shadow: simple hpc for systems security research
DESCRIPTION
Shadow: Simple HPC for Systems Security Research. Invited Talk Kansas State University September 25 th , 2013. Rob Jansen U.S. Naval Research Laboratory [email protected]. Outline. Experimentation Ideology Shadow and its Design Use case: Overview: the Distributed Tor Network - PowerPoint PPT PresentationTRANSCRIPT
Shadow: Simple HPC for Systems Security Research
Invited TalkKansas State UniversitySeptember 25th, 2013
Rob JansenU.S. Naval Research [email protected]
Outline
● Experimentation Ideology
● Shadow and its Design
● Use case:– Overview: the Distributed Tor Network– Research: the Sniper Attack Against Tor
Outline
● Experimentation Ideology
● Shadow and its Design
● Use case:– Overview: the Distributed Tor Network– Research: the Sniper Attack Against Tor
Properties of Experimentation
Network ResearchApproaches ProblemsLive Network Hard to manage, lengthy deployment,
security risks
PlanetLab Hard to manage, bad at modeling, not scalable
Simulation Not generalizable, inaccurate
Emulation Large overhead, kernel complexities
Testbed Trade-offs
Controllable
Reproducible
Scalable
Accuracy
Convenient
Live Network X XPlanetLab ?Simulation X X X XEmulation X XShadow X X X ? X
Outline
● Experimentation Ideology
● Shadow and its Design
● Use case:– Overview: the Distributed Tor Network– Research: the Sniper Attack Against Tor
What is Shadow?
● Discrete event network simulator
● Runs real applications without modification
● Simulates time, network, crypto, CPU
● Models routing, latency, bandwidth
● Single Linux box without root privileges
Shadow’s Capabilities
Bootstrapping Shadow
Virtual Network Configuration
Virtual Host Configuration
Simulation Engine
Program Layout
Libraries(libc, …)
Shadow Engine
(shadow-bin)
ShadowPlug-in
(application+wrapper)
Plug-in Wrapper Hooks
plugin_init()new_instance(argv, argc)
free_instance()instance_notify()
Libraries(libc, …)
Shadow Engine
(shadow-bin)
ShadowPlug-in
(application+wrapper)
Function InterpositionLD_PRELOAD=/home/rob/libpreload.so
Libraries(libc, …)
Shadow Engine
(shadow-bin)
ShadowPlug-in
(application+wrapper)
libpreload (socket, write, …)
Function InterpositionLD_PRELOAD=/home/rob/libpreload.so
hooks Libraries(libc, …)
Shadow Engine
(shadow-bin)
ShadowPlug-in
(application+wrapper)
libpreload (socket, write, …)
Function Interposition
libpreload (socket, write, …)
LD_PRELOAD=/home/rob/libpreload.so
Libraries(libc, …)
Shadow Engine
(shadow-bin)
ShadowPlug-in
(application+wrapper)
hooks fopen
Function Interposition
libpreload (socket, write, …)
LD_PRELOAD=/home/rob/libpreload.so
sock
et
Libraries(libc, …)
Shadow Engine
(shadow-bin)
ShadowPlug-in
(application+wrapper)
hooks fopen
Function Interposition
libpreload (socket, write, …)
LD_PRELOAD=/home/rob/libpreload.so
wri
te
Libraries(libc, …)
Shadow Engine
(shadow-bin)
ShadowPlug-in
(application+wrapper)
hooks fopen
Clang/LLVM (custom pass)
Virtual Context Switching
Virtual Context Switching
Shadow-Tor’s Accuracy
Shadow-Tor’s Scalability
Memory: 20-30 MiB per virtual Tor host
Outline
● Experimentation Ideology
● Shadow and its Design
● Use case:– Overview: the Distributed Tor Network– Research: the Sniper Attack Against Tor
The Tor Anonymity Network
torproject.org
How Tor Works
How Tor Works
How Tor Works
How Tor Works
How Tor Works
Tor protocol aware
Outline
● Experimentation Ideology
● Shadow and its Design
● Use case:– Overview: the Distributed Tor Network– *Research: the Sniper Attack Against Tor
*Joint with Aaron Johnson, Florian Tschorsch, Björn Scheuermann
Tor Flow Control
exitentry
Tor Flow Control
One TCP Connection Between Each Relay,Multiple Circuits
exitentry
Tor Flow Control
One TCP Connection Between Each Relay,Multiple Circuits
Multiple Application Streams
exitentry
Tor Flow Control
No end-to-end TCP!
exitentry
Tor Flow Control
Tor protocol aware
exitentry
Tor Flow Control
Packaging End
DeliveryEnd
exitentry
Tor Flow Control
Packaging End
DeliveryEnd
exitentry
Tor Flow Control
1000 Cell Limit
SENDME Signal Every 100 Cells
exitentry
The Sniper Attack
● Low-cost memory consumption attack
● Disables arbitrary Tor relays
● Anonymous if launched through Tor
The Sniper Attack
Start Download
Request
exitentry
The Sniper Attack
Reply
DATAexitentry
The Sniper AttackPackage and Relay DATA
DATA
DATAexitentry
The Sniper Attack
DATA
DATA
Stop Reading from Connection
DATA
Rexitentry
The Sniper Attack
DATA
DATA
DATADATADATADATADATADATA
Rexitentry
The Sniper Attack
DATA
DATA
DATADATADATADATADATADATA
Periodically Send SENDME SENDME
R
DATADATADATADATADATA
exitentry
The Sniper Attack
DATA
DATA
DATADATADATADATADATADATA
Out of Memory, Killed by OS
R
DATADATADATADATADATA
exitentry
Memory Consumed over Time
Mean RAM Consumed, 50 Relays
Mean BW Consumed, 50 Relays
Sniper Attack Defenses
● Authenticated SENDMEs
● Queue Length Limit
● Adaptive Circuit Killer
Circuit-Killer Defense
Sniper Attack Implications
● Reduce Tor’s capacity
● Network Denial of Service
● Influence path selection (selective DoS)
● Deanonymization of hidden services
Outline
● Experimentation Ideology
● Shadow and its Design
● Use case:– Overview: the Distributed Tor Network– Research: the Sniper Attack Against Tor