Gabi Nakibly
Rafael Advanced Defense Systems
Publication
Featured research published by Gabi Nakibly.
privacy enhancing technologies | 2013
David Fifield; Gabi Nakibly; Dan Boneh
We introduce the concept of a web-based online scanning service, or OSS for short, and show that these OSSes can be covertly used as proxies in a censorship circumvention system. Such proxies are suitable both for short one-time rendezvous messages and bulk bidirectional data transport. We show that OSSes are widely available on the Internet and blocking all of them can be difficult and harmful. We measure the number of round trips and the amount of data that can be pushed through various OSSes and show that we can achieve throughputs of about 100 KB/sec. To demonstrate the effectiveness of our approach we built a system for censored users to communicate with blocked Tor relays using available OSS providers. We report on its design and performance.
computer aided verification | 2013
Adi Sosnovich; Orna Grumberg; Gabi Nakibly
This paper presents a novel approach to automatically finding security vulnerabilities in the routing protocol OSPF --- the most widely used protocol for Internet routing. We start by modeling OSPF on (concrete) networks with a fixed number of routers in a specific topology. By using the model checking tool CBMC, we found several simple, previously unpublished attacks on OSPF. In order to search for attacks in a family of networks with varied sizes and topologies, we define the concept of an abstract network which represents such a family. The abstract network $\mathcal{A}$ has the property that if there is an attack on $\mathcal{A}$ then there is a corresponding attack on each of the (concrete) networks represented by $\mathcal{A}$. The attacks we have found on abstract networks reveal security vulnerabilities in the OSPF protocol, which can harm routing in huge networks with complex topologies. Finding such attacks directly on the huge networks is practically impossible. Abstraction is therefore essential. Further, abstraction enables showing that the attacks are general. That is, they are applicable in a large (even infinite) number of networks. This indicates that the attacks exploit fundamental vulnerabilities, which are applicable to many configurations of the network.
IEEE ACM Transactions on Networking | 2015
Gabi Nakibly; Reuven Cohen; Liran Katzir
computer and communications security | 2012
Eitan Menahem; Gabi Nakibly; Yuval Elovici
arXiv: Cryptography and Security | 2013
Eitan Menahem; Yuval Elovici; Nir Amar; Gabi Nakibly
international conference on logic programming | 2015
Adi Sosnovich; Orna Grumberg; Gabi Nakibly
usenix security symposium | 2014
Yan Michalevsky; Dan Boneh; Gabi Nakibly
arXiv: Cryptography and Security | 2014
Hristo Bojinov; Yan Michalevsky; Gabi Nakibly; Dan Boneh
network and distributed system security symposium | 2012
Gabi Nakibly; Alex Kirshon; Dima Gonikman; Dan Boneh
In many modern networks, such as datacenters, optical networks, and multiprotocol label switching (MPLS), the delivery of a traffic flow with a certain bandwidth demand over a single network path is either not possible or not cost-effective. In these cases, it is very often possible to improve the network's bandwidth utilization by splitting the traffic flow over multiple efficient paths. While using multiple paths for the same traffic flow increases the efficiency of the network, it consumes expensive forwarding resources from the network nodes, such as TCAM entries of Ethernet/MPLS switches and wavelengths/lightpaths of optical switches. In this paper, we define several problems related to splitting a traffic flow over multiple paths while minimizing the consumption of forwarding resources, and present efficient algorithms for solving these problems.
arXiv: Cryptography and Security | 2015
Gabi Nakibly; Gilad Shelef; Shiran Yudilevich
In this work we investigate a new approach for detecting network-wide attacks that aim to degrade the network's Quality of Service (QoS). To this end, a new network-based intrusion detection system (NIDS) is proposed. In contrast to the passive approach which most contemporary NIDS follow and which relies solely on production traffic monitoring, the proposed NIDS takes the active approach where specially crafted probes are sent according to a known probability distribution in order to monitor the network for anomalous behavior. The proposed approach takes away much of the variability of network traffic that makes it so difficult to classify, and therefore can detect subtle attacks which would not be detected passively. Furthermore, the active probing approach allows the NIDS to be effectively trained using only examples of the network's normal states, hence enabling an effective detection of zero-day attacks. Preliminary results on a real-life ISP network topology demonstrate the advantages of the proposed NIDS.