Revere — Disseminating Security Updates at Internet Scale
Jun Li
Computer Science Department, Laboratory for Advanced Systems Research
University of California, Los Angeles
Advisors: Peter Reiher and Gerald Popek

Motivation
• Threats propagate quickly through the Internet
  – Viruses, worms, Trojan horses, etc.
  – e.g., Code Red worm
[Figure: IP Addresses Compromised by the “CodeRed” Worm (data for July 19, 2001 as reported to the CERT/CC). Y-axis: # of unique IP addresses (cumulative), 0 to 300000. X-axis: Jul 19 6:00 AM to Jul 19 6:00 PM; times given are EDT (GMT –4:00). Source: incident data for CERT # 36881, http://www.cert.org/advisories/CA-2001-23.html]
• Critical security info throughout the Internet is often stale
  – Victims lack up-to-date knowledge of new threats
• We must react at the same speed
introduction RBone dissemination security measurement conclusions

Goal of Revere
• To disseminate security updates throughout the Internet quickly, securely, and with high assurance
  – Early-warning signal
  – Virus signature
  – Intrusion detection event
  – Certificate revocation list
  – Offending characteristics recorded at firewall
  – Security patches
  – . . . . . .

Challenges
• Fast
  – Must not be slower than the propagation of threats
• Secure
  – Revere is a tempting target for attackers
  – A corrupted Revere can be misused or abused
• Resilient
  – Interruption threats by compromised nodes, or any kind of failure
  – Cryptography does not assure delivery
  – Authenticated acknowledgements are insufficient
• Scalable
  – Any Internet host is a potential recipient
  – Node disconnection will be common

Simple Transmission Techniques
• Unicasting
• Broadcasting
• Flooding
• IP multicasting

Virus Signature Distribution
• Let users download from a website
• Set up a central server
• A naïve peer-to-peer approach

A Government Practice
• Typically, a Federal Computer Incident Response Capability team e-mails alerts to agencies
• But when facing the “I Love You” virus, many agencies shut down their email servers
• Thus, phoned and faxed alerts instead, one at a time
  – What a time-consuming tedious procedure!
• Afterwards . . .
  – A completely automated new system is designed that claims to handle 96 phone lines and deliver 800 faxes/hour
  – They also look into an AM radio system for federal employees to check every morning
Diane Frank. “One if by phone, two if by fax,” Federal Computer Week, September 2000

So, How Would Revere Meet the Challenges?
• Non-centralized delivery structure
• Use redundancy to support information transmission resiliency
• Secure both the dissemination procedure and the delivery structure

The Revere Solution
• Revere builds overlay networks, called RBones, on top of the Internet
• . . . . and uses RBone to deliver security updates
  – Every node can also forward updates
  – Disconnected nodes will be handled
• Runs at application level
  – Great flexibility
  – No changes to underlying network infrastructure
  – Implemented in Java
  – Deployment is easy
[Figure labels: Application layer, Hardware layer]

RBone: A Self-Organized Resilient Overlay Network
• Redundancy-based resiliency
  – Multiple delivery paths
    • Therefore multiple parents
  – Select as-disjoint-as-possible paths
• Self-organized overlay
  – Easy join
  – Easy withdrawal
  – Broken nodes
  – Broken links

RBone Join Procedure
• Search for existing nodes
  – Directory service
  – Multicast-based expanding-ring or expanding-wheel search
  – Contact already-known existing nodes
• Negotiate to select best parents
  – Again, multiple parents are allowed!
• Three-way-handshake negotiation protocol
  – Reciprocal selection
[Figure: join negotiation between a potential child and a potential parent. Messages: req, ack, confirm. Steps: locate existing nodes, process attach request, select parents, attach new child. Resulting roles: new child, new parent.]

Parent Selection
• What parental qualities matter?
  – Efficiency: is the delivery via this parent fast?
  – Resiliency: is the delivery via this parent disjoint from other paths?
    • If not completely disjoint, how much is the overlap?

Parent Selection (cont’d)
• The path vector of a node
  – Describes the fastest path:
    • Latency
    • An ordered list of nodes to cross
    • Denoted as pv(n)
• The path vector associated with a parent
  – Describes the fastest path through the parent
  – Denoted as pv(n, p)
• The resiliency level of a node’s parent
  – Calculated by comparing the path vector associated with the parent and the path vector of the node

Path-Vector-Based Parent Selection Algorithm
Suppose node c is deciding on a potential parent x
if (c has not reached the maximum number of parents)
    select x;
else if pv(c,x) is faster than pv(c)
    select x;
else if resiliency(x) better than resiliency(a current parent)
    select x;
else
    do not select x;
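
The selection rules above, as an added JavaScript example that is not code from the Revere project. The overlap-based resiliency score, the choice of which parent to evict, and the sample paths are assumptions made for illustration; the slides do not define them.

```javascript
// Added illustration of the slide's parent-selection rules (not Revere's own code).
// A path vector is { parent, latency, hops }: hops is the ordered list of nodes
// crossed from the dissemination center down to (and including) the parent.
const MAX_PARENTS = 2; // the measurement setup on this page uses 2 parents

// pv(c): the fastest of the path vectors associated with c's current parents.
function fastestPath(parentPaths) {
  return parentPaths.reduce((best, p) => (p.latency < best.latency ? p : best));
}

// Assumed metric: fraction of hops on `path` that do not appear on `reference`.
// 1 means fully disjoint, 0 means complete overlap.
function resiliency(path, reference) {
  if (path.hops.length === 0) return 1;
  const shared = new Set(reference.hops);
  return path.hops.filter((h) => !shared.has(h)).length / path.hops.length;
}

// Least resilient entry of `paths` relative to `reference` (null if empty).
function weakest(paths, reference) {
  return paths.reduce(
    (w, p) => (w === null || resiliency(p, reference) < resiliency(w, reference) ? p : w),
    null
  );
}

// Decide whether node c takes candidate x (x plays the role of pv(c, x)).
function considerParent(parentPaths, x) {
  if (parentPaths.length < MAX_PARENTS) {
    return { select: true, evict: null, reason: 'capacity' };
  }
  const pvC = fastestPath(parentPaths);
  if (x.latency < pvC.latency) {
    // x becomes the new fastest path; drop the parent that overlaps it most.
    return { select: true, evict: weakest(parentPaths, x).parent, reason: 'faster' };
  }
  // Compare x with the current parents other than the one that defines pv(c).
  const victim = weakest(parentPaths.filter((p) => p !== pvC), pvC);
  if (victim && resiliency(x, pvC) > resiliency(victim, pvC)) {
    return { select: true, evict: victim.parent, reason: 'resiliency' };
  }
  return { select: false, evict: null, reason: 'rejected' };
}

// Constructed sample: c already has parents p1 (fastest) and p2.
const CURRENT = [
  { parent: 'p1', latency: 40, hops: ['r1', 'r2', 'p1'] },
  { parent: 'p2', latency: 55, hops: ['r1', 'r5', 'p2'] },
];
const CANDIDATES = {
  disjoint: { parent: 'x1', latency: 70, hops: ['r7', 'r8', 'x1'] },
  faster: { parent: 'x2', latency: 30, hops: ['r5', 'x2'] },
  overlapping: { parent: 'x3', latency: 80, hops: ['r1', 'r2', 'x3'] },
};
```

A slower candidate is still accepted when its path shares fewer nodes with pv(c) than an existing parent's path does, which is what gives the overlay its as-disjoint-as-possible delivery paths.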

RBone Maintenance
• Heartbeat messages
  – To verify node liveness
  – To update path info associated with every parent
    • Carry timestamps
    • Deal with the broken parent, or any broken node on a path
• Explicit messages
  – To tear down a parent-child relationship
• Corrupted security updates also trigger adjustment

RBone with Multiple Dissemination Centers
• If a node wants to hear from multiple centers
  – it joins multiple RBones, each rooted at a different center
  – this becomes undesirable if too many centers
• Build a common RBone rooted at a rendezvous
  – Every center delivers updates to the rendezvous
    • Multiple rendezvous points can be set up

Dissemination Procedure
• A dual mechanism
  – Pushing as the main method for broadcasting security updates from a dissemination center
  – Pulling as the supplementary method for catching up with missed security updates
• Security update format
[Figure: update fields shown: seqno, timestamp, payload, signature, type]

Pushing Security Updates
• Adaptive transmission
  – TCP
  – UDP
  – IP multicast
  – etc.
• Duplicate checking
  – Every Revere node remembers the range of historical sequence numbers
• Security checking
  – (Will be addressed later)

Pulling Security Updates
• By the time a disconnected node reconnects, it may have missed some security updates
  – Parents do not keep old updates
  – Parents might no longer be parents
  – Retransmission by the dissemination center is not scalable
• Repository servers
  – Nodes that keep old security updates
  – Usually maintain stable connection
  – Clients directly contact those servers
• A newly pulled security update is also forwarded to child nodes, if any

Security Assumptions
• Center’s public key is well known
• Large percentage of nodes are cooperative
• Any node could be corrupted
  – The center cannot be corrupted, but its private key could be compromised
• No uniform security scheme to protect node-to-node control messages
  – For example, some nodes may run the Kerberos service to authenticate other nodes, some may employ public-key-based authentication

Securing the Dissemination Process
• Integrity of security updates
  – A dissemination center has a public/private key pair
  – Every security update carries a digital signature signed by the center
• Availability of security updates
  – Redundant delivery

Center Key Disclosure
• Disastrous if the private key of a center is disclosed
  – The public key must be invalidated
• Public key invalidation
  – Send a key invalidation message
    • Signed with the disclosed private key
    • Delivered in the same way as updates
  – Every recipient verifies the message with the current public key
    • Then discards this public key
    • And switches to the new public key
• How secure is this method?
  – Fine, if an attacker also distributes key invalidation messages
  – Resilient, since it follows the same routes as normal security updates
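
The receive path described on the pushing, pulling, and key-disclosure slides, as an added Node.js example that is not Revere's code. Assumptions: Ed25519 signatures, a JSON encoding of the signed fields, the type string `key-invalidation`, and a standby public key provisioned on each node in advance (the slides do not say how the new key reaches a node).

```javascript
const crypto = require('crypto');
// Bytes covered by the center's signature: every field except the signature.
const signedBytes = (u) => Buffer.from(JSON.stringify([u.seqno, u.timestamp, u.type, u.payload]));

// Center side, used here only to build the constructed messages in demo().
function signUpdate(privateKey, fields) {
  const signature = crypto.sign(null, signedBytes(fields), privateKey).toString('base64');
  return { ...fields, signature };
}

class RevereReceiver {
  constructor(currentKey, standbyKey) {
    this.currentKey = currentKey; // center public key currently trusted
    this.standbyKey = standbyKey; // assumption: successor key provisioned in advance
    this.contiguous = 0;          // every seqno <= this has been delivered
    this.ahead = new Set();       // delivered seqnos beyond a gap
  }
  verify(u) {
    try {
      const sig = Buffer.from(String(u.signature), 'base64');
      return crypto.verify(null, signedBytes(u), this.currentKey, sig);
    } catch {
      return false; // no usable key or malformed input
    }
  }
  // Returns 'forward' (deliver and pass to children), 'duplicate' or 'rejected'.
  receive(u) {
    if (!this.verify(u)) return 'rejected';
    if (u.type === 'key-invalidation') {
      // Verified with the current key: discard it and switch to the new one.
      this.currentKey = this.standbyKey;
      this.standbyKey = null;
    } else if (u.seqno <= this.contiguous || this.ahead.has(u.seqno)) {
      return 'duplicate';
    }
    this.ahead.add(u.seqno);
    while (this.ahead.delete(this.contiguous + 1)) this.contiguous++;
    return 'forward';
  }
  // Sequence numbers to pull from a repository server after a reconnect.
  missing() {
    const top = Math.max(this.contiguous, ...this.ahead);
    const gaps = [];
    for (let s = this.contiguous + 1; s < top; s++) if (!this.ahead.has(s)) gaps.push(s);
    return gaps;
  }
}

function demo() {
  const oldKey = crypto.generateKeyPairSync('ed25519');
  const newKey = crypto.generateKeyPairSync('ed25519');
  const node = new RevereReceiver(oldKey.publicKey, newKey.publicKey);
  const make = (k, seqno, type, payload) =>
    signUpdate(k.privateKey, { seqno, timestamp: 1000 + seqno, type, payload });
  const u1 = make(oldKey, 1, 'virus-signature', 'sig-A');
  const u3 = make(oldKey, 3, 'patch', 'patch-C');
  const inval = make(oldKey, 4, 'key-invalidation', '');
  const steps = [u1, u1, { ...u3, payload: 'tampered' }, u3].map((u) => node.receive(u));
  const gaps = node.missing();
  steps.push(node.receive(inval), node.receive(inval)); // second copy fails: key retired
  steps.push(node.receive(make(oldKey, 5, 'patch', 'forged'))); // disclosed key no longer trusted
  steps.push(node.receive(make(newKey, 5, 'patch', 'patch-E')));
  return { steps, gaps };
}
```

Because the invalidation message only retires the current key and never carries its replacement, a copy sent by whoever holds the disclosed private key has the same effect as the center's own.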

Securing RBone
• Every node can enforce several different security schemes
  – Node authentication
  – Message filtering
  – Etc. . . .
• The functionality of a specific security scheme can be easily plugged in
• Node-to-node communication is initiated with security scheme negotiation

Metrics
• RBone maintenance bandwidth
• Dissemination bandwidth
• Join bandwidth
• Join latency
• Dissemination latency
• Dissemination resiliency

What’s the challenge?
• Revere is a large-scale distributed system
• Empirical experiments incur prohibitive cost
  – Required to obtain, access, configure, maintain, and collect results from more than a few hundred machines
• Simulation is more scalable, but
  – Expensive to develop
  – Slow to run
  – Possibly inaccurate (hidden costs and subtle timing effects) & buggy
  – Must be validated against real system

The “Overloading” Approach
• A physical machine is overloaded with multiple (virtual) Revere nodes
• Each Revere node runs the real software
• Achieves larger scalability using multiple machines
Jun Li, Peter Reiher, Gerald Popek, Mark Yarvis, and Geoffrey Kuenning. “An approach to measuring large-scale distributed systems,” TestCom 2002, Berlin, Germany, March 2002.

Measurement Environment
• A testbed of 10 machines
  – Overloaded with up to 3,000 Revere nodes
• Topology
  – GT-ITM topology generator
  – A topology server for node assignment
• Configuration
  – Every node must have 2 parents, but 10 children

Join Performance
• Join phase
  – Token-controlled resource-locking mechanism
  – One-at-a-time join
  – No contention because of serialization

Join Performance
[Figure: Outbound join bandwidth per node (KB) vs. number of total Revere nodes (0 to 3000). Trend: y = 4.863 ln(x) - 19.219, R² = 0.953]
[Figure: Join latency per node (sec) vs. number of total Revere nodes (0 to 3000). Trend: y = 0.339 ln(x) - 1.128, R² = 0.919]

Dissemination Speed
• Measured in dissemination phase
• Dissemination Latency = kernel-crossing latency + processing latency + communication latency
• Measured using divide-and-conquer method
  – Measure each subtask in non-overloaded environments
  – Measure hop counts in full system, and then sum

Dissemination Speed (cont’d)
[Figure: Average and maximum hop count per node vs. number of total Revere nodes (0 to 3000). Trends: average y = 0.771 ln(x) - 1.810, R² = 0.852; maximum y = 1.818 ln(x) - 3.902, R² = 0.878]
[Figure: Average and maximum latency to reach a node (sec) vs. number of total Revere nodes (0 to 3000). Trends: average y = 0.079 ln(x) - 0.362, R² = 0.927; maximum y = 0.279 ln(x) - 1.307, R² = 0.912]

Dissemination Speed (cont’d)
• Assuming the trends continue at higher scale, then in a 100M-node RBone:
  • average hop counts: 12
  • maximum hop counts: 30
  • average latency: 1.10s
  • latency to reach 2/3: 1.34s
  • latency to reach 90%: 1.88s
  • latency to reach 99%: 2.25s
  • latency to reach all: 3.83s
[Figure: The latency to reach a certain percentage of nodes (sec) vs. number of total Revere nodes (0 to 3000). Trends: maximum y = 0.279 ln(x) - 1.307 (R² = 0.912); average y = 0.079 ln(x) - 0.362 (R² = 0.927); 99% y = 0.156 ln(x) - 0.628 (R² = 0.881); 90% y = 0.136 ln(x) - 0.629 (R² = 0.913); 2/3 y = 0.098 ln(x) - 0.463 (R² = 0.914)]

Dissemination Resiliency
• Resiliency test phase
  – Every node assigned a uniform probability of failure
  – Measured a 3000-node RBone with maintenance disabled
• Results:
  – All reachable with less than 2% failure probability
  – Still very resilient with higher failure probability
[Figure: axis label “Time (sec) (total nodes = 3000)”. Values shown per panel: p=0.08: 255, 2722, 23; p=0.16: 457, 2365, 178; p=0.32: 716, 1437, 847; p=0.64: 612, 321, 2067]

Some Related Work
• RON – resilient overlay network
  – Inserts an overlay network layer between routing and application
  – Allows faster routing failure recovery & application-specific routing
• Other overlay networks
  – Tree-structured dissemination is not resilient
  – Nodes are not always connected at delivery time
  – Security handling is not sufficient
• Multi-path routing
  – A router-level implementation
    • Primarily for load balancing or congestion control
  – Must handle security issues at router level
    • Replay prevention, key distribution . . .
  – Deployment is challenging

Work Summary of Revere Project
• Designed
  – The structure, the dissemination, the security, the . . .
• Implemented
  – 45,010 lines of Java code in the prototype system
• Measured
  – The number of nodes varies from 250 to 3,000
• Demonstrated
  – DARPA Site Visit
  – UCLA Annual Research Review
• Published and presented
  – NSPW’99, NISSC’99, Testcom’02
  – Also submitted to OSDI’02
  – Dissertation draft is at your hand

Conclusions
• Necessary work: Since attackers already distribute malicious functions rapidly, an even faster notification system is required.
• Encouraging results: It is feasible to disseminate security updates to much of today’s connected Internet quickly, securely, and with high assurance.
• Broad applicability: Revere is not limited to only security updates.

The End