
Showing papers presented at "USENIX Security Symposium in 1996"


Proceedings Article
Peter Gutmann
22 Jul 1996
TL;DR: This paper covers some of the methods available to recover erased data and presents schemes to make this recovery significantly more difficult.
Abstract: With the use of increasingly sophisticated encryption systems, an attacker wishing to gain access to sensitive data is forced to look elsewhere for information. One avenue of attack is the recovery of supposedly erased data from magnetic media or random-access memory. This paper covers some of the methods available to recover erased data and presents schemes to make this recovery significantly more difficult.

545 citations


Proceedings Article
22 Jul 1996
TL;DR: This work intercepts and filters dangerous system calls via the Solaris process tracing facility, and builds a simple, clean, user-mode implementation of a secure environment for untrusted helper applications.
Abstract: Many popular programs, such as Netscape, use untrusted helper applications to process data from the network. Unfortunately, the unauthenticated network data they interpret could well have been created by an adversary, and the helper applications are usually too complex to be bug-free. This raises significant security concerns. Therefore, it is desirable to create a secure environment to contain untrusted helper applications. We propose to reduce the risk of a security breach by restricting the program's access to the operating system. In particular, we intercept and filter dangerous system calls via the Solaris process tracing facility. This enabled us to build a simple, clean, user-mode implementation of a secure environment for untrusted helper applications. Our implementation has negligible performance impact, and can protect pre-existing applications.

504 citations


Proceedings Article
01 Jan 1996

330 citations


Proceedings Article
22 Jul 1996
TL;DR: SSH provides secure login, file transfer, X11, and TCP/IP connections over an untrusted network, using cryptographic authentication, automatic session encryption, and integrity protection for transferred data.
Abstract: SSH provides secure login, file transfer, X11, and TCP/IP connections over an untrusted network. It uses cryptographic authentication, automatic session encryption, and integrity protection for transferred data. RSA is used for key exchange and authentication, and symmetric algorithms (e.g., IDEA or three-key triple-DES) for encrypting transferred data. SSH is intended as a replacement for the existing rsh, rlogin, rcp, rdist, and telnet protocols. SSH is currently (March 1996) being used at thousands of sites in at least 50 countries. Its users include top universities, research laboratories, many major corporations, and numerous smaller companies and individuals. The SSH protocol can also be used as a generic transport layer encryption mechanism, providing both host authentication and user authentication, together with privacy and integrity protection.

278 citations


Proceedings Article (DOI)
Steven M. Bellovin
22 Jul 1996
TL;DR: A number of attacks against various versions of IP-layer encryption and authentication protocols, including confidentiality failures and authentication failures are described, which are troubling for the utility of this entire effort.
Abstract: The Internet Engineering Task Force (IETF) is in the process of adopting standards for IP-layer encryption and authentication (IPSEC). We describe a number of attacks against various versions of these protocols, including confidentiality failures and authentication failures. The implications of these attacks are troubling for the utility of this entire effort.

181 citations


Proceedings Article
22 Jul 1996
TL;DR: A system which enables a user to remove a file from both the file system and all the backup tapes on which the file is stored by applying cryptography in a new way, using a block cipher to "forget" information rather than protect it.
Abstract: We present a system which enables a user to remove a file from both the file system and all the backup tapes on which the file is stored. The ability to remove files from all backup tapes is desirable in many cases. Our system erases information from the backup tape without actually writing on the tape. This is achieved by applying cryptography in a new way: a block cipher is used to enable the system to "forget" information rather than protect it. Our system is easy to install and is transparent to the end user. Further, it introduces no slowdown in system performance and little slowdown in the backup procedure.

157 citations


Proceedings Article
22 Jul 1996
TL;DR: NetKuang is an extension to Baldwin's SU-Kuang that runs on networks of computers using Unix and can find vulnerabilities created by poor system configuration and has found real vulnerabilities on production systems.
Abstract: NetKuang is an extension to Baldwin's SU-Kuang. It runs on networks of computers using Unix and can find vulnerabilities created by poor system configuration. Vulnerabilities are discovered using a backwards goal-based search that is breadth-first on individual hosts and parallel when multiple hosts are checked. An implementation in C++ found real vulnerabilities on production systems. Tests show reasonably fast performance on a LAN.

109 citations


Proceedings Article
22 Jul 1996
TL;DR: This paper illustrates how a DTE-enhanced UNIX prototype, driven by simple, machine-interpretable DTE policies, can provide strong protection against specific classes of attacks by malicious programs that gain root privilege.
Abstract: The pervasive use of the root privilege is a central problem for UNIX security because an attacker who subverts a single root program gains complete control over a computing system. Domain and type enforcement (DTE) is a strong, configurable operating system access control technology that can minimize the damage root programs can cause if subverted. DTE does this by preventing groups of root programs from accessing critical files in inappropriate access modes. This paper illustrates how a DTE-enhanced UNIX prototype, driven by simple, machine-interpretable DTE policies, can provide strong protection against specific classes of attacks by malicious programs that gain root privilege. We present a sequence of policy components that protect system binaries against Rootkit, a widely-used hacker toolkit, and protect password, system log, user, and device special files against other root-based attacks. Tradeoffs among DTE policy complexity, scope of protection, and other factors are discussed.

102 citations


Proceedings Article
22 Jul 1996

79 citations


Proceedings Article
Li Gong
22 Jul 1996
TL;DR: The Enclaves approach is to transform user machines into "enclaves," which are protected from outside interference and attacks, which can dynamically form a secure virtual subnet within which to conduct their joint business.
Abstract: The rapid expansion of the Internet means that users increasingly want to interact with each other. Due to the openness and insecure nature of the net, users often have to rely on firewalls to protect their connections. Firewalls, however, make real-time interaction and collaboration more difficult. Firewalls are also complicated to configure and expensive to install and maintain, and are inaccessible to small home offices and mobile users. The Enclaves approach is to transform user machines into "enclaves," which are protected from outside interference and attacks. Using Enclaves, a group of collaborators can dynamically form a secure virtual subnet within which to conduct their joint business. This paper describes the design and implementation of the Enclaves toolkit, and some applications we have built using the toolkit.

72 citations


Proceedings Article
22 Jul 1996
TL;DR: This paper presents five compliance defects that are inherent in public-key cryptography; these defects make public-key cryptography more suitable for server-to-server security than for desktop applications.
Abstract: Public-key cryptography has low infrastructural overhead because public-key users bear a substantial but hidden administrative burden. A public-key security system trusts its users to validate each others' public keys rigorously and to manage their own private keys securely. Both tasks are hard to do well, but public-key security systems lack a centralized infrastructure for enforcing users' discipline. A compliance defect in a cryptosystem is such a rule of operation that is both difficult to follow and unenforceable. This paper presents five compliance defects that are inherent in public-key cryptography; these defects make public-key cryptography more suitable for server-to-server security than for desktop applications.

Proceedings Article
22 Jul 1996
TL;DR: In this article, the authors describe an architecture that flexibly controls the access rights of downloaded content by authenticating content sources; determining content access rights based on its source and the application that it is implementing; and enforcing these access rights over a wide variety of objects and for the entire computation, even if external software is used.
Abstract: Downloading executable content, which enables principals to run programs from remote sites, is a key technology in a number of emerging applications, including collaborative systems, electronic commerce, and web information services. However, the use of downloaded executable content also presents serious security problems because it enables remote principals to execute programs on behalf of the downloading principal. Unless downloaded executable content is properly controlled, a malicious remote principal may obtain unauthorized access to the downloading principal's resources. Current solutions either attempt to strictly limit the capabilities of downloaded content or require complete trust in the remote principal, so applications which require intermediate amounts of sharing, such as collaborative applications, cannot be constructed over insecure networks. In this paper, we describe an architecture that flexibly controls the access rights of downloaded content by: (1) authenticating content sources; (2) determining content access rights based on its source and the application that it is implementing; and (3) enforcing these access rights over a wide variety of objects and for the entire computation, even if external software is used. We describe the architecture in the context of an infrastructure for supporting collaborative applications.

Proceedings Article
22 Jul 1996
TL;DR: This paper proposes how this infrastructure of the secure DNS could be exploited by today's users of the Internet to distribute and manage their personal public keys.
Abstract: Recently, many protocols in the Internet are proposing the use of public key cryptography in support of integrity and authentication security services. However, each of these protocols lacks a globally available public key distribution and management system. A secure version of the Domain Name System (DNS) is being developed which, conveniently, provides an infrastructure ideally suited for the distribution and management of public keys. We propose how this infrastructure of the secure DNS could be exploited by today's users of the Internet to distribute and manage their personal public keys.

Proceedings Article
22 Jul 1996
TL;DR: This paper presents an extension of their ideas called dual-workfactor encrypted key exchange that preserves EKE's strength against dictionary attacks but also efficiently prevents passive password-chaining attacks.
Abstract: Password-based key-server protocols are susceptible to password chaining attacks, in which an enemy uses knowledge of a user's current password to learn all future passwords. As a result, the exposure of a single password effectively compromises all future communications by that user. The same protocols also tend to be vulnerable to dictionary attacks against user passwords. Bellovin and Merritt [1] presented a hybrid of symmetric- and public-key cryptography called Encrypted Key Exchange (EKE) that cleanly solves the dictionary attack problem. This paper presents an extension of their ideas called dual-workfactor encrypted key exchange that preserves EKE's strength against dictionary attacks but also efficiently prevents passive password-chaining attacks.

Proceedings Article
22 Jul 1996
TL;DR: This paper discusses lessons learned from a selection of computer security problems that have surfaced in the recent past, and that are likely to show up again in the future.
Abstract: This paper discusses lessons learned from a selection of computer security problems that have surfaced in the recent past, and that are likely to show up again in the future. Examples are taken from security advisories and from unpublished loopholes in the author's own work.

Proceedings Article
22 Jul 1996
TL;DR: This paper enumerates several classes of atomic protocols and gives two fundamental building blocks for building atomic electronic commerce protocols: encryption- based atomicity and authority-based atomicity.
Abstract: Atomicity is clearly a central problem for electronic commerce protocols -- we can not tolerate electronic commerce systems where money is arbitrarily created or destroyed. Moreover, these atomicity properties should be retained in the event of component failures in distributed systems. In this paper, we enumerate several classes of atomic protocols. We then give two fundamental building blocks for building atomic electronic commerce protocols: encryption-based atomicity and authority-based atomicity. We then illustrate these building blocks by considering variations of payment-server based protocols that use these different building blocks. The results give a contrast to the class of protocols that we have previously examined in our work with NetBill.

Proceedings Article
01 Jan 1996
TL;DR: An architecture that flexibly controls the access rights of downloaded content by authenticating content sources; determining content access rights based on its source and the application that it is implementing; and enforcing these access rights over a wide variety of objects and for the entire computation, even if external software is used is described.
Abstract: Downloading executable content, which enables principals to run programs from remote sites, is a key technology in a number of emerging applications, including collaborative systems, electronic commerce, and web information services. However, the use of downloaded executable content also presents serious security problems because it enables remote principals to execute programs on behalf of the downloading principal. Unless downloaded executable content is properly controlled, a malicious remote principal may obtain unauthorized access to the downloading principal's resources. Current solutions either attempt to strictly limit the capabilities of downloaded content or require complete trust in the remote principal, so applications which require intermediate amounts of sharing, such as collaborative applications, cannot be constructed over insecure networks. In this paper, we describe an architecture that flexibly controls the access rights of downloaded content by: (1) authenticating content sources; (2) determining content access rights based on its source and the application that it is implementing; and (3) enforcing these access rights over a wide variety of objects and for the entire computation, even if external software is used. We describe the architecture in the context of an infrastructure for supporting collaborative applications.

Proceedings Article (DOI)
Bill Cheswick, Steven M. Bellovin
22 Jul 1996
TL;DR: IP-transparent firewalls require access to the external Domain Name System (DNS) from protected internal hosts, and Dnsproxy provides access to and protection from untrusted DNS services.
Abstract: IP-transparent firewalls require access to the external Domain Name System (DNS) from protected internal hosts. Misconfigurations and misuse of this system can create internal administrative and security problems. Dnsproxy provides access to and protection from untrusted DNS services. It runs on a firewall, or on a trusted host just inside the firewall. The program receives (or intercepts) DNS queries and forwards them to an appropriate internal or external "realm" for processing. The responses can be checked, filtered, and modified before they are returned to the requester. The logging and consistency checks can provide information about possible DNS attacks and irregularities that are not available from most DNS implementations.

Proceedings Article
22 Jul 1996
TL;DR: Using the programming interface for the RPCSEC_GSS flavor, ONC RPC applications can specify a GSS-API security mechanism to be used with an RPC session, and also request security services, such as integrity and privacy.
Abstract: Generic Security Services API (GSS-API) [4] provides a framework for security services. It allows source level portability. It allows applications to run independently of the underlying security mechanisms and technologies. To provide security mechanism independence in ONC RPC [1, 2, 3], this paper proposes a new security flavor, RPCSEC_GSS. RPCSEC_GSS incorporates services offered by the GSS-API into ONC RPC. Using the programming interface for the RPCSEC_GSS flavor, ONC RPC applications can specify a GSS-API security mechanism to be used with an RPC session, and also request security services, such as integrity and privacy.

Proceedings Article
22 Jul 1996
TL;DR: Chrg-http is a simple and secure protocol for electronic payments over the Internet, especially in an intranet environment that is based on the billing model (or the subscription model).
Abstract: Chrg-http is a simple and secure protocol for electronic payments over the Internet, especially in an intranet environment. It is designed to support micropayments (or, more specifically, electronic publishing), which have costs ranging from pennies to a few dollars. A widely used secure system, Kerberos V5, has been incorporated into the http protocol. The security and authentication of a transaction is provided by Kerberos, without expensive public key cryptographic computations, or on-line processing through a centralized payment processing server, which is the case for most of the existing electronic payment systems on the World Wide Web. Our implementation is based on the billing model (or the subscription model). The simplicity of the model also helps to reduce the charging cost overhead.

Proceedings Article
22 Jul 1996
TL;DR: This project uses standard PGP keys as the basis of unified authentication, authorization, and encryption, combining both perfect forward secrecy and strong RSA authentication.
Abstract: At the Fourth USENIX Security Conference, we presented a paper on SRA Telnet, which was a simple Diffie-Hellman based system to defeat standard password sniffing, without requiring externally validated keys. Since that time, several projects, such as Secure Telnet (stel), have worked to extend this simple Diffie-Hellman model to add data encryption, larger keys, and resistance to man-in-the-middle attack. Other projects, such as SSL and SSH use validated RSA keys for full authentication. This project uses standard PGP keys as the basis of unified authentication, authorization, and encryption, combining both perfect forward secrecy and strong RSA authentication.

Proceedings Article
01 Jan 1996

Proceedings Article
22 Jul 1996
TL;DR: This paper discusses a number of practical integration problems faced by Morgan Stanley's specialized requirements, and a lack of support for Kerberos among operating system and application vendors, and the areas in which vendors must provide better support.
Abstract: Morgan Stanley, an international financial services firm, has a significant investment in Kerberos. We have been using Kerberos 4 since 1993, and began a transition to Kerberos 5 in 1995. Kerberos has helped us progress towards solving the classic security problems of cleartext passwords and single sign-on. However, because of Morgan Stanley's specialized requirements, and a lack of support for Kerberos among operating system and application vendors, we have faced a number of practical integration problems not faced by the research community. This paper discusses those problems, the tools we have built to solve them, and the areas in which we feel vendors must provide better support for Kerberos.

Proceedings Article
Lei Tang
22 Jul 1996
TL;DR: This work addresses how to achieve both transaction atomicity and transaction anonymity in the presence of hostile failures, which are common in an electronic currency system if the customers or the merchants are dishonest or malicious.
Abstract: We describe the framework for building an electronic currency system. We detail the design of the components of the electronic currency system and the relationship among them. Contrary to the previous electronic currency literature, which focuses exclusively on electronic currency protocol designs, we address how to achieve both transaction atomicity and transaction anonymity in the presence of hostile failures, which are common in an electronic currency system if the customers or the merchants are dishonest or malicious. We also propose a recovery method called redo_transaction to recover from hostile failures so that the aborted electronic currency transactions caused by the hostile failures can be forced to commit eventually. The structure of the electronic currency system is protocol-independent in the sense that Chaum-like off-line electronic currency protocols could be incorporated into our framework.