36 research outputs found
TWO-STEP BUCKETING TO ACHIEVE HIGH PERFORMANCE DATA STRUCTURES
A variety of techniques and strategies are presented for protecting a data structure, e.g., a hash table, from an attacker who wishes to force worst-case performance. Many data structures are designed with fast and efficient insertion and lookup functionality under normal use-case scenarios. However, when forced into a worst-case context, the performance of the data structure is undermined and services relying on the data structure are impacted. The techniques presented maintain the high performance under normal use-case while protecting the data structure from malicious use
Protecting web applications from DDoS attacks by an active distributed defense system
In the last a few years a number of highly publicized incidents of Distributed Denial of Service (DDoS) attacks against high-profile government and commercial websites have made people aware of the importance of providing data and services security to users. A DDoS attack is an availability attack, which is characterized by an explicit attempt from an attacker to prevent legitimate users of a service from using the desired resources. This paper introduces the vulnerability of web applications to DDoS attacks, and presents an active distributed defense system that has a deployment mixture of sub-systems to protect web applications from DDoS attacks. According to the simulation experiments, this system is effective in that it is able to defend web applications against attacks. It can avoid overall network congestion and provide more resources to legitimate web users.<br /
Backscatter from the Data Plane --- Threats to Stability and Security in Information-Centric Networking
Information-centric networking proposals attract much attention in the
ongoing search for a future communication paradigm of the Internet. Replacing
the host-to-host connectivity by a data-oriented publish/subscribe service
eases content distribution and authentication by concept, while eliminating
threats from unwanted traffic at an end host as are common in today's Internet.
However, current approaches to content routing heavily rely on data-driven
protocol events and thereby introduce a strong coupling of the control to the
data plane in the underlying routing infrastructure. In this paper, threats to
the stability and security of the content distribution system are analyzed in
theory and practical experiments. We derive relations between state resources
and the performance of routers and demonstrate how this coupling can be misused
in practice. We discuss new attack vectors present in its current state of
development, as well as possibilities and limitations to mitigate them.Comment: 15 page
Strongly universal string hashing is fast
We present fast strongly universal string hashing families: they can process
data at a rate of 0.2 CPU cycle per byte. Maybe surprisingly, we find that
these families---though they require a large buffer of random numbers---are
often faster than popular hash functions with weaker theoretical guarantees.
Moreover, conventional wisdom is that hash functions with fewer multiplications
are faster. Yet we find that they may fail to be faster due to operation
pipelining. We present experimental results on several processors including
low-powered processors. Our tests include hash functions designed for
processors with the Carry-Less Multiplication (CLMUL) instruction set. We also
prove, using accessible proofs, the strong universality of our families.Comment: Software is available at
http://code.google.com/p/variablelengthstringhashing/ and
https://github.com/lemire/StronglyUniversalStringHashin
SlowFuzz: Automated Domain-Independent Detection of Algorithmic Complexity Vulnerabilities
Algorithmic complexity vulnerabilities occur when the worst-case time/space
complexity of an application is significantly higher than the respective
average case for particular user-controlled inputs. When such conditions are
met, an attacker can launch Denial-of-Service attacks against a vulnerable
application by providing inputs that trigger the worst-case behavior. Such
attacks have been known to have serious effects on production systems, take
down entire websites, or lead to bypasses of Web Application Firewalls.
Unfortunately, existing detection mechanisms for algorithmic complexity
vulnerabilities are domain-specific and often require significant manual
effort. In this paper, we design, implement, and evaluate SlowFuzz, a
domain-independent framework for automatically finding algorithmic complexity
vulnerabilities. SlowFuzz automatically finds inputs that trigger worst-case
algorithmic behavior in the tested binary. SlowFuzz uses resource-usage-guided
evolutionary search techniques to automatically find inputs that maximize
computational resource utilization for a given application.Comment: ACM CCS '17, October 30-November 3, 2017, Dallas, TX, US
Regular and almost universal hashing: an efficient implementation
Random hashing can provide guarantees regarding the performance of data
structures such as hash tables---even in an adversarial setting. Many existing
families of hash functions are universal: given two data objects, the
probability that they have the same hash value is low given that we pick hash
functions at random. However, universality fails to ensure that all hash
functions are well behaved. We further require regularity: when picking data
objects at random they should have a low probability of having the same hash
value, for any fixed hash function. We present the efficient implementation of
a family of non-cryptographic hash functions (PM+) offering good running times,
good memory usage as well as distinguishing theoretical guarantees: almost
universality and component-wise regularity. On a variety of platforms, our
implementations are comparable to the state of the art in performance. On
recent Intel processors, PM+ achieves a speed of 4.7 bytes per cycle for 32-bit
outputs and 3.3 bytes per cycle for 64-bit outputs. We review vectorization
through SIMD instructions (e.g., AVX2) and optimizations for superscalar
execution.Comment: accepted for publication in Software: Practice and Experience in
September 201
Defending Hash Tables from Subterfuge with Depth Charge
We consider the problem of defending a hash table against a Byzantine
attacker that is trying to degrade the performance of query, insertion and
deletion operations. Our defense makes use of resource burning (RB) -- the the
verifiable expenditure of network resources -- where the issuer of a request
incurs some RB cost. Our algorithm, Depth Charge, charges RB costs for
operations based on the depth of the appropriate object in the list that the
object hashes to in the table. By appropriately setting the RB costs, our
algorithm mitigates the impact of an attacker on the hash table's performance.
In particular, in the presence of a significant attack, our algorithm incurs a
cost which is asymptotically less that the attacker's cost