Donika Mirdita,Haya Schulmann,Niklas Vogel,Michael Waidner

2023-12-04

Abstract:Over recent years, the Resource Public Key Infrastructure (RPKI) has seen increasing adoption, with now 37.8% of the major networks filtering bogus BGP routes. Systems interact with the RPKI over Relying Party (RP) implementations that fetch RPKI objects and feed BGP routers with the validated prefix-ownership data. Consequently, any vulnerabilities or flaws within the RP software can substantially threaten the stability and security of Internet routing. We uncover severe flaws in all popular RP implementations, making them susceptible to path traversal attacks, remotely triggered crashes, and inherent inconsistencies, violating RPKI standards. We report a total of 18 vulnerabilities that canbe exploited to downgrade RPKI validation in border routers or, worse, enable poisoning of the validation process, resulting in malicious prefixes being wrongfully validated and legitimate RPKI-covered prefixes failing validation. Furthermore, our research discloses inconsistencies in the validation process, with two popular implementations leaving 8149 prefixes unprotected from hijacks, 6405 of which belong to Amazon. While these findings are significant in their own right, our principal contribution lies in developing CURE, the first-of-its-kind system to systematically detect bugs, vulnerabilities, and RFC compliance issues in RP implementations via automated test generation. CURE is a powerful RPKI publication point emulator that enables easy and efficient fuzzing of complex RP validation pipelines. It is designed with a set of novel techniques, utilizing differential and stateful fuzzing. We generated over 600 million test cases and tested all popular RPs on them. Following our disclosure, the vendors already assigned CVEs to the vulnerabilities we found.

Cryptography and Security

Donika Mirdita,Haya Schulmann,Michael Waidner

2024-08-22

Abstract:The Resource Public Key Infrastructure (RPKI) is the main mechanism to protect inter-domain routing with BGP from prefix hijacks. It has already been widely deployed by large providers and the adoption rate is getting to a critical point. Almost half of all the global prefixes are now covered by RPKI and measurements show that 27% of networks are already using RPKI to validate BGP announcements. Over the past 10 years, there has been much research effort in RPKI, analyzing different facets of the protocol, such as software vulnerabilities, robustness of the infrastructure or the proliferation of RPKI validation. In this work we compile the first systemic overview of the vulnerabilities and misconfigurations in RPKI and quantify the security landscape of the global RPKI deployments based on our measurements and analysis. Our study discovers that 56% of the global RPKI validators suffer from at least one documented vulnerability. We also do a systematization of knowledge for existing RPKI security research and complement the existing knowledge with novel measurements in which we discover new trends in availability of RPKI repositories, and their communication patterns with the RPKI validators. We weave together the results of existing research and our study, to provide a comprehensive tableau of vulnerabilities, their sources, and to derive future research paths necessary to prepare RPKI for full global deployment.

Cryptography and Security

Jens Friess,Donika Mirdita,Haya Schulmann,Michael Waidner

2024-05-01

Abstract:To protect against prefix hijacks, Resource Public Key Infrastructure (RPKI) has been standardized. To enjoy the security guarantees of RPKI validation, networks need to install a new component, the relying party validator, which fetches and validates RPKI objects and provides them to border routers. However, recent work shows that relying parties experience failures when retrieving RPKI objects and are vulnerable to attacks, all of which can disable RPKI validation. Therefore even the few adopters are not necessarily secure.

Cryptography and Security

Matthias Wählisch,Robert Schmidt,Thomas C. Schmidt,Olaf Maennel,Steve Uhlig,Gareth Tyson

DOI: https://doi.org/10.1145/2834050.2834102

2015-11-02

Abstract:Web content delivery is one of the most important services on the Internet. Access to websites is typically secured via TLS. However, this security model does not account for prefix hijacking on the network layer, which may lead to traffic blackholing or transparent interception. Thus, to achieve comprehensive security and service availability, additional protective mechanisms are necessary such as the RPKI, a recently deployed Resource Public Key Infrastructure to prevent hijacking of traffic by networks. This paper argues two positions. First, that modern web hosting practices make route protection challenging due to the propensity to spread servers across many different networks, often with unpredictable client redirection strategies, and, second, that we need a better understanding why protection mechanisms are not deployed. To initiate this, we empirically explore the relationship between web hosting infrastructure and RPKI deployment. Perversely, we find that less popular websites are more likely to be secured than the prominent sites. Worryingly, we find many large-scale CDNs do not support RPKI, thus making their customers vulnerable. This leads us to explore business reasons why operators are hesitant to deploy RPKI, which may help to guide future research on improving Internet security.

Networking and Internet Architecture,Cryptography and Security

Haya Schulmann,Niklas Vogel,Michael Waidner

2024-09-23

Abstract:The Resource Public Key Infrastructure (RPKI) protocol was standardized to add cryptographic security to Internet routing. With over 50% of Internet resources protected with RPKI today, the protocol already impacts significant parts of Internet traffic. In addition to its growing adoption, there is also increasing political interest in RPKI. The White House indicated in its Roadmap to Enhance Internet Routing Security, on 4 September 2024, that RPKI is a mature and readily available technology for securing inter-domain routing. The Roadmap attributes the main obstacles towards wide adoption of RPKI to a lack of understanding, lack of prioritization, and administrative barriers. This work presents the first comprehensive study of the maturity of RPKI as a viable production-grade technology. We find that current RPKI implementations still lack production-grade resilience and are plagued by software vulnerabilities, inconsistent specifications, and operational challenges, raising significant security concerns. The deployments lack experience with full-fledged strict RPKI-validation in production environments and operate in fail-open test mode. We provide recommendations to improve RPKI resilience and guide stakeholders in securing their deployments against emerging threats. The numerous issues we have discovered with the current RPKI specifications and implementations inevitably lead to the question: Is RPKI sufficiently stable to align with the expectations outlined in the White House roadmap? Certainly, it is not perfect, but is it good enough? The answer, as we will explore, varies depending on one's viewpoint.

Cryptography and Security

Tomas Hlavacek,Haya Shulman,Niklas Vogel,Michael Waidner

2023-03-21

Abstract:IP prefix hijacks allow adversaries to redirect and intercept traffic, posing a threat to the stability and security of the Internet. To prevent prefix hijacks, networks should deploy RPKI and filter bogus BGP announcements with invalid routes. In this work we evaluate the impact of RPKI deployments on the security and resilience of the Internet. We aim to understand which networks filter invalid routes and how effective that filtering is in blocking prefix hijacks. We extend previous data acquisition and analysis methodologies to obtain more accurate identification of networks that filter invalid routes with RPKI. We find that more than 27% of networks enforce RPKI filtering and show for the first time that deployments follow the business incentives of inter-domain routing: providers have an increased motivation to filter in order to avoid losing customers' traffic. Analyzing the effectiveness of RPKI, we find that the current trend to deploy RPKI on routeservers of Internet Exchange Points (IXPs) only provides a localized protection against hijacks but has negligible impact on preventing their spread globally. In contrast, we show that RPKI filtering in Tier-1 providers greatly benefits the security of the Internet as it limits the spread of hijacks to a localized scope. Based on our observations, we provide recommendations on the future roadmap of RPKI deployment. We make our datasets available for public use [<a class="link-external link-https" href="https://sit4.me/rpki" rel="external noopener nofollow">this https URL</a>].

Networking and Internet Architecture,Cryptography and Security

SU Yingying,LI Dan,YE Honglin

DOI: https://doi.org/10.11959/j.issn.1000-0801.2021050

2021-01-01

Abstract:The BGP (border gateway protocol) did not fully consider security issues at the beginning of its design.With the rapid growth of the Internet, its security risks have become incrementally obvious.Academia and industry have proposed many solutions to the security issues faced by inter-domain routing, and what is really deployed is the RPKI (resource public key infrastructure) promoted by the IETF (the Internet Engineering Task Force).The development status and research advances of RPKI were surveyed, with emphasis on problems of RPKI, existing solutions, and related limitations.Moreover, latest achievements on RPKI function extension were introduced.Finally, future research directions were concluded.

Yingying Su,Dan Li,Li Chen,Qi Li,Sitong Ling

DOI: https://doi.org/10.14722/ndss.2024.24368

2024-01-01

Abstract:Although Resource Public Key Infrastructure (RPKI) is critical for securing inter-domain routing, we find that its key component, the RPKI Repository, is under studied.We conduct the first data-driven analysis of the existing RPKI Repository infrastructure, including a survey of worldwide AS administrators and a large-scale measurement of the existing RPKI Repository.Based on the findings of our study, we identify three key problems.Firstly, misbehaving RPKI authorities can easily manipulate RPKI objects, and Internet Number Resources holders (INRs holders) and Relying Parties (RPs) can neither prevent malicious behaviors of misbehaving authorities nor hold them accountable.Secondly, RPKI Repository is sensitive to failures: An attack or downtime of any repository Publication Point (PP) will prevent RPs from obtaining complete RPKI object views.Finally, we identify scalability issues with the current RPKI Repository, which are expected to worsen with the further deployment of Route Origin Authorization (ROA).To address these problems, we propose dRR, an architecture that enhances the security, robustness, and scalability of the RPKI Repository while being compatible with standard RPKI.By introducing two new entities: Certificate Servers (CSs) and Monitors, dRR forms a decentralized federation of CSs, which enables the RPKI Repository to proactively defend against malicious behavior from authorities and to tolerate PPs' failures.dRR is also scalable for future large-scale deployment.We present the design of dRR in detail and implement a prototype of dRR on a global Internet testbed spanning 15 countries.Experimental results show that, although new security features are introduced, dRR only incurs negligible latency for certificate issuance and revocation.The throughput of certificate updates achieved by dRR is 450 times higher than the current maximum RPKI certificate update frequency.

Bernd Prünster,Alexander Marsalek,Thomas Zefferer

DOI: https://doi.org/10.48550/arXiv.2011.00874

2020-11-02

Abstract:Peer-to-peer networks are an attractive alternative to classical client-server architectures in several fields of application such as voice-over-IP telephony and file sharing. Recently, a new peer-to-peer solution called the InterPlanetary File System (IPFS) has attracted attention, which promises to re-decentralise the Web. Being increasingly used as a stand-alone application, IPFS has also emerged as the technical backbone of various other decentralised solutions and was even used to evade censorship. Decentralised applications serving millions of users rely on IPFS as one of their crucial building blocks. This popularity makes IPFS attractive for large-scale attacks. We have identified a conceptual issue in one of IPFS's core libraries and demonstrate their exploitation by means of a successful end-to-end attack. We evaluated this attack against the IPFS reference implementation on the public IPFS network, which is used by the average user to share and consume IPFS content. Results obtained from mounting this attack on live IPFS nodes show that arbitrary IPFS nodes can be eclipsed, i.e. isolated from the network, with moderate effort and limited resources. Compared to similar works, we show that our attack scales linearly even beyond current network sizes and can disrupt the entire public IPFS network with alarmingly low effort. The vulnerability set described in this paper has been assigned CVE-2020-10937. Responsible disclosure procedures are currently being carried out and have led to mitigations being deployed, with additional fixes to be rolled out in future releases.

Cryptography and Security

Wenjie Xu,Deliang Chang,Xing Li

2019-01-01

Abstract:BGP is the default inter-domain routing protocol in today's Internet, but has serious security vulnerabilities [1]. One of them is (sub)prefix hijacking. IETF standardizes RPKI to validate the AS origin but RPKI has a lot of problems [2] [3] [4] [5], among which is potential false alarm. Although some previous work [4] [2] points it out explicitly or implicitly, further measurement and analysis remain to be done. Our work measures and analyzes the invalid prefixes systematically. We first classify the invalid prefixes into six different types and then analyze their stability. We show that a large proportion of the invalid prefixes very likely result from traffic engineering, IP address transfer and failing to aggregate rather than real hijackings.

Ken Ivanov

DOI: https://doi.org/10.48550/arXiv.1609.03047

2016-09-10

Abstract:The paper describes two important design flaws in Online Certificate Status Protocol (OCSP), a protocol widely used in PKI environments for managing digital certificates' credibility in real time. The flaws significantly reduce the security capabilities of the protocol, and can be exploited by a malicious third party to generate forged signed certificate statuses and, in the worst scenario, forged certificates. Description of the flaws, along with expected exploitation routes, consequences for consuming application layer protocols, and proposed countermeasures, is given.

Cryptography and Security

Felix Klement,Alessandro Brighente,Michele Polese,Mauro Conti,Stefan Katzenbeisser

2024-05-03

Abstract:In this paper, we investigate the security implications of virtualized and software-based Open Radio Access Network (RAN) systems, specifically focusing on the architecture proposed by the O-RAN ALLIANCE and O-Cloud deployments based on the O-RAN Software Community (OSC) stack and infrastructure. Our key findings are based on a thorough security assessment and static scanning of the OSC Near Real-Time RAN Intelligent Controller (RIC) cluster. We highlight the presence of potential vulnerabilities and misconfigurations in the Kubernetes infrastructure supporting the RIC, also due to the usage of outdated versions of software packages, and provide an estimation of their criticality using various deployment auditing frameworks (e.g., MITRE ATT&CK and the NSA CISA). In addition, we propose methodologies to minimize these issues and harden the Open RAN virtualization infrastructure. These encompass the integration of security evaluation methods into the deployment process, implementing deployment hardening measures, and employing policy-based control for RAN components. We emphasize the need to address the problems found in order to improve the overall security of virtualized Open RAN systems.

Cryptography and Security

Yuyang Zhou,Jing Guo,Fagen Li

DOI: https://doi.org/10.1016/j.sysarc.2020.101754

IF: 5.836

2020-01-01

Journal of Systems Architecture

Abstract:The Snowden incident shows that powerful attackers can compromise users' machines to steal users' private information. Currently, many encryption schemes that have proven to be secure cannot detect vulnerabilities. These vulnerabilities may reveal users' secrets, e.g., a machine hides some backdoors without a user's awareness, and an attacker can steal the user's private information through these backdoors. In 2015, Mironov and Stephens-Davidowitz proposed a new framework for solving this problem: cryptographic reverse firewall (CRF). However, their protocols can't protect certificateless public key encryption (CL-PKE). In this paper, we design a CRF protocol for CL-PKE, which is a one-round CL-PKE with CRFs (CL-PKE-CRF) deployed on a receiver and a key generating centre (KGC). This protocol is proved to achieve indistinguishability against chosen plaintext attack (IND-CPA). Compared with existing protocol with CRFs and two CL-PKE schemes, our protocol has the least communication cost. Meanwhile, we use JPBC library to implement our one-round CL-PKE-CRF. The experimental results indicate that under high security levels, our protocol has a advantage in the percentage of the running time. Since our protocol can resist exfiltration attacks from internal attackers, it is efficient and practical. Finally, we apply the same method to design a secure and effective one-round certificateless public key signature with a CRF (CL-PKS-CRF). This means that our protocol is not only targeted at a single CL-PKE scheme, but also can inspire the design of other certificateless public key cryptography schemes with CRFs.

Tong Liu,Zizhuang Deng,Guozhu Meng,Yuekang Li,Kai Chen

2024-11-20

Abstract:LLMs show promise in transforming software development, with a growing interest in integrating them into more intelligent apps. Frameworks like LangChain aid LLM-integrated app development, offering code execution utility/APIs for custom actions. However, these capabilities theoretically introduce Remote Code Execution (RCE) vulnerabilities, enabling remote code execution through prompt injections. No prior research systematically investigates these frameworks' RCE vulnerabilities or their impact on applications and exploitation consequences. Therefore, there is a huge research gap in this field. In this study, we propose LLMSmith to detect, validate and exploit the RCE vulnerabilities in LLM-integrated frameworks and apps. To achieve this goal, we develop two novel techniques, including 1) a lightweight static analysis to examine LLM integration mechanisms, and construct call chains to identify RCE vulnerabilities in frameworks; 2) a systematical prompt-based exploitation method to verify and exploit the found vulnerabilities in LLM-integrated apps. This technique involves various strategies to control LLM outputs, trigger RCE vulnerabilities and launch subsequent attacks. Our research has uncovered a total of 20 vulnerabilities in 11 LLM-integrated frameworks, comprising 19 RCE vulnerabilities and 1 arbitrary file read/write vulnerability. Of these, 17 have been confirmed by the framework developers, with 11 vulnerabilities being assigned CVE IDs. For the 51 apps potentially affected by RCE, we successfully executed attacks on 17 apps, 16 of which are vulnerable to RCE and 1 to SQL injection. Furthermore, we conduct a comprehensive analysis of these vulnerabilities and construct practical attacks to demonstrate the hazards in reality. Last, we propose several mitigation measures for both framework and app developers to counteract such attacks.

Cryptography and Security

Elias Heftrig,Haya Schulmann,Niklas Vogel,Michael Waidner

2024-06-05

Abstract:Availability is a major concern in the design of DNSSEC. To ensure availability, DNSSEC follows Postel's Law [RFC1123]: "Be liberal in what you accept, and conservative in what you send." Hence, nameservers should send not just one matching key for a record set, but all the relevant cryptographic material, e.g., all the keys for all the ciphers that they support and all the corresponding signatures. This ensures that validation succeeds, and hence availability, even if some of the DNSSEC keys are misconfigured, incorrect or correspond to unsupported ciphers. We show that this design of DNSSEC is flawed. Exploiting vulnerable recommendations in the DNSSEC standards, we develop a new class of DNSSEC-based algorithmic complexity attacks on DNS, we dub KeyTrap attacks. All popular DNS implementations and services are vulnerable. With just a single DNS packet, the KeyTrap attacks lead to a 2.000.000x spike in CPU instruction count in vulnerable DNS resolvers, stalling some for as long as 16 hours. This devastating effect prompted major DNS vendors to refer to KeyTrap as the worst attack on DNS ever discovered. Exploiting KeyTrap, an attacker could effectively disable Internet access in any system utilizing a DNSSEC-validating resolver. We disclosed KeyTrap to vendors and operators on November 2, 2023, confidentially reporting the vulnerabilities to a closed group of DNS experts, operators and developers from the industry. Since then we have been working with all major vendors to mitigate KeyTrap, repeatedly discovering and assisting in closing weaknesses in proposed patches. Following our disclosure, the industry-wide umbrella CVE-2023-50387 has been assigned, covering the DNSSEC protocol vulnerabilities we present in this work.

Cryptography and Security

Dor Israeli,Alon Noy,Yehuda Afek,Anat Bremler-Barr

DOI: https://doi.org/10.1007/s12095-024-00750-x

2024-11-11

Cryptography and Communications

Abstract:This paper presents a new localhost browser based vulnerability and corresponding attack that opens the door to new attacks on private networks and local devices. We show that this new vulnerability may put hundreds of millions of internet users and their IoT devices at risk. We demonstrate the viability of the attack on a real product, "Folding@Home", of which we did a responsible disclosure of the specific vulnerability . Following the attack presentation, we suggest three new protection mechanisms to mitigate this vulnerability, across the different entities of the attack (broswer, localhost server, and attacked IOT). This new attack bypasses recently suggested protection mechanisms designed to stop browser-based attacks on private devices and local applications (Chromium and Rigoudy 2021, Afek et al. 2019), of which we also did a responsible disclosure.

computer science, theory & methods,mathematics, applied

Wei Yang,Yuan Wang,Zhixiang Lai,Yadong Wan,Zhuo Cheng

DOI: https://doi.org/10.1109/cyberc.2018.00020

2018-01-01

Abstract:RPL is a routing protocol for Low-Power and Lossy Networks, which is the routing protocol standardized for the Internet of Things (IoT). However, RPL has many serious vulnerabilities which can be exploited by attackers. In this paper, we adopt an finite state machines(FSM) based vulnerability discovering approach to analyze the security vulnerabilities of RPL, which can successfully discover sinkhole attack, selective forwarding attack and hello flood attack. Then we propose some security countermeasures to defend against the attacks. Finally, we run a thorough set of simulations to assess the impact of the sinkhole attack and the effectiveness of proposed countermeasure. The results show that the attack can significantly damage the RPL and the countermeasure can successfully detect the malicious node.

Yiming Zhang,Baojun Liu,Chaoyi Lu,Zhou Li,Haixin Duan,Jiachen Li,Zaifeng Zhang

DOI: https://doi.org/10.1145/3460120.3484768

2021-01-01

Abstract:HTTPS secures communications in the web and heavily relies on the Web PKI for authentication. In the Web PKI, Certificate Authorities (CAs) are organizations that provide trust and issue digital certificates. Web clients rely on public root stores maintained by operating systems or browsers, with hundreds of audited CAs as trust anchors. However, as reported by security incidents, hidden root CAs beyond the public root programs have been imported into local root stores, which allows adversaries to gain trust from web clients. In this paper, we provide the first client-side, nation-wide view of hidden root CAs in the Web PKI ecosystem. Through cooperation with a leading browser vendor, we analyze certificate chains in web visits, together with their verification statuses, from volunteer users in 5 months. In total, over 1.17 million hidden root certificates are captured and they cause a profound impact from the angle of web clients and traffic. Further, we identify around 5 thousand organizations that hold hidden root certificates, including fake root CAs that impersonate large trusted ones. Finally, we highlight that the implementation of hidden root CAs and certificates is highly flawed, and issues such as weak keys and signature algorithms are prevalent. Our findings uncover that the ecosystem of hidden root CAs is massive and dynamic, and shed light on the landscape of Web PKI security. Finally, we call for immediate efforts from the community to review the integrity of local root stores.

Elias Heftrig,Haya Shulman,Michael Waidner

DOI: https://doi.org/10.1145/3548606.3563517

2023-02-14

Abstract:Cryptographic algorithm agility is an important property for DNSSEC: it allows easy deployment of new algorithms if the existing ones are no longer secure. In this work we show that the cryptographic agility in DNSSEC, although critical for provisioning DNS with strong cryptography, also introduces a vulnerability. We find that under certain conditions, when new algorithms are listed in signed DNS responses, the resolvers do not validate DNSSEC. As a result, domains that deploy new ciphers may in fact cause the resolvers not to validate DNSSEC. We exploit this to develop DNSSEC-downgrade attacks and experimentally and ethically evaluate them against popular DNS resolver implementations, public DNS providers, and DNS services used by web clients worldwide. We find that major DNS providers as well as 45% of DNS resolvers used by web clients are vulnerable to our attacks.

Cryptography and Security

Yixin Sun,Anne Edmundson,Laurent Vanbever,Oscar Li,Jennifer Rexford,Mung Chiang,Prateek Mittal

DOI: https://doi.org/10.48550/arXiv.1503.03940

2015-03-13

Abstract:The Tor network is a widely used system for anonymous communication. However, Tor is known to be vulnerable to attackers who can observe traffic at both ends of the communication path. In this paper, we show that prior attacks are just the tip of the iceberg. We present a suite of new attacks, called Raptor, that can be launched by Autonomous Systems (ASes) to compromise user anonymity. First, AS-level adversaries can exploit the asymmetric nature of Internet routing to increase the chance of observing at least one direction of user traffic at both ends of the communication. Second, AS-level adversaries can exploit natural churn in Internet routing to lie on the BGP paths for more users over time. Third, strategic adversaries can manipulate Internet routing via BGP hijacks (to discover the users using specific Tor guard nodes) and interceptions (to perform traffic analysis). We demonstrate the feasibility of Raptor attacks by analyzing historical BGP data and Traceroute data as well as performing real-world attacks on the live Tor network, while ensuring that we do not harm real users. In addition, we outline the design of two monitoring frameworks to counter these attacks: BGP monitoring to detect control-plane attacks, and Traceroute monitoring to detect data-plane anomalies. Overall, our work motivates the design of anonymity systems that are aware of the dynamics of Internet routing.

Networking and Internet Architecture,Cryptography and Security