NDSS 2018 is in full swing in San Diego this week and a couple of papers that really grabbed my attention were both in the same session on Network Security and Cellular Networks yesterday.
Samuel Jero, a PhD student at Purdue University and past IRTF Applied Networking Research Prize Winner, presented a fascinating paper on “Automated Attack Discovery in TCP Congestion Control Using a Model-guided Approach”. Of the many protocols and algorithms that are in daily use on the Internet, some are more fundamental and important than others and it doesn’t get much more fundamental and important than TCP congestion control.
TCP congestion control is what makes it possible for millions of autonomous devices and networks to seamlessly, and more-or-less fairly, share available bandwidth. Without it the network would literally collapse.
Attacks against congestion control to manipulate senders’ or receivers’ understanding of the state of the network have been known for some time. Jero and his co-authors Endadul Hoque, David Choffnes, Alan Mislove and Cristina Nita-Rotaru developed an approach using model-based testing to address the scalability challenges of previous work to automate the discovery of manipulation attacks against congestion control algorithms.
By building abstract models of several congestion control algorithms from IETF RFCs, the team were able to generate abstract attack strategies. These abstract strategies could then be mapped to concrete attack strategies including details of how attack packets should be created and timing information for injecting malicious traffic to effect an attack. Both off-path and on-path attackers were considered.
Armed with a set of concrete attack strategies, the team built a platform on which to test them against different congestion control implementations running on a variety of OS environments. Evaluating five TCP implementations from four Linux distributions and Windows 8 they found 11 classes of attacks, eight of which were previously unknown.
This work illustrates the vulnerability of transport protocols that carry their signalling in the clear, as TCP does. It is relatively trivial for an attacker to confuse congestion control state machines about the state of the network which leads to the large and diverse set of attack methods discovered. The new and rapidly developing QUIC protocol is perhaps one of the key next steps in defending the Internet against these kinds of manipulations: QUIC encrypts signalling by design.
In his paper, “LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE”, Syed Hussain (with co-authors Omar Chowdhury, Shagufta Mehnaz and Elisa Bertino) also employs a model-based testing approach to uncover 10 new attacks against the three fundamental protocol operations of the 4G LTE protocol (attach, detach and paging).
To ensure that the theoretical attacks were actually practical against real deployed 4G LTE networks, the team validated eight attacks using a real-world testbed. The most interesting attack discovered in this way is referred to as the ‘authentication relay attack,’ which enables an adversary to poison the core network’s knowledge of the location of a victim device, without possessing any legitimate credentials. This attack could provide a means to create a false alibi or plant fake evidence during a criminal investigation for example.
Both of these papers illustrate the power of applying model-based testing approaches to deployed systems to effectively automate the process of vulnerability discovery. As the dependence of modern society on Internet and cellular technologies continues to grow, this kind of work is crucial to help us move beyond the ‘whack-a-mole’ response to security vulnerabilities we’re familiar with.
These two papers are great examples of the strength of the work presented at NDSS and the importance of the research undertaken by this community for the security of our networked, distributed future. Both papers are already on the NDSS website, and slides and videos from these and all other presentations will be posted shortly after NDSS.