Categories
Events Improving Technical Security Open Internet Standards Technology

NDSS 2018: Automating the Process of Vulnerability Discovery

NDSS 2018 is in full swing in San Diego this week and a couple of papers that really grabbed my attention were both in the same session on Network Security and Cellular Networks yesterday.

Samuel Jero, a PhD student at Purdue University and past IRTF Applied Networking Research Prize Winner, presented a fascinating paper on “Automated Attack Discovery in TCP Congestion Control Using a Model-guided Approach”. Of the many protocols and algorithms that are in daily use on the Internet, some are more fundamental and important than others and it doesn’t get much more fundamental and important than TCP congestion control.

TCP congestion control is what makes it possible for millions of autonomous devices and networks to seamlessly, and more-or-less fairly, share available bandwidth. Without it the network would literally collapse.

Attacks against congestion control to manipulate senders’ or receivers’ understanding of the state of the network have been known for some time. Jero and his co-authors Endadul Hoque, David Choffnes, Alan Mislove and Cristina Nita-Rotaru developed an approach using model-based testing to address the scalability challenges of previous work to automate the discovery of manipulation attacks against congestion control algorithms.

By building abstract models of several congestion control algorithms from IETF RFCs, the team were able to generate abstract attack strategies. These abstract strategies could then be mapped to concrete attack strategies including details of how attack packets should be created and timing information for injecting malicious traffic to effect an attack. Both off-path and on-path attackers were considered.

Armed with a set of concrete attack strategies, the team built a platform on which to test them against different congestion control implementations running on a variety of OS environments. Evaluating five TCP implementations from four Linux distributions and Windows 8 they found 11 classes of attacks, eight of which were previously unknown.

This work illustrates the vulnerability of transport protocols that carry their signalling in the clear, as TCP does. It is relatively trivial for an attacker to confuse congestion control state machines about the state of the network which leads to the large and diverse set of attack methods discovered. The new and rapidly developing QUIC protocol is perhaps one of the key next steps in defending the Internet against these kinds of manipulations: QUIC encrypts signalling by design.

In his paper, “LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE”, Syed Hussain (with co-authors Omar Chowdhury, Shagufta Mehnaz and Elisa Bertino) also employs a model-based testing approach to uncover 10 new attacks against the three fundamental protocol operations of the 4G LTE protocol (attach, detach and paging).

To ensure that the theoretical attacks were actually practical against real deployed 4G LTE networks, the team validated eight attacks using a real-world testbed. The most interesting attack discovered in this way is referred to as the ‘authentication relay attack,’ which enables an adversary to poison the core network’s knowledge of the location of a victim device, without possessing any legitimate credentials. This attack could provide a means to create a false alibi or plant fake evidence during a criminal investigation for example.

Both of these papers illustrate the power of applying model-based testing approaches to deployed systems to effectively automate the process of vulnerability discovery. As the dependence of modern society on Internet and cellular technologies continues to grow, this kind of work is crucial to help us move beyond the ‘whack-a-mole’ response to security vulnerabilities we’re familiar with.

These two papers are great examples of the strength of the work presented at NDSS and the importance of the research undertaken by this community for the security of our networked, distributed future. Both papers are already on the NDSS website, and slides and videos from these and all other presentations will be posted shortly after NDSS.

Categories
Building Trust Events Improving Technical Security Internet of Things (IoT) Technology

Report: Distributed IoT Security and Standards Workshop at NDSS 2018

Network and Distributed Systems Security (NDSS) Symposium is in full swing for its 25th anniversary year. As usual the NDSS program includes a really impressive array of great content on a wide range of topics. Prior to the main event there were four one-day workshops on themes related to the topic of NDSS: Binary Analysis Research, DNS Privacy, Usable Security, and the workshop I’d like to delve into here, Distributed IoT Security and Standards (DISS).

The DISS workshop received 29 submissions and accepted 12 papers. In an interesting twist on the usual scientific workshop format, the presented papers were all still in draft form and will now be revised based on the Q&A and offline discussions that took place as a result of the workshop. Revised papers will be published by the Internet Society in due course.

Introducing proceedings, co-chair Dirk Kutscher explained that it has become evident that the success of the Internet of Things (IoT) depends on sound and usable security and privacy. Device constraints, intermittent network connectivity, the scale of deployments, economic issues all combine to create an interesting and challenging environment for the research community to address.

A decentralised approach to IoT security is being pursued by multiple projects and several were presented during the workshop. Simultaneously, many IoT standards are under development in IETF, W3C, and elsewhere. It is therefore very timely to bring researchers together on the topic of DISS. The scope for the workshop was threefold:

  1. Enabling secure interoperability across IoT ecosystems;
  2. Security and privacy in ongoing IoT standardisation work, and;
  3. Other topics related to decentralised security and standardization in IoT

Ian Molloy gave a very interesting presentation on his work (with co-authors David Barrera and Heqing Huang) to monitor the connectivity profiles of different IoT devices and enforce network security policy to minimise the risks posed by insecure IoT devices to both the device owners and the wider Internet. The approach was described as ‘parental controls’ for IoT and brought to mind the work underway in the IETF on Manufacturer Usage Descriptions (MUD). An interesting difference between the two approaches is that Molloy’s explicitly does not require the user to trust the manufacturer to define a policy and provide a product that understands or respects the concerns of the end-user. There may be a place for a more distributed and crowdsourced approach.

Two papers addressed security reviews of existing standards. Michael McCool presented work (with co-author Elena Reshetova) to evaluate the security of the W3C Web of Things standard. Carsten Bormann presented an analysis of various developing standards for authorization solutions for the IoT. Both talks made clear that while standardisation for various pieces of a secure IoT ecosystem is underway, there is more work to be done to minimise the potential for implementation mistakes and the unintended consequences of exposing IoT device metadata.

Tomer Golomb presented a very interesting approach to anomaly detection including a great video demonstration of a wall of Raspberry Pis sharing state regarding normal operating conditions and then alarming when simulated exploits were run against known vulnerabilities.

The workshop also received an explicitly non-technical paper that considered the economic aspects of standardising security for the IoT. The authors tried to understand why IoT device manufacturers continue to ignore the findings of security research. They observed that consumers can’t determine the level of security provided by IoT products and are unwilling to pay for something they cannot assess. They identified a number of recommendations for ‘market-driven’ standardisation organisations:

  1. Define precise security model
  2. Stop consumer/business differentiation
  3. Add membership level for academic institutes
  4. Conduct security testing without conflict of interest
  5. Define and Enforce Update Policy

Lively discussion following this talk emphasised the importance of academic involvement, an open standards process with a multistakeholder ethos, and incorporating the development of reference implementations as part of the standards development life cycle. The need for regulation to help overcome the information asymmetry problem between industry and the consumers of IoT devices was also a hot topic of discussion.

Other topics discussed during the workshop included securing payments for outsourced computations, building a secure and open federation layer for IoT silos, authentication and key exchange protocols for IoT, practical implementation aspects and attestation.

To read more about NDSS, see our introductory blog post, our overview of the full NDSS 2018 program, and remember you can follow along via our social media channels – Twitter, Facebook, YouTube, and LinkedIn – or search/post using #NDSS18.

Categories
Building Trust Events Improving Technical Security Open Internet Standards Technology

Starting Today: NDSS Highlights the Best in Internet Security Research

You’ve undoubtedly heard about all sorts of Internet security vulnerabilities and incidents causing harm around the world, but the flip side of all that doom and gloom is all the promising efforts underway to create a more secure, private, and trusted Internet. Starting today and going through Wednesday (18-21 February), the Network and Distributed Systems Security (NDSS) Symposium takes place to present groundbreaking research in the world of Internet security.

This year marks the 25th anniversary of NDSS, and the Internet Society is proud to have been associated with it for over 20 years now. A key focus of the Internet Society has long been improving trust in the global open Internet. In order to promote this trust, we need new and innovative ideas and research on the security and privacy of our connected devices and the Internet that brings them together. NDSS is a top tier forum for highlighting this research.

NDSS 2018 is four full days featuring:

In addition to being excited by the potential of all the excellent security and privacy research to be presented at NDSS, the Internet Society is also pleased to support NDSS with continuing commitments to promoting open access to all information, encouraging cooperation and collaboration, and developing the next generation of leaders in the security space.

Quality academic research that is open and easily accessible to anyone is one of our best long-term investments in a truly open and trustable Internet. All of the information from NDSS including abstracts, papers, slides, videos, and posters will be available on the NDSS website. Papers and abstracts for the main programme are already on the NDSS website, and posters, slides, and videos from all the presentations will be posted shortly after NDSS. Individual workshops will have proceedings produced and put online in the weeks following NDSS.

NDSS brings together security researchers, standards developers, vendors, and the operational community into a cooperative and collaborative environment for the exchange of ideas. People are what ultimately hold the Internet together. The Internet’s development has been based on voluntary cooperation and collaboration, and these tenets remain essential factors for the Internet’s prosperity and potential. Because of this, the Internet Society has a long commitment to a Collaborative Security approach and views NDSS as an excellent example of this collaboration. We are especially pleased to see examples like the DNSPRIV and DISS workshops having active participation from the Internet Engineering Task Force (IETF) community, resulting in close coordination between emerging research and resulting standards. Enhanced collaboration makes both communities stronger.

Finally, for those of us who have been working in this space for more than a few years, we recognize the importance of developing the next generation of leaders. We need the best and the brightest engaged in solving the challenging security and privacy issues facing the Internet. Academic research by its very nature is developing the next generation of thought leaders in this space. To further support the exposure of students, NDSS, with the help of NSF, Cisco, and the Internet Society, is proud to have awarded 20 grants for students to attend NDSS in person.

For all of the above reasons and more, the Internet Society is pleased to support NDSS. We look forward to the results of this year’s event! And we want to wish a happy 25th anniversary to all those in the NDSS community!

There is still time if you want to join us in person in San Diego (by registering onsite). Otherwise you can follow along via our social media channels – Twitter, Facebook, YouTube, and LinkedIn, or search/post using #NDSS18.

Categories
Building Trust Events Improving Technical Security Open Internet Standards Technology

Celebrating the 25th Anniversary of NDSS

This year we are celebrating the 25th anniversary of the Network and Distributed System Security Symposium (NDSS). NDSS is a premier academic research conference addressing a wide range of topics associated with improving trust in the Internet and its connected devices. A key focus of the Internet Society has long been improving trust in the global open Internet. In order to promote this trust, we need new and innovative ideas and research on the security and privacy of our connected devices and the Internet that connects them together.

NDSS 2018 is about to get underway in San Diego, CA (18-21 February). It will be the biggest NDSS symposium yet, featuring 71 peer-reviewed papers, 20 posters, 4 workshops, 2 keynotes, and a co-located research group meeting. Record registration numbers are a key indicator that NDSS 2018 is featuring vital and timely topics. Below are some of the highlights expected in the coming week.

Workshops

This year’s program officially starts with four workshops on Sunday, 18 February. NDSS workshops are organized around a single topic and provide an opportunity for greater dialogue amongst researchers and practitioners in the area. Each of this year’s workshop have dynamic agendas.

The Workshop on Binary Analysis Research (BAR) is a new workshop topic for NDSS this year. Binary analysis refers to the process where humans and automated systems examine underlying code in software to discover, exploit, and defend against vulnerabilities. With the enormous and ever-increasing amount of software in the word today, formalized and automated methods of analysis are vital to improving security. This workshop will include a number of peer-reviewed papers and a panel discussion.

The Workshop on Decentralized IoT Security and Standards (DISS) is also new to NDSS this year. We are surrounded every day with the excitement and seemingly endless potential of the Internet of Things (IoT). The success of IoT depends significantly on solving the underlying security and privacy challenges. Following the spirit of NDSS, the goal of this workshop is to bring together researchers and practitioners to analyze and discuss decentralized security in the IoT, especially in the light of ongoing standardisation work and wider systems interoperability.

The Workshop on DNS Privacy (DNSPRIV) is in its second year at NDSS and will focus on increasing usability and decreasing traceability in the Domain Name System (DNS) infrastructure. DNS Privacy has been a growing concern of the IETF and others in the Internet engineering community for the last few years. Almost every activity on the Internet starts with a DNS query (and often several). The goal of this workshop is to bring together privacy and Internet researchers with a diversity of backgrounds and views, to identify promising long-term mitigations of the broad space of DNS privacy risks. This workshop, along with the DISS workshop, both have active participation from the Internet Engineering Task Force (IETF) community resulting in collaboration between academics and the engineers developing the standards.

Finally, the Workshop on Usable Security (USEC 2018) is one of the original NDSS workshops and is occurring at NDSS for the fifth consecutive year. It has long been established that ensuring effective security and privacy in real-world technology requires considering technical as well as human aspects. USEC 2018 fosters a multi-disciplinary approach to all aspects of human factors including adoption and usability in the context of security and privacy. Also notable about the USEC 2018 workshop is that it encourages papers that replicate previous results for validation purposes or document failed experiments to highlight the lessons learned. Finally, in another first for NDSS, USEC 2018 and DNSPRIV will have one joint session to discuss usability in the context of DNS.

Keynotes

Moving beyond the workshops, NDSS will also feature two excellent keynotes this year. On Monday morning, Ari Juels of Cornell University will kick off NDSS 2018 with a talk entitled “Beyond Smarts: Toward Correct, Private, Data-Rich Smart Contracts”. In this keynote, Ari will explore smart contracts, blockchains, secure off-chain data feeds or oracles, and much more. Check back after NDSS for a video recording of what will undoubtedly be an educational keynote.

On Wednesday morning, Parisa Tabriz of Google, Inc. will talk about “The Long Winding Road from Idea to Impact in Web Security”. In this keynote, she will share stories of multi-year initiatives that have made Chrome and the open web platform safer. She will talk about securing Flash content, the push to drive HTTPS adoption, and a 5+ year refactoring project to help mitigate speculative cpu vulnerabilities. She will focus on some of the practical constraints and lessons learned for others to consider when trying to improve security of large, complex, real-world systems.

NDSS Programme

The main content of NDSS 2018 is of course the set of papers to be presented and published. This year there are 71 peer-reviewed papers organized into 17 sessions, representing around 20% of the original submissions. Topics are wide-ranging and include authentication, cryptography, privacy, android, blockchain, cloud, and web security. This year, the Internet Society has reinforced its commitment to open access of information by updating the publishing policy for NDSS. Copyright of all papers remains with the authors. Papers, slides, and videos of all the talks will eventually be available on the NDSS 2018 programme page.

The final program component of NDSS 2018 is the Monday night Poster Session and Reception. This session will feature 20 posters of recently published or newly emerging research. Attendees will have a chance to vote for their favorite posters with special prizes being awarded in different categories.

Finally, on the Saturday before NDSS there will be an interim meeting of a proposed Internet Research Task Force (IRTF) research group on Decentralized Internet Infrastructure. The organizers of this meeting opted to use the fact that many of them will be in town for NDSS to co-locate their meeting as well. This group is in the formative stages so now is an excellent time to engage. The agenda looks interesting so if you are in San Diego early, drop on by the Rousseau room.

To wrap up this rather long blog post, I would like to say that the Internet Society is proud to have been associated with NDSS for over 20 years, and we are excited to see the results of this year’s event! Happy 25th to all those in the NDSS community!

You can still register onsite if you’d like to join us in person in San Diego, or you can follow along via our social media channels – Twitter, Facebook, and LinkedIn, or search/post using #NDSS18. Now, I’m off to catch my flight. See you in San Diego!

Categories
Building Trust Events Improving Technical Security Technology

Workshop on Binary Analysis Research (BAR) 2018 at NDSS on 18 February

Binary analysis refers to the process where human analysts and/or automated systems scrutinize the underlying code in software to discover, exploit, and defend against malice and vulnerabilities, oftentimes without access to source code. Through protecting legacy software deployed in all types of devices and platforms in the modern world, binary analysis techniques are becoming more and more critical in making our everyday life and our society more secure.

A Workshop on Binary Analysis Research (BAR) will be co-located with the Network and Distributed System Security Symposium (NDSS), and held in San Diego, CA, USA, on February 18, 2018.

The Workshop aims to provide an interaction point for researchers doing work in binary program analysis, with half of the workshop dedicated to traditional paper sessions and the other half to a roundtable discussion among researchers, implementers, and end-users of binary analysis techniques. BAR has attracted attention of many researchers, especially tool and framework authors, who actively work to create cutting-edge techniques and build powerful tools. Here we are happy to announce that eight high-quality academic papers have been accepted to appear in the paper sessions of the workshop, with presenters from both academia and industry. Researchers and authors of several famous binary analysis tools and frameworks, including BAP, Binary Ninja, BitBlaze-Fuzzball, BinCAT, CodeSurfer, Manticore, McSema, Panda, and S2E, will participate in the roundtable discussion.

With the analysis of binary programs once again becoming relevant due to the proliferation of interconnected embedded devices, the subfield of binary analysis has recently undergone a renaissance. Over the past few years, well over a dozen binary analysis frameworks were produced and released by well over a dozen research groups and private enterprise, putting the world in a situation where there are more binary analysis frameworks than there are web browsers. The situation has not been ignored by funding agencies, with massive grants, featuring binary analysis, being funded around the world. To drive the point home, in 2016, DARPA Cyber Grand Challenge turned automatic binary analysis, exploitation, and defense into something resembling a spectator sport.

It is worth noting that this binary analysis gold rush has taken place in a mostly uncoordinated manner, with some researchers meeting up on an ad-hoc basis at conferences and other research groups working in obscurity and isolation. As a result, while commonly adapted solutions to some problems have emerged, there is very little actual sharing and solution reuse among tools. This has resulted in missing tool functionality and needlessly duplicated effort, and has hampered the adoption of fundamental scientific advances in the field.

At the Workshop on the 18th, we are expecting great presentations, heated discussions, and exchange of brilliant ideas. If you are interested in reverse engineering and binary analysis, please consider registering for the workshop and paying us a visit!

Categories
Building Trust Domain Name System (DNS) Events Improving Technical Security Internet of Things (IoT) Privacy Technology

Announcing Four NDSS 2018 Workshops on Binary Analysis, IoT, DNS Privacy, and Security

The Internet Society is excited to announce that four workshops will be held in conjunction with the upcoming Network and Distributed System Security (NDSS) Symposium on 18 February 2018 in San Diego, CA. The workshop topics this year are:

A quick overview of each of the workshops is provided below. Submissions are currently being accepted for emerging research in each of these areas. Watch for the final program details in early January!

The first workshop is a new one this year on Binary Analysis Research (BAR). It is exploring the reinvigorated field of binary code analysis in light of the proliferation of interconnected embedded devices. In recent years there has been a rush to develop binary analysis frameworks. This has occurred in a mostly uncoordinated manner with researchers meeting on an ad-hoc basis or working in obscurity and isolation. As a result, there is little sharing or results and solution reuse among tools. The importance of formalized and properly vetted methods and tools for binary code analysis in order to deal with the scale of growth in these interconnected embedded devices cannot be overstated. The BAR workshop aims to provide an interaction point for researchers doing work in binary program analysis, with half of the workshop dedicated to traditional paper sessions and the other half to a roundtable discussion among researchers, implementers, and end-users of binary analysis techniques.

The second workshop is also new this year and focuses on Decentralized IoT Security and Standards (DISS). The success of the Internet of Things (IoT) depends significantly on solving the underlying security and privacy challenges. Due to their scale of deployment and limited resources, some of these systems will be extremely challenging to secure. A decentralized approach to IoT security brings forth many opportunities but also challenges, such as operating with constrained device and network capabilities, state synchronization, and trust management. At the same time, many IoT standards are now under development and decisions are being made today that will have long-term impact on the security of these systems. Of particular interest are open standards (e.g., IETF CoAP, OCF, and LWM2M), developed by organizations such as the IETF and the W3C including W3C Web of Things. The DISS workshop will gather researches and the open standards community together to help address the challenges of IoT Security.

The third workshop, DNS Privacy: Increasing Usability and Decreasing Traceability (DNSPRIV), continues the work started at the first DNS Privacy workshop held at NDSS 2017. DNS Privacy has been a growing concern of the IETF and others in the Internet engineering community for the last few years. Almost every activity on the Internet starts with a DNS query (and often several). Those queries can reveal information about not only what websites are visited but also about other services such as the domains of email contacts or chat services. This information crosses international boundaries and is sent in the clear. The IETF has taken steps to address these concerns; however, because of the diversity of the DNS ecosystem, and the pervasive role of DNS and domain names in Internet applications and security, much is not fully understood or resolved. The goal of this workshop is to bring together privacy and Internet researchers with a diversity of backgrounds and views, to identify promising long-term mitigations of the broad space of DNS privacy risks.

The final workshop, Usable Security (USEC), is a regular at NDSS dating back several years. It has even resulted in a sister event held in Europe over the summer months. This workshop brings together the technical and human aspects in of real-world technology to provide improved security and privacy. Experience has taught us over and over again that the best technical solutions for security and privacy will fail in deployment if usability is not a key design consideration. Enabling people to manage privacy and security necessitates giving due consideration to the users and the larger operating context within which technology is embedded. USEC 2018 aims to bring together researchers already engaged in this interdisciplinary effort with other computer science researchers in areas such as visualization, artificial intelligence, machine learning, and theoretical computer science as well as researchers from other domains such as economics and psychology.

I hope you will join us at NDSS 2018 from 18-21 February. Registration for the event will open later this month. Visit the NDSS website for more information, including upcoming announcements on the full workshop and NDSS program agendas. You can also find us on Twitter, Facebook, and LinkedIn using #NDSS18.