An Extensible Platform for Evaluating Security Protocols


  1. An Extensible Platform for Evaluating Security Protocols Seny Kamara joint with L. Ballard, R. Caudy, D. Davis, F. Monrose

  2. Outline • Objectives • High-level architecture • Plugin architecture • Case studies

  3. Objectives • Security • DDoS, VPNs, worm propagation, cryptographic protocols • Ease of use • Fast prototyping • Research • Education

  4. Objectives • Modularity • plugin architecture • Portability • Java • Java networking API • Dynamic customization • Java dynamic class loading

  5. System Architecture • Topology parser • Otter [CAIDA] file format (Brite) • Extended to handle real IPs • Routers can serve network prefixes • User interface (interactive and scripts) • Simulator (hosts, routers, links)

  6. Host Architecture • Incoming packet filter (FW) • Incoming Berkeley Packet Filter (BPF) • Transports • Applications • Outgoing packet filter (FW) • Outgoing Berkeley packet filter (BPF) [Diagram: HOST between Incoming Links and Outgoing Links, with FW and BPF stages on each side, Raw IP, transports TCP, ICMP, UDP, and application labels Trace, Ping, DNS, route, copy]

  7. Router Architecture • Link Processor • Incoming packet filters (FW) • Incoming Berkeley Packet Filters (BPF) • Transports • Applications • Routing Table • Outgoing packet filters (FW) • Outgoing Berkeley packet filters (BPF) [Diagram: ROUTER between Incoming Links and Outgoing Links, with Link Processor, FW and BPF stages on each side, a "Dest?" decision, Routing Table, Raw IP, transports TCP, ICMP, UDP, and application labels Trace, Ping, DNS, route, copy]

  8. Plugin Architecture • Modularity • Transparency to user • Dynamic Customization • Correctness and interoperability testing • Cryptographic protocols, TCP implementations, DDoS mitigation etc...

  9. Plugin Architecture • Transparent • plugin [IP|all] ICMP • plugin [IP|all] Ping • select src-IP • ping dest-IP • Dynamic (Java’s dynamic class loading) [Diagram: the router architecture diagram from slide 7]

  10. Plugin Architecture • Event notification (i.e. applications need to know if TCP stack is being replaced) • Before plugin • Objects can register as listeners for particular plugins

  11. Plugin Architecture • Before plug out: • plugin’s pre-plugout method is called and given replacing object • transfer state (i.e. firewall rules) • listeners are notified of plugout operation

  12. Plugin Architecture • Simnet plugins: • Topology parser • User interface • Hosts • Routers • Link processor

  13. Plugin Architecture • Simnet plugins: • Packet filters • Berkeley Packet Filters (BPFs) • Routing tables • Transports • Applications
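
The plug-out sequence from slides 10 and 11, as an added example that is not Simnet code (Simnet itself is written in Java). The class names, the `fw_in` slot and the sample rule are hypothetical; the point shown is that firewall rules move to the replacement before it starts filtering.

```python
class PacketFilter:
    """Hypothetical firewall plugin: default-allow with blocked source IPs."""
    def __init__(self):
        self.blocked = set()

    def allows(self, src_ip):
        return src_ip not in self.blocked

    def pre_plugout(self, replacement):
        # Runs on the outgoing plugin, which is handed the replacing object.
        replacement.blocked |= self.blocked

class LoggingFilter(PacketFilter):
    def __init__(self):
        super().__init__()
        self.denied = []

    def allows(self, src_ip):
        ok = super().allows(src_ip)
        if not ok:
            self.denied.append(src_ip)
        return ok

class Host:
    def __init__(self):
        self.slots, self.listeners = {}, {}

    def register_listener(self, slot, callback):
        self.listeners.setdefault(slot, []).append(callback)

    def plugin(self, slot, replacement):
        old = self.slots.get(slot)
        if old is not None:
            old.pre_plugout(replacement)            # 1. state transfer
            for notify in self.listeners.get(slot, []):
                notify(slot, old, replacement)      # 2. listeners hear of the plug-out
        self.slots[slot] = replacement              # 3. only now does traffic switch

def demo():
    host, events = Host(), []
    host.register_listener("fw_in", lambda s, old, new: events.append(
        (s, type(old).__name__, type(new).__name__)))
    first = PacketFilter()
    first.blocked.add("10.0.0.66")                  # constructed sample rule
    host.plugin("fw_in", first)
    host.plugin("fw_in", LoggingFilter())           # hot swap while the rule is live
    still_blocked = not host.slots["fw_in"].allows("10.0.0.66")
    return still_blocked, events, host.slots["fw_in"].denied
```
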

  14. Case Studies • Scalability : Worm Propagation • Modularity : DNSSEC

  15. Experimental Setup • Dual-processor 1.3 GHz XServe G4 • 1024 MB RAM • Mac OS 10.2.6

  16. Worm Propagation • Zero-day worms • Nimda, Code Red I, Code Red II • Compare effectiveness of various worm target selection algorithms

  17. Worm Propagation • Naive worms • Uniform selection • Nimda • Biased towards own class B • Code Red II • Biased towards own class A

  18. Worm Propagation • Requires • Topologies on the order of millions • Simnet only supports topologies on the order of hundreds (full packet-level simulation) • Trade simulation detail for scalability

  19. Worm Propagation • Aggregate Router plugin • Simulate entire Class B networks • Parameters: • percentage of reachable class C nets. • percentage of allocated IPs (in each class C)

  20. Worm Propagation • Worm Modeler Plugin • Simulates propagation characteristics • Parameters: • percentage of reachable hosts that are vulnerable • probing rate per infected host per second • target selection probs. for Class B, A, I

  21. Worm Propagation • Given scope of simulation we want to reduce total simulation time • “Compress” time by only sending probes to vulnerable hosts • And assigning a time cost to each probe according to a geometric distribution on the probability of choosing a vulnerable host

  22. Worm Propagation • 192 Agg. Routers chosen from AS level topology from Route Views project • Yields about 2 million hosts

  23. Worm Propagation • 500,000 vulnerable hosts • 0.5 probes per infected host per second • Target selection (B / A / I): • Naive: 0.3 / 0.3 / 0.3 • Nimda: 0.5 / 0.25 / 0.25 • Code Red II: 0.375 / 0.5 / 0.125

  24. Worm Propagation • Assumptions • Vulnerable hosts infected after 1 UDP probe (SQLSlammer) • Once infected host remains infected

  25. Worm Propagation
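
The time compression from slide 21, as an added example that is not Simnet's Worm Modeler plugin: only probes that land on vulnerable hosts are simulated, and each one is charged the time of a geometrically distributed number of probes. It is narrowed to uniform target selection, and it assumes the hit probability is vulnerable hosts divided by total hosts; the function names and the scaled-down host counts are choices made here.

```python
import heapq
import math
import random

def probes_until_hit(p, rng):
    """K ~ Geometric(p): probes sent up to and including the first hit."""
    if p >= 1.0:
        return 1
    u = 1.0 - rng.random()                      # u in (0, 1]
    return max(1, math.ceil(math.log(u) / math.log(1.0 - p)))

def simulate(total_hosts, vulnerable, probe_rate, seed=1):
    """Event-driven run; returns (infection curve, simulated probes, represented probes)."""
    rng = random.Random(seed)
    p = vulnerable / total_hosts                # assumed chance a uniform probe hits a vulnerable host
    infected = {0}                              # vulnerable hosts are ids 0..vulnerable-1
    events = []                                 # heap of (time, source, probes represented)

    def schedule(now, host):
        k = probes_until_hit(p, rng)
        heapq.heappush(events, (now + k / probe_rate, host, k))

    schedule(0.0, 0)
    curve, simulated, represented = [(0.0, 1)], 0, 0
    while len(infected) < vulnerable:
        now, src, k = heapq.heappop(events)
        simulated += 1                          # one probe actually delivered
        represented += k                        # stands for k probes of a full simulation
        target = rng.randrange(vulnerable)      # probes only ever reach vulnerable hosts
        if target not in infected:              # once infected, a host stays infected
            infected.add(target)
            curve.append((now, len(infected)))
            schedule(now, target)
        schedule(now, src)
    return curve, simulated, represented

if __name__ == "__main__":
    # Constructed, scaled-down inputs with the slide's 1-in-4 vulnerable ratio.
    curve, sim, rep = simulate(total_hosts=20_000, vulnerable=5_000, probe_rate=0.5)
    print(f"all {curve[-1][1]} vulnerable hosts infected at t={curve[-1][0]:.0f}s")
    print(f"{sim} probes simulated in place of {rep}")
```
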

  26. Pushback • Aggregate-based Congestion Control (ACC) [MBF+01] • DDoS mitigation • Rate limits flows that match certain characteristics • If necessary propagates rate limiting upstream

  27. Pushback • Am I congested? • monitor packet drop rate • Can I identify the offending flow? • Sample high volume traffic (dropped packets from RED) • How much should I rate limit offending flow? • When do I stop rate limiting?

  28. Pushback • Compare effectiveness of various ACC mechanisms against DDoS attacks • Requires • Accurate bandwidth and latency modeling

  29. Pushback • Pushback variants: • Pushback • Direct pushback (unpublished) • On/Off pushback (unpublished)

  30. Pushback • Link A has 3/4 cap. and 2/3 queue size • Attack traffic from 7 (/20) hosts @ 25 pkts. per sec. toward victim • Good/poor traffic from A 13 (/20) hosts @ 10 pkts. per sec toward 1/6 dests. (including victim) • 10 min. experiments

  31. Pushback

  32. DNSSEC • Public-key DNSSEC • Mitigates DNS spoofing, cache poisoning etc... • authenticates RRs

  33. DNSSEC • Overhead in processing time and traffic (no experimental results have ever appeared) • Requires • Modularity • Cryptography

  34. DNSSEC

  35. DNSSEC

  36. DNSSEC • 40 nodes in .com and .edu domains • 16 clients (Application level plugins) making • type A and NS requests • bogus requests • domain distribution • all according to published results

  37. DNSSEC • 3 second cache duration • zones re-signed every 6 seconds • 3 second request timeouts • Cryptographic primitives • Signatures: DSA • PK encryption: RSA • TSIGs: HMAC-MD5

  38. DNSSEC • Local resolver servicing 3 stub resolvers

  39. DNSSEC

  40. DNSSEC • Increase in packets due to public key requests • Increase in packet size due to signatures, RR sets etc...

  41. Conclusions • Simnet was designed with security protocols in mind • Simnet is not meant to replace ns

  42. Conclusions • Low learning curve • Highly modular • Scalable • Accurate modeling

  43. Implementations • Network protocols • IP , ICMP , UDP , TCP • Ping, Traceroute, DNS, NAT

  44. Implementations • DDoS mitigation protocols • Pushback • Direct Pushback • Synkill

  45. Implementations • IP traceback schemes • PPM • SPIE • Authenticated and Advanced Marking Schemes

  46. Implementations • Cryptographic protocols • SSL • PK-DNSSEC • Kerberos • Onion routing

  47. Questions? • Simnet v1.0 available at: http://simnet.isi.jhu.edu
