Advanced Network Inference Techniques Based on Network Protocol Stack Information Leaks Roya Ensafi

Advanced Network Inference Techniques Based on Network Protocol Stack Information Leaks Roya Ensafi

University of New Mexico UNM Digital Repository Computer Science ETDs Engineering ETDs 12-1-2014 Advanced Network Inference Techniques Based on Network Protocol Stack Information Leaks Roya Ensafi Follow this and additional works at: https://digitalrepository.unm.edu/cs_etds Recommended Citation Ensafi, Roya. "Advanced Network Inference Techniques Based on Network Protocol Stack Information Leaks." (2014). https://digitalrepository.unm.edu/cs_etds/47 This Dissertation is brought to you for free and open access by the Engineering ETDs at UNM Digital Repository. It has been accepted for inclusion in Computer Science ETDs by an authorized administrator of UNM Digital Repository. For more information, please contact [email protected]. Roya Ensafi Candidate Computer Science Department This dissertation is approved, and it is acceptable in quality and form for publication: Approved by the Dissertation Committee: Jadidiah Crandall , Chairperson Stefan Savage Terran Lane Michalis Faloutsos Advanced Network Inference Techniques Based on Network Protocol Stack Information Leaks by Roya Ensafi B.E., Computer Engineering, Ferdowsi University of Mashhad, 2006 M.S., Computer Science, University of New Mexico, 2011, $ISSER'('%)! Submitted in *artial Fu+,++ment of the &equirements for the $egree of $o tor of Phi+osophy Computer Scien e The University of New Mexico (+bu-uer-ue, New Mexico $ecember, 20#. ii 201., Roya Ensa, � iii Dedication This dissertation is dedicated to my Mom, Touba Hassan Pour, who supported me nonstop since I can remember. She is my hero. I wish her years and years of happiness to come. iv Acknowledgments First % wou+d +i/e to than/ my advisor Jedidiah Cranda++. Since the ,rst day % arrived at UNM, he and % have had many creative discussions that he+ped to deve+op this resear h from scrat h. % wou+d a+so +i/e to than/ many others for their mentorship and efforts. Many than/s to Stefan Savage, 'erran 2ane, and Mi ha+is Faloutsos for serving on my dissertation committee. Than/s to Deepa/ 3apur, Stephanie Forrest, 'erran 2ane, and Cris Moore for sharing their insights into the nature of omputer science. Than/s to 4ern *a"son for his amazing pub+ications whi h have inspired me and given me joy when reading his papers bac/ in Iran. % wou+d +i/e to than/ my parents Mohammad Hossein and 'ouba, my one and on+y grandfather, and my sib+ings for their +ove and support. Than/s to Roshan &ammohan, 8endy *atterson, Kasra Manavi, and *hi+ipp Winter for being there for me unconditional+y. Without your support % wou+d not have been ab+e to dea+ with the di9 u+t situations that have arisen in my +ife. Specia+ than/s to 2ourdes McKenna, 2ynne Jacobsen, and George 2uger who have been extreme+y /ind to me throughout my time at UNM. Than/s to *hi+ipp Winter not on+y for his contribution on a new S;! ba /+og id+e scan presented in Section <.., but a+so for his ol+aboration re+ated to Chapter <. )ur col+aboration gave me the 6oy of fee+ing respected as a resear her and whose co++aborations effort is tru+y appreciated. (+so, % wou+d +i/e to than/ my co-author Jeffrey 3no /e+ for his contribution of the (&MA modeling in Section .... 2ast, but ertain+y not +east, than/s to the mountains, trees, and springs of KelateBala for the humi+ity and wonderment. v Advanced Network Inference Techniques Based on Network Protocol Stack Information Leaks by Roya Ensafi B.E., Computer Engineering, Ferdowsi University of Mashhad, 2006 M.S., Computer Science, University of New Mexico, 2011, Ph.$. Computer S ience, University of New Mexico, 20#. Abstract Side hanne+s are hannels of imp+icit information >ow that an be used to ,nd out information that is not al+owed to >ow through exp+icit hannels. This thesis focuses on networ/ side hannels, where information >ow o urs in the TC*?%* networ/ stac/ imp+ementations of operating systems. % wi++ describe three new types of id+e scans@ a S;! ba /+og id+e scan, a &S' rate-limit id+e scan, and a hybrid id+e scan. %d+e scans are special types of side hannels that are designed to help someone performing a networ/ measurement Atypica++y an attac/er or a researcherB to infer something about the networ/ that they are not otherwise ab+e to see from their vantage point. The thesis that this dissertation tests is this: because modern network stacks have shared resources, there is a wealth of information that can be inferred off-path by both attackers and Internet measurement researchers. With respect to atta /ers, no matter how arefu++y the security mode+ is designed, the non=interference property vi is unli/ely to hold, i.e., an atta /er can easi+y ,nd side hanne+s of information >ow to +earn about the networ/ from the perspective of the system remotely. One suggestion is that trust relationships for using resources be made exp+icit a++ the way down to %* +ayer with the goa+ of dividing resources and removing sharendess to prevent advanced networ/ reconnaissance. With respect to Internet measurement resear hers, in this dissertation % show that the information >ow is ri h enough to test connectivity between two arbitrary hosts on the Internet and even infer in whi h direction any b+o /ing is occurring. 'o exp+ore this thesis, % present three resear h efforts: First, % modeled a typi al 'CP/%* networ/ sta /. The bui+ding process for this • modeling effort +ed to the discovery of two new id+es scans: a S;! ba /+og id+e scan and a &S' rate-limited id+e scan. The S;! bac/+og scan is particu+ar+y interesting because it does not require whoever is performing the measurements Ai.e., the atta /er or resear herB to send any pa /ets to the victim Aor targetB at a++. Second, % developed a hybrid id+e scan that combines elements of the S;! • ba /+og id+e scan with Antire5Cs original %*%$=based id+e scan. This scan en= ab+es resear hers to test whether two arbitrary ma hines in the wor+d are ab+e to ommunicate via 'CP/%*, and, if not, in whi h direction the ommunica- tion is being prevented. 'o test the effi acy of the hybrid id+e scan, % tested three different kinds of servers A'or bridges, 'or directory servers, and normal web servers) both inside and outside China. The resu+ts were congruent with pub+ished understandings of g+obal %nternet censorship, demonstrating that the hybrid id+e scan is effective. Third, % app+ied the hybrid id+e scan to the di9 u+t prob+em of haracterizing • inconsistencies in the :reat Firewal+ of China AGFW), whi h is the +argest vii ,rewa++ in the wor+d. This effort resolved many open -uestions about the GFW. The resu+t of my dissertation wor/ is an effective method for measuring Internet censorship around the wor+d, without requiring any /ind of distributed measurement p+atform or ac ess to any of the ma hines that connectivity is tested to or from. viii #ontents List of Figures %iii List of Tables %vi & Introduction & #.# $issertation Overview .................... ......D ' Back!round and #ontext1 ( 2.# %nteraction Modeling Efforts .................... < 2.2 %*%$ Id+e S ans .................... .......... #0 ) Idle Scanning and Non-interference Analysis of Network Protocol Stacks &' D.# %ntroduction .................... ............ #D D.2 Background .................... ............ #< 1Since this research was performed with the help of collaborators, I have adopted using “we” instead of “I” in Chapters 2 through 6. i" Contents D.D Formalizing !on=interference Analysis of Id+e Scans .......... #6 D.3.# S(2 for Mode+ing, Counterexamp+es, and 4eri,cation . #6 D.3.2 Assumptions to Reduce the Number of Mode+ States . 20 D.. Finding and Ameliorating Id+e S ans .................. 22 D.4.# $iscovering Counterexamp+es .................. 22 D.4.2 Experimenta+ Con,rmation of Counterexamp+es . 2E D.4.D Ensuring Non-interference Using S(2 Model Chec/er . D6 D.< Con +uding &emarks and Future 8or/ ................. DF + Detecting Censorshi, via TCP/IP Side #hannels +) ..# %ntroduction .................... ............ .. ..2 %mp+ementation of Hybrid Id+e S an ................... 46 ..D Experimental Setup .................... <0 ... Ana+ysis .................... .............. <D ..< &esu+ts .................... ............... <6 ..6 Con +usion .................... ............. <G ( Large-scale Spatiotem,oral #haracterization of Inconsistencies in /$0 12 <.# %ntroduction .................... ............ 6# <.2 Motivation and GFW Background .................... 65 <.2.# Spatial *atterns .................... 66 " Contents <.2.2 'empora+ *atterns .................... 6E <.2.D $etai+s of the Fi+tering .................... 6E <.2.. Ar hitecture of the :FW .................... 6F <.D Networ/ing Ba /ground .................... E0 <.3.# Side Channe+s in 2inu"Cs S;! Ba /+og ............. E0 <.3.2 The :+obal %* Identi,er .................... E# <.3.D Hybrid Id+e S an .................... E2 <.3.. The 'or !etwor/ .................... E. <.. Experimental Methodo+ogy .................... E. <.4.# Encountered Chal+enges .................... E< <.4.2 Experimenta+ $esign and Setup ................. E6 <.4.D Good Internet Citizenship .................... F. <.< Ana+ysis and &esults .................... F. <.5.# Hybrid Id+e S ans .................... F< <.5.2 'empora+ and Spatia+ Association ................ FE <.5.D S;! Bac/+og Scans .................... FG <.5.. 'raceroutes .................... G0 <.6 $iscussion .................... ............. G2 <.6.# Fi+tering of 'or in China .................... G2 <.6.2 The (rchitecture of the GFW .................. G. xi Contents <.6.D Ethica+ Considerations .................... G< <.E Con +usion .................... ............. G6 1 Related 0ork 34 6.# %d+e and *ort Scanning .................... GE 6.2 Censorship Measurement .................... GG 6.D Summary .................... ............. #0# 4 Ethical Considerations &2) 5 Conclusion and $uture 0ork &21 F.# Future 8or/ .................... #07 References &23 "ii List of Figures 2.# Basi definition of an id+e scan. $ashed +ines represent %* ommuni= cation with spoofed sour e %* addresses whereas solid +ines represent %* ommunication with unspoofed %* addresses.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    135 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us