1,957 research outputs found
A countermeasure approach for brute-force timing attacks on cache privacy in named data networking architectures
One key feature of named data networks (NDN) is supporting in-network caching to increase the content distribution for today’s Internet needs. However, previously cached contents may be threatened by side-channel timing measurements/attacks. For example, one adversary can identify previously cached contents by distinguishing between uncached and cached contents from the in-network caching node, namely the edge NDN router. The attacks can be mitigated by the previously proposed methods effectively. However, these countermeasures may be against the NDN paradigm, affecting the content distribution performance. This work studied the side-channel timing attack on streaming over NDN applications and proposed a capable approach to mitigate it. Firstly, a recent side-channel timing attack, designated by brute-force, was implemented on ndnSIM using the AT&T network topology. Then, a multi-level countermeasure method, designated by detection and defense (DaD), is proposed to mitigate this attack. Simulation results showed that DaD distinguishes between legitimate and adversary nodes. During the attack, the proposed DaD multi-level approach achieved the minimum cache hit ratio (≈0.7%) compared to traditional countermeasures (≈4.1% in probabilistic and ≈3.7% in freshness) without compromising legitimate requests.This work has been supported by FCT - Fundação para a Ciência e Tecnologia within the R&D Units Project Scope: UIDB/00319/2020
Side-channel timing attack on content privacy of named data networking
Tese de Doutoramento em Engenharia Electrónica e de ComputadoresA diversity of current applications, such as Netflix, YouTube, and social media, have used the Internet mainly
as a content distribution network. Named Data Networking (NDN) is a network paradigm that attempts to
answer today’s applications need by naming the content. NDN promises an optimized content distribution
through a named content-centric design. One of the NDN key features is the use of in-network caching
to improve network efficiency in terms of content distribution. However, the cached contents may put the
consumer privacy at risk. Since the time response of cached contents is different from un-cached contents,
the adversary may distinguish the cached contents (targets) from un-cached ones, through the side-channel
timing responses. The scope of attack can be towards the content, the name, or the signature. For instance,
the adversary may obtain the call history, the callee or caller location on a trusted Voice over NDN (VoNDN)
and the popularity of contents in streaming applications (e.g. NDNtube, NDNlive) through side-channel
timing responses of the cache.
The side-channel timing attack can be mitigated by manipulating the time of the router responses. The
countermeasures proposed by other researches, such as additional delay, random/probabilistic caching,
group signatures, and no-caching can effectively be used to mitigate the attack. However, the content
distribution may be affected by pre-configured countermeasures which may go against the goal of the
original NDN paradigm. In this work, the detection and defense (DaD) approach is proposed to mitigate the
attack efficiently and effectively. With the DaD usage, an attack can be detected by a multi-level detection
mechanism, in order to apply the countermeasures against the adversarial faces. Also, the detections can
be used to determine the severity of the attack. In order to detect the behavior of an adversary, a brute-force
timing attack was implemented and simulated with the following applications and testbeds: i. a trusted
application that mimics the VoNDN and identifies the cached certificate on a worldwide NDN testbed, and
ii. a streaming-like NDNtube application to identify the popularity of videos on the NDN testbed and AT&T
company. In simulation primary results showed that the multi-level detection based on DaD mitigated the
attack about 39.1% in best-route, and 36.6% in multicast communications. Additionally, the results showed
that DaD preserves privacy without compromising the efficiency benefits of in-network caching in NDNtube
and VoNDN applications.Várias aplicações atuais, como o Netflix e o YouTube, têm vindo a usar a Internet como uma rede de
distribuição de conteúdos. O Named Data Networking (NDN) é um paradigma recente nas redes de comunicações
que tenta responder às necessidades das aplicações modernas, através da nomeação dos
conteúdos. O NDN promete uma otimização da distribuição dos conteúdos usando uma rede centrada
nos conteúdos. Uma das características principais do NDN é o uso da cache disponivel nos nós da rede
para melhorar a eficiência desta em termos de distribuição de conteúdos. No entanto, a colocação dos
conteúdos em cache pode colocar em risco a privacidade dos consumidores. Uma vez que a resposta
temporal de um conteúdo em cache é diferente do de um conteúdo que não está em cache, o adversário
pode distinguir os conteúdos que estão em cache dos que não estão em cache, através das respostas de
side-channel. O objectivo do ataque pode ser direcionado para o conteúdo, o nome ou a assinatura da
mensagem. Por exemplo, o adversário pode obter o histórico de chamadas, a localização do callee ou do
caller num serviço seguro de voz sobre NDN (VoNDN) e a popularidade do conteúdos em aplicações de
streaming (e.g. NDNtube, NDNlive) através das respostas temporais de side-channel.
O side-channel timing attack pode ser mitigado manipulando o tempo das respostas dos routers. As
contramedidas propostas por outros pesquisadores, tais como o atraso adicional, o cache aleatório /probabilístico,
as assinaturas de grupo e não fazer cache, podem ser efetivamente usadas para mitigar um
ataque. No entanto, a distribuição de conteúdos pode ser afetada por contramedidas pré-configuradas
que podem ir contra o propósito original do paradigma NDN. Neste trabalho, a abordagem de detecção e
defesa (DaD) é proposta para mitigar o ataque de forma eficiente e eficaz. Com o uso do DaD, um ataque
pode ser detectado por um mecanismo de detecção multi-nível, a fim de aplicar as contramedidas contra
as interfaces dos adversários. Além disso, as detecções podem ser usadas para determinar a gravidade
do ataque. A fim de detectar o comportamento de um adversário, um timing attack de força-bruta foi
implementado e simulado com as seguintes aplicações e plataformas (testbeds): i. uma aplicação segura
que implementa o VoNDN e identifica o certificado em cache numa plataforma NDN mundial; e ii. uma
aplicação de streaming do tipo NDNtube para identificar a popularidade de vídeos na plataforma NDN da
empresa AT&T. Os resultados da simulação mostraram que a detecção multi-nível oferecida pelo DaD atenuou
o ataque cerca de 39,1% em best-route e 36,5% em comunicações multicast. Para avaliar o efeito nos
pedidos legítimos, comparou-se o DaD com uma contramedida estática, tendo-se verificado que o DaD foi
capaz de preservar todos os pedidos legítimos
Public key certificate privacy in VoNDN: voice over named data networks
Scenarios were scripted by the C++11 library in ndnSIM 2.6. The scenario implementations and required tools can be publicly accessible at the author’s GitHub account—https://git.io/JJqEwNamed Data Network (NDN) is a network paradigm that attempts to answer today's needs for distribution. One of the NDN key features is in-network caching to increase content distribution and network efficiency. However, this feature may increase the privacy concerns, as the adversary may identify the call history, and the callee/caller location through side-channel timing responses from the cache of trusted Voice over NDN (VoNDN) application routers. The side-channel timing attack can be mitigated by countermeasures, such as additional unpredictable delay, random caching, group signatures, and no-caching configurations. However, the content distribution may be affected by pre-configured countermeasures, which may be against the original purpose of NDN. In this work, the detection and defense (DaD) approach is proposed to mitigate the attack efficiently and effectively. With the DaD usage, an attack can be detected by a multi-level detection mechanism, in order to apply the countermeasures against the adversarial faces. Also, the detections can be used to determine the severity of the attack. In order to detect the behavior of an adversary, a brute-force timing attack was implemented and simulated of the VoNDN application on NDN-testbed. A trusted application that mimics the VoNDN and identifies the cached certificate on a worldwide NDN-testbed. In simulation primary results showed that the multi-level detection based on DaD mitigated the attack about 39.1% in best-route, and 36.5% in multicast communications. Additionally, the results showed that DaD preserves privacy without compromising the efficiency benefits of in-network caching in the VoNDN application.This work was supported by the Fundacao para a Ciencia e Tecnologia (FCT) within the Research and Development Units Project Scope under Grant UIDB/00319/2020
Covert Ephemeral Communication in Named Data Networking
In the last decade, there has been a growing realization that the current
Internet Protocol is reaching the limits of its senescence. This has prompted
several research efforts that aim to design potential next-generation Internet
architectures. Named Data Networking (NDN), an instantiation of the
content-centric approach to networking, is one such effort. In contrast with
IP, NDN routers maintain a significant amount of user-driven state. In this
paper we investigate how to use this state for covert ephemeral communication
(CEC). CEC allows two or more parties to covertly exchange ephemeral messages,
i.e., messages that become unavailable after a certain amount of time. Our
techniques rely only on network-layer, rather than application-layer, services.
This makes our protocols robust, and communication difficult to uncover. We
show that users can build high-bandwidth CECs exploiting features unique to
NDN: in-network caches, routers' forwarding state and name matching rules. We
assess feasibility and performance of proposed cover channels using a local
setup and the official NDN testbed
Trojans in Early Design Steps—An Emerging Threat
Hardware Trojans inserted by malicious foundries
during integrated circuit manufacturing have received substantial
attention in recent years. In this paper, we focus on a different
type of hardware Trojan threats: attacks in the early steps of
design process. We show that third-party intellectual property
cores and CAD tools constitute realistic attack surfaces and that
even system specification can be targeted by adversaries. We
discuss the devastating damage potential of such attacks, the
applicable countermeasures against them and their deficiencies
Security and Privacy of IP-ICN Coexistence: A Comprehensive Survey
Internet usage has changed from its first design. Hence, the current Internet
must cope with some limitations, including performance degradation,
availability of IP addresses, and multiple security and privacy issues.
Nevertheless, to unsettle the current Internet's network layer i.e., Internet
Protocol with ICN is a challenging, expensive task. It also requires worldwide
coordination among Internet Service Providers , backbone, and Autonomous
Services. Additionally, history showed that technology changes e.g., from 3G to
4G, from IPv4 to IPv6 are not immediate, and usually, the replacement includes
a long coexistence period between the old and new technology. Similarly, we
believe that the process of replacement of the current Internet will surely
transition through the coexistence of IP and ICN. Although the tremendous
amount of security and privacy issues of the current Internet taught us the
importance of securely designing the architectures, only a few of the proposed
architectures place the security-by-design. Therefore, this article aims to
provide the first comprehensive Security and Privacy analysis of the
state-of-the-art coexistence architectures. Additionally, it yields a
horizontal comparison of security and privacy among three deployment approaches
of IP and ICN protocol i.e., overlay, underlay, and hybrid and a vertical
comparison among ten considered security and privacy features. As a result of
our analysis, emerges that most of the architectures utterly fail to provide
several SP features including data and traffic flow confidentiality,
availability and communication anonymity. We believe this article draws a
picture of the secure combination of current and future protocol stacks during
the coexistence phase that the Internet will definitely walk across
- …