Network Security Via Reverse Engineering of TCP Code:
`Vulnerability Analysis and Proposed Solutions
`
`Biswaroop Guha and Biswanath Mukherjee
`Department of Computer Science
`University of California
`Davis, CA  , U.S.A.
`
`fguha, mukherjeg@cs.ucdavis.edu
`
`f- ,
`g
`Tel: + - -
`-
`Fax: + - --
`Corresponding Author: Biswanath Mukherjee
`
`November , 
`
`Abstract
`
`The Transmission Control ProtocolInternet Protocol TCPIP   suite is a very widely
`used technique that is employed to interconnect computing facilities in modern network envi-
`ronments. However, there exist several security vulnerabilities in the TCP specication and
`additional weaknesses in a number of widely-available implementations of TCP. These vulner-
`abilities may enable an intruder to attack" TCP-based systems, enabling himher to hijack"
`a TCP connection or cause denial of service to legitimate users. We analyze TCP code via a
`reverse engineering" technique called slicing" to identify several of these vulnerabilities, espe-
`cially those that are related to the TCP state-transition diagram. We discuss many of the aws
`present in the TCP implementation of many widely used operating systems, such as SUNOS
`. . , SVR, and ULTRIX . . We describe the corresponding TCP attack signatures" in-
`cluding the well-known  Christmas Day Mitnick Attack and provide recommendations to
`improve the security state of a TCP-based system, e.g., incorporation of a timer escape route"
`from every TCP state.
`
`Keywords and Phrases: Network Security, TCP, IP, Reverse Engineering, Slicing, Vulnerability
`
`Analysis, State Transitions, Timer Escape Route.
`
`

`

`
`
`Introduction
`
`Internetworking is an approach that allows dissimilar computers on dissimilar networks to com-
`
`municate with one another in a seamless fashion by hiding the details of the underlying network
`
`hardware. The most widely used form of internetworking is provided by the Transmission Control
`
`ProtocolInternet Protocol TCPIP suite.
`
`There are some inherent security problems in the TCPIP suite  which makes the situation
`
`conducive to intruders. TCP sequence number prediction, IP address spoong  , misuse of IP’s
`
`source routing principle, use of Internet Control Message Protocol ICMP messages for denial of
`
`service, etc. are some methods to exploit the network’s vulnerabilities. Considering the fact that most
`
`important application programs such as Simple Mail Transfer Protocol SMTP, telnet, r-commands
`
`rlogin, rsh, etc, File Transfer Protocol FTP, etc. have TCP as their transport layer, security aws
`
`in TCP can prove to be very hazardous for the network.
`
`The objectives of this paper are to identify and analyze the vulnerabilities of TCPIP and to
`
`develop security enhancements to overcome these aws. Our work is based on analyzing the state-
`
`transition diagram of TCP and determining the security relevance of some of the improperly-dened"
`
`transitions between dierent states in the state-transition diagram of many widely used TCP code im-
`
`plementations. Also, we determine the importance of timers in dierent states and security problems
`
`associated with them if a state does not have the necessary timer-backup or escape route.
`
`We analyze the TCP state-transition diagram using a reverse engineering" technique called slic-
`
`ing  . Program slicing is an abstraction mechanism in which code that might inuence the value
`
`of a given variable at a location is extracted from the full source code of the program. We employ
`
`slicing to lter out the relevant state-transition information from the TCP source code. In partic-
`
`ular, using the slicing techniques discussed later in the paper, a  line C le implementation of
`
`state-transitions in TCP along with all the header le denitions has been reduced to a very small
`
`and manageable size of approximately  lines of sliced code, which contains only the relevant
`
`state-transition information. This process aids in abandoning unnecessary information and simpli-
`
`fying the code. In this process, we have been able to locate extraneous state-transitions present in
`
`some implementations of TCP. In other words, using the method of slicing, we have determined the
`
`
`
`EX.1104.002
`
`DELL
`
`

`

`presence of several spurious state-transitions in a number of TCP implementations such as SUNOS
`
`. . , SVR, and ULTRIX . ; these transitions are not dened in the TCP protocol specication.
`
`Using our approach, we can identify various sequences of packets in the network which can be po-
`
`tentially hazardous to the security state of the system. These attack signatures" represent TCP
`
`vulnerabilities, which can possibly be exploited by an intruder. Any network-snier" will be able to
`
`determine these signatures and inform the system’s security administrator of the intrusion. We also
`
`provide several recommendations to enhance the security state of a TCP-based system.
`
`The paper is organized as follows. Section  provides an overview of TCP with special emphasis
`
`on its state-transition diagram. Section discusses dierent scenarios having security relevance to
`
`the TCPIP suite. Section  discusses our slicing approach to identify extraneous state-transitions
`
`in TCP’s state-transition diagram. Section  provides information on our analytic approach, and
`
`the results we have obtained after employing slicing techniques on the TCP source code. Section 
`
`discusses the attack signatures", the test-bed which we have developed to test the vulnerabilities of
`
`TCP code in various implementations, and various recommendations to enhance the security state
`
`of a system. Section  concludes the paper including future research directions.
`
` Basics of TCPIP
`
`. Networking with TCPIP
`
`Network protocols employ a structured and layered approach, with each layer performing a separate
`
`function. This approach helps in developing individual layers without modifying other adjacent
`
`layers. Networking using the TCPIP suite can be viewed as a combination of four layers as shown
`
`in Fig. . Note the correspondence between these layers and those of the International Standard
`
`Organization ISO seven-layer model: Layers and  of the ISO model are combined into the lowest
`
`layer of the model in Fig. , while ISO Layers - are merged into the top-most layer in Fig. .
`
`The responsibilities of the dierent layers of the model in Fig. are well-dened.
`
`
`
` The lowest layer, the data-link layer,contains
`
`the network interface layer, connecting the
`
`system with the physical media. It includes device drivers in the operating system and network
`
`
`
`EX.1104.003
`
`DELL
`
`

`

`interface cards connected to the cable. Data-link layers of dierent systems exchange data
`
`
`
`packets.
`
`
`
` The next layer is the internet layer or the network layer.
`
`It assists with the movement rout-
`
`ing of packets in the network. Internet Protocol IP provides a best-eort, connectionless,
`
`and unreliable packet delivery service for the higher layer.
`
`
`
` User processes interact with the network layer through the transport layer.
`
`The Trans-
`
`mission Control Protocol TCP is the most common transport layer used in modern
`
`networking environments. TCP provides reliable data transfer between dierent application
`
`processes over the network. TCP provides ow control and congestion control as well.
`
` The Application layer handles the details of a particular application. This layer interacts
`
`with the user, gets data from the user, and sends the buered data to the transport layer. At
`
`the same time, this layer gets data from transport layer and conveys it to the corresponding
`
`application. The application layer shields the user from the details of the transport layer.
`
`When data is sent from the application layer down to the machine hardware, it moves through
`
`the dierent layers and each lower layer adds a header to the data it receives from the previous upper
`
`layer. This process of encapsulation enables a layer to easily interpret and parse the data that
`
`it receives from a lower layer and it has to pass on to the upper layer. Fig.    illustrates the
`
`encapsulation process that occurs in the TCPIP suite, assuming an Ethernet physical network.
`
`. Transport Layer
`
`Among all of the transport layers, TCP is the most popular. Below, we examine the details of the
`
`header format of TCP along with the TCP state-transition diagram and TCP timers.
`
`.. TCP Header
`
`The size of the TCP header is  bytes, without counting its options, as we observe in Fig.  .
`
`Each TCP segment contains the source and destination port number to identify the sending and
`
`receiving application programs, respectively. The sequence number is essential to maintain the bytes
`
`
`
`EX.1104.004
`
`DELL
`
`

`

`of data from the sender to the receiver in proper order. By communicating the sequence number
`
`
`
`and the corresponding acknowledgment number,
`
`the sender and the receiver can determine lost or
`
`retransmitted data in the connection. There are six ag bits in the TCP header, namely URG, ACK,
`
`PSH, RST, SYN and FIN. At any given time, one or more of these ag bits can be set.
`
`
`
`TCP provides ow control by advertising the window size.
`
`The checksum covers TCP header and
`
`TCP data and assists in determining any error in transmission of TCP header or data. TCP’s urgent
`
`mode is a method for the sender to transmit emergencyurgent data. The urgent pointer is valid
`
`only if the URG ag is set in the header. It helps to locate the sequence number of the last byte of
`
`urgent data. There is an optional options eld as well, taking care of vendor specic information.
`
`.. TCP State-Transition Diagram
`
`Initiation, establishment, and termination of a connection is governed by the TCP state-transition
`
`diagram, which consists of well-dened states and transition arcs between these states see Fig. 
`
`.
`
`.. TCP Timers
`
`
`
`The TCP state-transition diagram is very closely associated with timers.
`
`There are various timers
`
`associated with connection establishment or termination, ow control, and retransmission of data.
`
` A connection-establishment timer is set when the SYN packet is sent during the connection-
`
`establishment phase. If a response is not received within  seconds in most TCP implemen-
`
`tations, the connection establishment is aborted.
`
` A FIN
`
`

`

` There is a TIME
`
`

`

`attack on Shimomura’s machine, two dierent intrusion mechanisms were employed  . IP source
`
`address spoong and TCP sequence-number prediction were used to gain initial access to a diskless
`
`workstation, being used mostly as an X terminal. After obtaining root access, Mitnick hijacked" an
`
`existing connection to another system by means of a loadable kernel STREAMS module  .
`
` . . Methodology
`
`Let us assume that there are three hosts, host A,
`
`host B,
`
`and the intruder-controlled host X.
`
`Let
`
`us assume that B grants A some special privileges, and thus A can get some actions performed by
`
`B. The goal of X is to get the same action done by B for itself. In order to achieve this goal, X has
`
`to perform two operations: rst, establish a forged connection with B, and second, prevent A from
`
`informing B of any malfunction of the network authentication system. Host X has to spoof the IP
`
`address of A in order to make B believe that the packets from X are actually being sent by A.
`
`Let us also assume that the hosts A and B communicate with one another by following the
`
`three-way handshake mechanism of TCPIP. The handshake method is depicted below.
`
`A -- B : SYN Seq. no. = M
`
`B -- A : SYN Seq. no. = N, ACK Ack. no. = M+ 
`
`A -- B : ACK Ack. no. = N+ 
`
`Host X does the following to perform IP spoong. First, it sends a SYN packet to host B with
`
`some random sequence number, posing as host A. Host B responds to it by sending a SYN+ACK
`
`packet back to host A with an acknowledgment number which is equal to one added to the original
`
`sequence number. At the same time, host B generates its own sequence number and sends it along
`
`with the acknowledgment number. In order to complete the three-way handshake, host X should
`
`send an ACK packet back to host B with an acknowledgment number which is equal to one added
`
`to the sequence number sent by host B to host A. If we assume that the host X is not present in the
`
`same subnet as A or B so that it cannot sni" B’s packets, host X has to gure out B’s sequence
`
`number in order to create the TCP connection. These steps are described below .
`
`

`

`X -- B : SYN Seq. no. = M, SRC = A
`
`B -- A : SYN Seq. no. = N, ACK Ack. no. = M+ 
`
`X -- B : ACK Ack. no. = N+ , SRC = A
`
`At the same time, host X should take away host A’s ability to respond to the packets of host B.
`
`To achieve this, X may either wait for host A to go down for some reason, or block the protocol
`
`part of the operating system so that it does not respond back to host B, for example, by ooding B
`
`with incomplete connections. We shall discuss this in more details in next subsection.
`
` . . The Attack
`
`During the Christmas Day, , attack, Shimomura observed a sequence of packets that were gener-
`
`ated to perform IP spoong  . Let us continue with the previous example with X as the intruder-
`
`controlled system and observe the actions performed by the intruder.
`
` . X sends a number of probe packets to B and A, trying to determine whether there exists any
`
`
`
`kind of trust relationship among hosts A and B. Commands such as showmount,
`
`
`
`rpcinfo,
`
`and
`
`nger   were utilized for this purpose.
`
`. X sends a number of TCP SYN packets, i.e., packets containing the SYN ag set with some
`
`arbitrary initial sequence numbers to host A. However, the source IP address of these packets
`
`have been forged, so that they appear to be coming from some host which does not exist in the
`
`network. Host A responds to these packets by sending corresponding SYN-ACK packets to the
`
`non-existent host. As there are no corresponding ACK packets to the packets sent by A, the
`
`three-way handshake is never complete. The connection queue for port  the login port of
`
`A are lled up with connection-setup requests; thus, the port will not be able to generate RST
`
`packets in response to unexpected SYN-ACK packets.
`
` . X sends a number of connection-request packets SYN packets to host B. When host B responds
`
`to them by sending corresponding SYN-ACK packets to X, X sends RST packets to B. Thus,
`
`the three-way handshake is not completed and TCP connections are never established between
`
`B and X. The purpose of this step is to determine the behavior of B’s TCP sequence-number
`
`
`
`EX.1104.008
`
`DELL
`
`

`

`generator. The sequence numbers obtained from B for each new connection are analyzed by X.
`
`The periodicity of these numbers is determined, and this data will be used by X in the next
`
`step to generate and send a forged packet to B with a forged sequence number.
`
`. X creates a forged SYN packet with the source IP address same as that of host A. X sends this
`
`packet to B. B sends a corresponding SYN-ACK packet to A. However, A is ignoring all of the
`
`new packets coming to its login port; it will not send any RST packet to B in response to the
`
`unexpected SYN-ACK packets from B.
`
`. X does not receive the SYN-ACK packet sent by B to A assuming X is present in a dierent
`
`subnet. However, X is in a position to predict the sequence number present in B’s SYN-ACK
`
`packet. X generates and sends a forged ACK packet to B with the source host address same
`
`as that of A and an acknowledgment number corresponding to the sequence number in B’s
`
`SYN-ACK packet. B assumes that the three-way handshake is successfully performed. Hence,
`
`there is a one-way TCP connection established from X to B.
`
`Host X is now in a position to send commands to B. B will perform these commands, assuming
`
`that they are being sent by the trusted host A.
`
` . Problems with TCP State Transitions
`
`Let us take a closer look at Step  of Section . . . The intruder-controlled host X is able to stall the
`
`login-port of host A by sending a series of SYN packets but not sending ACK packets corresponding
`
`to the SYN-ACK packets from A to X. As we have observed before, TCP maintains a connection-
`
`
`
`establishment timer.
`
`If a connection does not get established within a stipulated time typically
`
` seconds, TCP resets the connection. Thus, in our previous example, the server port will not be
`
`able to respond for a duration of  seconds.
`
` .. Extraneous State Transitions
`
`Consider a sequence of packets between hosts X and A. X sends a packet to A, with both SYN and
`
`FIN ags set. A responds by sending an ACK packet back to X, as illustrated below.
`
`
`
`EX.1104.009
`
`DELL
`
`

`

`X -- A : SYN FIN Seq. no. = M
`
`A -- X : ACK Ack. no. = M+ 
`
`Examining the state-transition diagram in Fig. , we observe that A is initially in state LISTEN.
`
`When it receives the packet from X, it starts processing the packet. It processes the SYN ag rst,
`
`then transitions to the SYN
`
`

`

`Thus, we observe that extraneous state-transitions exist in several implementations of TCP and
`
`these may lead to severe security violations of the system.
`
` . Problem with Timers
`
`As we have discussed before, whenever the process of connection setup is in progress, a connection-
`
`establishment timer is turned on. If the connection does not get established within a stipulated time,
`
`TCP reverts back to the CLOSED state.
`
` . . Simultaneous Open
`
`During establishment of a simultaneous open connection between two hosts, we have found that
`
`the connection-establishment timer behaves in a dierent way. Let us consider our example of hosts
`
`A and X. Host A sends a SYN packet to X, expecting a SYN-ACK packet back in response. Let us
`
`assume that, almost at the same time, host X wants to start a connection with A and sends a SYN
`
`packet to A. Both A and X send a SYN-ACK packet to each other when they receive the SYN packet
`
`from the other party. When each receives the SYN-ACK packet from the other party, it assumes
`
`that the connection is established. In this scenario, the connection-establishment timer is switched
`
`o when the host receives the SYN packet from the other host , as shown below.
`
`X -- A : SYN Seq. no. = M
`
`A -- X : SYN Seq. no. = N
`
`X -- A : SYN Seq. no. = M, ACK Ack. no. = N+ 
`
`A -- X : SYN Seq. no. = N, ACK Ack. no. = M+ ,
`
` . . Security Relevance
`
`Let us consider the sequence of steps followed by an intruder-controlled host X and host A.
`
`

`

` . Host X sends a FTP request to host A. A TCP connection is established between X and A to
`
`transfer control signals. Host A sends a SYN packet to X in order to start a TCP connection
`
`for data-transfer and performs a state-transition to the state SYN
`
`

`

`values of some set of variables at some set of statements, then the specication is said to be slicing
`
`criterion  .
`
`The concept of breaking down a large program into smaller and simpler modules for analysis is
`
`observed in  . Zislis denes busy variables" as variables that will be used later in the program.
`
`He employed these variables as the criteria to group related program statements and form a program
`
`slice. Weiser   used data-dependence to group statements together. There are several other ways
`
`to slice a program, namely backward data-ow slicing, forward data-ow slicing, control-ow slicing,
`
`etc. There are two essential properties of a program slice  , as follows.
`
` . The program slice must be executable.
`
`. For the same input values, the variables must have identical values at the corresponding lo-
`
`cations both in the slice and the original program. This assists in maintaining the semantic
`
`meaning of the program.
`
`Finding the exact and smallest program slice from a given program is an undecidable problem.
`
`However, data-ow analysis can determine an approximate program slice by nding all of the program
`
`code that might have inuenced the specied behavior. A simple approach would have been to delete
`
`source statements; but this will lead to ungrammatical program slices. For example, removing
`
`the THEN clause from an IF-THEN-ELSE statement leaves an ungrammatical program fragment,
`
`assuming that a null" statement is not allowed between THEN and ELSE. A more ecient but
`
`elaborate method will be to translate the input program into an intermediate form, apply program
`
`slicing to it, and then reconstruct the slice into a complete program.
`
`Slicing is a valuable tool in debugging, testing, and maintenance of software when only a portion
`
`of a program’s behavior is to be examined. It identies the portion of the program that aects the
`
`specied behavior and produces slices that are signicantly simpler, and smaller, than the original
`
`program.
`
`. Slicing Criteria
`
`As we mentioned before, slicing is carried out with respect to a slicing criterion. In the simplest form,
`
`a criterion is a variable, andor a location in the program. More complex criteria involve multiple
`
`
`
`EX.1104.013
`
`DELL
`
`

`

`variables, multiple locations, and more complex program analysis.
`
`A program slice is represented by a set of nodes. Anything that can be described in terms of
`
`nodes in a dataow graph can serve as a slicing criterion  . At the same time, it is possible to
`
`combine the eects of dierent slicing methods using dierent criteria by simply manipulating the
`
`sets of nodes. Features such as set-union, set-dierences, etc. can be accomplished on these set of
`
`nodes. This approach facilitates better analysis of a given program using multiple slicing criteria.
`
`There exist a number of dierent techniques to slice a given program, the most common being
`
`the backward slice approach. A basic backward slice of a program is produced by rst generating
`
`a combined control and data ow graph of the program, based upon the parse tree of the program.
`
`Nodes that correspond to the slicing criteria form the basis of the slice. A node is added to the slice
`
`if it is a denition of the value of a node in the slice, if it is used in a computation of a node in the
`
`slice, or if it is a part of a control point which dominates a node in the slice  . The nal slice is
`
`the subset of the nodes of the ow graph which have been identied by the above procedure.
`
`The forward slice technique works forward through the parse tree. It traces the fan-out eect
`
`of a ow node. Combination of backward and forward slicing techniques can produce slices which
`
`characterize the behavior of a program in a more lucid way.
`
`. Example
`
`Let us examine the program in Fig. . It computes the mean and the maximum value of all the data
`
`elements in the array data. We want to retain the part of the program that computes the mean
`
`of all the data elements. Hence, we slice this program with respect to the variable mean". The
`
`program slicer computes the control and data dependence and creates the slice. In order to compute
`
`the value of mean in line , the slicer needs the values of the variables sum and n. Data-ow analysis
`
`tells the slicer to use the values of the variable sum dened in lines , , and . Similarly, the
`
`program slicer will examine the lines , , and for the variable n. Continuing in this fashion,
`
`the nal program slice looks as shown in Fig. .
`
`Thus, from the original program, we obtain a subprogram which is functionally complete, and
`
`which focuses on the variable mean and the way it is referred to and computed in the program.
`
` 
`
`EX.1104.014
`
`DELL
`
`

`

`. TCP State-Transition Diagram
`
`The TCPIP protocol stack is implemented in the kernel space for most commercial implementation
`
`of UNIX systems. The TCP part of the code usually consists of six C les and seven header les. Out
`
`of these les, the le tcp
`
`

`

`NetBSD source code, released on June  , . This le deals with validating the input segment
`
`obtained from the IP layer, processing the segment with respect to the ags, and the present state
`
`of the TCP machine", sending ACK or FIN packets to the IP layer, initializing timers for various
`
`TCP functionalities, updating the timer values for round-trip delay, etc. We are interested in the
`
`state-transitions of TCP and hence we choose our slicing criteria to be the variable t
`
`

`

`not in a position to send a close" signal to the TCP. Thus, TCP remains stalled until the keep-
`
`alive timer resets the connection back to the CLOSED state. This approach can be eectively
`
`utilized by an intruder to start the process of IP spoong, as we have examined before recall
`
`Mitnick’s Christmas Day Attack.
`
` The transitions from the ESTABLISHED, FIN
`
`

`

`. . IP Spoong
`
`If an IP-spoong attack occurs over a network which has a snier" installed on it, we may observe the
`
`following sequence of packets. Assume that the attack is being initiated from an intruder machine
`
`X to another machine B, after temporarily stalling the network port of a server machine A.
`
` Initially, the snier" will observe a urry of TCP SYN packets from some host to the login
`
`port of host A. In response, host A will send corresponding SYN-ACK packets. The purpose of
`
`the SYN packets is to create a number of half-open TCP connections with host A, thus lling
`
`the connection queue of its login port.
`
` A number of TCP SYN packets from host X to host B will pass through the network. This will
`
`generate SYN-ACK packets from host B to host X. Then, host X will respond back by RST
`
`packets. This sequence of SYNSYN-ACKRST packets enables the intruder to understand
`
`the behavior of TCP sequence-number generator of host B.
`
` A SYN packet arrives at host B from host A. In reality, this is a forged" packet being sent by
`
`host X. This packet is followed by a corresponding SYN-ACK packet from host B back to A,
`
`and an ACK packet from host A actually from X to B. Using this step, the intruder is able
`
`to establish a one-way TCP connection with host B.
`
`. . Spurious State Transitions
`
`When an intruder attempts to stall a network port of a server for a considerably long time duration,
`
`using the state-transition from state SYN
`
`

`

` Host X does NOT send any other packet to B. TCP machine" of host B is in the CLOSE
`
`

`

`.. Setup
`
`A device driver is a software component that provides an interface between the operating system
`
`and a device . The driver controls the device in response to requests from the kernel. This device
`
`may be a physical device, such as a disk, in which case the driver is termed as a hardware driver.
`
`A software driver, also called a pseudo driver, controls software, which in turn may interface with
`
`a hardware device or another software device. In our experiment, we congured a SUN SPARC ,
`
`running the Solaris . operating system, as our intruder" machine. We performed the following
`
`tasks to set up our machine.
`
` We obtained the source code for Solaris . operating system.
`
` We manipulated the tcp device driver code. We modied some portions of the code so that the
`
`tcp device" responds to incoming TCP packets in a dierent" way.
`
` We compiled the code with the -D
`
`

`

`The sequence of packets, as observed by the output of tcpdump   is as follows.
`
` :: . Kongur.  Ararat.ftp:
`
`S   :   win  mss  DF
`
` :: .  Ararat.ftp Kongur.  :
`
`S  :   ack    win   mss 
`
`We observe that port  of Kongur sends a SYN packet to the ftp" port of Ararat
`
`with an initial sequence number of   , initial window advertisement of  at time
`
` :: . . Ararat, in turn, responds back with a SYN-ACK packet, with an initial se-
`
`quence number of   and an acknowledgement number of    at time  :: . .
`
`However, Kongur did not send any other packet and so Ararat gets stuck in the SYN
`
`

`

`Had there been no spurious state-transition from SYN
`
`

`

`S  :   win   mss 
`
` ::. Kongur.ftp Ararat.  :
`
`S  :   win  mss  DF
`
` ::. Ararat.   Kongur.ftp:
`
`S  :   ack   win   mss 
`
`Netstat command in Ararat gave us the following output.
`
`tcp
`
`
`
`
`
`Ararat.  
`
`Kongur.ftp
`
`SYN_RCVD
`
`We obtain similar result with TCP implementation of ULTRIX . OS Denali as well.
`
`. Recommendations
`
` There is no way easy way to prevent IP spoong. We may perform the following tasks to
`
`protect our systems from this sort of attack. First, we may congure the routers and the
`
`gateways in our networks such that they do not allow connections from outside with a source
`
`IP address the same as that of any of the systems within the local subnet. Also, they should
`
`not route packets from a host in the local subnet to the outside when the source IP address
`
`of the packet is something not present in the local subnet. Second, encrypt the packets before
`
`sending them to the network. Though this process requires extensive change in the present
`
`networking environment, it will ensure the integrity and authenticity of data.
`
` To prevent the spurious state-transition from SYN
`
`

`

`route". Presently, we have observed that only a few states such as CLOSING does not have
`
`any timer associated with it. It may be possible for an intruder machine to force the host TCP
`
`machine" to perform a state-transition to this state. Since the state does not have any timer
`
`backo, if the intruder does not send proper packets, the host may get stalled in this state.
`
` Conclusion
`
`The main objective of this paper was to identify and analyze some new vulnerabilities of TCPIP. We
`
`have discussed dierent attacks that can be launched by an intruder who manipulates the security
`
`aws in the TCPIP specication as well as its implementations. We have analyzed the TCP source
`
`code and identied spurious state-transitions present in the implementation of TCP in several oper-
`
`ating systems. Using our test-bed, we have analyzed how TCP behaves for various combination of
`
`input packets. Finally, we provide several recommendations to plug some of these aws in TCP and
`
`its implementations. In future, we would like to improve the TA Tester’s Assistant. We would also
`
`like to detect more vulnerabilities in the TCP. We would also like to investigate automated detection
`
`of vulnerabilities in privileged programs using TCP as their transport layer  .
`
`References
`
`
`
`  J. Postel, Transmission Control Protocol, R
`
`FC  ,  .
`
` D. E. Comer, Internetworking with TCPIP: Vol. I - Principles, Protocols, and Architecture,
`
`
`Third Edition, Prentice Hall, .
`
`
`
`  W. R. Stevens, TCPIP Illustrated Vol. - The Protocols,
`
`Addison-Wesley, .
`
` W. R. Stevens and G. R. Wright, TCPIP Illustrated Vol.  - The Implementation,
`
`
`Wesley, .
`
`Addison-
`
` STREAMS Programmer’s Guide - Solaris .,
`
`SunSoft, Sun Microsystem, Inc., .
`
` S. M Bellovin, There be dragons," Proceedings of  USENIX Security Symposium,
`
`
`September .
`
`pp. - ,
`
` S. M Bellovin, Security Problems in the TCPIP Protocol Suite," Computer Communications
`
`Review, V
`ol. , No. , pp. -, April  .
`
`
`
`EX.1104.024
`
`DELL
`
`

`

` B. Cheswick, An evening with Berferd: In which a cracker is lured, endured and studied,"
`
`Proceedings of the Winter USENIX Conference,
`January .
`
`  R. T. Morris, A Weakness in the .BSD UNIX TCPIP Software," Computing Science Tech-
`nical Report No. , A T&T Bell Laboratories, Murray Hill, New Jersey.
`
`  IP Spoong Attacks and Hijacked Terminal Connections," CERT Advisory, CA- : ,
`
`
` .
`
`Jan.  ,
`
`Thief took bite out of security; hacker’s breach shows vulnerability
`  J. Marko, New York Times,
`
`of computer networks," Nation, Jan. .
`
`  T. Shimomura, Technical details of the attack described by Marko in NYT," Usenix news-
`
`groups: comp.protocols.tcp-ip, comp.security.misc,
`Jan. , .
`
`  M. Weiser, Program Slicing," IEEE Transactions on Software Engineering, V
`
`
` - , July .
`
`ol. SE- , pp.
`
`  G. Fink and K. Levitt, Property-based testing of privileged programs," Proc., Computer Secu-
`
`rity Applications Conference,
`pp. -  , Dec. .
`
`  R. W. Lo, Static Analysis of Programs with Application to Malicious Code Detection, PhD
`Dissertation, University of California, Davis, .
`
`  P. M. Zislis, Semantic Decomposition of Computer Programs: An Aid to Program Testing,"
`
`Acta Informatica,
`pp. - , .
`
`  C. Ko, G. Fink, K. Levitt, Automated detection of vulnerabilities in privileged