Formal Black-Box Analysis of Routing Protocol Implementations

The Internet infrastructure relies entirely on open standards for its routing protocols. However, the majority of routers on the Internet are closed-source. Hence, there is no straightforward way to analyze them. Specifically, one cannot easily identify deviations of a router's routing functionality from the routing protocol's standard. Such deviations (either deliberate or inadvertent) are particularly important to identify since they may degrade the security or resiliency of the network. Model-based testing is a technique that systematically generates tests from a model of the system under test, thereby finding deviations of the system from the model. However, applying such an approach to a complex multi-party routing protocol requires a prohibitively high number of tests to cover the desired functionality. We propose efficient and practical optimizations to the model-based testing procedure that are tailored to the analysis of routing protocols. These optimizations allow us to devise a formal black-box method to unearth deviations in closed-source routing protocol implementations. The method relies only on the ability to test the targeted protocol implementation and observe its output. Identification of the deviations is fully automatic. We evaluate our method against one of the complex and widely used routing protocols on the Internet: OSPF. We search for deviations in the OSPF implementation of Cisco. Our evaluation identified numerous significant deviations that can be abused to compromise the security of a network. The deviations were confirmed by Cisco. We further employed our method to analyze the OSPF implementation of the Quagga Routing Suite. The analysis revealed one significant deviation. Subsequent to the disclosure of the deviations, some of them were also identified by IBM, Lenovo and Huawei in their own products.
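The following added example is not the paper's tooling or method. It sketches the basic model-based testing loop the abstract describes on one small piece of OSPF, the rule in RFC 2328 section 13.1 for deciding which of two LSA instances is newer. `blackbox_newer` is a constructed stand-in for an implementation under test, with a hypothetical deviation (it skips the checksum tie-break) that does not describe any vendor's behaviour; the paper's optimizations are not reproduced.

```python
from itertools import product

MAX_AGE = 3600       # RFC 2328 MaxAge (seconds)
MAX_AGE_DIFF = 900   # RFC 2328 MaxAgeDiff (seconds)

def age_rule(age_a, age_b):
    """Age tie-break of RFC 2328 section 13.1."""
    if (age_a == MAX_AGE) != (age_b == MAX_AGE):
        return 1 if age_a == MAX_AGE else -1      # the MaxAge instance is newer
    if abs(age_a - age_b) > MAX_AGE_DIFF:
        return 1 if age_a < age_b else -1         # the smaller age is newer
    return 0                                      # considered the same instance

def model_newer(a, b):
    """Reference model. An LSA instance is (seq, checksum, age).
    Returns 1 if a is newer, -1 if b is newer, 0 if they are identical."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1           # signed 32-bit sequence number
    if a[1] != b[1]:
        return 1 if a[1] > b[1] else -1           # larger checksum is newer
    return age_rule(a[2], b[2])

def blackbox_newer(a, b):
    """Constructed stand-in for the implementation under test (hypothetical).
    Deviation planted for the example: the checksum comparison is skipped."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return age_rule(a[2], b[2])

def generate_tests():
    """Derive tests from the model: boundary values of every field it inspects."""
    seqs = (-0x7FFFFFFF, 0, 0x7FFFFFFF)
    checksums = (0x1000, 0x2000)                  # constructed sample values
    ages = (0, MAX_AGE_DIFF, MAX_AGE_DIFF + 1, MAX_AGE)
    lsas = list(product(seqs, checksums, ages))
    return list(product(lsas, lsas))

def find_deviations(implementation):
    """Run every test and record where the observed output differs from the model."""
    deviations = []
    for a, b in generate_tests():
        expected, observed = model_newer(a, b), implementation(a, b)
        if expected != observed:
            deviations.append((a, b, expected, observed))
    return deviations

if __name__ == "__main__":
    found = find_deviations(blackbox_newer)
    print(len(found), "deviations out of", len(generate_tests()), "tests")
    for a, b, expected, observed in found[:3]:
        print(f"a={a} b={b} model={expected} implementation={observed}")
```

Even this single rule with a handful of boundary values per field yields 576 test pairs, which illustrates why exhaustive generation over a full multi-party protocol becomes impractical.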
