Towards more trustworthy trust-based systems for anonymity and web security

Zhou, Peng

Author:	Zhou, Peng
Title:	Towards more trustworthy trust-based systems for anonymity and web security
Advisors:	Chang, Rocky K. C. (COMP)
Degree:	Ph.D.
Year:	2014
Subject:	Internet -- Security measures. Computer security. Hong Kong Polytechnic University -- Dissertations
Department:	Department of Computing
Pages:	xiii, 139 pages : illustrations ; 30 cm
Language:	English
Abstract:	In today’s Internet, trust has been widely used to design anonymity and security enhanced systems. Some of these trust-based systems have been successfully deployed in the Internet for a long time and benefit a large population of Internet users. In particular, trust-based onion routing network is a representative example for the use of trust in protecting anonymity. As one of the most popular onion routing systems, Tor serves more than 3 millions of Internet users. It hides Internet users’ identities behind a circuit of selected onion routers but runs a high risk of being compromised by attackers who employ malicious onion routers to launch correlation-like attacks. Without an effective trust model, it is very difficult for Internet users to evade attackers’ routers when establishing onion circuits. As a result, recent research proposes trust-based onion routing to thwart the correlation-like attacks. Using a priori trust that users have readily assigned to routers’ owners, attackers’ routers are likely to be identified and excluded from users’ onion circuits. As an example to demonstrate the effectiveness and popularity of trust in protecting security, we study the public key infrastructure (PKI for short) which has been successfully deployed in the web for more than two decades. This infrastructure employs a well-known certification based trust model for website authentication. Based on this trust model, modern browsers trust a group of trust anchors (also known as root certificate authorities or CAs for short) in advance, and authenticate remote websites by checking whether the site certificate is signed by one of the pre-trusted trust anchors. Although trust-based systems are widely used for securing anonymous communications and web services, recent studies reveal that the use of trust could incur new problems. For example, despite that trust-based onion routing successfully defeats correlation-like attacks by using a priori trust among users, the use of trust for onion routing still suffers from two challenging problems due to the inherent weakness of trust. One is the biased trust distributions among users, and the other is how to verify the correctness of trust one person assigns to the other. The biased distribution will reduce the entropy (i.e., anonymity) of the whole routing system and hence induce a new inference attack, whereas the incorrect trust could render trust-based onion routing ineffective in protecting anonymity. On the other hand, the trust-based systems that secure web services are also vulnerable due to the inadequate use of trust. For instance, the certification based trust model can be subverted globally if a single trust anchor is compromised. The root cause is that the trust model treats every trust anchor equally and accepts site certificate issued by any one of the pre-trusted trust anchors. This serious design flaw has been exploited to successfully hijack around 300, 000 Gmail users. As a result, these problems largely limit the effectiveness of even the state-of-the-art trust-based systems. Motivated by these challenges, the overall objective of this thesis is to make the aforementioned trusted-based systems more trustworthy. We present our research results in three parts. First, we propose the use of trust degree and global trust to address the biased trust distribution problem. Our trust degree based routing algorithm encourages users to select the onion routers that are trusted by more other users with a higher probability, hence reducing the possibility that the user's identity can be inferred by attackers. The global trust, on the other hand, is designed to guide users to discover and trust more honest routers, thus mitigating the bias of trust distributions. We also aggregate group trust from mutual friends to verify the correctness of users’ trust assignments. The group trust is designed based on a key insight: the trust from a group of honest people is more likely to be correct than the trust from a single honest person. We design a novel trust graph based onion routing algorithm that offers these new trust features, and show that this algorithm is more effective than existing trust-based onion routing systems. Second, we use an active approach to correct the flaw in the certification based trust model. Our approach is designed to maximize the protection against man-in-the-middle attacks by actively exhausting available trust anchors and exploiting Internet path diversity. Equipped with our approach, compromising a single trust anchor cannot compromise the entire trust model. Instead, subverting the entire trust model requires compromising a large number of trust anchors and hijacking nearly all the Internet paths to victim websites. Our approach consists of four distinct countermeasures, each of which has a unique tradeoff between the ease of deployment and the capability of defending against various man-in-the-middle attacks. These new countermeasures overcome the weaknesses of the existing countermeasures, which can neither defend first-time authentication nor resist man-in-the-middle attacks with two compromised trust anchors. We confirm the effectiveness of our approach using a real-world certificate data set and Internet experiments. Third, relating to web security, we also survey the landscape of file download vulnerabilities across different domains and countries, and discover the weak protection against this vulnerability in many web systems today. Our further investigation discloses the root causes of this weak protection: existing protection systems against file download vulnerability rely on either ad hoc user input sanitization mechanisms (whose implementations are error-prone) or directory based permission control (that suffers from undesirable flexibility). Based on this observation, we propose FileGuard, a new protection system that secures file download in the script engine layer. The basic idea is to isolate the web files from the rest of local filesystem through the embedding of dedicated ownership information into extended file attributes. Using this ownership information, a reliable and fine-grained access control can be performed to block illegal file downloads. FileGuard can mitigate the impact of erroneous implementations, because it provides a unified protection regardless of specific file download logic and achieves desirable flexibility due to per-file ownership statement. We have implemented a proof-of-concept proto-type of FileGuard by modifying the source code of PHP5 script engine and have confirmed that FileGuard can provide more reliable protections.
Rights:	All rights reserved
Access:	open access

Files in This Item:

File	Description	Size	Format
b27804951.pdf	For All Users	3.25 MB	Adobe PDF	View/Open

Copyright Undertaking

As a bona fide Library user, I declare that:

I will abide by the rules and legal ordinances governing copyright regarding the use of the Database.
I will use the Database for the purpose of my research or private study only and not for circulation or further reproduction or any other purpose.
I agree to indemnify and hold the University harmless from and against any loss, damage, cost, liability or expenses arising from copyright infringement or unauthorized usage.

By downloading any item(s) listed above, you acknowledge that you have read and understood the copyright undertaking as stated above, and agree to be bound by all of its terms.

Show full item record

Please use this identifier to cite or link to this item: https://theses.lib.polyu.edu.hk/handle/200/7856