Bunker: A Tamper Resistant Platform for Network Tracing (presentation transcript, 35 slides)

Transcript and Presenter's Notes

1
Bunker: A Tamper Resistant Platform for Network Tracing
  • Stefan Saroiu
  • University of Toronto

2
Motivation
  • Today's traces help build tomorrow's systems
  • ISPs view raw network traces as a liability
  • Traces can compromise user privacy
  • Protecting users' privacy is increasingly important
  • Trace anonymization mitigates these issues

3
Offline Anonymization
  • Trace is anonymized after the raw data has been collected
  • Privacy risk persists until the raw data is deleted
  • Today's traces require deep packet inspection
  • Headers are insufficient to understand phishing or P2P
  • Payload traces pose a serious privacy risk
  • Risk to user privacy is too high
  • Two universities rejected offline anonymization

4
Offline's Privacy Vulnerabilities
  • Two types of attacks
  • Traditional: network intrusion attacks
  • New: raw data can be subpoenaed
  • Both universities required that subpoenas would not affect privacy

5
Online Anonymization
  • Trace is anonymized while tracing
  • Raw data resides in RAM only
  • Difficult to meet performance demands
  • Extraction and anonymization must be done at line speed
  • Code is frequently buggy and difficult to maintain
  • Low-level languages (e.g. C), home-made parsers
  • Small bugs cause large amounts of data loss
  • Introduces a consistent bias against long-lived flows

6
Simple Tasks can be Very Slow
  • Regular expression for "phishing" (reconstructed: the extracted text lost the `|` separators and the `<` characters):
    (password|<form|<input|PIN|username|<script|user id|sign in|log in|login|signin|log on|sign on|signon|passcode|logon|account|activate|verify|payment|personal|address|card|credit|error|terminated|suspend)
    followed by a character class on A-Za-z whose brackets were lost in extraction
  • libpcre: 5.5 s for 30 MB, i.e. 44 Mbps max

8
Our solution: Bunker
  • Combines the best of both worlds
  • Same privacy benefits as online anonymization
  • Same engineering benefits as offline anonymization
  • Pre-load analysis and anonymization code
  • Lock it and throw away the key (tamper-resistance)

9
Threat Model
  • Accidental disclosure
  • Risk is substantial whenever humans are handling data
  • Subpoenas
  • Attacker has physical access to the tracing system
  • Subpoenas force researchers and ISPs to cooperate, as long as cooperation is not unduly burdensome
  • Implication: nobody can have access to raw data

10
Is Developing Bunker Legal?

11
It Depends on Intent of Use
  • Developing Bunker is like developing encryption
  • Must consider the purpose and uses of Bunker
  • Developing Bunker for user privacy is legal
  • Misuse of Bunker to bypass the law is illegal

12
Outline
  • Motivation
  • Design of our platform
  • System evaluation
  • Case study: phishing
  • Conclusions

13
Logical Design
(Diagram: the pipeline capture → assemble → parse → anonymize, with the anonymization key feeding the anonymize stage; the stages are split into an online part and an offline part.)
14
VM-based Implementation
(Diagram: the same capture → assemble → parse → anonymize pipeline, with its anonymization key, placed inside a closed-box VM on the hypervisor; the encrypted raw data sits between the online and the offline parts.)
16
Benefits
  • Strong privacy properties
  • Raw trace and other sensitive data cannot be
    leaked
  • Trace processing done offline
  • Can use your favorite language!
  • Parsing can be done with off-the-shelf components

17
Key Technologies
  • Closed-box VM protects sensitive data
  • Contains all raw trace data processing code
  • No interactive access to the closed box (e.g. no console)
  • Encryption protects on-disk data
  • Randomly generated key held in volatile memory only
  • Data cannot be decrypted after a reboot, because the key is gone
  • Safe-on-reboot VM mitigates hardware attacks

18
Outline
  • Motivation
  • Design of our tool
  • System evaluation
  • Case study: phishing
  • Conclusions

19
Software Engineering Benefits
  • One order of magnitude between online and offline development effort
  • Development time: Bunker 2 months; UW/Toronto tracers years

20
Work Deferral
  • Don't do now what you can do later

21
Error Recovery
  • Small bugs lead to small errors in the trace --
    not huge gaps
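The three slides above (key in volatile memory only, work deferral, error recovery) describe one mechanism. The following is an added example written for this transcript, not Bunker's code: the online stage does nothing but encrypt and store each record under a key that exists only in the closed-box object's memory; parsing is deferred to an offline pass inside the same box, where a parser bug costs one record instead of a gap; and once the object is discarded (a reboot) the on-disk data is unrecoverable. Assumptions: `disk` is a dict standing in for the VM's disk image, and the cipher is CTR mode over an HMAC-SHA256 keystream, used only because the Python standard library has no AES (a real deployment would use AES-CTR/GCM or disk encryption with the same key-lifetime rule). The sample e-mails are constructed, not from the Hotmail trace.

```python
"""Closed-box sketch: encrypt online, parse offline, key lost on reboot."""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in for AES-CTR: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    for counter in range(length // 32 + 1):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered blob: raw data is unrecoverable")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


class ClosedBox:
    """One boot of the closed-box VM. enc_key lives only in this object (RAM);
    nothing writes it to `disk`, so discarding the object is a reboot that
    destroys the only copy."""

    def __init__(self, disk: dict):
        self.disk = disk
        self.enc_key = secrets.token_bytes(32)  # fresh random key per boot
        self.seq = 0

    def capture(self, raw_record: bytes) -> None:
        """Online stage: the only work done at line rate is encrypt-and-store."""
        self.disk[self.seq] = encrypt(self.enc_key, raw_record)
        self.seq += 1

    def process(self, parser):
        """Offline stage (work deferral), still inside the closed box. A parser
        exception costs exactly one record, not every packet that an online
        parser would have missed while restarting."""
        results, errors = [], 0
        for seq in sorted(self.disk):
            raw = decrypt(self.enc_key, self.disk[seq])  # ValueError if key is wrong
            try:
                results.append(parser(raw))
            except (KeyError, ValueError, IndexError):
                errors += 1
        return results, errors


# Constructed sample records (assumption of this example, not trace data).
SAMPLE_RECORDS = [
    b"From: alice@example.com\r\nTo: bob@example.com\r\nSubject: invoice\r\n\r\nSee http://pay.example.net/x\r\n",
    b"From: carol@example.com\r\nTo: bob@example.com\r\nSubject: hi\r\n\r\nno links here\r\n",
    b"From: dave@example.com\r\nTo: bob@example.com\r\n\r\nmissing Subject header\r\n",
    b"From: eve@example.com\r\nTo: bob@example.com\r\nSubject: verify\r\n\r\nhttp://login.example.org/verify\r\n",
]


def parse_email(raw: bytes) -> dict:
    """Deliberately brittle parser: KeyError on a record with no Subject header."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = dict(line.split(b": ", 1) for line in head.split(b"\r\n"))
    return {"from": headers[b"From"].decode(), "to": headers[b"To"].decode(),
            "subject": headers[b"Subject"].decode(), "has_url": b"http://" in body}


def run_demo():
    disk = {}
    box = ClosedBox(disk)
    for rec in SAMPLE_RECORDS:
        box.capture(rec)
    parsed, errors = box.process(parse_email)
    del box                      # reboot: the key went away with the VM's memory
    rebooted = ClosedBox(disk)   # same disk image, new random key
    try:
        rebooted.process(parse_email)
        recoverable = True
    except ValueError:
        recoverable = False
    return parsed, errors, recoverable, disk


if __name__ == "__main__":
    parsed, errors, recoverable, _ = run_demo()
    print(len(parsed), "parsed,", errors, "error(s); recoverable after reboot:", recoverable)
```

The brittle parser is the point of the error-recovery slide: three of four records parse, the fourth is counted and skipped, and the raw bytes are still on disk (encrypted) for a corrected parser to re-read before the box is rebooted. After the reboot the same disk image fails the MAC check under the new key, which is the "throw away the key" property from slide 8.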

22
Outline
  • Motivation
  • Design of our tool
  • System evaluation
  • Case study: phishing
  • Conclusions

23
Phishing is Bad
  • Costs the U.S. economy hundreds of millions
  • Affects 1 million U.S. Internet users
  • From 2004 to mid-2006 the number of phishing sites grew 10x
  • Banks claim phishing is the #1 source of fraud
  • Phishing messages are now personalized
  • Harder to filter

24
Two Day Hotmail Trace
  Hotmail
  Users                              3,062
  # of E-mails Received             13,438
  # of From Addresses                7,422
  # of To Addresses                 25,456
  Median # of Words in E-mail Body     130
  • Tues Jan 29/08 11:15am - Thurs Jan 31 11:23am, University of Toronto at Mississauga

25
Questions
  • How often are URLs present in e-mails?
  • How often do people click on links in e-mails?
  • Do people verify an e-mail for legitimacy before
    clicking on a link?
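The first two questions can be answered from the trace without any raw URL or address leaving the closed box. The following is an added example written for this transcript, not Bunker's code and not the analysis the talk ran: both the e-mail trace and the HTTP trace are pseudonymised inside the closed box with one keyed-HMAC anonymizer, so the analyst outside sees only tokens yet can still join an e-mailed URL to a later fetch of the same URL by the same user. The record layouts, the `user-N` identifiers and the anonymization key are assumptions of the example; the traces are constructed.

```python
"""Anonymize-then-join: counting e-mailed URLs and clicks on them from tokens only."""
import hashlib
import hmac
import re
from collections import defaultdict

URL_RE = re.compile(rb"https?://[^\s<>\"']+")


def make_anonymizer(anon_key: bytes):
    """Keyed pseudonymisation: equal inputs give equal tokens in both traces;
    without anon_key (which never leaves the closed box) a token cannot be
    reversed or re-derived from a guessed URL or address."""
    def anon(value: bytes) -> str:
        return hmac.new(anon_key, value, hashlib.sha256).hexdigest()[:16]
    return anon


# Constructed raw records (assumption), standing in for what the closed box holds.
# E-mail: (t_seconds, recipient, body).  HTTP: (t_seconds, client, url).
EMAIL_TRACE = [
    (100, b"user-1", b"Please verify at http://login.example.org/verify"),
    (160, b"user-1", b"lunch tomorrow?"),
    (200, b"user-2", b"invoice: http://pay.example.net/x"),
    (260, b"user-3", b"http://news.example.com/story"),
]
HTTP_TRACE = [
    (130, b"user-1", b"http://login.example.org/verify"),
    (500, b"user-2", b"http://pay.example.net/x"),
    (520, b"user-3", b"http://other.example.com/"),
    (900, b"user-4", b"http://login.example.org/verify"),  # not the recipient
]


def anonymize_traces(anon, email_trace, http_trace):
    """Runs inside the closed box; its output is all that crosses to the analyst."""
    emails = [(t, anon(user), [anon(u) for u in URL_RE.findall(body)])
              for t, user, body in email_trace]
    fetches = [(t, anon(user), anon(url)) for t, user, url in http_trace]
    return emails, fetches


def analyze(emails, fetches):
    """Runs outside, on tokens only: how often are URLs present, and how often
    does the recipient fetch an e-mailed URL after receiving it?"""
    fetched_at = defaultdict(list)
    for t, user, url in fetches:
        fetched_at[(user, url)].append(t)
    clicked, delays = 0, []
    for t_recv, user, urls in emails:
        for url in urls:
            later = [t for t in fetched_at[(user, url)] if t >= t_recv]
            if later:
                clicked += 1
                delays.append(min(later) - t_recv)
    return {
        "emails": len(emails),
        "emails_with_url": sum(1 for _, _, urls in emails if urls),
        "emailed_urls": sum(len(urls) for _, _, urls in emails),
        "clicked": clicked,
        "seconds_to_click": sorted(delays),
    }


def run(anon_key: bytes = b"constructed-anon-key-for-demo"):
    anon = make_anonymizer(anon_key)
    emails, fetches = anonymize_traces(anon, EMAIL_TRACE, HTTP_TRACE)
    return analyze(emails, fetches), emails


if __name__ == "__main__":
    stats, _ = run()
    print(stats)
```

The join works because the same key pseudonymises the same URL to the same token in both streams, while a fetch of that URL by a different user (the `user-4` record) is correctly not counted as a click on the e-mail. The statistics are independent of the key, so the key can be generated randomly inside the closed box and never exported.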

26
Links in Email
27
Conclusions
  • Today's tracing experiments need to look deep into network activity
  • IP-level trace vs. e-mail and browse history
  • Serious privacy concerns
  • Physical security isn't enough: subpoenas
  • Bunker provides
  • the safety of online anonymization
  • the simplicity of offline anonymization

28
Acknowledgments
  • Andrew Miklas (U. of Toronto)
  • Alec Wolman (Microsoft Research)
  • Angela Demke Brown (U. of Toronto)

29
Questions? http://www.cs.toronto.edu/stefan
30
Design
(Diagram: two VMs on the XEN hypervisor. The open-box VM (Domain0) runs the untrusted software. The closed-box VM (DomainU) holds the online software, the offline software and the encryption key.)
31
Phishy Mail Leaks through Filters
32
(Backup slide: the logical-design diagram of slide 13 repeated.)
33
Inaccessible VM
(Diagram: the capture → assemble → parse → anonymize pipeline, with its anonymization key, placed inside a VM on the hypervisor.)
35
Overall Privacy Goal
(Timeline figure: "Tracing Starts" and "Tamper Attack" marked on the time axis, with regions labelled "Data Protected" and "Data Exposed".)
  • Goal: ensure that users' privacy is no worse off when a trace is in progress