DOI: 10.1145/3589608.3593817
keynote

Access Control Vulnerabilities in Network Protocol Implementations: How Attackers Exploit Them and What To Do About It

Published: 24 May 2023

Abstract

Authentication and access control mechanisms should verify the identity of users of a system and ensure that these users only act within their intended permissions. These mechanisms, alongside audit or intrusion detection, have been called the "foundation for information and system security" [8]. There has been a large amount of research proposing authentication and authorization mechanisms for network protocols and devices used in Operational Technology (OT) and the Internet of Things (IoT) [7]. Although these devices run our critical infrastructure, most of them still rely on simple password-based mechanisms to prevent unauthorized operations [1]. More worryingly, even these simple mechanisms often have flawed implementations, allowing malicious actors to bypass them [6].
In this talk, I will discuss several findings from our research into vulnerabilities in network protocol implementations of IoT, OT and IT systems, giving special attention to those stemming from flawed authentication and access control implementations. Examples include buffer overflows when processing user credentials, use of weak cryptography, credentials transmitted in plaintext, hardcoded credentials, authentication bypasses via MAC or IP spoofing, client-side authentication, missing critical steps in authentication, insufficient session expiration and message parsing before establishing a peer's identity. These issues were identified in implementations as diverse as embedded TCP/IP stacks [2,3], routing suites and engineering protocols for OT devices from major vendors [9]. This type of vulnerability enables attackers to take devices offline, manipulate their operational parameters, and in many cases execute arbitrary code.
I will also present statistics from a set of OT- and IoT-specific honeypots about attacks exploiting authentication bypasses, brute forcing passwords and leaking credentials. These statistics show that the most common initial access technique for these systems consists of the exploitation of remote management protocols by guessing or leaking either generic or application-specific credentials [4].
Finally, I will discuss the importance of collaborative threat intelligence and modern network access control as methods to prevent, detect and respond to such attacks [5].

References

[1] Adeen Ayub, Hyunguk Yoo, and Irfan Ahmed. 2021. Empirical Study of PLC Authentication Protocols in Industrial Control Systems. In 2021 IEEE Security and Privacy Workshops (SPW). 383–397. https://doi.org/10.1109/SPW53761.2021.00058
[2] A. Borcherding, P. Takacs, and J. Beyerer. 2022. Cluster Crash: Learning from Recent Vulnerabilities in Communication Stacks. In Proceedings of the 8th International Conference on Information Systems Security and Privacy. SciTePress, 334–344. https://doi.org/10.5220/0010806300003120
[3] Daniel Ricardo dos Santos, Stanislav Dashevskyi, Amien Amri, Uriel Malin, Tal Zohar, and Yuval Halaban. 2021. NUCLEUS: 13 - Dissecting the Nucleus TCP/IP stack. https://www.forescout.com/resources/nucleus13-research-report-dissecting-the-nucleus-tcpip-stack/
[4] Forescout. 2023. 2022 Threat Roundup: The Emergence of Mixed IT/IoT Threats. https://www.forescout.com/resources/2022-threat-roundup-report-the-emergence-of-mixed-itiot-threats/
[5] Cristoffer Leite, Jerry den Hartog, Daniel Ricardo dos Santos, and Elisa Costante. 2023. Actionable Cyber Threat Intelligence for Automated Incident Response. In Secure IT Systems: 27th Nordic Conference, NordSec 2022, Reykjavic, Iceland, November 30-December 2, 2022, Proceedings. Springer, 368–385.
[6] Georgios Michail Makrakis, Constantinos Kolias, Georgios Kambourakis, Craig Rieger, and Jacob Benjamin. 2021. Industrial and Critical Infrastructure Security: Technical Analysis of Real-Life Security Incidents. IEEE Access, Vol. 9 (2021), 165295–165325. https://doi.org/10.1109/ACCESS.2021.3133348
[7] Sowmya Ravidas, Alexios Lekidis, Federica Paci, and Nicola Zannone. 2019. Access control in Internet-of-Things: A survey. Journal of Network and Computer Applications, Vol. 144 (2019), 79–101. https://doi.org/10.1016/j.jnca.2019.06.017
[8] Ravi S Sandhu, Pierangela Samarati, et al. 1997. Authentication, Access Controls, and Intrusion Detection. The Computer Science and Engineering Handbook, Vol. 1 (1997), 929--1.
[9] Jos Wetzels, Daniel Ricardo dos Santos, and Mohammad Ghafari. 2023. Insecure by Design in the Backbone of Critical Infrastructure. CoRR, Vol. abs/2303.12340 (2023). https://arxiv.org/abs/2303.12340

          Published In

          SACMAT '23: Proceedings of the 28th ACM Symposium on Access Control Models and Technologies
          May 2023
          218 pages
          ISBN:9798400701733
          DOI:10.1145/3589608
          Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

          Publisher

          Association for Computing Machinery

          New York, NY, United States

          Author Tags

          1. internet of things
          2. network protocol
          3. operational technology
          4. vulnerability

          Qualifiers

          • Keynote

          Conference

          SACMAT '23
          Acceptance Rates

          Overall Acceptance Rate 177 of 597 submissions, 30%
