Network side channels have emerged as a notable threat vector in computer security, often bypassing conventional safeguards because of their elusive nature. In such attacks, the attacker exploits unintentionally leaked, indirectly observable information to infer a confidential secret held by the victim. This research delves into the intricacies of these attacks, with an emphasis on DNS systems. While the vulnerabilities posed by TCP side channels have been somewhat explored, this thesis unveils the broader spectrum, with particular emphasis on UDP and ICMP side channels. The discovered flaws, rooted in temporally and spatially shared resources, lead to potent DNS cache poisoning attacks by effectively circumventing ephemeral port randomization, which remains the principal defense against Dan Kaminsky's attack, rendering large portions of the Internet's open resolvers vulnerable. Specifically, 34% of these, including popular public resolvers such as Quad9, were found vulnerable.
Given these revelations, the pressing need for a robust, universal and automated detection tool became evident. Addressing this, the research introduces SACD, an automated tool built upon a novel methodology termed under-constrained dynamic symbolic execution. SACD identifies violations of the non-interference property, recognized as the underpinning of network side channels. Without relying on comprehensive prior modeling or domain knowledge, SACD scrutinizes multiple TCP and UDP implementations in Linux, FreeBSD and lwIP, discovering 14 network side channels, including seven previously undetected ones, at a false positive rate of 17.6%. The results reveal serious vulnerabilities, including ones that compromise the previously patched Linux and FreeBSD kernels, making them susceptible to SADDNS attacks or off-path TCP exploits once again.
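To make the non-interference property concrete, the following toy model is an added illustration written for this page; it is not SACD, not the thesis's code, and it does not reproduce any real kernel logic. It models a protocol handler whose reply path draws on a rate-limit budget, and it checks non-interference in the simplest possible way: run the same public input against two different values of a secret and see whether the publicly observable result differs. Two budget policies are compared, a global budget shared by all peers (a temporally shared resource of the kind the abstract describes) and a per-peer budget (the hardened variant). The classes, the `secret` bit, the peer names and the budget sizes are all constructed assumptions; the exhaustive sweep over trace lengths is a stand-in for the path exploration that symbolic execution performs, not an implementation of it.

```python
"""Toy non-interference check for a shared-resource side channel.

Constructed illustration, not code from the thesis or from SACD.
Non-interference: for identical public inputs, the public output must not
depend on the secret.  A difference is evidence of a side channel.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class GlobalRateLimiter:
    """One budget shared by every peer: the 'vulnerable' policy (assumed)."""
    budget: int

    def take(self, peer: str) -> bool:
        if self.budget > 0:
            self.budget -= 1
            return True
        return False


@dataclass
class PerPeerRateLimiter:
    """Budget tracked separately per peer: the 'hardened' policy (assumed)."""
    budget: int
    _remaining: dict = field(default_factory=dict)

    def take(self, peer: str) -> bool:
        left = self._remaining.get(peer, self.budget)
        if left > 0:
            self._remaining[peer] = left - 1
            return True
        return False


def run_trace(secret: bool, limiter, n_internal: int) -> int:
    """One trace of the modelled handler.

    Secret-dependent activity: when `secret` is set, the handler emits
    `n_internal` replies to some other peer, each drawing on the limiter.
    The observer cannot see those replies.  The public output is whether
    the observer's own request (always on the reply path) gets a reply.
    """
    if secret:
        for _ in range(n_internal):
            limiter.take("other-peer")
    return int(limiter.take("observer"))


def violates_noninterference(make_limiter: Callable[[int], object],
                             budget: int, n_internal: int) -> bool:
    """Same public input, two secret values; differing outputs = violation."""
    out_secret_0 = run_trace(False, make_limiter(budget), n_internal)
    out_secret_1 = run_trace(True, make_limiter(budget), n_internal)
    return out_secret_0 != out_secret_1


def find_distinguishing_trace(make_limiter: Callable[[int], object],
                              budget: int, max_internal: int) -> Optional[int]:
    """Sweep trace lengths; return the smallest one that leaks, or None.

    A single trace can miss a violation (too little activity to exhaust the
    budget), which is why detection must explore many inputs rather than one.
    """
    for n in range(max_internal + 1):
        if violates_noninterference(make_limiter, budget, n):
            return n
    return None


if __name__ == "__main__":
    print("global :", find_distinguishing_trace(GlobalRateLimiter, 3, 6))
    print("per-peer:", find_distinguishing_trace(PerPeerRateLimiter, 3, 6))
```

With a global budget of 3, a trace with fewer than 3 secret-dependent replies leaves a token for the observer under both secret values, so that single trace shows no violation; at 3 the budget is exhausted only when the secret is set, and the observer's reply disappears. The per-peer policy never exposes the secret, because the observer's budget is independent of the other peer's activity. The sweep makes the point that non-interference must be checked across the input space, not on one hand-picked trace.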
Collectively, this thesis aims to deepen our understanding of network side channels, paving the way for stronger defenses in computer network security.