Stanford Security Lunch
Winter 2008

Get announcements: Mail Ical


January 16 Detecting botnets

Speaker: Fengmin Gong (FireEye, Inc.)

Speaker: Stuart Staniford (FireEye, Inc.)

Abstract: We'll discuss some of the issues that are emerging in detecting botnets in the current security environment. FireEye's product takes a hybrid approach where we use a variety of styles of statistical anomaly detection on monitored networks to detect potentially malicious flows, and then replay the packets in those flows to heavily instrumented virtual machines to decide which of the results of the anomaly detection are actually malicious. Bootstrapping from this VM-based determination, signatures for zero-day exploits and botnet command-and-control activities, as well as bot and server coordinates, are extracted to enable further control actions. We can do this with both attacks against servers and also attacks against clients. We'll give an overview of our detection process, and then discuss the kinds of evasion techniques that criminal botnet operators are currently employing.

January 23 Default off email

Speaker: David Erickson

Abstract: DOEmail is a publicly available, free, anti-SPAM solution. DOEmail enables its users to have very fine (or coarse) grained control over access control lists governing what happens to their email. These lists can be managed through user-friendly interfaces in Mozilla Thunderbird via our custom Add-on, or through the web. This talk will cover how DOEmail works, features, apparent effectiveness, and current challenges inherent in filtering SPAM.

January 30 Overshadow: retrofitting protection in commodity OS's

Speaker: Tal Garfinkel

Abstract: Commodity operating systems entrusted with securing sensitive data are remarkably large and complex, and consequently, frequently prone to compromise. To address this limitation, we introduce a virtual-machine-based system called overshadow that protects the privacy and integrity of application data, even in the event of a total OS compromise. Overshadow presents an application with a normal view of its resources, but the OS with an encrypted view. This allows the operating system to carry out the complex task of managing an application's resources, without allowing it to read or modify them. Thus, overshadow offers a last line of defense for application data.

Overshadow builds on multi-shadowing, a novel mechanism that presents different views of "physical" memory, depending on the context performing the access. This primitive offers an additional dimension of protection beyond the hierarchical protection domains implemented by traditional operating systems and processor architectures. We present the design and implementation of overshadow and show how its new protection semantics can be integrated with existing systems. Our design has been fully implemented and used to protect a wide range of unmodified legacy applications running on an unmodified Linux operating system. We evaluate the performance of our implementation, demonstrating that this approach is practical.

Joint work with: Xiaoxin Chen, E. Christopher Lewis, Pratap Subrahmanyam, Carl A. Waldspurger, Dan Boneh, Jeffrey Dwoskin and Dan R.K. Ports

February 6 Securing frame communication in browsers

Speaker: Collin Jackson

Abstract: Web pages embed third-party content in frames, leveraging the browser's security policy to protect themselves from malicious content. Frames are often insufficient isolation primitives because most browsers are lenient and allow the framed content to interact with the rest of the page by navigating other frames. We evaluate current navigation policies, which we determine through extensive browser testing. Based on known and new attacks, we advocate a stricter navigation policy, which we implement and deploy in the open-source browsers. After examining frame isolation, we turn our attention to securing communication between frames. The first method we examine, navigation with fragment identifiers, provides confidentiality without authenticity, which we repair using concepts from a well-known network protocol. The second, postMessage, provides authentication but lacks confidentiality due to an attack we discover. Confidentiality can be added to postMessage by applying network security mechanisms, but this approach is tedious and error-prone. Instead, we advocate a backwards-compatible change to postMessage.

Joint work with: Adam Barth and John Mitchell

February 13 BotHunter: detecting malware infection through IDS-driven dialog correlation

Speaker: Phil Porras (SRI)

Abstract: We present a new kind of network perimeter monitoring strategy, which focuses on recognizing the infection and coordination dialog that occurs during a successful malware infection. BotHunter is an application designed to track the two-way communication flows between internal assets and external entities, developing an evidence trail of data exchanges that match a state-based infection sequence model.

BotHunter consists of a correlation engine that is driven by three malware-focused network packet sensors, each charged with detecting specific stages of the malware infection process, including inbound scanning, exploit usage, egg downloading, outbound bot coordination dialog, and outbound attack propagation. The BotHunter correlator then ties together the dialog trail of inbound intrusion alarms with those outbound communication patterns that are highly indicative of successful local host infection. When a sequence of evidence is found to match BotHunter’s infection dialog model, a consolidated report is produced to capture all the relevant events and event sources that played a role during the infection process.

We refer to this analytical strategy of matching the dialog flows between internal assets and the broader Internet as dialog-based correlation, and contrast this strategy to other intrusion detection and alert correlation methods. We present our experimental results using BotHunter in both virtual and live testing environments, and discuss our Internet release of the BotHunter prototype. BotHunter is made available both for operational use and to help stimulate research in understanding the life cycle of malware infections.

Joint work with: Guofei Gu, Vinod Yegneswaran, Martin Fong and Wenke Lee

February 20 Discussion: trends in malware and online advertising fraud

Speaker: Neil Daswani (Google)

Discussion:  Malware, its application in online advertising fraud, and emerging trends

February 27 Securing frame communication in browsers, part II: communication

Speaker: Adam Barth

Abstract: We turn our attention to securing communication between frames. The first method we examine, navigation with fragment identifiers, provides confidentiality without authenticity, which we repair using concepts from a well-known network protocol. The second, postMessage, provides authentication but lacks confidentiality due to an attack we discover. Confidentiality can be added to postMessage by applying network security mechanisms, but this approach is tedious and error-prone. Instead, we advocate a backwards-compatible change to postMessage.

Joint work with: Collin Jackson and John Mitchell

March 5 No talk

March 12 Should ad networks bother fighting click fraud?

Speaker: Bob Mungamuru

Abstract: Suppose an ad network detects that a given click-through is invalid (or "fraudulent"). The implication is that the ad network will not charge the advertiser for the click-through. Therefore, arguably, the ad network is "taking money out of his own pocket" by marking clicks invalid. As such, should ad networks even bother fighting fraud? We analyze a simple economic model of the online advertising market, and conclude that the answer is "yes".

Joint work with: Stephen Weis

March 14 Admit lunch with Theory group

Event:  Co-host lunch with the Theory group for new admits

Speakers:  PhD students in the Security and Theory group

Topic:  Current research projects

Location:  Gates 2A Open Space