Method for Enhancing Network Security of Transport Layer by Leveraging Lightweight Chain Verification

Funding: National Key R&D Program of China (2022YFB3102300); National Natural Science Foundation of China (61825204, 61932016, 62132011); Beijing Outstanding Young Scientist Program (BJJWZYJH01201910003011)
Abstract:

The transport layer is a key component of the network protocol stack, responsible for providing end-to-end services to applications on different hosts. Existing transport layer protocols such as TCP give users some basic protection mechanisms, e.g., error control and acknowledgments, which to a certain extent ensure the consistency of the datagrams sent and received by applications on different hosts. However, these transport layer protection mechanisms have serious flaws. For example, the sequence number of a TCP datagram is easy to guess and infer, and the datagram's checksum is computed with the weak ones'-complement sum algorithm. As a result, the existing transport layer security mechanisms cannot guarantee the integrity and security of a datagram, which allows a remote attacker to craft a fake datagram and inject it into the target network stream, thus poisoning that stream. Attacks against the transport layer occur at the basic layers of the network protocol stack, bypass the protection mechanisms enforced at the application layer above, and can therefore cause serious damage to the network infrastructure. After investigating the attacks on network protocol stacks and the related security vulnerabilities reported in recent years, this study proposes a method for enhancing the security of the transport layer based on lightweight chain verification, named LightCTL. Using hash-based verification, LightCTL enables both sides of a TCP connection to form a mutually verifiable consensus on transport layer datagrams, preventing attackers or man-in-the-middle adversaries from stealing or forging sensitive information. As a result, LightCTL foils the typical attacks on the network protocol stack, including TCP connection reset attacks based on sequence number inference, TCP hijacking attacks, SYN flooding attacks, man-in-the-middle attacks, and datagram replay attacks. LightCTL does not require changes to the protocol stack of intermediate network devices such as routers; only the checksum and related parts of the end-host protocol stack are modified. LightCTL is therefore easy to deploy while significantly improving the security of network systems.
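The chained hash verification the abstract describes, as an added illustration that is not the paper's LightCTL implementation (the exact construction is not given on this page): a toy receiver accepts a TCP-like segment only when its keyed tag chains to the last accepted tag, so a replayed segment and a segment injected without the connection key are both rejected. The segment layout, HMAC-SHA256, the 16-byte tag, the shared key and in-order delivery are all assumptions of this example.

```python
import hmac
import hashlib
import struct

TAG_LEN = 16  # truncated keyed-hash tag carried with the segment (assumed size, not from the paper)


def segment_bytes(seq: int, ack: int, flags: int, payload: bytes) -> bytes:
    # Fields the tag covers; a constructed layout standing in for the real TCP header.
    return struct.pack("!IIH", seq, ack, flags) + payload


def chain_tag(key: bytes, prev_tag: bytes, seg: bytes) -> bytes:
    # Keyed hash over (previous tag || segment): binds each segment to its position in the stream.
    return hmac.new(key, prev_tag + seg, hashlib.sha256).digest()[:TAG_LEN]


class ChainVerifier:
    """Receiver state: the per-connection key and the last accepted tag (in-order delivery assumed)."""

    def __init__(self, key: bytes, initial_tag: bytes) -> None:
        self.key, self.prev = key, initial_tag

    def accept(self, seg: bytes, tag: bytes) -> bool:
        expected = chain_tag(self.key, self.prev, seg)
        if not hmac.compare_digest(expected, tag):
            return False        # wrong key, wrong chain position, or modified content
        self.prev = tag         # advance the chain only for accepted segments
        return True


def demo() -> dict:
    # Constructed key; how the endpoints agree on it is outside this example.
    key = hashlib.sha256(b"constructed per-connection secret").digest()
    initial = bytes(TAG_LEN)
    stream = [segment_bytes(1000 + 5 * i, 500, 0x018, b"data%d" % i) for i in range(3)]
    receiver, prev, sent, legit = ChainVerifier(key, initial), initial, [], True
    for seg in stream:                       # legitimate sender: each tag chains from the previous one
        tag = chain_tag(key, prev, seg)
        legit = receiver.accept(seg, tag) and legit
        sent.append((seg, tag))
        prev = tag

    # Replay: the first segment re-delivered with its genuine tag after the chain has moved on.
    replay = receiver.accept(*sent[0])

    # Injection: a party that guessed seq/ack but holds no key can only attach an unkeyed digest.
    injected = segment_bytes(1015, 500, 0x010, b"")
    bogus_tag = hashlib.sha256(receiver.prev + injected).digest()[:TAG_LEN]
    forged = receiver.accept(injected, bogus_tag)

    return {"legit_accepted": legit, "replay_accepted": replay, "forged_accepted": forged}
```

Because the receiver only ever compares against the single last accepted tag, a lost or reordered segment would break the chain in this toy; a deployable design has to tolerate that, which is outside what this example shows.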

Cite this article:

Feng XW, Xu K, Li Q, Yang YX, Zhu M, Fu ST. Method for Enhancing Network Security of Transport Layer by Leveraging Lightweight Chain Verification. Journal of Software, 2024, 35(5): 2503-2521.
History
  • Received: 2022-06-16
  • Revised: 2022-12-06
  • Published online: 2023-08-23
  • Published: 2024-05-06
Copyright: Institute of Software, Chinese Academy of Sciences