Check out the new USENIX Web site.
USENIX Security Symposium, August 4-8, 2003, Washington, DC, USA
USENIX '03 Home  | USENIX Home  | Events  | Publications  | Membership



At a Glance


Technical Sessions

Ask the Experts







Program PDF



Author Instructions

Speaker Instructions

Call for Papers

Past Proceedings


Session Chair: Kevin Fu

Session Agenda

2:00-2:04 Conference announcements Various
2:05-2:10 Analysis of an Electronic Voting System Adam Stubblefield
2:11-2:16 A WIP of ill repute Kevin Fu
2:17-2:22 Validator: testing firewalls Clif Flynt
2:23-2:28 Using Link Cuts to Attack Internet Routing Steve Bellovin
2:29-2:34 Stream: a transparent encryption system Simson L. Garfinkel
2:35-2:40 A Framework for Receipt Issuing, Contendable Remote Poll-Site Voting Prashanth Bungale
2:41-2:46 Wireless LAN Location-Sensing for Security Applications Algis Rudys
2:47-2:52 Trends in Denial of Service Attacks Jose Nazario
2:53-2:58 SonicKey Greg Rose
2:59-3:04 A Rekeying Protocol for Wireless Sensor Networks David Molnar
3:05-3:10 Wormholes and a Honeyfarm: Automatically Detecting Novel Worms Nicholas C Weaver
3:11-3:16 Honeyd—A Virtual Honeypot Daemon Niels Provos
3:17-3:22 Denial of Service through Regular Expressions Scott Crosby
3:23-3:28 Still Cleartext After All These Years monkeys

Conference CFPs

Network and Distributed System Security (NDSS) 2004, Dan Boneh

Security '04, 13th USENIX Security Symposium, Matt Blaze

Analysis of an Electronic Voting System

Adam Stubblefield, Johns Hopkins University
astubble at


Recent election problems have sparked great interest in managing the election process through the use of electronic voting systems. While computer scientists, for the most part, have been warning of the perils of such action, vendors have forged ahead with their products, claiming increased security and reliability. Many municipalities have adopted electronic systems, and the number of deployed systems is rising. For these new computerized voting systems, neither source code nor the results of any third-party certification analyses have been available for the general population to study, because vendors claim that secrecy is a necessary requirement to keep their systems secure. Recently, however, the source code purporting to be the software for a voting system from a major manufacturer appeared on the Internet. This manufacturer's systems were used in Georgia's state-wide elections in 2002, and the company just announced that the state of Maryland awarded them an order valued at up to $55.6 million to deliver touch screen voting systems. This unique opportunity for independent scientific analysis of voting system source code demonstrates the fallacy of the closed-source argument for such a critical system. Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We highlight several issues including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. For example, common voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal. Furthermore, we show that even the most serious of our outsider attacks could have been discovered without the source code. In the face of such attacks, the usual worries about insider threats are not the only concerns; outsiders can do the damage. That said, we demonstrate that the insider threat is also quite considerable. We conclude that, as a society, we must carefully consider the risks inherent in electronic voting, as it places our very democracy at risk.


A WIP of ill repute

Kevin Fu, MIT
fubob at


This WIP will demonstrate how a traditional reputation system works.


Validator: testing firewalls

Clif Flynt, Noumena Corporation
clif at


Validator is a software framework for testing and validating firewalls. The framework is open ended to allow creating customized validation applications and scripts.

The validation system consist of pairs of attack and monitor applications that use a dual-LAN test platform to send attacks and legitimate interactions to the 'outside' interface of the test firewall while monitoring the log files via the 'inside' interface.

This approach differs from the SATAN/SAINT approach of scanning for active ports in that it provides information about how attacks and legitimate uses are being processed by the test firewall. For example, SAINT/SATAN can report that a port is not accessible, while a mis-written firewall rule could be generating log data on each attempt (creating a full disk DOS attack.)

The application is currently working at the Proof-of-Concept stage. It consists of a packet generator, snort signature parser (to generate attack packets), legitimate-use scripts (for telnet/ftp), monitor applications, and a framework.

By August, I expect to have the framework filled in with more test applications.

The implementation of subsystems is being described in ;login: magazine, in a series of "Tclsh Spot" articles.

Using Link Cuts to Attack Internet Routing

Steve Bellovin, AT&T Research
smb at


Attacks on the routing system, with the goal of diverting traffic past an enemy-controlled point for purposes of eavesdropping or connection-hijacking, have long been known. In principle, at least, these attacks can be countered by use of appropriate authentication techniques. We demonstrate a new attack, based on link-cutting, that cannot be countered in this fashion. Armed with a topology map and a list of already-compromised links and routers, an attacker can calculate which links to disable, in order to force selected traffic to pass the compromised elements. The calculations necessary to launch this attack are quite efficient; in our implementation, most runs took less than half a second, on databases of several hundred nodes. We also suggest a number of work-arounds, including one based on using intrusion detection systems to modify routing metrics.

Stream: a transparent encryption system

Simson L. Garfinkel, MIT Computer Science and AI Lab
simsong at


Stream is a "co-pilot" for email encryption that provides for transparent opportunistic encryption and key distribution. Stream operates as a POP and SMTP proxy, encrypting or decrypting email whenever possible. Stream adopts a principle of "0-click" interaction. Currently Stream interoperates with PGP/GPG, it will soon interoperate with S/MIME as well. We believe that stream makes email encryption accessible for a broad user community in much the same way that SSL and SSH dramatically increased the use of cryptography for HTTP and remote login.

A Framework for Receipt Issuing, Contendable Remote Poll-Site Voting

Prashanth Bungale, Department of Computer Science, The Johns Hopkins University
prash at


We present a new framework for an electronic voting system in which a voter can vote not only from his home poll-site, but from any poll-site, in a manner that guarantees total voter anonymity and privacy. The core concentration of our work is the design of a mechanism in which a voter can be given a receipt to acknowledge his vote and at the same time preventing any occurrence of vote-selling or voter coercion. The voter shall be able to verify his vote - from anywhere - after election results have been published. If deemed necessary, the voter shall be able to anonymously contend the election results from any election office.

Much of the present literature views receipt-freeness as the necessity for precluding vote-selling and voter coercion. They present a "clear" picture of a tradeoff between the "mutually exclusive" issues of receipt issuance and voter security. The solution we propose overcomes this tradeoff and thus ensures the voter's confidence in that his vote has been counted as cast, without compromising voter security and privacy.

URL: Prashanth Bungale, Swaroop Sridhar

Wireless LAN Location-Sensing for Security Applications

Algis Rudys, Rice University
arudys at


This project considers the problem of using wireless LAN location-sensing for security applications. Recently, Bayesian methods have been successfully used to determine location from wireless LAN signals, but such methods have the drawback that a model must first be built from training data. The introduction of model error can drastically reduce the robustness of the location estimates and such errors can be actively induced by malicious users intent on hiding their location. This paper provides a technique for increasing robustness in the face of model error and experimentally validates this technique by testing against unmodeled hardware, modulation of power levels, and the placement of devices outside the trained workspace. Our results have interesting ramifications for location privacy in wireless networks.


Trends in Denial of Service Attacks

Jose Nazario, Arbor Networks, Ann Arbor, MI
jose at


We have been performing a long term study using blackhole collection and analysis techniques to observe denial of service activity. Using this method, we collect the backscatter from denial of service attacks which involve source address forgery. Collecting packets destined to a globally unused /8 network, we have been able to infer denial of service activity and observe trends over the past year and half.

Our findings demonstrate several trends in denial of service attacks. The primary change is in the protocols used in the attacks, which have shifted from being focused on TCP based attacks to primarily UDP based attacks. Secondly, we have observed that while the diribution of the duration of backscatter events has remained similar in this time period, packet and byte counts per event has been increasing, suggesting that attacks are increasing in severity. Lastly, while most attack targets are observed only a small number of times, a handful of networks are frequently attacked, with the cumulative effect equalling very long lived attacks.



Greg Rose, QUALCOMM Australia
ggr at


SonicKey is primarily an authentication primitive, using public-key technology and audio modulation, that can be implemented in a standalone token or as an application on a cellphone. It can be extended to electronic commerce and payment systems.

A Rekeying Protocol for Wireless Sensor Networks

David Molnar, Harvard University
dmolnar at


Wireless sensor networks are networks of low-power, low-CPU devices with short-range radios. Link-layer security in the Berkley TinyOS sensor platform is provided by a component called TinySEC. Unfortunately, keys in TinySEC are fixed at compile time and cannot change over the life of the device. We motivate adding runtime rekeying capability to TinySEC and describe some of the challenges involved. We are currently implementing such a capability on the Mica2 mote platform and will release our code to the community.


Wormholes and a Honeyfarm: Automatically Detecting Novel Worms

Nicholas C Weaver, University of California at Berkeley
nweaver at


A key problem in developing robust worm defenses is Internet-level detection: automatically discovering, classifying, and analyzing new worms before large numbers of hosts are infected. A collection of honeypots, scattered throughout the Internet, would create a sensitive worm detector but is impractical due to the distributed cost and trust required. Yet by separating the network endpoints from the honeypots themselves, a robust and sensitive worm detector becomes feasible.

We propose a series of wormholes which forward all communication to a honeyfarm, a centralized collection of honeypots and analysis tools. The wormholes are simple, low cost appliances, distributed throughout the Internet, which securely tunnel all received traffic to the honeyfarm. When the honeyfarm receives this traffic, it dynamically reconfigures a honeypot, completing the illusion that the honeypot is at the wormhole's location. By analyzing the spreading behavior of an infected honeypot and challenging the worm against other configurations, the honeyfarm can automatically detect and classify new worms. Neither the honeyfarm nor the wormholes trust each other, while only the honeyfarm provides an alarm for the rest of the Internet.


Honeyd - A Virtual Honeypot Daemon

Niels Provos, UMich CITI
provos at


Honeypots are closely monitored network decoys serving several purposes: they can distract adversaries from more valuable machines, they can provide early warning of and response to new attacks and they allow in-depth examination of adversaries during and after exploitation of a honeypot. However, deploying physical honeypots is often time intensive and expensive as different operating systems require specialized hardware and every honeypot requires its own physical system.

This WIP presents recent improvements to Honeyd, a framework for virtual honeypots, that simulates virtual computer systems at the network level. To fool network fingerprinting tools, Honeyd simulates the networking stack of different operating systems and can provide arbitrary routing topologies and services for an arbitrary number of virtual systems. The Honeyd framework can help in many areas of system security; examples range from detecting worms and distracting adversaries to preventing the spread of spam email.

Denial of Service through Regular Expressions

Scott Crosby, Rice University
scrosby at


My talk will demonstrate how common backtracking regular expression matching systems can take exponential time. We will discuss some of the theory behind these systems and will use examples taken from real systems to point out how real software exhibits these vulnerabilities.

still cleartext after all these years

marius eriksen, niels provos, jose nazario
{marius, provos,jose} at,


what's really preventing the deployment and adoption of encrypted communications cuts significantly deeper than we've wanted to believe. even at a "security conference" like usenix security 03, professionals and industry vanguards alike still transmit confidential data in the clear. we haven't learned the lessons from "passwords found on a wireless network" [song, 2000]. we haven't learned the lessons we teach.

using simple, commonplace tools, we have managed to snag your password, your confidential email, interactive communications, and are happy to share your secrets. a rousing game of "match the password to the username" will be available.

?Need help? Use our Contacts page.

Last changed: 11 Aug. 2003 aw