1、Bunker: A Tamper Resistant Platform for Network TracingStefan SaroiuUniversity of Toronto邢臺人才網 1MotivationTodays tracing help build tomorrows systemsISPs view raw network traces as a liabilityTraces can compromise user privacyProtecting users privacy increasingly importantTrace anonymization mitigat

2、es these issues2Offline AnonymizationTrace anonymized after raw data is collectedPrivacy risk until raw data is deletedTodays traces require deep packet inspectionHeaders insufficient to understand phishing or P2PPayload traces pose a serious privacy riskRisk to user privacy is too high Two universi

3、ties rejected offline anonymization3Offlines Privacy VulnerabilitiesTwo types of attacks:Traditional: Network intrusion attacksNew: Raw data can be subpoenaedBoth universities required that subpoenas would not affect privacy4Online AnonymizationTrace anonymized while tracingRaw data resides in RAM o

4、nlyDifficult to meet performance demandsExtraction and anonymization must be done at line speedsCode is frequently buggy and difficult to maintainLow-level languages (e.g. C) + “Home-made” parsersSmall bugs cause large amounts of data lossIntroduces consistent bias against long-lived flows5Simple Ta

5、sks can be Very SlowRegular expression for phishing: (password)|(form)|(input)|(PIN)|(username)|(script)|(user id)|(sign in)|(log in)|(login)|(signin)|(log on)|(sign on)|(signon)|(passcode)|(logon)|(account)|(activate)|(verify)|(payment)|(personal)|(address)|(card)|(credit)|(error)|(terminated)|(sus

6、pend)A-Za-z”libpcre: 5.5 s for 30 M = 44 Mbps max6Online AnonymizationTrace anonymized while tracingRaw data resides in RAM onlyDifficult to meet performance demandsExtraction and anonymization must be done at line speedsCode is frequently buggy and difficult to maintainLow-level languages (e.g. C)

7、+ “Home-made” parsersSmall bugs cause large amounts of data lossIntroduces consistent bias against long-lived flows7Our solution: BunkerCombines best of both worldsSame privacy benefits as online anonymizationSame engineering benefits as offline anonymizationPre-load analysis and anonymization codeL

8、ock-it and throw away the key (tamper-resistance)8Threat ModelAccidental disclosure:Risk is substantial whenever humans are handling dataSubpoenas:Attacker has physical access to tracing systemSubpoenas force researcher and ISPs to cooperate As long as cooperation is not “unduly burdensome”Implicati

9、on: Nobody can have access to raw data9Is Developing Bunker Legal?10It Depends on Intent of UseDeveloping Bunker is like developing encryption Must consider purpose and uses of BunkerDeveloping Bunker for user privacy is legalMisuse of Bunker to bypass law is illegal11OutlineMotivationDesign of our

10、platformSystem evaluationCase study: PhishingConclusions12Logical DesigncaptureAnon.KeyOnlineOfflineassembleparseanonymizeOne-Way Interface(anon. data)Capture Hardware13captureAnon.KeyOnlineOfflineCapture HardwareClosed-box VMassembleparseanonymizeHypervisorencryptdecryptEnc.KeyEncrypted Raw DataOne

11、-WaySocketVM-based ImplementationOpen-box NIC14Open-box NICOpen-box VMsave traceloggingmaintenancecaptureAnon.KeyOnlineOfflineCapture HardwareClosed-box VMassembleparseanonymizeHypervisorencryptdecryptEnc.KeyEncrypted Raw DataOne-WaySocketVM-based Implementation15BenefitsStrong privacy propertiesRaw

12、 trace and other sensitive data cannot be leakedTrace processing done offlineCan use your favorite language!Parsing can be done with off-the-shelf components16Key Technologies“Closed-box” VM protects sensitive dataContains all raw trace data & processing codeNo interactive access to closed-box (e.g.

13、 no console)Encryption protects on-disk dataRandomly generated key held in volatile memoryData cannot be decrypted upon reboot“Safe-on-reboot” VM mitigates hardware attacks17OutlineMotivationDesign of our toolSystem evaluationCase study: PhishingConclusions18Software Engineering BenefitsOne order of

14、 magnitude btw. online and offlineDevelopment time: Bunker - 2 months, UW/Toronto - years19Work Deferral Dont do now what you can do later20Error RecoverySmall bugs lead to small errors in the trace - not huge gaps21OutlineMotivationDesign of our toolSystem evaluationCase study: PhishingConclusions2

15、2Phishing is BadCosts U.S. economy hundreds of millionsAffects 1+ million U.S. Internet users2004 - mid 2006: # of phishing sites grew 10 xBanks claim phishing is #1 source of fraudPhishing messages now personalizedHarder to filter23Two Day Hotmail TraceTues Jan 29/08 11:15am - Thurs Jan 31 11:23am,

16、University of Toronto at Mississauga 24QuestionsHow often are URLs present in e-mails?How often do people click on links in e-mails?Do people verify an e-mail for legitimacy before clicking on a link?25Links in Email26ConclusionsTodays tracing experiments need to look “deep” into network activityIP-

17、level trace vs. email and browse historySerious privacy concernsPhysical security isnt enough: subpoenasBunker provides the safety of online anonymizationthe simplicity of offline anonymization27AcknowledgmentsAndrew Miklas (U. of Toronto)Alec Wolman (Microsoft Research)Angela Demke Brown (U. of Tor

18、onto)28Questions?29DesignOpen-box VMXEN Hypervisor(DomainU)Untrusted SoftwareOnline SoftwareClosed-box VM(Domain0)Anon.KeyEnc.KeyCaptureNICEncrypted Raw TraceOpenNICOne-WayInterfaceOffline Software30Phishy Mail Leaks through Filters31captureAnon.KeyOnlineOfflineAnonymized TraceCaptureHardwareassembleparseanonymize32Commodity VMsave traceloggingmaintenancecaptureAnon.KeyOnlineOfflineAnonymized TraceCaptureHardwareInaccessible VMassembleparseanonymizeHypervisorOne-WaySocket33Commodity VMsave traceloggingmaintenancecaptureAnon.KeyOn