PDoT: Private DNS-over-TLS with TEE Support

Security and privacy of the Internet Domain Name System (DNS) have been longstanding concerns. Recently, there is a trend to protect DNS traffic using Transport Layer Security (TLS). However, at least two major issues remain: (1) how do clients authenticate DNS-over-TLS endpoints in a scalable and extensible manner; and (2) how can clients trust endpoints to behave as expected? In this paper, we propose a novel Private DNS-over-TLS (PDoT ) architecture. PDoT includes a DNS Recursive Resolver (RecRes) that operates within a Trusted Execution Environment (TEE). Using Remote Attestation, DNS clients can authenticate, and receive strong assurance of trustworthiness of PDoT RecRes. We provide an open-source proof-of-concept implementation of PDoT and use it to experimentally demonstrate that its latency and throughput match that of the popular Unbound DNS-over-TLS resolver.Comment: To appear: ACSAC 201

The Scrivener’s Secrets Seen Through the Spyglass: GCHQ and the International Right to Journalistic Expression

As part of the U.K.’s electronic surveillance program, the Government Communications Headquarters (GCHQ), started in 1909 to combat German Spies, now collects metadata from both foreigners and its own citizens. Through the express statutory authority of the Regulation of Investigatory Powers Act of 2000 (RIPA), and a loophole in section 94 of the Telecommunications Act of 1984, the GCHQ collects metadata, which is all of the information that is extrinsic to the actual contents of a communication. The GCHQ can request an authorization from a public authority—a member of its own staff—to collect traffic data, service use information, or subscriber information, either from the relevant communications service provider or through their own interception of traffic. This metadata collection interferes with journalists’ ability to function as the pillar of democratic society that the international community expressly values. Specifically, The U.K government’s statutory scheme is in contravention of the freedom of journalistic expression contained within Article 10 of the European Convention on Human Rights. This Note argues that the U.K. government must change its legislative, philosophical, and administrative approaches to electronic surveillance to come into comport with European democratic principles

Assessing the Privacy Benefits of Domain Name Encryption

As Internet users have become more savvy about the potential for their Internet communication to be observed, the use of network traffic encryption technologies (e.g., HTTPS/TLS) is on the rise. However, even when encryption is enabled, users leak information about the domains they visit via DNS queries and via the Server Name Indication (SNI) extension of TLS. Two recent proposals to ameliorate this issue are DNS over HTTPS/TLS (DoH/DoT) and Encrypted SNI (ESNI). In this paper we aim to assess the privacy benefits of these proposals by considering the relationship between hostnames and IP addresses, the latter of which are still exposed. We perform DNS queries from nine vantage points around the globe to characterize this relationship. We quantify the privacy gain offered by ESNI for different hosting and CDN providers using two different metrics, the k-anonymity degree due to co-hosting and the dynamics of IP address changes. We find that 20% of the domains studied will not gain any privacy benefit since they have a one-to-one mapping between their hostname and IP address. On the other hand, 30% will gain a significant privacy benefit with a k value greater than 100, since these domains are co-hosted with more than 100 other domains. Domains whose visitors' privacy will meaningfully improve are far less popular, while for popular domains the benefit is not significant. Analyzing the dynamics of IP addresses of long-lived domains, we find that only 7.7% of them change their hosting IP addresses on a daily basis. We conclude by discussing potential approaches for website owners and hosting/CDN providers for maximizing the privacy benefits of ESNI.Comment: In Proceedings of the 15th ACM Asia Conference on Computer and Communications Security (ASIA CCS '20), October 5-9, 2020, Taipei, Taiwa

Credit Card Fraud: A New Perspective On Tackling An Intransigent Problem

This article offers a new perspective on battling credit card fraud. It departs from a focus on post factum liability, which characterizes most legal scholarship and federal legislation on credit card fraud and applies corrective mechanisms only after the damage is done. Instead, this article focuses on preempting credit card fraud by tackling the root causes of the problem: the built-in incentives that keep the credit card industry from fighting fraud on a system-wide basis. This article examines how credit card companies and banks have created a self-interested infrastructure that insulates them from the liabilities and costs of credit card fraud. Contrary to widespread belief, retailers, not card companies or banks, absorb much of the loss caused by thieves who shop with stolen credit cards. Also, credit card companies and banks earn fees from every credit card transaction, including those that are fraudulent. In addressing these problems, this article advocates broad reforms, including legislation that would mandate data security standards for the industry, empower multiple stakeholders to create the new standards, and offer companies incentives to comply by capping bank fees for those that are compliant, while deregulating fees for those that are not compliant

PANDAcap: A framework for streamlining collection of full-system traces

Full-system, deterministic record and replay has proven to be an invaluable tool for reverse engineering and systems analysis. However, acquiring a full-system recording typically involves signifcant planning and manual effort. This represents a distraction from the actual goal of recording a trace, i.e. analyzing it. We present PANDAcap, a framework based on PANDA full-system record and replay tool. PANDAcap combines off-the-shelf and custom-built components in order to streamline the process of recording PANDA traces. More importantly, in addition to making the setup of one-off experiments easier, PANDAcap also caters to the streamlining of systematic repeatable experiments in order to create PANDA trace datasets. As a demonstration, we have used PANDAcap to deploy an ssh honeypot aiming to study the actions of brute-force ssh attacks