Universal Session Protocol: Mitigating Unauthenticated Remote Code Execution

TL;DR

The paper proposes a new TCP/IP session layer called the Universal Session Protocol that enforces authentication before data processing, significantly enhancing security for critical systems against anonymous attacks.

Contribution

It introduces a novel session layer in TCP/IP architecture that mandates authentication prior to data access, addressing a critical security vulnerability.

Findings

Provides a structured process for authentication negotiation.

Prevents data processing without successful authentication.

Enhances security for life-critical infrastructure.

Abstract

Currently, the TCP/IP model enables exploitation of vulnerabilities anonymously by unconditionally fulfilling every request for a connection into an application; the model only incorporates authentication within applications themselves, rather than as a precondition for access into applications. I am proposing the Universal Session Protocol as a change to the architecture of the TCP/IP model to include a session layer featuring a structured generalized process for authentication negotiation and fulfillment. The Universal Session Protocol addresses an urgent and vital need to eliminate unauthenticated data processing on security critical systems. Previous work regarding TCP/IP security has focused on the application design and implementation and existing protocol layers, but has failed to posit the addition of a session layer as a mitigating control. Failing to implement a distinct authentication layer leaves every resource connected to the global Internet, including life and security critical infrastructure, vulnerable to attacks from anonymous and untraceable sources. The Universal Session Protocol provides a solution by establishing a TCP/IP Session Layer that explicitly provides authentication before a data stream is accessible within an application. After authentication, an identity is associated with the data stream so that all data may be related back to that identity for forensic purposes. If authentication fails, the application will never process user data, rendering the service safe from anonymous bad actors.