The CURE To Vulnerabilities in RPKI Validation
- URL: http://arxiv.org/abs/2312.01872v1
- Date: Mon, 4 Dec 2023 13:09:37 GMT
- Title: The CURE To Vulnerabilities in RPKI Validation
- Authors: Donika Mirdita, Haya Schulmann, Niklas Vogel, Michael Waidner
- Abstract summary: RPKI has seen increasing adoption, with now 37.8% of the major networks filtering bogus BGP routes.
We report a total of 18 vulnerabilities that can be exploited to downgrade RPKI validation in border routers.
We generated over 600 million test cases and tested all popular RPs on them.
- Score: 19.36803276657266
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Over recent years, the Resource Public Key Infrastructure (RPKI) has seen increasing adoption, with now 37.8% of the major networks filtering bogus BGP routes. Systems interact with the RPKI over Relying Party (RP) implementations that fetch RPKI objects and feed BGP routers with the validated prefix-ownership data. Consequently, any vulnerabilities or flaws within the RP software can substantially threaten the stability and security of Internet routing. We uncover severe flaws in all popular RP implementations, making them susceptible to path traversal attacks, remotely triggered crashes, and inherent inconsistencies, violating RPKI standards. We report a total of 18 vulnerabilities that can be exploited to downgrade RPKI validation in border routers or, worse, enable poisoning of the validation process, resulting in malicious prefixes being wrongfully validated and legitimate RPKI-covered prefixes failing validation. Furthermore, our research discloses inconsistencies in the validation process, with two popular implementations leaving 8149 prefixes unprotected from hijacks, 6405 of which belong to Amazon. While these findings are significant in their own right, our principal contribution lies in developing CURE, the first-of-its-kind system to systematically detect bugs, vulnerabilities, and RFC compliance issues in RP implementations via automated test generation. CURE is a powerful RPKI publication point emulator that enables easy and efficient fuzzing of complex RP validation pipelines. It is designed with a set of novel techniques, utilizing differential and stateful fuzzing. We generated over 600 million test cases and tested all popular RPs on them. Following our disclosure, the vendors already assigned CVEs to the vulnerabilities we found.
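The abstract's two central points, differential testing of RP implementations and the routing consequence of RPs that disagree, can be shown on a small scale. The block below is an added example written for this page; it is not code from the CURE paper or from any RP implementation. Two RPs are stood in for by two constructed VRP sets (the validated prefix-ownership data an RP exports to routers), a constructed sample of BGP announcements is validated against each under RFC 6811 route origin validation, and every announcement on which the RPs disagree is reported. All prefixes come from the IETF documentation ranges and all ASNs from the documentation range 64496-64511; the VRP sets, announcements and the helper names are assumptions made for the illustration.

```python
"""Differential check of Relying Party (RP) output, in the spirit of CURE.

Added example, not code from the CURE paper or from any RP implementation.
Two RPs are stood in for by two constructed VRP sets (the validated
prefix-ownership data an RP exports to routers). Every BGP announcement in a
constructed sample is validated against each set under RFC 6811 route origin
validation (ROV), and disagreements are reported. Prefixes are taken from the
documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24,
2001:db8::/32) and ASNs from the documentation range 64496-64511.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: prefix, maximum length, authorised origin AS."""
    prefix: str
    max_length: int
    asn: int

    def network(self):
        return ipaddress.ip_network(self.prefix, strict=True)


def rov_state(prefix: str, origin_asn: int, vrps: List[VRP]) -> str:
    """RFC 6811 route origin validation for a single announcement.

    NotFound: no VRP covers the announced prefix.
    Valid:    a covering VRP authorises this origin AS and the announced
              length does not exceed that VRP's maxLength.
    Invalid:  the prefix is covered, but no covering VRP makes it valid.
    """
    route = ipaddress.ip_network(prefix, strict=False)
    # Compare versions first: subnet_of() raises on an IPv4/IPv6 mix.
    covering = [
        v for v in vrps
        if v.network().version == route.version and route.subnet_of(v.network())
    ]
    if not covering:
        return "NotFound"
    for v in covering:
        if v.asn == origin_asn and route.prefixlen <= v.max_length:
            return "Valid"
    return "Invalid"


# Constructed VRP sets (assumption): RP A exported the ROA for 192.0.2.0/24,
# RP B did not (as if it had rejected the object or never fetched it), so the
# prefix is covered in A's view and uncovered in B's.
RP_A = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("198.51.100.0/24", 24, 64497),
    VRP("2001:db8::/32", 48, 64499),
]
RP_B = [
    VRP("198.51.100.0/24", 24, 64497),
    VRP("2001:db8::/32", 48, 64499),
]

# Constructed announcements (assumption): (prefix, origin AS).
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # legitimate origin
    ("192.0.2.0/24", 64511),     # hijack from another AS
    ("198.51.100.0/24", 64497),  # legitimate origin
    ("198.51.100.0/25", 64497),  # too specific: exceeds maxLength 24
    ("203.0.113.0/24", 64498),   # no ROA in either RP's view
    ("2001:db8:1::/48", 64499),  # IPv6, within maxLength 48
]


def diff_rp_outputs(announcements, rp_a, rp_b):
    """Return (prefix, asn, state_a, state_b) for every announcement on which
    the two RPs disagree; an empty list means the two RPs are consistent."""
    out = []
    for prefix, asn in announcements:
        a, b = rov_state(prefix, asn, rp_a), rov_state(prefix, asn, rp_b)
        if a != b:
            out.append((prefix, asn, a, b))
    return out


def unprotected(mismatches):
    """Mismatches where one RP rejects a route as Invalid and the other returns
    NotFound. A router fed by the second RP, running the common 'drop Invalid
    only' policy, accepts the hijack: that prefix is effectively unprotected."""
    return [m for m in mismatches if {m[2], m[3]} == {"Invalid", "NotFound"}]


if __name__ == "__main__":
    mismatches = diff_rp_outputs(ANNOUNCEMENTS, RP_A, RP_B)
    for m in mismatches:
        print("disagree: %s AS%d  rpA=%s rpB=%s" % m)
    print("announcements left unprotected from hijack:", len(unprotected(mismatches)))
```

Run stand-alone, the script reports the two announcements for 192.0.2.0/24 as disagreements and counts one of them (the hijack) as unprotected: RP A marks it Invalid, RP B returns NotFound, and a router that only drops Invalid routes accepts it. Scaling this comparison to real RP outputs over generated repositories is the differential part of what the abstract describes.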
Related papers
- Is Crunching Public Data the Right Approach to Detect BGP Hijacks? [46.60173408970299]
Border Gateway Protocol (BGP) remains a fragile pillar of Internet routing.
Recent approaches like DFOH and BEAM apply machine learning (ML) to analyze data from globally distributed BGP monitors.
This paper shows that state-of-the-art hijack detection systems like DFOH and BEAM are vulnerable to data poisoning.
arXiv Detail & Related papers (2025-07-27T22:35:21Z)
- Pruning the Tree: Rethinking RPKI Architecture From The Ground Up [2.340368527699536]
Resource Public Key Infrastructure (RPKI) is a critical security mechanism for BGP.
RPKI design heavily reuses legacy PKI components, such as X.509 EE-certificates, ASN.1 encoding, and XML-based repository protocols.
We show that these design choices, although based on established standards, create significant performance bottlenecks, increase the vulnerability surface, and hinder scalability for wide-scale Internet deployment.
arXiv Detail & Related papers (2025-07-02T08:24:50Z)
- CyberGym: Evaluating AI Agents' Cybersecurity Capabilities with Real-World Vulnerabilities at Scale [46.76144797837242]
Large language model (LLM) agents are becoming increasingly skilled at handling cybersecurity tasks autonomously.
Existing benchmarks fall short, often failing to capture real-world scenarios or being limited in scope.
We introduce CyberGym, a large-scale and high-quality cybersecurity evaluation framework featuring 1,507 real-world vulnerabilities.
arXiv Detail & Related papers (2025-06-03T07:35:14Z)
- In-House Evaluation Is Not Enough: Towards Robust Third-Party Flaw Disclosure for General-Purpose AI [93.33036653316591]
We call for three interventions to advance system safety.
First, we propose using standardized AI flaw reports and rules of engagement for researchers.
Second, we propose GPAI system providers adopt broadly-scoped flaw disclosure programs.
Third, we advocate for the development of improved infrastructure to coordinate distribution of flaw reports.
arXiv Detail & Related papers (2025-03-21T05:09:46Z)
- Learning to Identify Conflicts in RPKI [0.0]
We introduce a new mechanism, LOV, designed for whitelisting benign conflicts on an Internet scale.
We measure live BGP updates using LOV during a period of half a year and whitelist 52,846 routes with benign origin errors.
arXiv Detail & Related papers (2025-02-05T17:16:44Z)
- Poster: From Fort to Foe: The Threat of RCE in RPKI [16.84312626844573]
We present a novel severe buffer-overflow vulnerability in the RPKI validator Fort.
This vulnerability allows an attacker to achieve Remote Code Execution on the machine running the software.
arXiv Detail & Related papers (2024-11-25T16:01:02Z)
- RPKI: Not Perfect But Good Enough [18.399905446335904]
The Resource Public Key Infrastructure protocol was standardized to add cryptographic security to Internet routing.
The White House indicated in its Roadmap to Enhance Internet Security, on 4 September 2024, that RPKI is a mature and readily available technology for securing inter-domain routing.
This work presents the first comprehensive study of the maturity of RPKI as a viable production-grade technology.
arXiv Detail & Related papers (2024-09-22T16:21:14Z)
- SoK: An Introspective Analysis of RPKI Security [19.075820340282938]
The Resource Public Key Infrastructure (RPKI) is the main mechanism to protect inter-domain routing with BGP from prefix hijacks.
Almost half of all the global prefixes are now covered by RPKI and measurements show that 27% of networks are already using RPKI to validate BGP announcements.
arXiv Detail & Related papers (2024-08-22T12:57:09Z)
- PatUntrack: Automated Generating Patch Examples for Issue Reports without Tracked Insecure Code [6.6821370571514525]
We propose PatUntrack to automatically generate patch examples from vulnerable issue reports (IRs) without tracked insecure code.
It first generates the completed description of the Vulnerability-Triggering Path (VTP) from vulnerable IRs.
It then corrects hallucinations in the VTP description with external golden knowledge.
Finally, it generates Top-K pairs of Insecure Code and Patch Example based on the corrected VTP description.
arXiv Detail & Related papers (2024-08-16T09:19:27Z)
- Rethinking the Vulnerabilities of Face Recognition Systems: From a Practical Perspective [53.24281798458074]
Face Recognition Systems (FRS) have increasingly integrated into critical applications, including surveillance and user authentication.
Recent studies have revealed vulnerabilities in FRS to adversarial (e.g., adversarial patch attacks) and backdoor attacks (e.g., training data poisoning).
arXiv Detail & Related papers (2024-05-21T13:34:23Z)
- Byzantine-Secure Relying Party for Resilient RPKI [17.461853355858022]
We develop BRP, a Byzantine-Secure relying party implementation.
We show through simulations and experiments that BRP, as an intermediate RPKI service, results in less load on RPKI publication points and a robust output despite RPKI repository failures, jitter, and attacks.
arXiv Detail & Related papers (2024-05-01T14:04:48Z)
- Anchoring Path for Inductive Relation Prediction in Knowledge Graphs [69.81600732388182]
APST takes both APs and CPs as the inputs of a unified Sentence Transformer architecture.
We evaluate APST on three public datasets and achieve state-of-the-art (SOTA) performance in 30 of 36 transductive, inductive, and few-shot experimental settings.
arXiv Detail & Related papers (2023-12-21T06:02:25Z)
- Sound and Complete Verification of Polynomial Networks [55.9260539566555]
Polynomial Networks (PNs) have demonstrated promising performance on face and image recognition recently.
Existing verification algorithms on ReLU neural networks (NNs) based on branch and bound (BaB) techniques cannot be trivially applied to PN verification.
We devise a new bounding method, equipped with BaB for global convergence guarantees, called VPN.
arXiv Detail & Related papers (2022-09-15T11:50:43Z)
- PASS: Protected Attribute Suppression System for Mitigating Bias in Face Recognition [55.858374644761525]
Face recognition networks encode information about sensitive attributes while being trained for identity classification.
Existing bias mitigation approaches require end-to-end training and are unable to achieve high verification accuracy.
We present a descriptors-based adversarial de-biasing approach called Protected Attribute Suppression System (PASS).
PASS can be trained on top of descriptors obtained from any previously trained high-performing network to classify identities and simultaneously reduce encoding of sensitive attributes.
arXiv Detail & Related papers (2021-08-09T00:39:22Z)
- Robust Deep Reinforcement Learning against Adversarial Perturbations on State Observations [88.94162416324505]
A deep reinforcement learning (DRL) agent observes its states through observations, which may contain natural measurement errors or adversarial noises.
Since the observations deviate from the true states, they can mislead the agent into making suboptimal actions.
We show that naively applying existing techniques on improving robustness for classification tasks, like adversarial training, is ineffective for many RL tasks.
arXiv Detail & Related papers (2020-03-19T17:59:59Z)
- (De)Randomized Smoothing for Certifiable Defense against Patch Attacks [136.79415677706612]
We introduce a certifiable defense against patch attacks that guarantees for a given image and patch attack size.
Our method is related to the broad class of randomized smoothing robustness schemes.
Our results effectively establish a new state-of-the-art of certifiable defense against patch attacks on CIFAR-10 and ImageNet.
arXiv Detail & Related papers (2020-02-25T08:39:46Z)
This list is automatically generated from the titles and abstracts of the papers in this site.