Securing Information Transmission by Redundancy

1
Securing Information Transmission by Redundancy

• Jun Li Peter Reiher Gerald Popek
• Computer Science Department
• UCLA
• NISS Conference
• October 21, 1999

2
Outline

• Interruption threats are hard to counter
• Redundant transmission makes interruptions harder
• But redundant transmission is not as easy as
  using redundancy in other areas
• Sample uses
• Conclusion

3
Interruption Threats

Destination
Source
An interruption attack occurs
Result? No data flows to the destination
4
Problem

• Many kinds of interruption threats
• Corrupted routers drop packets
• Transmitting over packets on shared media
• Congesting links or routers
• Conventional approaches wont help
• Encrypted/signed message can still be interrupted
• Acknowledgement wont help either
• The acknowledgement itself is subject to
  interruption
• Retransmission means possibly failing again
• So?

5
Using Redundancy To Counter Interruptions

• Dont use a single path
• Any point on the single path is a point of
  failure
• Use redundancy to secure transmission
• Only parallel redundancy considered here
• A node is expected to receive multiple copies of
  one message
• Successful if at least one copy is authentically
  received
• Redundancy has been widely used in other areas
• High availability storage
• Replicated execution
• And many others

6
A Simple Example
Source
Normal delivery uses a default path

The redundant copy gets through despite a bad
router
Destination
7
But . . .

• Redundant transmission is tough
• Discovering disjoint paths is difficult
• Routing is transparent to applications
• Using disjoint paths is difficult
• They may not exist at all
• Can try to be as disjoint as possible
  nevertheless
• An attacker has to find a choke point or break
  multiple points
• Scale can also cause big problems
• And what about costs of sending multiple copies?

8
Sample Uses of Redundancy

• Revere
• Secure delivery of security updates
• General purpose redundant packet delivery service
• Redundancy for every network user?

9
Revere

• Goal disseminate security updates to large
  number of machines
• Assume a trusted dissemination center
• Security updates
• Small size but critical information
• Examples
• New virus signature
• New intrusion detection signature
• CRL (certificate revocation lists)
• Offending characteristics for a firewall to
  monitor

10
Revere Structure

• Acks/Nacks inappropriate
• Scaling, lack of complete trust, etc.
• Use redundancy to send multiple copies to each
  node
• Each node can also forward security updates to
  others
• A node can contact multiple repository nodes for
  missed updates

11
General Redundant Packet Delivery Services

• How could we add a redundant packet delivery
  service to the Internet?
• What would be the best method of achieving
  redundancy?
• Know a lot about the network?
• Or rely on randomness and obscurity?
• What are the costs of doing so?
• How could it be easily deployable?
• Proxy-based solutions?

12
Conclusion

• Conventional security approaches and transmission
  primitives dont adequately counter interruption
  threats
• Redundancy is a promising tool
• But effective use of redundancy is challenging
• Are there other problems that redundancy can
  solve?
• Does redundancy itself lead to new security
  threats?

13
Questions

• Contact information
• Peter Reiher reiher_at_cs.ucla.edu
• Jun Li lijun_at_cs.ucla.edu
• Gerald Popek popek_at_cs.ucla.edu