Evandro's Thesis Clone in English
Rec 15-mar-2007 08:30
While Googling around yesterday, I stumbled on Daniel Susid's master's thesis, titled "An evaluation of network based sniffer detection; Sentinel". It struck me as almost an English version of Evandro Hora's thesis: both cover the same theme, namely remote sniffer detection. Despite different methodologies and drastically different writing styles, they both reach the same conclusion: remote sniffer detection tools don't work.
Having been written in 1999, Evandro's thesis came first. However, it's in Portuguese and I don't even know whether there's an online version. You can find an ultra-condensed version of it as a paper published in SSI'2001.
Susid's thesis is from 2004; however, being in English, it's accessible to a much wider audience. I found the institution particularly interesting: the Department of Informatics of the School of Economics and Commercial Law at the University of Göteborg. A commercial law school sounds to me like an unusual place for an infosec master's thesis.
The story behind Evandro's thesis is full of interesting twists. The presentation lecture was a bizarre show. Evandro was heavily criticized by the invited panel judge, Prof. Paulo Lício. It was shocking to see Evandro, known for his wit and sharp tongue, stammering in search of words to reply.
After the lecture, having recovered from the experience and already bearing the title of Master, Evandro remarked:
-- "I now know why this is called a thesis defense."
-- "Why, Evandro?", I asked, frowning.
-- "Because they attack!"
I could even agree with some of the criticisms relating to the presentation, methodology or writing. But that day it also became clear to me how detached from reality Brazilian academia can be: Prof. Paulo Lício stated that a sniffer would be useless in a switched Ethernet network because the switch would only forward frames to the ports of the source and destination machines, preventing the eavesdropper from intercepting anything. Nothing could be further from the truth: in IP-over-Ethernet networks there's a classic attack called "ARP spoofing" that allows an attacker on the same LAN segment, under pretty general conditions, to convince the victims to send her their traffic, no matter what the switch does or doesn't do with the frames (as long as the switch itself doesn't inspect ARP traffic, which it normally doesn't).
At the time I was shocked to see a Ph.D. say such nonsense. On further reflection I saw that, in a strict logical sense, he wasn't totally wrong; he recited what theory preaches, but put too much faith in it. He ignored a small detail from the real world: the switch doesn't exist alone in the Universe. Above it lies the network layer, typically IP, and between those two layers sits an adaptation protocol, ARP, which maps IP addresses to Ethernet MAC addresses. ARP has no authentication whatsoever: a host simply believes whoever claims to own an address, and that turns out to be the vulnerable spot.
Far be it from me, however, to throw the first stone: despite conscious effort against it, I can easily remember many occasions where I said stupid things, either because I didn't know what I was talking about, because I didn't consider the issue on a larger scale, or out of sheer impulsiveness.
This incident was one among many inspirations that drove me, years later and together with Prof. João Gondim from UNB, to write a scientific paper about how to detect ARP spoofing attacks on switched Ethernet networks (see also the extended version). In that work we give a thorough presentation of the ARP spoofing attack and of our experience using some attack tools, which is essential in order to propose methods for detecting it. The paper won the SSI'2003 Best Paper Award, whose committee chair was none other than Prof. Paulo Lício.
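To make both halves of the story concrete (the attack on ARP described above, and the detection problem the SSI'2003 paper addresses), here is an added example of my own; it is not code from either thesis or from the paper. It builds raw Ethernet/ARP frames in memory instead of sniffing a live interface, so it runs offline, and it uses a minimal passive monitor in the style of arpwatch: remember the first IP-to-MAC binding seen for each address and alert when a later ARP packet claims a different MAC for the same IP, or when the Ethernet source address disagrees with the ARP sender hardware address. All MAC and IP addresses are made up for the demonstration.

```python
"""Constructed ARP frames plus a minimal passive ARP-spoofing monitor.

Added example, not from the thesis or the SSI'2003 paper. Addresses below
are hypothetical; frames are built in memory rather than captured."""
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6


def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    """'10.0.0.1' -> 4 raw bytes in network order."""
    return ipaddress.IPv4Address(s).packed


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return str(ipaddress.IPv4Address(b))


def build_arp(op, sha, spa, tha, tpa, eth_src=None):
    """Ethernet II + ARP (IPv4 over Ethernet) frame, 42 bytes, no padding.

    eth_src allows a frame whose Ethernet source differs from the ARP sender
    hardware address, which some spoofing tools produce."""
    eth_src = sha if eth_src is None else eth_src
    eth_dst = BROADCAST if op == ARP_REQUEST else tha
    eth = eth_dst + eth_src + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "eth_src": frame[6:12],
        "sha": frame[22:28], "spa": frame[28:32],
        "tha": frame[32:38], "tpa": frame[38:42],
    }


class ArpMonitor:
    """Passive arpwatch-style detector.

    Keeps the first IP->MAC binding seen for each IP and alerts when an ARP
    packet (request or reply) later claims a different MAC for that IP."""

    def __init__(self, trusted=None):
        # Seeding with known-good bindings (e.g. the gateway) avoids trusting
        # whichever host happens to speak first, which might be the attacker.
        self.bindings = dict(trusted or {})

    def observe(self, frame):
        alerts = []
        p = parse_arp(frame)
        if p is None:
            return alerts
        if p["eth_src"] != p["sha"]:
            alerts.append(("hw-addr-mismatch", ip_str(p["spa"]),
                           mac_str(p["eth_src"]), mac_str(p["sha"])))
        known = self.bindings.get(p["spa"])
        if known is None:
            self.bindings[p["spa"]] = p["sha"]
        elif known != p["sha"]:
            alerts.append(("binding-change", ip_str(p["spa"]),
                           mac_str(known), mac_str(p["sha"])))
        return alerts


# Hypothetical hosts on one LAN segment (constructed sample data).
GATEWAY_MAC, GATEWAY_IP = mac("00:11:22:33:44:01"), ip("10.0.0.1")
VICTIM_MAC, VICTIM_IP = mac("00:11:22:33:44:02"), ip("10.0.0.2")
ATTACKER_MAC = mac("00:11:22:33:44:ee")


def demo():
    """Victim resolves the gateway, the gateway answers, then the attacker
    sends a forged reply claiming the gateway's IP. Returns one alert list
    per frame observed."""
    frames = [
        build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, b"\x00" * 6, GATEWAY_IP),
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    ]
    mon = ArpMonitor()
    return [mon.observe(f) for f in frames]


if __name__ == "__main__":
    for i, alerts in enumerate(demo()):
        print(f"frame {i}: {alerts or 'ok'}")
```

The third frame is the whole attack: nothing in it is malformed, the switch forwards it to the victim's port exactly as it should, and the victim's ARP cache now points the gateway's IP at the attacker. The monitor only catches it because it remembered the earlier, genuine binding; if the attacker's forged reply had been the first thing seen, a purely passive first-seen approach would have learned the wrong binding, which is why the `trusted` seed (or an active probe of the claimed MAC) matters in practice.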
Thus, despite not having been widely read, Evandro's thesis did have some interesting consequences, and years before its English clone.