Fighting Spam May Be Easier Than You Think

Cynthia DworkMicrosoft Research SVC

2

Why?

Huge problemIndustry: costs in worker attention, infrastructure

Individuals: increased ISP fees

Hotmail: huge storage costs, (was?) 65-85%

FTC: fraud, confidence crimes

Ruining e-mail, devaluing the Internet

3

Principal Techniques Filtering

Everyone: text-based Brightmail: decoys; rules updates Microsoft Research: (seeded) trainable filters SpamCloud: collaborative filtering SpamCop, Osirusoft, etc: IP addresses, proxies, …

Make Sender Pay Computation [Dwork-Naor’92; Back’97] Human Attention [Naor’96, SRC patent] Money [Gates’96] and Bonds [Vanquish]

4

Outline The Computational Approach (“puzzles”)

Overview; economic considerations Burrows’ suggestion: memory-bound functions Social and Technical issues

Turing Tests Architectures

Point-to-Point & AmanuensisCentralized Ticket Server

Deeper Discussion of Memory-Bound Functions3 Approaches and Small-Space CryptanalysesNew Proposal (joint with A. Goldberg and M. Naor)

5

Computational Approach

If I don’t know you:Prove you spent ten seconds CPU time,

just for me, and just for this message

User Experience:Automatically and in the backgroundChecking proof extremely easy

All unsolicited mail treated equally

6

Economics (80,000 s/day) / (10s/message) = 8,000 msgs/day

Hotmail’s billion daily spams: 125,000 CPUs Up front capital cost just for HM: circa $150,000,000

The spammers can’t afford it.

7

Who Are the Spammers?

"Most of the spammers are not wealthy people," said Stephen Kline, a lawyer for the New York State attorney general's office.

8

9

Who Are the Spammers? Spamhaus ROKSO 100/90% Circa 300 people total; very top few spammers

make a few million/year (F. Krueger, SMN; also, see the recent articles about Alan Ralsky)

Comparison: FastClick, with 30% of popunder market, has profit of $2 mil/yr (income of $4 mil/yr)

Biggest publicly traded company: eUniverse ($6 mil profit); list of 108 “good” names

Hit ratio: 10-6 to 10-5

10

Cryptographic Puzzles

Hard to compute; f(S,R,t,nonce) can’t be amortizedlots of work for the sender

Easy to check “z = f(S,R,t,nonce)”little work for receiver

Parameterized to scale with Moore's Laweasy to exponentially increase computational cost, while

barely increasing checking cost

Can be based on (carefully) weakened signature schemes, hash collisions

Can arrange a “shortcut” for post office

11

Burrows’ Suggestion CPU speeds vary widely across machines, but

memory latencies vary much less (10+ vs 4)

So: design a puzzle leading to a large number of cache misses

12

Social Issues

Who chooses f?One global f? Who sets the price?

Autonomously chosen f’s?

How is f distributed (ultimately)?Global f built into all mail clients? (1-pass)

Directory? Query-Response? (3-pass)

13

Technical Issues Distribution Lists (!)

Awkward Introductory PeriodOld versions of mail programs; bounces

Very Slow/Small-Memory MachinesCan implement “post office” (CPU), but:

Who gets to be the Post Office? Trust?

Cache Thrashing (memory-bound)

The Subverters

14

Turing Tests: Payment in Kind [N’96;SRC] CAPTCHAs (Completely Automated Public T. test

for telling Computers and Humans Apart)Defeat automated account generation

5-10% drop in subscription rate

Teams of conjectured-humans (8-hour shifts)

Yes: Distorted images of simple word

No: ``Find 3 words in image with multiple overlapping images of words''

Others: subject classification, audio

M. Blum: people have done preprocessing

15

Social and Technical Issues Social (especially in enterprise setting)

ADA, S.508 (blind, dyslexic) Not ``professional'' Productivity cost: context switch (may be mitigated in

architecture supporting pre-computation) Wrong direction: we should offload crap onto machines

Technical No theory; if broken, can’t scale. Idrive, AltaVista, broken [J] EZ Gimpy (Yahoo!) broken [M+]

16

Turing Test Economic Issues Human time in poor country has roughly

same cost as computer time (even if 8/5 wk) Also need computer, but it can be slow, cheap10s same ballpark as some Turing tests

Suppose we’re wrong about cost (a few hundredths of a cent), and really the price should be 1 cent1-cent challenge costs 2 minutes. No one not

being paid would dream of submitting to this.

17

Cycle Stealing Stealing cycles from humans: Pornography companies

require random users to solve a CAPTCHA before seeing the next image [vABL]

Worse for computational challenges

Economics: lots of currency means currency is devalued. Prices go up.

There are lots of cycles, but anyone can buy them. Can go into business brokering cycles.

18

Point-to-Point Architecture

(Ideal Message Flow)Single-pass “send-and-forget”Can augment with amanuensis to handle slow machinesCan add post office / pricing authority to handle money paymentsTime mostly used as nonce for avoiding replays (cache tags, discard

duplicates; time controls size of cache)

Sender client

S

Sender client

S

Recipient client

R

Recipient client

R

m, f(S,R,t,nonce)

19

Here to There (and There’)

Three e-mail messages R’s mail client caches m, S, R, t, nonce Bounce (viral marketing opportunity)

html attachment with Java Script for f contains parameters for f (S, R, t,nonce)clicking on link causes computation, sending e-mail(optional) link for download of client software

Ignorant Sender

S

Ignorant Sender

S

Spam-Protected

Recipient

R

Spam-Protected

Recipient

R

m

bouncebounce

release mrelease m

20

Point-to-Point: Issues Social

Senders trust code (transition period)?

(Who gets to be a pricing authority?)

TechnicalNo pre-computation possible (slow machines)

Function update requires new download

Sender’s browser must be configured for sending e-mail (transition period)

21

Remark: Web-Based Mail Computation done by client (applet or

JavaScript)

Verification and safelist checking done by server

22

(Ideal Message Flow)

Ticket kit = (#, puzzle)

Ticket = (#, response) Any payment method Tickets may be accumulated in

advance (pre-computation). Useful if price is high.

Refunds (not shown) Centralization eases updates

Ticket Server [ABBW]

Sender

RecipientServer

Ticket Server

GetTicket

Kit

HTTP

MSG + TicketSMTP

HTTP TicketOK?

1,2

4,5

3

23

Social and Technical Issues Social

Who gets to be a ticket server? Trust? Privacy?

Federation?

Trust code (transition period)

TechnicalComplex; 5 flows (7 with refund)

T may be on different continent than S, R

Target of choice for subverters

24

Memory-Bound Functions [ABMW’02]

Devilish model! assume cache size (of spammer’s big

machine) is half the size of memory (of weakest sending machine)

must avoid exploitation of locality, cache lines (factors of 64 or even 16 matter)

watch out for low-space crypto attacks

25

Meet in Middle (eg, using DES)Input: x, y partially specified K1, K2

Output: K1, K2

Si = {keys consistent with Ki }

Create table T with all EK1(x), (so |T| = |S1|)

8 K2 2 S2:

compute z=(EK2)-1 (y)

check if z 2 T

Optimism: need lots of space to store T; won’t fit in cache; hard to generate the z’s in useful order

DES

DES

x

y

K1

K2

26

Analysis of Meet-in-the-Middle Tradeoff: cache size c < |S1| yields time

proportional to |S1|¢|S2|/c with no cache misses

Sequentiality attacks [AB]: Once T is prepared, cache-sized blocks can be loaded sequentially.

Luck: challenge may be resolved in cache. Example: if c = |S1|/4 then there is a ¼ chance of resolution with no further cache misses once the cache has been loaded with the first block of T.

27

Subset Sum Input: Random 2k-bit numbers a1, … , a2k, T

Output: subset of ai’s summing to T mod 22k

Optimism:LLL lattice basis reduction dynamic programming: simultaneously O(2k)

time and space

Analysis: killed by Schroeppel and Shamir,

Simultaneous T=O(2k), S=O(2k/2)

28

Easy Functions [ABMW’02]

(simplified construction) f: n bits to n bits, easy Given xk 2 range(f(k)), find a

pre-image with certain properties

Hope: best solved by building table for f-1 and working back from xk

Choose n=22 so f -1 fits in small memory, but not in cache

Optimism: xk is root of tree of expected size k2

29

Analysis of Easy Functions Vulnerable to T/S tradeoffs for inverting

functions [Hellman; Fiat-Naor]TS2 = O(N2)cpuf

Cost of inverting f without memory accesses is only O(4) times cost of computing f (S=N/2); no cache misses!

As clock speeds increase, must increase cpuf

30

Interpretation: Easy-Function challenges are cpu-bound, but

their structure (the cpu-avoiding, table-lookup method) dampens the effect of Moore’s Law.

Verifier’s costs increase with Moore’s Lawk ¢ cpuf cycles

31

Our Approach

The sender makes a sequence of random memory accesses and sends a proof of having done so to the receiver, who needs a small number of accesses for verification. The memory access pattern leads to many cache misses, making the computation memory-bound.

How to generate random-looking access pattern?

What is an easily verifiable proof?

32

High Level Description Shared array of random numbers T A path is a sequence of inherently sequential

accesses to T Sender must search a set S of paths to find a

desired path Process is message/recipient dependent Sender sends a proof of finding desired path to

receiver, who must verify Ratio of sender/receiver work is S

33

Incompressibility and RC4 Big (222) Fixed-Forever Truly Random T

Model walk on prg of RC4 stream cipher

Intuition: Use the pr bit stream (seeded by message) to choose

entries of T to access.

These, in turn, affect the stream (defending against pre-processing to order T so as to exploit locality).

34

RC4 (Partial Description)

Initialize A to pseudo-random permutation of {1, 2, …, 256} using a seed K

Initialize Indices:i = 0; j = 0

PR generation loop:i = i + 1

j = j + A[i]

Swap (A[i], A[j]);

Output z = A[A[i] + A[j]]

35

DGN: Initializing A and Basic Step Fixed-Forever truly

random A of size 256; 32-bit words

Given m and trial number i, compute strong cryptographic 256-word mask M.

Set A = M © A.

c = A mod 222

Initialize Indices:d=0; e=0

Walk:d = d + 1

e = e + A[d]

A[d] = A[d] © T[c]

Swap (A[d], A[e])

c = T[c] © A[A[e] + A[d]]

36

Side by SideGenerate pseudo-

random permutation of {1, 2, …, 256} using a seed K

Fixed-Forever truly random A of size 256; 32-bit words

Given m and trial number i, compute strong cryptographic 256-word mask M.

Set A = M © A.

c = A mod 222

37

Side by Side Initialize Indices:

i = 0; j = 0

PR generation loop:i = i + 1

j = j + A[i]

Swap (A[i], A[j])

Output z = A[A[i]+A[j]]

Initialize Indices: d=0; e=0

Walk:d = d + 1

e = e + A[d]

A[d] = A[d] © T[c]

Swap (A[d], A[e])

c = T[c] © A[A[e] + A[d]]

38

Full DGN

E: factor by which computation cost exceeds verification

L: length of walk

Trial i succeeds if hash of A after ith walk ends in 1+log2E zeroes (expected number of trials is E).

Verification: trace the walk (L memory accesses)

39

Parallel Attack [ABMW] Process many paths in parallel; do

memory accesses in sorted order to take advantage of cache lines

Say attack succeeds if the number of occupied cache lines is ¾ the number of parallel paths (ie, reduce #lines by 1/3)

Probabilistic analysis shows attack needs over 217 paths, but only 214 different A’s fit into 16MB cache

40

Parameters

Want ELt=10s, whereL = path length

t = memory latency = 0.2 microseconds

Reasonable choices: E = 24,000, L = 2048

41

Intuition for Why it Works

Fight tradeoffs using incompressible T

Fight preprocessing of T by using message+trial dependent A in computing walk

Fight preprocessing of A by modifying using T

Fight locality: choice of E and trial-dependence of A

Good statistics for walks by analogy with statistics for heavily-studied RC4 (?)

42

Lower Bound for Abstract Version

General formal model

Abstraction of our algorithm using idealized hash functions

Proof that amortized number of cache misses is linear in desired number

43

Summary

Discussed computational approach, Turing tests, economics, cycle-stealing

Briefly mentioned two architectures

Examined difficulties of constructing memory-bound pricing functions and proposed a new one designed to avoid these difficulties

Lower bounds for idealization.

44

Future Work and Open Questions

Stanford undergrads just completed simple Outlook proxy and Unix filters; web-based implementation in progress; next steps: handle bounces, add signatures

Distribution Lists

Good MB functions with short descriptions (will subset product work)?