DOI: 10.1145/3507509.3507510 (research article)

The Side-Channel Vulnerability in Network Protocol

Published: 07 March 2022

Abstract

Some recent studies have found side-channel vulnerabilities in the operating system. Attackers can exploit such vulnerabilities for malicious purposes, such as hijacking connections and denial-of-service attacks. Currently, most such vulnerabilities are found manually. In this paper, we find that the reason network protocol side-channel vulnerabilities exist is the use of shared resources. Since the state of a shared resource affects all connections, when one connection uses a shared resource, information about that connection can be inferred by observing the usage of the shared resource. In order to find the shared resources, we implemented a static-analysis tool called TASR. The first step is to identify the available shared resources according to the definition of a shared resource in static analysis; the data packet is then used as the taint source to search for the tainted shared resources. The second step is to analyze the taint-transmission path of each tainted shared variable, which reveals the side-channel vulnerability. Applying this method to the TCP, UDP and ICMP protocols, we find the following four shared variables: challenge_count, tcp_memory_allocated, tcp_memory_pressure and sysctl_icmp_msg_per_sec. tcp_memory_allocated and tcp_memory_pressure are difficult to exploit, because they go through multiple strict checks. challenge_count can be used to hijack a connection and inject malicious packets, and sysctl_icmp_msg_per_sec can assist a DNS cache poisoning attack.
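The abstract's second idea, following the packet as taint source through to writes of shared state, reduced to a small worked example in Python. This is an added illustration, not TASR and not kernel code: the toy IR, the program it analyses (loosely shaped after a global challenge-ACK style counter) and every variable name in it are constructed here. Unlike the paper's interprocedural analysis it walks a flat statement list, but it does propagate taint through control dependence, which is what makes a counter like challenge_count reachable even though only the branch condition, not the counter's value, is computed from the packet.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Set, Tuple, Union

# Toy IR, constructed for this example (not TASR's representation):
#   Assign(dst, srcs)  models "dst = f(srcs...)", an explicit data flow
#   If(cond, body)     models a branch whose body is control-dependent on cond
@dataclass(frozen=True)
class Assign:
    dst: str
    srcs: Tuple[str, ...]

@dataclass(frozen=True)
class If:
    cond: Tuple[str, ...]
    body: Tuple["Stmt", ...]

Stmt = Union[Assign, If]


def find_tainted_shared(program: Sequence[Stmt], shared: Set[str],
                        sources: Iterable[str]) -> Dict[str, List[str]]:
    """May-taint analysis: which shared variables can a packet influence?

    Returns {shared_var: path}, where path lists the statements that carry
    taint from a packet field to the first write of that shared variable.
    Taint flows along assignments (explicit flow) and into the bodies of
    branches whose condition is tainted (implicit flow): a rate-limit counter
    is usually updated only on a branch decided by packet contents, so an
    analysis that ignores control dependence would miss it.  Once tainted,
    a variable stays tainted (flow-insensitive over-approximation).
    """
    taint: Dict[str, List[str]] = {s: [f"source {s}"] for s in sources}
    findings: Dict[str, List[str]] = {}

    def walk(stmts: Sequence[Stmt], guard: List[str]) -> None:
        for st in stmts:
            if isinstance(st, Assign):
                tainted_srcs = [s for s in st.srcs if s in taint]
                if not tainted_srcs and not guard:
                    continue  # neither data nor control dependence on the packet
                origin = taint[tainted_srcs[0]] if tainted_srcs else guard
                path = origin + [f"{st.dst} = f({', '.join(st.srcs)})"]
                taint[st.dst] = path
                if st.dst in shared and st.dst not in findings:
                    findings[st.dst] = path
            else:
                tainted_cond = [c for c in st.cond if c in taint]
                if tainted_cond:
                    inner = taint[tainted_cond[0]] + [f"branch on ({', '.join(st.cond)})"]
                else:
                    inner = guard  # an untainted inner test inherits the outer guard
                walk(st.body, inner)

    walk(program, [])
    return findings


SHARED = {"challenge_count", "rx_drop_total"}  # globals visible to every connection
PACKET_FIELDS = ["pkt_seq", "pkt_len"]         # taint sources: fields of the received packet

# Constructed model of a receive path with a global challenge-ACK style counter.
PROGRAM: Tuple[Stmt, ...] = (
    Assign("seq", ("pkt_seq",)),                              # parse the packet
    Assign("in_window", ("seq", "sock_rcv_nxt")),             # compare with per-socket state
    If(("in_window",), (
        Assign("sock_rcv_nxt", ("sock_rcv_nxt", "pkt_len")),  # per-socket: tainted but not shared
    )),
    Assign("out_of_window", ("in_window",)),
    If(("out_of_window",), (
        If(("challenge_count", "limit"), (                    # global rate-limit check
            Assign("challenge_count", ("challenge_count",)),  # counter shared by all connections
        )),
    )),
    Assign("uptime", ("clock",)),                             # unrelated to the packet: stays clean
)


def shared_taint_report() -> Dict[str, List[str]]:
    """Run the analysis on the constructed program."""
    return find_tainted_shared(PROGRAM, SHARED, PACKET_FIELDS)


if __name__ == "__main__":
    for var, path in shared_taint_report().items():
        print(f"shared variable {var} is reachable from packet data:")
        for step in path:
            print("   ", step)
```

The report names challenge_count only: sock_rcv_nxt is also tainted, but it is per-socket state and therefore not a shared resource in the paper's sense, and uptime is never tainted. The reported path is the taint-transmission path the abstract refers to; for a defender it is the list of statements to review when deciding whether a shared counter should be made per-connection or otherwise decoupled from packet-controlled branches.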


Cited By

  • Detecting Parallel Covert Data Transmission Channels in Video Conferencing Using Machine Learning. Electronics 12(5):1091, 22 February 2023. DOI: 10.3390/electronics12051091


Published In

ICCNS '21: Proceedings of the 2021 11th International Conference on Communication and Network Security
December 2021
106 pages
ISBN:9781450386425
DOI:10.1145/3507509

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Network Protocol
  2. Shared Resource
  3. Side-Channel Vulnerability
  4. Taint Analysis

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ICCNS 2021
