Static Detection of Packet Injection Vulnerabilities: A Case for Identifying Attacker-controlled Implicit Information Leaks

Research article (Public Access). DOI: 10.1145/2810103.2813643
Published: 12 October 2015

Abstract

Off-path packet injection attacks remain a serious threat to the Internet and to network security. In recent years, a number of studies have discovered new variants of packet injection attacks targeting critical protocols such as TCP. We argue that such recurring problems call for a systematic solution. In this paper, we design and implement PacketGuardian, a precise static taint analysis tool that comprehensively checks the packet handling logic of network protocol implementations. The analysis operates in two steps. First, it identifies the critical paths and constraints that lead to an incoming packet being accepted. If paths with weak constraints exist, a vulnerability may be revealed immediately. Otherwise, based on the "secret" protocol states that appear in those constraints, a subsequent analysis checks whether such states can be leaked to an attacker.
In the second step, observing that all previously reported leaks are through implicit flows, our tool supports implicit-flow tainting, a feature that taint analyses commonly exclude because of the high volume of false alarms it causes. To address this challenge, we propose the concept of attacker-controlled implicit information leaks and prioritize their detection, which effectively reduces false alarms without compromising the tool's effectiveness. We apply PacketGuardian to six popular implementations of TCP, SCTP, DCCP, and RTP, and uncover new vulnerabilities in Linux kernel TCP as well as in 2 of the 3 RTP implementations. We validate these vulnerabilities and confirm that they are highly exploitable.
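The two-step analysis the abstract describes can be made concrete with a toy model. The Python below is an added illustration written for this page; it is not PacketGuardian's code, its intermediate representation, or any real protocol handler. The statement IR, the two taint labels, the three constructed handlers and the rule that a branch counts as "attacker-controlled" when its condition reads both a secret state variable and a packet field are all assumptions made here. Step 1 enumerates the paths that reach `accept` and flags those whose constraints never involve a secret (an off-path attacker can satisfy them with a spoofed packet); step 2 examines every secret-dependent branch for an implicit flow into an attacker-observable channel and reports the attacker-controlled ones ahead of branches that depend on the secret alone.

```python
"""Toy model of the two-step analysis sketched in the abstract.
Added illustration only: the statement IR, the taint labels and the sample
handlers below are assumptions made here, not PacketGuardian's own code."""
from dataclasses import dataclass, field

ATTACKER, SECRET = "A", "S"   # taint labels: packet-derived vs. secret-state-derived


@dataclass
class Stmt:
    op: str                    # assign | if | emit | accept | drop
    dst: str = ""              # assign target, branch label, or emitted channel
    srcs: tuple = ()           # variables read by assign / if
    then: list = field(default_factory=list)
    els: list = field(default_factory=list)


def taint_of(env, srcs):
    return frozenset().union(*(env.get(v, frozenset()) for v in srcs))


def traces(stmts):
    """Every sequence of emitted channels an attacker could observe inside `stmts`."""
    out = {()}
    for i, s in enumerate(stmts):
        if s.op == "emit":
            out = {tr + (s.dst,) for tr in out}
        elif s.op in ("accept", "drop"):
            return out
        elif s.op == "if":
            rest = stmts[i + 1:]
            tails = traces(s.then + rest) | traces(s.els + rest)
            return {a + b for a in out for b in tails}
    return out


def classify(s, t):
    """Step 2: does this branch leak its secret-dependent condition?"""
    if SECRET not in t or traces(s.then) == traces(s.els):
        return "benign"           # no secret involved, or both arms look the same
    if ATTACKER in t:             # attacker can drive the comparison with probes
        return "attacker-controlled implicit leak"
    return "secret-dependent, not attacker-controlled (low priority)"


def walk(stmts, env, constraints, report):
    """Step 1: enumerate paths, forking at each branch, and rate accept paths."""
    env = dict(env)
    for i, s in enumerate(stmts):
        if s.op == "assign":
            env[s.dst] = taint_of(env, s.srcs)     # explicit flow
        elif s.op == "accept":
            if not any(SECRET in t for t in constraints):
                report["weak_accept_paths"] += 1   # nothing on this path needs guessing
            return
        elif s.op == "drop":
            return
        elif s.op == "if":
            t = taint_of(env, s.srcs)
            report["branches"].setdefault(s.dst, classify(s, t))
            rest = stmts[i + 1:]
            walk(s.then + rest, env, constraints + (t,), report)
            walk(s.els + rest, env, constraints + (t,), report)
            return
        # "emit" does not change taint; traces() accounts for its observability


def analyze(handler, env):
    report = {"weak_accept_paths": 0, "branches": {}}
    walk(handler, env, (), report)
    return report


# Constructed sample environment: fields from the wire vs. per-connection state.
ENV = {"pkt_flags": {ATTACKER}, "pkt_seq": {ATTACKER},
       "rcv_nxt": {SECRET}, "rcv_wnd": {SECRET}}

# (1) acceptance guarded only by packet fields: any spoofed packet gets in.
weak_handler = [
    Stmt("if", "is_rst", ("pkt_flags",), then=[Stmt("accept")], els=[Stmt("drop")]),
]
# (2) guarded by the secret window, but only rejected packets bump a counter the
#     attacker can read, so probing reveals whether a guess was in-window.
leaky_handler = [
    Stmt("if", "in_window", ("pkt_seq", "rcv_nxt", "rcv_wnd"),
         then=[Stmt("accept")],
         els=[Stmt("emit", "out_of_window_counter"), Stmt("drop")]),
]
# (3) same check, counter bumped on every packet so both arms look alike; the
#     extra branch depends on the secret alone and is reported at low priority.
fixed_handler = [
    Stmt("emit", "packets_seen_counter"),
    Stmt("if", "window_is_zero", ("rcv_wnd",),
         then=[Stmt("emit", "zero_window_probe")]),
    Stmt("if", "in_window", ("pkt_seq", "rcv_nxt", "rcv_wnd"),
         then=[Stmt("accept")], els=[Stmt("drop")]),
]

if __name__ == "__main__":
    for name, h in [("weak", weak_handler), ("leaky", leaky_handler), ("fixed", fixed_handler)]:
        print(name, analyze(h, ENV))
```

Running the script reports one weak accept path for the first handler (the check reads only `pkt_flags`), an attacker-controlled implicit leak on `in_window` for the second (the rejected arm emits a channel the accepted arm does not, and the comparison mixes `pkt_seq` with the secret window), and for the third a benign `in_window` plus a low-priority finding on `window_is_zero`, which depends on the secret but on nothing the attacker sends. That last distinction is the point of the prioritization: plain implicit-flow tainting would rank both branches alike.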



          Published In

          CCS '15: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security
          October 2015, 1750 pages
          ISBN: 9781450338325
          DOI: 10.1145/2810103
          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

          Publisher

          Association for Computing Machinery, New York, NY, United States


          Author Tags

          1. implicit information leakage
          2. network protocol security
          3. side channel detection
          4. static analysis

          Qualifiers

          • Research-article

          Conference

          CCS '15

          Acceptance Rates

          CCS '15 Paper Acceptance Rate: 128 of 660 submissions, 19%
          Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%


          Cited By

          • (2023) A Formal Approach to Design and Security Verification of Operating Systems for Intelligent Transportation Systems Based on Object Model. IEEE Transactions on Intelligent Transportation Systems 24(12):15459-15467, December 2023. doi:10.1109/TITS.2022.3224385
          • (2023) Systematically Detecting Packet Validation Vulnerabilities in Embedded Network Stacks. Proceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering, pp. 926-938, 11 November 2023. doi:10.1109/ASE56229.2023.00095
          • (2022) PalanTír. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 3135-3149, 7 November 2022. doi:10.1145/3548606.3560570
          • (2022) Demystifying the dependency challenge in kernel fuzzing. Proceedings of the 44th International Conference on Software Engineering, pp. 659-671, 21 May 2022. doi:10.1145/3510003.3510126
          • (2022) Understanding the Security Implication of Aborting Virtual Machine Live Migration. IEEE Transactions on Cloud Computing 10(2):1275-1286, 1 April 2022. doi:10.1109/TCC.2020.2982900
          • (2021) Statically Discovering High-Order Taint Style Vulnerabilities in OS Kernels. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 811-824, 12 November 2021. doi:10.1145/3460120.3484798
          • (2021) Model-Agnostic and Efficient Exploration of Numerical Congestion Control State Space of Real-World TCP Implementations. IEEE/ACM Transactions on Networking 29(5):1990-2004, October 2021. doi:10.1109/TNET.2021.3078161
          • (2021) Research on Off-Path Exploits of Network Protocols. Data Mining and Big Data, pp. 73-80, 31 October 2021. doi:10.1007/978-981-16-7476-1_7
          • (2020) Plug-N-Pwned. Proceedings of the 29th USENIX Conference on Security Symposium, pp. 949-965, 12 August 2020. doi:10.5555/3489212.3489266
          • (2020) Automatic Feature Isolation in Network Protocol Software Implementations. Proceedings of the 2020 ACM Workshop on Forming an Ecosystem Around Software Transformation, pp. 29-34, 13 November 2020. doi:10.1145/3411502.3418425
