Stealth Computing Abuses TCP Checksums
http://fyi.cnn.com/2001/TECH/internet/08/29/stealth.computing/index.html
http://slashdot.org/article.pl?sid=01/08/29/199205&mode=thread

A group of researchers at Notre Dame figured out how to use the TCP Checksum calculations to get other computers to do number-crunching for them.

"Below, we present an implementation of a parasitic computer using the checksum function. In order for this to occur, one needs to design a special message that coerces a target server into performing the desired computation."

The article has the amount of great mathematical depth you'd expect from CNN :-) But it does say that the paper will be published in "Nature" this week.

It's a really cool hack, though not especially efficient for real work. Of course, the Slashdot discussion follows typical structure - there's an interesting technical suggestion (ICMP checksums may be usable and are probably more efficient than TCP), some trolls and flamers, the obligatory "Imagine a Beowulf Cluster of those!" comment, and some speculation about the potential legalities and other uses for it.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com

At 11:25 PM 8/29/01 -0700, Bill Stewart <bill.stewart@pobox.com> wrote:
> A group of researchers at Notre Dame figured out how to use the TCP Checksum calculations to get other computers to do number-crunching for them.
>
> "Below, we present an implementation of a parasitic computer using the checksum function. In order for this to occur, one needs to design a special message that coerces a target server into performing the desired computation."
>
> The article has the amount of great mathematical depth you'd expect from CNN :-) But it does say that the paper will be published in "Nature" this week.

And the message in my mailbox immediately after the above was Nature's ToC including:

Parasitic computing
A-L BARABASI, V W FREEH, H JEONG & J B BROCKMAN
http://www.nature.com/nlink/v412/n6850/abs/412894a0_fs.html

Cheers,
Paul Pomes

--On Wednesday, 29 August, 2001 23:25 -0700 Bill Stewart <bill.stewart@pobox.com> wrote:
> http://fyi.cnn.com/2001/TECH/internet/08/29/stealth.computing/index.html
> http://slashdot.org/article.pl?sid=01/08/29/199205&mode=thread
>
> A group of researchers at Notre Dame figured out how to use the TCP Checksum calculations to get other computers to do number-crunching for them.
>
> "Below, we present an implementation of a parasitic computer using the checksum function. In order for this to occur, one needs to design a special message that coerces a target server into performing the desired computation."
>
> The article has the amount of great mathematical depth you'd expect from CNN :-) But it does say that the paper will be published in "Nature" this week.

For those who didn't see the Nature article, the authors have the article (and supplementary material) available at http://www.nd.edu/~parasite/

-paul

. "Below, we present an implementation of a parasitic computer
. using the checksum function. In order for this to occur,
. one needs to design a special message that coerces a target server
. into performing the desired computation."

This is the same principle that underlies denial of service attacks -- the irreducible residual vulnerability of a system to denial of service is proportional to the amount of work (or time) that system must do (or consume) before it can conclude its initial authorization decision. Ironically, the more precise and complex that authorization decision process, the greater the amount of work that the active (initiating) side of the connection can call on the passive side to perform. This critically bears on protocol and application security design.

--dan

On 1 Sep 2001, at 1:38, Dan Geer wrote:
> . "Below, we present an implementation of a parasitic computer
> . using the checksum function. In order for this to occur,
> . one needs to design a special message that coerces a target server
> . into performing the desired computation."
>
> This is the same principle that underlies denial of service attacks -- the irreducible residual vulnerability of a system to denial of service is proportional to the amount of work (or time) that system must do (or consume) before it can conclude its initial authorization decision. Ironically, the more precise and complex that authorization decision process, the greater the amount of work that the active (initiating) side of the connection can call on the passive side to perform. This critically bears on protocol and application security design.
>
> --dan

Since I haven't noticed anyone else point this out (apologies for my redundancy if I just somehow missed it), it's worth mentioning that the original result was more of a "gee whiz, it's interesting we can do this in principle" type of thing than an actual threat of something anybody would ever actually do. Yes, you can trick a remote host into performing calculations for you with a specially prepared message, but it requires a hell of a lot more effort to prepare the message than it would to perform the calculation yourself.

George

On Sunday, September 2, 2001, at 09:23 AM, georgemw@speakeasy.net wrote:
> On 1 Sep 2001, at 1:38, Dan Geer wrote:
>
>> . "Below, we present an implementation of a parasitic computer
>> . using the checksum function. In order for this to occur,
>> . one needs to design a special message that coerces a target server
>> . into performing the desired computation."
>>
>> This is the same principle that underlies denial of service attacks -- the irreducible residual vulnerability of a system to denial of service is proportional to the amount of work (or time) that system must do (or consume) before it can conclude its initial authorization decision. Ironically, the more precise and complex that authorization decision process, the greater the amount of work that the active (initiating) side of the connection can call on the passive side to perform. This critically bears on protocol and application security design.
>>
>> --dan
>
> Since I haven't noticed anyone else point this out (apologies for my redundancy if I just somehow missed it), it's worth mentioning that the original result was more of a "gee whiz, it's interesting we can do this in principle" type of thing than an actual threat of something anybody would ever actually do. Yes, you can trick a remote host into performing calculations for you with a specially prepared message, but it requires a hell of a lot more effort to prepare the message than it would to perform the calculation yourself.

Why would you think this is always so? It would not take much effort to arrange a computation that consumed a lot of CPU cycles and returned a result, once one has gotten access to a remote machine. The case of the corporate employee using machines he could access to compute a screensaver/P2P job for a possible winning payoff comes to mind. Granted, he may have had permissions to access these machines, but the general point is that someone who got past these permissions could have done the same compute-intensive thing.

I see no reason to believe that "it requires a hell of a lot more effort to prepare the message than it would to perform the calculation yourself." Sometimes it does, sometimes it doesn't.

--Tim May

On 2 Sep 2001, at 9:37, Tim May wrote:
>> Since I haven't noticed anyone else point this out (apologies for my redundancy if I just somehow missed it), it's worth mentioning that the original result was more of a "gee whiz, it's interesting we can do this in principle" type of thing than an actual threat of something anybody would ever actually do. Yes, you can trick a remote host into performing calculations for you with a specially prepared message, but it requires a hell of a lot more effort to prepare the message than it would to perform the calculation yourself.
>
> Why would you think this is always so?

Gut hunch.

> It would not take much effort to arrange a computation that consumed a lot of CPU cycles and returned a result, once one has gotten access to a remote machine. The case of the corporate employee using machines he could access to compute a screensaver/P2P job for a possible winning payoff comes to mind. Granted, he may have had permissions to access these machines, but the general point is that someone who got past these permissions could have done the same compute-intensive thing.

I was referring to the specific type of exploit where the "parasite" is abusing the TCP checksum. I suspect the same result is likely to hold with attempts to exploit other protocols. Obviously, if an attacker "owns" your machine, that's a completely different kettle of fish.

> I see no reason to believe that "it requires a hell of a lot more effort to prepare the message than it would to perform the calculation yourself."
>
> Sometimes it does, sometimes it doesn't.

Right, and I suspect I have a fair idea which is which. If you can get a remote host to execute arbitrary code, with loops and branches, or to evaluate complicated functions, then it may be worth your while to do it. If all you can do is get it to add up a list of numbers, then it's almost certainly going to be easier to just do the addition yourself. If there's also a bunch of extra effort required to turn an abstract problem into a series of addition problems, the advantage of solving the problem yourself (without this intermediate step) is even greater.

George

> --Tim May

participants (6)
- Bill Stewart
- Dan Geer
- georgemw@speakeasy.net
- Paul Krumviede
- Paul Pomes
- Tim May
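
The "computation" debated in this thread, as an added example that is not part of any post or of the Nature paper: a simplified model of the Internet checksum (RFC 1071) showing that a receiver's accept/drop decision answers only "do these 16-bit words sum to this value?", which the sender can answer with the same number of additions. The function names are illustrative, the TCP pseudo-header and header fields are left out as a simplifying assumption, and all values are constructed.

```python
# Simplified model of the Internet checksum (RFC 1071) over 16-bit words.
# Assumption: only the arithmetic is modelled, not a real TCP segment.

def ones_complement_sum(words):
    """Add 16-bit words with end-around carry, as a receiver does."""
    total = 0
    for w in words:
        total += w & 0xFFFF
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back in
    return total

def checksum_field_for(target):
    """Checksum field that verifies only if the data words sum to `target`."""
    return ~target & 0xFFFF

def receiver_accepts(words, checksum_field):
    """Verification step: data words plus checksum field must sum to 0xFFFF."""
    return ones_complement_sum(list(words) + [checksum_field]) == 0xFFFF

def local_check(words, target):
    """The same question answered without any network: a sum modulo 0xFFFF."""
    if not any(words):
        # Edge case: an all-zero payload folds to 0x0000, which the
        # verification step does not treat as equal to 0xFFFF.
        return target == 0
    # One's complement has two zeros (0x0000 and 0xFFFF), hence the modulus.
    return sum(words) % 0xFFFF == target % 0xFFFF

def compare(words, target):
    """Return (receiver's verdict, verdict computed locally)."""
    return receiver_accepts(words, checksum_field_for(target)), local_check(words, target)

if __name__ == "__main__":
    # Constructed cases: a plain sum, a sum that wraps, and a wrong guess.
    cases = [([0x1234, 0x0F0F], 0x2143),
             ([0xFFF0, 0x0020], 0x0011),
             ([0x1234, 0x0F0F], 0x2144)]
    for words, target in cases:
        print([hex(w) for w in words], hex(target), compare(words, target))
```

Both verdicts agree for every input, and each side performs one addition per word, so the receiver's contribution per message is a single modular sum.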