Open System Security - an Architectural Framework
Abstract: This Ph.D. dissertation brings a semi-formal model for the security of communications between peer entities within an OSI layer and between entire application instances.
Robert T. Morris,
A Weakness in the 4.2BSD Unix TCP/IP Software
Abstract: The 4.2 Berkeley Software Distribution of the Unix operating system (4.2BSD for short) features an extensive body of software based on the "TCP/IP" family of protocols. In particular, each 4.2BSD system "trusts" some set of other systems, allowing users logged into trusted systems to execute commands via a TCP/IP network without supplying a password. These notes describe how the design of TCP/IP and the 4.2BSD implementation allow users on untrusted and possibly very distant hosts to masquerade as users on trusted hosts. Bell Labs has a growing TCP/IP network connecting machines with varying security needs; perhaps steps should be taken to reduce their vulnerability to each other.
Matt Blaze, John Ioannidis,
The Architecture and Implementation of Network-Layer Security
Abstract: swIPe is a network-layer security protocol for the IP protocol suite. This paper presents the architecture, design philosophy, and performance of an implementation of swIPe under several variants of Unix. swIPe provides authentication, integrity, and confidentiality of IP datagrams, and is completely compatible with the existing IP infrastructure. To maintain this compatibility, swIPe is implemented using an encapsulation protocol. Mechanism (the details of the protocol) is decoupled from policy (what and when to protect and key management). swIPe under Unix is implemented using a virtual network interface. The parts of the implementation that process incoming and outgoing packets are entirely in the kernel; parameter setting and exception handling, however, are managed by user-level processes. The performance of swIPe on modern workstations is primarily limited only by the speed of the underlying authentication and encryption algorithms; the mechanism overhead is negligible in our prototype.
Steven M. Bellovin,
A Best-Case Network Performance Model
Abstract: Network performance measures usually focus on average throughput. We, however, were concerned with best-case behavior: how fast could a packet traverse the network if there were no contention for resources. By subtracting the path time to a node from the path time through the node, we were able to develop a simple best-case delay model. This model was sensitive enough to determine the board-level configuration of a router 750 miles away.
OARnet Security Procedures
Abstract: This document discusses a variety of possible measures to enhance network security for an organization intending to connect to a regional network. These are just general principles for building firewalls and security. Absolute solutions are possible only when exact configurations are available, and are outside the scope of this document.
Hilarie Orman, Sean O'Malley, Richard Schroeppel, David Schwartz,
Paving the Road To Network Security or the Value of Small
Abstract: The methods demonstrated in this paper illustrate how configuration flexibility can be achieved and how complex services can be constructed, all using the same building block modules.
Steven M. Bellovin,
Found on an Internet
Abstract: As part of our security measures, we spend a fair amount of time and effort looking for things that might otherwise be ignored. Apart from assorted attempted penetrations, we have also discovered many examples of anomalous behavior. These range from excessive ICMP messages to nominally local broadcast packets that have reached us from around the world.
Security Problems in the TCP/IP Protocol Suite
Abstract: The TCP/IP protocol suite, which is very widely used today, was developed under the sponsorship of the Department of Defense. Despite that, there are a number of serious security flaws inherent in the protocols, regardless of the correctness of any implementations. This paper describes a variety of attacks based on these flaws, including sequence number spoofing, routing attacks, source address spoofing, and authentication attacks. It also presents defenses against these attacks, and concludes with a discussion of broad-spectrum defenses such as encryption.
David K. Hess, David R. Safford, Udo W. Pooch,
A Unix Network Protocol Security Study: Network Information
Abstract: This paper is a study of the security weaknesses present in a widely used Unix network protocol, Network Information Service (NIS).
The Office of Technology Assessment (OTA),
INFORMATION SECURITY AND PRIVACY IN NETWORK
Abstract: Information technologies are transforming the ways we create, gather, process, and share information. Computer networking is driving many of these changes. But the transformation brought about by networking also raises new concerns for the security and privacy of networked information. If these concerns are not properly resolved, they threaten to limit networking's full potential, in terms of both participation and usefulness. Thus appropriate institutional and technological safeguards are required for a broad range of personal, copyrighted, sensitive, or proprietary information. The OTA report on Information Security and Privacy in Network Environments examines policy issues in three areas: 1) cryptography policy, including federal information processing standards and export controls; 2) guidance on safeguarding unclassified information in federal agencies; and 3) legal issues and information security, including electronic commerce, privacy, and intellectual property.
A Security Analysis of the NTP Protocol
Abstract: The Network Time Protocol is being used throughout the Internet to provide an accurate time service. This paper examines the security requirements of such a service, analyzes the NTP protocol to determine how well it meets these requirements, and suggests improvements where appropriate.
Alec Muffett '95 USENIX Security Symposium Presentation
Keywords: AutoHack, WanHack, USENIX, Presentation
Abstract: These are the (slightly bugfixed) slides from my presentation at the USENIX Security Symposium in June 1995; they were done in "xfig" and seem to have problems under *some* PostScript Browsers.
WAN-hacking with AutoHack, Auditing security behind the
Keywords: audit, wan, firewall, wanhack
Abstract: This paper is a review of an ongoing project to simplify security auditing of the world-wide TCP/IP network of some thirty thousand hosts, internal to Sun Microsystems. The paper also examines the issues which this project raises; it details the conception, design, development of, and one year's results gathered from, AutoHack, a tool specially created to probe, audit, and produce security reports for, a TCP/IP network of this size.
A Few Attacks on the Zero Knowledge State In Novell's
Keywords: Novell Netware, cryptographic attack, zero-knowledge proof, Man in the middle attack, Chessmaster attack
Abstract: Novell's NetWare has employed a number of security measures to ensure the protection of data on both the workstation and the server. However, a few design flaws allow even the most secure version of NetWare (NetWare 4.0) to fall to attacks. The attacks employed have been well known throughout the cryptographic community for several years. The features Novell has added include packet signatures and two different elaborate login protocols (one for NetWare 3.x and one for 4.x). I will show that these added features fail to provide the security they intend to, as well as feasible means of implementing the attacks on a NetWare internetwork.
A. Curry, Samuel D. Kimery, Kent C. De La Croix, Jeffrey R. Schwab,
An Account Creation and Maintenance System for Distributed UNIX
Abstract: ACMAINT is a network-based, centralized database system used to manage computer account creation and maintenance on the Purdue University Engineering Computer Network. ACMAINT allows the system administrator to perform account-related administrative chores for any machine on the network from any attached system. Using ACMAINT, the system administrator can create new user accounts, add or delete accounts for existing users, change the global or per-account information associated with a user, place a message on a user's accounts, and enable or disable a user's accounts. Group information and mail aliases are managed in a similar fashion. ACMAINT utilizes a central database, stored on a single network machine, which contains a copy of all data under ACMAINT's control. The system administrator makes changes to the database via a network server running on the database machine, which in turn makes changes around the network via the use of another network server which runs on each machine. Programs which read, but do not write, the standard UNIX system databases such as the password file do not need to be modified to work with ACMAINT. Programs which write the standard databases must be modified or rewritten to converse with the ACMAINT database server. ACMAINT operates transparently to the user, uses minimal network and system resources, and can be used with binary-only UNIX systems.
NFS Tracing By Passive Network Monitoring
Abstract: Traces of filesystem activity have proven to be useful for a wide variety of purposes, ranging from quantitative analysis of system behavior to trace-driven simulation of filesystem algorithms. Such traces can be difficult to obtain, however, usually entailing modification of the filesystems to be monitored and runtime overhead for the period of the trace. Largely because of these difficulties, a surprisingly small number of filesystem traces have been conducted, and few sample workloads are available to filesystem researchers. This paper describes a portable toolkit for deriving approximate traces of NFS activity by non-intrusively monitoring the Ethernet traffic to and from the file server. The toolkit uses a promiscuous Ethernet listener interface (such as the Packetfilter) to read and reconstruct NFS-related RPC packets intended for the server. It produces traces of the NFS activity as well as a plausible set of corresponding client system calls. The tool is currently in use at Princeton and other sites, and is available via anonymous ftp.
S. M. Bellovin,
Pseudo-Network Drivers and Virtual Networks
Abstract: Many operating systems have long had pseudo-teletypes, inter-process communication channels that provide terminal semantics on one end, and a smart server program on the other. This paper describes an analogous concept, pseudo-network drivers. One end of the driver appears to be a real network device, with the appropriate interface and semantics: data written to it goes to a program, however, rather than to a physical medium. Using this and some auxiliary mechanisms, the author presents a variety of applications, including system test, network monitoring, dial-up TCP/IP, and ways to both improve and subvert network security.
Pseudo-Network Drivers and Virtual Networks
Abstract: Many operating systems have long had pseudo-teletypes, inter-process communication channels that provide terminal semantics on one end, and a smart server program on the other. We describe an analogous concept, pseudo-network drivers. One end of the driver appears to be a real network device, with the appropriate interface and semantics; data written to it goes to a program, however, rather than to a physical medium. Using this and some auxiliary mechanisms, we present a variety of applications, including system test, network monitoring, dial-up TCP/IP, and ways to both improve and subvert network security. Most notably, we show how pseudo-network devices can be used to create virtual networks and to provide encrypted communications capability. We describe two implementations, one using a conventional driver for socket-based systems, and one using stream pipes for System V.
L. Schuba, Eugene
Addressing Weaknesses in the Domain Name System
Abstract: This paper describes problems with the DNS and one of its implementations that allow the abuse of name-based authentication. It also outlines the current design and implementation of the DNS, and demonstrates these weaknesses by describing the necessary modifications in authoritative DNS data and Domain Name System code.
L. Schuba, Eugene
Countering Abuse of Name-Based Authentication
Abstract: This paper describes problems of name-based authentication requiring late binding such as that provided by the DNS for host-name-to-address associations. It states the problem in an abstract way and in the concrete case of the DNS, analyzes the conditions that facilitate the exploitation of the problem, explains the weaknesses that are present in the DNS, and then explores some possible solutions to the problem.
S. M. Bellovin,
The "Session Tty" Manager
Abstract: In many Unix systems, it is possible for a program to retain access to the login terminal after the user has logged out. This poses obvious security risks and can also confuse the modem control signals. People solve this for System V by adding a layer of indirection known as the session tty driver. At login time, a session device is linked to the physical terminal. User programs have access to the session device only, and may not open the physical line. Upon logout or carrier drop, the link is severed. New login sessions are given new session devices. This is controlled by a new system process known as the session manager; by means of suitable plumbing primitives, a 'reconnect after line drop' facility can easily be implemented.
David R. Safford, David K. Hess, Douglas Lee Schales,
Secure RPC Authentication (SRA) for TELNET and FTP
Abstract: TELNET and FTP currently exchange user authentication (passwords) in plain text, which is easily eavesdropped. Several techniques, such as Kerberos and SPX, have been proposed in draft RFCs to implement secure authentication. These techniques, however, have several drawbacks, including technical complexity, poor vendor support, and organizational problems. This paper presents SRA, a very simple and tested technique based on Secure RPC which, while certainly not as strong as RSA, is reasonably strong, fast, and trivial to implement immediately for both inter and intra domain communication.
Dennis Draheim, Barton Miller, Steven Snyder,
A Reliable and Secure UNIX Connection Service
Keywords: reliable, connection, distributed programs, authentication, network
Abstract: Distributed programs require a method for processes residing on different machines to identify each other and establish communication. One method is to provide a special connection service to perform this task. A good connection service should be easy to use. It should allow arbitrary processes to connect to each other as well as helping client processes to connect to server processes. It should provide location transparency; that is, the programmer should not have to know the network address of a process to connect to it. The connection service should be reliable. It should provide a way for a process to establish the identity of the user associated with the process to which it has connected, and to communicate securely with that process. We have implemented a connection service for Berkeley UNIX that is reliable, available, secure, and easy to use. The connection service achieves ease of use through a simple interface based on the library routine meet. Meet allows one process to connect to another by specifying arbitrary names for itself and the other process. The connection service imposes no naming conventions of its own so it can be used with most name spaces and naming services. The service is location-transparent. It also provides a routine for posting services.
TCP WRAPPER Network monitoring, access control, and booby
Abstract: This paper presents a simple tool to monitor and control incoming network traffic. The tool has been successfully used for shielding off systems and for detection of cracker activity. It has no impact on legal computer users, and does not require any change to existing systems software or configuration files. The tool has been installed world-wide on numerous UNIX systems without any source code change.
Ramon Caceres, Peter B. Danzig, Sugih Jamin, Danny J. Mitzel,
Characteristics of Wide-Area TCP/IP Conversations
Abstract: In this paper, we characterize wide-area network applications that use the TCP transport protocol. We also describe a new way to model the wide-area traffic generated by a stub network. We believe the traffic model presented here will be useful in studying congestion control, routing algorithms, and other resource management schemes for existing and future networks. Our model is based on trace analysis of TCP/IP wide area internetwork traffic. We collected the data from USC, UCB and Bellcore networks at the point they connect with their respective regional access networks. We then wrote a handful of programs to analyze the traces. Our model characterizes individual TCP conversations by the distributions of: number of bytes transferred, duration, number of packets transferred, packet size, and packet interarrival time.
Abstract: This publication is issued by the National Computer Security Center (NCSC) as part of its program to promulgate technical computer security guidelines. The interpretations extend the evaluation classes of the Trusted Systems Evaluation Criteria (DOD 5200.28-STD) to trusted network systems and components.
A Guide to Understanding Trusted Distribution in Trusted
Abstract: This document is the latest in the series of technical guidelines that are being published by the National Computer Security Center. These publications are designed to provide insight to the Trusted Computer Systems Evaluation Criteria requirements and guidance for meeting each requirement.
Built by Mark Crosbie and Ivan Krsul.