Security and Vulnerability of PING
Presented By: Raquel S. Whittlesey-Harris
10/30/02

Contents
I. Introduction
II. PING Protocol
III. The PING Adversary
IV. Security of PING
V. Vulnerability of PING
VI. Preventing DoS Attacks
VII. Summary
VIII. References
11/18/2018
I. Introduction
Recent Denial of Service (DoS) attacks on the Internet have been made possible by exploiting vulnerabilities in the PING protocol. Two questions have been raised as a result:
- Is the PING protocol secure?
- Can the PING protocol be made secure enough to prevent DoS attacks?
I. Introduction
Three concepts from convergence theory (closure, convergence and protection) are used to answer these questions and to show that PING is actually secure.
Convergence: let p be a program that consists of a set of variables and a finite set of processes. Each process consists of a finite set of actions of the form
  <guard> → <statement>
where the guard is a Boolean expression over the program variables, and the statement updates zero or more program variables and always terminates upon execution.
I. Introduction
A state of p is defined by a value for each variable of p. A state predicate S of p is a Boolean expression over the variables of p. If S evaluates to true at some state, the state predicate is said to hold at that state.
An action is enabled at a state iff its guard holds at that state. A process is enabled at a state iff some action in the process is enabled at that state.
Define: S is closed in p iff for each action B → st in each process of p, executing st starting from a state where B ∧ S holds results in a state where S holds.
I. Introduction
Define: if S and T are state predicates of p, then T converges to S in p iff
- S is closed in p,
- T is closed in p, and
- in each computation of p starting at any state where T holds, there exists a state where S holds.
PING, however, is not secure enough to prevent DoS attacks. Techniques that can safeguard computer systems from this type of attack are briefly addressed.
I. Introduction
PING is described in a version of Abstract Protocol Notation. Each process is defined by a set of constants, a set of variables, a set of parameters and a set of actions. The example below shows process p, where p and q are processes connected by two channels (pq and qp).
- Constants have fixed values.
- Variables of p can be read and updated by the actions of process p.
- Each action is of the form <guard> → <statement>. A guard is either
  - a Boolean expression over the constants and variables of p,
  - a receive guard of the form rcv <message> from q, or
  - a timeout guard that contains a Boolean expression over the constants and variables of every process and the contents of the two channels.
I. Introduction
Each parameter is used to write a finite set of actions as one action, with one action for each possible value of the parameter. For example, the definitions
  var x : 0 .. n-1
  par i : 0 .. n-1
and the action
  x = i → x := x + i
are shorthand for
  x = 0 → x := x + 0 [] … [] x = n-1 → x := x + n-1
Execution of actions of different processes in a protocol proceeds according to three rules:
- An action is executed only when its guard is true.
- The actions in a protocol are executed one at a time.
- An action whose guard is continuously true is eventually executed (progress).
Execution of an action of process p can cause a message to be sent to process q. Messages sent from p to q remain in the channel until each is eventually received by q or lost. The messages in a channel form a set and are received or lost one at a time, in any order, not necessarily the order in which they were sent.
II. PING Protocol
PING (Packet Internet Groper protocol) allows a computer to test whether a specified computer on the Internet is running. The following shows the sequence of the test in the cases where p receives a reply from q and where p does not receive a reply.
II. PING Protocol
In the last two cases shown above, p is unable to determine whether q is up or down. p stores the test results in a local Boolean array named up, declared as
  var up : array [0..n-1] of Boolean
where n is the number of computers being tested.
II. PING Protocol
If up[i] is true at the end of a test session, then q was up at some time during this session. If up[i] is false at the end of the test session, then no firm conclusion can be reached about the state of q during the session.
II. PING Protocol
p places a random id into the echo request sent to computer i to ensure that an echo reply corresponds to an echo request. p checks whether the id[i] in the erply(id[i]) message received from q matches the id[i] it sent in its erqst(id[i]) message to q for that session. If the ids match, p accepts the message and sets the corresponding element up[i] to true; if not, the message is discarded. The process for testing is defined below.
II. PING Protocol
Three actions are defined for p:
- In the first action, p is no longer waiting for any erply(id[i]) messages from the last session with q[i]. The next session is started by selecting a new random id[i] and sending the maximum number (cmax) of echo requests to process q[i].
- In the second action, p receives an erply(id[i]) message from some process q[i] and decides whether to accept or discard the message. If accepted, up[i] is set to true.
- In the third action, p has timed out waiting: p has not received any erply(id[i]) message from q[i], so p sets wait[i] to false to end the session.
II. PING Protocol
The process for a computer q[i] being tested in the PING protocol is presented to the top right. Input up describes the current state of q[i]; for simplicity, assume that the value of up remains constant. Only one action is defined for process q: q[i] receives an echo request erqst(x) from p and either sends an echo reply erply(x) to p (if up is true) or discards the message (if up is false).
The state transition diagram (STD) for PING, with three nodes, is shown to the bottom right. Each node represents a set of states of the PING protocol. Each node v is labeled with the state predicate S.v.i, which is true at every state of node v. The three state predicates in the STD are defined as
  S.0.i = ¬wait[i] ∧ B.i = 0 ∧ C.i = 0
  S.1.i = wait[i] ∧ B.i > 0 ∧ C.i = 0 ∧ X.i ∧ Y.i
  S.2.i = wait[i] ∧ B.i = 0 ∧ C.i = 0 ∧ Y.i
II. PING Protocol
The directed edges in the STD represent executions of actions:
- edge S.0.i → S.1.i: the 1st action of process p;
- edge S.1.i → S.2.i: the 2nd action of p;
- edge S.2.i → S.0.i: either execution of the action in q[i], execution of the 2nd action in p, or the loss of a message from one of the two channels.
III. The PING Adversary
A WEAK adversary
- can insert a finite number of erqst(x) messages into the channel from p to a q[i], and
- can insert a finite number of erply(x) messages into the channel from a process q[i] to process p.
The ids inserted into these messages differ from the identifiers of the current session and of any future session. p will discard any erply(id[i]) it receives from the adversary. Any message with an id[i] that differs from the current or a future session's id[i] is considered an adversary message (Adv).
III. The PING Adversary
A STRONG adversary may convince p that q[i] is up by sending an erply(x) with an x equal to the current or a future session's id[i].
The PING protocol in its current design can overcome the activities of a weak adversary, which keeps the protocol simple and efficient. An STD describing the activities of the PING protocol and a weak adversary is presented below. Three additional nodes are defined to the bottom right. B.i, C.i, X.i and Y.i are defined as above.
III. The PING Adversary
Predicate U.v.i is identical to the corresponding S.v.i except that the conjunct C.i = 0 in S.v.i is replaced by the conjunct C.i > 0 in U.v.i.
- Edges labeled "Adv" represent an adversary action: one or more adversary messages are inserted into some channel(s).
- Edges labeled "u" represent an execution of some protocol action in which an adversary message is either received by q[i] (and another adversary message is sent from q[i] to p), or received by p (and discarded).
The state predicate Y.i holds at every S.2.i state and every U.2.i state regardless of adversary involvement: Y.i holds at the end of every session between p and q[i] of the PING protocol.
IV. Security of PING
To show that PING is secure against a weak adversary:
- P is partitioned into safe states and unsafe states,
- the critical variables are identified (the variables that need to be protected from the actions of adversary D), and
- the conditions of closure, convergence and protection must be shown to hold.
IV. Security of PING
Closure: the set of safe states is closed under any execution of a P action, and the set of reachable states (defined as the union of the safe state set and the unsafe state set) is closed under any execution of a P or D action.
- No action executed by P will result in an unsafe state.
- Any action executed by D will result in a state in the set of defined safe and unsafe states.
IV. Security of PING
Convergence: starting from any unsafe state, any infinite execution of P actions leads P to safe states.
- Any sequence of P actions from an unsafe state eventually leads to a defined safe state.
IV. Security of PING
Protection (the diagram shows a P action taking the critical variables from V to V'):
  s(V) --p--> s'(V')
If an execution of a P action starting at an unsafe state s changes the values of the critical variables (CV) of P from V to V', then there is a safe state s' such that the values of the CV in s' equal V, and execution of the same action starting at s' changes the values of the critical variables of P from V to V'. The values V' do not violate the safety of P.
IV. Security of PING
Safe states of the PING protocol are specified by the state predicate S.i, where
  S.i = S.0.i ∨ S.1.i ∨ S.2.i
Unsafe states of PING are specified by the state predicate U.i, where
  U.i = U.0.i ∨ U.1.i ∨ U.2.i
Reachable states of PING are specified by the state predicate S.i ∨ U.i.
Array up in P is the only critical variable specified in PING.
IV. Security of PING
Satisfying closure:
- From STD1, the set of safe states is closed under any execution of an action of PING.
- From STD2, the set of reachable states is closed under any execution of an action of PING.
Satisfying convergence: the following conditions hold.
- No adversary message is added to the channel from p to a q[i].
- Each adversary message in a channel from p to a q[i] is eventually discarded (if up = false in q[i]) or replaced by another adversary message in the channel from q[i] to p (if up = true in q[i]).
- Each adversary message in a channel from a q[i] to p is eventually discarded, because its id[i] value does not match.
IV. Security of PING
Satisfying protection: starting from an unsafe state s, the value of array up is changed in p only by the action in which p receives an erply(x) from q[i] with x = id[i]. Since the ids match, this erply is not an adversary message, and up[i] in p is set to true. Let s' be the state obtained from s by removing all adversary messages that exist in s. From STD2, s' is a safe state. Message erply(x) is still in the channel from q[i] to p in s', so p will execute the receive of erply(x) from s' and will set up[i] to true, as required.
IV. Security of PING
PING is not secure against a STRONG adversary. Start from an unsafe state s in which a strong adversary D has inserted messages with id[i] equal to the current session identifier:
- D inserts erply(x), with x = id[i], into the channel from q[i] to p;
- q[i]'s input value is up = false;
- p receives erply(x) and sets up[i] = true.
No action execution starting at any safe state changes the value of element up[i] in p from false to true, so the protection condition does not hold.
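An executable model of the weak- and strong-adversary arguments above, added here as an example (not code from the paper or the slides). It assumes channels are lists consumed in random order, cmax = 3, and that p resets up[i] to false when a session starts; ids are 32-bit random values.

```python
import random
class Ping:
    """Constructed model of PING processes p and q[i] (added example, not the paper's code)."""
    def __init__(self, n, up_q, cmax=3):
        self.up_q = list(up_q)                   # q[i]'s input up, assumed constant
        self.up = [False] * n                    # critical variable in p
        self.wait, self.id, self.cmax = [False] * n, [0] * n, cmax
        self.pq = [[] for _ in range(n)]         # channel p -> q[i]: ("erqst", x)
        self.qp = [[] for _ in range(n)]         # channel q[i] -> p: ("erply", x)

    def start_session(self, i):
        # 1st action of p: fresh random id[i], cmax echo requests (up[i] reset is assumed)
        self.wait[i], self.up[i] = True, False
        self.id[i] = random.getrandbits(32)
        self.pq[i] += [("erqst", self.id[i])] * self.cmax

    def q_action(self, i):
        # only action of q[i]: erqst(x) is answered with erply(x) iff up, else discarded
        while self.pq[i]:                        # messages are taken in any order
            _, x = self.pq[i].pop(random.randrange(len(self.pq[i])))
            if self.up_q[i]:
                self.qp[i].append(("erply", x))

    def p_receive(self, i):
        # 2nd action of p: accept erply(x) only while waiting and x == id[i]
        while self.qp[i]:
            _, x = self.qp[i].pop(random.randrange(len(self.qp[i])))
            if self.wait[i] and x == self.id[i]:
                self.up[i] = True

def weak_adversary(ping, i):
    # ids differ from id[i] of this and any later session, so p discards every reply
    bogus = (ping.id[i] + 1) & 0xFFFFFFFF
    ping.pq[i] += [("erqst", bogus)] * 5
    ping.qp[i] += [("erply", bogus)] * 5

def strong_adversary(ping, i):
    # knows the session id: a single erply(id[i]) makes p believe q[i] is up
    ping.qp[i].append(("erply", ping.id[i]))

def run_session(ping, i, adversary=None):
    # one session: start, optional injection, q[i] acts, p receives, p times out
    ping.start_session(i)
    if adversary:
        adversary(ping, i)
    ping.q_action(i)
    ping.p_receive(i)
    ping.wait[i] = False                         # 3rd action of p: timeout
    return ping.up[i]
```

With q[i] down, the weak adversary leaves up[i] false (its replies are discarded), while the strong adversary flips up[i] to true, which no safe-state execution could do.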
V. Vulnerability of PING
- The closure condition states that the unsafe states (U.i) are the furthest the adversary can lead the protocol away from its safe states (S.i).
- The convergence condition states that when the adversary stops inserting adversary messages into the channels, PING eventually converges from its current unsafe state to the safe states.
- The protection condition states that while PING is in its unsafe states, the critical array up in p is updated as if the protocol were in a safe state.
V. Vulnerability of PING
While PING can handle attacks from weak adversaries in the sense above, it is still vulnerable to a weak adversary: if an adversary inserts a large number of adversary messages into the channels, the processes become busy processing and eventually discarding those messages and are unable to perform other services. This is called a Denial of Service (DoS) attack.
The only way to secure against DoS attacks is to prevent the adversary messages from reaching the protocol processes, which requires detection and discarding of adversary messages.
VI. Preventing DoS Attacks
Routers in the Internet need to be modified to perform the tasks of detection and discarding: detect and discard any message with an incorrect source address. This may be achieved using two complementary mechanisms:
- Ingress filtering: a router that receives a message, supposedly from an adjacent host H, forwards the message only if the source address recorded in the message is that of H.
- Hop integrity: a router that receives a message, supposedly from an adjacent router R, forwards the message only after it checks that the message was indeed sent by R.
VI. Preventing DoS Attacks
Soft firewalls can also be used as another mechanism for detecting and discarding adversary messages. A soft firewall for p is another process fp that satisfies the following conditions:
- Output observation: each message p intends for q is first sent to fp before it is forwarded to q.
- Input observation: each message from q intended for p is first sent to fp before it is forwarded to p.
- Input filtering: fp maintains a coarse image of the local state of p, and uses the image to detect and discard any inappropriate message intended for p from any other process or adversary.
VI. Preventing DoS Attacks
A possible implementation of an fp for p: fp maintains one bit w as a coarse state for array wait in p.
- Whenever fp receives an erqst(x) message from p intended for q[i], fp sets w = 1.
- fp keeps w = 1 for one minute after it received the last erqst(x) from p, then sets w = 0.
- Whenever fp receives an erply(x) message for p, fp checks w and forwards the erply(x) to p only if w = 1.
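The one-bit soft firewall described above, added here as an example (not code from the paper or the slides). Messages are assumed to be ("erqst", x) / ("erply", x) tuples, and the clock is injected as a function so the one-minute hold can be exercised deterministically.

```python
class SoftFirewall:
    """Constructed model of a soft firewall fp for p (added example, not the paper's code).
    w is a coarse image of p's wait array; HOLD is the slide's one-minute timer."""
    HOLD = 60.0

    def __init__(self, now):
        self.w = 0                 # 1 while p may still be waiting for a reply
        self.last_erqst = None     # time fp last saw an erqst(x) from p
        self.now = now             # injected clock: function returning seconds
        self.dropped = 0           # replies discarded before reaching p

    def _refresh(self):
        # w falls back to 0 one minute after the last erqst(x) seen from p
        if self.w == 1 and self.now() - self.last_erqst >= self.HOLD:
            self.w = 0

    def from_p(self, msg):
        # output observation: every message p sends to q[i] passes through fp first
        kind, _ = msg
        if kind == "erqst":
            self.w, self.last_erqst = 1, self.now()
        return msg                 # forwarded on toward q[i]

    def to_p(self, msg):
        # input observation + filtering: erply(x) reaches p only while w = 1
        self._refresh()
        kind, _ = msg
        if kind == "erply" and self.w == 0:
            self.dropped += 1      # p has no session open, so the reply is junk
            return None            # discarded; p never spends time on it
        return msg                 # forwarded to p
```

Because the image is coarse, fp only checks whether a session may be open; it does not compare x against id[i], so replies carrying a matching id during a live session still reach p.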
VII. Summary
- PING is a secure protocol against weak adversaries; this was shown by demonstrating protocol closure, convergence and protection.
- PING is insecure against strong adversaries. Modification of routers can prevent such attacks with an added layer of protection that validates source addresses.
- PING and other communication protocols are vulnerable to DoS attacks. Soft firewalls or router modifications (ingress filtering and hop integrity) can reduce the penetration of these attacks by detecting adversary messages and discarding them before they reach PING.
VIII. References
Gouda, M.G., Huang, C., Arora, A.: On the Security and Vulnerability of PING.
Arora, A., Gouda, M.G.: Closure and Convergence: A Foundation for Fault-Tolerant Computing. IEEE Transactions on Software Engineering, Vol. 19, No. 3 (1993) 1015-1027.