579 research outputs found

    Honeypots in the age of universal attacks and the Internet of Things

    Today's Internet connects billions of physical devices. These devices are often immature and insecure, and share common vulnerabilities. The predominant form of attacks relies on recent advances in Internet-wide scanning and device discovery. The speed at which (vulnerable) devices can be discovered, and the device monoculture, mean that a single exploit, potentially trivial, can affect millions of devices across brands and continents. In an attempt to detect and profile the growing threat of autonomous and Internet-scale attacks against the Internet of Things, we revisit honeypots, resources that appear to be legitimate systems. We show that this endeavour was previously limited by a fundamentally flawed generation of honeypots and associated misconceptions. We show with two one-year-long studies that the display of warning messages has no deterrent effect in an attacked computer system. Previous research assumed that they would measure individual behaviour, but we find that the number of human attackers is orders of magnitude lower than previously assumed. Turning to the current generation of low- and medium-interaction honeypots, we demonstrate that their architecture is fatally flawed. The use of off-the-shelf libraries to provide the transport layer means that the protocols are implemented subtly differently from the systems being impersonated. We developed a generic technique which can find any such honeypot at Internet scale with just one packet for an established TCP connection. We then applied our technique and conducted several Internet-wide scans over a one-year period. By logging in to two SSH honeypots and sending specific commands, we not only revealed their configuration and patch status, but also found that many of them were not up to date. As we were the first to knowingly authenticate to honeypots, we provide a detailed legal analysis and an extended ethical justification for our research to show why we did not infringe computer-misuse laws. 
Lastly, we present honware, a honeypot framework for rapid implementation and deployment of high-interaction honeypots. Honware automatically processes a standard firmware image and can emulate a wide range of devices without any access to the manufacturers' hardware. We believe that honware is a major contribution towards re-balancing the economics of attackers and defenders by reducing the period in which attackers can exploit vulnerabilities at Internet scale in a world of ubiquitous networked 'things'. Premium Research Studentship, Department of Computer Science and Technology, University of Cambridg

    Patterns and Interactions in Network Security

    Networks play a central role in cyber-security: networks deliver security attacks, suffer from them, defend against them, and sometimes even cause them. This article is a concise tutorial on the large subject of networks and security, written for all those interested in networking, whether their specialty is security or not. To achieve this goal, we derive our focus and organization from two perspectives. The first perspective is that, although mechanisms for network security are extremely diverse, they are all instances of a few patterns. Consequently, after a pragmatic classification of security attacks, the main sections of the tutorial cover the four patterns for providing network security, of which the familiar three are cryptographic protocols, packet filtering, and dynamic resource allocation. Although cryptographic protocols hide the data contents of packets, they cannot hide packet headers. When users need to hide packet headers from adversaries, which may include the network from which they are receiving service, they must resort to the pattern of compound sessions and overlays. The second perspective comes from the observation that security mechanisms interact in important ways, with each other and with other aspects of networking, so each pattern includes a discussion of its interactions. Comment: 63 pages, 28 figures, 56 reference

    Modeling and performance analysis of ATM LANs

    Asynchronous Transfer Mode (ATM) is a method of data transmission using small fixed-length cells. This thesis presents a model of an ATM LAN which provides a realistic representation of data transmission over the system by explicitly modeling both the ATM network and the applications running over that network. Coloured timed Petri nets are used to create a compact model that is capable of representing a variety of different protocols at a high level of detail. The model is designed to allow easy reconfiguration or addition of detail at different levels of the system. Simulation is used to evaluate the performance of the model, and results are compared to actual data gathered from the Memorial University campus network

    Design of an Embedded Readout System for the ALOFT Gamma-Ray Detector Instrument

    Birkeland Center for Space Science has proposed a campaign known as the Airborne Lightning Observatory for FEGS & TGFs (ALOFT) to study Terrestrial Gamma-Ray Flashes (TGFs). TGFs are the most energetic natural phenomena occurring in the Earth’s atmosphere, and are important to our knowledge about the relationship between the Earth and space. The ALOFT campaign will use a gamma-ray detector instrument built by the University of Bergen which will be mounted to the NASA ER-2 High-Altitude Airborne Science Aircraft. This work covers the design and development of the embedded software used to offload and operate the detector readout system of said instrument. A similar instrument was built and flown in 2017. The new instrument differs from this by being implemented on a System on a Chip (SoC) embedded platform, reusing relevant modules from the old instrument. The software has been implemented with the FreeRTOS Realtime Operating System (RTOS). Design considerations to limit complexity, and the impact of the radiation environment the instrument is to be operated in, have been performed through implementation of a checksum algorithm, cyclic rewriting of registers, and modular design strategies. A verification system has been realized with a prototype hardware setup, in which test systems have been added to process synthetic TGF-events in the software and hardware. Test with emulated data and a Telnet control interface has been successfully implemented. The current implementation focuses on modularity, and thus offers a very good framework for further development of the instrument when campaign specifications are decided. Master's thesis in physics, MAMN-PHYS, PHYS39