I am a PhD student at the University of California San Diego (UCSD), working with Aaron Schulman, Geoff Voelker, and Stefan Savage.
Research Interests
Internet Measurement | Security | Privacy | Networking
Current Projects
DNS Interception
While working on Trufflehunter, we discovered that some of our queries were getting intercepted
before they could arrive at the resolver we sent them to. Furthermore, the responses we received were
spoofed to look like they had come from the query's original destination. The responses were not
otherwise changed: this interception is transparent from the point of view of the users. Upon
investigation, we discovered the culprit: our own Customer Premises Equipment (CPE), also known as
a home router. We conducted a measurement study to find out if this interception happens anywhere else,
and if so, where in the network the interceptors are located. Our results were published at IMC 2021 in
a short paper entitled Home is Where the Hijacking Is: Understanding DNS Interception by Residential Routers.
Bounce Tracking
Some browsers, such as Safari, Firefox, and Brave, are moving towards blocking
third-party tracking cookies by default. Trackers have responded by developing
new techniques for tracking users between websites. For example, say a tracker
wishes to track a user from website A to website B. The tracker can manipulate the link
on A that points to B, by stuffing a user identifier into a
query parameter in the link when it is clicked. The tracker could also redirect
the link: instead of taking the user directly to site B, the link redirects from site A
to site "track.com" to site B. Visiting "track.com" as a top level frame allows
the tracker to set a cookie in a first party context. This redirection-based technique is called
"bounce tracking." During an internship with Brave Software, we
crawled the web to measure the prevalence of bounce tracking and query stuffing.
This work is currently ongoing.
Blockchain DNS
Traditional DNS relies on centralized entities (registries and registrars) that control
who can purchase domain names. These entities have the power to remove domain names from
zone files and prevent them from being accessed. Due to a perception that this power
can lead to censorship, "blockchain DNS" has arisen as a censorship-proof alternative
to traditional DNS. In blockchain DNS, DNS records are stored within various blockchains,
which means no central organization has the ability to remove them. Unfortunately,
this arrangement has proven attractive to malware authors, who use blockchain DNS to record
the records of their command and control servers. By some estimates, the majority of
domains in some DNS-supporting blockchains are associated with malware. We intend to study this ecosystem and
present possible solutions to the rampant abuse. This work is ongoing.
Selected Past Projects
Trufflehunter
Certain phenomena on the Internet, such as the prevalence of
stalkerware, contract cheating services, or phishing domains, are
difficult to measure because of their sensitive and rare natures. However,
all of these phenomena are visible within the Domain Name System. With the
rise of public DNS resolvers such as Google Public DNS, Cloudflare DNS
OpenDNS, and Quad9, a new opportunity has arisen to study the
prevalence of such occurrences using DNS cache sniffing. Cache sniffing on
public resolvers, in contrast to previous work published on small,
misconfigured open resolvers, can yield far more information, while at the
same time preserving privacy. However, public resolvers have complex and
unique caching behaviors that also make cache sniffing far more difficult.
We studied the caching strategies of four public DNS resolvers and
present a method for using DNS cache sniffing on each of them. We then built a tool, Trufflehunter, to
estimate the popularity of the aforementioned applications, which is difficult to measure by other means. This work was published at IMC 2020.
Network Hygiene
Common security advice includes injunctions such as "Update your operating system," "run antivirus," and "change your passwords frequently."
However, there isn't much information available about if this advice actually lowers a user's chances of getting infected by malware.
Working with a unique network vantage point, we measured the correlations between user behaviors and infection rates
to see what behavioral factors are actually likely to get you owned online. This work was published at IMC 2019.
