Finding Security Vulnerabilities in a Network Protocol Using Parameterized Systems

Sosnovich, Adi; Grumberg, Orna; Nakibly, Gabi

doi:10.1007/978-3-642-39799-8_51

Cited by 9 publications

(6 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These parts include the LSA flooding procedure, the fight-back mechanism, the LSA message structure, and the LSA purge procedure. We leverage and extend an OSPF model that was proposed by [34] and [27]. The model was previously used in the context of model checking to find vulnerabilities in the protocol's standard itself.…”

Section: The Ospf Symbolic Modelmentioning

confidence: 99%

See 1 more Smart Citation

Formal Black-Box Analysis of Routing Protocol Implementations

Sosnovich¹,

Grumberg²,

Nakibly³

2017

Preprint

Self Cite

View full text Add to dashboard Cite

The Internet infrastructure relies entirely on open standards for its routing protocols. However, the overwhelming majority of routers on the Internet are proprietary and closed-source. Hence, there is no straightforward way to analyze them. Specifically, one cannot easily and systematically identify deviations of a router's routing functionality from the routing protocol's standard. Such deviations (either deliberate or inadvertent) are particularly important to identify since they present non-standard functionalities which have not been openly and rigorously analyzed by the security community. Therefore, these deviations may degrade the security or resiliency of the network.A model-based testing procedure is a technique that allows to systematically generate tests based on a model of the system to be tested; thereby finding deviations in the system compared to the model. However, applying such an approach to a complex multi-party routing protocol requires a prohibitively high number of tests to cover the desired functionality. We propose efficient and practical optimizations to the model-based testing procedure that are tailored to the analysis of routing protocols. These optimizations mitigate the scalability issues and allow to devise a formal black-box method to unearth deviations in closed-source routing protocols' implementations. The method relies only on the ability to test the targeted protocol implementation and observe its output. Identification of the deviations is fully automatic.We evaluate our method against one of the complex and widely used routing protocols on the Internet -OSPF. We search for deviations in the OSPF implementation of Cisco. Our evaluation identified numerous significant deviations that can be abused to compromise the security of a network. The deviations were confirmed by Cisco. We further employed our method to analyze the OSPF implementation of the Quagga Routing Suite -a popular open source routing software. The analysis revealed one significant deviation. Subsequent to the dis-closure of the deviations some of them were also identified by IBM, Lenovo and Huawei in their own products.

show abstract

Section: The Ospf Symbolic Modelmentioning

confidence: 99%

“…Several works have analyzed the OSPF standard itself for security vulnerabilities [27,34,23]. A few of these works have used the same threat model and even the same formal model of the OSPF standard, as we did here.…”

Section: Ospf Analysismentioning

confidence: 99%

Formal Black-Box Analysis of Routing Protocol Implementations

Sosnovich¹,

Grumberg²,

Nakibly³

2017

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

“…Here the behavior of a system is specified as a transition relation between finite state and a checker can verify that all reachable states from a starting configuration are safe (i.e., do not cause any invariant violation). Tools such as NICE [7], HSA [20] and others [39] rely on this technique. However these techniques scale exponentially with the number of states and for even moderately large problems one must choose between being able to verify in reasonable time and completeness.…”

Section: Related Workmentioning

confidence: 99%

Verifying Reachability in Networks with Mutable Datapaths

Panda¹,

Lahav²,

Argyraki³

et al. 2016

Preprint

View full text Add to dashboard Cite

Recent work has made great progress in verifying the forwarding correctness of networks [19][20][21]26]. However, these approaches cannot be used to verify networks containing middleboxes, such as caches and firewalls, whose forwarding behavior depends on previously observed traffic. We explore how to verify reachability properties for networks that include such "mutable datapath" elements. We want our verification results to hold not just for the given network, but also in the presence of failures. The main challenge lies in scaling the approach to handle large and complicated networks, We address by developing and leveraging the concept of slices, which allow network-wide verification to only require analyzing small portions of the network. We show that with slices the time required to verify an invariant on many production networks is independent of the size of the network itself.

show abstract

“…Here the behavior of a system is specified as a transition relation between finite state and a checker can verify that all reachable states from a starting configuration are safe (i.e., do not cause any invariant violation). Tools such as NICE [4], HSA [19] and others [35] rely on this technique. However these techniques scale exponentially with the number of states and for even moderately large problems one must chose between being able to verify in reasonable time and completeness.…”

Section: Related Workmentioning

confidence: 99%

Verifying Isolation Properties in the Presence of Middleboxes

Panda,

Lahav,

Argyraki

et al. 2014

Preprint

View full text Add to dashboard Cite

Great progress has been made recently in verifying the correctness of router forwarding tables [17,19,20,26]. However, these approaches do not work for networks containing middleboxes such as caches and firewalls whose forwarding behavior depends on previously observed traffic. We explore how to verify isolation properties in networks that include such "dynamic datapath" elements using model checking. Our work leverages recent advances in SMT solvers, and the main challenge lies in scaling the approach to handle large and complicated networks. While the straightforward application of model checking to this problem can only handle very small networks (if at all), our approach can verify simple realistic invariants on networks containing 30,000 middleboxes in a few minutes.

show abstract

Finding Security Vulnerabilities in a Network Protocol Using Parameterized Systems

Cited by 9 publications

References 11 publications

Formal Black-Box Analysis of Routing Protocol Implementations

Formal Black-Box Analysis of Routing Protocol Implementations

Verifying Reachability in Networks with Mutable Datapaths

Verifying Isolation Properties in the Presence of Middleboxes

Contact Info

Product

Resources

About