2 research outputs found
K-resolver: Towards Decentralizing Encrypted DNS Resolution
Centralized DNS over HTTPS/TLS (DoH/DoT) resolution, which has started being
deployed by major hosting providers and web browsers, has sparked controversy
among Internet activists and privacy advocates due to several privacy concerns.
This design decision causes the trace of all DNS resolutions to be exposed to a
third-party resolver, different than the one specified by the user's access
network. In this work we propose K-resolver, a DNS resolution mechanism that
disperses DNS queries across multiple DoH resolvers, reducing the amount of
information about a user's browsing activity exposed to each individual
resolver. As a result, none of the resolvers can learn a user's entire web
browsing history. We have implemented a prototype of our approach for Mozilla
Firefox, and used it to evaluate the performance of web page load time compared
to the default centralized DoH approach. While our K-resolver mechanism has
some effect on DNS resolution time and web page load time, we show that this is
mainly due to the geographical location of the selected DoH servers. When more
well-provisioned anycast servers are available, our approach incurs negligible
overhead while improving user privacy.Comment: NDSS Workshop on Measurements, Attacks, and Defenses for the Web
(MADWeb) 202
Temporal System Call Specialization for Attack Surface Reduction
Presented online on October 16, 2020 at 12:00 p.m.Seyedhamed Ghavamnia is currently a PhD candidate at the Computer Science Department of Stony Brook University. He is a research assistant at HexLab, where he works under the supervision of Prof. Michalis Polychronakis on system security and more specifically on attack surface reduction.Runtime: 43:15 minutesAttack surface reduction through the removal of unnecessary application features and code is a promising technique for improving security without incurring any additional overhead. Recent software debloating techniques consider an application’s entire lifetime when extracting its code requirements, and reduce the attack surface accordingly.
In this talk, we present temporal specialization, a novel approach for limiting the set of system calls available to a process depending on its phase of execution. Our approach is tailored to server applications, which exhibit distinct initialization and serving phases with different system call requirements. We present novel static analysis techniques for improving the precision of extracting the application’s call graph for each execution phase, which is then used to pinpoint the system calls used in each phase. We show that requirements change throughout the lifetime of servers, and many dangerous system calls (such as execve) can be disabled after the completion of the initialization phase