Overlapping IPv4, IPv6, and TCP data: exploring errors, test case context and multiple overlaps inside network stacks and NIDSes with PYROLYSE
Lucas Aubard, Johan Mazel, Gilles Guette, Pierre Chifflier

TL;DR
This paper introduces PYROLYSE, a tool that exhaustively tests the IPv4, IPv6, and TCP reassembly policies of network stacks and NIDSes. Applying it shows that implementations handle overlapping fragments and segments far more diversely than previously documented, and that several of these behaviors have security consequences (NIDS evasion, reassembly errors).
Contribution
The paper presents PYROLYSE, an exhaustive testing tool for reassembly policies, and analyzes their diversity and security implications across multiple implementations.
Findings
Reassembly policies are more diverse than previously known.
Identified 8 security-impacting errors in OS, NIDS, and embedded stacks.
NIDS policies are often inconsistent with actual reassembly behaviors.
Abstract
IP fragmentation and TCP segmentation allow for splitting large data packets into smaller ones, e.g., for transmission across network links of limited capacity. These mechanisms permit complete or partial overlaps with different data on the overlapping portions. IPv4, IPv6, and TCP reassembly policies, i.e., the data chunk preferences that depend on the overlap types, differ across protocol implementations. This leads to vulnerabilities, as NIDSes may interpret the packet differently from the monitored host OSes. Some NIDSes, such as Suricata or Snort, can be configured so that their policies are consistent with the monitored OSes. The first contribution of the paper is PYROLYSE, an audit tool that exhaustively tests and describes the reassembly policies of various IP and TCP implementation types. This tool ensures that implementations reassemble overlapping chunk sequences without…
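The abstract's core point, that the same overlapping chunk sequence can reassemble to different byte streams depending on an implementation's overlap policy, is illustrated below with a toy TCP reassembler. This is an added example, not code from the paper or from PYROLYSE: the two policies ("first": earlier data wins; "last": later data wins), the simplified overlap taxonomy in `overlap_kind`, and the three-segment HTTP request are all constructed here for illustration. Real OS and NIDS policies are finer-grained than this pair, which is exactly what the paper's exhaustive testing is about.

```python
"""Toy TCP segment reassembler with a selectable overlap policy.

Added example (not from the paper): demonstrates how a NIDS and a host
that apply different overlap policies see different payloads for the
same segments, and classifies the overlap type between two chunks.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of the first payload byte
    data: bytes   # payload carried by this segment


def reassemble(segments: Iterable[Segment], policy: str) -> bytes:
    """Reassemble `segments` (in arrival order) under one overlap policy.

    'first': a byte offset already filled is never overwritten.
    'last' : a later segment overwrites bytes delivered by earlier ones.
    Raises ValueError on an unknown policy or a hole in the stream.
    """
    stream: Dict[int, int] = {}  # byte offset -> byte value
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if policy == "first":
                stream.setdefault(off, b)
            elif policy == "last":
                stream[off] = b
            else:
                raise ValueError(f"unknown policy {policy!r}")
    if not stream:
        return b""
    end = max(stream) + 1
    holes = [o for o in range(end) if o not in stream]
    if holes:
        raise ValueError(f"stream has holes at offsets {holes}")
    return bytes(stream[o] for o in range(end))


def overlap_kind(a: Segment, b: Segment) -> str:
    """Classify where chunk `b` lies relative to chunk `a`.

    Simplified taxonomy written for this example; the paper's own
    categorisation of overlap cases is finer-grained.
    """
    a0, a1 = a.seq, a.seq + len(a.data)   # half-open interval [a0, a1)
    b0, b1 = b.seq, b.seq + len(b.data)
    if b1 <= a0 or b0 >= a1:
        return "adjacent" if b1 == a0 or b0 == a1 else "disjoint"
    if (b0, b1) == (a0, a1):
        return "identical"
    if a0 <= b0 and b1 <= a1:
        return "subset"
    if b0 <= a0 and a1 <= b1:
        return "superset"
    return "partial-left" if b0 < a0 else "partial-right"


def policies_disagree(segments: List[Segment], nids_policy: str, host_policy: str) -> bool:
    """True when the NIDS and the monitored host would reconstruct different data."""
    return reassemble(segments, nids_policy) != reassemble(segments, host_policy)


# Constructed sample: segment 3 re-sends offsets 5..10 with different bytes.
SEGMENTS: List[Segment] = [
    Segment(0, b"GET /"),
    Segment(5, b"a.html HTTP/1.0\r\n"),   # covers offsets 5..21
    Segment(5, b"b.html"),                # subset overlap, conflicting data
]

if __name__ == "__main__":
    for pol in ("first", "last"):
        print(pol, reassemble(SEGMENTS, pol))
    print("overlap:", overlap_kind(SEGMENTS[1], SEGMENTS[2]))
    print("NIDS(first) vs host(last) disagree:",
          policies_disagree(SEGMENTS, "first", "last"))
```

With a "first" policy the stream reads `GET /a.html HTTP/1.0`, with "last" it reads `GET /b.html HTTP/1.0`. A NIDS configured with one policy while the monitored host applies the other inspects a request the host never receives, which is the evasion scenario the abstract refers to; the `overlap_kind` classification is the dimension an exhaustive audit enumerates.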
Taxonomy
Topics: IPv6, Mobility, Handover, Networks, Security
