Chapter 14 - Network Protocols
blog December 19th, 2006
Overview
There were really two things on our minds when we were creating this chapter. First, auditing low-level networking code is a lot of fun, as the vulnerabilities one encounters tend to be creative and encompass design, logic, and implementation flaws. Second, every security professional needs a good handle on TCP/IP in order to evaluate the software built on top of it. So our goal with this chapter was to intersperse a discussion of the core protocols’ security-relevant attributes with lots of interesting vulnerabilities in the lower-level networking software that processes them.
External Resources
RFC 791 - Internet Protocol
W. Richard Stevens’ TCP/IP Illustrated, Volume 1
RFC 826 - An Ethernet Address Resolution Protocol
IANA list of IP Parameters
RFC 768 - User Datagram Protocol
RFC 793 - Transmission Control Protocol
External References
Solaris IP Options code (page 850)
Anthony Osborne’s Windows IP Source Routing Vulnerability (page 853)
Adam Osuchowski and Tomasz Dubinski’s Netfilter TCP Option Advisory (page 868)
HERT FreeBSD ISN PRNG Advisory (page 877)
Zalewski’s "Strange Attractors and TCP/IP Sequence Number Analysis." (page 877)
Watson’s "Slipping In The Window." (page 879)
IETF’s "Improving TCP’s Robustness to Blind In-Window Attacks." (page 880)
Zalewski’s TCP Fragmentation Blind Spoofing Bugtraq Post (page 880)
Anthony Osborne’s Linux Blind TCP Spoofing Vulnerability (page 881)
CORE-SDI Snort TCP Stream Reassembly Vulnerability (page 885)
Mirrored Software
sniffer.c - IP Header Validation Vulnerability (page 837)
linsniffer.c - IP Variable Length Options Vulnerability (page 838)
tcpdump 3.5 - tcpdump Header Length Vulnerability (page 839)
Snort 1.0 - Snort Header Validation Vulnerability (page 841)
Linux 2.6.0 net/ipv4/netfilter/ip_tables.c - Netfilter IP Option Sign-Extension (page 868)
Linux 2.2.0 drivers/char/random.c - Linux ISN Vulnerability (page 877)
Linux 2.0.31 net/ipv4/ - Linux TCP Blind Spoofing Vulnerability (page 881)
Snort 1.9.1 - Snort TCP Reassembly Vulnerability (page 885)
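The IP-layer entries above (sniffer.c, linsniffer.c, tcpdump, Snort 1.0 and the netfilter sign-extension case) all turn on how the header length and per-option length bytes are checked before they are used as indexes or copy sizes. What follows is an added illustration written for this page, not the mirrored sniffer.c, linsniffer.c, tcpdump, Snort or Linux code: a hardened IPv4 header and option validator, and beside it the sign-extension mistake in isolation, where reading a length byte through a signed char turns 0xff into -1 and lets it through a bounds comparison. The sample packet bytes and the function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative IPv4 header/option validation written for this page; it is
 * not the mirrored sniffer.c, linsniffer.c, tcpdump, Snort or Linux code.
 * Header layout follows RFC 791. */
#define IP_MIN_HLEN 20
#define IPOPT_EOL   0
#define IPOPT_NOP   1

typedef enum {
    IP_OK = 0,
    IP_ERR_TRUNCATED,   /* fewer than 20 bytes captured */
    IP_ERR_VERSION,     /* version nibble is not 4 */
    IP_ERR_IHL_SMALL,   /* IHL < 5: the "header" would overlap the payload */
    IP_ERR_IHL_BIG,     /* IHL*4 runs past the captured bytes */
    IP_ERR_TOTLEN,      /* total length < header length or > captured */
    IP_ERR_OPTLEN       /* option length < 2 or runs past the header */
} ip_status;

/* Validate the fixed header, then walk every option in pkt[20..IHL*4).
 * Every length stays unsigned and is checked against what was captured
 * before it is used as an index or copy size. */
ip_status ip_validate(const uint8_t *pkt, size_t caplen)
{
    if (caplen < IP_MIN_HLEN)
        return IP_ERR_TRUNCATED;
    if ((pkt[0] >> 4) != 4)
        return IP_ERR_VERSION;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < IP_MIN_HLEN)
        return IP_ERR_IHL_SMALL;
    if (hlen > caplen)
        return IP_ERR_IHL_BIG;
    size_t totlen = ((size_t)pkt[2] << 8) | pkt[3];
    if (totlen < hlen || totlen > caplen)
        return IP_ERR_TOTLEN;

    /* EOL and NOP are one byte; every other option is type, length, data,
     * with the length byte counting all three parts. */
    size_t i = IP_MIN_HLEN;
    while (i < hlen) {
        uint8_t type = pkt[i];
        if (type == IPOPT_EOL)
            break;
        if (type == IPOPT_NOP) { i++; continue; }
        if (i + 1 >= hlen)              /* no room for a length byte */
            return IP_ERR_OPTLEN;
        uint8_t len = pkt[i + 1];       /* unsigned: 0x80..0xff stay large */
        if (len < 2 || len > hlen - i)
            return IP_ERR_OPTLEN;
        i += len;
    }
    return IP_OK;
}

/* The sign-extension bug class in isolation: reading the length byte
 * through a signed char (what plain `char` is on most ABIs) turns
 * 0x80..0xff negative, so it passes a "fits in the remaining bytes"
 * comparison. Returns 1 when the flawed check accepts the length. */
int optlen_check_signed(uint8_t raw_len, size_t remaining)
{
    signed char len = (signed char)raw_len;  /* 0xff becomes -1 */
    return (int)len <= (int)remaining;
}

/* The same check done correctly: unsigned, and at least type + length. */
int optlen_check_unsigned(uint8_t raw_len, size_t remaining)
{
    return raw_len >= 2 && raw_len <= remaining;
}

/* Constructed sample packet: 24-byte header (IHL 6, total length 24) with
 * one 4-byte Router Alert option (type 0x94) and no payload. */
const uint8_t sample_pkt[24] = {
    0x46, 0x00, 0x00, 0x18,   /* version 4, IHL 6, total length 24 */
    0x00, 0x00, 0x40, 0x00,   /* id, flags DF, fragment offset 0 */
    0x40, 0x06, 0x00, 0x00,   /* TTL 64, protocol TCP, checksum left zero */
    10, 0, 0, 1, 10, 0, 0, 2, /* source, destination */
    0x94, 0x04, 0x00, 0x00    /* Router Alert option, length 4 */
};

/* Validate a copy of sample_pkt with one byte overwritten, so each
 * malformed variant is derived from the known-good packet. */
ip_status validate_patched(size_t off, uint8_t val)
{
    uint8_t buf[sizeof sample_pkt];
    memcpy(buf, sample_pkt, sizeof buf);
    buf[off] = val;
    return ip_validate(buf, sizeof buf);
}

int main(void)
{
    printf("well-formed: %d, IHL 15: %d, option length 0xff: %d\n",
           ip_validate(sample_pkt, sizeof sample_pkt),
           validate_patched(0, 0x4f), validate_patched(21, 0xff));
    printf("signed-char check accepts 0xff with 4 bytes left: %d\n",
           optlen_check_signed(0xff, 4));
    return 0;
}
```

The order of the checks matters: the IHL is compared against the captured length before the total length is read, and the option walk never trusts a length byte until it has been shown to fit inside the header it came from. Compile with any C99 compiler; the signed-char demonstration is deliberately written with `signed char` so it behaves the same on ABIs where plain `char` is unsigned.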
Relevant Blog Posts
Further Reading and Discussion
You should definitely check out everything Vern Paxson has ever written.
Also, you’ll probably very much enjoy Ptacek and Newsham’s "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection."
TCP/IP Illustrated, Volume 2: The Implementation is another good resource.
Dan Kaminsky does creative work.

That’s Vern Paxson, with an ’s’.