Secure Network Provenance
Operators of distributed systems often find themselves needing to answer a
diagnostic or forensic question. Some part of the system is found to be in
an unexpected state; for example, a suspicious routing table entry is
discovered, or a proxy cache is found to contain an unusually large number of
advertisements. The operators must determine the causes of this state before
they can decide on an appropriate response. On the one hand, there may be an
innocent explanation: the routing table entry could be the result of a misconfiguration,
and the cache entries could have appeared due to a workload change. On the
other hand, the unexpected state may be the symptom of an ongoing attack: the
routing table entry could be the result of route hijacking, and the cache
entries could be a side-effect of a malware infection. In this situation, it
would be helpful to be able to ask the system to "explain"
its own state, e.g., by describing a chain of events that link the state
to its root causes, such as external inputs.
As long as the system is working correctly, emerging network provenance
techniques can construct such explanations. However, if some of the nodes are
faulty or have been compromised by an adversary, the situation is complicated
by the fact that the adversary can cause the nodes under his control to lie,
suppress information, tamper with existing data, or report nonexistent events.
This can cause the provenance system to turn from an advantage into a liability:
its answers may cause operators to stop investigating an ongoing attack
because everything looks fine.
The goal of this project is to provide secure network provenance, that is,
the ability to correctly explain system states even when (and especially when)
the system is faulty or under attack. Towards this goal, we are substantially
extending and generalizing the concept of network provenance by adding capabilities
needed in a forensic setting, we are developing techniques for securely storing
provenance without trusted components, and we are designing methods for
efficiently querying secure provenance. We are evaluating our techniques
in the context of concrete applications, such as Hadoop MapReduce or BGP
- Detecting Covert Timing Channels with Time-Deterministic Replay
Ang Chen, W. Brad Moore, Hanjun Xiao, Andreas Haeberlen, Linh Thi Xuan Phan, Micah Sherr, and Wenchao Zhou
11th USENIX Symposium on
Operating Systems Design and Implementation (OSDI '14),
Broomfield, CO, October 2014.
- Never Been KIST: Tor's Congestion Management Blossoms with Kernel-Informed Socket Transport
Rob Jansen, John Geddes, Chris Wacek, Micah Sherr, and Paul Syverson
23rd USENIX Security Symposium, San Diego, CA, August 2014.
- Diagnosing Missing Events in Distributed Systems with Negative Provenance
Yang Wu, Mingchen Zhao, Andreas Haeberlen, Wenchao Zhou, and Boon Thau Loo
Proceedings of ACM SIGCOMM 2014, Chicago, IL, August 2014.
[PDF] [BibTex] [Technical report] [Yang's slides]
- Privacy-Aware Message Exchanges for Humanets
Adam Aviv, Micah Sherr, Matt Blaze, and Jonathan Smith
Elsevier Journal of Computer Communications, vol. 48, pages 30-43, July 2014.
- Censorship Resistance as a Side-Effect
Henry Tan and Micah Sherr
22nd International Workshop on Security Protocols, Cambridge, UK, March 2014.
- Let SDN be your eyes: Secure Forensics in Data Center Networks
Adam Bates, Kevin Butler, Andreas Haeberlen, Micah Sherr, and Wenchao Zhou
NDSS Workshop on
Security of Emerging Network Technologies (SENT '14), San Diego,
CA, February 2014.
- The Design and Implementation of the A3 Application-Aware Anonymity Platform
Micah Sherr, Harjot Gill, Taher Aquil Saeed, Andrew Mao, William R. Marczak, Saravana Soundararajan, Wenchao Zhou, Boon Thau Loo, and Matt Blaze
Elsevier Computer Networks, vol. 58, pages 206-227, February 2014
- Validating Web Content with Senser
Jordan Wilberding, Andrew Yates, Micah Sherr, and Wenchao Zhou
2013 Annual Computer Security Applications Conference (ACSAC'13), New Orleans, LA, December 2013.
- Answering Why-Not Queries in Software-Defined Networks with
Yang Wu, Andreas Haeberlen, Wenchao Zhou, and Boon Thau Loo
12th ACM Workshop
on Hot Topics in Networks (HotNets-XII), College Park, MD,
- Towards Privacy-Preserving Fault Detection
Antonis Papadimitriou, Mingchen Zhao, and Andreas Haeberlen
9th Workshop on Hot Topics in
Dependable Systems (HotDep '13), Farmington, PA, November 2013.
- Users Get Routed: Traffic Correlation on Tor By Realistic Adversaries
Aaron Johnson, Chris Wacek, Rob Jansen, Micah Sherr, and Paul Syverson
20th ACM Conference on Computer and Communications Security (CCS '13), Berlin, Germany, November 2013.
- Distributed Time-Aware Provenance
Wenchao Zhou, Suyog Mapara, Yiqing Ren, Yang Li, Andreas Haeberlen, Zachary Ives, Boon Thau Loo, and Micah Sherr
39th International Conference on Very Large Data Bases (VLDB '13), Riva del Garda, Italy, August 2013.
- Private and Verifiable Interdomain Routing Decisions
Mingchen Zhao, Wenchao Zhou, Alexander J. T. Gurney, Andreas Haeberlen, Micah Sherr,
and Boon Thau Loo
SIGCOMM 2012, Helsinki, Finland, August 2012
[PDF] [BibTex] [Technical report]
- Privacy-Aware Message Exchanges for Geographically Routed Human Movement
Adam J. Aviv, Micah Sherr, Matt Blaze, and Jonathan M. Smith
17th European Symposium on
Research in Computer Security (ESORICS), Pisa, Italy, September 2012
- $100,000 Prize Jackpot. Call Now! Identifying the Pertinent Features of SMS Spam
Henry Tan, Nazli Goharian, and Micah Sherr
Poster, presented at: ACM Conference on Research and Development in Information Retrieval
(SIGIR), Portland, OR, August 2012
- Querying Provenance for Ranking and Recommending
Zachary G. Ives, Andreas Haeberlen, Tao Feng, and Wolfgang Gatterbauer
4th USENIX Workshop on the Theory and Practice of Provenance (TaPP'12), Boston, MA, June 2012
- Accountable Wiretapping -or- I Know They Can Hear You Now
Adam Bates, Kevin Butler, Micah Sherr, Clay Shields, Patrick Traynor, and Dan Wallach
19th Annual Network and Distributed System Security
Symposium (NDSS), San Diego, CA, February 2012
- Exploring the Potential Benefits of Expanded Rate Limiting in Tor: Slow and Steady Wins the Race With Tortoise
Brad Moore, Chris Wacek, and Micah Sherr
Annual Computer Security Applications Conference (ACSAC), Orlando, FL, December 2011
- Having your Cake and Eating it too: Routing Security with Privacy Protections
Alexander J. T. Gurney, Andreas Haeberlen, Wenchao Zhou, Micah Sherr, and Boon Thau Loo
10th ACM Workshop on Hot Topics in Networks
(HotNets-X), Cambridge, MA, November 2011.
- Secure Network Provenance
Wenchao Zhou, Qiong Fei, Arjun Narayan, Andreas Haeberlen, Boon Thau
Loo, and Micah Sherr
23rd ACM Symposium on Operating Systems Principles
(SOSP '11), Cascais, Portugal, October 2011.
[PDF] [BibTex] [Technical report]
- TAP: Time-aware Provenance for Distributed Systems
Wenchao Zhou, Ling Ding, Andreas Haeberlen, Zachary Ives, and Boon Thau Loo
3rd USENIX Workshop on the Theory and Practice of Provenance (TaPP '11), Heraklion, Greece, June 2011.
- NetTrails: A Declarative Platform for Maintaining and Querying Provenance in Distributed Systems
Wenchao Zhou, Qiong Fei, Shengzhi Sun, Tao Tao, Andreas Haeberlen, Zachary Ives, Boon Thau Loo, and Micah Sherr
Demo. ACM SIGMOD International Conference on Management of Data (SIGMOD '11 demo), Athens, Greece, June 2011.
- Tracking Adversarial Behavior in Distributed Systems with Secure Network Provenance
Wenchao Zhou, Andreas Haeberlen, Boon Thau Loo, and Micah Sherr.
Technical Report MS-CIS-10-28, University of Pennsylvania, August 2010.
Boon Thau Loo
Zachary G. Ives
Students and postdocs:
W. Brad Moore
Wenchao Zhou (now faculty at Georgetown)
Alexander Gurney (now at Comcast)
Qiong Fei (now at Amazon)
This work is funded by the National Science Foundation
under the Trustworthy
Computing program (grant number CNS-1065130).