INTERNET-DRAFT                                                   H. Song
Intended Status: Informational                                   N. Zong
Expires: April 30, 2015                                           Huawei
                                                        October 27, 2014

                  A Threat Model for Router Backdoor
                    draft-song-router-backdoor-00

Abstract

This document elaborates a threat model for inherent backdoors in telecom routers. We assume a malicious router can contain an inherent backdoor whose purpose is eavesdropping on traffic, or disabling the functioning of the router or of the whole network. The document is intended to show system designers and network administrators how such a backdoor works, so as to assist in the security evaluation of routers and, especially, in standard designs that are immune to inherent backdoors.

Status of this Memo

This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html

Copyright and License Notice

Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.

Song & Zong               Expires April 30, 2015                [Page 1]

INTERNET DRAFT        A Threat Model for Router Backdoor   October 27, 2014

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

1  Introduction
2  Terminology
3  Backdoor Classification
   3.1  Implementation classification
   3.2  Purpose classification
4  Behaviors of Traffic Eavesdropping
5  Behavior of Equipment Malfunctioning
6  Backdoor of Black Platform
7  Potential Solutions
8  Security Considerations
9  IANA Considerations
10 Acknowledgements
11 References
   11.1  Informative References
Authors' Addresses

1 Introduction

In recent years telecom routers have sometimes been suspected of containing backdoors. The main suspicion is that the equipment could be used for eavesdropping: telecom routers are the key equipment for packet forwarding and handle a huge volume of traffic all the time, so a router is in a position to exploit its place in the network and analyze that traffic for unknown purposes. Equipment vendors always claim they have no backdoors, and usually there is no evidence either way, but this mutual distrust harms the industry.
This document introduces a threat model for telecom routers in detail.

On one side, vendors would like to prove their innocence. Today they usually ask a third-party organization to evaluate their products and issue a certificate, and this certification helps, more or less, to establish trust between the parties. Sometimes vendors are required to open their source code to regulators, but most vendors consider their source code a business secret and the key to their commercial success, so they are generally unwilling to do so.

On the other side, operators and regulators would like to be sure the equipment is secure, but there is no standard mechanism for evaluating whether or not a router contains a backdoor. Operators do not want to spend large amounts of manpower reviewing the router's source code either, so they too usually rely on third-party evaluation. Today, however, a third party can only certify that the equipment withstands some common attacks, or that it follows certain secure programming rules; there is no way for a third party to guarantee that no backdoor exists.

The motivation of this document is to address this problem from both sides. One direction is prevention: a well-designed standard solution or guideline that prevents or avoids the introduction of backdoors, for example standard design specifications that rule them out. A second direction is run-time detection: tools that run on or beside the router and detect its malicious behavior immediately, much as people run anti-virus software (e.g. 360 or Symantec) on their computers. The challenge here is that the malicious behavior is not known in advance, but a detector that can recognize and then block such behavior is still effective. The third direction is analysis after the fact.
Analysis after the fact needs huge storage space (for a 40 Gbps router, storing the raw traffic takes about 18 TB per hour), and it may be useless once the malicious behavior has already happened. It is helpful, in a slower way, for people to adopt countermeasures after an incident has been detected.

With the above efforts there can be three results.

Result 1: No backdoor. This certifies the innocence of the vendor, and the operators and regulators are glad to dismiss their suspicion of the vendor.

Result 2: There is a backdoor. In that case the effort helps the administrators to detect it.

Result 3: Still not sure. No malicious behavior has been detected, but the distrust between the parties is mitigated, because both have agreed on a solution.

The problem space of this document covers the threat model of inherent router backdoors; the prevention, detection and after-the-fact analysis solutions are left for future study. Anything related to backdoors implanted by third parties or to system vulnerabilities is out of scope, as is protection against attacks on routers.

2 Terminology

Backdoor: A method of bypassing normal authentication, securing unauthorized remote access to a piece of equipment, obtaining access to its functional components, or enabling hidden functions, while attempting to remain undetected.

Inherent backdoor: A backdoor deliberately designed into the equipment as it is delivered by the provider to the customer, implemented in either software or hardware; it is not a backdoor implanted by a third party after the customer puts the equipment into operation. The assumption is that the software and hardware of the equipment are not changed during the delivery chain.
3 Backdoor Classification

3.1 Implementation classification

From the implementation perspective, we classify backdoors into hardware and software backdoors. Hardware backdoors can be specially designed transistors or shadow circuits. Software backdoors can be hidden functions triggered by specially crafted packets, or hidden listening ports, for example the notorious TCP port 32764 backdoor.

3.2 Purpose classification

From the perspective of purpose, we classify backdoors as follows.

One purpose is traffic eavesdropping, which is the main suspicion in various cases. Eavesdropping can have a definite target (a person, a line, or a user account) or it can be pervasive.

Another purpose is to make the equipment malfunction. An adversary can obtain root control of the router and choose the time, the location, the component and the manner in which the router malfunctions.

A possible purpose could also be management and operation of the device, for example updating it. But an undocumented method of accessing the device must also be regarded as a backdoor.

4 Behaviors of Traffic Eavesdropping

The main suspected behavior is traffic eavesdropping. The easiest thing a spying router can do is to encapsulate the original user packets (whether targeted or pervasive) and send them to another destination for collection and analysis. Pervasive monitoring cannot be done during peak traffic hours, since it would produce too much extra traffic from the device, but replication of a targeted user's or line's packets can be done at any time. Note that in this method the router generates new eavesdropping packets, and their source IP address could be the router's own address or any fake IP address.
The destination of the eavesdropping packets could be a malicious NMS or any other host under the adversary's control. The eavesdropping packets can be encrypted.

Another way to eavesdrop is to use an existing session instead of a new session from the router. The spying router monitors the user packets and then encapsulates the extracted information into an existing end-to-end session that was designed for eavesdropping. Note that in this scenario there is no new packet from the router, because it reuses an existing session, which makes it very hard to find by monitoring traffic on the router's interfaces. Here too the eavesdropping data can be encrypted. This kind of eavesdropping is hard to use for pervasive monitoring, because it is limited by the capacity of the spying session.

A more complicated way is for the spying router to monitor and analyze the user packets itself and send only the extracted information to the adversary when needed, either through router-to-NMS messages or through a new or an existing session. In this case there are no continuous eavesdropping messages, and the messages can also be encrypted. But this method requires the malicious router to carry a powerful analysis tool for big data, which may not be so easy to hide.

A spying router can also have a storage backdoor and provide access to it through manual or remote control. It can leave illegal root control to the adversary, so that the stored information is accessed only when needed.

The eavesdropping function can be triggered by specially designed packets or by other means.

5 Behavior of Equipment Malfunctioning

A backdoor can make the router malfunction. If the backdoor is enabled in a router located on a key path of the network topology, it can even destroy the functioning of the whole network.
Usually the adversary obtains root control over the router and can then operate it at will. The malfunctioning behaviors include, but are not limited to: packet dropping, illegal routing table modification, illegal packet modification, and turning the router off.

6 Backdoor of Black Platform

The backdoor in a router can provide a platform on which the adversary can secretly implant various other unlawful plug-in functions. The platform is like an engine for any future risk: malicious plug-ins can be freely installed on and uninstalled from it, and the adversary gains broad and extensible control over the router. The adversary can develop new malicious plug-ins for new services when needed, or plug-ins that protect the other malicious functions from being detected, and can uninstall a plug-in after it completes its task so as to avoid detection.

7 Potential Solutions

The main purpose of this document is the threat model, not solution guidance; this section only outlines the directions a solution could take.

As introduced in Section 1, prevention may include (a) source code examination (which could be done by using open source code) and (b) authentication and certification by an authoritative third party.

Run-time detection may include an anti-virus-like backdoor detection application running in the router, or one running outside the router that monitors the traffic in and out of it and checks for abnormal traffic patterns. Another method is to trace the code running on the machine and report any suspicious behavior.

After-the-fact analysis needs big data capability to gather all related information from the router, both information reported by the router itself and information monitored by other tools. The analysis should take both the data plane and the control plane into scope.
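The run-time detection direction described above (monitoring the traffic in and out of the router, with both data plane and control plane in scope) can be made concrete. The following Python script is an added example and is not part of this draft or of any vendor's tooling: it runs three offline checks over constructed router telemetry, covering the eavesdropping behaviors of Section 4 (replicated packets, information piggy-backed on existing sessions, router-originated flows with the router's own or a faked source address), the illegal routing table modification of Section 5, and the combined data-plane/control-plane view asked for in Section 7. Every counter, flow record, route, address and tolerance below is constructed for illustration; the premise that router-originated flows are exported with input interface 0 follows common flow-export practice but is an assumption of the example, as are the policy values (router addresses, permitted NMS).

```python
"""Added example (not from draft-song-router-backdoor-00): offline checks over
constructed router telemetry for the run-time detection direction of Section 7.
Every counter, flow record, route and policy value here is constructed for
illustration and comes from no real device or network."""
from ipaddress import ip_address

# Assumed operator policy (hypothetical values): addresses the router may use
# as a packet source, and the only destination it may contact on its own
# behalf (the operator's real NMS).
ROUTER_ADDRS = {ip_address("192.0.2.1"), ip_address("198.51.100.1")}
ALLOWED_ROUTER_DSTS = {ip_address("203.0.113.10")}
PROTO_NAMES = {4: "IP-in-IP", 6: "TCP", 17: "UDP", 47: "GRE"}

# Constructed per-interface counters for one measurement window.
COUNTERS = [
    {"if": "ge-0/0/0", "rx_pkts": 1_000_000, "rx_bytes": 700_000_000,
     "tx_pkts": 400_000, "tx_bytes": 280_000_000},
    {"if": "ge-0/0/1", "rx_pkts": 400_000, "rx_bytes": 280_000_000,
     "tx_pkts": 1_000_000, "tx_bytes": 760_000_000},
]
DROPS = 0  # packets the router reports as intentionally discarded

# Constructed flow records exported by the router.  Assumption: flows the
# router originates itself carry input interface 0; transit flows carry a
# real ingress interface index.
FLOWS = [
    {"in_if": 1, "src": "10.0.0.5", "dst": "10.1.0.9", "proto": 6, "dport": 443, "bytes": 500_000},
    {"in_if": 0, "src": "192.0.2.1", "dst": "203.0.113.10", "proto": 17, "dport": 162, "bytes": 2_000},
    {"in_if": 0, "src": "192.0.2.1", "dst": "198.51.100.77", "proto": 47, "dport": 0, "bytes": 300_000},
    {"in_if": 0, "src": "172.16.9.9", "dst": "198.51.100.77", "proto": 17, "dport": 4789, "bytes": 120_000},
    {"in_if": 2, "src": "203.0.113.99", "dst": "10.1.0.9", "proto": 6, "dport": 80, "bytes": 4_000},
]

# Constructed control-plane snapshots: route table recorded at commissioning
# (baseline) and the table observed now.
EXPECTED_ROUTES = {"10.1.0.0/16": "198.51.100.2", "0.0.0.0/0": "198.51.100.254"}
OBSERVED_ROUTES = {"10.1.0.0/16": "198.51.100.77", "0.0.0.0/0": "198.51.100.254",
                   "172.16.9.0/24": "198.51.100.77"}


def conservation_check(counters, drops, pkt_tol=0.001, byte_tol=0.01):
    """Data plane: a forwarding-only router emits about what it receives, minus
    drops.  A packet surplus means replicated packets (Section 4, first method).
    A byte surplus while packets are conserved means payloads grew in transit,
    i.e. data piggy-backed on existing sessions (Section 4, second method),
    which counting new packets alone would miss.  Tolerances must be calibrated
    on a known-clean window: routing protocols and NMS replies legitimately
    originate on the router."""
    rx_p = sum(c["rx_pkts"] for c in counters)
    tx_p = sum(c["tx_pkts"] for c in counters)
    rx_b = sum(c["rx_bytes"] for c in counters)
    tx_b = sum(c["tx_bytes"] for c in counters)
    findings = []
    if tx_p > (rx_p - drops) * (1 + pkt_tol):
        findings.append(f"packet surplus: tx={tx_p} rx={rx_p} drops={drops}")
    if tx_b > rx_b * (1 + byte_tol):
        findings.append(f"byte surplus: tx={tx_b} rx={rx_b}")
    return findings


def suspicious_flows(flows):
    """Data plane: flows a spying router generates itself (Section 4).  A
    router-originated flow whose source is not the router's own address is a
    faked source; one going anywhere but the real NMS is a candidate
    exfiltration channel (here a GRE tunnel carrying encapsulated packets)."""
    findings = []
    for f in flows:
        if f["in_if"] != 0:
            continue  # transit traffic, not originated by the router
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        proto = PROTO_NAMES.get(f["proto"], str(f["proto"]))
        if src not in ROUTER_ADDRS:
            findings.append(f"router-originated flow with faked source {src} -> {dst} ({proto}/{f['dport']})")
        elif dst not in ALLOWED_ROUTER_DSTS:
            findings.append(f"router-sourced flow to unlisted {dst} ({proto}/{f['dport']}, {f['bytes']} B)")
    return findings


def route_drift(expected, observed):
    """Control plane (Section 5): prefixes whose next hop changed, appeared or
    vanished relative to the baseline."""
    findings = []
    for prefix in sorted(set(expected) | set(observed)):
        e, o = expected.get(prefix), observed.get(prefix)
        if e != o:
            findings.append(f"{prefix}: expected next-hop {e}, observed {o}")
    return findings


def run_all():
    """Data-plane and control-plane checks together, as Section 7 asks."""
    return {
        "conservation": conservation_check(COUNTERS, DROPS),
        "flows": suspicious_flows(FLOWS),
        "routes": route_drift(EXPECTED_ROUTES, OBSERVED_ROUTES),
    }


if __name__ == "__main__":
    for name, items in run_all().items():
        print(f"{name}: {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

On the constructed data the packet counts balance but the bytes do not, which is exactly the signature of the second eavesdropping method (no new packets, but existing sessions carry extra payload); if the spy replaces bytes rather than adding them, conservation passes and only content inspection would catch it. Two caveats matter in this threat model: the counters and flow records are produced by the suspect router itself, so a backdoor can falsify them, and independent measurements (optical taps, the neighbor's counters on the far end of each link) are the stronger signal; and the route baseline must be recorded from a trusted source such as the operator's intended configuration, not from the device being checked.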
8 Security Considerations

This document explores the security threats posed by inherent backdoors in network forwarding equipment. It does not provide any detailed specification of how to avoid or detect such backdoors, but it hopes that standards development organizations will work on solutions.

9 IANA Considerations

There are no IANA considerations for this document.

10 Acknowledgements

The authors would like to thank the following people for their support and comments in the discussion of this problem: Stephen Farrell, Melinda Shore, Jari Arkko, Dacheng Zhang.

11 References

11.1 Informative References

[RFC4108] Housley, R., "Using Cryptographic Message Syntax (CMS) to Protect Firmware Packages", RFC 4108, August 2005.

[I-D.trammell-perpass-ppa] Trammell, B., Borkmann, D., and C. Huitema, "A Threat Model for Pervasive Passive Surveillance", draft-trammell-perpass-ppa-01, November 2013.

Authors' Addresses

Haibin Song
Huawei Technologies, Co. Ltd
Nanjing, China
EMail: haibin.song@huawei.com

Ning Zong
Huawei Technologies, Co. Ltd
Nanjing, China
EMail: zongning@huawei.com