Publication


Featured research published by Mina Guirguis.


international conference on network protocols | 2004

Exploiting the transients of adaptation for RoQ attacks on Internet resources

Mina Guirguis; Azer Bestavros; Ibrahim Matta

We expose an unorthodox adversarial attack that exploits the transients of a system's adaptive behavior, as opposed to its limited steady-state capacity. We show that a well orchestrated attack could introduce significant inefficiencies that could potentially deprive a network element from much of its capacity, or significantly reduce its service quality, while evading detection by consuming an unsuspicious, small fraction of that element's hijacked capacity. This type of attack stands in sharp contrast to traditional brute-force, sustained high-rate DoS attacks, as well as recently proposed attacks that exploit specific protocol settings such as TCP timeouts. We exemplify what we term as reduction of quality (RoQ) attacks by exposing the vulnerabilities of common adaptation mechanisms. We develop control-theoretic models and associated metrics to quantify these vulnerabilities. We present numerical and simulation results, which we validate with observations from real Internet experiments. Our findings motivate the need for the development of adaptation mechanisms that are resilient to these new forms of attacks.


international conference on computer communications | 2005

Reduction of quality (RoQ) attacks on Internet end-systems

Mina Guirguis; Azer Bestavros; Ibrahim Matta; Yuting Zhang

Current computing systems depend on adaptation mechanisms to ensure that they remain in quiescent operating regions. These regions are often defined using efficiency, fairness, and stability properties. To that end, traditional research works in scalable server architectures and protocols have focused on promoting these properties by proposing even more sophisticated adaptation mechanisms, without the proper attention to security implications. In this paper, we exemplify such security implications by exposing the vulnerabilities of admission control mechanisms that are widely deployed in Internet end systems to reduction of quality (RoQ) attacks. RoQ attacks target the transients of a system's adaptive behavior as opposed to its limited steady-state capacity. We show that a well orchestrated RoQ attack on an end-system admission control policy could introduce significant inefficiencies that could potentially deprive an Internet end-system from much of its capacity, or significantly reduce its service quality, while evading detection by consuming an unsuspicious, small fraction of that system's hijacked capacity. We develop a control theoretic model for assessing the impact of RoQ attacks on an end-system's admission controller. We quantify the damage inflicted by an attacker through deriving appropriate metrics. We validate our findings through real Internet experiments performed in our lab.


ieee international conference computer and communications | 2007

Reduction of Quality (RoQ) Attacks on Dynamic Load Balancers: Vulnerability Assessment and Design Tradeoffs

Mina Guirguis; Azer Bestavros; Ibrahim Matta; Yuting Zhang

One key adaptation mechanism often deployed in networking and computing systems is dynamic load balancing. The goal of employing dynamic load balancers is to ensure that the offered load would be judiciously distributed across resources to optimize the overall performance. To that end, this paper discovers and studies new instances of Reduction of Quality (RoQ) attacks that target the dynamic operation of load balancers. Our exposition is focused on a number of load balancing policies that are either employed in current commercial products or have been proposed in literature for future deployment. Through queuing theory analysis, numerical solutions, simulations and Internet experiments, we are able to assess the impact of RoQ attacks through the potency metric. We identify the key factors, such as feedback delay and averaging parameters, that expose the trade-offs between resilience and susceptibility to RoQ attacks. These factors could be used to harden load balancers against RoQ attacks. To the best of our knowledge, this work is the first to study adversarial exploits on the dynamic operation of load balancers.


international symposium on computers and communications | 2004

Providing soft bandwidth guarantees using elastic TCP-based tunnels

Mina Guirguis; Azer Bestavros; Ibrahim Matta; Niky Riga; Gali Diamant; Yuting Zhang

The best-effort nature of the Internet poses a significant obstacle to the deployment of many applications that require guaranteed bandwidth. We present a novel approach that enables two edge/border routers - which we call Internet traffic managers (ITM) - to use an adaptive number of TCP connections to set up a tunnel of desirable bandwidth between them. The number of TCP connections that comprise this tunnel is elastic in the sense that it increases/decreases in tandem with competing cross traffic to maintain a target bandwidth. An origin ITM would then schedule incoming packets from an application requiring guaranteed bandwidth over that elastic tunnel. Unlike many proposed solutions that aim to deliver soft QoS guarantees, our elastic-tunnel approach does not require any support from core routers (as with IntServ and DiffServ); it is scalable in the sense that core routers do not have to maintain per-flow state (as with IntServ); and it is readily deployable within a single ISP or across multiple ISPs. To evaluate our approach, we develop a flow-level control theoretic model to study the transient behavior of established elastic TCP-based tunnels. The model captures the effect of cross-traffic connections on our bandwidth allocation policies. Through extensive simulations, we confirm the effectiveness of our approach in providing soft bandwidth guarantees.


global communications conference | 2011

Can You Help Me Run These Code Segments on Your Mobile Device

Mina Guirguis; Robert Ogden; Zhaochen Song; Sobit Bahadur Thapa; Qijun Gu

The proliferation of mobile devices, coupled with the increase in their capabilities, has enabled the establishment of a rich mobile computing platform for various applications. In this paper we propose a probabilistic code distribution model that enables a mobile device to execute code segments through the help of nearby mobile devices in a secure and resilient manner. The model relies on randomization and replication techniques against unhelpful devices that do not execute their assigned code segments and malicious ones that try to reveal the overall application. We derive bounds to ensure the success of our scheme with a very high probability. Simulation and implementation experiments using MICAz sensors are conducted to validate our model and study the performance of our scheme.


Journal of Parallel and Distributed Computing | 2007

Adversarial exploits of end-systems adaptation dynamics

Mina Guirguis; Azer Bestavros; Ibrahim Matta; Yuting Zhang

Internet end-systems employ various adaptation mechanisms that enable them to respond adequately to legitimate requests in overload situations. Today, these mechanisms are incorporated in most scalable end-systems through the use of one or more component subsystems such as admission controllers, traffic shapers, content transcoders, QoS controllers, and load balancers. While the design of these components has been heavily investigated and significantly fine-tuned for efficiency and scalability purposes, the security implication of the adaptation mechanisms used in these components has not been on the radar of system designers. To that end, this paper exposes adversarial exploits of the dynamics that result from the adaptive nature of these components. We show that a well orchestrated Reduction of Quality (RoQ) attack could induce significant inefficiencies or reduce the service quality of end-systems, without resorting to brute-force Denial-of-Service (DoS) exploits that target the limited steady-state capacity of these end-systems. We present a general analytical framework that captures the effect of RoQ exploits on the underlying optimization process of the adaptation mechanisms. Using detailed models, we instantiate this general framework for some of the aforementioned end-system adaptation mechanisms, focusing on admission controllers and load balancers. Our exposition is supported with numerical solutions of analytical models, which are validated using results from detailed simulations, and measurements from real Internet experiments performed in our lab.


global communications conference | 2004

itmBench: generalized API for Internet traffic managers

G. Diamant; L. Veytser; I. Matta; Azer Bestavros; Mina Guirguis; Liang Guo; Yuting Zhang; Scan Chen

Internet traffic managers (ITMs) are special machines placed at strategic places in the Internet. itmBench is an interface that allows users (e.g. network managers, service providers, or experimental researchers) to register different traffic control functionalities to run on one ITM or an overlay of ITMs. Thus itmBench offers a tool that is extensible and powerful yet easy to maintain. ITM traffic control applications could be developed either using a kernel API so they run in kernel space, or using a user-space API so they run in user space. We demonstrate the flexibility of itmBench by showing the implementation of a kernel module that provides a differentiated network service. Due to space limitations, we refer the reader to Gali Diamant et al. (December 16, 2003) for a user-space module that provides an overlay routing service. Our itmBench Linux-based prototype is free software and can be obtained from http://www.cs.bu.edu/groups/itm/.


Archive | 2014

Secure Mobile Cloud Computing and Security Issues

Qijun Gu; Mina Guirguis

The proliferation of mobile devices, coupled with the increase in their capabilities, has enabled the establishment of a rich mobile computing platform that can be utilized in conjunction with cloud services. In this chapter, we overview the latest mobile computing models and architectures focusing on their security properties. In particular, we study a wide range of threats against the availability, privacy and integrity of mobile cloud computing architectures in which the mobile devices and the cloud jointly perform computation. We then present defense mechanisms that ensure the security of mobile cloud computing architectures and their applications. Throughout the chapter, we identify potential threats as well as possible opportunities for defenses.


mobile adhoc and sensor systems | 2013

Collaborative Computing On-demand: Harnessing Mobile Devices in Executing On-the-Fly Jobs

Thomas Langford; Qijun Gu; Agustin Rivera-Longoria; Mina Guirguis

Systems employing mobile devices (e.g., sensors, smart phones, robots) are emerging with growing capabilities in performing a wide variety of tasks. Due to their abundance and wide deployments, they are poised to play a dominant role in providing a rich mobile computing platform for various jobs, especially for new ones that are created on-the-fly. Realizing this platform is challenging since it is hard to predict the exact equipment present in an environment, what types of information need to be communicated to the devices to execute their tasks, and how to reprogram these devices. This work proposes a new on-demand collaborative computing framework that maps a new job as a set of tasks onto the mobile devices for execution. The mapping is done in a manner that takes into account the capabilities of the devices, the dependency between the tasks, the adjacency of the devices, and the requirements of the requested new job. Our proposed framework is implemented as a test-bed in our Mobile Cyber-Physical Systems lab with MICAz sensors and iRobot Create robots.


global communications conference | 2009

Stealthy IP Prefix Hijacking: Don't Bite Off More Than You Can Chew

Christian Mcarthur; Mina Guirguis

In prefix hijacking, an Autonomous System (AS) advertises routes for prefixes that are owned by another AS, and ends up hijacking traffic that is intended for the owner. While misconfigurations and/or misunderstandings of policies are the likely reasons behind the majority of those incidents, malicious incidents have also been reported. Recent works have focused on malicious scenarios that aim to maximize the amount of hijacked traffic from all ASes, without considering scenarios where the attacker is aiming to avoid detection. In this paper, we expose a new class of prefix hijacking that is stealthy in nature. The idea is to craft path(s) - of tunable lengths - that deceive only a small subset of ASes. By finely tuning the degree to which ASes are affected, the attacker can handle the hijacked traffic while the victimized AS would not observe a major reduction in its incoming traffic that would raise an alarm. We give upper bounds on the impact of those attacks via simulations on real BGP Internet announcements obtained from Route-Views. We discuss shortcomings in current proposed defense mechanisms against attackers which can falsify traceroute replies. We also present a defense mechanism against stealthy prefix hijacking attacks.

Collaboration

Top Co-Authors

George K. Atia

University of Central Florida

Ahmed H. Anwar

University of Central Florida

Qijun Gu

Texas State University