Adrian Perrig's research while affiliated with ETH Zurich and other places
What is this page?
This page lists the scientific contributions of an author, who either does not have a ResearchGate profile, or has not yet added these contributions to their profile.
It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.
If you're a ResearchGate member, you can follow this page to keep up with this author's work.
If you are this author, and you don't want us to display this page anymore, please let us know.
It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.
If you're a ResearchGate member, you can follow this page to keep up with this author's work.
If you are this author, and you don't want us to display this page anymore, please let us know.
Publications (451)
Many critical computing applications rely on secure and dependable time which is reliably synchronized across large distributed systems. Today's time synchronization architectures are commonly based on global navigation satellite systems at the considerable risk of being exposed to outages, malfunction, or attacks against availability and accuracy....
In a world with increasing simplicity to store, transfer, and analyze large volumes of data, preserving data confidentiality and integrity of Internet traffic by default becomes more and more important. Unfortunately, a large gap exists between low-security opportunistic encryption and trust-on-first-use (TOFU) protocols, and high-security communic...
Adversaries can exploit inter-domain routing vulnerabilities to intercept communication and compromise the security of critical Internet applications. Meanwhile the deployment of secure routing solutions such as Border Gateway Protocol Security (BGPsec) and Scalability, Control and Isolation On Next-generation networks (SCION) are still limited. Ho...
The construction of distributed systems is extremely challenging—especially for systems that operate in adversarial environments. SCION is no exception. A SCION network consists of a variety of different components such as routers, beacon servers, path servers, and edge devices.
Translating human-readable names to network addresses (among other information), a naming service is indispensable in making digital communication practically usable. Almost every connection over the Internet starts with a name resolution query to the Domain Name System (DNS). Likewise, for the setup of SCION connections, proper name resolution sho...
In the previous chapters we have motivated the need for formal methods—both at the design level and the code level—and discussed techniques for both levels. We have seen the results of verification efforts related to the SCION data plane and the N-Tube algorithm and discussed example code from the SCION border router.
In contrast to the control-plane PKI (presented in §3.1), whose main purpose is to authenticate ASes, an end-entity PKI enables the authentication of end systems such as web servers. It also facilitates the design of RHINE, a next-generation secure and reliable Internet naming system (Chapter 19). The most widely used end-entity PKI is the HTTPS pu...
Given the extensive list of topics covered in this book, a wealth of related work exists. Balancing relevance, completeness and readability, we focus on related work specifically in the areas of future Internet architectures, deployment of new Internet architectures, and inter-domain multipath routing protocols. Current efforts to secure the curren...
Throughout this book, we have seen how path-aware network architectures enable the creation of new applications and services, as they provide users with advanced communication features such as multipath, efficient key distribution, or geofencing.
This chapter describes SCION's control plane, whose main purpose is to create and manage path segments, which can then be combined into forwarding paths to transmit packets in the data plane. We first discuss how path exploration is realized through beaconing and how path segments are registered. We then discuss path lookup and present the SCION Co...
Numerous events have made the inadequacies of today’s Internet increasingly apparent. As SCION is able to achieve desirable properties for stakeholders in a wide variety of use cases, there exist many reasons to adopt SCION1 to overcome those limitations. In this chapter, we highlight some of the most promising use cases and applications that can b...
SCION’s extensible architecture enables new systems that can take advantage of the novel properties and mechanisms provided. As compared to the current Internet, most of the benefits are achieved through the use of packet-carried forwarding state (PCFS), path transparency, and control. In this chapter, we describe three control-plane systems to sup...
In Chaps. 2–5, we have presented the main components of the SCION architecture: beacon service, certificate service, and path service; the concept of ISDs and their trust root configuration (TRC); the CP-PKI and symmetrickey infrastructure; the path-exploration (beaconing), -registration, and -lookup mechanisms; and the SCION forwarding process.
In various contexts of networking research, end-host path selection has recently regained momentum as a design principle. While such path selection has the potential to increase performance and security of networks, there is a prominent concern that it could also lead to network instability (i.e., flow-volume oscillation) if paths are selected in a...
This paper presents a security analysis of the InfiniBand architecture, a prevalent RDMA standard, and NVMe-over-Fabrics (NVMe-oF), a prominent protocol for industrial disaggregated storage that exploits RDMA protocols to achieve low-latency and high-bandwidth access to remote solid-state devices. Our work, NeVerMore, discovers new vulnerabilities...
This chapter starts with an introduction of classic routing protocols, followed by examining different addressing techniques. A key set of principles and requirements for routing and addressing for future Internet are discussed in detail from different perspectives, and special considerations are given to routing security and resilience. A few nove...
In order to guarantee secure operation of Network 2030s inter-domain infrastructure, we pursue a systematic design approach in this chapter. This systematic approach starts with concretizing the security properties that the network infrastructure should fulfill. In particular, we identify improved trust, path control, source authentication, and ava...
Many systems today rely heavily on virtual private network (VPN) technology to connect networks and protect their services on the Internet. While prior studies compare the performance of different implementations, they do not consider adversarial settings. To address this gap, we evaluate the resilience of VPN implementations to flooding-based deni...
In various contexts of networking research, end-host path selection has recently regained momentum as a design principle. While such path selection has the potential to increase performance and security of networks, there is a prominent concern that it could also lead to network instability (i.e., flow-volume oscillation) if paths are selected in a...
Network traffic measurement keeps track of the amount of traffic sent by each flow in the network. It is a core functionality in applications such as traffic engineering and network intrusion detection. In high-speed networks, it is impossible to keep an exact count of the flow traffic, due to limitations with respect to memory and computational sp...
In various contexts of networking research, end-host path selection has recently regained momentum as a design principle. While such path selection has the potential to increase performance and security of networks, there is a prominent concern that it could also lead to network instability (i.e., flow-volume oscillation) if paths are selected in a...
We present F-PKI, an enhancement to the HTTPS public-key infrastructure that gives trust flexibility to both clients and domain owners while giving certification authorities (CAs) means to enforce stronger security measures. In today's web PKI, all CAs are equally trusted, and security is defined by the weakest link. We address this problem by intr...
To address the raising demand for strong packet delivery guarantees in networking, we study a novel way to perform graph resource allocation. We first introduce allocation graphs, in which nodes can independently set local resource limits based on physical constraints or policy decisions. In this scenario we formalize the distributed path-allocatio...
The current state of security and availability of the Internet is far from being commensurate with its importance. The number and strength of DDoS attacks conducted at the network layer have been steadily increasing. However, the single path (SP) routing used in today’s Internet lacks a mitigation scheme to rapidly recover from network attacks or l...
Path-aware networks (PANs) are emerging as an intriguing new paradigm with the potential to significantly improve the dependability and efficiency of networks. However, the benefits of PANs can only be realized if the adoption of such architectures is economically viable. This paper shows that PANs enable novel interconnection agreements among auto...
With the meteoric rise of the QUIC protocol, the supremacy of TCP as the de facto transport protocol underlying web traffic will soon cease. HTTP/3, the next version of the HTTP protocol, will not support TCP. Current website-fingerprinting literature has ignored the introduction of this new protocol to all modern browsers. In this work, we investi...
By delegating path control to end-hosts, future Internet architectures offer flexibility for path selection. However, a concern arises that the distributed routing decisions by endhosts, in particular load-adaptive routing, can lead to oscillations if path selection is performed without coordination or accurate load information. Prior research has...
To address the rising demand for strong packet delivery guarantees in networking, we study a novel way to perform graph resource allocation. We first introduce allocation graphs, in which nodes can independently set local resource limits based on physical constraints or policy decisions. In this scenario we formalize the distributed path-allocation...
Current probabilistic flow-size monitoring can only detect heavy hitters (e.g., flows utilizing 10 times their permitted bandwidth), but cannot detect smaller overuse (e.g., flows utilizing 50-100% more than their permitted bandwidth). Thus, these systems lack accuracy in the challenging environment of high-throughput packet processing, where fast-...
By delegating path control to end-hosts, future Internet architectures offer flexibility for path selection. However, there is a concern that the distributed routing decisions by end-hosts, in particular load-adaptive routing, can lead to oscillations if path selection is performed without coordination or accurate load information. Prior research h...
By delegating path control to end-hosts, future Internet architectures offer flexibility for path selection. However, there is a concern that the distributed routing decisions by end-hosts, in particular load-adaptive routing, can lead to oscillations if path selection is performed without coordination or accurate load information. Prior research h...
Byzantine fault tolerant protocols enable state replication in the presence of crashed, malfunctioning, or actively malicious processes. Designing such protocols without the assistance of verification tools, however, is remarkably error-prone. In an adversarial environment, performance and flexibility come at the cost of complexity, making the veri...
User authentication can rely on various factors (e.g., a password, a cryptographic key, and/or biometric data) but should not reveal any secret information held by the user. This seemingly paradoxical feat can be achieved through zero-knowledge proofs. Unfortunately, naive password-based approaches still prevail on the web. Multi-factor authenticat...
Path selection by selfish agents has traditionally been studied by comparing social optima and equilibria in the Wardrop model, i.e., by investigating the Price of Anarchy in selfish routing. In this work, we refine and extend the traditional selfish-routing model in order to answer questions that arise in emerging path-aware Internet architectures...
Path selection by selfish agents has traditionally been studied by comparing social optima and equilibria in the Wardrop model, i.e., by investigating the Price of Anarchy in selfish routing. In this work, we refine and extend the traditional selfish-routing model in order to answer questions that arise in emerging path-aware Internet architectures...
Several "NewSpace" companies have launched the first of thousands of planned satellites for providing global broadband Internet service. The resulting low-Earth-orbit (LEO) constellations will not only bridge the digital divide by providing service to remote areas, but they also promise much lower latency than terrestrial fiber for long-distance ro...
Is it possible to design a packet-sampling algorithm that prevents the network node that performs the sampling from treating the sampled packets preferentially? We study this problem in the context of designing a "network-transparency" system. In this system, networks emit receipts for a small sample of the packets they observe, and a monitor colle...
The lack of transparency for Internet communication prevents effective mitigation of today's security threats: i) Source addresses cannot be trusted and enable untraceable reflection attacks. ii) Malicious communication is opaque to all network entities, except for the receiver; and although ISPs are control points that can stop such attacks, effec...
User authentication can rely on various factors (e.g., a password, a cryptographic key, biometric data) but should not reveal any secret or private information. This seemingly paradoxical feat can be achieved through zero-knowledge proofs. Unfortunately, naive password-based approaches still prevail on the web. Multi-factor authentication schemes a...
The ability to quickly revoke a compromised key is critical to the security of a public-key infrastructure. Regrettably, most certificate revocation schemes suffer from latency, availability, or privacy issues. The problem is exacerbated by the lack of a native delegation mechanism in TLS, which increasingly leads domain owners to engage in dangero...
Is it possible to design a packet-sampling algorithm that prevents the network node that performs the sampling from treating the sampled packets preferentially? We study this problem in the context of designing a "network-transparency'' system. In this system, networks emit receipts for a small sample of the packets they observe, and a monitor coll...
Is it possible to design a packet-sampling algorithm that prevents the network node that performs the sampling from treating the sampled packets preferentially? We study this problem in the context of designing a "network transparency'' system. In this system, networks emit receipts for a small sample of the packets they observe, and a monitor coll...
Internet users today have few solutions to cover a large space of diverse privacy requirements. We introduce the concept of privacy domains, which provide flexibility in expressing users' privacy requirements. Then, we propose three privacy services that construct meaningful privacy domains and can be offered by ISPs. Furthermore, we illustrate tha...
The Internet will undergo a major transformation as satellite-based Internet service providers start to disrupt the market. Constellations of hundreds to thousands of satellites promise to offer low-latency Internet to even the most remote areas. We anticipate exciting business and research opportunities.
Motivated by the potential of the new satel...
Monitoring software of low-end devices is a key part of defense in depth for IoT systems. These devices are particularly susceptible to memory corruption vulnerabilities because the limited computational resources restrict the types of countermeasures that can be implemented. Run-time monitoring therefore is fundamental for the security of these de...
This paper describes BlockPKI, a blockchain-based public-key infrastructure that enables an automated, resilient, and transparent issuance of digital certificates. Our goal is to address several shortcomings of the current TLS infrastructure and its proposed extensions. In particular, we aim at reducing the power of individual certification authori...