passive data link layer 802.11 wireless device driver fingerprinting jason franklin, damon mccoy,...

Post on 30-Mar-2015


Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting

Jason Franklin, Damon McCoy, Parisa Tabriz, Vicentiu Neagoe, Jamie Van Randwyk, Douglas Sicker

What would you like to identify today?

Be Pessimistic!

• Today, we take a glass-is-half-empty view of device driver security.

• We present a fingerprinting technique for 802.11 device drivers under the premise that wireless device drivers are and will remain vulnerable.


Outline

I. Motivation
II. 802.11 and all that jazz
III. Fingerprinting Approach
IV. Evaluation
V. Preventative Measures
VI. Wrap up

Motivation

• 802.11 is everywhere.
  – Coffee shops, airports, homes, businesses, here!
  – Full-city coverage (San Francisco, London, Chicago)

• Driver-specific exploits are an emerging threat.
  – Drivers are complex, numerous, buggy, and usually NOT easy to externally interact with.
  – Wireless drivers, however, are externally accessible.
  – 802.11 driver exploits already exist.
  – New APIs for 802.11 packet generation will make writing exploits easier.

Fingerprinting

• What is fingerprinting?
  – Process by which a target object is identified by its externally observable characteristics

[Figure: a fingerprinter observing a target device, captioned "What would you like to identify today?"]

Device Driver Fingerprinting

• Utility of fingerprinting
  – Intrusion detection: detecting MAC address spoofing
  – Network forensics: narrow or verify source of network event or security incident
  – Reconnaissance: targeted attacks

• Why not use the MAC Address?
  – MAC address is one way to identify a NIC manufacturer
  – Easy to change (spoof) to another legitimate, copied, or fictitious MAC

802.11 Active Scanning

• A station sends probe request frames when it needs to discover access points in a wireless network. This process is known as active scanning.

• The IEEE 802.11 standard specifies active scanning as…

  For every channel:
      Broadcast probe request frame;
      Start channel timer, t;
      If t reaches MinChannelTime AND current channel is IDLE:
          Scan to the next channel;
      Else
          Wait until t reaches MaxChannelTime;
          Process probe response frames from current channel;
          Scan to the next channel;

• The remaining details of this process implementation are determined by wireless driver authors…

Intuition

• As you may have guessed, we distinguish drivers based on unique active scanning!

[Figure: active scanning traces for the D-Link driver (D-Link DWL-G520 PCI Wireless NIC) and the Cisco driver (Aironet AIR-CB21AG-A-K9 PCI Wireless NIC).]

Outline of Method

Supervised Bayesian Classification:
1. Create tagged signatures (Bayesian models)
   • 17 different device drivers
   • 12 hour traffic traces
2. Capture traffic trace for an unidentified driver
3. Compare how close the unidentified trace is to every tagged signature and identify based on nearest match

Signature Generation

• Driver signatures are based on the delta arrival time between probe requests.

• Signatures are obtained via binning with an empirically tuned and fixed bin width.
1. Record the percentage of probe requests placed in each bin
2. Record the average, for each bin, of all actual (non-rounded) delta arrival time values in that bin
3. Generate a vector initialized with these parameters as the signature for that driver

[Figure: Windows Engenius driver signature. Bar chart of the share of probe requests in each bin (y-axis 0 to 0.7) against the mean delta arrival time of each bin (x-axis 0.06, 1.19, 1.27, 2.5, 3.81).]

Identification

• Calculate how close the trace is to every known driver signature using distance metric

• Trace is identified as having the driver with the signature that is the closest according to our metric
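The signature generation and identification steps above, as an added Python example that is not the authors' code: probe request inter-arrival times are binned with a fixed width into (share, mean) pairs, and an unknown trace is labelled with the nearest stored signature. The bin width, the distance metric and the two driver timing patterns are assumptions; the slides say the bin width is tuned empirically and do not state the metric.

```python
# Added example, not code from the paper: fixed-width binning of probe request
# inter-arrival times into a (share, mean) signature, plus nearest-signature
# identification.  Bin width, metric and sample timings are assumptions.
from collections import defaultdict

BIN_WIDTH = 0.5  # seconds (assumed; the paper tunes this empirically)


def make_signature(timestamps, bin_width=BIN_WIDTH):
    """Map bin index -> (share of probe requests, mean delta in that bin)."""
    # Round to microseconds so a delta on a bin edge lands deterministically.
    deltas = [round(b - a, 6) for a, b in zip(timestamps, timestamps[1:])]
    if not deltas:
        return {}
    buckets = defaultdict(list)
    for d in deltas:
        buckets[int(d // bin_width)].append(d)
    return {b: (len(v) / len(deltas), sum(v) / len(v)) for b, v in buckets.items()}


def distance(sig_a, sig_b, bin_width=BIN_WIDTH):
    """Assumed metric: L1 over bin shares plus mean offsets scaled by bin width."""
    total = 0.0
    for b in set(sig_a) | set(sig_b):
        share_a, mean_a = sig_a.get(b, (0.0, None))
        share_b, mean_b = sig_b.get(b, (0.0, None))
        total += abs(share_a - share_b)
        if mean_a is not None and mean_b is not None:
            total += abs(mean_a - mean_b) / bin_width
    return total


def identify(trace, database):
    """Return (tag, distance) of the closest tagged signature."""
    sig = make_signature(trace)
    return min(((tag, distance(sig, s)) for tag, s in database.items()),
               key=lambda pair: pair[1])


def timeline(deltas):
    # Turn a list of inter-arrival gaps into absolute capture timestamps.
    times = [0.0]
    for d in deltas:
        times.append(times[-1] + d)
    return times


# Constructed traces: driver A probes about once a second; driver B sends a
# burst of three probes and then sleeps about three seconds.
DRIVER_A = timeline([1.0, 1.1, 0.9, 1.0, 1.05, 0.95] * 4)
DRIVER_B = timeline([0.1, 0.1, 3.0, 0.1, 0.1, 2.9] * 4)
DATABASE = {  # tag format follows the slides: driver assoc-status manager
    "driverA unassoc vendor": make_signature(DRIVER_A),
    "driverB assoc windows": make_signature(DRIVER_B),
}
UNKNOWN = timeline([0.12, 0.09, 3.1, 0.1, 0.11, 2.95, 0.1, 0.1, 3.0])
```

identify(UNKNOWN, DATABASE) returns the driver B tag with a small distance, while the same trace sits about 2.0 away from driver A's signature.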

Factors that Affect Probing

• Association status
  – Associated to an access point
  – Unassociated

• Driver management
  – Managed by Windows
  – Managed by NIC vendor drivers

Experimental Setup

• The fingerprinter: Pentium 4 running Linux with a Cisco Aironet a/b/g wireless card

• The victims: 17 different wireless drivers, including drivers from Apple, Cisco, D-link, Intel, Linksys, Madwifi, Netgear, Proxim, and SMC

• The signature database: 31 unique driver signatures with tags and signature of the format:
  driver assoc-status manager : (bin, % in bin, mean)

Experimental Setup

Test set #1, Master Signature Database (Lab):
  – No background traffic
  – No obstructions

Test set #2 (Home network):
  – No background traffic
  – Wall between fingerprinter and victim

Test set #3 (Coffee house):
  – Background wireless traffic
  – Miscellaneous objects between fingerprinter and victim

Results

Test Set | Successful | Total | Accuracy
1        | 55         | 57    | 96%
2        | 48         | 57    | 84%
3        | 44         | 57    | 77%

[Figure: Number of Drivers (y-axis 0 to 10) by Accuracy of Driver Percentage (x-axis 100, 99-90, 89-80, 79-70, 69-60).]

Results

[Figure: Fingerprinting Accuracy (Percentage) against Trace Data (Minutes).]

Limitations

• Cannot distinguish between different driver versions

• Accuracy is sensitive to network conditions

Preventing Fingerprinting

• Standardize IEEE 802.11 active scanning
  – Power constrained devices will want to probe less often than devices worried about quick handoffs

• Support configurable active scanning
  – Off by default?
  – Can we expect users to understand when to appropriately enable or disable active scanning?

• Inject probe requests to disguise driver behavior
  – Wastes power and bandwidth
  – Difficult to ensure that the noise is masking the driver

Preventing Fingerprinting

• Modify driver code
  – Extremely difficult with closed source drivers
  – Non-trivial to modify even in open source drivers

• Patch existing drivers
  – Best effort to mitigate driver exploits
  – A usable and efficient patching process is needed to fix existing and future vulnerabilities discovered in device drivers

Conclusions

• Wireless devices are a target of attack

• Unique implementations of active scanning can be used to fingerprint a wireless driver

• According to our results, this method of fingerprinting is highly accurate and efficient

• Now that more drivers are externally accessible, a larger focus needs to be placed on their software security

Questions?
