SIREN - Securing Internet Routing from the Ground Up

EU Research

Strengthening the borders of the internet

Much of the core infrastructure underlying the Internet was designed decades ago, at a time when security was not always the foremost consideration. The Internet has since evolved significantly to play a central role in the economy, national security, and social interactions, yet its communication infrastructure remains alarmingly vulnerable to attack, as Professor Michael Schapira explains.

Illustration of the routing of traffic through an attacker’s network in Belarus in 2013, due to an attack on the Border Gateway Protocol (BGP).

The basic mechanisms that enable us to send data via the Internet from one point to another were devised decades ago. This was a very different era; the Internet was much smaller, and it was largely used for communication between trusted parties, yet it has since grown and evolved significantly. “People didn’t necessarily foresee today’s world, where tens of thousands of organizational networks owned by self-interested, often competing, entities, are stitched together to make up the Internet,” says Professor Michael Schapira, the Principal Investigator of the SIREN Project. While security was not always the foremost consideration in the initial design of the Internet’s core infrastructure, it is a primary concern today, as Internet outages have a significant social and economic impact. Yet, addressing this is a complex task in the current context, given how central the Internet is to everyday life. “Any solution to the Internet’s security vulnerabilities has to be backwards compatible with existing technologies,” says Professor Schapira.

SIREN project

This is a topic at the heart of the SIREN project, an ERC-backed initiative hosted by the Hebrew University of Jerusalem, which is exploring a new approach to securing the routing of Internet traffic. Currently, Internet traffic typically goes through several organizational networks along the way before it is eventually directed to the intended destination. “There is a protocol that specifies how traffic should be forwarded towards its destinations,” outlines Professor Schapira. This is the Border Gateway Protocol (BGP), which was designed around 30 years ago, along with the rest of the Internet’s core communication infrastructure. “In a way, the BGP is the most important part of the Internet’s infrastructure, because it’s the glue that holds the organizational networks comprising the Internet together,” explains Professor Schapira. “While it’s proved effective, it’s also a security vulnerability.”

In a way, the Border Gateway Protocol is the most important part of the Internet’s infrastructure, because it’s the glue that holds the organizational networks comprising it together. While it’s proved effective, it’s also a security vulnerability.

The reason for BGP’s insecurity is rooted in the way the protocol itself works. A destination of traffic advertises to the world the Internet addresses that belong to it, and then this information is propagated onwards by the neighbouring parties. “It’s really about trust. An organization advertises its Internet addresses, and other parties trust it to do so correctly,” explains Professor Schapira. The routing system can be subverted, however, and it is not uncommon for major organizations to be disconnected from the Internet or attacked in some other way. “An entity can advertise Internet addresses that don’t belong to it; there are many reasons why they might want to do something like this. For example, it might want to prevent an organization from communicating with the world, or it may want to monitor traffic or eavesdrop on it,” says Professor Schapira. “There is currently no widely deployed mechanism to prevent an organization from advertising incorrect Internet addresses, which represents a significant point of vulnerability.”

A lot of energy has been focused on using heavyweight machinery to achieve very high levels of security and combat these types of attacks, yet it has proved difficult to develop an easily deployable solution. Professor Schapira and his colleagues in the project are exploring a different approach, developing a flat, decentralised design to achieve a very high level of security, while at the same time taking the wider economic context into account and considering what will incentivize organizations to change. “The cost of transition should be low, and it should also lead to some tangible benefits,” he says.

It’s not practical to replace BGP entirely, so Professor Schapira and his colleagues in the project are rather looking to effectively jump-start security. “We do this through a combination of techniques, building on two high-level ideas. The first is about setting a very high bar for the attacker,” he says. One option is establishing ownership of Internet addresses by sending data packets to these addresses from many locations in the world, and requesting a response from the owner organization to each and every one. “This is essentially a way of checking de facto ownership of these Internet addresses,” says Professor Schapira. “It’s like calling you from many different locations in the world and expecting you to pick up the phone.”

This is actually a very high bar for an attacker to deal with, as to prove ownership of IP addresses which it doesn’t actually own, it would have to be able to respond rapidly to queries from all over the world. In order to achieve this, it would have to essentially intercept traffic from everywhere in the world leading to the intended addresses. “There are only two ways in which this can be done. One is if the attacker is already located between an organization and the rest of the world. Maybe an organization has a single Internet service provider (ISP), which is the interface between it and the rest of the world, and can passively monitor all of its traffic. Then, if something is sent to the organization, it can be intercepted,” outlines Professor Schapira. This is not the major concern, as it’s unusual for organizations to be attacked by their own ISPs. “The other kind of attack is when someone tries actively to hijack traffic,” says Professor Schapira. However, explains Professor Schapira, this makes the attack highly visible and the victim can be alerted.

The second high-level idea is not setting the bar too high in terms of desired security guarantees at the expense of non-trivial and error-prone mechanisms that are unlikely to be adopted. This requires characterizing the most dangerous and common attacks and identifying the minimum effort needed to protect against these, instead of trying to defend against all attacks by leveraging heavyweight machinery whose adoption faces significant obstacles. Professor Schapira quotes Sir Robert Alexander Watson-Watt, the British pioneer of radar technology, who said: “Give them the third best to go on with; the second best comes too late, the best never comes.”

Professor Schapira is also exploring whether the techniques that have been developed during the course of the project are applicable to other contexts. One example is the Network Time Protocol (NTP), which deals with clock synchronisation, something crucial to the security of many Internet applications. “For example, for financial applications, it’s important to know that something was done before something else,” points out Professor Schapira. However, the NTP is also vulnerable to attacks. “If I can push your time settings five seconds forward or back, then that has consequences. It’s fairly easy to launch such attacks,” says Professor Schapira. “We’ve been working to develop a solution called Chronos that provides security and can be installed on your device – say your smartphone or laptop – without having to change other elements of the Internet infrastructure.”

Internet Engineering Task Force

This work holds clear importance for governments and other major organizations, who are keen to minimise the risk of attacks and improve the security of the Internet. Professor Schapira and his team are working with governance organizations with the aim not just of developing deployable solutions, but also influencing the way practitioners think about Internet security. “For this reason we’re actively working with cyber bureaus in Israel and abroad,” stresses Professor Schapira. Researchers in the project are also actively engaging with the Internet Engineering Task Force (IETF), the entity responsible for standardising Internet protocols. “There are working groups in the IETF that are tasked with standardising such solutions. That’s another arena where we can influence the debate,” says Professor Schapira.
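The de facto ownership check described in the article (a probe from many locations, each one requiring a response) can be modelled in a few lines of Python. This is an added illustration, not SIREN project code: the topology, the AS names and the fewest-hops routing rule are constructed assumptions. It covers both cases the article names, an AS that hijacks only part of the traffic and a sole upstream ISP that is already on every path.

```python
import secrets
from collections import deque

# Constructed toy AS-level topology; every AS name here is hypothetical.
# "owner" holds the prefix and has a single provider, "isp".
TOPOLOGY = {
    "owner": ["isp"],
    "isp": ["owner", "t1", "t2"],
    "t1": ["isp", "t2", "v1", "v2"],
    "t2": ["isp", "t1", "t3"],
    "t3": ["t2", "rogue", "v3"],
    "rogue": ["t3", "v4"],
    "v1": ["t1"], "v2": ["t1"], "v3": ["t3"], "v4": ["rogue"],
}
VANTAGES = ["v1", "v2", "v3", "v4"]  # probe sources spread over the topology

def path_to_nearest(src, announcers):
    """AS path from src to the closest announcer of the prefix (fewest hops,
    a simplification of real BGP route selection)."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] in announcers:
            return path
        for nxt in TOPOLOGY[path[-1]]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return []

def run_challenge(claimant, announcers):
    """Send one fresh nonce per vantage point towards the prefix. The claimant
    can echo a nonce only if the probe terminates at it or transits it."""
    issued = {v: secrets.token_hex(8) for v in VANTAGES}
    echoed = {v: n for v, n in issued.items()
              if claimant in path_to_nearest(v, announcers)[1:]}
    return issued, echoed

def proves_ownership(claimant, announcers):
    """Accept only if every single probe was answered with its own nonce."""
    issued, echoed = run_challenge(claimant, announcers)
    return echoed == issued

if __name__ == "__main__":
    print("owner, no hijack:", proves_ownership("owner", {"owner"}))
    print("rogue, partial hijack:", proves_ownership("rogue", {"owner", "rogue"}))
    _, got = run_challenge("rogue", {"owner", "rogue"})
    print("probes the rogue AS attracted:", sorted(got))
    print("sole upstream ISP, on-path:", proves_ownership("isp", {"owner"}))
```

In this model the rogue AS attracts only the vantage points closer to it than to the owner, so it cannot answer every probe, while the sole ISP sees all of them without announcing anything.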

SIREN
Securing Internet Routing from the Ground Up

Project Objectives

The aim of the planned research project is to put forth and explore a radically new paradigm for securing routing on the Internet. The proposed alternative roadmap for securing the Internet consists of two steps:
• Jumpstarting BGP security: A novel approach to routing security that bypasses existing obstacles. Specifically, the proposed design will be flat, decentralized, fully automated, avoid dependency on a single root-of-trust, and not require the modification/replacement of legacy BGP routers.
• A long-term vision for Internet routing: Leveraging the vast computational resources in modern datacenters, and research on Secure Multi-Party Computation, to outsource routing to a small number of entities while retaining flexibility, autonomy and privacy.
The belief is that, taken together, these two steps can lead to a more secure Internet in the short run, and outline a promising, as yet uncharted, new direction for the future of Internet routing.

Project Funding

European Research Council - Starting Grant

Contact Details

Project Coordinator, Professor Michael Schapira
School of Computer Science and Engineering, Hebrew University of Jerusalem
E: schapiram@cs.huji.ac.il
W: http://www.cs.huji.ac.il/~schapiram/
W: https://cordis.europa.eu/project/rcn/200038/factsheet/en

Professor Michael Schapira

Michael Schapira is an Associate Professor in the School of Computer Science and Engineering at the Hebrew University of Jerusalem. Previously he was a visiting scientist at Google in New York, and also held postdoctoral research positions at Princeton University, UC Berkeley, and Yale University.

Illustration: An NTP client synchronises time by communicating with a set of NTP servers. (Label in figure: Man in the middle attacker.)

www.euresearcher.com
