Innovation + Initiatives

As the Internet continues to expand, we are committed to creating and driving advancements that keep the Internet fast, safe and reliable for all users.

Verisign Labs: Projects

At Verisign Labs, research is not just for the sake of exploration, but to develop technologies that will play a significant role in the evolution of the internet. Our research spans a wide range of technical disciplines and touches all of Verisign’s businesses.

The Transition to IPv6

We are working with researchers at the University of Michigan to gain insights into the internet’s ongoing transition from IPv4 to IPv6. We hypothesise that the scarcity of IPv4 addresses will have profound effects on several of the desirable properties of the internet.

Social Identity Management

Verisign is supporting research at Purdue University to identify online human behavioural trends related to online identity management within social groups across social networking sites.

These efforts are focused on identifying current online behavioural trends that work around the limitations of existing technologies in order to predict future trends for social networking technologies.

Naming in the Future Internet

We are supporting research at Carnegie-Mellon University to develop a naming architecture with greater security, more explicit trust relationships between stakeholders, and naming support for mobile users and network services.

Researchers are assessing different naming architectures, ways to separate naming-address translation from trust, support for mobile users and services, and protection against related black hole or man-in-the-middle attacks.

Exploring Applications of Phonetic Edit Distance

Verisign is sponsoring research at the University of North Carolina on automated data analysis and automatic generation that uses distance metrics to represent the similarity between two values or objects.

Detecting Threats via the Social Behaviour of Hackers

In collaboration with researchers at Purdue University, we are investigating extensions to the current state-of-the-art intrusion detection systems by utilising the publicly available social behavioural information of hackers.

The researchers will study how social platforms can be utilised to identify trends/outbreaks in the security of deployed systems. They will utilise collective intelligence retrieval and activated knowledge-based decision making to create a system of proactive threat detection that relies on the social nature of hackers to help mitigate outbreaks before they reach end users. Rather than providing insights into merely integrating various ideas, this work intends to open a new general direction for understanding threats and adding a social element to the present-day state-of-the-art intrusion detection systems.

Using Preferences in Domain Names

As the global registry operator for .com and .net, we are funding research at Purdue University to gain a better understanding of users' preferences in choosing domain names.

The researchers will apply behavioural economic techniques to machine learning. Through the understanding of relevance, uniqueness and similarity in context in decisions about domain names, the research will help us build a cognitive map and quantitative representations of users' preferences and enhance our ability to analyse factors that influence consumer online purchasing behaviour.

Resolver Behaviour Study

This study examines the behaviour of current DNS resolver implementations including various versions of BIND, Unbound, PowerDNS, djbdns, and Microsoft Windows 2008.

In particular, we studied how recursive name servers choose among multiple authoritative servers for a given zone, and their retransmission algorithms when under duress (i.e., packet loss and delay). We also simulated different networking conditions to see how different latencies can affect the resolver's server selection algorithm and imposed simulated packet loss to understand the resolver's retransmit and backoff algorithms. These results may help make decisions about the right mix of anycast and unicast name servers.

Global Malware Identification and Analysis

We are sponsoring research at Georgia Tech to identify new and advanced techniques to acquire and analyse actionable intelligence about malware.

This research concentrates on the challenges that malware obfuscation tools, and malware's dependence on network access, create for collecting useful information about malware. The researchers at the Georgia Tech Information Security Centre (GTISC) have developed a horizontally scalable, automated malware analysis system that utilises isolation, hardware virtualisation, and network analysis to improve the extraction of information about malware.

Monitoring BGP and DNS Agility

Verisign is supporting research at Georgia Tech to develop a large-scale internet monitoring system.

It will provide a more sophisticated understanding of the role of the internet’s infrastructure in facilitating botnet attacks such as spam, scam hosting, and denial-of-service attacks. Bots have exploited various internet protocols such as the Border Gateway Protocol (BGP) and the Domain Name System (DNS) to move from one portion of the internet to another. This monitoring infrastructure will identify key components of this underlying infrastructure, specifically autonomous systems that facilitate BGP agility, and name servers and registrars that facilitate DNS agility. As a result, this system may provide cutting-edge intelligence for reputation systems for both DNS hosting infrastructure and autonomous systems.

Speeding up the HTTPS Handshake Using DNS

As the internet continues to evolve, the SSL/TLS protocol is playing an increasingly important role in creating private and authenticated end-to-end connections and in preventing "helpful" proxies from tampering with traffic.

All indications suggest that the use of SSL/TLS will grow considerably in the coming years. SSL/TLS is currently designed as a two-party protocol between a browser and a web server.

We are working with Stanford University on this project to investigate the possibility of adapting SSL/TLS to be a three-party protocol where the third party is a DNS server (preferably a DNSSEC server). Currently, the DNS server is used to resolve the web server's IP address, but plays no further role in setting up a secure session with the server. The main goal of this project is to show that by extending SSL/TLS to include DNS as a third party, the protocol can be made more efficient and in some cases more secure.

Asymmetrical Multiprocessor (AMP) Software Systems

Current commodity hardware designs feature numerous cores running at a decreased frequency.

The existing ecosystems of tools to unlock the performance potential of the hardware have created gaps. Software environments which address the gaps and unlock the breadth and depth of the hardware need to be created. This project investigates the AMP design option as a means of providing the highest possible performance from the hardware.

DNSSEC Debugger

The DNSSEC Debugger is a web-based tool for ensuring that the "chain of trust" is intact for a particular DNSSEC-enabled domain name.

The tool shows a step-by-step validation of a given domain name and highlights any problems found.

To use the tool, begin by visiting http://dnssec-debugger.verisignlabs.com and entering a domain name to be tested. The tool begins with a query to a root name server. It then follows the referrals down to the authoritative name server, validating DNSSEC keys and signatures as it goes. Each step in the process is given either a good (green), warning (yellow), or error (red) status code. You can move your mouse over the warning and error icons to view a longer explanation. Press the plus (+) and minus (-) keys to increase or decrease the debugging level. At the highest debugging level you can see the full, raw DNS messages for almost all of the queries.

Here's some sample output from the tool for the whitehouse.gov domain:

[Image: DNS Debugging (sample DNSSEC Debugger output for whitehouse.gov)]
Measuring the IPv4 to IPv6 Transition

We are working with researchers at the University of Michigan to gain insights into the internet’s ongoing transition from IPv4 to IPv6.

We estimate IANA will allocate the last /8s within the next year and the first RIR will exhaust all its IPv4 space shortly thereafter. As a result, we hypothesise that the scarcity of IPv4 addresses, the result of this so-called "IPv4 exhaustion", will have profound effects on several of the desirable properties of the internet. These impacted properties include, but are not limited to: support for heterogeneity and openness, security, scalability, reliability, availability, concurrency and transparency. In an effort to understand the impact of scarcity on these desirable properties, we plan to study the techniques and methodologies by which addresses are allocated and how these resources are subsequently used. While no fully-formed scarcity models for IPv4 addresses exist, we conjecture that several interesting phenomena warrant study: rate of transition to IPv6, increased use of NAT’ing, finer-grained routing, deallocation and block reclamation, and market-based address allocation. For the sake of tractability, this proposal focuses on measuring the transition from IPv4 to the IPv6 space. We are specifically concerned with questions which shed light on adoption rates, and eventual usage patterns in IPv6. While interesting from a modelling and characterisation perspective, we also believe this work has significant impact on operations, assisting in uncovering inconsistencies as we transfer, as well as supporting capacity planning and optimisation.

Robustness of DNS Infrastructure

In collaboration with researchers at UCLA, we aim to understand the resiliency of DNS service as a whole by measuring the interdependency of different zones.

Such interdependency can be introduced by large numbers of authoritative DNS servers being placed at the same location (e.g. either in the same geographic area or in the same ISP network), or more commonly by the increased trend of DNS server outsourcing which has led to the concentration of the DNS services of a large number of zones on a few DNS service providers. Consequently, a single failure can potentially bring down the DNS servers for a large number of domains.
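As an added example (not Verisign Labs code), the following measures the kind of interdependency described above over a constructed set of zones: each zone's name servers are mapped to a dependency label (here a hosting provider; the same code applies to an ISP or location label), and a zone counts as fully dependent on a label only when every one of its name servers shares it.

```python
# Added example (not Verisign Labs code): zone/name-server interdependency.
from collections import defaultdict

# Constructed sample data: zone -> NS names, NS name -> hosting provider.
ZONE_NS = {
    "example-a.test": ["ns1.bigdns.test", "ns2.bigdns.test"],
    "example-b.test": ["ns1.bigdns.test", "ns2.bigdns.test"],
    "example-c.test": ["ns1.bigdns.test", "ns.selfhosted-c.test"],
    "example-d.test": ["ns1.other.test", "ns2.other.test"],
    "example-e.test": ["ns1.bigdns.test", "ns1.other.test"],
}
NS_PROVIDER = {
    "ns1.bigdns.test": "BigDNS",
    "ns2.bigdns.test": "BigDNS",
    "ns.selfhosted-c.test": "SelfC",
    "ns1.other.test": "OtherDNS",
    "ns2.other.test": "OtherDNS",
}

def providers_of(zone, zone_ns=ZONE_NS, ns_provider=NS_PROVIDER):
    """Distinct providers (dependency labels) serving one zone."""
    return {ns_provider[ns] for ns in zone_ns[zone]}

def single_points_of_failure(zone_ns=ZONE_NS, ns_provider=NS_PROVIDER):
    """Map each provider to the zones that lose *all* authoritative servers
    if that provider fails, i.e. zones served by exactly one provider."""
    spof = defaultdict(set)
    for zone in zone_ns:
        provs = providers_of(zone, zone_ns, ns_provider)
        if len(provs) == 1:
            spof[next(iter(provs))].add(zone)
    return dict(spof)

def blast_radius(provider, zone_ns=ZONE_NS, ns_provider=NS_PROVIDER):
    """Fraction of all zones that go fully dark if `provider` fails."""
    spof = single_points_of_failure(zone_ns, ns_provider)
    return len(spof.get(provider, set())) / len(zone_ns)

if __name__ == "__main__":
    for prov, zones in sorted(single_points_of_failure().items()):
        print(f"{prov}: {len(zones)} fully dependent zone(s) -> {sorted(zones)}")
```

Zones with at least one name server at a second provider (example-c, example-e) survive a single-provider failure, which is the mitigation this measurement is meant to motivate.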

Characterising Malicious Domains

Is it possible to develop blacklisting techniques for domain names used for malicious activities based on DNS query patterns?

We examine domain names that are known to be used for phishing attacks, spam and malware-related activities to determine if they can be identified based on DNS query patterns. To date, we have found that malicious domain names tend to exhibit more variance in the networks that look up the domains and we also found that these domains become popular faster after the time of their initial registration. We also noted that miscreant domains exhibit distinct clusters relating to the networks that look up these domains. The distinct spatial and temporal characteristics of these domains, and their tendency to exhibit similar lookup behaviour suggests that it may be possible to develop more effective and timely blacklisting techniques based on these differing lookup patterns.
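The two lookup-pattern features named above (the spread of networks that look a domain up, and how fast it becomes popular after registration) can be computed from a resolver query log; the code below is an added example, not Verisign Labs code, working over constructed log lines and registration times, with network spread approximated as distinct /24 prefixes and the flagging thresholds chosen only for illustration.

```python
# Added example (not Verisign Labs code): per-domain DNS lookup features.
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed resolver query log: "<ISO timestamp> <resolver IP> <domain>".
QUERY_LOG = """\
2010-03-01T00:10:00 192.0.2.10 shop.example
2010-03-01T09:00:00 192.0.2.12 shop.example
2010-03-02T12:00:00 192.0.2.15 shop.example
2010-03-03T12:00:00 198.51.100.7 shop.example
2010-03-01T00:05:00 203.0.113.5 bad-dom.example
2010-03-01T00:20:00 198.51.100.9 bad-dom.example
2010-03-01T01:00:00 192.0.2.200 bad-dom.example
2010-03-01T01:30:00 203.0.113.77 bad-dom.example
"""
# Constructed registration times (in practice taken from registry data).
REGISTERED = {"shop.example": datetime(2009, 1, 15),
              "bad-dom.example": datetime(2010, 2, 28, 22, 0)}

def parse_log(text):
    """Yield (timestamp, /24 network of the querying resolver, domain)."""
    for line in text.splitlines():
        ts, ip, domain = line.split()
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        yield datetime.fromisoformat(ts), str(net), domain

def domain_features(text, registered, popular_at=3):
    """Per domain: distinct querying /24s (spatial spread) and hours from
    registration until the `popular_at`-th lookup (None if never reached)."""
    nets, times = defaultdict(set), defaultdict(list)
    for ts, net, domain in parse_log(text):
        nets[domain].add(net)
        times[domain].append(ts)
    feats = {}
    for domain, ts_list in times.items():
        ts_list.sort()
        hours = None
        if len(ts_list) >= popular_at:
            hours = (ts_list[popular_at - 1] - registered[domain]).total_seconds() / 3600
        feats[domain] = {"networks": len(nets[domain]), "hours_to_popular": hours}
    return feats

def flag_suspicious(feats, min_networks=3, max_hours=24):
    """Illustrative rule: wide network spread very soon after registration."""
    return sorted(d for d, f in feats.items()
                  if f["networks"] >= min_networks
                  and f["hours_to_popular"] is not None
                  and f["hours_to_popular"] <= max_hours)
```

A real blacklisting pipeline would use ASN or routing-prefix data instead of /24s and tune the thresholds against labelled domains.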

DNSSEC Interoperability Lab

Verisign Labs has established a DNSSEC Interoperability Lab in Dulles, VA to test the compatibility of IT solutions with our implementation of DNSSEC for the .com and .net TLDs.

DNSSEC adds new security features to the DNS protocol that prevent attacks such as cache poisoning. Because DNSSEC packets are different in size and structure from traditional DNS packets, some IT infrastructure components like routers and firewalls may not handle DNSSEC requests and responses correctly, causing failures in the internet infrastructure and in enterprise computing environments.

The Interoperability Lab consists of a standalone environment with a suite of over 8,000 test cases encompassing a wide range of possible failures. The Interoperability Lab is a free service that Verisign Labs offers to the community for testing a wide range of IT solutions. If you would like more information please contact us at dnssec@verisign.com.

DNS Server Affinity

A tool for visualising the traffic patterns between DNS clients and servers, including sample data from the Root name servers.

The DNS client/server affinity visualisation tool sheds new light on the complexities of DNS traffic. Within this OpenGL-based application, DNS clients are represented as dots of varying size and colour. Servers are placed in three-dimensional space. Each time a client sends a DNS query to a particular server, it moves a little bit closer to that server. The size and colour of a client is determined by its query rate.

The visualisation is useful for understanding how clients behave when choosing among multiple authoritative name servers, such as the 13 root name servers. Many clients do not exhibit strong affinity and will not wander close to any particular server. Some clients, on the other hand, can clearly be seen to be favouring a particular server.

The tool is equally useful for visualising the behaviour of BGP routing within an anycast cluster. The sample data for A-root on 09 February 2010 shows how clients migrate from one anycast node to another as routes are withdrawn and replaced over time.

The source code for the visualisation tool is located on the Verisign Labs Subversion server. This can be accessed via a web browser or a Subversion client.

Encryption on Intel Westmere

The 45 nm to 32 nm die shrink of the Intel Xeon product line (“Westmere”) introduces the AES-NI SIMD-class instructions, which can be used to greatly accelerate the performance of cryptographic operations.

The AES-NI “combinatorial logic” replaces the software-based table lookup of the FIPS 197 AES symmetric encryption standard. This project builds upon instructions AESENC, AESENCLAST, AESDEC, AESDECLAST, CLMUL, AESIMC, and AESKEYGENASSIST to perform 10 (128-bit), 12 (192-bit), and 14 (256-bit) rounds. The project continues to verify the durability of side channel attack protection and the ability to use the building blocks to accelerate Elliptic, ECHO, SHAVITE-3, etc. Additional design points include, but are not limited to, using pipelined combinatorial logic operations for other applications, full disk encryption, and interoperability with other projects such as OpenSSL. If AES-NI introduces durable cryptographic performance within the network stall cycle of the computer, how can and should this change the consumer internet experience? Can these instructions replace expensive cryptographic co-processor cards? This research will be re-conducted upon the introduction of the Intel “Sandy Bridge” AVX CPU to evaluate the new hardware features implemented.

GPU Computing

Significant advances in GPU (Graphics Processor Unit) technology may be utilised by Verisign to enhance our services.

Although the newly introduced devices share the same name as their legacy counterparts, the number of threads and interconnected hardware structures has vastly improved along with the introduction of integer capability. What are the integer and floating point characteristics of the new units? Can they be introduced into highly available architectures? Can a client-server-like computing model be successfully re-implemented using a GPU on a server? What are the characteristics of programming in OpenCL versus CUDA?