INTERNET-DRAFT H. Song
Intended Status: Informational N. Zong
Expires: April 30, 2015 Huawei
October 27, 2014
A Threat Model for Router Backdoor
draft-song-router-backdoor-00
Abstract
This document elaborates a threat model for inherent backdoors in
telecom routers. We assume a malicious router can carry an inherent
backdoor whose purpose is eavesdropping on traffic or disabling the
functioning of the router or of the whole network. The document is
intended to show system designers and network administrators how such
a backdoor works, so as to assist in the security evaluation of
routers, and especially in standard designs that are immune to
inherent backdoors.
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/1id-abstracts.html
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Copyright and License Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
Song & Zong Expires April 30, 2015 [Page 1]
INTERNET DRAFT A Threat Model for Router Backdoor October 27, 2014
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3 Backdoor Classification . . . . . . . . . . . . . . . . . . . . 4
3.1 Implementation classification . . . . . . . . . . . . . . . 4
3.2 Purpose Classification . . . . . . . . . . . . . . . . . . 5
4 Behaviors of Traffic Eavesdropping . . . . . . . . . . . . . . 5
5 Behavior of Equipment Malfunctioning . . . . . . . . . . . . . 6
6 Backdoor of Black Platform . . . . . . . . . . . . . . . . . . 6
7 Potential Solutions . . . . . . . . . . . . . . . . . . . . . . 6
8 Security Considerations . . . . . . . . . . . . . . . . . . . . 7
9 IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
10 Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
11 References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
11.1 Informative References . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8
1 Introduction
In recent years, telecom routers have sometimes been suspected of
carrying backdoors, the main suspicion being that the equipment might
be used for eavesdropping: telecom routers are the key equipment for
packet forwarding and handle a huge volume of traffic all the time,
so they hold a network position that could be exploited to analyze
traffic for unknown purposes. Equipment vendors always claim they have
no backdoors, and usually there is no evidence of one, but this mutual
distrust harms the industry. This document introduces a threat model
for telecom routers in detail.
On one side, vendors would like to prove their innocence. Today they
usually turn to a third-party organization to evaluate their products
and issue a certificate, and this certification helps, to some extent,
to establish trust between the parties. Vendors are sometimes required
to open their source code to regulators, but most vendors regard their
source code as a business secret and the key to their commercial
success, so they often dislike the idea of opening it.
On the other side, operators and regulators would like to make sure
the equipment is secure. But there are no standard mechanisms to
evaluate whether a backdoor exists in a router, and the operators do
not want to spend a lot of manpower evaluating the router's source
code either. They usually also rely on third-party evaluation. But at
present a third party can only certify that the equipment withstands
some common attacks, or that it follows some secure programming rules;
there is no way for a third party to guarantee the non-existence of a
backdoor.
The motivation is to address the aforementioned problem from both
sides. One direction is prevention: a well-designed standard solution
or guidance that prevents or avoids the occurrence of backdoors, for
example standard design specifications that leave no room for
backdoors.
Another potential way is run-time detection. Purpose-built tools can
run to detect the malicious behavior of the router immediately, just
as people run anti-virus software (e.g. 360 or Symantec) on their
computers. The challenge is that the malicious behavior is unknown in
advance, but the approach is still effective if the detector can
detect and then block such behaviors.
The third possible way is analysis afterwards. This needs a huge
amount of storage space (for a 40 Gbps router, storing the raw data
needs about 18 TB of storage per hour), and it may be useless if the
malicious behavior has already happened. It is helpful, in a slower
fashion, for people to adopt countermeasures after incidents have been
detected.
With the above efforts, there can be three results.
Result 1: No backdoor. This certifies the innocence of the vendor, and
the operators and regulators are glad to dismiss the suspicion against
the vendor.
Result 2: Yes, there is a backdoor. From the opposite side, the effort
helps the administrators to detect it.
Result 3: Still not sure. No malicious behavior has been detected, but
the distrust between the parties is mitigated, because both parties
have agreed on a solution.
The problem space of this document covers the threat models of
inherent router backdoors, and leaves the solutions for prevention,
detection and afterwards analysis for future study. Anything related
to backdoors implanted by third parties or to system vulnerabilities
is out of scope, as is anything related to protecting routers against
attacks.
2 Terminology
Backdoor: A backdoor is a method of bypassing normal authentication,
securing unauthorized remote access to equipment, obtaining access to
functioning components or enabling hidden functions, while attempting
to remain undetected.
Inherent backdoor: A purposely designed backdoor that is already
present in the equipment when the customer receives it from the
provider, implemented in either software or hardware, as opposed to a
backdoor implanted by a third party after the customer puts the
equipment into operation. The assumption is that the software and
hardware of the equipment are not changed in the delivery chain.
3 Backdoor Classification
3.1 Implementation classification
From the implementation perspective, we classify backdoors into
hardware and software. Hardware backdoors can be specially designed
transistors or shadow circuits. Software backdoors can be hidden
software functions triggered by specially designed packets, or hidden
ports, for example the notorious TCP 32764 backdoor.
3.2 Purpose Classification
From the purpose perspective, we can classify backdoors into the
following classes.
One purpose of a backdoor is traffic eavesdropping, which is the main
suspicion in various cases. The eavesdropping can have a definite
target (a person, a line or a user account), or it can be pervasive.
Another purpose of a backdoor might be to make the equipment
malfunction. An adversary can obtain root control of the router and
can then choose the time, the location, the component, and the manner
in which the router malfunctions.
A possible purpose of a backdoor could also be management and
operation of the device, for example updating the device. But an
undocumented method of accessing the device must also be regarded as
a backdoor attack.
4 Behaviors of Traffic Eavesdropping
The main suspected behavior is traffic eavesdropping. The easiest
thing a spying router can do is to encapsulate the original user
packets (whether targeted or pervasive) and send them to another
destination for collection and analysis. Pervasive monitoring cannot
be done during the network's peak traffic time, as it would produce
too much traffic from the device. But replication and monitoring of a
targeted user's or line's packets can be done at any time. Note that
in this case new eavesdropping packets are generated by the router.
Their source IP address could be that of the router itself or any fake
IP address, and their destination could be a malicious NMS or any
other destination under the adversary's control. The eavesdropping
packets can be encrypted.
Another way of eavesdropping is to use an existing session instead of
a new session from the router. The spying router monitors user packet
information and then encapsulates that information into an existing
end-to-end session that was set up for eavesdropping. Note that in
this scenario no new packet originates from the router, since it
piggybacks on an existing session, so it is very hard to find by
traffic monitoring on the router interfaces. Again, the eavesdropping
packets can be encrypted. This kind of eavesdropping is hard to use
for pervasive monitoring because of the limited capacity of the
spying session.
A more complicated way is for the spying router to monitor and analyze
user packets and to send the extracted information to the adversary
only when needed, either through router-to-NMS messages or through a
new or an existing session. In this case there is no continuous
stream of eavesdropping messages, and those messages can also be
encrypted. But this method requires the malicious router to have a
powerful big-data analysis tool, which might not be so easy to hide.
A spying router can also have a storage backdoor and provide access to
it through manual or remote access. The spying router can leave
illegal root control to the adversary, and the stored information is
only retrieved when needed.
The eavesdropping function can be triggered by specially designed
packets or by other means.
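The first eavesdropping behavior above (the router generating new
packets that carry copies of transit traffic) is the one an outside
monitor can look for. The following is an added example, not part of
this draft, of the egress check such a monitor could apply. It assumes
a toy packet record and toy serialization, hypothetical router
addresses (192.0.2.1) and one documented NMS peer (192.0.2.100); all
packets are constructed. Two rules are applied: flows the router
itself originates toward undocumented destinations, and egress packets
that are not plain forwarded copies but contain a whole transit packet
inside their payload, whatever source address they claim.

```python
"""Egress audit for eavesdropping copies of transit traffic (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    payload: bytes


def wire(p: Packet) -> bytes:
    """Toy serialization: how a packet would look if encapsulated whole."""
    return f"{p.src}>{p.dst}/{p.proto}|".encode() + p.payload


# Hypothetical router facts; a real deployment takes these from inventory.
ROUTER_ADDRS = {"192.0.2.1"}          # router's own loopback/management addresses
ALLOWED_MGMT_DSTS = {"192.0.2.100"}   # documented NMS, syslog, NTP peers


def audit_egress(ingress, egress):
    """Return (rule, description) findings for suspicious egress packets.

    Rule A: sourced from the router itself, sent to an undocumented destination.
    Rule B: not an unchanged forwarded copy, yet carries a whole ingress packet
            in its payload (an encapsulated copy), regardless of claimed source.
    """
    ingress_set = set(ingress)
    findings = []
    for e in egress:
        if e.src in ROUTER_ADDRS and e.dst not in ALLOWED_MGMT_DSTS:
            findings.append(("A", f"router-originated flow to {e.dst} ({e.proto})"))
        if e in ingress_set:
            continue  # normal forwarding: packet left unchanged
        for i in ingress:
            # Substring match is enough for the toy format; a real monitor
            # would hash inner headers/payload rather than scan bytes.
            if wire(i) in e.payload:
                findings.append(("B", f"encapsulated copy of {i.src}->{i.dst} "
                                      f"sent to {e.dst} from {e.src}"))
                break
    return findings


# Constructed sample traffic.
TRANSIT = Packet("10.1.1.5", "198.51.100.7", "tcp", b"GET /account HTTP/1.1")
OTHER = Packet("10.1.1.6", "198.51.100.8", "udp", b"dns query example")
SAMPLE_INGRESS = [TRANSIT, OTHER]
SAMPLE_EGRESS = [
    TRANSIT, OTHER,                                                   # forwarded
    Packet("192.0.2.1", "192.0.2.100", "udp", b"snmp trap linkUp"),   # legit NMS
    Packet("192.0.2.1", "203.0.113.9", "udp", wire(TRANSIT)),         # A and B
    Packet("10.1.1.5", "203.0.113.9", "udp", b"x" + wire(TRANSIT)),   # B only: spoofed src
    Packet("192.0.2.1", "203.0.113.9", "udp", b"\x8a\x11\x42opaque"),  # A only: encrypted copy
]


def demo():
    return audit_egress(SAMPLE_INGRESS, SAMPLE_EGRESS)


if __name__ == "__main__":
    for rule, text in demo():
        print(rule, text)
```

The last sample packet shows the caveat the draft itself raises: once
the copy is encrypted, rule B sees nothing, and only the origin/
destination baseline (rule A) or volume accounting remains. Neither
rule catches the second behavior (piggybacking on an existing session),
which is why the draft calls it hard to find by interface monitoring.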
5 Behavior of Equipment Malfunctioning
A backdoor can make the router malfunction. If the backdoor is enabled
in a router located on a key path in the network topology, it can even
destroy the functioning of the whole network.
Usually the adversary obtains root control over the router and can
then operate the router at will. The malfunctioning behaviors include,
but are not limited to: packet dropping, illegal routing table
modification, illegal packet modification, or turning off the router.
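Two of the behaviors listed above, illegal routing table modification
and packet dropping, leave traces that an operator can check against
an independently held baseline. The following is an added example,
not part of this draft: it diffs an observed route snapshot against
the authorized baseline, and estimates the share of ingress packets
that disappeared without being forwarded, delivered locally or
reported as drops. The snapshot format ("prefix via nexthop"), the
counter names and all values are constructed for the example; the
baseline must come from configuration or the IGP, never from the
router under suspicion.

```python
"""Routing-table drift and unexplained-drop checks (constructed data)."""
import ipaddress


def parse_routes(text):
    """Parse 'prefix via nexthop' lines into {normalized prefix: nexthop}."""
    table = {}
    for line in text.strip().splitlines():
        prefix, _via, nexthop = line.split()
        table[str(ipaddress.ip_network(prefix, strict=False))] = nexthop
    return table


def route_drift(baseline, observed):
    """Return (kind, prefix, detail) for every difference from the baseline."""
    findings = []
    for prefix in sorted(set(baseline) | set(observed)):
        b, o = baseline.get(prefix), observed.get(prefix)
        if b is None:
            findings.append(("added", prefix, o))
        elif o is None:
            findings.append(("removed", prefix, b))
        elif b != o:
            findings.append(("nexthop-changed", prefix, f"{b}->{o}"))
    return findings


def silent_drop_ratio(counters):
    """Fraction of ingress packets not accounted for by forwarding,
    local delivery or the router's own declared drop counters."""
    unexplained = (counters["in_pkts"] - counters["out_pkts"]
                   - counters["local_pkts"] - counters["declared_drops"])
    return max(unexplained, 0) / counters["in_pkts"]


# Constructed snapshots: the authorized table and what the router reports.
BASELINE = """
10.0.0.0/8 via 192.0.2.2
172.16.0.0/12 via 192.0.2.3
0.0.0.0/0 via 192.0.2.254
"""
OBSERVED = """
10.0.0.0/8 via 192.0.2.2
172.16.0.0/12 via 203.0.113.1
0.0.0.0/0 via 192.0.2.254
198.51.100.0/24 via 203.0.113.1
"""
# Constructed interface counters over one measurement interval.
SAMPLE_COUNTERS = {"in_pkts": 1_000_000, "out_pkts": 940_000,
                   "local_pkts": 5_000, "declared_drops": 1_000}
DROP_ALERT_THRESHOLD = 0.01   # hypothetical: alert above 1% unexplained loss


def demo():
    drift = route_drift(parse_routes(BASELINE), parse_routes(OBSERVED))
    ratio = silent_drop_ratio(SAMPLE_COUNTERS)
    return drift, ratio, ratio > DROP_ALERT_THRESHOLD


if __name__ == "__main__":
    drift, ratio, alert = demo()
    for kind, prefix, detail in drift:
        print(kind, prefix, detail)
    print(f"unexplained drop ratio {ratio:.3%}, alert={alert}")
```

The drop check only works if the in/out counters are read from a
vantage point the router cannot falsify (the neighbors' interface
counters or a passive tap), since a router with a backdoor can report
whatever counters it likes.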
6 Backdoor of Black Platform
The backdoor in a router can provide a platform on which the adversary
can secretly implant various other unlawful plug-in functions. The
platform is like an engine for any future risk: malicious plug-ins can
be installed on and uninstalled from the platform freely, giving the
adversary broad and extensible control over the router. The adversary
can develop new malicious plug-ins for new purposes when needed, or
new plug-ins to protect other malicious functions from detection, and
can uninstall a plug-in from the router after it completes its task so
as to avoid detection.
7 Potential Solutions
The main purpose of this document is the threat model rather than
solution guidance. This section only outlines the direction of
possible solutions.
As introduced in Section 1, the prevention solution may include: (a)
source code examination (which could be done by using open source
code) and (b) authoritative third-party authentication and
certification.
The run-time detection may include an anti-virus-like backdoor-
detection application, either on the router itself or outside the
router monitoring the traffic into and out of it, to check for
abnormal traffic patterns. There are also methods to trace the code
running on the machine and report any suspicious behavior.
The afterwards analysis needs big-data capability to gather all
related information from the router, including information reported
by the router itself and information monitored by other tools. The
big-data analysis should take both the data plane and the control
plane into scope.
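One concrete run-time check that covers both the plug-in platform of
Section 6 and the detection direction of Section 7 is to measure the
installed software components against a known-good manifest of the
released image. The following is an added example, not part of this
draft: it builds a SHA-256 manifest from a constructed release tree
and reports components that were modified, removed, or added without
being listed. The file paths and contents are constructed; the
manifest is assumed to be authenticated out of band (for instance
carried in a signed firmware package of the kind RFC 4108 describes)
and the comparison to run from a host other than the router.

```python
"""Installed-component integrity check against a release manifest (constructed data)."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(tree):
    """tree: {path: bytes} of the vendor-released image -> {path: sha256}."""
    return {path: sha256_hex(data) for path, data in tree.items()}


def verify_tree(manifest, tree):
    """Return (kind, path) findings: 'modified', 'missing' or 'unlisted'."""
    findings = []
    for path in sorted(set(manifest) | set(tree)):
        if path not in manifest:
            findings.append(("unlisted", path))      # e.g. an implanted plug-in
        elif path not in tree:
            findings.append(("missing", path))
        elif sha256_hex(tree[path]) != manifest[path]:
            findings.append(("modified", path))      # e.g. a patched forwarding module
    return findings


# Constructed release image and the tree read back from a running router.
RELEASE_TREE = {
    "/etc/version": b"4.2.1\n",
    "/usr/lib/bgp.so": b"\x7fELF bgp module v4.2.1",
    "/usr/lib/forward.so": b"\x7fELF forwarding module v4.2.1",
}
RUNNING_TREE = {
    "/etc/version": b"4.2.1\n",                       # unchanged
    "/usr/lib/bgp.so": b"\x7fELF bgp module v4.2.1",  # unchanged
    "/usr/lib/forward.so": b"\x7fELF forwarding module v4.2.1 +hook",  # modified
    "/usr/lib/plugins/helper.so": b"\x7fELF unlisted plug-in",        # unlisted
}
RELEASE_MANIFEST = build_manifest(RELEASE_TREE)


def demo():
    return verify_tree(RELEASE_MANIFEST, RUNNING_TREE)


if __name__ == "__main__":
    for kind, path in demo():
        print(kind, path)
```

Because Section 6 notes that a plug-in can be uninstalled once its
task is done, a one-off measurement can miss it; the check should run
at boot and periodically, with results kept off the router. It also
relies on the measuring agent and the file reads themselves being
honest, which is exactly what a hardware backdoor or shadow circuit
(Section 3.1) could undermine; that is the case for measurements
rooted in hardware the vendor cannot alter after delivery.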
8 Security Considerations
This document explores the security threats of inherent backdoors in
network forwarding equipment. It does not provide any detailed
specifications on how to avoid or detect such backdoors, but the
authors hope that standards development organizations will work on
solutions.
9 IANA Considerations
There are no IANA considerations for this document.
10 Acknowledgements
The authors would like to thank the following people for their
support and comments in the discussion of this problem: Stephen
Farrell, Melinda Shore, Jari Arkko, Dacheng Zhang.
11 References
11.1 Informative References
[RFC4108] Housley, R., "Using Cryptographic Message Syntax (CMS) to
Protect Firmware Packages", RFC 4108, August 2005.
[I-D.trammell-perpass-ppa] Trammell, B., Borkmann, D., and C.
Huitema, "A Threat Model for Pervasive Passive Surveillance",
draft-trammell-perpass-ppa-01, November 2013.
Authors' Addresses
Haibin Song
Huawei Technologies, Co. Ltd
Nanjing, China
EMail: haibin.song@huawei.com
Ning Zong
Huawei Technologies, Co. Ltd
Nanjing, China
Email: zongning@huawei.com