Obtaining sound inferences over remote networks via active or passive measurements is difficult. Active measurement campaigns face challenges of load, coverage, and visibility. Passive measurements require a privileged vantage point. Even networks under our own control too often remain poorly understood and hard to diagnose. As a step toward the democratization of Internet measurement, we consider the inferential power possible were the network to include a constant and predictable stream of dedicated lightweight measurement traffic. We posit an Internet "heartbeat," which nodes periodically send to random destinations, and show how aggregating heartbeats facilitates introspection into parts of the network that are today generally obtuse. We explore the design space of an Internet heartbeat, potential use cases, incentives, and paths to deployment.
Military Communications Conference (MILCOM 2013), San Diego, CA, November 2013. ; Refereed Article ; Civilian and military networks are continually probed for vulnerabilities. Cyber criminals, and autonomous botnets under their control, regularly scan networks in search of vulnerable systems to co-opt. Military and more sophisticated adversaries may also scan and map networks as part of reconnaissance and intelligence gathering. This paper focuses on adversaries attempting to map a network's infrastructure, i.e. the critical routers and links supporting a network. We develop a novel methodology, rooted in principles of military deception, for deceiving a malicious traceroute probe and influencing the structure of the network as inferred by a mapping adversary. Our Linux-based implementation runs as a kernel module at a border router to present a deceptive external topology. We construct a proof-of-concept test network to show that a remote adversary using traceroute to map a defended network can be presented with a false topology of the defender's choice.
Deploying mobile devices to frontline troops presents many potential benefits, e.g. situational awareness, enhanced communication capabilities, etc. However, security remains an impediment to realizing such capability. In this research, we develop and evaluate an approach to securing the non-volatile storage of a collection of mobile devices. Our technique relies on well-established cryptographic primitives, combining them in a unique way to meet military mission specific security and resiliency requirements. Specifically, we create MDFS, a distributed mobile file system using erasure coding, Shamir's threshold secret sharing, and the symmetric AES block cipher. The resulting system provides two important properties: (1) data at rest is protected even after total compromise of up to k devices, and (2) data is replicated within an infrastructureless ad hoc network and, as such, resilient to device outages. We implement MDFS on Android mobile devices and achieve ≃10Mbps throughput in real-world performance experiments, suggesting that MDFS is suitable for a variety of practical workloads.
Proceedings of the Military Communications Conference (MILCOM 2013), San Diego, CA, November 2013. ; Refereed Article ; The hardware identifiers of common wireless protocols can be exploited by adversaries for both tracking and physical device association. Rather than examining hardware identifiers in isolation, we observe that many modern devices are equipped with multiple wireless interfaces of different physical types, e.g. GSM and 802.11, suggesting that there exists utility in cross-protocol hardware identifier correlation. This research empirically examines the feasibility of such cross-protocol association, concentrating on correlating a GSM hardware identifier to that of the 802.11 hardware identifier on the same device. Our dataset includes 18 distinct mobile devices, with identifiers collected over time at disparate locations. We develop correlation techniques from the perspective of two adversaries: i) limited, able to observe identifiers only in time and space; and ii) a more advanced adversary with visibility into the data stream of each protocol. We first test correlation via temporal and spatial analysis using only basic signal collection, mimicking an RF collection with no decryption or data processing capability. Using a constrained optimization algorithm over temporal and spatial data to perform matching, we demonstrate increasing association accuracy over time, up to 80% in our experiments. Our second approach simulates the added capability to collect, decrypt, and reconstruct specific application protocol data, and parses the data of one protocol using search terms derived from the other. With the combined techniques, we achieve 100% accuracy and precision.
The article of record may be found at: http://dx.doi.org/10.1145/2815675.2815700. ; Proceedings of the Fifteenth ACM SIGCOMM Internet Measurement (IMC 2015) Conference, Tokyo, JP, October 2015 (Awarded Best Paper). ; As part of TCP's steady evolution, recent standards have recommended mechanisms to protect against weaknesses in TCP. But adoption, configuration, and deployment of TCP improvements can be slow. In this work, we consider the resilience of deployed TCP implementations to blind in-window attacks, where an off-path adversary disrupts an established connection by sending a packet that the victim believes came from its peer, causing data corruption or connection reset. We tested operating systems (and middleboxes deployed in front) of webservers in the wild in September 2015 and found 22% of connections vulnerable to in-window SYN and reset packets, 30% vulnerable to in-window data packets, and 38.4% vulnerable to at least one of three in-window attacks we tested. We also tested out-of-window packets and found that while few deployed systems were vulnerable to reset and SYN packets, 5.4% of connections accepted in-window data with an invalid acknowledgment number. In addition to evaluating commodity TCP stacks, we found vulnerabilities in 12 of 14 of the routers and switches we characterized – critical network infrastructure where the potential impact of any TCP vulnerabilities is particularly acute. This surprisingly high level of extant vulnerabilities in the most mature Internet transport protocol in use today is a perfect illustration of the Internet's fragility. Embedded in historical context, it also provides a strong case for more systematic, scientific, and longitudinal measurement and quantitative analysis of fundamental properties of critical Internet infrastructure, as well as for the importance of better mechanisms to get best security practices deployed. ; This work was supported in part by U.S. NSF grants CNS-1111449, ACI-1127506, and CNS-1237265, and by DHS S&T Cyber Security Division BAA 11-02 and SPAWAR Systems Center Pacific via N66001-12-C-0130 and Defence Research and Development Canada (DRDC) pursuant to an Agreement between the U.S. and Canadian governments for Cooperation in Science and Technology for Critical Infrastructure Protection and Border Security.
International Journal of Cyber Warfare & Terrorism, Vol. 1, No. 1, pp. 1-14 ; A cyberweapon can be as dangerous as any weapon. Fortunately, recent technology now provides some tools for cyberweapons control. Digital forensics can be done on computers seized during or after hostilities. Cyberweapons differ significantly from other software, especially during their development, and recent advances in summarizing the contents of storage media can locate possible cyberweapons quickly. In addition, use of cyberweapons can be distinguished from the usual malicious Internet traffic by being aimed at targets associated with political, social, and cultural issues that are often known well in advance, and we can monitor those targets. Cyberweapons are relatively unreliable compared to other kinds of weapons because they depend on flaws in software, and flaws can get fixed; cyberweapons therefore require considerable testing, preferably against live targets, and this testing may be observable. So international "cyberarms agreements" could provide for forensics on cyberweapons and usage monitoring. Agreements can also encourage cyberweapons use to be more responsible by stipulating attribution and reversibility. We conclude with a discussion of the kinds of international agreements that are desirable, and examine the recent increasing interest of the United States government in such agreements. ; Approved for public release; distribution is unlimited.
In: International Journal of Cyber Warfare and Terrorism (IJCWT), an official publication of the Information Resources Management Association, Vol. 1, No. 2, pp. 35-48
A cyberweapon can be as dangerous as any weapon. Fortunately, recent technology now provides some tools for cyberweapons control. Digital forensics can be done on computers seized during or after hostilities. Cyberweapons differ significantly from other software, especially during development, and recent advances in summarizing the contents of storage media can locate possible cyberweapons quickly. Use of cyberweapons can be distinguished from the usual malicious Internet traffic by being aimed at targets associated with political, social, and cultural issues that are often known in advance, and those targets can then be monitored. Cyberweapons are relatively unreliable compared to other kinds of weapons because they are susceptible to flaws in software; therefore, cyberweapons require considerable testing, preferably against live targets. Thus, international "cyberarms agreements" could provide for forensics on cyberweapons and usage monitoring. Agreements can also encourage more responsible cyberweapons use by stipulating attribution and reversibility. The authors discuss the kinds of international agreements that are desirable, and examine the recent interest of the U.S. government in such agreements.
This paper appeared in the Proceedings of the 10th European Conference on Information Warfare and Security, Tallinn, Estonia, July 2011. ; Cyberweapons are difficult weapons to control and police. Nonetheless, technology is becoming available that can help. We propose here the underlying technology necessary to support cyberarms agreements. Cyberweapons usage can be distinguished from other malicious Internet traffic in that it is aimed precisely at targets which we can often predict in advance and can monitor. Unlike cybercrime, cyberweapons use will have political goals, and thus attackers will likely not try hard to conceal themselves. Furthermore, cyberweapons are temperamental weapons that depend on flaws in software, and flaws can get fixed. This means that cyberweapons testing will be seen before a serious attack. As well, we may be able to find evidence of cyberweapons on computers seized during or after hostilities, since cyberweapons have important differences from other software and are difficult to conceal on their development platforms. Recent advances in quick methods for assessing the contents of a disk drive can be used to rule out irrelevant data quickly. We also discuss methods for making cyberweapons more responsible through attribution and reversibility, and we discuss the kinds of international agreements needed to control them. ; Approved for public release; distribution is unlimited.