Systems Security: Why is Measurement Important? Patrick Traynor - - PowerPoint PPT Presentation



SLIDE 1

CSE 545 - Professor Patrick McDaniel Page

Systems Security: Why is Measurement Important?

Patrick Traynor
CSE 544 - Advanced Systems Security
1/23/07

SLIDE 2

CSE 544 - Professor Patrick McDaniel Page

Scotland vs Security


SLIDE 7

The Importance of Measurement

  • Measurement is a critical step in the science of systems security.
  • It helps us understand the true nature of a system - how it looks, feels and operates.
  • While mathematical modeling is important, our models typically fail to describe subtle interactions between components.
  • Measurement is about the difference between how a bowling ball and a feather fall from a great height in a lab and in the real world...

SLIDE 8

Engineering vs Science

  • What is the difference between engineering and science?
  • Why then is measurement a science and not simply part of engineering?
  • Measurement is at the very core of what we as systems people do!
  • If you have not done a performance analysis, you should consider one as part of your semester project...

SLIDE 9

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Restoring State

  • Traffic channels (TCH)
      • used to deliver voice traffic to cell phones (yak yak ...)
  • Control Channel (CCH)
      • used for signaling between base station and phones
      • used to deliver SMS messages
      • not originally designed for SMS

[Figure labels: CCH, TCH]

SLIDE 10

The Vulnerability

  • Once you fill the SDCCH channels with SMS traffic, call setup is blocked.
  • The goal of an adversary is therefore to fill SDCCHs with SMS traffic.

[Figure labels: SMS, Voice, X]

SLIDE 11

Modeling

  • To better understand these attacks and countermeasures, we use two techniques: queueing and simulation.
  • We implemented protocols/channels as specified in 3GPP documents.
  • We use parameters from publicly available documents: 3GPP, FCC, NCS.

[Figure: simulator block diagram. Labels: Message Generation, RACH, Voice, SMS, Attack SMS, Service Queue Manager, Service Queue Module, SDCCH, TCH, Call Completion and SMS Delivery Reporting Module]

SLIDE 12

Why Simulation?

  • Why are the calculations in the first paper not enough to characterize this attack?
  • Why is simulation the right tool for this job?
  • How can we be sure that the results we get are meaningful?
  • What other techniques could you use in your class projects?

SLIDE 13

Attack Profile

  • Examined call blocking under uniform, Poisson and bursty arrival patterns.
  • Because of variability in the network, we use the Poisson model for our remaining experiments.
  • Using 495 msgs/sec, a blocking probability of 71% is possible with the bandwidth of a cable modem.

[Figure: two plots. Plot 1: Average Percent Blocking During Attack vs. SMS Attack Messages per Second, with series Uniform (SDCCH), Poisson (SDCCH) and Burst 12 (SDCCH). Plot 2: Utilization vs. Time (seconds), with series SDCCH Utilization and TCH Utilization.]

SLIDE 14

Current Countermeasures

  • SPAM filtering, Source IP-address filtering and Rate limitation are edge solutions.
  • There are many portals to these networks - email, IM, bulk senders, infected/compromised mobile devices, other provider networks, etc.
  • Given that the solutions offer no protection once messages are inside the system, we look to other methods to defend against attacks.

SLIDE 15

Queue Management

  • Simply adding a queue in front of the SDCCHs is not a sufficient means of preventing this attack.
  • We look to queue management techniques that have been successful in data networks.
  • We segment traffic into voice and SMS streams, and attempt to deliver the maximum amount of legitimate traffic possible.

SLIDE 16

Weighted Fair Queueing

  • Traffic can be classified, split into separate queues and serviced at equal rates.
  • Packets belonging to misbehaving flows are therefore unable to affect other traffic.
  • To ensure that voice calls are not crowded out by targeted SMS attacks, we give 2:1 priority to calls over text messages.

[Figure: weighted fair queueing diagram]

SLIDE 17

WFQ - Overview

[Figure: animation spanning slides 17-24. Labels: Voice, SMS, Finished]

SLIDE 25

WFQ - Results

  • Under WFQ, voice calls never block.
  • 72% of all SMS messages are blocked.
  • We throw out huge numbers of both legitimate AND malicious packets.

[Figure: two plots. Plot 1: Percent of Attempts Blocked vs. Time (seconds), with series Service Queue (SMS), Service Queue (Voice) and TCH (Voice). Plot 2: Utilization vs. Time (seconds), with series SDCCH, TCH and Service Queue.]
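The 2:1 voice-over-SMS service described on the Weighted Fair Queueing slide, as an added example that is not from the original slides: a slotted simulation comparing one shared FIFO with per-class queues served by weighted round robin (a simple approximation of WFQ). The arrival rates, queue sizes and slot count are constructed, so the blocked fractions show the behavior and do not reproduce the 72% figure above.

```python
from collections import deque

CLASSES = ("voice", "sms")


def simulate(ticks, voice_per_tick, sms_per_tick, weights=None,
             slots_per_tick=3, queue_cap=12):
    """Return the blocked fraction per class after `ticks` service slots.

    weights=None: one shared FIFO holding 2*queue_cap requests.
    weights={"voice": 2, "sms": 1}: one queue per class, served 2:1.
    """
    arrivals = {"voice": voice_per_tick, "sms": sms_per_tick}
    offered = dict.fromkeys(CLASSES, 0)
    blocked = dict.fromkeys(CLASSES, 0)
    if weights is None:
        shared = deque()
        queues = {c: shared for c in CLASSES}
        cap = 2 * queue_cap
    else:
        queues = {c: deque() for c in CLASSES}
        cap = queue_cap
    for _ in range(ticks):
        # Flood traffic is enqueued first in each tick: worst case for voice.
        for c in ("sms", "voice"):
            for _ in range(arrivals[c]):
                offered[c] += 1
                if len(queues[c]) < cap:
                    queues[c].append(c)
                else:
                    blocked[c] += 1
        free = slots_per_tick
        if weights is None:
            while free and shared:
                shared.popleft()
                free -= 1
            continue
        # Work-conserving weighted round robin: unused voice slots go to SMS.
        while free and any(queues.values()):
            for c in CLASSES:
                for _ in range(weights[c]):
                    if free and queues[c]:
                        queues[c].popleft()
                        free -= 1
    return {c: blocked[c] / offered[c] if offered[c] else 0.0 for c in CLASSES}


if __name__ == "__main__":
    # Constructed load: 1 call setup and 10 SMS per tick, 3 service slots.
    print("shared FIFO:", simulate(1000, 1, 10))
    print("2:1 queues: ", simulate(1000, 1, 10, weights={"voice": 2, "sms": 1}))
```

With the shared queue the flood fills the buffer and almost every call setup is dropped; with per-class queues voice never blocks and the loss is confined to SMS, legitimate and malicious alike.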

SLIDE 26

Random Early Detection

  • RED has traditionally been used to maintain TCP window size, but it also helps prevent queue lockout.
  • We again separate traffic into voice and SMS, but further subdivide SMS into high, medium and low origin priorities.
  • Based on these priorities, we evict newly arriving packets based on queue status.

$$N_Q = P_Q \frac{\rho}{1 - \rho}$$

$$P_Q = \frac{p_0 (m\rho)^m}{m!\,(1 - \rho)}$$

$$p_0 = \left[ \sum_{n=0}^{m-1} \frac{(m\rho)^n}{n!} + \frac{(m\rho)^m}{m!\,(1 - \rho)} \right]^{-1}$$

$$\rho_{target} = \rho_{actual} (1 - P_{drop})$$

$$P_{drop} = \frac{P_{drop,high} \cdot \lambda_{high} + P_{drop,med} \cdot \lambda_{med} + P_{drop,low} \cdot \lambda_{low}}{\lambda_{SMS}}$$
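The formulas on this slide carried through in code, as an added example that is not from the original slides: the M/M/m quantities, the aggregate drop probability needed to bring an overloaded queue back to a target utilization, and one way to split that drop across the three SMS priorities. The lowest-priority-first split and all rates are assumptions made for this example.

```python
from math import factorial


def mmm_queue(m, rho):
    """Return (p0, P_Q, N_Q) for an M/M/m queue at per-server utilization rho."""
    if not 0 <= rho < 1:
        raise ValueError("steady state requires 0 <= rho < 1")
    a = m * rho
    tail = a ** m / (factorial(m) * (1 - rho))
    p0 = 1.0 / (sum(a ** n / factorial(n) for n in range(m)) + tail)
    p_q = p0 * tail
    return p0, p_q, p_q * rho / (1 - rho)


def required_drop(rho_actual, rho_target):
    """Aggregate P_drop solving rho_target = rho_actual * (1 - P_drop)."""
    if rho_actual <= rho_target:
        return 0.0
    return 1.0 - rho_target / rho_actual


def per_class_drop(p_drop, rates):
    """Split the aggregate drop across classes, lowest priority first.

    rates maps "high"/"med"/"low" to arrival rates (lambda). Assumed policy:
    shed all of "low" before touching "med", and "med" before "high".
    """
    to_shed = p_drop * sum(rates.values())
    drops = {}
    for cls in ("low", "med", "high"):
        shed = min(rates[cls], to_shed)
        drops[cls] = shed / rates[cls] if rates[cls] else 0.0
        to_shed -= shed
    return drops


def aggregate_drop(drops, rates):
    """P_drop as the rate-weighted mean of the per-class drop probabilities."""
    return sum(drops[c] * rates[c] for c in rates) / sum(rates.values())


if __name__ == "__main__":
    rates = {"high": 1.0, "med": 1.0, "low": 8.0}   # constructed lambdas
    p = required_drop(rho_actual=1.5, rho_target=0.9)
    drops = per_class_drop(p, rates)
    print("aggregate P_drop:", round(p, 3), "per class:", drops)
    print("queue at target (m=12):", mmm_queue(12, 0.9))
```

Under this policy the high and medium classes lose nothing until the low class is shed completely, which is the shape of outcome the WRED results slide reports.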

SLIDE 27

WRED - Overview

[Figure: animation spanning slides 27-35. Labels: Low, Med, High]

SLIDE 36

WRED - Results

  • Messages of high and medium-priority experience no blocking, but increased delay.
  • An average of 77% of low-priority messages are blocked.
  • This is a nice solution, assuming meaningful partitioning of flows.

[Figure: Percent of Attempts Blocked vs. Time (seconds), with series Service Queue (SMS - Priority 1), Service Queue (SMS - Priority 2) and Service Queue (SMS - Priority 3).]

SLIDE 37

Resource Provisioning

  • The previous techniques do not address the bottleneck directly.
  • Instead, we look to reallocate the messaging bandwidth itself.
  • Changing channel coding or definition is not feasible in the short term.
  • Our techniques use many mechanisms already in place.

SLIDE 38

Strict Resource Provisioning

  • Under SRP, incoming SMS messages compete for a subset of the total SDCCHs.
  • We can explore the expected blocking behavior using standard Erlang-B blocking analysis:

$$P_B = \frac{A^n / n!}{\sum_{l=0}^{n-1} A^l / l!}$$

$$E(n) = \rho (1 - P_B)$$

  • For an offered load of 50,000 calls/hour, SDCCH utilization is only 2%.

[Figure label: SDCCHs]
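An added example (not from the original slides) of the Erlang-B analysis behind strict and dynamic provisioning. It uses the textbook Erlang-B form, whose denominator sum runs to l = n, and assumes for simplicity that voice setup is confined to the SDCCHs not reserved for SMS; all loads are constructed values in Erlangs.

```python
"""Erlang-B blocking for SDCCH pools. All loads are constructed (Erlangs)."""


def erlang_b(offered_load, channels):
    """Blocking probability P_B for offered load A on n channels.

    Recurrence B(0)=1, B(k)=A*B(k-1)/(k+A*B(k-1)); same value as
    (A^n/n!) / sum_{l=0..n}(A^l/l!) without large factorials.
    """
    if offered_load < 0 or channels < 0:
        raise ValueError("load and channel count must be non-negative")
    b = 1.0
    for k in range(1, channels + 1):
        b = offered_load * b / (k + offered_load * b)
    return b


def utilization(offered_load, channels):
    """Carried load A*(1 - P_B) spread over the n channels."""
    return offered_load * (1.0 - erlang_b(offered_load, channels)) / channels


def srp_blocking(voice_load, sms_load, total_channels, sms_channels):
    """Blocking per class with and without strict provisioning.

    Assumption: voice uses only the channels not reserved for SMS.
    """
    return {
        "shared": erlang_b(voice_load + sms_load, total_channels),
        "voice": erlang_b(voice_load, total_channels - sms_channels),
        "sms": erlang_b(sms_load, sms_channels),
    }


def channels_for_target(offered_load, target_blocking, max_channels=512):
    """Smallest pool whose blocking is at or below the target (DRP sizing)."""
    for n in range(1, max_channels + 1):
        if erlang_b(offered_load, n) <= target_blocking:
            return n
    raise ValueError("target not reachable within max_channels")


if __name__ == "__main__":
    # Constructed flood: 0.4 Erlang of call setup, 30 Erlangs of SMS, 12 SDCCHs.
    print(srp_blocking(0.4, 30.0, 12, 6))
    print("voice-side utilization:", utilization(0.4, 6))
    print("channels for 1% blocking at 3 Erlangs:", channels_for_target(3.0, 0.01))
```

In the shared pool every request, voice included, sees the flood's blocking rate; once SMS is confined to its own subset, voice blocking becomes negligible while the reserved voice channels sit mostly idle.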

SLIDE 40

SRP - Results

  • By restricting SMS messages to 6 of the 12 SDCCHs, we eliminate voice call blocking.
  • 84% of text messages are blocked at the SDCCH.
  • The SDCCHs used for voice only achieve a 6.3% utilization - a potential waste of resources.

[Figure: two plots. Plot 1: Percent of Attempts Blocked vs. Time (seconds), with series SDCCH (SMS), SDCCH (Voice) and TCH (Voice). Plot 2: Utilization vs. Time (seconds), with series SDCCH and TCH.]

SLIDE 41

Dynamic Resource Provisioning

  • Temporarily reclaim unused TCHs as SDCCHs.
  • A similar mechanism is already in use for converting TCHs between voice and data channels.
  • By simply adding SDCCHs, we quickly increase the probability that at least one is available.

[Figure: timeslot map for TRX 1 through TRX 4 with slots labeled CCH*, SDCCH/8 and TCH; the animation over slides 41-43 adds further SDCCH/8 labels.]

SLIDE 44

DRP - Results

  • We can add up to 36 additional SDCCHs (-4 TCHs) before call blocking increases over 1%.
  • Like all dynamic allocation mechanisms, DRP may be subject to thrashing and should therefore be carefully used.

[Figure: two plots. Plot 1: Percent of Attempts Blocked vs. Time (seconds), with series SDCCH (SMS), SDCCH (Voice) and TCH (Voice). Plot 2: Utilization vs. Time (seconds), with series SDCCH and TCH.]

SLIDE 45

Direct Channel Allocation

  • Ultimately, removing text messaging and voice calls from shared channels is the only solution.
  • In the short term, it is possible to have incoming calls use a TCH for both setup and the call itself.
  • DCA therefore removes the bottleneck responsible for this vulnerability.

[Figure: animation spanning slides 45-46. Labels: SMS, Voice, SDCCHs, TCH]

SLIDE 47

DCA - Results

  • As expected, the only blocking observed occurs for text messages.
  • Unfortunately, DCA introduces a new vulnerability as it allows anyone to hold a traffic channel before authenticating.

[Figure: Percent of Attempts Blocked vs. Time (seconds), with series SDCCH (SMS), SDCCH (Voice) and TCH (Voice).]

SLIDE 48

Combined Mechanisms

  • Combining a number of the mechanisms can also be beneficial.
  • The combination of DRP and WFQ allows for resources to be allocated for “good” messages.

[Figure: Percent of Attempts Blocked vs. Time (seconds), with series Service Queue (SMS - Priority 1), Service Queue (SMS - Priority 2) and Service Queue (SMS - Priority 3).]

SLIDE 49

State of the Union

  • How was this work received by the community?
  • What new projects have followed this body of work?
      • New virus and worm defense techniques
      • End device protection and mediation
      • New attacks
      • More...?
  • We examine one of these new works to understand the “state of the union”.

SLIDE 50

Stealthily Exhaust MMS

  • The premise behind this work is that an Internet-based adversary can drain the battery of your phone without your knowledge.
  • By sending an initial MMS message, the targeted phone automatically opens a connection with a malicious server.
  • The adversary then drains your battery by sending periodic messages, thereby keeping your phone in an energy-inefficient state.

SLIDE 51

What do you think?

  • Given our discussions throughout this lecture, what are your thoughts on this paper?

SLIDE 52

Critique

  • The original SMS attack had a power drain attack as a footnote.
  • The novelty here is only that the attack is stealthy.
  • The effectiveness of the attack is questionable.
      • 7 hours to drain a battery? How long are you realistically between chargers?
  • Measurement and technique are poorly explained.
      • Is there enough information here to recreate their experiments?
  • There are serious grammatical errors throughout...

SLIDE 53

Many miles away...

  • Measurement quantizes observation. It forms the basis of science.
  • It’s the difference between a Loch Ness Monster and a Loch Ness Minnow...
  • There are lots of things to be measured in a system. Part of our job is figuring out what is interesting.
  • Techniques are varied, numerous and powerful. The most important thing is that you learn to use them properly!

SLIDE 54

Questions

Patrick Traynor
traynor@cse.psu.edu
www.cse.psu.edu/~traynor
www.patricktraynor.org