Tamper Resistant Network Tracing

Andrew G. Miklas, Stefan Saroiu (University of Toronto), Alec Wolman
(Microsoft Research), and Angela Demke Brown (University of Toronto)

Summary: Raw traces have privacy implications. Trace anonymization is used to
alleviate this. However, until the raw trace is deleted, it presents a
vulnerability. The attack considered is that the raw data is subpoenaed.

Online anonymization is more resistant, but it imposes immense
processing requirements, especially if you need to parse the packets
online.

The solution combines the good of offline and online mechanisms. The
design relies on an IVM (Inaccessible VM) that contains the raw trace
and provides no interactive access, and on encryption using a temporary
key that is kept in volatile memory. An accompanying VM (e.g. DomU)
uses a one-way pipe from the IVM; disk serves as a buffer.
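
An added sketch (not the authors' prototype) of the property this design aims for: raw records reach the disk buffer only as ciphertext under a memory-only key, only anonymized records leave, and losing the key strands whatever is still buffered. The names `InaccessibleVM`, `capture`, `drain` and `power_off` are hypothetical, the HMAC-based keystream is a standard-library stand-in for a real cipher, and keyed-hash pseudonyms for source IPs are an assumed anonymization policy.

```python
import hashlib, hmac, os

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode) so the example runs
    # on the standard library; a real system would use an AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class InaccessibleVM:
    """Hypothetical model of the IVM: raw records touch disk only encrypted."""
    def __init__(self):
        self._key = os.urandom(32)       # temporary key, held in memory only
        self._anon_key = os.urandom(32)  # keyed-hash secret for pseudonyms
        self.disk = []                   # simulated on-disk buffer (ciphertext)

    def capture(self, src_ip: str, payload_len: int) -> None:
        nonce = os.urandom(16)
        raw = f"{src_ip},{payload_len}".encode()
        self.disk.append(nonce + _keystream_xor(self._key, nonce, raw))

    def drain(self):
        """One-way output: decrypt, anonymize, emit; raw data never leaves."""
        if self._key is None:
            raise RuntimeError("temporary key lost; buffered raw trace is unrecoverable")
        out = []
        while self.disk:
            rec = self.disk.pop(0)
            src_ip, length = _keystream_xor(self._key, rec[:16], rec[16:]).decode().split(",")
            pseud = hmac.new(self._anon_key, src_ip.encode(), hashlib.sha256).hexdigest()[:12]
            out.append((pseud, int(length)))
        return out

    def power_off(self) -> None:
        # Models loss of volatile memory: both secrets are gone.
        self._key = self._anon_key = None

def demo():
    ivm = InaccessibleVM()
    # Constructed sample records (documentation-range addresses).
    for ip, n in [("192.0.2.10", 1500), ("192.0.2.11", 40), ("192.0.2.10", 64)]:
        ivm.capture(ip, n)
    on_disk = b"".join(ivm.disk)
    anonymized = ivm.drain()
    ivm.capture("192.0.2.12", 100)   # still buffered when the machine loses power
    ivm.power_off()
    return on_disk, anonymized, ivm
```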

Andrew also described a prototype and the performance that was
observed. 

Q & A:

Q: What is the debugging process?

A: You capture a fresh error. If the anonymization process is obfuscating some
systematic errors, then there may be a problem.

Q: What if the court orders you not to turn off the machine?

A: Even if the machine is up, data cannot be accessed.

Q: Aren't packet traces and wire-taps illegal, as pointed out in a recent IMC
paper?

A: Constantine Dovrolis clarified that the law is more complex than
that.

Q: Some universities require inspection of the anonymization code.

A: The output of this system can be tested and verified.

Q: Are you gaining anything in particular from using virtualization?
Could you not run on a separate machine?

A: That is another way to do it; we did it because we wanted to do it on one
machine.

Q: Will you end up in trouble for not keeping the data?

A: No, my understanding is that you cannot get in trouble for that.
Dave Clark concurred.