On civilian monitoring, technology, tools, and terrorism

I try to stay away from politically charged topics in my posts, but many times politics and information security overlap, leaving me no choice. There has been a lot of press recently involving various activities the NSA has undertaken in the past few years. Since 9/11, the US has been willing to sacrifice personal privacy in the name of security, specifically through increasingly broad monitoring techniques using modern technologies and tools. This has spawned a virtual arms race between privacy advocates and law enforcement, with more advanced monitoring leading to more advanced protection mechanisms, and vice versa.

One of the tools developed by privacy advocates, with the help of the EFF, is The Onion Router, or TOR. At a very high level, this software attaches your computer to a network of other active TOR clients and routes network traffic randomly through these nodes, obfuscating the true source of the activity. While the implementation isn't perfect, it's a good way to provide one layer of obfuscation to requests made from one's computer. Recently, TOR was identified by a three-letter government agency as a potential threat: a tool that could be used for malicious activity, possibly by terrorists. The distribution of this document is restricted, so I am unable to reference it here.

Does anyone else find it ironic that tools being developed to protect individuals' rights in response to draconian monitoring policies are being identified as terrorist threats by the governments instituting such policies? It seems as though such policies are providing ammunition to the threats they are intended to counter. The more governments infringe on the privacy of ordinary citizens, the more prevalent and complex dual-use tools like TOR will become, aiding terrorists and privacy advocates alike. I fear that this erosion of privacy and misplaced trust in the tradeoffs between privacy and security will leave us with nothing to show in terms of national security. Our government needs to accurately identify the threat and focus its resources there, rather than on the wholesale collection of data.

Bruce Schneier, who was interviewed by CNN when the USA Today story broke, has a great opinion article on this topic as well. Note that it was written before the recent article that I mention above.


Address space randomization

First, on the subject of administrivia: it's been a while since this blog has been updated. It's been a busy few months, and I've managed to draft a number of entries, so expect a barrage of updates in the next few weeks.

I've recently completed a paper discussing an effective implementation of address-space randomization. In short, randomizing the location of critical objects in memory has been proposed as a means to counter arbitrary code execution. The PaX and GRSecurity groups have implemented this in the form of a Linux kernel patch, along with a number of other protections. This has been criticized as ineffective by Shacham, et al., amongst others. My solution proposes a simple watcher process that addresses the shortcomings brought forward by this paper. The abstract is pasted below:

The true protection offered by randomization of the memory address space has been widely debated, most notably by Shacham, et al. [1]. The limited entropy afforded by memory addresses of 32-bit architectures, specifically, allows for brute-force discovery of the randomized locations of critical system objects. In this paper, it is shown that a watcher process can successfully stymie attempts to remotely discover randomized memory address offsets. In this implementation, address-space randomization becomes an effective protection measure against arbitrary code execution.
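
The abstract does not say how the watcher works, so the following is an added sketch and not code from the paper. It assumes the watcher is a supervisor that counts worker processes killed by fault signals and stops respawning them once a limit is reached; `watch_workers`, `sample_worker` and the limit values are hypothetical names and numbers.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

typedef int (*worker_fn)(int attempt);   /* hypothetical worker entry point */

/* Signals a worker typically dies from when a guessed address is wrong. */
static int is_fault_signal(int sig) {
    return sig == SIGSEGV || sig == SIGBUS || sig == SIGILL || sig == SIGABRT;
}

/* Run up to max_runs workers, one at a time. Returns the number of faulting
 * workers seen and stops respawning once crash_limit is reached, so the
 * caller can re-exec the service and obtain a fresh randomized layout. */
int watch_workers(worker_fn worker, int max_runs, int crash_limit, int *runs_done) {
    int crashes = 0, run;
    for (run = 0; run < max_runs && crashes < crash_limit; run++) {
        int status;
        pid_t pid = fork();
        if (pid < 0) break;                 /* fork failed: stop supervising */
        if (pid == 0) _exit(worker(run));   /* child: handle one request */
        if (waitpid(pid, &status, 0) < 0) break;
        if (WIFSIGNALED(status) && is_fault_signal(WTERMSIG(status)))
            crashes++;                      /* one observed failed probe */
    }
    if (runs_done) *runs_done = run;
    return crashes;
}

/* Constructed worker: every third request faults, standing in for a
 * request that touched an unmapped address. */
static int sample_worker(int attempt) {
    if (attempt % 3 == 2) {
        signal(SIGSEGV, SIG_DFL);           /* make sure the default action applies */
        raise(SIGSEGV);
    }
    return 0;
}

int main(void) {
    int runs = 0;
    int crashes = watch_workers(sample_worker, 100, 4, &runs);
    printf("stopped after %d workers, %d faults\n", runs, crashes);
    return 0;
}
```

If the service is re-randomized every time the limit is hit, a remote party sees at most `crash_limit` failed guesses against any one layout, instead of the unlimited retries a blindly respawning parent allows.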