Bunker: A Tamper Resistant Platform for Network Tracing
Stefan Saroiu, University of Toronto
Motivation
• Today’s tracing helps build tomorrow’s systems
• ISPs view raw network traces as a liability
• Traces can compromise user privacy
• Protecting users’ privacy is increasingly important
• Trace anonymization mitigates these issues
Offline Anonymization
• Trace anonymized after raw data is collected
  • Privacy risk until raw data is deleted
• Today’s traces require deep packet inspection
  • Headers insufficient to understand phishing or P2P
  • Payload traces pose a serious privacy risk
• Risk to user privacy is too high
  • Two universities rejected offline anonymization
Offline’s Privacy Vulnerabilities
• Two types of attacks:
  • Traditional: network intrusion attacks
  • New: raw data can be subpoenaed
• Both universities required that subpoenas would not affect privacy
Online Anonymization
• Trace anonymized while tracing
  • Raw data resides in RAM only
• Difficult to meet performance demands
  • Extraction and anonymization must be done at line speeds
• Code is frequently buggy and difficult to maintain
  • Low-level languages (e.g. C) + “home-made” parsers
  • Small bugs cause large amounts of data loss
  • Introduces consistent bias against long-lived flows
Simple Tasks can be Very Slow
• Regular expression for phishing:
  ((password)|(<form)|(<input)|(PIN)|(username)|(<script)|(user id)|(sign in)|(log in)|(login)|(signin)|(log on)|(sign on)|(signon)|(passcode)|(logon)|(account)|(activate)|(verify)|(payment)|(personal)|(address)|(card)|(credit)|(error)|(terminated)|(suspend))[^A-Za-z]
• libpcre: 5.5 s for 30 M = 44 Mbps max
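The slide’s point is that even a keyword match sets a ceiling on the line rate an online anonymizer can sustain. The added example below (not from the talk or from Bunker) compiles the slide’s pattern with Python’s re module rather than libpcre, runs it over a few constructed payloads, and carries out the “5.5 s for 30 M” arithmetic; it assumes the slide’s “30 M” means 30 MB of payload, and the sample payloads and function names are ours.

```python
import re
import time

# The phishing keyword pattern quoted on the slide, compiled with Python's re engine (not libpcre).
PHISHING_RE = re.compile(
    r"((password)|(<form)|(<input)|(PIN)|(username)|(<script)|(user id)|(sign in)"
    r"|(log in)|(login)|(signin)|(log on)|(sign on)|(signon)|(passcode)|(logon)"
    r"|(account)|(activate)|(verify)|(payment)|(personal)|(address)|(card)|(credit)"
    r"|(error)|(terminated)|(suspend))[^A-Za-z]"
)

# Constructed sample payloads (not from any trace): two phishing-like, two benign.
SAMPLE_PAYLOADS = [
    "Please verify your account now or it will be terminated.",
    "<form action=login.php><input name=password>",
    "Quarterly newsletter: hello team, see you Friday",
    "Your accounts are fine, no action needed",   # 'accounts' is followed by a letter: no match
]


def flag_payload(payload: str) -> bool:
    """True when a keyword occurs followed by a non-letter, exactly as the slide's pattern requires."""
    return PHISHING_RE.search(payload) is not None


def max_line_rate_mbps(num_bytes: float, seconds: float) -> float:
    """Highest link rate (Mbit/s) the matcher keeps up with if scanning `num_bytes`
    takes `seconds`: the slide's '5.5 s for 30 M = 44 Mbps' arithmetic."""
    return num_bytes * 8 / seconds / 1e6


def benchmark(payloads, repeat: int = 2000) -> float:
    """Scan the payloads `repeat` times and return the implied maximum line rate on this machine."""
    data = payloads * repeat
    total_bytes = sum(len(p.encode()) for p in data)
    start = time.perf_counter()
    for p in data:
        PHISHING_RE.search(p)
    return max_line_rate_mbps(total_bytes, time.perf_counter() - start)


if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(f"{str(flag_payload(p)):5}  {p}")
    print(f"slide figure: {max_line_rate_mbps(30e6, 5.5):.1f} Mbps max")
    print(f"this machine (re module): {benchmark(SAMPLE_PAYLOADS):.1f} Mbps max")
```

The benchmark figure is whatever this machine and regex engine produce and is not comparable to the slide’s libpcre number; the fixed part is the arithmetic, which reproduces the 44 Mbps ceiling from the measured 5.5 s.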
Our solution: Bunker
• Combines the best of both worlds
  • Same privacy benefits as online anonymization
  • Same engineering benefits as offline anonymization
• Pre-load analysis and anonymization code
• Lock it and throw away the key (tamper resistance)
Threat Model
• Accidental disclosure:
  • Risk is substantial whenever humans are handling data
• Subpoenas:
  • Attacker has physical access to the tracing system
  • Subpoenas force researchers and ISPs to cooperate
    • As long as cooperation is not “unduly burdensome”
• Implication: nobody can have access to raw data
It Depends on Intent of Use
• Developing Bunker is like developing encryption
• Must consider purpose and uses of Bunker
• Developing Bunker for user privacy is legal
• Misuse of Bunker to bypass law is illegal
Outline
• Motivation
• Design of our platform
• System evaluation
• Case study: Phishing
• Conclusions
Logical Design
(diagram) Capture Hardware feeds the online stage (capture, assemble); the offline stage (parse, anonymize with the Anon. Key) emits anonymized data through the One-Way Interface (anon. data)

VM-based Implementation
(diagram) A Hypervisor hosts a Closed-box VM holding the online stage (capture, assemble), the offline stage (parse, anonymize with the Anon. Key), the Enc. Key, and the encrypt/decrypt step that keeps raw data on disk only as Encrypted Raw Data; the Closed-box VM reads from the Capture Hardware and writes only through the One-Way Socket to the Open-box VM (save trace, logging, maintenance), which owns the Open-box NIC
Benefits
• Strong privacy properties
  • Raw trace and other sensitive data cannot be leaked
• Trace processing done offline
  • Can use your favorite language!
  • Parsing can be done with off-the-shelf components
Key Technologies
• “Closed-box” VM protects sensitive data
  • Contains all raw trace data & processing code
  • No interactive access to closed-box (e.g. no console)
• Encryption protects on-disk data
  • Randomly generated key held in volatile memory
  • Data cannot be decrypted upon reboot
• “Safe-on-reboot” VM mitigates hardware attacks
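The three mechanisms above (closed box, on-disk encryption under a volatile key, one-way output) are easier to see together than separately. The added example below is ours, not code from Bunker or the talk: a `ClosedBox` object stands in for the closed-box VM, a shared list stands in for the disk, and the only output is a list standing in for the one-way socket. The slides do not say which cipher or anonymization Bunker uses, so the example uses an HMAC-SHA256 keystream with encrypt-then-MAC and keyed-hash tokens for e-mail and IPv4 addresses; all names, the sample raw lines, and those cryptographic choices are assumptions.

```python
import hashlib
import hmac
import re
import secrets


def _prf(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 serves as the PRF for key derivation, keystream blocks and tags."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream_xor(stream_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style keystream: block i is PRF(stream_key, nonce || i), XORed onto the data."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        block = _prf(stream_key, nonce + i.to_bytes(8, "big"))
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def encrypt_chunk(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: 16-byte nonce || ciphertext || 32-byte tag."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(_prf(key, b"stream"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)


def decrypt_chunk(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key (e.g. after a reboot) or an edited blob is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("cannot decrypt: wrong key or tampered data")
    return _keystream_xor(_prf(key, b"stream"), nonce, ct)


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def anonymize_record(anon_key: bytes, record: str) -> str:
    """Replace e-mail and IPv4 addresses with keyed-hash tokens: the same identifier
    always maps to the same token, so flows remain correlatable without the raw value."""
    def token(kind, m):
        return f"{kind}_" + _prf(anon_key, m.group(0).encode()).hex()[:12]
    record = EMAIL_RE.sub(lambda m: token("email", m), record)
    return IPV4_RE.sub(lambda m: token("ip", m), record)


class ClosedBox:
    """Stand-in for the closed-box VM: keys exist only in this object's memory, the
    'disk' only ever holds encrypted chunks, and anonymized lines are the only output."""

    def __init__(self, disk):
        self.enc_key = secrets.token_bytes(32)    # volatile: never written to disk
        self.anon_key = secrets.token_bytes(32)   # volatile: never leaves the box
        self.disk = disk                          # persistent: survives a reboot
        self.one_way_out = []                     # stands in for the one-way socket

    def capture(self, raw: bytes) -> None:
        """Online stage: raw data reaches disk only encrypted under the in-memory key."""
        self.disk.append(encrypt_chunk(self.enc_key, raw))

    def process(self) -> list:
        """Offline stage: decrypt, split into records, anonymize, push through the socket."""
        for blob in self.disk:
            for line in decrypt_chunk(self.enc_key, blob).decode().splitlines():
                self.one_way_out.append(anonymize_record(self.anon_key, line))
        return self.one_way_out


# Constructed sample raw lines standing in for captured mail/web traffic (not real data).
SAMPLE_RAW = (b"10.0.0.5 -> 192.0.2.10 GET /inbox user=alice@example.com\n"
              b"10.0.0.7 -> 192.0.2.10 POST /login user=bob@example.org\n")


def demo():
    """Capture and process, then 'reboot' (fresh box, fresh keys, same disk) and report
    whether the stored raw data is still readable: with the key gone, it is not."""
    disk = []
    box = ClosedBox(disk)
    box.capture(SAMPLE_RAW)
    anonymized = box.process()
    rebooted = ClosedBox(disk)
    try:
        rebooted.process()
        readable_after_reboot = True
    except ValueError:
        readable_after_reboot = False
    return anonymized, readable_after_reboot


if __name__ == "__main__":
    lines, readable = demo()
    print("\n".join(lines))
    print("raw data readable after reboot:", readable)
```

The reboot case is the one to watch: the second `ClosedBox` sees every encrypted chunk the first one wrote, but without the original `enc_key` the tag check fails and nothing is decrypted, which is the “data cannot be decrypted upon reboot” property in miniature. In a real deployment the key would also have to be kept out of swap and core dumps, which this in-process simulation does not model.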
Outline
• Motivation
• Design of our tool
• System evaluation
• Case study: Phishing
• Conclusions
Software Engineering Benefits
• One order of magnitude between online and offline
• Development time: Bunker, 2 months; UW/Toronto, years
Work Deferral
• Don’t do now what you can do later
Error Recovery
• Small bugs lead to small errors in the trace, not huge gaps
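Work deferral and error recovery are two sides of one design choice: because the raw data is stored before it is parsed, a parser bug costs one record and the parse can be re-run once the bug is fixed. The added example below illustrates both slides; it is ours, not code from Bunker, and the flow records, the deliberately fragile `parse_v1`, and the simplified model of an online crash (everything after the crash is lost) are constructed assumptions.

```python
# Constructed raw flow records, "flow_id,start,end,bytes,proto" (not real trace data);
# record 4 is malformed on purpose, standing in for input the first parser never anticipated.
RAW_TRACE = [
    "1,1201616100,1201616130,4096,http",
    "2,1201616101,1201616900,2097152,http",
    "3,1201616105,1201616106,512,dns",
    "4,1201616110,1201616111,n/a,dns",        # malformed byte count
    "5,1201616120,1201616125,8192,http",
]


def parse_v1(line: str) -> dict:
    """First version of the parser: int('n/a') raises ValueError on record 4."""
    fid, start, end, nbytes, proto = line.split(",")
    return {"id": int(fid), "duration": int(end) - int(start),
            "bytes": int(nbytes), "proto": proto}


def parse_v2(line: str) -> dict:
    """Fixed parser: a non-numeric byte count becomes None instead of crashing."""
    fid, start, end, nbytes, proto = line.split(",")
    return {"id": int(fid), "duration": int(end) - int(start),
            "bytes": int(nbytes) if nbytes.isdigit() else None, "proto": proto}


def process_online(parser, live_lines) -> list:
    """Online style: parse while capturing. An unhandled bug takes the capture process
    down, and everything after it is never recorded because raw data lived only in RAM."""
    out = []
    for line in live_lines:
        try:
            out.append(parser(line))
        except ValueError:
            break
    return out


def process_deferred(parser, stored_lines) -> tuple:
    """Bunker style: raw lines were stored first and parsed later, one record at a time,
    so a bug costs only the record that triggered it and the pass can be re-run when fixed."""
    out, failed = [], []
    for line in stored_lines:
        try:
            out.append(parser(line))
        except ValueError:
            failed.append(line)
    return out, failed


if __name__ == "__main__":
    n = len(RAW_TRACE)
    print("online, buggy parser:   ", len(process_online(parse_v1, RAW_TRACE)), "of", n)
    got, failed = process_deferred(parse_v1, RAW_TRACE)
    print("deferred, buggy parser: ", len(got), "of", n, "failed:", failed)
    got, failed = process_deferred(parse_v2, RAW_TRACE)
    print("deferred, fixed parser: ", len(got), "of", n, "failed:", failed)
```

With the buggy parser the online path keeps 3 of 5 records and the deferred path keeps 4 of 5 with the failing line retained for inspection; re-running the deferred path with the fixed parser recovers all 5, which is only possible because the raw records were kept.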
Phishing is Bad
• Costs U.S. economy hundreds of millions
• Affects 1+ million U.S. Internet users
• 2004 - mid 2006: # of phishing sites grew 10x
• Banks claim phishing is #1 source of fraud
• Phishing messages now personalized
  • Harder to filter
Two Day Hotmail Trace
• Tues Jan 29/08 11:15am - Thurs Jan 31 11:23am
• University of Toronto at Mississauga
Questions
• How often are URLs present in e-mails?
• How often do people click on links in e-mails?
• Do people verify an e-mail for legitimacy before clicking on a link?
Conclusions
• Today’s tracing experiments need to look “deep” into network activity
  • IP-level trace vs. email and browse history
• Serious privacy concerns
  • Physical security isn’t enough: subpoenas
• Bunker provides
  • the safety of online anonymization
  • the simplicity of offline anonymization
Acknowledgments
• Andrew Miklas (U. of Toronto)
• Alec Wolman (Microsoft Research)
• Angela Demke Brown (U. of Toronto)
Design (backup slide)
(diagram) The XEN Hypervisor hosts two VMs: the Closed-box VM (DomainU) with the Online Software, Offline Software, Anon. Key, Enc. Key, the Capture NIC and the Encrypted Raw Trace, and the Open-box VM (Domain0) with Untrusted Software and the Open NIC; the One-Way Interface is the only path from the closed box to the open box

(earlier diagram variants, same pipeline with the closed box labelled “Inaccessible VM” and the open box labelled “Commodity VM”) Capture Hardware → online stage (capture, assemble) → offline stage (parse, anonymize with the Anon. Key) → Anonymized Trace over the One-Way Socket to save trace, logging and maintenance in the Commodity VM; raw data is held only as an Encrypted Raw Trace under the Enc. Key
Overall Privacy Goal
(timeline diagram) Tracing Starts … Tamper Attack, with the periods labelled Data Protected and Data Exposed
• Goal: ensure that users’ privacy is “no worse off” when a trace is in progress