
Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting



Presentation Transcript


  1. What would you like to identify today?
  Passive Data Link Layer 802.11 Wireless Device Driver Fingerprinting
  Jason Franklin, Damon McCoy, Parisa Tabriz, Vicentiu Neagoe, Jamie Van Randwyk, Douglas Sicker

  2. Be Pessimistic!
  • Today, we take a glass-is-half-empty view of device driver security.
  • We present a fingerprinting technique for 802.11 device drivers under the premise that wireless device drivers are and will remain vulnerable.
  [figure label: Half-empty]

  3. Outline
  • Motivation
  • 802.11 and all that jazz
  • Fingerprinting Approach
  • Evaluation
  • Preventative Measures
  • Wrap up

  4. Motivation
  • 802.11 is everywhere.
    • Coffee shops, airports, homes, businesses, here!
    • Full-city coverage (San Francisco, London, Chicago)
  • Driver-specific exploits are an emerging threat.
    • Drivers are complex, numerous, buggy, and usually NOT easy to externally interact with.
    • Wireless drivers, however, are externally accessible.
    • 802.11 driver exploits already exist.
    • New APIs for 802.11 packet generation will make writing exploits easier.

  5. 802.11 Basics
  Station: Device with wireless capabilities (laptop, PDA, etc.)
  Access Point: Device that acts as a communication hub for wireless devices connected to a wireless LAN
  Wireless Frame: Unit of data at the data-link layer

  6. Fingerprinting
  [figure: "What would you like to identify today?" – Target Device, Fingerprinter]
  • What is fingerprinting?
  • Process by which a target object is identified by its externally observable characteristics

  7. Device Driver Fingerprinting
  • Utility of fingerprinting
    • Intrusion detection: detecting MAC address spoofing
    • Network forensics: narrow or verify the source of a network event or security incident
    • Reconnaissance: targeted attacks
  • Why not use the MAC Address?
    • MAC address is one way to identify a NIC manufacturer
    • Easy to change (spoof) to another legitimate, copied, or fictitious MAC

  8. 802.11 Active Scanning
  • A station sends probe request frames when it needs to discover access points in a wireless network. This process is known as active scanning.
  • The IEEE 802.11 standard specifies active scanning as…
      For every channel:
          Broadcast probe request frame;
          Start channel timer, t;
          If t reaches MinChannelTime AND current channel is IDLE:
              Scan to the next channel;
          Else
              Wait until t reaches MaxChannelTime;
              Process probe response frames from current channel;
              Scan to the next channel;
  • The remaining details of this process implementation are determined by wireless driver authors…

  9. Intuition
  [figure: D-Link driver – D-Link DWL-G520 PCI Wireless NIC; Cisco driver – Aironet AIR-CB21AG-A-K9 PCI Wireless NIC]
  • As you may have guessed, we distinguish drivers based on unique active scanning!

  10. Fingerprinting Approach
  [figure: probe requests (REQ) from engenius, cisco, hostap and madwifi drivers mapped to a driver signature]

  11. Outline of Method
  Supervised Bayesian Classification:
  • Create tagged signatures (Bayesian Models)
    • 17 different device drivers
    • 12 hour traffic traces
  • Capture traffic trace for an unidentified driver
  • Compare how close the unidentified trace is to every tagged signature and identify based on nearest match

  12. Signature Generation
  • Driver signatures are based on the delta arrival time between probe requests.
  • Signatures are obtained via binning with an empirically tuned and fixed bin width.
    • Record the percentage of probe requests placed in each bin
    • Record the average, for each bin, of all actual (non-rounded) delta arrival time values in that bin
    • Generate a vector initialized with these parameters as the signature for that driver
  [figure: Windows Engenius driver signature]

  13. Identification
  • Calculate how close the trace is to every known driver signature using a distance metric
  • The trace is identified as having the driver with the signature that is the closest according to our metric
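The following is an added example, not code from the paper or its authors, that walks slides 8, 12 and 13 end to end: a constructed timing model of the standard scan loop in which two made-up drivers ("driverA", "driverB") choose different MinChannelTime, MaxChannelTime and inter-sweep pause values, signature generation by fixed-width binning of delta arrival times (per-bin percentage and per-bin mean of the un-rounded deltas), and nearest-signature identification. The bin width, the distance metric, the driver parameters and the slide-15-style tags are all assumptions made here; the slides do not state the paper's own bin width or metric.

```python
# Added example (not the paper's code): toy probe-timing fingerprint pipeline.
# Scan-timing model, bin width, distance metric and driver parameters are assumed.
import math
import random
from collections import defaultdict

BIN_WIDTH = 0.05  # seconds; the paper tunes its bin width empirically, this value is assumed
CHANNELS = 11     # channels swept per scan (assumption)


def simulate_probes(min_ct, max_ct, scan_pause, n_scans, busy_prob, rng):
    """Constructed timing model of the slide-8 loop: one probe request per channel,
    dwell MinChannelTime on an idle channel or MaxChannelTime on a busy one, then a
    driver-specific pause before the next sweep. Returns probe timestamps (s)."""
    t, out = 0.0, []
    for _ in range(n_scans):
        for _ in range(CHANNELS):
            out.append(t)
            dwell = max_ct if rng.random() < busy_prob else min_ct
            t += dwell + rng.uniform(0.0, 0.002)  # small scheduling jitter
        t += scan_pause
    return out


def deltas(timestamps):
    """Delta arrival times between consecutive probe requests (slide 12)."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def make_signature(timestamps, bin_width=BIN_WIDTH):
    """Bin the deltas with a fixed width; per bin keep (fraction of probes in bin,
    mean of the un-rounded deltas in that bin). Returns {bin_index: (fraction, mean)}."""
    d = deltas(timestamps)
    bins = defaultdict(list)
    for x in d:
        bins[int(x // bin_width)].append(x)
    return {b: (len(v) / len(d), sum(v) / len(v)) for b, v in bins.items()}


def distance(sig_a, sig_b, bin_width=BIN_WIDTH):
    """Assumed metric: Euclidean distance over per-bin fraction differences, plus the
    per-bin mean difference (normalised by bin width) for bins both signatures populate."""
    total = 0.0
    for b in set(sig_a) | set(sig_b):
        fa, ma = sig_a.get(b, (0.0, None))
        fb, mb = sig_b.get(b, (0.0, None))
        total += (fa - fb) ** 2
        if ma is not None and mb is not None:
            total += ((ma - mb) / bin_width) ** 2
    return math.sqrt(total)


def identify(trace, database):
    """Slide 13: score the unknown trace against every tagged signature; returns
    (nearest tag, ranked list of (distance, tag))."""
    sig = make_signature(trace)
    ranked = sorted((distance(sig, s), tag) for tag, s in database.items())
    return ranked[0][1], ranked


def format_signature(tag, sig):
    """Render one database entry in the slide-15 layout: tag : (bin, % in bin, mean)."""
    cells = ", ".join(f"({b}, {f * 100:.1f}%, {m:.4f})" for b, (f, m) in sorted(sig.items()))
    return f"{tag} : {cells}"


# Constructed drivers: same standard loop, different implementation choices.
# Tags follow the slide-15 "driver assoc-status manager" form (values made up).
DRIVERS = {
    "driverA unassoc vendor": dict(min_ct=0.020, max_ct=0.050, scan_pause=1.0),
    "driverB unassoc vendor": dict(min_ct=0.030, max_ct=0.100, scan_pause=2.0),
}


def build_database(n_scans=20, seed=1):
    """Tagged signatures from clean lab-style traces (slide 11 / test set #1)."""
    rng = random.Random(seed)
    return {tag: make_signature(simulate_probes(n_scans=n_scans, busy_prob=0.3, rng=rng, **p))
            for tag, p in DRIVERS.items()}


def demo(seed=7):
    """Fingerprint fresh traces of each driver captured under a different seed and a
    busier channel than the database traces; returns {true tag: identified tag}."""
    db = build_database()
    rng = random.Random(seed)
    results = {}
    for tag, p in DRIVERS.items():
        trace = simulate_probes(n_scans=10, busy_prob=0.5, rng=rng, **p)
        results[tag] = identify(trace, db)[0]
    return results


if __name__ == "__main__":
    for tag, sig in build_database().items():
        print(format_signature(tag, sig))
    print(demo())
```

Because each driver's intra-sweep deltas land in different bins (and the inter-sweep pause differs by a full second), the nearest signature is the right one even though the unknown traces were captured on a busier channel than the database traces; that mirrors the slide-19 caveat that accuracy depends on network conditions, since a very different busy/idle mix shifts the per-bin percentages.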

  14. Factors that Affect Probing
  • Association status
    • Associated to an access point
    • Unassociated
  • Driver management
    • Managed by Windows
    • Managed by NIC vendor drivers

  15. Experimental Setup
  • The fingerprinter: Pentium 4 running Linux with a Cisco Aironet a/b/g wireless card
  • The victims: 17 different wireless drivers, including drivers from Apple, Cisco, D-link, Intel, Linksys, Madwifi, Netgear, Proxim, and SMC
  • The signature database: 31 unique driver signatures with tags and signatures of the format:
      driver assoc-status manager : (bin, % in bin, mean)

  16. Experimental Setup
  Test set #1, Master Signature Database (Lab):
  • No background traffic
  • No obstructions
  Test set #2 (Home network):
  • No background traffic
  • Wall between fingerprinter and victim
  Test set #3 (Coffee house):
  • Background wireless traffic
  • Miscellaneous objects between fingerprinter and victim

  17. Results
  [chart: Number of Drivers (0–10) versus Accuracy of Driver Percentage, in bands 100, 99-90, 89-80, 79-70, 69-60]

  18. Results
  [chart: Fingerprinting Accuracy (Percentage) versus Trace Data (Minutes)]

  19. Limitations
  • Cannot distinguish between different driver versions
  • Accuracy is sensitive to network conditions

  20. Preventing Fingerprinting
  • Standardize IEEE 802.11 active scanning
    • Power-constrained devices will want to probe less often than devices worried about quick handoffs
  • Support configurable active scanning
    • Off by default?
    • Can we expect users to understand when to appropriately enable or disable active scanning?
  • Inject probe requests to disguise driver behavior
    • Wastes power and bandwidth
    • Difficult to ensure that the noise is masking the driver

  21. Preventing Fingerprinting
  • Modify driver code
    • Extremely difficult with closed source drivers
    • Non-trivial to modify even in open source drivers
  • Patch existing drivers
    • Best effort to mitigate driver exploits
    • A usable and efficient patching process is needed to fix existing and future vulnerabilities discovered in device drivers

  22. Conclusions
  • Wireless devices are a target of attack
  • Unique implementations of active scanning can be used to fingerprint a wireless driver
  • According to our results, this method of fingerprinting is highly accurate and efficient
  • Now that more drivers are externally accessible, a larger focus needs to be placed on their software security
  Questions?