Presentation is loading. Please wait.

Presentation is loading. Please wait.

Leveraging State Information for Automated Attack Discovery In Transport Protocol Implementations Samuel Jero, Hyojeong Lee, and Cristina Nita-Rotaru Purdue.

Published byVerity Gallagher Modified over 9 years ago

Similar presentations

Presentation on theme: "Leveraging State Information for Automated Attack Discovery In Transport Protocol Implementations Samuel Jero, Hyojeong Lee, and Cristina Nita-Rotaru Purdue."— Presentation transcript:

1 Leveraging State Information for Automated Attack Discovery In Transport Protocol Implementations Samuel Jero, Hyojeong Lee, and Cristina Nita-Rotaru Purdue University DSN 2015 1

2 Transport Protocols Critical to today’s Internet Used by many applications Underlie secure protocols like TLS Underlie network infrastructure protocols like BGP Numerous implementations Over 3,000 implementation variants detectable by nmap 2

3 TCP Attacked for 30 years! 3

4 Why So Many Attacks? Many designs and implementations Multiple variations, especially of congestion control Tahoe, Reno, New Reno, SACK, Vegas, BIC, CUBIC, others Over 20 RFCs defining variations or features Hundreds of implementations Complex goals Reliability, in-order delivery, congestion control, others Written in low level languages, part of OS Error-prone, but highly efficient Heavily optimized Prefer performance to ease of understanding and maintenance 4

5 Current Testing Methods Developer test suites Tests used by developer to make sure implementation is correct Packetdrill [USENIX 13] Fuzzing KiF [IPTComm 07], SNOOZE [ISC 06], EXT-NSFM [IMCCC 11] Find crashes by subjecting implementation to random inputs MAX [SIGCOMM 11] Automatically find manipulation attacks using symbolic execution Turret [ICDCS 14] Find performance attacks on distributed systems using greedy message modification 5 Ad-hoc, focused on benign scenarios Unable to cover entire protocol, difficulty reaching deep states Requires the user to select vulnerable lines of code Only focused on performance attacks, difficulty with transport protocols

6 Our Approach SNAKE: State-based Network AttacK Explorer Tests unmodified implementations Uses message-based attacks Finds performance, fairness, and resource exhaustion attacks Uses protocol state machine to enable efficient, systematic testing Found 5 new and 4 known attacks 5 protocol implementations 2 protocols 4 operating systems 6

7 Motivation Transport Protocols SNAKE: Design and Implementation Evaluation and Results Summary 7 Outline

8 Transport Protocols Responsible for end-to-end communication Provide guarantees to applications Reliability In-order delivery Flow control Congestion control Fairness Connection oriented to maintain state Connection establishment Data transfer Connection tear down 8 There are more than 13 RFCs dealing with TCP Congestion Control alone!

9 Malicious ClientsOff-path Attackers 9 Attacker Model Resource exhaustion attacks Fairness attacks Connection establishment attacks Throughput degradation attacks

10 Client application exits Client responds to all future data with Resets Resets are dropped Server must receive ACKs for all data before it can close connection 10 TCP CLOSE_WAIT Resource Exhaustion Attack Client can force server to keep socket state around for 13-30 minutes

11 How Do We Find Attacks? Attack injection scheme Identify points where message-based attacks could be inserted into a test scenario Impacts the practicality and effectiveness of the testing Practicality: Systematic, exhaustive testing should test all attack injection points Effectiveness: Testing can only find vulnerabilities that occur at attack injection points 11

12 Packet-Send-based Attack Injection 12 Pros Simple Systematic Cons Does not support injecting new packets No support for off-path attacks Only considers modifying a single packet per test For each packet, inject each message attack at packet send Not Scalable! Scales with packets * attacks Our two minute TCP tests generate about 13,000 packets 13,000 pkts * 53 attacks * 2 min = 22,967 hours = 956 days Not Scalable! Scales with packets * attacks Our two minute TCP tests generate about 13,000 packets 13,000 pkts * 53 attacks * 2 min = 22,967 hours = 956 days Misses Attacks! Unable to find off-path attacks Misses Attacks! Unable to find off-path attacks

13 n represents a trade off between scalability and coverage Minimum n is the time to transmit a minimum sized packet Pros Supports injecting new packets Cons Only considers applying a single attack per test 13 Time-based Attack Injection Cannot Achieve Scalability and Coverage! Scales with n*connection_length*attacks A minimum sized TCP packet takes 5 microseconds to transmit at 100Mbits/sec 12 million pkts*60 attacks*2min = 24 million hours Cannot Achieve Scalability and Coverage! Scales with n*connection_length*attacks A minimum sized TCP packet takes 5 microseconds to transmit at 100Mbits/sec 12 million pkts*60 attacks*2min = 24 million hours Every n seconds, inject each message attack and observe the result

14 Improved scalability and coverage State machine identifies key protocol areas Similar packet types received in the same state often perform similar actions Combine protocol state and packet type for attack injection 14 Protocol State Machine Attack Injection TCP State Machine

15 Protocol State Machine Attack Injection Consider the protocol state, packet type pairs and apply each message attack to each pair Pros Scalable---About 300 hours to test an implementation Can apply attacks to more than a single packet Cons Assumes state machine is available Assumes state machine is implemented correctly 15

16 SNAKE Virtual machines running unmodified implementations with an emulated network A malicious proxy in front of one VM performs attack injection Supported message attacks: Drop, Duplicate, Delay, Batch, Reflect, Lie about packet fields, Inject, and HitSeqWindow Current protocol state tracked by monitoring packets 16

17 SNAKE During testing, performance and resource usage information is collected to identify attacks Attack declared successful if: Throughput of a flow is above or below that of the competing flow’s by more than a factor of 2 Server resources are not released at the end of the test 17

18 Two transport protocols TCP DCCP Five implementations in four operating systems: Linux 3.0/Linux 3.13 Windows 95/Windows 8.1 Strategies tested: TCP: 5,500 DCCP: 4,500 Testing time per implementation: About 60 hours 18 Evaluation Found 9 vulnerabilities, 5 of them unknown

19 Results Summary ProtocolAttackImpactOSKnown TCPCLOSE_WAIT Resource Exhaustion Server DoSLinux 3.0/3.13 Partially TCPPackets with Invalid FlagsFingerprintingLinux 3.0 / Win 8.1 No TCPDuplicate Ack SpoofingPoor FairnessWin 95Yes TCPReset AttackClient DoSAllYes TCPSYN-Reset AttackClient DoSAllYes TCPDuplicate Ack Rate LimitingDegraded Throughput Win 8.1No DCCPAck Mung Resource Exhaustion Server DoSLinux 3.13No DCCPIn-window Ack Sequence Number Modification Degraded Throughput Linux 3.13No DCCPREQUEST Connection Termination Client DoSLinux 3.13No 19

20 Summary We propose a new, efficient technique for automated, systematic testing of transport protocol implementations based on the protocol’s state machine We have implemented this technique in SNAKE and applied it to 5 implementations of 2 transport protocols in 4 operating systems We found 9 attacks, 5 of which are unknown 20

21 21 Questions?

Download ppt "Leveraging State Information for Automated Attack Discovery In Transport Protocol Implementations Samuel Jero, Hyojeong Lee, and Cristina Nita-Rotaru Purdue."

Similar presentations

Martin Suchara, Ryan Witt, Bartek Wydrowski California Institute of Technology Pasadena, U.S.A. TCP MaxNet Implementation and Experiments on the WAN in.

Martin Suchara, Ryan Witt, Bartek Wydrowski California Institute of Technology Pasadena, U.S.A. TCP MaxNet Implementation and Experiments on the WAN in.
Umut Girit 200535027.  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.

Umut Girit  One of the core members of the Internet Protocol Suite, the set of network protocols used for the Internet. With UDP, computer.
Remote Procedure Call (RPC)

Remote Procedure Call (RPC)
1 Transport Protocols & TCP CSE 3213 Fall 2007 130 April 2015.

1 Transport Protocols & TCP CSE 3213 Fall April 2015.
Computer Networks Transport Layer. Topics F Introduction (6.1)  F Connection Issues (6.2 - 6.2.3) F TCP (6.4)

Computer Networks Transport Layer. Topics F Introduction (6.1)  F Connection Issues ( ) F TCP (6.4)
CCNA – Network Fundamentals

CCNA – Network Fundamentals
Chapter 7: Transport Layer

Chapter 7: Transport Layer
CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.

CCNA2 Module 4. Discovering and Connecting to Neighbors Enable and disable CDP Use the show cdp neighbors command Determine which neighboring devices.
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
Chapter 7 – Transport Layer Protocols

Chapter 7 – Transport Layer Protocols
1 TCP CSE 6590 122 May 2015. 2 TCP Services Flow control Connection establishment and termination Congestion control 2.

1 TCP CSE May TCP Services Flow control Connection establishment and termination Congestion control 2.
The War Between Mice and Elephants LIANG GUO, IBRAHIM MATTA Computer Science Department Boston University ICNP (International Conference on Network Protocols)

The War Between Mice and Elephants LIANG GUO, IBRAHIM MATTA Computer Science Department Boston University ICNP (International Conference on Network Protocols)
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 OSI Transport Layer Network Fundamentals – Chapter 4.
1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 1 v3.0 Module 11 TCP/IP Transport and Application Layers.

1 © 2003, Cisco Systems, Inc. All rights reserved. CCNA 1 v3.0 Module 11 TCP/IP Transport and Application Layers.
William Stallings Data and Computer Communications 7 th Edition (Selected slides used for lectures at Bina Nusantara University) Transport Layer.

William Stallings Data and Computer Communications 7 th Edition (Selected slides used for lectures at Bina Nusantara University) Transport Layer.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
Gursharan Singh Tatla Transport Layer 16-May-2011 1

Gursharan Singh Tatla Transport Layer 16-May
What Can IP Do? Deliver datagrams to hosts – The IP address in a datagram header identify a host IP treats a computer as an endpoint of communication Best.

What Can IP Do? Deliver datagrams to hosts – The IP address in a datagram header identify a host IP treats a computer as an endpoint of communication Best.
Chapter 16 Stream Control Transmission Protocol (SCTP)

Chapter 16 Stream Control Transmission Protocol (SCTP)
TRANSPORT LAYER T.Najah Al-Subaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.

TRANSPORT LAYER T.Najah Al-Subaie Kingdom of Saudi Arabia Prince Norah bint Abdul Rahman University College of Computer Since and Information System NET331.

Similar presentations

Ads by Google