TY - GEN
T1 - Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks Using Model Checking
AU - Ensafi, Roya
AU - Park, Jong Chun
AU - Kapur, Deepak
AU - Crandall, Jedidiah R.
N1 - Publisher Copyright:
copyright © 2010 USENIX Security Symposium.All right reserved.
PY - 2010
Y1 - 2010
N2 - Idle port scanning uses side-channel attacks to bounce scans off of a "zombie" host to stealthily scan a victim IP address or infer IP-based trust relationships between the zombie and victim. We present results from building a transition system model of a network protocol stack for an attacker, victim, and zombie, and testing this model for non-interference properties using model checking. Two new methods of idle scans resulted from our modeling effort, based on TCP RST rate limiting and SYN caches, respectively. Through experimental verification of these attacks, we show that it is possible to scan victims which the attacker is not able to route packets to, meaning that protected networks or ports closed by firewall rules can be scanned. This is not possible with the one currently known method of idle scan in the literature that is based on non-random IPIDs. For the future design of network protocols, a notion of trusted vs. untrusted networks and hosts (based on existing IP-based trust relationships) will enable shared, limited resources to be divided. For a model complex enough to capture the details of each attack and where a distinction between trusted and untrusted hosts can be made, we modeled RST rate limitations and a split SYN cache structure. Non-interference for these two resources was verified with symbolic model checking and bounded model checking to depth 1000, respectively. Because each transition is roughly a packet, this demonstrates that the two respective idle scans are ameliorated by separating these resources.
AB - Idle port scanning uses side-channel attacks to bounce scans off of a "zombie" host to stealthily scan a victim IP address or infer IP-based trust relationships between the zombie and victim. We present results from building a transition system model of a network protocol stack for an attacker, victim, and zombie, and testing this model for non-interference properties using model checking. Two new methods of idle scans resulted from our modeling effort, based on TCP RST rate limiting and SYN caches, respectively. Through experimental verification of these attacks, we show that it is possible to scan victims which the attacker is not able to route packets to, meaning that protected networks or ports closed by firewall rules can be scanned. This is not possible with the one currently known method of idle scan in the literature that is based on non-random IPIDs. For the future design of network protocols, a notion of trusted vs. untrusted networks and hosts (based on existing IP-based trust relationships) will enable shared, limited resources to be divided. For a model complex enough to capture the details of each attack and where a distinction between trusted and untrusted hosts can be made, we modeled RST rate limitations and a split SYN cache structure. Non-interference for these two resources was verified with symbolic model checking and bounded model checking to depth 1000, respectively. Because each transition is roughly a packet, this demonstrates that the two respective idle scans are ameliorated by separating these resources.
UR - http://www.scopus.com/inward/record.url?scp=84906789612&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84906789612&partnerID=8YFLogxK
M3 - Conference contribution
AN - SCOPUS:84906789612
T3 - Proceedings of the 19th USENIX Security Symposium
SP - 257
EP - 272
BT - Proceedings of the 19th USENIX Security Symposium
PB - USENIX Association
T2 - 19th USENIX Security Symposium
Y2 - 11 August 2010 through 13 August 2010
ER -