Deprecated: The each() function is deprecated. This message will be suppressed on further calls in /home/zhenxiangba/zhenxiangba.com/public_html/phproxy-improved-master/index.php on line 456 Steven J. Murdoch
In my spare time, I also enjoy photography. You may be interested
in my
photo collection.
My research interests include:
Side-channels, covert channels, watermarking and steganography
Operating system and network security
Data collection and visualisation techniques
Software engineering, maintainability and reverse-engineering
Cryptography and security protocols
Distributed databases, filesystems and versioning
Smartcards and financial security
Privacy, anonymity and traffic analysis
Structured information formats (XML, SGML, LDAP, etc.) and markup languages
Physical security and optical document security
News and Updates
14 October 2008
The slides and paper for “An Improved Clock-skew Measurement Technique for Revealing Hidden Services” presented at the 2008 USENIX Security Symposium, are now available.
23 July 2008
The slides and paper for “Metrics for Security and Performance in Low-Latency Anonymity Systems”, presented at the 2008 Privacy Enhancing Technologies Symposium, are now available.
18 May 2008
The slides and paper for “Thinking Inside the Box: System-level Failures of Tamper Proofing”, presented at the 2008 IEEE Symposium on Security and Privacy, are now available.
17 April 2008
My paper, “Hardened Stateless Session Cookies”, presented at the Cambridge Protocols Workshop 2008, is now available.
I am interested in improving the explanatory power and
typographical quality of graphical representations of data in papers I
write. To this end, I have written some functions for GNU R to produce data-rich
graphs, based on ideas presented by Edward Tufte in his book, The Visual Display
of Quantitative Information.
In the course of a different research project, I have worked with
Dallas iButtons. I dismantled two of them, and while these are
sensors, not designed to have any significant security properties, the
photos
may still be of interest.
Chip and PIN
Along with colleagues from the Security Group, I have been
investigating security aspects of the recent Chip and PIN deployment.
Our initial comments are summarised in Chip and Spin.
Since that document was published, we have been looking at issues in
PIN distribution and, in particular, the tamper-evidence of
laser-printed PIN mailers. Our Laser-printed
PIN Mailer Vulnerability Report describes some problems we found.
This document was distributed to users and manufacturers of
tamper-evident mailers in November 2004 and since then they have been
working to deploy improved products. As of August 2005 this report
is now publicly available.
Our work on "snooping" the account number and PIN over the
communication between card and terminal was featured in a program on
ARD
TV's Plusminus, by Sabina Wolf and on ITN news by Chris Choi.
There is further information about this work on our interceptor
page.
Recent printers, scanners and image manipulation software identify
images of currency, will not process the image and display an error
message linking to www.rulesforuse.org. The
detection algorithm is not disclosed, however it is possible to test
sample images as to whether they are identified as currency. This
webpage shows an initial analysis of the algorithm's properties, based
on results from the automated generation and testing of images.
In order to allow information to be easily exchanged a data format
must exist, which facilitates sharing between different applications
and different geographical locations throughout the evolution of both
the data schema and software. There are a great number of existing
solutions for this problem, each making different trade-offs and so
resulting in radically different approaches. As a first step in
exploring this area I have compiled a growing survey of general-purpose data-representation formats and markup languages.
I have done some work on developing software
for the Symbian OS, in
particular on the Sony Ericsson
P800. As part of that work I have written a brief "getting
started" guide for developing Symbian OS applications on
Windows using GCC.
A full list of my papers can be found on the publications page.
An Improved Clock-skew Measurement Technique for Revealing Hidden Services Sebastian Zander, Steven J. Murdoch
The Tor anonymisation network allows services, such as web servers, to be operated under a pseudonym. In previous work Murdoch described a novel attack to reveal such hidden services by correlating clock skew changes with times of increased load, and hence temperature. Clock skew measurement suffers from two main sources of noise: network jitter and timestamp quantisation error. Depending on the target’s clock frequency the quantisation noise can be orders of magnitude larger than the noise caused by typical network jitter. Quantisation noise limits the previous attacks to situations where a high frequency clock is available. It has been hypothesised that by synchronising measurements to the clock ticks, quantisation noise can be reduced. We show how such synchronisation can be achieved and maintained, despite network jitter. Our experiments show that synchronised sampling significantly reduces the quantisation error and the remaining noise only depends on the network jitter (but not clock frequency). Our improved skew estimates are up to two magnitudes more accurate for low-resolution timestamps and up to one magnitude more accurate for high-resolution timestamps, when compared to previous random sampling techniques. The improved accuracy not only allows previous attacks to be executed faster and with less network traffic but also opens the door to previously infeasible attacks on low-resolution clocks, including measuring skew of a HTTP server over the anonymous channel. 17th USENIX Security Symposium, San Jose, CA, USA, 28 July–01 August 2008.
[ paper | slides ]
Tools and Technology of Internet Filtering Steven J. Murdoch, Ross Anderson
In 2008 the OpenNet Initiative published the results of their survey of global Internet filtering. This chapter gives an introduction to the concepts and technologies needed to better appreciate the results presented in the rest of the book. A short Internet primer is followed with a description of the different approaches to filtering, and their various advantages and disadvantages. Finally the role of filtering within a more general censorship regime is discussed.
The full text of the other introductory chapters are available on the book website. Also available are the results of the survey itself. In Access Denied: The Practice and Policy of Global Internet Filtering, Ronald Deibert, John Palfrey, Rafal Rohozinski, Jonathan Zittrain, eds., (Cambridge: MIT Press), 2008.
[ chapter ]
Metrics for Security and Performance in Low-Latency Anonymity Systems Steven J. Murdoch, Robert N.M. Watson
In this paper we explore the tradeoffs between security and performance in anonymity networks such as Tor. Using probability of path compromise as a measure of security, we explore the behaviour of various path selection algorithms with a Tor path simulator. We demonstrate that assumptions about the relative expense of IP addresses and cheapness of bandwidth break down if attackers are allowed to purchase access to botnets, giving plentiful IP addresses, but each with relatively poor symmetric bandwidth. We further propose that the expected latency of data sent through a network is a useful performance metric, show how it may be calculated, and demonstrate the counter-intuitive result that Tor's current path selection scheme, designed for performance, both performs well and is good for anonymity in the presence of a botnet based adversary. 8th Privacy Enhancing Technologies Symposium (PETS 2008), Leuven, Belgium, 23–25 July 2008.
[ paper | slides ]
Thinking Inside the Box: System-level Failures of Tamper Proofing Saar Drimer, Steven J. Murdoch, Ross Anderson
PIN entry devices (PEDs) are critical security components in EMV smartcard payment systems as they receive a customer's card and PIN. Their approval is subject to an extensive suite of evaluation and certification procedures. In this paper, we demonstrate that the tamper proofing of PEDs is unsatisfactory, as is the certification process. We have implemented practical low-cost attacks on two certified, widely-deployed PEDs – the Ingenico i3300 and the Dione Xtreme. By tapping inadequately protected smartcard communications, an attacker with basic technical skills can expose card details and PINs, leaving cardholders open to fraud. We analyze the anti-tampering mechanisms of the two PEDs and show that, while the specific protection measures mostly work as intended, critical vulnerabilities arise because of the poor integration of cryptographic, physical and procedural protection. As these vulnerabilities illustrate a systematic failure in the design process, we propose a methodology for doing it better in the future. These failures also demonstrate a serious problem with the Common Criteria. So we discuss the incentive structures of the certification process, and show how they can lead to problems of the kind we identified. Finally, we recommend changes to the Common Criteria framework in light of the lessons learned. 2008 IEEE Symposium on Security and Privacy, Oakland, CA, US, 18–21 May 2008.
[ paper | slides | extended technical report – UCAM-CL-TR-711 | further information – videos, letters from vendors, FAQ ]
Hardened Stateless Session Cookies Steven J. Murdoch
Stateless session cookies allow web applications to alter their behaviour based on user preferences and access rights, without maintaining server-side state for each session. This is desirable because it reduces the impact of denial of service attacks and eases database replication issues in load-balanced environments. The security of existing session cookie proposals depends on the server protecting the secrecy of a symmetric key, which for engineering reasons is usually stored in a database, and thus at risk of accidental leakage or disclosure via application vulnerabilities. In this paper we show that by including a salted iterated hash of the user password in the database, and its pre-image in a session cookie, an attacker with read access to the server is unable to spoof an authenticated session. By extending an existing session cookie scheme, we maintain all the previous security guarantees, but also preserve security under partial compromise. Sixteenth International Workshop on Security Protocols, Cambridge, UK, 16–18 April 2008.
[ paper | slides ]
Recent talks
A full list of my talks can be found on the talks page.
Relay attacks on card payment: vulnerabilities and defences Saar Drimer, Steven J. Murdoch
Relay attacks allow criminals to use credit or debit cards for fraudulent transactions, completely bypassing protections in today's electronic payment systems. This talk will show how using easily available electronics, it is possible to carry out such attacks. Also, we will describe techniques for improving payment systems in order to close this vulnerability.
The UK, like many other countries, has moved from comparatively insecure magnetic stripe cards to smartcards, for electronic payment. These smartcards, capable of sophisticated cryptography, provide a high assurance of tamper resistance and while implementation standards varies, have the potential to provide good security. Although extracting secrets out of smartcards requires resources beyond the means of many would-be thieves, the manner in which they are used can still be exploited for fraud.
Cardholders authorize financial transactions by presenting the card and disclosing a PIN to a terminal without any assurance as to the amount being charged or who is to be paid, and have no means of discerning whether the terminal is authentic or not. Even the most advanced smartcards cannot protect customers from being defrauded by the simple relaying of data from one location to another. We describe the development of such an attack, and show results from live experiments on the UK's EMV implementation, Chip & PIN. We discuss previously proposed defences, and show that these cannot provide the required security assurances. A new defence is described and implemented, which requires only modest alterations to current hardware and software. This allows payment terminals to securely establish a maximum distance bound between itself and the legitimate card. As far as we are aware, this is the first complete design and implementation of a secure distance bounding protocol. Future smartcard generations could use this design to provide cost-effective resistance to relay attacks, which are a genuine threat to deployed applications. 24th Chaos Communication Congress, Berlin, Germany, 27–30 December 2007.
[ slides | video | related paper ]
Hot or Not: Fingerprinting hosts through clock skew Steven J. Murdoch, Sebastian Zander
Every computer has a unique clock skew, even ones of the same model, so this acts as a fingerprint. Even if that computer moves location and changes ISP, it can be later identified through this phenomenon.
By collecting TCP timestamps or sequence numbers, clock skew can be accurately remotely measured. In addition to varying between computers, clock skew also changes depending on temperature. Thus a remote attacker, monitoring timestamps, can make an estimate of a computer's environment, which has wide-scale implications on security and privacy. Through measuring day length and time-zone, the location of a computer could be estimated, which is a particular concern with anonymity networks and VPNs. Local temperature changes caused by air-conditioning or movements of people can identify whether two machines are in the same location, or even are virtual machines on one server. The temperature of a computer can also be influenced by CPU load, so opening up a low-bandwidth covert channel. This could be used by processes which are prohibited from communicating for confidentiality reasons and because this is a physical covert channel, it can even cross "air-gap" security boundaries.
The talk will demonstrate how to use this channel to attack the hidden service feature offered by the Tor anonymity system. Here, an attacker can repeatedly access a hidden service, increasing CPU load and inducing a temperature change. This will affect clock skew, which the attacker can monitor on all candidate Tor servers. When there is a match between the load pattern and the clock skew, the attacker has linked the real IP address of a hidden server to its pseudonym, violating the anonymity properties Tor is designed to provide.
The talk will also present a separate illustration of the temperature covert channel technique, such as investigating a suspected attack on the Tor network in August 2006, by a well equipped adversary. Invited talk, EuroBSDCon 2007, Copenhagen, Denmark, 14–15 September 2007.
[ slides | video ]
Experiences as an e-counting election observer in the UK Steven J. Murdoch
In May 2007, I acted as an election observer during the e-counting trials in the UK, on behalf of the Open Rights Group (ORG). This talk summarizes the ORG report and I add a few personal observations. Workshop on Trustworthy Elections, Ottawa, Canada, 20–21 June 2007.
[ slides ]
EMV flaws and fixes: vulnerabilities in smart card payment systems Steven J. Murdoch
The EMV protocol suite, used for smart card based payments worldwide, was devised in 1993, and has been revised a number of times to fix flaws and adapt to new threats. Despite this long heritage there remains several vulnerabilities, some in the EMV protocol itself, others as a result of how it has been deployed and yet more when smart card based payments are considered as part of the wider financial landscape. This talk will describe the EMV protocol both in the abstract and as a concrete implementation. Examples of flaws will be given, as well as mitigation techniques. Particular emphasis will be put on defences which respect existing implementation and business restrictions, so making their deployment more likely than conventional protocol fixes. COSIC Seminar, K.U. Leuven, Belgium, 11 June 2007.
[ slides ]
Detecting temperature through clock skew – Hot or Not: Defeating anonymity by monitoring clock skew to remotely detect the temperature of a PC Steven J. Murdoch
The end of my 22C3 talk showed how a side effect of TCP/IP steganography detection was to precisely measure the error of a computers system clock (skew). This talk will review and expand on that material, showing the various other mechanisms for monitoring clock skew and discussing the tradeoffs involved. Because every computer has a unique clock skew, even ones of the same model, this acts as a fingerprint. Even if that computer moves location and changes ISP, it can be later identified through this clock skew. In addition to varying between computers, clock skew also changes depending on temperature. Thus a remote attacker, monitoring timestamps, can make an estimate of a computers environment, which has wide-scale implications on security and privacy. Through measuring day length and time-zone, the location of a computer could be estimated, which is a particular concern with anonymity networks and VPNs. Local temperature changes caused by air-conditioning or movements of people can identify whether two machines are in the location, or even are virtual machines on one server. The temperature of a computer can also be influenced by CPU load, so opening up a low-bandwidth covert channel. This could be used by processes which are prohibited from communicating for confidentiality reasons and because this is a physical covert channel, it can even cross "air-gap" security boundaries. The talk will demonstrate how to use this channel to attack the hidden service feature offered by the Tor anonymity system. Here, an attacker can repeatedly access a hidden service, increasing CPU load and inducing a temperature change. This will affect clock skew, which the attacker can monitor on all candidate Tor servers. When there is a match between the load pattern and the clock skew, the attacker has linked the real IP address of a hidden server to its pseudonym, violating the anonymity properties Tor is designed to provide. The talk will also present a separate illustration of the temperature covert channel technique, investigating a suspected attack on the Tor network in August 2006, by a well equipped adversary. 23rd Chaos Communication Congress, Berlin, Germany, 27–30 December 2006.
[ slides | code | related paper ]
Miscellaneous
OpenID protocol diagram Steven J. Murdoch
I found that the OpenID
specifications did not give a clear overview of the
protocol message flow. So I produced a protocol diagram, which summarises
the roles of the various parties, messages sent between them and their
important components. Not all details are covered, and only the normal
protocol traces are considered so it certainly should not be considered
as an alternative to the specification, but I hope it will provide
some clarification.
[ protocol diagram (PDF 68K) ]
Contact Details
email (preferred):
Steven.Murdoch at cl.cam.ac.uk
To send me encrypted email see my PGP keys page.
post:
Steven J. Murdoch
University of Cambridge
Computer Laboratory
15 JJ Thomson Avenue
Cambridge
CB3 0FD
United Kingdom
phone:
+44 1223 763566
mobile:
+44 7866 807 628
fax:
+44 1223 334678
Last modified 2008-10-03 14:27 +0100
Note for search engines: My name is commonly misspelt as Steve Murdoch, Steve J. Murdoch, Stephen Murdoch, Stephen J. Murdoch, even sjm217 and sjmurdoch. I haven't seen anyone try 9803674m or murdocsj, which were my identifiers at the University of Glasgow, but in principle they might.