SeaK: Rethinking the Design of a Secure Allocator for OS Kernel
Zicheng Wang, Yicheng Guang, et al.
USENIX Security 2024
The Domain Name System Security Extension (DNSSEC) leverages public-key cryptography to provide data integrity, source authentication, and denial of existence for DNS responses. To complement DNSSEC operations, DNSSEC Look-Aside Validation (DLV) is designed for alternative off-path validation. Although DNS privacy attracts a lot of attention, the privacy implications of DLV are not fully investigated and understood. In this paper, we take a first in-depth look into DLV, highlighting its lax specifications and privacy implications. By performing extensive experiments over datasets of domain names under comprehensive experimental settings, our findings firmly confirm the privacy leakages caused by DLV. We discover that a large number of domains that should not be sent to DLV servers are being leaked. We explore the root causes, including the lax specifications of DLV. We also propose two approaches to fix the privacy leakages. Our approaches require trivial modifications to the existing DNS standards, and we demonstrate their cost in terms of latency and communication.
Zicheng Wang, Yicheng Guang, et al.
USENIX Security 2024
Aziz Mohaisen, Zhongshu Gu, et al.
PAC 2017
Chad Spensky, Aravind MacHiry, et al.
DSN 2021
Kexin Pei, Zhongshu Gu, et al.
ACSAC 2016