Zhiyun Qian
ABSTRACT
In this study, we discover a new class of unknown side channels --- "sequence-number-dependent" host packet counters --- that exist in Linux/Android and BSD/Mac OS to enable TCP sequence number inference attacks. It allows a piece of unprivileged on-device malware to collaborate with an off-path attacker to infer the TCP sequence numbers used between a client and a server, leading to TCP injection and hijacking attacks. We show that the inference takes, in common cases, under a second to complete and is quick enough for attackers to inject malicious Javascripts into live Facebook sessions and to perform malicious actions on behalf of a victim user. Since supporting unprivileged access to global packet counters is an intentional design choice, we believe our findings provide important lessons and offer insights on future system and network design.
- Blind TCP/IP Hijacking is Still Alive. http://www.phrack.org/issues.php?issue=64&id=15.Google Scholar
- CERT Advisory CA-1995-01 IP Spoofing Attacks and Hijacked Terminal Connections. http://www.cert.org/advisories/CA-1995-01.html.Google Scholar
- Golomb Ruler. http://en.wikipedia.org/wiki/Golomb_ruler.Google Scholar
- Linux Blind TCP Spoofing Vulnerability. http://www.securityfocus.com/bid/580/info.Google Scholar
- Linux: TCP Random Initial Sequence Numbers. http://kerneltrap.org/node/4654.Google Scholar
- MSN Messenger Protocol. http://www.hypothetic.org/docs/msn/.Google Scholar
- RFC 1948 - Defending Against Sequence Number Attacks. http://tools.ietf.org/html/rfc1948.Google Scholar
- RFC 5961 - Improving TCP's Robustness to Blind In-Window Attacks. http://tools.ietf.org/html/rfc5961.Google Scholar
- RFC 793 - Transmission Control Protocol. http://tools.ietf.org/html/rfc793.Google Scholar
- Stateful Firewall and Masquerading on Linux. http://www.puschitz.com/FirewallAndRouters.shtml.Google Scholar
- sysctl Mac OS X Manual. https://developer.apple.com/library/mac/#documentation/Darwin/Reference/Manpages/man3/sysctl.3.html#//apple_ref/doc/man/3/sysctl.Google Scholar
- TCP Delayed Ack in Linux. http://wiki.hsc.com/wiki/Main/InsideLinuxTCPDelayedAck.Google Scholar
- S. Chen, R. Wang, X. Wang, and K. Zhang. Side-channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow. In Proc. of IEEE Security and Privacy, 2010. Google ScholarDigital Library
- M. Dietz, S. Shekhar, Y. Pisetsky, A. Shu, and D. S. Wallach. Quire: Lightweight Provenance for Smart Phone Operating Systems. In Proc. of USENIX Security Symposium, 2011. Google ScholarDigital Library
- M. Egele, C. Kruegel, E. Kirda, and G. Vigna. PiOS: Detecting Privacy Leaks in iOS Applications. In NDSS, 2011.Google Scholar
- W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An Information-flow Tracking System for Realtime Privacy Monitoring on Smartphones. In OSDI, 2010. Google ScholarDigital Library
- W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri. A Study of Android Application Security. In Proc. of USENIX Security Symposium, 2011. Google ScholarDigital Library
- R. Ensafi, J. C. Park, D. Kapur, and J. R. Crandall. Idle Port Scanning and Non-interference Analysis of Network Protocol Stacks using Model Checking. In Proc. of USENIX Security Symposium, 2010. Google ScholarDigital Library
- A. P. Felt, H. J. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission Re-delegation: Attacks and Defenses. In Proc. of USENIX Security Symposium, 2011. Google ScholarDigital Library
- Y. Gilad and A. Herzberg. Off-Path Attacking the Web. In Proc. of USENIX Workshop on Offensive Technologies (WOOT), 2012. Google ScholarDigital Library
- S. Guha and P. Francis. Characterization and Measurement of TCP Traversal through NATs and Firewalls. In Proc. ACM SIGCOMM IMC, 2005. Google ScholarDigital Library
- S. Jana and V. Shmatikov. Memento: Learning secrets from process footprints. In Proc. of IEEE Security and Privacy, 2012. Google ScholarDigital Library
- L. Joncheray. A Simple Active Attack against TCP. In Proc. of USENIX Security Symposium, 1995. Google ScholarDigital Library
- G. LEECH, P. RAYSON, and A. WILSON. Procfs Analysis. http://www.nsa.gov/research/_files/selinux/papers/slinux/node57.shtml.Google Scholar
- R. Morris. A Weakness in the 4.2BSD Unix TCP/IP Software. Technical report, 1985.Google Scholar
- Z. Qian and Z. M. Mao. Off-Path TCP Sequence Number Inference Attack -- How Firewall Middleboxes Reduce Security. In Proc. of IEEE Security and Privacy, 2012. Google ScholarDigital Library
- Z. Qian, Z. M. Mao, Y. Xie, and F. Yu. Investigation of Triangular Spamming: A Stealthy and Efficient Spamming Technique. In Proc. of IEEE Security and Privacy, 2010. Google ScholarDigital Library
- R. Schlegel, K. Zhang, X. yong Zhou, M. Intwala, A. Kapadia, and X. Wang. Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones. In NDSS, 2011.Google Scholar
- D. X. Song, D. Wagner, and X. Tian. Timing Analysis of Keystrokes and Timing Attacks on SSH. In Proc. of USENIX Security Symposium, 2001. Google ScholarDigital Library
- M. Vuagnoux and S. Pasini. Compromising electromagnetic emanations of wired and wireless keyboards. In Proc. of USENIX Security Symposium, 2009. Google ScholarDigital Library
- Z. Wang, Z. Qian, Q. Xu, Z. M. Mao, and M. Zhang. An Untold Stody of Middleboxes in Cellular Networks. In SIGCOMM, 2011. Google ScholarDigital Library
- P. A. Watson. Slipping in the Window: TCP Reset Attacks. In CanSecWest, 2004.Google Scholar
- K. Zhang and X. Wang. Peeping Tom in the Neighborhood: Keystroke Eavesdropping on Multi-User Systems. In Proc. of USENIX Security Symposium, 2009. Google ScholarDigital Library
Index Terms
- Collaborative TCP sequence number inference attack: how to crack sequence number under a second
Recommendations
Off-path TCP Sequence Number Inference Attack - How Firewall Middleboxes Reduce Security
SP '12: Proceedings of the 2012 IEEE Symposium on Security and PrivacyIn this paper, we report a newly discovered "off-path TCP sequence number inference" attack enabled by firewall middle boxes. It allows an off-path (i.e., not man-in-the-middle) attacker to hijack a TCP connection and inject malicious content, ...
Application-based TCP hijacking
EUROSEC '09: Proceedings of the Second European Workshop on System SecurityWe present application-based TCP hijacking (ABTH), a new attack on TCP applications that exploits flaws due to the interplay between TCP and application protocols to inject data into an application session without either server or client applications ...
Analysis of low-rate TCP DoS attack against FAST TCP
ISDA '06: Proceedings of the Sixth International Conference on Intelligent Systems Design and Applications - Volume 03Low rate TCP DoS attack is a novel kind of attacks discovered by Kuzmanovic. According to several experiments, it is very effective in degrading the normal TCP sender's throughput. FAST TCP is a delay-based transport layer protocol; it is used to ...
Comments