Formal Black-Box Analysis of Routing Protocol Implementations

The Internet infrastructure relies entirely on open standards for its routing protocols. However, the overwhelming majority of routers on the Internet are proprietary and closed-source. Hence, there is no straightforward way to analyze them. Specifically, one cannot easily and systematically identify deviations of a router’s routing functionality from the routing protocol’s standard. Such deviations (either deliberate or inadvertent) are particularly important to identify since they present non-standard functionalities which have not been openly and rigorously analyzed by the security community. Therefore, these deviations may degrade the security or resiliency of the network. A model-based testing procedure is a technique that allows to systematically generate tests based on a model of the system to be tested; thereby finding deviations in the system compared to the model. However, applying such an approach to a complex multi-party routing protocol requires a prohibitively high number of tests to cover the desired functionality. We propose efficient and practical optimizations to the model-based testing procedure that are tailored to the analysis of routing protocols. These optimizations mitigate the scalability issues and allow to devise a formal black-box method to unearth deviations in closed-source routing protocols’ implementations. The method relies only on the ability to test the targeted protocol implementation and observe its output. Identification of the deviations is fully automatic. We evaluate our method against one of the complex and widely used routing protocols on the Internet – OSPF. We search for deviations in the OSPF implementation of Cisco. Our evaluation identified numerous significant deviations that can be abused to compromise the security of a network. The deviations were confirmed by Cisco. We further employed our method to analyze the OSPF implementation of the Quagga Routing Suite – a popular open source routing software. The analysis revealed one significant deviation. Subsequent to the disclosure of the deviations some of them were also identified by IBM, Lenovo and Huawei in their own products.