Automatic Vulnerability Analysis and Intrusion Mitigation Systems for WiMAX Networks

Yan Chen, Hai Zhou Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University Automatic Vulnerability Analysis and Intrusion Mitigation Systems for WiMAX Networks Motorola Liaisons Greg W. Cox, Z. Judy Fu, Peter McCann, and Philip R. Roberts Motorola Labs


Post on 15-Jan-2016



TRANSCRIPT

Page 1: Automatic Vulnerability Analysis and Intrusion Mitigation Systems for WiMAX Networks

Yan Chen, Hai Zhou

Northwestern Lab for Internet and Security Technology (LIST)

Dept. of Electrical Engineering and Computer Science

Northwestern University

http://list.cs.northwestern.edu

Automatic Vulnerability Analysis and Intrusion Mitigation Systems for WiMAX Networks

Motorola Liaisons

Greg W. Cox, Z. Judy Fu, Peter McCann, and Philip R. Roberts

Motorola Labs

Page 2

The Spread of Sapphire/Slammer Worms

Page 3

Outline

• Threat Landscape and Motivation
• Our approach
• Accomplishment
• Achievement highlight: a Mobile IPv6 vulnerability

Page 4

The Current Threat Landscape and Countermeasures of WiMAX Networks

• WiMAX: next wireless phenomenon
  – Predicted multi-billion dollar industry
• WiMAX faces both Internet attacks and wireless network attacks
  – E.g., 6 new viruses, including Cabir and Skulls, with 30 variants targeting mobile devices
• Goal of this project: secure WiMAX networks
• Big security risks for WiMAX networks
  – No formal analysis about WiMAX security vulnerabilities
  – No intrusion detection/mitigation product/research tailored towards WiMAX networks

Page 5

Our Approach

• Vulnerability analysis of 802.16e specs and WiMAX standards
  – Systematic and automatic searching through formal methods
  – First specify the specs and potential capabilities of attackers in a formal language, TLA+ (the Temporal Logic of Actions)
  – Then model check for any possible attacks
  – The formal analysis can also help guide fixing of the flaws
• Adaptive Intrusion Detection and Mitigation for WiMAX Networks (WAIDM)
  – Could be differentiator for Motorola’s 802.16 products

Page 6

Accomplishments This Year

• Most achieved with close interaction with Motorola liaisons
• Automatic vulnerability analysis
  – Checked the initial ranging and authentication of WiMAX
    » Found a potential vulnerability for ranging (but needs to change MAC)
    » Published a joint paper with Judy Fu: “Automatic Vulnerability Checking of IEEE 802.16 WiMAX Protocols through TLA+”, in Proc. of the Second Workshop on Secure Network Protocols (NPSec), 2006.
  – Checking the mobile IPv6
    » Found an easy attack to disable the route optimization!

Page 7

Accomplishments This Year (II)

• Sketch-based online flow-level intrusion detection
  – Mature and ready to be deployed
  – Motorola liaisons are talking to various groups for commercialization
    » E.g., recently talked to Joshua Brickel, John Bruner, and Ephraim Borow in MSG. “Sketch can be used in our DoS attack solution for Verizon Wireless networks or may be used in SLA monitor.”
• Automatic polymorphic worm signature generation systems for high-speed networks
  – Fast, noise tolerant, and attack resilient
  – Resulted in a joint paper submission with Judy Zhi Fu: “Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms”, submitted to USENIX Security Symposium 2007.
  – Patent under review by the patent committee of Motorola

Page 8

Automatic Length Based Worm Signature Generation

• Majority of worms exploit buffer overflow vulnerabilities
• Worm packets have a particular field longer than normal
• Length signature generation
  – Parse the traffic to different fields
  – Find abnormally long field
  – Apply a three-step algorithm to determine a length signature
  – Length based signature is hard to evade if the attacker has to overflow the buffer.
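
An added example, not taken from the slides or from the authors' system: a simplified length-signature generator that parses flows into fields, finds the field that is abnormally long in the suspicious pool, and picks a length threshold from the normal pool. It stands in for the three-step algorithm, which the slides do not describe; the HTTP-like parser, the `X-Token` header and both traffic pools are constructed assumptions.

```python
def field_lengths(request: bytes) -> dict:
    """Toy parser (assumed HTTP-like protocol): map each field name to its length."""
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, _, rest = lines[0].partition(b" ")
    lengths = {"method": len(method), "uri": len(rest.rsplit(b" ", 1)[0]),
               "body": len(body)}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        lengths["hdr:" + name.strip().lower().decode("latin-1")] = len(value.strip())
    return lengths

def length_signature(normal, suspicious, max_fp=0.0, min_coverage=0.75):
    """Return (field, min_length, coverage), or None if no field separates the pools."""
    norm = [field_lengths(r) for r in normal]
    susp = [field_lengths(r) for r in suspicious]
    if not norm or not susp:
        return None  # pool too small to generate anything
    best = None
    for field in sorted({f for d in susp for f in d}):
        lens = sorted(d.get(field, 0) for d in norm)
        # Smallest threshold that at most max_fp of the normal pool reaches.
        allowed = min(int(max_fp * len(lens)), len(lens) - 1)
        threshold = lens[len(lens) - 1 - allowed] + 1
        # Noise tolerance: the suspicious pool may hold benign flows,
        # so only a fraction of it has to match.
        coverage = sum(d.get(field, 0) >= threshold for d in susp) / len(susp)
        if coverage >= min_coverage and (best is None or coverage > best[2]):
            best = (field, threshold, coverage)
    return best

def matches(request: bytes, signature) -> bool:
    """Apply a generated signature to one flow."""
    field, threshold, _ = signature
    return field_lengths(request).get(field, 0) >= threshold

def sample_request(method, uri, token):  # builds constructed sample traffic
    return f"{method} {uri} HTTP/1.1\r\nHost: example.test\r\nX-Token: {token}\r\n\r\n".encode()

# Constructed pools; X-Token is a hypothetical header, not from the slides.
NORMAL = [sample_request("GET", "/index.html", "a" * 8),
          sample_request("POST", "/login", "b" * 16),
          sample_request("GET", "/img/logo.png", "c" * 12)]
# Variants differ in content and length, but all exceed the normal range.
SUSPICIOUS = [sample_request("POST", "/login", c * n)
              for c, n in (("x", 300), ("y", 412), ("z", 350), ("q", 520))]
SUSPICIOUS.append(sample_request("GET", "/index.html", "d" * 10))  # benign noise

SIGNATURE = length_signature(NORMAL, SUSPICIOUS)
```

The threshold here is the longest normal value plus one, which is conservative: it flags any length the normal pool never reached rather than estimating the vulnerable buffer's size.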

Page 9

Length Based Signature Generator

[Figure: block diagram of the length-based signature generator. Labels: Filter, Suspicious Traffic Pool, Normal Traffic Pool, Protocol Parser, Protocol Specification, Parsed Suspicious, Parsed Normal, LESG Core, Signatures, Quit; decision “Pool size too small?” with YES and NO branches.]

Page 10

Evaluation of Signature Quality

• Seven polymorphic worms based on real-world vulnerabilities and exploits from securityfocus.com
• Real traffic collected in 2006 at two gigabit links of campus edge routers (40GB for evaluation)
• Another 123GB SPAM dataset

Page 11

Accomplishments on Publications

• Four conference and one journal papers, and one tech report
  – Hop ID: A Virtual Coordinate based Routing for Sparse Mobile Ad Hoc Networks, to appear in IEEE Transactions on Mobile Computing.
  – A Suite of Schemes for User-level Network Diagnosis without Infrastructure, to appear in the Proc. of IEEE INFOCOM, 2007 (18%).
  – Internet Cache Pollution Attacks and Countermeasures, in Proc. of the 14th IEEE International Conference on Network Protocols (ICNP), Nov. 2006 (14%).
  – Automatic Vulnerability Checking of IEEE 802.16 WiMAX Protocols through TLA+, in Proc. of the Second Workshop on Secure Network Protocols (NPSec) (33%).
  – A DoS Resilient Flow-level Intrusion Detection Approach for High-speed Networks, in Proc. of IEEE International Conference on Distributed Computing Systems (ICDCS), 2006 (14%).
  – Abstraction Techniques for Model-Checking Parameterized Systems, EECS Tech. Report, 2007.

Page 12

Students Involved

• PhD students:
  – Yan Gao, Zhichun Li, Yao Zhao (all in their 3rd years)
  – Nicos Liveris (4th year)
• MS students:
  – Prasad Narayana (graduating, will work for Motorola soon)
  – Sagar Vemuri (1st year)
• Undergraduate student:
  – Coh Yoshizaki

Page 13

Outline

• Threat Landscape and Motivation
• Our approach
• Accomplishment
• Achievement highlight: a Mobile IPv6 vulnerability

Page 14

Mobile IPv6 (RFC 3775)

• Provides mobility at IP Layer

• Enables IP-based communication to continue even when the host moves from one network to another

• Host movement is completely transparent to Layer 4 and above

Page 15

Mobile IPv6 - Entities

• Mobile Node (MN) – Any IP host which is mobile
• Correspondent Node (CN) – Any IP host communicating with the MN
• Home Agent (HA) – A host/router in the Home network which:
  – Is always aware of MN’s current location
  – Forwards any packet destined to MN
  – Assists MN to optimize its route to CN

Page 16

Mobile IPv6 - Process

• (Initially) MN is in home network and connected to CN
• MN moves to a foreign network:
  – Registers new address with HA by sending Binding Update (BU) and receiving Binding Ack (BA)
  – Performs Return Routability to optimize route to CN by sending HoTI, CoTI and receiving HoT, CoT
  – Registers with CN using BU and BA

Page 17

Mobile IPv6 in Action

[Figure: network diagram. Labels: Home Network, Foreign Network, Internet, Home Agent, Correspondent Node, Mobile Node (shown twice), HA – MN Tunnel; message arrows BU, BA, HoTI, CoTI, HoT, CoT.]

Page 18

Mobile IPv6 Vulnerability

• Nullifies the effect of Return Routability
• BA with status codes 136, 137 and 138 unprotected
• Man-in-the-middle attack
  – Sniffs BU to CN
  – Injects BA to MN with one of status codes above
• MN either retries RR or gives up route optimization and goes through HA

Page 19

MIPv6 Attack In Action

[Figure: message sequence chart with columns MN, HA, AT and CN. Labels: Start Return Routability; HoTI, HoTI, CoTI, CoT, HoT, HoT; Bind Update (Sniffed by AT along the way); Bind Ack Spoofed by AT; Restart Return Routability; Bind Ack; Silently Discard; Bind Ack.]
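
An added example from the defender's side, not part of the original slides: a monitor near the MN parses Binding Acknowledgements (RFC 3775 Mobility Header, MH Type 6) and alerts when a single Binding Update sequence number is answered both with status 136/137/138 and with a different status. It assumes the CN's own Bind Ack still reaches the monitor, as the chart's labels suggest; the addresses and packet bytes are constructed.

```python
import struct
from collections import defaultdict

MH_TYPE_BA = 6                   # Binding Acknowledgement, RFC 3775
NONCE_ERRORS = {136, 137, 138}   # the status codes named on the slide


def parse_ba(mh: bytes):
    """Return (status, sequence) if mh is a Binding Acknowledgement, else None."""
    if len(mh) < 12:
        return None
    _proto, hdr_len, mh_type, _rsvd, _cksum = struct.unpack_from("!BBBBH", mh, 0)
    # Header Len counts 8-octet units beyond the first 8 octets.
    if mh_type != MH_TYPE_BA or len(mh) < (hdr_len + 1) * 8:
        return None
    status, _flags, seq, _lifetime = struct.unpack_from("!BBHH", mh, 6)
    return status, seq


def conflicting_acks(events):
    """events: (time, src, dst, mobility_header_bytes) tuples seen near the MN.

    Alert when one (src, dst, sequence) received a 136/137/138 BA and also a BA
    with a different status: two answers to a single Binding Update.
    """
    seen = defaultdict(list)
    for when, src, dst, mh in events:
        parsed = parse_ba(mh)
        if parsed is not None:
            status, seq = parsed
            seen[(src, dst, seq)].append((when, status))
    alerts = []
    for key, acks in seen.items():
        statuses = {status for _, status in acks}
        if statuses & NONCE_ERRORS and len(statuses) > 1:
            alerts.append((key, sorted(acks)))
    return alerts


# Constructed sample: addresses from the 2001:db8::/32 documentation prefix,
# checksums zeroed, each header padded to 16 bytes with a PadN option.
CN, MN = "2001:db8:2::10", "2001:db8:3::20"
EVENTS = [
    (1.00, CN, MN, bytes.fromhex("3b010600 0000 8800 0007 0000 01020000")),
    (1.25, CN, MN, bytes.fromhex("3b010600 0000 0000 0007 01a4 01020000")),
    (9.00, CN, MN, bytes.fromhex("3b010600 0000 0000 0008 01a4 01020000")),
]
ALERTS = conflicting_acks(EVENTS)
```

A lone 136/137/138 acknowledgement is also a legitimate CN response to expired nonces, so the alert keys on the contradiction between two acknowledgements rather than on the status code alone.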

Page 20

MIPv6 Vulnerability - Effects

• Performance degradation by forcing communication through sub-optimal routes
• Possible overloading of HA and Home Link
• Service disruption – Communication between two mobile entities can be disrupted if they were already using optimized route

Page 21

Conclusions

• Vulnerability analysis of 802.16e specs (WiMAX) and mobile IP protocols

• Adaptive Intrusion Detection and Mitigation for WiMAX Networks (WAIDM)

Thank You !

Page 22

Existing WLAN Security Technology Insufficient for WiMAX Networks

• Cryptography and authentication cannot prevent attacks from penetrating WiMAX networks
  – Viruses, worms, DoS attacks, etc.
• 802.16 IDS development can potentially lead to critical gain in market share
  – All major WLAN vendors integrated IDS into products
• Limitations of existing IDSes (including WIDS)
  – Mostly host-based, and not scalable to high-speed networks
  – Mostly simple signature based, cannot deal with unknown attacks, polymorphic worms
  – Mostly ignore dynamics and mobility of wireless networks

Page 23

Deployment of WAIDM

• Attached to a switch connecting BS as a black box
• Enable the early detection and mitigation of global scale attacks
• Could be differentiator for Motorola’s 802.16 products

[Figure: two network diagrams, (a) Original configuration and (b) WAIDM deployed. Labels: Internet, Switch/BS controller, 802.16 BS, Users, scan port, WAIDM system.]