Security Lunch

Stanford Computer Science Department

Autumn 2007

Date: 26 September 2007

Speaker sign up for fall slots

Date: 3 October 2007

Speaker: No talk today

Date: 10 October 2007

Speakers: John Gerth and Doantam Phan

Title: Going with the Flow: Using Network Traffic Data in Incident Response and Analysis


Since the spring of 2005, we have been collecting network flow records at the Cisco router for the Gates, Packard, and Allen buildings. Our sensor records TCP, UDP, and ICMP traffic at a rate of 0.5 - 3 million flows per hour, 20-30 million per day, and 500-700 million per month. The live flows are stored in heavily indexed MySQL tables. These are available to our network analysts for monitoring, incident handling, and forensics, and have been used in dozens of investigations.

We start with a brief review of the collection and database infrastructures, concentrating on what we have learned about tuning for good query response. Next, we will describe how we have found flow data useful as an aid in isolating and reconstructing intrusion incidents, ranging from the Windows worms of years past to today's more subtle and criminally motivated intrusions. The incidents described will include several in which flows were the critical, and sometimes the only, evidence available. The talk concludes with a sketch of efforts we are undertaking to automate some parts of flow analysis and to deal with tables containing a billion or more events.
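As an added illustration of the kind of indexed flow table and incident queries the talk describes (this is not the speakers' own schema or code): the example below uses an in-memory SQLite database in place of MySQL, a constructed handful of flow records rather than campus data, and indexes on time, source, and destination so that the three questions an incident handler asks first ("who talked to this host in this window", "who is scanning", "when did we first see this remote address") are range scans rather than full-table scans. The index choice and the 300-second scan bucket are assumptions for the example.

```python
import sqlite3
from datetime import datetime, timedelta, timezone


def ts(dt):
    """Store times as integer epoch seconds so time-window predicates use the index."""
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


BASE = datetime(2007, 10, 1, 12, 0, 0)

# Constructed sample flows, not real traffic: (start, src, sport, dst, dport, proto, bytes)
SAMPLE_FLOWS = [
    (BASE + timedelta(seconds=5),  "171.64.1.10", 51234, "198.51.100.5", 80,    6, 5120),
    (BASE + timedelta(seconds=30), "171.64.1.10", 51235, "198.51.100.5", 443,   6, 8900),
    (BASE + timedelta(seconds=60), "171.64.1.20", 40001, "203.0.113.9",  6667,  6, 900),   # suspected IRC C2
    (BASE + timedelta(seconds=61), "203.0.113.9", 6667,  "171.64.1.20",  40001, 6, 3400),
] + [
    # the same internal host then probes a neighbour on eight ports within a few seconds
    (BASE + timedelta(seconds=90 + i), "171.64.1.20", 50000 + i, "171.64.1.30", port, 6, 60)
    for i, port in enumerate([21, 22, 23, 25, 80, 135, 139, 445])
] + [
    (BASE + timedelta(seconds=200), "171.64.1.30", 123, "198.51.100.7", 123, 17, 76),   # UDP NTP
    (BASE + timedelta(seconds=210), "171.64.1.40", 0,   "171.64.1.30",  0,   1,  84),   # ICMP echo
]

SCHEMA = """
CREATE TABLE flows (
  start_ts INTEGER NOT NULL, src_ip TEXT NOT NULL, src_port INTEGER,
  dst_ip   TEXT    NOT NULL, dst_port INTEGER, proto INTEGER NOT NULL, bytes INTEGER);
CREATE INDEX flows_time ON flows(start_ts);
CREATE INDEX flows_src  ON flows(src_ip, start_ts);
CREATE INDEX flows_dst  ON flows(dst_ip, start_ts);
"""


def load(flows):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO flows VALUES (?,?,?,?,?,?,?)",
                     [(ts(s), a, b, c, d, e, f) for s, a, b, c, d, e, f in flows])
    conn.commit()
    return conn


def peers(conn, host, t0, t1):
    """Every (peer, port, proto) that exchanged traffic with `host` in [t0, t1)."""
    rows = conn.execute("""
        SELECT dst_ip, dst_port, proto FROM flows
         WHERE src_ip = ? AND start_ts >= ? AND start_ts < ?
        UNION
        SELECT src_ip, src_port, proto FROM flows
         WHERE dst_ip = ? AND start_ts >= ? AND start_ts < ?""",
        (host, ts(t0), ts(t1), host, ts(t0), ts(t1))).fetchall()
    return sorted(set(rows))


def port_scans(conn, min_ports=5, window=300):
    """Sources that touched >= min_ports distinct TCP ports on one target within a window."""
    return conn.execute("""
        SELECT src_ip, dst_ip, COUNT(DISTINCT dst_port)
          FROM flows WHERE proto = 6
         GROUP BY src_ip, dst_ip, start_ts / ?
        HAVING COUNT(DISTINCT dst_port) >= ?""", (window, min_ports)).fetchall()


def first_contact(conn, remote_ip):
    """Earliest flow involving a remote address: a lower bound on when an incident began."""
    return conn.execute("""
        SELECT MIN(start_ts), src_ip, dst_ip FROM flows
         WHERE src_ip = ? OR dst_ip = ?""", (remote_ip, remote_ip)).fetchone()


if __name__ == "__main__":
    db = load(SAMPLE_FLOWS)
    print("scanners:", port_scans(db))
    print("first contact with C2:", first_contact(db, "203.0.113.9"))
    print("peers of 171.64.1.20:", peers(db, "171.64.1.20", BASE, BASE + timedelta(minutes=10)))
```

Run `EXPLAIN QUERY PLAN` on the three queries after adding the indexes: `peers` and `first_contact` should report index searches on `flows_src` and `flows_dst`, while `port_scans` still walks the table, which is why the talk's billion-row tables need the pre-aggregation it alludes to rather than ad hoc GROUP BY queries.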


Doantam Phan is a PhD student in the HCI group at Stanford where he is furiously working towards his defense.

John Gerth is manager of the Graphics Lab and part of the pro bono network security effort in EE and CS. Prior to coming to Stanford, he spent 17 years at IBM in software development and later research, but his most challenging job was three years teaching kindergarten.

Date: 17 October 2007

Speaker: Mike Hamburg

Title: Space-efficient identity-based encryption without pairings


Identity Based Encryption (IBE) systems are often constructed using bilinear maps (a.k.a. pairings) on elliptic curves. One exception is an elegant system due to Cocks which builds an IBE based on the quadratic residuosity problem modulo an RSA composite N. The Cocks system, however, produces long ciphertexts. Since the introduction of the Cocks system in 2001 it has been an open problem to construct a space-efficient IBE system without pairings. We present a new IBE system in which ciphertext size is short: an encryption of an l-bit message consists of a single element in Z/NZ, plus l + 1 additional bits. Security, as in the Cocks system, relies on the quadratic residuosity problem. The system is based on the theory of ternary quadratic forms and as a result, encryption and decryption are slower than in the Cocks system.
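To make concrete where the Cocks system's ciphertext length comes from, here is an added toy implementation of the Cocks scheme itself (the baseline the abstract compares against, not the new ternary-quadratic-form system of the talk): encrypting one bit costs two elements of Z/NZ, one for the case where the recipient's key is a square root of a and one for the case where it is a square root of -a. The 24-bit primes, the SHA-256 identity hash, and the seeded random choices are assumptions for a runnable example and are far too small for real use.

```python
import hashlib
import math
import random


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_prime(n):
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def prime_3_mod_4(bits, rng):
    """p = 3 (mod 4) makes square roots a single exponentiation: x = a^((p+1)/4)."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 3
        if is_prime(c):
            return c


def setup(bits=24, seed=2007):
    rng = random.Random(seed)
    p = prime_3_mod_4(bits, rng)
    q = prime_3_mod_4(bits, rng)
    while q == p:
        q = prime_3_mod_4(bits, rng)
    return (p, q), p * q


def hash_identity(identity, N):
    """Public map from an identity string to a with (a/N) = +1 (constructed hash)."""
    ctr = 0
    while True:
        a = int.from_bytes(hashlib.sha256(f"{identity}|{ctr}".encode()).digest(), "big") % N
        if math.gcd(a, N) == 1 and jacobi(a, N) == 1:
            return a
        ctr += 1


def extract(master, identity):
    """Key generator: (a/N)=1 and p,q = 3 (mod 4) mean exactly one of a, -a is a square mod N."""
    p, q = master
    N = p * q
    a = hash_identity(identity, N)
    target = a if pow(a, (p - 1) // 2, p) == 1 else (-a) % N   # Euler's criterion
    rp, rq = pow(target, (p + 1) // 4, p), pow(target, (q + 1) // 4, q)
    r = (rp + p * (((rq - rp) * pow(p, -1, q)) % q)) % N        # CRT
    assert r * r % N == target
    return r


def _random_with_jacobi(m, N, rng):
    while True:
        t = rng.randrange(2, N)
        if math.gcd(t, N) == 1 and jacobi(t, N) == m:
            return t


def encrypt_bit(bit, a, N, rng):
    """One bit -> two elements of Z/NZ, since the sender can't tell whether r^2 = a or -a."""
    m = -1 if bit else 1
    t1, t2 = _random_with_jacobi(m, N, rng), _random_with_jacobi(m, N, rng)
    c1 = (t1 + a * pow(t1, -1, N)) % N      # c1 + 2r = (t1 + r)^2 / t1 when r^2 = a
    c2 = (t2 - a * pow(t2, -1, N)) % N      # c2 + 2r = (t2 + r)^2 / t2 when r^2 = -a
    return c1, c2


def decrypt_bit(ct, r, a, N):
    c1, c2 = ct
    c = c1 if r * r % N == a else c2
    return 0 if jacobi((c + 2 * r) % N, N) == 1 else 1


def encrypt(msg, identity, N, seed=1):
    rng = random.Random(seed)
    a = hash_identity(identity, N)
    bits = [(byte >> i) & 1 for byte in msg for i in range(7, -1, -1)]
    return [encrypt_bit(b, a, N, rng) for b in bits]


def decrypt(ct, r, identity, N):
    a = hash_identity(identity, N)
    bits = [decrypt_bit(c, r, a, N) for c in ct]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def ciphertext_bits(l, N):
    """Cocks: 2*l elements of Z/NZ.  The talk's system: one element plus l+1 bits."""
    n = N.bit_length()
    return {"cocks": 2 * l * n, "bgh": n + l + 1}
```

For a 1024-bit N and a 128-bit message the accounting function gives 262,144 ciphertext bits for Cocks against 1,153 for the scheme in the talk, which is the gap the abstract refers to; the price, as the abstract also notes, is slower encryption and decryption.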

Date: 24 October 2007

Speaker: Collin Jackson

Title: Protecting Browsers from DNS Rebinding Attacks


DNS rebinding attacks subvert the same-origin policy of browsers and convert them into open network proxies. We describe a new type of DNS rebinding attack that exploits the interaction between browsers and their plug-ins, such as Flash Player and Java. These attacks can be used to circumvent firewalls and are highly cost-effective for sending spam email and defrauding pay-per-click advertisers. We show that the classic defense against these attacks, called "DNS pinning," is ineffective in modern browsers.

In April, we discussed DNS rebinding attacks at security lunch. Since then, further variations on the attacks have been discovered. We conducted an experiment on a live ad network showing that rebinding attacks require less than $100 to temporarily hijack 100,000 IP addresses. We developed a defense tool, dnswall, to stop DNS rebinding attacks that circumvent firewalls. We also worked with browser and plug-in vendors to implement DNS rebinding fixes, with successful deployment of a patch to Java.

Date: 31 October 2007

Speaker: Arnab Roy

Title: Formal Proofs of Cryptographic Security of Diffie-Hellman-Based Protocols


We present axioms and inference rules for reasoning about Diffie-Hellman-based key exchange protocols and use these rules to prove authentication and secrecy properties of two important protocol standards, the Diffie-Hellman variant of Kerberos, and IKEv2, the revised standard key management protocol for IPsec. The new proof system is sound for an accepted semantics used in cryptographic studies. In the process of applying our system, we uncover a deficiency in Diffie-Hellman Kerberos that is easily repaired.

Date: 7 November 2007

Speaker: Martin Casado

Title: Towards a Network Operating System



Martin Casado recently received his PhD from the Stanford computer science department where he served as one of Professor McKeown's henchmen in the high performance networking group. Martin's primary doctoral research was focused on designing and implementing secure enterprise network architectures. Prior to enlisting in the PhD program, Martin hid from the public to do security research at Lawrence Livermore National Laboratory as part of the information operations and assurance group.

Date: 14 November 2007

No lunch this week

Date: 21 November 2007

No speaker: Thanksgiving recess

Date: 28 November 2007

Speaker: Matt Williamson (Principal Research Scientist, Sana Security)

Title: Malware landscape and trends


The talk will discuss the current malware landscape, using some data from malware detected by Sana Security's behavior-based malware detection product. It will discuss how the interplay of defensive technologies (signature-based and behavior-based) affects this picture. The talk will also cover how technology changes (Vista, etc.) might affect the landscape.


Matthew Williamson is Principal Scientist at Sana Security, and is responsible for inventing and integrating new technologies into Sana's product lines. He is a primary inventor of the behavior based malware detection and removal technology that forms the core of Sana's flagship product, Primary Response SafeConnect. Prior to joining Sana, he worked at Hewlett-Packard Labs, on a virus containment technology called Virus Throttling. He was educated at the University of Oxford, and obtained both his Masters and PhD in Computer Science from the Massachusetts Institute of Technology.

Date: 5 December 2007

Speaker: Mike Dalton

Title: Preventing Buffer Overflows Using Dynamic Information Flow Tracking


Recent research has established that Dynamic Information Flow Tracking (DIFT) can be used to prevent buffer overflows on unmodified binaries. We present a hardware DIFT design to prevent both control and data pointer corruption attacks. Our design is evaluated using an FPGA-based prototype that is a full-fledged Linux SPARC workstation. We demonstrate that this approach can prevent buffer overflow attacks on real-world, unmodified applications without false positives.
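The mechanism behind that claim is tag propagation plus a check at the point of use: every word of memory carries a taint bit, data from an untrusted source arrives tainted, copies and arithmetic carry the tag along, and the hardware faults when a tainted word is used as a code pointer (return address, indirect jump) or as a data pointer. The following is an added software model of that policy, not the talk's hardware design; the stack layout, the `strcpy`-style copy and the 16-byte buffer are constructed to show an overflow reaching a saved return address. The untainting rules the real design uses to avoid false positives on legitimate pointer arithmetic are not modelled here.

```python
class TaintFault(Exception):
    """Raised where a DIFT machine would trap: tainted word used as a pointer."""


class TaggedMemory:
    """Byte-addressed memory where every cell carries a one-bit taint tag."""

    def __init__(self, size):
        self.data = bytearray(size)
        self.tag = [False] * size

    def write_untrusted(self, addr, payload):
        """Input from the network or a file: stored with the taint bit set."""
        for i, b in enumerate(payload):
            self.data[addr + i] = b
            self.tag[addr + i] = True

    def store_word(self, addr, value, tainted=False):
        self.data[addr:addr + 4] = value.to_bytes(4, "little")
        self.tag[addr:addr + 4] = [tainted] * 4

    def load_word(self, addr):
        """Returns (value, tainted); a word is tainted if any of its bytes is."""
        return int.from_bytes(self.data[addr:addr + 4], "little"), any(self.tag[addr:addr + 4])

    def strcpy(self, dst, src):
        """Unchecked C-style copy: the propagation rule moves tags with the bytes."""
        i = 0
        while True:
            self.data[dst + i] = self.data[src + i]
            self.tag[dst + i] = self.tag[src + i]
            if self.data[src + i] == 0:
                return
            i += 1


def check_pointer(value, tainted, use):
    """The check rule: a tainted word may not be dereferenced or jumped to."""
    if tainted:
        raise TaintFault(f"tainted value {value:#010x} used as {use}")
    return value


def vulnerable_return(mem, input_addr, frame_addr):
    """Models  char buf[16]; strcpy(buf, input); return;  with the saved return
    address four bytes past the end of buf, where an overflow lands."""
    buf, saved_ret = frame_addr, frame_addr + 16
    mem.store_word(saved_ret, 0x40001234)            # trusted: written by the call
    mem.strcpy(buf, input_addr)                      # may run past buf into saved_ret
    value, tainted = mem.load_word(saved_ret)
    return check_pointer(value, tainted, "return address")   # the check on 'ret'


def vulnerable_deref(mem, input_addr, frame_addr):
    """Same layout, but the word after the buffer is a data pointer that is then read."""
    buf, ptr_slot, target = frame_addr, frame_addr + 16, frame_addr + 32
    mem.store_word(target, 0x2a)                     # what the pointer legitimately points at
    mem.store_word(ptr_slot, target)
    mem.strcpy(buf, input_addr)
    ptr, tainted = mem.load_word(ptr_slot)
    check_pointer(ptr, tainted, "data pointer")      # the check on the load through ptr
    return mem.load_word(ptr)[0]


def run(payload, victim=vulnerable_return):
    mem = TaggedMemory(256)
    mem.write_untrusted(128, payload + b"\0")         # untrusted string elsewhere in memory
    return victim(mem, 128, 0)


if __name__ == "__main__":
    print(hex(run(b"hello")))                        # fits in buf: returns normally
    try:
        run(b"A" * 20)                               # overwrites the return address
    except TaintFault as e:
        print("trapped:", e)
```

Two details are worth noticing. A 16-byte input faults even though only the NUL terminator spills over, because the terminator came from the untrusted buffer and carries its tag; and the policy never needed to know the buffer's bounds, which is what lets it work on unmodified binaries.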