reviewed.bib

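% CCS 2009 paper on law-enforcement wiretap security.
% Title and booktitle are no longer wrapped in double braces, so the
% bibliography style controls casing. Only the acronyms and the "A" after
% the question mark are protected, since sentence-casing styles would
% otherwise lowercase them.
@inproceedings{calea,
  author    = {Sherr, Micah and Shah, Gaurav and Cronin, Eric and Clark, Sandy and Blaze, Matt},
  title     = {Can They Hear me Now? {A} Security Analysis of Law Enforcement Wiretaps},
  booktitle = {16th {ACM} Conference on Computer and Communications Security ({CCS} '09)},
  month     = {November},
  year      = {2009}
}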
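% PETS 2009 paper on link-based relay selection for anonymity networks.
% The double braces around title and booktitle are removed so the style
% controls casing; only the venue acronym is protected.
@inproceedings{link-routing,
  author    = {Sherr, Micah and Blaze, Matt and Loo, Boon Thau},
  title     = {Scalable Link-Based Relay Selection for Anonymous Routing},
  booktitle = {9th Privacy Enhancing Technologies Symposium ({PETS} '09)},
  month     = {August},
  year      = {2009},
  abstract  = {The performance of an anonymous path can be described using many
  network metrics -- e.g., bandwidth, latency, jitter, loss, etc.
  However, existing relay selection algorithms have focused
  exclusively on producing paths with high bandwidth.  In contrast to
  traditional {\em node-based} path techniques in which relay
  selection is biased by relays' node-characteristics (i.e.,
  bandwidth), this paper presents the case for {\em link-based} path
  generation in which relay selection is weighted in favor of the
  highest performing links.  Link-based relay selection supports more
  flexible routing, enabling anonymous paths with low latency, jitter,
  and loss, in addition to high bandwidth.  Link-based approaches are
  also more secure than node-based techniques, eliminating
  ``hotspots'' in the network that attract a disproportionate amount
  of traffic.  For example, misbehaving relays cannot advertise
  themselves as ``low-latency'' nodes to attract traffic, since
  latency has meaning only when measured between two endpoints.  We
  argue that link-based path selection is practical for certain
  anonymity networks, and describe mechanisms for efficiently storing
  and disseminating link information.}
}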
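% USENIX ATC 2009 paper on Veracity, the vote-based service for securing
% network coordinate systems.
% The double braces around title and booktitle are removed so the style
% controls casing; the venue acronym is protected instead.
% documenturl is a site-relative path and is not a standard BibTeX field.
@inproceedings{veracity-usenix,
  author      = {Sherr, Micah and Blaze, Matt and Loo, Boon Thau},
  title       = {Veracity: Practical Secure Network Coordinates via Vote-based Agreements},
  booktitle   = {{USENIX} Annual Technical Conference ({USENIX} '09)},
  month       = {June},
  year        = {2009},
  documenturl = {/papers/veracity-usenix-atc09.pdf},
  abstract    = {Decentralized network coordinate systems have been proposed as a
  means of efficiently estimating network distances among end-hosts
  over the Internet without having to contact them directly. These
  systems support a wide range of network services, including
  proximity-based routing, neighbor selection in overlays,
  network-aware overlays, and replica placement in
  content-distribution networks.

  In this paper, we describe {\em Veracity}, a practical
  fully-decentralized service for securing network coordinate systems.
  In Veracity, all advertised coordinates and subsequent coordinate
  updates must be independently verified by a small set of nodes via a
  voting scheme.  Unlike existing approaches, Veracity does not
  require any {\em a priori} secrets or trusted parties, and does not
  depend on outlier analysis of coordinates based on a fixed set of
  neighbors.  We have implemented Veracity by modifying an open-source
  network coordinate system, and have demonstrated within a simulated
  network environment and deployment on PlanetLab that Veracity
  mitigates attacks for moderate sizes of malicious nodes (up to 30\%
  of the network), even when coalitions of attackers coordinate their
  attacks.  We further show that Veracity is resistant to high levels
  of churn and incurs only a modest communication overhead.}
}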
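% EVT 2008 paper reporting the security audit of the ES\&S voting system
% for the Ohio EVEREST study.
% Changes: the vendor acronym in the title is brace-protected so
% sentence-casing styles keep it upper-case, and the accent in the second
% author's surname is written as a BibTeX special character so sorting and
% label generation treat it as one letter.
% NOTE(review): the abstract still carries a \cite to the key "everest",
% left over from the paper source. No entry with that key is visible in
% this listing, so a tool that typesets the abstract may report an
% undefined citation.
@inproceedings{ess-evt08,
  author      = {Aviv, Adam and Cern{\'y}, Pavol and Clark, Sandy and Cronin, Eric and Shah, Gaurav and Sherr, Micah and Blaze, Matt},
  title       = {Security Evaluation of the {ES\&S} Voting Machines and Election Management System},
  booktitle   = {Third {USENIX/ACCURATE} Electronic Voting Technology Workshop ({EVT} '08)},
  month       = {August},
  year        = {2008},
  documenturl = {/papers/aviv-evt08.pdf},
  abstract    = {In response to growing concerns about the security and
reliability of electronic voting systems, Ohio Secretary of State
Jennifer Brunner initiated the ``Evaluation \& Validation of
Election-Related Equipment, Standards and Testing
(EVEREST)''~\cite{everest} study in October 2007.  EVEREST was the
first major study of ES\&S voting systems and only the second
comprehensive study that examined all components -- from backend
registration systems to frontend ballot casting -- of an electronic
voting system.  In this paper, we describe our experiences as security
auditors of the ES\&S voting system for the Ohio EVEREST study.  We
identify numerous critical vulnerabilities in nearly every component
of the ES\&S system that enable attacks that could alter or forge
precinct results, install corrupt firmware, and erase audit records.
In particular, we highlight the architectural issues of the ES\&S
voting system and show how the {\em interaction} of the various
software and hardware modules leads to systemic vulnerabilities that
do not appear to be easily countered with election procedures or
software updates.}
}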
% Security Protocols Workshop 2005 position paper on whether a lack of
% end-to-end security always makes eavesdropping possible.
@inproceedings{confusion:wsp05,
  author      = {Cronin, Eric and Sherr, Micah and Blaze, Matt},
  title       = {Listen Too Closely and You May Be Confused},
  booktitle   = {Security Protocols Workshop},
  month       = {April},
  year        = {2005},
  documenturl = {/papers/confusion-listen.pdf},
  abstract    = {Among the most basic simplifying assumptions of modern
communications security is the notion that most communication channels
should, by their very nature, be considered vulnerable to
interception. It has long been considered almost reckless to suggest
depending on any supposed intrinsic security properties of the network
itself, and especially foolish in complex, decentralized,
heterogeneously-controlled networks such as the modern
Internet. Orthodox doctrine is that any security must be either
end-to-end (as with cryptography), or not considered to exist at all.
While this heuristic well serves cautious confidential communicators,
it is unsatisfying from the point of view of the
eavesdropper. Paradoxically, while end-to-end security may be a
prerequisite to robust confidentiality in most networks, it does not
follow that a lack of end-to-end security always makes it possible to
eavesdrop.}
}
% Security Protocols Workshop 2007 position paper on isotropic broadcast
% channels as a basis for measurable confidentiality.
% location holds the workshop venue; classic BibTeX styles ignore it.
@inproceedings{isotropism-measurable,
  author      = {Sherr, Micah and Cronin, Eric and Blaze, Matt},
  title       = {Measurable Security Through Isotropic Channels},
  booktitle   = {Fifteenth International Workshop on Security Protocols},
  month       = {May},
  year        = {2007},
  location    = {Brno, Czech Republic},
  documenturl = {/papers/isotropism-spw.pdf},
  abstract    = {This position paper proposes the use of special
broadcast networks to achieve provable and measurable confidentiality
of messages.  We call these networks {\em isotropic
channels}, broadcast channels in which receivers
cannot reliably determine whether a given message originated from any
particular sender and senders cannot prevent a message from reaching
any particular receiver.  As long as eavesdroppers cannot reliably
(i.e., with probabilistic certainty) identify the sender of a message,
honest parties can efficiently exchange messages with confidentiality
that asymptotically approaches and in some cases reaches perfect
secrecy.  Even under incorrect assumptions regarding the degree of
isotropism offered by a particular channel, a high measure of
confidentiality can be efficiently achieved.

This position paper makes the case that isotropic channels already
exist, and are, in fact, often used in practice.  By leveraging
isotropic techniques, measurable information theoretic security can be
practically achieved.}
}
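% Journal article on a metadata-driven web interface to the SEER database.
% Change: the page range uses a double hyphen so it typesets as an en dash.
@article{seer,
  author   = {Weiner, Mark and Sherr, Micah and Cohen, Abigail},
  title    = {Metadata Tables to Enable Dynamic Data Modeling and Web Interface Design},
  journal  = {International Journal of Medical Informatics},
  volume   = {65},
  number   = {1},
  pages    = {51--58},
  month    = {April},
  year     = {2002},
  abstract = {A wealth of information addressing health status, outcomes and resource utilization is compiled and made available
by various government agencies. While exploration of the data is possible using existing tools, in general, would-be
users of the resources must acquire CD-ROMs or download data from the web, and upload the data into their own
database. Where web interfaces exist, they are highly structured, limiting the kinds of queries that can be executed.
This work develops a web-based database interface engine whose content and structure is generated through
interaction with a metadata table. The result is a dynamically generated web interface that can easily accommodate
changes in the underlying data model by altering the metadata table, rather than requiring changes to the interface
code. This paper discusses the background and implementation of the metadata table and web-based front end and
provides examples of its use with the Surveillance, Epidemiology and End-Results (SEER) database.}
}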
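% NPSec 2005 paper on selective bin verification as a DoS defense.
% Change: the mixed-case acronym in the title is brace-protected so
% sentence-casing styles do not flatten it to "dos".
% NOTE(review): the last sentence of the abstract reads "properties of our
% approach and parameters for defending ..."; a verb appears to be missing
% after "and". Restore it from the paper.
% NOTE(review): filename (npsec.pdf) and documenturl (/papers/binning.pdf)
% name different files; confirm which one the site should serve.
@inproceedings{sherr:npsec05,
  author      = {Sherr, Micah and Greenwald, Michael and Gunter, Carl A. and Khanna, Sanjeev and Venkatesh, Santosh S.},
  title       = {Mitigating {DoS} Attack Through Selective Bin Verification},
  booktitle   = {First Workshop on Secure Network Protocols ({NPSec})},
  month       = {November},
  year        = {2005},
  filename    = {npsec.pdf},
  documenturl = {/papers/binning.pdf},
  abstract    = {Despite considerable attention from both the academic
and commercial communities, denial-of-service (DoS) attacks
represent a growing threat to network administrators
and service providers. A large number of proposed DoS
countermeasures attempt to detect an attack in-progress
and filter out the DoS attack packets. These techniques often
depend on the instantiation of sophisticated routing mechanisms
and the ability to differentiate between normal and
malicious messages. Unfortunately, neither of these prerequisites
may be practical or possible.

We propose and evaluate a defense against DoS attacks
which we call selective bin verification. The technique
shows promise against large DoS attacks, even when attack
packets are able to permeate the network and reach
the target of their attack. We explore the effectiveness of
our technique by implementing an experimental testbed in
which selective bin verification is successfully used to protect
against DoS attacks. We formally describe the mathematical
properties of our approach and
parameters for defending against various attacks.}
}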
% IFIP WG 11.9 digital forensics conference paper (2006) on the reliability
% of network eavesdropping tools and the "confusion" countermeasures.
% location holds the conference venue; classic BibTeX styles ignore it.
@inproceedings{confusion:ifip,
  author    = {Cronin, Eric and Sherr, Micah and Blaze, Matt},
  title     = {On the Reliability of Current Generation Network Eavesdropping Tools},
  booktitle = {Second Annual IFIP WG 11.9 International Conference on Digital Forensics},
  month     = {January},
  year      = {2006},
  location  = {Orlando, Florida},
  abstract  = {This paper analyzes the problem of interception of Internet
traffic from the eavesdropper's point of view.  We focus on highly
favorable conditions for the eavesdropper in which the communicating
parties do not cooperate to obscure their traffic (e.g., messages are
sent using the standard protocols without the use of cryptography or
steganography).  We show that this seemingly simple eavesdropping
problem is harder than previously thought, and that simple -- and
entirely unilateral -- countermeasures are sufficient to prevent
accurate traffic capture in many Internet interception configurations,
including those employed by every available eavesdropping system we
tested.  Central to our approach is a new class of techniques that we
call {\em confusion}, which, unlike cryptography or steganography,
does not require cooperation by the communicating parties and, in some
case, can be employed entirely by a third party not involved in the
communication at all.  We show the viability of these threats with a
practical and effective eavesdropping-countermeasures toolkit.}
}
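% IJSN 2008 journal article on the reliability of eavesdropping tools.
% Change: the stylised word "(un)Reliability" is brace-protected so
% sentence-casing styles keep the capital R the authors chose.
% NOTE(review): no pages field is given; add it if the page range is known.
@article{confusion:ijsn,
  author   = {Cronin, Eric and Sherr, Micah and Blaze, Matt},
  title    = {On the {(un)Reliability} of Eavesdropping},
  journal  = {International Journal of Security and Networks (IJSN)},
  volume   = {3},
  number   = {2},
  month    = {February},
  year     = {2008},
  abstract = {We investigate the reliability of current generation eavesdropping tools and show that obtaining 'high fidelity' transcripts is harder than previously assumed. Even in situations highly favourable to the eavesdropper, simple unilateral countermeasures are shown to be sufficient to prevent all tested systems from reliably reconstructing communicated messages. Less than a third of the tested systems report irregularities, and 45\% incorrectly interpret covertext chosen by the sending party. Unlike cryptography or steganography, the techniques introduced require no cooperation by the communicating parties and, in some case, can be employed entirely by a third party not involved in the communication at all.}
}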
% HotSec 2006 position paper outlining a security model for sensor networks.
% NOTE(review): near the end of the abstract, "challenges for networks
% sensorsecurity obstacles" looks like an extraction garble (words fused or
% punctuation lost); check it against the paper before publishing.
@inproceedings{sensor-interesting,
  author      = {Anand, Madhukar and Cronin, Eric and Sherr, Micah and Blaze, Matt and Ives, Zachary and Lee, Insup},
  title       = {Sensor Network Security: More Interesting Than You Think},
  booktitle   = {First USENIX Workshop on Hot Topics in Security (HotSec)},
  month       = {August},
  year        = {2006},
  documenturl = {/papers/sensor-interesting.pdf},
  abstract    = {With the advent of low-power wireless sensor networks, a wealth of new applications at the interface of the real and digital worlds is emerging. A distributed computing platform that can measure properties of the real world, formulate intelligent inferences, and instrument responses, requires strong foundations in distributed computing, artificial intelligence, databases, control theory, and security.

Before these intelligent systems can be deployed in critical infrastructures such as emergency rooms and powerplants, the security properties of sensors must be fully understood. Existing wisdom has been to apply the traditional security models and techniques to sensor networks. However, sensor networks are not traditional computing devices, and as a result, existing security models and methods are ill suited. In this position paper, we take the first steps towards producing a comprehensive security model that is tailored for sensor networks. Incorporating work from Internet security, ubiquitous computing, and distributed systems, we outline security properties that must be considered when designing a secure sensor network. We propose challenges for networks sensorsecurity obstacles that, when overcome, will move us closer to decreasing the divide between computers and the physical world.}
}
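% IEEE Security and Privacy article (2005) on in-band signaling weaknesses
% in telephone wiretap collection systems.
% Changes: the ampersand in the venue name is escaped (a bare ampersand is
% an alignment character in LaTeX and stops the build when the field is
% typeset), and the page range uses a double hyphen.
% booktitle and howpublished repeat the journal name. Standard styles do
% not use them for an article entry; they are kept in case the site
% generator reads them.
% NOTE(review): the abstract has a gap after "including at least" (double
% space, then "systems"); restore the missing words from the paper.
@article{wiretapping,
  author       = {Sherr, Micah and Cronin, Eric and Clark, Sandy and Blaze, Matt},
  title        = {Signaling Vulnerabilities in Wiretapping Systems},
  journal      = {IEEE Security \& Privacy},
  booktitle    = {IEEE Security \& Privacy},
  howpublished = {IEEE Security \& Privacy},
  volume       = {3},
  number       = {6},
  pages        = {13--25},
  month        = {November},
  year         = {2005},
  documenturl  = {/papers/wiretap.pdf},
  abstract     = {Telephone wiretap and dialed number recording systems are used by law enforcement and national
security agencies to collect investigative intelligence and legal evidence. In this paper, we show that
many of these systems are vulnerable to simple, unilateral countermeasures that allow wiretap targets
to prevent their call audio from being recorded and/or cause false or inaccurate dialed digits and call
activity to be logged. The countermeasures exploit the unprotected in-band signals passed between the
telephone network and the collection system and are effective against many of the wiretapping technologies
currently used by US law enforcement, including at least  systems. Possible
remedies and workarounds are proposed, and the broader implications of the security properties of these
systems are discussed.}
}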
% HotSec 2007 paper introducing the Application-Aware Anonymity (A3)
% routing service.
@inproceedings{a3,
  author      = {Sherr, Micah and Loo, Boon Thau and Blaze, Matt},
  title       = {Towards Application-Aware Anonymous Routing},
  booktitle   = {Second USENIX Workshop on Hot Topics in Security (HotSec)},
  month       = {August},
  year        = {2007},
  documenturl = {/papers/a3-hotsec.pdf},
  abstract    = {This paper investigates the problem of designing anonymity networks that
meet application-specific performance and security constraints.  We
argue that existing anonymity networks take a narrow view of performance
by considering only the strength of the offered anonymity.  However,
real-world applications impose a myriad of communication requirements,
including end-to-end bandwidth and latency, trustworthiness of
intermediary routers, and network jitter.

We pose a grand challenge for anonymity: the development of a network
architecture that enables applications to customize routes that tradeoff
between anonymity and performance. Towards this challenge, we present
the {\em Application-Aware Anonymity (A$^3$)} routing service.  We
envision that A$^3$ will serve as a powerful and flexible anonymous
communications layer that will spur the future development of anonymity
services.
}
}
% IPTPS 2008 workshop paper introducing Veracity, a decentralized service
% for securing network coordinate systems.
@inproceedings{veracity,
  author      = {Sherr, Micah and Loo, Boon Thau and Blaze, Matt},
  title       = {Veracity: A Fully Decentralized Service for Securing Network Coordinate Systems},
  booktitle   = {7th International Workshop on Peer-to-Peer Systems (IPTPS 2008)},
  month       = {February},
  year        = {2008},
  documenturl = {/papers/veracity.pdf},
  abstract    = {Decentralized logical coordinate systems have been proposed as a means
of estimating network distances. These systems have widespread usage in
p2p networks, ranging from neighbor selection to replica
placement. Unfortunately, these systems are vulnerable to even a small
number of malicious nodes lying about their coordinates or
measurements. In this paper, we introduce {\em Veracity}, a {\em fully}
decentralized service for securing network coordinate systems. Unlike
prior proposals, Veracity requires neither the presence of a large number of
{\em a priori} trusted nodes nor the use of network triangle inequality
testing. Veracity utilizes a vote-based approach, where all advertised
coordinates are independently verified by a minimal set of nodes
before being used. Via detailed simulations in p2psim, we
demonstrate that Veracity mitigates a variety of known attacks against
Vivaldi for moderate sizes of malicious nodes, incurring acceptable
communication overhead, and in some cases, even reducing the convergence
time of the coordinate system.}
}