More interesting papers to read…

I’ve got a number of papers that I typically share with students in my class.  I’ve selected these because I think they’re interesting, not necessarily because they’re the most current on the various topics.  I gather these from a variety of sources including Usenix (I’m a huge Usenix fan, though I haven’t been able to attend any of the conferences lately), DefCon and BlackHat.  There are also a number of authors I stalk, er, track.  One of them is Vern Paxson – you’ll see that several of the papers below have his name on them.

“Measuring Pay-per-Install: The Commoditization of Malware Distribution”, by Juan Caballero, IMDEA Software Institute; Chris Grier, Christian Kreibich, and Vern Paxson, University of California, Berkeley.  This talks about the ways that miscreants can pay for installation of malware.

“The Nuts and Bolts of a Forum Spam Automator” by Youngsang Shin, Minaxi Gupta, Steven Myers, School of Informatics and Computing, Indiana University discusses a highly automated forum spam automator.  I get a chuckle out of thinking of competing automated systems posting spam to web forums in response to each other’s postings, and of automated systems trying to detect the same and remove the spam and block the posters…

This one is fun: “SkyNET: a 3G-enabled mobile attack drone and stealth botmaster”, by Theodore Reed, Joseph Geis and Sven Dietrich, all of the Stevens Institute of Technology.  Follow up by watching the Terminator movies… 🙂

“An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants” by Jason Franklin (Carnegie Mellon University), Adrian Perrig (Cylab/CMU), Vern Paxson (ICSI), and Stefan Savage (UC San Diego) discusses how miscreants on the Internet get their $$.  Great paper, must read!  The title is a play on the title of a book by Adam Smith: “An Inquiry into the Nature and Causes of the Wealth of Nations”.

“The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments” by Peter A. Loscocco, Stephen D. Smalley, Patrick A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, and John F. Farrell (all of the NSA) argues that the security of modern systems depends on having secure operating systems.  Which we (still) mostly don’t have.

“Manufacturing Compromise: The Emergence of Exploit-as-a-Service” by Chris Grier (UC Berkeley), Lucas Ballard (Google), Juan Caballero (IMDEA), Neha Chachra (UC San Diego), Christian J. Dietrich (University of Applied Sciences Gelsenkirchen), Kirill Levchenko (UC San Diego), Panayiotis Mavrommatis (Google), Damon McCoy (George Mason University), Antonio Nappa (IMDEA), Andreas Pitsillidis (ICSI), Niels Provos (Google), M. Zubair Rafique (IMDEA), Moheeb Abu Rajab (Google), Christian Rossow (University of Applied Sciences Gelsenkirchen), Kurt Thomas (UC Berkeley), Vern Paxson (UC Berkeley, ICSI), Stefan Savage (ICSI) and Geoffrey M. Voelker (UC San Diego) (whew!) investigates the use of browser drive-by infections in the underground economy.

“What’s Clicking What? Techniques and Innovations of Today’s Clickbots” by Brad Miller (UC Berkeley), Paul Pearce (UC Berkeley), Chris Grier (UC Berkeley, ICSI), Christian Kreibich (ICSI), and Vern Paxson (UC Berkeley and ICSI) talks about click-bots, which are used to conduct click fraud.  Wondering what that is?  Read!

“Insights from the Inside: A View of Botnet Management from Infiltration” by Chia Yuan Cho (UC Berkeley), Juan Caballero (Carnegie Mellon University and UC Berkeley), Chris Grier (UC Berkeley), Vern Paxson (UC Berkeley, ICSI), and Dawn Song (UC Berkeley) explores the internal workings of the MegaD botnet, which they infiltrated.

— Steve

Reading material for a rainy day…

Helen recently pointed us to a Palo Alto blog posting on “security must reads”.  I thought the Palo Alto post was interesting, but while I certainly encourage reading (whether for work or for fun), some of their entries seem a little goofy.

For example, I like William Gibson, and “Neuromancer” is one of my favorite books – I can’t tell you how many times I’ve read it.  Many.  I like “Mona Lisa Overdrive” even better.  But a “must read” for a security professional?  Hmmm…

I do have a list of “security papers must reads”, though.  I was going to post this big long list, but I think I’ll start with some of my all-time general favorites and save the rest for later.

At the top of my list is Ken Thompson’s “Reflections on Trusting Trust”.  This is a classic that I think really helps frame some of the challenges in Information Security.  I’ll leave it to you to read the paper (it’s short and fairly easy to follow) and have your own “aha” moment.

Another “formative” paper for me was Robert Baldwin’s dissertation “Rule Based Analysis of Computer Security”, 1987.  He describes (and implemented) an AI-based system for analyzing the security of Unix systems.  I was exposed to this through using Dan Farmer’s “COPS” software (see “The COPS Security Checker System”), which includes a modified version of Baldwin’s Kuang software.  The name “Kuang” comes from “Neuromancer”, by the way, so perhaps I should rescind my comment about it not being a “must-read” above 🙂  The basic gist of Baldwin’s paper was to use AI techniques like backward chaining, using the current system state and rules that describe the security model for a system, to see whether there were ways to reach certain goals (such as “become root”) from a given start state (“I’m logged in as a non-root user”).  I spent some time using and trying to improve the software, which was very instructive for me.  Kuang led to the development of other systems, like NetKuang.  I frequently wonder what the future of AI and Information Security is, especially in these days of “Big Everything”…
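A toy version of the backward-chaining analysis Baldwin’s paper describes, added here as an illustration (it is not Baldwin’s Kuang or Farmer’s COPS code): the rule base and the system facts are constructed, and find_path reports the chain of facts that lets the goal “can act as root” be derived from “logged in as alice”, or None when no chain exists.

```python
# Added example of Kuang-style backward chaining for a security audit; not Baldwin's or COPS code.
import itertools

RULES = [  # (head, body): head holds if every body term holds; tokens starting with '?' are variables
    (("can_act_as", "?U"), [("logged_in_as", "?U")]),
    (("can_write", "?F"), [("world_writable", "?F")]),
    (("can_write", "?F"), [("owner", "?F", "?U"), ("can_act_as", "?U")]),
    (("can_act_as", "?U"), [("startup_file", "?U", "?F"), ("can_write", "?F")]),
]
_fresh = itertools.count()

deref = lambda t, env: deref(env[t], env) if t in env else t   # follow a variable's binding chain
subst = lambda t, env: tuple(deref(x, env) for x in t)         # apply bindings to a whole term

def unify(a, b, env):                      # two-way unification: returns extended bindings or None
    env = dict(env)
    for x, y in zip(a, b):
        x, y = deref(x, env), deref(y, env)
        if x != y and x.startswith("?"):
            env[x] = y
        elif x != y and y.startswith("?"):
            env[y] = x
        elif x != y:                       # two different constants: no match
            return None
    return env if len(a) == len(b) else None

def prove(goals, facts, env):              # goals: stack of (term, ancestor terms); yields (env, facts used)
    if not goals:
        yield env, []
        return
    goal, path = subst(goals[0][0], env), goals[0][1]
    if goal in path:                       # cut cycles such as can_write -> can_act_as -> can_write
        return
    for fact in sorted(facts):             # base case: the goal is a known fact
        e = unify(goal, fact, env)
        if e is not None:
            yield from ((e2, [fact] + used) for e2, used in prove(goals[1:], facts, e))
    for head, body in RULES:               # otherwise derive it from a rule, variables renamed per use
        n = next(_fresh)
        ren = lambda t: tuple(f"{x}_{n}" if x.startswith("?") else x for x in t)
        e = unify(goal, ren(head), env)
        if e is not None:
            yield from prove([(ren(b), path + (goal,)) for b in body] + goals[1:], facts, e)

def find_path(goal, facts):                # chain of facts from which `goal` follows, or None if unreachable
    return next((used for _, used in prove([(goal, ())], facts, {})), None)

# Constructed system state: alice is logged in; /etc/profile, which root runs at login, is world-writable.
FACTS = {("logged_in_as", "alice"), ("owner", "/etc/profile", "root"),
         ("startup_file", "root", "/etc/profile"), ("world_writable", "/etc/profile")}
```

Calling find_path(("can_act_as", "root"), FACTS) returns the two facts that form the chain (the startup file and its world-writable permission); the same call on FACTS with the world-writable entry removed returns None, which is the result an administrator wants after fixing the permission.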

I’ll also list Dan Geer’s essays on monocultures, especially “Cyberinsecurity: The Price of Monopoly”.  I don’t think people think about this enough (or about separation of “trust domains”).  There’s an attraction to the scalability of monocultures: I know from experience that it’s a lot easier to manage a few platforms rather than dozens, and it’s a lot easier to manage hundreds/thousands of systems if they’re all cut from the same pattern.  But if something bad happens, it could happen to all of them at the same time.  Oh, check this out also: “Heartbleed as Metaphor”, along the same theme…

Last one I’ll mention today is Bill Bryant’s “Designing an Authentication System: A Dialogue in Four Scenes”.  This presents a fictional account of the design of Kerberos, one of the cornerstones of MIT’s Project Athena, which has become one of the foundations of authentication systems across the Internet.  If you’ve ever wanted to understand why authentication systems are designed the way they are, or why they are so hard to get right, but don’t want an uber-technical treatment of the subject, THIS is the paper for you!

— Steve