Not-a-Bot (NAB): Improving Service Availability in the Face of Botnet Attacks
Ramakrishna (Ramki) Gummadi (MIT), Hari Balakrishnan (MIT), Petros Maniatis and Sylvia Ratnasamy (Intel Research)
NSDI 2009

Slide 2: The problem: Service unavailability
[Figure: misclassified email; bounced email]

Slide 3: Botnets: Reduce service availability
- Email: 85% of spam from top six botnets
  - Over 95% of all inboxes affected
  - 120 billion messages/day: Overloaded mail servers
- DDoS: 4000 attacks/week [Moore et al., '06]
- Click-fraud: ad fraud, search engine fraud
  - ~15% of all ad clicks
  - Compromise search results
Question: General way to distinguish bots from humans?

Slide 4: Existing solutions
- CAPTCHAs. Drawback: Intrusive
- User Account Control. Drawback: Default "yes" [Whitten, Tygar '99]
How to distinguish humans from bots automatically?

Slide 5: Strawman: Attesting human activity with Trusted Platform Modules
[Figure: keystrokes become attested keystrokes]

Slide 6: Problems with the strawman
[Figure: OS and browser forwarding attested keystrokes]
- Slow
- High-rate clicks

Slide 7: Assumptions and Requirements
- Assumptions
  - Untrusted OS
  - Verifiable TPM bootup
  - Correct implementation of cryptographic primitives
- Requirements
  - Automatic
  - Fast (handle interactive traffic)
  - Small TCB (Trusted Computing Base)
  - Preserve privacy and anonymity

Slide 8: TPM Background
- Small, physically sealed chip
- Internal private key (Kpriv) for measuring and reporting system integrity
- Two relevant protocols
  - Direct anonymous attestation: Group signatures using a key
  - Sealed storage: Secure location to store until system integrity verified

Slide 9: NAB (Not-A-Bot) Architecture
[Figure: Attester (TPM, OS, Browser; the attester is the TCB) sends attested requests over the network to the Verifier at the web server]
- Goal: Attest all human requests, reduce attested bot requests
  - No blacklisting: human requests from compromised hosts still receive service

Slide 10: Attestation security properties
- Non-transferable
  - Cannot generate at one host, use at another
- Bound to request content
  - No way to send spam from bots using one gmail account
- Single-use (verifier detects dupes)
- Limited valid time-window

Slide 11: When to attest?
- Simple, timing-based attestation
  - Requires human activity
- Allow attestation when request received within δ_{k,m} of last keyboard, mouse click
- Attester provides attestation only if δ_{k,m} < Δ_{k,m} (= 1s for email)
  - Verifier checks δ_{k,m} in attestation for validity
- Reduces click harvesting

Slide 12: What to attest?
- Challenger-specific
  - Cannot be retargeted
- Responder-specific
  - Cannot exploit manually configured whitelisting
- Content-specific
  - Cannot modify or piggyback on valid messages
[Figure: message "To: bob@b.org / From: alice@a.org / Hi Bob, ..."]

Slide 13: What is in an attestation?
- Signed SHA-1 hash of message
- 160-bit signed nonce
  - Verifier stores nonces for application-defined period, checks duplicates
- Optional δ_{k,m} values (omitted for privacy)
- Certificate to verify Kpriv
[Figure: Attestation = Kpriv{H(msg)}, {δ_m, δ_k}, signed nonce, Kpriv{certified Kpub}]

Slide 14: Attester Interfaces
[Figure: User keyboard and mouse clicks go to the Attester; the TPM measures integrity and releases certified {Kpub, Kpriv} at boot; the App (in the OS) calls req(h(msg), type, ..., ..., PID) and receives the Attestation, with δ_k, δ_m recorded by the attester]
- Type: Anonymous or non-anonymous
- PID: Delayed attestation release for a process

Slide 15: Attester Operation
- Installation: Set to use TPM register #18: PCR_Extend(18, Hash(Attester Code))
- Sealing private key Kpriv to host: S = Seal(18, Kpriv)
- Booting: Release Kpriv to attester: Kpriv = Unseal(S, (18, PCR18))
[Figure: Kpriv is released only against the recomputed attester's hash]

Slide 16: Verifier Operation
- Checks validity of Kpriv, attestation, nonce
- Uses application-specific policies
- Email policy (flowchart):
  - Below SpamAssassin threshold? yes: Forward mail; no: Attested?
  - Attested? no: Discard; yes: Nonce valid?
  - Nonce valid? yes: Forward; no: Discard

Slide 17: Email: Usage scenarios and incentives
- Mailing lists
  - Verifier checks subscription to mailing list name in "To:" field
- Offline mode
  - Attestation requested when user hits "send"
- Sender incentive
  - Better email reliability
- Recipient incentive
  - Reduced mail server load, better reliability

Slide 18: Request processing at verifier
[Figure: incoming requests are split into attested and unattested before the overloaded email/web server]
- Prioritize attested requests

Slide 19: DDoS, Click-fraud: Usage and incentives
- Browser gets attestation when requesting document root ("http://foo.com/")
  - Verifier stores attestation, accepts same attestation in future for all embedded links
  - 10 minutes expiry: Browser forced to use new attestation for next fetch
- Incentive: Attester distributed in search engine toolbars

Slide 20: Evaluation
- Implemented attester with Xen VMM
  - Uses domain disaggregation [Murray et al., '08]
  - Attester within a paravirtualized Xen domain built with miniOS, isolated from untrusted OS
- Trace-driven verifier evaluation
  - Click traces of 328 users in one month [Giroire et al., '08]
  - Publicly available spam, DDoS and click-fraud traces
  - Worst-case scenario with adaptive bots

Slide 21: Attester evaluation
- CPU cost: At most 10 ms on 2 GHz CPU
  - RSA signatures, 1024-bit modulus
- Complexity metric: lines of code
  - Attester kernel module: 500 lines
  - miniOS: 30,000 lines
- Applications: NET::SMTP (Email), cURL (Web)
  - 250 lines of code modified
  - Attestations as extended protocol objects

Slide 22: Verifier evaluation
- Methodology: 328 click traces at 1s intervals
  - Adaptive bot: steals as many clicks as possible
  - Generates traffic using all stolen clicks
  - Compare against status quo (normal bot without NAB) within the same time
  - 328 data points, one for each user's trace
- Other metrics
  - Nonce storage cost (< 600 GB for one-month nonces with million clients)
  - Throughput: 10,000 attestations/s

Slide 23: Spam mitigation
- Default: 1.5% missed spam, 0.08% misclassified as spam
- NAB: 0.15% missed spam, 0% misclassified as spam
- NAB reduces inbox spam by 92%

Slide 24: Email server overload mitigation
- NAB reduces email server overload by at least 9?% (second digit unreadable in the extracted slide)
- No trace sees more than 8% prioritized spam

Slide 25: DDoS mitigation
- NAB mitigates ?9% of DDoS requests (first digit unreadable in the extracted slide)
- No trace sees more than 11% prioritized DDoS

Slide 26: Click-fraud mitigation
- NAB reduces click-fraud by ??% (figure unreadable in the extracted slide)
- No trace sees more than 13% click-fraud traffic

Slide 27: Related work
- Human activity detection
  - C
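Worked model of the sealing sequence on the "Attester Operation" slide (installation: PCR_Extend(18, Hash(Attester Code)) and S = Seal(18, Kpriv); boot: Kpriv = Unseal(S, (18, PCR18))). This is an added example, not code from the NAB paper or its authors. SimTPM, measure, install, boot and seal_demo are constructed stand-ins for a TPM 1.2's PCR bank and sealed storage; the XOR-pad plus HMAC used for the sealed blob is a simplification of the TPM's own storage-key encryption, and the attester code image and key are made-up values.

```python
"""Model of TPM PCR extend / seal / unseal as used by the NAB attester (slide 15).

Added example; SimTPM is a constructed stand-in for a real TPM.
"""
import hashlib
import hmac
import os

PCR_INDEX = 18   # register number the attester is configured to use on the slide


def measure(code):
    """Hash(Attester Code): the measurement the loader extends into the PCR."""
    return hashlib.sha1(code).digest()


class SimTPM:
    """Simplified TPM 1.2: 24 SHA-1 PCRs plus sealed storage bound to a PCR value."""

    def __init__(self):
        self.srk = os.urandom(32)   # storage root key; never leaves the chip
        self.reset()

    def reset(self):
        # At power-on every PCR is zero; it can only be changed through pcr_extend()
        self.pcr = {i: b"\x00" * 20 for i in range(24)}

    def pcr_extend(self, index, measurement):
        # PCR_new = H(PCR_old || measurement): order of measurements matters
        self.pcr[index] = hashlib.sha1(self.pcr[index] + measurement).digest()
        return self.pcr[index]

    def _key(self, index, pcr_value):
        # Sealing key derived from the chip's SRK and the PCR value being bound to
        return hashlib.sha256(self.srk + bytes([index]) + pcr_value).digest()

    def seal(self, index, secret):
        """S = Seal(index, secret): bind secret to the current value of PCR[index]."""
        key = self._key(index, self.pcr[index])
        pad = hashlib.sha256(key + b"pad").digest()   # simplification: 32-byte XOR pad
        assert len(secret) <= len(pad), "demo seals secrets of at most 32 bytes"
        blob = bytes(a ^ b for a, b in zip(secret, pad))
        tag = hmac.new(key, bytes([index]) + blob, hashlib.sha256).digest()
        return index, blob, tag

    def unseal(self, sealed):
        """Unseal(S, (index, PCR[index])): release only if the *current* PCR matches."""
        index, blob, tag = sealed
        key = self._key(index, self.pcr[index])
        expected = hmac.new(key, bytes([index]) + blob, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                                # PCR differs: integrity check failed
        pad = hashlib.sha256(key + b"pad").digest()
        return bytes(a ^ b for a, b in zip(blob, pad))


def install(tpm, attester_code, kpriv):
    """Installation: extend PCR 18 with the attester's hash, then seal Kpriv to it."""
    tpm.pcr_extend(PCR_INDEX, measure(attester_code))
    return tpm.seal(PCR_INDEX, kpriv)


def boot(tpm, loaded_code, sealed):
    """Boot: PCRs reset, the loader measures whatever attester it loads, then unseals."""
    tpm.reset()
    tpm.pcr_extend(PCR_INDEX, measure(loaded_code))
    return tpm.unseal(sealed)


def seal_demo():
    """Genuine attester gets Kpriv back; a modified attester image gets nothing."""
    tpm = SimTPM()
    kpriv = os.urandom(32)                                  # constructed attester key
    genuine_code = b"nab-attester v1 (constructed code image)"
    sealed = install(tpm, genuine_code, kpriv)
    return {
        "genuine": boot(tpm, genuine_code, sealed) == kpriv,
        "tampered": boot(tpm, genuine_code + b" + extra code", sealed),  # None
        "reboot_genuine": boot(tpm, genuine_code, sealed) == kpriv,
    }


if __name__ == "__main__":
    print(seal_demo())
```

The point the slide makes is visible in boot(): nothing checks a signature on the attester image; the sealed blob simply cannot be opened unless PCR 18 recomputes to the value it had at sealing time, so a modified attester boots but never obtains Kpriv and therefore cannot produce attestations.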
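Toy attester and verifier that exercise the properties from the "Attestation security properties", "When to attest?", "What is in an attestation?" and "Verifier Operation" slides: the timing gate δ < Δ, SHA-1 content binding, a 160-bit single-use nonce, a bounded validity window, and the slide-16 email flowchart. This is an added example, not code from the NAB paper or its authors. The TPM-held RSA key is replaced by an HMAC key shared between attester and verifier (standing in for the certificate that lets the verifier check Kpriv); ATTESTATION_WINDOW, NONCE_RETENTION, SPAM_THRESHOLD, the byte encoding and the demo message are assumed values.

```python
"""Toy NAB attestation: attester-side timing gate and verifier-side checks.

Added example; the HMAC key stands in for the paper's TPM-certified RSA key.
"""
import hashlib
import hmac
import os
import struct

DELTA_MAX = {"k": 1.0, "m": 1.0}   # Δ_k, Δ_m in seconds (1 s for email, slide 11)
ATTESTATION_WINDOW = 60.0          # assumed valid time-window for one attestation
NONCE_RETENTION = 30 * 24 * 3600   # assumed application-defined nonce retention (s)
SPAM_THRESHOLD = 5.0               # assumed SpamAssassin-style score threshold


def _encode(h_msg, nonce, issued, deltas):
    """Canonical bytes covered by the attester's signature (constructed encoding)."""
    return h_msg + nonce + struct.pack(">ddd", issued,
                                       deltas.get("k", -1.0), deltas.get("m", -1.0))


class Attester:
    """Trusted component: sees raw keyboard/mouse events and holds the signing key."""

    def __init__(self, key):
        self.key = key
        self.last = {"k": None, "m": None}   # time of last keystroke / mouse click

    def keystroke(self, now):
        self.last["k"] = now

    def click(self, now):
        self.last["m"] = now

    def attest(self, msg, now):
        """Return an attestation, or None when no device saw activity within Δ."""
        deltas = {dev: now - t for dev, t in self.last.items()
                  if t is not None and now - t < DELTA_MAX[dev]}
        if not deltas:
            return None                        # δ >= Δ for every device: refuse
        h_msg = hashlib.sha1(msg).digest()     # binds attestation to this content
        nonce = os.urandom(20)                 # 160-bit single-use nonce
        tag = hmac.new(self.key, _encode(h_msg, nonce, now, deltas),
                       hashlib.sha256).digest()
        return {"h_msg": h_msg, "nonce": nonce, "issued": now,
                "deltas": deltas, "tag": tag}


class Verifier:
    """Server-side checks from slides 10, 13 and 16."""

    def __init__(self, key):
        self.key = key
        self.seen = {}   # nonce -> time first accepted

    def valid(self, att, msg, now):
        # 1. signature covers hash, nonce, issue time and the δ values
        expected = hmac.new(self.key, _encode(att["h_msg"], att["nonce"],
                                              att["issued"], att["deltas"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, att["tag"]):
            return False
        # 2. content binding: the attested hash must match what was received
        if att["h_msg"] != hashlib.sha1(msg).digest():
            return False
        # 3. timing: at least one δ present, every δ non-negative and below Δ
        if not att["deltas"] or any(dev not in DELTA_MAX or d < 0 or d >= DELTA_MAX[dev]
                                    for dev, d in att["deltas"].items()):
            return False
        # 4. limited validity window
        if not 0 <= now - att["issued"] <= ATTESTATION_WINDOW:
            return False
        # 5. single-use: reject a nonce already accepted within the retention period
        self.seen = {n: t for n, t in self.seen.items() if now - t < NONCE_RETENTION}
        if att["nonce"] in self.seen:
            return False
        self.seen[att["nonce"]] = now
        return True

    def process_email(self, msg, att, spam_score, now):
        """Slide-16 flowchart: returns 'forward' or 'discard'."""
        if spam_score < SPAM_THRESHOLD:
            return "forward"                   # below threshold: delivered as today
        if att is None:
            return "discard"                   # suspicious and unattested
        return "forward" if self.valid(att, msg, now) else "discard"


def attest_demo():
    key = os.urandom(32)                       # constructed; shared only for the demo
    attester, verifier = Attester(key), Verifier(key)
    msg = b"To: bob@b.org\nFrom: alice@a.org\n\nHi Bob,"
    r = {}
    attester.keystroke(100.0)
    att1 = attester.attest(msg, 100.4)         # 0.4 s after a keystroke: attested
    r["human"] = verifier.process_email(msg, att1, 9.0, 101.0)
    r["replay"] = verifier.process_email(msg, att1, 9.0, 102.0)      # same nonce again
    att2 = attester.attest(msg, 100.5)
    r["tampered"] = verifier.process_email(msg + b"\nBuy now!", att2, 9.0, 101.0)
    r["idle_attestation"] = attester.attest(msg, 105.0)             # 5 s idle: None
    r["idle"] = verifier.process_email(msg, None, 9.0, 105.0)
    r["low_score_unattested"] = verifier.process_email(msg, None, 1.0, 105.0)
    attester.click(200.0)
    att3 = attester.attest(msg, 200.2)
    r["stale"] = verifier.process_email(msg, att3, 9.0, 200.2 + ATTESTATION_WINDOW + 1)
    return r


if __name__ == "__main__":
    print(attest_demo())
```

Two design points carry over from the slides: the verifier never consults a blacklist, so a low-scoring message from an unattested host is still delivered, and the δ values travel inside the signed body, so a bot on the same host cannot relabel a stale attestation as fresh without invalidating the tag.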