Ruhr-Uni-Bochum

Systems Security Team presents 3 paper at NDSS-Symposium

The Network and Distributed System Security Symposium (NDSS) takes place from February 23 to 26.

At this year's top conference "Network and Distributed System Security Symposium (NDSS)" in San Diego, CA, researchers from the Chair of Systems Security present three papers. The conference, which will take place from February 23 to 26, is highly appreciated by representatives from research and industry and, according to the conference, has the goal to "encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies”.

The Bochum researchers present these papers:

"HYPER-CUBE: High-Dimensional HypervisorFuzzing“

Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wörner and Thorsten Holz, Ruhr-Universität Bochum

Abstract:Virtual machine monitors (VMMs, also calledhy-pervisors) represent a very critical part of a modern softwarestack: compromising them could allow an attacker to take fullcontrol of the whole cloud infrastructure of any cloud provider.Hence their security is critical for many applications, especiallyin the context of Infrastructure-as-a-Service. In this paper, wepresent the design and implementation of HYPER-CUBE, a novelfuzzer that aims explicitly at testing hypervisors in an efficient,effective, and precise way. Our approach is based on a customoperating system that implements a custom bytecode interpreter.This high-throughput design for long-running, interactive targetsallows us to fuzz a large number of both open source andproprietary hypervisors. In contrast to one-dimensional fuzzerssuch as AFL, HYPER-CUBEcan interact withanynumber ofinterfaces inanyorder. Our evaluation results show that we canfind more bugs (over 2×) and coverage (as much as 2×) thanstate-of-the-art hypervisor fuzzers. In most cases, we were evenable to do so using multiple orders of magnitude less time thancomparable fuzzers. HYPER-CUBEwas also able to rediscover aset of well-known hypervisor vulnerabilities, such as VENOM, inless than five minutes. In total, we found 54 novel bugs, and so farobtained 43 CVEs. Our evaluation results demonstrate that next-generation coverage-guided fuzzers should incorporate a higher-throughput design for long-running targets such as hypervisors

Link  to the PDF-Document

 

"On Using Application-Layer Middlebox Protocolsfor Peeking Behind NAT Gateways"

Teemu Rytilahti, Thorsten Holz, Ruhr University Bochum

Abstract: On Using Application-Layer Middlebox Protocolsfor Peeking Behind NAT GatewaysTeemu RytilahtiRuhr University Bochumteemu.rytilahti@rub.deThorsten HolzRuhr University Bochumthorsten.holz@rub.deAbstract—Typical port scanning approaches do not achieve a full coverage of all devices connected to the Internet as not alldevices aredirectlyreachable via a public (IPv4) address: due toIP address space exhaustion, firewalls, and many other reasons,an end-to-end connectivity is not achieved in today’s Internet anymore. Especially Network Address Translation(NAT) is widelydeployed in practice and it has the side effect of “hiding” devicesfrom being scanned. Some protocols, however, require end-to-endconnectivity to function properly and hence several methods weredeveloped in the past to enable crossing network borders.In this paper, we explore how an attacker can take advantageof such application-layer middlebox protocols to access deviceslocated behind these gateways. More specifically, we investigatedifferent methods for identifying such devices by using onlylegitimateprotocol features. We categorize the available protocolsinto two classes: First, there arepersistent protocolsthat aretypically port-forwarding based. Such protocols are used to allowlocal network devices to open and forward external ports to them.Second, there arenon-persistent protocolsthat are typically proxy-based to route packets between network edges, such as HTTPand SOCKS proxies. We perform a comprehensive, Internet-wideanalysis to obtain an accurate overview of how prevalent andwidespread such protocols are in practice. Our results indicatethat hundreds of thousands of hosts are vulnerable for differenttypes of attacks, e. g., we detect over 400,000 hosts that arelikely vulnerable for attacks involving the UPnP IGD protocol.More worrisome, we find empirical evidence that attackers arealready actively exploiting such protocols in the wild to accessdevices located behind NAT gateways. Amongst other findings,we discover that at least 24 % of all open Internet proxies aremisconfigured to allow accessing hosts on non-routable addresses

Link to the PDF-Document

 

"IMP4GT: IMPersonation Attacks in 4G NeTworks"

David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper, Ruhr University Bochum & New York University Abu Dhabi

Abstract: Long Term Evolution (LTE/4G) establishes mutualauthentication  with  a  provably  secure  Authentication  and  KeyAgreement  (AKA)  protocol  on  layer  three  of  the  network  stack.Permanent  integrity  protection  of  the  control  plane  safeguardsthe traffic against manipulations. However, missing integrity pro-tection of the user plane still allows an adversary to manipulateand  redirect  IP  packets,  as  recently  demonstrated.In  this  work,  we  introduce  a  novel  cross-layer  attack  thatexploits  the  existing  vulnerability  on  layer  two  and  extends  itwith an attack mechanism on layer three. More precisely, we takeadvantage  of  the  default  IP  stack  behavior  of  operating  systemsand show that combining it with the layer-two vulnerability allowsan  active  attacker  to  impersonate  a  user  towards  the  networkand  vice  versa;  we  name  these  attacksIMP4GT(IMPersonationattacks  in  4G  neTworks).  In  contrast  to  a  simple  redirectionattack  as  demonstrated  in  prior  work,  our  attack  dramaticallyextends  the  possible  attack  scenarios  and  thus  emphasizes  theneed for user-plane integrity protection in mobile communicationstandards.  The  results  of  our  work  imply  that  providers  can  nolonger  rely  on  mutual  authentication  for  billing,  access  control,and  legal  prosecution.  On  the  other  hand,  users  are  exposedto  any  incoming  IP  connection  as  an  adversary  can  bypassthe  provider’s  firewall.  To  demonstrate  the  practical  impact  ofour  attack,  we  conduct  twoIMP4GTattack  variants  in  a  live,commercial network, which—for the first time—completely breakthe mutual authentication aim of LTE on the user plane in a real-world  setting.

https://imp4gt-attacks.net/

 

General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.