Leveraging State Information for Automated Attack Discovery In Transport Protocol Implementations Samuel Jero, Hyojeong Lee, and Cristina Nita-Rotaru Purdue.

Slides:



Advertisements
Similar presentations
Martin Suchara, Ryan Witt, Bartek Wydrowski California Institute of Technology Pasadena, U.S.A. TCP MaxNet Implementation and Experiments on the WAN in.
Advertisements

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
Remote Procedure Call (RPC)
1 Transport Protocols & TCP CSE 3213 Fall April 2015.
Computer Networks Transport Layer. Topics F Introduction (6.1)  F Connection Issues ( ) F TCP (6.4)
CCNA – Network Fundamentals
Chapter 7: Transport Layer
CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
Chapter 7 – Transport Layer Protocols
1 TCP CSE May TCP Services Flow control Connection establishment and termination Congestion control 2.
The War Between Mice and Elephants LIANG GUO, IBRAHIM MATTA Computer Science Department Boston University ICNP (International Conference on Network Protocols)
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 1 v3.0 Module 11 TCP/IP Transport and Application Layers.
William Stallings Data and Computer Communications 7 th Edition (Selected slides used for lectures at Bina Nusantara University) Transport Layer.
WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
Gursharan Singh Tatla Transport Layer 16-May
What Can IP Do? Deliver datagrams to hosts – The IP address in a datagram header identify a host IP treats a computer as an endpoint of communication Best.
Chapter 16 Stream Control Transmission Protocol (SCTP)
TRANSPORT LAYER T.Najah Al-Subaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.
Lect3..ppt - 09/12/04 CIS 4100 Systems Performance and Evaluation Lecture 3 by Zornitza Genova Prodanoff.
1 Transport Layer Computer Networks. 2 Where are we?
ISO Layer Model Lecture 9 October 16, The Need for Protocols Multiple hardware platforms need to have the ability to communicate. Writing communications.
Presentation on Osi & TCP/IP MODEL
1 Chapter Client-Server Interaction. 2 Functionality  Transport layer and layers below  Basic communication  Reliability  Application layer.
1 Semester 2 Module 10 Intermediate TCP/IP Yuda college of business James Chen
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 7: Transport Layer Introduction to Networking.
10/1/2015 9:14 PM1 TCP in Mobile Ad-hoc Networks ─ Split TCP CSE 6590.
CS540/TE630 Computer Network Architecture Spring 2009 Tu/Th 10:30am-Noon Sue Moon.
1 Version 3.0 Module 11 TCP Application and Transport.
26-TCP Dr. John P. Abraham Professor UTPA. TCP  Transmission control protocol, another transport layer protocol.  Reliable delivery  Tcp must compensate.
CS332, Ch. 26: TCP Victor Norman Calvin College 1.
University of the Western Cape Chapter 12: The Transport Layer.
Section 5: The Transport Layer. 5.2 CS Computer Networks John Mc Donald, Dept. of Computer Science, NUI Maynooth. Introduction In the previous section.
Transport Layer: UDP, TCP
TCP1 Transmission Control Protocol (TCP). TCP2 Outline Transmission Control Protocol.
CCNA 1 v3.0 Module 11 TCP/IP Transport and Application Layers.
1 TCP: Reliable Transport Service. 2 Transmission Control Protocol (TCP) Major transport protocol used in Internet Heavily used Completely reliable transfer.
CSE679: Computer Network Review r Review of the uncounted quiz r Computer network review.
Chapter 15 – Part 2 Networks The Internal Operating System The Architecture of Computer Hardware and Systems Software: An Information Technology Approach.
High-speed TCP  FAST TCP: motivation, architecture, algorithms, performance (by Cheng Jin, David X. Wei and Steven H. Low)  Modifying TCP's Congestion.
1 TCP - Part II Relates to Lab 5. This is an extended module that covers TCP data transport, and flow control, congestion control, and error control in.
Chapter 24 Transport Control Protocol (TCP) Layer 4 protocol Responsible for reliable end-to-end transmission Provides illusion of reliable network to.
1 Client-Server Interaction. 2 Functionality Transport layer and layers below –Basic communication –Reliability Application layer –Abstractions Files.
Improving TCP Performance over Wireless Networks
Transmission Control Protocol (TCP) BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.
1 Transport Layer: Basics Outline Intro to transport UDP Congestion control basics.
4343 X2 – The Transport Layer Tanenbaum Ch.6.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 16 Stream Control Transmission.
1 Computer Communication & Networks Lecture 23 & 24 Transport Layer: UDP and TCP Waleed Ejaz
Data Communications and Networks Chapter 6 – IP, UDP and TCP ICT-BVF8.1- Data Communications and Network Trainer: Dr. Abbes Sebihi.
TCP/IP1 Address Resolution Protocol Internet uses IP address to recognize a computer. But IP address needs to be translated to physical address (NIC).
Process-to-Process Delivery:
1 Ad-hoc Transport Layer Protocol (ATCP) EECS 4215.
UDP: User Datagram Protocol. What Can IP Do? Deliver datagrams to hosts – The IP address in a datagram header identify a host – treats a computer as an.
Fast Retransmit For sliding windows flow control we waited for a timer to expire before beginning retransmission of a packet TCP uses an additional mechanism.
Process-to-Process Delivery, TCP and UDP protocols
Long-haul Transport Protocols
PART 5 Transport Layer Computer Networks.
Chapter 6: Transport Layer (Part I)
TCP - Part II Relates to Lab 5. This is an extended module that covers TCP flow control, congestion control, and error control in TCP.
Automated Attack Discovery in TCP Congestion Control using a Model-guided Approach Samuel Jero1, Endadul Hoque2, David Choffnes3, Alan Mislove3, and Cristina.
Chapter 6 The Transport Layer The Transport Service & Elements of Transport Protocols.
Dr. John P. Abraham Professor UTPA
Dr. John P. Abraham Professor UTPA
CPEG514 Advanced Computer Networkst
Leveraging Textual Specifications for Grammar-based Fuzzing of Network Protocols Samuel Jero, Maria Leonor Pacheco, Dan Goldwasser, Cristina Nita-Rotaru.
Computer Networks Protocols
Transport Layer 9/22/2019.
Presentation transcript:

Leveraging State Information for Automated Attack Discovery In Transport Protocol Implementations Samuel Jero, Hyojeong Lee, and Cristina Nita-Rotaru Purdue University DSN

Transport Protocols Critical to today’s Internet Used by many applications Underlie secure protocols like TLS Underlie network infrastructure protocols like BGP Numerous implementations Over 3,000 implementation variants detectable by nmap 2

TCP Attacked for 30 years! 3

Why So Many Attacks? Many designs and implementations Multiple variations, especially of congestion control Tahoe, Reno, New Reno, SACK, Vegas, BIC, CUBIC, others Over 20 RFCs defining variations or features Hundreds of implementations Complex goals Reliability, in-order delivery, congestion control, others Written in low level languages, part of OS Error-prone, but highly efficient Heavily optimized Prefer performance to ease of understanding and maintenance 4

Current Testing Methods Developer test suites Tests used by developer to make sure implementation is correct Packetdrill [USENIX 13] Fuzzing KiF [IPTComm 07], SNOOZE [ISC 06], EXT-NSFM [IMCCC 11] Find crashes by subjecting implementation to random inputs MAX [SIGCOMM 11] Automatically find manipulation attacks using symbolic execution Turret [ICDCS 14] Find performance attacks on distributed systems using greedy message modification 5 Ad-hoc, focused on benign scenarios Unable to cover entire protocol, difficulty reaching deep states Requires the user to select vulnerable lines of code Only focused on performance attacks, difficulty with transport protocols

Our Approach SNAKE: State-based Network AttacK Explorer Tests unmodified implementations Uses message-based attacks Finds performance, fairness, and resource exhaustion attacks Uses protocol state machine to enable efficient, systematic testing Found 5 new and 4 known attacks 5 protocol implementations 2 protocols 4 operating systems 6

Motivation Transport Protocols SNAKE: Design and Implementation Evaluation and Results Summary 7 Outline

Transport Protocols Responsible for end-to-end communication Provide guarantees to applications Reliability In-order delivery Flow control Congestion control Fairness Connection oriented to maintain state Connection establishment Data transfer Connection tear down 8 There are more than 13 RFCs dealing with TCP Congestion Control alone!

Malicious ClientsOff-path Attackers 9 Attacker Model Resource exhaustion attacks Fairness attacks Connection establishment attacks Throughput degradation attacks

Client application exits Client responds to all future data with Resets Resets are dropped Server must receive ACKs for all data before it can close connection 10 TCP CLOSE_WAIT Resource Exhaustion Attack Client can force server to keep socket state around for minutes

How Do We Find Attacks? Attack injection scheme Identify points where message-based attacks could be inserted into a test scenario Impacts the practicality and effectiveness of the testing Practicality: Systematic, exhaustive testing should test all attack injection points Effectiveness: Testing can only find vulnerabilities that occur at attack injection points 11

Packet-Send-based Attack Injection 12 Pros Simple Systematic Cons Does not support injecting new packets No support for off-path attacks Only considers modifying a single packet per test For each packet, inject each message attack at packet send Not Scalable! Scales with packets * attacks Our two minute TCP tests generate about 13,000 packets 13,000 pkts * 53 attacks * 2 min = 22,967 hours = 956 days Not Scalable! Scales with packets * attacks Our two minute TCP tests generate about 13,000 packets 13,000 pkts * 53 attacks * 2 min = 22,967 hours = 956 days Misses Attacks! Unable to find off-path attacks Misses Attacks! Unable to find off-path attacks

n represents a trade off between scalability and coverage Minimum n is the time to transmit a minimum sized packet Pros Supports injecting new packets Cons Only considers applying a single attack per test 13 Time-based Attack Injection Cannot Achieve Scalability and Coverage! Scales with n*connection_length*attacks A minimum sized TCP packet takes 5 microseconds to transmit at 100Mbits/sec 12 million pkts*60 attacks*2min = 24 million hours Cannot Achieve Scalability and Coverage! Scales with n*connection_length*attacks A minimum sized TCP packet takes 5 microseconds to transmit at 100Mbits/sec 12 million pkts*60 attacks*2min = 24 million hours Every n seconds, inject each message attack and observe the result

Improved scalability and coverage State machine identifies key protocol areas Similar packet types received in the same state often perform similar actions Combine protocol state and packet type for attack injection 14 Protocol State Machine Attack Injection TCP State Machine

Protocol State Machine Attack Injection Consider the protocol state, packet type pairs and apply each message attack to each pair Pros Scalable---About 300 hours to test an implementation Can apply attacks to more than a single packet Cons Assumes state machine is available Assumes state machine is implemented correctly 15

SNAKE Virtual machines running unmodified implementations with an emulated network A malicious proxy in front of one VM performs attack injection Supported message attacks: Drop, Duplicate, Delay, Batch, Reflect, Lie about packet fields, Inject, and HitSeqWindow Current protocol state tracked by monitoring packets 16

SNAKE During testing, performance and resource usage information is collected to identify attacks Attack declared successful if: Throughput of a flow is above or below that of the competing flow’s by more than a factor of 2 Server resources are not released at the end of the test 17

Two transport protocols TCP DCCP Five implementations in four operating systems: Linux 3.0/Linux 3.13 Windows 95/Windows 8.1 Strategies tested: TCP: 5,500 DCCP: 4,500 Testing time per implementation: About 60 hours 18 Evaluation Found 9 vulnerabilities, 5 of them unknown

Results Summary ProtocolAttackImpactOSKnown TCPCLOSE_WAIT Resource Exhaustion Server DoSLinux 3.0/3.13 Partially TCPPackets with Invalid FlagsFingerprintingLinux 3.0 / Win 8.1 No TCPDuplicate Ack SpoofingPoor FairnessWin 95Yes TCPReset AttackClient DoSAllYes TCPSYN-Reset AttackClient DoSAllYes TCPDuplicate Ack Rate LimitingDegraded Throughput Win 8.1No DCCPAck Mung Resource Exhaustion Server DoSLinux 3.13No DCCPIn-window Ack Sequence Number Modification Degraded Throughput Linux 3.13No DCCPREQUEST Connection Termination Client DoSLinux 3.13No 19

Summary We propose a new, efficient technique for automated, systematic testing of transport protocol implementations based on the protocol’s state machine We have implemented this technique in SNAKE and applied it to 5 implementations of 2 transport protocols in 4 operating systems We found 9 attacks, 5 of which are unknown 20

21 Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.