SIPPING

A portrait of Thomas Bayes sipping a pint of beer. The correct identification of this portrait has been questioned.<ref>Bayes' portrait</ref>

Abstract

SIPPING BAYES - A Session Initiation Protocol (SIP) investigation into "man-in-the-middle" attacks on a SIP User Agent (UA) and the usefulness of a naïve Bayes "SIP message" classifier.

The Session Initiation Protocol (SIP) is not an easy protocol to secure. RFC 3261 [1] identifies a few of the more common security risks found in most deployments of SIP. The risks associated with SIP are: "registration hijacking", "impersonation of server", "message body exploitation", "mid-session exploitation" and "susceptibility to DoS". We will investigate these vulnerabilities and implement key attacks for demonstration purposes.

Some of these exploits can be avoided by using a Peer-to-peer (P2P) architecture [2]. However, there are security risks inherent in P2P that need to be addressed. A survey of the current state of P2PSIP will be undertaken and these security issues will be examined.

Bayes' theorem has had many applications to Computer Science over the last ten years [3]. The final part of SIPPING BAYES will attempt to construct a naïve Bayes "SIP message" classifier.

[1] RFC 3261, SIP: Session Initiation Protocol. http://tools.ietf.org/html/rfc3261#section-26.1 (2001).

[2] Internet-Draft, Security Issues and Solutions in Peer-to-peer Systems for Realtime Communications. http://tools.ietf.org/html/draft-irtf-p2prg-rtc-security-05 (2009).

[3] M. Kanellos, 18th-century theory is new force in computing. http://news.cnet.com/Old-school-theory-is-a-new-force/2009-1001_3-984695.html (2003).

Introduction

Background and motivation

The Session Initiation Protocol (SIP) is an IETF RFC. That means it is a standard protocol agreed upon by a proportion of the Internet industry. Bayesian inference "is statistical inference in which evidence or observations are used to update or to newly infer the probability that a hypothesis may be true"<ref>Wikipedia</ref>. The aim of this project is to fuse these two subject areas into a single application to explore machine learning's usefulness in achieving a level of security, i.e. identifying classes of attacks and SPIT (SIP spam).

Theory

SIP

The Session Initiation Protocol (SIP) has been widely used on the Internet as a point-to-point signalling protocol for Voice over IP (VoIP). It begins, maintains and ends billions of calls each year. Initially, it was welcomed. In November 2000, just a year after becoming a ratified IETF RFC, it was accepted as a 3GPP signalling protocol and as a permanent element of the IP Multimedia Subsystem (IMS) architecture that has been engineered to enable future "fixed-mobile convergence" technology.

It is not as well known as its "inspiration", the Hypertext Transfer Protocol (HTTP). This could be due to the huge success of Skype, which uses a proprietary signalling protocol.

Protocol analysis

SIP is located in the application layer of the Internet stack and in the session layer of the OSI model.

Actors and network elements

User agents, proxies and servers make up the core SIP functional components. Servers can be in many forms, supplying different services such as acting as a registrar or providing redirection. In a Peer-to-peer architecture, servers are replaced by peers.

Basic SIP message exposition

 INVITE sip:bob@lon.ac.uk:5060;transport=udp SIP/2.0
 Call-ID: 9b63be1959e120fea01a1309559c79fd@lon.ac.uk
 CSeq: 1 INVITE
 From: "Alice" <sip:alice@lon.ac.uk:5060>;tag=SIPPING_DIALOGGER_CLIENT
 To: "Bob" <sip:bob@lon.ac.uk:5060>
 Via: SIP/2.0/UDP lon.ac.uk:5060;branch=z9hG4bK8955e90e3e6347f79f7835c2282a01a3
 Contact: "Alice" <sip:alice@lon.ac.uk:5060>
 Content-Length: 0
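
An added example, not part of the original page: a minimal Python parser and sanity check for the request shown above. Run on that INVITE it reports one finding, a missing Max-Forwards header, which RFC 3261 section 8.1.1 lists among the mandatory request headers. The function names are assumptions, and compact header forms and folded header lines are not handled.

```python
import re

# RFC 3261 section 8.1.1: header fields every valid SIP request must carry.
MANDATORY = ("to", "from", "cseq", "call-id", "max-forwards", "via")
MAGIC_COOKIE = "z9hG4bK"  # prefix of an RFC 3261 compliant Via branch

# The INVITE from this page, embedded as sample input with CRLF line endings.
SAMPLE_INVITE = "\r\n".join([
    'INVITE sip:bob@lon.ac.uk:5060;transport=udp SIP/2.0',
    'Call-ID: 9b63be1959e120fea01a1309559c79fd@lon.ac.uk',
    'CSeq: 1 INVITE',
    'From: "Alice" <sip:alice@lon.ac.uk:5060>;tag=SIPPING_DIALOGGER_CLIENT',
    'To: "Bob" <sip:bob@lon.ac.uk:5060>',
    'Via: SIP/2.0/UDP lon.ac.uk:5060;branch=z9hG4bK8955e90e3e6347f79f7835c2282a01a3',
    'Contact: "Alice" <sip:alice@lon.ac.uk:5060>',
    'Content-Length: 0',
    '', '',  # blank line that ends the header section; the body is empty
])

def parse_request(raw):
    """Split a SIP request into (method, uri, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.fullmatch(r"([A-Z]+) (\S+) SIP/2\.0", lines[0])
    if not m:
        raise ValueError("not a SIP/2.0 request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return m.group(1), m.group(2), headers, body

def validate_request(raw):
    """Return a list of findings; an empty list means every check passed."""
    method, _, headers, body = parse_request(raw)
    findings = ["missing " + h for h in MANDATORY if h not in headers]
    cseq = headers.get("cseq", [""])[0].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != method:
        findings.append("CSeq does not match request method")
    for via in headers.get("via", []):
        if not re.search(r";\s*branch=" + MAGIC_COOKIE, via):
            findings.append("Via branch lacks RFC 3261 magic cookie")
    declared = headers.get("content-length", [None])[0]
    if declared is not None and (
            not declared.isdigit() or int(declared) != len(body.encode())):
        findings.append("Content-Length does not match body")
    return findings
```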

Context, transactions and state machines

SIP uses a transactional model to allow user agents to associate state with individual SIP messages. Like HTTP, messages are either a request or a response. However, unlike HTTP, SIP requests can be sent asynchronously.

RFC 3261 specifies that a SIP stack implementation should use a finite state machine to model a transaction's lifespan. There are two categories of transaction: client and server. Within these two categories of transaction, the state machine chosen depends on which method the SIP message invokes (i.e. INVITE, ACK, REGISTER, etc.).

Dialog diagnosis

Despite the American spelling, a "dialog" is synonymous with a session (in VoIP terms, a call). Dialogs, if used in an implementation, provide an extra layer of context to SIP transactions.

Exemplar "stateful" SIP sequence

The diagram below depicts how two end-points interact using the two user agent roles UAC (client) and UAS (server).

                 UAC                            UAS
                  |          1. INVITE           |
                - |----------------------------->| -
       Client  /  |       2. TRYING (100)        |  \  Server
  Transaction {   |<-----------------------------|   } Transaction
               \  |         3. OK (200)          |  /
       UAC =====> |<-----------------------------| <===== UAS automatically 
    creates a new |                              | creates a new dialog 
  dialog (client) |                              | (server) when an OK  
 when it receives |                              | response is sent        
  an OK response, |           4. ACK             |        :
then sends an ACK |----------------------------->| ??? If no ACK is received
using this dialog |                              | within a certain timeframe
         :        |                              | the dialog is automatically
         ~        ~                              ~ popped off the UAS stack
         :        |           5. BYE             |        :
         :        |----------------------------->|        :
         :        |         6. OK (200)          |        :
 Dialog is =====> |<-----------------------------| <===== Dialog is terminated
  terminated when |                              | after OK response sent
response received
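
The UAS side of the sequence above as an added Python example, not code from the original page or its prototype: a dialog is created when the OK is sent, confirmed by the ACK, popped if no ACK arrives in time, and removed on BYE. The class and method names and the 32-second ACK timeout are assumptions; requests that match no stored dialog are answered with 481 (Call/Transaction Does Not Exist).

```python
ACK_TIMEOUT = 32.0  # seconds; assumed value for the diagram's "certain timeframe"


class UasDialogs:
    """UAS-side dialog table following the six-step sequence in the diagram."""

    def __init__(self):
        # Dialog ID per RFC 3261: Call-ID plus local and remote tags.
        self.dialogs = {}  # (call_id, local_tag, remote_tag) -> dict

    def send_ok_to_invite(self, call_id, local_tag, remote_tag, now):
        # Step 3: sending the 200 OK creates the server dialog, not yet ACKed.
        key = (call_id, local_tag, remote_tag)
        self.dialogs[key] = {"state": "awaiting_ack", "deadline": now + ACK_TIMEOUT}
        return key

    def receive(self, method, call_id, local_tag, remote_tag, now):
        """Handle an in-dialog request and return the status code to answer
        with (None for ACK, which never gets a response)."""
        self.reap(now)
        key = (call_id, local_tag, remote_tag)
        dialog = self.dialogs.get(key)
        if dialog is None:
            # Unknown Call-ID or wrong tags: refuse instead of acting on it.
            return None if method == "ACK" else 481
        if method == "ACK":  # step 4
            dialog["state"] = "confirmed"
            dialog["deadline"] = None
            return None
        if method == "BYE":  # steps 5 and 6
            del self.dialogs[key]
            return 200
        return 501  # other methods are outside this sketch

    def reap(self, now):
        """Pop dialogs whose ACK never arrived; return the keys removed."""
        expired = [k for k, d in self.dialogs.items()
                   if d["state"] == "awaiting_ack" and now >= d["deadline"]]
        for key in expired:
            del self.dialogs[key]
        return expired
```

Matching the Call-ID and tags is a consistency check only; the values travel in clear text in the message, so it does not authenticate the sender.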

Architectures

Client/server
Peer-to-peer

Security

This section plans to examine the end-to-end integrity of a standards-based deployment of SIP.

Interactive Connectivity Establishment (ICE)

Bayesian inference

Reverend Thomas Bayes

Bayes' theorem

Naïve Bayes classifier

SIPPING BAYES

Prototype implementation

Image:Dialogger.png

Testing

Results

Conclusion

References
