Ben Mixon-Baca is an ICFP fellow with the Censored Planet team at the University of Michigan, a PhD candidate at Arizona State University, and co-founder of BreakpointingBad.
Ben’s recent work focused on reverse engineering and tool development using Panda-re, where he discovered a vulnerability in VPN software. The current project, “Automatically Identifying Applications with Poor Transport Security,” is focused on identifying applications that use poor or no encryption in the transport layer.
While Transport Layer Security (TLS) 1.3 is now enabled by default in popular browsers and 81% of network traffic is encrypted according to Mozilla telemetry, this project focuses on the remaining 19% of unencrypted traffic and aims to identify applications with poor or no transport layer security via monitoring at an Internet gateway. Ben hypothesizes that transport layer security weaknesses are both common among, and dangerous to, at-risk users in particular. The project also aims to identify the distribution of applications with poor transport security to characterize geographic regions that are most affected by poor transport security. Performing this analysis presents novel ethical and technical challenges: while the absence of encryption may be easy to spot, it is not trivial to ethically analyze the unencrypted data, which may contain sensitive information such as user names, passwords, and social security numbers.
Ben has looked into several techniques for addressing these challenges. One particularly interesting technique, called content sifting, was originally designed to identify worm traffic automatically. Content sifting works by extracting substrings common to many flows in the traffic. Because the identified substrings are common to a large number of unique IP addresses they are, by definition, not personally identifiable information. Because these substrings are not unique, they cannot be linked to any one person or machine. This technique has the potential to address both technical issues of scalability and ethical issues of collecting and analyzing unencrypted traffic. Content sifting and related techniques have not been applied to privacy-preserving network analytics or data leak detection, and their performance in this context is an open question that needs to be answered before deploying these techniques at larger scales.
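A minimal sketch of the content-sifting idea described above, as an added example (not code from Ben's tool or from the original content-sifting work). The fixed window length, the source threshold, the two-pass design that stores only digests until a substring proves widespread, and the sample flows are all assumptions made for illustration.

```python
import hashlib
from collections import defaultdict

K = 8            # window length in bytes (assumed)
MIN_SOURCES = 3  # distinct source addresses required to report (assumed)

# Constructed sample flows: (source IP, unencrypted payload).
FLOWS = [
    ("192.0.2.10", b"POST /api/login HTTP/1.1\r\n\r\nuser=alice&pw=hunter2"),
    ("192.0.2.11", b"POST /api/login HTTP/1.1\r\n\r\nuser=bob&pw=s3cr3t!!"),
    ("198.51.100.7", b"POST /api/login HTTP/1.1\r\n\r\nuser=carol&pw=pa55word"),
    ("198.51.100.7", b"POST /api/login HTTP/1.1\r\n\r\nuser=carol&pw=pa55word"),
]

def _digest(window: bytes) -> bytes:
    return hashlib.blake2b(window, digest_size=8).digest()

def windows(payload: bytes, k: int):
    for i in range(len(payload) - k + 1):
        yield i, payload[i:i + k]

def sift(flows, k=K, min_sources=MIN_SOURCES):
    """Return the substrings whose every k-byte window was seen from at
    least min_sources distinct source addresses."""
    # Pass 1: keep only window digests and the sources that sent them.
    sources = defaultdict(set)
    for src, payload in flows:
        for _, w in windows(payload, k):
            sources[_digest(w)].add(src)
    common = {d for d, s in sources.items() if len(s) >= min_sources}

    # Pass 2: recover plaintext only for widespread windows, merging
    # overlapping windows into the longest common run.
    found = set()
    for _, payload in flows:
        start = end = None
        for i, w in windows(payload, k):
            if _digest(w) in common:
                start = i if start is None else start
                end = i + k
            elif start is not None:
                found.add(payload[start:end])
                start = None
        if start is not None:
            found.add(payload[start:end])
    return found

if __name__ == "__main__":
    for s in sift(FLOWS):
        print(s)
```

On the constructed flows only the shared request prefix is reported; the per-user names and passwords never cross the threshold, and the repeated flow from one address counts as a single source. A value that many sources do share, such as a default credential, would still surface, which is why the threshold choice matters.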
The project will address this question by building a tool in the Zeek network monitoring system that can be easily deployed to an ISP or other large network vantage point. This tool will generate statistics about poor transport security, as well as information broken down across regions. Ben will explore content sifting and other related techniques to determine which among them most effectively identifies poor transport security.
Ben previously carried out a seasonal fellowship with OTF in 2015 to determine how to better assist at-risk organizations in accurately detecting man-in-the-middle and man-on-the-side attacks. With the help of Citizen Lab at the Munk School of Global Affairs at the University of Toronto, Ben developed a plugin for existing detection software and also trained multiple organizations on how to use the plugin (and numerous other tools) to quickly detect attacks. These tools (and the knowledge of how to use them) will greatly increase these organizations’ ability to respond quickly and effectively to threats. Ben’s work will further serve as a template for the rising number of organizations globally subject to similar attacks.