Peer-to-Peer Computing

Transcription

1 Peer-to-Peer Computing P2p Security

2 Outline P2P as an architecture that spreads security threats P2P Security issues Sybil attack Distributed Hash issues P2P overlay network problems

3 Threats dissemination

4 Most popular downloads ( ) By the software itself Its popularity makes it a very valuable infection vector

5 Viruses inside clients grokster.com 1 January 2002 «It has recently come to our attention that our previous Grokster installer for about a three week period contained a program being called by the anti-virus companies W32.DlDer.Trojan. This program was apparently installed by one of our advertisers, ClickTilUWin.»

6 Dissemination By the content provided Each user acts as a server for each other user No centralized server to upload and download files No way for the software developer to check the content provided Protection is up to the user A downloaded file is usually made available immediately for upload to other users

7 Dissemination kazaa.com/en/help/virus..com/en/help/virus.htm htm «Most files that are accessible using Kazaa Media Desktop originate from other users. This means that there will always be the risk of irresponsible users introducing viruses.» P2P File-Sharing networks have become a very easy mean to spread viruses

8 Example Win32/Merkur ( ) Mass mailing Internet worm in VB6 Also spreads via IRC network (using mirc) P2P network (using Kazaa, edonkey, BearShare) Copies itself to C:\Program Files\Kazaa\My Shared Folder\IPspoofer.exe C:\Program Files\Kazaa\My Shared Folder\Virtual Sex Simulator.exe

9 Example Win32/HLLW.Gool Gool.B ( ) Backdoor with trojan and internet worm capabilities in Delphi Sets in the registry the sharing folders for Kazaa to C:\Windows\Sys32 Copies itself in this folder to Britney.jpg.exe Catherine_Zeta_Jones_Nude.jpg.exe X_Box_Emulator.txt.exe

10 Screenshot XBOX Emulator search results on KaZaA From Kostya Kortchinsky s slides

11 Screenshot NO CD search results on emule From Kostya Kortchinsky s slides

12 Spyware In general, spyware is any technology that aids in gathering information about a person or organization without their knowledge. On the Internet, spyware is programming that is put in someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties.

13 Screenshot From Kostya Kortchinsky s slides

14 Sharing Private Data The risk is great that unintended files will be shared Users may often be sharing private data without being aware of it Although theoretically the user controls what subdirectories he/she makes available to peer users, sometimes more subdirectories are shared than is known or intended

15 Screenshot Downloading 260 megabytes Inbox file from KaZaA Several Inbox.dbx in search results from edonkey From Kostya Kortchinsky s slides

16 Advices bearshare.com/help/citizen..com/help/citizen.htm htm «You don't need to get rid of your firewall completely, you just need to "drill a hole" in it for BearShare. It won't decrease your security because BearShare doesn't contain any security holes. Please read BearShare Firewall Tutorial for instructions how to configure your firewall.»

17 went bad! securityfocus.com/bid/5888 «The BearShare webserver is prone to directory traversal attacks. This may allow remote attackers to break out of the web root directory and browse the filesystem of the host running the software. This issue is a variant of the vulnerability described in Bugtraq ID The variant issue was unsuccessfully addressed in version It is still possible to disclose files with a malicious URL encoded request to the webserver.»

18 Easy to face external attacks securityfocus.com/bid/4951 «The edonkey 2000 Windows client includes a handler for a custom URI, ed2k://. It has been reported that the handler for edonkey 2000 is vulnerable to a buffer overflow condition when parsing maliciously constructed URIs. This may be exploited to crash the user's browser or execute arbitrary code on the victim client.»

19 Easy to face external attacks securityfocus.com/bid/6747 «KaZaA version is vulnerable to a denial of service attack caused by a buffer overflow. By sending a malicious response to an affected system for the automated advertisement download, a remote attacker could overflow a buffer and cause the system to crash or possibly execute code on the system.»

20 The Sybil Attack The Sybil Attack

21 Background P2P systems use multiple, independent entities to mitigate possible damage by other hostile entities Replication Computations Storage Fragmentation Protects against privacy violations Sybil Attack Attacker can assume multiple identities Aims to control substantial fraction of system

22 Model Overview Generic distributed computing environment Entities E Correct C union Faulty F = E Send messages Pipe Messages cloud Messages Uninterrupted, finite-length bit string Cloud Broadcast Bounded time Guaranteed Unordered

23 Model Definitions Identity Abstract representation that persists across multiple communication events Entities perceive other entities through identities Present Each entity presents an identity to other entities in the system Local entity L A specific entity that results are stated with respect to Accept If an entity e successfully presents an identity i for itself to L, L accepts i

24 Model Characteristics General Leaves internals of cloud unspecified Includes any topology/geometry Friendly Limits obstructive power of corrupt entities DoS attacks not possible Strengthens negative results Entities can perform operations with complexity polynomial in n Allows public-key cryptography Entities can establish point-to-point communication

25 Model Main Idea Each entity e attempts to present one legitimate identity Each faulty entity f additionally attempts to present one or more counterfeit identities Goal: system should accept all legitimate identities, zero counterfeit

26 Lemmas Four lemmas Collectively show impracticality of establishing distinct identities in large-scale distributed system Proofs trivial (refer to paper) In absence of trusted authority, entities accept identities only when identity is: 1. Validated by entity itself (direct validation) Lemmas 1 and 2 2. Vouched for by other already validated identities (indirect validation) Lemmas 3 and 4

27 Lemma 1: Resources Let min = minimally capable entity R x = resources of x ρ = R f / R min f can present floor(ρ) distinct identities to L Gives lower bound on damage achievable by f

28 Lemma 1: Counter measurements Communication limitation L broadcasts request for identities and accept replies that come within given time interval Storage limitation L challenges identities to store large amount of unique, uncompressible data Computation limitation L challenges identities to solve unique computational puzzle

29 Lemma 2: Concurrency If L accepts entities not validated simultaneously Single f can present an arbitrary large number of counterfeit identities to L f presents a distinct identity to L using R f R f is freed and f repeats process

30 Lemma 2: Counter measurements Insurmountable for temporal resources (computation and communication), not for storage L can indefinitely extend challenge duration: periodically demand different data excerpts Challenge consumes R, so real work limited

31 Lemma 3: Resources If L accepts any identity vouched for by q accepted identities, a group F can present many counterfeit identities to L if either: Size of group F >= q R F >= resources taken by q + F minimally capable entities

32 Lemma 4: Concurrency If correct entities C do not coordinate time intervals to accept identities, and if L accepts any identity vouched for by q accepted identities Minimally capable f can present floor( C / q ) counterfeit identities to L

33 Lemma 4: Concurrency Shows need for multiple entities in C to issue concurrent challenges May or may not be possible depending on resource Communication: possible because of broadcast cloud Storage: information theory says probably not Computation: possible by combining puzzles

34 Conclusion Without centralized authority, Sybil attacks always possible except when: All entities have nearly identical resources All presented identities are validated simultaneously When accepting identities not directly validated, required number of vouchers exceeds number of system-wide failures Not justifiable as assumptions Not practically realizable as requirements

35 Distributed Hash Table issues

36 Attacks on Nodes Goal of the adversary is to fragment the network Since p2p networks follow power-law an adversary can selectively knock down highly connected nodes

37 Attacks on Routing P2P routing mechanism in general A key identifier space A node identifier space Rules for associating keys to particular nodes Per-node routing tables that refer to other nodes Rules for updating the tables as nodes join and leave Routing Attacks Incorrect Lookup Routing Incorrect Routing Updates Partitioning

38 Incorrect Lookup Routing Malicious node forwards lookups to incorrect or non-existence node Detection Mechanism: At each hop lookup is suppose to get closer to the key identifier For the detection to work, querier must be allowed to observe lookup progress Criteria for verifiable lookup Querier should ensure that the destination itself agrees that it is the correct termination point Assign keys to nodes in a verifiable way Long term identities using public-keys

39 Incorrect Routing Update A malicious node could corrupt the routing table with incorrect updates to neighbors Systems that have the freedom to choose between multiple routes are especially vulnerable Detection Mechanism: Verifiable routing updates e.g. Pastry s update prefix requirements

40 Partitioning Set of malicious nodes form a parallel network and trap new nodes inside them rendering the network useless for new nodes Detection Mechanism: Incorrect functioning of the network/queries etc. Criteria for reliable join: Use history of queries and verify the current network s results with random queries Out-of-band trusted source Use of public-key for trust systems

41 Semantic Attacks Goal is not to knock down the entire system but to make the system look inefficient or faulty to the user and convince them to abandon the system (probably what RIAA will do) E.g. For all the queries to MP3 return false data but queries for text files return proper results Semantic Attacks Storage and Retrieval Attacks Flooding Face/Off

42 Storage & Retrieval Storage and Retrieval Attacks Disinformation about storage Deny access to stored data (natural on p2p) Return incorrect data (overpeering inc.) Detection Mechanism: Wrong results, denial of service etc. Criteria for Reliable Storage & Retrieval: Maintain replication invariant Avoid single point responsibilities Verification queries from different sources

43 Miscellaneous Attacks Face/Off Just like the movie Show good face to part of the network and the other face to rest Flooding/DoS As usual Replication may provide certain level of defense Rapid Joins & Leaves Unsolicited Messages

44 Security for Structured Peer-to-peer Overlay Networks

45 What is the paper about and not about Not about traditional attacks SYN flood, IP Spoofing, Buffer overflow, DoS attacks on resource access Keep in mind these attacks still work About unique security problems in P2P Goal: Secured Routing Ensure that when a correct node sends a message to a key, the message reaches all correct replica roots for the key with very high probability.

46 What s new in P2P for security? Nodes are MUCH more powerful Assign nodeid themselves Act as a router: has routing table, forwarding messages.. Fully Decentralized no authorization and authentication You can trust nobody Dynamic & self-organizing

47 Typical Routing Model Routing Given a key, locate the corresponding node with high probability Pastry, Tapestry Internet topology-aware in routing-table Chord, CAN Routing-table constrained Performance and security assumption: nodeid uniform random distribution

48 Fault model Byzantine failure model N: number of total nodes f: (0<=f<=1) the fraction of nodes that may be faulty c: (1/N<=c<=f) bound size of independent coalitions

49 Network model Assumption: no NAT, no DHCP Network level and Overlay level Adversary has complete control over network-level communication

50 Sub-problems Securely assigning IDs to nodes attacker may capture all replicas for an object attacker may target a particular victim Securely maintaining routing tables attackers may populate with faulty entries most messages are routed to faulty nodes Securely forwarding messages even with proper routing tables, faulty nodes can corrupt, drop, misroute messages

51 NodeID Assignment Attack What if attacker can choose nodeid? Surround a victim node Partition a p2p network become the key holder (root) Self ID generation Random (freenet), bad hash IP (chord), bad

52 Solution: Certified nodeids Offline certification authorities assign random IDs to nodes certificate binds the ID to public key and IP attacker cannot swap IDs between his nodes bad for dynamic address assignment, host mobility, or organizational changes CAN nodeids change when nodes join and depart Avoid giving multiple IDs to one entity (Sybil attack) charge for each certificate increases cost of attack bind IDs to existing trustworthy identities

53 Attack on maintaining routing table Fake the closest node, or during update Supply faulty routing update Faulty info propagate (1-f)*f+f*1>f Routing algorithm related

54 Attack on forwarding Probability of routing successfully between two non-faulty nodes is (1-f) h-1 h is log 2 b(n) for Pastry Probability of routing correctly to a non- faulty replica root is (1-f) h Tradeoff: increasing b decreases the number of hops but also increases the amount of state information

55 Solution on forwarding The most important part of Secure Routing Basic Idea Apply failure test to determine if routing worked correctly. If no, use redundant and/or iterative routing. Goal accomplish in reasonable time/expense

56 Now we have Secure Routing Ensure that when a correct node sends a message to a key, the message reaches all correct replica roots for the key with very high probability. Slow, expensive Use common routing as possible as we can