Saved in:
Bibliographic Details
Main Authors: Aubard, Lucas, Mazel, Johan, Guette, Gilles, Chifflier, Pierre
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2504.21618
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866908343975542784
author Aubard, Lucas
Mazel, Johan
Guette, Gilles
Chifflier, Pierre
author_facet Aubard, Lucas
Mazel, Johan
Guette, Gilles
Chifflier, Pierre
contents IPv4, IPv6, and TCP have a common mechanism allowing one to split an original data packet into several chunks. Such chunked packets may have overlapping data portions and, OS network stack implementations may reassemble these overlaps differently. A Network Intrusion Detection System (NIDS) that tries to reassemble a given flow data has to use the same reassembly policy as the monitored host OS; otherwise, the NIDS or the host may be subject to attack. In this paper, we provide several contributions that enable us to analyze NIDS resistance to overlapping data chunks-based attacks. First, we extend state-of-the-art insertion and evasion attack characterizations to address their limitations in an overlap-based context. Second, we propose a new way to model overlap types using Allen's interval algebra, a spatio-temporal reasoning. This new modeling allows us to formalize overlap test cases, which ensures exhaustiveness in overlap coverage and eases the reasoning about and use of reassembly policies. Third, we analyze the reassembly behavior of several OSes and NIDSes when processing the modeled overlap test cases. We show that 1) OS reassembly policies evolve over time and 2) all the tested NIDSes are (still) vulnerable to overlap-based evasion and insertion attacks.
format Preprint
id arxiv_https___arxiv_org_abs_2504_21618
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Overlapping data in network protocols: bridging OS and NIDS reassembly gap
Aubard, Lucas
Mazel, Johan
Guette, Gilles
Chifflier, Pierre
Cryptography and Security
IPv4, IPv6, and TCP have a common mechanism allowing one to split an original data packet into several chunks. Such chunked packets may have overlapping data portions and, OS network stack implementations may reassemble these overlaps differently. A Network Intrusion Detection System (NIDS) that tries to reassemble a given flow data has to use the same reassembly policy as the monitored host OS; otherwise, the NIDS or the host may be subject to attack. In this paper, we provide several contributions that enable us to analyze NIDS resistance to overlapping data chunks-based attacks. First, we extend state-of-the-art insertion and evasion attack characterizations to address their limitations in an overlap-based context. Second, we propose a new way to model overlap types using Allen's interval algebra, a spatio-temporal reasoning. This new modeling allows us to formalize overlap test cases, which ensures exhaustiveness in overlap coverage and eases the reasoning about and use of reassembly policies. Third, we analyze the reassembly behavior of several OSes and NIDSes when processing the modeled overlap test cases. We show that 1) OS reassembly policies evolve over time and 2) all the tested NIDSes are (still) vulnerable to overlap-based evasion and insertion attacks.
title Overlapping data in network protocols: bridging OS and NIDS reassembly gap
topic Cryptography and Security
url https://arxiv.org/abs/2504.21618