Knocking down the HACIENDA with TCP Stealth

Size: px

Start display at page:

Download "Knocking down the HACIENDA with TCP Stealth"

Merryl Conley
5 years ago
Views:

1 Knocking down the HACIENDA with TCP Stealth Christian Grothoff Actual work: Julian Kirsch Technische Universität München July 23, 2015

2 Knocking down the HACIENDA 1/29

3 Knocking down the HACIENDA 2/29

4 Knocking down the HACIENDA 3/29

5 Knocking down the HACIENDA 4/29

6 Knocking down the HACIENDA 5/29

7 Knocking down the HACIENDA 6/29

8 Knocking down the HACIENDA 7/29

9 Knocking down the HACIENDA 8/29

10 Knocking down the HACIENDA 9/29

11 Knocking down the HACIENDA 10/29

12 Knocking down the HACIENDA 11/29

13 Knocking down the HACIENDA 12/29

14 So, is it all lost? Knocking down the HACIENDA 13/29

15 Two Solutions Backwards-compatible minimally invasive hotfix (TCP Stealth) Clean-slate principled rearchitecture Knocking down the HACIENDA 14/29

16 An Introduction to Port Knocking No knock, no fun Port knocking example Host 1 Host 2 Host 1 Host 2 SYN (SEQ = x 0 ) port 4242 SYN (SEQ = x) port 22 RST (SEQ = y 0, ACK = x 0 + 1) Time RST (SEQ = y, ACK = x + 1) Time SYN (SEQ = x 1 ) port 1337 RST (SEQ = y 1, ACK = x 1 + 1) SYN (SEQ = x 2 ) port 22 SYN (SEQ = y 2, ACK = x 2 + 1) (SEQ = x 2 + 1, ACK = y 2 + 1) Knocking down the HACIENDA 15/29

17 Design Overview 2. Practical and Secure Stealthy Servers Knocking down the HACIENDA 16/29

18 Design Stealthiness Source Port Sequence Number Acknowledgement Number Destination Port Data Offset Reserved U R G A CK P SH R ST S YN F IN Window Checksum Options Urgent Pointer Knocking down the HACIENDA 17/29

19 Design (v1) Security Destination IP address IP d Destination port P d TCP timestamp T Pre-Shared Key S Hash function h Authentication Security Token (AV) AV := h((ip d, P d, T), S) ISN := AV Knocking down the HACIENDA 18/29

20 Knocking down the HACIENDA 19/29

21 Design (v2) Security Destination IP address IP d Destination port P d TCP timestamp T Pre-Shared Key S Hash functions h, h Payload p TCP Payload Integrity Protector IH IH := h (S p) Authentication Security Token AV AV := h((ip d, P d, T, IH), S) ISN := AV IH Knocking down the HACIENDA 20/29

22 Host 1 Host 2 SYN (SEQ = x = (AV IH)) AV correct? Time RST (SEQ = y, ACK = x + 1) ACK (SEQ = y, ACK = x + 1) (SEQ = x + 1, ACK = y + 1) no yes IH correct? Payload RST (SEQ = y + 1, ACK = x + 2)... no yes Knocking down the HACIENDA 21/29

23 Design Ease of Use Source IP and Port not included in ISN generation Compatibility with NATs Knocking is implemented in the kernel No fiddling with config-files, firewall rules or daemons Trivial to use from an application developer s perspective Knocking down the HACIENDA 22/29

24 Design Ease of Use TCP Stealth Server 1 char s e c r e t [ 6 4 ] = " This i s my magic ID. " ; 2 i n t payload_len = 4 ; 3 i n t sock ; 4 5 sock = socket ( AF_INET, SOCK_STREAM, IPPROTO_TCP) ; 6 i f ( sock < 0) { 7 p r i n t f ( " socket ( ) f a i l e d, %s\n", s t r e r r o r ( errno ) ) ; 8 return 1 ; 9 } 10 i f ( setsockopt ( sock, IPPROTO_TCP, TCP_STEALTH, s e c r e t, s i z e o f ( s e c r e t ) ) ) { 11 p r i n t f ( " setsockopt ( ) f a i l e d, %s\n", s t r e r r o r ( errno ) ) ; 12 return 1 ; 13 } 14 i f ( setsockopt ( sock, IPPROTO_TCP, TCP_STEALTH_INTEGRITY_LEN, 15 &payload_len, si ze of ( payload_len ) ) ) { 16 p r i n t f ( " setsockopt ( ) f a i l e d, %s\n", s t r e r r o r ( errno ) ) ; 17 return 1 ; 18 } 19 / Continue with bind ( ), l i s t e n ( ), a c c e p t ( ), r e c v ( ),... / Knocking down the HACIENDA 23/29

25 Design Ease of Use TCP Stealth Client 1 char s e c r e t [ 6 4 ] = " This i s my magic ID. " ; 2 char payload [ 4 ] = " 1234 " ; 3 i n t sock ; 4 5 sock = socket ( AF_INET, SOCK_STREAM, IPPROTO_TCP) ; 6 i f ( sock < 0) { 7 p r i n t f ( " socket ( ) f a i l e d, %s\n", s t r e r r o r ( errno ) ) ; 8 return 1 ; 9 } 10 i f ( setsockopt ( sock, IPPROTO_TCP, TCP_STEALTH, s e c r e t, s i z e o f ( s e c r e t ) ) ) { 11 p r i n t f ( " setsockopt ( ) f a i l e d, %s\n", s t r e r r o r ( errno ) ) ; 12 return 1 ; 13 } 14 i f ( setsockopt ( sock, IPPROTO_TCP, TCP_STEALTH_INTEGRITY, 15 payload, s i z e o f ( payload ) ) ) { 16 p r i n t f ( " setsockopt ( ) f a i l e d, %s\n", s t r e r r o r ( errno ) ) ; 17 return 1 ; 18 } 19 / Continue with c o n n e c t ( ), send ( ),... / Knocking down the HACIENDA 24/29

26 Design Ease of Use libknockify Shared library for use at compile- or run-time Enables TCP Stealth functionality for legacy code $ LD_PRELOAD=./libknockify.so ncat knock-server application-port Configuration options (such as the TCP Stealth secret) are given as environment variables or via a special file Knocking down the HACIENDA 25/29

27 Limitations Distribution of the Pre-Shared Key ISN has only 32 bits Knocking down the HACIENDA 26/29

28 Limitations Distribution of the Pre-Shared Key ISN has only 32 bits Changes to ISN and TSVal by middle boxes: TCP Port Behavior Unchanged 126 (93%) 116 (82%) 128 (90%) Mod. outbound 5 (4%) 5 (4%) 6 (4%) Mod. inbound 0 (0%) 1 (1%) 1 (1%) Mod. both 4 (3%) 13 (9%) 7 (5%) Proxy (probably mod. both) 0 (0%) 7 (5%) 0 (0%) Total 135 (100%) 142 (100%) 142 (100%) Numbers by Honda et al. Is it Still Possible to Extend TCP? Knocking down the HACIENDA 26/29

29 Working Code... Implemented for 3+ Linux kernel versions Implemented for FreeBSD Holger Kenn (MSFT) said would be easy to do in W32-Kernel(s) Sample client and server programs Patches for OpenSSH, GNUnet, systemd libknockify(.so) LD_PRELOAD Master s thesis, presentations, website, article in 5 languages Tested in big-endian/little-endian platforms (incl. compatibility) Draft has test vectors, detailed protocol specification Based on 1 year of community feedback, authors clueless about what else to do. Except find the right WG. Spencer solved that. Knocking down the HACIENDA 27/29

30 Why standardize... Port scanning is a well-known vulnerability. We need to address it. Implementations need to be compatible. Kernels must offer it for ease of deployment. Kernels will only ship by default if standardized. (Some GNU/Linux distributions already ship this anyway.) This does not solve all issues, but as many as we can with maximum backwards compatiability. Knocking down the HACIENDA 28/29

31 ... and rough consensus? Find more information at: Thanks to: JULIAN KIRSCH JACOB APPELBAUM MONIKA ERMERT LAURA POITRAS HENRIK MOLTKE MAURICE LECLAIRE ANDREAS ENGE BART POLOT LUCA SAIU THE SOURCE This work was funded by the Deutsche Forschungsgemeinschaft (DFG) under ENP GR 3688/1-1. Slides will be at Knocking down the HACIENDA 29/29

Knocking down the HACIENDA with TCP Stealth

Knocking down the HACIENDA with TCP Stealth Christian Grothoff Actual work: Julian Kirsch Technische Universität München May 8, 2015 Knocking down the HACIENDA 1/1 Knocking down the HACIENDA 2/1 Knocking