WAVED: Principled Identification of Off-Path Exploitable Weak Verifications within the TCP/IP Protocol Suite

Yizhou Zhao and Xuewei Feng, Tsinghua University; Min Li, Zhongguancun Laboratory; Ke Xu, Tsinghua University

Off-path exploits targeting the fundamental TCP/IP protocol suite pose significant threats to the security of the Internet infrastructure. In particular, weak verifications of received payloads—arising from the lack of reliable information to validate or implementation flaws within the suite—lead to vulnerabilities that attackers can exploit to manipulate traffic, induce data loss, and disrupt services on victim servers. In this paper, we present the first systematic study of these vulnerabilities and introduce WAVED, a framework for identifying off-path exploitable weak verifications within the TCP/IP protocol suite implementation. At the core of WAVED, we develop a flow-, context-, and field-sensitive pointer analysis tailored to the TCP/IP kernel, and construct a Taint Propagation Graph (TPG) to model and trace data flow within the stack. By modeling byte-granularity taint propagation across diverse arithmetic operations, our approach can accurately locate specific input bytes associated with each constraint. Furthermore, direction-sensitive taint information is computed to accurately capture and differentiate the strength of constraints imposed by alternative branch outcomes, thereby significantly outperforming traditional byte-insensitive and direction-insensitive analyses. We evaluate WAVED on IPv4 and IPv6 across Linux 5.15, Linux 6.8, and FreeBSD 14.1. It precisely uncovers weak verifications leading to semantic vulnerabilities in TCP/IP and reveals 14 previously unknown vulnerabilities. We have responsibly disclosed these vulnerabilities to the affected OS vendors and have received acknowledgments from the Linux community.
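As an added illustration of the byte-granularity, direction-sensitive taint idea the abstract describes (this is not code from the paper or from WAVED itself): a toy Python model that labels each bit of a parsed packet field with the input byte it came from, propagates those labels through shift, mask and addition, and for each check reports which input bytes it depends on and how many tainted bits each branch outcome pins. The TCP-like header layout, the sample packet and the bits-pinned strength metric are my assumptions.

```python
# Toy byte-granularity, direction-sensitive taint model over a packet (added illustration of the
# idea in the abstract, not WAVED's code; header layout and strength metric are my assumptions).
from dataclasses import dataclass

@dataclass(frozen=True)
class Tainted:
    value: int
    labels: tuple  # one frozenset per bit, MSB first: packet byte offsets the bit depends on

def load_be(pkt: bytes, off: int, n: int) -> Tainted:
    # each bit of a big-endian field is labelled with the packet byte it was read from
    labels = tuple(frozenset({off + i // 8}) for i in range(8 * n))
    return Tainted(int.from_bytes(pkt[off:off + n], "big"), labels)

def shr(t: Tainted, k: int) -> Tainted:
    # logical right shift: the k new top bits are constants and carry no taint
    return Tainted(t.value >> k, (frozenset(),) * k + t.labels[:len(t.labels) - k])

def band(t: Tainted, mask: int) -> Tainted:
    # AND with a constant: bits the mask clears stop depending on input
    w = len(t.labels)
    labels = tuple(s if (mask >> (w - 1 - i)) & 1 else frozenset() for i, s in enumerate(t.labels))
    return Tainted(t.value & mask, labels)

def add(a: Tainted, b: Tainted) -> Tainted:
    # addition: via carries, each result bit depends on the same and all lower bits of both operands
    w = len(a.labels)
    labels = tuple(frozenset().union(*a.labels[i:], *b.labels[i:]) for i in range(w))
    return Tainted((a.value + b.value) & ((1 << w) - 1), labels)

def constraint(t: Tainted, kind: str, window: int = 1):
    # Returns (input bytes the check depends on, bits pinned if it passes, bits pinned if it fails).
    # "eq": t == const pins every tainted bit to pass; "window": lo <= t < lo + window leaves log2(window) free.
    deps = frozenset().union(*t.labels)
    bits = sum(1 for s in t.labels if s)
    pinned = bits if kind == "eq" else max(0, bits - (window.bit_length() - 1))
    return deps, pinned, 0

# Constructed TCP-like header: seq at bytes 4..7, ack at bytes 8..11.
PKT = bytes.fromhex("1f90d431" "0000a5a5" "00000100" "50100400" "00000000")

def analyse(pkt: bytes) -> dict:
    seq, ack = load_be(pkt, 4, 4), load_be(pkt, 8, 4)
    return {
        "seq_low16_eq": constraint(band(seq, 0xFFFF), "eq"),         # bytes {6,7}: 16 bits to pass
        "seq_high16_eq": constraint(shr(seq, 16), "eq"),             # bytes {4,5}: 16 bits to pass
        "seq_in_window": constraint(seq, "window", 1 << 16),         # bytes {4..7}: 32-16 bits to pass
        "sum_low8_eq": constraint(band(add(seq, ack), 0xFF), "eq"),  # bytes {7,11}: 8 bits to pass
    }
```

The fail side of every check pins zero bits, which is the asymmetry the abstract's direction-sensitive analysis is meant to expose: a verification whose failing branch is the one an unsolicited segment reaches constrains an off-path sender far less than the passing branch would.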
