Yossi Gilad

Algorand: Scaling Byzantine Agreements for Cryptocurrencies

Algorand is a new cryptocurrency that confirms transactions with latency on the order of a minute while scaling to many users. Algorand ensures that users never have divergent views of confirmed transactions, even if some of the users are malicious and the network is temporarily partitioned. In contrast, existing cryptocurrencies allow for temporary forks and therefore require a long time, on the order of an hour, to confirm transactions with high confidence. Algorand uses a new Byzantine Agreement (BA) protocol to reach consensus among users on the next set of transactions. To scale the consensus to many users, Algorand uses a novel mechanism based on Verifiable Random Functions that allows users to privately check whether they are selected to participate in the BA to agree on the next set of transactions, and to include a proof of their selection in their network messages. In Algorands BA protocol, users do not keep any private state except for their private keys, which allows Algorand to replace participants immediately after they send a message. This mitigates targeted attacks on chosen participants after their identity is revealed. We implement Algorand and evaluate its performance on 1,000 EC2 virtual machines, simulating up to 500,000 users. Experimental results show that Algorand confirms transactions in under a minute, achieves 125x Bitcoins throughput, and incurs almost no penalty for scaling to more users.

Spying in the dark: TCP and tor traffic analysis

We show how to exploit side-channels to identify clients without eavesdropping on the communication to the server, and without relying on known, distinguishable traffic patterns. We present different attacks, utilizing different side-channels, for two scenarios: a fully off-path attack detecting TCP connections, and an attack detecting Tor connections by eavesdropping only on the clients. Our attacks exploit three types of side channels: globally-incrementing IP identifiers, used by some operating systems, e.g., in Windows; packet processing delays, which depend on TCP state; and bogus-congestion events, causing impact on TCPs throughput (via TCPs congestion control mechanism). Our attacks can (optionally) also benefit from sequential port allocation, e.g., deployed in Windows and Linux. The attacks are practical - we present results of experiments for all attacks in different network environments and scenarios. We also present countermeasures for these attacks.

LOT: A Defense Against IP Spoofing and Flooding Attacks

We present LOT, a lightweight plug and play secure tunneling protocol deployed at network gateways. Two communicating gateways, A and B, running LOT would automatically detect each other and establish an efficient tunnel, securing communication between them. LOT tunnels allow A to discard spoofed packets that specify source addresses in B’s network and vice versa. This helps to mitigate many attacks, including DNS poisoning, network scans, and most notably (Distributed) Denial of Service (DoS). LOT tunnels provide several additional defenses against DoS attacks. Specifically, since packets received from LOT-protected networks cannot be spoofed, LOT gateways implement quotas, identifying and blocking packet floods from specific networks. Furthermore, a receiving LOT gateway (e.g., B) can send the quota assigned to each tunnel to the peer gateway (A), which can then enforce near-source quotas, reducing waste and congestion by filtering excessive traffic before it leaves the source network. Similarly, LOT tunnels facilitate near-source filtering, where the sending gateway discards packets based on filtering rules defined by the destination gateway. LOT gateways also implement an intergateway congestion detection mechanism, allowing sending gateways to detect when their packets get dropped before reaching the destination gateway and to perform appropriate near-source filtering to block the congesting traffic; this helps against DoS attacks on the backbone connecting the two gateways. LOT is practical: it is easy to manage (plug and play, requires no coordination between gateways), deployed incrementally at edge gateways (not at hosts and core routers), and has negligible overhead in terms of bandwidth and processing, as we validate experimentally. LOT storage requirements are also modest.

Synthesis, biological studies and molecular dynamics of new anticancer RGD-based peptide conjugates for targeted drug delivery.

New cyclic RGD peptide-anticancer agent conjugates, with different chemical functionalities attached to the parent peptide were synthesized in order to evaluate their biological activities and to provide a comparative study of their drug release profiles. The Integrin binding c(RGDfK) penta-peptide was used for the synthesis of Camptothecin (CPT) carbamate and Chlorambucil (CLB) amide conjugates. Substitution of the amino acid Lys with Ser resulted in a modified c(RGDfS) with a new attachment site, which enabled the synthesis of an ester CLB conjugate. Functional versatility of the conjugates was reflected in the variability of their drug release profiles, while the conserved RGD sequence of a selective binding to the αv integrin family, likely preserved their recognition by the Integrin and consequently their favorable toxicity towards targeted cancer cells. This hypothesis was supported by a computational analysis suggesting that all conjugates occupy conformational spaces similar to that of the Integrin bound bio-active parent peptide.

Dual‐drug RGD conjugates provide enhanced cytotoxicity to melanoma and non‐small lung cancer cells

To enhance the efficacy of targeted drug delivery, four new peptide‐ligand conjugates were synthesized, each consisting of a cyclic RGDfK penta‐peptide loaded with two anticancer drugs. The drug release profiles in different media of these new compounds and their cytotoxic activity against melanoma and non‐small lung cancer cell lines were evaluated and compared with those of their singly loaded analogs. The cyclic RGDfK penta‐peptide was selected as a targeting moiety because of its high affinity and selectivity to the αvβ3integrin receptor, which is frequently over‐expressed in various types of cancer cells. The peptides core was modified at the side chain of its Lys residue by coupling it with a sixth amino acid (AA) ‐ either Lys (5a) or Ser (5b) (Lys/Ser splitter), resulting in two functional sites which enabled the loading of two therapeutic equivalents onto a single targeting carrier. Using Lys as a splitter resulted in two primary amines. Consequently, conjugates 1a and 1b were synthesized by coupling of 2 Chlorambucils (CLBs) or 2 Camptothecins (CPTs), respectively, to the primary amines of 5a. Conjugate 1c was synthesized from 5b by loading two equivalents of CLB on the amine and the hydroxyl of the Ser splitter, resulting in a homodimeric system with two distinct conjugation sites – amide and ester. The heterodimeric conjugate 1d of CLB and CPT was synthesized by loading each one of the primary amines of 5a with two different drugs ‐ CLB and CPT. The doubling of drug equivalents loaded onto the targeting peptide correlated with enhanced cytotoxic efficacy of the conjugates towards cancer cells. The versatility of chemical linkages of the drugs to the peptides resulted in conjugates with different drug release profiles. Molecular dynamics simulations performed on conjugate 1d demonstrated that this compound occupies a conformational space similar to the bio‐active conformation of an integrin‐bound cyclic RGD peptide reference peptide (c(RGDf(NMe)V). The modified position in 1d (relative to the reference peptide) points away from the integrin, leading us to hypothesize that this peptide binds the integrin in a manner similar to that of the reference peptide thereby fulfilling a crucial requirement for targeted delivery. The strategy of dual drug loading on a single peptide carrier, gives rise to drugs with different mechanisms of action and release profiles, thus substantially increasing the efficacy of selective killing of tumor cells and while reducing the risk of the development of drug resistance.

Fragmentation Considered Vulnerable

We show that fragmented IPv4 and IPv6 traffic is vulnerable to effective interception and denial-of-service (DoS) attacks by an off-path attacker. Specifically, we demonstrate a weak attacker intercepting more than 80% of the data between peers and causing over 94% loss rate. We show that our attacks are practical through experimental validation on popular industrial and open-source products, with realistic network setups that involve NAT or tunneling and include concurrent legitimate traffic as well as packet losses. The interception attack requires a zombie agent behind the same NAT or tunnel-gateway as the victim destination; the DoS attack only requires a puppet agent, that is, a sandboxed applet or script running in web-browser context. The complexity of our attacks depends on the predictability of the IP Identification (ID) field which is typically implemented as one or multiple counters, as allowed and recommended by the IP specifications. The attacks are much simpler and more efficient for implementations, such as Windows, which use one ID counter for all destinations. Therefore, much of our focus is on presenting effective attacks for implementations, such as Linux, which use per-destination ID counters. We present practical defenses for the attacks presented in this article, the defenses can be deployed on network firewalls without changes to hosts or operating system kernel.

One Hop for RPKI, One Giant Leap for BGP Security

Extensive standardization and R&D efforts are dedicated to establishing secure interdomain routing. These efforts focus on two complementary mechanisms: origin authentication with RPKI, and path validation with BGPsec. However, while RPKI is finally gaining traction, the adoption of BGPsec seems not even on the horizon. This is due to inherent, possibly insurmountable, obstacles, including the need to replace todays routing infrastructure, meagre benefits in partial deployment and online cryptography. We propose path-end validation, a much easier to deploy alternative to BGPsec. Path-end validation is a modest extension to RPKI that does not require modifications to BGP message format nor online cryptography. Yet we show, through extensive simulations on empirically-derived datasets, that path-end validation yields significant security benefits, even with very limited partial deployment. We present an open-source prototype implementation of path-end validation, which does not require changing todays routers, illustrating the deployability advantage over BGPsec.

Off-Path TCP Injection Attacks

We present practical off-path TCP injection attacks for connections between current, nonbuggy browsers and Web servers. The attacks allow Web-cache poisoning with malicious objects such as spoofed Web pages and scripts; these objects can be cached for a long period of time, exposing any user of that cache to cross-site scripting, cross-site request forgery, and phishing attacks. In contrast to previous TCP injection attacks, we do not require MitM capabilities or malware running on the client machine. Instead, our attacks rely on a weaker assumption, that the user only enters a malicious Web site, but does not download or install any application. Our attacks exploit subtle details of the TCP and HTTP specifications, and features of legitimate (and very common) browser implementations. An empirical evaluation of our techniques with current versions of browsers shows that connections with most popular Web sites are vulnerable. We conclude this work with practical client- and server-end defenses against our attacks.

When tolerance causes weakness: the case of injection-friendly browsers

We present a practical off-path TCP-injection attack for connections between current, non-buggy browsers and web-servers. The attack allows web-cache poisoning with malicious objects; these objects can be cached for long time period, exposing any user of that cache to XSS, CSRF and phishing attacks. In contrast to previous TCP-injection attacks, we assume neither vulnerabilities such as client-malware nor predictable choice of client port or IP-ID. We only exploit subtle details of HTTP and TCP specifications, and features of legitimate (and common) browser implementations. An empirical evaluation of our techniques with current versions of browsers shows that connections with popular websites are vulnerable. Our attack is modular, and its modules may improve other off-path attacks on TCP communication. We present practical patches against the attack; however, the best defense is surely adoption of TLS, that ensures security even against the stronger Man-in-the-Middle attacker.

Stadium: A Distributed Metadata-Private Messaging System

Private communication over the Internet remains a challenging problem. Even if messages are encrypted, it is hard to deliver them without revealing metadata about which pairs of users are communicating. Scalable anonymity systems, such as Tor, are susceptible to traffic analysis attacks that leak metadata. In contrast, the largest-scale systems with metadata privacy require passing all messages through a small number of providers, requiring a high operational cost for each provider and limiting their deployability in practice. This paper presents Stadium, a point-to-point messaging system that provides metadata and data privacy while scaling its work efficiently across hundreds of low-cost providers operated by different organizations. Much like Vuvuzela, the current largest-scale metadata-private system, Stadium achieves its provable guarantees through differential privacy and the addition of noisy cover traffic. The key challenge in Stadium is limiting the information revealed from the many observable traffic links of a highly distributed system, without requiring an overwhelming amount of noise. To solve this challenge, Stadium introduces techniques for distributed noise generation and differentially private routing as well as a verifiable parallel mixnet design where the servers collaboratively check that others follow the protocol. We show that Stadium can scale to support 4x more users than Vuvuzela using servers that cost an order of magnitude less to operate than Vuvuzela nodes.