AppSafe used a more elaborate approach. It determined whether to proxy a connection request based on the source IP address. SYN packets from IP addresses which had recently behaved legitimately were let through to the Web server immediately. Only connections from previously unseen or malicious IP addresses were proxied. AppSafe was effective up to 22,000 SYNs/sec, which was the most traffic that the attacking machine could produce in this test. However, it was pointed out that, in the test, the client machine used only one IP. This technique may not work as well in a situation in which there are new connections from previously unseen clients.

How much protection you need depends on what type of attack you expect. An attacker with a cable or DSL connection can produce 200 SYNs/sec. An attacker with a T1 can produce 2,343 SYNs/sec. According to the paper "Inferring Internet Denial-of-Service Activity" presented the previous day, 46% of DoS attacks involved more than 500 SYNs/sec but only 2.4% were above 14,000 SYNs/sec. This level can be handled with a single firewall. Multiple or distributed attacks may require multiple parallel firewalls. Because of the wide range of performance between devices, Oliver stressed the importance of testing and advised testing the devices yourself if possible.

REAL STATEFUL TCP PACKET FILTERING WITH IP FILTER
Guido van Rooij, Eindhoven University of Technology
Summarized by Evan Sarmiento

Old firewall implementations used to filter TCP sessions using addresses and ports only, creating an interesting problem. The administrator would have to guess the source port of the packet in order to filter it correctly. In order to solve this, a new trend in firewalls is to introduce stateful packet filtering. Stateful packet filters remember and only allow through addresses and ports of connections that are currently set up.

Even before Guido van Rooij's work, IP Filter did have stateful packet filtering, but it was implemented in the wrong way. IP Filter does take sequence, ACK, and window values into account, but it makes the wrong assumption that packets seen by the filter host will also be seen by the final destination. This assumption caused IP Filter to drop packets in certain situations. The new state engine for IP Filter encompasses the following goals:
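Oliver's comparison above contrasts three defensive behaviours: a plain half-open threshold (PIX), SYN proxying for everyone once a flood is detected (Netscreen), and proxying only sources that have not recently behaved legitimately (AppSafe). The block below is an added example written for this report, not code from any of the products tested: it is a firewall-side decision engine that combines the three, fed with constructed traffic consisting of one legitimate client followed by a forged-source flood. The limits (100 half-open connections, 500 SYNs/sec, a 3-second handshake timeout and a 60-second trust window) are assumptions for the simulation, not the vendors' settings, and the AppSafe limitation noted by the audience (a brand-new client arriving during the flood) is reproduced.

```python
from collections import deque


class SynFloodGuard:
    """Firewall-side decision engine for SYN packets (added example).

    pass  -> forward the SYN to the Web server directly
    proxy -> the firewall answers the SYN itself and only opens the
             server connection if the client completes the handshake
    """

    def __init__(self, half_open_limit=100, syn_rate_limit=500,
                 handshake_timeout=3.0, trust_ttl=60.0):
        self.half_open_limit = half_open_limit    # PIX-style threshold (assumed)
        self.syn_rate_limit = syn_rate_limit      # SYNs/sec that trips proxying (assumed)
        self.handshake_timeout = handshake_timeout
        self.trust_ttl = trust_ttl
        self.half_open = {}       # src -> time of a SYN forwarded to the server
        self.trusted = {}         # src -> time of its last completed handshake
        self.syn_times = deque()  # timestamps of SYNs seen in the last second
        self.stats = {"pass": 0, "proxy": 0}

    def _expire(self, now):
        # the server's own SYN timer would discard these half-open entries
        for src, t in list(self.half_open.items()):
            if now - t > self.handshake_timeout:
                del self.half_open[src]
        while self.syn_times and now - self.syn_times[0] > 1.0:
            self.syn_times.popleft()

    def syn_rate(self, now):
        """SYNs observed in the trailing one-second window."""
        self._expire(now)
        return len(self.syn_times)

    def under_attack(self, now):
        self._expire(now)
        return (len(self.half_open) >= self.half_open_limit
                or len(self.syn_times) >= self.syn_rate_limit)

    def on_syn(self, now, src):
        """Decide what to do with one SYN from src arriving at time now."""
        self._expire(now)
        self.syn_times.append(now)
        recently_good = (src in self.trusted
                         and now - self.trusted[src] <= self.trust_ttl)
        if self.under_attack(now) and not recently_good:
            decision = "proxy"          # firewall completes the handshake first
        else:
            decision = "pass"           # server sees the SYN, holds the half-open slot
            self.half_open[src] = now
        self.stats[decision] += 1
        return decision

    def on_handshake_complete(self, now, src):
        """The client's final ACK arrived (directly or via the proxy)."""
        self.half_open.pop(src, None)
        self.trusted[src] = now


def simulate():
    """Constructed traffic: one legitimate client, then a 2,000-SYN flood
    from distinct forged sources inside one second."""
    guard = SynFloodGuard(half_open_limit=100, syn_rate_limit=500)
    legit, newcomer = "10.0.0.5", "10.0.0.9"
    r = {}
    r["legit_before"] = guard.on_syn(0.0, legit)
    guard.on_handshake_complete(0.1, legit)
    flood = [guard.on_syn(5.0 + i * 0.0004, "forged-%d" % i) for i in range(2000)]
    r["flood_passed"] = flood.count("pass")      # server absorbs these
    r["flood_proxied"] = flood.count("proxy")    # firewall absorbs these
    r["legit_during"] = guard.on_syn(5.5, legit)          # trusted: straight through
    r["newcomer_during"] = guard.on_syn(5.6, newcomer)    # unseen: proxied
    r["peak_syn_rate"] = guard.syn_rate(5.8)
    r["newcomer_after"] = guard.on_syn(20.0, newcomer)    # flood over: normal again
    return r
```

The simulation shows the server holding at most 100 half-open connections however long the flood lasts, while a client that completed a handshake earlier is never delayed; the cost is that a genuinely new client is treated like the attacker until it proves itself by finishing the proxied handshake.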
• Conclusions made by the engine must be provable.
• All kinds of TCP behavior must be taken into account.
• The number of blocked packets must be minimized.
• Blocking of packets must never lead to hanging connections.
• Opportunities for abuse should be made as small as possible.

The new state engine includes 20 bytes per state entry and about 40 lines of C code without loops; thus, the performance overhead is minimal.

However, even the new state engine is not always successful, even though it is a great improvement. Occasionally, blocked FIN and ACK packets cause problems in the state timeout handling for TCP half-closed sessions. IP Filter drops packets coming from a few Windows NT workstations for a strange and as yet unknown reason.

Guido then outlined some future additions to IP Filter. He would like to be able to fix fragment handling, add support for sessions entering the state table after establishment, and check validity of a session if a packet comes in from the middle of the connection.

REFEREED PAPERS

SESSION: DENIAL OF SERVICE
Summarized by Stefan Kelm

USING CLIENT PUZZLES TO PROTECT TLS
Drew Dean, Xerox PARC; Adam Stubblefield, Rice University

Adam Stubblefield presented their work on a DoS protection technique, namely, the use of client puzzles within the TLS protocol. Even though client puzzles have been proposed as a solution to DoS attacks, Stubblefield pointed out the lack of actual implementations. The choice of TLS as the protocol to protect against DoS seems obvious, but TLS is subject to DoS attacks because of the computing-expensive cryptographic operations performed at both the client and the server side. A server, however, has to perform the more expensive RSA decrypt operations during the session handshake; thus any small number of clients could easily overload a TLS server by flooding the server with TLS handshake messages. The goal of this work is to prevent this using cheap methods.

The idea of TLS-based cryptographic puzzles is to first let the client do the work, and subsequently the server. If the server is under a heavy load it sends a so-called "puzzle request" to the client. The client, in turn, has to compute a number of operations which it then uses to send a "puzzle solution" back to the server. Thus, the server will not need to continue the TLS handshake unless the client has proven its intent to really open a TLS connection.

Client puzzles are surprisingly easy to implement on both the client and the server side. Stubblefield used modified OpenSSL and mod_ssl source code to test the implementation. The implementation uses a metric which tracks unfinished RSA decrypt requests in order to decide whether or not the server is assumed to be under attack. Since adding more latency to the TLS protocol was not a goal of this work, the server only sends a puzzle request back to the client if it really has to. This is implemented by using variable thresholds.

The authors concluded that they are able to protect against certain denial-of-service attacks at not much cost and with a good user experience. Moreover, the proposed solution can be implemented using already existing code.

For more information, contact astubble@rice.edu.

INFERRING INTERNET DENIAL-OF-SERVICE ACTIVITY
David Moore, CAIDA; Geoffrey M. Voelker and Stefan Savage, University of California, San Diego

This paper, awarded the best paper award, tried to answer the question of how prevalent denial-of-service attacks in the Internet currently are. The authors ran a test over a period of three weeks, trying to come up with an estimate of worldwide DoS activity.

David Moore presented the so-called "backscatter analysis" as their key idea and outlined the basic technique: since attackers normally use spoofed source IP addresses, the "real owners" of those IP addresses regularly receive response packets from the systems being attacked (Moore called these "unsolicited responses"). By monitoring these unsolicited responses one is able to detect different kinds of DoS attacks. Furthermore, by observing a huge number of different IP addresses over a longer period of time, sampling the results can provide an overview of attacks going on.

Moore presented some interesting results and displayed a number of figures and tables showing the number of attacks, the attacks over time, the attack characterization, the attack duration distribution, and the attack rate distribution. Moore's team observed a number of minor DoS attacks (described as "personal vendettas") as well as some victims under repeated attack. Classifying the victims by TLD showed countries like Romania and Brazil being attacked far more often than most other TLDs. The presenter's hypothesis was that either those countries host ISPs that attack each other, or there simply are more hackers located in Romania and Brazil (this was later denied by someone in the audience stating that Romania has really nice people).

In conclusion, the authors observed some very large DoS attacks, though most attacks seem to be short in duration. Another result showed the majority of attacks being TCP based. To clarify, this technique is not good at distinguishing between DoS and DDoS
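The client-puzzle exchange that Stubblefield describes above (server measures outstanding RSA decrypts, turns the load into a puzzle difficulty through variable thresholds, and only continues the handshake once the client has paid) is shown below as an added example written for this report; it is not the authors' OpenSSL or mod_ssl modification. The puzzle itself (find a value whose SHA-256 hash with the server's nonce has k leading zero bits), the HMAC tag that lets the server verify a puzzle without storing it, and the threshold table are all assumptions chosen for the illustration; the paper's actual puzzle construction and thresholds are not given in the summary.

```python
import hashlib
import hmac
import os


def _leading_zero_bits(digest):
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


class PuzzleServer:
    """TLS-server side of a client-puzzle scheme (added example).

    The metric is the number of RSA decrypts still outstanding; variable
    thresholds turn it into a puzzle difficulty in bits. 0 bits means no
    puzzle: the handshake proceeds as usual and no latency is added.
    """

    THRESHOLDS = ((0, 0), (8, 10), (32, 14), (128, 18))  # (outstanding, bits), assumed

    def __init__(self, secret=None):
        self.secret = secret or os.urandom(32)
        self.outstanding_rsa = 0
        self.solved = set()     # nonces already redeemed, so a solution is single-use

    def difficulty(self):
        bits = 0
        for limit, k in self.THRESHOLDS:
            if self.outstanding_rsa >= limit:
                bits = k
        return bits

    def _tag(self, nonce, bits):
        # binds the difficulty to the nonce; no per-puzzle state is kept
        return hmac.new(self.secret, nonce + bytes([bits]), hashlib.sha256).digest()[:16]

    def on_client_hello(self):
        """None means continue the handshake; otherwise a puzzle request."""
        bits = self.difficulty()
        if bits == 0:
            return None
        nonce = os.urandom(16)
        return {"nonce": nonce, "bits": bits, "tag": self._tag(nonce, bits)}

    def on_puzzle_solution(self, puzzle, solution):
        """One HMAC and one hash for the server; about 2**bits hashes for the
        client. True means the handshake may proceed to the RSA decrypt."""
        nonce, bits, tag = puzzle["nonce"], puzzle["bits"], puzzle["tag"]
        if not hmac.compare_digest(tag, self._tag(nonce, bits)):
            return False                       # not a puzzle this server issued
        if nonce in self.solved:
            return False                       # replayed solution
        digest = hashlib.sha256(nonce + solution).digest()
        if _leading_zero_bits(digest) < bits:
            return False
        self.solved.add(nonce)
        return True


def solve_puzzle(puzzle):
    """Client side: count up until the hash has enough leading zero bits."""
    nonce, bits = puzzle["nonce"], puzzle["bits"]
    counter = 0
    while True:
        candidate = counter.to_bytes(8, "big")
        if _leading_zero_bits(hashlib.sha256(nonce + candidate).digest()) >= bits:
            return candidate
        counter += 1
```

Verification costs the server one HMAC and one hash regardless of difficulty, which is the asymmetry the technique relies on; an idle server returns no puzzle at all, so ordinary clients see the normal handshake, and difficulty rises only as the decrypt backlog grows.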
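Moore's backscatter technique, as summarized above, rests on one observation: a monitor that owns an address block which never initiates traffic should receive no replies, so any SYN/ACK or RST arriving there is a response to a forged packet and its source is a victim. The block below is an added example written for this report, not CAIDA's analysis code: it classifies a constructed capture, groups the unsolicited responses by victim, and reports duration and rate. The capture, the victim addresses, and the scaling of the observed rate by the fraction of the address space monitored (1/256 for a /8, assuming uniformly spoofed sources) are assumptions made for the illustration; the paper's exact method is not described in the summary.

```python
from collections import defaultdict

# Reply-type TCP flag sets: answers to SYNs the monitored block never sent.
BACKSCATTER_FLAGS = {"SA", "R", "RA"}     # SYN/ACK, RST, RST/ACK


def make_monitor_log():
    """Constructed records (t, src, sport, dst, flags) standing in for packets
    captured at an unused address block (10.0.0.0/8 here, an assumption)."""
    recs = []
    # victim A: a Web server answering SYN/ACK to 1,201 forged sources over 120 s
    for i in range(1201):
        recs.append((i / 10, "192.0.2.10", 80, "10.%d.%d.1" % (i // 256, i % 256), "SA"))
    # victim B: a host answering RST for 5 s (a closed port being flooded)
    for i in range(21):
        recs.append((300 + i / 4, "198.51.100.7", 6667, "10.9.%d.2" % i, "RA"))
    # not backscatter: a scanner probing the block with plain SYNs
    for i in range(30):
        recs.append((400 + i, "203.0.113.99", 41000 + i, "10.0.%d.3" % i, "S"))
    return recs


def is_backscatter(rec):
    """Unsolicited response, as opposed to a probe aimed at the block."""
    return rec[4] in BACKSCATTER_FLAGS


def infer_attacks(recs, monitor_fraction=1 / 256):
    """Group unsolicited responses by their source, which is the victim.

    monitor_fraction is the share of the address space the monitor sees;
    dividing the observed rate by it estimates the victim's total response
    rate under the assumption of uniformly spoofed sources (an assumption
    of this example)."""
    by_victim = defaultdict(list)
    for rec in recs:
        if is_backscatter(rec):
            by_victim[rec[1]].append(rec)
    report = {}
    for victim, pkts in by_victim.items():
        times = [p[0] for p in pkts]
        duration = max(times) - min(times)
        observed = len(pkts) / duration if duration > 0 else float(len(pkts))
        report[victim] = {
            "packets": len(pkts),
            "port": pkts[0][2],
            "kinds": sorted({p[4] for p in pkts}),
            "duration_s": duration,
            "observed_rate": observed,
            "estimated_rate": observed / monitor_fraction,
            "addresses_hit": len({p[3] for p in pkts}),
        }
    return report
```

The scanner's SYNs are excluded because they are probes, not responses; the two victims are told apart by source address and response kind. As the summary notes, nothing in these records identifies the attacker, so the method cannot say whether one host or many produced the forged SYNs.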
attacks since it is not good at distinguishing between attackers.

During the Q&A session, one question was on why the analysis showed no attacks on the .mil domain. The response given was that either .mil is not under attack (unlikely) or that backscatter packets are being filtered.

For more information, contact dmoore@caida.org, or see http://www.caida.org/outreach/papers/backscatter/.

MULTOPS: A DATA-STRUCTURE FOR BANDWIDTH ATTACK DETECTION
Thomer M. Gil, Vrije Universiteit/MIT; Massimiliano Poletto, MIT

Thomer Gil proposed a heuristic as well as a new data structure to be used by routers and similar network devices to detect (and possibly eliminate) denial-of-service attacks. Most DoS attacks show disproportional packet rates, with a huge number of packets being sent to the victim and only very few packets being sent by the victim in response. The new data structure, called MULTOPS (Multi-Level Tree for Online Packet Statistics), monitors certain Internet traffic characteristics and is able to drop packets based on either the source or the destination address.

The main implementation challenges with MULTOPS have been and still are the precise identification of malicious addresses, the achievement of a small memory footprint, and a low overhead on forwarding "real" traffic as opposed to DoS-based traffic. MULTOPS is implemented as a memory-efficient tree of nodes which contains packet-rate statistics and which dynamically grows and shrinks with the traffic being observed. In the current implementation, packets are dropped based on either a variable packet rate or a ratio. Since it usually is impossible to identify an attacker (because of IP spoofing), packets can be dropped based on the victim's IP, too.

The authors succeeded in simplifying memory management and the mechanism that keeps track of packets. Gil pointed out that their solution is successfully being used by a network company. They are currently trying to focus on the behavior of different TCP implementations as well as protocols other than TCP.

Someone brought up the question of differentiating DoS traffic from traffic that normally shows disproportional packet flows, e.g., video traffic. The reply suggested the possibility of building some kind of knowledge base. A lively discussion on random class A addresses within MULTOPS subsequently arose but was taken offline.

For more information, contact thomer@lcs.mit.edu.

SESSION: HARDWARE
Summarized by Anca Ivan

DATA REMANENCE IN SEMICONDUCTOR DEVICES
Peter Gutmann, IBM T.J. Watson Research Center

Peter Gutmann explained the dangers of deleting data in semiconductors. Everyone knows that deleting data from magnetic media is very hard, but not too many realize that the same problem exists for semiconductors, especially since there are so many ways of building semiconductors, each with its own set of problems and solutions. After giving a short background introduction in semiconductors and circuits (n-type, p-type, SRAM, DRAM), Peter described some of the most important issues:

• Electromigration: because of high current densities, metal atoms are moved in the opposite direction of the normal current flow. The consequence is that the operating properties of the device are strongly altered.
• Hot carriers: during operation, the device heats up and its characteristics change considerably.
• Ionic contamination: this is no longer an issue and its effects are no longer significant.
• Radiation-induced charging: it freezes the circuit into a certain state.

The first phenomenon enables attackers to recover partial information from special-purpose devices (e.g., cryptographic smartcards). The next two can be used to recover data deleted from memory. In order to avoid long- and short-term data retention in semiconductors (a DES key was recovered in the '80s), researchers developed a series of solutions that use various semiconductor forensic techniques, including the following two:

• Short-term retention: probably the safest way to defend against it is not to keep the same values in the same memory cells for too long (maximum a few minutes).
• Long-term retention: in 1996, some researchers proposed periodically flipping the stored bits. In this way, no cell holds the same bit value for long enough to "remember" it.

In the end, Peter talked about how all the problems cited above extend to flash memory. For example, random generators can generate strings of 1s when the pool is empty, or information can be leaked into adjacent cells through shared circuitry.

Even though the entire presentation scared at least one person in the audience (guess who?), Peter assured us that reality is not that gloomy. In fact, the only problem is the lack of a standard. Every time people decide to choose one implementation method, they should also choose which solutions are best for it. Answering a question, Peter told us that personal computers are not affected
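The MULTOPS idea summarized above (a tree of per-prefix packet-rate statistics that grows where traffic is heavy, shrinks where it fades, and flags prefixes whose inbound and outbound packet counts are disproportionate) is shown below as an added example written for this report; it is not the authors' implementation. The tree here is destination-oriented, so it finds victims, which is what the summary says the filter must act on when sources are forged; the symmetric source-oriented check is the same comparison with the two counters swapped. The expansion threshold, the ratio, the minimum rate and the constructed traffic are assumptions for the illustration, and so is the halving used to age the counters between measurement intervals.

```python
class _Node:
    """One tree level. slots maps the next address octet to
    [packets_to, packets_from, child] for the prefix it represents."""

    def __init__(self):
        self.slots = {}


class Multops:
    """Multi-level tree of packet-rate statistics (added example in the
    spirit of MULTOPS). A prefix whose inbound packets greatly outnumber
    the packets it sends back is reported as a likely victim."""

    def __init__(self, expand_threshold=100, ratio_limit=3.0, min_rate=50):
        self.expand_threshold = expand_threshold  # packets before a slot gets a subtree (assumed)
        self.ratio_limit = ratio_limit            # to/from ratio that counts as disproportional (assumed)
        self.min_rate = min_rate                  # ignore tiny flows (assumed)
        self.root = _Node()

    @staticmethod
    def _octets(ip):
        return [int(x) for x in ip.split(".")]

    def observe(self, src, dst):
        """Account one packet: it travels TO dst and comes FROM src."""
        self._update(self._octets(dst), 0)
        self._update(self._octets(src), 1)

    def _update(self, octets, idx):
        node = self.root
        for depth, octet in enumerate(octets):
            slot = node.slots.setdefault(octet, [0, 0, None])
            slot[idx] += 1
            # expand: once a prefix is busy enough, keep finer statistics below it
            if slot[2] is None and depth < 3 and slot[0] + slot[1] >= self.expand_threshold:
                slot[2] = _Node()
            node = slot[2]
            if node is None:
                break

    def suspects(self):
        """Flagged prefixes, most specific entry first where one exists."""
        out = []
        self._scan(self.root, [], out)
        return out

    def _scan(self, node, prefix, out):
        for octet, (to, frm, child) in sorted(node.slots.items()):
            path = prefix + [octet]
            if child is not None:
                before = len(out)
                self._scan(child, path, out)
                if len(out) > before:
                    continue          # a finer prefix already explains this one
            if to >= self.min_rate and to / max(frm, 1) >= self.ratio_limit:
                out.append("%s/%d" % (".".join(map(str, path)), 8 * len(path)))

    @staticmethod
    def _in_prefix(ip, prefix):
        net, bits = prefix.split("/")
        n = int(bits) // 8
        return Multops._octets(ip)[:n] == Multops._octets(net)

    def should_drop(self, src, dst):
        """Per-packet decision: drop when dst lies in a flagged prefix. With
        forged sources, the victim's address is what the filter can act on."""
        return any(self._in_prefix(dst, p) for p in self.suspects())

    def end_interval(self):
        """Age the statistics: halve every counter and collapse subtrees whose
        parent slot no longer justifies the detail, so the tree shrinks as the
        traffic it describes fades."""
        self._age(self.root)

    def _age(self, node):
        for octet, slot in list(node.slots.items()):
            slot[0] //= 2
            slot[1] //= 2
            if slot[2] is not None:
                if slot[0] + slot[1] < self.expand_threshold:
                    slot[2] = None
                else:
                    self._age(slot[2])
            if slot[0] + slot[1] == 0:
                del node.slots[octet]


def simulate():
    """Constructed traffic: a balanced client/server exchange plus a flood
    from forged sources against one host that can barely answer."""
    tree = Multops()
    for i in range(300):                                   # normal traffic
        client = "10.1.%d.%d" % (i // 256, i % 256)
        tree.observe(client, "198.51.100.5")
        tree.observe("198.51.100.5", client)
    for i in range(2000):                                  # flood, forged sources
        tree.observe("172.16.%d.%d" % (i // 256, i % 256), "192.0.2.10")
        if i % 400 == 0:
            tree.observe("192.0.2.10", "172.16.0.1")      # the victim's few replies
    return tree
```

The flooded host surfaces as a single /32 while the balanced server and the clients stay unflagged; after a few idle intervals the subtree under 192/8 collapses and the suspect list empties, which is the grow-and-shrink behaviour the summary describes. The video-traffic question raised in the Q&A applies here too: a legitimately one-directional flow would satisfy the same ratio test.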
by those problems but that most specialized devices, like airplane black boxes, can leak information if analyzed with very sophisticated equipment. But then again, who has such equipment?

STACKGHOST: HARDWARE-FACILITATED STACK PROTECTION
Mike Frantzen, CERIAS; Mike Shuey, Purdue University

The authors presented a software solution to the return-pointer hijacking problem. The most important step in the function-call process is when the caller saves the return pointer before giving control to the called function. Many attacks are based on changing this pointer. When the callee finishes, the return pointer dictates which function takes control next. StackGhost is a piece of software that automatically and transparently saves the return pointer and replaces it with another number. When the called function completes, StackGhost verifies the integrity of that number (catching, in this way, possible attacks) and reinstalls the correct pointer value.

The security of StackGhost depends on how it modifies the return pointer to catch attacks; the authors have tried several ways:

• Per-kernel XOR with a 13-bit signed cookie: the main problem is that an attacker can find out the cookie by starting several arbitrary programs.
• Per-process XOR with a 32-bit cookie: this is safer than the previous method, but more expensive.
• Encrypt/decrypt the return pointer: this method seems to be the most expensive.
• Return-address stack: this method replaces the return pointer with another number and saves the pointer into a return-address stack. However, this would impede other applications from running correctly.

After making performance measurements for all techniques, the authors noticed that the chances of StackGhost not catching an attack were 1 in 3 for XOR cookies and 1 in 232 for the return-address stack. The conclusion was that StackGhost was offering protection against return-pointer overriding to all processes in the system (which might be seen as a disadvantage).

IMPROVING DES COPROCESSOR THROUGHPUT FOR SHORT OPERATIONS
Mark Lindemann, IBM T.J. Watson Research Center; Sean W. Smith, Dartmouth College

While the first two talks in this session were at opposite poles (one deeply hardware and one purely software), the third one was somehow in the middle. The presenter, Sean Smith, is one of the fathers of the cryptographic card developed at IBM and is presently working at Dartmouth College. Everything started in a very optimistic fashion, with the usual introduction we would have expected from an IBM representative trying to sell us this device: "It is secure . . . it is fast . . . it is reliable." All the buzzwords were there. However, with the next slide this changed to "It is not as secure . . . fast . . . as we thought." For example, the specification promised the DES speed to be 20 megabytes/second when in reality a friend obtained less than two kilobytes/second in a database application. Where was the discrepancy coming from? The main intuition was that the specification gives the performance for operations on megabytes of input. The real speed is much slower if the data is shipped to the card in small chunks. The difference between specs and reality was too big not to be studied, and Lindemann decided to find out the reasons behind it. First, they built a model that simulates the database application and then tried to improve the speed by modifying the execution conditions in the following ways:

• Reducing card-host interaction: "folklore in IBM" taught them that any card-host interaction consumes too much time. Thus, they rewrote the application to minimize the number of interactions. The speed went up to 18–23 kilobytes/second; however, it was still too far from megabyte speed.
• Batching all operations into one chip operation: chip resets were too expensive. The speed became 360 kilobytes/second.
• Batching into multiple chip operations: it reduced the number of Layer 3 – Layer 2 switches. The speed changed to 30–290 kilobytes/second, still not good.
• Reducing data transfers: they did it by using an internal key-table and boosted the speed to 1,400 kilobytes/second.
• Using memory-mapped I/O: this eliminated the internal ISA bus bottleneck. The speed went up to 2,500 kilobytes/second.
• Batching operation parameters instead of sending them as separate packets: it increased the speed to 5000 kilobytes/second. This was even more than they were expecting, but the results were incorrect. The client had asked for speed but hadn't mentioned anything about correctness. So was the problem solved?
• Not using memory-mapped I/O: to increase accuracy, they gave up on memory-mapped I/O for initialization vectors and count. Unfortunately, there was a small performance cost: the speed was now 3,000 kilobytes/second.

From the client's point of view, all of these steps showed them that the only way to maximize the performance while using the secure coprocessor was to design a DES-batched API. From the designer's point of view, the conclusions
were simpler: always distrust folklore and think if and how people will use your product before designing it!

SESSION: FIREWALLS/INTRUSION DETECTION
Summarized by Stefan Kelm and Yong Guan

ARCHITECTING THE LUMETA FIREWALL ANALYZER
Avishai Wool, Lumeta

"What is your firewall doing?" Avishai Wool asked the audience at the beginning of his presentation, thereby describing the motivation to build LFA, the "Lumeta Firewall Analyzer."

Firewalls have been installed by almost all companies connected to the Internet. However, the underlying policy often is far from being good enough to actually protect the company from outside attackers. Network administrators often do not know how to set up a firewall securely, much less how to test or audit the firewall configuration. Wool pointed out that LFA is the successor of the Fang prototype system built at Bell Labs as a firewall analysis engine.

The key idea is not to probe the actual firewall in any way but to allow testing of the configuration before the firewall is deployed. The firewall's routing table and configuration files are used as input to the LFA, which parses these files and simulates the behavior of any possible packet flow combination (LFA mainly offers support for Firewall-1 and PIX). The results are presented to the user as HTML pages.

Wool concluded by giving a short demonstration. As input to the LFA, he used a short Firewall-1 policy which contained only six rules and explained why even such a short rule set might lead to problems once the firewall is deployed. During the Q&A session he emphasized that the LFA only checks packet headers, not the content, and cannot therefore detect tunneling problems.

For more information, contact yash@acm.org, or visit http://www.lumeta.com/firewall.html.

TRANSIENT ADDRESSING FOR RELATED PROCESSES: IMPROVED FIREWALLING BY USING IPV6 AND MULTIPLE ADDRESSES PER HOST
Peter M. Gleitz and Steven M. Bellovin, AT&T Labs-Research

The authors proposed a method to simplify firewall decisions. By using the large address space brought by IPv6, they employed a strategy of multiple network addresses per host. That is, for each request on the client host an IPv6 address is tied to the client process. The firewall now makes access decisions based on transport layer protocol information (i.e., filtering is shifted from ports to addresses). Once approved, the firewall allows all traffic between the two peers to pass to and fro. Once the service is finished the IPv6 address is discarded. This method is called TARP (transient addressing for related processes). TARP employs two different types of addresses: (fixed) server addresses and process group addresses.

Gleitz discussed how TARP works with TCP and UDP applications and with the firewall, router, domain name server, and IPSEC. Employing TARP does not necessarily affect the routers, though TARP-aware routers can perform better. Moreover, Gleitz pointed out that no modifications to standard applications such as Telnet, SSH, FTP, Sendmail, or TFTP are necessary in order to use TARP. He also mentioned briefly some interop problems with protocols such as DNS and ICMPv6.

For more information, contact pmgleit@netscape.net.

NETWORK INTRUSION DETECTION: EVASION, TRAFFIC NORMALIZATION, AND END-TO-END PROTOCOL SEMANTICS
Mark Handley and Vern Paxson, ACIRI; Christian Kreibich, Technische Universität München

This paper focused on the problem of network intrusion detection system (NIDS) evasion. Attackers usually can fool any NIDS by exploiting certain ambiguities in the packet flow being monitored by the NIDS, i.e., (1) the NIDS may lack complete analysis of the packet flow (e.g., no TCP stream re-assembly); (2) the NIDS may lack end-system knowledge (e.g., certain application vulnerabilities); and (3) the NIDS may lack network knowledge (e.g., the topology between the NIDS and an end system).

As a solution, Paxson proposed the deployment of a "normalizer," the goal of which would be to observe all packets being sent between two network nodes (he called that a "bump-in-the-wire") and to modify ("normalize") packets that seem to be ambiguous for one reason or another. As an example the author described problems with two overlapping fragments: the normalizer would re-assemble (and re-fragment, if necessary) those packets before forwarding. Since re-assembly is a valid operation, the normalizer would, in this example, have no impact on the semantics at all.

Paxson also pointed out some of the problems with this approach, one of which is the "cold start" problem: (re-)starting the normalizer will show many valid connections already established. It is difficult to handle those connections accordingly (this is also true for the NIDS itself). The normalizer has been implemented and will be available at www.sourceforge.net soon.

In the Q&A session Steven Bellovin wanted to know whether normalization
would not be needed at the application The security threat of the Palm stems Bauer suggested that with the increasing
CONFERENCE REPORTS
layer as well. The presenter answered in from the PalmOS’s lack of a well-defined prevalence of public kiosks, thin clients,
the affirmative. security framework. Specific weaknesses multi-user computing clusters, and dis-
enumerated include the direct address- tributed file systems, users will want to
For more information, contact
ability of hardware, the lack of memory ensure that when their data is deleted
vern@aciri.org.
encryption, the lack of ACLs, weak from these systems, it is truly and irre-
obfuscation of passwords, and a back- trievably deleted.
q
SESSION: OPERATING SYSTEMS
door debug mode that allows for the
Summarized by Mike Vernal In 1996, Peter Gutmann of IBM demon-
bypassing of “system lockout.” Because
strated that data that had been overwrit-
SECURITY ANALYSIS OF THE PALM OPERATING of these and other weaknesses, the audi-
ten on a magnetic disk could be
SYSTEM AND ITS WEAKNESSES AGAINST ence agreed with the assertion that
MALICIOUS CODE THREATS recovered using advanced probing tech-
developing a secure application on top
niques. While popular lore has suggested
Kingpin and Mudge, @stake, Inc. of the PalmOS would be impossible.
certain government agencies may be
Kingpin and Mudge began their presen- The presentation suggested that able to recover data overwritten dozens
tation with a bold fashion statement, unscrupulous users could exploit a of times, no commercial data recovery
appearing in matching white bathrobes. number of weaknesses to install mali- company contacted in conjunction with
Their bathrobes aimed to underscore the cious code, including normal applica- Bauer’s research believed that it could
fact that PDAs can undermine user pri- tion installation, desktop conduits, recover data that had been overwritten
vacy in a public setting. Their efforts creator ID replacement, wireless com- more than once. As such, the SDD sys-
were later rewarded with the coveted munications, and the Palm Debugger. tem as described probably only needs to
USENIX Style Award, presented by the Another threat raised by Kingpin and overwrite data a few times.
real Peter Honeyman, of the University Mudge was the possibility of a new set of
of Michigan. This SDD system was designed to ensure
cross-pollinating viruses, which could be
that all flagged data is deleted, even in
acquired via a Palm and propagate
the event of system failure. The deletion
themselves to desktop computers via the
process was designed as an asynchro-
HotSync operation, or vice versa.
nous daemon to ensure that it did not
With the growing popularity of PDAs, interfere with normal operation and
Kingpin and Mudge invoked Occam’s performance. Though implemented for
Razor: all other factors being equal, the the ext2 file system, Bauer asserts that
PDA may be the malicious user’s easiest this system should be portable to any
point of entry into an information net- block-oriented file system.
work. The upcoming PalmOS 4.0
The ext2 implementation used the
reportedly fixes some of the security
unused secure-deletion flag, settable
concerns raised. In the interim, users
with the chattr() function. With this
should be made aware of the possible
Kingpin and Mudge mechanism, the granularity with which
security threats and restrict or eliminate
secure deletion can be specified ranges
their use of sensitive data and applica-
The presentation centered on the secu- from an entire device to an individual
tions on Palm devices.
rity threat posed by the recent ubiquity file. Questions were raised as to the vul-
of Personal Digital Assistants (PDAs), SECURE DATA DELETION FOR LINUX nerability of temporary files that are not
and, more specifically, devices running FILE SYSTEMS flagged in a secure deletion zone. Bauer
the Palm Operating System. Palm Steven Bauer and Nissanka B. Priyan- recommended that for maximum secu-
devices increasingly are being used in tha, MIT rity, the entire device should be flagged
security-sensitive settings such as hospi- Steven Bauer presented an implementa- for secure deletion.
tals and government agencies. While the tion of a kernel-level secure data-dele-
government is now aware of the security tion (SDD) mechanism for the ext2 file
threat posed by PDAs, the corporate system.
world has remained generally oblivious.
November 2001 ;login: SECURITY 2001 q 17
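What Bauer’s daemon does for flagged blocks can be approximated in user space for a single file. The block below is an added example written for this report, not code from the MIT implementation: the function names (sdd_overwrite, sdd_delete, sdd_demo), the pass pattern and the constructed temporary file are our choices. It overwrites the file a few times, forcing each pass to the device with fsync() before starting the next, then unlinks it, which follows the talk’s conclusion that a few passes suffice.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* xorshift32: filler for the final pass. Not a CSPRNG; the last pass only has
 * to be neither all-zero nor all-one. */
static uint32_t sdd_next(uint32_t *s)
{
    *s ^= *s << 13;
    *s ^= *s >> 17;
    *s ^= *s << 5;
    return *s;
}

/* Overwrite all `size` bytes of the open file `fd` `passes` times: 0x00 and
 * 0xFF on alternate passes, pseudo-random bytes on the last one. Each pass is
 * forced out with fsync() so a crash cannot leave it only in the page cache
 * (the "even in the event of system failure" property from the talk).
 * Returns 0 on success, -1 on error. */
int sdd_overwrite(int fd, off_t size, int passes)
{
    unsigned char buf[4096];
    uint32_t seed = 0x9E3779B9u;   /* constructed seed, fixed for reproducibility */

    for (int pass = 0; pass < passes; pass++) {
        int random_pass = (pass == passes - 1);
        if (!random_pass)
            memset(buf, (pass & 1) ? 0xFF : 0x00, sizeof buf);
        if (lseek(fd, 0, SEEK_SET) < 0)
            return -1;
        for (off_t left = size; left > 0;) {
            size_t chunk = left < (off_t)sizeof buf ? (size_t)left : sizeof buf;
            if (random_pass)
                for (size_t i = 0; i < chunk; i++)
                    buf[i] = (unsigned char)sdd_next(&seed);
            ssize_t w = write(fd, buf, chunk);
            if (w <= 0)
                return -1;
            left -= w;
        }
        if (fsync(fd) < 0)
            return -1;
    }
    return 0;
}

/* Overwrite the regular file at `path` and then unlink it. Returns 0 or -1. */
int sdd_delete(const char *path, int passes)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    struct stat st;
    int rc = fstat(fd, &st);
    if (rc == 0)
        rc = sdd_overwrite(fd, st.st_size, passes);
    close(fd);
    return rc == 0 ? unlink(path) : -1;
}

/* Self-check on a constructed temporary file: write a secret, overwrite it in
 * place, confirm the original bytes are no longer in the file, then delete it.
 * Returns 1 on success, 0 on any failure. */
int sdd_demo(void)
{
    char path[] = "/tmp/sdd_demo_XXXXXX";
    const char secret[] = "constructed secret payload 1234567890";
    char back[sizeof secret];
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    int ok = write(fd, secret, sizeof secret) == (ssize_t)sizeof secret
          && sdd_overwrite(fd, (off_t)sizeof secret, 3) == 0
          && lseek(fd, 0, SEEK_SET) == 0
          && read(fd, back, sizeof back) == (ssize_t)sizeof back
          && memcmp(back, secret, sizeof secret) != 0;
    close(fd);
    if (!ok) {
        unlink(path);
        return 0;
    }
    return sdd_delete(path, 3) == 0 && access(path, F_OK) != 0;
}

int main(void)
{
    int ok = sdd_demo();
    printf("secure delete demo: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

This only helps where the file system rewrites data blocks in place, as ext2 does; journaled data modes, copy-on-write file systems and flash devices with wear levelling may leave the old blocks untouched, which is the kind of case the questions about unflagged temporary files were circling.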
SESSION: MANAGING CODE
Summarized by Sameh Elnikety

STATICALLY DETECTING LIKELY BUFFER OVERFLOW VULNERABILITIES
David Larochelle and David Evans, University of Virginia

Buffer overflow attacks account for approximately half of all security vulnerabilities. Programs written in C are particularly susceptible to buffer overflow attacks because C allows direct pointer manipulations without any bounds checking.

Run-time approaches to mitigate the risks of buffer overflow incur performance penalties, and they turn buffer overflow attacks into denial-of-service attacks by terminating execution of the attacked processes. Static checking overcomes these problems by detecting likely vulnerabilities before deployment.

The authors developed a practical lightweight static analysis tool based on LCLint to detect a high percentage of likely buffer overflow vulnerabilities. The tool exploits semantic comments (annotations) that describe programmer assumptions and intents. These annotations are treated as regular C comments by the compiler but are recognized as syntactic entities by LCLint. The annotations represent preconditions and postconditions for functions to determine how much memory has been allocated for buffers. LCLint uses traditional compiler data flow analyses with constraint generation and resolution. Also, LCLint uses loop heuristics to efficiently analyze many loop idioms in typical C programs.

The authors used the tool to analyze wu-ftpd, which is a popular open source FTP server, and part of BIND, which is a set of domain-name tools and libraries that is considered the reference implementation of DNS. Running LCLint is similar to running a compiler. For wu-ftpd, it took less than one minute for LCLint to analyze all 17,000 lines of unmodified wu-ftpd source code. This resulted in 243 warnings that showed known and unknown buffer overflow vulnerabilities.

LCLint source code and binaries are available from http://lclint.cs.virginia.edu.

FORMATGUARD: AUTOMATIC PROTECTION FROM PRINTF FORMAT STRING VULNERABILITIES
Crispin Cowan, Matt Barringer, Steve Beattie, Greg Kroah-Hartman, WireX Communications, Inc.; Mike Frantzen, Purdue University; and Jamie Lokier, CERN

In June 2000, a major new class of vulnerabilities called format bugs was discovered when a vulnerability in WU-FTP appeared that looked almost like a buffer overflow but was not. It is unsafe to allow potentially hostile input to be passed directly as the format string for calls to printf-like functions. The danger is that the inclusion of % directives, especially %n, in the format string coupled with the lack of any effective type or argument counting in C’s varargs facility allows the attacker to induce unexpected behavior in programs.

The authors developed FormatGuard, a small patch to glibc. It provides general protection against format bugs using particular properties of the GNU CPP macro-handling mechanism to extract the count of actual arguments to printf statements. This is then passed to a safe printf wrapper. The wrapper parses the format string to determine how many arguments to expect, and if the format string calls for more arguments than the actual number of arguments, it raises an intrusion alert and kills the process.

FormatGuard fails to protect against format bugs under several circumstances. For example, if the program uses a function pointer that has the address of printf, then it evades the macro expansion.

FormatGuard is incorporated in WireX’s Immunix Linux distribution and server products. It is available as a GPL’d patch to glibc at http://immunix.org.

DETECTING FORMAT STRING VULNERABILITIES WITH TYPE QUALIFIERS
Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, and David Wagner, University of California, Berkeley

Systems written in C are difficult to secure, given C’s tendency to sacrifice safety for efficiency. Format string vulnerabilities can occur when user input is used as a format specifier. One of the most common cases is when the program uses printf with one argument: a user-supplied string assuming that the string does not contain any % directive. The authors presented a tool (cqual) that automatically detects format string bugs at compile time using type-theoretic analysis techniques. With this static analysis, vulnerabilities can be proactively identified and fixed before the code is deployed.

Cqual builds an annotated Abstract Syntax Tree (AST). Then, it traverses the AST to generate a system of type constraints, which is solved online. Warnings are produced whenever an inconsistent constraint is generated. Cqual presents the results of tainting analysis to the programmer using Program Analysis Mode for Emacs (PAM). PAM is a GUI that is designed to add hyperlinks and color mark-ups to the preprocessed text of the program. The interface shows the taint flow path to help programmers determine how a variable becomes tainted.

The configuration files make cqual usable without modifying the source code. The authors analyzed four security-sensitive benchmark programs with the same standard prelude file and no direct changes to the applications’ source code. Typically a few application-specific entries were added to the prelude file to improve accuracy in the presence of wrappers around library functions. Cqual reliably finds all known bugs for the benchmark programs. It also reports few false positives. Cqual is fast; it usually takes less than a minute.

Cqual is available at http://bane.cs.berkeley.edu/cqual.

SESSION: AUTHORIZATION
Summarized by Rachel Greenstadt

CAPABILITY FILE NAMES: SEPARATING AUTHORIZATION FROM USER MANAGEMENT IN AN INTERNET FILE SYSTEM
Jude T. Regan, consultant; Christian D. Jensen, Trinity College

On the Internet there is no reliable way to establish an identity. Flexible user-user collaboration outside of an administered system so that people could create ad hoc work groups and remove arbitrary limitations to information sharing is the authors’ goal.

Such a system should be globally accessible, easy to use, and require as little intervention by system administrators as possible. This system should integrate with existing systems and applications. It should have fine granularity so that users would not have to use complicated export mechanisms to share files.

The authors used the concept of a capability, a token conveying specified access rights to a named object, in order to make the identity of the object and the access rights inseparable. They embedded the capability in something every system knows – the file name.

The authors concluded that the system was safe from interception and modification. Attackers could forge the client part but not the server part of the file names. Service could be interrupted, but protecting against this is impossible without complete control of the network. Performance was evaluated in comparison to NFS. Most of the overhead was in the open statement. Reads were slightly slower and writes were much slower, but they felt this could be alleviated by implementing symmetric writes.

KERBERIZED CREDENTIAL TRANSLATION: A SOLUTION TO WEB ACCESS CONTROL
Olga Kornievskaia, Peter Honeyman, Bill Doster, and Kevin Coffman, CITI, University of Michigan

There are two different authentication mechanisms: those used for services such as login, AFS, and mail, for which Kerberos is popular, and public key-based mechanisms such as SSL, which is used to establish secure connections on the Web. These systems need to be able to work together to satisfy a request.

The authors propose to achieve the best of both worlds by leveraging Kerberos to solve PKI key management. This will use existing infrastructures which allow strong authentication on the Web with SSL and which provide access to Kerberized back-end services. They propose a system to provide interoperability between PKI and Kerberos. Their system consists of (1) a Certificate Authority (CA), KX509, which creates short-lived certificates, (2) a Web server which acts like a proxy for users by requesting services from Kerberized back-end services and (3) a Kerberized Credential Translator, which translates public-key credentials to Kerberos. They created a prototype of their system called WebAFS using AFS as an example Kerberized service.

DOS AND DON’TS OF CLIENT AUTHENTICATION ON THE WEB
Kevin Fu, Emil Sit, Kendra Smith, and Nick Feamster, MIT
[This paper received the Best Student Paper Award]

Kevin gave a very amusing presentation which illustrated the gap between security theory and practice. He described a variety of Web sites that used insecure client authentication schemes and presented hints on how to avoid their mistakes.

Client authentication seems like a solved problem, but many sites continue to come up with homebrew schemes which just don’t quite get it right. Out of the 27 Web sites the cookie eaters group examined, they weakened the security on two sites, were able to mint authenticators on eight, and on one site were able to obtain the secret key. Some of these sites were high profile, such as the Wall Street Journal (wsj.com), Sprint PCS (sprintpcs.com), and FatBrain (fatbrain.com).

In most cases, the mistakes made in these sites were simple. By simply looking at their cookie files the authors could query Web servers and look at headers, responses, and create sample authenticators. Except for Sprint, these attacks involved no eavesdropping at all. The schemes were not even strong against what the authors termed the “interrogative adversary.” This adversary has no special access, but it adaptively queries a Web server a reasonable number of times. It just sits there and connects to port 80; it cannot defeat SSL client authentication, HTTP basic, or digest authentication. The best such an adversary can do against a password sent in the clear is a dictionary attack. However, some homebrew cookie schemes are vulnerable.

[Photo: Kevin Fu]

In the case of the Wall Street Journal, a site with half a million paid subscribers who can track their stocks and buy articles, the authors found that the makers of the site had misused cryptography and created an authenticator weaker than a plaintext password.

Some hints provided for client authentication were: limit the lifetime of authenticators since browsers cannot be trusted to expire cookies; expiration dates must be cryptographically signed (this was another problem with WSJ). Authenticators should be unforgeable, and cookies should not be modifiable by the user. There should be no bypassing of password authentication. Digital signatures are great, but you should not allow the things you sign to be ambiguous. For example, the concatenation of “Alice, 21-Apr” and “Alice2, 1-Apr” is the same. Delimiters can help solve this problem. He presented a simple scheme for building an authenticator which would work against the interrogative adversary.

In summary, there are many broken schemes out there, even in popular Web sites. There are even more juicy details in the authors’ technical report. Cookie schemes are limited; live with it or move on. You can join the authors by donating your cookies for analysis at http://cookies.lcs.mit.edu.

SESSION: KEY MANAGEMENT
Summarized by Sameh Elnikety

SC-CFS: SMARTCARD SECURED CRYPTOGRAPHIC FILE SYSTEM
Naomaru Itoi, CITI, University of Michigan

Storing information securely is one of the most important applications of computer systems. Secure storage protects the secrecy, authenticity, and integrity of the information. SC-CFS implements a secure file system and is based on Matt Blaze’s Cryptographic File System for UNIX (CFS). SC-CFS uses a smartcard to generate a key for each file rather than for each directory. The per-file key encryption counters the password-guessing attack and minimizes both the damage caused by physical attack, compromised media, and bug exploitation.

When an encrypted file is updated, a new key is generated for that file and the file is re-encrypted for increased security. SC-CFS employs the same authentication mechanism as CFS, using an encrypted signature containing both a random number and a predefined sequence. A signature is stored in each directory. When a user starts to access a directory, SC-CFS gets the user key and decrypts the signature to recover the predefined sequence. If the sequence is not recovered, SC-CFS denies the user access to the directory.

SC-CFS is more secure than CFS because the master key is a random number instead of a password. This prevents dictionary attacks. Also, the user master key is not exposed to the host, and a stolen file key would reveal only one file and then only until that file is updated and consequently re-encrypted with a new file key.

The author implemented SC-CFS as an extension to CFS, then evaluated the performance of SC-CFS in comparison with CFS and a local Linux file system (ext2) using the Andrew Benchmark test. The results show that the performance of the system is not yet satisfactory because smartcard access is the bottleneck of SC-CFS. SC-CFS works as efficiently as ext2 and CFS when it does not access a smartcard. However, SC-CFS is significantly slower than CFS when it accesses a smartcard because the smartcard generates a key in 0.31 seconds.

SECURE DISTRIBUTION OF EVENTS IN CONTENT-BASED PUBLISH SUBSCRIBE SYSTEMS
Lukasz Opyrchal and Atul Prakash, University of Michigan

Some Internet applications, such as wireless delivery services and inter-enterprise supply-chain management applications, require high scalability as well as strict security guarantees. The content-based publish subscribe paradigm is one of the messaging technologies that facilitate building more scalable and flexible distributed systems. In the publish subscribe model, publishers publish messages and send them to subscribers via brokers. Each broker manages a large number of subscribers. The broker encrypts every message and broadcasts it to subscribers. The broker needs to guarantee the confidentiality of the messages so that only a specific group of subscribers can read the message.

Each subscriber has an individual symmetric pair key shared only with its broker. A naïve way to achieve this secure end-point delivery is for the broker to encrypt each message with a new key. Then, the broker sends the new key securely to each subscriber in the target group, by encrypting the new key with the symmetric key shared between the broker and the subscriber. The number of encryptions limits the broker throughput and system scalability. For the naïve approach, the number of encryptions is the same as the group size.

The authors presented four caching strategies to reduce the number of required encryptions. Simple cache assumes that many messages will go to the same subset of subscribers. Simple cache creates a separate key for each group and caches it. Build-up cache is based on the observation that many groups are subsets of other larger groups. Build-up cache uses a heuristic to select some groups to cover the target group. Clustered cache uses a much smaller cache size by dividing the subscribers into clusters. Then, it uses the simple-cache method to send a message to the target subgroup in each cluster. Clustered-popular cache maintains both a simple cache and a clustered cache. When a new message arrives, clustered-popular cache searches for the target group in the simple cache. If the group is not found it uses the clustered cache to send the message to the appropriate subgroup in each cluster.

The authors analyzed the four caching strategies to find the average number of required encryptions and ran a number of simulations to confirm the theoretical results. They found that clustering the subscribers can substantially reduce the number of encryptions, which can be further reduced by adding a simple cache to clustered cache. Build-up cache, however, has little effect on the number of required encryptions.

A METHOD FOR FAST REVOCATION OF PUBLIC KEY CERTIFICATES AND SECURITY CAPABILITIES
Dan Boneh, Stanford University; Xuhua Ding and Gene Tsudik, University of California, Irvine; Chi Ming Wong, Stanford University

The authors presented a new approach to fast certificate revocation using an online semi-trusted mediator (SEM). Suppose an organization has a Public Key Infrastructure that allows users to encrypt and decrypt messages and to digitally sign the messages. If an adversary compromises the private key of a user, then the organization needs to immediately prevent the adversary from signing or decrypting any message.

The overall architecture of the system is made up of three components. First, the central Certificate Authority (CA) generates a public key and a private key for each user. The private key consists of two parts. The CA gives the first part only to the user, and the other part only to the SEM. Second, the SEM responds to user requests with short tokens. The tokens reveal no information to other users. Third, the user contacts the SEM in case he wants to generate a digital signature or to decrypt a message. The system uses the MRSA encryption technique, which is similar to RSA, in a way that is transparent to peer users. The encryption process is identical to standard RSA. For the decryption process, the SEM does part of the decryption and the user does the remaining part. Both the SEM and the user must perform their share to decrypt a message. Digital signatures are generated in a similar way to performing decryption.

The authors implemented the system using OpenSSL and provided a client API and server daemons. The performance measurements showed that signature and encryption times are essentially unchanged from the user’s perspective. The authors also implemented a plug-in for Eudora that enables users to sign their emails using the SEM. This approach achieves immediate revocation of public key certificates and security capabilities for medium-size organizations rather than the global Internet.

[Photo: Gene Tsudik]

The implementation of the system is available at: http://sconce.ics.uci.edu/sucses.

The SEM Eudora plug-in is available at: http://crypto.stanford.edu/semmail.

SESSION: MATH ATTACKS!
Summarized by Kevin Fu

PDM: A NEW STRONG PASSWORD-BASED PROTOCOL
Charlie Kaufman, Iris Associates; Radia Perlman, Sun Microsystems Laboratories

A bright and cheery Radia Perlman talked about Password-Derived Moduli (PDM), a protocol useful for both mutual authentication and securely downloading credentials. PDM’s notable features and improvements over existing protocols include unencumbrance by patents, better overall server performance, and better performance when not storing password-equivalent data on the server.

Despite the promise of smartcards, passwords are still important for authentication. Demonstrating this importance, Perlman cited her own habit of misplacing any hardware token given to her. However, she can remember a password.

PDM deterministically generates a prime from a user’s password and salt such as the username. To generate a prime, the user Alice fills out chunks of the right size with the hash of (“Alice,” password, constant). PDM then searches for a safe “Sophie Germain” prime (p). A prime is Sophie Germain if (p-1)/2 is also a prime. PDM then uses this prime as the modulus in Diffie-Hellman exchanges.

PDM is potentially fast on a server and tolerably slow on a client. Although 512-bit Diffie-Hellman moduli are within the realm of breakability, a dictionary attack against PDM requires a Diffie-Hellman exponentiation per password guess. This places a lot of computational burden on an adversary. Using 512-bit moduli instead of 1024-bit moduli improves performance on the server by a factor of six.

PDM strives not to leak information and avoids timing attacks by properly ordering cryptographic operations. PDM can also avoid storing password-equivalent data on the server. If the server is compromised, the user’s password can remain safe. Other protocols avoid password equivalence by having extra Diffie-Hellman exchanges.

Deriving a 512-bit prime from a password is computationally expensive. Ten seconds on a reasonably modern machine is not uncommon. However, there are simple improvements. Perlman’s son improved the client performance by a factor of three by using a sieve instead of division. If a user provides a hint in addition to the password, the generation of the prime can finish in a fraction of a second. The hint could be the first few bits of the prime, easily encoded as a single character to remember.

Then came questions. Asked about the distribution of primes derived from passwords, Perlman answered that the primes are uniformly distributed in the range of possible primes. For all possible passwords, this is uniformly distributed.

Asked why PDM depends on a strong Sophie Germain prime, Radia explained that the base 2 is then guaranteed to be a generator if the prime is also congruent to 3 mod 8. If 2 were not a generator, then 2 would generate a smaller subgroup – reducing security.

DETECTING STEGANOGRAPHIC CONTENT ON THE INTERNET
Niels Provos, CITI, University of Michigan

Because Slashdot had just discussed a “theoretical” system to detect steganographic content on the Internet, Niels decided it was time to discuss a system already doing this. Instead of talking about methods to defend against statistical steganalysis, Niels talked about his software to find hidden messages in JPEG files.

The popular press claims that terrorists like Osama bin Laden use steganography. Of course, this is totally unsubstantiated. Hence, Niels sought answers to three questions:
• How to automatically detect steganographic content
• How to find a source of images with potentially steganographic content
• How to determine whether an image contains hidden content

Steganography is the art and science of hiding the fact that communication is happening. In modern steganography, one should only be able to detect the presence of hidden information by knowing a secret key. The goal of an adversary is to detect steganography, not necessarily to recover the message. One must select a cover medium to embed a hidden message. Bits are changed to embed a message. The original cover medium is then destroyed.

[Photo: Niels Provos]

There are many systems to hide messages in images: JSteg, JPHide, and Niels’ Outguess. All of these systems cause different distortions in images. Niels wrote the “stegdetect” program to detect images modified by JSteg, JPHide, and Outguess. The program gives a notion of how likely it is that an image contains hidden content.

On a 1200MHz Pentium III, stegbreak processes 15,000 words/sec for JPHide, 47,000 words/sec for Outguess, and 112,000 words/sec for JSteg. Because a single fast machine can only process so much, Niels wrote the “disconcert” program to mount a distributed dictionary attack.

Niels has sorted through over 2 million JPEG images from eBay. Although 17,000 images came up positive, no genuine steganography was found. There is as yet no final conclusion on whether the underworld uses steganography in this way. The popular press will have to continue with unsubstantiated claims.

Asked if one can determine the quality metric used to create a JPEG, Niels said this is possible but will not reveal whether there is steganographic content because modifications of DCT coefficients do not modify quality of images much.

Another person asked for advice on how to hide messages while minimizing distortion. Niels explained that hiding just one bit is easy. Otherwise it is important to realign the statistical properties of the image after embedding a message.

One audience member suggested that terrorists might use homebrew steganographic software. In such a case, will the same statistical tests help detect hidden messages? Niels said that with certain generic assumptions, maybe. One would need to know the statistical signature common to the software.

Another audience member asked if Niels has searched for JPEGs on sites other than eBay. Niels responded that he has only considered eBay because the popular press mentioned auctions as the perfect venue. So far the press seems to be fantasizing.

Finally, a participant asked if the number of false positives fit any hypothesis. Niels answered no. The images vary in quality and size. So, from the beginning, many images are mischaracterized by the statistical tests. Niels did run his software against a test set though. It correctly detected the hidden messages.

For more information, see http://www.citi.umich.edu/u/provos/ or http://www.outguess.org/.
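Perlman’s answer in the PDM Q&A above (2 is a generator of the safe-prime group when the prime is 3 mod 8) can be checked on small numbers. The block below is an added example, not code from the PDM paper: the function names are ours, the moduli are kept below 2^32 so that trial division and 64-bit arithmetic suffice, and it tests the two-sided form of the statement (2 generates the whole group exactly when the safe prime is 3 mod 8) for every safe prime from 7 up to a limit, which goes slightly beyond the one direction the answer gives.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Trial-division primality test, adequate for the small moduli used here. */
bool pdm_is_prime(uint64_t n)
{
    if (n < 2)
        return false;
    if (n % 2 == 0)
        return n == 2;
    for (uint64_t d = 3; d * d <= n; d += 2)
        if (n % d == 0)
            return false;
    return true;
}

/* p is a safe prime when both p and q = (p-1)/2 are prime (q is then a
 * Sophie Germain prime, the property the talk refers to). */
bool pdm_is_safe_prime(uint64_t p)
{
    return p > 2 && pdm_is_prime(p) && pdm_is_prime((p - 1) / 2);
}

/* base^exp mod m for m < 2^32, so every intermediate product fits in 64 bits. */
uint64_t pdm_powmod(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t r = 1;
    base %= m;
    while (exp > 0) {
        if (exp & 1)
            r = (r * base) % m;
        base = (base * base) % m;
        exp >>= 1;
    }
    return r;
}

/* Multiplicative order of 2 mod p by brute force (p an odd prime, kept small). */
uint64_t pdm_order_of_two(uint64_t p)
{
    if (p < 3)
        return 0;
    uint64_t x = 2, k = 1;
    while (x != 1) {
        x = (x * 2) % p;
        k++;
    }
    return k;
}

/* For a safe prime p = 2q+1 every element order divides 2q, so it is 1, 2, q
 * or 2q. Since 2 != 1 and 2^2 == 1 only for p = 3, 2 generates the whole
 * group exactly when 2^q != 1 (mod p): a single exponentiation decides it. */
bool pdm_two_is_generator(uint64_t p)
{
    return pdm_powmod(2, (p - 1) / 2, p) != 1;
}

/* Checks the criterion from the Q&A over every safe prime 7 <= p <= limit:
 * 2 is a generator mod p exactly when p % 8 == 3. Each verdict is cross-checked
 * against the brute-force order (p-1 for a generator, (p-1)/2 otherwise).
 * Returns the number of safe primes examined, or 0 on the first contradiction. */
uint64_t pdm_check_criterion(uint64_t limit)
{
    uint64_t checked = 0;
    for (uint64_t p = 7; p <= limit; p += 4) {      /* safe primes > 5 are 3 mod 4 */
        if (!pdm_is_safe_prime(p))
            continue;
        bool gen = pdm_two_is_generator(p);
        if (gen != (p % 8 == 3))
            return 0;
        uint64_t expected_order = gen ? p - 1 : (p - 1) / 2;
        if (pdm_order_of_two(p) != expected_order)
            return 0;
        checked++;
    }
    return checked;
}

int main(void)
{
    uint64_t n = pdm_check_criterion(20000);
    printf("safe primes checked: %llu; 2 generates mod 11: %d, mod 23: %d\n",
           (unsigned long long)n, pdm_two_is_generator(11), pdm_two_is_generator(23));
    return n > 0 ? 0 : 1;
}
```

Why the loop starts at 7 and why the criterion holds: for p = 2q+1 with q an odd prime, p is 3 mod 4 and therefore 3 or 7 mod 8; 2 is a quadratic residue mod p exactly when p is 1 or 7 mod 8, and a residue has order dividing q, so 2 has full order 2q exactly when p is 3 mod 8. The safe prime 5 (q = 2) is the one case outside this argument, which is why it is skipped.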
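The FormatGuard mechanism described in the Managing Code session above, as an added example written for this report in portable C99 rather than the GNU CPP tricks the glibc patch relied on; this is not the WireX code. The names (fg_printf, fg_count_conversions, fg_check, fg_printf_checked, FG_NARGS) and the nine-argument limit are ours. The macro counts the arguments at the call site, the wrapper counts the conversions the format string would consume, and a mismatch in the dangerous direction is refused rather than executed. The function-pointer evasion the presenters mentioned is visible in the design: only calls spelled fg_printf(...) in the source are rewritten.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Number of arguments a printf-style format string will consume. Handles
 * "%%", flags, '*' width/precision (each of which consumes an int) and length
 * modifiers. Positional conversions such as "%1$d" are not supported here
 * (they are counted like ordinary ones). */
int fg_count_conversions(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                                /* "%%" is a literal '%' */
        while (*p != '\0' && strchr("-+ #0'", *p))
            p++;                                     /* flags */
        if (*p == '*') {
            n++;                                     /* width taken from an argument */
            p++;
        } else {
            while (*p >= '0' && *p <= '9')
                p++;
        }
        if (*p == '.') {                             /* precision */
            p++;
            if (*p == '*') {
                n++;
                p++;
            } else {
                while (*p >= '0' && *p <= '9')
                    p++;
            }
        }
        while (*p != '\0' && strchr("hlLqjzt", *p))
            p++;                                     /* length modifiers */
        if (*p == '\0')
            break;                                   /* dangling '%' at end of string */
        n++;                                         /* the conversion itself */
    }
    return n;
}

/* Returns 0 when fmt consumes at most nargs arguments, -1 when it would read
 * past them. FormatGuard raises an intrusion alert and kills the process at
 * this point; here we only report, so the check stays testable. */
int fg_check(int nargs, const char *fmt)
{
    int want = fg_count_conversions(fmt);
    if (want > nargs) {
        fprintf(stderr, "format string wants %d argument(s), call supplied %d: refused\n",
                want, nargs);
        return -1;
    }
    return 0;
}

/* The safe wrapper: checked, then handed to vprintf. Returns -1 if refused,
 * otherwise vprintf's return value (number of characters written). */
int fg_printf_checked(int nargs, const char *fmt, ...)
{
    if (fg_check(nargs, fmt) != 0)
        return -1;
    va_list ap;
    va_start(ap, fmt);
    int rc = vprintf(fmt, ap);
    va_end(ap);
    return rc;
}

/* Argument counting in the preprocessor: FG_NARGS(a, b, c) expands to 3.
 * Supports up to 9 arguments; a lone fmt counts as 1, so actual args = total - 1. */
#define FG_NARGS_(_1, _2, _3, _4, _5, _6, _7, _8, _9, N, ...) N
#define FG_NARGS(...) FG_NARGS_(__VA_ARGS__, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0)

/* Source-level replacement for printf. A call made through a function pointer
 * holding printf's address never passes through this macro, which is the
 * evasion the presenters described. */
#define fg_printf(...) fg_printf_checked(FG_NARGS(__VA_ARGS__) - 1, __VA_ARGS__)

int main(void)
{
    /* Constructed "user input" that reaches printf as the format string with
     * no arguments, the one-argument printf case both Berkeley talks describe. */
    const char *user_input = "%x %x %n";
    fg_printf("checked printf: %s=%d\n", "answer", 42);   /* passes: 2 wanted, 2 given */
    return fg_printf(user_input) == -1 ? 0 : 1;          /* refused: 3 wanted, 0 given */
}
```

The wrapper is deliberately stricter in one direction only: a format that consumes fewer arguments than were passed is harmless and is let through, exactly as the talk describes FormatGuard's rule.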
TIMING ANALYSIS OF KEYSTROKES AND TIMING ATTACKS ON SSH
Dawn Xiaodong Song, David Wagner, and Xuqing Tian, University of California, Berkeley

Dawn Song explained how two traffic analysis vulnerabilities in the SSH protocol can leak damaging amounts of information. By eavesdropping on an SSH session, Song demonstrated the ease of recovering confidential data such as root passwords typed over an SSH connection. Song's group then built the Herbivore attacker system, which tries to learn users' passwords by monitoring SSH sessions. Herbivore can speed up brute force password searches by a factor of 50.

The SSH protocol has largely replaced insecure Telnet. Ideally SSH should withstand attacks by eavesdroppers. Alas, SSH leaks information about the approximate length of data. Moreover, each key press generates a separate packet. The length can indicate when a user is about to enter a password during an established SSH session. By watching the inter-keystroke events, an eavesdropper can make educated guesses about passwords and other confidential information.

The most startling example is that of the su command typed over an SSH session, which results in a very recognizable traffic signature. Simply by looking at the lengths of requests and responses, an eavesdropper can detect the transmission of a password. Song noted that su disables echo mode. The resulting asymmetric traffic indicates that a password will follow.

Once an eavesdropper knows that a sequence of packets corresponds to a password, the inter-keystroke timings can reveal characteristics of the password. Herbivore looks at the frequency distribution of a given character pair. For instance, one may type vo with alternating hands while typing vb with the same hand. The latency between each keypress is distinguishing. For randomly chosen passwords, inter-keystroke timings leak about 1.2 bits per character.

One countermeasure against this attack would be to hide inter-keystroke timings by using a constant packet rate in active traffic.

Next, a slew of people raced to the microphone. One person asked whether taking many samples of a single user would reduce the password search space even more. Song responded that this technique has diminishing returns.

Asked about the effect this work has on passwords typed over a wireless network, Song reported that her group did not test real users' passwords. Each test subject used an assigned password. All the test subjects were touch typists.

When one audience member asked why not set TCPNODELAY right before typing passwords, another audience member said that is already the case.

Song also explained that randomly inserting a delay in traffic will not help much. An eavesdropper can obtain your typing of passwords many times to filter out the randomization.

WORKS IN PROGRESS
Summarized by Sam Weiler and David Richard Larochelle

USING THE FLUHRER, MANTIN, AND SHAMIR ATTACK TO BREAK WEP
Adam Stubblefield, Rice University; John Ioannidis and Avi Rubin, AT&T Research

The authors implemented a recently published attack against WEP, the link-layer security protocol for 802.11 networks. Exploiting WEP's improper use of RC4 initialization vectors, they recovered a 128-bit key from a production network using a passive attack. For assorted legal and moral reasons, they're not planning to release the code, but others are developing similar tools.

For more information, visit http://www.cs.rice.edu/~astubble/wep/.

SRMAIL – THE SECURE REMAILER
Cory Cohen, CERT

SRMail allows groups of people who may not share common crypto methods to communicate. It can generate encrypted form letters and convert between encryption formats when used as a remailer. SRMail will be used at CERT to allow several people to masquerade as CERT and generate documents signed with CERT's keys without requiring them to have direct access to those keys.

VOMIT – VOICE OVER MISCONFIGURED INTERNET TELEPHONES
Niels Provos, CITI, University of Michigan

Vomit converts a Cisco IP phone conversation into a wave file, allowing users to play a call directly from the network or from a tcpdump output file. Vomit can also insert wave files into ongoing telephone conversations. Provos suggested that Vomit can be used as a network debugging tool, a speaker phone, and so on.

For more information, visit http://www.monkey.org/~provos/vomit/.

VILLAIN-TO-VICTIM (V2V) PROTOCOLS, A NEW THREAT
Matthias Bauer, Institut für Informatik

Bauer amused us with several ways to transport or temporarily store data on correctly configured machines without the consent of the owner (i.e., in Web guest books, in ICMP-echo-request datagrams sent over connections with long RTTs, or in SMTP messages sent via open relays to domains that refuse to accept the messages for several days). In addition to providing an unreliable backup medium, these methods can be used to build an unobservable channel. He proposes that these theft-of-service attacks should be called "villain-to-victim" computing because some of the engineering problems of P2P can be solved by V2V protocols.

For more information, visit http://www1.informatik.unierlangen.de/~bauer/new/v2v.html.

DETECTING MANIPULATED REMOTE CALL STREAMS
Jonathon Giffin, Bart Miller and Somesh Jha, University of Wisconsin

In a distributed grid computing environment, remotely executing processes send call requests back to the originating machine. A hostile user may manipulate these streams of calls. This technique statically analyzes the process's binary code at dispatch time and generates a model of all possible call sequences. As calls come back during execution, they're checked against the model, which detects some types of manipulation.

A QUANTITATIVE ANALYSIS OF ANONYMOUS COMMUNICATIONS
Yong Guan, Xinwen Fu, Riccardo Bettati, and Wei Zhao, Texas A&M University

This probabilistic analysis of rerouting systems found that longer paths don't necessarily provide better protection against sender identification. They also found that path complexity doesn't have a significant impact on the probability of identifying a sender. Additionally, the ease of identifying a sender increases as the number of compromised nodes in the system increases, but that growth is sublinear.

For more information, visit http://netcamo.cs.tamu.edu/.

DISTRIBUTED AUTHORIZATION WITH HARDWARE TOKENS
Stefan Wieseckel and Matthias Bauer, Friedrich-Alexander-University Erlangen-Nuernberg

The authors have written a PAM module for user authentication to workstations based on RSA credentials stored on a Dallas Semiconductor Java-iButton. They use the KeyNote policy engine to make authorization decisions, which allows for complex trust relationships and delegation of authority. They do not presently address user or token revocation.

For more information, visit http://www.wieseckel.de/ibutton_smartcard.html.

MOVING FROM DETECTION TO RECOVERY AND ANALYSIS
George Dunlap, University of Michigan

Dunlap proposed a mechanism of rollback and selective replay of network events to aid in intrusion analysis and recovery. Being able to answer questions like "What if this packet had not been delivered?" or "What if this TCP session hadn't happened?" should facilitate debugging, forensic analysis, and intrusion detection signature development.

A CRYPTANALYSIS OF THE HIGH-BANDWIDTH DIGITAL CONTENT PROTECTION (HDCP) SYSTEM
Rob Johnson, Dawn Song, and David Wagner, University of California at Berkeley; Ian Goldberg, Zero Knowledge Systems; and Scott Crosby, Carnegie Mellon University

HDCP is a proposed identity-based cryptosystem for use over the Digital Visual Interface bus, a consumer video bus already in widespread use. The authors found serious design flaws in HDCP which allow one to eavesdrop on HDCP communications, clone HDCP devices, and build an HDCP-compliant device that cannot be disabled via HDCP's Key Revocation facilities. Because of the DMCA mess (see page 7, the summary of "Reading Between the Lines: Lessons from the SDMI Challenge," particularly the question regarding whether a person would be at risk for summarizing the session), they aren't releasing the full details of their cryptanalysis.

TRUST, SERVERS, AND CLIENTS
Sean Smith, Dartmouth University

WebALPS extends an SSL connection into a tamper-resistant coprocessor. By using the coprocessor as a trusted third party, sensitive information is protected from rogue server operators. Credit card information, for example, can be sent from the coprocessor via encrypted email to a merchant with the web hosting provider never having access to it.

Additionally, Smith described how SSL connections can be spoofed and presented an impressive demo in which JavaScript and DHTML were used to spoof the URL, the SSL warning windows, the SSL icon, and the certificate information.

For more information, visit http://www.cs.dartmouth.edu/~pkilab.

SOURCE ROUTER APPROACH TO DDOS DEFENSE
Jelena Mirkovic and Peter Reiher, University of California, Los Angeles

The authors propose a system to prevent a network from participating in a DDoS attack. Located at the source network router, the system watches for a drop-off in reverse traffic from a particular destination with heavy outgoing traffic. It then throttles all traffic to that destination while attempting to identify attacking flows and machines. The system is similar to MULTOPS, but it's source side only, and its traffic models don't depend on packet ratios.

For more information, visit http://fmg-www.cs.ucla.edu/ddos.
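Three claims from Song's talk earlier in this section lend themselves to a small simulation: inter-keystroke gaps separate digraphs typed with alternating hands from those typed with one hand, randomly delaying packets is undone by observing the same password many times, and a constant packet rate hides the timing altogether. The following is an added example written for this summary, not code from Song, Wagner and Tian or from Herbivore; the left-hand key set, the millisecond latencies, the jitter width and the tick period are all constructed for illustration.

```python
"""Eavesdropper's view of per-keystroke SSH packets, as a constructed model.

Added example (not code from Song, Wagner and Tian or from Herbivore).
The hand assignment, the latency figures, the jitter width and the tick
period are invented for illustration.
"""
import random
import statistics

# Constructed model: keys struck by the left hand on a QWERTY layout; the
# rest are treated as right-hand keys.
LEFT_HAND = set("qwertasdfgzxcvb")
ALTERNATING_MS = 110.0   # mean gap when the two keys use different hands
SAME_HAND_MS = 180.0     # mean gap when both keys use the same hand
SPREAD_MS = 25.0         # the typist's natural variation per keystroke


def digraph_class(a, b):
    """'alt' if the two keys are typed with different hands, else 'same'."""
    return "alt" if (a in LEFT_HAND) != (b in LEFT_HAND) else "same"


def type_password(password, rng, jitter_ms=0.0):
    """Packet departure times (ms) for one entry of password over SSH.

    Each keystroke leaves as its own packet. jitter_ms > 0 models the
    'random delay' idea raised in the Q&A: every packet is held a uniform
    random 0..jitter_ms before it is sent.
    """
    t = 0.0
    times = [rng.uniform(0, jitter_ms)]
    for a, b in zip(password, password[1:]):
        mean = ALTERNATING_MS if digraph_class(a, b) == "alt" else SAME_HAND_MS
        t += rng.gauss(mean, SPREAD_MS)
        # A held packet cannot leave before the one queued ahead of it.
        times.append(max(times[-1], t + rng.uniform(0, jitter_ms)))
    return times


def intervals(times):
    """Inter-packet gaps, which is all a passive observer sees."""
    return [b - a for a, b in zip(times, times[1:])]


def classify(gap_ms):
    """Observer's guess for one digraph from a single gap."""
    return "alt" if gap_ms < (ALTERNATING_MS + SAME_HAND_MS) / 2 else "same"


def recover_classes(observations):
    """Average each gap over repeated entries of the same password (the
    'filter out the randomization' step), then classify every gap."""
    per_gap = zip(*(intervals(t) for t in observations))
    return [classify(statistics.fmean(g)) for g in per_gap]


def accuracy(guesses, password):
    """Share of digraphs whose hand class was guessed correctly."""
    truth = [digraph_class(a, b) for a, b in zip(password, password[1:])]
    return sum(g == t for g, t in zip(guesses, truth)) / len(truth)


def constant_rate(times, tick_ms=50.0):
    """Countermeasure from the talk: while the session is active a packet
    leaves every tick, carrying the queued keystroke if there is one and
    padding otherwise. The wire shows only the ticks."""
    n_ticks = int(times[-1] // tick_ms) + 2
    return [i * tick_ms for i in range(n_ticks)]


def demo(password="vobvq", samples=200, jitter_ms=60.0, seed=1):
    rng = random.Random(seed)
    plain = recover_classes([type_password(password, rng)])
    jitter_one = recover_classes([type_password(password, rng, jitter_ms)])
    jitter_many = recover_classes(
        [type_password(password, rng, jitter_ms) for _ in range(samples)])
    padded = intervals(constant_rate(type_password(password, rng)))
    return {
        "plain_single_sample": accuracy(plain, password),
        "jitter_single_sample": accuracy(jitter_one, password),
        "jitter_averaged": accuracy(jitter_many, password),
        "padded_distinct_gaps": len({round(g, 6) for g in padded}),
    }


if __name__ == "__main__":
    print(demo())
```

demo() returns the observer's per-digraph accuracy on a clean sample, on a single jittered sample, and on the average of 200 jittered samples, plus the number of distinct gaps visible in the constant-rate stream. The averaged figure returns to 1.0 while the padded stream shows exactly one gap, which is why the countermeasure proposed in the talk is a constant rate rather than a random delay.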
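The source-router detector from the Mirkovic and Reiher summary on this page can be sketched in a few dozen lines. This is an added example of the idea, not their system: a per-destination account of outgoing and returning bytes per interval, a throttle that triggers when outgoing volume is heavy but replies fall below a fraction of their previous level (a drop-off, not a packet ratio), and a list of the heaviest internal senders as the first machines to examine. The interval length, thresholds, addresses and the packet trace are constructed.

```python
"""Source-network router that throttles a remote destination whose replies
drop off while outgoing traffic to it stays heavy. Added example of the idea
in the Mirkovic and Reiher summary, not their system; the interval,
thresholds, addresses and trace are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

INTERVAL_S = 1.0        # accounting interval
HEAVY_BYTES = 50_000    # outgoing bytes per interval that count as heavy
DROP_FRACTION = 0.25    # replies below this share of last interval's level = drop-off
THROTTLE_SHARE = 0.10   # outgoing budget while throttled, as share of offending volume


@dataclass
class Packet:
    t: float
    src: str
    dst: str
    size: int


@dataclass
class DestStats:
    out_bytes: int = 0          # offered outgoing bytes (before throttling)
    in_bytes: int = 0           # reply bytes coming back
    out_by_host: dict = field(default_factory=lambda: defaultdict(int))


class SourceRouterMonitor:
    def __init__(self, local_prefix="10.1."):
        self.local_prefix = local_prefix
        self.cur = defaultdict(DestStats)   # this interval, keyed by remote address
        self.prev = {}                      # previous interval
        self.throttled = {}                 # remote -> (bytes allowed/interval, reply baseline)
        self.interval, self.dropped, self.log = 0, 0, []

    def forward(self, pkt):
        """Account for pkt; return True if the router forwards it."""
        while pkt.t >= (self.interval + 1) * INTERVAL_S:
            self.end_interval()
        if not pkt.src.startswith(self.local_prefix):   # reply coming back in
            self.cur[pkt.src].in_bytes += pkt.size
            return True
        st = self.cur[pkt.dst]
        st.out_bytes += pkt.size
        st.out_by_host[pkt.src] += pkt.size
        if pkt.dst in self.throttled and st.out_bytes > self.throttled[pkt.dst][0]:
            self.dropped += 1
            return False
        return True

    def end_interval(self):
        for remote, st in self.cur.items():
            prev = self.prev.get(remote)
            if remote in self.throttled:
                # Lift the throttle once replies recover toward the pre-attack level.
                if st.in_bytes >= DROP_FRACTION * self.throttled[remote][1]:
                    del self.throttled[remote]
                    self.log.append((self.interval, remote, "release", []))
                continue
            drop_off = (prev is not None and prev.in_bytes > 0
                        and st.in_bytes < DROP_FRACTION * prev.in_bytes)
            if st.out_bytes >= HEAVY_BYTES and drop_off:
                self.throttled[remote] = (int(st.out_bytes * THROTTLE_SHARE), prev.in_bytes)
                # Heaviest internal senders are the first machines to examine.
                suspects = sorted(st.out_by_host, key=st.out_by_host.get, reverse=True)[:3]
                self.log.append((self.interval, remote, "throttle", suspects))
        self.prev, self.cur = dict(self.cur), defaultdict(DestStats)
        self.interval += 1


def build_trace():
    """Constructed trace: steady browsing to 192.0.2.10; a normal exchange with
    192.0.2.99 for two intervals, then eight internal hosts flood it."""
    web, victim, pkts = "192.0.2.10", "192.0.2.99", []
    for k in range(5):
        base = k * INTERVAL_S
        for i in range(20):
            pkts.append(Packet(base + i / 20, "10.1.0.5", web, 500))
            pkts.append(Packet(base + i / 20 + 0.01, web, "10.1.0.5", 1500))
        if k < 2:
            for i in range(20):
                pkts.append(Packet(base + i / 20, "10.1.0.7", victim, 500))
                pkts.append(Packet(base + i / 20 + 0.01, victim, "10.1.0.7", 1500))
        else:
            for i in range(1500):
                pkts.append(Packet(base + i / 1500, f"10.1.0.{100 + i % 8}", victim, 60))
            pkts.append(Packet(base + 0.5, victim, "10.1.0.101", 40))  # straggling reply
    return sorted(pkts, key=lambda p: p.t)


def run(trace=None):
    mon = SourceRouterMonitor()
    for pkt in build_trace() if trace is None else trace:
        mon.forward(pkt)
    mon.end_interval()
    return mon
```

On the constructed trace the web server is never throttled, the flooded destination is throttled at the end of the first flood interval with a budget of one tenth of the offered volume, and the log carries the three heaviest internal senders toward it. Throttling by offered volume rather than by packet counts keeps the decision independent of packet ratios, as the summary notes.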
SAVE: SOURCE ADDRESS VALIDITY ENFORCEMENT PROTOCOL
Jun Li, Jelena Mirkovic, Mengqiu Wang, Peter Reiher, and Lixia Zhang, University of California, Los Angeles

SAVE is a new protocol for building incoming address tables at routers, even in the face of asymmetric routes. Those tables can be used to filter out packets with spoofed IP source addresses, build multicast trees, debug network problems, etc. To build the tables, SAVE sends valid source address information downstream along the paths used for delivery.

For more information, visit http://fmg-www.cs.ucla.edu/adas/.

CODE RED, THE SECOND COMING — FROM WHENCE DIURNAL CYCLES
Colleen Shannon and David Moore, CAIDA

Using the same system presented in the Denial of Service session on Wednesday morning, CAIDA analyzed the second round of Code Red. They observed that many of the infected hosts were using dynamic addressing, suggesting that the owners were not intentionally running IIS. The data also showed a clear diurnal pattern – one-third to one-half of infected machines were being turned on and off daily – again suggesting that these machines were not running production Web servers.

For more information, visit http://www.caida.org/analysis/security/code-red/.

FAST-TRACK SESSION ESTABLISHMENT FOR TLS
Hovav Shacham and Dan Boneh, Stanford University

The authors describe a new, "fast-track" handshake mechanism for TLS. A fast-track client caches a server's public parameters and certain client-server negotiated parameters in the course of an initial, enabling handshake; these need not be present on subsequent handshakes. The new mechanism reduces both network traffic and flows and requires no additional server state. The bandwidth savings are particularly relevant to wireless devices.

For more information, visit http://crypto.stanford.edu/.

ELECTROMAGNETIC ATTACKS ON CHIP CARDS
Bruce Archambeault, Josyula R. Rao, and Pankaj Rohatgi, IBM Research

Chip cards and other devices leak substantially more information through electromagnetic emanations than through other side-channels such as power consumption and timing analysis. Additionally, the countermeasures for the other side-channel attacks are often insufficient to protect from electromagnetic attacks. Because of the sensitive nature of this work, the authors are working with interested parties to secure the vulnerable devices prior to disclosing complete details.

For more information, visit http://www.research.ibm.com/intsec.

PASSWORD AUTHENTICATION
Philippe Golle, Stanford University

Philippe Golle proposed a scheme for authenticating to a large number of Web sites with different passwords, while requiring the client to remember only a single master password. The scheme can be adapted to master passwords as short as 40 bits and can resist coalitions of up to three Web sites.

For more information, visit http://crypto.stanford.edu/~pgolle.

A TRAFFIC CAPTURE AND ANALYSIS FRAMEWORK
Josh Gentry, Southwest Cyberport

Josh Gentry presented some Perl tools for collecting network statistics. The capture engine uses libpcap to collect traffic, does some pattern matching and analysis, and stores the results in Perl hashes. The command line client can query that data locally or over the network.

For more information, visit http://www.systemstability.org/.

OPEN SOURCE IMPLEMENTATION OF 802.1X
Arunesh Mishra, Maryland Information and Systems Security Lab, University of Maryland

Lib1x is an open source implementation of 802.1x, a port-based authentication mechanism for wireless networks that's intended to be an alternative to 802.11 WEP (see the WiP by Adam Stubblefield et al., above, for details on why an alternative is needed). Contributions are welcomed.

For more information, visit http://www.missl.cs.umd.edu/1x/.

[Photographs of the Symposium can be found at http://www.usenix.org/events/sec01/index.html]

[Photo: Will the real Peter Honeyman please stand up!]
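The SAVE summary above says the protocol pushes valid source-address information downstream along delivery paths so that routers can build incoming tables even when routes are asymmetric. The following added example illustrates that idea on a constructed three-router topology; it is not the SAVE protocol's message format or the authors' code, and the router names, prefixes and forwarding tables are invented. It also runs a classic strict reverse-path check on the same packets, to show what asymmetric routing does to a filter that relies on the router's own forwarding table instead.

```python
"""Per-neighbor incoming source-address tables built the way the SAVE summary
describes, on a constructed three-router topology with an asymmetric route.

Added example of the idea, not the SAVE protocol's wire format or the
authors' code. Router names, prefixes and forwarding tables are constructed.
"""
import ipaddress
from collections import defaultdict


class Router:
    def __init__(self, name, prefix):
        self.name = name
        self.prefix = ipaddress.ip_network(prefix)  # sources this router originates
        self.fib = {}                                # dest network -> next hop or "local"
        self.incoming = defaultdict(set)             # neighbor -> source networks expected from it

    def next_hop(self, addr):
        addr = ipaddress.ip_address(addr)
        for net, hop in self.fib.items():
            if addr in net:
                return hop
        return None


def build_network():
    """Constructed topology: links A-B, B-C and A-C. A reaches C's prefix
    through B, but C reaches A's prefix over the direct A-C link."""
    routers = {n: Router(n, p) for n, p in
               (("A", "10.0.0.0/24"), ("B", "10.0.1.0/24"), ("C", "10.0.2.0/24"))}
    fibs = {
        "A": {"10.0.0.0/24": "local", "10.0.1.0/24": "B", "10.0.2.0/24": "B"},
        "B": {"10.0.0.0/24": "A", "10.0.1.0/24": "local", "10.0.2.0/24": "C"},
        "C": {"10.0.0.0/24": "A", "10.0.1.0/24": "B", "10.0.2.0/24": "local"},
    }
    for name, table in fibs.items():
        routers[name].fib = {ipaddress.ip_network(d): h for d, h in table.items()}
    return routers


def run_save(routers, max_hops=16):
    """Each router announces its own source prefix downstream along the
    forwarding path to every other prefix; every router on that path records
    the neighbor the announcement arrived from as the direction packets with
    those sources will legitimately come from."""
    for origin in routers.values():
        for dest in routers.values():
            if dest is origin:
                continue
            cur = origin
            for _ in range(max_hops):           # bounded walk guards against FIB loops
                hop = cur.next_hop(dest.prefix.network_address)
                if hop in (None, "local"):
                    break
                nxt = routers[hop]
                nxt.incoming[cur.name].add(origin.prefix)
                cur = nxt


def save_accepts(router, from_neighbor, src):
    """Incoming-table check: is src expected from the interface it came in on?"""
    src = ipaddress.ip_address(src)
    return any(src in net for net in router.incoming[from_neighbor])


def strict_rpf_accepts(router, from_neighbor, src):
    """Classic strict reverse-path check for comparison: accept only if the
    router's own route back to src points at the arrival interface."""
    return router.next_hop(src) == from_neighbor


def demo():
    routers = build_network()
    run_save(routers)
    # Constructed packets: (router, arrival neighbor, source address, note)
    cases = [
        ("C", "B", "10.0.0.9", "legit, A->B->C forward path"),
        ("A", "C", "10.0.2.3", "legit, direct C->A reverse path"),
        ("B", "A", "10.0.2.5", "spoofed C source injected from A's side"),
    ]
    return {note: (save_accepts(routers[r], n, s), strict_rpf_accepts(routers[r], n, s))
            for r, n, s, note in cases}


if __name__ == "__main__":
    for note, (save_ok, rpf_ok) in demo().items():
        print(f"{note}: SAVE table {'accepts' if save_ok else 'drops'}, "
              f"strict RPF {'accepts' if rpf_ok else 'drops'}")
```

demo() returns, for each constructed packet, the verdict of the SAVE-style table and of the strict reverse-path check. Both drop the spoofed packet, but the strict check also drops the two legitimate packets whose return route differs from their delivery path, which is the asymmetric-route problem the summary says SAVE is designed to handle.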