In this study, we discover a new class of previously unknown side channels, "sequence-number-dependent" host packet counters, that exist in Linux/Android and BSD/Mac OS and enable TCP sequence number inference attacks. These counters allow a piece of unprivileged on-device malware to collaborate with an off-path attacker to infer the TCP sequence numbers used between a client and a server, leading to TCP injection and hijacking attacks. We show that the inference takes, in common cases, under a second to complete and is quick enough for attackers to inject malicious JavaScript into live Facebook sessions and to perform malicious actions on behalf of a victim user. Since supporting unprivileged access to global packet counters is an intentional design choice, we believe our findings provide important lessons and offer insights on future system and network design.