
Architectural Support for Managing Privacy Tradeoffs in the Internet

David Naylor
August 2017
CMU-CS-17-116

Computer Science Department
School of Computer Science
Carnegie Mellon University
Pittsburgh, PA

Thesis Committee:
Peter Steenkiste, Chair
Vyas Sekar
Srini Seshan
Dave Oran (Network Systems Research & Design; MIT Media Lab)
Adrian Perrig (ETH Zürich)

Submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy.

Copyright © 2017 David Naylor.

This work was supported by the Department of Defense (DoD) through the National Defense Science & Engineering Graduate Fellowship (NDSEG) Program, by the National Science Foundation under grants numbered CNS-1040801 and CNS-1345305, and by the European Union under the FP7 Grant Agreement n. 318627 (Integrated Project “mPlane”). The views and conclusions contained in this document are those of the author and should not be interpreted as representing the official policies, either expressed or implied, of any sponsoring institution, the U.S. government, or any other entity.

Keywords: networks, privacy, anonymity, secrecy, accountability, TLS, HTTPS, encryption, middleboxes, trusted computing, SGX

To my parents, who made me think getting a PhD was a normal thing to do.

Abstract

Using a communication network entails an inherent privacy risk: packets cross an infrastructure maintained by several parties other than the sender and receiver, each of which has the opportunity to observe the packets as they are processed and forwarded. This poses a risk because packets carry information that users might rather keep private, namely: (1) the source address, which exposes the sender, (2) the destination address, which exposes the recipient, and (3) the body, which can expose user data. Beyond the information explicitly carried by the packet, observers can also learn sensitive things merely from the fact that a packet happened to be in a certain place at a certain time.
All of this information is often divided into two categories: data (the actual message being communicated, e.g., the contents of an email) and metadata (information about the communication, e.g., “A emailed B at 12:07 today”). Fortunately, we have tools, widely used in practice, to protect this information. Unfortunately, these tools tend to make aggressive trade-offs, sacrificing other desirable properties for the sake of privacy. For example, to protect data, the use of encryption is widespread—on the Web, for instance, many sites have switched from HTTP to HTTPS. Unfortunately, encryption blinds middleboxes, which can lead to a loss of functionality, performance, and even security. And to protect metadata, anonymous communication systems like Tor reduce accountability by preventing network operators from learning who sent a packet and also often introduce performance overheads.

These “privacy vs. X” tussles seem fundamental, because privacy requires hiding information like source addresses and payloads, while the other properties—performance, accountability, functionality, and security—require exposing that information. How can we do both? In this thesis, we argue first that a practical balance is possible if we carefully control access to packet data and metadata and second that this requires architectural support from the network. We make this argument in two parts.

First, we show how to keep in-flight data private while at the same time allowing middleboxes like caches, compression proxies, and intrusion detection systems to operate. We motivate, design, and evaluate two protocols for secure communication that includes middleboxes, each one granting data access only to middleboxes explicitly trusted by an endpoint and also limiting the scope of what those middleboxes can do with that data. With fully-functional implementations, we show that these protocols are deployable and have minimal performance overhead.
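One way to realize the scoped access described above, as an added illustration rather than code from the thesis: each slice of the data (a "context", here HTTP headers versus body) gets its own read key and write key, a trusted middlebox receives only the keys for the contexts and operations it needs, and a MAC under the write key lets the endpoints detect any modification made by a read-only middlebox. The context names, the toy HMAC-based keystream, and the IDS scenario are all constructed for this example.

```python
import hashlib, hmac, os
from dataclasses import dataclass

# Toy counter-mode keystream from HMAC-SHA256 (illustration only; a real protocol would use an AEAD).
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

@dataclass
class Record:
    context: str       # which slice of the data this is, e.g. "headers" or "body"
    nonce: bytes
    ciphertext: bytes  # encrypted under the context's read key
    tag: bytes         # MAC under the context's write key

def seal(read_key: bytes, write_key: bytes, context: str, plaintext: bytes) -> Record:
    # Sending endpoint: encrypt with the read key, authenticate with the write key.
    nonce = os.urandom(12)
    ct = _xor(plaintext, _keystream(read_key, nonce, len(plaintext)))
    tag = hmac.new(write_key, context.encode() + nonce + ct, hashlib.sha256).digest()
    return Record(context, nonce, ct, tag)

def middlebox_read(read_key: bytes, rec: Record) -> bytes:
    # A read-only middlebox holds just the read key: it can decrypt but not re-sign.
    return _xor(rec.ciphertext, _keystream(read_key, rec.nonce, len(rec.ciphertext)))

def open_record(read_key: bytes, write_key: bytes, rec: Record) -> bytes:
    # Receiving endpoint: an edit by anyone without the write key fails the MAC.
    msg = rec.context.encode() + rec.nonce + rec.ciphertext
    if not hmac.compare_digest(hmac.new(write_key, msg, hashlib.sha256).digest(), rec.tag):
        raise ValueError(f"context {rec.context!r} modified without write access")
    return middlebox_read(read_key, rec)

def run_example() -> dict:
    # Constructed scenario: an IDS is trusted to read HTTP headers but not the body.
    keys = {ctx: (os.urandom(32), os.urandom(32)) for ctx in ("headers", "body")}
    hdr = seal(*keys["headers"], "headers", b"GET /index.html HTTP/1.1")
    body = seal(*keys["body"], "body", b"session=example-token")
    ids_sees = middlebox_read(keys["headers"][0], hdr)  # IDS gets the headers read key only
    # Had the IDS altered the headers (one ciphertext bit flipped here), the server notices.
    edited = Record(hdr.context, hdr.nonce, bytes([hdr.ciphertext[0] ^ 1]) + hdr.ciphertext[1:], hdr.tag)
    try:
        open_record(*keys["headers"], edited)
        edit_detected = False
    except ValueError:
        edit_detected = True
    return {"ids_sees": ids_sees, "edit_detected": edit_detected,
            "server_body": open_record(*keys["body"], body)}
```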
Second, we show how re-thinking the way the network treats source addresses can enable a balance between privacy and accountability that is not possible today. We present the design of a new network architecture that separates source addresses into distinct “accountability” and “return” addresses and show with trace-driven analysis that the performance overhead is reasonable. In order to compare our new architecture to related work, we also develop an evaluation methodology for quantifying “how private” a network architecture is.

Acknowledgments

This thesis would undoubtedly not have happened without the support, guidance, patience, and friendship of a long list of people. I will unsuccessfully attempt to enumerate them here; to anyone I’ve inadvertently left out, my apologies.

To start, huge thanks to my advisor, Peter Steenkiste, for six years of guidance and mentorship (though even after six years, I still haven’t managed to pick up his ability to immediately see through superfluous details and articulate the heart of a problem, no matter how badly I explain something). I particularly appreciated his willingness to leave me to my own devices when it came time to format papers or design slides. The rest of my committee deserves thanks as well: Vyas Sekar, for being a top notch random idea generator and evil question simulator; Srini Seshan, for his honest appraisal of my color schemes; Dave Oran, for not giving up on me after I completely misunderstood his question after my talk at SIGCOMM; and Adrian Perrig, for consistently reminding us networking folks how security works.

I’d also like to thank my collaborators outside CMU, starting with the crew at Telefónica. Thanks Dina Papagiannaki, Matteo Varvello, Jeremy Blackburn, Ilias Leontiadis, Yan Grunenberger, Alessandro Finamore, and Pablo Rodriguez for an amazing summer (and winter!) in Barcelona (and also for not naming mcTLS “TruMP”—we really dodged a bullet there).
And to my MSR colleagues Thomas Karagiannis and Christos Gkantsidis for an equally awesome, albeit less sunny, summer in Cambridge.

Even with the support of all these amazing researchers, no actual research would happen without the additional support of SCS, CSD, and XIA staff. Deb Cavlovich, Jenn Landefeld, Angie Miller, Kathy McNiff, Angy Malloy, Dan Barrett, and Nitin Gupta—sometimes I think yinz are the only ones in the building who actually know what’s going on.

Beyond getting through the PhD, I could not have gotten to it without the help of my undergraduate research mentors—Alberto Segre, Ted Herman, Phil Polgreen, Sriram Pemmaraju, Geb Thomas, and the rest of the CompEpi team; my family, for raising baby-David in an environment that valued education, curiosity, and rational thought; and the privilege that comes with being a white, male American.

Finally, shoutouts to my Pittsburgh friends, who deserve credit for keeping me happy and sane for the past six years. Alphabetically, thanks to: Alex Beutel, for giving us all a hard time when we tried to work on Friday nights; Brock, for being the cutest dog ever, even when he bites you because you have a deadline so you can’t play with him; JP Dickerson, for giving us one more reason to not use Comic Sans; Zakir Durumeric, for scanning the whole Internet for me; Lili Ehrlich, for all the awesome tattoo suggestions; Nico Feltman, for backing me up when I’m being pedantic and (I guess) for coining “Nay-Nay”; Sam Gottlieb, for distracting me from research with Teddy; Dongsu Han, for being a vim super-user role model; Sophie Hood, for teaching me about all the weird colors vegetables come in; Sid Jain, for briefly keeping me company in GHC 7509; Angela Jiang, for making me feel less guilty about my Uber usage; Hyeontaek Lim, for explaining to me how systems actually work; Sarah Loos, for the grad lounge; Dana and Yair Movshovitz-Attias, for never complaining that we always addressed them as a unit; Matt Mukerjee, for at least somewhat successfully convincing me not to spend all my time working and also for keeping me from being a hoarder; Kenton Murray, for making sure at least one of us has cool hair; George Nychis, for helping me decipher Peter’s handwriting; Vagelis Papalexakis, for single-handedly raising CSD’s average height by like at least an inch; Alex Poms, for reminding me to be thankful I’m acclimated to winter; Nic Resch, for teaching us Canadian; Wolf Richter, for showing us that research code doesn’t have to be research code; Raja Sambasivan, for encouraging me to ignore ugly conference formatting guidelines; Nick Sharp, for pairing applesauce with weird things; Evan Shimizu, for literally being the SCS dragon; Richard Wang, for only occasionally stalking me with Cobot; Gabe Weisz, for keeping the department stocked with quality beer; Colin White, for encouraging healthy activities like eating donuts in the middle of a run; David Witmer, for running two awesome visit days with me and for making me look stronger by association at the gym; John Wright, for being right about expander graph networks all along; Yuchen Wu, for forcing me to switch to zsh; Yu Zhao, for not leaving me by myself in the office; Jayant, Kevin, Shiva, and Patrick, for running the CS party house; and to Duy, Molly, Greg, Kevin, Randy, Kristy, Arush, Pallavi, Su Su, Mariah, Hank, Dana, Alex, Elizabeth, and Matteus, for reminding me there is life outside CS.
Contents

I Introduction and Background
1 Introduction
1.1 Background
1.1.1 Our Setting
1.1.2 User Goals
1.2 Overview and Contributions
1.2.1 Protecting In-Flight Data (Without Giving Up Performance & Functionality)
1.2.2 Protecting Communication Metadata (Without Giving Up Accountability)
II Protecting Data (Without Giving Up Performance & Functionality)
II.1 Protecting In-Flight Data
II.1.1 Properties
II.1.2 Techniques
II.2 ...Without Giving Up Performance and Functionality
II.3 Related Work
II.3.1 Operating on Encrypted Data
II.3.2 Granting Access to Encrypted Data