Automated Attack Discovery in TCP Congestion Control using a Model-guided Approach

Samuel Jero (1), Endadul Hoque (2), David Choffnes (3), Alan Mislove (3), and Cristina Nita-Rotaru (3)
(1) Purdue University, (2) Florida International University, and (3) Northeastern University

NDSS 2018


Post on 10-Jul-2020


Page 2: A Day In the Life of the Internet

[Figure; labels: TLS, TCP]

Page 3: TCP

• Transport protocol used by vast majority of Internet traffic
    • Including traffic encrypted with TLS
    • Including network infrastructure protocols like BGP
• Thousands of implementations
    • Over 5,000 implementation variants detectable by nmap
• Provides:
    • Reliability
    • In-order delivery
    • Flow control
    • Congestion control

Page 4: TCP Congestion Control

Congestion Control is Crucial for Modern Networks

• Protects against congestion collapse
    • Majority of sent data is dropped later on
    • Caused throughput decrease of 1000x in 1988
• Also ensures fairness between competing flows
    • Prevents one flow from starving others
• General scheme
    • Additive Increase, probing for more bandwidth
    • Loss indicates congestion
    • Multiplicative Decrease, slowing down to clear congestion

[Figures: "Congestion Collapse" (throughput vs. offered load); "Starvation" (throughput vs. time, Flow 1 and Flow 2); throughput vs. time, Flow 1 and Flow 2; throughput vs. time with loss events marked]

Page 5: Long History of Powerful Attacks

Attacks may result in:
• Decreased throughput
• Increased throughput that starves competing flows
• Stalled data transfer

[Figure: timeline, 1995 to 2015]

Page 6: Why So Many Attacks?

• Attacks leverage designed behavior
    • Congestion control is designed to control throughput
    • Attacks confuse congestion control about network conditions
    • No crashes or unusual control flow
• Many designs and implementations
    • Multiple Variations: Reno, NewReno, SACK, Vegas, BBR
    • Multiple Optimizations: PRR, TLP, DSACK, FRTO, RACK
    • Hundreds of implementations
• Lack of unified specifications
    • Individual components and optimizations are specified separately
    • Understanding unified behavior is difficult
• Very dynamic behavior
    • Congestion control state changes with every acknowledgement
    • Impact of individual packet dilutes quickly with time

[Figure callouts: "Network is great, keep sending"; "Network is full, slow down"; "OK, continuing to send"]

[Figure: RFCs 793, 5681, 2581, 2001, 6298, 7323, 3390, 3465, 2018, 3042, 6582, 6675, 2883, 4015, 5682, 6528, 2861, 5827, 6937, 3708, 4653]

Page 7: Current Testing Methods

• Manual Investigation
    • Security researchers manually investigate possible attacks
• Regression Testing
    • Manually create tests for known attacks
    • Test each implementation for vulnerability
• MAX [SIGCOMM’11]
    • Automatically finds manipulation attacks on network protocols
    • Leverages symbolic execution to identify manipulations
• SNAKE [DSN’15]
    • Automatically fuzzes transport protocols searching for availability and performance attacks
    • Uses state-machine attack injection for scalability

Callouts:
• Labor intensive, requires human to enumerate all possible attacks, does not scale
• Unable to find new vulnerabilities, different implementations may not be vulnerable in the same way
• Requires source code in a particular language and manual annotations
• Does not scale to highly dynamic systems and complex attacks with many steps

Page 8: Our Approach: TCPwn

Goal: Automatically test TCP implementations for attacks on Congestion Control

• Test real, unmodified implementations
• Scalability was the major challenge: attacks are complex and multi-stage, system is highly dynamic
• Model TCP congestion control as a state machine
• Use model-based testing to identify all possible attacks in a scalable manner
• Create testable attacks using packet manipulation and injection
• Finds attacks causing:
    • Decreased Throughput
    • Increased Throughput
    • A connection stall

[Figure: state machine with states SS, EB, CA, FR]

Page 9: Optimistic Ack Attack

Increase sending rate by acknowledging data that has not been received yet

• Acknowledging new data causes green transitions to be taken
• Increases cwnd and thus throughput with each loop
• Avoids red transitions which reduce cwnd and thus throughput

[Figure: NewReno Congestion Control State Machine. States: Slow Start, Exponential Backoff, Congestion Avoidance, Fast Recovery. Transition labels: "Ack -- cwnd += 1"; "New Ack -- cwnd += MSS"; "New Ack -- cwnd += 1"; "Ack -- cwnd = 0"; "3 Duplicate Acks -- cwnd = cwnd/2"; "Timeout"; "cwnd > ssthresh"]

Key Takeaways:
• Attacks attempt to cause desirable transitions
• Attacks must repeatedly execute transition to have noticeable impact

Page 10: Model-based Attack Generation

1. Consider state machine model of congestion control
2. Identify cycles containing desirable transitions
    • Abstract strategy generation
3. Force TCP to follow each cycle
    • Concrete strategy generation

[Figure: State Machine (states 1, 2, 3); Abstract Strategies ("1, 2, 1…", "1, 2, 3, 1…"); Concrete Strategies ("Delay Msg 1, Drop Msg 2", "Drop Msg 3, Dup Msg 4")]

Generate all cycles with the following pattern:
• cwnd increases/decreases along cycle
• A set of actions exist that force TCP to follow this cycle

Page 11: Abstract Strategy Generation

• Enumerate all paths
    • No standard graph algorithm
    • We adapt depth first search to this problem
• Check that path contains cycle
• Check that cycle contains desirable transitions
    • Any change to cwnd
• Add path and transition conditions to abstract strategies

[Figure: graph with nodes 1 to 5; labels: Cycle, Desirable Transition]

Abstract strategies are merely desirable cycles; they may not be realizable in practice!
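
The enumeration described on this slide, as an added example (not code from the slides or from TCPwn): a depth-first search over a constructed, simplified NewReno model that keeps every path ending in a cycle with at least one cwnd-changing transition. The edge set, the `+`/`-`/`=` effect labels and all function names are assumptions made for illustration.

```python
# Constructed, simplified NewReno model. Each transition is
# (source, condition, cwnd effect, destination); effects are "+", "-" or "="
# (unchanged). The edge set and effects are assumptions for illustration.
SS, CA, FR, EB = "SlowStart", "CongestionAvoidance", "FastRecovery", "ExponentialBackoff"
TRANSITIONS = [
    (SS, "new ack", "+", SS),
    (SS, "cwnd > ssthresh", "=", CA),
    (SS, "3 duplicate acks", "-", FR),
    (SS, "timeout", "-", EB),
    (CA, "new ack", "+", CA),
    (CA, "3 duplicate acks", "-", FR),
    (CA, "timeout", "-", EB),
    (FR, "new ack", "=", CA),
    (FR, "timeout", "-", EB),
    (EB, "timeout", "=", EB),
    (EB, "new ack", "=", SS),
]

def abstract_strategies(transitions, start):
    """Return (path, cycle) pairs: path leads from start into a cycle that
    contains at least one transition changing cwnd."""
    outgoing = {}
    for t in transitions:
        outgoing.setdefault(t[0], []).append(t)
    found = []

    def dfs(state, path, index_of):
        # index_of[s] = number of edges on the path before state s is reached
        for t in outgoing.get(state, []):
            dst, new_path = t[3], path + [t]
            if dst in index_of:                      # this edge closes a cycle
                cycle = new_path[index_of[dst]:]
                if any(effect != "=" for _, _, effect, _ in cycle):
                    found.append((new_path, cycle))  # desirable: cwnd changes
            else:                                    # keep extending the path
                dfs(dst, new_path, {**index_of, dst: len(new_path)})

    dfs(start, [], {start: 0})
    return found

def describe(cycle):
    """Render a cycle as 'State --condition [effect]--> ... State'."""
    return " ".join(f"{s} --{c} [{e}]-->" for s, c, e, _ in cycle) + " " + cycle[-1][3]

if __name__ == "__main__":
    for path, cycle in abstract_strategies(TRANSITIONS, SS):
        print(describe(cycle))
```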

Page 12: From Abstract to Concrete Strategies

• Limited to packet manipulation and injection to cause abstract strategies
• Consider each abstract strategy separately
• Map each transition to a set of basic malicious actions
    • Actions chosen to cause transition
    • Based on attacker capabilities

[Figure: Abstract Strategy (states 1, 2, 3). Action lists: Inject DupAck, Inject PreAck, Inject OffsetAck; Duplicate Ack, Limit Ack, PreAck. Combinations shown for State 1 and State 2:
State 1: Inject DupAck, State 2: Duplicate Ack
State 1: Inject PreAck, State 2: Limit Ack
State 1: Inject OffsetAck, State 2: PreAck
State 1: Inject DupAck, State 2: Duplicate Acl…]

We want to test implementations

Attacker Types:
Off-path:
On-path:

Page 13: TCPwn Design

• Test strategies created using model-based testing and our abstract and concrete strategy generators
• Testing done with virtual machines running real implementations in a dumbbell testbed network
• Attack Injector applies malicious actions
• Performance of target TCP connection identifies attacks

Page 14: Evaluation

We tested five TCP implementations:

Implementation | Date | Congestion Control
Ubuntu 16.10 (Linux 4.8) | 2016 | CUBIC + SACK + FRTO + ER + PRR + TLP
Ubuntu 14.04 (Linux 3.13) | 2014 | CUBIC + SACK + FRTO + ER + PRR + TLP
Ubuntu 11.10 (Linux 3.0) | 2011 | CUBIC + SACK + FRTO
Debian 2 (Linux 2.0) | 1998 | NewReno
Windows 8.1 | 2014 | Compound TCP + SACK

Found 11 classes of attacks, 8 of them unknown

Page 15: Results Summary

Attack Class | Attacker | Impact | OS | New?
Optimistic Ack | On-path | Increased Throughput | ALL | No
On-path Repeated Slow Start | On-path | Increased Throughput | Ubuntu 11.10, Ubuntu 16.10 | Yes
Amplified Bursts | On-path | Increased Throughput | Ubuntu 11.10 | Yes
Desync Attack | Off-path | Connection Stall | ALL | No
Ack Storm Attack | Off-path | Connection Stall | Debian 2, Windows 8.1 | No
Ack Lost Data | Off-path | Connection Stall | ALL | Yes
Slow Injected Acks | Off-path | Decreased Throughput | Ubuntu 11.10 | Yes
Sawtooth Ack | Off-path | Decreased Throughput | Ubuntu 11.10, Ubuntu 14.04, Ubuntu 16.10, Windows 8.1 | Yes
Dup Ack Injection | Off-path | Decreased Throughput | Debian 2, Windows 8.1 | Yes
Ack Amplification | Off-path | Increased Throughput | Ubuntu 11.10, Ubuntu 14.04, Ubuntu 16.10, Windows 8.1 | Yes
Off-path Repeated Slow Start | Off-path | Increased Throughput | Ubuntu 11.10 | Yes

Page 16: Summary

• We developed a new, model-guided technique to search for possible attacks on TCP congestion control. This technique uses the congestion control state machine to generate abstract strategies which are then converted into concrete strategies made up of message-based actions
• We implemented this technique in TCPwn, which is able to find attacks on real, unmodified implementations of TCP congestion control
• We tested 5 TCP implementations and found 11 classes of attacks, 8 of which were previously unknown

Check out the code! https://github.com/samueljero/TCPwn

Page 17: Questions?

[email protected]

Check out the code! https://github.com/samueljero/TCPwn

Page 18: Off-path Repeated Slow Start Attack

Off-path attacker can increase throughput for Linux senders

• Linux includes adjustable dupack threshold
    • Based on observed duplicate and reordered packets
• Attacker injects many duplicate acks
    • Increasing dupack threshold
• Timeout occurs before dupack loss detection
• Enter Exponential Backoff and then Slow Start
    • Instead of Fast Recovery
• Short 200ms timeout causes throughput to be >= normal
• Competing connections also suffer badly due to repeated losses

[Figure: sending rate vs. time, with DupAcks and repeated RTO events marked]

Page 19: Inferring Congestion Control State

To apply concrete strategies to an implementation, we need to know the sender’s congestion control state

• Approximate congestion control state and assume normal application behavior
• Take a small timeslice and observe the bytes sent and acknowledged by the implementation

[Figure: sequence number vs. time for Data and Ack, with Slow Start, Congestion Avoidance and Fast Recovery regions]

• Bytes Sent * 2 ≈ Bytes Acked. State: Slow Start
• Bytes Sent ≈ Bytes Acked. State: Congestion Avoidance
• Retransmitted packets or ACK pkts > Data pkts. State: Fast Recovery
• ACK pkts == 0 and Data pkts > 0. State: Exponential Backoff
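
An added sketch of the slice-based inference rules above (not TCPwn's own code): each time slice is classified from packet and byte counters, checking the timeout and loss rules before the ratio rules. The `Slice` fields, the 25% tolerance for "≈", the rule order and the reading of the slow-start rule as the sender emitting about twice the bytes acknowledged are assumptions; the sample slices are constructed.

```python
from dataclasses import dataclass
from itertools import groupby

TOLERANCE = 0.25  # assumed meaning of "≈": within 25% of the reference value

@dataclass
class Slice:
    """Counters observed for one sender during one short time slice."""
    bytes_sent: int    # data bytes the sender put on the wire
    bytes_acked: int   # bytes newly acknowledged by the receiver
    data_pkts: int     # data packets seen from the sender
    ack_pkts: int      # ACK packets seen from the receiver
    retransmits: int   # data packets carrying already-sent sequence numbers

def approx(value, reference, tol=TOLERANCE):
    return reference > 0 and abs(value - reference) <= tol * reference

def infer_state(s):
    # Timeout rule first: a retransmission after an RTO also counts as a
    # retransmit, so it would otherwise be mistaken for Fast Recovery.
    if s.ack_pkts == 0 and s.data_pkts > 0:
        return "ExponentialBackoff"
    if s.retransmits > 0 or s.ack_pkts > s.data_pkts:
        return "FastRecovery"
    # Assumed reading: in Slow Start the sender emits ~2 bytes per byte acked.
    if approx(s.bytes_sent, 2 * s.bytes_acked):
        return "SlowStart"
    if approx(s.bytes_sent, s.bytes_acked):
        return "CongestionAvoidance"
    return "Unknown"  # idle or ambiguous slice: do not guess

def timeline(slices):
    """Collapse per-slice states into (state, consecutive slice count) runs."""
    return [(st, len(list(run))) for st, run in groupby(map(infer_state, slices))]

# Constructed trace: ramp-up, steady state, a loss episode, a timeout, idle.
TRACE = [
    Slice(5840, 2920, 4, 2, 0),
    Slice(11680, 5840, 8, 4, 0),
    Slice(14600, 14600, 10, 10, 0),
    Slice(14600, 13140, 10, 9, 0),
    Slice(1460, 0, 1, 6, 1),
    Slice(1460, 0, 1, 0, 1),
    Slice(0, 0, 0, 0, 0),
]

if __name__ == "__main__":
    print(timeline(TRACE))
```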

Page 20: More on Congestion Control

• Model as a state machine
    • Input: Acks and Timers
    • Output: Congestion Window (cwnd)
• Four states:
    • Slow Start — Quickly find available bandwidth
    • Congestion Avoidance — Steady state sending with occasional probe for more bandwidth
    • Fast Recovery — React to loss by slowing down
    • Exponential Backoff — Timeout, slow down

[Figure: NewReno Congestion Control State Machine. States: Slow Start, Exponential Backoff, Congestion Avoidance, Fast Recovery. Transition labels: "Ack -- cwnd += 1"; "New Ack -- cwnd += MSS"; "New Ack -- cwnd += 1"; "Ack -- cwnd = 0"; "3 Duplicate Acks -- cwnd = cwnd/2"; "Timeout"; "cwnd > ssthresh". Callout: "= sending rate"]

Page 21: Limitations

• Use of NewReno as model
    • Model limited by ability to infer sender’s state from network traffic
    • More precise inference or instrumentation would enable more precise modeling
    • We trade off precision for ease of application to a wide range of implementations
• What about CUBIC, SACK, etc?
    • Most algorithms/optimizations are similar to NewReno
    • This includes: SACK, CUBIC, TLP, PRR
    • We actually tested implementations of these and found attacks
• What about algorithms not similar to NewReno?
    • For example: BBR, TFRC, Vegas
    • Model-based testing still readily generates abstract strategies
    • Need a method to infer sender’s congestion control state

[Figure: state machine with states SS, EB, CA, FR]