Evaluating the Security Threat of Instruction Corruptions in Firewalls
Shuo Chen, Jun Xu, Ravishankar K. Iyer, Keith Whisnant
Center of Reliable and High Performance Computing
Coordinated Science Laboratory
University of Illinois at Urbana-Champaign
June 24, 2002
Objectives
• Can transient errors cause security vulnerabilities in firewall software?
• Combine fault injection measurement with processor architecture details to develop a SAN model depicting the reliability, performance, and security of the firewall.
• Use the SAN model and publicly available security data to assess the relative significance of error-caused security violations.
Definitions of Terms
• An error-caused security vulnerability occurs when an error puts the software in a state where any packet can enter the system unchecked.
• The window of vulnerability is the time period during which such a vulnerability persists.
• A security violation occurs when a number of malicious packets sufficient to launch an actual attack enter the system during a window of vulnerability.
Errors, Vulnerabilities and Security Violations
[Figure: timeline (time axis, points t1 to t8) marking errors, security vulnerability windows, system reboots and arriving malicious packets. Labels: fault is not manifested; fault crashes the system; window of temporary security vulnerability (temporary SV), ending when the erroneous instruction is evicted from cache; window of permanent security vulnerability (permanent SV), ending when detected by intrusion detection systems, or on a system crash caused by new faults or latent faults.]
Fault Injection Experiment
[Figure: experiment setup with steps numbered 1 to 5. Components shown: address pool, driver-based Linux kernel fault injector, firewall code, firewall machine, attacker machine, firewall, log. Firewall rule: reject packet from attacker machine.]
Outcomes of Fault Injection Experiments
Four categories of outcomes:
• Not activated or not manifested: 78%
• Crash + hang: 20%
• Temporary security vulnerability: disappears when the erroneous location is overwritten, cached out, or the system is rebooted. 2%
• Permanent security vulnerability: corrupts the semantic or structural integrity of the permanent data structures. Removing the errors does not eliminate the permanent security vulnerability. 0.05%
Fault injection results are used as parameters in the SAN model.
Overview of the SAN Model
[Figure: SAN model composed of an error sub-model and a workload sub-model, with input gates. Labels in the diagram: error, error occurrence, processor execution core, cache, cache replacement, cache fetch, maintenance reboot, crash/hang, P_SV, T_SV, reboot, not manifested error, CPU working, packet, firewall enable, packet processing, non-firewall workload, idle, non-firewall workload processing, idle time, job dispatch, job, non-firewall workload execution, firewall execution, non-firewall workload enable, rp_out, flush all places, task switch.]
SAN model: quantifies the relationship between processor architecture, workload, and error characteristics.
Error Sub-Model
[Figure: error sub-model. Labels: error, error occurrence rate, processor execution core, cache, cache replacement, cache fetch, non-firewall workload ex, firewall ex. Outcome places with branch probabilities: NA+NM 0.78, Crash+Hang 0.20, Temp. Security Vulnerability 0.02, Perm. Security Vulnerability 0.0005.]
• Calculate the probability that a token arrives in the Temporary Security Vulnerability or Permanent Security Vulnerability places
• Calculate the number of packets getting through the firewall in a single vulnerability window
Workload Sub-Model
[Figure: workload sub-model. Labels: packet, packet processing, non-firewall workload, non-firewall workload processing, idle, idle time, job dispatch, job.]
Rates of Security Vulnerabilities
[Figure: Rate of Temporary Security Vulnerability (TSV) with 0.1 Error/Day for 20 Firewall Machines. x-axis: Processor Utilization by Firewall (0 to 0.8); y-axis: TSV Rate (per year); curves for non-firewall workload 0%, 10% and 20%. Average 14.9/year.]
[Figure: Rate of Permanent Security Vulnerability (PSV) with 0.1 Error/Day for 20 Firewall Machines. x-axis: Processor Utilization by Firewall (0 to 0.8); y-axis: PSV Rate (per year); curves for non-firewall workload 0%, 10% and 20%. Average 0.37/year.]
Size of Vulnerability Windows
[Figure: x-axis: Processor Utilization by Firewall (0 to 0.8); y-axis: Number of Packets; curves for non-firewall workload 0%, 10% and 20%.]
• Vulnerability window size links security vulnerabilities and security violations
• In order to calculate the rates of security violations, we need the distribution of the size of the security vulnerability window
Assume 30% of packets are malicious.
Distribution of Number of Packets in a Vulnerability Window
Probability distribution for: processor utilization by firewall = 50%, non-firewall workload = 10%, malicious packet rate = 30%
[Figure: histogram. x-axis: Number of Malicious Packets (1 to 16); y-axis: Frequency (0% to 40%).]
Probability of Security Violation, given a security vulnerability
P(security violation | security vulnerability)=0.197
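The step from window size to violation probability described on the two slides above, as an added example that is not from the original presentation. The packets-per-window distribution and the attack threshold `packets_needed` are constructed assumptions, so the printed figures are illustrative and do not reproduce the slides' values.

```python
from math import comb

# Constructed sample, not data from the slides: P(n packets pass unchecked
# during one vulnerability window). The slides obtain this from the SAN model.
WINDOW_PMF = {1: 0.35, 2: 0.25, 4: 0.20, 8: 0.12, 16: 0.08}


def malicious_count_pmf(window_pmf, p_malicious):
    """Distribution of malicious packets per window, assuming each packet is
    malicious independently with probability p_malicious (binomial mixture)."""
    pmf = {}
    for n, p_n in window_pmf.items():
        for m in range(n + 1):
            binom = comb(n, m) * p_malicious**m * (1 - p_malicious) ** (n - m)
            pmf[m] = pmf.get(m, 0.0) + p_n * binom
    return pmf


def p_violation(window_pmf, p_malicious, packets_needed):
    """P(security violation | security vulnerability): at least packets_needed
    malicious packets enter during the window (threshold is an assumption)."""
    pmf = malicious_count_pmf(window_pmf, p_malicious)
    return sum(p for m, p in pmf.items() if m >= packets_needed)


def violation_rate(vuln_rate_per_year, window_pmf, p_malicious, packets_needed):
    """Violations per year = vulnerabilities per year x P(violation | vuln)."""
    return vuln_rate_per_year * p_violation(window_pmf, p_malicious, packets_needed)


if __name__ == "__main__":
    TSV_RATE = 14.9       # average TSV rate per year quoted on the slides
    PACKETS_NEEDED = 3    # assumed size of an "actual attack", in packets
    for frac in (0.2, 0.3, 0.4):
        p = p_violation(WINDOW_PMF, frac, PACKETS_NEEDED)
        rate = violation_rate(TSV_RATE, WINDOW_PMF, frac, PACKETS_NEEDED)
        print(f"malicious={frac:.0%}  P(violation|vuln)={p:.3f}  rate={rate:.2f}/year")
```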
Frequency of Security Violations
Rate of Error-Caused Security Violations
Network protected by 20 firewalls; firewall processor utilization: 50%; non-firewall workload: 10%; error rate: 0.1 error/day
Malicious packet percentage    Rate of error-caused violations per year
20%                            0.88
30%                            1.82
40%                            2.76
Rate of Kernel-Related Software Security Bugs
Operating system    # kernel-related security vulnerabilities    Time period        Rate of software security bugs per year
RedHat Linux        12                                           11/2000-12/2001    11.1
Solaris 2.6         15                                           2/2000-12/2001     7.8
Windows 2000        29                                           2/2000-12/2001     15.1
Conclusions
There exist error-caused security vulnerabilities in firewall software.
Transient errors can cause permanent security vulnerability. Errors propagate to permanent data structures.
There is a non-negligible probability that error-caused security vulnerabilities become security violations.