Tech Report Abstracts

Flexible mandatory access control (MAC) enforcement is now available for virtual machine systems. For example, the sHype MAC system for the Xen virtual machine monitor is part of the mainline Xen distribution. Such systems offer the isolation of VM system with the flexible security of MAC enforcement. A problem is that such MAC VM systems will only be assured at modest levels (e.g, Common Criteria EAL4), so they may contain covert channels. Covert channels are often difficult to identify and harder to remove, so we propose an approach to manage possible covert leakage to enable verification of security guarantees. Typically, covert channels are outside of access control policies, but we propose an approach that includes both overt flows and covert flows to assess the possible risk of information and covert flows to asses the possible risk of information leakage due to their combination. We define the concept of a risk flow policy that describes the authorized risks due to covert flows. In this paper, we evaluate the ability of four policy models to express risk flow policies. Further, we examine how such policies will be enforced in VM systems. We find that variants of the Chinese Wall model and Bell-LaPadula model have features that such policies can be enforced in the context of sHype's Type Enforcement model.

One of the main goals of many sensor networks is to provide accurate information about a sensing field for an extended period of time. This requires collecting measurement from as many sensors as possible to have a better view of the sensor surroundings. However, due to energy limitations and to prolong the network lifetime the number of active sensors should be kept to a minimum. To resolve this conflict of interest, sensor selection schemes are used. In this paper, we survey different schemes that are used to select sensors. Based on the purpose of selection, we classify the schemes into (1) coverage schemes, (2) target tracking and localization schemes, (3) single task assignment schemes and (4) multiple task assignment schemes. We also look at solutions to relevant problems from other areas and consider their applicability to sensor networks. Finally, we take a look at the open research problems in this field.

ASes in inter-domain routing receive little information about the quality of the routes they receive. This lack of information can lead to inefficient and even incorrect routing. In this paper, we quantitatively characterize BGP announcements that violate the so-called valley-free propertyan indicator that universal best practices are not being preserved in the propagation of routes. Our analysis indicates that valley announcements are more pervasive than expected. Approximately ten thousand valley announcements appear every day and involve a substantial number of prefixes. 11% of provider ASes propagate valley announcements, with a majority of violations happening at intermediate providers. We find that large surges of violating announcements can be attributed to transient configuration errors. We further propose a dynamic mechanism that provides route propagation information as transitive attributes of BGP. This information implicitly reflects the policies of the ASes along the path, without revealing the relationship of each AS pair. BGPspeaking routers use this information to identify (and presumably avoid) routes that violate the valley-free property.

Multi-hop relaying in cellular networks can greatly increase capacity and performance by exploiting the best available links to a base station. We envision an environment in which relay networks are dynamically formed when performance on the radio access network is degraded and then dissolved when the performance improves or the radio spectrum on which the relay network is operating is reclaimed. Each relay network operates on a different frequency band. Likewise, a relay network may channelize its frequency band to offer non-interfering links among the mobile nodes within a single relay network. We propose a set of algorithms used to form such relay networks on-demand. Each algorithm provides a simple and distributed frequency assignment scheme. We also propose two enhancements to improve network throughput of resulting relay networks. We evaluate these algorithms in terms of the overhead of the relay network formation. The evaluation results show that having nodes outmost from the BS initiate route discovery first is the best approach for reducing the formation overhead. The results also show that there is a large increase in throughput when using multiple frequencies in a relay network. Further, the performance of the network using multiple frequencies based on our simple frequency assignment is very close to that of a network using optimal frequency assignment.

Recent advances in the area of security-typed languages have enabled the development of realistic applications aware of information flow security. Traditionally, operating systems have enforced MAC with minimal dependence on application programs. Although these approaches have common goals, they have progressed independently. However, there are many cases where systems depend on userlevel programs to enforce information flows, so integration of information flow enforcement between the operating systems and security-typed applications would be beneficial. In this paper, we examine what it takes to integrate information flow enforcement of a security-typed extension of Java with SELinux. We find that SELinux has most of the necessary features to build a proof-of-concept system, but other services are necessary, such as verifying compliance between information flow policies. Ultimately, we are optimistic that the comprehensive access control enforcement of SELinux will be ideal for integration with these security-typed applications.

The transformation of telecommunications networks from homogeneous closed systems providing only voice services to Internet-connected open networks that provide voice and data services presents significant security challenges. For example, recent research illustrated that a carefully crafted DoS attack via text messaging could incapacitate all voice communications in a metropolitan area with little more than a cable modem. This attack highlights a growing threat to these systems; namely, cellular networks are increasingly exposed to adversaries both in and outside the network. In this paper, we use a combination of modeling and simulation to demonstrate the feasibility of targeted text messaging attacks. Under realistic network conditions, we show that adversaries can achieve blocking rates of more than 70% with only limited resources. We then develop and characterize five techniques from within two broad classes of countermeasures - queue management and resource provisioning. Our analysis demonstrates that these techniques can eliminate or extensively mitigate even the most intense targeted text messaging attacks. We conclude by considering the tradeoffs inherent to the application of these techniques in current and next generation telecommunications networks.

In this paper, we propose a general framework for integration of power control, routing and scheduling relying on time-scales in multihop ad hoc CDMA networks. We exploit the longer time-scale available for link (not packet) scheduling to perform that complex operation only periodically and suggest a feasible incremental strategy for admission control and re-routing between scheduling "refreshes". We also propose a feasible, distributed power control algorithm that maximizes a global (network-wide) utility. Routing identifies minimum SINR nodes per flow and these bottleneck SINRs are monitored by their (interfering) neighbors, i.e., transmission powers are adjusted specifically with the affected flows' bottleneck SINRs in mind.

Sensors may be deployed in hostile environments. If an adversary captures a node, they may be able to access the private information within the node. The adversary then can clone these sensors and deploy them in the network to launch a variety of attacks. In this paper, we propose a new scheme, called SET, to detect such cloning attacks. Exclusive subsets are reliably constructed, and the intersection and union of these subsets are calculated to detect the existence of node duplication. We show the reliability and resilience of SET by analyzing the probability that an adversary can effectively hinder the set operations. Through analysis and simulations, we also demonstrate that the proposed scheme is more efficient than existing schemes from a communication and memory cost standpoint, which is crucial in resource-constrained sensor networks.

IP networks fundamentally rely on the Address Resolution Protocol (ARP) for proper operation. Unfortunately, vulnerabilities in the ARP protocol enable a raft of IP-based impersonation, man-in-the-middle, or DoS attacks. Proposed countermeasures to these vulnerabilities have yet to simultaneously address backward compatibility and cost requirements. This paper introduces the Ticket-based Address Resolution Protocol (TARP). TARP implements security by distributing centrally issued secure IP/MAC address mapping attestations through existing ARP messages. We detail the TARP protocol and its implementation within the Linux operating system. We also detail the integration of TARP with DHCP for dynamic ticket distribution. Our experimental analysis shows that TARP improves the costs of implementing ARP security by as much as two orders of magnitude over existing protocols. We conclude by exploring a range of operational issues associated with deploying and administering ARP security.

A new method is described which builds on Mitzenmachers idea of adding a different pseudo-random number to each packet to help in verification-based decoding low density codes with packet deletions or errors, or out-of-order receptions, and no sequence numbers. The new method has less decoding complexity and is applicable to any parity check code structure, not just low density codes. Performance depends on the weight distribution of the code. For deletions with ordered reception, the method tolerates, roughly, up to only one more deletion, or packet error, than an erasure channel that knows the positions of all packet errors or deletions. With out-of-order reception, it tolerates, roughly, up to only two more deletions than the erasure channel. Also, it is shown how convolutional codes can further simplify decoding through a partition of the verification search. Moreover, with a modest amount of error detection built into the data, most of the deficiency relative to the erasure channel can be overcome by using error detection to choose from a small list of possibilities.

Many applications that make use of sensor networks require secure communication. Because asymmetric-key solutions are difficult to implement in such a resource-constrained environment, symmetric-key methods coupled with a priori key distribution schemes have been proposed to achieve the goals of data secrecy and integrity. These approaches typically assume that all nodess are similar in terms of capabilities, and hence deploy the same number of keys in all sensors in a network to provide the aforementioned protections.  In this paper, we demonstrate that a probabilistic unbalanced distribution of keys throughout the network that leverages the existence of a small percentage of more capable sensor nodes can not only provide an equal level of security but also reduce the consequences of node compromise. To fully characterize the effects of the unbalanced key management system, we develop, implement and measure the performance of a complimentary suite of key establishment protocols known as LIGER. Using their pre-deployed keys, nodes operating in isolation from external networks can securely and efficiently establish keys with each other. Should resources such as a backhaul link to a key distribution center (KDC) become available, networks implementing LIGER automatically incorporate and benefit from such facilities.  Detailed experiments demonstrate that the unbalanced distribution in combination with the multi-modal LIGER suite offers a robust and practical solution to the security needs in sensor networks.

Structured peer-to-peer systems have grown enormously because of their scalability, efficiency and reliability. These systems assign a unique identifier to each user and object. However, current assignment schemes allow an adversary to carefully select user IDs and/or simultaneously obtain many pseudo-identities---leading ultimately to an ability to disrupt the P2P system in very targeted (and dangerous) ways. In this paper, we propose novel ID assignment protocols based on identity-based cryptography. This approach permits the acquisition of node IDs to be tightly regulated without many of the the complexities and costs associated with tradtional certificate solutions. We broadly consider the security requirements of ID assignment and present three protocols representing distinct threat and trust models. A detailed empirical study of the protocols is given. Our analysis shows that the cost of our identity-based protocols is nominal, and that the associated identity services can scale to millions of users using a limited number of servers.

Information flow policies (labels and lattices) are not stated in terms that administrators and developers articulate security goals (natural language). Hence, any solution implementing information flow security must find a way to reconcile the semantic differences between what a user security wants and what security the solution implements. In this paper, we consider a formal approach for evaluating the {\it equivalence} between user intent and information flow policy. We develop a formal model and produce analysis techniques for proving policy equivalence.

Simple methods are shown for correcting bursts of large size and bursts combined with random errors using vector symbols and primarily vector XOR and feedback shift register operations. One result is that any (n, k) cyclic code with minimum distance > 2 can correct all full error bursts of length n-k-1 or less if the error vectors are linearly independent. If the bursts are not full but contain some error-free components the capability of correcting bursts up to n-k-1 or less is code-dependent. The techniques often work when there is linear dependence. For the case where most errors are in a burst but a small number of errors are outside, the solution, given error-correcting capability, can be broken down into a simple solution for the small number of outside errors, followed by a simple subtraction to reveal all the error values in the burst part.

Email has become an integral and sometimes overwhelming part of users' personal and professional lives. In this paper, we study collections of email users that share common goals or associations, called communities of interest (COIs). We develop three algorithms that attempt to capture the structure of COIs by observing only email origins, destinations, and frequency. The algorithms are validated over a large corpus of university email by assessing their ability to predict the importance of email (as indicated by the human recipients). Our analysis shows that these algorithms identify important email with greater than 90% accuracy. Thus, they identify COIs by accurately detecting users that maintain important associations. The structure and characteristics of COIs are explored analytically and broader conclusions about email use are posited.

Multi-hop relaying in cellular networks can greatly increase capacity and performance by exploiting the best available relay links to a base station. We envision an environment in which relay networks are dynamically formed when performance on the radio access network is degraded and then dissolved when the performance improves or the radio spectrum on which the relay network is operating is reclaimed. Each relay network operates on a different frequency band. Likewise, a relay network may channelize its frequency band to offer non-interfering links between the mobile nodes within a single relay network. In this paper, we propose a set of algorithms used to form such relay networks on-demand. Each algorithm provides a simple and distributed frequency assignment scheme. We evaluate these algorithms in terms of several metrics indicating the overhead of the relay network formation. The evaluation results show that having nodes outmost from the BS initiate route discovery first is the best approach for reducing the formation overhead. We also measure the throughput of the resulting relay networks. The results show that there is a large performance gain when using multiple frequencies in a relay network. Further, the performance of the network using multiple frequencies based on our simple frequency assignment is very close to that of a network using optimal frequency assignment.

This paper presents aCAT - Advanced Cellular Network Vulnerability Assessment Toolkit, a graph based end-to-end vulnerability assessment tool for 3G networks. The novelties of this tool include (1) usage of technical specifications written in the Specification and Description Language (SDL); (2) the definition of a network dependency model for accurate chain derivation; and (3) exhaustive attack graph generation. Based on our experience with the toolkit we identify inadequate areas in the SDL specifications and augment them with expert input, show how to derive realistic attack scenarios from the tool output, and identify several interesting attacks.

Mandatory access control (MAC) enforcement is becoming available for commercial environments. For example, Linux 2.6 includes the Linux Security Modules (LSM) framework that enables the enforcement of MAC policies (e.g., Type Enforcement or Multi-Level Security) for individual systems. While this is a start, we envision that MAC enforcement should span multiple machines. The goal is to be able to control interaction between applications on different machines based on MAC policy. In this paper, we describe a recent extension of the LSM framework that enables labeled network communication via IPsec that is now available in mainline Linux as of version 2.6.16. This functionality enables machines to control communication with processes on other machines based on the security label assigned to an IPsec security association. We outline a security architecture based on labeled IPsec to enable distributed MAC authorization. In particular, we examine the construction of a {\tt xinetd} service that uses labeled IPsec to limit client access on Linux 2.6.16 systems. We also discuss the application of labeled IPsec to distributed storage and virtual machine access control.

All data generated in wireless sensor networks may not be alike; some data may be more important than others and hence may have different delivery requirements. As deployment sizes and data rates grow, congestion arises as a major problem in these networks. This congestion leads to indiscriminate dropping of data, i.e. data of high importance might be dropped while others of less importance are delivered. In this paper, we take a look at data delivery issues in the presence of congestion in wireless sensor networks. We propose the use of data prioritization and a priority aware routing protocol - Congestion Aware Routing (CAR). CAR dynamically discovers the congestion zone (conzone) and enforces differentiated routing based on conzone and data priority. While high priority packets are routed inside the conzone, low priority packets generated outside the conzone use off-conzone nodes only for routing and those generated within the conzone are routed out. In effect, conzone nodes are dedicated to serving high priority data, thereby providing better service. Our extensive simulations show that as compared to AODV, CAR increases the fraction of high priority data delivery, decreases delay and jitter for such delivery while using energy uniformly in the deployment. Since CAR reduces the energy consumed in the nodes, it leads to an increase in connectivity lifetime. Moreover, we look at issues related to real-time audio/video traffic and conclude that CAR can effectively handle such data.

Security-typed languages are an evolving tool for implementing systems with provable security guarantees. However, to date, these tools have only been used to build simple ``toy'' programs. In this paper, we explore the process and machinery of building provably secure applications using security-typed languages. We develop a secure email system in the Java language variant Jif. Real world policies are mapped onto the information flows controlled by the language primitives, and we consider the process and tractability of broadly enforcing security policy in commodity applications. In this investigation, we found that while the language provided the rudimentary tools to achieve low-level security goals, additional tools, services, and language extensions were necessary to formulate and enforce application policy. We detail the design and use of these tools. This work serves as a starting point---we have demonstrated that it is possible to implement real world systems and policy using security-typed languages. However, further investigation of the developer tools and supporting policy infrastructure is necessary before they can fulfill their considerable promise of enabling more secure systems.

Nodes forward data on behalf of each other in mobile ad hoc networks. In a civilian application, nodes are assumed to be selfish and rational, i.e., they pursue their own self-interest. Hence, the ability to accurately measure traffic forwarding is critical to ensure proper network operation. These measurements are also often used to credit nodes based on their level of participation, or to detect loss. Past solutions employ neighbor monitoring and reporting on node forwarding traffic. These methods are not applicable in civilian networks in which neighbor nodes lack the desire or ability to perform the monitoring function. Such environments occur frequently in which neighbor hosts are resource constrained, or in networks where directional antennas are used and reliable eavesdropping is difficult or impossible. In this paper, we propose a protocol that uses nodes on the data path to securely produce packet forwarding reports. Reporting nodes are chosen randomly and secretly so that malicious nodes cannot modify their behavior based upon the monitoring point. The integrity and authenticity of reports are preserved through the use of secure link layer acknowledgments and monitoring reports. The robustness of the reporting mechanism is strengthened by forwarding the report to multiple destinations (source and destination). We explore the security, cost, and accuracy of our protocol.

Security-typed languages promise to be a powerful tool with which provably secure software applications may be developed. Programs written in these languages enforce a strong, global policy of noninterference for all their data. Unfortunately, real programs almost always require the use of noninterference-violating flows introduced by declassification. This causes the global policy to break down and obscures the meaning of security labels. These languages suffer from the lack of an alternative, global policy which can handle declassifications. In this paper, we present a security-typed, object-oriented language which allows trusted declassifications based on a global policy. We prove the soundness of our language as well as a modified form of noninterference, which we call noninterference modulo trusted declassification. We implement our declassification mechanism and global security policy in Jif and provide some examples which motivate its use.

Mobile ad hoc networks often support sensitive applications. These applications may require that users identity, location, and correspondents be kept secret. This is a challenge in a MANET because of the cooperative nature of the network. In this paper, we propose a privacy preserving communication system (PPCS) for MANETs. It consists of three components: random node pseudonyms, dynamic flow pseudonyms, and resilient packet forwarding. Random node and flow pseudonyms conceal the linkability of identity and location, the real identity of a source and destination, and correspondents. The resilient traffic forwarding provides strong resistance against a range of traffic analysis and eavesdropping attacks. We present a thorough analysis of the security of PPCS against passive internal attackers, provide a qualitative discussion on its strength against external attackers, and characterize its performance tradeoffs.

Passwords are currently the dominant authentication mechanism in computing systems. However, users are unwilling or unable to retain passwords with a large amount of entropy. This reality is exacerbated by the increasing ability of systems to mount offline attacks. In this paper, we evaluate the degree to which the previous statements are true and attempt to ascertain the point at which passwords are no longer sufficient to securely mediate authentication. In order to demonstrate this, we develop an analytical model for computation to understand the time required to recover random passwords. Further, an empirical study suggests the situation is much worse. In fact, we found that past systems vulnerable to offline attacks will be obsolete in 5-15 years, and our study suggests that a large number of these systems are already obsolete. We conclude that we must discard or fundamentally change these systems, and to that effect, we suggest a number of ways to prevent offline attacks.

Non-volatile memories provide energy efficiency, tolerance against power failure, and instant-on power-up. These memories are likely to replace traditional volatile memory in next-generation laptops and desktops. However, the move to non-volatile memory introduces new vulnerabilities; sensitive data such as passwords and keys residing in main memory persists across reboots and can be probed during hardware suspension. In this paper, we propose a Memory Encryption Control Unit (MECU) to address the vulnerabilities introduced by non-volatile memories. The MECU encrypts all memory transfers between the level 2 cache and main memory. The keys used to encrypt memory blocks are derived from secret information present on removable authentication tokens, e.g., smart card, or other similar secure storage devices. This provides protection against physical attacks in absence of the token. A MECU design is outlined and performance, memory, and security trade-offs considered. We evaluate a MECU-enhanced architecture using the SimpleScalar hardware simulation framework on several hardware benchmarks. The performance analysis shows that we can secure non-volatile memories with minimal overheadthe majority of memory accesses are delayed by less than 1 ns, with limited degradation subsiding within 67 $\mu$s of a system resume. In effect, we provide zero-cost steady state confidentiality for main memory.

Attributes are a powerful building block for the design of information systems. However, traditional attribute architectures and cryptosystems are ill-equipped to provide security in the face of diverse access requirements and environments. In this paper, we introduce a novel secure information management architecture based on emerging attribute-based encryption (ABE) primitives. A policy language that meets the needs of complex policies is defined and illustrated. Based on the needs of those policies, we propose cryptographic optimizations that vastly improve enforcement efficiency. We further explore the use of such policies in two example applications: a HIPAA compliant distributed filesystem and a social network. A performance analysis of our ABE system and example applications demonstrates the ability to reduce cryptographic costs by as much as 98% over previously proposed constructions. Through such analyses and illustrations, we demonstrate that our attribute system is an efficient solution for securely managing information in large, loosely-coupled, distributed systems.

Vector Symbol Decoding (VSD) is compared with Reed-Solomon Decoding (RSD) as an outer code of a concatenated code for two examples, where the inner decoder may provide a combination of errors, erasures or list decisions for a symbol. One example is for idealized orthogonal inner code signals with random noise and soft inner code decisions. The other example is for multiple access fast frequency or pulse position hopping within the inner symbol. VSD with a randomly-chosen code shows an advantage over RSD error-erasure decoding for the examples.

Mobility management protocols allow wireless devices to move between networks. These protocols have traditionally supported the mobility of individual nodes and are therefore not optimized to support the migration of groups. Accordingly, the time required to re-establish connectivity, frequency of dropped packets and contention for the air interface increase significantly for mobile groups. We propose a protocol for mobile groups that reduces all of the above by allowing a single node to perform handoffs on behalf of all group members. This "gateway" node eliminates the need for multiple handoff messages by obscuring group membership to external parties. Through extensive simulation and implementation, we show significant reduction in handoff times, message complexity and packet loss for groups of heterogeneous, mobile sensors running AODV and DSDV. By leveraging the naturally occurring hierarchy, we demonstrate that it is possible for groups to efficiently use traditional mobility protocols to support their collective movements.

Determining whether a user or system is exercising appropriate security practices is difficult in any context. Such difficulties are particularly pronounced when uncontrolled or unknown hosts join closed networks. Commonly practiced techniques used to vet these hosts, such as system scans, have the potential to infringe upon the privacy of users. In this paper, we show that it is possible for clients to prove both the presence and proper functioning of security infrastructure without allowing unrestricted access to their system. We demonstrate this approach, specifically applied to anti-virus security, by requiring clients seeking admission to a network to positively identify the presence or absence of malcode in a series of puzzles. The implementation of this mechanism and its application to real networks are also explored. In so doing, we demonstrate that it is not necessary for an administrator to be invasive to determine whether a client implements good security practices. must also be vetted. Vetting hosts is a problem of certification: untrusted/foreign hosts need to be evaluated to ensure they meet minimal security practices.

Accurate and secure localization is essential to the correct operation of many applications of sensor networks. However, existing methods lack concrete security mechanisms or are not resilient to beacon node compromise. We address the limitations of present approaches in this paper through the Secure Localization with Attack Tolerance (SLAT) protocol. In SLAT, non-beacon nodes estimate their positions by calculating the intersection of multiple authenticated beacon messages. Message authentication prevents wholesale beacon location report forgeries. To combat compromised beacons, we develop and analyze a location reporting algorithm that ensures that compromised beacons have little ability to affect location estimates. Moreover, the degree to which a malicious location report affects an estimate is inversely proportional to its distance from the true location (as reported by the majority of properly operating beacons). We evaluate the protocol via simulation within a range of sensor networks and protocol parameters. Our results indicate that even large numbers of compromises only nominally affect location estimates. For example, we show that compromising 40 out of 200 nodes in a simulated environment only increases the average location estimate error from 3 meters to 5 meters. Such results apply across a wide range of networks, topologies, and hardware platforms.

Mining traffic traces to identify the dominant flows sent over a given link, over a specified time interval, is a valuable capability with applications to traffic auditing, simulation, and visualization of unexpected phenomena. Recently, Estan et al. advanced a comprehensive data mining structure tailored for networking data a parsimonious, multidimensional flow hierarchy, along with an algorithm for its construction. While they primarily targeted off-line auditing, interactive visualization of current traffic or of network simulations in progress will require real-time data mining. We suggest several improvements to Estan et al.'s algorithm that substantially reduce the computational complexity of multidimensional flow mining. We also propose computational and memory-efficient approaches for unidimensional clustering of the IP address spaces. For baseline implementations, evaluated on the New Zealand (NZIX) trace data, our method reduced CPU execution times of the Estan el al. method by a factor of more than eight. We also demonstrate the usefulness of our approach for anomaly and attack identification, based on traces from the Slammer and Code Red worms and the MIT Lincoln Labs DDoS data.

Reputation systems are used to provide incentives for cooperation among participants of, and generally help to secure, peer-to-peer networks. In this paper, a survey of such systems is provided followed by the description of a model of a reputation framework that can capture the phenomenon of peer nodes misrepresenting reputations for malicious or selfish reasons. For special case, the model is shown to converge in mean to reputations that reveal the true propensity of peer nodes to cooperate. The paper concludes with a simulation study that considers weighted voting, hierarchical trust groups and misrepresentations.

Cross Network Services are a new breed of services that have spawned from the merger of the Internet and the previously isolated wireless telecommunication network. These services act as a launching pad for a new type of security threat - the Cross Infrastructure Cyber Attack. This paper is the first to propose attack taxonomy for 3G networks. The uniqueness of this taxonomy is the inclusion of Cross Infrastructure Cyber Attacks in addition to the standard Single Infrastructure attacks. This paper also proposes an abstract model of the 3G network entities. This abstract model has been a vehicle in the development of the attack taxonomy, detection of vulnerable points in the network and validating 3G network vulnerability assessment tools. This paper examines the threats and vulnerabilities in a 3G network with special examination of the security threats and vulnerabilities introduced by the merger of the 3G and the Internet. The abstract model aids this comprehensive study of security threats and vulnerabilities on 3G networks.

Multi-hop data delivery through vehicular ad hoc networks is complicated by the fact that vehicular networks are highly mobile and frequently disconnected. To address this issue, we adopt the idea of carry and forward, where a moving vehicle carries the packet until a new vehicle moves into its vicinity and forwards the packet. Different from existing carry and forward solutions, we make use of the predicable vehicle mobility, which is limited by the traffic pattern and road layout. Based on the existing traffic pattern, a vehicle can find the next road to forward the packet to reduce the delay. We propose several vehicle-assisted data delivery (VADD) protocols to forward the packet to the best road with the lowest data delivery delay. Experimental results are used to evaluate the proposed solutions. Results show that the proposed VADD protocols outperform existing solutions in terms of packet delivery ratio, data packet delay and protocol overhead. Among the proposed VADD protocols, the H-VADD protocol has much better performance.

This paper presents the Cross Infrastructure Attack Attribution Toolkit (CAT), which is a utility to analyze the vulnerability of 3G networks using telecommunication specifications. CAT analyzes vulnerabilities by generating attack graphs, which show the global view of the network in the event of an attack. The uniqueness of CAT is as follows: (1) usage of telecommunication specification written in Specification and Description Language (SDL) to derive attack graphs, (2) implementation of simple algorithms that output attack graphs irrespective of intruder profile and network configuration, and (3) generation of attack graphs that are exhaustive, succinct and loop free with low redundancy.

The stability and robustness of BGP remains one of the most critical elements in sustaining today's Internet. In this paper, we study the structure and stability of origin advertisements in inter-domain routing. Using our q-chart IP address advertisement visualization tool, we explore the gross structure of IP address advertisements and show that it exhibits considerably consistent structure. We further quantitatively characterize the stability of origin advertisements by analyzing real-world BGP updates for a period of one year from multiple vantage points. We show that while repetitive prefix re-additions and subsequent withdrawals constitute a major volume of BGP updates - due in part to a number of frequently flapping prefixes with short up-and-down cycles - a significant portion of prefixes have high origin stability. In particular, origin changes account for less than 2% of the BGP update traffic, with more than 90% of the prefixes being consistently originated by the same AS for an entire year. For those prefixes involved in origin changes, approximately 57% have only one change across the year, implying that these changes are indeed permanent. We also show that most ASes are involved in few, if any, prefix movement events, while a small number of ASes are responsible for most of the advertisement churn. Additionally, we find that a high volume of new prefixes can be attributed to actively evolving countries, that some abnormal prefix flapping is most likely due to misconfiguration, and that most of the origin changes are a result of multi-homed prefixes oscillating between their origins. This work not only contributes to a better understanding of BGP dynamics, but also provides insights for other research areas such as BGP security that rely on key assumptions pertaining to origin stability.

Structured peer-to-peer networks are highly scalable, efficient, and reliable. These characteristics are achieved by deterministically replicating and recalling content within a widely distributed and decentralized network. One practical limitation of these networks is that they are frequently subject to Sybil attacks: malicious parties can compromise the network by generating and controlling large numbers of shadow identities. In this paper, we propose an admission control system that mitigates Sybil attacks by adaptively constructing a hierarchy of cooperative admission control nodes. Implemented by the peer-to-peer nodes, the admission control system vets joining nodes via client puzzles. A node wishing to join the network is serially challenged by the nodes from a leaf to the root of the hierarchy. Nodes completing the puzzles of all nodes in the chain are provided a cryptographic proof of the vetted identity. In this way, we exploit the structure of hierarchy to distribute load and increase resilience to targeted attacks on the admission control system. We evaluate the security, fairness, and efficiency of our scheme analytically and via simulation. Centrally, we show that an adversary must perform days or weeks of effort to obtain even a small percentage of nodes in small peer-to-peer networks, and that this effort increases linearly with the size of the network. We further show that we can place a ceiling on the number of IDs any adversary may obtain by requiring periodic reassertion of the an IDs continued validity. Finally, we show that participation in the admission control system does not interfere with a node?s use of the peer-to-peer system: the loads placed on the nodes participating in admission control are vanishingly small.

The existing time synchronization schemes in sensor networks were not designed with security in mind, thus leaving them vulnerable to security attacks. In this paper, we first identify various attacks that are effective to several representative time synchronization schemes, and then focus on a specific type of attack called delay attack, which cannot be addressed by cryptographic techniques. Then, we propose two approaches to detect and accommodate the delay attacks. Our first approach uses the generalized extreme studentized deviate (GESD) algorithm to detect multiple outliers introduced by the compromised nodes; our second approach uses a threshold derived using a time transformation technique to filter out the outliers. Finally, we show the effectiveness of these two schemes through extensive simulations.

Most ad hoc networks do not implement any network access control, leaving these networks vulnerable to packet injection attacks where a malicious node injects a large number of packets into the network with the goal of depleting the resources of the nodes relaying the packets. To prevent such attacks, it is necessary to employ authentication mechanisms that ensure that only authorized nodes can inject traffic into the network. We design a Lightweight Inter-layer Protocol (LIP) for network access control based on efficient local broadcast authentication mechanisms. In addition to preventing attacks by unauthorized nodes, LIP can also detect and minimize the impersonation attacks by compromised insider nodes. Through detailed simulation study, we show that LIP incurs small bandwidth overhead and has little impact on the traffic delivery ratio even in the case of high node mobility. Moreover, the transparency and independence properties of LIP allows it to be turned on/off as desired and to be integrated seamlessly with secure routing protocols, providing stronger security services for ad hoc networks.

Assume a broadcast network with a central station. All senders send to the central station, and the central station rebroadcasts all receptions on a different band. In standard CSMA/CD, all senders stop when a collision is detected. In the suggested modified algorithm, exactly one continues to send. A colliding sender can know if it was the first to arrive at the central station. If so, it continues to send, else it stops. The one that continues to send incurs an observable-length erasure burst, and appends a redundant part to its frame to allow filling in the burst erasure. Also, a collision resolution-like algorithm is introduced which improves fairness and performance.

A multicast scheme is described which merges the key distribution and acknowledgment tasks, allowing simple acknowledgment and frequent key changing, if desired. The scheme, denoted SAM for Secure Acknowledging Multicast, requires a ring organization. The key change requires only slightly more than one ring revolution, and need not interrupt data flow. Leaving and joining key changes are similarly easy to handle. Any group member can be the source, and the same acknowledgment policy can be used for reliable communication. The new key is encrypted by the old key, and only new messages use the new key. The joining and leaving methods are somewhat like the ?CLIQUES? strategy, but SAM is more symmetrical, and directly incorporates acknowledgments as an added bonus. It can be applied to virtual rings in switched networks, or to rings in wireless networks. The basic ring procedure is?stop and wait?, but in a modified method, denoted MSAM, channels can be interlaced for near continuous transmission or simultaneous many-to-many communication. For some wireless networks, average transmitted power is a more severe limitation on average bit rate than bandwidth, and stop-and-wait transmission is practical. Broadcast information can be combined with ring acknowledgment for further efficiency reduction.

Pulsed ALOHA is a form of impulse Ultra-Wideband communication where a bit is carried with each pulse, rather than using a time spreading code. Pulsed ALOHA and Wideband ALOHA are perfect fits to low energy wide-bandwidth communication. They permit energy-efficient higher data rates. Pulsed ALOHA has some unique advantages in collision avoidance and collision tolerance over Wideband ALOHA, when used with multi-receiver diversity reception. Both systems have substantial advantages in rate, energy efficiency, and simplicity over using spreading codes. A one-dimensional network example is given, which could be a model for a system along auto roadways.

Because of the increasing demands for privacy and integrity guarantees in applications that handle sensitive, electronic data, there is a need for automated software development tools and techniques for enforcing this security. Although there have been many attempts to apply security to existing systems after the fact, manifold failures indicate that this approach should be revisited. To the contrary, experience indicates that secure systems must be designed with explicit policies from the beginning and that there should be some automated, mathematically-verifiable mechanism to aid programmers in doing this correctly. Recent research in language-based security has made great strides towards the development of sophisticated and robust languages for programming with explicit security policies. Insufficient experience with these languages, however, has left them untested and impractical for writing real, distributed applications. In this paper, we present our experiences of working with Jif, a Java-based, security-typed language, in building a distributed, database application. Our experience has indicated the current impracticality of programming in Jif, but has helped us to identify language development tools and automation algorithms that could aid in making Jif more practical for developing real, distributed applications.

IP networks fundamentally rely on the Address Resolution Protocol (ARP) for proper operation. Unfortunately, vulnerabilities in the ARP protocol enable a raft of IP-based impersonation, man-in-the-middle, or DoS attacks. Proposed countermeasures to these vulnerabilities have yet to simultaneously address backward compatibility and cost requirements. This paper introduces the Ticket-based Address Resolution Protocol (TARP). TARP implements security by distributing centrally issued secure MAC/IP address mapping attestations through existing ARP messages. We detail the TARP protocol and its implementation within the Linux operating system. Our experimental analysis shows that TARP improves the costs of implementing ARP security by as much as two orders of magnitude over existing protocols. We conclude by exploring a range of operational issues associated with deploying and administering ARP security.

The Internet is hemorrhaging unimaginable amounts of user data. In addition to information leaked through tracking cookies and spyware, users are often required to allow the providers of online services such as web-based email access to their data. We argue that it is possible to protect this informationfrom the dangers of data mining by external sources regardless of the arbitrary privacy policies imposed by these services. As an existence proof, we present Ketu - an open-source, extensible tool that provides or message privacy and integrity while assuring plausible deniability for both the sender andreceiver.

The majority of security schemes available for sensor networks assume deployment in areas without access to a wired infrastructure. More specifically, nodes in these networks are unable to leverage key distribution centers (KDCs) to assist them with key management. In networks with a heterogeneous mix of nodes, however, it is not unrealistic to assume that some more powerful nodes have at least intermittent contact with a backbone network. For instance, an air-deployed battlefield network may have to operate securely for some time until uplinked friendly forces move through the area. We therefore propose LIGER, a hybrid key management scheme for heterogeneous sensor networks that allows systems to operate in both the presence and absence of a KDC. Specifically, when no KDC is available, nodes communicate securely with each other based upon a probabilistic unbalanced method of key management. The ability to access a KDC allows nodes to probabilistically authenticate neighboring devices with which they are communicating. We also demonstrate that this scheme is robust to the compromise of both low and high capability nodes and that the same keys can be used for both modes of operation. Detailed experiments and simulations are used to show that LIGER is a highly practical solution for the current generation of sensors and the unbalanced approach can significantly reduce the network initialization time.

Cellular networks are a critical component of the economic and social infrastructures in which we live. In addition to voice services, these networks deliver alphanumeric text messages to the vast majority of wireless subscribers. To encourage the expansion of this new service, telecommunications companies offer connections between their networks and the Internet. The ramifications of such connections, however, have not been fully recognized. In this paper, we evaluate the security impact of the SMS interface on the availability of the cellular phone network. Specifically, we demonstrate the ability to deny voice service to cities the size of Washington D.C. and Manhattan with little more than a cable modem. Moreover, attacks targeting the entire United States are feasible with resources available at most medium-sized organizations. This analysis begins with an exploration of the structure of cellular networks. We then characterize network behavior and explore a number of reconnaissance techniques aimed at effectively targeting attacks on these systems. We conclude by discussing countermeasures that mitigate or eliminate the threats introduced by these attacks.

There has been much recent attention on using wireless relay networks to forward data from mobile nodes to a base station. This network architecture is motivated by performance improvements obtained by leveraging the highest quality links to a base station for data transfer. With the advent of agile radios it is possible to improve the performance of relay networks through intelligent frequency assignments. First, it is beneficial if the links of the relay network are orthogonal with respect to each other so that simultaneous transmission on all links is possible. Second, diversity can be added to hops in the relay network to reduce error rates. In this paper we present algorithms for forming such relay networks dynamically. The formation algorithms support intelligent frequency assignments. Our results show that algorithms that order the sequence in which nodes join a relay network carefully achieve the highest amount of diversity and hence best performance.

Multi-hop relaying in cellular networks can greatly increase capacity and performance by exploiting the best available links to a base station. We envision an environment in which relay networks are dynamically formed in different frequency bands in response to the degradation of network performance. Nodes experiencing poor service may use their agile radios to join one of the available, non-interfering relay networks. We propose and evaluate a set of algorithms used to form such relay networks on-demand. Each of the algorithms begins by designating the nodes best suited for acting as gateways between the relay and cellular networks. Each scheme then determines the order of route request initiations. These algorithms are evaluated for latency, signaling overhead and gateway load during the network formation process, and average path length and amount of link sharing in the resulting relay networks. The evaluation leads us to conclude that having nodes furthest from the BS initiate route discovery first is the best approach for reducing the formation overhead and building efficient relay networks. To our knowledge, we are the first to propose and evaluate algorithms for the on-demand formation of multi-hop relay networks.

Security-typed languages are powerful tools for provably enforcing noninterference. Real computing systems, however, often intentionally violate noninterference by deliberately releasing (or declassifying) sensitive information. These systems frequently trust cryptographic functions to achieve declassification while still maintaining confidentiality. We introduce the notion of trusted functions that implicitly act as declassifiers within a security-typed language. Proofs of the new language's soundness and its enforcement of a weakened form of noninterference are given. Additionally, we implement trusted functions used for declassification in the Jif language. This represents a step forward in making security-typed languages more practical for use in real systems.

Secure data dissemination is a necessary and an extremely important component of ad hoc sensor networks and has been the topic of a large body of literature over the past few years. A variety of schemes have been proposed in order to ensure that data is delivered through these networks while maintaining message authenticity, integrity and, if so desired, privacy. The majority approaches applied to ad hoc networks assume the presence of either public or pre-established symmetric keys. This assumption, however, is not realistic for sensor networks. In this paper, we discuss the use of probabilistic symmetric-key management schemes and the ways in which their deployment specifically affects the ability of sensor nodes to optimally route packets in a secure setting. While numerous papers have advocated such an approach, none have investigated the details of such an implementation. Specifically, we contrast pre-establishing symmetric keys with neighboring nodes to a completely reactive approach of instituting secure relationships. Through simulation, we quantify the consequences of the application of these two methods on a number of scenarios requiring secure hop-by-hop routing in sensor networks.

Interdomain routing is implemented on the Internet through the Border Gateway Protocol (BGP). Many approaches have been proposed to mitigate or solve the many problems of BGP security; yet, none of the proposed solutions have been widely deployed. The lack of adoption is largely caused by a failure to find an acceptable balance between deployability, cost, and security. In this paper, we study one aspect of the BGP security puzzle: path validation. Unlike many previous works in this area, we develop a formal model of path authentication in BGP. We define and prove the security of our novel and efficient solutions under this model. We further analyze the security relevant stability of paths in the Internet and profile resource consumption of the proposed constructions via trace-based simulations. Our constructions are shown to reduce signature validation costs by as much as 97.3% over existing proposals while requiring nominal storage resources. We conclude by considering how our solution can be deployed in the Internet.

Many applications that make use of sensor networks require secure communication. Because asymmetric-key approaches to security are impossible to implement in such a resource-constrained environment, symmetric-key methods coupled with clever a priori key distribution schemes have been proposed to achieve the goals of data secrecy and integrity. These approaches typically assume that all sensors are similar in terms of capabilities, and hence deploy the same number of keys in all sensors in a network to provide the aforementioned protections. In this paper we demonstrate that a probabilistic unbalanced distribution of keys throughout the network that leverages the existence of a small percentage of more capable sensor nodes can not only provide an equal level of security but also reduce the consequences of node compromise. We demonstrate the effectiveness of this approach on small networks using a variety of trust models and then demonstrate the application of this method to very large systems.