Computer Security and Cryptography Reading Group
February 2006 List
Friday, February 3, 2006
11 AM - 12 PM
7331 CS
W. Cui
V. Paxson
W. Cui, V. Paxson, N. Weaver, R. H. Katz
Berkeley / ICSI
Protocol-Independent Adaptive Replay of Application Dialog
NDSS'06
URL: http://www.cs.berkeley.edu/~wdc/papers/CPWK06.pdf
For many applications---including recognizing
malware variants, determining the range of system
versions vulnerable to a given attack, testing
defense mechanisms, and filtering multi-step
attacks---it can be highly useful to mimic an
existing system while interacting with a live host
on the network. We present RolePlayer, a system
which, given examples of an application session, can
mimic both the client side and the server side of
the session for a wide variety of application
protocols. A key property of RolePlayer is that it
operates in an application-independent fashion: the
system does not require any specifics about the
particular application it mimics. It instead uses
byte-stream alignment algorithms to compare
different instances of a session to determine which
fields it must change to successfully replay one
side of the session. Drawing only on knowledge of a
few low-level syntactic conventions (such as
representing IP addresses using "dotted quads"), and
contextual information such as the domain names of
the participating hosts, RolePlayer can
heuristically detect and adjust network addresses,
ports, cookies, and length fields embedded within
the session, including sessions that span multiple,
concurrent connections on dynamically assigned
ports.
We have successfully used RolePlayer to replay both
the client and server sides for a variety of network
applications, including NFS, FTP, and CIFS/SMB file
transfers, as well as the multi-stage infection
processes of the Blaster and W32.Randex.D worms.
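The field-detection idea in the abstract, as an added example (Python; not RolePlayer's own code): two recorded instances of one dialog are aligned, the tokens that differ are labelled with a few syntactic conventions (dotted-quad address, known port, value echoed from the peer, length that tracks another changed field), and the labels drive a rewrite of the client side against a live server. The dialogs, the transport-layer context and the live server messages are constructed for the example, and the alignment is token-level difflib rather than the paper's byte-stream alignment.

```python
"""Added example, not RolePlayer's code: label the fields a replayer must
rewrite by aligning two captured instances of one application dialog."""
import re
from difflib import SequenceMatcher

# A token is a run of word-like characters or a single separator, so an
# address, a number or an opaque cookie stays whole while "=" and spaces split.
TOKEN = re.compile(r"[A-Za-z0-9._-]+|[^A-Za-z0-9._-]")
DOTTED_QUAD = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Two constructed recordings of the same dialog as (side, message) lists; only
# environment-dependent fields differ between them. CTX_A holds the transport-
# layer facts of recording A (the contextual information the abstract mentions).
SESSION_A = [("S", "220 svc ready session=A1B2\r\n"),
             ("C", "HELLO 10.0.0.9 session=A1B2\r\n"),
             ("S", "250 OK\r\n"),
             ("C", "DATA 5\r\nhello\r\n")]
SESSION_B = [("S", "220 svc ready session=ZZ91\r\n"),
             ("C", "HELLO 192.168.1.4 session=ZZ91\r\n"),
             ("S", "250 OK\r\n"),
             ("C", "DATA 7\r\ngoodbye\r\n")]
CTX_A = {"client_ip": "10.0.0.9", "client_port": 40100}

def tokens(msg):
    return TOKEN.findall(msg)

def replace_spans(a, b):
    """Token ranges where the aligned token lists a and b disagree."""
    sm = SequenceMatcher(None, a, b, autojunk=False)
    return [op[1:] for op in sm.get_opcodes() if op[0] == "replace"]

def echoed_from_server(value, earlier):
    """True if value already appeared in an earlier server message (a cookie)."""
    return any(side == "S" and value in tokens(msg) for side, msg in earlier)

def classify_fields(sess_a, sess_b, ctx_a):
    """For each client message, label the tokens that change between recordings.
    Returns {message index: [(token index, kind, length target or None)]}."""
    fields = {}
    for idx, ((side, msg_a), (_, msg_b)) in enumerate(zip(sess_a, sess_b)):
        if side != "C":
            continue
        ta, tb = tokens(msg_a), tokens(msg_b)
        changed = {i1: (ta[i1], tb[j1]) for i1, i2, j1, j2 in replace_spans(ta, tb)
                   if i2 - i1 == 1 and j2 - j1 == 1}
        labels = []
        for pos, (va, vb) in changed.items():
            if DOTTED_QUAD.match(va) and va == ctx_a["client_ip"]:
                labels.append((pos, "address", None))
            elif va.isdigit() and int(va) == ctx_a["client_port"]:
                labels.append((pos, "port", None))
            elif echoed_from_server(va, sess_a[:idx]):
                labels.append((pos, "cookie", None))
            elif va.isdigit() and vb.isdigit():
                # A length field tracks the size of another changed field in
                # both recordings; a number that matches only once is left alone.
                target = [q for q, (wa, wb) in changed.items()
                          if q != pos and len(wa) == int(va) and len(wb) == int(vb)]
                labels.append((pos, "length", target[0]) if target else (pos, "payload", None))
            else:
                labels.append((pos, "payload", None))
        fields[idx] = labels
    return fields

def live_cookie(value, template_earlier, live_earlier):
    """Read from the live peer's message the value at the position where
    `value` sat in the aligned template message."""
    for (side, tmpl), (_, live) in zip(template_earlier, live_earlier):
        if side == "S" and value in tokens(tmpl):
            tt, lt = tokens(tmpl), tokens(live)
            for i1, i2, j1, j2 in replace_spans(tt, lt):
                if value in tt[i1:i2]:
                    return "".join(lt[j1:j2])
            return value  # the live peer happened to send the same cookie
    raise ValueError(f"no server message carries {value!r}")

def rewrite(template, live, idx, fields, ctx_live, payload=None):
    """Build client message idx for the live dialog from the template dialog."""
    toks = tokens(template[idx][1])
    for pos, kind, _ in fields[idx]:
        if kind == "address":
            toks[pos] = ctx_live["client_ip"]
        elif kind == "port":
            toks[pos] = str(ctx_live["client_port"])
        elif kind == "cookie":
            toks[pos] = live_cookie(toks[pos], template[:idx], live[:idx])
        elif kind == "payload" and payload is not None:
            toks[pos] = payload
    for pos, kind, target in fields[idx]:
        if kind == "length":  # recomputed after any payload substitution
            toks[pos] = str(len(toks[target].encode()))
    return "".join(toks)

def replay_demo():
    """Replay the client side against a constructed live server from a new address."""
    fields = classify_fields(SESSION_A, SESSION_B, CTX_A)
    ctx_live = {"client_ip": "172.16.0.2", "client_port": 51515}
    live = [("S", "220 svc ready session=Q7Q7\r\n")]
    hello = rewrite(SESSION_A, live, 1, fields, ctx_live)
    live += [("C", hello), ("S", "250 OK\r\n")]
    data = rewrite(SESSION_A, live, 3, fields, ctx_live, payload="hi there")
    return fields, hello, data
```

Two recordings are the minimum: a field that differs between them is a candidate for rewriting, and a field that is identical in both is treated as protocol constant, so recordings taken from different hosts and with different payloads expose more of the fields that matter. A cookie is only recognised when it was first seen in a server message, which is why the live dialog has to be fed back into rewrite() as it progresses.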
Friday, February 10, 2006
11 AM - 12 PM
7331 CS
S. Neuhaus
A. Zeller
S. Neuhaus, A. Zeller
Saarland U.
Isolating Intrusions by Automatic Experiments
NDSS'06
URL: http://www.st.cs.uni-sb.de/~neuhaus/publications/isoproc.pdf
When dealing with malware infections, one of the
first tasks is to find the processes that were
involved in the attack. We introduce Malfor, a
system that isolates those processes
automatically. In contrast to other methods that
help analyze attacks, Malfor works by experiments:
first, we record the interaction of the system under
attack; after the intrusion has been detected, we
replay the recorded events in slightly different
configurations to see which processes were relevant
for the intrusion. This approach has three
advantages over deductive approaches: first, the
processes that are thus found have been
experimentally shown to be relevant for the attack;
second, the amount of evidence that must then be
analyzed to find the attack vector is greatly
reduced; and third, Malfor itself cannot make wrong
deductions. In a first experiment, Malfor was able
to extract the three processes responsible for an
attack from 32 candidates in about six minutes.
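The experimental approach described above, as an added example (Python; not Malfor's own code): a recorded event log is replayed with different subsets of the processes present, and the set of candidates is narrowed with minimizing delta debugging (ddmin), which is assumed here as the experiment strategy. The recording, the 32 processes and the three-process attack chain are constructed for the example; the simulated replay lets an event recur only when its process is present and the event that caused it also recurred.

```python
"""Added example, not Malfor's code: isolate the processes relevant to an
intrusion by replaying a recording with different process subsets present."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Event:
    pid: int
    action: str
    caused_by: Optional[int] = None  # index of the recorded event that triggered this one

# Constructed recording: 32 processes doing routine work, plus an attack chain
# httpd (1003) -> shell (1017) -> backdoor (1029) whose steps depend on each other.
LOG = [Event(1000 + i, f"routine work {i}") for i in range(32)]
LOG += [Event(1003, "accept connection from attacker"),
        Event(1017, "exec /bin/sh -c <payload>", caused_by=32),
        Event(1029, "listen on 0.0.0.0:4444", caused_by=33)]

def replay(present, log=LOG):
    """Replay the recording with only the processes in `present`; an event
    recurs only if its process is present and its cause recurred. Returns
    True when the detector's signal (the listening backdoor) reappears."""
    recurred = set()
    for i, ev in enumerate(log):
        if ev.pid in present and (ev.caused_by is None or ev.caused_by in recurred):
            recurred.add(i)
    return any(log[i].action.startswith("listen on") for i in recurred)

def split(items, n):
    """Cut items into n contiguous, roughly equal, non-empty chunks."""
    size, rem = divmod(len(items), n)
    chunks, start = [], 0
    for i in range(n):
        end = start + size + (1 if i < rem else 0)
        chunks.append(items[start:end])
        start = end
    return [c for c in chunks if c]

def ddmin(items, reproduces):
    """Minimizing delta debugging: shrink `items` to a 1-minimal set for which
    reproduces() is still true, trying chunks first and then their complements."""
    current, n = list(items), 2
    while len(current) >= 2:
        chunks = split(current, n)
        found = None
        for chunk in chunks:
            if reproduces(chunk):
                found, n = chunk, 2
                break
        if found is None:
            for chunk in chunks:
                rest = [x for x in current if x not in chunk]
                if reproduces(rest):
                    found, n = rest, max(n - 1, 2)
                    break
        if found is None:
            if n >= len(current):
                break  # removing any single element fails: the set is 1-minimal
            n = min(2 * n, len(current))
        else:
            current = found
    return current

def isolate(log=LOG):
    """Return the pids experimentally shown to be needed for the intrusion,
    together with the number of replay experiments that took."""
    pids = sorted({ev.pid for ev in log})
    experiments = 0

    def reproduces(subset):
        nonlocal experiments
        experiments += 1
        return replay(set(subset), log)

    if not replay(set(pids), log):
        raise RuntimeError("full replay does not reproduce the intrusion")
    return ddmin(pids, reproduces), experiments
```

Every process in the result has been kept because some replay without it failed to reproduce the intrusion, which is the "experimentally shown to be relevant" property the abstract claims; the cost is the number of replays, which ddmin keeps far below trying every subset.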
Friday, February 17, 2006
11 AM - 12 PM
7331 CS
S. M. Bellovin
A. Keromytis
B. Cheswick
S. M. Bellovin, A. Keromytis, B. Cheswick
Columbia U. / Lumeta / Columbia U.
Worm propagation strategies in an IPv6 Internet
;login: Magazine, Feb. 2006
URL: http://www.cs.columbia.edu/~smb/papers/v6worms.pdf
In recent years, the Internet has been plagued by a
number of worms. One popular mechanism that worms
use to detect vulnerable targets is random IP
address-space probing. This is feasible in the
current Internet due to the use of 32-bit addresses,
which allow fast-operating worms to scan the entire
address space in a matter of a few hours. The
question has arisen whether or not their spread will
be affected by the deployment of IPv6. In
particular, it has been suggested that the 128-bit
IPv6 address space (relative to the current 32-bit
IPv4 address space) will make life harder for the
worm writers: assuming that the total number of
hosts on the Internet does not suddenly increase by
a similar factor, the work factor for finding a
target in an IPv6 Internet will increase by
approximately 2^96, rendering random
scanning seemingly prohibitively expensive.
Friday, February 24, 2006
11 AM - 12 PM
7331 CS
T. Jaeger
R. Sailer
U. Shankar, T. Jaeger, R. Sailer
Berkeley / PSU / IBM T.J. Watson
Toward Automated Information-Flow Integrity Verification for Security-Critical Applications
NDSS 2006
URL: http://www.cs.berkeley.edu/~ushankar/research/cwlite/cwlite.pdf
We provide a largely automated system for verifying Clark-Wilson interprocess information-flow
integrity. Information-flow integrity properties are
essential to isolate trusted processes from untrusted ones,
but system misconfiguration can easily create insecure
dependences. For example, an untrusted user process may be
able to write to sshd_config via a cron script. A
useful notion of integrity is the Clark-Wilson integrity
model [7], which allows trusted processes to accept
necessary untrusted inputs (e.g., network data or print
jobs) via filtering interfaces that sanitize the
data. However, Clark-Wilson has the requirement that
programs undergo formal semantic verification; in practice,
this kind of burden has meant that no information-flow
integrity property is verified on most widely-used
systems. We define a weaker version of Clark-Wilson
integrity, called CW-Lite, which has the same interprocess
information-flow guarantees, but which requires less
filtering, only small changes to existing applications, and
which we can check using automated tools. We modify the
SELinux user library and kernel module in order to support
CW-Lite integrity verification and develop new software
tools to aid developers in finding and enabling filtering
interfaces. Using our toolset, we found and fixed several
integrity-violating configuration errors in the default
SELinux policies for OpenSSH and vsftpd.
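The kind of check the abstract describes, as an added example (Python; not the CW-Lite toolset or its SELinux modifications): a small information-flow integrity checker over SELinux-style allow rules of the form (subject type, object type, permission). An untrusted subject's writes make an object low-integrity; a trusted subject that reads a low-integrity object must do so through an interface it declares as filtering, otherwise the read is reported as a violation and the subject itself becomes low-integrity, so the flow continues through whatever it writes. The policy, the trust labels and the filtering declarations are constructed for the example and model the sshd_config-via-cron misconfiguration mentioned above.

```python
"""Added example, not CW-Lite's code: find trusted subjects that read
low-integrity data without a declared filtering interface."""
from collections import defaultdict

WRITE_PERMS = {"write", "append", "create", "send"}
READ_PERMS = {"read", "recv", "execute"}

# Constructed policy containing the misconfiguration the abstract mentions:
# an untrusted user's cron job can end up rewriting sshd_config.
POLICY = [
    ("user_t",  "user_cron_spool_t", "write"),  # user submits a crontab
    ("crond_t", "user_cron_spool_t", "read"),   # cron reads it, no filter declared
    ("crond_t", "sshd_config_t",     "write"),  # a cron job may rewrite sshd_config
    ("sshd_t",  "sshd_config_t",     "read"),
    ("user_t",  "tcp_socket_t",      "send"),   # network input from anyone ...
    ("sshd_t",  "tcp_socket_t",      "recv"),   # ... accepted via sshd's protocol parser
]
TRUSTED = {"crond_t", "sshd_t"}
UNTRUSTED = {"user_t"}
FILTERS = {("sshd_t", "tcp_socket_t")}  # (subject, object) reads declared as filtering

# Corrected policy: cron no longer writes sshd_config and its crontab parser
# is declared as a filtering interface for the spool it reads.
FIXED_POLICY = [r for r in POLICY if r != ("crond_t", "sshd_config_t", "write")]
FIXED_FILTERS = FILTERS | {("crond_t", "user_cron_spool_t")}

def check_policy(allow, trusted, untrusted, filters):
    """Return violations as (subject, object, flow) triples, where flow spells
    out how low-integrity data reached the object. Subject and object type
    names are assumed not to collide."""
    reads, writes = defaultdict(set), defaultdict(set)
    for subj, obj, perm in allow:
        if perm in WRITE_PERMS:
            writes[subj].add(obj)
        elif perm in READ_PERMS:
            reads[subj].add(obj)
    # how[x]: the flow by which subject or object x came to carry low-integrity data
    how = {s: [s] for s in untrusted}
    changed = True
    while changed:  # propagate to a fixpoint
        changed = False
        for subj in sorted(s for s in how if s in writes):
            for obj in sorted(writes[subj]):
                if obj not in how:
                    how[obj] = how[subj] + [f"writes {obj}"]
                    changed = True
        for subj in sorted(trusted):
            if subj in how:
                continue
            for obj in sorted(reads[subj]):
                if obj in how and (subj, obj) not in filters:
                    how[subj] = how[obj] + [f"{subj} reads it unfiltered"]
                    changed = True
                    break
    return [(subj, obj, " -> ".join(how[obj]))
            for subj in sorted(trusted) for obj in sorted(reads[subj])
            if obj in how and (subj, obj) not in filters]
```

Run against POLICY the checker reports two violations: crond_t reading the user-written spool unfiltered, and, because that makes crond_t low-integrity, sshd_t reading an sshd_config_t that crond_t may write. sshd_t's network read is accepted because it is declared as a filtering interface, which is the CW-Lite relaxation: untrusted input is allowed where the program sanitizes it. Against FIXED_POLICY with FIXED_FILTERS the report is empty.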
Created and maintained by Mihai Christodorescu ( http://www.cs.wisc.edu/~mihai)
Created: Fri Jan 27 11:58:07 2006
Last modified: Fri Jan 27 11:59:05 Central Standard Time 2006