CS 563 - Advanced Computer Security: Security Measurement
Professor Adam Bates, Fall 2018
Security & Privacy Research at Illinois (SPRAI)
Administrative
Learning Objectives:
• Discuss two recent studies that use measurement methods
• Survey broad topics in the "security measurement" area
Announcements:
• Reaction paper was due today (and for all classes)
• Feedback for reaction papers soon
• "Preference Proposal" homework due 9/24
• Reminder: please put away (backlit) devices at the start of class
Measuring Internet Censorship
Reports suggest Internet censorship practices are diverse in their methods, targets, and timing, differing by region as well as across time.
Measuring Internet Censorship
Problem:
• How can we detect whether pairs of hosts around the world (a user and a site) can talk to each other?
State of the art: deploy hardware or software at hosts
• RIPE Atlas, OONI probe
• Ask people on the ground, or use VPNs or research networks (PlanetLab)
THREE KEY CHALLENGES: coverage, ethics, and continuity

Measuring Internet Censorship
Problem:
• How can we detect whether pairs of hosts around the world can talk to each other ... from somewhere else in the world?? Impossible!
Hybrid Idle (Spooky) Scan
Spooky Scan uses TCP/IP side channels to detect whether a user and a site can communicate (and in which direction the user's packets are blocked).
Goal: detect blocking from off-path.
* TCP Idle Scan. Antirez (Bugtraq, 1998)
* Detecting Intentional Packet Drops on the Internet via TCP/IP Side Channels. Roya Ensafi, Knockel, Alexander, and Crandall (PAM '14)
* Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks Using Model Checking. Roya Ensafi, Park, Kapur, and Crandall (USENIX Security 2010)
Hybrid Idle (Spooky) Scan
Augur is a follow-up system that uses the same TCP/IP side channels to detect blocking from off-path.
Goals: a scalable, ethical, and statistically robust system to continuously detect blocking.
How does this work?
TCP/IP provides several building blocks:
• TCP handshake: SYN [IP ID: X] → SYN/ACK [IP ID: Y] → ACK [IP ID: X+1]. Every packet a host sends carries the next value of its IP ID counter.
• Port status is open or closed: a host that receives a SYN/ACK for a connection it does not have answers with a RST, regardless of port state.
• Port status is open: a SYN is answered with a SYN/ACK, and the SYN/ACK is retransmitted (SYN/ACK, SYN/ACK, ...) until the handshake completes or a RST arrives.
How does this work?
Requirements for each participant:
• Site: an open port, and it retransmits SYN/ACKs
• "User" (Reflector): must maintain a global value for the IP ID
• Measurement machine: must be able to spoof packets
Spooky Scans: no direction blocked
Reflector IP ID counter starts at 7000.
1. Measurement machine → Reflector: SYN/ACK
2. Reflector → Measurement machine: RST [IP ID: 7000]
3. Measurement machine → Site: spoofed SYN [src: Reflector IP]
4. Site → Reflector: SYN/ACK
5. Reflector → Site: RST [IP ID: 7001] (the site tears down the half-open connection, so it stops retransmitting)
6. Measurement machine → Reflector: SYN/ACK
7. Reflector → Measurement machine: RST [IP ID: 7002]
Next probe: RST [IP ID: 7003]

Spooky Scans: Site-to-Reflector blocked
1. Measurement machine → Reflector: SYN/ACK
2. Reflector → Measurement machine: RST [IP ID: 7000]
3. Measurement machine → Site: spoofed SYN [src: Reflector IP]
4. Site → Reflector: SYN/ACK (dropped before it reaches the reflector, so the reflector sends no RST)
5. Measurement machine → Reflector: SYN/ACK
6. Reflector → Measurement machine: RST [IP ID: 7001]
Next probe: RST [IP ID: 7002]

Spooky Scans: Reflector-to-Site blocked
1. Measurement machine → Reflector: SYN/ACK
2. Reflector → Measurement machine: RST [IP ID: 7000]
3. Measurement machine → Site: spoofed SYN [src: Reflector IP]
4. Site → Reflector: SYN/ACK
5. Reflector → Site: RST [IP ID: 7001] (dropped before it reaches the site, so the site keeps retransmitting its SYN/ACK and each retransmission draws another RST from the reflector)
6. Measurement machine → Reflector: SYN/ACK
7. Reflector → Measurement machine: RST [IP ID: 7002]
Next probe: RST [IP ID: 7004] (the RST answering the retransmitted SYN/ACK consumed 7003)
Spooky Scans
We can use the deltas in the reflector's IP ID between consecutive probes to differentiate blockage:

Case                        ΔIPID1   ΔIPID2
Site-to-Reflector blocked      1        1
No direction blocked           2        1
Reflector-to-Site blocked      2        2

ΔIPID1 is the increase between the probe before and the probe after the spoofed SYN; ΔIPID2 is the increase across the following probe interval, during which the site would retransmit its SYN/ACK.
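The three cases in the table, as an added simulation that is not code from the lecture or from the Augur authors: a reflector whose outgoing packets take consecutive values of one global IP ID counter and which answers any unsolicited SYN/ACK with a RST, a site that retransmits its SYN/ACK until it is reset, and a measurement machine that spoofs the reflector's address, with delivery between site and reflector blocked in zero or one direction. It goes slightly beyond the slide by allowing N spoofed SYNs per round (the amplification used on the next slide) and by injecting constructed background traffic at the reflector, which shows why a single-SYN probe is easily misclassified. The start IP ID, one retransmission per probe interval, and the noise model are assumptions of the simulation.

```python
"""Simulated Spooky-scan / Augur measurement round.

Added example for this lecture; not code from the slides or from the Augur
authors. The start IP ID (7000), one SYN/ACK retransmission per probe
interval and the background-noise model are assumptions of the simulation.
"""
from dataclasses import dataclass

NO_BLOCKING = "No direction blocked"
SITE_TO_REFLECTOR = "Site-to-Reflector blocked"
REFLECTOR_TO_SITE = "Reflector-to-Site blocked"
UNKNOWN = "Unknown"


@dataclass
class Reflector:
    ipid: int  # global IP ID counter shared by every flow on the host

    def send(self) -> int:
        """Emit one packet and return the IP ID it carried."""
        ipid, self.ipid = self.ipid, self.ipid + 1
        return ipid

    def on_synack(self) -> int:
        """No connection matches an unsolicited SYN/ACK, so reply with RST."""
        return self.send()


@dataclass
class Site:
    half_open: int = 0  # handshakes still waiting for the final ACK

    def on_syn(self, count: int) -> int:
        self.half_open += count
        return count  # one SYN/ACK per SYN received

    def retransmit(self) -> int:
        return self.half_open  # resend SYN/ACK for every unanswered handshake

    def on_rst(self) -> None:
        if self.half_open:
            self.half_open -= 1  # a delivered RST tears the handshake down


def deliver_synacks(site: Site, reflector: Reflector, count: int, blocked: str) -> None:
    """Carry `count` SYN/ACKs from site to reflector and the reflector's RSTs
    back, dropping packets in the blocked direction."""
    if blocked == SITE_TO_REFLECTOR:
        return  # SYN/ACKs never arrive; the reflector sends nothing
    for _ in range(count):
        reflector.on_synack()  # the RST consumes an IP ID whether or not it arrives
        if blocked != REFLECTOR_TO_SITE:
            site.on_rst()  # only a delivered RST stops the retransmissions


def measure(blocked: str, n_syns: int = 1, start_ipid: int = 7000, noise: int = 0):
    """One round: probe, spoof n_syns SYNs, probe, wait one retransmission
    interval, probe. Returns (delta1, delta2) as seen by the measurement
    machine. `noise` is constructed background traffic: unrelated packets the
    reflector happens to send between consecutive probes."""
    reflector = Reflector(start_ipid)
    site = Site()
    base = reflector.on_synack()  # probe: SYN/ACK to the reflector, RST back
    deliver_synacks(site, reflector, site.on_syn(n_syns), blocked)
    for _ in range(noise):
        reflector.send()
    first = reflector.on_synack()  # probe after the spoofed SYNs
    deliver_synacks(site, reflector, site.retransmit(), blocked)
    for _ in range(noise):
        reflector.send()
    second = reflector.on_synack()  # probe after the retransmission window
    return first - base, second - first


def classify(delta1: int, delta2: int, n_syns: int = 1) -> str:
    """A delta 'accelerates' when it is at least n_syns + 1: one RST per
    SYN/ACK the site sent plus the RST answering our own probe."""
    accel1 = delta1 >= n_syns + 1
    accel2 = delta2 >= n_syns + 1
    if accel1 and accel2:
        return REFLECTOR_TO_SITE
    if accel1:
        return NO_BLOCKING
    if not accel2:
        return SITE_TO_REFLECTOR
    return UNKNOWN  # acceleration only in the second window is inconsistent


if __name__ == "__main__":
    for case in (NO_BLOCKING, SITE_TO_REFLECTOR, REFLECTOR_TO_SITE):
        for n in (1, 10):
            deltas = measure(case, n_syns=n, noise=3)
            print(f"{case:26} n_syns={n:2} deltas={deltas} -> {classify(*deltas, n)}")
```

With no noise the three cases yield exactly the table's (1,1), (2,1) and (2,2). With three unrelated packets per interval, a single spoofed SYN makes the Site-to-Reflector case look like Reflector-to-Site blocking, while ten spoofed SYNs keep all three cases distinguishable, which is the amplification argument of the next slide.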
What about noise?
Reflectors will be making other Internet connections. How to cope?
• Amplify the signal by repeated probing (i.e., N spoofed SYNs instead of 1).
• Repeat the experiment to account for packet loss and other network pathologies.
What about noise?
Not all reflectors will have the same noise levels. How to adjust?
Probing methodology. One run:
- For the first 4 s, query the reflector's IP ID every second
- Send 10 spoofed SYNs
- Query the IP ID
- Query the IP ID
Repeat runs until we have high enough confidence (or up to a maximum number of runs), and use sequential hypothesis testing to gradually build confidence.
Sequential Hypothesis Testing
Defining a random variable: each trial records whether IP ID acceleration occurs or does not occur.
Calculate known outcome probabilities:
- Prior 1: probability of no IP ID acceleration when there is blocking
- Prior 2: probability of IP ID acceleration when there is no blocking
After each trial, update the maximum likelihood ratio for the hypotheses Site-to-Ref blocking, No blocking, and Ref-to-Site blocking. Based on the ratio, can we decide the blocking case? Yes: output that case. No: run another trial, and output Unknown if the trial budget is exhausted.
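A worked sequential test, added here as an example that is neither the lecture's nor Augur's own code: Wald's sequential probability ratio test (SPRT) over the per-trial acceleration bit, run once per blocking direction and combined into the slide's four outputs. Using the SPRT form specifically, the numeric values of the two priors, the error rates alpha and beta, and the trial budget of 47 (the measurements-per-pair count from the study slide) are assumptions for illustration.

```python
"""Sequential hypothesis testing over Spooky-scan trial outcomes.

Added example (not the lecture's or Augur's code). Each trial yields a bit:
1 if IP ID acceleration was observed in the window of interest, 0 if not.
The two slide priors parameterise the hypotheses; Wald's SPRT decides
between them or gives up after `max_trials`. All numeric defaults are
assumptions chosen for illustration.
"""
import math

SITE_TO_REF = "Site-to-Ref blocking"
REF_TO_SITE = "Ref-to-Site blocking"
NO_BLOCKING = "No blocking"
UNKNOWN = "Unknown"


def acceleration_observed(delta: int, n_syns: int) -> int:
    """1 if the IP ID jump covers one RST per spoofed SYN plus our probe's RST."""
    return 1 if delta >= n_syns + 1 else 0


def sprt(outcomes, p_accel_h1, p_accel_h0, alpha=0.01, beta=0.01, max_trials=47):
    """Wald SPRT on 0/1 outcomes. H1: P(accel) = p_accel_h1; H0: P(accel) = p_accel_h0.
    alpha / beta: tolerated false-positive / false-negative rates.
    Returns (True for H1, False for H0, None if undecided, trials used)."""
    for p in (p_accel_h1, p_accel_h0, alpha, beta):
        if not 0.0 < p < 1.0:
            raise ValueError("probabilities must lie strictly between 0 and 1")
    upper = math.log((1.0 - beta) / alpha)   # accept H1 at or above this
    lower = math.log(beta / (1.0 - alpha))   # accept H0 at or below this
    llr, trials = 0.0, 0
    for y in outcomes:
        if trials >= max_trials:
            break
        trials += 1
        if y:
            llr += math.log(p_accel_h1 / p_accel_h0)
        else:
            llr += math.log((1.0 - p_accel_h1) / (1.0 - p_accel_h0))
        if llr >= upper:
            return True, trials
        if llr <= lower:
            return False, trials
    return None, trials


def decide(runs, n_syns=10, prior1=0.9, prior2=0.9, alpha=0.01, beta=0.01, max_trials=47):
    """runs: list of (delta1, delta2) from repeated rounds against one
    (reflector, site) pair. prior1 = P(no accel | blocking), prior2 =
    P(accel | no blocking), as on the slide; the same reliability is assumed
    for the second window."""
    acc1 = [acceleration_observed(d1, n_syns) for d1, _ in runs]
    acc2 = [acceleration_observed(d2, n_syns) for _, d2 in runs]
    # Site-to-Reflector blocking suppresses acceleration in the first window.
    s2r, _ = sprt(acc1, 1.0 - prior1, prior2, alpha, beta, max_trials)
    # Reflector-to-Site blocking keeps the site retransmitting, so the second
    # window accelerates; with no blocking it stays quiet.
    r2s, _ = sprt(acc2, prior2, 1.0 - prior1, alpha, beta, max_trials)
    if s2r is True:
        return SITE_TO_REF
    if r2s is True:
        return REF_TO_SITE
    if s2r is False and r2s is False:
        return NO_BLOCKING
    return UNKNOWN
```

With the default priors each consistent trial moves the log-likelihood ratio by log(9), so three agreeing trials cross the alpha = beta = 0.01 boundary while two do not; a pair observed only twice therefore comes back Unknown rather than being forced into a verdict, and a single noisy run in a longer sequence only delays the decision.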
Augur Framework
User input: target countries, site addresses
Reflector selection: from all responsive IPs, followed by reflector characterization
Site characterization
Probing scheduler
Detection / validation
System output, per reflector and site: Ref-to-Site blocking, or Site-to-Ref blocking, or No blocking, or Error
Ethical Considerations
In the exchange above it is the reflector (IP ID 1000, 1001, 1002, ...), not the measurement machine, that receives the site's SYN/ACK and sends the RST back to the site. Probing banned sites from users' machines creates risk for the user?
Ethical Considerations
Solution: only probe infrastructure devices.

Reflector candidates                          Hosts          Countries
Internet hosts with a global IP ID            22.7 million   236 countries (and dependent territories)
Two hops back from the end user               53,000         180 countries
Measurement Study
• 2,050 reflectors
• 2,134 sites (Citizen Lab list + Alexa Top-10K)
• 47 measurements per site per reflector
• 207,600,000 measurements total
• How do we know Augur is working correctly?