Off-Path TCP Exploits of the Mixed IPID Assignment

In this paper, we uncover a new off-path TCP hijacking attack that can be used to terminate victim TCP connections or inject forged data into victim TCP connections by manipulating the new mixed IPID assignment method, which is widely used in Linux kernel version 4.18 and beyond to help defend against TCP hijacking attacks. The attack has three steps. First, an off-path attacker can downgrade the IPID assignment for TCP packets from the more secure per-socket-based policy to the less secure hash-based policy, building a shared IPID counter that forms a side channel on the victim. Second, the attacker detects the presence of TCP connections by observing the shared IPID counter on the victim. Third, the attacker infers the sequence number and the acknowledgment number of the detected connection by observing the side channel of the shared IPID counter. Consequently, the attacker can completely hijack the connection, i.e., resetting the connection or poisoning the data stream. We evaluate the impacts of this off-path TCP attack in the real world. Our case studies of SSH DoS, manipulating web traffic, and poisoning BGP routing tables show its threat on a wide range of applications. Our experimental results show that our off-path TCP attack can be constructed within 215 seconds and the success rate is over 88%. Finally, we analyze the root cause of the exploit and develop a new IPID assignment method to defeat this attack. We prototype our defense in Linux 4.18 and confirm its effectiveness through extensive evaluation over real applications on the Internet

Identification and Mitigation of Information Leakage Caused by Side Channel Vulnerabilities in Network Stack

Keeping users sensitive information secure and private in todays network is challenging. Networks are large, complicated distributed systems and are subject to a wide variety of attacks, such as eavesdropping, identity spoofing, hijacking, etc. What is worse, encrypting data is often not enough in light of advanced threats such as side channel attacks, which enable malicious attackers to infer sensitive data from insignificant network information unexpectedly. For this purpose, we pro- pose series of techniques to prevent such information leakage at different layers in network stacks, and raise awareness of its severity. More specifically, 1) we propose a practical physical (PHY) layer security framework FOG, for effective packet header obfuscation using MIMO, to keep eavesdroppers from receiving any meaningful packet information; 2) we identify and fix a subtle yet serious pure off-path side channel vulnerability (CVE-2016-5696) introduced in both TCP specification and its implementation in Linux kernel, which prevents malicious attackers from exploiting it to indicate arbitrary connections state, reset the connection or even further hijack the connection; 3) we propose a principled TCP side channel vulnerability discovery solution based on model checking and program analysis, and automatically identify 12 new side channel vulnerabilities (and 3 old ones) from TCP implementation in Linux and FreeBSD kernel code. The ultimate goal is to help guide the future design and implementation of network stacks.Keeping users’ sensitive information secure and private in today’s network is challenging. Network nowadays are subject to a wide variety of attacks, such as eavesdropping, identity spoofing, denial of service, etc. What is worse, encrypting sensitive data is often not enough in light of advanced threats such as side channel attacks, which enable malicious attackers to infer sensitive data from “insignificant” network information unexpectedly. For this purpose, we propose series of techniques to prevent such information leakage at different layers in network stack, and raise awareness of its severity. In our first work, we propose a practical physical (PHY) layer security framework FOG, for effective packet header obfuscation using MIMO, to prevent eavesdroppers from receiving any packet headers to profile users. Secondly, we identify and fix a subtle yet serious pure off-path side channel vulnerability (CVE-2016-5696) introduced in both TCP specification and its implementation in Linux kernel. This vulnerability allows malicious attackers to indicate arbitrary TCP connection’s state, reset the connection or even further hijack the connection. Motivated by the fact that most previous TCP side channel vulnerabilities are manually identified, in our last work, we propose a principled TCP side channel vulnerability discovery solution based on model checking and program analysis. It automatically identifies 12 new side channel vulnerabilities (and 3 old ones) from TCP implementation in Linux and FreeBSD kernel code. The ultimate goal of my research is to help guide the future design and implementation of network stacks

Design and Test of an Event Detector and Locator for the ReflectoActive™ Seals System

The purpose of this thesis was to research, design, develop and test a novel instrument for detecting fiber optic loop continuity and spatially locating fiber optic breaches. The work is for an active seal system called ReflectoActive™ Seals whose purpose is to provide real time container tamper indication. A Field Programmable Gate Array was used to implement a loop continuity detector and a spatial breach locator based on a high acquisition speed single photon counting optical time domain reflectometer. Communication and other control features were added in order to create a usable instrument that met defined requirements. A host graphical user interface was developed to illustrate system use and performance. The resulting device meets performance specifications by exhibiting a dynamic range of 27dB and a spatial resolution of 1.5 ft. The communication scheme used expands installation options and allows the device to communicate to a central host via existing Local Area Networks and/or the Internet

Cyber Attack Surface Mapping For Offensive Security Testing

Security testing consists of automated processes, like Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST), as well as manual offensive security testing, like Penetration Testing and Red Teaming. This nonautomated testing is frequently time-constrained and difficult to scale. Previous literature suggests that most research is spent in support of improving fully automated processes or in finding specific vulnerabilities, with little time spent improving the interpretation of the scanned attack surface critical to nonautomated testing. In this work, agglomerative hierarchical clustering is used to compress the Internet-facing hosts of 13 representative companies as collected by the Shodan search engine, resulting in an average 89% reduction in attack surface complexity. The work is then extended to map network services and also analyze the characteristics of the Log4Shell security vulnerability and its impact on attack surface mapping. The results highlighted outliers indicative of possible anti-patterns as well as opportunities to improve how testers and tools map the web attack surface. Ultimately the work is extended to compress web attack surfaces based on security relevant features, demonstrating via accuracy measurements not only that this compression is feasible but can also be automated. In the process a framework is created which could be extended in future work to compress other attack surfaces, including physical structures/campuses for physical security testing and even humans for social engineering tests

IoT-HASS: A Framework For Protecting Smart Home Environment

While many solutions have been proposed for smart home security, the problem that no single solution fully protects the smart home environment still exists. In this research we propose a security framework to protect the smart home environment. The proposed framework includes three engines that complement each other to protect the smart home IoT devices. The first engine is an IDS/IPS module that monitors all traffic in the home network and then detects, alerts users, and/or blocks packets using anomaly-based detection. The second engine works as a device management module that scans and verifies IoT devices in the home network, allowing the user to flag any suspect device. The third engine works as a privacy monitoring module that monitors and detects information transmitted in plaintext and alerts the user if such information is detected. We call the proposed system IoT-Home Advanced Security System or IoT-HASS for short. IoT-HASS was developed using Python 3 and can be implemented in two modes of operation. The in-line mode allows the IoT-HASS to be installed in-line with the traffic inside a Raspberry Pi or a Router. In the in-line mode IoT-HASS acts as an IPS that can detect and block threats as well as alert the user. The second mode is the passive mode where IoT-HASS in not installed in-line with the traffic and can act as an IDS that passively monitors the traffic, detecting threats and alerting the user, but not blocking the attack. IoT-HASS was evaluated via four testing scenarios. It demonstrated superior performance in all testing scenarios in detecting attacks such as DDoS attacks, Brute Force Attacks, and Cross Site Scripting (XSS) Attacks. In each of the four test scenarios, we also tested the device management functionality, which we found to successfully scan and display IoT devices for the homeowner. The extensive evaluating and testing of IoT-HASS showed that IoT-HASS can successfully run in a small device such as a Raspberry Pi, and thus, it will most likely run in an embedded device as an IoT device. Our future research will concentrate on strengthening the current features of IoT-HASS to include additional functionalities

Development of PCI Embedded Card Useful for Microcontroller Trainer

Not availabl

Ceramic applications in turbine engines

Development testing activities on the 1900 F-configuration ceramic parts were completed, 2070 F-configuration ceramic component rig and engine testing was initiated, and the conceptual design for the 2265 F-configuration engine was identified. Fabrication of the 2070 F-configuration ceramic parts continued, along with burner rig development testing of the 2070 F-configuration metal combustor in preparation for 1132 C (2070 F) qualification test conditions. Shakedown testing of the hot engine simulator (HES) rig was also completed in preparation for testing of a spin rig-qualified ceramic-bladed rotor assembly at 1132 C (2070 F) test conditions. Concurrently, ceramics from new sources and alternate materials continued to be evaluated, and fabrication of 2070 F-configuration ceramic component from these new sources continued. Cold spin testing of the critical 2070 F-configuration blade continued in the spin test rig to qualify a set of ceramic blades at 117% engine speed for the gasifier turbine rotor. Rig testing of the ceramic-bladed gasifier turbine rotor assembly at 108% engine speed was also performed, which resulted in the failure of one blade. The new three-piece hot seal with the nickel oxide/calcium fluoride wearface composition was qualified in the regenerator rig and introduced to engine operation wiwth marginal success

Using program behaviour to exploit heterogeneous multi-core processors

Multi-core CPU architectures have become prevalent in recent years. A number of multi-core CPUs consist of not only multiple processing cores, but multiple different types of processing cores, each with different capabilities and specialisations. These heterogeneous multi-core architectures (HMAs) can deliver exceptional performance; however, they are notoriously difficult to program effectively. This dissertation investigates the feasibility of ameliorating many of the difficulties encountered in application development on HMA processors, by employing a behaviour aware runtime system. This runtime system provides applications with the illusion of executing on a homogeneous architecture, by presenting a homogeneous virtual machine interface. The runtime system uses knowledge of a program's execution behaviour, gained through explicit code annotations, static analysis or runtime monitoring, to inform its resource allocation and scheduling decisions, such that the application makes best use of the HMA's heterogeneous processing cores. The goal of this runtime system is to enable non-specialist application developers to write applications that can exploit an HMA, without the developer requiring in-depth knowledge of the HMA's design. This dissertation describes the development of a Java runtime system, called Hera-JVM, aimed at investigating this premise. Hera-JVM supports the execution of unmodified Java applications on both processing core types of the heterogeneous IBM Cell processor. An application's threads of execution can be transparently migrated between the Cell's different core types by Hera-JVM, without requiring the application's involvement. A number of real-world Java benchmarks are executed across both of the Cell's core types, to evaluate the efficacy of abstracting a heterogeneous architecture behind a homogeneous virtual machine. By characterising the performance of each of the Cell processor's core types under different program behaviours, a set of influential program behaviour characteristics is uncovered. A set of code annotations are presented, which enable program code to be tagged with these behaviour characteristics, enabling a runtime system to track a program's behaviour throughout its execution. This information is fed into a cost function, which Hera-JVM uses to automatically estimate whether the executing program's threads of execution would benefit from being migrated to a different core type, given their current behaviour characteristics. The use of history, hysteresis and trend tracking, by this cost function, is explored as a means of increasing its stability and limiting detrimental thread migrations. The effectiveness of a number of different migration strategies is also investigated under real-world Java benchmarks, with the most effective found to be a strategy that can target code, such that a thread is migrated whenever it executes this code. This dissertation also investigates the use of runtime monitoring to enable a runtime system to automatically infer a program's behaviour characteristics, without the need for explicit code annotations. A lightweight runtime behaviour monitoring system is developed, and its effectiveness at choosing the most appropriate core type on which to execute a set of real-world Java benchmarks is examined. Combining explicit behaviour characteristic annotations with those characteristics which are monitored at runtime is also explored. Finally, an initial investigation is performed into the use of behaviour characteristics to improve application performance under a different type of heterogeneous architecture, specifically, a non-uniform memory access (NUMA) architecture. Thread teams are proposed as a method of automatically clustering communicating threads onto the same NUMA node, thereby reducing data access overheads. Evaluation of this approach shows that it is effective at improving application performance, if the application's threads can be partitioned across the available NUMA nodes of a system. The findings of this work demonstrate that a runtime system with a homogeneous virtual machine interface can reduce the challenge of application development for HMA processors, whilst still being able to exploit such a processor by taking program behaviour into account

Holistic Network Defense: Fusing Host and Network Features for Attack Classification

This work presents a hybrid network-host monitoring strategy, which fuses data from both the network and the host to recognize malware infections. This work focuses on three categories: Normal, Scanning, and Infected. The network-host sensor fusion is accomplished by extracting 248 features from network traffic using the Fullstats Network Feature generator and from the host using text mining, looking at the frequency of the 500 most common strings and analyzing them as word vectors. Improvements to detection performance are made by synergistically fusing network features obtained from IP packet flows and host features, obtained from text mining port, processor, logon information among others. In addition, the work compares three different machine learning algorithms and updates the script required to obtain network features. Hybrid method results outperformed host only classification by 31.7% and network only classification by 25%. The new approach also reduces the number of alerts while remaining accurate compared with the commercial IDS SNORT. These results make it such that even the most typical users could understand alert classification messages