THE USENIX MAGAZINE
December 2003 • volume 28 • number 6 { inside:
SECURITY Perrine: The End of crypt() Passwords . . . Please? Wysopal: Learning Security QA from the Vulnerability Researchers Damron: Identifiable Fingerprints in Network Applications Balas: Sebek: Covert Glass-Box Host Analysis Jacobsson & Menczer: Untraceable Email Cluster Bombs Mudge: Insider Threat Singer: Life Without Firewalls Focus Issue: Security Deraison & Gula: Nessus Guest Editor: Rik Farrow Forte: Coordinated Incident Response Procedures Russell: How Are We Going to Patch All These Boxes? Kenneally: Evidence Enhancing Technology
BOOK REVIEWS AND HISTORY USENIX NEWS # CONFERENCE REPORTS 12th USENIX Security Symposium
The Advanced Computing Systems Association conference reports
12th USENIX Security tification. In addition, the link between Symposium identity and reputation is not addressed OUR THANKS TO THE SUMMARIZERS: in conventional systems. August 4–8, 2003 Scott A. Crosby This led to the next phase of the talk: Catherine Dodge Washington, D.C. Clif Flynt reputation. Black Unicorn’s most appro- Seung Won Jun KEYNOTE ADDRESS: REFLECTIONS priate definition is a specific characteris- David Molnar ON A DECADE OF PSEUDONYMITY tic or trait ascribed to a person or thing: Chris Ries Black Unicorn a reputation for courtesy. The value of Gelareh Taban reputation is as a predictor of behavior, Tara Whalen Summarized by Tara Whalen Black Unicorn, aka A.S.L. von Bern- as a means of valuation, and as a means hardi, kicked off the conference with his for third-party assessment. Black Uni- talk on the relationships between iden- corn took issue with the notion of repu- NOTE tation as a behavior-predictor. Reports for BSDCon ’03 arrived too late tity, reputation, and trust. Anonymity to be included in this issue. They are has negative connotations, or “sunny Black Unicorn then discussed trust; he available at http://www.usenix.org/ climes attract shady characters.”He presented several definitions, choosing publications/library/proceedings/ chose his pseudonym when the cypher- “reliance on something in the future; bsdcon03/confrpts. punks list was being archived, and sug- hope” as the most appropriate for this gested that anybody who doesn’t want to talk. The value of trust has several com- attract undue attention should probably ponents: as a means of inexpensive due diligence; as a delegation enabler; as a means to reduce robustness of envi- ronmental security; and as an indication of risk toler- ance. Black Unicorn then dis- cussed the relationships between trust, identity, and reputation, showing how factors such as credentials, Black Unicorn and Vern Paxson third-party attestation, and pick a benign pseudonym, such as “Bill certification affect trust. Smith.” Identity information can be augmented by due diligence, consequence augmen- He then launched into a detailed discus- tation (e.g., penalties for crimes), and sion of identity: its definition, its value, third-party attestation. and some common fallacies. The defini- tion he prefers is “the distinct personal- Q: Given the reticence of Americans to ity of an individual regarded as a persist- use ID cards, how will we be able to ing entity; individuality.” identify people? The value of identity encompasses both A: This problem is likely to remain. its use as a unique identifier and in There is no good answer; identity is establishing the uniqueness of a reputa- always going to be nebulous. We have tional assertion. different roles that we play, and we tend not to like third-party assertions about The problems with identity are a lack of our identities. a standard unique identifier, reliance on third-party attestation, and the absence Q: How is the use of third-party attesta- of static physical characteristics for iden- tions different from due diligence?
70 Vol. 28, No. 6 ;login: A: We often look at collections of attes- expected to fail, and the time it takes to 802.11 DENIAL-OF-SERVICE ATTACKS: REAL tations, which is better than looking at reject each query is measured. Rejecting VULNERABILITIES AND PRACTICAL SOLUTIONS EPORTS only one attestation. The problem with a query requires that the server perform John Bellardo and Stefan Savage, Uni- R third-party attestations is that these par- several math operations. Depending on versity of California, San Diego ties have limited motivation to do the organization of the 1s and 0s in the While many members of the audience
proper due diligence (to save money), query, different speed optimizations may were connected to the outside world via ONFERENCE C
and their own liability is limited by be performed. A program can deduce their laptops and 802.11b wireless links, insurance, which makes them less likely the positions of 1s and 0s from the time Stefan Savage demonstrated just how to be appropriately diligent. Direct expe- required to perform the math opera- insubstantial that link can be. He rience and/or lore may be better guides. tions. opened his talk by showing a graph of current network activity and then Q: Do you want different ID documents The timing attacks have been done attacked John Bellardo’s link, halting his for different purposes? many times in the past, but previous download. When this attack was started, work was done against “simple” devices A: Definitely. You have to look at the the graph showed that traffic to Bel- like smartcards. Boneh and Brumley’s agency making the attestation—what are lardo’s laptop was reduced to nearly 0 work shows that a surprising level of they qualified to say? Probably not a lot. packets, and Bellardo concurred that he noise can be introduced into the timing When looking at ID documents, you was no longer downloading any data. data without degrading it beyond have to look at what the agency is good Savage then extended the attack to the usability. Complex systems with multi- at attesting. rest of the audience, and I can confirm ple applications running simultaneously, that my connection to the outside world Q: Considering this issue from a cultural or even the variance of network latency, was gone. This lasted a few seconds after perspective: Identity is partially defined do not produce enough noise to disguise which Savage discontinued the attack, by race, religion, etc., and this affects the time difference required to perform and service was restored. one’s reputation. Comment? the analysis. He then described the two denial-of-ser- A: I agree. A lot of reputation is tied up OpenSSL was chosen for this work vice attacks he used, both of which use in name, for example, and differs from because the package is used in many legitimate features of the 802.11b proto- culture to culture (e.g., Europe vs. US). other applications, including mod_SSL, col. The first attack, which disabled only Look at what’s used for credibility: in stunnel, sNFS, and more. Of the applica- a single 802.11b user, used a deauthenti- Europe, it’s family history, unlike in the tions examined, only the Mozilla NSS cation attack. In a normal conversation US. packages defaulted to secure behavior. between an 802.11b client and access Because the RSA algorithm requires point, the client requests and receives an REFEREED PAPERS: ATTACKS many multiplications of very large num- authentication. At any point in the con- Summarized by Clif Flynt bers, most implementations use arith- versation, the client can request that the REMOTE TIMING ATTACKS ARE PRACTICAL metic optimization techniques to speed session be deauthenticated. The deau- David Brumley and Dan Boneh, up encrypting and decrypting. These thentication request is not a secure mes- Stanford University techniques are sensitive to certain bit sage; thus one client can send a message The authors received the Best Paper patterns in the test and real key, making to deauthenticate another client. Once a award for their report on the viability of a message rejection faster or slower session has been deauthenticated, the timing attacks on the RSA algorithm as depending on how closely the bit pat- original client must return to the begin- implemented in OpenSSL. They proved terns of the test key match the real key. A ning of the conversation with the AP that they could extract RSA private keys, defense against this attack is to use RSA before transmitting any more informa- not only when running on the same blinding, in which the client and server tion. should decrypt a random string as well hardware as the secure application, but He described a simple technique to pro- as the actual encrypted text to provide a also across a network including several tect against this attack. When the AP random decryption time. This produces routers. receives a deauthenticate request, it a 2–10% hit in performance. Brumley should hold the request for a period of Dan Boneh described how a timing found that this was sufficient to prevent time before implementing it. If a fresh attack works and how to defend against a successful timing analysis. This is data packet from the deauthenticating it. In a timing attack, the secure server is implemented by default in versions of sent many different queries that are OpenSSL after version 0.9.7b.
December 2003 ;login: 12TH USENIX SECURITY SYMPOSIUM 71 client is received, the AP will not process into the packets and modify it. The tory entry cache, and others. Since the the deauthenticate request. defense against this attack is simply to paper was written, the Bro IDS and the reject unreasonably large values in the Linux vulnerabilities have been Savage described other potential attacks NAV field. In actual use, legitimate val- addressed. based on fields designed to enable power ues are always under 3 ms. conservation and reduce packet colli- Crosby described several alternative
sions. However, when they implemented DENIAL OF SERVICE VIA ALGORITHMIC hash implementations and discussed some of these attacks they discovered COMPLEXITY ATTACKS their strengths and weaknesses. The uni- that current implementations of most Scott A. Crosby and Dan S. Wallach, versal hashing algorithm described by 802.11b interface cards don’t implement Rice University Carter & Wegman in 1979 is about as these features, and data in those fields is Scott Crosby pointed out that algo- fast as the Perl 5 hash algorithm. The ignored. rithms have best-case, normal-case, and UMAC hash generator is optimized for modern compilers. A new hashing As the use of 802.11b becomes more worst-case behaviors. When we imple- library dubbed UHASH was developed widespread and quality-of-service ment algorithms, we rely on normal- based on the Carter & Wegman code demands become greater, we can expect case behavior. A system with malicious and UMAC code with further optimiza- new cards to implement these features, users may be forced to demonstrate tions and generalizations to make it use- so Savage simulated a network of cards worst-case behavior. ful for applications with unknown A hash algorithm dis- length strings (CGI applications that plays a constant time to may hash on user input), as well as access an element applications where a key length can be (O(1)), unless there are determined (compilers where the key- many collisions. As the word size is fixed). number of collisions increases, the behavior of The UHASH library is slower than the the hash access Perl hash algorithm for strings of fewer approaches linear (O(n)). than 60 characters, but faster for longer By discovering a few sets strings. of letters that hash to “zero,”an attacker can INVITED TALK: DISTRIBUTING easily generate a large SECURITY: DEFENDING WEB SITES number of collisions. WITH 13,000 SERVERS Andy Ellis, Akamai Crosby demonstrated Summarized by Seung Won Jun A book-signing party that thousands of colli- sions are required before Andy Ellis showed the audience some numbers to give an idea of the scale of that implement the specifications cor- the linear nature of the hashtable search the Akamai network: 14,000 servers that rectly, and simulated attacks on that net- becomes run 100 applications and are distributed work. One of these specifications is the a problem, but that this can be achieved in 2,400 different locations. They collec- Network Allocation Vector (NAV) field. in six minutes with a typical dialup tively serve 25 billion connections and The NAV field allows an AP-client pair modem. In an attack on a Perl applica- 200 terabytes per day. Securing such a to reserve a period of time for their tion, he generated 90,000 collisions. system is a challenge. exclusive use. This allows a large packet After these collisions, retrieving a value to use up the bandwidth without having for a key with no collision took about A traditional Web service model may another unit collide with it. This time two seconds, while retrieving a value for provide confidentiality and integrity via period can be as long as 31.5 millisec- a key that had collisions took about two the separation of application/database onds. The NAV bit is maintained by the hours. servers guarded by firewalls and IDSes, firmware and, in theory, can’t be modi- This vulnerability was found in Perl, but it does not provide availability very fied by a user program. Savage described Squid, the Bro Intrusion Detection Sys- well. Availability can be compromised how an attacking application can scan tem, the Linux routing cache and direc- when flash crowds or denial-of-service the SRAM to find the value being placed attacks occur. Akamai addresses it by
72 Vol. 28, No. 6 ;login: delivering contents from the edge. While performance or reliability; it is all about Don’t scare the user. The certificate some servers on the edge may be over- “screwing the neighbors” or “not having request forms should only require EPORTS whelmed, plenty of others can still serve your bits on my network.”Though Aka- information they will actually use R the requests. The principle of delivering mai is across the street from MIT, Inter- (username, password), not unneces- from the edge applies to almost all pro- net traffic requires 15 hops and is routed sary information such as passport
tocols Akamai supports, including DNS through New York. On September 11, number. ONFERENCE