Reconfigurable message-delivery preconditions for delivering attacks to analyze the security of networked systems

US 8,316,447 B2
Filed: 11/08/2006
Issued: 11/20/2012
Est. Priority Date: 09/01/2006
Status: Active Grant

First Claim

Patent Images

1. A method for analyzing vulnerability of a network device under analysis (DUA) to protocol abuse of a higher-layer network protocol from a layered network protocol, the layered network protocol including lower-layer network protocols that work with the higher-layer network protocol, the method comprising:

discovering using black box testing a plurality of valid lower-layer message-delivery preconditions for the DUA to receive a message in the higher-layer network protocol, where the plurality of valid lower layer message-delivery preconditions are not known a priori, the discovering comprising repeatedly;

selecting a lower-layer network protocol from the layered network protocol,selecting a configuration of the lower-layer network protocol from a plurality of configurations associated with the lower-layer network protocol, andsending a first message toward the DUA using the selected lower-layer network protocol and the selected configuration;

based on a response or non-response to the first message, determining whether the selected configuration of the selected lower-layer network protocol comprises a valid lower-layer message-delivery precondition by determining whether the selected lower-layer network protocol as implemented in the DUA (1) supports the selected configuration, and (2) is used by the DUA to receive messages in the higher-layer network protocol; and

for at least two of the discovered plurality of valid lower-layer message-delivery preconditions, attacking the DUA multiple times, the attacking comprising;

establishing a lower-layer connection with the DUA using the lower-layer network protocol according to the one of the discovered valid lower-layer message-delivery preconditions,on top of the lower-layer connection, establishing a higher-layer connection with the DUA using the higher-layer network protocol, andthrough the higher-layer connection, sending to the DUA test messages that are invalid mutations of valid messages with respect to the higher-layer network protocol.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security analyzer analyzes a security of a device-under-analysis (DUA). In one embodiment, the security analyzer identifies two or more valid message-delivery preconditions for a communication protocol supported by the DUA. One of the identified valid message-delivery preconditions is selected and the security analyzer delivers an attack to the DUA according to the selected message-delivery precondition. The same or similar attacks can also be delivered to the DUA via other message-delivery preconditions. Based on the DUA'"'"'s response, the security analyzer determines whether a vulnerability has been found.

112 Citations

19 Claims

1. A method for analyzing vulnerability of a network device under analysis (DUA) to protocol abuse of a higher-layer network protocol from a layered network protocol, the layered network protocol including lower-layer network protocols that work with the higher-layer network protocol, the method comprising:
- discovering using black box testing a plurality of valid lower-layer message-delivery preconditions for the DUA to receive a message in the higher-layer network protocol, where the plurality of valid lower layer message-delivery preconditions are not known a priori, the discovering comprising repeatedly;
  
  selecting a lower-layer network protocol from the layered network protocol,selecting a configuration of the lower-layer network protocol from a plurality of configurations associated with the lower-layer network protocol, andsending a first message toward the DUA using the selected lower-layer network protocol and the selected configuration;
  
  based on a response or non-response to the first message, determining whether the selected configuration of the selected lower-layer network protocol comprises a valid lower-layer message-delivery precondition by determining whether the selected lower-layer network protocol as implemented in the DUA (1) supports the selected configuration, and (2) is used by the DUA to receive messages in the higher-layer network protocol; and
  
  for at least two of the discovered plurality of valid lower-layer message-delivery preconditions, attacking the DUA multiple times, the attacking comprising;
  
  establishing a lower-layer connection with the DUA using the lower-layer network protocol according to the one of the discovered valid lower-layer message-delivery preconditions,on top of the lower-layer connection, establishing a higher-layer connection with the DUA using the higher-layer network protocol, andthrough the higher-layer connection, sending to the DUA test messages that are invalid mutations of valid messages with respect to the higher-layer network protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 15)
- - 2. The method of claim 1 wherein the selecting a configuration of the lower-layer network protocol comprises:
    - selecting a proper protocol state for the lower layer network protocol.
  - 3. The method of claim 1, wherein the selecting a configuration of the lower-layer network protocol comprises:
    - selecting a feature of the lower-layer network protocol, wherein determining whether the configuration of the lower-layer network protocol comprises a valid lower-layer message-delivery precondition comprises determining whether the feature is enabled in the lower-layer network protocol as implemented in the DUA.
  - 4. The method of claim 1, wherein the lower-layer network protocol comprises at least one selected from a group consisting of:
    - transport layer protocols, network layer protocols, data link layer protocols, and tunneling protocols.
  - 5. The method of claim 2, wherein the proper protocol state comprises at least one selected from a group consisting of:
    - a proper authentication scheme and a proper initial protocol negotiation option.
  - 6. The method of claim 3, wherein the lower-layer network protocol comprises an Internet Protocol (IP), and the feature comprises Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6).
  - 7. The method of claim 1, wherein the determining whether the configuration of the lower-layer network protocol comprises a valid lower-layer message-delivery precondition comprises:
    - sending a test message to the DUA using the lower-layer network protocol according to the configuration; and
      
      analyzing a response from the DUA to determine whether the configuration of the lower-layer network protocol comprises a valid lower-layer message-delivery precondition.
  - 8. The method of claim 1,wherein the selecting the lower-layer network protocol comprises selecting two or more lower-layer network protocols from the layered network protocol,wherein the selecting the configuration of the lower-layer network protocol comprises selecting a configuration for each of the two or more lower-layer network protocols, andwherein the determining whether the configuration of the lower-layer network protocol comprises a valid lower-layer message-delivery precondition further comprises determining, for each of the two or more lower-layer network protocols, whether the lower-layer network protocol as implemented in the DUA (1) supports the configuration, and (2) is used by the DUA to receive a message in the higher-layer network protocol.
  - 9. The method of claim 1, further comprising:
    - detecting network protocols implemented by the DUA; and
      
      adding the detected network protocols into the layered network protocol.
  - 10. The method of claim 1, wherein the higher-layer network protocol comprises an application layer protocol.
  - 11. The method of claim 1, wherein the higher-layer network protocol comprises at least one selected from a group consisting of:
    - Simple Mail Transfer Protocol (SMTP), File Transfer Protocol (FTP), and Hyper Text Transfer Protocol (HTTP).
  - 12. The method of claim 1, wherein attacking the DUA further comprises:
    - sending to the DUA test messages that are invalid with respect to the lower-layer network protocol.
  - 15. The method of claim 2, wherein establishing a lower-layer connection with the DUA using the lower-layer network protocol according to the one of the discovered valid lower-layer message-delivery preconditions comprises:
    - selecting the proper protocol state for the lower layer network protocol that allows delivery of the higher layer test messages and that was identified;
      
      transmitting messages using the lower level protocol that change the state of the lower level protocol to the proper state.

13. A security analyzer apparatus for analyzing a security of a device under analysis (DUA), comprising:
- a non-transitory computer-readable storage medium encoded with executable computer program code for analyzing vulnerability of a network device under analysis (DUA) to protocol abuse of a higher-layer network protocol from a layered network protocol, the layered network protocol including lower-layer network protocols that work with the higher-layer network protocol, the computer program code comprising program code configured to;
  
  discover using black box testing a plurality of valid lower-layer message-delivery preconditions for the DUA to receive a message in the higher-layer network protocol, where the plurality of valid lower layer message-delivery preconditions are not known a priori, the discovering comprising repeatedly;
  
  selecting a lower-layer network protocol from the layered network protocol,selecting a configuration of the lower-layer network protocol from a plurality of configurations associated with the lower-layer network protocol, andsending a first message toward the DUA using the selected lower-layer network protocol and the selected configuration;
  
  based on a response or non-response to the first message, determining whether the selected configuration of the selected lower-layer network protocol comprises a valid lower-layer message-delivery precondition by determining whether the selected lower-layer network protocol as implemented in the DUA (1) supports the selected configuration, and (2) is used by the DUA to receive messages in the higher-layer network protocol; and
  
  ,for at least two of the discovered plurality of valid lower-layer message-delivery preconditions, attack the DUA multiple times, the attack comprising;
  
  establishing a lower-layer connection with the DUA using the lower-layer network protocol according to the one of the discovered valid lower-layer message-delivery preconditions,on top of the lower-layer connection, establishing a higher-layer connection with the DUA using the higher-layer network protocol, andthrough the higher-layer connection, sending to the DUA test messages that are invalid mutations of valid messages with respect to the higher-layer network protocol.
- View Dependent Claims (18, 19)
- - 18. The security analyzer of claim 13, wherein the selecting a configuration of the lower-layer network protocol comprises:
    - selecting a proper protocol state for the lower layer network protocol.
  - 19. The security analyzer of claim 18, wherein establishing a lower-layer connection with the DUA using the lower-layer network protocol according to the one of the discovered valid lower-layer message-delivery preconditions comprises:
    - selecting the proper protocol state for the lower layer network protocol that allows delivery of the higher layer test messages;
      
      transmitting messages using the lower level protocol that change the state of the lower level protocol to the proper state.

14. A non-transitory computer-readable storage medium encoded with executable computer program code for analyzing vulnerability of a network device under analysis (DUA) to protocol abuse of a higher-layer network protocol from a layered network protocol, the layered network protocol including lower-layer network protocols that work with the higher-layer network protocol, the computer program code comprising program code configured to:
- discover using black box testing a plurality of valid lower-layer message-delivery preconditions for the DUA to receive a message in the higher-layer network protocol, where the plurality of valid lower layer message-delivery preconditions are not known a priori, the discovering comprising repeatedly;
  
  selecting a lower-layer network protocol from the layered network protocol,selecting a configuration of the lower-layer network protocol from a plurality of configurations associated with the lower-layer network protocol, andsending a first message toward the DUA using the selected lower-layer network protocol and the selected configuration;
  
  based on a response or non-response to the first message, determining whether the selected configuration of the selected lower-layer network protocol comprises a valid lower-layer message-delivery precondition by determining whether the selected lower-layer network protocol as implemented in the DUA (1) supports the selected configuration, and (2) is used by the DUA to receive messages in the higher-layer network protocol; and
  
  ,for at least two of the discovered plurality of valid lower-layer message-delivery preconditions, attack the DUA multiple times, the attack comprising;
  
  establishing a lower-layer connection with the DUA using the lower-layer network protocol according to the one of the discovered valid lower-layer message-delivery preconditions,on top of the lower-layer connection, establishing a higher-layer connection with the DUA using the higher-layer network protocol, andthrough the higher-layer connection, sending to the DUA test messages that are invalid mutations of valid messages with respect to the higher-layer network protocol.
- View Dependent Claims (16, 17)
- - 16. The medium of claim 14, wherein the selecting a configuration of the lower-layer network protocol comprises:
    - selecting a proper protocol state for the lower layer network protocol.
  - 17. The medium of claim 16, wherein establishing a lower-layer connection with the DUA using the lower-layer network protocol according to the one of the discovered valid lower-layer message-delivery preconditions comprises:
    - selecting the proper protocol state for the lower layer network protocol that allows delivery of the higher layer test messages;
      
      transmitting messages using the lower level protocol that change the state of the lower level protocol to the proper state.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Spirent Communications Incorporated
Original Assignee
Mu Dynamics, Inc.
Inventors
Guruswamy, Kowsik
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Branske, Hilary

Application Number

US11/557,945
Publication Number

US 20080072322A1
Time in Patent Office

2,204 Days
Field of Search

713/187, 713/188, 726/3, 726/4, 726/5, 726/11, 726/22, 726/23, 726/24, 726/25, 714/41, 714/38, 714/39, 714/43, 709/223, 709/224, 370/252
US Class Current

726/25
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 2221/2105   Dual mode as a secondary as...

H04L 63/1433   Vulnerability analysis

Reconfigurable message-delivery preconditions for delivering attacks to analyze the security of networked systems

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

112 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Reconfigurable message-delivery preconditions for delivering attacks to analyze the security of networked systems

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links