DOI: 10.1145/2699026.2699123
short-paper

Securing ARP From the Ground Up

Published: 02 March 2015

Abstract

The basis for all IPv4 network communication is the Address Resolution Protocol (ARP), which maps an IP address to a device's Media Access Control (MAC) identifier. ARP has long been recognized as vulnerable to spoofing and other attacks, and past proposals to secure the protocol have often involved modifying the basic protocol.
This paper introduces arpsec, a secure ARP/RARP protocol suite which a) does not require protocol modification, b) enables continual verification of the identity of the target (respondent) machine by introducing an address binding repository derived using a formal logic that bases additions to a host's ARP cache on a set of operational rules and properties, c) utilizes the TPM, a commodity component now present in the vast majority of modern computers, to augment the logic-prover-derived assurance when needed, with TPM-facilitated attestations of system state achieved at viably low processing cost. Using commodity TPMs as our attestation base, we show that arpsec incurs an overhead ranging from 7% to 15.4% over the standard Linux ARP implementation and provides a first step towards a formally secure and trustworthy networking stack.

Cited By

  • (2024) Ensuring cybersecurity for industrial networks: A solution for ARP-based MITM attacks. Journal of Computer Security, 10.3233/JCS-230023, (1-29). Online publication date: 1-Feb-2024
  • (2017) Securing ARP/NDP From the Ground Up. IEEE Transactions on Information Forensics and Security, 10.1109/TIFS.2017.2695983, 12:9, (2131-2143). Online publication date: Sep-2017

Published In

CODASPY '15: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy
March 2015
362 pages
ISBN:9781450331913
DOI:10.1145/2699026

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. arp
  2. logic
  3. spoofing
  4. trusted computing
  5. trusted protocols

Acceptance Rates

CODASPY '15 Paper Acceptance Rate 19 of 91 submissions, 21%;
Overall Acceptance Rate 149 of 789 submissions, 19%
