No One In The Middle: Enabling Network Access Control Via Transparent Attribution

Commodity small networks typically rely on NAT as a perimeter defense, but are susceptible to a variety of well-known intra-network attacks, such as ARP spoofing. With the increased prevalence of oft-compromised Internet-of-Things (IoT) devices now taking up residence in homes and small businesses, the potential for abuse has never been higher. In this work, we present a novel mechanism for strongly attributing local network traffic to its originating principal, fully compatible with existing legacy devices. We eliminate Man-in-the-Middle attacks at both the link and service discovery layers, and enable users to identify and block malicious devices from direct attacks against other endpoints. Despite the prevalence of prior work with similar goals, previous solutions have either been unsuited to non-enterprise environments or have broken compatibility with existing network devices and therefore failed to be adopted. Our prototype imposes negligible performance overhead, runs on an inexpensive commodity router, and retains full compatibility with modern and legacy devices.
