Pryde: A Modular Generalizable Workflow for Uncovering Evasion Attacks Against Stateful Firewall Deployments

Soo-jin Moon, Milind Srivastava, Yves Bieri, Ruben Martins, Vyas Sekar

IEEE Symposium on Security and Privacy 2024 · Day 3 · Continental Ballroom 4

In the realm of network security, **stateful firewall deployments** are a cornerstone, designed to protect internal networks from external threats by enforcing strict access policies. However, as presented by Milind Srivastava and his co-authors in their IEEE S&P talk, these critical defenses are susceptible to **evasion attacks** stemming from subtle, often overlooked bugs within their complex packet processing logic. The talk introduces Pryde, a novel, black-box framework engineered to systematically discover these elusive evasion attacks, providing a much-needed capability for both network operators and firewall vendors.

AI review

Pryde introduces a groundbreaking black-box framework for systematically uncovering elusive evasion attacks against stateful firewalls. Its novel modular, deployment-aware, and model-guided workflow successfully identifies critical vulnerabilities in commercial products, revealing idiosyncratic firewall behaviors and offering actionable insights for vendors and operators. This research sets a new standard for rigorous firewall security validation.
