Finding Security Vulnerabilities in a Network Protocol Using Parameterized Systems

This paper presents a novel approach to automatically finding security vulnerabilities in the routing protocol OSPF – the most widely used protocol for Internet routing. We start by modeling OSPF on (concrete) networks with a fixed number of routers in a specific topology. By using the model checking tool CBMC, we found several simple, previously unpublished attacks on OSPF. In order to search for attacks in a family of networks with varied sizes and topologies, we define the concept of an abstract network which represents such a family. The abstract network A has the property that if there is an attack on A then there is a corresponding attack on each of the (concrete) networks represented by A. The attacks we have found on abstract networks reveal security vulnerabilities in the OSPF protocol, which can harm routing in huge networks with complex topologies. Finding such attacks directly on the huge networks is practically impossible. Abstraction is therefore essential. Further, abstraction enables showing that the attacks are general. That is, they are applicable in a large (even infinite) number of networks. This indicates that the attacks exploit fundamental vulnerabilities, which are applicable to many configurations of the network.