Vulnerability Analysis and Intrusion Mitigation Systems for WiMAX Networks

1. Vulnerability Analysis and Intrusion Mitigation Systems for WiMAX Networks Yan Chen, Hai Zhou Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University http://list.cs.northwestern.edu Motorola Liaisons Greg W. Cox, Z. Judy Fu, Peter McCann, and Philip R. Roberts Motorola Labs

2. The Current Threat Landscape and Countermeasures of WiMAX Networks • WiMAX: next wireless phenomenon • Predicted multi-billion dollar industry • WiMAX faces both Internet attacks and wireless network attacks • E.g., 6 new viruses, including Cabir and Skulls, with 30 variants targeting mobile devices • Goal of this project: secure WiMAX networks • Big security risks for WiMAX networks • No formal analysis about WiMAX security vulnerabilities • No intrusion detection/mitigation product/research tailored towards WiMAX networks

3. Our Approach • Vulnerability analysis of 802.16e specs and WiMAX standards • Intelligent and complete checking through combo of manual analysis + auto search through formal methods • First, manual analysis provide hints and right level of abstraction for auto search • Then specify the specs and potential capabilities of attackers in a formal language TLA+ (the Temporal Logic of Actions) • Then model check for any possible attacks • Adaptive Intrusion Detection and Mitigation for WiMAX Networks (WAIDM) • Could be differentiator for Motorola’s 802.16 products

4. Outline • Threat landscape and motivation • Our approach • Accomplishment of this year • Achievement highlight: a Mobile IPv6 vulnerability • Plan for the next year

5. Accomplishments This Year (I) • Most achieved with close interaction with Motorola liaisons • Intelligent vulnerability analysis of WiMAX • Focused on outsider attacks, i.e., w/ unprotected msgs • Checked the complete spec of 802.16e before authentication • Found some vulnerability, e.g., for ranging (but needs to change MAC) • Published a joint paper with Motorola Labs “Automatic Vulnerability Checking of IEEE 802.16 WiMAX Protocols through TLA+”, in Proc. of the Second Workshop on Secure Network Protocols (NPSec), 2006. • Checked the mobile IPv4/v6 • Find an easy attack to disable the route optimization of MIPv6 !

6. Accomplishments This Year (II) • Automatic polymorphic worm signature generation systems for high-speed networks • Fast, noise tolerant w/ proved attack resilience • Resulted a joint paper submission with Motorola Labs “Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms”, submitted to IEEE International Conference on Network Protocols (ICNP) 2007. • Patent under review by the patent committee of Motorola

7. Automatic Length Based Worm Signature Generation • Majority of worms exploit buffer overflow vulnerabilities • Worm packets have a particular field longer than normal • Length signature generation • Parse the traffic to different fields • Find abnormally long field • Apply a three-step algorithm to determine a length signature • Length based signature is hard to evade if the attacker has to overflow the buffer.

8. Length Based Signature Generator

9. Evaluation of Signature Quality • Seven polymorphic worms based on real-world vulnerabilities and exploits from securityfocus.com • Real traffic collected at two gigabit links of a campus edge routers in 2006 (40GB for evaluation) • Another 123GB SPAM dataset

10. Accomplishments on Publications • Four conference papers and one tech report • “Detecting Stealthy Spreaders Using Online Outdegree Histograms”, in the Proc. of the 15th IEEE International Workshop on Quality of Service (IWQoS), 2007 (26.6%). • “A Suite of Schemes for User-level Network Diagnosis without Infrastructure”, in the Proc. of IEEE INFOCOM, 2007 (18%). • “Towards Scalable and Robust Distributed Intrusion Alert Fusion with Good Load Balancing”, in Proc. of ACM SIGCOMM Workshop on Large-Scale Attack Defense 2006(33%). • Automatic Vulnerability Checking of IEEE 802.16 WiMAX Protocols through TLA+, in Proc. of the Second Workshop on Secure Network Protocols (NPSec) (33%). • Abstraction Techniques for Model-Checking Parameterized Systems, EECS Tech. Report, 2007.

11. Students Involved • PhD students: • Zhichun Li, Yao Zhao (all in their 3rd years) • Lanjia Wang, Yanmei Zhang (visiting PhD students) • Nicos Liveris (4th year) • MS students: • Prasad Narayana (graduated) • Sagar Vemuri (1st year)

12. Outline • Threat Landscape and Motivation • Our approach • Accomplishment • Achievement highlight: a Mobile IPv6 vulnerability • Plan for the next year

13. Mobile IPv6 (RFC 3775) • Provides mobility at IP Layer • Enables IP-based communication to continue even when the host moves from one network to another • Host movement is completely transparent to Layer 4 and above

14. Mobile IPv6 - Entities • Mobile Node (MN) – Any IP host which is mobile • Correspondent Node (CN) – Any IP host communicating with the MN • Home Agent (HA) – A host/router in the Home network which: • Is always aware of MN’s current location • Forwards any packet destined to MN • Assists MN to optimize its route to CN

15. Mobile IPv6 - Process • (Initially) MN is in home network and connected to CN • MN moves to a foreign network: • Registers new address with HA by sending Binding Update (BU) and receiving Binding Ack (BA) • Performs Return Routability to optimize route to CN by sending HoTI, CoTI and receiving HoT, CoT • Registers with CN using BU and BA

16. Mobile Node Mobile IPv6 in Action Home Network HoT Internet Correspondent Mobile Node Home Agent Node HoTI BA CoT HoTI BA HoT CoTI BU BU Foreign Network

17. Mobile IPv6 Vulnerability • Nullifies the effect of Return Routability • BA with status codes 136, 137 and 138 unprotected • Man-in-the-middle attack • Sniffs BU to CN • Injects BA to MN with one of status codes above • MN either retries RR or gives up route optimization and goes through HA

18. Restart Return Silently Discard MIPv6 Attack In Action MN HA AT CN Start H o T I Return o C T I Routability H o T I T o C T o H T o H Bind Update (Sniffed by AT along the way) Bind Ack Spoofed by AT Routability Bind Ack Bind Ack • Only need a wireless network sniffer and a spoofed wired machine (No MAC needs to be changed !) • Bind ACK often skipped by CN

19. MIPv6 Vulnerability - Effects • Performance degradation by forcing communication through sub-optimal routes • Possible overloading of HA and Home Link • DoS attack, when MN repeatedly tried to complete the return routability procedure • Attack can be launched to a large number of machines in their foreign network • Small overhead for continuously sending spoofed Bind ACK to different machines

20. TLA Analysis and Experiments • With the spec modeled in TLA, the TLC search gives two other similar attacks w/ the same vulnerability • Complete the search of vulnerabilities w/ unprotected messages • Implemented and tested in our lab • Using Mobile IPv6 Implementation for Linux (MIPL) • Tunnel IPv6 through IPv4 with Generic Routing Encapsulation (GRE) by Cisco • When attack in action, MN repeatedly tried to complete the return routability procedure – DOS attack !

21. Outline • Threat landscape and motivation • Our approach • Accomplishment • Achievement highlight: a Mobile IPv6 vulnerability • Plan for the next year • Vulnerability analysis of EAP protocols • Insider attack analysis • Technology transfer

22. Extensible Authentication Protocols (EAP) Authentication method layer EAP-TLS EAP-TTLS EAP-SIM EAP-AKA PEAP EAP-FAST Extensible Authentication Protocol (EAP) EAP Over LAN (EAPOL) EAP Layer Data Link Layer CDMA 802.16 PPP 802.3 Ethernet 802.5 Token Ring 802.11 WLAN GSM

23. Extensible Authentication Protocols (EAP) • EAP is an authenticaiton framework • Support about 40 different EAP methods • Current targets • EAP-SIM for GSM cellular networks • EAP-AKA for 3G networks, such as UMTS and CDMA2000 • EAP-FAST (Flexible Authentication via Secure Tunneling) • Most Comprehensive and secure EAP method for WLAN • Will compare it w/ EAP-SIM and EAP-AKA

24. Insider Attack Analysis • Not hard to become a subscriber • Can five subscribers bring down an entire WiMAX network ? • Check vulnerability after authentication • Plan to analyze various layers of WiMAX networks • IEEE 802.16e: MAC layer • Mobile IP v4/6: network layer • EAP layer

25. 802.16e SS Init Flowchart

26. Work Done

27. Future work

28. Conclusions • Vulnerability analysis of WiMAX protocols: 802.16e and mobile IP specs • Adaptive Intrusion Detection and Mitigation for WiMAX Networks (WAIDM) Thank You !

29. Existing WLAN Security Technology Insufficient for WiMAX Networks • Cryptography and authentication cannot prevent attacks from penetrating WiMAX networks • Viruses, worms, DoS attacks, etc. • 802.16 IDS development can potentially lead to critical gain in market share • All major WLAN vendors integrated IDS into products • Limitations of existing IDSes (including WIDS) • Mostly host-based, and not scalable to high-speed networks • Mostly simple signature based, cannot deal with unknown attacks, polymorphic worms • Mostly ignore dynamics and mobility of wireless networks

30. Deployment of WAIDM • Attached to a switch connecting BS as a black box • Enable the early detection and mitigation of global scale attacks • Could be differentiator for Motorola’s 802.16 products Users Internet Users WAIDM system Internet 802.16 scan port 802.16 BS BS Switch/ Switch/ BS controller BS controller 802.16 802.16 BS BS Users Users (a) (b) WAIDM deployed Original configuration