Finding Protocol Manipulation Attacks
ACM SIGCOMM Conference (SIGCOMM 2011), Toronto, Canada, August 15-19, 2011.
Nupur Kothari, Ratul Mahajan, Todd Millstein, Ramesh Govindan, Madanlal Musuvathi
We develop a method to help discover manipulation attacks in
protocol implementations. In these attacks, adversaries induce honest
nodes to exhibit undesirable behaviors by misrepresenting their
intent or network conditions. Our method is based on a novel
combination of static analysis with symbolic execution and dynamic
analysis with concrete execution. The former finds code paths that are
likely vulnerable, and the latter emulates adversarial actions that
lead to effective attacks. Our method is precise (i.e., no false
positives) and we show that it scales to complex protocol
implementations. We apply it to four diverse protocols, including TCP, the
802.11 MAC, ECN, and SCTP, and show that it is able to find all
manipulation attacks that have been previously reported for these
protocols. We also find a previously unreported attack for SCTP. This
attack is a variant of a TCP attack but must be mounted differently
in SCTP because of subtle semantic differences between the two
protocols.