Many security systems today rely on Anomaly, Heuristic, Signature, Pattern, Reputation and Rule-Based architectures which need in many cases an understanding of the vulnerability or attack to be identified as malicious in nature.
These systems today may be insufficient in capability, singly or in combination, due to foundational architectural design decisions in TCP/IP as noted in RFC1122 and RFC3117 to proactively identify and mitigate protocol evasion attacks. Reactive-based mitigation capabilities have been proven to date to be capable and conform to industry de-facto generally acceptable practices.
This gap which allows protocol evasion to occur, is referred to as the robustness principle, or Postel’s Law, which specifies: “be conservative in what you do, be liberal in what you accept from others.", there is as Steffen Ullrich notes, a “Semantic Gap” at the application level for many protocols, such as HTTP, which his tool demonstrates.
This “Semantic Gap” is caused by incorrect, incomplete, unclear, or contradicting specifications with unique or incorrect interpretations by each platform. In many cases, it is up to the developers of application layer protocols to make the decision of what to provide, and how much of it to provide, and how it is provided.
For example, if a security system based on TCP/IP identifies a traffic flow between a client with a specific operating system, the version of that operating system, it’s network stack, version of stack, the browser, and the version of that browser, as well as the communication protocol, and version of that protocol, to the server and its variations for communication back to the client, it may be able to take action on that particular event in that particular moment.
Or, it may not.
As there is no defined behavior in many instances, different application implementations handle data differently and respond according to the rules that were written by the developer for that implementation.
The handling of this data depends upon the security devices architecture, and all of the implementation rules it is built upon to determine what to do with that message and any associated data at that point in time. Therefore, different security systems, implemented with different development architectures, teams and tools, will react differently to the same messages with the same data.
Also, if a message is compressed or encrypted, it may be difficult to identify as a malicious event if it has not been seen before and originates from a reputable source. If that message is malformed, but valid, due to incorrect software development by design or accident the security device may produce false-positive events, and break the application. Alternately it may recognize the application as valid and pass it through for compatibility purposes.
Four unique event types have been identified where protocol evasion awareness becomes a concern:
The traffic destined to or through the security device is valid, the associated data/message is malicious, and may or may not be compressed or encrypted.
The traffic is destined to or through the security device is invalid, no associated data/message is attached to the traffic.
The traffic destined to or through the security device is invalid, the associated data/message is malicious, and may or may not be compressed or encrypted.
The traffic destined to or through the security device is invalid, the associated data/message is not malicious, and may or may not be compressed or encrypted.
Given four combinations of opportunity, as well as obfuscation / encryption capabilities of traffic that may be implemented due to network owners’ designs, which could obscure the originating system details, such as the use of proxy or relay services and obfuscating browsers, it becomes increasingly difficult for existing security systems to be able to identify, mitigate, and alert on potential protocol-based evasion attacks implemented by malicious actors.
Once identified, these attacks can be responded to by signature, protocol anomaly, and other rules-based detection security systems, and future incidents can be mitigated.
In any of these cases, the intent is by a threat actor is to subvert the system maliciously to evade the rules of the system to perform actions by the attacker that the system is not intending to be authorized to perform.
As a member of ICASI we, and the other members of ICASI, are committed to ongoing research and product enhancement related to protocol evasion attack vectors.
SRX-Series and Sky Advanced Threat Protection deliver dynamic advanced malware detection and deep inspection in cloud-based sandboxes. When used with complimentary services, such as IDP, AV, and Firewall rulesets and configured for detection of HTTP Evader, a 100% successful detection rate is reached.
Juniper Networks is committed to ongoing research and product enhancement related to protocol evasion attack vectors.
Juniper Networks published sigpack #2596 in response to Steffen Ullrich’s publication and in testing with our Partner, IBM, achieved a 100% successful detection rate of the published bypass mechanisms.
Juniper Networks and ICASI would like to thank Steffen Ullrich and Craig Dods Chief Security Architect, IBM Security for providing details related to the issue, vulnerabilities, mitigation methods and research on this subject.