Cross Layer Attacks and How to Use Them (for DNS Cache Poisoning, Device Tracking and More)

We analyze the prandom pseudo random number generator (PRNG) in use in the Linux kernel (which is the kernel of the Linux operating system, as well as of Android) and demonstrate that this PRNG is weak. The prandom PRNG is in use by many "consumers" in the Linux kernel. We focused on three consumers at the network level -- the UDP source port generation algorithm, the IPv6 flow label generation algorithm and the IPv4 ID generation algorithm. The flawed prandom PRNG is shared by all these consumers, which enables us to mount "cross layer attacks" against the Linux kernel. In these attacks, we infer the internal state of the prandom PRNG from one OSI layer, and use it to either predict the values of the PRNG employed by the other OSI layer, or to correlate it to an internal state of the PRNG inferred from the other protocol. Using this approach we can mount a very efficient DNS cache poisoning attack against Linux. We collect TCP/IPv6 flow label values, or UDP source ports, or TCP/IPv4 IP ID values, reconstruct the internal PRNG state, then predict an outbound DNS query UDP source port, which speeds up the attack by a factor of x3000 to x6000. This attack works remotely, but can also be mounted locally, across Linux users and across containers, and (depending on the stub resolver) can poison the cache with an arbitrary DNS record. Additionally, we can identify and track Linux and Android devices -- we collect TCP/IPv6 flow label values and/or UDP source port values and/or TCP/IPv4 ID fields, reconstruct the PRNG internal state and correlate this new state to previously extracted PRNG states to identify the same device.
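To make the "shared weak PRNG" point concrete, here is an added example (not code from the paper or the kernel) that re-implements prandom's LFSR113 update with the constants from lib/random32.c, models the three consumers named above in simplified form, and checks the two properties the attack rests on: the update is linear over GF(2), and one recovered state predicts the next consumer's value. The consumer formulas, the single (rather than per-CPU) state, the seed, and modelling "state recovery" as a plain copy are all assumptions of this example.

```c
#include <stdint.h>

/* One prandom state as laid out in lib/random32.c: four 32-bit LFSR words
 * (L'Ecuyer's LFSR113). The kernel keeps one such state per CPU; a single
 * state is modelled here (simplification). */
struct rnd_state { uint32_t s1, s2, s3, s4; };

#define TAUSWORTHE(s, a, b, c, d) \
    ((((s) & (c)) << (d)) ^ ((((s) << (a)) ^ (s)) >> (b)))

/* Same update rule and constants as the kernel's prandom_u32_state(). */
static uint32_t prandom_u32_state(struct rnd_state *st)
{
    st->s1 = TAUSWORTHE(st->s1,  6U, 13U, 4294967294U, 18U);
    st->s2 = TAUSWORTHE(st->s2,  2U, 27U, 4294967288U,  2U);
    st->s3 = TAUSWORTHE(st->s3, 13U, 21U, 4294967280U,  7U);
    st->s4 = TAUSWORTHE(st->s4,  3U, 12U, 4294967168U, 13U);
    return st->s1 ^ st->s2 ^ st->s3 ^ st->s4;
}

/* The three consumers from the abstract, reduced to the bits they expose on the
 * wire (assumed/simplified: the real kernel code adds range and collision checks). */
static uint32_t ipv6_flow_label(struct rnd_state *st) { return prandom_u32_state(st) & 0xFFFFFu; }
static uint16_t ipv4_id(struct rnd_state *st)         { return (uint16_t)prandom_u32_state(st); }
static uint16_t udp_src_port(struct rnd_state *st)    { return (uint16_t)(32768u + prandom_u32_state(st) % 28232u); }

/* Constructed seed; the kernel requires s1>1, s2>7, s3>15, s4>127. */
static const struct rnd_state SEED = { 0x12345678u, 0x9abcdef0u, 0x0fedcba9u, 0x87654321u };

/* Why state recovery is feasible: AND with a constant mask, shifts and XOR are all
 * linear over GF(2), so the output of the XOR of two states equals the XOR of their
 * outputs. Every observed field is thus a set of linear equations in the 128 state
 * bits, a property a CSPRNG such as get_random_u32() lacks. Returns 1 if linear. */
static int prandom_is_gf2_linear(void)
{
    struct rnd_state a = SEED, b = { 0xdeadbeefu, 0xcafebabeu, 0x0badf00du, 0xfeedfaceu };
    struct rnd_state c = { a.s1 ^ b.s1, a.s2 ^ b.s2, a.s3 ^ b.s3, a.s4 ^ b.s4 };
    uint32_t oa = prandom_u32_state(&a), ob = prandom_u32_state(&b), oc = prandom_u32_state(&c);
    return oc == (oa ^ ob) && c.s1 == (a.s1 ^ b.s1) && c.s2 == (a.s2 ^ b.s2)
        && c.s3 == (a.s3 ^ b.s3) && c.s4 == (a.s4 ^ b.s4);
}

/* Cross-layer consequence: all three consumers advance the same state, so a state
 * recovered from flow labels and IP IDs (assumed here by simply copying it) predicts
 * the UDP source port of the next outbound DNS query. Returns 1 when it matches. */
static int recovered_state_predicts_dns_port(void)
{
    struct rnd_state kernel = SEED, recovered = SEED;
    (void)ipv6_flow_label(&kernel); (void)ipv4_id(&kernel);   /* values seen on the wire */
    uint16_t actual = udp_src_port(&kernel);                  /* the value to be guessed */
    (void)ipv6_flow_label(&recovered); (void)ipv4_id(&recovered);
    return udp_src_port(&recovered) == actual;
}
```

The defensive takeaway the example shows is that fields which must be unguessable (query source ports, IDs used as anti-spoofing tokens) should never be drawn from a non-cryptographic generator, and certainly not from one shared across protocol layers.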
