1

Evaluating the Security Threat of Instruction Corruptions in Firewalls

Shuo Chen, Jun Xu, Ravishankar K. Iyer, Keith Whisnant

Center of Reliable and High Performance Computing

Coordinated Science Laboratory

University of Illinois at Urbana-Champaign

June 24, 2002

2

Objectives Can transient errors cause security

vulnerabilities in firewall software?

Combine fault injection measurement with processor architecture details to develop a SAN model depicting the reliability, performance, and security of the firewall.

Use the SAN model and publicly available security data to assess the relative significance of error-caused security violations.

3

Definitions of Terms

Error-caused security vulnerability occurs when an error results in putting the software in a state where any packet can enter the system unchecked.

Window of vulnerability is the time period during which such a vulnerability persists

Security violation occurs when a number of malicious packets sufficient to launch an actual attack enter the system during a window of vulnerability

4

Errors, Vulnerabilities and Security Violations

Temporary SV

Erroneous instruction is evicted from cache Permanent

SV

Detected by intrusion detection systems, or system crash by new faults or latent faults

Fault is not manifested

Window of temporary security vulnerability

Window of permanent security vulnerability

Fault crashes the system

Fault crashes the system

Error Security vulnerability window System reboot

Time

t1t2 t3 t4

t5 t6 t7 t8

Malicious packets

5

Fault Injection Experiment

Address PoolAddress Pool

Driver-based Linux Kernel Fault Injector

Driver-based Linux Kernel Fault Injector

Rule: Reject packet from attacker machine.

Firewall Code

Firewall machine

Attacker Machine

1

2 3

4

Firewall

LogLog

5

6

Outcomes of Fault Injection Experiments

Four categories of outcomes Not Activated or Not manifested: 78% CRASH + HANG: 20% Temporary security vulnerability: disappears when the

erroneous location is overwritten, cached out or the system is re-booted. 2%

Permanent security vulnerability: corrupts the semantic or structural integrity of the permanent data structures. Removing the errors does not eliminate the permanent security vulnerability. 0.05%

Fault injection results used as parameters in the SAN model.

7

Error Sub-model

Input Gates

Workload Sub-model

Overview of the SAN Model

error

error occurrenceprocessor

execution core

cachecache replacement cache fetch maintenance reboot

crash/hang

P_SV

T_SV

reboot

not manifested error

CPU working

packet

firewall enable

packet processing

non- firewall workload

idle

non-firewall workload processing

idle time

job dispatchjob

non-firewall workload execution

firewall execution

non-firewall workload enable

rp _out

Error sub-model

Workload sub-model

flush all places

task switch

SAN Model: quantifies the relationship between processor architecture, workload, and error’s characteristics

8

Error Sub-Model

error

error occurrence rateprocessor

execution core

cache

cache replacement

cache fetch

Crash+Hang

Perm. Security Vulnerability

Temp. Security Vulnerability

NA+NM

non-firewall workload ex

firewall ex

• Calculate the probability that a token arrives into Temporary Security Vulnerability or Permanent Security Vulnerability places

• Calculate the number of packets getting through the firewall in a single vulnerability window

0.78

0.200.02

0.0005

9

Workload Sub-Model

packet packet processing

non-firewall workload

idle

non-firewall workload processing

idle time

job dispatch

job

10

Rates of Security Vulnerabilities

0.0

2.0

4.0

6.0

8.0

10.0

12.0

14.0

16.0

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8

Processor Utilization by Firewall

TS

V R

ate

(per

yea

r)

non-firewall workload 0%

non-firewall workload 10%

non-firewall workload 20%

0.000

0.050

0.100

0.150

0.200

0.250

0.300

0.350

0.400

0.450

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8

Processor Utilization by Firewall

PS

V R

ate

(per

yea

r)

non-firewall workload 0%

non-firewall workload 10%

non-firewall workload 20%

Rate of Temporary Security Vulnerability (TSV) with 0.1 Error/Day for 20 Firewall Machines

Rate of Permanent Security Vulnerability (PSV) with 0.1 Error/Day for 20 Firewall Machines

Average 14.9/year Average 0.37/year

11

Size of Vulnerability Windows

0.0

1.0

2.0

3.0

4.0

5.0

6.0

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8

Processor Utilization by Firewall

Num

ber o

f Pac

kets

non-firewall workload 0%

non-firewall workload 10%

non-firewall workload 20%

• Vulnerability window size links security vulnerabilities and security violations

• In order to calculate the rates of security violations, we need the distribution of the size of the security vulnerability window

Assume 30% packets are malicious

12

Distribution of Number of Packets in a Vulnerability Window

Probability Distribution: Processor Utilization by firewall = 50% non-firewall workload=10% malicious packet rate=30%

0%

5%

10%

15%

20%

25%

30%

35%

40%

1 6 11 16Number of Malicious Packet

Fre

qu

ency

Probability of Security Violation, given a security vulnerability

P(security violation | security vulnerability)=0.197

13

Frequency of Security Violations

Network protected by 20 firewallsFirewall Processor Util.: 50%Non-firewall workload: 10%

Error rate: 0.1 error/day

Malicious packet percentage

Rate of error-cause violations per year

20% 0.88

30% 1.82

40% 2.76

OperatingSystem

# kernel-related security vulnerabilities

Time period Rate of software security bugs per year

RedHat Linux 12 11/2000-12/2001

11.1

Solaris 2.6 15 2/2000-12/2001 7.8

Windows 2000 29 2/2000-12/2001 15.1

Rate of Kernel-Related Software Security Bugs

Rate of Error-Caused Security Violations

14

Conclusions

There exist error-caused security vulnerabilities in firewall software.

Transient errors can cause permanent security vulnerability. Errors propagate to permanent data structures.

There is a non-negligible probability that error-caused security vulnerabilities become security violations.

15

Major References

 D. Stott. Automated Fault-Injection-Based Dependability Analysis of Distributed Computer Systems. Ph.D. Dissertation, UIUC, 2001.

A. Ghosh et al. “An Automated Approach for Identifying Potential Vulnerabilities in Software”. IEEE Symp. on Security and Privacy, May 1998.

J. Xu, S. Chen, Z. Kalbarczyk, R. Iyer. “An Experimental Study of Security Vulnerabilities Caused by Errors”. IEEE DSN’01. July 2001.

http://www.securityfocus.com. 12/30/2001