skip to main content

Illinois Security Research in the Spotlight

3/3/2010 10:52:00 AM

Two major cyber-security stories have just broken in the national media, and some leading experts at the University of Illinois are weighing in with their perspectives.

On, Tuesday, February 16, a large-scale simulated cyberattack on the United States was carried out in Washington D.C. In the exercise, dubbed “Cyber ShockWave,” a group of former top U.S. officials role-played responses to a scenario in which a malicious smartphone virus spread rapidly through information networks. The conclusion was that the U.S. is simply “unprepared for cyber threats,” and that a similar attack in real life could easily have catastrophic consequences, potentially bringing much of the country to a standstill.

Then, on February 18, the real-life existence of a massive, now 18-month-old botnet attack became public. The attack, which has not yet been halted or traced to its perpetrators, has stolen massive amounts of valuable personal and corporate data. At least tens of thousands of machines, belonging to over 2,400 companies in almost 200 countries, have been infiltrated.

CS affiliate professor David M. Nicol (ECE), who conducts research at the Information Trust Institute (ITI), has offered his thoughts on the events of recent days. “Worms that were of interest to us back in the early portion of this decade were loud, fast, and noisy; the people who were doing them were doing them for bragging rights,” he explained. “They caused damage but they weren’t trying to steal anything; for the most part they weren’t trying to wipe disks or anything like that. It was more like, who can capture the most machines the fastest?” Times have changed, and today’s botnets are often geared towards criminal activities like stealing information. However, the attacks to date have been nowhere near as bad as they could be, in terms of the technological opportunities now available to attackers.

“This latest one, you know, people are talking about this great big botnet that’s got 25,000 or 30,000 owned hosts; but just a year ago, Conficker passed through, and that had millions,” said Nicol. “Now, Conficker turned out mostly to be used to spam. Although it had the capability to be loaded to go after sensitive information, it mostly wasn’t being used that way. What’s scary about this new one is that it is doing that. It’s going after the sensitive stuff. You can imagine if you had something that is like Conficker in size, doing the sorts of things that this present one is doing! You know, we’d go back to using gold coins instead of credit cards!”

Nicol played a major role in a previous Department of Homeland Security cyberattack exercise similar to this week’s Cyber ShockWave, and he explained that there are a variety of kinds of cyberattack exercises. In so-called “tabletop exercises,” of which Cyber ShockWave is an example, “they’re trying to get the decision-makers to be presented with problems and find out what decisions they have to make, and find out where their policies need to be clarified so they can deal with something like this. I think Cyber Shockwave did exactly what it was set out to do, and that was to push those people. There was really no technology involved in it.” Other kinds of cyberattack simulations are much more technical in nature, and involve operators of networks, Internet service providers, and other technical personnel. In those exercises, simulations and more realistic technology come into play. “And frankly,” added Nicol, “we come off looking just as bad in those as we do in Cyber ShockWave.”

The University of Illinois boasts a large number of leading cyber-security experts, some of whom are pursuing research directly relevant to the problems of defending against botnets.

Nicol himself, for example, has built a simulator for use in training exercises such as those described above. It became the basis for the simulator currently used in ITI’s $26.3 million Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) Center, where it is used for simulating attacks, including worm and botnet attacks, and evaluating the effectiveness of defenses against those attacks. In addition, his student Kurt Thomas is currently pursuing a botnet that is spreading through Twitter and Facebook by means of messages from infected members to their friends. Thomas has infiltrated this botnet so that he is now talking to the software that controls the botnet in such a way that it thinks he’s part of the botnet. In that way, Nicol explains, “he can learn more about what’s happening and how things work inside this botnet. And the information that we learn about how this and other ones work will give us the data so that we can create high-fidelity models of the way these things propagate.”
In addition, collaborating with Prof. Bill Sanders, programmer Mouna Seri, and student Sankalp Singh, Nicol has developed the Access Policy Tool (APT), which fights botnets by specifying the kinds of traffic that are and are not allowed in communication channels, particularly in process control systems. This approach takes advantage of the fact that botnets must have open communication paths between an owned machine and the botnet’s owner, or else the owner has no way to use the captured machine. By limiting traffic only to the traffic that is explicitly needed for the appropriate use of the system, APT closes many possible avenues of botnet communication.

In other botnet-related work at Illinois, CS affiliate professor Nikita Borisov (ECE) and CS professor Matthew Caesar, both of whom are also members of ITI, are collaborating on techniques to identify peer-to-peer (P2P) botnets on the Internet. P2P botnets use a decentralized command-and-control structure, making them resilient to individual node failures and difficult to detect through normal means.  Borisov and Caesar’s research focuses on combining data across Internet service providers and identifying connection patterns that create an efficient communication structure.

This work will allow the identification of previously unknown botnets, and also detect the botnet “partners” of hosts known to be compromised. It is particularly effective against extremely large-scale botnets, such as Conficker.

Computer science professor and ITI researcher Sam King faults the underlying architecture of current web browsers for many of the security breaches that we see today, including the recent hacking attempt on Google’s China operations that exploited a bug in Internet Explorer and many of the botnet attacks that appear in the news.

"From a security perspective, browsers are completely broken," King says. The problem with traditional browsers is that the way people use the Web has changed. Instead of just looking up information on static pages coded with HTML, or HyperText Markup Language, people are using the browser to run Web versions of applications that used to reside on a PC, such as e-mail, social networking, and online banking.”
To address these deficiencies, King is working to create a redefined web browser – on that has security in mind from the ground up.  His Opus Palladianum borrows concepts typically seen in operating systems to securely manage web applications and data access. 

“With our approach, your browser is the last line of defense, instead of the gate that lets the attackers in,” says King.

King is further turning the security model on its head with his efforts to close the increasingly common security vulnerabilities in hardware.  King and his team are working on methods to identify potentially risky sections of hardware, by using software to enforce the behavior of the hardware.

“The complexity in creating hardware is every bit the same as it is for software – but as of now, people generally only think about security issues in software.  We’re taking a look at implementing the same kind of security measures for hardware as we currently do for software,” explains King.
Other Illinois security researchers are pursuing a broad range of approaches, addressing today’s computing security challenges from every angle.

  • Prof. Carl Gunter of CS and ITI is developing improved theoretical models for DoS to inspire and analyze new types of DoS countermeasures.  “Denial of Service (DoS) attacks deplete the resources of target systems to deny service to legitimate users. Preventing such attacks is quite difficult because of fundamental design decisions in the Internet and in wireless systems,” says Gunter.
  • Additionally, Gunter is developing theory, architectures, and applications for communication and information systems based on automated use and management of attributes to improve the privacy and efficiency of messaging and the management of access permissions to enterprise data resources. 
  • Prof. Matt Caesar, in addition to the botnet work described above, is devising network management approaches, protocols, and systems that bootstrap, configure, and troubleshoot network problems with only minimal manual intervention. “Forcing humans to configure and manage networks increases reaction time to faults, introduces the potential for misconfiguration, and substantially increases operating costs,” remarks Caesar. “What is lacking today is a principled look at how to make systems manage themselves. We need a fresh approach to designing networks and protocols with self-management in mind.” 
  • Prof. Roy Campbell of CS and ITI  is seeking new solutions for the security assessment of SCADA networks, and operating system dependability and security.
  • Prof. Marianne Winslett of CS, ITI, and the Advanced Digital Sciences Center is creating a new approach to access control and authentication in open computing environments.  She is participating in the TrustBuilder project to develop automated trust negotiation.