Security, user privacy, network neutrality
Yves ROUDIER (EURECOM)
Introduction

Current user-centric networked systems increasingly raise security, safety, privacy, and neutrality concerns:
• Cloud Computing
• Mobile networks
• IoT
• Social Networks
• Connected Vehicles
Labex UCN@Sophia

• Privacy: How to control the level of exposure of user data? How valuable is information disclosed with privacy in mind?
• Neutrality: How to control the quality of service delivered by the network? How to ensure equal treatment of all users?
• Security: How can users trust such systems? How to integrate security mechanisms at different levels of distributed systems (network infrastructure, hardware, protocol stacks, applications)?
Labex UCN@Sophia - Support

• Security, Privacy & Neutrality is a transversal topic in UCN@Sophia
  – Scientific Days helped raise awareness and introduce research interests to the Labex community:
    • Workshop on Security and Privacy (December 2013)
    • Workshop on ITS (March 2015)
    • CIM-PACA platform workshop (May 2015)
• 3 PhDs:
  – Mehdi Ahizoune
  – Florian Lugou
  – Riccardo Ravaioli
• 2 Post-Doctoral Fellowships:
  – Michela Chessa
  – Quentin Jacquemart
• 1 Invited Researcher:
  – Jörg Kienzle (Pr. McGill University)
Security

• Post-Doc (ongoing: 2016): Quentin Jacquemart (I3S)
  – Topic: Stealthy BGP Hijacking Monitoring – IPv6
  – Objective: compare the IPv6 and IPv4 capabilities for detecting falsified IP prefixes announced by Internet Service Providers, through correlation of verification data sources
• PhD (2014 - ongoing): Florian Lugou (LTCI – EURECOM collaboration)
  – Topic: Security analysis for communicating devices
  – Objective: formal verification of lower-level, embedded systems, hardware & protocols
• PhD (2014 - ongoing): Mehdi Ahizoune (EURECOM – I3S collaboration)
  – Topic: Software factories for security-by-design
  – Objective: Model-Driven Security for distributed software and security protocols
    • Model-Driven Engineering for distributed software architecture & design
    • Model-Based Security Testing for cryptographic protocols
Stealthy BGP Hijacking Monitoring – IPv6: Objectives & Technical Approach

Datasets (domain knowledge):
• BGP data: BGP routing tables, BGP router messages
• Semantic data: Internet Routing Registries, AS topology relationships, AS hierarchy, bogon list
• Application-level data: spamtrap data, Alexa rankings, netflows, SSL/TLS certificates, malware data
• IP data: traceroutes, netflows

Anomaly detection stages (block diagram on the slide):
• Control-plane anomaly detection over BGP data → suspicious BGP routes
• Data-plane anomaly detection over IP data, and semantics anomaly detection over semantic and application-level data → suspicious cases
• Forensics analysis → malicious BGP routes

Malicious BGP route types: Multiple Origin AS (MOAS), sub-MOAS, sub-prefix, man-in-the-middle, blackspace
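The control-plane stage of the pipeline above turns raw route announcements into a shortlist of suspicious routes for forensic follow-up. The following is an added example of such a pre-filter, not code from the Labex project or from the [PAM 16] / [SAC 16] work; it assumes a simplified feed of (prefix, origin AS) pairs, a constructed bogon list, and the following reading of the slide's taxonomy: MOAS = one prefix with several origin ASes, sub-MOAS = a more-specific prefix originated by an AS other than the covering prefix's origin, sub-prefix = a more-specific prefix from the same origin as its covering prefix. The sample feed uses documentation and private address ranges only.

```python
"""Control-plane pre-filter: flag suspicious BGP routes for forensic follow-up.

Added example, not the Labex project's code. It assumes a simplified route
feed of (prefix, origin AS) pairs and a constructed bogon list; real detection
would also correlate routing registries, AS relationships and data-plane probes.
"""
import ipaddress
from collections import defaultdict

# Constructed bogon list: address space that should never be originated publicly.
BOGONS = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "192.168.0.0/16", "fc00::/7")]


def _covers(outer, inner):
    """True if `outer` strictly contains `inner` (same address family only)."""
    return (outer.version == inner.version and outer != inner
            and inner.subnet_of(outer))


def classify_routes(routes):
    """routes: iterable of (prefix string, origin ASN).

    Returns a sorted list of (prefix, reason) tuples for routes that deserve a
    forensic look:
      - 'bogon'      : prefix lies inside reserved / unallocated space
      - 'MOAS'       : the same prefix is originated by several ASes
      - 'sub-MOAS'   : a more-specific prefix is originated by an AS that does
                       not originate its covering prefix
      - 'sub-prefix' : a more-specific prefix from the same origin as its
                       covering prefix (often traffic engineering; low priority)
    """
    origins = defaultdict(set)
    for prefix, asn in routes:
        origins[ipaddress.ip_network(prefix)].add(int(asn))

    flagged = []
    for net, asns in origins.items():
        reasons = []
        if any(b.version == net.version and net.subnet_of(b) for b in BOGONS):
            reasons.append("bogon")
        if len(asns) > 1:
            reasons.append("MOAS")
        # Closest (most specific) covering prefix present in the same feed, if any.
        covering = [c for c in origins if _covers(c, net)]
        if covering:
            parent = max(covering, key=lambda c: c.prefixlen)
            if asns - origins[parent]:
                reasons.append("sub-MOAS")
            else:
                reasons.append("sub-prefix")
        flagged.extend((str(net), r) for r in reasons)
    return sorted(flagged)


# Constructed sample feed (documentation / private ranges, private-use ASNs).
SAMPLE_FEED = [
    ("203.0.113.0/24", 64500),      # legitimate announcement
    ("203.0.113.0/24", 64511),      # same prefix, second origin -> MOAS
    ("198.51.100.0/24", 64500),
    ("198.51.100.128/25", 64496),   # more specific from another AS -> sub-MOAS
    ("192.0.2.0/24", 64500),
    ("192.0.2.0/25", 64500),        # more specific from the same AS -> sub-prefix
    ("10.1.0.0/16", 64496),         # private space -> bogon
    ("2001:db8::/32", 64500),
    ("2001:db8:1::/48", 64511),     # IPv6 more specific from another AS -> sub-MOAS
]

if __name__ == "__main__":
    for prefix, reason in classify_routes(SAMPLE_FEED):
        print(f"{reason:10s} {prefix}")
```

Every flagged route is only a candidate: the data-plane and semantic stages (traceroutes, registry data, AS relationships) decide whether a sub-MOAS is a customer legitimately announcing a delegated block or an actual hijack.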
Security analysis for communicating devices: Objectives

How can we verify security properties when hardware and software tightly interact?
• Software (high level) and hardware (low level) are separated by a semantic gap: interrupts, hardware-enforced memory protections, trusted technologies, firmware, drivers, memory-mapped I/O
• Avatar to ProVerif – Hardware and Software provide functionalities (improvements to compilation process)
• SMASHUP – Hardware impacts how Software is executed (Simple Modeling and Attestation of Software and Hardware Using ProVerif), first release

Security analysis for communicating devices: Technical Approach

• Avatar to ProVerif [MODELSWARD 16]: block diagram (describes communications) and activity diagram (describes behaviors) → translator → ProVerif specification → proof
• SMASHUP [PROOFS 15]: semantic description of how HW acts on SW, together with the SW → SW integration → ProVerif specification → proof
• Code: https://gitlab.eurecom.fr/Aishuu/smashup
Software factories for security-by-design: Objectives

How to specify security mechanisms? How to generate or test their correct implementation?
• Inputs: security architectures, software, security protocol stack, protocol definition (e.g. RFC), attack strategies, security requirements, security best practices and design patterns
• Flow: Specification → Software Product Lines (SPL) → Implementation
• MDE (Model-Driven Engineering):
  – Modeling security expertise
  – Deployment of security mechanisms
• MBST (Model-Based Security Testing):
  – Isolate protocol state machine
  – Modularize tests through variant management

Software factories for security-by-design: Technical Approach

• MDE – Automate architectural exploration and verification
  – Achievements: catalog of security design patterns within a software product line approach
  – Perspectives: Construction of the complete security SPL for distributed system architectures and security mechanisms
    • Expertise automation will result in inferences on catalog + mapping of corresponding security mechanisms on architecture
    • Component selection / code generation from the SPL
• MBST – Improve security test through variability modeling
  – Ongoing: TLS protocol as a use case for modeling protocol variability with Software Product Lines in order to control tests
  – Underlying feature model and feature transition system under construction
  – Perspectives:
    • New applications of FAMILIAR toolkit for security engineering / test
    • Extension of SysML-Sec MDE methodology
Net Neutrality

• PhD (ongoing: 2016): Riccardo Ravaioli (Diana/INRIA – Signet/I3S)
  – Topic: Active inference of network neutrality
  – Objective: monitor the network at the user level, considering non-specific network traffic
  – Perspectives: Measurement as a Service (new Labex PhD)
    • measuring virtualized environments
    • coordination of measurements
  – Achievements: chkdiff tool
    • building block for a project on network transparency and troubleshooting

Active inference of network neutrality: Objectives

• ISP violations of neutrality, numerous examples:
  • [2011, 2012] Free throttles bandwidth allocated to YouTube during evening hours
  • [2014] Verizon deteriorates connections to Netflix
• Detecting neutrality violations - principle:
  1. Capture user traffic
  2. Shuffle packets within the trace → combat load variations
  3. Replay in the upstream direction with limited TTL [ITC 15]
    • Intermediate routers answer [ICC 15]
    • Compare the distribution of each flow against the rest (Kolmogorov-Smirnov tests)
  4. Download direction [ITC 16]
    • Need to open ports as a client behind NAT
    • Send the trace from the server
    • Need to account for multipath: clustering approach – outliers = suspect flows
• Validation over Ethernet, Wifi and 3G/4G networks
• ChkDiff code available at: https://riccardoravaioli.wordpress.com/chkdiff/

Active inference of network neutrality: Technical Approach

[Figure: upstream experiment and downstream experiment]
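The analysis step of the procedure above (step 3: compare each flow's delay distribution against the rest with a Kolmogorov-Smirnov test) can be shown offline. The following is an added example and not the ChkDiff code linked above; it assumes that capture, shuffling and TTL-limited replay have already produced one list of per-packet delays (in ms) per flow, implements the two-sample KS statistic directly (no SciPy dependency), uses the large-sample critical value at α = 0.05, and runs on constructed samples in which one flow is delayed by 20 ms, as a throttled flow would appear.

```python
"""Analysis step of a chkdiff-style neutrality test: compare the delay
distribution of each flow against all other flows with a two-sample
Kolmogorov-Smirnov test and report flows that stand out.

Added example, not the ChkDiff code. Delay samples are constructed below so
that the script runs offline.
"""
import math


def ks_statistic(a, b):
    """Two-sample KS statistic D = max |F_a(x) - F_b(x)|. Both empirical CDFs
    are evaluated at every distinct observed value, which handles ties."""
    a, b = sorted(a), sorted(b)
    n, m = len(a), len(b)
    d, i, j = 0.0, 0, 0
    for x in sorted(set(a) | set(b)):
        while i < n and a[i] <= x:
            i += 1
        while j < m and b[j] <= x:
            j += 1
        d = max(d, abs(i / n - j / m))
    return d


def ks_critical(n, m, c_alpha=1.36):
    """Large-sample critical value of D at alpha = 0.05 (c(alpha) = 1.36)."""
    return c_alpha * math.sqrt((n + m) / (n * m))


def suspect_flows(flows):
    """flows: dict flow_id -> list of delays (ms). Each flow is tested against
    the pooled delays of all other flows; returns {flow_id: (D, D_crit)} for
    flows whose D exceeds the critical value, i.e. candidate differentiation."""
    out = {}
    for fid, sample in flows.items():
        rest = [x for other, s in flows.items() if other != fid for x in s]
        d = ks_statistic(sample, rest)
        crit = ks_critical(len(sample), len(rest))
        if d > crit:
            out[fid] = (d, crit)
    return out


def constructed_flows(n_flows=12, n=80, throttled="flow-11"):
    """Constructed data: eleven flows with delays spread evenly over 18-24 ms
    (a 0.001 ms per-flow offset only breaks ties) and one flow shifted by
    +20 ms, the signature a throttled flow would leave in the replay."""
    flows = {}
    for f in range(n_flows):
        fid = f"flow-{f}"
        shift = 20.0 if fid == throttled else 0.0
        flows[fid] = [18.0 + shift + 6.0 * i / n + 0.001 * f for i in range(n)]
    return flows


if __name__ == "__main__":
    for fid, (d, crit) in suspect_flows(constructed_flows()).items():
        print(f"{fid}: D={d:.3f} > D_crit={crit:.3f} -> suspect")
```

With these samples the untouched flows reach D of about 0.10 against the pool (the shifted flow makes up one eleventh of it) while the critical value for 80 versus 880 samples is about 0.159, so only the shifted flow is reported. The downstream case on the slide replaces this single pooled comparison with clustering, because multipath routing legitimately produces several delay populations.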
Privacy Protection

• Post-Doc: Michela Chessa
  – Topic: PRIvate data Monetization
  – Objective: cooperative game theory approach to user privacy
    • Social networks: incidence of graph structure over personal information release?
    • Data analytics: estimating population averages from data provided by privacy-sensitive users?
• Collaboration with ISEM lab (Institut Supérieur d'Économie et Management)
  – Perspectives: further collaborations on the game theoretic approaches, notably following Michela Chessa's hiring at University of Nice as an Assistant Professor
References

• [CoNEXT 12] Riccardo Ravaioli, Chadi Barakat, Guillaume Urvoy-Keller, “Chkdiff: Checking Traffic Differentiation at Internet Access”, in proceedings of ACM CoNEXT 2012 Student Workshop, Nice, December 2012.
• [ITC 16] Riccardo Ravaioli, Guillaume Urvoy-Keller, Chadi Barakat, “Testing for Traffic Differentiation with ChkDiff: The Downstream Case”, in proceedings of ITC-28, Würzburg, Germany, September 2016.
• [ITC 15] Riccardo Ravaioli, Guillaume Urvoy-Keller, Chadi Barakat, “Towards a General Solution for Detecting Traffic Differentiation At the Internet Access”, in proceedings of ITC-27, Ghent, Belgium, September 2015.
• [ICC 2015] Riccardo Ravaioli, Guillaume Urvoy-Keller, Chadi Barakat, “Characterizing ICMP Rate Limitation on Routers”, in proceedings of IEEE ICC, London, June 2015.
• [MODELSWARD 16] Florian Lugou, Letitia W. Li, Ludovic Apvrille and Rabéa Ameur-Boulifa, “SysML Models and Model Transformation for Security”, MODELSWARD 2016, 4th International Conference on Model-Driven Engineering and Software Development, Rome, Italy, February 2016.
• [PAM 16] Quentin Jacquemart, Guillaume Urvoy-Keller and Ernst Biersack, “Behind IP Prefix Overlaps in the BGP Routing Table”, PAM 2016, 17th International Passive and Active Measurements Conference, Heraklion, Greece, March 2016.
• [PROOFS 15] Florian Lugou, Ludovic Apvrille, Aurélien Francillon, “Toward a methodology for unified verification of hardware/software co-designs”, PROOFS 2015, Security Proofs for Embedded Systems, Saint-Malo, France, September 2015.
• [SAC 16] Johann Schlamp, Ralph Holz, Quentin Jacquemart, Georg Carle, Ernst W. Biersack, “HEAP: Reliable Assessment of BGP Hijacking Attacks”, IEEE Journal on Selected Areas in Communications (Volume: PP, Issue: 99), ISSN: 0733-8716, to be published, 2nd semester 2016, DOI: 10.1109/JSAC.2016.2558978.
Labex Publications

• Journals: 5
  – SIGCOMM Comput. Commun. Rev.
  – Journal of Computer Virology and Hacking Techniques
  – Telecommunication Systems
  – IEEE Journal on Selected Areas in Communications
  – Revue de l'Electricité et de l'Electronique
• Conferences & Workshops: 40
  – FC, CSF, ACSAC, NDSS, RAID, DIMVA, BLACKHAT, TrustCom, CLOUDCOM, IEEE Communications, PAM, WWW, MODRE, GramSec, MODELSWARD …
Collaborations and Impact

• New collaborations were initiated with the support of Labex between the following teams:
  – INRIA: DIANA
  – I3S: Modalis, Signet
  – EURECOM: Security Department
  – LTCI/Telecom ParisTech: LabSoc
• Academic Collaborations
  – ISEM
  – Penn. State Univ.
  – IMT
• Industrial Collaborations
  – VEDECOM
  – Thales
Conclusions and Perspectives

• Main collaborations and support:
  – Network: trust guarantees and neutrality monitoring
  – System and applications: model-based techniques for security engineering, validation and testing
  – Application data: game theory for privacy vs. usability
• Software tools (new or extended): chkdiff, SMASHUP, TTool, FAMILIAR
• Perspectives
  – Newly starting projects
    • French ANR project BottleNet
    • Inria Project Lab (IPL) BetterNet
  – Technical Evolutions
    • Virtualization and network monitoring
    • Multi-level security and certification of trusted computing (e.g. Intel SGX Secure Enclaves)