@article{mirdita2026rpki,
  author = {Mirdita, Donika and Schulmann, Haya and Waidner, Michael},
  journal = {IEEE Transactions on Dependable and Secure Computing},
  title = {All That Glitters Is Not Gold: RPKI’s Stumbling Speedrun To The Top},
  year = {2026},
  volume = {},
  number = {},
  pages = {1-12},
  abstract = {The democratization of access has transformed the Internet into the primary platform for social interaction and economic activity. The COVID-19 pandemic significantly accelerated the digitalization of services, finance and communication. As critical infrastructure increasingly moves online, routing security is becoming a national security concern. U.S. regulatory bodies were the first to sound the alarm by formally recognizing the urgency of Internet routing security and calling for nationwide adoption of security protocols. The Resource Public Key Infrastructure (RPKI) protocol is already the leading standard for protecting Internet routing from hijacking attacks and route leaks. However, RPKI is not secure by design. Research on its security guarantees has shown that despite the minimal public facing interfaces, the software implementations are not only rife with issues, but the nature of these issues is such that they can be easily triggered and disconnect the RPKI security framework from Internet routing, thus severely downgrading RPKI protection benefits. In this work, we evaluate the security properties of RPKI, analyze its attack surface, the required attacker capabilities to launch them, and their consequences on global routing security. We propose that RPKI requires fundamental changes and improvements to mitigate its vulnerabilities, and become robust enough to withstand the eye of the storm.},
  keywords = {Security;Routing;Internet;Software;Border Gateway Protocol;Routing protocols;Standards;Proposals;Robustness;Protection},
  doi = {10.1109/TDSC.2026.3655083},
  issn = {1941-0018},
  month = {}
}

@inproceedings{schulmann2026pruning,
  author = {Haya Schulmann and Niklas Vogel},
  title = {Pruning the Tree: Rethinking RPKI Architecture From The Ground Up},
  address = {San Diego, California, USA},
  publisher = {The Internet Society},
  year = {2026},
  url = {https://arxiv.org/abs/2507.01465/},
  abstract = {Resource Public Key Infrastructure (RPKI) is a critical security mechanism for BGP, but the complexity of its architecture is a growing concern as its adoption scales. Current RPKI design heavily reuses legacy PKI components, such as X.509 EE-certificates, ASN.1 encoding, and XML-based repository protocols, which introduce excessive cryptographic validation, redundant metadata, and inefficiencies in both storage and processing. We show that these design choices, although based on established standards, create significant performance bottlenecks, increase the vulnerability surface, and hinder scalability for wide-scale Internet deployment.
In this paper, we perform the first systematic analysis of the root causes of complexity in RPKI's design and experimentally quantify their real-world impact. We show that over 70% of validation time in RPKI relying parties is spent on certificate parsing and signature verification, much of it unnecessary. Building on this insight, we introduce the improved RPKI (iRPKI), a backwards-compatible redesign that preserves all security guarantees while substantially reducing protocol overhead. iRPKI eliminates EE-certificates and ROA signatures, merges revocation and integrity objects, replaces verbose encodings with Protobuf, and restructures repository metadata for more efficient access. We experimentally demonstrate that our implementation of iRPKI in the Routinator validator achieves a 20x speed-up of processing time, 18x improvement of bandwidth requirements and 8x reduction in cache memory footprint, while also eliminating classes of vulnerabilities that have led to at least 10 vulnerabilities in RPKI software. iRPKI significantly increases the feasibility of deploying RPKI at scale in the Internet, and especially in constrained environments. Our design may be deployed incrementally without impacting existing operations. },
  series = {NDSS 2026}
}

@inproceedings{schulmann2025stopprodtesting,
  author = {Tobias Kirsch and Haya Schulmann and Niklas Vogel},
  title = {Demo: Stopping Production Testing: A Graphical RPKI Test-Suite},
  year = {2025},
  isbn = {9798400715259},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3719027.3760705},
  doi = {10.1145/3719027.3760705},
  abstract = {The Resource Public Key Infrastructure (RPKI) is increasingly protecting global BGP routing and major players are pushing for wide-scale adoption. RPKI protection relies on correct publication and validity of RPKI objects: If a prefix has no valid covering RPKI object, e.g., because the object is invalid or expired, the prefix is not protected from hijacks. At the same time, ASes that issue RPKI objects lack any feedback whether their objects are considered valid by all RPKI validation software. This lack of feedback has repeatedly led to operational issues, and problems with object validity are persistent to this day. Oftentimes, issues with objects are only detected in production, after they have caused damage to routing. A prominent example of this is an issue with Amazon objects in 2023 that left 6000 of its prefixes open to hijack in any AS using a specific RPKI validator software implementation. In this work, we present a novel RPKI toolsuite that allows for comprehensive testing of RPKI objects, enabling operators to detect issues in their object configurations before production use. For this, our tool allows parsing arbitrary DER/base64 encoded objects, editing their content and structure, and live-testing them against all current RPKI validator implementations to probe for inconsistent validation results, errors, and even vulnerabilities. Our work provides an important foundation to ensure RPKI resilience against misconfigurations and facilitates future research into RPKI security. We make our tool open-source and provide a hosted web application to enable usage by the community.},
  booktitle = {Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security},
  pages = {4722--4723},
  numpages = {2},
  keywords = {asn1, cure, rpki, x.509},
  location = {Taipei, Taiwan},
  series = {CCS '25}
}

@inproceedings{schulmann2025algoagility,
  author = {Katharina Miesch and Haya Schulmann and Niklas Vogel},
  title = {Poster: The Rocky Road Towards RPKI Algorithm Agility},
  year = {2025},
  isbn = {9798400715259},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3719027.3760719},
  doi = {10.1145/3719027.3760719},
  abstract = {The Resource Public Key Infrastructure (RPKI) already protects around 50% of announced BGP prefixes, and around 28% of systems enforce RPKI validity in routing. RPKI binds ownership of prefixes to public keys inside certificates, which are signed by the respective issuer. For signatures and keys, RPKI currently exclusively supports RSA-2048, forbidding other algorithms and key sizes. In this work, we practically show that RPKI efficiency could significantly benefit from algorithm agility, allowing for smaller more efficient algorithms like Elliptic Curve Cryptography (ECC). We further illustrate that current plans for shifting algorithms, which will eventually become necessary to shift towards quantum-secure algorithms, are infeasible due to bandwidth limitations, validation overhead, and issues with patch management. From our observations, we derive a new agility procedure that uses separate repository versions additional to two separate trees (a mixed tree and a legacy tree) to enable incremental deployment of a new algorithm. In contrast to existing approaches, our procedure provides benefits also for early adopters, facilitating deployment.},
  booktitle = {Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security},
  pages = {4767--4769},
  numpages = {3},
  keywords = {algorithm migration, bgp, mixed tree, rpki},
  location = {Taipei, Taiwan},
  series = {CCS '25}
}

@inproceedings{schulmann2025repositories,
  author = {Haya Schulmann and Niklas Vogel},
  title = {Poster: We must talk about RPKI Repositories},
  year = {2025},
  isbn = {9798400715259},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3719027.3760715},
  doi = {10.1145/3719027.3760715},
  abstract = {The Resource Public Key Infrastructure (RPKI) increasingly protects global routing against attacks. RPKI protection builds on the security and availability of RPKI objects, which are stored in public RPKI repositories. Despite their critical role, not much is known about the technical specifics of these repositories. Which implementations do they use? Is the software maintained and secure? Which vulnerabilities persist? Answering these questions is essential to evaluate security and resilience of current RPKI architecture. In this work, we develop the first methods for fingerprinting RPKI repositories based on RPKI specification, using undefined implementation-specifics like arbitrary element order or naming conventions as fingerprinting metrics. We evaluate our methodology on all current production RPKI repositories and identify 7 different deployed implementations. We find implementations diversity, especially for large providers, but also identify that most repositories (56%) use the same software, Krill. Fingerprinting shows that most deployed software (71%) is vulnerable to attacks, and 4 repositories use software deprecated over 7 years ago. Our work is not only an important step towards a complete view of RPKI ecosystem security, but it also shows that specification analysis serves as a powerful basis for fingerprinting.},
  booktitle = {Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security},
  pages = {4755--4757},
  numpages = {3},
  keywords = {fingerprinting, pp, rpki},
  location = {Taipei, Taiwan},
  series = {CCS '25}
}

@inproceedings{schulmann2025rpkilandscape,
  author = {Donika Mirdita and Haya Schulmann and Michael Waidner},
  title = {Poster: Exploring the Landscape of RPKI Relying Parties},
  year = {2025},
  isbn = {9798400715259},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3719027.3760721},
  doi = {10.1145/3719027.3760721},
  abstract = {The Resource Public Key Infrastructure (RPKI) is the most successful routing defense mechanism currently deployed throughout critical Internet infrastructures around the world. According to recent works, RPKI deployment boasts over 55% global prefix resource coverage, and at least 27% global protocol enforcement; all this success over a short period of time. In this work, we investigate for the first time deployment trends of the Relying Party (RP), the RPKI component responsible for collecting and enforcing RPKI on routers. We map RP locations, deployment parameters, vulnerability distributions, and describe the evolution of deployment trends over two measurement periods three years apart. Through this exploratory analysis, we map global patterns and the preferred deployment configurations by network operators. We observe how within three years, RP traffic increased by 45%, while 89% of traffic stems from one software type. Our measurements show a strong preference by operators to self-host, coupled with inadequate rates of RP vulnerability mitigation.},
  booktitle = {Proceedings of the 2025 ACM SIGSAC Conference on Computer and Communications Security},
  pages = {4773--4775},
  numpages = {3},
  keywords = {bgp, relying party, rpki},
  location = {Taipei, Taiwan},
  series = {CCS '25}
}

@inproceedings{schulmann2025stealth,
  author = {Haya Schulmann and Shujie Zhao},
  title = {Stealth BGP Hijacks with uRPF Filtering},
  booktitle = {19th USENIX WOOT Conference on Offensive Technologies (WOOT 25)},
  year = {2025},
  isbn = {978-1-939133-50-2},
  address = {Seattle, WA, USA},
  pages = {129--138},
  url = {https://www.usenix.org/conference/woot25/presentation/schulmann},
  publisher = {USENIX Association},
  abstract = {Unicast Reverse Path Forwarding (uRPF) is the primary and the standard Source Address Validation (SAV) mechanism to combat IP spoofing and mitigate Denial-of-Service (DoS) and other attacks. However, in this study, we reveal a critical and previously unexplored vulnerability in uRPF that adversaries can stealthily exploit through Border Gateway Protocol (BGP) hijacking. We introduce Stealthy BGP Attack against uRPF (SBA-uRPF), a novel attack vector that leverages prefix hijacking to manipulate uRPF filtering decisions, resulting in the unintended blocking of legitimate traffic and the facilitation of persistent DoS attacks. Due to its hidden nature, SBA-uRPF attacks could pose a significant and persistent security risk.

Through extensive simulation-based analysis, we demonstrate that 99.3% of networks are vulnerable to SBA-uRPF under a full deployment of uRPF, with a potential maximum impact affecting over 59,115 networks (76.3%). Unlike conventional BGP hijacks, which often result in noticeable routing anomalies, SBA-uRPF remains undetectable to the affected networks, making it a particularly dangerous threat. The attack exploits BGP routing loop prevention and customer-preferred routing policies to induce widespread traffic blackholing of victim networks. We show that adversaries can also target fundamental Internet systems, such as DNS, or Internet services, like the web.

Our findings reveal a fundamental weakness in the global routing ecosystem, where a security mechanism designed to prevent attacks can be subverted and turned into an attack vector. We discuss countermeasures, including improvements to BGP security mechanisms such as Route Origin Validation (ROV) and BGPsec. We also consider the challenges in mitigating SBA-uRPF in real-world deployments, and the need for more comprehensive approaches, including solutions involving deployment strategies for uRPF.

Our code and datasets are available at https://github.com/zsjstart/Stealthy-uRPF-Attack/tree/v1.1.0.},
  month = {August}
}

@article{mirdita2025sok,
  author = {Donika Mirdita and Haya Schulmann and Michael Waidner},
  title = {SoK: An Introspective Analysis of RPKI Security},
  booktitle = {34th USENIX Security Symposium (USENIX Security 25)},
  year = {2025},
  isbn = {978-1-939133-52-6},
  address = {Seattle, WA, USA},
  pages = {3649--3665},
  url = {https://www.usenix.org/conference/usenixsecurity25/presentation/mirdita},
  publisher = {USENIX Association},
  abstract = {The Resource Public Key Infrastructure (RPKI) is the main mechanism to protect inter-domain routing with BGP from prefix hijacks. It has already been widely deployed by large providers and the adoption rate is getting to a critical point. Almost half of all the global prefixes are now covered by RPKI and measurements show that 27% of networks are already using RPKI to validate BGP announcements. Over the past 10 years, there has been much research effort in RPKI, analyzing different facets of the protocol, such as software vulnerabilities, robustness of the infrastructure or the proliferation of RPKI validation. In this work, we compile the first systemic overview of the vulnerabilities and misconfigurations in RPKI and quantify the security landscape of the global RPKI deployments based on our measurements and analysis. Our study discovers that 56% of the global RPKI validators suffer from at least one documented vulnerability. We also do a systematization of knowledge for existing RPKI security research and complement the existing knowledge with novel measurements in which we discover new trends in availability of RPKI repositories, and their communication patterns with the RPKI validators. We weave together the results of existing research and our study, to provide a comprehensive tableau of vulnerabilities, their sources, and to derive future research paths necessary to prepare RPKI for full global deployment.},
  month = {August}
}

@inproceedings{friess2025validator,
  author = {Jens Frie\ss and Haya Schulmann and Michael Waidner},
  title = {ValidaTor: Domain Validation over Tor},
  booktitle = {22nd USENIX Symposium on Networked Systems Design and Implementation (NSDI 25)},
  year = {2025},
  isbn = {978-1-939133-46-5},
  address = {Philadelphia, PA, USA},
  pages = {1367--1380},
  url = {https://www.usenix.org/conference/nsdi25/presentation/friess},
  publisher = {USENIX Association},
  abstract = {Domain Validation (DV) is the primary method used by Certificate Authorities (CAs) to confirm administrative control over a domain before issuing digital certificates. Despite its widespread use, DV is vulnerable to various attacks, prompting the adoption of multiple vantage points to enhance security, such as the state of the art DV mechanism supported by Let’s Encrypt. However, even distributed static vantage points remain susceptible to targeted attacks. In this paper we introduce ValidaTor, an HTTP-based domain validation system that leverages the Tor network to create a distributed and unpredictable set of validators. By utilizing Tor’s exit nodes, ValidaTor significantly increases the pool of available validators, providing high path diversity and resilience against strong adversaries. Our empirical evaluations demonstrate that ValidaTor can achieve the validation throughput of a commercial CA and has the potential to scale to a validation volume comparable to Let’s Encrypt, while using minimal dedicated infrastructure and only a small fraction (~0.1%) of Tor’s available bandwidth. While unpredictable selection of validators makes ValidaTor fully resistant to targeted attacks on validators, we also show the use of Tor nodes improves path diversity and thereby the resilience of DV to subversion by well-positioned ASes, reducing the number of Autonomous Systems (ASes) capable of issuing fraudulent certificates by up to 27% compared to Let’s Encrypt. Lastly, we show that the chance of subversion by malicious, colluding exit nodes is negligible (≤ 1% even with a quarter of existing exit nodes). We make the code of ValidaTor as well as the datasets and measurements publicly available for use, reproduction, and future research.},
  month = {April}
}

@inproceedings{schulmann2025learning,
  author = {Haya Schulmann and Shujie Zhao},
  title = {Learning to Identify Conflicts in RPKI},
  year = {2025},
  isbn = {9798400714108},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3708821.3710833},
  doi = {10.1145/3708821.3710833},
  abstract = {The long history of misconfigurations and errors in RPKI indicates that they cannot be easily avoided and will most probably persist also in the future. These errors create conflicts between BGP announcements and their covering ROAs, causing the RPKI validation to result in status invalid. Networks that enforce RPKI filtering with Route Origin Validation (ROV) would block such conflicting BGP announcements and as a result lose traffic from the corresponding origins. Since the business incentives of networks are tightly coupled with the traffic they relay, filtering legitimate traffic leads to a loss of revenue, reducing the motivation to filter invalid announcements with ROV.In this work, we introduce a new mechanism, LOV, designed for whitelisting benign conflicts on an Internet scale. The resulting whitelist is made available to RPKI supporting ASes to avoid filtering RPKI-invalid but benign routes. Saving legitimate traffic resolves one main obstacle towards RPKI deployment. We measure live BGP updates using LOV during a period of half a year and whitelist 52,846 routes with benign origin errors.},
  booktitle = {Proceedings of the 20th ACM Asia Conference on Computer and Communications Security},
  pages = {1490--1505},
  numpages = {16},
  keywords = {RPKI, ROV, BGP, Routing, Hijacks, Benign conflicts},
  location = {Hanoi, Vietnam},
  series = {ASIA CCS '25}
}

@article{schulmann2024cybernation,
  author = {Haya Schulmann and Michael Waidner},
  title = {Wie Deutschland zur Cybernation wird},
  journal = {Datenschutz und Datensicherheit},
  volume = {48},
  number = {1},
  pages = {11--15},
  year = {2024},
  month = {August},
  url = {https://doi.org/10.1007/s11623-023-1806-9},
  doi = {10.1007/S11623-023-1806-9},
  abstract = {Die Voraussetzungen für Innovationen in der Cybersicherheit sind, weltweit betrachtet, hervorragend. Der Bedarf ist hoch, es gibt viel Forschung und Entwicklung. Der Cybersicherheitsmarkt wächst mit über 13% deutlich schneller als der IT-Markt insgesamt. In der Cybersicherheitsforschung ist Deutschland gut aufgestellt, im internationalen Cybersicherheitsmarkt spielt Deutschland aber keine vergleichbar führende Rolle. Was hindert uns daran, zu den Innovationsführern USA und Israel aufzuschließen?}
}

@article{schulmann2024zpredict,
  author = {Haya Schulmann and Shujie Zhao},
  title = {ZPredict: ML-Based IPID Side-channel Measurements},
  year = {2024},
  issue_date = {November 2024},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  volume = {27},
  number = {4},
  issn = {2471-2566},
  url = {https://doi.org/10.1145/3672560},
  doi = {10.1145/3672560},
  abstract = {Network reconnaissance and measurements play a central role in improving Internet security and are important for understanding the current deployments and trends. Such measurements often require coordination with the measured target. This limits the scalability and the coverage of the existing proposals. IP Identification (IPID) provides a side channel for remote measurements without requiring the targets to install agents or visit the measurement infrastructure. However, current IPID-based techniques have technical limitations due to their reliance on the idealistic assumption of stable IPID changes or prior knowledge, making them challenging to adopt for practical measurements. In this work, we aim to tackle the limitations of existing techniques by introducing a novel approach: predictive analysis of IPID counter behavior. This involves utilizing a machine learning (ML) model to understand the historical patterns of IPID counter changes and predict future IPID values. To validate our approach, we implement six ML models and evaluate them on realistic IPID data collected from 4,698 Internet sources. Our evaluations demonstrate that among the six models, the Gaussian Process (GP) model has superior accuracy in tracking and predicting IPID values. Using the GP-based predictive analysis, we implement a tool, called ZPredict, to infer various favorable information about target networks or servers. Our evaluation on a large dataset of public servers demonstrates its effectiveness in idle port scanning, measuring Russian censorship, and inferring Source Address Validation. Our study methodology is ethical and was developed to mitigate any potential harm, taking into account the concerns associated with measurements.},
  journal = {ACM Trans. Priv. Secur.},
  month = {September},
  articleno = {28},
  numpages = {33},
  keywords = {Network measurement, IPID side channel, machine learning}
}

@inproceedings{heftrig2024fixes,
  author = {Elias Heftrig and Haya Schulmann and Niklas Vogel and Michael Waidner},
  title = {Protocol Fixes for KeyTrap Vulnerabilities},
  year = {2024},
  isbn = {9798400707230},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3673422.3674902},
  doi = {10.1145/3673422.3674902},
  abstract = {The security and availability of DNS are of major concern for many critical Internet services. Recently, KeyTrap algorithmic complexity Denial of Service attacks were demonstrated against DNSSEC-validating DNS resolvers [6]. The attacks exploit the validation complexity in DNSSEC to stall DNS resolvers, some for as long as 16h with just a single DNS response. Although short term patches were immediately implemented by the vendors, the attack can still produce a heavy load in some patched DNS resolvers.This work proposes new protocol-level mitigations for the KeyTrap vulnerabilities, using a new DNSSEC record that outlaws keytag collisions while ensuring backward compatibility. Further, this work raises the question of how much RFCs could and should dictate implementation-level limits to prevent DoS through complex validation routines. With our discussions, we aim to provide a solid foundation to improve the DNSSEC standard, mitigating KeyTrap and providing more robust recommendations for DNS implementations in the future.},
  booktitle = {Proceedings of the 2024 Applied Networking Research Workshop},
  pages = {74--80},
  numpages = {7},
  location = {Vancouver, AA, Canada},
  series = {ANRW '24}
}

@inproceedings{gelernter2024external,
  author = {Nethanel Gelernter and Haya Schulmann and Michael Waidner},
  editor = {Jianying Zhou and Tony Q. S. Quek and Debin Gao and Alvaro A. C'ardenas},
  title = {External Attack-Surface of Modern Organizations},
  year = {2024},
  isbn = {9798400704826},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3634737.3656295},
  doi = {10.1145/3634737.3656295},
  abstract = {Navigating the maze of contemporary organizational attack surfaces is paramount in fortifying our defenses against the relentless tide of cyber incidents. However, existing network reconnaissance and security measurements, which enumerate IP addresses or scan popular domains searching for vulnerabilities, capture only a fragmented view of the risk landscape, neglecting the nuanced reality of modern organizational assets. We experimentally show that such scans miss out on most assets of large organizations since they do not consider the increasingly complex IT architectures.We perform the first security analysis of the external attack surface of the 100-top enterprises in Europe. We discover the digital assets belonging to the enterprises and analyze the security of the services per 3 attack surface areas: (1) self-hosted on on-premises, (2) the services hosted on cloud, and (3) the services outsourced to external providers. The last one is usually shadowed under the traditional on-premises and the modern Cloud and has not been studied or compared to them. Our analysis shows that it is a large and significant part of the digital footprint of enterprises. In general, our analysis shows that organizations in different sectors have distinct IT architectures and are built differently, as a result, the security issues vary across the sectors. More importantly, for each sector, the security issues in each of the 3 areas differ from each other. This demonstrates the need for a more granular approach when analyzing organizations.Based on our findings, we provide recommendations per sector per area. We also initiated a disclosure campaign notifying the enterprises of the identified vulnerabilities.},
  booktitle = {Proceedings of the 19th ACM Asia Conference on Computer and Communications Security},
  pages = {589--604},
  numpages = {16},
  keywords = {cloud, on-premise, security study, vulnerability scans},
  location = {Singapore, Singapore},
  series = {ASIA CCS '24}
}

@inproceedings{friess2024byzrp,
  author = {Jens Frie\ss and Donika Mirdita and Haya Schulmann and Michael Waidner},
  editor = {Bo Luo and Xiaojing Liao and Jun Xu and Engin Kirda and David Lie},
  title = {Byzantine-Secure Relying Party for Resilient RPKI},
  year = {2024},
  isbn = {9798400706363},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3658644.3690368},
  doi = {10.1145/3658644.3690368},
  abstract = {BGP is a gaping hole in Internet security, as evidenced by numerous hijacks and outages. The significance of BGP for stability and security of the Internet has made it a top priority on the cyber security agenda of the US government, with CISA, FCC, and other federal agencies leading the efforts.To protect against prefix hijacks, Resource Public Key Infrastructure (RPKI) has been standardized. Yet, RPKI validation is still not widely supported. To enjoy the security guarantees of RPKI, networks need to install a new component, the Relying Party validator, which fetches and validates RPKI objects and provides them to border routers. However, research showed that Relying Parties experience failures when retrieving RPKI objects and are vulnerable to a range of attacks, all of which can disable RPKI validation. Therefore, even the few adopters are not necessarily secure.We propose a Byzantine-secure Relying Party functionality, we call ByzRP, and show that it significantly improves the resilience and security of RPKI validation. With ByzRP, Relying Party nodes redundantly validate RPKI objects and reach a global consensus through a voting process. ByzRP removes the need for networks to install, operate, and upgrade their own Relying Party instances on the one hand, and does not require to trust the individual operators of ByzRP nodes on the other hand.We show through simulations and experimental evaluations that ByzRP, as an intermediate RPKI service, reduces the load on RPKI publication points and produces a robust output, despite RPKI repository failures, jitters, and attacks. We engineer ByzRP to be fully backward compatible and readily deployable - it does not require any changes to border routers and RPKI repositories. We demonstrate that ByzRP can protect networks transparently, either with a decentralized or a centralized deployment and it enables users to independently verify the correctness of its operation.},
  booktitle = {Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security},
  pages = {49--63},
  numpages = {15},
  keywords = {bgp, byzantine security, rpki},
  location = {Salt Lake City, UT, USA},
  series = {CCS '24}
}

@inproceedings{heftrig2024keytrap,
  author = {Elias Heftrig and Haya Schulmann and Niklas Vogel and Michael Waidner},
  editor = {Bo Luo and Xiaojing Liao and Jun Xu and Engin Kirda and David Lie},
  title = {The Harder You Try, The Harder You Fail: The KeyTrap Denial-of-Service Algorithmic Complexity Attacks on DNSSEC},
  year = {2024},
  isbn = {9798400706363},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3658644.3670389},
  doi = {10.1145/3658644.3670389},
  abstract = {Availability is a major concern in the design of DNSSEC. To ensure availability, DNSSEC follows Postel's Law [RFC1123]: "Be liberal in what you accept, and conservative in what you send." Hence, nameservers should send not just one matching key for a record set, but all the relevant cryptographic material, e.g., all the keys for all the ciphers that they support and all the corresponding signatures. This ensures that validation succeeds, and hence availability, even if some of the DNSSEC keys are misconfigured, incorrect or correspond to unsupported ciphers.We show that this design of DNSSEC is flawed. Exploiting vulnerable recommendations in the DNSSEC standards, we develop a new class of DNSSEC-based algorithmic complexity attacks on DNS, we dub KeyTrap attacks. All popular DNS implementations and services are vulnerable. With just a single DNS packet, the KeyTrap attacks lead to a 2.000.000x spike in CPU instruction count in vulnerable DNS resolvers, stalling some for as long as 16 hours. This devastating effect prompted major DNS vendors to refer to KeyTrap as "the worst attack on DNS ever discovered". Exploiting KeyTrap, an attacker could effectively disable Internet access in any system utilizing a DNSSEC-validating resolver.We disclosed KeyTrap to vendors and operators on November 2, 2023, confidentially reporting the vulnerabilities to a closed group of DNS experts, operators and developers from the industry. Since then we have been working with all major vendors to mitigate KeyTrap, repeatedly discovering and assisting in closing weaknesses in proposed patches. Following our disclosure, the industry-wide umbrella CVE-2023-50387 has been assigned, covering the DNSSEC protocol vulnerabilities we present in this work.},
  booktitle = {Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security},
  pages = {497--510},
  numpages = {14},
  keywords = {DNS, DNSSEC, denial-of-service attack},
  location = {Salt Lake City, UT, USA},
  series = {CCS '24}
}

@inproceedings{cattepoel2024krill,
  author = {Louis Cattepoel and Donika Mirdita and Haya Schulmann and Michael Waidner},
  editor = {Bo Luo and Xiaojing Liao and Jun Xu and Engin Kirda and David Lie},
  title = {Poster: Kill Krill or Proxy RPKI},
  year = {2024},
  isbn = {9798400706363},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3658644.3691390},
  doi = {10.1145/3658644.3691390},
  abstract = {Resource Public Key Infrastructure (RPKI), designed to protect Internet routing from hijacks, is gaining traction: over 50% of prefixes have digital certificates, at least 27% of Autonomous Systems actively validate certificates against BGP announcements, and filter invalid routing announcements. In this study, we present the first security analysis of Krill, the only public and open-source RPKI publication point software. Publication points are hosted by the five Regional Internet Registries across the globe, or by independent Internet operators that wish to manage their own RPKI repositories. Through a detailed investigation of Krill, involving API, command line, configuration parsings, and static code analysis, we identify significant vulnerabilities such as transient dependencies and Denial-of-Service (DoS) exploits. Our key findings reveal Krill's susceptibility to path traversal attacks in case of misconfigured Nginx proxies, and a DoS vulnerability stemming from the h2 rust library. We develop an attack vector that exploits the rust library vulnerability, which leads to a 350x performance degradation. Our results indicate that RPKI is not yet production-grade ready as its main component, the publication points - which host the RPKI objects, are vulnerable to information leaks and DoS attacks.},
  booktitle = {Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security},
  pages = {4922--4924},
  numpages = {3},
  keywords = {bgp, krill, rpki},
  location = {Salt Lake City, UT, USA},
  series = {CCS '24}
}

@inproceedings{tchokodeu2024login,
  author = {Kevin Nsieyanji Tchokodeu and Haya Schulmann and Gil Sobol and Michael Waidner},
  editor = {Bo Luo and Xiaojing Liao and Jun Xu and Engin Kirda and David Lie},
  title = {Poster: Security of Login Interfaces in Modern Organizations},
  year = {2024},
  isbn = {9798400706363},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3658644.3691413},
  doi = {10.1145/3658644.3691413},
  abstract = {Login pages, including those for processes like sign-up, registration, and password recovery are interfaces that implement access control to company services or functionalities. Insufficient security on these pages could allow malicious individuals to gain access to services and network of an organization and launch attacks. In this work, we perform a comprehensive study of the security of 73.4k login interfaces of the 100-top European companies from the Fortune report, which we call EU100. We find over 9 million vulnerabilities, which we analyze from a technical perspective, and categorize them according to the hosting model. Our work provides details on the most commonly observed vulnerabilities on login pages across different sectors and according to the hosting strategy adopted by each company.},
  booktitle = {Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security},
  pages = {4925--4927},
  numpages = {3},
  keywords = {cloud, on-premise, security, vulnerability scans},
  location = {Salt Lake City, UT, USA},
  series = {CCS '24}
}

@inproceedings{jacobsen2024patching,
  author = {Oliver Jacobsen and Haya Schulmann},
  editor = {Bo Luo and Xiaojing Liao and Jun Xu and Engin Kirda and David Lie},
  title = {Poster: Patching NSEC3-Encloser: The Good, the Bad, and the Ugly},
  year = {2024},
  isbn = {9798400706363},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3658644.3691395},
  doi = {10.1145/3658644.3691395},
  abstract = {This paper evaluates the effectiveness of patches designed to mitigate the NSEC3-encloser attack in DNS resolvers. NSEC3, used in DNSSEC to authenticate non-existence of records, can be exploited to exhaust resolver resources through excessive SHA-1 hashing. Despite recent patches, our study reveals that major DNS resolvers remain vulnerable. We test the NSEC3 exhaustion attacks against pre- and post-patch versions of popular DNS resolvers (Unbound, BIND9, PowerDNS, and Knot Resolver), and observe a 72-fold increase in CPU instructions during attacks. PowerDNS 5.0.5 and Knot Resolver 5.7.3 showed improvements, limiting CPU load with strict hash limits. Conversely, BIND9 exhibited marginal improvement, and Unbound 1.20.0 experienced increased CPU load. At an attack rate of 150 malicious NSEC3 records per second, benign DNS request loss rates ranged from 2.7% to 30%. Our study indicates the need for robust countermeasures to address NSEC3 vulnerabilities.},
  booktitle = {Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security},
  pages = {4937--4939},
  numpages = {3},
  keywords = {denial-of-service, dns, dnssec, nsec3, vulnerability},
  location = {Salt Lake City, UT, USA},
  series = {CCS '24}
}

@inproceedings{jacobsen2024fort,
  author = {Oliver Jacobsen and Haya Schulmann and Niklas Vogel and Michael Waidner},
  editor = {Bo Luo and Xiaojing Liao and Jun Xu and Engin Kirda and David Lie},
  title = {Poster: From Fort to Foe: The Threat of RCE in RPKI},
  year = {2024},
  isbn = {9798400706363},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3658644.3691387},
  doi = {10.1145/3658644.3691387},
  abstract = {In this work, we present a novel severe buffer-overflow vulnerability in the RPKI validator Fort, that allows an attacker to achieve Remote Code Execution (RCE) on the machine running the software. We discuss the unique impact of this RCE on networks that use RPKI, illustrating that RCE vulnerabilities are especially severe in the context of RPKI. The design of RPKI makes RCE easy to exploit on a large scale, allows compromise of RPKI validation integrity, and enables a powerful vector for additional attacks on other critical components of the network, like the border routers. We analyze the vulnerability exposing to this RCE and identify indications that the discovered vulnerability could constitute an intentional backdoor to compromise systems running the software over a benign coding mistake. We disclosed the vulnerability, which has been assigned a CVE rated 9.8 critical (CVE-2024-45237).},
  booktitle = {Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security},
  pages = {5015--5017},
  numpages = {3},
  keywords = {relying party, remote code execution, rpki, vulnerability},
  location = {Salt Lake City, UT, USA},
  series = {CCS '24}
}

@inproceedings{friess2024crowdsourced,
  author = {Jens Frie\ss and Haya Schulmann and Michael Waidner},
  title = {Crowdsourced Distributed Domain Validation},
  year = {2024},
  isbn = {9798400712722},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3696348.3696869},
  doi = {10.1145/3696348.3696869},
  abstract = {Domain validation is the primary method used by Certificate Authorities for affirming administrative control over a domain for issuing TLS certificates. Prior work has repeatedly shown its vulnerability to hijacking, prompting the use of multiple vantage points for validation. However, the use of static vantage points, as in Let's Encrypt's MultiVA system, is still subject to targeted attacks. Validators should therefore be both distributed and selected in an unpredictable fashion, which is expensive to achieve with dedicated infrastructure.We take a novel approach to tackle the limitations imposed by dedicated infrastructure on domain validation. We develop a system, dubbed ADDVent, that leverages advertisement networks (adnets) to recruit and orchestrate web clients as a massively distributed and unpredictably arranged set of validators, resistant to targeted hijacking. We experimentally demonstrate that, at lower cost than with dedicated infrastructure, ADDVent achieves performance comparable to Let's Encrypt. We characterize the effects of key parameters to control cost and throughput and we show that the system achieves less exposure to interception than the MultiVA deployment, through better distribution of validators.Since ADD Vent uses an untrusted pool of web clients, we discuss a variety of countermeasures to address possible manipulation through Sybil attacks, including methods based on the coordination of secrets between adnet and orchestration server for separating legitimate and malicious clients.},
  booktitle = {Proceedings of the 23rd ACM Workshop on Hot Topics in Networks},
  pages = {318--325},
  numpages = {8},
  keywords = {Advertisement Networks, Domain Validation, PKI},
  location = {Irvine, CA, USA},
  series = {HotNets '24}
}

@inproceedings{mirdita2024cure,
  author = {Donika Mirdita and Haya Schulmann and Niklas Vogel and Michael Waidner},
  title = {The CURE to Vulnerabilities in RPKI Validation},
  booktitle = {31st Annual Network and Distributed System Security Symposium},
  address = {San Diego, California, USA},
  publisher = {The Internet Society},
  year = {2024},
  url = {https://www.ndss-symposium.org/ndss-paper/the-cure-to-vulnerabilities-in-rpki-validation/},
  doi = {10.14722/ndss.2024.241093},
  abstract = {Over recent years, the Resource Public Key Infrastructure (RPKI) has seen increasing adoption, with now 37.8% of the major networks filtering bogus BGP routes. Systems interact with the RPKI over Relying Party (RP) implementations that fetch RPKI objects and feed BGP routers with the validated prefix-ownership data. Consequently, any vulnerabilities or flaws within the RP software can substantially threaten the stability and security of Internet routing.

We uncover severe flaws in all popular RP implementations, making them susceptible to path traversal attacks, remotely triggered crashes, and inherent inconsistencies, violating RPKI standards. We report a total of 18 vulnerabilities that can be exploited to downgrade RPKI validation in border routers or, worse, enable poisoning of the validation process, resulting in malicious prefixes being wrongfully validated and legitimate RPKI-covered prefixes failing validation. Furthermore, our research discloses inconsistencies in the validation process, with two popular implementations leaving 8149 prefixes unprotected from hijacks, 6405 of which belong to Amazon.

While these findings are significant in their own right, our principal contribution lies in developing CURE, the first-of-its-kind system to systematically detect bugs, vulnerabilities, and RFC compliance issues in RP implementations via automated test generation. The statefulness of RPKI, the lack of rigorous RPKI specifications for recognizing bugs in the object suite, the complexity and diversity of RP implementations, and the inaccessibility of their critical functionalities render this a highly challenging research task. CURE is a powerful RPKI publication point emulator that enables easy and efficient fuzzing of complex RP validation pipelines. It is designed with a set of novel tech-
niques, utilizing differential and stateful fuzzing. We generated over 600 million test cases and tested all popular RPs on them.

Following our disclosure, the vendors already assigned CVEs to the vulnerabilities we found. We are releasing our fuzzing system along with the CURE tool to enable the vendors improve the quality of RP implementations.},
  series = {NDSS 2024}
}

@inproceedings{friess2024cloudy,
  author = {Jens Frie\ss and Tobias Gattermayer and Nethanel Gelernter and Haya Schulmann and Michael Waidner},
  editor = {Laurent Vanbever and Irene Zhang},
  title = {Cloudy with a Chance of Cyberattacks: Dangling Resources Abuse on Cloud Platforms},
  booktitle = {21st USENIX Symposium on Networked Systems Design and Implementation (NSDI 24)},
  year = {2024},
  isbn = {978-1-939133-39-7},
  address = {Santa Clara, CA, USA},
  pages = {1977--1994},
  url = {https://www.usenix.org/conference/nsdi24/presentation/friess},
  publisher = {USENIX Association},
  abstract = {Recent works showed that it is feasible to hijack resources on cloud platforms. In such hijacks, attackers can take over released resources that belong to legitimate organizations. It was proposed that adversaries could abuse these resources to carry out attacks against customers of the hijacked services, e.g., through malware distribution. However, to date, no research has confirmed the existence of these attacks.

We identify, for the first time, real-life hijacks of cloud resources. This yields a number of surprising and important insights. First, contrary to previous assumption that attackers primarily target IP addresses, our findings reveal that the type of resource is not the main consideration in a hijack. Attackers focus on hijacking records that allow them to determine the resource by entering freetext. The costs and overhead of hijacking such records are much lower than those of hijacking IP addresses, which are randomly selected from a large pool.

Second, identifying hijacks poses a substantial challenge. Monitoring resource changes, e.g., changes in content, is insufficient, since such changes could also be legitimate. Retrospective analysis of digital assets to identify hijacks is also arduous due to the immense volume of data involved and the absence of indicators to search for. To address this challenge, we develop a novel approach that involves analyzing data from diverse sources to effectively differentiate between malicious and legitimate modifications. Our analysis has revealed 20,904 instances of hijacked resources on popular cloud platforms. While some hijacks are short-lived (up to 15 days), 1/3 persist for more than 65 days.

We study how attackers abuse the hijacked resources and find that, in contrast to the threats considered in previous work, the majority of the abuse (75%) is blackhat search engine optimization. We also find fraudulent certificates and stolen cookies. We cluster the abuse resources and abuse content to identify about 1,800 individual attacking infrastructures.},
  month = {April}
}

@inproceedings{schulmann2024insights,
  author = {Haya Schulmann and Shujie Zhao},
  editor = {Philipp Richter and Vaibhav Bajpai and Esteban Carisimo},
  title = {Insights into SAV Implementations in the Internet},
  booktitle = {Passive and Active Measurement},
  year = {2024},
  location = {Virtual Event},
  publisher = {Springer},
  address = {Cham},
  pages = {69--87},
  url = {https://link.springer.com/chapter/10.1007/978-3-031-56252-5_4},
  abstract = {Source Address Validation (SAV) is designed to block packets with spoofed IP addresses. Obtaining insights into the deployment and implementation of SAV is essential for understanding the potential impact of attacks that exploit spoofed IP addresses and also poses an interesting research question.},
  isbn = {978-3-031-56252-5},
  series = {PAM 2024}
}

@inproceedings{gruza2024attack,
  author = {Olivia Gruza and Elias Heftrig and Oliver Jacobsen and Haya Schulmann and Niklas Vogel and Michael Waidner},
  title = {Attacking with Something That Does Not Exist: \textquoterightProof of Non-Existence\textquoteright Can Exhaust DNS Resolver CPU},
  booktitle = {18th USENIX WOOT Conference on Offensive Technologies (WOOT 24)},
  year = {2024},
  isbn = {978-1-939133-43-4},
  address = {Philadelphia, PA, USA},
  pages = {45--57},
  url = {https://www.usenix.org/conference/woot24/presentation/gruza},
  publisher = {USENIX Association},
  abstract = {NSEC3 is a proof of non-existence in DNSSEC, which provides an authenticated assertion that a queried resource does not exist in the target domain. NSEC3 consists of alphabetically sorted hashed names before and after the queried hostname. To make dictionary attacks harder, the hash function can be applied in multiple iterations, which however also increases the load on the DNS resolver during the computation of the SHA-1 hashes in NSEC3 records. Concerns about the load created by the computation of NSEC3 records on the DNS resolvers were already considered in the NSEC3 specifications RFC5155 and RFC9276. In February 2024, the potential of NSEC3 to exhaust DNS resolvers’ resources was assigned a CVE-2023-50868, confirming that extra iterations of NSEC3 created substantial load. However, there is no published evaluation of the attack and the impact of the attack on the resolvers was not clarified.

In this work we perform the first evaluation of the NSEC3-encloser attack against DNS resolver implementations and find that the NSEC3-encloser attack can still create a 72x increase in CPU instruction count, despite the victim resolver following RFC5155 recommendations in limiting hash iteration counts. The impact of the attack varies across the different DNS resolvers, but we show that with a sufficient volume of DNS packets the attack can increase CPU load and cause packet loss. We find that at a rate of 150 malicious NSEC3 records per second, depending on the DNS implementation, the loss rate of benign DNS requests varies between 2.7% and 30%. We provide a detailed description and implementation of the NSEC3-encloser attack. We also develop the first analysis how each NSEC3 parameter impacts the load inflicted on the victim resolver during NSEC3-encloser attack.

We make the code of our NSEC3-encloser attack implementation along with the zonefile and the evaluation data available for public use: https://github.com/Goethe-Universitat-Cybersecurity/NSEC3-Encloser-Attack.},
  month = {August}
}

@article{schulmann2024rpki,
  author = {Haya Schulmann and Niklas Vogel and Michael Waidner},
  title = {RPKI: Not Perfect But Good Enough},
  journal = {CoRR},
  volume = {abs/2409.14518},
  year = {2024},
  url = {https://doi.org/10.48550/arXiv.2409.14518},
  doi = {10.48550/ARXIV.2409.14518},
  eprinttype = {arXiv},
  eprint = {2409.14518},
  abstract = {The Resource Public Key Infrastructure (RPKI) protocol was standardized to add cryptographic security to Internet routing. With over 50% of Internet resources protected with RPKI today, the protocol already impacts significant parts of Internet traffic. In addition to its growing adoption, there is also increasing political interest in RPKI. The White House indicated in its Roadmap to Enhance Internet Routing Security, on 4 September 2024, that RPKI is a mature and readily available technology for securing inter-domain routing. The Roadmap attributes the main obstacles towards wide adoption of RPKI to a lack of understanding, lack of prioritization, and administrative barriers.
This work presents the first comprehensive study of the maturity of RPKI as a viable production-grade technology. We find that current RPKI implementations still lack production-grade resilience and are plagued by software vulnerabilities, inconsistent specifications, and operational challenges, raising significant security concerns. The deployments lack experience with full-fledged strict RPKI-validation in production environments and operate in fail-open test mode. We provide recommendations to improve RPKI resilience and guide stakeholders in securing their deployments against emerging threats.
The numerous issues we have discovered with the current RPKI specifications and implementations inevitably lead to the question: Is RPKI sufficiently stable to align with the expectations outlined in the White House roadmap? Certainly, it is not perfect, but is it good enough? The answer, as we will explore, varies depending on one's viewpoint.}
}

@article{schulmann2023aktive,
  author = {Haya Schulmann and Michael Waidner},
  title = {Aktive Cyberabwehr},
  journal = {Datenschutz und Datensicherheit},
  volume = {47},
  number = {8},
  pages = {497--502},
  year = {2023},
  month = {August},
  url = {https://doi.org/10.1007/s11623-023-1806-9},
  doi = {10.1007/S11623-023-1806-9},
  abstract = {Aktive Cyberabwehr ist ein wichtiges, aber meist schlecht verstandenes und unterschätztes Instrument zur Erhöhung der Cybersicherheit. Der Artikel gibt einen Überblick über die prinzipiellen technischen Möglichkeiten und deren Risiken.}
}

@article{friess2023revocation,
  author = {Jens Frie\ss and Haya Schulmann and Michael Waidner},
  title = {Revocation Speedrun: How the WebPKI Copes with Fraudulent Certificates},
  year = {2023},
  issue_date = {December 2023},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  volume = {1},
  number = {CoNEXT3},
  pages = {26:1--26:20},
  url = {https://doi.org/10.1145/3629148},
  doi = {10.1145/3629148},
  abstract = {The TLS ecosystem depends on certificates to bootstrap secure connections. Certificate Authorities (CAs) are trusted to issue these correctly. However, as a result of security breaches or attacks, certificates may be issued fraudulently and need to be revoked prematurely.Revocation, as a reactive measure, is fundamentally damage control and, as such, time is critical. Therefore, measuring reaction delay is the first step to identifying how well the revocation system functions.In this paper we attempt to characterize the current performance of the WebPKI in dealing with fraudulent certificates. We present measurements of each step in the revocation process: the detection of certificate issuance through Certificate Transparency (CT) monitoring, the administrative revocation process at popular CAs, and the revocation checking behavior of end-user clients, both in a controlled virtualized environment and in the wild. We perform two live measurements, in 2022 and 2023, respectively, to provide a longitudinal comparison.We find that detection and revocation of fraudulent certificates is quick and efficient when leveraging CT and can be completed within 6.5 hours on average. Furthermore, CT is being increasingly enforced by some browsers. However, ∼83% of the clients we observed, across popular browsers, brands and OSes, completely disregard a certificate's status, whileall of the studied browsers still display soft-fail behavior, making them vulnerable to attackers capable of interfering with the network. Of the clients that do check revocation, we find that 35% can be made to accept a revoked certificate through the use of OCSP Stapling. We expect this number to grow with client-side adoption of OCSP Stapling [RFC6961]. Current OCSP expiration times allow a revoked certificate to remain fully valid for up to 7 days for the majority of CAs, exposing clients to attacks.},
  journal = {Proceedings of the ACM on Networking (PACMNET)},
  month = {November},
  articleno = {26},
  numpages = {20},
  keywords = {PKI, certificate transparency, certificates, revocation}
}

@inproceedings{kaiser2023longitudinal,
  author = {Fabian Kaiser and Haya Schulmann and Michael Waidner},
  editor = {Weizhi Meng and Christian Damsgaard Jensen and Cas Cremers and Engin Kirda},
  title = {Poster: Longitudinal Analysis of DoS Attacks},
  year = {2023},
  isbn = {9798400700507},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3576915.3624382},
  doi = {10.1145/3576915.3624382},
  abstract = {Denial-of-Service (DoS) attacks have become a regular occurrence in the digital world of today. Easy-to-use attack software via download and botnet services that can be rented cheaply in the darknet enable adversaries to conduct such attacks without requiring a comprehensive knowledge of the techniques.To investigate this threat, we conduct a study on DoS attacks that occurred between 1 January 2015 and 31 December 2022. We gather statistics regarding the victims and on how the attacks were conducted. Furthermore, we show possible side effects of such attacks on critical Internet infrastructure.This study provides interesting insights as well as observations and is useful for researchers and experts for developing defenses to mitigate DoS attacks. We therefore make our dataset publicly available.},
  booktitle = {Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security},
  pages = {3573--3575},
  numpages = {3},
  keywords = {availability, dataset, denial-of-service attack, dos, security, side effects},
  location = {Copenhagen, Denmark},
  series = {CCS '23}
}

@inproceedings{hlavacek2023beyond,
  author = {Tomas Hlavacek and Philipp Jeitner and Donika Mirdita and Haya Schulmann and Michael Waidner},
  editor = {Henning Schulzrinne and Vishal Misra and Eddie Kohler and David A. Maltz},
  title = {Beyond Limits: How to Disable Validators in Secure Networks},
  year = {2023},
  isbn = {9798400702365},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3603269.3604861},
  doi = {10.1145/3603269.3604861},
  abstract = {Relying party validator is a critical component of RPKI: it fetches and validates signed authorizations mapping prefixes to their owners. Routers use this information to block bogus BGP routes.Since the processing time of validators is not limited, malicious repositories could stall them. To limit the time that RPKI validators spend on downloading RPKI objects, thresholds were introduced into all popular implementations.We perform the first analysis of the thresholds. On the one hand, we show that the current thresholds are too permissive and hence do not prevent attacks. On the other hand, we show that even those permissive thresholds cause 11.78% failure rate in validators. We find experimentally that although stricter thresholds would make attacks more difficult they would significantly increase the failure rates. Our analysis shows that no matter what balance between permissive-strict thresholds is struck, one of the problems, either failures or exposure to attacks, will always persist.As a solution against attacks and failures we develop a sort-and-limit algorithm for validators. We demonstrate through extensive evaluations on a simulated platform that our algorithm prevents the attacks and failures not only in the current but also in full RPKI deployment.},
  booktitle = {Proceedings of the ACM SIGCOMM 2023 Conference},
  pages = {950--966},
  numpages = {17},
  keywords = {RPKI, downgrade attacks, BGP security, BGP prefix hijacks},
  location = {New York, NY, USA},
  series = {ACM SIGCOMM '23}
}

@inproceedings{schulmann2023lemon,
  author = {Haya Schulmann and Shujie Zhao},
  editor = {Henning Schulzrinne and Vishal Misra and Eddie Kohler and David A. Maltz},
  title = {Poster: LeMon: Global Route Leak Monitoring Service},
  year = {2023},
  isbn = {9798400702365},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3603269.3610852},
  doi = {10.1145/3603269.3610852},
  abstract = {We develop LeMon for real-time detection of route leaks and explain how we resolved the shortcomings in previous approaches. We perform extensive evaluations of LeMon on heuristically derived datasets as well as on live BGP traffic demonstrating its performance and accuracy. We also confirm the events identified by LeMon with survey of network operators. We provide access to our implementation of LeMon and to the datasets.},
  booktitle = {Proceedings of the ACM SIGCOMM 2023 Conference},
  pages = {1111--1113},
  numpages = {3},
  keywords = {BGP, route leaks},
  location = {New York, NY, USA},
  series = {ACM SIGCOMM '23}
}

@inproceedings{heftrig2023offpath,
  author = {Elias Heftrig and Haya Schulmann and Michael Waidner},
  title = {Poster: Off-Path DNSSEC Downgrade Attacks},
  year = {2023},
  isbn = {9798400702365},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3603269.3610840},
  doi = {10.1145/3603269.3610840},
  abstract = {Recent works found that signing zones with new cryptographic ciphers may disable DNSSEC validation in DNS resolvers. Adversaries could exploit this to manipulate algorithm numbers of ciphers in DNS responses, to make them appear as unknown, hence maliciously downgrading DNSSEC validation. In this work we show that these manipulation of DNSSEC records can also be launched remotely by off-path adversaries. We develop a DNSSEC downgrade attack using IP fragmentation. The idea is to create large DNS responses, that exceed the Maximum Transmission Unit on that path. The off-path adversary injects a malicious IP fragment, which when reassembled with the genuine IP fragment, overwrites the algorithm number of the ciphers in DNSSEC records.Our experimental evaluation of the off-path attack with a victim resolver that we set up identified 7.7K vulnerable domains out of 43K DNSSEC-signed 1M-top Tranco domains. We provide recommendations to mitigate the vulnerabilities.},
  booktitle = {Proceedings of the ACM SIGCOMM 2023 Conference},
  pages = {1120--1122},
  numpages = {3},
  keywords = {DNS, DNSSEC, off-path attacks, downgrade attacks},
  location = {New York, NY, USA},
  series = {ACM SIGCOMM '23}
}

@inproceedings{hlavacek2023insights,
  author = {Tomas Hlavacek and Haya Schulmann and Niklas Vogel and Michael Waidner},
  editor = {Joseph A. Calandrino and Carmela Troncoso},
  title = {Keep Your Friends Close, but Your Routeservers Closer: Insights into RPKI Validation in the Internet},
  booktitle = {32nd USENIX Security Symposium (USENIX Security 23)},
  year = {2023},
  isbn = {978-1-939133-37-3},
  address = {Anaheim, CA, USA},
  pages = {4841--4858},
  url = {https://www.usenix.org/conference/usenixsecurity23/presentation/hlavacek},
  publisher = {USENIX Association},
  abstract = {IP prefix hijacks allow adversaries to redirect and intercept traffic, posing a threat to the stability and security of the Internet. To prevent prefix hijacks, networks should deploy RPKI and filter bogus BGP announcements with invalid routes. In this work we evaluate the impact of RPKI deployments on the security and resilience of the Internet. We aim to understand which networks filter invalid routes and how effective that filtering is in blocking prefix hijacks. We extend previous data acquisition and analysis methodologies to obtain more accurate identification of networks that filter invalid routes with RPKI. We find that more than 27% of networks enforce RPKI filtering and show for the first time that deployments follow the business incentives of inter-domain routing: providers have an increased motivation to filter in order to avoid losing customers' traffic.

Analyzing the effectiveness of RPKI, we find that the current trend to deploy RPKI on routeservers of Internet Exchange Points (IXPs) only provides a localized protection against hijacks but has negligible impact on preventing their spread globally. In contrast, we show that RPKI filtering in Tier-1 providers greatly benefits the security of the Internet as it limits the spread of hijacks to a localized scope. Based on our observations, we provide recommendations on the future roadmap of RPKI deployment.

We make our datasets available for public use.},
  month = {August}
}

@inproceedings{heftrig2023downgrading,
  author = {Elias Heftrig and Haya Schulmann and Michael Waidner},
  editor = {Joseph A. Calandrino and Carmela Troncoso},
  title = {Downgrading DNSSEC: How to Exploit Crypto Agility for Hijacking Signed Zones},
  booktitle = {32nd USENIX Security Symposium (USENIX Security 23)},
  year = {2023},
  isbn = {978-1-939133-37-3},
  address = {Anaheim, CA, USA},
  pages = {7429--7444},
  url = {https://www.usenix.org/conference/usenixsecurity23/presentation/heftrig},
  publisher = {USENIX Association},
  abstract = {Cryptographic algorithm agility is an important property for DNSSEC: it allows easy deployment of new algorithms if the existing ones are no longer secure. Significant operational and research efforts are dedicated to pushing the deployment of new algorithms in DNSSEC forward. Recent research shows that DNSSEC is gradually achieving algorithm agility: most DNSSEC supporting resolvers can validate a number of different algorithms and domains are increasingly signed with cryptographically strong ciphers.

In this work we show for the first time that the cryptographic agility in DNSSEC, although critical for making DNS secure with strong cryptography, also introduces a severe vulnerability. We find that under certain conditions, when new, unsupported algorithms are listed in signed DNS responses, the resolvers do not validate DNSSEC. As a result, domains that deploy new ciphers, risk exposing the validating resolvers to cache poisoning attacks. We use this to develop DNSSECdowngrade attacks and experimentally and ethically evaluate our attacks against popular DNS resolver implementations, public DNS providers, and DNS resolvers used by web clients.

We validate the success of DNSSEC-downgrade attacks by poisoning the resolvers: we inject fake records, in signed domains, into the caches of validating resolvers. Our evaluations showed that during 2021 major DNS providers, such as Google Public DNS and Cloudflare, as well as 35% of DNS resolvers used by the web clients were vulnerable to our attacks. After coordinated disclosure with the affected operators, that number reduced to 5.03% in 2022.

We trace the factors that led to this situation and provide recommendations.},
  month = {August}
}

@article{bertino2022esorics,
  author = {Elisa Bertino and Haya Schulmann and Michael Waidner},
  title = {Special issue ESORICS 2021},
  journal = {Journal of Computer Security},
  volume = {30},
  number = {6},
  pages = {753--755},
  year = {2022},
  doi = {10.3233/JCS-220951},
  url = {https://journals.sagepub.com/doi/abs/10.3233/JCS-220951},
  eprint = {https://journals.sagepub.com/doi/pdf/10.3233/JCS-220951}
}

@inproceedings{hlavacek2022behind,
  author = {Tomas Hlavacek and Philipp Jeitner and Donika Mirdita and Haya Schulmann and Michael Waidner},
  title = {Behind the Scenes of RPKI},
  year = {2022},
  isbn = {9781450394505},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3548606.3560645},
  doi = {10.1145/3548606.3560645},
  abstract = {Best practices for making RPKI resilient to failures and attacks recommend using multiple URLs and certificates for publication points as well as multiple relying parties. We find that these recommendations are already supported by 63% of the ASes with RPKI. In this work we explore the dependency of the RPKI deployments on their DNS components. We find that the resilience of RPKI can be subverted through DNS. We identify two key factors.  First, we find that 42.8% of the ASes with multiple relying parties use a single resolver for looking up the RPKI publication points and the DNS resolvers of 82.9% of the relying parties are all located on a single AS. Both introduce a single point of failure. Second, we also find problems with DNSSEC deployments: more than 24% of the resolvers in RPKI experience failures with signed DNS responses and as a result cannot locate the RPKI publication points and cannot validate RPKI, and 60% of the resolvers that support DNSSEC do not validate records signed with new algorithms, accepting responses also with invalid signatures.  We experimentally find that adversaries can disable RPKI in 56.7% of the ASes that have vulnerable DNS components. Our simulations show that disabling RPKI exposes ASes to prefix hijack attacks. Our work demonstrates, that resilience of systems, like RPKI, cannot be achieved in isolation due to complex inter-dependencies with other systems.},
  booktitle = {Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security},
  pages = {1413--1426},
  numpages = {14},
  keywords = {bgp, dns, dnssec, resilience, rpki},
  location = {Los Angeles, CA, USA},
  series = {CCS '22}
}

@inproceedings{heftrig2022unintended,
  author = {Elias Heftrig and Haya Schulmann and Michael Waidner},
  title = {Poster: The Unintended Consequences of Algorithm Agility in DNSSEC},
  year = {2022},
  isbn = {9781450394505},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3548606.3563517},
  doi = {10.1145/3548606.3563517},
  abstract = {Cryptographic algorithm agility is an important property for DNSSEC: it allows easy deployment of new algorithms if the existing ones are no longer secure. In this work we show that the cryptographic agility in DNSSEC, although critical for provisioning DNS with strong cryptography, also introduces a vulnerability. We find that under certain conditions, when new algorithms are listed in signed DNS responses, the resolvers do not validate DNSSEC. As a result, domains that deploy new ciphers may in fact cause the resolvers not to validate DNSSEC. We exploit this to develop DNSSEC-downgrade attacks and experimentally and ethically evaluate them against popular DNS resolver implementations, public DNS providers, and DNS services used by web clients worldwide. We find that major DNS providers as well as 45% of DNS resolvers used by web clients are vulnerable to our attacks.},
  booktitle = {Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security},
  pages = {3363--3365},
  numpages = {3},
  keywords = {cryptographic agility, dnssec, downgrade attacks},
  location = {Los Angeles, CA, USA},
  series = {CCS '22}
}

@inproceedings{mirdita2022killswitch,
  author = {Donika Mirdita and Haya Schulmann and Michael Waidner},
  editor = {Heng Yin and Angelos Stavrou and Cas Cremers and Elaine Shi},
  title = {Poster: RPKI Kill Switch},
  year = {2022},
  isbn = {9781450394505},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3548606.3563536},
  doi = {10.1145/3548606.3563536},
  abstract = {Relying party implementations are an important component of RPKI: they fetch and validate the signed authorizations mapping prefixes to their owners. Border routers use this information to check which Autonomous Systems (ASes) are authorized to originate given prefixes and to enforce Route Origin Validation (ROV) in order to block bogus BGP announcements, preventing accidental and malicious prefix hijacks. In 2021 the RPKI relying party implementations were patched against attacks by malicious publication points. In such attacks the relying parties are stalled processing malformed RPKI objects. In this work we perform a black-box analysis of the patched relying party implementations and find that out of five popular relying parties, two major implementations (Routinator and OctoRPKI) have vulnerabilities that can be exploited to cause large scale blackouts in the RPKI ecosystem. We show that the vulnerabilities we found apply to 84.9% of the networks supporting RPKI. We analyze the code to understand the factors causing the bugs. We show that these vulnerabilities can be exploited to crash the deployed relying parties, disabling RPKI validation and exposing the networks to prefix hijack attacks.},
  booktitle = {Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security},
  pages = {3423--3425},
  numpages = {3},
  keywords = {bgp, rpki, vulnerability},
  location = {Los Angeles, CA, USA},
  series = {CCS '22}
}

@inproceedings{schulmann2022insights,
  author = {Haya Schulmann and Niklas Vogel and Michael Waidner},
  editor = {Heng Yin and Angelos Stavrou and Cas Cremers and Elaine Shi},
  title = {Poster: Insights into Global Deployment of RPKI Validation},
  year = {2022},
  isbn = {9781450394505},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3548606.3563523},
  doi = {10.1145/3548606.3563523},
  abstract = {IP prefix hijacks, due to malicious attacks or benign misconfigurations, pose a threat to the Internet's stability and security. RPKI was designed to enable networks to block prefix hijacks by enforcing Route Origin Validation (ROV). In this work we evaluate the effectiveness of the global ROV deployment in blocking prefix hijacks. We perform control-plane and data-plane experiments and provide an in-depth analysis of the collected results. Our analysis is based on new methodologies we developed that allow more accurate identification of ROV enforcing ASes. Our analysis shows that the current ROV enforcement rate is significantly higher than found in previous studies: in contrast to 0.6% in a study from 2021, in our work we find that 37.8% enforce ROV. Our results indicate that ROV has finally gained traction and offers substantial protection against prefix hijacks.},
  booktitle = {Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security},
  pages = {3467--3469},
  numpages = {3},
  keywords = {rpki, prefix hijacks, bgp},
  location = {Los Angeles, CA, USA},
  series = {CCS '22}
}

@inproceedings{schulmann2022dnsinrouters,
  author = {Haya Schulmann and Michael Waidner},
  editor = {Heng Yin and Angelos Stavrou and Cas Cremers and Elaine Shi},
  title = {Poster: DNS in Routers Considered Harmful},
  year = {2022},
  isbn = {9781450394505},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3548606.3563509},
  doi = {10.1145/3548606.3563509},
  abstract = {To save costs residential routers often do not implement most of the functionalities and security features of DNS, yet they still contain DNS forwarders which merely proxy the clients' requests to another address. These forwarders separate the network configuration of the internal client network from the network of the ISP. This provides connectivity without the need for synchronization. History of cache poisoning attacks shows however that such simplified implementations expose a wide range of vulnerabilities. We propose to remove DNS from routers. We show that the performance impact is negligible, while security gain is substantial. We discuss a number of ways for implementing our approach},
  booktitle = {Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security},
  pages = {3471--3473},
  numpages = {3},
  keywords = {routers, injections, dns, attacks},
  location = {Los Angeles, CA, USA},
  series = {CCS '22}
}

@inproceedings{schulmann2022howtonot,
  author = {Haya Schulmann},
  title = {How (Not) to Deploy Cryptography on the Internet},
  year = {2022},
  isbn = {9781450392204},
  publisher = {Association for Computing Machinery},
  address = {New York, NY, USA},
  url = {https://doi.org/10.1145/3508398.3511270},
  doi = {10.1145/3508398.3511270},
  abstract = {The core protocols in the Internet infrastructure play a central role in delivering packets to their destination. The inter-domain routing with BGP (Border Gateway Protocol) computes the correct paths in the global Internet, and DNS (Domain Name System) looks up the destination addresses. Due to their critical function they are often attacked: the adversaries redirect victims to malicious servers or networks by making them traverse incorrect routes or reach incorrect destinations, e.g., for cyber-espionage, for spam distribution, for theft of crypto-currency, for censorship [1, 4-6]. This results in relatively stealthy attacks which cannot be immediately detected and prevented [2, 3]. By the time the attacks are detected, damage was already done.The frequent attacks along with the devastating damages that they incur, motivates the deployment of cryptographic defences to secure the Internet infrastructure. Multiple efforts are devoted to protecting the core Internet protocols with cryptographic mechanisms, BGP with RPKI and DNS with DNSSEC. Recently the deployment of these defences took off, and many networks and DNS servers in the Internet already adopted them. We review the deployed defences and show that the tradeoffs made by the operators or developers can be exploited to disable the cryptographic defences. We also provide mitigations and discuss challenges in their adoption.},
  booktitle = {Proceedings of the Twelfth ACM Conference on Data and Application Security and Privacy},
  pages = {1},
  numpages = {1},
  keywords = {rpki, dnssec, dns cache poisoning, bgp prefix hijacks},
  location = {Baltimore, MD, USA},
  series = {CODASPY '22}
}

@inproceedings{hlavacek2022smartrpki,
  author = {Tomas Hlavacek and Haya Schulmann and Michael Waidner},
  editor = {Vijayalakshmi Atluri and Roberto Di Pietro and Christian Damsgaard Jensen and Weizhi Meng},
  title = {Smart RPKI Validation: Avoiding Errors and Preventing Hijacks},
  booktitle = {Computer Security -- ESORICS 2022},
  series = {Lecture Notes in Computer Science},
  location = {Copenhagen, Denmark},
  volume = {13554},
  pages = {509--530},
  year = {2022},
  publisher = {Springer},
  address = {Cham},
  doi = {10.1007/978-3-031-17140-6_25},
  url = {https://doi.org/10.1007/978-3-031-17140-6_25},
  isbn = {978-3-031-17140-6},
  abstract = {Resource Public Key Infrastructure (RPKI) was designed to authorize ownership of prefixes in the Internet, which routers use to filter bogus BGP announcements to prevent prefix hijacks. Although already 360K routes have valid covering Route Origin Authorizations (ROAs), RPKI is not widely validated. Erroneous ROAs are one of the obstacles towards wide filtering of bogus BGP announcements with Route Origin Validation (ROV). Erroneous ROAs conflict with BGP announcements and appear similar to hijacking announcements. Blocking such conflicting announcements can disconnect networks and hence demotivates enforcement of ROV.}
}

@inproceedings{hlavacek2022stalloris,
  author = {Tomas Hlavacek and Philipp Jeitner and Donika Mirdita and Haya Schulmann and Michael Waidner},
  title = {Stalloris: RPKI Downgrade Attack},
  booktitle = {31st USENIX Security Symposium (USENIX Security 22)},
  year = {2022},
  isbn = {978-1-939133-31-1},
  address = {Boston, MA, USA},
  pages = {4455--4471},
  url = {https://www.usenix.org/conference/usenixsecurity22/presentation/hlavacek},
  publisher = {USENIX Association},
  month = {August},
  abstract = {We demonstrate the first downgrade attacks against RPKI. The key design property in RPKI that allows our attacks is the tradeoff between connectivity and security: when networks cannot retrieve RPKI information from publication points, they make routing decisions in BGP without validating RPKI. We exploit this tradeoff to develop attacks that prevent the retrieval of the RPKI objects from the public repositories, thereby disabling RPKI validation and exposing the RPKI-protected networks to prefix hijack attacks.

We demonstrate experimentally that at least 47% of the public repositories are vulnerable against a specific version of our attacks, a rate-limiting off-path downgrade attack. We also show that all the current RPKI relying party implementations are vulnerable to attacks by a malicious publication point. This translates to 20.4% of the IPv4 address space.

We provide recommendations for preventing our downgrade attacks. However, resolving the fundamental problem is not straightforward: if the relying parties prefer security over connectivity and insist on RPKI validation when ROAs cannot be retrieved, the victim AS may become disconnected from many more networks than just the one that the adversary wishes to hijack. Our work shows that the publication points are a critical infrastructure for Internet connectivity and security. Our main recommendation is therefore that the publication points should be hosted on robust platforms guaranteeing a high degree of connectivity.}
}

@inproceedings{jeitner2022xdri,
  author = {Philipp Jeitner and Haya Schulmann and Lucas Teichmann and Michael Waidner},
  title = {XDRI Attacks - and - How to Enhance Resilience of Residential Routers},
  booktitle = {31st USENIX Security Symposium (USENIX Security 22)},
  year = {2022},
  isbn = {978-1-939133-31-1},
  address = {Boston, MA, USA},
  pages = {4473--4490},
  url = {https://www.usenix.org/conference/usenixsecurity22/presentation/jeitner},
  publisher = {USENIX Association},
  month = {August},
  abstract = {We explore the security of residential routers and find a range of critical vulnerabilities. Our evaluations show that 10 out of 36 popular routers are vulnerable to injections of fake records via misinterpretation of special characters. We also find that in 15 of the 36 routers the mechanisms, that are meant to prevent cache poisoning attacks, can be circumvented.

In our Internet-wide study with an advertisement network, we identified and analyzed 976 residential routers used by web clients, out of which more than 95% were found vulnerable to our attacks. Overall, vulnerable routers are prevalent and are distributed among 177 countries and 4830 networks.

To understand the core factors causing the vulnerabilities we perform black- and white-box analyses of the routers. We find that many problems can be attributed to incorrect assumptions on the protocols' behaviour and the Internet, misunderstanding of the standard recommendations, bugs, and simplified DNS software implementations.

We provide recommendations to mitigate our attacks. We also set up a tool to enable everyone to evaluate the security of their routers at https://xdi-attack.net/.}
}