Table of Contents
Fetching ...

Overlapping data in network protocols: bridging OS and NIDS reassembly gap

Lucas Aubard, Johan Mazel, Gilles Guette, Pierre Chifflier

TL;DR

This work tackles overlap-based data ambiguities in IPv4, IPv6, and TCP fragmentation, which can cause OS and NIDS reassembly to diverge and enable evasion or insertion of malicious payloads. It introduces Allen's interval algebra as a formal framework to exhaustively model overlap relations, enabling comprehensive overlap-test coverage and policy comparison across systems. By surveying a broad set of modern OSes and three major NIDS (Snort, Suricata, Zeek), the study reveals evolving OS reassembly policies and partial inconsistencies between NIDS and OS reassembly, highlighting exploitable opportunities for overlap-based attacks and assigning CVEs to disclosed issues. The findings underscore the need for NIDS to maintain configurable, up-to-date, context-aware reassembly policies or implement robust alerting for inconsistent overlaps, guiding future testing of multi-chunk contexts and policy alignment to strengthen network defense against overlap-based techniques.

Abstract

IPv4, IPv6, and TCP have a common mechanism allowing one to split an original data packet into several chunks. Such chunked packets may have overlapping data portions and, OS network stack implementations may reassemble these overlaps differently. A Network Intrusion Detection System (NIDS) that tries to reassemble a given flow data has to use the same reassembly policy as the monitored host OS; otherwise, the NIDS or the host may be subject to attack. In this paper, we provide several contributions that enable us to analyze NIDS resistance to overlapping data chunks-based attacks. First, we extend state-of-the-art insertion and evasion attack characterizations to address their limitations in an overlap-based context. Second, we propose a new way to model overlap types using Allen's interval algebra, a spatio-temporal reasoning. This new modeling allows us to formalize overlap test cases, which ensures exhaustiveness in overlap coverage and eases the reasoning about and use of reassembly policies. Third, we analyze the reassembly behavior of several OSes and NIDSes when processing the modeled overlap test cases. We show that 1) OS reassembly policies evolve over time and 2) all the tested NIDSes are (still) vulnerable to overlap-based evasion and insertion attacks.

Overlapping data in network protocols: bridging OS and NIDS reassembly gap

TL;DR

This work tackles overlap-based data ambiguities in IPv4, IPv6, and TCP fragmentation, which can cause OS and NIDS reassembly to diverge and enable evasion or insertion of malicious payloads. It introduces Allen's interval algebra as a formal framework to exhaustively model overlap relations, enabling comprehensive overlap-test coverage and policy comparison across systems. By surveying a broad set of modern OSes and three major NIDS (Snort, Suricata, Zeek), the study reveals evolving OS reassembly policies and partial inconsistencies between NIDS and OS reassembly, highlighting exploitable opportunities for overlap-based attacks and assigning CVEs to disclosed issues. The findings underscore the need for NIDS to maintain configurable, up-to-date, context-aware reassembly policies or implement robust alerting for inconsistent overlaps, guiding future testing of multi-chunk contexts and policy alignment to strengthen network defense against overlap-based techniques.

Abstract

IPv4, IPv6, and TCP have a common mechanism allowing one to split an original data packet into several chunks. Such chunked packets may have overlapping data portions and, OS network stack implementations may reassemble these overlaps differently. A Network Intrusion Detection System (NIDS) that tries to reassemble a given flow data has to use the same reassembly policy as the monitored host OS; otherwise, the NIDS or the host may be subject to attack. In this paper, we provide several contributions that enable us to analyze NIDS resistance to overlapping data chunks-based attacks. First, we extend state-of-the-art insertion and evasion attack characterizations to address their limitations in an overlap-based context. Second, we propose a new way to model overlap types using Allen's interval algebra, a spatio-temporal reasoning. This new modeling allows us to formalize overlap test cases, which ensures exhaustiveness in overlap coverage and eases the reasoning about and use of reassembly policies. Third, we analyze the reassembly behavior of several OSes and NIDSes when processing the modeled overlap test cases. We show that 1) OS reassembly policies evolve over time and 2) all the tested NIDSes are (still) vulnerable to overlap-based evasion and insertion attacks.
Paper Structure (13 sections, 2 figures, 3 tables)

This paper contains 13 sections, 2 figures, 3 tables.

Figures (2)

  • Figure 1: Data overlap ambiguity illustration.
  • Figure 2: The considered threat model.

Theorems & Definitions (3)

  • definition thmcounterdefinition: $p$ protocol data buffer synchronization
  • definition thmcounterdefinition: Evasion in a data overlap-based context
  • definition thmcounterdefinition: Insertion in a data overlap-based context