Workshop Program

In recent years, cyber security researchers have become burdened by the time and cost necessary to instantiate secure testbeds suitable for analyzing new threats or evaluating emerging technologies [1]. To alleviate this, DARPA initiated the National Cyber Range (NCR) program to develop the architecture and software tools needed for a secure, self-contained cyber testing facility. Among NCR’s goals was the development of a range capable of rapid and automated reconfiguration of resources, broad scalability, and support for running simultaneous experiments at different security levels [2].

In this paper we present our architecture for the Range-level Command & Control System (RangeC2) developed as part of the Johns Hopkins University Applied Physics Laboratory’s implementation of the NCR [3]. Our discussion includes the RangeC2’s functional and non-functional requirements, the rationale behind its partitioning into layered subsystems, an analysis of each subsystem’s fundamental mechanisms, and an in-depth look at their processing paradigms and data flows.

To meet the demands of this range, the RangeC2 was required to perform three primary jobs: 1) management of all range resources; 2) management of numerous concurrent experiments; and 3) enforcement of each experiment’s resource security and perimeter isolation. Our discussion of the architecture will show how these requirements were met while overcoming the RangeC2’s most critical challenges.

Security and performance evaluation of Internet protocols can be greatly aided by emulation in realistic deployment scenarios. We describe our implementation of such methods which uses high-level abstractions to bring simplicity into a virtualized test-lab.

We argue that current test-labs have not adequately captured those challenges, partly because their design is too static. To achieve more flexibility and to allow the experimenter to easily deploy many alternative scenarios we need abstractions that allow auto-configuration and auto-deployment of real router and server code in a multi-AS infrastructure. We need to be able to generate scenarios for multi-party players in a fully isolated emulated test-lab and deploy the network using virtualized routers, switches, and servers.

In this paper, our abstractions are specifically designed to evaluate the BGP security framework currently being documented by the IETF SIDR working group. We capture the relevant aspects of the SIDR security proposals, and allow experimenters to evaluate the technology in topologies of real router and server code. We believe such methods are also useful for teaching newcomers and operators, as it allows them to gain experience in a sandbox before deployment. It allows security experts to set up controlled experiments at various levels of complexity, and concentrate on discovering weaknesses, instead of having to spend time on tedious configuration tasks. Finally, it allows router vendors and implementers to test their code and to perform scalability evaluation.

Smart grids are susceptible to cyber-attack as a result of new communication, control and computation techniques employed in the grid. In this paper, we characterize and analyze the resiliency of smart grid communication architecture, specifically an RF mesh based architecture, under cyber attacks. We analyze the resiliency of the communication architecture by studying the performance of high-level smart grid functions such as metering, and demand response which depend on communication. Disrupting the operation of these functions impacts the operational resiliency of the smart grid. Our analysis shows that it takes an attacker only a small fraction of meters to compromise the communication resiliency of the smart grid. We discuss the implications of our result to critical smart grid functions and to the overall security of the smart grid.

Web-based malware is pervasive. Miscreants compromise insecure hosts or even set up dedicated servers to distribute malware to unsuspecting users. This scourge is mainly fought by the voluntary action of private actors who detect and report infections to affected site owners, hosting providers and registrars. In this paper we describe an experiment to assess whether sending reports to affected parties makes a measurable difference in cleaning up malware. Using community reports of malware submitted to StopBadware over two months in Fall 2011, we find evidence that detailed notices are immediately effective: 32% of malware-distributing websites are cleaned within one day of sending a notice, compared to just 13% of sites not receiving a notice. The improved cleanup rate holds for longer periods, too – 62% of websites receiving a detailed notice were cleaned up after 16 days, compared to 45% of websites not receiving a notice. It turns out that including details describing the compromise is essential for the notice to work – sending reports with minimal descriptions of the malware was found to be roughly as effective as not sending reports at all. Furthermore, we present evidence that sending multiple notices from two sources is not helpful. Instead, only the first transmitted notice makes a difference.

We conducted a study of student web browsing habits at Indiana University’s Bloomington campus, in which we examined the web page requests of over 1,000 students during a period of two months. In this paper, we discuss the details of the study development and implementation from the point of view of ethical design. Concerns with stakeholder privacy, the quality of study data collection, human subjects research protocols, and unexpected data anomalies are presented in order to illustrate the many difficulties and ethical pitfalls confronting network researchers even at this small scale. Success and failures to meet the principles of ethical design are highlighted. A secondary contribution is the evolution of the instruments that were developed through the human subjects process. Finally, we discuss the impact of the Menlo Report (DHS-2011-0074) and similar documents on the future directions of network and security research.

This paper describes our experiences as researchers and developers during red teaming exercises of the SAFEST anonymity system. We argue that properly evaluating an anonymity system — particularly one that makes use of topological information and diverse relay selection strategies, as does SAFEST— presents unique challenges that are not addressed using traditional red teaming techniques. We present our efforts towards meeting these challenges, and discuss the advantages of a collaborative red teaming paradigm in which developers play a supporting role during the evaluation process.

Information flow is still relevant, from browser privacy to side-channel attacks on cryptography. However, many of the seminal ideas come from an era when multi-level secure systems were the main subject of study. Students have a hard time relating the material to today’s familiar commodity systems.

We describe our experiences developing and utilizing an online version of the game Werewolves of Miller’s Hollow (a variant of Mafia). To avoid being eaten, students must exploit inference channels on a Linux system to discover “werewolves” among a population of “townspeople.” Because the werewolves must secretly discuss and vote about who they want to eat at night, they are forced to have some amount of keystroke and network activity in their remote shells at this time. In each instance of the game the werewolves are chosen at random from among the townspeople, creating an interesting dynamic where students must think about information flow from both perspectives and keep adapting their techniques and strategies throughout the semester.

This game has engendered a great deal of enthusiasm among our students, and we have witnessed many interesting attacks that we did not anticipate. We plan to release the game under an open source software license.

The rapid evolution of threat ecosystems and the shifting focus of adversarial actions complicate efforts to assure security of an organization’s computer networks. Efforts to build a rigorous science of security, one consisting of sound and reproducible empirical evaluations, start with measures of these threats, their impacts, and the factors that influence both attackers and victims. In this study, we present a careful examination of the issue of account compromise at two large academic institutions. In particular, we evaluate different hypotheses that capture common perceptions about factors influencing victims (e.g., demographics, location, behavior) and about the effectiveness of mitigation efforts (e.g., policy, education). While we present specific and sometimes surprising results of this analysis at our institutions, our goal is to highlight the need for similar in-depth studies elsewhere.