Slide 1
Shadow: Simple HPC for Systems Security Research
Invited Talk, Kansas State University, September 25th, 2013
Rob Jansen
U.S. Naval Research Laboratory
rob.g.jansen@nrl.navy.mil

Slide 2
Outline
Experimentation Ideology
Shadow and its Design
Use case:
  Overview: the Distributed Tor Network
  Research: the Sniper Attack Against Tor

Slide 3
Outline (same items as Slide 2)

Slide 4
Properties of Experimentation
Slide 5
Network Research

Approach      | Problems
Live Network  | Hard to manage, lengthy deployment, security risks
PlanetLab     | Hard to manage, bad at modeling, not scalable
Simulation    | Not generalizable, inaccurate
Emulation     | Large overhead, kernel complexities
Slide 6
Testbed Trade-offs

Testbed       | Controllable | Reproducible | Scalable | Accuracy | Convenient
Live Network  | two X marks on the slide; their columns are not recoverable from the extraction
PlanetLab     | one ? mark on the slide; its column is not recoverable from the extraction
Simulation    | X            | X            | X        |          | X
Emulation     | two X marks on the slide; their columns are not recoverable from the extraction
Shadow        | X            | X            | X        | ?        | X
Slide 7
Outline (same items as Slide 2)

Slide 8
What is Shadow?
Discrete event network simulator
Runs real applications without modification
Simulates time, network, crypto, CPU
Models routing, latency, bandwidth
Single Linux box without root privileges

Slide 9
Shadow’s Capabilities

Slide 10
Bootstrapping Shadow

Slide 11
Virtual Network Configuration

Slide 12
Virtual Host Configuration

Slide 13
Simulation Engine

Slide 14
Program Layout
Libraries (libc, …)
Shadow Engine (shadow-bin)
Shadow Plug-in (application + wrapper)
Slide 15
Plug-in Wrapper Hooks
plugin_init()
new_instance(argv, argc)
free_instance()
instance_notify()
Libraries (libc, …)
Shadow Engine (shadow-bin)
Shadow Plug-in (application + wrapper)
Slides 16-20
Function Interposition
LD_PRELOAD=/home/rob/libpreload.so
Libraries (libc, …)
Shadow Engine (shadow-bin)
Shadow Plug-in (application + wrapper)
libpreload (socket, write, …)
The animation adds the hooks one per slide: libpreload hooks fopen, socket and write.
Slide 21
Virtual Context Switching
Clang/LLVM (custom pass)

Slide 22
Virtual Context Switching

Slide 23
Shadow-Tor’s Accuracy

Slide 24
Shadow-Tor’s Scalability
Memory: 20-30 MiB per virtual Tor host

Slide 25
Outline (same items as Slide 2)

Slide 26
The Tor Anonymity Network
torproject.org

Slides 27-31
How Tor Works
(animated diagram; slide 31 adds the label "Tor protocol aware")

Slide 32
Outline
Experimentation Ideology
Shadow and its Design
Use case:
  Overview: the Distributed Tor Network
  *Research: the Sniper Attack Against Tor
*Joint with Aaron Johnson, Florian Tschorsch, Björn Scheuermann
Slides 33-40
Tor Flow Control
(animated diagram between an entry relay and an exit relay; labels added across the slides:)
One TCP connection between each relay, multiple circuits
Multiple application streams
No end-to-end TCP!
Tor protocol aware
Packaging End / Delivery End
1000 Cell Limit
SENDME Signal Every 100 Cells
Slide 41
The Sniper Attack
Low-cost memory consumption attack
Disables arbitrary Tor relays
Anonymous if launched through Tor

Slides 42-48
The Sniper Attack
(animated diagram between entry and exit; the frames in order:)
Start Download Request
Reply DATA
Package and Relay DATA
Stop Reading from Connection (DATA cells queue at the relay R)
Periodically Send SENDME
Out of Memory, Killed by OS

Slide 49
Memory Consumed over Time

Slide 50
Mean RAM Consumed, 50 Relays

Slide 51
Mean BW Consumed, 50 Relays
Slide 52
Sniper Attack Defenses
Authenticated SENDMEs
Queue Length Limit
Adaptive Circuit Killer
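The window accounting from the Tor Flow Control slides and the Queue Length Limit defense from the slide above, carried through as an added example; this is a constructed model, not Tor's or Shadow's code. The 1000-cell circuit window and the SENDME per 100 cells are taken from the slides; the 50-cell batch the exit packages per round, the 512-byte cell size used for the memory estimate, and the rule that the defense closes a circuit whose queue exceeds the limit are assumptions of the model. The `simulate` function returns the peak number of cells the relay held for one circuit, so the four scenarios in `main` can be compared directly: a client that reads, a client that stops reading and therefore stops acknowledging, a client that acknowledges cells it never read, and the last case again with a queue length limit in place.

```c
/* Added example, not Tor's or Shadow's code: a constructed model of Tor's
 * circuit-level flow control and of a per-circuit queue length limit at a relay. */
#include <stdbool.h>
#include <stdio.h>

enum {
    CIRC_WINDOW_START = 1000,   /* cells the packaging end may send before waiting (slides) */
    CIRC_SENDME_INC   = 100,    /* each SENDME re-opens the window by this many cells (slides) */
    CELLS_PER_ROUND   = 50,     /* assumed: cells the exit packages per simulation round */
    CELL_BYTES        = 512     /* assumed for the memory estimate */
};

struct sim_result {
    long peak_queue;   /* largest number of cells the relay held for this circuit */
    long cells_sent;   /* cells the packaging end emitted in total */
    bool closed;       /* true if the queue length limit closed the circuit */
};

/* rounds:        simulation rounds to run
 * client_drain:  cells the client reads off the circuit per round (0: never reads)
 * ack_unread:    client sends SENDMEs for cells it has not read, as the attack
 *                slides describe, instead of only for cells actually delivered
 * queue_limit:   per-circuit queue limit at the relay; 0 disables the defense */
struct sim_result simulate(int rounds, int client_drain, bool ack_unread, int queue_limit)
{
    int package_window = CIRC_WINDOW_START;  /* packaging end (exit) */
    int queue = 0;                           /* cells held by the delivery-side relay R */
    int unacked = 0;                         /* cells since the client's last SENDME */
    struct sim_result r = { 0, 0, false };

    for (int i = 0; i < rounds; i++) {
        /* the exit packages DATA cells only while its window allows */
        int n = package_window < CELLS_PER_ROUND ? package_window : CELLS_PER_ROUND;
        package_window -= n;
        queue += n;
        r.cells_sent += n;
        if (queue > r.peak_queue) r.peak_queue = queue;

        /* defense: a relay that bounds per-circuit queue length closes the circuit
         * and frees its cells instead of letting the queue grow without limit */
        if (queue_limit > 0 && queue > queue_limit) {
            r.closed = true;
            queue = 0;
            break;
        }

        /* the client reads (or does not read) from its connection to the relay */
        int d = client_drain < queue ? client_drain : queue;
        queue -= d;

        /* SENDMEs flow back to the exit and re-open its window */
        unacked += ack_unread ? n : d;
        while (unacked >= CIRC_SENDME_INC) {
            unacked -= CIRC_SENDME_INC;
            package_window += CIRC_SENDME_INC;
        }
    }
    return r;
}

/* Memory the relay needs for a queue of this many cells (assumed 512-byte cells). */
long queue_memory_bytes(long cells) { return cells * CELL_BYTES; }

int main(void)
{
    struct sim_result honest  = simulate(400, 50, false, 0);
    struct sim_result silent  = simulate(400, 0, false, 0);
    struct sim_result unread  = simulate(400, 0, true, 0);
    struct sim_result limited = simulate(400, 0, true, 2000);
    printf("client reads:            peak %ld cells\n", honest.peak_queue);
    printf("client stops reading:    peak %ld cells (the window stops the exit)\n", silent.peak_queue);
    printf("SENDMEs without reading: peak %ld cells = %ld bytes\n",
           unread.peak_queue, queue_memory_bytes(unread.peak_queue));
    printf("same, queue limit 2000:  peak %ld cells, closed=%d\n",
           limited.peak_queue, limited.closed);
    return 0;
}
```

The second scenario is the property the flow control is designed around: once the client stops reading and therefore stops acknowledging, the exit's window runs out after 1000 cells and the relay's queue is bounded. The third scenario shows why acknowledgements that are not tied to delivery break that bound, which is also what the Authenticated SENDMEs defense targets, and the fourth shows that a queue length limit caps the per-circuit memory at the limit plus one batch (2050 cells here) regardless of how the client behaves.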
Slide 53
Circuit-Killer Defense

Slide 54
Sniper Attack Implications
Reduce Tor’s capacity
Network Denial of Service
Influence path selection (selective DoS)
Deanonymization of hidden services

Slide 55
Outline (same items as Slide 2)

Slide 56
Questions?
shadow.github.io
github.com/shadow
cs.umn.edu/~jansen
rob.g.jansen@nrl.navy.mil
think like an adversary