Skip directly to content

Minimize RSR Award Detail

Research Spending & Results

Award Detail

Doing Business As Name:University of New Mexico
  • Jedidiah Crandall
  • (505) 417-8207
Award Date:07/23/2014
Estimated Total Award Amount: $ 458,033
Funds Obligated to Date: $ 473,870
  • FY 2015=$15,837
  • FY 2014=$458,033
Start Date:08/01/2014
End Date:07/31/2017
Transaction Type:Grant
Awarding Agency Code:4900
Funding Agency Code:4900
CFDA Number:47.070
Primary Program Source:040100 NSF RESEARCH & RELATED ACTIVIT
Award Title or Description:TWC: Small: Developing Advanced Digital Forensic Tools Based on Network Stack Side Channels
Federal Award ID Number:1420716
DUNS ID:868853094
Parent DUNS ID:784121725
Program:Secure &Trustworthy Cyberspace
Program Officer:
  • Thyagarajan Nandagopal
  • (703) 292-4550

Awardee Location

Street:1700 Lomas Blvd. NE, Suite 2200
Awardee Cong. District:01

Primary Place of Performance

Organization Name:University of New Mexico
Cong. District:01

Abstract at Time of Award

This project is developing the next generation of network measurement tools for penetration testers, digital forensics experts, and other cybersecurity professionals who sometimes need to know more about the Internet or a specific network. It is developing techniques based on TCP/IP side channel inferences, where it is possible to infer something about a remote machine's view of the network based on the use of shared, limited resources. Because of this, the tools being developed as part of this project are able to overcome fundamental limitations of existing tools such as traceroute and nmap. For example, traceroute cannot detect tunnels along a path because it can only see the network from the perspective of the machine on which traceroute is running, whereas the methods being developed here can infer maximum transmission units bidirectionally at every hop and thus provide some information about potential tunnels. This is important because criminals often use tunnels to hide their illicit online activities. The research team plans to release all tools developed by this project under an open source license, so that there will be a paradigm shift in how cybersecurity practitioners conduct their jobs. TCP/IP side channels have the potential to change the science of Internet and network measurement in a fundamental way.

Publications Produced as a Result of this Research

Note: When clicking on a Digital Object Identifier (DOI) number, you will be taken to an external site maintained by the publisher. Some full text articles may not yet be available without a charge during the embargo (administrative interval).

Some links on this page may take you to non-federal websites. Their policies may differ from this site.

Roya Ensafi, Philipp Winter, Abdullah Mueen, Jedidiah R. Crandall "Analyzing the Great Firewall of China Over Space and Time" Proceedings on Privacy Enhancing Technologies (PoPETs), v.1, 2015, p.61. doi:10.1515/popets-2015-0005 

Roya Ensafi, Philipp Winter, Abdullah Mueen, Jedidiah R. Crandall "Analyzing the Great Firewall of China Over Space and Time" Proceedings on Privacy Enhancing Technologies (PoPETs), v.1, 2015, p.61. doi:10.1515/popets-2015-0005 

Project Outcomes Report


This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

A fundamental limitation of Internet measurement is that in order to measure the Internet between two points, A and B, you have to be at A or at B.  This is very limiting, for example, in measurements of Internet censorship where A may be a server that researchers have no special access to and B can be any client in a given country, but for reasons of scale or risk the researchers have no volunteers in that country to perform the measurement to see if A is censored in that country.


This research project challenged the basic assumption that you can't measure the Internet in places where you don't have measurement machines.  By developing off-path measurement techniques based on TCP/IP side channels, we made it possible to measure the Internet from the perspective of virtually any machine.  This is accomplished by spoofing packets to A from B (or vice versa) and then analyzing resource usage and other information flows within A or B to make inferences about their interactions with one another.


We developed techniques for off-path measurement of TCP/IP reachability (with applications to measuring Internet censorship), round-trip times (with applications in geolocation, which is important for digital forensics, malware analysis, and Internet censorship research), and hidden machines behind firewalls (with applications to penetration testing).  We also engaged the research community in a discussion about the ethics of these measurements and their alternatives.


Also as part of our research into network forensics, we assessed the security and privacy properties of several pieces of software from a variety of vendors.  For example, we demonstrated:


  • flaws in the design and implementation of end-to-end cryptography for many applications, including a messaging application that is heavily used by at-risk users (e.g., journalists and activists) in Asia
  • privacy violations by three of the most-used web browsers in the world
  • man-in-the-middle attacks on the update mechanisms of several programs, some of them very widely used
  • a TCP/IP side channel in the Linux operating system, which is used by the majority of servers on the Internet, that enabled an off-path attacker to count the packets any server on the Internet sent to any client (and therefore perform traffic analysis, violating privacy)

The project also supported many middle school and high school outreach activities, the development of educational technologies (including Werewolves, a game that teaches cybersecurity), and PI Crandall's involvement with Net Alerts, a site that targets at-risk populations, such as journalists and activists, with easy-to-understand materials about threats to their online freedoms:

The project produced one Ph.D.'s (Roya Ensafi, now on the faculty at the University of Michigan), as well as one Bachelor's Honors Thesis (Benjamin Mixon-Baca, now a Ph.D. student at the Univ. of New Mexico).  Three more Ph.D. students involved with the project are expected to defend their dissertations within the next two semesters.  Several undergraduates involved with the project are now in graduate school, including Danny Adams, a McNair Scholar who is now in the Ph.D. program in Computer Science at Cornell University.


Last Modified: 10/28/2017
Modified by: Jedidiah Crandall

For specific questions or comments about this information including the NSF Project Outcomes Report, contact us.