Bunker: A Tamper Resistant Platform for Network Tracing

Presentation Transcript


  1. Bunker: A Tamper Resistant Platform for Network Tracing
  Stefan Saroiu, University of Toronto

  2. Motivation
  • Today's tracing helps build tomorrow's systems
  • ISPs view raw network traces as a liability
    • Traces can compromise user privacy
    • Protecting users' privacy is increasingly important
  • Trace anonymization mitigates these issues

  3. Offline Anonymization
  • Trace is anonymized after the raw data is collected
    • Privacy risk persists until the raw data is deleted
  • Today's traces require deep packet inspection
    • Headers are insufficient to understand phishing or P2P
    • Payload traces pose a serious privacy risk
  • Risk to user privacy is too high
    • Two universities rejected offline anonymization

  4. Offline's Privacy Vulnerabilities
  • Two types of attacks:
    • Traditional: network intrusion attacks
    • New: raw data can be subpoenaed
  • Both universities required that subpoenas would not affect privacy

  5. Online Anonymization
  • Trace is anonymized while tracing
    • Raw data resides in RAM only
  • Difficult to meet performance demands
    • Extraction and anonymization must be done at line speed
  • Code is frequently buggy and difficult to maintain
    • Low-level languages (e.g. C) + "home-made" parsers
    • Small bugs cause large amounts of data loss
    • Introduces a consistent bias against long-lived flows

  6. Simple Tasks Can Be Very Slow
  • Regular expression for phishing:
    ((password)|(<form)|(<input)|(PIN)|(username)|(<script)|(user id)|(sign in)|(log in)|(login)|(signin)|(log on)|(sign on)|(signon)|(passcode)|(logon)|(account)|(activate)|(verify)|(payment)|(personal)|(address)|(card)|(credit)|(error)|(terminated)|(suspend))[^A-Za-z]
  • libpcre: 5.5 s for 30 MB, i.e. at most 44 Mbit/s (30 MB x 8 bit/byte / 5.5 s ~ 43.6 Mbit/s)
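As an added example, not code from the deck: the filter on this slide compiled with Go's RE2 engine, run over a constructed HTTP response standing in for one reassembled stream, plus a loop that reproduces the throughput measurement on the local machine. The names `samplePayload`, `PhishingTerms`, `LineRateMbps` and `Benchmark` are chosen here; the slide's figure was measured with libpcre, so the absolute rate reported by `Benchmark` will differ from 44 Mbit/s.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// PhishingRE is the keyword filter quoted on slide 6 (RE2 syntax here; the
// deck timed it with libpcre). Group 1 is the keyword that fired; the
// trailing [^A-Za-z] requires a non-letter after it, so "login" matches in
// "login<" but not in "logins".
var PhishingRE = regexp.MustCompile(`((password)|(<form)|(<input)|(PIN)|(username)|(<script)|(user id)|(sign in)|(log in)|(login)|(signin)|(log on)|(sign on)|(signon)|(passcode)|(logon)|(account)|(activate)|(verify)|(payment)|(personal)|(address)|(card)|(credit)|(error)|(terminated)|(suspend))[^A-Za-z]`)

// samplePayload is a constructed HTTP response, not data from the deck; it
// stands in for one reassembled TCP stream pulled out of a trace.
const samplePayload = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" +
	"<html><body><form action=\"/verify\">" +
	"Please sign in: <input name=\"username\"> <input name=\"password\">" +
	"</form></body></html>"

// PhishingTerms returns every keyword the filter fires on, in stream order.
func PhishingTerms(payload string) []string {
	var terms []string
	for _, m := range PhishingRE.FindAllStringSubmatch(payload, -1) {
		terms = append(terms, m[1])
	}
	return terms
}

// LineRateMbps converts "bytesScanned in seconds" into the fastest link the
// filter could keep up with. The slide's 30 MB in 5.5 s gives ~43.6 Mbit/s.
func LineRateMbps(bytesScanned int, seconds float64) float64 {
	return float64(bytesScanned) * 8 / seconds / 1e6
}

// Benchmark scans at least totalBytes of payload through the filter and
// reports the bytes scanned and the sustained rate on this host.
func Benchmark(payload string, totalBytes int) (scanned int, mbps float64) {
	start := time.Now()
	for scanned < totalBytes {
		PhishingRE.FindAllStringIndex(payload, -1)
		scanned += len(payload)
	}
	return scanned, LineRateMbps(scanned, time.Since(start).Seconds())
}

func main() {
	fmt.Println("terms:", PhishingTerms(samplePayload))
	fmt.Printf("slide figure: %.1f Mbit/s\n", LineRateMbps(30_000_000, 5.5))
	n, rate := Benchmark(samplePayload, 30_000_000)
	fmt.Printf("this host: %d bytes scanned at %.1f Mbit/s\n", n, rate)
}
```

The point the slide makes survives the engine swap: whatever rate `Benchmark` prints is the ceiling for an online anonymizer that must run this filter on every payload, and a gigabit link needs roughly 20 times the slide's libpcre figure.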

  8. Our Solution: Bunker
  • Combines the best of both worlds
    • Same privacy benefits as online anonymization
    • Same engineering benefits as offline anonymization
  • Pre-load analysis and anonymization code
  • Lock it and throw away the key (tamper resistance)

  9. Threat Model
  • Accidental disclosure:
    • Risk is substantial whenever humans are handling data
  • Subpoenas:
    • Attacker has physical access to the tracing system
    • Subpoenas force researchers and ISPs to cooperate
    • As long as cooperation is not "unduly burdensome"
  • Implication: nobody can have access to raw data

  10. Is Developing Bunker Legal?

  11. It Depends on the Intent of Use
  • Developing Bunker is like developing encryption
  • Must consider the purpose and uses of Bunker
    • Developing Bunker for user privacy is legal
    • Misuse of Bunker to bypass the law is illegal

  12. Outline
  • Motivation
  • Design of our platform
  • System evaluation
  • Case study: Phishing
  • Conclusions

  13. Logical Design (diagram; only the box labels survive): Capture Hardware, capture [online], assemble, parse, anonymize [offline], Anon. Key, One-Way Interface (anon. data)

  14. VM-based Implementation (diagram; only the box labels survive): Hypervisor, Capture Hardware, Open-box NIC, Closed-box VM, capture [online], assemble, parse, anonymize [offline], Anon. Key, encrypt, decrypt, Enc. Key, Encrypted Raw Data, One-Way Socket

  15. VM-based Implementation (diagram; only the box labels survive): Hypervisor, Capture Hardware, Open-box NIC, Closed-box VM, capture [online], assemble, parse, anonymize [offline], Anon. Key, encrypt, decrypt, Enc. Key, Encrypted Raw Data, One-Way Socket, Open-box VM, save trace, logging, maintenance

  16. Benefits
  • Strong privacy properties
    • Raw trace and other sensitive data cannot be leaked
  • Trace processing done offline
    • Can use your favorite language!
    • Parsing can be done with off-the-shelf components

  17. Key Technologies
  • "Closed-box" VM protects sensitive data
    • Contains all raw trace data and processing code
    • No interactive access to the closed box (e.g. no console)
  • Encryption protects on-disk data
    • Randomly generated key held in volatile memory only
    • Data cannot be decrypted after a reboot
  • "Safe-on-reboot" VM mitigates hardware attacks
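As an added example, not Bunker's own code: the "lock it and throw away the key" rule for on-disk raw data, written in Go. An AES-256-GCM key is generated at start-up, lives only in process memory and is never written anywhere, so after a simulated reboot the spilled chunks are still on disk but unreadable. `SpillStore`, `Spill`, `Load`, `Reboot` and the in-memory map standing in for the closed-box disk are choices made here; the cipher, key length and file layout Bunker actually uses are not stated on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrKeyLost is returned once the in-memory key is gone: the on-disk
// ciphertext is then unrecoverable by design.
var ErrKeyLost = errors.New("encryption key no longer in memory")

// SpillStore models the closed-box VM's on-disk raw-trace area. The key
// exists only in this struct (volatile memory) and is never persisted, so a
// reboot or power cut leaves the disk holding undecryptable bytes.
type SpillStore struct {
	key  []byte
	aead cipher.AEAD
	disk map[string][]byte // stands in for files on the closed-box disk
}

// NewSpillStore draws a fresh random 256-bit key; there is no way to
// supply or export one, which is the point.
func NewSpillStore() (*SpillStore, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SpillStore{key: key, aead: aead, disk: map[string][]byte{}}, nil
}

// Spill encrypts one raw chunk under a fresh random nonce and writes
// nonce||ciphertext||tag to "disk". The chunk name is bound as associated
// data so a chunk cannot be silently renamed. Random 96-bit GCM nonces are
// safe for the chunk counts a single trace produces; a box that runs for
// months should switch to a counter.
func (s *SpillStore) Spill(name string, raw []byte) error {
	if s.aead == nil {
		return ErrKeyLost
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.disk[name] = s.aead.Seal(nonce, nonce, raw, []byte(name))
	return nil
}

// Load decrypts a chunk for offline parsing inside the closed box. GCM
// rejects any chunk that was modified on disk.
func (s *SpillStore) Load(name string) ([]byte, error) {
	if s.aead == nil {
		return nil, ErrKeyLost
	}
	blob, ok := s.disk[name]
	if !ok {
		return nil, fmt.Errorf("no chunk %q", name)
	}
	ns := s.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("chunk too short")
	}
	return s.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

// Reboot simulates power loss or a hardware attack that restarts the box:
// the key bytes are zeroed and every reference dropped while the ciphertext
// stays where it was. (In the real system the VM's RAM simply goes away;
// Go cannot promise the cipher's expanded key schedule is scrubbed.)
func (s *SpillStore) Reboot() {
	for i := range s.key {
		s.key[i] = 0
	}
	s.key, s.aead = nil, nil
}

// DiskBytes exposes the stored ciphertext so a caller can confirm the data
// really is still on disk after a reboot.
func (s *SpillStore) DiskBytes(name string) []byte { return s.disk[name] }

func main() {
	store, err := NewSpillStore()
	if err != nil {
		panic(err)
	}
	// Constructed sample chunk, not trace data from the deck.
	raw := []byte("GET /login HTTP/1.1\r\nCookie: session=constructed-value\r\n\r\n")
	if err := store.Spill("chunk-0001", raw); err != nil {
		panic(err)
	}
	back, _ := store.Load("chunk-0001")
	fmt.Printf("round trip ok: %v\n", string(back) == string(raw))
	store.Reboot()
	_, err = store.Load("chunk-0001")
	fmt.Printf("after reboot: %v (ciphertext still on disk: %d bytes)\n", err, len(store.DiskBytes("chunk-0001")))
}
```

The check a practitioner wants is the one `Reboot` makes explicit: nothing that could rebuild the key (no key file, no passphrase, no export path) may exist outside the closed box, otherwise a subpoena for the disk plus that artefact recovers the raw trace.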

  18. Outline
  • Motivation
  • Design of our tool
  • System evaluation
  • Case study: Phishing
  • Conclusions

  19. Software Engineering Benefits (chart)
  • One order of magnitude between online and offline
  • Development time: Bunker, 2 months; UW/Toronto, years

  20. Work Deferral
  • Don't do now what you can do later

  21. Error Recovery
  • Small bugs lead to small errors in the trace, not huge gaps

  22. Outline
  • Motivation
  • Design of our tool
  • System evaluation
  • Case study: Phishing
  • Conclusions

  23. Phishing Is Bad
  • Costs the U.S. economy hundreds of millions
  • Affects 1+ million U.S. Internet users
  • 2004 to mid-2006: number of phishing sites grew 10x
  • Banks claim phishing is the #1 source of fraud
  • Phishing messages are now personalized
    • Harder to filter

  24. Two-Day Hotmail Trace
  • Tue Jan 29, 2008, 11:15am to Thu Jan 31, 2008, 11:23am
  • University of Toronto at Mississauga

  25. Questions
  • How often are URLs present in e-mails?
  • How often do people click on links in e-mails?
  • Do people verify an e-mail for legitimacy before clicking on a link?

  26. Links in Email

  27. Conclusions
  • Today's tracing experiments need to look "deep" into network activity
    • IP-level trace vs. e-mail and browsing history
  • Serious privacy concerns
    • Physical security isn't enough: subpoenas
  • Bunker provides
    • the safety of online anonymization
    • the simplicity of offline anonymization

  28. Acknowledgments
  • Andrew Miklas (U. of Toronto)
  • Alec Wolman (Microsoft Research)
  • Angela Demke Brown (U. of Toronto)

  29. Questions? http://www.cs.toronto.edu/~stefan

  30. Design (diagram; only the box labels survive): XEN Hypervisor, Capture NIC, Open NIC, Closed-box VM (DomainU), Open-box VM (Domain0), Online Software, Offline Software, Untrusted Software, Anon. Key, Enc. Key, Encrypted Raw Trace, One-Way Interface

  31. Phishy Mail Leaks through Filters

  32. (diagram; only the box labels survive): Capture Hardware, capture [online], assemble, parse, anonymize [offline], Anon. Key, Anonymized Trace

  33. (diagram; only the box labels survive): Hypervisor, Capture Hardware, Inaccessible VM, capture [online], assemble, parse, anonymize [offline], Anon. Key, Anonymized Trace, One-Way Socket, Commodity VM, save trace, logging, maintenance

  34. (diagram; only the box labels survive): Hypervisor, Capture Hardware, Inaccessible VM, capture [online], assemble, parse, anonymize [offline], Anon. Key, encrypt, decrypt, Enc. Key, Encrypted Raw Trace, Anonymized Trace, One-Way Socket, Commodity VM, save trace, logging, maintenance

  35. Overall Privacy Goal (timeline diagram; labels: Time, Tracing Starts, Tamper Attack, Data Protected, Data Exposed)
  • Goal: ensure that users' privacy is "no worse off" while a trace is in progress