Automated Attack Discovery in TCP Congestion Control using a Model-guided Approach
Samuel Jero (1), Endadul Hoque (2), David Choffnes (3), Alan Mislove (3), and Cristina Nita-Rotaru (3)
(1) Purdue University, (2) Florida International University, and (3) Northeastern University
NDSS 2018
A Day In the Life of the Internet
[Figure: protocol stack showing TLS running over TCP]
TCP
• Transport protocol used by vast majority of Internet traffic
  • Including traffic encrypted with TLS
  • Including network infrastructure protocols like BGP
• Thousands of implementations
  • Over 5,000 implementation variants detectable by nmap
• Provides:
  • Reliability
  • In-order delivery
  • Flow control
  • Congestion control
TCP Congestion Control
• Protects against congestion collapse
  • Majority of sent data is dropped later on
  • Caused throughput decrease of 1000x in 1988
• Also ensures fairness between competing flows
  • Prevents one flow from starving others
Congestion Control is Crucial for Modern Networks
• General scheme
  • Additive Increase, probing for more bandwidth
  • Loss indicates congestion
  • Multiplicative Decrease, slowing down to clear congestion
[Figures: Throughput vs. Offered Load showing Congestion Collapse; Throughput vs. Time for Flow 1 and Flow 2 showing Starvation; Throughput vs. Time for Flow 1 and Flow 2 sharing fairly; Throughput vs. Time showing the sawtooth with Loss events]
Long History of Powerful Attacks
Attacks may result in:
• Decreased throughput
• Increased throughput that starves competing flows
• Stalled data transfer
[Figure: timeline of published attacks from 1995 to 2015]
Why So Many Attacks?
• Attacks leverage designed behavior
  • Congestion control is designed to control throughput
  • Attacks confuse congestion control about network conditions
  • No crashes or unusual control flow
• Many designs and implementations
  • Multiple Variations: Reno, NewReno, SACK, Vegas, BBR
  • Multiple Optimizations: PRR, TLP, DSACK, FRTO, RACK
  • Hundreds of implementations
• Lack of unified specifications
  • Individual components and optimizations are specified separately
  • Understanding unified behavior is difficult
• Very dynamic behavior
  • Congestion control state changes with every acknowledgement
  • Impact of individual packet dilutes quickly with time
[Figure: sender and receiver exchange captioned "Network is great, keep sending", "Network is full, slow down", "OK, continuing to send"; cloud of relevant RFCs: RFC 793, RFC 5681, RFC 2581, RFC 2001, RFC 6298, RFC 7323, RFC 3390, RFC 3465, RFC 2018, RFC 3042, RFC 6582, RFC 6675, RFC 2883, RFC 4015, RFC 5682, RFC 6528, RFC 2861, RFC 5827, RFC 6937, RFC 3708, RFC 4653]
Current Testing Methods
• Manual Investigation
  • Security researchers manually investigate possible attacks
  • Labor intensive, requires human to enumerate all possible attacks, does not scale
• Regression Testing
  • Manually create tests for known attacks
  • Test each implementation for vulnerability
  • Unable to find new vulnerabilities; different implementations may not be vulnerable in the same way
• MAX [SIGCOMM '11]
  • Automatically finds manipulation attacks on network protocols
  • Leverages symbolic execution to identify manipulations
  • Requires source code in a particular language and manual annotations
• SNAKE [DSN '15]
  • Automatically fuzzes transport protocols searching for availability and performance attacks
  • Uses state-machine attack injection for scalability
  • Does not scale to highly dynamic systems and complex attacks with many steps
Our Approach: TCPwn
Goal: Automatically test TCP implementations for attacks on Congestion Control
• Test real, unmodified implementations
• Scalability was the major challenge: attacks are complex and multi-stage, system is highly dynamic
• Model TCP congestion control as a state machine
• Use model-based testing to identify all possible attacks in a scalable manner
• Create testable attacks using packet manipulation and injection
• Finds attacks causing:
  • Decreased Throughput
  • Increased Throughput
  • A connection stall
[Figure: congestion control state machine with states SS, EB, CA, FR]
Optimistic Ack Attack
Increase sending rate by acknowledging data that has not been received yet
• Acknowledging new data causes green transitions to be taken
  • Increases cwnd and thus throughput with each loop
• Avoids red transitions which reduce cwnd and thus throughput
[Figure: NewReno Congestion Control State Machine with states Slow Start, Congestion Avoidance, Fast Recovery and Exponential Backoff; transition labels: "Ack -- cwnd += 1", "New Ack -- cwnd += 1", "New Ack -- cwnd += MSS", "3 Duplicate Acks -- cwnd = cwnd/2" (twice), "Timeout" (three times, into Exponential Backoff), "Ack -- cwnd = 0", "cwnd > ssthresh"]
Key Takeaways:
• Attacks attempt to cause desirable transitions
• Attacks must repeatedly execute transition to have noticeable impact
Model-based Attack Generation
1. Consider state machine model of congestion control
2. Identify cycles containing desirable transitions
  • Abstract strategy generation
3. Force TCP to follow each cycle
  • Concrete strategy generation
[Figure: State Machine (states 1, 2, 3) -> Abstract Strategies (cycles such as 1,2,1… and 1,2,3,1…) -> Concrete Strategies (e.g. Delay Msg 1, Drop Msg 2; Drop Msg 3, Dup Msg 4)]
Generate all cycles with the following pattern:
• cwnd increases/decreases along cycle
• A set of actions exist that force TCP to follow this cycle
Abstract Strategy Generation
• Enumerate all paths
  • No standard graph algorithm
  • We adapt depth first search to this problem
• Check that path contains cycle
• Check that cycle contains desirable transitions
  • Any change to cwnd
• Add path and transition conditions to abstract strategies
[Figure: five-state graph (states 1 to 5) with a highlighted Cycle and a Desirable Transition]
Abstract strategies are merely desirable cycles; they may not be realizable in practice!
From Abstract to Concrete Strategies
• Limited to packet manipulation and injection to cause abstract strategies
• Consider each abstract strategy separately
• Map each transition to a set of basic malicious actions
  • Actions chosen to cause transition
  • Based on attacker capabilities
[Figure: Abstract Strategy 1 -> 2 -> 3; candidate actions for State 1: Inject Dup Ack, Inject PreAck, Inject Offset Ack; candidate actions for State 2: Duplicate Ack, Limit Ack, PreAck; resulting concrete strategies: "State 1: Inject Dup Ack, State 2: Duplicate Ack", "State 1: Inject PreAck, State 2: Limit Ack", "State 1: Inject Offset Ack, State 2: PreAck", "State 1: Inject Dup Ack, State 2: Duplicate Ack" …]
We want to test implementations
Attacker Types:
Off-path:
On-path:
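The three generation steps described on the preceding slides (enumerating cycles of the state machine with an adapted depth-first search, keeping only cycles that move cwnd, then mapping each transition on a cycle to candidate actions) as an added Python example; it is not from the slides or from the TCPwn code base. The NewReno transition table, the edge-to-label mapping and the input-to-action mapping are assumptions reconstructed from the slide figures, and the function names are made up here.

```python
from itertools import product

# NewReno model reconstructed from the slide figure: (source, destination,
# triggering input, cwnd effect: +1 grows, -1 shrinks, 0 unchanged).
# Which label sits on which edge is an assumption, not the paper's own data.
TRANSITIONS = [
    ("SS", "SS", "Ack", +1),               # slow start: cwnd += 1 per ack
    ("SS", "CA", "cwnd > ssthresh", 0),
    ("SS", "FR", "3 Duplicate Acks", -1),  # cwnd = cwnd/2
    ("SS", "EB", "Timeout", -1),
    ("CA", "CA", "New Ack", +1),
    ("CA", "FR", "3 Duplicate Acks", -1),
    ("CA", "EB", "Timeout", -1),
    ("FR", "CA", "New Ack", 0),
    ("FR", "EB", "Timeout", -1),
    ("EB", "SS", "New Ack", 0),
]
ORDER = ["SS", "CA", "FR", "EB"]

# Actions (names from the slides) assumed able to provoke each input.
ACTIONS = {
    "Ack": ["Inject PreAck", "Inject Offset Ack"],
    "New Ack": ["Inject PreAck", "Inject Offset Ack"],
    "3 Duplicate Acks": ["Inject Dup Ack"],
    "Timeout": ["Limit Ack"],
    "cwnd > ssthresh": [],                 # internal condition, no action
}

def abstract_strategies(direction):
    """Adapted depth-first search: enumerate each simple cycle once (rooted at
    its lowest state in ORDER) and keep those moving cwnd in `direction`."""
    found = []
    def dfs(start, node, path):
        for edge in (e for e in TRANSITIONS if e[0] == node):
            dst = edge[1]
            if dst == start:                   # path closes into a cycle
                cycle = path + [edge]
                if any(e[3] == direction for e in cycle):
                    found.append(cycle)
            elif ORDER.index(dst) > ORDER.index(start) and dst not in [e[1] for e in path]:
                dfs(start, dst, path + [edge])
    for state in ORDER:
        dfs(state, state, [])
    return found

def concrete_strategies(cycle):
    """Every combination of one action per transition on the cycle."""
    choices = [ACTIONS[label] or ["(no action)"] for _, _, label, _ in cycle]
    return [list(zip([f"{s}->{d}" for s, d, _, _ in cycle], combo))
            for combo in product(*choices)]
```

With this model, abstract_strategies(+1) yields exactly the two ack self-loops (Slow Start and Congestion Avoidance) that the Optimistic Ack slide highlights, while abstract_strategies(-1) yields the six cycles passing through Fast Recovery or Exponential Backoff.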
TCPwn Design
• Test strategies created using model-based testing and our abstract and concrete strategy generators
• Testing done with virtual machines running real implementations in a dumbbell testbed network
• Attack Injector applies malicious actions
• Performance of target TCP connection identifies attacks
Evaluation
We tested five TCP implementations:

Implementation              Date  Congestion Control
Ubuntu 16.10 (Linux 4.8)    2016  CUBIC + SACK + FRTO + ER + PRR + TLP
Ubuntu 14.04 (Linux 3.13)   2014  CUBIC + SACK + FRTO + ER + PRR + TLP
Ubuntu 11.10 (Linux 3.0)    2011  CUBIC + SACK + FRTO
Debian 2 (Linux 2.0)        1998  NewReno
Windows 8.1                 2014  Compound TCP + SACK

Found 11 classes of attacks, 8 of them unknown
Results Summary

Attack Class                  Attacker  Impact                OS                                                     New?
Optimistic Ack                On-path   Increased Throughput  ALL                                                    No
On-path Repeated Slow Start   On-path   Increased Throughput  Ubuntu 11.10, Ubuntu 16.10                             Yes
Amplified Bursts              On-path   Increased Throughput  Ubuntu 11.10                                           Yes
Desync Attack                 Off-path  Connection Stall      ALL                                                    No
Ack Storm Attack              Off-path  Connection Stall      Debian 2, Windows 8.1                                  No
Ack Lost Data                 Off-path  Connection Stall      ALL                                                    Yes
Slow Injected Acks            Off-path  Decreased Throughput  Ubuntu 11.10                                           Yes
Sawtooth Ack                  Off-path  Decreased Throughput  Ubuntu 11.10, Ubuntu 14.04, Ubuntu 16.10, Windows 8.1  Yes
Dup Ack Injection             Off-path  Decreased Throughput  Debian 2, Windows 8.1                                  Yes
Ack Amplification             Off-path  Increased Throughput  Ubuntu 11.10, Ubuntu 14.04, Ubuntu 16.10, Windows 8.1  Yes
Off-path Repeated Slow Start  Off-path  Increased Throughput  Ubuntu 11.10                                           Yes
Summary
• We developed a new, model-guided technique to search for possible attacks on TCP congestion control. This technique uses the congestion control state machine to generate abstract strategies which are then converted into concrete strategies made up of message-based actions
• We implemented this technique in TCPwn, which is able to find attacks on real, unmodified implementations of TCP congestion control
• We tested 5 TCP implementations and found 11 classes of attacks, 8 of which were previously unknown
Check out the code! https://github.com/samueljero/TCPwn
Off-path Repeated Slow Start Attack
• Linux includes adjustable dupack threshold
  • Based on observed duplicate and reordered packets
• Attacker injects many duplicate acks
  • Increasing dupack threshold
  • Timeout occurs before dupack loss detection
  • Enter Exponential Backoff and then Slow Start
    • Instead of Fast Recovery
  • Short 200ms timeout causes throughput to be >= normal
  • Competing connections also suffer badly due to repeated losses
[Figure: Sending Rate vs. Time showing repeated RTO events following the injected Dup Acks]
Off-path attacker can increase throughput for Linux senders
Inferring Congestion Control State
To apply concrete strategies to an implementation, we need to know the sender's congestion control state
• Approximate congestion control state and assume normal application behavior
• Take a small time slice and observe the bytes sent and acknowledged by the implementation
[Figure: Sequence Number vs. Time for Data and Ack packets, annotated with Slow Start, Congestion Avoidance and Fast Recovery phases]
• Bytes Sent * 2 ≈ Bytes Acked -- State: Slow Start
• Bytes Sent ≈ Bytes Acked -- State: Congestion Avoidance
• Retransmitted packets or ACK pkts > Data pkts -- State: Fast Recovery
• ACK pkts == 0 and Data pkts > 0 -- State: Exponential Backoff
More on Congestion Control
• Model as a state machine
  • Input: Acks and Timers
  • Output: Congestion Window (cwnd) = sending rate
• Four states:
  • Slow Start — Quickly find available bandwidth
  • Congestion Avoidance — Steady state sending with occasional probe for more bandwidth
  • Fast Recovery — React to loss by slowing down
  • Exponential Backoff — Timeout, slow down
[Figure: NewReno Congestion Control State Machine (same figure as on the Optimistic Ack Attack slide): states Slow Start, Congestion Avoidance, Fast Recovery, Exponential Backoff; transition labels "Ack -- cwnd += 1", "New Ack -- cwnd += 1", "New Ack -- cwnd += MSS", "3 Duplicate Acks -- cwnd = cwnd/2", "Timeout", "Ack -- cwnd = 0", "cwnd > ssthresh"]
Limitations
• Use of NewReno as model
  • Model limited by ability to infer sender's state from network traffic
  • More precise inference or instrumentation would enable more precise modeling
  • We trade off precision for ease of application to a wide range of implementations
• What about CUBIC, SACK, etc?
  • Most algorithms/optimizations are similar to NewReno
    • This includes: SACK, CUBIC, TLP, PRR
  • We actually tested implementations of these and found attacks
• What about algorithms not similar to NewReno?
  • For example: BBR, TFRC, Vegas
  • Model-based testing still readily generates abstract strategies
  • Need a method to infer sender's congestion control state
[Figure: congestion control state machine with states SS, EB, CA, FR]