
An Extensible Platform for Evaluating Security Protocols



  1. An Extensible Platform for Evaluating Security Protocols Seny Kamara joint with L. Ballard, R. Caudy, D. Davis, F. Monrose

  2. Outline • Objectives • High-level architecture • Plugin architecture • Case studies

  3. Objectives • Security • DDoS, VPNs, worm propagation, cryptographic protocols • Ease of use • Fast prototyping • Research • Education

  4. Objectives • Modularity • plugin architecture • Portability • Java • Java networking API • Dynamic customization • Java dynamic class loading

  5. System Architecture • Topology parser • Otter [CAIDA] file format (Brite) • Extended to handle real IPs • Routers can serve network prefixes • User interface (interactive and scripts) • Simulator (hosts, routers, links)

  6. Host Architecture • Incoming packet filter (FW) • Incoming Berkeley Packet Filter (BPF) • Transports • Applications • Transports • Outgoing packet filter (FW) • Outgoing Berkeley packet filter (BPF) [Figure: host diagram. Labels: HOST, Incoming Links, FW, BPF, Applications, Trace, Ping, DNS, route copy, Transports, Raw IP, TCP, ICMP, UDP, Outgoing Links]

  7. Router Architecture • Link Processor • Incoming packet filters (FW) • Incoming Berkeley Packet Filters (BPF) • Transports • Applications • Transports • Routing Table • Outgoing packet filters (FW) • Outgoing Berkeley packet filters (BPF) [Figure: router diagram. Labels: ROUTER, Incoming Links, Link Processor, FW, BPF, Applications, Trace, Ping, DNS, route copy, Transports, Raw IP, TCP, ICMP, UDP, Dest?, Routing Table, Outgoing Links]

  8. Plugin Architecture • Modularity • Transparency to user • Dynamic Customization • Correctness and interoperability testing • Cryptographic protocols, TCP implementations, DDoS mitigation etc...

  9. Plugin Architecture • Transparent • plugin [IP|all] ICMP • plugin [IP|all] Ping • select src-IP • ping dest-IP • Dynamic (Java’s dynamic class loading) [Figure: router diagram. Labels: ROUTER, Incoming Links, Link Processor, FW, BPF, Applications, Trace, Ping, DNS, route copy, Transports, Raw IP, TCP, ICMP, UDP, Dest?, Routing Table, Outgoing Links]

  10. Plugin Architecture • Event notification (e.g. applications need to know if the TCP stack is being replaced) • Before plugin • Objects can register as listeners for particular plugins

  11. Plugin Architecture • Before plug out: • plugin’s pre-plugout method is called and given replacing object • transfer state (e.g. firewall rules) • listeners are notified of plugout operation

  12. Plugin Architecture • Simnet plugins: • Topology parser • User interface • Hosts • Routers • Link processor

  13. Plugin Architecture • Simnet plugins: • Packet filters • Berkeley Packet Filters (BPFs) • Routing tables • Transports • Applications

  14. Case Studies • Scalability : Worm Propagation • Modularity : DNSSEC

  15. Experimental Setup • Dual-processor 1.3 GHz XServe G4 • 1024 MB RAM • Mac OS 10.2.6

  16. Worm Propagation • Zero-day worms • Nimda, Code Red I, Code Red II • Compare effectiveness of various worm target selection algorithms

  17. Worm Propagation • Naive worms • Uniform selection • Nimda • Biased towards own class B • Code Red II • Biased towards own class A

  18. Worm Propagation • Requires • Topologies on the order of millions • Simnet only supports topologies on the order of hundreds (full packet-level simulation) • Trade simulation detail for scalability

  19. Worm Propagation • Aggregate Router plugin • Simulate entire Class B networks • Parameters: • percentage of reachable class C nets. • percentage of allocated IPs (in each class C)

  20. Worm Propagation • Worm Modeler Plugin • Simulates propagation characteristics • Parameters: • percentage of reachable hosts that are vulnerable • probing rate per infected host per second • target selection probs. for Class B, A, I

  21. Worm Propagation • Given scope of simulation we want to reduce total simulation time • “Compress” time by only sending probes to vulnerable hosts • And assigning a time cost to each probe according to a geometric distribution on the probability of choosing a vulnerable host

  22. Worm Propagation • 192 Agg. Routers chosen from AS level topology from Router Views project • Yields about 2 million hosts

  23. Worm Propagation • 500,000 vulnerable hosts • 0.5 probes per infected host per second • Target selection:

                      B       A       I
      Naive           0.3     0.3     0.3
      Nimda           0.5     0.25    0.25
      Code Red II     0.375   0.5     0.125

  24. Worm Propagation • Assumptions • Vulnerable hosts infected after 1 UDP probe (SQLSlammer) • Once infected, a host remains infected

  25. Worm Propagation
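
The time compression from slide 21, under the assumptions of slide 24, as an added example (not code from the presentation or from Simnet, which is written in Java). It covers uniform target selection only; the function names, the host-id scheme and the scaled-down run (500 vulnerable hosts in 2,000 addresses, the same 1-in-4 ratio as 500,000 in about 2 million) are assumptions made for the illustration.

```python
import heapq
import math
import random

def probes_until_hit(p, rng):
    """Geometric(p) draw: probes sent up to and including the first one that
    lands on a vulnerable host (inverse-transform sampling)."""
    if p >= 1.0:
        return 1
    u = 1.0 - rng.random()                      # uniform in (0, 1]
    return max(1, math.ceil(math.log(u) / math.log(1.0 - p)))

def simulate(vulnerable, address_space, probe_rate, horizon, seed=1):
    """Event-driven model with uniform target selection.
    Returns (curve, events, probes): curve is [(time, infected_count)],
    events is the number of probes actually simulated, probes is the
    number of real probes those events stand for."""
    rng = random.Random(seed)
    p = vulnerable / address_space              # chance one probe hits a vulnerable host
    infected = {0}                              # assumed ids 0..vulnerable-1; host 0 starts infected
    queue = []                                  # (arrival time, source, probes represented)

    def schedule(now, src):
        k = probes_until_hit(p, rng)            # misses are skipped, but still cost time
        heapq.heappush(queue, (now + k / probe_rate, src, k))

    schedule(0.0, 0)
    curve, events, probes = [(0.0, 1)], 0, 0
    while queue:
        t, src, k = heapq.heappop(queue)
        if t > horizon:
            break
        events += 1
        probes += k
        target = rng.randrange(vulnerable)      # the hit lands on some vulnerable host
        if target not in infected:              # one probe infects; infection is permanent
            infected.add(target)
            curve.append((t, len(infected)))
            schedule(t, target)
        schedule(t, src)                        # the source keeps scanning
    return curve, events, probes

if __name__ == "__main__":
    # Constructed, scaled-down run with the slides' rate of 0.5 probes per second.
    curve, events, probes = simulate(500, 2000, 0.5, horizon=600)
    print(f"infected={curve[-1][1]} events={events} probes represented={probes}")
```

The ratio of probes represented to events simulated approaches 1/p, which is the saving the compression buys.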

  26. Pushback • Aggregate-based Congestion Control (ACC) [MBF+01] • DDoS mitigation • Rate limits flows that match certain characteristics • If necessary propagates rate limiting upstream

  27. Pushback • Am I congested? • monitor packet drop rate • Can I identify the offending flow? • Sample high volume traffic (dropped packets from RED) • How much should I rate limit offending flow? • When do I stop rate limiting?

  28. Pushback • Compare effectiveness of various ACC mechanisms against DDoS attacks • Requires • Accurate bandwidth and latency modeling

  29. Pushback • Pushback variants: • Pushback • Direct pushback (unpublished) • On/Off pushback (unpublished)

  30. Pushback • Link A has 3/4 cap. and 2/3 queue size • Attack traffic from 7 (/20) hosts @ 25 pkts. per sec. toward victim • Good/poor traffic from A 13 (/20) hosts @ 10 pkts. per sec toward 1/6 dests. (including victim) • 10 min. experiments

  31. Pushback

  32. DNSSEC • Public-key DNSSEC • Mitigates DNS spoofing, cache poisoning etc... • authenticates RRs

  33. DNSSEC • Overhead in processing time and traffic (no experimental results have ever appeared) • Requires • Modularity • Cryptography

  34. DNSSEC

  35. DNSSEC

  36. DNSSEC • 40 nodes in .com and .edu domains • 16 clients (Application level plugins) making • type A and NS requests • bogus requests • domain distribution • all according to published results

  37. DNSSEC • 3 second cache duration • zones re-signed every 6 seconds • 3 second request timeouts • Cryptographic primitives • Signatures: DSA • PK encryption: RSA • TSIGs: HMAC-MD5

  38. DNSSEC • Local resolver servicing 3 stub resolvers

  39. DNSSEC

  40. DNSSEC • Increase in packets due to public key requests • Increase in packet size due to signatures, RR sets etc...

  41. Conclusions • Simnet was designed with security protocols in mind • Simnet is not meant to replace ns

  42. Conclusions • Low learning curve • Highly modular • Scalable • Accurate modeling

  43. Implementations • Network protocols • IP, ICMP, UDP, TCP • Ping, Traceroute, DNS, NAT

  44. Implementations • DDoS mitigation protocols • Pushback • Direct Pushback • Synkill

  45. Implementations • IP traceback schemes • PPM • SPIE • Authenticated and Advanced Marking Schemes

  46. Implementations • Cryptographic protocols • SSL • PK-DNSSEC • Kerberos • Onion routing

  47. Questions? • Simnet v1.0 available at: http://simnet.isi.jhu.edu
