
Shadow: Simple HPC for Systems Security Research

Shadow: Simple HPC for Systems Security Research. Invited Talk, Kansas State University, September 25th, 2013. Rob Jansen, U.S. Naval Research Laboratory, rob.g.jansen@nrl.navy.mil. Outline: Experimentation Ideology; Shadow and its Design; Use case: Overview: the Distributed Tor Network


Presentation Transcript


  1. Shadow: Simple HPC for Systems Security Research Invited Talk Kansas State University September 25th, 2013 Rob Jansen U.S. Naval Research Laboratory rob.g.jansen@nrl.navy.mil

  2. Outline • Experimentation Ideology • Shadow and its Design • Use case: • Overview: the Distributed Tor Network • Research: the Sniper Attack Against Tor

  3. Outline • Experimentation Ideology • Shadow and its Design • Use case: • Overview: the Distributed Tor Network • Research: the Sniper Attack Against Tor

  4. Properties of Experimentation

  5. Network Research

  6. Testbed Trade-offs

  7. Outline • Experimentation Ideology • Shadow and its Design • Use case: • Overview: the Distributed Tor Network • Research: the Sniper Attack Against Tor

  8. What is Shadow? • Discrete event network simulator • Runs real applications without modification • Simulates time, network, crypto, CPU • Models routing, latency, bandwidth • Single Linux box without root privileges

  9. Shadow’s Capabilities

  10. Bootstrapping Shadow

  11. Virtual Network Configuration

  12. Virtual Host Configuration

  13. Simulation Engine

  14. Program Layout Shadow Engine (shadow-bin) Libraries (libc,…) Shadow Plug-in (application+wrapper)

  15. Plug-in Wrapper Hooks plugin_init() new_instance(argv, argc) free_instance() instance_notify() Shadow Engine (shadow-bin) Libraries (libc,…) Shadow Plug-in (application+wrapper)

  16. Function Interposition LD_PRELOAD=/home/rob/libpreload.so libpreload (socket,write, …) Shadow Engine (shadow-bin) Libraries (libc,…) Shadow Plug-in (application+wrapper)

  17. Function Interposition LD_PRELOAD=/home/rob/libpreload.so libpreload (socket,write, …) Shadow Engine (shadow-bin) Libraries (libc,…) Shadow Plug-in (application+wrapper) hooks

  18. Function Interposition LD_PRELOAD=/home/rob/libpreload.so libpreload (socket,write, …) Shadow Engine (shadow-bin) Libraries (libc,…) Shadow Plug-in (application+wrapper) hooks fopen

  19. Function Interposition LD_PRELOAD=/home/rob/libpreload.so libpreload (socket,write, …) socket Shadow Engine (shadow-bin) Libraries (libc,…) Shadow Plug-in (application+wrapper) hooks fopen

  20. Function Interposition LD_PRELOAD=/home/rob/libpreload.so libpreload (socket,write, …) write Shadow Engine (shadow-bin) Libraries (libc,…) Shadow Plug-in (application+wrapper) hooks fopen

  21. Virtual Context Switching Clang/LLVM (custom pass)

  22. Virtual Context Switching

  23. Shadow-Tor’s Accuracy

  24. Shadow-Tor’s Scalability Memory: 20-30 MiB per virtual Tor host

  25. Outline • Experimentation Ideology • Shadow and its Design • Use case: • Overview: the Distributed Tor Network • Research: the Sniper Attack Against Tor

  26. The Tor Anonymity Network torproject.org

  27. How Tor Works

  28. How Tor Works

  29. How Tor Works

  30. How Tor Works

  31. How Tor Works Tor protocol aware

  32. Outline • Experimentation Ideology • Shadow and its Design • Use case: • Overview: the Distributed Tor Network • *Research: the Sniper Attack Against Tor *Joint with Aaron Johnson, Florian Tschorsch, Björn Scheuermann

  33. Tor Flow Control exit entry

  34. Tor Flow Control One TCP Connection Between Each Relay, Multiple Circuits exit entry

  35. Tor Flow Control One TCP Connection Between Each Relay, Multiple Circuits exit entry Multiple Application Streams

  36. Tor Flow Control exit entry No end-to-end TCP!

  37. Tor Flow Control Tor protocol aware exit entry

  38. Tor Flow Control Delivery End Packaging End exit entry

  39. Tor Flow Control Delivery End Packaging End exit entry

  40. Tor Flow Control SENDME Signal Every 100 Cells 1000 Cell Limit exit entry

  41. The Sniper Attack • Low-cost memory consumption attack • Disables arbitrary Tor relays • Anonymous if launched through Tor

  42. The Sniper Attack Start Download exit entry Request

  43. The Sniper Attack Reply DATA exit entry

  44. The Sniper Attack Package and Relay DATA DATA DATA exit entry

  45. The Sniper Attack R Stop Reading from Connection DATA DATA DATA entry exit

  46. The Sniper Attack R DATA DATA DATA DATA DATA DATA DATA DATA exit entry

  47. The Sniper Attack R DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA exit entry Periodically Send SENDME SENDME

  48. The Sniper Attack R DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA DATA exit entry Out of Memory, Killed by OS

  49. Memory Consumed over Time

  50. Mean RAM Consumed, 50 Relays
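
The window accounting from slides 40 and 45-48, as an added example that is not part of the talk or of Tor's source code: a constructed single-circuit model in C showing that the 1000-cell limit bounds the cells queued toward the delivery end only while each SENDME reflects 100 cells actually read. The function name, the tick loop and the `read_per_tick` parameter are assumptions made for illustration.

```c
#include <stdio.h>

#define WINDOW_START     1000  /* slide 40: 1000 cell limit */
#define SENDME_INCREMENT  100  /* slide 40: SENDME every 100 cells */

/* Constructed model of one circuit (hypothetical helper, not Tor code).
 * sendme_follows_reads = 1: delivery end reads up to read_per_tick cells per
 *   tick and sends one SENDME per 100 cells it has read.
 * sendme_follows_reads = 0: delivery end reads nothing, yet a SENDME still
 *   arrives for every 100 cells sent (slides 45-47).
 * Returns the peak number of cells queued, unread, toward the delivery end. */
long peak_queued_cells(long total_cells, long read_per_tick, int sendme_follows_reads)
{
    long window = WINDOW_START;   /* packaging end's remaining send budget */
    long sent = 0, queued = 0, peak = 0;
    long unacked = 0;             /* cells counted toward the next SENDME */

    while (sent < total_cells) {
        /* Packaging end: send only while the window is open. */
        long burst = total_cells - sent;
        if (burst > window) burst = window;
        sent += burst; window -= burst; queued += burst;
        if (queued > peak) peak = queued;

        /* Delivery end: read cells off the connection (or not at all). */
        long nread = 0;
        if (sendme_follows_reads && read_per_tick > 0)
            nread = queued < read_per_tick ? queued : read_per_tick;
        queued -= nread;

        /* Each SENDME reopens the packaging window by 100 cells. */
        unacked += sendme_follows_reads ? nread : burst;
        while (unacked >= SENDME_INCREMENT) {
            unacked -= SENDME_INCREMENT;
            window += SENDME_INCREMENT;
        }
        if (burst == 0 && nread == 0) break;  /* window closed, nothing read */
    }
    return peak;
}

int main(void)
{
    printf("SENDME tied to reads:   peak %ld cells\n", peak_queued_cells(100000, 50, 1));
    printf("SENDME without reading: peak %ld cells\n", peak_queued_cells(100000, 50, 0));
    return 0;
}
```

With SENDMEs tied to reads the queue never exceeds the window; once they are decoupled from reading, the queue grows with the amount of data requested, which is the memory growth slides 48-50 report.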
