Moving Target Defense for IP-based Control
Vahid Heydari
University of Alabama in Huntsville
vahid.heydari@uah.edu

Outline
- IP-based Control
- Remote attacks and zero-day vulnerability
- Moving target defense
- Related work
- Mobile IPv6 and route optimization
- MTM6D
- Implementation of MTM6D

Why use IP for Remote Control?
- Faster communication
- Scalability
- Large number of off-the-shelf test and simulation applications
- Remote connection capability through satellites using the Internet

IP-based Control

Boeing Uninterruptible Autopilot
- Takes control of an aircraft away from the pilot or flight crew in the event of a hijacking, through a wireless connection between the aircraft and a ground station.
- Intended to prevent tragic events such as the 9/11 attack, the Malaysia Airlines flight 370 crash, or the Germanwings flight 9525 crash.
- Problem: The technology would allow cyberterrorists to hack into an airliner's controls.

Remote Attacks
- Attack from unlimited distance
- Two main categories:
  - Denial-of-Service (DoS) attacks
  - Remote exploits: take advantage of a bug or vulnerability
- Countermeasures:
  - IPsec
  - Intrusion Detection and Prevention Systems (IDPS)
  - Firewall
  - Vulnerability scanner (Nessus)
  - Penetration testing (Metasploit)

Zero-Day Vulnerability
- Undisclosed and uncorrected computer application vulnerability that could be exploited.
- Zero-day exploits can defeat the best firewalls and IDPSs.
- Knowing the IP address of a victim is enough to attack.

Moving Target Defense
- The first step of a cyber-attack: finding information about the attack surface
  - IP scanning, port scanning, etc.
- Solution: randomly changing some of the features of the attack surface
- Static IP addresses:
  - Easily discoverable
  - Long time access
- A mechanism that changes the IP addresses randomly and dynamically is a Moving Target Defense (MTD)

MT6D (Related Work)
- Proactive network layer MTD
- Rapidly changes the IPv6 address mid-session without dropping sessions.
- Peers use the same algorithm with a pre-shared symmetric key:
  - Generate a random IPv6 address for each time interval, based on the MAC address as input.
  - Use the peer's MAC address as input to find the peer's IP during the current time interval.
- Encapsulated by UDP

Limitations of MT6D
- Possibility of packet loss because of address collision
  - For example, losing access for 10 seconds to an aircraft that is in uninterruptible autopilot could cause a disaster.
- Key management limitation
- Relatively tight time synchronization is needed
- Static address rotation interval

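The time-synchronization limitation can be made concrete with a short simulation. This is an added example, not MT6D's code: HMAC-SHA256 stands in for the address-derivation function, which these slides do not specify, and the key, MAC address, prefix and 10-second interval are constructed values.

```python
import hashlib
import hmac
import ipaddress

INTERVAL = 10                      # seconds per address (static; constructed value)
KEY = b"constructed-pre-shared-key"
MAC = "02:00:00:aa:bb:cc"          # constructed, locally administered MAC
PREFIX = "2001:db8:0:1::/64"       # documentation prefix


def interval_address(mac, key, now, prefix=PREFIX):
    """Address the node with `mac` uses in the interval that contains `now`."""
    slot = int(now) // INTERVAL
    msg = bytes.fromhex(mac.replace(":", "")) + slot.to_bytes(8, "big")
    # Stand-in derivation: first 64 bits of HMAC-SHA256 become the interface ID.
    iid = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:8], "big")
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def peers_agree(owner_clock, peer_clock):
    """True when the peer derives the address the owner is using right now."""
    return (interval_address(MAC, KEY, owner_clock)
            == interval_address(MAC, KEY, peer_clock))


def mismatch_fraction(skew, start=1000, seconds=100):
    """Share of one-second ticks in which a peer whose clock runs `skew`
    seconds ahead sends to an address the owner is not listening on."""
    misses = sum(not peers_agree(t, t + skew)
                 for t in range(start, start + seconds))
    return misses / seconds


if __name__ == "__main__":
    for skew in (0, 1, 2, 5):
        print("skew %ds -> unreachable %.0f%% of the time"
              % (skew, 100 * mismatch_fraction(skew)))
```

With a fixed interval, every second of clock skew becomes a window of unreachability in each interval, which is the requirement MTM6D removes by announcing new addresses with Binding Updates instead of deriving them from the clock.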
Our Approach
- A static IP is needed for transparency to the upper layers.
  - It should not be accessible through the Internet.
- A dynamic IP is needed for connecting to other nodes.
  - Changing the dynamic IP should not cause any delay or packet loss in the network.
  - A mechanism is needed to update peer nodes with the new IP.
  - Add the capability of having a dynamic address rotation interval.
- A combination of standard protocols should be used instead of creating a new protocol because:
  - A new protocol can add new vulnerabilities to the system.
  - New protocols may have security or scalability problems.
- Avoid adding new requirements like time synchronization.

Mobile IPv6 Overview (RFC 6275)
- Mobile Node (MN)
- Home Agent (HA): Acts on behalf of the MN (like a proxy)
- Home address (HoA): Permanent IP of the MN, typically attached to the HA
- Care-of-address (CoA): Actual IP that the MN uses while in a foreign network
- Corresponding Node (CN): A node that the MN is communicating with
- Binding Update (BU) message: Updates the HA and correspondent nodes with the MN's current CoA
Image source: Q. Li, T. Jinmei and K. Shima, IPv6 advanced protocols implementation. Amsterdam: Elsevier/Morgan Kaufmann Publishers, 2007.

Route Optimization (RFC 6275)
- Routing packets between a MN and a CN using the shortest possible path
- Return routability procedure
  - Home Test: Verify the "right" of the MN to use a specific HoA
  - Care-of Test: Verify the validity of the claimed CoA
Image source: Q. Li, T. Jinmei and K. Shima, IPv6 advanced protocols implementation. Amsterdam: Elsevier/Morgan Kaufmann Publishers, 2007.

Route Optimization (RFC 4449)
- Static shared key method
  - Uses a shared symmetric key to omit all messages relating to the return routability tests.
- Pros:
  - HA is not needed in this process.
  - Low signaling overhead for route optimization.
- Cons:
  - The CN should have a good reason to trust the actions of the MN. (trust the peer or use Care-of Test)
  - Shared symmetric keys between a MN and each CN are needed. (solved by IPsec + IKEv2)
  - Cannot resist replay attacks. (solved by IPsec + IKEv2)

Moving Target Mobile IPv6 Defense (MTM6D)
- Use a permanent IP (HoA) to avoid disrupting TCP sessions and a temporary IP (CoA) for connecting to other nodes, as explained in Mobile IPv6.
- Each peer acts like a mobile node of Mobile IPv6.
- MTM6D dynamically changes the CoA for moving targets.
- The permanent home address is not accessible through the Internet because we do not have any HA in the network.

IP Address Rotator Script
- Randomly generate a new IP address as the CoA of the MN:
  - Create a random 64-bit address.
  - Combine it with the most significant 64 bits of the current CoA to generate the new CoA.
- Check that the new CoA is unoccupied by sending a neighbor solicitation message before registering it.
- Generate another CoA if an address collision occurs.
- Remove the previous CoA after registering the new CoA.
- According to Mobile IPv6, each MN will send the BU message to the other MN to inform it of its new CoA.

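The rotation round described above, as an added sketch rather than the author's script. The neighbor solicitation probe and the Binding Update are hypothetical callbacks (`is_occupied`, `send_bu`), a Python set stands in for the addresses configured on the interface, and the sample address is constructed.

```python
import ipaddress
import secrets

PREFIX_MASK = ((1 << 64) - 1) << 64  # upper 64 bits of an IPv6 address


def random_coa(current_coa):
    """Keep the upper 64 bits of the current CoA, randomize the lower 64."""
    prefix = int(current_coa) & PREFIX_MASK
    return ipaddress.IPv6Address(prefix | secrets.randbits(64))


def rotate_coa(current_coa, configured, is_occupied, send_bu, max_tries=8):
    """Run one rotation round and return the new CoA.

    configured  -- set of addresses on the interface (stand-in for the OS)
    is_occupied -- hypothetical callback for the neighbor solicitation probe
    send_bu     -- hypothetical callback that sends the Binding Update
    """
    for _ in range(max_tries):
        candidate = random_coa(current_coa)
        if candidate in configured or is_occupied(candidate):
            continue  # address collision: regenerate
        configured.add(candidate)        # new CoA is usable from here on
        send_bu(candidate)               # inform the peer MN of the new CoA
        configured.discard(current_coa)  # old CoA removed only afterwards
        return candidate
    raise RuntimeError("no unoccupied CoA found after %d tries" % max_tries)


def demo():
    """Constructed run: the first probe reports a collision, the second is free."""
    old = ipaddress.IPv6Address("2001:db8:0:1::10")  # documentation prefix
    configured, probes, updates = {old}, [], []

    def is_occupied(addr):
        probes.append(addr)
        return len(probes) == 1  # simulate one collision

    new = rotate_coa(old, configured, is_occupied, updates.append)
    return old, new, configured, probes, updates


if __name__ == "__main__":
    old, new, configured, probes, updates = demo()
    print("old CoA:", old, "-> new CoA:", new, "after", len(probes), "probes")
```

Because the new address is added before the old one is dropped, there is always at least one valid CoA on the interface during a round.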
Peer-to-Peer Lossless MTM6D
- Dynamic IPs on both peers (MN-to-MN communication).
- Send Binding Updates directly to the peer node's CoA.
- Solution for IP-based control:
  - Dynamic IPs on both peers
  - Zero packet loss by multiple CoAs
  - Security by IPsec

Implementation
Implementation (cont'd)
Conclusion
- A novel Mobile IPv6 based moving target defense strategy is designed to continuously change IP addresses so that it is difficult for attackers to find them.
- Zero extra network delay
- Zero packet loss
- Overhead:
  - Signaling overhead: Each round of changing IP needs two message transmissions at each MN (BU and BA messages), each being 158 bytes (using IPsec).
  - Transmission overhead: For each data packet, we have 24 bytes of overhead due to the use of IPsec (ESP).

References
- P. K. Manadhata and J. M. Wing, An Attack Surface Metric, IEEE Trans. Softw. Eng., vol. 37, no. 3, pp. 371-386, May 2011.
- M. Dunlop, S. Groat, W. Urbanski, R. Marchany, and J. Tront, MT6D: A Moving Target IPv6 Defense, in Proceedings of Military Communications Conference - MILCOM 2011, 2011, pp. 1321-1326.
- E. D. Brown, D. C. Cameron, K. R. Krothapalli, W. v. K. Jr, and T. M. Williams, System and method for automatically controlling a path of travel of a vehicle, U.S. Patent US7142971 B2, Nov., 2006, [Online]. Available: http://www.google.com.au/patents/us7142971
- V. Heydari and S.M. Yoo. Securing Critical Infrastructure by Moving Target Defense. 11th International Conference on Cyber Warfare and Security, (ICCWS 2016).
- V. Heydari, S. Kim, and S.M. Yoo. Anti-Censorship Framework using Mobile IPv6 based Moving Target Defense. In Proceedings of ACM 11th Annual Cyber and Information Security Research, (CISR 2016).
- V. Heydari, S. Kim, and S.M. Yoo. Secure VPN using Mobile IPv6 based Moving Target Defense. Submitted to IEEE GLOBECOM 2016.
- V. Heydari and S.M. Yoo. Preventing Remote Cyber Attacks against Aircraft Avionics Systems. Submitted to IEEE MILCOM 2016.

Thank you! QUESTIONS?