POPULAR POWER

1. POPULAR POWER Security Issues of Peer-to-Peer Systems February 14, 2001 O’Reilly Peer-to-Peer Conference

2. Overview • Peer-to-peer security is hard • Some old techniques, some new • Example: Popular Power POPULAR POWER

3. Standard security concerns • Someone stealing my data • Virus infecting my computer • Someone impersonating me • Someone modifying my data POPULAR POWER

4. The Real Problem: the Network Anna Kournikova VBS/SST-A VBS/SST@MM OnTheFly ILOVEYOU VBS/Loveletter.a Melissa Trinoo Tribe Flood Network Creative W32/ProLin@MM Kalamar’s VBS Worm Generator +50,000 more Stacheldraht POPULAR POWER

5. Client/Server Security: Understood • Make a secure server • Use firewall to restrict access to server • Encrypt all communications • Authenticate server to client • Authenticate client to server (oops) • Audit server: logs, tripwires, etc • Pray you have no bugs POPULAR POWER

6. P2P Security is Harder • Each computer is untrusted • Peers don't have trust relationships • Capacity for rapid spread of trouble • Individuals can cause local damage that spreads • Everyone can be running different software • Code may be mobile; beware! • Decentralization can make auditing difficult • Complex systems: hard to understand POPULAR POWER

7. Security Tools (not Solutions!) • Encryption • Authentication • Firewalls • Trust and Reputation • Sandboxes • Frameworks: SSL, Intel’s PTPTL, etc. POPULAR POWER

8. Firewalls • Good things • Easy to set up • Restrict access to a “white list” of allowed traffic • Single point of control • Bad things • Unsubtle: Block all traffic on port, not application • Inflexible: Generally static rulesets • Single point of control • Difficult for users inside network to influence • Not an Internet-wide security solution POPULAR POWER

9. Trust and Reputation Mechanisms • Give entities identities (pseudonymonous) • Create reputation sharing mechanism • Assign reputations to entities • Allow others to retrieve reputations • Use reputation to build trust relationships • Example: eBay • Example: Public key infrastructure • Verisign-style certificate hierarchies • PGP Web of Trust • Peer to Peer / decentralized solutions POPULAR POWER

10. Secure Execution Environments • Essential for mobile code systems! • Traditional approaches • OS-based security • Ad-hoc mechanisms (VBS, Javascript, Emacs) • Sandboxes • Java Virtual Machine • Inferno / Dis • C# / CLR • NSA / VMWare: NetTop POPULAR POWER

11. Example Application: Popular Power • Distributed computing • Centralized server • Untrusted clients • Mobile code • Must protect four different groups: • Our own servers • Client computers • Customers submitting jobs • The Internet itself POPULAR POWER

12. Protecting Our Servers • Standard Unix server protection • Firewalls • Validating all input (Java – no buffer overflows) • Auditing servers • Offline signature keys POPULAR POWER

13. Protecting Client Computers • Threat model: Byzantine failure • Malicious code • Buggy code • Secure execution environment • Java sandbox • Fine-grained policy model to add privileges • Authentication • Cryptographic protection on files, communication POPULAR POWER

14. Protecting Job Submitters • Theft of intellectual property • Obfuscation of code • Encryption of data • “Shredding” of computation • Time to crack vs. value of data • Data manipulation – spoofing results • Redundant execution + verification • Reputations of client computers • Running checksums POPULAR POWER

15. Protecting the Internet • Distributed denial of service • Load testing / quality of service monitoring • Malicious attack, or accident in programming • Careful authentication of job submission • Built-in failsafes in code • Built-in failsafes in system • Play nice with firewalls • Open question? POPULAR POWER

16. Conclusion • There are lots of good security tools • Peer-to-peer has hard problems • Complex decentralized systems are inherently difficult to secure • We have an ethical responsibility to create secure systems POPULAR POWER