| |
| |
| Foreword | |
| |
| |
| |
| Introduction | |
| |
| |
| A Few Words about Me | |
| |
| |
| About This Book | |
| |
| |
| |
| The Source | |
| |
| |
| |
| I can Hear You Typing | |
| |
| |
| The Need for Randomness | |
| |
| |
| Automated Random Number Generation | |
| |
| |
| The Security of Random Number Generators | |
| |
| |
| I/O Entropy: This Is Your Mouse Speaking | |
| |
| |
| Delivering Interrupts: A Practical Example | |
| |
| |
| One-Way Shortcut Functions | |
| |
| |
| The Importance of Being Pedantic | |
| |
| |
| Entropy Is a Terrible Thing to Waste | |
| |
| |
| Attack: The Implications of a Sudden Paradigm Shift | |
| |
| |
| A Closer Look at Input Timing Patterns | |
| |
| |
| Immediate Defense Tactics | |
| |
| |
| Hardware RNG: A Better Solution? | |
| |
| |
| Food for Thought | |
| |
| |
| Remote Timing Attacks | |
| |
| |
| Exploiting System Diagnostics | |
| |
| |
| Reproducible Unpredictability | |
| |
| |
| |
| Extra Efforts Never Go Unnoticed | |
| |
| |
| Boole's Heritage | |
| |
| |
| Toward the Universal Operator | |
| |
| |
| DeMorgan at Work | |
| |
| |
| Convenience Is a Necessity | |
| |
| |
| Embracing the Complexity | |
| |
| |
| Toward the Material World | |
| |
| |
| A Nonelectric Computer | |
| |
| |
| A Marginally More Popular Computer Design | |
| |
| |
| Logic Gates | |
| |
| |
| From Logic Operators to Calculations | |
| |
| |
| From Electronic Egg Timer to Computer | |
| |
| |
| Turing and Instruction Set Complexity | |
| |
| |
| Functionality, at Last | |
| |
| |
| Holy Grail: The Programmable Computer | |
| |
| |
| Advancement through Simplicity | |
| |
| |
| Split the Task | |
| |
| |
| Execution Stages | |
| |
| |
| The Lesser Memory | |
| |
| |
| Do More at Once: Pipelining | |
| |
| |
| The Big Problem with Pipelines | |
| |
| |
| Implications: Subtle Differences | |
| |
| |
| Using Timing Patterns to Reconstruct Data | |
| |
| |
| Bit by Bit | |
| |
| |
| In Practice | |
| |
| |
| Early-Out Optimization | |
| |
| |
| Working Code-Do It Yourself | |
| |
| |
| Prevention | |
| |
| |
| Food for Thought | |
| |
| |
| |
| Ten Heads of the Hydra | |
| |
| |
| Revealing Emissions: TEMPEST in the TV | |
| |
| |
| Privacy, Limited | |
| |
| |
| Tracking the Source: "He Did It!" | |
| |
| |
| "Oops" Exposure: *_[tilde]lq'@@...and the Password Is | |
| |
| |
| |
| Working for the Common Good | |
| |
| |
| |
| Safe Harbor | |
| |
| |
| |
| Blinkenlights | |
| |
| |
| The Art of Transmitting Data | |
| |
| |
| From Your Email to Loud Noises ... Back and Forth | |
| |
| |
| The Day Today | |
| |
| |
| Sometimes, a Modem Is Just a Modem | |
| |
| |
| Collisions Under Control | |
| |
| |
| Behind the Scenes: Wiring Soup and How We Dealt with It | |
| |
| |
| Blinkenlights in Communications | |
| |
| |
| The Implications of Aesthetics | |
| |
| |
| Building Your Own Spy Gear | |
| |
| |
| ... And Using It with a Computer | |
| |
| |
| Preventing Blinkenlights Data Disclosure-and Why It Will Fail | |
| |
| |
| Food for Thought | |
| |
| |
| |
| Echoes of the Past | |
| |
| |
| Building the Tower of Babel | |
| |
| |
| The OSI Model | |
| |
| |
| The Missing Sentence | |
| |
| |
| Food for Thought | |
| |
| |
| |
| Secure in Switched Networks | |
| |
| |
| Some Theory | |
| |
| |
| Address Resolution and Switching | |
| |
| |
| Virtual Networks and Traffic Management | |
| |
| |
| Attacking the Architecture | |
| |
| |
| CAM and Traffic Interception | |
| |
| |
| Other Attack Scenarios: DTP, STP, Trunks | |
| |
| |
| Prevention of Attacks | |
| |
| |
| Food for Thought | |
| |
| |
| |
| Us Versus Them | |
| |
| |
| Logical Blinkenlights and Their Unusual Application | |
| |
| |
| Show Me Your Typing, and I Will Tell You Who You Are | |
| |
| |
| The Unexpected Bits: Personal Data All Around | |
| |
| |
| Wi-Fi Vulnerabilities | |
| |
| |
| |
| Out in the Wild | |
| |
| |
| |
| Foreign Accent | |
| |
| |
| The Language of the Internet | |
| |
| |
| Naive Routing | |
| |
| |
| Routing in the Real World | |
| |
| |
| The Address Space | |
| |
| |
| Fingerprints on the Envelope | |
| |
| |
| Internet Protocol | |
| |
| |
| Protocol Version | |
| |
| |
| The Header Length Field | |
| |
| |
| The Type of Service Field (Eight Bits) | |
| |
| |
| The Total Packet Length (16 Bits) | |
| |
| |
| The Source Address | |
| |
| |
| The Destination Address | |
| |
| |
| The Fourth Layer Protocol Identifier | |
| |
| |
| Time to Live (TTL) | |
| |
| |
| Flags and Offset Parameters | |
| |
| |
| Identification Number | |
| |
| |
| Checksum | |
| |
| |
| Beyond Internet Protocol | |
| |
| |
| User Datagram Protocol | |
| |
| |
| Introduction to Port Addressing | |
| |
| |
| UDP Header Summary | |
| |
| |
| Transmission Control Protocol Packets | |
| |
| |
| Control Flags: The TCP Handshake | |
| |
| |
| Other TCP Header Parameters | |
| |
| |
| TCP Options | |
| |
| |
| Internet Control Message Protocol Packets | |
| |
| |
| Enter Passive Fingerprinting | |
| |
| |
| Examining IP Packets: The Early Days | |
| |
| |
| Initial Time to Live (IP Layer) | |
| |
| |
| The Don't Fragment Flag (IP Layer) | |
| |
| |
| The IP ID Number (IP Layer) | |
| |
| |
| Type of Service (IP Layer) | |
| |
| |
| Nonzero Unused and Must Be Zero Fields (IP and TCP Layers) | |
| |
| |
| Source Port (TCP Layer) | |
| |
| |
| Window Size (TCP Layer) | |
| |
| |
| Urgent Pointer and Acknowledgment Number Values (TCP Layer) | |
| |
| |
| Options Order and Settings (TCP Layer) | |
| |
| |
| Window Scale (TCP Layer, Option) | |
| |
| |
| Maximum Segment Size (TCP Layer, Option) | |
| |
| |
| Time-Stamp Data (TCP Layer, Option) | |
| |
| |
| Other Passive Fingerprinting Venues | |
| |
| |
| Passive Fingerprinting in Practice | |
| |
| |
| Exploring Passive-Fingerprinting Applications | |
| |
| |
| Collecting Statistical Data and Incident Logging | |
| |
| |
| Content Optimization | |
| |
| |
| Policy Enforcement | |
| |
| |
| Poor Man's Security | |
| |
| |
| Security Testing and Preattack Assessment | |
| |
| |
| Customer Profiling and Privacy Invasion | |
| |
| |
| Espionage and Covert Reconnaissance | |
| |
| |
| Prevention of Fingerprinting | |
| |
| |
| Food for Thought: The Fatal Flaw of IP Fragmentation | |
| |
| |
| Breaking TCP into Fragments | |
| |
| |
| |
| Advanced Sheep-Counting Strategies | |
| |
| |
| Benefits and Liabilities of Traditional Passive Fingerprinting | |
| |
| |
| A Brief History of Sequence Numbers | |
| |
| |
| Getting More Out of Sequence Numbers | |
| |
| |
| Delayed Coordinates: Taking Pictures of Time Sequences | |
| |
| |
| Pretty Pictures: TCP/IP Stack Gallery | |
| |
| |
| Attacking with Attractors | |
| |
| |
| Back to System Fingerprinting | |
| |
| |
| ISNProber-Theory in Action | |
| |
| |
| Preventing Passive Analysis | |
| |
| |
| Food for Thought | |
| |
| |
| |
| In Recognition of Anomalies | |
| |
| |
| Packet Firewall Basics | |
| |
| |
| Stateless Filtering and Fragmentation | |
| |
| |
| Stateless Filtering and Out-of-Sync Traffic | |
| |
| |
| Stateful Packet Filters | |
| |
| |
| Packet Rewriting and NAT | |
| |
| |
| Lost in Translation | |
| |
| |
| The Consequences of Masquerading | |
| |
| |
| Segment Size Roulette | |
| |
| |
| Stateful Tracking and Unexpected Responses | |
| |
| |
| Reliability or Performance: The DF Bit Controversy | |
| |
| |
| Path MTU Discovery Failure Scenarios | |
| |
| |
| The Fight against PMTUD, and Its Fallout | |
| |
| |
| Food for Thought | |
| |
| |
| |
| Stack Data Leaks | |
| |
| |
| Kristjan's Server | |
| |
| |
| Surprising Findings | |
| |
| |
| Revelation: Phenomenon Reproduced | |
| |
| |
| Food for Thought | |
| |
| |
| |
| Smoke and Mirrors | |
| |
| |
| Abusing IP: Advanced Port Scanning | |
| |
| |
| Tree in the Forest: Hiding Yourself | |
| |
| |
| Idle Scanning | |
| |
| |
| Defense against Idle Scanning | |
| |
| |
| Food for Thought | |
| |
| |
| |
| Client Identification: Papers, Please! | |
| |
| |
| Camouflage | |
| |
| |
| Approaching the Problem | |
| |
| |
| Towards a Solution | |
| |
| |
| A (Very) Brief History of the Web | |
| |
| |
| A HyperText Transfer Protocol Primer | |
| |
| |
| Making HTTP Better | |
| |
| |
| Latency Reduction: A Nasty Kludge | |
| |
| |
| Content Caching | |
| |
| |
| Managing Sessions: Cookies | |
| |
| |
| When Cookies and Caches Mix | |
| |
| |
| Preventing the Cache Cookie Attack | |
| |
| |
| Uncovering Treasons | |
| |
| |
| A Trivial Case of Behavioral Analysis | |
| |
| |
| Giving Pretty Pictures Meaning | |
| |
| |
| Beyond the Engine ... | |
| |
| |
| ... And Beyond Identification | |
| |
| |
| Prevention | |
| |
| |
| Food for Thought | |
| |
| |
| |
| The Benefits of Being a Victim | |
| |
| |
| Defining Attacker Metrics | |
| |
| |
| Protecting Yourself: Observing Observations | |
| |
| |
| Food for Thought | |
| |
| |
| |
| The Big Picture | |
| |
| |
| |
| Parasitic Computing, or How Pennies Add Up | |
| |
| |
| Nibbling at the CPU | |
| |
| |
| Practical Considerations | |
| |
| |
| Parasitic Storage: The Early Days | |
| |
| |
| Making Parasitic Storage Feasible | |
| |
| |
| Applications, Social Considerations, and Defense | |
| |
| |
| Food for Thought | |
| |
| |
| |
| Topology of the Network | |
| |
| |
| Capturing the Moment | |
| |
| |
| Using Topology Data for Origin Identification | |
| |
| |
| Network Triangulation with Mesh-Type Topology Data | |
| |
| |
| Network Stress Analysis | |
| |
| |
| Food for Thought | |
| |
| |
| |
| Watching the Void | |
| |
| |
| Direct Observation Tactics | |
| |
| |
| Attack Fallout Traffic Analysis | |
| |
| |
| Detecting Malformed or Misdirected Data | |
| |
| |
| Food for Thought | |
| |
| |
| Closing Words | |
| |
| |
| Bibliographic Notes | |
| |
| |
| Index | |