Archives for September 2022

Cross-Layer Security: A Holistic View of Internet Security 

By Henry Birge-Lee, Liang Wang, Grace Cimaszewski, Jennifer Rexford and Prateek Mittal

On February 3, 2022, attackers launched a highly effective attack against the Korean cryptocurrency exchange KLAYswap. We discussed the details of this attack in our earlier blog post “Attackers exploit fundamental flaw in the web’s security to steal $2 million in cryptocurrency.” However, in that post we only scratched the surface of potential countermeasures. In this new post, we discuss how to defend the web ecosystem against attacks like these. The attack was composed of multiple exploits at different layers of the network stack. We term attacks like this “cross-layer attacks,” offer our perspective on why they are so effective, and propose a practical defense strategy against them that we call “cross-layer security.”

As we discuss below, cross-layer security involves security technologies at different layers of the network stack working in harmony to defend against vulnerabilities that are difficult to catch at any single layer alone.

At a high level, the adversary’s attack affected many layers of the networking stack:

  • The network layer is responsible for providing reachability between hosts on the Internet. The first part of the adversary’s attack involved targeting the network layer with a Border Gateway Protocol (BGP) attack that manipulated routes to hijack traffic intended for the victim.
  • The session layer is responsible for secure end-to-end communication over the network. To attack the session layer, the adversary leveraged its attack on the network layer to obtain a digital certificate for the victim’s domain from a trusted Certificate Authority (CA). With this digital certificate, the adversary established seemingly secure, encrypted TLS sessions with KLAYswap users.
  • The application layer is responsible for interpreting and processing data that is sent over the network. The adversary used the hijacked TLS sessions with KLAYswap customers to serve malicious JavaScript code that compromised the KLAYswap web application and caused users to unknowingly transfer their funds to the adversary.

The difficulty of fully protecting against cross-layer vulnerabilities like these is that they exploit the interactions between the layers involved: a vulnerability in the routing system can be used to exploit a weak link in the PKI, and even the web-development ecosystem is implicated because of the way JavaScript is loaded. The cross-layer nature of these vulnerabilities often leads developers working at each layer to dismiss them as a problem with the other layers.

There have been several attempts to secure the web against these kinds of attacks at the HTTP layer. Interestingly, these technologies often ended up dead in the water (as was the case with HTTP Public Key Pinning and Extended Validation certificates). This is because the HTTP layer alone does not have the routing information needed to properly detect these attacks and can rely only on information that is available to end-user applications. HTTP-only defenses therefore risk blocking connections when benign events take place, such as a domain moving to a new hosting provider or changing its certificate configuration, because these events look very similar to routing attacks at the HTTP layer.

Due to the cross-layer nature of these vulnerabilities, we need a different mindset to fix the problem: the communities working at each layer need to fully deploy the security solutions that are realistic at that layer. As we explain below, there is no silver bullet that can be quickly deployed at any single layer; instead, our best hope is more modest (but easier to deploy) security improvements at all the layers involved. Working under a “the other layer will fix the problem” attitude simply perpetuates these vulnerabilities.

Below are some short-term and ideal long-term expectations for each layer of the stack involved in these attacks. While in theory any layer implementing one of these “long-term” security improvements could drastically reduce the attack surface, these technologies have still not seen the type of deployment needed for us to rely on them in the short term. On the other hand, all the technologies in the short-term list have seen some degree of production-level, real-world deployment and are something members of these communities can start using today without much difficulty.

| Layer | Short-Term Changes | Long-Term Goals |
|---|---|---|
| Web apps (application layer) | Reduce the use of code loaded from external domains | Sign and authenticate all code being executed |
| The PKI/TLS (session layer) | Universally deploy multiple vantage point validation | Adopt a technology that verifies identity based on cryptographically protected DNSSEC, which provides security in the presence of powerful network attacks |
| Routing (network layer) | Sign and verify routes with RPKI and follow the security practices outlined by MANRS | Deploy BGPsec for near-complete elimination of routing attacks |

To elaborate:

At the application layer: Web apps are downloaded over the Internet and are completely decentralized. For the time being, there is no mechanism in place to universally vouch for the authenticity of the code or content contained in a web app. If an adversary can obtain a TLS certificate for google.com and intercept your connection to Google, your browser (right now) has no way of knowing that it is being served content that did not actually come from Google’s servers. However, developers should remember that any third-party dependency (particularly one loaded from a different domain) can be a third-party vulnerability, and they can limit the use of third-party code on their websites (or host third-party code locally to reduce the attack surface). Furthermore, both locally hosted and third-party-hosted content can be secured with subresource integrity, where a cryptographic hash included on the webpage vouches for the integrity of each dependency. This lets developers pin the exact content of the dependencies their pages load. Doing so vastly reduces the attack surface, forcing attacks to target the single connection with the victim’s web server as opposed to the many different connections involved in retrieving dependencies.
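
To make this concrete, here is a minimal Python sketch of how a subresource integrity value can be computed for a dependency; the file path in the usage comment is hypothetical:

```python
import base64
import hashlib

def sri_hash(path: str, alg: str = "sha384") -> str:
    """Compute a Subresource Integrity value for a file: the algorithm
    name, a dash, then the base64-encoded raw digest of the file bytes."""
    h = hashlib.new(alg)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(8192), b""):
            h.update(chunk)
    return f"{alg}-{base64.b64encode(h.digest()).decode()}"

# Hypothetical usage: pin a locally vendored copy of a third-party script.
# print(sri_hash("static/vendor/chart.min.js"))
# The resulting value goes in the script tag's integrity attribute:
# <script src="/static/vendor/chart.min.js"
#         integrity="sha384-..." crossorigin="anonymous"></script>
```

Browsers compare this hash against the bytes they actually fetch and refuse to execute the resource on a mismatch, so a hijacked connection to a dependency cannot silently substitute malicious code.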

At the session layer: CAs need to establish the identity of customers requesting certificates and, while there are proposals to use cryptographic DNSSEC to verify identity (like DANE), the status quo is to verify identity via network communications with the domains listed in certificate requests. Thus, global routing attacks are likely to be very effective against CAs unless we make more substantial changes to the way certificates are issued. But this does not mean all hope is lost. Many network attacks are not global but are instead localized to a specific part of the Internet. CAs can mitigate these attacks by verifying domains from several vantage points spread throughout the Internet, which allows some of the CA’s vantage points to be unaffected by the attack and to communicate with the legitimate domain owner. Our group at Princeton designed multiple vantage point validation and worked with the world’s largest web PKI CA, Let’s Encrypt, to develop the first-ever production deployment of it. CAs can and should use multiple vantage points to verify domains, making themselves immune to localized network attacks and ensuring that they see a global perspective on routing.
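
As an illustration of the idea (this is not Let’s Encrypt’s actual implementation; the vantage point names and the quorum policy are invented for the sketch), the core quorum logic looks something like this:

```python
# A minimal sketch of quorum-based multi-vantage-point domain validation.
from typing import Callable, Dict

def validate_from_vantage_points(
    checks: Dict[str, Callable[[], bool]],  # vantage point -> challenge check
    quorum: float = 0.75,                   # fraction that must agree (illustrative)
) -> bool:
    """Approve issuance only if enough vantage points independently see the
    correct challenge response; a localized hijack cannot fool them all."""
    results = [check() for check in checks.values()]
    return sum(results) / len(results) >= quorum

# Hypothetical scenario: an attacker requests a certificate for the victim's
# domain using a localized BGP hijack that fools only one vantage point.
checks = {
    "us-east":  lambda: False,  # reaches the real server: challenge absent
    "eu-west":  lambda: False,
    "ap-south": lambda: False,
    "us-west":  lambda: True,   # hijacked: sees the attacker's challenge
}
print(validate_from_vantage_points(checks))  # False: 1/4 < 0.75, issuance refused
```

The design intuition is that an attack must now simultaneously affect the routes seen by most of the CA’s vantage points, which localized hijacks by construction cannot do.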

At the network layer: In routing, protecting against all BGP attacks is difficult: it requires expensive public-key operations on every BGP update, using a protocol called BGPsec that current routers do not support. However, there has recently been significantly increased adoption of a technology called the Resource Public Key Infrastructure (RPKI), which prevents global attacks by establishing a cryptographic database of which networks on the Internet control which IP address blocks. Importantly, when properly configured, RPKI also specifies the maximum size of IP prefix that should be announced, which prevents highly effective global sub-prefix attacks. In a sub-prefix attack, the adversary announces a longer, more-specific IP prefix than the victim’s and benefits from longest-prefix-match routing to have its announcement preferred by the vast majority of the Internet. RPKI is fully compatible with current router hardware. The only downside is that RPKI can still be evaded with certain local BGP attacks where, instead of claiming to own the victim’s IP address (which is checked against the database), an adversary simply claims to be an Internet provider of the victim. The full map of which networks are connected to which other networks is not currently secured by the RPKI. This leaves a window for some types of BGP attacks, which we have seen in the wild. However, the impact of these attacks is significantly reduced and often affects only a part of the Internet. In addition, the MANRS project provides recommendations for best operational practices, including RPKI, that help prevent and mitigate BGP hijacks.
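
To illustrate why RPKI stops sub-prefix hijacks but not “fake provider” attacks, here is a simplified route-origin-validation sketch (the prefix and AS numbers are made up, and real validators follow RFC 6811):

```python
# Simplified RPKI route-origin validation. A ROA binds an IP prefix to an
# authorized origin AS and a maxLength; announcements of more-specific
# prefixes beyond maxLength are invalid, which defeats sub-prefix hijacks.
from ipaddress import ip_network

ROAS = [
    {"prefix": ip_network("203.0.113.0/24"), "max_length": 24, "asn": 64500},
]

def route_origin_validity(announced: str, origin_asn: int) -> str:
    prefix = ip_network(announced)
    covered = False
    for roa in ROAS:
        if prefix.subnet_of(roa["prefix"]):
            covered = True
            if origin_asn == roa["asn"] and prefix.prefixlen <= roa["max_length"]:
                return "valid"
    return "invalid" if covered else "unknown"

print(route_origin_validity("203.0.113.0/24", 64500))  # valid: legitimate route
print(route_origin_validity("203.0.113.0/25", 64666))  # invalid: sub-prefix hijack
print(route_origin_validity("203.0.113.0/24", 64666))  # invalid: wrong origin AS
```

Note that this logic checks only the origin of a route, not the path to it: an adversary that keeps the victim’s AS as the origin and merely claims to be one of its providers still appears “valid,” which is exactly the local-attack loophole described above.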

Using Cross-Layer Security to Defend Against Cross-Layer Attacks

Looking across these layers we see a common trend: every layer has proposed security technologies that could potentially stop attacks like the KLAYswap attack, but these technologies all face deployment challenges. There are also more modest technologies seeing extensive real-world deployment today, yet each of these deployed technologies alone can be evaded by an adaptive adversary: RPKI can be evaded by local attacks, multiple-vantage-point validation by global attacks, and so on. However, if we instead look at the benefit offered by all of these technologies deployed together at different layers, things look more promising. The table below summarizes this:

| Security Technology (Layer) | Detects routing attacks that affect the entire Internet | Detects routing attacks that affect part of the Internet | Limits the number of potential targets for routing attacks |
|---|---|---|---|
| RPKI (network layer) | Yes | No | No |
| Multiple-vantage-point validation (session layer) | No | Yes | No |
| Subresource integrity and locally hosted content (application layer) | No | No | Yes |

This synergy of security technologies deployed at different layers is what we call cross-layer security. RPKI alone can be evaded by clever adversaries (using attack techniques we are seeing more and more often in the wild). However, the attacks that evade RPKI tend to be local (i.e., not affecting the entire Internet), which synergizes with multiple-vantage-point validation, the defense best at catching local attacks. Furthermore, because even these two technologies working together do not fully eliminate the attack surface, improvements at the application layer that reduce reliance on code loaded from external domains shrink that surface even further. At the end of the day, the entire web ecosystem can benefit tremendously from each layer deploying security technologies that leverage the information and tools available exclusively to that layer. When working in unison, these technologies can do something that none of them could do alone: stop cross-layer attacks.

Cross-layer attacks are surprisingly effective because no single layer has enough information about the attack to completely prevent it. However, each layer does have the ability to protect against a different portion of the attack surface. If developers across these different communities know what type of security is realistic and expected of their layer in the stack, we will see meaningful improvements.

Even though the ideal endgame is to deploy a security technology capable of fully defending against cross-layer attacks, we have not yet seen wide-scale adoption of any such technology. In the meantime, if we continue to focus defenses against cross-layer attacks at a single layer, these attacks will take significantly longer to protect against. Changing our mindset and seeing the strengths and weaknesses of each layer lets us protect against these attacks much more quickly, by increasing the use of synergistic technologies at different layers that have already seen real-world deployment.

We are releasing three longitudinal datasets of Yelp review recommendations with over 2.5M unique reviews.

By Ryan Amos, Roland Maio, and Prateek Mittal

Online reviews are an important source of consumer information, play an important role in consumer protection, and have a substantial impact on businesses’ economic outcomes. Some of these reviews may be problematic; for example, incentivized reviews, reviews with a conflict of interest, irrelevant reviews, and entirely fabricated reviews. To address this problem, many review platforms develop systems to determine which reviews to show to users. Little is known about how such online review recommendations change over time.

We introduce a novel dataset of Yelp reviews to study these changes, which we call reclassification. Studying reclassification can help us understand the validity of prior work that depends on Yelp’s labels, evaluate Yelp’s existing classifier, and shed light on the fairly opaque process of review recommendation.

Data Overview

Our data is sourced from Yelp between 2020 and 2021 and contains reviews that Yelp classifies as “Recommended” and “Not Recommended,” with a total of 2.2 million reviews described in 12.5 million data points. Our data release consists of three datasets: a small dataset with an eight-year span (when combined with prior work), a large dataset concentrated in the Chicago area, and a large dataset spread across the US and stratified by population density and household income.

The data is pseudonymized to protect reviewer privacy, and the analyses in our corresponding paper can be reproduced with the pseudonymous data.

Obtaining Access

Please visit our website for more information on requesting access:

https://sites.google.com/princeton.edu/longitudinal-review-data

Is Internet Voting Secure? The Science and the Policy Battles

I will be presenting a similarly titled paper at the 2022 symposium on Contemporary Issues in Election Law run by the University of New Hampshire Law Review, October 7th in Concord, NH. The paper will be published in the UNH Law Review in 2023 and is available now on SSRN.

I have already serialized parts of this paper on Freedom-to-Tinker: Securing the Vote; unsurprising and surprising insecurities in Democracy Live’s OmniBallot; the New Jersey lawsuit (and settlement); the New York (et al.) lawsuit; lawsuits in VA, NJ, NY, NH, and in NC; inherent insecurity; accommodating voters with disabilities; and Switzerland’s system.

Now here it is in one coherent whole, with footnotes.

Abstract. No known technology can make internet voting secure, according to the clear scientific consensus. In some applications—such as e-pollbooks (voter sign-in), voter registration, and absentee ballot request—it is appropriate to use the internet, as the inherent insecurity can be mitigated by other means. But the insecurity of paperless transmission of a voted ballot through the internet cannot be mitigated.

The law recognizes this in several ways. Courts have enjoined the use of certain paperless or internet-connected voting systems. Federal law requires states to allow voters to use the internet to request absentee ballots, but carefully stops short of internet ballot return (i.e., voting).

But many U.S. states and a few countries go beyond what is safe: they have adopted internet voting, for citizens living abroad and (in some cases) for voters with disabilities.

Most internet voting systems share an essentially common architecture, and they are insecure at least at the same key point: after the voter has reviewed the ballot but before it is transmitted. I review six internet voting systems deployed between 2006 and 2021 that were insecure in practice, just as predicted by theory; some were also insecure in surprising new ways, “unforced errors.”

We can’t get along without the assistance of computers. U.S. ballots are too long to count entirely by hand unless the special circumstances of a recount require it. So computer-counted paper ballots play a critical role in the security and auditability of our elections. But audits cannot be used to secure internet voting systems, which have no paper ballots that form an auditable paper trail.

So there are policy controversies: trustworthiness versus convenience, security versus accessibility. In 2019-22 there were lawsuits in Virginia, New Jersey, New York, New Hampshire, and North Carolina; legislation enacted in Rhode Island and withdrawn in California. There is a common pattern to these disputes, which have mostly resolved in a way that provides remote accessible vote by mail (RAVBM) but stops short of permitting electronic ballot return (internet voting).

What would it take to thoroughly review a proposed internet voting system, to determine whether it delivers the security it promises? Switzerland provides a case study. In Switzerland, after a few years of internet voting pilot projects, the Federal Chancellery commissioned several extremely thorough expert studies of the deployed system. These reports teach us not only about that internet voting system itself but also about how to study such systems before making policy decisions.

Accessibility of election systems to voters with disabilities is a genuine problem. Disability-rights groups have been among those lobbying for internet voting (which is not securable) and for other forms of remote accessible vote by mail (which can be made adequately secure). I review statistics showing that internet voting is probably not the most effective way to serve voters with disabilities.