
The CURE To Vulnerabilities in RPKI Validation (2312.01872v1)

Published 4 Dec 2023 in cs.CR

Abstract: Over recent years, the Resource Public Key Infrastructure (RPKI) has seen increasing adoption, with now 37.8% of the major networks filtering bogus BGP routes. Systems interact with the RPKI over Relying Party (RP) implementations that fetch RPKI objects and feed BGP routers with the validated prefix-ownership data. Consequently, any vulnerabilities or flaws within the RP software can substantially threaten the stability and security of Internet routing. We uncover severe flaws in all popular RP implementations, making them susceptible to path traversal attacks, remotely triggered crashes, and inherent inconsistencies, violating RPKI standards. We report a total of 18 vulnerabilities that can be exploited to downgrade RPKI validation in border routers or, worse, enable poisoning of the validation process, resulting in malicious prefixes being wrongfully validated and legitimate RPKI-covered prefixes failing validation. Furthermore, our research discloses inconsistencies in the validation process, with two popular implementations leaving 8149 prefixes unprotected from hijacks, 6405 of which belong to Amazon. While these findings are significant in their own right, our principal contribution lies in developing CURE, the first-of-its-kind system to systematically detect bugs, vulnerabilities, and RFC compliance issues in RP implementations via automated test generation. CURE is a powerful RPKI publication point emulator that enables easy and efficient fuzzing of complex RP validation pipelines. It is designed with a set of novel techniques, utilizing differential and stateful fuzzing. We generated over 600 million test cases and tested all popular RPs on them. Following our disclosure, the vendors already assigned CVEs to the vulnerabilities we found.
