Riccardo Bettati

On flow correlation attacks and countermeasures in mix networks

In this paper, we address issues related to flow correlation attacks and the corresponding countermeasures in mix networks. Mixes have been used in many anonymous communication systems and are supposed to provide countermeasures that can defeat various traffic analysis attacks. In this paper, we focus on a particular class of traffic analysis attack, flow correlation attacks, by which an adversary attempts to analyze the network traffic and correlate the traffic of a flow over an input link at a mix with that over an output link of the same mix. Two classes of correlation methods are considered, namely time-domain methods and frequency-domain methods. Based on our threat model and known strategies in existing mix networks, we perform extensive experiments to analyze the performance of mixes. We find that a mix with any known batching strategy may fail against flow correlation attacks in the sense that for a given flow over an input link, the adversary can correctly determine which output link is used by the same flow. We also investigated methods that can effectively counter the flow correlation attack and other timing attacks. The empirical results provided in this paper give an indication to designers of Mix networks about appropriate configurations and alternative mechanisms to be used to counter flow correlation attacks.

End-to-end scheduling to meet deadlines in distributed systems

Algorithms for scheduling a class of systems in which all the tasks execute on different processors in turn in the same order are described. This end-to-end scheduling problem is known as the flow-shop problem. Two cases in which the problem is tractable are presented, and a heuristic for the NP-hard general case is evaluated. The traditional flow-shop model is generalized in two directions. First, an algorithm for scheduling flow shops in which tasks can be serviced more than once by some processors is presented. Second, a heuristic algorithm for scheduling flow shops with periodic tasks is described. Scheduling systems with more than one flow shop are considered.<<ETX>>

Reactive speed control in temperature-constrained real-time systems

In this paper, we study temperature-constrained real-time systems, where real-time guarantees must be met without exceeding safe temperature levels within the processor. We give a short review on temperature issues in processors and describe how speed control can be used to trade-off task delays against processor temperature. In this paper, we describe how traditional worst-case execution scenarios do not apply in temperature-constrained situations. As example, we adopt a simple reactive speed control technique. We show how this simple reactive scheme can improve the processor utilization compared with any constant-speed scheme.

PERTS: A prototyping environment for real-time systems

PERTS is a prototyping environment for real-time systems. It contains schedulers and resource access protocols for time-critical applications, together with a comprehensive set of tools for the analysis, validation, and evaluation of real-time systems built on the scheduling paradigms supported by these building blocks. This paper describes the underlying models of real-time systems supported by PERTS, as well as its capabilities and intended use. A key component is the schedulability analyzer. The basic version of this system of tools supports the validation and evaluation of real-time systems built on the framework of the periodic-task model. This system of tools is now available.<<ETX>>

Providing absolute differentiated services for real-time applications in static-priority scheduling networks

In this paper, we propose and analyze a methodology for providing absolute differentiated services for real-time applications. We develop a method that can be used to derive delay bounds without specific information on flow population. With this new method, we are able to successfully employ a utilization-based admission control approach for flow admission. This approach does not require explicit delay computation at admission time and, hence, is scalable to large systems. We assume the underlying network to use static-priority schedulers. We design and analyze several priority assignment algorithms and investigate their ability to achieve higher utilization bounds. Traditionally, schedulers in differentiated services networks assign priorities on a class-by-class basis, with the same priority for each class on each router. In this paper, we show that relaxing this requirement, that is, allowing different routers to assign different priorities to classes, achieves significantly higher utilization bounds.

NetCamo: camouflaging network traffic for QoS-guaranteed mission critical applications

This paper presents the general approach, design, implementation, and evaluation of NetCamo, which is a system to prevent traffic analysis in systems with real-time requirements. Integrated support for both security and real-time is becoming necessary for computer networks that support mission critical applications. This study focuses on how to integrate both the prevention of traffic analysis and guarantees for worst-case delays in an internetwork. We propose and analyze techniques that efficiently camouflage network traffic and correctly plan and schedule the transmission of payload traffic so that both security and real-time requirements are met. The performance evaluation shows that our NetCamo system is effective and efficient. By using the error between target camouflaged traffic and the observed (camouflaged) traffic as metric to measure the quality of the camouflaging, we show that NetCamo achieves very high levels of camouflaging without compromising real-time requirements.

Delay Analysis in Temperature-Constrained Hard Real-Time Systems with General Task Arrivals

In this paper, we study temperature-constrained hard real-time systems, where real-time guarantees must be met without exceeding safe temperature levels within the processor. Dynamic speed scaling is one of the major techniques to manage power so as to maintain safe temperature levels. As example, we adopt a simple reactive speed control technique in our work. We design a methodology to perform delay analysis for general task arrivals under reactive speed control with first-in-first-out (FIFO) scheduling and static-priority (SP) scheduling. As a special case, we obtain a close-form delay formula for the leaky-bucket task arrival model. Our data show how simple reactive speed control can decrease the delay of tasks compared with any constant-speed scheme

Anonymity vs. Information Leakage in Anonymity Systems

Measures for anonymity in systems must be on one hand simple and concise, and on the other hand reflect the realities of real systems. Such systems are heterogeneous, as are the ways they are used, the deployed anonymity measures, and finally the possible attack methods. Implementation quality and topologies of the anonymity measures must be considered as well. We therefore propose a new measure for the anonymity degree, which takes into account possible heterogeneity. We model the effectiveness of single mixes or of mix networks in terms of information leakage and measure it in terms of covert channel capacity. The relationship between the anonymity degree and information leakage is described, and an example is shown

An optimal strategy for anonymous communication protocols

For many Internet applications, the ability to protect the identity of participants in a distributed applications is critical. For such applications, a number of anonymous communication systems have been realized over the recent years. The effectiveness of these systems relies greatly on the way messages are routed among the participants. (We call this the route selection strategy.) In this paper we describe how to select routes so as to maximize the ability of the anonymous communication systems to protect anonymity To measure this ability, we define a metric (anonymity degree), and we design and evaluate an optimal route selection strategy that maximizes the anonymity degree of a system. Our analytical and experimental data shows that the anonymity degree may not always monotonically increase as the length of communication paths increase. We also found that variable path-length strategies perform better than fixed-length strategies.

Static priority scheduling for ATM networks

Static priority scheduling is popular for traffic scheduling in ATM switches because it is less costly than dynamic priority scheduling while being sensitive to the delay constraints of connections. We study delay computation and priority assignment problems in an ATM network with static priority scheduling. Given an ATM network with arbitrary topology, it is possible that the traffic on it may become unstable (i.e., packet delays become unbounded) due to the potential cyclic dependency of the traffic. An unstable network is definitely unacceptable for many delay sensitive applications. We start by formally deriving a simple condition under which the network is guaranteed to be stable. We then develop a numerical method to compute worst case end to end delays in an ATM network with arbitrary topology. Convergence of the method is formally proved and a closed form for the computing error is obtained. Despite its advantages, static priority scheduling remains sensitive to proper priority assignment. We describe two simple priority assignment methods, which we show to outperform other commonly used methods.