At this year's top conference "Network and Distributed System Security Symposium (NDSS)" in San Diego, CA, researchers from the Chair of Systems Security present three papers. The conference, which will take place from February 23 to 26, is highly appreciated by representatives from research and industry and, according to the conference, has the goal to "encourage and enable the Internet community to apply, deploy, and advance the state of available security technologies”.
The Bochum researchers present these papers:
"HYPER-CUBE: High-Dimensional HypervisorFuzzing“
Sergej Schumilo, Cornelius Aschermann, Ali Abbasi, Simon Wörner and Thorsten Holz, Ruhr-Universität Bochum
Abstract:Virtual machine monitors (VMMs, also calledhy-pervisors) represent a very critical part of a modern softwarestack: compromising them could allow an attacker to take fullcontrol of the whole cloud infrastructure of any cloud provider.Hence their security is critical for many applications, especiallyin the context of Infrastructure-as-a-Service. In this paper, wepresent the design and implementation of HYPER-CUBE, a novelfuzzer that aims explicitly at testing hypervisors in an efficient,effective, and precise way. Our approach is based on a customoperating system that implements a custom bytecode interpreter.This high-throughput design for long-running, interactive targetsallows us to fuzz a large number of both open source andproprietary hypervisors. In contrast to one-dimensional fuzzerssuch as AFL, HYPER-CUBEcan interact withanynumber ofinterfaces inanyorder. Our evaluation results show that we canfind more bugs (over 2×) and coverage (as much as 2×) thanstate-of-the-art hypervisor fuzzers. In most cases, we were evenable to do so using multiple orders of magnitude less time thancomparable fuzzers. HYPER-CUBEwas also able to rediscover aset of well-known hypervisor vulnerabilities, such as VENOM, inless than five minutes. In total, we found 54 novel bugs, and so farobtained 43 CVEs. Our evaluation results demonstrate that next-generation coverage-guided fuzzers should incorporate a higher-throughput design for long-running targets such as hypervisors
Link to the PDF-Document
"On Using Application-Layer Middlebox Protocolsfor Peeking Behind NAT Gateways"
Teemu Rytilahti, Thorsten Holz, Ruhr University Bochum
Abstract: On Using Application-Layer Middlebox Protocolsfor Peeking Behind NAT GatewaysTeemu RytilahtiRuhr University Bochumteemu.firstname.lastname@example.orgThorsten HolzRuhr University Bochumthorsten.email@example.comAbstract—Typical port scanning approaches do not achieve a full coverage of all devices connected to the Internet as not alldevices aredirectlyreachable via a public (IPv4) address: due toIP address space exhaustion, firewalls, and many other reasons,an end-to-end connectivity is not achieved in today’s Internet anymore. Especially Network Address Translation(NAT) is widelydeployed in practice and it has the side effect of “hiding” devicesfrom being scanned. Some protocols, however, require end-to-endconnectivity to function properly and hence several methods weredeveloped in the past to enable crossing network borders.In this paper, we explore how an attacker can take advantageof such application-layer middlebox protocols to access deviceslocated behind these gateways. More specifically, we investigatedifferent methods for identifying such devices by using onlylegitimateprotocol features. We categorize the available protocolsinto two classes: First, there arepersistent protocolsthat aretypically port-forwarding based. Such protocols are used to allowlocal network devices to open and forward external ports to them.Second, there arenon-persistent protocolsthat are typically proxy-based to route packets between network edges, such as HTTPand SOCKS proxies. We perform a comprehensive, Internet-wideanalysis to obtain an accurate overview of how prevalent andwidespread such protocols are in practice. Our results indicatethat hundreds of thousands of hosts are vulnerable for differenttypes of attacks, e. g., we detect over 400,000 hosts that arelikely vulnerable for attacks involving the UPnP IGD protocol.More worrisome, we find empirical evidence that attackers arealready actively exploiting such protocols in the wild to accessdevices located behind NAT gateways. Amongst other findings,we discover that at least 24 % of all open Internet proxies aremisconfigured to allow accessing hosts on non-routable addresses
Link to the PDF-Document
"IMP4GT: IMPersonation Attacks in 4G NeTworks"
David Rupprecht, Katharina Kohls, Thorsten Holz, and Christina Pöpper, Ruhr University Bochum & New York University Abu Dhabi
Abstract: Long Term Evolution (LTE/4G) establishes mutualauthentication with a provably secure Authentication and KeyAgreement (AKA) protocol on layer three of the network stack.Permanent integrity protection of the control plane safeguardsthe traffic against manipulations. However, missing integrity pro-tection of the user plane still allows an adversary to manipulateand redirect IP packets, as recently demonstrated.In this work, we introduce a novel cross-layer attack thatexploits the existing vulnerability on layer two and extends itwith an attack mechanism on layer three. More precisely, we takeadvantage of the default IP stack behavior of operating systemsand show that combining it with the layer-two vulnerability allowsan active attacker to impersonate a user towards the networkand vice versa; we name these attacksIMP4GT(IMPersonationattacks in 4G neTworks). In contrast to a simple redirectionattack as demonstrated in prior work, our attack dramaticallyextends the possible attack scenarios and thus emphasizes theneed for user-plane integrity protection in mobile communicationstandards. The results of our work imply that providers can nolonger rely on mutual authentication for billing, access control,and legal prosecution. On the other hand, users are exposedto any incoming IP connection as an adversary can bypassthe provider’s firewall. To demonstrate the practical impact ofour attack, we conduct twoIMP4GTattack variants in a live,commercial network, which—for the first time—completely breakthe mutual authentication aim of LTE on the user plane in a real-world setting.
General note: In case of using gender-assigning attributes we include all those who consider themselves in this gender regardless of their own biological sex.