papers | Marc Liberatore

Discovering Specification Violations in Networked Software Systems

Thu, 06 Aug 2015 12:00:00 +0000

Discovering Specification Violations in Networked Software Systems, written in collaboration with Robert Walls, Yuriy Brun, and Brian Levine, has been accepted to the IEEE International Symposium on Software Reliability Engineering (ISSRE 2015).

From the abstract:

Publicly released software implementations of network protocols often have bugs that arise from latent specification violations. We present APE, a technique that explores program behavior to identify potential specification violations. APE overcomes the challenge of exploring the large space of behavior by dynamically inferring precise models of behavior, stimulating unobserved behavior likely to lead to violations, and refining the behavioral models with the new, stimulated behavior. APE can (1) discover new specification violations, (2) verify that violations are removed, (3) identify related violations in other versions and implementations of the protocols, and (4) generate tests. APE works on binaries and requires a lightweight description of the protocol’s network messages and a violation characteristic. We use APE to rediscover the known heartbleed bug in OpenSSL, and discover one unknown bug and two unexpected uses of three popular BitTorrent clients. Manual inspection of APE-produced artifacts reveals four additional, previously unknown specification violations in OpenSSL and μTorrent.

Sybil-Resistant Mixing for Bitcoin

Mon, 25 Aug 2014 17:00:00 +0000

My paper Sybil-Resistant Mixing for Bitcoin, written in collaboration with George Bissias, Pinar Ozisik, and Brian Levine, has been accepted to the Workshop on Privacy in the Electronic Society workshop, held in conjunction with the ACM Conference on Computer and Communications Security.

From the abstract:

A fundamental limitation of Bitcoin and its variants is that the movement of coin between addresses can be observed by examining the public block chain. This record enables adversaries to link addresses to individuals, and to identify multiple addresses as belonging to a single participant. Users can try to hide this information by mixing, where a participant exchanges the funds in an address coin-for-coin with another participant and address. In this paper, we describe the weaknesses of extant mixing protocols, and analyze their vulnerability to Sybil-based denial-of-service and inference attacks. As a solution, we propose Xim, a two-party mixing protocol thatis compatible with Bitcoin and related virtual currencies.

It is the first decentralized protocol to simultaneously address Sybil attackers, denial-of-service attacks, and timing-based inference attacks. Xim is a multi-round protocol with tunably high success rates. It includes a decentralized system for anonymously finding mix partners based on ads placed in the block chain. No outside party can confirm or find evidence of participants that pair up. We show that Xim’s design increases attacker costs linearly with the total number of participants, and that its probabilistic approach to mixing mitigates Sybil-based denial-of-service attack effects. We evaluate protocol delays based on our measurements of the Bitcoin network.

Location Privacy without Carrier Cooperation

Tue, 29 Apr 2014 10:57:00 +0000

My paper Location Privacy without Carrier Cooperation, written in collaboration with Keen Sung and Brian Levine, has been accepted to the Mobile Security Technologies workshop, held as part of the IEEE Computer Society Security and Privacy Workshops, in conjunction with the IEEE Symposium on Security and Privacy.

From the abstract:

Cellular network operators can track the location of cell phone users as they connect to different towers. Operators may not directly control the user’s phone, but they do supply and control the SIM card that identifies the user. We seek to preserve a cellular phone user’s location privacy from cellular network operators. We propose the ZipPhone protocol for secure, virtual, and therefore easily changeable SIM cards. ZipPhone breaks the association between the user and IMSI identifier, and thus prevents the cellular operator from localizing the user.

Measuring a year of child pornography trafficking by U.S. computers on a peer-to-peer network

Wed, 23 Oct 2013 20:18:00 +0000

My paper Measuring a year of child pornography trafficking by U.S. computers on a peer-to-peer network, written in collaboration with Janis Wolak and Brian Levine, has been accepted to Child Abuse & Neglect.

From the abstract:

We used data gathered via investigative “RoundUp” software to measure a year of online child pornography (CP) trafficking activity by U.S. computers on the Gnutella peer-to-peer network. The data include millions of observations of Internet Protocol addresses sharing known CP files, identified as such in previous law enforcement investigations. We found that 244,920 U.S. computers shared 120,418 unique known CP files on Gnutella during the study year. More than 80% of these computers shared fewer than 10 such files during the study year or shared files for fewer than 10 days. However, less than 1% of computers (n = 915) made high annual contributions to the number of known CP files available on the network (100 or more files). If law enforcement arrested the operators of these high-contribution computers and took their files offline, the number of distinct known CP files available in the P2P network could be reduced by as much as 30%. Our findings indicate widespread low level CP trafficking by U.S. computers in one peer-to-peer network, while a small percentage of computers made high contributions to the problem. However, our measures were not comprehensive and should be considered lower bounds estimates. Nonetheless, our findings show that data can be systematically gathered and analyzed to develop an empirical grasp of the scope and characteristics of CP trafficking on peer-to-peer networks. Such measurements can be used to combat the problem. Further, investigative software tools can be used strategically to help law enforcement prioritize investigations.

Efficient Tagging of Remote Peers During Child Pornography Investigations

Mon, 07 Oct 2013 12:00:00 +0000

My paper Efficient Tagging of Remote Peers During Child Pornography Investigations, written in collaboration with Brian Levine, Clay Shields, and Brian Lynn, has been accepted to the IEEE Transactions on Dependable and Secure Computing.

In it, we examine the problems inherent in using various network- and application-level identifiers in the context of forensic measurement, as exemplified in the policing of peer-to-peer file sharing networks for sexually exploitative imagery of children. We present a one-year measurement performed in the law enforcement context. We propose a tagging method marks that remote machines by providing them with application- or system-level data that is valid, but which covertly has meaning to investigators. This tagging allows investigators to link network observations with physical evidence in a legal, forensically strong, and valid manner.

Disabling GPS is Not Enough: Cellular location leaks over the Internet

Wed, 15 May 2013 12:00:00 +0000

My paper Disabling GPS is Not Enough: Cellular location leaks over the Internet, written in collaboration with Hamed Soroush, Keen Sung, Erik Learned-Miller, and Brian Levine, has been accepted for publication in the proceedings of the Privacy Enhancing Technologies Symposium.

In this paper, we show that, given a cell phone and a remote party communicating over the Internet through 3G, the remote party can determine locational information without explicit GPS data. Specifically, we show that the path a cell phone and its owner take from or to a known location can be determined from remote observations of changes in TCP throughput. This determination is made possible by the relative ease of acquiring training data, given our attacker model (a streaming media service, or its data as subpoenaed by an investigator).

Measurement and Analysis of Child Pornography Trafficking on P2P Networks

Fri, 08 Feb 2013 09:00:00 +0000

My paper Measurement and Analysis of Child Pornography Trafficking on P2P Networks, written in collaboration with other members of the Center for Forensics, has been accepted for publication in the proceedings of the International World Wide Web Conference.

In it, we examine a large data set collected over a year on both the Gnutella and eMule/eDonkey networks. We examine methods of target selection designed to reduce content availability (an NP-hard problem); and we discover an empirical justification for focusing on subgroups of peers that are the most aggressive, in terms of their duration and scope of activity, volume of shared content, or attempts to escape attribution.

We also find that users trafficking in child sexual abuse imagery on these networks who use Tor use it inconsistently. Over 60% of linkable user sessions send traffic from non-Tor IPs at least once after first using Tor, thus removing its protection; over 90% of sessions observed on three or more days fail likewise. These sessions are linkable by the remote host because at the application level, some protocols send consistent identifiers. This problem is well documented.

Effectiveness and Detection of Denial-of-Service Attacks in Tor

Thu, 15 Nov 2012 12:00:00 +0000

After an extended review process, my paper Effectiveness and Detection of Denial-of-Service Attacks in Tor, written in collaboration with Norman Danner and Danny Krizanc at Wesleyan, and a very dedicated, very talented undergraduate, Sam DeFabbia-Kane, has been published in the ACM Transactions on Information and System Security.

This manuscript is a much extended and improved version of the paper we published at Financial Cryptography 2009. In it, we examine the denial-of-service attack that Borisov et al. previously proposed, both through analysis and simulation. We also describe two algorithms for detecting such attacks, one deterministic and proved correct, the other probabilistic and verified in simulation.

Forensic Investigation of the OneSwarm Anonymous Filesharing System

Mon, 17 Oct 2011 12:00:00 +0000

My paper Forensic Investigation of the OneSwarm Anonymous Filesharing System, written in collaboration with Swagatika Prusty and Brian Neil Levine, has been published in the ACM Conference on Computer and Communications Security (CCS 2011). In it:

We show a weaknesses of the OneSwarm system to a practical, statistical timing attack, allowing attackers to determine if a peer is the source of a file.
We correct the original analysis of the system’s robustness against collusion attacks and show it is less resistant than previously believed.
We show that an application of a known TCP-based attack can determine a peer is the source of a file, if that peer has disabled rate-limiting in their client.

Effective Digital Forensics Research is Investigator-Centric

Tue, 09 Aug 2011 12:00:00 +0000

My position paper Effective Digital Forensics Research is Investigator-Centric, written in collaboration with Robert Walls, Brian Levine, and Clay Shields, has been published in the USENIX Workshop on Hot Topics in Security (HotSec 2011). In it, we point out the sharp differences of digital forensics research to computer security research, in the hopes of aiding both reviewers and researchers in their goal of producing and publishing useful, effective digital forensics research.