Takashi Matsunaka

Passive OS Fingerprinting by DNS Traffic Analysis

In this paper, we propose a new passive OS fingerprinting method which only requires DNS traffic analysis. The method utilizes characteristics on DNS queries specific to each OS, e.g. unique domain names, query patterns, time interval etc. The method can estimate the number of devices with each OS from the number of queries by utilizing the characteristics of the time interval patterns. The method considers the likelihood of irregular events that some queries are sent at less than regular time intervals, and some other queries are sent at more than regular time intervals. We analyze DNS traffic sent by each OS and extract the characteristics for OS fingerprinting. Then, we examine our estimation method by using DNS traffic in our intra-network. According to our examination, some results of our estimation method are close to the results of DHCP fingerprinting.

On the Feasibility of Deploying Software Attestation in Cloud Environments

We present XSWAT (Xen SoftWare ATtestation), a system that makes use of timing based software attestation to verify the integrity of cloud computing platforms. We believe that ours is the first instance of a system that uses this attestation technique in a cloud environment and results obtained indicate the feasibility of its deployment. An overview of the XSWAT system and the associated threat model, along with a study of cloud environment impacts on performance, is presented. Environmental parameters include types of interconnects between the XSWAT verifier and measurement agent as well as the number of concurrently executing virtual machines on the platform being verified. Conversely, we also study the impact of XSWAT execution using well known system benchmarks and find this to be insignificant, thereby strengthening the case for XSWAT. We also discuss novel XSWAT mechanisms for addressing TOCTOU attacks.

Runtime Attestation for IAAS Clouds.

We present the RIC (Runtime Attestation for Iaas Clouds) system which uses timing-based attestation to verify the integrity of a running Xen Hypervisor as well as the guest virtual machines running on top of it. As part of the RIC system we present a novel attestation technique which includes not only the guest operating system’s static code and read-only data sections but also the guest OS’ dynamically loadable kernel modules. These attestations are conducted periodically at run-time to provide a stronger guarantee of correctness than that offered by load-time verification techniques. A system such as RIC can be used in cloud computing scenarios to verify the environment in which the cloud services ultimately run. Furthermore we offer a method to decrease the performance impact that this process has on the virtual machines that run the cloud services since these services often have very strict performance and availability requirements. This scheme effectively extends the root of trust on the cloud machines from the Xen hypervisor upward to include the guest OS that runs within each virtual machine. This work represents an important step towards secure cloud computing platforms which can help cloud providers offer new services that require higher levels of security than are possible in cloud data centers today.