Dissemination of Security Updates Jun Li Dissertation Proposal

Dissemination of Security Updates

Jun Li

Dissertation ProposalDissertation Proposal

Dissemination of security updatesDissemination of security updates 2

Motivation, challenges, and thesis Related work Protection against attacks Dissemination mechanism One strategy in initial study Dissertation plans Summary

Motivation, challenges, and thesis Related work Protection against attacks Dissemination mechanism One strategy in initial study Dissertation plans Summary

Outline


Motivation

Consider network security in general



Motivation

For instance, before taking action an attack may hide itself and penetrate into many machines

Wide-spread information sharing in a timely way is necessary The information is called security update

Consider network security in general

Security attack on just a single machine in a network environment is usually not the case


Security Update Examples

Virus signature (and remedy) Special events in distributed intrusion

detection Offending characteristics to be filtered by

a firewall Characteristics of a potential attack


Observation

They all share a common need of doing security update dissemination

But the need is addressed in various unsatisfactory ways (to be discussed later)


Solution to the problem

Provide a common facility for security update dissemination


Challenges Scalability Low latency High assurance

some machines may be subverted some machines may be disconnected

Topological adaptability Heterogeneity Low overhead High security itself


Thesis Dissemination of security updates while

simultaneously addressing each of the above challenges is feasible. Design and build a system that does the work

Call the system Revere


Outline Motivation, challenges, and thesis Related work Protection against attacks Dissemination mechanism One strategy in initial study Dissertation plans Summary


Related Work Information dissemination

simple transmission techniques mailing list distribution of software, virus signature, or key network time protocol push technology

Element management replicated data management intrusion detection


Simple Transmission Techniques

Broadcasting

network

Unicasting(one-to-one)

Flooding Multicasting


Mailing List Scalability Single path to reach

recipients Hard to interface with

other software ...

network


Distribution of Software, Virus Signature, or Key

Software distribution Virus signature distribution

Key distribution


Network Time Protocol Disseminating clock time to synchronize

machines on network manually configured no retransmission


Push Technology Some commercial products: BackWeb,

Ifusion, InCommon, Intermind, Marimba, NETdelivery, Wayfarer poll the server periodically, fetch if needed

Salamander build a substrate push data from suppliers to clients through the

substrate only single path from a supplier to a client no handling for disconnected machines


Element Management

Replicated data management each machine in Revere has a replica of

security update

Intrusion detection if we know which machines are subverted ...




Protecting Revere

Revere must protect itself against attacks otherwise, security update won’t be

disseminated successfully corrupted Revere is more dangerous if used by

enemy for own purpose


Attacks on Revere Corrupting a message

modification fabrication or forgery

Corrupting the transmission path blockage misdirection denial of service by replay overloading

Leakage of security update


Fight Against Attacks Message corruption

digital signature

Transmission path corruption redundancy by multiple paths be ready for replay attacks by logging

signatures of previous security updates

leakage of security update no secrecy when many millions of machines

are receivers to share same information




Dissemination Mechanism

High assurance Pulling by disconnected node Receiver based policy Opportunistic use of transmission options Scalability

Dissemination structure


implosion

1. High Assurance Using acknowledgement

ack can be dropped need to figure out what is missed by whom

Using negative ack only avoid implosion, and only feasible when knowing a security update is missed

Using redundancy

retransmission probably follows same old path

to achieve best effort

harder to corrupt all

accompanied with additional techniques, such as pulling


network

2. Pulling By Disconnected Node

Pulling from is not scalable and hard to handle

Repository nodes

High assurance pulling find best repository nodes


3. Receiver Based Policy Heterogeneous Revere node in terms of

different resiliency request• different environment (hostile or safe)

• different context itself different transmission characteristics different platform

• different ability of being aware of above


4. Opportunistic Use of Transmission Options When security update forwarded from

machine to machine(s), choose best option of available transmission type

Tradeoff among best performance resource usage delivery guarantee simplicity of

implementation

network


5. Scalability Be ready for millions of receivers, or even

more resource usage performance security

Any machine can only have partial information of the whole system distributed computing


Dissemination Structure Automatic configuration

an easy-to-use user interface needed• manual configuration hurts

Dynamic adjustment adaptively when a new node joins when an existing node quits when transmission characteristics changes when detecting security problems and so on …..


Outline

Motivation, challenges, and thesis Related work Protection against attacks Dissemination mechanism One Strategy in initial study Dissertation plans Summary


Dissemination w/ Sending Table Each Revere node has an associated

sending table locallyA unicast

B,C multicast

D ………….

(empty)

B floppyX broadcast

(empty)

C unicast w/ IP source routing


Building the Sending Table Requirements

automatic match dissemination mechanisms dynamically adjustable

Some information about dissemination sources are common knowledge addresses type of security updates to disseminate public keys

Maybe similar information of some existing Revere nodes


Join Request

Recommending Algorithm

Decision Making Algorithm

A Newborn

Machines listed in ’s sending table

Machines recommended to newborn

Machines selected

Detected info between newborn and recommendedRecommended machines listSelected machines list

Recursive Enrollment of Newborn


Enrollment Flexibility

A new Revere machine can attach itself to Revere system by sending enroll request(s) to any existing Revere node(s) based on trustfulness, or contact more than one


Outline



A Prototype w/ Basic Functionality Security update delivery analysis Dissemination structure formation and

management Dissemination process

push pull


Security Enforcement Authentication of security update

signing and verification of security update key management

Replay prevention don’t be fooled to send lots of replays since

Revere has big fan-out


Test the System

Build a testbed composed of heterogeneous machines and

transmission media small scale

Simulate possible attacks


Simulation Large scale

With some Revere nodes subverted and actively thwarting the dissemination

Understand the effects when lots of machines pull missed information

……………...


Outline



Summary

The goal is to be able to disseminate security updates securely, quickly, adaptively, to large number of heterogeneous machines with high assurance and low overhead

The work includes design, prototype, test, simulation, evaluation


Questions?

Documents

Dissemination of Security Updates Jun Li Dissertation Proposal