Archived Blog

Three Major Attack Papers of 2008

03.02.2009 - 8:00 AM

My name is Erik Buchanan, and I recently joined the Websense® Security Labs™. For the last two years I've been a masters student at UC San Diego, focusing on computer security in systems and networks in the Systems and Networking Group. Because there is often a gap between academic research and industry, I'm going to be issuing a few blogs highlighting academic security papers I found to be interesting, and from which I think members of the security community would benefit.

Here I will focus on some of the major attack papers of 2008. The first is one of the biggest ancient vulnerabilities announced in 2008 - the design flaw in the mechanism in DNS that keeps malicious hosts from associating their IP address with a target domain name. The second paper is from Princeton, and the compressed air and liquid nitrogen are what make it cool. Finally, a paper from my alma matter shows creativity in interdisciplinary security research.

Dan Kaminsky's DNS Vulnerability

Dan Kaminsky announced at Black Hat 2008 that he had discovered a vulnerability in the way DNS servers are designed that would allow him, if he chose, to impersonate any domain he wanted. The announcement was one of the most highly-anticipated in recent times, because the implications of the entire DNS system being compromised are seemingly limitless. His talk showed how name resolution delegation is used in the Internet, and how an attacker can respond to a name lookup request faster than the name server. Using a timing attack to guess the randomly generated transaction ID after a couple of hundred tries, he provided his own malicious name server to the client.

What's even more compelling is the list of products, services, technologies, and protocols that such an attack could compromise. According to Kaminsky, everything from passwords to email to SSL is threatened. Many existing attacks on networked systems could be launched in conjunction with a man-in-the-middle attack using a compromised domain name. It is hard to imagine a service running over the Internet that would be safe in Kaminsky's scary new world.

Fortunately, Dan had some foresight. Before detailing the attack to the general public, he worked with virtually all of the large vendors of threatened DNS technologies to simultaneously release patches to their customers. He reports that nearly all of them were able to implement and deploy promising stop-gap defenses. While not elegant or ideal, fixes such as source port randomization provide increased randomness that seems to provide "good enough" protection against the proposed attack. Interestingly, DJBDNS, PowerDNS, and MaraDNS had already implemented source port randomization, so Kaminsky was not able to compromise them.

For an explanation of the attack, descriptions of the weaknesses and design flaws in existing defenses, and to see if there is anything left that Kaminsky didn't exploit, check out his presentation.

Links
Toorcon Talk PDF: http://www.toorcon.org/tcx/1_Kaminsky.pdf
Black Hat Talk PowerPoint: http://www.doxpara.com/DMK_BO2K8.ppt
Dan Kaminsky: http://www.doxpara.com/

Lest We Remember: Cold Boot Attacks on Encryption Keys

Disk encryption will protect sensitive data on your laptop, right? Not if an adversary has physical access to your machine, it doesn't. DRAM is often assumed to lose its contents as soon as power to it is cut off, but that does not happen in practice. Researchers at Princeton have developed a technique known as a "cold boot attack" by which they can read the contents of your encrypted disk.

Imagine you're carrying some sensitive data through a security checkpoint. You have put your laptop to "sleep," and hand it over to be scanned. While you're passing through the metal detector, an adversary opens up the laptop case, removes the DRAM, and places it in his custom PC. The computer then dumps the contents of memory onto its own disk, and while the adversary replaces the memory into your laptop and returns it to you, the PC has run an algorithm to reconstruct your in-memory encryption keys. The contents of memory are largely intact, and can be preserved even more carefully by applying an inverted can of compressed air, which cools the DRAM chip and slows the information decay.

The attacks come in several variants, each designed to exploit a different degree of security. The paper, pictures, and even a video tutorial can be found on the project's Web site.

Links
Project homepage: http://citp.princeton.edu/memory/
Paper PDF: http://citp.princeton.edu/pub/coldboot.pdf
Slashdot: http://it.slashdot.org/article.pl?sid=08/02/21/1543234

Reconsidering Physical Key Secrecy: Teleduplication via Optical Decoding

Recent security efforts have focused on computer and Internet security, but are our front doors secure? Researchers at UC San Diego demonstrate that pictures of your belongings can compromise your physical security.

Using a telephoto camera and their Sneakey system, these researchers can take a picture of your house key from 200 feet away, and then cut the key and use it to let themselves into your house. They use standard equipment and computer vision algorithms to make a profound point: that the security that locks and keys provide is often overestimated. Users often assume that a key is private, meaning you must have it to gain access to the corresponding lock. However, much like copying a fingerprint or retinal scan, if someone can get a sufficient resolution picture of that private information, you'll have the same problem as someone finding your password.

Not only should you watch out for researchers on top of buildings with cameras pointed at your keys, though. Any photo-sharing site, such as Flickr, Photobucket, MySpace, or Facebook, is bound to have photographs containing personal sets of keys. If yours are among them, you may need to change your locks.

For more information on the project, including photographs, the paper, and coverage of the work in various news outlets, check the Sneakey Project Web site.

Links
Sneakey Project: http://vision.ucsd.edu/~blaxton/sneakey.html
MSNBC news article: http://www.msnbc.msn.com/id/27811359/
Paper PDF: http://cs.ucsd.edu/~savage/papers/CCS08OptDecode.pdf

Security Researcher: Erik Buchanan

Bookmark This Post: