[Bro] Re: Bug on Anon.cc

Jose M. Gonzalez chema at cs.berkeley.edu
Sat Sep 10 17:53:50 PDT 2005


FYI, the IP anonymizer code in mode PREFIX_PRESERVING_MD5 didn't do 
what it was supposed to do. Such mode is based on "On the Design and 
Performance of Prefix-Preserving IP Traffic Trace Anonymization", by 
Xu et al (IMW 2001), where it is suggested to anonymize 
X=x_0...x_{n-1} as X'=x'_0...x'_{n-1}, where:
	x_i' = x_i ^ f_{i-1}, 
	f_{i-1} = LSB(HK(PAD(x_0 ... x_{i-1}), hashkey))
	LSB: least significant bit function
	HK: cryptographic hash function (using hashkey)
	PAD(x_0 ... x_{i-1}) = x_0 ... x_{i-1} 0 ... 0

Two bugs in the old code: (a) it used addresses in network order, so 
prefixes didn't make too much sense. (b) it did the hash of an 8-byte 
struct composed of the prefix length and the input, instead of the 
prefix of the input (4 bytes). 

I also added some comments explaining the function. 
 
-Chema

PS: The patch didn't include context. I enclose a context patch. 

I wrote:
> Hi,
> 
> I think I found a bug in the IP anonymizer code, more concretely in 
> the PREFIX_PRESERVING_MD5 mode (well, considering that the anonymized 
> addresses do not preserve prefixes, I'd say it is a bug). I include 
> a patch. 
> 
> -Chema
> 

-------------- next part --------------
Index: Anon.cc
===================================================================
RCS file: /home/portnoy/u2/src/projects/bro/src/Anon.cc,v
retrieving revision 1.1
diff -u -r1.1 Anon.cc
--- Anon.cc	14 Jul 2004 20:15:39 -0000	1.1
+++ Anon.cc	11 Sep 2005 00:43:04 -0000
@@ -99,24 +99,36 @@
 	return output;
 	}
 
+/*
+ * this code is from "On the Design and Performance of Prefix-Preserving 
+ * IP Traffic Trace Anonymization", by Xu et al (IMW 2001)
+ * 
+ * http://www.imconf.net/imw-2001/proceedings.html
+ */
 ipaddr32_t AnonymizeIPAddr_PrefixMD5::anonymize(ipaddr32_t input)
 	{
 	uint8 digest[16];
 	ipaddr32_t prefix_mask = 0xffffffff;
+	input = ntohl(input);
 	ipaddr32_t output = input;
 
 	for ( int i = 0; i < 32; ++i )
 		{
-		prefix.len = 32 - i;
-		prefix.prefix = input & prefix_mask;
+		/* PAD(x_0 ... x_{i-1}) = x_0 ... x_{i-1} 0 ... 0 */
+		prefix.len = 31 - i;
+		prefix.prefix = input & ~(prefix_mask>>prefix.len);
 
-		hmac_md5(sizeof(prefix), (u_char*)(&prefix), digest);
+		/* HK(PAD(x_0 ... x_{i-1})) */
+		hmac_md5(sizeof(prefix.prefix), (u_char*)(&prefix.prefix), digest);
 
+		/* f_{i-1} = LSB(HK(PAD(x_0 ... x_{i-1}))) */
 		ipaddr32_t bit_mask = (digest[0] & 1) << i;
+
+		/* x_i' = x_i ^ f_{i-1} */
 		output ^= bit_mask;
 		}
 
-	return output;
+	return htonl(output);
 	}
 
 AnonymizeIPAddr_A50::~AnonymizeIPAddr_A50()
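Review bot: with prefix.len dropped from the hashed bytes, the hash input is only the zero-padded prefix, so PAD(x_0 ... x_{i-1}) and PAD(x_0 ... x_i) are the identical 32-bit value whenever x_i is 0; for any run of zero bits in the input the same digest bit f is then XORed into every output position of that run (an address whose low 24 bits are zero gets low output bits that are all 0 or all 1). The removed 8-byte struct avoided this by hashing the length as well; consider keeping `prefix.len` in the hashed buffer (in a fixed byte order) or padding with a key-derived pad instead of zeros. Separately, `hmac_md5(sizeof(prefix.prefix), (u_char*)(&prefix.prefix), digest)` now hashes a host-order integer after the added `input = ntohl(input)`, so the anonymized mapping differs between big- and little-endian hosts; convert the prefix back to network order (or otherwise fix its byte order) before hashing.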


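The scheme described in the message (x_i' = x_i ^ f_{i-1}, with f_{i-1} the least significant bit of a keyed MD5 over the zero-padded prefix) as a self-contained Python example, added here; it is not Bro's Anon.cc code. Besides the anonymizer it includes a check of the property the message is about: two inputs share exactly as many leading bits as their two outputs do. The key and the sample addresses are constructed for the demo.

```python
"""Prefix-preserving IPv4 anonymization following the formula in the message:
    x_i' = x_i ^ f_{i-1},  f_{i-1} = LSB(HMAC-MD5(key, PAD(x_0 ... x_{i-1})))
where PAD zero-fills the bits after the prefix.  Added example, not Bro's code."""
import hashlib
import hmac
import ipaddress

# Constructed demo key; a real deployment draws the hashkey from a secret source.
DEMO_KEY = b"demo-hashkey-not-secret"


def anonymize(addr: str, key: bytes = DEMO_KEY) -> str:
    """Return the anonymized dotted-quad for `addr` under `key`."""
    x = int(ipaddress.IPv4Address(addr))   # integer form: x_0 is bit 31
    out = 0
    for i in range(32):
        # PAD(x_0 ... x_{i-1}): keep the i most significant bits, zero the rest.
        keep = (0xFFFFFFFF << (32 - i)) & 0xFFFFFFFF
        padded = x & keep
        # HK(PAD(...)): keyed MD5; the prefix is serialized big-endian so the
        # mapping does not depend on the host's byte order.
        digest = hmac.new(key, padded.to_bytes(4, "big"), hashlib.md5).digest()
        f = digest[0] & 1                  # LSB of the digest
        x_i = (x >> (31 - i)) & 1
        out |= (x_i ^ f) << (31 - i)       # x_i' = x_i ^ f_{i-1}
    return str(ipaddress.IPv4Address(out))


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading bits two IPv4 addresses share (0..32)."""
    diff = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 if diff == 0 else 32 - diff.bit_length()


def prefix_preserving(addrs, key: bytes = DEMO_KEY) -> bool:
    """True if every pair of inputs shares exactly as many leading bits as
    the corresponding pair of anonymized outputs."""
    anon = {a: anonymize(a, key) for a in addrs}
    return all(
        common_prefix_len(a, b) == common_prefix_len(anon[a], anon[b])
        for a in addrs
        for b in addrs
    )


if __name__ == "__main__":
    sample = ["10.0.0.1", "10.0.0.2", "10.0.1.1", "10.1.0.0", "192.168.1.1"]
    for a in sample:
        print(a, "->", anonymize(a))
    print("prefix-preserving:", prefix_preserving(sample))
```

The property holds because, for two inputs sharing k leading bits, the padded prefixes and therefore the flip bits f are identical for the first k positions, and at position k the inputs differ while f is still the same. Note one consequence of zero padding as written in the message: PAD for lengths i and i+1 coincide whenever x_i is 0, so the same f is applied to each position of a zero run; hashing the prefix length along with the prefix, or padding with a key-derived pad, gives every length a distinct hash input.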