School of Computer Science Technical Report Series

Series

School of Computer Science Technical Report Series

Permanent Link

https://hdl.handle.net/1853/71007

Series Type

Publication Series

Associated Organization(s)

Organizational Unit

College of Computing

Organizational Unit

School of Computer Science

Full item page

Publication Search Results

Now showing 1 - 10 of 36

Evaluating Bluetooth as a Medium for Botnet Command and Control

(Georgia Institute of Technology, 2009) Jain, Nehil ; Lee, Wenke ; Sangal, Samrit ; Singh, Kapil ; Traynor, Patrick

Malware targeting mobile phones is being studied with increasing interest by the research community. While such attention has previously focused on viruses and worms, many of which use near-field communications in order to propagate, none have investigated whether more complex malware such as botnets can effectively operate in this environment. In this paper, we investigate the challenges of constructing and maintaining mobile phone-based botnets communicating nearly exclusively via Bluetooth. Through extensive large-scale simulation based on publicly available Bluetooth traces, we demonstrate that such a malicious infrastructure is possible in many areas due to the largely repetitive nature of human daily routines. In particular, we demonstrate that command and control messages can propagate to approximately 2/3 of infected nodes within 24 hours of being issued by the botmaster. We then explore how traditional defense mechanisms can be modified to take advantage of the same information to more effectively mitigate such systems. In so doing, we demonstrate that mobile phone-based botnets are a realistic threat and that defensive strategies should be modified to consider them.
Rotalumè: A Tool for Automatic Reverse Engineering of Malware Emulators

(Georgia Institute of Technology, 2009) Sharif, Monirul I. ; Lanzi, Andrea ; Giffin, Jonathon ; Lee, Wenke

Malware authors have recently begun using emulation technology to obfuscate their code. They convert native malware binaries into bytecode programs written in a randomly generated instruction set and paired with a native binary emulator that interprets the bytecode. No existing malware analysis can reliably reverse this obfuscation technique. In this paper, we present the first work in automatic reverse engineering of malware emulators. Our algorithms are based on dynamic analysis. We execute the emulated malware in a protected environment and record the entire x86 instruction trace generated by the emulator. We then use dynamic data-flow and taint analysis over the trace to identify data buffers containing the bytecode program and extract the syntactic and semantic information about the bytecode instruction set. With these analysis outputs, we are able to generate data structures, such as control-flow graphs, that provide the foundation for subsequent malware analysis. We implemented a proof-of-concept system called Rotalumè and evaluated it using both legitimate programs and malware emulated by VMProtect and Code Virtualizer. The results show that Rotalumè accurately reveals the syntax and semantics of emulated instruction sets and reconstructs execution paths of original programs from their bytecode representations.
Towards an Internet Connectivity Market

(Georgia Institute of Technology, 2009) Feamster, Nick ; Hassan, Umayr ; Sundaresan, Srikanth ; Valancius, Vytautas ; Johari, Ramesh ; Vazirani, Vijay V.

Today’s Internet achieves end-to-end connectivity through bilateral contracts between neighboring networks; unfortunately, this “one size fits all” connectivity results in less efficient paths, unsold capacity and unmet demand, and sometimes catastrophic market failures that result in global disconnectivity. This paper presents the design and evaluation of MINT, a Market for Internet Transit. MINT is a connectivity market and corresponding set of protocols that allows ISPs to offer path segments on an open market. Edge networks bid for end-to-end paths, and a mediator matches bids for paths to collections of path segments that form end-to-end paths. MINT can be deployed using protocols that are present in today’s routers, and it operates in parallel with the existing routing infrastructure and connectivity market. We present MINT’s market model and protocol design; evaluate how MINT improves efficiency, the utility of edge networks, and the profits of transit networks; and how MINT can operate at Internet scale.
Derandomization of Probabilistic Auxiliary Pushdown Automata Classes

(Georgia Institute of Technology, 2009) Venkateswaran, H.
Designing Enforceable Network Contracts

(Georgia Institute of Technology, 2009) Lychev, Robert ; Feamster, Nick

Internet connectivity depends on contractual agreements between cooperating entities, such as administrative domains (AD), where an agreement over a certain level of service is made. Contracts (e.g., SLAs) for providing certain levels of service must be enforceable, and ADs must have an incentive to meet their contractual obligations. Previous work has designed mechanisms for both pricing and network accountability, but no existing work examines contract structures with respect to different accountability frameworks, and how together they may affect an AD’s incentives to fulfill contracts. We study how different contract structures—in particular, path-based versus pairwise contracts—affect ADs’ incentives to establish contracts (which, in turn, can affect overall connectivity) and, once contracts are established, to forward traffic according accordingly. This paper presents several contributions. First, we derive sufficient conditions for path-based contract systems and accountability frameworks for entities to have an incentive to forward traffic according to their contracts, provided that all parties involved are rational. Second, we show that for path-based contracts at equilibrium where nodes are encouraged to fulfill their contracts, only a constant amount of monitoring is required for every participant to make a positive profit; this is not the case for pairwise contracts. Third, we show how systems that rely on pairwise contracts are prone to depeering in presence of sufficient supply and demand due to coarse granularity, a contractual failure that systems which rely on path-based contracts are immune to. We propose modifications to pairwise contracts that could prevent such failures. Finally, we present situations of depeering that may be unpreventable due to maliciously behaving parties for both pairwise and path-based contract structures. For such scenarios, we show that while path-based contracts allow the sender of traffic to get reimbursed, this is not guaranteed in pairwise contract systems.
Pushing Enterprise Security Down the Network Stack

(Georgia Institute of Technology, 2009) Clark, Russ ; Feamster, Nick ; Nayak, Ankur ; Reimers, Alex

Network security is typically reactive: Networks provide connectivity and subsequently alter this connectivity according to various security policies, as implemented in middleboxes, or at higher layers. This approach gives rise to complicated interactions between protocols and systems that can cause incorrect behavior and slow response to attacks. In this paper, we propose a proactive approach to securing networks, whereby security-related actions (e.g., dropping or redirecting traffic) are embedded into the network fabric itself, leaving only a fixed set of actions to higher layers. We explore this approach in the context of network access control. Our design uses programmable switches to manipulate traffic at lower layers; these switches interact with policy and monitoring at higher layers. We apply our approach to Georgia Tech’s network access control system, show how the new design can both overcome the current shortcomings and provide new security functions, describe our proposed deployment, and discuss open research questions.
A Model of Interdomain Network Formation, Economics and Routing

(Georgia Institute of Technology, 2009) Dhamdhere, Amogh ; Dovrolis, Constantine

The Internet at the interdomain level is highly dynamic, as autonomous networks change their connectivity to optimize either monetary cost, profit and/or performance. Internet Service Providers (ISPs), for example, are mainly concerned with maximizing their profits, and they attempt to do so by changing their set of providers or peers. It is not well understood, however, what the properties of the resulting internetwork are, in terms of topology, economics and performance. In this paper, we propose ITER, a first-principles model of interdomain network formation that incorporates the effects of economics, interdomain traffic flow, geography, pricing/cost structures and interdomain routing policies. We use an agent-based computational method (treating networks as selfish agents) to find the equilibrium that results as each network uses a certain provider and peer selection strategy (such as “peer by traffic ratios” or “peer by necessity”). We study the properties of this equilibrium in terms of topology, traffic flow and economics. We also investigate the effect of factors such as the interdomain traffic matrix, geography, and customer preferences on the properties of the equilibrium network.
Visualization of Exception Handling Constructs to Support Program Understanding

(Georgia Institute of Technology, 2009) Shah, Hina ; Görg, Carsten ; Harrold, Mary Jean

This paper presents a new visualization technique for supporting the understanding of exception-handling constructs in Java programs. To understand the requirements for such a visualization, we surveyed a group of software developers, and used the results of that survey to guide the creation of the visualizations. The technique presents the exception-handling information using three views: the quantitative view, the flow view, and the contextual view. The quantitative view provides a high-level view that shows the throw-catch interactions in the program, along with relative numbers of these interactions, at the package level, the class level, and the method level. The flow view shows the type-throw-catch interactions, illustrating information such as which exception types reach particular throw statements, which catch statements handle particular throw statements, and which throw statements are not caught in the program. The contextual view shows, for particular type-throw-catch interactions, the packages, classes, and methods that contribute to that exception-handling construct. We implemented our technique in an Eclipse plugin called EnHanCe and conducted a usability and utility study with participants in industry.
Message Ferries as Generalized Dominating Sets in Intermittently Connected Mobile Networks

(Georgia Institute of Technology, 2009) Ammar, Mostafa H. ; Polat, Bahadir K. ; Sachdeva, Pushkar ; Zegura, Ellen W.

Message ferrying is a technique for routing data in wireless and mobile networks in which one or more mobile nodes are tasked with storing and carrying data between sources and destinations. To achieve connectivity between all nodes, message ferries may need to relay data to each other. While useful as a routing technique for wireless mobile networks in general, message ferrying is particularly useful in intermittently connected networks where traditional MANET routing protocols are not usable. A wireless and mobile network is said to possess intrinsic message ferrying capability if a subset of the nodes can act as message ferries by virtue of their own mobility pattern, without introducing additional nodes or modifying existing node mobility. Our goal in this work is to provide a formalism by which one can characterize intrinsic message ferrying capability. We first observe that the use of message ferries is the mobile generalization of the well-known use of connected dominating set-based routing in wireless networks. We next consider the problem of identifying the set of nodes in a mobile network which can act as message ferries by virtue of their mobility pattern. To this end, we define the concept of a connected message ferry dominating set (CMFDS) in a manner that achieves data delivery within certain performance bounds. We then develop algorithms that can be used to find such a set within a mobile, wireless network. The general CMFDS algorithm is built around a core algorithm that determines whether a single node in the network can act as a ferry. We provide some illustrative examples to show the application of our algorithm to several mobility patterns.
Spending Constraint Utilities, With Applications To The Adwords Market

(Georgia Institute of Technology, 2009) Vazirani, Vijay V.

The notion of a "market" has undergone a paradigm shift with the Internet - totally new and highly successful markets have been defined and launched by Internet companies, which already form an important part of today's economy and are projected to grow considerably in the future. Another major change is the availability of massive computational power for running these markets in a centralized or distributed manner. In view of these new realities, the study of market equilibria, an important, though essentially non-algorithmic, theory within mathematical economics, needs to be revived and rejuvenated via an inherently algorithmic approach. Such a theory should not only address traditional market models but also define new models for some of the new markets. We present a new, natural class of utility functions which allow buyers to explicitly provide information on their relative preferences as a function of the amount of money spent on each good. These utility functions offer considerable expressivity, especially in Google's Adwords market. In addition, they lend themselves to efficient computation, while still possessing some of the nice properties of traditional models.