Research Interests
My interest lies in networking, security, and distributed
systems. My latest work has focused on new designs for the future
of the Internet. In particular, I am interested in creating an
addressing scheme which can help us move away from a separate DNS
infrastructure while also providing flexibility for future
address space expansion and advanced services, such as host
mobility and anycasting.
I work in the Networking
Research Group with my research advisor, Professor
Minaxi Gupta.
Publications
Book Chapters
- Minaxi Gupta, Craig A. Shue, "Spoofing and Countermeasures," book chapter in Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft, edited by Jakobsson and Myers, published by Wiley, ISBN: 0-471-78245-9, 2006.
Journal Articles
- Craig A. Shue, Minaxi Gupta, Matthew P. Davy, "Packet Forwarding with Source Verification," Computer Networks, vol. 52, issue 8, pages 1567-1582, Jun. 2008.
Routers in the Internet do not perform any verification of the source IP address contained in the packets, leading to the possibility of IP spoofing. The lack of such verification opens the door for a variety of vulnerabilities, including denial-of-service (DoS) and man-in-the-middle attacks. Currently proposed spoofing prevention approaches either focus on protecting only the target of such attacks and not the routing fabric used to forward spoofed packets, or fail under commonly occurring situations like path asymmetry. With incremental deployability in mind, this paper presents two complementary hop-wise packet tagging approaches that equip the routers to drop spoofed packets close to their point of origin. Our simulations show that these approaches dramatically reduce the amount of spoofing possible even under partial deployment.
Conferences and Workshops
- Craig A. Shue, Andrew J. Kalafut, Minaxi Gupta, "Exploitable Redirects on the Web: Identification, Prevalence, and Defense," USENIX Workshop on Offensive Technologies (WOOT), Jul. 2008.
Web sites on the Internet often use redirection. Unfortunately, without additional security, many of the redirection links can be manipulated and abused to mask phishing attacks. In this paper, we prescribe a set of heuristics to identify redirects that can be exploited. Using these heuristics, we examine the prevalence of exploitable redirects present in today's Web. Finally, we propose techniques for Web servers to secure their redirects and for clients to protect themselves from being misled by manipulated redirects.
- Craig A. Shue, Andrew J. Kalafut, Minaxi Gupta, "The Web is Smaller than it Seems," ACM/USENIX Internet Measurement Conference (IMC), San Diego, CA, Oct. 2007.
The Web has grown beyond anybody's imagination. While significant research has been devoted to understanding aspects of the Web from the perspective of the documents that comprise it, we have little data on the relationship among servers that comprise the Web. In this paper, we explore the extent to which Web servers are co-located with other Web servers in the Internet. In terms of the location of servers, we find that the Web is surprisingly smaller than it seems. Our work has important implications for the availability of Web servers in case of DoS attacks and blocklisting.
- Craig A. Shue, Minaxi Gupta, "Projecting IPv6 Forwarding Characteristics Under Internet-wide Deployment," ACM SIGCOMM 2007 IPv6 Workshop, Kyoto, Japan, Aug. 2007.
While routing table growth, its impact, and its causes have been examined extensively for IPv4, little work in this direction exists for IPv6. This paper is a first step toward examining the performance aspects of IPv6 packet forwarding. We do so by using a software implementation of various packet forwarding algorithms used by routers and running them against IPv6 tables. In the absence of a wide deployment of IPv6, we generate IPv6 routing entries based on IAB allocation recommendations. We simulate growth of routing tables due to new prefix allocations and under partial deployment scenarios. Additionally, we consider factors that inflate routing table sizes artificially. These include load balancing, multi-homing, and failure to aggregate aggregatable prefixes. We conclude that if modern routers were to simply replace their IPv4 prefixes with an equivalent number of IPv6 prefixes, without changing anything else, an average lookup in the routing table would be 67% more expensive. Further, the IPv6 routing table would require at least 4.5 times more memory to store the same number of prefixes.
- Craig A. Shue, Minaxi Gupta, Steven A. Myers, "IPSec: Performance Analysis and Enhancements," IEEE International Conference on Communications, Glasgow, Scotland, June 2007.
Internet Protocol Security (IPSec) is a widely deployed mechanism for implementing Virtual Private Networks (VPNs). In previous work, we examined the overheads incurred by an IPSec server in a single client setting. In this paper, we extend that work by examining the scaling of a VPN server in a multiple client environment and by evaluating the effectiveness of connection credential caching. Motivated by the potential benefits of caching, we also propose a cryptographically secure cache resumption protocol for IPSec connections to reduce the connection establishment overheads.
- Craig A. Shue, Minaxi Gupta, "Packet Forwarding: Name-based Vs. Prefix-Based," IEEE Global Internet Symposium, Anchorage, AK, May 2007.
Using domain names for routing, instead of IP prefixes, has the potential to address many of the core outstanding issues in today's Internet. To initiate research in that direction, this paper compares the performance of name-based routing in the core of the Internet with that of IPv4 routing. Our analysis concludes that name-based routing is well within the scope of feasibility.
- Jonathan Mills, Matt Parker, Bryce Himebaugh, Craig A. Shue, Brian Kopecky, Chris Weilemann, "'Empty Space' Computes: The Evolution of an Unconventional Supercomputer," ACM International Conference on Computing Frontiers, May 2006.
Lee A. Rubel defined the extended analog computer to avoid the limitations of Shannon's general purpose analog computer. Partial differential equation solvers were a "quintessential" part of Rubel's theoretical machine. These components have been implemented with "empty space," or VLSI circuits without transistors, as well as conductive plastic. For the past decade research at Indiana University has explored the design and applications of extended analog computers. The machines have become increasingly sophisticated and flexible. The "empty" computational area is devoted to solving partial differential equations. The rest of the space includes fuzzy logic elements, configuration memory and input/output channels. This paper describes the theoretical definition, architecture and implementation of these unconventional computers. Two parallel applications are described in detail. Rubel's model can be viewed as an abstract specification for a distributed supercomputer. We close with a description of an inexpensive 64-node processor that was designed using our current single processor. The next step is to return to VLSI with an improved understanding of the architecture -- and seek computation speeds approaching trillions of partial differential equations per second.
- Craig A. Shue, Youngsang Shin, Minaxi Gupta, Jong Youl Choi, "Analysis of IPSec Overheads for VPN Servers," IEEE ICNP's NPSec Workshop, Boston, MA, Nov. 2005.
Internet Protocol Security (IPSec) is a widely deployed mechanism for implementing Virtual Private Networks (VPNs). This paper evaluates the performance overheads associated with IPSec. We use Openswan, an open source implementation of IPSec, and measure the running times of individual security operations and also the speedup gained by replacing various IPSec components with no-ops. The main findings of this study include: VPN connection establishment and maintenance overheads for short sessions could be significantly higher than those incurred while transferring data, and cryptographic operations contribute 32-60% of the total IPSec overheads.
Posters
- Craig A. Shue, Minaxi Gupta, "Freeing the Internet from the DNS," Indiana University Computer Science and Informatics Poster Session, Bloomington, IN, Mar. 2007.
- Craig A. Shue, Minaxi Gupta, "Spoofing Resistant Packet Routing," Poster at IEEE International Conference on Networking Protocols (ICNP), Nov. 2005.
Technical Reports
- Craig A. Shue, Joshua Hursey, Arun Chauhan, "MPI over Scripting Languages: Usability and Performance Tradeoffs," IUCS Technical Report TR631, Feb. 2006.
We present a comparative study of two popular implementations that make the MPI available on MATLAB: MatlabMPI and MPI-TB. We evaluate their performance through micro-benchmarks on a high-performance Linux cluster and compare those to their corresponding implementations on Octave as well as to the LAM/MPI library accessed through a C API. We have discovered that there are significant performance advantages to using an implementation of the MPI that utilizes highly tuned libraries built for high-speed interconnects, such as Myrinet. However, a price must be paid in terms of higher installation and setup times and a more complicated API.
We conclude that even though there are advantages to using the MPI within a high-level scripting language, such as MATLAB or Octave, there are important philosophical differences between the programming models of scripting languages and a relatively low-level communication library interface, such as the MPI. This points to the need for a more sophisticated long-term support for parallel programming from the language compiler and runtime system.
- Craig A. Shue, Brian Kopecky, Chris Weilemann, "Denial of Service Attack Detection Using Extended Analog Computers," IUCS Technical Report TR624, Jan. 2006.
Denial of Service (DoS) attacks, a damaging assault on computer networking infrastructure, have been extensively examined by the digital computing community. However, no work has been done to examine the ability of Extended Analog Computers (EAC) to detect DoS attacks. In this paper, we discuss how EACs could be used in DoS detection.