Adam Aviv, Pavol Cerný, Sandy Clark, Eric Cronin, Gaurav Shah, Micah Sherr, and Matt Blaze. Security evaluation of the ES&S voting machines and election management system. In Third USENIX/ACCURATE Electronic Voting Technology Workshop (EVT '08), August 2008.

In response to growing concerns about the security and reliability of electronic voting systems, Ohio Secretary of State Jennifer Brunner initiated the “Evaluation & Validation of Election-Related Equipment, Standards and Testing (EVEREST)” [?] study in October 2007. EVEREST was the first major study of ES&S voting systems and only the second comprehensive study that examined all components - from backend registration systems to frontend ballot casting - of an electronic voting system. In this paper, we describe our experiences as security auditors of the ES&S voting system for the Ohio EVEREST study. We identify numerous critical vulnerabilities in nearly every component of the ES&S system that enable attacks that could alter or forge precinct results, install corrupt firmware, and erase audit records. In particular, we highlight the architectural issues of the ES&S voting system and show how the interaction of the various software and hardware modules leads to systemic vulnerabilities that do not appear to be easily countered with election procedures or software updates.

Eric Cronin, Micah Sherr, and Matt Blaze. On the (un)reliability of eavesdropping. International Journal of Security and Networks (IJSN), 3(2), February 2008.

We investigate the reliability of current generation eavesdropping tools and show that obtaining 'high fidelity' transcripts is harder than previously assumed. Even in situations highly favourable to the eavesdropper, simple unilateral countermeasures are shown to be sufficient to prevent all tested systems from reliably reconstructing communicated messages. Less than a third of the tested systems report irregularities, and 45% incorrectly interpret covertext chosen by the sending party. Unlike cryptography or steganography, the techniques introduced require no cooperation by the communicating parties and, in some cases, can be employed entirely by a third party not involved in the communication at all.

Micah Sherr, Boon Thau Loo, and Matt Blaze. Veracity: A fully decentralized service for securing network coordinate systems. In 7th International Workshop on Peer-to-Peer Systems (IPTPS 2008), February 2008.

Decentralized logical coordinate systems have been proposed as a means of estimating network distances. These systems have widespread usage in p2p networks, ranging from neighbor selection to replica placement. Unfortunately, these systems are vulnerable to even a small number of malicious nodes lying about their coordinates or measurements. In this paper, we introduce Veracity, a fully decentralized service for securing network coordinate systems. Unlike prior proposals, Veracity requires neither the presence of a large number of a priori trusted nodes nor the use of network triangle inequality testing. Veracity utilizes a vote-based approach, where all advertised coordinates are independently verified by a minimal set of nodes before being used. Via detailed simulations in p2psim, we demonstrate that Veracity mitigates a variety of known attacks against Vivaldi for moderate sizes of malicious nodes, incurring acceptable communication overhead, and in some cases, even reducing the convergence time of the coordinate system.

Micah Sherr, Boon Thau Loo, and Matt Blaze. Towards application-aware anonymous routing. In Second USENIX Workshop on Hot Topics in Security (HotSec), August 2007.

This paper investigates the problem of designing anonymity networks that meet application-specific performance and security constraints. We argue that existing anonymity networks take a narrow view of performance by considering only the strength of the offered anonymity. However, real-world applications impose a myriad of communication requirements, including end-to-end bandwidth and latency, trustworthiness of intermediary routers, and network jitter.

We pose a grand challenge for anonymity: the development of a network architecture that enables applications to customize routes that trade off between anonymity and performance. Towards this challenge, we present the Application-Aware Anonymity (A3) routing service. We envision that A3 will serve as a powerful and flexible anonymous communications layer that will spur the future development of anonymity services.

Micah Sherr, Eric Cronin, and Matt Blaze. Measurable security through isotropic channels. In Fifteenth International Workshop on Security Protocols, May 2007.

This position paper proposes the use of special broadcast networks to achieve provable and measurable confidentiality of messages. We call these networks isotropic channels, broadcast channels in which receivers cannot reliably determine whether a given message originated from any particular sender and senders cannot prevent a message from reaching any particular receiver. As long as eavesdroppers cannot reliably (i.e., with probabilistic certainty) identify the sender of a message, honest parties can efficiently exchange messages with confidentiality that asymptotically approaches and in some cases reaches perfect secrecy. Even under incorrect assumptions regarding the degree of isotropism offered by a particular channel, a high measure of confidentiality can be efficiently achieved.

This position paper makes the case that isotropic channels already exist, and are, in fact, often used in practice. By leveraging isotropic techniques, measurable information theoretic security can be practically achieved.

Madhukar Anand, Eric Cronin, Micah Sherr, Matt Blaze, Zachary Ives, and Insup Lee. Sensor network security: More interesting than you think. In First USENIX Workshop on Hot Topics in Security (HotSec), August 2006.

With the advent of low-power wireless sensor networks, a wealth of new applications at the interface of the real and digital worlds is emerging. A distributed computing platform that can measure properties of the real world, formulate intelligent inferences, and instrument responses, requires strong foundations in distributed computing, artificial intelligence, databases, control theory, and security.

Before these intelligent systems can be deployed in critical infrastructures such as emergency rooms and power plants, the security properties of sensors must be fully understood. Existing wisdom has been to apply the traditional security models and techniques to sensor networks. However, sensor networks are not traditional computing devices, and as a result, existing security models and methods are ill suited. In this position paper, we take the first steps towards producing a comprehensive security model that is tailored for sensor networks. Incorporating work from Internet security, ubiquitous computing, and distributed systems, we outline security properties that must be considered when designing a secure sensor network. We propose challenges for sensor networks: security obstacles that, when overcome, will move us closer to decreasing the divide between computers and the physical world.

Eric Cronin, Micah Sherr, and Matt Blaze. On the reliability of current generation network eavesdropping tools. In Second Annual IFIP WG 11.9 International Conference on Digital Forensics, January 2006.

This paper analyzes the problem of interception of Internet traffic from the eavesdropper's point of view. We focus on highly favorable conditions for the eavesdropper in which the communicating parties do not cooperate to obscure their traffic (e.g., messages are sent using the standard protocols without the use of cryptography or steganography). We show that this seemingly simple eavesdropping problem is harder than previously thought, and that simple - and entirely unilateral - countermeasures are sufficient to prevent accurate traffic capture in many Internet interception configurations, including those employed by every available eavesdropping system we tested. Central to our approach is a new class of techniques that we call confusion, which, unlike cryptography or steganography, does not require cooperation by the communicating parties and, in some cases, can be employed entirely by a third party not involved in the communication at all. We show the viability of these threats with a practical and effective eavesdropping-countermeasures toolkit.

Micah Sherr, Michael Greenwald, Carl A. Gunter, Sanjeev Khanna, and Santosh S. Venkatesh. Mitigating DoS attack through selective bin verification. In First Workshop on Secure Network Protocols (NPSec), November 2005.

Despite considerable attention from both the academic and commercial communities, denial-of-service (DoS) attacks represent a growing threat to network administrators and service providers. A large number of proposed DoS countermeasures attempt to detect an attack in-progress and filter out the DoS attack packets. These techniques often depend on the instantiation of sophisticated routing mechanisms and the ability to differentiate between normal and malicious messages. Unfortunately, neither of these prerequisites may be practical or possible.

We propose and evaluate a defense against DoS attacks which we call selective bin verification. The technique shows promise against large DoS attacks, even when attack packets are able to permeate the network and reach the target of their attack. We explore the effectiveness of our technique by implementing an experimental testbed in which selective bin verification is successfully used to protect against DoS attacks. We formally describe the mathematical properties of our approach and parameters for defending against various attacks.

Micah Sherr, Eric Cronin, Sandy Clark, and Matt Blaze. Signaling vulnerabilities in wiretapping systems. IEEE Security & Privacy, 3(6):13-25, November 2005.

Telephone wiretap and dialed number recording systems are used by law enforcement and national security agencies to collect investigative intelligence and legal evidence. In this paper, we show that many of these systems are vulnerable to simple, unilateral countermeasures that allow wiretap targets to prevent their call audio from being recorded and/or cause false or inaccurate dialed digits and call activity to be logged. The countermeasures exploit the unprotected in-band signals passed between the telephone network and the collection system and are effective against many of the wiretapping technologies currently used by US law enforcement, including at least systems. Possible remedies and workarounds are proposed, and the broader implications of the security properties of these systems are discussed.

Eric Cronin, Micah Sherr, and Matt Blaze. Listen too closely and you may be confused. In Security Protocols Workshop, April 2005.

Among the most basic simplifying assumptions of modern communications security is the notion that most communication channels should, by their very nature, be considered vulnerable to interception. It has long been considered almost reckless to suggest depending on any supposed intrinsic security properties of the network itself, and especially foolish in complex, decentralized, heterogeneously-controlled networks such as the modern Internet. Orthodox doctrine is that any security must be either end-to-end (as with cryptography), or not considered to exist at all. While this heuristic well serves cautious confidential communicators, it is unsatisfying from the point of view of the eavesdropper. Paradoxically, while end-to-end security may be a prerequisite to robust confidentiality in most networks, it does not follow that a lack of end-to-end security always makes it possible to eavesdrop.

Mark Weiner, Micah Sherr, and Abigail Cohen. Metadata tables to enable dynamic data modeling and web interface design. International Journal of Medical Informatics, 65(1):51-58, April 2002.

A wealth of information addressing health status, outcomes and resource utilization is compiled and made available by various government agencies. While exploration of the data is possible using existing tools, in general, would-be users of the resources must acquire CD-ROMs or download data from the web, and upload the data into their own database. Where web interfaces exist, they are highly structured, limiting the kinds of queries that can be executed. This work develops a web-based database interface engine whose content and structure is generated through interaction with a metadata table. The result is a dynamically generated web interface that can easily accommodate changes in the underlying data model by altering the metadata table, rather than requiring changes to the interface code. This paper discusses the background and implementation of the metadata table and web-based front end and provides examples of its use with the Surveillance, Epidemiology and End-Results (SEER) database.