1
Jun Li, Peter Reiher, Gerald Popek
Computer Science Department
UCLA
NISS Conference
October 21, 1999
2
• Interruption threats are hard to counter
• Redundant transmission makes interruptions harder
• But redundant transmission is not as easy as using redundancy in other areas
• Sample uses
• Conclusion
3
[Figure: source sends to destination over a single path]
An interruption attack occurs
Result?
No data flows to the destination
4
• Many kinds of interruption threats
– Corrupted routers drop packets
– Transmitting over other packets on shared media (collisions)
– Congesting links or routers
• Conventional approaches won’t help
– Encrypted/signed messages can still be interrupted
• Acknowledgement won’t help either
– The acknowledgement itself is subject to interruption
– Retransmission means possibly failing again
• So?
5
• Don’t use a single path
– Any point on the single path is a point of failure
• Use redundancy to secure transmission
– Only parallel redundancy considered here
• A node is expected to receive multiple copies of one message
• Successful if at least one copy is authentically received
• Redundancy has been widely used in other areas
– High availability storage
– Replicated execution
– And many others
[Figure: source and destination connected by a default path]
Normal delivery uses a default path
How does redundant delivery help?
6
[Figure: sender to destination over the default path and a redundant path]
What if a router is corrupted?
The redundant copy gets through despite a bad router
7
• Redundant transmission is tough
– Discovering disjoint paths is difficult
• Routing is transparent to applications
– Using disjoint paths is difficult
– They may not exist at all
• Can try to be as disjoint as possible nevertheless
– An attacker has to find a choke point or break multiple points
• Scale can also cause big problems
• And what about costs of sending multiple copies?
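The redundant delivery sketched in slides 5 to 7, as an added example (not code from the talk or from Revere): a constructed topology, a greedy node-disjoint path search (this example's own choice; a max-flow formulation would be exact), and a destination that counts delivery as successful only when at least one arriving copy authenticates. Corrupted routers either drop the copy (interruption) or tamper with it; the HMAC and key are stand-ins for whatever authentication the real system uses.

```python
"""Redundant (parallel) transmission over node-disjoint paths versus a single
default path, under interruption.  Added example, not code from the talk or
from Revere; the topology is constructed and the greedy disjoint-path search
and HMAC authentication are this example's own choices."""
import hashlib
import hmac
from collections import deque

# Constructed topology: source S reaches destination D through three
# independent routers R1..R3 (each behind an access node A, B, C).
TOPOLOGY = {
    "S": ["A", "B", "C"], "A": ["S", "R1"], "B": ["S", "R2"], "C": ["S", "R3"],
    "R1": ["A", "D"], "R2": ["B", "D"], "R3": ["C", "D"], "D": ["R1", "R2", "R3"],
}
KEY = b"constructed-demo-key"   # shared between source and destination (assumption)


def shortest_path(graph, src, dst, banned=frozenset()):
    """BFS for the shortest path src->dst that avoids the nodes in `banned`."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in prev and nxt not in banned:
                prev[nxt] = node
                queue.append(nxt)
    return None


def disjoint_paths(graph, src, dst, k):
    """Greedily collect up to k node-disjoint paths: the interior nodes of each
    path found are banned for the next search.  Greedy search can stop short
    of the true maximum, which is one reason discovering disjoint paths is
    difficult; when the topology has none, fewer than k paths come back."""
    paths, banned = [], set()
    while len(paths) < k:
        path = shortest_path(graph, src, dst, frozenset(banned))
        if path is None:
            break
        paths.append(path)
        banned.update(path[1:-1])
    return paths


def tag(msg):
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def forward(path, msg, mac, dropping, tampering=frozenset()):
    """Carry one copy hop by hop.  A dropping (corrupted) router interrupts
    the copy; a tampering router alters the payload so authentication fails."""
    for hop in path[1:-1]:
        if hop in dropping:
            return None
        if hop in tampering:
            msg += b"!"
    return msg, mac


def send(graph, src, dst, msg, k, dropping, tampering=frozenset()):
    """Send one copy per disjoint path (k=1 is ordinary single-path delivery).
    Returns (success, copies_sent, copies_arrived); success requires at least
    one arriving copy whose MAC verifies, i.e. an authentic copy."""
    mac = tag(msg)
    paths = disjoint_paths(graph, src, dst, k)
    arrived = [c for c in (forward(p, msg, mac, dropping, tampering) for p in paths) if c]
    ok = any(hmac.compare_digest(tag(m), t) for m, t in arrived)
    return ok, len(paths), len(arrived)


if __name__ == "__main__":
    update = b"new-ids-signature-v7"
    print("single path, R1 corrupted:        ", send(TOPOLOGY, "S", "D", update, 1, {"R1"}))
    print("3 paths, R1 corrupted:            ", send(TOPOLOGY, "S", "D", update, 3, {"R1"}))
    print("3 paths, all three routers bad:   ", send(TOPOLOGY, "S", "D", update, 3, {"R1", "R2", "R3"}))
    print("3 paths, only a tampered copy left:", send(TOPOLOGY, "S", "D", update, 3, {"R1", "R3"}, {"R2"}))
```

The last two runs show the two sides of slide 7: the attacker must either break every disjoint path or sit on a choke point shared by all of them, and a copy that arrives but fails authentication does not count as received.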
8
• Revere
– Secure delivery of security updates
• General purpose redundant packet delivery service
– Redundancy for every network user?
9
• Goal: disseminate security updates to a large number of machines
• Assume a trusted dissemination center
• Security updates
– Small size but critical information
– Examples:
- New virus signature
- New intrusion detection signature
- CRLs (certificate revocation lists)
- Offending characteristics for a firewall to monitor
10
• Acks/Nacks inappropriate
– Scaling, lack of complete trust, etc.
• Use redundancy to send multiple copies to each node
• Each node can also forward security updates to others
• A node can contact multiple repository nodes for missed updates
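The Revere node behaviour described in slides 9 and 10, as an added example (not the authors' Revere code): each node authenticates every copy against the dissemination center, applies the first authentic copy and forwards it to its neighbours, drops later copies as duplicates, and fills gaps in the sequence by asking several repository nodes rather than acking the center. The center's signature is modelled with an HMAC under a constructed key (a deployment would use a public-key signature), and updates are assumed to carry a dense sequence number so that gaps are detectable.

```python
"""Revere-style receiver for security updates: authenticate each copy against
the dissemination center, discard duplicates, forward to neighbours, and pull
missed updates from several repository nodes instead of acking the center.
Added example, not the authors' Revere code.  Assumptions: the center's
signature is modelled with an HMAC under a constructed key, and updates carry
a dense sequence number."""
import hashlib
import hmac
import json

CENTER_KEY = b"constructed-center-key"   # assumption: stand-in for the center's signing key


def make_update(seq, kind, payload, key=CENTER_KEY):
    """What the dissemination center emits: a signed, sequence-numbered body."""
    body = json.dumps({"seq": seq, "kind": kind, "payload": payload},
                      sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


class RevereNode:
    def __init__(self, name):
        self.name = name
        self.store = {}          # seq -> raw signed update (served to others)
        self.applied = {}        # seq -> parsed body
        self.neighbors = []      # nodes this node forwards updates to
        self.repositories = []   # nodes asked for missed updates
        self.duplicates = 0
        self.rejected = 0

    def authentic(self, update):
        expected = hmac.new(CENTER_KEY, update["body"], hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, update["tag"])

    def receive(self, update):
        """Accept one copy.  Copies arrive redundantly (from the center, from
        neighbours, from repositories); the first authentic copy is applied and
        forwarded, later ones are counted as duplicates.  Returns True if new."""
        if not self.authentic(update):
            self.rejected += 1
            return False
        parsed = json.loads(update["body"])
        seq = parsed["seq"]
        if seq in self.applied:
            self.duplicates += 1
            return False
        self.store[seq] = update
        self.applied[seq] = parsed
        for n in self.neighbors:          # each node also forwards updates
            n.receive(update)
        return True

    def missing(self):
        """Gaps in the sequence numbers seen so far."""
        seen = self.applied
        return [s for s in range(1, max(seen, default=0) + 1) if s not in seen]

    def serve(self, seq):
        return self.store.get(seq)

    def recover(self):
        """Fill each gap from the first repository that holds an authentic copy."""
        recovered = []
        for seq in self.missing():
            for repo in self.repositories:
                copy = repo.serve(seq)
                if copy is not None and self.receive(copy):
                    recovered.append(seq)
                    break
        return recovered


def scenario():
    """Constructed run: the center sends three updates to A and B; A's copy of
    update 2 is interrupted.  C is fed by both A and B, so it sees duplicates."""
    a, b, c = RevereNode("A"), RevereNode("B"), RevereNode("C")
    a.neighbors, b.neighbors = [c], [c]
    a.repositories = [b]
    updates = [make_update(1, "virus-sig", "sig-1"),
               make_update(2, "ids-sig", "sig-2"),
               make_update(3, "crl", "revoked-serials")]
    for u in updates:
        if json.loads(u["body"])["seq"] != 2:
            a.receive(u)                  # A's copy of seq 2 is lost
        b.receive(u)                      # B's copies all arrive
    missing_before = a.missing()
    recovered = a.recover()
    forged = make_update(4, "virus-sig", "evil", key=b"not-the-center")
    return {
        "a_missing_before": missing_before,
        "a_recovered": recovered,
        "a_missing_after": a.missing(),
        "c_applied": sorted(c.applied),
        "c_duplicates": c.duplicates,
        "forged_accepted": c.receive(forged),
    }


if __name__ == "__main__":
    print(scenario())
```

Duplicate suppression is what makes forwarding safe in a cyclic neighbour graph: a node stops forwarding as soon as it recognises a sequence number it has already applied, so the redundant copies cost bandwidth but do not loop.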
11
• How could we add a redundant packet delivery service to the Internet?
• What would be the best method of achieving redundancy?
– Know a lot about the network?
– Or rely on randomness and obscurity?
• What are the costs of doing so?
• How could it be easily deployable?
– Proxy-based solutions?
12
• Conventional security approaches and transmission primitives don’t adequately counter interruption threats
• Redundancy is a promising tool
• But effective use of redundancy is challenging
• Are there other problems that redundancy can solve?
• Does redundancy itself lead to new security threats?
13
• Contact information
– Peter Reiher: reiher@cs.ucla.edu
– Jun Li: lijun@cs.ucla.edu
– Gerald Popek: popek@cs.ucla.edu