Knocking down the HACIENDA with TCP Stealth

Size: px

Start display at page:

Download "Knocking down the HACIENDA with TCP Stealth"

Linda Oliver
5 years ago
Views:

1 Knocking down the HACIENDA with TCP Stealth Christian Grothoff Actual work: Julian Kirsch Technische Universität München May 8, 2015

2 Knocking down the HACIENDA 1/1

3 Knocking down the HACIENDA 2/1

4 Knocking down the HACIENDA 3/1

5 Knocking down the HACIENDA 4/1

6 Knocking down the HACIENDA 5/1

7 Knocking down the HACIENDA 6/1

8 Knocking down the HACIENDA 7/1

9 Knocking down the HACIENDA 8/1

10 Knocking down the HACIENDA 9/1

11 Knocking down the HACIENDA 10/1

12 Knocking down the HACIENDA 11/1

13 Knocking down the HACIENDA 12/1

14 Knocking down the HACIENDA 13/1

15 Knocking down the HACIENDA 14/1

16 Knocking down the HACIENDA 15/1

17 Knocking down the HACIENDA 16/1

18 Knocking down the HACIENDA 17/1

19 Knocking down the HACIENDA 18/1

20 Knocking down the HACIENDA 19/1

21 So, is it all lost? Knocking down the HACIENDA 20/1

22 Two Solutions Backwards-compatible minimally invasive hotfix Clean-slate principled rearchitecture Knocking down the HACIENDA 21/1

23 An Introduction to Port Knocking No knock, no fun Port knocking example Host 1 Host 2 Host 1 Host 2 SYN (SEQ = x 0 ) port 4242 SYN (SEQ = x) port 22 RST (SEQ = y 0, ACK = x 0 + 1) Time RST (SEQ = y, ACK = x + 1) Time SYN (SEQ = x 1 ) port 1337 RST (SEQ = y 1, ACK = x 1 + 1) SYN (SEQ = x 2 ) port 22 SYN (SEQ = y 2, ACK = x 2 + 1) (SEQ = x 2 + 1, ACK = y 2 + 1) Knocking down the HACIENDA 22/1

24 Design Overview 2. Practical and Secure Stealthy Servers Knocking down the HACIENDA 23/1

25 Design Stealthiness Source Port Sequence Number Acknowledgement Number Destination Port Data Offset Reserved U R G A CK P SH R ST S YN F IN Window Checksum Options Urgent Pointer Knocking down the HACIENDA 24/1

26 Design (v1) Security Destination IP address IP d Destination port P d TCP timestamp T Pre-Shared Key S Hash function h Authentication Security Token (AV) AV := h((ip d, P d, T), S) ISN := AV Knocking down the HACIENDA 25/1

27 Knocking down the HACIENDA 26/1

28 Design (v2) Security Destination IP address IP d Destination port P d TCP timestamp T Pre-Shared Key S Hash functions h, h Payload p TCP Payload Integrity Protector IH IH := h (S p) Authentication Security Token AV AV := h((ip d, P d, T, IH), S) ISN := AV IH Knocking down the HACIENDA 27/1

29 Host 1 Host 2 SYN (SEQ = x = (AV IH)) AV correct? Time RST (SEQ = y, ACK = x + 1) ACK (SEQ = y, ACK = x + 1) (SEQ = x + 1, ACK = y + 1) no yes IH correct? Payload RST (SEQ = y + 1, ACK = x + 2)... no yes Knocking down the HACIENDA 28/1

30 Design Ease of Use Source IP and Port not included in ISN generation Compatibility with NATs Knocking is implemented in the kernel No fiddling with config-files, firewall rules or daemons Trivial to use from an application developer s perspective Knocking down the HACIENDA 29/1

31 Design Ease of Use TCP Stealth Server 1 char s e c r e t [ 6 4 ] = " This i s my magic ID. " ; 2 i n t payload_len = 4 ; 3 i n t sock ; 4 5 sock = socket ( AF_INET, SOCK_STREAM, IPPROTO_TCP) ; 6 i f ( sock < 0) { 7 p r i n t f ( " socket ( ) f a i l e d, %s\n", s t r e r r o r ( errno ) ) ; 8 return 1 ; 9 } 10 i f ( setsockopt ( sock, IPPROTO_TCP, TCP_STEALTH, s e c r e t, s i z e o f ( s e c r e t ) ) ) { 11 p r i n t f ( " setsockopt ( ) f a i l e d, %s\n", s t r e r r o r ( errno ) ) ; 12 return 1 ; 13 } 14 i f ( setsockopt ( sock, IPPROTO_TCP, TCP_STEALTH_INTEGRITY_LEN, 15 &payload_len, si ze of ( payload_len ) ) ) { 16 p r i n t f ( " setsockopt ( ) f a i l e d, %s\n", s t r e r r o r ( errno ) ) ; 17 return 1 ; 18 } 19 / Continue with bind ( ), l i s t e n ( ), a c c e p t ( ), r e c v ( ),... / Knocking down the HACIENDA 30/1

32 Design Ease of Use TCP Stealth Client 1 char s e c r e t [ 6 4 ] = " This i s my magic ID. " ; 2 char payload [ 4 ] = " 1234 " ; 3 i n t sock ; 4 5 sock = socket ( AF_INET, SOCK_STREAM, IPPROTO_TCP) ; 6 i f ( sock < 0) { 7 p r i n t f ( " socket ( ) f a i l e d, %s\n", s t r e r r o r ( errno ) ) ; 8 return 1 ; 9 } 10 i f ( setsockopt ( sock, IPPROTO_TCP, TCP_STEALTH, s e c r e t, s i z e o f ( s e c r e t ) ) ) { 11 p r i n t f ( " setsockopt ( ) f a i l e d, %s\n", s t r e r r o r ( errno ) ) ; 12 return 1 ; 13 } 14 i f ( setsockopt ( sock, IPPROTO_TCP, TCP_STEALTH_INTEGRITY, 15 payload, s i z e o f ( payload ) ) ) { 16 p r i n t f ( " setsockopt ( ) f a i l e d, %s\n", s t r e r r o r ( errno ) ) ; 17 return 1 ; 18 } 19 / Continue with c o n n e c t ( ), send ( ),... / Knocking down the HACIENDA 31/1

33 Design Ease of Use libknockify Shared library for use at compile- or run-time Enables TCP Stealth functionality for legacy code $ LD_PRELOAD=./libknockify.so ncat knock-server application-port Configuration options (such as the TCP Stealth secret) are given as environment variables or via a special file Knocking down the HACIENDA 32/1

34 Limitations Distribution of the Pre-Shared Key ISN has only 32 bits Knocking down the HACIENDA 33/1

35 Limitations Distribution of the Pre-Shared Key ISN has only 32 bits Changes to ISN and TSVal by middle boxes: TCP Port Behavior Unchanged 126 (93%) 116 (82%) 128 (90%) Mod. outbound 5 (4%) 5 (4%) 6 (4%) Mod. inbound 0 (0%) 1 (1%) 1 (1%) Mod. both 4 (3%) 13 (9%) 7 (5%) Proxy (probably mod. both) 0 (0%) 7 (5%) 0 (0%) Total 135 (100%) 142 (100%) 142 (100%) Numbers by Honda et al. Is it Still Possible to Extend TCP? Knocking down the HACIENDA 33/1

36 Limitations Distribution of the Pre-Shared Key ISN has only 32 bits Changes to ISN and TSVal by middle boxes: TCP Port Behavior Unchanged 126 (93%) 116 (82%) 128 (90%) Mod. outbound 5 (4%) 5 (4%) 6 (4%) Mod. inbound 0 (0%) 1 (1%) 1 (1%) Mod. both 4 (3%) 13 (9%) 7 (5%) Proxy (probably mod. both) 0 (0%) 7 (5%) 0 (0%) Total 135 (100%) 142 (100%) 142 (100%) Numbers by Honda et al. Is it Still Possible to Extend TCP? IETF, Linux and FreeBSD communities so far fail to adopt Knocking down the HACIENDA 33/1

37 Cat break (sponsored by IRTF) Knocking down the HACIENDA 34/1

38 HACIENDA is a port mapper. Knocking down the HACIENDA 35/1

39 HACIENDA is a port mapper. What else does the NSA map? Knocking down the HACIENDA 35/1

40 HACIENDA is a port mapper. What else does the NSA map? Let s ask The Intercept... Knocking down the HACIENDA 35/1

41 Knocking down the HACIENDA 36/1

42 Time to Build a NEWGNU Network Knocking down the HACIENDA 37/1

43 The NEWGNU Network (very simplified) Internet Google DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer Knocking down the HACIENDA 38/1

44 The NEWGNU Network (very simplified) Internet Google DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer HTTPS/TCP/WLAN/... Knocking down the HACIENDA 38/1

45 The NEWGNU Network (very simplified) Internet Google DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer CORE (OTR) HTTPS/TCP/WLAN/... Knocking down the HACIENDA 38/1

46 The NEWGNU Network (very simplified) Internet Google DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer R 5 N DHT (KBR) CORE (OTR) HTTPS/TCP/WLAN/... Knocking down the HACIENDA 38/1

47 The NEWGNU Network (very simplified) Internet Google DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer CADET (SCTP+Axolotl+TCP Stealth) R 5 N DHT (KBR) CORE (OTR) HTTPS/TCP/WLAN/... Knocking down the HACIENDA 38/1

48 The NEWGNU Network (very simplified) Internet Google DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer GNU Name System CADET (SCTP+Axolotl+TCP Stealth) R 5 N DHT (KBR) CORE (OTR) HTTPS/TCP/WLAN/... Knocking down the HACIENDA 38/1

49 The NEWGNU Network (very simplified) Internet Google DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer Applications GNU Name System CADET (SCTP+Axolotl+TCP Stealth) R 5 N DHT (KBR) CORE (OTR) HTTPS/TCP/WLAN/... Knocking down the HACIENDA 38/1

50 The NEWGNU Network (very simplified) Internet Google DNS/X.509 TCP/UDP IP/BGP Ethernet Phys. Layer GNUnet Applications GNU Name System CADET (SCTP+Axolotl+TCP Stealth) R 5 N DHT (KBR) CORE (OTR) HTTPS/TCP/WLAN/... Knocking down the HACIENDA 38/1

51 Limitations Distribution of the Pre-Shared Key use GNU Name System Knocking down the HACIENDA 39/1

52 Limitations Distribution of the Pre-Shared Key use GNU Name System ISN has only 32 bits use 256 bits Knocking down the HACIENDA 39/1

53 Limitations Distribution of the Pre-Shared Key use GNU Name System ISN has only 32 bits use 256 bits Changes to ISN and TSVal by middle boxes irrelevant in overlay Knocking down the HACIENDA 39/1

54 Limitations Distribution of the Pre-Shared Key use GNU Name System ISN has only 32 bits use 256 bits Changes to ISN and TSVal by middle boxes irrelevant in overlay IETF, Linux and FreeBSD communities so far fail to adopt all in userspace Knocking down the HACIENDA 39/1

55 Limitations Distribution of the Pre-Shared Key use GNU Name System ISN has only 32 bits use 256 bits Changes to ISN and TSVal by middle boxes irrelevant in overlay IETF, Linux and FreeBSD communities so far fail to adopt all in userspace More issues to address more research! (not done yet!) Knocking down the HACIENDA 39/1

56 A Pattern of Hope Spy Program Target Defense Started FTM/TRACFIN SWIFT/VISA/etc. DigiCash/GNU Taler 1990 TREASUREMAP Internet (all) Freenet/GNUnet/Tor 2000 HACIENDA vuln. TCP service Port Knocking 2000 BULLRUN/DUAL_EC_DRBG PRNG (backdoor) n/a 2004 BULLRUN/LONGHAUL TLS/IPSEC (keys) OTR/AXOLOTL 2004 MJOLNIR Long-path in Tor Tor PRISM US big data corps SecuShare 2009 MORECOWBELL DNS GNU Name System Knocking down the HACIENDA 40/1

57 Questions? Find more information at: Thanks to: JULIAN KIRSCH JACOB APPELBAUM MONIKA ERMERT LAURA POITRAS HENRIK MOLTKE MAURICE LECLAIRE ANDREAS ENGE BART POLOT LUCA SAIU THE SOURCE This work was funded by the Deutsche Forschungsgemeinschaft (DFG) under ENP GR 3688/1-1. Slides will be at Knocking down the HACIENDA 41/1

58 Limitations RFC 1323: TCP Extensions for High Performance Source Port Sequence Number Acknowledgement Number Destination Port Data Offset Reserved U R G A CK P SH R ST S YN F IN Window Checksum Options Urgent Pointer Kind=8 10 TS Value (TSval) TS Value (TSval) TS Echo Reply (TSecr) Options TS Echo Reply (TSecr) Options Knocking down the HACIENDA 42/1

Knocking down the HACIENDA with TCP Stealth

Knocking down the HACIENDA with TCP Stealth Christian Grothoff Actual work: Julian Kirsch Technische Universität München July 23, 2015 Knocking down the HACIENDA 1/29 Knocking down the HACIENDA 2/29 Knocking