Recommended from our members
Randomized Instruction Sets and Runtime Environments: Past Research and Future Directions
Instruction set randomization offers a way to combat code-injection attacks by separating code from data (specifically, by randomizing legitimate code's execution environment). The author describes the motivation behind this approach and two application environments.
"Patch-on-Demand" Saves Even More Time?
In the June 2004 Security column ("A Patch in Nine Saves Time?", pp. 82-83), Bill Arbaugh makes two interesting observations: first, whoever has the tightest observe-orient-decide-act (OODA) loop will prevail in a confrontation; second, the infection rates of recent worms suggest that the good guys are losing the battle.
Countering DDoS Attacks with Multi-Path Overlay Networks
Distributed Denial of Service (DDoS) has emerged as a major threat to the operation of online network services [1, 2, 3]. Current forms of DDoS attacks implicate multiple groups of Internet machines that have been taken over and controlled by an attacker. These machines, called bots, are manipulated by the attacker to produce an excessive surge of traffic toward a target server, the victim. The target server is forced into processing and/or link-capacity starvation, and since malicious traffic is blended with normal traffic, it is difficult to weed out. Figure 1 depicts a DDoS attack and its impact on the target server.
Countering DoS Attacks With Stateless Multipath Overlays
Indirection-based overlay networks (IONs) are a promising approach for countering distributed denial of service (DDoS) attacks. Such mechanisms are based on the assumption that attackers will attack a fixed and bounded set of overlay nodes, causing service disruption to a small fraction of the users. In addition, attackers cannot eavesdrop on links inside the network or otherwise gain information that can help them focus their attacks on overlay nodes that are critical for specific communication flows. We develop an analytical model and a new class of attacks that considers both simple and advanced adversaries. We show that the impact of these simple attacks on IONs can severely disrupt communications. We propose a stateless spread-spectrum paradigm to create per-packet path diversity between each pair of end-nodes using a modified ION access protocol. Our system protects end-to-end communications from DoS attacks without sacrificing strong client authentication or allowing an attacker with partial connectivity information to repeatedly disrupt communications. Through analysis, we show that an Akamai-sized overlay can withstand attacks involving over 1.3M "zombie" hosts while providing uninterrupted end-to-end connectivity. By using packet replication, the system can resist attacks that render up to 40% of the nodes inoperable. Surprisingly, our experiments on PlanetLab demonstrate that in many cases end-to-end latency decreases when packet replication is used, with a worst-case increase by a factor of 2.5. Similarly, our system imposes less than 15% performance degradation in the end-to-end throughput, even when subjected to a large DDoS attack.
Voice-over-IP Security: Research and Practice
Consumers and enterprises alike are rapidly adopting voice-over-IP (VoIP) technologies, which offer higher flexibility and more features than traditional telephony infrastructures. They can also potentially lower costs through equipment consolidation and, for the consumer market, new business models. However, VoIP systems also represent high complexity in terms of architecture, protocols, and implementation, with a corresponding increase in the potential for misuse. The author conducted a survey of published vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database and in two IETF RFC Internet drafts. These issues ranged from relatively straightforward problems that can lead to server or equipment crashes (denial of service [DoS]) to more serious problems that let adversaries eavesdrop on communications, remotely take over servers or handsets, impersonate users, avoid billing or charge another user (toll fraud), and so on.
A Look at VoIP Vulnerabilities
Voice over IP (VoIP) and IP Multimedia Subsystem (IMS) technologies offer higher flexibility than traditional telephony infrastructures and the potential for lower cost through equipment consolidation and new business models. In this article, I examine the current state of affairs on VoIP/IMS security through a survey of all the 221 known/disclosed security vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database and in IETF RFCs/drafts. My key finding is that the higher complexity of VoIP/IMS systems leads to a variety of attack vectors, many of them caused by unforeseen and unexpected component interactions. A second finding is that what people seem to worry about in VoIP (traffic interception and impersonation) bears no resemblance to the distribution of vulnerabilities actually disclosed. The article concludes with some practical suggestions for securing VoIP systems.
A Comprehensive Survey of Voice over IP Security Research
We present a comprehensive survey of Voice over IP security academic research, using a set of 245 publications forming a closed cross-citation set. We classify these papers according to an extended version of the VoIP Security Alliance (VoIPSA) Threat Taxonomy. Our goal is to provide a roadmap for researchers seeking to understand existing capabilities and to identify gaps in addressing the numerous threats and vulnerabilities present in VoIP systems. We discuss the implications of our findings with respect to vulnerabilities reported in a variety of VoIP products. We identify two specific problem areas (denial of service, and service abuse) as requiring significantly more attention from the research community. We also find that the overwhelming majority of the surveyed work takes a black-box view of VoIP systems that avoids examining their internal structure and implementation. Such an approach may miss the mark in terms of addressing the main sources of vulnerabilities, i.e., implementation bugs and misconfigurations. Finally, we argue for further work on understanding cross-protocol and cross-mechanism vulnerabilities (emergent properties), which are the byproduct of a highly complex system-of-systems and an indication of the issues in future large-scale systems.
LinkWidth: A Method to Measure Link Capacity and Available Bandwidth Using Single-End Probes
We introduce LinkWidth, a method for estimating capacity and available bandwidth using single-end controlled TCP packet probes. To estimate capacity, we generate a train of TCP RST packets "sandwiched" between two TCP SYN packets. Capacity is obtained from the end-to-end packet dispersion of the received TCP RST/ACK packets corresponding to the TCP SYN packets. Our technique is significantly different from the rest of the packet-pair-based measurement techniques, such as CapProbe, pathchar and pathrate, because the long packet trains minimize errors due to bursty cross-traffic. TCP RST packets do not generate additional ICMP replies, preventing cross-traffic interference with our probes. In addition, we use TCP packets for all our probes to prevent some types of QoS-related traffic shaping from affecting our measurements. We extend the Train of Packet Pairs technique to approximate the available link capacity. We use pairs of TCP packets with variable intra-pair delays and sizes. This is the first attempt to implement this technique using single-end TCP probes, tested on a wide range of real networks with variable cross-traffic. We compare our prototype with pathchirp and pathload, which require control of both ends, and demonstrate that in most cases our method gives approximately the same results.
Distributed Firewall for MANETs
Mobile Ad-hoc Networks (MANETs) are increasingly used in military tactical situations and in civil rapid-deployment networks, including emergency rescue operations and ad hoc disaster-relief networks. The flexibility of MANETs comes at a price, when compared to wired and base-station-based wireless networks: MANETs are susceptible to both insider (compromised node) and outsider attacks due to the lack of a well-defined perimeter in which to deploy firewalls, intrusion detection systems, and other mechanisms commonly used for network access and admission control. In this paper, we define a distributed firewall architecture that is designed specifically for MANETs. Our approach harnesses and extends the concept of a network capability, and is especially suited for environments where the communicating nodes have different roles and hence different communication requirements, such as in tactical networks. Our model enforces communication restrictions among MANET nodes and services, allowing hop-by-hop policy enforcement in a distributed manner. We use a "deny-by-default" model where compromised nodes have access only to authorized services, without the ability to disrupt or interfere with end-to-end service connectivity and nodes beyond their local communication radius. Our simulations show that our solution has minimal overhead in terms of bandwidth and latency, works well even in the presence of routing changes due to mobile nodes, and is effective in containing misbehaving nodes.